#line 1 "system/sepolicy/private/security_classes" # FLASK # # Define the security object classes # # Classes marked as userspace are classes # for userspace object managers class security class process class system class capability # file-related classes class filesystem class file class anon_inode class dir class fd class lnk_file class chr_file class blk_file class sock_file class fifo_file # network-related classes class socket class tcp_socket class udp_socket class rawip_socket class node class netif class netlink_socket class packet_socket class key_socket class unix_stream_socket class unix_dgram_socket # sysv-ipc-related classes class sem class msg class msgq class shm class ipc # extended netlink sockets class netlink_route_socket class netlink_tcpdiag_socket class netlink_nflog_socket class netlink_xfrm_socket class netlink_selinux_socket class netlink_audit_socket class netlink_dnrt_socket # IPSec association class association # Updated Netlink class for KOBJECT_UEVENT family. class netlink_kobject_uevent_socket class appletalk_socket class packet # Kernel access key retention class key class dccp_socket class memprotect # network peer labels class peer # Capabilities >= 32 class capability2 # kernel services that need to override task security, e.g. cachefiles class kernel_service class tun_socket class binder # Updated netlink classes for more recent netlink protocols. class netlink_iscsi_socket class netlink_fib_lookup_socket class netlink_connector_socket class netlink_netfilter_socket class netlink_generic_socket class netlink_scsitransport_socket class netlink_rdma_socket class netlink_crypto_socket # Infiniband class infiniband_pkey class infiniband_endport # Capability checks when on a non-init user namespace class cap_userns class cap2_userns # New socket classes introduced by extended_socket_class policy capability. # These two were previously mapped to rawip_socket. class sctp_socket class icmp_socket # These were previously mapped to socket. 
class ax25_socket class ipx_socket class netrom_socket class atmpvc_socket class x25_socket class rose_socket class decnet_socket class atmsvc_socket class rds_socket class irda_socket class pppox_socket class llc_socket class can_socket class tipc_socket class bluetooth_socket class iucv_socket class rxrpc_socket class isdn_socket class phonet_socket class ieee802154_socket class caif_socket class alg_socket class nfc_socket class vsock_socket class kcm_socket class qipcrtr_socket class smc_socket class process2 class bpf class xdp_socket class perf_event class io_uring # Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331 class lockdown # Property service class property_service # userspace # Service manager class service_manager # userspace # hardware service manager # userspace class hwservice_manager # Legacy Keystore key permissions class keystore_key # userspace # Keystore 2.0 permissions class keystore2 # userspace # Keystore 2.0 key permissions class keystore2_key # userspace # Diced permissions class diced # userspace class drmservice # userspace # FLASK #line 1 "system/sepolicy/private/initial_sids" # FLASK # # Define initial security identifiers # sid kernel sid security sid unlabeled sid fs sid file sid file_labels sid init sid any_socket sid port sid netif sid netmsg sid node sid igmp_packet sid icmp_socket sid tcp_socket sid sysctl_modprobe sid sysctl sid sysctl_fs sid sysctl_kernel sid sysctl_net sid sysctl_net_unix sid sysctl_vm sid sysctl_dev sid kmod sid policy sid scmp_packet sid devnull # FLASK #line 1 "system/sepolicy/private/access_vectors" # # Define common prefixes for access vectors # # common common_name { permission_name ... } # # Define a common prefix for file access vectors. 
# common file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads } # # Define a common prefix for socket access vectors. # common socket { # inherited from file ioctl read write create getattr setattr lock relabelfrom relabelto append map # socket-specific bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind } # # Define a common prefix for ipc access vectors. # common ipc { create destroy getattr setattr read write associate unix_read unix_write } # # Define a common prefix for capability access vectors. # common cap { # The capabilities are defined in include/linux/capability.h # Capabilities >= 32 are defined in the cap2 common. # Care should be taken to ensure that these are consistent with # those definitions. (Order matters) chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap } common cap2 { mac_override # unused by SELinux mac_admin syslog wake_alarm block_suspend audit_read perfmon } # # Define the access vectors. # # class class_name [ inherits common_name ] { permission_name ... } # # Define the access vector interpretation for file-related objects. 
# class filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch } class dir inherits file { add_name remove_name reparent search rmdir } class file inherits file { execute_no_trans entrypoint } class anon_inode inherits file class lnk_file inherits file class chr_file inherits file { execute_no_trans entrypoint } class blk_file inherits file class sock_file inherits file class fifo_file inherits file class fd { use } # # Define the access vector interpretation for network-related objects. # class socket inherits socket class tcp_socket inherits socket { node_bind name_connect } class udp_socket inherits socket { node_bind } class rawip_socket inherits socket { node_bind } class node { recvfrom sendto } class netif { ingress egress } class netlink_socket inherits socket class packet_socket inherits socket class key_socket inherits socket class unix_stream_socket inherits socket { connectto } class unix_dgram_socket inherits socket # # Define the access vector interpretation for process-related objects # class process { fork transition sigchld # commonly granted from child to parent sigkill # cannot be caught or ignored sigstop # cannot be caught or ignored signull # for kill(pid, 0) signal # all other signals ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit } class process2 { nnp_transition nosuid_transition } # # Define the access vector interpretation for ipc-related objects # class ipc inherits ipc class sem inherits ipc class msgq inherits ipc { enqueue } class msg { send receive } class shm inherits ipc { lock } # # Define the access vector interpretation for the security server. 
# class security { compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce # was avc_toggle in system class setbool setsecparam setcheckreqprot read_policy validate_trans } # # Define the access vector interpretation for system operations. # class system { ipc_info syslog_read syslog_mod syslog_console module_request module_load } # # Define the access vector interpretation for controlling capabilities # class capability inherits cap class capability2 inherits cap2 # # Extended Netlink classes # class netlink_route_socket inherits socket { nlmsg_read nlmsg_write nlmsg_readpriv nlmsg_getneigh } class netlink_tcpdiag_socket inherits socket { nlmsg_read nlmsg_write } class netlink_nflog_socket inherits socket class netlink_xfrm_socket inherits socket { nlmsg_read nlmsg_write } class netlink_selinux_socket inherits socket class netlink_audit_socket inherits socket { nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit } class netlink_dnrt_socket inherits socket # Define the access vector interpretation for controlling # access to IPSec network data by association # class association { sendto recvfrom setcontext polmatch } # Updated Netlink class for KOBJECT_UEVENT family. 
class netlink_kobject_uevent_socket inherits socket class appletalk_socket inherits socket class packet { send recv relabelto forward_in forward_out } class key { view read write search link setattr create } class dccp_socket inherits socket { node_bind name_connect } class memprotect { mmap_zero } # network peer labels class peer { recv } class kernel_service { use_as_override create_files_as } class tun_socket inherits socket { attach_queue } class binder { impersonate call set_context_mgr transfer } class netlink_iscsi_socket inherits socket class netlink_fib_lookup_socket inherits socket class netlink_connector_socket inherits socket class netlink_netfilter_socket inherits socket class netlink_generic_socket inherits socket class netlink_scsitransport_socket inherits socket class netlink_rdma_socket inherits socket class netlink_crypto_socket inherits socket class infiniband_pkey { access } class infiniband_endport { manage_subnet } # # Define the access vector interpretation for controlling capabilities # in user namespaces # class cap_userns inherits cap class cap2_userns inherits cap2 # # Define the access vector interpretation for the new socket classes # enabled by the extended_socket_class policy capability. # # # The next two classes were previously mapped to rawip_socket and therefore # have the same definition as rawip_socket (until further permissions # are defined). # class sctp_socket inherits socket { node_bind name_connect association } class icmp_socket inherits socket { node_bind } # # The remaining network socket classes were previously # mapped to the socket class and therefore have the # same definition as socket. 
# class ax25_socket inherits socket class ipx_socket inherits socket class netrom_socket inherits socket class atmpvc_socket inherits socket class x25_socket inherits socket class rose_socket inherits socket class decnet_socket inherits socket class atmsvc_socket inherits socket class rds_socket inherits socket class irda_socket inherits socket class pppox_socket inherits socket class llc_socket inherits socket class can_socket inherits socket class tipc_socket inherits socket class bluetooth_socket inherits socket class iucv_socket inherits socket class rxrpc_socket inherits socket class isdn_socket inherits socket class phonet_socket inherits socket class ieee802154_socket inherits socket class caif_socket inherits socket class alg_socket inherits socket class nfc_socket inherits socket class vsock_socket inherits socket class kcm_socket inherits socket class qipcrtr_socket inherits socket class smc_socket inherits socket class bpf { map_create map_read map_write prog_load prog_run } class property_service { set } class service_manager { add find list } class hwservice_manager { add find list } class keystore_key { get_state get insert delete exist list reset password lock unlock is_empty sign verify grant duplicate clear_uid add_auth user_changed gen_unique_id } class keystore2 { add_auth change_password change_user clear_ns clear_uid delete_all_keys early_boot_ended get_attestation_key get_auth_token get_last_auth_time get_state list lock pull_metrics report_off_body reset unlock } class keystore2_key { convert_storage_key_to_ephemeral delete gen_unique_id get_info grant manage_blob rebind req_forced_op update use use_dev_id } class diced { demote demote_self derive get_attestation_chain use_seal use_sign } class drmservice { consumeRights setPlaybackStatus openDecryptSession closeDecryptSession initializeDecryptUnit decrypt finalizeDecryptUnit pread } class xdp_socket inherits socket class perf_event { open cpu kernel tracepoint read write } class lockdown { 
integrity confidentiality } class io_uring { override_creds sqpoll cmd } #line 1 "system/sepolicy/public/global_macros" ##################################### # Common groupings of object classes. # ##################################### # Common groupings of permissions. # ##################################### # Common socket permission sets. #line 1 "system/sepolicy/public/neverallow_macros" # # Common neverallow permissions ##################################### # neverallow_establish_socket_comms(src, dst) # neverallow src domain establishing socket connections to dst domain. # #line 15 #line 1 "system/sepolicy/private/mls_macros" ######################################## # # gen_cats(N) # # declares categories c0 to c(N-1) # #line 10 ######################################## # # gen_sens(N) # # declares sensitivities s0 to s(N-1) with dominance # in increasing numeric order with s0 lowest, s(N-1) highest # #line 24 #line 34 ######################################## # # gen_levels(N,M) # # levels from s0 to s(N-1) with categories c0 to c(M-1) # #line 45 ######################################## # # Basic level names for system low and high # #line 1 "system/sepolicy/private/mls_decl" ######################################### # MLS declarations # # Generate the desired number of sensitivities and categories. #line 6 # Each sensitivity has a name and zero or more aliases. 
#line 6 sensitivity s0; #line 6 #line 6 #line 6 # Define the ordering of the sensitivity levels (least to greatest) #line 6 dominance { s0 } #line 6 category c0; #line 7 category c1; #line 7 category c2; #line 7 category c3; #line 7 category c4; #line 7 category c5; #line 7 category c6; #line 7 category c7; #line 7 category c8; #line 7 category c9; #line 7 category c10; #line 7 category c11; #line 7 category c12; #line 7 category c13; #line 7 category c14; #line 7 category c15; #line 7 category c16; #line 7 category c17; #line 7 category c18; #line 7 category c19; #line 7 category c20; #line 7 category c21; #line 7 category c22; #line 7 category c23; #line 7 category c24; #line 7 category c25; #line 7 category c26; #line 7 category c27; #line 7 category c28; #line 7 category c29; #line 7 category c30; #line 7 category c31; #line 7 category c32; #line 7 category c33; #line 7 category c34; #line 7 category c35; #line 7 category c36; #line 7 category c37; #line 7 category c38; #line 7 category c39; #line 7 category c40; #line 7 category c41; #line 7 category c42; #line 7 category c43; #line 7 category c44; #line 7 category c45; #line 7 category c46; #line 7 category c47; #line 7 category c48; #line 7 category c49; #line 7 category c50; #line 7 category c51; #line 7 category c52; #line 7 category c53; #line 7 category c54; #line 7 category c55; #line 7 category c56; #line 7 category c57; #line 7 category c58; #line 7 category c59; #line 7 category c60; #line 7 category c61; #line 7 category c62; #line 7 category c63; #line 7 category c64; #line 7 category c65; #line 7 category c66; #line 7 category c67; #line 7 category c68; #line 7 category c69; #line 7 category c70; #line 7 category c71; #line 7 category c72; #line 7 category c73; #line 7 category c74; #line 7 category c75; #line 7 category c76; #line 7 category c77; #line 7 category c78; #line 7 category c79; #line 7 category c80; #line 7 category c81; #line 7 category c82; #line 7 category c83; #line 7 category 
c84; #line 7 category c85; #line 7 category c86; #line 7 category c87; #line 7 category c88; #line 7 category c89; #line 7 category c90; #line 7 category c91; #line 7 category c92; #line 7 category c93; #line 7 category c94; #line 7 category c95; #line 7 category c96; #line 7 category c97; #line 7 category c98; #line 7 category c99; #line 7 category c100; #line 7 category c101; #line 7 category c102; #line 7 category c103; #line 7 category c104; #line 7 category c105; #line 7 category c106; #line 7 category c107; #line 7 category c108; #line 7 category c109; #line 7 category c110; #line 7 category c111; #line 7 category c112; #line 7 category c113; #line 7 category c114; #line 7 category c115; #line 7 category c116; #line 7 category c117; #line 7 category c118; #line 7 category c119; #line 7 category c120; #line 7 category c121; #line 7 category c122; #line 7 category c123; #line 7 category c124; #line 7 category c125; #line 7 category c126; #line 7 category c127; #line 7 category c128; #line 7 category c129; #line 7 category c130; #line 7 category c131; #line 7 category c132; #line 7 category c133; #line 7 category c134; #line 7 category c135; #line 7 category c136; #line 7 category c137; #line 7 category c138; #line 7 category c139; #line 7 category c140; #line 7 category c141; #line 7 category c142; #line 7 category c143; #line 7 category c144; #line 7 category c145; #line 7 category c146; #line 7 category c147; #line 7 category c148; #line 7 category c149; #line 7 category c150; #line 7 category c151; #line 7 category c152; #line 7 category c153; #line 7 category c154; #line 7 category c155; #line 7 category c156; #line 7 category c157; #line 7 category c158; #line 7 category c159; #line 7 category c160; #line 7 category c161; #line 7 category c162; #line 7 category c163; #line 7 category c164; #line 7 category c165; #line 7 category c166; #line 7 category c167; #line 7 category c168; #line 7 category c169; #line 7 category c170; #line 7 category c171; #line 7 
category c172; #line 7 category c173; #line 7 category c174; #line 7 category c175; #line 7 category c176; #line 7 category c177; #line 7 category c178; #line 7 category c179; #line 7 category c180; #line 7 category c181; #line 7 category c182; #line 7 category c183; #line 7 category c184; #line 7 category c185; #line 7 category c186; #line 7 category c187; #line 7 category c188; #line 7 category c189; #line 7 category c190; #line 7 category c191; #line 7 category c192; #line 7 category c193; #line 7 category c194; #line 7 category c195; #line 7 category c196; #line 7 category c197; #line 7 category c198; #line 7 category c199; #line 7 category c200; #line 7 category c201; #line 7 category c202; #line 7 category c203; #line 7 category c204; #line 7 category c205; #line 7 category c206; #line 7 category c207; #line 7 category c208; #line 7 category c209; #line 7 category c210; #line 7 category c211; #line 7 category c212; #line 7 category c213; #line 7 category c214; #line 7 category c215; #line 7 category c216; #line 7 category c217; #line 7 category c218; #line 7 category c219; #line 7 category c220; #line 7 category c221; #line 7 category c222; #line 7 category c223; #line 7 category c224; #line 7 category c225; #line 7 category c226; #line 7 category c227; #line 7 category c228; #line 7 category c229; #line 7 category c230; #line 7 category c231; #line 7 category c232; #line 7 category c233; #line 7 category c234; #line 7 category c235; #line 7 category c236; #line 7 category c237; #line 7 category c238; #line 7 category c239; #line 7 category c240; #line 7 category c241; #line 7 category c242; #line 7 category c243; #line 7 category c244; #line 7 category c245; #line 7 category c246; #line 7 category c247; #line 7 category c248; #line 7 category c249; #line 7 category c250; #line 7 category c251; #line 7 category c252; #line 7 category c253; #line 7 category c254; #line 7 category c255; #line 7 category c256; #line 7 category c257; #line 7 category c258; #line 
7 category c259; #line 7 category c260; #line 7 category c261; #line 7 category c262; #line 7 category c263; #line 7 category c264; #line 7 category c265; #line 7 category c266; #line 7 category c267; #line 7 category c268; #line 7 category c269; #line 7 category c270; #line 7 category c271; #line 7 category c272; #line 7 category c273; #line 7 category c274; #line 7 category c275; #line 7 category c276; #line 7 category c277; #line 7 category c278; #line 7 category c279; #line 7 category c280; #line 7 category c281; #line 7 category c282; #line 7 category c283; #line 7 category c284; #line 7 category c285; #line 7 category c286; #line 7 category c287; #line 7 category c288; #line 7 category c289; #line 7 category c290; #line 7 category c291; #line 7 category c292; #line 7 category c293; #line 7 category c294; #line 7 category c295; #line 7 category c296; #line 7 category c297; #line 7 category c298; #line 7 category c299; #line 7 category c300; #line 7 category c301; #line 7 category c302; #line 7 category c303; #line 7 category c304; #line 7 category c305; #line 7 category c306; #line 7 category c307; #line 7 category c308; #line 7 category c309; #line 7 category c310; #line 7 category c311; #line 7 category c312; #line 7 category c313; #line 7 category c314; #line 7 category c315; #line 7 category c316; #line 7 category c317; #line 7 category c318; #line 7 category c319; #line 7 category c320; #line 7 category c321; #line 7 category c322; #line 7 category c323; #line 7 category c324; #line 7 category c325; #line 7 category c326; #line 7 category c327; #line 7 category c328; #line 7 category c329; #line 7 category c330; #line 7 category c331; #line 7 category c332; #line 7 category c333; #line 7 category c334; #line 7 category c335; #line 7 category c336; #line 7 category c337; #line 7 category c338; #line 7 category c339; #line 7 category c340; #line 7 category c341; #line 7 category c342; #line 7 category c343; #line 7 category c344; #line 7 category c345; 
#line 7 category c346; #line 7 category c347; #line 7 category c348; #line 7 category c349; #line 7 category c350; #line 7 category c351; #line 7 category c352; #line 7 category c353; #line 7 category c354; #line 7 category c355; #line 7 category c356; #line 7 category c357; #line 7 category c358; #line 7 category c359; #line 7 category c360; #line 7 category c361; #line 7 category c362; #line 7 category c363; #line 7 category c364; #line 7 category c365; #line 7 category c366; #line 7 category c367; #line 7 category c368; #line 7 category c369; #line 7 category c370; #line 7 category c371; #line 7 category c372; #line 7 category c373; #line 7 category c374; #line 7 category c375; #line 7 category c376; #line 7 category c377; #line 7 category c378; #line 7 category c379; #line 7 category c380; #line 7 category c381; #line 7 category c382; #line 7 category c383; #line 7 category c384; #line 7 category c385; #line 7 category c386; #line 7 category c387; #line 7 category c388; #line 7 category c389; #line 7 category c390; #line 7 category c391; #line 7 category c392; #line 7 category c393; #line 7 category c394; #line 7 category c395; #line 7 category c396; #line 7 category c397; #line 7 category c398; #line 7 category c399; #line 7 category c400; #line 7 category c401; #line 7 category c402; #line 7 category c403; #line 7 category c404; #line 7 category c405; #line 7 category c406; #line 7 category c407; #line 7 category c408; #line 7 category c409; #line 7 category c410; #line 7 category c411; #line 7 category c412; #line 7 category c413; #line 7 category c414; #line 7 category c415; #line 7 category c416; #line 7 category c417; #line 7 category c418; #line 7 category c419; #line 7 category c420; #line 7 category c421; #line 7 category c422; #line 7 category c423; #line 7 category c424; #line 7 category c425; #line 7 category c426; #line 7 category c427; #line 7 category c428; #line 7 category c429; #line 7 category c430; #line 7 category c431; #line 7 category 
c432; #line 7 category c433; #line 7 category c434; #line 7 category c435; #line 7 category c436; #line 7 category c437; #line 7 category c438; #line 7 category c439; #line 7 category c440; #line 7 category c441; #line 7 category c442; #line 7 category c443; #line 7 category c444; #line 7 category c445; #line 7 category c446; #line 7 category c447; #line 7 category c448; #line 7 category c449; #line 7 category c450; #line 7 category c451; #line 7 category c452; #line 7 category c453; #line 7 category c454; #line 7 category c455; #line 7 category c456; #line 7 category c457; #line 7 category c458; #line 7 category c459; #line 7 category c460; #line 7 category c461; #line 7 category c462; #line 7 category c463; #line 7 category c464; #line 7 category c465; #line 7 category c466; #line 7 category c467; #line 7 category c468; #line 7 category c469; #line 7 category c470; #line 7 category c471; #line 7 category c472; #line 7 category c473; #line 7 category c474; #line 7 category c475; #line 7 category c476; #line 7 category c477; #line 7 category c478; #line 7 category c479; #line 7 category c480; #line 7 category c481; #line 7 category c482; #line 7 category c483; #line 7 category c484; #line 7 category c485; #line 7 category c486; #line 7 category c487; #line 7 category c488; #line 7 category c489; #line 7 category c490; #line 7 category c491; #line 7 category c492; #line 7 category c493; #line 7 category c494; #line 7 category c495; #line 7 category c496; #line 7 category c497; #line 7 category c498; #line 7 category c499; #line 7 category c500; #line 7 category c501; #line 7 category c502; #line 7 category c503; #line 7 category c504; #line 7 category c505; #line 7 category c506; #line 7 category c507; #line 7 category c508; #line 7 category c509; #line 7 category c510; #line 7 category c511; #line 7 category c512; #line 7 category c513; #line 7 category c514; #line 7 category c515; #line 7 category c516; #line 7 category c517; #line 7 category c518; #line 7 
category c519; #line 7 category c520; #line 7 category c521; #line 7 category c522; #line 7 category c523; #line 7 category c524; #line 7 category c525; #line 7 category c526; #line 7 category c527; #line 7 category c528; #line 7 category c529; #line 7 category c530; #line 7 category c531; #line 7 category c532; #line 7 category c533; #line 7 category c534; #line 7 category c535; #line 7 category c536; #line 7 category c537; #line 7 category c538; #line 7 category c539; #line 7 category c540; #line 7 category c541; #line 7 category c542; #line 7 category c543; #line 7 category c544; #line 7 category c545; #line 7 category c546; #line 7 category c547; #line 7 category c548; #line 7 category c549; #line 7 category c550; #line 7 category c551; #line 7 category c552; #line 7 category c553; #line 7 category c554; #line 7 category c555; #line 7 category c556; #line 7 category c557; #line 7 category c558; #line 7 category c559; #line 7 category c560; #line 7 category c561; #line 7 category c562; #line 7 category c563; #line 7 category c564; #line 7 category c565; #line 7 category c566; #line 7 category c567; #line 7 category c568; #line 7 category c569; #line 7 category c570; #line 7 category c571; #line 7 category c572; #line 7 category c573; #line 7 category c574; #line 7 category c575; #line 7 category c576; #line 7 category c577; #line 7 category c578; #line 7 category c579; #line 7 category c580; #line 7 category c581; #line 7 category c582; #line 7 category c583; #line 7 category c584; #line 7 category c585; #line 7 category c586; #line 7 category c587; #line 7 category c588; #line 7 category c589; #line 7 category c590; #line 7 category c591; #line 7 category c592; #line 7 category c593; #line 7 category c594; #line 7 category c595; #line 7 category c596; #line 7 category c597; #line 7 category c598; #line 7 category c599; #line 7 category c600; #line 7 category c601; #line 7 category c602; #line 7 category c603; #line 7 category c604; #line 7 category c605; #line 
7 category c606; #line 7 category c607; #line 7 category c608; #line 7 category c609; #line 7 category c610; #line 7 category c611; #line 7 category c612; #line 7 category c613; #line 7 category c614; #line 7 category c615; #line 7 category c616; #line 7 category c617; #line 7 category c618; #line 7 category c619; #line 7 category c620; #line 7 category c621; #line 7 category c622; #line 7 category c623; #line 7 category c624; #line 7 category c625; #line 7 category c626; #line 7 category c627; #line 7 category c628; #line 7 category c629; #line 7 category c630; #line 7 category c631; #line 7 category c632; #line 7 category c633; #line 7 category c634; #line 7 category c635; #line 7 category c636; #line 7 category c637; #line 7 category c638; #line 7 category c639; #line 7 category c640; #line 7 category c641; #line 7 category c642; #line 7 category c643; #line 7 category c644; #line 7 category c645; #line 7 category c646; #line 7 category c647; #line 7 category c648; #line 7 category c649; #line 7 category c650; #line 7 category c651; #line 7 category c652; #line 7 category c653; #line 7 category c654; #line 7 category c655; #line 7 category c656; #line 7 category c657; #line 7 category c658; #line 7 category c659; #line 7 category c660; #line 7 category c661; #line 7 category c662; #line 7 category c663; #line 7 category c664; #line 7 category c665; #line 7 category c666; #line 7 category c667; #line 7 category c668; #line 7 category c669; #line 7 category c670; #line 7 category c671; #line 7 category c672; #line 7 category c673; #line 7 category c674; #line 7 category c675; #line 7 category c676; #line 7 category c677; #line 7 category c678; #line 7 category c679; #line 7 category c680; #line 7 category c681; #line 7 category c682; #line 7 category c683; #line 7 category c684; #line 7 category c685; #line 7 category c686; #line 7 category c687; #line 7 category c688; #line 7 category c689; #line 7 category c690; #line 7 category c691; #line 7 category c692; 
#line 7 category c693; #line 7 category c694; #line 7 category c695; #line 7 category c696; #line 7 category c697; #line 7 category c698; #line 7 category c699; #line 7 category c700; #line 7 category c701; #line 7 category c702; #line 7 category c703; #line 7 category c704; #line 7 category c705; #line 7 category c706; #line 7 category c707; #line 7 category c708; #line 7 category c709; #line 7 category c710; #line 7 category c711; #line 7 category c712; #line 7 category c713; #line 7 category c714; #line 7 category c715; #line 7 category c716; #line 7 category c717; #line 7 category c718; #line 7 category c719; #line 7 category c720; #line 7 category c721; #line 7 category c722; #line 7 category c723; #line 7 category c724; #line 7 category c725; #line 7 category c726; #line 7 category c727; #line 7 category c728; #line 7 category c729; #line 7 category c730; #line 7 category c731; #line 7 category c732; #line 7 category c733; #line 7 category c734; #line 7 category c735; #line 7 category c736; #line 7 category c737; #line 7 category c738; #line 7 category c739; #line 7 category c740; #line 7 category c741; #line 7 category c742; #line 7 category c743; #line 7 category c744; #line 7 category c745; #line 7 category c746; #line 7 category c747; #line 7 category c748; #line 7 category c749; #line 7 category c750; #line 7 category c751; #line 7 category c752; #line 7 category c753; #line 7 category c754; #line 7 category c755; #line 7 category c756; #line 7 category c757; #line 7 category c758; #line 7 category c759; #line 7 category c760; #line 7 category c761; #line 7 category c762; #line 7 category c763; #line 7 category c764; #line 7 category c765; #line 7 category c766; #line 7 category c767; #line 7 category c768; #line 7 category c769; #line 7 category c770; #line 7 category c771; #line 7 category c772; #line 7 category c773; #line 7 category c774; #line 7 category c775; #line 7 category c776; #line 7 category c777; #line 7 category c778; #line 7 category 
c779; #line 7 category c780; #line 7 category c781; #line 7 category c782; #line 7 category c783; #line 7 category c784; #line 7 category c785; #line 7 category c786; #line 7 category c787; #line 7 category c788; #line 7 category c789; #line 7 category c790; #line 7 category c791; #line 7 category c792; #line 7 category c793; #line 7 category c794; #line 7 category c795; #line 7 category c796; #line 7 category c797; #line 7 category c798; #line 7 category c799; #line 7 category c800; #line 7 category c801; #line 7 category c802; #line 7 category c803; #line 7 category c804; #line 7 category c805; #line 7 category c806; #line 7 category c807; #line 7 category c808; #line 7 category c809; #line 7 category c810; #line 7 category c811; #line 7 category c812; #line 7 category c813; #line 7 category c814; #line 7 category c815; #line 7 category c816; #line 7 category c817; #line 7 category c818; #line 7 category c819; #line 7 category c820; #line 7 category c821; #line 7 category c822; #line 7 category c823; #line 7 category c824; #line 7 category c825; #line 7 category c826; #line 7 category c827; #line 7 category c828; #line 7 category c829; #line 7 category c830; #line 7 category c831; #line 7 category c832; #line 7 category c833; #line 7 category c834; #line 7 category c835; #line 7 category c836; #line 7 category c837; #line 7 category c838; #line 7 category c839; #line 7 category c840; #line 7 category c841; #line 7 category c842; #line 7 category c843; #line 7 category c844; #line 7 category c845; #line 7 category c846; #line 7 category c847; #line 7 category c848; #line 7 category c849; #line 7 category c850; #line 7 category c851; #line 7 category c852; #line 7 category c853; #line 7 category c854; #line 7 category c855; #line 7 category c856; #line 7 category c857; #line 7 category c858; #line 7 category c859; #line 7 category c860; #line 7 category c861; #line 7 category c862; #line 7 category c863; #line 7 category c864; #line 7 category c865; #line 7 
category c866; #line 7 category c867; #line 7 category c868; #line 7 category c869; #line 7 category c870; #line 7 category c871; #line 7 category c872; #line 7 category c873; #line 7 category c874; #line 7 category c875; #line 7 category c876; #line 7 category c877; #line 7 category c878; #line 7 category c879; #line 7 category c880; #line 7 category c881; #line 7 category c882; #line 7 category c883; #line 7 category c884; #line 7 category c885; #line 7 category c886; #line 7 category c887; #line 7 category c888; #line 7 category c889; #line 7 category c890; #line 7 category c891; #line 7 category c892; #line 7 category c893; #line 7 category c894; #line 7 category c895; #line 7 category c896; #line 7 category c897; #line 7 category c898; #line 7 category c899; #line 7 category c900; #line 7 category c901; #line 7 category c902; #line 7 category c903; #line 7 category c904; #line 7 category c905; #line 7 category c906; #line 7 category c907; #line 7 category c908; #line 7 category c909; #line 7 category c910; #line 7 category c911; #line 7 category c912; #line 7 category c913; #line 7 category c914; #line 7 category c915; #line 7 category c916; #line 7 category c917; #line 7 category c918; #line 7 category c919; #line 7 category c920; #line 7 category c921; #line 7 category c922; #line 7 category c923; #line 7 category c924; #line 7 category c925; #line 7 category c926; #line 7 category c927; #line 7 category c928; #line 7 category c929; #line 7 category c930; #line 7 category c931; #line 7 category c932; #line 7 category c933; #line 7 category c934; #line 7 category c935; #line 7 category c936; #line 7 category c937; #line 7 category c938; #line 7 category c939; #line 7 category c940; #line 7 category c941; #line 7 category c942; #line 7 category c943; #line 7 category c944; #line 7 category c945; #line 7 category c946; #line 7 category c947; #line 7 category c948; #line 7 category c949; #line 7 category c950; #line 7 category c951; #line 7 category c952; #line 
7 category c953; #line 7 category c954; #line 7 category c955; #line 7 category c956; #line 7 category c957; #line 7 category c958; #line 7 category c959; #line 7 category c960; #line 7 category c961; #line 7 category c962; #line 7 category c963; #line 7 category c964; #line 7 category c965; #line 7 category c966; #line 7 category c967; #line 7 category c968; #line 7 category c969; #line 7 category c970; #line 7 category c971; #line 7 category c972; #line 7 category c973; #line 7 category c974; #line 7 category c975; #line 7 category c976; #line 7 category c977; #line 7 category c978; #line 7 category c979; #line 7 category c980; #line 7 category c981; #line 7 category c982; #line 7 category c983; #line 7 category c984; #line 7 category c985; #line 7 category c986; #line 7 category c987; #line 7 category c988; #line 7 category c989; #line 7 category c990; #line 7 category c991; #line 7 category c992; #line 7 category c993; #line 7 category c994; #line 7 category c995; #line 7 category c996; #line 7 category c997; #line 7 category c998; #line 7 category c999; #line 7 category c1000; #line 7 category c1001; #line 7 category c1002; #line 7 category c1003; #line 7 category c1004; #line 7 category c1005; #line 7 category c1006; #line 7 category c1007; #line 7 category c1008; #line 7 category c1009; #line 7 category c1010; #line 7 category c1011; #line 7 category c1012; #line 7 category c1013; #line 7 category c1014; #line 7 category c1015; #line 7 category c1016; #line 7 category c1017; #line 7 category c1018; #line 7 category c1019; #line 7 category c1020; #line 7 category c1021; #line 7 category c1022; #line 7 category c1023; #line 7 # Generate level definitions for each sensitivity and category. level s0:c0.c1023; #line 10 #line 1 "system/sepolicy/private/mls" ################################################# # MLS policy constraints # # # Process constraints # # Process transition: Require equivalence unless the subject is trusted. 
# MLS constraint set for the core policy (system/sepolicy/private/mls).
# In a constraint expression the subject (source) context is t1 (type),
# l1 (low level) and h1 (high level); the object (target) context is t2, l2
# and h2. "eq" requires the two levels to be equal, "dom" requires the left
# level to dominate the right one. Types carrying the mlstrustedsubject /
# mlstrustedobject attributes are exempted from most, but not all, of the
# constraints below; the exceptions are called out where they occur.
# A transition (or dyntransition) must keep the whole range (low and high)
# unless the subject is trusted.
mlsconstrain process { transition dyntransition } ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
# Process read operations: No read up unless trusted.
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share } (l1 dom l2 or t1 == mlstrustedsubject);
# Process write operations: Require equivalence unless trusted.
# Note that ptrace and share appear in both the read and the write set, so
# both constraints apply to them and an untrusted subject needs l1 eq l2.
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share } (l1 eq l2 or t1 == mlstrustedsubject);
#
# Socket constraints
#
# Create/relabel operations: Subject must be equivalent to object unless
# the subject is trusted. Sockets inherit the range of their creator.
# The class list covers every socket class declared in security_classes,
# including the per-address-family classes enabled by extended_socket_class.
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } { create relabelfrom relabelto } ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
# Datagram send: Sender must be equivalent to the receiver unless one of them
# is trusted.
mlsconstrain unix_dgram_socket { sendto } (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
# Stream connect: Client must be equivalent to server unless one of them
# is trusted.
mlsconstrain unix_stream_socket { connectto } (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
#
# Directory/file constraints
#
# Create/relabel operations: Subject must be equivalent to object unless
# the subject is trusted. Also, files should always be single-level.
# Do NOT exempt mlstrustedobject types from this constraint.
# "l2 eq h2" is what enforces the single-level requirement on the object;
# it is required unconditionally, even for a trusted subject.
mlsconstrain { dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create relabelfrom relabelto } (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
#
# Userfaultfd constraints
#
# To enforce that anonymous inodes are self contained in the application's process.
# This constraint has no mlstrustedsubject / mlstrustedobject exemption at
# all: strict level equivalence is required for every listed permission.
mlsconstrain anon_inode { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute open execmod } (l1 eq l2);
#
# Constraints for app data files only.
#
# Only constrain open, not read/write, so already open fds can be used.
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
# Subject must dominate object unless the subject is trusted.
# The leading "t2 != ..." disjunct makes each of these constraints a no-op
# for objects that are not app data (the non-app rules further down cover
# those instead).
mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir } (t2 != app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject);
mlsconstrain { file sock_file } { open setattr unlink link rename } ( (t2 != app_data_file_type and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
# For symlinks in app data files, require equivalence in order to manipulate or follow (read).
# privapp_data_file is excluded from this equivalence rule by the first
# disjunct and is instead covered by the dominance rule that follows.
mlsconstrain { lnk_file } { open setattr unlink link rename read } ( (t2 != app_data_file_type or t2 == privapp_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
# But for priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
# TODO: Migrate to equivalence when it's no longer needed.
mlsconstrain { lnk_file } { open setattr unlink link rename read } ( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
#
# Constraints for file types other than app data files.
#
# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
# app_data_file_type (and appdomain_tmpfs for the file classes) is exempted
# here because the app-data constraints above already apply to it.
# The mlsvendorcompat exemption is deliberately narrow: it only covers
# system_data_file and user_profile_root_file directories.
mlsconstrain dir { read getattr search } (t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_root_file) ) );
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute } (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Write operations: Subject must be equivalent to the object unless the
# subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir } (t2 == app_data_file_type or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename } (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
# creating process' label. Thus we also have an exemption when the "object"
# is a domain type, so that processes can communicate via unnamed pipes
# passed by binder or local socket IPC.
# "t2 == domain" matches any process type, so the exemption applies to
# every unnamed pipe regardless of which domain created it.
mlsconstrain fifo_file { read getattr } (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
mlsconstrain fifo_file { write setattr append unlink link rename } (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
#
# Binder IPC constraints
#
# Presently commented out, as apps are expected to call one another.
# This would only make sense if apps were assigned categories
# based on allowable communications rather than per-app categories.
#mlsconstrain binder call
# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
#line 1 "system/sepolicy/private/policy_capabilities"
# Policy capabilities: each policycap statement opts the loaded policy into
# an additional permission check or class split described in its comment.
# A capability that is commented out stays disabled in this policy no
# matter what the running kernel supports.
# Enable new networking controls.
policycap network_peer_controls;
# Enable open permission check.
policycap open_perms;
# Enable separate security classes for
# all network address families previously
# mapped to the socket class and for
# ICMP and SCTP sockets previously mapped
# to the rawip_socket class.
policycap extended_socket_class;
# Enable NoNewPrivileges support. Requires libsepol 2.7+
# and kernel 4.14 (estimated).
#
# Checks enabled;
# process2: nnp_transition, nosuid_transition
# policycap nnp_nosuid_transition;
# NOTE(review): nnp_nosuid_transition is left commented out, so the
# process2 nnp_transition / nosuid_transition checks it would enable are
# not in effect here; confirm this is still intended for the target
# toolchain and kernel.
#line 1 "system/sepolicy/flagging/te_macros"
####################################
# is_flag_enabled(flag, rules)
# SELinux rules which apply only if given feature is turned on
####################################
# is_flag_disabled(flag, rules)
# SELinux rules which apply only if given feature is turned off
#line 1 "system/sepolicy/public/te_macros"
#####################################
# domain_trans(olddomain, type, newdomain)
# Allow a transition from olddomain to newdomain
# upon executing a file labeled with type.
# This only allows the transition; it does not
# cause it to occur automatically - use domain_auto_trans
# if that is what you want.
#
#line 21
#####################################
# domain_auto_trans(olddomain, type, newdomain)
# Automatically transition from olddomain to newdomain
# upon executing a file labeled with type.
#
#line 33
#####################################
# file_type_trans(domain, dir_type, file_type)
# Allow domain to create a file labeled file_type in a
# directory labeled dir_type.
# This only allows the transition; it does not
# cause it to occur automatically - use file_type_auto_trans
# if that is what you want.
# #line 49 ##################################### # file_type_auto_trans(domain, dir_type, file_type) # Automatically label new files with file_type when # they are created by domain in directories labeled dir_type. # #line 62 ##################################### # r_dir_file(domain, type) # Allow the specified domain to read directories, files # and symbolic links of the specified type. #line 71 ##################################### # tmpfs_domain(domain) # Allow access to a unique type for this domain when creating tmpfs / ashmem files. #line 79 # pdx macros for IPC. pdx is a high-level name which contains transport-specific # rules from underlying transport (e.g. UDS-based implementation). ##################################### # pdx_service_attributes(service) # Defines type attribute used to identify various service-related types. #line 92 ##################################### # pdx_service_socket_types(service, endpoint_dir_t) # Define types for endpoint and channel sockets. #line 105 ##################################### # pdx_server(server_domain, service) #line 124 ##################################### # pdx_connect(client, service) #line 134 ##################################### # pdx_use(client, service) #line 149 ##################################### # pdx_client(client, service) #line 156 ##################################### # init_daemon_domain(domain) # Set up a transition from init to the daemon domain # upon executing its binary. #line 164 #################################### # userfaultfd_use(domain) # Allow domain to create/use userfaultfd. #line 179 #################################### # virtualizationservice_use(domain) # Allow domain to create and communicate with a virtual machine using # virtualizationservice and virtualizationmanager. #line 204 ##################################### # app_domain(domain) # Allow a base set of permissions required for all apps. 
#line 226 ##################################### # untrusted_app_domain(domain) # Allow a base set of permissions required for all untrusted apps. #line 233 ##################################### # isolated_app_domain(domain) # Allow a base set of permissions required for all isolated apps. #line 240 ##################################### # net_domain(domain) # Allow a base set of permissions required for network access. #line 247 ##################################### # bluetooth_domain(domain) # Allow a base set of permissions required for bluetooth access. #line 254 ##################################### # hal_attribute(hal_name) # Add an attribute for hal implementations along with necessary # restrictions. #line 276 ##################################### # hal_server_domain(domain, hal_type) # Allow a base set of permissions required for a domain to offer a # HAL implementation of the specified type over HwBinder. # # For example, default implementation of Foo HAL: # type hal_foo_default, domain; # hal_server_domain(hal_foo_default, hal_foo) # #line 291 ##################################### # hal_client_domain(domain, hal_type) # Allow a base set of permissions required for a domain to be a # client of a HAL of the specified type. # # For example, make some_domain a client of Foo HAL: # hal_client_domain(some_domain, hal_foo) # #line 315 ##################################### # passthrough_hal_client_domain(domain, hal_type) # Allow a base set of permissions required for a domain to be a # client of a passthrough HAL of the specified type. # # For example, make some_domain a client of passthrough Foo HAL: # passthrough_hal_client_domain(some_domain, hal_foo) # #line 333 ##################################### # unix_socket_connect(clientdomain, socket, serverdomain) # Allow a local socket connection from clientdomain via # socket to serverdomain. 
# # Note: If you see denial records that distill to the # following allow rules: # allow clientdomain property_socket:sock_file write; # allow clientdomain init:unix_stream_socket connectto; # allow clientdomain something_prop:property_service set; # # This sequence is indicative of attempting to set a property. # use set_prop(sourcedomain, targetproperty) # #line 352 ##################################### # set_prop(sourcedomain, targetproperty) # Allows source domain to set the # targetproperty. # #line 363 ##################################### # get_prop(sourcedomain, targetproperty) # Allows source domain to read the # targetproperty. # #line 372 ##################################### # unix_socket_send(clientdomain, socket, serverdomain) # Allow a local socket send from clientdomain via # socket to serverdomain. #line 381 ##################################### # binder_use(domain) # Allow domain to use Binder IPC. #line 397 ##################################### # hwbinder_use(domain) # Allow domain to use HwBinder IPC. #line 413 ##################################### # vndbinder_use(domain) # Allow domain to use Binder IPC. #line 427 ##################################### # binder_call(clientdomain, serverdomain) # Allow clientdomain to perform binder IPC to serverdomain. #line 439 ##################################### # binder_service(domain) # Deprecated. Consider granting the exact permissions required by your service. #line 446 ##################################### # wakelock_use(domain) # Allow domain to manage wake locks #line 468 ##################################### # selinux_check_access(domain) # Allow domain to check SELinux permissions via selinuxfs. #line 478 ##################################### # selinux_check_context(domain) # Allow domain to check SELinux contexts via selinuxfs. #line 487 ##################################### # create_pty(domain) # Allow domain to create and use a pty, isolated from any other domain ptys. 
#line 506 ##################################### # Non system_app application set # ##################################### # Recovery only # SELinux rules which apply only to recovery mode # ##################################### # Not recovery # SELinux rules which apply only to non-recovery (normal) mode # ##################################### # Full TREBLE only # SELinux rules which apply only to full TREBLE devices # #line 534 ##################################### # Not full TREBLE # SELinux rules which apply only to devices which are not full TREBLE devices # ##################################### # enforce_debugfs_restriction # SELinux rules which apply to devices that enable debugfs restrictions. # The keyword "cts" is used to insert markers to only CTS test the neverallows # added by the macro for S-launch devices and newer. #line 552 ##################################### # no_debugfs_restriction # SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds. ##################################### # Compatible property only # SELinux rules which apply only to devices with compatible property # #line 568 ##################################### # Not compatible property # SELinux rules which apply only to devices without compatible property # ##################################### # Userdebug or eng builds # SELinux rules which apply only to userdebug or eng builds # ##################################### # asan builds # SELinux rules which apply only to asan builds # ##################################### # native coverage builds # SELinux rules which apply only to builds with native coverage # ##################################### # Build-time-only test # SELinux rules which are verified during build, but not as part of *TS testing. # #################################### # Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp). 
# #line 618 ##################################### # WITH_DEXPREOPT builds # SELinux rules which apply only when pre-opting. # ##################################### # write_logd(domain) # Ability to write to android log # daemon via sockets #line 633 ##################################### # read_logd(domain) # Ability to run logcat and read from android # log daemon via sockets #line 642 ##################################### # read_runtime_log_tags(domain) # Ability to directly map the runtime event log tags #line 649 ##################################### # control_logd(domain) # Ability to control # android log daemon via sockets #line 659 ##################################### # use_keystore(domain) # Ability to use keystore. # Keystore requires the following permissions # to call getpidcon. #line 675 ##################################### # use_credstore(domain) # Ability to use credstore. #line 687 ########################################### # use_drmservice(domain) # Ability to use DrmService which requires # DrmService to call getpidcon. #line 697 ########################################### # add_service(domain, service) # Ability for domain to add a service to service_manager # and find it. It also creates a neverallow preventing # others from adding it. #line 713 ########################################### # add_hwservice(domain, service) # Ability for domain to add a service to hwservice_manager # and find it. It also creates a neverallow preventing # others from adding it. #line 724 ########################################### # hal_attribute_hwservice(attribute, service) # Ability for domain to get a service to hwservice_manager # and find it. It also creates a neverallow preventing # others from adding it. # # Used to pair hal_foo_client with hal_foo_hwservice #line 743 ########################################### # hal_attribute_service(attribute, service) # Ability for domain to get a service to service_manager # and find it. 
It also creates a neverallow preventing # others from adding it. # # Used to pair hal_foo_client with hal_foo_service #line 771 ################################### # can_profile_heap(domain) # Allow processes within the domain to have their heap profiled by central # heapprofd. #line 801 ################################### # never_profile_heap(domain) # Opt out of heap profiling by heapprofd. #line 809 ################################### # can_profile_perf(domain) # Allow processes within the domain to be profiled, and have their stacks # sampled, by traced_perf. #line 829 ################################### # never_profile_perf(domain) # Opt out of profiling by traced_perf. #line 837 ################################### # perfetto_producer(domain) # Allow processes within the domain to write data to Perfetto. # When applying this macro, you might need to also allow traced to use the # producer tmpfs domain, if the producer will be the one creating the shared # memory. #line 854 ########################################### # dump_hal(hal_type) # Ability to dump the hal debug info # #line 864 ##################################### # treble_sysprop_neverallow(rules) # SELinux neverallow rules which enforce the accessibility of each property # outside the owner. # # For devices launching with R or later, exported properties must be explicitly marked as # "restricted" or "public", depending on the accessibility outside the owner. # For devices launching with Q or earlier, these neverallow rules can be relaxed by defining # BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk. # See {partition}_{accessibility}_prop macros below. # # CTS uses these rules only for devices launching with R or later. # # TODO(b/131162102): deprecate BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW # #line 886 ##################################### # enforce_sysprop_owner(rules) # SELinux neverallow rules which enforce the owner of each property. 
# # For devices launching with S or later, all properties must be explicitly marked as one of: # system_property_type, vendor_property_type, or product_property_type. # For devices launching with R or earlier, these neverallow rules can be relaxed by defining # BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true on BoardConfig.mk. # See {partition}_{accessibility}_prop macros below. # # CTS uses these rules only for devices launching with S or later. # #line 905 ########################################### # define_prop(name, owner, scope) # Define a property with given owner and scope # #line 913 ########################################### # system_internal_prop(name) # Define a /system-owned property used only in /system # For devices launching with Q or earlier, this restriction can be relaxed with # BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true # #line 926 ########################################### # system_restricted_prop(name) # Define a /system-owned property which can't be written outside /system # For devices launching with Q or earlier, this restriction can be relaxed with # BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true # #line 939 ########################################### # system_public_prop(name) # Define a /system-owned property with no restrictions # ########################################### # system_vendor_config_prop(name) # Define a /system-owned property which can only be written by vendor_init # This is a macro for vendor-specific configuration properties which are meant # to be set once from vendor_init. 
# #line 957 ########################################### # product_internal_prop(name) # Define a /product-owned property used only in /product # For devices launching with Q or earlier, this restriction can be relaxed with # BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true # #line 970 ########################################### # product_restricted_prop(name) # Define a /product-owned property which can't be written outside /product # For devices launching with Q or earlier, this restriction can be relaxed with # BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true # #line 983 ########################################### # product_public_prop(name) # Define a /product-owned property with no restrictions # ########################################### # vendor_internal_prop(name) # Define a /vendor-owned property used only in /vendor # For devices launching with Q or earlier, this restriction can be relaxed with # BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true # #line 1003 ########################################### # vendor_restricted_prop(name) # Define a /vendor-owned property which can't be written outside /vendor # For devices launching with Q or earlier, this restriction can be relaxed with # BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true # #line 1017 ########################################### # vendor_public_prop(name) # Define a /vendor-owned property with no restrictions # ##################################### # read_fstab(domain) # Ability to call ReadDefaultFstab() and ReadFstabFromFile(). # #line 1033 ###################################### # use_bootstrap_libs(domain) # Allow domain to use bootstrap bionic libraries in system/lib[64]/bootstrap #line 1041 ###################################### # use_apex_info(domain) # Allow access to apex information #line 1050 #################################### # io_uring_use(domain) # Allow domain to create/use io_uring. 
#line 1068
#line 1 "system/sepolicy/public/ioctl_defines"
#line 1 "system/sepolicy/public/ioctl_macros"
# socket ioctls allowed to unprivileged apps
#line 12
# socket ioctls never allowed to unprivileged apps
#line 42
# commonly used ioctls on unix sockets
#line 47
# commonly used TTY ioctls
# merge with unpriv_unix_sock_ioctls?
#line 54
# point to point ioctls
#line 68
# unprivileged binder ioctls
#line 77
#line 1 "system/sepolicy/public/attributes"
######################################
# Attribute declarations
#
# NOTE(review): only the comments of ioctl_macros survive above — the macro
# bodies leave no policy text in this expanded output. The `#line N` markers
# throughout appear to be preprocessor synclines naming the source file/line
# each statement came from; they are comments to the policy compiler.
#
# All types used for devices.
# On change, update CHECK_FC_ASSERT_ATTRS
# in tools/checkfc.c
attribute dev_type;
# Attribute for all bpf filesystem subtypes.
attribute bpffs_type;
# All types used for processes.
attribute domain;
# All types used for filesystems.
# On change, update CHECK_FC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute fs_type;
# All types used for context= mounts.
attribute contextmount_type;
# All types referencing a FUSE filesystem.
# When mounting a new FUSE filesystem, the fscontext= option should be used to
# set a domain-specific type with this attribute. See app_fusefs for an
# example.
attribute fusefs_type;
# All types used for files that can exist on a labeled fs.
# Do not use for pseudo file types.
# On change, update CHECK_FC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute file_type;
# All types used for domain entry points.
attribute exec_type;
# All types used for /data files.
# `expandattribute ... false` keeps data_file_type (and core_data_file_type
# below) un-expanded; the hal_* comments later in this file note that
# neverallow rules targeting an expanded attribute cannot be verified by CTS.
attribute data_file_type;
expandattribute data_file_type false;
# All types in /data, not in /data/vendor
attribute core_data_file_type;
expandattribute core_data_file_type false;
# All types used for app private data files in seapp_contexts.
# Such types should not be applied to any other files.
# Filesystem, proc/sys/debug/trace, network and property attributes
# (continuation of the public/attributes declarations).
attribute app_data_file_type;
expandattribute app_data_file_type false;
# All types in /system
attribute system_file_type;
# All types in /system_dlkm
attribute system_dlkm_file_type;
# All types in /vendor
attribute vendor_file_type;
# All types used for procfs files.
attribute proc_type;
expandattribute proc_type false;
# Types in /proc/net, excluding qtaguid types.
# TODO(b/9496886) Lock down access to /proc/net.
# This attribute is used to audit access to proc_net. It is temporary and will
# be removed.
# NOTE(review): unlike proc_type above, this attribute is expanded
# (expandattribute true). Per the hal_* comments later in this file, rules
# targeting an expanded attribute cannot be verified by CTS, which is
# consistent with its stated audit-only, temporary purpose.
attribute proc_net_type;
expandattribute proc_net_type true;
# All types used for sysfs files.
attribute sysfs_type;
# All types used for debugfs files.
attribute debugfs_type;
# All types used for tracefs files.
attribute tracefs_type;
# Attribute used for all sdcards
attribute sdcard_type;
# All types used for nodes/hosts.
attribute node_type;
# All types used for network interfaces.
attribute netif_type;
# All types used for network ports.
attribute port_type;
# All types used for property service
# On change, update CHECK_PC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute property_type;
# All properties defined in core SELinux policy. Should not be
# used by device specific properties
attribute core_property_type;
# All properties used to configure log filtering.
attribute log_property_type;
# All properties that are not specific to device but are added from
# outside of AOSP. (e.g. OEM-specific properties)
# These properties are not accessible from device-specific domains
attribute extended_core_property_type;
# Properties used for representing ownership. All properties should have one
# of: system_property_type, product_property_type, or vendor_property_type.
# All properties defined by /system.
attribute system_property_type;
expandattribute system_property_type false;
# All /system-defined properties used only in /system.
# Property-ownership attributes (system/vendor scopes), keystore2 key labels,
# and the servicemanager/hwservicemanager service attributes.
attribute system_internal_property_type;
expandattribute system_internal_property_type false;
# All /system-defined properties which can't be written outside /system.
attribute system_restricted_property_type;
expandattribute system_restricted_property_type false;
# All /system-defined properties with no restrictions.
attribute system_public_property_type;
expandattribute system_public_property_type false;
# All keystore2_key labels.
# (Not a property attribute, even though it is declared among the
# *_property_type attributes.)
attribute keystore2_key_type;
# All properties defined by /product.
# Currently there are no enforcements between /system and /product, so for now
# /product attributes are just replaced with /system attributes.
# NOTE(review): as a result no product_property_type or
# product_*_property_type attribute is declared here, although the ownership
# comment above lists product_property_type as one of the three owners;
# /product property ownership is therefore not enforced separately from
# /system in this policy.
# All properties defined by /vendor.
attribute vendor_property_type;
expandattribute vendor_property_type false;
# All /vendor-defined properties used only in /vendor.
attribute vendor_internal_property_type;
expandattribute vendor_internal_property_type false;
# All /vendor-defined properties which can't be written outside /vendor.
attribute vendor_restricted_property_type;
expandattribute vendor_restricted_property_type false;
# All /vendor-defined properties with no restrictions.
attribute vendor_public_property_type;
expandattribute vendor_public_property_type false;
# All service_manager types created by system_server
attribute system_server_service;
# services which should be available to all but isolated apps
attribute app_api_service;
# services which should be available to all ephemeral apps
attribute ephemeral_app_api_service;
# services which export only system_api
attribute system_api_service;
# services which are explicitly disallowed for untrusted apps to access
attribute protected_service;
# All types used for services managed by servicemanager.
# On change, update CHECK_SC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute service_manager_type;
# All types used for services managed by hwservicemanager
attribute hwservice_manager_type;
# All HwBinder services guaranteed to be passthrough.
# These services always run
# in the process of their clients, and thus operate with the same access as
# their clients.
attribute same_process_hwservice;
# All HwBinder services guaranteed to be offered only by core domain components
attribute coredomain_hwservice;
# All HwBinder services that untrusted apps can't directly access
attribute protected_hwservice;
# All types used for services managed by vndservicemanager
attribute vndservice_manager_type;
# All services declared as part of an HAL
attribute hal_service_type;
# All domains that can override MLS restrictions.
# i.e. processes that can read up and write down.
# NOTE(review): membership in mlstrustedsubject / mlstrustedobject bypasses
# the MLS constraints, so any type added to either is effectively a
# privilege grant and deserves the same review as an allow rule.
attribute mlstrustedsubject;
# All types that can override MLS restrictions.
# i.e. files that can be read by lower and written by higher
attribute mlstrustedobject;
# All domains used for apps.
attribute appdomain;
# All third party apps (except isolated_app and ephemeral_app)
attribute untrusted_app_all;
# All apps with UID between AID_ISOLATED_START (99000) and AID_ISOLATED_END (99999).
attribute isolated_app_all;
# All service types that would be allowed for isolated_compute_app.
attribute isolated_compute_allowed_service;
# All device types that would be allowed for isolated_compute_app.
attribute isolated_compute_allowed_device;
# All domains used for apps with network access.
attribute netdomain;
# All domains used for apps with bluetooth access.
attribute bluetoothdomain;
# Specific domains that expose a binder service.
# Deprecated, consider granting the exact permissions required by your service.
attribute binderservicedomain;
# All domains which have BPF access.
attribute bpfdomain;
expandattribute bpfdomain false;
# update_engine related domains that need to apply an update and run
# postinstall. This includes the background daemon and the sideload tool from
# recovery for A/B devices.
attribute update_engine_common;
# All core domains (as opposed to vendor/device-specific domains)
attribute coredomain;
# All vendor hwservice.
# Treble boundary "violator" attributes. Each one names the domains that are
# exempted from one system/vendor separation requirement (see the comment on
# each); all are kept un-expanded (expandattribute false) so that rules can
# still address them. Adding a type to any of these widens the core/vendor
# boundary and should be treated as a tracked exception, not a default.
attribute vendor_hwservice_type;
# All socket devices owned by core domain components
attribute coredomain_socket;
expandattribute coredomain_socket false;
# All vendor domains which violate the requirement of not using sockets for
# communicating with core components
# TODO(b/36577153): Remove this once there are no violations
attribute socket_between_core_and_vendor_violators;
expandattribute socket_between_core_and_vendor_violators false;
# All vendor domains which violate the requirement of not executing
# system processes
# TODO(b/36463595)
attribute vendor_executes_system_violators;
expandattribute vendor_executes_system_violators false;
# All domains which violate the requirement of not sharing files by path
# between vendor and core domains.
# TODO(b/34980020)
attribute data_between_core_and_vendor_violators;
expandattribute data_between_core_and_vendor_violators false;
# All system domains which violate the requirement of not executing vendor
# binaries/libraries.
# TODO(b/62041836)
attribute system_executes_vendor_violators;
expandattribute system_executes_vendor_violators false;
# All system domains which violate the requirement of not writing vendor
# properties.
# TODO(b/78598545): Remove this once there are no violations
attribute system_writes_vendor_properties_violators;
expandattribute system_writes_vendor_properties_violators false;
# All system domains which violate the requirement of not writing to
# /mnt/vendor/*. Must not be used on devices launched with P or later.
attribute system_writes_mnt_vendor_violators;
expandattribute system_writes_mnt_vendor_violators false;
# hwservices that are accessible from untrusted applications
# WARNING: Use of this attribute should be avoided unless
# absolutely necessary.
# It is a temporary allowance to aid the
# transition to treble and will be removed in a future platform
# version, requiring all hwservices that are labeled with this
# attribute to be submitted to AOSP in order to maintain their
# app-visibility.
# NOTE(review): both untrusted_app_visible_* attributes below expose HAL
# surface directly to untrusted apps; they are kept un-expanded
# (expandattribute false) so neverallow rules can still name them.
attribute untrusted_app_visible_hwservice_violators;
expandattribute untrusted_app_visible_hwservice_violators false;
# halserver domains that are accessible to untrusted applications. These
# domains are typically those hosting hwservices attributed by the
# untrusted_app_visible_hwservice_violators.
# WARNING: Use of this attribute should be avoided unless absolutely necessary.
# It is a temporary allowance to aid the transition to treble and will be
# removed in a future platform version, requiring all halserver domains that
# are labeled with this attribute to be submitted to AOSP in order to maintain
# their app-visibility.
attribute untrusted_app_visible_halserver_violators;
expandattribute untrusted_app_visible_halserver_violators false;
# PDX services
# Each `#line 31x` group below declares the four per-service PDX types
# (endpoint dir, endpoint socket, channel socket, server) for one service.
attribute pdx_endpoint_dir_type;
attribute pdx_endpoint_socket_type;
expandattribute pdx_endpoint_socket_type false;
attribute pdx_channel_socket_type;
expandattribute pdx_channel_socket_type false;
#line 310
attribute pdx_display_client_endpoint_dir_type;
#line 310
attribute pdx_display_client_endpoint_socket_type;
#line 310
attribute pdx_display_client_channel_socket_type;
#line 310
attribute pdx_display_client_server_type;
#line 310
#line 311
attribute pdx_display_manager_endpoint_dir_type;
#line 311
attribute pdx_display_manager_endpoint_socket_type;
#line 311
attribute pdx_display_manager_channel_socket_type;
#line 311
attribute pdx_display_manager_server_type;
#line 311
#line 312
attribute pdx_display_screenshot_endpoint_dir_type;
#line 312
attribute pdx_display_screenshot_endpoint_socket_type;
#line 312
attribute pdx_display_screenshot_channel_socket_type;
#line 312
attribute pdx_display_screenshot_server_type;
#line 312
#line 313
attribute
pdx_display_vsync_endpoint_dir_type;
#line 313
attribute pdx_display_vsync_endpoint_socket_type;
#line 313
attribute pdx_display_vsync_channel_socket_type;
#line 313
attribute pdx_display_vsync_server_type;
#line 313
#line 314
attribute pdx_performance_client_endpoint_dir_type;
#line 314
attribute pdx_performance_client_endpoint_socket_type;
#line 314
attribute pdx_performance_client_channel_socket_type;
#line 314
attribute pdx_performance_client_server_type;
#line 314
#line 315
attribute pdx_bufferhub_client_endpoint_dir_type;
#line 315
attribute pdx_bufferhub_client_endpoint_socket_type;
#line 315
attribute pdx_bufferhub_client_channel_socket_type;
#line 315
attribute pdx_bufferhub_client_server_type;
#line 315
# All HAL servers
attribute halserverdomain;
# All HAL clients
# halclientdomain is expanded (expandattribute true); the note under each
# hal_* group below explains that neverallow rules targeting expanded
# attributes cannot be verified by CTS.
attribute halclientdomain;
expandattribute halclientdomain true;
# Exemption for halserverdomain to access sockets. Only builds for automotive
# device types are allowed to use this attribute (enforced by CTS).
# Unlike phone, in a car many modules are external from Android perspective and
# HALs should be able to communicate with those devices through sockets.
attribute hal_automotive_socket_exemption;
# HALs
# Start of the per-HAL groups (hal_X, hal_X_client, hal_X_server plus a
# neverallow on hal_X_server domains outside halserverdomain); the group for
# hal_allocator continues past the end of this span.
#line 330
attribute hal_allocator;
#line 330
expandattribute hal_allocator true;
#line 330
attribute hal_allocator_client;
#line 330
expandattribute hal_allocator_client true;
#line 330
attribute hal_allocator_server;
#line 330
expandattribute hal_allocator_server false;
#line 330

#line 330
neverallow { hal_allocator_server -halserverdomain } domain:process fork;
#line 330
# hal_*_client and halclientdomain attributes are always expanded for
#line 330
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 330
# verified by CTS since these attributes are already expanded by that time.
# Per-HAL attribute groups. Each `#line N` marker points at the single
# public/attributes line that produced its group. Every group declares
#   hal_X         (expandattribute true)
#   hal_X_client  (expandattribute true)
#   hal_X_server  (expandattribute false)
# followed by
#   neverallow { hal_X_server -halserverdomain } domain:process fork;
# which denies process:fork to any domain that carries hal_X_server without
# also being a halserverdomain. NOTE(review): this reads as a build-time
# assertion that every HAL server domain is a halserverdomain, with the fork
# permission merely the vehicle — inferred from the rule's shape; confirm
# against the originating macro. hal_X_server is the only member kept
# un-expanded, consistent with the repeated note that neverallow rules
# targeting expanded attributes cannot be verified by CTS. The trailing `;`
# that closes each group is a leftover from the macro invocation.
# The group for hal_allocator begins before this span; the group for
# hal_macsec continues after it.
#line 330

#line 330
;
#line 331
attribute hal_atrace;
#line 331
expandattribute hal_atrace true;
#line 331
attribute hal_atrace_client;
#line 331
expandattribute hal_atrace_client true;
#line 331
attribute hal_atrace_server;
#line 331
expandattribute hal_atrace_server false;
#line 331

#line 331
neverallow { hal_atrace_server -halserverdomain } domain:process fork;
#line 331
# hal_*_client and halclientdomain attributes are always expanded for
#line 331
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 331
# verified by CTS since these attributes are already expanded by that time.
#line 331

#line 331
;
#line 332
attribute hal_audio;
#line 332
expandattribute hal_audio true;
#line 332
attribute hal_audio_client;
#line 332
expandattribute hal_audio_client true;
#line 332
attribute hal_audio_server;
#line 332
expandattribute hal_audio_server false;
#line 332

#line 332
neverallow { hal_audio_server -halserverdomain } domain:process fork;
#line 332
# hal_*_client and halclientdomain attributes are always expanded for
#line 332
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 332
# verified by CTS since these attributes are already expanded by that time.
#line 332

#line 332
;
#line 333
attribute hal_audiocontrol;
#line 333
expandattribute hal_audiocontrol true;
#line 333
attribute hal_audiocontrol_client;
#line 333
expandattribute hal_audiocontrol_client true;
#line 333
attribute hal_audiocontrol_server;
#line 333
expandattribute hal_audiocontrol_server false;
#line 333

#line 333
neverallow { hal_audiocontrol_server -halserverdomain } domain:process fork;
#line 333
# hal_*_client and halclientdomain attributes are always expanded for
#line 333
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 333
# verified by CTS since these attributes are already expanded by that time.
#line 333

#line 333
;
#line 334
attribute hal_authgraph;
#line 334
expandattribute hal_authgraph true;
#line 334
attribute hal_authgraph_client;
#line 334
expandattribute hal_authgraph_client true;
#line 334
attribute hal_authgraph_server;
#line 334
expandattribute hal_authgraph_server false;
#line 334

#line 334
neverallow { hal_authgraph_server -halserverdomain } domain:process fork;
#line 334
# hal_*_client and halclientdomain attributes are always expanded for
#line 334
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 334
# verified by CTS since these attributes are already expanded by that time.
#line 334

#line 334
;
#line 335
attribute hal_authsecret;
#line 335
expandattribute hal_authsecret true;
#line 335
attribute hal_authsecret_client;
#line 335
expandattribute hal_authsecret_client true;
#line 335
attribute hal_authsecret_server;
#line 335
expandattribute hal_authsecret_server false;
#line 335

#line 335
neverallow { hal_authsecret_server -halserverdomain } domain:process fork;
#line 335
# hal_*_client and halclientdomain attributes are always expanded for
#line 335
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 335
# verified by CTS since these attributes are already expanded by that time.
#line 335

#line 335
;
#line 336
attribute hal_bluetooth;
#line 336
expandattribute hal_bluetooth true;
#line 336
attribute hal_bluetooth_client;
#line 336
expandattribute hal_bluetooth_client true;
#line 336
attribute hal_bluetooth_server;
#line 336
expandattribute hal_bluetooth_server false;
#line 336

#line 336
neverallow { hal_bluetooth_server -halserverdomain } domain:process fork;
#line 336
# hal_*_client and halclientdomain attributes are always expanded for
#line 336
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 336
# verified by CTS since these attributes are already expanded by that time.
#line 336

#line 336
;
#line 337
attribute hal_bootctl;
#line 337
expandattribute hal_bootctl true;
#line 337
attribute hal_bootctl_client;
#line 337
expandattribute hal_bootctl_client true;
#line 337
attribute hal_bootctl_server;
#line 337
expandattribute hal_bootctl_server false;
#line 337

#line 337
neverallow { hal_bootctl_server -halserverdomain } domain:process fork;
#line 337
# hal_*_client and halclientdomain attributes are always expanded for
#line 337
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 337
# verified by CTS since these attributes are already expanded by that time.
#line 337

#line 337
;
#line 338
attribute hal_broadcastradio;
#line 338
expandattribute hal_broadcastradio true;
#line 338
attribute hal_broadcastradio_client;
#line 338
expandattribute hal_broadcastradio_client true;
#line 338
attribute hal_broadcastradio_server;
#line 338
expandattribute hal_broadcastradio_server false;
#line 338

#line 338
neverallow { hal_broadcastradio_server -halserverdomain } domain:process fork;
#line 338
# hal_*_client and halclientdomain attributes are always expanded for
#line 338
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 338
# verified by CTS since these attributes are already expanded by that time.
#line 338

#line 338
;
#line 339
attribute hal_camera;
#line 339
expandattribute hal_camera true;
#line 339
attribute hal_camera_client;
#line 339
expandattribute hal_camera_client true;
#line 339
attribute hal_camera_server;
#line 339
expandattribute hal_camera_server false;
#line 339

#line 339
neverallow { hal_camera_server -halserverdomain } domain:process fork;
#line 339
# hal_*_client and halclientdomain attributes are always expanded for
#line 339
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 339
# verified by CTS since these attributes are already expanded by that time.
#line 339

#line 339
;
#line 340
attribute hal_can_bus;
#line 340
expandattribute hal_can_bus true;
#line 340
attribute hal_can_bus_client;
#line 340
expandattribute hal_can_bus_client true;
#line 340
attribute hal_can_bus_server;
#line 340
expandattribute hal_can_bus_server false;
#line 340

#line 340
neverallow { hal_can_bus_server -halserverdomain } domain:process fork;
#line 340
# hal_*_client and halclientdomain attributes are always expanded for
#line 340
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 340
# verified by CTS since these attributes are already expanded by that time.
#line 340

#line 340
;
#line 341
attribute hal_can_controller;
#line 341
expandattribute hal_can_controller true;
#line 341
attribute hal_can_controller_client;
#line 341
expandattribute hal_can_controller_client true;
#line 341
attribute hal_can_controller_server;
#line 341
expandattribute hal_can_controller_server false;
#line 341

#line 341
neverallow { hal_can_controller_server -halserverdomain } domain:process fork;
#line 341
# hal_*_client and halclientdomain attributes are always expanded for
#line 341
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 341
# verified by CTS since these attributes are already expanded by that time.
#line 341

#line 341
;
#line 342
attribute hal_cas;
#line 342
expandattribute hal_cas true;
#line 342
attribute hal_cas_client;
#line 342
expandattribute hal_cas_client true;
#line 342
attribute hal_cas_server;
#line 342
expandattribute hal_cas_server false;
#line 342

#line 342
neverallow { hal_cas_server -halserverdomain } domain:process fork;
#line 342
# hal_*_client and halclientdomain attributes are always expanded for
#line 342
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 342
# verified by CTS since these attributes are already expanded by that time.
#line 342

#line 342
;
#line 343
attribute hal_codec2;
#line 343
expandattribute hal_codec2 true;
#line 343
attribute hal_codec2_client;
#line 343
expandattribute hal_codec2_client true;
#line 343
attribute hal_codec2_server;
#line 343
expandattribute hal_codec2_server false;
#line 343

#line 343
neverallow { hal_codec2_server -halserverdomain } domain:process fork;
#line 343
# hal_*_client and halclientdomain attributes are always expanded for
#line 343
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 343
# verified by CTS since these attributes are already expanded by that time.
#line 343

#line 343
;
#line 344
attribute hal_configstore;
#line 344
expandattribute hal_configstore true;
#line 344
attribute hal_configstore_client;
#line 344
expandattribute hal_configstore_client true;
#line 344
attribute hal_configstore_server;
#line 344
expandattribute hal_configstore_server false;
#line 344

#line 344
neverallow { hal_configstore_server -halserverdomain } domain:process fork;
#line 344
# hal_*_client and halclientdomain attributes are always expanded for
#line 344
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 344
# verified by CTS since these attributes are already expanded by that time.
#line 344

#line 344
;
#line 345
attribute hal_confirmationui;
#line 345
expandattribute hal_confirmationui true;
#line 345
attribute hal_confirmationui_client;
#line 345
expandattribute hal_confirmationui_client true;
#line 345
attribute hal_confirmationui_server;
#line 345
expandattribute hal_confirmationui_server false;
#line 345

#line 345
neverallow { hal_confirmationui_server -halserverdomain } domain:process fork;
#line 345
# hal_*_client and halclientdomain attributes are always expanded for
#line 345
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 345
# verified by CTS since these attributes are already expanded by that time.
#line 345

#line 345
;
#line 346
attribute hal_contexthub;
#line 346
expandattribute hal_contexthub true;
#line 346
attribute hal_contexthub_client;
#line 346
expandattribute hal_contexthub_client true;
#line 346
attribute hal_contexthub_server;
#line 346
expandattribute hal_contexthub_server false;
#line 346

#line 346
neverallow { hal_contexthub_server -halserverdomain } domain:process fork;
#line 346
# hal_*_client and halclientdomain attributes are always expanded for
#line 346
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 346
# verified by CTS since these attributes are already expanded by that time.
#line 346

#line 346
;
#line 347
attribute hal_drm;
#line 347
expandattribute hal_drm true;
#line 347
attribute hal_drm_client;
#line 347
expandattribute hal_drm_client true;
#line 347
attribute hal_drm_server;
#line 347
expandattribute hal_drm_server false;
#line 347

#line 347
neverallow { hal_drm_server -halserverdomain } domain:process fork;
#line 347
# hal_*_client and halclientdomain attributes are always expanded for
#line 347
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 347
# verified by CTS since these attributes are already expanded by that time.
#line 347

#line 347
;
#line 348
attribute hal_dumpstate;
#line 348
expandattribute hal_dumpstate true;
#line 348
attribute hal_dumpstate_client;
#line 348
expandattribute hal_dumpstate_client true;
#line 348
attribute hal_dumpstate_server;
#line 348
expandattribute hal_dumpstate_server false;
#line 348

#line 348
neverallow { hal_dumpstate_server -halserverdomain } domain:process fork;
#line 348
# hal_*_client and halclientdomain attributes are always expanded for
#line 348
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 348
# verified by CTS since these attributes are already expanded by that time.
#line 348

#line 348
;
#line 349
attribute hal_evs;
#line 349
expandattribute hal_evs true;
#line 349
attribute hal_evs_client;
#line 349
expandattribute hal_evs_client true;
#line 349
attribute hal_evs_server;
#line 349
expandattribute hal_evs_server false;
#line 349

#line 349
neverallow { hal_evs_server -halserverdomain } domain:process fork;
#line 349
# hal_*_client and halclientdomain attributes are always expanded for
#line 349
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 349
# verified by CTS since these attributes are already expanded by that time.
#line 349

#line 349
;
#line 350
attribute hal_face;
#line 350
expandattribute hal_face true;
#line 350
attribute hal_face_client;
#line 350
expandattribute hal_face_client true;
#line 350
attribute hal_face_server;
#line 350
expandattribute hal_face_server false;
#line 350

#line 350
neverallow { hal_face_server -halserverdomain } domain:process fork;
#line 350
# hal_*_client and halclientdomain attributes are always expanded for
#line 350
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 350
# verified by CTS since these attributes are already expanded by that time.
#line 350

#line 350
;
#line 351
attribute hal_fastboot;
#line 351
expandattribute hal_fastboot true;
#line 351
attribute hal_fastboot_client;
#line 351
expandattribute hal_fastboot_client true;
#line 351
attribute hal_fastboot_server;
#line 351
expandattribute hal_fastboot_server false;
#line 351

#line 351
neverallow { hal_fastboot_server -halserverdomain } domain:process fork;
#line 351
# hal_*_client and halclientdomain attributes are always expanded for
#line 351
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 351
# verified by CTS since these attributes are already expanded by that time.
#line 351

#line 351
;
#line 352
attribute hal_fingerprint;
#line 352
expandattribute hal_fingerprint true;
#line 352
attribute hal_fingerprint_client;
#line 352
expandattribute hal_fingerprint_client true;
#line 352
attribute hal_fingerprint_server;
#line 352
expandattribute hal_fingerprint_server false;
#line 352

#line 352
neverallow { hal_fingerprint_server -halserverdomain } domain:process fork;
#line 352
# hal_*_client and halclientdomain attributes are always expanded for
#line 352
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 352
# verified by CTS since these attributes are already expanded by that time.
#line 352

#line 352
;
#line 353
attribute hal_gatekeeper;
#line 353
expandattribute hal_gatekeeper true;
#line 353
attribute hal_gatekeeper_client;
#line 353
expandattribute hal_gatekeeper_client true;
#line 353
attribute hal_gatekeeper_server;
#line 353
expandattribute hal_gatekeeper_server false;
#line 353

#line 353
neverallow { hal_gatekeeper_server -halserverdomain } domain:process fork;
#line 353
# hal_*_client and halclientdomain attributes are always expanded for
#line 353
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 353
# verified by CTS since these attributes are already expanded by that time.
#line 353

#line 353
;
#line 354
attribute hal_gnss;
#line 354
expandattribute hal_gnss true;
#line 354
attribute hal_gnss_client;
#line 354
expandattribute hal_gnss_client true;
#line 354
attribute hal_gnss_server;
#line 354
expandattribute hal_gnss_server false;
#line 354

#line 354
neverallow { hal_gnss_server -halserverdomain } domain:process fork;
#line 354
# hal_*_client and halclientdomain attributes are always expanded for
#line 354
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 354
# verified by CTS since these attributes are already expanded by that time.
#line 354

#line 354
;
#line 355
attribute hal_graphics_allocator;
#line 355
expandattribute hal_graphics_allocator true;
#line 355
attribute hal_graphics_allocator_client;
#line 355
expandattribute hal_graphics_allocator_client true;
#line 355
attribute hal_graphics_allocator_server;
#line 355
expandattribute hal_graphics_allocator_server false;
#line 355

#line 355
neverallow { hal_graphics_allocator_server -halserverdomain } domain:process fork;
#line 355
# hal_*_client and halclientdomain attributes are always expanded for
#line 355
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 355
# verified by CTS since these attributes are already expanded by that time.
#line 355

#line 355
;
#line 356
attribute hal_graphics_composer;
#line 356
expandattribute hal_graphics_composer true;
#line 356
attribute hal_graphics_composer_client;
#line 356
expandattribute hal_graphics_composer_client true;
#line 356
attribute hal_graphics_composer_server;
#line 356
expandattribute hal_graphics_composer_server false;
#line 356

#line 356
neverallow { hal_graphics_composer_server -halserverdomain } domain:process fork;
#line 356
# hal_*_client and halclientdomain attributes are always expanded for
#line 356
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 356
# verified by CTS since these attributes are already expanded by that time.
#line 356

#line 356
;
#line 357
attribute hal_health;
#line 357
expandattribute hal_health true;
#line 357
attribute hal_health_client;
#line 357
expandattribute hal_health_client true;
#line 357
attribute hal_health_server;
#line 357
expandattribute hal_health_server false;
#line 357

#line 357
neverallow { hal_health_server -halserverdomain } domain:process fork;
#line 357
# hal_*_client and halclientdomain attributes are always expanded for
#line 357
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 357
# verified by CTS since these attributes are already expanded by that time.
#line 357

#line 357
;
#line 358
attribute hal_health_storage;
#line 358
expandattribute hal_health_storage true;
#line 358
attribute hal_health_storage_client;
#line 358
expandattribute hal_health_storage_client true;
#line 358
attribute hal_health_storage_server;
#line 358
expandattribute hal_health_storage_server false;
#line 358

#line 358
neverallow { hal_health_storage_server -halserverdomain } domain:process fork;
#line 358
# hal_*_client and halclientdomain attributes are always expanded for
#line 358
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 358
# verified by CTS since these attributes are already expanded by that time.
#line 358

#line 358
;
#line 359
attribute hal_identity;
#line 359
expandattribute hal_identity true;
#line 359
attribute hal_identity_client;
#line 359
expandattribute hal_identity_client true;
#line 359
attribute hal_identity_server;
#line 359
expandattribute hal_identity_server false;
#line 359

#line 359
neverallow { hal_identity_server -halserverdomain } domain:process fork;
#line 359
# hal_*_client and halclientdomain attributes are always expanded for
#line 359
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 359
# verified by CTS since these attributes are already expanded by that time.
#line 359

#line 359
;
#line 360
attribute hal_input_classifier;
#line 360
expandattribute hal_input_classifier true;
#line 360
attribute hal_input_classifier_client;
#line 360
expandattribute hal_input_classifier_client true;
#line 360
attribute hal_input_classifier_server;
#line 360
expandattribute hal_input_classifier_server false;
#line 360

#line 360
neverallow { hal_input_classifier_server -halserverdomain } domain:process fork;
#line 360
# hal_*_client and halclientdomain attributes are always expanded for
#line 360
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 360
# verified by CTS since these attributes are already expanded by that time.
#line 360

#line 360
;
#line 361
attribute hal_input_processor;
#line 361
expandattribute hal_input_processor true;
#line 361
attribute hal_input_processor_client;
#line 361
expandattribute hal_input_processor_client true;
#line 361
attribute hal_input_processor_server;
#line 361
expandattribute hal_input_processor_server false;
#line 361

#line 361
neverallow { hal_input_processor_server -halserverdomain } domain:process fork;
#line 361
# hal_*_client and halclientdomain attributes are always expanded for
#line 361
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 361
# verified by CTS since these attributes are already expanded by that time.
#line 361

#line 361
;
#line 362
attribute hal_ir;
#line 362
expandattribute hal_ir true;
#line 362
attribute hal_ir_client;
#line 362
expandattribute hal_ir_client true;
#line 362
attribute hal_ir_server;
#line 362
expandattribute hal_ir_server false;
#line 362

#line 362
neverallow { hal_ir_server -halserverdomain } domain:process fork;
#line 362
# hal_*_client and halclientdomain attributes are always expanded for
#line 362
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 362
# verified by CTS since these attributes are already expanded by that time.
#line 362

#line 362
;
#line 363
attribute hal_ivn;
#line 363
expandattribute hal_ivn true;
#line 363
attribute hal_ivn_client;
#line 363
expandattribute hal_ivn_client true;
#line 363
attribute hal_ivn_server;
#line 363
expandattribute hal_ivn_server false;
#line 363

#line 363
neverallow { hal_ivn_server -halserverdomain } domain:process fork;
#line 363
# hal_*_client and halclientdomain attributes are always expanded for
#line 363
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 363
# verified by CTS since these attributes are already expanded by that time.
#line 363

#line 363
;
#line 364
attribute hal_keymaster;
#line 364
expandattribute hal_keymaster true;
#line 364
attribute hal_keymaster_client;
#line 364
expandattribute hal_keymaster_client true;
#line 364
attribute hal_keymaster_server;
#line 364
expandattribute hal_keymaster_server false;
#line 364

#line 364
neverallow { hal_keymaster_server -halserverdomain } domain:process fork;
#line 364
# hal_*_client and halclientdomain attributes are always expanded for
#line 364
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 364
# verified by CTS since these attributes are already expanded by that time.
#line 364

#line 364
;
#line 365
attribute hal_keymint;
#line 365
expandattribute hal_keymint true;
#line 365
attribute hal_keymint_client;
#line 365
expandattribute hal_keymint_client true;
#line 365
attribute hal_keymint_server;
#line 365
expandattribute hal_keymint_server false;
#line 365

#line 365
neverallow { hal_keymint_server -halserverdomain } domain:process fork;
#line 365
# hal_*_client and halclientdomain attributes are always expanded for
#line 365
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 365
# verified by CTS since these attributes are already expanded by that time.
#line 365

#line 365
;
#line 366
attribute hal_light;
#line 366
expandattribute hal_light true;
#line 366
attribute hal_light_client;
#line 366
expandattribute hal_light_client true;
#line 366
attribute hal_light_server;
#line 366
expandattribute hal_light_server false;
#line 366

#line 366
neverallow { hal_light_server -halserverdomain } domain:process fork;
#line 366
# hal_*_client and halclientdomain attributes are always expanded for
#line 366
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 366
# verified by CTS since these attributes are already expanded by that time.
#line 366

#line 366
;
#line 367
attribute hal_lowpan;
#line 367
expandattribute hal_lowpan true;
#line 367
attribute hal_lowpan_client;
#line 367
expandattribute hal_lowpan_client true;
#line 367
attribute hal_lowpan_server;
#line 367
expandattribute hal_lowpan_server false;
#line 367

#line 367
neverallow { hal_lowpan_server -halserverdomain } domain:process fork;
#line 367
# hal_*_client and halclientdomain attributes are always expanded for
#line 367
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 367
# verified by CTS since these attributes are already expanded by that time.
#line 367

#line 367
;
#line 368
attribute hal_macsec;
#line 368
expandattribute hal_macsec true;
#line 368
attribute hal_macsec_client;
#line 368
expandattribute hal_macsec_client true;
#line 368
attribute hal_macsec_server;
#line 368
expandattribute hal_macsec_server false;
#line 368

#line 368
neverallow { hal_macsec_server -halserverdomain } domain:process fork;
#line 368
# hal_*_client and halclientdomain attributes are always expanded for
#line 368
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 368
# verified by CTS since these attributes are already expanded by that time.
#line 368 #line 368 ; #line 369 attribute hal_memtrack; #line 369 expandattribute hal_memtrack true; #line 369 attribute hal_memtrack_client; #line 369 expandattribute hal_memtrack_client true; #line 369 attribute hal_memtrack_server; #line 369 expandattribute hal_memtrack_server false; #line 369 #line 369 neverallow { hal_memtrack_server -halserverdomain } domain:process fork; #line 369 # hal_*_client and halclientdomain attributes are always expanded for #line 369 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 369 # verified by CTS since these attributes are already expanded by that time. #line 369 #line 369 ; #line 370 attribute hal_neuralnetworks; #line 370 expandattribute hal_neuralnetworks true; #line 370 attribute hal_neuralnetworks_client; #line 370 expandattribute hal_neuralnetworks_client true; #line 370 attribute hal_neuralnetworks_server; #line 370 expandattribute hal_neuralnetworks_server false; #line 370 #line 370 neverallow { hal_neuralnetworks_server -halserverdomain } domain:process fork; #line 370 # hal_*_client and halclientdomain attributes are always expanded for #line 370 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 370 # verified by CTS since these attributes are already expanded by that time. #line 370 #line 370 ; #line 371 attribute hal_nfc; #line 371 expandattribute hal_nfc true; #line 371 attribute hal_nfc_client; #line 371 expandattribute hal_nfc_client true; #line 371 attribute hal_nfc_server; #line 371 expandattribute hal_nfc_server false; #line 371 #line 371 neverallow { hal_nfc_server -halserverdomain } domain:process fork; #line 371 # hal_*_client and halclientdomain attributes are always expanded for #line 371 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 371 # verified by CTS since these attributes are already expanded by that time. 
#line 371 #line 371 ; #line 372 attribute hal_nlinterceptor; #line 372 expandattribute hal_nlinterceptor true; #line 372 attribute hal_nlinterceptor_client; #line 372 expandattribute hal_nlinterceptor_client true; #line 372 attribute hal_nlinterceptor_server; #line 372 expandattribute hal_nlinterceptor_server false; #line 372 #line 372 neverallow { hal_nlinterceptor_server -halserverdomain } domain:process fork; #line 372 # hal_*_client and halclientdomain attributes are always expanded for #line 372 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 372 # verified by CTS since these attributes are already expanded by that time. #line 372 #line 372 ; #line 373 attribute hal_oemlock; #line 373 expandattribute hal_oemlock true; #line 373 attribute hal_oemlock_client; #line 373 expandattribute hal_oemlock_client true; #line 373 attribute hal_oemlock_server; #line 373 expandattribute hal_oemlock_server false; #line 373 #line 373 neverallow { hal_oemlock_server -halserverdomain } domain:process fork; #line 373 # hal_*_client and halclientdomain attributes are always expanded for #line 373 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 373 # verified by CTS since these attributes are already expanded by that time. #line 373 #line 373 ; #line 374 attribute hal_omx; #line 374 expandattribute hal_omx true; #line 374 attribute hal_omx_client; #line 374 expandattribute hal_omx_client true; #line 374 attribute hal_omx_server; #line 374 expandattribute hal_omx_server false; #line 374 #line 374 neverallow { hal_omx_server -halserverdomain } domain:process fork; #line 374 # hal_*_client and halclientdomain attributes are always expanded for #line 374 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 374 # verified by CTS since these attributes are already expanded by that time. 
#line 374 #line 374 ; #line 375 attribute hal_power; #line 375 expandattribute hal_power true; #line 375 attribute hal_power_client; #line 375 expandattribute hal_power_client true; #line 375 attribute hal_power_server; #line 375 expandattribute hal_power_server false; #line 375 #line 375 neverallow { hal_power_server -halserverdomain } domain:process fork; #line 375 # hal_*_client and halclientdomain attributes are always expanded for #line 375 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 375 # verified by CTS since these attributes are already expanded by that time. #line 375 #line 375 ; #line 376 attribute hal_power_stats; #line 376 expandattribute hal_power_stats true; #line 376 attribute hal_power_stats_client; #line 376 expandattribute hal_power_stats_client true; #line 376 attribute hal_power_stats_server; #line 376 expandattribute hal_power_stats_server false; #line 376 #line 376 neverallow { hal_power_stats_server -halserverdomain } domain:process fork; #line 376 # hal_*_client and halclientdomain attributes are always expanded for #line 376 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 376 # verified by CTS since these attributes are already expanded by that time. #line 376 #line 376 ; #line 377 attribute hal_rebootescrow; #line 377 expandattribute hal_rebootescrow true; #line 377 attribute hal_rebootescrow_client; #line 377 expandattribute hal_rebootescrow_client true; #line 377 attribute hal_rebootescrow_server; #line 377 expandattribute hal_rebootescrow_server false; #line 377 #line 377 neverallow { hal_rebootescrow_server -halserverdomain } domain:process fork; #line 377 # hal_*_client and halclientdomain attributes are always expanded for #line 377 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 377 # verified by CTS since these attributes are already expanded by that time. 
#line 377 #line 377 ; #line 378 attribute hal_remoteaccess; #line 378 expandattribute hal_remoteaccess true; #line 378 attribute hal_remoteaccess_client; #line 378 expandattribute hal_remoteaccess_client true; #line 378 attribute hal_remoteaccess_server; #line 378 expandattribute hal_remoteaccess_server false; #line 378 #line 378 neverallow { hal_remoteaccess_server -halserverdomain } domain:process fork; #line 378 # hal_*_client and halclientdomain attributes are always expanded for #line 378 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 378 # verified by CTS since these attributes are already expanded by that time. #line 378 #line 378 ; #line 379 attribute hal_secretkeeper; #line 379 expandattribute hal_secretkeeper true; #line 379 attribute hal_secretkeeper_client; #line 379 expandattribute hal_secretkeeper_client true; #line 379 attribute hal_secretkeeper_server; #line 379 expandattribute hal_secretkeeper_server false; #line 379 #line 379 neverallow { hal_secretkeeper_server -halserverdomain } domain:process fork; #line 379 # hal_*_client and halclientdomain attributes are always expanded for #line 379 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 379 # verified by CTS since these attributes are already expanded by that time. #line 379 #line 379 ; #line 380 attribute hal_remotelyprovisionedcomponent_avf; #line 380 expandattribute hal_remotelyprovisionedcomponent_avf true; #line 380 attribute hal_remotelyprovisionedcomponent_avf_client; #line 380 expandattribute hal_remotelyprovisionedcomponent_avf_client true; #line 380 attribute hal_remotelyprovisionedcomponent_avf_server; #line 380 expandattribute hal_remotelyprovisionedcomponent_avf_server false; #line 380 #line 380 neverallow { hal_remotelyprovisionedcomponent_avf_server -halserverdomain } domain:process fork; #line 380 # hal_*_client and halclientdomain attributes are always expanded for #line 380 # performance reasons. 
Neverallow rules targeting expanded attributes can not be #line 380 # verified by CTS since these attributes are already expanded by that time. #line 380 #line 380 ; #line 381 attribute hal_secure_element; #line 381 expandattribute hal_secure_element true; #line 381 attribute hal_secure_element_client; #line 381 expandattribute hal_secure_element_client true; #line 381 attribute hal_secure_element_server; #line 381 expandattribute hal_secure_element_server false; #line 381 #line 381 neverallow { hal_secure_element_server -halserverdomain } domain:process fork; #line 381 # hal_*_client and halclientdomain attributes are always expanded for #line 381 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 381 # verified by CTS since these attributes are already expanded by that time. #line 381 #line 381 ; #line 382 attribute hal_sensors; #line 382 expandattribute hal_sensors true; #line 382 attribute hal_sensors_client; #line 382 expandattribute hal_sensors_client true; #line 382 attribute hal_sensors_server; #line 382 expandattribute hal_sensors_server false; #line 382 #line 382 neverallow { hal_sensors_server -halserverdomain } domain:process fork; #line 382 # hal_*_client and halclientdomain attributes are always expanded for #line 382 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 382 # verified by CTS since these attributes are already expanded by that time. #line 382 #line 382 ; #line 383 attribute hal_telephony; #line 383 expandattribute hal_telephony true; #line 383 attribute hal_telephony_client; #line 383 expandattribute hal_telephony_client true; #line 383 attribute hal_telephony_server; #line 383 expandattribute hal_telephony_server false; #line 383 #line 383 neverallow { hal_telephony_server -halserverdomain } domain:process fork; #line 383 # hal_*_client and halclientdomain attributes are always expanded for #line 383 # performance reasons. 
Neverallow rules targeting expanded attributes can not be #line 383 # verified by CTS since these attributes are already expanded by that time. #line 383 #line 383 ; #line 384 attribute hal_tetheroffload; #line 384 expandattribute hal_tetheroffload true; #line 384 attribute hal_tetheroffload_client; #line 384 expandattribute hal_tetheroffload_client true; #line 384 attribute hal_tetheroffload_server; #line 384 expandattribute hal_tetheroffload_server false; #line 384 #line 384 neverallow { hal_tetheroffload_server -halserverdomain } domain:process fork; #line 384 # hal_*_client and halclientdomain attributes are always expanded for #line 384 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 384 # verified by CTS since these attributes are already expanded by that time. #line 384 #line 384 ; #line 385 attribute hal_thermal; #line 385 expandattribute hal_thermal true; #line 385 attribute hal_thermal_client; #line 385 expandattribute hal_thermal_client true; #line 385 attribute hal_thermal_server; #line 385 expandattribute hal_thermal_server false; #line 385 #line 385 neverallow { hal_thermal_server -halserverdomain } domain:process fork; #line 385 # hal_*_client and halclientdomain attributes are always expanded for #line 385 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 385 # verified by CTS since these attributes are already expanded by that time. #line 385 #line 385 ; #line 386 attribute hal_threadnetwork; #line 386 expandattribute hal_threadnetwork true; #line 386 attribute hal_threadnetwork_client; #line 386 expandattribute hal_threadnetwork_client true; #line 386 attribute hal_threadnetwork_server; #line 386 expandattribute hal_threadnetwork_server false; #line 386 #line 386 neverallow { hal_threadnetwork_server -halserverdomain } domain:process fork; #line 386 # hal_*_client and halclientdomain attributes are always expanded for #line 386 # performance reasons. 
Neverallow rules targeting expanded attributes can not be #line 386 # verified by CTS since these attributes are already expanded by that time. #line 386 #line 386 ; #line 387 attribute hal_tv_cec; #line 387 expandattribute hal_tv_cec true; #line 387 attribute hal_tv_cec_client; #line 387 expandattribute hal_tv_cec_client true; #line 387 attribute hal_tv_cec_server; #line 387 expandattribute hal_tv_cec_server false; #line 387 #line 387 neverallow { hal_tv_cec_server -halserverdomain } domain:process fork; #line 387 # hal_*_client and halclientdomain attributes are always expanded for #line 387 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 387 # verified by CTS since these attributes are already expanded by that time. #line 387 #line 387 ; #line 388 attribute hal_tv_hdmi_cec; #line 388 expandattribute hal_tv_hdmi_cec true; #line 388 attribute hal_tv_hdmi_cec_client; #line 388 expandattribute hal_tv_hdmi_cec_client true; #line 388 attribute hal_tv_hdmi_cec_server; #line 388 expandattribute hal_tv_hdmi_cec_server false; #line 388 #line 388 neverallow { hal_tv_hdmi_cec_server -halserverdomain } domain:process fork; #line 388 # hal_*_client and halclientdomain attributes are always expanded for #line 388 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 388 # verified by CTS since these attributes are already expanded by that time. #line 388 #line 388 ; #line 389 attribute hal_tv_hdmi_connection; #line 389 expandattribute hal_tv_hdmi_connection true; #line 389 attribute hal_tv_hdmi_connection_client; #line 389 expandattribute hal_tv_hdmi_connection_client true; #line 389 attribute hal_tv_hdmi_connection_server; #line 389 expandattribute hal_tv_hdmi_connection_server false; #line 389 #line 389 neverallow { hal_tv_hdmi_connection_server -halserverdomain } domain:process fork; #line 389 # hal_*_client and halclientdomain attributes are always expanded for #line 389 # performance reasons. 
Neverallow rules targeting expanded attributes can not be #line 389 # verified by CTS since these attributes are already expanded by that time. #line 389 #line 389 ; #line 390 attribute hal_tv_hdmi_earc; #line 390 expandattribute hal_tv_hdmi_earc true; #line 390 attribute hal_tv_hdmi_earc_client; #line 390 expandattribute hal_tv_hdmi_earc_client true; #line 390 attribute hal_tv_hdmi_earc_server; #line 390 expandattribute hal_tv_hdmi_earc_server false; #line 390 #line 390 neverallow { hal_tv_hdmi_earc_server -halserverdomain } domain:process fork; #line 390 # hal_*_client and halclientdomain attributes are always expanded for #line 390 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 390 # verified by CTS since these attributes are already expanded by that time. #line 390 #line 390 ; #line 391 attribute hal_tv_input; #line 391 expandattribute hal_tv_input true; #line 391 attribute hal_tv_input_client; #line 391 expandattribute hal_tv_input_client true; #line 391 attribute hal_tv_input_server; #line 391 expandattribute hal_tv_input_server false; #line 391 #line 391 neverallow { hal_tv_input_server -halserverdomain } domain:process fork; #line 391 # hal_*_client and halclientdomain attributes are always expanded for #line 391 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 391 # verified by CTS since these attributes are already expanded by that time. #line 391 #line 391 ; #line 392 attribute hal_tv_tuner; #line 392 expandattribute hal_tv_tuner true; #line 392 attribute hal_tv_tuner_client; #line 392 expandattribute hal_tv_tuner_client true; #line 392 attribute hal_tv_tuner_server; #line 392 expandattribute hal_tv_tuner_server false; #line 392 #line 392 neverallow { hal_tv_tuner_server -halserverdomain } domain:process fork; #line 392 # hal_*_client and halclientdomain attributes are always expanded for #line 392 # performance reasons. 
Neverallow rules targeting expanded attributes can not be #line 392 # verified by CTS since these attributes are already expanded by that time. #line 392 #line 392 ; #line 393 attribute hal_usb; #line 393 expandattribute hal_usb true; #line 393 attribute hal_usb_client; #line 393 expandattribute hal_usb_client true; #line 393 attribute hal_usb_server; #line 393 expandattribute hal_usb_server false; #line 393 #line 393 neverallow { hal_usb_server -halserverdomain } domain:process fork; #line 393 # hal_*_client and halclientdomain attributes are always expanded for #line 393 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 393 # verified by CTS since these attributes are already expanded by that time. #line 393 #line 393 ; #line 394 attribute hal_usb_gadget; #line 394 expandattribute hal_usb_gadget true; #line 394 attribute hal_usb_gadget_client; #line 394 expandattribute hal_usb_gadget_client true; #line 394 attribute hal_usb_gadget_server; #line 394 expandattribute hal_usb_gadget_server false; #line 394 #line 394 neverallow { hal_usb_gadget_server -halserverdomain } domain:process fork; #line 394 # hal_*_client and halclientdomain attributes are always expanded for #line 394 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 394 # verified by CTS since these attributes are already expanded by that time. #line 394 #line 394 ; #line 395 attribute hal_uwb; #line 395 expandattribute hal_uwb true; #line 395 attribute hal_uwb_client; #line 395 expandattribute hal_uwb_client true; #line 395 attribute hal_uwb_server; #line 395 expandattribute hal_uwb_server false; #line 395 #line 395 neverallow { hal_uwb_server -halserverdomain } domain:process fork; #line 395 # hal_*_client and halclientdomain attributes are always expanded for #line 395 # performance reasons. 
Neverallow rules targeting expanded attributes can not be #line 395 # verified by CTS since these attributes are already expanded by that time. #line 395 #line 395 ; # TODO(b/196225233): Remove this attribute and its usages elsewhere # once all chip vendors integrate to the new UWB stack. #line 398 attribute hal_uwb_vendor; #line 398 expandattribute hal_uwb_vendor true; #line 398 attribute hal_uwb_vendor_client; #line 398 expandattribute hal_uwb_vendor_client true; #line 398 attribute hal_uwb_vendor_server; #line 398 expandattribute hal_uwb_vendor_server false; #line 398 #line 398 neverallow { hal_uwb_vendor_server -halserverdomain } domain:process fork; #line 398 # hal_*_client and halclientdomain attributes are always expanded for #line 398 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 398 # verified by CTS since these attributes are already expanded by that time. #line 398 #line 398 ; #line 399 attribute hal_vehicle; #line 399 expandattribute hal_vehicle true; #line 399 attribute hal_vehicle_client; #line 399 expandattribute hal_vehicle_client true; #line 399 attribute hal_vehicle_server; #line 399 expandattribute hal_vehicle_server false; #line 399 #line 399 neverallow { hal_vehicle_server -halserverdomain } domain:process fork; #line 399 # hal_*_client and halclientdomain attributes are always expanded for #line 399 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 399 # verified by CTS since these attributes are already expanded by that time. 
#line 399 #line 399 ; #line 400 attribute hal_vibrator; #line 400 expandattribute hal_vibrator true; #line 400 attribute hal_vibrator_client; #line 400 expandattribute hal_vibrator_client true; #line 400 attribute hal_vibrator_server; #line 400 expandattribute hal_vibrator_server false; #line 400 #line 400 neverallow { hal_vibrator_server -halserverdomain } domain:process fork; #line 400 # hal_*_client and halclientdomain attributes are always expanded for #line 400 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 400 # verified by CTS since these attributes are already expanded by that time. #line 400 #line 400 ; #line 401 attribute hal_vr; #line 401 expandattribute hal_vr true; #line 401 attribute hal_vr_client; #line 401 expandattribute hal_vr_client true; #line 401 attribute hal_vr_server; #line 401 expandattribute hal_vr_server false; #line 401 #line 401 neverallow { hal_vr_server -halserverdomain } domain:process fork; #line 401 # hal_*_client and halclientdomain attributes are always expanded for #line 401 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 401 # verified by CTS since these attributes are already expanded by that time. #line 401 #line 401 ; #line 402 attribute hal_weaver; #line 402 expandattribute hal_weaver true; #line 402 attribute hal_weaver_client; #line 402 expandattribute hal_weaver_client true; #line 402 attribute hal_weaver_server; #line 402 expandattribute hal_weaver_server false; #line 402 #line 402 neverallow { hal_weaver_server -halserverdomain } domain:process fork; #line 402 # hal_*_client and halclientdomain attributes are always expanded for #line 402 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 402 # verified by CTS since these attributes are already expanded by that time. 
#line 402 #line 402 ; #line 403 attribute hal_wifi; #line 403 expandattribute hal_wifi true; #line 403 attribute hal_wifi_client; #line 403 expandattribute hal_wifi_client true; #line 403 attribute hal_wifi_server; #line 403 expandattribute hal_wifi_server false; #line 403 #line 403 neverallow { hal_wifi_server -halserverdomain } domain:process fork; #line 403 # hal_*_client and halclientdomain attributes are always expanded for #line 403 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 403 # verified by CTS since these attributes are already expanded by that time. #line 403 #line 403 ; #line 404 attribute hal_wifi_hostapd; #line 404 expandattribute hal_wifi_hostapd true; #line 404 attribute hal_wifi_hostapd_client; #line 404 expandattribute hal_wifi_hostapd_client true; #line 404 attribute hal_wifi_hostapd_server; #line 404 expandattribute hal_wifi_hostapd_server false; #line 404 #line 404 neverallow { hal_wifi_hostapd_server -halserverdomain } domain:process fork; #line 404 # hal_*_client and halclientdomain attributes are always expanded for #line 404 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 404 # verified by CTS since these attributes are already expanded by that time. #line 404 #line 404 ; #line 405 attribute hal_wifi_supplicant; #line 405 expandattribute hal_wifi_supplicant true; #line 405 attribute hal_wifi_supplicant_client; #line 405 expandattribute hal_wifi_supplicant_client true; #line 405 attribute hal_wifi_supplicant_server; #line 405 expandattribute hal_wifi_supplicant_server false; #line 405 #line 405 neverallow { hal_wifi_supplicant_server -halserverdomain } domain:process fork; #line 405 # hal_*_client and halclientdomain attributes are always expanded for #line 405 # performance reasons. Neverallow rules targeting expanded attributes can not be #line 405 # verified by CTS since these attributes are already expanded by that time. 
#line 405 #line 405 ; # HwBinder services offered across the core-vendor boundary # # We annotate server domains with x_server to loosen the coupling between # system and vendor images. For example, it should be possible to move a service # from one core domain to another, without having to update the vendor image # which contains clients of this service. attribute automotive_display_service_server; attribute camera_service_server; attribute display_service_server; attribute evsmanager_service_server; attribute remote_provisioning_service_server; attribute scheduler_service_server; attribute sensor_service_server; attribute stats_service_server; attribute system_suspend_internal_server; attribute system_suspend_server; attribute wifi_keystore_service_server; # All types used for super partition block devices. attribute super_block_device_type; # All types used for DMA-BUF heaps attribute dmabuf_heap_device_type; expandattribute dmabuf_heap_device_type false; # Types for VM managers attribute vm_manager_device_type; # All types used for DSU metadata files. attribute gsi_metadata_file_type; # Types used for module-specific APEX data directories under # /data/{misc,misc_ce,misc_de}/apexdata. attribute apex_data_file_type; # Domains used for charger. # This is the common type for domains that executes charger's # functionalities, including setting and getting necessary properties, # permissions to maintain the health loop, writing to kernel log, handling # inputs and drawing screens, etc. attribute charger_type; # All types of ART properties. attribute dalvik_config_prop_type; #line 1 "system/sepolicy/public/adbd.te" # adbd seclabel is specified in init.rc since # it lives in the rootfs and has no unique file type. type adbd, domain; type adbd_exec, exec_type, file_type, system_file_type; # Only init is allowed to enter the adbd domain via exec() neverallow { domain -init } adbd:process transition; neverallow * adbd:process dyntransition; # Access /data/local/tests. 
allow adbd shell_test_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow adbd shell_test_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow adbd shell_test_data_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; #line 1 "system/sepolicy/public/aidl_lazy_test_server.te" type aidl_lazy_test_server, domain; type aidl_lazy_test_server_exec, exec_type, file_type, system_file_type; #line 9 #line 1 "system/sepolicy/public/apexd.te" # apexd -- manager for APEX packages type apexd, domain; type apexd_exec, exec_type, file_type, system_file_type; #line 5 # Call the servicemanager and transfer references to it. #line 5 allow apexd servicemanager:binder { call transfer }; #line 5 # Allow servicemanager to send out callbacks #line 5 allow servicemanager apexd:binder { call transfer }; #line 5 # servicemanager performs getpidcon on clients. #line 5 allow servicemanager apexd:dir search; #line 5 allow servicemanager apexd:file { read open }; #line 5 allow servicemanager apexd:process getattr; #line 5 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 5 # all domains in domain.te. #line 5 #line 6 allow apexd apex_service:service_manager { add find }; #line 6 neverallow { domain -apexd } apex_service:service_manager add; #line 6 #line 6 # On debug builds with root, allow binder services to use binder over TCP. #line 6 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. 
#line 6
#line 6
# Clients of apexd are pinned here: only these domains may look up the
# service, and only these (plus servicemanager, for callbacks) may call apexd
# over binder.
neverallow { domain -init -apexd -system_server -update_engine } apex_service:service_manager find;
neverallow { domain -init -apexd -system_server -servicemanager -update_engine } apexd:binder call;
# No domain may ptrace apexd; { domain } covers apexd itself as well.
neverallow { domain } apexd:process ptrace;
#line 1 "system/sepolicy/public/app.te"
###
### Domain for all zygote spawned apps
###
### This file is the base policy for all zygote spawned apps.
### Other policy files, such as isolated_app.te, untrusted_app.te, etc
### extend from this policy. Only policies which should apply to ALL
### zygote spawned apps should be added here.
###
type appdomain_tmpfs, file_type;
###
### Neverallow rules
###
### These are things that Android apps should NEVER be able to do
###
# Superuser capabilities.
# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
# '*' denies every capability permission; bluetooth and network_stack are the
# only app domains carved out, and their actual grants live in their own files.
neverallow { appdomain -bluetooth -network_stack } self:{ capability capability2 cap_userns cap2_userns } *;
# Block device access.
neverallow appdomain dev_type:blk_file { read write };
# Note: Try expanding list of app domains in the future.
neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
neverallow { appdomain -nfc } nfc_device:chr_file { read write };
neverallow { appdomain -bluetooth } hci_attach_dev:chr_file { read write };
neverallow appdomain tee_device:chr_file { read write };
# Privileged netlink socket interfaces.
neverallow { appdomain -network_stack } domain:{ netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket netlink_dnrt_socket } *;
# These messages are broadcast messages from the kernel to userspace.
# Do not allow the writing of netlink messages, which has been a source
# of rooting vulns in the past.
neverallow { appdomain -network_stack } domain:netlink_kobject_uevent_socket { write append };
# Sockets under /dev/socket that are not specifically typed.
neverallow appdomain socket_device:sock_file write;
# Unix domain sockets.
neverallow appdomain adbd_socket:sock_file write;
neverallow { appdomain -radio } rild_socket:sock_file write;
# ptrace access to non-app domains.
neverallow appdomain { domain -appdomain }:process ptrace;
# The Android security model guarantees the confidentiality and integrity
# of application data and execution state. Ptrace bypasses those
# confidentiality guarantees. Disallow ptrace access from system components
# to apps. Crash_dump is excluded, as it needs ptrace access to
# produce stack traces. llkd is excluded, as it needs ptrace access to
# inspect stack traces for live lock conditions.
neverallow { domain -appdomain -crash_dump } appdomain:process ptrace;
# NOTE(review): the comment above names llkd as excluded, but the expanded rule
# only carves out crash_dump. The llkd exception is probably behind a
# build-variant conditional that expanded to nothing for this build — confirm
# against the unexpanded source before relying on either reading.
# Read or write access to /proc/pid entries for any non-app domain.
# A different form of hidepid=2 like protections
neverallow appdomain { domain -appdomain }:file { append create link unlink relabelfrom rename setattr write };
# shell keeps read access to other domains' /proc entries; every other app
# domain is denied read as well as write.
neverallow { appdomain -shell } { domain -appdomain }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
# -perfetto is to allow shell (which is an appdomain) to kill perfetto
# (see private/shell.te).
neverallow appdomain { domain -appdomain -perfetto }:process { sigkill sigstop signal };
# Write to rootfs.
# The class set below (dir plus every file-like class) is repeated for each
# protected label; the permission set is the full "modify" group.
neverallow appdomain rootfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };
# Write to /system.
neverallow appdomain system_file_type:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };
# Write to entrypoint executables.
# No app domain may modify anything labelled as an executable entry point.
neverallow appdomain exec_type:file { create write setattr relabelfrom relabelto append unlink link rename };
# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts. Define a different type for portions
# that should be writable by apps.
neverallow appdomain system_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };
# Write to various other parts of /data.
neverallow appdomain drm_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };
# platform_app is the only app domain exempted from the apk_* write bans.
neverallow { appdomain -platform_app } apk_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app } apk_private_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app } apk_private_tmp_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };
# NOTE(review): unlike the neighbouring rules this permission set omits
# `write`, so non-shell apps are not forbidden from writing an already-open
# shell_data_file; confirm that is intended before treating the label as
# app-unwritable.
neverallow { appdomain -shell } shell_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -bluetooth } bluetooth_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };
# credstore data is off-limits to every domain except credstore and init,
# for all permissions ('*'), not only the app domains.
neverallow { domain -credstore -init } credstore_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } *;
neverallow appdomain keystore_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain systemkeys_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain wifi_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain dhcp_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };
# access tmp apk files
neverallow { appdomain -platform_app } apk_tmp_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom relabelto append unlink link rename };
# Staged APK temp files: app domains outside the four listed groups get no
# access at all, and untrusted/isolated apps are limited to getattr/read on
# regular files (every other class is fully denied).
neverallow { appdomain -untrusted_app_all -platform_app -priv_app -isolated_app_all } { apk_tmp_file apk_private_tmp_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } *;
neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:{ { chr_file blk_file } dir fifo_file lnk_file sock_file } *;
neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
# Access to factory files.
neverallow appdomain efs_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
neverallow { appdomain -shell } efs_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } read;
# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc } sysfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
neverallow appdomain proc:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
# Access to syslog(2) or /proc/kmsg.
neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
neverallow { appdomain -shell } *:security { compute_av check_context };
neverallow { appdomain -shell } *:netlink_selinux_socket *;
# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
neverallow appdomain fs_type:filesystem ~getattr;
# prevent creation/manipulation of globally readable symlinks
neverallow appdomain { apk_data_file cache_file cache_recovery_file dev_type rootfs system_file tmpfs }:lnk_file { append create link unlink relabelfrom rename setattr write };
# Applications should use the activity model for receiving events
# ~getattr: every input_device permission except getattr is denied.
neverallow {
  appdomain
  -shell # bugreport
} input_device:chr_file ~getattr;
# Do not allow access to Bluetooth-related system properties except for a few allowed domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow { appdomain -bluetooth -system_app } { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# allow system_app to access Nfc-related system properties.
# Expanded property-set grant: write the property socket, connect to init's
# property service, set the property, and read it back from the mapped
# property file.
#line 196
#line 196
allow system_app property_socket:sock_file write;
#line 196
allow system_app init:unix_stream_socket connectto;
#line 196
#line 196
allow system_app nfc_prop:property_service set;
#line 196
#line 196
allow system_app nfc_prop:file { getattr open read map };
#line 196
#line 196
# allow system_app to access radio_config system properties.
#line 199
#line 199
allow system_app property_socket:sock_file write;
#line 199
allow system_app init:unix_stream_socket connectto;
#line 199
#line 199
allow system_app radio_control_prop:property_service set;
#line 199
#line 199
allow system_app radio_control_prop:file { getattr open read map };
#line 199
#line 199
# Apps cannot access proc_uid_time_in_state
neverallow appdomain proc_uid_time_in_state:file *;
# Apps cannot access proc_uid_concurrent_active_time
neverallow appdomain proc_uid_concurrent_active_time:file *;
# Apps cannot access proc_uid_concurrent_policy_time
neverallow appdomain proc_uid_concurrent_policy_time:file *;
# Apps cannot access proc_uid_cpupower
neverallow appdomain proc_uid_cpupower:file *;
# Apps may not read /proc/net/{tcp,tcp6,udp,udp6}. These files leak information across the
# application boundary. VPN apps may use the ConnectivityManager.getConnectionOwnerUid() API to
# perform UID lookups.
neverallow { appdomain -shell } proc_net_tcp_udp:file *;
# Apps cannot access bootstrap files. The bootstrap files are only for
# extremely early processes (like init, etc.) which are started before
# the runtime APEX is activated and Bionic libs are provided from there.
# If app process accesses (or even load/execute) the bootstrap files,
# it might cause problems such as ODR violation, etc.
neverallow appdomain system_bootstrap_lib_file:file { open read write append execute execute_no_trans map };
neverallow appdomain system_bootstrap_lib_file:dir { open read getattr search };
#line 1 "system/sepolicy/public/app_zygote.te"
# app_zygote is an auxiliary zygote process that is used to spawn
# isolated service processes for individual applications. It is
# spawned from the regular zygote process as a "child zygote".
type app_zygote, domain;
type app_zygote_tmpfs, file_type;
#line 1 "system/sepolicy/public/artd.te"
# ART service daemon.
type artd, domain;
#line 1 "system/sepolicy/public/asan_extract.te"
# asan_extract
#
# This command set moves the artifact corresponding to the current slot
# from /data/ota to /data/dalvik-cache.
# (No rules survive expansion here; the body is presumably build-variant
# conditional.)
#line 33
#line 1 "system/sepolicy/public/atrace.te"
type atrace, domain, coredomain;
#line 1 "system/sepolicy/public/audioserver.te"
# audioserver - audio services daemon
type audioserver, domain;
type audioserver_tmpfs, file_type;
# Allow audioserver to signal audio HAL processes and dump their stacks.
allow audioserver hal_audio_server:process signal;
# Allow audioserver to access sensorservice.
allow audioserver sensorservice_service:service_manager find;
allow audioserver system_server:unix_stream_socket { read write };
#line 1 "system/sepolicy/public/blkid.te"
# blkid called from vold
type blkid, domain;
#line 1 "system/sepolicy/public/blkid_untrusted.te"
# blkid for untrusted block devices
type blkid_untrusted, domain;
#line 1 "system/sepolicy/public/bluetooth.te"
# bluetooth subsystem
type bluetooth, domain;
#line 1 "system/sepolicy/public/bootanim.te"
# bootanimation oneshot service
type bootanim, domain;
type bootanim_exec, system_file_type, exec_type, file_type;
# Expanded hal_client_domain(): bootanim becomes a HAL client and, via the
# passthrough fallback below, also carries the HAL attribute itself.
#line 5
typeattribute bootanim halclientdomain;
#line 5
typeattribute bootanim hal_configstore_client;
#line 5
#line 5
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 5
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 5
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 5
#line 5
typeattribute bootanim hal_configstore;
#line 5
# Find passthrough HAL implementations
# Because bootanim now holds hal_configstore, it inherits execute+map on
# vendor_file from the passthrough rules below.
#line 5
allow hal_configstore system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 5
allow hal_configstore vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 5
allow hal_configstore vendor_file:file { read open getattr execute map };
#line 5
#line 5
#line 6
typeattribute bootanim halclientdomain;
#line 6
typeattribute bootanim hal_graphics_allocator_client;
#line 6
#line 6
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 6
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 6
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 6
#line 6
typeattribute bootanim hal_graphics_allocator;
#line 6
# Find passthrough HAL implementations
#line 6
allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 6
allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 6
allow hal_graphics_allocator vendor_file:file { read open getattr execute map };
#line 6
#line 6
#line 7
typeattribute bootanim halclientdomain;
#line 7
typeattribute bootanim hal_graphics_composer_client;
#line 7
#line 7
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 7
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 7
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 7
#line 7
typeattribute bootanim hal_graphics_composer;
#line 7
# Find passthrough HAL implementations
#line 7
allow hal_graphics_composer system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 7
allow hal_graphics_composer vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 7
allow hal_graphics_composer vendor_file:file { read open getattr execute map };
#line 7
#line 7
#line 9
# Call the servicemanager and transfer references to it.
#line 9
allow bootanim servicemanager:binder { call transfer };
#line 9
# Allow servicemanager to send out callbacks
#line 9
allow servicemanager bootanim:binder { call transfer };
#line 9
# servicemanager performs getpidcon on clients.
#line 9
allow servicemanager bootanim:dir search;
#line 9
allow servicemanager bootanim:file { read open };
#line 9
allow servicemanager bootanim:process getattr;
#line 9
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 9
# all domains in domain.te.
#line 9
#line 10
# Call the server domain and optionally transfer references to it.
#line 10
allow bootanim surfaceflinger:binder { call transfer };
#line 10
# Allow the serverdomain to transfer references to the client on the reply.
#line 10
allow surfaceflinger bootanim:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow bootanim surfaceflinger:fd use;
#line 10
#line 11
# Call the server domain and optionally transfer references to it.
#line 11
allow bootanim audioserver:binder { call transfer };
#line 11
# Allow the serverdomain to transfer references to the client on the reply.
#line 11
allow audioserver bootanim:binder transfer;
#line 11
# Receive and use open files from the server.
#line 11
allow bootanim audioserver:fd use;
#line 11
#line 13
# Call the hwservicemanager and transfer references to it.
#line 13
allow bootanim hwservicemanager:binder { call transfer };
#line 13
# Allow hwservicemanager to send out callbacks
#line 13
allow hwservicemanager bootanim:binder { call transfer };
#line 13
# hwservicemanager performs getpidcon on clients.
#line 13
allow hwservicemanager bootanim:dir search;
#line 13
allow hwservicemanager bootanim:file { read open map };
#line 13
allow hwservicemanager bootanim:process getattr;
#line 13
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 13
# all domains in domain.te.
#line 13
# Device nodes: the GPU and audio character devices get read+write (both
# nested groups), sysfs_gpu and the DMA-BUF heap read-only.
allow bootanim gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow bootanim gpu_device:dir { open getattr read search ioctl lock watch watch_reads };
allow bootanim sysfs_gpu:file { getattr open read ioctl lock map watch watch_reads };
# /oem access
allow bootanim oemfs:dir { open getattr read search ioctl lock watch watch_reads };
# boot animations on oem are stored with specific label
allow bootanim bootanim_oem_file:file { getattr open read ioctl lock map watch watch_reads };
allow bootanim audio_device:dir { open getattr read search ioctl lock watch watch_reads };
allow bootanim audio_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow bootanim audioserver_service:service_manager find;
allow bootanim surfaceflinger_service:service_manager find;
allow bootanim surfaceflinger:unix_stream_socket { read write };
# Allow access to ion memory allocation device
allow bootanim ion_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow access to DMA-BUF system heap
allow bootanim dmabuf_system_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow bootanim hal_graphics_allocator:fd use;
# Fences
allow bootanim hal_graphics_composer:fd use;
# Read access to pseudo filesystems.
allow bootanim proc_meminfo:file { getattr open read ioctl lock map watch watch_reads };
# System file accesses.
allow bootanim system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 1 "system/sepolicy/public/bootstat.te"
# bootstat command
type bootstat, domain;
type bootstat_exec, system_file_type, exec_type, file_type;
#line 5
allow bootstat runtime_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads };
#line 5
# Allow persistent storage in /data/misc/bootstat.
allow bootstat bootstat_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow bootstat bootstat_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow bootstat metadata_file:dir search;
allow bootstat metadata_bootstat_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow bootstat metadata_bootstat_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# ToDo: TBI move access for the following to a system health HAL
# Allow access to /sys/fs/pstore/ and syslog
allow bootstat pstorefs:dir search;
allow bootstat pstorefs:file { getattr open read ioctl lock map watch watch_reads };
allow bootstat kernel:system syslog_read;
# Allow access to reading the logs to read aspects of system health
# execute_no_trans: bootstat runs the logcat binary in its own domain rather
# than transitioning; the following two rules are the logd reader socket path.
#line 23
allow bootstat logcat_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 23
#line 23
allow bootstat logdr_socket:sock_file write;
#line 23
allow bootstat logd:unix_stream_socket connectto;
#line 23
#line 23
# Allow bootstat write to statsd.
#line 26
allow bootstat statsdw_socket:sock_file write;
#line 26
allow bootstat statsd:unix_dgram_socket sendto;
#line 26
# Only bootstat and init may set the boot-reason property.
neverallow { domain -bootstat -init } system_boot_reason_prop:property_service set;
#line 1 "system/sepolicy/public/bpfloader.te"
type bpfloader, domain, coredomain;
#line 1 "system/sepolicy/public/bufferhubd.te"
# bufferhubd
type bufferhubd, domain, mlstrustedsubject;
type bufferhubd_exec, system_file_type, exec_type, file_type;
#line 5
typeattribute bufferhubd halclientdomain;
#line 5
typeattribute bufferhubd hal_graphics_allocator_client;
#line 5
#line 5
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 5
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 5
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 5
#line 5
typeattribute bufferhubd hal_graphics_allocator;
#line 5
# Find passthrough HAL implementations
#line 5
allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 5
allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 5
allow hal_graphics_allocator vendor_file:file { read open getattr execute map };
#line 5
#line 5
# TODO(b/112338294): remove these after migrate to Binder
# Expanded PDX server rules: init creates and binds the endpoint socket,
# bufferhubd serves on it, and the neverallow keeps any other domain from
# listening/accepting on the same endpoint (server impersonation).
#line 8
# Mark the server domain as a PDX server.
#line 8
typeattribute bufferhubd pdx_bufferhub_client_server_type;
#line 8
# Allow the init process to create the initial endpoint socket.
#line 8
allow init pdx_bufferhub_client_endpoint_socket_type:unix_stream_socket { create bind };
#line 8
# Allow the server domain to use the endpoint socket and accept connections on it.
#line 8
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 8
# than we need (e.g. we don"t need "bind" or "connect").
#line 8
allow bufferhubd pdx_bufferhub_client_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
#line 8
# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
#line 8
allow bufferhubd self:process setsockcreate;
#line 8
# Allow the server domain to create a client channel socket.
#line 8
allow bufferhubd pdx_bufferhub_client_channel_socket_type:unix_stream_socket { create { { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } listen accept } };
#line 8
# Prevent other processes from claiming to be a server for the same service.
#line 8
neverallow {domain -bufferhubd} pdx_bufferhub_client_endpoint_socket_type:unix_stream_socket { listen accept };
#line 8
#line 9
#line 9
# Expanded PDX client rules: bufferhubd is itself a client of the performance
# service (endpoint dir/socket access, connect, channel socket use, fd use).
# Allow client to open the service endpoint file.
#line 9
allow bufferhubd pdx_performance_client_endpoint_dir_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow bufferhubd pdx_performance_client_endpoint_socket_type:sock_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 9
# Allow the client to connect to endpoint socket.
#line 9
allow bufferhubd pdx_performance_client_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
#line 9
#line 9
#line 9
# Allow the client to use the PDX channel socket.
#line 9
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 9
# than we need (e.g. we don"t need "bind" or "connect").
#line 9
allow bufferhubd pdx_performance_client_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
#line 9
# Client needs to use an channel event fd from the server.
#line 9
allow bufferhubd pdx_performance_client_server_type:fd use;
#line 9
# Servers may receive sync fences, gralloc buffers, etc, from clients.
#line 9
# This could be tightened on a per-server basis, but keeping track of service
#line 9
# clients is error prone.
#line 9
allow pdx_performance_client_server_type bufferhubd:fd use;
#line 9
#line 9
# Access the GPU.
allow bufferhubd gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Access /dev/ion
allow bufferhubd ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# Receive sync fence FDs from hal_omx_server. Note that hal_omx_server never directly
# connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between
# those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
# Thus, there is no need to use pdx_client macro.
allow bufferhubd hal_omx_server:fd use;
# Codec2 is similar to OMX
allow bufferhubd hal_codec2_server:fd use;
#line 1 "system/sepolicy/public/camera_service_server.te"
# Rules attached to the camera_service_server attribute (see the attribute
# block at the top of this file): whoever carries it may register the camera
# hwservice, and nobody else may.
#line 1
allow camera_service_server fwk_camera_hwservice:hwservice_manager { add find };
#line 1
allow camera_service_server hidl_base_hwservice:hwservice_manager add;
#line 1
neverallow { domain -camera_service_server } fwk_camera_hwservice:hwservice_manager add;
#line 1
#line 1 "system/sepolicy/public/cameraserver.te"
# cameraserver - camera daemon
type cameraserver, domain;
type cameraserver_exec, system_file_type, exec_type, file_type;
type cameraserver_tmpfs, file_type;
#line 6
# Call the servicemanager and transfer references to it.
#line 6
allow cameraserver servicemanager:binder { call transfer };
#line 6
# Allow servicemanager to send out callbacks
#line 6
allow servicemanager cameraserver:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
#line 6
allow servicemanager cameraserver:dir search;
#line 6
allow servicemanager cameraserver:file { read open };
#line 6
allow servicemanager cameraserver:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6
#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow cameraserver binderservicedomain:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow binderservicedomain cameraserver:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow cameraserver binderservicedomain:fd use;
#line 7
#line 8
# Note the direction here: cameraserver calls into every app domain (binder
# callbacks), and apps may only transfer references back, not call.
# Call the server domain and optionally transfer references to it.
#line 8
allow cameraserver appdomain:binder { call transfer };
#line 8
# Allow the serverdomain to transfer references to the client on the reply.
#line 8
allow appdomain cameraserver:binder transfer;
#line 8
# Receive and use open files from the server.
#line 8
allow cameraserver appdomain:fd use;
#line 8
#line 9
typeattribute cameraserver binderservicedomain;
#line 9
#line 11
typeattribute cameraserver halclientdomain;
#line 11
typeattribute cameraserver hal_camera_client;
#line 11
#line 11
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 11
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 11
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 11
#line 11
typeattribute cameraserver hal_camera;
#line 11
# Find passthrough HAL implementations
#line 11
allow hal_camera system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 11
allow hal_camera vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 11
allow hal_camera vendor_file:file { read open getattr execute map };
#line 11
#line 11
#line 13
typeattribute cameraserver halclientdomain;
#line 13
typeattribute cameraserver hal_graphics_allocator_client;
#line 13
#line 13
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 13
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 13
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 13
#line 13
typeattribute cameraserver hal_graphics_allocator;
#line 13
# Find passthrough HAL implementations
#line 13
allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 13
allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 13
allow hal_graphics_allocator vendor_file:file { read open getattr execute map };
#line 13
#line 13
allow cameraserver ion_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow cameraserver dmabuf_system_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# Talk with graphics composer fences
allow cameraserver hal_graphics_composer:fd use;
# Only cameraserver may register cameraserver_service.
#line 21
allow cameraserver cameraserver_service:service_manager { add find };
#line 21
neverallow { domain -cameraserver } cameraserver_service:service_manager add;
#line 21
#line 21
# On debug builds with root, allow binder services to use binder over TCP.
#line 21
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 21
#line 21
#line 22
allow cameraserver fwk_camera_service:service_manager { add find };
#line 22
neverallow { domain -cameraserver } fwk_camera_service:service_manager add;
#line 22
#line 22
# On debug builds with root, allow binder services to use binder over TCP.
#line 22
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 22
#line 22
#line 23
allow cameraserver fwk_camera_hwservice:hwservice_manager { add find };
#line 23
allow cameraserver hidl_base_hwservice:hwservice_manager add;
#line 23
neverallow { domain -cameraserver } fwk_camera_hwservice:hwservice_manager add;
#line 23
# Services cameraserver may look up (find only, no add).
allow cameraserver activity_service:service_manager find;
allow cameraserver appops_service:service_manager find;
allow cameraserver audioserver_service:service_manager find;
allow cameraserver batterystats_service:service_manager find;
allow cameraserver cameraproxy_service:service_manager find;
allow cameraserver mediaserver_service:service_manager find;
allow cameraserver package_native_service:service_manager find;
allow cameraserver permission_checker_service:service_manager find;
allow cameraserver processinfo_service:service_manager find;
allow cameraserver scheduling_policy_service:service_manager find;
allow cameraserver sensor_privacy_service:service_manager find;
allow cameraserver surfaceflinger_service:service_manager find;
allow cameraserver hidl_token_hwservice:hwservice_manager find;
allow cameraserver hal_camera_service:service_manager find;
allow cameraserver virtual_camera_service:service_manager find;
# Allow to talk with surfaceflinger through unix stream socket
allow cameraserver surfaceflinger:unix_stream_socket { read write };
###
### neverallow rules
###
# cameraserver should never execute any executable without a
# domain transition
neverallow cameraserver { file_type fs_type }:file execute_no_trans;
# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
# No network: every UDP, raw-IP and TCP socket permission is denied against
# every domain, so cameraserver cannot open network sockets at all.
neverallow cameraserver domain:{ udp_socket rawip_socket } *;
neverallow cameraserver { domain }:tcp_socket *;
# Allow shell commands from ADB for CTS testing/dumping
# These only let cameraserver use fds/sockets/pipes handed to it by adbd and
# shell (e.g. for dumpsys output); they grant no file access of their own.
allow cameraserver adbd:fd use;
allow cameraserver adbd:unix_stream_socket { read write };
allow cameraserver shell:fd use;
allow cameraserver shell:unix_stream_socket { read write };
allow cameraserver shell:fifo_file { read write };
# Allow to talk with media codec
allow cameraserver mediametrics_service:service_manager find;
#line 75
typeattribute cameraserver halclientdomain;
#line 75
typeattribute cameraserver hal_codec2_client;
#line 75
#line 75
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 75
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 75
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 75
#line 75
typeattribute cameraserver hal_codec2;
#line 75
# Find passthrough HAL implementations
#line 75
allow hal_codec2 system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 75
allow hal_codec2 vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 75
allow hal_codec2 vendor_file:file { read open getattr execute map };
#line 75
#line 75
#line 76
typeattribute cameraserver halclientdomain;
#line 76
typeattribute cameraserver hal_omx_client;
#line 76
#line 76
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 76
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 76
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 76
#line 76
typeattribute cameraserver hal_omx;
#line 76
# Find passthrough HAL implementations
#line 76
allow hal_omx system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 76
allow hal_omx vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 76
allow hal_omx vendor_file:file { read open getattr execute map };
#line 76
#line 76
#line 77
typeattribute cameraserver halclientdomain;
#line 77
typeattribute cameraserver hal_allocator_client;
#line 77
#line 77
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 77
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 77
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 77
#line 77
typeattribute cameraserver hal_allocator;
#line 77
# Find passthrough HAL implementations
#line 77
allow hal_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 77
allow hal_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 77
allow hal_allocator vendor_file:file { read open getattr execute map };
#line 77
#line 77
# Allow shell commands from ADB for CTS testing/dumping
# (The rules this comment introduced expanded to nothing in this build;
# presumably a debug-only conditional.)
#line 84
#line 1 "system/sepolicy/public/charger.te"
type charger, charger_type, domain;
type charger_exec, system_file_type, exec_type, file_type;
# The system charger is a client of HIDL health HAL.
#line 5
typeattribute charger halclientdomain;
#line 5
typeattribute charger hal_health_client;
#line 5
#line 5
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 5
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 5
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 5 #line 5 typeattribute charger hal_health; #line 5 # Find passthrough HAL implementations #line 5 allow hal_health system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 5 allow hal_health vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 5 allow hal_health vendor_file:file { read open getattr execute map }; #line 5 #line 5 #line 1 "system/sepolicy/public/charger_type.te" # Write to /dev/kmsg allow charger_type kmsg_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # Read access to pseudo filesystems. #line 5 allow charger_type rootfs:dir { open getattr read search ioctl lock watch watch_reads }; #line 5 allow charger_type rootfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 5 #line 6 allow charger_type cgroup:dir { open getattr read search ioctl lock watch watch_reads }; #line 6 allow charger_type cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 6 #line 7 allow charger_type cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads }; #line 7 allow charger_type cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 7 # Allow to read /sys/class/power_supply directory allow charger_type sysfs_type:dir { open getattr read search ioctl lock watch watch_reads }; allow charger_type self:{ capability cap_userns } { sys_boot sys_tty_config }; #line 17 # TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is #line 17 # deprecated. 
#line 17 # Access /sys/power/wake_lock and /sys/power/wake_unlock #line 17 allow charger_type sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; #line 17 # Accessing these files requires CAP_BLOCK_SUSPEND #line 17 allow charger_type self:{ capability2 cap2_userns } block_suspend; #line 17 # system_suspend permissions #line 17 #line 17 # Call the server domain and optionally transfer references to it. #line 17 allow charger_type system_suspend_server:binder { call transfer }; #line 17 # Allow the serverdomain to transfer references to the client on the reply. #line 17 allow system_suspend_server charger_type:binder transfer; #line 17 # Receive and use open files from the server. #line 17 allow charger_type system_suspend_server:fd use; #line 17 #line 17 allow charger_type system_suspend_hwservice:hwservice_manager find; #line 17 # halclientdomain permissions #line 17 #line 17 # Call the hwservicemanager and transfer references to it. #line 17 allow charger_type hwservicemanager:binder { call transfer }; #line 17 # Allow hwservicemanager to send out callbacks #line 17 allow hwservicemanager charger_type:binder { call transfer }; #line 17 # hwservicemanager performs getpidcon on clients. #line 17 allow hwservicemanager charger_type:dir search; #line 17 allow hwservicemanager charger_type:file { read open map }; #line 17 allow hwservicemanager charger_type:process getattr; #line 17 # rw access to /dev/hwbinder and /dev/ashmem is presently granted to #line 17 # all domains in domain.te. #line 17 #line 17 #line 17 allow charger_type hwservicemanager_prop:file { getattr open read map }; #line 17 #line 17 allow charger_type hidl_manager_hwservice:hwservice_manager find; #line 17 # AIDL suspend hal permissions #line 17 allow charger_type hal_system_suspend_service:service_manager find; #line 17 #line 17 # Call the servicemanager and transfer references to it. 
#line 17 allow charger_type servicemanager:binder { call transfer }; #line 17 # Allow servicemanager to send out callbacks #line 17 allow servicemanager charger_type:binder { call transfer }; #line 17 # servicemanager performs getpidcon on clients. #line 17 allow servicemanager charger_type:dir search; #line 17 allow servicemanager charger_type:file { read open }; #line 17 allow servicemanager charger_type:process getattr; #line 17 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 17 # all domains in domain.te. #line 17 #line 17 allow charger_type self:netlink_kobject_uevent_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } }; # Read/write to /sys/power/state allow charger_type sysfs_power:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; #line 24 allow charger_type sysfs_batteryinfo:dir { open getattr read search ioctl lock watch watch_reads }; #line 24 allow charger_type sysfs_batteryinfo:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 24 # Read /sys/fs/pstore/console-ramoops # Don't worry about overly broad permissions for now, as there's # only one file in /sys/fs/pstore allow charger_type pstorefs:dir { open getattr read search ioctl lock watch watch_reads }; allow charger_type pstorefs:file { getattr open read ioctl lock map watch watch_reads }; allow charger_type graphics_device:dir { open getattr read search ioctl lock watch watch_reads }; allow charger_type graphics_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow charger_type input_device:dir { open getattr read search ioctl lock watch watch_reads }; allow charger_type input_device:chr_file { getattr open read ioctl lock map watch watch_reads }; allow charger_type tty_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow charger_type 
proc_sysrq:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; #line 1 "system/sepolicy/public/charger_vendor.te" # Context when health HAL runs charger mode type charger_vendor, charger_type, domain; #line 4 typeattribute charger_vendor halserverdomain; #line 4 typeattribute charger_vendor hal_health_server; #line 4 typeattribute charger_vendor hal_health; #line 4 typeattribute charger_vendor bpfdomain; #line 1 "system/sepolicy/public/crash_dump.te" type crash_dump, domain; type crash_dump_exec, system_file_type, exec_type, file_type; # crash_dump might inherit CAP_SYS_PTRACE from a privileged process, # which will result in an audit log even when it's allowed to trace. dontaudit crash_dump self:{ capability cap_userns } { sys_ptrace }; #line 13 # Use inherited file descriptors allow crash_dump domain:fd use; # Read/write IPC pipes inherited from crashing processes. allow crash_dump domain:fifo_file { read write }; # Append to pipes given to us by processes requesting dumps (e.g. dumpstate) allow crash_dump domain:fifo_file { append }; # Read information from /proc/$PID. allow crash_dump domain:process getattr; #line 27 allow crash_dump domain:dir { open getattr read search ioctl lock watch watch_reads }; #line 27 allow crash_dump domain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 27 allow crash_dump exec_type:file { getattr open read ioctl lock map watch watch_reads }; # Read /data/dalvik-cache. allow crash_dump dalvikcache_data_file:dir { search getattr }; allow crash_dump dalvikcache_data_file:file { getattr open read ioctl lock map watch watch_reads }; # Read APEX data directories. allow crash_dump apex_module_data_file:dir { getattr search }; # Read uptime allow crash_dump proc_uptime:file { getattr open read ioctl lock map watch watch_reads }; # Read APK files. 
#line 41
allow crash_dump apk_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 41
allow crash_dump apk_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 41
;
# Read all /vendor
#line 44
allow crash_dump { vendor_file same_process_hal_file }:dir { open getattr read search ioctl lock watch watch_reads };
#line 44
allow crash_dump { vendor_file same_process_hal_file }:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 44
# Read all /data/local/tests
#line 47
allow crash_dump shell_test_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 47
allow crash_dump shell_test_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 47
# Talk to tombstoned
#line 50
allow crash_dump tombstoned_crash_socket:sock_file write;
#line 50
allow crash_dump tombstoned:unix_stream_socket connectto;
#line 50
# Talk to ActivityManager.
#line 53
allow crash_dump system_ndebug_socket:sock_file write;
#line 53
allow crash_dump system_server:unix_stream_socket connectto;
#line 53
# Append to ANR files.
# append + getattr only: crash_dump can extend an existing trace but has no
# write, create or unlink, so a compromised crash_dump cannot truncate or
# replace existing ANR or tombstone records.
allow crash_dump anr_data_file:file { append getattr };
# Append to tombstone files.
allow crash_dump tombstone_data_file:file { append getattr };
# crash_dump writes out logcat logs at the bottom of tombstones,
# which is super useful in some cases.
#line 63
allow crash_dump logdr_socket:sock_file write;
#line 63
allow crash_dump logd:unix_stream_socket connectto;
#line 63
# Crash dump is not intended to access the following files. Since these
# are WAI, suppress the denials to clean up the logs.
# (dontaudit silences the audit message only; nothing is granted.)
dontaudit crash_dump { core_data_file_type vendor_file_type }:dir search;
dontaudit crash_dump system_data_file:{ lnk_file file } read;
dontaudit crash_dump property_type:file read;
###
### neverallow assertions
###
# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
# Do not allow the execution of crash_dump without a domain transition.
# This only forbids execute_no_trans; the rules that actually perform the
# transition into crash_dump (which domains may exec crash_dump_exec) are not
# in this file.
neverallow domain crash_dump_exec:file execute_no_trans;
#line 1 "system/sepolicy/public/credstore.te"
type credstore, domain;
type credstore_exec, system_file_type, exec_type, file_type;
# credstore daemon
#line 5
# Call the servicemanager and transfer references to it.
#line 5
allow credstore servicemanager:binder { call transfer };
#line 5
# Allow servicemanager to send out callbacks
#line 5
allow servicemanager credstore:binder { call transfer };
#line 5
# servicemanager performs getpidcon on clients.
#line 5
allow servicemanager credstore:dir search;
#line 5
allow servicemanager credstore:file { read open };
#line 5
allow servicemanager credstore:process getattr;
#line 5
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 5
# all domains in domain.te.
#line 5
#line 6
typeattribute credstore binderservicedomain;
#line 6
#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow credstore system_server:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow system_server credstore:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow credstore system_server:fd use;
#line 7
# Full create/rename/unlink control over its own data directory; no other
# data label is writable from this domain in this file.
allow credstore credstore_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow credstore credstore_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
#line 12
allow credstore credstore_service:service_manager { add find };
#line 12
# Only credstore may register the credstore_service name, so no other domain
# can impersonate it to clients that look the service up.
neverallow { domain -credstore } credstore_service:service_manager add;
#line 12
#line 12
# On debug builds with root, allow binder services to use binder over TCP.
#line 12
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 12
#line 12
# NOTE(review): the two comment lines above are all that remains of a
# debug-only block; no rule follows them in this expansion, so binder over
# TCP is not granted here.
allow credstore sec_key_att_app_id_provider_service:service_manager find;
allow credstore dropbox_service:service_manager find;
allow credstore authorization_service:service_manager find;
# Deliberately narrow: only get_auth_token on the keystore2 class, nothing
# else.
allow credstore keystore:keystore2 get_auth_token;
#line 18
allow credstore cgroup:dir { open getattr read search ioctl lock watch watch_reads };
#line 18
allow credstore cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 18
#line 19
allow credstore cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
#line 19
allow credstore cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 19
#line 1 "system/sepolicy/public/device.te"
# Device types
# This file only declares labels. The attributes attached to them (dev_type,
# mlstrustedobject, dmabuf_heap_device_type, isolated_compute_allowed_device,
# super_block_device_type) are declared elsewhere and carry the actual access
# rules. NOTE(review): mlstrustedobject is presumably the MLS-exemption
# marker (the nodes carrying it -- binder, null, zero, random, ashmem -- are
# the ones every process touches); confirm against the mls constraints before
# relying on that reading.
type device, dev_type, fs_type;
type ashmem_device, dev_type, mlstrustedobject;
type ashmem_libcutils_device, dev_type, mlstrustedobject;
type audio_device, dev_type;
type binder_device, dev_type, mlstrustedobject;
type hwbinder_device, dev_type, mlstrustedobject, isolated_compute_allowed_device;
type vndbinder_device, dev_type;
type block_device, dev_type;
type bt_device, dev_type;
type camera_device, dev_type;
type dm_device, dev_type;
type ublk_block_device, dev_type;
type dm_user_device, dev_type;
type ublk_control_device, dev_type;
type keychord_device, dev_type;
type loop_control_device, dev_type;
type loop_device, dev_type;
type pmsg_device, dev_type, mlstrustedobject;
type radio_device, dev_type;
type ram_device, dev_type;
type rtc_device, dev_type;
type vd_device, dev_type;
type vold_device, dev_type;
type console_device, dev_type;
type fscklogs, dev_type;
# GPU (used by most UI apps)
type gpu_device, dev_type, mlstrustedobject;
type graphics_device, dev_type;
type hw_random_device, dev_type;
type input_device, dev_type;
type port_device, dev_type;
type lowpan_device, dev_type;
type mtp_device, dev_type, mlstrustedobject;
type nfc_device, dev_type;
type ptmx_device, dev_type, mlstrustedobject;
type kmsg_device, dev_type, mlstrustedobject;
type kmsg_debug_device, dev_type;
type null_device, dev_type, mlstrustedobject;
type random_device, dev_type, mlstrustedobject;
type secure_element_device, dev_type;
type sensors_device, dev_type;
type serial_device, dev_type;
type socket_device, dev_type;
type owntty_device, dev_type, mlstrustedobject;
type tty_device, dev_type;
type video_device, dev_type;
type zero_device, dev_type, mlstrustedobject;
type fuse_device, dev_type, mlstrustedobject;
type iio_device, dev_type;
type ion_device, dev_type, mlstrustedobject, isolated_compute_allowed_device;
# dmabuf heaps: the system heaps are also reachable from isolated compute
# domains (isolated_compute_allowed_device); the secure heap is not.
type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject, isolated_compute_allowed_device;
type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
type qtaguid_device, dev_type;
type watchdog_device, dev_type;
type uhid_device, dev_type, mlstrustedobject;
type uio_device, dev_type;
type tun_device, dev_type, mlstrustedobject;
type usbaccessory_device, dev_type, mlstrustedobject;
type usb_device, dev_type, mlstrustedobject;
type usb_serial_device, dev_type;
type gnss_device, dev_type;
type properties_device, dev_type;
type properties_serial, dev_type;
type property_info, dev_type;
type hidraw_device, dev_type;
# All devices have a uart for the hci
# attach service. The uart dev node
# varies per device. This type
# is used in per device policy
type hci_attach_dev, dev_type;
# All devices have a rpmsg device for
# achieving remoteproc and rpmsg modules
type rpmsg_device, dev_type;
# Partition layout block device
type root_block_device, dev_type;
# factory reset protection block device
type frp_block_device, dev_type;
# System block device mounted on /system.
# Documented at https://source.android.com/devices/bootloader/partitions
type system_block_device, dev_type;
# Recovery block device.
# Documented at https://source.android.com/devices/bootloader/partitions
type recovery_block_device, dev_type;
# boot block device.
# Documented at https://source.android.com/devices/bootloader/partitions
type boot_block_device, dev_type;
# dtbo block device, type used for getting DTBO information for AVF.
# Documented at https://source.android.com/docs/core/architecture/dto/partitions
type dtbo_block_device, dev_type;
# Userdata block device mounted on /data.
# Documented at https://source.android.com/devices/bootloader/partitions
type userdata_block_device, dev_type;
# Zoned block device.
type zoned_block_device, dev_type;
# Cache block device mounted on /cache.
# Documented at https://source.android.com/devices/bootloader/partitions
type cache_block_device, dev_type;
# Block device for any swap partition.
type swap_block_device, dev_type;
# Metadata block device mounted on /metadata, used for encryption metadata and
# various other purposes.
# Documented at https://source.android.com/devices/bootloader/partitions
type metadata_block_device, dev_type;
# The 'misc' partition used by recovery and A/B.
# Documented at https://source.android.com/devices/bootloader/partitions
type misc_block_device, dev_type;
# 'super' partition to be used for logical partitioning.
type super_block_device, super_block_device_type, dev_type;
# sdcard devices; normally vold uses the vold_block_device label and creates a
# separate device node. gsid, however, accesses the original device node
# created through uevents, so we use a separate label.
type sdcard_block_device, dev_type;
# Userdata device file for filesystem tunables
type userdata_sysdev, dev_type;
# Root disk file for disk tunables
type rootdisk_sysdev, dev_type;
# vfio device
type vfio_device, dev_type;
#line 1 "system/sepolicy/public/dhcp.te"
type dhcp, domain;
type dhcp_exec, system_file_type, exec_type, file_type;
#line 4
typeattribute dhcp netdomain;
#line 4
allow dhcp cgroup:dir { create write add_name };
allow dhcp cgroup_v2:dir { create write add_name };
# net_admin/net_raw cover interface configuration and raw sockets; setuid and
# setgid let the daemon change its own credentials. Combined with the
# execute_no_trans grants below this is a comparatively privileged domain.
allow dhcp self:{ capability cap_userns } { setgid setuid net_admin net_raw net_bind_service };
allow dhcp self:packet_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow dhcp self:netlink_route_socket nlmsg_write;
# NOTE(review): execute_no_trans means binaries labelled shell_exec,
# system_file and vendor_file (the dhcpcd-hooks scripts and whatever they
# invoke) run *inside* the dhcp domain with the capabilities above. Any hook
# reachable under these labels therefore runs with dhcp's privileges, so the
# set of installed hooks is security-relevant.
allow dhcp shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow dhcp system_file:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow dhcp vendor_file:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
allow dhcp toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# For /proc/sys/net/ipv4/conf/*/promote_secondaries
# NOTE(review): the rule is wider than the comment: it grants write on every
# file carrying any proc_net_type label, not only promote_secondaries. A
# dedicated label for that sysctl would narrow it.
allow dhcp proc_net_type:file write;
allow dhcp dhcp_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow dhcp dhcp_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# PAN connections
# Inherited netd descriptors: read/write only, no nlmsg_write on the route
# socket, so route-modifying netlink messages are still denied.
allow dhcp netd:fd use;
allow dhcp netd:fifo_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow dhcp netd:{ { udp_socket unix_dgram_socket } unix_stream_socket } { read write };
allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
#line 1 "system/sepolicy/public/display_service_server.te"
#line 1
allow display_service_server fwk_display_hwservice:hwservice_manager { add find };
#line 1
allow display_service_server hidl_base_hwservice:hwservice_manager add;
#line 1
# Only display_service_server may register fwk_display_hwservice.
neverallow { domain -display_service_server } fwk_display_hwservice:hwservice_manager add;
#line 1
#line 1 "system/sepolicy/public/dnsmasq.te"
# DNS, DHCP services
type dnsmasq, domain;
type dnsmasq_exec, system_file_type, exec_type, file_type;
#line 5
typeattribute dnsmasq netdomain;
#line 5
# ioctl allowlist for dnsmasq's own UDP sockets. The two hardware-specific
# ranges (0x89e0-0x89ff and 0x8be0-0x8bff) are the broad part of this list.
allowxperm dnsmasq self:udp_socket ioctl
#line 6
{
#line 6
# qualcomm rmnet ioctls
#line 6
0x00006900 0x00006902
#line 6
# socket ioctls
#line 6
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 6
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 6
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 6
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 6
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 6
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 6
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 6
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 6
0x00008991 0x00008992 0x00008993 0x00008994
#line 6
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 6
# device and protocol specific ioctls
#line 6
0x000089f0-0x000089ff
#line 6
0x000089e0-0x000089ef
#line 6
# Wireless extension ioctls
#line 6
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 6
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 6
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 6
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 6
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 6
0x00008b34 0x00008b35 0x00008b36
#line 6
# Dev private ioctl i.e. hardware specific ioctls
#line 6
0x00008be0-0x00008bff
#line 6
};
# TODO: Run with dhcp group to avoid need for dac_override.
# CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH bypass all discretionary file
# permission checks (SELinux rules still apply). The TODO above is the right
# fix: the only filesystem objects this file grants are dhcp_data_file, so a
# group fix would make both capabilities unnecessary.
allow dnsmasq self:{ capability cap_userns } { dac_override dac_read_search };
allow dnsmasq self:{ capability cap_userns } { net_admin net_raw net_bind_service setgid setuid };
allow dnsmasq dhcp_data_file:dir { open search write add_name remove_name lock };
allow dnsmasq dhcp_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Inherit and use open files from netd.
allow dnsmasq netd:fd use;
allow dnsmasq netd:fifo_file { getattr read write };
# TODO: Investigate whether these inherited sockets should be closed on exec.
# NOTE(review): until that TODO is resolved a compromised dnsmasq holds netd's
# netlink sockets. Only socket read/write is granted here (no nlmsg_write), so
# route-modifying messages on the inherited route socket are still denied.
allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
allow dnsmasq netd:netlink_nflog_socket { read write };
allow dnsmasq netd:netlink_route_socket { read write };
allow dnsmasq netd:unix_stream_socket { getattr read write };
allow dnsmasq netd:udp_socket { read write };
#line 1 "system/sepolicy/public/domain.te"
# Rules for all domains.
# Allow reaping by init.
allow domain init:process sigchld;
# Intra-domain accesses.
allow domain self:process { fork sigchld sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap getattr setrlimit }; allow domain self:fd use; allow domain proc:dir { open getattr read search ioctl lock watch watch_reads }; allow domain proc_net_type:dir search; #line 27 allow domain self:dir { open getattr read search ioctl lock watch watch_reads }; #line 27 allow domain self:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 27 allow domain self:{ fifo_file file } { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow domain self:unix_dgram_socket { { create { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } } sendto }; allow domain self:unix_stream_socket { { create { { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } listen accept } } connectto }; # Inherit or receive open files from others. allow domain init:fd use; #line 52 #line 58 # Allow everyone to read aconfig flags #line 61 allow domain device_config_aconfig_flags_prop:file { getattr open read map }; #line 61 ; # Root fs. allow domain tmpfs:dir { getattr search }; allow domain rootfs:dir search; allow domain rootfs:lnk_file { read getattr }; # Device accesses. 
allow domain device:dir search; allow domain dev_type:lnk_file { getattr open read ioctl lock map watch watch_reads }; allow domain devpts:dir search; allow domain dmabuf_heap_device:dir { open getattr read search ioctl lock watch watch_reads }; allow domain socket_device:dir { open getattr read search ioctl lock watch watch_reads }; allow domain owntty_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow domain null_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow domain zero_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # /dev/ashmem is being deprecated by means of constraining and eventually # removing all "open" permissions. We preserve the other permissions. allow domain ashmem_device:chr_file { getattr read ioctl lock map append write }; # This device is used by libcutils, which is accessible to everyone. allow domain ashmem_libcutils_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # /dev/binder can be accessed by ... everyone! :) allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; #line 86 allow {domain -hwservicemanager -vndservicemanager } servicemanager_prop:file { getattr open read map }; #line 86 # Restrict binder ioctls to an allowlist. Additional ioctl commands may be # added to individual domains, but this sets safe defaults for all processes. allowxperm domain binder_device:chr_file ioctl { { #line 90 0xc0306201 0x40086203 0x40046205 #line 90 0x40046206 0x40046207 0x40046208 #line 90 0xc0046209 0xc018620b 0xc018620c #line 90 0x4018620d 0x40046210 #line 90 0xc0486211 #line 90 } }; # /dev/binderfs needs to be accessed by everyone too! 
allow domain binderfs:dir { getattr search }; allow domain binderfs_logs_proc:dir search; allow domain binderfs_features:dir search; allow domain binderfs_features:file { getattr open read ioctl lock map watch watch_reads }; allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow domain ptmx_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow domain random_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow domain proc_random:dir { open getattr read search ioctl lock watch watch_reads }; allow domain proc_random:file { getattr open read ioctl lock map watch watch_reads }; allow domain properties_device:dir { search getattr }; allow domain properties_serial:file { getattr open read ioctl lock map watch watch_reads }; allow domain property_info:file { getattr open read ioctl lock map watch watch_reads }; # Let everyone read log properties, so that liblog can avoid sending unloggable # messages to logd. #line 109 allow domain log_property_type:file { getattr open read map }; #line 109 dontaudit domain property_type:file audit_access; allow domain property_contexts_file:file { getattr open read ioctl lock map watch watch_reads }; allow domain init:key search; allow domain vold:key search; # logd access #line 117 #line 117 allow domain logdw_socket:sock_file write; #line 117 allow domain logd:unix_dgram_socket sendto; #line 117 #line 117 allow domain pmsg_device:chr_file { open append write lock map }; #line 117 # Directory/link file access for path resolution. 
allow domain { system_file system_lib_file system_seccomp_policy_file system_security_cacerts_file }:dir { open getattr read search ioctl lock watch watch_reads }; allow domain system_file:lnk_file { getattr read }; # Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*, # /(system|product|system_ext)/etc/(group|passwd), linker and its config. allow domain system_seccomp_policy_file:file { getattr open read ioctl lock map watch watch_reads }; # cacerts are accessible from public Java API. allow domain system_security_cacerts_file:file { getattr open read ioctl lock map watch watch_reads }; allow domain system_group_file:file { getattr open read ioctl lock map watch watch_reads }; allow domain system_passwd_file:file { getattr open read ioctl lock map watch watch_reads }; allow domain system_linker_exec:file { execute read open getattr map }; allow domain system_linker_config_file:file { getattr open read ioctl lock map watch watch_reads }; allow domain system_lib_file:file { execute read open getattr map }; # To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc. allow domain system_linker_exec:lnk_file { read open getattr }; allow domain system_lib_file:lnk_file { read open getattr }; allow domain system_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads }; allow { appdomain coredomain } system_file:file { execute read open getattr map }; # Make sure system/vendor split doesn not affect non-treble # devices #line 148 allow domain system_file:file { execute read open getattr map }; #line 148 allow domain vendor_file_type:dir { search getattr }; #line 148 allow domain vendor_file_type:file { execute read open getattr map }; #line 148 allow domain vendor_file_type:lnk_file { getattr read }; #line 153 # All domains are allowed to open and read directories # that contain HAL implementations (e.g. 
# (comment continued from the preceding section) passthrough
# HALs require clients to have these permissions)
#
# Every rule in this run is granted to the `domain` attribute, i.e. to every
# process on the device; anything added here widens the baseline of all
# domains, so each addition should be the minimum needed.
allow domain vendor_hal_file:dir { open getattr read search ioctl lock watch watch_reads };

# Everyone can read and execute all same process HALs
allow domain same_process_hal_file:dir { open getattr read search ioctl lock watch watch_reads };
allow {
  domain
  -coredomain # access is explicitly granted to individual coredomains
} same_process_hal_file:file { execute read open getattr map };

# Any process can load vndk-sp libraries, which are system libraries
# used by same process HALs
allow domain vndk_sp_file:dir { open getattr read search ioctl lock watch watch_reads };
allow domain vndk_sp_file:file { execute read open getattr map };

# All domains get access to /vendor/etc
allow domain vendor_configs_file:dir { open getattr read search ioctl lock watch watch_reads };
allow domain vendor_configs_file:file { read open getattr map };

# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 176
#line 176
# Allow all domains to be able to follow /system/vendor and/or
#line 176
# /vendor/odm symlinks.
#line 176
allow domain vendor_file_type:lnk_file { getattr open read };
#line 176
#line 176
# This is required to be able to search & read /vendor/lib64
#line 176
# in order to lookup vendor libraries. The execute permission
#line 176
# for coredomains is granted *only* for same process HALs
#line 176
# Note: only `getattr search` on the directory, deliberately no `read`, so
# coredomains can resolve a known path but not enumerate /vendor.
allow domain vendor_file:dir { getattr search };
#line 176
#line 176
# Allow reading and executing out of /vendor to all vendor domains
#line 176
allow { domain -coredomain } vendor_file_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 176
allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
#line 176
allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
#line 176
#line 176
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 190
# read and stat any sysfs symlinks
allow domain sysfs:lnk_file { getattr read };

# libc references /system/usr/share/zoneinfo for timezone related information.
# This directory is considered to be a VNDK-stable
allow domain { system_zoneinfo_file }:file { getattr open read ioctl lock map watch watch_reads };
allow domain { system_zoneinfo_file }:dir { open getattr read search ioctl lock watch watch_reads };

# Lots of processes access current CPU information
#line 201
allow domain sysfs_devices_system_cpu:dir { open getattr read search ioctl lock watch watch_reads };
#line 201
allow domain sysfs_devices_system_cpu:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 201
#line 203
allow domain sysfs_usb:dir { open getattr read search ioctl lock watch watch_reads };
#line 203
allow domain sysfs_usb:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 203
# NOTE(review): the bare ';' below is an empty statement left behind by
# macro expansion; presumably accepted as a no-op by the policy compiler.
;
# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
allow domain sysfs_transparent_hugepage:dir search;
allow domain sysfs_transparent_hugepage:file { getattr open read ioctl lock map watch watch_reads };

# Allow search access, and sometimes getattr access, to various directories
# under /data. We are fairly lenient in allowing search access to top-level
# dirs that commonly need to be traversed to get access to the "real" files, as
# this greatly simplifies the policy and doesn't open up much attack surface.
#line 214
allow domain system_data_file:dir getattr;
#line 216
# Subsumed by the `allow domain ... getattr` just above (coredomain and
# appdomain are both subsets of domain); kept as it was emitted.
allow { coredomain appdomain } system_data_file:dir getattr;

# Anything that accesses anything in /data needs search access to /data itself.
# This includes vendor components, as they need to access /data/vendor.
allow domain system_data_root_file:dir { search getattr } ;

# system_data_file is the default type for directories in /data. Anything
# accessing data files with a more specific type often has to traverse a
# system_data_file directory such as /data/misc to get there.
allow domain system_data_file:dir search;

# Anything that accesses files in /data/user (and /data/user_de, etc.) needs
# search access to these directories themselves. getattr access is sometimes
# needed too.
allow { coredomain appdomain } system_userdir_file:dir { search getattr };

# Anything that accesses files in /data/media needs search access to /data/media
# itself.
allow { coredomain appdomain } media_userdir_file:dir search;

# TODO restrict this to non-coredomain
allow domain vendor_userdir_file:dir { getattr search };
allow domain vendor_data_file:dir { getattr search };

# required by the dynamic linker
allow domain proc:lnk_file { getattr read };

# /proc/cpuinfo
allow domain proc_cpuinfo:file { getattr open read ioctl lock map watch watch_reads };

# /dev/cpu_variant:.*
allow domain dev_cpu_variant:file { getattr open read ioctl lock map watch watch_reads };

# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
allow domain proc_perf:file { getattr open read ioctl lock map watch watch_reads };

# toybox loads libselinux which stats /sys/fs/selinux/
allow domain selinuxfs:dir search;
allow domain selinuxfs:file getattr;
allow domain sysfs:dir search;
allow domain selinuxfs:filesystem getattr;

# Almost all processes log tracing information to
# /sys/kernel/debug/tracing/trace_marker
# The reason behind this is documented in b/6513400
# Only `search` on the directories and write-style access on trace_marker;
# no `read` of debugfs contents is granted here.
allow domain debugfs:dir search;
allow domain debugfs_tracing:dir search;
allow domain debugfs_tracing_debug:dir search;
allow domain debugfs_trace_marker:file { open append write lock map };

# Linux lockdown mode offered coarse-grained definitions for access controls. In
# previous versions of the policy, the integrity permission was neverallowed.
# It was found that this permission mainly duplicates pre-existing rules in
# the policy (see b/285443587). Additionally, some access were found to be
# required (b/269377822). The access vector was removed from kernel 5.16
# onwards. Grant unconditional access, these rules should be removed from the
# policy once no kernel <5.16 are supported.
allow domain self:lockdown { confidentiality integrity };

# Filesystem access.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;

# Restrict all domains to an allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
#
# allowxperm only narrows an `ioctl` permission granted elsewhere to the listed
# request numbers; the numbers are the low 16 bits of the ioctl request.
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl {
#line 281
{
#line 281
# Socket ioctls for gathering information about the interface
#line 281
# 0x8906/0x8907: SIOCGSTAMP / SIOCGSTAMPNS (packet timestamps)
0x00008906 0x00008907
#line 281
# 0x8910..0x8919: SIOCGIFNAME, SIOCGIFCONF, SIOCGIFFLAGS, SIOCGIFADDR,
# SIOCGIFDSTADDR, SIOCGIFBRDADDR (interface getters only, no SIOCSIF*)
0x00008910 0x00008912 0x00008913 0x00008915 0x00008917 0x00008919
#line 281
# SIOCGIFNETMASK, SIOCGIFMTU, SIOCGIFINDEX, SIOCGIFCOUNT, SIOCGIFTXQLEN
0x0000891b 0x00008921 0x00008933 0x00008938 0x00008942
#line 281
# Wireless extension ioctls. Primarily get functions.
#line 281
# Mostly odd-numbered SIOCGIW* getters (0x8b01 is SIOCGIWNAME).
0x00008b01 0x00008b05 0x00008b07 0x00008b09 0x00008b0b 0x00008b0d
#line 281
0x00008b0f 0x00008b11 0x00008b12 0x00008b13 0x00008b21 0x00008b23
#line 281
0x00008b25 0x00008b27 0x00008b29 0x00008b2d
#line 281
} {
#line 281
# Generic tty/fd ioctls: TIOCOUTQ, FIOCLEX, FIONCLEX, TCGETS, TCSETS,
# TCSETSW, TCSETSF, TIOCGWINSZ, TIOCSWINSZ
0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414
#line 281
# TIOCSCTTY, TCFLSH, TIOCSPGRP, TIOCGPGRP. TIOCSTI (0x5412) is deliberately
# absent from every tty allowlist in this file.
0x0000540e 0x0000540b 0x00005410 0x0000540f
#line 281
}
};

# default allowlist for unix sockets.
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket } ioctl {
#line 284
# TIOCOUTQ, FIOCLEX, FIONCLEX, TCGETS, TIOCGWINSZ, TIOCSWINSZ, FIONREAD
0x00005411 0x00005451 0x00005450 0x00005401 0x00005413 0x00005414 0x0000541b
#line 284
};

# Restrict PTYs to only allowed ioctls.
# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl {
#line 290
# Same termios/window-size set as for sockets above; no TIOCSTI, no TIOCLINUX.
0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414
#line 290
0x0000540e 0x0000540b 0x00005410 0x0000540f
#line 290
};

# All domains must clearly enumerate what ioctls they use
# on filesystem objects (plain files, directories, symbolic links,
# named pipes, and named sockets). We start off with a safe set.
# Baseline: only FIOCLEX / FIONCLEX (0x5451 / 0x5450) on every file-like
# object; any further ioctl must be allowlisted by the individual domain.
allowxperm domain { file_type fs_type domain dev_type }:{ dir { file lnk_file sock_file fifo_file } blk_file } ioctl { 0x00005451 0x00005450 };

# If a domain has ioctl access to tun_device, it must clearly enumerate the
# ioctls used. Safe defaults are listed below.
allowxperm domain tun_device:chr_file ioctl { 0x00005451 0x00005450 };

# Allow a process to make a determination whether a file descriptor
# for a plain file or pipe (fifo_file) is a tty. Note that granting
# this allowlist to domain does not grant the ioctl permission to
# these files. That must be granted separately.
# 0x5401 is TCGETS, which is what isatty(3) issues.
allowxperm domain { file_type fs_type }:file ioctl { 0x00005401 };
allowxperm domain domain:fifo_file ioctl { 0x00005401 };

# If a domain has access to perform an ioctl on a block device, allow these
# very common, benign ioctls
# 0x80081272 is BLKGETSIZE64 and 0x1268 is BLKSSZGET: size queries only.
allowxperm domain dev_type:blk_file ioctl { 0x80081272 0x00001268 };

# Support sqlite F2FS specific optimizations
# ioctl permission on the specific file type is still required
# TODO: consider only compiling these rules if we know the
# /data partition is F2FS
# 0xf5 is the F2FS ioctl magic; these are the atomic/volatile-write and
# feature-query requests (exact names per the kernel's f2fs uapi header).
allowxperm domain { file_type sdcard_type }:file ioctl { 0xf505 0xf502 0xf50c 0xf50e 0xf50d 0xf501 };

# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
# when it's not explicitly used in allow rules
# `{ domain -domain }` is the empty set, so this grants nothing at runtime.
allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };

# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
# when it's not explicitly used in allow rules
allow { domain -domain } vndservice_manager_type:service_manager { add find };

# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
# (no rules emitted in this build; the ASAN-conditional block was expanded away)

# Under ASAN, /system/asan.options needs to be globally accessible.

# read APEX dir and stat any symlink pointing to APEXs.
allow domain apex_mnt_dir:dir { getattr search };
allow domain apex_mnt_dir:lnk_file { getattr open read ioctl lock map watch watch_reads };

# Allow everyone to read media server-configurable flags, so that libstagefright can be
# configured using server-configurable flags
#line 343
allow domain device_config_media_native_prop:file { getattr open read map };
#line 343

# Allow everyone to read from flag value boot snapshot files and general pb files
# The boot copy of the flag value files serves flag read traffic for all processes, thus
# needs to be readable by everybody. Also, the metadata directory will contain pb file
# that records where flag storage files are, so also needs to be readable by everbody.
allow domain { aconfig_storage_metadata_file }:file { getattr open read ioctl lock map watch watch_reads };

###
### neverallow rules
###
# neverallow/neverallowxperm are build-time assertions: the policy fails to
# compile (and CTS fails) if any allow rule anywhere contradicts them.

# All ioctls on file-like objects (except chr_file and blk_file) and
# sockets must be restricted to an allowlist.
# Asserting on request number 0 works because an `ioctl` grant with no
# allowxperm allowlist permits every request including 0, whereas every
# allowlist in this file omits 0. So this catches un-allowlisted ioctl grants.
neverallowxperm * *:{ dir { file lnk_file sock_file fifo_file } { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } blk_file } ioctl { 0 };

# b/68014825 and https://android-review.googlesource.com/516535
# rfc6093 says that processes should not use the TCP urgent mechanism
# 0x8905 is SIOCATMARK.
neverallowxperm domain domain:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } ioctl { 0x00008905 };

# TIOCSTI is only ever used for exploits. Block it.
# b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14
# TIOCSTI (0x5412) injects input into a terminal; this applies to every
# subject (`*`), so no domain can ever allowlist it on devpts.
neverallowxperm * devpts:chr_file ioctl 0x00005412;

# Do not allow any domain other than init to create unlabeled files.
# (recovery is exempted as well as init.)
neverallow { domain -init -recovery } unlabeled:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } create;

# Limit device node creation to these allowed domains.
# Covers both the init user namespace (capability) and child namespaces
# (cap_userns).
neverallow { domain -kernel -init -ueventd -vold } self:{ capability cap_userns } mknod;

# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow * self:memprotect mmap_zero;

# No domain needs mac_override as it is unused by SELinux.
neverallow * self:{ capability2 cap2_userns } mac_override;

# Disallow attempts to set contexts not defined in current policy
# This helps guarantee that unknown or dangerous contents will not ever
# be set.
neverallow * self:{ capability2 cap2_userns } mac_admin;

# Once the policy has been loaded there shall be none to modify the policy.
# It is sealed.
# Applies to `*`, so even init cannot reload policy after boot.
neverallow * kernel:security load_policy;

# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
neverallow * kernel:security setenforce;
neverallow { domain -kernel } kernel:security setcheckreqprot;

# No booleans in AOSP policy, so no need to ever set them.
neverallow * kernel:security setbool;

# Adjusting the AVC cache threshold.
# Not presently allowed to anything in policy, but possibly something
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;

# Only the kernel hwrng thread should be able to read from the HW RNG.
# `*` as the permission set: no access at all to /dev/hw_random outside the
# exemptions listed inline.
neverallow {
  domain
  -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG
  -shell # For CTS, restricted to just getattr in shell.te
  -ueventd # To create the /dev/hw_random file
} hw_random_device:chr_file *;

# b/78174219 b/64114943
neverallow {
  domain
  -shell # stat of /dev, getattr only
  -ueventd
} keychord_device:chr_file *;

# Ensure that all entrypoint executables are in exec_type or postinstall_file.
# `entrypoint` is the permission checked on a domain transition's target
# binary, so this pins every transition to a labelled executable type.
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;

# The dynamic linker always calls access(2) on the path. Don't generate SElinux
# denials since the linker does not actually access the path in case the path
# does not exist or isn't accessible for the process.
# dontaudit suppresses the denial log only; access is still denied.
dontaudit domain postinstall_mnt_dir:dir audit_access;

#Ensure that nothing in userspace can access /dev/port
neverallow {
  domain
  -shell # Shell user should not have any abilities outside of getattr
  -ueventd
} port_device:chr_file *;
# The second rule applies to `*`, so even the shell/ueventd exemptions above
# are limited to the node-management permissions listed here (no read/write).
neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };

# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
neverallow { domain -init -vendor_init } proc_security:file { append open read write };

# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow * init:binder *;
neverallow * vendor_init:binder *;

# Binderfs logs contain sensitive information about other processes.
neverallow { domain -dumpstate -init -vendor_init } { binderfs_logs binderfs_logs_proc }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_stats:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };

# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };

# Do not allow renaming of block files or character files
# Ability to do so can lead to possible use in an exploit chain
# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
neverallow * *:{ blk_file chr_file } rename;

# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
neverallow domain device:chr_file { open read write };

# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;

# The test files and executables MUST not be accessible to any domain
# `{ domain }` with no exemptions: not even shell/init may write or execute
# nativetest_data_file.
neverallow { domain } nativetest_data_file:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } { append create link unlink relabelfrom rename setattr write };
neverallow domain nativetest_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
neverallow { domain } nativetest_data_file:file { execute execute_no_trans };
neverallow { domain -shell -init -adbd } shell_test_data_file:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } { append create link unlink relabelfrom rename setattr write };
neverallow { domain -shell -init -adbd } shell_test_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
neverallow { domain -shell -init -adbd -heapprofd -crash_dump } shell_test_data_file:file *;
# heapprofd is exempted above only so it can be pinned here to read-style
# access: no write and no execute of shell test files.
neverallow heapprofd shell_test_data_file:file { { append create link unlink relabelfrom rename setattr write } { execute execute_no_trans } };
neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;

# Only the init property service should write to /data/property and /dev/__properties__
neverallow { domain -init } property_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
neverallow { domain -init } property_data_file:file { { append create link unlink relabelfrom rename setattr write } { execute execute_no_trans } };
neverallow { domain -init } property_type:file { { append create link unlink relabelfrom rename setattr write } { execute execute_no_trans } };
neverallow { domain -init } properties_device:file { { append create link unlink relabelfrom rename setattr write } { execute execute_no_trans } };
neverallow {
  domain
  -init
} properties_serial:file { { append create link unlink relabelfrom rename setattr write } { execute execute_no_trans } };

# Nobody should be doing writes to /system & /vendor
# These partitions are intended to be read-only and must never be
# modified. Doing so would violate important Android security guarantees
# and invalidate dm-verity signatures.
neverallow { domain } { system_file_type vendor_file_type exec_type }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom append unlink link rename };
# relabelto is asserted separately so that only kernel (early labelling) may
# relabel objects into these types.
neverallow { domain -kernel } { system_file_type vendor_file_type exec_type }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;

# Don't allow mounting on top of /system files or directories
neverallow * exec_type:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } mounton;

# Nothing should be writing to files in the rootfs.
neverallow * rootfs:file { create write setattr relabelto append unlink link rename };

# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
neverallow * {fs_type -contextmount_type}:filesystem relabelto;

# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
# mount to another type.
neverallow * contextmount_type:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create setattr relabelfrom relabelto append link rename };
neverallow { domain } contextmount_type:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { write unlink };

# Do not allow service_manager add for default service labels.
# Instead domains should use a more specific type such as
# system_app_service rather than the generic type.
# New service_types are defined in {,hw,vnd}service.te and new mappings
# from service name to service_type are defined in {,hw,vnd}service_contexts.
# An unmapped service name falls back to the default_* label; denying `*` on
# it means an unlabelled service can neither be registered nor looked up.
neverallow * default_android_service:service_manager *;
neverallow * default_android_vndservice:service_manager *;
neverallow * default_android_hwservice:hwservice_manager *;

# Looking up the base class/interface of all HwBinder services is a bad idea.
# hwservicemanager currently offer such lookups only to make it so that security
# decisions are expressed in SELinux policy. However, it's unclear whether this
# lookup has security implications. If it doesn't, hwservicemanager should be
# modified to not offer this lookup.
# This rule can be removed if hwservicemanager is modified to not permit these
# lookups.
neverallow * hidl_base_hwservice:hwservice_manager find;

# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
neverallow { domain -init -vendor_init } mmc_prop:property_service set;
neverallow { domain -init -vendor_init } vndk_prop:property_service set;

# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 544
#line 544
# Stricter than the mmc_prop rule above (vendor_init is not exempted here);
# since neverallows accumulate, the effective restriction is `{ domain -init }`.
neverallow { domain -init } mmc_prop:property_service set;
#line 544
neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
#line 544
neverallow { domain -init } exported_secure_prop:property_service set;
#line 544
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
#line 544
neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
#line 544
neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set;
#line 544
#line 544
# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 551
# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 553
#line 553
neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
#line 553
neverallow { domain -coredomain -vendor_init } exported_pm_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 553
#line 553
# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 556
# New "pm.dexopt." sysprops should be explicitly listed as exported_pm_prop.
neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:property_service set;
neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };

# ART may introduce new sysprops. SELinux denials due to reading new sysprops on
# old platforms shouldn't be regarded as a problem.
dontaudit domain future_pm_prop:file read;

neverallow { domain -init } aac_drc_prop:property_service set;
neverallow { domain -init } build_prop:property_service set;
neverallow { domain -init } userdebug_or_eng_prop:property_service set;

# Do not allow reading device's serial number from system properties except form
# a few allowed domains.
# The serial number is a persistent device identifier; each exemption below is
# a domain that can read it, so additions here deserve privacy review.
neverallow {
  domain
  -adbd
  -dumpstate
  -fastbootd
  -hal_camera_server
  -hal_cas_server
  -hal_drm_server
  -hal_keymint_server
  -init
  -mediadrmserver
  -mediaserver
  -recovery
  -shell
  -system_server
  -vendor_init
} serialno_prop:file { getattr open read ioctl lock map watch watch_reads };

neverallow {
  domain
  -init
  -recovery
  -system_server
  -ueventd # Further restricted in ueventd.te
} frp_block_device:blk_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };

# The metadata block device is set aside for device encryption and
# verified boot metadata. It may be reset at will and should not
# be used by other domains.
neverallow {
  domain
  -init
  -recovery
  -vold
  -e2fs
  -fsck
  -fastbootd
  -hal_fastboot_server
} metadata_block_device:blk_file { append link rename write open read ioctl lock };

# No domain other than recovery, update_engine and fastbootd can write to system partition(s).
neverallow { domain -fastbootd -recovery -update_engine } system_block_device:blk_file { write append };

# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;

# The service managers are only allowed to access their own device node
# Each manager is denied the other two binder device nodes outright, so
# /dev/binder, /dev/hwbinder and /dev/vndbinder stay isolated.
neverallow servicemanager hwbinder_device:chr_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow servicemanager vndbinder_device:chr_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow hwservicemanager binder_device:chr_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow hwservicemanager vndbinder_device:chr_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow vndservicemanager binder_device:chr_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow vndservicemanager hwbinder_device:chr_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };

# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 633
#line 633
# Vendor apps are permited to use only stable public services. If they were to use arbitrary
#line 633
# services which can change any time framework/core is updated, breakage is likely.
#line 633
#
#line 633
# Note, this same logic applies to untrusted apps, but neverallows for these are separate.
#line 633
neverallow {
#line 633
  appdomain
#line 633
  -coredomain
#line 633
} {
#line 633
  service_manager_type
#line 633
#line 633
  -app_api_service
#line 633
  -ephemeral_app_api_service
#line 633
#line 633
  -hal_service_type # see app_neverallows.te
#line 633
#line 633
  -apc_service
#line 633
  -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
#line 633
  -cameraserver_service
#line 633
  -drmserver_service
#line 633
  -credstore_service
#line 633
  -keystore_maintenance_service
#line 633
  -keystore_service
#line 633
  -legacykeystore_service
#line 633
  -mediadrmserver_service
#line 633
  -mediaextractor_service
#line 633
  -mediametrics_service
#line 633
  -mediaserver_service
#line 633
  -nfc_service
#line 633
  -radio_service
#line 633
  -virtual_touchpad_service
#line 633
  -vr_manager_service
#line 633
#line 633
}:service_manager find;
#line 633
#line 633
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 667
# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 670
#line 670
# NOTE(review): the `su` exemption mentioned in the comment above is not
# present in this expansion; presumably it is only emitted on debug builds.
neverallow {
#line 670
  coredomain
#line 670
  -shell
#line 670
#line 670
  -ueventd # uevent is granted create for this device, but we still neverallow I/O below
#line 670
} vndbinder_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 670
#line 670
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 677
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 678
#line 678
neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
#line 678
#line 678
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 680
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 681
#line 681
# Core domains (shell aside) may neither add nor find any vndservice.
neverallow {
#line 681
  coredomain
#line 681
  -shell
#line 681
#line 681
} vndservice_manager_type:service_manager *;
#line 681
#line 681
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 687
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 688
#line 688
neverallow {
#line 688
  coredomain
#line 688
  -shell
#line 688
#line 688
} vndservicemanager:binder *;
#line 688
#line 688
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 694
# On full TREBLE devices, socket communications between core components and vendor components are
# not permitted.
# Most general rules first, more specific rules below.
# Core domains are not permitted to initiate communications to vendor domain sockets.
# We are not restricting the use of already established sockets because it is fine for a process
# to obtain an already established socket via some public/official/stable API and then exchange
# data with its peer over that socket. The wire format in this scenario is dicatated by the API
# and thus does not break the core-vendor separation.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 705
#line 705
#line 705
# Only the initiating operations (connect/sendto, and connectto for unix
# stream sockets) are asserted; read/write on an inherited socket stay allowed.
neverallow {
#line 705
  coredomain
#line 705
  -init
#line 705
  -adbd
#line 705
} {
#line 705
  domain
#line 705
  -coredomain
#line 705
  -socket_between_core_and_vendor_violators
#line 705
}:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } { connect sendto };
#line 705
neverallow {
#line 705
  coredomain
#line 705
  -init
#line 705
  -adbd
#line 705
} {
#line 705
  domain
#line 705
  -coredomain
#line 705
  -socket_between_core_and_vendor_violators
#line 705
}:unix_stream_socket connectto;
#line 705
# NOTE(review): bare ';' left by macro expansion; presumably a no-op.
;
#line 705
#line 705
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 715
# Vendor domains are not permitted to initiate create/open sockets owned by core domains
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 718
#line 718
# `~{ ... }` denies everything except the listed permissions, i.e. only
# use of an already-open socket file is tolerated.
neverallow {
#line 718
  domain
#line 718
  -coredomain
#line 718
  -appdomain # appdomain restrictions below
#line 718
  -data_between_core_and_vendor_violators # b/70393317
#line 718
  -socket_between_core_and_vendor_violators
#line 718
  -vendor_init
#line 718
} {
#line 718
  coredomain_socket
#line 718
  core_data_file_type
#line 718
  unlabeled # used only by core domains
#line 718
}:sock_file ~{ append getattr ioctl read write };
#line 718
#line 718
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 731
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 732
#line 732
neverallow {
#line 732
  appdomain
#line 732
  -coredomain
#line 732
} {
#line 732
  coredomain_socket
#line 732
  unlabeled # used only by core domains
#line 732
  core_data_file_type
#line 732
  -app_data_file
#line 732
  -privapp_data_file
#line 732
  -pdx_endpoint_socket_type # used by VR layer
#line 732
  -pdx_channel_socket_type # used by VR layer
#line 732
}:sock_file ~{ append getattr ioctl read write };
#line 732
#line 732
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 745
# Core domains are not permitted to create/open sockets owned by vendor domains
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 748
#line 748
neverallow {
#line 748
  coredomain
#line 748
  -init
#line 748
  -ueventd
#line 748
  -socket_between_core_and_vendor_violators
#line 748
} {
#line 748
  file_type
#line 748
  dev_type
#line 748
  -coredomain_socket
#line 748
  -core_data_file_type
#line 748
  -app_data_file_type
#line 748
  -unlabeled
#line 748
}:sock_file ~{ append getattr ioctl read write };
#line 748
#line 748
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 762
# On TREBLE devices, vendor and system components are only allowed to share
# files by passing open FDs over hwbinder. Ban all directory access and all file
# accesses other than what can be applied to an open FD such as
# ioctl/stat/read/write/append. This is enforced by segregating /data.
# Vendor domains may directly access file in /data/vendor by path, but may only
# access files outside of /data/vendor via an open FD passed over hwbinder.
# Likewise, core domains may only directly access files outside /data/vendor by
# path and files in /data/vendor by open FD.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 772
#line 772
# only coredomains may only access core_data_file_type, particularly not
#line 772
# /data/vendor
#line 772
# `~{ ... }` leaves exactly the FD-based operations (plus getattr/map) and
# denies path-based ones such as open/create/unlink.
neverallow {
#line 772
  coredomain
#line 772
  -appdomain # TODO(b/34980020) remove exemption for appdomain
#line 772
  -data_between_core_and_vendor_violators
#line 772
  -init
#line 772
  -vold_prepare_subdirs
#line 772
} {
#line 772
  data_file_type
#line 772
  -core_data_file_type
#line 772
  -app_data_file_type
#line 772
}:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } ~{ append getattr ioctl read write map };
#line 772
#line 772
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 786
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 787
#line 787
neverallow {
#line 787
  coredomain
#line 787
  -appdomain # TODO(b/34980020) remove exemption for appdomain
#line 787
  -data_between_core_and_vendor_violators
#line 787
  -init
#line 787
  -vold_prepare_subdirs
#line 787
} {
#line 787
  data_file_type
#line 787
  -core_data_file_type
#line 787
  -app_data_file_type
#line 787
  # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
#line 787
  # neverallow. Currently only getattr and search are allowed.
#line 787
  -vendor_data_file
#line 787
}:dir *;
#line 787
#line 787
#line 787
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 803
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 804
#line 804
# vendor domains may only access files in /data/vendor, never core_data_file_types
#line 804
neverallow {
#line 804
  domain
#line 804
  -appdomain # TODO(b/34980020) remove exemption for appdomain
#line 804
  -coredomain
#line 804
  -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
#line 804
  -vendor_init
#line 804
} {
#line 804
  core_data_file_type
#line 804
#line 804
}:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } ~{ append getattr ioctl read write map };
#line 804
# vendor_init is split out of the rule above only to carve out
# unencrypted_data_file, which the next rule then pins to read-only access.
neverallow {
#line 804
  vendor_init
#line 804
  -data_between_core_and_vendor_violators
#line 804
} {
#line 804
  core_data_file_type
#line 804
  -unencrypted_data_file
#line 804
#line 804
}:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } ~{ append getattr ioctl read write map };
#line 804
# vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
#line 804
# The vendor init binary lives on the system partition so there is not a concern with stability.
#line 804
neverallow vendor_init unencrypted_data_file:file ~{ getattr open read ioctl lock map watch watch_reads };
#line 804
#line 804
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 827
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 828
#line 828
# vendor domains may only access dirs in /data/vendor, never core_data_file_types
#line 828
neverallow {
#line 828
  domain
#line 828
  -appdomain # TODO(b/34980020) remove exemption for appdomain
#line 828
  -coredomain
#line 828
  -data_between_core_and_vendor_violators
#line 828
  -vendor_init
#line 828
} {
#line 828
  core_data_file_type
#line 828
  -system_data_file # default label for files on /data. Covered below...
#line 828
  -system_data_root_file
#line 828
  -vendor_userdir_file
#line 828
  -vendor_data_file
#line 828
#line 828
}:dir *;
#line 828
neverallow {
#line 828
  vendor_init
#line 828
  -data_between_core_and_vendor_violators
#line 828
} {
#line 828
  core_data_file_type
#line 828
  -unencrypted_data_file
#line 828
  -system_data_file
#line 828
  -system_data_root_file
#line 828
  -vendor_userdir_file
#line 828
  -vendor_data_file
#line 828
#line 828
}:dir *;
#line 828
# vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
#line 828
# The vendor init binary lives on the system partition so there is not a concern with stability.
#line 828
neverallow vendor_init unencrypted_data_file:dir ~search;
#line 828
#line 828
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 859
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 860
#line 860
# vendor domains may only access dirs in /data/vendor, never core_data_file_types
#line 860
# Traversal-only (getattr/search) on the default /data label, matching the
# baseline `allow domain system_data_file:dir` grants earlier in this file.
neverallow {
#line 860
  domain
#line 860
  -appdomain # TODO(b/34980020) remove exemption for appdomain
#line 860
  -coredomain
#line 860
  -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
#line 860
} {
#line 860
  system_data_file # default label for files on /data. Covered below
#line 860
}:dir ~{ getattr search };
#line 860
#line 860
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 870
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 872
#line 872
# coredomains may not access dirs in /data/vendor.
#line 872
neverallow {
#line 872
  coredomain
#line 872
  -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
#line 872
  -init
#line 872
  -vold # vold creates per-user storage for both system and vendor
#line 872
  -vold_prepare_subdirs
#line 872
} {
#line 872
  vendor_data_file # default label for files on /data.
Covered below #line 872 }:dir ~{ getattr search }; #line 872 #line 872 # END_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 883 # BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 885 #line 885 # coredomains may not access dirs in /data/vendor. #line 885 neverallow { #line 885 coredomain #line 885 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up #line 885 -init #line 885 } { #line 885 vendor_data_file # default label for files on /data/vendor{,_ce,_de}. #line 885 }:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } ~{ append getattr ioctl read write map }; #line 885 #line 885 # END_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 894 # BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 896 #line 896 # Non-vendor domains are not allowed to file execute shell #line 896 # from vendor #line 896 neverallow { #line 896 coredomain #line 896 -init #line 896 -shell #line 896 -ueventd #line 896 } vendor_shell_exec:file { execute execute_no_trans }; #line 896 #line 896 # END_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 905 # BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 907 #line 907 # Do not allow vendor components to execute files from system #line 907 # except for the ones allowed here. 
#line 907 neverallow { #line 907 domain #line 907 -coredomain #line 907 -appdomain #line 907 -vendor_executes_system_violators #line 907 -vendor_init #line 907 } { #line 907 system_file_type #line 907 -system_lib_file #line 907 -system_linker_exec #line 907 -crash_dump_exec #line 907 -netutils_wrapper_exec #line 907 #line 907 # Vendor components still can invoke shell commands via /system/bin/sh #line 907 -shell_exec #line 907 -toolbox_exec #line 907 }:file { entrypoint execute execute_no_trans }; #line 907 #line 907 # END_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 927 # BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 929 #line 929 # Do not allow coredomain to access entrypoint for files other #line 929 # than system_file_type and postinstall_file #line 929 neverallow coredomain { #line 929 file_type #line 929 -system_file_type #line 929 -postinstall_file #line 929 }:file entrypoint; #line 929 # Do not allow domains other than coredomain to access entrypoint #line 929 # for anything but vendor_file_type and init_exec for vendor_init. #line 929 neverallow { domain -coredomain } { #line 929 file_type #line 929 -vendor_file_type #line 929 -init_exec #line 929 }:file entrypoint; #line 929 #line 929 # END_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 944 # BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 946 #line 946 # Do not allow system components to execute files from vendor #line 946 # except for the ones allowed here. 
#line 946 neverallow { #line 946 coredomain #line 946 -init #line 946 -shell #line 946 -system_executes_vendor_violators #line 946 -ueventd #line 946 } { #line 946 vendor_file_type #line 946 -same_process_hal_file #line 946 -vndk_sp_file #line 946 -vendor_app_file #line 946 -vendor_public_framework_file #line 946 -vendor_public_lib_file #line 946 }:file execute; #line 946 #line 946 # END_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 963 # BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 965 #line 965 neverallow { #line 965 coredomain #line 965 -shell #line 965 -system_executes_vendor_violators #line 965 } { #line 965 vendor_file_type #line 965 -same_process_hal_file #line 965 }:file execute_no_trans; #line 965 #line 965 # END_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 974 # BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 976 #line 976 # Do not allow vendor components access to /system files except for the #line 976 # ones allowed here. #line 976 neverallow { #line 976 domain #line 976 -appdomain #line 976 -coredomain #line 976 -vendor_executes_system_violators #line 976 # vendor_init needs access to init_exec for domain transition. 
vendor_init #line 976 # neverallows are covered in public/vendor_init.te #line 976 -vendor_init #line 976 } { #line 976 system_file_type #line 976 -crash_dump_exec #line 976 -file_contexts_file #line 976 -netutils_wrapper_exec #line 976 -property_contexts_file #line 976 -system_event_log_tags_file #line 976 -system_group_file #line 976 -system_lib_file #line 976 #line 976 -system_linker_exec #line 976 -system_linker_config_file #line 976 -system_passwd_file #line 976 -system_seccomp_policy_file #line 976 -system_security_cacerts_file #line 976 -system_zoneinfo_file #line 976 -task_profiles_api_file #line 976 -task_profiles_file #line 976 #line 976 # Vendor components still can invoke shell commands via /system/bin/sh #line 976 -shell_exec #line 976 -toolbox_exec #line 976 }:file *; #line 976 #line 976 # END_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 1010 # Only system_server should be able to send commands via the zygote socket neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto; neverallow { domain -system_server } zygote_socket:sock_file write; neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto; neverallow { domain -system_server } webview_zygote:sock_file write; neverallow { domain -system_server } app_zygote:sock_file write; neverallow domain tombstoned_crash_socket:unix_stream_socket connectto; # Never allow anyone except dumpstate, incidentd, or the system server to connect or write to # the tombstoned intercept socket. neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write; neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto; # Never allow anyone but system_server to read heapdumps in /data/system/heapdump. neverallow { domain -init -system_server } heapdump_data_file:file read; # Android does not support System V IPCs. 
# # The reason for this is due to the fact that, by design, they lead to global # kernel resource leakage. # # For example, there is no way to automatically release a SysV semaphore # allocated in the kernel when: # # - a buggy or malicious process exits # - a non-buggy and non-malicious process crashes or is explicitly killed. # # Killing processes automatically to make room for new ones is an # important part of Android's application lifecycle implementation. This means # that, even assuming only non-buggy and non-malicious code, it is very likely # that over time, the kernel global tables used to implement SysV IPCs will fill # up. neverallow * *:{ shm sem msg msgq } *; # Do not mount on top of symlinks, fifos, or sockets. # Feature parity with Chromium LSM. neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton; # Nobody should be able to execute su on user builds. # On userdebug/eng builds, only dumpstate, shell, and # su itself execute su. neverallow { domain } su_exec:file { execute execute_no_trans }; # Do not allow the introduction of new execmod rules. Text relocations # and modification of executable pages are unsafe. # The only exceptions are for NDK text relocations associated with # https://code.google.com/p/android/issues/detail?id=23203 # which, long term, need to go away. neverallow * { file_type -apk_data_file -app_data_file -asec_public_file }:file execmod; # Do not allow making the stack or heap executable. # We would also like to minimize execmem but it seems to be # required by some device-specific service domains. neverallow * self:process { execstack execheap }; # Do not allow the introduction of new execmod rules. Text relocations # and modification of executable pages are unsafe. 
neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod; neverallow { domain -init } proc:{ file dir } mounton; neverallow { domain -init -zygote } proc_type:{ file dir } mounton; # Ensure that all types assigned to processes are included # in the domain attribute, so that all allow and neverallow rules # written on domain are applied to all processes. # This is achieved by ensuring that it is impossible to transition # from a domain to a non-domain type and vice versa. # TODO - rework this: neverallow domain ~domain:process { transition dyntransition }; neverallow ~domain domain:process { transition dyntransition }; # # Only system_app and system_server should be creating or writing # their files. The proper way to share files is to setup # type transitions to a more specific type or assigning a type # to its parent directory via a file_contexts entry. # Example type transition: # mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type) # neverallow { domain -system_server -system_app -init -toolbox # TODO(b/141108496) We want to remove toolbox -installd # for relabelfrom and unlink, check for this in explicit neverallow -vold_prepare_subdirs # For unlink } system_data_file:file { append create link unlink relabelfrom rename setattr write }; # do not grant anything greater than r_file_perms and relabelfrom unlink # to installd neverallow installd system_data_file:file ~{ { getattr open read ioctl lock map watch watch_reads } relabelfrom unlink }; # # Only these domains should transition to shell domain. This domain is # permissible for the "shell user". If you need a process to exec a shell # script with differing privilege, define a domain and set up a transition. # neverallow { domain -adbd -init -runas -zygote } shell:process { transition dyntransition }; # Only domains spawned from zygote, runas and simpleperf_app_runner may have # the appdomain attribute. 
simpleperf is excluded as a domain transitioned to # when running an app-scoped profiling session. neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } { appdomain -shell -simpleperf }:process { transition dyntransition }; # Minimize read access to shell- or app-writable symlinks. # This is to prevent malicious symlink attacks. neverallow { domain -appdomain -artd -installd } { app_data_file privapp_data_file }:lnk_file read; neverallow { domain -shell -installd } shell_data_file:lnk_file read; # servicemanager and vndservicemanager are the only processes which handle the # service_manager list request neverallow * ~{ servicemanager vndservicemanager }:service_manager list; # hwservicemanager is the only process which handles hw list requests neverallow * ~{ hwservicemanager }:hwservice_manager list; # only service_manager_types can be added to service_manager # TODO - rework this: neverallow * ~service_manager_type:service_manager { add find }; # Prevent assigning non property types to properties # TODO - rework this: neverallow * ~property_type:property_service set; # Domain types should never be assigned to any files other # than the /proc/pid files associated with a process. The # executable file used to enter a domain should be labeled # with its own _exec type, not with the domain type. # Conventionally, this looks something like: # $ cat mydaemon.te # type mydaemon, domain; # type mydaemon_exec, exec_type, file_type; # init_daemon_domain(mydaemon) # $ grep mydaemon file_contexts # /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0 neverallow * domain:file { execute execute_no_trans entrypoint }; # Do not allow access to the generic debugfs label. This is too broad. # Instead, if access to part of debugfs is desired, it should have a # more specific label. 
# TODO: fix dumpstate neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; # Do not allow executable files in debugfs. neverallow domain debugfs_type:file { execute execute_no_trans }; # Don't allow access to the FUSE control filesystem, except to vold and init's neverallow { domain -vold -init -vendor_init } fusectlfs:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; # Profiles contain untrusted data and profman parses that. We should only run # it from installd and artd forked processes. neverallow { domain -installd -profman -artd } profman_exec:file { execute execute_no_trans }; # Enforce restrictions on kernel module origin. # Do not allow kernel module loading except from system, # vendor, boot, and system_dlkm partitions. # TODO(b/218951883): Remove usage of system and rootfs as origin neverallow * ~{ system_file_type vendor_file_type rootfs system_dlkm_file_type }:system module_load; # Only allow filesystem caps to be set at build time. Runtime changes # to filesystem capabilities are not permitted. neverallow * self:{ capability cap_userns } setfcap; # Enforce AT_SECURE for executing crash_dump. neverallow domain crash_dump:process noatsecure; # Do not permit non-core domains to register HwBinder services which are # guaranteed to be provided by core domains only. neverallow ~coredomain coredomain_hwservice:hwservice_manager add; # Do not permit the registeration of HwBinder services which are guaranteed to # be passthrough only (i.e., run in the process of their clients instead of a # separate server process). neverallow * same_process_hwservice:hwservice_manager add; # If an already existing file is opened with O_CREAT, the kernel might generate # a false report of a create denial. 
Silence these denials and make sure that # inappropriate permissions are not granted. # These filesystems don't allow files or directories to be created, so the permission # to do so should never be granted. neverallow domain { proc_type sysfs_type }:dir { add_name create link remove_name rename reparent rmdir write }; # cgroupfs directories can be created, but not files within them. neverallow domain cgroup:file create; neverallow domain cgroup_v2:file create; dontaudit domain proc_type:dir write; dontaudit domain sysfs_type:dir write; dontaudit domain cgroup:file create; dontaudit domain cgroup_v2:file create; # These are only needed in permissive mode - in enforcing mode the # directory write check fails and so these are never attempted. #line 1248 # Platform must not have access to /mnt/vendor. neverallow { coredomain -init -ueventd -vold -system_writes_mnt_vendor_violators } mnt_vendor_file:dir *; # Only apps are allowed access to vendor public libraries. # BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 1260 #line 1260 neverallow { #line 1260 coredomain #line 1260 -appdomain #line 1260 } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans }; #line 1260 #line 1260 # END_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 1265 # Vendor domian must not have access to /mnt/product. neverallow { domain -coredomain } mnt_product_file:dir *; # Platform must not have access to sysfs_batteryinfo, but should do it via health HAL # BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 1274 #line 1274 neverallow { #line 1274 coredomain #line 1274 -shell #line 1274 # For access to block device information under /sys/class/block. #line 1274 -apexd #line 1274 # Read sysfs block device information. #line 1274 -init #line 1274 # Generate uevents for health info #line 1274 -ueventd #line 1274 # Recovery uses health HAL passthrough implementation. 
#line 1274 -recovery #line 1274 # Charger uses health HAL passthrough implementation. #line 1274 -charger #line 1274 # TODO(b/110891300): remove this exception #line 1274 -incidentd #line 1274 } sysfs_batteryinfo:file { open read }; #line 1274 #line 1274 # END_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 1291 neverallow { domain -hal_codec2_server -hal_omx_server } hal_codec2_hwservice:hwservice_manager add; # Only apps targetting < Q are allowed to open /dev/ashmem directly. # Apps must use ASharedMemory NDK API. Native code must use libcutils API. neverallow { domain -ephemeral_app # We don't distinguish ephemeral apps based on target API. -untrusted_app_25 -untrusted_app_27 } ashmem_device:chr_file open; neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *; #line 1 "system/sepolicy/public/drmserver.te" # drmserver - DRM service type drmserver, domain; type drmserver_exec, system_file_type, exec_type, file_type; typeattribute drmserver mlstrustedsubject; #line 7 typeattribute drmserver netdomain; #line 7 # Perform Binder IPC to system server. #line 10 # Call the servicemanager and transfer references to it. #line 10 allow drmserver servicemanager:binder { call transfer }; #line 10 # Allow servicemanager to send out callbacks #line 10 allow servicemanager drmserver:binder { call transfer }; #line 10 # servicemanager performs getpidcon on clients. #line 10 allow servicemanager drmserver:dir search; #line 10 allow servicemanager drmserver:file { read open }; #line 10 allow servicemanager drmserver:process getattr; #line 10 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 10 # all domains in domain.te. #line 10 #line 11 # Call the server domain and optionally transfer references to it. #line 11 allow drmserver system_server:binder { call transfer }; #line 11 # Allow the serverdomain to transfer references to the client on the reply. 
#line 11 allow system_server drmserver:binder transfer; #line 11 # Receive and use open files from the server. #line 11 allow drmserver system_server:fd use; #line 11 #line 12 # Call the server domain and optionally transfer references to it. #line 12 allow drmserver appdomain:binder { call transfer }; #line 12 # Allow the serverdomain to transfer references to the client on the reply. #line 12 allow appdomain drmserver:binder transfer; #line 12 # Receive and use open files from the server. #line 12 allow drmserver appdomain:fd use; #line 12 #line 13 # Call the server domain and optionally transfer references to it. #line 13 allow drmserver mediametrics:binder { call transfer }; #line 13 # Allow the serverdomain to transfer references to the client on the reply. #line 13 allow mediametrics drmserver:binder transfer; #line 13 # Receive and use open files from the server. #line 13 allow drmserver mediametrics:fd use; #line 13 #line 14 typeattribute drmserver binderservicedomain; #line 14 # Inherit or receive open files from system_server. allow drmserver system_server:fd use; # Perform Binder IPC to mediaserver #line 19 # Call the server domain and optionally transfer references to it. #line 19 allow drmserver mediaserver:binder { call transfer }; #line 19 # Allow the serverdomain to transfer references to the client on the reply. #line 19 allow mediaserver drmserver:binder transfer; #line 19 # Receive and use open files from the server. 
#line 19 allow drmserver mediaserver:fd use; #line 19 allow drmserver { sdcard_type fuse }:dir search; allow drmserver drm_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow drmserver drm_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow drmserver { app_data_file privapp_data_file }:file { read write getattr map }; allow drmserver { sdcard_type fuse }:file { read write getattr map }; #line 26 allow drmserver efs_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 26 allow drmserver efs_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 26 type drmserver_socket, file_type; # /data/app/tlcd_sock socket file. # Clearly, /data/app is the most logical place to create a socket. Not. allow drmserver apk_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; auditallow drmserver apk_data_file:dir { add_name write }; allow drmserver drmserver_socket:sock_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; auditallow drmserver drmserver_socket:sock_file create; # Delete old socket file if present. allow drmserver apk_data_file:sock_file unlink; # After taking a video, drmserver looks at the video file. #line 40 allow drmserver media_rw_data_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 40 allow drmserver media_rw_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 40 # Read resources from open apk files passed over Binder. 
allow drmserver apk_data_file:file { read getattr map }; allow drmserver asec_apk_file:file { read getattr map }; allow drmserver ringtone_file:file { read getattr map }; # Read /data/data/com.android.providers.telephony files passed over Binder. allow drmserver radio_data_file:file { read getattr map }; # /oem access allow drmserver oemfs:dir search; allow drmserver oemfs:file { getattr open read ioctl lock map watch watch_reads }; # overlay package access allow drmserver vendor_overlay_file:file { read map }; #line 57 allow drmserver drmserver_service:service_manager { add find }; #line 57 neverallow { domain -drmserver } drmserver_service:service_manager add; #line 57 #line 57 # On debug builds with root, allow binder services to use binder over TCP. #line 57 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 57 #line 57 allow drmserver permission_service:service_manager find; allow drmserver mediametrics_service:service_manager find; #line 61 #line 61 allow drmserver selinuxfs:dir { open getattr read search ioctl lock watch watch_reads }; #line 61 allow drmserver selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 61 #line 61 allow drmserver selinuxfs:file { open append write lock map }; #line 61 allow drmserver kernel:security compute_av; #line 61 allow drmserver self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; #line 61 #line 63 allow drmserver cgroup:dir { open getattr read search ioctl lock watch watch_reads }; #line 63 allow drmserver cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 63 #line 64 allow drmserver cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads }; #line 64 allow drmserver cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 64 #line 65 allow drmserver 
system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 65 allow drmserver system_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 65 #line 1 "system/sepolicy/public/dumpstate.te" # dumpstate type dumpstate, domain, mlstrustedsubject; type dumpstate_exec, system_file_type, exec_type, file_type; #line 5 typeattribute dumpstate netdomain; #line 5 #line 6 # Call the servicemanager and transfer references to it. #line 6 allow dumpstate servicemanager:binder { call transfer }; #line 6 # Allow servicemanager to send out callbacks #line 6 allow servicemanager dumpstate:binder { call transfer }; #line 6 # servicemanager performs getpidcon on clients. #line 6 allow servicemanager dumpstate:dir search; #line 6 allow servicemanager dumpstate:file { read open }; #line 6 allow servicemanager dumpstate:process getattr; #line 6 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 6 # all domains in domain.te. #line 6 #line 7 # TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is #line 7 # deprecated. #line 7 # Access /sys/power/wake_lock and /sys/power/wake_unlock #line 7 allow dumpstate sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; #line 7 # Accessing these files requires CAP_BLOCK_SUSPEND #line 7 allow dumpstate self:{ capability2 cap2_userns } block_suspend; #line 7 # system_suspend permissions #line 7 #line 7 # Call the server domain and optionally transfer references to it. #line 7 allow dumpstate system_suspend_server:binder { call transfer }; #line 7 # Allow the serverdomain to transfer references to the client on the reply. #line 7 allow system_suspend_server dumpstate:binder transfer; #line 7 # Receive and use open files from the server. 
#line 7 allow dumpstate system_suspend_server:fd use; #line 7 #line 7 allow dumpstate system_suspend_hwservice:hwservice_manager find; #line 7 # halclientdomain permissions #line 7 #line 7 # Call the hwservicemanager and transfer references to it. #line 7 allow dumpstate hwservicemanager:binder { call transfer }; #line 7 # Allow hwservicemanager to send out callbacks #line 7 allow hwservicemanager dumpstate:binder { call transfer }; #line 7 # hwservicemanager performs getpidcon on clients. #line 7 allow hwservicemanager dumpstate:dir search; #line 7 allow hwservicemanager dumpstate:file { read open map }; #line 7 allow hwservicemanager dumpstate:process getattr; #line 7 # rw access to /dev/hwbinder and /dev/ashmem is presently granted to #line 7 # all domains in domain.te. #line 7 #line 7 #line 7 allow dumpstate hwservicemanager_prop:file { getattr open read map }; #line 7 #line 7 allow dumpstate hidl_manager_hwservice:hwservice_manager find; #line 7 # AIDL suspend hal permissions #line 7 allow dumpstate hal_system_suspend_service:service_manager find; #line 7 #line 7 # Call the servicemanager and transfer references to it. #line 7 allow dumpstate servicemanager:binder { call transfer }; #line 7 # Allow servicemanager to send out callbacks #line 7 allow servicemanager dumpstate:binder { call transfer }; #line 7 # servicemanager performs getpidcon on clients. #line 7 allow servicemanager dumpstate:dir search; #line 7 allow servicemanager dumpstate:file { read open }; #line 7 allow servicemanager dumpstate:process getattr; #line 7 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 7 # all domains in domain.te. 
# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID.
# NOTE(review): capabilities are process-wide and not tied to a purpose.
# CAP_SETUID/CAP_SETGID permit switching to ANY uid/gid, not only downward;
# the policy relies on the dumpstate binary to use them solely to drop
# privilege. Granted for both the init userns (capability) and non-init
# user namespaces (cap_userns).
allow dumpstate self:{ capability cap_userns } { setuid setgid sys_resource };

# dumpstate.te:14 -- r_dir_file(dumpstate, domain)
# Allow dumpstate to scan through /proc/pid for all processes. The target is
# the `domain` attribute, so this is read access to the /proc/<pid> entries
# of every process on the device (those entries carry the owning process's
# domain label). The kernel's own ptrace_may_access() checks still gate the
# sensitive entries (mem, maps, environ) independently of this rule.
allow dumpstate domain:dir { open getattr read search ioctl lock watch watch_reads };
allow dumpstate domain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };

allow dumpstate self:{ capability cap_userns } {
  # Send signals to processes owned by other uids. CAP_KILL lifts the DAC
  # uid check only; which signals may reach which domains is still bounded
  # by the process-class `signal` rules later in this file.
  kill
  # Run iptables
  net_raw
  net_admin
};

# Allow executing files on system, such as:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
# execute_no_trans means these binaries run IN the dumpstate domain, with every
# capability granted in this file and no domain transition to confine them.
# Note that vendor_file (i.e. /vendor binaries) is included, so vendor code can
# be executed with dumpstate's system-side privileges.
allow dumpstate system_file:file execute_no_trans;
allow dumpstate vendor_file:file execute_no_trans;
allow dumpstate toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };

# hidl searches for files in /system/lib(64)/hw/
allow dumpstate system_file:dir { open getattr read search ioctl lock watch watch_reads };

# Create and write into /data/anr/
# NOTE(review): the capabilities on the next line are not scoped to
# anr_data_file -- they apply to every object dumpstate can otherwise reach
# under SELinux. dac_override bypasses DAC mode bits for read AND write;
# dac_read_search is the read-only subset. If /data/anr can be handled with
# dac_read_search + chown/fowner/fsetid alone, dropping dac_override would be
# a meaningful reduction. (TODO confirm against dumpstate's anr handling.)
allow dumpstate self:{ capability cap_userns } { dac_override dac_read_search chown fowner fsetid };
allow dumpstate anr_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow dumpstate anr_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };

# Allow reading /data/system/uiderrors.txt
# TODO: scope this down.
# system_data_file is a broad label (presumably the fallback type for much of
# /data), so this rule reads far more than uiderrors.txt. A dedicated file
# type for that file would close the gap the TODO describes.
allow dumpstate system_data_file:file { getattr open read ioctl lock map watch watch_reads };

# Allow dumpstate to append into apps' private files.
# Allow dumpstate to append into apps' private files.
# Only `append` is granted -- not `open`, `write` or `create` -- so dumpstate
# cannot open these files itself. This covers writing to descriptors that an
# app has already opened and passed over binder (see the
# `appdomain ... :fd use` rule later in this file). Such descriptors are
# untrusted input and should be validated before use.
allow dumpstate { privapp_data_file app_data_file }:file append;

# Read dmesg. Whatever the kernel has logged (including any addresses it
# prints) ends up in the bugreport; dmesg_restrict/kptr_restrict are the
# controls for that, not SELinux.
allow dumpstate self:{ capability2 cap2_userns } syslog;
allow dumpstate kernel:system syslog_read;

# Read /sys/fs/pstore/console-ramoops (previous-boot console log), read-only.
allow dumpstate pstorefs:dir { open getattr read search ioctl lock watch watch_reads };
allow dumpstate pstorefs:file { getattr open read ioctl lock map watch watch_reads };

# Get process attributes (stat-style process info) for every domain.
allow dumpstate domain:process getattr;

# Signal java processes to dump their stack.
# `signal` is the generic signal permission. SIGKILL, SIGSTOP and SIGCHLD
# have their own permissions (sigkill, sigstop, sigchld), which are NOT
# granted here, so this rule does not let dumpstate kill or stop these
# processes.
allow dumpstate { appdomain system_server zygote app_zygote }:process signal;

# Signal native processes to dump their stack (same `signal`-only bound).
allow dumpstate {
  # This list comes from native_processes_to_dump in dumputils/dump_utils.c
  audioserver cameraserver drmserver inputflinger mediadrmserver mediaextractor
  mediametrics mediaserver mediaswcodec sdcardd surfaceflinger vold
  # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
  evsmanagerd hal_audio_server hal_audiocontrol_server hal_bluetooth_server
  hal_broadcastradio_server hal_camera_server hal_codec2_server hal_drm_server
  hal_evs_server hal_face_server hal_fingerprint_server
  hal_graphics_allocator_server hal_graphics_composer_server hal_health_server
  hal_input_processor_server hal_neuralnetworks_server hal_omx_server
  hal_power_server hal_power_stats_server hal_sensors_server hal_thermal_server
  hal_vehicle_server hal_vr_server system_suspend_server
}:process signal;

# dumpstate.te:105 -- Connect to tombstoned to intercept dumps
# (unix-socket connect: write on the socket file plus connectto on the
# listening stream socket).
allow dumpstate tombstoned_intercept_socket:sock_file write;
allow dumpstate tombstoned:unix_stream_socket connectto;

# Access to /sys.
# Directory traversal/listing is allowed on EVERY sysfs label (the sysfs_type
# attribute), but file reads only on the five block/dm/loop/usb/zram labels.
# Other sysfs files are not readable via this rule; denials on the generic
# `sysfs` label are silenced by the dontaudit that follows in the file.
allow dumpstate sysfs_type:dir { open getattr read search ioctl lock watch watch_reads };
allow dumpstate { sysfs_devices_block sysfs_dm sysfs_loop sysfs_usb sysfs_zram }:file { getattr open read ioctl lock map watch watch_reads };
# Ignore other file access under /sys.
# dontaudit grants nothing: it only suppresses AVC denial records for read
# attempts on the generic `sysfs` label that dumpstate makes while walking
# /sys. Side effect: a genuine new need for a sysfs file will not appear in
# the denial log -- keep this in mind when debugging gaps in bugreports.
dontaudit dumpstate sysfs:file { getattr open read ioctl lock map watch watch_reads };

# Other random bits of data we want to collect
# dumpstate.te:122 -- debugfs read access, paired with an auditallow. The
# auditallow logs every SUCCESSFUL use of the rule; that record is the
# evidence maintainers need to decide whether the access can be removed
# (debugfs exposes a great deal of kernel-internal state).
allow dumpstate debugfs:file { getattr open read ioctl lock map watch watch_reads };
auditallow dumpstate debugfs:file { getattr open read ioctl lock map watch watch_reads };
allow dumpstate debugfs_mmc:file { getattr open read ioctl lock map watch watch_reads };

# dumpstate.te:127 -- df for the listed mount points: stat()/statfs() only
# (dir search + getattr; no directory read, no file access).
allow dumpstate { block_device cache_file metadata_file rootfs selinuxfs storage_file tmpfs }:dir { search getattr };
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
allow dumpstate { cache_file rootfs }:lnk_file { getattr read };

# dumpstate.te:144-145 -- Read /dev/cpuctl and /dev/cpuset (cgroup v1 and v2
# hierarchies), read-only.
allow dumpstate cgroup:dir { open getattr read search ioctl lock watch watch_reads };
allow dumpstate cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
allow dumpstate cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
allow dumpstate cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };

# dumpstate.te:148 -- Allow dumpstate to make binder calls to any binder
# service (binder_call(dumpstate, binderservicedomain)). This is what backs
# `dumpsys`: dumpstate may invoke dump() -- and, as far as SELinux is
# concerned, any other transaction -- on every service carrying the
# binderservicedomain attribute. Per-transaction authorization is left to
# each service's own permission checks.
# Call the server domain and optionally transfer references to it.
allow dumpstate binderservicedomain:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow binderservicedomain dumpstate:binder transfer;
# Receive and use open files from the server.
allow dumpstate binderservicedomain:fd use;

# dumpstate.te:149 -- binder_call(dumpstate, { appdomain artd netd wificond }).
# appdomain covers every installed app, so this permits binder calls into
# (and, via the reverse rule on the next line of the file, reference transfer
# from) untrusted app processes.
# Call the server domain and optionally transfer references to it.
allow dumpstate { appdomain artd netd wificond }:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
# dumpstate.te:149 (continued) -- reverse half of binder_call().
allow { appdomain artd netd wificond } dumpstate:binder transfer;
# Receive and use open files from the server.
# NOTE(review): together with the transfer rule above, any app may hand
# dumpstate an open descriptor. dumpstate must check what it received (fd
# type, open flags, target) before reading from or writing to it; SELinux
# only gates the handover, not how the descriptor is used afterwards.
allow dumpstate { appdomain artd netd wificond }:fd use;

# Allow dumpstate to call dump() on specific hals.
#
# dumpstate.te:152-185 -- hal_client_domain(dumpstate, hal_<name>), expanded
# once per HAL. Every block is the same template with the HAL name
# substituted; read the first one and the rest follow. Each block grants:
#   typeattribute dumpstate halclientdomain;     -- generic HAL-client rules
#   typeattribute dumpstate hal_<name>_client;   -- client side of this HAL
#   typeattribute dumpstate hal_<name>;          -- passthrough mode: dumpstate
#       becomes a member of the HAL attribute ITSELF, so every rule written
#       for `hal_<name>` anywhere in the policy also applies to dumpstate.
#   allow hal_<name> system_file:dir / vendor_file:dir r_dir_perms and
#       vendor_file:file { read open getattr execute map }
#                                                -- locate and load vendor .so's
#   allow hal_<name>_server dumpstate:fifo_file write; ...:fd use
#                                                -- the HAL server writes its
#       dump() output into a pipe that dumpstate owns.
#
# Cumulative effect: dumpstate carries the union of the 33 hal_* attributes
# expanded below (plus hal_weaver, whose expansion starts at the end of this
# chunk), including key- and secret-handling HALs -- hal_keymint,
# hal_authsecret, hal_authgraph, hal_secretkeeper, hal_oemlock,
# hal_rebootescrow, hal_identity, hal_weaver. The permissions those attributes
# carry are defined in their own .te files, not here; any rule later added to
# one of them is inherited by dumpstate until TODO(b/34170079) is resolved.
#
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
# non-Treble devices. For now, on non-Treble device, always grant clients of a
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
# (This TODO is repeated verbatim for every HAL in the expansion; it is
# stated once here.)
#
# The lone `;` in each block is an empty statement left behind by the macro
# expansion and is kept verbatim.

# dumpstate.te:152 -- hal_client_domain(dumpstate, hal_audio)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_audio_client;
typeattribute dumpstate hal_audio;
# Find passthrough HAL implementations
allow hal_audio system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_audio vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_audio vendor_file:file { read open getattr execute map };
;
allow hal_audio_server dumpstate:fifo_file write;
allow hal_audio_server dumpstate:fd use;

# dumpstate.te:153 -- hal_client_domain(dumpstate, hal_audiocontrol)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_audiocontrol_client;
typeattribute dumpstate hal_audiocontrol;
# Find passthrough HAL implementations
allow hal_audiocontrol system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_audiocontrol vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_audiocontrol vendor_file:file { read open getattr execute map };
;
allow hal_audiocontrol_server dumpstate:fifo_file write;
allow hal_audiocontrol_server dumpstate:fd use;

# dumpstate.te:154 -- hal_client_domain(dumpstate, hal_authgraph)
# (key-agreement HAL; see the attribute-inheritance caveat above)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_authgraph_client;
typeattribute dumpstate hal_authgraph;
# Find passthrough HAL implementations
allow hal_authgraph system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_authgraph vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_authgraph vendor_file:file { read open getattr execute map };
;
allow hal_authgraph_server dumpstate:fifo_file write;
allow hal_authgraph_server dumpstate:fd use;

# dumpstate.te:155 -- hal_client_domain(dumpstate, hal_authsecret)
# (auth-secret HAL; see the attribute-inheritance caveat above)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_authsecret_client;
typeattribute dumpstate hal_authsecret;
# Find passthrough HAL implementations
allow hal_authsecret system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_authsecret vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_authsecret vendor_file:file { read open getattr execute map };
;
allow hal_authsecret_server dumpstate:fifo_file write;
allow hal_authsecret_server dumpstate:fd use;

# dumpstate.te:156 -- hal_client_domain(dumpstate, hal_bluetooth)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_bluetooth_client;
typeattribute dumpstate hal_bluetooth;
# Find passthrough HAL implementations
allow hal_bluetooth system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_bluetooth vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_bluetooth vendor_file:file { read open getattr execute map };
;
allow hal_bluetooth_server dumpstate:fifo_file write;
allow hal_bluetooth_server dumpstate:fd use;

# dumpstate.te:157 -- hal_client_domain(dumpstate, hal_broadcastradio)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_broadcastradio_client;
typeattribute dumpstate hal_broadcastradio;
# Find passthrough HAL implementations
allow hal_broadcastradio system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_broadcastradio vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_broadcastradio vendor_file:file { read open getattr execute map };
;
allow hal_broadcastradio_server dumpstate:fifo_file write;
allow hal_broadcastradio_server dumpstate:fd use;

# dumpstate.te:158 -- hal_client_domain(dumpstate, hal_camera)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_camera_client;
typeattribute dumpstate hal_camera;
# Find passthrough HAL implementations
allow hal_camera system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_camera vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_camera vendor_file:file { read open getattr execute map };
;
allow hal_camera_server dumpstate:fifo_file write;
allow hal_camera_server dumpstate:fd use;

# dumpstate.te:159 -- hal_client_domain(dumpstate, hal_codec2)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_codec2_client;
typeattribute dumpstate hal_codec2;
# Find passthrough HAL implementations
allow hal_codec2 system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_codec2 vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_codec2 vendor_file:file { read open getattr execute map };
;
allow hal_codec2_server dumpstate:fifo_file write;
allow hal_codec2_server dumpstate:fd use;

# dumpstate.te:160 -- hal_client_domain(dumpstate, hal_contexthub)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_contexthub_client;
typeattribute dumpstate hal_contexthub;
# Find passthrough HAL implementations
allow hal_contexthub system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_contexthub vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_contexthub vendor_file:file { read open getattr execute map };
;
allow hal_contexthub_server dumpstate:fifo_file write;
allow hal_contexthub_server dumpstate:fd use;

# dumpstate.te:161 -- hal_client_domain(dumpstate, hal_drm)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_drm_client;
typeattribute dumpstate hal_drm;
# Find passthrough HAL implementations
allow hal_drm system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_drm vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_drm vendor_file:file { read open getattr execute map };
;
allow hal_drm_server dumpstate:fifo_file write;
allow hal_drm_server dumpstate:fd use;

# dumpstate.te:162 -- hal_client_domain(dumpstate, hal_dumpstate)
# (the vendor-side dumpstate HAL, which contributes vendor data to the report)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_dumpstate_client;
typeattribute dumpstate hal_dumpstate;
# Find passthrough HAL implementations
allow hal_dumpstate system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_dumpstate vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_dumpstate vendor_file:file { read open getattr execute map };
;
allow hal_dumpstate_server dumpstate:fifo_file write;
allow hal_dumpstate_server dumpstate:fd use;

# dumpstate.te:163 -- hal_client_domain(dumpstate, hal_evs)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_evs_client;
typeattribute dumpstate hal_evs;
# Find passthrough HAL implementations
allow hal_evs system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_evs vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_evs vendor_file:file { read open getattr execute map };
;
allow hal_evs_server dumpstate:fifo_file write;
allow hal_evs_server dumpstate:fd use;

# dumpstate.te:164 -- hal_client_domain(dumpstate, hal_face)
# (biometric HAL)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_face_client;
typeattribute dumpstate hal_face;
# Find passthrough HAL implementations
allow hal_face system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_face vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_face vendor_file:file { read open getattr execute map };
;
allow hal_face_server dumpstate:fifo_file write;
allow hal_face_server dumpstate:fd use;

# dumpstate.te:165 -- hal_client_domain(dumpstate, hal_fingerprint)
# (biometric HAL)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_fingerprint_client;
typeattribute dumpstate hal_fingerprint;
# Find passthrough HAL implementations
allow hal_fingerprint system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_fingerprint vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_fingerprint vendor_file:file { read open getattr execute map };
;
allow hal_fingerprint_server dumpstate:fifo_file write;
allow hal_fingerprint_server dumpstate:fd use;

# dumpstate.te:166 -- hal_client_domain(dumpstate, hal_gnss)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_gnss_client;
typeattribute dumpstate hal_gnss;
# Find passthrough HAL implementations
allow hal_gnss system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_gnss vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_gnss vendor_file:file { read open getattr execute map };
;
allow hal_gnss_server dumpstate:fifo_file write;
allow hal_gnss_server dumpstate:fd use;

# dumpstate.te:167 -- hal_client_domain(dumpstate, hal_graphics_allocator)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_graphics_allocator_client;
typeattribute dumpstate hal_graphics_allocator;
# Find passthrough HAL implementations
allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_graphics_allocator vendor_file:file { read open getattr execute map };
;
allow hal_graphics_allocator_server dumpstate:fifo_file write;
allow hal_graphics_allocator_server dumpstate:fd use;

# dumpstate.te:168 -- hal_client_domain(dumpstate, hal_graphics_composer)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_graphics_composer_client;
typeattribute dumpstate hal_graphics_composer;
# Find passthrough HAL implementations
allow hal_graphics_composer system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_graphics_composer vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_graphics_composer vendor_file:file { read open getattr execute map };
;
allow hal_graphics_composer_server dumpstate:fifo_file write;
allow hal_graphics_composer_server dumpstate:fd use;

# dumpstate.te:169 -- hal_client_domain(dumpstate, hal_health)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_health_client;
typeattribute dumpstate hal_health;
# Find passthrough HAL implementations
allow hal_health system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_health vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_health vendor_file:file { read open getattr execute map };
;
allow hal_health_server dumpstate:fifo_file write;
allow hal_health_server dumpstate:fd use;

# dumpstate.te:170 -- hal_client_domain(dumpstate, hal_identity)
# (identity-credential HAL; see the attribute-inheritance caveat above)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_identity_client;
typeattribute dumpstate hal_identity;
# Find passthrough HAL implementations
allow hal_identity system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_identity vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_identity vendor_file:file { read open getattr execute map };
;
allow hal_identity_server dumpstate:fifo_file write;
allow hal_identity_server dumpstate:fd use;

# dumpstate.te:171 -- hal_client_domain(dumpstate, hal_input_processor)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_input_processor_client;
typeattribute dumpstate hal_input_processor;
# Find passthrough HAL implementations
allow hal_input_processor system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_input_processor vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_input_processor vendor_file:file { read open getattr execute map };
;
allow hal_input_processor_server dumpstate:fifo_file write;
allow hal_input_processor_server dumpstate:fd use;

# dumpstate.te:172 -- hal_client_domain(dumpstate, hal_keymint)
# (key-management HAL; see the attribute-inheritance caveat above)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_keymint_client;
typeattribute dumpstate hal_keymint;
# Find passthrough HAL implementations
allow hal_keymint system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_keymint vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_keymint vendor_file:file { read open getattr execute map };
;
allow hal_keymint_server dumpstate:fifo_file write;
allow hal_keymint_server dumpstate:fd use;

# dumpstate.te:173 -- hal_client_domain(dumpstate, hal_light)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_light_client;
typeattribute dumpstate hal_light;
# Find passthrough HAL implementations
allow hal_light system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_light vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_light vendor_file:file { read open getattr execute map };
;
allow hal_light_server dumpstate:fifo_file write;
allow hal_light_server dumpstate:fd use;

# dumpstate.te:174 -- hal_client_domain(dumpstate, hal_memtrack)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_memtrack_client;
typeattribute dumpstate hal_memtrack;
# Find passthrough HAL implementations
allow hal_memtrack system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_memtrack vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_memtrack vendor_file:file { read open getattr execute map };
;
allow hal_memtrack_server dumpstate:fifo_file write;
allow hal_memtrack_server dumpstate:fd use;

# dumpstate.te:175 -- hal_client_domain(dumpstate, hal_neuralnetworks)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_neuralnetworks_client;
typeattribute dumpstate hal_neuralnetworks;
# Find passthrough HAL implementations
allow hal_neuralnetworks system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_neuralnetworks vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_neuralnetworks vendor_file:file { read open getattr execute map };
;
allow hal_neuralnetworks_server dumpstate:fifo_file write;
allow hal_neuralnetworks_server dumpstate:fd use;

# dumpstate.te:176 -- hal_client_domain(dumpstate, hal_nfc)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_nfc_client;
typeattribute dumpstate hal_nfc;
# Find passthrough HAL implementations
allow hal_nfc system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_nfc vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_nfc vendor_file:file { read open getattr execute map };
;
allow hal_nfc_server dumpstate:fifo_file write;
allow hal_nfc_server dumpstate:fd use;

# dumpstate.te:177 -- hal_client_domain(dumpstate, hal_oemlock)
# (bootloader-lock HAL; see the attribute-inheritance caveat above)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_oemlock_client;
typeattribute dumpstate hal_oemlock;
# Find passthrough HAL implementations
allow hal_oemlock system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_oemlock vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_oemlock vendor_file:file { read open getattr execute map };
;
allow hal_oemlock_server dumpstate:fifo_file write;
allow hal_oemlock_server dumpstate:fd use;

# dumpstate.te:178 -- hal_client_domain(dumpstate, hal_power)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_power_client;
typeattribute dumpstate hal_power;
# Find passthrough HAL implementations
allow hal_power system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_power vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_power vendor_file:file { read open getattr execute map };
;
allow hal_power_server dumpstate:fifo_file write;
allow hal_power_server dumpstate:fd use;

# dumpstate.te:179 -- hal_client_domain(dumpstate, hal_power_stats)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_power_stats_client;
typeattribute dumpstate hal_power_stats;
# Find passthrough HAL implementations
allow hal_power_stats system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_power_stats vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_power_stats vendor_file:file { read open getattr execute map };
;
allow hal_power_stats_server dumpstate:fifo_file write;
allow hal_power_stats_server dumpstate:fd use;

# dumpstate.te:180 -- hal_client_domain(dumpstate, hal_rebootescrow)
# (reboot-escrow key HAL; see the attribute-inheritance caveat above)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_rebootescrow_client;
typeattribute dumpstate hal_rebootescrow;
# Find passthrough HAL implementations
allow hal_rebootescrow system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_rebootescrow vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_rebootescrow vendor_file:file { read open getattr execute map };
;
allow hal_rebootescrow_server dumpstate:fifo_file write;
allow hal_rebootescrow_server dumpstate:fd use;

# dumpstate.te:181 -- hal_client_domain(dumpstate, hal_secretkeeper)
# (secret-storage HAL; see the attribute-inheritance caveat above)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_secretkeeper_client;
typeattribute dumpstate hal_secretkeeper;
# Find passthrough HAL implementations
allow hal_secretkeeper system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_secretkeeper vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_secretkeeper vendor_file:file { read open getattr execute map };
;
allow hal_secretkeeper_server dumpstate:fifo_file write;
allow hal_secretkeeper_server dumpstate:fd use;

# dumpstate.te:182 -- hal_client_domain(dumpstate, hal_sensors)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_sensors_client;
typeattribute dumpstate hal_sensors;
# Find passthrough HAL implementations
allow hal_sensors system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_sensors vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_sensors vendor_file:file { read open getattr execute map };
;
allow hal_sensors_server dumpstate:fifo_file write;
allow hal_sensors_server dumpstate:fd use;

# dumpstate.te:183 -- hal_client_domain(dumpstate, hal_thermal)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_thermal_client;
typeattribute dumpstate hal_thermal;
# Find passthrough HAL implementations
allow hal_thermal system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_thermal vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_thermal vendor_file:file { read open getattr execute map };
;
allow hal_thermal_server dumpstate:fifo_file write;
allow hal_thermal_server dumpstate:fd use;

# dumpstate.te:184 -- hal_client_domain(dumpstate, hal_vehicle)
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_vehicle_client;
typeattribute dumpstate hal_vehicle;
# Find passthrough HAL implementations
allow hal_vehicle system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_vehicle vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_vehicle vendor_file:file { read open getattr execute map };
;
allow hal_vehicle_server dumpstate:fifo_file write;
allow hal_vehicle_server dumpstate:fd use;

# dumpstate.te:185 -- hal_client_domain(dumpstate, hal_weaver)
# (weaver/throttled-secret HAL). Only the first two statements of this
# expansion fall within this chunk of the listing; the remainder follows
# the same template as the blocks above.
typeattribute dumpstate halclientdomain;
typeattribute dumpstate hal_weaver_client;
#line 185 #line 185 typeattribute dumpstate hal_weaver; #line 185 # Find passthrough HAL implementations #line 185 allow hal_weaver system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 185 allow hal_weaver vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 185 allow hal_weaver vendor_file:file { read open getattr execute map }; #line 185 #line 185 ; #line 185 allow hal_weaver_server dumpstate:fifo_file write; #line 185 allow hal_weaver_server dumpstate:fd use; #line 185 #line 186 #line 186 typeattribute dumpstate halclientdomain; #line 186 typeattribute dumpstate hal_wifi_client; #line 186 #line 186 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 186 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 186 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 186 #line 186 typeattribute dumpstate hal_wifi; #line 186 # Find passthrough HAL implementations #line 186 allow hal_wifi system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 186 allow hal_wifi vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 186 allow hal_wifi vendor_file:file { read open getattr execute map }; #line 186 #line 186 ; #line 186 allow hal_wifi_server dumpstate:fifo_file write; #line 186 allow hal_wifi_server dumpstate:fd use; #line 186 # Vibrate the device after we are done collecting the bugreport #line 189 typeattribute dumpstate halclientdomain; #line 189 typeattribute dumpstate hal_vibrator_client; #line 189 #line 189 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 189 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 189 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). 
#line 189 #line 189 typeattribute dumpstate hal_vibrator; #line 189 # Find passthrough HAL implementations #line 189 allow hal_vibrator system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 189 allow hal_vibrator vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 189 allow hal_vibrator vendor_file:file { read open getattr execute map }; #line 189 #line 189 # Reading /proc/PID/maps of other processes allow dumpstate self:{ capability cap_userns } sys_ptrace; # Allow the bugreport service to create a file in # /data/data/com.android.shell/files/bugreports/bugreport allow dumpstate shell_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow dumpstate shell_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Run a shell. allow dumpstate shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } }; # For running am and similar framework commands. # Run /system/bin/app_process. allow dumpstate zygote_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } }; # For Bluetooth allow dumpstate bluetooth_data_file:dir search; allow dumpstate bluetooth_logs_data_file:dir { open getattr read search ioctl lock watch watch_reads }; allow dumpstate bluetooth_logs_data_file:file { getattr open read ioctl lock map watch watch_reads }; # For Nfc allow dumpstate nfc_logs_data_file:dir { open getattr read search ioctl lock watch watch_reads }; allow dumpstate nfc_logs_data_file:file { getattr open read ioctl lock map watch watch_reads }; # Dumpstate calls screencap, which grabs a screenshot. 
Needs gpu access allow dumpstate gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow dumpstate gpu_device:dir { open getattr read search ioctl lock watch watch_reads }; # logd access #line 220 allow dumpstate logcat_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } }; #line 220 #line 220 allow dumpstate logdr_socket:sock_file write; #line 220 allow dumpstate logd:unix_stream_socket connectto; #line 220 #line 220 #line 221 # Group AID_LOG checked by filesystem & logd #line 221 # to permit control commands #line 221 #line 221 allow dumpstate logd_socket:sock_file write; #line 221 allow dumpstate logd:unix_stream_socket connectto; #line 221 #line 221 #line 222 allow dumpstate runtime_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads }; #line 222 # Read files in /proc allow dumpstate { proc_bootconfig proc_buddyinfo proc_cmdline proc_meminfo proc_modules proc_net_type proc_pipe_conf proc_pagetypeinfo proc_qtaguid_ctrl proc_qtaguid_stat proc_slabinfo proc_version proc_vmallocinfo proc_vmstat }:file { getattr open read ioctl lock map watch watch_reads }; # Read network state info files. allow dumpstate net_data_file:dir search; allow dumpstate net_data_file:file { getattr open read ioctl lock map watch watch_reads }; # List sockets via ss. allow dumpstate self:netlink_tcpdiag_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_read }; # Access /data/tombstones. 
allow dumpstate tombstone_data_file:dir { open getattr read search ioctl lock watch watch_reads }; allow dumpstate tombstone_data_file:file { getattr open read ioctl lock map watch watch_reads }; # Access /cache/recovery allow dumpstate cache_recovery_file:dir { open getattr read search ioctl lock watch watch_reads }; allow dumpstate cache_recovery_file:file { getattr open read ioctl lock map watch watch_reads }; # Access /data/misc/recovery allow dumpstate recovery_data_file:dir { open getattr read search ioctl lock watch watch_reads }; allow dumpstate recovery_data_file:file { getattr open read ioctl lock map watch watch_reads }; # Access /data/misc/update_engine & /data/misc/update_engine_log allow dumpstate { update_engine_data_file update_engine_log_data_file }:dir { open getattr read search ioctl lock watch watch_reads }; allow dumpstate { update_engine_data_file update_engine_log_data_file }:file { getattr open read ioctl lock map watch watch_reads }; # Access /data/misc/snapuserd_log allow dumpstate snapuserd_log_data_file:dir { open getattr read search ioctl lock watch watch_reads }; allow dumpstate snapuserd_log_data_file:file { getattr open read ioctl lock map watch watch_reads }; # Access /data/misc/profiles/{cur,ref}/ #line 272 # Access /data/misc/logd allow dumpstate misc_logd_file:dir { open getattr read search ioctl lock watch watch_reads }; allow dumpstate misc_logd_file:file { getattr open read ioctl lock map watch watch_reads }; # Access /data/misc/prereboot allow dumpstate prereboot_data_file:dir { open getattr read search ioctl lock watch watch_reads }; allow dumpstate prereboot_data_file:file { getattr open read ioctl lock map watch watch_reads }; allow dumpstate app_fuse_file:dir { open getattr read search ioctl lock watch watch_reads }; allow dumpstate overlayfs_file:dir { open getattr read search ioctl lock watch watch_reads }; allow dumpstate { service_manager_type -apex_service -dumpstate_service -gatekeeper_service -hal_service_type 
-virtual_touchpad_service -vold_service -default_android_service }:service_manager find; # suppress denials for services dumpstate should not be accessing. dontaudit dumpstate { apex_service dumpstate_service gatekeeper_service hal_service_type virtual_touchpad_service vold_service }:service_manager find; # Most of these are neverallowed. dontaudit dumpstate hwservice_manager_type:hwservice_manager find; allow dumpstate servicemanager:service_manager list; allow dumpstate hwservicemanager:hwservice_manager list; allow dumpstate devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # Read any system properties #line 314 allow dumpstate property_type:file { getattr open read map }; #line 314 # Access to /data/media. # This should be removed if sdcardfs is modified to alter the secontext for its # accesses to the underlying FS. allow dumpstate media_rw_data_file:dir getattr; allow dumpstate proc_interrupts:file { getattr open read ioctl lock map watch watch_reads }; allow dumpstate proc_zoneinfo:file { getattr open read ioctl lock map watch watch_reads }; # Create a service for talking back to system_server #line 324 allow dumpstate dumpstate_service:service_manager { add find }; #line 324 neverallow { domain -dumpstate } dumpstate_service:service_manager add; #line 324 #line 324 # On debug builds with root, allow binder services to use binder over TCP. #line 324 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. 
#line 324 #line 324 # use /dev/ion for screen capture allow dumpstate ion_device:chr_file { getattr open read ioctl lock map watch watch_reads }; # Allow dumpstate to run top allow dumpstate proc_stat:file { getattr open read ioctl lock map watch watch_reads }; allow dumpstate proc_pressure_cpu:file { getattr open read ioctl lock map watch watch_reads }; allow dumpstate proc_pressure_mem:file { getattr open read ioctl lock map watch watch_reads }; allow dumpstate proc_pressure_io:file { getattr open read ioctl lock map watch watch_reads }; # Allow dumpstate to run ps allow dumpstate proc_pid_max:file { getattr open read ioctl lock map watch watch_reads }; # Allow dumpstate to talk to installd over binder #line 340 # Call the server domain and optionally transfer references to it. #line 340 allow dumpstate installd:binder { call transfer }; #line 340 # Allow the serverdomain to transfer references to the client on the reply. #line 340 allow installd dumpstate:binder transfer; #line 340 # Receive and use open files from the server. #line 340 allow dumpstate installd:fd use; #line 340 ; # Allow dumpstate to run ip xfrm policy allow dumpstate self:netlink_xfrm_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_read }; # Allow dumpstate to run iotop allow dumpstate self:netlink_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } }; # newer kernels (e.g. 
4.4) have a new class for sockets allow dumpstate self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } }; # Allow dumpstate to run ss allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } getattr; # Allow dumpstate to read linkerconfig directory allow dumpstate linkerconfig_file:dir { read open }; # For when dumpstate runs df dontaudit dumpstate { mnt_vendor_file mirror_data_file mnt_user_file mnt_product_file }:dir search; dontaudit dumpstate { apex_mnt_dir linkerconfig_file mirror_data_file mnt_user_file }:dir getattr; # Allow dumpstate to talk to bufferhubd over binder #line 371 # Call the server domain and optionally transfer references to it. #line 371 allow dumpstate bufferhubd:binder { call transfer }; #line 371 # Allow the serverdomain to transfer references to the client on the reply. #line 371 allow bufferhubd dumpstate:binder transfer; #line 371 # Receive and use open files from the server. 
#line 371 allow dumpstate bufferhubd:fd use; #line 371 ; # Allow dumpstate to talk to mediaswcodec over binder #line 374 # Call the server domain and optionally transfer references to it. #line 374 allow dumpstate mediaswcodec:binder { call transfer }; #line 374 # Allow the serverdomain to transfer references to the client on the reply. #line 374 allow mediaswcodec dumpstate:binder transfer; #line 374 # Receive and use open files from the server. #line 374 allow dumpstate mediaswcodec:fd use; #line 374 ; #Access /data/misc/snapshotctl_log allow dumpstate snapshotctl_log_data_file:dir { open getattr read search ioctl lock watch watch_reads }; allow dumpstate snapshotctl_log_data_file:file { getattr open read ioctl lock map watch watch_reads }; #Allow access to /dev/binderfs/binder_logs allow dumpstate binderfs_logs:dir { open getattr read search ioctl lock watch watch_reads }; allow dumpstate binderfs_logs:file { getattr open read ioctl lock map watch watch_reads }; allow dumpstate binderfs_logs_proc:file { getattr open read ioctl lock map watch watch_reads }; allow dumpstate binderfs_logs_stats:file { getattr open read ioctl lock map watch watch_reads }; #line 386 allow dumpstate apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads }; #line 386 allow dumpstate apex_info_file:file { getattr open read ioctl lock map watch watch_reads }; #line 386 #line 386 allow dumpstate vendor_apex_metadata_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 386 allow dumpstate vendor_apex_metadata_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 386 #line 386 # Allow reading files under /data/system/shutdown-checkpoints/ allow dumpstate shutdown_checkpoints_system_data_file:dir { open getattr read search ioctl lock watch watch_reads }; allow dumpstate shutdown_checkpoints_system_data_file:file { getattr open read ioctl lock map watch watch_reads }; ### ### neverallow rules ### # dumpstate has capability 
# sys_ptrace, but should only use that capability for
# accessing sensitive /proc/PID files, never for using ptrace attach.
neverallow dumpstate *:process ptrace;

# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
neverallow { domain -system_server -shell -traceur_app -dumpstate } dumpstate_service:service_manager find;
#line 1 "system/sepolicy/public/e2fs.te"
# Domain for the ext4 userspace tools (the comment further down names mkfs.ext4).
# Read/write access is limited to the explicitly labelled block-device types
# below; every other dev_type block file only gets getattr.
type e2fs, domain, coredomain;
type e2fs_exec, system_file_type, exec_type, file_type;

# Terminal I/O.
allow e2fs devpts:chr_file { read write getattr ioctl };

# stat on any block device, but open/read/write only on the types listed next.
allow e2fs dev_type:blk_file getattr;
allow e2fs block_device:dir search;
allow e2fs userdata_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow e2fs metadata_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow e2fs dm_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow e2fs zoned_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };

# Vold needs to capture mkfs.ext4's output
allow e2fs vold:fd use;

# Need to be able to format a partition
allow e2fs sysfs_dm:dir { open getattr read search ioctl lock watch watch_reads };
allow e2fs sysfs_dm:file { getattr open read ioctl lock map watch watch_reads };

# Extended-permission rule: although `ioctl` is granted on these block files
# above, once an allowxperm rule exists only the request numbers listed here
# are permitted -- any other ioctl from e2fs on these devices is denied.
# They appear to be block-layer BLK* requests (discard / zone management);
# verify each value against the kernel headers before extending the list.
allowxperm e2fs { userdata_block_device metadata_block_device dm_device zoned_block_device }:blk_file ioctl { 0x0000127d 0x00001277 0x0000127b 0x0000127c 0x0000125e 0xc0101282 0x40101283 };

# Read-only view of mounted filesystems and swap.
allow e2fs { proc_filesystems proc_mounts proc_swaps }:file { getattr open read ioctl lock map watch watch_reads };

# access /sys/fs/ext4/features
allow e2fs sysfs_fs_ext4_features:dir search;
allow e2fs sysfs_fs_ext4_features:file { getattr open read ioctl lock map watch watch_reads };

# access SELinux context files
# (read-only; presumably so a freshly formatted filesystem can be labelled -- confirm)
allow e2fs file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
#line 1 "system/sepolicy/public/ephemeral_app.te"
###
### Ephemeral apps.
###
### This file defines the security policy for apps with the ephemeral
### feature.
###
### The ephemeral_app domain is a reduced permissions sandbox allowing
### ephemeral applications to be safely installed and run. Non ephemeral
### applications may also opt-in to ephemeral to take advantage of the
### additional security features.
###
### PackageManager flags an app as ephemeral at install time.
# Only the type declaration is visible here; the domain's access rules are
# defined elsewhere in the policy.
type ephemeral_app, domain;
#line 1 "system/sepolicy/public/evsmanagerd.te"
# evsmanager daemon
# Only the type declaration is visible here.
type evsmanagerd, domain;
#line 1 "system/sepolicy/public/extra_free_kbytes.te"
# The extra_free_kbytes.sh script run by init.
type extra_free_kbytes, domain;
type extra_free_kbytes_exec, system_file_type, exec_type, file_type;

# required permissions to run the script from init
allow extra_free_kbytes shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow extra_free_kbytes system_file:file { getattr execute execute_no_trans map };
allow extra_free_kbytes toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };

# files used by the script
# The two VM tunables below are granted write as well as read; proc_zoneinfo
# is read-only. Write access stays limited to these two dedicated proc types.
allow extra_free_kbytes proc_extra_free_kbytes:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow extra_free_kbytes proc_watermark_scale_factor:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow extra_free_kbytes proc_zoneinfo:file { getattr open read ioctl lock map watch watch_reads };
#line 1 "system/sepolicy/public/fastbootd.te"
# fastbootd (used in recovery init.rc for /sbin/fastbootd)
# Declare the domain unconditionally so we can always reference it
# in neverallow rules.
type fastbootd, domain;

# But the allow rules are only included in the recovery policy.
# Otherwise fastbootd is only allowed the domain rules.
# (The recovery-only allow block is what the jump to line 119 skips over.)
#line 119
###
### neverallow rules
###

# Write permission is required to wipe userdata
# until recovery supports vold.
# NOTE(review): the comment above explains why write is not forbidden; the
# rule itself only denies executing anything labelled data_file_type.
neverallow fastbootd { data_file_type }:file { { execute execute_no_trans } };
#line 1 "system/sepolicy/public/file.te"
# Filesystem types
type labeledfs, fs_type;
type pipefs, fs_type;
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type, proc_type;
type binderfs, fs_type;
type binderfs_logs, fs_type;
type binderfs_logs_proc, fs_type;
type binderfs_logs_stats, fs_type;
type binderfs_features, fs_type;

# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type, proc_type;
type proc_drop_caches, fs_type, proc_type;
type proc_overcommit_memory, fs_type, proc_type;
type proc_min_free_order_shift, fs_type, proc_type;
type proc_kpageflags, fs_type, proc_type;
type proc_watermark_boost_factor, fs_type, proc_type;
type proc_percpu_pagelist_high_fraction, fs_type, proc_type;

# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type, proc_type; type sysfs_usermodehelper, fs_type, sysfs_type; type proc_qtaguid_ctrl, fs_type, mlstrustedobject, proc_type; type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type; type proc_bluetooth_writable, fs_type, proc_type; type proc_abi, fs_type, proc_type; type proc_asound, fs_type, proc_type; type proc_bootconfig, fs_type, proc_type; type proc_bpf, fs_type, proc_type; type proc_buddyinfo, fs_type, proc_type; type proc_cmdline, fs_type, proc_type; type proc_cpu_alignment, fs_type, proc_type; type proc_cpuinfo, fs_type, proc_type; type proc_dirty, fs_type, proc_type; type proc_diskstats, fs_type, proc_type; type proc_extra_free_kbytes, fs_type, proc_type; type proc_filesystems, fs_type, proc_type; type proc_fs_verity, fs_type, proc_type; type proc_hostname, fs_type, proc_type; type proc_hung_task, fs_type, proc_type; type proc_interrupts, fs_type, proc_type; type proc_iomem, fs_type, proc_type; type proc_kallsyms, fs_type, proc_type; type proc_keys, fs_type, proc_type; type proc_kmsg, fs_type, proc_type; type proc_loadavg, fs_type, proc_type; type proc_locks, fs_type, proc_type; type proc_lowmemorykiller, fs_type, proc_type; type proc_max_map_count, fs_type, proc_type; type proc_meminfo, fs_type, proc_type; type proc_misc, fs_type, proc_type; type proc_modules, fs_type, proc_type; type proc_mounts, fs_type, proc_type; type proc_net, fs_type, proc_type, proc_net_type; type proc_net_tcp_udp, fs_type, proc_type; type proc_page_cluster, fs_type, proc_type; type proc_pagetypeinfo, fs_type, proc_type; type proc_panic, fs_type, proc_type; type proc_perf, fs_type, proc_type; type proc_pid_max, fs_type, proc_type; type proc_pipe_conf, fs_type, proc_type; type proc_pressure_cpu, fs_type, proc_type; type proc_pressure_io, fs_type, proc_type; type proc_pressure_mem, fs_type, proc_type; type proc_random, fs_type, proc_type; type proc_sched, fs_type, proc_type; type proc_slabinfo, fs_type, proc_type; type proc_stat, fs_type, proc_type; 
type proc_swaps, fs_type, proc_type; type proc_sysrq, fs_type, proc_type; type proc_timer, fs_type, proc_type; type proc_tty_drivers, fs_type, proc_type; type proc_uid_cputime_showstat, fs_type, proc_type; type proc_uid_cputime_removeuid, fs_type, proc_type; type proc_uid_io_stats, fs_type, proc_type; type proc_uid_procstat_set, fs_type, proc_type; type proc_uid_time_in_state, fs_type, proc_type; type proc_uid_concurrent_active_time, fs_type, proc_type; type proc_uid_concurrent_policy_time, fs_type, proc_type; type proc_uid_cpupower, fs_type, proc_type; type proc_uptime, fs_type, proc_type; type proc_version, fs_type, proc_type; type proc_vmallocinfo, fs_type, proc_type; type proc_vmstat, fs_type, proc_type; type proc_watermark_scale_factor, fs_type, proc_type; type proc_zoneinfo, fs_type, proc_type; type proc_vendor_sched, proc_type, fs_type; type selinuxfs, fs_type, mlstrustedobject; type fusectlfs, fs_type; type cgroup, fs_type, mlstrustedobject; type cgroup_v2, fs_type; type sysfs, fs_type, sysfs_type, mlstrustedobject; type sysfs_android_usb, fs_type, sysfs_type; type sysfs_uio, sysfs_type, fs_type; type sysfs_batteryinfo, fs_type, sysfs_type; type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject; type sysfs_devfreq_cur, fs_type, sysfs_type; type sysfs_devfreq_dir, fs_type, sysfs_type; type sysfs_devices_block, fs_type, sysfs_type; type sysfs_dm, fs_type, sysfs_type; type sysfs_dm_verity, fs_type, sysfs_type; type sysfs_dma_heap, fs_type, sysfs_type; type sysfs_dmabuf_stats, fs_type, sysfs_type; type sysfs_dt_firmware_android, fs_type, sysfs_type; type sysfs_extcon, fs_type, sysfs_type; type sysfs_ion, fs_type, sysfs_type; type sysfs_ipv4, fs_type, sysfs_type; type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject; type sysfs_leds, fs_type, sysfs_type; type sysfs_loop, fs_type, sysfs_type; type sysfs_gpu, fs_type, sysfs_type; type sysfs_hwrandom, fs_type, sysfs_type; type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject; 
type sysfs_wake_lock, fs_type, sysfs_type; type sysfs_net, fs_type, sysfs_type; type sysfs_power, fs_type, sysfs_type; type sysfs_rtc, fs_type, sysfs_type; type sysfs_suspend_stats, fs_type, sysfs_type; type sysfs_switch, fs_type, sysfs_type; type sysfs_sync_on_suspend, fs_type, sysfs_type; type sysfs_transparent_hugepage, fs_type, sysfs_type; type sysfs_lru_gen_enabled, fs_type, sysfs_type; type sysfs_usb, fs_type, sysfs_type; type sysfs_wakeup, fs_type, sysfs_type; type sysfs_wakeup_reasons, fs_type, sysfs_type; type sysfs_fs_ext4_features, sysfs_type, fs_type; type sysfs_fs_f2fs, sysfs_type, fs_type; type sysfs_fs_fuse_bpf, sysfs_type, fs_type; type sysfs_fs_fuse_features, sysfs_type, fs_type; type sysfs_fs_incfs_features, sysfs_type, fs_type; type sysfs_fs_incfs_metrics, sysfs_type, fs_type; type sysfs_vendor_sched, sysfs_type, fs_type; #line 135 type fs_bpf, fs_type, bpffs_type; # TODO: S+ fs_bpf_tethering (used by mainline) should be private type fs_bpf_tethering, fs_type, bpffs_type; type fs_bpf_vendor, fs_type, bpffs_type; type configfs, fs_type; # /sys/devices/cs_etm type sysfs_devices_cs_etm, fs_type, sysfs_type; # /sys/devices/system/cpu type sysfs_devices_system_cpu, fs_type, sysfs_type; # /sys/module/lowmemorykiller type sysfs_lowmemorykiller, fs_type, sysfs_type; # /sys/module/wlan/parameters/fwpath type sysfs_wlan_fwpath, fs_type, sysfs_type; type sysfs_vibrator, fs_type, sysfs_type; type sysfs_uhid, fs_type, sysfs_type; type sysfs_thermal, sysfs_type, fs_type; type sysfs_zram, fs_type, sysfs_type; type sysfs_zram_uevent, fs_type, sysfs_type; type inotify, fs_type, mlstrustedobject; type devpts, fs_type, mlstrustedobject; type tmpfs, fs_type; type shm, fs_type; type mqueue, fs_type; type fuse, fusefs_type, fs_type, mlstrustedobject; type fuseblk, sdcard_type, fusefs_type, fs_type, mlstrustedobject; type sdcardfs, sdcard_type, fs_type, mlstrustedobject; type vfat, sdcard_type, fs_type, mlstrustedobject; type exfat, sdcard_type, fs_type, 
mlstrustedobject; type debugfs, fs_type, debugfs_type; type debugfs_kprobes, fs_type, debugfs_type; type debugfs_mmc, fs_type, debugfs_type; type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type; type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type; type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type; type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type; type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type; type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type; type debugfs_wakeup_sources, fs_type, debugfs_type; type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type; type securityfs, fs_type; type pstorefs, fs_type; type functionfs, fs_type, mlstrustedobject; type oemfs, fs_type, contextmount_type; type usbfs, fs_type; type binfmt_miscfs, fs_type; type app_fusefs, fs_type, fusefs_type, contextmount_type; # File types type unlabeled, file_type; # Default type for anything under /system. type system_file, system_file_type, file_type; # Default type for /system/asan.options type system_asan_options_file, system_file_type, file_type; # Type for /system/etc/event-log-tags (liblog implementation detail) type system_event_log_tags_file, system_file_type, file_type; # Default type for anything under /system/lib[64]. type system_lib_file, system_file_type, file_type; # system libraries that are available only to bootstrap processes type system_bootstrap_lib_file, system_file_type, file_type; # Default type for the group file /system/etc/group. type system_group_file, system_file_type, file_type; # Default type for linker executable /system/bin/linker[64]. type system_linker_exec, system_file_type, file_type; # Default type for linker config /system/etc/ld.config.*. type system_linker_config_file, system_file_type, file_type; # Default type for the passwd file /system/etc/passwd. 
type system_passwd_file, system_file_type, file_type; # Default type for seccomp policy files /system/etc/seccomp_policy/*. type system_seccomp_policy_file, system_file_type, file_type; # Default type for cacerts in /system/etc/security/cacerts/*. type system_security_cacerts_file, system_file_type, file_type; # Default type for /system/bin/tcpdump. type tcpdump_exec, system_file_type, exec_type, file_type; # Default type for zoneinfo files in /system/usr/share/zoneinfo/*. type system_zoneinfo_file, system_file_type, file_type; # Cgroups description file under /system/etc/cgroups.json type cgroup_desc_file, system_file_type, file_type; # Cgroups description file under /system/etc/task_profiles/cgroups_*.json type cgroup_desc_api_file, system_file_type, file_type; # Vendor cgroups description file under /vendor/etc/cgroups.json type vendor_cgroup_desc_file, vendor_file_type, file_type; # Task profiles file under /system/etc/task_profiles.json type task_profiles_file, system_file_type, file_type; # Task profiles file under /system/etc/task_profiles/task_profiles_*.json type task_profiles_api_file, system_file_type, file_type; # Vendor task profiles file under /vendor/etc/task_profiles.json type vendor_task_profiles_file, vendor_file_type, file_type; # Type for /system/apex/com.android.art type art_apex_dir, system_file_type, file_type; # /linkerconfig(/.*)? 
type linkerconfig_file, file_type; # Control files under /data/incremental type incremental_control_file, file_type, data_file_type, core_data_file_type; # /oem/media/bootanimation.zip|shutdownanimation.zip|userspace-reboot.zip type bootanim_oem_file, file_type, system_file_type; # Default type for directories searched for # HAL implementations type vendor_hal_file, vendor_file_type, file_type; # Default type for anything under /vendor or /system/vendor type vendor_file, vendor_file_type, file_type; # Default type for everything in /vendor/app type vendor_app_file, vendor_file_type, file_type; # Default type for everything under /vendor/etc/ type vendor_configs_file, vendor_file_type, file_type; # Default type for all *same process* HALs and their lib/bin dependencies. # e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so type same_process_hal_file, vendor_file_type, file_type; # Default type for vndk-sp libs. /vendor/lib/vndk-sp type vndk_sp_file, vendor_file_type, file_type; # Default type for everything in /vendor/framework type vendor_framework_file, vendor_file_type, file_type; # Default type for everything in /vendor/overlay type vendor_overlay_file, vendor_file_type, file_type; # Type for all vendor public libraries. These libs should only be exposed to # apps. ABI stability of these libs is vendor's responsibility. type vendor_public_lib_file, vendor_file_type, file_type; # Type for all vendor public libraries for system. These libs should only be exposed to # system. ABI stability of these libs is vendor's responsibility. type vendor_public_framework_file, vendor_file_type, file_type; # Type for all microdroid related files in the vendor partition. # Files having this type should be read-only.
type vendor_microdroid_file, vendor_file_type, file_type; # Input configuration type vendor_keylayout_file, vendor_file_type, file_type; type vendor_keychars_file, vendor_file_type, file_type; type vendor_idc_file, vendor_file_type, file_type; # Type for vendor uuid mapping config file type vendor_uuid_mapping_config_file, vendor_file_type, file_type; # SoC-specific virtual machine disk files type vendor_vm_file, vendor_file_type, file_type; # SoC-specific virtual machine disk files that are mutable type vendor_vm_data_file, vendor_file_type, file_type; # /metadata partition itself type metadata_file, file_type; # Vold files within /metadata type vold_metadata_file, file_type; # GSI files within /metadata type gsi_metadata_file, gsi_metadata_file_type, file_type; # DSU (GSI) files within /metadata that are globally readable. type gsi_public_metadata_file, gsi_metadata_file_type, file_type; # system_server shares Weaver slot information in /metadata type password_slot_metadata_file, file_type; # APEX files within /metadata type apex_metadata_file, file_type; # libsnapshot files within /metadata type ota_metadata_file, file_type; # property files within /metadata/bootstat type metadata_bootstat_file, file_type; # userspace reboot files within /metadata/userspacereboot type userspace_reboot_metadata_file, file_type; # Staged install files within /metadata/staged-install type staged_install_file, file_type; # Metadata information within /metadata/watchdog type watchdog_metadata_file, file_type; # Repair mode files within /metadata/repair-mode type repair_mode_metadata_file, file_type; # Aconfig storage file type aconfig_storage_metadata_file, file_type; # Aconfig storage flag value persistent copy type aconfig_storage_flags_metadata_file, file_type; # Type for /dev/cpu_variant:.*. type dev_cpu_variant, file_type; # Speedup access for trusted applications to the runtime event tags type runtime_event_log_tags_file, file_type; # Type for /system/bin/logcat. 
type logcat_exec, system_file_type, exec_type, file_type; # Speedup access to cgroup map file type cgroup_rc_file, file_type; # /cores for coredumps on userdebug / eng builds type coredump_file, file_type; # Type of /data itself type system_data_root_file, file_type, data_file_type, core_data_file_type; # Default type for anything under /data. type system_data_file, file_type, data_file_type, core_data_file_type; # Default type for directories containing per-user encrypted directories, such # as /data/user and /data/user_de. type system_userdir_file, file_type, data_file_type, core_data_file_type; # Type for /data/system/packages.list. # TODO(b/129332765): Narrow down permissions to this. # Find out users of system_data_file that should be granted only this. type packages_list_file, file_type, data_file_type, core_data_file_type; type game_mode_intervention_list_file, file_type, data_file_type, core_data_file_type; # Default type for anything inside /data/vendor_{ce,de}. type vendor_data_file, file_type, data_file_type; # Type for /data/vendor_{ce,de} themselves. This has core_data_file_type # because these directories themselves are platform-managed; only the files # *inside* them are vendor data. (Somewhat similar to system_data_root_file.) 
type vendor_userdir_file, file_type, data_file_type, core_data_file_type; # Unencrypted data type unencrypted_data_file, file_type, data_file_type, core_data_file_type; # installd-create files in /data/misc/installd such as layout_version type install_data_file, file_type, data_file_type, core_data_file_type; # /data/drm - DRM plugin data type drm_data_file, file_type, data_file_type, core_data_file_type; # /data/adb - adb debugging files type adb_data_file, file_type, data_file_type, core_data_file_type; # /data/anr - ANR traces type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; # /data/tombstones - core dumps type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; # /data/vendor/tombstones/wifi - vendor wifi dumps type tombstone_wifi_data_file, file_type, data_file_type; # /data/apex - APEX data files type apex_data_file, file_type, data_file_type, core_data_file_type; # /data/app - user-installed apps type apk_data_file, file_type, data_file_type, core_data_file_type; type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; # /data/app-private - forward-locked apps type apk_private_data_file, file_type, data_file_type, core_data_file_type; type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; # /data/dalvik-cache type dalvikcache_data_file, file_type, data_file_type, core_data_file_type; # /data/ota type ota_data_file, file_type, data_file_type, core_data_file_type; # /data/ota_package type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; # /data/misc/profiles type user_profile_root_file, file_type, data_file_type, core_data_file_type; type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; # /data/misc/profman type profman_dump_data_file, file_type, data_file_type, core_data_file_type; # /data/misc/prereboot type prereboot_data_file, file_type, 
data_file_type, core_data_file_type; # /data/resource-cache type resourcecache_data_file, file_type, data_file_type, core_data_file_type; # /data/local - writable by shell type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject; # /data/property type property_data_file, file_type, data_file_type, core_data_file_type; # /data/bootchart type bootchart_data_file, file_type, data_file_type, core_data_file_type; # /data/system/dropbox type dropbox_data_file, file_type, data_file_type, core_data_file_type; # /data/system/heapdump type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; # /data/nativetest type nativetest_data_file, file_type, data_file_type, core_data_file_type; # /data/local/tests type shell_test_data_file, file_type, data_file_type, core_data_file_type; # /data/system_de/0/ringtones type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; # /data/preloads type preloads_data_file, file_type, data_file_type, core_data_file_type; # /data/preloads/media type preloads_media_file, file_type, data_file_type, core_data_file_type; # /data/misc/dhcp and /data/misc/dhcp-6.8.2 type dhcp_data_file, file_type, data_file_type, core_data_file_type; # /data/server_configurable_flags type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type; # /data/app-staging type staging_data_file, file_type, data_file_type, core_data_file_type; # /vendor/apex type vendor_apex_file, vendor_file_type, file_type; # apex_manifest.pb in vendor apex type vendor_apex_metadata_file, vendor_file_type, file_type; # /data/system/shutdown-checkpoints type shutdown_checkpoints_system_data_file, file_type, data_file_type, core_data_file_type; # Mount locations managed by vold type mnt_media_rw_file, file_type; type mnt_user_file, file_type; type mnt_pass_through_file, file_type; type mnt_expand_file, file_type; type mnt_sdcard_file, file_type; type 
storage_file, file_type; # Label for storage dirs which are just mount stubs type mnt_media_rw_stub_file, file_type; type storage_stub_file, file_type; # Mount location for read-write vendor partitions. type mnt_vendor_file, file_type; # Mount location for read-write product partitions. type mnt_product_file, file_type; # Mount point used for APEX images type apex_mnt_dir, file_type; # /apex/apex-info-list.xml created by apexd type apex_info_file, file_type; # /postinstall: Mount point used by update_engine to run postinstall. type postinstall_mnt_dir, file_type; # Files inside the /postinstall mountpoint are all labeled as postinstall_file. type postinstall_file, file_type; # /postinstall/apex: Mount point used for APEX images within /postinstall. type postinstall_apex_mnt_dir, file_type; # /data_mirror: Contains mirror directory for storing all apps data. type mirror_data_file, file_type, core_data_file_type; # /data/misc subdirectories type adb_keys_file, file_type, data_file_type, core_data_file_type; type apex_system_server_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type; type apex_module_data_file, file_type, data_file_type, core_data_file_type; type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type; type apex_rollback_data_file, file_type, data_file_type, core_data_file_type; type appcompat_data_file, file_type, data_file_type, core_data_file_type; type audio_data_file, file_type, data_file_type, core_data_file_type; type audioserver_data_file, file_type, data_file_type, core_data_file_type; type bluetooth_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type; type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type; type bootstat_data_file, file_type, data_file_type, core_data_file_type; type boottrace_data_file, file_type, data_file_type, core_data_file_type; type camera_data_file, file_type, data_file_type, core_data_file_type; type credstore_data_file, 
file_type, data_file_type, core_data_file_type; type gatekeeper_data_file, file_type, data_file_type, core_data_file_type; type incident_data_file, file_type, data_file_type, core_data_file_type; type keychain_data_file, file_type, data_file_type, core_data_file_type; type keystore_data_file, file_type, data_file_type, core_data_file_type; type media_data_file, file_type, data_file_type, core_data_file_type; type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; type media_userdir_file, file_type, data_file_type, core_data_file_type; type misc_user_data_file, file_type, data_file_type, core_data_file_type; type net_data_file, file_type, data_file_type, core_data_file_type; type network_watchlist_data_file, file_type, data_file_type, core_data_file_type; type nfc_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type; type nfc_logs_data_file, file_type, data_file_type, core_data_file_type; type radio_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject; type recovery_data_file, file_type, data_file_type, core_data_file_type; type shared_relro_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type; type stats_config_data_file, file_type, data_file_type, core_data_file_type; type stats_data_file, file_type, data_file_type, core_data_file_type; type systemkeys_data_file, file_type, data_file_type, core_data_file_type; type textclassifier_data_file, file_type, data_file_type, core_data_file_type; type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; type vpn_data_file, file_type, data_file_type, core_data_file_type; type wifi_data_file, file_type, data_file_type, core_data_file_type; type vold_data_file, file_type, data_file_type, core_data_file_type; type tee_data_file, file_type, data_file_type; type update_engine_data_file, file_type, 
data_file_type, core_data_file_type; type update_engine_log_data_file, file_type, data_file_type, core_data_file_type; type snapuserd_log_data_file, file_type, data_file_type, core_data_file_type; # /data/misc/trace for method traces on userdebug / eng builds type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; type gsi_data_file, file_type, data_file_type, core_data_file_type; type radio_core_data_file, file_type, data_file_type, core_data_file_type; # /data/data subdirectories - app sandboxes type app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type; # /data/data subdirectories - priv-app sandboxes type privapp_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type; # /data/data subdirectory for system UID apps. type system_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject; # Compatibility with type name used in Android 4.3 and 4.4. # Default type for anything under /cache type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; # Type for /cache/overlay /mnt/scratch/overlay type overlayfs_file, file_type, data_file_type, core_data_file_type; # Type for /cache/backup_stage/* (fd interchange with apps) type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; # type for anything under /cache/backup (local transport storage) type cache_private_backup_file, file_type, data_file_type, core_data_file_type; # Type for anything under /cache/recovery type cache_recovery_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; # Default type for anything under /efs type efs_file, file_type; # Type for wallpaper file. type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; # Type for shortcut manager icon file. 
type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject; # Type for user icon file. type icon_file, file_type, data_file_type, core_data_file_type; # /mnt/asec type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; # Elements of asec files (/mnt/asec) that are world readable type asec_public_file, file_type, data_file_type, core_data_file_type; # /data/app-asec type asec_image_file, file_type, data_file_type, core_data_file_type; # /data/backup and /data/secure/backup type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; # All devices have bluetooth efs files. But they # vary per device, so this type is used in per # device policy type bluetooth_efs_file, file_type; # Type for fingerprint template file type fingerprintd_data_file, file_type, data_file_type, core_data_file_type; # Type for _new_ fingerprint template file type fingerprint_vendor_data_file, file_type, data_file_type; # Type for appfuse file. 
type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; # Type for face template file type face_vendor_data_file, file_type, data_file_type; # Type for iris template file type iris_vendor_data_file, file_type, data_file_type; # Socket types type adbd_socket, file_type, coredomain_socket; type bluetooth_socket, file_type, data_file_type, core_data_file_type, coredomain_socket; type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject; type dumpstate_socket, file_type, coredomain_socket; type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject; type lmkd_socket, file_type, coredomain_socket; type logd_socket, file_type, coredomain_socket, mlstrustedobject; type logdr_socket, file_type, coredomain_socket, mlstrustedobject; type logdw_socket, file_type, coredomain_socket, mlstrustedobject; type mdns_socket, file_type, coredomain_socket; type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject; type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type; type mtpd_socket, file_type, coredomain_socket; type ot_daemon_socket, file_type, coredomain_socket; type property_socket, file_type, coredomain_socket, mlstrustedobject; type racoon_socket, file_type, coredomain_socket; type recovery_socket, file_type, coredomain_socket; type rild_socket, file_type; type rild_debug_socket, file_type; type snapuserd_socket, file_type, coredomain_socket; type snapuserd_proxy_socket, file_type, coredomain_socket; type statsdw_socket, file_type, coredomain_socket, mlstrustedobject; type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket; type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject; type system_unsolzygote_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject; type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject; type 
tombstoned_java_trace_socket, file_type, mlstrustedobject; type tombstoned_intercept_socket, file_type, coredomain_socket; type traced_consumer_socket, file_type, coredomain_socket, mlstrustedobject; type traced_perf_socket, file_type, coredomain_socket, mlstrustedobject; type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject; type uncrypt_socket, file_type, coredomain_socket; type wpa_socket, file_type, data_file_type, core_data_file_type; type zygote_socket, file_type, coredomain_socket; type heapprofd_socket, file_type, coredomain_socket, mlstrustedobject; # UART (for GPS) control proc file type gps_control, file_type; # PDX endpoint types type pdx_display_dir, pdx_endpoint_dir_type, file_type; type pdx_performance_dir, pdx_endpoint_dir_type, file_type; type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type; #line 577 typeattribute pdx_display_dir pdx_display_client_endpoint_dir_type; #line 577 type pdx_display_client_endpoint_socket, pdx_display_client_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject; #line 577 type pdx_display_client_channel_socket, pdx_display_client_channel_socket_type, pdx_channel_socket_type, coredomain_socket; #line 577 #line 577 #line 578 typeattribute pdx_display_dir pdx_display_manager_endpoint_dir_type; #line 578 type pdx_display_manager_endpoint_socket, pdx_display_manager_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject; #line 578 type pdx_display_manager_channel_socket, pdx_display_manager_channel_socket_type, pdx_channel_socket_type, coredomain_socket; #line 578 #line 578 #line 579 typeattribute pdx_display_dir pdx_display_screenshot_endpoint_dir_type; #line 579 type pdx_display_screenshot_endpoint_socket, pdx_display_screenshot_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject; #line 579 type 
pdx_display_screenshot_channel_socket, pdx_display_screenshot_channel_socket_type, pdx_channel_socket_type, coredomain_socket; #line 579 #line 579 #line 580 typeattribute pdx_display_dir pdx_display_vsync_endpoint_dir_type; #line 580 type pdx_display_vsync_endpoint_socket, pdx_display_vsync_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject; #line 580 type pdx_display_vsync_channel_socket, pdx_display_vsync_channel_socket_type, pdx_channel_socket_type, coredomain_socket; #line 580 #line 580 #line 581 typeattribute pdx_performance_dir pdx_performance_client_endpoint_dir_type; #line 581 type pdx_performance_client_endpoint_socket, pdx_performance_client_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject; #line 581 type pdx_performance_client_channel_socket, pdx_performance_client_channel_socket_type, pdx_channel_socket_type, coredomain_socket; #line 581 #line 581 #line 582 typeattribute pdx_bufferhub_dir pdx_bufferhub_client_endpoint_dir_type; #line 582 type pdx_bufferhub_client_endpoint_socket, pdx_bufferhub_client_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject; #line 582 type pdx_bufferhub_client_channel_socket, pdx_bufferhub_client_channel_socket_type, pdx_channel_socket_type, coredomain_socket; #line 582 #line 582 # file_contexts files type file_contexts_file, system_file_type, file_type; # mac_permissions file type mac_perms_file, system_file_type, file_type; # property_contexts file type property_contexts_file, system_file_type, file_type; # seapp_contexts file type seapp_contexts_file, system_file_type, file_type; # sepolicy files binary and others type sepolicy_file, system_file_type, file_type; # service_contexts file type service_contexts_file, system_file_type, file_type; # keystore2_key_contexts_file type keystore2_key_contexts_file, system_file_type, file_type; # 
vendor service_contexts file type vendor_service_contexts_file, vendor_file_type, file_type; # hwservice_contexts file type hwservice_contexts_file, system_file_type, file_type; # vndservice_contexts file type vndservice_contexts_file, file_type; # /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions. type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type; # kernel modules type vendor_kernel_modules, vendor_file_type, file_type; # system_dlkm type system_dlkm_file, system_dlkm_file_type, file_type; # Allow files to be created in their appropriate filesystems. allow fs_type self:filesystem associate; allow cgroup tmpfs:filesystem associate; allow cgroup_v2 tmpfs:filesystem associate; allow cgroup_rc_file tmpfs:filesystem associate; allow sysfs_type sysfs:filesystem associate; allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate; allow file_type labeledfs:filesystem associate; allow file_type tmpfs:filesystem associate; allow file_type rootfs:filesystem associate; allow dev_type tmpfs:filesystem associate; allow app_fuse_file app_fusefs:filesystem associate; allow postinstall_file self:filesystem associate; allow proc_net proc:filesystem associate; # asanwrapper (run a sanitized app_process, to be used with wrap properties) # Deprecated in SDK version 28 type audiohal_data_file, file_type, data_file_type, core_data_file_type; # It's a bug to assign the file_type attribute and fs_type attribute # to any type. Do not allow it. # # For example, the following is a bug: # type apk_data_file, file_type, data_file_type, fs_type; # Should be: # type apk_data_file, file_type, data_file_type; neverallow fs_type file_type:filesystem associate; #line 1 "system/sepolicy/public/fingerprintd.te" type fingerprintd, domain; type fingerprintd_exec, system_file_type, exec_type, file_type; #line 4 # Call the servicemanager and transfer references to it. 
#line 4 allow fingerprintd servicemanager:binder { call transfer }; #line 4 # Allow servicemanager to send out callbacks #line 4 allow servicemanager fingerprintd:binder { call transfer }; #line 4 # servicemanager performs getpidcon on clients. #line 4 allow servicemanager fingerprintd:dir search; #line 4 allow servicemanager fingerprintd:file { read open }; #line 4 allow servicemanager fingerprintd:process getattr; #line 4 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 4 # all domains in domain.te. #line 4 # Scan through /system/lib64/hw looking for installed HALs allow fingerprintd system_file:dir { open getattr read search ioctl lock watch watch_reads }; # need to find KeyStore and add self #line 10 allow fingerprintd fingerprintd_service:service_manager { add find }; #line 10 neverallow { domain -fingerprintd } fingerprintd_service:service_manager add; #line 10 #line 10 # On debug builds with root, allow binder services to use binder over TCP. #line 10 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. 
#line 10 #line 10 # allow HAL module to create, read, write and unlink files in this dir allow fingerprintd fingerprintd_data_file:file { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } }; # allow HAL module to read this dir and add/remove entries in it allow fingerprintd fingerprintd_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; # Need to add auth tokens to KeyStore #line 19 allow keystore fingerprintd:dir search; #line 19 allow keystore fingerprintd:file { read open }; #line 19 allow keystore fingerprintd:process getattr; #line 19 allow fingerprintd apc_service:service_manager find; #line 19 allow fingerprintd keystore_service:service_manager find; #line 19 allow fingerprintd legacykeystore_service:service_manager find; #line 19 #line 19 # Call the server domain and optionally transfer references to it. #line 19 allow fingerprintd keystore:binder { call transfer }; #line 19 # Allow the serverdomain to transfer references to the client on the reply. #line 19 allow keystore fingerprintd:binder transfer; #line 19 # Receive and use open files from the server. #line 19 allow fingerprintd keystore:fd use; #line 19 #line 19 #line 19 # Call the server domain and optionally transfer references to it. #line 19 allow keystore fingerprintd:binder { call transfer }; #line 19 # Allow the serverdomain to transfer references to the client on the reply. #line 19 allow fingerprintd keystore:binder transfer; #line 19 # Receive and use open files from the server. #line 19 allow keystore fingerprintd:fd use; #line 19 #line 19 allow fingerprintd keystore:keystore2 { add_auth }; # For permissions checking #line 23 # Call the server domain and optionally transfer references to it. #line 23 allow fingerprintd system_server:binder { call transfer }; #line 23 # Allow the serverdomain to transfer references to the client on the reply.
#line 23 allow system_server fingerprintd:binder transfer; #line 23 # Receive and use open files from the server. #line 23 allow fingerprintd system_server:fd use; #line 23 ; allow fingerprintd permission_service:service_manager find; allow fingerprintd ion_device:chr_file { getattr open read ioctl lock map watch watch_reads }; #line 1 "system/sepolicy/public/flags_health_check.te" # The flags_health_check command run by init. type flags_health_check, domain, coredomain; type flags_health_check_exec, system_file_type, exec_type, file_type; allow flags_health_check server_configurable_flags_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; allow flags_health_check server_configurable_flags_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # server_configurable_flags_data_file is used for recording whether server configurable flags # have been reset during the current boot. Mistaken modification by unrelated components can # cause bad server configurable flags to be synced back to the device. neverallow { domain -init -flags_health_check } server_configurable_flags_data_file:file { append create link unlink relabelfrom rename setattr write }; #line 1 "system/sepolicy/public/fsck.te" # Any fsck program run by init type fsck, domain; type fsck_exec, system_file_type, exec_type, file_type; # /dev/__null__ created by init prior to policy load, # open fd inherited by fsck. allow fsck tmpfs:chr_file { read write ioctl }; # Inherit and use pty created by android_fork_execvp_ext().
allow fsck devpts:chr_file { read write ioctl getattr }; # Allow stdin/out back to vold allow fsck vold:fd use; allow fsck vold:fifo_file { read write getattr }; # Run fsck on certain block devices allow fsck userdata_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow fsck cache_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow fsck dm_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow fsck zoned_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; #line 23 # e2fsck performs a comprehensive search of /proc/mounts to check whether the # checked filesystem is currently mounted. allow fsck metadata_file:dir getattr; allow fsck block_device:dir search; allow fsck mirror_data_file:dir search; # For the block devices where we have ioctl access, # allow at a minimum the following common fsck ioctls. allowxperm fsck dev_type:blk_file ioctl { 0x0000127c 0x0000125e 0xc0101282 }; # To determine if it is safe to run fsck on a filesystem, e2fsck # must first determine if the filesystem is mounted. To do that, # e2fsck scans through /proc/mounts and collects all the mounted # block devices. With that information, it runs stat() on each block # device, comparing the major and minor numbers to the filesystem # passed in on the command line. If there is a match, then the filesystem # is currently mounted and running fsck is dangerous. # Allow stat access to all block devices so that fsck can compare # major/minor values. 
allow fsck dev_type:blk_file getattr; allow fsck { proc_mounts proc_swaps sysfs_dm }:file { getattr open read ioctl lock map watch watch_reads }; allow fsck rootfs:dir { open getattr read search ioctl lock watch watch_reads }; allow fsck sysfs_dm:dir { open getattr read search ioctl lock watch watch_reads }; ### ### neverallow rules ### # fsck should never be run on these block devices neverallow fsck { boot_block_device frp_block_device recovery_block_device root_block_device swap_block_device system_block_device vold_device }:blk_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; # Only allow entry from init or vold via fsck binaries neverallow { domain -init -vold } fsck:process transition; neverallow * fsck:process dyntransition; neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint; #line 1 "system/sepolicy/public/fsck_untrusted.te" # Any fsck program run on untrusted block devices type fsck_untrusted, domain; # Inherit and use pty created by android_fork_execvp_ext(). allow fsck_untrusted devpts:chr_file { read write ioctl getattr }; # Allow stdin/out back to vold allow fsck_untrusted vold:fd use; allow fsck_untrusted vold:fifo_file { read write getattr }; # Run fsck on vold block devices allow fsck_untrusted block_device:dir search; allow fsck_untrusted vold_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow fsck_untrusted proc_mounts:file { getattr open read ioctl lock map watch watch_reads }; # To determine if it is safe to run fsck on a filesystem, e2fsck # must first determine if the filesystem is mounted. To do that, # e2fsck scans through /proc/mounts and collects all the mounted # block devices. With that information, it runs stat() on each block # device, comparing the major and minor numbers to the filesystem # passed in on the command line. 
If there is a match, then the filesystem # is currently mounted and running fsck is dangerous. # Allow stat access to all block devices so that fsck can compare # major/minor values. allow fsck_untrusted dev_type:blk_file getattr; ### ### neverallow rules ### # Untrusted fsck should never be run on block devices holding sensitive data neverallow fsck_untrusted { boot_block_device frp_block_device metadata_block_device recovery_block_device root_block_device swap_block_device system_block_device userdata_block_device cache_block_device dm_device }:blk_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; # Only allow entry from vold via fsck binaries neverallow { domain -vold } fsck_untrusted:process transition; neverallow * fsck_untrusted:process dyntransition; neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint; # fsck_untrusted should never have sys_admin permissions. If it requires sys_admin # permissions, that is a code mistake that needs to be fixed, not a permission that # should be granted. Same with setgid and setuid. neverallow fsck_untrusted self:{ capability cap_userns } { setgid setuid sys_admin }; ### ### dontaudit rules ### # Ignore attempts to access sysfs. fsck binaries seem to like trying to go # here, but nothing bad happens if they can't, and they shouldn't be allowed. dontaudit fsck_untrusted sysfs:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; dontaudit fsck_untrusted sysfs_dm:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; dontaudit fsck_untrusted sysfs_dm:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; # Ignore attempts to access tmpfs. fsck doesn't need to do this.
dontaudit fsck_untrusted tmpfs:lnk_file read; #line 1 "system/sepolicy/public/gatekeeperd.te" type gatekeeperd, domain; type gatekeeperd_exec, system_file_type, exec_type, file_type; # gatekeeperd #line 5 typeattribute gatekeeperd binderservicedomain; #line 5 #line 6 # Call the servicemanager and transfer references to it. #line 6 allow gatekeeperd servicemanager:binder { call transfer }; #line 6 # Allow servicemanager to send out callbacks #line 6 allow servicemanager gatekeeperd:binder { call transfer }; #line 6 # servicemanager performs getpidcon on clients. #line 6 allow servicemanager gatekeeperd:dir search; #line 6 allow servicemanager gatekeeperd:file { read open }; #line 6 allow servicemanager gatekeeperd:process getattr; #line 6 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 6 # all domains in domain.te. #line 6 ### Rules needed when Gatekeeper HAL runs inside gatekeeperd process. ### These rules should eventually be granted only when needed. allow gatekeeperd ion_device:chr_file { getattr open read ioctl lock map watch watch_reads }; # Load HAL implementation allow gatekeeperd system_file:dir { open getattr read search ioctl lock watch watch_reads }; ### ### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process. ### These rules should eventually be granted only when needed. #line 17 typeattribute gatekeeperd halclientdomain; #line 17 typeattribute gatekeeperd hal_gatekeeper_client; #line 17 #line 17 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 17 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 17 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). 
#line 17 #line 17 typeattribute gatekeeperd hal_gatekeeper; #line 17 # Find passthrough HAL implementations #line 17 allow hal_gatekeeper system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 17 allow hal_gatekeeper vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 17 allow hal_gatekeeper vendor_file:file { read open getattr execute map }; #line 17 #line 17 ### # need to find KeyStore and add self #line 21 allow gatekeeperd gatekeeper_service:service_manager { add find }; #line 21 neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add; #line 21 #line 21 # On debug builds with root, allow binder services to use binder over TCP. #line 21 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 21 #line 21 # Need to add auth tokens to KeyStore #line 24 allow keystore gatekeeperd:dir search; #line 24 allow keystore gatekeeperd:file { read open }; #line 24 allow keystore gatekeeperd:process getattr; #line 24 allow gatekeeperd apc_service:service_manager find; #line 24 allow gatekeeperd keystore_service:service_manager find; #line 24 allow gatekeeperd legacykeystore_service:service_manager find; #line 24 #line 24 # Call the server domain and optionally transfer references to it. #line 24 allow gatekeeperd keystore:binder { call transfer }; #line 24 # Allow the serverdomain to transfer references to the client on the reply. #line 24 allow keystore gatekeeperd:binder transfer; #line 24 # Receive and use open files from the server. #line 24 allow gatekeeperd keystore:fd use; #line 24 #line 24 #line 24 # Call the server domain and optionally transfer references to it. #line 24 allow keystore gatekeeperd:binder { call transfer }; #line 24 # Allow the serverdomain to transfer references to the client on the reply. #line 24 allow gatekeeperd keystore:binder transfer; #line 24 # Receive and use open files from the server. 
#line 24 allow keystore gatekeeperd:fd use; #line 24 #line 24 allow gatekeeperd keystore:keystore2 { add_auth }; allow gatekeeperd authorization_service:service_manager find; # For permissions checking allow gatekeeperd system_server:binder call; allow gatekeeperd permission_service:service_manager find; # for SID file access allow gatekeeperd gatekeeper_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; allow gatekeeperd gatekeeper_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # For hardware properties retrieval allow gatekeeperd hardware_properties_service:service_manager find; #line 40 allow gatekeeperd cgroup:dir { open getattr read search ioctl lock watch watch_reads }; #line 40 allow gatekeeperd cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 40 #line 41 allow gatekeeperd cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads }; #line 41 allow gatekeeperd cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 41 #line 1 "system/sepolicy/public/gmscore_app.te" ### ### A domain for further sandboxing the PrebuiltGMSCore app. ### type gmscore_app, domain; #line 1 "system/sepolicy/public/gpuservice.te" # gpuservice - server for gpu stats and other gpu related services type gpuservice, domain; #line 1 "system/sepolicy/public/hal_allocator.te" # HwBinder IPC from client to server #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_allocator_client hal_allocator_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_allocator_server hal_allocator_client:binder transfer; #line 2 # Receive and use open files from the server. 
#line 2 allow hal_allocator_client hal_allocator_server:fd use; #line 2 #line 4 allow hal_allocator_client hidl_allocator_hwservice:hwservice_manager find; #line 4 #line 4 allow hal_allocator_server hidl_allocator_hwservice:hwservice_manager { add find }; #line 4 allow hal_allocator_server hidl_base_hwservice:hwservice_manager add; #line 4 neverallow { domain -hal_allocator_server } hidl_allocator_hwservice:hwservice_manager add; #line 4 #line 4 #line 4 #line 4 allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find; allow hal_allocator_client same_process_hal_file:file { execute read open getattr map }; #line 1 "system/sepolicy/public/hal_atrace.te" # HwBinder IPC from client to server #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_atrace_client hal_atrace_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_atrace_server hal_atrace_client:binder transfer; #line 2 # Receive and use open files from the server. #line 2 allow hal_atrace_client hal_atrace_server:fd use; #line 2 #line 4 allow hal_atrace_client hal_atrace_hwservice:hwservice_manager find; #line 4 #line 4 allow hal_atrace_server hal_atrace_hwservice:hwservice_manager { add find }; #line 4 allow hal_atrace_server hidl_base_hwservice:hwservice_manager add; #line 4 neverallow { domain -hal_atrace_server } hal_atrace_hwservice:hwservice_manager add; #line 4 #line 4 #line 4 #line 4 #line 1 "system/sepolicy/public/hal_audio.te" # HwBinder IPC from client to server, and callbacks #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_audio_client hal_audio_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_audio_server hal_audio_client:binder transfer; #line 2 # Receive and use open files from the server. 
#line 2 allow hal_audio_client hal_audio_server:fd use; #line 2 #line 3 # Call the server domain and optionally transfer references to it. #line 3 allow hal_audio_server hal_audio_client:binder { call transfer }; #line 3 # Allow the serverdomain to transfer references to the client on the reply. #line 3 allow hal_audio_client hal_audio_server:binder transfer; #line 3 # Receive and use open files from the server. #line 3 allow hal_audio_server hal_audio_client:fd use; #line 3 #line 5 allow hal_audio_client hal_audio_hwservice:hwservice_manager find; #line 5 #line 5 allow hal_audio_server hal_audio_hwservice:hwservice_manager { add find }; #line 5 allow hal_audio_server hidl_base_hwservice:hwservice_manager add; #line 5 neverallow { domain -hal_audio_server } hal_audio_hwservice:hwservice_manager add; #line 5 #line 5 #line 5 #line 5 #line 6 allow hal_audio_client hal_audio_service:service_manager find; #line 6 #line 6 allow hal_audio_server hal_audio_service:service_manager { add find }; #line 6 neverallow { domain -hal_audio_server } hal_audio_service:service_manager add; #line 6 #line 6 # On debug builds with root, allow binder services to use binder over TCP. #line 6 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 6 #line 6 #line 6 #line 6 #line 6 allow hal_audio ion_device:chr_file { getattr open read ioctl lock map watch watch_reads }; #line 10 # Call the server domain and optionally transfer references to it. #line 10 allow hal_audio_server servicemanager:binder { call transfer }; #line 10 # Allow the serverdomain to transfer references to the client on the reply. #line 10 allow servicemanager hal_audio_server:binder transfer; #line 10 # Receive and use open files from the server. 
#line 10 allow hal_audio_server servicemanager:fd use; #line 10 #line 12 allow hal_audio proc:dir { open getattr read search ioctl lock watch watch_reads }; #line 12 allow hal_audio proc:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 12 #line 13 allow hal_audio proc_asound:dir { open getattr read search ioctl lock watch watch_reads }; #line 13 allow hal_audio proc_asound:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 13 allow hal_audio_server audio_device:dir { open getattr read search ioctl lock watch watch_reads }; allow hal_audio_server audio_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # Needed to provide debug dump output via dumpsys' pipes. allow hal_audio shell:fd use; allow hal_audio shell:fifo_file write; allow hal_audio dumpstate:fd use; allow hal_audio dumpstate:fifo_file write; # Needed to allow sound trigger hal to access shared memory from apps. allow hal_audio_server appdomain:fd use; # Allow sound trigger hal to access shared memory from system server. allow hal_audio_server system_server_tmpfs:file { getattr map read }; # allow self to set scheduler (and allows Binder RT PI) allow hal_audio_server self:{ capability cap_userns } sys_nice; # allow hal audio to use vnbinder #line 32 # Talk to the vndbinder device node #line 32 allow hal_audio vndbinder_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; #line 32 # Call the vndservicemanager and transfer references to it. #line 32 allow hal_audio vndservicemanager:binder { call transfer }; #line 32 # vndservicemanager performs getpidcon on clients. 
#line 32 allow vndservicemanager hal_audio:dir search; #line 32 allow vndservicemanager hal_audio:file { read open map }; #line 32 allow vndservicemanager hal_audio:process getattr; #line 32 ### ### neverallow rules ### # Should never execute any executable without a domain transition neverallow hal_audio_server { file_type fs_type }:file execute_no_trans; # Only audio HAL may directly access the audio hardware neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *; #line 44 allow hal_audio audio_config_prop:file { getattr open read map }; #line 44 #line 45 allow hal_audio bluetooth_a2dp_offload_prop:file { getattr open read map }; #line 45 #line 46 allow hal_audio bluetooth_audio_hal_prop:file { getattr open read map }; #line 46 #line 1 "system/sepolicy/public/hal_audiocontrol.te" # HwBinder IPC from client to server, and callbacks #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_audiocontrol_client hal_audiocontrol_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_audiocontrol_server hal_audiocontrol_client:binder transfer; #line 2 # Receive and use open files from the server. #line 2 allow hal_audiocontrol_client hal_audiocontrol_server:fd use; #line 2 #line 3 # Call the server domain and optionally transfer references to it. #line 3 allow hal_audiocontrol_server hal_audiocontrol_client:binder { call transfer }; #line 3 # Allow the serverdomain to transfer references to the client on the reply. #line 3 allow hal_audiocontrol_client hal_audiocontrol_server:binder transfer; #line 3 # Receive and use open files from the server. 
#line 3 allow hal_audiocontrol_server hal_audiocontrol_client:fd use; #line 3 #line 5 allow hal_audiocontrol_client hal_audiocontrol_hwservice:hwservice_manager find; #line 5 #line 5 allow hal_audiocontrol_server hal_audiocontrol_hwservice:hwservice_manager { add find }; #line 5 allow hal_audiocontrol_server hidl_base_hwservice:hwservice_manager add; #line 5 neverallow { domain -hal_audiocontrol_server } hal_audiocontrol_hwservice:hwservice_manager add; #line 5 #line 5 #line 5 #line 5 #line 6 allow hal_audiocontrol_client hal_audiocontrol_service:service_manager find; #line 6 #line 6 allow hal_audiocontrol_server hal_audiocontrol_service:service_manager { add find }; #line 6 neverallow { domain -hal_audiocontrol_server } hal_audiocontrol_service:service_manager add; #line 6 #line 6 # On debug builds with root, allow binder services to use binder over TCP. #line 6 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 6 #line 6 #line 6 #line 6 #line 6 #line 8 # Call the server domain and optionally transfer references to it. #line 8 allow hal_audiocontrol_server servicemanager:binder { call transfer }; #line 8 # Allow the serverdomain to transfer references to the client on the reply. #line 8 allow servicemanager hal_audiocontrol_server:binder transfer; #line 8 # Receive and use open files from the server. #line 8 allow hal_audiocontrol_server servicemanager:fd use; #line 8 #line 1 "system/sepolicy/public/hal_authgraph.te" #line 1 # Call the server domain and optionally transfer references to it. #line 1 allow hal_authgraph_client hal_authgraph_server:binder { call transfer }; #line 1 # Allow the serverdomain to transfer references to the client on the reply. #line 1 allow hal_authgraph_server hal_authgraph_client:binder transfer; #line 1 # Receive and use open files from the server. 
#line 1 allow hal_authgraph_client hal_authgraph_server:fd use; #line 1 #line 3 allow hal_authgraph_client hal_authgraph_service:service_manager find; #line 3 #line 3 allow hal_authgraph_server hal_authgraph_service:service_manager { add find }; #line 3 neverallow { domain -hal_authgraph_server } hal_authgraph_service:service_manager add; #line 3 #line 3 # On debug builds with root, allow binder services to use binder over TCP. #line 3 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 3 #line 3 #line 3 #line 3 #line 3 #line 4 # Call the server domain and optionally transfer references to it. #line 4 allow hal_authgraph_server servicemanager:binder { call transfer }; #line 4 # Allow the serverdomain to transfer references to the client on the reply. #line 4 allow servicemanager hal_authgraph_server:binder transfer; #line 4 # Receive and use open files from the server. #line 4 allow hal_authgraph_server servicemanager:fd use; #line 4 allow hal_authgraph_server tee_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow hal_authgraph_server ion_device:chr_file { getattr open read ioctl lock map watch watch_reads }; #line 1 "system/sepolicy/public/hal_authsecret.te" # HwBinder IPC from client to server #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_authsecret_client hal_authsecret_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_authsecret_server hal_authsecret_client:binder transfer; #line 2 # Receive and use open files from the server. 
#line 2 allow hal_authsecret_client hal_authsecret_server:fd use; #line 2 #line 4 allow hal_authsecret_client hal_authsecret_hwservice:hwservice_manager find; #line 4 #line 4 allow hal_authsecret_server hal_authsecret_hwservice:hwservice_manager { add find }; #line 4 allow hal_authsecret_server hidl_base_hwservice:hwservice_manager add; #line 4 neverallow { domain -hal_authsecret_server } hal_authsecret_hwservice:hwservice_manager add; #line 4 #line 4 #line 4 #line 4 #line 5 allow hal_authsecret_client hal_authsecret_service:service_manager find; #line 5 #line 5 allow hal_authsecret_server hal_authsecret_service:service_manager { add find }; #line 5 neverallow { domain -hal_authsecret_server } hal_authsecret_service:service_manager add; #line 5 #line 5 # On debug builds with root, allow binder services to use binder over TCP. #line 5 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 5 #line 5 #line 5 #line 5 #line 5 #line 7 # Call the server domain and optionally transfer references to it. #line 7 allow hal_authsecret_server servicemanager:binder { call transfer }; #line 7 # Allow the serverdomain to transfer references to the client on the reply. #line 7 allow servicemanager hal_authsecret_server:binder transfer; #line 7 # Receive and use open files from the server. #line 7 allow hal_authsecret_server servicemanager:fd use; #line 7 #line 1 "system/sepolicy/public/hal_bluetooth.te" # HwBinder IPC from clients into server, and callbacks #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_bluetooth_client hal_bluetooth_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_bluetooth_server hal_bluetooth_client:binder transfer; #line 2 # Receive and use open files from the server. 
#line 2 allow hal_bluetooth_client hal_bluetooth_server:fd use; #line 2 #line 3 # Call the server domain and optionally transfer references to it. #line 3 allow hal_bluetooth_server hal_bluetooth_client:binder { call transfer }; #line 3 # Allow the serverdomain to transfer references to the client on the reply. #line 3 allow hal_bluetooth_client hal_bluetooth_server:binder transfer; #line 3 # Receive and use open files from the server. #line 3 allow hal_bluetooth_server hal_bluetooth_client:fd use; #line 3 #line 4 # Call the server domain and optionally transfer references to it. #line 4 allow hal_bluetooth_server servicemanager:binder { call transfer }; #line 4 # Allow the serverdomain to transfer references to the client on the reply. #line 4 allow servicemanager hal_bluetooth_server:binder transfer; #line 4 # Receive and use open files from the server. #line 4 allow hal_bluetooth_server servicemanager:fd use; #line 4 #line 6 allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find; #line 6 #line 6 allow hal_bluetooth_server hal_bluetooth_hwservice:hwservice_manager { add find }; #line 6 allow hal_bluetooth_server hidl_base_hwservice:hwservice_manager add; #line 6 neverallow { domain -hal_bluetooth_server } hal_bluetooth_hwservice:hwservice_manager add; #line 6 #line 6 #line 6 #line 6 #line 7 allow hal_bluetooth_client hal_bluetooth_service:service_manager find; #line 7 #line 7 allow hal_bluetooth_server hal_bluetooth_service:service_manager { add find }; #line 7 neverallow { domain -hal_bluetooth_server } hal_bluetooth_service:service_manager add; #line 7 #line 7 # On debug builds with root, allow binder services to use binder over TCP. #line 7 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 7 #line 7 #line 7 #line 7 #line 7 #line 9 # TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is #line 9 # deprecated. 
#line 9 # Access /sys/power/wake_lock and /sys/power/wake_unlock #line 9 allow hal_bluetooth sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; #line 9 # Accessing these files requires CAP_BLOCK_SUSPEND #line 9 allow hal_bluetooth self:{ capability2 cap2_userns } block_suspend; #line 9 # system_suspend permissions #line 9 #line 9 # Call the server domain and optionally transfer references to it. #line 9 allow hal_bluetooth system_suspend_server:binder { call transfer }; #line 9 # Allow the serverdomain to transfer references to the client on the reply. #line 9 allow system_suspend_server hal_bluetooth:binder transfer; #line 9 # Receive and use open files from the server. #line 9 allow hal_bluetooth system_suspend_server:fd use; #line 9 #line 9 allow hal_bluetooth system_suspend_hwservice:hwservice_manager find; #line 9 # halclientdomain permissions #line 9 #line 9 # Call the hwservicemanager and transfer references to it. #line 9 allow hal_bluetooth hwservicemanager:binder { call transfer }; #line 9 # Allow hwservicemanager to send out callbacks #line 9 allow hwservicemanager hal_bluetooth:binder { call transfer }; #line 9 # hwservicemanager performs getpidcon on clients. #line 9 allow hwservicemanager hal_bluetooth:dir search; #line 9 allow hwservicemanager hal_bluetooth:file { read open map }; #line 9 allow hwservicemanager hal_bluetooth:process getattr; #line 9 # rw access to /dev/hwbinder and /dev/ashmem is presently granted to #line 9 # all domains in domain.te. #line 9 #line 9 #line 9 allow hal_bluetooth hwservicemanager_prop:file { getattr open read map }; #line 9 #line 9 allow hal_bluetooth hidl_manager_hwservice:hwservice_manager find; #line 9 # AIDL suspend hal permissions #line 9 allow hal_bluetooth hal_system_suspend_service:service_manager find; #line 9 #line 9 # Call the servicemanager and transfer references to it. 
#line 9 allow hal_bluetooth servicemanager:binder { call transfer }; #line 9 # Allow servicemanager to send out callbacks #line 9 allow servicemanager hal_bluetooth:binder { call transfer }; #line 9 # servicemanager performs getpidcon on clients. #line 9 allow servicemanager hal_bluetooth:dir search; #line 9 allow servicemanager hal_bluetooth:file { read open }; #line 9 allow servicemanager hal_bluetooth:process getattr; #line 9 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 9 # all domains in domain.te. #line 9 #line 9 ; # The HAL toggles rfkill to power the chip off/on. allow hal_bluetooth self:{ capability cap_userns } net_admin; # bluetooth factory file accesses. #line 15 allow hal_bluetooth bluetooth_efs_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 15 allow hal_bluetooth bluetooth_efs_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 15 allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # sysfs access. 
#line 20 allow hal_bluetooth sysfs_type:dir { open getattr read search ioctl lock watch watch_reads }; #line 20 allow hal_bluetooth sysfs_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 20 allow hal_bluetooth sysfs_bluetooth_writable:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow hal_bluetooth self:{ capability2 cap2_userns } wake_alarm; # Allow write access to bluetooth-specific properties #line 25 #line 25 allow hal_bluetooth property_socket:sock_file write; #line 25 allow hal_bluetooth init:unix_stream_socket connectto; #line 25 #line 25 allow hal_bluetooth bluetooth_a2dp_offload_prop:property_service set; #line 25 #line 25 allow hal_bluetooth bluetooth_a2dp_offload_prop:file { getattr open read map }; #line 25 #line 25 #line 26 #line 26 allow hal_bluetooth property_socket:sock_file write; #line 26 allow hal_bluetooth init:unix_stream_socket connectto; #line 26 #line 26 allow hal_bluetooth bluetooth_audio_hal_prop:property_service set; #line 26 #line 26 allow hal_bluetooth bluetooth_audio_hal_prop:file { getattr open read map }; #line 26 #line 26 #line 27 #line 27 allow hal_bluetooth property_socket:sock_file write; #line 27 allow hal_bluetooth init:unix_stream_socket connectto; #line 27 #line 27 allow hal_bluetooth bluetooth_prop:property_service set; #line 27 #line 27 allow hal_bluetooth bluetooth_prop:file { getattr open read map }; #line 27 #line 27 #line 28 #line 28 allow hal_bluetooth property_socket:sock_file write; #line 28 allow hal_bluetooth init:unix_stream_socket connectto; #line 28 #line 28 allow hal_bluetooth exported_bluetooth_prop:property_service set; #line 28 #line 28 allow hal_bluetooth exported_bluetooth_prop:file { getattr open read map }; #line 28 #line 28 # /proc access (bluesleep etc.). 
allow hal_bluetooth proc_bluetooth_writable:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # allow to run with real-time scheduling policy allow hal_bluetooth self:{ capability cap_userns } sys_nice; #line 1 "system/sepolicy/public/hal_bootctl.te" # HwBinder IPC from client to server, and callbacks #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_bootctl_client hal_bootctl_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_bootctl_server hal_bootctl_client:binder transfer; #line 2 # Receive and use open files from the server. #line 2 allow hal_bootctl_client hal_bootctl_server:fd use; #line 2 #line 3 # Call the server domain and optionally transfer references to it. #line 3 allow hal_bootctl_server hal_bootctl_client:binder { call transfer }; #line 3 # Allow the serverdomain to transfer references to the client on the reply. #line 3 allow hal_bootctl_client hal_bootctl_server:binder transfer; #line 3 # Receive and use open files from the server. #line 3 allow hal_bootctl_server hal_bootctl_client:fd use; #line 3 #line 4 # Call the servicemanager and transfer references to it. #line 4 allow hal_bootctl_server servicemanager:binder { call transfer }; #line 4 # Allow servicemanager to send out callbacks #line 4 allow servicemanager hal_bootctl_server:binder { call transfer }; #line 4 # servicemanager performs getpidcon on clients. #line 4 allow servicemanager hal_bootctl_server:dir search; #line 4 allow servicemanager hal_bootctl_server:file { read open }; #line 4 allow servicemanager hal_bootctl_server:process getattr; #line 4 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 4 # all domains in domain.te. 
#line 4 #line 6 allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find; #line 6 #line 6 allow hal_bootctl_server hal_bootctl_hwservice:hwservice_manager { add find }; #line 6 allow hal_bootctl_server hidl_base_hwservice:hwservice_manager add; #line 6 neverallow { domain -hal_bootctl_server } hal_bootctl_hwservice:hwservice_manager add; #line 6 #line 6 #line 6 #line 6 allow hal_bootctl_server proc_bootconfig:file { getattr open read ioctl lock map watch watch_reads }; # Needed to wait for AIDL hal services #line 10 allow hal_bootctl_client hal_bootctl_service:service_manager find; #line 10 #line 10 allow hal_bootctl_server hal_bootctl_service:service_manager { add find }; #line 10 neverallow { domain -hal_bootctl_server } hal_bootctl_service:service_manager add; #line 10 #line 10 # On debug builds with root, allow binder services to use binder over TCP. #line 10 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 10 #line 10 #line 10 #line 10 #line 10 ; #line 1 "system/sepolicy/public/hal_broadcastradio.te" #line 1 # Call the server domain and optionally transfer references to it. #line 1 allow hal_broadcastradio_client hal_broadcastradio_server:binder { call transfer }; #line 1 # Allow the serverdomain to transfer references to the client on the reply. #line 1 allow hal_broadcastradio_server hal_broadcastradio_client:binder transfer; #line 1 # Receive and use open files from the server. #line 1 allow hal_broadcastradio_client hal_broadcastradio_server:fd use; #line 1 #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_broadcastradio_server hal_broadcastradio_client:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_broadcastradio_client hal_broadcastradio_server:binder transfer; #line 2 # Receive and use open files from the server. 
#line 2 allow hal_broadcastradio_server hal_broadcastradio_client:fd use; #line 2 #line 4 allow hal_broadcastradio_client hal_broadcastradio_hwservice:hwservice_manager find; #line 4 #line 4 allow hal_broadcastradio_server hal_broadcastradio_hwservice:hwservice_manager { add find }; #line 4 allow hal_broadcastradio_server hidl_base_hwservice:hwservice_manager add; #line 4 neverallow { domain -hal_broadcastradio_server } hal_broadcastradio_hwservice:hwservice_manager add; #line 4 #line 4 #line 4 #line 4 #line 5 allow hal_broadcastradio_client hal_broadcastradio_service:service_manager find; #line 5 #line 5 allow hal_broadcastradio_server hal_broadcastradio_service:service_manager { add find }; #line 5 neverallow { domain -hal_broadcastradio_server } hal_broadcastradio_service:service_manager add; #line 5 #line 5 # On debug builds with root, allow binder services to use binder over TCP. #line 5 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 5 #line 5 #line 5 #line 5 #line 5 #line 7 # Call the server domain and optionally transfer references to it. #line 7 allow hal_broadcastradio_server servicemanager:binder { call transfer }; #line 7 # Allow the serverdomain to transfer references to the client on the reply. #line 7 allow servicemanager hal_broadcastradio_server:binder transfer; #line 7 # Receive and use open files from the server. #line 7 allow hal_broadcastradio_server servicemanager:fd use; #line 7 #line 1 "system/sepolicy/public/hal_camera.te" # HwBinder IPC from clients to server and callbacks #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_camera_client hal_camera_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_camera_server hal_camera_client:binder transfer; #line 2 # Receive and use open files from the server. 
#line 2 allow hal_camera_client hal_camera_server:fd use; #line 2 #line 3 # Call the server domain and optionally transfer references to it. #line 3 allow hal_camera_server hal_camera_client:binder { call transfer }; #line 3 # Allow the serverdomain to transfer references to the client on the reply. #line 3 allow hal_camera_client hal_camera_server:binder transfer; #line 3 # Receive and use open files from the server. #line 3 allow hal_camera_server hal_camera_client:fd use; #line 3 #binder IPC from client to service manager and callbacks #line 6 # Call the servicemanager and transfer references to it. #line 6 allow hal_camera_server servicemanager:binder { call transfer }; #line 6 # Allow servicemanager to send out callbacks #line 6 allow servicemanager hal_camera_server:binder { call transfer }; #line 6 # servicemanager performs getpidcon on clients. #line 6 allow servicemanager hal_camera_server:dir search; #line 6 allow servicemanager hal_camera_server:file { read open }; #line 6 allow servicemanager hal_camera_server:process getattr; #line 6 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 6 # all domains in domain.te. #line 6 #line 8 allow hal_camera_client hal_camera_hwservice:hwservice_manager find; #line 8 #line 8 allow hal_camera_server hal_camera_hwservice:hwservice_manager { add find }; #line 8 allow hal_camera_server hidl_base_hwservice:hwservice_manager add; #line 8 neverallow { domain -hal_camera_server } hal_camera_hwservice:hwservice_manager add; #line 8 #line 8 #line 8 #line 8 #line 9 allow hal_camera_client hal_camera_service:service_manager find; #line 9 #line 9 allow hal_camera_server hal_camera_service:service_manager { add find }; #line 9 neverallow { domain -hal_camera_server } hal_camera_service:service_manager add; #line 9 #line 9 # On debug builds with root, allow binder services to use binder over TCP. #line 9 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. 
#line 9 #line 9 #line 9 #line 9 #line 9 allow hal_camera device:dir { open getattr read search ioctl lock watch watch_reads }; allow hal_camera video_device:dir { open getattr read search ioctl lock watch watch_reads }; allow hal_camera video_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow hal_camera camera_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow hal_camera ion_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow hal_camera dmabuf_system_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads }; # Both the client and the server need to use the graphics allocator allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use; # Allow hal_camera to use fd from app,gralloc,and ashmem HAL allow hal_camera { appdomain -isolated_app }:fd use; allow hal_camera surfaceflinger:fd use; allow hal_camera hal_allocator_server:fd use; # Needed to provide debug dump output via dumpsys' pipes. allow hal_camera shell:fd use; allow hal_camera shell:fifo_file write; ### ### neverallow rules ### # hal_camera should never execute any executable without a # domain transition neverallow hal_camera_server { file_type fs_type }:file execute_no_trans; # hal_camera should never need network access. Disallow network sockets. neverallow hal_camera_server { domain }:{ tcp_socket udp_socket rawip_socket } *; # Only camera HAL may directly access the camera hardware neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *; #line 1 "system/sepolicy/public/hal_can.te" # CAN controller #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_can_controller_client hal_can_controller_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. 
# (Bare "#line N" m4 syncline markers are omitted below; file-origin markers are kept.)
# hal_can.te, continued: CAN controller client <-> server HwBinder IPC.
allow hal_can_controller_server hal_can_controller_client:binder transfer;
# Receive and use open files from the server.
allow hal_can_controller_client hal_can_controller_server:fd use;
# Call the server domain and optionally transfer references to it.
allow hal_can_controller_server hal_can_controller_client:binder { call transfer };
# Allow the server domain to transfer references to the client on the reply.
allow hal_can_controller_client hal_can_controller_server:binder transfer;
# Receive and use open files from the server.
allow hal_can_controller_server hal_can_controller_client:fd use;
# HIDL registration: only hal_can_controller_server may add the hwservice.
allow hal_can_controller_client hal_can_controller_hwservice:hwservice_manager find;
allow hal_can_controller_server hal_can_controller_hwservice:hwservice_manager { add find };
allow hal_can_controller_server hidl_base_hwservice:hwservice_manager add;
neverallow { domain -hal_can_controller_server } hal_can_controller_hwservice:hwservice_manager add;
# CAN bus
# Call the server domain and optionally transfer references to it.
allow hal_can_bus_client hal_can_bus_server:binder { call transfer };
# Allow the server domain to transfer references to the client on the reply.
allow hal_can_bus_server hal_can_bus_client:binder transfer;
# Receive and use open files from the server.
allow hal_can_bus_client hal_can_bus_server:fd use;
# Call the server domain and optionally transfer references to it.
allow hal_can_bus_server hal_can_bus_client:binder { call transfer };
# Allow the server domain to transfer references to the client on the reply.
allow hal_can_bus_client hal_can_bus_server:binder transfer;
# Receive and use open files from the server.
allow hal_can_bus_server hal_can_bus_client:fd use;
# HIDL registration: only hal_can_bus_server may add the hwservice.
allow hal_can_bus_client hal_can_bus_hwservice:hwservice_manager find;
allow hal_can_bus_server hal_can_bus_hwservice:hwservice_manager { add find };
allow hal_can_bus_server hidl_base_hwservice:hwservice_manager add;
neverallow { domain -hal_can_bus_server } hal_can_bus_hwservice:hwservice_manager add;
# AIDL HAL for CAN buses (ICanController)
allow hal_can_controller_client hal_can_controller_service:service_manager find;
allow hal_can_controller_server hal_can_controller_service:service_manager { add find };
neverallow { domain -hal_can_controller_server } hal_can_controller_service:service_manager add;
# On debug builds with root, allow binder services to use binder over TCP.
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# NOTE(review): no rule follows the comment above in this expansion.
# Call the servicemanager and transfer references to it.
allow hal_can_controller servicemanager:binder { call transfer };
# Allow servicemanager to send out callbacks
allow servicemanager hal_can_controller:binder { call transfer };
# servicemanager performs getpidcon on clients.
allow servicemanager hal_can_controller:dir search;
allow servicemanager hal_can_controller:file { read open };
allow servicemanager hal_can_controller:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
#line 1 "system/sepolicy/public/hal_cas.te"
# HwBinder IPC from client to server, and callbacks
# Call the server domain and optionally transfer references to it.
allow hal_cas_client hal_cas_server:binder { call transfer };
# Allow the server domain to transfer references to the client on the reply.
# (Bare "#line N" m4 syncline markers are omitted below; file-origin markers are kept.)
# hal_cas.te, continued: client <-> server HwBinder IPC.
allow hal_cas_server hal_cas_client:binder transfer;
# Receive and use open files from the server.
allow hal_cas_client hal_cas_server:fd use;
# Call the server domain and optionally transfer references to it.
allow hal_cas_server hal_cas_client:binder { call transfer };
# Allow the server domain to transfer references to the client on the reply.
allow hal_cas_client hal_cas_server:binder transfer;
# Receive and use open files from the server.
allow hal_cas_server hal_cas_client:fd use;
# HIDL registration: only hal_cas_server may add the hwservice.
allow hal_cas_client hal_cas_hwservice:hwservice_manager find;
allow hal_cas_server hal_cas_hwservice:hwservice_manager { add find };
allow hal_cas_server hidl_base_hwservice:hwservice_manager add;
neverallow { domain -hal_cas_server } hal_cas_hwservice:hwservice_manager add;
allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
# AIDL registration: only hal_cas_server may add the service.
allow hal_cas_client hal_cas_service:service_manager find;
allow hal_cas_server hal_cas_service:service_manager { add find };
neverallow { domain -hal_cas_server } hal_cas_service:service_manager add;
# On debug builds with root, allow binder services to use binder over TCP.
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# NOTE(review): no rule follows the comment above in this expansion.
# Call the server domain and optionally transfer references to it.
allow hal_cas_server servicemanager:binder { call transfer };
# Allow the server domain to transfer references to the client on the reply.
allow servicemanager hal_cas_server:binder transfer;
# Receive and use open files from the server.
allow hal_cas_server servicemanager:fd use;
# Call the server domain and optionally transfer references to it.
allow hal_cas_client servicemanager:binder { call transfer };
# Allow the server domain to transfer references to the client on the reply.
allow servicemanager hal_cas_client:binder transfer;
# Receive and use open files from the server.
allow hal_cas_client servicemanager:fd use;
# Permit reading device's serial number from system properties
allow hal_cas_server serialno_prop:file { getattr open read map };
# Read files already opened under /data
allow hal_cas system_data_file:file { getattr read };
# Read access to pseudo filesystems
# NOTE(review): the cgroup/cgroup_v2 rules below also grant dir search/write and
# file append/write, so this is read/write access, not read-only as the comment says.
allow hal_cas cgroup:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_cas cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
allow hal_cas cgroup:dir { search write };
allow hal_cas cgroup:file { open append write lock map };
allow hal_cas cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_cas cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
allow hal_cas cgroup_v2:dir { search write };
allow hal_cas cgroup_v2:file { open append write lock map };
# Allow access to ion memory allocation device (read + write)
allow hal_cas ion_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_cas hal_graphics_allocator:fd use;
# Read + write access to the TEE device node.
allow hal_cas tee_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
###
### neverallow rules
###
# hal_cas should never execute any executable without a
# domain transition
neverallow hal_cas_server { file_type fs_type }:file execute_no_trans;
# do not allow privileged socket ioctl commands
# Extended-permission denylist: the ioctl request numbers below may never be
# granted to hal_cas_server on any domain's rawip/tcp/udp socket.
neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl
{
# qualcomm rmnet ioctls
0x00006900 0x00006902
# socket ioctls
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
0x00008991 0x00008992 0x00008993 0x00008994
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
# device and protocol specific ioctls
0x000089f0-0x000089ff
0x000089e0-0x000089ef
# Wireless extension ioctls
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
0x00008b34 0x00008b35 0x00008b36
# Dev private ioctl i.e. hardware specific ioctls
0x00008be0-0x00008bff
};
#line 1 "system/sepolicy/public/hal_codec2.te"
# Read-only access to media variant and codec2 configuration properties.
allow hal_codec2_client media_variant_prop:file { getattr open read map };
allow hal_codec2_server media_variant_prop:file { getattr open read map };
allow hal_codec2_client codec2_config_prop:file { getattr open read map };
allow hal_codec2_server codec2_config_prop:file { getattr open read map };
# Call the server domain and optionally transfer references to it.
# (Bare "#line N" m4 syncline markers are omitted below; file-origin markers are kept.)
# hal_codec2.te, continued: client <-> server HwBinder IPC.
allow hal_codec2_client hal_codec2_server:binder { call transfer };
# Allow the server domain to transfer references to the client on the reply.
allow hal_codec2_server hal_codec2_client:binder transfer;
# Receive and use open files from the server.
allow hal_codec2_client hal_codec2_server:fd use;
# Call the server domain and optionally transfer references to it.
allow hal_codec2_server hal_codec2_client:binder { call transfer };
# Allow the server domain to transfer references to the client on the reply.
allow hal_codec2_client hal_codec2_server:binder transfer;
# Receive and use open files from the server.
allow hal_codec2_server hal_codec2_client:fd use;
# HIDL registration: only hal_codec2_server may add the hwservice.
allow hal_codec2_client hal_codec2_hwservice:hwservice_manager find;
allow hal_codec2_server hal_codec2_hwservice:hwservice_manager { add find };
allow hal_codec2_server hidl_base_hwservice:hwservice_manager add;
neverallow { domain -hal_codec2_server } hal_codec2_hwservice:hwservice_manager add;
# AIDL registration: only hal_codec2_server may add the service.
allow hal_codec2_client hal_codec2_service:service_manager find;
allow hal_codec2_server hal_codec2_service:service_manager { add find };
neverallow { domain -hal_codec2_server } hal_codec2_service:service_manager add;
# On debug builds with root, allow binder services to use binder over TCP.
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# NOTE(review): no rule follows the comment above in this expansion.
# The following permissions are added to hal_codec2_server because vendor and
# vndk libraries provided for Codec2 implementation need them.
# Allow server access to composer sync fences
allow hal_codec2_server hal_graphics_composer:fd use;
# Allow both server and client read-only access to ion
allow hal_codec2_server ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# Allow server access to camera HAL's fences
allow hal_codec2_server hal_camera:fd use;
# Receive gralloc buffer FDs from bufferhubd.
allow hal_codec2_server bufferhubd:fd use;
allow hal_codec2_client ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# codec2 aidl graphic buffer allocation waitable object
# NOTE(review): the su rule presumably only matters on debug builds where the su
# domain exists — confirm it is not reachable on user builds.
allow hal_codec2_server su:fifo_file read;
allow hal_codec2_server mediaserver:fifo_file read;
allow hal_codec2_server { appdomain -isolated_app_all }:fifo_file read;
#line 1 "system/sepolicy/public/hal_configstore.te"
# HwBinder IPC from client to server
# Call the server domain and optionally transfer references to it.
allow hal_configstore_client hal_configstore_server:binder { call transfer };
# Allow the server domain to transfer references to the client on the reply.
allow hal_configstore_server hal_configstore_client:binder transfer;
# Receive and use open files from the server.
allow hal_configstore_client hal_configstore_server:fd use;
# HIDL registration: only hal_configstore_server may add ISurfaceFlingerConfigs.
allow hal_configstore_client hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
allow hal_configstore_server hal_configstore_ISurfaceFlingerConfigs:hwservice_manager { add find };
allow hal_configstore_server hidl_base_hwservice:hwservice_manager add;
neverallow { domain -hal_configstore_server } hal_configstore_ISurfaceFlingerConfigs:hwservice_manager add;
# hal_configstore runs with a strict seccomp filter. Use crash_dump's
# fallback path to collect crash data.
# (Bare "#line N" m4 syncline markers are omitted below; file-origin markers are kept.)
# hal_configstore.te, continued: crash-dump fallback path (append to ANR/tombstone
# files, talk to tombstoned, and write to the dumpstate/incidentd/system_server pipes).
allow hal_configstore_server anr_data_file:file append;
allow hal_configstore_server dumpstate:fd use;
allow hal_configstore_server incidentd:fd use;
# TODO: Figure out why write is needed.
allow hal_configstore_server dumpstate:fifo_file { append write };
allow hal_configstore_server incidentd:fifo_file { append write };
allow hal_configstore_server system_server:fifo_file { append write };
allow hal_configstore_server tombstoned:unix_stream_socket connectto;
allow hal_configstore_server tombstoned:fd use;
allow hal_configstore_server tombstoned_crash_socket:sock_file write;
allow hal_configstore_server tombstone_data_file:file append;
###
### neverallow rules
###
# Should never execute an executable without a domain transition
neverallow hal_configstore_server { file_type fs_type }:file execute_no_trans;
# Should never need network access. Disallow sockets except for
# unix stream/dgram sockets used for logging/debugging.
neverallow hal_configstore_server domain:{ rawip_socket tcp_socket udp_socket netlink_route_socket netlink_selinux_socket socket netlink_socket packet_socket key_socket appletalk_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } *;
# Unix sockets are only permitted towards itself, logd, prng_seeder and tombstoned.
neverallow hal_configstore_server { domain -hal_configstore_server -logd -prng_seeder -tombstoned }:{ unix_dgram_socket unix_stream_socket } *;
# Should never need access to anything on /data
neverallow hal_configstore_server {
  data_file_type
  -anr_data_file # for crash dump collection
  -tombstone_data_file # for crash dump collection
}:{ file fifo_file sock_file } *;
# Should never need sdcard access
# (~getattr: every dir permission except getattr is forbidden)
neverallow hal_configstore_server {
  sdcard_type fuse sdcardfs vfat exfat fuseblk # manual expansion for completeness
}:dir ~getattr;
neverallow hal_configstore_server {
  sdcard_type fuse sdcardfs vfat exfat fuseblk # manual expansion for completeness
}:file *;
# Do not permit access to service_manager and vndservice_manager
neverallow hal_configstore_server *:service_manager *;
# No privileged capabilities
neverallow hal_configstore_server self:{ capability capability2 cap_userns cap2_userns } *;
# No ptracing other processes
neverallow hal_configstore_server *:process ptrace;
# no relabeling
neverallow hal_configstore_server *:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { relabelfrom relabelto };
#line 1 "system/sepolicy/public/hal_confirmationui.te"
# HwBinder IPC from client to server
# Call the server domain and optionally transfer references to it.
# (Bare "#line N" m4 syncline markers are omitted below; file-origin markers are kept.)
# hal_confirmationui.te, continued: client -> server HwBinder IPC.
allow hal_confirmationui_client hal_confirmationui_server:binder { call transfer };
# Allow the server domain to transfer references to the client on the reply.
allow hal_confirmationui_server hal_confirmationui_client:binder transfer;
# Receive and use open files from the server.
allow hal_confirmationui_client hal_confirmationui_server:fd use;
# HIDL registration: only hal_confirmationui_server may add the hwservice.
allow hal_confirmationui_client hal_confirmationui_hwservice:hwservice_manager find;
allow hal_confirmationui_server hal_confirmationui_hwservice:hwservice_manager { add find };
allow hal_confirmationui_server hidl_base_hwservice:hwservice_manager add;
neverallow { domain -hal_confirmationui_server } hal_confirmationui_hwservice:hwservice_manager add;
# AIDL registration: only hal_confirmationui_server may add the service.
allow hal_confirmationui_client hal_confirmationui_service:service_manager find;
allow hal_confirmationui_server hal_confirmationui_service:service_manager { add find };
neverallow { domain -hal_confirmationui_server } hal_confirmationui_service:service_manager add;
# On debug builds with root, allow binder services to use binder over TCP.
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# NOTE(review): no rule follows the comment above in this expansion.
# Call the server domain and optionally transfer references to it.
allow hal_confirmationui_server servicemanager:binder { call transfer };
# Allow the server domain to transfer references to the client on the reply.
allow servicemanager hal_confirmationui_server:binder transfer;
# Receive and use open files from the server.
allow hal_confirmationui_server servicemanager:fd use;
#line 1 "system/sepolicy/public/hal_contexthub.te"
# HwBinder IPC from client to server, and callbacks
# Call the server domain and optionally transfer references to it.
allow hal_contexthub_client hal_contexthub_server:binder { call transfer };
# Allow the server domain to transfer references to the client on the reply.
allow hal_contexthub_server hal_contexthub_client:binder transfer;
# Receive and use open files from the server.
allow hal_contexthub_client hal_contexthub_server:fd use;
# Call the server domain and optionally transfer references to it.
allow hal_contexthub_server hal_contexthub_client:binder { call transfer };
# Allow the server domain to transfer references to the client on the reply.
allow hal_contexthub_client hal_contexthub_server:binder transfer;
# Receive and use open files from the server.
allow hal_contexthub_server hal_contexthub_client:fd use;
# AIDL registration: only hal_contexthub_server may add the service.
allow hal_contexthub_server hal_contexthub_service:service_manager { add find };
neverallow { domain -hal_contexthub_server } hal_contexthub_service:service_manager add;
# On debug builds with root, allow binder services to use binder over TCP.
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# Call the server domain and optionally transfer references to it.
allow hal_contexthub_server servicemanager:binder { call transfer };
# Allow the server domain to transfer references to the client on the reply.
allow servicemanager hal_contexthub_server:binder transfer;
# Receive and use open files from the server.
allow hal_contexthub_server servicemanager:fd use;
allow hal_contexthub_client hal_contexthub_service:service_manager find;
# HIDL registration: only hal_contexthub_server may add the hwservice.
allow hal_contexthub_client hal_contexthub_hwservice:hwservice_manager find;
allow hal_contexthub_server hal_contexthub_hwservice:hwservice_manager { add find };
allow hal_contexthub_server hidl_base_hwservice:hwservice_manager add;
neverallow { domain -hal_contexthub_server } hal_contexthub_hwservice:hwservice_manager add;
#line 1 "system/sepolicy/public/hal_drm.te"
# HwBinder IPC from client to server, and callbacks
# Call the servicemanager and transfer references to it.
allow hal_drm_server servicemanager:binder { call transfer };
# Allow servicemanager to send out callbacks
allow servicemanager hal_drm_server:binder { call transfer };
# servicemanager performs getpidcon on clients.
allow servicemanager hal_drm_server:dir search;
allow servicemanager hal_drm_server:file { read open };
allow servicemanager hal_drm_server:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
# Call the server domain and optionally transfer references to it.
allow hal_drm_client hal_drm_server:binder { call transfer };
# Allow the server domain to transfer references to the client on the reply.
allow hal_drm_server hal_drm_client:binder transfer;
# Receive and use open files from the server.
allow hal_drm_client hal_drm_server:fd use;
# Call the server domain and optionally transfer references to it.
allow hal_drm_server hal_drm_client:binder { call transfer };
# Allow the server domain to transfer references to the client on the reply.
# (Bare "#line N" m4 syncline markers are omitted below; file-origin markers are kept.)
# hal_drm.te, continued: server -> client reply path and service registration.
allow hal_drm_client hal_drm_server:binder transfer;
# Receive and use open files from the server.
allow hal_drm_server hal_drm_client:fd use;
# HIDL registration: only hal_drm_server may add the hwservice.
allow hal_drm_client hal_drm_hwservice:hwservice_manager find;
allow hal_drm_server hal_drm_hwservice:hwservice_manager { add find };
allow hal_drm_server hidl_base_hwservice:hwservice_manager add;
neverallow { domain -hal_drm_server } hal_drm_hwservice:hwservice_manager add;
# AIDL registration: only hal_drm_server may add the service.
allow hal_drm_client hal_drm_service:service_manager find;
allow hal_drm_server hal_drm_service:service_manager { add find };
neverallow { domain -hal_drm_server } hal_drm_service:service_manager add;
# On debug builds with root, allow binder services to use binder over TCP.
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# NOTE(review): no rule follows the comment above in this expansion.
allow hal_drm hidl_memory_hwservice:hwservice_manager find;
# Required by Widevine DRM (b/22990512)
# NOTE(review): execmem lets the hal_drm domain map anonymous memory that is both
# writable and executable (a W^X relaxation); it is granted to the whole hal_drm
# attribute, not only hal_drm_server.
allow hal_drm self:process execmem;
# Permit reading device's serial number from system properties
allow hal_drm_server serialno_prop:file { getattr open read map };
# Permit reading force L3 system property
allow hal_drm_server drm_forcel3_prop:file { getattr open read map };
# Read files already opened under /data
allow hal_drm system_data_file:file { getattr read };
# Read access to pseudo filesystems
# NOTE(review): the cgroup/cgroup_v2 rules below also grant dir search/write and
# file append/write, so this is read/write access, not read-only as the comment says.
allow hal_drm cgroup:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_drm cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
allow hal_drm cgroup:dir { search write };
allow hal_drm cgroup:file { open append write lock map };
allow hal_drm cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_drm cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
allow hal_drm cgroup_v2:dir { search write };
allow hal_drm cgroup_v2:file { open append write lock map };
# Allow dumpsys Widevine without root
# NOTE(review): no rule follows the comment above in this expansion; the rule
# appears to have expanded to nothing for this build.
# Allow access to ion memory allocation device (read + write)
allow hal_drm ion_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_drm hal_graphics_allocator:fd use;
# Allow access to hidl_memory allocation service
allow hal_drm hal_allocator_server:fd use;
# Allow access to fds allocated by mediaserver
allow hal_drm mediaserver:fd use;
# Read-only access to sysfs files; read + write access to the TEE device node.
allow hal_drm sysfs:file { getattr open read ioctl lock map watch watch_reads };
allow hal_drm tee_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_drm_server { appdomain -isolated_app }:fd use;
# only allow unprivileged socket ioctl commands
# Extended-permission allowlist on hal_drm's own sockets: the first inner set is
# socket/wireless "get" ioctls, the second is terminal ioctls.
allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket } ioctl {
{
# Socket ioctls for gathering information about the interface
0x00008906 0x00008907
0x00008910 0x00008912 0x00008913 0x00008915 0x00008917 0x00008919
0x0000891b 0x00008921 0x00008933 0x00008938 0x00008942
# Wireless extension ioctls. Primarily get functions.
0x00008b01 0x00008b05 0x00008b07 0x00008b09 0x00008b0b 0x00008b0d
0x00008b0f 0x00008b11 0x00008b12 0x00008b13 0x00008b21 0x00008b23
0x00008b25 0x00008b27 0x00008b29 0x00008b2d
} {
0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414
0x0000540e 0x0000540b 0x00005410 0x0000540f
} };
###
### neverallow rules
###
# hal_drm should never execute any executable without a
# domain transition
neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;
# do not allow privileged socket ioctl commands
# Extended-permission denylist: the ioctl request numbers below may never be
# granted to hal_drm_server on any domain's rawip/tcp/udp socket.
neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl
{
# qualcomm rmnet ioctls
0x00006900 0x00006902
# socket ioctls
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
0x00008991 0x00008992 0x00008993 0x00008994
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
# device and protocol specific ioctls
0x000089f0-0x000089ff
0x000089e0-0x000089ef
# Wireless extension ioctls
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
0x00008b34 0x00008b35 0x00008b36
# Dev private ioctl i.e. hardware specific ioctls
0x00008be0-0x00008bff
};
#line 1 "system/sepolicy/public/hal_dumpstate.te"
# HwBinder IPC from client to server, and callbacks
# Call the server domain and optionally transfer references to it.
allow hal_dumpstate_client hal_dumpstate_server:binder { call transfer };
# Allow the server domain to transfer references to the client on the reply.
allow hal_dumpstate_server hal_dumpstate_client:binder transfer;
# Receive and use open files from the server.
allow hal_dumpstate_client hal_dumpstate_server:fd use;
# Call the server domain and optionally transfer references to it.
allow hal_dumpstate_server hal_dumpstate_client:binder { call transfer };
# Allow the server domain to transfer references to the client on the reply.
allow hal_dumpstate_client hal_dumpstate_server:binder transfer;
# Receive and use open files from the server.
#line 3 allow hal_dumpstate_server hal_dumpstate_client:fd use; #line 3 #line 5 #line 5 allow hal_dumpstate_server property_socket:sock_file write; #line 5 allow hal_dumpstate_server init:unix_stream_socket connectto; #line 5 #line 5 allow hal_dumpstate_server hal_dumpstate_config_prop:property_service set; #line 5 #line 5 allow hal_dumpstate_server hal_dumpstate_config_prop:file { getattr open read map }; #line 5 #line 5 #line 7 allow hal_dumpstate_client hal_dumpstate_hwservice:hwservice_manager find; #line 7 #line 7 allow hal_dumpstate_server hal_dumpstate_hwservice:hwservice_manager { add find }; #line 7 allow hal_dumpstate_server hidl_base_hwservice:hwservice_manager add; #line 7 neverallow { domain -hal_dumpstate_server } hal_dumpstate_hwservice:hwservice_manager add; #line 7 #line 7 #line 7 #line 7 #line 8 allow hal_dumpstate_client hal_dumpstate_service:service_manager find; #line 8 #line 8 allow hal_dumpstate_server hal_dumpstate_service:service_manager { add find }; #line 8 neverallow { domain -hal_dumpstate_server } hal_dumpstate_service:service_manager add; #line 8 #line 8 # On debug builds with root, allow binder services to use binder over TCP. #line 8 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 8 #line 8 #line 8 #line 8 #line 8 #line 10 # Call the server domain and optionally transfer references to it. #line 10 allow hal_dumpstate_server servicemanager:binder { call transfer }; #line 10 # Allow the serverdomain to transfer references to the client on the reply. #line 10 allow servicemanager hal_dumpstate_server:binder transfer; #line 10 # Receive and use open files from the server. #line 10 allow hal_dumpstate_server servicemanager:fd use; #line 10 #line 12 # Call the servicemanager and transfer references to it. 
#line 12 allow hal_dumpstate_server servicemanager:binder { call transfer }; #line 12 # Allow servicemanager to send out callbacks #line 12 allow servicemanager hal_dumpstate_server:binder { call transfer }; #line 12 # servicemanager performs getpidcon on clients. #line 12 allow servicemanager hal_dumpstate_server:dir search; #line 12 allow servicemanager hal_dumpstate_server:file { read open }; #line 12 allow servicemanager hal_dumpstate_server:process getattr; #line 12 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 12 # all domains in domain.te. #line 12 # write bug reports in /data/data/com.android.shell/files/bugreports/bugreport allow hal_dumpstate shell_data_file:file write; # allow reading /proc/interrupts for all hal impls allow hal_dumpstate proc_interrupts:file { getattr open read ioctl lock map watch watch_reads }; # Log fsck results #line 20 allow hal_dumpstate fscklogs:dir { open getattr read search ioctl lock watch watch_reads }; #line 20 allow hal_dumpstate fscklogs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 20 #line 1 "system/sepolicy/public/hal_evs.te" #line 1 # Call the hwservicemanager and transfer references to it. #line 1 allow hal_evs_client hwservicemanager:binder { call transfer }; #line 1 # Allow hwservicemanager to send out callbacks #line 1 allow hwservicemanager hal_evs_client:binder { call transfer }; #line 1 # hwservicemanager performs getpidcon on clients. #line 1 allow hwservicemanager hal_evs_client:dir search; #line 1 allow hwservicemanager hal_evs_client:file { read open map }; #line 1 allow hwservicemanager hal_evs_client:process getattr; #line 1 # rw access to /dev/hwbinder and /dev/ashmem is presently granted to #line 1 # all domains in domain.te. #line 1 #line 2 # Call the hwservicemanager and transfer references to it. 
#line 2
allow hal_evs_server hwservicemanager:binder { call transfer };
#line 2
# Allow hwservicemanager to send out callbacks
#line 2
allow hwservicemanager hal_evs_server:binder { call transfer };
#line 2
# hwservicemanager performs getpidcon on clients.
#line 2
allow hwservicemanager hal_evs_server:dir search;
#line 2
allow hwservicemanager hal_evs_server:file { read open map };
#line 2
allow hwservicemanager hal_evs_server:process getattr;
#line 2
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 2
# all domains in domain.te.
#line 2
# Binder IPC is granted in both directions below (client->server, then
# server->client), so the server can invoke callbacks on the client.
#line 4
# Call the server domain and optionally transfer references to it.
#line 4
allow hal_evs_client hal_evs_server:binder { call transfer };
#line 4
# Allow the serverdomain to transfer references to the client on the reply.
#line 4
allow hal_evs_server hal_evs_client:binder transfer;
#line 4
# Receive and use open files from the server.
#line 4
allow hal_evs_client hal_evs_server:fd use;
#line 4
#line 5
# Call the server domain and optionally transfer references to it.
#line 5
allow hal_evs_server hal_evs_client:binder { call transfer };
#line 5
# Allow the serverdomain to transfer references to the client on the reply.
#line 5
allow hal_evs_client hal_evs_server:binder transfer;
#line 5
# Receive and use open files from the server.
#line 5
allow hal_evs_server hal_evs_client:fd use;
#line 5
# Below lines are equivalent to hal_attribute_hwservice(hal_evs, hal_evs_hwservice)
# except it allows evsmanagerd to add hal_evs_hwservice.
allow hal_evs_client hal_evs_hwservice:hwservice_manager find;
allow hal_evs_server hal_evs_hwservice:hwservice_manager { add find };
allow hal_evs_server hidl_base_hwservice:hwservice_manager add;
# Compile-time assertion: only hal_evs_server and evsmanagerd may register the
# hwservice, so no other domain can impersonate the EVS HAL to its clients.
neverallow { domain -hal_evs_server -evsmanagerd } hal_evs_hwservice:hwservice_manager add;
# Allows to add a service
#line 15
allow hal_evs_client hal_evs_service:service_manager find;
#line 15
#line 15
allow hal_evs_server hal_evs_service:service_manager { add find };
#line 15
# Stricter than the hwservice rule above: only the server may add the AIDL service.
neverallow { domain -hal_evs_server } hal_evs_service:service_manager add;
#line 15
#line 15
# On debug builds with root, allow binder services to use binder over TCP.
#line 15
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 15
#line 15
#line 15
#line 15
#line 15
# No rule follows the debug-build comment: the build-variant-conditional TCP
# rules presumably expanded to nothing for this build — confirm the variant.
#line 1 "system/sepolicy/public/hal_face.te"
# Allow HwBinder IPC from client to server, and vice versa for callbacks.
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_face_client hal_face_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_face_server hal_face_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_face_client hal_face_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_face_server hal_face_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_face_client hal_face_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_face_server hal_face_client:fd use;
#line 3
# Service discovery/registration: clients may only find; the server may add.
#line 5
allow hal_face_client hal_face_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_face_server hal_face_hwservice:hwservice_manager { add find };
#line 5
allow hal_face_server hidl_base_hwservice:hwservice_manager add;
#line 5
# Compile-time assertion: no domain other than the server may register the hwservice.
neverallow { domain -hal_face_server } hal_face_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
allow hal_face_client hal_face_service:service_manager find;
#line 6
#line 6
allow hal_face_server hal_face_service:service_manager { add find };
#line 6
neverallow { domain -hal_face_server } hal_face_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
#line 6
#line 6
#line 6
#line 6
#line 8
# Call the servicemanager and transfer references to it.
#line 8
allow hal_face_server servicemanager:binder { call transfer };
#line 8
# Allow servicemanager to send out callbacks
#line 8
allow servicemanager hal_face_server:binder { call transfer };
#line 8
# servicemanager performs getpidcon on clients.
#line 8
allow servicemanager hal_face_server:dir search;
#line 8
allow servicemanager hal_face_server:file { read open };
#line 8
allow servicemanager hal_face_server:process getattr;
#line 8
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 8
# all domains in domain.te.
#line 8
# Allow access to the ion memory allocation device.
# Read-side file permissions only (open/read/ioctl/map); ioctl is what ion allocation uses.
allow hal_face ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# Allow read/write access to the face template directory.
# Full create/rename/unlink plus read and write permissions on template files;
# the nested brace sets are presumably expanded permission macros (read set,
# then write set) and are flattened by the compiler.
allow hal_face face_vendor_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Directory side of the same grant: list/search plus add_name/remove_name.
allow hal_face face_vendor_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
#line 1 "system/sepolicy/public/hal_fastboot.te"
# allow binder connection from client to server
# Note this HAL grants binder only client->server; there is no server->client
# call rule here, so the server cannot initiate callbacks into the client.
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_fastboot_client hal_fastboot_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_fastboot_server hal_fastboot_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_fastboot_client hal_fastboot_server:fd use;
#line 2
# allow client to find the service, allow server to register the service
#line 4
allow hal_fastboot_client hal_fastboot_service:service_manager find;
#line 4
#line 4
allow hal_fastboot_server hal_fastboot_service:service_manager { add find };
#line 4
# Compile-time assertion: only the server domain may register the service.
neverallow { domain -hal_fastboot_server } hal_fastboot_service:service_manager add;
#line 4
#line 4
# On debug builds with root, allow binder services to use binder over TCP.
#line 4
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 4
#line 4
#line 4
#line 4
#line 4
# allow binder communication from server to service_manager
#line 6
# Call the server domain and optionally transfer references to it.
#line 6
allow hal_fastboot_server servicemanager:binder { call transfer };
#line 6
# Allow the serverdomain to transfer references to the client on the reply.
#line 6
allow servicemanager hal_fastboot_server:binder transfer;
#line 6
# Receive and use open files from the server.
#line 6
allow hal_fastboot_server servicemanager:fd use;
#line 6
#line 1 "system/sepolicy/public/hal_fingerprint.te"
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_fingerprint_client hal_fingerprint_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_fingerprint_server hal_fingerprint_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_fingerprint_client hal_fingerprint_server:fd use;
#line 2
# Reverse direction, so the server can deliver callbacks to the client.
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_fingerprint_server hal_fingerprint_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_fingerprint_client hal_fingerprint_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_fingerprint_server hal_fingerprint_client:fd use;
#line 3
#line 5
allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_fingerprint_server hal_fingerprint_hwservice:hwservice_manager { add find };
#line 5
allow hal_fingerprint_server hidl_base_hwservice:hwservice_manager add;
#line 5
# Compile-time assertion: only the server may register the fingerprint hwservice.
neverallow { domain -hal_fingerprint_server } hal_fingerprint_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
allow hal_fingerprint_client hal_fingerprint_service:service_manager find;
#line 6
#line 6
allow hal_fingerprint_server hal_fingerprint_service:service_manager { add find };
#line 6
neverallow { domain -hal_fingerprint_server } hal_fingerprint_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
#line 6
#line 6
#line 6
#line 6
#line 8
# Call the servicemanager and transfer references to it.
#line 8
allow hal_fingerprint_server servicemanager:binder { call transfer };
#line 8
# Allow servicemanager to send out callbacks
#line 8
allow servicemanager hal_fingerprint_server:binder { call transfer };
#line 8
# servicemanager performs getpidcon on clients.
#line 8
allow servicemanager hal_fingerprint_server:dir search;
#line 8
allow servicemanager hal_fingerprint_server:file { read open };
#line 8
allow servicemanager hal_fingerprint_server:process getattr;
#line 8
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 8
# all domains in domain.te.
#line 8
# For memory allocation
allow hal_fingerprint ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# Template storage: create/rename/setattr/unlink plus read and write sets on
# files, and list/search plus add_name/remove_name on the directory. The extra
# brace level around the file set is harmless; the compiler flattens nested sets.
allow hal_fingerprint fingerprint_vendor_data_file:file { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } };
allow hal_fingerprint fingerprint_vendor_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
# Read-only access to cgroup (v1 and v2) and sysfs directories, files and symlinks.
#line 16
allow hal_fingerprint cgroup:dir { open getattr read search ioctl lock watch watch_reads };
#line 16
allow hal_fingerprint cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 16
#line 17
allow hal_fingerprint cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
#line 17
allow hal_fingerprint cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 17
#line 18
allow hal_fingerprint sysfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 18
allow hal_fingerprint sysfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 18
#line 1 "system/sepolicy/public/hal_gatekeeper.te"
#line 1
# Call the server domain and optionally transfer references to it.
#line 1
allow hal_gatekeeper_client hal_gatekeeper_server:binder { call transfer };
#line 1
# Allow the serverdomain to transfer references to the client on the reply.
#line 1
allow hal_gatekeeper_server hal_gatekeeper_client:binder transfer;
#line 1
# Receive and use open files from the server.
#line 1
allow hal_gatekeeper_client hal_gatekeeper_server:fd use;
#line 1
# Only client->server binder call is granted for gatekeeper; no callback direction here.
#line 3
allow hal_gatekeeper_client hal_gatekeeper_hwservice:hwservice_manager find;
#line 3
#line 3
allow hal_gatekeeper_server hal_gatekeeper_hwservice:hwservice_manager { add find };
#line 3
allow hal_gatekeeper_server hidl_base_hwservice:hwservice_manager add;
#line 3
# Compile-time assertion: only the server may register the gatekeeper hwservice.
neverallow { domain -hal_gatekeeper_server } hal_gatekeeper_hwservice:hwservice_manager add;
#line 3
#line 3
#line 3
#line 3
#line 4
allow hal_gatekeeper_client hal_gatekeeper_service:service_manager find;
#line 4
#line 4
allow hal_gatekeeper_server hal_gatekeeper_service:service_manager { add find };
#line 4
neverallow { domain -hal_gatekeeper_server } hal_gatekeeper_service:service_manager add;
#line 4
#line 4
# On debug builds with root, allow binder services to use binder over TCP.
#line 4
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 4
#line 4
#line 4
#line 4
#line 4
#line 5
# Call the server domain and optionally transfer references to it.
#line 5
allow hal_gatekeeper_server servicemanager:binder { call transfer };
#line 5
# Allow the serverdomain to transfer references to the client on the reply.
#line 5
allow servicemanager hal_gatekeeper_server:binder transfer;
#line 5
# Receive and use open files from the server.
#line 5
allow hal_gatekeeper_server servicemanager:fd use;
#line 5
# TEE access.
# Read and write file permissions on the TEE device node (ioctl included).
allow hal_gatekeeper tee_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# ion: read-side permissions only.
allow hal_gatekeeper ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
#line 1 "system/sepolicy/public/hal_gnss.te"
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_gnss_client hal_gnss_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_gnss_server hal_gnss_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_gnss_client hal_gnss_server:fd use;
#line 2
# Reverse direction for callbacks.
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_gnss_server hal_gnss_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_gnss_client hal_gnss_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_gnss_server hal_gnss_client:fd use;
#line 3
#line 5
allow hal_gnss_client hal_gnss_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_gnss_server hal_gnss_hwservice:hwservice_manager { add find };
#line 5
allow hal_gnss_server hidl_base_hwservice:hwservice_manager add;
#line 5
# Compile-time assertion: only the server may register the GNSS hwservice.
neverallow { domain -hal_gnss_server } hal_gnss_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
allow hal_gnss_client hal_gnss_service:service_manager find;
#line 6
#line 6
allow hal_gnss_server hal_gnss_service:service_manager { add find };
#line 6
neverallow { domain -hal_gnss_server } hal_gnss_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
#line 6
#line 6
#line 6
#line 6
# Both the GNSS server and client attributes get the servicemanager handshake.
#line 7
# Call the servicemanager and transfer references to it.
#line 7
allow hal_gnss_server servicemanager:binder { call transfer };
#line 7
# Allow servicemanager to send out callbacks
#line 7
allow servicemanager hal_gnss_server:binder { call transfer };
#line 7
# servicemanager performs getpidcon on clients.
#line 7
allow servicemanager hal_gnss_server:dir search;
#line 7
allow servicemanager hal_gnss_server:file { read open };
#line 7
allow servicemanager hal_gnss_server:process getattr;
#line 7
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 7
# all domains in domain.te.
#line 7
#line 8
# Call the servicemanager and transfer references to it.
#line 8
allow hal_gnss_client servicemanager:binder { call transfer };
#line 8
# Allow servicemanager to send out callbacks
#line 8
allow servicemanager hal_gnss_client:binder { call transfer };
#line 8
# servicemanager performs getpidcon on clients.
#line 8
allow servicemanager hal_gnss_client:dir search;
#line 8
allow servicemanager hal_gnss_client:file { read open };
#line 8
allow servicemanager hal_gnss_client:process getattr;
#line 8
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 8
# all domains in domain.te.
#line 8
#line 1 "system/sepolicy/public/hal_graphics_allocator.te"
# HwBinder IPC from client to server
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_graphics_allocator_client hal_graphics_allocator_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_graphics_allocator_server hal_graphics_allocator_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_graphics_allocator_client hal_graphics_allocator_server:fd use;
#line 2
#line 4
allow hal_graphics_allocator_client hal_graphics_allocator_hwservice:hwservice_manager find;
#line 4
#line 4
allow hal_graphics_allocator_server hal_graphics_allocator_hwservice:hwservice_manager { add find };
#line 4
allow hal_graphics_allocator_server hidl_base_hwservice:hwservice_manager add;
#line 4
# Compile-time assertion: only the server may register the allocator hwservice.
neverallow { domain -hal_graphics_allocator_server } hal_graphics_allocator_hwservice:hwservice_manager add;
#line 4
#line 4
#line 4
#line 4
# Allocator clients also look up the mapper (HIDL and AIDL forms).
allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
allow hal_graphics_allocator_client hal_graphics_mapper_service:service_manager find;
# Clients load the same-process HAL library in their own address space:
# execute + map on same_process_hal_file. This is the one place in these
# rules where vendor code is mapped executable into a client domain.
allow hal_graphics_allocator_client same_process_hal_file:file { execute read open getattr map };
# GPU device access
# Read and write sets on the GPU device node; read-only on its directory.
allow hal_graphics_allocator gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_graphics_allocator gpu_device:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_graphics_allocator ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow hal_graphics_allocator dmabuf_system_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# Access the secure heap
allow hal_graphics_allocator dmabuf_system_secure_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# allow to run with real-time scheduling policy
# CAP_SYS_NICE on self, in both the init and non-init user namespace classes.
allow hal_graphics_allocator self:{ capability cap_userns } sys_nice;
# IAllocator stable-aidl
#line 22
allow hal_graphics_allocator_client hal_graphics_allocator_service:service_manager find;
#line 22
#line 22
allow hal_graphics_allocator_server hal_graphics_allocator_service:service_manager { add find };
#line 22
neverallow { domain -hal_graphics_allocator_server } hal_graphics_allocator_service:service_manager add;
#line 22
#line 22
# On debug builds with root, allow binder services to use binder over TCP.
#line 22
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 22
#line 22
#line 22
#line 22
#line 22
#line 23
# Call the server domain and optionally transfer references to it.
#line 23
allow hal_graphics_allocator_server servicemanager:binder { call transfer };
#line 23
# Allow the serverdomain to transfer references to the client on the reply.
#line 23
allow servicemanager hal_graphics_allocator_server:binder transfer;
#line 23
# Receive and use open files from the server.
#line 23
allow hal_graphics_allocator_server servicemanager:fd use;
#line 23
#line 24
# Call the server domain and optionally transfer references to it.
#line 24
allow hal_graphics_allocator_client servicemanager:binder { call transfer };
#line 24
# Allow the serverdomain to transfer references to the client on the reply.
#line 24
allow servicemanager hal_graphics_allocator_client:binder transfer;
#line 24
# Receive and use open files from the server.
#line 24
allow hal_graphics_allocator_client servicemanager:fd use;
#line 24
#line 1 "system/sepolicy/public/hal_graphics_composer.te"
# tmpfs type for the server's anonymous shared memory; the client side is an
# attribute that is expanded into its member types at compile time.
type hal_graphics_composer_server_tmpfs, file_type;
attribute hal_graphics_composer_client_tmpfs;
expandattribute hal_graphics_composer_client_tmpfs true;
# HwBinder IPC from client to server, and callbacks
#line 6
# Call the server domain and optionally transfer references to it.
#line 6
allow hal_graphics_composer_client hal_graphics_composer_server:binder { call transfer };
#line 6
# Allow the serverdomain to transfer references to the client on the reply.
#line 6
allow hal_graphics_composer_server hal_graphics_composer_client:binder transfer;
#line 6
# Receive and use open files from the server.
#line 6
allow hal_graphics_composer_client hal_graphics_composer_server:fd use;
#line 6
#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow hal_graphics_composer_server hal_graphics_composer_client:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow hal_graphics_composer_client hal_graphics_composer_server:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow hal_graphics_composer_server hal_graphics_composer_client:fd use;
#line 7
# Shared memory exchanged over binder: each side may map and read/write the
# other side's tmpfs files, but cannot create or unlink them.
allow hal_graphics_composer_client hal_graphics_composer_server_tmpfs:file { getattr map read write };
allow hal_graphics_composer_server hal_graphics_composer_client_tmpfs:file { getattr map read write };
#line 11
allow hal_graphics_composer_client hal_graphics_composer_hwservice:hwservice_manager find;
#line 11
#line 11
allow hal_graphics_composer_server hal_graphics_composer_hwservice:hwservice_manager { add find };
#line 11
allow hal_graphics_composer_server hidl_base_hwservice:hwservice_manager add;
#line 11
# Compile-time assertion: only the server may register the composer hwservice.
neverallow { domain -hal_graphics_composer_server } hal_graphics_composer_hwservice:hwservice_manager add;
#line 11
#line 11
#line 11
#line 11
# Coordinate with hal_graphics_mapper
allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;
# GPU device access
# Read and write sets on the GPU node; read-only on its directory and the heaps.
allow hal_graphics_composer gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_graphics_composer gpu_device:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_graphics_composer ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow hal_graphics_composer dmabuf_system_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# Use buffer descriptors handed over by the allocator.
allow hal_graphics_composer hal_graphics_allocator:fd use;
# Access /dev/graphics/fb0.
allow hal_graphics_composer graphics_device:dir search;
allow hal_graphics_composer graphics_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Fences
# "fd use" only: the composer may operate on fence descriptors passed from these
# domains, but gets no rights on the objects behind them. Note appdomain covers
# every app, so any app can hand the composer a descriptor.
allow hal_graphics_composer system_server:fd use;
allow hal_graphics_composer bootanim:fd use;
allow hal_graphics_composer appdomain:fd use;
# allow self to set SCHED_FIFO
allow hal_graphics_composer self:{ capability cap_userns } sys_nice;
# allow surfaceflinger to use a pipe for dumpsys output
allow hal_graphics_composer_server hal_graphics_composer_client:fifo_file write;
#line 39
# Call the server domain and optionally transfer references to it.
#line 39
allow hal_graphics_composer_client servicemanager:binder { call transfer };
#line 39
# Allow the serverdomain to transfer references to the client on the reply.
#line 39
allow servicemanager hal_graphics_composer_client:binder transfer;
#line 39
# Receive and use open files from the server.
#line 39
allow hal_graphics_composer_client servicemanager:fd use;
#line 39
#line 40
# Call the server domain and optionally transfer references to it.
#line 40
allow hal_graphics_composer_server servicemanager:binder { call transfer };
#line 40
# Allow the serverdomain to transfer references to the client on the reply.
#line 40
allow servicemanager hal_graphics_composer_server:binder transfer;
#line 40
# Receive and use open files from the server.
#line 40
allow hal_graphics_composer_server servicemanager:fd use;
#line 40
#line 42
allow hal_graphics_composer_client hal_graphics_composer_service:service_manager find;
#line 42
#line 42
allow hal_graphics_composer_server hal_graphics_composer_service:service_manager { add find };
#line 42
# Compile-time assertion: only the server may register the AIDL composer service.
neverallow { domain -hal_graphics_composer_server } hal_graphics_composer_service:service_manager add;
#line 42
#line 42
# On debug builds with root, allow binder services to use binder over TCP.
#line 42
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 42
#line 42
#line 42
#line 42
#line 42
#line 1 "system/sepolicy/public/hal_health.te"
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_health_client hal_health_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_health_server hal_health_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_health_client hal_health_server:fd use;
#line 2
# Reverse direction for callbacks.
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_health_server hal_health_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_health_client hal_health_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_health_server hal_health_client:fd use;
#line 3
#line 5
allow hal_health_client hal_health_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_health_server hal_health_hwservice:hwservice_manager { add find };
#line 5
allow hal_health_server hidl_base_hwservice:hwservice_manager add;
#line 5
# Compile-time assertion: only the server may register the health hwservice.
neverallow { domain -hal_health_server } hal_health_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
allow hal_health_client hal_health_service:service_manager find;
#line 6
#line 6
allow hal_health_server hal_health_service:service_manager { add find };
#line 6
neverallow { domain -hal_health_server } hal_health_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
#line 6
#line 6
#line 6
#line 6
# Common rules for a health service.
# Allow to listen to uevents for updates
# Socket on self only: create plus a read/write socket set without ioctl — by
# the name used in the debug comments above this is presumably the
# rw_socket_perms_no_ioctl expansion. No bind to other domains' sockets.
allow hal_health_server self:netlink_kobject_uevent_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# Allow to read /sys/class/power_supply directory
allow hal_health_server sysfs:dir { open getattr read search ioctl lock watch watch_reads };
# Allow to read files under /sys/class/power_supply. Implementations typically have symlinks
# to vendor specific files. Vendors should mark sysfs_batteryinfo on all files read by health
# HAL service.
#line 19
allow hal_health_server sysfs_batteryinfo:dir { open getattr read search ioctl lock watch watch_reads };
#line 19
allow hal_health_server sysfs_batteryinfo:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 19
# Allow to wake up to send periodic events
#line 22
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 22
# deprecated.
#line 22
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 22
# Read and write sets on the wake lock files (write is what takes/releases the lock).
allow hal_health_server sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 22
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 22
allow hal_health_server self:{ capability2 cap2_userns } block_suspend;
#line 22
# system_suspend permissions
#line 22
#line 22
# Call the server domain and optionally transfer references to it.
#line 22
allow hal_health_server system_suspend_server:binder { call transfer };
#line 22
# Allow the serverdomain to transfer references to the client on the reply.
#line 22
allow system_suspend_server hal_health_server:binder transfer;
#line 22
# Receive and use open files from the server.
#line 22
allow hal_health_server system_suspend_server:fd use;
#line 22
#line 22
allow hal_health_server system_suspend_hwservice:hwservice_manager find;
#line 22
# halclientdomain permissions
#line 22
#line 22
# Call the hwservicemanager and transfer references to it.
#line 22
allow hal_health_server hwservicemanager:binder { call transfer };
#line 22
# Allow hwservicemanager to send out callbacks
#line 22
allow hwservicemanager hal_health_server:binder { call transfer };
#line 22
# hwservicemanager performs getpidcon on clients.
#line 22
allow hwservicemanager hal_health_server:dir search;
#line 22
allow hwservicemanager hal_health_server:file { read open map };
#line 22
allow hwservicemanager hal_health_server:process getattr;
#line 22
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 22
# all domains in domain.te.
#line 22
#line 22
# Read-side permissions on the hwservicemanager property file.
#line 22
allow hal_health_server hwservicemanager_prop:file { getattr open read map };
#line 22
#line 22
allow hal_health_server hidl_manager_hwservice:hwservice_manager find;
#line 22
# AIDL suspend hal permissions
#line 22
allow hal_health_server hal_system_suspend_service:service_manager find;
#line 22
#line 22
# Call the servicemanager and transfer references to it.
#line 22
allow hal_health_server servicemanager:binder { call transfer };
#line 22
# Allow servicemanager to send out callbacks
#line 22
allow servicemanager hal_health_server:binder { call transfer };
#line 22
# servicemanager performs getpidcon on clients.
#line 22
allow servicemanager hal_health_server:dir search;
#line 22
allow servicemanager hal_health_server:file { read open };
#line 22
allow servicemanager hal_health_server:process getattr;
#line 22
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 22
# all domains in domain.te.
#line 22
#line 22
# Write to /dev/kmsg
# getattr plus the write set only; no read of the kernel log buffer.
allow hal_health_server kmsg_device:chr_file { getattr { open append write lock map } };
# Allow to use timerfd to wake itself up periodically to send health info.
# CAP_WAKE_ALARM on self (init user namespace class only, unlike the
# block_suspend grant above which also covers cap2_userns).
allow hal_health_server self:capability2 wake_alarm;
# Use bpf programs
# Read-only lookup in the vendor bpf fs and run programs loaded by bpfloader;
# no map or prog load rights are granted.
allow hal_health_server fs_bpf_vendor:dir search;
allow hal_health_server fs_bpf_vendor:file read;
allow hal_health_server bpfloader:bpf prog_run;
#line 1 "system/sepolicy/public/hal_health_storage.te"
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_health_storage_client hal_health_storage_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_health_storage_server hal_health_storage_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_health_storage_client hal_health_storage_server:fd use;
#line 2
# Reverse direction for callbacks.
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_health_storage_server hal_health_storage_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_health_storage_client hal_health_storage_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_health_storage_server hal_health_storage_client:fd use;
#line 3
#line 5
# Call the servicemanager and transfer references to it.
#line 5
allow hal_health_storage_server servicemanager:binder { call transfer };
#line 5
# Allow servicemanager to send out callbacks
#line 5
allow servicemanager hal_health_storage_server:binder { call transfer };
#line 5
# servicemanager performs getpidcon on clients.
#line 5
allow servicemanager hal_health_storage_server:dir search;
#line 5
allow servicemanager hal_health_storage_server:file { read open };
#line 5
allow servicemanager hal_health_storage_server:process getattr;
#line 5
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 5
# all domains in domain.te.
#line 5
#line 7
allow hal_health_storage_client hal_health_storage_hwservice:hwservice_manager find;
#line 7
#line 7
allow hal_health_storage_server hal_health_storage_hwservice:hwservice_manager { add find };
#line 7
allow hal_health_storage_server hidl_base_hwservice:hwservice_manager add;
#line 7
# Compile-time assertion: only the server may register the hwservice.
neverallow { domain -hal_health_storage_server } hal_health_storage_hwservice:hwservice_manager add;
#line 7
#line 7
#line 7
#line 7
#line 8
allow hal_health_storage_client hal_health_storage_service:service_manager find;
#line 8
#line 8
allow hal_health_storage_server hal_health_storage_service:service_manager { add find };
#line 8
neverallow { domain -hal_health_storage_server } hal_health_storage_service:service_manager add;
#line 8
#line 8
# On debug builds with root, allow binder services to use binder over TCP.
#line 8
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 8
#line 8
#line 8
#line 8
#line 8
# Allow ReadDefaultFstab().
# Search on the metadata directories, read-side permissions on the public GSI
# metadata file and on the kernel bootconfig/cmdline proc files.
#line 11
allow hal_health_storage_server { metadata_file gsi_metadata_file_type }:dir search;
#line 11
allow hal_health_storage_server gsi_public_metadata_file:file { getattr open read ioctl lock map watch watch_reads };
#line 11
allow hal_health_storage_server { proc_bootconfig proc_cmdline }:file { getattr open read ioctl lock map watch watch_reads };
#line 11
#line 1 "system/sepolicy/public/hal_identity.te"
# HwBinder IPC from client to server
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_identity_client hal_identity_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_identity_server hal_identity_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2 allow hal_identity_client hal_identity_server:fd use; #line 2 #line 4 allow hal_identity_client hal_identity_service:service_manager find; #line 4 #line 4 allow hal_identity_server hal_identity_service:service_manager { add find }; #line 4 neverallow { domain -hal_identity_server } hal_identity_service:service_manager add; #line 4 #line 4 # On debug builds with root, allow binder services to use binder over TCP. #line 4 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 4 #line 4 #line 4 #line 4 #line 4 #line 6 # Call the server domain and optionally transfer references to it. #line 6 allow hal_identity_server servicemanager:binder { call transfer }; #line 6 # Allow the serverdomain to transfer references to the client on the reply. #line 6 allow servicemanager hal_identity_server:binder transfer; #line 6 # Receive and use open files from the server. #line 6 allow hal_identity_server servicemanager:fd use; #line 6 #line 1 "system/sepolicy/public/hal_input_classifier.te" # HwBinder IPC from client to server #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_input_classifier_client hal_input_classifier_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_input_classifier_server hal_input_classifier_client:binder transfer; #line 2 # Receive and use open files from the server. 
#line 2 allow hal_input_classifier_client hal_input_classifier_server:fd use; #line 2 #line 4 allow hal_input_classifier_client hal_input_classifier_hwservice:hwservice_manager find; #line 4 #line 4 allow hal_input_classifier_server hal_input_classifier_hwservice:hwservice_manager { add find }; #line 4 allow hal_input_classifier_server hidl_base_hwservice:hwservice_manager add; #line 4 neverallow { domain -hal_input_classifier_server } hal_input_classifier_hwservice:hwservice_manager add; #line 4 #line 4 #line 4 #line 4 #line 1 "system/sepolicy/public/hal_input_processor.te" # HwBinder IPC from client to server #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_input_processor_client hal_input_processor_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_input_processor_server hal_input_processor_client:binder transfer; #line 2 # Receive and use open files from the server. #line 2 allow hal_input_processor_client hal_input_processor_server:fd use; #line 2 #line 3 # Call the server domain and optionally transfer references to it. #line 3 allow hal_input_processor_server servicemanager:binder { call transfer }; #line 3 # Allow the serverdomain to transfer references to the client on the reply. #line 3 allow servicemanager hal_input_processor_server:binder transfer; #line 3 # Receive and use open files from the server. #line 3 allow hal_input_processor_server servicemanager:fd use; #line 3 #line 5 allow hal_input_processor_client hal_input_processor_service:service_manager find; #line 5 #line 5 allow hal_input_processor_server hal_input_processor_service:service_manager { add find }; #line 5 neverallow { domain -hal_input_processor_server } hal_input_processor_service:service_manager add; #line 5 #line 5 # On debug builds with root, allow binder services to use binder over TCP. 
#line 5 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 5 #line 5 #line 5 #line 5 #line 5 # Allow dumping of the HAL allow hal_input_processor_server dumpstate:fifo_file write; #line 1 "system/sepolicy/public/hal_ir.te" # HwBinder IPC from client to server, and callbacks #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_ir_client hal_ir_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_ir_server hal_ir_client:binder transfer; #line 2 # Receive and use open files from the server. #line 2 allow hal_ir_client hal_ir_server:fd use; #line 2 #line 3 # Call the server domain and optionally transfer references to it. #line 3 allow hal_ir_server hal_ir_client:binder { call transfer }; #line 3 # Allow the serverdomain to transfer references to the client on the reply. #line 3 allow hal_ir_client hal_ir_server:binder transfer; #line 3 # Receive and use open files from the server. #line 3 allow hal_ir_server hal_ir_client:fd use; #line 3 #line 5 allow hal_ir_client hal_ir_service:service_manager find; #line 5 #line 5 allow hal_ir_server hal_ir_service:service_manager { add find }; #line 5 neverallow { domain -hal_ir_server } hal_ir_service:service_manager add; #line 5 #line 5 # On debug builds with root, allow binder services to use binder over TCP. #line 5 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 5 #line 5 #line 5 #line 5 #line 5 #line 6 # Call the server domain and optionally transfer references to it. #line 6 allow hal_ir_server servicemanager:binder { call transfer }; #line 6 # Allow the serverdomain to transfer references to the client on the reply. #line 6 allow servicemanager hal_ir_server:binder transfer; #line 6 # Receive and use open files from the server. 
#line 6 allow hal_ir_server servicemanager:fd use; #line 6 #line 8 allow hal_ir_client hal_ir_hwservice:hwservice_manager find; #line 8 #line 8 allow hal_ir_server hal_ir_hwservice:hwservice_manager { add find }; #line 8 allow hal_ir_server hidl_base_hwservice:hwservice_manager add; #line 8 neverallow { domain -hal_ir_server } hal_ir_hwservice:hwservice_manager add; #line 8 #line 8 #line 8 #line 8 #line 1 "system/sepolicy/public/hal_ivn.te" # HwBinder IPC from client to server, and callbacks #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_ivn_client hal_ivn_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_ivn_server hal_ivn_client:binder transfer; #line 2 # Receive and use open files from the server. #line 2 allow hal_ivn_client hal_ivn_server:fd use; #line 2 #line 4 allow hal_ivn_client hal_ivn_service:service_manager find; #line 4 #line 4 allow hal_ivn_server hal_ivn_service:service_manager { add find }; #line 4 neverallow { domain -hal_ivn_server } hal_ivn_service:service_manager add; #line 4 #line 4 # On debug builds with root, allow binder services to use binder over TCP. #line 4 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 4 #line 4 #line 4 #line 4 #line 1 "system/sepolicy/public/hal_keymaster.te" # HwBinder IPC from client to server #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_keymaster_client hal_keymaster_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_keymaster_server hal_keymaster_client:binder transfer; #line 2 # Receive and use open files from the server. 
#line 2
allow hal_keymaster_client hal_keymaster_server:fd use;
#line 2
#line 4
allow hal_keymaster_client hal_keymaster_hwservice:hwservice_manager find;
#line 4
#line 4
allow hal_keymaster_server hal_keymaster_hwservice:hwservice_manager { add find };
#line 4
allow hal_keymaster_server hidl_base_hwservice:hwservice_manager add;
#line 4
# Only the Keymaster server domain may register the Keymaster hwservice.
neverallow { domain -hal_keymaster_server } hal_keymaster_hwservice:hwservice_manager add;
#line 4
#line 4
#line 4
#line 4
# TEE access for Keymaster.  The subject here is the hal_keymaster attribute,
# not hal_keymaster_server, so every domain carrying that attribute gets
# read/write (including ioctl) on tee_device.  ion_device is read-only.
allow hal_keymaster tee_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_keymaster ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
#line 1 "system/sepolicy/public/hal_keymint.te"
#line 1
# Call the server domain and optionally transfer references to it.
#line 1
allow hal_keymint_client hal_keymint_server:binder { call transfer };
#line 1
# Allow the serverdomain to transfer references to the client on the reply.
#line 1
allow hal_keymint_server hal_keymint_client:binder transfer;
#line 1
# Receive and use open files from the server.
#line 1
allow hal_keymint_client hal_keymint_server:fd use;
#line 1
#line 3
# KeyMint AIDL service: clients may look it up, only the server may register it.
allow hal_keymint_client hal_keymint_service:service_manager find;
#line 3
#line 3
allow hal_keymint_server hal_keymint_service:service_manager { add find };
#line 3
neverallow { domain -hal_keymint_server } hal_keymint_service:service_manager add;
#line 3
#line 3
# On debug builds with root, allow binder services to use binder over TCP.
#line 3
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# (The rule described by the two comments above is not present in this
# expansion; the guarded block is empty on this build.)
#line 3
#line 3
#line 3
#line 3
#line 3
#line 4
# Second AIDL service exported by the same server: the remotely provisioned
# component (RKP).  Same find/add split and the same neverallow on `add`.
allow hal_keymint_client hal_remotelyprovisionedcomponent_service:service_manager find;
#line 4
#line 4
allow hal_keymint_server hal_remotelyprovisionedcomponent_service:service_manager { add find };
#line 4
neverallow { domain -hal_keymint_server } hal_remotelyprovisionedcomponent_service:service_manager add;
#line 4
#line 4
# On debug builds with root, allow binder services to use binder over TCP.
#line 4
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# (Guarded block is empty in this expansion, as above.)
#line 4
#line 4
#line 4
#line 4
#line 4
#line 5
# Call the server domain and optionally transfer references to it.
#line 5
allow hal_keymint_server servicemanager:binder { call transfer };
#line 5
# Allow the serverdomain to transfer references to the client on the reply.
#line 5
allow servicemanager hal_keymint_server:binder transfer;
#line 5
# Receive and use open files from the server.
#line 5
allow hal_keymint_server servicemanager:fd use;
#line 5
# TEE access for KeyMint.  Unlike the Keymaster rule above this is scoped to
# hal_keymint_server only (not the hal_keymint attribute).  tee_device is
# read/write; ion_device is read-only.
allow hal_keymint_server tee_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_keymint_server ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
#line 1 "system/sepolicy/public/hal_light.te"
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_light_client hal_light_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_light_server hal_light_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_light_client hal_light_server:fd use;
#line 2
#line 3
# Reverse direction (callbacks): the server may call into the client.
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_light_server hal_light_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3 allow hal_light_client hal_light_server:binder transfer; #line 3 # Receive and use open files from the server. #line 3 allow hal_light_server hal_light_client:fd use; #line 3 #line 5 allow hal_light_client hal_light_hwservice:hwservice_manager find; #line 5 #line 5 allow hal_light_server hal_light_hwservice:hwservice_manager { add find }; #line 5 allow hal_light_server hidl_base_hwservice:hwservice_manager add; #line 5 neverallow { domain -hal_light_server } hal_light_hwservice:hwservice_manager add; #line 5 #line 5 #line 5 #line 5 #line 6 allow hal_light_client hal_light_service:service_manager find; #line 6 #line 6 allow hal_light_server hal_light_service:service_manager { add find }; #line 6 neverallow { domain -hal_light_server } hal_light_service:service_manager add; #line 6 #line 6 # On debug builds with root, allow binder services to use binder over TCP. #line 6 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 6 #line 6 #line 6 #line 6 #line 6 #line 8 # Call the server domain and optionally transfer references to it. #line 8 allow hal_light_server servicemanager:binder { call transfer }; #line 8 # Allow the serverdomain to transfer references to the client on the reply. #line 8 allow servicemanager hal_light_server:binder transfer; #line 8 # Receive and use open files from the server. #line 8 allow hal_light_server servicemanager:fd use; #line 8 #line 9 # Call the servicemanager and transfer references to it. #line 9 allow hal_light_client servicemanager:binder { call transfer }; #line 9 # Allow servicemanager to send out callbacks #line 9 allow servicemanager hal_light_client:binder { call transfer }; #line 9 # servicemanager performs getpidcon on clients. 
#line 9 allow servicemanager hal_light_client:dir search; #line 9 allow servicemanager hal_light_client:file { read open }; #line 9 allow servicemanager hal_light_client:process getattr; #line 9 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 9 # all domains in domain.te. #line 9 allow hal_light_server dumpstate:fifo_file write; allow hal_light sysfs_leds:lnk_file read; allow hal_light sysfs_leds:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow hal_light sysfs_leds:dir { open getattr read search ioctl lock watch watch_reads }; #line 1 "system/sepolicy/public/hal_lowpan.te" # HwBinder IPC from client to server, and callbacks #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_lowpan_client hal_lowpan_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_lowpan_server hal_lowpan_client:binder transfer; #line 2 # Receive and use open files from the server. #line 2 allow hal_lowpan_client hal_lowpan_server:fd use; #line 2 #line 3 # Call the server domain and optionally transfer references to it. #line 3 allow hal_lowpan_server hal_lowpan_client:binder { call transfer }; #line 3 # Allow the serverdomain to transfer references to the client on the reply. #line 3 allow hal_lowpan_client hal_lowpan_server:binder transfer; #line 3 # Receive and use open files from the server. 
#line 3
allow hal_lowpan_server hal_lowpan_client:fd use;
#line 3
# Allow hal_lowpan_client to be able to find the hal_lowpan_server
#line 7
allow hal_lowpan_client hal_lowpan_hwservice:hwservice_manager find;
#line 7
#line 7
allow hal_lowpan_server hal_lowpan_hwservice:hwservice_manager { add find };
#line 7
allow hal_lowpan_server hidl_base_hwservice:hwservice_manager add;
#line 7
# Only the LoWPAN server domain may register the LoWPAN hwservice.
neverallow { domain -hal_lowpan_server } hal_lowpan_hwservice:hwservice_manager add;
#line 7
#line 7
#line 7
#line 7
# hal_lowpan domain can write/read to/from lowpan_prop
# Setting a property means talking to init's property service: write to the
# property socket, connect to init's stream socket, then `set` on the
# lowpan_prop context.  The final rule is the read side (the property's
# backing file).  All four are granted to hal_lowpan_server only.
#line 10
#line 10
allow hal_lowpan_server property_socket:sock_file write;
#line 10
allow hal_lowpan_server init:unix_stream_socket connectto;
#line 10
#line 10
allow hal_lowpan_server lowpan_prop:property_service set;
#line 10
#line 10
allow hal_lowpan_server lowpan_prop:file { getattr open read map };
#line 10
#line 10
# Allow hal_lowpan_server to open lowpan_devices
# Read/write including ioctl on the LoWPAN character device.
allow hal_lowpan_server lowpan_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
###
### neverallow rules
###
# Only LoWPAN HAL may directly access LoWPAN hardware
# `~getattr` denies every chr_file permission except getattr to all domains
# other than the server, init and ueventd (the latter two presumably need the
# carve-out for device-node setup -- TODO confirm).
neverallow { domain -hal_lowpan_server -init -ueventd } lowpan_device:chr_file ~getattr;
#line 1 "system/sepolicy/public/hal_macsec.te"
# Binder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_macsec_client hal_macsec_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_macsec_server hal_macsec_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_macsec_client hal_macsec_server:fd use;
#line 2
#line 3
# Reverse direction (callbacks): the server may call into the client.
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_macsec_server hal_macsec_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3 allow hal_macsec_client hal_macsec_server:binder transfer; #line 3 # Receive and use open files from the server. #line 3 allow hal_macsec_server hal_macsec_client:fd use; #line 3 #line 5 allow hal_macsec_client hal_macsec_service:service_manager find; #line 5 #line 5 allow hal_macsec_server hal_macsec_service:service_manager { add find }; #line 5 neverallow { domain -hal_macsec_server } hal_macsec_service:service_manager add; #line 5 #line 5 # On debug builds with root, allow binder services to use binder over TCP. #line 5 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 5 #line 5 #line 5 #line 5 #line 5 #line 7 # Call the servicemanager and transfer references to it. #line 7 allow hal_macsec_server servicemanager:binder { call transfer }; #line 7 # Allow servicemanager to send out callbacks #line 7 allow servicemanager hal_macsec_server:binder { call transfer }; #line 7 # servicemanager performs getpidcon on clients. #line 7 allow servicemanager hal_macsec_server:dir search; #line 7 allow servicemanager hal_macsec_server:file { read open }; #line 7 allow servicemanager hal_macsec_server:process getattr; #line 7 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 7 # all domains in domain.te. #line 7 #line 1 "system/sepolicy/public/hal_memtrack.te" # HwBinder IPC from client to server #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_memtrack_client hal_memtrack_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_memtrack_server hal_memtrack_client:binder transfer; #line 2 # Receive and use open files from the server. 
#line 2 allow hal_memtrack_client hal_memtrack_server:fd use; #line 2 #line 4 allow hal_memtrack_client hal_memtrack_hwservice:hwservice_manager find; #line 4 #line 4 allow hal_memtrack_server hal_memtrack_hwservice:hwservice_manager { add find }; #line 4 allow hal_memtrack_server hidl_base_hwservice:hwservice_manager add; #line 4 neverallow { domain -hal_memtrack_server } hal_memtrack_hwservice:hwservice_manager add; #line 4 #line 4 #line 4 #line 4 #line 6 allow hal_memtrack_client hal_memtrack_service:service_manager find; #line 6 #line 6 allow hal_memtrack_server hal_memtrack_service:service_manager { add find }; #line 6 neverallow { domain -hal_memtrack_server } hal_memtrack_service:service_manager add; #line 6 #line 6 # On debug builds with root, allow binder services to use binder over TCP. #line 6 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 6 #line 6 #line 6 #line 6 #line 6 #line 7 # Call the server domain and optionally transfer references to it. #line 7 allow hal_memtrack_server servicemanager:binder { call transfer }; #line 7 # Allow the serverdomain to transfer references to the client on the reply. #line 7 allow servicemanager hal_memtrack_server:binder transfer; #line 7 # Receive and use open files from the server. #line 7 allow hal_memtrack_server servicemanager:fd use; #line 7 #line 1 "system/sepolicy/public/hal_neuralnetworks.te" # HwBinder IPC from client to server, and callbacks #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_neuralnetworks_client hal_neuralnetworks_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_neuralnetworks_server hal_neuralnetworks_client:binder transfer; #line 2 # Receive and use open files from the server. 
#line 2
allow hal_neuralnetworks_client hal_neuralnetworks_server:fd use;
#line 2
#line 3
# Reverse direction (callbacks): the server may call into the client.
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_neuralnetworks_server hal_neuralnetworks_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_neuralnetworks_client hal_neuralnetworks_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_neuralnetworks_server hal_neuralnetworks_client:fd use;
#line 3
#line 5
# HIDL hwservice: clients may find it, only the server may register it.
allow hal_neuralnetworks_client hal_neuralnetworks_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_neuralnetworks_server hal_neuralnetworks_hwservice:hwservice_manager { add find };
#line 5
allow hal_neuralnetworks_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_neuralnetworks_server } hal_neuralnetworks_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
# Shared-memory and graphics-buffer plumbing.  These rules are on the
# hal_neuralnetworks attribute, so they apply to every domain carrying it,
# not just the binderized server.  gpu_device is read/write (incl. ioctl).
allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find;
allow hal_neuralnetworks hal_allocator:fd use;
allow hal_neuralnetworks hal_graphics_mapper_hwservice:hwservice_manager find;
allow hal_neuralnetworks hal_graphics_allocator:fd use;
allow hal_neuralnetworks gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_neuralnetworks gpu_device:dir { open getattr read search ioctl lock watch watch_reads };
# Allow NN HAL service to use a client-provided fd residing in /data/data/.
# The permission set deliberately omits `open`: the server can only operate
# on descriptors it already holds (handed over binder via the fd:use rules
# above), it cannot open app data files by path itself.  `write` is granted.
allow hal_neuralnetworks_server app_data_file:file { read write getattr map };
allow hal_neuralnetworks_server privapp_data_file:file { read write getattr map };
# Allow NN HAL service to use a client-provided fd residing in /data/local/tmp/.
# Same shape: read/write/map on an inherited fd, no `open`.
allow hal_neuralnetworks_server shell_data_file:file { read write getattr map };
# Allow NN HAL service to read a client-provided ION memory fd.
# Read-only set on the ION device node (this one does include `open`).
allow hal_neuralnetworks_server ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# Allow NN HAL service to use a client-provided fd residing in /storage
# Read-only, and again without `open`.
allow hal_neuralnetworks_server storage_file:file { getattr map read };
# Allow NN HAL service to read a client-provided fd residing in /data/app/.
# Read-only, without `open`.
allow hal_neuralnetworks_server apk_data_file:file { getattr map read };
# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
# property to determine whether to deny NNAPI extensions use for apps
# on product partition (apps in GSI are not allowed to use NNAPI extensions).
#line 32
allow hal_neuralnetworks_client nnapi_ext_deny_product_prop:file { getattr open read map };
#line 32
# NOTE(review): the bare ';' below survives from the macro invocation in the
# original source; it is an artifact of the preprocessed text, not a rule.
;
# Allow NN HAL client to read device_config_nnapi_native_prop.
#line 35
allow hal_neuralnetworks_client device_config_nnapi_native_prop:file { getattr open read map };
#line 35
# This property is only expected to be found in /product/build.prop,
# allow to be set only by init.
neverallow { domain -init } nnapi_ext_deny_product_prop:property_service set;
# Define sepolicy for NN AIDL HAL service
# AIDL service: clients may find it, only the server may register it.
#line 42
allow hal_neuralnetworks_client hal_neuralnetworks_service:service_manager find;
#line 42
#line 42
allow hal_neuralnetworks_server hal_neuralnetworks_service:service_manager { add find };
#line 42
neverallow { domain -hal_neuralnetworks_server } hal_neuralnetworks_service:service_manager add;
#line 42
#line 42
# On debug builds with root, allow binder services to use binder over TCP.
#line 42
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# (The rule described by the two comments above is not present in this
# expansion; the guarded block is empty on this build.)
#line 42
#line 42
#line 42
#line 42
#line 42
#line 43
# Call the server domain and optionally transfer references to it.
#line 43
allow hal_neuralnetworks_server servicemanager:binder { call transfer };
#line 43
# Allow the serverdomain to transfer references to the client on the reply.
#line 43
allow servicemanager hal_neuralnetworks_server:binder transfer;
#line 43
# Receive and use open files from the server.
#line 43
allow hal_neuralnetworks_server servicemanager:fd use;
#line 43
#line 45
# The next group repeats the servicemanager binder rules already granted
# above (duplicate allow rules are harmless in policy).
# Call the servicemanager and transfer references to it.
#line 45
allow hal_neuralnetworks_server servicemanager:binder { call transfer };
#line 45
# Allow servicemanager to send out callbacks
#line 45
allow servicemanager hal_neuralnetworks_server:binder { call transfer };
#line 45
# servicemanager performs getpidcon on clients.
#line 45
allow servicemanager hal_neuralnetworks_server:dir search;
#line 45
allow servicemanager hal_neuralnetworks_server:file { read open };
#line 45
allow servicemanager hal_neuralnetworks_server:process getattr;
#line 45
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 45
# all domains in domain.te.
#line 45
# Let dumpstate collect the HAL's dump output through its pipe.
allow hal_neuralnetworks_server dumpstate:fifo_file write;
#line 1 "system/sepolicy/public/hal_neverallows.te"
# only HALs responsible for network hardware should have privileged
# network capabilities
# Every HAL server domain not carved out below is denied CAP_NET_ADMIN and
# CAP_NET_RAW, both in the init user namespace (capability) and in
# non-init user namespaces (cap_userns).
# Note: hal_uwb_vendor_server is carved out here but is denied net_raw again
# further down, so in practice it may hold net_admin only.
neverallow {
  halserverdomain
  -hal_bluetooth_server
  -hal_can_controller_server
  -hal_wifi_server
  -hal_wifi_hostapd_server
  -hal_wifi_supplicant_server
  -hal_telephony_server
  -hal_uwb_server
  # TODO(b/196225233): Remove hal_uwb_vendor_server
  -hal_uwb_vendor_server
  -hal_nlinterceptor_server
  -hal_tv_tuner_server
} self:{ capability cap_userns } { net_admin net_raw };
# Unless a HAL's job is to communicate over the network, or control network
# hardware, it should not be using network sockets.
# NOTE: HALs for automotive devices have an exemption from this rule because in
# a car it is common to have external modules and HALs need to communicate to
# those modules using network. Using this exemption for non-automotive builds
# will result in CTS failure.
# `domain:{ udp_socket rawip_socket } *` denies every permission on UDP and
# raw-IP sockets of any domain.  The exemption list below is deliberately
# wider than the tcp_socket rule that follows: both UWB server domains are
# exempted here (UDP sockets are needed for interface ioctls, see the
# comment further down) but not for TCP.
neverallow {
  halserverdomain
  -hal_automotive_socket_exemption
  -hal_can_controller_server
  -hal_tetheroffload_server
  -hal_wifi_server
  -hal_wifi_hostapd_server
  -hal_wifi_supplicant_server
  -hal_telephony_server
  -hal_uwb_server
  # TODO(b/196225233): Remove hal_uwb_vendor_server
  -hal_uwb_vendor_server
  -hal_nlinterceptor_server
  -hal_bluetooth_server
  -hal_tv_tuner_server
} domain:{ udp_socket rawip_socket } *;
# TCP: same idea, but neither UWB domain is exempted.
neverallow {
  halserverdomain
  -hal_automotive_socket_exemption
  -hal_can_controller_server
  -hal_tetheroffload_server
  -hal_wifi_server
  -hal_wifi_hostapd_server
  -hal_wifi_supplicant_server
  -hal_telephony_server
  -hal_nlinterceptor_server
  -hal_bluetooth_server
  -hal_tv_tuner_server
} { domain }:tcp_socket *;
# The UWB HAL is not actually a networking HAL but may need to bring up and down
# interfaces. Restrict it to only these networking operations.
# (Combined with the capability carve-out above this leaves the vendor UWB
# server with net_admin but not net_raw.)
neverallow hal_uwb_vendor_server self:{ capability cap_userns } { net_raw };
# Subset of socket_class_set likely to be usable for communication or accessible through net_admin.
# udp_socket is required to use interface ioctls.
# tcp_socket is already covered by the tcp_socket rule above.
# NOTE(review): the list also leaves out netlink_generic_socket, the
# unix_{stream,dgram}_socket classes and the sctp/icmp/dccp socket classes;
# confirm those omissions are intended rather than accidental.
neverallow hal_uwb_vendor_server domain:{
  socket
  rawip_socket
  netlink_socket
  packet_socket
  key_socket
  netlink_route_socket
  netlink_tcpdiag_socket
  netlink_nflog_socket
  netlink_xfrm_socket
  netlink_selinux_socket
  netlink_audit_socket
  netlink_dnrt_socket
  netlink_kobject_uevent_socket
  tun_socket
  netlink_iscsi_socket
  netlink_fib_lookup_socket
  netlink_connector_socket
  netlink_netfilter_socket
  netlink_scsitransport_socket
  netlink_rdma_socket
  netlink_crypto_socket
  qipcrtr_socket
  xdp_socket
} *;
###
# HALs are defined as an attribute and so a given domain could hypothetically
# have multiple HALs in it (or even all of them) with the subsequent policy of
# the domain comprised of the union of all the HALs.
#
# This is a problem because
# 1) Security sensitive components should only be accessed by specific HALs.
# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
# the platform.
# 3) The platform cannot reason about defense in depth if there are
# monolithic domains etc.
#
# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
# it's OK for them to share a process it's not OK with them to share processes
# with other hals.
#
# The following neverallow rules, in conjunction with CTS tests, assert that
# these security principles are adhered to.
#
# Do not allow a hal to exec another process without a domain transition.
# execute_no_trans is "execute this file and stay in the caller's domain".
# The shell_exec / toolbox_exec carve-outs in the object set mean a HAL
# server may still run /system/bin/sh and toolbox-labelled binaries in its
# own domain; hal_dumpstate_server and hal_telephony_server are exempt from
# the rule entirely.
# TODO remove exemptions.
neverallow {
  halserverdomain
  -hal_dumpstate_server
  -hal_telephony_server
} {
  file_type
  fs_type
  # May invoke shell commands via /system/bin/sh
  -shell_exec
  -toolbox_exec
}:file execute_no_trans;
# Do not allow a process other than init to transition into a HAL domain.
neverallow { domain -init } halserverdomain:process transition;
# Only allow transitioning to a domain by running its executable. Do not
# allow transitioning into a HAL domain by use of seclabel in an
# init.*.rc script.
neverallow * halserverdomain:process dyntransition;
#line 1 "system/sepolicy/public/hal_nfc.te"
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_nfc_client hal_nfc_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_nfc_server hal_nfc_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_nfc_client hal_nfc_server:fd use;
#line 2
#line 3
# Reverse direction (callbacks): the server may call into the client.
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_nfc_server hal_nfc_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3 allow hal_nfc_server hal_nfc_client:fd use; #line 3 #line 4 # Call the server domain and optionally transfer references to it. #line 4 allow hal_nfc_server servicemanager:binder { call transfer }; #line 4 # Allow the serverdomain to transfer references to the client on the reply. #line 4 allow servicemanager hal_nfc_server:binder transfer; #line 4 # Receive and use open files from the server. #line 4 allow hal_nfc_server servicemanager:fd use; #line 4 #line 6 allow hal_nfc_client hal_nfc_hwservice:hwservice_manager find; #line 6 #line 6 allow hal_nfc_server hal_nfc_hwservice:hwservice_manager { add find }; #line 6 allow hal_nfc_server hidl_base_hwservice:hwservice_manager add; #line 6 neverallow { domain -hal_nfc_server } hal_nfc_hwservice:hwservice_manager add; #line 6 #line 6 #line 6 #line 6 #line 7 allow hal_nfc_client hal_nfc_service:service_manager find; #line 7 #line 7 allow hal_nfc_server hal_nfc_service:service_manager { add find }; #line 7 neverallow { domain -hal_nfc_server } hal_nfc_service:service_manager add; #line 7 #line 7 # On debug builds with root, allow binder services to use binder over TCP. #line 7 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 7 #line 7 #line 7 #line 7 #line 7 # Set NFC properties (used by bcm2079x HAL). #line 10 #line 10 allow hal_nfc property_socket:sock_file write; #line 10 allow hal_nfc init:unix_stream_socket connectto; #line 10 #line 10 allow hal_nfc nfc_prop:property_service set; #line 10 #line 10 allow hal_nfc nfc_prop:file { getattr open read map }; #line 10 #line 10 # NFC device access. allow hal_nfc nfc_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; #line 1 "system/sepolicy/public/hal_nlinterceptor.te" #line 1 # Call the server domain and optionally transfer references to it. 
#line 1 allow hal_nlinterceptor_client hal_nlinterceptor_server:binder { call transfer }; #line 1 # Allow the serverdomain to transfer references to the client on the reply. #line 1 allow hal_nlinterceptor_server hal_nlinterceptor_client:binder transfer; #line 1 # Receive and use open files from the server. #line 1 allow hal_nlinterceptor_client hal_nlinterceptor_server:fd use; #line 1 #line 3 allow hal_nlinterceptor_client hal_nlinterceptor_service:service_manager find; #line 3 #line 3 allow hal_nlinterceptor_server hal_nlinterceptor_service:service_manager { add find }; #line 3 neverallow { domain -hal_nlinterceptor_server } hal_nlinterceptor_service:service_manager add; #line 3 #line 3 # On debug builds with root, allow binder services to use binder over TCP. #line 3 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 3 #line 3 #line 3 #line 3 #line 3 #line 4 # Call the server domain and optionally transfer references to it. #line 4 allow hal_nlinterceptor servicemanager:binder { call transfer }; #line 4 # Allow the serverdomain to transfer references to the client on the reply. #line 4 allow servicemanager hal_nlinterceptor:binder transfer; #line 4 # Receive and use open files from the server. #line 4 allow hal_nlinterceptor servicemanager:fd use; #line 4 allow hal_nlinterceptor self:{ capability cap_userns } net_admin; allow hal_nlinterceptor self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } }; allow hal_nlinterceptor self:netlink_route_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_readpriv nlmsg_write }; #line 1 "system/sepolicy/public/hal_oemlock.te" # HwBinder IPC from client to server #line 2 # Call the server domain and optionally transfer references to it. 
# hal_oemlock.te: client/server binder IPC, HIDL hwservice and AIDL service
# registration, servicemanager IPC for the server. No device or file access
# is granted here; whatever backs the OEM lock state is outside this file.
#line 2
allow hal_oemlock_client hal_oemlock_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_oemlock_server hal_oemlock_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_oemlock_client hal_oemlock_server:fd use;
#line 2
#line 4
# HIDL hwservice: find for clients, add restricted to the server domain.
allow hal_oemlock_client hal_oemlock_hwservice:hwservice_manager find;
#line 4
#line 4
allow hal_oemlock_server hal_oemlock_hwservice:hwservice_manager { add find };
#line 4
allow hal_oemlock_server hidl_base_hwservice:hwservice_manager add;
#line 4
neverallow { domain -hal_oemlock_server } hal_oemlock_hwservice:hwservice_manager add;
#line 4
#line 4
#line 4
#line 4
#line 5
# AIDL service: same split and the same registration neverallow.
allow hal_oemlock_client hal_oemlock_service:service_manager find;
#line 5
#line 5
allow hal_oemlock_server hal_oemlock_service:service_manager { add find };
#line 5
neverallow { domain -hal_oemlock_server } hal_oemlock_service:service_manager add;
#line 5
#line 5
# On debug builds with root, allow binder services to use binder over TCP.
#line 5
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 5
#line 5
#line 5
#line 5
#line 5
#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow hal_oemlock_server servicemanager:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow servicemanager hal_oemlock_server:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow hal_oemlock_server servicemanager:fd use;
#line 7
#line 1 "system/sepolicy/public/hal_omx.te"
# applies all permissions to hal_omx NOT hal_omx_server
# since OMX must always be in its own process.
#line 4
# Binder in both directions with every binder service domain.
# Call the server domain and optionally transfer references to it.
#line 4
allow hal_omx_server binderservicedomain:binder { call transfer };
#line 4
# Allow the serverdomain to transfer references to the client on the reply.
# hal_omx.te (continued): binder/fd exchange with binder services and apps,
# device and fd access needed for codec buffers, crash/ANR reporting plumbing.
#line 4
allow binderservicedomain hal_omx_server:binder transfer;
#line 4
# Receive and use open files from the server.
#line 4
allow hal_omx_server binderservicedomain:fd use;
#line 4
#line 5
# NOTE(review): direct binder + fd use with every non-isolated app. This is
# the untrusted-input boundary of the codec process; isolated_app is
# deliberately excluded from it.
# Call the server domain and optionally transfer references to it.
#line 5
allow hal_omx_server { appdomain -isolated_app }:binder { call transfer };
#line 5
# Allow the serverdomain to transfer references to the client on the reply.
#line 5
allow { appdomain -isolated_app } hal_omx_server:binder transfer;
#line 5
# Receive and use open files from the server.
#line 5
allow hal_omx_server { appdomain -isolated_app }:fd use;
#line 5
# Allow hal_omx_server access to composer sync fences
allow hal_omx_server hal_graphics_composer:fd use;
# Read/write (incl. ioctl) on the ION device node; fds from the camera HAL.
allow hal_omx_server ion_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_omx_server hal_camera:fd use;
#line 13
#line 13
# Crash and ANR reporting: append-only to the ANR/tombstone files, fifo
# writes to dumpstate/incidentd/system_server, and the tombstoned socket.
# These are the only write grants to system-owned files in this section.
allow hal_omx_server anr_data_file:file append;
#line 13
allow hal_omx_server dumpstate:fd use;
#line 13
allow hal_omx_server incidentd:fd use;
#line 13
# TODO: Figure out why write is needed.
#line 13
allow hal_omx_server dumpstate:fifo_file { append write };
#line 13
allow hal_omx_server incidentd:fifo_file { append write };
#line 13
allow hal_omx_server system_server:fifo_file { append write };
#line 13
allow hal_omx_server tombstoned:unix_stream_socket connectto;
#line 13
allow hal_omx_server tombstoned:fd use;
#line 13
allow hal_omx_server tombstoned_crash_socket:sock_file write;
#line 13
allow hal_omx_server tombstone_data_file:file append;
#line 13
# Receive gralloc buffer FDs from bufferhubd. Note that hal_omx_server never
# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
# via PDX. Thus, there is no need to use pdx_client macro.
# hal_omx.te (continued): bufferhubd fds, hwservice registration, media
# variant property, client<->server binder both ways, and the first of the
# sandboxing neverallows.
allow hal_omx_server bufferhubd:fd use;
#line 21
# HIDL hwservice: clients find, only hal_omx_server may add.
allow hal_omx_client hal_omx_hwservice:hwservice_manager find;
#line 21
#line 21
allow hal_omx_server hal_omx_hwservice:hwservice_manager { add find };
#line 21
allow hal_omx_server hidl_base_hwservice:hwservice_manager add;
#line 21
neverallow { domain -hal_omx_server } hal_omx_hwservice:hwservice_manager add;
#line 21
#line 21
#line 21
#line 21
allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
#line 25
# Read-only property access for both client and server.
allow hal_omx_client media_variant_prop:file { getattr open read map };
#line 25
#line 26
allow hal_omx_server media_variant_prop:file { getattr open read map };
#line 26
#line 28
# Call the server domain and optionally transfer references to it.
#line 28
allow hal_omx_client hal_omx_server:binder { call transfer };
#line 28
# Allow the serverdomain to transfer references to the client on the reply.
#line 28
allow hal_omx_server hal_omx_client:binder transfer;
#line 28
# Receive and use open files from the server.
#line 28
allow hal_omx_client hal_omx_server:fd use;
#line 28
#line 29
# Reverse direction (server calling back into the client).
# Call the server domain and optionally transfer references to it.
#line 29
allow hal_omx_server hal_omx_client:binder { call transfer };
#line 29
# Allow the serverdomain to transfer references to the client on the reply.
#line 29
allow hal_omx_client hal_omx_server:binder transfer;
#line 29
# Receive and use open files from the server.
#line 29
allow hal_omx_server hal_omx_client:fd use;
#line 29
###
### neverallow rules
###
# hal_omx_server should never execute any executable without a
# domain transition
# Denies execute_no_trans on every file and filesystem type: no binary may
# run inside the codec domain itself, so a compromised codec cannot launch
# helpers that inherit its permissions.
neverallow hal_omx_server { file_type fs_type }:file execute_no_trans;
# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
# Network isolation: sockets are labeled with the creating process domain,
# and `domain` covers every process type, so these deny hal_omx_server any
# permission on any udp/rawip/tcp socket in the system, including its own.
neverallow hal_omx_server domain:{ udp_socket rawip_socket } *;
neverallow hal_omx_server { domain }:tcp_socket *;
#line 1 "system/sepolicy/public/hal_power.te"
# hal_power.te: binder IPC in both directions, HIDL/AIDL registration.
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_power_client hal_power_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_power_server hal_power_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_power_client hal_power_server:fd use;
#line 2
#line 3
# Callback direction (server -> client).
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_power_server hal_power_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_power_client hal_power_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_power_server hal_power_client:fd use;
#line 3
#line 5
# HIDL hwservice: find for clients, add only from the server domain.
allow hal_power_client hal_power_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_power_server hal_power_hwservice:hwservice_manager { add find };
#line 5
allow hal_power_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_power_server } hal_power_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
# AIDL service: same split, same registration neverallow.
allow hal_power_client hal_power_service:service_manager find;
#line 6
#line 6
allow hal_power_server hal_power_service:service_manager { add find };
#line 6
neverallow { domain -hal_power_server } hal_power_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
# hal_power.te (continued): servicemanager IPC for server and client.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
#line 6
#line 6
#line 6
#line 6
#line 8
# Call the server domain and optionally transfer references to it.
#line 8
allow hal_power_server servicemanager:binder { call transfer };
#line 8
# Allow the serverdomain to transfer references to the client on the reply.
#line 8
allow servicemanager hal_power_server:binder transfer;
#line 8
# Receive and use open files from the server.
#line 8
allow hal_power_server servicemanager:fd use;
#line 8
#line 9
# Call the server domain and optionally transfer references to it.
#line 9
allow hal_power_client servicemanager:binder { call transfer };
#line 9
# Allow the serverdomain to transfer references to the client on the reply.
#line 9
allow servicemanager hal_power_client:binder transfer;
#line 9
# Receive and use open files from the server.
#line 9
allow hal_power_client servicemanager:fd use;
#line 9
#line 1 "system/sepolicy/public/hal_power_stats.te"
# hal_power_stats.te: same shape as hal_power above - binder both ways,
# HIDL/AIDL registration, servicemanager IPC. No file or device grants.
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_power_stats_client hal_power_stats_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_power_stats_server hal_power_stats_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_power_stats_client hal_power_stats_server:fd use;
#line 2
#line 3
# Callback direction (server -> client).
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_power_stats_server hal_power_stats_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_power_stats_client hal_power_stats_server:binder transfer;
#line 3
# Receive and use open files from the server.
# hal_power_stats.te (continued): registration and servicemanager IPC.
#line 3
allow hal_power_stats_server hal_power_stats_client:fd use;
#line 3
#line 5
# HIDL hwservice: find for clients, add only from the server domain.
allow hal_power_stats_client hal_power_stats_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_power_stats_server hal_power_stats_hwservice:hwservice_manager { add find };
#line 5
allow hal_power_stats_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_power_stats_server } hal_power_stats_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
# AIDL service: same split, same registration neverallow.
allow hal_power_stats_client hal_power_stats_service:service_manager find;
#line 6
#line 6
allow hal_power_stats_server hal_power_stats_service:service_manager { add find };
#line 6
neverallow { domain -hal_power_stats_server } hal_power_stats_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
#line 6
#line 6
#line 6
#line 6
#line 8
# Call the server domain and optionally transfer references to it.
#line 8
allow hal_power_stats_server servicemanager:binder { call transfer };
#line 8
# Allow the serverdomain to transfer references to the client on the reply.
#line 8
allow servicemanager hal_power_stats_server:binder transfer;
#line 8
# Receive and use open files from the server.
#line 8
allow hal_power_stats_server servicemanager:fd use;
#line 8
#line 9
# Call the server domain and optionally transfer references to it.
#line 9
allow hal_power_stats_client servicemanager:binder { call transfer };
#line 9
# Allow the serverdomain to transfer references to the client on the reply.
#line 9
allow servicemanager hal_power_stats_client:binder transfer;
#line 9
# Receive and use open files from the server.
#line 9
allow hal_power_stats_client servicemanager:fd use;
#line 9
#line 1 "system/sepolicy/public/hal_rebootescrow.te"
# hal_rebootescrow.te: AIDL-only HAL (no hwservice rules). Binder from
# client to server, service registration, and servicemanager IPC.
# HwBinder IPC from client to server
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_rebootescrow_client hal_rebootescrow_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_rebootescrow_server hal_rebootescrow_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_rebootescrow_client hal_rebootescrow_server:fd use;
#line 2
#line 4
# Only hal_rebootescrow_server may register the service; clients find it.
allow hal_rebootescrow_client hal_rebootescrow_service:service_manager find;
#line 4
#line 4
allow hal_rebootescrow_server hal_rebootescrow_service:service_manager { add find };
#line 4
neverallow { domain -hal_rebootescrow_server } hal_rebootescrow_service:service_manager add;
#line 4
#line 4
# On debug builds with root, allow binder services to use binder over TCP.
#line 4
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 4
#line 4
#line 4
#line 4
#line 4
#line 6
# Call the servicemanager and transfer references to it.
#line 6
allow hal_rebootescrow_server servicemanager:binder { call transfer };
#line 6
# Allow servicemanager to send out callbacks
#line 6
allow servicemanager hal_rebootescrow_server:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
# (dir search + file read/open on the server's /proc entries, process getattr:
# this is how servicemanager reads the caller's security context.)
#line 6
allow servicemanager hal_rebootescrow_server:dir search;
#line 6
allow servicemanager hal_rebootescrow_server:file { read open };
#line 6
allow servicemanager hal_rebootescrow_server:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6
#line 1 "system/sepolicy/public/hal_remoteaccess.te"
# hal_remoteaccess.te: binder both ways and AIDL service registration.
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_remoteaccess_client hal_remoteaccess_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_remoteaccess_server hal_remoteaccess_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_remoteaccess_client hal_remoteaccess_server:fd use;
#line 2
#line 3
# Callback direction (server -> client).
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_remoteaccess_server hal_remoteaccess_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_remoteaccess_client hal_remoteaccess_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_remoteaccess_server hal_remoteaccess_client:fd use;
#line 3
#line 5
# Only hal_remoteaccess_server may register the service; clients find it.
allow hal_remoteaccess_client hal_remoteaccess_service:service_manager find;
#line 5
#line 5
allow hal_remoteaccess_server hal_remoteaccess_service:service_manager { add find };
#line 5
neverallow { domain -hal_remoteaccess_server } hal_remoteaccess_service:service_manager add;
#line 5
#line 5
# On debug builds with root, allow binder services to use binder over TCP.
#line 5
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 5
#line 5
#line 5
#line 5
#line 5
#line 1 "system/sepolicy/public/hal_remotelyprovisionedcomponent_avf.te"
# hal_remotelyprovisionedcomponent_avf.te: AIDL-only HAL. Binder from client
# to server, service registration, servicemanager IPC for the server.
# allow binder connection from client to server
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_remotelyprovisionedcomponent_avf_client hal_remotelyprovisionedcomponent_avf_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_remotelyprovisionedcomponent_avf_server hal_remotelyprovisionedcomponent_avf_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_remotelyprovisionedcomponent_avf_client hal_remotelyprovisionedcomponent_avf_server:fd use;
#line 2
# allow client to find the service, allow server to register the service
#line 5
allow hal_remotelyprovisionedcomponent_avf_client hal_remotelyprovisionedcomponent_avf_service:service_manager find;
#line 5
#line 5
allow hal_remotelyprovisionedcomponent_avf_server hal_remotelyprovisionedcomponent_avf_service:service_manager { add find };
#line 5
# Registration is restricted to the server domain for every other domain.
neverallow { domain -hal_remotelyprovisionedcomponent_avf_server } hal_remotelyprovisionedcomponent_avf_service:service_manager add;
#line 5
#line 5
# On debug builds with root, allow binder services to use binder over TCP.
#line 5
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 5
#line 5
#line 5
#line 5
#line 5
# allow binder communication from server to service_manager
#line 8
# Call the servicemanager and transfer references to it.
#line 8
allow hal_remotelyprovisionedcomponent_avf_server servicemanager:binder { call transfer };
#line 8
# Allow servicemanager to send out callbacks
#line 8
allow servicemanager hal_remotelyprovisionedcomponent_avf_server:binder { call transfer };
#line 8
# servicemanager performs getpidcon on clients.
#line 8
allow servicemanager hal_remotelyprovisionedcomponent_avf_server:dir search;
#line 8
allow servicemanager hal_remotelyprovisionedcomponent_avf_server:file { read open };
#line 8
allow servicemanager hal_remotelyprovisionedcomponent_avf_server:process getattr;
#line 8
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 8
# all domains in domain.te.
#line 8
#line 1 "system/sepolicy/public/hal_secretkeeper.te"
# Domains for the Secretkeeper HAL, which provides secure (tamper evident, rollback protected)
# storage of secrets guarded by DICE policies.
# This section: client->server binder, AIDL registration, servicemanager IPC
# for both server and client, and (further down) the TEE device node.
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_secretkeeper_client hal_secretkeeper_server:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_secretkeeper_server hal_secretkeeper_client:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_secretkeeper_client hal_secretkeeper_server:fd use;
#line 3
#line 5
# Only hal_secretkeeper_server may register the service; clients find it.
allow hal_secretkeeper_client hal_secretkeeper_service:service_manager find;
#line 5
#line 5
allow hal_secretkeeper_server hal_secretkeeper_service:service_manager { add find };
#line 5
neverallow { domain -hal_secretkeeper_server } hal_secretkeeper_service:service_manager add;
#line 5
#line 5
# On debug builds with root, allow binder services to use binder over TCP.
#line 5
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 5
#line 5
#line 5
#line 5
#line 5
#line 7
# Server side of servicemanager IPC.
# Call the servicemanager and transfer references to it.
#line 7
allow hal_secretkeeper_server servicemanager:binder { call transfer };
#line 7
# Allow servicemanager to send out callbacks
#line 7
allow servicemanager hal_secretkeeper_server:binder { call transfer };
#line 7
# servicemanager performs getpidcon on clients.
#line 7
allow servicemanager hal_secretkeeper_server:dir search;
#line 7
allow servicemanager hal_secretkeeper_server:file { read open };
#line 7
allow servicemanager hal_secretkeeper_server:process getattr;
#line 7
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 7
# all domains in domain.te.
#line 7
#line 8
# Client side of servicemanager IPC (same expansion, client domain).
# Call the servicemanager and transfer references to it.
#line 8
allow hal_secretkeeper_client servicemanager:binder { call transfer };
#line 8
# Allow servicemanager to send out callbacks
#line 8
allow servicemanager hal_secretkeeper_client:binder { call transfer };
#line 8
# servicemanager performs getpidcon on clients.
#line 8
allow servicemanager hal_secretkeeper_client:dir search;
#line 8
allow servicemanager hal_secretkeeper_client:file { read open };
#line 8
allow servicemanager hal_secretkeeper_client:process getattr;
#line 8
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 8
# all domains in domain.te.
#line 8
# The Secretkeeper HAL service needs to communicate with a trusted application running
# in the TEE, which is represented by the tee_device permission.
# Read + write (incl. ioctl) on the TEE device node. This is the only
# hardware grant in the Secretkeeper section and the path by which secrets
# reach the TEE; it is granted to the server domain only.
allow hal_secretkeeper_server tee_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 1 "system/sepolicy/public/hal_secure_element.te"
# hal_secure_element.te: binder both ways, HIDL/AIDL registration,
# servicemanager IPC for the server.
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_secure_element_client hal_secure_element_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_secure_element_server hal_secure_element_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_secure_element_client hal_secure_element_server:fd use;
#line 2
#line 3
# Callback direction (server -> client).
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_secure_element_server hal_secure_element_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_secure_element_client hal_secure_element_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_secure_element_server hal_secure_element_client:fd use;
#line 3
#line 5
# HIDL hwservice: find for clients, add only from the server domain.
allow hal_secure_element_client hal_secure_element_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_secure_element_server hal_secure_element_hwservice:hwservice_manager { add find };
#line 5
allow hal_secure_element_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_secure_element_server } hal_secure_element_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
# AIDL service: same split, same registration neverallow.
allow hal_secure_element_client hal_secure_element_service:service_manager find;
#line 6
#line 6
allow hal_secure_element_server hal_secure_element_service:service_manager { add find };
#line 6
neverallow { domain -hal_secure_element_server } hal_secure_element_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
#line 6
#line 6
#line 6
#line 6
#line 8
# Call the servicemanager and transfer references to it.
#line 8
allow hal_secure_element_server servicemanager:binder { call transfer };
#line 8
# Allow servicemanager to send out callbacks
#line 8
allow servicemanager hal_secure_element_server:binder { call transfer };
#line 8
# servicemanager performs getpidcon on clients.
#line 8
allow servicemanager hal_secure_element_server:dir search;
#line 8
allow servicemanager hal_secure_element_server:file { read open };
#line 8
allow servicemanager hal_secure_element_server:process getattr;
#line 8
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 8
# all domains in domain.te.
#line 8
# NOTE(review): duplicate of the client `find` rule expanded at line 6 above.
# Harmless (allow rules are idempotent) but redundant in the .te source.
allow hal_secure_element_client hal_secure_element_service:service_manager find;
#line 1 "system/sepolicy/public/hal_sensors.te"
# hal_sensors.te: client->server binder, HIDL/AIDL registration, fd sharing
# with apps and the allocator, real-time scheduling capability.
# HwBinder IPC from client to server
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_sensors_client hal_sensors_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_sensors_server hal_sensors_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_sensors_client hal_sensors_server:fd use;
#line 2
#line 4
# HIDL hwservice: find for clients, add only from the server domain.
allow hal_sensors_client hal_sensors_hwservice:hwservice_manager find;
#line 4
#line 4
allow hal_sensors_server hal_sensors_hwservice:hwservice_manager { add find };
#line 4
allow hal_sensors_server hidl_base_hwservice:hwservice_manager add;
#line 4
neverallow { domain -hal_sensors_server } hal_sensors_hwservice:hwservice_manager add;
#line 4
#line 4
#line 4
#line 4
# Allow sensor hals to access ashmem memory allocated by apps
# NOTE(review): fd use from every non-isolated app is an untrusted-input
# boundary for the sensor HAL; only the fd itself is shared, not binder.
allow hal_sensors { appdomain -isolated_app }:fd use;
# Allow sensor hals to access ashmem memory allocated by android.hidl.allocator
# fd is passed in from framework sensorservice HAL.
allow hal_sensors hal_allocator:fd use;
# allow to run with real-time scheduling policy
# sys_nice only; no other capability is granted to hal_sensors here.
allow hal_sensors self:{ capability cap_userns } sys_nice;
#line 16
# AIDL service registration (the matching client `find` is expanded at
# line 17, after the servicemanager rules).
allow hal_sensors_server hal_sensors_service:service_manager { add find };
#line 16
neverallow { domain -hal_sensors_server } hal_sensors_service:service_manager add;
#line 16
#line 16
# On debug builds with root, allow binder services to use binder over TCP.
#line 16
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 16
#line 16
#line 17
# Call the server domain and optionally transfer references to it.
#line 17
allow hal_sensors_server servicemanager:binder { call transfer };
#line 17
# Allow the serverdomain to transfer references to the client on the reply.
#line 17
allow servicemanager hal_sensors_server:binder transfer;
#line 17
# Receive and use open files from the server.
#line 17
allow hal_sensors_server servicemanager:fd use;
#line 17
allow hal_sensors_client hal_sensors_service:service_manager find;
#line 1 "system/sepolicy/public/hal_telephony.te"
# hal_telephony.te: binder both ways, HIDL/AIDL registration; the section
# continues past this chunk with the server's device, capability and
# netlink grants.
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_telephony_client hal_telephony_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_telephony_server hal_telephony_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_telephony_client hal_telephony_server:fd use;
#line 2
#line 3
# Callback direction (server -> client).
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_telephony_server hal_telephony_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_telephony_client hal_telephony_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_telephony_server hal_telephony_client:fd use;
#line 3
#line 5
# HIDL hwservice: find for clients, add only from the server domain.
allow hal_telephony_client hal_telephony_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_telephony_server hal_telephony_hwservice:hwservice_manager { add find };
#line 5
allow hal_telephony_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_telephony_server } hal_telephony_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
# AIDL service is registered under hal_radio_service, not a
# hal_telephony_service type; the find/add split and neverallow are the same.
allow hal_telephony_client hal_radio_service:service_manager find;
#line 6
#line 6
allow hal_telephony_server hal_radio_service:service_manager { add find };
#line 6
neverallow { domain -hal_telephony_server } hal_radio_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# hal_telephony.te (continued): the server's udp_socket ioctl allowlist,
# capabilities, cgroup/efs/device file access, property writes and netlink
# sockets. This is the most privileged section in this chunk.
#line 6
#line 6
#line 6
#line 6
#line 6
# allowxperm narrows the `ioctl` permission on the server's own UDP sockets
# to exactly the listed request numbers; any ioctl not in this set is denied
# even though ioctl itself is allowed elsewhere.
allowxperm hal_telephony_server self:udp_socket ioctl
#line 8
{
#line 8
# qualcomm rmnet ioctls
#line 8
0x00006900 0x00006902
#line 8
# socket ioctls
#line 8
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 8
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 8
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 8
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 8
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 8
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 8
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 8
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 8
0x00008991 0x00008992 0x00008993 0x00008994
#line 8
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 8
# device and protocol specific ioctls
#line 8
0x000089f0-0x000089ff
#line 8
0x000089e0-0x000089ef
#line 8
# Wireless extension ioctls
#line 8
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 8
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 8
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 8
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 8
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 8
0x00008b34 0x00008b35 0x00008b36
#line 8
# Dev private ioctl i.e. hardware specific ioctls
#line 8
0x00008be0-0x00008bff
#line 8
};
# Route-table writes plus a broad capability set. NOTE(review): setpcap,
# setgid and setuid let this domain change its own credentials; net_admin
# and net_raw give network configuration and raw packet access. These are
# the capabilities that make a compromise of the RIL process high-impact.
allow hal_telephony_server self:netlink_route_socket nlmsg_write;
allow hal_telephony_server self:{ capability cap_userns } { setpcap setgid setuid net_admin net_raw };
# Full create/rename/delete on cgroup and cgroup_v2 directories (the nested
# sets are the expanded read and write dir permission sets), read-only on
# the files beneath them.
allow hal_telephony_server cgroup:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow hal_telephony_server cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
allow hal_telephony_server cgroup_v2:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow hal_telephony_server cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
# Radio device nodes: read/write incl. ioctl on the character device,
# read-only on the block device.
allow hal_telephony_server radio_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_telephony_server radio_device:blk_file { getattr open read ioctl lock map watch watch_reads };
# efs_file: create, rename, unlink and read/write - persistent modem/EFS
# storage is fully writable by this domain.
allow hal_telephony_server efs_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow hal_telephony_server efs_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# NOTE(review): execute_no_trans on vendor_shell_exec means a vendor shell
# runs *inside* hal_telephony_server (no domain transition), so any script it
# runs inherits the capabilities and file access granted above. Worth
# confirming this is still required rather than a domain transition.
allow hal_telephony_server vendor_shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Bluetooth EFS: read-only.
allow hal_telephony_server bluetooth_efs_file:file { getattr open read ioctl lock map watch watch_reads };
allow hal_telephony_server bluetooth_efs_file:dir { open getattr read search ioctl lock watch watch_reads };
# property service
#line 25
# Read-only on telephony_config_prop.
allow hal_telephony_server telephony_config_prop:file { getattr open read map };
#line 25
#line 26
#line 26
# Three property-set expansions (radio_control_prop, radio_prop,
# telephony_status_prop); the property_socket / init connectto lines are
# repeated once per expansion and are identical.
allow hal_telephony_server property_socket:sock_file write;
#line 26
allow hal_telephony_server init:unix_stream_socket connectto;
#line 26
#line 26
allow hal_telephony_server radio_control_prop:property_service set;
#line 26
#line 26
allow hal_telephony_server radio_control_prop:file { getattr open read map };
#line 26
#line 26
#line 27
#line 27
allow hal_telephony_server property_socket:sock_file write;
#line 27
allow hal_telephony_server init:unix_stream_socket connectto;
#line 27
#line 27
allow hal_telephony_server radio_prop:property_service set;
#line 27
#line 27
allow hal_telephony_server radio_prop:file { getattr open read map };
#line 27
#line 27
#line 28
#line 28
allow hal_telephony_server property_socket:sock_file write;
#line 28
allow hal_telephony_server init:unix_stream_socket connectto;
#line 28
#line 28
allow hal_telephony_server telephony_status_prop:property_service set;
#line 28
#line 28
allow hal_telephony_server telephony_status_prop:file { getattr open read map };
#line 28
#line 28
# Serial/tty device: read/write incl. ioctl.
allow hal_telephony_server tty_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow hal_telephony_server to create and use netlink sockets.
# All three grants use the no-ioctl socket expansion.
allow hal_telephony_server self:netlink_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow hal_telephony_server self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow hal_telephony_server self:netlink_kobject_uevent_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# Access to wake locks
#line 38
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 38
# deprecated.
# hal_telephony.te (continued): wake-lock access via sysfs, the suspend HAL
# (HIDL and, further on, AIDL), and hwservicemanager client plumbing.
#line 38
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 38
allow hal_telephony_server sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 38
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 38
allow hal_telephony_server self:{ capability2 cap2_userns } block_suspend;
#line 38
# system_suspend permissions
#line 38
#line 38
# Call the server domain and optionally transfer references to it.
#line 38
allow hal_telephony_server system_suspend_server:binder { call transfer };
#line 38
# Allow the serverdomain to transfer references to the client on the reply.
#line 38
allow system_suspend_server hal_telephony_server:binder transfer;
#line 38
# Receive and use open files from the server.
#line 38
allow hal_telephony_server system_suspend_server:fd use;
#line 38
#line 38
allow hal_telephony_server system_suspend_hwservice:hwservice_manager find;
#line 38
# halclientdomain permissions
#line 38
#line 38
# Call the hwservicemanager and transfer references to it.
#line 38
allow hal_telephony_server hwservicemanager:binder { call transfer };
#line 38
# Allow hwservicemanager to send out callbacks
#line 38
allow hwservicemanager hal_telephony_server:binder { call transfer };
#line 38
# hwservicemanager performs getpidcon on clients.
# (Same pattern as the servicemanager getpidcon rules, plus `map` on file.)
#line 38
allow hwservicemanager hal_telephony_server:dir search;
#line 38
allow hwservicemanager hal_telephony_server:file { read open map };
#line 38
allow hwservicemanager hal_telephony_server:process getattr;
#line 38
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 38
# all domains in domain.te.
#line 38 #line 38 #line 38 allow hal_telephony_server hwservicemanager_prop:file { getattr open read map }; #line 38 #line 38 allow hal_telephony_server hidl_manager_hwservice:hwservice_manager find; #line 38 # AIDL suspend hal permissions #line 38 allow hal_telephony_server hal_system_suspend_service:service_manager find; #line 38 #line 38 # Call the servicemanager and transfer references to it. #line 38 allow hal_telephony_server servicemanager:binder { call transfer }; #line 38 # Allow servicemanager to send out callbacks #line 38 allow servicemanager hal_telephony_server:binder { call transfer }; #line 38 # servicemanager performs getpidcon on clients. #line 38 allow servicemanager hal_telephony_server:dir search; #line 38 allow servicemanager hal_telephony_server:file { read open }; #line 38 allow servicemanager hal_telephony_server:process getattr; #line 38 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 38 # all domains in domain.te. #line 38 #line 38 #line 40 allow hal_telephony_server proc_net_type:dir { open getattr read search ioctl lock watch watch_reads }; #line 40 allow hal_telephony_server proc_net_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 40 #line 41 allow hal_telephony_server sysfs_type:dir { open getattr read search ioctl lock watch watch_reads }; #line 41 allow hal_telephony_server sysfs_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 41 # granting the ioctl permission for hal_telephony_server should be device specific allow hal_telephony_server self:socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } }; # Allow AIDL HAL shim to call HIDL HAL implementation #line 47 # Call the server domain and optionally transfer references to it. #line 47 allow hal_telephony_server hal_telephony_server:binder { call transfer }; #line 47 # Allow the serverdomain to transfer references to the client on the reply. 
#line 47 allow hal_telephony_server hal_telephony_server:binder transfer; #line 47 # Receive and use open files from the server. #line 47 allow hal_telephony_server hal_telephony_server:fd use; #line 47 #line 1 "system/sepolicy/public/hal_tetheroffload.te" ## HwBinder IPC from client to server, and callbacks #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_tetheroffload_client hal_tetheroffload_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_tetheroffload_server hal_tetheroffload_client:binder transfer; #line 2 # Receive and use open files from the server. #line 2 allow hal_tetheroffload_client hal_tetheroffload_server:fd use; #line 2 #line 3 # Call the server domain and optionally transfer references to it. #line 3 allow hal_tetheroffload_server hal_tetheroffload_client:binder { call transfer }; #line 3 # Allow the serverdomain to transfer references to the client on the reply. #line 3 allow hal_tetheroffload_client hal_tetheroffload_server:binder transfer; #line 3 # Receive and use open files from the server. 
#line 3 allow hal_tetheroffload_server hal_tetheroffload_client:fd use; #line 3 #line 5 allow hal_tetheroffload_client hal_tetheroffload_hwservice:hwservice_manager find; #line 5 #line 5 allow hal_tetheroffload_server hal_tetheroffload_hwservice:hwservice_manager { add find }; #line 5 allow hal_tetheroffload_server hidl_base_hwservice:hwservice_manager add; #line 5 neverallow { domain -hal_tetheroffload_server } hal_tetheroffload_hwservice:hwservice_manager add; #line 5 #line 5 #line 5 #line 5 #line 6 allow hal_tetheroffload_client hal_tetheroffload_service:service_manager find; #line 6 #line 6 allow hal_tetheroffload_server hal_tetheroffload_service:service_manager { add find }; #line 6 neverallow { domain -hal_tetheroffload_server } hal_tetheroffload_service:service_manager add; #line 6 #line 6 # On debug builds with root, allow binder services to use binder over TCP. #line 6 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 6 #line 6 #line 6 #line 6 #line 6 #line 8 # Call the servicemanager and transfer references to it. #line 8 allow hal_tetheroffload_server servicemanager:binder { call transfer }; #line 8 # Allow servicemanager to send out callbacks #line 8 allow servicemanager hal_tetheroffload_server:binder { call transfer }; #line 8 # servicemanager performs getpidcon on clients. #line 8 allow servicemanager hal_tetheroffload_server:dir search; #line 8 allow servicemanager hal_tetheroffload_server:file { read open }; #line 8 allow servicemanager hal_tetheroffload_server:process getattr; #line 8 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 8 # all domains in domain.te. 
#line 8 # allow the client to pass the server already open netlink sockets allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write }; #line 1 "system/sepolicy/public/hal_thermal.te" # HwBinder IPC from client to server, and callbacks #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_thermal_client hal_thermal_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_thermal_server hal_thermal_client:binder transfer; #line 2 # Receive and use open files from the server. #line 2 allow hal_thermal_client hal_thermal_server:fd use; #line 2 #line 3 # Call the server domain and optionally transfer references to it. #line 3 allow hal_thermal_server hal_thermal_client:binder { call transfer }; #line 3 # Allow the serverdomain to transfer references to the client on the reply. #line 3 allow hal_thermal_client hal_thermal_server:binder transfer; #line 3 # Receive and use open files from the server. #line 3 allow hal_thermal_server hal_thermal_client:fd use; #line 3 #line 5 allow hal_thermal_client hal_thermal_hwservice:hwservice_manager find; #line 5 #line 5 allow hal_thermal_server hal_thermal_hwservice:hwservice_manager { add find }; #line 5 allow hal_thermal_server hidl_base_hwservice:hwservice_manager add; #line 5 neverallow { domain -hal_thermal_server } hal_thermal_hwservice:hwservice_manager add; #line 5 #line 5 #line 5 #line 5 #line 6 allow hal_thermal_client hal_thermal_service:service_manager find; #line 6 #line 6 allow hal_thermal_server hal_thermal_service:service_manager { add find }; #line 6 neverallow { domain -hal_thermal_server } hal_thermal_service:service_manager add; #line 6 #line 6 # On debug builds with root, allow binder services to use binder over TCP. #line 6 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. 
#line 6 #line 6 #line 6 #line 6 #line 6 #line 8 allow hal_thermal_server hal_thermal_service:service_manager { add find }; #line 8 neverallow { domain -hal_thermal_server } hal_thermal_service:service_manager add; #line 8 #line 8 # On debug builds with root, allow binder services to use binder over TCP. #line 8 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 8 #line 8 #line 9 # Call the server domain and optionally transfer references to it. #line 9 allow hal_thermal_server servicemanager:binder { call transfer }; #line 9 # Allow the serverdomain to transfer references to the client on the reply. #line 9 allow servicemanager hal_thermal_server:binder transfer; #line 9 # Receive and use open files from the server. #line 9 allow hal_thermal_server servicemanager:fd use; #line 9 #line 10 # Call the server domain and optionally transfer references to it. #line 10 allow hal_thermal_client servicemanager:binder { call transfer }; #line 10 # Allow the serverdomain to transfer references to the client on the reply. #line 10 allow servicemanager hal_thermal_client:binder transfer; #line 10 # Receive and use open files from the server. #line 10 allow hal_thermal_client servicemanager:fd use; #line 10 #line 1 "system/sepolicy/public/hal_threadnetwork.te" #line 1 # Call the server domain and optionally transfer references to it. #line 1 allow hal_threadnetwork_client hal_threadnetwork_server:binder { call transfer }; #line 1 # Allow the serverdomain to transfer references to the client on the reply. #line 1 allow hal_threadnetwork_server hal_threadnetwork_client:binder transfer; #line 1 # Receive and use open files from the server. #line 1 allow hal_threadnetwork_client hal_threadnetwork_server:fd use; #line 1 #line 2 # Call the server domain and optionally transfer references to it. 
#line 2 allow hal_threadnetwork_server hal_threadnetwork_client:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_threadnetwork_client hal_threadnetwork_server:binder transfer; #line 2 # Receive and use open files from the server. #line 2 allow hal_threadnetwork_server hal_threadnetwork_client:fd use; #line 2 #line 4 allow hal_threadnetwork_client hal_threadnetwork_service:service_manager find; #line 4 #line 4 allow hal_threadnetwork_server hal_threadnetwork_service:service_manager { add find }; #line 4 neverallow { domain -hal_threadnetwork_server } hal_threadnetwork_service:service_manager add; #line 4 #line 4 # On debug builds with root, allow binder services to use binder over TCP. #line 4 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 4 #line 4 #line 4 #line 4 #line 4 #line 6 # Call the server domain and optionally transfer references to it. #line 6 allow hal_threadnetwork_server servicemanager:binder { call transfer }; #line 6 # Allow the serverdomain to transfer references to the client on the reply. #line 6 allow servicemanager hal_threadnetwork_server:binder transfer; #line 6 # Receive and use open files from the server. #line 6 allow hal_threadnetwork_server servicemanager:fd use; #line 6 #line 7 # Call the server domain and optionally transfer references to it. #line 7 allow hal_threadnetwork_client servicemanager:binder { call transfer }; #line 7 # Allow the serverdomain to transfer references to the client on the reply. #line 7 allow servicemanager hal_threadnetwork_client:binder transfer; #line 7 # Receive and use open files from the server. #line 7 allow hal_threadnetwork_client servicemanager:fd use; #line 7 #line 1 "system/sepolicy/public/hal_tv_cec.te" # HwBinder IPC from clients into server, and callbacks #line 2 # Call the server domain and optionally transfer references to it. 
#line 2 allow hal_tv_cec_client hal_tv_cec_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_tv_cec_server hal_tv_cec_client:binder transfer; #line 2 # Receive and use open files from the server. #line 2 allow hal_tv_cec_client hal_tv_cec_server:fd use; #line 2 #line 3 # Call the server domain and optionally transfer references to it. #line 3 allow hal_tv_cec_server hal_tv_cec_client:binder { call transfer }; #line 3 # Allow the serverdomain to transfer references to the client on the reply. #line 3 allow hal_tv_cec_client hal_tv_cec_server:binder transfer; #line 3 # Receive and use open files from the server. #line 3 allow hal_tv_cec_server hal_tv_cec_client:fd use; #line 3 #line 5 allow hal_tv_cec_client hal_tv_cec_hwservice:hwservice_manager find; #line 5 #line 5 allow hal_tv_cec_server hal_tv_cec_hwservice:hwservice_manager { add find }; #line 5 allow hal_tv_cec_server hidl_base_hwservice:hwservice_manager add; #line 5 neverallow { domain -hal_tv_cec_server } hal_tv_cec_hwservice:hwservice_manager add; #line 5 #line 5 #line 5 #line 5 #line 1 "system/sepolicy/public/hal_tv_hdmi_cec.te" # Binder IPC from clients into server, and callbacks #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_tv_hdmi_cec_client hal_tv_hdmi_cec_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_tv_hdmi_cec_server hal_tv_hdmi_cec_client:binder transfer; #line 2 # Receive and use open files from the server. #line 2 allow hal_tv_hdmi_cec_client hal_tv_hdmi_cec_server:fd use; #line 2 #line 3 # Call the server domain and optionally transfer references to it. #line 3 allow hal_tv_hdmi_cec_server hal_tv_hdmi_cec_client:binder { call transfer }; #line 3 # Allow the serverdomain to transfer references to the client on the reply. 
#line 3 allow hal_tv_hdmi_cec_client hal_tv_hdmi_cec_server:binder transfer; #line 3 # Receive and use open files from the server. #line 3 allow hal_tv_hdmi_cec_server hal_tv_hdmi_cec_client:fd use; #line 3 #line 4 # Call the servicemanager and transfer references to it. #line 4 allow hal_tv_hdmi_cec_client servicemanager:binder { call transfer }; #line 4 # Allow servicemanager to send out callbacks #line 4 allow servicemanager hal_tv_hdmi_cec_client:binder { call transfer }; #line 4 # servicemanager performs getpidcon on clients. #line 4 allow servicemanager hal_tv_hdmi_cec_client:dir search; #line 4 allow servicemanager hal_tv_hdmi_cec_client:file { read open }; #line 4 allow servicemanager hal_tv_hdmi_cec_client:process getattr; #line 4 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 4 # all domains in domain.te. #line 4 #line 5 # Call the servicemanager and transfer references to it. #line 5 allow hal_tv_hdmi_cec_server servicemanager:binder { call transfer }; #line 5 # Allow servicemanager to send out callbacks #line 5 allow servicemanager hal_tv_hdmi_cec_server:binder { call transfer }; #line 5 # servicemanager performs getpidcon on clients. #line 5 allow servicemanager hal_tv_hdmi_cec_server:dir search; #line 5 allow servicemanager hal_tv_hdmi_cec_server:file { read open }; #line 5 allow servicemanager hal_tv_hdmi_cec_server:process getattr; #line 5 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 5 # all domains in domain.te. #line 5 #line 7 allow hal_tv_hdmi_cec_client hal_tv_hdmi_cec_service:service_manager find; #line 7 #line 7 allow hal_tv_hdmi_cec_server hal_tv_hdmi_cec_service:service_manager { add find }; #line 7 neverallow { domain -hal_tv_hdmi_cec_server } hal_tv_hdmi_cec_service:service_manager add; #line 7 #line 7 # On debug builds with root, allow binder services to use binder over TCP. #line 7 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. 
#line 7 #line 7 #line 7 #line 7 #line 7 #line 1 "system/sepolicy/public/hal_tv_hdmi_connection.te" # Binder IPC from clients into server, and callbacks #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_tv_hdmi_connection_client hal_tv_hdmi_connection_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_tv_hdmi_connection_server hal_tv_hdmi_connection_client:binder transfer; #line 2 # Receive and use open files from the server. #line 2 allow hal_tv_hdmi_connection_client hal_tv_hdmi_connection_server:fd use; #line 2 #line 3 # Call the server domain and optionally transfer references to it. #line 3 allow hal_tv_hdmi_connection_server hal_tv_hdmi_connection_client:binder { call transfer }; #line 3 # Allow the serverdomain to transfer references to the client on the reply. #line 3 allow hal_tv_hdmi_connection_client hal_tv_hdmi_connection_server:binder transfer; #line 3 # Receive and use open files from the server. #line 3 allow hal_tv_hdmi_connection_server hal_tv_hdmi_connection_client:fd use; #line 3 #line 4 # Call the servicemanager and transfer references to it. #line 4 allow hal_tv_hdmi_connection_client servicemanager:binder { call transfer }; #line 4 # Allow servicemanager to send out callbacks #line 4 allow servicemanager hal_tv_hdmi_connection_client:binder { call transfer }; #line 4 # servicemanager performs getpidcon on clients. #line 4 allow servicemanager hal_tv_hdmi_connection_client:dir search; #line 4 allow servicemanager hal_tv_hdmi_connection_client:file { read open }; #line 4 allow servicemanager hal_tv_hdmi_connection_client:process getattr; #line 4 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 4 # all domains in domain.te. #line 4 #line 5 # Call the servicemanager and transfer references to it. 
#line 5 allow hal_tv_hdmi_connection_server servicemanager:binder { call transfer }; #line 5 # Allow servicemanager to send out callbacks #line 5 allow servicemanager hal_tv_hdmi_connection_server:binder { call transfer }; #line 5 # servicemanager performs getpidcon on clients. #line 5 allow servicemanager hal_tv_hdmi_connection_server:dir search; #line 5 allow servicemanager hal_tv_hdmi_connection_server:file { read open }; #line 5 allow servicemanager hal_tv_hdmi_connection_server:process getattr; #line 5 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 5 # all domains in domain.te. #line 5 #line 7 allow hal_tv_hdmi_connection_client hal_tv_hdmi_connection_service:service_manager find; #line 7 #line 7 allow hal_tv_hdmi_connection_server hal_tv_hdmi_connection_service:service_manager { add find }; #line 7 neverallow { domain -hal_tv_hdmi_connection_server } hal_tv_hdmi_connection_service:service_manager add; #line 7 #line 7 # On debug builds with root, allow binder services to use binder over TCP. #line 7 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 7 #line 7 #line 7 #line 7 #line 7 #line 1 "system/sepolicy/public/hal_tv_hdmi_earc.te" # Binder IPC from clients into server, and callbacks #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_tv_hdmi_earc_client hal_tv_hdmi_earc_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_tv_hdmi_earc_server hal_tv_hdmi_earc_client:binder transfer; #line 2 # Receive and use open files from the server. #line 2 allow hal_tv_hdmi_earc_client hal_tv_hdmi_earc_server:fd use; #line 2 #line 3 # Call the server domain and optionally transfer references to it. #line 3 allow hal_tv_hdmi_earc_server hal_tv_hdmi_earc_client:binder { call transfer }; #line 3 # Allow the serverdomain to transfer references to the client on the reply. 
#line 3 allow hal_tv_hdmi_earc_client hal_tv_hdmi_earc_server:binder transfer; #line 3 # Receive and use open files from the server. #line 3 allow hal_tv_hdmi_earc_server hal_tv_hdmi_earc_client:fd use; #line 3 #line 4 # Call the servicemanager and transfer references to it. #line 4 allow hal_tv_hdmi_earc_client servicemanager:binder { call transfer }; #line 4 # Allow servicemanager to send out callbacks #line 4 allow servicemanager hal_tv_hdmi_earc_client:binder { call transfer }; #line 4 # servicemanager performs getpidcon on clients. #line 4 allow servicemanager hal_tv_hdmi_earc_client:dir search; #line 4 allow servicemanager hal_tv_hdmi_earc_client:file { read open }; #line 4 allow servicemanager hal_tv_hdmi_earc_client:process getattr; #line 4 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 4 # all domains in domain.te. #line 4 #line 5 # Call the servicemanager and transfer references to it. #line 5 allow hal_tv_hdmi_earc_server servicemanager:binder { call transfer }; #line 5 # Allow servicemanager to send out callbacks #line 5 allow servicemanager hal_tv_hdmi_earc_server:binder { call transfer }; #line 5 # servicemanager performs getpidcon on clients. #line 5 allow servicemanager hal_tv_hdmi_earc_server:dir search; #line 5 allow servicemanager hal_tv_hdmi_earc_server:file { read open }; #line 5 allow servicemanager hal_tv_hdmi_earc_server:process getattr; #line 5 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 5 # all domains in domain.te. #line 5 #line 7 allow hal_tv_hdmi_earc_client hal_tv_hdmi_earc_service:service_manager find; #line 7 #line 7 allow hal_tv_hdmi_earc_server hal_tv_hdmi_earc_service:service_manager { add find }; #line 7 neverallow { domain -hal_tv_hdmi_earc_server } hal_tv_hdmi_earc_service:service_manager add; #line 7 #line 7 # On debug builds with root, allow binder services to use binder over TCP. #line 7 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. 
#line 7 #line 7 #line 7 #line 7 #line 7 #line 1 "system/sepolicy/public/hal_tv_input.te" # HwBinder IPC from clients into server, and callbacks #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_tv_input_client hal_tv_input_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_tv_input_server hal_tv_input_client:binder transfer; #line 2 # Receive and use open files from the server. #line 2 allow hal_tv_input_client hal_tv_input_server:fd use; #line 2 #line 3 # Call the server domain and optionally transfer references to it. #line 3 allow hal_tv_input_server hal_tv_input_client:binder { call transfer }; #line 3 # Allow the serverdomain to transfer references to the client on the reply. #line 3 allow hal_tv_input_client hal_tv_input_server:binder transfer; #line 3 # Receive and use open files from the server. #line 3 allow hal_tv_input_server hal_tv_input_client:fd use; #line 3 #line 5 allow hal_tv_input_client hal_tv_input_hwservice:hwservice_manager find; #line 5 #line 5 allow hal_tv_input_server hal_tv_input_hwservice:hwservice_manager { add find }; #line 5 allow hal_tv_input_server hidl_base_hwservice:hwservice_manager add; #line 5 neverallow { domain -hal_tv_input_server } hal_tv_input_hwservice:hwservice_manager add; #line 5 #line 5 #line 5 #line 5 #line 6 allow hal_tv_input_client hal_tv_input_service:service_manager find; #line 6 #line 6 allow hal_tv_input_server hal_tv_input_service:service_manager { add find }; #line 6 neverallow { domain -hal_tv_input_server } hal_tv_input_service:service_manager add; #line 6 #line 6 # On debug builds with root, allow binder services to use binder over TCP. #line 6 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 6 #line 6 #line 6 #line 6 #line 6 #line 8 # Call the server domain and optionally transfer references to it. 
#line 8 allow hal_tv_input_server servicemanager:binder { call transfer }; #line 8 # Allow the serverdomain to transfer references to the client on the reply. #line 8 allow servicemanager hal_tv_input_server:binder transfer; #line 8 # Receive and use open files from the server. #line 8 allow hal_tv_input_server servicemanager:fd use; #line 8 #line 9 # Call the server domain and optionally transfer references to it. #line 9 allow hal_tv_input_client servicemanager:binder { call transfer }; #line 9 # Allow the serverdomain to transfer references to the client on the reply. #line 9 allow servicemanager hal_tv_input_client:binder transfer; #line 9 # Receive and use open files from the server. #line 9 allow hal_tv_input_client servicemanager:fd use; #line 9 #line 1 "system/sepolicy/public/hal_tv_tuner.te" #line 1 # Call the server domain and optionally transfer references to it. #line 1 allow hal_tv_tuner_client hal_tv_tuner_server:binder { call transfer }; #line 1 # Allow the serverdomain to transfer references to the client on the reply. #line 1 allow hal_tv_tuner_server hal_tv_tuner_client:binder transfer; #line 1 # Receive and use open files from the server. #line 1 allow hal_tv_tuner_client hal_tv_tuner_server:fd use; #line 1 #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_tv_tuner_server hal_tv_tuner_client:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_tv_tuner_client hal_tv_tuner_server:binder transfer; #line 2 # Receive and use open files from the server. 
#line 2 allow hal_tv_tuner_server hal_tv_tuner_client:fd use; #line 2 #line 4 allow hal_tv_tuner_client hal_tv_tuner_hwservice:hwservice_manager find; #line 4 #line 4 allow hal_tv_tuner_server hal_tv_tuner_hwservice:hwservice_manager { add find }; #line 4 allow hal_tv_tuner_server hidl_base_hwservice:hwservice_manager add; #line 4 neverallow { domain -hal_tv_tuner_server } hal_tv_tuner_hwservice:hwservice_manager add; #line 4 #line 4 #line 4 #line 4 #line 5 allow hal_tv_tuner_client hal_tv_tuner_service:service_manager find; #line 5 #line 5 allow hal_tv_tuner_server hal_tv_tuner_service:service_manager { add find }; #line 5 neverallow { domain -hal_tv_tuner_server } hal_tv_tuner_service:service_manager add; #line 5 #line 5 # On debug builds with root, allow binder services to use binder over TCP. #line 5 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 5 #line 5 #line 5 #line 5 #line 5 #line 7 # Call the server domain and optionally transfer references to it. #line 7 allow hal_tv_tuner_server servicemanager:binder { call transfer }; #line 7 # Allow the serverdomain to transfer references to the client on the reply. #line 7 allow servicemanager hal_tv_tuner_server:binder transfer; #line 7 # Receive and use open files from the server. #line 7 allow hal_tv_tuner_server servicemanager:fd use; #line 7 #line 8 # Call the server domain and optionally transfer references to it. #line 8 allow hal_tv_tuner_client servicemanager:binder { call transfer }; #line 8 # Allow the serverdomain to transfer references to the client on the reply. #line 8 allow servicemanager hal_tv_tuner_client:binder transfer; #line 8 # Receive and use open files from the server. #line 8 allow hal_tv_tuner_client servicemanager:fd use; #line 8 #line 1 "system/sepolicy/public/hal_usb.te" # HwBinder IPC from client to server, and callbacks #line 2 # Call the server domain and optionally transfer references to it. 
#line 2 allow hal_usb_client hal_usb_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_usb_server hal_usb_client:binder transfer; #line 2 # Receive and use open files from the server. #line 2 allow hal_usb_client hal_usb_server:fd use; #line 2 #line 3 # Call the server domain and optionally transfer references to it. #line 3 allow hal_usb_server hal_usb_client:binder { call transfer }; #line 3 # Allow the serverdomain to transfer references to the client on the reply. #line 3 allow hal_usb_client hal_usb_server:binder transfer; #line 3 # Receive and use open files from the server. #line 3 allow hal_usb_server hal_usb_client:fd use; #line 3 #line 5 allow hal_usb_client hal_usb_service:service_manager find; #line 5 #line 5 allow hal_usb_server hal_usb_service:service_manager { add find }; #line 5 neverallow { domain -hal_usb_server } hal_usb_service:service_manager add; #line 5 #line 5 # On debug builds with root, allow binder services to use binder over TCP. #line 5 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 5 #line 5 #line 5 #line 5 #line 5 #line 6 # Call the server domain and optionally transfer references to it. #line 6 allow hal_usb_server servicemanager:binder { call transfer }; #line 6 # Allow the serverdomain to transfer references to the client on the reply. #line 6 allow servicemanager hal_usb_server:binder transfer; #line 6 # Receive and use open files from the server. 
#line 6
allow hal_usb_server servicemanager:fd use;
#line 6
#line 8
allow hal_usb_client hal_usb_hwservice:hwservice_manager find;
#line 8
#line 8
allow hal_usb_server hal_usb_hwservice:hwservice_manager { add find };
#line 8
allow hal_usb_server hidl_base_hwservice:hwservice_manager add;
#line 8
# Only hal_usb_server may register the USB hwservice; a rule granting `add`
# to any other domain is rejected when the policy is compiled.
neverallow { domain -hal_usb_server } hal_usb_hwservice:hwservice_manager add;
#line 8
#line 8
#line 8
#line 8
# Kernel uevent delivery: hal_usb creates, configures (setopt/getopt) and
# binds its own netlink_kobject_uevent_socket and reads from it. No `write`
# is granted on the socket, so it can receive events but not send.
# NOTE(review): hal_usb is used as the subject here without a _server/_client
# suffix; presumably an attribute shared by the HAL domains — confirm where
# it is declared.
allow hal_usb self:netlink_kobject_uevent_socket create;
allow hal_usb self:netlink_kobject_uevent_socket setopt;
allow hal_usb self:netlink_kobject_uevent_socket getopt;
allow hal_usb self:netlink_kobject_uevent_socket bind;
allow hal_usb self:netlink_kobject_uevent_socket read;
# sysfs access for hal_usb: directory listing plus read AND write of files
# carrying the generic `sysfs` label. This is wider than the read-only
# sysfs_type access hal_telephony_server gets elsewhere in this policy, and
# it is scoped by label rather than by path: every file labelled `sysfs`
# becomes writable by hal_usb, so keep device-specific sysfs nodes under
# their own, narrower types.
allow hal_usb sysfs:dir open;
allow hal_usb sysfs:dir read;
allow hal_usb sysfs:file read;
allow hal_usb sysfs:file open;
allow hal_usb sysfs:file write;
allow hal_usb sysfs:file getattr;
#line 1 "system/sepolicy/public/hal_usb_gadget.te"
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_usb_gadget_client hal_usb_gadget_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_usb_gadget_server hal_usb_gadget_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_usb_gadget_client hal_usb_gadget_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_usb_gadget_server hal_usb_gadget_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_usb_gadget_client hal_usb_gadget_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_usb_gadget_server hal_usb_gadget_client:fd use;
#line 3
#line 5
allow hal_usb_gadget_client hal_usb_gadget_service:service_manager find;
#line 5
#line 5
allow hal_usb_gadget_server hal_usb_gadget_service:service_manager { add find };
#line 5
# Only hal_usb_gadget_server may register the AIDL service; any other domain
# being granted `add` is a compile-time policy error.
neverallow { domain -hal_usb_gadget_server } hal_usb_gadget_service:service_manager add;
#line 5
#line 5
# On debug builds with root, allow binder services to use binder over TCP.
#line 5
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 5
#line 5
#line 5
#line 5
#line 5
#line 6
# Call the server domain and optionally transfer references to it.
#line 6
allow hal_usb_gadget_server servicemanager:binder { call transfer };
#line 6
# Allow the serverdomain to transfer references to the client on the reply.
#line 6
allow servicemanager hal_usb_gadget_server:binder transfer;
#line 6
# Receive and use open files from the server.
#line 6
allow hal_usb_gadget_server servicemanager:fd use;
#line 6
#line 8
allow hal_usb_gadget_client hal_usb_gadget_hwservice:hwservice_manager find;
#line 8
#line 8
allow hal_usb_gadget_server hal_usb_gadget_hwservice:hwservice_manager { add find };
#line 8
allow hal_usb_gadget_server hidl_base_hwservice:hwservice_manager add;
#line 8
# Same registration guard for the HIDL hwservice.
neverallow { domain -hal_usb_gadget_server } hal_usb_gadget_hwservice:hwservice_manager add;
#line 8
#line 8
#line 8
#line 8
# Configuring usb gadget functions
# configfs is the gadget-function configuration surface: the server may
# create and remove symlinks, add and remove directory entries, and create,
# rename, setattr and unlink files under the `configfs` label. These are
# write rights over the whole label, so any domain that can influence
# hal_usb_gadget_server's inputs can influence gadget configuration.
allow hal_usb_gadget_server configfs:lnk_file { read create unlink};
allow hal_usb_gadget_server configfs:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow hal_usb_gadget_server configfs:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# functionfs is read-only for the server (search/read on dirs, read on files).
allow hal_usb_gadget_server functionfs:dir { read search };
allow hal_usb_gadget_server functionfs:file read;
# Read-only access to /proc/interrupts-labelled files; the permission set
# continues on the next line.
allow hal_usb_gadget_server proc_interrupts:file { getattr open read ioctl lock
map watch watch_reads }; # Read access to ro.usb.uvc.enabled #line 19 allow hal_usb_gadget_server usb_uvc_enabled_prop:file { getattr open read map }; #line 19 #line 1 "system/sepolicy/public/hal_uwb.te" # HwBinder IPC from client to server, and callbacks #line 2 # Call the server domain and optionally transfer references to it. #line 2 allow hal_uwb_client hal_uwb_server:binder { call transfer }; #line 2 # Allow the serverdomain to transfer references to the client on the reply. #line 2 allow hal_uwb_server hal_uwb_client:binder transfer; #line 2 # Receive and use open files from the server. #line 2 allow hal_uwb_client hal_uwb_server:fd use; #line 2 #line 3 # Call the server domain and optionally transfer references to it. #line 3 allow hal_uwb_server hal_uwb_client:binder { call transfer }; #line 3 # Allow the serverdomain to transfer references to the client on the reply. #line 3 allow hal_uwb_client hal_uwb_server:binder transfer; #line 3 # Receive and use open files from the server. #line 3 allow hal_uwb_server hal_uwb_client:fd use; #line 3 #line 5 allow hal_uwb_client hal_uwb_service:service_manager find; #line 5 #line 5 allow hal_uwb_server hal_uwb_service:service_manager { add find }; #line 5 neverallow { domain -hal_uwb_server } hal_uwb_service:service_manager add; #line 5 #line 5 # On debug builds with root, allow binder services to use binder over TCP. #line 5 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 5 #line 5 #line 5 #line 5 #line 5 #line 7 # Call the server domain and optionally transfer references to it. #line 7 allow hal_uwb_server servicemanager:binder { call transfer }; #line 7 # Allow the serverdomain to transfer references to the client on the reply. #line 7 allow servicemanager hal_uwb_server:binder transfer; #line 7 # Receive and use open files from the server. #line 7 allow hal_uwb_server servicemanager:fd use; #line 7 #line 8 # Call the server domain and optionally transfer references to it. 
#line 8
# The UWB client talks to servicemanager directly as well (binder_call expansion).
allow hal_uwb_client servicemanager:binder { call transfer };
#line 8
# Allow the serverdomain to transfer references to the client on the reply.
#line 8
allow servicemanager hal_uwb_client:binder transfer;
#line 8
# Receive and use open files from the server.
#line 8
allow hal_uwb_client servicemanager:fd use;
#line 8
#line 1 "system/sepolicy/public/hal_vehicle.te"
# HwBinder IPC from client to server, and callbacks
# Bidirectional binder_call expansions: the vehicle server may call back into clients.
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_vehicle_client hal_vehicle_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_vehicle_server hal_vehicle_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_vehicle_client hal_vehicle_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_vehicle_server hal_vehicle_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_vehicle_client hal_vehicle_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_vehicle_server hal_vehicle_client:fd use;
#line 3
#line 6
# HIDL hwservice registration/lookup.
allow hal_vehicle_client hal_vehicle_hwservice:hwservice_manager find;
#line 6
#line 6
allow hal_vehicle_server hal_vehicle_hwservice:hwservice_manager { add find };
#line 6
allow hal_vehicle_server hidl_base_hwservice:hwservice_manager add;
#line 6
# Build-time assertion: only hal_vehicle_server may register this hwservice name.
neverallow { domain -hal_vehicle_server } hal_vehicle_hwservice:hwservice_manager add;
#line 6
#line 6
#line 6
#line 6
#line 7
# AIDL service registration/lookup.
allow hal_vehicle_client hal_vehicle_service:service_manager find;
#line 7
#line 7
allow hal_vehicle_server hal_vehicle_service:service_manager { add find };
#line 7
neverallow { domain -hal_vehicle_server } hal_vehicle_service:service_manager add;
#line 7
#line 7
# On debug builds with root, allow binder services to use binder over TCP.
#line 7
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 7
# NOTE(review): the debug-only rules are absent from this expansion (no allow
# follows), and unlike the neighbouring HALs this section has no
# servicemanager binder_call expansion for hal_vehicle_server — presumably
# intentional; confirm against the source .te.
#line 7
#line 7
#line 7
#line 7
#line 1 "system/sepolicy/public/hal_vibrator.te"
# HwBinder IPC client/server
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_vibrator_client hal_vibrator_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_vibrator_server hal_vibrator_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_vibrator_client hal_vibrator_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_vibrator_server hal_vibrator_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_vibrator_client hal_vibrator_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_vibrator_server hal_vibrator_client:fd use;
#line 3
# NOTE(review): the lone ';' below is a stray token left after the macro
# expansion (likely a trailing semicolon on the macro call in the source .te).
# It is harmless only if the policy compiler accepts an empty statement —
# worth removing at the source.
;
#line 5
# HIDL hwservice registration/lookup.
allow hal_vibrator_client hal_vibrator_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_vibrator_server hal_vibrator_hwservice:hwservice_manager { add find };
#line 5
allow hal_vibrator_server hidl_base_hwservice:hwservice_manager add;
#line 5
# Build-time assertion: only hal_vibrator_server may register this hwservice name.
neverallow { domain -hal_vibrator_server } hal_vibrator_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
# AIDL service registration/lookup.
allow hal_vibrator_client hal_vibrator_service:service_manager find;
#line 6
#line 6
allow hal_vibrator_server hal_vibrator_service:service_manager { add find };
#line 6
neverallow { domain -hal_vibrator_server } hal_vibrator_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
# NOTE(review): the debug-only rules are absent from this expansion (no allow follows).
#line 6
#line 6
#line 6
#line 6
#line 8
# Call the server domain and optionally transfer references to it.
#line 8
allow hal_vibrator_server servicemanager:binder { call transfer };
#line 8
# Allow the serverdomain to transfer references to the client on the reply.
#line 8
allow servicemanager hal_vibrator_server:binder transfer;
#line 8
# Receive and use open files from the server.
#line 8
allow hal_vibrator_server servicemanager:fd use;
#line 8
# Write-only to the dumpstate pipe (bugreport output); no read back.
allow hal_vibrator_server dumpstate:fifo_file write;
# vibrator sysfs rw access
# Scoped to sysfs_vibrator only; the dir permission is search, not read.
allow hal_vibrator sysfs_vibrator:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_vibrator sysfs_vibrator:dir search;
# Allow HAL vibrator to control some parameters of a vibration, such as scaling.
allow hal_vibrator fwk_vibrator_control_service:service_manager find;
#line 1 "system/sepolicy/public/hal_vr.te"
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_vr_client hal_vr_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_vr_server hal_vr_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_vr_client hal_vr_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_vr_server hal_vr_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_vr_client hal_vr_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_vr_server hal_vr_client:fd use;
#line 3
#line 5
# HIDL hwservice registration/lookup; hal_vr has no AIDL service rules in this section.
allow hal_vr_client hal_vr_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_vr_server hal_vr_hwservice:hwservice_manager { add find };
#line 5
allow hal_vr_server hidl_base_hwservice:hwservice_manager add;
#line 5
# Build-time assertion: only hal_vr_server may register this hwservice name.
neverallow { domain -hal_vr_server } hal_vr_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 1 "system/sepolicy/public/hal_weaver.te"
# HwBinder IPC from client to server
# Only one binder_call expansion (client->server) appears for weaver: the
# server is not granted calls back into its clients.
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_weaver_client hal_weaver_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_weaver_server hal_weaver_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_weaver_client hal_weaver_server:fd use;
#line 2
#line 4
# HIDL hwservice registration/lookup.
allow hal_weaver_client hal_weaver_hwservice:hwservice_manager find;
#line 4
#line 4
allow hal_weaver_server hal_weaver_hwservice:hwservice_manager { add find };
#line 4
allow hal_weaver_server hidl_base_hwservice:hwservice_manager add;
#line 4
# Build-time assertion: only hal_weaver_server may register this hwservice name.
neverallow { domain -hal_weaver_server } hal_weaver_hwservice:hwservice_manager add;
#line 4
#line 4
#line 4
#line 4
#line 5
# AIDL service registration/lookup.
allow hal_weaver_client hal_weaver_service:service_manager find;
#line 5
#line 5
allow hal_weaver_server hal_weaver_service:service_manager { add find };
#line 5
neverallow { domain -hal_weaver_server } hal_weaver_service:service_manager add;
#line 5
#line 5
# On debug builds with root, allow binder services to use binder over TCP.
#line 5
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 5
# NOTE(review): the debug-only rules are absent from this expansion (no allow follows).
#line 5
#line 5
#line 5
#line 5
#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow hal_weaver_server servicemanager:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow servicemanager hal_weaver_server:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow hal_weaver_server servicemanager:fd use;
#line 7
#line 1 "system/sepolicy/public/hal_wifi.te"
# HwBinder IPC from client to server, and callbacks
# Bidirectional binder_call expansions: the Wi-Fi server may call back into clients.
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_wifi_client hal_wifi_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_wifi_server hal_wifi_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_wifi_client hal_wifi_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_wifi_server hal_wifi_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_wifi_client hal_wifi_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_wifi_server hal_wifi_client:fd use;
#line 3
#line 5
# HIDL hwservice registration/lookup.
allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_wifi_server hal_wifi_hwservice:hwservice_manager { add find };
#line 5
allow hal_wifi_server hidl_base_hwservice:hwservice_manager add;
#line 5
# Build-time assertion: only hal_wifi_server may register this hwservice name.
neverallow { domain -hal_wifi_server } hal_wifi_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
# AIDL service registration/lookup.
allow hal_wifi_client hal_wifi_service:service_manager find;
#line 6
#line 6
allow hal_wifi_server hal_wifi_service:service_manager { add find };
#line 6
neverallow { domain -hal_wifi_server } hal_wifi_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
# NOTE(review): the debug-only rules are absent from this expansion (no allow follows).
#line 6
#line 6
#line 6
#line 6
#line 8
# Call the servicemanager and transfer references to it.
#line 8
allow hal_wifi_server servicemanager:binder { call transfer };
#line 8
# Allow servicemanager to send out callbacks
#line 8
allow servicemanager hal_wifi_server:binder { call transfer };
#line 8
# servicemanager performs getpidcon on clients.
# This is the /proc/<pid> lookup servicemanager needs to identify the caller's
# SELinux context: search the process dir, read its files, getattr the process.
#line 8
allow servicemanager hal_wifi_server:dir search;
#line 8
allow servicemanager hal_wifi_server:file { read open };
#line 8
allow servicemanager hal_wifi_server:process getattr;
#line 8
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 8
# all domains in domain.te.
#line 8
#line 10
# Read-only access to proc_net_type. NOTE(review): the `_type` suffix suggests an
# attribute spanning all of /proc/net rather than a single file, so this is a
# wide read grant — confirm the attribute's membership before extending it.
allow hal_wifi proc_net_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 10
allow hal_wifi proc_net_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 10
#line 11
# Read-only access to sysfs_type; same attribute-wide caveat as proc_net_type above.
allow hal_wifi sysfs_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 11
allow hal_wifi sysfs_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 11
#line 13
#line 13
# Property set/get for wifi_hal_prop: setting goes through init's property
# socket (connectto + property_service set); reading is a read-only file map.
allow hal_wifi_server property_socket:sock_file write;
#line 13
allow hal_wifi_server init:unix_stream_socket connectto;
#line 13
#line 13
allow hal_wifi_server wifi_hal_prop:property_service set;
#line 13
#line 13
allow hal_wifi_server wifi_hal_prop:file { getattr open read map };
#line 13
#line 13
#line 14
#line 14
# Same expansion for wifi_prop, granted to the hal_wifi attribute rather than
# only hal_wifi_server.
allow hal_wifi property_socket:sock_file write;
#line 14
allow hal_wifi init:unix_stream_socket connectto;
#line 14
#line 14
allow hal_wifi wifi_prop:property_service set;
#line 14
#line 14
allow hal_wifi wifi_prop:file { getattr open read map };
#line 14
#line 14
# allow hal wifi set interfaces up and down and get the factory MAC
# udp_socket carries the full rw permission set including ioctl; the allowxperm
# line then restricts which ioctl request codes are permitted.
allow hal_wifi self:udp_socket { create { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# 0x8914 = SIOCSIFFLAGS (interface up/down), 0x8924 = SIOCSIFHWADDR,
# 0x8946 = SIOCETHTOOL — a deliberately short allowlist matching the comment above.
allowxperm hal_wifi self:udp_socket ioctl { 0x00008914 0x00008924 0x00008946 };
# CAP_NET_ADMIN / CAP_NET_RAW (also in user namespaces via cap_userns); these
# are what the interface-configuration ioctls and raw netlink access require.
allow hal_wifi self:{ capability cap_userns } { net_admin net_raw };
# allow hal_wifi to speak to nl80211 in the kernel
# Note: no ioctl permission in the netlink socket permission sets below.
allow hal_wifi self:netlink_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
allow hal_wifi self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# hal_wifi writes firmware paths to this file.
# Write-only (no read set) on sysfs_wlan_fwpath.
allow hal_wifi sysfs_wlan_fwpath:file { { open append write lock map } };
# allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded
allow hal_wifi proc_modules:file { getattr open read };
# Allow hal_wifi to send dump info to dumpstate
allow hal_wifi dumpstate:fifo_file write;
# allow hal_wifi to write into /data/vendor/tombstones/wifi
# Full rw (create/unlink/rename/setattr) on tombstone_wifi_data_file, granted to
# hal_wifi_server specifically rather than the hal_wifi attribute.
allow hal_wifi_server tombstone_wifi_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow hal_wifi_server tombstone_wifi_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
#line 1 "system/sepolicy/public/hal_wifi_hostapd.te"
# HwBinder IPC from client to server
# Bidirectional binder_call expansions follow despite the one-way header comment.
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_wifi_hostapd_client hal_wifi_hostapd_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_wifi_hostapd_server hal_wifi_hostapd_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_wifi_hostapd_client hal_wifi_hostapd_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_wifi_hostapd_server hal_wifi_hostapd_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_wifi_hostapd_client hal_wifi_hostapd_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_wifi_hostapd_server hal_wifi_hostapd_client:fd use;
#line 3
#line 5
# HIDL hwservice registration/lookup.
allow hal_wifi_hostapd_client hal_wifi_hostapd_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_wifi_hostapd_server hal_wifi_hostapd_hwservice:hwservice_manager { add find };
#line 5
allow hal_wifi_hostapd_server hidl_base_hwservice:hwservice_manager add;
#line 5
# Build-time assertion: only hal_wifi_hostapd_server may register this hwservice name.
neverallow { domain -hal_wifi_hostapd_server } hal_wifi_hostapd_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
# AIDL service registration/lookup.
allow hal_wifi_hostapd_client hal_wifi_hostapd_service:service_manager find;
#line 6
#line 6
allow hal_wifi_hostapd_server hal_wifi_hostapd_service:service_manager { add find };
#line 6
neverallow { domain -hal_wifi_hostapd_server } hal_wifi_hostapd_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
# NOTE(review): the debug-only rules are absent from this expansion (no allow follows).
#line 6
#line 6
#line 6
#line 6
#line 8
# Call the servicemanager and transfer references to it.
#line 8
allow hal_wifi_hostapd_server servicemanager:binder { call transfer };
#line 8
# Allow servicemanager to send out callbacks
#line 8
allow servicemanager hal_wifi_hostapd_server:binder { call transfer };
#line 8
# servicemanager performs getpidcon on clients.
#line 8
allow servicemanager hal_wifi_hostapd_server:dir search;
#line 8
allow servicemanager hal_wifi_hostapd_server:file { read open };
#line 8
allow servicemanager hal_wifi_hostapd_server:process getattr;
#line 8
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 8
# all domains in domain.te.
#line 8
allow hal_wifi_hostapd_server dumpstate:fifo_file write;
# CAP_NET_ADMIN / CAP_NET_RAW, needed for the AP interface and raw socket work below.
allow hal_wifi_hostapd_server self:{ capability cap_userns } { net_admin net_raw };
allow hal_wifi_hostapd_server sysfs_net:dir search;
# Allow hal_wifi_hostapd to access /proc/net/psched
# NOTE(review): the rule targets proc_net_type, which (by its `_type` suffix)
# looks like an attribute covering more than /proc/net/psched — the grant is
# read-only but wider than this comment states; confirm and narrow if possible.
allow hal_wifi_hostapd_server proc_net_type:file { getattr open read };
# Various socket permissions.
# ioctl allowlist for hostapd's udp_socket. allowxperm only filters request
# codes on an existing `ioctl` grant; NOTE(review): no `allow
# hal_wifi_hostapd_server self:udp_socket` rule appears in this section, so the
# base grant must come from elsewhere (attribute rules, presumably) — confirm.
# The list appears to be an expanded shared macro (it is identical to the
# supplicant's udp_socket list further down).
allowxperm hal_wifi_hostapd_server self:udp_socket ioctl
#line 20
{
#line 20
# qualcomm rmnet ioctls
#line 20
0x00006900 0x00006902
#line 20
# socket ioctls
#line 20
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 20
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 20
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 20
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 20
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 20
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 20
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 20
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 20
0x00008991 0x00008992 0x00008993 0x00008994
#line 20
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 20
# device and protocol specific ioctls
#line 20
# Two contiguous ranges (not individual codes): anything a driver maps into
# these private ranges is reachable, so the effective scope depends on the driver.
#line 20
0x000089f0-0x000089ff
#line 20
0x000089e0-0x000089ef
#line 20
# Wireless extension ioctls
#line 20
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 20
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 20
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 20
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 20
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 20
0x00008b34 0x00008b35 0x00008b36
#line 20
# Dev private ioctl i.e. hardware specific ioctls
#line 20
0x00008be0-0x00008bff
#line 20
};
# Netlink and raw packet sockets. None of these permission sets includes
# ioctl, so no allowxperm is needed for them.
allow hal_wifi_hostapd_server self:netlink_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow hal_wifi_hostapd_server self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow hal_wifi_hostapd_server self:packet_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# nlmsg_write on a route socket permits modifying (not just reading) routing and
# link state; the base socket permissions for netlink_route_socket are not in
# this section.
allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;
###
### neverallow rules
###
# hal_wifi_hostapd should not trust any data from sdcards
# Build-time assertion: every file permission and every dir permission except
# getattr on sdcard_type/fuse is forbidden, so no future rule can let hostapd
# load configuration from user-writable storage.
neverallow hal_wifi_hostapd_server { sdcard_type fuse }:dir ~getattr;
neverallow hal_wifi_hostapd_server { sdcard_type fuse }:file *;
#line 1 "system/sepolicy/public/hal_wifi_supplicant.te"
# HwBinder IPC from client to server
# Bidirectional binder_call expansions follow despite the one-way header comment.
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_wifi_supplicant_client hal_wifi_supplicant_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_wifi_supplicant_server hal_wifi_supplicant_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_wifi_supplicant_client hal_wifi_supplicant_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_wifi_supplicant_server hal_wifi_supplicant_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_wifi_supplicant_client hal_wifi_supplicant_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_wifi_supplicant_server hal_wifi_supplicant_client:fd use;
#line 3
#line 5
# HIDL hwservice registration/lookup.
allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_wifi_supplicant_server hal_wifi_supplicant_hwservice:hwservice_manager { add find };
#line 5
allow hal_wifi_supplicant_server hidl_base_hwservice:hwservice_manager add;
#line 5
# Build-time assertion: only hal_wifi_supplicant_server may register this hwservice name.
neverallow { domain -hal_wifi_supplicant_server } hal_wifi_supplicant_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
# AIDL service registration/lookup.
allow hal_wifi_supplicant_client hal_wifi_supplicant_service:service_manager find;
#line 6
#line 6
allow hal_wifi_supplicant_server hal_wifi_supplicant_service:service_manager { add find };
#line 6
neverallow { domain -hal_wifi_supplicant_server } hal_wifi_supplicant_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
# NOTE(review): the debug-only rules are absent from this expansion (no allow follows).
#line 6
#line 6
#line 6
#line 6
# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
# The brace list below is the expanded priv_sock_ioctls macro. NOTE(review): no
# `allow hal_wifi_supplicant self:udp_socket` rule is in this section, so the
# base ioctl grant this filters must come from elsewhere — confirm.
allowxperm hal_wifi_supplicant self:udp_socket ioctl
#line 9
{
#line 9
# qualcomm rmnet ioctls
#line 9
0x00006900 0x00006902
#line 9
# socket ioctls
#line 9
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 9
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 9
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 9
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 9
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 9
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 9
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 9
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 9
0x00008991 0x00008992 0x00008993 0x00008994
#line 9
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 9
# device and protocol specific ioctls
#line 9
# Contiguous ranges; effective scope depends on what the driver maps here.
#line 9
0x000089f0-0x000089ff
#line 9
0x000089e0-0x000089ef
#line 9
# Wireless extension ioctls
#line 9
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 9
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 9
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 9
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 9
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 9
0x00008b34 0x00008b35 0x00008b36
#line 9
# Dev private ioctl i.e. hardware specific ioctls
#line 9
0x00008be0-0x00008bff
#line 9
};
#line 11
# Read-only access to sysfs_type and proc_net_type. NOTE(review): both look
# like attributes (the `_type` suffix), so these are wide read grants.
allow hal_wifi_supplicant sysfs_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 11
allow hal_wifi_supplicant sysfs_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 11
#line 12
allow hal_wifi_supplicant proc_net_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow hal_wifi_supplicant proc_net_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 12
# Capabilities: net_admin/net_raw as for the other Wi-Fi domains, plus
# setuid/setgid — the supplicant is the only domain in this section granted
# identity-changing capabilities, so any new rule here deserves scrutiny.
allow hal_wifi_supplicant self:{ capability cap_userns } { setuid net_admin setgid net_raw };
# Full rw on cgroup and cgroup_v2 directories (create/rmdir/rename/setattr
# plus the read and write sets).
allow hal_wifi_supplicant cgroup:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow hal_wifi_supplicant cgroup_v2:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
# nlmsg_write on the route socket permits modifying routing/link state.
allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
# Netlink sockets without ioctl in the permission set.
allow hal_wifi_supplicant self:netlink_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow hal_wifi_supplicant self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# packet_socket does include ioctl here (unlike hostapd's), hence the
# three-group allowxperm that follows.
allow hal_wifi_supplicant self:packet_socket { create { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# Group 1: interface information ioctls; group 2: the same priv_sock_ioctls
# expansion as above; group 3: presumably a common terminal/socket ioctl set
# (0x54xx codes) — confirm which macro it comes from.
allowxperm hal_wifi_supplicant self:packet_socket ioctl {
#line 21
{
#line 21
# Socket ioctls for gathering information about the interface
#line 21
0x00008906 0x00008907
#line 21
0x00008910 0x00008912 0x00008913 0x00008915 0x00008917 0x00008919
#line 21
0x0000891b 0x00008921 0x00008933 0x00008938 0x00008942
#line 21
# Wireless extension ioctls. Primarily get functions.
#line 21
0x00008b01 0x00008b05 0x00008b07 0x00008b09 0x00008b0b 0x00008b0d
#line 21
0x00008b0f 0x00008b11 0x00008b12 0x00008b13 0x00008b21 0x00008b23
#line 21
0x00008b25 0x00008b27 0x00008b29 0x00008b2d
#line 21
}
#line 21
{
#line 21
# qualcomm rmnet ioctls
#line 21
0x00006900 0x00006902
#line 21
# socket ioctls
#line 21
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 21
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 21
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 21
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 21
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 21
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 21
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 21
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 21
0x00008991 0x00008992 0x00008993 0x00008994
#line 21
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 21
# device and protocol specific ioctls
#line 21
0x000089f0-0x000089ff
#line 21
0x000089e0-0x000089ef
#line 21
# Wireless extension ioctls
#line 21
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 21
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 21
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 21
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 21
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 21
0x00008b34 0x00008b35 0x00008b36
#line 21
# Dev private ioctl i.e. hardware specific ioctls
#line 21
0x00008be0-0x00008bff
#line 21
} {
#line 21
0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414
#line 21
0x0000540e 0x0000540b 0x00005410 0x0000540f
#line 21
} };
#line 23
# keystore needs getpidcon-style access to identify the supplicant as a caller.
allow keystore hal_wifi_supplicant:dir search;
#line 23
allow keystore hal_wifi_supplicant:file { read open };
#line 23
allow keystore hal_wifi_supplicant:process getattr;
#line 23
# Lookup (find only) of the keystore-related service names.
allow hal_wifi_supplicant apc_service:service_manager find;
#line 23
allow hal_wifi_supplicant keystore_service:service_manager find;
#line 23
allow hal_wifi_supplicant legacykeystore_service:service_manager find;
#line 23
#line 23
# Call the server domain and optionally transfer references to it.
#line 23
allow hal_wifi_supplicant keystore:binder { call transfer };
#line 23
# Allow the serverdomain to transfer references to the client on the reply.
#line 23
allow keystore hal_wifi_supplicant:binder transfer;
#line 23
# Receive and use open files from the server.
#line 23
allow hal_wifi_supplicant keystore:fd use;
#line 23
#line 23
#line 23
# Call the server domain and optionally transfer references to it.
#line 23
allow keystore hal_wifi_supplicant:binder { call transfer };
#line 23
# Allow the serverdomain to transfer references to the client on the reply.
#line 23
allow hal_wifi_supplicant keystore:binder transfer;
#line 23
# Receive and use open files from the server.
#line 23
allow keystore hal_wifi_supplicant:fd use;
#line 23
#line 23
#line 24
# Call the servicemanager and transfer references to it.
#line 24
allow hal_wifi_supplicant_server servicemanager:binder { call transfer };
#line 24
# Allow servicemanager to send out callbacks
#line 24
allow servicemanager hal_wifi_supplicant_server:binder { call transfer };
#line 24
# servicemanager performs getpidcon on clients.
#line 24
allow servicemanager hal_wifi_supplicant_server:dir search;
#line 24
allow servicemanager hal_wifi_supplicant_server:file { read open };
#line 24
allow servicemanager hal_wifi_supplicant_server:process getattr;
#line 24
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 24
# all domains in domain.te.
#line 24
# Allow the WI-FI HAL to use keys in the keystore namespace wifi_key.
# Only get_info and use are granted on keystore2_key — the supplicant can
# perform operations with wifi_key keys through keystore but is not given
# any management permission on them here.
allow hal_wifi_supplicant wifi_key:keystore2_key { get_info use };
###
### neverallow rules
###
# wpa_supplicant should not trust any data from sdcards
# Build-time assertion: every file permission and every dir permission except
# getattr on sdcard_type/fuse is forbidden, so no future rule can let the
# supplicant read configuration or certificates from user-writable storage.
neverallow hal_wifi_supplicant_server { sdcard_type fuse }:dir ~getattr;
neverallow hal_wifi_supplicant_server { sdcard_type fuse }:file *;
#line 1 "system/sepolicy/public/healthd.te"
# healthd - battery/charger monitoring service daemon
# healthd is removed. The type is kept for backwards compatibility.
# No allow rules accompany the type in this section.
type healthd, domain;
#line 1 "system/sepolicy/public/heapprofd.te"
type heapprofd, domain, coredomain;
#line 1 "system/sepolicy/public/hwservice.te"
# hwservice types. By default most of the HALs are protected_hwservice, which means
# access from untrusted apps is prohibited.
type default_android_hwservice, hwservice_manager_type, protected_hwservice; type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice; type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice; type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice; type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice; type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice; type fwk_automotive_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice; type hal_atrace_hwservice, hwservice_manager_type, protected_hwservice; type hal_audio_hwservice, hwservice_manager_type, protected_hwservice; type hal_audiocontrol_hwservice, hwservice_manager_type, protected_hwservice; type hal_authsecret_hwservice, hwservice_manager_type, protected_hwservice; type hal_bluetooth_hwservice, hwservice_manager_type, protected_hwservice; type hal_bootctl_hwservice, hwservice_manager_type, protected_hwservice; type hal_broadcastradio_hwservice, hwservice_manager_type, protected_hwservice; type hal_camera_hwservice, hwservice_manager_type, protected_hwservice; type hal_can_bus_hwservice, hwservice_manager_type, protected_hwservice; type hal_can_controller_hwservice, hwservice_manager_type, protected_hwservice; type hal_confirmationui_hwservice, hwservice_manager_type, protected_hwservice; type hal_contexthub_hwservice, hwservice_manager_type, protected_hwservice; type hal_dumpstate_hwservice, hwservice_manager_type, protected_hwservice; type hal_evs_hwservice, hwservice_manager_type, protected_hwservice; type hal_face_hwservice, hwservice_manager_type, protected_hwservice; type hal_fingerprint_hwservice, hwservice_manager_type, protected_hwservice; type hal_gatekeeper_hwservice, hwservice_manager_type, protected_hwservice; type hal_gnss_hwservice, hwservice_manager_type, protected_hwservice; 
type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice; type hal_health_hwservice, hwservice_manager_type, protected_hwservice; type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice; type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice; type hal_ir_hwservice, hwservice_manager_type, protected_hwservice; type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice; type hal_light_hwservice, hwservice_manager_type, protected_hwservice; type hal_lowpan_hwservice, hwservice_manager_type, protected_hwservice; type hal_memtrack_hwservice, hwservice_manager_type, protected_hwservice; type hal_nfc_hwservice, hwservice_manager_type, protected_hwservice; type hal_oemlock_hwservice, hwservice_manager_type, protected_hwservice; type hal_power_hwservice, hwservice_manager_type, protected_hwservice; type hal_power_stats_hwservice, hwservice_manager_type, protected_hwservice; type hal_secure_element_hwservice, hwservice_manager_type, protected_hwservice; type hal_sensors_hwservice, hwservice_manager_type, protected_hwservice; type hal_telephony_hwservice, hwservice_manager_type, protected_hwservice; type hal_tetheroffload_hwservice, hwservice_manager_type, protected_hwservice; type hal_thermal_hwservice, hwservice_manager_type, protected_hwservice; type hal_tv_cec_hwservice, hwservice_manager_type, protected_hwservice; type hal_tv_input_hwservice, hwservice_manager_type, protected_hwservice; type hal_tv_tuner_hwservice, hwservice_manager_type, protected_hwservice; type hal_usb_gadget_hwservice, hwservice_manager_type, protected_hwservice; type hal_usb_hwservice, hwservice_manager_type, protected_hwservice; type hal_vehicle_hwservice, hwservice_manager_type, protected_hwservice; type hal_vibrator_hwservice, hwservice_manager_type, protected_hwservice; type hal_vr_hwservice, hwservice_manager_type, protected_hwservice; type hal_weaver_hwservice, hwservice_manager_type, protected_hwservice; 
type hal_wifi_hostapd_hwservice, hwservice_manager_type, protected_hwservice; type hal_wifi_hwservice, hwservice_manager_type, protected_hwservice; type hal_wifi_supplicant_hwservice, hwservice_manager_type, protected_hwservice; type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice; type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice; type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice; # The following hwservices are explicitly not marked with protected_hwservice. # These are directly accessible from untrusted apps. # - same process services: because they by definition run in the process # of the client and thus have the same access as the client domain in which # the process runs # - coredomain_hwservice: are considered safer than ordinary hwservices which # are from vendor partition # - hal_configstore_ISurfaceFlingerConfigs: because it has specifically been # designed for use by any domain. # - hal_graphics_allocator_hwservice: because these operations are also offered # by surfaceflinger Binder service, which apps are permitted to access # - hal_omx_hwservice: because this is a HwBinder version of the mediacodec # Binder service which apps were permitted to access. # - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice. # - hal_drm_hwservice: versions > API 29 are designed specifically with # untrusted app access in mind. 
type fwk_bufferhub_hwservice, hwservice_manager_type, coredomain_hwservice; type hal_cas_hwservice, hwservice_manager_type; type hal_codec2_hwservice, hwservice_manager_type; type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type; type hal_drm_hwservice, hwservice_manager_type; type hal_graphics_allocator_hwservice, hwservice_manager_type; type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice; type hal_neuralnetworks_hwservice, hwservice_manager_type; type hal_omx_hwservice, hwservice_manager_type; type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice; type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice; type hidl_base_hwservice, hwservice_manager_type; type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice; type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice; type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice; ### ### Neverallow rules ### # hwservicemanager handles registering or looking up named services. # It does not make sense to register or lookup something which is not a # hwservice. Trigger a compile error if this occurs. neverallow domain ~hwservice_manager_type:hwservice_manager { add find }; #line 1 "system/sepolicy/public/hwservicemanager.te" # hwservicemanager - the Binder context manager for HAL services type hwservicemanager, domain, mlstrustedsubject; type hwservicemanager_exec, system_file_type, exec_type, file_type; # Note that we do not use the binder_* macros here. # hwservicemanager provides name service (aka context manager) # for hwbinder. # Additionally, it initiates binder IPC calls to # clients who request service notifications. The permission # to do this is granted in the hwbinder_use macro. 
allow hwservicemanager self:binder set_context_mgr; # Scan through /system/lib64/hw looking for installed HALs allow hwservicemanager system_file:dir { open getattr read search ioctl lock watch watch_reads }; # Read hwservice_contexts allow hwservicemanager hwservice_contexts_file:file { getattr open read ioctl lock map watch watch_reads }; # Check SELinux permissions. #line 20 #line 20 allow hwservicemanager selinuxfs:dir { open getattr read search ioctl lock watch watch_reads }; #line 20 allow hwservicemanager selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 20 #line 20 allow hwservicemanager selinuxfs:file { open append write lock map }; #line 20 allow hwservicemanager kernel:security compute_av; #line 20 allow hwservicemanager self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; #line 20 #line 1 "system/sepolicy/public/idmap.te" # idmap, when executed by installd type idmap, domain; type idmap_exec, system_file_type, exec_type, file_type; # Allow read + write access to /data/resource-cache allow idmap resourcecache_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow idmap resourcecache_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; # Open and read from target and overlay apk files passed by argument. 
allow idmap apk_data_file:file { getattr open read ioctl lock map watch watch_reads }; allow idmap apk_data_file:dir search; # Allow /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files allow idmap { apk_tmp_file apk_private_tmp_file }:file { getattr open read ioctl lock map watch watch_reads }; allow idmap { apk_tmp_file apk_private_tmp_file }:dir search; # Allow apps access to /vendor/app #line 18 allow idmap vendor_app_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 18 allow idmap vendor_app_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 18 # Allow apps access to /vendor/overlay #line 21 allow idmap vendor_overlay_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 21 allow idmap vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 21 # Allow the idmap2d binary to register as a service and communicate via AIDL #line 24 # Call the servicemanager and transfer references to it. #line 24 allow idmap servicemanager:binder { call transfer }; #line 24 # Allow servicemanager to send out callbacks #line 24 allow servicemanager idmap:binder { call transfer }; #line 24 # servicemanager performs getpidcon on clients. #line 24 allow servicemanager idmap:dir search; #line 24 allow servicemanager idmap:file { read open }; #line 24 allow servicemanager idmap:process getattr; #line 24 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 24 # all domains in domain.te. #line 24 #line 25 typeattribute idmap binderservicedomain; #line 25 #line 26 allow idmap idmap_service:service_manager { add find }; #line 26 neverallow { domain -idmap } idmap_service:service_manager add; #line 26 #line 26 # On debug builds with root, allow binder services to use binder over TCP. #line 26 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. 
#line 26 #line 26 #line 1 "system/sepolicy/public/incident.te" # The incident command is used to call into the incidentd service to # take an incident report (binary, shared bugreport), download incident # reports that have already been taken, and monitor for new ones. # It doesn't do anything else. # incident type incident, domain; #line 1 "system/sepolicy/public/incident_helper.te" # The incident_helper is called by incidentd and # can only read/write data from/to incidentd # incident_helper type incident_helper, domain; #line 1 "system/sepolicy/public/incidentd.te" # incidentd type incidentd, domain; #line 1 "system/sepolicy/public/init.te" # init is its own domain. type init, domain, mlstrustedsubject; type init_exec, system_file_type, exec_type, file_type; type init_tmpfs, file_type; # /dev/__null__ node created by init. allow init tmpfs:chr_file { create setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # # init direct restorecon calls. 
# # /dev/kmsg allow init tmpfs:chr_file relabelfrom; allow init kmsg_device:chr_file { getattr write relabelto }; # /dev/kmsg_debug #line 18 # allow init to mount and unmount debugfs in debug builds #line 23 # /dev/__properties__ allow init properties_device:dir relabelto; allow init properties_serial:file { write relabelto }; allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write }; # /dev/__properties__/property_info and /dev/__properties/appcompat_override/property_info allow init properties_device:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow init property_info:file relabelto; # /dev/event-log-tags allow init device:file relabelfrom; allow init runtime_event_log_tags_file:file { open write setattr relabelto create }; # /dev/socket allow init { device socket_device dm_user_device }:dir relabelto; # allow init to establish connection and communicate with lmkd #line 38 allow init lmkd_socket:sock_file write; #line 38 allow init lmkd:unix_stream_socket connectto; #line 38 # Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random # and /dev/urandom allow init { console_device null_device ptmx_device random_device } : chr_file relabelto; # /dev/device-mapper, /dev/block(/.*)? 
allow init tmpfs:{ chr_file blk_file } relabelfrom; allow init tmpfs:blk_file getattr; allow init block_device:{ dir blk_file lnk_file } relabelto; allow init dm_device:{ chr_file blk_file } relabelto; allow init dm_user_device:chr_file relabelto; allow init kernel:fd use; # restorecon for early mount device symlinks allow init tmpfs:lnk_file { getattr read relabelfrom }; allow init { metadata_block_device misc_block_device recovery_block_device system_block_device userdata_block_device }:{ blk_file lnk_file } relabelto; allow init dtbo_block_device:lnk_file relabelto; allow init super_block_device:lnk_file relabelto; # Create /mnt/sdcard -> /storage/self/primary symlink. allow init mnt_sdcard_file:lnk_file create; # setrlimit allow init self:{ capability cap_userns } sys_resource; # Remove /dev/.booting and load /debug_ramdisk/* files allow init tmpfs:file { getattr unlink }; # Access pty created for fsck. allow init devpts:chr_file { read write open }; # Create /dev/fscklogs files. allow init fscklogs:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Access /dev/__null__ node created prior to initial policy load. allow init tmpfs:chr_file write; # Access /dev/console. allow init console_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # Access /dev/tty0. allow init tty_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # Call mount(2). allow init self:{ capability cap_userns } sys_admin; # Call setns(2). allow init self:{ capability cap_userns } sys_chroot; # Create and mount on directories in /. 
allow init rootfs:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow init { rootfs cache_file cgroup linkerconfig_file storage_file mnt_user_file system_data_file system_data_root_file system_dlkm_file system_file vendor_file postinstall_mnt_dir mirror_data_file shell_data_file }:dir mounton; # Mount bpf fs on sys/fs/bpf allow init fs_bpf:dir mounton; # Mount on /dev/usb-ffs/adb. allow init device:dir mounton; # Mount tmpfs on /apex allow init apex_mnt_dir:dir mounton; # Bind-mount on /system/apex/com.android.art allow init art_apex_dir:dir mounton; # Create and remove symlinks in /. allow init rootfs:lnk_file { create unlink }; # Mount debugfs on /sys/kernel/debug. allow init sysfs:dir mounton; # Create cgroups mount points in tmpfs and mount cgroups on them. allow init tmpfs:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow init tmpfs:dir mounton; allow init cgroup:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow init cgroup:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow init cgroup_rc_file:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow init cgroup_desc_file:file { getattr open read ioctl lock map watch watch_reads }; allow init cgroup_desc_api_file:file { getattr open read ioctl lock map watch watch_reads }; allow init vendor_cgroup_desc_file:file { getattr open read ioctl lock map watch watch_reads }; allow init cgroup_v2:dir { mounton { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }}; allow init cgroup_v2:file { { getattr 
open read ioctl lock map watch watch_reads } { open append write lock map } }; # /config allow init configfs:dir mounton; allow init configfs:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow init configfs:{ file lnk_file } { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # /metadata allow init metadata_file:dir mounton; # Run restorecon on /dev allow init tmpfs:dir relabelfrom; # Create directories under /dev/cpuctl after chowning it to system. allow init self:{ capability cap_userns } { dac_override dac_read_search }; # Set system clock. allow init self:{ capability cap_userns } sys_time; allow init self:{ capability cap_userns } { sys_rawio mknod }; # Mounting filesystems from block devices. allow init dev_type:blk_file { getattr open read ioctl lock map watch watch_reads }; allowxperm init dev_type:blk_file ioctl 0x0000125d; allowxperm init system_data_root_file:dir ioctl 0x587d; # Mounting filesystems. # Only allow relabelto for types used in context= mount options, # which should all be assigned the contextmount_type attribute. # This can be done in device-specific policy via type or typeattribute # declarations. allow init { fs_type # BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify #line 172 -debugfs_type #line 172 # END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify #line 172 }:filesystem ~relabelto; # Allow init to mount/unmount debugfs in non-user builds. 
# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify #line 176 #line 176 #line 176 #line 176 # END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify #line 178 # Allow init to mount tracefs in /sys/kernel/tracing allow init debugfs_tracing_debug:filesystem mount; allow init unlabeled:filesystem ~relabelto; allow init contextmount_type:filesystem relabelto; # Allow read-only access to context= mounted filesystems. allow init contextmount_type:dir { open getattr read search ioctl lock watch watch_reads }; allow init contextmount_type:{ file lnk_file sock_file fifo_file } { getattr open read ioctl lock map watch watch_reads }; # restorecon /adb_keys or any other rootfs files and directories to a more # specific type. allow init rootfs:{ dir file } relabelfrom; # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files. # chown/chmod require open+read+setattr for open()+fchown/fchmod(). # system/core/init.rc requires at least cache_file and data_file_type. # init.<board>.rc files often include device-specific types, so # we just allow all file types except /system files here. 
allow init self:{ capability cap_userns } { chown fowner fsetid }; allow init { file_type -app_data_file -bpffs_type -exec_type -misc_logd_file -nativetest_data_file -privapp_data_file -system_app_data_file -system_dlkm_file_type -system_file_type -vendor_file_type }:dir { create search getattr open read setattr ioctl }; allow init { file_type -app_data_file -bpffs_type -credstore_data_file -exec_type -keystore_data_file -media_userdir_file -misc_logd_file -nativetest_data_file -privapp_data_file -shell_data_file -system_app_data_file -system_dlkm_file_type -system_file_type -system_userdir_file -vendor_file_type -vendor_userdir_file -vold_data_file }:dir { write add_name remove_name rmdir relabelfrom }; allow init { file_type -apex_info_file -app_data_file -bpffs_type -exec_type -gsi_data_file -credstore_data_file -keystore_data_file -misc_logd_file -nativetest_data_file -privapp_data_file -runtime_event_log_tags_file -shell_data_file -system_app_data_file -system_dlkm_file_type -system_file_type -vendor_file_type -vold_data_file # BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify #line 255 -debugfs_type #line 255 # END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify #line 255 }:file { create getattr open read write setattr relabelfrom unlink map }; allow init tracefs_type:file { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } relabelfrom }; # Allow init to read /apex/apex-info-list.xml for preinstalled paths of APEXes to determine # subcontext for action/service defined in APEXes. 
allow init apex_info_file:file { getattr open read ioctl lock map watch watch_reads }; allow init { file_type -app_data_file -bpffs_type -exec_type -gsi_data_file -credstore_data_file -keystore_data_file -misc_logd_file -nativetest_data_file -privapp_data_file -shell_data_file -system_app_data_file -system_dlkm_file_type -system_file_type -vendor_file_type -vold_data_file }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink }; allow init { file_type -apex_mnt_dir -app_data_file -bpffs_type -exec_type -gsi_data_file -credstore_data_file -keystore_data_file -misc_logd_file -nativetest_data_file -privapp_data_file -shell_data_file -system_app_data_file -system_dlkm_file_type -system_file_type -vendor_file_type -vold_data_file }:lnk_file { create getattr setattr relabelfrom unlink }; allow init cache_file:lnk_file { getattr open read ioctl lock map watch watch_reads }; allow init { file_type -bpffs_type -system_dlkm_file_type -system_file_type -vendor_file_type -exec_type -app_data_file -privapp_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto; allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom }; allow init { sysfs_type debugfs_type tracefs_type }:{ dir file lnk_file } { relabelto getattr }; allow init dev_type:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow init dev_type:lnk_file create; # Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on allow init debugfs_tracing:file { open append write lock map }; # Setup and control wifi event tracing (see wifi-events.rc) allow init debugfs_tracing_instances:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow init debugfs_tracing_instances:file { open append 
write lock map }; allow init debugfs_wifi_tracing:file { open append write lock map }; # chown/chmod on pseudo files. allow init { fs_type -bpffs_type -contextmount_type -keychord_device -proc_type -sdcard_type -fusefs_type -sysfs_type -rootfs # BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify #line 340 -debugfs_type #line 340 # END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify #line 340 }:file { open read setattr }; allow init { fs_type -bpffs_type -contextmount_type -sdcard_type -fusefs_type -rootfs }:dir { open read setattr search }; allow init { binder_device console_device devpts dm_device hwbinder_device input_device kmsg_device null_device owntty_device pmsg_device ptmx_device random_device tty_device zero_device }:chr_file { read open }; # Unlabeled file access for upgrades from 4.2. allow init unlabeled:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelfrom }; allow init unlabeled:{ file lnk_file sock_file fifo_file } { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } relabelfrom }; # Any operation that can modify the kernel ring buffer, e.g. clear # or a read that consumes the messages that were read. allow init kernel:system syslog_mod; allow init self:{ capability2 cap2_userns } syslog; # init access to /proc. #line 378 allow init proc_net_type:dir { open getattr read search ioctl lock watch watch_reads }; #line 378 allow init proc_net_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 378 allow init proc_filesystems:file { getattr open read ioctl lock map watch watch_reads }; #line 387 allow init { proc # b/67049235 processes' /proc/<pid>/* files are mislabeled. proc_bootconfig proc_cmdline proc_diskstats proc_kmsg # Open /proc/kmsg for logd service. 
proc_meminfo proc_stat # Read /proc/stat for bootchart. proc_uptime proc_version }:file { getattr open read ioctl lock map watch watch_reads }; allow init { proc_abi proc_cpu_alignment proc_dirty proc_hostname proc_hung_task proc_extra_free_kbytes proc_net_type proc_max_map_count proc_min_free_order_shift proc_overcommit_memory # /proc/sys/vm/overcommit_memory proc_panic proc_page_cluster proc_perf proc_sched proc_sysrq proc_watermark_boost_factor }:file { open append write lock map }; allow init { proc_security }:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # init chmod/chown access to /proc files. allow init { proc_cmdline proc_bootconfig proc_kmsg proc_net proc_pagetypeinfo proc_qtaguid_stat proc_slabinfo proc_sysrq proc_qtaguid_ctrl proc_vmallocinfo }:file setattr; # init access to /sys files. allow init { sysfs_android_usb sysfs_dm_verity sysfs_leds sysfs_power sysfs_fs_f2fs sysfs_dm sysfs_lru_gen_enabled }:file { open append write lock map }; allow init { sysfs_dt_firmware_android sysfs_fs_ext4_features }:file { getattr open read ioctl lock map watch watch_reads }; allow init { sysfs_zram }:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # allow init to create loop devices with /dev/loop-control allow init loop_control_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow init loop_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allowxperm init loop_device:blk_file ioctl { 0x00004c00 0x00004c01 0x00004c82 0x00004c09 0x00004c08 0x00004c03 0x00004c04 }; # Allow init to write to vibrator/trigger allow init sysfs_vibrator:file { open append write lock map }; # init chmod/chown access to /sys files. 
allow init { sysfs_android_usb sysfs_devices_system_cpu sysfs_ipv4 sysfs_leds sysfs_lowmemorykiller sysfs_power sysfs_vibrator sysfs_wake_lock sysfs_zram }:file setattr; # Set usermodehelpers. allow init { usermodehelper sysfs_usermodehelper }:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow init self:{ capability cap_userns } net_admin; # Reboot. allow init self:{ capability cap_userns } sys_boot; # Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd". # Init will also walk through the directory as part of a recursive restorecon. allow init misc_logd_file:dir { add_name open create read getattr setattr search write }; allow init misc_logd_file:file { open create getattr setattr write }; # Support "adb shell stop" allow init self:{ capability cap_userns } kill; allow init domain:process { getpgid sigkill signal }; # Init creates credstore's directory on boot, and walks through # the directory as part of a recursive restorecon. allow init credstore_data_file:dir { open create read getattr setattr search }; allow init credstore_data_file:file { getattr }; # Init creates keystore's directory on boot, and walks through # the directory as part of a recursive restorecon. allow init keystore_data_file:dir { open create read getattr setattr search }; allow init keystore_data_file:file { getattr }; # Init creates vold's directory on boot, and walks through # the directory as part of a recursive restorecon. allow init vold_data_file:dir { open create read getattr setattr search }; allow init vold_data_file:file { getattr }; # Init creates /data/local/tmp at boot allow init shell_data_file:dir { open create read getattr setattr search }; allow init shell_data_file:file { getattr }; # Set UID, GID, and adjust capability bounding set for services. 
allow init self:{ capability cap_userns } { setuid setgid setpcap }; # For bootchart to read the /proc/$pid/cmdline file of each process, # we need to have following line to allow init to have access # to different domains. #line 529 allow init domain:dir { open getattr read search ioctl lock watch watch_reads }; #line 529 allow init domain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 529 # Use setexeccon(), setfscreatecon(), and setsockcreatecon(). # setexec is for services with seclabel options. # setfscreate is for labeling directories and socket files. # setsockcreate is for labeling local/unix domain sockets. allow init self:process { setexec setfscreate setsockcreate }; # Get file context allow init file_contexts_file:file { getattr open read ioctl lock map watch watch_reads }; # sepolicy access allow init sepolicy_file:file { getattr open read ioctl lock map watch watch_reads }; # Perform SELinux access checks on setting properties. #line 544 #line 544 allow init selinuxfs:dir { open getattr read search ioctl lock watch watch_reads }; #line 544 allow init selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 544 #line 544 allow init selinuxfs:file { open append write lock map }; #line 544 allow init kernel:security compute_av; #line 544 allow init self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; #line 544 # Ask the kernel for the new context on services to label their sockets. allow init kernel:security compute_create; # Create sockets for the services. allow init domain:unix_stream_socket { create bind setopt }; allow init domain:unix_dgram_socket { create bind setopt }; # Create /data/property and files within it. 
allow init property_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow init property_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Set any property. allow init property_type:property_service set; # Send an SELinux userspace denial to the kernel audit subsystem, # so it can be picked up and processed by logd. These denials are # generated when an attempt to set a property is denied by policy. allow init self:netlink_audit_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_relay }; allow init self:{ capability cap_userns } audit_write; # Run "ifup lo" to bring up the localhost interface allow init self:udp_socket { create ioctl }; # in addition to unpriv ioctls granted to all domains, init also needs: allowxperm init self:udp_socket ioctl 0x00008914; allow init self:{ capability cap_userns } net_raw; # Set scheduling info for psi monitor thread. # TODO: delete or revise this line b/131761776 allow init kernel:process { getsched setsched }; # swapon() needs write access to swap device # system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all allow init swap_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # Create and access /dev files without a specific type, # e.g. /dev/.coldboot_done, /dev/.booting # TODO: Move these files into their own type unless they are # only ever accessed by init. 
allow init device:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # keychord retrieval from /dev/input/ devices allow init input_device:dir { open getattr read search ioctl lock watch watch_reads }; allow init input_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # Access device mapper for setting up dm-verity allow init dm_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow init dm_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # Access dm-user for OTA boot allow init dm_user_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # Access metadata block device for storing dm-verity state allow init metadata_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # Read /sys/fs/pstore/console-ramoops to detect restarts caused # by dm-verity detecting corrupted blocks allow init pstorefs:dir search; allow init pstorefs:file { getattr open read ioctl lock map watch watch_reads }; allow init kernel:system syslog_read; # linux keyring configuration allow init init:key { write search setattr }; # Allow init to create /data/unencrypted allow init unencrypted_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; # Set encryption policy on dirs in /data allowxperm init { data_file_type unlabeled }:dir ioctl { 0x400c6615 0x800c6613 }; # Raw writes to misc block device allow init misc_block_device:blk_file { open append write lock map }; #line 621 allow init system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 621 allow init system_file:{ file lnk_file } { getattr open read 
ioctl lock map watch watch_reads }; #line 621 #line 622 allow init system_dlkm_file_type:dir { open getattr read search ioctl lock watch watch_reads }; #line 622 allow init system_dlkm_file_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 622 #line 623 allow init vendor_file_type:dir { open getattr read search ioctl lock watch watch_reads }; #line 623 allow init vendor_file_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 623 allow init system_data_file:file { getattr read }; allow init system_data_file:lnk_file { getattr open read ioctl lock map watch watch_reads }; # For init to be able to run shell scripts from vendor allow init vendor_shell_exec:file execute; # Metadata setup allow init vold_metadata_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow init vold_metadata_file:file getattr; allow init metadata_bootstat_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow init metadata_bootstat_file:file { open append write lock map }; allow init userspace_reboot_metadata_file:file { open append write lock map }; # Allow init to touch PSI monitors allow init proc_pressure_mem:file { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } setattr }; # init is using bootstrap bionic #line 642 allow init system_bootstrap_lib_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 642 allow init system_bootstrap_lib_file:file { execute read open getattr map }; #line 642 # stat the root dir of fuse filesystems (for the mount handler) allow init fuse:dir { search getattr }; # allow filesystem tuning allow init userdata_sysdev:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open 
append write lock map } } }; # allow disk tuning allow init rootdisk_sysdev:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; ### ### neverallow rules ### # The init domain is only entered via an exec based transition from the # kernel domain, never via setcon(). neverallow domain init:process dyntransition; neverallow { domain -kernel } init:process transition; neverallow init { file_type fs_type -init_exec }:file entrypoint; # Never read/follow symlinks created by shell or untrusted apps. neverallow init shell_data_file:lnk_file read; neverallow init app_data_file_type:lnk_file read; # init should never execute a program without changing to another domain. neverallow init { file_type fs_type }:file execute_no_trans; # The use of sensitive environment variables, such as LD_PRELOAD, is disallowed # when init is executing other binaries. The use of LD_PRELOAD for init spawned # services is generally considered a no-no, as it injects libraries which the # binary was not expecting. This is especially problematic for APEXes. The use # of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads # code into a process which wasn't expecting that code, with potentially # unexpected side effects. (b/140789528) neverallow init *:process noatsecure; # init can never add binder services neverallow init service_manager_type:service_manager { add find }; # init can never list binder services neverallow init servicemanager:service_manager list; # Init should not be creating subdirectories in /data/local/tmp neverallow init shell_data_file:dir { write add_name remove_name }; # Init should not access sysfs node that are not explicitly labeled. neverallow init sysfs:file { open write }; # No domain should be allowed to ptrace init. 
neverallow * init:process ptrace; # init owns the root of /data # TODO(b/140259336) We want to remove vendor_init # TODO(b/141108496) We want to remove toolbox neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name }; #line 1 "system/sepolicy/public/inputflinger.te" # inputflinger type inputflinger, domain; type inputflinger_exec, system_file_type, exec_type, file_type; #line 5 # Call the servicemanager and transfer references to it. #line 5 allow inputflinger servicemanager:binder { call transfer }; #line 5 # Allow servicemanager to send out callbacks #line 5 allow servicemanager inputflinger:binder { call transfer }; #line 5 # servicemanager performs getpidcon on clients. #line 5 allow servicemanager inputflinger:dir search; #line 5 allow servicemanager inputflinger:file { read open }; #line 5 allow servicemanager inputflinger:process getattr; #line 5 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 5 # all domains in domain.te. #line 5 #line 6 typeattribute inputflinger binderservicedomain; #line 6 #line 8 # Call the server domain and optionally transfer references to it. #line 8 allow inputflinger system_server:binder { call transfer }; #line 8 # Allow the serverdomain to transfer references to the client on the reply. #line 8 allow system_server inputflinger:binder transfer; #line 8 # Receive and use open files from the server. #line 8 allow inputflinger system_server:fd use; #line 8 #line 10 # TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is #line 10 # deprecated. 
# Access /sys/power/wake_lock and /sys/power/wake_unlock
# Read + write on the wake-lock sysfs nodes (no create/unlink).
allow inputflinger sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Accessing these files requires CAP_BLOCK_SUSPEND
allow inputflinger self:{ capability2 cap2_userns } block_suspend;

# system_suspend permissions
# Binder client of system_suspend_server.
# Call the server domain and optionally transfer references to it.
allow inputflinger system_suspend_server:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow system_suspend_server inputflinger:binder transfer;
# Receive and use open files from the server.
allow inputflinger system_suspend_server:fd use;
allow inputflinger system_suspend_hwservice:hwservice_manager find;

# halclientdomain permissions
# Call the hwservicemanager and transfer references to it.
allow inputflinger hwservicemanager:binder { call transfer };
# Allow hwservicemanager to send out callbacks
allow hwservicemanager inputflinger:binder { call transfer };
# hwservicemanager performs getpidcon on clients.
allow hwservicemanager inputflinger:dir search;
allow hwservicemanager inputflinger:file { read open map };
allow hwservicemanager inputflinger:process getattr;
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
# all domains in domain.te.

# Read-only access to the hwservicemanager property file.
allow inputflinger hwservicemanager_prop:file { getattr open read map };
allow inputflinger hidl_manager_hwservice:hwservice_manager find;

# AIDL suspend hal permissions
allow inputflinger hal_system_suspend_service:service_manager find;

# Call the servicemanager and transfer references to it.
# Second expansion of the servicemanager-client macro for inputflinger; these rules
# duplicate ones already granted above and are harmless (allow rules are additive).
allow inputflinger servicemanager:binder { call transfer };
# Allow servicemanager to send out callbacks
allow servicemanager inputflinger:binder { call transfer };
# servicemanager performs getpidcon on clients.
allow servicemanager inputflinger:dir search;
allow servicemanager inputflinger:file { read open };
allow servicemanager inputflinger:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.

# Input device nodes: read the directory, read + write the character devices.
allow inputflinger input_device:dir { open getattr read search ioctl lock watch watch_reads };
allow inputflinger input_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };

# Read-only access to cgroup v1 and v2 hierarchies.
allow inputflinger cgroup:dir { open getattr read search ioctl lock watch watch_reads };
allow inputflinger cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
allow inputflinger cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
allow inputflinger cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };

#line 1 "system/sepolicy/public/installd.te"
# installer daemon
type installd, domain;
type installd_exec, system_file_type, exec_type, file_type;
# MLS-trusted subject: presumably exempt from the policy's MLS constraints —
# NOTE(review): confirm against the mls constraints in this policy.
typeattribute installd mlstrustedsubject;

# NOTE(review): a wide capability set for a daemon that handles app data from every
# UID; dac_override/dac_read_search bypass Unix permissions and sys_admin is broad.
# Any denial here should be examined before the set is widened further.
allow installd self:{ capability cap_userns } { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin kill };

# Allow labeling of files under /data/app/com.example/oat/
allow installd dalvikcache_data_file:dir relabelto;
allow installd dalvikcache_data_file:file { relabelto link };

# Allow movement of APK files between volumes
# Directory: create/rename/rmdir plus read + write; relabelfrom lets the label be changed away.
allow installd apk_data_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelfrom };
allow installd apk_data_file:file { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } relabelfrom link };
allow installd apk_data_file:lnk_file { create { getattr open read ioctl lock map watch watch_reads } unlink };
allow installd asec_apk_file:file { getattr open read ioctl lock map watch watch_reads };
allow installd apk_tmp_file:file { { getattr open read ioctl lock map watch watch_reads } unlink };
allow installd apk_tmp_file:dir { relabelfrom { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } };

# Read-only access to /oem.
allow installd oemfs:dir { open getattr read search ioctl lock watch watch_reads };
allow installd oemfs:file { getattr open read ioctl lock map watch watch_reads };

# Full directory management on cgroup v1 and v2 hierarchies (no file writes granted here).
allow installd cgroup:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow installd cgroup_v2:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow installd mnt_expand_file:dir { search getattr };

# Check validity of SELinux context before use.
# selinuxfs access needed for context validation: read the fs, write the query
# node, and ask the kernel to check a context (no setenforce/load granted here).
allow installd selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
allow installd selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
allow installd selinuxfs:file { open append write lock map };
allow installd kernel:security check_context;

# Read-only access to the root filesystem.
allow installd rootfs:dir { open getattr read search ioctl lock watch watch_reads };
allow installd rootfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };

# Scan through APKs in /system/app and /system/priv-app
allow installd system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow installd system_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };

# Scan through APKs in /vendor/app
allow installd vendor_app_file:dir { open getattr read search ioctl lock watch watch_reads };
allow installd vendor_app_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };

# Scan through JARs in /vendor/framework
allow installd vendor_framework_file:dir { open getattr read search ioctl lock watch watch_reads };
allow installd vendor_framework_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };

# Scan through Runtime Resource Overlay APKs in /vendor/overlay
allow installd vendor_overlay_file:dir { open getattr read search ioctl lock watch watch_reads };
allow installd vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };

# Vendor overlay can be found in vendor apex
allow installd vendor_apex_metadata_file:dir { getattr search };

# Get file context
allow installd file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };

# Get seapp_context
allow installd seapp_contexts_file:file { getattr open read ioctl lock map watch watch_reads };

# Search /data/app-asec and stat files in it.
allow installd asec_image_file:dir search;
allow installd asec_image_file:file getattr;

# Required to initially create subdirectories of /data/user/$userId
# and lib symlinks before the setfilecon call. May want to
# move symlink creation after setfilecon in installd.
allow installd system_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };

# Also, allow read for lnk_file so that we can process symlinks within
# /data/user/$userId when optimizing application code.
allow installd system_data_file:lnk_file { create getattr read setattr unlink };

# Manage lower filesystem via pass_through mounts
allow installd mnt_pass_through_file:dir { open getattr read search ioctl lock watch watch_reads };

# Upgrade /data/media for multi-user if necessary.
allow installd media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow installd media_rw_data_file:file { getattr unlink };

# restorecon new /data/media directory.
# relabelfrom/relabelto pair needed to move a directory from system_data_file to media_rw_data_file.
allow installd system_data_file:dir relabelfrom;
allow installd media_rw_data_file:dir relabelto;

# Delete /data/media files through sdcardfs, instead of going behind its back
allow installd media_userdir_file:dir { open getattr read search ioctl lock watch watch_reads };
allow installd tmpfs:dir { open getattr read search ioctl lock watch watch_reads };
allow installd storage_file:dir search;
# Deletion-only access on the emulated storage view: no file create/write is granted.
allow installd { sdcard_type fuse }:dir { search open read write remove_name getattr rmdir };
allow installd { sdcard_type fuse }:file { getattr unlink };

# Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
allow installd mirror_data_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } mounton };

# Upgrade /data/misc/keychain for multi-user if necessary.
allow installd system_userdir_file:dir { open getattr read search ioctl lock watch watch_reads };
allow installd misc_user_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow installd misc_user_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow installd keychain_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
# Read + unlink only on keychain files (no write).
allow installd keychain_data_file:file {{ getattr open read ioctl lock map watch watch_reads } unlink};

# Create /data/misc/installd/layout_version.* file
allow installd install_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow installd install_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };

# Create files under /data/dalvik-cache.
allow installd dalvikcache_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow installd dalvikcache_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow installd dalvikcache_data_file:lnk_file getattr;

# Create files under /data/resource-cache.
allow installd resourcecache_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow installd resourcecache_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };

# Upgrade from unlabeled userdata.
# Just need enough to remove and/or relabel it.
allow installd unlabeled:dir { getattr search relabelfrom { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } rmdir };
allow installd unlabeled:{ file lnk_file sock_file fifo_file } { getattr relabelfrom rename unlink setattr };

# Read pkg.apk file for input during dexopt.
# NOTE(review): this grants read on any unlabeled file, not only APKs; the type is
# the catch-all for files with no label, so keep it limited to read as it is here.
allow installd unlabeled:file { getattr open read ioctl lock map watch watch_reads };

# Upgrade from before system_app_data_file was used for system UID apps.
# Just need enough to relabel it and to unlink removed package files.
# Directory access covered by earlier rule above.
allow installd system_data_file:{ file lnk_file sock_file fifo_file } { getattr relabelfrom unlink };

# Manage /data/data subdirectories, including initially labeling them
# upon creation via setfilecon or running restorecon_recursive,
# setting owner/mode, creating symlinks within them, and deleting them
# upon package uninstall.
# Full management plus relabel in both directions on every app-data type (the attribute
# covers all per-app data labels, so installd can read and write any app's private files).
allow installd app_data_file_type:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelfrom relabelto };
allow installd app_data_file_type:{ file lnk_file sock_file fifo_file } { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } relabelfrom relabelto };

# Allow setting extended attributes (for project quota IDs) on dirs and files
# and to enable project ID inheritance through FS_IOC_SETFLAGS
# Added install_data_file to be able to create file under /data/misc/installd/ioctl_check
# The ioctl permission above is narrowed to exactly four request codes; presumably the
# FS_IOC_FSGETXATTR/FS_IOC_FSSETXATTR and FS_IOC_GETFLAGS/FS_IOC_SETFLAGS encodings —
# NOTE(review): verify the numbers against the kernel's linux/fs.h for this ABI.
allowxperm installd { app_data_file_type system_data_file install_data_file}:{ dir file } ioctl { 0x801c581f 0x401c5820 0x80086601 0x40086602 };

# Similar for the files under /data/misc/profiles/
allow installd user_profile_root_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelfrom };
allow installd user_profile_data_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelto };
allow installd user_profile_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Redundant: unlink is already in the file permission set granted on the previous rule.
allow installd user_profile_data_file:file unlink;

# Allow zygote to unmount mirror directories
# NOTE(review): the comment names zygote but the subject of the rule is installd.
allow installd labeledfs:filesystem unmount;

# Files created/updated by profman dumps.
allow installd profman_dump_data_file:dir { search add_name write };
allow installd profman_dump_data_file:file { create setattr open write };

# Create and use pty created by android_fork_execvp().
# Read + write on pseudo-terminals.
allow installd devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };

# execute toybox for app relocation
# execute_no_trans: toybox runs inside the installd domain itself (no domain transition),
# so it carries installd's full permission set while it runs.
allow installd toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };

# Allow installd to publish a binder service and make binder calls.
# Call the servicemanager and transfer references to it.
allow installd servicemanager:binder { call transfer };
# Allow servicemanager to send out callbacks
allow servicemanager installd:binder { call transfer };
# servicemanager performs getpidcon on clients.
allow servicemanager installd:dir search;
allow servicemanager installd:file { read open };
allow servicemanager installd:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.

# Only installd may register installd_service; every other domain is forbidden at build time.
allow installd installd_service:service_manager { add find };
neverallow { domain -installd } installd_service:service_manager add;
# On debug builds with root, allow binder services to use binder over TCP.
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# (No rule follows that comment in this expansion; presumably the TCP rule is
# build-conditional and absent from this build — verify against the macro source.)

allow installd dumpstate:fifo_file { getattr write };

# Allow installd to call into the system server so it can check permissions.
# Call the server domain and optionally transfer references to it.
allow installd system_server:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow system_server installd:binder transfer;
# Receive and use open files from the server.
allow installd system_server:fd use;
allow installd permission_service:service_manager find;

# Allow installd to read and write quotas
allow installd block_device:dir { search };
allow installd labeledfs:filesystem { quotaget quotamod };

# Allow installd to delete from /data/preloads when trimming data caches
# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
# Read + unlink on files, read + remove entries on directories: no creation or writing of preloads.
allow installd preloads_data_file:file { { getattr open read ioctl lock map watch watch_reads } unlink };
allow installd preloads_data_file:dir { { open getattr read search ioctl lock watch watch_reads } write remove_name rmdir };
allow installd preloads_media_file:file { { getattr open read ioctl lock map watch watch_reads } unlink };
allow installd preloads_media_file:dir { { open getattr read search ioctl lock watch watch_reads } write remove_name rmdir };

# Allow installd to read /proc/filesystems
allow installd proc_filesystems:file { getattr open read ioctl lock map watch watch_reads };

#add for move app to sd card
allow installd storage_config_prop:file { getattr open read map };

# Allow installd to access apps installed on the Incremental File System
# Accessing files on the Incremental File System uses fds opened in the context of vold.
allow installd vold:fd use;

###
### Neverallow rules
###
# only system_server, installd, dumpstate, and servicemanager may interact with installd over binder
# Three assertions together: who may look the service up, who may call installd, and whom
# installd may call back. Widening any of them needs a matching change to the exception list.
neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
neverallow { domain -system_server -dumpstate -servicemanager } installd:binder call;
neverallow installd { domain -system_server -servicemanager }:binder call;

#line 1 "system/sepolicy/public/isolated_app.te"
###
### Services with isolatedProcess=true in their manifest.
###
### This file defines the rules for isolated apps. An "isolated
### app" is an APP with UID between AID_ISOLATED_START (99000)
### and AID_ISOLATED_END (99999).
###
# Only the type declaration is visible here; the isolated_app rules live in a private file.
type isolated_app, domain;

#line 1 "system/sepolicy/public/isolated_compute_app.te"
type isolated_compute_app, domain;

#line 1 "system/sepolicy/public/kernel.te"
# Life begins with the kernel.
# MLS-trusted subject: presumably exempt from the policy's MLS constraints —
# NOTE(review): confirm against the mls constraints in this policy.
type kernel, domain, mlstrustedsubject;

allow kernel self:{ capability cap_userns } sys_nice;

# Root fs.
allow kernel rootfs:dir { open getattr read search ioctl lock watch watch_reads };
allow kernel rootfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };

# Used to read androidboot.selinux property
allow kernel { proc_bootconfig proc_cmdline }:file { getattr open read ioctl lock map watch watch_reads };

# Get SELinux enforcing status.
allow kernel selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
allow kernel selinuxfs:file { getattr open read ioctl lock map watch watch_reads };

# Get file contexts during first stage
allow kernel file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };

# Allow init relabel itself.
allow kernel rootfs:file relabelfrom;
allow kernel init_exec:file relabelto;

# TODO: investigate why we need this.
allow kernel init:process share;

# cgroup filesystem initialization prior to setting the cgroup root directory label.
allow kernel unlabeled:dir search;

# Mount usbfs.
allow kernel usbfs:filesystem mount;
allow kernel usbfs:dir search;

# Initial setenforce by init prior to switching to init domain.
# We use dontaudit instead of allow to prevent a kernel spawned userspace
# process from turning off SELinux once enabled.
# dontaudit only silences the denial; the operation is still refused.
dontaudit kernel self:security setenforce;

# Write to /proc/1/oom_adj prior to switching to init domain.
allow kernel self:{ capability cap_userns } sys_resource;

# Init reboot before switching selinux domains under certain error
# conditions. Allow it.
# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
# remount filesystems read-only. /data is not mounted at this point,
# so we could ignore this. For now, we allow it.
allow kernel self:{ capability cap_userns } sys_boot;
# Write-only on /proc/sysrq-trigger (no read permission in this set).
allow kernel proc_sysrq:file { open append write lock map };

# Allow writing to /dev/kmsg which was created prior to loading policy.
# The node is still labeled tmpfs at that point, hence the generic target type.
allow kernel tmpfs:chr_file write;

# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel selinuxfs:file write;
allow kernel self:security setcheckreqprot;

# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
allow kernel { sdcard_type fuse }:file { read write };

# f_mtp driver accesses files from kernel context.
allow kernel mediaprovider:fd use;

# Allow the kernel to read OBB files from app directories. (b/17428116)
# Kernel thread "loop0" reads a vold supplied file descriptor.
# Fixes CTS tests:
#  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
#  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
allow kernel vold:fd use;
# Read-only: the kernel domain gets no write on app data files here.
allow kernel { app_data_file privapp_data_file }:file read;
allow kernel asec_image_file:file read;

# Allow mounting loop device in update_engine_unittests. (b/28319454)
# and for LTP kernel tests (b/73220071)
# (No rule follows in this expansion; presumably a build-conditional test-only rule
# that is absent from this build.)

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow kernel media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow kernel media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };

# Access to /data/misc/vold/virtual_disk.
allow kernel vold_data_file:file { read write };

# Allow the kernel to read APEX file descriptors and (staged) data files;
# Needed because APEX uses the loopback driver, which issues requests from
# a kernel thread in earlier kernel version.
allow kernel apexd:fd use;
allow kernel { apex_data_file staging_data_file vendor_apex_file }:file read;

# Also allow the kernel to read/write /data/local/tmp files via loop device
# for ApexTestCases and fiemap_image_test.
# (No rule follows in this expansion; presumably build-conditional and absent here.)

# Allow the first-stage init (which is running in the kernel domain) to execute the
# dynamic linker when it re-executes /init to switch into the second stage.
# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
# before the domain is switched to the target domain. So, we need to allow the kernel
# domain (the source domain) to execute the dynamic linker (system_file type).
# TODO(b/110147943) remove these allow rules when we no longer need to support Linux
# kernel older than 4.8.
# Note this grants `execute` only; execute_no_trans on system_file stays forbidden by the
# neverallow below, so the kernel domain still cannot run a system binary as itself.
allow kernel system_file:file execute;

# The label for the dynamic linker is rootfs in the recovery partition. This is because
# the recovery partition which is rootfs does not support xattr and thus labeling can't be
# done at build-time. All files are by default labeled as rootfs upon booting.
# (The corresponding recovery-only rule is not present in this expansion.)

# required by VTS lidbm unit test
allow kernel appdomain_tmpfs:file { read write };

###
### neverallow rules
###

# The initial task starts in the kernel domain (assigned via
# initial_sid_contexts), but nothing ever transitions to it.
neverallow * kernel:process { transition dyntransition };

# The kernel domain is never entered via an exec, nor should it
# ever execute a program outside the rootfs without changing to another domain.
# If you encounter an execute_no_trans denial on the kernel domain, then
# possible causes include:
# - The program is a kernel usermodehelper. In this case, define a domain
#   for the program and domain_auto_trans() to it.
# - You are running an exploit which switched to the init task credentials
#   and is then trying to exec a shell or other program. You lose!
neverallow kernel *:file { entrypoint execute_no_trans };

# the kernel should not be accessing files owned by other users.
# Instead of adding dac_{read_search,override}, fix the unix permissions
# on files being accessed.
neverallow kernel self:{ capability cap_userns } { dac_override dac_read_search };

# Nobody should be ptracing kernel threads
neverallow * kernel:process ptrace;

#line 1 "system/sepolicy/public/keystore.te"
# keystore is both a domain and a keystore2 key type (it owns a key namespace of its own).
type keystore, domain, keystore2_key_type;
type keystore_exec, system_file_type, exec_type, file_type;

# keystore daemon
# MLS-trusted subject: presumably exempt from the policy's MLS constraints —
# NOTE(review): confirm against the mls constraints in this policy.
typeattribute keystore mlstrustedsubject;

# Binder client of servicemanager.
# Call the servicemanager and transfer references to it.
allow keystore servicemanager:binder { call transfer };
# Allow servicemanager to send out callbacks
allow servicemanager keystore:binder { call transfer };
# servicemanager performs getpidcon on clients.
allow servicemanager keystore:dir search;
allow servicemanager keystore:file { read open };
allow servicemanager keystore:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.

typeattribute keystore binderservicedomain;

# Binder client of remote_provisioning_service_server.
# Call the server domain and optionally transfer references to it.
allow keystore remote_provisioning_service_server:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow remote_provisioning_service_server keystore:binder transfer;
# Receive and use open files from the server.
allow keystore remote_provisioning_service_server:fd use;

# Binder client of system_server.
# Call the server domain and optionally transfer references to it.
allow keystore system_server:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow system_server keystore:binder transfer;
# Receive and use open files from the server.
allow keystore system_server:fd use;

# Binder client of wificond.
# Call the server domain and optionally transfer references to it.
allow keystore wificond:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow wificond keystore:binder transfer;
# Receive and use open files from the server.
allow keystore wificond:fd use;

# Full management of keystore's own data directory and of every file class inside it.
# The neverallow rules later in this file fence other domains out of keystore_data_file.
allow keystore keystore_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow keystore keystore_data_file:{ file lnk_file sock_file fifo_file } { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow keystore keystore_exec:file { getattr };

# Each published service is paired with a neverallow so that no other domain can
# register under the same name (the same pattern repeats for the services below).
allow keystore keystore_service:service_manager { add find };
neverallow { domain -keystore } keystore_service:service_manager add;
# On debug builds with root, allow binder services to use binder over TCP.
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# (No rule follows in this expansion; presumably the TCP rule is build-conditional
# and absent from this build.)

allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;
allow keystore remote_provisioning_service:service_manager find;

allow keystore apc_service:service_manager { add find };
neverallow { domain -keystore } apc_service:service_manager add;
# On debug builds with root, allow binder services to use binder over TCP.
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# Further keystore-owned binder services; each add permission is paired with a
# neverallow that reserves the name for keystore alone.
allow keystore keystore_compat_hal_service:service_manager { add find };
neverallow { domain -keystore } keystore_compat_hal_service:service_manager add;
# On debug builds with root, allow binder services to use binder over TCP.
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.

allow keystore authorization_service:service_manager { add find };
neverallow { domain -keystore } authorization_service:service_manager add;
# On debug builds with root, allow binder services to use binder over TCP.
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.

allow keystore keystore_maintenance_service:service_manager { add find };
neverallow { domain -keystore } keystore_maintenance_service:service_manager add;
# On debug builds with root, allow binder services to use binder over TCP.
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.

allow keystore keystore_metrics_service:service_manager { add find };
neverallow { domain -keystore } keystore_metrics_service:service_manager add;
# On debug builds with root, allow binder services to use binder over TCP.
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.

allow keystore legacykeystore_service:service_manager { add find };
neverallow { domain -keystore } legacykeystore_service:service_manager add;
# On debug builds with root, allow binder services to use binder over TCP.
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# (The repeated debug-build comment comes from the shared macro; no TCP rule is
# present in this expansion.)

# Check SELinux permissions.
# selinuxfs access for keystore's own access-vector queries: read the fs, write the
# query node, compute_av against the kernel, and a netlink_selinux_socket for
# policy-change notifications (no setenforce/load is granted here).
allow keystore selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
allow keystore selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
allow keystore selinuxfs:file { open append write lock map };
allow keystore kernel:security compute_av;
allow keystore self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };

# Read-only access to cgroup v1 and v2 hierarchies.
allow keystore cgroup:dir { open getattr read search ioctl lock watch watch_reads };
allow keystore cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
allow keystore cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
allow keystore cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };

###
### Neverallow rules
###
### Protect ourself from others
###
# `~{ ... }` is the complement: every dir permission EXCEPT the listed ones is forbidden
# to all non-keystore domains; the second pair then forbids everything (`*`) to all
# domains other than keystore and init, so init is the only other domain that may
# touch keystore_data_file at all, and only with the listed permissions.
neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -keystore } keystore_data_file:{ file lnk_file sock_file fifo_file } ~{ relabelto getattr };
neverallow { domain -keystore -init } keystore_data_file:dir *;
neverallow { domain -keystore -init } keystore_data_file:{ file lnk_file sock_file fifo_file } *;

# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
# As written, `{ domain }` carries no exception: no domain may ptrace keystore in this build.
neverallow { domain } keystore:process ptrace;

# The software KeyMint implementation used in km_compat needs
# to read the vendor security patch level.
allow keystore vendor_security_patch_level_prop:file { getattr open read map };
# Stray empty statement left over from macro expansion; presumably harmless to the
# policy compiler since this build produced it — NOTE(review): confirm.
;

# Allow keystore to read its vendor configuration
allow keystore keystore_config_prop:file { getattr open read map };

#line 1 "system/sepolicy/public/keystore_keys.te"
# A keystore2 namespace for WI-FI.
# A keystore2 namespace for WI-FI.
type wifi_key, keystore2_key_type;

#line 1 "system/sepolicy/public/llkd.te"
# ---------------------------------------------------------------------------
# llkd: Live LocK Daemon.  Only the domain and its executable label are
# declared here.
# ---------------------------------------------------------------------------
type llkd, domain, mlstrustedsubject;
type llkd_exec, system_file_type, exec_type, file_type;

#line 1 "system/sepolicy/public/lmkd.te"
# ---------------------------------------------------------------------------
# lmkd: low memory killer daemon.
#
# lmkd has to inspect and kill arbitrary processes, so several grants below
# are system-wide (target `domain`).  That is the daemon's purpose, but it
# also makes lmkd a high-value target; see the neverallow rules that close
# this section.
# ---------------------------------------------------------------------------
type lmkd, domain, mlstrustedsubject;
type lmkd_exec, system_file_type, exec_type, file_type;

# Capabilities (also honoured inside non-init user namespaces):
#  - dac_override / dac_read_search: bypass DAC on the /proc entries it touches
#  - sys_resource, kill: raise limits, signal any process
#  - ipc_lock: lmkd locks itself in memory so it is never swapped out and
#    unable to kill other memory hogs
#    (system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35, b/16236289)
#  - sys_nice: set itself to SCHED_FIFO
allow lmkd self:{ capability cap_userns } {
  dac_override
  dac_read_search
  sys_resource
  kill
  ipc_lock
  sys_nice
};

# Read every domain's /proc/PID tree and write to its files
# (/proc/PID/oom_score_adj and /proc/PID/timerslack_ns).
# NOTE(review): `domain:file write` is not limited to those two entries; it
# is a write grant on every file of every domain.  The upstream
# "TODO: maybe scope this down?" still stands.  (Upstream repeats a narrower
# domain:dir/file read grant further down under a "live lock watchdog"
# comment copied from llkd; it is subsumed by these two rules.)
allow lmkd domain:dir { open getattr read search ioctl lock watch watch_reads };
allow lmkd domain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
allow lmkd domain:file write;

# /sys/module/lowmemorykiller/parameters/minfree: browse the directory,
# read symlinks, read and write the parameter files.
allow lmkd sysfs_lowmemorykiller:dir { open getattr read search ioctl lock watch watch_reads };
allow lmkd sysfs_lowmemorykiller:lnk_file { getattr open read ioctl lock map watch watch_reads };
allow lmkd sysfs_lowmemorykiller:file { getattr open read ioctl lock map watch watch_reads append write };

# The kill path itself: change scheduling of, and SIGKILL, any registered
# process.
allow lmkd domain:process { setsched sigkill };
# TODO: delete this line b/131761776
allow lmkd kernel:process setsched;

# Clean up old cgroups and read memcg stats (both cgroup hierarchies).
allow lmkd { cgroup cgroup_v2 }:dir { remove_name rmdir };
allow lmkd { cgroup cgroup_v2 }:file { getattr open read ioctl lock map watch watch_reads };

# Memory statistics, read-only: /proc/zoneinfo, /proc/vmstat,
# /proc/lowmemorykiller, /proc/meminfo, /proc/pressure/cpu and
# /proc/pressure/io.
allow lmkd {
  proc_zoneinfo
  proc_vmstat
  proc_lowmemorykiller
  proc_meminfo
  proc_pressure_cpu
  proc_pressure_io
}:file { getattr open read ioctl lock map watch watch_reads };

# /proc/pressure/memory is read and written.
allow lmkd proc_pressure_mem:file { getattr open read ioctl lock map watch watch_reads append write };

# Read/write access to the sysrq trigger.  The upstream justification
# ("dump process trace and reboot because orderly shutdown may not be
# possible") reads as copied from llkd; either way this lets lmkd fire sysrq
# actions, including an unclean reboot.
allow lmkd proc_sysrq:file { getattr open read ioctl lock map watch watch_reads append write };

# Allow lmkd to connect to its own socket during reinit.
allow lmkd lmkd_socket:sock_file write;

# Allow lmkd to write to statsd.
allow lmkd statsdw_socket:sock_file write;
allow lmkd statsd:unix_dgram_socket sendto;

### neverallow rules

# Never honor LD_PRELOAD when exec'ing into lmkd.
neverallow * lmkd:process noatsecure;
# A process that may kill anything must not also be able to ptrace.
neverallow lmkd self:{ capability cap_userns } sys_ptrace;

#line 1 "system/sepolicy/public/logd.te"
# ---------------------------------------------------------------------------
# logd: android user-space log manager
# ---------------------------------------------------------------------------
type logd, domain, mlstrustedsubject;
type logd_exec, system_file_type, exec_type, file_type;

# Read access to pseudo filesystems.
# cgroup (v1 and v2), /proc/kmsg and /proc/meminfo: read-only.
allow logd { cgroup cgroup_v2 proc_kmsg proc_meminfo }:dir { open getattr read search ioctl lock watch watch_reads };
allow logd { cgroup cgroup_v2 proc_kmsg proc_meminfo }:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };

# Capabilities: setuid/setgid/setpcap (presumably to drop privileges at
# startup), sys_nice, and audit_control -- logd may reconfigure the kernel
# audit subsystem, not merely read from it.  syslog (capability2) covers the
# kernel log.
allow logd self:{ capability cap_userns } { setuid setgid setpcap sys_nice audit_control };
allow logd self:{ capability2 cap2_userns } syslog;

# Audit netlink socket: create and use it, including nlmsg_write (audit
# configuration changes, matching audit_control above).
allow logd self:netlink_audit_socket {
  create read getattr write setattr lock append bind connect
  getopt setopt shutdown map nlmsg_write
};

# Kernel log: read it, change its settings, and write to /dev/kmsg.
allow logd kernel:system { syslog_read syslog_mod };
allow logd kmsg_device:chr_file { getattr open append write lock map };

# Read system data files and packages.list.
allow logd system_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
allow logd packages_list_file:file { getattr open read ioctl lock map watch watch_reads };

# pstore: search the mount point and read its files.
allow logd pstorefs:dir search;
allow logd pstorefs:file { getattr open read ioctl lock map watch watch_reads };

# Event-log tag map: logd reads and rewrites it (the neverallow closing this
# section keeps every domain other than init and logd from modifying it).
allow logd runtime_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads append write };
# The tag file may live on tmpfs.
allow runtime_event_log_tags_file tmpfs:filesystem associate;

# Read /proc/PID of every domain (directory listing, files and symlinks).
# NOTE(review): a system-wide read grant; no justification is recorded next
# to it in this policy.
allow logd domain:dir { open getattr read search ioctl lock watch watch_reads };
allow logd domain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };

# Group AID_LOG checked by filesystem & logd
# to permit control commands: connect to its own control socket.
allow logd logd_socket:sock_file write;
allow logd logd:unix_stream_socket connectto;

# Typically harmlessly blindly trying to access via liblog
# event tag mapping while in the untrusted_app domain.
# Access for that domain is controlled and gated via the
# event log tag service (albeit at a performance penalty,
# expected to be locally cached).
dontaudit domain runtime_event_log_tags_file:file { map open read };

# Logd sets defaults if certain properties are empty: reach the property
# service through init and set/read logd_prop.
allow logd property_socket:sock_file write;
allow logd init:unix_stream_socket connectto;
allow logd logd_prop:property_service set;
allow logd logd_prop:file { getattr open read map };

###
### Neverallow rules
###
### logd should NEVER do any of this

# Block device access.
neverallow logd dev_type:blk_file { read write };

# ptrace any other process.
neverallow logd domain:process ptrace;

# ... and nobody may ptrace logd.  Upstream carves out an exception on
# userdebug/eng builds; it expanded to nothing in this policy, so here the
# rule is unconditional.
neverallow domain logd:process ptrace;

# Write to /system.
neverallow logd system_file_type:{ dir chr_file blk_file file lnk_file sock_file fifo_file } write;

# Write to files in /data/data or system files on /data.
neverallow logd {
  app_data_file_type
  system_data_file
  packages_list_file
  -shell_data_file # for bugreports
}:{ dir chr_file blk_file file lnk_file sock_file fifo_file } write;

# Only init is allowed to enter the logd domain via exec(), and no domain may
# dyntransition into it.
neverallow { domain -init } logd:process transition;
neverallow * logd:process dyntransition;

# Protect the event-log-tags file: only init and logd may modify it.
neverallow { domain -init -logd } runtime_event_log_tags_file:file {
  append create link unlink relabelfrom rename setattr write
};

#line 1 "system/sepolicy/public/logpersist.te"
# ---------------------------------------------------------------------------
# logpersist: android debug logging domains.
# ---------------------------------------------------------------------------
type logpersist, domain;

# logcatd is a shell script that execs logcat with various parameters, so
# both the shell and the logcat binary are readable and executable without
# a domain transition.
allow logpersist { shell_exec logcat_exec }:file { getattr open read ioctl lock map watch watch_reads execute execute_no_trans };

###
### Neverallow rules
###
### logpersist should NEVER do any of this

# Block device access.
neverallow logpersist dev_type:blk_file { read write };

# ptrace any other process.
neverallow logpersist domain:process ptrace;

# Write to files in /data/data or system files on /data except misc_logd_file
# (only these two attributes are listed, so misc_logd_file is not covered).
neverallow logpersist { app_data_file_type system_data_file }:{ dir chr_file blk_file file lnk_file sock_file fifo_file } write;

# Only init should be allowed to enter the logpersist domain via exec().
# NOTE(review): unlike logd, no exec-transition neverallow is active here.
# Upstream keeps the intended rule commented out because these debug domains
# are known to transition into logpersist:
#   neverallow_with_undefined_domains {
#     domain
#     -init         # goldfish, logcatd, raft
#     -mmi          # bat, mtp8996, msmcobalt
#     -system_app   # Smith.apk
#   } logpersist:process transition;
# Only the dyntransition ban is enforced.
neverallow * logpersist:process dyntransition;

# Narrow whatever ioctl access logpersist has on misc_logd_file to these two
# commands.
allowxperm logpersist misc_logd_file:file ioctl { 0xf512 0x40086602 };

#line 1 "system/sepolicy/public/mdnsd.te"
# mdns daemon: domain declaration only.
type mdnsd, domain;

#line 1 "system/sepolicy/public/mediadrmserver.te"
# ---------------------------------------------------------------------------
# mediadrmserver - mediadrm daemon
# ---------------------------------------------------------------------------
type mediadrmserver, domain;
type mediadrmserver_exec, system_file_type, exec_type, file_type;
typeattribute mediadrmserver mlstrustedsubject;

# mediadrmserver has network access; the neverallowxperm closing this
# section keeps the privileged socket ioctls off limits.
typeattribute mediadrmserver netdomain;

# Call the servicemanager and transfer references to it.
allow mediadrmserver servicemanager:binder { call transfer };
# Allow servicemanager to send out callbacks.
allow servicemanager mediadrmserver:binder { call transfer };
# servicemanager performs getpidcon on clients (needs /proc/PID).
allow servicemanager mediadrmserver:dir search;
allow servicemanager mediadrmserver:file { read open };
allow servicemanager mediadrmserver:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.

# Binder client of every other binder service: call it and optionally
# transfer references to it.
allow mediadrmserver binderservicedomain:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow binderservicedomain mediadrmserver:binder transfer;
# Receive and use open files from the server.
allow mediadrmserver binderservicedomain:fd use;

# Same client pattern towards apps: call, transfer, replies, use their fds.
allow mediadrmserver appdomain:binder { call transfer };
allow appdomain mediadrmserver:binder transfer;
allow mediadrmserver appdomain:fd use;

# mediadrmserver is itself a binder service.
typeattribute mediadrmserver binderservicedomain;

# Client of the DRM HAL.
typeattribute mediadrmserver halclientdomain;
typeattribute mediadrmserver hal_drm_client;

# TODO(b/34170079): Make the inclusion of the rules below conditional also on
# non-Treble devices. For now, on non-Treble device, always grant clients of a
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
# NOTE(review): in passthrough mode vendor code is mapped and executed inside
# the mediadrmserver process, so every hal_drm grant applies to it as well.
typeattribute mediadrmserver hal_drm;
# Find passthrough HAL implementations under /system and /vendor.
allow hal_drm { system_file vendor_file }:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_drm vendor_file:file { read open getattr execute map };

# Register its own service name, and keep every other domain from
# registering under it (service impersonation).
allow mediadrmserver mediadrmserver_service:service_manager { add find };
neverallow { domain -mediadrmserver } mediadrmserver_service:service_manager add;
# On debug builds with root, allow binder services to use binder over TCP.
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# (That debug-only grant appears to have expanded to nothing in this policy.)

# Services it looks up.
allow mediadrmserver {
  mediaserver_service
  mediametrics_service
  processinfo_service
  surfaceflinger_service
}:service_manager find;

allow mediadrmserver system_file:dir { open getattr read search ioctl lock watch watch_reads };

# TODO(b/80317992): remove
allow mediadrmserver hal_omx_server:binder { call transfer };
allow hal_omx_server mediadrmserver:binder transfer;
allow mediadrmserver hal_omx_server:fd use;

###
### neverallow rules
###

# mediadrmserver should never execute any executable without a
# domain transition.
neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;

# Do not allow privileged socket ioctl commands on any domain's sockets of
# these classes: interface configuration, wireless extensions and the
# device/vendor-private ranges.  Only commands listed here are forbidden;
# anything else still needs an explicit ioctl grant elsewhere.
neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl {
  # qualcomm rmnet ioctls
  0x00006900 0x00006902
  # socket ioctls
  0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
  0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
  0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
  0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
  0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
  0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
  0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
  0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
  0x00008991 0x00008992 0x00008993 0x00008994
  0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
  # device and protocol specific ioctls
  0x000089f0-0x000089ff
  0x000089e0-0x000089ef
  # Wireless extension ioctls
  0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
  0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
  0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
  0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
  0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
  0x00008b34 0x00008b35 0x00008b36
  # Dev private ioctl i.e. hardware specific ioctls
  0x00008be0-0x00008bff
};

#line 1 "system/sepolicy/public/mediaextractor.te"
# ---------------------------------------------------------------------------
# mediaextractor - multimedia daemon
# ---------------------------------------------------------------------------
type mediaextractor, domain;
type mediaextractor_exec, system_file_type, exec_type, file_type;
type mediaextractor_tmpfs, file_type;
typeattribute mediaextractor mlstrustedsubject;

# Call the servicemanager and transfer references to it; let it call back
# and perform getpidcon on us.
allow mediaextractor servicemanager:binder { call transfer };
allow servicemanager mediaextractor:binder { call transfer };
allow servicemanager mediaextractor:dir search;
allow servicemanager mediaextractor:file { read open };
allow servicemanager mediaextractor:process getattr;

# Binder client of every other binder service.
allow mediaextractor binderservicedomain:binder { call transfer };
allow binderservicedomain mediaextractor:binder transfer;
# Receive and use open files from the server.
allow mediaextractor binderservicedomain:fd use;

# Same client pattern towards apps: call, transfer, replies, use their fds.
allow mediaextractor appdomain:binder { call transfer };
allow appdomain mediaextractor:binder transfer;
allow mediaextractor appdomain:fd use;

# mediaextractor is itself a binder service: register its name and keep
# every other domain from registering under it.
typeattribute mediaextractor binderservicedomain;
allow mediaextractor mediaextractor_service:service_manager { add find };
neverallow { domain -mediaextractor } mediaextractor_service:service_manager add;
# On debug builds with root, allow binder services to use binder over TCP.
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# (No such grant survives in this policy.)

allow mediaextractor mediametrics_service:service_manager find;
allow mediaextractor hidl_token_hwservice:hwservice_manager find;
allow mediaextractor system_server:fd use;

# Client of the CAS and allocator HALs.  (Upstream attributes
# halclientdomain once per HAL; once is sufficient.)
typeattribute mediaextractor halclientdomain;
typeattribute mediaextractor hal_cas_client;
typeattribute mediaextractor hal_allocator_client;

# TODO(b/34170079): Make the inclusion of the rules below conditional also on
# non-Treble devices. For now, on non-Treble device, always grant clients of a
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
# NOTE(review): passthrough mode maps and executes vendor code inside the
# extractor process -- the process this section otherwise tries to sandbox.
typeattribute mediaextractor hal_cas;
typeattribute mediaextractor hal_allocator;
# Find passthrough HAL implementations under /system and /vendor.
allow { hal_cas hal_allocator } { system_file vendor_file }:dir { open getattr read search ioctl lock watch watch_reads };
allow { hal_cas hal_allocator } vendor_file:file { read open getattr execute map };

# cgroups (v1 and v2) and /proc/meminfo, read-only.
allow mediaextractor { cgroup cgroup_v2 }:dir { open getattr read search ioctl lock watch watch_reads };
allow mediaextractor { cgroup cgroup_v2 }:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
allow mediaextractor proc_meminfo:file { getattr open read ioctl lock map watch watch_reads };

# Crash reporting: append to ANR and tombstone files, talk to tombstoned, and
# write back through fds/pipes handed over by dumpstate, incidentd and
# system_server.
allow mediaextractor anr_data_file:file append;
allow mediaextractor { dumpstate incidentd tombstoned }:fd use;
# TODO: Figure out why write is needed.
allow mediaextractor { dumpstate incidentd system_server }:fifo_file { append write };
allow mediaextractor tombstoned:unix_stream_socket connectto;
allow mediaextractor tombstoned_crash_socket:sock_file write;
allow mediaextractor tombstone_data_file:file append;

# File sources: read-only and deliberately without `open` -- the neverallow
# closing this section forbids `open` on every data_file_type, so sources
# arrive as descriptors opened by the caller.
allow mediaextractor { sdcard_type fuse media_rw_data_file app_data_file privapp_data_file }:file { getattr read };
# Read resources from open apk files passed over Binder.
allow mediaextractor { apk_data_file asec_apk_file ringtone_file }:file { read getattr };
# Overlay package access.
allow mediaextractor vendor_overlay_file:file { read map };
# Scan the extractor library directory to dynamically load extractors.
allow mediaextractor system_file:dir { read open };

###
### neverallow rules
###

# mediaextractor should never execute any executable without a
# domain transition.
neverallow mediaextractor { file_type fs_type }:file execute_no_trans;

# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
# No network at all: every operation on udp, rawip and tcp sockets of any
# domain is forbidden.
neverallow mediaextractor domain:{ udp_socket rawip_socket tcp_socket } *;

# mediaextractor should not be opening /data files directly. Any files
# it touches (with a few exceptions) need to be passed to it via a file
# descriptor opened outside the process.
# NOTE(review): upstream lists a build-conditional exception here (commented
# "for loading media extractor plugins"); it expanded to nothing in this
# policy, so every data_file_type is covered.
neverallow mediaextractor data_file_type:file open;

#line 1 "system/sepolicy/public/mediametrics.te"
# ---------------------------------------------------------------------------
# mediametrics - daemon for collecting media.metrics data
# ---------------------------------------------------------------------------
type mediametrics, domain;
type mediametrics_exec, system_file_type, exec_type, file_type;

# Call the servicemanager and transfer references to it; let it call back
# and perform getpidcon on us.
allow mediametrics servicemanager:binder { call transfer };
allow servicemanager mediametrics:binder { call transfer };
allow servicemanager mediametrics:dir search;
allow servicemanager mediametrics:file { read open };
allow servicemanager mediametrics:process getattr;

# Binder client of every other binder service.
allow mediametrics binderservicedomain:binder { call transfer };
allow binderservicedomain mediametrics:binder transfer;
# Receive and use open files from the server.
allow mediametrics binderservicedomain:fd use;

# mediametrics is itself a binder service: register its name and keep every
# other domain from registering under it.
typeattribute mediametrics binderservicedomain;
allow mediametrics mediametrics_service:service_manager { add find };
neverallow { domain -mediametrics } mediametrics_service:service_manager add;
# On debug builds with root, allow binder services to use binder over TCP.
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# (No such grant survives in this policy.)

allow mediametrics system_server:fd use;

# cgroups (v1 and v2) and /proc/meminfo, read-only.
allow mediametrics { cgroup cgroup_v2 }:dir { open getattr read search ioctl lock watch watch_reads };
allow mediametrics { cgroup cgroup_v2 }:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
allow mediametrics proc_meminfo:file { getattr open read ioctl lock map watch watch_reads };

# Allows interactions with dumpsys to GMScore.  Write-only and without
# `open`: the caller must hand over an already-open descriptor; mediametrics
# cannot open files in app data directories on its own.
allow mediametrics { app_data_file privapp_data_file }:file write;

# Package manager lookups for uid->apk mapping.
allow mediametrics package_native_service:service_manager find;

# Send information to the statsd socket.
allow mediametrics statsdw_socket:sock_file write;
allow mediametrics statsd:unix_dgram_socket sendto;

###
### neverallow rules
###

# mediametrics should never execute any executable without a
# domain transition.
neverallow mediametrics { file_type fs_type }:file execute_no_trans;

# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
# # Media processing code is inherently risky and thus should have limited # permissions and be isolated from the rest of the system and network. # Lengthier explanation here: # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html neverallow mediametrics domain:{ udp_socket rawip_socket } *; neverallow mediametrics { domain }:tcp_socket *; #line 1 "system/sepolicy/public/mediaprovider.te" ### ### A domain for android.process.media, which contains both ### MediaProvider and DownloadProvider and associated services. ### type mediaprovider, domain; #line 1 "system/sepolicy/public/mediaserver.te" # mediaserver - multimedia daemon type mediaserver, domain; type mediaserver_exec, system_file_type, exec_type, file_type; type mediaserver_tmpfs, file_type; typeattribute mediaserver mlstrustedsubject; #line 8 typeattribute mediaserver netdomain; #line 8 #line 10 allow mediaserver sdcard_type:dir { open getattr read search ioctl lock watch watch_reads }; #line 10 allow mediaserver sdcard_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 10 #line 11 allow mediaserver fuse:dir { open getattr read search ioctl lock watch watch_reads }; #line 11 allow mediaserver fuse:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 11 #line 12 allow mediaserver cgroup:dir { open getattr read search ioctl lock watch watch_reads }; #line 12 allow mediaserver cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 12 #line 13 allow mediaserver cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads }; #line 13 allow mediaserver cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 13 # stat /proc/self allow mediaserver proc:lnk_file getattr; # open /vendor/lib/mediadrm allow mediaserver system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 24 #line 26 # Call the servicemanager and transfer references to 
it. #line 26 allow mediaserver servicemanager:binder { call transfer }; #line 26 # Allow servicemanager to send out callbacks #line 26 allow servicemanager mediaserver:binder { call transfer }; #line 26 # servicemanager performs getpidcon on clients. #line 26 allow servicemanager mediaserver:dir search; #line 26 allow servicemanager mediaserver:file { read open }; #line 26 allow servicemanager mediaserver:process getattr; #line 26 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 26 # all domains in domain.te. #line 26 #line 27 # Call the server domain and optionally transfer references to it. #line 27 allow mediaserver binderservicedomain:binder { call transfer }; #line 27 # Allow the serverdomain to transfer references to the client on the reply. #line 27 allow binderservicedomain mediaserver:binder transfer; #line 27 # Receive and use open files from the server. #line 27 allow mediaserver binderservicedomain:fd use; #line 27 #line 28 # Call the server domain and optionally transfer references to it. #line 28 allow mediaserver appdomain:binder { call transfer }; #line 28 # Allow the serverdomain to transfer references to the client on the reply. #line 28 allow appdomain mediaserver:binder transfer; #line 28 # Receive and use open files from the server. 
#line 28 allow mediaserver appdomain:fd use; #line 28 #line 29 typeattribute mediaserver binderservicedomain; #line 29 allow mediaserver media_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow mediaserver media_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write }; allow mediaserver { sdcard_type fuse }:file write; allow mediaserver gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow mediaserver gpu_device:dir { open getattr read search ioctl lock watch watch_reads }; allow mediaserver video_device:dir { open getattr read search ioctl lock watch watch_reads }; allow mediaserver video_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # Read resources from open apk files passed over Binder. allow mediaserver apk_data_file:file { read getattr }; allow mediaserver asec_apk_file:file { read getattr }; allow mediaserver ringtone_file:file { read getattr }; # Read /data/data/com.android.providers.telephony files passed over Binder. allow mediaserver radio_data_file:file { read getattr }; # Use pipes passed over Binder from app domains. 
allow mediaserver appdomain:fifo_file { getattr read write }; allow mediaserver rpmsg_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # Inter System processes communicate over named pipe (FIFO) allow mediaserver system_server:fifo_file { getattr open read ioctl lock map watch watch_reads }; #line 56 allow mediaserver media_rw_data_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 56 allow mediaserver media_rw_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 56 # Grant access to read files on appfuse. allow mediaserver app_fuse_file:file { read getattr }; # Needed on some devices for playing DRM protected content, # but seems expected and appropriate for all devices. #line 63 allow mediaserver drmserver_socket:sock_file write; #line 63 allow mediaserver drmserver:unix_stream_socket connectto; #line 63 # Needed on some devices for playing audio on paired BT device, # but seems appropriate for all devices. #line 67 allow mediaserver bluetooth_socket:sock_file write; #line 67 allow mediaserver bluetooth:unix_stream_socket connectto; #line 67 # Needed for mediaserver to send information to statsd socket. #line 70 allow mediaserver statsdw_socket:sock_file write; #line 70 allow mediaserver statsd:unix_dgram_socket sendto; #line 70 #line 72 allow mediaserver mediaserver_service:service_manager { add find }; #line 72 neverallow { domain -mediaserver } mediaserver_service:service_manager add; #line 72 #line 72 # On debug builds with root, allow binder services to use binder over TCP. #line 72 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. 
#line 72
#line 72
# Framework services mediaserver may look up. These are `find` only; the only
# service it may `add` is mediaserver_service (see above).
allow mediaserver activity_service:service_manager find;
allow mediaserver appops_service:service_manager find;
allow mediaserver audio_service:service_manager find;
allow mediaserver audioserver_service:service_manager find;
allow mediaserver cameraserver_service:service_manager find;
allow mediaserver batterystats_service:service_manager find;
allow mediaserver drmserver_service:service_manager find;
allow mediaserver mediaextractor_service:service_manager find;
allow mediaserver mediametrics_service:service_manager find;
allow mediaserver media_session_service:service_manager find;
allow mediaserver package_native_service:service_manager find;
allow mediaserver permission_service:service_manager find;
allow mediaserver permission_checker_service:service_manager find;
allow mediaserver power_service:service_manager find;
allow mediaserver processinfo_service:service_manager find;
allow mediaserver scheduling_policy_service:service_manager find;
allow mediaserver surfaceflinger_service:service_manager find;

# for ModDrm/MediaPlayer
allow mediaserver mediadrmserver_service:service_manager find;

# For hybrid interfaces
allow mediaserver hidl_token_hwservice:hwservice_manager find;

# /oem access
allow mediaserver oemfs:dir search;
allow mediaserver oemfs:file { getattr open read ioctl lock map watch watch_reads };

# /oem boot animation file
allow mediaserver bootanim_oem_file:file { getattr open read ioctl lock map watch watch_reads };

# /vendor apk access
allow mediaserver vendor_app_file:file { read map getattr };

# drmserver gets the same dir-search / file-read / process-getattr triple on
# mediaserver that the servicemanager client rules use for getpidcon on
# clients; mediaserver in turn is a client of the drmservice interface.
#line 107
allow drmserver mediaserver:dir search;
#line 107
allow drmserver mediaserver:file { read open };
#line 107
allow drmserver mediaserver:process getattr;
#line 107
allow mediaserver drmserver:drmservice { consumeRights setPlaybackStatus openDecryptSession closeDecryptSession initializeDecryptUnit decrypt finalizeDecryptUnit pread };

# only allow unprivileged socket ioctl commands
# Once an allowxperm rule exists for these sockets, every ioctl command not
# listed below is denied for mediaserver's own sockets. The matching
# neverallowxperm in the neverallow section keeps the privileged set from being
# granted anywhere, including by device-specific policy.
allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket } ioctl {
#line 121
{
#line 121
# Socket ioctls for gathering information about the interface
#line 121
0x00008906 0x00008907
#line 121
0x00008910 0x00008912 0x00008913 0x00008915 0x00008917 0x00008919
#line 121
0x0000891b 0x00008921 0x00008933 0x00008938 0x00008942
#line 121
# Wireless extension ioctls. Primarily get functions.
#line 121
0x00008b01 0x00008b05 0x00008b07 0x00008b09 0x00008b0b 0x00008b0d
#line 121
0x00008b0f 0x00008b11 0x00008b12 0x00008b13 0x00008b21 0x00008b23
#line 121
0x00008b25 0x00008b27 0x00008b29 0x00008b2d
#line 121
} {
#line 121
0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414
#line 121
0x0000540e 0x0000540b 0x00005410 0x0000540f
#line 121
} };

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow mediaserver media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow mediaserver media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };

# Access to media in /data/preloads
allow mediaserver preloads_media_file:file { getattr read ioctl };

# Buffer allocator device nodes (read-only access; ioctl is what is actually
# used on these nodes).
allow mediaserver ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow mediaserver dmabuf_system_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow mediaserver dmabuf_system_secure_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };

# Use descriptors handed over by these domains.
allow mediaserver hal_graphics_allocator:fd use;
allow mediaserver hal_graphics_composer:fd use;
allow mediaserver hal_camera:fd use;
allow mediaserver system_server:fd use;

# b/120491318 allow mediaserver to access vold:fd
allow mediaserver vold:fd use;

# overlay package access
allow mediaserver vendor_overlay_file:file { read getattr map };

# mediaserver is a client of the allocator HAL.
#line 147
typeattribute mediaserver halclientdomain;
#line 147
typeattribute mediaserver hal_allocator_client;
#line 147
#line 147
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 147
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 147
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 147
#line 147
typeattribute mediaserver hal_allocator;
#line 147
# Find passthrough HAL implementations
# NOTE(review): `execute map` on vendor_file:file lets the passthrough HAL
# library be mapped executable in-process; the TODO above records that this is
# wider than a Treble device needs.
#line 147
allow hal_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 147
allow hal_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 147
allow hal_allocator vendor_file:file { read open getattr execute map };
#line 147
#line 147

###
### neverallow rules
###

# mediaserver should never execute any executable without a
# domain transition
neverallow mediaserver { file_type fs_type }:file execute_no_trans;

# do not allow privileged socket ioctl commands
# Target is `domain`, not `self`, so the ban also covers sockets passed to
# mediaserver from other domains.
neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl
#line 158
{
#line 158
# qualcomm rmnet ioctls
#line 158
0x00006900 0x00006902
#line 158
# socket ioctls
#line 158
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 158
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 158
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 158
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 158
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 158
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 158
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 158
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 158
0x00008991 0x00008992 0x00008993 0x00008994
#line 158
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 158
# device and protocol specific ioctls
#line 158
0x000089f0-0x000089ff
#line 158
0x000089e0-0x000089ef
#line 158
# Wireless extension ioctls
#line 158
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 158
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 158
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 158
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 158
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 158
0x00008b34 0x00008b35 0x00008b36
#line 158
# Dev private ioctl i.e. hardware specific ioctls
#line 158
0x00008be0-0x00008bff
#line 158
};

#line 1 "system/sepolicy/public/mediaswcodec.te"
# Software codec service: a HAL server domain that is also a client of the
# Codec2, OMX, allocator and graphics-allocator HALs.
type mediaswcodec, domain;
type mediaswcodec_exec, system_file_type, exec_type, file_type;

#line 4
typeattribute mediaswcodec halserverdomain;
#line 4
typeattribute mediaswcodec hal_codec2_server;
#line 4
typeattribute mediaswcodec hal_codec2;
#line 4

# mediaswcodec may use an input surface from a different Codec2 service or an
# OMX service
#line 8
typeattribute mediaswcodec halclientdomain;
#line 8
typeattribute mediaswcodec hal_codec2_client;
#line 8
#line 8
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 8
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 8
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 8
#line 8
typeattribute mediaswcodec hal_codec2;
#line 8
# Find passthrough HAL implementations
# NOTE(review): each of the four passthrough blocks below grants the HAL
# attribute (and therefore mediaswcodec) `execute map` on vendor_file:file,
# i.e. the right to map vendor libraries executable in-process. The TODO that
# precedes each block records that this is broader than a Treble device needs;
# keep it in mind when reviewing mediaswcodec's isolation.
#line 8
allow hal_codec2 system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 8
allow hal_codec2 vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 8
allow hal_codec2 vendor_file:file { read open getattr execute map };
#line 8
#line 8

#line 9
typeattribute mediaswcodec halclientdomain;
#line 9
typeattribute mediaswcodec hal_omx_client;
#line 9
#line 9
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 9
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 9
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 9
#line 9
typeattribute mediaswcodec hal_omx;
#line 9
# Find passthrough HAL implementations
#line 9
allow hal_omx system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow hal_omx vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow hal_omx vendor_file:file { read open getattr execute map };
#line 9
#line 9

#line 11
typeattribute mediaswcodec halclientdomain;
#line 11
typeattribute mediaswcodec hal_allocator_client;
#line 11
#line 11
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 11
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 11
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 11
#line 11
typeattribute mediaswcodec hal_allocator;
#line 11
# Find passthrough HAL implementations
#line 11
allow hal_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 11
allow hal_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 11
allow hal_allocator vendor_file:file { read open getattr execute map };
#line 11
#line 11

#line 12
typeattribute mediaswcodec halclientdomain;
#line 12
typeattribute mediaswcodec hal_graphics_allocator_client;
#line 12
#line 12
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 12
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 12
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 12
#line 12
typeattribute mediaswcodec hal_graphics_allocator;
#line 12
# Find passthrough HAL implementations
#line 12
allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow hal_graphics_allocator vendor_file:file { read open getattr execute map };
#line 12
#line 12

# get aac_drc_* properties
#line 15
allow mediaswcodec aac_drc_prop:file { getattr open read map };
#line 15

# Crash/ANR reporting: append-only to ANR and tombstone files, and use of
# descriptors/pipes handed over by dumpstate, incidentd and tombstoned.
#line 17
#line 17
allow mediaswcodec anr_data_file:file append;
#line 17
allow mediaswcodec dumpstate:fd use;
#line 17
allow mediaswcodec incidentd:fd use;
#line 17
# TODO: Figure out why write is needed.
#line 17
allow mediaswcodec dumpstate:fifo_file { append write };
#line 17
allow mediaswcodec incidentd:fifo_file { append write };
#line 17
allow mediaswcodec system_server:fifo_file { append write };
#line 17
allow mediaswcodec tombstoned:unix_stream_socket connectto;
#line 17
allow mediaswcodec tombstoned:fd use;
#line 17
allow mediaswcodec tombstoned_crash_socket:sock_file write;
#line 17
allow mediaswcodec tombstone_data_file:file append;
#line 17

# mediaswcodec_server should never execute any executable without a
# domain transition
neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;

# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
# `*` denies every permission on these socket classes, against every domain's
# sockets (not just self), so no device policy can hand the codec process a
# network socket.
neverallow mediaswcodec domain:{ udp_socket rawip_socket } *;
neverallow mediaswcodec { domain }:tcp_socket *;

# Buffer heaps and GPU access (decode/encode output surfaces).
allow mediaswcodec dmabuf_system_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow mediaswcodec dmabuf_system_secure_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow mediaswcodec gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow mediaswcodec gpu_device:dir { open getattr read search ioctl lock watch watch_reads };

#line 1 "system/sepolicy/public/mediatranscoding.te"
type mediatranscoding, domain;

#line 1 "system/sepolicy/public/modprobe.te"
# Kernel module loader. Holds CAP_SYS_MODULE and may load modules only from
# system_dlkm_file (the `system` class `module_load` permission below); the
# kernel keyring search is presumably for module signature verification.
type modprobe, domain;

allow modprobe proc_modules:file { getattr open read ioctl lock map watch watch_reads };
allow modprobe proc_cmdline:file { getattr open read ioctl lock map watch watch_reads };
allow modprobe self:{ capability cap_userns } sys_module;
allow modprobe kernel:key search;
allow modprobe system_dlkm_file:dir search;
allow modprobe system_dlkm_file:file { getattr open read ioctl lock map watch watch_reads };
allow modprobe system_dlkm_file:system module_load;
#line 13

#line 1 "system/sepolicy/public/mtp.te"
# vpn tunneling protocol manager
type mtp, domain;

#line 1 "system/sepolicy/public/net.te"
## Network types
type node, node_type;
type netif, netif_type;
type port, port_type;

###
### Domain with network access
###

# Use network sockets.
# The attribute `netdomain` is what grants a process network access; note that
# the ioctl permission is included here, so the per-domain ioctl allowlists
# (allowxperm/neverallowxperm) are what actually bound which commands are usable.
allow netdomain self:tcp_socket { create { { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } listen accept } };
allow netdomain self:{ icmp_socket udp_socket rawip_socket } { create { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# Connect to ports.
allow netdomain port_type:tcp_socket name_connect;
# See changes to the routing table.
allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };

# Talks to netd via dnsproxyd socket.
#line 20
allow netdomain dnsproxyd_socket:sock_file write;
#line 20
allow netdomain netd:unix_stream_socket connectto;
#line 20

# Talks to netd via fwmarkd socket.
#line 23
allow netdomain fwmarkd_socket:sock_file write;
#line 23
allow netdomain netd:unix_stream_socket connectto;
#line 23

#line 1 "system/sepolicy/public/netd.te"
# network manager
type netd, domain, mlstrustedsubject;
type netd_exec, system_file_type, exec_type, file_type;

#line 5
typeattribute netd netdomain;
#line 5

# Connect to mdnsd via mdnsd socket.
#line 7
allow netd mdnsd_socket:sock_file write;
#line 7
allow netd mdnsd:unix_stream_socket connectto;
#line 7

# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
# The list below is the same privileged-ioctl set that mediaserver is denied
# via neverallowxperm; netd is one of the few domains that legitimately needs
# interface configuration commands. Scope is `self:udp_socket` only.
allowxperm netd self:udp_socket ioctl
#line 9
{
#line 9
# qualcomm rmnet ioctls
#line 9
0x00006900 0x00006902
#line 9
# socket ioctls
#line 9
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 9
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 9
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 9
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 9
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 9
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 9
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 9
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 9
0x00008991 0x00008992 0x00008993 0x00008994
#line 9
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 9
# device and protocol specific ioctls
#line 9
0x000089f0-0x000089ff
#line 9
0x000089e0-0x000089ef
#line 9
# Wireless extension ioctls
#line 9
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 9
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 9
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 9
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 9
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 9
0x00008b34 0x00008b35 0x00008b36
#line 9
# Dev private ioctl i.e. hardware specific ioctls
#line 9
0x00008be0-0x00008bff
#line 9
};

#line 11
allow netd cgroup:dir { open getattr read search ioctl lock watch watch_reads };
#line 11
allow netd cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 11
allow netd system_server:fd use;

# Capabilities: net_admin/net_raw for interface, routing and firewall
# configuration; kill for signalling child daemons (see the dnsmasq rule below).
# Each capability granted here is worth re-justifying on review.
allow netd self:{ capability cap_userns } { net_admin net_raw kill };

# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set. We do not appear to truly need this capability
# for netd to operate.
dontaudit netd self:{ capability cap_userns } fsetid;

# Allow netd to open /dev/tun, set it up and pass it to clatd
# The tun ioctl allowlist is intentionally just two commands.
allow netd tun_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allowxperm netd tun_device:chr_file ioctl { 0x800454d2 0x400454ca };
allow netd self:tun_socket create;

# Netlink families netd drives: uevent, route, nflog, generic netlink,
# netfilter, tcpdiag (sock_diag) and the raw netlink class. Note that these
# sets carry no `ioctl`, unlike the tcp/udp sets in net.te.
allow netd self:netlink_kobject_uevent_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow netd self:netlink_route_socket nlmsg_write;
allow netd self:netlink_nflog_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow netd self:netlink_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow netd self:netlink_tcpdiag_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_read nlmsg_write };
allow netd self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow netd self:netlink_netfilter_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };

# netd executes helper binaries in its own domain (execute_no_trans) from
# shell_exec, system_file and vendor_file. NOTE(review): netutils_wrapper.te
# later in this file forbids execute_no_trans on netutils_wrapper_exec for every
# domain, which is presumably how the iptables/ip helpers are kept out of this
# grant; worth confirming the set of binaries netd actually spawns here.
allow netd shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow netd system_file:file { getattr execute execute_no_trans map };
allow netd vendor_file:file { getattr execute execute_no_trans map };
allow netd devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };

# Acquire advisory lock on /system/etc/xtables.lock. If this file doesn't
# exist, suppress the denial.
allow netd system_file:file lock;
dontaudit netd system_file:dir write;

# Allow netd to write to qtaguid ctrl file.
# TODO: Add proper rules to prevent other process to access qtaguid_proc file
# after migration complete
allow netd proc_qtaguid_ctrl:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
allow netd qtaguid_device:chr_file { getattr open read ioctl lock map watch watch_reads };

#line 53
allow netd proc_net_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 53
allow netd proc_net_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 53
# For /proc/sys/net/ipv[46]/route/flush.
allow netd proc_net_type:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };

# Enables PppController and interface enumeration (among others)
allow netd sysfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 59
allow netd sysfs_net:dir { open getattr read search ioctl lock watch watch_reads };
#line 59
allow netd sysfs_net:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 59
# Allows setting interface MTU
allow netd sysfs_net:file { open append write lock map };
# TODO: added to match above sysfs rule. Remove me?
allow netd sysfs_usb:file write;

#line 67
allow netd cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
#line 67
allow netd cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 67

# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
# Why?
# NOTE(review): dac_override and dac_read_search bypass all DAC file
# permission checks; the comment above records that the reason is unknown.
# Any rule that depends on these should be named here so the grant can be
# narrowed.
allow netd self:{ capability cap_userns } { dac_override dac_read_search chown };

# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow netd net_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow netd self:{ capability cap_userns } fowner;

# Needed to lock the iptables lock.
allow netd system_file:file lock;

# Allow netd to spawn dnsmasq in its own domain
allow netd dnsmasq:process { sigkill signal };

# Allow netd to publish a binder service and make binder calls.
#line 86
# Call the servicemanager and transfer references to it.
#line 86
allow netd servicemanager:binder { call transfer };
#line 86
# Allow servicemanager to send out callbacks
#line 86
allow servicemanager netd:binder { call transfer };
#line 86
# servicemanager performs getpidcon on clients.
#line 86
allow servicemanager netd:dir search;
#line 86
allow servicemanager netd:file { read open };
#line 86
allow servicemanager netd:process getattr;
#line 86
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 86
# all domains in domain.te.
#line 86

# Each service netd publishes is paired with a neverallow so that only netd can
# register it; `find` is restricted separately in the neverallow section.
#line 87
allow netd netd_service:service_manager { add find };
#line 87
neverallow { domain -netd } netd_service:service_manager add;
#line 87
#line 87
# On debug builds with root, allow binder services to use binder over TCP.
#line 87
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 87
#line 87

#line 88
allow netd dnsresolver_service:service_manager { add find };
#line 88
neverallow { domain -netd } dnsresolver_service:service_manager add;
#line 88
#line 88
# On debug builds with root, allow binder services to use binder over TCP.
#line 88
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 88
#line 88

#line 89
allow netd mdns_service:service_manager { add find };
#line 89
neverallow { domain -netd } mdns_service:service_manager add;
#line 89
#line 89
# On debug builds with root, allow binder services to use binder over TCP.
#line 89
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 89
#line 89

allow netd dumpstate:fifo_file { getattr write };

# Allow netd to call into the system server so it can check permissions.
allow netd system_server:binder call;
allow netd permission_service:service_manager find;

# Allow netd to talk to the framework service which collects netd events.
allow netd netd_listener_service:service_manager find;

# Allow netd to operate on sockets that are passed to it.
# No `create`, `bind`, `connect` or `ioctl` here: netd may read/write and adjust
# options on a caller's socket, but not turn it into something else.
allow netd netdomain:{ icmp_socket tcp_socket udp_socket rawip_socket tun_socket } { read write getattr setattr getopt setopt };
allow netd netdomain:fd use;

# give netd permission to read and write netlink xfrm
allow netd self:netlink_xfrm_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_write nlmsg_read };

# Allow netd to register as hal server.
#line 113
allow netd system_net_netd_hwservice:hwservice_manager { add find };
#line 113
allow netd hidl_base_hwservice:hwservice_manager add;
#line 113
neverallow { domain -netd } system_net_netd_hwservice:hwservice_manager add;
#line 113

#line 114
# Call the hwservicemanager and transfer references to it.
#line 114
allow netd hwservicemanager:binder { call transfer };
#line 114
# Allow hwservicemanager to send out callbacks
#line 114
allow hwservicemanager netd:binder { call transfer };
#line 114
# hwservicemanager performs getpidcon on clients.
#line 114
allow hwservicemanager netd:dir search;
#line 114
allow hwservicemanager netd:file { read open map };
#line 114
allow hwservicemanager netd:process getattr;
#line 114
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 114
# all domains in domain.te.
#line 114

# AIDL hal server
# NOTE(review): the three rules expanded at line 117 use system_net_netd_service
# (a service_manager label type) as the *source* of binder calls and fd use,
# where the same macro elsewhere in this file takes a process domain (e.g.
# performanced, postinstall). As written these rules can never match a running
# process; confirm against upstream whether the intended source was netd.
#line 117
# Call the server domain and optionally transfer references to it.
#line 117
allow system_net_netd_service servicemanager:binder { call transfer };
#line 117
# Allow the serverdomain to transfer references to the client on the reply.
#line 117
allow servicemanager system_net_netd_service:binder transfer;
#line 117
# Receive and use open files from the server.
#line 117
allow system_net_netd_service servicemanager:fd use;
#line 117

#line 118
allow netd system_net_netd_service:service_manager { add find };
#line 118
neverallow { domain -netd } system_net_netd_service:service_manager add;
#line 118
#line 118
# On debug builds with root, allow binder services to use binder over TCP.
#line 118
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 118
#line 118

###
### Neverallow rules
###
### netd should NEVER do any of this

# Block device access.
neverallow netd dev_type:blk_file { read write };

# ptrace any other app
neverallow netd { domain }:process ptrace;

# Write to /system.
neverallow netd system_file_type:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;

# Write to files in /data/data or system files on /data
neverallow netd { app_data_file_type system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;

# only system_server, dumpstate, the network stack app, netd itself and
# netutils_wrapper may find netd service
neverallow { domain -system_server -dumpstate -network_stack -netd -netutils_wrapper } netd_service:service_manager find;

# only system_server, dumpstate, the network stack app, netd itself and
# netutils_wrapper may find dnsresolver service
neverallow { domain -system_server -dumpstate -network_stack -netd -netutils_wrapper } dnsresolver_service:service_manager find;

# only system_server, dumpstate, the network stack app, netd itself and
# netutils_wrapper may find mdns service
neverallow { domain -system_server -dumpstate -network_stack -netd -netutils_wrapper } mdns_service:service_manager find;

# apps may not interact with netd over binder.
# Enforced in both directions so a compromised app cannot reach netd and netd
# cannot be induced to call back into an app.
neverallow { appdomain -network_stack } netd:binder call;
neverallow netd { appdomain -network_stack }:binder call;

# If an already existing file is opened with O_CREATE, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
neverallow netd proc_net:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
dontaudit netd proc_net:dir write;
neverallow netd sysfs_net:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
dontaudit netd sysfs_net:dir write;

# Netd should not have SYS_ADMIN privs.
neverallow netd self:capability sys_admin;
dontaudit netd self:capability sys_admin;

# Netd should not have SYS_MODULE privs, nor should it be requesting module loads
# (things it requires should be built directly into the kernel)
# NOTE(review): unlike sys_admin above, sys_module is only dontaudit'ed here
# with no matching neverallow in this file; if that is intentional (e.g. covered
# by a global rule elsewhere), a pointer to it would help the next reviewer.
dontaudit netd self:capability sys_module;

dontaudit netd appdomain:unix_stream_socket { read write };

#line 1 "system/sepolicy/public/netutils_wrapper.te"
# Wrapper used to run network utilities: no domain may run the binary without a
# domain transition, which forces callers through the wrapper's own domain.
type netutils_wrapper, domain;
type netutils_wrapper_exec, system_file_type, exec_type, file_type;

neverallow domain netutils_wrapper_exec:file execute_no_trans;

#line 1 "system/sepolicy/public/network_stack.te"
# Network stack service app
type network_stack, domain;

#line 1 "system/sepolicy/public/nfc.te"
# nfc subsystem
type nfc, domain;

#line 1 "system/sepolicy/public/otapreopt_chroot.te"
# otapreopt_chroot seclabel
# TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
type otapreopt_chroot, domain;

#line 1 "system/sepolicy/public/perfetto.te"
type perfetto, domain, coredomain;

#line 1 "system/sepolicy/public/performanced.te"
# performanced
type performanced, domain, mlstrustedsubject;
type performanced_exec, system_file_type, exec_type, file_type;

# Needed to check for app permissions.
#line 6
# Call the servicemanager and transfer references to it.
#line 6
allow performanced servicemanager:binder { call transfer };
#line 6
# Allow servicemanager to send out callbacks
#line 6
allow servicemanager performanced:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
#line 6
allow servicemanager performanced:dir search;
#line 6
allow servicemanager performanced:file { read open };
#line 6
allow servicemanager performanced:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6

#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow performanced system_server:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow system_server performanced:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow performanced system_server:fd use;
#line 7
allow performanced permission_service:service_manager find;

# PDX server setup: init creates the endpoint socket, performanced serves on it
# and labels the per-client channel sockets itself (setsockcreate).
#line 10
# Mark the server domain as a PDX server.
#line 10
typeattribute performanced pdx_performance_client_server_type;
#line 10
# Allow the init process to create the initial endpoint socket.
#line 10
allow init pdx_performance_client_endpoint_socket_type:unix_stream_socket { create bind };
#line 10
# Allow the server domain to use the endpoint socket and accept connections on it.
#line 10
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 10
# than we need (e.g. we don't need "bind" or "connect").
#line 10
allow performanced pdx_performance_client_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
#line 10
# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
#line 10
allow performanced self:process setsockcreate;
#line 10
# Allow the server domain to create a client channel socket.
#line 10
allow performanced pdx_performance_client_channel_socket_type:unix_stream_socket { create { { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } listen accept } };
#line 10
# Prevent other processes from claiming to be a server for the same service.
#line 10
neverallow {domain -performanced} pdx_performance_client_endpoint_socket_type:unix_stream_socket { listen accept };
#line 10

# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
# NOTE(review): setuid/setgid are broad for a daemon that only needs to adjust
# scheduling; the TODO above is the intended narrowing.
allow performanced self:{ capability cap_userns } { setuid setgid sys_nice };

# Access /proc to validate we're only affecting threads in the same thread group.
# Performanced also shields unbound kernel threads. It scans every task in the
# root cpu set, but only affects the kernel threads.
#line 18
allow performanced { appdomain bufferhubd kernel surfaceflinger }:dir { open getattr read search ioctl lock watch watch_reads };
#line 18
allow performanced { appdomain bufferhubd kernel surfaceflinger }:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 18
dontaudit performanced domain:dir read;
allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;

# These /proc accesses only show up in permissive mode but they
# generate a lot of noise in the log.
# (The rule this comment refers to is absent from this expansion.)
#line 27

# Access /dev/cpuset/cpuset.cpus
#line 30
allow performanced cgroup:dir { open getattr read search ioctl lock watch watch_reads };
#line 30
allow performanced cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 30
#line 31
allow performanced cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
#line 31
allow performanced cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 31

#line 1 "system/sepolicy/public/platform_app.te"
###
### Apps signed with the platform key.
###
type platform_app, domain;

#line 1 "system/sepolicy/public/postinstall.te"
# Domain where the postinstall program runs during the update.
# Extend the permissions in this domain to allow this program to access other
# files needed by the specific device on your device's sepolicy directory.
type postinstall, domain;

# Allow postinstall to write to its stdout/stderr when redirected via pipes to
# update_engine.
allow postinstall update_engine_common:fd use;
allow postinstall update_engine_common:fifo_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };

# Allow postinstall to read and execute directories and files in the same
# mounted location.
allow postinstall postinstall_file:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow postinstall postinstall_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
allow postinstall postinstall_file:dir { open getattr read search ioctl lock watch watch_reads };

# Allow postinstall to execute the shell or other system executables.
allow postinstall shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow postinstall system_file:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow postinstall toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };

# Allow postinstall to execute shell in recovery.
# (No rule follows in this expansion; presumably a recovery-only rule compiled out.)
#line 25

#
# For OTA dexopt.
#

# Allow postinstall scripts to talk to the system server.
#line 32
# Call the servicemanager and transfer references to it.
#line 32
allow postinstall servicemanager:binder { call transfer };
#line 32
# Allow servicemanager to send out callbacks
#line 32
allow servicemanager postinstall:binder { call transfer };
#line 32
# servicemanager performs getpidcon on clients.
#line 32
allow servicemanager postinstall:dir search;
#line 32
allow servicemanager postinstall:file { read open };
#line 32
allow servicemanager postinstall:process getattr;
#line 32
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 32
# all domains in domain.te.
#line 32

#line 33
# Call the server domain and optionally transfer references to it.
#line 33
allow postinstall system_server:binder { call transfer };
#line 33
# Allow the serverdomain to transfer references to the client on the reply.
#line 33
allow system_server postinstall:binder transfer;
#line 33
# Receive and use open files from the server.
#line 33
allow postinstall system_server:fd use;
#line 33

# Need to talk to the otadexopt service.
allow postinstall otadexopt_service:service_manager find;

# Allow postinstall scripts to trigger f2fs garbage collection
allow postinstall sysfs_fs_f2fs:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow postinstall sysfs_fs_f2fs:dir { open getattr read search ioctl lock watch watch_reads };

# No domain other than update_engine and recovery (via update_engine_sideload)
# should transition to postinstall, as it is only meant to run during the
# update.
# Covers both exec-based and dynamic (setcon) transitions.
neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };

#line 1 "system/sepolicy/public/ppp.te"
# Point to Point Protocol daemon
type ppp, domain;

#line 1 "system/sepolicy/public/priv_app.te"
###
### A domain for further sandboxing privileged apps.
###
type priv_app, domain;

#line 1 "system/sepolicy/public/prng_seeder.te"
# PRNG seeder daemon
type prng_seeder, domain;

#line 1 "system/sepolicy/public/profman.te"
# profman
type profman, domain;
type profman_exec, system_file_type, exec_type, file_type;

allow profman user_profile_data_file:file { getattr read write lock map };

# Dumping profile info opens the application APK file for pretty printing.
allow profman asec_apk_file:file { read map };
allow profman apk_data_file:file { getattr read map };
allow profman apk_data_file:dir { getattr read search };
allow profman oemfs:file { read map };

# Reading an APK opens a ZipArchive, which unpack to tmpfs.
allow profman tmpfs:file { read map };

allow profman profman_dump_data_file:file { write map };

# Allow profman to analyze profiles for the secondary dex files. These
# are application dex files reported back to the framework when using
# BaseDexClassLoader.
# As with mediaserver's app-data rule, there is no `open` here, and the
# neverallow below makes that explicit: profman works only on descriptors it is
# handed, never on app data it opens itself.
allow profman { privapp_data_file app_data_file }:file { getattr read write lock map };
allow profman { privapp_data_file app_data_file }:dir { getattr read search };

# Allow query ART device config properties
#line 24
allow profman device_config_runtime_native_prop:file { getattr open read map };
#line 24
#line 25
allow profman device_config_runtime_native_boot_prop:file { getattr open read map };
#line 25

###
### neverallow rules
###

neverallow profman app_data_file_type:{ file lnk_file sock_file fifo_file } open;

#line 1 "system/sepolicy/public/property.te"
# Properties used only in /system
#
# DO NOT ADD system_internal_prop here.
# Instead, add to private/property.te.
# TODO(b/150331497): move these to private/property.te
# Each system-internal property type is followed by a neverallow that denies
# every non-coredomain process any access to its backing file; the CTS marker
# comments around those rules are matched by tooling and must stay verbatim.
#line 6
#line 6
type apexd_prop, property_type, system_property_type, system_internal_property_type;
#line 6
#line 6
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 6
#line 6
neverallow { domain -coredomain } apexd_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 6
#line 6
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 6
#line 6

#line 7
#line 7
type bootloader_boot_reason_prop, property_type, system_property_type, system_internal_property_type;
#line 7
#line 7
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 7
#line 7
neverallow { domain -coredomain } bootloader_boot_reason_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 7
#line 7
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 7
#line 7

#line 8
#line 8
type device_config_activity_manager_native_boot_prop, property_type, system_property_type,
system_internal_property_type; #line 8 #line 8 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 8 #line 8 neverallow { domain -coredomain } device_config_activity_manager_native_boot_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 8 #line 8 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 8 #line 8 #line 9 #line 9 type device_config_boot_count_prop, property_type, system_property_type, system_internal_property_type; #line 9 #line 9 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 9 #line 9 neverallow { domain -coredomain } device_config_boot_count_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 9 #line 9 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 9 #line 9 #line 10 #line 10 type device_config_input_native_boot_prop, property_type, system_property_type, system_internal_property_type; #line 10 #line 10 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 10 #line 10 neverallow { domain -coredomain } device_config_input_native_boot_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 10 #line 10 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 10 #line 10 #line 11 #line 11 type device_config_netd_native_prop, property_type, system_property_type, system_internal_property_type; #line 11 #line 11 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 11 #line 11 neverallow { domain -coredomain } device_config_netd_native_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch 
watch_mount watch_sb watch_with_perm watch_reads }; #line 11 #line 11 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 11 #line 11 #line 12 #line 12 type device_config_reset_performed_prop, property_type, system_property_type, system_internal_property_type; #line 12 #line 12 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 12 #line 12 neverallow { domain -coredomain } device_config_reset_performed_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 12 #line 12 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 12 #line 12 #line 13 #line 13 type firstboot_prop, property_type, system_property_type, system_internal_property_type; #line 13 #line 13 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 13 #line 13 neverallow { domain -coredomain } firstboot_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 13 #line 13 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 13 #line 13 # BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 # DO NOT ADD ANY PROPERTIES HERE #line 15 #line 15 #line 15 type boottime_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } boottime_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type charger_prop, property_type, 
system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } charger_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type cold_boot_done_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } cold_boot_done_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type ctl_adbd_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } ctl_adbd_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type ctl_apexd_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } ctl_apexd_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 
15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type ctl_bootanim_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } ctl_bootanim_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type ctl_bugreport_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } ctl_bugreport_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type ctl_console_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } ctl_console_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type ctl_dumpstate_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } 
ctl_dumpstate_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type ctl_fuse_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } ctl_fuse_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type ctl_gsid_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } ctl_gsid_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type ctl_interface_restart_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } ctl_interface_restart_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type ctl_interface_stop_prop, property_type, 
system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } ctl_interface_stop_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type ctl_mdnsd_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } ctl_mdnsd_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type ctl_restart_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } ctl_restart_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type ctl_rildaemon_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } ctl_rildaemon_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; 
#line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type ctl_sigstop_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } ctl_sigstop_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type dynamic_system_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } dynamic_system_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type heapprofd_enabled_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } heapprofd_enabled_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type llkd_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain 
-coredomain } llkd_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type lpdumpd_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } lpdumpd_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type mmc_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } mmc_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type mock_ota_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } mock_ota_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type net_dns_prop, property_type, system_property_type, system_internal_property_type; #line 
15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } net_dns_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type overlay_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } overlay_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type persistent_properties_ready_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } persistent_properties_ready_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type safemode_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } safemode_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- 
this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type system_lmk_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } system_lmk_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type system_trace_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } system_trace_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type test_boot_reason_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } test_boot_reason_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type time_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } time_prop:file { { append create link 
unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type traced_enabled_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } traced_enabled_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 #line 15 type traced_lazy_prop, property_type, system_property_type, system_internal_property_type; #line 15 #line 15 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 neverallow { domain -coredomain } traced_lazy_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 15 #line 15 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 15 #line 15 #line 15 #line 15 # END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify #line 50 # Properties which can't be written outside system #line 53 #line 53 type aac_drc_prop, property_type, system_property_type, system_restricted_property_type; #line 53 #line 53 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 53 #line 53 neverallow { domain -coredomain } aac_drc_prop:property_service set; #line 53 #line 53 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 53 #line 53 #line 54 #line 54 type adaptive_haptics_prop, property_type, system_property_type, system_restricted_property_type; #line 
54 #line 54 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 54 #line 54 neverallow { domain -coredomain } adaptive_haptics_prop:property_service set; #line 54 #line 54 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 54 #line 54 #line 55 #line 55 type apex_ready_prop, property_type, system_property_type, system_restricted_property_type; #line 55 #line 55 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 55 #line 55 neverallow { domain -coredomain } apex_ready_prop:property_service set; #line 55 #line 55 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 55 #line 55 #line 56 #line 56 type arm64_memtag_prop, property_type, system_property_type, system_restricted_property_type; #line 56 #line 56 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 56 #line 56 neverallow { domain -coredomain } arm64_memtag_prop:property_service set; #line 56 #line 56 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 56 #line 56 #line 57 #line 57 type binder_cache_bluetooth_server_prop, property_type, system_property_type, system_restricted_property_type; #line 57 #line 57 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 57 #line 57 neverallow { domain -coredomain } binder_cache_bluetooth_server_prop:property_service set; #line 57 #line 57 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 57 #line 57 #line 58 #line 58 type binder_cache_system_server_prop, property_type, system_property_type, system_restricted_property_type; #line 58 #line 58 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 58 #line 58 neverallow { domain -coredomain } binder_cache_system_server_prop:property_service set; #line 58 #line 58 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 58 #line 58 #line 
59 #line 59 type binder_cache_telephony_server_prop, property_type, system_property_type, system_restricted_property_type; #line 59 #line 59 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 59 #line 59 neverallow { domain -coredomain } binder_cache_telephony_server_prop:property_service set; #line 59 #line 59 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 59 #line 59 #line 60 #line 60 type boot_status_prop, property_type, system_property_type, system_restricted_property_type; #line 60 #line 60 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 60 #line 60 neverallow { domain -coredomain } boot_status_prop:property_service set; #line 60 #line 60 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 60 #line 60 #line 61 #line 61 type bootanim_system_prop, property_type, system_property_type, system_restricted_property_type; #line 61 #line 61 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 61 #line 61 neverallow { domain -coredomain } bootanim_system_prop:property_service set; #line 61 #line 61 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 61 #line 61 #line 62 #line 62 type bootloader_prop, property_type, system_property_type, system_restricted_property_type; #line 62 #line 62 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 62 #line 62 neverallow { domain -coredomain } bootloader_prop:property_service set; #line 62 #line 62 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 62 #line 62 #line 63 #line 63 type boottime_public_prop, property_type, system_property_type, system_restricted_property_type; #line 63 #line 63 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 63 #line 63 neverallow { domain -coredomain } boottime_public_prop:property_service set; #line 63 #line 63 # 
END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 63 #line 63 #line 64 #line 64 type bq_config_prop, property_type, system_property_type, system_restricted_property_type; #line 64 #line 64 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 64 #line 64 neverallow { domain -coredomain } bq_config_prop:property_service set; #line 64 #line 64 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 64 #line 64 #line 65 #line 65 type build_bootimage_prop, property_type, system_property_type, system_restricted_property_type; #line 65 #line 65 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 65 #line 65 neverallow { domain -coredomain } build_bootimage_prop:property_service set; #line 65 #line 65 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 65 #line 65 #line 66 #line 66 type build_prop, property_type, system_property_type, system_restricted_property_type; #line 66 #line 66 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 66 #line 66 neverallow { domain -coredomain } build_prop:property_service set; #line 66 #line 66 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 66 #line 66 #line 67 #line 67 type composd_vm_art_prop, property_type, system_property_type, system_restricted_property_type; #line 67 #line 67 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 67 #line 67 neverallow { domain -coredomain } composd_vm_art_prop:property_service set; #line 67 #line 67 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 67 #line 67 #line 68 #line 68 type device_config_aconfig_flags_prop, property_type, system_property_type, system_restricted_property_type; #line 68 #line 68 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 68 #line 68 neverallow { domain -coredomain } 
device_config_aconfig_flags_prop:property_service set; #line 68 #line 68 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 68 #line 68 #line 69 #line 69 type device_config_camera_native_prop, property_type, system_property_type, system_restricted_property_type; #line 69 #line 69 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 69 #line 69 neverallow { domain -coredomain } device_config_camera_native_prop:property_service set; #line 69 #line 69 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 69 #line 69 #line 70 #line 70 type device_config_edgetpu_native_prop, property_type, system_property_type, system_restricted_property_type; #line 70 #line 70 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 70 #line 70 neverallow { domain -coredomain } device_config_edgetpu_native_prop:property_service set; #line 70 #line 70 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 70 #line 70 #line 71 #line 71 type device_config_media_native_prop, property_type, system_property_type, system_restricted_property_type; #line 71 #line 71 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 71 #line 71 neverallow { domain -coredomain } device_config_media_native_prop:property_service set; #line 71 #line 71 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 71 #line 71 #line 72 #line 72 type device_config_nnapi_native_prop, property_type, system_property_type, system_restricted_property_type; #line 72 #line 72 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 72 #line 72 neverallow { domain -coredomain } device_config_nnapi_native_prop:property_service set; #line 72 #line 72 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 72 #line 72 #line 73 #line 73 type device_config_runtime_native_boot_prop, 
property_type, system_property_type, system_restricted_property_type; #line 73 #line 73 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 73 #line 73 neverallow { domain -coredomain } device_config_runtime_native_boot_prop:property_service set; #line 73 #line 73 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 73 #line 73 #line 74 #line 74 type device_config_runtime_native_prop, property_type, system_property_type, system_restricted_property_type; #line 74 #line 74 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 74 #line 74 neverallow { domain -coredomain } device_config_runtime_native_prop:property_service set; #line 74 #line 74 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 74 #line 74 #line 75 #line 75 type device_config_surface_flinger_native_boot_prop, property_type, system_property_type, system_restricted_property_type; #line 75 #line 75 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 75 #line 75 neverallow { domain -coredomain } device_config_surface_flinger_native_boot_prop:property_service set; #line 75 #line 75 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 75 #line 75 #line 76 #line 76 type device_config_vendor_system_native_prop, property_type, system_property_type, system_restricted_property_type; #line 76 #line 76 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 76 #line 76 neverallow { domain -coredomain } device_config_vendor_system_native_prop:property_service set; #line 76 #line 76 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 76 #line 76 #line 77 #line 77 type device_config_vendor_system_native_boot_prop, property_type, system_property_type, system_restricted_property_type; #line 77 #line 77 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 77 
# system_restricted_prop() expansions (continued). The only write restriction
# on these types is `neverallow { domain -coredomain } <prop>:property_service set`:
# coredomain processes may set them, nothing outside coredomain may. Read access
# is not constrained in this block. CTS greps the BEGIN/END markers -- keep them.
#line 77
neverallow { domain -coredomain } device_config_vendor_system_native_boot_prop:property_service set;
#line 77
#line 77
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 77
#line 77
#line 78
#line 78
type drm_forcel3_prop, property_type, system_property_type, system_restricted_property_type;
#line 78
#line 78
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 78
#line 78
neverallow { domain -coredomain } drm_forcel3_prop:property_service set;
#line 78
#line 78
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 78
#line 78
#line 79
#line 79
type fingerprint_prop, property_type, system_property_type, system_restricted_property_type;
#line 79
#line 79
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 79
#line 79
neverallow { domain -coredomain } fingerprint_prop:property_service set;
#line 79
#line 79
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 79
#line 79
#line 80
#line 80
type gwp_asan_prop, property_type, system_property_type, system_restricted_property_type;
#line 80
#line 80
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 80
#line 80
neverallow { domain -coredomain } gwp_asan_prop:property_service set;
#line 80
#line 80
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 80
#line 80
#line 81
#line 81
type hal_instrumentation_prop, property_type, system_property_type, system_restricted_property_type;
#line 81
#line 81
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 81
#line 81
neverallow { domain -coredomain } hal_instrumentation_prop:property_service set;
#line 81
#line 81
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 81
#line 81
#line 82
#line 82
type userdebug_or_eng_prop, property_type, system_property_type, system_restricted_property_type;
#line 82
#line 82
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 82
#line 82
neverallow { domain -coredomain } userdebug_or_eng_prop:property_service set;
#line 82
#line 82
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 82
#line 82
#line 83
#line 83
type init_service_status_prop, property_type, system_property_type, system_restricted_property_type;
#line 83
#line 83
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 83
#line 83
neverallow { domain -coredomain } init_service_status_prop:property_service set;
#line 83
#line 83
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 83
#line 83
#line 84
#line 84
type libc_debug_prop, property_type, system_property_type, system_restricted_property_type;
#line 84
#line 84
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 84
#line 84
neverallow { domain -coredomain } libc_debug_prop:property_service set;
#line 84
#line 84
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 84
#line 84
#line 85
#line 85
type module_sdkextensions_prop, property_type, system_property_type, system_restricted_property_type;
#line 85
#line 85
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 85
#line 85
neverallow { domain -coredomain } module_sdkextensions_prop:property_service set;
#line 85
#line 85
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 85
#line 85
#line 86
#line 86
type nnapi_ext_deny_product_prop, property_type, system_property_type, system_restricted_property_type;
#line 86
#line 86
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 86
#line 86
neverallow { domain -coredomain } nnapi_ext_deny_product_prop:property_service set;
#line 86
#line 86
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 86
#line 86
#line 87
#line 87
type persist_wm_debug_prop, property_type, system_property_type, system_restricted_property_type;
#line 87
#line 87
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 87
#line 87
neverallow { domain -coredomain } persist_wm_debug_prop:property_service set;
#line 87
#line 87
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 87
#line 87
#line 88
#line 88
type power_debug_prop, property_type, system_property_type, system_restricted_property_type;
#line 88
#line 88
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 88
#line 88
neverallow { domain -coredomain } power_debug_prop:property_service set;
#line 88
#line 88
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 88
#line 88
#line 89
#line 89
type property_service_version_prop, property_type, system_property_type, system_restricted_property_type;
#line 89
#line 89
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 89
#line 89
neverallow { domain -coredomain } property_service_version_prop:property_service set;
#line 89
#line 89
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 89
#line 89
#line 90
#line 90
type provisioned_prop, property_type, system_property_type, system_restricted_property_type;
#line 90
#line 90
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 90
#line 90
neverallow { domain -coredomain } provisioned_prop:property_service set;
#line 90
#line 90
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 90
#line 90
#line 91
#line 91
type restorecon_prop, property_type, system_property_type, system_restricted_property_type;
#line 91
#line 91
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 91
#line 91
neverallow { domain -coredomain } restorecon_prop:property_service set;
#line 91
#line 91
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 91
#line 91
#line 92
#line 92
type retaildemo_prop, property_type, system_property_type, system_restricted_property_type;
#line 92
#line 92
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 92
#line 92
neverallow { domain -coredomain } retaildemo_prop:property_service set;
#line 92
#line 92
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 92
#line 92
#line 93
#line 93
type servicemanager_prop, property_type, system_property_type, system_restricted_property_type;
#line 93
#line 93
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 93
#line 93
neverallow { domain -coredomain } servicemanager_prop:property_service set;
#line 93
#line 93
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 93
#line 93
#line 94
#line 94
type smart_idle_maint_enabled_prop, property_type, system_property_type, system_restricted_property_type;
#line 94
#line 94
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 94
#line 94
neverallow { domain -coredomain } smart_idle_maint_enabled_prop:property_service set;
#line 94
#line 94
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 94
#line 94
#line 95
#line 95
type socket_hook_prop, property_type, system_property_type, system_restricted_property_type;
#line 95
#line 95
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 95
#line 95
neverallow { domain -coredomain } socket_hook_prop:property_service set;
#line 95
#line 95
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 95
#line 95
#line 96
#line 96
type sqlite_log_prop, property_type, system_property_type, system_restricted_property_type;
#line 96
#line 96
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 96
#line 96
neverallow { domain -coredomain } sqlite_log_prop:property_service set;
#line 96
#line 96
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 96
#line 96
#line 97
#line 97
type surfaceflinger_display_prop, property_type, system_property_type, system_restricted_property_type;
#line 97
#line 97
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 97
#line 97
neverallow { domain -coredomain } surfaceflinger_display_prop:property_service set;
#line 97
#line 97
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 97
#line 97
#line 98
#line 98
type system_boot_reason_prop, property_type, system_property_type, system_restricted_property_type;
#line 98
#line 98
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 98
#line 98
neverallow { domain -coredomain } system_boot_reason_prop:property_service set;
#line 98
#line 98
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 98
#line 98
#line 99
#line 99
type system_jvmti_agent_prop, property_type, system_property_type, system_restricted_property_type;
#line 99
#line 99
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 99
#line 99
neverallow { domain -coredomain } system_jvmti_agent_prop:property_service set;
#line 99
#line 99
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 99
#line 99
#line 100
#line 100
type traced_oome_heap_session_count_prop, property_type, system_property_type, system_restricted_property_type;
#line 100
#line 100
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 100
#line 100
neverallow { domain -coredomain } traced_oome_heap_session_count_prop:property_service set;
#line 100
#line 100
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 100
#line 100
#line 101
#line 101
type ab_update_gki_prop, property_type, system_property_type, system_restricted_property_type;
#line 101
#line 101
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 101
#line 101
neverallow { domain -coredomain } ab_update_gki_prop:property_service set;
#line 101
#line 101
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 101
#line 101
#line 102
#line 102
type usb_prop, property_type, system_property_type, system_restricted_property_type;
#line 102
#line 102
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 102
#line 102
neverallow { domain -coredomain } usb_prop:property_service set;
#line 102
#line 102
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 102
#line 102
#line 103
#line 103
type userspace_reboot_exported_prop, property_type, system_property_type, system_restricted_property_type;
#line 103
#line 103
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 103
#line 103
neverallow { domain -coredomain } userspace_reboot_exported_prop:property_service set;
#line 103
#line 103
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 103
#line 103
#line 104
#line 104
type vold_status_prop, property_type, system_property_type, system_restricted_property_type;
#line 104
#line 104
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 104
#line 104
neverallow { domain -coredomain } vold_status_prop:property_service set;
#line 104
#line 104
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 104
#line 104
#line 105
#line 105
type vts_status_prop, property_type, system_property_type, system_restricted_property_type;
#line 105
#line 105
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 105
#line 105
neverallow { domain -coredomain } vts_status_prop:property_service set;
#line 105
#line 105
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 105
#line 105
# Legacy "compatible property" types. Same coredomain-only set restriction as
# above; the list is closed (see DO NOT ADD below) and the COMPATIBLE_PROPERTY
# marker pair is CTS-checked -- presumably retained for older vendor images that
# still reference these types, so do not extend or rename anything in it.
# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
# DO NOT ADD ANY PROPERTIES HERE
#line 107
#line 107
#line 107
type config_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } config_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type cppreopt_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } cppreopt_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type dalvik_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } dalvik_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type debuggerd_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } debuggerd_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type device_logging_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } device_logging_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type dhcp_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } dhcp_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type dumpstate_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } dumpstate_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type exported3_system_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } exported3_system_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type exported_dumpstate_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } exported_dumpstate_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type exported_secure_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } exported_secure_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
# Remaining legacy compatible-property types (system_restricted_prop():
# coredomain-only set, reads unconstrained here). The list is closed; the
# BEGIN/END markers are CTS-checked and must stay byte-identical.
#line 107
#line 107
#line 107
type heapprofd_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } heapprofd_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type net_radio_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } net_radio_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type pan_result_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } pan_result_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type persist_debug_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } persist_debug_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type shell_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } shell_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type test_harness_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } test_harness_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type theme_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } theme_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type use_memfd_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } use_memfd_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type vold_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } vold_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 128
# Properties which can be written only by init and vendor_init
# (system_vendor_config_prop() expansions). Each type is a system-owned
# system_public_property_type whose value is intended to be supplied from vendor
# init scripts, so the macro grants vendor_init the property_service path
# (property_socket write + connectto init), set on the type, and read/map of its
# backing file; the neverallow then closes property_service:set to everyone but
# init and vendor_init. The two socket allows are emitted once per property by
# the macro -- identical allow rules are merged, so the repetition is harmless.
#line 131
#line 131
type apexd_config_prop, property_type, system_property_type, system_public_property_type;
#line 131
#line 131
#line 131
#line 131
allow vendor_init property_socket:sock_file write;
#line 131
allow vendor_init init:unix_stream_socket connectto;
#line 131
#line 131
allow vendor_init apexd_config_prop:property_service set;
#line 131
#line 131
allow vendor_init apexd_config_prop:file { getattr open read map };
#line 131
#line 131
#line 131
neverallow { domain -init -vendor_init } apexd_config_prop:property_service set;
#line 131
#line 132
#line 132
type apexd_select_prop, property_type, system_property_type, system_public_property_type;
#line 132
#line 132
#line 132
#line 132
allow vendor_init property_socket:sock_file write;
#line 132
allow vendor_init init:unix_stream_socket connectto;
#line 132
#line 132
allow vendor_init apexd_select_prop:property_service set;
#line 132
#line 132
allow vendor_init apexd_select_prop:file { getattr open read map };
#line 132
#line 132
#line 132
neverallow { domain -init -vendor_init } apexd_select_prop:property_service set;
#line 132
#line 133
#line 133
type aaudio_config_prop, property_type, system_property_type, system_public_property_type;
#line 133
#line 133
#line 133
#line 133
allow vendor_init property_socket:sock_file write;
#line 133
allow vendor_init init:unix_stream_socket connectto;
#line 133
#line 133
allow vendor_init aaudio_config_prop:property_service set;
#line 133
#line 133
allow vendor_init aaudio_config_prop:file { getattr open read map };
#line 133
#line 133
#line 133
neverallow { domain -init -vendor_init } aaudio_config_prop:property_service set;
#line 133
# NOTE(review): apk_verity_prop is (by name) a verification knob; the neverallow
# below is what keeps runtime domains from flipping it -- keep init/vendor_init
# as the only writers.
#line 134
#line 134
type apk_verity_prop, property_type, system_property_type, system_public_property_type;
#line 134
#line 134
#line 134
#line 134
allow vendor_init property_socket:sock_file write;
#line 134
allow vendor_init init:unix_stream_socket connectto;
#line 134
#line 134
allow vendor_init apk_verity_prop:property_service set;
#line 134
#line 134
allow vendor_init apk_verity_prop:file { getattr open read map };
#line 134
#line 134
#line 134
neverallow { domain -init -vendor_init } apk_verity_prop:property_service set;
#line 134
#line 135
#line 135
type audio_config_prop, property_type, system_property_type, system_public_property_type;
#line 135
#line 135
#line 135
#line 135
allow vendor_init property_socket:sock_file write;
#line 135
allow vendor_init init:unix_stream_socket connectto;
#line 135
#line 135
allow vendor_init audio_config_prop:property_service set;
#line 135
#line 135
allow vendor_init audio_config_prop:file { getattr open read map };
#line 135
#line 135
#line 135
neverallow { domain -init -vendor_init } audio_config_prop:property_service set;
#line 135
#line 136
#line 136
type bootanim_config_prop, property_type, system_property_type, system_public_property_type;
#line 136
#line 136
#line 136
#line 136
allow vendor_init property_socket:sock_file write;
#line 136
allow vendor_init init:unix_stream_socket connectto;
#line 136
#line 136
allow vendor_init bootanim_config_prop:property_service set;
#line 136
#line 136
allow vendor_init bootanim_config_prop:file { getattr open read map };
#line 136
#line 136
#line 136
neverallow { domain -init -vendor_init } bootanim_config_prop:property_service set;
#line 136
#line 137
#line 137
type bluetooth_config_prop, property_type, system_property_type, system_public_property_type;
#line 137
#line 137
#line 137
#line 137
allow vendor_init property_socket:sock_file write;
#line 137
allow vendor_init init:unix_stream_socket connectto;
#line 137
#line 137
allow vendor_init bluetooth_config_prop:property_service set;
#line 137
#line 137
allow vendor_init bluetooth_config_prop:file { getattr open read map };
#line 137
#line 137
#line 137
neverallow { domain -init -vendor_init } bluetooth_config_prop:property_service set;
#line 137
# system_vendor_config_prop() expansions (continued): each type is a
# system_public_property_type that vendor_init may set (via property_socket +
# connectto init) and read/map; `neverallow { domain -init -vendor_init }`
# makes init and vendor_init the only writers. The repeated socket allows are
# macro output and merge into one rule.
# NOTE(review): build_attestation_prop's writers are init/vendor_init only,
# which is what attestation-sensitive values need; the property names mapped to
# it are not visible here -- confirm in property_contexts.
#line 138
#line 138
type build_attestation_prop, property_type, system_property_type, system_public_property_type;
#line 138
#line 138
#line 138
#line 138
allow vendor_init property_socket:sock_file write;
#line 138
allow vendor_init init:unix_stream_socket connectto;
#line 138
#line 138
allow vendor_init build_attestation_prop:property_service set;
#line 138
#line 138
allow vendor_init build_attestation_prop:file { getattr open read map };
#line 138
#line 138
#line 138
neverallow { domain -init -vendor_init } build_attestation_prop:property_service set;
#line 138
#line 139
#line 139
type build_config_prop, property_type, system_property_type, system_public_property_type;
#line 139
#line 139
#line 139
#line 139
allow vendor_init property_socket:sock_file write;
#line 139
allow vendor_init init:unix_stream_socket connectto;
#line 139
#line 139
allow vendor_init build_config_prop:property_service set;
#line 139
#line 139
allow vendor_init build_config_prop:file { getattr open read map };
#line 139
#line 139
#line 139
neverallow { domain -init -vendor_init } build_config_prop:property_service set;
#line 139
#line 140
#line 140
type build_odm_prop, property_type, system_property_type, system_public_property_type;
#line 140
#line 140
#line 140
#line 140
allow vendor_init property_socket:sock_file write;
#line 140
allow vendor_init init:unix_stream_socket connectto;
#line 140
#line 140
allow vendor_init build_odm_prop:property_service set;
#line 140
#line 140
allow vendor_init build_odm_prop:file { getattr open read map };
#line 140
#line 140
#line 140
neverallow { domain -init -vendor_init } build_odm_prop:property_service set;
#line 140
#line 141
#line 141
type build_vendor_prop, property_type, system_property_type, system_public_property_type;
#line 141
#line 141
#line 141
#line 141
allow vendor_init property_socket:sock_file write;
#line 141
allow vendor_init init:unix_stream_socket connectto;
#line 141
#line 141
allow vendor_init build_vendor_prop:property_service set;
#line 141
#line 141
allow vendor_init build_vendor_prop:file { getattr open read map };
#line 141
#line 141
#line 141
neverallow { domain -init -vendor_init } build_vendor_prop:property_service set;
#line 141
#line 142
#line 142
type camera_calibration_prop, property_type, system_property_type, system_public_property_type;
#line 142
#line 142
#line 142
#line 142
allow vendor_init property_socket:sock_file write;
#line 142
allow vendor_init init:unix_stream_socket connectto;
#line 142
#line 142
allow vendor_init camera_calibration_prop:property_service set;
#line 142
#line 142
allow vendor_init camera_calibration_prop:file { getattr open read map };
#line 142
#line 142
#line 142
neverallow { domain -init -vendor_init } camera_calibration_prop:property_service set;
#line 142
#line 143
#line 143
type camera_config_prop, property_type, system_property_type, system_public_property_type;
#line 143
#line 143
#line 143
#line 143
allow vendor_init property_socket:sock_file write;
#line 143
allow vendor_init init:unix_stream_socket connectto;
#line 143
#line 143
allow vendor_init camera_config_prop:property_service set;
#line 143
#line 143
allow vendor_init camera_config_prop:file { getattr open read map };
#line 143
#line 143
#line 143
neverallow { domain -init -vendor_init } camera_config_prop:property_service set;
#line 143
#line 144
#line 144
type camera2_extensions_prop, property_type, system_property_type, system_public_property_type;
#line 144
#line 144
#line 144
#line 144
allow vendor_init property_socket:sock_file write;
#line 144
allow vendor_init init:unix_stream_socket connectto;
#line 144
#line 144
allow vendor_init camera2_extensions_prop:property_service set;
#line 144
#line 144
allow vendor_init camera2_extensions_prop:file { getattr open read map };
#line 144
#line 144
#line 144
neverallow { domain -init -vendor_init } camera2_extensions_prop:property_service set;
#line 144
#line 145
#line 145
type camerax_extensions_prop, property_type, system_property_type, system_public_property_type;
#line 145
#line 145
#line 145
#line 145
allow vendor_init property_socket:sock_file write;
#line 145
allow vendor_init init:unix_stream_socket connectto;
#line 145
#line 145
allow vendor_init camerax_extensions_prop:property_service set;
#line 145
#line 145
allow vendor_init camerax_extensions_prop:file { getattr open read map };
#line 145
#line 145
#line 145
neverallow { domain -init -vendor_init } camerax_extensions_prop:property_service set;
#line 145
#line 146
#line 146
type charger_config_prop, property_type, system_property_type, system_public_property_type;
#line 146
#line 146
#line 146
#line 146
allow vendor_init property_socket:sock_file write;
#line 146
allow vendor_init init:unix_stream_socket connectto;
#line 146
#line 146
allow vendor_init charger_config_prop:property_service set;
#line 146
#line 146
allow vendor_init charger_config_prop:file { getattr open read map };
#line 146
#line 146
#line 146
neverallow { domain -init -vendor_init } charger_config_prop:property_service set;
#line 146
#line 147
#line 147
type codec2_config_prop, property_type, system_property_type, system_public_property_type;
#line 147
#line 147
#line 147
#line 147
allow vendor_init property_socket:sock_file write;
#line 147
allow vendor_init init:unix_stream_socket connectto;
#line 147
#line 147
allow vendor_init codec2_config_prop:property_service set;
#line 147
#line 147
allow vendor_init codec2_config_prop:file { getattr open read map };
#line 147
#line 147
#line 147
neverallow { domain -init -vendor_init } codec2_config_prop:property_service set;
#line 147
#line 148
#line 148
type composd_vm_vendor_prop, property_type, system_property_type, system_public_property_type;
#line 148
#line 148
#line 148
#line 148
allow vendor_init property_socket:sock_file write;
#line 148
allow vendor_init init:unix_stream_socket connectto;
#line 148
#line 148
allow vendor_init composd_vm_vendor_prop:property_service set;
#line 148
#line 148
allow vendor_init composd_vm_vendor_prop:file { getattr open read map };
#line 148
#line 148
#line 148
neverallow { domain -init -vendor_init } composd_vm_vendor_prop:property_service set;
#line 148
#line 149
#line 149
type cpu_variant_prop, property_type, system_property_type, system_public_property_type;
#line 149
#line 149
#line 149
#line 149
allow vendor_init property_socket:sock_file write;
#line 149
allow vendor_init init:unix_stream_socket connectto;
#line 149
#line 149
allow vendor_init cpu_variant_prop:property_service set;
#line 149
#line 149
allow vendor_init cpu_variant_prop:file { getattr open read map };
#line 149
#line 149
#line 149
neverallow { domain -init -vendor_init } cpu_variant_prop:property_service set;
#line 149
# NOTE(review): debugfs_restriction_prop gates a hardening (by name); the
# neverallow below is the only thing keeping runtime domains from clearing it,
# so keep init/vendor_init as its sole writers.
#line 150
#line 150
type debugfs_restriction_prop, property_type, system_property_type, system_public_property_type;
#line 150
#line 150
#line 150
#line 150
allow vendor_init property_socket:sock_file write;
#line 150
allow vendor_init init:unix_stream_socket connectto;
#line 150
#line 150
allow vendor_init debugfs_restriction_prop:property_service set;
#line 150
#line 150
allow vendor_init debugfs_restriction_prop:file { getattr open read map };
#line 150
#line 150
#line 150
neverallow { domain -init -vendor_init } debugfs_restriction_prop:property_service set;
#line 150
#line 151
#line 151
type drm_service_config_prop, property_type, system_property_type, system_public_property_type;
#line 151
#line 151
#line 151
#line 151
allow vendor_init property_socket:sock_file write;
#line 151
allow vendor_init init:unix_stream_socket connectto;
#line 151
#line 151
allow vendor_init drm_service_config_prop:property_service set;
#line 151
#line 151
allow vendor_init drm_service_config_prop:file { getattr open read map };
#line 151
#line 151
#line 151
neverallow { domain -init -vendor_init } drm_service_config_prop:property_service set;
#line 151
#line 152
#line 152
type exported_camera_prop, property_type, system_property_type, system_public_property_type;
#line 152
#line 152
#line 152
#line 152
allow vendor_init property_socket:sock_file write;
#line 152
allow vendor_init init:unix_stream_socket connectto;
#line 152
#line 152
allow vendor_init exported_camera_prop:property_service set;
#line 152
#line 152
allow vendor_init exported_camera_prop:file { getattr open read map };
#line 152
#line 152
#line 152
neverallow { domain -init -vendor_init } exported_camera_prop:property_service set;
#line 152
#line 153
#line 153
type exported_config_prop, property_type, system_property_type, system_public_property_type;
#line 153
#line 153
#line 153
#line 153
allow vendor_init property_socket:sock_file write;
#line 153
allow vendor_init init:unix_stream_socket connectto;
#line 153
#line 153
allow vendor_init exported_config_prop:property_service set;
#line 153
#line 153
allow vendor_init exported_config_prop:file { getattr open read map };
#line 153
#line 153
#line 153
neverallow { domain -init -vendor_init } exported_config_prop:property_service set;
#line 153
#line 154
#line 154
type exported_default_prop, property_type, system_property_type, system_public_property_type;
#line 154
#line 154
#line 154
#line 154
allow vendor_init property_socket:sock_file write;
#line 154
allow vendor_init init:unix_stream_socket connectto;
#line 154
#line 154
allow vendor_init exported_default_prop:property_service set;
#line 154
#line 154
allow vendor_init exported_default_prop:file { getattr open read map };
#line 154
#line 154
#line 154
neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
#line 154
#line 155
#line 155
type ffs_config_prop, property_type, system_property_type, system_public_property_type;
#line 155 #line 155 #line 155 #line 155 allow vendor_init property_socket:sock_file write; #line 155 allow vendor_init init:unix_stream_socket connectto; #line 155 #line 155 allow vendor_init ffs_config_prop:property_service set; #line 155 #line 155 allow vendor_init ffs_config_prop:file { getattr open read map }; #line 155 #line 155 #line 155 neverallow { domain -init -vendor_init } ffs_config_prop:property_service set; #line 155 #line 156 #line 156 type framework_watchdog_config_prop, property_type, system_property_type, system_public_property_type; #line 156 #line 156 #line 156 #line 156 allow vendor_init property_socket:sock_file write; #line 156 allow vendor_init init:unix_stream_socket connectto; #line 156 #line 156 allow vendor_init framework_watchdog_config_prop:property_service set; #line 156 #line 156 allow vendor_init framework_watchdog_config_prop:file { getattr open read map }; #line 156 #line 156 #line 156 neverallow { domain -init -vendor_init } framework_watchdog_config_prop:property_service set; #line 156 #line 157 #line 157 type graphics_config_prop, property_type, system_property_type, system_public_property_type; #line 157 #line 157 #line 157 #line 157 allow vendor_init property_socket:sock_file write; #line 157 allow vendor_init init:unix_stream_socket connectto; #line 157 #line 157 allow vendor_init graphics_config_prop:property_service set; #line 157 #line 157 allow vendor_init graphics_config_prop:file { getattr open read map }; #line 157 #line 157 #line 157 neverallow { domain -init -vendor_init } graphics_config_prop:property_service set; #line 157 #line 158 #line 158 type hdmi_config_prop, property_type, system_property_type, system_public_property_type; #line 158 #line 158 #line 158 #line 158 allow vendor_init property_socket:sock_file write; #line 158 allow vendor_init init:unix_stream_socket connectto; #line 158 #line 158 allow vendor_init hdmi_config_prop:property_service set; #line 158 #line 158 allow vendor_init 
hdmi_config_prop:file { getattr open read map }; #line 158 #line 158 #line 158 neverallow { domain -init -vendor_init } hdmi_config_prop:property_service set; #line 158 #line 159 #line 159 type hw_timeout_multiplier_prop, property_type, system_property_type, system_public_property_type; #line 159 #line 159 #line 159 #line 159 allow vendor_init property_socket:sock_file write; #line 159 allow vendor_init init:unix_stream_socket connectto; #line 159 #line 159 allow vendor_init hw_timeout_multiplier_prop:property_service set; #line 159 #line 159 allow vendor_init hw_timeout_multiplier_prop:file { getattr open read map }; #line 159 #line 159 #line 159 neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set; #line 159 #line 160 #line 160 type hypervisor_prop, property_type, system_property_type, system_public_property_type; #line 160 #line 160 #line 160 #line 160 allow vendor_init property_socket:sock_file write; #line 160 allow vendor_init init:unix_stream_socket connectto; #line 160 #line 160 allow vendor_init hypervisor_prop:property_service set; #line 160 #line 160 allow vendor_init hypervisor_prop:file { getattr open read map }; #line 160 #line 160 #line 160 neverallow { domain -init -vendor_init } hypervisor_prop:property_service set; #line 160 #line 161 #line 161 type hypervisor_restricted_prop, property_type, system_property_type, system_public_property_type; #line 161 #line 161 #line 161 #line 161 allow vendor_init property_socket:sock_file write; #line 161 allow vendor_init init:unix_stream_socket connectto; #line 161 #line 161 allow vendor_init hypervisor_restricted_prop:property_service set; #line 161 #line 161 allow vendor_init hypervisor_restricted_prop:file { getattr open read map }; #line 161 #line 161 #line 161 neverallow { domain -init -vendor_init } hypervisor_restricted_prop:property_service set; #line 161 #line 162 #line 162 type incremental_prop, property_type, system_property_type, system_public_property_type; 
#line 162 #line 162 #line 162 #line 162 allow vendor_init property_socket:sock_file write; #line 162 allow vendor_init init:unix_stream_socket connectto; #line 162 #line 162 allow vendor_init incremental_prop:property_service set; #line 162 #line 162 allow vendor_init incremental_prop:file { getattr open read map }; #line 162 #line 162 #line 162 neverallow { domain -init -vendor_init } incremental_prop:property_service set; #line 162 #line 163 #line 163 type input_device_config_prop, property_type, system_property_type, system_public_property_type; #line 163 #line 163 #line 163 #line 163 allow vendor_init property_socket:sock_file write; #line 163 allow vendor_init init:unix_stream_socket connectto; #line 163 #line 163 allow vendor_init input_device_config_prop:property_service set; #line 163 #line 163 allow vendor_init input_device_config_prop:file { getattr open read map }; #line 163 #line 163 #line 163 neverallow { domain -init -vendor_init } input_device_config_prop:property_service set; #line 163 #line 164 #line 164 type keyguard_config_prop, property_type, system_property_type, system_public_property_type; #line 164 #line 164 #line 164 #line 164 allow vendor_init property_socket:sock_file write; #line 164 allow vendor_init init:unix_stream_socket connectto; #line 164 #line 164 allow vendor_init keyguard_config_prop:property_service set; #line 164 #line 164 allow vendor_init keyguard_config_prop:file { getattr open read map }; #line 164 #line 164 #line 164 neverallow { domain -init -vendor_init } keyguard_config_prop:property_service set; #line 164 #line 165 #line 165 type keystore_config_prop, property_type, system_property_type, system_public_property_type; #line 165 #line 165 #line 165 #line 165 allow vendor_init property_socket:sock_file write; #line 165 allow vendor_init init:unix_stream_socket connectto; #line 165 #line 165 allow vendor_init keystore_config_prop:property_service set; #line 165 #line 165 allow vendor_init keystore_config_prop:file { 
getattr open read map }; #line 165 #line 165 #line 165 neverallow { domain -init -vendor_init } keystore_config_prop:property_service set; #line 165 #line 166 #line 166 type lmkd_config_prop, property_type, system_property_type, system_public_property_type; #line 166 #line 166 #line 166 #line 166 allow vendor_init property_socket:sock_file write; #line 166 allow vendor_init init:unix_stream_socket connectto; #line 166 #line 166 allow vendor_init lmkd_config_prop:property_service set; #line 166 #line 166 allow vendor_init lmkd_config_prop:file { getattr open read map }; #line 166 #line 166 #line 166 neverallow { domain -init -vendor_init } lmkd_config_prop:property_service set; #line 166 #line 167 #line 167 type media_config_prop, property_type, system_property_type, system_public_property_type; #line 167 #line 167 #line 167 #line 167 allow vendor_init property_socket:sock_file write; #line 167 allow vendor_init init:unix_stream_socket connectto; #line 167 #line 167 allow vendor_init media_config_prop:property_service set; #line 167 #line 167 allow vendor_init media_config_prop:file { getattr open read map }; #line 167 #line 167 #line 167 neverallow { domain -init -vendor_init } media_config_prop:property_service set; #line 167 #line 168 #line 168 type media_variant_prop, property_type, system_property_type, system_public_property_type; #line 168 #line 168 #line 168 #line 168 allow vendor_init property_socket:sock_file write; #line 168 allow vendor_init init:unix_stream_socket connectto; #line 168 #line 168 allow vendor_init media_variant_prop:property_service set; #line 168 #line 168 allow vendor_init media_variant_prop:file { getattr open read map }; #line 168 #line 168 #line 168 neverallow { domain -init -vendor_init } media_variant_prop:property_service set; #line 168 #line 169 #line 169 type mediadrm_config_prop, property_type, system_property_type, system_public_property_type; #line 169 #line 169 #line 169 #line 169 allow vendor_init property_socket:sock_file 
write; #line 169 allow vendor_init init:unix_stream_socket connectto; #line 169 #line 169 allow vendor_init mediadrm_config_prop:property_service set; #line 169 #line 169 allow vendor_init mediadrm_config_prop:file { getattr open read map }; #line 169 #line 169 #line 169 neverallow { domain -init -vendor_init } mediadrm_config_prop:property_service set; #line 169 #line 170 #line 170 type mm_events_config_prop, property_type, system_property_type, system_public_property_type; #line 170 #line 170 #line 170 #line 170 allow vendor_init property_socket:sock_file write; #line 170 allow vendor_init init:unix_stream_socket connectto; #line 170 #line 170 allow vendor_init mm_events_config_prop:property_service set; #line 170 #line 170 allow vendor_init mm_events_config_prop:file { getattr open read map }; #line 170 #line 170 #line 170 neverallow { domain -init -vendor_init } mm_events_config_prop:property_service set; #line 170 #line 171 #line 171 type oem_unlock_prop, property_type, system_property_type, system_public_property_type; #line 171 #line 171 #line 171 #line 171 allow vendor_init property_socket:sock_file write; #line 171 allow vendor_init init:unix_stream_socket connectto; #line 171 #line 171 allow vendor_init oem_unlock_prop:property_service set; #line 171 #line 171 allow vendor_init oem_unlock_prop:file { getattr open read map }; #line 171 #line 171 #line 171 neverallow { domain -init -vendor_init } oem_unlock_prop:property_service set; #line 171 #line 172 #line 172 type ota_build_prop, property_type, system_property_type, system_public_property_type; #line 172 #line 172 #line 172 #line 172 allow vendor_init property_socket:sock_file write; #line 172 allow vendor_init init:unix_stream_socket connectto; #line 172 #line 172 allow vendor_init ota_build_prop:property_service set; #line 172 #line 172 allow vendor_init ota_build_prop:file { getattr open read map }; #line 172 #line 172 #line 172 neverallow { domain -init -vendor_init } ota_build_prop:property_service 
set; #line 172 #line 173 #line 173 type packagemanager_config_prop, property_type, system_property_type, system_public_property_type; #line 173 #line 173 #line 173 #line 173 allow vendor_init property_socket:sock_file write; #line 173 allow vendor_init init:unix_stream_socket connectto; #line 173 #line 173 allow vendor_init packagemanager_config_prop:property_service set; #line 173 #line 173 allow vendor_init packagemanager_config_prop:file { getattr open read map }; #line 173 #line 173 #line 173 neverallow { domain -init -vendor_init } packagemanager_config_prop:property_service set; #line 173 #line 174 #line 174 type quick_start_prop, property_type, system_property_type, system_public_property_type; #line 174 #line 174 #line 174 #line 174 allow vendor_init property_socket:sock_file write; #line 174 allow vendor_init init:unix_stream_socket connectto; #line 174 #line 174 allow vendor_init quick_start_prop:property_service set; #line 174 #line 174 allow vendor_init quick_start_prop:file { getattr open read map }; #line 174 #line 174 #line 174 neverallow { domain -init -vendor_init } quick_start_prop:property_service set; #line 174 #line 175 #line 175 type recovery_config_prop, property_type, system_property_type, system_public_property_type; #line 175 #line 175 #line 175 #line 175 allow vendor_init property_socket:sock_file write; #line 175 allow vendor_init init:unix_stream_socket connectto; #line 175 #line 175 allow vendor_init recovery_config_prop:property_service set; #line 175 #line 175 allow vendor_init recovery_config_prop:file { getattr open read map }; #line 175 #line 175 #line 175 neverallow { domain -init -vendor_init } recovery_config_prop:property_service set; #line 175 #line 176 #line 176 type recovery_usb_config_prop, property_type, system_property_type, system_public_property_type; #line 176 #line 176 #line 176 #line 176 allow vendor_init property_socket:sock_file write; #line 176 allow vendor_init init:unix_stream_socket connectto; #line 176 #line 
176 allow vendor_init recovery_usb_config_prop:property_service set; #line 176 #line 176 allow vendor_init recovery_usb_config_prop:file { getattr open read map }; #line 176 #line 176 #line 176 neverallow { domain -init -vendor_init } recovery_usb_config_prop:property_service set; #line 176 #line 177 #line 177 type sendbug_config_prop, property_type, system_property_type, system_public_property_type; #line 177 #line 177 #line 177 #line 177 allow vendor_init property_socket:sock_file write; #line 177 allow vendor_init init:unix_stream_socket connectto; #line 177 #line 177 allow vendor_init sendbug_config_prop:property_service set; #line 177 #line 177 allow vendor_init sendbug_config_prop:file { getattr open read map }; #line 177 #line 177 #line 177 neverallow { domain -init -vendor_init } sendbug_config_prop:property_service set; #line 177 #line 178 #line 178 type soc_prop, property_type, system_property_type, system_public_property_type; #line 178 #line 178 #line 178 #line 178 allow vendor_init property_socket:sock_file write; #line 178 allow vendor_init init:unix_stream_socket connectto; #line 178 #line 178 allow vendor_init soc_prop:property_service set; #line 178 #line 178 allow vendor_init soc_prop:file { getattr open read map }; #line 178 #line 178 #line 178 neverallow { domain -init -vendor_init } soc_prop:property_service set; #line 178 #line 179 #line 179 type storage_config_prop, property_type, system_property_type, system_public_property_type; #line 179 #line 179 #line 179 #line 179 allow vendor_init property_socket:sock_file write; #line 179 allow vendor_init init:unix_stream_socket connectto; #line 179 #line 179 allow vendor_init storage_config_prop:property_service set; #line 179 #line 179 allow vendor_init storage_config_prop:file { getattr open read map }; #line 179 #line 179 #line 179 neverallow { domain -init -vendor_init } storage_config_prop:property_service set; #line 179 #line 180 #line 180 type storagemanager_config_prop, property_type, 
system_property_type, system_public_property_type; #line 180 #line 180 #line 180 #line 180 allow vendor_init property_socket:sock_file write; #line 180 allow vendor_init init:unix_stream_socket connectto; #line 180 #line 180 allow vendor_init storagemanager_config_prop:property_service set; #line 180 #line 180 allow vendor_init storagemanager_config_prop:file { getattr open read map }; #line 180 #line 180 #line 180 neverallow { domain -init -vendor_init } storagemanager_config_prop:property_service set; #line 180 #line 181 #line 181 type surfaceflinger_prop, property_type, system_property_type, system_public_property_type; #line 181 #line 181 #line 181 #line 181 allow vendor_init property_socket:sock_file write; #line 181 allow vendor_init init:unix_stream_socket connectto; #line 181 #line 181 allow vendor_init surfaceflinger_prop:property_service set; #line 181 #line 181 allow vendor_init surfaceflinger_prop:file { getattr open read map }; #line 181 #line 181 #line 181 neverallow { domain -init -vendor_init } surfaceflinger_prop:property_service set; #line 181 #line 182 #line 182 type suspend_prop, property_type, system_property_type, system_public_property_type; #line 182 #line 182 #line 182 #line 182 allow vendor_init property_socket:sock_file write; #line 182 allow vendor_init init:unix_stream_socket connectto; #line 182 #line 182 allow vendor_init suspend_prop:property_service set; #line 182 #line 182 allow vendor_init suspend_prop:file { getattr open read map }; #line 182 #line 182 #line 182 neverallow { domain -init -vendor_init } suspend_prop:property_service set; #line 182 #line 183 #line 183 type systemsound_config_prop, property_type, system_property_type, system_public_property_type; #line 183 #line 183 #line 183 #line 183 allow vendor_init property_socket:sock_file write; #line 183 allow vendor_init init:unix_stream_socket connectto; #line 183 #line 183 allow vendor_init systemsound_config_prop:property_service set; #line 183 #line 183 allow 
vendor_init systemsound_config_prop:file { getattr open read map }; #line 183 #line 183 #line 183 neverallow { domain -init -vendor_init } systemsound_config_prop:property_service set; #line 183 #line 184 #line 184 type telephony_config_prop, property_type, system_property_type, system_public_property_type; #line 184 #line 184 #line 184 #line 184 allow vendor_init property_socket:sock_file write; #line 184 allow vendor_init init:unix_stream_socket connectto; #line 184 #line 184 allow vendor_init telephony_config_prop:property_service set; #line 184 #line 184 allow vendor_init telephony_config_prop:file { getattr open read map }; #line 184 #line 184 #line 184 neverallow { domain -init -vendor_init } telephony_config_prop:property_service set; #line 184 #line 185 #line 185 type threadnetwork_config_prop, property_type, system_property_type, system_public_property_type; #line 185 #line 185 #line 185 #line 185 allow vendor_init property_socket:sock_file write; #line 185 allow vendor_init init:unix_stream_socket connectto; #line 185 #line 185 allow vendor_init threadnetwork_config_prop:property_service set; #line 185 #line 185 allow vendor_init threadnetwork_config_prop:file { getattr open read map }; #line 185 #line 185 #line 185 neverallow { domain -init -vendor_init } threadnetwork_config_prop:property_service set; #line 185 #line 186 #line 186 type tombstone_config_prop, property_type, system_property_type, system_public_property_type; #line 186 #line 186 #line 186 #line 186 allow vendor_init property_socket:sock_file write; #line 186 allow vendor_init init:unix_stream_socket connectto; #line 186 #line 186 allow vendor_init tombstone_config_prop:property_service set; #line 186 #line 186 allow vendor_init tombstone_config_prop:file { getattr open read map }; #line 186 #line 186 #line 186 neverallow { domain -init -vendor_init } tombstone_config_prop:property_service set; #line 186 #line 187 #line 187 type usb_config_prop, property_type, system_property_type, 
system_public_property_type; #line 187 #line 187 #line 187 #line 187 allow vendor_init property_socket:sock_file write; #line 187 allow vendor_init init:unix_stream_socket connectto; #line 187 #line 187 allow vendor_init usb_config_prop:property_service set; #line 187 #line 187 allow vendor_init usb_config_prop:file { getattr open read map }; #line 187 #line 187 #line 187 neverallow { domain -init -vendor_init } usb_config_prop:property_service set; #line 187 #line 188 #line 188 type userspace_reboot_config_prop, property_type, system_property_type, system_public_property_type; #line 188 #line 188 #line 188 #line 188 allow vendor_init property_socket:sock_file write; #line 188 allow vendor_init init:unix_stream_socket connectto; #line 188 #line 188 allow vendor_init userspace_reboot_config_prop:property_service set; #line 188 #line 188 allow vendor_init userspace_reboot_config_prop:file { getattr open read map }; #line 188 #line 188 #line 188 neverallow { domain -init -vendor_init } userspace_reboot_config_prop:property_service set; #line 188 #line 189 #line 189 type vehicle_hal_prop, property_type, system_property_type, system_public_property_type; #line 189 #line 189 #line 189 #line 189 allow vendor_init property_socket:sock_file write; #line 189 allow vendor_init init:unix_stream_socket connectto; #line 189 #line 189 allow vendor_init vehicle_hal_prop:property_service set; #line 189 #line 189 allow vendor_init vehicle_hal_prop:file { getattr open read map }; #line 189 #line 189 #line 189 neverallow { domain -init -vendor_init } vehicle_hal_prop:property_service set; #line 189 #line 190 #line 190 type vendor_security_patch_level_prop, property_type, system_property_type, system_public_property_type; #line 190 #line 190 #line 190 #line 190 allow vendor_init property_socket:sock_file write; #line 190 allow vendor_init init:unix_stream_socket connectto; #line 190 #line 190 allow vendor_init vendor_security_patch_level_prop:property_service set; #line 190 #line 190 
allow vendor_init vendor_security_patch_level_prop:file { getattr open read map }; #line 190 #line 190 #line 190 neverallow { domain -init -vendor_init } vendor_security_patch_level_prop:property_service set; #line 190 #line 191 #line 191 type vendor_socket_hook_prop, property_type, system_property_type, system_public_property_type; #line 191 #line 191 #line 191 #line 191 allow vendor_init property_socket:sock_file write; #line 191 allow vendor_init init:unix_stream_socket connectto; #line 191 #line 191 allow vendor_init vendor_socket_hook_prop:property_service set; #line 191 #line 191 allow vendor_init vendor_socket_hook_prop:file { getattr open read map }; #line 191 #line 191 #line 191 neverallow { domain -init -vendor_init } vendor_socket_hook_prop:property_service set; #line 191 #line 192 #line 192 type virtual_ab_prop, property_type, system_property_type, system_public_property_type; #line 192 #line 192 #line 192 #line 192 allow vendor_init property_socket:sock_file write; #line 192 allow vendor_init init:unix_stream_socket connectto; #line 192 #line 192 allow vendor_init virtual_ab_prop:property_service set; #line 192 #line 192 allow vendor_init virtual_ab_prop:file { getattr open read map }; #line 192 #line 192 #line 192 neverallow { domain -init -vendor_init } virtual_ab_prop:property_service set; #line 192 #line 193 #line 193 type vndk_prop, property_type, system_property_type, system_public_property_type; #line 193 #line 193 #line 193 #line 193 allow vendor_init property_socket:sock_file write; #line 193 allow vendor_init init:unix_stream_socket connectto; #line 193 #line 193 allow vendor_init vndk_prop:property_service set; #line 193 #line 193 allow vendor_init vndk_prop:file { getattr open read map }; #line 193 #line 193 #line 193 neverallow { domain -init -vendor_init } vndk_prop:property_service set; #line 193 #line 194 #line 194 type vts_config_prop, property_type, system_property_type, system_public_property_type; #line 194 #line 194 #line 194 #line 
194 allow vendor_init property_socket:sock_file write; #line 194 allow vendor_init init:unix_stream_socket connectto; #line 194 #line 194 allow vendor_init vts_config_prop:property_service set; #line 194 #line 194 allow vendor_init vts_config_prop:file { getattr open read map }; #line 194 #line 194 #line 194 neverallow { domain -init -vendor_init } vts_config_prop:property_service set; #line 194 #line 195 #line 195 type vold_config_prop, property_type, system_property_type, system_public_property_type; #line 195 #line 195 #line 195 #line 195 allow vendor_init property_socket:sock_file write; #line 195 allow vendor_init init:unix_stream_socket connectto; #line 195 #line 195 allow vendor_init vold_config_prop:property_service set; #line 195 #line 195 allow vendor_init vold_config_prop:file { getattr open read map }; #line 195 #line 195 #line 195 neverallow { domain -init -vendor_init } vold_config_prop:property_service set; #line 195 #line 196 #line 196 type wifi_config_prop, property_type, system_property_type, system_public_property_type; #line 196 #line 196 #line 196 #line 196 allow vendor_init property_socket:sock_file write; #line 196 allow vendor_init init:unix_stream_socket connectto; #line 196 #line 196 allow vendor_init wifi_config_prop:property_service set; #line 196 #line 196 allow vendor_init wifi_config_prop:file { getattr open read map }; #line 196 #line 196 #line 196 neverallow { domain -init -vendor_init } wifi_config_prop:property_service set; #line 196 #line 197 #line 197 type zram_config_prop, property_type, system_property_type, system_public_property_type; #line 197 #line 197 #line 197 #line 197 allow vendor_init property_socket:sock_file write; #line 197 allow vendor_init init:unix_stream_socket connectto; #line 197 #line 197 allow vendor_init zram_config_prop:property_service set; #line 197 #line 197 allow vendor_init zram_config_prop:file { getattr open read map }; #line 197 #line 197 #line 197 neverallow { domain -init -vendor_init } 
zram_config_prop:property_service set; #line 197 #line 198 #line 198 type zygote_config_prop, property_type, system_property_type, system_public_property_type; #line 198 #line 198 #line 198 #line 198 allow vendor_init property_socket:sock_file write; #line 198 allow vendor_init init:unix_stream_socket connectto; #line 198 #line 198 allow vendor_init zygote_config_prop:property_service set; #line 198 #line 198 allow vendor_init zygote_config_prop:file { getattr open read map }; #line 198 #line 198 #line 198 neverallow { domain -init -vendor_init } zygote_config_prop:property_service set; #line 198 #line 199 #line 199 type dck_prop, property_type, system_property_type, system_public_property_type; #line 199 #line 199 #line 199 #line 199 allow vendor_init property_socket:sock_file write; #line 199 allow vendor_init init:unix_stream_socket connectto; #line 199 #line 199 allow vendor_init dck_prop:property_service set; #line 199 #line 199 allow vendor_init dck_prop:file { getattr open read map }; #line 199 #line 199 #line 199 neverallow { domain -init -vendor_init } dck_prop:property_service set; #line 199 #line 200 #line 200 type tuner_config_prop, property_type, system_property_type, system_public_property_type; #line 200 #line 200 #line 200 #line 200 allow vendor_init property_socket:sock_file write; #line 200 allow vendor_init init:unix_stream_socket connectto; #line 200 #line 200 allow vendor_init tuner_config_prop:property_service set; #line 200 #line 200 allow vendor_init tuner_config_prop:file { getattr open read map }; #line 200 #line 200 #line 200 neverallow { domain -init -vendor_init } tuner_config_prop:property_service set; #line 200 #line 201 #line 201 type usb_uvc_enabled_prop, property_type, system_property_type, system_public_property_type; #line 201 #line 201 #line 201 #line 201 allow vendor_init property_socket:sock_file write; #line 201 allow vendor_init init:unix_stream_socket connectto; #line 201 #line 201 allow vendor_init 
usb_uvc_enabled_prop:property_service set; #line 201 #line 201 allow vendor_init usb_uvc_enabled_prop:file { getattr open read map }; #line 201 #line 201 #line 201 neverallow { domain -init -vendor_init } usb_uvc_enabled_prop:property_service set; #line 201 #line 202 #line 202 type setupwizard_mode_prop, property_type, system_property_type, system_public_property_type; #line 202 #line 202 #line 202 #line 202 allow vendor_init property_socket:sock_file write; #line 202 allow vendor_init init:unix_stream_socket connectto; #line 202 #line 202 allow vendor_init setupwizard_mode_prop:property_service set; #line 202 #line 202 allow vendor_init setupwizard_mode_prop:file { getattr open read map }; #line 202 #line 202 #line 202 neverallow { domain -init -vendor_init } setupwizard_mode_prop:property_service set; #line 202 #line 203 #line 203 type pm_archiving_enabled_prop, property_type, system_property_type, system_public_property_type; #line 203 #line 203 #line 203 #line 203 allow vendor_init property_socket:sock_file write; #line 203 allow vendor_init init:unix_stream_socket connectto; #line 203 #line 203 allow vendor_init pm_archiving_enabled_prop:property_service set; #line 203 #line 203 allow vendor_init pm_archiving_enabled_prop:file { getattr open read map }; #line 203 #line 203 #line 203 neverallow { domain -init -vendor_init } pm_archiving_enabled_prop:property_service set; #line 203 # Properties with no restrictions #line 206 type adbd_config_prop, property_type, system_property_type, system_public_property_type; #line 206 #line 207 type audio_prop, property_type, system_property_type, system_public_property_type; #line 207 #line 208 type bluetooth_a2dp_offload_prop, property_type, system_property_type, system_public_property_type; #line 208 #line 209 type bluetooth_audio_hal_prop, property_type, system_property_type, system_public_property_type; #line 209 #line 210 type bluetooth_prop, property_type, system_property_type, system_public_property_type; #line 210 
#line 211 type bpf_progs_loaded_prop, property_type, system_property_type, system_public_property_type; #line 211 #line 212 type charger_status_prop, property_type, system_property_type, system_public_property_type; #line 212 #line 213 type ctl_default_prop, property_type, system_property_type, system_public_property_type; #line 213 #line 214 type ctl_interface_start_prop, property_type, system_property_type, system_public_property_type; #line 214 #line 215 type ctl_start_prop, property_type, system_property_type, system_public_property_type; #line 215 #line 216 type ctl_stop_prop, property_type, system_property_type, system_public_property_type; #line 216 #line 217 type dalvik_config_prop, property_type, system_property_type, system_public_property_type; #line 217 #line 218 type dalvik_dynamic_config_prop, property_type, system_property_type, system_public_property_type; #line 218 #line 219 type dalvik_runtime_prop, property_type, system_property_type, system_public_property_type; #line 219 #line 220 type debug_prop, property_type, system_property_type, system_public_property_type; #line 220 #line 221 type device_config_memory_safety_native_boot_prop, property_type, system_property_type, system_public_property_type; #line 221 #line 222 type device_config_memory_safety_native_prop, property_type, system_property_type, system_public_property_type; #line 222 #line 223 type dumpstate_options_prop, property_type, system_property_type, system_public_property_type; #line 223 #line 224 type exported_system_prop, property_type, system_property_type, system_public_property_type; #line 224 #line 225 type exported_bluetooth_prop, property_type, system_property_type, system_public_property_type; #line 225 #line 226 type exported_overlay_prop, property_type, system_property_type, system_public_property_type; #line 226 #line 227 type exported_pm_prop, property_type, system_property_type, system_public_property_type; #line 227 #line 228 type future_pm_prop, property_type, 
system_property_type, system_public_property_type; #line 228 #line 229 type ffs_control_prop, property_type, system_property_type, system_public_property_type; #line 229 #line 230 type framework_status_prop, property_type, system_property_type, system_public_property_type; #line 230 #line 231 type gesture_prop, property_type, system_property_type, system_public_property_type; #line 231 #line 232 type graphics_config_writable_prop, property_type, system_property_type, system_public_property_type; #line 232 #line 233 type hal_dumpstate_config_prop, property_type, system_property_type, system_public_property_type; #line 233 #line 234 type sota_prop, property_type, system_property_type, system_public_property_type; #line 234 #line 235 type hwservicemanager_prop, property_type, system_property_type, system_public_property_type; #line 235 #line 236 type lmkd_prop, property_type, system_property_type, system_public_property_type; #line 236 #line 237 type locale_prop, property_type, system_property_type, system_public_property_type; #line 237 #line 238 type logd_prop, property_type, system_property_type, system_public_property_type; #line 238 #line 239 type logpersistd_logging_prop, property_type, system_property_type, system_public_property_type; #line 239 #line 240 type log_prop, property_type, system_property_type, system_public_property_type; #line 240 #line 241 type log_tag_prop, property_type, system_property_type, system_public_property_type; #line 241 #line 242 type lowpan_prop, property_type, system_property_type, system_public_property_type; #line 242 #line 243 type nfc_prop, property_type, system_property_type, system_public_property_type; #line 243 #line 244 type ota_prop, property_type, system_property_type, system_public_property_type; #line 244 #line 245 type permissive_mte_prop, property_type, system_property_type, system_public_property_type; #line 245 #line 246 type powerctl_prop, property_type, system_property_type, system_public_property_type; #line 246 
# NOTE(review): this is a preprocessor-expanded rendering of the policy. The
# "#line N" markers are origin comments emitted by the expansion and carry no
# policy meaning; they are kept here so the rules can be traced back to their
# source lines. Each property type below is declared together with the
# attributes that group it (property_type plus a system_/vendor_ attribute and
# a public/internal attribute).
#line 247
type qemu_hw_prop, property_type, system_property_type, system_public_property_type;
#line 247
#line 248
type qemu_sf_lcd_density_prop, property_type, system_property_type, system_public_property_type;
#line 248
#line 249
type radio_control_prop, property_type, system_property_type, system_public_property_type;
#line 249
#line 250
type radio_prop, property_type, system_property_type, system_public_property_type;
#line 250
#line 251
type serialno_prop, property_type, system_property_type, system_public_property_type;
#line 251
#line 252
type surfaceflinger_color_prop, property_type, system_property_type, system_public_property_type;
#line 252
#line 253
type system_prop, property_type, system_property_type, system_public_property_type;
#line 253
#line 254
type system_user_mode_emulation_prop, property_type, system_property_type, system_public_property_type;
#line 254
#line 255
type telephony_status_prop, property_type, system_property_type, system_public_property_type;
#line 255
#line 256
type timezone_prop, property_type, system_property_type, system_public_property_type;
#line 256
#line 257
type usb_control_prop, property_type, system_property_type, system_public_property_type;
#line 257
#line 258
type vold_post_fs_data_prop, property_type, system_property_type, system_public_property_type;
#line 258
#line 259
type wifi_hal_prop, property_type, system_property_type, system_public_property_type;
#line 259
#line 260
type wifi_log_prop, property_type, system_property_type, system_public_property_type;
#line 260
#line 261
type wifi_prop, property_type, system_property_type, system_public_property_type;
#line 261
#line 262
type zram_control_prop, property_type, system_property_type, system_public_property_type;
#line 262
# Properties which don't have entries on property_contexts
#line 265
#line 265
type default_prop, property_type, system_property_type, system_internal_property_type;
#line 265
#line 265
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 265
#line 265
# default_prop is system-internal: the neverallow below forbids every domain
# outside coredomain any file permission on it (read and watch included, not
# only the write-type permissions), so a property that was never given an
# explicit property_contexts entry cannot be observed by non-core domains.
neverallow { domain -coredomain } default_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 265
#line 265
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 265
#line 265
# Properties used in default HAL implementations
#line 268
#line 268
type rebootescrow_hal_prop, property_type, vendor_property_type, vendor_internal_property_type;
#line 268
#line 268
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 268
#line 268
# init and dumpstate are in coredomain, but should be able to read all props.
#line 268
# Mirror image of the default_prop rule: this vendor-internal property is
# off-limits to all of coredomain except init and dumpstate, for every file
# permission (read as well as write).
neverallow { coredomain -init -dumpstate } rebootescrow_hal_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 268
#line 268
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 268
#line 268
# Properties used in the default Face HAL implementations
#line 271
#line 271
type virtual_face_hal_prop, property_type, vendor_property_type, vendor_internal_property_type;
#line 271
#line 271
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 271
#line 271
# init and dumpstate are in coredomain, but should be able to read all props.
#line 271
# Same coredomain exclusion as rebootescrow_hal_prop above.
neverallow { coredomain -init -dumpstate } virtual_face_hal_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 271
#line 271
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 271
#line 271
# Properties used in the default Fingerprint HAL implementations
#line 274
#line 274
type virtual_fingerprint_hal_prop, property_type, vendor_property_type, vendor_internal_property_type;
#line 274
#line 274
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 274
#line 274
# init and dumpstate are in coredomain, but should be able to read all props.
#line 274
# Same coredomain exclusion as rebootescrow_hal_prop above.
neverallow { coredomain -init -dumpstate } virtual_fingerprint_hal_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 274
#line 274
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 274
#line 274
#line 276
# Unlike the HAL properties above this one is vendor_public, and no
# neverallow restricts it in this section.
type persist_vendor_debug_wifi_prop, property_type, vendor_property_type, vendor_public_property_type;
#line 276
# Properties which are public for devices launching with Android O or earlier
# This should not be used for any new properties.
# Legacy system-public property types. Every entry below carries
# system_public_property_type; the list is frozen (see the comment that
# follows) and exists for compatibility with devices that launched before P.
#line 280
# DO NOT ADD ANY PROPERTIES HERE
#line 280
#line 280
type boottime_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type charger_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type cold_boot_done_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
# ctl_*_prop types label the init "ctl." control properties; each one is
# declared separately so access can be granted per service.
type ctl_adbd_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_apexd_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_bootanim_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_bugreport_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_console_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_dumpstate_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_fuse_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_gsid_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_interface_restart_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_interface_stop_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_mdnsd_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_restart_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_rildaemon_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_sigstop_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type dynamic_system_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type heapprofd_enabled_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type llkd_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type lpdumpd_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type mmc_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type mock_ota_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type net_dns_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type overlay_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type persistent_properties_ready_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type safemode_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type system_lmk_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type system_trace_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type test_boot_reason_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type time_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type traced_enabled_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type traced_lazy_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
#line 280
type config_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type cppreopt_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type dalvik_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type debuggerd_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type device_logging_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type dhcp_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type dumpstate_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type exported3_system_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type exported_dumpstate_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type exported_secure_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type heapprofd_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type net_radio_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type pan_result_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type persist_debug_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type shell_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type test_harness_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type theme_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type use_memfd_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type vold_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 335
#line 337
#line 337
# NOTE(review): vendor_default_prop is declared twice in this expansion, first
# as vendor_public_property_type (source line 337) and again below as
# vendor_internal_property_type inside the COMPATIBLE_PROPERTY_ONLY markers
# (source line 341). Presumably only one of the two survives in a real build
# depending on the compatible-property setting — confirm against the
# unexpanded property.te before relying on either attribute.
type vendor_default_prop, property_type, vendor_property_type, vendor_public_property_type;
#line 337
#line 339
# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 341
#line 341
#line 341
#line 341
type vendor_default_prop, property_type, vendor_property_type, vendor_internal_property_type;
#line 341
#line 341
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 341
#line 341
# init and dumpstate are in coredomain, but should be able to read all props.
#line 341
# All of coredomain other than init and dumpstate is denied every file
# permission on vendor_default_prop, so unlabeled vendor properties are not
# readable from system-side domains.
neverallow { coredomain -init -dumpstate } vendor_default_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 341
#line 341
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 341
#line 341
#line 341
#line 341
# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 343
# Group the log-related property types under log_property_type.
typeattribute log_prop log_property_type;
typeattribute log_tag_prop log_property_type;
typeattribute wifi_log_prop log_property_type;
# Property files live on tmpfs; every property type must be allowed to
# associate with that filesystem.
allow property_type tmpfs:filesystem associate;
# core_property_type should not be used for new properties or
# device specific properties. Properties with this attribute
# are readable to everyone, which is overly broad and should
# be avoided.
# New properties should have appropriate read / write access
# control rules written.
# Tail of the core_property_type list (see the warning immediately above in
# the file): every property type named here is readable by all domains via
# that attribute, which is why nothing is to be added to this list.
typeattribute audio_prop core_property_type;
typeattribute config_prop core_property_type;
typeattribute cppreopt_prop core_property_type;
typeattribute dalvik_prop core_property_type;
typeattribute debuggerd_prop core_property_type;
typeattribute debug_prop core_property_type;
typeattribute dhcp_prop core_property_type;
typeattribute dumpstate_prop core_property_type;
typeattribute logd_prop core_property_type;
typeattribute net_radio_prop core_property_type;
typeattribute nfc_prop core_property_type;
typeattribute ota_prop core_property_type;
typeattribute pan_result_prop core_property_type;
typeattribute persist_debug_prop core_property_type;
typeattribute powerctl_prop core_property_type;
typeattribute radio_prop core_property_type;
typeattribute restorecon_prop core_property_type;
typeattribute shell_prop core_property_type;
typeattribute system_prop core_property_type;
typeattribute usb_prop core_property_type;
typeattribute vold_prop core_property_type;
typeattribute dalvik_config_prop dalvik_config_prop_type;
typeattribute dalvik_dynamic_config_prop dalvik_config_prop_type;
#line 1 "system/sepolicy/public/radio.te"
# phone subsystem
# radio is an MLS-trusted subject and joins the net, bluetooth and
# binderservice domain groups, so it carries the rules attached to each of
# those attributes in addition to what is written here.
type radio, domain, mlstrustedsubject;
#line 4
typeattribute radio netdomain;
#line 4
#line 5
typeattribute radio bluetoothdomain;
#line 5
#line 6
typeattribute radio binderservicedomain;
#line 6
# Talks to hal_telephony_server via the rild socket only for devices without full treble
#line 9
allow radio rild_socket:sock_file write;
#line 9
allow radio hal_telephony_server:unix_stream_socket connectto;
#line 9
# Data file accesses.
# radio_data_file: full create/rename/unlink plus read-write on dirs, files,
# symlinks, sockets and fifos. radio_core_data_file and net_data_file are
# read-only (net_data_file dirs are search-only).
allow radio radio_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow radio radio_data_file:{ file lnk_file sock_file fifo_file } { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow radio radio_core_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow radio radio_core_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow radio net_data_file:dir search;
allow radio net_data_file:file { getattr open read ioctl lock map watch watch_reads };
#line 20
# radio registers radio_service with servicemanager; the neverallow pins
# registration of that name to the radio domain only, so no other domain can
# impersonate the telephony service.
allow radio radio_service:service_manager { add find };
#line 20
neverallow { domain -radio } radio_service:service_manager add;
#line 20
#line 20
# On debug builds with root, allow binder services to use binder over TCP.
#line 20
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 20
#line 20
# NOTE(review): no rule follows the two comment lines above in this
# expansion; presumably the binder-over-TCP rule sits in a debug-only macro
# that expanded to nothing for this build variant.
# Services radio is allowed to look up (find only, never add).
allow radio audioserver_service:service_manager find;
allow radio cameraserver_service:service_manager find;
allow radio drmserver_service:service_manager find;
allow radio mediaserver_service:service_manager find;
allow radio nfc_service:service_manager find;
allow radio app_api_service:service_manager find;
allow radio system_api_service:service_manager find;
allow radio timedetector_service:service_manager find;
allow radio timezonedetector_service:service_manager find;
# Perform HwBinder IPC.
#line 32
# Call the hwservicemanager and transfer references to it.
#line 32
allow radio hwservicemanager:binder { call transfer };
#line 32
# Allow hwservicemanager to send out callbacks
#line 32
allow hwservicemanager radio:binder { call transfer };
#line 32
# hwservicemanager performs getpidcon on clients.
#line 32
# These three rules let hwservicemanager read /proc/<pid> of radio to learn
# the caller's context; they grant hwservicemanager access to radio, not the
# other way round.
allow hwservicemanager radio:dir search;
#line 32
allow hwservicemanager radio:file { read open map };
#line 32
allow hwservicemanager radio:process getattr;
#line 32
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 32
# all domains in domain.te.
#line 32
#line 33
typeattribute radio halclientdomain;
#line 33
typeattribute radio hal_telephony_client;
#line 33
#line 33
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 33
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 33
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 33
#line 33
# Because radio is given the hal_telephony attribute here, it inherits the
# passthrough rules that follow, including execute+map on vendor_file files.
# That widens the radio domain beyond a pure HAL client; the TODO above is
# the tracking item for making this conditional.
typeattribute radio hal_telephony;
#line 33
# Find passthrough HAL implementations
#line 33
allow hal_telephony system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 33
allow hal_telephony vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 33
allow hal_telephony vendor_file:file { read open getattr execute map };
#line 33
#line 33
# Used by TelephonyManager
allow radio proc_cmdline:file { getattr open read ioctl lock map watch watch_reads };
#line 1 "system/sepolicy/public/recovery.te"
# recovery console (used in recovery init.rc for /sbin/recovery)
# Declare the domain unconditionally so we can always reference it
# in neverallow rules.
type recovery, domain;
# But the allow rules are only included in the recovery policy.
# Otherwise recovery is only allowed the domain rules.
#line 144
# NOTE(review): the jump from source line 7 to 144 here is where the
# recovery-only allow rules were compiled out of this (non-recovery) policy;
# only the declaration and the neverallows below remain.
###
### neverallow rules
###
# Recovery should never touch /data.
#
# In particular, if /data is encrypted, it is not accessible
# to recovery anyway.
#
# For now, we only enforce write/execute restrictions, as domain.te
# contains a number of read-only rules that apply to all
# domains, including recovery.
#
# TODO: tighten this up further.
# Recovery may neither modify nor execute anything under data_file_type,
# with the sole exceptions of cache_file and cache_recovery_file (the
# recovery staging areas). The file rule covers every write-type permission
# plus execute/execute_no_trans; the dir rule covers every directory
# mutation.
neverallow recovery { data_file_type -cache_file -cache_recovery_file }:file { { append create link unlink relabelfrom rename setattr write } { execute execute_no_trans } };
neverallow recovery { data_file_type -cache_file -cache_recovery_file }:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
#line 1 "system/sepolicy/public/recovery_persist.te"
# android recovery persistent log manager
type recovery_persist, domain;
type recovery_persist_exec, system_file_type, exec_type, file_type;
# Read-only on pstore; read-write (including create/unlink) on
# recovery_data_file; within /cache only cache_recovery_file is writable and
# files there may be read and unlinked but not created or written.
allow recovery_persist pstorefs:dir search;
allow recovery_persist pstorefs:file { getattr open read ioctl lock map watch watch_reads };
allow recovery_persist recovery_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow recovery_persist recovery_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow recovery_persist cache_file:dir search;
allow recovery_persist cache_file:lnk_file read;
allow recovery_persist cache_recovery_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow recovery_persist cache_recovery_file:file { { getattr open read ioctl lock map watch watch_reads } unlink };
###
### Neverallow rules
###
### recovery_persist should NEVER do any of this
# Block device access.
neverallow recovery_persist dev_type:blk_file { read write };
# ptrace any other app
neverallow recovery_persist domain:process ptrace;
# Write to /system.
# Write is denied on every object class (dir, chr/blk device nodes, regular
# files, symlinks, sockets, fifos) labeled with a system_file_type.
neverallow recovery_persist system_file_type:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
# Write to files in /data/data
neverallow recovery_persist { app_data_file_type system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
#line 1 "system/sepolicy/public/recovery_refresh.te"
# android recovery refresh log manager
# recovery_refresh mirrors recovery_persist but is read-only: its only
# explicit allow rules are pstore reads, and it carries the same set of
# neverallows.
type recovery_refresh, domain;
type recovery_refresh_exec, system_file_type, exec_type, file_type;
allow recovery_refresh pstorefs:dir search;
allow recovery_refresh pstorefs:file { getattr open read ioctl lock map watch watch_reads };
# NB: domain inherits write_logd which hands us write to pmsg_device
###
### Neverallow rules
###
### recovery_refresh should NEVER do any of this
# Block device access.
neverallow recovery_refresh dev_type:blk_file { read write };
# ptrace any other app
neverallow recovery_refresh domain:process ptrace;
# Write to /system.
neverallow recovery_refresh system_file_type:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
# Write to files in /data/data or system files on /data
neverallow recovery_refresh { app_data_file_type system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
#line 1 "system/sepolicy/public/remote_provisioning_service_server.te"
# This service is hosted by system server, and provides a stable aidl
# front-end for a mainline module that is loaded into system server.
#line 3
# Only remote_provisioning_service_server may register
# remote_provisioning_service; the neverallow makes any other domain's
# attempt to claim that name a policy build failure.
allow remote_provisioning_service_server remote_provisioning_service:service_manager { add find };
#line 3
neverallow { domain -remote_provisioning_service_server } remote_provisioning_service:service_manager add;
#line 3
#line 3
# On debug builds with root, allow binder services to use binder over TCP.
#line 3
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 3
#line 3
# NOTE(review): as elsewhere in this expansion, the binder-over-TCP comment
# is not followed by a rule; presumably the rule is debug-only and was
# expanded away for this build.
#line 5
# Call the servicemanager and transfer references to it.
#line 5
allow remote_provisioning_service_server servicemanager:binder { call transfer };
#line 5
# Allow servicemanager to send out callbacks
#line 5
allow servicemanager remote_provisioning_service_server:binder { call transfer };
#line 5
# servicemanager performs getpidcon on clients.
#line 5
# Grants servicemanager read access to the caller's /proc entry so it can
# resolve the caller's security context; the subject here is servicemanager.
allow servicemanager remote_provisioning_service_server:dir search;
#line 5
allow servicemanager remote_provisioning_service_server:file { read open };
#line 5
allow servicemanager remote_provisioning_service_server:process getattr;
#line 5
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 5
# all domains in domain.te.
#line 5
#line 1 "system/sepolicy/public/rkpd_app.te"
###
### A domain for sandboxing the remote key provisioning daemon
### app that is shipped via mainline.
###
# Declaration only; no allow rules for rkpdapp appear in this section.
type rkpdapp, domain;
#line 1 "system/sepolicy/public/rootdisk_sysdev.te"
allow rootdisk_sysdev sysfs:filesystem associate;
#line 1 "system/sepolicy/public/rs.te"
type rs, domain, coredomain;
type rs_exec, system_file_type, exec_type, file_type;
#line 1 "system/sepolicy/public/rss_hwm_reset.te"
# rss_hwm_reset resets RSS high-water mark counters for all processes.
type rss_hwm_reset, domain, coredomain, mlstrustedsubject;
#line 1 "system/sepolicy/public/runas.te"
# run-as: the helper used by adb shell to run commands as a debuggable
# app's UID. It is MLS-trusted and its I/O is wired to adbd and shell
# (inherited fds, pipes and unix sockets, plus the pty).
type runas, domain, mlstrustedsubject;
type runas_exec, system_file_type, exec_type, file_type;
allow runas adbd:fd use;
allow runas adbd:process sigchld;
allow runas adbd:unix_stream_socket { read write };
allow runas shell:fd use;
allow runas shell:fifo_file { read write };
allow runas shell:unix_stream_socket { read write };
allow runas devpts:chr_file { read write ioctl };
allow runas shell_data_file:file { read write };
# run-as reads package information.
# Read-only access to system data and the packages list; no write permission
# on system_data_file is granted to runas.
allow runas system_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow runas system_data_file:lnk_file getattr;
allow runas packages_list_file:file { getattr open read ioctl lock map watch watch_reads };
# The app's data dir may be accessed through a symlink.
allow runas system_data_file:lnk_file read;
# run-as checks and changes to the app data dir.
# dontaudit: the DAC-override capability checks are expected to fail and
# are silenced rather than granted; runas only gets getattr/search on the
# app data directory itself.
dontaudit runas self:{ capability cap_userns } { dac_override dac_read_search };
allow runas app_data_file:dir { getattr search };
# run-as switches to the app UID/GID.
# setuid/setgid are the only capabilities runas is meant to hold (the
# neverallow later in runas.te enforces that).
allow runas self:{ capability cap_userns } { setuid setgid };
# run-as switches to the app security context.
#line 29
#line 29
# selinuxfs access needed for setcon: read the fs, write to the context
# file, and ask the kernel to validate the target context.
allow runas selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 29
allow runas selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 29
#line 29
allow runas selinuxfs:file { open append write lock map };
#line 29
allow runas kernel:security check_context;
#line 29
# validate context
allow runas self:process setcurrent;
# Dynamic transition is permitted into any appdomain except system_app, so
# run-as can never land in the system-app context.
allow runas { appdomain -system_app }:process dyntransition; # setcon
# runas/libselinux needs access to seapp_contexts_file to
# determine which domain to transition to.
allow runas seapp_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
###
### neverallow rules
###
# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
# The complement form (~{ setuid setgid }) denies every other capability bit
# in both the init and non-init user-namespace classes; capability2 is
# denied entirely.
neverallow runas self:{ capability cap_userns } ~{ setuid setgid };
neverallow runas self:{ capability2 cap2_userns } *;
#line 1 "system/sepolicy/public/runas_app.te"
type runas_app, domain;
#line 1 "system/sepolicy/public/scheduler_service_server.te"
#line 1
# HIDL service registration: only scheduler_service_server may add
# fwk_scheduler_hwservice (enforced by the neverallow).
allow scheduler_service_server fwk_scheduler_hwservice:hwservice_manager { add find };
#line 1
allow scheduler_service_server hidl_base_hwservice:hwservice_manager add;
#line 1
neverallow { domain -scheduler_service_server } fwk_scheduler_hwservice:hwservice_manager add;
#line 1
#line 1 "system/sepolicy/public/sdcardd.te"
# sdcardd: the FUSE-based sdcard daemon. It is a privileged domain: it
# mounts/unmounts sdcard_type and fuse filesystems, mounts over rootfs and
# storage_stub_file, and holds setuid/setgid/dac_override/dac_read_search/
# sys_admin/sys_resource. The neverallows at the end keep init from ever
# launching it directly.
type sdcardd, domain;
type sdcardd_exec, system_file_type, exec_type, file_type;
allow sdcardd cgroup:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow sdcardd cgroup_v2:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow sdcardd fuse_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
allow sdcardd sdcardfs:filesystem remount;
allow sdcardd tmpfs:dir { open getattr read search ioctl lock watch watch_reads };
allow sdcardd mnt_media_rw_file:dir { open getattr read search ioctl lock watch watch_reads };
allow sdcardd storage_file:dir search;
allow sdcardd storage_stub_file:dir { search mounton };
allow sdcardd { sdcard_type fuse }:filesystem { mount unmount };
allow sdcardd self:{ capability cap_userns } { setuid setgid dac_override dac_read_search sys_admin sys_resource };
# Full read-write (create/rename/unlink) on the filesystems it serves and on
# the backing media_rw_data_file tree.
allow sdcardd { sdcard_type fuse }:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow sdcardd { sdcard_type fuse }:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow sdcardd media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow sdcardd media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Read /data/system/packages.list.
allow sdcardd system_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow sdcardd packages_list_file:file { getattr open read ioctl lock map watch watch_reads };
# Read /data/misc/installd/layout_version
allow sdcardd install_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow sdcardd install_data_file:dir search;
# Allow stdin/out back to vold
allow sdcardd vold:fd use;
allow sdcardd vold:fifo_file { read write getattr };
# Allow running on top of expanded storage
allow sdcardd mnt_expand_file:dir search;
# access /proc/filesystems
allow sdcardd proc_filesystems:file { getattr open read ioctl lock map watch watch_reads };
###
### neverallow rules
###
# The sdcard daemon should no longer be started from init
# Both the exec of the binary and any process transition from init into the
# sdcardd domain are forbidden; vold (see the fd/fifo rules above) is the
# expected parent.
neverallow init sdcardd_exec:file execute;
neverallow init sdcardd:process { transition dyntransition };
#line 1 "system/sepolicy/public/secure_element.te"
# secure_element subsystem
type secure_element, domain;
#line 1 "system/sepolicy/public/sensor_service_server.te"
#line 1
# Same registration pattern as scheduler_service_server above, for
# fwk_sensor_hwservice.
allow sensor_service_server fwk_sensor_hwservice:hwservice_manager { add find };
#line 1
allow sensor_service_server hidl_base_hwservice:hwservice_manager add;
#line 1
neverallow { domain -sensor_service_server } fwk_sensor_hwservice:hwservice_manager add;
#line 1
#line 1 "system/sepolicy/public/service.te"
# service.te (service_manager_type declarations) begins here and continues
# beyond this section; the first declaration is split across the section
# boundary.
type
aidl_lazy_test_service, service_manager_type; type apc_service, service_manager_type; type apex_service, service_manager_type; type artd_service, service_manager_type; type artd_pre_reboot_service, service_manager_type; type audioserver_service, service_manager_type, isolated_compute_allowed_service; type authorization_service, service_manager_type; type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type; type bluetooth_service, service_manager_type; type cameraserver_service, service_manager_type, isolated_compute_allowed_service; type fwk_camera_service, service_manager_type; type default_android_service, service_manager_type; type device_config_updatable_service, system_api_service, system_server_service,service_manager_type; type dexopt_chroot_setup_service, service_manager_type; type dnsresolver_service, service_manager_type; type drmserver_service, service_manager_type; type dumpstate_service, service_manager_type; type evsmanagerd_service, service_manager_type; type fingerprintd_service, service_manager_type; type fwk_automotive_display_service, service_manager_type; type gatekeeper_service, app_api_service, service_manager_type; type gpu_service, app_api_service, ephemeral_app_api_service, service_manager_type; type idmap_service, service_manager_type; type incident_service, service_manager_type; type installd_service, service_manager_type; type credstore_service, app_api_service, service_manager_type; type keystore_compat_hal_service, service_manager_type; type keystore_maintenance_service, service_manager_type; type keystore_metrics_service, service_manager_type; type keystore_service, service_manager_type; type legacykeystore_service, service_manager_type; type lpdump_service, service_manager_type; type mdns_service, service_manager_type; type mediaserver_service, service_manager_type, isolated_compute_allowed_service; type mediametrics_service, service_manager_type; type mediaextractor_service, 
service_manager_type; type mediadrmserver_service, service_manager_type; type mediatranscoding_service, app_api_service, service_manager_type; type netd_service, service_manager_type; type nfc_service, service_manager_type; type ondevicepersonalization_system_service, system_api_service, system_server_service, service_manager_type; type ot_daemon_service, service_manager_type; type profiling_service, app_api_service, system_server_service, service_manager_type; type radio_service, service_manager_type; type secure_element_service, service_manager_type; type service_manager_service, service_manager_type; type storaged_service, service_manager_type; type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type; type system_app_service, service_manager_type; type system_net_netd_service, service_manager_type; type system_suspend_control_internal_service, service_manager_type; type system_suspend_control_service, service_manager_type; type update_engine_service, service_manager_type; type update_engine_stable_service, service_manager_type; type virtualization_service, service_manager_type; type virtual_camera_service, service_manager_type; type virtual_touchpad_service, service_manager_type; type vold_service, service_manager_type; type vr_hwc_service, service_manager_type; type vrflinger_vsync_service, service_manager_type; # system_server_services broken down type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type account_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type activity_task_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type adb_service, system_api_service, system_server_service, service_manager_type; type adservices_manager_service, 
system_api_service, system_server_service, service_manager_type; type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type app_binding_service, system_server_service, service_manager_type; type app_hibernation_service, app_api_service, system_api_service, system_server_service, service_manager_type; type app_integrity_service, system_api_service, system_server_service, service_manager_type; type app_prediction_service, app_api_service, system_server_service, service_manager_type; type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type archive_service, app_api_service, system_server_service, service_manager_type; type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type attestation_verification_service, app_api_service, system_server_service, service_manager_type; type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type auth_service, app_api_service, system_server_service, service_manager_type; type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type battery_service, system_server_service, service_manager_type; type binder_calls_stats_service, system_server_service, service_manager_type; type blob_store_service, app_api_service, system_server_service, service_manager_type; type bluetooth_manager_service, app_api_service, 
ephemeral_app_api_service, system_server_service, service_manager_type; type broadcastradio_service, app_api_service, system_server_service, service_manager_type; type cacheinfo_service, system_api_service, system_server_service, service_manager_type; type cameraproxy_service, system_server_service, service_manager_type; type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type cloudsearch_service, app_api_service, system_server_service, service_manager_type; type contexthub_service, app_api_service, system_server_service, service_manager_type; type contextual_search_service, app_api_service, system_server_service, service_manager_type; type crossprofileapps_service, app_api_service, system_server_service, service_manager_type; type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type connectivity_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_service; type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, 
service_manager_type; # Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled # with EMMA_INSTRUMENT=true. We should consider locking this down in the future. type coverage_service, system_server_service, service_manager_type; type cpuinfo_service, system_api_service, system_server_service, service_manager_type; type cpu_monitor_service, system_server_service, service_manager_type; type credential_service, app_api_service, ephemeral_app_api_service, system_api_service, system_server_service, service_manager_type; type dataloader_manager_service, system_server_service, service_manager_type; type dbinfo_service, system_api_service, system_server_service, service_manager_type; type device_config_service, system_server_service, service_manager_type; type device_policy_service, app_api_service, system_server_service, service_manager_type; type device_state_service, app_api_service, system_api_service, system_server_service, service_manager_type, isolated_compute_allowed_service; type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type devicestoragemonitor_service, system_server_service, service_manager_type; type diskstats_service, system_api_service, system_server_service, service_manager_type; type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type domain_verification_service, app_api_service, system_server_service, service_manager_type; type color_display_service, app_api_service, system_api_service, system_server_service, service_manager_type; type ecm_enhanced_confirmation_service, app_api_service, system_server_service, service_manager_type; type external_vibrator_service, system_server_service, service_manager_type; type file_integrity_service, app_api_service, 
system_server_service, service_manager_type; type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type netd_listener_service, system_server_service, service_manager_type; type network_watchlist_service, system_server_service, service_manager_type; type devicelock_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type DockObserver_service, system_server_service, service_manager_type; type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type ethernet_service, app_api_service, system_server_service, service_manager_type; type biometric_service, app_api_service, system_server_service, service_manager_type; type bugreport_service, app_api_service, system_server_service, service_manager_type; type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type face_service, app_api_service, system_server_service, service_manager_type; type fingerprint_service, app_api_service, system_server_service, service_manager_type; type fwk_altitude_service, system_server_service, service_manager_type; type fwk_stats_service, app_api_service, system_server_service, service_manager_type; type fwk_sensor_service, system_server_service, service_manager_type; type fwk_vibrator_control_service, system_server_service, service_manager_type; type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type gfxinfo_service, system_api_service, system_server_service, service_manager_type; type gnss_time_update_service, system_server_service, service_manager_type; type grammatical_inflection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type graphicsstats_service, 
app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type hardware_service, system_server_service, service_manager_type; type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type hdmi_control_service, app_api_service, system_server_service, service_manager_type; type healthconnect_service, app_api_service, system_server_service, service_manager_type; type hint_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type incremental_service, system_server_service, service_manager_type; type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type iris_service, app_api_service, system_server_service, service_manager_type; type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type legacy_permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type light_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type locale_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type location_time_zone_manager_service, system_server_service, service_manager_type; type lock_settings_service, app_api_service, system_api_service, 
system_server_service, service_manager_type; type looper_stats_service, system_server_service, service_manager_type; type media_communication_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type media_metrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type meminfo_service, system_api_service, system_server_service, service_manager_type; type memtrackproxy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type music_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type nearby_service, app_api_service, system_server_service, service_manager_type; type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type network_score_service, system_api_service, system_server_service, service_manager_type; type network_stack_service, system_server_service, service_manager_type; type network_time_update_service, system_server_service, service_manager_type; type notification_service, app_api_service, ephemeral_app_api_service, 
system_server_service, service_manager_type; type oem_lock_service, system_api_service, system_server_service, service_manager_type; type otadexopt_service, system_server_service, service_manager_type; type overlay_service, system_api_service, system_server_service, service_manager_type; type pac_proxy_service, app_api_service, system_server_service, service_manager_type; type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type package_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type people_service, app_api_service, system_server_service, service_manager_type; type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type permission_checker_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type persistent_data_block_service, system_api_service, system_server_service, service_manager_type; type pinner_service, system_server_service, service_manager_type; type powerstats_service, app_api_service, system_server_service, service_manager_type; type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type processinfo_service, system_server_service, service_manager_type; type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type reboot_readiness_service, app_api_service, system_server_service, service_manager_type; type recovery_service, system_server_service, service_manager_type; type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type remote_auth_service, 
app_api_service, system_server_service, service_manager_type; type remote_provisioning_service, system_server_service, service_manager_type; type resources_manager_service, system_api_service, system_server_service, service_manager_type; type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type role_service, app_api_service, system_server_service, service_manager_type; type rollback_service, app_api_service, system_server_service, service_manager_type; type runtime_service, system_server_service, service_manager_type; type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type samplingprofiler_service, system_server_service, service_manager_type; type scheduling_policy_service, system_server_service, service_manager_type; type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type search_ui_service, app_api_service, system_server_service, service_manager_type; type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type; type security_state_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type selection_toolbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type sensitive_content_protection_service, app_api_service, system_server_service, service_manager_type; type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type serial_service, system_api_service, system_server_service, service_manager_type; type servicediscovery_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type settings_service, app_api_service, 
ephemeral_app_api_service, system_server_service, service_manager_type; type shortcut_service, app_api_service, system_server_service, service_manager_type; type slice_service, app_api_service, system_server_service, service_manager_type; type smartspace_service, app_api_service, system_server_service, service_manager_type; type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type sdk_sandbox_service, app_api_service, system_server_service, service_manager_type; type system_config_service, system_api_service, system_server_service, service_manager_type; type system_server_dumper_service, system_api_service, system_server_service, service_manager_type; type system_update_service, system_server_service, service_manager_type; type soundtrigger_middleware_service, system_server_service, service_manager_type; type speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_service; type tare_service, app_api_service, system_server_service, service_manager_type; type task_service, system_server_service, service_manager_type; type testharness_service, system_server_service, service_manager_type; type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type texttospeech_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type threadnetwork_service, app_api_service, 
system_server_service, service_manager_type; type timedetector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type timezonedetector_service, app_api_service, system_server_service, service_manager_type; type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type trust_service, app_api_service, system_server_service, service_manager_type; type tv_ad_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type tv_iapp_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type; type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type updatelock_service, system_api_service, system_server_service, service_manager_type; type uri_grants_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type usb_service, app_api_service, system_server_service, service_manager_type; type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type uwb_service, app_api_service, system_server_service, service_manager_type; type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type virtual_device_service, app_api_service, system_server_service, 
service_manager_type; type virtual_device_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type vpn_management_service, app_api_service, system_server_service, service_manager_type; type vr_manager_service, system_server_service, service_manager_type; type wallpaper_service, app_api_service, system_server_service, service_manager_type; type wallpaper_effects_generation_service, app_api_service, system_server_service, service_manager_type; type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type wifip2p_service, app_api_service, system_server_service, service_manager_type; type wifiscanner_service, system_api_service, system_server_service, service_manager_type; type wifi_service, app_api_service, system_server_service, service_manager_type; type wifinl80211_service, service_manager_type; type wifiaware_service, app_api_service, system_server_service, service_manager_type; type window_service, system_api_service, system_server_service, service_manager_type; type inputflinger_service, system_api_service, system_server_service, service_manager_type; type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type emergency_affordance_service, system_server_service, service_manager_type; ### ### HAL Services ### type hal_audio_service, protected_service, hal_service_type, service_manager_type; type hal_audiocontrol_service, hal_service_type, service_manager_type; type hal_authgraph_service, protected_service, hal_service_type, service_manager_type; type hal_authsecret_service, protected_service, hal_service_type, service_manager_type; type hal_bluetooth_service, protected_service, hal_service_type, service_manager_type; type hal_bootctl_service, protected_service, 
hal_service_type, service_manager_type; type hal_broadcastradio_service, protected_service, hal_service_type, service_manager_type; type hal_camera_service, protected_service, hal_service_type, service_manager_type; type hal_can_controller_service, protected_service, hal_service_type, service_manager_type; type hal_cas_service, hal_service_type, service_manager_type; type hal_codec2_service, hal_service_type, service_manager_type, isolated_compute_allowed_service; type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type; type hal_contexthub_service, protected_service, hal_service_type, service_manager_type; type hal_drm_service, hal_service_type, service_manager_type; type hal_dumpstate_service, protected_service, hal_service_type, service_manager_type; type hal_evs_service, protected_service, hal_service_type, service_manager_type; type hal_face_service, protected_service, hal_service_type, service_manager_type; type hal_fastboot_service, protected_service, hal_service_type, service_manager_type; type hal_fingerprint_service, protected_service, hal_service_type, service_manager_type; type hal_gnss_service, protected_service, hal_service_type, service_manager_type; type hal_graphics_allocator_service, hal_service_type, service_manager_type; type hal_graphics_composer_service, protected_service, hal_service_type, service_manager_type; type hal_graphics_mapper_service, hal_service_type, service_manager_type; type hal_health_service, protected_service, hal_service_type, service_manager_type; type hal_health_storage_service, protected_service, hal_service_type, service_manager_type; type hal_identity_service, protected_service, hal_service_type, service_manager_type; type hal_input_processor_service, protected_service, hal_service_type, service_manager_type; type hal_ir_service, protected_service, hal_service_type, service_manager_type; type hal_ivn_service, protected_service, hal_service_type, service_manager_type; type 
hal_keymint_service, protected_service, hal_service_type, service_manager_type; type hal_light_service, protected_service, hal_service_type, service_manager_type; type hal_macsec_service, protected_service, hal_service_type, service_manager_type; type hal_memtrack_service, protected_service, hal_service_type, service_manager_type; type hal_neuralnetworks_service, hal_service_type, service_manager_type; type hal_nfc_service, protected_service, hal_service_type, service_manager_type; type hal_oemlock_service, protected_service, hal_service_type, service_manager_type; type hal_power_service, protected_service, hal_service_type, service_manager_type; type hal_power_stats_service, protected_service, hal_service_type, service_manager_type; type hal_radio_service, protected_service, hal_service_type, service_manager_type; type hal_rebootescrow_service, protected_service, hal_service_type, service_manager_type; type hal_remoteaccess_service, protected_service, hal_service_type, service_manager_type; type hal_remotelyprovisionedcomponent_avf_service, protected_service, hal_service_type, service_manager_type; type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type; type hal_sensors_service, protected_service, hal_service_type, service_manager_type; type hal_secretkeeper_service, protected_service, hal_service_type, service_manager_type; type hal_secureclock_service, protected_service, hal_service_type, service_manager_type; type hal_secure_element_service, protected_service, hal_service_type, service_manager_type; type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type; type hal_system_suspend_service, protected_service, hal_service_type, service_manager_type; type hal_tetheroffload_service, protected_service, hal_service_type, service_manager_type; type hal_thermal_service, protected_service, hal_service_type, service_manager_type; type hal_tv_hdmi_cec_service, protected_service, 
hal_service_type, service_manager_type; type hal_tv_hdmi_connection_service, protected_service, hal_service_type, service_manager_type; type hal_tv_hdmi_earc_service, protected_service, hal_service_type, service_manager_type; type hal_tv_input_service, protected_service, hal_service_type, service_manager_type; type hal_threadnetwork_service, protected_service, hal_service_type, service_manager_type; type hal_tv_tuner_service, protected_service, hal_service_type, service_manager_type; type hal_usb_service, protected_service, hal_service_type, service_manager_type; type hal_usb_gadget_service, protected_service, hal_service_type, service_manager_type; type hal_uwb_service, protected_service, hal_service_type, service_manager_type; type hal_vehicle_service, protected_service, hal_service_type, service_manager_type; type hal_vibrator_service, protected_service, hal_service_type, service_manager_type; type hal_weaver_service, protected_service, hal_service_type, service_manager_type; type hal_nlinterceptor_service, protected_service, hal_service_type, service_manager_type; type hal_wifi_service, protected_service, hal_service_type, service_manager_type; type hal_wifi_hostapd_service, protected_service, hal_service_type, service_manager_type; type hal_wifi_supplicant_service, protected_service, hal_service_type, service_manager_type; type hal_gatekeeper_service, protected_service, hal_service_type, service_manager_type; ### ### Neverallow rules ### # servicemanager handles registering or looking up named services. # It does not make sense to register or lookup something which is not a service. # Trigger a compile error if this occurs. 
neverallow domain ~{ service_manager_type vndservice_manager_type }:service_manager { add find }; #line 1 "system/sepolicy/public/servicemanager.te" # servicemanager - the Binder context manager type servicemanager, domain, mlstrustedsubject; type servicemanager_exec, system_file_type, exec_type, file_type; # Note that we do not use the binder_* macros here. # servicemanager is unique in that it only provides # name service (aka context manager) for Binder. # As such, it only ever receives and transfers other references # created by other domains. It never passes its own references # or initiates a Binder IPC. allow servicemanager self:binder set_context_mgr; allow servicemanager { domain -init -vendor_init -hwservicemanager -vndservicemanager }:binder transfer; allow servicemanager service_contexts_file:file { getattr open read ioctl lock map watch watch_reads }; allow servicemanager vendor_service_contexts_file:file { getattr open read ioctl lock map watch watch_reads }; # nonplat_service_contexts only accessible on non full-treble devices allow servicemanager vendor_service_contexts_file:file { getattr open read ioctl lock map watch watch_reads }; #line 27 allow servicemanager service_manager_service:service_manager { add find }; #line 27 neverallow { domain -servicemanager } service_manager_service:service_manager add; #line 27 #line 27 # On debug builds with root, allow binder services to use binder over TCP. #line 27 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 27 #line 27 allow servicemanager dumpstate:fd use; allow servicemanager dumpstate:fifo_file write; # Check SELinux permissions. 
#line 32
#line 32
# servicemanager enforces service_contexts itself: it asks the kernel for an
# access decision (compute_av) on every add/find instead of trusting callers.
allow servicemanager selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 32
allow servicemanager selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 32
#line 32
# NOTE(review): write access to selinuxfs files is presumably needed for the
# node that the userspace access-check query is written to — confirm against
# the libselinux AVC implementation before narrowing.
allow servicemanager selinuxfs:file { open append write lock map };
#line 32
allow servicemanager kernel:security compute_av;
#line 32
# NOTE(review): the netlink_selinux_socket permissions look like the
# policy-change notification channel used by the userspace AVC — confirm.
allow servicemanager self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
#line 32
allow servicemanager kmsg_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 39
#line 1 "system/sepolicy/public/sgdisk.te"
# sgdisk called from vold
type sgdisk, domain;
type sgdisk_exec, system_file_type, exec_type, file_type;
# Allowed to read/write low-level partition tables
allow sgdisk block_device:dir search;
allow sgdisk vold_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# HDIO_GETGEO needed to get the number of disk heads
# on vold_device. How quaint.
# ioctl access is allow-listed per command number (allowxperm) rather than
# granting the blanket ioctl permission on the block device.
allowxperm sgdisk vold_device:blk_file ioctl { 0x00000301 };
# sgdisk also uses BLKGETSIZE and BLKGETSIZE64. BLKGETSIZE64
# is granted to all block device users in domain.te, so
# no need to mention it here. sgdisk should not be
# using the BLKGETSIZE ioctl as it is useless for devices over
# 2T in size, but we allow it for now and hope that sgdisk
# will fix their bug.
allowxperm sgdisk vold_device:blk_file ioctl { 0x00001260 };
# Force a re-read of the partition table (BLKRRPART).
allowxperm sgdisk vold_device:blk_file ioctl { 0x0000125f };
# Allow reading of the physical block size.
# BLKPBSZGET.
allowxperm sgdisk vold_device:blk_file ioctl { 0x0000127b };
# Inherit and use pty created by android_fork_execvp()
allow sgdisk devpts:chr_file { read write ioctl getattr };
# Allow stdin/out back to vold
allow sgdisk vold:fd use;
allow sgdisk vold:fifo_file { read write getattr };
# Used to probe kernel to reload partition tables
# (the partition re-read ioctl above is a CAP_SYS_ADMIN operation).
allow sgdisk self:{ capability cap_userns } sys_admin;
# Only allow entry from vold
# These three rules pin the domain: only vold may transition into sgdisk,
# nothing may dyntransition into it, and only sgdisk_exec may be its entrypoint.
neverallow { domain -vold } sgdisk:process transition;
neverallow * sgdisk:process dyntransition;
neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
#line 1 "system/sepolicy/public/shared_relro.te"
# Process which creates/updates shared RELRO files to be used by other apps.
type shared_relro, domain;
#line 1 "system/sepolicy/public/shell.te"
# Domain for shell processes spawned by ADB or console service.
type shell, domain, mlstrustedsubject;
type shell_exec, system_file_type, exec_type, file_type;
# Create and use network sockets.
#line 6
typeattribute shell netdomain;
#line 6
# logcat
#line 9
allow shell logcat_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 9
#line 9
allow shell logdr_socket:sock_file write;
#line 9
allow shell logd:unix_stream_socket connectto;
#line 9
#line 9
#line 10
# Group AID_LOG checked by filesystem & logd
#line 10
# to permit control commands
#line 10
#line 10
allow shell logd_socket:sock_file write;
#line 10
allow shell logd:unix_stream_socket connectto;
#line 10
#line 10
#line 11
allow shell logd_prop:file { getattr open read map };
#line 11
# logcat -L (directly, or via dumpstate)
allow shell pstorefs:dir search;
allow shell pstorefs:file { getattr open read ioctl lock map watch watch_reads };
# Root fs.
allow shell rootfs:dir { open getattr read search ioctl lock watch watch_reads };
# read files in /data/anr
allow shell anr_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow shell anr_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Access /data/local/tmp.
allow shell shell_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow shell shell_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Note: together with the create/write rule above, shell may both write and
# execute files under /data/local/tmp (no execute_no_trans restriction here).
allow shell shell_data_file:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow shell shell_data_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Access /data/local/tests.
# Same shape as /data/local/tmp above, plus sock_file for test sockets.
allow shell shell_test_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow shell shell_test_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow shell shell_test_data_file:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow shell shell_test_data_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow shell shell_test_data_file:sock_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Read and delete from /data/local/traces.
# Read + unlink only: shell is not granted create/write on traces.
allow shell trace_data_file:file { { getattr open read ioctl lock map watch watch_reads } unlink };
allow shell trace_data_file:dir { { open getattr read search ioctl lock watch watch_reads } remove_name write };
# Access /data/misc/profman.
allow shell profman_dump_data_file:dir { write remove_name { open getattr read search ioctl lock watch watch_reads } };
allow shell profman_dump_data_file:file { unlink { getattr open read ioctl lock map watch watch_reads } };
# Read/execute files in /data/nativetest
# NOTE(review): no rules follow this comment in this build variant — the
# /data/nativetest access is presumably compiled out on user builds; confirm.
#line 48
# adb bugreport
#line 51
allow shell dumpstate_socket:sock_file write;
#line 51
allow shell dumpstate:unix_stream_socket connectto;
#line 51
# Terminal devices for interactive use.
allow shell devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow shell tty_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow shell console_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Input devices are read-only for shell; the neverallow at the end of
# shell.te forbids write/create/link on them.
allow shell input_device:dir { open getattr read search ioctl lock watch watch_reads };
allow shell input_device:chr_file { getattr open read ioctl lock map watch watch_reads };
#line 60
allow shell system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 60
allow shell system_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 60
allow shell system_file:file { getattr execute execute_no_trans map };
allow shell toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow shell shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow shell zygote_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 70
# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to
# access GateKeeper service
# TODO: why is this so broad? Tightening candidate? It needs at least:
# - dumpstate_service (so it can receive dumpstate progress updates)
# NOTE(review): this is a deny-list over all service_manager_type; keep the
# excluded security services in sync with the neverallow at the end of
# shell.te (hal_keymint_service, hal_secureclock_service, hal_sharedsecret_service).
allow shell { service_manager_type -apex_service -dnsresolver_service -gatekeeper_service -hal_keymint_service -hal_secureclock_service -hal_sharedsecret_service -incident_service -installd_service -mdns_service -netd_service -system_suspend_control_internal_service -system_suspend_control_service -virtual_touchpad_service -vold_service -default_android_service }:service_manager find;
allow shell dumpstate:binder call;
# allow shell to get information from hwservicemanager
# for instance, listing hardware services with lshal
#line 99
# Call the hwservicemanager and transfer references to it.
#line 99
allow shell hwservicemanager:binder { call transfer };
#line 99
# Allow hwservicemanager to send out callbacks
#line 99
allow hwservicemanager shell:binder { call transfer };
#line 99
# hwservicemanager performs getpidcon on clients.
#line 99
allow hwservicemanager shell:dir search;
#line 99
allow hwservicemanager shell:file { read open map };
#line 99
allow hwservicemanager shell:process getattr;
#line 99
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 99
# all domains in domain.te.
#line 99
allow shell hwservicemanager:hwservice_manager list;
# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
#line 103
allow shell proc_net_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 103
allow shell proc_net_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 103
# Explicit allow-list of /proc nodes rather than the whole proc type.
allow shell {
  proc_asound
  proc_filesystems
  proc_interrupts
  proc_loadavg # b/124024827
  proc_meminfo
  proc_modules
  proc_pid_max
  proc_slabinfo
  proc_stat
  proc_timer
  proc_uptime
  proc_version
  proc_vmstat
  proc_zoneinfo
}:file { getattr open read ioctl lock map watch watch_reads };
# allow listing network interfaces under /sys/class/net.
allow shell sysfs_net:dir { open getattr read search ioctl lock watch watch_reads };
#line 125
allow shell cgroup:dir { open getattr read search ioctl lock watch watch_reads };
#line 125
allow shell cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 125
allow shell cgroup_desc_file:file { getattr open read ioctl lock map watch watch_reads };
allow shell cgroup_desc_api_file:file { getattr open read ioctl lock map watch watch_reads };
allow shell vendor_cgroup_desc_file:file { getattr open read ioctl lock map watch watch_reads };
#line 129
allow shell cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
#line 129
allow shell cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 129
# Read /proc/<pid> of every domain (ps, top); no write or ptrace on others.
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
# statvfs() of /proc and other labeled filesystems
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
allow shell { proc labeledfs }:filesystem getattr;
# stat() of /dev
allow shell device:dir getattr;
# allow shell to read /proc/pid/attr/current for ps -Z
allow shell domain:process getattr;
# Allow pulling the SELinux policy for CTS purposes
allow shell selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
allow shell selinuxfs:file { getattr open read ioctl lock map watch watch_reads };
# enable shell domain to read/write files/dirs for bootchart data
# User creates the start and stop file via adb shell
# and reads other files created by init process under /data/bootchart
allow shell bootchart_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow shell bootchart_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Make sure strace works for the non-privileged shell user
# (ptrace is granted on self only, not on other domains).
allow shell self:process ptrace;
# allow shell to get battery info
allow shell sysfs:dir { open getattr read search ioctl lock watch watch_reads };
allow shell sysfs_batteryinfo:dir { open getattr read search ioctl lock watch watch_reads };
allow shell sysfs_batteryinfo:file { getattr open read ioctl lock map watch watch_reads };
# Allow access to ion memory allocation device.
allow shell ion_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#
# filesystem test for insecure chr_file's is done
# via a host side test
#
allow shell dev_type:dir { open getattr read search ioctl lock watch watch_reads };
allow shell dev_type:chr_file getattr;
# /dev/fd is a symlink
allow shell proc:lnk_file getattr;
#
# filesystem test for insecure blk_file's is done
# via hostside test
#
allow shell dev_type:blk_file getattr;
# read selinux policy files
allow shell file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
allow shell property_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
allow shell seapp_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
allow shell service_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
allow shell sepolicy_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow shell to start up vendor shell
allow shell vendor_shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Everything is labeled as rootfs in recovery mode. Allow shell to
# execute them.
#line 194
###
### Neverallow rules
###
# Do not allow shell to talk directly to security HAL services other than
# hal_remotelyprovisionedcomponent_service
# This is the hard backstop for the deny-list in the broad service_manager
# find rule earlier in shell.te.
neverallow shell { hal_keymint_service hal_secureclock_service hal_sharedsecret_service }:service_manager find;
# Do not allow shell to hard link to any files.
# In particular, if shell hard links to app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure the shell user never has this
# capability.
neverallow shell file_type:file link;
# Do not allow privileged socket ioctl commands
# Enforced per ioctl number (neverallowxperm) on raw/TCP/UDP sockets of
# every domain, so a later allowxperm cannot quietly re-grant one of these.
neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl
#line 217
{
#line 217
# qualcomm rmnet ioctls
#line 217
0x00006900 0x00006902
#line 217
# socket ioctls
#line 217
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 217
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 217
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 217
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 217
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 217
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 217
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 217
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 217
0x00008991 0x00008992 0x00008993 0x00008994
#line 217
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 217
# device and protocol specific ioctls
#line 217
0x000089f0-0x000089ff
#line 217
0x000089e0-0x000089ef
#line 217
# Wireless extension ioctls
#line 217
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 217
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 217
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 217
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 217
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 217
0x00008b34 0x00008b35 0x00008b36
#line 217
# Dev private ioctl i.e. hardware specific ioctls
#line 217
0x00008be0-0x00008bff
#line 217
};
# limit shell access to sensitive char drivers to
# only getattr required for host side test.
neverallow shell { fuse_device hw_random_device port_device }:chr_file ~getattr;
# Limit shell to only getattr on blk devices for host side tests.
neverallow shell dev_type:blk_file ~getattr;
# b/30861057: Shell access to existing input devices is an abuse
# vector. The shell user can inject events that look like they
# originate from the touchscreen etc.
# Everyone should have already moved to UiAutomation#injectInputEvent
# if they are running instrumentation tests (i.e. CTS), Monkey for
# their stress tests, and the input command (adb shell input ...) for
# injecting swipes and things.
neverallow shell input_device:chr_file { append create link unlink relabelfrom rename setattr write };
#line 1 "system/sepolicy/public/simpleperf.te"
type simpleperf, domain;
#line 1 "system/sepolicy/public/simpleperf_app_runner.te"
type simpleperf_app_runner, domain, mlstrustedsubject;
type simpleperf_app_runner_exec, system_file_type, exec_type, file_type;
#line 1 "system/sepolicy/public/slideshow.te"
# slideshow seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type slideshow, domain;
allow slideshow kmsg_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 6
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 6
# deprecated.
#line 6
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 6
allow slideshow sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 6
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 6
allow slideshow self:{ capability2 cap2_userns } block_suspend;
#line 6
# system_suspend permissions
#line 6
#line 6
# Call the server domain and optionally transfer references to it.
#line 6
allow slideshow system_suspend_server:binder { call transfer };
#line 6
# Allow the serverdomain to transfer references to the client on the reply.
#line 6
allow system_suspend_server slideshow:binder transfer;
#line 6
# Receive and use open files from the server.
#line 6
allow slideshow system_suspend_server:fd use;
#line 6
#line 6
allow slideshow system_suspend_hwservice:hwservice_manager find;
#line 6
# halclientdomain permissions
#line 6
#line 6
# Call the hwservicemanager and transfer references to it.
#line 6
allow slideshow hwservicemanager:binder { call transfer };
#line 6
# Allow hwservicemanager to send out callbacks
#line 6
allow hwservicemanager slideshow:binder { call transfer };
#line 6
# hwservicemanager performs getpidcon on clients.
#line 6
allow hwservicemanager slideshow:dir search;
#line 6
allow hwservicemanager slideshow:file { read open map };
#line 6
allow hwservicemanager slideshow:process getattr;
#line 6
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6
#line 6
#line 6
allow slideshow hwservicemanager_prop:file { getattr open read map };
#line 6
#line 6
allow slideshow hidl_manager_hwservice:hwservice_manager find;
#line 6
# AIDL suspend hal permissions
#line 6
allow slideshow hal_system_suspend_service:service_manager find;
#line 6
#line 6
# Call the servicemanager and transfer references to it.
#line 6
allow slideshow servicemanager:binder { call transfer };
#line 6
# Allow servicemanager to send out callbacks
#line 6
allow servicemanager slideshow:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
#line 6
allow servicemanager slideshow:dir search;
#line 6
allow servicemanager slideshow:file { read open };
#line 6
allow servicemanager slideshow:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6
#line 6
allow slideshow device:dir { open getattr read search ioctl lock watch watch_reads };
# CAP_SYS_TTY_CONFIG for the console; no sys_admin is granted here.
allow slideshow self:{ capability cap_userns } sys_tty_config;
allow slideshow graphics_device:dir { open getattr read search ioctl lock watch watch_reads };
allow slideshow graphics_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Input devices are read-only for slideshow.
allow slideshow input_device:dir { open getattr read search ioctl lock watch watch_reads };
allow slideshow input_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow slideshow tty_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 1 "system/sepolicy/public/stats_service_server.te"
#line 1
# HIDL and AIDL registration for the stats service; each is paired with a
# neverallow so no other domain can register the same name.
allow stats_service_server fwk_stats_hwservice:hwservice_manager { add find };
#line 1
allow stats_service_server hidl_base_hwservice:hwservice_manager add;
#line 1
neverallow { domain -stats_service_server } fwk_stats_hwservice:hwservice_manager add;
#line 1
#line 2
allow stats_service_server fwk_stats_service:service_manager { add find };
#line 2
neverallow { domain -stats_service_server } fwk_stats_service:service_manager add;
#line 2
#line 2
# On debug builds with root, allow binder services to use binder over TCP.
#line 2
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 2
#line 2
#line 4
# Call the servicemanager and transfer references to it.
#line 4
allow stats_service_server servicemanager:binder { call transfer };
#line 4
# Allow servicemanager to send out callbacks
#line 4
allow servicemanager stats_service_server:binder { call transfer };
#line 4
# servicemanager performs getpidcon on clients.
#line 4
allow servicemanager stats_service_server:dir search;
#line 4
allow servicemanager stats_service_server:file { read open };
#line 4
allow servicemanager stats_service_server:process getattr;
#line 4
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 4
# all domains in domain.te.
#line 4
#line 1 "system/sepolicy/public/statsd.te"
# statsd - the statistics/metrics daemon.
type statsd, domain, mlstrustedsubject;
type statsd_exec, system_file_type, exec_type, file_type;
#line 4
# Call the servicemanager and transfer references to it.
#line 4
allow statsd servicemanager:binder { call transfer };
#line 4
# Allow servicemanager to send out callbacks
#line 4
allow servicemanager statsd:binder { call transfer };
#line 4
# servicemanager performs getpidcon on clients.
#line 4
allow servicemanager statsd:dir search;
#line 4
allow servicemanager statsd:file { read open };
#line 4
allow servicemanager statsd:process getattr;
#line 4
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 4
# all domains in domain.te.
#line 4
# Allow statsd to scan through /proc/pid for all processes.
#line 7
allow statsd domain:dir { open getattr read search ioctl lock watch watch_reads };
#line 7
allow statsd domain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 7
# Allow executing files on system, such as running a shell or running:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
allow statsd devpts:chr_file { getattr ioctl read write };
allow statsd shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# execute_no_trans: the spawned helpers stay in the statsd domain.
allow statsd system_file:file execute_no_trans;
allow statsd toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 20
# Create, read, and write into
# /data/misc/stats-active-metric
# /data/misc/stats-data
# /data/misc/stats-metadata
# /data/misc/stats-service
# /data/misc/train-info
# (the neverallow rules at the end of statsd.te keep other domains off
# these types).
allow statsd stats_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow statsd stats_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow statsd stats_config_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow statsd stats_config_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow statsd to make binder calls to any binder service.
#line 34
# Call the server domain and optionally transfer references to it.
#line 34
allow statsd appdomain:binder { call transfer };
#line 34
# Allow the serverdomain to transfer references to the client on the reply.
#line 34
allow appdomain statsd:binder transfer;
#line 34
# Receive and use open files from the server.
#line 34
allow statsd appdomain:fd use;
#line 34
#line 35
# Call the server domain and optionally transfer references to it.
#line 35
allow statsd incidentd:binder { call transfer };
#line 35
# Allow the serverdomain to transfer references to the client on the reply.
#line 35
allow incidentd statsd:binder transfer;
#line 35
# Receive and use open files from the server.
#line 35
allow statsd incidentd:fd use;
#line 35
#line 36
# Call the server domain and optionally transfer references to it.
#line 36
allow statsd system_server:binder { call transfer };
#line 36
# Allow the serverdomain to transfer references to the client on the reply.
#line 36
allow system_server statsd:binder transfer;
#line 36
# Receive and use open files from the server.
#line 36
allow statsd system_server:fd use;
#line 36
#line 37
# Call the server domain and optionally transfer references to it.
#line 37
allow statsd traced_probes:binder { call transfer };
#line 37
# Allow the serverdomain to transfer references to the client on the reply.
#line 37
allow traced_probes statsd:binder transfer;
#line 37
# Receive and use open files from the server.
#line 37
allow statsd traced_probes:fd use;
#line 37
# Allow statsd to interact with gpuservice
allow statsd gpu_service:service_manager find;
#line 41
# Call the server domain and optionally transfer references to it.
#line 41
allow statsd gpuservice:binder { call transfer };
#line 41
# Allow the serverdomain to transfer references to the client on the reply.
#line 41
allow gpuservice statsd:binder transfer;
#line 41
# Receive and use open files from the server.
#line 41
allow statsd gpuservice:fd use;
#line 41
# Allow statsd to interact with keystore to pull atoms
allow statsd keystore_service:service_manager find;
#line 45
# Call the server domain and optionally transfer references to it.
#line 45
allow statsd keystore:binder { call transfer };
#line 45
# Allow the serverdomain to transfer references to the client on the reply.
#line 45
allow keystore statsd:binder transfer;
#line 45
# Receive and use open files from the server.
#line 45
allow statsd keystore:fd use;
#line 45
# Allow statsd to interact with mediametrics
allow statsd mediametrics_service:service_manager find;
#line 49
# Call the server domain and optionally transfer references to it.
#line 49
allow statsd mediametrics:binder { call transfer };
#line 49
# Allow the serverdomain to transfer references to the client on the reply.
#line 49
allow mediametrics statsd:binder transfer;
#line 49
# Receive and use open files from the server.
#line 49
allow statsd mediametrics:fd use;
#line 49
# Allow statsd to interact with mediaserver
allow statsd mediaserver_service:service_manager find;
#line 53
# Call the server domain and optionally transfer references to it.
#line 53
allow statsd mediaserver:binder { call transfer };
#line 53
# Allow the serverdomain to transfer references to the client on the reply.
#line 53
allow mediaserver statsd:binder transfer;
#line 53
# Receive and use open files from the server.
#line 53
allow statsd mediaserver:fd use;
#line 53
# Allow logd access.
#line 56
allow statsd logcat_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 56
#line 56
allow statsd logdr_socket:sock_file write;
#line 56
allow statsd logd:unix_stream_socket connectto;
#line 56
#line 56
#line 57
# Group AID_LOG checked by filesystem & logd
#line 57
# to permit control commands
#line 57
#line 57
allow statsd logd_socket:sock_file write;
#line 57
allow statsd logd:unix_stream_socket connectto;
#line 57
#line 57
# Grant statsd permission to find (not register) these services.
allow statsd { app_api_service incident_service system_api_service }:service_manager find;
# Grant statsd access to the health HAL to read battery metrics.
allow statsd hal_health_hwservice:hwservice_manager find;
# Allow statsd to send dump info to dumpstate
allow statsd dumpstate:fd use;
allow statsd dumpstate:fifo_file { getattr write };
# Allow read access to hardware layer and process stats.
allow statsd proc_uid_cputime_showstat:file { getattr open read };
#line 75
typeattribute statsd halclientdomain;
#line 75
typeattribute statsd hal_health_client;
#line 75
#line 75
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 75
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 75
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 75
#line 75
# NOTE(review): giving statsd the hal_health server attribute means statsd
# inherits every rule written for hal_health (including the vendor_file
# execute below), not just client access — this is the passthrough cost the
# TODO above refers to.
typeattribute statsd hal_health;
#line 75
# Find passthrough HAL implementations
#line 75
allow hal_health system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 75
allow hal_health vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 75
allow hal_health vendor_file:file { read open getattr execute map };
#line 75
#line 75
#line 76
typeattribute statsd halclientdomain;
#line 76
typeattribute statsd hal_power_client;
#line 76
#line 76
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 76
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 76
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 76
#line 76
# Same passthrough pattern as hal_health: statsd takes on the hal_power
# server attribute and therefore all of its rules.
typeattribute statsd hal_power;
#line 76
# Find passthrough HAL implementations
#line 76
allow hal_power system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 76
allow hal_power vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 76
allow hal_power vendor_file:file { read open getattr execute map };
#line 76
#line 76
#line 77
typeattribute statsd halclientdomain;
#line 77
typeattribute statsd hal_power_stats_client;
#line 77
#line 77
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 77
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 77
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 77
#line 77
typeattribute statsd hal_power_stats;
#line 77
# Find passthrough HAL implementations
#line 77
allow hal_power_stats system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 77
allow hal_power_stats vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 77
allow hal_power_stats vendor_file:file { read open getattr execute map };
#line 77
#line 77
#line 78
typeattribute statsd halclientdomain;
#line 78
typeattribute statsd hal_thermal_client;
#line 78
#line 78
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 78
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 78
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 78
#line 78
typeattribute statsd hal_thermal;
#line 78
# Find passthrough HAL implementations
#line 78
allow hal_thermal system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 78
allow hal_thermal vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 78
allow hal_thermal vendor_file:file { read open getattr execute map };
#line 78
#line 78
# Allow 'adb shell cmd' to upload configs and download output.
# NOTE(review): the adbd/shell rules below are limited to inherited fds, the
# adbd stream socket and shell-owned fifos; no rule here lets shell open
# statsd's data files directly (see the neverallow rules at the end).
allow statsd adbd:fd use;
allow statsd adbd:unix_stream_socket { getattr read write };
allow statsd shell:fifo_file { getattr read write };
#line 85
allow statsd statsdw_socket:sock_file write;
#line 85
allow statsd statsd:unix_dgram_socket sendto;
#line 85
###
### neverallow rules
###
# Only statsd and the other root services in limited circumstances.
# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
# Other services are prohibited from accessing the file.
# `*` denies every permission of the class, so the only domains that may touch
# stats_data_file at all are statsd, init and vold; stats_config_data_file
# additionally admits system_server (which pushes configs).
neverallow { domain -statsd -init -vold } stats_data_file:file *;
neverallow { domain -statsd -system_server -init -vold } stats_config_data_file:file *;
# Limited access to the directory itself.
neverallow { domain -statsd -init -vold } stats_data_file:dir *;
neverallow { domain -statsd -system_server -init -vold } stats_config_data_file:dir *;
#line 1 "system/sepolicy/public/su.te"
# Domain used for su processes, as well as for adbd and adb shell
# after performing an adb root command.
# All types must be defined regardless of build variant to ensure
# policy compilation succeeds with userdebug/user combination at boot
# NOTE(review): only the type declarations live here; the rules that make su
# usable on debuggable builds are not in this file, so this declaration alone
# grants nothing on user builds.
type su, domain;
# File types must be defined for file_contexts.
type su_exec, system_file_type, exec_type, file_type;
#line 112
#line 1 "system/sepolicy/public/surfaceflinger.te"
# surfaceflinger - display compositor service
type surfaceflinger, domain;
type surfaceflinger_tmpfs, file_type;
#line 1 "system/sepolicy/public/system_app.te"
###
### Apps that run with the system UID, e.g. com.android.system.ui,
### com.android.settings. These are not as privileged as the system
### server.
###
type system_app, domain;
#line 1 "system/sepolicy/public/system_server.te"
#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
type system_server, domain;
type system_server_tmpfs, file_type, mlstrustedobject;
# Power controls for debugging/diagnostics
#line 9
allow system_server power_debug_prop:file { getattr open read map };
#line 9
#line 10
#line 10
# Property set goes through init's property socket; the neverallow below pins
# the set side of power_debug_prop to init, vendor_init, system_server and shell.
allow system_server property_socket:sock_file write;
#line 10
allow system_server init:unix_stream_socket connectto;
#line 10
#line 10
allow system_server power_debug_prop:property_service set;
#line 10
#line 10
allow system_server power_debug_prop:file { getattr open read map };
#line 10
#line 10
neverallow { domain -init -vendor_init -system_server -shell } power_debug_prop:property_service set;
#line 1 "system/sepolicy/public/system_suspend_internal_server.te"
# To serve ISuspendControlServiceInternal.
#line 2
allow system_suspend_internal_server system_suspend_control_internal_service:service_manager { add find };
#line 2
# Only the owning domain may register the service name (prevents impersonation).
neverallow { domain -system_suspend_internal_server } system_suspend_control_internal_service:service_manager add;
#line 2
#line 2
# On debug builds with root, allow binder services to use binder over TCP.
#line 2
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 2
#line 2
# Lookup of the internal suspend-control service is restricted to the listed
# callers; any new client must be added to this exemption list.
neverallow {
  domain
  -atrace # tracing
  -dumpstate # bug reports
  -system_suspend_internal_server # implements system_suspend_control_internal_service
  -system_server # configures system_suspend via ISuspendControlServiceInternal
  -traceur_app # tracing
} system_suspend_control_internal_service:service_manager find;
#line 1 "system/sepolicy/public/system_suspend_server.te"
# Required to export a HIDL interface.
#line 2
# Call the hwservicemanager and transfer references to it.
#line 2
allow system_suspend_server hwservicemanager:binder { call transfer };
#line 2
# Allow hwservicemanager to send out callbacks
#line 2
allow hwservicemanager system_suspend_server:binder { call transfer };
#line 2
# hwservicemanager performs getpidcon on clients.
#line 2
allow hwservicemanager system_suspend_server:dir search;
#line 2
allow hwservicemanager system_suspend_server:file { read open map };
#line 2
allow hwservicemanager system_suspend_server:process getattr;
#line 2
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 2
# all domains in domain.te.
#line 2
#line 3
allow system_suspend_server hwservicemanager_prop:file { getattr open read map };
#line 3
# To serve ISystemSuspend.hal.
#line 6
allow system_suspend_server system_suspend_hwservice:hwservice_manager { add find };
#line 6
allow system_suspend_server hidl_base_hwservice:hwservice_manager add;
#line 6
# Only system_suspend_server may register the hwservice name.
neverallow { domain -system_suspend_server } system_suspend_hwservice:hwservice_manager add;
#line 6
#line 1 "system/sepolicy/public/tee.te"
##
# trusted execution environment (tee) daemon
#
type tee, domain;
# Device(s) for communicating with the TEE
type tee_device, dev_type;
# Full read/write/create/delete on fingerprint vendor data. This is the only
# data type the tee domain is granted here; keep it that narrow.
allow tee fingerprint_vendor_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow tee fingerprint_vendor_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
#line 1 "system/sepolicy/public/tombstoned.te"
# debugger interface
type tombstoned, domain, mlstrustedsubject;
type tombstoned_exec, system_file_type, exec_type, file_type;
# Write to arbitrary pipes given to us.
# NOTE(review): the `domain:dir` / `domain:file` rules below are read-only and
# target objects labelled with a process domain (presumably the /proc/<pid>
# entries of crashing processes -- confirm); no write permission on those.
allow tombstoned domain:fd use;
allow tombstoned domain:fifo_file write;
allow tombstoned domain:dir { open getattr read search ioctl lock watch watch_reads };
allow tombstoned domain:file { getattr open read ioctl lock map watch watch_reads };
allow tombstoned tombstone_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow tombstoned tombstone_data_file:file { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } link };
# Changes for the new stack dumping mechanism. Each trace goes into a
# separate file, and these files are managed by tombstoned.
allow tombstoned anr_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow tombstoned anr_data_file:file { append create getattr open link unlink };
#line 1 "system/sepolicy/public/toolbox.te"
# Any toolbox command run by init.
# Do NOT use this domain for toolbox when run by any other domain.
type toolbox, domain;
type toolbox_exec, system_file_type, exec_type, file_type;
# /dev/__null__ created by init prior to policy load,
# open fd inherited by fsck.
allow toolbox tmpfs:chr_file { read write ioctl };
# Inherit and use pty created by android_fork_execvp_ext().
allow toolbox devpts:chr_file { read write getattr ioctl };
# mkswap-specific.
# Read/write block devices used for swap partitions.
# Assign swap_block_device type any such partition in your
# device///sepolicy/file_contexts file.
allow toolbox block_device:dir search;
allow toolbox swap_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Only allow entry from init via the toolbox binary.
# The three neverallow rules together mean: only init can transition into
# toolbox, nobody can dyntransition into it, and the only valid entrypoint is
# toolbox_exec -- so the domain cannot be reached by any other path.
neverallow { domain -init } toolbox:process transition;
neverallow * toolbox:process dyntransition;
neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
# rm -rf /data/per_boot
allow toolbox system_data_root_file:dir { remove_name write };
allow toolbox system_data_file:dir { rmdir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow toolbox system_data_file:file { getattr unlink };
# chattr +F /data/media in init
# The two ioctl numbers appear to be FS_IOC_SETFLAGS (0x40086602) and
# FS_IOC_GETFLAGS (0x80086601) on the 64-bit ABI, matching the chattr use
# above -- verify against linux/fs.h before extending this list.
allow toolbox media_userdir_file:dir { { open getattr read search ioctl lock watch watch_reads } setattr };
allowxperm toolbox media_userdir_file:dir ioctl { 0x40086602 0x80086601 };
#line 1 "system/sepolicy/public/traced.te"
type traced, domain, coredomain, mlstrustedsubject;
type traced_tmpfs, file_type;
#line 1 "system/sepolicy/public/traced_perf.te"
type traced_perf, domain;
#line 1 "system/sepolicy/public/traced_probes.te"
type traced_probes, domain, coredomain, mlstrustedsubject;
#line 1 "system/sepolicy/public/traceur_app.te"
type traceur_app, domain;
allow traceur_app servicemanager:service_manager list;
allow traceur_app hwservicemanager:hwservice_manager list;
# NOTE(review): this is a deny-list over the whole service_manager_type
# attribute -- every newly added service type is findable by traceur_app unless
# it is explicitly subtracted here.
allow traceur_app { service_manager_type -apex_service -dnsresolver_service -gatekeeper_service -incident_service -installd_service -lpdump_service -mdns_service -netd_service -virtual_touchpad_service -vold_service -default_android_service }:service_manager find;
# Allow traceur_app to use atrace HAL
#line 22
typeattribute traceur_app halclientdomain;
#line 22
typeattribute traceur_app hal_atrace_client;
#line 22
#line 22
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 22
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 22
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 22
#line 22
# Passthrough mode: traceur_app also carries the server-side hal_atrace
# attribute, so the vendor_file execute+map below applies to the app process.
typeattribute traceur_app hal_atrace;
#line 22
# Find passthrough HAL implementations
#line 22
allow hal_atrace system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 22
allow hal_atrace vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 22
allow hal_atrace vendor_file:file { read open getattr execute map };
#line 22
#line 22
# Suppress (but do not grant) the noise from probing services that the
# deny-list above excludes.
dontaudit traceur_app service_manager_type:service_manager find;
dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
dontaudit traceur_app domain:binder call;
#line 1 "system/sepolicy/public/ueventd.te"
# ueventd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type ueventd, domain;
type ueventd_tmpfs, file_type;
# Write to /dev/kmsg.
allow ueventd kmsg_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# NOTE(review): a broad capability set (dac_override, dac_read_search, sys_rawio,
# mknod, setuid/setgid, net_admin, ...). It is needed for creating device nodes
# and the uevent netlink socket, but it makes ueventd a high-value domain; the
# neverallow rules at the end of this file are what bound it.
allow ueventd self:{ capability cap_userns } { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
allow ueventd device:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
#line 12
allow ueventd rootfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow ueventd rootfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 12
# ueventd needs write access to files in /sys to regenerate uevents
# Note this is write on the whole sysfs_type attribute, not a single sysfs type.
allow ueventd sysfs_type:file { open append write lock map };
#line 16
allow ueventd sysfs_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 16
allow ueventd sysfs_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 16
allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
allow ueventd tmpfs:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Create/relabel/remove device nodes under /dev. Note blk_file gets no
# read/write here; the neverallow at the end of the file enforces that.
allow ueventd dev_type:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow ueventd dev_type:lnk_file { create unlink };
allow ueventd dev_type:chr_file { getattr create setattr unlink };
allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
allow ueventd self:netlink_kobject_uevent_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow ueventd efs_file:dir search;
allow ueventd efs_file:file { getattr open read ioctl lock map watch watch_reads };
# Get SELinux enforcing status.
#line 29
allow ueventd selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 29
allow ueventd selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 29
# Access for /vendor/ueventd.rc and /vendor/firmware
#line 32
allow ueventd { vendor_file_type -vendor_app_file -vendor_overlay_file }:dir { open getattr read search ioctl lock watch watch_reads };
#line 32
allow ueventd { vendor_file_type -vendor_app_file -vendor_overlay_file }:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 32
# Access for /apex/*/firmware
allow ueventd apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads };
# Get file contexts for new device nodes
allow ueventd file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;
# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
allow ueventd proc_cmdline:file { getattr open read ioctl lock map watch watch_reads };
allow ueventd proc_bootconfig:file { getattr open read ioctl lock map watch watch_reads };
# Everything is labeled as rootfs in recovery mode. ueventd has to execute
# the dynamic linker and shared libraries.
#line 51
# Suppress denials for ueventd to getattr /postinstall. This occurs when the
# linker tries to resolve paths in ld.config.txt.
dontaudit ueventd postinstall_mnt_dir:dir getattr;
# ueventd loads modules in response to modalias events.
# module_load is granted on vendor_file only, so only vendor-partition module
# images can be loaded from this domain. The kernel:key search presumably
# serves module signature checks -- confirm.
allow ueventd self:{ capability cap_userns } sys_module;
allow ueventd vendor_file:system module_load;
allow ueventd kernel:key search;
# ueventd is using bootstrap bionic
#line 63
allow ueventd system_bootstrap_lib_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 63
allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
#line 63
# Allow ueventd to run shell scripts from vendor
# NOTE(review): execute without a domain transition on vendor shell scripts
# (constrained only by the execute_no_trans neverallow below, which excludes
# vendor_shell_exec only via this explicit grant).
allow ueventd vendor_shell_exec:file execute;
# Query device-mapper to extract name/uuid in response to uevents.
allow ueventd dm_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow ueventd self:capability sys_admin;
# Allow ueventd to read apexd property
#line 73
allow ueventd apexd_prop:file { getattr open read map };
#line 73
#####
##### neverallow rules
#####
# Restrict ueventd access on block devices to maintenance operations.
# ~{...} = every blk_file permission except the listed ones, i.e. no read/write.
neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
# Only relabelto as we would never want to relabelfrom port_device
neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };
# Nobody should be able to ptrace ueventd
neverallow * ueventd:process ptrace;
# ueventd should never execute a program without changing to another domain.
neverallow ueventd { file_type fs_type }:file execute_no_trans;
#line 1 "system/sepolicy/public/uncrypt.te"
# uncrypt
type uncrypt, domain, mlstrustedsubject;
type uncrypt_exec, system_file_type, exec_type, file_type;
allow uncrypt self:{ capability cap_userns } { dac_override dac_read_search };
#line 10
# Read /cache/recovery/command
# Read /cache/recovery/uncrypt_file
allow uncrypt cache_file:dir search;
allow uncrypt cache_recovery_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow uncrypt cache_recovery_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
allow uncrypt ota_package_file:dir { open getattr read search ioctl lock watch watch_reads };
allow uncrypt ota_package_file:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Write to /dev/socket/uncrypt
#line 23
allow uncrypt uncrypt_socket:sock_file write;
#line 23
allow uncrypt uncrypt:unix_stream_socket connectto;
#line 23
# Raw writes to block device
# NOTE(review): sys_rawio plus write on misc_block_device and
# userdata_block_device. The blk_file permission sets are write-only (no
# read/getattr), so the domain can overwrite but not inspect these partitions;
# treat any widening here as a review-worthy change.
allow uncrypt self:{ capability cap_userns } sys_rawio;
allow uncrypt misc_block_device:blk_file { open append write lock map };
allow uncrypt block_device:dir { open getattr read search ioctl lock watch watch_reads };
# Access userdata block device.
allow uncrypt userdata_block_device:blk_file { open append write lock map };
#line 33
allow uncrypt rootfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 33
allow uncrypt rootfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 33
# Access to bootconfig is needed when calling ReadDefaultFstab.
allow uncrypt { proc_bootconfig proc_cmdline }:file { getattr open read ioctl lock map watch watch_reads };
# Read files in /sys
#line 43
allow uncrypt sysfs_dt_firmware_android:dir { open getattr read search ioctl lock watch watch_reads };
#line 43
allow uncrypt sysfs_dt_firmware_android:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 43
# Allow ReadDefaultFstab().
#line 46
allow uncrypt { metadata_file gsi_metadata_file_type }:dir search;
#line 46
allow uncrypt gsi_public_metadata_file:file { getattr open read ioctl lock map watch watch_reads };
#line 46
# (duplicate of the proc_bootconfig/proc_cmdline rule above; harmless, both
# come from separate macro expansions)
allow uncrypt { proc_bootconfig proc_cmdline }:file { getattr open read ioctl lock map watch watch_reads };
#line 46
#line 1 "system/sepolicy/public/untrusted_app.te"
###
### Untrusted apps.
###
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
### directory). The untrusted_app domain is the default assignment in
### seapp_contexts for any app with UID between APP_AID (10000)
### and AID_ISOLATED_START (99000) if the app has no specific seinfo
### value as determined from mac_permissions.xml. In current AOSP, this
### domain is assigned to all non-system apps as well as to any system apps
### that are not signed by the platform key. To move
### a system app into a specific domain, add a signer entry for it to
### mac_permissions.xml and assign it one of the pre-existing seinfo values
### or define and use a new seinfo value in both mac_permissions.xml and
### seapp_contexts.
###
# Only the domain types are declared here; the per-targetSdkVersion rules
# live elsewhere. The split exists so that older target SDKs can keep legacy
# grants without loosening the current untrusted_app domain.
# This file defines the rules for untrusted apps running with
# targetSdkVersion >= 34.
type untrusted_app, domain;
# This file defines the rules for untrusted apps running with
# 31 < targetSdkVersion <= 33.
type untrusted_app_32, domain;
# This file defines the rules for untrusted apps running with
# 29 < targetSdkVersion <= 31.
type untrusted_app_30, domain;
# This file defines the rules for untrusted apps running with
# targetSdkVersion = 29.
type untrusted_app_29, domain;
# This file defines the rules for untrusted apps running with
# 25 < targetSdkVersion <= 28.
type untrusted_app_27, domain;
# This file defines the rules for untrusted apps running with
# targetSdkVersion <= 25.
type untrusted_app_25, domain;
#line 1 "system/sepolicy/public/update_engine.te"
# Domain for update_engine daemon.
type update_engine, domain, update_engine_common;
type update_engine_exec, system_file_type, exec_type, file_type;
#line 5
# update_engine is a network domain (it downloads payloads).
typeattribute update_engine netdomain;
#line 5
;
# Following permissions are needed for update_engine.
allow update_engine self:process { setsched };
# sys_admin is a wide capability; it is paired here with the mount rules in
# update_engine_common (postinstall mounts).
allow update_engine self:{ capability cap_userns } { fowner sys_admin };
# Note: fsetid checks are triggered when creating a file in a directory with
# the setgid bit set to determine if the file should inherit setgid. In this
# case, setgid on the file is undesirable so we should just suppress the
# denial.
dontaudit update_engine self:{ capability cap_userns } fsetid;
allow update_engine kmsg_device:chr_file { getattr { open append write lock map } };
allow update_engine update_engine_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 18
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 18
# deprecated.
#line 18
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 18
allow update_engine sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 18
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 18
allow update_engine self:{ capability2 cap2_userns } block_suspend;
#line 18
# system_suspend permissions
#line 18
#line 18
# Call the server domain and optionally transfer references to it.
#line 18 allow update_engine system_suspend_server:binder { call transfer }; #line 18 # Allow the serverdomain to transfer references to the client on the reply. #line 18 allow system_suspend_server update_engine:binder transfer; #line 18 # Receive and use open files from the server. #line 18 allow update_engine system_suspend_server:fd use; #line 18 #line 18 allow update_engine system_suspend_hwservice:hwservice_manager find; #line 18 # halclientdomain permissions #line 18 #line 18 # Call the hwservicemanager and transfer references to it. #line 18 allow update_engine hwservicemanager:binder { call transfer }; #line 18 # Allow hwservicemanager to send out callbacks #line 18 allow hwservicemanager update_engine:binder { call transfer }; #line 18 # hwservicemanager performs getpidcon on clients. #line 18 allow hwservicemanager update_engine:dir search; #line 18 allow hwservicemanager update_engine:file { read open map }; #line 18 allow hwservicemanager update_engine:process getattr; #line 18 # rw access to /dev/hwbinder and /dev/ashmem is presently granted to #line 18 # all domains in domain.te. #line 18 #line 18 #line 18 allow update_engine hwservicemanager_prop:file { getattr open read map }; #line 18 #line 18 allow update_engine hidl_manager_hwservice:hwservice_manager find; #line 18 # AIDL suspend hal permissions #line 18 allow update_engine hal_system_suspend_service:service_manager find; #line 18 #line 18 # Call the servicemanager and transfer references to it. #line 18 allow update_engine servicemanager:binder { call transfer }; #line 18 # Allow servicemanager to send out callbacks #line 18 allow servicemanager update_engine:binder { call transfer }; #line 18 # servicemanager performs getpidcon on clients. 
#line 18 allow servicemanager update_engine:dir search; #line 18 allow servicemanager update_engine:file { read open }; #line 18 allow servicemanager update_engine:process getattr; #line 18 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 18 # all domains in domain.te. #line 18 #line 18 ; # Ignore these denials. dontaudit update_engine kernel:process setsched; dontaudit update_engine self:{ capability cap_userns } sys_rawio; # Allow using persistent storage in /data/misc/update_engine. allow update_engine update_engine_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow update_engine update_engine_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Allow using persistent storage in /data/misc/update_engine_log. allow update_engine update_engine_log_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow update_engine update_engine_log_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Register the service to perform Binder IPC. #line 33 # Call the servicemanager and transfer references to it. #line 33 allow update_engine servicemanager:binder { call transfer }; #line 33 # Allow servicemanager to send out callbacks #line 33 allow servicemanager update_engine:binder { call transfer }; #line 33 # servicemanager performs getpidcon on clients. #line 33 allow servicemanager update_engine:dir search; #line 33 allow servicemanager update_engine:file { read open }; #line 33 allow servicemanager update_engine:process getattr; #line 33 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 33 # all domains in domain.te. 
#line 33 #line 34 allow update_engine update_engine_service:service_manager { add find }; #line 34 neverallow { domain -update_engine } update_engine_service:service_manager add; #line 34 #line 34 # On debug builds with root, allow binder services to use binder over TCP. #line 34 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 34 #line 34 #line 35 allow update_engine update_engine_stable_service:service_manager { add find }; #line 35 neverallow { domain -update_engine } update_engine_stable_service:service_manager add; #line 35 #line 35 # On debug builds with root, allow binder services to use binder over TCP. #line 35 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 35 #line 35 # Allow update_engine to call the callback function provided by priv_app/GMS core. #line 38 # Call the server domain and optionally transfer references to it. #line 38 allow update_engine priv_app:binder { call transfer }; #line 38 # Allow the serverdomain to transfer references to the client on the reply. #line 38 allow priv_app update_engine:binder transfer; #line 38 # Receive and use open files from the server. #line 38 allow update_engine priv_app:fd use; #line 38 # b/142672293: No other priv-app should need this rule now that GMS core runs in its own domain. #line 44 #line 46 # Call the server domain and optionally transfer references to it. #line 46 allow update_engine gmscore_app:binder { call transfer }; #line 46 # Allow the serverdomain to transfer references to the client on the reply. #line 46 allow gmscore_app update_engine:binder transfer; #line 46 # Receive and use open files from the server. #line 46 allow update_engine gmscore_app:fd use; #line 46 # Allow update_engine to call the callback function provided by system_server. #line 49 # Call the server domain and optionally transfer references to it. 
#line 49 allow update_engine system_server:binder { call transfer }; #line 49 # Allow the serverdomain to transfer references to the client on the reply. #line 49 allow system_server update_engine:binder transfer; #line 49 # Receive and use open files from the server. #line 49 allow update_engine system_server:fd use; #line 49 # Read OTA zip file at /data/ota_package/. allow update_engine ota_package_file:file { getattr open read ioctl lock map watch watch_reads }; allow update_engine ota_package_file:dir { open getattr read search ioctl lock watch watch_reads }; # Use Boot Control HAL #line 56 typeattribute update_engine halclientdomain; #line 56 typeattribute update_engine hal_bootctl_client; #line 56 #line 56 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 56 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 56 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 56 #line 56 typeattribute update_engine hal_bootctl; #line 56 # Find passthrough HAL implementations #line 56 allow hal_bootctl system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 56 allow hal_bootctl vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 56 allow hal_bootctl vendor_file:file { read open getattr execute map }; #line 56 #line 56 # access /proc/misc allow update_engine proc_misc:file { getattr open read ioctl lock map watch watch_reads }; # read directories on /system and /vendor allow update_engine system_file:dir { open getattr read search ioctl lock watch watch_reads }; # Allow ReadDefaultFstab(). # update_engine tries to determine the parent path for all devices (e.g. # /dev/block/by-name) by reading the default fstab and looking for the misc # device. 
#line 68
allow update_engine { metadata_file gsi_metadata_file_type }:dir search;
#line 68
allow update_engine gsi_public_metadata_file:file { getattr open read ioctl lock map watch watch_reads };
#line 68
allow update_engine { proc_bootconfig proc_cmdline }:file { getattr open read ioctl lock map watch watch_reads };
#line 68
# Allow to write to snapshotctl_log logs.
# TODO(b/148818798) revert when parent bug is fixed.
#line 75
# Allow determining filesystems available on system.
# Needed for checking if overlayfs is enabled
allow update_engine proc_filesystems:file { getattr open read ioctl lock map watch watch_reads };
#line 1 "system/sepolicy/public/update_engine_common.te"
# update_engine payload application permissions. These are shared between the
# background daemon and the recovery tool to sideload an update.
# Allow update_engine to reach block devices in /dev/block.
allow update_engine_common block_device:dir search;
# Allow read/write on system and boot partitions.
# These are the only raw-partition write grants in this file besides
# misc_block_device, dm_device and super_block_device_type below.
allow update_engine_common boot_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow update_engine_common system_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Where ioctls are granted via standard allow rules to block devices,
# automatically allow common ioctls that are generally needed by
# update_engine.
# allowxperm only narrows an existing `ioctl` grant; it does not add one. The
# values are, in order: BLKDISCARD, BLKDISCARDZEROES, BLKROGET, BLKROSET,
# BLKSECDISCARD, BLKZEROOUT (linux/fs.h). Any other ioctl on a blk_file is
# denied even where the base rule allows `ioctl`.
allowxperm update_engine_common dev_type:blk_file ioctl { 0x00001277 0x0000127c 0x0000125e 0x0000125d 0x0000127d 0x0000127f };
# Allow to set recovery options in the BCB. Used to trigger factory reset when
# the update to an older version (channel change) or incompatible version
# requires it.
allow update_engine_common misc_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# read fstab
allow update_engine_common rootfs:dir getattr;
allow update_engine_common rootfs:file { getattr open read ioctl lock map watch watch_reads };
# Allow update_engine_common to mount on the /postinstall directory and reset the
# labels on the mounted filesystem to postinstall_file.
allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
# Allow update_engine_common to read and execute postinstall_file.
# execute_no_trans: the postinstall program may run in the caller's own
# domain. A transition into the separate `postinstall` domain (signalled
# below) is not defined in this file — presumably elsewhere; confirm.
allow update_engine_common postinstall_file:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow update_engine_common postinstall_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
allow update_engine_common postinstall_file:dir { open getattr read search ioctl lock watch watch_reads };
# install update.zip from cache
#line 44
allow update_engine_common cache_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 44
allow update_engine_common cache_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 44
# A postinstall program is typically a shell script (with a #!), so we allow
# to execute those.
allow update_engine_common shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow update_engine_common to suspend, resume and kill the postinstall program.
allow update_engine_common postinstall:process { signal sigstop sigkill };
# access /proc/cmdline
allow update_engine_common proc_cmdline:file { getattr open read ioctl lock map watch watch_reads };
# Read files in /sys/firmware/devicetree/base/firmware/android/
#line 57
allow update_engine_common sysfs_dt_firmware_android:dir { open getattr read search ioctl lock watch watch_reads };
#line 57
allow update_engine_common sysfs_dt_firmware_android:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 57
# Needed because libdm reads sysfs to validate when a dm path is ready.
#line 60
allow update_engine_common sysfs_dm:dir { open getattr read search ioctl lock watch watch_reads };
#line 60
allow update_engine_common sysfs_dm:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 60
# Scan files in /sys/fs/ext4 and /sys/fs/f2fs for device-mapper diagnostics.
allow update_engine_common sysfs:dir { open getattr read search ioctl lock watch watch_reads };
allow update_engine_common sysfs_fs_f2fs:dir { open getattr read search ioctl lock watch watch_reads };
# read / write on /dev/device-mapper to map / unmap devices
allow update_engine_common dm_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# apply / verify updates on devices mapped via device mapper
allow update_engine_common dm_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# read /dev/dm-user, so that we can inotify wait for control devices to be
# asynchronously created by ueventd.
# NOTE(review): the subject of these two rules is update_engine, not
# update_engine_common like the rest of this shared file — confirm the
# recovery-side sideload user named in the header does not also need /dev/dm-user.
allow update_engine dm_user_device:dir { open getattr read search ioctl lock watch watch_reads };
allow update_engine dm_user_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# read / write metadata on super device to resize partitions
allow update_engine_common super_block_device_type:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# ioctl on super device to get block device alignment and alignment offset
# BLKIOMIN and BLKALIGNOFF respectively (linux/fs.h); this filter replaces the
# dev_type-wide list above for super_block_device_type.
allowxperm update_engine_common super_block_device_type:blk_file ioctl { 0x00001278 0x0000127a };
# get physical block device to map logical partitions on device mapper
allow update_engine_common block_device:dir { open getattr read search ioctl lock watch watch_reads };
# Allow update_engine_common to write to statsd socket.
#line 87
allow update_engine_common statsdw_socket:sock_file write;
#line 87
allow update_engine_common statsd:unix_dgram_socket sendto;
#line 87
# Allow to read Virtual A/B feature flags.
#line 90
allow update_engine_common virtual_ab_prop:file { getattr open read map };
#line 90
# Allow to read GKI related flags.
#line 93
allow update_engine_common ab_update_gki_prop:file { getattr open read map };
#line 93
#line 94
allow update_engine_common build_bootimage_prop:file { getattr open read map };
#line 94
# Allow to read/write/create OTA metadata files for snapshot status and COW file status.
allow update_engine_common metadata_file:dir search;
# Full create/write on ota_metadata_file: this is the one /metadata type the
# updater may modify; vendor_init's relabel rules elsewhere exclude it.
allow update_engine_common ota_metadata_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow update_engine_common ota_metadata_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
#line 1 "system/sepolicy/public/update_verifier.te"
# update_verifier
type update_verifier, domain;
type update_verifier_exec, system_file_type, exec_type, file_type;
# Allow update_verifier to reach block devices in /dev/block.
allow update_verifier block_device:dir search;
# Read care map in /data/ota_package/.
allow update_verifier ota_package_file:dir { open getattr read search ioctl lock watch watch_reads };
allow update_verifier ota_package_file:file { getattr open read ioctl lock map watch watch_reads };
# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
allow update_verifier sysfs:dir { open getattr read search ioctl lock watch watch_reads };
# Read /sys/block/dm-X/dm/name (which is a symlink to
# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
# dm-X and system/vendor partitions.
allow update_verifier sysfs_dm:dir { open getattr read search ioctl lock watch watch_reads };
allow update_verifier sysfs_dm:file { getattr open read ioctl lock map watch watch_reads };
# Read all blocks in DM wrapped system partition.
# Read-only by design: no write permission on any block device in this domain.
allow update_verifier dm_device:blk_file { getattr open read ioctl lock map watch watch_reads };
# Write to kernel message.
allow update_verifier kmsg_device:chr_file { getattr { open append write lock map } };
# Use Boot Control HAL
#line 28
typeattribute update_verifier halclientdomain;
#line 28
typeattribute update_verifier hal_bootctl_client;
#line 28
#line 28
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 28
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 28
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 28
#line 28
typeattribute update_verifier hal_bootctl;
#line 28
# Find passthrough HAL implementations
# The three hal_bootctl rules below repeat the ones emitted for update_engine;
# duplicate allow rules on the same attribute simply union, so this is harmless.
#line 28
allow hal_bootctl system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 28
allow hal_bootctl vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 28
allow hal_bootctl vendor_file:file { read open getattr execute map };
#line 28
#line 28
# Access Checkpoint commands over binder
allow update_verifier vold_service:service_manager find;
#line 32
# Call the server domain and optionally transfer references to it.
#line 32
allow update_verifier servicemanager:binder { call transfer };
#line 32
# Allow the serverdomain to transfer references to the client on the reply.
#line 32
allow servicemanager update_verifier:binder transfer;
#line 32
# Receive and use open files from the server.
#line 32
allow update_verifier servicemanager:fd use;
#line 32
#line 33
# Call the server domain and optionally transfer references to it.
#line 33
allow update_verifier vold:binder { call transfer };
#line 33
# Allow the serverdomain to transfer references to the client on the reply.
#line 33
allow vold update_verifier:binder transfer;
#line 33
# Receive and use open files from the server.
#line 33
allow update_verifier vold:fd use;
#line 33
#line 1 "system/sepolicy/public/usbd.te"
type usbd, domain;
type usbd_exec, system_file_type, exec_type, file_type;
#line 4
# Call the server domain and optionally transfer references to it.
#line 4
allow usbd servicemanager:binder { call transfer };
#line 4
# Allow the serverdomain to transfer references to the client on the reply.
#line 4
allow servicemanager usbd:binder transfer;
#line 4
# Receive and use open files from the server.
#line 4
allow usbd servicemanager:fd use;
#line 4
#line 1 "system/sepolicy/public/userdata_sysdev.te"
allow userdata_sysdev sysfs:filesystem associate;
#line 1 "system/sepolicy/public/vdc.te"
# vdc is a helper program for making Binder calls to vold. It is spawned from
# init for various reasons, such as initializing file-based encryption and
# metadata encryption, and managing userdata checkpointing.
#
# We also transition into this domain from dumpstate, when
# collecting bug reports.
type vdc, domain;
type vdc_exec, system_file_type, exec_type, file_type;
# vdc can be invoked with logwrapper, so let it write to pty
allow vdc devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# vdc writes directly to kmsg during the boot process
allow vdc kmsg_device:chr_file { getattr { open append write lock map } };
# vdc talks to vold over Binder
# Unlike the servicemanager stanzas for update_verifier and usbd above, this
# one grants servicemanager `call` back into vdc (callbacks) and lets it read
# vdc's /proc entry (getpidcon).
#line 18
# Call the servicemanager and transfer references to it.
#line 18
allow vdc servicemanager:binder { call transfer };
#line 18
# Allow servicemanager to send out callbacks
#line 18
allow servicemanager vdc:binder { call transfer };
#line 18
# servicemanager performs getpidcon on clients.
#line 18
allow servicemanager vdc:dir search;
#line 18
allow servicemanager vdc:file { read open };
#line 18
allow servicemanager vdc:process getattr;
#line 18
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 18
# all domains in domain.te.
#line 18
#line 19
# Call the server domain and optionally transfer references to it.
#line 19
allow vdc vold:binder { call transfer };
#line 19
# Allow the serverdomain to transfer references to the client on the reply.
#line 19
allow vold vdc:binder transfer;
#line 19
# Receive and use open files from the server.
#line 19
allow vdc vold:fd use;
#line 19
allow vdc vold_service:service_manager find;
#line 1 "system/sepolicy/public/vendor_init.te"
# vendor_init is its own domain.
type vendor_init, domain, mlstrustedsubject;
# Communication to the main init process
allow vendor_init init:unix_stream_socket { read write };
# Logging to kmsg
allow vendor_init kmsg_device:chr_file { open getattr write };
# Mount on /dev/usb-ffs/adb.
allow vendor_init device:dir mounton;
# Create and remove symlinks in /.
allow vendor_init rootfs:lnk_file { create unlink };
# Create cgroups mount points in tmpfs and mount cgroups on them.
allow vendor_init cgroup:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow vendor_init cgroup:file { open append write lock map };
allow vendor_init cgroup_v2:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow vendor_init cgroup_v2:file { open append write lock map };
# /config
allow vendor_init configfs:dir mounton;
allow vendor_init configfs:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow vendor_init configfs:{ file lnk_file } { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Create directories under /dev/cpuctl after chowning it to system.
# `{ capability cap_userns }` grants the capability both in the init user
# namespace and in non-init user namespaces.
allow vendor_init self:{ capability cap_userns } { dac_override dac_read_search };
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
# system/core/init.rc requires at least cache_file and data_file_type.
# init..rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow vendor_init self:{ capability cap_userns } { chown fowner fsetid };
# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
allow vendor_init unencrypted_data_file:dir search;
allow vendor_init unencrypted_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Set encryption policy on dirs in /data
# 0x400c6615 / 0x800c6613 are FS_IOC_GET_ENCRYPTION_POLICY and
# FS_IOC_SET_ENCRYPTION_POLICY (linux/fscrypt.h); no other dir ioctl is allowed
# on data_file_type.
allowxperm vendor_init data_file_type:dir ioctl { 0x400c6615 0x800c6613 };
allow vendor_init system_data_file:dir getattr;
# Broad file-management grants, scoped by exclusion: everything that is a
# system/vendor image, an executable, a BPF fs, or a protected /metadata type
# is carved out. NOTE(review): the exclusion lists of the dir, file,
# sock_file/fifo_file, lnk_file and relabelto rules below are not identical
# (e.g. -mnt_product_file only on dir/relabelto, -runtime_event_log_tags_file
# and -apex_info_file only on file, -apex_mnt_dir only on lnk_file) — treat each
# list as deliberate and confirm before editing any one of them.
allow vendor_init {
  file_type
  -bpffs_type
  -core_data_file_type
  -exec_type
  -system_dlkm_file_type
  -system_file_type
  -mnt_product_file
  -password_slot_metadata_file
  -ota_metadata_file
  -unlabeled
  -vendor_file_type
  -vold_metadata_file
  -gsi_metadata_file_type
  -apex_metadata_file
  -userspace_reboot_metadata_file
  -aconfig_storage_metadata_file
  -aconfig_storage_flags_metadata_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
# unlabeled objects may only be inspected and relabelled away from, never
# created or written.
allow vendor_init unlabeled:{ dir { file lnk_file sock_file fifo_file } } { getattr relabelfrom };
allow vendor_init {
  file_type
  -bpffs_type
  -core_data_file_type
  -exec_type
  -password_slot_metadata_file
  -ota_metadata_file
  -runtime_event_log_tags_file
  -system_dlkm_file_type
  -system_file_type
  -unlabeled
  -vendor_file_type
  -vold_metadata_file
  -gsi_metadata_file_type
  -apex_metadata_file
  -apex_info_file
  -userspace_reboot_metadata_file
  -aconfig_storage_metadata_file
  -aconfig_storage_flags_metadata_file
  # BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 90
  -debugfs_type
#line 90
  # END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 90
}:file { create getattr open read write setattr relabelfrom unlink map };
allow vendor_init {
  file_type
  -bpffs_type
  -core_data_file_type
  -exec_type
  -password_slot_metadata_file
  -ota_metadata_file
  -system_dlkm_file_type
  -system_file_type
  -unlabeled
  -vendor_file_type
  -vold_metadata_file
  -gsi_metadata_file_type
  -apex_metadata_file
  -userspace_reboot_metadata_file
  -aconfig_storage_metadata_file
  -aconfig_storage_flags_metadata_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow vendor_init {
  file_type
  -apex_mnt_dir
  -bpffs_type
  -core_data_file_type
  -exec_type
  -password_slot_metadata_file
  -ota_metadata_file
  -system_dlkm_file_type
  -system_file_type
  -unlabeled
  -vendor_file_type
  -vold_metadata_file
  -gsi_metadata_file_type
  -apex_metadata_file
  -userspace_reboot_metadata_file
  -aconfig_storage_metadata_file
  -aconfig_storage_flags_metadata_file
}:lnk_file { create getattr setattr relabelfrom unlink };
# relabelto targets: note this list has no -unlabeled entry, unlike the
# relabelfrom rules above.
allow vendor_init {
  file_type
  -bpffs_type
  -core_data_file_type
  -exec_type
  -mnt_product_file
  -password_slot_metadata_file
  -ota_metadata_file
  -system_dlkm_file_type
  -system_file_type
  -vendor_file_type
  -vold_metadata_file
  -gsi_metadata_file_type
  -apex_metadata_file
  -userspace_reboot_metadata_file
  -aconfig_storage_metadata_file
  -aconfig_storage_flags_metadata_file
}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;
allow vendor_init dev_type:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow vendor_init dev_type:lnk_file create;
# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
allow vendor_init debugfs_tracing:file { open append write lock map };
# chown/chmod on pseudo files.
allow vendor_init {
  fs_type
  -bpffs_type
  -contextmount_type
  -keychord_device
  -sdcard_type
  -fusefs_type
  -rootfs
  -proc_uid_time_in_state
  -proc_uid_concurrent_active_time
  -proc_uid_concurrent_policy_time
  # BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 169
  -debugfs_type
#line 169
  # END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 169
}:file { open read setattr map };
allow vendor_init tracefs_type:file { open read setattr map };
allow vendor_init {
  fs_type
  -bpffs_type
  -contextmount_type
  -sdcard_type
  -fusefs_type
  -rootfs
  -proc_uid_time_in_state
  -proc_uid_concurrent_active_time
  -proc_uid_concurrent_policy_time
}:dir { open read setattr search };
allow vendor_init dev_type:blk_file getattr;
# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
#line 189
allow vendor_init proc_net_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 189
allow vendor_init proc_net_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 189
allow vendor_init proc_net_type:file { open append write lock map };
allow vendor_init self:{ capability cap_userns } net_admin;
# Write to /proc/sys/vm/page-cluster
allow vendor_init proc_page_cluster:file { open append write lock map };
# Write to sysfs nodes.
allow vendor_init sysfs_type:dir { open getattr read search ioctl lock watch watch_reads };
allow vendor_init sysfs_type:lnk_file read;
# NOTE(review): keep the -sysfs_usermodehelper carve-out — it is the only
# sysfs type vendor_init cannot write, presumably so the kernel's usermode
# helper path cannot be repointed from an init.rc; do not widen this rule.
allow vendor_init { sysfs_type -sysfs_usermodehelper }:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# setfscreatecon() for labeling directories and socket files.
allow vendor_init self:process { setfscreate };
#line 204
allow vendor_init vendor_file_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 204
allow vendor_init vendor_file_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 204
# Vendor init can read properties
allow vendor_init serialno_prop:file { getattr open read map };
# Vendor init can perform operations on trusted and security Extended Attributes
# sys_admin is a wide capability; the stated purpose is xattr handling only.
allow vendor_init self:{ capability cap_userns } sys_admin;
# Raw writes to misc block device
# Write-only (no read in the set): the BCB/misc partition can be written but
# not read back from this domain.
allow vendor_init misc_block_device:blk_file { open append write lock map };
# vendor_init is using bootstrap bionic
#line 216
allow vendor_init system_bootstrap_lib_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 216
allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
#line 216
# allow filesystem tuning
allow vendor_init userdata_sysdev:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Everything is labeled as rootfs in recovery mode. Vendor init has to execute
# the dynamic linker and shared libraries.
#line 225 #line 227 #line 227 #line 227 allow vendor_init property_socket:sock_file write; #line 227 allow vendor_init init:unix_stream_socket connectto; #line 227 #line 227 allow vendor_init { #line 227 property_type #line 227 -system_internal_property_type #line 227 -system_restricted_property_type #line 227 }:property_service set; #line 227 #line 227 allow vendor_init { #line 227 property_type #line 227 -system_internal_property_type #line 227 -system_restricted_property_type #line 227 }:file { getattr open read map }; #line 227 #line 227 #line 233 # Get file context allow vendor_init file_contexts_file:file { getattr open read ioctl lock map watch watch_reads }; # Allow vendor_init to (re)set nice allow vendor_init self:capability sys_nice; #line 241 #line 241 allow vendor_init property_socket:sock_file write; #line 241 allow vendor_init init:unix_stream_socket connectto; #line 241 #line 241 allow vendor_init apk_verity_prop:property_service set; #line 241 #line 241 allow vendor_init apk_verity_prop:file { getattr open read map }; #line 241 #line 241 #line 242 #line 242 allow vendor_init property_socket:sock_file write; #line 242 allow vendor_init init:unix_stream_socket connectto; #line 242 #line 242 allow vendor_init bluetooth_a2dp_offload_prop:property_service set; #line 242 #line 242 allow vendor_init bluetooth_a2dp_offload_prop:file { getattr open read map }; #line 242 #line 242 #line 243 #line 243 allow vendor_init property_socket:sock_file write; #line 243 allow vendor_init init:unix_stream_socket connectto; #line 243 #line 243 allow vendor_init bluetooth_audio_hal_prop:property_service set; #line 243 #line 243 allow vendor_init bluetooth_audio_hal_prop:file { getattr open read map }; #line 243 #line 243 #line 244 #line 244 allow vendor_init property_socket:sock_file write; #line 244 allow vendor_init init:unix_stream_socket connectto; #line 244 #line 244 allow vendor_init bluetooth_config_prop:property_service set; #line 244 #line 244 allow vendor_init 
bluetooth_config_prop:file { getattr open read map }; #line 244 #line 244 #line 245 #line 245 allow vendor_init property_socket:sock_file write; #line 245 allow vendor_init init:unix_stream_socket connectto; #line 245 #line 245 allow vendor_init camera2_extensions_prop:property_service set; #line 245 #line 245 allow vendor_init camera2_extensions_prop:file { getattr open read map }; #line 245 #line 245 #line 246 #line 246 allow vendor_init property_socket:sock_file write; #line 246 allow vendor_init init:unix_stream_socket connectto; #line 246 #line 246 allow vendor_init camerax_extensions_prop:property_service set; #line 246 #line 246 allow vendor_init camerax_extensions_prop:file { getattr open read map }; #line 246 #line 246 #line 247 #line 247 allow vendor_init property_socket:sock_file write; #line 247 allow vendor_init init:unix_stream_socket connectto; #line 247 #line 247 allow vendor_init cpu_variant_prop:property_service set; #line 247 #line 247 allow vendor_init cpu_variant_prop:file { getattr open read map }; #line 247 #line 247 #line 248 #line 248 allow vendor_init property_socket:sock_file write; #line 248 allow vendor_init init:unix_stream_socket connectto; #line 248 #line 248 allow vendor_init dalvik_config_prop:property_service set; #line 248 #line 248 allow vendor_init dalvik_config_prop:file { getattr open read map }; #line 248 #line 248 #line 249 #line 249 allow vendor_init property_socket:sock_file write; #line 249 allow vendor_init init:unix_stream_socket connectto; #line 249 #line 249 allow vendor_init dalvik_dynamic_config_prop:property_service set; #line 249 #line 249 allow vendor_init dalvik_dynamic_config_prop:file { getattr open read map }; #line 249 #line 249 #line 250 #line 250 allow vendor_init property_socket:sock_file write; #line 250 allow vendor_init init:unix_stream_socket connectto; #line 250 #line 250 allow vendor_init dalvik_runtime_prop:property_service set; #line 250 #line 250 allow vendor_init dalvik_runtime_prop:file { 
getattr open read map }; #line 250 #line 250 #line 251 #line 251 allow vendor_init property_socket:sock_file write; #line 251 allow vendor_init init:unix_stream_socket connectto; #line 251 #line 251 allow vendor_init debug_prop:property_service set; #line 251 #line 251 allow vendor_init debug_prop:file { getattr open read map }; #line 251 #line 251 #line 252 #line 252 allow vendor_init property_socket:sock_file write; #line 252 allow vendor_init init:unix_stream_socket connectto; #line 252 #line 252 allow vendor_init exported_bluetooth_prop:property_service set; #line 252 #line 252 allow vendor_init exported_bluetooth_prop:file { getattr open read map }; #line 252 #line 252 #line 253 #line 253 allow vendor_init property_socket:sock_file write; #line 253 allow vendor_init init:unix_stream_socket connectto; #line 253 #line 253 allow vendor_init exported_camera_prop:property_service set; #line 253 #line 253 allow vendor_init exported_camera_prop:file { getattr open read map }; #line 253 #line 253 #line 254 #line 254 allow vendor_init property_socket:sock_file write; #line 254 allow vendor_init init:unix_stream_socket connectto; #line 254 #line 254 allow vendor_init exported_config_prop:property_service set; #line 254 #line 254 allow vendor_init exported_config_prop:file { getattr open read map }; #line 254 #line 254 #line 255 #line 255 allow vendor_init property_socket:sock_file write; #line 255 allow vendor_init init:unix_stream_socket connectto; #line 255 #line 255 allow vendor_init exported_default_prop:property_service set; #line 255 #line 255 allow vendor_init exported_default_prop:file { getattr open read map }; #line 255 #line 255 #line 256 #line 256 allow vendor_init property_socket:sock_file write; #line 256 allow vendor_init init:unix_stream_socket connectto; #line 256 #line 256 allow vendor_init exported_overlay_prop:property_service set; #line 256 #line 256 allow vendor_init exported_overlay_prop:file { getattr open read map }; #line 256 #line 256 #line 
257 #line 257 allow vendor_init property_socket:sock_file write; #line 257 allow vendor_init init:unix_stream_socket connectto; #line 257 #line 257 allow vendor_init exported_pm_prop:property_service set; #line 257 #line 257 allow vendor_init exported_pm_prop:file { getattr open read map }; #line 257 #line 257 #line 258 #line 258 allow vendor_init property_socket:sock_file write; #line 258 allow vendor_init init:unix_stream_socket connectto; #line 258 #line 258 allow vendor_init ffs_control_prop:property_service set; #line 258 #line 258 allow vendor_init ffs_control_prop:file { getattr open read map }; #line 258 #line 258 #line 259 #line 259 allow vendor_init property_socket:sock_file write; #line 259 allow vendor_init init:unix_stream_socket connectto; #line 259 #line 259 allow vendor_init hw_timeout_multiplier_prop:property_service set; #line 259 #line 259 allow vendor_init hw_timeout_multiplier_prop:file { getattr open read map }; #line 259 #line 259 #line 260 #line 260 allow vendor_init property_socket:sock_file write; #line 260 allow vendor_init init:unix_stream_socket connectto; #line 260 #line 260 allow vendor_init incremental_prop:property_service set; #line 260 #line 260 allow vendor_init incremental_prop:file { getattr open read map }; #line 260 #line 260 #line 261 #line 261 allow vendor_init property_socket:sock_file write; #line 261 allow vendor_init init:unix_stream_socket connectto; #line 261 #line 261 allow vendor_init lmkd_prop:property_service set; #line 261 #line 261 allow vendor_init lmkd_prop:file { getattr open read map }; #line 261 #line 261 #line 262 #line 262 allow vendor_init property_socket:sock_file write; #line 262 allow vendor_init init:unix_stream_socket connectto; #line 262 #line 262 allow vendor_init logd_prop:property_service set; #line 262 #line 262 allow vendor_init logd_prop:file { getattr open read map }; #line 262 #line 262 #line 263 #line 263 allow vendor_init property_socket:sock_file write; #line 263 allow vendor_init 
init:unix_stream_socket connectto; #line 263 #line 263 allow vendor_init log_tag_prop:property_service set; #line 263 #line 263 allow vendor_init log_tag_prop:file { getattr open read map }; #line 263 #line 263 #line 264 #line 264 allow vendor_init property_socket:sock_file write; #line 264 allow vendor_init init:unix_stream_socket connectto; #line 264 #line 264 allow vendor_init log_prop:property_service set; #line 264 #line 264 allow vendor_init log_prop:file { getattr open read map }; #line 264 #line 264 #line 265 #line 265 allow vendor_init property_socket:sock_file write; #line 265 allow vendor_init init:unix_stream_socket connectto; #line 265 #line 265 allow vendor_init graphics_config_writable_prop:property_service set; #line 265 #line 265 allow vendor_init graphics_config_writable_prop:file { getattr open read map }; #line 265 #line 265 #line 266 #line 266 allow vendor_init property_socket:sock_file write; #line 266 allow vendor_init init:unix_stream_socket connectto; #line 266 #line 266 allow vendor_init qemu_hw_prop:property_service set; #line 266 #line 266 allow vendor_init qemu_hw_prop:file { getattr open read map }; #line 266 #line 266 #line 267 #line 267 allow vendor_init property_socket:sock_file write; #line 267 allow vendor_init init:unix_stream_socket connectto; #line 267 #line 267 allow vendor_init radio_control_prop:property_service set; #line 267 #line 267 allow vendor_init radio_control_prop:file { getattr open read map }; #line 267 #line 267 #line 268 #line 268 allow vendor_init property_socket:sock_file write; #line 268 allow vendor_init init:unix_stream_socket connectto; #line 268 #line 268 allow vendor_init rebootescrow_hal_prop:property_service set; #line 268 #line 268 allow vendor_init rebootescrow_hal_prop:file { getattr open read map }; #line 268 #line 268 #line 269 #line 269 allow vendor_init property_socket:sock_file write; #line 269 allow vendor_init init:unix_stream_socket connectto; #line 269 #line 269 allow vendor_init 
serialno_prop:property_service set; #line 269 #line 269 allow vendor_init serialno_prop:file { getattr open read map }; #line 269 #line 269 #line 270 #line 270 allow vendor_init property_socket:sock_file write; #line 270 allow vendor_init init:unix_stream_socket connectto; #line 270 #line 270 allow vendor_init soc_prop:property_service set; #line 270 #line 270 allow vendor_init soc_prop:file { getattr open read map }; #line 270 #line 270 #line 271 #line 271 allow vendor_init property_socket:sock_file write; #line 271 allow vendor_init init:unix_stream_socket connectto; #line 271 #line 271 allow vendor_init surfaceflinger_color_prop:property_service set; #line 271 #line 271 allow vendor_init surfaceflinger_color_prop:file { getattr open read map }; #line 271 #line 271 #line 272 #line 272 allow vendor_init property_socket:sock_file write; #line 272 allow vendor_init init:unix_stream_socket connectto; #line 272 #line 272 allow vendor_init usb_control_prop:property_service set; #line 272 #line 272 allow vendor_init usb_control_prop:file { getattr open read map }; #line 272 #line 272 #line 273 #line 273 allow vendor_init property_socket:sock_file write; #line 273 allow vendor_init init:unix_stream_socket connectto; #line 273 #line 273 allow vendor_init userspace_reboot_config_prop:property_service set; #line 273 #line 273 allow vendor_init userspace_reboot_config_prop:file { getattr open read map }; #line 273 #line 273 #line 274 #line 274 allow vendor_init property_socket:sock_file write; #line 274 allow vendor_init init:unix_stream_socket connectto; #line 274 #line 274 allow vendor_init vehicle_hal_prop:property_service set; #line 274 #line 274 allow vendor_init vehicle_hal_prop:file { getattr open read map }; #line 274 #line 274 #line 275 #line 275 allow vendor_init property_socket:sock_file write; #line 275 allow vendor_init init:unix_stream_socket connectto; #line 275 #line 275 allow vendor_init vendor_default_prop:property_service set; #line 275 #line 275 allow 
vendor_init vendor_default_prop:file { getattr open read map }; #line 275 #line 275 #line 276 #line 276 allow vendor_init property_socket:sock_file write; #line 276 allow vendor_init init:unix_stream_socket connectto; #line 276 #line 276 allow vendor_init keystore_config_prop:property_service set; #line 276 #line 276 allow vendor_init keystore_config_prop:file { getattr open read map }; #line 276 #line 276 #line 277 #line 277 allow vendor_init property_socket:sock_file write; #line 277 allow vendor_init init:unix_stream_socket connectto; #line 277 #line 277 allow vendor_init vendor_security_patch_level_prop:property_service set; #line 277 #line 277 allow vendor_init vendor_security_patch_level_prop:file { getattr open read map }; #line 277 #line 277 #line 278 #line 278 allow vendor_init property_socket:sock_file write; #line 278 allow vendor_init init:unix_stream_socket connectto; #line 278 #line 278 allow vendor_init vndk_prop:property_service set; #line 278 #line 278 allow vendor_init vndk_prop:file { getattr open read map }; #line 278 #line 278 #line 279 #line 279 allow vendor_init property_socket:sock_file write; #line 279 allow vendor_init init:unix_stream_socket connectto; #line 279 #line 279 allow vendor_init virtual_ab_prop:property_service set; #line 279 #line 279 allow vendor_init virtual_ab_prop:file { getattr open read map }; #line 279 #line 279 #line 280 #line 280 allow vendor_init property_socket:sock_file write; #line 280 allow vendor_init init:unix_stream_socket connectto; #line 280 #line 280 allow vendor_init vold_post_fs_data_prop:property_service set; #line 280 #line 280 allow vendor_init vold_post_fs_data_prop:file { getattr open read map }; #line 280 #line 280 #line 281 #line 281 allow vendor_init property_socket:sock_file write; #line 281 allow vendor_init init:unix_stream_socket connectto; #line 281 #line 281 allow vendor_init wifi_hal_prop:property_service set; #line 281 #line 281 allow vendor_init wifi_hal_prop:file { getattr open read map 
}; #line 281 #line 281 #line 282 #line 282 allow vendor_init property_socket:sock_file write; #line 282 allow vendor_init init:unix_stream_socket connectto; #line 282 #line 282 allow vendor_init wifi_log_prop:property_service set; #line 282 #line 282 allow vendor_init wifi_log_prop:file { getattr open read map }; #line 282 #line 282 #line 283 #line 283 allow vendor_init property_socket:sock_file write; #line 283 allow vendor_init init:unix_stream_socket connectto; #line 283 #line 283 allow vendor_init zram_control_prop:property_service set; #line 283 #line 283 allow vendor_init zram_control_prop:file { getattr open read map }; #line 283 #line 283 #line 285 allow vendor_init boot_status_prop:file { getattr open read map }; #line 285 #line 286 allow vendor_init exported3_system_prop:file { getattr open read map }; #line 286 #line 287 allow vendor_init ota_prop:file { getattr open read map }; #line 287 #line 288 allow vendor_init power_debug_prop:file { getattr open read map }; #line 288 #line 289 allow vendor_init provisioned_prop:file { getattr open read map }; #line 289 #line 290 allow vendor_init retaildemo_prop:file { getattr open read map }; #line 290 #line 291 allow vendor_init surfaceflinger_display_prop:file { getattr open read map }; #line 291 #line 292 allow vendor_init test_harness_prop:file { getattr open read map }; #line 292 #line 293 allow vendor_init theme_prop:file { getattr open read map }; #line 293 #line 294 #line 294 allow vendor_init property_socket:sock_file write; #line 294 allow vendor_init init:unix_stream_socket connectto; #line 294 #line 294 allow vendor_init dck_prop:property_service set; #line 294 #line 294 allow vendor_init dck_prop:file { getattr open read map }; #line 294 #line 294 # Allow vendor_init to read vendor_system_native device config changes #line 297 allow vendor_init device_config_vendor_system_native_prop:file { getattr open read map }; #line 297 #line 298 allow vendor_init 
device_config_vendor_system_native_boot_prop:file { getattr open read map }; #line 298 ### ### neverallow rules ### # Vendor init shouldn't communicate with any vendor process, nor most system processes. #line 305 neverallow vendor_init { #line 305 domain -init -logd -prng_seeder -su -vendor_init }:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } { connect sendto }; #line 305 neverallow vendor_init { #line 305 domain -init -logd -prng_seeder -su -vendor_init }:unix_stream_socket connectto; ; # The vendor_init domain is only entered via an exec based transition from the # init domain, never via setcon(). neverallow domain vendor_init:process dyntransition; neverallow { domain -init } vendor_init:process transition; neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint; # Never read/follow symlinks created by shell or untrusted apps. 
neverallow vendor_init app_data_file_type:lnk_file read; neverallow vendor_init shell_data_file:lnk_file read; # Init should not be creating subdirectories in /data/local/tmp neverallow vendor_init shell_data_file:dir { write add_name remove_name }; # init should never execute a program without changing to another domain. neverallow vendor_init { file_type fs_type }:file execute_no_trans; # Init never adds or uses services via service_manager. neverallow vendor_init service_manager_type:service_manager { add find }; neverallow vendor_init servicemanager:service_manager list; # vendor_init should never be ptraced neverallow * vendor_init:process ptrace; #line 1 "system/sepolicy/public/vendor_misc_writer.te" # vendor_misc_writer type vendor_misc_writer, domain; type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type; # Raw writes to misc_block_device allow vendor_misc_writer misc_block_device:blk_file { open append write lock map }; allow vendor_misc_writer block_device:dir { open getattr read search ioctl lock watch watch_reads }; # Silence the denial when calling libfstab's ReadDefaultFstab, which tries to # load DT fstab. dontaudit vendor_misc_writer proc_cmdline:file { getattr open read ioctl lock map watch watch_reads }; dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search; dontaudit vendor_misc_writer proc_bootconfig:file { getattr open read ioctl lock map watch watch_reads }; # Allow ReadDefaultFstab(). 
#line 16 allow vendor_misc_writer { metadata_file gsi_metadata_file_type }:dir search; #line 16 allow vendor_misc_writer gsi_public_metadata_file:file { getattr open read ioctl lock map watch watch_reads }; #line 16 allow vendor_misc_writer { proc_bootconfig proc_cmdline }:file { getattr open read ioctl lock map watch watch_reads }; #line 16 #line 1 "system/sepolicy/public/vendor_modprobe.te" type vendor_modprobe, domain; #line 1 "system/sepolicy/public/vendor_shell.te" type vendor_shell, domain; type vendor_shell_exec, exec_type, vendor_file_type, file_type; allow vendor_shell vendor_shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } }; allow vendor_shell vendor_toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } }; # Use fd from shell when vendor_shell is started from shell allow vendor_shell shell:fd use; # adbd: allow `adb shell /vendor/bin/sh` and `adb shell` then `/vendor/bin/sh` allow vendor_shell adbd:fd use; allow vendor_shell adbd:process sigchld; allow vendor_shell adbd:unix_stream_socket { getattr ioctl read write }; allow vendor_shell devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow vendor_shell tty_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow vendor_shell console_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow vendor_shell input_device:dir { open getattr read search ioctl lock watch watch_reads }; allow vendor_shell input_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; #line 1 "system/sepolicy/public/vendor_toolbox.te" # Toolbox installation for vendor binaries / scripts # Non-vendor processes are not allowed to execute the binary, # and it is always executed without a domain transition. 
type vendor_toolbox_exec, exec_type, vendor_file_type, file_type; # Do not allow domains to transition to vendor toolbox # or read, execute the vendor_toolbox file. # BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 8 #line 8 # Do not allow non-vendor domains to transition #line 8 # to vendor toolbox except for the allowlisted domains. #line 8 neverallow { #line 8 coredomain #line 8 -init #line 8 -modprobe #line 8 } vendor_toolbox_exec:file { entrypoint execute execute_no_trans }; #line 8 #line 8 # END_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 16 #line 1 "system/sepolicy/public/virtual_touchpad.te" type virtual_touchpad, domain; type virtual_touchpad_exec, system_file_type, exec_type, file_type; #line 4 # Call the servicemanager and transfer references to it. #line 4 allow virtual_touchpad servicemanager:binder { call transfer }; #line 4 # Allow servicemanager to send out callbacks #line 4 allow servicemanager virtual_touchpad:binder { call transfer }; #line 4 # servicemanager performs getpidcon on clients. #line 4 allow servicemanager virtual_touchpad:dir search; #line 4 allow servicemanager virtual_touchpad:file { read open }; #line 4 allow servicemanager virtual_touchpad:process getattr; #line 4 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 4 # all domains in domain.te. #line 4 #line 5 typeattribute virtual_touchpad binderservicedomain; #line 5 #line 6 allow virtual_touchpad virtual_touchpad_service:service_manager { add find }; #line 6 neverallow { domain -virtual_touchpad } virtual_touchpad_service:service_manager add; #line 6 #line 6 # On debug builds with root, allow binder services to use binder over TCP. #line 6 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 6 #line 6 # Needed to check app permissions. #line 9 # Call the server domain and optionally transfer references to it. 
#line 9 allow virtual_touchpad system_server:binder { call transfer }; #line 9 # Allow the serverdomain to transfer references to the client on the reply. #line 9 allow system_server virtual_touchpad:binder transfer; #line 9 # Receive and use open files from the server. #line 9 allow virtual_touchpad system_server:fd use; #line 9 # Requires access to /dev/uinput to create and feed the virtual device. allow virtual_touchpad uhid_device:chr_file { { open append write lock map } ioctl }; # Requires access to the permission service to validate that clients have the # appropriate VR permissions. allow virtual_touchpad permission_service:service_manager find; #line 1 "system/sepolicy/public/vndservice.te" type service_manager_vndservice, vndservice_manager_type; type default_android_vndservice, vndservice_manager_type; #line 1 "system/sepolicy/public/vndservicemanager.te" # vndservicemanager - the Binder context manager for vendor processes type vndservicemanager, domain; #line 1 "system/sepolicy/public/vold.te" # volume manager type vold, domain; type vold_exec, exec_type, file_type, system_file_type; # Read already opened /cache files. allow vold cache_file:dir { open getattr read search ioctl lock watch watch_reads }; allow vold cache_file:file { getattr read }; allow vold cache_file:lnk_file { getattr open read ioctl lock map watch watch_reads }; #line 10 allow vold { sysfs_type -sysfs_batteryinfo }:dir { open getattr read search ioctl lock watch watch_reads }; #line 10 allow vold { sysfs_type -sysfs_batteryinfo }:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 10 # XXX Label sysfs files with a specific type? allow vold { sysfs # writing to /sys/*/uevent during coldboot. sysfs_devices_block sysfs_dm sysfs_loop # writing to /sys/block/loop*/uevent during coldboot. 
sysfs_usb sysfs_zram_uevent sysfs_fs_f2fs }:file { open append write lock map }; #line 22 allow vold rootfs:dir { open getattr read search ioctl lock watch watch_reads }; #line 22 allow vold rootfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 22 #line 23 allow vold metadata_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 23 allow vold metadata_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 23 allow vold { proc # b/67049235 processes' /proc/<pid>/* files are mislabeled. proc_bootconfig proc_cmdline proc_drop_caches proc_filesystems proc_meminfo proc_mounts }:file { getattr open read ioctl lock map watch watch_reads }; # Get file contexts allow vold file_contexts_file:file { getattr open read ioctl lock map watch watch_reads }; # Allow us to jump into execution domains of above tools allow vold self:process setexec; # For formatting adoptable storage devices allow vold e2fs_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } }; # Run fstrim on mounted partitions # allowxperm still requires the ioctl permission for the individual type allowxperm vold { fs_type file_type }:dir ioctl 0xc0185879; # Get/set file-based encryption policies on dirs in /data and adoptable storage, # and add/remove file-based encryption keys. allowxperm vold data_file_type:dir ioctl { 0x400c6615 0x800c6613 0xc0506617 0xc0406618 0xc080661a }; # Only vold and init should ever set file-based encryption policies. neverallowxperm { domain -vold -init -vendor_init } data_file_type:dir ioctl { 0x800c6613 }; # Only vold should ever add/remove file-based encryption keys. neverallowxperm { domain -vold } data_file_type:dir ioctl { 0xc0506617 0xc0406618 0xc080661a }; # Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is # tried first. Otherwise, FS_IOC_FIEMAP is needed to get the # location of the file's blocks on the raw block device to erase. 
allowxperm vold { vold_data_file vold_metadata_file }:file ioctl { 0xf514 0xc020660b }; typeattribute vold mlstrustedsubject; allow vold self:process setfscreate; allow vold system_file:file { getattr execute execute_no_trans map }; allow vold vendor_file:file { getattr execute execute_no_trans map }; allow vold block_device:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow vold device:dir write; allow vold devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow vold rootfs:dir mounton; allow vold { sdcard_type fuse }:dir mounton; # TODO: deprecated in M allow vold { sdcard_type fuse }:filesystem { mount remount unmount }; # TODO: deprecated in M # Manage locations where storage is mounted allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Access to storage that backs emulated FUSE daemons for migration optimization allow vold media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow vold media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Allow mounting (lower filesystem) on parts of media for performance allow vold media_rw_data_file:dir mounton; # Allow setting project quota IDs and enabling project ID inheritance on # /data/media/$userId/* and /mnt/expand/$volume/media/$userId/* allowxperm vold media_rw_data_file:{ dir file 
} ioctl { 0x801c581f 0x401c5820 0x80086601 0x40086602 }; # Allow mounting of storage devices allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr }; # Manage per-user primary symlinks allow vold mnt_user_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } mounton }; allow vold mnt_user_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow vold mnt_user_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Manage per-user pass_through primary symlinks allow vold mnt_pass_through_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } mounton }; allow vold mnt_pass_through_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Allow to create and mount expanded storage allow vold mnt_expand_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } mounton }; allow vold apk_data_file:dir { create getattr setattr }; allow vold shell_data_file:dir { create getattr setattr }; allow vold system_userdir_file:dir { create getattr setattr }; allow vold media_userdir_file:dir { create getattr setattr open read ioctl }; # Needed to set the casefold flag on /mnt/expand/$volume/media allowxperm vold media_userdir_file:dir ioctl { 0x80086601 0x40086602 }; # Allow to mount incremental file system on /data/incremental and create files allow vold apk_data_file:dir { mounton { { open getattr read search ioctl lock watch watch_reads } { open search write add_name 
remove_name lock } } }; # Allow to create and write files in /data/incremental allow vold apk_data_file:file { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } unlink }; # Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files allow vold apk_tmp_file:dir { mounton { open getattr read search ioctl lock watch watch_reads } }; # Allow to read incremental control file and call selinux restorecon on it allow vold incremental_control_file:file { { getattr open read ioctl lock map watch watch_reads } relabelto }; allow vold tmpfs:filesystem { mount unmount }; allow vold tmpfs:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow vold tmpfs:dir mounton; allow vold self:{ capability cap_userns } { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid }; allow vold self:netlink_kobject_uevent_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } }; allow vold loop_control_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow vold loop_device:blk_file { create setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allowxperm vold loop_device:blk_file ioctl { 0x00004c01 0x00004c82 0x00004c05 0x00004c00 0x00004c04 }; allow vold vold_device:blk_file { create setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allowxperm vold vold_device:blk_file ioctl { 0x00001277 0x00001260 }; allow vold dm_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow vold dm_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allowxperm vold dm_device:blk_file ioctl { 0x00001277 
0x0000127d 0xc0101282 0x40101283 }; # For vold Process::killProcessesWithOpenFiles function. allow vold domain:dir { open getattr read search ioctl lock watch watch_reads }; allow vold domain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; allow vold domain:process { signal sigkill }; allow vold self:{ capability cap_userns } { sys_ptrace kill }; allow vold kmsg_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # Run fsck in the fsck domain. allow vold fsck_exec:file { { getattr open read ioctl lock map watch watch_reads } execute }; # Log fsck results allow vold fscklogs:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; allow vold fscklogs:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Mount and unmount filesystems. allow vold labeledfs:filesystem { mount unmount remount }; # Create and mount on /data/tmp_mnt and management of expansion mounts # # Also rename per-user encrypted directories such as /data/user/10 from their # temporary name ("10.new") to their final name ("10"). 
allow vold { system_data_file system_data_root_file }:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } mounton }; allow vold system_data_file:lnk_file getattr; # Vold create users in /data/vendor_{ce,de}/[0-9]+ allow vold vendor_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; # for secdiscard allow vold system_data_file:file read; # Set scheduling policy of kernel processes allow vold kernel:process setsched; # ASEC allow vold asec_image_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow vold asec_image_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; allow vold asec_apk_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } mounton relabelfrom relabelto }; allow vold asec_public_file:dir { relabelto setattr }; allow vold asec_apk_file:file { { getattr open read ioctl lock map watch watch_reads } setattr relabelfrom relabelto }; allow vold asec_public_file:file { relabelto setattr }; # restorecon files in asec containers created on 4.2 or earlier. 
allow vold unlabeled:dir { { open getattr read search ioctl lock watch watch_reads } setattr relabelfrom }; allow vold unlabeled:file { { getattr open read ioctl lock map watch watch_reads } setattr relabelfrom }; # Access to FUSE control filesystem to hard-abort FUSE mounts allow vold fusectlfs:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow vold fusectlfs:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; # Allow vold to use wake locks. Needed for idle maintenance and moving storage. #line 214 # TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is #line 214 # deprecated. #line 214 # Access /sys/power/wake_lock and /sys/power/wake_unlock #line 214 allow vold sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; #line 214 # Accessing these files requires CAP_BLOCK_SUSPEND #line 214 allow vold self:{ capability2 cap2_userns } block_suspend; #line 214 # system_suspend permissions #line 214 #line 214 # Call the server domain and optionally transfer references to it. #line 214 allow vold system_suspend_server:binder { call transfer }; #line 214 # Allow the serverdomain to transfer references to the client on the reply. #line 214 allow system_suspend_server vold:binder transfer; #line 214 # Receive and use open files from the server. #line 214 allow vold system_suspend_server:fd use; #line 214 #line 214 allow vold system_suspend_hwservice:hwservice_manager find; #line 214 # halclientdomain permissions #line 214 #line 214 # Call the hwservicemanager and transfer references to it. #line 214 allow vold hwservicemanager:binder { call transfer }; #line 214 # Allow hwservicemanager to send out callbacks #line 214 allow hwservicemanager vold:binder { call transfer }; #line 214 # hwservicemanager performs getpidcon on clients. 
#line 214 allow hwservicemanager vold:dir search; #line 214 allow hwservicemanager vold:file { read open map }; #line 214 allow hwservicemanager vold:process getattr; #line 214 # rw access to /dev/hwbinder and /dev/ashmem is presently granted to #line 214 # all domains in domain.te. #line 214 #line 214 #line 214 allow vold hwservicemanager_prop:file { getattr open read map }; #line 214 #line 214 allow vold hidl_manager_hwservice:hwservice_manager find; #line 214 # AIDL suspend hal permissions #line 214 allow vold hal_system_suspend_service:service_manager find; #line 214 #line 214 # Call the servicemanager and transfer references to it. #line 214 allow vold servicemanager:binder { call transfer }; #line 214 # Allow servicemanager to send out callbacks #line 214 allow servicemanager vold:binder { call transfer }; #line 214 # servicemanager performs getpidcon on clients. #line 214 allow servicemanager vold:dir search; #line 214 allow servicemanager vold:file { read open }; #line 214 allow servicemanager vold:process getattr; #line 214 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 214 # all domains in domain.te. #line 214 #line 214 # Allow vold to publish a binder service and make binder calls. #line 217 # Call the servicemanager and transfer references to it. #line 217 allow vold servicemanager:binder { call transfer }; #line 217 # Allow servicemanager to send out callbacks #line 217 allow servicemanager vold:binder { call transfer }; #line 217 # servicemanager performs getpidcon on clients. #line 217 allow servicemanager vold:dir search; #line 217 allow servicemanager vold:file { read open }; #line 217 allow servicemanager vold:process getattr; #line 217 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 217 # all domains in domain.te. 
#line 217 #line 218 allow vold vold_service:service_manager { add find }; #line 218 neverallow { domain -vold } vold_service:service_manager add; #line 218 #line 218 # On debug builds with root, allow binder services to use binder over TCP. #line 218 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 218 #line 218 # Allow vold to call into the system server so it can check permissions. #line 221 # Call the server domain and optionally transfer references to it. #line 221 allow vold system_server:binder { call transfer }; #line 221 # Allow the serverdomain to transfer references to the client on the reply. #line 221 allow system_server vold:binder transfer; #line 221 # Receive and use open files from the server. #line 221 allow vold system_server:fd use; #line 221 allow vold permission_service:service_manager find; # talk to health storage HAL #line 225 typeattribute vold halclientdomain; #line 225 typeattribute vold hal_health_storage_client; #line 225 #line 225 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 225 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 225 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). 
#line 225 #line 225 typeattribute vold hal_health_storage; #line 225 # Find passthrough HAL implementations #line 225 allow hal_health_storage system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 225 allow hal_health_storage vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 225 allow hal_health_storage vendor_file:file { read open getattr execute map }; #line 225 #line 225 # talk to bootloader HAL # BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 228 #line 228 typeattribute vold halclientdomain; #line 228 typeattribute vold hal_bootctl_client; #line 228 #line 228 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 228 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 228 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 228 #line 228 typeattribute vold hal_bootctl; #line 228 # Find passthrough HAL implementations #line 228 allow hal_bootctl system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 228 allow hal_bootctl vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 228 allow hal_bootctl vendor_file:file { read open getattr execute map }; #line 228 #line 228 #line 228 # END_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 228 # Access userdata block device. allow vold userdata_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allowxperm vold userdata_block_device:blk_file ioctl 0x0000127d; # Access zoned block device. allow vold zoned_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # Access metadata block device used for encryption meta-data. 
allow vold metadata_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allowxperm vold metadata_block_device:blk_file ioctl 0x0000127d; # Allow vold to manipulate /data/unencrypted allow vold unencrypted_data_file:{ file } { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow vold unencrypted_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; # Write to /proc/sys/vm/drop_caches allow vold proc_drop_caches:file { open append write lock map }; # Give vold a place where only vold can store files; everyone else is off limits allow vold vold_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow vold vold_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # And a similar place in the metadata partition allow vold vold_metadata_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow vold vold_metadata_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # linux keyring configuration allow vold init:key { write search setattr }; allow vold vold:key { write search setattr }; # vold temporarily changes its priority when running benchmarks allow vold self:{ capability cap_userns } sys_nice; # vold needs to chroot into app namespaces to remount when runtime permissions change allow vold self:{ capability cap_userns } sys_chroot; allow vold storage_file:dir mounton; # For AppFuse. 
allow vold fuse_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow vold fuse:filesystem { relabelfrom }; allow vold app_fusefs:filesystem { relabelfrom relabelto }; allow vold app_fusefs:filesystem { mount unmount }; allow vold app_fuse_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; allow vold app_fuse_file:file { read write open getattr append }; # MoveStorage.cpp executes cp and rm allow vold toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } }; # Prepare profile dir for users. allow vold { user_profile_data_file user_profile_root_file }:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; # Raw writes to misc block device allow vold misc_block_device:blk_file { open append write lock map }; # vold might need to search or mount /mnt/vendor/* allow vold mnt_vendor_file:dir search; dontaudit vold self:{ capability cap_userns } sys_resource; # Allow ReadDefaultFstab(). 
# The "#line N" directives are preprocessor location markers pointing back
# at the original .te source lines; they carry no policy meaning.
#line 290
allow vold { metadata_file gsi_metadata_file_type }:dir search;
#line 290
allow vold gsi_public_metadata_file:file { getattr open read ioctl lock map watch watch_reads };
#line 290
allow vold { proc_bootconfig proc_cmdline }:file { getattr open read ioctl lock map watch watch_reads };
#line 290
# vold might need to search loopback apex files
allow vold vendor_apex_file:file { getattr open read ioctl lock map watch watch_reads };
#
# Neverallow assertions protecting vold's private storage.
#
# Every domain except vold and vold_prepare_subdirs (so including init) is
# capped at the listed directory permissions on vold_data_file ...
neverallow { domain -vold -vold_prepare_subdirs } vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };
# ... and every domain except init, vold and vold_prepare_subdirs gets no
# directory access at all.  Combined, init is limited to the set above.
neverallow { domain -init -vold -vold_prepare_subdirs } vold_data_file:dir *;
neverallow { domain -init -vold } vold_metadata_file:dir *;
# File-like objects inside those directories: other domains may at most
# relabel into the type and stat them; "~{ ... }" means every permission
# except the listed ones.
neverallow { domain -kernel -vold -vold_prepare_subdirs } vold_data_file:{ file lnk_file sock_file fifo_file } ~{ relabelto getattr };
neverallow { domain -init -vold -vold_prepare_subdirs } vold_metadata_file:{ file lnk_file sock_file fifo_file } ~{ relabelto getattr };
neverallow { domain -init -kernel -vold -vold_prepare_subdirs } { vold_data_file vold_metadata_file }:{ file lnk_file sock_file fifo_file } *;
# Only vold and init may set the restorecon property.
neverallow { domain -vold -init } restorecon_prop:property_service set;
# vold may only issue binder calls to the listed server domains.
neverallow vold { domain -hal_health_storage_server -hal_keymaster_server -system_suspend_server -hal_bootctl_server -hwservicemanager -keystore -servicemanager -system_server }:binder call;
# fsck must never run inside the vold domain; any allow rule for it has to
# go through a domain transition.
neverallow vold fsck_exec:file execute_no_trans;
# Only init may enter the vold domain, and never via dynamic transition.
neverallow { domain -init } vold:process { transition dyntransition };
# vold may not ptrace any process and gets no raw IP socket access.
neverallow vold *:process ptrace;
neverallow vold *:rawip_socket *;
#line 1 "system/sepolicy/public/vold_prepare_subdirs.te"
# SELinux directory creation and labelling for vold-managed directories
# Type declarations only; the vold_prepare_subdirs domain is one of the two
# domains exempted from the vold_data_file neverallow rules above.
type vold_prepare_subdirs, domain;
type vold_prepare_subdirs_exec, system_file_type, exec_type, file_type;
typeattribute vold_prepare_subdirs coredomain;
#line 1 "system/sepolicy/public/watchdogd.te"
# watchdogd seclabel is specified in init..rc (the board-specific init .rc file)
type watchdogd, domain;
type
watchdogd_exec, system_file_type, exec_type, file_type;
# Read/write access to the hardware watchdog and to the kernel log device.
allow watchdogd watchdog_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow watchdogd kmsg_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 1 "system/sepolicy/public/webview_zygote.te"
# webview_zygote is an auxiliary zygote process that is used to spawn
# isolated_app processes for rendering untrusted web content.
# Type declarations only in this excerpt; no allow rules for webview_zygote
# appear here.
type webview_zygote, domain;
type webview_zygote_exec, exec_type, file_type;
type webview_zygote_tmpfs, file_type;
#line 1 "system/sepolicy/public/wificond.te"
# wificond
type wificond, domain;
type wificond_exec, system_file_type, exec_type, file_type;
# Binder access to servicemanager (presumably the binder_use() macro
# expansion -- the rules below are what it grants in both directions).
#line 5
# Call the servicemanager and transfer references to it.
#line 5
allow wificond servicemanager:binder { call transfer };
#line 5
# Allow servicemanager to send out callbacks
#line 5
allow servicemanager wificond:binder { call transfer };
#line 5
# servicemanager performs getpidcon on clients.
#line 5
allow servicemanager wificond:dir search;
#line 5
allow servicemanager wificond:file { read open };
#line 5
allow servicemanager wificond:process getattr;
#line 5
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 5
# all domains in domain.te.
#line 5
#line 6
# Call the server domain and optionally transfer references to it.
#line 6
allow wificond system_server:binder { call transfer };
#line 6
# Allow the serverdomain to transfer references to the client on the reply.
#line 6
allow system_server wificond:binder transfer;
#line 6
# Receive and use open files from the server.
#line 6
allow wificond system_server:fd use;
#line 6
#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow wificond keystore:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow keystore wificond:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow wificond keystore:fd use;
#line 7
#line 9
# wificond registers and looks up the nl80211 service; the neverallow keeps
# every other domain from registering (impersonating) that service.
allow wificond wifinl80211_service:service_manager { add find };
#line 9
neverallow { domain -wificond } wifinl80211_service:service_manager add;
#line 9
#line 9
# On debug builds with root, allow binder services to use binder over TCP.
#line 9
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 9
# (No rule follows the comment above in this build: the debug-only grant
# expanded to nothing here.)
#line 9
#line 10
typeattribute wificond halclientdomain;
#line 10
typeattribute wificond hal_nlinterceptor_client;
#line 10
#line 10
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 10
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 10
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 10
#line 10
# Passthrough mode: wificond itself carries the hal_nlinterceptor server
# attribute, so the three rules below apply to wificond as well.
typeattribute wificond hal_nlinterceptor;
#line 10
# Find passthrough HAL implementations
#line 10
allow hal_nlinterceptor system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 10
allow hal_nlinterceptor vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 10
allow hal_nlinterceptor vendor_file:file { read open getattr execute map };
#line 10
#line 10
# create sockets to set interfaces up and down
allow wificond self:udp_socket { create { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# setting interface state up/down is a privileged ioctl
# ioctl on the UDP socket is narrowed to the two listed requests
# (0x8914 = SIOCSIFFLAGS, 0x8924 = SIOCSIFHWADDR).
allowxperm wificond self:udp_socket ioctl { 0x00008914 0x00008924 };
# CAP_NET_ADMIN / CAP_NET_RAW are needed for the interface ioctls and the
# netlink traffic below.
allow wificond self:{ capability cap_userns } { net_admin net_raw };
# allow wificond to speak to nl80211 in the kernel
allow wificond self:netlink_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
allow wificond self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
#line 22
# Read-only access to the /proc/net tree.
allow wificond proc_net_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 22
allow wificond proc_net_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 22
# allow wificond to check permission for dumping logs
allow wificond permission_service:service_manager find;
# dumpstate support
allow wificond dumpstate:fd use;
allow wificond dumpstate:fifo_file write;
#### Offer the Wifi Keystore HwBinder service ###
# HwBinder access to hwservicemanager, mirroring the binder rules above.
#line 32
# Call the hwservicemanager and transfer references to it.
#line 32
allow wificond hwservicemanager:binder { call transfer };
#line 32
# Allow hwservicemanager to send out callbacks
#line 32
allow hwservicemanager wificond:binder { call transfer };
#line 32
# hwservicemanager performs getpidcon on clients.
#line 32
allow hwservicemanager wificond:dir search;
#line 32
allow hwservicemanager wificond:file { read open map };
#line 32
allow hwservicemanager wificond:process getattr;
#line 32
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 32
# all domains in domain.te.
#line 32
typeattribute wificond wifi_keystore_service_server;
#line 34
# Only wificond may register the wifi keystore hwservice (asserted by the
# neverallow below).
allow wificond system_wifi_keystore_hwservice:hwservice_manager { add find };
#line 34
allow wificond hidl_base_hwservice:hwservice_manager add;
#line 34
neverallow { domain -wificond } system_wifi_keystore_hwservice:hwservice_manager add;
#line 34
# Allow keystore2 binder access to serve the HwBinder service.
# keystore2: wificond may look up the keystore service and use keys of type
# wifi_key (get_info and use only; no key creation/deletion is granted here).
allow wificond keystore_service:service_manager find;
allow wificond wifi_key:keystore2_key { get_info use };
#line 1 "system/sepolicy/public/zygote.te"
# zygote
# Type declarations only in this excerpt.
type zygote, domain;
type zygote_tmpfs, file_type;
type zygote_exec, system_file_type, exec_type, file_type;
#line 1 "system/sepolicy/private/attributes"
# Lazy-HAL test attributes.  "expandattribute X true" lets the compiler
# expand the attribute into its member types; "false" keeps the attribute
# so it can still be referenced (e.g. by neverallow rules) after the build.
#line 1
attribute hal_lazy_test;
#line 1
expandattribute hal_lazy_test true;
#line 1
attribute hal_lazy_test_client;
#line 1
expandattribute hal_lazy_test_client true;
#line 1
attribute hal_lazy_test_server;
#line 1
expandattribute hal_lazy_test_server false;
#line 1
#line 1
# A lazy-HAL test server that is not a halserverdomain must never fork.
neverallow { hal_lazy_test_server -halserverdomain } domain:process fork;
#line 1
# hal_*_client and halclientdomain attributes are always expanded for
#line 1
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 1
# verified by CTS since these attributes are already expanded by that time.
#line 1
#line 1
# Stray empty statement left behind by the macro expansion; harmless.
;
# This is applied to apps on vendor images with SDK <=30 only,
# to exempt them from recent mls changes. It must not be applied
# to any domain on newer system or vendor image.
attribute mlsvendorcompat;
# Attributes for property types having both system_property_type
# and vendor_property_type. Such types are ill-formed because
# property owner attributes must be exclusive.
attribute system_and_vendor_property_type;
expandattribute system_and_vendor_property_type false;
# All SDK sandbox domains
attribute sdk_sandbox_all;
# The SDK sandbox domains for the current SDK level.
attribute sdk_sandbox_current;
#line 1 "system/sepolicy/private/aconfigd.te"
# aconfigd -- manager for aconfig flags
type aconfigd, domain;
type aconfigd_exec, exec_type, file_type, system_file_type;
typeattribute aconfigd coredomain;
# init -> aconfigd domain transition (presumably the domain_auto_trans()
# macro expansion; the rules it grants follow).
#line 7
#line 7
# Allow the necessary permissions.
#line 7
#line 7
# Old domain may exec the file and transition to the new domain.
#line 7
allow init aconfigd_exec:file { getattr open read execute map };
#line 7
allow init aconfigd:process transition;
#line 7
# New domain is entered by executing the file.
#line 7
allow aconfigd aconfigd_exec:file { entrypoint open read execute getattr map };
#line 7
# New domain can send SIGCHLD to its caller.
#line 7
# (No sigchld rule is emitted here for init as the caller; presumably
# covered by a global rule elsewhere -- confirm.)
#line 7
# Enable AT_SECURE, i.e. libc secure mode.
#line 7
# dontaudit, not allow: noatsecure stays denied (so AT_SECURE is set) and
# the denial is merely not logged.
dontaudit init aconfigd:process noatsecure;
#line 7
# XXX dontaudit candidate but requires further study.
#line 7
allow init aconfigd:process { siginh rlimitinh };
#line 7
#line 7
# Make the transition occur by default.
#line 7
type_transition init aconfigd_exec:process aconfigd;
#line 7
#line 7
# only init is allowed to enter the aconfigd domain
# Asserted for both the exec-based transition (init only) and dynamic
# transition (nobody at all).
neverallow { domain -init } aconfigd:process transition;
neverallow * aconfigd:process dyntransition;
# Full create/read/write/delete control over the aconfig storage metadata
# directories and files under /metadata.
allow aconfigd metadata_file:dir search;
allow aconfigd { aconfig_storage_metadata_file aconfig_storage_flags_metadata_file }:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow aconfigd { aconfig_storage_metadata_file aconfig_storage_flags_metadata_file }:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Read/write on the socket file (not create/unlink; the socket is created
# for aconfigd elsewhere, presumably by init -- confirm).
allow aconfigd aconfigd_socket:sock_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# allow aconfigd to log to the kernel.
# Write-only access to /dev/kmsg.
allow aconfigd kmsg_device:chr_file { open append write lock map };
# allow aconfigd to read system/system_ext/product partition storage files
allow aconfigd system_aconfig_storage_file:file { getattr open read ioctl lock map watch watch_reads };
allow aconfigd system_aconfig_storage_file:dir { open getattr read search ioctl lock watch watch_reads };
# allow aconfigd to read vendor partition storage files
allow aconfigd vendor_aconfig_storage_file:file { getattr open read ioctl lock map watch watch_reads };
allow aconfigd vendor_aconfig_storage_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 1 "system/sepolicy/private/adbd.te"
### ADB daemon
# The adbd domain itself (type adbd, domain) is declared in the public policy;
# this private file adds attributes and rules.
typeattribute adbd coredomain;
# mlstrustedsubject: the MLS constraints treat adbd as a trusted subject, so
# it can act across MLS levels (e.g. the per-user app data levels).
typeattribute adbd mlstrustedsubject;
# init -> adbd domain transition (presumably domain_auto_trans(); the rules
# it grants follow).
#line 6
#line 6
# Allow the necessary permissions.
#line 6
#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow init adbd_exec:file { getattr open read execute map };
#line 6
allow init adbd:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow adbd adbd_exec:file { entrypoint open read execute getattr map };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit init adbd:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow init adbd:process { siginh rlimitinh };
#line 6
#line 6
# Make the transition occur by default.
#line 6
type_transition init adbd_exec:process adbd;
#line 6
#line 6
# adbd -> shell domain transition when it executes the shell binary; this
# is the only exec transition out of adbd (see the neverallow rules at the
# end of this adbd.te section).
#line 8
# Allow the necessary permissions.
#line 8
#line 8
# Old domain may exec the file and transition to the new domain.
#line 8
allow adbd shell_exec:file { getattr open read execute map };
#line 8
allow adbd shell:process transition;
#line 8
# New domain is entered by executing the file.
#line 8
allow shell shell_exec:file { entrypoint open read execute getattr map };
#line 8
# New domain can send SIGCHLD to its caller.
#line 8
allow shell adbd:process sigchld;
#line 8
# Enable AT_SECURE, i.e. libc secure mode.
#line 8
# Note: the dontaudit here is overridden for adbd->shell by the explicit
# "allow adbd shell:process { noatsecure signal }" rule further down.
dontaudit adbd shell:process noatsecure;
#line 8
# XXX dontaudit candidate but requires further study.
#line 8
allow adbd shell:process { siginh rlimitinh };
#line 8
#line 8
# Make the transition occur by default.
#line 8
type_transition adbd shell_exec:process shell;
#line 8
#line 13
# When 'adb shell' is executed in recovery mode, adbd explicitly
# switches into shell domain using setcon() because the shell executable
# is not labeled as shell but as rootfs.
# (No rule follows in this build: the recovery-only grant expanded to
# nothing, consistent with the dyntransition neverallow at the end of this
# section.)
#line 24
# Control Perfetto traced and obtain traces from it.
# Needed to allow port forwarding directly to traced.
#line 28
allow adbd traced_consumer_socket:sock_file write;
#line 28
allow adbd traced:unix_stream_socket connectto;
#line 28
# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
allow adbd shell:process { noatsecure signal };
# Set UID and GID to shell. Set supplementary groups.
allow adbd self:{ capability cap_userns } { setuid setgid };
# Drop capabilities from bounding set on user builds.
allow adbd self:{ capability cap_userns } setpcap;
# ignore spurious denials for adbd when disk space is low.
dontaudit adbd self:{ capability cap_userns } sys_resource;
# adbd probes for vsock support. Do not generate denials when
# this occurs. (b/123569840)
dontaudit adbd self:{ socket vsock_socket } create;
# Allow adbd inside vm to forward vm's vsock.
# This grants create/listen/accept and the rest of the socket permission set
# on adbd's own vsock sockets (the dontaudit above only matters for the
# generic "socket" class).
allow adbd self:vsock_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } listen accept };
# Create and use network sockets.
#line 51
typeattribute adbd netdomain;
#line 51
# Connect to mdnsd via mdnsd socket.
#line 53
allow adbd mdnsd_socket:sock_file write;
#line 53
allow adbd mdnsd:unix_stream_socket connectto;
#line 53
# Access /dev/usb-ffs/adb/ep0
# ioctl on functionfs files is narrowed by the allowxperm rule to the two
# listed requests (they appear to be FUNCTIONFS_ENDPOINT_DESC and
# FUNCTIONFS_CLEAR_HALT -- confirm against linux/usb/functionfs.h).
allow adbd functionfs:dir search;
allow adbd functionfs:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allowxperm adbd functionfs:file ioctl { 0x80096782 0x00006703 };
# Use a pseudo tty.
allow adbd devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# adb push/pull /data/local/tmp.
# Full create/write/delete control over shell_data_file; the read-only
# grants that follow (traces, profman dumps) deliberately omit write perms.
allow adbd shell_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow adbd shell_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# adb pull /data/local/traces/*
allow adbd trace_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow adbd trace_data_file:file { getattr open read ioctl lock map watch watch_reads };
# adb pull /data/misc/profman.
allow adbd profman_dump_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow adbd profman_dump_data_file:file { getattr open read ioctl lock map watch watch_reads };
# adb push/pull sdcard.
allow adbd tmpfs:dir search;
allow adbd rootfs:lnk_file { getattr open read ioctl lock map watch watch_reads }; # /sdcard symlink
allow adbd tmpfs:lnk_file { getattr open read ioctl lock map watch watch_reads }; # /mnt/sdcard symlink
# Full read/write/delete control over external storage (sdcard_type and fuse).
allow adbd { sdcard_type fuse }:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow adbd { sdcard_type fuse }:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# adb pull /data/anr/traces.txt
# Read-only.
allow adbd anr_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow adbd anr_data_file:file { getattr open read ioctl lock map watch watch_reads };
# adb pull /vendor/framework/*
# Read-only.
allow adbd vendor_framework_file:dir { open getattr read search ioctl lock watch watch_reads };
allow adbd vendor_framework_file:file { getattr open read ioctl lock map watch watch_reads };
# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
# Property access.  Each "set" grant below is paired with the property
# socket / init connectto rules that the property service needs; the
# ":file { getattr open read map }" rules are the read side.  Note that
# sys.powerctl (powerctl_prop) lets adbd request reboot/shutdown.
#line 94
#line 94
allow adbd property_socket:sock_file write;
#line 94
allow adbd init:unix_stream_socket connectto;
#line 94
#line 94
allow adbd shell_prop:property_service set;
#line 94
#line 94
allow adbd shell_prop:file { getattr open read map };
#line 94
#line 94
#line 95
#line 95
allow adbd property_socket:sock_file write;
#line 95
allow adbd init:unix_stream_socket connectto;
#line 95
#line 95
allow adbd powerctl_prop:property_service set;
#line 95
#line 95
allow adbd powerctl_prop:file { getattr open read map };
#line 95
#line 95
#line 96
allow adbd ffs_config_prop:file { getattr open read map };
#line 96
#line 97
#line 97
allow adbd property_socket:sock_file write;
#line 97
allow adbd init:unix_stream_socket connectto;
#line 97
#line 97
allow adbd ffs_control_prop:property_service set;
#line 97
#line 97
allow adbd ffs_control_prop:file { getattr open read map };
#line 97
#line 97
# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
#line 100
#line 100
allow adbd property_socket:sock_file write;
#line 100
allow adbd init:unix_stream_socket connectto;
#line 100
#line 100
allow adbd adbd_prop:property_service set;
#line 100
#line 100
allow adbd adbd_prop:file { getattr open read map };
#line 100
#line 100
#line 101
#line 101
allow adbd property_socket:sock_file write;
#line 101
allow adbd init:unix_stream_socket connectto;
#line 101
#line 101
allow adbd adbd_config_prop:property_service set;
#line 101
#line 101
allow adbd adbd_config_prop:file { getattr open read map };
#line 101
#line 101
# Allow adbd start/stop mdnsd via ctl.start
#line 104
#line 104
allow adbd property_socket:sock_file write;
#line 104
allow adbd init:unix_stream_socket connectto;
#line 104
#line 104
allow adbd ctl_mdnsd_prop:property_service set;
#line 104
#line 104
allow adbd ctl_mdnsd_prop:file { getattr open read map };
#line 104
#line 104
# Access device logging gating property
# Read-only property access from here on.
#line 107
allow adbd device_logging_prop:file { getattr open read map };
#line 107
# Read device's serial number from system properties
#line 110
allow adbd serialno_prop:file { getattr open read map };
#line 110
# Read whether or not Test Harness Mode is enabled
#line 113
allow adbd test_harness_prop:file { getattr open read map };
#line 113
# Read persist.adb.tls_server.enable property
#line 116
allow adbd system_adbd_prop:file { getattr open read map };
#line 116
# Read device's overlayfs related properties and files
# (No rule follows in this build; the overlayfs grants expanded to nothing.)
#line 122
# Run /system/bin/bu
# Broader than the comment: execute_no_trans is granted on every file
# labeled system_file, so any such binary can run inside the adbd domain
# without a domain transition.
allow adbd system_file:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Perform binder IPC to surfaceflinger (screencap)
# XXX Run screencap in a separate domain?
#line 129
# Call the servicemanager and transfer references to it.
#line 129
allow adbd servicemanager:binder { call transfer };
#line 129
# Allow servicemanager to send out callbacks
#line 129
allow servicemanager adbd:binder { call transfer };
#line 129
# servicemanager performs getpidcon on clients.
#line 129
allow servicemanager adbd:dir search;
#line 129
allow servicemanager adbd:file { read open };
#line 129
allow servicemanager adbd:process getattr;
#line 129
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 129
# all domains in domain.te.
#line 129
#line 130
# Call the server domain and optionally transfer references to it.
#line 130
allow adbd surfaceflinger:binder { call transfer };
#line 130
# Allow the serverdomain to transfer references to the client on the reply.
#line 130
allow surfaceflinger adbd:binder transfer;
#line 130
# Receive and use open files from the server.
#line 130
allow adbd surfaceflinger:fd use;
#line 130
#line 131
# Call the server domain and optionally transfer references to it.
#line 131
allow adbd gpuservice:binder { call transfer };
#line 131
# Allow the serverdomain to transfer references to the client on the reply.
#line 131
allow gpuservice adbd:binder transfer;
#line 131
# Receive and use open files from the server.
#line 131
allow adbd gpuservice:fd use;
#line 131
# b/13188914
# Read/write access to the GPU and ION device nodes (used for screenshots).
allow adbd gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow adbd gpu_device:dir { open getattr read search ioctl lock watch watch_reads };
allow adbd ion_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 136
allow adbd system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 136
allow adbd system_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 136
# Needed for various screenshots
#line 139
typeattribute adbd halclientdomain;
#line 139
typeattribute adbd hal_graphics_allocator_client;
#line 139
#line 139
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 139
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 139
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 139
#line 139
# Passthrough mode: adbd also carries the hal_graphics_allocator server
# attribute, so the three rules below apply to adbd too.
typeattribute adbd hal_graphics_allocator;
#line 139
# Find passthrough HAL implementations
#line 139
allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 139
allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 139
allow hal_graphics_allocator vendor_file:file { read open getattr execute map };
#line 139
#line 139
# Read /data/misc/adb/adb_keys.
# Read-only: adbd can read the authorized adb key list but gets no write
# permission on it here.
allow adbd adb_keys_file:dir search;
allow adbd adb_keys_file:file { getattr open read ioctl lock map watch watch_reads };
#line 151
# ndk-gdb invokes adb forward to forward the gdbserver socket.
# adbd may write to socket files in any app's data directory and connect to
# unix stream sockets of any appdomain process.
allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto;
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file { getattr open read ioctl lock map watch watch_reads };
allow adbd system_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow pulling the SELinux policy for CTS purposes
# Read-only access to selinuxfs, the loaded kernel policy (read_policy) and
# the *_contexts / sepolicy files; no policy load or setenforce permission
# is granted here.
allow adbd selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
allow adbd selinuxfs:file { getattr open read ioctl lock map watch watch_reads };
allow adbd kernel:security read_policy;
allow adbd service_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
allow adbd file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
allow adbd seapp_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
allow adbd property_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
allow adbd sepolicy_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow pulling config.gz for CTS purposes
allow adbd config_gz:file { getattr open read ioctl lock map watch watch_reads };
# For CTS listening ports test.
allow adbd proc_net_tcp_udp:file { getattr open read ioctl lock map watch watch_reads };
allow adbd gpu_service:service_manager find;
allow adbd surfaceflinger_service:service_manager find;
allow adbd bootchart_data_file:dir search;
allow adbd bootchart_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
# Read/search only on the mount-point directories and symlinks themselves.
allow adbd storage_file:dir { open getattr read search ioctl lock watch watch_reads };
allow adbd storage_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
allow adbd mnt_user_file:dir { open getattr read search ioctl lock watch watch_reads };
allow adbd mnt_user_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
# Full create/write/delete control over the underlying /data/media tree.
allow adbd media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow adbd media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
#line 196
# Read-only on installed APKs and the root filesystem.
allow adbd apk_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 196
allow adbd apk_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 196
allow adbd rootfs:dir { open getattr read search ioctl lock watch watch_reads };
# Allow killing child "perfetto" binary processes, which auto-transition to
# their own domain. Allows propagating termination of "adb shell perfetto ..."
# invocations.
allow adbd perfetto:process signal;
# Allow to pull Perfetto traces.
# Read-only on traces ...
allow adbd perfetto_traces_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow adbd perfetto_traces_data_file:dir { open getattr read search ioctl lock watch watch_reads };
# Allow to push and manage configs in /data/misc/perfetto-configs.
# ... but read/write on the config directory (no create/rmdir of the
# directory itself) and full create/write/delete on the config files.
allow adbd perfetto_configs_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow adbd perfetto_configs_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Connect to shell and use a socket transferred from it.
# Used for e.g. abb.
allow adbd shell:unix_stream_socket { read write shutdown };
allow adbd shell:fd use;
# Allow pull /vendor/apex files for CTS tests
allow adbd vendor_apex_file:dir search;
allow adbd vendor_apex_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow adb pull of updated apex files in /data/apex/active.
allow adbd apex_data_file:dir search;
allow adbd staging_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow adbd to pull /apex/apex-info-list.xml for CTS tests.
allow adbd apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
# allow reading tombstones. users can already use bugreports to get those.
allow adbd tombstone_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow adbd tombstone_data_file:file { getattr open read ioctl lock map watch watch_reads };
###
### Neverallow rules
###
# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
# transitions to the shell domain (except when it crashes). In particular, we
# never want to see a transition from adbd to su (aka "adb root")
# The second rule forbids dynamic (setcon-style) transitions out of adbd to
# any domain whatsoever, crash_dump and shell included.
neverallow adbd { domain -crash_dump -shell }:process transition;
neverallow adbd { domain }:process dyntransition;
#line 5 "system/sepolicy/private/aidl_lazy_test_server.te"
# (aidl_lazy_test_server.te contributes no rules in this build.)
#line 1 "system/sepolicy/private/apex_test_prepostinstall.te"
# APEX pre- & post-install test.
#
# Allow to run pre- and post-install hooks for APEX test modules
# in debuggable builds.
# Type declarations only; the debuggable-only rules expanded to nothing here.
type apex_test_prepostinstall, domain, coredomain;
type apex_test_prepostinstall_exec, system_file_type, exec_type, file_type;
#line 20
#line 1 "system/sepolicy/private/apexd.te"
# The apexd.te section starts here and continues past this excerpt.
typeattribute apexd coredomain;
# init -> apexd domain transition (presumably domain_auto_trans(); the
# rules it grants follow).
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init apexd_exec:file { getattr open read execute map };
#line 3
allow init apexd:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow apexd apexd_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init apexd:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
# apexd inherits init's signal state and rlimits across the exec.
allow init apexd:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init apexd_exec:process apexd;
#line 3
#line 3
# Allow creating, reading and writing of APEX files/dirs in the APEX data dir
allow apexd apex_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow apexd apex_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow relabeling file created in /data/apex/decompressed
allow apexd apex_data_file:file relabelfrom;
# Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir
allow apexd metadata_file:dir search;
allow apexd apex_metadata_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow apexd apex_metadata_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow reserving space on /data/apex/ota_reserved for apex decompression
allow apexd apex_ota_reserved_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow apexd apex_ota_reserved_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow apexd to create files and directories for snapshots of apex data
# apex_data_file_type is used here alongside the concrete apex_*_data_file
# types, so it is presumably an attribute covering all of them (confirm);
# `relabelto` on it lets apexd assign any of those labels when restoring a
# snapshot, and `relabelfrom` on apex_module_data_file lets it take the live
# module data out of its label to snapshot it.
allow apexd apex_data_file_type:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelto };
allow apexd apex_data_file_type:file { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } relabelto };
allow apexd apex_module_data_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelfrom };
allow apexd apex_module_data_file:file { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } relabelfrom };
allow apexd apex_rollback_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow apexd apex_rollback_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow apexd to read /data/misc_de and the directories under it, in order to
# snapshot and restore apex data for all users.
allow apexd { system_userdir_file system_data_file }:dir { open getattr read search ioctl lock watch watch_reads };
# allow apexd to create loop devices with /dev/loop-control
allow apexd loop_control_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# allow apexd to access loop devices
allow apexd loop_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# ioctl whitelist for loop devices. NOTE(review): the values match the
# LOOP_GET_STATUS64, LOOP_SET_STATUS64, LOOP_SET_FD, LOOP_SET_BLOCK_SIZE,
# LOOP_SET_DIRECT_IO, LOOP_CLR_FD, BLKFLSBUF and LOOP_CONFIGURE numbers in
# <linux/loop.h>/<linux/fs.h> — verify against the kernel headers in use.
# Anything not listed (e.g. LOOP_CHANGE_FD) is denied by this allowxperm.
allowxperm apexd loop_device:blk_file ioctl { 0x00004c05 0x00004c04 0x00004c00 0x00004c09 0x00004c08 0x00004c01 0x00001261 0x00004c0a };
# Allow apexd to access /dev/block
# dev_type covers every device-node type, so the dir rule lets apexd list all
# of /dev; block nodes of arbitrary type get only getattr (stat), not open.
allow apexd dev_type:dir { open getattr read search ioctl lock watch watch_reads };
allow apexd dev_type:blk_file getattr;
#allow apexd to access virtual disks
allow apexd vd_device:blk_file { getattr open read ioctl lock map watch watch_reads };
# allow apexd to access /dev/block/dm-* (device-mapper entries)
allow apexd dm_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow apexd dm_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# sys_admin is required to access the device-mapper and mount
# dac_override, chown, and fowner are needed for snapshot and restore
# Both classes are listed so the same set applies whether the check happens in
# the init user namespace (capability) or a non-init one (cap_userns).
# sys_admin in particular makes apexd a high-value target; keep this list
# minimal and rely on the neverallow rules at the end of this file to confine
# what the rest of the system may do to apexd's data.
allow apexd self:{ capability cap_userns } { sys_admin chown dac_override dac_read_search fowner };
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set. We do not appear to truly need this capability
# for apexd to operate.
dontaudit apexd self:{ capability cap_userns } fsetid;
# allow apexd to create a mount point in /apex
allow apexd apex_mnt_dir:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
# allow apexd to mount in /apex
allow apexd apex_mnt_dir:filesystem { mount unmount };
allow apexd apex_mnt_dir:dir mounton;
# allow apexd to create symlinks in /apex
allow apexd apex_mnt_dir:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
# `mounton` for a file class permits bind-mounting over a regular file in
# /apex (presumably for non-staged updates — confirm against apexd sources).
allow apexd apex_mnt_dir:file { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } relabelfrom mounton };
allow apexd apex_info_file:file relabelto;
# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
allow apexd apex_info_file:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# allow apexd to unlink apex files in /data/apex/active
# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
# because it doesn't have write permission for staging_data_file object.
allow apexd staging_data_file:file unlink;
# allow apexd to read files from /data/app-staging and hardlink them to /data/apex.
# Note the shape of this grant: read + link + unlink, but no write/append.
# apexd can move a staged APEX into /data/apex by hard link and later drop it,
# but it can never modify the staged bytes it is about to activate.
allow apexd staging_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow apexd staging_data_file:file { { getattr open read ioctl lock map watch watch_reads } link };
#
# Allow relabeling file created in /data/apex/decompressed
allow apexd staging_data_file:file relabelto;
# allow apexd to read files from /vendor/apex
#line 97
allow apexd vendor_apex_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 97
allow apexd vendor_apex_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 97
#line 98
allow apexd vendor_apex_metadata_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 98
allow apexd vendor_apex_metadata_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 98
# Unmount and mount filesystems
# NOTE(review): this is much broader than the apex_mnt_dir mount rule above —
# labeledfs is not restricted to the /apex tree. Confirm this breadth is needed
# (e.g. for mounting the APEX image itself) rather than a narrower type.
allow apexd labeledfs:filesystem { mount unmount };
# /sys directory tree traversal
allow apexd sysfs_type:dir search;
# Access to /sys/class/block
# NOTE(review): the grant is read on every sysfs_type-labelled dir and file,
# not just /sys/class/block as the comment suggests.
allow apexd sysfs_type:dir { open getattr read search ioctl lock watch watch_reads };
allow apexd sysfs_type:file { getattr open read ioctl lock map watch watch_reads };
# Configure read-ahead of dm-verity and loop devices
# for dm-X
allow apexd sysfs_dm:dir { open getattr read search ioctl lock watch watch_reads };
allow apexd sysfs_dm:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# for loopX
allow apexd sysfs_loop:dir { open getattr read search ioctl lock watch watch_reads };
allow apexd sysfs_loop:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow apexd to log to the kernel.
allow apexd kmsg_device:chr_file { open append write lock map };
# Allow apexd to reboot device. Required for rollbacks of apexes that are
# not covered by rollback manager.
# Property sets go through init's property socket; setting powerctl_prop is
# in effect a reboot/shutdown request to init.
#line 121
#line 121
allow apexd property_socket:sock_file write;
#line 121
allow apexd init:unix_stream_socket connectto;
#line 121
#line 121
allow apexd powerctl_prop:property_service set;
#line 121
#line 121
allow apexd powerctl_prop:file { getattr open read map };
#line 121
#line 121
# Allow apexd to stop itself
#line 124
#line 124
allow apexd property_socket:sock_file write;
#line 124
allow apexd init:unix_stream_socket connectto;
#line 124
#line 124
allow apexd ctl_apexd_prop:property_service set;
#line 124
#line 124
allow apexd ctl_apexd_prop:file { getattr open read map };
#line 124
#line 124
# Allow apexd to send control messages to load/unload apex from init
#line 127
#line 127
allow apexd property_socket:sock_file write;
#line 127
allow apexd init:unix_stream_socket connectto;
#line 127
#line 127
allow apexd ctl_apex_load_prop:property_service set;
#line 127
#line 127
allow apexd ctl_apex_load_prop:file { getattr open read map };
#line 127
#line 127
# Find the vold service, and call into vold to manage FS checkpoints
allow apexd vold_service:service_manager find;
# binder_call(apexd, vold) expansion: apexd calls vold, vold may pass binder
# references back on the reply, and apexd may use fds vold hands over.
#line 131
# Call the server domain and optionally transfer references to it.
#line 131
allow apexd vold:binder { call transfer };
#line 131
# Allow the serverdomain to transfer references to the client on the reply.
#line 131
allow vold apexd:binder transfer;
#line 131
# Receive and use open files from the server.
#line 131
allow apexd vold:fd use;
#line 131
# apexd is using bootstrap bionic
# (apexd runs before the runtime APEX is mounted, so it links against the
# bootstrap libc rather than the one inside /apex.)
#line 134
allow apexd system_bootstrap_lib_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 134
allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
#line 134
# Allow apexd to be invoked with logwrapper from init during userspace reboot.
# Only read/write on the generic devpts type, no `open`: apexd can use a pty
# that was handed to it already open (by init's logwrapper) but cannot open
# arbitrary ptys itself.
allow apexd devpts:chr_file { read write };
# Allow apexd to create pts files via logwrap_fork_exec for its own use, to pass to
# other processes
#line 141
# Each domain gets a unique devpts type.
#line 141
type apexd_devpts, fs_type;
#line 141
# Label the pty with the unique type when created.
#line 141
type_transition apexd devpts:chr_file apexd_devpts;
#line 141
# Allow use of the pty after creation.
#line 141
allow apexd apexd_devpts:chr_file { open getattr read write ioctl };
#line 141
# ioctl whitelist for apexd's own ptys. NOTE(review): these look like the
# standard termios/winsize/pgrp and FIOCLEX/FIONCLEX ioctls from <asm/ioctls.h>
# — verify against the kernel headers in use.
allowxperm apexd apexd_devpts:chr_file ioctl {
#line 141
0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414
#line 141
0x0000540e 0x0000540b 0x00005410 0x0000540f
#line 141
};
#line 141
# TIOCSTI is only ever used for exploits. Block it.
# (TIOCSTI injects input into a terminal; a process holding a pty fd could
# otherwise feed commands to whatever reads that terminal.)
#line 141
# b/33073072, b/7530569
#line 141
# http://www.openwall.com/lists/oss-security/2016/09/26/14
#line 141
neverallowxperm * apexd_devpts:chr_file ioctl 0x00005412;
#line 141
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
#line 141
# allowed to everyone via domain.te.
#line 141
# Allow apexd to read file contexts when performing restorecon of snapshots.
allow apexd file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow apexd to execute toybox for snapshot & restore
# execute_no_trans: toybox runs *inside* the apexd domain, with apexd's
# capabilities; there is no transition to a less privileged domain.
allow apexd toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow apexd to release compressed blocks in case /data is f2fs-compressed fs.
# NOTE(review): the two ioctl numbers presumably correspond to FS_IOC_GETFLAGS
# and F2FS_IOC_RELEASE_COMPRESS_BLOCKS — verify against <linux/fs.h> and
# <linux/f2fs.h> for the target kernel.
allowxperm apexd staging_data_file:file ioctl { 0x80086601 0xf512 };
# Allow apexd to read ro.cold_boot_done prop.
# apexd uses it to decide whether it needs to keep retrying polling for loop device.
#line 157
allow apexd cold_boot_done_prop:file { getattr open read map };
#line 157
# Allow apexd to read per-device configuration properties.
#line 160
allow apexd apexd_config_prop:file { getattr open read map };
#line 160
# Allow apexd to read apex selection properties.
# These are used to choose between multi-installed APEXes at activation time.
#line 164
allow apexd apexd_select_prop:file { getattr open read map };
#line 164
#
# Allow apexd to read apexd_payload_metadata_prop
#line 167
allow apexd apexd_payload_metadata_prop:file { getattr open read map };
#line 167
# Integrity guardrails for the APEX data directories. Anything that can write
# /data/apex or its metadata can influence which system components get
# activated, so the writers are pinned to apexd and init (kernel additionally
# for the *file* rules only, not the directory rules). Note the dir rules list
# `link` as a forbidden permission too, which blocks hard-linking foreign files
# into these directories from any other domain.
neverallow { domain -apexd -init } apex_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
neverallow { domain -apexd -init } apex_metadata_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
neverallow { domain -apexd -init -kernel } apex_data_file:file { append create link unlink relabelfrom rename setattr write };
neverallow { domain -apexd -init -kernel } apex_metadata_file:file { append create link unlink relabelfrom rename setattr write };
# Symlinks in /apex: apexd only, not even init.
neverallow { domain -apexd } apex_mnt_dir:lnk_file { append create link unlink relabelfrom rename setattr write };
# vold_prepare_subdirs is exempted for the module data / rollback directories,
# presumably because it creates the per-user directory skeleton — confirm.
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:file { append create link unlink relabelfrom rename setattr write };
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file { append create link unlink relabelfrom rename setattr write };
# only apexd can set apexd sysprop
# (init is also exempted below: property sets are delivered to init over the
# property socket, so init necessarily handles them.)
#line 182
#line 182
allow apexd property_socket:sock_file write;
#line 182
allow apexd init:unix_stream_socket connectto;
#line 182
#line 182
allow apexd apexd_prop:property_service set;
#line 182
#line 182
allow apexd apexd_prop:file { getattr open read map };
#line 182
#line 182
neverallow { domain -apexd -init } apexd_prop:property_service set;
# only apexd can write apex-info-list.xml
neverallow { domain -apexd } apex_info_file:file { append create link unlink relabelfrom rename setattr write };
# Only apexd and init should be allowed to manage /apex mounts
# A note on otapreopt_chroot. It used to mount APEXes during the postinstall stage of A/B OTAs,
# but starting from S it just calls into apexd to prepare /apex for otapreopt. Once the sepolicies
# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below.
neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:dir { mounton };
# Allow for use in postinstall
allow apexd otapreopt_chroot:fd use;
allow apexd postinstall_apex_mnt_dir:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } mounton };
allow apexd postinstall_apex_mnt_dir:file { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } relabelfrom };
allow apexd postinstall_apex_mnt_dir:lnk_file create;
allow apexd proc_filesystems:file { getattr open read ioctl lock map watch watch_reads };
# Allow calling derive_classpath to gather BCP information for staged sessions
# (domain_auto_trans(apexd, derive_classpath_exec, apexd_derive_classpath)
# expansion; the helper gets its own, far narrower domain — see
# apexd_derive_classpath.te below.)
#line 203
# Allow the necessary permissions.
#line 203
#line 203
# Old domain may exec the file and transition to the new domain.
#line 203
allow apexd derive_classpath_exec:file { getattr open read execute map };
#line 203
allow apexd apexd_derive_classpath:process transition;
#line 203
# New domain is entered by executing the file.
#line 203
allow apexd_derive_classpath derive_classpath_exec:file { entrypoint open read execute getattr map };
#line 203
# New domain can send SIGCHLD to its caller.
#line 203
allow apexd_derive_classpath apexd:process sigchld;
#line 203
# Enable AT_SECURE, i.e. libc secure mode.
# (noatsecure is denied, only the audit message is suppressed.)
#line 203
dontaudit apexd apexd_derive_classpath:process noatsecure;
#line 203
# XXX dontaudit candidate but requires further study.
#line 203
allow apexd apexd_derive_classpath:process { siginh rlimitinh };
#line 203
#line 203
# Make the transition occur by default.
#line 203
type_transition apexd derive_classpath_exec:process apexd_derive_classpath;
#line 203
# Stray ';' left over from the macro invocation's trailing semicolon; the
# policy compiler presumably accepts an empty statement here — harmless.
;
# Allow set apex ready property
#line 206
#line 206
allow apexd property_socket:sock_file write;
#line 206
allow apexd init:unix_stream_socket connectto;
#line 206
#line 206
allow apexd apex_ready_prop:property_service set;
#line 206
#line 206
allow apexd apex_ready_prop:file { getattr open read map };
#line 206
#line 206
#line 1 "system/sepolicy/private/apexd_derive_classpath.te"
# Exclusive domain for apexd calling into derive_classpath binary
# Deliberately minimal: the helper inherits fds from apexd and can write an
# existing file in /apex, but has none of apexd's capabilities or mount rights.
type apexd_derive_classpath, domain, coredomain;
# Allow the binary to write into output file at location /apex/derive_classpath_temp
# write/open only — no `create`: the output file must already exist (created
# by apexd); the helper cannot add new entries to /apex.
allow apexd_derive_classpath apexd:fd use;
allow apexd_derive_classpath apex_mnt_dir:file { write open };
# Allow the binary to log using logwrap
allow apexd_derive_classpath apexd_devpts:chr_file { read write };
#line 1 "system/sepolicy/private/app.te"
# Rules common to every app domain (the `appdomain` attribute). Exclusions in
# the rules below carve out the sandboxed variants (isolated, ephemeral, sdk
# sandbox) that must not receive a given grant.
#
# /proc/net access.
# TODO(b/9496886) Audit access for removal.
# proc_net access for the negated domains below is granted (or not) in their
# individual .te files.
# After the negations this grant reaches only the residual app domains that are
# neither untrusted/priv/platform/system apps nor shell/ephemeral/isolated/sdk
# sandbox — presumably the core-service app domains (e.g. bluetooth, nfc,
# radio); confirm against the appdomain attribute membership.
#line 5
allow {
#line 5
appdomain
#line 5
-ephemeral_app
#line 5
-isolated_app_all
#line 5
-platform_app
#line 5
-priv_app
#line 5
-shell
#line 5
-sdk_sandbox_all
#line 5
-system_app
#line 5
-untrusted_app_all
#line 5
} proc_net_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 5
allow {
#line 5
appdomain
#line 5
-ephemeral_app
#line 5
-isolated_app_all
#line 5
-platform_app
#line 5
-priv_app
#line 5
-shell
#line 5
-sdk_sandbox_all
#line 5
-system_app
#line 5
-untrusted_app_all
#line 5
} proc_net_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 15
# audit access for all these non-core app domains.
# NOTE(review): source lines 15-30 are absent from this expansion; presumably a
# build-variant-guarded auditallow block that was compiled out — confirm.
#line 30
# Allow apps to read the Test Harness Mode property. This property is used in
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
#line 34
allow appdomain test_harness_prop:file { getattr open read map };
#line 34
# Read-only property access for all apps. Each grant is file read + map on the
# property's backing page; none of these allow setting the property.
#line 36
allow appdomain boot_status_prop:file { getattr open read map };
#line 36
#line 37
allow appdomain dalvik_config_prop_type:file { getattr open read map };
#line 37
#line 38
allow appdomain media_config_prop:file { getattr open read map };
#line 38
#line 39
allow appdomain packagemanager_config_prop:file { getattr open read map };
#line 39
#line 40
allow appdomain radio_control_prop:file { getattr open read map };
#line 40
#line 41
allow appdomain surfaceflinger_color_prop:file { getattr open read map };
#line 41
#line 42
allow appdomain systemsound_config_prop:file { getattr open read map };
#line 42
#line 43
allow appdomain telephony_config_prop:file { getattr open read map };
#line 43
#line 44
allow appdomain userspace_reboot_config_prop:file { getattr open read map };
#line 44
#line 45
allow appdomain vold_config_prop:file { getattr open read map };
#line 45
#line 46
allow appdomain adbd_config_prop:file { getattr open read map };
#line 46
#line 47
allow appdomain dck_prop:file { getattr open read map };
#line 47
#line 48
allow appdomain persist_wm_debug_prop:file { getattr open read map };
#line 48
#line 49
allow appdomain persist_sysui_builder_extras_prop:file { getattr open read map };
#line 49
#line 50
allow appdomain persist_sysui_ranking_update_prop:file { getattr open read map };
#line 50
# Allow the heap dump ART plugin to read the count of sessions waiting for OOME
#line 53
allow appdomain traced_oome_heap_session_count_prop:file { getattr open read map };
#line 53
# Allow to read ro.vendor.camera.extensions.enabled
#line 56
allow appdomain camera2_extensions_prop:file { getattr open read map };
#line 56
# Allow to read ro.camerax.extensions.enabled
#line 59
allow appdomain camerax_extensions_prop:file { getattr open read map };
#line 59
# Prevent apps from causing presubmit failures.
# Apps can cause selinux denials by accessing CE storage
# and/or external storage. In either case, the selinux denial is
# not the cause of the failure, but just a symptom that
# storage isn't ready. Many apps handle the failure appropriately.
#
# Apps cannot access external storage before it becomes available.
# (dontaudit suppresses the log line only; the access is still denied.)
dontaudit appdomain storage_stub_file:dir getattr;
# Attempts to write to system_data_file is generally a sign
# that apps are attempting to access encrypted storage before
# the ACTION_USER_UNLOCKED intent is delivered. Apps are not
# allowed to write to CE storage before it's available.
# Attempting to do so will be blocked by both selinux and unix
# permissions.
dontaudit appdomain system_data_file:dir write;
# Apps should not be reading vendor-defined properties.
dontaudit appdomain vendor_default_prop:file read;
# Access to /mnt/media_rw/ (limited by DAC to apps with external_storage gid)
allow { appdomain -sdk_sandbox_all } mnt_media_rw_file:dir search;
# allow apps to use UDP sockets provided by the system server but not
# modify them other than to connect
# NOTE(review): `setopt` is granted, so an app can still change socket options
# on an inherited socket; the comment is only accurate for the permissions in
# the neverallow below (no bind/listen/create/ioctl/relabel/shutdown).
allow appdomain system_server:udp_socket { connect getattr read recvfrom sendto write getopt setopt };
neverallow appdomain system_server:udp_socket { accept append bind create ioctl listen lock name_bind relabelfrom relabelto setattr shutdown };
# Transition to a non-app domain.
# Exception for the shell and su domains, can transition to runas, etc.
# Exception for crash_dump to allow for app crash reporting.
# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
# to allow renderscript to create privileged executable files.
# Exception for virtualizationmanager to allow running VMs as child processes.
# These two assertions are the app sandbox's privilege-escalation boundary: no
# app (other than shell) may exec into, or dynamically switch to, a non-app
# domain beyond the listed exceptions. Any new allow rule elsewhere that would
# violate this fails the policy build.
neverallow { appdomain -shell } { domain -appdomain -crash_dump -rs -virtualizationmanager }:process { transition };
neverallow { appdomain -shell } { domain -appdomain }:process { dyntransition };
# Don't allow regular apps access to storage configuration properties.
# Note: getattr and map are not in this permission set, so stat() on the
# property file is not forbidden by the assertion (map without open is moot).
neverallow { appdomain -mediaprovider_app } storage_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Don't allow apps reading /system/etc/font_fallback.xml
# dontaudit silences the denial; the neverallow turns the restriction into a
# build-time assertion so no later rule can quietly reopen it. As above, the
# set omits getattr, so stat() remains possible.
dontaudit appdomain system_font_fallback_file:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow appdomain system_font_fallback_file:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Allow to read sendbug.preferred.domain
#line 110
allow appdomain sendbug_config_prop:file { getattr open read map };
#line 110
# Allow to read graphics related properties.
#line 113
allow appdomain graphics_config_prop:file { getattr open read map };
#line 113
# Allow to read persist.config.calibration_fac
#line 116
allow appdomain camera_calibration_prop:file { getattr open read map };
#line 116
# Allow to read db.log.detailed, db.log.slow_query_threshold*
#line 119
allow appdomain sqlite_log_prop:file { getattr open read map };
#line 119
# Allow to read system_user_mode_emulation_prop, which is used by UserManager.java
# NOTE(review): no rule follows the comment above in this expansion — the
# grant was either compiled out for this build variant or removed; confirm
# against the source .te and drop the stale comment if so.
# Allow font file read by apps.
allow appdomain font_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow appdomain font_data_file:dir { open getattr read search ioctl lock watch watch_reads };
# Enter /data/misc/apexdata/
allow appdomain apex_module_data_file:dir search;
# Read /data/misc/apexdata/com.android.art, execute signed AOT artifacts.
# execute_no_trans: the artifacts run in the app's own domain. Nothing in this
# rule checks a signature — that enforcement lives outside SELinux (presumably
# fs-verity/ART's own verification; confirm before relying on "signed" here).
allow appdomain apex_art_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow appdomain apex_art_data_file:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow access to tombstones if an fd to one is given to you.
# An app cannot open the tombstone itself because it lacks `open`.
# The neverallow uses the complement (~), so every other file permission —
# open, map, write, etc. — is asserted forbidden for all apps except shell.
allow appdomain tombstone_data_file:file { getattr read };
neverallow { appdomain -shell } tombstone_data_file:file ~{ getattr read };
# Execute the shell or other system executables.
# execute_no_trans throughout: the binaries run inside the calling app's own
# domain, never a more privileged one. Isolated apps are deliberately *not*
# excluded here (they are from the storage rules below).
allow { appdomain -ephemeral_app -sdk_sandbox_all } shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow { appdomain -ephemeral_app -sdk_sandbox_all } toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow { appdomain -ephemeral_app -sdk_sandbox_all } vendor_file:file { getattr execute execute_no_trans map };
# Allow apps access to /vendor/app except for privileged
# apps which cannot be in /vendor.
#line 146
allow { appdomain -ephemeral_app -sdk_sandbox_all } vendor_app_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 146
allow { appdomain -ephemeral_app -sdk_sandbox_all } vendor_app_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 146
allow { appdomain -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;
# Allow apps to read microdroid related files in vendor partition for CTS purpose.
#line 150
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_microdroid_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 150
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_microdroid_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 150
# Perform binder IPC to sdk sandbox.
# binder_call expansion: apps may call into sdk sandbox processes; the sandbox
# may only `transfer` references back on the reply, not initiate calls.
#line 153
# Call the server domain and optionally transfer references to it.
#line 153
allow appdomain sdk_sandbox_all:binder { call transfer };
#line 153
# Allow the serverdomain to transfer references to the client on the reply.
#line 153
allow sdk_sandbox_all appdomain:binder transfer;
#line 153
# Receive and use open files from the server.
#line 153
allow appdomain sdk_sandbox_all:fd use;
#line 153
# Allow apps to communicate via binder with virtual camera service.
#line 156
# Call the server domain and optionally transfer references to it.
#line 156
allow appdomain virtual_camera:binder { call transfer };
#line 156
# Allow the serverdomain to transfer references to the client on the reply.
#line 156
allow virtual_camera appdomain:binder transfer;
#line 156
# Receive and use open files from the server.
#line 156
allow appdomain virtual_camera:fd use;
#line 156
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
# Everything from here on excludes isolated, ephemeral and sdk-sandbox apps:
# those sandboxes must not see shared storage at all.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:dir { open getattr read search ioctl lock watch watch_reads };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:dir { open getattr read search ioctl lock watch watch_reads };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
# Read/write visible storage
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
# sdcardfs pass-through: app accesses to external storage reach the backing
# media_rw_data_file tree with the app's own context, so it must be allowed
# here. The real per-app isolation on that tree is DAC, not SELinux.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
# Accordingly neither rule grants `open`: apps can only use an fd they were
# handed. ioctl is allowed on usb_device but not on usbaccessory_device.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usb_device:chr_file { read write getattr ioctl };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usbaccessory_device:chr_file { read write getattr };
#logd access
#line 182
# Group AID_LOG checked by filesystem & logd
#line 182
# to permit control commands
#line 182
#line 182
allow { appdomain -ephemeral_app -sdk_sandbox_all } logd_socket:sock_file write;
#line 182
allow { appdomain -ephemeral_app -sdk_sandbox_all } logd:unix_stream_socket connectto;
#line 182
#line 182
# application inherit logd write socket (urge is to deprecate this long term)
# NOTE(review): the comment above is stranded — no logd rule follows it in this
# expansion; the next rules are the keystore grants.
#
# Keystore: apps may operate on their own keystore2 keys. The permission set
# is deliberately narrow (delete/use/get_info/rebind/update only) — in
# particular it contains no `grant`, assuming keystore2_key defines one, so
# an app cannot hand its keys to another uid through this rule.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_maintenance_service:service_manager find;
# use_keystore expansion. keystore reads the caller's process entries (dir
# search, file read/open, process getattr on the app domain), presumably
# /proc/<pid> lookups for caller identification — confirm.
#line 189
allow keystore { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:dir search;
#line 189
allow keystore { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:file { read open };
#line 189
allow keystore { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:process getattr;
#line 189
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } apc_service:service_manager find;
#line 189
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_service:service_manager find;
#line 189
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } legacykeystore_service:service_manager find;
#line 189
#line 189
# Call the server domain and optionally transfer references to it.
#line 189
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:binder { call transfer };
#line 189
# Allow the serverdomain to transfer references to the client on the reply.
#line 189
allow keystore { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:binder transfer;
#line 189
# Receive and use open files from the server.
#line 189
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:fd use;
#line 189
#line 189
#line 189
# Binder in the reverse direction too: keystore may call back into apps
# (callback interfaces), so this is a bidirectional binder relationship.
# Call the server domain and optionally transfer references to it.
#line 189
allow keystore { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:binder { call transfer };
#line 189
# Allow the serverdomain to transfer references to the client on the reply.
#line 189
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:binder transfer;
#line 189
# Receive and use open files from the server.
#line 189
allow keystore { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:fd use;
#line 189
#line 189
# use_credstore expansion, same shape as the keystore rules above.
#line 191
allow credstore { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:dir search;
#line 191
allow credstore { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:file { read open };
#line 191
allow credstore { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:process getattr;
#line 191
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } credstore_service:service_manager find;
#line 191
#line 191
# Call the server domain and optionally transfer references to it.
#line 191
# Binder IPC between apps and credstore in both directions.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } credstore:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow credstore { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:binder transfer;
# Receive and use open files from the server.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } credstore:fd use;
# Call the server domain and optionally transfer references to it.
allow credstore { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } credstore:binder transfer;
# Receive and use open files from the server.
allow credstore { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:fd use;
# For app fuse.

# PDX client access to the display client service (endpoint dir/socket,
# connect, then the per-connection channel socket).
#line 194
# Allow client to open the service endpoint file.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_client_endpoint_dir_type:dir { open getattr read search ioctl lock watch watch_reads };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_client_endpoint_socket_type:sock_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow the client to connect to endpoint socket.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_client_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
# Allow the client to use the PDX channel socket.
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
# than we need (e.g. we don't need "bind" or "connect"). Note `ioctl` is also
# deliberately absent from the channel socket permissions.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_client_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
# Client needs to use a channel event fd from the server.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_client_server_type:fd use;
# Servers may receive sync fences, gralloc buffers, etc, from clients.
# This could be tightened on a per-server basis, but keeping track of service
# clients is error prone.
allow pdx_display_client_server_type { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:fd use;

# PDX client access to the display manager service (same shape as above).
#line 195
# Allow client to open the service endpoint file.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_manager_endpoint_dir_type:dir { open getattr read search ioctl lock watch watch_reads };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_manager_endpoint_socket_type:sock_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow the client to connect to endpoint socket.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_manager_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
# Allow the client to use the PDX channel socket.
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
# than we need (e.g. we don't need "bind" or "connect").
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_manager_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
# Client needs to use a channel event fd from the server.
#line 195
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_manager_server_type:fd use;
# Servers may receive sync fences, gralloc buffers, etc, from clients.
# This could be tightened on a per-server basis, but keeping track of service
# clients is error prone.
allow pdx_display_manager_server_type { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:fd use;

# PDX client access to the display vsync service (same shape as the other
# pdx_* client blocks: endpoint dir/socket, connect, channel socket, fd use).
#line 196
# Allow client to open the service endpoint file.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_vsync_endpoint_dir_type:dir { open getattr read search ioctl lock watch watch_reads };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_vsync_endpoint_socket_type:sock_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow the client to connect to endpoint socket.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_vsync_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
# Allow the client to use the PDX channel socket.
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
# than we need (e.g. we don't need "bind" or "connect").
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_vsync_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
# Client needs to use a channel event fd from the server.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_vsync_server_type:fd use;
# Servers may receive sync fences, gralloc buffers, etc, from clients.
#line 196
# This could be tightened on a per-server basis, but keeping track of service
# clients is error prone.
allow pdx_display_vsync_server_type { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:fd use;

# PDX client access to the performance service (same shape as the other
# pdx_* client blocks).
#line 197
# Allow client to open the service endpoint file.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_performance_client_endpoint_dir_type:dir { open getattr read search ioctl lock watch watch_reads };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_performance_client_endpoint_socket_type:sock_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow the client to connect to endpoint socket.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_performance_client_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
# Allow the client to use the PDX channel socket.
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
# than we need (e.g. we don't need "bind" or "connect").
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_performance_client_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
# Client needs to use a channel event fd from the server.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_performance_client_server_type:fd use;
# Servers may receive sync fences, gralloc buffers, etc, from clients.
# This could be tightened on a per-server basis, but keeping track of service
# clients is error prone.
#line 197
allow pdx_performance_client_server_type { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:fd use;

# Apps do not directly open the IPC socket for bufferhubd.
# Only the channel-socket and fd rules are present here: there is no endpoint
# dir/sock_file access and no connectto, unlike the other pdx_* blocks above.
#line 199
# Allow the client to use the PDX channel socket.
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
# than we need (e.g. we don't need "bind" or "connect").
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_bufferhub_client_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
# Client needs to use a channel event fd from the server.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_bufferhub_client_server_type:fd use;
# Servers may receive sync fences, gralloc buffers, etc, from clients.
# This could be tightened on a per-server basis, but keeping track of service
# clients is error prone.
allow pdx_bufferhub_client_server_type { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:fd use;

# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device
# (no `open` below). The ioctl allowlist is a single command, 0x800454d2,
# which matches TUNGETIFF (_IOR('T', 210, unsigned int)) — read-only
# interface query; confirm against the ioctl_defines in this policy.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file { read write getattr append ioctl };
allowxperm { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file ioctl 0x800454d2;

# WebView and other application-specific JIT compilers
# execmem relaxes W^X for anonymous memory only; file-backed execution from
# writable app storage is still constrained by the neverallow rules at the
# end of this file.
allow appdomain self:process execmem;
allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;

# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;
# Receive and use open file descriptors inherited from app zygote.
allow appdomain app_zygote:fd use;
# gdbserver for ndk-gdb reads the zygote.
# valgrind needs mmap exec for zygote
allow appdomain zygote_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Notify zygote of death;
allow appdomain zygote:process sigchld;

# Read /data/dalvik-cache.
allow appdomain dalvikcache_data_file:dir { search getattr };
allow appdomain dalvikcache_data_file:file { getattr open read ioctl lock map watch watch_reads };

# Read the /sdcard and /mnt/sdcard symlinks
allow { appdomain -isolated_app_all -sdk_sandbox_all } rootfs:lnk_file { getattr open read ioctl lock map watch watch_reads };
allow { appdomain -isolated_app_all -sdk_sandbox_all } tmpfs:lnk_file { getattr open read ioctl lock map watch watch_reads };
# Search /storage/emulated tmpfs mount.
allow { appdomain -sdk_sandbox_all } tmpfs:dir { open getattr read search ioctl lock watch watch_reads };

# Notify zygote of the wrapped process PID when using --invoke-with.
allow appdomain zygote:fifo_file write;
#line 243
# Notify shell and adbd of death when spawned via runas for ndk-gdb.
allow appdomain shell:process sigchld;
allow appdomain adbd:process sigchld;
# child shell or gdbserver pty access for runas.
allow appdomain devpts:chr_file { getattr read write ioctl };

# Use pipes and sockets provided by system_server via binder or local socket.
# No `open`/`connectto` here: the descriptors arrive already open.
allow appdomain system_server:fd use;
allow appdomain system_server:fifo_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
# For AppFuse.
allow appdomain vold:fd use;
# Communication with other apps via fifos
allow appdomain appdomain:fifo_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };

# App sandbox file accesses.
# mlstrustedsubject domains are excluded from creating/writing sandbox files
# through these rules; they only get the fd-based access granted further down.
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Single ioctl command allowed on sandbox files (0x6686 — look it up in the
# policy's ioctl_defines before changing).
allowxperm { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file ioctl 0x6686;
# Access via already open fds is ok even for mlstrustedsubject.
allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
# Access open fds from SDK sandbox
allow appdomain sdk_sandbox_data_file:file { getattr read };
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir { open getattr read search ioctl lock watch watch_reads };

# Keychain and user-trusted credentials (read-only).
#line 282
allow appdomain keychain_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow appdomain keychain_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
allow appdomain misc_user_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow appdomain misc_user_data_file:file { getattr open read ioctl lock map watch watch_reads };

# TextClassifier
#line 287
allow { appdomain -isolated_app_all } textclassifier_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow { appdomain -isolated_app_all } textclassifier_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };

# Access to OEM provided data and apps
allow appdomain oemfs:dir { open getattr read search ioctl lock watch watch_reads };
allow appdomain oemfs:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow appdomain system_file:file { getattr execute execute_no_trans map };

# Renderscript needs the ability to read directories on /system
allow appdomain system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow appdomain system_file:lnk_file { getattr open read };

# Renderscript specific permissions to open /system/vendor/lib64.
#line 299
allow appdomain vendor_file_type:dir { open getattr read search ioctl lock watch watch_reads };
allow appdomain vendor_file_type:lnk_file { getattr open read };
#line 302
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 304
# For looking up Renderscript vendor drivers
allow { appdomain -isolated_app_all } vendor_file:dir { open read };
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 307
# Allow apps access to /vendor/overlay
#line 310
allow appdomain vendor_overlay_file:dir { open getattr read search ioctl lock watch watch_reads };
allow appdomain vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };

# Allow apps access to /vendor/framework
# for vendor provided libraries.
#line 314
allow appdomain vendor_framework_file:dir { open getattr read search ioctl lock watch watch_reads };
allow appdomain vendor_framework_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };

# Allow apps read / execute access to vendor public libraries.
allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir { open getattr read search ioctl lock watch watch_reads };
allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };

# Files below are opened by the system and handed to the app; note the absence
# of `open` in each rule.
# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { getattr read write map };
# Read/write cached ringtones (opened by system).
allow appdomain ringtone_file:file { getattr read write map };
# Read ShortcutManager icon files (opened by system).
allow appdomain shortcut_manager_icons:file { getattr read map };
# Read icon file (opened by system).
allow appdomain icon_file:file { getattr read map };

# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
#
# TODO: All of these permissions except for anr_data_file:file append can be
# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
# and the rules below.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };

# New stack dumping scheme : request an output FD from tombstoned via a unix
# domain socket.
#
# Allow apps to connect and write to the tombstoned java trace socket in
# order to dump their traces. Also allow them to append traces to pipes
# created by dumptrace. (Also see the rules below where they are given
# additional permissions to dumpstate pipes for other aspects of bug report
# creation).
#line 348
allow appdomain tombstoned_java_trace_socket:sock_file write;
allow appdomain tombstoned:unix_stream_socket connectto;
allow appdomain tombstoned:fd use;
allow appdomain dumpstate:fifo_file append;
allow appdomain incidentd:fifo_file append;

# Allow apps to send dump information to dumpstate
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
allow appdomain dumpstate:fifo_file { write getattr };
allow appdomain shell_data_file:file { write getattr };

# Allow apps to send dump information to incidentd
allow appdomain incidentd:fd use;
allow appdomain incidentd:fifo_file { write getattr };

# Allow apps to send information to statsd socket.
#line 364
allow appdomain statsdw_socket:sock_file write;
allow appdomain statsd:unix_dgram_socket sendto;

# Write profiles /data/misc/profiles
allow appdomain user_profile_root_file:dir search;
allow appdomain user_profile_data_file:dir { open search write add_name remove_name lock };
allow appdomain user_profile_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };

# Allow writing performance tracing data into the perfetto traced daemon.
# Needed for java heap graph ART plugin (perfetto_hprof).
# The perfetto profiling daemon will check for the specific application's
# opt-in/opt-out.
#line 375
allow appdomain traced:fd use;
allow appdomain traced_tmpfs:file { read write getattr map };
allow appdomain traced_producer_socket:sock_file write;
allow appdomain traced:unix_stream_socket connectto;
# Also allow the service to use the producer file descriptors. This is
# necessary when the producer is creating the shared memory, as it will be
# passed to the service as a file descriptor (obtained from memfd_create).
#line 375
allow traced appdomain:fd use;

# Send heap dumps to system_server via an already open file descriptor
# % adb shell am set-watch-heap com.android.systemui 1048576
# % adb shell dumpsys procstats --start-testing
# debuggable builds only.
# NOTE(review): no rule follows this comment in this expansion — presumably the
# rule is compiled in only on debuggable builds; confirm against the source .te.
#line 383

# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
allow { appdomain -isolated_app_all } gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow { appdomain -isolated_app_all } gpu_device:dir { open getattr read search ioctl lock watch watch_reads };
allow { appdomain -isolated_app_all } sysfs_gpu:file { getattr open read ioctl lock map watch watch_reads };

# Use the Binder.
#line 393
# Call the servicemanager and transfer references to it.
allow appdomain servicemanager:binder { call transfer };
# Allow servicemanager to send out callbacks
allow servicemanager appdomain:binder { call transfer };
# servicemanager performs getpidcon on clients.
allow servicemanager appdomain:dir search;
allow servicemanager appdomain:file { read open };
allow servicemanager appdomain:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.

# Perform binder IPC to binder services.
#line 395
# Call the server domain and optionally transfer references to it.
allow appdomain binderservicedomain:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow binderservicedomain appdomain:binder transfer;
# Receive and use open files from the server.
allow appdomain binderservicedomain:fd use;

# Perform binder IPC to other apps.
#line 397
# Call the server domain and optionally transfer references to it.
#line 397
# App-to-app binder IPC; any app may call and pass references to any other app.
allow appdomain appdomain:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow appdomain appdomain:binder transfer;
# Receive and use open files from the server.
allow appdomain appdomain:fd use;

# Perform binder IPC to ephemeral apps.
#line 399
# Call the server domain and optionally transfer references to it.
allow appdomain ephemeral_app:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow ephemeral_app appdomain:binder transfer;
# Receive and use open files from the server.
allow appdomain ephemeral_app:fd use;

# Perform binder IPC to gpuservice (isolated apps excluded).
#line 401
# Call the server domain and optionally transfer references to it.
allow { appdomain -isolated_app_all } gpuservice:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow gpuservice { appdomain -isolated_app_all }:binder transfer;
# Receive and use open files from the server.
allow { appdomain -isolated_app_all } gpuservice:fd use;

# Talk with graphics composer fences
allow appdomain hal_graphics_composer:fd use;

# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };

# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow appdomain backup_data_file:file { read write getattr map };
allow appdomain cache_backup_file:file { read write getattr map };
allow appdomain cache_backup_file:dir getattr;
# Backup ability using 'adb backup'
allow appdomain system_data_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
allow appdomain system_data_file:file { getattr read map };

# Allow read/stat of /data/media files passed by Binder or local socket IPC.
allow { appdomain -isolated_app_all -sdk_sandbox_all } media_rw_data_file:file { read getattr };

# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow { appdomain -isolated_app_all } radio_data_file:file { read write getattr };

# For art.
allow appdomain dalvikcache_data_file:file execute;
allow appdomain dalvikcache_data_file:lnk_file { getattr open read ioctl lock map watch watch_reads };

# Allow any app to read shared RELRO files.
allow appdomain shared_relro_file:dir search;
allow appdomain shared_relro_file:file { getattr open read ioctl lock map watch watch_reads };

# Allow apps to read/execute installed binaries
# `watch`/`watch_reads` are deliberately left out of both rules: inotify on
# APKs is a launch side channel and is neverallow'ed near the end of this file.
allow appdomain apk_data_file:dir { open getattr read search ioctl lock };
allow appdomain apk_data_file:file { getattr open read ioctl lock map { getattr execute execute_no_trans map } };

# /data/resource-cache
allow appdomain resourcecache_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow appdomain resourcecache_data_file:dir { open getattr read search ioctl lock watch watch_reads };

# logd access (reader path: logcat binary and the logdr socket)
#line 444
allow appdomain logcat_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow appdomain logdr_socket:sock_file write;
allow appdomain logd:unix_stream_socket connectto;

allow appdomain zygote:unix_dgram_socket write;
allow appdomain console_device:chr_file { read write };

# only allow unprivileged socket ioctl commands
# Two allowlists: SIOCG* interface/wireless-extension queries, then the
# 0x54xx termios/tty family (TCGETS, TIOCGWINSZ, FIOCLEX, ...). bluetooth is
# excluded from this rule and presumably has its own allowlist elsewhere.
allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket } ioctl {
#line 452
  {
    # Socket ioctls for gathering information about the interface
    0x00008906 0x00008907
    0x00008910 0x00008912 0x00008913 0x00008915 0x00008917 0x00008919
    0x0000891b 0x00008921 0x00008933 0x00008938 0x00008942
    # Wireless extension ioctls. Primarily get functions.
    0x00008b01 0x00008b05 0x00008b07 0x00008b09 0x00008b0b 0x00008b0d
    0x00008b0f 0x00008b11 0x00008b12 0x00008b13 0x00008b21 0x00008b23
    0x00008b25 0x00008b27 0x00008b29 0x00008b2d
  } {
    0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414
    0x0000540e 0x0000540b 0x00005410 0x0000540f
  }
};

# Shared-memory / DMA-BUF heap device nodes (read-only open; isolated apps excluded).
allow { appdomain -isolated_app_all } ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow { appdomain -isolated_app_all } dmabuf_system_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow { appdomain -isolated_app_all } dmabuf_system_secure_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };

# Allow AAudio apps to use shared memory file descriptors from the HAL
allow { appdomain -isolated_app_all } hal_audio:fd use;
# Allow app to access shared memory created by camera HAL1
allow { appdomain -isolated_app_all } hal_camera:fd use;
# Allow apps to access shared memory file descriptor from the tuner HAL
allow {appdomain -isolated_app_all} hal_tv_tuner_server:fd use;

# RenderScript always-passthrough HAL
allow { appdomain -isolated_app_all } hal_renderscript_hwservice:hwservice_manager find;
allow appdomain same_process_hal_file:file { execute read open getattr map };

# TODO: switch to meminfo service
allow appdomain proc_meminfo:file { getattr open read ioctl lock map watch watch_reads };

# For app fuse.
allow appdomain app_fuse_file:file { getattr read append write map };

###
### CTS-specific rules
###

# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.

# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow appdomain adbd:unix_stream_socket connectto;
allow appdomain adbd:fd use;
allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };

allow appdomain cache_file:dir getattr;

# Allow apps to run with asanwrapper.
# NOTE(review): no rule follows this comment in this expansion; presumably it is
# only emitted for sanitizer builds — confirm against the source .te.

# Read access to FDs from the DropboxManagerService.
allow appdomain dropbox_data_file:file { getattr read };

# Read tmpfs types from these processes.
allow appdomain audioserver_tmpfs:file { getattr map read write };
allow appdomain system_server_tmpfs:file { getattr map read write };
allow appdomain zygote_tmpfs:file { map read };

# Sensitive app domains are not allowed to execute from /data
# to prevent persistence attacks and ensure all code is executed
# from read-only locations.
# NOTE(review): the `# shared libs in apks` comment must stay on its own line;
# if it is joined with the next line (as in a collapsed rendering of this file)
# it swallows `-apk_data_file }:file { ... };` and the rule becomes malformed.
neverallow { bluetooth isolated_app_all nfc radio shared_relro sdk_sandbox_all system_app } {
  data_file_type
  -apex_art_data_file
  -dalvikcache_data_file
  -system_data_file
  # shared libs in apks
  -apk_data_file
}:file { execute execute_no_trans };

# Don't allow apps access to any of the following character devices.
neverallow appdomain { audio_device camera_device dm_device radio_device rpmsg_device }:chr_file { read write };

# Block video device access for all apps except the DeviceAsWebcam Service which
# needs access to /dev/video* for interfacing with the host
neverallow { appdomain -device_as_webcam } video_device:chr_file { read write };

# Prevent calling inotify on APKs. This can be used as a side channel
# to observe app launches, so it must be disallowed. b/231587164
# Gate by targetSdkVersion to avoid breaking existing apps.
# Legacy targetSdk domains (25..32) are exempted from the inotify-on-APK ban;
# every other app domain must not watch apk_data_file.
neverallow { appdomain -untrusted_app_25 -untrusted_app_27 -untrusted_app_29 -untrusted_app_30 -untrusted_app_32 } apk_data_file:dir { watch watch_reads };
neverallow { appdomain -untrusted_app_25 -untrusted_app_27 -untrusted_app_29 -untrusted_app_30 -untrusted_app_32 } apk_data_file:file { watch watch_reads };
#line 1 "system/sepolicy/private/app_neverallows.te"
###
### neverallow rules for untrusted app domains
###
# Each rule below names the expanded untrusted-app domain list explicitly.
# untrusted_app_32 (referenced above) does not appear by name in the list;
# presumably it is covered through the untrusted_app_all attribute — confirm.
#line 18

# Receive or send uevent messages.
neverallow {
#line 20
  ephemeral_app
  isolated_app
  isolated_app_all
  isolated_compute_app
  mediaprovider
  mediaprovider_app
  untrusted_app
  untrusted_app_25
  untrusted_app_27
  untrusted_app_29
  untrusted_app_30
  untrusted_app_all
} domain:netlink_kobject_uevent_socket *;

# Receive or send generic netlink messages
neverallow {
#line 23
  ephemeral_app
  isolated_app
  isolated_app_all
  isolated_compute_app
  mediaprovider
  mediaprovider_app
  untrusted_app
  untrusted_app_25
  untrusted_app_27
  untrusted_app_29
  untrusted_app_30
  untrusted_app_all
} domain:netlink_socket *;

# Read or write kernel printk buffer
neverallow {
#line 26
  ephemeral_app
  isolated_app
  isolated_app_all
  isolated_compute_app
  mediaprovider
  mediaprovider_app
  untrusted_app
  untrusted_app_25
  untrusted_app_27
  untrusted_app_29
  untrusted_app_30
  untrusted_app_all
} kmsg_device:chr_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };

# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow { #line 30 ephemeral_app #line 30 isolated_app #line 30 isolated_app_all #line 30 isolated_compute_app #line 30 mediaprovider #line 30 mediaprovider_app #line 30 untrusted_app #line 30 untrusted_app_25 #line 30 untrusted_app_27 #line 30 untrusted_app_29 #line 30 untrusted_app_30 #line 30 untrusted_app_all #line 30 } { debugfs_type -debugfs_kcov }:file read; neverallow {{ #line 31 ephemeral_app #line 31 isolated_app #line 31 isolated_app_all #line 31 isolated_compute_app #line 31 mediaprovider #line 31 mediaprovider_app #line 31 untrusted_app #line 31 untrusted_app_25 #line 31 untrusted_app_27 #line 31 untrusted_app_29 #line 31 untrusted_app_30 #line 31 untrusted_app_all #line 31 } } debugfs_type:{ file lnk_file } read; # Do not allow untrusted apps to register services. # Only trusted components of Android should be registering # services. neverallow { #line 36 ephemeral_app #line 36 isolated_app #line 36 isolated_app_all #line 36 isolated_compute_app #line 36 mediaprovider #line 36 mediaprovider_app #line 36 untrusted_app #line 36 untrusted_app_25 #line 36 untrusted_app_27 #line 36 untrusted_app_29 #line 36 untrusted_app_30 #line 36 untrusted_app_all #line 36 } service_manager_type:service_manager add; # Do not allow untrusted apps to use VendorBinder neverallow { #line 39 ephemeral_app #line 39 isolated_app #line 39 isolated_app_all #line 39 isolated_compute_app #line 39 mediaprovider #line 39 mediaprovider_app #line 39 untrusted_app #line 39 untrusted_app_25 #line 39 untrusted_app_27 #line 39 untrusted_app_29 #line 39 untrusted_app_30 #line 39 untrusted_app_all #line 39 } vndbinder_device:chr_file *; neverallow { #line 40 ephemeral_app #line 40 isolated_app #line 40 isolated_app_all #line 40 isolated_compute_app #line 40 mediaprovider #line 40 mediaprovider_app #line 40 untrusted_app #line 40 untrusted_app_25 #line 40 untrusted_app_27 #line 40 untrusted_app_29 #line 40 untrusted_app_30 #line 40 untrusted_app_all #line 40 } 
vndservice_manager_type:service_manager *; # Do not allow untrusted apps to connect to the property service # or set properties. b/10243159 # NOTE(review): mediaprovider is carved out (-mediaprovider) of all three property-service rules below, so these neverallows do not constrain it at all; keep that exemption limited to exactly these three rules. neverallow { { #line 44 ephemeral_app #line 44 isolated_app #line 44 isolated_app_all #line 44 isolated_compute_app #line 44 mediaprovider #line 44 mediaprovider_app #line 44 untrusted_app #line 44 untrusted_app_25 #line 44 untrusted_app_27 #line 44 untrusted_app_29 #line 44 untrusted_app_30 #line 44 untrusted_app_all #line 44 } -mediaprovider } property_socket:sock_file write; neverallow { { #line 45 ephemeral_app #line 45 isolated_app #line 45 isolated_app_all #line 45 isolated_compute_app #line 45 mediaprovider #line 45 mediaprovider_app #line 45 untrusted_app #line 45 untrusted_app_25 #line 45 untrusted_app_27 #line 45 untrusted_app_29 #line 45 untrusted_app_30 #line 45 untrusted_app_all #line 45 } -mediaprovider } init:unix_stream_socket connectto; neverallow { { #line 46 ephemeral_app #line 46 isolated_app #line 46 isolated_app_all #line 46 isolated_compute_app #line 46 mediaprovider #line 46 mediaprovider_app #line 46 untrusted_app #line 46 untrusted_app_25 #line 46 untrusted_app_27 #line 46 untrusted_app_29 #line 46 untrusted_app_30 #line 46 untrusted_app_all #line 46 } -mediaprovider } property_type:property_service set; # net.dns properties are not a public API. Disallow untrusted apps from reading this property. neverallow { { #line 49 ephemeral_app #line 49 isolated_app #line 49 isolated_app_all #line 49 isolated_compute_app #line 49 mediaprovider #line 49 mediaprovider_app #line 49 untrusted_app #line 49 untrusted_app_25 #line 49 untrusted_app_27 #line 49 untrusted_app_29 #line 49 untrusted_app_30 #line 49 untrusted_app_all #line 49 } } net_dns_prop:file read; # radio_cdma_ecm_prop properties are not a public API. Disallow untrusted apps from reading this property.
neverallow { { #line 52 ephemeral_app #line 52 isolated_app #line 52 isolated_app_all #line 52 isolated_compute_app #line 52 mediaprovider #line 52 mediaprovider_app #line 52 untrusted_app #line 52 untrusted_app_25 #line 52 untrusted_app_27 #line 52 untrusted_app_29 #line 52 untrusted_app_30 #line 52 untrusted_app_all #line 52 } } radio_cdma_ecm_prop:file read; # Shared libraries created by trusted components within an app home # directory can be dlopen()ed. To maintain the W^X property, these files # must never be writable to the app. neverallow { #line 57 ephemeral_app #line 57 isolated_app #line 57 isolated_app_all #line 57 isolated_compute_app #line 57 mediaprovider #line 57 mediaprovider_app #line 57 untrusted_app #line 57 untrusted_app_25 #line 57 untrusted_app_27 #line 57 untrusted_app_29 #line 57 untrusted_app_30 #line 57 untrusted_app_all #line 57 } app_exec_data_file:file { append create link relabelfrom relabelto rename setattr write }; # Block calling execve() on files in an apps home directory. # This is a W^X violation (loading executable code from a writable # home directory). For compatibility, allow for targetApi <= 28. # b/112357170 neverallow { { #line 65 ephemeral_app #line 65 isolated_app #line 65 isolated_app_all #line 65 isolated_compute_app #line 65 mediaprovider #line 65 mediaprovider_app #line 65 untrusted_app #line 65 untrusted_app_25 #line 65 untrusted_app_27 #line 65 untrusted_app_29 #line 65 untrusted_app_30 #line 65 untrusted_app_all #line 65 } -untrusted_app_25 -untrusted_app_27 -runas_app } { app_data_file privapp_data_file }:file execute_no_trans; # Do not allow untrusted apps to invoke dex2oat. This was historically required # by ART for compiling secondary dex files but has been removed in Q. # Exempt legacy apps (targetApi<=28) for compatibility. 
neverallow { { #line 75 ephemeral_app #line 75 isolated_app #line 75 isolated_app_all #line 75 isolated_compute_app #line 75 mediaprovider #line 75 mediaprovider_app #line 75 untrusted_app #line 75 untrusted_app_25 #line 75 untrusted_app_27 #line 75 untrusted_app_29 #line 75 untrusted_app_30 #line 75 untrusted_app_all #line 75 } -untrusted_app_25 -untrusted_app_27 } dex2oat_exec:file { execute execute_no_trans }; # Do not allow untrusted apps to be assigned mlstrustedsubject. # This would undermine the per-user isolation model being # enforced via levelFrom=user in seapp_contexts and the mls # constraints. As there is no direct way to specify a neverallow # on attribute assignment, this relies on the fact that fork # permission only makes sense within a domain (hence should # never be granted to any other domain within mlstrustedsubject) # and an untrusted app is allowed fork permission to itself. neverallow { #line 88 ephemeral_app #line 88 isolated_app #line 88 isolated_app_all #line 88 isolated_compute_app #line 88 mediaprovider #line 88 mediaprovider_app #line 88 untrusted_app #line 88 untrusted_app_25 #line 88 untrusted_app_27 #line 88 untrusted_app_29 #line 88 untrusted_app_30 #line 88 untrusted_app_all #line 88 } mlstrustedsubject:process fork; # Do not allow untrusted apps to hard link to any files. # In particular, if an untrusted app links to other app data # files, installd will not be able to guarantee the deletion # of the linked to file. Hard links also contribute to security # bugs, so we want to ensure untrusted apps never have this # capability. 
neverallow { #line 96 ephemeral_app #line 96 isolated_app #line 96 isolated_app_all #line 96 isolated_compute_app #line 96 mediaprovider #line 96 mediaprovider_app #line 96 untrusted_app #line 96 untrusted_app_25 #line 96 untrusted_app_27 #line 96 untrusted_app_29 #line 96 untrusted_app_30 #line 96 untrusted_app_all #line 96 } file_type:file link; # Do not allow untrusted apps to access network MAC address file neverallow { #line 99 ephemeral_app #line 99 isolated_app #line 99 isolated_app_all #line 99 isolated_compute_app #line 99 mediaprovider #line 99 mediaprovider_app #line 99 untrusted_app #line 99 untrusted_app_25 #line 99 untrusted_app_27 #line 99 untrusted_app_29 #line 99 untrusted_app_30 #line 99 untrusted_app_all #line 99 } sysfs_net:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; # Do not allow any write access to files in /sys neverallow { #line 102 ephemeral_app #line 102 isolated_app #line 102 isolated_app_all #line 102 isolated_compute_app #line 102 mediaprovider #line 102 mediaprovider_app #line 102 untrusted_app #line 102 untrusted_app_25 #line 102 untrusted_app_27 #line 102 untrusted_app_29 #line 102 untrusted_app_30 #line 102 untrusted_app_all #line 102 } sysfs_type:file { { append create link unlink relabelfrom rename setattr write } { execute execute_no_trans } }; # Apps may never access the default sysfs label. neverallow { #line 105 ephemeral_app #line 105 isolated_app #line 105 isolated_app_all #line 105 isolated_compute_app #line 105 mediaprovider #line 105 mediaprovider_app #line 105 untrusted_app #line 105 untrusted_app_25 #line 105 untrusted_app_27 #line 105 untrusted_app_29 #line 105 untrusted_app_30 #line 105 untrusted_app_all #line 105 } sysfs:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; # Restrict socket ioctls. Either 1. 
disallow privileged ioctls, 2. disallow the # ioctl permission, or 3. disallow the socket class. neverallowxperm { #line 109 ephemeral_app #line 109 isolated_app #line 109 isolated_app_all #line 109 isolated_compute_app #line 109 mediaprovider #line 109 mediaprovider_app #line 109 untrusted_app #line 109 untrusted_app_25 #line 109 untrusted_app_27 #line 109 untrusted_app_29 #line 109 untrusted_app_30 #line 109 untrusted_app_all #line 109 } domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl #line 109 { #line 109 # qualcomm rmnet ioctls #line 109 0x00006900 0x00006902 #line 109 # socket ioctls #line 109 0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916 #line 109 0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f #line 109 0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926 #line 109 0x00008927 0x00008929 0x00008930 0x00008931 0x00008932 #line 109 0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941 #line 109 0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a #line 109 0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970 #line 109 0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990 #line 109 0x00008991 0x00008992 0x00008993 0x00008994 #line 109 0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0 #line 109 # device and protocol specific ioctls #line 109 0x000089f0-0x000089ff #line 109 0x000089e0-0x000089ef #line 109 # Wireless extension ioctls #line 109 0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a #line 109 0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17 #line 109 0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d #line 109 0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a #line 109 0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33 #line 109 0x00008b34 0x00008b35 0x00008b36 #line 109 # Dev private ioctl i.e. 
hardware specific ioctls #line 109 0x00008be0-0x00008bff #line 109 }; neverallow { #line 110 ephemeral_app #line 110 isolated_app #line 110 isolated_app_all #line 110 isolated_compute_app #line 110 mediaprovider #line 110 mediaprovider_app #line 110 untrusted_app #line 110 untrusted_app_25 #line 110 untrusted_app_27 #line 110 untrusted_app_29 #line 110 untrusted_app_30 #line 110 untrusted_app_all #line 110 } *:{ netlink_route_socket netlink_selinux_socket } ioctl; neverallow { #line 111 ephemeral_app #line 111 isolated_app #line 111 isolated_app_all #line 111 isolated_compute_app #line 111 mediaprovider #line 111 mediaprovider_app #line 111 untrusted_app #line 111 untrusted_app_25 #line 111 untrusted_app_27 #line 111 untrusted_app_29 #line 111 untrusted_app_30 #line 111 untrusted_app_all #line 111 } *:{ socket netlink_socket packet_socket key_socket appletalk_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } *; # Apps can read/write an already open vsock (e.g. created by # virtualizationservice) but nothing more than that (e.g. creating a # new vsock, etc.) 
neverallow { #line 128 ephemeral_app #line 128 isolated_app #line 128 isolated_app_all #line 128 isolated_compute_app #line 128 mediaprovider #line 128 mediaprovider_app #line 128 untrusted_app #line 128 untrusted_app_25 #line 128 untrusted_app_27 #line 128 untrusted_app_29 #line 128 untrusted_app_30 #line 128 untrusted_app_all #line 128 } *:vsock_socket ~{ getattr getopt read write }; # The complement above means everything except getattr/getopt/read/write on an inherited vsock_socket (create, bind, connect, listen, accept, setopt, ...) is denied. # Disallow sending RTM_GETLINK messages on netlink sockets. neverallow { #line 131 ephemeral_app #line 131 isolated_app #line 131 isolated_app_all #line 131 isolated_compute_app #line 131 mediaprovider #line 131 mediaprovider_app #line 131 untrusted_app #line 131 untrusted_app_25 #line 131 untrusted_app_27 #line 131 untrusted_app_29 #line 131 untrusted_app_30 #line 131 untrusted_app_all #line 131 } domain:netlink_route_socket { bind nlmsg_readpriv }; neverallow priv_app domain:netlink_route_socket { bind nlmsg_readpriv }; # Disallow sending RTM_GETNEIGH{TBL} messages on netlink sockets. # Unlike the RTM_GETLINK rule above, the legacy untrusted_app_25/27/29/30 domains are exempted here (presumably for compatibility); every newer app domain in the set is still denied. neverallow { { #line 136 ephemeral_app #line 136 isolated_app #line 136 isolated_app_all #line 136 isolated_compute_app #line 136 mediaprovider #line 136 mediaprovider_app #line 136 untrusted_app #line 136 untrusted_app_25 #line 136 untrusted_app_27 #line 136 untrusted_app_29 #line 136 untrusted_app_30 #line 136 untrusted_app_all #line 136 } -untrusted_app_25 -untrusted_app_27 -untrusted_app_29 -untrusted_app_30 } domain:netlink_route_socket nlmsg_getneigh; # Do not allow untrusted apps access to /cache # Directories: only the read-only set (open/getattr/read/search/ioctl/lock/watch*) is left reachable; mediaprovider is exempted. neverallow { { #line 144 ephemeral_app #line 144 isolated_app #line 144 isolated_app_all #line 144 isolated_compute_app #line 144 mediaprovider #line 144 mediaprovider_app #line 144 untrusted_app #line 144 untrusted_app_25 #line 144 untrusted_app_27 #line 144 untrusted_app_29 #line 144 untrusted_app_30 #line 144 untrusted_app_all #line 144 } -mediaprovider } { cache_file cache_recovery_file }:dir ~{ { open getattr read search ioctl lock watch watch_reads } }; neverallow { { #line 145 ephemeral_app
#line 145 isolated_app #line 145 isolated_app_all #line 145 isolated_compute_app #line 145 mediaprovider #line 145 mediaprovider_app #line 145 untrusted_app #line 145 untrusted_app_25 #line 145 untrusted_app_27 #line 145 untrusted_app_29 #line 145 untrusted_app_30 #line 145 untrusted_app_all #line 145 } -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr }; # Do not allow untrusted apps to create/unlink files outside of its sandbox, # internal storage or sdcard. # World accessible data locations allow application to fill the device # with unaccounted for data. This data will not get removed during # application un-installation. # The subject set excludes mediaprovider; the object set is every fs_type/file_type minus the explicitly listed sandbox, storage and profile labels. neverallow { { #line 152 ephemeral_app #line 152 isolated_app #line 152 isolated_app_all #line 152 isolated_compute_app #line 152 mediaprovider #line 152 mediaprovider_app #line 152 untrusted_app #line 152 untrusted_app_25 #line 152 untrusted_app_27 #line 152 untrusted_app_29 #line 152 untrusted_app_30 #line 152 untrusted_app_all #line 152 } -mediaprovider } { fs_type -sdcard_type -fuse file_type -app_data_file # The apps sandbox itself -privapp_data_file -app_exec_data_file # stored within the app sandbox directory -media_rw_data_file # Internal storage. Known that apps can # leave artifacts here after uninstall.
-user_profile_data_file # Access to profile files #line 167 }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create unlink }; # No untrusted component except mediaprovider_app should be touching /dev/fuse neverallow { { #line 170 ephemeral_app #line 170 isolated_app #line 170 isolated_app_all #line 170 isolated_compute_app #line 170 mediaprovider #line 170 mediaprovider_app #line 170 untrusted_app #line 170 untrusted_app_25 #line 170 untrusted_app_27 #line 170 untrusted_app_29 #line 170 untrusted_app_30 #line 170 untrusted_app_all #line 170 } -mediaprovider_app } fuse_device:chr_file *; # Do not allow untrusted apps to directly open the tun_device neverallow { #line 173 ephemeral_app #line 173 isolated_app #line 173 isolated_app_all #line 173 isolated_compute_app #line 173 mediaprovider #line 173 mediaprovider_app #line 173 untrusted_app #line 173 untrusted_app_25 #line 173 untrusted_app_27 #line 173 untrusted_app_29 #line 173 untrusted_app_30 #line 173 untrusted_app_all #line 173 } tun_device:chr_file open; # The tun_device ioctls below are not allowed, to prove equivalence # to the kernel patch at # https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21 neverallowxperm { #line 177 ephemeral_app #line 177 isolated_app #line 177 isolated_app_all #line 177 isolated_compute_app #line 177 mediaprovider #line 177 mediaprovider_app #line 177 untrusted_app #line 177 untrusted_app_25 #line 177 untrusted_app_27 #line 177 untrusted_app_29 #line 177 untrusted_app_30 #line 177 untrusted_app_all #line 177 } tun_device:chr_file ioctl ~{ 0x00005451 0x00005450 0x800454d2 }; # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553) neverallow { #line 180 ephemeral_app #line 180 isolated_app #line 180 isolated_app_all #line 180 isolated_compute_app #line 180 mediaprovider #line 180 mediaprovider_app #line 180 untrusted_app #line 180 untrusted_app_25 #line 180 untrusted_app_27 #line 180 
untrusted_app_29 #line 180 untrusted_app_30 #line 180 untrusted_app_all #line 180 } anr_data_file:file ~{ open append }; neverallow { #line 181 ephemeral_app #line 181 isolated_app #line 181 isolated_app_all #line 181 isolated_compute_app #line 181 mediaprovider #line 181 mediaprovider_app #line 181 untrusted_app #line 181 untrusted_app_25 #line 181 untrusted_app_27 #line 181 untrusted_app_29 #line 181 untrusted_app_30 #line 181 untrusted_app_all #line 181 } anr_data_file:dir ~search; # Avoid reads from generically labeled /proc files # Create a more specific label if needed neverallow { #line 185 ephemeral_app #line 185 isolated_app #line 185 isolated_app_all #line 185 isolated_compute_app #line 185 mediaprovider #line 185 mediaprovider_app #line 185 untrusted_app #line 185 untrusted_app_25 #line 185 untrusted_app_27 #line 185 untrusted_app_29 #line 185 untrusted_app_30 #line 185 untrusted_app_all #line 185 } { proc proc_asound proc_kmsg proc_loadavg proc_mounts proc_pagetypeinfo proc_slabinfo proc_stat proc_swaps proc_uptime proc_version proc_vmallocinfo proc_vmstat }:file { { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads } { execute execute_no_trans } }; # /proc/filesystems is accessible to mediaprovider_app only since it handles # external storage neverallow { { #line 203 ephemeral_app #line 203 isolated_app #line 203 isolated_app_all #line 203 isolated_compute_app #line 203 mediaprovider #line 203 mediaprovider_app #line 203 untrusted_app #line 203 untrusted_app_25 #line 203 untrusted_app_27 #line 203 untrusted_app_29 #line 203 untrusted_app_30 #line 203 untrusted_app_all #line 203 } - mediaprovider_app } proc_filesystems:file { { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads } { execute execute_no_trans } }; # Avoid all access to kernel configuration neverallow { #line 206 
ephemeral_app #line 206 isolated_app #line 206 isolated_app_all #line 206 isolated_compute_app #line 206 mediaprovider #line 206 mediaprovider_app #line 206 untrusted_app #line 206 untrusted_app_25 #line 206 untrusted_app_27 #line 206 untrusted_app_29 #line 206 untrusted_app_30 #line 206 untrusted_app_all #line 206 } config_gz:file { { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads } { execute execute_no_trans } }; # Do not allow untrusted apps access to preloads data files neverallow { #line 209 ephemeral_app #line 209 isolated_app #line 209 isolated_app_all #line 209 isolated_compute_app #line 209 mediaprovider #line 209 mediaprovider_app #line 209 untrusted_app #line 209 untrusted_app_25 #line 209 untrusted_app_27 #line 209 untrusted_app_29 #line 209 untrusted_app_30 #line 209 untrusted_app_all #line 209 } preloads_data_file:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; # Locking of files on /system could lead to denial of service attacks # against privileged system components neverallow { #line 213 ephemeral_app #line 213 isolated_app #line 213 isolated_app_all #line 213 isolated_compute_app #line 213 mediaprovider #line 213 mediaprovider_app #line 213 untrusted_app #line 213 untrusted_app_25 #line 213 untrusted_app_27 #line 213 untrusted_app_29 #line 213 untrusted_app_30 #line 213 untrusted_app_all #line 213 } system_file:file lock; # Do not permit untrusted apps to perform actions on HwBinder service_manager # other than find actions for services listed below neverallow { #line 217 ephemeral_app #line 217 isolated_app #line 217 isolated_app_all #line 217 isolated_compute_app #line 217 mediaprovider #line 217 mediaprovider_app #line 217 untrusted_app #line 217 untrusted_app_25 #line 217 untrusted_app_27 #line 217 untrusted_app_29 #line 217 untrusted_app_30 #line 217 
untrusted_app_all #line 217 } *:hwservice_manager ~find; # Do not permit access from apps which host arbitrary code to the protected services # The two main reasons for this are: # 1. Protected HwBinder servers do not perform client authentication because # vendor code does not have a way to understand apps or their relation to # caller UID information and, even if it did, those services either operate # at a level below that of apps (e.g., HALs) or must not rely on app identity # for authorization. Thus, to be safe, the default assumption for all added # vendor services is that they treat all their clients as equally authorized # to perform operations offered by the service. # 2. HAL servers contain code with higher incidence rate of security issues # than system/core components and have access to lower layers of the stack # (all the way down to hardware) thus increasing opportunities for bypassing # the Android security model. neverallow { #line 232 ephemeral_app #line 232 isolated_app #line 232 isolated_app_all #line 232 isolated_compute_app #line 232 mediaprovider #line 232 mediaprovider_app #line 232 untrusted_app #line 232 untrusted_app_25 #line 232 untrusted_app_27 #line 232 untrusted_app_29 #line 232 untrusted_app_30 #line 232 untrusted_app_all #line 232 } protected_hwservice:hwservice_manager find; # The same restriction for Binder (service_manager) services carrying the protected_service attribute. neverallow { #line 233 ephemeral_app #line 233 isolated_app #line 233 isolated_app_all #line 233 isolated_compute_app #line 233 mediaprovider #line 233 mediaprovider_app #line 233 untrusted_app #line 233 untrusted_app_25 #line 233 untrusted_app_27 #line 233 untrusted_app_29 #line 233 untrusted_app_30 #line 233 untrusted_app_all #line 233 } protected_service:service_manager find; # SELinux is not an API for untrusted apps to use neverallow { #line 236 ephemeral_app #line 236 isolated_app #line 236 isolated_app_all #line 236 isolated_compute_app #line 236 mediaprovider #line 236 mediaprovider_app #line 236 untrusted_app #line 236 untrusted_app_25 #line 236
untrusted_app_27 #line 236 untrusted_app_29 #line 236 untrusted_app_30 #line 236 untrusted_app_all #line 236 } selinuxfs:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; # Access to /proc/tty/drivers, to allow apps to determine if they # are running in an emulated environment. # b/33214085 b/33814662 b/33791054 b/33211769 # https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java # This will go away in a future Android release neverallow { { #line 243 ephemeral_app #line 243 isolated_app #line 243 isolated_app_all #line 243 isolated_compute_app #line 243 mediaprovider #line 243 mediaprovider_app #line 243 untrusted_app #line 243 untrusted_app_25 #line 243 untrusted_app_27 #line 243 untrusted_app_29 #line 243 untrusted_app_30 #line 243 untrusted_app_all #line 243 } -untrusted_app_25 } proc_tty_drivers:file { getattr open read ioctl lock map watch watch_reads }; neverallow { #line 244 ephemeral_app #line 244 isolated_app #line 244 isolated_app_all #line 244 isolated_compute_app #line 244 mediaprovider #line 244 mediaprovider_app #line 244 untrusted_app #line 244 untrusted_app_25 #line 244 untrusted_app_27 #line 244 untrusted_app_29 #line 244 untrusted_app_30 #line 244 untrusted_app_all #line 244 } proc_tty_drivers:file ~{ getattr open read ioctl lock map watch watch_reads }; # Untrusted apps are not allowed to use cgroups. 
neverallow { #line 247 ephemeral_app #line 247 isolated_app #line 247 isolated_app_all #line 247 isolated_compute_app #line 247 mediaprovider #line 247 mediaprovider_app #line 247 untrusted_app #line 247 untrusted_app_25 #line 247 untrusted_app_27 #line 247 untrusted_app_29 #line 247 untrusted_app_30 #line 247 untrusted_app_all #line 247 } cgroup:file *; neverallow { #line 248 ephemeral_app #line 248 isolated_app #line 248 isolated_app_all #line 248 isolated_compute_app #line 248 mediaprovider #line 248 mediaprovider_app #line 248 untrusted_app #line 248 untrusted_app_25 #line 248 untrusted_app_27 #line 248 untrusted_app_29 #line 248 untrusted_app_30 #line 248 untrusted_app_all #line 248 } cgroup_v2:file *; # /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps # must not use it. neverallow { { #line 253 ephemeral_app #line 253 isolated_app #line 253 isolated_app_all #line 253 isolated_compute_app #line 253 mediaprovider #line 253 mediaprovider_app #line 253 untrusted_app #line 253 untrusted_app_25 #line 253 untrusted_app_27 #line 253 untrusted_app_29 #line 253 untrusted_app_30 #line 253 untrusted_app_all #line 253 } -untrusted_app_25 -untrusted_app_27 } mnt_sdcard_file:lnk_file *; # Only privileged apps may find the incident service neverallow { #line 259 ephemeral_app #line 259 isolated_app #line 259 isolated_app_all #line 259 isolated_compute_app #line 259 mediaprovider #line 259 mediaprovider_app #line 259 untrusted_app #line 259 untrusted_app_25 #line 259 untrusted_app_27 #line 259 untrusted_app_29 #line 259 untrusted_app_30 #line 259 untrusted_app_all #line 259 } incident_service:service_manager find; # Only privileged apps may find stats service neverallow { #line 262 ephemeral_app #line 262 isolated_app #line 262 isolated_app_all #line 262 isolated_compute_app #line 262 mediaprovider #line 262 mediaprovider_app #line 262 untrusted_app #line 262 untrusted_app_25 #line 262 untrusted_app_27 #line 262 untrusted_app_29 #line 262 
untrusted_app_30 #line 262 untrusted_app_all #line 262 } stats_service:service_manager find; # Do not allow untrusted app to read hidden system properties. # mediaprovider and mediaprovider_app are exempted (see -mediaprovider -mediaprovider_app below) # because of their specific logging use cases; no other normally untrusted app domain is exempted. # Context: b/193912100 neverallow { { #line 269 ephemeral_app #line 269 isolated_app #line 269 isolated_app_all #line 269 isolated_compute_app #line 269 mediaprovider #line 269 mediaprovider_app #line 269 untrusted_app #line 269 untrusted_app_25 #line 269 untrusted_app_27 #line 269 untrusted_app_29 #line 269 untrusted_app_30 #line 269 untrusted_app_all #line 269 } -mediaprovider -mediaprovider_app } { userdebug_or_eng_prop }:file read; # Do not allow untrusted app to access /dev/socket/mdnsd since U. The socket is # used to communicate to the mdnsd responder. The mdnsd responder will be # replaced by a java implementation which is integrated into the system server. # For untrusted apps running with API level 33-, they still have access to # /dev/socket/mdnsd for backward compatibility.
neverallow { { #line 280 ephemeral_app #line 280 isolated_app #line 280 isolated_app_all #line 280 isolated_compute_app #line 280 mediaprovider #line 280 mediaprovider_app #line 280 untrusted_app #line 280 untrusted_app_25 #line 280 untrusted_app_27 #line 280 untrusted_app_29 #line 280 untrusted_app_30 #line 280 untrusted_app_all #line 280 } -untrusted_app_25 -untrusted_app_27 -untrusted_app_29 -untrusted_app_30 -untrusted_app_32 } mdnsd_socket:sock_file write; neverallow { { #line 288 ephemeral_app #line 288 isolated_app #line 288 isolated_app_all #line 288 isolated_compute_app #line 288 mediaprovider #line 288 mediaprovider_app #line 288 untrusted_app #line 288 untrusted_app_25 #line 288 untrusted_app_27 #line 288 untrusted_app_29 #line 288 untrusted_app_30 #line 288 untrusted_app_all #line 288 } -untrusted_app_25 -untrusted_app_27 -untrusted_app_29 -untrusted_app_30 -untrusted_app_32 } mdnsd:unix_stream_socket connectto; # Do not allow untrusted apps to use anonymous inodes. At the moment, # type transitions are the only way to distinguish between different # anon_inode usages like userfaultfd and io_uring. This prevents us from # creating a more fine-grained neverallow policy for each anon_inode usage. neverallow { #line 300 ephemeral_app #line 300 isolated_app #line 300 isolated_app_all #line 300 isolated_compute_app #line 300 mediaprovider #line 300 mediaprovider_app #line 300 untrusted_app #line 300 untrusted_app_25 #line 300 untrusted_app_27 #line 300 untrusted_app_29 #line 300 untrusted_app_30 #line 300 untrusted_app_all #line 300 } domain:anon_inode *; # Do not allow untrusted app access to hidraw devices. 
neverallow { #line 303 ephemeral_app #line 303 isolated_app #line 303 isolated_app_all #line 303 isolated_compute_app #line 303 mediaprovider #line 303 mediaprovider_app #line 303 untrusted_app #line 303 untrusted_app_25 #line 303 untrusted_app_27 #line 303 untrusted_app_29 #line 303 untrusted_app_30 #line 303 untrusted_app_all #line 303 } hidraw_device:chr_file *; #line 1 "system/sepolicy/private/app_zygote.te" typeattribute app_zygote coredomain; ###### ###### Policy below is different from regular zygote-spawned apps ###### # Allow access to temporary files, which is normally permitted through # a domain macro. #line 9 type_transition app_zygote tmpfs:file app_zygote_tmpfs; #line 9 allow app_zygote app_zygote_tmpfs:file { read write getattr map }; #line 9 ; # Set the UID/GID of the process. # This will be further limited to a range of isolated UIDs with seccomp. allow app_zygote self:{ capability cap_userns } { setgid setuid }; # Drop capabilities from bounding set. allow app_zygote self:{ capability cap_userns } setpcap; # Switch SELinux context to isolated app domain. allow app_zygote self:process setcurrent; allow app_zygote isolated_app:process dyntransition; # For JIT allow app_zygote self:process execmem; # Allow exec mapping from tmpfs (memfds) for binary translation # NOTE(review): together with the { read write getattr map } grant on app_zygote_tmpfs above, this makes the same label both writable and executable for app_zygote, i.e. a deliberate W^X exception; it must stay confined to app_zygote_tmpfs and not widen to tmpfs generally. allow app_zygote app_zygote_tmpfs:file execute; # Allow app_zygote to stat the files that it opens. It must # be able to inspect them so that it can reopen them on fork # if necessary: b/30963384. allow app_zygote debugfs_trace_marker:file getattr; # get system_server process group allow app_zygote system_server:process getpgid; # Interaction between the app_zygote and its children. allow app_zygote isolated_app:process setpgid; # TODO (b/63631799) fix this access dontaudit app_zygote mnt_expand_file:dir getattr; # Get seapp_contexts allow app_zygote seapp_contexts_file:file { getattr open read ioctl lock map watch watch_reads }; # Check validity of SELinux context before use.
#line 43 #line 43 allow app_zygote selinuxfs:dir { open getattr read search ioctl lock watch watch_reads }; #line 43 allow app_zygote selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 43 #line 43 allow app_zygote selinuxfs:file { open append write lock map }; #line 43 allow app_zygote kernel:security check_context; #line 43 # Check SELinux permissions. #line 45 #line 45 allow app_zygote selinuxfs:dir { open getattr read search ioctl lock watch watch_reads }; #line 45 allow app_zygote selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 45 #line 45 allow app_zygote selinuxfs:file { open append write lock map }; #line 45 allow app_zygote kernel:security compute_av; #line 45 allow app_zygote self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; #line 45 # Read and inspect temporary files managed by zygote. allow app_zygote zygote_tmpfs:file { read getattr }; ###### ###### Policy below is shared with regular zygote-spawned apps ###### # Child of zygote. allow app_zygote zygote:fd use; allow app_zygote zygote:process sigchld; # For ART (read /data/dalvik-cache). #line 59 allow app_zygote dalvikcache_data_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 59 allow app_zygote dalvikcache_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 59 ; allow app_zygote dalvikcache_data_file:file execute; # For ART (allow userfaultfd and related ioctls) #line 63 # Set up a type_transition to "userfaultfd" named anonymous inode object. #line 63 type app_zygote_userfaultfd; #line 63 type_transition app_zygote app_zygote:anon_inode app_zygote_userfaultfd "[userfaultfd]"; #line 63 # Allow domain to create/use userfaultfd anon_inode. 
#line 63 allow app_zygote app_zygote_userfaultfd:anon_inode { create ioctl read }; #line 63 # Suppress errors generate during bugreport #line 63 dontaudit su app_zygote_userfaultfd:anon_inode *; #line 63 # Other domains may not use userfaultfd anon_inodes created by this domain. #line 63 neverallow { domain -app_zygote } app_zygote_userfaultfd:anon_inode *; #line 63 # Read /data/misc/apexdata/ to (get to com.android.art/dalvik-cache). allow app_zygote apex_module_data_file:dir search; # For ART APEX (read /data/misc/apexdata/com.android.art/dalvik-cache). #line 68 allow app_zygote apex_art_data_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 68 allow app_zygote apex_art_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 68 # Allow reading/executing installed binaries to enable preloading # application data allow app_zygote apk_data_file:dir { open getattr read search ioctl lock watch watch_reads }; allow app_zygote apk_data_file:file { { getattr open read ioctl lock map watch watch_reads } execute }; # /oem accesses. allow app_zygote oemfs:dir search; # Allow app_zygote access to /vendor/overlay #line 79 allow app_zygote vendor_overlay_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 79 allow app_zygote vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 79 # Allow app_zygote to read vendor_overlay_file from vendor apex as well allow app_zygote vendor_apex_metadata_file:dir { getattr search }; allow app_zygote system_data_file:lnk_file { getattr open read ioctl lock map watch watch_reads }; allow app_zygote system_data_file:file { getattr read map }; # Send unsolicited message to system_server #line 87 allow app_zygote system_unsolzygote_socket:sock_file write; #line 87 allow app_zygote system_server:unix_dgram_socket sendto; #line 87 # Allow the app_zygote to access the runtime feature flag properties. 
#line 90 allow app_zygote device_config_runtime_native_prop:file { getattr open read map }; #line 90 #line 91 allow app_zygote device_config_runtime_native_boot_prop:file { getattr open read map }; #line 91 # Allow app_zygote to access odsign verification status #line 94 allow app_zygote odsign_prop:file { getattr open read map }; #line 94 # /data/resource-cache allow app_zygote resourcecache_data_file:file { getattr open read ioctl lock map watch watch_reads }; allow app_zygote resourcecache_data_file:dir { open getattr read search ioctl lock watch watch_reads }; ##### ##### Neverallow ##### # Only permit transition to isolated_app. neverallow app_zygote { domain -isolated_app }:process dyntransition; # Only setcon() transitions, no exec() based transitions, except for crash_dump. neverallow app_zygote { domain -crash_dump }:process transition; # Must not exec() a program without changing domains. # Having said that, exec() above is not allowed. neverallow app_zygote *:file execute_no_trans; # The only way to enter this domain is for the zygote to fork a new # app_zygote child. neverallow { domain -zygote } app_zygote:process dyntransition; # Disallow write access to properties. neverallow app_zygote property_socket:sock_file write; neverallow app_zygote property_type:property_service set; # Should not have any access to data files. neverallow app_zygote app_data_file_type:file { { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } { getattr execute execute_no_trans map } } }; neverallow app_zygote { service_manager_type -activity_service -webviewupdate_service }:service_manager find; # Isolated apps should not be able to access the driver directly. neverallow app_zygote gpu_device:chr_file { { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } { getattr execute execute_no_trans map } } }; # Do not allow app_zygote access to /cache. 
neverallow app_zygote cache_file:dir ~{ { open getattr read search ioctl lock watch watch_reads } }; neverallow app_zygote cache_file:file ~{ read getattr }; # Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket, # unix_stream_socket, and netlink_selinux_socket. neverallow app_zygote domain:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket } *; # Only allow app_zygote to talk to the logd socket, and su on eng/userdebug. # This is because cap_setuid/cap_setgid allow to forge uid/gid in # SCM_CREDENTIALS. Think twice before changing. neverallow app_zygote { domain -app_zygote -logd -system_server }:unix_dgram_socket *; neverallow app_zygote { domain -app_zygote -prng_seeder }:unix_stream_socket *; # Never allow ptrace neverallow app_zygote *:process ptrace; # Do not allow access to Bluetooth-related system properties. # neverallow rules for Bluetooth-related data files are listed above. 
neverallow app_zygote { bluetooth_a2dp_offload_prop bluetooth_audio_hal_prop bluetooth_prop exported_bluetooth_prop }:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; #line 1 "system/sepolicy/private/art_boot.te" # ART boot oneshot service type art_boot, domain, coredomain; type art_boot_exec, exec_type, file_type, system_file_type; #line 5 #line 5 # Allow the necessary permissions. #line 5 #line 5 # Old domain may exec the file and transition to the new domain. #line 5 allow init art_boot_exec:file { getattr open read execute map }; #line 5 allow init art_boot:process transition; #line 5 # New domain is entered by executing the file. #line 5 allow art_boot art_boot_exec:file { entrypoint open read execute getattr map }; #line 5 # New domain can send SIGCHLD to its caller. #line 5 #line 5 # Enable AT_SECURE, i.e. libc secure mode. #line 5 dontaudit init art_boot:process noatsecure; #line 5 # XXX dontaudit candidate but requires further study. #line 5 allow init art_boot:process { siginh rlimitinh }; #line 5 #line 5 # Make the transition occur by default. #line 5 type_transition init art_boot_exec:process art_boot; #line 5 #line 5 # Allow query of device config properties, typically experiment flags. #line 8 allow art_boot device_config_runtime_native_boot_prop:file { getattr open read map }; #line 8 #line 9 allow art_boot device_config_runtime_native_prop:file { getattr open read map }; #line 9 # Allow ART to set its config properties at boot, mainly to be able to propagate # experiment flags to properties that only may change at boot. 
#line 13
#line 13
allow art_boot property_socket:sock_file write;
#line 13
allow art_boot init:unix_stream_socket connectto;
#line 13
#line 13
allow art_boot dalvik_config_prop_type:property_service set;
#line 13
#line 13
allow art_boot dalvik_config_prop_type:file { getattr open read map };
#line 13
#line 13
#line 1 "system/sepolicy/private/artd.te"
# ART service daemon.
# Binder service (artd_service / artd_pre_reboot_service) started by init that
# drives dex2oat and profman on behalf of the system. It holds DAC-bypassing
# capabilities and write/relabel access across app data, see below.
typeattribute artd coredomain;
# mlstrustedsubject exempts artd from the MLS constraints, consistent with the
# cross-user app data access granted further down.
typeattribute artd mlstrustedsubject;
type artd_exec, system_file_type, exec_type, file_type;
type artd_tmpfs, file_type;

# Allow artd to publish a binder service and make binder calls.
#line 8
# Call the servicemanager and transfer references to it.
#line 8
allow artd servicemanager:binder { call transfer };
#line 8
# Allow servicemanager to send out callbacks
#line 8
allow servicemanager artd:binder { call transfer };
#line 8
# servicemanager performs getpidcon on clients.
#line 8
allow servicemanager artd:dir search;
#line 8
allow servicemanager artd:file { read open };
#line 8
allow servicemanager artd:process getattr;
#line 8
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 8
# all domains in domain.te.
#line 8
#line 9
allow artd artd_service:service_manager { add find };
#line 9
neverallow { domain -artd } artd_service:service_manager add;
#line 9
#line 9
# On debug builds with root, allow binder services to use binder over TCP.
#line 9
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 9
#line 9
#line 10
allow artd artd_pre_reboot_service:service_manager { add find };
#line 10
neverallow { domain -artd } artd_pre_reboot_service:service_manager add;
#line 10
#line 10
# On debug builds with root, allow binder services to use binder over TCP.
#line 10
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 10
#line 10
allow artd dumpstate:fifo_file { getattr write };
allow artd dumpstate:fd use;

#line 14
#line 14
# Allow the necessary permissions.
#line 14
#line 14
# Old domain may exec the file and transition to the new domain.
#line 14
allow init artd_exec:file { getattr open read execute map };
#line 14
allow init artd:process transition;
#line 14
# New domain is entered by executing the file.
#line 14
allow artd artd_exec:file { entrypoint open read execute getattr map };
#line 14
# New domain can send SIGCHLD to its caller.
#line 14
#line 14
# Enable AT_SECURE, i.e. libc secure mode.
#line 14
dontaudit init artd:process noatsecure;
#line 14
# XXX dontaudit candidate but requires further study.
#line 14
allow init artd:process { siginh rlimitinh };
#line 14
#line 14
# Make the transition occur by default.
#line 14
type_transition init artd_exec:process artd;
#line 14
#line 14

# Allow query ART device config properties
#line 17
allow artd device_config_runtime_native_prop:file { getattr open read map };
#line 17
#line 18
allow artd device_config_runtime_native_boot_prop:file { getattr open read map };
#line 18

# Access to "odsign.verification.success" for deciding whether to deny files in
# the ART APEX data directory.
#line 22
allow artd odsign_prop:file { getattr open read map };
#line 22

# Reading an APK opens a ZipArchive, which unpacks to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by artd their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by artd vs other
# processes.
#line 29
type_transition artd tmpfs:file artd_tmpfs;
#line 29
allow artd artd_tmpfs:file { read write getattr map };
#line 29

# Allow testing userfaultfd support.
#line 32
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 32
type artd_userfaultfd;
#line 32
type_transition artd artd:anon_inode artd_userfaultfd "[userfaultfd]";
#line 32
# Allow domain to create/use userfaultfd anon_inode.
#line 32
allow artd artd_userfaultfd:anon_inode { create ioctl read };
#line 32
# Suppress errors generated during bugreport
#line 32
dontaudit su artd_userfaultfd:anon_inode *;
#line 32
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 32
neverallow { domain -artd } artd_userfaultfd:anon_inode *;
#line 32

# Read access to primary dex'es on writable partitions
# ({/data,/mnt/expand/<volume>}/app/...).
# Also allow creating the "oat" directory before restorecon.
allow artd mnt_expand_file:dir { getattr search };
allow artd apk_data_file:dir { { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } create setattr relabelfrom };
allow artd apk_data_file:file { getattr open read ioctl lock map watch watch_reads };

# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
#line 42
allow artd vendor_app_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 42
allow artd vendor_app_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 42

# Read access to vendor overlay APKs ({/vendor,/odm,/oem,/apex/*}/overlay/...).
allow artd oemfs:dir { getattr search };
#line 46
allow artd vendor_overlay_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 46
allow artd vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 46

# Vendor overlay can be found in vendor apex
allow artd vendor_apex_metadata_file:dir { getattr search };

# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
#line 51
allow artd vendor_framework_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 51
allow artd vendor_framework_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 51

# Read/write access to all compilation artifacts generated on device for apps'
# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
allow artd dalvikcache_data_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelto };
allow artd dalvikcache_data_file:file { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } relabelto };

# Read access to the ART APEX data directory.
# Needed for reading the boot image generated on device.
allow artd apex_module_data_file:dir { getattr search };
#line 61
allow artd apex_art_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 61
allow artd apex_art_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 61

# Read access to /apex/apex-info-list.xml
# Needed for getting APEX versions.
allow artd apex_info_file:file { getattr open read ioctl lock map watch watch_reads };

# Allow getting root capabilities to bypass permission checks.
# - "dac_override" and "dac_read_search" are for
#   - reading secondary dex'es in app data directories (reading primary dex'es
#     doesn't need root capabilities)
#   - managing (CRUD) compilation artifacts in both APK directories for primary
#     dex'es and in app data directories for secondary dex'es
#   - managing (CRUD) profile files for both primary dex'es and secondary dex'es
# - "fowner" is for adjusting the file permissions of compilation artifacts and
#   profile files based on whether they include user data or not.
# - "chown" is for transferring the ownership of compilation artifacts and
#   profile files to the system or apps.
# NOTE(review): combined with the app_data_file_type create/relabel rules below,
# these capabilities let artd write and relabel anywhere under app data. TE
# policy cannot restrict which paths it touches, so path validation of binder
# arguments has to live in artd itself.
allow artd self:{ capability cap_userns } { dac_override dac_read_search fowner chown };

# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...). Also allow
# scanning /data/misc/profiles/cur, for cleaning up obsolete managed files.
allow artd user_profile_root_file:dir { open getattr read search ioctl lock watch watch_reads };
allow artd user_profile_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow artd user_profile_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };

# Read/write access to secondary dex files, their profiles, and their
# compilation artifacts
# ({/data,/mnt/expand/<volume>}/{user,user_de}/<user-id>/<package>/...).
allow artd app_data_file_type:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelfrom relabelto };
allow artd app_data_file_type:file { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } relabelfrom relabelto };

# Allow symlinks for secondary dex files. This has to be restricted because
# symlinks can cause various security issues. We allow "privapp_data_file" just
# for GMS because so far we only see GMS using symlinks.
allow artd privapp_data_file:lnk_file { getattr read };

# Read access to SELinux context files, for restorecon.
allow artd file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
allow artd seapp_contexts_file:file { getattr open read ioctl lock map watch watch_reads };

# Check validity of SELinux context, for restorecon.
#line 102
#line 102
allow artd selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 102
allow artd selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 102
#line 102
allow artd selinuxfs:file { open append write lock map };
#line 102
allow artd kernel:security check_context;
#line 102

# Allow scanning /, for cleaning up obsolete managed files.
allow artd rootfs:dir { open getattr read search ioctl lock watch watch_reads };

# Allow scanning /data, for cleaning up obsolete managed files.
allow artd system_data_root_file:dir { open getattr read search ioctl lock watch watch_reads };

# Allow scanning /mnt, for cleaning up obsolete managed files.
allow artd tmpfs:dir { open getattr read search ioctl lock watch watch_reads };

# Allow scanning /mnt/expand, for cleaning up obsolete managed files.
allow artd mnt_expand_file:dir { open getattr read search ioctl lock watch watch_reads };

# Allow scanning {/data,/mnt/expand/<volume>}/{user,user_de}, for cleaning
# up obsolete managed files.
allow artd system_userdir_file:dir { open getattr read search ioctl lock watch watch_reads };

# Allow scanning {/data,/mnt/expand/<volume>}/{user,user_de}/<user-id> and
# /mnt/expand/<volume>, for cleaning up obsolete managed files.
allow artd system_data_file:dir { open getattr read search ioctl lock watch watch_reads };

# Never allow running other binaries without a domain transition.
# The only exception is art_exec. It is allowed to use the artd domain because
# it is a thin wrapper that executes other binaries on behalf of artd.
neverallow artd ~{art_exec_exec}:file execute_no_trans;
allow artd art_exec_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };

# Allow running other binaries in their own domains.
#line 131
# Allow the necessary permissions.
#line 131
#line 131
# Old domain may exec the file and transition to the new domain.
#line 131
allow artd profman_exec:file { getattr open read execute map };
#line 131
allow artd profman:process transition;
#line 131
# New domain is entered by executing the file.
#line 131
allow profman profman_exec:file { entrypoint open read execute getattr map };
#line 131
# New domain can send SIGCHLD to its caller.
#line 131
allow profman artd:process sigchld;
#line 131
# Enable AT_SECURE, i.e. libc secure mode.
#line 131
dontaudit artd profman:process noatsecure;
#line 131
# XXX dontaudit candidate but requires further study.
#line 131
allow artd profman:process { siginh rlimitinh };
#line 131
#line 131
# Make the transition occur by default.
#line 131
type_transition artd profman_exec:process profman;
#line 131
#line 132
# Allow the necessary permissions.
#line 132
#line 132
# Old domain may exec the file and transition to the new domain.
#line 132
allow artd dex2oat_exec:file { getattr open read execute map };
#line 132
allow artd dex2oat:process transition;
#line 132
# New domain is entered by executing the file.
#line 132
allow dex2oat dex2oat_exec:file { entrypoint open read execute getattr map };
#line 132
# New domain can send SIGCHLD to its caller.
#line 132
allow dex2oat artd:process sigchld;
#line 132
# Enable AT_SECURE, i.e. libc secure mode.
#line 132
dontaudit artd dex2oat:process noatsecure;
#line 132
# XXX dontaudit candidate but requires further study.
#line 132
allow artd dex2oat:process { siginh rlimitinh };
#line 132
#line 132
# Make the transition occur by default.
#line 132
type_transition artd dex2oat_exec:process dex2oat;
#line 132

# Allow sending sigkill to subprocesses.
allow artd { profman dex2oat }:process sigkill;

# Allow reading process info (/proc/<pid>/...).
# This is needed for getting CPU time and wall time spent on subprocesses.
#line 139
allow artd profman:dir { open getattr read search ioctl lock watch watch_reads };
#line 139
allow artd profman:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 139
;
#line 140
allow artd dex2oat:dir { open getattr read search ioctl lock watch watch_reads };
#line 140
allow artd dex2oat:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 140
;

# Allow artd to reopen its own memfd.
# artd needs to reopen a memfd with readonly in order to pass it to subprocesses
# that don't have write permissions on memfds.
allow artd artd_tmpfs:file open;
#line 1 "system/sepolicy/private/asan_extract.te"
# type_transition must be private policy; the domain_trans rules could stay
# public, but conceptually should go with this.

# Technically not a daemon but we do want the transition from init domain to
# asan_extract to occur.
# (Presumably a userdebug/eng-only block: nothing is emitted for asan_extract
# in this expansion.)
#line 11
#line 1 "system/sepolicy/private/atrace.te"
# Domain for atrace process.
# It is spawned either by traced_probes or by init for the boottrace service.

type atrace_exec, exec_type, file_type, system_file_type;

# boottrace service uses /data/misc/boottrace/categories
allow atrace boottrace_data_file:dir search;
allow atrace boottrace_data_file:file { getattr open read ioctl lock map watch watch_reads };

# Allow atrace to access tracefs.
allow atrace debugfs_tracing:dir { open getattr read search ioctl lock watch watch_reads };
allow atrace debugfs_tracing:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow atrace debugfs_trace_marker:file getattr;

# Allow atrace to write data when a pipe is used for stdout/stderr.
# This is used by Perfetto to capture atrace stdout/stderr.
allow atrace traced_probes:fd use;
allow atrace traced_probes:fifo_file { getattr write };

# atrace sets debug.atrace.* properties
#line 21
#line 21
allow atrace property_socket:sock_file write;
#line 21
allow atrace init:unix_stream_socket connectto;
#line 21
#line 21
allow atrace debug_prop:property_service set;
#line 21
#line 21
allow atrace debug_prop:file { getattr open read map };
#line 21
#line 21

# atrace pokes all the binder-enabled processes at startup with a
# SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
# Allow discovery of binder services.
# Every service_manager_type except the explicitly excluded, more sensitive
# services (apex, dumpstate, installd, netd, vold, ...) may be looked up.
allow atrace { service_manager_type -apex_service -dnsresolver_service -dumpstate_service -incident_service -installd_service -lpdump_service -mdns_service -netd_service -stats_service -tracingproxy_service -vold_service -default_android_service }:service_manager { find };
allow atrace servicemanager:service_manager list;

# Allow notifying the processes hosting specific binder services that
# trace-related system properties have changed.
#line 46
# Call the servicemanager and transfer references to it.
#line 46
allow atrace servicemanager:binder { call transfer };
#line 46
# Allow servicemanager to send out callbacks
#line 46
allow servicemanager atrace:binder { call transfer };
#line 46
# servicemanager performs getpidcon on clients.
#line 46
allow servicemanager atrace:dir search;
#line 46
allow servicemanager atrace:file { read open };
#line 46
allow servicemanager atrace:process getattr;
#line 46
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 46
# all domains in domain.te.
#line 46
# Only these three processes may actually be called; every other binder call
# attempt is silenced by the dontaudit below rather than allowed.
allow atrace surfaceflinger:binder call;
allow atrace system_server:binder call;
allow atrace cameraserver:binder call;

# Similarly, on debug builds, allow specific HALs to be notified that
# trace-related system properties have changed.
# (Nothing is emitted here in this expansion.)
#line 59

# Remove logspam from notification attempts to non-allowlisted services.
dontaudit atrace hwservice_manager_type:hwservice_manager find;
dontaudit atrace service_manager_type:service_manager find;
dontaudit atrace domain:binder call;

# atrace can call atrace HAL
#line 67
typeattribute atrace halclientdomain;
#line 67
typeattribute atrace hal_atrace_client;
#line 67
#line 67
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 67
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 67
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 67
#line 67
typeattribute atrace hal_atrace;
#line 67
# Find passthrough HAL implementations
#line 67
allow hal_atrace system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 67
allow hal_atrace vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 67
allow hal_atrace vendor_file:file { read open getattr execute map };
#line 67
#line 67
#line 69
allow atrace hwservicemanager_prop:file { getattr open read map };
#line 69
#line 79
dontaudit atrace debugfs_tracing_debug:file audit_access;
#line 1 "system/sepolicy/private/audioserver.te"
# audioserver - audio services daemon
# Started by init (domain_auto_trans expansion below). It is a
# binderservicedomain and a HAL client; its network isolation is enforced by
# the neverallow rules at the end of this file.
typeattribute audioserver coredomain;
type audioserver_exec, exec_type, file_type, system_file_type;

#line 6
#line 6
# Allow the necessary permissions.
#line 6
#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow init audioserver_exec:file { getattr open read execute map };
#line 6
allow init audioserver:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow audioserver audioserver_exec:file { entrypoint open read execute getattr map };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit init audioserver:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow init audioserver:process { siginh rlimitinh };
#line 6
#line 6
# Make the transition occur by default.
#line 6
type_transition init audioserver_exec:process audioserver;
#line 6
#line 6
#line 7
type_transition audioserver tmpfs:file audioserver_tmpfs;
#line 7
allow audioserver audioserver_tmpfs:file { read write getattr map };
#line 7
# Read-only access to external storage (sdcard_type and fuse).
#line 9
allow audioserver sdcard_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow audioserver sdcard_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 9
#line 10
allow audioserver fuse:dir { open getattr read search ioctl lock watch watch_reads };
#line 10
allow audioserver fuse:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 10
#line 12
# Call the servicemanager and transfer references to it.
#line 12
allow audioserver servicemanager:binder { call transfer };
#line 12
# Allow servicemanager to send out callbacks
#line 12
allow servicemanager audioserver:binder { call transfer };
#line 12
# servicemanager performs getpidcon on clients.
#line 12
allow servicemanager audioserver:dir search;
#line 12
allow servicemanager audioserver:file { read open };
#line 12
allow servicemanager audioserver:process getattr;
#line 12
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 12
# all domains in domain.te.
#line 12
#line 13
# Call the server domain and optionally transfer references to it.
#line 13
allow audioserver binderservicedomain:binder { call transfer };
#line 13
# Allow the serverdomain to transfer references to the client on the reply.
#line 13
allow binderservicedomain audioserver:binder transfer;
#line 13
# Receive and use open files from the server.
#line 13
allow audioserver binderservicedomain:fd use;
#line 13
#line 14
# Call the server domain and optionally transfer references to it.
#line 14
allow audioserver appdomain:binder { call transfer };
#line 14
# Allow the serverdomain to transfer references to the client on the reply.
#line 14
allow appdomain audioserver:binder transfer;
#line 14
# Receive and use open files from the server.
#line 14
allow audioserver appdomain:fd use;
#line 14
#line 15
typeattribute audioserver binderservicedomain;
#line 15
#line 17
typeattribute audioserver halclientdomain;
#line 17
typeattribute audioserver hal_allocator_client;
#line 17
#line 17
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 17
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 17
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 17
#line 17
typeattribute audioserver hal_allocator;
#line 17
# Find passthrough HAL implementations
#line 17
allow hal_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 17
allow hal_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 17
allow hal_allocator vendor_file:file { read open getattr execute map };
#line 17
#line 17
# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
#line 19
allow audioserver system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 19
allow audioserver system_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 19
#line 21
typeattribute audioserver halclientdomain;
#line 21
typeattribute audioserver hal_audio_client;
#line 21
#line 21
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 21
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 21
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 21
#line 21
typeattribute audioserver hal_audio;
#line 21
# Find passthrough HAL implementations
#line 21
allow hal_audio system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 21
allow hal_audio vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 21
allow hal_audio vendor_file:file { read open getattr execute map };
#line 21
#line 21
#line 31
#line 33
allow audioserver audioserver_service:service_manager { add find };
#line 33
neverallow { domain -audioserver } audioserver_service:service_manager add;
#line 33
#line 33
# On debug builds with root, allow binder services to use binder over TCP.
#line 33
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 33
#line 33
# Explicit allowlist of the system services audioserver may look up.
allow audioserver activity_service:service_manager find;
allow audioserver appops_service:service_manager find;
allow audioserver batterystats_service:service_manager find;
allow audioserver external_vibrator_service:service_manager find;
allow audioserver package_native_service:service_manager find;
allow audioserver permission_service:service_manager find;
allow audioserver permission_checker_service:service_manager find;
allow audioserver power_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;
allow audioserver mediametrics_service:service_manager find;
allow audioserver sensor_privacy_service:service_manager find;
allow audioserver soundtrigger_middleware_service:service_manager find;
allow audioserver audio_service:service_manager find;

# Allow read/write access to bluetooth-specific properties
# NOTE: these are property *writes* (property_service set via the init
# property socket), not just reads; the same four property types are
# neverallowed for app_zygote.
#line 49
#line 49
allow audioserver property_socket:sock_file write;
#line 49
allow audioserver init:unix_stream_socket connectto;
#line 49
#line 49
allow audioserver bluetooth_a2dp_offload_prop:property_service set;
#line 49
#line 49
allow audioserver bluetooth_a2dp_offload_prop:file { getattr open read map };
#line 49
#line 49
#line 50
#line 50
allow audioserver property_socket:sock_file write;
#line 50
allow audioserver init:unix_stream_socket connectto;
#line 50
#line 50
allow audioserver bluetooth_audio_hal_prop:property_service set;
#line 50
#line 50
allow audioserver bluetooth_audio_hal_prop:file { getattr open read map };
#line 50
#line 50
#line 51
#line 51
allow audioserver property_socket:sock_file write;
#line 51
allow audioserver init:unix_stream_socket connectto;
#line 51
#line 51
allow audioserver bluetooth_prop:property_service set;
#line 51
#line 51
allow audioserver bluetooth_prop:file { getattr open read map };
#line 51
#line 51
#line 52
#line 52
allow audioserver property_socket:sock_file write;
#line 52
allow audioserver init:unix_stream_socket connectto;
#line 52
#line 52
allow audioserver exported_bluetooth_prop:property_service set;
#line 52
#line 52
allow audioserver exported_bluetooth_prop:file { getattr open read map };
#line 52
#line 52

# Grant access to audio files to audioserver
allow audioserver audio_data_file:dir { { open getattr read search ioctl lock watch watch_reads } add_name write };
allow audioserver audio_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };

# allow access to ALSA MMAP FDs for AAudio API
# (the { read write } rule is subsumed by the rw_file_perms rule two lines down)
allow audioserver audio_device:chr_file { read write };
allow audioserver audio_device:dir { open getattr read search ioctl lock watch watch_reads };
allow audioserver audio_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };

# For A2DP bridge which is loaded directly into audioserver
#line 65
allow audioserver bluetooth_socket:sock_file write;
#line 65
allow audioserver bluetooth:unix_stream_socket connectto;
#line 65

# Allow shell commands from ADB and shell for CTS testing/dumping
allow audioserver adbd:fd use;
allow audioserver adbd:unix_stream_socket { read write };
allow audioserver shell:fifo_file { read write };

# Allow shell commands from ADB for CTS testing/dumping
# (userdebug/eng-only rules; nothing is emitted here in this expansion)
#line 77

# Allow write access to log tag property
#line 80
#line 80
allow audioserver property_socket:sock_file write;
#line 80
allow audioserver init:unix_stream_socket connectto;
#line 80
#line 80
allow audioserver log_tag_prop:property_service set;
#line 80
#line 80
allow audioserver log_tag_prop:file { getattr open read map };
#line 80
#line 80
;

###
### neverallow rules
###

# audioserver should never execute any executable without a
# domain transition
neverallow audioserver { file_type fs_type }:file execute_no_trans;

# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow audioserver domain:{ udp_socket rawip_socket } *;
neverallow audioserver { domain }:tcp_socket *;

# Allow using wake locks
#line 104
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 104
# deprecated.
#line 104
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 104
allow audioserver sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 104
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 104
allow audioserver self:{ capability2 cap2_userns } block_suspend;
#line 104
# system_suspend permissions
#line 104
#line 104
# Call the server domain and optionally transfer references to it.
#line 104
allow audioserver system_suspend_server:binder { call transfer };
#line 104
# Allow the serverdomain to transfer references to the client on the reply.
#line 104
allow system_suspend_server audioserver:binder transfer;
#line 104
# Receive and use open files from the server.
#line 104
allow audioserver system_suspend_server:fd use;
#line 104
#line 104
allow audioserver system_suspend_hwservice:hwservice_manager find;
#line 104
# halclientdomain permissions
#line 104
#line 104
# Call the hwservicemanager and transfer references to it.
#line 104
allow audioserver hwservicemanager:binder { call transfer };
#line 104
# Allow hwservicemanager to send out callbacks
#line 104
allow hwservicemanager audioserver:binder { call transfer };
#line 104
# hwservicemanager performs getpidcon on clients.
#line 104
allow hwservicemanager audioserver:dir search;
#line 104
allow hwservicemanager audioserver:file { read open map };
#line 104
allow hwservicemanager audioserver:process getattr;
#line 104
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 104
# all domains in domain.te.
#line 104
#line 104
allow audioserver hwservicemanager_prop:file { getattr open read map };
#line 104
#line 104
allow audioserver hidl_manager_hwservice:hwservice_manager find;
#line 104
# AIDL suspend hal permissions
#line 104
allow audioserver hal_system_suspend_service:service_manager find;
#line 104
#line 104
# Call the servicemanager and transfer references to it.
#line 104
allow audioserver servicemanager:binder { call transfer };
#line 104
# Allow servicemanager to send out callbacks
#line 104
allow servicemanager audioserver:binder { call transfer };
#line 104
# servicemanager performs getpidcon on clients.
# NOTE(review): this is an m4-expanded policy.conf fragment. The `#line N` and
# `#line N "path"` markers are synclines from the macro expansion and are kept
# verbatim on their own lines (presumably so policy-compile diagnostics can map
# back to the .te source — confirm with the build tooling); stray `;` tokens left
# behind by macro invocations are likewise kept as-is.
#line 104
allow servicemanager audioserver:dir search;
#line 104
allow servicemanager audioserver:file { read open };
#line 104
allow servicemanager audioserver:process getattr;
#line 104
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 104
# all domains in domain.te.
#line 104
#line 104
# Allow reading audio config props, e.g. af.fast_track_multiplier
#line 107
allow audioserver audio_config_prop:file { getattr open read map };
#line 107
#line 108
allow audioserver system_audio_config_prop:file { getattr open read map };
#line 108
#line 1 "system/sepolicy/private/auditctl.te"
#
# /system/bin/auditctl executed for logd
#
# Performs maintenance of the kernel auditing system, including
# setting rate limits on SELinux denials.
#
type auditctl, domain, coredomain;
type auditctl_exec, file_type, system_file_type, exec_type;
# Uncomment the line below to put this domain into permissive
# mode. This helps speed SELinux policy development.
# userdebug_or_eng(`permissive auditctl;')
#line 15
#line 15
# Allow the necessary permissions.
#line 15
#line 15
# Old domain may exec the file and transition to the new domain.
#line 15
allow init auditctl_exec:file { getattr open read execute map };
#line 15
allow init auditctl:process transition;
#line 15
# New domain is entered by executing the file.
#line 15
allow auditctl auditctl_exec:file { entrypoint open read execute getattr map };
#line 15
# New domain can send SIGCHLD to its caller.
#line 15
#line 15
# Enable AT_SECURE, i.e. libc secure mode.
#line 15
dontaudit init auditctl:process noatsecure;
#line 15
# XXX dontaudit candidate but requires further study.
#line 15
allow init auditctl:process { siginh rlimitinh };
#line 15
#line 15
# Make the transition occur by default.
#line 15
type_transition init auditctl_exec:process auditctl;
#line 15
#line 15
# audit_control plus nlmsg_write on the audit netlink socket is what lets
# auditctl change kernel audit settings; no other domain is granted it here.
allow auditctl self:{ capability cap_userns } audit_control;
allow auditctl self:netlink_audit_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_write };
#line 1 "system/sepolicy/private/automotive_display_service.te"
# Display proxy service for Automotive
type automotive_display_service, domain, coredomain;
type automotive_display_service_exec, system_file_type, exec_type, file_type;
typeattribute automotive_display_service automotive_display_service_server;
# Allow to add a display service to the hwservicemanager
#line 8
allow automotive_display_service fwk_automotive_display_hwservice:hwservice_manager { add find };
#line 8
allow automotive_display_service hidl_base_hwservice:hwservice_manager add;
#line 8
# Registration of this hwservice name is reserved to this domain alone.
neverallow { domain -automotive_display_service } fwk_automotive_display_hwservice:hwservice_manager add;
#line 8
;
# Allow init to launch automotive display service
#line 11
#line 11
# Allow the necessary permissions.
#line 11
#line 11
# Old domain may exec the file and transition to the new domain.
#line 11
allow init automotive_display_service_exec:file { getattr open read execute map };
#line 11
allow init automotive_display_service:process transition;
#line 11
# New domain is entered by executing the file.
#line 11
allow automotive_display_service automotive_display_service_exec:file { entrypoint open read execute getattr map };
#line 11
# New domain can send SIGCHLD to its caller.
#line 11
#line 11
# Enable AT_SECURE, i.e. libc secure mode.
#line 11
dontaudit init automotive_display_service:process noatsecure;
#line 11
# XXX dontaudit candidate but requires further study.
#line 11
allow init automotive_display_service:process { siginh rlimitinh };
#line 11
#line 11
# Make the transition occur by default.
#line 11
type_transition init automotive_display_service_exec:process automotive_display_service;
#line 11
#line 11
# Allow to use Binder IPC for SurfaceFlinger.
#line 14
# Call the servicemanager and transfer references to it.
#line 14
allow automotive_display_service servicemanager:binder { call transfer };
#line 14
# Allow servicemanager to send out callbacks
#line 14
allow servicemanager automotive_display_service:binder { call transfer };
#line 14
# servicemanager performs getpidcon on clients.
#line 14
allow servicemanager automotive_display_service:dir search;
#line 14
allow servicemanager automotive_display_service:file { read open };
#line 14
allow servicemanager automotive_display_service:process getattr;
#line 14
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 14
# all domains in domain.te.
#line 14
# Allow to use HwBinder IPC for HAL implementations.
#line 17
# Call the hwservicemanager and transfer references to it.
#line 17
allow automotive_display_service hwservicemanager:binder { call transfer };
#line 17
# Allow hwservicemanager to send out callbacks
#line 17
allow hwservicemanager automotive_display_service:binder { call transfer };
#line 17
# hwservicemanager performs getpidcon on clients.
#line 17
allow hwservicemanager automotive_display_service:dir search;
#line 17
allow hwservicemanager automotive_display_service:file { read open map };
#line 17
allow hwservicemanager automotive_display_service:process getattr;
#line 17
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 17
# all domains in domain.te.
#line 17
#line 18
typeattribute automotive_display_service halclientdomain;
#line 18
typeattribute automotive_display_service hal_graphics_composer_client;
#line 18
#line 18
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 18
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 18
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 18
#line 18
# NOTE(review): the passthrough fallback below attaches the server-side HAL
# attribute to the client domain, which carries execute+map on vendor_file.
# The same pattern is expanded for every hal_client_domain use in this file.
typeattribute automotive_display_service hal_graphics_composer;
#line 18
# Find passthrough HAL implementations
#line 18
allow hal_graphics_composer system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 18
allow hal_graphics_composer vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 18
allow hal_graphics_composer vendor_file:file { read open getattr execute map };
#line 18
#line 18
#line 19
typeattribute automotive_display_service halclientdomain;
#line 19
typeattribute automotive_display_service hal_graphics_allocator_client;
#line 19
#line 19
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 19
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 19
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 19
#line 19
typeattribute automotive_display_service hal_graphics_allocator;
#line 19
# Find passthrough HAL implementations
#line 19
allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 19
allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 19
allow hal_graphics_allocator vendor_file:file { read open getattr execute map };
#line 19
#line 19
# Allow to read the target property.
#line 22
allow automotive_display_service hwservicemanager_prop:file { getattr open read map };
#line 22
# Allow to find SurfaceFlinger.
allow automotive_display_service surfaceflinger_service:service_manager find;
# Allow client domain to do binder IPC to serverdomain.
#line 28
# Call the server domain and optionally transfer references to it.
#line 28
allow automotive_display_service surfaceflinger:binder { call transfer };
#line 28
# Allow the serverdomain to transfer references to the client on the reply.
#line 28
allow surfaceflinger automotive_display_service:binder transfer;
#line 28
# Receive and use open files from the server.
#line 28
allow automotive_display_service surfaceflinger:fd use;
#line 28
# Allow to use a graphics mapper
allow automotive_display_service hal_graphics_mapper_hwservice:hwservice_manager find;
# Allow to use hidl token service
allow automotive_display_service hidl_token_hwservice:hwservice_manager find;
# Allow to access EGL files
allow automotive_display_service gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow automotive_display_service gpu_device:dir search;
# Allow to add a service to the servicemanager
#line 41
allow automotive_display_service fwk_automotive_display_service:service_manager { add find };
#line 41
neverallow { domain -automotive_display_service } fwk_automotive_display_service:service_manager add;
#line 41
#line 41
# On debug builds with root, allow binder services to use binder over TCP.
#line 41
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 41
#line 41
;
# Allow to communicate with EVS services
#line 44
# Call the server domain and optionally transfer references to it.
#line 44
allow automotive_display_service hal_evs:binder { call transfer };
#line 44
# Allow the serverdomain to transfer references to the client on the reply.
#line 44
allow hal_evs automotive_display_service:binder transfer;
#line 44
# Receive and use open files from the server.
#line 44
allow automotive_display_service hal_evs:fd use;
#line 44
#line 1 "system/sepolicy/private/binderservicedomain.te"
# Rules common to some specific binder service domains.
# Deprecated. Consider granting the exact permissions required by your service.
# Allow dumpstate and incidentd to collect information from binder services
allow binderservicedomain { dumpstate incidentd }:fd use;
allow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr };
allow binderservicedomain { dumpstate incidentd }:fifo_file { getattr write };
allow binderservicedomain shell_data_file:file { getattr write };
# Allow dumpsys to work from adb shell or the serial console
allow binderservicedomain devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow binderservicedomain console_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Receive and write to a pipe received over Binder from an app.
allow binderservicedomain appdomain:fd use;
allow binderservicedomain appdomain:fifo_file write;
# allow all services to run permission checks
allow binderservicedomain permission_service:service_manager find;
allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
#line 23
allow keystore binderservicedomain:dir search;
#line 23
allow keystore binderservicedomain:file { read open };
#line 23
allow keystore binderservicedomain:process getattr;
#line 23
allow binderservicedomain apc_service:service_manager find;
#line 23
allow binderservicedomain keystore_service:service_manager find;
#line 23
allow binderservicedomain legacykeystore_service:service_manager find;
#line 23
#line 23
# Call the server domain and optionally transfer references to it.
#line 23
allow binderservicedomain keystore:binder { call transfer };
#line 23
# Allow the serverdomain to transfer references to the client on the reply.
#line 23
allow keystore binderservicedomain:binder transfer;
#line 23
# Receive and use open files from the server.
#line 23
allow binderservicedomain keystore:fd use;
#line 23
#line 23
#line 23
# Call the server domain and optionally transfer references to it.
#line 23
allow keystore binderservicedomain:binder { call transfer };
#line 23
# Allow the serverdomain to transfer references to the client on the reply.
#line 23
allow binderservicedomain keystore:binder transfer;
#line 23
# Receive and use open files from the server.
#line 23
allow keystore binderservicedomain:fd use;
#line 23
#line 23
# binderservicedomain is using apex_info via libvintf
#line 25
allow binderservicedomain apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads };
#line 25
allow binderservicedomain apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
#line 25
#line 25
allow binderservicedomain vendor_apex_metadata_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 25
allow binderservicedomain vendor_apex_metadata_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 25
#line 25
#line 1 "system/sepolicy/private/blank_screen.te"
type blank_screen, domain, coredomain;
type blank_screen_exec, exec_type, file_type, system_file_type;
#line 4
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init blank_screen_exec:file { getattr open read execute map };
#line 4
allow init blank_screen:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow blank_screen blank_screen_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init blank_screen:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init blank_screen:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition init blank_screen_exec:process blank_screen;
#line 4
#line 4
# hal_light_client has access to hal_light_server
#line 7
typeattribute blank_screen halclientdomain;
#line 7
typeattribute blank_screen hal_light_client;
#line 7
#line 7
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 7
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 7
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 7
#line 7
typeattribute blank_screen hal_light;
#line 7
# Find passthrough HAL implementations
#line 7
allow hal_light system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 7
allow hal_light vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 7
allow hal_light vendor_file:file { read open getattr execute map };
#line 7
#line 7
#line 1 "system/sepolicy/private/blkid.te"
# blkid called from vold
typeattribute blkid coredomain;
type blkid_exec, system_file_type, exec_type, file_type;
# Allowed read-only access to encrypted devices to extract UUID/label
allow blkid block_device:dir search;
allow blkid userdata_block_device:blk_file { getattr open read ioctl lock map watch watch_reads };
allow blkid dm_device:blk_file { getattr open read ioctl lock map watch watch_reads };
# Allow stdin/out back to vold
allow blkid vold:fd use;
allow blkid vold:fifo_file { read write getattr };
# For blkid launched through popen()
allow blkid blkid_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Only allow entry from vold
neverallow { domain -vold } blkid:process transition;
neverallow * blkid:process dyntransition;
neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
#line 1 "system/sepolicy/private/blkid_untrusted.te"
# blkid for untrusted block devices
typeattribute blkid_untrusted coredomain;
# Allowed read-only access to vold block devices to extract UUID/label
allow blkid_untrusted block_device:dir search;
allow blkid_untrusted vold_device:blk_file { getattr open read ioctl lock map watch watch_reads };
# Allow stdin/out back to vold
allow blkid_untrusted vold:fd use;
allow blkid_untrusted vold:fifo_file { read write getattr };
# For blkid launched through popen()
allow blkid_untrusted blkid_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
###
### neverallow rules
###
# Untrusted blkid should never be run on block devices holding sensitive data
neverallow blkid_untrusted { boot_block_device frp_block_device metadata_block_device recovery_block_device root_block_device swap_block_device system_block_device userdata_block_device cache_block_device dm_device }:blk_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Only allow entry from vold via blkid binary
neverallow { domain -vold } blkid_untrusted:process transition;
neverallow * blkid_untrusted:process dyntransition;
neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
#line 1 "system/sepolicy/private/bluetooth.te"
# bluetooth app
typeattribute bluetooth coredomain, mlstrustedsubject;
#line 5
typeattribute bluetooth appdomain;
#line 5
# Label tmpfs objects for all apps.
#line 5
type_transition bluetooth tmpfs:file appdomain_tmpfs;
#line 5
#line 5
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 5
type bluetooth_userfaultfd;
#line 5
type_transition bluetooth bluetooth:anon_inode bluetooth_userfaultfd "[userfaultfd]";
#line 5
# Allow domain to create/use userfaultfd anon_inode.
#line 5
allow bluetooth bluetooth_userfaultfd:anon_inode { create ioctl read };
#line 5
# Suppress errors generated during bugreport
#line 5
dontaudit su bluetooth_userfaultfd:anon_inode *;
#line 5
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 5
neverallow { domain -bluetooth } bluetooth_userfaultfd:anon_inode *;
#line 5
#line 5
allow bluetooth appdomain_tmpfs:file { execute getattr map read write };
#line 5
neverallow { bluetooth -runas_app -shell -simpleperf } { domain -bluetooth }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 5
neverallow { appdomain -runas_app -shell -simpleperf -bluetooth } bluetooth:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 5
# The Android security model guarantees the confidentiality and integrity
#line 5
# of application data and execution state. Ptrace bypasses those
#line 5
# confidentiality guarantees. Disallow ptrace access from system components to
#line 5
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 5
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 5
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 5
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 5
# live lock conditions.
#line 5
# NOTE(review): the comment above lists llkd as excluded, but the expanded rule
# below does not carry `-llkd`; this may be a build-variant conditional in the
# originating macro — confirm against the macro definition.
neverallow { domain -bluetooth -crash_dump -runas_app -simpleperf } bluetooth:process ptrace;
#line 5
#line 6
typeattribute bluetooth netdomain;
#line 6
# Socket creation under /data/misc/bluedroid.
type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
# Allow access to net_admin ioctls
# NOTE(review): allowxperm narrows the udp_socket ioctl permission to the
# enumerated command numbers/ranges below; an ioctl outside this list is denied
# even though `ioctl` itself is granted on the class.
allowxperm bluetooth self:udp_socket ioctl
#line 12
{
#line 12
# qualcomm rmnet ioctls
#line 12
0x00006900 0x00006902
#line 12
# socket ioctls
#line 12
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 12
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 12
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 12
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 12
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 12
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 12
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 12
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 12
0x00008991 0x00008992 0x00008993 0x00008994
#line 12
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 12
# device and protocol specific ioctls
#line 12
0x000089f0-0x000089ff
#line 12
0x000089e0-0x000089ef
#line 12
# Wireless extension ioctls
#line 12
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 12
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 12
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 12
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 12
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 12
0x00008b34 0x00008b35 0x00008b36
#line 12
# Dev private ioctl i.e. hardware specific ioctls
#line 12
0x00008be0-0x00008bff
#line 12
};
#line 14
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 14
# deprecated.
#line 14
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 14
allow bluetooth sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 14
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 14
allow bluetooth self:{ capability2 cap2_userns } block_suspend;
#line 14
# system_suspend permissions
#line 14
#line 14
# Call the server domain and optionally transfer references to it.
#line 14
allow bluetooth system_suspend_server:binder { call transfer };
#line 14
# Allow the serverdomain to transfer references to the client on the reply.
#line 14
allow system_suspend_server bluetooth:binder transfer;
#line 14
# Receive and use open files from the server.
#line 14
allow bluetooth system_suspend_server:fd use;
#line 14
#line 14
allow bluetooth system_suspend_hwservice:hwservice_manager find;
#line 14
# halclientdomain permissions
#line 14
#line 14
# Call the hwservicemanager and transfer references to it.
#line 14
allow bluetooth hwservicemanager:binder { call transfer };
#line 14
# Allow hwservicemanager to send out callbacks
#line 14
allow hwservicemanager bluetooth:binder { call transfer };
#line 14
# hwservicemanager performs getpidcon on clients.
#line 14
allow hwservicemanager bluetooth:dir search;
#line 14
allow hwservicemanager bluetooth:file { read open map };
#line 14
allow hwservicemanager bluetooth:process getattr;
#line 14
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 14
# all domains in domain.te.
#line 14
#line 14
#line 14
allow bluetooth hwservicemanager_prop:file { getattr open read map };
#line 14
#line 14
allow bluetooth hidl_manager_hwservice:hwservice_manager find;
#line 14
# AIDL suspend hal permissions
#line 14
allow bluetooth hal_system_suspend_service:service_manager find;
#line 14
#line 14
# Call the servicemanager and transfer references to it.
#line 14
allow bluetooth servicemanager:binder { call transfer };
#line 14
# Allow servicemanager to send out callbacks
#line 14
allow servicemanager bluetooth:binder { call transfer };
#line 14
# servicemanager performs getpidcon on clients.
#line 14
allow servicemanager bluetooth:dir search;
#line 14
allow servicemanager bluetooth:file { read open };
#line 14
allow servicemanager bluetooth:process getattr;
#line 14
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 14
# all domains in domain.te.
#line 14
#line 14
;
# Data file accesses.
allow bluetooth bluetooth_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow bluetooth bluetooth_data_file:{ file lnk_file sock_file fifo_file } { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } link };
allow bluetooth bluetooth_logs_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow bluetooth bluetooth_logs_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Socket creation under /data/misc/bluedroid.
allow bluetooth bluetooth_socket:sock_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Capability grants for this app domain; the neverallow rules at the end of
# bluetooth.te pin the capability set to exactly what is granted here.
allow bluetooth self:{ capability cap_userns } net_admin;
allow bluetooth self:{ capability2 cap2_userns } wake_alarm;
# tethering
allow bluetooth self:packet_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow bluetooth self:{ capability cap_userns } { net_admin net_raw net_bind_service };
allow bluetooth self:tun_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow bluetooth tun_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Only these two ioctl commands are permitted on the tun device.
allowxperm bluetooth tun_device:chr_file ioctl { 0x800454d2 0x400454ca };
allow bluetooth efs_file:dir search;
# allow Bluetooth to access uhid device for HID profile
allow bluetooth uhid_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow bluetooth gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow bluetooth gpu_device:dir { open getattr read search ioctl lock watch watch_reads };
# proc access.
allow bluetooth proc_bluetooth_writable:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# For Bluetooth to check what profile are available
allow bluetooth proc_filesystems:file { getattr open read ioctl lock map watch watch_reads };
#line 47
allow bluetooth incremental_prop:file { getattr open read map };
#line 47
# For Bluetooth to check security logging state
#line 50
allow bluetooth device_logging_prop:file { getattr open read map };
#line 50
# Allow write access to bluetooth specific properties
#line 53
#line 53
allow bluetooth property_socket:sock_file write;
#line 53
allow bluetooth init:unix_stream_socket connectto;
#line 53
#line 53
allow bluetooth binder_cache_bluetooth_server_prop:property_service set;
#line 53
#line 53
allow bluetooth binder_cache_bluetooth_server_prop:file { getattr open read map };
#line 53
#line 53
;
# Setting this property is restricted to bluetooth and init.
neverallow { domain -bluetooth -init } binder_cache_bluetooth_server_prop:property_service set;
#line 56
#line 56
allow bluetooth property_socket:sock_file write;
#line 56
allow bluetooth init:unix_stream_socket connectto;
#line 56
#line 56
allow bluetooth bluetooth_a2dp_offload_prop:property_service set;
#line 56
#line 56
allow bluetooth bluetooth_a2dp_offload_prop:file { getattr open read map };
#line 56
#line 56
#line 57
#line 57
allow bluetooth property_socket:sock_file write;
#line 57
allow bluetooth init:unix_stream_socket connectto;
#line 57
#line 57
allow bluetooth bluetooth_audio_hal_prop:property_service set;
#line 57
#line 57
allow bluetooth bluetooth_audio_hal_prop:file { getattr open read map };
#line 57
#line 57
#line 58
#line 58
allow bluetooth property_socket:sock_file write;
#line 58
allow bluetooth init:unix_stream_socket connectto;
#line 58
#line 58
allow bluetooth bluetooth_prop:property_service set;
#line 58
#line 58
allow bluetooth bluetooth_prop:file { getattr open read map };
#line 58
#line 58
#line 59
#line 59
allow bluetooth property_socket:sock_file write;
#line 59
allow bluetooth init:unix_stream_socket connectto;
#line 59
#line 59
allow bluetooth exported_bluetooth_prop:property_service set;
#line 59
#line 59
allow bluetooth exported_bluetooth_prop:file { getattr open read map };
#line 59
#line 59
#line 60
#line 60
allow bluetooth property_socket:sock_file write;
#line 60
allow bluetooth init:unix_stream_socket connectto;
#line 60
#line 60
allow bluetooth pan_result_prop:property_service set;
#line 60
#line 60
allow bluetooth pan_result_prop:file { getattr open read map };
#line 60
#line 60
allow bluetooth audioserver_service:service_manager find;
allow bluetooth bluetooth_service:service_manager find;
allow bluetooth drmserver_service:service_manager find;
allow bluetooth mediaserver_service:service_manager find;
allow bluetooth radio_service:service_manager find;
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
allow bluetooth network_stack_service:service_manager find;
allow bluetooth system_suspend_control_service:service_manager find;
allow bluetooth hal_audio_service:service_manager find;
# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*.
allow bluetooth shell_data_file:file read;
# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
allow bluetooth self:{ capability cap_userns } sys_nice;
#line 81
typeattribute bluetooth halclientdomain;
#line 81
typeattribute bluetooth hal_bluetooth_client;
#line 81
#line 81
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 81
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 81
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 81
#line 81
typeattribute bluetooth hal_bluetooth;
#line 81
# Find passthrough HAL implementations
#line 81
allow hal_bluetooth system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 81
allow hal_bluetooth vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 81
allow hal_bluetooth vendor_file:file { read open getattr execute map };
#line 81
#line 81
#line 82
typeattribute bluetooth halclientdomain;
#line 82
typeattribute bluetooth hal_telephony_client;
#line 82
#line 82
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 82
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 82
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 82
#line 82
typeattribute bluetooth hal_telephony;
#line 82
# Find passthrough HAL implementations
#line 82
allow hal_telephony system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 82
allow hal_telephony vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 82
allow hal_telephony vendor_file:file { read open getattr execute map };
#line 82
#line 82
# Bluetooth A2DP offload requires binding with audio HAL
#line 85
typeattribute bluetooth halclientdomain;
#line 85
typeattribute bluetooth hal_audio_client;
#line 85
#line 85
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 85
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 85
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 85
#line 85
typeattribute bluetooth hal_audio;
#line 85
# Find passthrough HAL implementations
#line 85
allow hal_audio system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 85
allow hal_audio vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 85
allow hal_audio vendor_file:file { read open getattr execute map };
#line 85
#line 85
#line 87
allow bluetooth runtime_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads };
#line 87
###
### Neverallow rules
###
### These are things that the bluetooth app should NEVER be able to do
###
# Superuser capabilities.
# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
# The complement sets (~{ ... }) match the capability grants earlier in
# bluetooth.te; adding a new capability grant without widening these rules
# fails the neverallow check at policy compile time.
neverallow bluetooth self:{ capability cap_userns } ~{ net_admin net_raw net_bind_service sys_nice};
neverallow bluetooth self:{ capability2 cap2_userns } ~{ wake_alarm block_suspend };
#line 1 "system/sepolicy/private/bluetoothdomain.te"
# Allow clients to use a socket provided by the bluetooth app.
allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
#line 1 "system/sepolicy/private/bootanim.te"
typeattribute bootanim coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init bootanim_exec:file { getattr open read execute map };
#line 3
allow init bootanim:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow bootanim bootanim_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init bootanim:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init bootanim:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init bootanim_exec:process bootanim;
#line 3
#line 3
# b/68864350
dontaudit bootanim unlabeled:dir search;
# Bootanim should not be reading default vendor-defined properties.
dontaudit bootanim vendor_default_prop:file read;
# Read ro.boot.bootreason b/30654343
#line 12
allow bootanim bootloader_boot_reason_prop:file { getattr open read map };
#line 12
#line 14
allow bootanim bootanim_config_prop:file { getattr open read map };
#line 14
# Allow updating boot animation status.
#line 17
#line 17
allow bootanim property_socket:sock_file write;
#line 17
allow bootanim init:unix_stream_socket connectto;
#line 17
#line 17
allow bootanim bootanim_system_prop:property_service set;
#line 17
#line 17
allow bootanim bootanim_system_prop:file { getattr open read map };
#line 17
#line 17
# Allow accessing /data/misc/bootanim
#line 20
allow bootanim bootanim_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 20
allow bootanim bootanim_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 20
# Allow accessing vendor apex for EGL/GLES
allow bootanim vendor_apex_metadata_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 1 "system/sepolicy/private/bootstat.te"
typeattribute bootstat coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init bootstat_exec:file { getattr open read execute map };
#line 3
allow init bootstat:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow bootstat bootstat_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init bootstat:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3 allow init bootstat:process { siginh rlimitinh }; #line 3 #line 3 # Make the transition occur by default. #line 3 type_transition init bootstat_exec:process bootstat; #line 3 #line 3 # Collect metrics on boot time created by init #line 6 allow bootstat boottime_prop:file { getattr open read map }; #line 6 # Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty) #line 9 #line 9 allow bootstat property_socket:sock_file write; #line 9 allow bootstat init:unix_stream_socket connectto; #line 9 #line 9 allow bootstat bootloader_boot_reason_prop:property_service set; #line 9 #line 9 allow bootstat bootloader_boot_reason_prop:file { getattr open read map }; #line 9 #line 9 #line 10 #line 10 allow bootstat property_socket:sock_file write; #line 10 allow bootstat init:unix_stream_socket connectto; #line 10 #line 10 allow bootstat system_boot_reason_prop:property_service set; #line 10 #line 10 allow bootstat system_boot_reason_prop:file { getattr open read map }; #line 10 #line 10 #line 11 #line 11 allow bootstat property_socket:sock_file write; #line 11 allow bootstat init:unix_stream_socket connectto; #line 11 #line 11 allow bootstat last_boot_reason_prop:property_service set; #line 11 #line 11 allow bootstat last_boot_reason_prop:file { getattr open read map }; #line 11 #line 11 neverallow { domain -bootanim -bootstat -dumpstate -init -platform_app -recovery -shell -system_server } { bootloader_boot_reason_prop last_boot_reason_prop }:file { getattr open read ioctl lock map watch watch_reads }; # ... and refine, as these components should not set the last boot reason neverallow { bootanim recovery } last_boot_reason_prop:file { getattr open read ioctl lock map watch watch_reads }; neverallow { domain -bootstat -init -system_server } { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set; # ... and refine ... for a ro propertly no less ... 
# NOTE(review): "keep this _tight_" is the tail of the comment that ends the
# bootstat.te section on the preceding line of this listing.
keep this _tight_ neverallow system_server bootloader_boot_reason_prop:property_service set;
#line 1 "system/sepolicy/private/boringssl_self_test.te"
# System and vendor domains for BoringSSL self test binaries.
#
# For FIPS compliance, all processes linked against libcrypto perform a startup
# self test which computes a hash of the BoringSSL Crypto Module (BCM) and, at least once
# per device boot, also run a series of Known Answer Tests (KAT) to verify functionality.
#
# The KATs are expensive, and to ensure they are run as few times as possible, they
# are skipped if a marker file exists in /dev/boringssl/selftest whose name is
# the hash of the BCM that was computed earlier. The files are zero length and their contents
# should never be read or written. To avoid giving arbitrary processes access to /dev/boringssl
# to create these marker files, there are dedicated self test binaries which this policy
# gives access to and which are run during early-init.
#
# Due to build skew, the version of libcrypto in /vendor may have a different hash than
# the system one. To cater for this there are vendor variants of the self test binaries
# which also have permission to write to the same files in /dev/boringssl. In the case where
# vendor and system libcrypto have the same hash, there will be a race to create the file,
# but this is harmless.
#
# If the self tests fail, then the device should reboot into firmware and for this reason
# the system boringssl_self_test domain needs to be in coredomain. As vendor domains
# are not allowed in coredomain, this means that the vendor self tests cannot trigger a
# reboot. However every binary linked against the vendor libcrypto will abort on startup,
# so in practice the device will crash anyway in this unlikely scenario.
# System boringssl_self_test domain
type boringssl_self_test, domain, coredomain;
type boringssl_self_test_exec, system_file_type, exec_type, file_type;
# Vendor boringssl_self_test domain
type vendor_boringssl_self_test, domain;
type vendor_boringssl_self_test_exec, vendor_file_type, exec_type, file_type;
# Switch to boringssl_self_test security domain when running boringssl_self_test_exec
#line 35
#line 35
# Allow the necessary permissions.
#line 35
#line 35
# Old domain may exec the file and transition to the new domain.
#line 35
allow init boringssl_self_test_exec:file { getattr open read execute map };
#line 35
allow init boringssl_self_test:process transition;
#line 35
# New domain is entered by executing the file.
#line 35
allow boringssl_self_test boringssl_self_test_exec:file { entrypoint open read execute getattr map };
#line 35
# New domain can send SIGCHLD to its caller.
#line 35
#line 35
# Enable AT_SECURE, i.e. libc secure mode.
#line 35
dontaudit init boringssl_self_test:process noatsecure;
#line 35
# XXX dontaudit candidate but requires further study.
#line 35
allow init boringssl_self_test:process { siginh rlimitinh };
#line 35
#line 35
# Make the transition occur by default.
#line 35
type_transition init boringssl_self_test_exec:process boringssl_self_test;
#line 35
#line 35
# Switch to vendor_boringssl_self_test security domain when running vendor_boringssl_self_test_exec
#line 38
#line 38
# Allow the necessary permissions.
#line 38
#line 38
# Old domain may exec the file and transition to the new domain.
#line 38
allow init vendor_boringssl_self_test_exec:file { getattr open read execute map };
#line 38
allow init vendor_boringssl_self_test:process transition;
#line 38
# New domain is entered by executing the file.
#line 38
allow vendor_boringssl_self_test vendor_boringssl_self_test_exec:file { entrypoint open read execute getattr map };
#line 38
# New domain can send SIGCHLD to its caller.
#line 38
#line 38
# Enable AT_SECURE, i.e. libc secure mode.
#line 38
dontaudit init vendor_boringssl_self_test:process noatsecure;
#line 38
# XXX dontaudit candidate but requires further study.
#line 38
allow init vendor_boringssl_self_test:process { siginh rlimitinh };
#line 38
#line 38
# Make the transition occur by default.
#line 38
type_transition init vendor_boringssl_self_test_exec:process vendor_boringssl_self_test;
#line 38
#line 38
# Marker files, common to both domains, indicating KAT have been performed on a particular libcrypto
#
# The files are zero length so there is no issue if both vendor and system code
# try to create the same file simultaneously. One will succeed and the other will fail
# silently, i.e. still indicate success. Similar harmless naming collisions will happen in the
# system domain e.g. when system and APEX copies of libcrypto are identical.
type boringssl_self_test_marker, file_type;
# Allow self test binaries to create/check for the existence of boringssl_self_test_marker files
allow { boringssl_self_test vendor_boringssl_self_test } boringssl_self_test_marker:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow { boringssl_self_test vendor_boringssl_self_test } boringssl_self_test_marker:dir { { open getattr read search ioctl lock watch watch_reads } add_name write };
# Allow self test binaries to write their stdout/stderr messages to kmsg_debug
allow { boringssl_self_test vendor_boringssl_self_test } kmsg_debug_device:chr_file { { open append write lock map } getattr ioctl };
# No other process should be able to create marker files because their existence causes the
# boringssl KAT to be skipped.
# These two rules are the build-time guarantee behind that statement: only the
# two self-test domains plus init/vendor_init may write, create, link, rename
# or relabel a marker file, or write to the marker directory.
neverallow { domain -vendor_boringssl_self_test -boringssl_self_test -init -vendor_init } boringssl_self_test_marker:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow { domain -vendor_boringssl_self_test -boringssl_self_test -init -vendor_init } boringssl_self_test_marker:dir write;
#line 1 "system/sepolicy/private/bpfdomain.te"
# platform should have ownership of network attachpoints for BPF
neverallow { bpfdomain -bpfloader -netd -netutils_wrapper -network_stack -system_server } self:{ capability cap_userns } { net_admin net_raw };
# any domain which uses bpf is a bpfdomain
neverallow { domain -bpfdomain } *:bpf *;
allow bpfdomain fs_bpf:dir search;
# genfscon doesn't seem to trigger during symlink creation,
# and thus any created symlinks end up as 'fs_bpf:lnk_type',
# however this feels like a kernel bug / missing feature,
# so let's allow all bpffs_type's instead,
# this will keep things working even if this is fixed.
allow bpfdomain bpffs_type:lnk_file read;
# Needed for //frameworks/libs/net:
# common/native/bpf_headers/include/bpf/WaitForProgsLoaded.h
#line 25
allow bpfdomain bpf_progs_loaded_prop:file { getattr open read map };
#line 25
#line 1 "system/sepolicy/private/bpfloader.te"
type bpfloader_exec, system_file_type, exec_type, file_type;
typeattribute bpfloader bpfdomain;
# allow bpfloader to write to the kernel log (starts early)
allow bpfloader kmsg_device:chr_file { open append write lock map };
# These permissions are required to pin ebpf maps & programs.
allow bpfloader bpffs_type:dir { add_name create remove_name search write };
allow bpfloader bpffs_type:file { create getattr read rename setattr };
allow bpfloader bpffs_type:lnk_file { create getattr read };
allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;
# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
allow bpfloader self:capability { chown sys_admin net_admin };
allow bpfloader sysfs_fs_fuse_bpf:file { getattr open read ioctl lock map watch watch_reads };
allow bpfloader proc_bpf:file { open append write lock map };
#line 23
#line 23
allow bpfloader property_socket:sock_file write;
#line 23
allow bpfloader init:unix_stream_socket connectto;
#line 23
#line 23
allow bpfloader bpf_progs_loaded_prop:property_service set;
#line 23
#line 23
allow bpfloader bpf_progs_loaded_prop:file { getattr open read map };
#line 23
#line 23
allow bpfloader bpfloader_exec:file execute_no_trans;
###
### Neverallow rules
###
# Note: we don't care about getattr/mounton/search
neverallow { domain } bpffs_type:dir ~{ add_name create getattr mounton remove_name search write };
neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
neverallow { domain } bpffs_type:file ~{ create getattr map open read rename setattr write };
neverallow { domain -bpfloader } bpffs_type:file { create map open rename setattr };
# Per-subtype read allow-lists for pinned maps/programs: each fs_bpf_* type
# names exactly the domains that may read it, everything else is denied.
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server } fs_bpf:file { getattr read };
neverallow { domain -bpfloader } fs_bpf_loader:file { getattr read };
neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file { getattr read };
neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file { getattr read };
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file { getattr read };
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file { getattr read };
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file { getattr read };
neverallow { domain -bpfloader -uprobestats } fs_bpf_uprobestats:file { getattr read };
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server -uprobestats } { bpffs_type -fs_bpf_vendor }:file write;
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
# Only bpfloader may create maps or load programs; other bpf domains are
# limited to using what bpfloader has already loaded and pinned.
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
neverallow { domain -bpfdomain } *:bpf { map_read map_write prog_run };
# 'fs_bpf_loader' is for internal use of the BpfLoader oneshot boot time process.
neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
neverallow { domain -bpfloader } fs_bpf_loader:file *;
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow { coredomain -bpfloader -netd -netutils_wrapper } fs_bpf_vendor:file *;
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
# No domain should be allowed to ptrace bpfloader
neverallow { domain } bpfloader:process ptrace;
neverallow { domain -bpfloader } proc_bpf:file write;
#line 1 "system/sepolicy/private/bufferhubd.te"
typeattribute bufferhubd coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init bufferhubd_exec:file { getattr open read execute map };
#line 3
allow init bufferhubd:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow bufferhubd bufferhubd_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init bufferhubd:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init bufferhubd:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init bufferhubd_exec:process bufferhubd;
#line 3
#line 3
#line 1 "system/sepolicy/private/cameraserver.te"
typeattribute cameraserver coredomain;
typeattribute cameraserver camera_service_server;
#line 5
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init cameraserver_exec:file { getattr open read execute map };
#line 5
allow init cameraserver:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow cameraserver cameraserver_exec:file { entrypoint open read execute getattr map };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init cameraserver:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init cameraserver:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition init cameraserver_exec:process cameraserver;
#line 5
#line 5
#line 6
# Files cameraserver creates on tmpfs get their own type so other domains
# cannot reach them via a generic tmpfs label.
type_transition cameraserver tmpfs:file cameraserver_tmpfs;
#line 6
allow cameraserver cameraserver_tmpfs:file { read write getattr map };
#line 6
allow cameraserver gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow cameraserver gpu_device:dir { open getattr read search ioctl lock watch watch_reads };
allow cameraserver virtual_camera:binder call;
#line 1 "system/sepolicy/private/canhalconfigurator.te"
type canhalconfigurator, domain, coredomain;
type canhalconfigurator_exec, exec_type, system_file_type, file_type;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init canhalconfigurator_exec:file { getattr open read execute map };
#line 3
allow init canhalconfigurator:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow canhalconfigurator canhalconfigurator_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init canhalconfigurator:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init canhalconfigurator:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init canhalconfigurator_exec:process canhalconfigurator;
#line 3
#line 3
# This allows the configurator to look up the CAN HAL controller via
# hwservice_manager and communicate with it.
#line 7
typeattribute canhalconfigurator halclientdomain;
#line 7
typeattribute canhalconfigurator hal_can_controller_client;
#line 7
#line 7
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 7
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 7
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 7
#line 7
typeattribute canhalconfigurator hal_can_controller;
#line 7
# Find passthrough HAL implementations
#line 7
allow hal_can_controller system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 7
allow hal_can_controller vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 7
allow hal_can_controller vendor_file:file { read open getattr execute map };
#line 7
#line 7
#line 9
# Call the servicemanager and transfer references to it.
#line 9
allow canhalconfigurator servicemanager:binder { call transfer };
#line 9
# Allow servicemanager to send out callbacks
#line 9
allow servicemanager canhalconfigurator:binder { call transfer };
#line 9
# servicemanager performs getpidcon on clients.
#line 9
allow servicemanager canhalconfigurator:dir search;
#line 9
allow servicemanager canhalconfigurator:file { read open };
#line 9
allow servicemanager canhalconfigurator:process getattr;
#line 9
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 9
# all domains in domain.te.
#line 9
#line 10
# Call the server domain and optionally transfer references to it.
#line 10
allow hal_can_controller canhalconfigurator:binder { call transfer };
#line 10
# Allow the serverdomain to transfer references to the client on the reply.
#line 10
allow canhalconfigurator hal_can_controller:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow hal_can_controller canhalconfigurator:fd use;
#line 10
#line 1 "system/sepolicy/private/charger.te"
typeattribute charger coredomain;
# charger needs to tell init to continue the boot
# process when running in charger mode.
# The system charger needs to be allowed to set these properties on legacy devices.
#line 6
#line 6
allow charger property_socket:sock_file write;
#line 6
allow charger init:unix_stream_socket connectto;
#line 6
#line 6
allow charger system_prop:property_service set;
#line 6
#line 6
allow charger system_prop:file { getattr open read map };
#line 6
#line 6
#line 7
#line 7
allow charger property_socket:sock_file write;
#line 7
allow charger init:unix_stream_socket connectto;
#line 7
#line 7
allow charger exported_system_prop:property_service set;
#line 7
#line 7
allow charger exported_system_prop:file { getattr open read map };
#line 7
#line 7
#line 8
#line 8
allow charger property_socket:sock_file write;
#line 8
allow charger init:unix_stream_socket connectto;
#line 8
#line 8
allow charger exported3_system_prop:property_service set;
#line 8
#line 8
allow charger exported3_system_prop:file { getattr open read map };
#line 8
#line 8
# The system charger can read ro.charger.*
#line 11
allow charger charger_prop:file { getattr open read map };
#line 11
# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 13
#line 13
neverallow {
#line 13
  domain
#line 13
  -init
#line 13
  -dumpstate
#line 13
  -charger
#line 13
} charger_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
#line 13
# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 20
#line 1 "system/sepolicy/private/charger_type.te"
# charger needs to tell init to continue the boot
# process when running in charger mode.
#line 3
#line 3
allow charger_type property_socket:sock_file write;
#line 3
allow charger_type init:unix_stream_socket connectto;
#line 3
#line 3
allow charger_type charger_status_prop:property_service set;
#line 3
#line 3
allow charger_type charger_status_prop:file { getattr open read map };
#line 3
#line 3
#line 4
allow charger_type charger_config_prop:file { getattr open read map };
#line 4
# get minui properties
#line 7
allow charger_type recovery_config_prop:file { getattr open read map };
#line 7
### Neverallow rules for charger properties
# charger_config_prop: Only init and vendor_init are allowed to set it
neverallow { domain -init -vendor_init } charger_config_prop:property_service set;
# charger_status_prop: Only init, vendor_init, charger, and charger_vendor
# are allowed to set it
neverallow { domain -init -vendor_init -charger -charger_vendor } charger_status_prop:property_service set;
# Both charger_config_prop and charger_status_prop:
# Only init, vendor_init, dumpstate, charger, and charger_vendor
# are allowed to read it
neverallow { domain -init -dumpstate -vendor_init -charger -charger_vendor } { charger_config_prop charger_status_prop }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 1 "system/sepolicy/private/clatd.te"
# 464xlat daemon
type clatd, domain, coredomain;
type clatd_exec, system_file_type, exec_type, file_type;
#line 5
typeattribute clatd netdomain;
#line 5
# Access objects inherited from system_server.
# clatd only reads/writes sockets handed to it by system_server; it is not
# granted create/bind on packet or raw IP sockets of its own here.
allow clatd system_server:fd use;
allow clatd system_server:packet_socket { read write };
allow clatd system_server:rawip_socket { read write };
allow clatd tun_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 1 "system/sepolicy/private/compos_fd_server.te"
# Make ART inputs and outputs available to the CompOS VM
type compos_fd_server, domain, coredomain;
# Allow access to open fds inherited from composd
allow compos_fd_server composd:fd use;
# Allow creating new files and directories in the staging directory.
allow compos_fd_server apex_art_staging_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow compos_fd_server apex_art_staging_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow creating new files and directories in the artifacts directory.
allow compos_fd_server apex_art_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow compos_fd_server apex_art_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Use a pipe to signal readiness
allow compos_fd_server composd:fifo_file write;
# TODO(b/196109647) - remove this when no longer needed by minijail
allow compos_fd_server composd:fifo_file read;
# Create a listening vsock for the VM to connect back to
allow compos_fd_server self:vsock_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } listen accept };
# Only composd can enter the domain via exec
# (and no domain at all may reach it via dyntransition, so the fd server
# cannot be entered without going through composd's exec path).
neverallow { domain -composd } compos_fd_server:process transition;
neverallow * compos_fd_server:process dyntransition;
#line 1 "system/sepolicy/private/compos_verify.te"
# Run by odsign to verify a CompOS signature
type compos_verify, domain, coredomain;
type compos_verify_exec, exec_type, file_type, system_file_type;
# Start a VM
#line 6
# Call the servicemanager and transfer references to it.
#line 6
allow compos_verify servicemanager:binder { call transfer };
#line 6
# Allow servicemanager to send out callbacks
#line 6
allow servicemanager compos_verify:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
#line 6
allow servicemanager compos_verify:dir search;
#line 6
allow servicemanager compos_verify:file { read open };
#line 6
allow servicemanager compos_verify:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6
# NOTE(review): the bare ";" below is a leftover of the preprocessed source
# and is kept as found.
;
#line 7
# Transition to virtualizationmanager when the client executes it.
#line 7
#line 7
# Allow the necessary permissions.
#line 7
#line 7
# Old domain may exec the file and transition to the new domain.
#line 7
allow compos_verify virtualizationmanager_exec:file { getattr open read execute map };
#line 7
allow compos_verify virtualizationmanager:process transition;
#line 7
# New domain is entered by executing the file.
#line 7
allow virtualizationmanager virtualizationmanager_exec:file { entrypoint open read execute getattr map };
#line 7
# New domain can send SIGCHLD to its caller.
#line 7
allow virtualizationmanager compos_verify:process sigchld;
#line 7
# Enable AT_SECURE, i.e. libc secure mode.
#line 7
dontaudit compos_verify virtualizationmanager:process noatsecure;
#line 7
# XXX dontaudit candidate but requires further study.
#line 7
allow compos_verify virtualizationmanager:process { siginh rlimitinh };
#line 7
#line 7
# Make the transition occur by default.
#line 7
type_transition compos_verify virtualizationmanager_exec:process virtualizationmanager;
#line 7
#line 7
# Allow virtualizationmanager to communicate over UDS with the client.
#line 7
allow { virtualizationmanager crosvm } compos_verify:unix_stream_socket { ioctl getattr read write };
#line 7
# Let the client pass file descriptors to virtualizationmanager and on to crosvm.
#line 7
allow { virtualizationmanager crosvm } compos_verify:fd use;
#line 7
# Let the client use file descriptors created by virtualizationmanager.
#line 7
allow compos_verify virtualizationmanager:fd use;
#line 7
# Allow piping console log to the client
#line 7
allow { virtualizationmanager crosvm } compos_verify:fifo_file { ioctl getattr read write };
#line 7
# Allow client to read/write vsock created by virtualizationmanager to communicate with the VM
#line 7
# that it created. Notice that we do not grant permission to create a vsock;
#line 7
# the client can only connect to VMs that it owns.
#line 7
allow compos_verify virtualizationmanager:vsock_socket { getattr getopt read write };
#line 7
# Allow client to inspect hypervisor capabilities
#line 7
#line 7
allow compos_verify hypervisor_prop:file { getattr open read map };
#line 7
#line 7
# Allow client to read (but not open) the crashdump provided by virtualizationmanager
#line 7
allow compos_verify virtualizationservice_data_file:file { getattr read };
#line 7
;
# Read instance image & write VM logs
allow compos_verify apex_module_data_file:dir search;
allow compos_verify apex_compos_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow compos_verify apex_compos_data_file:file { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } create };
# Read CompOS info & signature files
allow compos_verify apex_art_data_file:dir search;
allow compos_verify apex_art_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow odsign to redirect our stdout/stderr to log
allow compos_verify odsign:fd use;
allow compos_verify odsign_devpts:chr_file { read write };
# Only odsign can enter the domain via exec
neverallow { domain -odsign } compos_verify:process transition;
neverallow * compos_verify:process dyntransition;
#line 1 "system/sepolicy/private/composd.te"
type composd, domain, coredomain;
type composd_exec, system_file_type, exec_type, file_type;
# Host dynamic AIDL services
#line 5
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init composd_exec:file { getattr open read execute map };
#line 5
allow init composd:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow composd composd_exec:file { entrypoint open read execute getattr map };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init composd:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init composd:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition init composd_exec:process composd;
#line 5
#line 5
#line 6
# Call the servicemanager and transfer references to it.
#line 6
allow composd servicemanager:binder { call transfer };
#line 6
# Allow servicemanager to send out callbacks
#line 6
allow servicemanager composd:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
#line 6
allow servicemanager composd:dir search;
#line 6
allow servicemanager composd:file { read open };
#line 6
allow servicemanager composd:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6
#line 7
# composd is the only domain that may register compos_service; the
# neverallow makes any other registration a policy build failure.
allow composd compos_service:service_manager { add find };
#line 7
neverallow { domain -composd } compos_service:service_manager add;
#line 7
#line 7
# On debug builds with root, allow binder services to use binder over TCP.
#line 7
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 7
#line 7
# Call back into system server
#line 10
# Call the server domain and optionally transfer references to it.
#line 10
allow composd system_server:binder { call transfer };
#line 10
# Allow the serverdomain to transfer references to the client on the reply.
#line 10
allow system_server composd:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow composd system_server:fd use;
#line 10
# Start a VM
#line 13
# Transition to virtualizationmanager when the client executes it.
#line 13
#line 13
# Allow the necessary permissions.
#line 13
#line 13
# Old domain may exec the file and transition to the new domain.
#line 13
allow composd virtualizationmanager_exec:file { getattr open read execute map };
#line 13
allow composd virtualizationmanager:process transition;
#line 13
# New domain is entered by executing the file.
#line 13
allow virtualizationmanager virtualizationmanager_exec:file { entrypoint open read execute getattr map };
#line 13
# New domain can send SIGCHLD to its caller.
#line 13
allow virtualizationmanager composd:process sigchld;
#line 13
# Enable AT_SECURE, i.e. libc secure mode.
#line 13
dontaudit composd virtualizationmanager:process noatsecure;
#line 13
# XXX dontaudit candidate but requires further study.
#line 13
allow composd virtualizationmanager:process { siginh rlimitinh };
#line 13
#line 13
# Make the transition occur by default.
#line 13
type_transition composd virtualizationmanager_exec:process virtualizationmanager;
#line 13
#line 13
# Allow virtualizationmanager to communicate over UDS with the client.
#line 13
allow { virtualizationmanager crosvm } composd:unix_stream_socket { ioctl getattr read write };
#line 13
# Let the client pass file descriptors to virtualizationmanager and on to crosvm.
#line 13
allow { virtualizationmanager crosvm } composd:fd use;
#line 13
# Let the client use file descriptors created by virtualizationmanager.
#line 13
allow composd virtualizationmanager:fd use;
#line 13
# Allow piping console log to the client
#line 13
allow { virtualizationmanager crosvm } composd:fifo_file { ioctl getattr read write };
#line 13
# Allow client to read/write vsock created by virtualizationmanager to communicate with the VM
#line 13
# that it created. Notice that we do not grant permission to create a vsock;
#line 13
# the client can only connect to VMs that it owns.
#line 13
allow composd virtualizationmanager:vsock_socket { getattr getopt read write };
#line 13
# Allow client to inspect hypervisor capabilities
#line 13
#line 13
allow composd hypervisor_prop:file { getattr open read map };
#line 13
#line 13
# Allow client to read (but not open) the crashdump provided by virtualizationmanager
#line 13
allow composd virtualizationservice_data_file:file { getattr read };
#line 13
# Prepare staging directory for odrefresh
allow composd apex_art_data_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelfrom };
allow composd apex_art_staging_data_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelto };
allow composd apex_art_staging_data_file:file { getattr unlink };
# Delete files or enable fs-verity in the odrefresh target directory
allow composd apex_art_data_file:file { open ioctl read unlink write };
# The ioctl grant above is narrowed to a single command number; per the
# comment above this is the fs-verity enable ioctl (presumably
# FS_IOC_ENABLE_VERITY — confirm against the kernel header).
allowxperm composd apex_art_data_file:file ioctl 0x6685;
# Access our APEX data files
allow composd apex_module_data_file:dir search;
allow composd apex_compos_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow composd apex_compos_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Run fd_server in its own domain, and send SIGTERM when finished.
#line 30
# Allow the necessary permissions.
#line 30
#line 30
# Old domain may exec the file and transition to the new domain.
#line 30
allow composd fd_server_exec:file { getattr open read execute map };
#line 30
allow composd compos_fd_server:process transition;
#line 30
# New domain is entered by executing the file.
#line 30
allow compos_fd_server fd_server_exec:file { entrypoint open read execute getattr map };
#line 30
# New domain can send SIGCHLD to its caller.
#line 30
allow compos_fd_server composd:process sigchld;
#line 30
# Enable AT_SECURE, i.e. libc secure mode.
#line 30
dontaudit composd compos_fd_server:process noatsecure;
#line 30
# XXX dontaudit candidate but requires further study.
#line 30
allow composd compos_fd_server:process { siginh rlimitinh };
#line 30
#line 30
# Make the transition occur by default.
#line 30
type_transition composd fd_server_exec:process compos_fd_server;
#line 30
allow composd compos_fd_server:process signal;
# Read properties used to configure the CompOS VM
#line 34
allow composd composd_vm_art_prop:file { getattr open read map };
#line 34
#line 35
allow composd composd_vm_vendor_prop:file { getattr open read map };
#line 35
# Read ART's properties
#line 38
allow composd dalvik_config_prop_type:file { getattr open read map };
#line 38
#line 39
allow composd device_config_runtime_native_boot_prop:file { getattr open read map };
#line 39
# We never create any artifact files directly
neverallow composd apex_art_data_file:file create;
# ART sets these properties via init script, nothing else should
neverallow { domain -init } composd_vm_art_prop:property_service set;
#line 1 "system/sepolicy/private/coredomain.te"
#line 1
allow coredomain apex_ready_prop:file { getattr open read map };
#line 1
#line 2
allow coredomain boot_status_prop:file { getattr open read map };
#line 2
#line 3
allow coredomain camera_config_prop:file { getattr open read map };
#line 3
#line 4
allow coredomain dalvik_config_prop_type:file { getattr open read map };
#line 4
#line 5
allow coredomain dalvik_runtime_prop:file { getattr open read map };
#line 5
#line 6
allow coredomain exported_pm_prop:file { getattr open read map };
#line 6
#line 7
allow coredomain ffs_config_prop:file { getattr open read map };
#line 7
#line 8
allow coredomain graphics_config_prop:file { getattr open read map };
#line 8
#line 9
allow coredomain graphics_config_writable_prop:file { getattr open read map };
#line 9
#line 10
allow coredomain hdmi_config_prop:file { getattr open read map };
#line 10
#line 11
allow coredomain init_service_status_private_prop:file { getattr open read map };
#line 11
#line 12
allow coredomain lmkd_config_prop:file { getattr open read map };
#line 12
#line 13
allow coredomain localization_prop:file { getattr open read map };
#line 13
#line 14
allow coredomain pm_prop:file { getattr open read map };
#line 14
#line 15
allow coredomain radio_control_prop:file { getattr open read map };
#line 15
#line 16
allow coredomain rollback_test_prop:file { getattr open read map };
#line 16
#line 17
allow coredomain setupwizard_prop:file { getattr open read map };
#line 17
#line 18
allow coredomain setupwizard_mode_prop:file { getattr open read map };
#line 18
#line 19
allow coredomain sqlite_log_prop:file { getattr open read map };
#line 19
#line 20
allow coredomain storagemanager_config_prop:file { getattr open read map };
#line 20
#line 21
allow coredomain surfaceflinger_color_prop:file { getattr open read map };
#line 21
#line 22
allow coredomain systemsound_config_prop:file { getattr open read map };
#line 22
#line 23
allow coredomain telephony_config_prop:file { getattr open read map };
#line 23
#line 24
allow coredomain usb_config_prop:file { getattr open read map };
#line 24
#line 25
allow coredomain usb_control_prop:file { getattr open read map };
#line 25
#line 26
allow coredomain userspace_reboot_config_prop:file { getattr open read map };
#line 26
#line 27
allow coredomain vold_config_prop:file { getattr open read map };
#line 27
#line 28
allow coredomain vts_status_prop:file { getattr open read map };
#line 28
#line 29
allow coredomain zygote_config_prop:file { getattr open read map };
#line 29
#line 30
allow coredomain zygote_wrap_prop:file { getattr open read map };
#line 30
# TODO(b/170590987): remove this after cleaning up default_prop
#line 33
allow coredomain default_prop:file { getattr open read map };
#line 33
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 35
#line 35
neverallow {
#line 35
coredomain
#line 35
#line 35
# for chowning
#line 35
-init
#line 35
#line 35
# generic access to sysfs_type
#line 35
-apexd
#line 35
-ueventd
#line 35
-vold
#line 35
} sysfs_leds:file *;
#line 35
#line 35
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 47
# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few allowlisted coredomains to keep system/vendor separation.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 51
#line 51
# Limit access to /vendor/app
#line 51
neverallow {
#line 51
coredomain
#line 51
-appdomain
#line 51
-artd
#line 51
-dex2oat
#line 51
-dexoptanalyzer
#line 51
-idmap
#line 51
-init
#line 51
-installd
#line 51
-heapprofd
#line 51
-postinstall_dexopt
#line 51
-rs # spawned by appdomain, so carryover the exception above
#line 51
-system_server
#line 51
-traced_perf
#line 51
} vendor_app_file:dir { open read getattr search };
#line 51
#line 51
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 68
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 70
#line 70
neverallow {
#line 70
coredomain
#line 70
-appdomain
#line 70
-artd
#line 70
-dex2oat
#line 70
-dexoptanalyzer
#line 70
-idmap
#line 70
-init
#line 70
-installd
#line 70
-heapprofd
#line 70
#line 70
-postinstall_dexopt
#line 70
-profman
#line 70
-rs # spawned by appdomain, so carryover the exception above
#line 70
#line 70
-system_server
#line 70
-traced_perf
#line 70
-mediaserver
#line 70
} vendor_app_file:file { getattr open read ioctl lock map watch watch_reads };
#line 70
#line 70
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 90
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 92
#line 92
# Limit access to /vendor/overlay
#line 92
neverallow {
#line 92
coredomain
#line 92
-appdomain
#line 92
-artd
#line 92
-dex2oat
#line 92
-dexoptanalyzer
#line 92
-idmap
#line 92
-init
#line 92
-installd
#line 92
-postinstall_dexopt
#line 92
-rs # spawned by appdomain, so carryover the exception above
#line 92
-system_server
#line 92
-traced_perf
#line 92
-app_zygote
#line 92
-webview_zygote
#line 92
-zygote
#line 92
-heapprofd
#line 92
} vendor_overlay_file:dir { getattr open read search };
#line 92
#line 92
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 112
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 114
#line 114
neverallow {
#line 114
coredomain
#line 114
-appdomain
#line 114
-artd
#line 114
-dex2oat
#line 114
-dexoptanalyzer
#line 114
-idmap
#line 114
-init
#line 114
-installd
#line 114
-postinstall_dexopt
#line 114
-rs # spawned by appdomain, so carryover the exception above
#line 114
-system_server
#line 114
-traced_perf
#line 114
-app_zygote
#line 114
-webview_zygote
#line 114
-zygote
#line 114
-heapprofd
#line 114
#line 114
#line 114
} vendor_overlay_file:file open;
#line 114
#line 114
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 135
# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 140
#line 140
# /proc
#line 140
neverallow {
#line 140
coredomain
#line 140
-init
#line 140
-vold
#line 140
} proc:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 140
#line 140
# /sys
#line 140
neverallow {
#line 140
coredomain
#line 140
-apexd
#line 140
-init
#line 140
-ueventd
#line 140
#line 140
-vold
#line 140
} sysfs:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 140
#line 140
# /dev
#line 140
neverallow {
#line 140
coredomain
#line 140
-apexd
#line 140
-fsck
#line 140
-init
#line 140
-ueventd
#line 140
} device:{ blk_file file } { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 140
#line 140
# debugfs
#line 140
neverallow {
#line 140
coredomain
#line 140
#line 140
-dumpstate
#line 140
-init
#line 140
-system_server
#line 140
#line 140
} debugfs:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 140
#line 140
# tracefs
#line 140
neverallow {
#line 140
coredomain
#line 140
-atrace
#line 140
-dumpstate
#line 140
-gpuservice
#line 140
-init
#line 140
-traced_perf
#line 140
-traced_probes
#line 140
-shell
#line 140
-system_server
#line 140
-traceur_app
#line 140
#line 140
#line 140
} debugfs_tracing:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 140
#line 140
# inotifyfs
#line 140
neverallow {
#line 140
coredomain
#line 140
-init
#line 140
} inotify:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 140
#line 140
# pstorefs
#line 140
neverallow {
#line 140
coredomain
#line 140
-bootstat
#line 140
-charger
#line 140
-dumpstate
#line 140
#line 140
-init
#line 140
-logd
#line 140
-logpersist
#line 140
-recovery_persist
#line 140
-recovery_refresh
#line 140
-shell
#line 140
-system_server
#line 140
} pstorefs:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 140
#line 140
# configfs
#line 140
neverallow {
#line 140
coredomain
#line 140
-init
#line 140
-system_server
#line 140
} configfs:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 140
#line 140
# functionfs
#line 140
neverallow {
#line 140
coredomain
#line 140
-adbd
#line 140
-init
#line 140
-mediaprovider
#line 140
-system_server
#line 140
} functionfs:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 140
#line 140
# usbfs and binfmt_miscfs
#line 140
neverallow {
#line 140
coredomain
#line 140
-init
#line 140
}{ usbfs binfmt_miscfs }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 140
#line 140
# dmabuf heaps
#line 140
neverallow {
#line 140
coredomain
#line 140
-init
#line 140
-ueventd
#line 140
}{
#line 140
dmabuf_heap_device_type
#line 140
-dmabuf_system_heap_device
#line 140
-dmabuf_system_secure_heap_device
#line 140
}:chr_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 140
#line 140
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 247
# Following /dev nodes must not be directly accessed by coredomain, but should
# instead be wrapped by HALs.
neverallow coredomain { iio_device radio_device }:chr_file { open read append write ioctl };
# TODO(b/120243891): HAL permission to tee_device is included into coredomain
# on non-Treble devices.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 258
#line 258
neverallow coredomain tee_device:chr_file { open read append write ioctl };
#line 258
#line 258
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 260
#line 1 "system/sepolicy/private/cppreopts.te"
# cppreopts
#
# This command copies preopted files from the system_b partition to the data
# partition. This domain ensures that we are only copying into specific
# directories.
type cppreopts, domain, mlstrustedsubject, coredomain;
type cppreopts_exec, system_file_type, exec_type, file_type;
# Technically not a daemon but we do want the transition from init domain to
# cppreopts to occur.
#line 12
#line 12
# Allow the necessary permissions.
#line 12
#line 12
# Old domain may exec the file and transition to the new domain.
#line 12
allow init cppreopts_exec:file { getattr open read execute map };
#line 12
allow init cppreopts:process transition;
#line 12
# New domain is entered by executing the file.
#line 12
allow cppreopts cppreopts_exec:file { entrypoint open read execute getattr map };
#line 12
# New domain can send SIGCHLD to its caller.
#line 12
#line 12
# Enable AT_SECURE, i.e. libc secure mode.
#line 12
dontaudit init cppreopts:process noatsecure;
#line 12
# XXX dontaudit candidate but requires further study.
#line 12
allow init cppreopts:process { siginh rlimitinh };
#line 12
#line 12
# Make the transition occur by default.
#line 12
type_transition init cppreopts_exec:process cppreopts;
#line 12
#line 12
#line 13
# Allow the necessary permissions.
#line 13
#line 13
# Old domain may exec the file and transition to the new domain.
#line 13
allow cppreopts preopt2cachename_exec:file { getattr open read execute map };
#line 13
allow cppreopts preopt2cachename:process transition;
#line 13
# New domain is entered by executing the file.
#line 13
allow preopt2cachename preopt2cachename_exec:file { entrypoint open read execute getattr map };
#line 13
# New domain can send SIGCHLD to its caller.
#line 13
allow preopt2cachename cppreopts:process sigchld;
#line 13
# Enable AT_SECURE, i.e. libc secure mode.
#line 13
dontaudit cppreopts preopt2cachename:process noatsecure;
#line 13
# XXX dontaudit candidate but requires further study.
#line 13
allow cppreopts preopt2cachename:process { siginh rlimitinh };
#line 13
#line 13
# Make the transition occur by default.
#line 13
type_transition cppreopts preopt2cachename_exec:process preopt2cachename;
#line 13
;
# Allow cppreopts copy files into the dalvik-cache
allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
allow cppreopts dalvikcache_data_file:file { create getattr open read rename write unlink };
# Allow cppreopts to execute itself using #!/system/bin/sh
allow cppreopts shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow us to run find on /postinstall
allow cppreopts system_file:dir { open read };
# Allow running the cp command using cppreopts permissions. Needed so we can
# write into dalvik-cache
allow cppreopts toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Silence the denial when /postinstall cannot be mounted, e.g., system_other
# is wiped, but cppreopts.sh still runs.
dontaudit cppreopts postinstall_mnt_dir:dir search;
#line 1 "system/sepolicy/private/crash_dump.te"
typeattribute crash_dump coredomain;
# Crash dump does not need to access devices passed across exec().
dontaudit crash_dump { devpts dev_type }:chr_file { read write };
# ptrace over nearly every domain; the excluded domains are re-asserted as a
# neverallow further down so the two lists must be kept in sync.
allow crash_dump { domain -apexd -bpfloader -crash_dump -init -kernel -keystore -llkd -logd -ueventd -vendor_init -vold }:process { ptrace signal sigchld sigstop sigkill };
#line 29
# Read ART APEX data directory
allow crash_dump apex_art_data_file:dir { getattr search };
allow crash_dump apex_art_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow crash dump to read bootstrap libraries
allow crash_dump system_bootstrap_lib_file:dir { getattr search };
allow crash_dump system_bootstrap_lib_file:file { getattr open read ioctl lock map watch watch_reads };
# Read Vendor APEX directories
allow crash_dump vendor_apex_metadata_file:dir { getattr search };
###
### neverallow assertions
###
# sigchld not explicitly forbidden since it's part of the
# domain-transition-on-exec macros, and is by itself not sensitive
neverallow crash_dump { apexd bpfloader init kernel keystore llkd logd ueventd vendor_init vold }:process { ptrace signal sigstop sigkill };
neverallow crash_dump self:process ptrace;
neverallow crash_dump gpu_device:chr_file *;
#line 1 "system/sepolicy/private/credstore.te"
typeattribute credstore coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init credstore_exec:file { getattr open read execute map };
#line 3
allow init credstore:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow credstore credstore_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init credstore:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init credstore:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init credstore_exec:process credstore;
#line 3
#line 3
# talk to Identity Credential
#line 6
typeattribute credstore halclientdomain;
#line 6
typeattribute credstore hal_identity_client;
#line 6
#line 6
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 6
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 6
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 6
#line 6
typeattribute credstore hal_identity;
#line 6
# Find passthrough HAL implementations
#line 6
allow hal_identity system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 6
allow hal_identity vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 6
allow hal_identity vendor_file:file { read open getattr execute map };
#line 6
#line 6
# talk to keymint, specifically for IRemotelyProvisionedComponent/default
#line 9
typeattribute credstore halclientdomain;
#line 9
typeattribute credstore hal_keymint_client;
#line 9
#line 9
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 9
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 9
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 9
#line 9
typeattribute credstore hal_keymint;
#line 9
# Find passthrough HAL implementations
#line 9
allow hal_keymint system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow hal_keymint vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow hal_keymint vendor_file:file { read open getattr execute map };
#line 9
#line 9
# credstore needs to get keys from the RKPD
#line 12
allow credstore remote_prov_prop:file { getattr open read map };
#line 12
allow credstore remote_provisioning_service:service_manager find;
#line 1 "system/sepolicy/private/crosvm.te"
type crosvm, domain, coredomain;
type crosvm_exec, system_file_type, exec_type, file_type;
type crosvm_tmpfs, file_type;
# Let crosvm open VM manager devices such as /dev/kvm.
allow crosvm vm_manager_device_type:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Most other domains shouldn't access /dev/kvm.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
# NOTE(review): every domain except crosvm is asserted to have no kvm ioctl other
# than 0xae03 (presumably KVM_CHECK_EXTENSION; confirm against the kernel uapi header).
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ 0x0000ae03 };
# Most other domains shouldn't access other vm managers either.
# These restrictions need to be slightly looser than for kvm_device to allow
# for different implementations.
neverallow { coredomain appdomain -crosvm -ueventd -shell } vm_manager_device_type:chr_file getattr;
neverallow { coredomain appdomain -crosvm -ueventd } vm_manager_device_type:chr_file ~getattr;
# Let crosvm create temporary files.
#line 20
type_transition crosvm tmpfs:file crosvm_tmpfs;
#line 20
allow crosvm crosvm_tmpfs:file { read write getattr map };
#line 20
# Let crosvm receive file descriptors from VirtualizationService.
allow crosvm virtualizationmanager:fd use;
# Allow sending VirtualizationService the failure reason and console/log from the VM via pipe.
allow crosvm virtualizationmanager:fifo_file write;
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
# /data/local/tmp), instance.img (app_data_file), and microdroid vendor image (vendor_microdroid_file).
# Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
# Note that the open permission is not given as the files are passed as file descriptors.
allow crosvm { virtualizationservice_data_file staging_data_file apk_data_file app_data_file privapp_data_file apex_compos_data_file apex_virt_data_file shell_data_file vendor_microdroid_file }:file { getattr read ioctl lock };
# Allow searching the directory where the composite disk images are.
allow crosvm virtualizationservice_data_file:dir search;
# When running a VM as root we get spurious capability denials.
# Suppress them.
#line 52
# Allow crosvm to tune for performance.
allow crosvm self:{ capability cap_userns } sys_nice;
# Let crosvm access its control socket as created by VS.
# read, write, getattr: listener socket polling
# accept: listener socket accepting new connection
# Note that the open permission is not given as the socket is passed by FD.
allow crosvm virtualizationmanager:unix_stream_socket { accept read write getattr getopt };
# Let crosvm open test artifacts under /data/local/tmp with file path. (e.g. custom pvmfw.img)
#line 67
# The instance image and the composite image should be writable as well because they could represent
# mutable disks.
allow crosvm { virtualizationservice_data_file app_data_file privapp_data_file apex_compos_data_file apex_virt_data_file }:file write;
# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
allow crosvm adbd:fd use;
allow crosvm adbd:unix_stream_socket { read write };
allow crosvm devpts:chr_file { read write getattr ioctl };
# crosvm tries to use netlink sockets as part of its ACPI implementation, but we don't need it for AVF (b/228077254)
dontaudit crosvm self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# crosvm can write files in /data/local/tmp which are usually used for instance.img and logging by
# compliance tests and demo apps. Write access to instance.img is particularly important because
# the VM has to initialize the disk image on its first boot. Note that open access is still not
# granted because the files are expected to be opened by the owner of the VM (apps or shell in case
# when the vm is created by the `vm` tool) and handed over to crosvm as FD.
allow crosvm shell_data_file:file write;
# crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
# forward console/log to the host logcat).
# crosvm only needs write permission, so dontaudit read
dontaudit crosvm virtualizationmanager:fifo_file { read getattr };
# Required for crosvm to start gdb-server to enable debugging of guest kernel.
# NOTE(review): in this expanded policy the listening tcp_socket rules below are not
# inside a build-variant-conditional block; confirm that is intended for all builds.
allow crosvm self:tcp_socket { bind create read setopt write accept listen };
allow crosvm port:tcp_socket name_bind;
allow crosvm adbd:unix_stream_socket ioctl;
allow crosvm node:tcp_socket node_bind;
# Allow crosvm to interact to VFIO device
allow crosvm vfio_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow crosvm vfio_device:dir { open getattr read search ioctl lock watch watch_reads };
# Allow crosvm to access VM DTBO via a file created by virtualizationmanager.
allow crosvm virtualizationmanager:fd use;
allow crosvm virtualizationservice_data_file:file read;
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
# open them on its behalf. By preventing crosvm from opening any other files we prevent this
# potential privilege escalation. See http://b/192453819 for more discussion.
neverallow crosvm { virtualizationservice_data_file staging_data_file apk_data_file app_data_file privapp_data_file }:file open;
# Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 128
#line 128
neverallow crosvm {
#line 128
vendor_file_type
#line 128
-vendor_vm_file
#line 128
-vendor_vm_data_file
#line 128
# These types are not required for crosvm, but the access is granted to globally in domain.te
#line 128
# thus should be exempted here.
#line 128
-vendor_configs_file
#line 128
-vendor_microdroid_file
#line 128
-vndk_sp_file
#line 128
-vendor_task_profiles_file
#line 128
}:file *;
#line 128
#line 128
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 140
# Only allow crosvm to read app data files for clients that can start
# VMs. Note that the use of app data files is further restricted
# inside the virtualizationservice by checking the label of all disk
# image files.
neverallow crosvm { app_data_file_type -app_data_file -privapp_data_file -shell_data_file }:file read;
# Only virtualizationmanager can run crosvm
neverallow { domain -crosvm -virtualizationmanager } crosvm_exec:file { execute execute_no_trans };
#line 1 "system/sepolicy/private/derive_classpath.te"
# Domain for derive_classpath
type derive_classpath, domain, coredomain;
type derive_classpath_exec, system_file_type, exec_type, file_type;
#line 5
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init derive_classpath_exec:file { getattr open read execute map };
#line 5
allow init derive_classpath:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow derive_classpath derive_classpath_exec:file { entrypoint open read execute getattr map };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init derive_classpath:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init derive_classpath:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition init derive_classpath_exec:process derive_classpath;
#line 5
#line 5
# Read /apex
allow derive_classpath apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads };
allow derive_classpath vendor_apex_metadata_file:dir { open getattr read search ioctl lock watch watch_reads };
# Create /data/system/environ/classpath file
allow derive_classpath environ_system_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow derive_classpath environ_system_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# b/183079517 fails on gphone targets otherwise
allow derive_classpath unlabeled:dir search;
# Allow derive_classpath to write the classpath into ota dexopt
# - Read the ota's apex dir
allow derive_classpath postinstall_apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads };
# - Report the BCP to the ota's dexopt
allow derive_classpath postinstall_dexopt:dir search;
allow derive_classpath postinstall_dexopt:fd use;
allow derive_classpath postinstall_dexopt:file read;
allow derive_classpath postinstall_dexopt:lnk_file read;
allow derive_classpath postinstall_dexopt_tmpfs:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 1 "system/sepolicy/private/derive_sdk.te"
# Domain for derive_sdk
type derive_sdk, domain, coredomain;
type derive_sdk_exec, system_file_type, exec_type, file_type;
#line 5
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init derive_sdk_exec:file { getattr open read execute map };
#line 5
allow init derive_sdk:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow derive_sdk derive_sdk_exec:file { entrypoint open read execute getattr map };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init derive_sdk:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init derive_sdk:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition init derive_sdk_exec:process derive_sdk;
#line 5
#line 5
# Read /apex
allow derive_sdk apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads };
allow derive_sdk vendor_apex_metadata_file:dir { open getattr read search ioctl lock watch watch_reads };
# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
#line 12
#line 12
allow derive_sdk property_socket:sock_file write;
#line 12
allow derive_sdk init:unix_stream_socket connectto;
#line 12
#line 12
allow derive_sdk module_sdkextensions_prop:property_service set;
#line 12
#line 12
allow derive_sdk module_sdkextensions_prop:file { getattr open read map };
#line 12
#line 12
# Setting this property is reserved to init and derive_sdk; the assertion keeps
# any other domain from being granted it later.
neverallow { domain -init -derive_sdk } module_sdkextensions_prop:property_service set;
# Allow derive_sdk to write data back to dumpstate when forked from dumpstate.
# The shell_data_file permissions are needed when a bugreport is taken: # dumpstate will redirect its stdout to a temporary shell_data_file:file, and # this makes derive_sdk append to that file. allow derive_sdk dumpstate:fd use; allow derive_sdk dumpstate:unix_stream_socket { read write }; allow derive_sdk shell_data_file:file { getattr append read write }; #line 1 "system/sepolicy/private/device_as_webcam.te" # Domain for DeviceAsWebcam Service type device_as_webcam, domain, coredomain, mlstrustedsubject; #line 4 typeattribute device_as_webcam appdomain; #line 4 # Label tmpfs objects for all apps. #line 4 type_transition device_as_webcam tmpfs:file appdomain_tmpfs; #line 4 #line 4 # Set up a type_transition to "userfaultfd" named anonymous inode object. #line 4 type device_as_webcam_userfaultfd; #line 4 type_transition device_as_webcam device_as_webcam:anon_inode device_as_webcam_userfaultfd "[userfaultfd]"; #line 4 # Allow domain to create/use userfaultfd anon_inode. #line 4 allow device_as_webcam device_as_webcam_userfaultfd:anon_inode { create ioctl read }; #line 4 # Suppress errors generate during bugreport #line 4 dontaudit su device_as_webcam_userfaultfd:anon_inode *; #line 4 # Other domains may not use userfaultfd anon_inodes created by this domain. 
#line 4 neverallow { domain -device_as_webcam } device_as_webcam_userfaultfd:anon_inode *; #line 4 #line 4 allow device_as_webcam appdomain_tmpfs:file { execute getattr map read write }; #line 4 neverallow { device_as_webcam -runas_app -shell -simpleperf } { domain -device_as_webcam }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 4 neverallow { appdomain -runas_app -shell -simpleperf -device_as_webcam } device_as_webcam:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 4 # The Android security model guarantees the confidentiality and integrity #line 4 # of application data and execution state. Ptrace bypasses those #line 4 # confidentiality guarantees. Disallow ptrace access from system components to #line 4 # apps. crash_dump is excluded, as it needs ptrace access to produce stack #line 4 # traces. runas_app is excluded, as it operates only on debuggable apps. #line 4 # simpleperf is excluded, as it operates only on debuggable or profileable #line 4 # apps. llkd is excluded, as it needs ptrace access to inspect stack traces for #line 4 # live lock conditions. 
#line 4 neverallow { domain -device_as_webcam -crash_dump -runas_app -simpleperf } device_as_webcam:process ptrace; #line 4 allow device_as_webcam system_app_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow device_as_webcam system_app_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow device_as_webcam { app_api_service cameraserver_service }:service_manager find; # Allow DeviceAsWebcam Service needs to access ro.usb.uvc.enabled property to # enale/disable itself #line 13 allow device_as_webcam usb_uvc_enabled_prop:file { getattr open read map }; #line 13 # need to access /dev to list all devices allow device_as_webcam device:dir { open getattr read search ioctl lock watch watch_reads }; # UVC nodes are mounted as V4L2 nodes (/dev/video*) on the device. These need to # be accessed by the DeviceAsWebcam Service. allow device_as_webcam video_device:dir { open getattr read search ioctl lock watch watch_reads }; allow device_as_webcam video_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; #line 1 "system/sepolicy/private/dex2oat.te" # dex2oat type dex2oat, domain, coredomain; type dex2oat_exec, system_file_type, exec_type, file_type; #line 5 # Set up a type_transition to "userfaultfd" named anonymous inode object. #line 5 type dex2oat_userfaultfd; #line 5 type_transition dex2oat dex2oat:anon_inode dex2oat_userfaultfd "[userfaultfd]"; #line 5 # Allow domain to create/use userfaultfd anon_inode. #line 5 allow dex2oat dex2oat_userfaultfd:anon_inode { create ioctl read }; #line 5 # Suppress errors generate during bugreport #line 5 dontaudit su dex2oat_userfaultfd:anon_inode *; #line 5 # Other domains may not use userfaultfd anon_inodes created by this domain. 
#line 5 neverallow { domain -dex2oat } dex2oat_userfaultfd:anon_inode *; #line 5 #line 7 allow dex2oat apk_data_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 7 allow dex2oat apk_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 7 # Access to /vendor/app #line 9 allow dex2oat vendor_app_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 9 allow dex2oat vendor_app_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 9 # Access /vendor/framework allow dex2oat vendor_framework_file:dir { getattr search }; allow dex2oat vendor_framework_file:file { getattr open read map }; # Access /vendor/overlay #line 14 allow dex2oat vendor_overlay_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 14 allow dex2oat vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 14 ; # Vendor overlay can be found in vendor apex allow dex2oat vendor_apex_metadata_file:dir { getattr search }; allow dex2oat tmpfs:file { read getattr map }; #line 20 allow dex2oat dalvikcache_data_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 20 allow dex2oat dalvikcache_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 20 allow dex2oat dalvikcache_data_file:file write; # Acquire advisory lock on /system/framework/arm/* allow dex2oat system_file:file lock; allow dex2oat postinstall_file:file lock; # Read already open asec_apk_file file descriptors passed by installd. # Also allow reading unlabeled files, to allow for upgrading forward # locked APKs. 
allow dex2oat asec_apk_file:file { read map }; allow dex2oat unlabeled:file { read map }; allow dex2oat oemfs:file { read map }; allow dex2oat apk_tmp_file:dir search; allow dex2oat apk_tmp_file:file { getattr open read ioctl lock map watch watch_reads }; allow dex2oat user_profile_data_file:file { getattr read lock map }; # Allow dex2oat to compile app's secondary dex files which were reported back to # the framework. allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map }; # Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime. allow dex2oat apex_module_data_file:dir search; # Allow dex2oat to use devpts passed from odsign. allow dex2oat odsign_devpts:chr_file { read write }; # Allow dex2oat to write to file descriptors from odrefresh for files # in the staging area. allow dex2oat apex_art_staging_data_file:dir { open getattr read search ioctl lock watch watch_reads }; allow dex2oat apex_art_staging_data_file:file { getattr map read write unlink }; # Allow dex2oat to read artifacts from odrefresh. allow dex2oat apex_art_data_file:dir { open getattr read search ioctl lock watch watch_reads }; allow dex2oat apex_art_data_file:file { getattr open read ioctl lock map watch watch_reads }; # Allow dex2oat to read runtime native flag properties. #line 57 allow dex2oat device_config_runtime_native_prop:file { getattr open read map }; #line 57 #line 58 allow dex2oat device_config_runtime_native_boot_prop:file { getattr open read map }; #line 58 # Allow dex2oat to read /apex/apex-info-list.xml allow dex2oat apex_info_file:file { getattr open read ioctl lock map watch watch_reads }; # Allow dex2oat to use file descriptors passed from privileged programs. allow dex2oat { artd installd odrefresh odsign }:fd use; # Allow dex2oat to read the /proc filesystem for CPU features, etc. 
allow dex2oat proc_filesystems:file { getattr open read ioctl lock map watch watch_reads }; ################## # A/B OTA Dexopt # ################## # Allow dex2oat to use file descriptors from otapreopt. allow dex2oat postinstall_dexopt:fd use; # Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker). allow dex2oat postinstall_file:dir { open getattr read search ioctl lock watch watch_reads }; allow dex2oat postinstall_file:filesystem getattr; allow dex2oat postinstall_file:lnk_file { getattr read }; allow dex2oat postinstall_file:file read; # Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so). # TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX. allow dex2oat postinstall_file:file { execute getattr open }; # Allow dex2oat access to /postinstall/apex. allow dex2oat postinstall_apex_mnt_dir:dir { getattr search }; allow dex2oat postinstall_apex_mnt_dir:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; # Allow dex2oat access to files in /data/ota. allow dex2oat ota_data_file:dir { { open getattr read search ioctl lock watch watch_reads } add_name write }; allow dex2oat ota_data_file:file { getattr open read ioctl lock map watch watch_reads }; # Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images, # where the oat file is symlinked to the original file in /system. allow dex2oat ota_data_file:lnk_file { create read }; # It would be nice to tie this down, but currently, because of how images are written, we can't # pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to # create them itself (and make them world-readable). allow dex2oat ota_data_file:file { create { open append write lock map } setattr }; ############### # APEX Update # ############### # /dev/zero is inherited. allow dex2oat apexd:fd use; # Allow dex2oat to use file descriptors from preinstall. 
############## # Neverallow # ############## neverallow dex2oat app_data_file_type:{ file lnk_file sock_file fifo_file } open; #line 1 "system/sepolicy/private/dexopt_chroot_setup.te" type dexopt_chroot_setup, domain, coredomain; type dexopt_chroot_setup_exec, system_file_type, exec_type, file_type; type dexopt_chroot_setup_tmpfs, file_type; # Allow dexopt_chroot_setup to publish a binder service and make binder calls. #line 6 # Call the servicemanager and transfer references to it. #line 6 allow dexopt_chroot_setup servicemanager:binder { call transfer }; #line 6 # Allow servicemanager to send out callbacks #line 6 allow servicemanager dexopt_chroot_setup:binder { call transfer }; #line 6 # servicemanager performs getpidcon on clients. #line 6 allow servicemanager dexopt_chroot_setup:dir search; #line 6 allow servicemanager dexopt_chroot_setup:file { read open }; #line 6 allow servicemanager dexopt_chroot_setup:process getattr; #line 6 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 6 # all domains in domain.te. #line 6 #line 7 allow dexopt_chroot_setup dexopt_chroot_setup_service:service_manager { add find }; #line 7 neverallow { domain -dexopt_chroot_setup } dexopt_chroot_setup_service:service_manager add; #line 7 #line 7 # On debug builds with root, allow binder services to use binder over TCP. #line 7 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 7 #line 7 allow dexopt_chroot_setup dumpstate:fifo_file { getattr write }; allow dexopt_chroot_setup dumpstate:fd use; #line 11 #line 11 # Allow the necessary permissions. #line 11 #line 11 # Old domain may exec the file and transition to the new domain. #line 11 allow init dexopt_chroot_setup_exec:file { getattr open read execute map }; #line 11 allow init dexopt_chroot_setup:process transition; #line 11 # New domain is entered by executing the file. 
#line 11 allow dexopt_chroot_setup dexopt_chroot_setup_exec:file { entrypoint open read execute getattr map }; #line 11 # New domain can send SIGCHLD to its caller. #line 11 #line 11 # Enable AT_SECURE, i.e. libc secure mode. #line 11 dontaudit init dexopt_chroot_setup:process noatsecure; #line 11 # XXX dontaudit candidate but requires further study. #line 11 allow init dexopt_chroot_setup:process { siginh rlimitinh }; #line 11 #line 11 # Make the transition occur by default. #line 11 type_transition init dexopt_chroot_setup_exec:process dexopt_chroot_setup; #line 11 #line 11 # Use tmpfs_domain() which will give tmpfs files created by dexopt_chroot_setup their # own label, which differs from other labels created by other processes. # This allows to distinguish in policy files created by dexopt_chroot_setup vs other # processes. #line 17 type_transition dexopt_chroot_setup tmpfs:file dexopt_chroot_setup_tmpfs; #line 17 allow dexopt_chroot_setup dexopt_chroot_setup_tmpfs:file { read write getattr map }; #line 17 # libart (mark_compact.cc) has some intialization code that touches the cache # info file and userfaultfd. allow dexopt_chroot_setup apex_module_data_file:dir { getattr search }; #line 22 allow dexopt_chroot_setup apex_art_data_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 22 allow dexopt_chroot_setup apex_art_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 22 #line 23 # Set up a type_transition to "userfaultfd" named anonymous inode object. #line 23 type dexopt_chroot_setup_userfaultfd; #line 23 type_transition dexopt_chroot_setup dexopt_chroot_setup:anon_inode dexopt_chroot_setup_userfaultfd "[userfaultfd]"; #line 23 # Allow domain to create/use userfaultfd anon_inode. 
#line 23 allow dexopt_chroot_setup dexopt_chroot_setup_userfaultfd:anon_inode { create ioctl read }; #line 23 # Suppress errors generate during bugreport #line 23 dontaudit su dexopt_chroot_setup_userfaultfd:anon_inode *; #line 23 # Other domains may not use userfaultfd anon_inodes created by this domain. #line 23 neverallow { domain -dexopt_chroot_setup } dexopt_chroot_setup_userfaultfd:anon_inode *; #line 23 #line 1 "system/sepolicy/private/dexoptanalyzer.te" # dexoptanalyzer type dexoptanalyzer, domain, coredomain, mlstrustedsubject; type dexoptanalyzer_exec, system_file_type, exec_type, file_type; type dexoptanalyzer_tmpfs, file_type; #line 6 allow dexoptanalyzer apk_data_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 6 allow dexoptanalyzer apk_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 6 # Access to /vendor/app #line 8 allow dexoptanalyzer vendor_app_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 8 allow dexoptanalyzer vendor_app_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 8 # Reading an APK opens a ZipArchive, which unpack to tmpfs. # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their # own label, which differs from other labels created by other processes. # This allows to distinguish in policy files created by dexoptanalyzer vs other # processes. #line 15 type_transition dexoptanalyzer tmpfs:file dexoptanalyzer_tmpfs; #line 15 allow dexoptanalyzer dexoptanalyzer_tmpfs:file { read write getattr map }; #line 15 #line 17 # Set up a type_transition to "userfaultfd" named anonymous inode object. #line 17 type dexoptanalyzer_userfaultfd; #line 17 type_transition dexoptanalyzer dexoptanalyzer:anon_inode dexoptanalyzer_userfaultfd "[userfaultfd]"; #line 17 # Allow domain to create/use userfaultfd anon_inode. 
#line 17 allow dexoptanalyzer dexoptanalyzer_userfaultfd:anon_inode { create ioctl read }; #line 17 # Suppress errors generate during bugreport #line 17 dontaudit su dexoptanalyzer_userfaultfd:anon_inode *; #line 17 # Other domains may not use userfaultfd anon_inodes created by this domain. #line 17 neverallow { domain -dexoptanalyzer } dexoptanalyzer_userfaultfd:anon_inode *; #line 17 # Allow dexoptanalyzer to read files in the dalvik cache. allow dexoptanalyzer dalvikcache_data_file:dir { getattr search }; allow dexoptanalyzer dalvikcache_data_file:file { getattr open read ioctl lock map watch watch_reads }; # Read symlinks in /data/dalvik-cache. This is required for PIC mode boot # app_data_file the oat file is symlinked to the original file in /system. allow dexoptanalyzer dalvikcache_data_file:lnk_file read; # Allow dexoptanalyzer to read files in the ART APEX data directory. allow dexoptanalyzer { apex_art_data_file apex_module_data_file }:dir { getattr search }; allow dexoptanalyzer apex_art_data_file:file { getattr open read ioctl lock map watch watch_reads }; # Allow dexoptanalyzer to use file descriptors from odrefresh. allow dexoptanalyzer odrefresh:fd use; # Use devpts and fd from odsign (which exec()'s odrefresh) allow dexoptanalyzer odsign:fd use; allow dexoptanalyzer odsign_devpts:chr_file { read write }; allow dexoptanalyzer installd:fd use; allow dexoptanalyzer installd:fifo_file { getattr write }; # Acquire advisory lock on /system/framework/arm/* allow dexoptanalyzer system_file:file lock; # Allow reading secondary dex files that were reported by the app to the # package manager. allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map }; # dexoptanalyzer checks the DM files next to dex files. We don't need this check # for secondary dex files, but it's not harmful. Just deny it and ignore it. 
dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir search; # Allow testing /data/user/0 which symlinks to /data/data allow dexoptanalyzer system_data_file:lnk_file { getattr }; # Allow query ART device config properties #line 56 allow dexoptanalyzer device_config_runtime_native_prop:file { getattr open read map }; #line 56 #line 57 allow dexoptanalyzer device_config_runtime_native_boot_prop:file { getattr open read map }; #line 57 # Allow dexoptanalyzer to read /apex/apex-info-list.xml allow dexoptanalyzer apex_info_file:file { getattr open read ioctl lock map watch watch_reads }; #line 1 "system/sepolicy/private/dhcp.te" typeattribute dhcp coredomain; #line 3 #line 3 # Allow the necessary permissions. #line 3 #line 3 # Old domain may exec the file and transition to the new domain. #line 3 allow init dhcp_exec:file { getattr open read execute map }; #line 3 allow init dhcp:process transition; #line 3 # New domain is entered by executing the file. #line 3 allow dhcp dhcp_exec:file { entrypoint open read execute getattr map }; #line 3 # New domain can send SIGCHLD to its caller. #line 3 #line 3 # Enable AT_SECURE, i.e. libc secure mode. #line 3 dontaudit init dhcp:process noatsecure; #line 3 # XXX dontaudit candidate but requires further study. #line 3 allow init dhcp:process { siginh rlimitinh }; #line 3 #line 3 # Make the transition occur by default. 
#line 3 type_transition init dhcp_exec:process dhcp; #line 3 #line 3 type_transition dhcp system_data_file:{ dir file } dhcp_data_file; #line 6 #line 6 allow dhcp property_socket:sock_file write; #line 6 allow dhcp init:unix_stream_socket connectto; #line 6 #line 6 allow dhcp dhcp_prop:property_service set; #line 6 #line 6 allow dhcp dhcp_prop:file { getattr open read map }; #line 6 #line 6 #line 7 #line 7 allow dhcp property_socket:sock_file write; #line 7 allow dhcp init:unix_stream_socket connectto; #line 7 #line 7 allow dhcp pan_result_prop:property_service set; #line 7 #line 7 allow dhcp pan_result_prop:file { getattr open read map }; #line 7 #line 7 #line 1 "system/sepolicy/private/dmesgd.te" type dmesgd, domain, coredomain; type dmesgd_exec, system_file_type, exec_type, file_type; #line 4 #line 4 # Allow the necessary permissions. #line 4 #line 4 # Old domain may exec the file and transition to the new domain. #line 4 allow init dmesgd_exec:file { getattr open read execute map }; #line 4 allow init dmesgd:process transition; #line 4 # New domain is entered by executing the file. #line 4 allow dmesgd dmesgd_exec:file { entrypoint open read execute getattr map }; #line 4 # New domain can send SIGCHLD to its caller. #line 4 #line 4 # Enable AT_SECURE, i.e. libc secure mode. #line 4 dontaudit init dmesgd:process noatsecure; #line 4 # XXX dontaudit candidate but requires further study. #line 4 allow init dmesgd:process { siginh rlimitinh }; #line 4 #line 4 # Make the transition occur by default. 
#line 4 type_transition init dmesgd_exec:process dmesgd; #line 4 #line 4 allow dmesgd dmesgd_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow dmesgd dmesgd_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow dmesgd kernel:system syslog_read; allow dmesgd shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } }; allow dmesgd toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } }; #line 12 # Call the servicemanager and transfer references to it. #line 12 allow dmesgd servicemanager:binder { call transfer }; #line 12 # Allow servicemanager to send out callbacks #line 12 allow servicemanager dmesgd:binder { call transfer }; #line 12 # servicemanager performs getpidcon on clients. #line 12 allow servicemanager dmesgd:dir search; #line 12 allow servicemanager dmesgd:file { read open }; #line 12 allow servicemanager dmesgd:process getattr; #line 12 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 12 # all domains in domain.te. #line 12 #line 13 # Call the server domain and optionally transfer references to it. #line 13 allow dmesgd system_server:binder { call transfer }; #line 13 # Allow the serverdomain to transfer references to the client on the reply. #line 13 allow system_server dmesgd:binder transfer; #line 13 # Receive and use open files from the server. 
#line 13 allow dmesgd system_server:fd use; #line 13 allow dmesgd dropbox_service:service_manager find; allow dmesgd proc_version:file { getattr open read ioctl lock map watch watch_reads }; #line 1 "system/sepolicy/private/dnsmasq.te" typeattribute dnsmasq coredomain; #line 1 "system/sepolicy/private/domain.te" # Transition to crash_dump when /system/bin/crash_dump* is executed. # This occurs when the process crashes. # We do not apply this to the su domain to avoid interfering with # tests (b/114136122) #line 5 # Allow the necessary permissions. #line 5 #line 5 # Old domain may exec the file and transition to the new domain. #line 5 allow { domain } crash_dump_exec:file { getattr open read execute map }; #line 5 allow { domain } crash_dump:process transition; #line 5 # New domain is entered by executing the file. #line 5 allow crash_dump crash_dump_exec:file { entrypoint open read execute getattr map }; #line 5 # New domain can send SIGCHLD to its caller. #line 5 allow crash_dump { domain }:process sigchld; #line 5 # Enable AT_SECURE, i.e. libc secure mode. #line 5 dontaudit { domain } crash_dump:process noatsecure; #line 5 # XXX dontaudit candidate but requires further study. #line 5 allow { domain } crash_dump:process { siginh rlimitinh }; #line 5 #line 5 # Make the transition occur by default. #line 5 type_transition { domain } crash_dump_exec:process crash_dump; #line 5 ; allow domain crash_dump:process sigchld; # Allow every process to check the heapprofd.enable properties to determine # whether to load the heap profiling library. This does not necessarily enable # heap profiling, as initialization will fail if it does not have the # necessary SELinux permissions. #line 12 allow domain heapprofd_prop:file { getattr open read map }; #line 12 ; # See private/crash_dump.te #line 29 # Allow heap profiling by heapprofd. # Zygotes are excluded due to potential issues with holding open file # descriptors or other state across forks. 
# Other exclusions conflict with # neverallows, and are not considered important to profile.
#line 35 allow heapprofd { #line 35 { #line 35 domain #line 35 -apexd #line 35 -bpfloader #line 35 -crash_dump #line 35 -crosvm # TODO(b/236672526): Remove exception for crosvm #line 35 -init #line 35 -kernel #line 35 -keystore #line 35 -llkd #line 35 -logd #line 35 -ueventd #line 35 -vendor_init #line 35 -vold #line 35 } #line 35 -app_zygote #line 35 -hal_configstore_server #line 35 -logpersist #line 35 -recovery #line 35 -recovery_persist #line 35 -recovery_refresh #line 35 -webview_zygote #line 35 -zygote #line 35 }:fd use; #line 35 # Allow to read and write to heapprofd shmem. #line 35 # The client needs to read the read and write pointers in order to write. #line 35 allow { #line 35 { #line 35 domain #line 35 -apexd #line 35 -bpfloader #line 35 -crash_dump #line 35 -crosvm # TODO(b/236672526): Remove exception for crosvm #line 35 -init #line 35 -kernel #line 35 -keystore #line 35 -llkd #line 35 -logd #line 35 -ueventd #line 35 -vendor_init #line 35 -vold #line 35 } #line 35 -app_zygote #line 35 -hal_configstore_server #line 35 -logpersist #line 35 -recovery #line 35 -recovery_persist #line 35 -recovery_refresh #line 35 -webview_zygote #line 35 -zygote #line 35 } heapprofd_tmpfs:file { read write getattr map }; #line 35 # Use shared memory received over the unix socket. #line 35 allow { #line 35 { #line 35 domain #line 35 -apexd #line 35 -bpfloader #line 35 -crash_dump #line 35 -crosvm # TODO(b/236672526): Remove exception for crosvm #line 35 -init #line 35 -kernel #line 35 -keystore #line 35 -llkd #line 35 -logd #line 35 -ueventd #line 35 -vendor_init #line 35 -vold #line 35 } #line 35 -app_zygote #line 35 -hal_configstore_server #line 35 -logpersist #line 35 -recovery #line 35 -recovery_persist #line 35 -recovery_refresh #line 35 -webview_zygote #line 35 -zygote #line 35 } heapprofd:fd use; #line 35 #line 35 # To read and write from the received file descriptors. 
#line 35 # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the #line 35 # process they relate to. #line 35 # We need to write to /proc/$PID/page_idle to find idle allocations. #line 35 # The client only opens /proc/self/page_idle with RDWR, everything else #line 35 # with RDONLY. #line 35 # heapprofd cannot open /proc/$PID/mem itself, as it does not have #line 35 # sys_ptrace. #line 35 allow heapprofd { #line 35 { #line 35 domain #line 35 -apexd #line 35 -bpfloader #line 35 -crash_dump #line 35 -crosvm # TODO(b/236672526): Remove exception for crosvm #line 35 -init #line 35 -kernel #line 35 -keystore #line 35 -llkd #line 35 -logd #line 35 -ueventd #line 35 -vendor_init #line 35 -vold #line 35 } #line 35 -app_zygote #line 35 -hal_configstore_server #line 35 -logpersist #line 35 -recovery #line 35 -recovery_persist #line 35 -recovery_refresh #line 35 -webview_zygote #line 35 -zygote #line 35 }:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; #line 35 # Allow searching the /proc/[pid] directory for cmdline. #line 35 allow heapprofd { #line 35 { #line 35 domain #line 35 -apexd #line 35 -bpfloader #line 35 -crash_dump #line 35 -crosvm # TODO(b/236672526): Remove exception for crosvm #line 35 -init #line 35 -kernel #line 35 -keystore #line 35 -llkd #line 35 -logd #line 35 -ueventd #line 35 -vendor_init #line 35 -vold #line 35 } #line 35 -app_zygote #line 35 -hal_configstore_server #line 35 -logpersist #line 35 -recovery #line 35 -recovery_persist #line 35 -recovery_refresh #line 35 -webview_zygote #line 35 -zygote #line 35 }:dir { open getattr read search ioctl lock watch watch_reads }; #line 45 # Allow profiling using perf_event_open by traced_perf. #line 48 # Allow directory & file read to traced_perf, as it stat(2)s /proc/[pid], and #line 48 # reads /proc/[pid]/cmdline. 
#line 48 allow traced_perf { #line 48 { #line 48 domain #line 48 -apexd #line 48 -bpfloader #line 48 -crash_dump #line 48 -crosvm # TODO(b/236672526): Remove exception for crosvm #line 48 -init #line 48 -kernel #line 48 -keystore #line 48 -llkd #line 48 -logd #line 48 -ueventd #line 48 -vendor_init #line 48 -vold #line 48 } #line 48 -app_zygote #line 48 -hal_configstore_server #line 48 -webview_zygote #line 48 -zygote #line 48 }:file { getattr open read ioctl lock map watch watch_reads }; #line 48 allow traced_perf { #line 48 { #line 48 domain #line 48 -apexd #line 48 -bpfloader #line 48 -crash_dump #line 48 -crosvm # TODO(b/236672526): Remove exception for crosvm #line 48 -init #line 48 -kernel #line 48 -keystore #line 48 -llkd #line 48 -logd #line 48 -ueventd #line 48 -vendor_init #line 48 -vold #line 48 } #line 48 -app_zygote #line 48 -hal_configstore_server #line 48 -webview_zygote #line 48 -zygote #line 48 }:dir { open getattr read search ioctl lock watch watch_reads }; #line 48 #line 48 # Allow central daemon to send signal to request /proc/[pid]/maps and #line 48 # /proc/[pid]/mem fds from this process. #line 48 allow traced_perf { #line 48 { #line 48 domain #line 48 -apexd #line 48 -bpfloader #line 48 -crash_dump #line 48 -crosvm # TODO(b/236672526): Remove exception for crosvm #line 48 -init #line 48 -kernel #line 48 -keystore #line 48 -llkd #line 48 -logd #line 48 -ueventd #line 48 -vendor_init #line 48 -vold #line 48 } #line 48 -app_zygote #line 48 -hal_configstore_server #line 48 -webview_zygote #line 48 -zygote #line 48 }:process signal; #line 48 #line 48 # Allow connecting to the daemon. 
#line 48 #line 48 allow { #line 48 { #line 48 domain #line 48 -apexd #line 48 -bpfloader #line 48 -crash_dump #line 48 -crosvm # TODO(b/236672526): Remove exception for crosvm #line 48 -init #line 48 -kernel #line 48 -keystore #line 48 -llkd #line 48 -logd #line 48 -ueventd #line 48 -vendor_init #line 48 -vold #line 48 } #line 48 -app_zygote #line 48 -hal_configstore_server #line 48 -webview_zygote #line 48 -zygote #line 48 } traced_perf_socket:sock_file write; #line 48 allow { #line 48 { #line 48 domain #line 48 -apexd #line 48 -bpfloader #line 48 -crash_dump #line 48 -crosvm # TODO(b/236672526): Remove exception for crosvm #line 48 -init #line 48 -kernel #line 48 -keystore #line 48 -llkd #line 48 -logd #line 48 -ueventd #line 48 -vendor_init #line 48 -vold #line 48 } #line 48 -app_zygote #line 48 -hal_configstore_server #line 48 -webview_zygote #line 48 -zygote #line 48 } traced_perf:unix_stream_socket connectto; #line 48 #line 48 # Allow daemon to use the passed fds. #line 48 allow traced_perf { #line 48 { #line 48 domain #line 48 -apexd #line 48 -bpfloader #line 48 -crash_dump #line 48 -crosvm # TODO(b/236672526): Remove exception for crosvm #line 48 -init #line 48 -kernel #line 48 -keystore #line 48 -llkd #line 48 -logd #line 48 -ueventd #line 48 -vendor_init #line 48 -vold #line 48 } #line 48 -app_zygote #line 48 -hal_configstore_server #line 48 -webview_zygote #line 48 -zygote #line 48 }:fd use; #line 54 # Everyone can access the IncFS list of features. #line 57 allow domain sysfs_fs_incfs_features:dir { open getattr read search ioctl lock watch watch_reads }; #line 57 allow domain sysfs_fs_incfs_features:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 57 ; # Everyone can access the fuse list of features. 
#line 60 allow domain sysfs_fs_fuse_features:dir { open getattr read search ioctl lock watch watch_reads }; #line 60 allow domain sysfs_fs_fuse_features:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 60 ; # Path resolution access in cgroups. allow domain cgroup:dir search; allow { domain -appdomain -rs } cgroup:dir { open search write add_name remove_name lock }; allow { domain -appdomain -rs } cgroup:file { open append write lock map }; allow domain cgroup_v2:dir search; allow { domain -appdomain -rs } cgroup_v2:dir { open search write add_name remove_name lock }; allow { domain -appdomain -rs } cgroup_v2:file { open append write lock map }; allow domain cgroup_rc_file:dir search; allow domain cgroup_rc_file:file { getattr open read ioctl lock map watch watch_reads }; allow domain task_profiles_file:file { getattr open read ioctl lock map watch watch_reads }; allow domain task_profiles_api_file:file { getattr open read ioctl lock map watch watch_reads }; allow domain vendor_task_profiles_file:file { getattr open read ioctl lock map watch watch_reads }; # Allow all domains to read sys.use_memfd to determine # if memfd support can be used if device supports it #line 79 allow domain use_memfd_prop:file { getattr open read map }; #line 79 ; # Read access to sdkextensions props #line 82 allow domain module_sdkextensions_prop:file { getattr open read map }; #line 82 # Read access to bq configuration values #line 85 allow domain bq_config_prop:file { getattr open read map }; #line 85 ; # Allow all domains to check whether MTE is set to permissive mode. 
# World-readable system properties. Each rule grants only getattr/open/read/map
# on the property file; setting properties is a separate property_service permission.
#line 88
allow domain permissive_mte_prop:file { getattr open read map };
#line 88
;
# Allow ART to be configurable via device_config properties
# (ART "runs" inside the app process), and MTE bootloader override to be
# observed by everything
#line 93
allow domain device_config_memory_safety_native_boot_prop:file { getattr open read map };
#line 93
;
#line 94
allow domain device_config_memory_safety_native_prop:file { getattr open read map };
#line 94
;
#line 95
allow domain device_config_runtime_native_boot_prop:file { getattr open read map };
#line 95
;
#line 96
allow domain device_config_runtime_native_prop:file { getattr open read map };
#line 96
;
# For now, everyone can access core property files
# Device specific properties are not granted by default
#line 100
# DO NOT ADD ANY PROPERTIES HERE
#line 100
#line 100
allow domain core_property_type:file { getattr open read map };
#line 100
#line 100
#line 100
allow domain exported3_system_prop:file { getattr open read map };
#line 100
#line 100
#line 100
allow domain vendor_default_prop:file { getattr open read map };
#line 100
#line 105
# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 106
#line 106
# DO NOT ADD ANY PROPERTIES HERE
#line 106
#line 106
allow {coredomain appdomain shell} core_property_type:file { getattr open read map };
#line 106
#line 106
#line 106
allow {coredomain appdomain shell} exported3_system_prop:file { getattr open read map };
#line 106
#line 106
#line 106
allow {coredomain appdomain shell} exported_camera_prop:file { getattr open read map };
#line 106
#line 106
#line 106
allow {coredomain shell} userspace_reboot_exported_prop:file { getattr open read map };
#line 106
#line 106
#line 106
allow {coredomain shell} userspace_reboot_log_prop:file { getattr open read map };
#line 106
#line 106
#line 106
allow {coredomain shell} userspace_reboot_test_prop:file { getattr open read map };
#line 106
#line 106
#line 106
allow {domain -coredomain -appdomain} vendor_default_prop:file { getattr open read map };
#line 106
#line 106
#line 106
# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 115
# Public readable properties
#line 118
allow domain aaudio_config_prop:file { getattr open read map };
#line 118
#line 119
allow domain apexd_select_prop:file { getattr open read map };
#line 119
#line 120
allow domain arm64_memtag_prop:file { getattr open read map };
#line 120
#line 121
allow domain bluetooth_config_prop:file { getattr open read map };
#line 121
#line 122
allow domain bootloader_prop:file { getattr open read map };
#line 122
#line 123
allow domain build_odm_prop:file { getattr open read map };
#line 123
#line 124
allow domain build_prop:file { getattr open read map };
#line 124
#line 125
allow domain build_vendor_prop:file { getattr open read map };
#line 125
#line 126
allow domain debug_prop:file { getattr open read map };
#line 126
#line 127
allow domain exported_config_prop:file { getattr open read map };
#line 127
#line 128
allow domain exported_default_prop:file { getattr open read map };
#line 128
#line 129
allow domain exported_dumpstate_prop:file { getattr open read map };
#line 129
#line 130
allow domain exported_secure_prop:file { getattr open read map };
#line 130
#line 131
allow domain exported_system_prop:file { getattr open read map };
#line 131
#line 132
allow domain fingerprint_prop:file { getattr open read map };
#line 132
#line 133
allow domain framework_status_prop:file { getattr open read map };
#line 133
#line 134
allow domain gwp_asan_prop:file { getattr open read map };
#line 134
#line 135
allow domain hal_instrumentation_prop:file { getattr open read map };
#line 135
#line 136
allow domain hw_timeout_multiplier_prop:file { getattr open read map };
#line 136
#line 137
allow domain init_service_status_prop:file { getattr open read map };
#line 137
#line 138
allow domain libc_debug_prop:file { getattr open read map };
#line 138
#line 139
allow domain locale_prop:file { getattr open read map };
#line 139
#line 140
allow domain logd_prop:file { getattr open read map };
#line 140
#line 141
allow domain mediadrm_config_prop:file { getattr open read map };
#line 141
#line 142
allow domain property_service_version_prop:file { getattr open read map };
#line 142
#line 143
allow domain soc_prop:file { getattr open read map };
#line 143
#line 144
allow domain socket_hook_prop:file { getattr open read map };
#line 144
#line 145
allow domain surfaceflinger_prop:file { getattr open read map };
#line 145
#line 146
allow domain telephony_status_prop:file { getattr open read map };
#line 146
#line 147
allow domain timezone_prop:file { getattr open read map };
#line 147
#line 148
# Build-type debug properties are kept away from untrusted, isolated and ephemeral apps.
allow {domain -untrusted_app_all -isolated_app_all -ephemeral_app } userdebug_or_eng_prop:file { getattr open read map };
#line 148
#line 149
allow domain vendor_socket_hook_prop:file { getattr open read map };
#line 149
#line 150
allow domain vndk_prop:file { getattr open read map };
#line 150
#line 151
allow domain vold_status_prop:file { getattr open read map };
#line 151
#line 152
allow domain vts_config_prop:file { getattr open read map };
#line 152
# Binder cache properties are world-readable
#line 155
allow domain binder_cache_bluetooth_server_prop:file { getattr open read map };
#line 155
#line 156
allow domain binder_cache_system_server_prop:file { getattr open read map };
#line 156
#line 157
allow domain binder_cache_telephony_server_prop:file { getattr open read map };
#line 157
# Allow access to fsverity keyring.
# `search` only: domains can look keys up, not add or modify them.
allow domain kernel:key search;
# Allow access to keys in the fsverity keyring that were installed at boot.
allow domain fsverity_init:key search;
# For testing purposes, allow access to keys installed with su.
# NOTE(review): no rule follows the "keys installed with su" comment above in
# this expansion; presumably a debug-build-only rule that expanded to nothing here.
#line 166
# Allow access to linkerconfig file
allow domain linkerconfig_file:dir search;
allow domain linkerconfig_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow all processes to check for the existence of the boringssl_self_test_marker files.
allow domain boringssl_self_test_marker:dir search;
# Allow all processes to read the file_logger property that liblog uses to check if file_logger
# should be used.
#line 177
allow domain log_file_logger_prop:file { getattr open read map };
#line 177
# Allow all processes to connect to PRNG seeder daemon.
#line 180
allow domain prng_seeder_socket:sock_file write;
#line 180
allow domain prng_seeder:unix_stream_socket connectto;
#line 180
# Allow calls to system(3), popen(3), ...
# Grants read + execute (no transition) on shell_exec/toolbox_exec to every
# domain except the ones subtracted below, which must not spawn shells.
allow {
  domain
  # Except domains that explicitly neverallow it.
  -kernel
  -init
  -vendor_init
  -app_zygote
  -webview_zygote
  -system_server
  -artd
  -audioserver
  -cameraserver
  -mediadrmserver
  -mediaextractor
  -mediametrics
  -mediaserver
  -mediatuner
  -mediatranscoding
  -ueventd
  -hal_audio_server
  -hal_camera_server
  -hal_cas_server
  -hal_codec2_server
  -hal_configstore_server
  -hal_drm_server
  -hal_omx_server
} {shell_exec toolbox_exec}:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
# this partition for testing purposes.
# NOTE(review): nothing precedes "# exclude debuggable builds" in this expansion,
# so the rule is asserted as written here; presumably the debug-build escape
# expanded to nothing on this build — verify against the build variant.
neverallow {
  domain
  # exclude debuggable builds
  -fastbootd
  -hal_bootctl_server
  -init
  -uncrypt
  -update_engine
  -vendor_init
  -vendor_misc_writer
  -vold
  -recovery
  -ueventd
  -mtectrl
  -misctrl
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these allowlisted domains.
# CAP_SYS_PTRACE (cross-UID ptrace / sensitive /proc/pid reads) is confined to
# the four subtracted domains; cap_userns is covered so user namespaces give no bypass.
neverallow {
  domain
  -vold
  -dumpstate
  -storaged
  -system_server
} self:{ capability cap_userns } sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
neverallow { domain -system_server } *:keystore2_key use_dev_id;
# Namespace-wide keystore operations (clear, lock, reset, unlock) are system_server only.
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
neverallow { domain -init -vendor_init } debugfs_tracing_debug:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# System_server owns dropbox data, and init creates/restorecons the directory
# Disallow direct access by other processes.
# `~{ getattr read }` denies every file permission except those two.
neverallow { domain -init -system_server } dropbox_data_file:dir *;
neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
###
# Services should respect app sandboxes
neverallow {
  domain
  -appdomain
  -artd # compile secondary dex files
  -installd # creation of sandbox
} { privapp_data_file app_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create unlink };
# Only the following processes should be directly accessing private app
# directories.
neverallow {
  domain
  -adbd
  -appdomain
  -app_zygote
  -artd # compile secondary dex files
  -dexoptanalyzer
  -installd
  -profman
  -rs # spawned by appdomain, so carryover the exception above
  -runas
  -system_server
  -viewcompiler
  -zygote
} { privapp_data_file app_data_file }:dir *;
# Only apps should be modifying app data. installd is exempted for
# restorecon and package install/uninstall.
# App-private data: non-app domains may only read/search app data directories
# (the `~{ ... }` set denies everything else), may not open app-owned files, and
# may not create/unlink/relabel entries in them.
neverallow {
  domain
  -appdomain
  -artd # compile secondary dex files
  -installd
  -rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:dir ~{ open getattr read search ioctl lock watch watch_reads };
neverallow {
  domain
  -appdomain
  -app_zygote
  -artd # compile secondary dex files
  -installd
  -rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } open;
# NOTE(review): this create/unlink rule repeats the "Services should respect app
# sandboxes" rule stated just before it; redundant but harmless for a neverallow.
neverallow {
  domain
  -appdomain
  -artd # compile secondary dex files
  -installd # creation of sandbox
} { privapp_data_file app_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create unlink };
neverallow {
  domain
  -artd # compile secondary dex files
  -installd
} { privapp_data_file app_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { relabelfrom relabelto };
# The staging directory contains APEX and APK files. It is important to ensure
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
neverallow { domain -init -system_server -apexd -installd -priv_app -virtualizationmanager } staging_data_file:dir *;
neverallow { domain -init -system_app -system_server -apexd -adbd -kernel -installd -priv_app -shell -virtualizationmanager -crosvm } staging_data_file:file *;
# Directory mutation of the staging area is narrower still: init, system_server, installd.
neverallow { domain -init -system_server -installd} staging_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
# Staged files may not be modified or executed by anything but init and system_server.
neverallow { domain -init -system_server } staging_data_file:file { append create relabelfrom rename setattr write { execute execute_no_trans } };
neverallow {
  domain
  -appdomain # for oemfs
  -bootanim # for oemfs
  -recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;
#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few allowlisted domains.
# Executable files loaded from /data are a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
#
neverallow {
  domain
  -appdomain
  -shell
  -system_server_startup # for memfd backed executable regions
  -app_zygote
  -webview_zygote
  -zygote
} {
  file_type
  -system_file_type
  -system_lib_file
  -system_linker_exec
  -vendor_file_type
  -exec_type
  -postinstall_file
}:file execute;
# Only init is allowed to write cgroup.rc file
neverallow { domain -init -vendor_init } cgroup_rc_file:file { append create link unlink relabelfrom rename setattr write };
# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
  domain
  -init # TODO: limit init to relabelfrom for files
  -zygote
  -installd
  -postinstall_dexopt
  -cppreopts
  -dex2oat
  -otapreopt_slot
  -artd
} dalvikcache_data_file:file { append create link unlink relabelfrom rename setattr write };
neverallow {
  domain
  -init
  -installd
  -postinstall_dexopt
  -cppreopts
  -dex2oat
  -zygote
  -otapreopt_slot
  -artd
} dalvikcache_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
# Writes to the ART APEX data directory are limited to the ART toolchain and
# the few system daemons listed; everything else may only read.
neverallow {
  domain
  # art-related processes
  -composd
  -compos_fd_server
  -odrefresh
  -odsign
  # others
  -apexd
  -init
  -vold_prepare_subdirs
} apex_art_data_file:file { append create link unlink relabelfrom rename setattr write };
neverallow {
  domain
  # art-related processes
  -composd
  -compos_fd_server
  -odrefresh
  -odsign
  # others
  -apexd
  -init
  -vold_prepare_subdirs
} apex_art_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
# Protect most domains from executing arbitrary content from /data.
neverallow {
  domain
  -appdomain
} {
  data_file_type
  -apex_art_data_file
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file { execute execute_no_trans };
# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
# `neverallow ~{ ... }` is the complement form: every domain NOT in the set is denied.
#line 498
neverallow ~{
#line 499
apexd
#line 499
artd
#line 499
dnsmasq
#line 499
dumpstate
#line 499
init
#line 499
installd
#line 499
#line 499
lmkd
#line 499
migrate_legacy_obb_data
#line 499
netd
#line 499
postinstall_dexopt
#line 499
recovery
#line 499
rss_hwm_reset
#line 499
sdcardd
#line 499
tee
#line 499
ueventd
#line 499
uncrypt
#line 499
vendor_init
#line 499
vold
#line 499
vold_prepare_subdirs
#line 499
zygote
#line 499
} self:{ capability cap_userns } dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
# have dac_override should also have dac_read_search to eliminate spurious
# denials. Some domains have dac_read_search without having dac_override, so
# this list should be a superset of the one above.
# Same allowlist as dac_override, plus traced_perf, traced_probes and heapprofd.
neverallow ~{ {
#line 505
apexd
#line 505
artd
#line 505
dnsmasq
#line 505
dumpstate
#line 505
init
#line 505
installd
#line 505
#line 505
lmkd
#line 505
migrate_legacy_obb_data
#line 505
netd
#line 505
postinstall_dexopt
#line 505
recovery
#line 505
rss_hwm_reset
#line 505
sdcardd
#line 505
tee
#line 505
ueventd
#line 505
uncrypt
#line 505
vendor_init
#line 505
vold
#line 505
vold_prepare_subdirs
#line 505
zygote
#line 505
} traced_perf traced_probes heapprofd } self:{ capability cap_userns } dac_read_search;
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type (including vfat and exfat) and fusefs_type are exempt as a larger
# set of domains need this capability, including device-specific domains.
neverallow {
  domain
  -apexd
  -init
  -kernel
  -otapreopt_chroot
  -recovery
  -update_engine
  -vold
  -zygote
} { fs_type -sdcard_type -fusefs_type }:filesystem { mount remount relabelfrom relabelto };
# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 530
#line 530
# No domain at all may mount or relabel debugfs filesystems (tracing debugfs excepted).
neverallow {
#line 530
domain
#line 530
} { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
#line 530
#line 530
# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 534
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
  domain
  -kernel
  -gsid
  -init
  -recovery
  -ueventd
  -uncrypt
  -tee
  -hal_bootctl_server
  -fastbootd
} self:{ capability cap_userns } sys_rawio;
# Limit directory operations that don't need to do app data isolation.
neverallow {
  domain
  -fsck
  -init
  -installd
  -zygote
} mirror_data_file:dir *;
# This property is being removed. Remove remaining access.
# net_dns_prop: only init/system_server/vendor_init may set it; dumpstate may additionally read it.
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
# Only core domains are allowed to access package_manager properties
neverallow { domain -init -system_server } pm_prop:property_service set;
neverallow { domain -coredomain } pm_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Do not allow reading the last boot timestamp from system properties
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file { getattr open read ioctl lock map watch watch_reads };
# Allow ART to set its config properties in its oneshot boot service, in
# addition to the common init and vendor_init access.
neverallow { domain -art_boot -init -vendor_init } dalvik_config_prop:property_service set;
# Kprobes should only be used by adb root
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
# On TREBLE devices, most coredomains should not access vendor_files.
# TODO(b/71553434): Remove exceptions here.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 580
#line 580
# Core domains may not write, execute or even open vendor_file, apart from the
# subtracted exceptions.
neverallow {
#line 580
coredomain
#line 580
-appdomain
#line 580
-bootanim
#line 580
-crash_dump
#line 580
-heapprofd
#line 580
#line 580
-init
#line 580
-kernel
#line 580
#line 580
-traced_perf
#line 580
-ueventd
#line 580
} vendor_file:file { { append create link unlink relabelfrom rename setattr write } { execute execute_no_trans } open };
#line 580
#line 580
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 594
# Vendor domains are not permitted to initiate communications to core domain sockets
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 597
#line 597
#line 597
# Two rules with the same source/target sets: one covers connect/sendto on every
# socket class, the second covers unix_stream_socket connectto.
neverallow {
#line 597
domain
#line 597
-coredomain
#line 597
-appdomain
#line 597
-socket_between_core_and_vendor_violators
#line 597
} {
#line 597
coredomain
#line 597
-logd # Logging by writing to logd Unix domain socket is public API
#line 597
-netd # netdomain needs this
#line 597
-mdnsd # netdomain needs this
#line 597
-prng_seeder # Any process using libcrypto needs this
#line 597
# communications with su are permitted only on userdebug or eng builds
#line 597
-init
#line 597
-tombstoned # linker to tombstoned
#line 597
-heapprofd
#line 597
-traced
#line 597
-traced_perf
#line 597
}:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } { connect sendto };
#line 597
neverallow {
#line 597
domain
#line 597
-coredomain
#line 597
-appdomain
#line 597
-socket_between_core_and_vendor_violators
#line 597
} {
#line 597
coredomain
#line 597
-logd # Logging by writing to logd Unix domain socket is public API
#line 597
-netd # netdomain needs this
#line 597
-mdnsd # netdomain needs this
#line 597
-prng_seeder # Any process using libcrypto needs this
#line 597
# communications with su are permitted only on userdebug or eng builds
#line 597
-init
#line 597
-tombstoned # linker to tombstoned
#line 597
-heapprofd
#line 597
-traced
#line 597
-traced_perf
#line 597
}:unix_stream_socket connectto;
#line 597
;
#line 597
#line 597
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 616
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 618
#line 618
# Do not allow system components access to /vendor files except for the
#line 618
# ones allowed here.
#line 618
# `:file *` denies every file permission on vendor_file_type to coredomain,
# except for the subtracted domains and the subtracted vendor file types.
neverallow {
#line 618
coredomain
#line 618
# TODO(b/37168747): clean up fwk access to /vendor
#line 618
-crash_dump
#line 618
-crosvm # loads vendor-specific disk images
#line 618
-init # starts vendor executables
#line 618
-kernel # loads /vendor/firmware
#line 618
-heapprofd
#line 618
#line 618
-shell
#line 618
#line 618
-system_executes_vendor_violators
#line 618
-traced_perf # library/binary access for symbolization
#line 618
-ueventd # reads /vendor/ueventd.rc
#line 618
-vold # loads incremental fs driver
#line 618
} {
#line 618
vendor_file_type
#line 618
-same_process_hal_file
#line 618
-vendor_app_file
#line 618
-vendor_apex_file
#line 618
-vendor_apex_metadata_file
#line 618
-vendor_configs_file
#line 618
-vendor_microdroid_file
#line 618
-vendor_service_contexts_file
#line 618
-vendor_framework_file
#line 618
-vendor_idc_file
#line 618
-vendor_keychars_file
#line 618
-vendor_keylayout_file
#line 618
-vendor_overlay_file
#line 618
-vendor_public_framework_file
#line 618
-vendor_public_lib_file
#line 618
-vendor_task_profiles_file
#line 618
-vendor_uuid_mapping_config_file
#line 618
-vndk_sp_file
#line 618
-vendor_aconfig_storage_file
#line 618
}:file *;
#line 618
#line 618
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 657
# mlsvendorcompat is only for compatibility support for older vendor
# images, and should not be granted to any domain in current policy.
# (Every domain is allowed self:fork, so this will trigger if the
# intersection of domain & mlsvendorcompat is not empty.)
neverallow domain mlsvendorcompat:process fork;
# Only init and otapreopt_chroot should be mounting filesystems on locations
# labeled system or vendor (/product and /vendor respectively).
neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } mounton;
# Only allow init and vendor_init to read/write mm_events properties
# NOTE: dumpstate is allowed to read any system property
neverallow { domain -init -vendor_init -dumpstate } mm_events_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
# kernel traces. Addresses are not disclosed, they are replaced with symbol
# names (if available). Traces don't disclose KASLR.
neverallow { domain -init -vendor_init -traced_probes -traced_perf } proc_kallsyms:file { open read };
# debugfs_kcov type is not included in this neverallow statement since the KCOV
# tool uses it for kernel fuzzing.
# vendor_modprobe is also exempted since the kernel modules it loads may create
# debugfs files in its context.
# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 695
#line 695
neverallow {
#line 695
domain
#line 695
-vendor_modprobe
#line 695
#line 695
} { debugfs_type
#line 695
#line 695
-tracefs_type
#line 695
}:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 695
#line 695
# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 708
# Restrict write access to etm sysfs interface.
neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file { append create link unlink relabelfrom rename setattr write };
# Restrict CAP_PERFMON.
neverallow { domain -init -vendor_modprobe -kernel -uprobestats } self:capability2 perfmon;
# Restrict direct access to shell owned files. The /data/local/tmp directory is
# untrustworthy, and non-allowed domains should not be trusting any content in
# those directories. We allow shell files to be passed around by file
# descriptor, but not directly opened.
# artd doesn't need to access /data/local/tmp, but it needs to access
# /data/{user,user_de}//com.android.shell/... for compiling secondary
# dex files.
neverallow {
  domain
  -adbd
  -appdomain
  -artd
  -dumpstate
  -installd
} shell_data_file:file open;
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
# directory is untrustworthy, and non-allowed domains should
# not be trusting any content in those directories.
# artd doesn't need to access /data/local/tmp, but it needs to access
# /data/{user,user_de}//com.android.shell/... for compiling secondary
# dex files.
neverallow {
  domain
  -adbd
  -artd
  -dumpstate
  -installd
  -init
  -shell
  -vold
} shell_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
neverallow {
  domain
  -adbd
  -appdomain
  -artd
  -dumpstate
  -init
  -installd
  -simpleperf_app_runner
  -system_server # why?
} shell_data_file:dir open;
neverallow {
  domain
  -adbd
  -appdomain
  -artd
  -dumpstate
  -init
  -installd
  -simpleperf_app_runner
  -system_server # why?
} shell_data_file:dir search;
# respect system_app sandboxes
neverallow {
  domain
  -appdomain
  -artd # compile secondary dex files
  -system_server #populate com.android.providers.settings/databases/settings.db.
  -installd # creation of app sandbox
  -traced_probes # resolve inodes for i/o tracing.
                 # only needs open and read, the rest is neverallow in
                 # traced_probes.te.
} system_app_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create unlink open };
# The app-side restriction is stated positively for the untrusted app families,
# since appdomain itself is exempted above.
neverallow { isolated_app_all ephemeral_app priv_app sdk_sandbox_all untrusted_app_all } system_app_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create unlink open };
neverallow { domain -init } mtectrl:process { dyntransition transition };
# For now, don't allow processes other than gmscore to access /data/misc_ce//checkin
neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
# Do not allow write access to aconfig flag value files except init and aconfigd
neverallow { domain -init -aconfigd } aconfig_storage_metadata_file:dir *;
neverallow { domain -init -aconfigd } aconfig_storage_metadata_file:file { append create link unlink relabelfrom rename setattr write };
#line 1 "system/sepolicy/private/drmserver.te"
typeattribute drmserver coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init drmserver_exec:file { getattr open read execute map };
#line 3
allow init drmserver:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow drmserver drmserver_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
# NOTE(review): no sigchld rule follows this comment in the expansion; the
# permission is presumably granted elsewhere — verify before relying on it.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init drmserver:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init drmserver:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init drmserver_exec:process drmserver;
#line 3
#line 3
# Sockets drmserver creates under apk_data_file get the drmserver_socket label.
type_transition drmserver apk_data_file:sock_file drmserver_socket;
typeattribute drmserver_socket coredomain_socket;
#line 9
allow drmserver drm_service_config_prop:file { getattr open read map };
#line 9
#line 1 "system/sepolicy/private/dumpstate.te"
typeattribute dumpstate coredomain;
type dumpstate_tmpfs, file_type;
#line 4
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init dumpstate_exec:file { getattr open read execute map };
#line 4
allow init dumpstate:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow dumpstate dumpstate_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init dumpstate:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init dumpstate:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition init dumpstate_exec:process dumpstate;
#line 4
#line 4
# Execute and transition to the vdc domain
#line 7
# Allow the necessary permissions.
#line 7
#line 7
# Old domain may exec the file and transition to the new domain.
#line 7
allow dumpstate vdc_exec:file { getattr open read execute map };
#line 7
allow dumpstate vdc:process transition;
#line 7
# New domain is entered by executing the file.
#line 7
allow vdc vdc_exec:file { entrypoint open read execute getattr map };
#line 7
# New domain can send SIGCHLD to its caller.
#line 7
allow vdc dumpstate:process sigchld;
#line 7
# Enable AT_SECURE, i.e. libc secure mode.
#line 7
dontaudit dumpstate vdc:process noatsecure;
#line 7
# XXX dontaudit candidate but requires further study.
#line 7
allow dumpstate vdc:process { siginh rlimitinh };
#line 7
#line 7
# Make the transition occur by default.
#line 7
type_transition dumpstate vdc_exec:process vdc;
#line 7
# Create tmpfs files for using memfd descriptors to get output from child
# processes.
#line 11
type_transition dumpstate tmpfs:file dumpstate_tmpfs;
#line 11
allow dumpstate dumpstate_tmpfs:file { read write getattr map };
#line 11
# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
allow dumpstate system_file:file lock;
allow dumpstate storaged_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# NOTE(review): no rules follow the three comments below in this expansion;
# presumably the guarded rules for those directories expanded to nothing on this build.
# /data/misc/a11ytrace for accessibility traces
#line 22
# /data/misc/wmtrace for wm traces
#line 28
# /data/system/dropbox for dropbox entries
#line 34
# Allow dumpstate to make binder calls to incidentd
#line 37
# Call the server domain and optionally transfer references to it.
#line 37
allow dumpstate incidentd:binder { call transfer };
#line 37
# Allow the serverdomain to transfer references to the client on the reply.
#line 37
allow incidentd dumpstate:binder transfer;
#line 37
# Receive and use open files from the server.
#line 37
allow dumpstate incidentd:fd use;
#line 37
# Kill incident in case of a timeout
allow dumpstate incident:process { signal sigkill };
# Allow dumpstate to make binder calls to storaged service
#line 43
# Call the server domain and optionally transfer references to it.
#line 43
allow dumpstate storaged:binder { call transfer };
#line 43
# Allow the serverdomain to transfer references to the client on the reply.
#line 43
allow storaged dumpstate:binder transfer;
#line 43
# Receive and use open files from the server.
#line 43
allow dumpstate storaged:fd use;
#line 43
# Allow dumpstate to make binder calls to statsd
#line 46
# Call the server domain and optionally transfer references to it.
#line 46
allow dumpstate statsd:binder { call transfer };
#line 46
# Allow the serverdomain to transfer references to the client on the reply.
#line 46
allow statsd dumpstate:binder transfer;
#line 46
# Receive and use open files from the server.
#line 46
allow dumpstate statsd:fd use;
#line 46
# Allow dumpstate to talk to gpuservice over binder
#line 49
# Call the server domain and optionally transfer references to it.
#line 49
allow dumpstate gpuservice:binder { call transfer };
#line 49
# Allow the serverdomain to transfer references to the client on the reply.
#line 49
allow gpuservice dumpstate:binder transfer;
#line 49
# Receive and use open files from the server.
#line 49
allow dumpstate gpuservice:fd use;
#line 49
;
# Allow dumpstate to talk to idmap over binder
#line 52
# Call the server domain and optionally transfer references to it.
#line 52
allow dumpstate idmap:binder { call transfer };
#line 52
# Allow the serverdomain to transfer references to the client on the reply.
#line 52
allow idmap dumpstate:binder transfer;
#line 52
# Receive and use open files from the server.
#line 52
allow dumpstate idmap:fd use;
#line 52
;
# Allow dumpstate to talk to profcollectd over binder
# NOTE(review): no binder rules follow this comment in the expansion; presumably
# the profcollectd rules are build-guarded and expanded to nothing here.
#line 57
# Allow dumpstate to talk to automotive_display_service over binder
#line 60
# Call the server domain and optionally transfer references to it.
#line 60
allow dumpstate automotive_display_service:binder { call transfer };
#line 60
# Allow the serverdomain to transfer references to the client on the reply.
#line 60
allow automotive_display_service dumpstate:binder transfer;
#line 60
# Receive and use open files from the server.
#line 60
allow dumpstate automotive_display_service:fd use;
#line 60
# Allow dumpstate to talk to virtual_camera service over binder
#line 63
# Call the server domain and optionally transfer references to it.
#line 63 allow dumpstate virtual_camera:binder { call transfer }; #line 63 # Allow the serverdomain to transfer references to the client on the reply. #line 63 allow virtual_camera dumpstate:binder transfer; #line 63 # Receive and use open files from the server. #line 63 allow dumpstate virtual_camera:fd use; #line 63 # Allow dumpstate to talk to ot_daemon service over binder #line 66 # Call the server domain and optionally transfer references to it. #line 66 allow dumpstate ot_daemon:binder { call transfer }; #line 66 # Allow the serverdomain to transfer references to the client on the reply. #line 66 allow ot_daemon dumpstate:binder transfer; #line 66 # Receive and use open files from the server. #line 66 allow dumpstate ot_daemon:fd use; #line 66 # Collect metrics on boot time created by init #line 69 allow dumpstate boottime_prop:file { getattr open read map }; #line 69 #line 71 allow dumpstate misctrl_prop:file { getattr open read map }; #line 71 # Signal native processes to dump their stack. allow dumpstate { mediatranscoding statsd netd virtual_camera ot_daemon }:process signal; # Only allow dumpstate to dump Keystore on debuggable builds. #line 85 dontaudit dumpstate keystore:process { signal }; # For collecting bugreports. #line 89 allow dumpstate debugfs_wakeup_sources:file { getattr open read ioctl lock map watch watch_reads }; #line 91 allow dumpstate dev_type:blk_file getattr; allow dumpstate webview_zygote:process signal; allow dumpstate sysfs_dmabuf_stats:file { getattr open read ioctl lock map watch watch_reads }; dontaudit dumpstate update_engine:binder call; # Read files in /proc allow dumpstate { config_gz proc_net_tcp_udp proc_pid_max }:file { getattr open read ioctl lock map watch watch_reads }; # For communicating with the system process to do confirmation ui. #line 106 # Call the server domain and optionally transfer references to it. 
#line 106 allow dumpstate incidentcompanion_service:binder { call transfer }; #line 106 # Allow the serverdomain to transfer references to the client on the reply. #line 106 allow incidentcompanion_service dumpstate:binder transfer; #line 106 # Receive and use open files from the server. #line 106 allow dumpstate incidentcompanion_service:fd use; #line 106 # Set properties. # dumpstate_prop is used to share state with the Shell app. #line 110 #line 110 allow dumpstate property_socket:sock_file write; #line 110 allow dumpstate init:unix_stream_socket connectto; #line 110 #line 110 allow dumpstate dumpstate_prop:property_service set; #line 110 #line 110 allow dumpstate dumpstate_prop:file { getattr open read map }; #line 110 #line 110 #line 111 #line 111 allow dumpstate property_socket:sock_file write; #line 111 allow dumpstate init:unix_stream_socket connectto; #line 111 #line 111 allow dumpstate exported_dumpstate_prop:property_service set; #line 111 #line 111 allow dumpstate exported_dumpstate_prop:file { getattr open read map }; #line 111 #line 111 # dumpstate_options_prop is used to pass extra command-line args. #line 114 #line 114 allow dumpstate property_socket:sock_file write; #line 114 allow dumpstate init:unix_stream_socket connectto; #line 114 #line 114 allow dumpstate dumpstate_options_prop:property_service set; #line 114 #line 114 allow dumpstate dumpstate_options_prop:file { getattr open read map }; #line 114 #line 114 # Allow dumpstate to kill vendor dumpstate service by init #line 117 #line 117 allow dumpstate property_socket:sock_file write; #line 117 allow dumpstate init:unix_stream_socket connectto; #line 117 #line 117 allow dumpstate ctl_dumpstate_prop:property_service set; #line 117 #line 117 allow dumpstate ctl_dumpstate_prop:file { getattr open read map }; #line 117 #line 117 # For dumping dynamic partition information. 
#line 120 #line 120 allow dumpstate property_socket:sock_file write; #line 120 allow dumpstate init:unix_stream_socket connectto; #line 120 #line 120 allow dumpstate lpdumpd_prop:property_service set; #line 120 #line 120 allow dumpstate lpdumpd_prop:file { getattr open read map }; #line 120 #line 120 #line 121 # Call the server domain and optionally transfer references to it. #line 121 allow dumpstate lpdumpd:binder { call transfer }; #line 121 # Allow the serverdomain to transfer references to the client on the reply. #line 121 allow lpdumpd dumpstate:binder transfer; #line 121 # Receive and use open files from the server. #line 121 allow dumpstate lpdumpd:fd use; #line 121 # For dumping hypervisor information. #line 124 allow dumpstate hypervisor_prop:file { getattr open read map }; #line 124 # For dumping device-mapper and snapshot information. allow dumpstate gsid_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } }; #line 128 #line 128 allow dumpstate property_socket:sock_file write; #line 128 allow dumpstate init:unix_stream_socket connectto; #line 128 #line 128 allow dumpstate ctl_gsid_prop:property_service set; #line 128 #line 128 allow dumpstate ctl_gsid_prop:file { getattr open read map }; #line 128 #line 128 #line 129 # Call the server domain and optionally transfer references to it. #line 129 allow dumpstate gsid:binder { call transfer }; #line 129 # Allow the serverdomain to transfer references to the client on the reply. #line 129 allow gsid dumpstate:binder transfer; #line 129 # Receive and use open files from the server. #line 129 allow dumpstate gsid:fd use; #line 129 #line 131 allow dumpstate ota_metadata_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 131 allow dumpstate ota_metadata_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 131 # For starting (and killing) perfetto --save-for-bugreport. 
If a labelled trace # is being recorded, the command above will serialize it into # /data/misc/perfetto-traces/bugreport/*.pftrace . #line 136 # Allow the necessary permissions. #line 136 #line 136 # Old domain may exec the file and transition to the new domain. #line 136 allow dumpstate perfetto_exec:file { getattr open read execute map }; #line 136 allow dumpstate perfetto:process transition; #line 136 # New domain is entered by executing the file. #line 136 allow perfetto perfetto_exec:file { entrypoint open read execute getattr map }; #line 136 # New domain can send SIGCHLD to its caller. #line 136 allow perfetto dumpstate:process sigchld; #line 136 # Enable AT_SECURE, i.e. libc secure mode. #line 136 dontaudit dumpstate perfetto:process noatsecure; #line 136 # XXX dontaudit candidate but requires further study. #line 136 allow dumpstate perfetto:process { siginh rlimitinh }; #line 136 #line 136 # Make the transition occur by default. #line 136 type_transition dumpstate perfetto_exec:process perfetto; #line 136 allow dumpstate perfetto:process signal; allow dumpstate perfetto_traces_data_file:dir { search }; allow dumpstate perfetto_traces_bugreport_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; allow dumpstate perfetto_traces_bugreport_data_file:file { { getattr open read ioctl lock map watch watch_reads } unlink }; # When exec-ing /system/bin/perfetto, dumpstate redirects stdio to /dev/null # (which is labelled as dumpstate_tmpfs) to avoid leaking a FD to the bugreport # zip file. These rules are to allow perfetto.te to inherit dumpstate's # /dev/null. 
allow perfetto dumpstate_tmpfs:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow perfetto dumpstate:fd use; # system_dlkm_file for /system_dlkm partition allow dumpstate system_dlkm_file:dir getattr; # Allow dumpstate to execute derive_sdk in its own domain #line 153 # Allow the necessary permissions. #line 153 #line 153 # Old domain may exec the file and transition to the new domain. #line 153 allow dumpstate derive_sdk_exec:file { getattr open read execute map }; #line 153 allow dumpstate derive_sdk:process transition; #line 153 # New domain is entered by executing the file. #line 153 allow derive_sdk derive_sdk_exec:file { entrypoint open read execute getattr map }; #line 153 # New domain can send SIGCHLD to its caller. #line 153 allow derive_sdk dumpstate:process sigchld; #line 153 # Enable AT_SECURE, i.e. libc secure mode. #line 153 dontaudit dumpstate derive_sdk:process noatsecure; #line 153 # XXX dontaudit candidate but requires further study. #line 153 allow dumpstate derive_sdk:process { siginh rlimitinh }; #line 153 #line 153 # Make the transition occur by default. #line 153 type_transition dumpstate derive_sdk_exec:process derive_sdk; #line 153 #line 1 "system/sepolicy/private/ephemeral_app.te" ### ### Ephemeral apps. ### ### This file defines the security policy for apps with the ephemeral ### feature. ### ### The ephemeral_app domain is a reduced permissions sandbox allowing ### ephemeral applications to be safely installed and run. Non ephemeral ### applications may also opt-in to ephemeral to take advantage of the ### additional security features. ### ### PackageManager flags an app as ephemeral at install time. typeattribute ephemeral_app coredomain; #line 16 typeattribute ephemeral_app netdomain; #line 16 #line 17 typeattribute ephemeral_app appdomain; #line 17 # Label tmpfs objects for all apps. 
#line 17 type_transition ephemeral_app tmpfs:file appdomain_tmpfs; #line 17 #line 17 # Set up a type_transition to "userfaultfd" named anonymous inode object. #line 17 type ephemeral_app_userfaultfd; #line 17 type_transition ephemeral_app ephemeral_app:anon_inode ephemeral_app_userfaultfd "[userfaultfd]"; #line 17 # Allow domain to create/use userfaultfd anon_inode. #line 17 allow ephemeral_app ephemeral_app_userfaultfd:anon_inode { create ioctl read }; #line 17 # Suppress errors generated during bugreport #line 17 dontaudit su ephemeral_app_userfaultfd:anon_inode *; #line 17 # Other domains may not use userfaultfd anon_inodes created by this domain. #line 17 neverallow { domain -ephemeral_app } ephemeral_app_userfaultfd:anon_inode *; #line 17 #line 17 allow ephemeral_app appdomain_tmpfs:file { execute getattr map read write }; #line 17 neverallow { ephemeral_app -runas_app -shell -simpleperf } { domain -ephemeral_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 17 neverallow { appdomain -runas_app -shell -simpleperf -ephemeral_app } ephemeral_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 17 # The Android security model guarantees the confidentiality and integrity #line 17 # of application data and execution state. Ptrace bypasses those #line 17 # confidentiality guarantees. Disallow ptrace access from system components to #line 17 # apps. crash_dump is excluded, as it needs ptrace access to produce stack #line 17 # traces. runas_app is excluded, as it operates only on debuggable apps. #line 17 # simpleperf is excluded, as it operates only on debuggable or profileable #line 17 # apps. llkd is excluded, as it needs ptrace access to inspect stack traces for #line 17 # live lock conditions. 
#line 17 neverallow { domain -ephemeral_app -crash_dump -runas_app -simpleperf } ephemeral_app:process ptrace; #line 17 # Allow ephemeral apps to read/write files in visible storage if provided fds allow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {read write getattr ioctl lock append}; # Some apps ship with shared libraries and binaries that they write out # to their sandbox directory and then execute. allow ephemeral_app privapp_data_file:file { { getattr open read ioctl lock map watch watch_reads } execute }; allow ephemeral_app app_data_file:file { { getattr open read ioctl lock map watch watch_reads } execute }; # Follow priv-app symlinks. This is used for dynamite functionality. allow ephemeral_app privapp_data_file:lnk_file { getattr open read ioctl lock map watch watch_reads }; # Allow the renderscript compiler to be run. #line 31 # Allow the necessary permissions. #line 31 #line 31 # Old domain may exec the file and transition to the new domain. #line 31 allow ephemeral_app rs_exec:file { getattr open read execute map }; #line 31 allow ephemeral_app rs:process transition; #line 31 # New domain is entered by executing the file. #line 31 allow rs rs_exec:file { entrypoint open read execute getattr map }; #line 31 # New domain can send SIGCHLD to its caller. #line 31 allow rs ephemeral_app:process sigchld; #line 31 # Enable AT_SECURE, i.e. libc secure mode. #line 31 dontaudit ephemeral_app rs:process noatsecure; #line 31 # XXX dontaudit candidate but requires further study. #line 31 allow ephemeral_app rs:process { siginh rlimitinh }; #line 31 #line 31 # Make the transition occur by default. #line 31 type_transition ephemeral_app rs_exec:process rs; #line 31 # Allow loading and deleting shared libraries created by trusted system # components within an application home directory. 
allow ephemeral_app app_exec_data_file:file { { getattr open read ioctl lock map watch watch_reads } execute unlink }; # services allow ephemeral_app audioserver_service:service_manager find; allow ephemeral_app cameraserver_service:service_manager find; allow ephemeral_app mediaserver_service:service_manager find; allow ephemeral_app mediaextractor_service:service_manager find; allow ephemeral_app mediametrics_service:service_manager find; allow ephemeral_app mediadrmserver_service:service_manager find; allow ephemeral_app drmserver_service:service_manager find; allow ephemeral_app radio_service:service_manager find; allow ephemeral_app ephemeral_app_api_service:service_manager find; # allow ephemeral apps to use UDP sockets provided by the system server but not # modify them other than to connect allow ephemeral_app system_server:udp_socket { connect getattr read recvfrom sendto write getopt setopt }; allow ephemeral_app ashmem_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; ### ### neverallow rules ### neverallow ephemeral_app app_data_file_type:file execute_no_trans; # Receive or send uevent messages. neverallow ephemeral_app domain:netlink_kobject_uevent_socket *; # Receive or send generic netlink messages neverallow ephemeral_app domain:netlink_socket *; # Too much leaky information in debugfs. It's a security # best practice to ensure these files aren't readable. 
neverallow ephemeral_app debugfs_type:file read; # execute gpu_device neverallow ephemeral_app gpu_device:chr_file execute; # access files in /sys with the default sysfs label neverallow ephemeral_app sysfs:file *; # Avoid reads from generically labeled /proc files # Create a more specific label if needed neverallow ephemeral_app proc:file { { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads } { execute execute_no_trans } }; # Directly access external storage neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {open create}; neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:dir search; # Avoid reads to proc_net, it contains too much device wide information about # ongoing connections. neverallow ephemeral_app proc_net:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 1 "system/sepolicy/private/evsmanagerd.te" # evsmanager typeattribute evsmanagerd coredomain; typeattribute evsmanagerd evsmanager_service_server; type evsmanagerd_exec, system_file_type, exec_type, file_type; #line 7 #line 7 # Allow the necessary permissions. #line 7 #line 7 # Old domain may exec the file and transition to the new domain. #line 7 allow init evsmanagerd_exec:file { getattr open read execute map }; #line 7 allow init evsmanagerd:process transition; #line 7 # New domain is entered by executing the file. #line 7 allow evsmanagerd evsmanagerd_exec:file { entrypoint open read execute getattr map }; #line 7 # New domain can send SIGCHLD to its caller. #line 7 #line 7 # Enable AT_SECURE, i.e. libc secure mode. #line 7 dontaudit init evsmanagerd:process noatsecure; #line 7 # XXX dontaudit candidate but requires further study. #line 7 allow init evsmanagerd:process { siginh rlimitinh }; #line 7 #line 7 # Make the transition occur by default. 
#line 7 type_transition init evsmanagerd_exec:process evsmanagerd; #line 7 #line 7 ; # Declares as a binder service #line 10 typeattribute evsmanagerd binderservicedomain; #line 10 # Allows to add a service to service_manager #line 13 allow evsmanagerd evsmanagerd_service:service_manager { add find }; #line 13 neverallow { domain -evsmanagerd } evsmanagerd_service:service_manager add; #line 13 #line 13 # On debug builds with root, allow binder services to use binder over TCP. #line 13 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 13 #line 13 # Allows to use the binder IPC #line 16 # Call the servicemanager and transfer references to it. #line 16 allow evsmanagerd servicemanager:binder { call transfer }; #line 16 # Allow servicemanager to send out callbacks #line 16 allow servicemanager evsmanagerd:binder { call transfer }; #line 16 # servicemanager performs getpidcon on clients. #line 16 allow servicemanager evsmanagerd:dir search; #line 16 allow servicemanager evsmanagerd:file { read open }; #line 16 allow servicemanager evsmanagerd:process getattr; #line 16 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 16 # all domains in domain.te. #line 16 # Allows binder IPCs to the various system services #line 19 # Call the server domain and optionally transfer references to it. #line 19 allow evsmanagerd system_server:binder { call transfer }; #line 19 # Allow the serverdomain to transfer references to the client on the reply. #line 19 allow system_server evsmanagerd:binder transfer; #line 19 # Receive and use open files from the server. #line 19 allow evsmanagerd system_server:fd use; #line 19 # Allows to use EVS HAL implementations #line 22 typeattribute evsmanagerd halclientdomain; #line 22 typeattribute evsmanagerd hal_evs_client; #line 22 #line 22 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 22 # non-Treble devices. 
For now, on non-Treble device, always grant clients of a #line 22 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 22 #line 22 typeattribute evsmanagerd hal_evs; #line 22 # Find passthrough HAL implementations #line 22 allow hal_evs system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 22 allow hal_evs vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 22 allow hal_evs vendor_file:file { read open getattr execute map }; #line 22 #line 22 # Allows to write messages to the shell allow evsmanagerd shell:fd use; allow evsmanagerd shell:fifo_file write; # Allows to use the graphics allocator allow evsmanagerd hal_graphics_allocator:fd use; # Allows to use a bootstrap statsd allow evsmanagerd statsbootstrap_service:service_manager find; # Allows binder IPCs to the CarService #line 35 # Call the server domain and optionally transfer references to it. #line 35 allow evsmanagerd appdomain:binder { call transfer }; #line 35 # Allow the serverdomain to transfer references to the client on the reply. #line 35 allow appdomain evsmanagerd:binder transfer; #line 35 # Receive and use open files from the server. #line 35 allow evsmanagerd appdomain:fd use; #line 35 # For HIDL evs manager implementation allow evsmanagerd hal_evs_hwservice:hwservice_manager add; allow evsmanagerd hidl_base_hwservice:hwservice_manager add; #line 1 "system/sepolicy/private/extra_free_kbytes.te" typeattribute extra_free_kbytes coredomain; #line 3 #line 3 # Allow the necessary permissions. #line 3 #line 3 # Old domain may exec the file and transition to the new domain. #line 3 allow init extra_free_kbytes_exec:file { getattr open read execute map }; #line 3 allow init extra_free_kbytes:process transition; #line 3 # New domain is entered by executing the file. 
#line 3 allow extra_free_kbytes extra_free_kbytes_exec:file { entrypoint open read execute getattr map }; #line 3 # New domain can send SIGCHLD to its caller. #line 3 #line 3 # Enable AT_SECURE, i.e. libc secure mode. #line 3 dontaudit init extra_free_kbytes:process noatsecure; #line 3 # XXX dontaudit candidate but requires further study. #line 3 allow init extra_free_kbytes:process { siginh rlimitinh }; #line 3 #line 3 # Make the transition occur by default. #line 3 type_transition init extra_free_kbytes_exec:process extra_free_kbytes; #line 3 #line 3 # Only extra_free_kbytes script is allowed to store these properties #line 6 #line 6 allow extra_free_kbytes property_socket:sock_file write; #line 6 allow extra_free_kbytes init:unix_stream_socket connectto; #line 6 #line 6 allow extra_free_kbytes init_storage_prop:property_service set; #line 6 #line 6 allow extra_free_kbytes init_storage_prop:file { getattr open read map }; #line 6 #line 6 #line 1 "system/sepolicy/private/fastbootd.te" typeattribute fastbootd coredomain; # The allow rules are only included in the recovery policy. # Otherwise fastbootd is only allowed the domain rules. #line 52 # This capability allows fastbootd to circumvent memlock rlimits while using # io_uring. An Alternative would be to up the memlock rlimit for the fastbootd service. allow fastbootd self:capability ipc_lock; #line 57 # Set up a type_transition to "io_uring" named anonymous inode object. #line 57 type fastbootd_iouring; #line 57 type_transition fastbootd fastbootd:anon_inode fastbootd_iouring "[io_uring]"; #line 57 # Allow domain to create/use io_uring anon_inode. #line 57 allow fastbootd fastbootd_iouring:anon_inode { create map read write }; #line 57 allow fastbootd self:io_uring sqpoll; #line 57 # Other domains may not use iouring anon_inodes created by this domain. 
#line 57 neverallow { domain -fastbootd } fastbootd_iouring:anon_inode *; #line 57 # io_uring checks for CAP_IPC_LOCK to determine whether or not to track #line 57 # memory usage per uid against RLIMIT_MEMLOCK. This can lead folks to #line 57 # grant CAP_IPC_LOCK to silence avc denials, which is undesirable. #line 57 dontaudit fastbootd self:{ capability cap_userns } ipc_lock; #line 57 #line 1 "system/sepolicy/private/file.te" # /proc/config.gz type config_gz, fs_type, proc_type; # /sys/fs/bpf/ for mainline tethering use # TODO: move S+ fs_bpf_tethering here from public/file.te type fs_bpf_net_private, fs_type, bpffs_type; type fs_bpf_net_shared, fs_type, bpffs_type; type fs_bpf_netd_readonly, fs_type, bpffs_type; type fs_bpf_netd_shared, fs_type, bpffs_type; type fs_bpf_loader, fs_type, bpffs_type; type fs_bpf_uprobestats, fs_type, bpffs_type; # /data/misc/storaged type storaged_data_file, file_type, data_file_type, core_data_file_type; # /data/misc/wmtrace for wm traces type wm_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; # /data/misc/a11ytrace for accessibility traces type accessibility_trace_data_file, file_type, data_file_type, core_data_file_type; # /data/misc/perfetto-traces for perfetto traces type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type; # /data/misc/perfetto-traces/bugreport for perfetto traces for bugreports. type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_file_type; # /data/misc/perfetto-traces/profiling for perfetto traces from profiling apis. 
type perfetto_traces_profiling_data_file, file_type, data_file_type, core_data_file_type; # /data/misc/perfetto-configs for perfetto configs type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type; # /data/misc/uprobestats-configs for uprobestats configs type uprobestats_configs_data_file, file_type, data_file_type, core_data_file_type; # /apex/com.android.art/bin/oatdump type oatdump_exec, system_file_type, exec_type, file_type; # /data/misc_{ce/de}//sdksandbox root data directory for sdk sandbox processes type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type; # /data/misc_{ce/de}//sdksandbox//* subdirectory for sdk sandbox processes type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type; # /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds. type debugfs_kcov, fs_type, debugfs_type; # App executable files in /data/data directories type app_exec_data_file, file_type, data_file_type, core_data_file_type; typealias app_exec_data_file alias rs_data_file; # /data/misc_[ce|de]/rollback : Used by installd to store snapshots # of application data. type rollback_data_file, file_type, data_file_type, core_data_file_type; # /data/misc_ce/checkin for checkin apps. 
type checkin_data_file, file_type, data_file_type, core_data_file_type; # /data/gsi/ota type ota_image_data_file, file_type, data_file_type, core_data_file_type; # /data/gsi_persistent_data type gsi_persistent_data_file, file_type, data_file_type, core_data_file_type; # /data/misc/emergencynumberdb type emergency_data_file, file_type, data_file_type, core_data_file_type; # /data/misc/profcollectd type profcollectd_data_file, file_type, data_file_type, core_data_file_type; # /data/misc/apexdata/com.android.art type apex_art_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type; # /data/misc/apexdata/com.android.art/staging type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type; # /data/misc/apexdata/com.android.compos type apex_compos_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type; # /data/misc/apexdata/com.android.virt type apex_virt_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type; # /data/misc/apexdata/com.android.tethering type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type; # legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained # for backward compatibility b/217581286 type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type; type apex_permission_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type; type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type; type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type; # /data/font/files type font_data_file, file_type, data_file_type, core_data_file_type; # /data/misc/dmesgd type dmesgd_data_file, file_type, data_file_type, core_data_file_type; # /data/misc/odrefresh type odrefresh_data_file, file_type, data_file_type, core_data_file_type; # /data/misc/odsign type odsign_data_file, 
file_type, data_file_type, core_data_file_type; # /data/misc/odsign_metrics type odsign_metrics_file, file_type, data_file_type, core_data_file_type; # /data/misc/virtualizationservice # The type needs to be mlstrustedobject to allow for being accessed from # virtualizationmanager, which runs at a more constrained MLS level. type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; # /data/system/environ type environ_system_data_file, file_type, data_file_type, core_data_file_type; # /data/misc/bootanim type bootanim_data_file, file_type, data_file_type, core_data_file_type; # /dev/kvm # The type needs to be mlstrustedobject to allow for being accessed from # crosvm, which runs at a more constrained MLS level. type kvm_device, dev_type, mlstrustedobject, vm_manager_device_type; # /apex/com.android.virt/bin/fd_server type fd_server_exec, system_file_type, exec_type, file_type; # /apex/com.android.compos/bin/compsvc type compos_exec, exec_type, file_type, system_file_type; # /apex/com.android.compos/bin/compos_key_helper type compos_key_helper_exec, exec_type, file_type, system_file_type; # /apex/com.android.art/bin/art_exec # This executable does not have its own domain because it is executed in the caller's domain. For # example, it is executed in the `artd` domain when artd calls it. type art_exec_exec, system_file_type, exec_type, file_type; # Filesystem entry for the PRNG seeder socket. Processes require # write permission on this to connect, and it needs to be mlstrustedobject # in order to satisfy MLS constraints for trusted domains. type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject; # /proc/device-tree/avf and /sys/firmware/devicetree/base/avf type sysfs_dt_avf, fs_type, sysfs_type; type proc_dt_avf, fs_type, proc_type; # Type for /system/fonts/font_fallback.xml type system_font_fallback_file, system_file_type, file_type; # Type for /sys/devices/uprobe. 
type sysfs_uprobe, fs_type, sysfs_type; # Type for aconfig daemon socket type aconfigd_socket, file_type, coredomain_socket; # Type for /(system|system_ext|product)/etc/aconfig type system_aconfig_storage_file, system_file_type, file_type; # Type for /vendor/etc/aconfig type vendor_aconfig_storage_file, vendor_file_type, file_type; #line 1 "system/sepolicy/private/fingerprintd.te" typeattribute fingerprintd coredomain; #line 3 #line 3 # Allow the necessary permissions. #line 3 #line 3 # Old domain may exec the file and transition to the new domain. #line 3 allow init fingerprintd_exec:file { getattr open read execute map }; #line 3 allow init fingerprintd:process transition; #line 3 # New domain is entered by executing the file. #line 3 allow fingerprintd fingerprintd_exec:file { entrypoint open read execute getattr map }; #line 3 # New domain can send SIGCHLD to its caller. #line 3 #line 3 # Enable AT_SECURE, i.e. libc secure mode. #line 3 dontaudit init fingerprintd:process noatsecure; #line 3 # XXX dontaudit candidate but requires further study. #line 3 allow init fingerprintd:process { siginh rlimitinh }; #line 3 #line 3 # Make the transition occur by default. #line 3 type_transition init fingerprintd_exec:process fingerprintd; #line 3 #line 3 #line 1 "system/sepolicy/private/flags_health_check.te" typeattribute flags_health_check coredomain; #line 3 #line 3 # Allow the necessary permissions. #line 3 #line 3 # Old domain may exec the file and transition to the new domain. #line 3 allow init flags_health_check_exec:file { getattr open read execute map }; #line 3 allow init flags_health_check:process transition; #line 3 # New domain is entered by executing the file. #line 3 allow flags_health_check flags_health_check_exec:file { entrypoint open read execute getattr map }; #line 3 # New domain can send SIGCHLD to its caller. #line 3 #line 3 # Enable AT_SECURE, i.e. libc secure mode. 
# (continuation of the init -> flags_health_check transition expansion)
# noatsecure is not allowed, only the denial is silenced, so AT_SECURE stays set.
dontaudit init flags_health_check:process noatsecure;
# XXX dontaudit candidate but requires further study.
# Child inherits init's signal state and resource limits.
allow init flags_health_check:process { siginh rlimitinh };
# Make the transition occur by default.
type_transition init flags_health_check_exec:process flags_health_check;

# Property rules (macro expansion, one group per property). Each group lets
# flags_health_check reach init's property service (write on the socket node
# plus connectto on init's stream socket) in order to `set` one property, and
# read that property's backing file. The socket/connectto pair is repeated
# verbatim in every group. Note that `set` lets this domain overwrite every
# listed device_config namespace as well as next_boot_prop; the two
# properties with disaster-recovery semantics are additionally protected by
# the neverallow rules at the end of this file.

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_boot_count_prop:property_service set;
allow flags_health_check device_config_boot_count_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_core_experiments_team_internal_prop:property_service set;
allow flags_health_check device_config_core_experiments_team_internal_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_edgetpu_native_prop:property_service set;
allow flags_health_check device_config_edgetpu_native_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_reset_performed_prop:property_service set;
allow flags_health_check device_config_reset_performed_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_runtime_native_boot_prop:property_service set;
allow flags_health_check device_config_runtime_native_boot_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_runtime_native_prop:property_service set;
allow flags_health_check device_config_runtime_native_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_input_native_boot_prop:property_service set;
allow flags_health_check device_config_input_native_boot_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_lmkd_native_prop:property_service set;
allow flags_health_check device_config_lmkd_native_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_netd_native_prop:property_service set;
allow flags_health_check device_config_netd_native_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_nnapi_native_prop:property_service set;
allow flags_health_check device_config_nnapi_native_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_activity_manager_native_boot_prop:property_service set;
allow flags_health_check device_config_activity_manager_native_boot_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_media_native_prop:property_service set;
allow flags_health_check device_config_media_native_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_mglru_native_prop:property_service set;
allow flags_health_check device_config_mglru_native_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_profcollect_native_boot_prop:property_service set;
allow flags_health_check device_config_profcollect_native_boot_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_statsd_native_prop:property_service set;
allow flags_health_check device_config_statsd_native_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_statsd_native_boot_prop:property_service set;
allow flags_health_check device_config_statsd_native_boot_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_storage_native_boot_prop:property_service set;
allow flags_health_check device_config_storage_native_boot_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_swcodec_native_prop:property_service set;
allow flags_health_check device_config_swcodec_native_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_sys_traced_prop:property_service set;
allow flags_health_check device_config_sys_traced_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_window_manager_native_boot_prop:property_service set;
allow flags_health_check device_config_window_manager_native_boot_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_configuration_prop:property_service set;
allow flags_health_check device_config_configuration_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_connectivity_prop:property_service set;
allow flags_health_check device_config_connectivity_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_surface_flinger_native_boot_prop:property_service set;
allow flags_health_check device_config_surface_flinger_native_boot_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_aconfig_flags_prop:property_service set;
allow flags_health_check device_config_aconfig_flags_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_vendor_system_native_prop:property_service set;
allow flags_health_check device_config_vendor_system_native_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_vendor_system_native_boot_prop:property_service set;
allow flags_health_check device_config_vendor_system_native_boot_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_virtualization_framework_native_prop:property_service set;
allow flags_health_check device_config_virtualization_framework_native_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_memory_safety_native_boot_prop:property_service set;
allow flags_health_check device_config_memory_safety_native_boot_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_memory_safety_native_prop:property_service set;
allow flags_health_check device_config_memory_safety_native_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_remote_key_provisioning_native_prop:property_service set;
allow flags_health_check device_config_remote_key_provisioning_native_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_camera_native_prop:property_service set;
allow flags_health_check device_config_camera_native_prop:file { getattr open read map };

allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check device_config_tethering_u_or_later_native_prop:property_service set;
allow flags_health_check device_config_tethering_u_or_later_native_prop:file { getattr open read map };

# next_boot_prop is not a device_config namespace but is settable here as well.
allow flags_health_check property_socket:sock_file write;
allow flags_health_check init:unix_stream_socket connectto;
allow flags_health_check next_boot_prop:property_service set;
allow flags_health_check next_boot_prop:file { getattr open read map };

# The system property device_config_boot_count_prop is used for deciding when to perform
# server-configurable-flag disaster recovery. If an unrelated component sets it at the
# wrong time, it can trigger that disaster recovery, which overrides the server-configured
# values of all flags with their defaults. Only init and flags_health_check may `set` it.
# Note this constrains `set` only; read access is governed by the per-property file rules.
neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;
# The system property device_config_reset_performed_prop indicates whether server-configurable
# flags have been reset during boot. If an unrelated component modifies it, bad
# server-configurable flags can be synced back to the device. Same `set`-only restriction.
neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set;

#line 1 "system/sepolicy/private/fsck.te"
typeattribute fsck coredomain;

# Process-transition rules (macro expansion): init executes fsck_exec and the
# child lands in the fsck domain.
# Allow the necessary permissions.
# Old domain may exec the file and transition to the new domain.
allow init fsck_exec:file { getattr open read execute map };
allow init fsck:process transition;
# New domain is entered by executing the file.
allow fsck fsck_exec:file { entrypoint open read execute getattr map };
# New domain can send SIGCHLD to its caller.
# Enable AT_SECURE, i.e. libc secure mode (noatsecure is not allowed, only silenced).
dontaudit init fsck:process noatsecure;
# XXX dontaudit candidate but requires further study.
# Child inherits init's signal state and resource limits.
allow init fsck:process { siginh rlimitinh };
# Make the transition occur by default.
type_transition init fsck_exec:process fsck;

# fsck gets read AND write access to the raw metadata partition block device.
# This is what lets it repair the metadata filesystem -- and also what lets it
# rewrite the partition arbitrarily, so keep the target set to the devices fsck
# genuinely needs.
allow fsck metadata_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };

#line 1 "system/sepolicy/private/fsck_untrusted.te"
# Only the attribute assignment lives here; the domain's other rules are not in this file.
typeattribute fsck_untrusted coredomain;

#line 1 "system/sepolicy/private/fsverity_init.te"
type fsverity_init, domain, coredomain;
type fsverity_init_exec, exec_type, file_type, system_file_type;

# Process-transition rules (macro expansion): init executes fsverity_init_exec
# and the child lands in the fsverity_init domain.
# Old domain may exec the file and transition to the new domain.
allow init fsverity_init_exec:file { getattr open read execute map };
allow init fsverity_init:process transition;
# New domain is entered by executing the file.
allow fsverity_init fsverity_init_exec:file { entrypoint open read execute getattr map };
# New domain can send SIGCHLD to its caller.
# Enable AT_SECURE, i.e. libc secure mode (noatsecure is not allowed, only silenced).
dontaudit init fsverity_init:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init fsverity_init:process { siginh rlimitinh };
# Make the transition occur by default.
type_transition init fsverity_init_exec:process fsverity_init;

# Allow to read /proc/keys for searching key id.
allow fsverity_init proc_keys:file { getattr open read ioctl lock map watch watch_reads };
# Ignore denials to access irrelevant keys, as a side effect of reading /proc/keys.
# (dontaudit only silences the log; it grants nothing.)
dontaudit fsverity_init domain:key view;
# `write setattr` on kernel-owned keys: fsverity_init may link keys into, and
# change attributes of, keyrings owned by the kernel. Going by the domain's
# name this is the fs-verity trust-anchor path -- whatever this domain adds to
# the keyring becomes trusted, so the provenance of its inputs (the odsign
# certificate read below) is what the whole scheme rests on.
allow fsverity_init kernel:key { view search write setattr };
allow fsverity_init fsverity_init:key { view search write };
# Read the on-device signing certificate, to be able to add it to the keyring.
# Access is read-only (getattr read) and goes through a descriptor handed over
# by odsign; this domain cannot write the certificate file.
allow fsverity_init odsign:fd use;
allow fsverity_init odsign_data_file:file { getattr read };

#line 1 "system/sepolicy/private/fuseblkd.te"
# Compartmentalized domain specifically for mounting fuseblk filesystems.
# We need this to not grant fuseblkd_untrusted sys_admin permissions: the
# privileged mount/unmount step is isolated here, while the untrusted
# filesystem code itself runs in fuseblkd_untrusted.
type fuseblkd_exec, system_file_type, exec_type, file_type;
type fuseblkd, domain;
typeattribute fuseblkd coredomain;
# Required for mount and unmounting. We can't minimize this permission,
# even though we only allow mount/unmount. (CAP_SYS_ADMIN is granted both in
# the init user namespace and, via cap_userns, in non-init user namespaces.)
allow fuseblkd self:{ capability cap_userns } sys_admin;
# Permissions for the fuseblk filesystem.
allow fuseblkd fuse_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow fuseblkd fuseblk:filesystem { mount unmount };
# Use descriptors inherited from the untrusted parent (presumably the FUSE
# device it opened -- cf. fuseblkd_untrusted's fuse_device rule; verify).
allow fuseblkd fuseblkd_untrusted:fd use;
# Look through block devices to find the correct one.
allow fuseblkd block_device:dir search;
# Permissions to mount on the media_rw directory for USB drives.
allow fuseblkd mnt_media_rw_file:dir search;
allow fuseblkd mnt_media_rw_stub_file:dir mounton;

###
### neverallow rules
###
# Only allow entry from fuseblkd_untrusted, and only through the fuseblkd_exec binary.
# Together these pin the domain: no other domain may transition in, no
# dyntransition (setcon) from anywhere, and no entrypoint other than fuseblkd_exec.
neverallow { domain -fuseblkd_untrusted } fuseblkd:process transition;
neverallow * fuseblkd:process dyntransition;
neverallow fuseblkd { file_type fs_type -fuseblkd_exec }:file entrypoint;

#line 1 "system/sepolicy/private/fuseblkd_untrusted.te"
# Fuseblk is a Filesystem in USErspace for block devices. It should only be used
# to mount untrusted blocks like USB drives.
type fuseblkd_untrusted_exec, system_file_type, exec_type, file_type;
type fuseblkd_untrusted, domain;
typeattribute fuseblkd_untrusted coredomain;

# Process-transition rules (macro expansion): fuseblkd_untrusted executes
# fuseblkd_exec and transitions into the privileged fuseblkd helper domain.
# This is the only transition into fuseblkd that fuseblkd's neverallows permit.
# Old domain may exec the file and transition to the new domain.
allow fuseblkd_untrusted fuseblkd_exec:file { getattr open read execute map };
allow fuseblkd_untrusted fuseblkd:process transition;
# New domain is entered by executing the file.
allow fuseblkd fuseblkd_exec:file { entrypoint open read execute getattr map };
# New domain can send SIGCHLD to its caller.
allow fuseblkd fuseblkd_untrusted:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode (noatsecure is not allowed, only silenced).
dontaudit fuseblkd_untrusted fuseblkd:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow fuseblkd_untrusted fuseblkd:process { siginh rlimitinh };
# Make the transition occur by default.
type_transition fuseblkd_untrusted fuseblkd_exec:process fuseblkd;
# Stray ';' left over from the macro invocation; kept verbatim.
;

# Allow stdin/out back to vold.
allow fuseblkd_untrusted vold:fd use;
# Allows fuseblk to read block devices.
allow fuseblkd_untrusted block_device:dir search;
# Permissions to read dynamic partitions blocks (stat only: getattr, no open/read).
allow fuseblkd_untrusted super_block_device:blk_file getattr;
# Permissions to access FUSE character devices.
allow fuseblkd_untrusted fuse_device:chr_file { getattr open read write };
# Permissions to access /mnt/media_rw/.
allow fuseblkd_untrusted mnt_media_rw_file:dir { getattr search };
allow fuseblkd_untrusted mnt_media_rw_stub_file:dir getattr;
# Permissions to read device-mapper metadata in sysfs; dm_device itself is stat only.
allow fuseblkd_untrusted sysfs_dm:dir search;
allow fuseblkd_untrusted sysfs_dm:file { getattr open read };
allow fuseblkd_untrusted dm_device:blk_file getattr;
# Permissions to read links in tmpfs.
allow fuseblkd_untrusted tmpfs:lnk_file read;
# Permissions to read loop device blocks (stat only).
allow fuseblkd_untrusted loop_device:blk_file getattr;
# Permissions to access the /proc/filesystems file.
allow fuseblkd_untrusted proc_filesystems:file { open read getattr };

###
### dontaudit rules
###
# ntfs-3g wants this permission to read a fork return code, for some reason.
# It's unclear why, because it still reads the fork return code correctly,
# and nothing breaks. If enforce is set to permissive, the audit goes away.
# This only silences the denial; the neverallow below guarantees it can never
# be turned into an allow.
dontaudit fuseblkd_untrusted self:capability sys_admin;

###
### neverallow rules
###
# Fuseblk should never be run on block devices holding sensitive data.
# The denied set covers writes/creation/linking/renaming/relabelling and
# open/read/ioctl/lock/watch*; getattr is intentionally absent so the stat-only
# rules above stay valid (dm_device is in this list; super_block_device and
# loop_device are not).
neverallow fuseblkd_untrusted { boot_block_device frp_block_device metadata_block_device recovery_block_device root_block_device swap_block_device system_block_device userdata_block_device cache_block_device dm_device }:blk_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Only allow entry from vold, and only through fuseblkd_untrusted_exec binaries.
neverallow { domain -vold } fuseblkd_untrusted:process transition;
neverallow * fuseblkd_untrusted:process dyntransition;
neverallow fuseblkd_untrusted { file_type fs_type -fuseblkd_untrusted_exec }:file entrypoint;
# Under no circumstances should fuseblkd_untrusted or any other fuseblk filesystem be
# given sys_admin access. They are fundamentally untrusted, insecure filesystems.
# The correct solution here is to compartmentalize permissions correctly so that
# a smaller binary can get the required permissions. See fuseblkd.te.
# Similar to above, we don't need setgid or setuid permissions.
# (The first rule is subsumed by the second, which also covers cap_userns;
# the redundancy is harmless.)
neverallow fuseblkd_untrusted self:capability { setgid setuid sys_admin };
neverallow fuseblkd_untrusted self:{ capability cap_userns } { setgid setuid sys_admin };
# Since we can't have sys_admin permissions, we definitely can't have mount/unmount
# permissions, since we won't be able to use them. Same with relabel permissions.
neverallow fuseblkd_untrusted fuseblk:filesystem { mount unmount relabelto relabelfrom };

#line 1 "system/sepolicy/private/fwk_bufferhub.te"
type fwk_bufferhub, domain, coredomain;
type fwk_bufferhub_exec, system_file_type, exec_type, file_type;

# HAL client attribute wiring (macro expansion).
typeattribute fwk_bufferhub halclientdomain;
typeattribute fwk_bufferhub hal_graphics_allocator_client;
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
# non-Treble devices. For now, on non-Treble device, always grant clients of a
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
typeattribute fwk_bufferhub hal_graphics_allocator;
# Find passthrough HAL implementations.
# NOTE: these three rules are written on the hal_graphics_allocator attribute,
# so they apply to every domain carrying it, not only fwk_bufferhub; and they
# include `execute map` on vendor_file, i.e. loading vendor code in-process.
allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_graphics_allocator vendor_file:file { read open getattr execute map };
# Read-only access to the ION device.
allow fwk_bufferhub ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };

# Process-transition rules (macro expansion): init executes fwk_bufferhub_exec
# and the child lands in the fwk_bufferhub domain.
# Old domain may exec the file and transition to the new domain.
allow init fwk_bufferhub_exec:file { getattr open read execute map };
allow init fwk_bufferhub:process transition;
# New domain is entered by executing the file.
allow fwk_bufferhub fwk_bufferhub_exec:file { entrypoint open read execute getattr map };
# New domain can send SIGCHLD to its caller.
# Enable AT_SECURE, i.e. libc secure mode (noatsecure is not allowed, only silenced).
dontaudit init fwk_bufferhub:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init fwk_bufferhub:process { siginh rlimitinh };
# Make the transition occur by default.
type_transition init fwk_bufferhub_exec:process fwk_bufferhub;

#line 1 "system/sepolicy/private/gatekeeperd.te"
typeattribute gatekeeperd coredomain;

# Process-transition rules (macro expansion): init executes gatekeeperd_exec
# and the child lands in the gatekeeperd domain.
# Old domain may exec the file and transition to the new domain.
allow init gatekeeperd_exec:file { getattr open read execute map };
allow init gatekeeperd:process transition;
# New domain is entered by executing the file.
allow gatekeeperd gatekeeperd_exec:file { entrypoint open read execute getattr map };
# New domain can send SIGCHLD to its caller.
# Enable AT_SECURE, i.e. libc secure mode (noatsecure is not allowed, only silenced).
dontaudit init gatekeeperd:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init gatekeeperd:process { siginh rlimitinh };
# Make the transition occur by default.
type_transition init gatekeeperd_exec:process gatekeeperd;
# For checking whether GSI is running (read-only access to the property file).
allow gatekeeperd gsid_prop:file { getattr open read map };

#line 1 "system/sepolicy/private/gki_apex_prepostinstall.te"
# GKI pre- & post-install hooks.
#
# Allow to run pre- and post-install hooks for GKI APEXes.
# No process-transition rules into this domain appear in this file; it is
# presumably entered from apexd (cf. the apexd:fd rule at the end) -- confirm
# against apexd's policy.
type gki_apex_prepostinstall, domain, coredomain;
type gki_apex_prepostinstall_exec, system_file_type, exec_type, file_type;
# Execute /system/bin/sh. execute_no_trans means the shell keeps running in
# this domain, so the hook scripts hold every permission granted here.
allow gki_apex_prepostinstall shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Execute various toolbox utilities, likewise without a domain transition.
allow gki_apex_prepostinstall toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow preinstall.sh to execute the update_engine_stable_client binary
# (labelled with this domain's own exec type) without a transition.
allow gki_apex_prepostinstall gki_apex_prepostinstall_exec:file execute_no_trans;
# Allow the preinstall hook to communicate with update_engine to execute an update.
# Binder client wiring (macro expansion): reach servicemanager, accept its
# callbacks, and let it getpidcon() this process.
# Call the servicemanager and transfer references to it.
allow gki_apex_prepostinstall servicemanager:binder { call transfer };
# Allow servicemanager to send out callbacks.
allow servicemanager gki_apex_prepostinstall:binder { call transfer };
# servicemanager performs getpidcon on clients.
allow servicemanager gki_apex_prepostinstall:dir search;
allow servicemanager gki_apex_prepostinstall:file { read open };
allow servicemanager gki_apex_prepostinstall:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
allow gki_apex_prepostinstall update_engine_stable_service:service_manager find;
# Call the server domain and optionally transfer references to it.
allow gki_apex_prepostinstall update_engine:binder { call transfer };
# Allow the server domain to transfer references to the client on the reply.
allow update_engine gki_apex_prepostinstall:binder transfer;
# Receive and use open files from the server.
allow gki_apex_prepostinstall update_engine:fd use;
# /dev/zero is inherited although it is not used. See b/126787589.
allow gki_apex_prepostinstall apexd:fd use;

#line 1 "system/sepolicy/private/gmscore_app.te"
###
### A domain for further sandboxing the PrebuiltGMSCore app.
###
typeattribute gmscore_app coredomain;

# App-domain boilerplate (macro expansion).
typeattribute gmscore_app appdomain;
# Label tmpfs objects for all apps.
type_transition gmscore_app tmpfs:file appdomain_tmpfs;
# Set up a type_transition to "userfaultfd" named anonymous inode object.
type gmscore_app_userfaultfd;
type_transition gmscore_app gmscore_app:anon_inode gmscore_app_userfaultfd "[userfaultfd]";
# Allow domain to create/use userfaultfd anon_inode.
allow gmscore_app gmscore_app_userfaultfd:anon_inode { create ioctl read };
# Suppress errors generated during bugreport.
dontaudit su gmscore_app_userfaultfd:anon_inode *;
# Other domains may not use userfaultfd anon_inodes created by this domain.
neverallow { domain -gmscore_app } gmscore_app_userfaultfd:anon_inode *;
# Read/write/map on app tmpfs files. Note the set includes `execute`, so
# anonymous shared memory can be mapped executable by the app (standard for
# app domains, but relevant when auditing code-loading restrictions).
allow gmscore_app appdomain_tmpfs:file { execute getattr map read write };
# /proc/<pid> isolation (the `file` class on a domain type is that domain's
# /proc/<pid> entries): this app may not touch other domains' entries, and
# other app domains may not touch this app's. runas_app, shell and simpleperf
# are exempted.
neverallow { gmscore_app -runas_app -shell -simpleperf } { domain -gmscore_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow { appdomain -runas_app -shell -simpleperf -gmscore_app } gmscore_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# The Android security model guarantees the confidentiality and integrity
# of application data and execution state. Ptrace bypasses those
# confidentiality guarantees. Disallow ptrace access from system components to
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
# traces. runas_app is excluded, as it operates only on debuggable apps.
# simpleperf is excluded, as it operates only on debuggable or profileable
# apps.
# NOTE(review): the comment this was expanded from also states that llkd is
# excluded (for live-lock stack inspection), but the rule as expanded here
# exempts only crash_dump, runas_app and simpleperf -- llkd is NOT exempted.
# The rule, not the comment, is what is enforced.
neverallow { domain -gmscore_app -crash_dump -runas_app -simpleperf } gmscore_app:process ptrace;

allow gmscore_app sysfs_type:dir search;
# Read access to /sys/block/zram*/mm_stat
allow gmscore_app sysfs_zram:dir { open getattr read search ioctl lock watch watch_reads };
allow gmscore_app sysfs_zram:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
# Read access to the root filesystem (directories, files and symlinks).
allow gmscore_app rootfs:dir { open getattr read search ioctl lock watch watch_reads };
allow gmscore_app rootfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
# Allow GMS core to open the kernel config for OTA matching through libvintf.
allow gmscore_app config_gz:file { open read getattr };

# Allow GMS core to communicate with update_engine for A/B update
# (binder client expansion: call the server, let it reply with references,
# use descriptors it passes, and find its service).
allow gmscore_app update_engine:binder { call transfer };
allow update_engine gmscore_app:binder transfer;
allow gmscore_app update_engine:fd use;
allow gmscore_app update_engine_service:service_manager find;

# Allow GMS core to communicate with dumpsys storaged.
allow gmscore_app storaged:binder { call transfer };
allow storaged gmscore_app:binder transfer;
allow gmscore_app storaged:fd use;
allow gmscore_app storaged_service:service_manager find;

# Allow GMS core to access system_update_service (e.g. to publish pending
# system update info).
allow gmscore_app system_update_service:service_manager find;

# Allow GMS core to communicate with statsd.
allow gmscore_app statsd:binder { call transfer };
allow statsd gmscore_app:binder transfer;
allow gmscore_app statsd:fd use;

# Allow GMS core to receive Perfetto traces through the framework
# (i.e. TracingServiceProxy) and sendfile them into its private directory
# for reporting when network and battery conditions are appropriate.
# Access to the trace files is read-only; the descriptor comes from perfetto.
allow gmscore_app perfetto:fd use;
allow gmscore_app perfetto_traces_data_file:file { read getattr };

# Allow GMS core to generate unique hardware IDs. Device-unique identifiers are
# privacy-sensitive; keep this grant narrow.
allow gmscore_app keystore:keystore2_key gen_unique_id;

# Allow GMS core to access /sys/fs/selinux/policyvers for a compatibility check.
# The rule is written on the selinuxfs type, so it covers read access to every
# file carrying that label, not only policyvers.
allow gmscore_app selinuxfs:file { getattr open read ioctl lock map watch watch_reads };

# Suppress denials for non-API accesses. dontaudit grants nothing; it only
# keeps these probes out of the audit log.
dontaudit gmscore_app exec_type:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app device:dir { open getattr read search ioctl lock watch watch_reads };
dontaudit gmscore_app fs_bpf:dir { open getattr read search ioctl lock watch watch_reads };
# Silences every security-class denial for this domain (e.g. attempts to
# change enforcement or load policy). Such attempts are still denied, but they
# will not appear in the logs.
dontaudit gmscore_app kernel:security *;
dontaudit gmscore_app net_dns_prop:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app proc:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app proc_interrupts:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app proc_modules:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app proc_net:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app proc_stat:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app proc_version:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app sysfs:dir { open getattr read search ioctl lock watch watch_reads };
dontaudit gmscore_app sysfs:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app sysfs_android_usb:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app sysfs_dm:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app sysfs_loop:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app sysfs_net:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app sysfs_net:dir { open getattr read search ioctl lock watch watch_reads };
dontaudit gmscore_app { wifi_prop wifi_hal_prop }:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app mirror_data_file:dir search;
dontaudit gmscore_app mnt_vendor_file:dir search;

# Access the network (the network rules live with the netdomain attribute).
typeattribute gmscore_app netdomain;
# webview crash handling depends on self ptrace (b/27697529, b/20150694,
b/19277529#comment7) allow gmscore_app self:process ptrace; # Allow loading executable code from writable priv-app home # directories. This is a W^X violation, however, it needs # to be supported for now for the following reasons. # * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367) # 1) com.android.opengl.shaders_cache # 2) com.android.skia.shaders_cache # 3) com.android.renderscript.cache # * /data/user_de/0/com.google.android.gms/app_chimera # TODO: Tighten (b/112357170) allow gmscore_app privapp_data_file:file execute; # Chrome Crashpad uses the the dynamic linker to load native executables # from an APK (b/112050209, crbug.com/928422) allow gmscore_app system_linker_exec:file execute_no_trans; allow gmscore_app privapp_data_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # /proc access allow gmscore_app proc_vmstat:file { getattr open read ioctl lock map watch watch_reads }; # Allow interaction with gpuservice #line 94 # Call the server domain and optionally transfer references to it. #line 94 allow gmscore_app gpuservice:binder { call transfer }; #line 94 # Allow the serverdomain to transfer references to the client on the reply. #line 94 allow gpuservice gmscore_app:binder transfer; #line 94 # Receive and use open files from the server. #line 94 allow gmscore_app gpuservice:fd use; #line 94 allow gmscore_app gpu_service:service_manager find; # find services that expose both @SystemAPI and normal APIs. 
allow gmscore_app app_api_service:service_manager find; allow gmscore_app system_api_service:service_manager find; allow gmscore_app audioserver_service:service_manager find; allow gmscore_app cameraserver_service:service_manager find; allow gmscore_app drmserver_service:service_manager find; allow gmscore_app mediadrmserver_service:service_manager find; allow gmscore_app mediaextractor_service:service_manager find; allow gmscore_app mediametrics_service:service_manager find; allow gmscore_app mediaserver_service:service_manager find; allow gmscore_app network_watchlist_service:service_manager find; allow gmscore_app nfc_service:service_manager find; allow gmscore_app oem_lock_service:service_manager find; allow gmscore_app persistent_data_block_service:service_manager find; allow gmscore_app radio_service:service_manager find; allow gmscore_app recovery_service:service_manager find; allow gmscore_app stats_service:service_manager find; # Used by Finsky / Android "Verify Apps" functionality when # running "adb install foo.apk". allow gmscore_app shell_data_file:file { getattr open read ioctl lock map watch watch_reads }; allow gmscore_app shell_data_file:dir { open getattr read search ioctl lock watch watch_reads }; # Write to /cache. allow gmscore_app { cache_file cache_recovery_file }:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow gmscore_app { cache_file cache_recovery_file }:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # /cache is a symlink to /data/cache on some devices. Allow reading the link. allow gmscore_app cache_file:lnk_file { getattr open read ioctl lock map watch watch_reads }; # Write to /data/ota_package for OTA packages. 
allow gmscore_app ota_package_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow gmscore_app ota_package_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Write the checkin metadata to /data/misc_ce//checkin allow gmscore_app checkin_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; allow gmscore_app checkin_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Used by Finsky / Android "Verify Apps" functionality when # running "adb install foo.apk". allow gmscore_app shell_data_file:file { getattr open read ioctl lock map watch watch_reads }; allow gmscore_app shell_data_file:dir { open getattr read search ioctl lock watch watch_reads }; # b/18504118: Allow reads from /data/anr/traces.txt allow gmscore_app anr_data_file:file { getattr open read ioctl lock map watch watch_reads }; # b/148974132: com.android.vending needs this allow gmscore_app priv_app:tcp_socket { read write }; # b/168059475 Allow GMSCore to read Virtual AB properties to determine # if device supports VAB. #line 147 allow gmscore_app virtual_ab_prop:file { getattr open read map }; #line 147 # b/186488185: Allow GMSCore to read dck properties #line 150 allow gmscore_app dck_prop:file { getattr open read map }; #line 150 # Allow GMSCore to read RKP properties for the purpose of GTS testing. #line 153 allow gmscore_app remote_prov_prop:file { getattr open read map }; #line 153 # Allow GmsCore to read Quick Start properties and prevent access from other # policies. 
#line 157 allow gmscore_app quick_start_prop:file { getattr open read map }; #line 157 neverallow { domain -init -dumpstate -vendor_init -gmscore_app } quick_start_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; # Do not allow getting permission-protected network information from sysfs. neverallow gmscore_app sysfs_net:file *; # Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the # ioctl permission, or 3. disallow the socket class. neverallowxperm gmscore_app domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl #line 165 { #line 165 # qualcomm rmnet ioctls #line 165 0x00006900 0x00006902 #line 165 # socket ioctls #line 165 0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916 #line 165 0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f #line 165 0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926 #line 165 0x00008927 0x00008929 0x00008930 0x00008931 0x00008932 #line 165 0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941 #line 165 0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a #line 165 0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970 #line 165 0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990 #line 165 0x00008991 0x00008992 0x00008993 0x00008994 #line 165 0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0 #line 165 # device and protocol specific ioctls #line 165 0x000089f0-0x000089ff #line 165 0x000089e0-0x000089ef #line 165 # Wireless extension ioctls #line 165 0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a #line 165 0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17 #line 165 0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d #line 165 0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a #line 165 
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 165
0x00008b34 0x00008b35 0x00008b36
#line 165
# Dev private ioctl i.e. hardware specific ioctls
#line 165
0x00008be0-0x00008bff
#line 165
};
# Beyond the ioctl ranges denied above: no ioctl at all on route/selinux
# netlink sockets, and no permission at all on the socket classes listed next
# (raw netlink families, packet, tun, AF_ALG, ...) for gmscore_app.
neverallow gmscore_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
neverallow gmscore_app *:{ socket netlink_socket packet_socket key_socket appletalk_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } *;
#line 1 "system/sepolicy/private/gpuservice.te"
# gpuservice - server for gpu stats and other gpu related services
#
# This is m4-expanded policy: each "#line N" marker below names the
# gpuservice.te line the following expanded statement came from.
typeattribute gpuservice coredomain;
typeattribute gpuservice bpfdomain;
type gpuservice_exec, system_file_type, exec_type, file_type;
# Looks like the init_daemon_domain() expansion: init execs gpuservice_exec
# and automatically transitions into the gpuservice domain.
#line 7
#line 7
# Allow the necessary permissions.
#line 7
#line 7
# Old domain may exec the file and transition to the new domain.
#line 7
allow init gpuservice_exec:file { getattr open read execute map };
#line 7
allow init gpuservice:process transition;
#line 7
# New domain is entered by executing the file.
#line 7
allow gpuservice gpuservice_exec:file { entrypoint open read execute getattr map };
#line 7
# New domain can send SIGCHLD to its caller.
#line 7
#line 7
# Enable AT_SECURE, i.e. libc secure mode.
#line 7
dontaudit init gpuservice:process noatsecure;
#line 7
# XXX dontaudit candidate but requires further study.
#line 7
allow init gpuservice:process { siginh rlimitinh };
#line 7
#line 7
# Make the transition occur by default.
#line 7
type_transition init gpuservice_exec:process gpuservice;
#line 7
#line 7
# Binder client access to adbd, shell and system_server (presumably
# binder_call() expansions): gpuservice may call them, they may only hand
# references back on the reply, and gpuservice may use fds they return.
#line 9
# Call the server domain and optionally transfer references to it.
#line 9
allow gpuservice adbd:binder { call transfer };
#line 9
# Allow the serverdomain to transfer references to the client on the reply.
#line 9
allow adbd gpuservice:binder transfer;
#line 9
# Receive and use open files from the server.
#line 9
allow gpuservice adbd:fd use;
#line 9
#line 10
# Call the server domain and optionally transfer references to it.
#line 10
allow gpuservice shell:binder { call transfer };
#line 10
# Allow the serverdomain to transfer references to the client on the reply.
#line 10
allow shell gpuservice:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow gpuservice shell:fd use;
#line 10
#line 11
# Call the server domain and optionally transfer references to it.
#line 11
allow gpuservice system_server:binder { call transfer };
#line 11
# Allow the serverdomain to transfer references to the client on the reply.
#line 11
allow system_server gpuservice:binder transfer;
#line 11
# Receive and use open files from the server.
#line 11
allow gpuservice system_server:fd use;
#line 11
# Servicemanager registration (presumably the binder_use() expansion).
#line 12
# Call the servicemanager and transfer references to it.
#line 12
allow gpuservice servicemanager:binder { call transfer };
#line 12
# Allow servicemanager to send out callbacks
#line 12
allow servicemanager gpuservice:binder { call transfer };
#line 12
# servicemanager performs getpidcon on clients.
#line 12
allow servicemanager gpuservice:dir search;
#line 12
allow servicemanager gpuservice:file { read open };
#line 12
allow servicemanager gpuservice:process getattr;
#line 12
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 12
# all domains in domain.te.
#line 12
# Access the GPU.
# Read/write (but no create/unlink) on the GPU character device.
allow gpuservice gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# GPU service will need to load GPU driver, for example Vulkan driver in order
# to get the capability of the driver.
allow gpuservice same_process_hal_file:file { open read getattr execute map };
allow gpuservice ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
#line 21
allow gpuservice hwservicemanager_prop:file { getattr open read map };
#line 21
# HwBinder client access (presumably the hwbinder_use() expansion).
#line 22
# Call the hwservicemanager and transfer references to it.
#line 22
allow gpuservice hwservicemanager:binder { call transfer };
#line 22
# Allow hwservicemanager to send out callbacks
#line 22
allow hwservicemanager gpuservice:binder { call transfer };
#line 22
# hwservicemanager performs getpidcon on clients.
#line 22
allow hwservicemanager gpuservice:dir search;
#line 22
allow hwservicemanager gpuservice:file { read open map };
#line 22
allow hwservicemanager gpuservice:process getattr;
#line 22
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 22
# all domains in domain.te.
#line 22
# Access /dev/graphics/fb0.
allow gpuservice graphics_device:dir search;
allow gpuservice graphics_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow shell access
allow gpuservice adbd:fd use;
allow gpuservice adbd:unix_stream_socket { getattr read write };
allow gpuservice shell:fifo_file { getattr read write };
# Needed for perfetto producer.
# Presumably the perfetto_producer() expansion: connect to traced's producer
# socket and share the per-process tmpfs buffer in both directions.
#line 34
allow gpuservice traced:fd use;
#line 34
allow gpuservice traced_tmpfs:file { read write getattr map };
#line 34
#line 34
allow gpuservice traced_producer_socket:sock_file write;
#line 34
allow gpuservice traced:unix_stream_socket connectto;
#line 34
#line 34
#line 34
# Also allow the service to use the producer file descriptors. This is
#line 34
# necessary when the producer is creating the shared memory, as it will be
#line 34
# passed to the service as a file descriptor (obtained from memfd_create).
#line 34
allow traced gpuservice:fd use;
#line 34
# Needed for interactive shell
allow gpuservice devpts:chr_file { read write getattr };
# Needed for dumpstate to dumpsys gpu.
allow gpuservice dumpstate:fd use;
allow gpuservice dumpstate:fifo_file write;
# Needed for stats callback registration to statsd.
allow gpuservice stats_service:service_manager find;
allow gpuservice statsmanager_service:service_manager find;
# TODO(b/146461633): remove this once native pullers talk to StatsManagerService
#line 47
# Call the server domain and optionally transfer references to it.
#line 47
allow gpuservice statsd:binder { call transfer };
#line 47
# Allow the serverdomain to transfer references to the client on the reply.
#line 47
allow statsd gpuservice:binder transfer;
#line 47
# Receive and use open files from the server.
#line 47
allow gpuservice statsd:fd use;
#line 47
# (Bare ';' left behind by the macro expansion in the generated policy.)
;
# Needed for reading tracepoint ids in order to attach bpf programs.
allow gpuservice debugfs_tracing:file { getattr open read ioctl lock map watch watch_reads };
# The neverallow on the complement pins gpuservice's perf_event permissions on
# itself to exactly { cpu kernel open write }; widening the allow requires
# widening both rules.
allow gpuservice self:perf_event { cpu kernel open write };
neverallow gpuservice self:perf_event ~{ cpu kernel open write };
# Needed to interact with the bpf fs.
# Write is needed to open read/write bpf maps.
allow gpuservice fs_bpf:file { read write };
# Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
# map_write + prog_run on bpfloader-owned objects: gpuservice can both mutate
# and run programs loaded by bpfloader, so the allow is intentionally narrow.
allow gpuservice bpfloader:bpf { map_read map_write prog_run };
# Presumably the add_service() expansion: only gpuservice may register
# gpu_service with servicemanager.
#line 61
allow gpuservice gpu_service:service_manager { add find };
#line 61
neverallow { domain -gpuservice } gpu_service:service_manager add;
#line 61
#line 61
# On debug builds with root, allow binder services to use binder over TCP.
#line 61
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 61
#line 61
# Needed for enabling write access to persist.graphics.egl from developer option switch UI, through gpuservice.
# Presumably the set_prop() expansion; the trailing neverallow limits setters
# of graphics_config_writable_prop to init, vendor_init and gpuservice.
#line 64
#line 64
allow gpuservice property_socket:sock_file write;
#line 64
allow gpuservice init:unix_stream_socket connectto;
#line 64
#line 64
allow gpuservice graphics_config_writable_prop:property_service set;
#line 64
#line 64
allow gpuservice graphics_config_writable_prop:file { getattr open read map };
#line 64
#line 64
neverallow { domain -init -vendor_init -gpuservice } graphics_config_writable_prop:property_service set;
# Needed for querying permission
allow gpuservice permission_service:service_manager find;
# Only uncomment below line when in development
# userdebug_or_eng(`permissive gpuservice;')
#line 1 "system/sepolicy/private/gsid.te"
# gsid - Manager for GSI Installation
type gsid, domain;
type gsid_exec, exec_type, file_type, system_file_type;
typeattribute gsid coredomain;
# Looks like the init_daemon_domain() expansion: init execs gsid_exec and
# automatically transitions into the gsid domain.
#line 7
#line 7
# Allow the necessary permissions.
#line 7
#line 7
# Old domain may exec the file and transition to the new domain.
#line 7
allow init gsid_exec:file { getattr open read execute map };
#line 7
allow init gsid:process transition;
#line 7
# New domain is entered by executing the file.
#line 7
allow gsid gsid_exec:file { entrypoint open read execute getattr map };
#line 7
# New domain can send SIGCHLD to its caller.
#line 7
#line 7
# Enable AT_SECURE, i.e. libc secure mode.
#line 7
dontaudit init gsid:process noatsecure;
#line 7
# XXX dontaudit candidate but requires further study.
#line 7
allow init gsid:process { siginh rlimitinh };
#line 7
#line 7
# Make the transition occur by default.
#line 7
type_transition init gsid_exec:process gsid;
#line 7
#line 7
#line 9
# Call the servicemanager and transfer references to it.
#line 9
allow gsid servicemanager:binder { call transfer };
#line 9
# Allow servicemanager to send out callbacks
#line 9
allow servicemanager gsid:binder { call transfer };
#line 9
# servicemanager performs getpidcon on clients.
#line 9
allow servicemanager gsid:dir search;
#line 9
allow servicemanager gsid:file { read open };
#line 9
allow servicemanager gsid:process getattr;
#line 9
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 9
# all domains in domain.te.
#line 9
#line 10
typeattribute gsid binderservicedomain;
#line 10
# Presumably the add_service() expansion: only gsid may register gsi_service.
#line 11
allow gsid gsi_service:service_manager { add find };
#line 11
neverallow { domain -gsid } gsi_service:service_manager add;
#line 11
#line 11
# On debug builds with root, allow binder services to use binder over TCP.
#line 11
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 11
#line 11
# Manage DSU metadata encryption key through vold.
allow gsid vold_service:service_manager find;
#line 15
# Call the server domain and optionally transfer references to it.
#line 15
allow gsid vold:binder { call transfer };
#line 15
# Allow the serverdomain to transfer references to the client on the reply.
#line 15
allow vold gsid:binder transfer;
#line 15
# Receive and use open files from the server.
#line 15
allow gsid vold:fd use;
#line 15
# Presumably the set_prop() expansion for gsid_prop; the matching neverallow
# on who may set gsid_prop appears further down in this file.
#line 17
#line 17
allow gsid property_socket:sock_file write;
#line 17
allow gsid init:unix_stream_socket connectto;
#line 17
#line 17
allow gsid gsid_prop:property_service set;
#line 17
#line 17
allow gsid gsid_prop:file { getattr open read map };
#line 17
#line 17
# Needed to create/delete device-mapper nodes, and read/write to them.
allow gsid dm_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow gsid dm_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# CAP_SYS_ADMIN (device-mapper / loop setup) plus CAP_SYS_RAWIO further down
# make gsid a high-privilege domain; the neverallows at the end of this file
# are what keep other domains away from the data and metadata it manages.
# dac_override is only silenced, not granted.
allow gsid self:{ capability cap_userns } sys_admin;
dontaudit gsid self:{ capability cap_userns } dac_override;
# On FBE devices (not using dm-default-key), gsid will use loop devices to map
# images rather than device-mapper.
allow gsid loop_control_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow gsid loop_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Loop-device ioctls are allowlisted by number rather than granting ioctl
# wholesale. NOTE(review): these look like LOOP_GET_STATUS64, LOOP_SET_STATUS64,
# LOOP_SET_FD, LOOP_SET_BLOCK_SIZE, LOOP_SET_DIRECT_IO, LOOP_CLR_FD and
# BLKFLSBUF -- confirm against <linux/loop.h> and <linux/fs.h>.
allowxperm gsid loop_device:blk_file ioctl { 0x00004c05 0x00004c04 0x00004c00 0x00004c09 0x00004c08 0x00004c01 0x00001261 };
# libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
# This requires traversing /sys/block/dm-N/slaves/* and reading the list of
# file names.
#line 42
allow gsid sysfs_dm:dir { open getattr read search ioctl lock watch watch_reads };
#line 42
allow gsid sysfs_dm:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 42
# libfiemap_writer needs to read /sys/fs/f2fs//features to determine
# whether pin_file support is enabled.
#line 46
allow gsid sysfs_fs_f2fs:dir { open getattr read search ioctl lock watch watch_reads };
#line 46
allow gsid sysfs_fs_f2fs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 46
# Needed to read fstab, which is used to validate that system verity does not
# use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
# to get the A/B slot suffix).
#line 51
allow gsid { metadata_file gsi_metadata_file_type }:dir search;
#line 51
allow gsid gsi_public_metadata_file:file { getattr open read ioctl lock map watch watch_reads };
#line 51
allow gsid { proc_bootconfig proc_cmdline }:file { getattr open read ioctl lock map watch watch_reads };
#line 51
allow gsid sysfs_dt_firmware_android:dir { open getattr read search ioctl lock watch watch_reads };
allow gsid sysfs_dt_firmware_android:file { getattr open read ioctl lock map watch watch_reads };
# Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
allow gsid block_device:dir { open getattr read search ioctl lock watch watch_reads };
# Allow querying the size of super_block_device_type.
allow gsid super_block_device_type:blk_file { getattr open read ioctl lock map watch watch_reads };
# liblp queries these block alignment properties.
# NOTE(review): presumably BLKIOMIN and BLKALIGNOFF -- confirm against <linux/fs.h>.
allowxperm gsid { userdata_block_device sdcard_block_device super_block_device_type }:blk_file ioctl { 0x00001278 0x0000127a };
# When installing images to an sdcard, gsid needs to be able to stat() the
# block device. gsid also calls realpath() to remove symlinks.
allow gsid mnt_media_rw_file:dir { open getattr read search ioctl lock watch watch_reads };
allow gsid mnt_media_rw_stub_file:dir { open getattr read search ioctl lock watch watch_reads };
# When installing images to an sdcard, gsid must bypass sdcardfs and install
# directly to vfat, which supports the FIBMAP ioctl.
allow gsid vfat:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow gsid vfat:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow gsid sdcard_block_device:blk_file { getattr open read ioctl lock map watch watch_reads };
# This is needed for FIBMAP unfortunately. Oddly FIEMAP does not carry this
# requirement, but the kernel does not implement FIEMAP support for VFAT.
allow gsid self:{ capability cap_userns } sys_rawio;
# Allow rules for gsi_tool.
#line 95
# Setting gsid_prop is limited to gsid, init, update_engine_common, recovery
# and fastbootd.
neverallow { domain -gsid -init -update_engine_common -recovery -fastbootd } gsid_prop:property_service set;
# gsid needs to store images on /data, but cannot use file I/O. If it did, the
# underlying blocks would be encrypted, and we couldn't mount the GSI image in
# first-stage init. So instead of directly writing to /data, we:
#
# 1. fallocate a file large enough to hold the signed GSI
# 2. extract its block layout with FIEMAP
# 3. create a dm-linear device using the FIEMAP, targeting /dev/block/by-name/userdata
# 4. write system_gsi into that dm device
#
# To make this process work, we need to unwrap the device-mapper stacking for
# userdata to reach the underlying block device. To verify the result we use
# stat(), which requires read access.
allow gsid userdata_block_device:blk_file { getattr open read ioctl lock map watch watch_reads };
# gsid uses /metadata/gsi to communicate GSI boot information to first-stage
# init. It cannot use userdata since data cannot be decrypted during this
# stage.
#
# gsid uses /metadata/gsi to store three files:
#   install_status - A short string indicating whether a GSI image is bootable.
#   lp_metadata    - LpMetadata blob describing the block ranges on userdata
#                    where system_gsi resides.
#   booted         - An empty file that, if exists, indicates that a GSI is
#                    currently running.
#
allow gsid metadata_file:dir { search getattr };
allow gsid { gsi_metadata_file_type }:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow gsid { ota_metadata_file }:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow gsid { gsi_metadata_file_type ota_metadata_file }:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow restorecon to fix context of gsi_public_metadata_file.
allow gsid file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
allow gsid gsi_metadata_file:file relabelfrom;
allow gsid gsi_public_metadata_file:file relabelto;
allow gsid { gsi_data_file ota_image_data_file }:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow gsid { gsi_data_file ota_image_data_file }:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# NOTE(review): these look like FS_IOC_FIEMAP and (64-bit encoding)
# FS_IOC_GETFLAGS -- confirm against <linux/fs.h>.
allowxperm gsid { gsi_data_file ota_image_data_file }:file ioctl { 0xc020660b 0x80086601 };
# One-way binder call into system_server; no transfer or fd use is granted here.
allow gsid system_server:binder call;
# Prevent most processes from writing to gsi_metadata_file_type, but allow
# adding rules for path resolution of gsi_public_metadata_file and reading
# gsi_public_metadata_file.
# Net effect of the three rules below: only init, gsid and fastbootd may modify
# gsi_metadata_file_type directories; every other domain gets at most read-only
# access to gsi_public_metadata_file and nothing on the remaining files.
neverallow { domain -init -gsid -fastbootd } gsi_metadata_file_type:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
neverallow { domain -init -gsid -fastbootd } { gsi_metadata_file_type -gsi_public_metadata_file }:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } *;
neverallow { domain -init -gsid -fastbootd } gsi_public_metadata_file:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } ~{ { getattr open read ioctl lock map watch watch_reads } };
# Prevent apps from accessing gsi_metadata_file_type.
neverallow { appdomain -shell } gsi_metadata_file_type:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } *;
# gsi_data_file is reachable only by gsid; init is limited to relabelto/getattr
# on its files and no other domain may touch it at all.
neverallow { domain -init -gsid } gsi_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } *;
neverallow { domain -gsid } gsi_data_file:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } ~{ relabelto getattr };
#line 1 "system/sepolicy/private/hal_allocator_default.te"
type hal_allocator_default, domain, coredomain;
# Presumably the hal_server_domain() expansion for hal_allocator.
#line 2
typeattribute hal_allocator_default halserverdomain;
#line 2
typeattribute hal_allocator_default hal_allocator_server;
#line 2
typeattribute hal_allocator_default hal_allocator;
#line 2
type hal_allocator_default_exec, system_file_type, exec_type, file_type;
# Looks like the init_daemon_domain() expansion: init execs the binary and
# automatically transitions into the hal_allocator_default domain.
#line 5
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init hal_allocator_default_exec:file { getattr open read execute map };
#line 5
allow init hal_allocator_default:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow hal_allocator_default hal_allocator_default_exec:file { entrypoint open read execute getattr map };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init hal_allocator_default:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init hal_allocator_default:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition init hal_allocator_default_exec:process hal_allocator_default;
#line 5
#line 5
# to force stop the service when it's not supported
# Presumably the set_prop() expansion for hidl_memory_prop: connect to init's
# property socket and set the property. No neverallow restricting other
# setters of hidl_memory_prop appears in this expansion.
#line 8
#line 8
allow hal_allocator_default property_socket:sock_file write;
#line 8
allow hal_allocator_default init:unix_stream_socket connectto;
#line 8
#line 8
allow hal_allocator_default hidl_memory_prop:property_service set;
#line 8
#line 8
allow hal_allocator_default hidl_memory_prop:file { getattr open read map };
#line 8
#line 8
# hal_lazy_test.te appears to expand to nothing on this build.
#line 3 "system/sepolicy/private/hal_lazy_test.te"
#line 1 "system/sepolicy/private/halclientdomain.te"
###
### Rules for all domains which are clients of a HAL
###
# Find out whether a HAL in passthrough/in-process mode or
# binderized/out-of-process mode
# Presumably the hwbinder_use() expansion: every HAL client can call
# hwservicemanager and be called back by it; hwservicemanager may in turn
# read the client's process entries (getpidcon) and getattr its process.
#line 7
# Call the hwservicemanager and transfer references to it.
#line 7
allow halclientdomain hwservicemanager:binder { call transfer };
#line 7
# Allow hwservicemanager to send out callbacks
#line 7
allow hwservicemanager halclientdomain:binder { call transfer };
#line 7
# hwservicemanager performs getpidcon on clients.
#line 7
allow hwservicemanager halclientdomain:dir search;
#line 7
allow hwservicemanager halclientdomain:file { read open map };
#line 7
allow hwservicemanager halclientdomain:process getattr;
#line 7
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 7
# all domains in domain.te.
#line 7
# Used to wait for hwservicemanager
#line 10
allow halclientdomain hwservicemanager_prop:file { getattr open read map };
#line 10
# Wait for HAL server to be up (used by getService)
allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
#line 1 "system/sepolicy/private/halserverdomain.te"
###
### Rules for all domains which offer a HAL service over HwBinder
###
# Register the HAL service with hwservicemanager
# Same hwservicemanager client rules as halclientdomain, applied to every
# HAL server domain (presumably the hwbinder_use() expansion).
#line 6
# Call the hwservicemanager and transfer references to it.
#line 6
allow halserverdomain hwservicemanager:binder { call transfer };
#line 6
# Allow hwservicemanager to send out callbacks
#line 6
allow hwservicemanager halserverdomain:binder { call transfer };
#line 6
# hwservicemanager performs getpidcon on clients.
#line 6
allow hwservicemanager halserverdomain:dir search;
#line 6
allow hwservicemanager halserverdomain:file { read open map };
#line 6
allow hwservicemanager halserverdomain:process getattr;
#line 6
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6
# Find HAL implementations
# Read-only directory access to system_file; no file read is granted here.
allow halserverdomain system_file:dir { open getattr read search ioctl lock watch watch_reads };
# Used to wait for hwservicemanager
#line 12
allow halserverdomain hwservicemanager_prop:file { getattr open read map };
#line 12
#line 1 "system/sepolicy/private/healthd.te"
# Only the coredomain attribute is assigned here; the rest of healthd's
# policy is not in this file.
typeattribute healthd coredomain;
#line 1 "system/sepolicy/private/heapprofd.te"
# Android heap profiling daemon. go/heapprofd.
type heapprofd_exec, exec_type, file_type, system_file_type;
type heapprofd_tmpfs, file_type;
# Looks like the init_daemon_domain() expansion: init execs heapprofd_exec and
# automatically transitions into the heapprofd domain.
#line 5
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init heapprofd_exec:file { getattr open read execute map };
#line 5
allow init heapprofd:process transition;
#line 5
# New domain is entered by executing the file.
#line 5 allow heapprofd heapprofd_exec:file { entrypoint open read execute getattr map }; #line 5 # New domain can send SIGCHLD to its caller. #line 5 #line 5 # Enable AT_SECURE, i.e. libc secure mode. #line 5 dontaudit init heapprofd:process noatsecure; #line 5 # XXX dontaudit candidate but requires further study. #line 5 allow init heapprofd:process { siginh rlimitinh }; #line 5 #line 5 # Make the transition occur by default. #line 5 type_transition init heapprofd_exec:process heapprofd; #line 5 #line 5 #line 6 type_transition heapprofd tmpfs:file heapprofd_tmpfs; #line 6 allow heapprofd heapprofd_tmpfs:file { read write getattr map }; #line 6 # Allow apps in other MLS contexts (for multi-user) to access # shared memory buffers created by heapprofd. typeattribute heapprofd_tmpfs mlstrustedobject; #line 12 #line 12 allow heapprofd property_socket:sock_file write; #line 12 allow heapprofd init:unix_stream_socket connectto; #line 12 #line 12 allow heapprofd heapprofd_prop:property_service set; #line 12 #line 12 allow heapprofd heapprofd_prop:file { getattr open read map }; #line 12 #line 12 ; # Necessary for /proc/[pid]/cmdline access & sending signals. typeattribute heapprofd mlstrustedsubject; # Allow sending signals to processes. This excludes SIGKILL, SIGSTOP and # SIGCHLD, which are controlled by separate permissions. allow heapprofd self:capability kill; # When scanning /proc/[pid]/cmdline to find matching processes for by-name # profiling, only allowlisted domains will be allowed by SELinux. Avoid # spamming logs with denials for entries that we can not access. dontaudit heapprofd domain:dir { search open }; # Write trace data to the Perfetto traced daemon. This requires connecting to # its producer socket and obtaining a (per-process) tmpfs fd. 
#line 28 allow heapprofd traced:fd use; #line 28 allow heapprofd traced_tmpfs:file { read write getattr map }; #line 28 #line 28 allow heapprofd traced_producer_socket:sock_file write; #line 28 allow heapprofd traced:unix_stream_socket connectto; #line 28 #line 28 #line 28 # Also allow the service to use the producer file descriptors. This is #line 28 # necessary when the producer is creating the shared memory, as it will be #line 28 # passed to the service as a file descriptor (obtained from memfd_create). #line 28 allow traced heapprofd:fd use; #line 28 # When handling profiling for all processes, heapprofd needs to read # executables/libraries/etc to do stack unwinding. #line 32 allow heapprofd nativetest_data_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 32 allow heapprofd nativetest_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 32 #line 33 allow heapprofd system_file_type:dir { open getattr read search ioctl lock watch watch_reads }; #line 33 allow heapprofd system_file_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 33 #line 34 allow heapprofd apk_data_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 34 allow heapprofd apk_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 34 #line 35 allow heapprofd dalvikcache_data_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 35 allow heapprofd dalvikcache_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 35 #line 36 allow heapprofd vendor_file_type:dir { open getattr read search ioctl lock watch watch_reads }; #line 36 allow heapprofd vendor_file_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 36 #line 37 allow heapprofd shell_test_data_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 37 allow heapprofd 
shell_test_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 37 # ART apex files and directory access to the containing /data/misc/apexdata. #line 39 allow heapprofd apex_art_data_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 39 allow heapprofd apex_art_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 39 allow heapprofd apex_module_data_file:dir { getattr search }; # Some dex files are not world-readable. # We are still constrained by the SELinux rules above. allow heapprofd self:{ capability cap_userns } dac_read_search; # For checking profileability. allow heapprofd packages_list_file:file { getattr open read ioctl lock map watch watch_reads }; # Never allow profiling privileged or otherwise incompatible domains. # Corresponding allow-rule is in private/domain.te. #line 51 neverallow heapprofd { #line 51 apexd #line 51 app_zygote #line 51 bpfloader #line 51 hal_configstore_server #line 51 init #line 51 kernel #line 51 keystore #line 51 llkd #line 51 logd #line 51 logpersist #line 51 recovery #line 51 recovery_persist #line 51 recovery_refresh #line 51 ueventd #line 51 vendor_init #line 51 vold #line 51 webview_zygote #line 51 zygote #line 51 }:file read; #line 51 neverallow heapprofd { #line 51 apexd #line 51 app_zygote #line 51 bpfloader #line 51 hal_configstore_server #line 51 init #line 51 kernel #line 51 keystore #line 51 llkd #line 51 logd #line 51 logpersist #line 51 recovery #line 51 recovery_persist #line 51 recovery_refresh #line 51 ueventd #line 51 vendor_init #line 51 vold #line 51 webview_zygote #line 51 zygote #line 51 }:process signal; #line 70 # BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 72 #line 72 neverallow heapprofd vendor_file_type:file { append create link unlink relabelfrom rename setattr write }; #line 72 neverallow heapprofd { vendor_file_type -vndk_sp_file }:file { execute execute_no_trans }; #line 72 
#line 72 # END_TREBLE_ONLY -- this marker is used by CTS -- do not modify #line 75 #line 1 "system/sepolicy/private/hidl_lazy_test_server.te" type hidl_lazy_test_server, domain; type hidl_lazy_test_server_exec, exec_type, file_type, system_file_type; #line 8 #line 1 "system/sepolicy/private/hwservice.te" type hal_lazy_test_hwservice, hwservice_manager_type, protected_hwservice; #line 1 "system/sepolicy/private/hwservicemanager.te" typeattribute hwservicemanager coredomain; #line 3 #line 3 # Allow the necessary permissions. #line 3 #line 3 # Old domain may exec the file and transition to the new domain. #line 3 allow init hwservicemanager_exec:file { getattr open read execute map }; #line 3 allow init hwservicemanager:process transition; #line 3 # New domain is entered by executing the file. #line 3 allow hwservicemanager hwservicemanager_exec:file { entrypoint open read execute getattr map }; #line 3 # New domain can send SIGCHLD to its caller. #line 3 #line 3 # Enable AT_SECURE, i.e. libc secure mode. #line 3 dontaudit init hwservicemanager:process noatsecure; #line 3 # XXX dontaudit candidate but requires further study. #line 3 allow init hwservicemanager:process { siginh rlimitinh }; #line 3 #line 3 # Make the transition occur by default. 
#line 3 type_transition init hwservicemanager_exec:process hwservicemanager; #line 3 #line 3 #line 5 allow hwservicemanager hidl_manager_hwservice:hwservice_manager { add find }; #line 5 allow hwservicemanager hidl_base_hwservice:hwservice_manager add; #line 5 neverallow { domain -hwservicemanager } hidl_manager_hwservice:hwservice_manager add; #line 5 #line 6 allow hwservicemanager hidl_token_hwservice:hwservice_manager { add find }; #line 6 allow hwservicemanager hidl_base_hwservice:hwservice_manager add; #line 6 neverallow { domain -hwservicemanager } hidl_token_hwservice:hwservice_manager add; #line 6 #line 8 #line 8 allow hwservicemanager property_socket:sock_file write; #line 8 allow hwservicemanager init:unix_stream_socket connectto; #line 8 #line 8 allow hwservicemanager ctl_interface_start_prop:property_service set; #line 8 #line 8 allow hwservicemanager ctl_interface_start_prop:file { getattr open read map }; #line 8 #line 8 #line 9 #line 9 allow hwservicemanager property_socket:sock_file write; #line 9 allow hwservicemanager init:unix_stream_socket connectto; #line 9 #line 9 allow hwservicemanager hwservicemanager_prop:property_service set; #line 9 #line 9 allow hwservicemanager hwservicemanager_prop:file { getattr open read map }; #line 9 #line 9 # hwservicemanager is using bootstrap bionic #line 12 allow hwservicemanager system_bootstrap_lib_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 12 allow hwservicemanager system_bootstrap_lib_file:file { execute read open getattr map }; #line 12 # hwservicemanager is using apex_info via libvintf #line 15 allow hwservicemanager apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads }; #line 15 allow hwservicemanager apex_info_file:file { getattr open read ioctl lock map watch watch_reads }; #line 15 #line 15 allow hwservicemanager vendor_apex_metadata_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 15 allow hwservicemanager 
vendor_apex_metadata_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 15 #line 15 #line 1 "system/sepolicy/private/idmap.te" typeattribute idmap coredomain; #line 3 #line 3 # Allow the necessary permissions. #line 3 #line 3 # Old domain may exec the file and transition to the new domain. #line 3 allow init idmap_exec:file { getattr open read execute map }; #line 3 allow init idmap:process transition; #line 3 # New domain is entered by executing the file. #line 3 allow idmap idmap_exec:file { entrypoint open read execute getattr map }; #line 3 # New domain can send SIGCHLD to its caller. #line 3 #line 3 # Enable AT_SECURE, i.e. libc secure mode. #line 3 dontaudit init idmap:process noatsecure; #line 3 # XXX dontaudit candidate but requires further study. #line 3 allow init idmap:process { siginh rlimitinh }; #line 3 #line 3 # Make the transition occur by default. #line 3 type_transition init idmap_exec:process idmap; #line 3 #line 3 #line 1 "system/sepolicy/private/incident.te" typeattribute incident coredomain; type incident_exec, system_file_type, exec_type, file_type; # switch to incident domain for incident command #line 6 # Allow the necessary permissions. #line 6 #line 6 # Old domain may exec the file and transition to the new domain. #line 6 allow shell incident_exec:file { getattr open read execute map }; #line 6 allow shell incident:process transition; #line 6 # New domain is entered by executing the file. #line 6 allow incident incident_exec:file { entrypoint open read execute getattr map }; #line 6 # New domain can send SIGCHLD to its caller. #line 6 allow incident shell:process sigchld; #line 6 # Enable AT_SECURE, i.e. libc secure mode. #line 6 dontaudit shell incident:process noatsecure; #line 6 # XXX dontaudit candidate but requires further study. #line 6 allow shell incident:process { siginh rlimitinh }; #line 6 #line 6 # Make the transition occur by default. 
#line 6
type_transition shell incident_exec:process incident;
#line 6
#line 7
# Allow the necessary permissions.
#line 7
#line 7
# Old domain may exec the file and transition to the new domain.
# (Expanded transition block: dumpstate may execute incident_exec and the
# resulting process lands in the incident domain; that domain is only
# entered through this executable - see the entrypoint rule below.)
#line 7
allow dumpstate incident_exec:file { getattr open read execute map };
#line 7
allow dumpstate incident:process transition;
#line 7
# New domain is entered by executing the file.
#line 7
allow incident incident_exec:file { entrypoint open read execute getattr map };
#line 7
# New domain can send SIGCHLD to its caller.
#line 7
allow incident dumpstate:process sigchld;
#line 7
# Enable AT_SECURE, i.e. libc secure mode.
#line 7
dontaudit dumpstate incident:process noatsecure;
#line 7
# XXX dontaudit candidate but requires further study.
#line 7
allow dumpstate incident:process { siginh rlimitinh };
#line 7
#line 7
# Make the transition occur by default.
#line 7
type_transition dumpstate incident_exec:process incident;
#line 7
# allow incident access to stdout from its parent shell.
allow incident shell:fd use;
# allow incident to communicate with dumpstate, and write incident report to
# /data/data/com.android.shell/files/bugreports/tmp_incident_report
allow incident dumpstate:fd use;
allow incident dumpstate:unix_stream_socket { read write };
# NOTE(review): `write` only - no open/create/getattr - so incident can only
# write through a shell_data_file descriptor it already holds (handed over via
# the fd-use rules above); it cannot open the report path on its own.
allow incident shell_data_file:file write;
# allow incident be able to output data for CTS to fetch.
allow incident devpts:chr_file { read write };
# allow incident to communicate use, read and write over the adb
# connection.
allow incident adbd:fd use;
allow incident adbd:unix_stream_socket { read write };
# allow adbd to reap incident
allow incident adbd:process { sigchld };
# Allow the incident command to talk to the incidentd over the binder, and get
# back the incident report data from a ParcelFileDescriptor.
#line 31
# Call the servicemanager and transfer references to it.
#line 31 allow incident servicemanager:binder { call transfer }; #line 31 # Allow servicemanager to send out callbacks #line 31 allow servicemanager incident:binder { call transfer }; #line 31 # servicemanager performs getpidcon on clients. #line 31 allow servicemanager incident:dir search; #line 31 allow servicemanager incident:file { read open }; #line 31 allow servicemanager incident:process getattr; #line 31 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 31 # all domains in domain.te. #line 31 allow incident incident_service:service_manager find; #line 33 # Call the server domain and optionally transfer references to it. #line 33 allow incident incidentd:binder { call transfer }; #line 33 # Allow the serverdomain to transfer references to the client on the reply. #line 33 allow incidentd incident:binder transfer; #line 33 # Receive and use open files from the server. #line 33 allow incident incidentd:fd use; #line 33 allow incident incidentd:fifo_file write; # only allow incident being called by shell or dumpstate neverallow { domain -su -shell -incident -dumpstate} incident_exec:file { execute execute_no_trans }; #line 1 "system/sepolicy/private/incident_helper.te" typeattribute incident_helper coredomain; type incident_helper_exec, system_file_type, exec_type, file_type; # switch to incident_helper domain for incident_helper command #line 6 # Allow the necessary permissions. #line 6 #line 6 # Old domain may exec the file and transition to the new domain. #line 6 allow incidentd incident_helper_exec:file { getattr open read execute map }; #line 6 allow incidentd incident_helper:process transition; #line 6 # New domain is entered by executing the file. #line 6 allow incident_helper incident_helper_exec:file { entrypoint open read execute getattr map }; #line 6 # New domain can send SIGCHLD to its caller. #line 6 allow incident_helper incidentd:process sigchld; #line 6 # Enable AT_SECURE, i.e. libc secure mode. 
#line 6 dontaudit incidentd incident_helper:process noatsecure; #line 6 # XXX dontaudit candidate but requires further study. #line 6 allow incidentd incident_helper:process { siginh rlimitinh }; #line 6 #line 6 # Make the transition occur by default. #line 6 type_transition incidentd incident_helper_exec:process incident_helper; #line 6 # use pipe to transmit data from/to incidentd/incident_helper for parsing allow incident_helper { shell incident incidentd dumpstate }:fd use; allow incident_helper { shell incident incidentd dumpstate }:fifo_file { getattr read write }; allow incident_helper incidentd:unix_stream_socket { read write }; # only allow incidentd and shell to call incident_helper neverallow { domain -incidentd -incident_helper -shell } incident_helper_exec:file { execute execute_no_trans }; #line 1 "system/sepolicy/private/incidentd.te" typeattribute incidentd coredomain; typeattribute incidentd mlstrustedsubject; #line 4 #line 4 # Allow the necessary permissions. #line 4 #line 4 # Old domain may exec the file and transition to the new domain. #line 4 allow init incidentd_exec:file { getattr open read execute map }; #line 4 allow init incidentd:process transition; #line 4 # New domain is entered by executing the file. #line 4 allow incidentd incidentd_exec:file { entrypoint open read execute getattr map }; #line 4 # New domain can send SIGCHLD to its caller. #line 4 #line 4 # Enable AT_SECURE, i.e. libc secure mode. #line 4 dontaudit init incidentd:process noatsecure; #line 4 # XXX dontaudit candidate but requires further study. #line 4 allow init incidentd:process { siginh rlimitinh }; #line 4 #line 4 # Make the transition occur by default. #line 4 type_transition init incidentd_exec:process incidentd; #line 4 #line 4 type incidentd_exec, system_file_type, exec_type, file_type; #line 6 # Call the servicemanager and transfer references to it. 
#line 6 allow incidentd servicemanager:binder { call transfer }; #line 6 # Allow servicemanager to send out callbacks #line 6 allow servicemanager incidentd:binder { call transfer }; #line 6 # servicemanager performs getpidcon on clients. #line 6 allow servicemanager incidentd:dir search; #line 6 allow servicemanager incidentd:file { read open }; #line 6 allow servicemanager incidentd:process getattr; #line 6 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 6 # all domains in domain.te. #line 6 #line 7 # TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is #line 7 # deprecated. #line 7 # Access /sys/power/wake_lock and /sys/power/wake_unlock #line 7 allow incidentd sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; #line 7 # Accessing these files requires CAP_BLOCK_SUSPEND #line 7 allow incidentd self:{ capability2 cap2_userns } block_suspend; #line 7 # system_suspend permissions #line 7 #line 7 # Call the server domain and optionally transfer references to it. #line 7 allow incidentd system_suspend_server:binder { call transfer }; #line 7 # Allow the serverdomain to transfer references to the client on the reply. #line 7 allow system_suspend_server incidentd:binder transfer; #line 7 # Receive and use open files from the server. #line 7 allow incidentd system_suspend_server:fd use; #line 7 #line 7 allow incidentd system_suspend_hwservice:hwservice_manager find; #line 7 # halclientdomain permissions #line 7 #line 7 # Call the hwservicemanager and transfer references to it. #line 7 allow incidentd hwservicemanager:binder { call transfer }; #line 7 # Allow hwservicemanager to send out callbacks #line 7 allow hwservicemanager incidentd:binder { call transfer }; #line 7 # hwservicemanager performs getpidcon on clients. 
#line 7 allow hwservicemanager incidentd:dir search; #line 7 allow hwservicemanager incidentd:file { read open map }; #line 7 allow hwservicemanager incidentd:process getattr; #line 7 # rw access to /dev/hwbinder and /dev/ashmem is presently granted to #line 7 # all domains in domain.te. #line 7 #line 7 #line 7 allow incidentd hwservicemanager_prop:file { getattr open read map }; #line 7 #line 7 allow incidentd hidl_manager_hwservice:hwservice_manager find; #line 7 # AIDL suspend hal permissions #line 7 allow incidentd hal_system_suspend_service:service_manager find; #line 7 #line 7 # Call the servicemanager and transfer references to it. #line 7 allow incidentd servicemanager:binder { call transfer }; #line 7 # Allow servicemanager to send out callbacks #line 7 allow servicemanager incidentd:binder { call transfer }; #line 7 # servicemanager performs getpidcon on clients. #line 7 allow servicemanager incidentd:dir search; #line 7 allow servicemanager incidentd:file { read open }; #line 7 allow servicemanager incidentd:process getattr; #line 7 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 7 # all domains in domain.te. 
#line 7
#line 7
# Allow incidentd to scan through /proc/pid for all processes
# NOTE(review): this is wider than a directory scan - it grants read on every
# dir, file and symlink carrying *any* domain label (in practice the
# /proc/<pid>/ entries the comment refers to, for every process). Presumably
# the kernel's own per-entry /proc access checks still apply on top; confirm
# which entries incidentd actually needs before widening this further.
#line 10
allow incidentd domain:dir { open getattr read search ioctl lock watch watch_reads };
#line 10
allow incidentd domain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 10
# Allow incidentd to kill incident_helper when timeout
allow incidentd incident_helper:process sigkill;
# Allow executing files on system, such as:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
# execute_no_trans: these helpers run inside the incidentd domain with all of
# incidentd's permissions; no domain transition takes place.
allow incidentd system_file:file execute_no_trans;
allow incidentd toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# section id 1002, allow reading kernel version /proc/version
allow incidentd proc_version:file { getattr open read ioctl lock map watch watch_reads };
# section id 1116, allow accessing statsd socket
#line 26
allow incidentd statsdw_socket:sock_file write;
#line 26
allow incidentd statsd:unix_dgram_socket sendto;
#line 26
# section id 2001, allow reading /proc/pagetypeinfo
allow incidentd proc_pagetypeinfo:file { getattr open read ioctl lock map watch watch_reads };
# section id 2002, allow reading /d/wakeup_sources
# NOTE(review): the bare `;` below is the residue of a macro that expanded to
# nothing in this build, so the access described by the comment above is not
# granted here (the same applies to the two under "section id 2007").
;
# section id 2003, allow executing top
allow incidentd proc_meminfo:file { open read };
# section id 2004, allow reading /sys/devices/system/cpu/cpufreq/all_time_in_state
allow incidentd sysfs_devices_system_cpu:file { getattr open read ioctl lock map watch watch_reads };
# section id 2005, allow reading ps dump in full
allow incidentd domain:process getattr;
# section id 2006, allow reading /sys/class/power_supply/bms/battery_type
allow incidentd sysfs_batteryinfo:dir { search };
allow incidentd sysfs_batteryinfo:file { getattr open read ioctl lock map watch watch_reads };
# section id 2007, allow reading LAST_KMSG /sys/fs/pstore/console-ramoops
;
;
# section id 3023, allow obtaining stats report
allow incidentd stats_service:service_manager find;
#line 53
# Call the server domain and optionally transfer references to it.
#line 53
allow incidentd statsd:binder { call transfer };
#line 53
# Allow the serverdomain to transfer references to the client on the reply.
#line 53
allow statsd incidentd:binder transfer;
#line 53
# Receive and use open files from the server.
#line 53
allow incidentd statsd:fd use;
#line 53
# section id 3026, allow reading /data/misc/perfetto-traces.
allow incidentd perfetto_traces_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow incidentd perfetto_traces_data_file:file { getattr open read ioctl lock map watch watch_reads };
# section id 3052, allow accessing nfc_service
allow incidentd nfc_service:service_manager find;
# Create and write into /data/misc/incidents
allow incidentd incident_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow incidentd incident_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Enable incidentd to get stack traces.
#line 67
# Call the servicemanager and transfer references to it.
#line 67
allow incidentd servicemanager:binder { call transfer };
#line 67
# Allow servicemanager to send out callbacks
#line 67
allow servicemanager incidentd:binder { call transfer };
#line 67
# servicemanager performs getpidcon on clients.
#line 67
allow servicemanager incidentd:dir search;
#line 67
allow servicemanager incidentd:file { read open };
#line 67
allow servicemanager incidentd:process getattr;
#line 67
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 67
# all domains in domain.te.
#line 67
#line 68
# Call the hwservicemanager and transfer references to it.
#line 68 allow incidentd hwservicemanager:binder { call transfer }; #line 68 # Allow hwservicemanager to send out callbacks #line 68 allow hwservicemanager incidentd:binder { call transfer }; #line 68 # hwservicemanager performs getpidcon on clients. #line 68 allow hwservicemanager incidentd:dir search; #line 68 allow hwservicemanager incidentd:file { read open map }; #line 68 allow hwservicemanager incidentd:process getattr; #line 68 # rw access to /dev/hwbinder and /dev/ashmem is presently granted to #line 68 # all domains in domain.te. #line 68 allow incidentd hwservicemanager:hwservice_manager { list }; #line 70 allow incidentd hwservicemanager_prop:file { getattr open read map }; #line 70 allow incidentd hidl_manager_hwservice:hwservice_manager { find }; # Read files in /proc allow incidentd { proc_cmdline proc_pid_max proc_pipe_conf proc_stat }:file { getattr open read ioctl lock map watch watch_reads }; # Signal java processes to dump their stack and get the results allow incidentd { appdomain ephemeral_app system_server }:process signal; # Signal native processes to dump their stack. # This list comes from native_processes_to_dump in incidentd/utils.c allow incidentd { # This list comes from native_processes_to_dump in dumputils/dump_utils.cpp audioserver cameraserver drmserver inputflinger mediadrmserver mediaextractor mediametrics mediaserver sdcardd statsd surfaceflinger # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.cpp hal_audio_server hal_bluetooth_server hal_camera_server hal_codec2_server hal_face_server hal_graphics_allocator_server hal_graphics_composer_server hal_health_server hal_omx_server hal_sensors_server hal_vr_server }:process signal; # Allow incidentd to make binder calls to any binder service #line 115 # Call the server domain and optionally transfer references to it. 
#line 115
allow incidentd system_server:binder { call transfer };
#line 115
# Allow the serverdomain to transfer references to the client on the reply.
#line 115
allow system_server incidentd:binder transfer;
#line 115
# Receive and use open files from the server.
#line 115
allow incidentd system_server:fd use;
#line 115
#line 116
# Call the server domain and optionally transfer references to it.
# NOTE(review): this pairs incidentd with *every* app domain as a binder
# server. The reverse rule below is `transfer` only (no `call`), so apps cannot
# invoke incidentd through this block; they can only hand references back on
# the reply path.
#line 116
allow incidentd appdomain:binder { call transfer };
#line 116
# Allow the serverdomain to transfer references to the client on the reply.
#line 116
allow appdomain incidentd:binder transfer;
#line 116
# Receive and use open files from the server.
#line 116
allow incidentd appdomain:fd use;
#line 116
# Reading /proc/PID/maps of other processes
# NOTE(review): the statement under this comment expanded to an empty `;` in
# this build, so no sys_ptrace grant is visible here. The comment below asserts
# incidentd holds that capability; confirm against the unexpanded .te whether
# the grant is gated on a build variant.
;
# incidentd has capability sys_ptrace, but should only use that capability for
# accessing sensitive /proc/PID files, never for using ptrace attach.
# neverallow is a compile-time assertion: any rule anywhere in the policy that
# grants ptrace to incidentd fails the policy build.
neverallow incidentd *:process ptrace;
# CAP_KILL alone does not pick targets - which domains incidentd may signal is
# still bounded by the per-target process:signal rules above.
allow incidentd self:{ capability cap_userns } {
    # Send signals to processes
    kill
};
# Connect to tombstoned to intercept dumps.
#line 130
allow incidentd tombstoned_intercept_socket:sock_file write;
#line 130
allow incidentd tombstoned:unix_stream_socket connectto;
#line 130
# Run a shell.
# execute_no_trans: sh and app_process below run inside the incidentd domain
# with incidentd's full permission set; no domain transition takes place.
allow incidentd shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# For running am, incident-helper-cmd and similar framework commands.
# Run /system/bin/app_process.
allow incidentd zygote_exec:file { { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } } };
# Access the runtime feature flag properties.
#line 139
allow incidentd device_config_runtime_native_prop:file { getattr open read map };
#line 139
#line 140
allow incidentd device_config_runtime_native_boot_prop:file { getattr open read map };
#line 140
# Access odsign verification status.
#line 142 allow incidentd odsign_prop:file { getattr open read map }; #line 142 # ART locks profile files. allow incidentd system_file:file lock; # Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected. dontaudit incidentd dalvikcache_data_file:dir { open getattr read search ioctl lock watch watch_reads }; dontaudit incidentd apex_module_data_file:dir { open getattr read search ioctl lock watch watch_reads }; dontaudit incidentd apex_art_data_file:dir { open getattr read search ioctl lock watch watch_reads }; dontaudit incidentd tmpfs:file { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } { getattr execute execute_no_trans map } }; # Allow incidentd to read /apex/apex-info-list.xml allow incidentd apex_info_file:file { getattr open read ioctl lock map watch watch_reads }; # logd access - work to be done is a PII safe log (possibly an event log?) # TODO control_logd(incidentd) # Access /data/misc/logd #line 159 allow incidentd misc_logd_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 159 allow incidentd misc_logd_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 159 # Allow incidentd to find these standard groups of services. # Others can be allowlisted individually. allow incidentd { system_server_service app_api_service system_api_service -tracingproxy_service }:service_manager find; # Only incidentd can publish the binder service #line 171 allow incidentd incident_service:service_manager { add find }; #line 171 neverallow { domain -incidentd } incident_service:service_manager add; #line 171 #line 171 # On debug builds with root, allow binder services to use binder over TCP. #line 171 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. 
#line 171 #line 171 # Allow pipes only from dumpstate and incident allow incidentd { dumpstate incident }:fd use; allow incidentd { dumpstate incident }:fifo_file write; # Allow incident to call back to incident with status updates. #line 178 # Call the server domain and optionally transfer references to it. #line 178 allow incidentd incident:binder { call transfer }; #line 178 # Allow the serverdomain to transfer references to the client on the reply. #line 178 allow incident incidentd:binder transfer; #line 178 # Receive and use open files from the server. #line 178 allow incidentd incident:fd use; #line 178 # Read device serial number from system properties # This is used to track reports from lab testing devices #line 184 # Read ro.boot.bootreason, persist.sys.boot.bootreason # This is used to track reports from lab testing devices #line 192 # Allow incident to read the build properties for attestation feature #line 195 allow incidentd build_attestation_prop:file { getattr open read map }; #line 195 ; ### ### neverallow rules ### # only incidentd and the other root services in limited circumstances # can get to the files in /data/misc/incidents # # write, execute, append are forbidden almost everywhere neverallow { domain -incidentd -init -vold } incident_data_file:file { { open append write lock map } { getattr execute execute_no_trans map } create rename setattr unlink append }; # read is also allowed by system_server, for when the file is handed to dropbox neverallow { domain -incidentd -init -vold -system_server } incident_data_file:file { getattr open read ioctl lock map watch watch_reads }; # limited access to the directory itself neverallow { domain -incidentd -init -vold } incident_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; #line 1 "system/sepolicy/private/init.te" typeattribute init coredomain; #line 3 type_transition init 
tmpfs:file init_tmpfs; #line 3 allow init init_tmpfs:file { read write getattr map }; #line 3 # Transitions to seclabel processes in init.rc #line 6 # Old domain may exec the file and transition to the new domain. #line 6 allow init rootfs:file { getattr open read execute map }; #line 6 allow init slideshow:process transition; #line 6 # New domain is entered by executing the file. #line 6 allow slideshow rootfs:file { entrypoint open read execute getattr map }; #line 6 # New domain can send SIGCHLD to its caller. #line 6 #line 6 # Enable AT_SECURE, i.e. libc secure mode. #line 6 dontaudit init slideshow:process noatsecure; #line 6 # XXX dontaudit candidate but requires further study. #line 6 allow init slideshow:process { siginh rlimitinh }; #line 6 #line 7 # Allow the necessary permissions. #line 7 #line 7 # Old domain may exec the file and transition to the new domain. #line 7 allow init charger_exec:file { getattr open read execute map }; #line 7 allow init charger:process transition; #line 7 # New domain is entered by executing the file. #line 7 allow charger charger_exec:file { entrypoint open read execute getattr map }; #line 7 # New domain can send SIGCHLD to its caller. #line 7 #line 7 # Enable AT_SECURE, i.e. libc secure mode. #line 7 dontaudit init charger:process noatsecure; #line 7 # XXX dontaudit candidate but requires further study. #line 7 allow init charger:process { siginh rlimitinh }; #line 7 #line 7 # Make the transition occur by default. #line 7 type_transition init charger_exec:process charger; #line 7 #line 8 # Allow the necessary permissions. #line 8 #line 8 # Old domain may exec the file and transition to the new domain. #line 8 allow init e2fs_exec:file { getattr open read execute map }; #line 8 allow init e2fs:process transition; #line 8 # New domain is entered by executing the file. #line 8 allow e2fs e2fs_exec:file { entrypoint open read execute getattr map }; #line 8 # New domain can send SIGCHLD to its caller. 
#line 8 #line 8 # Enable AT_SECURE, i.e. libc secure mode. #line 8 dontaudit init e2fs:process noatsecure; #line 8 # XXX dontaudit candidate but requires further study. #line 8 allow init e2fs:process { siginh rlimitinh }; #line 8 #line 8 # Make the transition occur by default. #line 8 type_transition init e2fs_exec:process e2fs; #line 8 #line 9 # Allow the necessary permissions. #line 9 #line 9 # Old domain may exec the file and transition to the new domain. #line 9 allow init bpfloader_exec:file { getattr open read execute map }; #line 9 allow init bpfloader:process transition; #line 9 # New domain is entered by executing the file. #line 9 allow bpfloader bpfloader_exec:file { entrypoint open read execute getattr map }; #line 9 # New domain can send SIGCHLD to its caller. #line 9 #line 9 # Enable AT_SECURE, i.e. libc secure mode. #line 9 dontaudit init bpfloader:process noatsecure; #line 9 # XXX dontaudit candidate but requires further study. #line 9 allow init bpfloader:process { siginh rlimitinh }; #line 9 #line 9 # Make the transition occur by default. #line 9 type_transition init bpfloader_exec:process bpfloader; #line 9 #line 23 #line 24 # Old domain may exec the file and transition to the new domain. #line 24 allow init shell_exec:file { getattr open read execute map }; #line 24 allow init shell:process transition; #line 24 # New domain is entered by executing the file. #line 24 allow shell shell_exec:file { entrypoint open read execute getattr map }; #line 24 # New domain can send SIGCHLD to its caller. #line 24 #line 24 # Enable AT_SECURE, i.e. libc secure mode. #line 24 dontaudit init shell:process noatsecure; #line 24 # XXX dontaudit candidate but requires further study. #line 24 allow init shell:process { siginh rlimitinh }; #line 24 #line 25 # Old domain may exec the file and transition to the new domain. 
#line 25 allow init init_exec:file { getattr open read execute map }; #line 25 allow init ueventd:process transition; #line 25 # New domain is entered by executing the file. #line 25 allow ueventd init_exec:file { entrypoint open read execute getattr map }; #line 25 # New domain can send SIGCHLD to its caller. #line 25 #line 25 # Enable AT_SECURE, i.e. libc secure mode. #line 25 dontaudit init ueventd:process noatsecure; #line 25 # XXX dontaudit candidate but requires further study. #line 25 allow init ueventd:process { siginh rlimitinh }; #line 25 #line 26 # Old domain may exec the file and transition to the new domain. #line 26 allow init init_exec:file { getattr open read execute map }; #line 26 allow init vendor_init:process transition; #line 26 # New domain is entered by executing the file. #line 26 allow vendor_init init_exec:file { entrypoint open read execute getattr map }; #line 26 # New domain can send SIGCHLD to its caller. #line 26 #line 26 # Enable AT_SECURE, i.e. libc secure mode. #line 26 dontaudit init vendor_init:process noatsecure; #line 26 # XXX dontaudit candidate but requires further study. #line 26 allow init vendor_init:process { siginh rlimitinh }; #line 26 #line 27 # Old domain may exec the file and transition to the new domain. #line 27 allow init { rootfs toolbox_exec }:file { getattr open read execute map }; #line 27 allow init modprobe:process transition; #line 27 # New domain is entered by executing the file. #line 27 allow modprobe { rootfs toolbox_exec }:file { entrypoint open read execute getattr map }; #line 27 # New domain can send SIGCHLD to its caller. #line 27 #line 27 # Enable AT_SECURE, i.e. libc secure mode. #line 27 dontaudit init modprobe:process noatsecure; #line 27 # XXX dontaudit candidate but requires further study. #line 27 allow init modprobe:process { siginh rlimitinh }; #line 27 #line 36 # Allow init to figure out the name of a dm-device from its /dev/block/dm-XX path.
# This is useful in case of remounting ext4 userdata into checkpointing mode, # since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto) # that userdata is mounted onto. allow init sysfs_dm:file read; # Allow init to modify the properties of loop devices. allow init sysfs_loop:dir { open getattr read search ioctl lock watch watch_reads }; allow init sysfs_loop:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # Allow init to examine the properties of block devices. allow init sysfs_type:file { getattr read }; # Allow init to get the attributes of block devices in /dev/block. allow init dev_type:dir { open getattr read search ioctl lock watch watch_reads }; allow init dev_type:blk_file getattr; # Allow init to write to the drop_caches file. allow init proc_drop_caches:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # Allow the BoringSSL self test to request a reboot upon failure #line 58 #line 58 allow init property_socket:sock_file write; #line 58 allow init init:unix_stream_socket connectto; #line 58 #line 58 allow init powerctl_prop:property_service set; #line 58 #line 58 allow init powerctl_prop:file { getattr open read map }; #line 58 #line 58 # Only init is allowed to set userspace reboot related properties. #line 61 #line 61 allow init property_socket:sock_file write; #line 61 allow init init:unix_stream_socket connectto; #line 61 #line 61 allow init userspace_reboot_exported_prop:property_service set; #line 61 #line 61 allow init userspace_reboot_exported_prop:file { getattr open read map }; #line 61 #line 61 neverallow { domain -init } userspace_reboot_exported_prop:property_service set; # Second-stage init performs a test for whether the kernel has SELinux hooks # for the perf_event_open() syscall. This is done by testing for the syscall # outcomes corresponding to this policy.
# TODO(b/137092007): this can be removed once the platform stops supporting # kernels that precede the perf_event_open hooks (Android common kernels 4.4 # and 4.9). allow init self:perf_event { open cpu }; allow init self:{ capability2 cap2_userns } perfmon; neverallow init self:perf_event { kernel tracepoint read write }; dontaudit init self:perf_event { kernel tracepoint read write }; # Allow init to communicate with snapuserd to transition Virtual A/B devices # from the first-stage daemon to the second-stage. allow init snapuserd_socket:sock_file write; allow init snapuserd:unix_stream_socket connectto; # Allow for libsnapshot's use of flock() on /metadata/ota. allow init ota_metadata_file:dir lock; # Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling # /dev/block. allow init vd_device:blk_file relabelto; # Only init is allowed to set the sysprop indicating whether perf_event_open() # SELinux hooks were detected. #line 88 #line 88 allow init property_socket:sock_file write; #line 88 allow init init:unix_stream_socket connectto; #line 88 #line 88 allow init init_perf_lsm_hooks_prop:property_service set; #line 88 #line 88 allow init init_perf_lsm_hooks_prop:file { getattr open read map }; #line 88 #line 88 neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set; # Only init can write vts.native_server.on #line 92 #line 92 allow init property_socket:sock_file write; #line 92 allow init init:unix_stream_socket connectto; #line 92 #line 92 allow init vts_status_prop:property_service set; #line 92 #line 92 allow init vts_status_prop:file { getattr open read map }; #line 92 #line 92 neverallow { domain -init } vts_status_prop:property_service set; # Only init can write normal ro.boot. 
properties neverallow { domain -init } bootloader_prop:property_service set; # Only init can write hal.instrumentation.enable neverallow { domain -init } hal_instrumentation_prop:property_service set; # Only init can write ro.property_service.version neverallow { domain -init } property_service_version_prop:property_service set; # Only init can set keystore.boot_level neverallow { domain -init } keystore_listen_prop:property_service set; # Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing. allow init debugfs_bootreceiver_tracing:file { open append write lock map }; # PRNG seeder daemon socket is created and listened on by init before forking. allow init prng_seeder:unix_stream_socket { create bind listen }; # Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will # attempt to write a non-existent 'synthetic_events' file when setting # up synthetic events. This is a no-op in tracefs. dontaudit init debugfs_tracing_debug:dir { write add_name }; # chown/chmod on devices. allow init { dev_type -hw_random_device -keychord_device -vm_manager_device_type -port_device }:chr_file setattr; #line 1 "system/sepolicy/private/inputflinger.te" typeattribute inputflinger coredomain; #line 3 #line 3 # Allow the necessary permissions. #line 3 #line 3 # Old domain may exec the file and transition to the new domain. #line 3 allow init inputflinger_exec:file { getattr open read execute map }; #line 3 allow init inputflinger:process transition; #line 3 # New domain is entered by executing the file. #line 3 allow inputflinger inputflinger_exec:file { entrypoint open read execute getattr map }; #line 3 # New domain can send SIGCHLD to its caller. #line 3 #line 3 # Enable AT_SECURE, i.e. libc secure mode. #line 3 dontaudit init inputflinger:process noatsecure; #line 3 # XXX dontaudit candidate but requires further study. #line 3 allow init inputflinger:process { siginh rlimitinh }; #line 3 #line 3 # Make the transition occur by default.
#line 3 type_transition init inputflinger_exec:process inputflinger; #line 3 #line 3 #line 1 "system/sepolicy/private/installd.te" typeattribute installd coredomain; #line 3 #line 3 # Allow the necessary permissions. #line 3 #line 3 # Old domain may exec the file and transition to the new domain. #line 3 allow init installd_exec:file { getattr open read execute map }; #line 3 allow init installd:process transition; #line 3 # New domain is entered by executing the file. #line 3 allow installd installd_exec:file { entrypoint open read execute getattr map }; #line 3 # New domain can send SIGCHLD to its caller. #line 3 #line 3 # Enable AT_SECURE, i.e. libc secure mode. #line 3 dontaudit init installd:process noatsecure; #line 3 # XXX dontaudit candidate but requires further study. #line 3 allow init installd:process { siginh rlimitinh }; #line 3 #line 3 # Make the transition occur by default. #line 3 type_transition init installd_exec:process installd; #line 3 #line 3 # Run migrate_legacy_obb_data.sh in its own sandbox. #line 6 # Allow the necessary permissions. #line 6 #line 6 # Old domain may exec the file and transition to the new domain. #line 6 allow installd migrate_legacy_obb_data_exec:file { getattr open read execute map }; #line 6 allow installd migrate_legacy_obb_data:process transition; #line 6 # New domain is entered by executing the file. #line 6 allow migrate_legacy_obb_data migrate_legacy_obb_data_exec:file { entrypoint open read execute getattr map }; #line 6 # New domain can send SIGCHLD to its caller. #line 6 allow migrate_legacy_obb_data installd:process sigchld; #line 6 # Enable AT_SECURE, i.e. libc secure mode. #line 6 dontaudit installd migrate_legacy_obb_data:process noatsecure; #line 6 # XXX dontaudit candidate but requires further study. #line 6 allow installd migrate_legacy_obb_data:process { siginh rlimitinh }; #line 6 #line 6 # Make the transition occur by default. 
#line 6 type_transition installd migrate_legacy_obb_data_exec:process migrate_legacy_obb_data; #line 6 allow installd shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } }; # Run dex2oat in its own sandbox. #line 10 # Allow the necessary permissions. #line 10 #line 10 # Old domain may exec the file and transition to the new domain. #line 10 allow installd dex2oat_exec:file { getattr open read execute map }; #line 10 allow installd dex2oat:process transition; #line 10 # New domain is entered by executing the file. #line 10 allow dex2oat dex2oat_exec:file { entrypoint open read execute getattr map }; #line 10 # New domain can send SIGCHLD to its caller. #line 10 allow dex2oat installd:process sigchld; #line 10 # Enable AT_SECURE, i.e. libc secure mode. #line 10 dontaudit installd dex2oat:process noatsecure; #line 10 # XXX dontaudit candidate but requires further study. #line 10 allow installd dex2oat:process { siginh rlimitinh }; #line 10 #line 10 # Make the transition occur by default. #line 10 type_transition installd dex2oat_exec:process dex2oat; #line 10 # Run dexoptanalyzer in its own sandbox. #line 13 # Allow the necessary permissions. #line 13 #line 13 # Old domain may exec the file and transition to the new domain. #line 13 allow installd dexoptanalyzer_exec:file { getattr open read execute map }; #line 13 allow installd dexoptanalyzer:process transition; #line 13 # New domain is entered by executing the file. #line 13 allow dexoptanalyzer dexoptanalyzer_exec:file { entrypoint open read execute getattr map }; #line 13 # New domain can send SIGCHLD to its caller. #line 13 allow dexoptanalyzer installd:process sigchld; #line 13 # Enable AT_SECURE, i.e. libc secure mode. #line 13 dontaudit installd dexoptanalyzer:process noatsecure; #line 13 # XXX dontaudit candidate but requires further study. 
#line 13 allow installd dexoptanalyzer:process { siginh rlimitinh }; #line 13 #line 13 # Make the transition occur by default. #line 13 type_transition installd dexoptanalyzer_exec:process dexoptanalyzer; #line 13 # Run viewcompiler in its own sandbox. #line 16 # Allow the necessary permissions. #line 16 #line 16 # Old domain may exec the file and transition to the new domain. #line 16 allow installd viewcompiler_exec:file { getattr open read execute map }; #line 16 allow installd viewcompiler:process transition; #line 16 # New domain is entered by executing the file. #line 16 allow viewcompiler viewcompiler_exec:file { entrypoint open read execute getattr map }; #line 16 # New domain can send SIGCHLD to its caller. #line 16 allow viewcompiler installd:process sigchld; #line 16 # Enable AT_SECURE, i.e. libc secure mode. #line 16 dontaudit installd viewcompiler:process noatsecure; #line 16 # XXX dontaudit candidate but requires further study. #line 16 allow installd viewcompiler:process { siginh rlimitinh }; #line 16 #line 16 # Make the transition occur by default. #line 16 type_transition installd viewcompiler_exec:process viewcompiler; #line 16 # Run profman in its own sandbox. #line 19 # Allow the necessary permissions. #line 19 #line 19 # Old domain may exec the file and transition to the new domain. #line 19 allow installd profman_exec:file { getattr open read execute map }; #line 19 allow installd profman:process transition; #line 19 # New domain is entered by executing the file. #line 19 allow profman profman_exec:file { entrypoint open read execute getattr map }; #line 19 # New domain can send SIGCHLD to its caller. #line 19 allow profman installd:process sigchld; #line 19 # Enable AT_SECURE, i.e. libc secure mode. #line 19 dontaudit installd profman:process noatsecure; #line 19 # XXX dontaudit candidate but requires further study. #line 19 allow installd profman:process { siginh rlimitinh }; #line 19 #line 19 # Make the transition occur by default. 
#line 19 type_transition installd profman_exec:process profman; #line 19 # Run idmap in its own sandbox. #line 22 # Allow the necessary permissions. #line 22 #line 22 # Old domain may exec the file and transition to the new domain. #line 22 allow installd idmap_exec:file { getattr open read execute map }; #line 22 allow installd idmap:process transition; #line 22 # New domain is entered by executing the file. #line 22 allow idmap idmap_exec:file { entrypoint open read execute getattr map }; #line 22 # New domain can send SIGCHLD to its caller. #line 22 allow idmap installd:process sigchld; #line 22 # Enable AT_SECURE, i.e. libc secure mode. #line 22 dontaudit installd idmap:process noatsecure; #line 22 # XXX dontaudit candidate but requires further study. #line 22 allow installd idmap:process { siginh rlimitinh }; #line 22 #line 22 # Make the transition occur by default. #line 22 type_transition installd idmap_exec:process idmap; #line 22 # For collecting bugreports. allow installd dumpstate:fd use; allow installd dumpstate:fifo_file { getattr open read ioctl lock map watch watch_reads }; # Delete /system/bin/bcc generated artifacts allow installd app_exec_data_file:file unlink; # Capture userdata snapshots to /data/misc_[ce|de]/rollback and # subsequently restore them. allow installd rollback_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow installd rollback_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Allow installd to access the runtime feature flag properties. #line 37 allow installd device_config_runtime_native_prop:file { getattr open read map }; #line 37 #line 38 allow installd device_config_runtime_native_boot_prop:file { getattr open read map }; #line 38 # Allow installd to access apk verity feature flag (for legacy case). 
#line 41 allow installd apk_verity_prop:file { getattr open read map }; #line 41 # Allow installd to access odsign verification status #line 44 allow installd odsign_prop:file { getattr open read map }; #line 44 # Allow installd to delete files in /data/staging allow installd staging_data_file:file unlink; allow installd staging_data_file:dir { open read remove_name rmdir search write getattr }; allow installd { dex2oat dexoptanalyzer }:process signal; # installd kills subprocesses if they time out. allow installd { dex2oat dexoptanalyzer profman }:process sigkill; # Allow installd to manage dirs in /data/misc_ce/0/sdksandbox allow installd sdk_sandbox_system_data_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelfrom }; # Allow installd to enable fs-verity for an app file passed as an FD. allow installd { untrusted_app_all priv_app gmscore_app }:fd use; allowxperm installd app_data_file_type:file ioctl 0x6685; #line 1 "system/sepolicy/private/isolated_app.te" ### ### isolated_apps. ### ### This file defines the rules for isolated apps that do not wish to use ### service managers and do not require extra computational resources. ### typeattribute isolated_app coredomain; #line 10 typeattribute isolated_app appdomain; #line 10 # Label tmpfs objects for all apps. #line 10 type_transition isolated_app tmpfs:file appdomain_tmpfs; #line 10 #line 10 # Set up a type_transition to "userfaultfd" named anonymous inode object. #line 10 type isolated_app_userfaultfd; #line 10 type_transition isolated_app isolated_app:anon_inode isolated_app_userfaultfd "[userfaultfd]"; #line 10 # Allow domain to create/use userfaultfd anon_inode.
#line 10 allow isolated_app isolated_app_userfaultfd:anon_inode { create ioctl read }; #line 10 # Suppress errors generate during bugreport #line 10 dontaudit su isolated_app_userfaultfd:anon_inode *; #line 10 # Other domains may not use userfaultfd anon_inodes created by this domain. #line 10 neverallow { domain -isolated_app } isolated_app_userfaultfd:anon_inode *; #line 10 #line 10 allow isolated_app appdomain_tmpfs:file { execute getattr map read write }; #line 10 neverallow { isolated_app -runas_app -shell -simpleperf } { domain -isolated_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 10 neverallow { appdomain -runas_app -shell -simpleperf -isolated_app } isolated_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 10 # The Android security model guarantees the confidentiality and integrity #line 10 # of application data and execution state. Ptrace bypasses those #line 10 # confidentiality guarantees. Disallow ptrace access from system components to #line 10 # apps. crash_dump is excluded, as it needs ptrace access to produce stack #line 10 # traces. runas_app is excluded, as it operates only on debuggable apps. #line 10 # simpleperf is excluded, as it operates only on debuggable or profileable #line 10 # apps. llkd is excluded, as it needs ptrace access to inspect stack traces for #line 10 # live lock conditions. #line 10 neverallow { domain -isolated_app -crash_dump -runas_app -simpleperf } isolated_app:process ptrace; #line 10 #line 11 typeattribute isolated_app isolated_app_all; #line 11 allow isolated_app webviewupdate_service:service_manager find; # Allow access to network sockets received over IPC. New socket creation is not # permitted. 
allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { { read getattr write setattr lock append bind connect getopt setopt shutdown map } }; # b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps # by other processes. Open should never be allowed, and is blocked by # neverallow rules in isolated_app_all attribute. # media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs # is modified to change the secontext when accessing the lower filesystem. allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map }; # For webviews, isolated_app processes can be forked from the webview_zygote # in addition to the zygote. Allow access to resources inherited from the # webview_zygote process. These rules are specialized copies of the ones in app.te. # Inherit FDs from the webview_zygote. allow isolated_app webview_zygote:fd use; # Notify webview_zygote of child death. allow isolated_app webview_zygote:process sigchld; # Inherit logd write socket. allow isolated_app webview_zygote:unix_dgram_socket write; # Read system properties managed by webview_zygote. allow isolated_app webview_zygote_tmpfs:file read; #line 1 "system/sepolicy/private/isolated_app_all.te" ### ### isolated_app_all. ### ### Services with isolatedProcess=true in their manifest. ### ### This file defines the rules shared by all isolated apps. An "isolated ### app" is an APP with UID between AID_ISOLATED_START (99000) ### and AID_ISOLATED_END (99999). ### # Access already open app data files received over Binder or local socket IPC. allow isolated_app_all { app_data_file privapp_data_file sdk_sandbox_data_file}:file { append read write getattr lock map }; allow isolated_app_all activity_service:service_manager find; allow isolated_app_all display_service:service_manager find; # Google Breakpad (crash reporter for Chrome) relies on ptrace # functionality. 
Without the ability to ptrace, the crash reporter # tool is broken. # b/20150694 # https://code.google.com/p/chromium/issues/detail?id=475270 allow isolated_app_all self:process ptrace; # Inherit FDs from the app_zygote. allow isolated_app_all app_zygote:fd use; # Notify app_zygote of child death. allow isolated_app_all app_zygote:process sigchld; # Inherit logd write socket. allow isolated_app_all app_zygote:unix_dgram_socket write; # TODO (b/63631799) fix this access # suppress denials to /data/local/tmp dontaudit isolated_app_all shell_data_file:dir search; # Allow to read (but not open) staged apks. allow isolated_app_all { apk_tmp_file apk_private_tmp_file }:file { read getattr }; ##### ##### Neverallow ##### # Isolated apps should not directly open app data files themselves. neverallow isolated_app_all app_data_file_type:file open; # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553) # TODO: are there situations where isolated_apps write to this file? # TODO: should we tighten these restrictions further? neverallow isolated_app_all anr_data_file:file ~{ open append }; neverallow isolated_app_all anr_data_file:dir ~search; # Isolated apps must not be permitted to use HwBinder neverallow { isolated_app_all -isolated_compute_app } hwbinder_device:chr_file *; neverallow { isolated_app_all -isolated_compute_app } *:hwservice_manager *; # Isolated apps must not be permitted to use VndBinder neverallow isolated_app_all vndbinder_device:chr_file *; # Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager # except the find actions for services allowlisted below. neverallow { isolated_app_all -isolated_compute_app } *:service_manager ~find; # b/17487348 # Isolated apps can only access three services, # activity_service, display_service, webviewupdate_service. 
neverallow { isolated_app_all -isolated_compute_app } { service_manager_type -activity_service -display_service -webviewupdate_service }:service_manager find; # Isolated apps shouldn't be able to access the driver directly. neverallow { isolated_app_all -isolated_compute_app } gpu_device:chr_file { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } execute }; # Do not allow isolated_apps access to /cache neverallow isolated_app_all cache_file:dir ~{ { open getattr read search ioctl lock watch watch_reads } }; neverallow isolated_app_all cache_file:file ~{ read getattr }; # Do not allow isolated_app_all to access external storage, except for files passed # via file descriptors (b/32896414). neverallow isolated_app_all { storage_file mnt_user_file sdcard_type fuse }:dir ~getattr; neverallow isolated_app_all { storage_file mnt_user_file }:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } *; neverallow isolated_app_all { sdcard_type fuse }:{ { chr_file blk_file } lnk_file sock_file fifo_file } *; neverallow isolated_app_all { sdcard_type fuse }:file ~{ read write append getattr lock map }; # Do not allow USB access neverallow isolated_app_all { usb_device usbaccessory_device }:chr_file *; # Restrict the webview_zygote control socket. neverallow isolated_app_all webview_zygote:sock_file write; # Limit the /sys files which isolated_app_all can access. This is important # for controlling isolated_app_all attack surface. # TODO (b/266555480): The permission should be guarded by compliance test. # Remove the negation for member domains when refactorization is done. 
neverallow { isolated_app_all -isolated_compute_app } { sysfs_type -sysfs_devices_system_cpu -sysfs_transparent_hugepage -sysfs_usb # TODO: check with audio team if needed for isolated_apps (b/28417852) -sysfs_fs_fuse_features -sysfs_fs_incfs_features }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; # No creation of sockets families other than AF_UNIX sockets. # List taken from system/sepolicy/public/global_macros - socket_class_set # excluding unix_stream_socket and unix_dgram_socket. # Many of these are socket families which have never and will never # be compiled into the Android kernel. neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox_all untrusted_app_all }:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } create; #line 1 "system/sepolicy/private/isolated_compute_app.te" ### ### isolated_compute_apps. ### ### This file defines the rules for isolated apps that requires the permission ### to gather data with service manager and require computational resources to ### improve the performance to process data under a sandbox. 
This ### isolated_compute_app restricts data egress to protect the privacy. ### ### TODO(b/266923392): Clean rules for isolated_compute_app characteristics ### typeattribute isolated_compute_app coredomain; #line 14 typeattribute isolated_compute_app appdomain; #line 14 # Label tmpfs objects for all apps. #line 14 type_transition isolated_compute_app tmpfs:file appdomain_tmpfs; #line 14 #line 14 # Set up a type_transition to "userfaultfd" named anonymous inode object. #line 14 type isolated_compute_app_userfaultfd; #line 14 type_transition isolated_compute_app isolated_compute_app:anon_inode isolated_compute_app_userfaultfd "[userfaultfd]"; #line 14 # Allow domain to create/use userfaultfd anon_inode. #line 14 allow isolated_compute_app isolated_compute_app_userfaultfd:anon_inode { create ioctl read }; #line 14 # Suppress errors generate during bugreport #line 14 dontaudit su isolated_compute_app_userfaultfd:anon_inode *; #line 14 # Other domains may not use userfaultfd anon_inodes created by this domain. #line 14 neverallow { domain -isolated_compute_app } isolated_compute_app_userfaultfd:anon_inode *; #line 14 #line 14 allow isolated_compute_app appdomain_tmpfs:file { execute getattr map read write }; #line 14 neverallow { isolated_compute_app -runas_app -shell -simpleperf } { domain -isolated_compute_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 14 neverallow { appdomain -runas_app -shell -simpleperf -isolated_compute_app } isolated_compute_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 14 # The Android security model guarantees the confidentiality and integrity #line 14 # of application data and execution state. Ptrace bypasses those #line 14 # confidentiality guarantees. Disallow ptrace access from system components to #line 14 # apps. 
crash_dump is excluded, as it needs ptrace access to produce stack #line 14 # traces. runas_app is excluded, as it operates only on debuggable apps. #line 14 # simpleperf is excluded, as it operates only on debuggable or profileable #line 14 # apps. llkd is excluded, as it needs ptrace access to inspect stack traces for #line 14 # live lock conditions. #line 14 neverallow { domain -isolated_compute_app -crash_dump -runas_app -simpleperf } isolated_compute_app:process ptrace; #line 14 #line 15 typeattribute isolated_compute_app isolated_app_all; #line 15 allow isolated_compute_app isolated_compute_allowed_service:service_manager find; allow isolated_compute_app isolated_compute_allowed_device:chr_file { read write ioctl map }; # Enable access to hardware services for camera functionalities #line 21 typeattribute isolated_compute_app halclientdomain; #line 21 typeattribute isolated_compute_app hal_allocator_client; #line 21 #line 21 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 21 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 21 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 21 #line 21 typeattribute isolated_compute_app hal_allocator; #line 21 # Find passthrough HAL implementations #line 21 allow hal_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 21 allow hal_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 21 allow hal_allocator vendor_file:file { read open getattr execute map }; #line 21 #line 21 #line 22 # Call the hwservicemanager and transfer references to it. #line 22 allow isolated_compute_app hwservicemanager:binder { call transfer }; #line 22 # Allow hwservicemanager to send out callbacks #line 22 allow hwservicemanager isolated_compute_app:binder { call transfer }; #line 22 # hwservicemanager performs getpidcon on clients.
#line 22 allow hwservicemanager isolated_compute_app:dir search; #line 22 allow hwservicemanager isolated_compute_app:file { read open map }; #line 22 allow hwservicemanager isolated_compute_app:process getattr; #line 22 # rw access to /dev/hwbinder and /dev/ashmem is presently granted to #line 22 # all domains in domain.te. #line 22 #line 24 typeattribute isolated_compute_app halclientdomain; #line 24 typeattribute isolated_compute_app hal_codec2_client; #line 24 #line 24 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 24 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 24 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 24 #line 24 typeattribute isolated_compute_app hal_codec2; #line 24 # Find passthrough HAL implementations #line 24 allow hal_codec2 system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 24 allow hal_codec2 vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 24 allow hal_codec2 vendor_file:file { read open getattr execute map }; #line 24 #line 24 allow isolated_compute_app dmabuf_system_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads }; # Allow access to network sockets received over IPC. New socket creation is not # permitted. allow isolated_compute_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { { read getattr write setattr lock append bind connect getopt setopt shutdown map } }; # Allow access to the toybox: b/275024392 allow isolated_compute_app toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } }; ##### ##### Neverallow ##### # Do not allow isolated_compute_app to access hardware service except for the # ones necessary for camera service. # TODO (b/266555480): The permission should be guarded by compliance test. 
# Remove the negation for member domains when refactorization is done.
# neverallow isolated_compute_app {
#   hwservice_manager_type
#   -hal_graphics_allocator_hwservice
#   -hal_graphics_mapper_hwservice
#   -hidl_allocator_hwservice
#   -hidl_manager_hwservice
#   -hidl_memory_hwservice
# }:hwservice_manager *;
#line 1 "system/sepolicy/private/iw.te"
# iw: a coredomain process with its own executable label. The rules that
# follow (an expanded transition macro, judging by the repeated #line 4
# markers) let init exec iw_exec and automatically enter the iw domain;
# no other domain is granted the iw transition here.
type iw, domain, coredomain;
type iw_exec, system_file_type, exec_type, file_type;
#line 4
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init iw_exec:file { getattr open read execute map };
#line 4
allow init iw:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow iw iw_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init iw:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init iw:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition init iw_exec:process iw;
#line 4
#line 4
#line 1 "system/sepolicy/private/kernel.te"
# kernel: the initial domain. Below, the kernel domain execs init_exec and
# transitions into init; init may only send SIGCHLD back to the kernel.
typeattribute kernel coredomain;
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow kernel init_exec:file { getattr open read execute map };
#line 3
allow kernel init:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow init init_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
allow init kernel:process sigchld;
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit kernel init:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow kernel init:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition kernel init_exec:process init;
#line 3
#line 4
# Second transition out of the kernel domain: snapuserd is exec'd directly
# by the kernel domain (see the Virtual A/B note further down for why it
# runs before init's sepolicy setup is complete).
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow kernel snapuserd_exec:file { getattr open read execute map };
#line 4
allow kernel snapuserd:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow snapuserd snapuserd_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
allow snapuserd kernel:process sigchld;
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit kernel snapuserd:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow kernel snapuserd:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition kernel snapuserd_exec:process snapuserd;
#line 4
# Allow the kernel to read otapreopt_chroot's file descriptors and files under
# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
allow kernel otapreopt_chroot:fd use;
allow kernel postinstall_file:file read;
# The following sections are for the transition period during a Virtual A/B
# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
# context, and with properly labelled devices. This must be done before
# enabling enforcement, eg, in permissive mode while still in the kernel
# context.
# Transition-period relabelling: the kernel may take nodes that still carry
# the tmpfs label (relabelfrom) and move them to the specific device types
# listed below (relabelto). relabelto is granted only per listed type, not
# on any broad attribute, so nothing outside this list can be re-labelled.
allow kernel tmpfs:blk_file { getattr relabelfrom };
allow kernel tmpfs:chr_file { getattr relabelfrom };
allow kernel tmpfs:lnk_file { getattr relabelfrom };
allow kernel tmpfs:dir { open read relabelfrom };
allow kernel block_device:blk_file relabelto;
allow kernel block_device:lnk_file relabelto;
allow kernel dm_device:chr_file relabelto;
allow kernel dm_device:blk_file relabelto;
allow kernel dm_user_device:dir { read open search relabelto };
allow kernel dm_user_device:chr_file relabelto;
allow kernel kmsg_device:chr_file relabelto;
allow kernel null_device:chr_file relabelto;
allow kernel random_device:chr_file relabelto;
allow kernel snapuserd_exec:file relabelto;
allow kernel kmsg_device:chr_file write;
allow kernel gsid:fd use;
# The dontaudit rules below only silence denials; they grant nothing. In
# particular self:capability { sys_admin setgid mknod } and the
# dm_user_device create/setattr/write accesses remain denied, just unlogged.
dontaudit kernel metadata_file:dir search;
dontaudit kernel ota_metadata_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
dontaudit kernel sysfs:dir { open getattr read search ioctl lock watch watch_reads };
dontaudit kernel sysfs:file { open read write };
dontaudit kernel sysfs:chr_file { open read write };
dontaudit kernel dm_device:chr_file ioctl;
dontaudit kernel self:capability { sys_admin setgid mknod };
dontaudit kernel dm_user_device:dir { write add_name };
dontaudit kernel dm_user_device:chr_file { create setattr };
dontaudit kernel tmpfs:lnk_file read;
dontaudit kernel tmpfs:blk_file { open read };
#line 1 "system/sepolicy/private/keystore.te"
# keystore: started from init via the expanded transition rules below.
typeattribute keystore coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init keystore_exec:file { getattr open read execute map };
#line 3
allow init keystore:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow keystore keystore_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init keystore:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init keystore:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init keystore_exec:process keystore;
#line 3
#line 3
# talk to keymaster
#line 6
typeattribute keystore halclientdomain;
#line 6
typeattribute keystore hal_keymaster_client;
#line 6
#line 6
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 6
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 6
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 6
#line 6
# Note: giving keystore the hal_keymaster *server* attribute means the
# passthrough rules below (including execute+map on vendor_file:file) apply
# to keystore itself, not only to a separate HAL process.
typeattribute keystore hal_keymaster;
#line 6
# Find passthrough HAL implementations
#line 6
allow hal_keymaster system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 6
allow hal_keymaster vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 6
allow hal_keymaster vendor_file:file { read open getattr execute map };
#line 6
#line 6
# talk to confirmationui
#line 9
typeattribute keystore halclientdomain;
#line 9
typeattribute keystore hal_confirmationui_client;
#line 9
#line 9
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 9
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 9
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 9
#line 9
# As with keymaster above: the server attribute is applied to keystore, so
# the passthrough rules (execute+map on vendor_file:file) apply to it too.
typeattribute keystore hal_confirmationui;
#line 9
# Find passthrough HAL implementations
#line 9
allow hal_confirmationui system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow hal_confirmationui vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow hal_confirmationui vendor_file:file { read open getattr execute map };
#line 9
#line 9
# talk to keymint
#line 12
typeattribute keystore halclientdomain;
#line 12
typeattribute keystore hal_keymint_client;
#line 12
#line 12
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 12
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 12
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 12
#line 12
typeattribute keystore hal_keymint;
#line 12
# Find passthrough HAL implementations
#line 12
allow hal_keymint system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow hal_keymint vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow hal_keymint vendor_file:file { read open getattr execute map };
#line 12
#line 12
# Ignore keystore attempts to access the AVF RKP Hal but keystore is not suppose to
# access it.
# TODO(b/312427637): Investigate the reason and fix the denial.
# dontaudit only hides the denial in the audit log; the find is still refused.
dontaudit keystore hal_remotelyprovisionedcomponent_avf_service:service_manager { find };
# This is used for the ConfirmationUI async callback.
allow keystore platform_app:binder call;
# Allow to check whether security logging is enabled.
#line 23
allow keystore device_logging_prop:file { getattr open read map };
#line 23
# Allow keystore to check if the system is rkp only.
#line 26
allow keystore remote_prov_prop:file { getattr open read map };
#line 26
# Allow keystore to check rkpd feature flags
#line 29
allow keystore device_config_remote_key_provisioning_native_prop:file { getattr open read map };
#line 29
# Allow keystore to write to statsd.
# Write-only path to statsd: the sock_file write plus a dgram sendto; no
# read or connect on the statsd socket is granted here.
#line 32
allow keystore statsdw_socket:sock_file write;
#line 32
allow keystore statsd:unix_dgram_socket sendto;
#line 32
# Keystore need access to the keystore2_key_contexts file to load the keystore key backend.
# Read-only (no write/append) on the key-contexts file.
allow keystore keystore2_key_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow keystore to listen to changing boot levels
#line 38
allow keystore keystore_listen_prop:file { getattr open read map };
#line 38
# Keystore needs to transfer binder references to vold so that it
# can call keystore methods on those references.
# transfer only: keystore is not granted binder call on vold by this rule.
allow keystore vold:binder transfer;
# Only keystore can set keystore.crash_count system property. Since init is allowed to set any
# system property, an exception is added for init as well.
#line 46
#line 46
allow keystore property_socket:sock_file write;
#line 46
allow keystore init:unix_stream_socket connectto;
#line 46
#line 46
allow keystore keystore_crash_prop:property_service set;
#line 46
#line 46
allow keystore keystore_crash_prop:file { getattr open read map };
#line 46
#line 46
# Enforced at policy build time: no domain other than keystore and init may
# set keystore_crash_prop, regardless of any allow rule elsewhere.
neverallow { domain -keystore -init } keystore_crash_prop:property_service set;
# keystore is using apex_info via libvintf
#line 50
allow keystore apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads };
#line 50
allow keystore apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
#line 50
#line 50
allow keystore vendor_apex_metadata_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 50
allow keystore vendor_apex_metadata_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 50
#line 50
#line 1 "system/sepolicy/private/keystore_keys.te"
# Specify keystore2_key namespaces in this file.
# Please keep the names in alphabetical order and comment each new entry.
# NOTE(review): the entries below are not currently in alphabetical order
# (shell, su, vold, odsign, locksettings, resume_on_reboot).
# A keystore2_key namespace for the shell domain. Mainly used for native tests.
type shell_key, keystore2_key_type;
# A keystore2 namespace for the su domain. Mainly used for native tests.
type su_key, keystore2_key_type;
# A keystore2 namespace for vold. Vold need special permission to handle
# its own Keymint blobs.
type vold_key, keystore2_key_type;
# A keystore2 namespace for the on-device signing daemon.
type odsign_key, keystore2_key_type;
# A keystore2 namespace for LockSettingsService.
type locksettings_key, keystore2_key_type;
# A keystore2 namespace for resume on reboot.
type resume_on_reboot_key, keystore2_key_type;
#line 1 "system/sepolicy/private/linkerconfig.te"
# linkerconfig: coredomain process with its own executable label; entered
# from init via the expanded transition rules that follow.
type linkerconfig, domain, coredomain;
type linkerconfig_exec, exec_type, file_type, system_file_type;
#line 4
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init linkerconfig_exec:file { getattr open read execute map };
#line 4
allow init linkerconfig:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow linkerconfig linkerconfig_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init linkerconfig:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init linkerconfig:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition init linkerconfig_exec:process linkerconfig;
#line 4
#line 4
## Read and write linkerconfig subdirectory.
# linkerconfig owns linkerconfig_file: full create/rename/unlink/rmdir on
# the directory and its files, in addition to read/write. Note that no
# execute or relabel permission is included.
allow linkerconfig linkerconfig_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow linkerconfig linkerconfig_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow linkerconfig to log to the kernel.
allow linkerconfig kmsg_device:chr_file { open append write lock map };
# Allow linkerconfig to be invoked with logwrapper from init.
allow linkerconfig devpts:chr_file { getattr ioctl read write };
# Allow linkerconfig to scan for apex modules
allow linkerconfig apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads };
# Allow linkerconfig to read apex-info-list.xml
allow linkerconfig apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow linkerconfig to read apex_manifest.pb file from vendor apex
#line 23
allow linkerconfig vendor_apex_metadata_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 23
allow linkerconfig vendor_apex_metadata_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 23
# Allow linkerconfig to be called in the otapreopt_chroot
allow linkerconfig otapreopt_chroot:fd use;
allow linkerconfig postinstall_apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads };
allow linkerconfig postinstall_apex_mnt_dir:file { getattr open read ioctl lock map watch watch_reads };
# Only init, linkerconfig itself and otapreopt_chroot may execute the
# linkerconfig binary. execute_no_trans is included, so no other domain can
# run it in-place without a domain transition either.
neverallow { domain -init -linkerconfig -otapreopt_chroot } linkerconfig_exec:file { execute execute_no_trans };
#line 1 "system/sepolicy/private/llkd.te"
# llkd Live LocK Daemon
# Entered from init via the expanded transition rules below.
typeattribute llkd coredomain;
#line 4
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init llkd_exec:file { getattr open read execute map };
#line 4
allow init llkd:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow llkd llkd_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init llkd:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init llkd:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition init llkd_exec:process llkd;
#line 4
#line 4
#line 6
allow llkd llkd_prop:file { getattr open read map };
#line 6
allow llkd self:{ capability cap_userns } kill;
#line 12
# llkd optionally locks itself in memory, to prevent it from being
# swapped out and unable to discover a kernel in live-lock state.
allow llkd self:{ capability cap_userns } ipc_lock;
# Send kill signals to _anyone_ suffering from Live Lock
# High-impact grant: sigkill on the `domain` attribute covers every process
# domain on the device, which is why the neverallow block at the end of this
# file locks down who may enter, ptrace or LD_PRELOAD llkd.
allow llkd domain:process sigkill;
# read stack to check for Live Lock
# NOTE(review): the jump to #line 33 right after this comment suggests a
# conditional (build-variant) block was not expanded for this build, so no
# ptrace-style permission is granted here — confirm against the .te source.
#line 33
# live lock watchdog process allowed to look through /proc/
allow llkd domain:dir { open getattr read search ioctl lock watch watch_reads };
allow llkd domain:file { getattr open read ioctl lock map watch watch_reads };
allow llkd domain:lnk_file read;
# Set /proc/sys/kernel/hung_task_*
allow llkd proc_hung_task:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# live lock watchdog process allowed to dump process trace and
# reboot because orderly shutdown may not be possible.
allow llkd proc_sysrq:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow llkd kmsg_device:chr_file { open append write lock map };
### neverallow rules
# Only init may transition into llkd; no domain at all may ptrace it.
neverallow { domain -init } llkd:process { dyntransition transition };
neverallow { domain } llkd:process ptrace;
# never honor LD_PRELOAD
neverallow * llkd:process noatsecure;
#line 1 "system/sepolicy/private/lmkd.te"
# lmkd: coredomain and bpfdomain; entered from init via the expanded
# transition rules below.
typeattribute lmkd coredomain;
typeattribute lmkd bpfdomain;
#line 4
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init lmkd_exec:file { getattr open read execute map };
#line 4
allow init lmkd:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow lmkd lmkd_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init lmkd:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init lmkd:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition init lmkd_exec:process lmkd;
#line 4
#line 4
# Set sys.lmk.* properties.
# Property set path: write to the property socket, connect to init's
# stream socket, then `set` on the specific property type.
#line 7
#line 7
allow lmkd property_socket:sock_file write;
#line 7
allow lmkd init:unix_stream_socket connectto;
#line 7
#line 7
allow lmkd system_lmk_prop:property_service set;
#line 7
#line 7
allow lmkd system_lmk_prop:file { getattr open read map };
#line 7
#line 7
# Set lmkd.* properties.
#line 10
#line 10
allow lmkd property_socket:sock_file write;
#line 10
allow lmkd init:unix_stream_socket connectto;
#line 10
#line 10
allow lmkd lmkd_prop:property_service set;
#line 10
#line 10
allow lmkd lmkd_prop:file { getattr open read map };
#line 10
#line 10
# Get persist.device_config.lmk_native.* properties.
#line 13
allow lmkd device_config_lmkd_native_prop:file { getattr open read map };
#line 13
# Read-only access to BPF: file read on fs_bpf and map_read on maps owned
# by bpfloader; no map_write is granted.
allow lmkd fs_bpf:file read;
allow lmkd bpfloader:bpf map_read;
# Only init, lmkd and vendor_init may set lmkd.* properties.
neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set;
#line 1 "system/sepolicy/private/logd.te"
# logd: entered from init via the expanded transition rules below.
typeattribute logd coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init logd_exec:file { getattr open read execute map };
#line 3
allow init logd:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow logd logd_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init logd:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init logd:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init logd_exec:process logd;
#line 3
#line 3
# Access device logging gating property
#line 6
allow logd device_logging_prop:file { getattr open read map };
#line 6
# logd is not allowed to write anywhere other than /data/misc/logd, and then
# only on userdebug or eng builds
# Build-time guarantee: logd may not create/write/append any file type
# except the two exclusions listed here.
neverallow logd {
  file_type
  -runtime_event_log_tags_file
  # shell_data_file access is needed to dump bugreports
  -shell_data_file
}:file { create write append };
# protect the event-log-tags file
# Two-part neverallow: the first rule exempts appdomain as a whole (handled
# by the second rule), which then names the only app domains allowed to
# touch the tags file.
neverallow {
  domain
  -appdomain # covered below
  -bootstat
  -dumpstate
  -init
  -logd
  -servicemanager
  -system_server
  -surfaceflinger
  -zygote
} runtime_event_log_tags_file:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow {
  appdomain
  -bluetooth
  -platform_app
  -priv_app
  -radio
  -shell
  -system_app
} runtime_event_log_tags_file:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Only binder communication between logd and system_server is allowed
#line 46
# Call the servicemanager and transfer references to it.
#line 46
allow logd servicemanager:binder { call transfer };
#line 46
# Allow servicemanager to send out callbacks
#line 46
allow servicemanager logd:binder { call transfer };
#line 46
# servicemanager performs getpidcon on clients.
#line 46
allow servicemanager logd:dir search;
#line 46
allow servicemanager logd:file { read open };
#line 46
allow servicemanager logd:process getattr;
#line 46
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 46
# all domains in domain.te.
#line 46
#line 47
typeattribute logd binderservicedomain;
#line 47
#line 48
# Call the server domain and optionally transfer references to it.
#line 48
allow logd system_server:binder { call transfer };
#line 48
# Allow the serverdomain to transfer references to the client on the reply.
#line 48
allow system_server logd:binder transfer;
#line 48
# Receive and use open files from the server.
#line 48
allow logd system_server:fd use;
#line 48
#line 50
allow logd logd_service:service_manager { add find };
#line 50
# Only logd may register logd_service with servicemanager.
neverallow { domain -logd } logd_service:service_manager add;
#line 50
#line 50
# On debug builds with root, allow binder services to use binder over TCP.
#line 50
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 50
#line 50
allow logd logcat_service:service_manager find;
#line 1 "system/sepolicy/private/logpersist.te"
typeattribute logpersist coredomain;
# android debug log storage in logpersist domains (eng and userdebug only)
# NOTE(review): the jump to #line 21 indicates the eng/userdebug block was
# not expanded for this build; as a result logpersist receives no allow
# rules here and the neverallow below carries no exclusion, so logpersist
# cannot create/write/append any file in this policy. Confirm the intended
# build variant against the .te source.
#line 21
# logpersist is allowed to write to /data/misc/log for userdebug and eng builds
neverallow logpersist { file_type }:file { create write append };
# misc_logd_file: only init, dumpstate and incidentd may access it at all;
# only init may modify it (file write-class permissions, dir mutation).
neverallow { domain -init -dumpstate -incidentd } misc_logd_file:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow { domain -init } misc_logd_file:file { append create link unlink relabelfrom rename setattr write };
neverallow { domain -init } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
#line 1 "system/sepolicy/private/lpdumpd.te"
# lpdumpd: coredomain process with its own executable label; entered from
# init via the expanded transition rules below.
type lpdumpd, domain, coredomain;
type lpdumpd_exec, system_file_type, exec_type, file_type;
#line 4
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init lpdumpd_exec:file { getattr open read execute map };
#line 4
allow init lpdumpd:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow lpdumpd lpdumpd_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init lpdumpd:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init lpdumpd:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition init lpdumpd_exec:process lpdumpd;
#line 4
#line 4
# Allow lpdumpd to register itself as a service.
#line 7
# Call the servicemanager and transfer references to it.
#line 7
allow lpdumpd servicemanager:binder { call transfer };
#line 7
# Allow servicemanager to send out callbacks
#line 7
allow servicemanager lpdumpd:binder { call transfer };
#line 7
# servicemanager performs getpidcon on clients.
#line 7
allow servicemanager lpdumpd:dir search;
#line 7
allow servicemanager lpdumpd:file { read open };
#line 7
allow servicemanager lpdumpd:process getattr;
#line 7
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 7
# all domains in domain.te.
#line 7
#line 8
allow lpdumpd lpdump_service:service_manager { add find };
#line 8
# Only lpdumpd may register lpdump_service.
neverallow { domain -lpdumpd } lpdump_service:service_manager add;
#line 8
#line 8
# On debug builds with root, allow binder services to use binder over TCP.
#line 8
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 8
#line 8
# Allow lpdumpd to find the super partition block device.
allow lpdumpd block_device:dir { open getattr read search ioctl lock watch watch_reads };
# Allow lpdumpd to read super partition metadata.
# Read-only: no write on the super block device is granted.
allow lpdumpd super_block_device_type:blk_file { getattr open read ioctl lock map watch watch_reads };
# Allow lpdumpd to read fstab.
allow lpdumpd sysfs_dt_firmware_android:dir { open getattr read search ioctl lock watch watch_reads };
allow lpdumpd sysfs_dt_firmware_android:file { getattr open read ioctl lock map watch watch_reads };
#line 19
allow lpdumpd { metadata_file gsi_metadata_file_type }:dir search;
#line 19
allow lpdumpd gsi_public_metadata_file:file { getattr open read ioctl lock map watch watch_reads };
#line 19
allow lpdumpd { proc_bootconfig proc_cmdline }:file { getattr open read ioctl lock map watch watch_reads };
#line 19
# Allow to get A/B slot suffix from device tree or kernel cmdline.
#line 22
allow lpdumpd sysfs_dt_firmware_android:dir { open getattr read search ioctl lock watch watch_reads };
#line 22
allow lpdumpd sysfs_dt_firmware_android:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 22
# NOTE(review): the lone `;` below appears to be left over from a macro
# invocation written with a trailing semicolon in the .te source. It adds
# no rule; tidy the source if the policy compiler tolerates it only by
# accident.
;
allow lpdumpd proc_cmdline:file { getattr open read ioctl lock map watch watch_reads };
# Allow reading Virtual A/B status information.
#line 26
allow lpdumpd virtual_ab_prop:file { getattr open read map };
#line 26
allow lpdumpd metadata_file:dir search;
allow lpdumpd ota_metadata_file:dir { { open getattr read search ioctl lock watch watch_reads } lock };
allow lpdumpd ota_metadata_file:file { getattr open read ioctl lock map watch watch_reads };
### Neverallow rules
# Disallow other domains to get lpdump_service and call lpdumpd.
# Only dumpstate, shell and lpdumpd may look the service up; servicemanager
# is additionally exempted from the binder-call restriction.
neverallow { domain -dumpstate -lpdumpd -shell } lpdump_service:service_manager find;
neverallow { domain -dumpstate -lpdumpd -shell -servicemanager } lpdumpd:binder call;
#line 1 "system/sepolicy/private/mdnsd.te"
# mdns daemon
# mlstrustedsubject: mdnsd is exempted from the MLS constraints defined
# elsewhere in the policy.
typeattribute mdnsd coredomain;
typeattribute mdnsd mlstrustedsubject;
type mdnsd_exec, system_file_type, exec_type, file_type;
#line 7
#line 7
# Allow the necessary permissions.
#line 7
#line 7
# Old domain may exec the file and transition to the new domain.
#line 7
allow init mdnsd_exec:file { getattr open read execute map };
#line 7
allow init mdnsd:process transition;
#line 7
# New domain is entered by executing the file.
#line 7
allow mdnsd mdnsd_exec:file { entrypoint open read execute getattr map };
#line 7
# New domain can send SIGCHLD to its caller.
#line 7
#line 7
# Enable AT_SECURE, i.e. libc secure mode.
#line 7
dontaudit init mdnsd:process noatsecure;
#line 7
# XXX dontaudit candidate but requires further study.
#line 7
allow init mdnsd:process { siginh rlimitinh };
#line 7
#line 7
# Make the transition occur by default.
#line 7
type_transition init mdnsd_exec:process mdnsd;
#line 7
#line 7
#line 9
# netdomain: network access for mdnsd comes from the netdomain attribute
# rules (defined elsewhere), not from explicit socket rules in this file.
typeattribute mdnsd netdomain;
#line 9
# Read from /proc/net
#line 12
allow mdnsd proc_net_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow mdnsd proc_net_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 12
#line 1 "system/sepolicy/private/mediadrmserver.te"
# mediadrmserver: entered from init via the expanded transition rules below.
typeattribute mediadrmserver coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init mediadrmserver_exec:file { getattr open read execute map };
#line 3
allow init mediadrmserver:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow mediadrmserver mediadrmserver_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init mediadrmserver:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init mediadrmserver:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init mediadrmserver_exec:process mediadrmserver;
#line 3
#line 3
# allocate and use graphic buffers
#line 6
typeattribute mediadrmserver halclientdomain;
#line 6
typeattribute mediadrmserver hal_graphics_allocator_client;
#line 6
#line 6
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 6
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 6
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 6
#line 6
# The server attribute is applied to mediadrmserver itself, so the
# passthrough rules below (execute+map on vendor_file:file) apply to it.
typeattribute mediadrmserver hal_graphics_allocator;
#line 6
# Find passthrough HAL implementations
#line 6
allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 6
allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 6
allow hal_graphics_allocator vendor_file:file { read open getattr execute map };
#line 6
#line 6
# auditallow grants nothing; it logs each use of the binder call permission
# that mediadrmserver already holds towards the allocator server.
auditallow mediadrmserver hal_graphics_allocator_server:binder call;
#line 1 "system/sepolicy/private/mediaextractor.te"
# mediaextractor: entered from init via the expanded transition rules below.
typeattribute mediaextractor coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init mediaextractor_exec:file { getattr open read execute map };
#line 3
allow init mediaextractor:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow mediaextractor mediaextractor_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init mediaextractor:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init mediaextractor:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3 type_transition init mediaextractor_exec:process mediaextractor; #line 3 #line 3 #line 4 type_transition mediaextractor tmpfs:file mediaextractor_tmpfs; #line 4 allow mediaextractor mediaextractor_tmpfs:file { read write getattr map }; #line 4 allow mediaextractor appdomain_tmpfs:file { getattr map read write }; allow mediaextractor mediaserver_tmpfs:file { getattr map read write }; allow mediaextractor system_server_tmpfs:file { getattr map read write }; #line 9 allow mediaextractor device_config_media_native_prop:file { getattr open read map }; #line 9 #line 10 allow mediaextractor device_config_swcodec_native_prop:file { getattr open read map }; #line 10 #line 1 "system/sepolicy/private/mediametrics.te" typeattribute mediametrics coredomain; #line 3 #line 3 # Allow the necessary permissions. #line 3 #line 3 # Old domain may exec the file and transition to the new domain. #line 3 allow init mediametrics_exec:file { getattr open read execute map }; #line 3 allow init mediametrics:process transition; #line 3 # New domain is entered by executing the file. #line 3 allow mediametrics mediametrics_exec:file { entrypoint open read execute getattr map }; #line 3 # New domain can send SIGCHLD to its caller. #line 3 #line 3 # Enable AT_SECURE, i.e. libc secure mode. #line 3 dontaudit init mediametrics:process noatsecure; #line 3 # XXX dontaudit candidate but requires further study. #line 3 allow init mediametrics:process { siginh rlimitinh }; #line 3 #line 3 # Make the transition occur by default. #line 3 type_transition init mediametrics_exec:process mediametrics; #line 3 #line 3 # Needed for stats callback registration to statsd. allow mediametrics stats_service:service_manager find; allow mediametrics statsmanager_service:service_manager find; #line 8 # Call the server domain and optionally transfer references to it. #line 8 allow mediametrics statsd:binder { call transfer }; #line 8 # Allow the serverdomain to transfer references to the client on the reply. 
#line 8 allow statsd mediametrics:binder transfer; #line 8 # Receive and use open files from the server. #line 8 allow mediametrics statsd:fd use; #line 8 #line 1 "system/sepolicy/private/mediaprovider.te" ### ### A domain for android.process.media, which contains both ### MediaProvider and DownloadProvider and associated services. ### typeattribute mediaprovider coredomain; #line 7 typeattribute mediaprovider appdomain; #line 7 # Label tmpfs objects for all apps. #line 7 type_transition mediaprovider tmpfs:file appdomain_tmpfs; #line 7 #line 7 # Set up a type_transition to "userfaultfd" named anonymous inode object. #line 7 type mediaprovider_userfaultfd; #line 7 type_transition mediaprovider mediaprovider:anon_inode mediaprovider_userfaultfd "[userfaultfd]"; #line 7 # Allow domain to create/use userfaultfd anon_inode. #line 7 allow mediaprovider mediaprovider_userfaultfd:anon_inode { create ioctl read }; #line 7 # Suppress errors generated during bugreport #line 7 dontaudit su mediaprovider_userfaultfd:anon_inode *; #line 7 # Other domains may not use userfaultfd anon_inodes created by this domain. #line 7 neverallow { domain -mediaprovider } mediaprovider_userfaultfd:anon_inode *; #line 7 #line 7 allow mediaprovider appdomain_tmpfs:file { execute getattr map read write }; #line 7 neverallow { mediaprovider -runas_app -shell -simpleperf } { domain -mediaprovider }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 7 neverallow { appdomain -runas_app -shell -simpleperf -mediaprovider } mediaprovider:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 7 # The Android security model guarantees the confidentiality and integrity #line 7 # of application data and execution state. Ptrace bypasses those #line 7 # confidentiality guarantees. 
Disallow ptrace access from system components to #line 7 # apps. crash_dump is excluded, as it needs ptrace access to produce stack #line 7 # traces. runas_app is excluded, as it operates only on debuggable apps. #line 7 # simpleperf is excluded, as it operates only on debuggable or profileable #line 7 # apps. llkd is excluded, as it needs ptrace access to inspect stack traces for #line 7 # live lock conditions (note: in this expanded policy the rule below lists only crash_dump, runas_app and simpleperf as exclusions; no llkd exclusion is present). #line 7 neverallow { domain -mediaprovider -crash_dump -runas_app -simpleperf } mediaprovider:process ptrace; #line 7 # DownloadProvider accesses the network. #line 10 typeattribute mediaprovider netdomain; #line 10 # DownloadProvider uses /cache. allow mediaprovider cache_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow mediaprovider cache_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # /cache is a symlink to /data/cache on some devices. Allow reading the link. allow mediaprovider cache_file:lnk_file { getattr open read ioctl lock map watch watch_reads }; # mediaprovider searches through /cache looking for orphans # Ignore denials to /cache/recovery and /cache/backup. dontaudit mediaprovider cache_private_backup_file:dir getattr; dontaudit mediaprovider cache_recovery_file:dir getattr; # Access external sdcards through /mnt/media_rw allow mediaprovider { mnt_media_rw_file }:dir search; allow mediaprovider app_api_service:service_manager find; allow mediaprovider audioserver_service:service_manager find; allow mediaprovider cameraserver_service:service_manager find; allow mediaprovider drmserver_service:service_manager find; allow mediaprovider mediaextractor_service:service_manager find; allow mediaprovider mediaserver_service:service_manager find; # Allow MediaProvider to read/write cached ringtones (opened by system). 
allow mediaprovider ringtone_file:file { getattr read write }; # MtpServer uses /dev/mtp_usb allow mediaprovider mtp_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # MtpServer uses /dev/usb-ffs/mtp allow mediaprovider functionfs:dir search; allow mediaprovider functionfs:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allowxperm mediaprovider functionfs:file ioctl 0x80096782; allowxperm mediaprovider functionfs:file ioctl 0x000067e7; # MtpServer sets sys.usb.ffs.mtp.ready #line 45 allow mediaprovider ffs_config_prop:file { getattr open read map }; #line 45 #line 46 #line 46 allow mediaprovider property_socket:sock_file write; #line 46 allow mediaprovider init:unix_stream_socket connectto; #line 46 #line 46 allow mediaprovider ffs_control_prop:property_service set; #line 46 #line 46 allow mediaprovider ffs_control_prop:file { getattr open read map }; #line 46 #line 46 # DownloadManager may retrieve DRM status #line 49 allow mediaprovider drm_service_config_prop:file { getattr open read map }; #line 49 #line 1 "system/sepolicy/private/mediaprovider_app.te" ### ### A domain for further sandboxing the MediaProvider mainline module. ### type mediaprovider_app, domain, coredomain, bpfdomain; #line 6 typeattribute mediaprovider_app appdomain; #line 6 # Label tmpfs objects for all apps. #line 6 type_transition mediaprovider_app tmpfs:file appdomain_tmpfs; #line 6 #line 6 # Set up a type_transition to "userfaultfd" named anonymous inode object. #line 6 type mediaprovider_app_userfaultfd; #line 6 type_transition mediaprovider_app mediaprovider_app:anon_inode mediaprovider_app_userfaultfd "[userfaultfd]"; #line 6 # Allow domain to create/use userfaultfd anon_inode. 
#line 6 allow mediaprovider_app mediaprovider_app_userfaultfd:anon_inode { create ioctl read }; #line 6 # Suppress errors generated during bugreport #line 6 dontaudit su mediaprovider_app_userfaultfd:anon_inode *; #line 6 # Other domains may not use userfaultfd anon_inodes created by this domain. #line 6 neverallow { domain -mediaprovider_app } mediaprovider_app_userfaultfd:anon_inode *; #line 6 #line 6 allow mediaprovider_app appdomain_tmpfs:file { execute getattr map read write }; #line 6 neverallow { mediaprovider_app -runas_app -shell -simpleperf } { domain -mediaprovider_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 6 neverallow { appdomain -runas_app -shell -simpleperf -mediaprovider_app } mediaprovider_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 6 # The Android security model guarantees the confidentiality and integrity #line 6 # of application data and execution state. Ptrace bypasses those #line 6 # confidentiality guarantees. Disallow ptrace access from system components to #line 6 # apps. crash_dump is excluded, as it needs ptrace access to produce stack #line 6 # traces. runas_app is excluded, as it operates only on debuggable apps. #line 6 # simpleperf is excluded, as it operates only on debuggable or profileable #line 6 # apps. llkd is excluded, as it needs ptrace access to inspect stack traces for #line 6 # live lock conditions (note: in this expanded policy the rule below lists only crash_dump, runas_app and simpleperf as exclusions; no llkd exclusion is present). #line 6 neverallow { domain -mediaprovider_app -crash_dump -runas_app -simpleperf } mediaprovider_app:process ptrace; #line 6 # Access to /mnt/pass_through. 
#line 9 allow mediaprovider_app mnt_pass_through_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 9 allow mediaprovider_app mnt_pass_through_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 9 # Allow MediaProvider to host a FUSE daemon for external storage allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr }; # Allow MediaProvider to access fuseblk devices for external storage. allow mediaprovider_app fuseblk:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow mediaprovider_app fuseblk:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Allow MediaProvider to read/write media_rw_data_file files and dirs allow mediaprovider_app media_userdir_file:dir { open getattr read search ioctl lock watch watch_reads }; allow mediaprovider_app media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow mediaprovider_app media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; # Talk to the DRM service allow mediaprovider_app drmserver_service:service_manager find; # Talk to the MediaServer service allow mediaprovider_app mediaserver_service:service_manager find; # Talk to the AudioServer service allow mediaprovider_app audioserver_service:service_manager find; # Talk to the MediaCodec APIs that log media metrics allow mediaprovider_app mediametrics_service:service_manager find; # Talk to regular app services allow mediaprovider_app app_api_service:service_manager find; # Talk to the GPU service #line 39 # Call the server domain and optionally transfer references to it. 
#line 39 allow mediaprovider_app gpuservice:binder { call transfer }; #line 39 # Allow the serverdomain to transfer references to the client on the reply. #line 39 allow gpuservice mediaprovider_app:binder transfer; #line 39 # Receive and use open files from the server. #line 39 allow mediaprovider_app gpuservice:fd use; #line 39 # Talk to statsd allow mediaprovider_app statsmanager_service:service_manager find; #line 43 # Call the server domain and optionally transfer references to it. #line 43 allow mediaprovider_app statsd:binder { call transfer }; #line 43 # Allow the serverdomain to transfer references to the client on the reply. #line 43 allow statsd mediaprovider_app:binder transfer; #line 43 # Receive and use open files from the server. #line 43 allow mediaprovider_app statsd:fd use; #line 43 # read pipe-max-size configuration allow mediaprovider_app proc_pipe_conf:file { getattr open read ioctl lock map watch watch_reads }; # Allow MediaProvider to set extended attributes (such as quota project ID) # on media files. 
allowxperm mediaprovider_app media_rw_data_file:{ dir file } ioctl { 0x801c581f 0x401c5820 0x80086601 0x40086602 }; # Access external sdcards through /mnt/media_rw allow mediaprovider_app { mnt_media_rw_file }:dir search; allow mediaprovider_app proc_filesystems:file { getattr open read ioctl lock map watch watch_reads }; # Allow MediaProvider to see if sdcardfs is in use #line 63 allow mediaprovider_app storage_config_prop:file { getattr open read map }; #line 63 #line 65 allow mediaprovider_app drm_service_config_prop:file { getattr open read map }; #line 65 allow mediaprovider_app gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow mediaprovider_app gpu_device:dir { open getattr read search ioctl lock watch watch_reads }; dontaudit mediaprovider_app sysfs_vendor_sched:dir search; dontaudit mediaprovider_app sysfs_vendor_sched:file { open append write lock map }; # bpfprog access for FUSE BPF allow mediaprovider_app fs_bpf:file read; allow mediaprovider_app bpfloader:bpf { map_read map_write prog_run }; # boot animations on oem are stored with specific label allow mediaprovider_app bootanim_oem_file:file { getattr open read ioctl lock map watch watch_reads }; #line 1 "system/sepolicy/private/mediaserver.te" typeattribute mediaserver coredomain; #line 3 #line 3 # Allow the necessary permissions. #line 3 #line 3 # Old domain may exec the file and transition to the new domain. #line 3 allow init mediaserver_exec:file { getattr open read execute map }; #line 3 allow init mediaserver:process transition; #line 3 # New domain is entered by executing the file. #line 3 allow mediaserver mediaserver_exec:file { entrypoint open read execute getattr map }; #line 3 # New domain can send SIGCHLD to its caller. #line 3 #line 3 # Enable AT_SECURE, i.e. libc secure mode. #line 3 dontaudit init mediaserver:process noatsecure; #line 3 # XXX dontaudit candidate but requires further study. 
#line 3 allow init mediaserver:process { siginh rlimitinh }; #line 3 #line 3 # Make the transition occur by default. #line 3 type_transition init mediaserver_exec:process mediaserver; #line 3 #line 3 #line 4 type_transition mediaserver tmpfs:file mediaserver_tmpfs; #line 4 allow mediaserver mediaserver_tmpfs:file { read write getattr map }; #line 4 allow mediaserver appdomain_tmpfs:file { getattr map read write }; # allocate and use graphic buffers #line 8 typeattribute mediaserver halclientdomain; #line 8 typeattribute mediaserver hal_graphics_allocator_client; #line 8 #line 8 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 8 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 8 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 8 #line 8 typeattribute mediaserver hal_graphics_allocator; #line 8 # Find passthrough HAL implementations #line 8 allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 8 allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 8 allow hal_graphics_allocator vendor_file:file { read open getattr execute map }; #line 8 #line 8 #line 9 typeattribute mediaserver halclientdomain; #line 9 typeattribute mediaserver hal_configstore_client; #line 9 #line 9 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 9 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 9 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). 
#line 9 #line 9 typeattribute mediaserver hal_configstore; #line 9 # Find passthrough HAL implementations #line 9 allow hal_configstore system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 9 allow hal_configstore vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 9 allow hal_configstore vendor_file:file { read open getattr execute map }; #line 9 #line 9 #line 10 typeattribute mediaserver halclientdomain; #line 10 typeattribute mediaserver hal_drm_client; #line 10 #line 10 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 10 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 10 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 10 #line 10 typeattribute mediaserver hal_drm; #line 10 # Find passthrough HAL implementations #line 10 allow hal_drm system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 10 allow hal_drm vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 10 allow hal_drm vendor_file:file { read open getattr execute map }; #line 10 #line 10 #line 11 typeattribute mediaserver halclientdomain; #line 11 typeattribute mediaserver hal_omx_client; #line 11 #line 11 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 11 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 11 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). 
#line 11 #line 11 typeattribute mediaserver hal_omx; #line 11 # Find passthrough HAL implementations #line 11 allow hal_omx system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 11 allow hal_omx vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 11 allow hal_omx vendor_file:file { read open getattr execute map }; #line 11 #line 11 #line 12 typeattribute mediaserver halclientdomain; #line 12 typeattribute mediaserver hal_codec2_client; #line 12 #line 12 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 12 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 12 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 12 #line 12 typeattribute mediaserver hal_codec2; #line 12 # Find passthrough HAL implementations #line 12 allow hal_codec2 system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 12 allow hal_codec2 vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 12 allow hal_codec2 vendor_file:file { read open getattr execute map }; #line 12 #line 12 #line 14 #line 14 allow mediaserver property_socket:sock_file write; #line 14 allow mediaserver init:unix_stream_socket connectto; #line 14 #line 14 allow mediaserver audio_prop:property_service set; #line 14 #line 14 allow mediaserver audio_prop:file { getattr open read map }; #line 14 #line 14 #line 16 allow mediaserver drm_service_config_prop:file { getattr open read map }; #line 16 #line 17 allow mediaserver media_config_prop:file { getattr open read map }; #line 17 # Allow MediaCodec running on mediaserver to read media_native flags #line 20 allow mediaserver device_config_media_native_prop:file { getattr open read map }; #line 20 # Allow mediaserver to start media.transcoding service via ctl.start. 
#line 23 #line 23 allow mediaserver property_socket:sock_file write; #line 23 allow mediaserver init:unix_stream_socket connectto; #line 23 #line 23 allow mediaserver ctl_mediatranscoding_prop:property_service set; #line 23 #line 23 allow mediaserver ctl_mediatranscoding_prop:file { getattr open read map }; #line 23 #line 23 ; # Allow mediaserver to read SDK sandbox data files allow mediaserver sdk_sandbox_data_file:file { getattr read }; # Needed for stats callback registration to statsd. allow mediaserver stats_service:service_manager find; allow mediaserver statsmanager_service:service_manager find; #line 31 # Call the server domain and optionally transfer references to it. #line 31 allow mediaserver statsd:binder { call transfer }; #line 31 # Allow the serverdomain to transfer references to the client on the reply. #line 31 allow statsd mediaserver:binder transfer; #line 31 # Receive and use open files from the server. #line 31 allow mediaserver statsd:fd use; #line 31 # Allow mediaserver to communicate with Surface provided # by virtual camera. #line 35 # Call the server domain and optionally transfer references to it. #line 35 allow mediaserver virtual_camera:binder { call transfer }; #line 35 # Allow the serverdomain to transfer references to the client on the reply. #line 35 allow virtual_camera mediaserver:binder transfer; #line 35 # Receive and use open files from the server. #line 35 allow mediaserver virtual_camera:fd use; #line 35 #line 1 "system/sepolicy/private/mediaswcodec.te" typeattribute mediaswcodec coredomain; #line 3 #line 3 # Allow the necessary permissions. #line 3 #line 3 # Old domain may exec the file and transition to the new domain. #line 3 allow init mediaswcodec_exec:file { getattr open read execute map }; #line 3 allow init mediaswcodec:process transition; #line 3 # New domain is entered by executing the file. 
#line 3 allow mediaswcodec mediaswcodec_exec:file { entrypoint open read execute getattr map }; #line 3 # New domain can send SIGCHLD to its caller. #line 3 #line 3 # Enable AT_SECURE, i.e. libc secure mode. #line 3 dontaudit init mediaswcodec:process noatsecure; #line 3 # XXX dontaudit candidate but requires further study. #line 3 allow init mediaswcodec:process { siginh rlimitinh }; #line 3 #line 3 # Make the transition occur by default. #line 3 type_transition init mediaswcodec_exec:process mediaswcodec; #line 3 #line 3 #line 5 allow mediaswcodec device_config_media_native_prop:file { getattr open read map }; #line 5 #line 6 allow mediaswcodec device_config_swcodec_native_prop:file { getattr open read map }; #line 6 #line 1 "system/sepolicy/private/mediatranscoding.te" # mediatranscoding - daemon for transcoding video and image. type mediatranscoding_exec, system_file_type, exec_type, file_type; type mediatranscoding_tmpfs, file_type; typeattribute mediatranscoding coredomain; #line 6 #line 6 # Allow the necessary permissions. #line 6 #line 6 # Old domain may exec the file and transition to the new domain. #line 6 allow init mediatranscoding_exec:file { getattr open read execute map }; #line 6 allow init mediatranscoding:process transition; #line 6 # New domain is entered by executing the file. #line 6 allow mediatranscoding mediatranscoding_exec:file { entrypoint open read execute getattr map }; #line 6 # New domain can send SIGCHLD to its caller. #line 6 #line 6 # Enable AT_SECURE, i.e. libc secure mode. #line 6 dontaudit init mediatranscoding:process noatsecure; #line 6 # XXX dontaudit candidate but requires further study. #line 6 allow init mediatranscoding:process { siginh rlimitinh }; #line 6 #line 6 # Make the transition occur by default. 
#line 6 type_transition init mediatranscoding_exec:process mediatranscoding; #line 6 #line 6 #line 7 type_transition mediatranscoding tmpfs:file mediatranscoding_tmpfs; #line 7 allow mediatranscoding mediatranscoding_tmpfs:file { read write getattr map }; #line 7 allow mediatranscoding appdomain_tmpfs:file { getattr map read write }; #line 10 # Call the servicemanager and transfer references to it. #line 10 allow mediatranscoding servicemanager:binder { call transfer }; #line 10 # Allow servicemanager to send out callbacks #line 10 allow servicemanager mediatranscoding:binder { call transfer }; #line 10 # servicemanager performs getpidcon on clients. #line 10 allow servicemanager mediatranscoding:dir search; #line 10 allow servicemanager mediatranscoding:file { read open }; #line 10 allow servicemanager mediatranscoding:process getattr; #line 10 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 10 # all domains in domain.te. #line 10 #line 11 # Call the server domain and optionally transfer references to it. #line 11 allow mediatranscoding binderservicedomain:binder { call transfer }; #line 11 # Allow the serverdomain to transfer references to the client on the reply. #line 11 allow binderservicedomain mediatranscoding:binder transfer; #line 11 # Receive and use open files from the server. #line 11 allow mediatranscoding binderservicedomain:fd use; #line 11 #line 12 # Call the server domain and optionally transfer references to it. #line 12 allow mediatranscoding appdomain:binder { call transfer }; #line 12 # Allow the serverdomain to transfer references to the client on the reply. #line 12 allow appdomain mediatranscoding:binder transfer; #line 12 # Receive and use open files from the server. 
#line 12 allow mediatranscoding appdomain:fd use; #line 12 #line 13 typeattribute mediatranscoding binderservicedomain; #line 13 #line 15 allow mediatranscoding mediatranscoding_service:service_manager { add find }; #line 15 neverallow { domain -mediatranscoding } mediatranscoding_service:service_manager add; #line 15 #line 15 # On debug builds with root, allow binder services to use binder over TCP. #line 15 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 15 #line 15 #line 17 typeattribute mediatranscoding halclientdomain; #line 17 typeattribute mediatranscoding hal_graphics_allocator_client; #line 17 #line 17 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 17 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 17 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 17 #line 17 typeattribute mediatranscoding hal_graphics_allocator; #line 17 # Find passthrough HAL implementations #line 17 allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 17 allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 17 allow hal_graphics_allocator vendor_file:file { read open getattr execute map }; #line 17 #line 17 #line 18 typeattribute mediatranscoding halclientdomain; #line 18 typeattribute mediatranscoding hal_configstore_client; #line 18 #line 18 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 18 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 18 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). 
#line 18 #line 18 typeattribute mediatranscoding hal_configstore; #line 18 # Find passthrough HAL implementations #line 18 allow hal_configstore system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 18 allow hal_configstore vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 18 allow hal_configstore vendor_file:file { read open getattr execute map }; #line 18 #line 18 #line 19 typeattribute mediatranscoding halclientdomain; #line 19 typeattribute mediatranscoding hal_omx_client; #line 19 #line 19 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 19 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 19 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 19 #line 19 typeattribute mediatranscoding hal_omx; #line 19 # Find passthrough HAL implementations #line 19 allow hal_omx system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 19 allow hal_omx vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 19 allow hal_omx vendor_file:file { read open getattr execute map }; #line 19 #line 19 #line 20 typeattribute mediatranscoding halclientdomain; #line 20 typeattribute mediatranscoding hal_codec2_client; #line 20 #line 20 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 20 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 20 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). 
#line 20 #line 20 typeattribute mediatranscoding hal_codec2; #line 20 # Find passthrough HAL implementations #line 20 allow hal_codec2 system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 20 allow hal_codec2 vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 20 allow hal_codec2 vendor_file:file { read open getattr execute map }; #line 20 #line 20 #line 21 typeattribute mediatranscoding halclientdomain; #line 21 typeattribute mediatranscoding hal_allocator_client; #line 21 #line 21 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 21 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 21 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 21 #line 21 typeattribute mediatranscoding hal_allocator; #line 21 # Find passthrough HAL implementations #line 21 allow hal_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 21 allow hal_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 21 allow hal_allocator vendor_file:file { read open getattr execute map }; #line 21 #line 21 allow mediatranscoding mediaserver_service:service_manager find; allow mediatranscoding mediametrics_service:service_manager find; allow mediatranscoding mediaextractor_service:service_manager find; allow mediatranscoding package_native_service:service_manager find; allow mediatranscoding thermal_service:service_manager find; allow mediatranscoding system_server:fd use; allow mediatranscoding activity_service:service_manager find; # allow mediatranscoding service read/write permissions for file sources allow mediatranscoding sdcardfs:file { getattr read write }; allow mediatranscoding media_rw_data_file:file { getattr read write }; allow mediatranscoding apk_data_file:file { getattr read }; allow mediatranscoding app_data_file:file { getattr read write }; allow 
mediatranscoding shell_data_file:file { getattr read write }; # allow mediatranscoding service write permission to statsd socket #line 40 allow mediatranscoding statsdw_socket:sock_file write; #line 40 allow mediatranscoding statsd:unix_dgram_socket sendto; #line 40 # Allow mediatranscoding to access the DMA-BUF system heap allow mediatranscoding dmabuf_system_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads }; allow mediatranscoding gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow mediatranscoding gpu_device:dir { open getattr read search ioctl lock watch watch_reads }; # Allow mediatranscoding service to access media-related system properties #line 49 allow mediatranscoding media_config_prop:file { getattr open read map }; #line 49 # mediatranscoding should never execute any executable without a # domain transition neverallow mediatranscoding { file_type fs_type }:file execute_no_trans; # The goal of the mediaserver split is to place media processing code into # restrictive sandboxes with limited responsibilities and thus limited # permissions. Example: Audioserver is only responsible for controlling audio # hardware and processing audio content. Cameraserver does the same for camera # hardware/content. Etc. # # Media processing code is inherently risky and thus should have limited # permissions and be isolated from the rest of the system and network. # Lengthier explanation here: # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html neverallow mediatranscoding domain:{ udp_socket rawip_socket } *; neverallow mediatranscoding { domain }:tcp_socket *; #line 1 "system/sepolicy/private/mediatuner.te" # mediatuner - mediatuner daemon type mediatuner, domain; type mediatuner_exec, system_file_type, exec_type, file_type; typeattribute mediatuner coredomain; #line 7 #line 7 # Allow the necessary permissions. 
# init may exec mediatuner_exec and transition into the mediatuner domain.
allow init mediatuner_exec:file { getattr open read execute map };
allow init mediatuner:process transition;
# The new domain is entered by executing the file.
allow mediatuner mediatuner_exec:file { entrypoint open read execute getattr map };
# Enable AT_SECURE, i.e. libc secure mode (the denial is silenced, not granted).
dontaudit init mediatuner:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init mediatuner:process { siginh rlimitinh };
# Make the transition occur by default.
type_transition init mediatuner_exec:process mediatuner;

# Client of the TV tuner HAL, including the passthrough (in-process) fallback.
typeattribute mediatuner halclientdomain;
typeattribute mediatuner hal_tv_tuner_client;
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
# non-Treble devices. For now, on non-Treble devices, always grant clients of a
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
typeattribute mediatuner hal_tv_tuner;
# Find passthrough HAL implementations.
allow hal_tv_tuner { system_file vendor_file }:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_tv_tuner vendor_file:file { read open getattr execute map };

# Talk to servicemanager; servicemanager calls back and performs getpidcon on
# its clients (hence the dir/file/process rules on the mediatuner label).
allow mediatuner servicemanager:binder { call transfer };
allow servicemanager mediatuner:binder { call transfer };
allow servicemanager mediatuner:dir search;
allow servicemanager mediatuner:file { read open };
allow servicemanager mediatuner:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.

# mediatuner may call into *any* app process (appdomain is the attribute
# shared by all app domains) and use descriptors received from them; apps
# themselves may only transfer references back on the reply.
allow mediatuner appdomain:binder { call transfer };
allow appdomain mediatuner:binder transfer;
allow mediatuner appdomain:fd use;

typeattribute mediatuner binderservicedomain;

# Registers mediatuner_service; no other domain may register it.
allow mediatuner mediatuner_service:service_manager { add find };
neverallow { domain -mediatuner } mediatuner_service:service_manager add;

allow mediatuner { tv_tuner_resource_mgr_service package_native_service }:service_manager find;

# Call system_server and use the descriptors it hands over. (The original
# expansion listed system_server:fd use twice; once is sufficient.)
allow mediatuner system_server:binder { call transfer };
allow system_server mediatuner:binder transfer;
allow mediatuner system_server:fd use;

# Read ro.tuner.lazyhal
allow mediatuner tuner_config_prop:file { getattr open read map };
# Read tuner.server.enable
allow mediatuner tuner_server_ctl_prop:file { getattr open read map };

###
### neverallow rules
###

# mediatuner should never execute any executable without a domain transition.
neverallow mediatuner { file_type fs_type }:file execute_no_trans;

# Privileged socket ioctl commands are denied on every raw/tcp/udp socket,
# whichever domain owns it. The list is identical to the one granted to
# network_stack's own UDP sockets further down in this policy; the group
# comments come from the shared ioctl list it expands from.
neverallowxperm mediatuner domain:{ rawip_socket tcp_socket udp_socket } ioctl {
    # qualcomm rmnet ioctls
    0x00006900 0x00006902
    # socket ioctls
    0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
    0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
    0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
    0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
    0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
    0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
    0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
    0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
    0x00008991 0x00008992 0x00008993 0x00008994
    0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
    # device and protocol specific ioctls
    0x000089f0-0x000089ff
    0x000089e0-0x000089ef
    # Wireless extension ioctls
    0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
    0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
    0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
    0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
    0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
    0x00008b34 0x00008b35 0x00008b36
    # Dev private ioctl i.e. hardware specific ioctls
    0x00008be0-0x00008bff
};

#line 1 "system/sepolicy/private/migrate_legacy_obb_data.te"
# Domain for the legacy OBB data migration helper (what it does is inferred
# from its name; the rules below are the only authoritative description).
type migrate_legacy_obb_data, domain, coredomain;
type migrate_legacy_obb_data_exec, system_file_type, exec_type, file_type;

# Full create/rename/delete access on media_rw_data_file and on every
# sdcard_type filesystem, plus the path components needed to reach them.
allow migrate_legacy_obb_data { media_rw_data_file sdcard_type }:dir {
    create reparent rename rmdir setattr
    open getattr read search ioctl lock watch watch_reads
    write add_name remove_name
};
allow migrate_legacy_obb_data { media_rw_data_file sdcard_type }:file {
    create rename setattr unlink
    getattr open read ioctl lock map watch watch_reads
    append write
};
allow migrate_legacy_obb_data { mnt_user_file storage_file }:dir search;
allow migrate_legacy_obb_data { mnt_user_file storage_file }:lnk_file read;

# Shell and toolbox binaries run *inside this domain* (execute_no_trans), so
# any command they launch inherits the capabilities granted below.
allow migrate_legacy_obb_data { shell_exec toolbox_exec }:file {
    getattr open read ioctl lock map watch watch_reads execute execute_no_trans
};

# Ownership/permission fix-ups while moving data. dac_override and
# dac_read_search bypass DAC entirely, which is why the file-type reach of this
# domain is kept to the storage labels above.
allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };

# TODO: This should not be necessary. We don't deliberately hand over
# any open file descriptors to this domain, so anything that triggers this
# should be a candidate for O_CLOEXEC.
allow migrate_legacy_obb_data installd:fd use;

# This rule is required to let this process read /proc/{parent_pid}/mount.
# TODO: Why is this required ? Files carrying the installd label are
# presumably installd's own /proc entries, so this grants more than just the
# mounts file — worth narrowing once the need is understood.
allow migrate_legacy_obb_data installd:file read;

#line 1 "system/sepolicy/private/misctrl.te"
# binary for generic misc partition management
type misctrl, domain, coredomain;
type misctrl_exec, system_file_type, exec_type, file_type;

# init execs misctrl_exec and transitions into the misctrl domain.
allow init misctrl_exec:file { getattr open read execute map };
allow init misctrl:process transition;
allow misctrl misctrl_exec:file { entrypoint open read execute getattr map };
# Enable AT_SECURE, i.e. libc secure mode (denial silenced, not granted).
dontaudit init misctrl:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init misctrl:process { siginh rlimitinh };
type_transition init misctrl_exec:process misctrl;

# Direct read/write access to the misc partition block device.
allow misctrl misc_block_device:blk_file { getattr open read ioctl lock map watch watch_reads append write };
allow misctrl block_device:dir { open getattr read search ioctl lock watch watch_reads };

# Inputs for locating the fstab: GSI metadata plus bootconfig/cmdline.
allow misctrl { metadata_file gsi_metadata_file_type }:dir search;
allow misctrl gsi_public_metadata_file:file { getattr open read ioctl lock map watch watch_reads };
allow misctrl { proc_bootconfig proc_cmdline }:file { getattr open read ioctl lock map watch watch_reads };

# Set misctrl_prop through the property service.
allow misctrl property_socket:sock_file write;
allow misctrl init:unix_stream_socket connectto;
allow misctrl misctrl_prop:property_service set;
allow misctrl misctrl_prop:file { getattr open read map };

# bootloader_message tries to find the fstab in the device config path first,
# but because we've already booted up we can use the ro.boot properties instead,
# so we can just ignore the SELinux denial. (These are dontaudit: nothing is
# granted, the log noise is simply suppressed.)
dontaudit misctrl sysfs_dt_firmware_android:dir search;
dontaudit misctrl vendor_property_type:file read;

#line 1 "system/sepolicy/private/mlstrustedsubject.te"
# MLS override can't be used to access private app data.
# Apps should not normally be mlstrustedsubject, but if they must be
# they cannot use this to access app private data files; their own app
# data files must use a different label.
#
# Three layers of restriction:
#  1. on app data *files*, MLS-trusted subjects (other than artd and installd)
#     get nothing beyond the read/write-style perms listed;
#  2. on app data *dirs*, nothing beyond read/getattr/search;
#  3. even read/getattr/search on those dirs is reserved for the explicitly
#     listed system domains.
neverallow {
    mlstrustedsubject
    -artd # compile secondary dex files
    -installd
} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
neverallow {
    mlstrustedsubject
    -artd # compile secondary dex files
    -installd
} { app_data_file privapp_data_file }:dir ~{ read getattr search };
neverallow {
    mlstrustedsubject
    -artd # compile secondary dex files
    -installd
    -system_server
    -adbd
    -runas
    -zygote
} { app_data_file privapp_data_file }:dir { read getattr search };

#line 1 "system/sepolicy/private/mm_events.te"
type mm_events, domain, coredomain;
type mm_events_exec, system_file_type, exec_type, file_type;

# init execs mm_events_exec and transitions into the mm_events domain.
allow init mm_events_exec:file { getattr open read execute map };
allow init mm_events:process transition;
allow mm_events mm_events_exec:file { entrypoint open read execute getattr map };
# Enable AT_SECURE, i.e. libc secure mode (denial silenced, not granted).
dontaudit init mm_events:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init mm_events:process { siginh rlimitinh };
# Make the transition occur by default.
type_transition init mm_events_exec:process mm_events;

# Shell and toolbox binaries run inside the mm_events domain itself
# (execute_no_trans).
allow mm_events shell_exec:file {
    getattr open read ioctl lock map watch watch_reads execute execute_no_trans
};
# Allow running the sleep command to rate limit attempts
# to arm mm_events on failure.
allow mm_events toolbox_exec:file {
    getattr open read ioctl lock map watch watch_reads execute execute_no_trans
};

# perfetto: the original expansion granted perfetto_exec both rx perms and the
# exec perms of the auto-transition; rx is already the superset, so one rule
# covers both. Because of the type_transition below an exec of perfetto_exec
# lands in the perfetto domain by default; the execute_no_trans here would only
# come into play if that transition were explicitly overridden.
allow mm_events perfetto_exec:file {
    getattr open read ioctl lock map watch watch_reads execute execute_no_trans
};
allow mm_events perfetto:process transition;
# The perfetto domain is entered by executing the file.
allow perfetto perfetto_exec:file { entrypoint open read execute getattr map };
# The new domain can send SIGCHLD to its caller.
allow perfetto mm_events:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode (denial silenced, not granted).
dontaudit mm_events perfetto:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow mm_events perfetto:process { siginh rlimitinh };
# Make the transition occur by default.
type_transition mm_events perfetto_exec:process perfetto;

#line 1 "system/sepolicy/private/modprobe.te"
typeattribute modprobe coredomain;

#line 1 "system/sepolicy/private/mtectrl.te"
# mtectrl is a tool to request MTE (Memory Tagging Extensions) from the bootloader.
type mtectrl, domain, coredomain;
type mtectrl_exec, system_file_type, exec_type, file_type;

# init execs mtectrl_exec and transitions into the mtectrl domain; the
# expanded rules follow.
allow init mtectrl_exec:file { getattr open read execute map };
allow init mtectrl:process transition;
# The new domain is entered by executing the file.
allow mtectrl mtectrl_exec:file { entrypoint open read execute getattr map };
# Enable AT_SECURE, i.e. libc secure mode (denial silenced, not granted).
dontaudit init mtectrl:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init mtectrl:process { siginh rlimitinh };
# Make the transition occur by default.
type_transition init mtectrl_exec:process mtectrl;

# Set arm64_memtag_prop through the property service, to make the sys prop
# match the bootloader message state.
allow mtectrl property_socket:sock_file write;
allow mtectrl init:unix_stream_socket connectto;
allow mtectrl arm64_memtag_prop:property_service set;
allow mtectrl arm64_memtag_prop:file { getattr open read map };

# mtectrl communicates the request to the bootloader via the misc partition.
# It needs to write to update the request in the misc partition, and read to
# sync back to the property.
allow mtectrl misc_block_device:blk_file { getattr open read ioctl lock map watch watch_reads append write };
allow mtectrl block_device:dir { open getattr read search ioctl lock watch watch_reads };

# Inputs for locating the fstab: GSI metadata plus bootconfig/cmdline.
allow mtectrl { metadata_file gsi_metadata_file_type }:dir search;
allow mtectrl gsi_public_metadata_file:file { getattr open read ioctl lock map watch watch_reads };
allow mtectrl { proc_bootconfig proc_cmdline }:file { getattr open read ioctl lock map watch watch_reads };

# bootloader_message tries to find the fstab in the device config path first,
# but because we've already booted up we can use the ro.boot properties instead,
# so we can just ignore the SELinux denial (dontaudit: suppressed, not granted).
dontaudit mtectrl sysfs_dt_firmware_android:dir search;
dontaudit mtectrl vendor_property_type:file read;

#line 1 "system/sepolicy/private/net.te"
# Bind to ports. Ephemeral apps and the SDK sandbox are carved out of the
# netdomain attribute here.
allow { netdomain -ephemeral_app -sdk_sandbox_all } node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
allow { netdomain -ephemeral_app -sdk_sandbox_all } port_type:{ udp_socket tcp_socket } name_bind;

# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
# untrusted_apps.
# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
# to avoid app-compat breakage.
allow {
    netdomain
    -ephemeral_app
    -mediaprovider
    -priv_app
    -sdk_sandbox_all
    -untrusted_app_all
} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };

#line 1 "system/sepolicy/private/netd.te"
typeattribute netd coredomain;
typeattribute netd bpfdomain;

# init execs netd_exec and transitions into the netd domain.
allow init netd_exec:file { getattr open read execute map };
allow init netd:process transition;
allow netd netd_exec:file { entrypoint open read execute getattr map };
# Enable AT_SECURE, i.e. libc secure mode (denial silenced, not granted).
dontaudit init netd:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init netd:process { siginh rlimitinh };
# Make the transition occur by default.
type_transition init netd_exec:process netd;

# Allow netd to spawn dnsmasq in its own domain; the expanded auto-transition
# rules follow.
allow netd dnsmasq_exec:file { getattr open read execute map };
allow netd dnsmasq:process transition;
# The dnsmasq domain is entered by executing the file.
allow dnsmasq dnsmasq_exec:file { entrypoint open read execute getattr map };
# The new domain can send SIGCHLD to its caller.
allow dnsmasq netd:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode (denial silenced, not granted).
dontaudit netd dnsmasq:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow netd dnsmasq:process { siginh rlimitinh };
# Make the transition occur by default.
type_transition netd dnsmasq_exec:process dnsmasq;

# Pinned BPF objects: netd may read every subtree listed, but write only the
# fs_bpf root and the netd-shared subtree.
allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:dir search;
allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
allow netd { fs_bpf fs_bpf_netd_shared }:file write;

# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
# the map created by bpfloader
allow netd bpfloader:bpf { prog_run map_read map_write };

# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
# TODO: Remove this permission when 4.9 kernel is deprecated.
# TODO: Remove this after we remove all bpf interactions from netd.
allow netd self:key_socket create;

# Property service access for ctl.mdnsd and the stable-secret property. The
# original expansion emitted the property_socket/connectto pair once per
# property; a single copy is equivalent.
allow netd property_socket:sock_file write;
allow netd init:unix_stream_socket connectto;
allow netd { ctl_mdnsd_prop netd_stable_secret_prop }:property_service set;
allow netd { ctl_mdnsd_prop netd_stable_secret_prop }:file { getattr open read map };

# Read-only properties: adbd config, hwservicemanager, netd_native device_config flags.
allow netd { adbd_config_prop hwservicemanager_prop device_config_netd_native_prop }:file { getattr open read map };

# Allow netd to write to statsd.
allow netd statsdw_socket:sock_file write;
allow netd statsd:unix_dgram_socket sendto;

# Allow netd to send callbacks to network_stack (and use the descriptors it
# receives on the reply).
allow netd network_stack:binder { call transfer };
allow network_stack netd:binder transfer;
allow netd network_stack:fd use;

# Allow netd to send dump info to dumpstate
allow netd dumpstate:fd use;
allow netd dumpstate:fifo_file { getattr write };

# persist.netd.stable_secret contains RFC 7217 secret key which should never be
# leaked to other processes. Make sure it never leaks.
# NOTE: as written, dumpstate is exempted from this read restriction alongside
# netd and init, so the property area holding the secret is readable during
# bugreport collection. The write restriction that follows has no such
# exemption.
neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file {
    getattr open read ioctl lock map watch watch_reads
};

# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;

#line 1 "system/sepolicy/private/netutils_wrapper.te"
typeattribute netutils_wrapper coredomain;
typeattribute netutils_wrapper bpfdomain;

# Read-only access to system_file directories, files and symlinks.
allow netutils_wrapper system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow netutils_wrapper system_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };

# For netutils (ip, iptables, tc). These binaries run *inside* this domain
# (execute_no_trans on system_file), so their reach is bounded by the
# capability neverallow at the end of this file rather than by a transition.
allow netutils_wrapper self:{ capability cap_userns } { net_raw net_admin };
allow netutils_wrapper system_file:file { execute execute_no_trans };
allow netutils_wrapper proc_net_type:file { open read getattr };
allow netutils_wrapper self:{ rawip_socket udp_socket } {
    create ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map
};

# ip utils need everything but ioctl
allow netutils_wrapper self:netlink_route_socket ~ioctl;
allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;

# For netutils (ndc) to be able to talk to netd
allow netutils_wrapper { netd_service dnsresolver_service mdns_service }:service_manager find;

# Talk to servicemanager; servicemanager calls back and performs getpidcon on
# its clients.
allow netutils_wrapper servicemanager:binder { call transfer };
allow servicemanager netutils_wrapper:binder { call transfer };
allow servicemanager netutils_wrapper:dir search;
allow servicemanager netutils_wrapper:file { read open };
allow servicemanager netutils_wrapper:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.

# Call netd and use descriptors it hands back on the reply.
allow netutils_wrapper netd:binder { call transfer };
allow netd netutils_wrapper:binder transfer;
allow netutils_wrapper netd:fd use;

# For vendor code that updates the iptables rules at runtime. They need to reload
# the whole chain including the xt_bpf rules, and to access the pinned program
# when reloading the rule. Write access is limited to fs_bpf itself.
allow netutils_wrapper { fs_bpf fs_bpf_netd_shared fs_bpf_vendor }:dir search;
allow netutils_wrapper { fs_bpf fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
allow netutils_wrapper fs_bpf:file write;
allow netutils_wrapper bpfloader:bpf prog_run;

# For /data/misc/net access to ndc and ip
allow netutils_wrapper net_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow netutils_wrapper net_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };

# Auto-transition into netutils_wrapper for every domain that is neither core
# nor an app (i.e. vendor code) when it execs netutils_wrapper_exec. The
# remaining expanded rules follow.
allow { domain -coredomain -appdomain } netutils_wrapper_exec:file { getattr open read execute map };
allow { domain -coredomain -appdomain } netutils_wrapper:process transition;
# New domain is entered by executing the file.
allow netutils_wrapper netutils_wrapper_exec:file { entrypoint open read execute getattr map };
# New domain can send SIGCHLD to its (non-core, non-app) callers.
allow netutils_wrapper { domain -coredomain -appdomain }:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode (denial silenced, not granted).
dontaudit { domain -coredomain -appdomain } netutils_wrapper:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow { domain -coredomain -appdomain } netutils_wrapper:process { siginh rlimitinh };
# Make the transition occur by default.
type_transition { domain -coredomain -appdomain } netutils_wrapper_exec:process netutils_wrapper;

# suppress spurious denials
dontaudit netutils_wrapper self:{ capability cap_userns } sys_resource;
dontaudit netutils_wrapper sysfs_type:file read;

# netutils wrapper may only use the following capabilities.
neverallow netutils_wrapper self:{ capability cap_userns } ~{ net_admin net_raw };

#line 1 "system/sepolicy/private/network_stack.te"
# Networking service app
typeattribute network_stack coredomain;
typeattribute network_stack mlstrustedsubject;
typeattribute network_stack bpfdomain;

# network_stack is an app domain.
typeattribute network_stack appdomain;
# Label tmpfs objects for all apps.
type_transition network_stack tmpfs:file appdomain_tmpfs;

# Set up a type_transition to "userfaultfd" named anonymous inode object.
type network_stack_userfaultfd;
type_transition network_stack network_stack:anon_inode network_stack_userfaultfd "[userfaultfd]";
# Allow domain to create/use userfaultfd anon_inode.
allow network_stack network_stack_userfaultfd:anon_inode { create ioctl read };
# Suppress errors generated during bugreport.
dontaudit su network_stack_userfaultfd:anon_inode *;
# Other domains may not use userfaultfd anon_inodes created by this domain.
neverallow { domain -network_stack } network_stack_userfaultfd:anon_inode *;

allow network_stack appdomain_tmpfs:file { execute getattr map read write };

# App file privacy: network_stack may not read or write files carrying any
# other domain's label, and no other app domain may touch network_stack's
# files (runas_app, shell and simpleperf excepted). The first rule subtracts
# from a single type exactly as the app_domain expansion wrote it.
neverallow { network_stack -runas_app -shell -simpleperf } { domain -network_stack }:file {
    append create link unlink relabelfrom rename setattr write
    open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads
};
neverallow { appdomain -runas_app -shell -simpleperf -network_stack } network_stack:file {
    append create link unlink relabelfrom rename setattr write
    open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads
};

# The Android security model guarantees the confidentiality and integrity
# of application data and execution state. Ptrace bypasses those
# confidentiality guarantees. Disallow ptrace access from system components to
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
# traces. runas_app is excluded, as it operates only on debuggable apps.
# simpleperf is excluded, as it operates only on debuggable or profileable
# apps. The upstream comment also names llkd (live-lock detection), but llkd
# is NOT in the exemption list of the rule that follows — do not assume it
# can ptrace this domain.
# Only crash_dump, runas_app and simpleperf may ptrace network_stack. (The
# preceding comment mentions llkd as well, but llkd is not exempted by this
# rule as written.)
neverallow { domain -network_stack -crash_dump -runas_app -simpleperf } network_stack:process ptrace;

# network_stack is a networking domain.
typeattribute network_stack netdomain;

allow network_stack self:{ capability cap_userns } { net_admin net_bind_service net_broadcast net_raw };
allow network_stack self:{ capability2 cap2_userns } wake_alarm;

# Allow access to net_admin ioctl, DHCP server uses SIOCSARP. This is the same
# privileged-socket-ioctl list that mediatuner is denied earlier in this
# policy; here it is granted, but only on network_stack's own UDP sockets.
allowxperm network_stack self:udp_socket ioctl {
    # qualcomm rmnet ioctls
    0x00006900 0x00006902
    # socket ioctls
    0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
    0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
    0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
    0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
    0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
    0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
    0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
    0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
    0x00008991 0x00008992 0x00008993 0x00008994
    0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
    # device and protocol specific ioctls
    0x000089f0-0x000089ff
    0x000089e0-0x000089ef
    # Wireless extension ioctls
    0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
    0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
    0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
    0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
    0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
    0x00008b34 0x00008b35 0x00008b36
    # Dev private ioctl i.e. hardware specific ioctls
    0x00008be0-0x00008bff
};

# The DhcpClient uses packet_sockets (no ioctl on them).
allow network_stack self:packet_socket {
    create read getattr write setattr lock append bind connect getopt setopt shutdown map
};
# Monitor neighbors via netlink.
allow network_stack self:netlink_route_socket nlmsg_write;
# Use netlink uevent sockets, and give network_stack the same nflog / generic /
# plain netlink permissions as netd (again without ioctl).
allow network_stack self:{
    netlink_kobject_uevent_socket
    netlink_nflog_socket
    netlink_socket
    netlink_generic_socket
} { create read getattr write setattr lock append bind connect getopt setopt shutdown map };

allow network_stack {
    app_api_service
    dnsresolver_service
    mdns_service
    netd_service
    network_watchlist_service
    radio_service
    system_config_service
}:service_manager find;

allow network_stack radio_data_file:dir {
    create reparent rename rmdir setattr
    open getattr read search ioctl lock watch watch_reads
    write add_name remove_name
};
allow network_stack radio_data_file:file {
    create rename setattr unlink
    getattr open read ioctl lock map watch watch_reads
    append write
};

# Call netd and use the descriptors it hands back on the reply.
allow network_stack netd:binder { call transfer };
allow netd network_stack:binder transfer;
allow network_stack netd:fd use;

# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
allow network_stack self:key_socket create;
# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
dontaudit network_stack self:key_socket getopt;

# Grant read permission of connectivity namespace system property prefix.
allow network_stack device_config_connectivity_prop:file { getattr open read map };

# Create/use netlink_tcpdiag_socket to get tcp info
allow network_stack self:netlink_tcpdiag_socket {
    create read getattr write setattr lock append bind connect getopt setopt shutdown map
    nlmsg_read nlmsg_write
};

############### Tethering Service app - Tethering.apk ##############
# Client of the tetheroffload HAL, including the passthrough (in-process) fallback.
typeattribute network_stack halclientdomain;
typeattribute network_stack hal_tetheroffload_client;
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
# non-Treble devices. For now, on non-Treble devices, always grant clients of a
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
typeattribute network_stack hal_tetheroffload;
# Find passthrough HAL implementations
allow hal_tetheroffload { system_file vendor_file }:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_tetheroffload vendor_file:file { read open getattr execute map };

# Create and share netlink_netfilter_sockets for tetheroffload.
allow network_stack self:netlink_netfilter_socket {
    create read getattr write setattr lock append bind connect getopt setopt shutdown map
};

allow network_stack network_stack_service:service_manager find;

# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
allow network_stack {
    fs_bpf_net_private
    fs_bpf_net_shared
    fs_bpf_netd_readonly
    fs_bpf_netd_shared
    fs_bpf_tethering
}:dir search;
allow network_stack {
    fs_bpf_net_private
    fs_bpf_net_shared
    fs_bpf_netd_readonly
    fs_bpf_netd_shared
    fs_bpf_tethering
}:file { getattr read write };
allow network_stack bpfloader:bpf { map_read map_write prog_run };

# allow Tethering(network_stack process) to read flag value in tethering_u_or_later_native namespace
allow network_stack device_config_tethering_u_or_later_native_prop:file { getattr open read map };

# Use XFRM (IPsec) netlink sockets
allow network_stack self:netlink_xfrm_socket {
    create read getattr write setattr lock append bind connect getopt setopt shutdown map
    nlmsg_write nlmsg_read
};

# tun device used for 3rd party vpn apps and test network manager. The ioctl
# allowlist is four 'T' (0x54) ioctls; by the TUN ioctl numbering these look
# like TUNGETIFF / TUNSETIFF / TUNSETLINK / TUNSETCARRIER — confirm against
# <linux/if_tun.h> before relying on that reading.
allow network_stack tun_device:chr_file { getattr open read ioctl lock map watch watch_reads append write };
allowxperm network_stack tun_device:chr_file ioctl { 0x800454d2 0x400454ca 0x400454cd 0x400454e2 };

############### NEVER ALLOW RULES
# This place is as good as any for these rules,
# and it is probably the most appropriate because
# network_stack itself is entirely mainline code.

# T+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_net_private' programs/maps.
neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:dir ~getattr;
neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file *;

# T+: Only the bpfloader, network_stack and system_server should ever touch 'fs_bpf_net_shared' programs/maps.
neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:dir ~getattr; neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file *; # T+: Only the bpfloader, netd, network_stack and system_server should ever touch 'fs_bpf_netd_readonly' programs/maps. # netd's access should be readonly neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:dir ~getattr; neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file *; neverallow netd fs_bpf_netd_readonly:file write; # T+: Only the bpfloader, netd, netutils_wrapper, network_stack and system_server should ever touch 'fs_bpf_netd_shared' programs/maps. # netutils_wrapper requires access to be able to run iptables and only needs readonly access neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:dir ~getattr; neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file *; neverallow netutils_wrapper fs_bpf_netd_shared:file write; # S+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps. neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~getattr; neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file *; #line 1 "system/sepolicy/private/nfc.te" # nfc subsystem typeattribute nfc coredomain, mlstrustedsubject; #line 3 typeattribute nfc appdomain; #line 3 # Label tmpfs objects for all apps. #line 3 type_transition nfc tmpfs:file appdomain_tmpfs; #line 3 #line 3 # Set up a type_transition to "userfaultfd" named anonymous inode object. #line 3 type nfc_userfaultfd; #line 3 type_transition nfc nfc:anon_inode nfc_userfaultfd "[userfaultfd]"; #line 3 # Allow domain to create/use userfaultfd anon_inode. 
#line 3 allow nfc nfc_userfaultfd:anon_inode { create ioctl read }; #line 3 # Suppress errors generated during bugreport #line 3 dontaudit su nfc_userfaultfd:anon_inode *; #line 3 # Other domains may not use userfaultfd anon_inodes created by this domain. #line 3 neverallow { domain -nfc } nfc_userfaultfd:anon_inode *; #line 3 #line 3 allow nfc appdomain_tmpfs:file { execute getattr map read write }; #line 3 neverallow { nfc -runas_app -shell -simpleperf } { domain -nfc }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 3 neverallow { appdomain -runas_app -shell -simpleperf -nfc } nfc:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 3 # The Android security model guarantees the confidentiality and integrity #line 3 # of application data and execution state. Ptrace bypasses those #line 3 # confidentiality guarantees. Disallow ptrace access from system components to #line 3 # apps. crash_dump is excluded, as it needs ptrace access to produce stack #line 3 # traces. runas_app is excluded, as it operates only on debuggable apps. #line 3 # simpleperf is excluded, as it operates only on debuggable or profileable #line 3 # apps. llkd is excluded, as it needs ptrace access to inspect stack traces for #line 3 # live lock conditions. #line 3 neverallow { domain -nfc -crash_dump -runas_app -simpleperf } nfc:process ptrace; #line 3 #line 4 typeattribute nfc netdomain; #line 4 #line 6 typeattribute nfc binderservicedomain; #line 6 #line 7 allow nfc nfc_service:service_manager { add find }; #line 7 neverallow { domain -nfc } nfc_service:service_manager add; #line 7 #line 7 # On debug builds with root, allow binder services to use binder over TCP. #line 7 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 7 #line 7 #line 9 typeattribute nfc halclientdomain; #line 9 typeattribute nfc hal_nfc_client; #line 9 #line 9 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 9 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 9 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 9 #line 9 typeattribute nfc hal_nfc; #line 9 # Find passthrough HAL implementations #line 9 allow hal_nfc system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 9 allow hal_nfc vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 9 allow hal_nfc vendor_file:file { read open getattr execute map }; #line 9 #line 9 # Data file accesses. allow nfc nfc_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow nfc nfc_data_file:{ file lnk_file sock_file fifo_file } { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow nfc nfc_logs_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; allow nfc nfc_logs_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # SoundPool loading and playback allow nfc audioserver_service:service_manager find; allow nfc drmserver_service:service_manager find; allow nfc mediametrics_service:service_manager find; allow nfc mediaextractor_service:service_manager find; allow nfc mediaserver_service:service_manager find; allow nfc radio_service:service_manager find; allow nfc app_api_service:service_manager find; allow nfc system_api_service:service_manager find; allow nfc vr_manager_service:service_manager find; allow nfc secure_element_service:service_manager find; #line 30 #line 30 
allow nfc property_socket:sock_file write; #line 30 allow nfc init:unix_stream_socket connectto; #line 30 #line 30 allow nfc nfc_prop:property_service set; #line 30 #line 30 allow nfc nfc_prop:file { getattr open read map }; #line 30 #line 30 ; # already open bugreport file descriptors may be shared with # the nfc process, from a file in # /data/data/com.android.shell/files/bugreports/bugreport-*. allow nfc shell_data_file:file read; #line 1 "system/sepolicy/private/odrefresh.te" # odrefresh type odrefresh, domain, coredomain; type odrefresh_exec, system_file_type, exec_type, file_type; # Allow odrefresh to create files and directories for on device signing. allow odrefresh apex_module_data_file:dir { getattr search }; allow odrefresh apex_art_data_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelfrom }; allow odrefresh apex_art_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Allow odrefresh to create data files (typically for metrics before statsd starts). allow odrefresh odrefresh_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow odrefresh odrefresh_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; #line 14 # Set up a type_transition to "userfaultfd" named anonymous inode object. #line 14 type odrefresh_userfaultfd; #line 14 type_transition odrefresh odrefresh:anon_inode odrefresh_userfaultfd "[userfaultfd]"; #line 14 # Allow domain to create/use userfaultfd anon_inode. 
#line 14 allow odrefresh odrefresh_userfaultfd:anon_inode { create ioctl read }; #line 14 # Suppress errors generated during bugreport #line 14 dontaudit su odrefresh_userfaultfd:anon_inode *; #line 14 # Other domains may not use userfaultfd anon_inodes created by this domain. #line 14 neverallow { domain -odrefresh } odrefresh_userfaultfd:anon_inode *; #line 14 # Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh # sets up files here and passes file descriptors for dex2oat to write to. allow odrefresh apex_art_staging_data_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelto }; allow odrefresh apex_art_staging_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Run dex2oat in its own sandbox. #line 22 # Allow the necessary permissions. #line 22 #line 22 # Old domain may exec the file and transition to the new domain. #line 22 allow odrefresh dex2oat_exec:file { getattr open read execute map }; #line 22 allow odrefresh dex2oat:process transition; #line 22 # New domain is entered by executing the file. #line 22 allow dex2oat dex2oat_exec:file { entrypoint open read execute getattr map }; #line 22 # New domain can send SIGCHLD to its caller. #line 22 allow dex2oat odrefresh:process sigchld; #line 22 # Enable AT_SECURE, i.e. libc secure mode. #line 22 dontaudit odrefresh dex2oat:process noatsecure; #line 22 # XXX dontaudit candidate but requires further study. #line 22 allow odrefresh dex2oat:process { siginh rlimitinh }; #line 22 #line 22 # Make the transition occur by default. #line 22 type_transition odrefresh dex2oat_exec:process dex2oat; #line 22 # Allow odrefresh to kill dex2oat if compilation times out. allow odrefresh dex2oat:process sigkill; # Run dexoptanalyzer in its own sandbox. #line 28 # Allow the necessary permissions.
#line 28 #line 28 # Old domain may exec the file and transition to the new domain. #line 28 allow odrefresh dexoptanalyzer_exec:file { getattr open read execute map }; #line 28 allow odrefresh dexoptanalyzer:process transition; #line 28 # New domain is entered by executing the file. #line 28 allow dexoptanalyzer dexoptanalyzer_exec:file { entrypoint open read execute getattr map }; #line 28 # New domain can send SIGCHLD to its caller. #line 28 allow dexoptanalyzer odrefresh:process sigchld; #line 28 # Enable AT_SECURE, i.e. libc secure mode. #line 28 dontaudit odrefresh dexoptanalyzer:process noatsecure; #line 28 # XXX dontaudit candidate but requires further study. #line 28 allow odrefresh dexoptanalyzer:process { siginh rlimitinh }; #line 28 #line 28 # Make the transition occur by default. #line 28 type_transition odrefresh dexoptanalyzer_exec:process dexoptanalyzer; #line 28 # Allow odrefresh to kill dexoptanalyzer if analysis times out. allow odrefresh dexoptanalyzer:process sigkill; # Use devpts and fd from odsign (which exec()'s odrefresh) allow odrefresh odsign_devpts:chr_file { read write }; allow odrefresh odsign:fd use; # Allow odrefresh to read /apex/apex-info-list.xml to determine # whether current apex is in /system or /data. allow odrefresh apex_info_file:file { getattr open read ioctl lock map watch watch_reads }; # Allow updating boot animation status. 
#line 42 #line 42 allow odrefresh property_socket:sock_file write; #line 42 allow odrefresh init:unix_stream_socket connectto; #line 42 #line 42 allow odrefresh bootanim_system_prop:property_service set; #line 42 #line 42 allow odrefresh bootanim_system_prop:file { getattr open read map }; #line 42 #line 42 # Allow querying ART device config properties #line 45 allow odrefresh device_config_runtime_native_prop:file { getattr open read map }; #line 45 #line 46 allow odrefresh device_config_runtime_native_boot_prop:file { getattr open read map }; #line 46 # Do not audit unused resources from parent processes (adb, shell, su). # These appear to be unnecessary for odrefresh. dontaudit odrefresh { adbd shell }:fd use; dontaudit odrefresh devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; dontaudit odrefresh adbd:unix_stream_socket { getattr read write }; # No other processes should be creating files in the staging area. neverallow { domain -init -odrefresh -compos_fd_server } apex_art_staging_data_file:file open; # No processes other than init, odrefresh and system_server may access # odrefresh_data_files. neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *; neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *; #line 1 "system/sepolicy/private/odsign.te" # odsign - on-device signing. type odsign, domain; # odsign - Binary for signing ART artifacts. typeattribute odsign coredomain; type odsign_exec, exec_type, file_type, system_file_type; # Allow init to start odsign #line 10 #line 10 # Allow the necessary permissions. #line 10 #line 10 # Old domain may exec the file and transition to the new domain. #line 10 allow init odsign_exec:file { getattr open read execute map }; #line 10 allow init odsign:process transition; #line 10 # New domain is entered by executing the file.
#line 10 allow odsign odsign_exec:file { entrypoint open read execute getattr map }; #line 10 # New domain can send SIGCHLD to its caller. #line 10 #line 10 # Enable AT_SECURE, i.e. libc secure mode. #line 10 dontaudit init odsign:process noatsecure; #line 10 # XXX dontaudit candidate but requires further study. #line 10 allow init odsign:process { siginh rlimitinh }; #line 10 #line 10 # Make the transition occur by default. #line 10 type_transition init odsign_exec:process odsign; #line 10 #line 10 # Allow using persistent storage in /data/odsign allow odsign odsign_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow odsign odsign_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Allow using persistent storage in /data/odsign/metrics - to add metrics related files allow odsign odsign_metrics_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; allow odsign odsign_metrics_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Create and use pty created by android_fork_execvp(). #line 21 # Each domain gets a unique devpts type. #line 21 type odsign_devpts, fs_type; #line 21 # Label the pty with the unique type when created. #line 21 type_transition odsign devpts:chr_file odsign_devpts; #line 21 # Allow use of the pty after creation. #line 21 allow odsign odsign_devpts:chr_file { open getattr read write ioctl }; #line 21 allowxperm odsign odsign_devpts:chr_file ioctl { #line 21 0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414 #line 21 0x0000540e 0x0000540b 0x00005410 0x0000540f #line 21 }; #line 21 # TIOCSTI is only ever used for exploits. Block it. 
#line 21 # b/33073072, b/7530569 #line 21 # http://www.openwall.com/lists/oss-security/2016/09/26/14 #line 21 neverallowxperm * odsign_devpts:chr_file ioctl 0x00005412; #line 21 # Note: devpts:dir search and ptmx_device:chr_file rw_file_perms #line 21 # allowed to everyone via domain.te. #line 21 # FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY on ART data files allowxperm odsign apex_art_data_file:file ioctl { 0x6685 0x6686 0x80086601 }; # talk to binder services (for keystore) #line 29 # Call the servicemanager and transfer references to it. #line 29 allow odsign servicemanager:binder { call transfer }; #line 29 # Allow servicemanager to send out callbacks #line 29 allow servicemanager odsign:binder { call transfer }; #line 29 # servicemanager performs getpidcon on clients. #line 29 allow servicemanager odsign:dir search; #line 29 allow servicemanager odsign:file { read open }; #line 29 allow servicemanager odsign:process getattr; #line 29 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 29 # all domains in domain.te. #line 29 ; # talk to keystore specifically #line 32 allow keystore odsign:dir search; #line 32 allow keystore odsign:file { read open }; #line 32 allow keystore odsign:process getattr; #line 32 allow odsign apc_service:service_manager find; #line 32 allow odsign keystore_service:service_manager find; #line 32 allow odsign legacykeystore_service:service_manager find; #line 32 #line 32 # Call the server domain and optionally transfer references to it. #line 32 allow odsign keystore:binder { call transfer }; #line 32 # Allow the serverdomain to transfer references to the client on the reply. #line 32 allow keystore odsign:binder transfer; #line 32 # Receive and use open files from the server. #line 32 allow odsign keystore:fd use; #line 32 #line 32 #line 32 # Call the server domain and optionally transfer references to it. 
#line 32 allow keystore odsign:binder { call transfer }; #line 32 # Allow the serverdomain to transfer references to the client on the reply. #line 32 allow odsign keystore:binder transfer; #line 32 # Receive and use open files from the server. #line 32 allow keystore odsign:fd use; #line 32 #line 32 ; # Use our dedicated keystore key allow odsign odsign_key:keystore2_key { delete get_info rebind use }; # talk to keymaster #line 43 typeattribute odsign halclientdomain; #line 43 typeattribute odsign hal_keymaster_client; #line 43 #line 43 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 43 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 43 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 43 #line 43 typeattribute odsign hal_keymaster; #line 43 # Find passthrough HAL implementations #line 43 allow hal_keymaster system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 43 allow hal_keymaster vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 43 allow hal_keymaster vendor_file:file { read open getattr execute map }; #line 43 #line 43 # For ART apex data dir access allow odsign apex_module_data_file:dir { getattr search }; allow odsign apex_art_data_file:dir { { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } rmdir rename }; allow odsign apex_art_data_file:file { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } unlink }; # Run odrefresh to refresh ART artifacts #line 52 # Allow the necessary permissions. #line 52 #line 52 # Old domain may exec the file and transition to the new domain. #line 52 allow odsign odrefresh_exec:file { getattr open read execute map }; #line 52 allow odsign odrefresh:process transition; #line 52 # New domain is entered by executing the file. 
#line 52 allow odrefresh odrefresh_exec:file { entrypoint open read execute getattr map }; #line 52 # New domain can send SIGCHLD to its caller. #line 52 allow odrefresh odsign:process sigchld; #line 52 # Enable AT_SECURE, i.e. libc secure mode. #line 52 dontaudit odsign odrefresh:process noatsecure; #line 52 # XXX dontaudit candidate but requires further study. #line 52 allow odsign odrefresh:process { siginh rlimitinh }; #line 52 #line 52 # Make the transition occur by default. #line 52 type_transition odsign odrefresh_exec:process odrefresh; #line 52 # Run fsverity_init to add key to fsverity keyring #line 55 # Allow the necessary permissions. #line 55 #line 55 # Old domain may exec the file and transition to the new domain. #line 55 allow odsign fsverity_init_exec:file { getattr open read execute map }; #line 55 allow odsign fsverity_init:process transition; #line 55 # New domain is entered by executing the file. #line 55 allow fsverity_init fsverity_init_exec:file { entrypoint open read execute getattr map }; #line 55 # New domain can send SIGCHLD to its caller. #line 55 allow fsverity_init odsign:process sigchld; #line 55 # Enable AT_SECURE, i.e. libc secure mode. #line 55 dontaudit odsign fsverity_init:process noatsecure; #line 55 # XXX dontaudit candidate but requires further study. #line 55 allow odsign fsverity_init:process { siginh rlimitinh }; #line 55 #line 55 # Make the transition occur by default. #line 55 type_transition odsign fsverity_init_exec:process fsverity_init; #line 55 # Run compos_verify to verify CompOs signatures #line 58 # Allow the necessary permissions. #line 58 #line 58 # Old domain may exec the file and transition to the new domain. #line 58 allow odsign compos_verify_exec:file { getattr open read execute map }; #line 58 allow odsign compos_verify:process transition; #line 58 # New domain is entered by executing the file. 
#line 58 allow compos_verify compos_verify_exec:file { entrypoint open read execute getattr map }; #line 58 # New domain can send SIGCHLD to its caller. #line 58 allow compos_verify odsign:process sigchld; #line 58 # Enable AT_SECURE, i.e. libc secure mode. #line 58 dontaudit odsign compos_verify:process noatsecure; #line 58 # XXX dontaudit candidate but requires further study. #line 58 allow odsign compos_verify:process { siginh rlimitinh }; #line 58 #line 58 # Make the transition occur by default. #line 58 type_transition odsign compos_verify_exec:process compos_verify; #line 58 # Only odsign can set the odsign sysprop #line 61 #line 61 allow odsign property_socket:sock_file write; #line 61 allow odsign init:unix_stream_socket connectto; #line 61 #line 61 allow odsign odsign_prop:property_service set; #line 61 #line 61 allow odsign odsign_prop:file { getattr open read map }; #line 61 #line 61 neverallow { domain -odsign -init } odsign_prop:property_service set; # Allow odsign to stop itself #line 65 #line 65 allow odsign property_socket:sock_file write; #line 65 allow odsign init:unix_stream_socket connectto; #line 65 #line 65 allow odsign ctl_odsign_prop:property_service set; #line 65 #line 65 allow odsign ctl_odsign_prop:file { getattr open read map }; #line 65 #line 65 # Neverallows neverallow { domain -odsign -init -fsverity_init} odsign_data_file:dir ~search; neverallow { domain -odsign -init -fsverity_init} odsign_data_file:file *; #line 1 "system/sepolicy/private/ot_daemon.te" # # ot_daemon is the native Thread network stack on the host (Android) side. # Refer to https://www.threadgroup.org for Thread network knowledge. # # ot_daemon type ot_daemon, domain, coredomain; type ot_daemon_exec, exec_type, file_type, system_file_type; # Allow init to start ot_daemon #line 11 #line 11 # Allow the necessary permissions. #line 11 #line 11 # Old domain may exec the file and transition to the new domain.
#line 11 allow init ot_daemon_exec:file { getattr open read execute map }; #line 11 allow init ot_daemon:process transition; #line 11 # New domain is entered by executing the file. #line 11 allow ot_daemon ot_daemon_exec:file { entrypoint open read execute getattr map }; #line 11 # New domain can send SIGCHLD to its caller. #line 11 #line 11 # Enable AT_SECURE, i.e. libc secure mode. #line 11 dontaudit init ot_daemon:process noatsecure; #line 11 # XXX dontaudit candidate but requires further study. #line 11 allow init ot_daemon:process { siginh rlimitinh }; #line 11 #line 11 # Make the transition occur by default. #line 11 type_transition init ot_daemon_exec:process ot_daemon; #line 11 #line 11 # Allow the ot_daemon to use the net domain. #line 13 typeattribute ot_daemon netdomain; #line 13 # Allow ot_daemon to find /data/misc/apexdata/com.android.tethering allow ot_daemon apex_module_data_file:dir search; # Allow the ot_daemon to access files and subdirectories under # /data/misc/apexdata/com\.android\.tethering allow ot_daemon apex_tethering_data_file:dir {create { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }}; allow ot_daemon apex_tethering_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Allow OT daemon to read/write the Thread tunnel interface allow ot_daemon tun_device:chr_file {read write}; # Allow OT daemon to read/write on the socket created by System Server allow ot_daemon system_server:rawip_socket { read getattr write setattr lock append bind connect getopt setopt shutdown map }; #line 29 typeattribute ot_daemon halclientdomain; #line 29 typeattribute ot_daemon hal_threadnetwork_client; #line 29 #line 29 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 29 # non-Treble devices. 
For now, on non-Treble device, always grant clients of a #line 29 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 29 #line 29 typeattribute ot_daemon hal_threadnetwork; #line 29 # Find passthrough HAL implementations #line 29 allow hal_threadnetwork system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 29 allow hal_threadnetwork vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 29 allow hal_threadnetwork vendor_file:file { read open getattr execute map }; #line 29 #line 29 # Only ot_daemon can publish the binder service #line 32 # Call the servicemanager and transfer references to it. #line 32 allow ot_daemon servicemanager:binder { call transfer }; #line 32 # Allow servicemanager to send out callbacks #line 32 allow servicemanager ot_daemon:binder { call transfer }; #line 32 # servicemanager performs getpidcon on clients. #line 32 allow servicemanager ot_daemon:dir search; #line 32 allow servicemanager ot_daemon:file { read open }; #line 32 allow servicemanager ot_daemon:process getattr; #line 32 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 32 # all domains in domain.te. #line 32 #line 33 allow ot_daemon ot_daemon_service:service_manager { add find }; #line 33 neverallow { domain -ot_daemon } ot_daemon_service:service_manager add; #line 33 #line 33 # On debug builds with root, allow binder services to use binder over TCP. #line 33 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 33 #line 33 #line 34 # Call the server domain and optionally transfer references to it. #line 34 allow ot_daemon system_server:binder { call transfer }; #line 34 # Allow the serverdomain to transfer references to the client on the reply. #line 34 allow system_server ot_daemon:binder transfer; #line 34 # Receive and use open files from the server. 
#line 34
allow ot_daemon system_server:fd use;
#line 34
# Allow OT daemon to write to statsd
#line 37
allow ot_daemon statsdw_socket:sock_file write;
#line 37
allow ot_daemon statsd:unix_dgram_socket sendto;
#line 37
# For collecting bugreports.
# dumpstate hands over an fd/pipe; ot_daemon may only write to it.
allow ot_daemon dumpstate:fd use;
allow ot_daemon dumpstate:fifo_file write;
#line 1 "system/sepolicy/private/otapreopt_chroot.te"
# otapreopt_chroot executable
typeattribute otapreopt_chroot coredomain;
type otapreopt_chroot_exec, exec_type, file_type, system_file_type;
# Chroot preparation and execution.
# We need to create an unshared mount namespace, and then mount /data.
# NOTE(review): the rules below allow mounting over /system, /vendor, /dev,
# the root directory and sysfs. Nothing in SELinux ties these grants to the
# unshared namespace mentioned above -- it is the program's unshare() that
# keeps the mounts from affecting the rest of the system, so that step must
# not be made optional in the binary.
allow otapreopt_chroot postinstall_file:dir { search mounton };
allow otapreopt_chroot apex_mnt_dir:dir mounton;
allow otapreopt_chroot device:dir mounton;
allow otapreopt_chroot linkerconfig_file:dir mounton;
allow otapreopt_chroot rootfs:dir mounton;
allow otapreopt_chroot sysfs:dir mounton;
allow otapreopt_chroot system_data_root_file:dir mounton;
allow otapreopt_chroot system_file:dir mounton;
allow otapreopt_chroot vendor_file:dir mounton;
# sys_admin (mount/unshare) and sys_chroot. The cap_userns class covers the
# same checks when they are made from a non-init user namespace. sys_admin is
# the widest capability in the set and is what makes this a privileged domain.
allow otapreopt_chroot self:{ capability cap_userns } { sys_admin sys_chroot };
# This is required to mount /vendor and mount/unmount ext4 images from
# APEX packages in /postinstall/apex.
allow otapreopt_chroot block_device:dir search;
allow otapreopt_chroot labeledfs:filesystem { mount unmount };
# This is required for dynamic partitions.
# Read/write plus ioctl on the device-mapper control node is enough to create
# and alter dm tables; keep this grant scoped to otapreopt_chroot only.
allow otapreopt_chroot dm_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# This is required to unmount flattened APEX packages under
# /postinstall/system/apex (which are bind-mounted in /postinstall/apex).
allow otapreopt_chroot postinstall_file:filesystem unmount;
# Mounting /vendor can have this side-effect. Ignore denial.
dontaudit otapreopt_chroot kernel:process setsched;
# Allow otapreopt_chroot to read SELinux policy files.
allow otapreopt_chroot file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
allow otapreopt_chroot postinstall_file:dir { open getattr read search ioctl lock watch watch_reads };
# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
#line 37
allow otapreopt_chroot apexd_prop:file { getattr open read map };
#line 37
# Allow otapreopt to use file descriptors from update-engine and the postinstall
# script. It will read dexopt commands from stdin and write progress to stdout.
# The policy only scopes who may feed that pipe; the commands themselves still
# have to be validated by the binary.
allow otapreopt_chroot postinstall:fd use;
allow otapreopt_chroot postinstall:fifo_file { read write getattr };
allow otapreopt_chroot update_engine:fd use;
allow otapreopt_chroot update_engine:fifo_file write;
# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
#line 47
# Allow the necessary permissions.
#line 47
#line 47
# Old domain may exec the file and transition to the new domain.
#line 47
allow otapreopt_chroot postinstall_dexopt_exec:file { getattr open read execute map };
#line 47
allow otapreopt_chroot postinstall_dexopt:process transition;
#line 47
# New domain is entered by executing the file.
#line 47
allow postinstall_dexopt postinstall_dexopt_exec:file { entrypoint open read execute getattr map };
#line 47
# New domain can send SIGCHLD to its caller.
#line 47
allow postinstall_dexopt otapreopt_chroot:process sigchld;
#line 47
# Enable AT_SECURE, i.e. libc secure mode.
#line 47
dontaudit otapreopt_chroot postinstall_dexopt:process noatsecure;
#line 47
# XXX dontaudit candidate but requires further study.
#line 47
allow otapreopt_chroot postinstall_dexopt:process { siginh rlimitinh };
#line 47
#line 47
# Make the transition occur by default.
#line 47
type_transition otapreopt_chroot postinstall_dexopt_exec:process postinstall_dexopt;
#line 47
#line 48
# Allow the necessary permissions.
#line 48
#line 48
# Old domain may exec the file and transition to the new domain.
#line 48
allow otapreopt_chroot linkerconfig_exec:file { getattr open read execute map };
#line 48
allow otapreopt_chroot linkerconfig:process transition;
#line 48
# New domain is entered by executing the file.
#line 48
allow linkerconfig linkerconfig_exec:file { entrypoint open read execute getattr map };
#line 48
# New domain can send SIGCHLD to its caller.
#line 48
allow linkerconfig otapreopt_chroot:process sigchld;
#line 48
# Enable AT_SECURE, i.e. libc secure mode.
#line 48
dontaudit otapreopt_chroot linkerconfig:process noatsecure;
#line 48
# XXX dontaudit candidate but requires further study.
#line 48
allow otapreopt_chroot linkerconfig:process { siginh rlimitinh };
#line 48
#line 48
# Make the transition occur by default.
#line 48
type_transition otapreopt_chroot linkerconfig_exec:process linkerconfig;
#line 48
#line 49
# Allow the necessary permissions.
#line 49
#line 49
# Old domain may exec the file and transition to the new domain.
#line 49
allow otapreopt_chroot apexd_exec:file { getattr open read execute map };
#line 49
allow otapreopt_chroot apexd:process transition;
#line 49
# New domain is entered by executing the file.
#line 49
allow apexd apexd_exec:file { entrypoint open read execute getattr map };
#line 49
# New domain can send SIGCHLD to its caller.
#line 49
allow apexd otapreopt_chroot:process sigchld;
#line 49
# Enable AT_SECURE, i.e. libc secure mode.
#line 49
dontaudit otapreopt_chroot apexd:process noatsecure;
#line 49
# XXX dontaudit candidate but requires further study.
#line 49
allow otapreopt_chroot apexd:process { siginh rlimitinh };
#line 49
#line 49
# Make the transition occur by default.
#line 49
type_transition otapreopt_chroot apexd_exec:process apexd;
#line 49
# Allow otapreopt_chroot to control linkerconfig
# Full create/rename/rmdir plus relabelto on the linker config directory.
allow otapreopt_chroot linkerconfig_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelto };
allow otapreopt_chroot linkerconfig_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow otapreopt_chroot to create loop devices with /dev/loop-control.
allow otapreopt_chroot loop_control_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow otapreopt_chroot to access loop devices.
allow otapreopt_chroot loop_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Restrict the ioctls on loop devices to an explicit allowlist. Per
# linux/loop.h these appear to be LOOP_CONFIGURE, LOOP_GET_STATUS64,
# LOOP_SET_STATUS64, LOOP_SET_FD, LOOP_SET_BLOCK_SIZE, LOOP_SET_DIRECT_IO,
# LOOP_CLR_FD and BLKFLSBUF -- verify against the kernel headers before
# extending the list.
allowxperm otapreopt_chroot loop_device:blk_file ioctl { 0x00004c0a 0x00004c05 0x00004c04 0x00004c00 0x00004c09 0x00004c08 0x00004c01 0x00001261 };
# Allow otapreopt_chroot to configure read-ahead of loop devices.
allow otapreopt_chroot sysfs_loop:dir { open getattr read search ioctl lock watch watch_reads };
allow otapreopt_chroot sysfs_loop:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow otapreopt_chroot to mount a tmpfs filesystem in /postinstall/apex.
allow otapreopt_chroot tmpfs:filesystem mount;
# Allow otapreopt_chroot to restore the security context of /postinstall/apex.
# relabelfrom tmpfs -> relabelto postinstall_apex_mnt_dir is the only relabel
# pair granted, so the freshly mounted tmpfs can only be given that label.
allow otapreopt_chroot tmpfs:dir relabelfrom;
allow otapreopt_chroot postinstall_apex_mnt_dir:dir relabelto;
# Allow otapreopt_chroot to manipulate directory /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow otapreopt_chroot postinstall_apex_mnt_dir:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
# Allow otapreopt_chroot to access /dev/block (needed to detach loop
# devices used by ext4 images from APEX packages).
allow otapreopt_chroot block_device:dir { open getattr read search ioctl lock watch watch_reads };
# Allow to access the linker through the symlink.
allow otapreopt_chroot postinstall_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
# Allow otapreopt_chroot to read ro.cold_boot_done prop.
# This is a temporary solution to make sure that otapreopt_chroot doesn't block indefinitely.
# TODO(b/165948777): remove this once otapreopt_chroot is migrated to libapexmount.
#line 96
allow otapreopt_chroot cold_boot_done_prop:file { getattr open read map };
#line 96
# allow otapreopt_chroot to run the linkerconfig from the new image.
# NOTE(review): both a domain transition (above) and execute_no_trans are
# granted for linkerconfig_exec. The type_transition makes the transition the
# default for a plain execve, so execute_no_trans only applies when the caller
# explicitly keeps its own context; when it does, the binary runs inside this
# sys_admin-capable domain. Confirm the no-transition path is still needed.
allow otapreopt_chroot linkerconfig_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 1 "system/sepolicy/private/otapreopt_slot.te"
# This command set moves the artifact corresponding to the current slot
# from /data/ota to /data/dalvik-cache.
# mlstrustedsubject: the domain is exempt from MLS constraints, which it needs
# to operate across per-user data labels.
type otapreopt_slot, domain, mlstrustedsubject, coredomain;
type otapreopt_slot_exec, system_file_type, exec_type, file_type;
# Technically not a daemon but we do want the transition from init domain to
# cppreopts to occur.
#line 9
#line 9
# Allow the necessary permissions.
#line 9
#line 9
# Old domain may exec the file and transition to the new domain.
#line 9
allow init otapreopt_slot_exec:file { getattr open read execute map };
#line 9
allow init otapreopt_slot:process transition;
#line 9
# New domain is entered by executing the file.
#line 9
allow otapreopt_slot otapreopt_slot_exec:file { entrypoint open read execute getattr map };
#line 9
# New domain can send SIGCHLD to its caller.
# (No explicit sigchld rule is emitted for an init caller; presumably covered
# by a domain-wide rule elsewhere -- confirm.)
#line 9
#line 9
# Enable AT_SECURE, i.e. libc secure mode.
#line 9
dontaudit init otapreopt_slot:process noatsecure;
#line 9
# XXX dontaudit candidate but requires further study.
#line 9
allow init otapreopt_slot:process { siginh rlimitinh };
#line 9
#line 9
# Make the transition occur by default.
#line 9
type_transition init otapreopt_slot_exec:process otapreopt_slot;
#line 9
#line 9
# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
# the directory afterwards. For logging of aggregate size, we need getattr.
# rename/reparent/rmdir on ota_data_file are what let the whole tree be moved
# out of /data/ota in one step; file contents are never read (only getattr).
allow otapreopt_slot ota_data_file:dir { { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } rename reparent rmdir };
allow otapreopt_slot ota_data_file:{ file lnk_file } getattr; # (du follows symlinks)
allow otapreopt_slot ota_data_file:lnk_file read;
# Delete old content of the dalvik-cache.
# Note the dir set has no create: entries are moved in by rename rather than
# created here, and files may only be stat'ed and unlinked, never written.
allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
allow otapreopt_slot dalvikcache_data_file:file { getattr unlink };
allow otapreopt_slot dalvikcache_data_file:lnk_file { getattr read unlink };
# Allow cppreopts to execute itself using #!/system/bin/sh
# execute_no_trans: sh runs inside otapreopt_slot, no domain change.
allow otapreopt_slot shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow running the mv and rm/rmdir commands using otapreopt_slot permissions.
# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.
# toybox (mv/rm) also runs in-domain via execute_no_trans.
allow otapreopt_slot toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 1 "system/sepolicy/private/perfetto.te"
# Perfetto command-line client. Can be used only from the domains that are
# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
# This command line client accesses the privileged socket of the traced
# daemon.
type perfetto_exec, system_file_type, exec_type, file_type;
type perfetto_tmpfs, file_type;
#line 9
type_transition perfetto tmpfs:file perfetto_tmpfs;
#line 9
allow perfetto perfetto_tmpfs:file { read write getattr map };
#line 9
# (Stray ';' below is presumably left over from the tmpfs_domain() expansion;
# it is harmless.)
;
# Allow init to start a trace (for perfetto_boottrace).
#line 12
#line 12
# Allow the necessary permissions.
#line 12
#line 12
# Old domain may exec the file and transition to the new domain.
#line 12
allow init perfetto_exec:file { getattr open read execute map };
#line 12
allow init perfetto:process transition;
#line 12
# New domain is entered by executing the file.
#line 12
allow perfetto perfetto_exec:file { entrypoint open read execute getattr map };
#line 12
# New domain can send SIGCHLD to its caller.
#line 12
#line 12
# Enable AT_SECURE, i.e. libc secure mode.
#line 12
dontaudit init perfetto:process noatsecure;
#line 12
# XXX dontaudit candidate but requires further study.
#line 12
allow init perfetto:process { siginh rlimitinh };
#line 12
#line 12
# Make the transition occur by default.
#line 12
type_transition init perfetto_exec:process perfetto;
#line 12
#line 12
# Allow to access traced's privileged consumer socket.
# The consumer socket is the control plane for tracing; this is why perfetto
# may only be entered from allowlisted domains (see header comment).
#line 15
allow perfetto traced_consumer_socket:sock_file write;
#line 15
allow perfetto traced:unix_stream_socket connectto;
#line 15
# Connect to the Perfetto traced daemon as a producer. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
#line 19
allow perfetto traced:fd use;
#line 19
allow perfetto traced_tmpfs:file { read write getattr map };
#line 19
#line 19
allow perfetto traced_producer_socket:sock_file write;
#line 19
# Duplicate of the connectto rule above (both macros emit it); harmless.
allow perfetto traced:unix_stream_socket connectto;
#line 19
#line 19
#line 19
# Also allow the service to use the producer file descriptors. This is
#line 19
# necessary when the producer is creating the shared memory, as it will be
#line 19
# passed to the service as a file descriptor (obtained from memfd_create).
#line 19
allow traced perfetto:fd use;
#line 19
# Allow to write and unlink traces into /data/misc/perfetto-traces.
allow perfetto perfetto_traces_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow perfetto perfetto_traces_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow to write and unlink trace into /data/misc/perfetto-traces/bugreport*
allow perfetto perfetto_traces_bugreport_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow perfetto perfetto_traces_bugreport_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
# Allow to write and unlink traces into /data/misc/perfetto-traces/profiling.
allow perfetto perfetto_traces_profiling_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow perfetto perfetto_traces_profiling_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow perfetto to access the proxy service for reporting traces.
allow perfetto tracingproxy_service:service_manager find;
#line 35
# Call the servicemanager and transfer references to it.
#line 35
allow perfetto servicemanager:binder { call transfer };
#line 35
# Allow servicemanager to send out callbacks
#line 35
allow servicemanager perfetto:binder { call transfer };
#line 35
# servicemanager performs getpidcon on clients.
#line 35
allow servicemanager perfetto:dir search;
#line 35
allow servicemanager perfetto:file { read open };
#line 35
allow servicemanager perfetto:process getattr;
#line 35
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 35
# all domains in domain.te.
#line 35
#line 36
# Call the server domain and optionally transfer references to it.
#line 36
allow perfetto system_server:binder { call transfer };
#line 36
# Allow the serverdomain to transfer references to the client on the reply.
#line 36
allow system_server perfetto:binder transfer;
#line 36
# Receive and use open files from the server.
#line 36
allow perfetto system_server:fd use;
#line 36
# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
# shell and adb can write files into that directory.
# NOTE(review): that makes the config an attacker-influenced input on any
# device with a debuggable shell; perfetto must parse it defensively. Access is
# read-only here, so perfetto cannot alter configs it is handed.
allow perfetto perfetto_configs_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow perfetto perfetto_configs_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow perfetto to read the trace config from statsd, mm_events and shell
# (both root and non-root) on stdin and also to write the resulting trace to
# stdout.
allow perfetto { statsd mm_events shell su }:fd use;
allow perfetto { statsd mm_events shell su system_server }:fifo_file { getattr read write ioctl };
# Allow to communicate use, read and write over the adb connection.
allow perfetto adbd:fd use;
allow perfetto adbd:unix_stream_socket { read write };
# Allow adbd to reap perfetto.
allow perfetto adbd:process { sigchld };
# Allow perfetto to write to statsd.
#line 57
allow perfetto statsdw_socket:sock_file write;
#line 57
allow perfetto statsd:unix_dgram_socket sendto;
#line 57
# Allow to access /dev/pts when launched in an adb shell.
allow perfetto devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow perfetto to ask incidentd to start a report.
# TODO(lalitm): remove all incidentd rules when proxy service is stable.
allow perfetto incident_service:service_manager find;
#line 65
# Call the server domain and optionally transfer references to it.
#line 65
allow perfetto incidentd:binder { call transfer };
#line 65
# Allow the serverdomain to transfer references to the client on the reply.
#line 65
allow incidentd perfetto:binder transfer;
#line 65
# Receive and use open files from the server.
#line 65
allow perfetto incidentd:fd use;
#line 65
# perfetto log formatter calls isatty() on its stderr. Denial when running
# under adbd is harmless. Avoid generating denial logs.
# The ioctl list (repeated three times below) is the usual terminal set
# (TCGETS/TCSETS*/TIOCGWINSZ and friends); only auditing is suppressed,
# nothing is granted.
dontaudit perfetto adbd:unix_stream_socket getattr;
dontauditxperm perfetto adbd:unix_stream_socket ioctl {
#line 70
0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414
#line 70
0x0000540e 0x0000540b 0x00005410 0x0000540f
#line 70
};
# As above, when adbd is running in "su" domain (only the ioctl is denied in
# practice).
dontauditxperm perfetto su:unix_stream_socket ioctl {
#line 73
0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414
#line 73
0x0000540e 0x0000540b 0x00005410 0x0000540f
#line 73
};
# Similarly, CTS tests end up hitting a denial on shell pipes.
dontauditxperm perfetto shell:fifo_file ioctl {
#line 75
0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414
#line 75
0x0000540e 0x0000540b 0x00005410 0x0000540f
#line 75
};
###
### Neverallow rules
###
# Disallow anyone else from being able to handle traces except selected system
# components.
# Directory level: no domain outside this list may touch the traces dir at all.
neverallow {
  domain
  -init # The creator of the folder.
  -perfetto # The owner of the folder.
  -adbd # For pulling traces.
  -shell # For development purposes.
  -traced # For write_into_file traces.
  -dumpstate # For attaching traces to bugreports.
  -incidentd # For receiving reported traces. TODO(lalitm): remove this.
  -priv_app # For starting traces for bug-report UI.
  -system_server # For accessing traces started by profiling apis.
} perfetto_traces_data_file:dir *;
# File level: every other domain (this includes dumpstate, priv_app and
# system_server, which are not excluded here) is limited to getattr/read.
neverallow {
  domain
  -init # The creator of the folder.
  -perfetto # The owner of the folder.
  -adbd # For pulling traces.
  -shell # For development purposes.
  -traced # For write_into_file traces.
  -incidentd # For receiving reported traces. TODO(lalitm): remove this.
} perfetto_traces_data_file:file ~{ getattr read };
### perfetto should NEVER do any of the following
# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
neverallow perfetto self:process execmem;
# Block device access.
neverallow perfetto dev_type:blk_file { read write };
# ptrace any other process
neverallow perfetto domain:process ptrace;
# Disallows access to other /data files.
neverallow perfetto {
  data_file_type
  -system_data_file
  -system_data_root_file
  -media_userdir_file
  -system_userdir_file
  -vendor_userdir_file
  # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
  # neverallow. Currently only getattr and search are allowed.
  -vendor_data_file
  -perfetto_traces_data_file
  -perfetto_traces_bugreport_data_file
  -perfetto_traces_profiling_data_file
  -perfetto_configs_data_file
}:dir *;
neverallow perfetto {
  system_data_file
  -perfetto_traces_data_file
  -perfetto_traces_profiling_data_file
}:dir ~{ getattr search };
# Only 'write' is left permitted on other data files: perfetto cannot open or
# read them, but may write to an already-open fd it was handed (e.g. a trace
# output file passed in by shell) -- presumably the intent, confirm.
neverallow perfetto {
  data_file_type
  -perfetto_traces_data_file
  -perfetto_traces_bugreport_data_file
  -perfetto_traces_profiling_data_file
  -perfetto_configs_data_file
}:file ~write;
#line 1 "system/sepolicy/private/performanced.te"
typeattribute performanced coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init performanced_exec:file { getattr open read execute map };
#line 3
allow init performanced:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow performanced performanced_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init performanced:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init performanced:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init performanced_exec:process performanced;
#line 3
#line 3
#line 1 "system/sepolicy/private/permissioncontroller_app.te"
###
### A domain for further sandboxing the GooglePermissionController app.
###
type permissioncontroller_app, domain, coredomain;
#line 6
typeattribute permissioncontroller_app appdomain;
#line 6
# Label tmpfs objects for all apps.
#line 6
type_transition permissioncontroller_app tmpfs:file appdomain_tmpfs;
#line 6
#line 6
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 6
type permissioncontroller_app_userfaultfd;
#line 6
type_transition permissioncontroller_app permissioncontroller_app:anon_inode permissioncontroller_app_userfaultfd "[userfaultfd]";
#line 6
# Allow domain to create/use userfaultfd anon_inode.
#line 6
allow permissioncontroller_app permissioncontroller_app_userfaultfd:anon_inode { create ioctl read };
#line 6
# Suppress errors generated during bugreport
#line 6
dontaudit su permissioncontroller_app_userfaultfd:anon_inode *;
#line 6
# Other domains may not use userfaultfd anon_inodes created by this domain.
# (The per-domain anon_inode label plus this neverallow is what stops one
# process from driving another's userfaultfd.)
#line 6
neverallow { domain -permissioncontroller_app } permissioncontroller_app_userfaultfd:anon_inode *;
#line 6
#line 6
# execute on the app tmpfs label is the standard appdomain grant (presumably
# for JIT-style code in anonymous memory) -- not a widening specific to this app.
allow permissioncontroller_app appdomain_tmpfs:file { execute getattr map read write };
#line 6
# No read/write of other domains' /proc/<pid> entries (a domain type used as
# a :file target is the process's proc directory contents), and no other app
# may read or write this app's -- runas_app/shell/simpleperf excepted.
neverallow { permissioncontroller_app -runas_app -shell -simpleperf } { domain -permissioncontroller_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 6
neverallow { appdomain -runas_app -shell -simpleperf -permissioncontroller_app } permissioncontroller_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 6
# The Android security model guarantees the confidentiality and integrity
#line 6
# of application data and execution state. Ptrace bypasses those
#line 6
# confidentiality guarantees. Disallow ptrace access from system components to
#line 6
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 6
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 6
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 6
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 6
# live lock conditions.
# NOTE(review): the rule below does NOT exclude llkd, so the comment is stale
# for this build output -- presumably the llkd exemption is debug-build-only
# and was compiled out here. On this build llkd is bound by the neverallow.
#line 6
neverallow { domain -permissioncontroller_app -crash_dump -runas_app -simpleperf } permissioncontroller_app:process ptrace;
#line 6
allow permissioncontroller_app app_api_service:service_manager find;
allow permissioncontroller_app system_api_service:service_manager find;
# Allow interaction with gpuservice
#line 12
# Call the server domain and optionally transfer references to it.
#line 12
allow permissioncontroller_app gpuservice:binder { call transfer };
#line 12
# Allow the serverdomain to transfer references to the client on the reply.
#line 12
allow gpuservice permissioncontroller_app:binder transfer;
#line 12
# Receive and use open files from the server.
#line 12
allow permissioncontroller_app gpuservice:fd use;
#line 12
allow permissioncontroller_app radio_service:service_manager find;
# Allow the app to request and collect incident reports.
# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
# SELinux only gates reachability of the service; the Java permission checks
# in incidentd are what decide which reports the app may actually obtain.
allow permissioncontroller_app incident_service:service_manager find;
#line 19
# Call the server domain and optionally transfer references to it.
#line 19
allow permissioncontroller_app incidentd:binder { call transfer };
#line 19
# Allow the serverdomain to transfer references to the client on the reply.
#line 19
allow incidentd permissioncontroller_app:binder transfer;
#line 19
# Receive and use open files from the server.
#line 19
allow permissioncontroller_app incidentd:fd use;
#line 19
# Report data is delivered over a pipe owned by incidentd.
allow permissioncontroller_app incidentd:fifo_file { read write };
allow permissioncontroller_app gpu_device:dir search;
#line 1 "system/sepolicy/private/platform_app.te"
###
### Apps signed with the platform key.
###
typeattribute platform_app coredomain;
#line 7
typeattribute platform_app appdomain;
#line 7
# Label tmpfs objects for all apps.
#line 7
type_transition platform_app tmpfs:file appdomain_tmpfs;
#line 7
#line 7
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 7
type platform_app_userfaultfd;
#line 7
type_transition platform_app platform_app:anon_inode platform_app_userfaultfd "[userfaultfd]";
#line 7
# Allow domain to create/use userfaultfd anon_inode.
#line 7
allow platform_app platform_app_userfaultfd:anon_inode { create ioctl read };
#line 7
# Suppress errors generated during bugreport
#line 7
dontaudit su platform_app_userfaultfd:anon_inode *;
#line 7
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 7
neverallow { domain -platform_app } platform_app_userfaultfd:anon_inode *;
#line 7
#line 7
allow platform_app appdomain_tmpfs:file { execute getattr map read write };
#line 7
# No read/write of other domains' /proc/<pid> entries, and no other app may
# read or write this domain's (runas_app/shell/simpleperf excepted).
neverallow { platform_app -runas_app -shell -simpleperf } { domain -platform_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 7
neverallow { appdomain -runas_app -shell -simpleperf -platform_app } platform_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 7
# The Android security model guarantees the confidentiality and integrity
#line 7
# of application data and execution state. Ptrace bypasses those
#line 7
# confidentiality guarantees. Disallow ptrace access from system components to
#line 7
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 7
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 7
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 7
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 7
# live lock conditions.
# NOTE(review): llkd is not excluded by the rule below, so the comment is
# stale for this build output -- presumably a debug-build-only exemption that
# was compiled out here.
#line 7
neverallow { domain -platform_app -crash_dump -runas_app -simpleperf } platform_app:process ptrace;
#line 7
# Access the network.
#line 10
typeattribute platform_app netdomain;
#line 10
# Access bluetooth.
#line 12
typeattribute platform_app bluetoothdomain;
#line 12
# Read from /data/local/tmp or /data/data/com.android.shell.
allow platform_app shell_data_file:dir search;
allow platform_app shell_data_file:file { open getattr read };
allow platform_app icon_file:file { open getattr read };
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
# created by system server.
# Read/write only: the app fills in install staging files but cannot create,
# rename or unlink them (system_server owns that part of the lifecycle).
allow platform_app { apk_tmp_file apk_private_tmp_file }:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow platform_app { apk_tmp_file apk_private_tmp_file }:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow platform_app apk_private_data_file:dir search;
# ASEC
allow platform_app asec_apk_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow platform_app asec_apk_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Access to /data/media.
allow platform_app media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow platform_app media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Write to /cache.
allow platform_app cache_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow platform_app cache_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Direct access to vold-mounted storage under /mnt/media_rw
# This is a performance optimization that allows platform apps to bypass the FUSE layer
# NOTE(review): bypassing FUSE also bypasses the per-app scoped-storage checks
# enforced there; combined with full create/unlink on every sdcard_type label
# this makes platform apps fully trusted with respect to external storage.
allow platform_app mnt_media_rw_file:dir { open getattr read search ioctl lock watch watch_reads };
allow platform_app sdcard_type:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow platform_app sdcard_type:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# com.android.systemui
allow platform_app rootfs:dir getattr;
#line 42
allow platform_app radio_cdma_ecm_prop:file { getattr open read map };
#line 42
#line 45
# The matching set_prop grant is absent from this build output (presumably
# debug-only); the neverallow still binds on every build.
neverallow { domain -init -dumpstate } persist_wm_debug_prop:property_service set;
#line 50
#line 53
# com.android.captiveportallogin reads /proc/vmstat
allow platform_app { proc_vmstat }:file { getattr open read ioctl lock map watch watch_reads };
# /proc/net access.
# TODO(b/9496886) Audit access for removal.
#line 62
allow platform_app proc_net_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 62
allow platform_app proc_net_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 62
#line 65
# Allow writing and removing wmshell protolog in /data/misc/wmtrace.
# (No rule follows in this build output; the grant was presumably compiled
# out as debug-only.)
#line 71
allow platform_app audioserver_service:service_manager find;
allow platform_app cameraserver_service:service_manager find;
allow platform_app drmserver_service:service_manager find;
allow platform_app mediaserver_service:service_manager find;
allow platform_app mediametrics_service:service_manager find;
allow platform_app mediaextractor_service:service_manager find;
allow platform_app mediadrmserver_service:service_manager find;
allow platform_app persistent_data_block_service:service_manager find;
allow platform_app radio_service:service_manager find;
allow platform_app thermal_service:service_manager find;
allow platform_app app_api_service:service_manager find;
allow platform_app system_api_service:service_manager find;
allow platform_app vr_manager_service:service_manager find;
allow platform_app stats_service:service_manager find;
# Allow platform apps to log via statsd.
#line 89
# Call the server domain and optionally transfer references to it.
#line 89
allow platform_app statsd:binder { call transfer };
#line 89
# Allow the serverdomain to transfer references to the client on the reply.
#line 89
allow statsd platform_app:binder transfer;
#line 89
# Receive and use open files from the server.
#line 89
allow platform_app statsd:fd use;
#line 89
# Allow platform applications to find and call artd for testing
# (No rule follows in this build output; presumably compiled out as debug-only.)
#line 95
# Access to /data/preloads
allow platform_app preloads_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow platform_app preloads_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow platform_app preloads_media_file:file { getattr open read ioctl lock map watch watch_reads };
allow platform_app preloads_media_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 103
allow platform_app runtime_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads };
#line 103
# allow platform apps to use UDP sockets provided by the system server but not
# modify them other than to connect
# NOTE(review): the comment understates the grant. setopt is included, so the
# app can change socket options on system_server's socket, and write/sendto
# let it send on it. Either drop setopt or document why a platform app needs
# to reconfigure a socket it does not own.
allow platform_app system_server:udp_socket { connect getattr read recvfrom sendto write getopt setopt };
# allow platform apps to connect to the property service
# The only property this grants 'set' on is test_boot_reason_prop; init's
# property_service still applies its own checks on the connection.
#line 111
#line 111
allow platform_app property_socket:sock_file write;
#line 111
allow platform_app init:unix_stream_socket connectto;
#line 111
#line 111
allow platform_app test_boot_reason_prop:property_service set;
#line 111
#line 111
allow platform_app test_boot_reason_prop:file { getattr open read map };
#line 111
#line 111
# allow platform apps to read keyguard.no_require_sim
#line 114
allow platform_app keyguard_config_prop:file { getattr open read map };
#line 114
# allow platform apps to read qemu.hw.mainkeys
#line 117
allow platform_app qemu_hw_prop:file { getattr open read map };
#line 117
# allow platform apps to read sys.boot.reason.last
#line 120
allow platform_app last_boot_reason_prop:file { getattr open read map };
#line 120
# allow platform apps to create symbolic link
# NOTE(review): symlink creation inside app data is a classic symlink-race
# surface; any privileged daemon that resolves paths under app_data_file must
# treat them as untrusted (O_NOFOLLOW / fd-relative access). The policy only
# grants creation here, it cannot enforce that on the consumers.
allow platform_app app_data_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# suppress denials caused by debugfs_tracing
# dontaudit only: no tracefs access is granted, the denials are just silenced.
dontaudit platform_app debugfs_tracing:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow platform apps to create VMs
#line 129
# Transition to virtualizationmanager when the client executes it.
#line 129
#line 129
# Allow the necessary permissions.
#line 129
#line 129
# Old domain may exec the file and transition to the new domain.
#line 129
allow platform_app virtualizationmanager_exec:file { getattr open read execute map };
#line 129
allow platform_app virtualizationmanager:process transition;
#line 129
# New domain is entered by executing the file.
#line 129
allow virtualizationmanager virtualizationmanager_exec:file { entrypoint open read execute getattr map };
#line 129
# New domain can send SIGCHLD to its caller.
#line 129
allow virtualizationmanager platform_app:process sigchld;
#line 129
# Enable AT_SECURE, i.e. libc secure mode.
#line 129
dontaudit platform_app virtualizationmanager:process noatsecure;
#line 129
# XXX dontaudit candidate but requires further study.
#line 129
allow platform_app virtualizationmanager:process { siginh rlimitinh };
#line 129
#line 129
# Make the transition occur by default.
#line 129
type_transition platform_app virtualizationmanager_exec:process virtualizationmanager;
#line 129
#line 129
# Allow virtualizationmanager to communicate over UDS with the client.
#line 129
allow { virtualizationmanager crosvm } platform_app:unix_stream_socket { ioctl getattr read write };
#line 129
# Let the client pass file descriptors to virtualizationmanager and on to crosvm.
# fd passing is the channel by which the app supplies VM images/config; the
# receiving side (not this policy) has to validate what it is handed.
#line 129
allow { virtualizationmanager crosvm } platform_app:fd use;
#line 129
# Let the client use file descriptors created by virtualizationmanager.
#line 129 allow platform_app virtualizationmanager:fd use; #line 129 # Allow piping console log to the client #line 129 allow { virtualizationmanager crosvm } platform_app:fifo_file { ioctl getattr read write }; #line 129 # Allow client to read/write vsock created by virtualizationmanager to communicate with the VM #line 129 # that it created. Notice that we do not grant permission to create a vsock; #line 129 # the client can only connect to VMs that it owns. #line 129 allow platform_app virtualizationmanager:vsock_socket { getattr getopt read write }; #line 129 # Allow client to inspect hypervisor capabilities #line 129 #line 129 allow platform_app hypervisor_prop:file { getattr open read map }; #line 129 #line 129 # Allow client to read (but not open) the crashdump provided by virtualizationmanager #line 129 allow platform_app virtualizationservice_data_file:file { getattr read }; #line 129 ### ### Neverallow rules ### neverallow { domain -init } persist_sysui_builder_extras_prop:property_service set; # app domains which access /dev/fuse should not run as platform_app neverallow platform_app fuse_device:chr_file *; #line 1 "system/sepolicy/private/postinstall.te" typeattribute postinstall coredomain; type postinstall_exec, system_file_type, exec_type, file_type; #line 3 # Allow the necessary permissions. #line 3 #line 3 # Old domain may exec the file and transition to the new domain. #line 3 allow postinstall otapreopt_chroot_exec:file { getattr open read execute map }; #line 3 allow postinstall otapreopt_chroot:process transition; #line 3 # New domain is entered by executing the file. #line 3 allow otapreopt_chroot otapreopt_chroot_exec:file { entrypoint open read execute getattr map }; #line 3 # New domain can send SIGCHLD to its caller. #line 3 allow otapreopt_chroot postinstall:process sigchld; #line 3 # Enable AT_SECURE, i.e. libc secure mode. 
#line 3 dontaudit postinstall otapreopt_chroot:process noatsecure; #line 3 # XXX dontaudit candidate but requires further study. #line 3 allow postinstall otapreopt_chroot:process { siginh rlimitinh }; #line 3 #line 3 # Make the transition occur by default. #line 3 type_transition postinstall otapreopt_chroot_exec:process otapreopt_chroot; #line 3 allow postinstall rootfs:dir { open getattr read search ioctl lock watch watch_reads }; #line 1 "system/sepolicy/private/postinstall_dexopt.te" # Domain for the otapreopt executable, running under postinstall_dexopt # # Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such, # this is derived and adapted from installd.te. type postinstall_dexopt, domain, coredomain, mlstrustedsubject; type postinstall_dexopt_exec, system_file_type, exec_type, file_type; type postinstall_dexopt_tmpfs, file_type; # Run dex2oat/patchoat in its own sandbox. # We have to manually transition, as we don't have an entrypoint. # - Case where dex2oat is in a non-flattened APEX, which has retained # the correct type (`dex2oat_exec`). #line 14 # Allow the necessary permissions. #line 14 #line 14 # Old domain may exec the file and transition to the new domain. #line 14 allow postinstall_dexopt dex2oat_exec:file { getattr open read execute map }; #line 14 allow postinstall_dexopt dex2oat:process transition; #line 14 # New domain is entered by executing the file. #line 14 allow dex2oat dex2oat_exec:file { entrypoint open read execute getattr map }; #line 14 # New domain can send SIGCHLD to its caller. #line 14 allow dex2oat postinstall_dexopt:process sigchld; #line 14 # Enable AT_SECURE, i.e. libc secure mode. #line 14 dontaudit postinstall_dexopt dex2oat:process noatsecure; #line 14 # XXX dontaudit candidate but requires further study. #line 14 allow postinstall_dexopt dex2oat:process { siginh rlimitinh }; #line 14 #line 14 # Make the transition occur by default. 
#line 14 type_transition postinstall_dexopt dex2oat_exec:process dex2oat; #line 14 # - Case where dex2oat is in a flattened APEX, which has been tagged # with the `postinstall_file` type by update_engine. #line 17 # Allow the necessary permissions. #line 17 #line 17 # Old domain may exec the file and transition to the new domain. #line 17 allow postinstall_dexopt postinstall_file:file { getattr open read execute map }; #line 17 allow postinstall_dexopt dex2oat:process transition; #line 17 # New domain is entered by executing the file. #line 17 allow dex2oat postinstall_file:file { entrypoint open read execute getattr map }; #line 17 # New domain can send SIGCHLD to its caller. #line 17 allow dex2oat postinstall_dexopt:process sigchld; #line 17 # Enable AT_SECURE, i.e. libc secure mode. #line 17 dontaudit postinstall_dexopt dex2oat:process noatsecure; #line 17 # XXX dontaudit candidate but requires further study. #line 17 allow postinstall_dexopt dex2oat:process { siginh rlimitinh }; #line 17 #line 17 # Make the transition occur by default. #line 17 type_transition postinstall_dexopt postinstall_file:process dex2oat; #line 17 # Run derive_classpath to get the current BCP. #line 20 # Allow the necessary permissions. #line 20 #line 20 # Old domain may exec the file and transition to the new domain. #line 20 allow postinstall_dexopt derive_classpath_exec:file { getattr open read execute map }; #line 20 allow postinstall_dexopt derive_classpath:process transition; #line 20 # New domain is entered by executing the file. #line 20 allow derive_classpath derive_classpath_exec:file { entrypoint open read execute getattr map }; #line 20 # New domain can send SIGCHLD to its caller. #line 20 allow derive_classpath postinstall_dexopt:process sigchld; #line 20 # Enable AT_SECURE, i.e. libc secure mode. #line 20 dontaudit postinstall_dexopt derive_classpath:process noatsecure; #line 20 # XXX dontaudit candidate but requires further study. 
#line 20 allow postinstall_dexopt derive_classpath:process { siginh rlimitinh }; #line 20 #line 20 # Make the transition occur by default. #line 20 type_transition postinstall_dexopt derive_classpath_exec:process derive_classpath; #line 20 # Allow postinstall_dexopt to make a tempfile for derive_classpath to write into #line 22 type_transition postinstall_dexopt tmpfs:file postinstall_dexopt_tmpfs; #line 22 allow postinstall_dexopt postinstall_dexopt_tmpfs:file { read write getattr map }; #line 22 ; allow postinstall_dexopt postinstall_dexopt_tmpfs:file open; allow postinstall_dexopt self:{ capability cap_userns } { chown dac_override dac_read_search fowner fsetid setgid setuid }; allow postinstall_dexopt postinstall_file:filesystem getattr; allow postinstall_dexopt postinstall_file:dir { getattr read search }; allow postinstall_dexopt postinstall_file:lnk_file { getattr read }; allow postinstall_dexopt proc_filesystems:file { getattr open read }; allow postinstall_dexopt rootfs:file { getattr open read ioctl lock map watch watch_reads }; allow postinstall_dexopt tmpfs:file read; # Allow access to the odsign verification status #line 36 allow postinstall_dexopt odsign_prop:file { getattr open read map }; #line 36 # Allow access to /postinstall/apex. allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search }; # Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access # here and having to relabel the directory. # Read app data (APKs) as input to dex2oat. #line 45 allow postinstall_dexopt apk_data_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 45 allow postinstall_dexopt apk_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 45 # Read vendor app data (APKs) as input to dex2oat.
#line 47 allow postinstall_dexopt vendor_app_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 47 allow postinstall_dexopt vendor_app_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 47 # Read vendor overlay files (APKs) as input to dex2oat. #line 49 allow postinstall_dexopt vendor_overlay_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 49 allow postinstall_dexopt vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 49 # Vendor overlay can be found in vendor apex allow postinstall_dexopt vendor_apex_metadata_file:dir { getattr search }; # Access to app oat directory. #line 53 allow postinstall_dexopt dalvikcache_data_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 53 allow postinstall_dexopt dalvikcache_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 53 # Read profile data. allow postinstall_dexopt { user_profile_root_file user_profile_data_file }:dir { getattr search }; allow postinstall_dexopt user_profile_data_file:file { getattr open read ioctl lock map watch watch_reads }; # Suppress deletion denial (we do not want to update the profile). dontaudit postinstall_dexopt user_profile_data_file:file { write }; # Write to /data/ota(/*). 
# Create symlinks in /data/ota(/*)
# NOTE(review): this line is the continuation of the "Write to /data/ota(/*)."
# comment immediately above; its leading '#' was dropped when the text was
# split, which would leave a bare word in front of the first allow rule.
allow postinstall_dexopt ota_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow postinstall_dexopt ota_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow postinstall_dexopt ota_data_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
# TODO: See whether we can apply ota_data_file?
# Note that these rules grant create/rename/unlink on every file of type
# dalvikcache_data_file, not only the .b files named above.
allow postinstall_dexopt dalvikcache_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow postinstall_dexopt dalvikcache_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow labeling of files under /data/app/com.example/oat/
# TODO: Restrict to .b suffix?
# relabelto lets this domain set the dalvikcache_data_file label itself; the
# TODO above records that it is currently not limited to a file-name suffix.
allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
# Check validity of SELinux context before use.
#line 77 #line 77 allow postinstall_dexopt selinuxfs:dir { open getattr read search ioctl lock watch watch_reads }; #line 77 allow postinstall_dexopt selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 77 #line 77 allow postinstall_dexopt selinuxfs:file { open append write lock map }; #line 77 allow postinstall_dexopt kernel:security check_context; #line 77 #line 78 #line 78 allow postinstall_dexopt selinuxfs:dir { open getattr read search ioctl lock watch watch_reads }; #line 78 allow postinstall_dexopt selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 78 #line 78 allow postinstall_dexopt selinuxfs:file { open append write lock map }; #line 78 allow postinstall_dexopt kernel:security compute_av; #line 78 allow postinstall_dexopt self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; #line 78 # Postinstall wants to know about our child. allow postinstall_dexopt postinstall:process sigchld; # Allow otapreopt to use file descriptors from otapreopt_chroot. # TODO: Probably we can actually close file descriptors... allow postinstall_dexopt otapreopt_chroot:fd use; # Allow postinstall_dexopt to access the runtime feature flag properties. #line 89 allow postinstall_dexopt device_config_runtime_native_prop:file { getattr open read map }; #line 89 #line 90 allow postinstall_dexopt device_config_runtime_native_boot_prop:file { getattr open read map }; #line 90 #line 1 "system/sepolicy/private/preloads_copy.te" type preloads_copy, domain, coredomain; type preloads_copy_exec, system_file_type, exec_type, file_type; #line 4 #line 4 # Allow the necessary permissions. #line 4 #line 4 # Old domain may exec the file and transition to the new domain. 
#line 4 allow init preloads_copy_exec:file { getattr open read execute map }; #line 4 allow init preloads_copy:process transition; #line 4 # New domain is entered by executing the file. #line 4 allow preloads_copy preloads_copy_exec:file { entrypoint open read execute getattr map }; #line 4 # New domain can send SIGCHLD to its caller. #line 4 #line 4 # Enable AT_SECURE, i.e. libc secure mode. #line 4 dontaudit init preloads_copy:process noatsecure; #line 4 # XXX dontaudit candidate but requires further study. #line 4 allow init preloads_copy:process { siginh rlimitinh }; #line 4 #line 4 # Make the transition occur by default. #line 4 type_transition init preloads_copy_exec:process preloads_copy; #line 4 #line 4 allow preloads_copy shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } }; allow preloads_copy toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } }; allow preloads_copy preloads_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow preloads_copy preloads_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow preloads_copy preloads_media_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow preloads_copy preloads_media_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Allow to copy from /postinstall allow preloads_copy system_file:dir { open getattr read search ioctl lock watch watch_reads }; # Silence the denial when /postinstall cannot be mounted, e.g., system_other # is wiped, but preloads_copy.sh still runs. 
dontaudit preloads_copy postinstall_mnt_dir:dir search; #line 1 "system/sepolicy/private/preopt2cachename.te" # preopt2cachename executable # # This executable translates names from the preopted versions the build system # creates to the names the runtime expects in the data directory. type preopt2cachename, domain, coredomain; type preopt2cachename_exec, system_file_type, exec_type, file_type; # Allow write to stdout. allow preopt2cachename cppreopts:fd use; allow preopt2cachename cppreopts:fifo_file { getattr read write }; # Allow write to logcat. allow preopt2cachename proc_net_type:file { getattr open read ioctl lock map watch watch_reads }; #line 17 #line 1 "system/sepolicy/private/priv_app.te" ### ### A domain for further sandboxing privileged apps. ### typeattribute priv_app coredomain; #line 6 typeattribute priv_app appdomain; #line 6 # Label tmpfs objects for all apps. #line 6 type_transition priv_app tmpfs:file appdomain_tmpfs; #line 6 #line 6 # Set up a type_transition to "userfaultfd" named anonymous inode object. #line 6 type priv_app_userfaultfd; #line 6 type_transition priv_app priv_app:anon_inode priv_app_userfaultfd "[userfaultfd]"; #line 6 # Allow domain to create/use userfaultfd anon_inode. #line 6 allow priv_app priv_app_userfaultfd:anon_inode { create ioctl read }; #line 6 # Suppress errors generated during bugreport #line 6 dontaudit su priv_app_userfaultfd:anon_inode *; #line 6 # Other domains may not use userfaultfd anon_inodes created by this domain.
#line 6 neverallow { domain -priv_app } priv_app_userfaultfd:anon_inode *; #line 6 #line 6 allow priv_app appdomain_tmpfs:file { execute getattr map read write }; #line 6 neverallow { priv_app -runas_app -shell -simpleperf } { domain -priv_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 6 neverallow { appdomain -runas_app -shell -simpleperf -priv_app } priv_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 6 # The Android security model guarantees the confidentiality and integrity #line 6 # of application data and execution state. Ptrace bypasses those #line 6 # confidentiality guarantees. Disallow ptrace access from system components to #line 6 # apps. crash_dump is excluded, as it needs ptrace access to produce stack #line 6 # traces. runas_app is excluded, as it operates only on debuggable apps. #line 6 # simpleperf is excluded, as it operates only on debuggable or profileable #line 6 # apps. llkd is excluded, as it needs ptrace access to inspect stack traces for #line 6 # live lock conditions. #line 6 neverallow { domain -priv_app -crash_dump -runas_app -simpleperf } priv_app:process ptrace; #line 6 # Access the network. #line 9 typeattribute priv_app netdomain; #line 9 # Access bluetooth. #line 11 typeattribute priv_app bluetoothdomain; #line 11 # Allow the allocation and use of ptys # Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm #line 15 # Each domain gets a unique devpts type. #line 15 type priv_app_devpts, fs_type; #line 15 # Label the pty with the unique type when created. #line 15 type_transition priv_app devpts:chr_file priv_app_devpts; #line 15 # Allow use of the pty after creation. 
#line 15 allow priv_app priv_app_devpts:chr_file { open getattr read write ioctl }; #line 15 allowxperm priv_app priv_app_devpts:chr_file ioctl { #line 15 0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414 #line 15 0x0000540e 0x0000540b 0x00005410 0x0000540f #line 15 }; #line 15 # TIOCSTI is only ever used for exploits. Block it. #line 15 # b/33073072, b/7530569 #line 15 # http://www.openwall.com/lists/oss-security/2016/09/26/14 #line 15 neverallowxperm * priv_app_devpts:chr_file ioctl 0x00005412; #line 15 # Note: devpts:dir search and ptmx_device:chr_file rw_file_perms #line 15 # allowed to everyone via domain.te. #line 15 # Allow loading executable code from writable priv-app home # directories. This is a W^X violation, however, it needs # to be supported for now for the following reasons. # * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367) # 1) com.android.opengl.shaders_cache # 2) com.android.skia.shaders_cache # 3) com.android.renderscript.cache # * /data/user_de/0/com.google.android.gms/app_chimera # TODO: Tighten (b/112357170) allow priv_app privapp_data_file:file execute; # Chrome Crashpad uses the dynamic linker to load native executables # from an APK (b/112050209, crbug.com/928422) allow priv_app system_linker_exec:file execute_no_trans; allow priv_app privapp_data_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Priv apps can find services that expose both @SystemAPI and normal APIs.
allow priv_app app_api_service:service_manager find; allow priv_app system_api_service:service_manager find; allow priv_app audioserver_service:service_manager find; allow priv_app cameraserver_service:service_manager find; allow priv_app drmserver_service:service_manager find; allow priv_app mediadrmserver_service:service_manager find; allow priv_app mediaextractor_service:service_manager find; allow priv_app mediametrics_service:service_manager find; allow priv_app mediaserver_service:service_manager find; allow priv_app music_recognition_service:service_manager find; allow priv_app network_watchlist_service:service_manager find; allow priv_app nfc_service:service_manager find; allow priv_app oem_lock_service:service_manager find; allow priv_app persistent_data_block_service:service_manager find; allow priv_app radio_service:service_manager find; allow priv_app recovery_service:service_manager find; allow priv_app stats_service:service_manager find; # Write to /cache. allow priv_app { cache_file cache_recovery_file }:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow priv_app { cache_file cache_recovery_file }:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # /cache is a symlink to /data/cache on some devices. Allow reading the link. allow priv_app cache_file:lnk_file { getattr open read ioctl lock map watch watch_reads }; # Access to /data/media. 
allow priv_app media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow priv_app media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Used by Finsky / Android "Verify Apps" functionality when # running "adb install foo.apk". allow priv_app shell_data_file:file { getattr open read ioctl lock map watch watch_reads }; allow priv_app shell_data_file:dir { open getattr read search ioctl lock watch watch_reads }; # Allow traceur to pass file descriptors through a content provider to betterbug allow priv_app trace_data_file:file { getattr read }; # Allow betterbug to read profile reports generated by profcollect. #line 75 # Allow the bug reporting frontend to read the presence and timestamp of the # trace attached to the bugreport (but not its contents, which will go in the # usual bugreport .zip file). This is used by the bug reporting UI to tell if # the bugreport will contain a system trace or not while the bugreport is still # in progress. allow priv_app wm_trace_data_file:dir { open getattr read search ioctl lock watch watch_reads }; allow priv_app wm_trace_data_file:file getattr; allow priv_app perfetto_traces_bugreport_data_file:dir { open getattr read search ioctl lock watch watch_reads }; allow priv_app perfetto_traces_bugreport_data_file:file { getattr }; # Required to traverse the parent dir (/data/misc/perfetto-traces). allow priv_app perfetto_traces_data_file:dir { search }; # Allow priv apps (e.g. BetterBug) to receive Perfetto traces through # the framework (i.e. TracingServiceProxy) and sendfile them into their private # directories for reporting when network and battery conditions are # appropriate. allow priv_app perfetto:fd use; allow priv_app perfetto_traces_data_file:file { read getattr }; # Allow verifier to access staged apks. 
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir { open getattr read search ioctl lock watch watch_reads }; allow priv_app { apk_tmp_file apk_private_tmp_file }:file { getattr open read ioctl lock map watch watch_reads }; # For AppFuse. allow priv_app vold:fd use; allow priv_app fuse_device:chr_file { read write }; # /proc access allow priv_app { proc_vmstat }:file { getattr open read ioctl lock map watch watch_reads }; allow priv_app sysfs_type:dir search; # Read access to /sys/block/zram*/mm_stat #line 111 allow priv_app sysfs_zram:dir { open getattr read search ioctl lock watch watch_reads }; #line 111 allow priv_app sysfs_zram:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 111 #line 113 allow priv_app rootfs:dir { open getattr read search ioctl lock watch watch_reads }; #line 113 allow priv_app rootfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 113 # Allow com.android.vending to communicate with statsd. #line 116 # Call the server domain and optionally transfer references to it. #line 116 allow priv_app statsd:binder { call transfer }; #line 116 # Allow the server domain to transfer references to the client on the reply. #line 116 allow statsd priv_app:binder transfer; #line 116 # Receive and use open files from the server. #line 116 allow priv_app statsd:fd use; #line 116 # Allow Phone to read/write cached ringtones (opened by system).
allow priv_app ringtone_file:file { getattr read write }; # Access to /data/preloads allow priv_app preloads_data_file:file { getattr open read ioctl lock map watch watch_reads }; allow priv_app preloads_data_file:dir { open getattr read search ioctl lock watch watch_reads }; allow priv_app preloads_media_file:file { getattr open read ioctl lock map watch watch_reads }; allow priv_app preloads_media_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 127 allow priv_app runtime_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads }; #line 127 # Allow priv_apps to request and collect incident reports. # (Also requires DUMP and PACKAGE_USAGE_STATS permissions) allow priv_app incident_service:service_manager find; #line 132 # Call the server domain and optionally transfer references to it. #line 132 allow priv_app incidentd:binder { call transfer }; #line 132 # Allow the server domain to transfer references to the client on the reply. #line 132 allow incidentd priv_app:binder transfer; #line 132 # Receive and use open files from the server. #line 132 allow priv_app incidentd:fd use; #line 132 allow priv_app incidentd:fifo_file { read write }; # Allow priv_apps to check whether Dynamic System Update is enabled #line 136 allow priv_app dynamic_system_prop:file { getattr open read map }; #line 136 # suppress denials for non-API accesses.
# Review note: this is preprocessor-expanded policy (m4 -s style). Every "#line N"
# or "#line N \"file\"" token is a syncline; because '#' opens a comment in the
# policy language they are inert and only map rules back to the source .te file.
# The span below is the tail of priv_app.te (the file starts before this span)
# followed by the head of prng_seeder.te.

# Silence expected, harmless denials. dontaudit grants nothing; it only keeps
# these lookups out of the audit log.
dontaudit priv_app exec_type:file getattr;
dontaudit priv_app device:dir read;
dontaudit priv_app fs_bpf:dir search;
dontaudit priv_app net_dns_prop:file read;
dontaudit priv_app proc:file read;
dontaudit priv_app proc_interrupts:file read;
dontaudit priv_app proc_modules:file read;
dontaudit priv_app proc_net:file read;
dontaudit priv_app proc_stat:file read;
dontaudit priv_app proc_version:file read;
dontaudit priv_app sysfs:dir read;
dontaudit priv_app sysfs:file read;
dontaudit priv_app sysfs_android_usb:file read;
dontaudit priv_app sysfs_dm:file { getattr open read ioctl lock map watch watch_reads };
dontaudit priv_app { wifi_prop wifi_config_prop wifi_hal_prop }:file read;

# allow privileged apps to use UDP sockets provided by the system server but not
# modify them other than to connect
# (no create/bind/listen in the set: the socket must be handed over by system_server)
allow priv_app system_server:udp_socket { connect getattr read recvfrom sendto write getopt setopt };

# allow apps like Phonesky to check the file signature of an apk installed on
# the Incremental File System, fill missing blocks and get the app status and loading progress
# allowxperm narrows the generic ioctl permission to exactly these request codes;
# their meaning is only what the comment above states and is not verified here.
allowxperm priv_app apk_data_file:file ioctl { 0x0000671f 0x00006720 0x00006724 0x00006722 };

# allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
allow priv_app incremental_control_file:file { read getattr ioctl };

# allow apps like Phonesky to request permission to fill blocks of an apk file
# on the Incremental File System.
allowxperm priv_app incremental_control_file:file ioctl 0x00006721;

# allow privileged apps to read the vendor property that indicates if Incremental File System is enabled
#line 177
allow priv_app incremental_prop:file { getattr open read map };
#line 177

# allow privileged apps to read the device config flags.
#line 180
allow priv_app device_config_aconfig_flags_prop:file { getattr open read map };
#line 180

# allow privileged apps to read boot reason property
#line 183
allow priv_app system_boot_reason_prop:file { getattr open read map };
#line 183

# Required for Phonesky to be able to read APEX files under /data/apex/active/.
allow priv_app apex_data_file:dir search;
allow priv_app staging_data_file:file { getattr open read ioctl lock map watch watch_reads };

# Required for Phonesky to be able to read staged files under /data/app-staging.
allow priv_app staging_data_file:dir { open getattr read search ioctl lock watch watch_reads };

# Allow com.android.vending to access files under vendor/apex as well as system apex files.
# This is required for com.android.vending to handle APEXes for e.g. delta patch optimization.
allow priv_app vendor_apex_file:dir { open getattr read search ioctl lock watch watch_reads };
allow priv_app vendor_apex_file:file { getattr open read ioctl lock map watch watch_reads };

# allow priv app to access the system app data files for ContentProvider case.
allow priv_app system_app_data_file:file { read getattr };

# Allow the renderscript compiler to be run.
# The "#line 200" run below is one macro expansion: it sets up the
# priv_app -> rs domain transition that happens when priv_app executes rs_exec.
#line 200
# Allow the necessary permissions.
#line 200
#line 200
# Old domain may exec the file and transition to the new domain.
#line 200
allow priv_app rs_exec:file { getattr open read execute map };
#line 200
allow priv_app rs:process transition;
#line 200
# New domain is entered by executing the file.
#line 200
allow rs rs_exec:file { entrypoint open read execute getattr map };
#line 200
# New domain can send SIGCHLD to its caller.
#line 200
allow rs priv_app:process sigchld;
#line 200
# Enable AT_SECURE, i.e. libc secure mode.
#line 200
dontaudit priv_app rs:process noatsecure;
#line 200
# XXX dontaudit candidate but requires further study.
#line 200
allow priv_app rs:process { siginh rlimitinh };
#line 200
#line 200
# Make the transition occur by default.
#line 200
type_transition priv_app rs_exec:process rs;
#line 200

# Allow loading and deleting executable shared libraries
# within an application home directory. Such shared libraries would be
# created by things like renderscript or via other mechanisms.
allow priv_app app_exec_data_file:file { { getattr open read ioctl lock map watch watch_reads } execute unlink };

# Allow privileged apps to create a VM. Note that access is still
# guarded with the `android.permission.MANAGE_VIRTUAL_MACHINE`
# permission.
# The "#line 210" run is the matching expansion for the
# priv_app -> virtualizationmanager transition plus the client-side plumbing.
#line 210
# Transition to virtualizationmanager when the client executes it.
#line 210
#line 210
# Allow the necessary permissions.
#line 210
#line 210
# Old domain may exec the file and transition to the new domain.
#line 210
allow priv_app virtualizationmanager_exec:file { getattr open read execute map };
#line 210
allow priv_app virtualizationmanager:process transition;
#line 210
# New domain is entered by executing the file.
#line 210
allow virtualizationmanager virtualizationmanager_exec:file { entrypoint open read execute getattr map };
#line 210
# New domain can send SIGCHLD to its caller.
#line 210
allow virtualizationmanager priv_app:process sigchld;
#line 210
# Enable AT_SECURE, i.e. libc secure mode.
#line 210
dontaudit priv_app virtualizationmanager:process noatsecure;
#line 210
# XXX dontaudit candidate but requires further study.
#line 210
allow priv_app virtualizationmanager:process { siginh rlimitinh };
#line 210
#line 210
# Make the transition occur by default.
#line 210
type_transition priv_app virtualizationmanager_exec:process virtualizationmanager;
#line 210
#line 210
# Allow virtualizationmanager to communicate over UDS with the client.
#line 210
allow { virtualizationmanager crosvm } priv_app:unix_stream_socket { ioctl getattr read write };
#line 210
# Let the client pass file descriptors to virtualizationmanager and on to crosvm.
#line 210
allow { virtualizationmanager crosvm } priv_app:fd use;
#line 210
# Let the client use file descriptors created by virtualizationmanager.
#line 210
allow priv_app virtualizationmanager:fd use;
#line 210
# Allow piping console log to the client
#line 210
allow { virtualizationmanager crosvm } priv_app:fifo_file { ioctl getattr read write };
#line 210
# Allow client to read/write vsock created by virtualizationmanager to communicate with the VM
#line 210
# that it created. Notice that we do not grant permission to create a vsock;
#line 210
# the client can only connect to VMs that it owns.
#line 210
allow priv_app virtualizationmanager:vsock_socket { getattr getopt read write };
#line 210
# Allow client to inspect hypervisor capabilities
#line 210
#line 210
allow priv_app hypervisor_prop:file { getattr open read map };
#line 210
#line 210
# Allow client to read (but not open) the crashdump provided by virtualizationmanager
# Without "open" the client cannot reach the file by path; it can only read an
# fd that virtualizationmanager hands it (the fd use rule above).
#line 210
allow priv_app virtualizationservice_data_file:file { getattr read };
#line 210

###
### neverallow rules
###
# neverallow rules are build-time assertions: policy compilation fails if any
# allow rule anywhere in the policy would grant one of these accesses.

# Receive or send uevent messages.
# "*" as the permission set means every permission of the class.
neverallow priv_app domain:netlink_kobject_uevent_socket *;

# Receive or send generic netlink messages
neverallow priv_app domain:netlink_socket *;

# Read or write kernel printk buffer
neverallow priv_app kmsg_device:chr_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };

# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow priv_app debugfs_type:file read;

# Do not allow privileged apps to register services.
# Only trusted components of Android should be registering
# services.
neverallow priv_app service_manager_type:service_manager add;

# Do not allow privileged apps to connect to the property service
# or set properties. b/10243159
neverallow priv_app property_socket:sock_file write;
neverallow priv_app init:unix_stream_socket connectto;
neverallow priv_app property_type:property_service set;

# Do not allow priv_app to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints. As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and priv_app is allowed fork permission to itself.
neverallow priv_app mlstrustedsubject:process fork;

# Do not allow priv_app to hard link to any files.
# In particular, if priv_app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure priv_app never has this
# capability.
neverallow priv_app file_type:file link;

# priv apps should not be able to open trace data files, they should depend
# upon traceur to pass a file descriptor which they can then read
neverallow priv_app trace_data_file:dir *;
neverallow priv_app trace_data_file:file { { append create link unlink relabelfrom rename setattr write } open };

# Do not allow priv_app access to cgroups.
neverallow priv_app cgroup:file *;
neverallow priv_app cgroup_v2:file *;

# Do not allow loading executable code from non-privileged
# application home directories. Code loading across a security boundary
# is dangerous and allows a full compromise of a privileged process
# by an unprivileged process. b/112357170
neverallow priv_app { app_data_file_type -privapp_data_file }:file { execute execute_no_trans };

# Do not follow any app provided symlinks
neverallow priv_app { app_data_file_type -privapp_data_file }:lnk_file { open read getattr };

# Do not allow getting permission-protected network information from sysfs.
neverallow priv_app sysfs_net:file *;

# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
# neverallowxperm asserts that none of these ioctl request codes may ever be
# granted to priv_app on any socket of the four listed classes, whatever the
# target domain; entries of the form 0xAAAA-0xBBBB are inclusive ranges.
neverallowxperm priv_app domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl
#line 281
{
#line 281
# qualcomm rmnet ioctls
#line 281
0x00006900 0x00006902
#line 281
# socket ioctls
#line 281
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 281
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 281
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 281
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 281
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 281
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 281
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 281
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 281
0x00008991 0x00008992 0x00008993 0x00008994
#line 281
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 281
# device and protocol specific ioctls
#line 281
0x000089f0-0x000089ff
#line 281
0x000089e0-0x000089ef
#line 281
# Wireless extension ioctls
#line 281
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 281
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 281
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 281
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 281
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 281
0x00008b34 0x00008b35 0x00008b36
#line 281
# Dev private ioctl i.e. hardware specific ioctls
#line 281
0x00008be0-0x00008bff
#line 281
};
# "*" as the target type means every type in the policy.
neverallow priv_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
# Whole socket classes priv_app must never be able to use at all.
neverallow priv_app *:{ socket netlink_socket packet_socket key_socket appletalk_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } *;

# Allow priv apps to report off body events to keystore2.
allow priv_app keystore:keystore2 report_off_body;

# Allow priv_apps to check if archiving is enabled
#line 301
allow priv_app pm_archiving_enabled_prop:file { getattr open read map };
#line 301
#line 1 "system/sepolicy/private/prng_seeder.te"
# PRNG seeder daemon
# Started from early init, maintains a FIPS approved DRBG which it periodically reseeds from
# /dev/hw_random. When BoringSSL (libcrypto) in other processes needs seeding data for its
# internal DRBGs it will connect to /dev/socket/prng_seeder and the daemon will write a
# fixed size block of entropy then disconnect. No other IO is performed.
# The prng_seeder domain type itself is declared outside this span; these lines
# only attach attributes to it and declare its executable's file type.
typeattribute prng_seeder coredomain;
# mlstrustedsubject required in order to allow connections from trusted app domains.
typeattribute prng_seeder mlstrustedsubject;
type prng_seeder_exec, system_file_type, exec_type, file_type;
#line 12
#line 12
# Allow the necessary permissions.
# Continuation of prng_seeder.te: the "#line 12" run is the expansion of the
# init -> prng_seeder transition that happens when init executes prng_seeder_exec.
#line 12
#line 12
# Old domain may exec the file and transition to the new domain.
#line 12
allow init prng_seeder_exec:file { getattr open read execute map };
#line 12
allow init prng_seeder:process transition;
#line 12
# New domain is entered by executing the file.
#line 12
allow prng_seeder prng_seeder_exec:file { entrypoint open read execute getattr map };
#line 12
# New domain can send SIGCHLD to its caller.
# NOTE(review): no sigchld rule is emitted at this slot (compare the priv_app -> rs
# expansion in priv_app.te, which does emit one); presumably init is covered by a
# broader rule elsewhere -- verify rather than assume.
#line 12
#line 12
# Enable AT_SECURE, i.e. libc secure mode.
#line 12
dontaudit init prng_seeder:process noatsecure;
#line 12
# XXX dontaudit candidate but requires further study.
#line 12
allow init prng_seeder:process { siginh rlimitinh };
#line 12
#line 12
# Make the transition occur by default.
#line 12
type_transition init prng_seeder_exec:process prng_seeder;
#line 12
#line 12
# Socket open and listen are performed by init.
# Accordingly the daemon only gets accept/read/write/getattr on its own socket;
# it cannot create, bind or listen on a fresh one.
allow prng_seeder prng_seeder:unix_stream_socket { read write getattr accept };
# The only entropy input: read access to the hardware RNG character device.
allow prng_seeder hw_random_device:chr_file { read open };
# Kernel-log output path; note the set contains no "read".
allow prng_seeder kmsg_debug_device:chr_file { { open append write lock map } getattr ioctl };
#line 1 "system/sepolicy/private/profcollectd.te"
# profcollectd - hardware profile collection daemon
type profcollectd, domain, coredomain, mlstrustedsubject;
type profcollectd_exec, system_file_type, exec_type, file_type;
# NOTE(review): the syncline jumps from line 4 to line 66, so everything between
# was dropped by the preprocessor for this build (presumably a conditional block);
# only the two type declarations above survive here.
#line 66
#line 1 "system/sepolicy/private/profman.te"
typeattribute profman coredomain;

# Allow profman to read APKs and profile files next to them by FDs passed from
# other programs. In addition, allow profman to acquire flocks on those files.
# No "open" here: profman works on descriptors it is given (fd use rule below).
allow profman { system_file apk_data_file vendor_app_file }:file { getattr read map lock };

# Allow profman to use file descriptors passed from privileged programs.
allow profman { artd installd }:fd use;

# Allow profman to read from memfd created by artd.
# profman needs to read the embedded profile that artd extracts from an APK,
# which is passed by a memfd.
allow profman artd_tmpfs:file { getattr read map lock };
#line 1 "system/sepolicy/private/property.te"
# Properties used only in /system
# Review note: each "#line N" group below is one macro expansion that (1) declares a
# system-internal property type and (2) asserts, via neverallow, that no domain
# outside coredomain may ever be granted the listed read/write/watch permissions
# on that property's file. The BEGIN/END markers state that CTS consumes the
# text between them, so those neverallow lines must stay byte-identical.
#line 2
#line 2
type adbd_prop, property_type, system_property_type, system_internal_property_type;
#line 2
#line 2
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 2
#line 2
neverallow { domain -coredomain } adbd_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 2
#line 2
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 2
#line 2
#line 3
#line 3
type apexd_payload_metadata_prop, property_type, system_property_type, system_internal_property_type;
#line 3
#line 3
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 3
#line 3
neverallow { domain -coredomain } apexd_payload_metadata_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 3
#line 3
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 3
#line 3
#line 4
#line 4
type ctl_snapuserd_prop, property_type, system_property_type, system_internal_property_type;
#line 4
#line 4
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 4
#line 4
neverallow { domain -coredomain } ctl_snapuserd_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 4
#line 4
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 4
#line 4
#line 5
#line 5
type crashrecovery_prop, property_type, system_property_type, system_internal_property_type;
#line 5
#line 5
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 5
#line 5
neverallow { domain -coredomain } crashrecovery_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 5
#line 5
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 5
#line 5
#line 6
#line 6
type device_config_core_experiments_team_internal_prop, property_type, system_property_type, system_internal_property_type;
#line 6
#line 6
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 6
#line 6
neverallow { domain -coredomain } device_config_core_experiments_team_internal_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 6
#line 6
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 6
#line 6
#line 7
#line 7
type device_config_lmkd_native_prop, property_type, system_property_type, system_internal_property_type;
#line 7
#line 7
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 7
#line 7
neverallow { domain -coredomain } device_config_lmkd_native_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 7
#line 7
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 7
#line 7
#line 8
#line 8
type device_config_mglru_native_prop, property_type, system_property_type, system_internal_property_type;
#line 8
#line 8
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 8
#line 8
neverallow { domain -coredomain } device_config_mglru_native_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 8
#line 8
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 8
#line 8
#line 9
#line 9
type device_config_profcollect_native_boot_prop, property_type, system_property_type, system_internal_property_type;
#line 9
#line 9
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 9
#line 9
neverallow { domain -coredomain } device_config_profcollect_native_boot_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 9
#line 9
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 9
#line 9
#line 10
#line 10
type device_config_remote_key_provisioning_native_prop, property_type, system_property_type, system_internal_property_type;
#line 10
#line 10
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 10
#line 10
neverallow { domain -coredomain } device_config_remote_key_provisioning_native_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 10
#line 10
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 10
#line 10
#line 11
#line 11
type device_config_statsd_native_prop, property_type, system_property_type, system_internal_property_type;
#line 11
#line 11
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 11
#line 11
neverallow { domain -coredomain } device_config_statsd_native_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 11
#line 11
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 11
#line 11
#line 12
#line 12
type device_config_statsd_native_boot_prop, property_type, system_property_type, system_internal_property_type;
#line 12
#line 12
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 12
#line 12
neverallow { domain -coredomain } device_config_statsd_native_boot_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 12
#line 12
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 12
#line 12
#line 13
#line 13
type device_config_storage_native_boot_prop, property_type, system_property_type, system_internal_property_type;
#line 13
#line 13
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 13
#line 13
neverallow { domain -coredomain } device_config_storage_native_boot_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
#line 13
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 13
#line 13
#line 14
#line 14
type device_config_sys_traced_prop, property_type, system_property_type, system_internal_property_type;
#line 14
#line 14
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 14
#line 14
neverallow { domain -coredomain } device_config_sys_traced_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 14
#line 14
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 14
#line 14
#line 15
#line 15
type device_config_window_manager_native_boot_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } device_config_window_manager_native_boot_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 16
#line 16
type device_config_configuration_prop, property_type, system_property_type, system_internal_property_type;
#line 16
#line 16
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 16
#line 16
neverallow { domain -coredomain } device_config_configuration_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 16
#line 16
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 16
#line 16
#line 17
#line 17
type device_config_connectivity_prop, property_type, system_property_type, system_internal_property_type;
#line 17
#line 17
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 17
#line 17
neverallow { domain -coredomain } device_config_connectivity_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 17
#line 17
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 17
#line 17
#line 18
#line 18
type device_config_swcodec_native_prop, property_type, system_property_type, system_internal_property_type;
#line 18
#line 18
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 18
#line 18
neverallow { domain -coredomain } device_config_swcodec_native_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 18
#line 18
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 18
#line 18
#line 19
#line 19
type device_config_tethering_u_or_later_native_prop, property_type, system_property_type, system_internal_property_type;
#line 19
#line 19
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 19
#line 19
neverallow { domain -coredomain } device_config_tethering_u_or_later_native_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 19
#line 19
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 19
#line 19
#line 20
#line 20
type dmesgd_start_prop, property_type, system_property_type, system_internal_property_type;
#line 20
#line 20
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 20
#line 20
neverallow { domain -coredomain } dmesgd_start_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 20
#line 20
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 20
#line 20
#line 21
#line 21
type fastbootd_protocol_prop, property_type, system_property_type, system_internal_property_type;
#line 21
#line 21
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 21
#line 21
neverallow { domain -coredomain } fastbootd_protocol_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 21
#line 21
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 21
#line 21
#line 22
#line 22
type gsid_prop, property_type, system_property_type, system_internal_property_type;
#line 22
#line 22
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 22
#line 22
neverallow { domain -coredomain } gsid_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 22
#line 22
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 22
#line 22
#line 23
#line 23
type init_perf_lsm_hooks_prop, property_type, system_property_type, system_internal_property_type;
#line 23
#line 23
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 23
#line 23
neverallow { domain -coredomain } init_perf_lsm_hooks_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 23
#line 23
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 23
#line 23
#line 24
#line 24
type init_service_status_private_prop, property_type, system_property_type, system_internal_property_type;
#line 24
#line 24
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 24
#line 24
neverallow { domain -coredomain } init_service_status_private_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 24
#line 24
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 24
#line 24
#line 25
#line 25
type init_storage_prop, property_type, system_property_type, system_internal_property_type;
#line 25
#line 25
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 25
#line 25
neverallow { domain -coredomain } init_storage_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 25
#line 25
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 25
#line 25
#line 26
#line 26
type init_svc_debug_prop, property_type, system_property_type, system_internal_property_type;
#line 26
#line 26
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 26
#line 26
neverallow { domain -coredomain } init_svc_debug_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 26
#line 26
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 26
#line 26
#line 27
#line 27
type keystore_crash_prop, property_type, system_property_type, system_internal_property_type;
#line 27
#line 27
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 27
#line 27
neverallow { domain -coredomain } keystore_crash_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 27
#line 27
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 27
#line 27
#line 28
#line 28
type keystore_listen_prop, property_type, system_property_type, system_internal_property_type;
#line 28
#line 28
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 28
#line 28
neverallow { domain -coredomain } keystore_listen_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 28
#line 28
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 28
#line 28
#line 29
#line 29
type last_boot_reason_prop, property_type, system_property_type, system_internal_property_type;
#line 29
#line 29
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 29
#line 29
neverallow { domain -coredomain } last_boot_reason_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 29
#line 29
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 29
#line 29
#line 30
#line 30
type localization_prop, property_type, system_property_type, system_internal_property_type;
#line 30
#line 30
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 30
#line 30
neverallow { domain -coredomain } localization_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 30
#line 30
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 30
#line 30
#line 31
#line 31
type logd_auditrate_prop, property_type, system_property_type, system_internal_property_type;
#line 31
#line 31
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 31
#line 31
neverallow { domain -coredomain } logd_auditrate_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 31
#line 31
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 31
#line 31
#line 32
#line 32
type lower_kptr_restrict_prop, property_type, system_property_type, system_internal_property_type;
#line 32
#line 32
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 32
#line 32
neverallow { domain -coredomain } lower_kptr_restrict_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 32
#line 32
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 32
#line 32
#line 33
#line 33
type net_464xlat_fromvendor_prop, property_type, system_property_type, system_internal_property_type;
#line 33
#line 33
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 33
#line 33
neverallow { domain -coredomain } net_464xlat_fromvendor_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 33
#line 33
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 33
#line 33
#line 34
#line 34
type net_connectivity_prop, property_type, system_property_type, system_internal_property_type;
#line 34
#line 34
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 34
#line 34
neverallow { domain -coredomain } net_connectivity_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 34
#line 34
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 34
#line 34
#line 35
#line 35
type netd_stable_secret_prop, property_type, system_property_type, system_internal_property_type;
#line 35
#line 35
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 35
#line 35
neverallow { domain -coredomain } netd_stable_secret_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 35
#line 35
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 35
#line 35
#line 36
#line 36
type next_boot_prop, property_type, system_property_type, system_internal_property_type;
#line 36
#line 36
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 36
#line 36
neverallow { domain -coredomain } next_boot_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 36
#line 36
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 36
#line 36
#line 37
#line 37
type odsign_prop, property_type, system_property_type, system_internal_property_type;
#line 37
#line 37
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 37
#line 37
neverallow { domain -coredomain } odsign_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 37
#line 37
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 37
#line 37
#line 38
#line 38
type misctrl_prop, property_type, system_property_type, system_internal_property_type;
#line 38
#line 38
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 38
#line 38
neverallow { domain -coredomain } misctrl_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 38
#line 38
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 38
#line 38
#line 39
#line 39
type perf_drop_caches_prop, property_type, system_property_type, system_internal_property_type;
#line 39
#line 39
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 39
#line 39
neverallow { domain -coredomain } perf_drop_caches_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 39
#line 39
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 39
#line 39
#line 40
#line 40
type pm_prop, property_type, system_property_type, system_internal_property_type;
#line 40
#line 40
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 40
#line 40
neverallow { domain -coredomain } pm_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 40
#line 40
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 40
#line 40
#line 41
#line 41
type profcollectd_node_id_prop, property_type, system_property_type, system_internal_property_type;
#line 41
#line 41
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 41
#line 41
neverallow { domain -coredomain } profcollectd_node_id_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 41
#line 41
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 41
#line 41
#line 42
#line 42
type radio_cdma_ecm_prop, property_type, system_property_type, system_internal_property_type;
#line 42
#line 42
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 42
#line 42
neverallow { domain -coredomain } radio_cdma_ecm_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 42
#line 42
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 42
#line 42
#line 43
#line 43
type remote_prov_prop, property_type, system_property_type, system_internal_property_type;
#line 43
#line 43
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 43
#line 43
neverallow { domain -coredomain } remote_prov_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 43
#line 43
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 43
#line 43
#line 44
#line 44
type rollback_test_prop, property_type, system_property_type, system_internal_property_type;
#line 44
#line 44
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 44
#line 44
neverallow { domain -coredomain } rollback_test_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 44
#line 44
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 44
#line 44
#line 45
#line 45
type setupwizard_prop, property_type, system_property_type, system_internal_property_type;
#line 45
#line 45
# (the setupwizard_prop group continues past the end of this span)
# BEGIN_LAUNCHING_WITH_R_ONLY -- this
marker is used by CTS -- do not modify #line 45 #line 45 neverallow { domain -coredomain } setupwizard_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 45 #line 45 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 45 #line 45 #line 46 #line 46 type snapuserd_prop, property_type, system_property_type, system_internal_property_type; #line 46 #line 46 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 46 #line 46 neverallow { domain -coredomain } snapuserd_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 46 #line 46 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 46 #line 46 #line 47 #line 47 type system_adbd_prop, property_type, system_property_type, system_internal_property_type; #line 47 #line 47 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 47 #line 47 neverallow { domain -coredomain } system_adbd_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 47 #line 47 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 47 #line 47 #line 48 #line 48 type system_audio_config_prop, property_type, system_property_type, system_internal_property_type; #line 48 #line 48 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 48 #line 48 neverallow { domain -coredomain } system_audio_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 48 #line 48 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 48 #line 48 #line 49 #line 49 
# Expanded internal system property declarations.  Each group declares one property
# type carrying property_type, system_property_type and system_internal_property_type
# and, between the CTS markers, forbids every domain outside coredomain from opening,
# reading or writing the property's backing file.  No per-type property_service rule
# is emitted here: setting is covered by the attribute-wide rule at the end of this
# block (only coredomain may set a system property that is not
# system_public_property_type).  The BEGIN_/END_ marker lines are consumed by CTS;
# keep them byte-for-byte.
type timezone_metadata_prop, property_type, system_property_type, system_internal_property_type; #line 49 #line 49 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 49 #line 49 neverallow { domain -coredomain } timezone_metadata_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 49 #line 49 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 49 #line 49 #line 50 #line 50 type traced_perf_enabled_prop, property_type, system_property_type, system_internal_property_type; #line 50 #line 50 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 50 #line 50 neverallow { domain -coredomain } traced_perf_enabled_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 50 #line 50 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 50 #line 50 #line 51 #line 51 type uprobestats_start_with_config_prop, property_type, system_property_type, system_internal_property_type; #line 51 #line 51 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 51 #line 51 neverallow { domain -coredomain } uprobestats_start_with_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 51 #line 51 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 51 #line 51 #line 52 #line 52 type tuner_server_ctl_prop, property_type, system_property_type, system_internal_property_type; #line 52 #line 52 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 52 #line 52 neverallow { domain -coredomain } tuner_server_ctl_prop:file { { append create link unlink relabelfrom rename setattr write } 
open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 52 #line 52 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 52 #line 52 #line 53 #line 53 type userspace_reboot_log_prop, property_type, system_property_type, system_internal_property_type; #line 53 #line 53 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 53 #line 53 neverallow { domain -coredomain } userspace_reboot_log_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 53 #line 53 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 53 #line 53 #line 54 #line 54 type userspace_reboot_test_prop, property_type, system_property_type, system_internal_property_type; #line 54 #line 54 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 54 #line 54 neverallow { domain -coredomain } userspace_reboot_test_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 54 #line 54 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 54 #line 54 #line 55 #line 55 type verity_status_prop, property_type, system_property_type, system_internal_property_type; #line 55 #line 55 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 55 #line 55 neverallow { domain -coredomain } verity_status_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 55 #line 55 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 55 #line 55 #line 56 #line 56 type zygote_wrap_prop, property_type, system_property_type, system_internal_property_type; #line 56 #line 56 # BEGIN_LAUNCHING_WITH_R_ONLY -- this 
marker is used by CTS -- do not modify #line 56 #line 56 neverallow { domain -coredomain } zygote_wrap_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 56 #line 56 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 56 #line 56 #line 57 #line 57 type ctl_mediatranscoding_prop, property_type, system_property_type, system_internal_property_type; #line 57 #line 57 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 57 #line 57 neverallow { domain -coredomain } ctl_mediatranscoding_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 57 #line 57 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 57 #line 57 #line 58 #line 58 type ctl_odsign_prop, property_type, system_property_type, system_internal_property_type; #line 58 #line 58 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 58 #line 58 neverallow { domain -coredomain } ctl_odsign_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 58 #line 58 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 58 #line 58 #line 59 #line 59 type virtualizationservice_prop, property_type, system_property_type, system_internal_property_type; #line 59 #line 59 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 59 #line 59 neverallow { domain -coredomain } virtualizationservice_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 59 #line 59 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 59 #line 59 #line 60 #line 60 type ctl_apex_load_prop, property_type, system_property_type, system_internal_property_type; #line 60 #line 60 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 60 #line 60 neverallow { domain -coredomain } ctl_apex_load_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 60 #line 60 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 60 #line 60 #line 61 #line 61 type enable_16k_pages_prop, property_type, system_property_type, system_internal_property_type; #line 61 #line 61 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 61 #line 61 neverallow { domain -coredomain } enable_16k_pages_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 61 #line 61 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 61 #line 61 #line 62 #line 62 type sensors_config_prop, property_type, system_property_type, system_internal_property_type; #line 62 #line 62 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 62 #line 62 neverallow { domain -coredomain } sensors_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 62 #line 62 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 62 #line 62 #line 63 #line 63 type hypervisor_pvmfw_prop, property_type, system_property_type, system_internal_property_type; #line 63 #line 63 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 63 #line 63 neverallow { domain -coredomain } hypervisor_pvmfw_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock 
watch watch_mount watch_sb watch_with_perm watch_reads }; #line 63 #line 63 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 63 #line 63 #line 64 #line 64 type hypervisor_virtualizationmanager_prop, property_type, system_property_type, system_internal_property_type; #line 64 #line 64 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 64 #line 64 neverallow { domain -coredomain } hypervisor_virtualizationmanager_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 64 #line 64 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 64 #line 64 #line 65 #line 65 type game_manager_config_prop, property_type, system_property_type, system_internal_property_type; #line 65 #line 65 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 65 #line 65 neverallow { domain -coredomain } game_manager_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 65 #line 65 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 65 #line 65 #line 66 #line 66 type hidl_memory_prop, property_type, system_property_type, system_internal_property_type; #line 66 #line 66 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 66 #line 66 neverallow { domain -coredomain } hidl_memory_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 66 #line 66 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 66 #line 66 #line 67 #line 67 type suspend_debug_prop, property_type, system_property_type, system_internal_property_type; #line 67 #line 67 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker 
is used by CTS -- do not modify #line 67 #line 67 neverallow { domain -coredomain } suspend_debug_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 67 #line 67 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 67 #line 67 
# The restricted types below only get a property_service neverallow: no per-type read
# ban is emitted, and the attribute-wide read rule at the end of this block carves
# system_restricted_property_type out, so these stay readable from non-core domains.
# Properties which can't be written outside system #line 70 #line 70 type device_config_virtualization_framework_native_prop, property_type, system_property_type, system_restricted_property_type; #line 70 #line 70 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 70 #line 70 neverallow { domain -coredomain } device_config_virtualization_framework_native_prop:property_service set; #line 70 #line 70 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 70 #line 70 #line 71 #line 71 type log_file_logger_prop, property_type, system_property_type, system_restricted_property_type; #line 71 #line 71 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 71 #line 71 neverallow { domain -coredomain } log_file_logger_prop:property_service set; #line 71 #line 71 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 71 #line 71 #line 72 #line 72 type persist_sysui_builder_extras_prop, property_type, system_property_type, system_restricted_property_type; #line 72 #line 72 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 72 #line 72 neverallow { domain -coredomain } persist_sysui_builder_extras_prop:property_service set; #line 72 #line 72 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 72 #line 72 #line 73 #line 73 type persist_sysui_ranking_update_prop, property_type, system_property_type, system_restricted_property_type; #line 73 #line 73 # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 73 #line 73 neverallow 
{ domain -coredomain } persist_sysui_ranking_update_prop:property_service set; #line 73 #line 73 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 73 #line 73 
### ### Neverallow rules ### # BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 79 #line 79 #line 79 # BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify #line 79 #line 79 
# S-only rule: a property type that carries neither system_property_type nor
# vendor_property_type is unreadable and unwritable by every domain, i.e. every
# property type must be classified as one or the other.
# NOTE(review): -system_property_type appears twice in the exclusion set below.  Set
# subtraction makes the duplicate harmless, but it looks like a macro-expansion
# artifact; fix it at the macro source, not inside this CTS marker region.
neverallow domain { #line 79 property_type #line 79 -system_property_type #line 79 -system_property_type #line 79 -vendor_property_type #line 79 }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 79 #line 79 # END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify #line 79 #line 79 #line 79 
# Non-core domains versus system properties: they may not read internal system
# property files (restricted and public types are carved out) and may not set any
# system property that is not system_public_property_type.  A
# system_restricted_property_type property is therefore readable but not settable
# from outside coredomain.
neverallow { domain -coredomain } { #line 79 system_property_type #line 79 system_internal_property_type #line 79 -system_restricted_property_type #line 79 -system_public_property_type #line 79 }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 79 #line 79 neverallow { domain -coredomain } { #line 79 system_property_type #line 79 -system_public_property_type #line 79 }:property_service set; #line 79 #line 79 # init is in coredomain, but should be able to read/write all props. #line 79 # dumpstate is also in coredomain, but should be able to read all props. 
# Mirror image for vendor properties: coredomain may not read vendor-internal property
# files (init and dumpstate excepted) and may not set a vendor property that is not
# vendor_public_property_type (init excepted).
#line 79 neverallow { coredomain -init -dumpstate } { #line 79 vendor_property_type #line 79 vendor_internal_property_type #line 79 -vendor_restricted_property_type #line 79 -vendor_public_property_type #line 79 }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 79 #line 79 neverallow { coredomain -init } { #line 79 vendor_property_type #line 79 -vendor_public_property_type #line 79 }:property_service set; #line 79 #line 79 #line 79 # END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify #line 116 # There is no need to perform ioctl or advisory locking operations on # property files. If this neverallow is being triggered, it is # likely that the policy is using r_file_perms directly instead of # the get_prop() macro. neverallow domain property_type:file { ioctl lock }; 
# The source here is `*`, i.e. every type and not only domains: a core_property_type
# member that is not in the carve-out list is unreadable and unwritable by anything.
neverallow * { core_property_type -audio_prop -config_prop -cppreopt_prop -dalvik_prop -debuggerd_prop -debug_prop -dhcp_prop -dumpstate_prop -fingerprint_prop -logd_prop -net_radio_prop -nfc_prop -ota_prop -pan_result_prop -persist_debug_prop -powerctl_prop -radio_prop -restorecon_prop -shell_prop -system_prop -usb_prop -vold_prop }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; 
# The rule below exempts init and vendor_init, not su: su gets no allow rule at all and
# relies on being permissive on userdebug/eng (a neverallow constrains allow rules at
# compile time, it does not bypass permissive mode).
# sigstop property is only used for debugging; should only be set by su which is permissive # for userdebug/eng neverallow { domain -init -vendor_init } ctl_sigstop_prop:property_service set; 
# Don't audit legacy ctl. property handling. We only want the newer permission check to appear # in the audit log
dontaudit domain { ctl_bootanim_prop ctl_bugreport_prop ctl_console_prop ctl_default_prop ctl_dumpstate_prop ctl_fuse_prop ctl_mdnsd_prop ctl_rildaemon_prop }:property_service set; 
# init_storage_prop: extra_free_kbytes is the only non-init writer.
# init_svc_debug_prop: set only by init; readable only by init and dumpstate.
neverallow { domain -init -extra_free_kbytes } init_storage_prop:property_service set; neverallow { domain -init } init_svc_debug_prop:property_service set; neverallow { domain -init -dumpstate } init_svc_debug_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; 
# DO NOT ADD: compat risk
# NOTE(review): the line above names no referent; presumably it means "do not add more
# domains to the misctrl_prop exemption lists below" -- confirm and reword at the source.
neverallow { domain -init -dumpstate -misctrl } misctrl_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; neverallow { domain -init -misctrl } misctrl_prop:property_service set; 
# Compatible-property carve-outs for vendor-facing components.  Asymmetries visible in
# the exemption lists are deliberate inputs to review: appdomain is exempted from the
# first set ban; radio_control_prop may be set by vendor_init while radio_prop may not;
# wifi_hal_prop does not exempt coredomain as a whole, only init and dumpstate, so other
# core domains are barred from setting it too.
# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify #line 204 #line 204 # Prevent properties from being set #line 204 neverallow { #line 204 domain #line 204 -coredomain #line 204 -appdomain #line 204 -vendor_init #line 204 } { #line 204 core_property_type #line 204 extended_core_property_type #line 204 exported_config_prop #line 204 exported_default_prop #line 204 exported_dumpstate_prop #line 204 exported_system_prop #line 204 exported3_system_prop #line 204 usb_control_prop #line 204 -nfc_prop #line 204 -powerctl_prop #line 204 -radio_prop #line 204 }:property_service set; #line 204 #line 204 neverallow { #line 204 domain #line 204 -coredomain #line 204 -appdomain #line 204 -hal_nfc_server #line 204 } { #line 204 nfc_prop #line 204 }:property_service set; #line 204 #line 204 neverallow { #line 204 domain #line 204 -coredomain #line 204 -appdomain #line 204 -hal_telephony_server #line 204 -vendor_init #line 204 } { #line 204 radio_control_prop #line 204 }:property_service set; #line 204 #line 204 neverallow { #line 204 domain 
#line 204 -coredomain #line 204 -appdomain #line 204 -hal_telephony_server #line 204 } { #line 204 radio_prop #line 204 }:property_service set; #line 204 #line 204 neverallow { #line 204 domain #line 204 -coredomain #line 204 -bluetooth #line 204 -hal_bluetooth_server #line 204 } { #line 204 bluetooth_prop #line 204 }:property_service set; #line 204 #line 204 neverallow { #line 204 domain #line 204 -coredomain #line 204 -bluetooth #line 204 -hal_bluetooth_server #line 204 -vendor_init #line 204 } { #line 204 exported_bluetooth_prop #line 204 }:property_service set; #line 204 #line 204 neverallow { #line 204 domain #line 204 -coredomain #line 204 -hal_camera_server #line 204 -cameraserver #line 204 -vendor_init #line 204 } { #line 204 exported_camera_prop #line 204 }:property_service set; #line 204 #line 204 neverallow { #line 204 domain #line 204 -coredomain #line 204 -hal_wifi_server #line 204 -wificond #line 204 } { #line 204 wifi_prop #line 204 }:property_service set; #line 204 #line 204 neverallow { #line 204 domain #line 204 -init #line 204 -dumpstate #line 204 -hal_wifi_server #line 204 -wificond #line 204 -vendor_init #line 204 } { #line 204 wifi_hal_prop #line 204 }:property_service set; #line 204 #line 204 # Prevent properties from being read #line 204 neverallow { #line 204 domain #line 204 -coredomain #line 204 -appdomain #line 204 -vendor_init #line 204 } { #line 204 core_property_type #line 204 dalvik_config_prop_type #line 204 extended_core_property_type #line 204 exported3_system_prop #line 204 systemsound_config_prop #line 204 -debug_prop #line 204 -logd_prop #line 204 -nfc_prop #line 204 -powerctl_prop #line 204 -radio_prop #line 204 }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 204 #line 204 neverallow { #line 204 domain #line 204 -coredomain #line 204 -appdomain #line 204 -hal_nfc_server #line 204 } { #line 204 nfc_prop #line 204 }:file 
{ { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 204 #line 204 neverallow { #line 204 domain #line 204 -coredomain #line 204 -appdomain #line 204 -hal_telephony_server #line 204 } { #line 204 radio_prop #line 204 }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 204 #line 204 neverallow { #line 204 domain #line 204 -coredomain #line 204 -bluetooth #line 204 -hal_bluetooth_server #line 204 } { #line 204 bluetooth_prop #line 204 }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 204 #line 204 neverallow { #line 204 domain #line 204 -coredomain #line 204 -hal_wifi_server #line 204 -wificond #line 204 } { #line 204 wifi_prop #line 204 }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 204 #line 204 
# suspend_prop may be set from coredomain and vendor_init.  suspend_debug_prop is set
# only by init and readable only by init and dumpstate; system_suspend's attempts to
# read it are silenced (dontaudit below), not permitted.
neverallow { #line 204 domain #line 204 -coredomain #line 204 -vendor_init #line 204 } { #line 204 suspend_prop #line 204 }:property_service set; #line 204 #line 204 neverallow { #line 204 domain #line 204 -init #line 204 } { #line 204 suspend_debug_prop #line 204 }:property_service set; #line 204 #line 204 neverallow { #line 204 domain #line 204 -init #line 204 -dumpstate #line 204 #line 204 } { #line 204 suspend_debug_prop #line 204 }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 204 #line 204 # END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify #line 380 dontaudit system_suspend suspend_debug_prop:file { getattr open read ioctl lock map watch watch_reads }; 
# system_writes_vendor_properties_violators is an explicit escape hatch: any core domain
# carrying that attribute bypasses the rule below, so additions to it need review.
# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not 
modify #line 384 #line 384 # Neverallow coredomain to set vendor properties #line 384 neverallow { #line 384 coredomain #line 384 -init #line 384 -system_writes_vendor_properties_violators #line 384 } { #line 384 property_type #line 384 -system_property_type #line 384 -extended_core_property_type #line 384 }:property_service set; #line 384 #line 384 # END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify #line 395 
# Per-property owner lists.  Each rule spells out the complete set of domains that may
# set (or read) the property; an allow rule for any other domain is rejected at policy
# compile time, so the exemption list is the place to look when a new writer is needed.
neverallow { domain -coredomain -vendor_init } { ffs_config_prop ffs_control_prop }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; neverallow { domain -init -system_server } { userspace_reboot_log_prop }:property_service set; neverallow { # Only allow init and system_server to set system_adbd_prop domain -init -system_server } { system_adbd_prop }:property_service set; # Let (vendor_)init, adbd, and system_server set service.adb.tcp.port neverallow { domain -init -vendor_init -adbd -system_server } { adbd_config_prop }:property_service set; neverallow { # Only allow init and adbd to set adbd_prop domain -init -adbd } { adbd_prop }:property_service set; neverallow { # Only allow init to set apexd_payload_metadata_prop domain -init } { apexd_payload_metadata_prop }:property_service set; neverallow { # Only allow init and shell to set userspace_reboot_test_prop domain -init -shell } { userspace_reboot_test_prop }:property_service set; neverallow { domain -init -system_server -vendor_init } { surfaceflinger_color_prop }:property_service set; neverallow { domain -init } { libc_debug_prop }:property_service set; # Allow the shell to set MTE & GWP-ASan props, so that non-root users with adb # shell access can control the settings on their device. Allow system apps to # set MTE props, so Developer Options can set them. 
# Besides init, shell, system_app and system_server, mtectrl may also set the
# arm64_memtag_prop / gwp_asan_prop pair.
neverallow { domain -init -shell -system_app -system_server -mtectrl } { arm64_memtag_prop gwp_asan_prop }:property_service set; neverallow { domain -init -system_server -vendor_init } zram_control_prop:property_service set; neverallow { domain -init -system_server -vendor_init } dalvik_runtime_prop:property_service set; neverallow { domain -coredomain -vendor_init } { usb_config_prop usb_control_prop }:property_service set; 
# provisioned_prop / retaildemo_prop: set only by init and system_server; readable from
# coredomain and vendor_init.
neverallow { domain -init -system_server } { provisioned_prop retaildemo_prop }:property_service set; neverallow { domain -coredomain -vendor_init } { provisioned_prop retaildemo_prop }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; neverallow { domain -init } { init_service_status_private_prop init_service_status_prop }:property_service set; 
# NOTE(review): appdomain as a whole is exempted here, so this neverallow does not stop
# any app domain from being granted set on telephony_status_prop; the restriction must
# come from the absence of allow rules for those domains.
neverallow { domain -init -radio -appdomain -hal_telephony_server -vendor_init } telephony_status_prop:property_service set; neverallow { domain -init -vendor_init } { graphics_config_prop }:property_service set; neverallow { domain -init -surfaceflinger } { surfaceflinger_display_prop }:property_service set; neverallow { domain -coredomain -appdomain -vendor_init } packagemanager_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; neverallow { domain -coredomain -vendor_init } keyguard_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; neverallow { domain -init } { localization_prop }:property_service set; 
# oem_unlock_prop is readable only by init, vendor_init, dumpstate and system_app.
neverallow { domain -init -vendor_init -dumpstate -system_app } oem_unlock_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; neverallow { domain -coredomain -vendor_init } 
storagemanager_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; 
# sendbug_config_prop and camera_calibration_prop are readable by every app domain in
# addition to init, vendor_init and dumpstate.
neverallow { domain -init -vendor_init -dumpstate -appdomain } sendbug_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; neverallow { domain -init -vendor_init -dumpstate -appdomain } camera_calibration_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; neverallow { domain -init -dumpstate -hal_dumpstate_server -vendor_init } hal_dumpstate_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; 
# init-only setters: lower_kptr_restrict_prop, zygote_wrap_prop, verity_status_prop and
# setupwizard_prop; setupwizard_mode_prop additionally admits vendor_init.
neverallow { domain -init } { lower_kptr_restrict_prop }:property_service set; neverallow { domain -init } zygote_wrap_prop:property_service set; neverallow { domain -init } verity_status_prop:property_service set; neverallow { domain -init -vendor_init } setupwizard_mode_prop:property_service set; neverallow { domain -init } setupwizard_prop:property_service set; # ro.product.property_source_order is useless after initialization of ro.product.* props. # So making it accessible only from init and vendor_init. 
neverallow { domain -init -dumpstate -vendor_init } build_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; neverallow { domain -init -shell } sqlite_log_prop:property_service set; neverallow { domain -coredomain -appdomain } sqlite_log_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; neverallow { domain -init } default_prop:property_service set; # Only one of system_property_type and vendor_property_type can be assigned. # Property types having both attributes won't be accessible from anywhere. neverallow domain system_and_vendor_property_type:{file property_service} *; neverallow { domain -init -shell -rkpdapp } remote_prov_prop:property_service set; neverallow { # Only allow init and shell to set rollback_test_prop domain -init -shell } rollback_test_prop:property_service set; neverallow { domain -init -apexd } ctl_apex_load_prop:property_service set; neverallow { domain -coredomain -init -dumpstate -apexd } ctl_apex_load_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; neverallow { domain -init -apexd } apex_ready_prop:property_service set; neverallow { domain -coredomain -dumpstate -apexd -vendor_init } apex_ready_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; neverallow { # Only allow init and profcollectd to access profcollectd_node_id_prop domain -init -dumpstate -profcollectd } profcollectd_node_id_prop:file { getattr open read ioctl lock map watch watch_reads }; neverallow { domain -init } log_file_logger_prop:property_service set; neverallow { domain -init -vendor_init } usb_uvc_enabled_prop:property_service set; # Disallow non system 
# apps from reading ro.usb.uvc.enabled
neverallow { appdomain -system_app -device_as_webcam } usb_uvc_enabled_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow { domain -init -vendor_init } pm_archiving_enabled_prop:property_service set;
#line 1 "system/sepolicy/private/radio.te"
# radio: the telephony app process. It is an app domain but also
# mlstrustedsubject, so the MLS constraints defined elsewhere in the policy
# presumably do not confine it the way they confine ordinary apps -- confirm
# against the mls constraint file.
typeattribute radio coredomain, mlstrustedsubject;
#line 3
# Macro-expanded app-domain boilerplate (the same block appears for every app
# domain in this chunk): tmpfs labeling, a private userfaultfd anon_inode type,
# and the cross-domain per-process /proc file and ptrace neverallows.
typeattribute radio appdomain;
#line 3
# Label tmpfs objects for all apps.
#line 3
type_transition radio tmpfs:file appdomain_tmpfs;
#line 3
#line 3
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 3
type radio_userfaultfd;
#line 3
type_transition radio radio:anon_inode radio_userfaultfd "[userfaultfd]";
#line 3
# Allow domain to create/use userfaultfd anon_inode.
#line 3
allow radio radio_userfaultfd:anon_inode { create ioctl read };
#line 3
# Suppress errors generated during bugreport
#line 3
dontaudit su radio_userfaultfd:anon_inode *;
#line 3
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 3
neverallow { domain -radio } radio_userfaultfd:anon_inode *;
#line 3
#line 3
allow radio appdomain_tmpfs:file { execute getattr map read write };
#line 3
# Files labeled with another domain's type (per-process /proc entries) are
# off limits to radio, and radio's own are off limits to other app domains;
# only the debugging helpers runas_app, shell and simpleperf are exempt.
neverallow { radio -runas_app -shell -simpleperf } { domain -radio }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 3
neverallow { appdomain -runas_app -shell -simpleperf -radio } radio:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 3
# The Android security model guarantees the confidentiality and integrity
#line 3
# of application data and execution state. Ptrace bypasses those
#line 3
# confidentiality guarantees. Disallow ptrace access from system components to
#line 3
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 3
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 3
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 3
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 3
# live lock conditions.
#line 3
# NOTE(review): the comment above lists llkd as excluded, but the rule as
# expanded here carries no -llkd; presumably that exclusion is build-variant
# conditional and absent on this build -- confirm against the macro source.
neverallow { domain -radio -crash_dump -runas_app -simpleperf } radio:process ptrace;
#line 3
#line 5
allow radio runtime_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads };
#line 5
# Property service
# Each set_prop-style expansion below grants the property-service path
# (write to the property socket, connectto init) plus set on one property
# context and read of its backing file. The socket/connectto pair is repeated
# verbatim per property; duplicate allow rules are harmless in policy.
#line 8
#line 8
allow radio property_socket:sock_file write;
#line 8
allow radio init:unix_stream_socket connectto;
#line 8
#line 8
allow radio radio_control_prop:property_service set;
#line 8
#line 8
allow radio radio_control_prop:file { getattr open read map };
#line 8
#line 8
#line 9
#line 9
allow radio property_socket:sock_file write;
#line 9
allow radio init:unix_stream_socket connectto;
#line 9
#line 9
allow radio radio_prop:property_service set;
#line 9
#line 9
allow radio radio_prop:file { getattr open read map };
#line 9
#line 9
#line 10
#line 10
allow radio property_socket:sock_file write;
#line 10
allow radio init:unix_stream_socket connectto;
#line 10
#line 10
allow radio net_radio_prop:property_service set;
#line 10
#line 10
allow radio net_radio_prop:file { getattr open read map };
#line 10
#line 10
#line 11
#line 11
allow radio property_socket:sock_file write;
#line 11
allow radio init:unix_stream_socket connectto;
#line 11
#line 11
allow radio telephony_status_prop:property_service set;
#line 11
#line 11
allow radio telephony_status_prop:file { getattr open read map };
#line 11
#line 11
#line 12
#line 12
allow radio property_socket:sock_file write;
#line 12
allow radio init:unix_stream_socket connectto;
#line 12
#line 12
allow radio radio_cdma_ecm_prop:property_service set;
#line 12
#line 12
allow radio radio_cdma_ecm_prop:file { getattr open read map };
#line 12
#line 12
# ctl interface
# ctl.* properties are service-control requests handled by init; this
# presumably lets radio start/stop the RIL daemon service -- confirm the exact
# property names in property_contexts.
#line 15
#line 15
allow radio property_socket:sock_file write;
#line 15
allow radio init:unix_stream_socket connectto;
#line 15
#line 15
allow radio ctl_rildaemon_prop:property_service set;
#line 15
#line 15
allow radio ctl_rildaemon_prop:file { getattr open read map };
#line 15
#line 15
# Telephony code contains time / time zone detection logic so it reads the associated properties.
#line 18
allow radio time_prop:file { getattr open read map };
#line 18
# allow telephony to access platform compat to log permission denials
allow radio platform_compat_service:service_manager find;
allow radio uce_service:service_manager find;
# Access /data/misc/emergencynumberdb. Read-only: directory search/listing
# and file read only, no create or write, despite the original "Manage"
# wording.
allow radio emergency_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow radio emergency_data_file:file { getattr open read ioctl lock map watch watch_reads };
# allow telephony to access related cache properties
#line 30
#line 30
allow radio property_socket:sock_file write;
#line 30
allow radio init:unix_stream_socket connectto;
#line 30
#line 30
allow radio binder_cache_telephony_server_prop:property_service set;
#line 30
#line 30
allow radio binder_cache_telephony_server_prop:file { getattr open read map };
#line 30
#line 30
# NOTE(review): the lone ';' below is left over from a macro invocation written
# with a trailing semicolon; presumably parsed as an empty statement and
# harmless, but worth dropping at the source.
;
# Only radio (and init) may set the telephony binder cache property.
neverallow { domain -radio -init } binder_cache_telephony_server_prop:property_service set;
# allow sending pulled atoms to statsd
#line 35
# Call the server domain and optionally transfer references to it.
#line 35
allow radio statsd:binder { call transfer };
#line 35
# Allow the serverdomain to transfer references to the client on the reply.
#line 35
allow statsd radio:binder transfer;
#line 35
# Receive and use open files from the server.
#line 35
allow radio statsd:fd use;
#line 35
#line 1 "system/sepolicy/private/recovery.te"
# recovery: only the coredomain attribute is present in this build; per the
# comment below, the allow rules exist only in the recovery policy variant.
typeattribute recovery coredomain;
# The allow rules are only included in the recovery policy.
# Otherwise recovery is only allowed the domain rules.
#line 50
#line 1 "system/sepolicy/private/recovery_persist.te"
# recovery_persist: daemon started by init that persists recovery logs.
typeattribute recovery_persist coredomain;
#line 3
#line 3
# Allow the necessary permissions.
# Init-daemon transition expansion: init execs recovery_persist_exec and the
# process enters recovery_persist. No sigchld rule is emitted when the caller
# is init (compare the runas transition later in this file, where the caller
# is shell and a sigchld rule is present).
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init recovery_persist_exec:file { getattr open read execute map };
#line 3
allow init recovery_persist:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow recovery_persist recovery_persist_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init recovery_persist:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
# The daemon inherits init's signal state and rlimits.
allow init recovery_persist:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init recovery_persist_exec:process recovery_persist;
#line 3
#line 3
# recovery_persist is not allowed to write anywhere other than recovery_data_file
# NOTE(review): this asserts the file class only; directory-level writes
# (create/add_name/remove_name) are not covered by this neverallow.
neverallow recovery_persist { file_type -recovery_data_file }:file write;
#line 1 "system/sepolicy/private/recovery_refresh.te"
# recovery_refresh: daemon started by init; same transition shape as
# recovery_persist above.
typeattribute recovery_refresh coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init recovery_refresh_exec:file { getattr open read execute map };
#line 3
allow init recovery_refresh:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow recovery_refresh recovery_refresh_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init recovery_refresh:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init recovery_refresh:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init recovery_refresh_exec:process recovery_refresh;
#line 3
#line 3
# recovery_refresh is not allowed to write anywhere
# NOTE(review): as above, only the file class is asserted here.
neverallow recovery_refresh { file_type }:file write;
#line 1 "system/sepolicy/private/remount.te"
# remount: only the type declarations survive on this build. The jump to
# #line 25 means source lines 4-24 produced no rules, presumably a
# build-variant-conditional (debug-only) block -- confirm against the source.
type remount, domain, coredomain;
type remount_exec, system_file_type, exec_type, file_type;
#line 25
#line 1 "system/sepolicy/private/rkpd.te"
# Policies for Remote Key Provisioning Daemon (rkpd)
type rkpd, domain;
type rkpd_exec, system_file_type, exec_type, file_type;
typeattribute rkpd coredomain;
#line 7
# binder_use expansion: rkpd talks to servicemanager and servicemanager may
# inspect rkpd's /proc entries to resolve the caller's context.
# Call the servicemanager and transfer references to it.
#line 7
allow rkpd servicemanager:binder { call transfer };
#line 7
# Allow servicemanager to send out callbacks
#line 7
allow servicemanager rkpd:binder { call transfer };
#line 7
# servicemanager performs getpidcon on clients.
#line 7
allow servicemanager rkpd:dir search;
#line 7
allow servicemanager rkpd:file { read open };
#line 7
allow servicemanager rkpd:process getattr;
#line 7
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 7
# all domains in domain.te.
#line 7
#line 8
typeattribute rkpd binderservicedomain;
#line 8
#line 10
#line 10
# Allow the necessary permissions.
#line 10
#line 10
# Old domain may exec the file and transition to the new domain.
#line 10
allow init rkpd_exec:file { getattr open read execute map };
#line 10
allow init rkpd:process transition;
#line 10
# New domain is entered by executing the file.
#line 10
allow rkpd rkpd_exec:file { entrypoint open read execute getattr map };
#line 10
# New domain can send SIGCHLD to its caller.
#line 10
#line 10
# Enable AT_SECURE, i.e. libc secure mode.
#line 10
dontaudit init rkpd:process noatsecure;
#line 10
# XXX dontaudit candidate but requires further study.
#line 10
allow init rkpd:process { siginh rlimitinh };
#line 10
#line 10
# Make the transition occur by default.
#line 10
type_transition init rkpd_exec:process rkpd;
#line 10
#line 10
#line 12
# rkpd publishes two binder services; the neverallows ensure no other domain
# can register (and thus impersonate) them.
allow rkpd rkpd_registrar_service:service_manager { add find };
#line 12
neverallow { domain -rkpd } rkpd_registrar_service:service_manager add;
#line 12
#line 12
# On debug builds with root, allow binder services to use binder over TCP.
#line 12
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 12
# (No rule follows on this build; presumably the debug-only block expanded to
# nothing here -- confirm against the macro source.)
#line 12
#line 13
allow rkpd rkpd_refresh_service:service_manager { add find };
#line 13
neverallow { domain -rkpd } rkpd_refresh_service:service_manager add;
#line 13
#line 13
# On debug builds with root, allow binder services to use binder over TCP.
#line 13
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 13
#line 13
#line 15
allow rkpd device_config_remote_key_provisioning_native_prop:file { getattr open read map };
#line 15
#line 1 "system/sepolicy/private/rkpd_app.te"
###
### A domain for sandboxing the remote key provisioning daemon
### app that is shipped via mainline.
###
typeattribute rkpdapp coredomain;
#line 7
# Macro-expanded app-domain boilerplate (see the radio domain earlier in this
# file for the annotated version of the same block).
typeattribute rkpdapp appdomain;
#line 7
# Label tmpfs objects for all apps.
#line 7
type_transition rkpdapp tmpfs:file appdomain_tmpfs;
#line 7
#line 7
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 7
type rkpdapp_userfaultfd;
#line 7
type_transition rkpdapp rkpdapp:anon_inode rkpdapp_userfaultfd "[userfaultfd]";
#line 7
# Allow domain to create/use userfaultfd anon_inode.
#line 7
allow rkpdapp rkpdapp_userfaultfd:anon_inode { create ioctl read };
#line 7
# Suppress errors generated during bugreport
#line 7
dontaudit su rkpdapp_userfaultfd:anon_inode *;
#line 7
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 7
neverallow { domain -rkpdapp } rkpdapp_userfaultfd:anon_inode *;
#line 7
#line 7
allow rkpdapp appdomain_tmpfs:file { execute getattr map read write };
#line 7
neverallow { rkpdapp -runas_app -shell -simpleperf } { domain -rkpdapp }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 7
neverallow { appdomain -runas_app -shell -simpleperf -rkpdapp } rkpdapp:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 7
# The Android security model guarantees the confidentiality and integrity
#line 7
# of application data and execution state. Ptrace bypasses those
#line 7
# confidentiality guarantees. Disallow ptrace access from system components to
#line 7
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 7
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 7
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 7
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 7
# live lock conditions.
#line 7
# NOTE(review): llkd is mentioned above but not excluded by the rule as
# expanded here (presumably a build-variant-conditional exclusion).
neverallow { domain -rkpdapp -crash_dump -runas_app -simpleperf } rkpdapp:process ptrace;
#line 7
#line 8
typeattribute rkpdapp netdomain;
#line 8
# RKPD needs to be able to call the remote provisioning HALs
#line 11
typeattribute rkpdapp halclientdomain;
#line 11
typeattribute rkpdapp hal_keymint_client;
#line 11
#line 11
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 11
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 11
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 11
#line 11
# NOTE(review): rkpdapp is given the server-side hal_keymint attribute (and
# hal_remotelyprovisionedcomponent_avf below) for passthrough support. Every
# rule granted to those attributes therefore applies to this app-sandboxed
# process, including the vendor_file:file execute/map below -- wider than a
# purely binderized client needs; revisit once the TODO above is resolved.
typeattribute rkpdapp hal_keymint;
#line 11
# Find passthrough HAL implementations
#line 11
allow hal_keymint system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 11
allow hal_keymint vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 11
allow hal_keymint vendor_file:file { read open getattr execute map };
#line 11
#line 11
#line 12
typeattribute rkpdapp halclientdomain;
#line 12
typeattribute rkpdapp hal_remotelyprovisionedcomponent_avf_client;
#line 12
#line 12
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 12
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 12
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 12
#line 12
typeattribute rkpdapp hal_remotelyprovisionedcomponent_avf;
#line 12
# Find passthrough HAL implementations
#line 12
allow hal_remotelyprovisionedcomponent_avf system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow hal_remotelyprovisionedcomponent_avf vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow hal_remotelyprovisionedcomponent_avf vendor_file:file { read open getattr execute map };
#line 12
#line 12
# Grant access to certain system properties related to RKP
#line 15
allow rkpdapp device_config_remote_key_provisioning_native_prop:file { getattr open read map };
#line 15
#line 16
# rkpdapp is one of the three domains allowed to set remote_prov_prop (the
# neverallow earlier in this policy exempts only init, shell and rkpdapp).
#line 16
allow rkpdapp property_socket:sock_file write;
#line 16
allow rkpdapp init:unix_stream_socket connectto;
#line 16
#line 16
allow rkpdapp remote_prov_prop:property_service set;
#line 16
#line 16
allow rkpdapp remote_prov_prop:file { getattr open read map };
#line 16
#line 16
# Grant access to the normal services that are available to all apps
allow rkpdapp app_api_service:service_manager find;
# Grant access to media.metrics service, needed for widevine. This
# access is granted to all other apps already (e.g. untrusted_app_all).
allow rkpdapp mediametrics_service:service_manager find;
# Grant access to statsd
allow rkpdapp statsmanager_service:service_manager find;
#line 27
# Call the server domain and optionally transfer references to it.
#line 27
allow rkpdapp statsd:binder { call transfer };
#line 27
# Allow the serverdomain to transfer references to the client on the reply.
#line 27
allow statsd rkpdapp:binder transfer;
#line 27
# Receive and use open files from the server.
#line 27
allow rkpdapp statsd:fd use;
#line 27
#line 1 "system/sepolicy/private/rs.te"
# rs: RenderScript helper process entered from an app domain (see the
# neverallows at the end of rs.te). Files it creates under an app's data
# directory are relabeled to app_exec_data_file by the type_transitions
# below, which is the only app-data file type it may create or write.
# Any files which would have been created as app_data_file and
# privapp_data_file will be created as app_exec_data_file instead.
allow rs { app_data_file privapp_data_file }:dir { { open getattr read search ioctl lock watch watch_reads } add_name write };
allow rs app_exec_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
type_transition rs app_data_file:file app_exec_data_file;
type_transition rs privapp_data_file:file app_exec_data_file;
# Follow /data/user/0 symlink
allow rs system_data_file:lnk_file read;
# Read files from the app home directory.
allow rs { app_data_file privapp_data_file }:file { getattr open read ioctl lock map watch watch_reads };
allow rs { app_data_file privapp_data_file }:dir { open getattr read search ioctl lock watch watch_reads };
# Cleanup app_exec_data_file files in the app home directory.
allow rs { app_data_file privapp_data_file }:dir remove_name;
# Use vendor resources
allow rs vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 20
allow rs vendor_overlay_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 20
allow rs vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 20
#line 21
allow rs vendor_app_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 21
allow rs vendor_app_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 21
# Vendor overlay can be found in vendor apex
allow rs vendor_apex_metadata_file:dir { getattr search };
# Read contents of app apks
#line 26
allow rs apk_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 26
allow rs apk_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 26
# GPU device is read/write; ion is read-only; same-process HAL libraries may
# be mapped executable (they are loaded into this process).
allow rs gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow rs ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow rs same_process_hal_file:file { { getattr open read ioctl lock map watch watch_reads } execute };
# File descriptors passed from app to renderscript
allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
# See b/291211299. Since rs is deprecated, this shouldn't be too dangerous, since new
# renderscript usages shouldn't be popping up.
dontaudit rs { zygote surfaceflinger hal_graphics_allocator }:fd use;
# rs can access app data, so ensure it can only be entered via an app domain and cannot have
# CAP_DAC_OVERRIDE.
# (The first rule is stronger than the comment: rs is denied every capability
# in all four capability classes, not just CAP_DAC_OVERRIDE.)
neverallow rs rs:{ capability capability2 cap_userns cap2_userns } *;
# rs may only be entered from an app domain, and may only leave to crash_dump.
neverallow { domain -appdomain } rs:process { dyntransition transition };
neverallow rs { domain -crash_dump }:process { dyntransition transition };
# Everything carrying app_data_file_type is read-only for rs. Since rs is
# allowed to create/write app_exec_data_file above, that type presumably does
# not carry app_data_file_type -- confirm in file.te.
neverallow rs app_data_file_type:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } ~{ getattr open read ioctl lock map watch watch_reads };
# rs should never use network sockets
neverallow rs *:{ icmp_socket rawip_socket tcp_socket udp_socket } *;
#line 1 "system/sepolicy/private/rss_hwm_reset.te"
# rss_hwm_reset: init-started helper that resets RSS high-water marks by
# writing to /proc/[pid]/clear_refs of other processes.
type rss_hwm_reset_exec, system_file_type, exec_type, file_type;
# Start rss_hwm_reset from init.
#line 4
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init rss_hwm_reset_exec:file { getattr open read execute map };
#line 4
allow init rss_hwm_reset:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow rss_hwm_reset rss_hwm_reset_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init rss_hwm_reset:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init rss_hwm_reset:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition init rss_hwm_reset_exec:process rss_hwm_reset;
#line 4
#line 4
# Search /proc/pid directories.
allow rss_hwm_reset domain:dir search;
# Write to /proc/pid/clear_refs of other processes.
# /proc/pid/clear_refs is S_IWUSR, see: fs/proc/base.c
allow rss_hwm_reset self:{ capability cap_userns } { dac_override };
# Write to /proc/pid/clear_refs.
# NOTE(review): the object here is domain:file, i.e. every /proc/[pid] file
# that carries a process domain's label, not only clear_refs; combined with
# dac_override above, confinement to clear_refs rests on kernel-side checks
# for the individual proc files rather than on this rule -- worth confirming.
allow rss_hwm_reset domain:file { open append write lock map };
#line 1 "system/sepolicy/private/runas.te"
# runas: the run-as binary, entered from shell (ndk-gdb / adb shell run-as).
typeattribute runas coredomain;
# ndk-gdb invokes adb shell run-as.
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow shell runas_exec:file { getattr open read execute map };
#line 4
allow shell runas:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow runas runas_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
# Unlike the init-started daemons in this file, the caller here is shell, so
# the sigchld rule is emitted.
allow runas shell:process sigchld;
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit shell runas:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow shell runas:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition shell runas_exec:process runas;
#line 4
#line 1 "system/sepolicy/private/runas_app.te"
# runas_app: the domain a debuggable app's shell runs in under run-as. It is
# itself an untrusted_app_all member (below) and is exempted from the
# app-isolation neverallows so that debuggers/profilers can inspect apps.
typeattribute runas_app coredomain;
#line 3
typeattribute runas_app appdomain;
#line 3
# Label tmpfs objects for all apps.
#line 3
type_transition runas_app tmpfs:file appdomain_tmpfs;
#line 3
#line 3
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 3
type runas_app_userfaultfd;
#line 3
type_transition runas_app runas_app:anon_inode runas_app_userfaultfd "[userfaultfd]";
#line 3
# Allow domain to create/use userfaultfd anon_inode.
#line 3
allow runas_app runas_app_userfaultfd:anon_inode { create ioctl read };
#line 3
# Suppress errors generated during bugreport
#line 3
dontaudit su runas_app_userfaultfd:anon_inode *;
#line 3
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 3
neverallow { domain -runas_app } runas_app_userfaultfd:anon_inode *;
#line 3
#line 3
allow runas_app appdomain_tmpfs:file { execute getattr map read write };
#line 3
# NOTE(review): the subject set below is { runas_app -runas_app ... }, i.e.
# empty, so this neverallow asserts nothing for this domain. That is
# consistent with the explicit r_file_perms grant on untrusted_app_all files
# further down; it is simply the generic app-domain macro applied to the
# domain that the macro itself exempts.
neverallow { runas_app -runas_app -shell -simpleperf } { domain -runas_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 3
neverallow { appdomain -runas_app -shell -simpleperf -runas_app } runas_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 3
# The Android security model guarantees the confidentiality and integrity
#line 3
# of application data and execution state. Ptrace bypasses those
#line 3
# confidentiality guarantees. Disallow ptrace access from system components to
#line 3
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 3
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 3
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 3
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 3
# live lock conditions.
#line 3
# (runas_app appears twice in the exclusion list; harmless. llkd is not
# excluded by the rule as expanded here.)
neverallow { domain -runas_app -crash_dump -runas_app -simpleperf } runas_app:process ptrace;
#line 3
#line 4
typeattribute runas_app untrusted_app_all;
#line 4
#line 5
typeattribute runas_app netdomain;
#line 5
#line 6
typeattribute runas_app bluetoothdomain;
#line 6
# The ability to call exec() on files in the apps home directories
# when using run-as on a debuggable app. Used to run lldb/ndk-gdb/simpleperf,
# which are copied to the apps home directories.
allow runas_app app_data_file:file execute_no_trans;
# Allow lldb/ndk-gdb/simpleperf to read maps of debuggable app processes.
# NOTE(review): the policy itself cannot distinguish debuggable apps; these
# grants cover every untrusted_app_all process (runas_app included). The
# "debuggable only" property presumably rests on the run-as binary checking
# the target package before transitioning here -- confirm.
#line 14
allow runas_app untrusted_app_all:dir { open getattr read search ioctl lock watch watch_reads };
#line 14
allow runas_app untrusted_app_all:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 14
# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
allow runas_app untrusted_app_all:process { ptrace sigkill signal sigstop };
allow runas_app untrusted_app_all:unix_stream_socket connectto;
# Allow executing system image simpleperf without a domain transition.
allow runas_app simpleperf_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Suppress denial logspam when simpleperf is trying to find a matching process
# by scanning /proc/[pid]/cmdline files. The /proc/[pid] directories are within
# the same domain as their respective process, most of which this domain is not
# allowed to see.
dontaudit runas_app domain:dir search;
# Allow runas_app to call perf_event_open for profiling debuggable app
# processes, but not the whole system.
# The neverallow pins the perf_event permission set to exactly these four;
# notably cpu and tracepoint are excluded.
allow runas_app self:perf_event { open read write kernel };
neverallow runas_app self:perf_event ~{ open read write kernel };
# Suppress bionic loader denial /data/local/tests directories.
dontaudit runas_app shell_test_data_file:dir search;
#line 1 "system/sepolicy/private/sdcardd.te"
# sdcardd: only the coredomain attribute and a default labeling transition
# (objects created under system_data_file become media_rw_data_file) are
# defined here.
typeattribute sdcardd coredomain;
type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
#line 1 "system/sepolicy/private/sdk_sandbox_34.te"
###
### SDK Sandbox process.
###
### This file defines the security policy for the sdk sandbox processes
### for targetSdkVersion=34.
type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
#line 8
typeattribute sdk_sandbox_34 netdomain;
#line 8
#line 9
typeattribute sdk_sandbox_34 appdomain;
#line 9
# Label tmpfs objects for all apps.
#line 9
type_transition sdk_sandbox_34 tmpfs:file appdomain_tmpfs;
#line 9
#line 9
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 9
type sdk_sandbox_34_userfaultfd;
#line 9
type_transition sdk_sandbox_34 sdk_sandbox_34:anon_inode sdk_sandbox_34_userfaultfd "[userfaultfd]";
#line 9
# Allow domain to create/use userfaultfd anon_inode.
#line 9
allow sdk_sandbox_34 sdk_sandbox_34_userfaultfd:anon_inode { create ioctl read };
#line 9
# Suppress errors generated during bugreport
#line 9
dontaudit su sdk_sandbox_34_userfaultfd:anon_inode *;
#line 9
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 9
neverallow { domain -sdk_sandbox_34 } sdk_sandbox_34_userfaultfd:anon_inode *;
#line 9
#line 9
allow sdk_sandbox_34 appdomain_tmpfs:file { execute getattr map read write };
#line 9
neverallow { sdk_sandbox_34 -runas_app -shell -simpleperf } { domain -sdk_sandbox_34 }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 9
neverallow { appdomain -runas_app -shell -simpleperf -sdk_sandbox_34 } sdk_sandbox_34:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 9
# The Android security model guarantees the confidentiality and integrity
#line 9
# of application data and execution state. Ptrace bypasses those
#line 9
# confidentiality guarantees. Disallow ptrace access from system components to
#line 9
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 9
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 9
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 9
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 9
# live lock conditions.
#line 9
# NOTE(review): llkd is mentioned above but not excluded by the rule as
# expanded here (presumably a build-variant-conditional exclusion).
neverallow { domain -sdk_sandbox_34 -crash_dump -runas_app -simpleperf } sdk_sandbox_34:process ptrace;
#line 9
#line 1 "system/sepolicy/private/sdk_sandbox_all.te"
###
### sdk_sandbox_all
###
### This file defines the rules shared by all sdk_sandbox_all domains.
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
### directory). The sdk_sandbox_all attribute is assigned to all default
### seapp_contexts for any app with UID between FIRST_SDK_SANDBOX_UID (20000)
### and LAST_SDK_SANDBOX_UID (29999) if the app has no specific seinfo
### value as determined from mac_permissions.xml.
allow sdk_sandbox_all system_linker_exec:file execute_no_trans;
# Required to read CTS tests data from the shell_data_file location.
# NOTE(review): this test-only read access ships in the production policy;
# see the TODO(b/280514080) next to the app_data_file_type neverallow below.
allow sdk_sandbox_all shell_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow sdk_sandbox_all shell_data_file:dir { open getattr read search ioctl lock watch watch_reads };
# allow sdk sandbox to use UDP sockets provided by the system server but not
# modify them other than to connect
# NOTE(review): the permission set is wider than "connect": it also includes
# read/write/recvfrom/sendto and getopt/setopt. What is withheld is
# create/bind/listen/accept and the like.
allow sdk_sandbox_all system_server:udp_socket { connect getattr read recvfrom sendto write getopt setopt };
# allow sandbox to search in sdk system server directory
# additionally, for webview to work, getattr has been permitted
allow sdk_sandbox_all sdk_sandbox_system_data_file:dir { getattr search };
# allow sandbox to create files and dirs in sdk data directory
allow sdk_sandbox_all sdk_sandbox_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow sdk_sandbox_all sdk_sandbox_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# allow apps to pass open fds to the sdk sandbox
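# getattr/read only, deliberately without open: the sandbox can use app data
# descriptors it is handed but cannot open app data files itself.
allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read };
###
### neverallow rules
###
neverallow sdk_sandbox_all app_data_file_type:file { execute execute_no_trans };
# Receive or send uevent messages.
neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow sdk_sandbox_all domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow sdk_sandbox_all debugfs_type:file read;
# execute gpu_device
neverallow sdk_sandbox_all gpu_device:chr_file execute;
# access files in /sys with the default sysfs label
neverallow sdk_sandbox_all sysfs:file *;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow sdk_sandbox_all proc:file { { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads } { execute execute_no_trans } };
# Directly access external storage
neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:file {open create};
neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:dir search;
# Avoid reads to proc_net, it contains too much device wide information about
# ongoing connections.
neverallow sdk_sandbox_all proc_net:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
# TODO(b/280514080): shell_data_file shouldn't be allowed here
# The file-class rule permits exactly the { getattr read } granted at the top
# of this block and nothing else.
neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:dir { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:file ~{ getattr read };
# SDK sandbox processes don't have any access to external storage
neverallow sdk_sandbox_all { media_rw_data_file }:dir { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow sdk_sandbox_all { media_rw_data_file }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow { sdk_sandbox_all } tmpfs:dir { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow sdk_sandbox_all hal_drm_service:service_manager find;
# Only certain system components should have access to sdk_sandbox_system_data_file
# sdk_sandbox_all only needs search. Restricted in follow up neverallow rule.
# (This pair previously appeared twice, verbatim, under a comment naming a
# non-existent "sdk_sandbox_all_system_data_file" type; the duplicate has
# been dropped. neverallow is an assertion, so policy semantics are unchanged.)
neverallow { domain -init -installd -system_server -vold_prepare_subdirs } sdk_sandbox_system_data_file:dir { relabelfrom };
neverallow { domain -init -installd -sdk_sandbox_all -system_server -vold_prepare_subdirs -zygote } sdk_sandbox_system_data_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelto };
# sdk_sandbox_all only needs to traverse through the sdk_sandbox_system_data_file
neverallow sdk_sandbox_all sdk_sandbox_system_data_file:dir ~{ getattr search };
# Only dirs should be created at sdk_sandbox_system_data_file level
neverallow { domain -init } sdk_sandbox_system_data_file:file *;
#line 1 "system/sepolicy/private/sdk_sandbox_audit.te"
###
### SDK Sandbox process.
###
### This file defines the audit sdk sandbox security policy for
### the set of restrictions proposed for the next SDK level.
###
### The sdk_sandbox_audit domain has the same rules as the
### sdk_sandbox_current domain and additional auditing rules
### for the accesses we are considering forbidding in the upcoming
### sdk_sandbox_next domain.
type sdk_sandbox_audit, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
#line 13
typeattribute sdk_sandbox_audit netdomain;
#line 13
#line 14
typeattribute sdk_sandbox_audit appdomain;
#line 14
# Label tmpfs objects for all apps.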
#line 14
# appdomain_tmpfs is the shared tmpfs label used by every domain that goes
# through app_domain(); it is writable AND executable (see the allow below).
type_transition sdk_sandbox_audit tmpfs:file appdomain_tmpfs;
#line 14
#line 14
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 14
type sdk_sandbox_audit_userfaultfd;
#line 14
type_transition sdk_sandbox_audit sdk_sandbox_audit:anon_inode sdk_sandbox_audit_userfaultfd "[userfaultfd]";
#line 14
# Allow domain to create/use userfaultfd anon_inode.
#line 14
allow sdk_sandbox_audit sdk_sandbox_audit_userfaultfd:anon_inode { create ioctl read };
#line 14
# Suppress errors generated during bugreport
#line 14
dontaudit su sdk_sandbox_audit_userfaultfd:anon_inode *;
#line 14
# Other domains may not use userfaultfd anon_inodes created by this domain.
# (Per-domain userfaultfd labels exist so one process cannot be handed
# another domain's fault-handling fd.)
#line 14
neverallow { domain -sdk_sandbox_audit } sdk_sandbox_audit_userfaultfd:anon_inode *;
#line 14
#line 14
# W+X on a label shared by all app domains; this is the standard app_domain()
# grant, called out here because it is the broadest permission in the block.
allow sdk_sandbox_audit appdomain_tmpfs:file { execute getattr map read write };
#line 14
# No reading/writing of other domains' process files (/proc/<pid>/... entries
# carry the owning domain's type). runas_app/shell/simpleperf are exempt in
# the macro, but they are not members of the subject set here, so for this
# domain the rule is unconditional.
#line 14
neverallow { sdk_sandbox_audit -runas_app -shell -simpleperf } { domain -sdk_sandbox_audit }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 14
# ...and the reverse: other app domains may not touch this domain's process
# files, except the debugging helpers.
neverallow { appdomain -runas_app -shell -simpleperf -sdk_sandbox_audit } sdk_sandbox_audit:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 14
# The Android security model guarantees the confidentiality and integrity
#line 14
# of application data and execution state. Ptrace bypasses those
#line 14
# confidentiality guarantees. Disallow ptrace access from system components to
#line 14
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 14
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 14
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 14
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 14
# live lock conditions.
#line 14
# NOTE(review): the comment above still says llkd is excluded, but the rule
# does not carve out llkd (only crash_dump, runas_app and simpleperf). Either
# the comment is stale or llkd lost an exemption it needs; confirm against the
# app_domain() macro definition.
neverallow { domain -sdk_sandbox_audit -crash_dump -runas_app -simpleperf } sdk_sandbox_audit:process ptrace;
#line 14
# Auditallow rules for accesses that are currently allowed but we
# might remove in the future.
# These four services are exactly the ones present in the sdk_sandbox_current
# find allowlist but absent from the sdk_sandbox_next one, so hits logged here
# measure the impact of the planned removal.
auditallow sdk_sandbox_audit { cameraserver_service ephemeral_app_api_service mediadrmserver_service radio_service }:service_manager find;
# Log any read or write of a non-system property (property_type minus
# system_property_type - presumably vendor/partner-defined ones).
auditallow sdk_sandbox_audit { property_type -system_property_type }:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
auditallow sdk_sandbox_audit { property_type -system_property_type }:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
#line 1 "system/sepolicy/private/sdk_sandbox_current.te"
###
### SDK Sandbox process.
###
### This file defines the security policy for the sdk sandbox processes
### for the current SDK level.
# Allow finding services. This is different from ephemeral_app policy.
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
# This allowlist is also inherited by sdk_sandbox_audit via its
# sdk_sandbox_current attribute. Compared with sdk_sandbox_next it additionally
# contains cameraserver_service, ephemeral_app_api_service,
# mediadrmserver_service and radio_service.
allow sdk_sandbox_current { activity_service activity_task_service appops_service audio_service audioserver_service batteryproperties_service batterystats_service cameraserver_service connectivity_service connmetrics_service deviceidle_service display_service dropbox_service ephemeral_app_api_service font_service game_service gpu_service graphicsstats_service hardware_properties_service hint_service imms_service input_method_service input_service IProxyService_service ipsec_service launcherapps_service legacy_permission_service light_service locale_service media_communication_service mediadrmserver_service mediaextractor_service mediametrics_service media_projection_service media_router_service mediaserver_service media_session_service memtrackproxy_service midi_service netpolicy_service netstats_service network_management_service notification_service package_service permission_checker_service permission_service permissionmgr_service platform_compat_service power_service procstats_service radio_service registry_service restrictions_service rttmanager_service search_service selection_toolbar_service sensor_privacy_service sensorservice_service servicediscovery_service settings_service speech_recognition_service statusbar_service storagestats_service surfaceflinger_service telecom_service tethering_service textclassification_service textservices_service texttospeech_service thermal_service translation_service tv_iapp_service tv_input_service uimode_service vcn_management_service webviewupdate_service }:service_manager find;
#line 1 "system/sepolicy/private/sdk_sandbox_next.te"
###
### SDK Sandbox process.
###
### This file defines the security policy for the sdk sandbox processes
### for a test set of restrictions. These restrictions will be adapted
### with modifications, into the set of restrictions for the next SDK
### level.
# Unlike sdk_sandbox_audit, this type does NOT carry sdk_sandbox_current, so it
# receives only rules written for sdk_sandbox_next itself, for sdk_sandbox_all,
# or for appdomain/netdomain/coredomain.
type sdk_sandbox_next, domain, coredomain, sdk_sandbox_all;
#line 10
typeattribute sdk_sandbox_next netdomain;
#line 10
#line 11
# Expansion of app_domain(sdk_sandbox_next) (all markers say line 11).
typeattribute sdk_sandbox_next appdomain;
#line 11
# Label tmpfs objects for all apps.
#line 11
type_transition sdk_sandbox_next tmpfs:file appdomain_tmpfs;
#line 11
#line 11
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 11
type sdk_sandbox_next_userfaultfd;
#line 11
type_transition sdk_sandbox_next sdk_sandbox_next:anon_inode sdk_sandbox_next_userfaultfd "[userfaultfd]";
#line 11
# Allow domain to create/use userfaultfd anon_inode.
#line 11
allow sdk_sandbox_next sdk_sandbox_next_userfaultfd:anon_inode { create ioctl read };
#line 11
# Suppress errors generated during bugreport
#line 11
dontaudit su sdk_sandbox_next_userfaultfd:anon_inode *;
#line 11
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 11
neverallow { domain -sdk_sandbox_next } sdk_sandbox_next_userfaultfd:anon_inode *;
#line 11
#line 11
# W+X on the tmpfs label shared by all app domains (standard app_domain grant).
allow sdk_sandbox_next appdomain_tmpfs:file { execute getattr map read write };
#line 11
# No access to other domains' /proc/<pid> files. The runas_app/shell/simpleperf
# carve-outs are no-ops here since the subject set only contains this domain.
neverallow { sdk_sandbox_next -runas_app -shell -simpleperf } { domain -sdk_sandbox_next }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 11
neverallow { appdomain -runas_app -shell -simpleperf -sdk_sandbox_next } sdk_sandbox_next:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 11
# The Android security model guarantees the confidentiality and integrity
#line 11
# of application data and execution state. Ptrace bypasses those
#line 11
# confidentiality guarantees. Disallow ptrace access from system components to
#line 11
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 11
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 11
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 11
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 11
# live lock conditions.
#line 11
# NOTE(review): llkd is not actually in the exemption list below despite the
# comment above; the comment appears stale.
neverallow { domain -sdk_sandbox_next -crash_dump -runas_app -simpleperf } sdk_sandbox_next:process ptrace;
#line 11
# Allow finding services. This is different from ephemeral_app policy.
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
# Same list as sdk_sandbox_current minus cameraserver_service,
# ephemeral_app_api_service, mediadrmserver_service and radio_service - the
# four services sdk_sandbox_audit logs with auditallow.
allow sdk_sandbox_next { activity_service activity_task_service appops_service audio_service audioserver_service batteryproperties_service batterystats_service connectivity_service connmetrics_service deviceidle_service display_service dropbox_service font_service game_service gpu_service graphicsstats_service hardware_properties_service hint_service imms_service input_method_service input_service IProxyService_service ipsec_service launcherapps_service legacy_permission_service light_service locale_service media_communication_service mediaextractor_service mediametrics_service media_projection_service media_router_service mediaserver_service media_session_service memtrackproxy_service midi_service netpolicy_service netstats_service network_management_service notification_service package_service permission_checker_service permission_service permissionmgr_service platform_compat_service power_service procstats_service registry_service restrictions_service rttmanager_service search_service selection_toolbar_service sensor_privacy_service sensorservice_service servicediscovery_service settings_service speech_recognition_service statusbar_service storagestats_service surfaceflinger_service telecom_service tethering_service textclassification_service textservices_service texttospeech_service thermal_service translation_service tv_iapp_service tv_input_service uimode_service vcn_management_service webviewupdate_service }:service_manager find;
#line 1 "system/sepolicy/private/secure_element.te"
# secure element subsystem
typeattribute secure_element coredomain;
#line 3
# Expansion of app_domain(secure_element) (all markers say line 3).
typeattribute secure_element appdomain;
#line 3
# Label tmpfs objects for all apps.
#line 3
type_transition secure_element tmpfs:file appdomain_tmpfs;
#line 3
#line 3
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 3
type secure_element_userfaultfd;
#line 3
type_transition secure_element secure_element:anon_inode secure_element_userfaultfd "[userfaultfd]";
#line 3
# Allow domain to create/use userfaultfd anon_inode.
#line 3
allow secure_element secure_element_userfaultfd:anon_inode { create ioctl read };
#line 3
# Suppress errors generated during bugreport
#line 3
dontaudit su secure_element_userfaultfd:anon_inode *;
#line 3
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 3
neverallow { domain -secure_element } secure_element_userfaultfd:anon_inode *;
#line 3
#line 3
allow secure_element appdomain_tmpfs:file { execute getattr map read write };
#line 3
neverallow { secure_element -runas_app -shell -simpleperf } { domain -secure_element }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 3
neverallow { appdomain -runas_app -shell -simpleperf -secure_element } secure_element:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 3
# The Android security model guarantees the confidentiality and integrity
#line 3
# of application data and execution state. Ptrace bypasses those
#line 3
# confidentiality guarantees. Disallow ptrace access from system components to
#line 3
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 3
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 3
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 3
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 3
# live lock conditions.
#line 3
# NOTE(review): llkd is not in the exemption list despite the comment above.
neverallow { domain -secure_element -crash_dump -runas_app -simpleperf } secure_element:process ptrace;
#line 3
#line 5
typeattribute secure_element binderservicedomain;
#line 5
#line 6
# secure_element both registers and looks up its own service; the neverallow
# guarantees no other domain can register (and thereby impersonate) it.
allow secure_element secure_element_service:service_manager { add find };
#line 6
neverallow { domain -secure_element } secure_element_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
#line 6
# (The debug-only block described by the two comments above expanded to
# nothing in this build variant - presumably a userdebug/eng guard.)
# Broad grant: every service carrying the app_api_service attribute is
# discoverable from secure_element.
allow secure_element app_api_service:service_manager find;
#line 9
typeattribute secure_element halclientdomain;
#line 9
typeattribute secure_element hal_secure_element_client;
#line 9
#line 9
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 9
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 9
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 9
#line 9
# Passthrough-mode consequence: this app process is also given the server-side
# hal_secure_element attribute, so every rule written for the HAL
# implementation (e.g. executing files under vendor_file below) applies to the
# secure_element app as well.
typeattribute secure_element hal_secure_element;
#line 9
# Find passthrough HAL implementations
#line 9
allow hal_secure_element system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow hal_secure_element vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow hal_secure_element vendor_file:file { read open getattr execute map };
#line 9
#line 9
# already open bugreport file descriptors may be shared with
# the secure element process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*.
# read only - no open. secure_element cannot open shell_data_file itself; it
# can only consume a descriptor that was already opened and handed to it.
allow secure_element shell_data_file:file read;
allow secure_element vendor_uuid_mapping_config_file:file { getattr open read ioctl lock map watch watch_reads };
#line 1 "system/sepolicy/private/service.te"
# Service type declarations. The attributes decide who may find a service:
#  - app_api_service: discoverable by domains with a generic
#    "allow X app_api_service:service_manager find" rule (e.g. secure_element
#    above), i.e. ordinary apps.
#  - system_api_service: presumably the privileged/system-app equivalent.
#  - system_server_service: marks the service as registered by system_server.
# Types with only service_manager_type (compos_service, gsi_service,
# logd_service, profcollectd_service, rkpd_*, stats_service, uce_service) are
# not in any of those groups and need explicit per-domain find rules.
type adaptive_auth_service, system_server_service, service_manager_type;
type ambient_context_service, app_api_service, system_server_service, service_manager_type;
type attention_service, system_server_service, service_manager_type;
type bg_install_control_service, system_api_service, system_server_service, service_manager_type;
type compos_service, service_manager_type;
type communal_service, app_api_service, system_server_service, service_manager_type;
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
type feature_flags_service, app_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type logcat_service, system_server_service, service_manager_type;
type logd_service, service_manager_type;
type mediatuner_service, app_api_service, service_manager_type;
type profcollectd_service, service_manager_type;
type resolver_service, system_server_service, service_manager_type;
type rkpd_registrar_service, service_manager_type;
type rkpd_refresh_service, service_manager_type;
type safety_center_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type stats_service, service_manager_type;
type statsbootstrap_service, system_server_service, service_manager_type;
type statscompanion_service, system_server_service, service_manager_type;
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
type tracingproxy_service, system_server_service, service_manager_type;
type transparency_service, system_server_service, service_manager_type;
#line 28
#line 31
# (Source lines 28-30 produced no declarations in this build - likely a
# build-variant conditional.)
type uce_service, service_manager_type;
type wearable_sensing_service, app_api_service, system_server_service, service_manager_type;
#line 1 "system/sepolicy/private/servicemanager.te"
typeattribute servicemanager coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
# init_daemon_domain(servicemanager) expansion: init execs servicemanager_exec
# and the process lands in the servicemanager domain.
allow init servicemanager_exec:file { getattr open read execute map };
#line 3
allow init servicemanager:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow servicemanager servicemanager_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
# (No sigchld rule follows the comment above in this expansion; presumably
# covered elsewhere for init-started daemons.)
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init servicemanager:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
# Child inherits init's signal state and rlimits across the exec.
allow init servicemanager:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init servicemanager_exec:process servicemanager;
#line 3
#line 3
#line 5
allow servicemanager runtime_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads };
#line 5
#line 7
#line 7
# set_prop(servicemanager, ctl_interface_start_prop): connecting to init's
# property socket and setting ctl.interface_start.* lets servicemanager ask
# init to launch lazy HAL services on demand. This is a privileged capability
# (it starts processes via init), which is why it is scoped to one prop type.
allow servicemanager property_socket:sock_file write;
#line 7
allow servicemanager init:unix_stream_socket connectto;
#line 7
#line 7
allow servicemanager ctl_interface_start_prop:property_service set;
#line 7
#line 7
allow servicemanager ctl_interface_start_prop:file { getattr open read map };
#line 7
#line 7
#line 8
#line 8
# set_prop(servicemanager, servicemanager_prop). The socket/connectto lines are
# repeated because each set_prop() expansion emits them.
allow servicemanager property_socket:sock_file write;
#line 8
allow servicemanager init:unix_stream_socket connectto;
#line 8
#line 8
allow servicemanager servicemanager_prop:property_service set;
#line 8
#line 8
allow servicemanager servicemanager_prop:file { getattr open read map };
#line 8
#line 8
# servicemanager is using bootstrap bionic
#line 11
allow servicemanager system_bootstrap_lib_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 11
allow servicemanager system_bootstrap_lib_file:file { execute read open getattr map };
#line 11
# servicemanager is using apex_info via libvintf
#line 14
# Read-only access to APEX metadata (/apex mount dir, apex-info-list and the
# vendor APEX metadata); no write or execute is granted here.
allow servicemanager apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads };
#line 14
allow servicemanager apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
#line 14
#line 14
allow servicemanager vendor_apex_metadata_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 14
allow servicemanager vendor_apex_metadata_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 14
#line 14
#line 1 "system/sepolicy/private/sgdisk.te"
typeattribute sgdisk coredomain;
#line 1 "system/sepolicy/private/shared_relro.te"
typeattribute shared_relro coredomain;
# The shared relro process is a Java program forked from the zygote, so it
# inherits from app to get basic permissions it needs to run.
#line 5
# Expansion of app_domain(shared_relro) (all markers say line 5).
typeattribute shared_relro appdomain;
#line 5
# Label tmpfs objects for all apps.
#line 5
type_transition shared_relro tmpfs:file appdomain_tmpfs;
#line 5
#line 5
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 5
type shared_relro_userfaultfd;
#line 5
type_transition shared_relro shared_relro:anon_inode shared_relro_userfaultfd "[userfaultfd]";
#line 5
# Allow domain to create/use userfaultfd anon_inode.
#line 5
allow shared_relro shared_relro_userfaultfd:anon_inode { create ioctl read };
#line 5
# Suppress errors generated during bugreport
#line 5
dontaudit su shared_relro_userfaultfd:anon_inode *;
#line 5
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 5
neverallow { domain -shared_relro } shared_relro_userfaultfd:anon_inode *;
#line 5
#line 5
# W+X on the tmpfs label shared by all app domains (standard app_domain grant).
allow shared_relro appdomain_tmpfs:file { execute getattr map read write };
#line 5
# No access to other domains' /proc/<pid> files; the runas_app/shell/simpleperf
# carve-outs are no-ops here since the subject set only contains this domain.
neverallow { shared_relro -runas_app -shell -simpleperf } { domain -shared_relro }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 5
neverallow { appdomain -runas_app -shell -simpleperf -shared_relro } shared_relro:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 5
# The Android security model guarantees the confidentiality and integrity
#line 5
# of application data and execution state. Ptrace bypasses those
#line 5
# confidentiality guarantees. Disallow ptrace access from system components to
#line 5
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 5
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 5
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 5
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 5
# live lock conditions.
#line 5
# NOTE(review): llkd is not in the exemption list despite the comment above.
neverallow { domain -shared_relro -crash_dump -runas_app -simpleperf } shared_relro:process ptrace;
#line 5
# rw_dir_perms + create_file_perms on shared_relro_file: this domain produces
# the relro file that other processes later map. Integrity of that output
# therefore rests on nothing else being able to write shared_relro_file
# (not visible in this file - confirm in file_contexts / other .te files).
allow shared_relro shared_relro_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow shared_relro shared_relro_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Minimal service surface: only the three services needed to locate the
# WebView package are discoverable.
allow shared_relro activity_service:service_manager find;
allow shared_relro webviewupdate_service:service_manager find;
allow shared_relro package_service:service_manager find;
# StrictMode may attempt to find this service, failure is harmless.
dontaudit shared_relro network_management_service:service_manager find;
#line 1 "system/sepolicy/private/shell.te"
# mlstrustedsubject exempts shell from MLS (per-user level) constraints, so it
# can reach objects belonging to any Android user - appropriate only because
# this is the adb debugging domain.
typeattribute shell coredomain, mlstrustedsubject;
# allow shell input injection
# Full rw on the uhid character device lets shell create virtual HID devices
# and synthesize arbitrary input events (this is what `adb shell input` and
# test frameworks rely on). Treat as a trusted-debugger capability.
allow shell uhid_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# systrace support - allow atrace to run
# Write access to tracefs files means shell can enable/disable trace events and
# tracing itself, not just read trace output.
allow shell debugfs_tracing_debug:dir { open getattr read search ioctl lock watch watch_reads };
allow shell debugfs_tracing:dir { open getattr read search ioctl lock watch watch_reads };
allow shell debugfs_tracing:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow shell debugfs_trace_marker:file getattr;
# execute_no_trans: atrace runs in the shell domain itself, no transition.
allow shell atrace_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 15
# (Source lines 13-14 expanded to nothing in this build - presumably a
# userdebug/eng-only block.)
# read config.gz for CTS purposes
allow shell config_gz:file { getattr open read ioctl lock map watch watch_reads };
# allow reading tombstones. users can already use bugreports to get those.
allow shell tombstone_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow shell tombstone_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Run app_process.
# XXX Transition into its own domain?
#line 26
# Expansion of app_domain(shell) (all markers say line 26). Note that shell is
# itself one of the domains the macro exempts from its neverallows.
typeattribute shell appdomain;
#line 26
# Label tmpfs objects for all apps.
#line 26
type_transition shell tmpfs:file appdomain_tmpfs;
#line 26
#line 26
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 26
type shell_userfaultfd;
#line 26
type_transition shell shell:anon_inode shell_userfaultfd "[userfaultfd]";
#line 26
# Allow domain to create/use userfaultfd anon_inode.
#line 26
allow shell shell_userfaultfd:anon_inode { create ioctl read };
#line 26
# Suppress errors generated during bugreport
#line 26
dontaudit su shell_userfaultfd:anon_inode *;
#line 26
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 26
neverallow { domain -shell } shell_userfaultfd:anon_inode *;
#line 26
#line 26
# W+X on the tmpfs label shared by all app domains (standard app_domain grant).
allow shell appdomain_tmpfs:file { execute getattr map read write };
#line 26
# NOTE(review): the subject set { shell -runas_app -shell -simpleperf } is
# EMPTY - shell is one of the macro's exemptions - so this neverallow
# constrains nothing for the shell domain. Protection of other domains'
# /proc/<pid> files against shell therefore comes only from the absence of
# allow rules, not from a compile-time assertion.
neverallow { shell -runas_app -shell -simpleperf } { domain -shell }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 26
# The double "-shell" below is harmless; shell is excluded either way.
neverallow { appdomain -runas_app -shell -simpleperf -shell } shell:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 26
# The Android security model guarantees the confidentiality and integrity
#line 26
# of application data and execution state. Ptrace bypasses those
#line 26
# confidentiality guarantees. Disallow ptrace access from system components to
#line 26
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 26
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 26
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 26
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 26
# live lock conditions.
#line 26
# NOTE(review): llkd is not in the exemption list despite the comment above.
neverallow { domain -shell -crash_dump -runas_app -simpleperf } shell:process ptrace;
#line 26
# allow shell to call dumpsys storaged
#line 29
# binder_call(shell, storaged) expansion.
# Call the server domain and optionally transfer references to it.
#line 29
allow shell storaged:binder { call transfer };
#line 29
# Allow the serverdomain to transfer references to the client on the reply.
#line 29
allow storaged shell:binder transfer;
#line 29
# Receive and use open files from the server.
#line 29
allow shell storaged:fd use;
#line 29
# Perform SELinux access checks, needed for CTS
#line 32
#line 32
# selinux_check_access(shell) expansion. Writing selinuxfs files is how
# compute_av queries are submitted (/sys/fs/selinux/access). The dangerous
# selinuxfs writes (enforce, load) are additionally gated by the separate
# kernel:security permissions setenforce / load_policy, which are not granted
# to shell here - only compute_av and, below, check_context are.
allow shell selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 32
allow shell selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 32
#line 32
allow shell selinuxfs:file { open append write lock map };
#line 32
allow shell kernel:security compute_av;
#line 32
# Full netlink_selinux_socket perms on self: needed to receive policy-change /
# AVC notifications while running access checks.
allow shell self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
#line 32
#line 33
#line 33
# selinux_check_context(shell) expansion (selinuxfs rules repeated by the
# macro; only check_context is new).
allow shell selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 33
allow shell selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 33
#line 33
allow shell selinuxfs:file { open append write lock map };
#line 33
allow shell kernel:security check_context;
#line 33
# Control Perfetto traced and obtain traces from it.
# Needed for Studio and debugging.
#line 37
# Consumer side: shell may connect to traced's consumer socket (start/stop
# tracing sessions and read traces back).
allow shell traced_consumer_socket:sock_file write;
#line 37
allow shell traced:unix_stream_socket connectto;
#line 37
# Allow shell binaries to write trace data to Perfetto. Used for testing and
# cmdline utils.
#line 41
# Producer side: shell may feed trace data into traced via the producer
# socket and the shared-memory buffer (traced_tmpfs) exchanged over fds.
allow shell traced:fd use;
#line 41
allow shell traced_tmpfs:file { read write getattr map };
#line 41
#line 41
allow shell traced_producer_socket:sock_file write;
#line 41
allow shell traced:unix_stream_socket connectto;
#line 41
#line 41
#line 41
# Also allow the service to use the producer file descriptors. This is
#line 41
# necessary when the producer is creating the shared memory, as it will be
#line 41
# passed to the service as a file descriptor (obtained from memfd_create).
#line 41
allow traced shell:fd use;
#line 41
#line 43
# domain_auto_trans(shell, vendor_shell_exec, vendor_shell) expansion begins
# here and continues on the following lines.
# Allow the necessary permissions.
#line 43
#line 43
# Old domain may exec the file and transition to the new domain.
#line 43
# shell -> vendor_shell transition (vendor-provided shell binaries run in
# their own domain rather than inheriting shell's permissions).
allow shell vendor_shell_exec:file { getattr open read execute map };
#line 43
allow shell vendor_shell:process transition;
#line 43
# New domain is entered by executing the file.
#line 43
allow vendor_shell vendor_shell_exec:file { entrypoint open read execute getattr map };
#line 43
# New domain can send SIGCHLD to its caller.
#line 43
allow vendor_shell shell:process sigchld;
#line 43
# Enable AT_SECURE, i.e. libc secure mode.
#line 43
dontaudit shell vendor_shell:process noatsecure;
#line 43
# XXX dontaudit candidate but requires further study.
#line 43
# The child keeps shell's pending signals and rlimits across the exec.
allow shell vendor_shell:process { siginh rlimitinh };
#line 43
#line 43
# Make the transition occur by default.
#line 43
type_transition shell vendor_shell_exec:process vendor_shell;
#line 43
# Allow shell binaries to exec the perfetto cmdline util and have that
# transition into its own domain, so that it behaves consistently to
# when exec()-d by statsd.
#line 48
# domain_auto_trans(shell, perfetto_exec, perfetto) expansion.
# Allow the necessary permissions.
#line 48
#line 48
# Old domain may exec the file and transition to the new domain.
#line 48
allow shell perfetto_exec:file { getattr open read execute map };
#line 48
allow shell perfetto:process transition;
#line 48
# New domain is entered by executing the file.
#line 48
allow perfetto perfetto_exec:file { entrypoint open read execute getattr map };
#line 48
# New domain can send SIGCHLD to its caller.
#line 48
allow perfetto shell:process sigchld;
#line 48
# Enable AT_SECURE, i.e. libc secure mode.
#line 48
dontaudit shell perfetto:process noatsecure;
#line 48
# XXX dontaudit candidate but requires further study.
#line 48
allow shell perfetto:process { siginh rlimitinh };
#line 48
#line 48
# Make the transition occur by default.
#line 48
type_transition shell perfetto_exec:process perfetto;
#line 48
# Allow to send SIGINT to perfetto when daemonized.
allow shell perfetto:process signal;
# Allow shell to run adb shell cmd stats commands. Needed for CTS.
#line 53
# binder_call(shell, statsd) expansion.
# Call the server domain and optionally transfer references to it.
#line 53
allow shell statsd:binder { call transfer };
#line 53
# Allow the serverdomain to transfer references to the client on the reply.
#line 53
allow statsd shell:binder transfer;
#line 53
# Receive and use open files from the server.
#line 53
allow shell statsd:fd use;
#line 53
# Stray ';' left by writing the macro invocation with a trailing semicolon;
# checkpolicy accepts an empty statement, so it is harmless.
;
# Allow shell to read and unlink traces stored in /data/misc/a11ytraces.
#line 59
# (The a11ytraces rules announced by the comment above expanded to nothing in
# this build; the comment is orphaned here.)
# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
# rw_dir_perms on the directory plus r_file_perms + unlink on files: shell can
# list, read and delete traces but cannot create or modify them.
allow shell perfetto_traces_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow shell perfetto_traces_data_file:file { { getattr open read ioctl lock map watch watch_reads } unlink };
# ... and /data/misc/perfetto-traces/bugreport/ .
allow shell perfetto_traces_bugreport_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow shell perfetto_traces_bugreport_data_file:file { { getattr open read ioctl lock map watch watch_reads } unlink };
# Allow shell to create/remove configs stored in /data/misc/perfetto-configs.
# Unlike traces, configs get full create_file_perms: shell can author the
# trace configs that traced will later consume.
allow shell perfetto_configs_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow shell perfetto_configs_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow shell to run adb shell cmd gpu commands.
#line 73
# binder_call(shell, gpuservice) expansion.
# Call the server domain and optionally transfer references to it.
#line 73
allow shell gpuservice:binder { call transfer };
#line 73
# Allow the serverdomain to transfer references to the client on the reply.
#line 73
allow gpuservice shell:binder transfer;
#line 73
# Receive and use open files from the server.
#line 73
allow shell gpuservice:fd use;
#line 73
# Stray ';' from the macro invocation; harmless empty statement.
;
# Allow shell to use atrace HAL
#line 76
# hal_client_domain(shell, hal_atrace) expansion.
typeattribute shell halclientdomain;
#line 76
typeattribute shell hal_atrace_client;
#line 76
#line 76
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 76
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 76
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 76
#line 76
# Passthrough-mode consequence: shell also gets the server-side hal_atrace
# attribute, so any rule granted to the atrace HAL implementation applies to
# shell too.
typeattribute shell hal_atrace;
#line 76
# Find passthrough HAL implementations
#line 76
allow hal_atrace system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 76
allow hal_atrace vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 76
allow hal_atrace vendor_file:file { read open getattr execute map };
#line 76
#line 76
# For hostside tests such as CTS listening ports test.
allow shell proc_net_tcp_udp:file { getattr open read ioctl lock map watch watch_reads };
# The dl.exec_linker* tests need to execute /system/bin/linker
# b/124789393
# NOTE(review): execute_no_trans on the dynamic linker means shell can run
# `linker64 <any-binary>` and have that binary execute under the shell label,
# bypassing whatever exec-time domain transition the binary's own type would
# normally trigger. Acceptable for a debug domain, but worth remembering when
# reasoning about shell's effective privileges.
allow shell system_linker_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Renderscript host side tests depend on being able to execute
# /system/bin/bcc (b/126388046)
allow shell rs_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow (host-driven) ART run-tests to execute dex2oat, in order to
# check ART's compiler.
allow shell dex2oat_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow shell dex2oat_exec:lnk_file read;
# Allow shell to start and communicate with lpdumpd.
#line 95
#line 95
# set_prop(shell, lpdumpd_prop) expansion: the property_socket / connectto
# lines are re-emitted by every set_prop() below; what differs is the
# property type shell is allowed to set.
allow shell property_socket:sock_file write;
#line 95
allow shell init:unix_stream_socket connectto;
#line 95
#line 95
allow shell lpdumpd_prop:property_service set;
#line 95
#line 95
allow shell lpdumpd_prop:file { getattr open read map };
#line 95
#line 95
# Stray ';' from the macro invocation; harmless empty statement.
;
#line 96
# binder_call(shell, lpdumpd) expansion.
# Call the server domain and optionally transfer references to it.
#line 96
allow shell lpdumpd:binder { call transfer };
#line 96
# Allow the serverdomain to transfer references to the client on the reply.
#line 96
allow lpdumpd shell:binder transfer;
#line 96
# Receive and use open files from the server.
#line 96
allow shell lpdumpd:fd use;
#line 96
# Allow shell to set and read value of properties used for CTS tests of
# userspace reboot
#line 100
#line 100
allow shell property_socket:sock_file write;
#line 100
allow shell init:unix_stream_socket connectto;
#line 100
#line 100
allow shell userspace_reboot_test_prop:property_service set;
#line 100
#line 100
allow shell userspace_reboot_test_prop:file { getattr open read map };
#line 100
#line 100
# Allow shell to set this property to disable charging.
#line 103
#line 103
allow shell property_socket:sock_file write;
#line 103
allow shell init:unix_stream_socket connectto;
#line 103
#line 103
allow shell power_debug_prop:property_service set;
#line 103
#line 103
allow shell power_debug_prop:file { getattr open read map };
#line 103
#line 103
# Allow shell to set this property used for rollback tests
#line 106
#line 106
allow shell property_socket:sock_file write;
#line 106
allow shell init:unix_stream_socket connectto;
#line 106
#line 106
allow shell rollback_test_prop:property_service set;
#line 106
#line 106
allow shell rollback_test_prop:file { getattr open read map };
#line 106
#line 106
# Allow shell to set RKP properties for testing purposes
#line 109
#line 109
# NOTE(review): remote_prov_prop sits on the remote key provisioning /
# attestation path. Nothing in this expansion shows a build-variant guard
# around the grant; confirm in the source that shell's ability to set these
# is limited to test-only keys/behaviour or to userdebug/eng builds.
allow shell property_socket:sock_file write;
#line 109
allow shell init:unix_stream_socket connectto;
#line 109
#line 109
allow shell remote_prov_prop:property_service set;
#line 109
#line 109
allow shell remote_prov_prop:file { getattr open read map };
#line 109
#line 109
# Allow shell to get encryption policy of /data/local/tmp/, for CTS
# The two ioctl numbers encode FS_IOC_GET_ENCRYPTION_POLICY (0x400c6615) and
# FS_IOC_GET_ENCRYPTION_POLICY_EX (0xc0096616); both are read-only queries,
# no policy-setting ioctl is permitted.
allowxperm shell shell_data_file:dir ioctl { 0x400c6615 0xc0096616 };
# Allow shell to execute simpleperf without a domain transition.
# simpleperf therefore runs with shell's own permissions here, not those of
# the simpleperf domain that the app_domain() neverallows exempt.
allow shell simpleperf_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 129
# (Source lines 114-128 expanded to nothing in this build - presumably a
# userdebug/eng-only block.)
# Allow shell to run remount command.
allow shell remount_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow shell to call perf_event_open for profiling other shell processes, but
# not the whole system.
# Target is self only, so shell may open perf events on its own processes.
# The `kernel` permission allows events that include kernel-space samples
# (exclude_kernel == 0); the `cpu` permission needed for system-wide /
# per-CPU profiling is deliberately withheld and pinned by the neverallow.
allow shell self:perf_event { open read write kernel };
neverallow shell self:perf_event ~{ open read write kernel };
# Allow shell to read microdroid vendor image
#line 140
allow shell vendor_microdroid_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 140
allow shell vendor_microdroid_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 140
# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
allow shell apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
allow shell vendor_apex_file:file { getattr open read ioctl lock map watch watch_reads };
allow shell vendor_apex_file:dir { open getattr read search ioctl lock watch watch_reads };
allow shell vendor_apex_metadata_file:dir { open getattr read search ioctl lock watch watch_reads };
# Allow shell to read updated APEXes under /data/apex
# search only on the directory (no listing); staged APEX files are readable.
allow shell apex_data_file:dir search;
allow shell staging_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Set properties.
#line 153 #line 153 allow shell property_socket:sock_file write; #line 153 allow shell init:unix_stream_socket connectto; #line 153 #line 153 allow shell shell_prop:property_service set; #line 153 #line 153 allow shell shell_prop:file { getattr open read map }; #line 153 #line 153 #line 154 #line 154 allow shell property_socket:sock_file write; #line 154 allow shell init:unix_stream_socket connectto; #line 154 #line 154 allow shell ctl_bugreport_prop:property_service set; #line 154 #line 154 allow shell ctl_bugreport_prop:file { getattr open read map }; #line 154 #line 154 #line 155 #line 155 allow shell property_socket:sock_file write; #line 155 allow shell init:unix_stream_socket connectto; #line 155 #line 155 allow shell ctl_dumpstate_prop:property_service set; #line 155 #line 155 allow shell ctl_dumpstate_prop:file { getattr open read map }; #line 155 #line 155 #line 156 #line 156 allow shell property_socket:sock_file write; #line 156 allow shell init:unix_stream_socket connectto; #line 156 #line 156 allow shell dumpstate_prop:property_service set; #line 156 #line 156 allow shell dumpstate_prop:file { getattr open read map }; #line 156 #line 156 #line 157 #line 157 allow shell property_socket:sock_file write; #line 157 allow shell init:unix_stream_socket connectto; #line 157 #line 157 allow shell exported_dumpstate_prop:property_service set; #line 157 #line 157 allow shell exported_dumpstate_prop:file { getattr open read map }; #line 157 #line 157 #line 158 #line 158 allow shell property_socket:sock_file write; #line 158 allow shell init:unix_stream_socket connectto; #line 158 #line 158 allow shell debug_prop:property_service set; #line 158 #line 158 allow shell debug_prop:file { getattr open read map }; #line 158 #line 158 #line 159 #line 159 allow shell property_socket:sock_file write; #line 159 allow shell init:unix_stream_socket connectto; #line 159 #line 159 allow shell perf_drop_caches_prop:property_service set; #line 159 #line 159 allow shell 
perf_drop_caches_prop:file { getattr open read map }; #line 159 #line 159 #line 160 #line 160 allow shell property_socket:sock_file write; #line 160 allow shell init:unix_stream_socket connectto; #line 160 #line 160 allow shell powerctl_prop:property_service set; #line 160 #line 160 allow shell powerctl_prop:file { getattr open read map }; #line 160 #line 160 #line 161 #line 161 allow shell property_socket:sock_file write; #line 161 allow shell init:unix_stream_socket connectto; #line 161 #line 161 allow shell log_tag_prop:property_service set; #line 161 #line 161 allow shell log_tag_prop:file { getattr open read map }; #line 161 #line 161 #line 162 #line 162 allow shell property_socket:sock_file write; #line 162 allow shell init:unix_stream_socket connectto; #line 162 #line 162 allow shell wifi_log_prop:property_service set; #line 162 #line 162 allow shell wifi_log_prop:file { getattr open read map }; #line 162 #line 162 # Allow shell to start/stop traced via the persist.traced.enable # property (which also takes care of /data/misc initialization). #line 165 #line 165 allow shell property_socket:sock_file write; #line 165 allow shell init:unix_stream_socket connectto; #line 165 #line 165 allow shell traced_enabled_prop:property_service set; #line 165 #line 165 allow shell traced_enabled_prop:file { getattr open read map }; #line 165 #line 165 # adjust SELinux audit rates #line 167 #line 167 allow shell property_socket:sock_file write; #line 167 allow shell init:unix_stream_socket connectto; #line 167 #line 167 allow shell logd_auditrate_prop:property_service set; #line 167 #line 167 allow shell logd_auditrate_prop:file { getattr open read map }; #line 167 #line 167 # adjust is_loggable properties # logpersist script # Allow shell to start/stop heapprofd via the persist.heapprofd.enable # property. 
#line 174 #line 174 allow shell property_socket:sock_file write; #line 174 allow shell init:unix_stream_socket connectto; #line 174 #line 174 allow shell heapprofd_enabled_prop:property_service set; #line 174 #line 174 allow shell heapprofd_enabled_prop:file { getattr open read map }; #line 174 #line 174 # Allow shell to start/stop traced_perf via the persist.traced_perf.enable # property. #line 177 #line 177 allow shell property_socket:sock_file write; #line 177 allow shell init:unix_stream_socket connectto; #line 177 #line 177 allow shell traced_perf_enabled_prop:property_service set; #line 177 #line 177 allow shell traced_perf_enabled_prop:file { getattr open read map }; #line 177 #line 177 # Allow shell to start/stop gsid via ctl.start|stop|restart gsid. #line 179 #line 179 allow shell property_socket:sock_file write; #line 179 allow shell init:unix_stream_socket connectto; #line 179 #line 179 allow shell ctl_gsid_prop:property_service set; #line 179 #line 179 allow shell ctl_gsid_prop:file { getattr open read map }; #line 179 #line 179 #line 180 #line 180 allow shell property_socket:sock_file write; #line 180 allow shell init:unix_stream_socket connectto; #line 180 #line 180 allow shell ctl_snapuserd_prop:property_service set; #line 180 #line 180 allow shell ctl_snapuserd_prop:file { getattr open read map }; #line 180 #line 180 # Allow shell to enable Dynamic System Update #line 182 #line 182 allow shell property_socket:sock_file write; #line 182 allow shell init:unix_stream_socket connectto; #line 182 #line 182 allow shell dynamic_system_prop:property_service set; #line 182 #line 182 allow shell dynamic_system_prop:file { getattr open read map }; #line 182 #line 182 # Allow shell to mock an OTA using persist.pm.mock-upgrade #line 184 #line 184 allow shell property_socket:sock_file write; #line 184 allow shell init:unix_stream_socket connectto; #line 184 #line 184 allow shell mock_ota_prop:property_service set; #line 184 #line 184 allow shell 
mock_ota_prop:file { getattr open read map }; #line 184 #line 184 # Read device's serial number from system properties #line 187 allow shell serialno_prop:file { getattr open read map }; #line 187 # Allow shell to read the vendor security patch level for CTS #line 190 allow shell vendor_security_patch_level_prop:file { getattr open read map }; #line 190 # Read state of logging-related properties #line 193 allow shell device_logging_prop:file { getattr open read map }; #line 193 # Read state of boot reason properties #line 196 allow shell bootloader_boot_reason_prop:file { getattr open read map }; #line 196 #line 197 allow shell last_boot_reason_prop:file { getattr open read map }; #line 197 #line 198 allow shell system_boot_reason_prop:file { getattr open read map }; #line 198 # Allow shell to execute the remote key provisioning factory tool #line 201 # Call the server domain and optionally transfer references to it. #line 201 allow shell hal_keymint:binder { call transfer }; #line 201 # Allow the serverdomain to transfer references to the client on the reply. #line 201 allow hal_keymint shell:binder transfer; #line 201 # Receive and use open files from the server. #line 201 allow shell hal_keymint:fd use; #line 201 # Allow reading the outcome of perf_event_open LSM support test for CTS. #line 204 allow shell init_perf_lsm_hooks_prop:file { getattr open read map }; #line 204 # Allow shell to read boot image timestamps and fingerprints. #line 207 allow shell build_bootimage_prop:file { getattr open read map }; #line 207 # Allow shell to read odsign verification properties #line 210 allow shell odsign_prop:file { getattr open read map }; #line 210 # Allow shell to read the keystore key contexts files. Used by native tests to test label lookup. allow shell keystore2_key_contexts_file:file { getattr open read ioctl lock map watch watch_reads }; # Allow shell to access the keystore2_key namespace shell_key. Mainly used for native tests. 
allow shell shell_key:keystore2_key { delete rebind use get_info update }; # Allow shell to open and execute memfd files for minijail unit tests. #line 223 # Allow shell to write db.log.detailed, db.log.slow_query_threshold* #line 226 #line 226 allow shell property_socket:sock_file write; #line 226 allow shell init:unix_stream_socket connectto; #line 226 #line 226 allow shell sqlite_log_prop:property_service set; #line 226 #line 226 allow shell sqlite_log_prop:file { getattr open read map }; #line 226 #line 226 # Allow shell to write MTE properties even on user builds. #line 229 #line 229 allow shell property_socket:sock_file write; #line 229 allow shell init:unix_stream_socket connectto; #line 229 #line 229 allow shell arm64_memtag_prop:property_service set; #line 229 #line 229 allow shell arm64_memtag_prop:file { getattr open read map }; #line 229 #line 229 # Allow shell to read the dm-verity props on user builds. #line 232 allow shell verity_status_prop:file { getattr open read map }; #line 232 # Allow shell to read Virtual A/B related properties #line 235 allow shell virtual_ab_prop:file { getattr open read map }; #line 235 # Never allow others to set or get the perf.drop_caches property. neverallow { domain -shell -init } perf_drop_caches_prop:property_service set; neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read; # Allow ReadDefaultFstab() for CTS. #line 242 allow shell { metadata_file gsi_metadata_file_type }:dir search; #line 242 allow shell gsi_public_metadata_file:file { getattr open read ioctl lock map watch watch_reads }; #line 242 allow shell { proc_bootconfig proc_cmdline }:file { getattr open read ioctl lock map watch watch_reads }; #line 242 # Allow shell read access to /apex/apex-info-list.xml for CTS. allow shell apex_info_file:file { getattr open read ioctl lock map watch watch_reads }; # Let the shell user call virtualizationservice (and # virtualizationservice call back to shell) for debugging. 
#line 249 # Transition to virtualizationmanager when the client executes it. #line 249 #line 249 # Allow the necessary permissions. #line 249 #line 249 # Old domain may exec the file and transition to the new domain. #line 249 allow shell virtualizationmanager_exec:file { getattr open read execute map }; #line 249 allow shell virtualizationmanager:process transition; #line 249 # New domain is entered by executing the file. #line 249 allow virtualizationmanager virtualizationmanager_exec:file { entrypoint open read execute getattr map }; #line 249 # New domain can send SIGCHLD to its caller. #line 249 allow virtualizationmanager shell:process sigchld; #line 249 # Enable AT_SECURE, i.e. libc secure mode. #line 249 dontaudit shell virtualizationmanager:process noatsecure; #line 249 # XXX dontaudit candidate but requires further study. #line 249 allow shell virtualizationmanager:process { siginh rlimitinh }; #line 249 #line 249 # Make the transition occur by default. #line 249 type_transition shell virtualizationmanager_exec:process virtualizationmanager; #line 249 #line 249 # Allow virtualizationmanager to communicate over UDS with the client. #line 249 allow { virtualizationmanager crosvm } shell:unix_stream_socket { ioctl getattr read write }; #line 249 # Let the client pass file descriptors to virtualizationmanager and on to crosvm. #line 249 allow { virtualizationmanager crosvm } shell:fd use; #line 249 # Let the client use file descriptors created by virtualizationmanager. #line 249 allow shell virtualizationmanager:fd use; #line 249 # Allow piping console log to the client #line 249 allow { virtualizationmanager crosvm } shell:fifo_file { ioctl getattr read write }; #line 249 # Allow client to read/write vsock created by virtualizationmanager to communicate with the VM #line 249 # that it created. Notice that we do not grant permission to create a vsock; #line 249 # the client can only connect to VMs that it owns. 
#line 249 allow shell virtualizationmanager:vsock_socket { getattr getopt read write }; #line 249 # Allow client to inspect hypervisor capabilities #line 249 #line 249 allow shell hypervisor_prop:file { getattr open read map }; #line 249 #line 249 # Allow client to read (but not open) the crashdump provided by virtualizationmanager #line 249 allow shell virtualizationservice_data_file:file { getattr read }; #line 249 # Allow shell to set persist.wm.debug properties # Allow shell to write GWP-ASan properties even on user builds. #line 255 #line 255 allow shell property_socket:sock_file write; #line 255 allow shell init:unix_stream_socket connectto; #line 255 #line 255 allow shell gwp_asan_prop:property_service set; #line 255 #line 255 allow shell gwp_asan_prop:file { getattr open read map }; #line 255 #line 255 # Allow shell to set persist.sysui.notification.builder_extras_override property # Allow shell to set persist.sysui.notification.ranking_update_ashmem property # Allow shell to read the build properties for attestation feature #line 263 allow shell build_attestation_prop:file { getattr open read map }; #line 263 # Allow shell to execute oatdump. allow shell oatdump_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } }; #line 1 "system/sepolicy/private/simpleperf.te" # Domain used when running /system/bin/simpleperf to profile a specific app. # Entered either by the app itself exec-ing the binary, or through # simpleperf_app_runner (with shell as its origin). Certain other domains # (runas_app, shell) can also exec this binary without a domain transition. typeattribute simpleperf coredomain; type simpleperf_exec, system_file_type, exec_type, file_type; # Define apps that can be marked debuggable/profileable and be profiled by simpleperf. #line 15 #line 17 # Allow the necessary permissions. #line 17 #line 17 # Old domain may exec the file and transition to the new domain. 
# Profileable app domains -> simpleperf (domain_auto_trans expansion). runas_app
# is removed from the source set: it execs simpleperf_exec without a transition.
allow { {
    ephemeral_app
    isolated_app
    platform_app
    priv_app
    untrusted_app_all
} -runas_app } simpleperf_exec:file { getattr open read execute map };
allow { {
    ephemeral_app isolated_app platform_app priv_app untrusted_app_all
} -runas_app } simpleperf:process transition;
allow simpleperf simpleperf_exec:file { entrypoint open read execute getattr map };
allow simpleperf { {
    ephemeral_app isolated_app platform_app priv_app untrusted_app_all
} -runas_app }:process sigchld;
# The child runs with AT_SECURE (libc secure mode); silence the noatsecure denial.
dontaudit { {
    ephemeral_app isolated_app platform_app priv_app untrusted_app_all
} -runas_app } simpleperf:process noatsecure;
# Signal-state and rlimit inheritance (the macro marks this a dontaudit candidate).
allow { {
    ephemeral_app isolated_app platform_app priv_app untrusted_app_all
} -runas_app } simpleperf:process { siginh rlimitinh };
type_transition { {
    ephemeral_app isolated_app platform_app priv_app untrusted_app_all
} -runas_app } simpleperf_exec:process simpleperf;

# app_domain(simpleperf): simpleperf is treated as an app so it sees the same
# system libraries and tmpfs labels as the app it profiles.
typeattribute simpleperf appdomain;
type_transition simpleperf tmpfs:file appdomain_tmpfs;
allow simpleperf appdomain_tmpfs:file { execute getattr map read write };
# Private label for simpleperf's userfaultfd anon inodes: only simpleperf may
# touch them (neverallow); su's bugreport probing is silenced.
type simpleperf_userfaultfd;
type_transition simpleperf simpleperf:anon_inode simpleperf_userfaultfd "[userfaultfd]";
allow simpleperf simpleperf_userfaultfd:anon_inode { create ioctl read };
dontaudit su simpleperf_userfaultfd:anon_inode *;
neverallow { domain -simpleperf } simpleperf_userfaultfd:anon_inode *;
# app_domain's isolation neverallows, instantiated for simpleperf. After
# expansion the first one has an EMPTY source set (simpleperf minus simpleperf)
# and so enforces nothing; the second says other app domains, except runas_app
# and shell, may not read or write simpleperf's files. Meaning kept verbatim.
neverallow { simpleperf -runas_app -shell -simpleperf } { domain -simpleperf }:file
    { append create link unlink relabelfrom rename setattr write open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow { appdomain -runas_app -shell -simpleperf } simpleperf:file
    { append create link unlink relabelfrom rename setattr write open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Ptrace bypasses app confidentiality: only crash_dump (stack traces) and
# runas_app (debuggable apps only) may ptrace simpleperf. The macro's comment
# also names llkd, but llkd is not excluded in the expanded rule.
neverallow { domain -simpleperf -crash_dump -runas_app } simpleperf:process ptrace;
# untrusted_app_domain(simpleperf)
typeattribute simpleperf untrusted_app_all;

# Profiling the target app: ptrace attach to read JIT debug info
# (process_vm_readv) during unwinding and symbolization. The rule covers every
# profileable app type, so restricting profiling to ONE app is done by the
# binary and by simpleperf_app_runner, not by this rule.
allow simpleperf {
    ephemeral_app isolated_app platform_app priv_app untrusted_app_all
}:process ptrace;
# perf_event_open on the target app; 'kernel' permits kernel-space samples.
allow simpleperf self:perf_event { open read write kernel };
# /proc/<pid> of the target app, e.g. to find it by cmdline.
allow simpleperf {
    ephemeral_app isolated_app platform_app priv_app untrusted_app_all
}:dir { open getattr read search ioctl lock watch watch_reads };
allow simpleperf {
    ephemeral_app isolated_app platform_app priv_app untrusted_app_all
}:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
# The profiled app controls its profiler with signals.
allow {
    ephemeral_app isolated_app platform_app priv_app untrusted_app_all
} simpleperf:process signal;
# Silence the logspam from scanning /proc/*/cmdline across domains simpleperf
# is not allowed to see.
dontaudit simpleperf domain:dir search;

# Neverallows: profiling must stay confined to an individual app.
neverallow simpleperf self:perf_event ~{ open read write kernel };

# ---- system/sepolicy/private/simpleperf_app_runner.te ----
# Helper shell uses to profile an app: it looks the app up, switches to the
# app's UID/GID and security context, and then runs simpleperf as that app.
typeattribute simpleperf_app_runner coredomain;

# shell -> simpleperf_app_runner (domain_auto_trans expansion).
allow shell simpleperf_app_runner_exec:file { getattr open read execute map };
allow shell simpleperf_app_runner:process transition;
allow simpleperf_app_runner simpleperf_app_runner_exec:file { entrypoint open read execute getattr map };
allow simpleperf_app_runner shell:process sigchld;
dontaudit shell simpleperf_app_runner:process noatsecure;
allow shell simpleperf_app_runner:process { siginh rlimitinh };
type_transition shell simpleperf_app_runner_exec:process simpleperf_app_runner;

# Runs inside an adb shell: inherited fds and the pty.
allow simpleperf_app_runner { adbd shell }:fd use;
allow simpleperf_app_runner devpts:chr_file { read write ioctl };

# Package lookup: packages.list and the app's data dir (possibly via a symlink).
allow simpleperf_app_runner { system_data_file packages_list_file }:file { getattr open read ioctl lock map watch watch_reads };
allow simpleperf_app_runner system_data_file:lnk_file { getattr read };

# Switch to the app's UID/GID ...
allow simpleperf_app_runner self:{ capability cap_userns } { setuid setgid };
# ... and to the app's security context with setcon(3). dyntransition relabels
# the RUNNING process without an exec, so nothing in the process image is
# replaced; the UID/GID drop has to happen in the binary before setcon, which
# policy cannot enforce. The neverallows at the bottom keep this domain to
# exactly CAP_SETUID/CAP_SETGID.
allow simpleperf_app_runner selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
allow simpleperf_app_runner selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
allow simpleperf_app_runner selinuxfs:file { open append write lock map };
allow simpleperf_app_runner kernel:security check_context;   # validate the target context
allow simpleperf_app_runner self:process setcurrent;
allow simpleperf_app_runner {
    ephemeral_app isolated_app platform_app priv_app untrusted_app_all
}:process dyntransition;
# libselinux reads seapp_contexts to choose the target domain.
allow simpleperf_app_runner seapp_contexts_file:file { getattr open read ioctl lock map watch watch_reads };

# Pipes from shell (the app type, debuggable or profileable, is written back)
# and shell data fds passed in: no 'open' on shell_data_file, only getattr/write.
allow simpleperf_app_runner shell:fifo_file { read write };
allow simpleperf_app_runner shell_data_file:dir { getattr search };
allow simpleperf_app_runner shell_data_file:file { getattr write };

###
### neverallow rules
###
# No capability beyond CAP_SETUID/CAP_SETGID, in either capability class and in
# user namespaces as well.
neverallow simpleperf_app_runner self:{ capability cap_userns } ~{ setuid setgid };
neverallow simpleperf_app_runner self:{ capability2 cap2_userns } *;

# ---- system/sepolicy/private/simpleperf_boot.te ----
# Domain for /system/bin/simpleperf recording boot-time profiles; started by
# init and only available on userdebug/eng builds.
type simpleperf_boot, domain, coredomain, mlstrustedsubject;
type simpleperf_boot_data_file, file_type; #line 59 #line 1 "system/sepolicy/private/slideshow.te" typeattribute slideshow coredomain; #line 1 "system/sepolicy/private/snapshotctl.te" type snapshotctl, domain, coredomain; type snapshotctl_exec, system_file_type, exec_type, file_type; # Allow init to run snapshotctl and do auto domain transfer. #line 5 #line 5 # Allow the necessary permissions. #line 5 #line 5 # Old domain may exec the file and transition to the new domain. #line 5 allow init snapshotctl_exec:file { getattr open read execute map }; #line 5 allow init snapshotctl:process transition; #line 5 # New domain is entered by executing the file. #line 5 allow snapshotctl snapshotctl_exec:file { entrypoint open read execute getattr map }; #line 5 # New domain can send SIGCHLD to its caller. #line 5 #line 5 # Enable AT_SECURE, i.e. libc secure mode. #line 5 dontaudit init snapshotctl:process noatsecure; #line 5 # XXX dontaudit candidate but requires further study. #line 5 allow init snapshotctl:process { siginh rlimitinh }; #line 5 #line 5 # Make the transition occur by default. #line 5 type_transition init snapshotctl_exec:process snapshotctl; #line 5 #line 5 ; # Allow to start gsid service. #line 8 #line 8 allow snapshotctl property_socket:sock_file write; #line 8 allow snapshotctl init:unix_stream_socket connectto; #line 8 #line 8 allow snapshotctl ctl_gsid_prop:property_service set; #line 8 #line 8 allow snapshotctl ctl_gsid_prop:file { getattr open read map }; #line 8 #line 8 # Allow to talk to gsid. #line 11 # Call the servicemanager and transfer references to it. #line 11 allow snapshotctl servicemanager:binder { call transfer }; #line 11 # Allow servicemanager to send out callbacks #line 11 allow servicemanager snapshotctl:binder { call transfer }; #line 11 # servicemanager performs getpidcon on clients. 
#line 11 allow servicemanager snapshotctl:dir search; #line 11 allow servicemanager snapshotctl:file { read open }; #line 11 allow servicemanager snapshotctl:process getattr; #line 11 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 11 # all domains in domain.te. #line 11 allow snapshotctl gsi_service:service_manager find; #line 13 # Call the server domain and optionally transfer references to it. #line 13 allow snapshotctl gsid:binder { call transfer }; #line 13 # Allow the serverdomain to transfer references to the client on the reply. #line 13 allow gsid snapshotctl:binder transfer; #line 13 # Receive and use open files from the server. #line 13 allow snapshotctl gsid:fd use; #line 13 # Allow to create/read/write/delete OTA metadata files for snapshot status and COW file status. allow snapshotctl metadata_file:dir search; allow snapshotctl ota_metadata_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; allow snapshotctl ota_metadata_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Allow to get A/B slot suffix from device tree or kernel cmdline. #line 21 allow snapshotctl sysfs_dt_firmware_android:dir { open getattr read search ioctl lock watch watch_reads }; #line 21 allow snapshotctl sysfs_dt_firmware_android:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 21 ; allow snapshotctl proc_cmdline:file { getattr open read ioctl lock map watch watch_reads }; # Needed to (re-)map logical partitions. allow snapshotctl block_device:dir { open getattr read search ioctl lock watch watch_reads }; allow snapshotctl super_block_device:blk_file { getattr open read ioctl lock map watch watch_reads }; # Interact with device-mapper to collapse snapshots. 
allow snapshotctl dm_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # Needed to mutate device-mapper nodes. allow snapshotctl self:{ capability cap_userns } sys_admin; # Snapshotctl talk to boot control HAL to set merge status. #line 35 # Call the hwservicemanager and transfer references to it. #line 35 allow snapshotctl hwservicemanager:binder { call transfer }; #line 35 # Allow hwservicemanager to send out callbacks #line 35 allow hwservicemanager snapshotctl:binder { call transfer }; #line 35 # hwservicemanager performs getpidcon on clients. #line 35 allow hwservicemanager snapshotctl:dir search; #line 35 allow hwservicemanager snapshotctl:file { read open map }; #line 35 allow hwservicemanager snapshotctl:process getattr; #line 35 # rw access to /dev/hwbinder and /dev/ashmem is presently granted to #line 35 # all domains in domain.te. #line 35 #line 36 typeattribute snapshotctl halclientdomain; #line 36 typeattribute snapshotctl hal_bootctl_client; #line 36 #line 36 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 36 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 36 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 36 #line 36 typeattribute snapshotctl hal_bootctl; #line 36 # Find passthrough HAL implementations #line 36 allow hal_bootctl system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 36 allow hal_bootctl vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 36 allow hal_bootctl vendor_file:file { read open getattr execute map }; #line 36 #line 36 # Allow snapshotctl to write to statsd socket. 
# NOTE(review): this chunk is m4-expanded policy.conf text that had been
# collapsed onto a few physical lines; it is restored here to one statement
# per line. "#line N" lines are m4 synclines that point back at the .te source
# line; they grant or deny nothing. Comments inside expanded macro bodies are
# the macro's own text.
#
# --- tail of system/sepolicy/private/snapshotctl.te (its beginning is above
# --- this chunk) ---
#line 39
allow snapshotctl statsdw_socket:sock_file write;
#line 39
allow snapshotctl statsd:unix_dgram_socket sendto;
#line 39
# Logging
#line 45
# (snapshotctl.te lines 40-45 contributed no rules to this expansion -
# presumably a build-variant conditional; cannot tell from here.)
#line 1 "system/sepolicy/private/snapuserd.te"
# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
type snapuserd, domain;
type snapuserd_exec, exec_type, file_type, system_file_type;
typeattribute snapuserd coredomain;
# Expansion of snapuserd.te line 7: the init-launched daemon transition.
# init may exec snapuserd_exec and, by the type_transition at the end of the
# group, lands in the snapuserd domain by default. No sigchld rule is emitted
# when the caller is init (compare the shell -> stats transition further down,
# which does get one).
#line 7
#line 7
# Allow the necessary permissions.
#line 7
#line 7
# Old domain may exec the file and transition to the new domain.
#line 7
allow init snapuserd_exec:file { getattr open read execute map };
#line 7
allow init snapuserd:process transition;
#line 7
# New domain is entered by executing the file.
#line 7
allow snapuserd snapuserd_exec:file { entrypoint open read execute getattr map };
#line 7
# New domain can send SIGCHLD to its caller.
#line 7
#line 7
# Enable AT_SECURE, i.e. libc secure mode.
#line 7
dontaudit init snapuserd:process noatsecure;
#line 7
# XXX dontaudit candidate but requires further study.
#line 7
allow init snapuserd:process { siginh rlimitinh };
#line 7
#line 7
# Make the transition occur by default.
#line 7
type_transition init snapuserd_exec:process snapuserd;
#line 7
#line 7
# Read/write the kmsg character device (kernel log).
allow snapuserd kmsg_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow snapuserd to reach block devices in /dev/block.
# (Already covered by the wider block_device:dir rule below; redundant but
# harmless.)
allow snapuserd block_device:dir search;
# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
allow snapuserd sysfs:dir { open read };
# Read /sys/block/dm-X/dm/name (which is a symlink to
# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
# dm-X and dynamic partitions.
allow snapuserd sysfs_dm:dir { open read search };
allow snapuserd sysfs_dm:file { getattr open read ioctl lock map watch watch_reads };
# Reading and writing to /dev/block/dm-* (device-mapper) nodes.
allow snapuserd block_device:dir { open getattr read search ioctl lock watch watch_reads };
allow snapuserd dm_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow snapuserd dm_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Reading and writing to dm-user control nodes.
allow snapuserd dm_user_device:dir { open getattr read search ioctl lock watch watch_reads };
allow snapuserd dm_user_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Reading and writing to /dev/socket/snapuserd and snapuserd_proxy.
# Server side only on snapuserd_socket (accept/listen, no connectto); the
# proxy socket file gets write only.
allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
allow snapuserd snapuserd_proxy_socket:sock_file write;
# Required for setting GID to system while calling SetTaskProfile() API
# (Together with ipc_lock further down, this is the whole capability set
# granted to snapuserd in this chunk.)
allow snapuserd self:{ capability cap_userns } { setgid };
# This arises due to first-stage init opening /dev/null without F_CLOEXEC
# (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
# again, the descriptor leaks into the new process.
allow snapuserd kernel:fd use;
# snapuserd.* properties
# Expansion of snapuserd.te line 45: connect to init's property service and
# set snapuserd_prop; line 46 only grants reading virtual_ab_prop.
#line 45
#line 45
allow snapuserd property_socket:sock_file write;
#line 45
allow snapuserd init:unix_stream_socket connectto;
#line 45
#line 45
allow snapuserd snapuserd_prop:property_service set;
#line 45
#line 45
allow snapuserd snapuserd_prop:file { getattr open read map };
#line 45
#line 45
#line 46
allow snapuserd virtual_ab_prop:file { getattr open read map };
#line 46
# For inotify watching for /dev/socket/snapuserd_proxy to appear.
allow snapuserd tmpfs:dir { read watch };
# Forbid anything other than snapuserd and init setting snapuserd properties.
neverallow { domain -snapuserd -init } snapuserd_prop:property_service set;
# Allow to read/write/create OTA metadata files
# (snapshotctl, above, holds the same create/unlink set on ota_metadata_file,
# so both domains can rewrite snapshot/COW status.)
allow snapuserd metadata_file:dir search;
allow snapuserd ota_metadata_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow snapuserd ota_metadata_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# write to /data/misc/snapuserd_log
allow snapuserd snapuserd_log_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow snapuserd snapuserd_log_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Read /proc/stat to determine boot time
allow snapuserd proc_stat:file { getattr open read ioctl lock map watch watch_reads };
# This capability allows snapuserd to circumvent memlock rlimits while using
# io_uring. An Alternative would be to up the memlock rlimit for the snapuserd service.
# NOTE(review): the io_uring expansion right below dontaudits this very
# permission because granting CAP_IPC_LOCK is called undesirable there. With
# this allow in place the dontaudit is moot for the capability class (it still
# covers cap_userns). Worth revisiting against the rlimit alternative the
# comment mentions.
allow snapuserd self:capability ipc_lock;
# Expansion of snapuserd.te line 73: a private io_uring anon_inode type,
# fenced off from every other domain by the neverallow in the group.
#line 73
#line 73
# Set up a type_transition to "io_uring" named anonymous inode object.
#line 73
type snapuserd_iouring;
#line 73
type_transition snapuserd snapuserd:anon_inode snapuserd_iouring "[io_uring]";
#line 73
# Allow domain to create/use io_uring anon_inode.
#line 73
allow snapuserd snapuserd_iouring:anon_inode { create map read write };
#line 73
allow snapuserd self:io_uring sqpoll;
#line 73
# Other domains may not use iouring anon_inodes created by this domain.
#line 73
neverallow { domain -snapuserd } snapuserd_iouring:anon_inode *;
#line 73
# io_uring checks for CAP_IPC_LOCK to determine whether or not to track
#line 73
# memory usage per uid against RLIMIT_MEMLOCK. This can lead folks to
#line 73
# grant CAP_IPC_LOCK to silence avc denials, which is undesirable.
#line 73
dontaudit snapuserd self:{ capability cap_userns } ipc_lock;
#line 73
#line 1 "system/sepolicy/private/stats.te"
type stats, domain;
typeattribute stats coredomain;
type stats_exec, system_file_type, exec_type, file_type;
# switch to stats domain for stats command
# Expansion of stats.te line 6: shell -> stats transition on exec of
# stats_exec. Unlike the init-launched daemons, the new domain may send
# SIGCHLD back to shell.
#line 6
#line 6
# Allow the necessary permissions.
#line 6
#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow shell stats_exec:file { getattr open read execute map };
#line 6
allow shell stats:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow stats stats_exec:file { entrypoint open read execute getattr map };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
allow stats shell:process sigchld;
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit shell stats:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow shell stats:process { siginh rlimitinh };
#line 6
#line 6
# Make the transition occur by default.
#line 6
type_transition shell stats_exec:process stats;
#line 6
# allow stats access to stdout from its parent shell.
allow stats shell:fd use;
# allow stats to communicate use, read and write over the adb
# connection.
allow stats adbd:fd use;
allow stats adbd:unix_stream_socket { read write };
# allow adbd to reap stats
allow stats adbd:process { sigchld };
# Allow the stats command to talk to the statsd over the binder, and get
# back the stats report data from a ParcelFileDescriptor.
# Expansion of stats.te line 21: servicemanager client side (call/transfer in
# both directions; servicemanager may getpidcon the stats process). The group
# continues on the next chunk line.
#line 21
#line 21
# Call the servicemanager and transfer references to it.
#line 21
allow stats servicemanager:binder { call transfer };
#line 21
# Allow servicemanager to send out callbacks
#line 21
allow servicemanager stats:binder { call transfer };
#line 21
# servicemanager performs getpidcon on clients.
# (continuation of the stats.te line-21 servicemanager-client expansion that
# begins on the previous chunk line)
#line 21
allow servicemanager stats:dir search;
#line 21
allow servicemanager stats:file { read open };
#line 21
allow servicemanager stats:process getattr;
#line 21
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 21
# all domains in domain.te.
#line 21
allow stats stats_service:service_manager find;
# Expansion of stats.te line 23: stats is a binder client of statsd.
#line 23
#line 23
# Call the server domain and optionally transfer references to it.
#line 23
allow stats statsd:binder { call transfer };
#line 23
# Allow the serverdomain to transfer references to the client on the reply.
#line 23
allow statsd stats:binder transfer;
#line 23
# Receive and use open files from the server.
#line 23
allow stats statsd:fd use;
#line 23
allow stats statsd:fifo_file write;
# Only statsd can publish the binder service.
# Expansion of stats.te line 27: statsd registers stats_service and the
# neverallow pins that right to statsd alone. The "binder over TCP" text is
# macro comment; no rule for it survives in this expansion.
#line 27
allow statsd stats_service:service_manager { add find };
#line 27
neverallow { domain -statsd } stats_service:service_manager add;
#line 27
#line 27
# On debug builds with root, allow binder services to use binder over TCP.
#line 27
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 27
#line 27
# Allow pipes from (and only from) stats.
# NOTE(review): "only from" is scoped to this file - statsd.te below also
# grants statsd fifo_file read/write with system_server and priv_app, and no
# neverallow on other fifo peers is visible in this chunk.
allow statsd stats:fd use;
allow statsd stats:fifo_file write;
# Allow statsd to call back to stats with status updates.
# Expansion of stats.te line 34: the reverse binder direction (statsd as
# client of stats).
#line 34
#line 34
# Call the server domain and optionally transfer references to it.
#line 34
allow statsd stats:binder { call transfer };
#line 34
# Allow the serverdomain to transfer references to the client on the reply.
#line 34
allow stats statsd:binder transfer;
#line 34
# Receive and use open files from the server.
#line 34
allow statsd stats:fd use;
#line 34
#line 1 "system/sepolicy/private/statsd.te"
# (The statsd and statsd_exec types are not declared in this chunk; they must
# come from a file outside it.)
typeattribute statsd coredomain;
# Expansion of statsd.te line 3: init-launched daemon transition into statsd
# (no sigchld rule, as for the other init-started domains on this page).
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init statsd_exec:file { getattr open read execute map };
#line 3
allow init statsd:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow statsd statsd_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init statsd:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init statsd:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init statsd_exec:process statsd;
#line 3
#line 3
# Allow to exec the perfetto cmdline client and pass it the trace config on
# stdin through a pipe. It allows statsd to capture traces and hand them
# to Android dropbox.
# NOTE(review): execute_no_trans lets statsd run the perfetto binary *in its
# own domain*, bypassing the statsd -> perfetto transition defined by the
# line-9 expansion right below. Perfetto code executed that way runs with
# statsd's permissions; if the transition path is the only one actually used,
# the execute_no_trans grant is wider than needed.
allow statsd perfetto_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Expansion of statsd.te line 9: statsd -> perfetto domain transition on exec
# of perfetto_exec (perfetto may send SIGCHLD back to statsd).
#line 9
#line 9
# Allow the necessary permissions.
#line 9
#line 9
# Old domain may exec the file and transition to the new domain.
#line 9
allow statsd perfetto_exec:file { getattr open read execute map };
#line 9
allow statsd perfetto:process transition;
#line 9
# New domain is entered by executing the file.
#line 9
allow perfetto perfetto_exec:file { entrypoint open read execute getattr map };
#line 9
# New domain can send SIGCHLD to its caller.
#line 9
allow perfetto statsd:process sigchld;
#line 9
# Enable AT_SECURE, i.e. libc secure mode.
#line 9
dontaudit statsd perfetto:process noatsecure;
#line 9
# XXX dontaudit candidate but requires further study.
#line 9
allow statsd perfetto:process { siginh rlimitinh };
#line 9
#line 9
# Make the transition occur by default.
#line 9
type_transition statsd perfetto_exec:process perfetto;
#line 9
# Grant statsd with permissions to register the services.
# (find only - statsd does not add statscompanion_service here.)
allow statsd { statscompanion_service }:service_manager find;
# Allow incidentd to obtain the statsd incident section.
allow statsd incidentd:fifo_file write;
# Allow StatsCompanionService to pipe data to statsd.
allow statsd system_server:fifo_file { read write getattr };
# Allow Statsd to pipe data to privileged apps.
allow statsd priv_app:fifo_file { read write getattr };
# Allow statsd to retrieve SF statistics over binder
# Expansion of statsd.te line 26: statsd as binder client of surfaceflinger.
#line 26
#line 26
# Call the server domain and optionally transfer references to it.
#line 26
allow statsd surfaceflinger:binder { call transfer };
#line 26
# Allow the serverdomain to transfer references to the client on the reply.
#line 26
allow surfaceflinger statsd:binder transfer;
#line 26
# Receive and use open files from the server.
#line 26
allow statsd surfaceflinger:fd use;
#line 26
# (stray ';' - presumably the trailing semicolon of the macro invocation in
# the .te source; reproduced as-is)
;
# Allow statsd to read its system properties
#line 29
allow statsd device_config_statsd_native_prop:file { getattr open read map };
#line 29
#line 30
allow statsd device_config_statsd_native_boot_prop:file { getattr open read map };
#line 30
# Allow statsd to write uprobestats configs.
# Full create/rename/unlink on the config directory and files, i.e. statsd
# controls the configs that (per the comment) uprobestats consumes.
allow statsd uprobestats_configs_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow statsd uprobestats_configs_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow statsd to trigger uprobestats via property.
# Expansion of statsd.te line 37: property-service client plus set on
# uprobestats_start_with_config_prop. No neverallow limiting other setters of
# that property is visible in this chunk.
#line 37
#line 37
allow statsd property_socket:sock_file write;
#line 37
allow statsd init:unix_stream_socket connectto;
#line 37
#line 37
allow statsd uprobestats_start_with_config_prop:property_service set;
#line 37
#line 37
allow statsd uprobestats_start_with_config_prop:file { getattr open read map };
#line 37
#line 37
# (stray ';' again, reproduced as-is)
;
#line 1 "system/sepolicy/private/storaged.te"
# storaged daemon
# mlstrustedsubject marks the domain as trusted for MLS purposes (exempt from
# the MLS constraints); it reads files of many other domains below.
type storaged, domain, coredomain, mlstrustedsubject;
type storaged_exec, system_file_type, exec_type, file_type;
# Expansion of storaged.te line 5: init-launched daemon transition into
# storaged (the group continues on the next chunk line).
#line 5
#line 5
# Allow the necessary permissions.
# (continuation of the storaged.te line-5 init transition expansion that
# begins on the previous chunk line)
#line 5
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init storaged_exec:file { getattr open read execute map };
#line 5
allow init storaged:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow storaged storaged_exec:file { entrypoint open read execute getattr map };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init storaged:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init storaged:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition init storaged_exec:process storaged;
#line 5
#line 5
# Read access to pseudo filesystems
# NOTE(review): the target is the whole `domain` attribute, so storaged can
# read directories, files and symlinks labelled with *any* process domain
# (typically the /proc/<pid>/ trees of every process). Broad for a stats
# daemon; worth confirming each consumer still needs it.
#line 8
allow storaged domain:dir { open getattr read search ioctl lock watch watch_reads };
#line 8
allow storaged domain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 8
# Read /proc/uid_io/stats
allow storaged proc_uid_io_stats:file { getattr open read ioctl lock map watch watch_reads };
# Read /data/system/packages.list
allow storaged system_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow storaged packages_list_file:file { getattr open read ioctl lock map watch watch_reads };
# Store storaged proto file
allow storaged storaged_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow storaged storaged_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# (storaged.te lines 21-27 contributed no rules to this expansion -
# presumably a build-variant conditional; cannot tell from here.)
#line 21
#line 27
# Needed to provide debug dump output via dumpsys pipes.
allow storaged shell:fd use;
allow storaged shell:fifo_file write;
# Needed for GMScore to call dumpsys storaged
allow storaged priv_app:fd use;
# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
# Remove after no logs are seen for this rule.
# (the syncline jump to 39 suggests a source line here expanded to nothing in
# this build; cannot tell what from this chunk)
#line 39
allow storaged gmscore_app:fd use;
# NOTE(review): this is a label-wide `write` on every app-data and
# priv-app-data file, not a grant bound to descriptors received through the
# fd-use rules above. No search/open on app data directories is granted in
# this chunk, so the practical reach is files handed over as open fds, but
# the rule itself does not express that limit.
allow storaged { privapp_data_file app_data_file }:file write;
allow storaged permission_service:service_manager find;
# Binder permissions
# Expansion of storaged.te line 45: storaged publishes storaged_service; the
# neverallow makes it the only domain that may add it. The "binder over TCP"
# text is macro comment; no rule for it survives here.
#line 45
allow storaged storaged_service:service_manager { add find };
#line 45
neverallow { domain -storaged } storaged_service:service_manager add;
#line 45
#line 45
# On debug builds with root, allow binder services to use binder over TCP.
#line 45
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 45
#line 45
# Expansion of storaged.te line 47: servicemanager client side.
#line 47
# Call the servicemanager and transfer references to it.
#line 47
allow storaged servicemanager:binder { call transfer };
#line 47
# Allow servicemanager to send out callbacks
#line 47
allow servicemanager storaged:binder { call transfer };
#line 47
# servicemanager performs getpidcon on clients.
#line 47
allow servicemanager storaged:dir search;
#line 47
allow servicemanager storaged:file { read open };
#line 47
allow servicemanager storaged:process getattr;
#line 47
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 47
# all domains in domain.te.
#line 47
# Expansion of storaged.te line 48: storaged as binder client of
# system_server.
#line 48
# Call the server domain and optionally transfer references to it.
#line 48
allow storaged system_server:binder { call transfer };
#line 48
# Allow the serverdomain to transfer references to the client on the reply.
#line 48
allow system_server storaged:binder transfer;
#line 48
# Receive and use open files from the server.
#line 48
allow storaged system_server:fd use;
#line 48
# Expansion of storaged.te line 50: health HAL client. Because of the
# passthrough fallback described in the TODO, storaged also receives the
# hal_health (server-side) attribute and may execute/map vendor_file
# libraries in-process - on passthrough configurations vendor HAL code then
# runs with storaged's permissions.
#line 50
typeattribute storaged halclientdomain;
#line 50
typeattribute storaged hal_health_client;
#line 50
#line 50
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 50
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 50
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 50
#line 50
typeattribute storaged hal_health;
#line 50
# Find passthrough HAL implementations
#line 50
allow hal_health system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 50
allow hal_health vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 50
allow hal_health vendor_file:file { read open getattr execute map };
#line 50
#line 50
# Implements a dumpsys interface.
allow storaged dumpstate:fd use;
# use a subset of the package manager service
allow storaged package_native_service:service_manager find;
# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
# running as root. See b/35323867 #3.
# (Silences the denial only; the capability neverallow at the end of this
# file guarantees nothing is actually granted.)
dontaudit storaged self:{ capability cap_userns } { dac_override dac_read_search };
# For collecting bugreports.
allow storaged dumpstate:fifo_file write;
###
### neverallow
###
# storaged may never ptrace any process and may never hold any capability.
neverallow storaged domain:process ptrace;
neverallow storaged self:{ capability capability2 cap_userns cap2_userns } *;
# (su.te contributed nothing to this expansion except its syncline -
# consistent with a build variant that drops the su domain; cannot confirm
# from here.)
#line 36 "system/sepolicy/private/su.te"
#line 1 "system/sepolicy/private/surfaceflinger.te"
# surfaceflinger - display compositor service
# (surfaceflinger.te continues past this chunk; the surfaceflinger type itself
# is declared elsewhere.)
typeattribute surfaceflinger coredomain;
type surfaceflinger_exec, system_file_type, exec_type, file_type;
# Expansion of surfaceflinger.te line 6: init-launched daemon transition
# (continues on the next chunk line).
#line 6
#line 6
# Allow the necessary permissions.
#line 6
#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow init surfaceflinger_exec:file { getattr open read execute map };
#line 6
allow init surfaceflinger:process transition;
#line 6
# New domain is entered by executing the file.
#line 6 allow surfaceflinger surfaceflinger_exec:file { entrypoint open read execute getattr map }; #line 6 # New domain can send SIGCHLD to its caller. #line 6 #line 6 # Enable AT_SECURE, i.e. libc secure mode. #line 6 dontaudit init surfaceflinger:process noatsecure; #line 6 # XXX dontaudit candidate but requires further study. #line 6 allow init surfaceflinger:process { siginh rlimitinh }; #line 6 #line 6 # Make the transition occur by default. #line 6 type_transition init surfaceflinger_exec:process surfaceflinger; #line 6 #line 6 #line 7 type_transition surfaceflinger tmpfs:file surfaceflinger_tmpfs; #line 7 allow surfaceflinger surfaceflinger_tmpfs:file { read write getattr map }; #line 7 typeattribute surfaceflinger mlstrustedsubject; typeattribute surfaceflinger display_service_server; #line 12 allow surfaceflinger runtime_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads }; #line 12 # Perform HwBinder IPC. #line 15 typeattribute surfaceflinger halclientdomain; #line 15 typeattribute surfaceflinger hal_graphics_allocator_client; #line 15 #line 15 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 15 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 15 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). 
#line 15 #line 15 typeattribute surfaceflinger hal_graphics_allocator; #line 15 # Find passthrough HAL implementations #line 15 allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 15 allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 15 allow hal_graphics_allocator vendor_file:file { read open getattr execute map }; #line 15 #line 15 #line 16 typeattribute surfaceflinger halclientdomain; #line 16 typeattribute surfaceflinger hal_graphics_composer_client; #line 16 #line 16 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 16 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 16 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 16 #line 16 typeattribute surfaceflinger hal_graphics_composer; #line 16 # Find passthrough HAL implementations #line 16 allow hal_graphics_composer system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 16 allow hal_graphics_composer vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 16 allow hal_graphics_composer vendor_file:file { read open getattr execute map }; #line 16 #line 16 typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs; #line 18 typeattribute surfaceflinger halclientdomain; #line 18 typeattribute surfaceflinger hal_codec2_client; #line 18 #line 18 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 18 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 18 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). 
#line 18 #line 18 typeattribute surfaceflinger hal_codec2; #line 18 # Find passthrough HAL implementations #line 18 allow hal_codec2 system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 18 allow hal_codec2 vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 18 allow hal_codec2 vendor_file:file { read open getattr execute map }; #line 18 #line 18 #line 19 typeattribute surfaceflinger halclientdomain; #line 19 typeattribute surfaceflinger hal_omx_client; #line 19 #line 19 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 19 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 19 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 19 #line 19 typeattribute surfaceflinger hal_omx; #line 19 # Find passthrough HAL implementations #line 19 allow hal_omx system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 19 allow hal_omx vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 19 allow hal_omx vendor_file:file { read open getattr execute map }; #line 19 #line 19 #line 20 typeattribute surfaceflinger halclientdomain; #line 20 typeattribute surfaceflinger hal_configstore_client; #line 20 #line 20 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 20 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 20 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). 
#line 20 #line 20 typeattribute surfaceflinger hal_configstore; #line 20 # Find passthrough HAL implementations #line 20 allow hal_configstore system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 20 allow hal_configstore vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 20 allow hal_configstore vendor_file:file { read open getattr execute map }; #line 20 #line 20 #line 21 typeattribute surfaceflinger halclientdomain; #line 21 typeattribute surfaceflinger hal_power_client; #line 21 #line 21 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 21 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 21 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 21 #line 21 typeattribute surfaceflinger hal_power; #line 21 # Find passthrough HAL implementations #line 21 allow hal_power system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 21 allow hal_power vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 21 allow hal_power vendor_file:file { read open getattr execute map }; #line 21 #line 21 allow surfaceflinger hidl_token_hwservice:hwservice_manager find; # Perform Binder IPC. #line 25 # Call the servicemanager and transfer references to it. #line 25 allow surfaceflinger servicemanager:binder { call transfer }; #line 25 # Allow servicemanager to send out callbacks #line 25 allow servicemanager surfaceflinger:binder { call transfer }; #line 25 # servicemanager performs getpidcon on clients. #line 25 allow servicemanager surfaceflinger:dir search; #line 25 allow servicemanager surfaceflinger:file { read open }; #line 25 allow servicemanager surfaceflinger:process getattr; #line 25 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 25 # all domains in domain.te. #line 25 #line 26 # Call the server domain and optionally transfer references to it. 
#line 26 allow surfaceflinger binderservicedomain:binder { call transfer }; #line 26 # Allow the serverdomain to transfer references to the client on the reply. #line 26 allow binderservicedomain surfaceflinger:binder transfer; #line 26 # Receive and use open files from the server. #line 26 allow surfaceflinger binderservicedomain:fd use; #line 26 #line 27 # Call the server domain and optionally transfer references to it. #line 27 allow surfaceflinger appdomain:binder { call transfer }; #line 27 # Allow the serverdomain to transfer references to the client on the reply. #line 27 allow appdomain surfaceflinger:binder transfer; #line 27 # Receive and use open files from the server. #line 27 allow surfaceflinger appdomain:fd use; #line 27 #line 28 # Call the server domain and optionally transfer references to it. #line 28 allow surfaceflinger bootanim:binder { call transfer }; #line 28 # Allow the serverdomain to transfer references to the client on the reply. #line 28 allow bootanim surfaceflinger:binder transfer; #line 28 # Receive and use open files from the server. #line 28 allow surfaceflinger bootanim:fd use; #line 28 #line 29 # Call the server domain and optionally transfer references to it. #line 29 allow surfaceflinger system_server:binder { call transfer }; #line 29 # Allow the serverdomain to transfer references to the client on the reply. #line 29 allow system_server surfaceflinger:binder transfer; #line 29 # Receive and use open files from the server. #line 29 allow surfaceflinger system_server:fd use; #line 29 ; #line 30 typeattribute surfaceflinger binderservicedomain; #line 30 # Binder IPC to bu, presently runs in adbd domain. #line 33 # Call the server domain and optionally transfer references to it. #line 33 allow surfaceflinger adbd:binder { call transfer }; #line 33 # Allow the serverdomain to transfer references to the client on the reply. #line 33 allow adbd surfaceflinger:binder transfer; #line 33 # Receive and use open files from the server. 
#line 33 allow surfaceflinger adbd:fd use; #line 33 # Read /proc/pid files for Binder clients. #line 36 allow surfaceflinger binderservicedomain:dir { open getattr read search ioctl lock watch watch_reads }; #line 36 allow surfaceflinger binderservicedomain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 36 #line 37 allow surfaceflinger appdomain:dir { open getattr read search ioctl lock watch watch_reads }; #line 37 allow surfaceflinger appdomain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 37 # Access the GPU. allow surfaceflinger gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow surfaceflinger gpu_device:dir { open getattr read search ioctl lock watch watch_reads }; allow surfaceflinger sysfs_gpu:file { getattr open read ioctl lock map watch watch_reads }; # Access /dev/graphics/fb0. allow surfaceflinger graphics_device:dir search; allow surfaceflinger graphics_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # Access /dev/video1. allow surfaceflinger video_device:dir { open getattr read search ioctl lock watch watch_reads }; allow surfaceflinger video_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # Access the secure heap. allow surfaceflinger dmabuf_system_secure_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads }; # Create and use netlink kobject uevent sockets. allow surfaceflinger self:netlink_kobject_uevent_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } }; # Set properties. 
#line 59 #line 59 allow surfaceflinger property_socket:sock_file write; #line 59 allow surfaceflinger init:unix_stream_socket connectto; #line 59 #line 59 allow surfaceflinger system_prop:property_service set; #line 59 #line 59 allow surfaceflinger system_prop:file { getattr open read map }; #line 59 #line 59 #line 60 #line 60 allow surfaceflinger property_socket:sock_file write; #line 60 allow surfaceflinger init:unix_stream_socket connectto; #line 60 #line 60 allow surfaceflinger bootanim_system_prop:property_service set; #line 60 #line 60 allow surfaceflinger bootanim_system_prop:file { getattr open read map }; #line 60 #line 60 #line 61 #line 61 allow surfaceflinger property_socket:sock_file write; #line 61 allow surfaceflinger init:unix_stream_socket connectto; #line 61 #line 61 allow surfaceflinger exported_system_prop:property_service set; #line 61 #line 61 allow surfaceflinger exported_system_prop:file { getattr open read map }; #line 61 #line 61 #line 62 #line 62 allow surfaceflinger property_socket:sock_file write; #line 62 allow surfaceflinger init:unix_stream_socket connectto; #line 62 #line 62 allow surfaceflinger exported3_system_prop:property_service set; #line 62 #line 62 allow surfaceflinger exported3_system_prop:file { getattr open read map }; #line 62 #line 62 #line 63 #line 63 allow surfaceflinger property_socket:sock_file write; #line 63 allow surfaceflinger init:unix_stream_socket connectto; #line 63 #line 63 allow surfaceflinger ctl_bootanim_prop:property_service set; #line 63 #line 63 allow surfaceflinger ctl_bootanim_prop:file { getattr open read map }; #line 63 #line 63 #line 64 #line 64 allow surfaceflinger property_socket:sock_file write; #line 64 allow surfaceflinger init:unix_stream_socket connectto; #line 64 #line 64 allow surfaceflinger locale_prop:property_service set; #line 64 #line 64 allow surfaceflinger locale_prop:file { getattr open read map }; #line 64 #line 64 #line 65 #line 65 allow surfaceflinger property_socket:sock_file 
write; #line 65 allow surfaceflinger init:unix_stream_socket connectto; #line 65 #line 65 allow surfaceflinger surfaceflinger_display_prop:property_service set; #line 65 #line 65 allow surfaceflinger surfaceflinger_display_prop:file { getattr open read map }; #line 65 #line 65 #line 66 #line 66 allow surfaceflinger property_socket:sock_file write; #line 66 allow surfaceflinger init:unix_stream_socket connectto; #line 66 #line 66 allow surfaceflinger timezone_prop:property_service set; #line 66 #line 66 allow surfaceflinger timezone_prop:file { getattr open read map }; #line 66 #line 66 # Get properties. #line 69 allow surfaceflinger qemu_sf_lcd_density_prop:file { getattr open read map }; #line 69 #line 70 allow surfaceflinger device_config_surface_flinger_native_boot_prop:file { getattr open read map }; #line 70 # Use open files supplied by an app. allow surfaceflinger appdomain:fd use; allow surfaceflinger { app_data_file privapp_data_file }:file { read write }; # Allow writing surface traces to /data/misc/wmtrace. #line 80 # Needed to register as a Perfetto producer. #line 83 allow surfaceflinger traced:fd use; #line 83 allow surfaceflinger traced_tmpfs:file { read write getattr map }; #line 83 #line 83 allow surfaceflinger traced_producer_socket:sock_file write; #line 83 allow surfaceflinger traced:unix_stream_socket connectto; #line 83 #line 83 #line 83 # Also allow the service to use the producer file descriptors. This is #line 83 # necessary when the producer is creating the shared memory, as it will be #line 83 # passed to the service as a file descriptor (obtained from memfd_create). #line 83 allow traced surfaceflinger:fd use; #line 83 # Use socket supplied by adbd, for cmd gpu vkjson etc. allow surfaceflinger adbd:unix_stream_socket { read write getattr }; # Allow a dumpstate triggered screenshot #line 89 # Call the server domain and optionally transfer references to it. 
#line 89 allow surfaceflinger dumpstate:binder { call transfer }; #line 89 # Allow the serverdomain to transfer references to the client on the reply. #line 89 allow dumpstate surfaceflinger:binder transfer; #line 89 # Receive and use open files from the server. #line 89 allow surfaceflinger dumpstate:fd use; #line 89 #line 90 # Call the server domain and optionally transfer references to it. #line 90 allow surfaceflinger shell:binder { call transfer }; #line 90 # Allow the serverdomain to transfer references to the client on the reply. #line 90 allow shell surfaceflinger:binder transfer; #line 90 # Receive and use open files from the server. #line 90 allow surfaceflinger shell:fd use; #line 90 #line 91 allow surfaceflinger dumpstate:dir { open getattr read search ioctl lock watch watch_reads }; #line 91 allow surfaceflinger dumpstate:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 91 # media.player service # do not use add_service() as hal_graphics_composer_default may be the # provider as well #add_service(surfaceflinger, surfaceflinger_service) allow surfaceflinger surfaceflinger_service:service_manager { add find }; allow surfaceflinger mediaserver_service:service_manager find; allow surfaceflinger permission_service:service_manager find; allow surfaceflinger power_service:service_manager find; allow surfaceflinger vr_manager_service:service_manager find; allow surfaceflinger window_service:service_manager find; allow surfaceflinger inputflinger_service:service_manager find; # allow self to set SCHED_FIFO allow surfaceflinger self:{ capability cap_userns } sys_nice; allow surfaceflinger proc_meminfo:file { getattr open read ioctl lock map watch watch_reads }; #line 111 allow surfaceflinger cgroup:dir { open getattr read search ioctl lock watch watch_reads }; #line 111 allow surfaceflinger cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 111 #line 112 allow surfaceflinger cgroup_v2:dir { open 
getattr read search ioctl lock watch watch_reads }; #line 112 allow surfaceflinger cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 112 #line 113 allow surfaceflinger system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 113 allow surfaceflinger system_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 113 allow surfaceflinger tmpfs:dir { open getattr read search ioctl lock watch watch_reads }; allow surfaceflinger system_server:fd use; allow surfaceflinger system_server:unix_stream_socket { read write }; allow surfaceflinger ion_device:chr_file { getattr open read ioctl lock map watch watch_reads }; allow surfaceflinger dmabuf_system_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads }; # pdx IPC #line 121 # Mark the server domain as a PDX server. #line 121 typeattribute surfaceflinger pdx_display_client_server_type; #line 121 # Allow the init process to create the initial endpoint socket. #line 121 allow init pdx_display_client_endpoint_socket_type:unix_stream_socket { create bind }; #line 121 # Allow the server domain to use the endpoint socket and accept connections on it. #line 121 # Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights #line 121 # than we need (e.g. we don"t need "bind" or "connect"). #line 121 allow surfaceflinger pdx_display_client_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept }; #line 121 # Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()). #line 121 allow surfaceflinger self:process setsockcreate; #line 121 # Allow the server domain to create a client channel socket. 
#line 121 allow surfaceflinger pdx_display_client_channel_socket_type:unix_stream_socket { create { { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } listen accept } }; #line 121 # Prevent other processes from claiming to be a server for the same service. #line 121 neverallow {domain -surfaceflinger} pdx_display_client_endpoint_socket_type:unix_stream_socket { listen accept }; #line 121 #line 122 # Mark the server domain as a PDX server. #line 122 typeattribute surfaceflinger pdx_display_manager_server_type; #line 122 # Allow the init process to create the initial endpoint socket. #line 122 allow init pdx_display_manager_endpoint_socket_type:unix_stream_socket { create bind }; #line 122 # Allow the server domain to use the endpoint socket and accept connections on it. #line 122 # Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights #line 122 # than we need (e.g. we don"t need "bind" or "connect"). #line 122 allow surfaceflinger pdx_display_manager_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept }; #line 122 # Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()). #line 122 allow surfaceflinger self:process setsockcreate; #line 122 # Allow the server domain to create a client channel socket. #line 122 allow surfaceflinger pdx_display_manager_channel_socket_type:unix_stream_socket { create { { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } listen accept } }; #line 122 # Prevent other processes from claiming to be a server for the same service. #line 122 neverallow {domain -surfaceflinger} pdx_display_manager_endpoint_socket_type:unix_stream_socket { listen accept }; #line 122 #line 123 # Mark the server domain as a PDX server. 
#line 123 typeattribute surfaceflinger pdx_display_screenshot_server_type; #line 123 # Allow the init process to create the initial endpoint socket. #line 123 allow init pdx_display_screenshot_endpoint_socket_type:unix_stream_socket { create bind }; #line 123 # Allow the server domain to use the endpoint socket and accept connections on it. #line 123 # Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights #line 123 # than we need (e.g. we don"t need "bind" or "connect"). #line 123 allow surfaceflinger pdx_display_screenshot_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept }; #line 123 # Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()). #line 123 allow surfaceflinger self:process setsockcreate; #line 123 # Allow the server domain to create a client channel socket. #line 123 allow surfaceflinger pdx_display_screenshot_channel_socket_type:unix_stream_socket { create { { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } listen accept } }; #line 123 # Prevent other processes from claiming to be a server for the same service. #line 123 neverallow {domain -surfaceflinger} pdx_display_screenshot_endpoint_socket_type:unix_stream_socket { listen accept }; #line 123 #line 124 # Mark the server domain as a PDX server. #line 124 typeattribute surfaceflinger pdx_display_vsync_server_type; #line 124 # Allow the init process to create the initial endpoint socket. #line 124 allow init pdx_display_vsync_endpoint_socket_type:unix_stream_socket { create bind }; #line 124 # Allow the server domain to use the endpoint socket and accept connections on it. #line 124 # Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights #line 124 # than we need (e.g. we don"t need "bind" or "connect"). 
#line 124 allow surfaceflinger pdx_display_vsync_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept }; #line 124 # Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()). #line 124 allow surfaceflinger self:process setsockcreate; #line 124 # Allow the server domain to create a client channel socket. #line 124 allow surfaceflinger pdx_display_vsync_channel_socket_type:unix_stream_socket { create { { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } listen accept } }; #line 124 # Prevent other processes from claiming to be a server for the same service. #line 124 neverallow {domain -surfaceflinger} pdx_display_vsync_endpoint_socket_type:unix_stream_socket { listen accept }; #line 124 #line 126 #line 126 # Allow client to open the service endpoint file. #line 126 allow surfaceflinger pdx_bufferhub_client_endpoint_dir_type:dir { open getattr read search ioctl lock watch watch_reads }; #line 126 allow surfaceflinger pdx_bufferhub_client_endpoint_socket_type:sock_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; #line 126 # Allow the client to connect to endpoint socket. #line 126 allow surfaceflinger pdx_bufferhub_client_endpoint_socket_type:unix_stream_socket { connectto read write shutdown }; #line 126 #line 126 #line 126 # Allow the client to use the PDX channel socket. #line 126 # Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights #line 126 # than we need (e.g. we don"t need "bind" or "connect"). #line 126 allow surfaceflinger pdx_bufferhub_client_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown }; #line 126 # Client needs to use an channel event fd from the server. 
#line 126 allow surfaceflinger pdx_bufferhub_client_server_type:fd use; #line 126 # Servers may receive sync fences, gralloc buffers, etc, from clients. #line 126 # This could be tightened on a per-server basis, but keeping track of service #line 126 # clients is error prone. #line 126 allow pdx_bufferhub_client_server_type surfaceflinger:fd use; #line 126 #line 126 #line 127 #line 127 # Allow client to open the service endpoint file. #line 127 allow surfaceflinger pdx_performance_client_endpoint_dir_type:dir { open getattr read search ioctl lock watch watch_reads }; #line 127 allow surfaceflinger pdx_performance_client_endpoint_socket_type:sock_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; #line 127 # Allow the client to connect to endpoint socket. #line 127 allow surfaceflinger pdx_performance_client_endpoint_socket_type:unix_stream_socket { connectto read write shutdown }; #line 127 #line 127 #line 127 # Allow the client to use the PDX channel socket. #line 127 # Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights #line 127 # than we need (e.g. we don"t need "bind" or "connect"). #line 127 allow surfaceflinger pdx_performance_client_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown }; #line 127 # Client needs to use an channel event fd from the server. #line 127 allow surfaceflinger pdx_performance_client_server_type:fd use; #line 127 # Servers may receive sync fences, gralloc buffers, etc, from clients. #line 127 # This could be tightened on a per-server basis, but keeping track of service #line 127 # clients is error prone. 
#line 127
allow pdx_performance_client_server_type surfaceflinger:fd use;
#line 127
#line 127
# Allow supplying timestats statistics to statsd
allow surfaceflinger stats_service:service_manager find;
allow surfaceflinger statsmanager_service:service_manager find;
# TODO(146461633): remove this once native pullers talk to StatsManagerService
#line 133
# Call the server domain and optionally transfer references to it.
#line 133
allow surfaceflinger statsd:binder { call transfer };
#line 133
# Allow the serverdomain to transfer references to the client on the reply.
#line 133
allow statsd surfaceflinger:binder transfer;
#line 133
# Receive and use open files from the server.
#line 133
allow surfaceflinger statsd:fd use;
#line 133
# NOTE(review): the bare ";" below is present in the expanded output as-is. It
# looks like a stray semicolon after a macro invocation on source line 133;
# confirm the policy compiler tolerates it and drop it at the source if so.
;
# Allow to use files supplied by hal_evs
allow surfaceflinger hal_evs:fd use;
# Allow to use release fence fds supplied by hal_camera
allow surfaceflinger hal_camera:fd use;
# Allow pushing jank event atoms to statsd
# NOTE(review): nothing is expanded under "#line 144" in this output, so the
# source line it marks contributes no rules on this build — confirm expected.
#line 144
# Surfaceflinger should not be reading default vendor-defined properties.
# (dontaudit only suppresses the denial log; it grants nothing.)
dontaudit surfaceflinger vendor_default_prop:file read;
###
### Neverallow rules
###
### surfaceflinger should NEVER do any of this
# Do not allow accessing SDcard files as unsafe ejection could
# cause the kernel to kill the process.
neverallow surfaceflinger { sdcard_type fuse }:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# b/68864350
dontaudit surfaceflinger unlabeled:dir search;
#line 1 "system/sepolicy/private/system_app.te"
###
### Apps that run with the system UID, e.g. com.android.system.ui,
### com.android.settings. These are not as privileged as the system
### server.
###
# This section is preprocessor output: the "#line N" markers name the source
# line of system_app.te that each following statement was expanded from, and a
# run of identical markers is the expansion of one macro on that line.
typeattribute system_app coredomain, mlstrustedsubject;
#line 9
typeattribute system_app appdomain;
#line 9
# Label tmpfs objects for all apps.
#line 9
type_transition system_app tmpfs:file appdomain_tmpfs;
#line 9
#line 9
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 9
type system_app_userfaultfd;
#line 9
type_transition system_app system_app:anon_inode system_app_userfaultfd "[userfaultfd]";
#line 9
# Allow domain to create/use userfaultfd anon_inode.
#line 9
allow system_app system_app_userfaultfd:anon_inode { create ioctl read };
#line 9
# Suppress errors generated during bugreport
#line 9
dontaudit su system_app_userfaultfd:anon_inode *;
#line 9
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 9
neverallow { domain -system_app } system_app_userfaultfd:anon_inode *;
#line 9
#line 9
allow system_app appdomain_tmpfs:file { execute getattr map read write };
#line 9
# Cross-domain file access between system_app and other domains is forbidden
# in both directions, with the named debugging domains as the only exceptions.
neverallow { system_app -runas_app -shell -simpleperf } { domain -system_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 9
neverallow { appdomain -runas_app -shell -simpleperf -system_app } system_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 9
# The Android security model guarantees the confidentiality and integrity
#line 9
# of application data and execution state. Ptrace bypasses those
#line 9
# confidentiality guarantees. Disallow ptrace access from system components to
#line 9
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 9
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 9
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 9
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 9
# live lock conditions.
#line 9
# NOTE(review): the comment above lists llkd as excluded, but the rule as
# expanded here carries no "-llkd"; the rule is the stricter of the two —
# confirm which is intended and align the comment or the macro.
neverallow { domain -system_app -crash_dump -runas_app -simpleperf } system_app:process ptrace;
#line 9
#line 10
typeattribute system_app netdomain;
#line 10
#line 11
typeattribute system_app binderservicedomain;
#line 11
# android.ui and system.ui
allow system_app rootfs:dir getattr;
# Read and write /data/data subdirectory.
allow system_app system_app_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_app system_app_data_file:{ file lnk_file } { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Read and write to /data/misc/user.
allow system_app misc_user_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_app misc_user_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Access to apex files stored on /data (b/136063500)
# Needed so that Settings can access NOTICE files inside apex
# files located in the assets/ directory.
allow system_app apex_data_file:dir search;
allow system_app staging_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Read wallpaper file.
allow system_app wallpaper_file:file { getattr open read ioctl lock map watch watch_reads };
# Read icon file.
allow system_app icon_file:file { getattr open read ioctl lock map watch watch_reads };
# Write to properties
# Each property below is granted as a pair: "set" on its property_service
# class (the write path, which goes through init's property socket — hence the
# repeated property_socket write / init connectto rules) plus read+map of the
# property's backing file.
#line 37
#line 37
allow system_app property_socket:sock_file write;
#line 37
allow system_app init:unix_stream_socket connectto;
#line 37
#line 37
allow system_app adaptive_haptics_prop:property_service set;
#line 37
#line 37
allow system_app adaptive_haptics_prop:file { getattr open read map };
#line 37
#line 37
#line 38
#line 38
allow system_app property_socket:sock_file write;
#line 38
allow system_app init:unix_stream_socket connectto;
#line 38
#line 38
allow system_app arm64_memtag_prop:property_service set;
#line 38
#line 38
allow system_app arm64_memtag_prop:file { getattr open read map };
#line 38
#line 38
#line 39
#line 39
allow system_app property_socket:sock_file write;
#line 39
allow system_app init:unix_stream_socket connectto;
#line 39
#line 39
allow system_app bluetooth_a2dp_offload_prop:property_service set;
#line 39
#line 39
allow system_app bluetooth_a2dp_offload_prop:file { getattr open read map };
#line 39
#line 39
#line 40
#line 40
allow system_app property_socket:sock_file write;
#line 40
allow system_app init:unix_stream_socket connectto;
#line 40
#line 40
allow system_app bluetooth_audio_hal_prop:property_service set;
#line 40
#line 40
allow system_app bluetooth_audio_hal_prop:file { getattr open read map };
#line 40
#line 40
#line 41
#line 41
allow system_app property_socket:sock_file write;
#line 41
allow system_app init:unix_stream_socket connectto;
#line 41
#line 41
allow system_app bluetooth_prop:property_service set;
#line 41
#line 41
allow system_app bluetooth_prop:file { getattr open read map };
#line 41
#line 41
#line 42
#line 42
allow system_app property_socket:sock_file write;
#line 42
allow system_app init:unix_stream_socket connectto;
#line 42
#line 42
allow system_app debug_prop:property_service set;
#line 42
#line 42
allow system_app debug_prop:file { getattr open read map };
#line 42
#line 42
#line 43
#line 43
allow system_app property_socket:sock_file write;
#line 43
allow system_app init:unix_stream_socket connectto;
#line 43
#line 43
allow system_app system_prop:property_service set;
#line 43
#line 43
allow system_app system_prop:file { getattr open read map };
#line 43
#line 43
#line 44
#line 44
allow system_app property_socket:sock_file write;
#line 44
allow system_app init:unix_stream_socket connectto;
#line 44
#line 44
allow system_app exported_bluetooth_prop:property_service set;
#line 44
#line 44
allow system_app exported_bluetooth_prop:file { getattr open read map };
#line 44
#line 44
#line 45
#line 45
allow system_app property_socket:sock_file write;
#line 45
allow system_app init:unix_stream_socket connectto;
#line 45
#line 45
allow system_app exported_system_prop:property_service set;
#line 45
#line 45
allow system_app exported_system_prop:file { getattr open read map };
#line 45
#line 45
#line 46
#line 46
allow system_app property_socket:sock_file write;
#line 46
allow system_app init:unix_stream_socket connectto;
#line 46
#line 46
allow system_app exported3_system_prop:property_service set;
#line 46
#line 46
allow system_app exported3_system_prop:file { getattr open read map };
#line 46
#line 46
#line 47
#line 47
allow system_app property_socket:sock_file write;
#line 47
allow system_app init:unix_stream_socket connectto;
#line 47
#line 47
allow system_app gesture_prop:property_service set;
#line 47
#line 47
allow system_app gesture_prop:file { getattr open read map };
#line 47
#line 47
#line 48
#line 48
allow system_app property_socket:sock_file write;
#line 48
allow system_app init:unix_stream_socket connectto;
#line 48
#line 48
allow system_app locale_prop:property_service set;
#line 48
#line 48
allow system_app locale_prop:file { getattr open read map };
#line 48
#line 48
#line 49
#line 49
allow system_app property_socket:sock_file write;
#line 49
allow system_app init:unix_stream_socket connectto;
#line 49
#line 49
allow system_app logd_prop:property_service set;
#line 49
#line 49
allow system_app logd_prop:file { getattr open read map };
#line 49
#line 49
#line 50
#line 50
allow system_app property_socket:sock_file write;
#line 50
allow system_app init:unix_stream_socket connectto;
#line 50
#line 50
allow system_app net_radio_prop:property_service set;
#line 50
#line 50
allow system_app net_radio_prop:file { getattr open read map };
#line 50
#line 50
#line 51
#line 51
allow system_app property_socket:sock_file write;
#line 51
allow system_app init:unix_stream_socket connectto;
#line 51
#line 51
allow system_app timezone_prop:property_service set;
#line 51
#line 51
allow system_app timezone_prop:file { getattr open read map };
#line 51
#line 51
#line 52
#line 52
allow system_app property_socket:sock_file write;
#line 52
allow system_app init:unix_stream_socket connectto;
#line 52
#line 52
allow system_app usb_control_prop:property_service set;
#line 52
#line 52
allow system_app usb_control_prop:file { getattr open read map };
#line 52
#line 52
#line 53
#line 53
allow system_app property_socket:sock_file write;
#line 53
allow system_app init:unix_stream_socket connectto;
#line 53
#line 53
allow system_app usb_prop:property_service set;
#line 53
#line 53
allow system_app usb_prop:file { getattr open read map };
#line 53
#line 53
#line 54
#line 54
allow system_app property_socket:sock_file write;
#line 54
allow system_app init:unix_stream_socket connectto;
#line 54
#line 54
allow system_app log_tag_prop:property_service set;
#line 54
#line 54
allow system_app log_tag_prop:file { getattr open read map };
#line 54
#line 54
#line 55
#line 55
allow system_app property_socket:sock_file write;
#line 55
allow system_app init:unix_stream_socket connectto;
#line 55
#line 55
allow system_app drm_forcel3_prop:property_service set;
#line 55
#line 55
allow system_app drm_forcel3_prop:file { getattr open read map };
#line 55
#line 55
# These three setters remain allowed above; auditallow makes every use of them
# show up in the audit log so unexpected writers are visible.
auditallow system_app net_radio_prop:property_service set;
auditallow system_app usb_control_prop:property_service set;
auditallow system_app usb_prop:property_service set;
# Allow Settings to enable Dynamic System Update
#line 61
#line 61
allow system_app property_socket:sock_file write;
#line 61
allow system_app init:unix_stream_socket connectto;
#line 61
#line 61
allow system_app dynamic_system_prop:property_service set;
#line 61
#line 61
allow system_app dynamic_system_prop:file { getattr open read map };
#line 61
#line 61
# ctl interface
#line 64
#line 64
allow system_app property_socket:sock_file write;
#line 64
allow system_app init:unix_stream_socket connectto;
#line 64
#line 64
allow system_app ctl_default_prop:property_service set;
#line 64
#line 64
allow system_app ctl_default_prop:file { getattr open read map };
#line 64
#line 64
#line 65
#line 65
allow system_app property_socket:sock_file write;
#line 65
allow system_app init:unix_stream_socket connectto;
#line 65
#line 65
allow system_app ctl_bugreport_prop:property_service set;
#line 65
#line 65
allow system_app ctl_bugreport_prop:file { getattr open read map };
#line 65
#line 65
# Allow developer settings to query gsid status
# (read-only: no property_service "set" is granted for gsid_prop.)
#line 68
allow system_app gsid_prop:file { getattr open read map };
#line 68
# Allow developer settings to check 16k pages boot option status
#line 71
allow system_app enable_16k_pages_prop:file { getattr open read map };
#line 71
# Create /data/anr/traces.txt.
allow system_app anr_data_file:dir { { open getattr read search ioctl lock watch watch_reads } add_name write };
allow system_app anr_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow system apps (like Settings) to interact with statsd
#line 81
# Call the server domain and optionally transfer references to it.
#line 81
allow system_app statsd:binder { call transfer };
#line 81
# Allow the serverdomain to transfer references to the client on the reply.
#line 81
allow statsd system_app:binder transfer;
#line 81
# Receive and use open files from the server.
#line 81
allow system_app statsd:fd use;
#line 81
# Allow system apps to interact with incidentd
#line 84
# Call the server domain and optionally transfer references to it.
#line 84
allow system_app incidentd:binder { call transfer };
#line 84
# Allow the serverdomain to transfer references to the client on the reply.
#line 84
allow incidentd system_app:binder transfer;
#line 84
# Receive and use open files from the server.
#line 84
allow system_app incidentd:fd use;
#line 84
# Allow system apps (Settings) to call into update_engine
# in order to apply update to switch from 4k kernel to 16K and vice-versa
#line 88
# Call the servicemanager and transfer references to it.
#line 88
allow system_app servicemanager:binder { call transfer };
#line 88
# Allow servicemanager to send out callbacks
#line 88
allow servicemanager system_app:binder { call transfer };
#line 88
# servicemanager performs getpidcon on clients.
#line 88
allow servicemanager system_app:dir search;
#line 88
allow servicemanager system_app:file { read open };
#line 88
allow servicemanager system_app:process getattr;
#line 88
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 88
# all domains in domain.te.
#line 88
allow system_app update_engine_stable_service:service_manager find;
#line 90
# Call the server domain and optionally transfer references to it.
#line 90
allow system_app update_engine:binder { call transfer };
#line 90
# Allow the serverdomain to transfer references to the client on the reply.
#line 90
allow update_engine system_app:binder transfer;
#line 90
# Receive and use open files from the server.
#line 90
allow system_app update_engine:fd use;
#line 90
# Allow system app to interact with Dumpstate HAL
#line 93
typeattribute system_app halclientdomain;
#line 93
typeattribute system_app hal_dumpstate_client;
#line 93
#line 93
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 93
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 93
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 93
#line 93
# As expanded here, system_app also carries the hal_dumpstate attribute, so the
# vendor_file read/execute/map grants that follow apply to system_app itself.
typeattribute system_app hal_dumpstate;
#line 93
# Find passthrough HAL implementations
#line 93
allow hal_dumpstate system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 93
allow hal_dumpstate vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 93
allow hal_dumpstate vendor_file:file { read open getattr execute map };
#line 93
#line 93
allow system_app servicemanager:service_manager list;
# TODO: scope this down? Too broad?
# NOTE(review): this is an allow-everything-except rule: any type carrying the
# service_manager_type attribute is findable by system_app unless it is
# subtracted here, so a newly added service is discoverable by default until
# someone adds it to this exclusion list.
allow system_app { service_manager_type -apex_service -dnsresolver_service -dumpstate_service -installd_service -lpdump_service -mdns_service -netd_service -system_suspend_control_internal_service -system_suspend_control_service -tracingproxy_service -virtual_touchpad_service -vold_service -default_android_service }:service_manager find;
# suppress denials for services system_app should not be accessing.
dontaudit system_app { dnsresolver_service dumpstate_service installd_service mdns_service netd_service virtual_touchpad_service vold_service }:service_manager find;
# suppress denials caused by debugfs_tracing
dontaudit system_app debugfs_tracing:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Ignore access to memory properties for Settings.
dontaudit system_app proc_pagetypeinfo:file { getattr open read ioctl lock map watch watch_reads };
dontaudit system_app sysfs_zram:dir search;
# Note this set includes "grant" (system_app may grant its keys to another
# caller); the Wi-Fi key rule below omits it.
allow system_app keystore:keystore2_key { delete get_info grant rebind update use };
# Allow Settings to manage WI-FI keys.
allow system_app wifi_key:keystore2_key { delete get_info rebind update use };
# settings app reads /proc/version
allow system_app { proc_version }:file { getattr open read ioctl lock map watch watch_reads };
# Settings app writes to /dev/stune/foreground/tasks.
allow system_app cgroup:file { open append write lock map };
allow system_app cgroup_v2:file { open append write lock map };
allow system_app cgroup_v2:dir { open search write add_name remove_name lock };
#line 159
# Group AID_LOG checked by filesystem & logd
#line 159
# to permit control commands
#line 159
#line 159
allow system_app logd_socket:sock_file write;
#line 159
allow system_app logd:unix_stream_socket connectto;
#line 159
#line 159
#line 160
allow system_app runtime_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads };
#line 160
#line 161
allow system_app device_logging_prop:file { getattr open read map };
#line 161
# allow system apps to use UDP sockets provided by the system server but not
# modify them other than to connect
# NOTE(review): the permission set below also includes setopt, which is more
# than "connect only"; confirm that socket-option changes are intended here.
allow system_app system_server:udp_socket { connect getattr read recvfrom sendto write getopt setopt };
# allow system apps to read game manager related sysprops
#line 169
allow system_app game_manager_config_prop:file { getattr open read map };
#line 169
# Settings app reads ro.oem_unlock_supported
#line 172
allow system_app oem_unlock_prop:file { getattr open read map };
#line 172
# Settings app reads ro.usb.uvc.enabled
#line 175
allow system_app usb_uvc_enabled_prop:file { getattr open read map };
#line 175
# Settings and Launcher apps read pm.archiving.enabled
#line 178
allow system_app pm_archiving_enabled_prop:file { getattr open read map };
#line 178
###
### Neverallow rules
###
# app domains which access /dev/fuse should not run as system_app
neverallow system_app fuse_device:chr_file *;
# Apps which run as UID=system should not rely on any attacker controlled
# filesystem locations, such as /data/local/tmp. For /data/local/tmp, we
# allow writes to files passed by file descriptor to support dumpstate and
# bug reports, but not reads.
neverallow system_app shell_data_file:dir { { add_name create link relabelfrom remove_name rename reparent rmdir setattr write } open search read };
neverallow system_app shell_data_file:file { open read ioctl lock };
# system_app should be the only domain writing the adaptive haptics prop
neverallow { domain -init -system_app } adaptive_haptics_prop:property_service set;
# system_app should be the only domain writing the force l3 prop
neverallow { domain -init -system_app } drm_forcel3_prop:property_service set;
#line 1 "system/sepolicy/private/system_server.te"
#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
typeattribute system_server coredomain;
typeattribute system_server mlstrustedsubject;
typeattribute system_server remote_provisioning_service_server;
typeattribute system_server scheduler_service_server;
typeattribute system_server sensor_service_server;
typeattribute system_server stats_service_server;
typeattribute system_server bpfdomain;
# Define a type for tmpfs-backed ashmem regions.
#line 15
type_transition system_server tmpfs:file system_server_tmpfs;
#line 15
allow system_server system_server_tmpfs:file { read write getattr map };
#line 15
#line 17
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 17
type system_server_userfaultfd;
#line 17
type_transition system_server system_server:anon_inode system_server_userfaultfd "[userfaultfd]";
#line 17
# Allow domain to create/use userfaultfd anon_inode.
#line 17 allow system_server system_server_userfaultfd:anon_inode { create ioctl read }; #line 17 # Suppress errors generated during bugreport #line 17 dontaudit su system_server_userfaultfd:anon_inode *; #line 17 # Other domains may not use userfaultfd anon_inodes created by this domain. #line 17 neverallow { domain -system_server } system_server_userfaultfd:anon_inode *; #line 17 # Create a socket for connections from crash_dump. type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket"; # Create a socket for connections from zygotes. type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket"; allow system_server zygote_tmpfs:file { map read }; allow system_server appdomain_tmpfs:file { getattr map read write }; # For Incremental Service to check if incfs is available allow system_server proc_filesystems:file { getattr open read ioctl lock map watch watch_reads }; # To create files, get permission to fill blocks, and configure Incremental File System # (the ioctl command set is restricted by the allowxperm rule that follows) allow system_server incremental_control_file:file { ioctl { getattr open read ioctl lock map watch watch_reads } }; allowxperm system_server incremental_control_file:file ioctl { 0x0000671e 0x00006723 0x00006721 0x00006725 0x00006726 0x00006727 }; # To get signature of an APK installed on Incremental File System, and fill in data # blocks and get the filesystem state allowxperm system_server apk_data_file:file ioctl { 0x0000671f 0x00006720 0x00006722 0x00006724 0xf50c 0xf511 0xf518 0xf517 0xf512 0xf513 0x40086602 0x80086601 }; allowxperm system_server apk_tmp_file:file ioctl { 0xf512 0x80086601 }; # For Incremental Service to check incfs metrics allow system_server sysfs_fs_incfs_metrics:file { getattr open read ioctl lock map watch watch_reads }; # For f2fs-compression support allow system_server sysfs_fs_f2fs:dir { open getattr read search ioctl lock watch watch_reads }; allow system_server sysfs_fs_f2fs:file { getattr open read ioctl 
lock map watch watch_reads }; # For SdkSandboxManagerService allow system_server sdk_sandbox_system_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; # For art. allow system_server { apex_art_data_file dalvikcache_data_file }:dir { open getattr read search ioctl lock watch watch_reads }; allow system_server { apex_art_data_file dalvikcache_data_file }:file { getattr open read ioctl lock map watch watch_reads }; # Ignore the denial on `system@framework@com.android.location.provider.jar@classes.odex`. # `com.android.location.provider.jar` happens to be both a jar on system server classpath and a # shared library used by a system server app. The odex file is loaded fine by Zygote when it forks # system_server. It fails to be loaded when the jar is used as a shared library, which is expected. dontaudit system_server apex_art_data_file:file execute; # For release odex/vdex compress blocks allowxperm system_server dalvikcache_data_file:file ioctl { 0xf512 0x80086601 }; # When running system server under --invoke-with, we'll try to load the boot image under the # system server domain, following links to the system partition. # /data/resource-cache allow system_server resourcecache_data_file:file { getattr open read ioctl lock map watch watch_reads }; allow system_server resourcecache_data_file:dir { open getattr read search ioctl lock watch watch_reads }; # ptrace to processes in the same domain for debugging crashes. allow system_server self:process ptrace; # Child of the zygote. allow system_server zygote:fd use; allow system_server zygote:process sigchld; # May kill zygote (or its child processes) on crashes. allow system_server { app_zygote crash_dump crosvm virtualizationmanager webview_zygote zygote }:process { getpgid sigkill signull }; # Read /system/bin/app_process. 
allow system_server zygote_exec:file { getattr open read ioctl lock map watch watch_reads }; # Needed to close the zygote socket, which involves getopt / getattr allow system_server zygote:unix_stream_socket { getopt getattr }; # system server gets network and bluetooth permissions. #line 122 typeattribute system_server netdomain; #line 122 # in addition to ioctls allowlisted for all domains, also allow system_server # to use privileged ioctls commands. Needed to set up VPNs. allowxperm system_server self:udp_socket ioctl #line 125 { #line 125 # qualcomm rmnet ioctls #line 125 0x00006900 0x00006902 #line 125 # socket ioctls #line 125 0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916 #line 125 0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f #line 125 0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926 #line 125 0x00008927 0x00008929 0x00008930 0x00008931 0x00008932 #line 125 0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941 #line 125 0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a #line 125 0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970 #line 125 0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990 #line 125 0x00008991 0x00008992 0x00008993 0x00008994 #line 125 0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0 #line 125 # device and protocol specific ioctls #line 125 0x000089f0-0x000089ff #line 125 0x000089e0-0x000089ef #line 125 # Wireless extension ioctls #line 125 0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a #line 125 0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17 #line 125 0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d #line 125 0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a #line 125 0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33 #line 125 0x00008b34 0x00008b35 0x00008b36 #line 125 # Dev private 
ioctl i.e. hardware specific ioctls #line 125 0x00008be0-0x00008bff #line 125 }; #line 126 typeattribute system_server bluetoothdomain; #line 126 # Allow setup of tcp keepalive offload. This gives system_server the permission to # call ioctl on app domains' tcp sockets. Additional ioctl commands still need to # be granted individually, except for a small set of safe values allowlisted in # public/domain.te. allow system_server appdomain:tcp_socket ioctl; # These are the capabilities assigned by the zygote to the # system server. allow system_server self:{ capability cap_userns } { ipc_lock kill net_admin net_bind_service net_broadcast net_raw sys_boot sys_nice sys_ptrace sys_time sys_tty_config }; # Allow alarmtimers to be set allow system_server self:{ capability2 cap2_userns } wake_alarm; # Create and share netlink_netfilter_sockets for tetheroffload. allow system_server self:netlink_netfilter_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } }; # Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps. allow system_server self:netlink_tcpdiag_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_read nlmsg_write }; # Use netlink uevent sockets. allow system_server self:netlink_kobject_uevent_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } }; allow system_server self:netlink_nflog_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } }; # Use generic netlink sockets. allow system_server self:netlink_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } }; allow system_server self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } }; # libvintf reads the kernel config to verify vendor interface compatibility. 
allow system_server config_gz:file { read open }; # Use generic "sockets" where the address family is not known # to the kernel. The ioctl permission is specifically omitted here, but may # be added to device specific policy along with the ioctl commands to be # allowlisted. allow system_server self:socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } }; # Set routes directly via netlink (only nlmsg_write is granted here; the read side # of the route socket is not part of this rule). allow system_server self:netlink_route_socket nlmsg_write; # Use XFRM (IPsec) netlink sockets allow system_server self:netlink_xfrm_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_write nlmsg_read }; # Kill apps. allow system_server appdomain:process { getpgid sigkill signal }; # signull allowed for kill(pid, 0) existence test. allow system_server appdomain:process { signull }; # Set scheduling info for apps. allow system_server appdomain:process { getsched setsched }; allow system_server audioserver:process { getsched setsched }; allow system_server hal_audio:process { getsched setsched }; allow system_server hal_bluetooth:process { getsched setsched }; allow system_server hal_codec2_server:process { getsched setsched }; allow system_server hal_omx_server:process { getsched setsched }; allow system_server mediaswcodec:process { getsched setsched }; allow system_server cameraserver:process { getsched setsched }; allow system_server hal_camera:process { getsched setsched }; allow system_server mediaserver:process { getsched setsched }; allow system_server bootanim:process { getsched setsched }; # Set scheduling info for psi monitor thread. # TODO: delete this line b/131761776 allow system_server kernel:process { getsched setsched }; # Allow system_server to write to /proc/<pid>/* of every domain (write-only here; # no read or getattr is granted by this rule). allow system_server domain:file { open append write lock map }; # Read /proc/pid data for all domains. 
This is used by ProcessCpuTracker # within system_server to keep track of memory and CPU usage for # all processes on the device. In addition, /proc/<pid> file access is needed # for dumping stack traces of native processes. #line 213 allow system_server domain:dir { open getattr read search ioctl lock watch watch_reads }; #line 213 allow system_server domain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 213 # Write /proc/uid_cputime/remove_uid_range. allow system_server proc_uid_cputime_removeuid:file { { open append write lock map } getattr }; # Write /proc/uid_procstat/set. allow system_server proc_uid_procstat_set:file { { open append write lock map } getattr }; # Read and write /proc/sysrq-trigger. Writes invoke kernel SysRq actions (e.g. a forced # crash dump or reboot), so this grant should not be widened to other domains. allow system_server proc_sysrq:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # Delete files under /data/misc/stats-service/ (unlink only; rmdir is not granted). allow system_server stats_config_data_file:dir { open read remove_name search write }; allow system_server stats_config_data_file:file unlink; # Read odsign metrics files, upload them to statsd, and delete them afterwards allow system_server odsign_data_file:dir search; allow system_server odsign_metrics_file:dir { { open getattr read search ioctl lock watch watch_reads } write remove_name }; allow system_server odsign_metrics_file:file { { getattr open read ioctl lock map watch watch_reads } unlink }; # Read /sys/kernel/debug/wakeup_sources. #line 234 allow system_server debugfs_wakeup_sources:file { getattr open read ioctl lock map watch watch_reads }; #line 236 # Read /sys/kernel/ion/*. allow system_server sysfs_ion:file { getattr open read ioctl lock map watch watch_reads }; # Read /sys/kernel/dma_heap/*. allow system_server sysfs_dma_heap:file { getattr open read ioctl lock map watch watch_reads }; # Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf. 
allow system_server sysfs_dmabuf_stats:dir { open getattr read search ioctl lock watch watch_reads }; allow system_server sysfs_dmabuf_stats:file { getattr open read ioctl lock map watch watch_reads }; # Allow ActivityManager to look at the list of DMA-BUF heaps from /dev/dma_heap # for dumpsys meminfo allow system_server dmabuf_heap_device:dir { open getattr read search ioctl lock watch watch_reads }; # Allow reading /proc/vmstat for the oom kill count allow system_server proc_vmstat:file { getattr open read ioctl lock map watch watch_reads }; # The DhcpClient and WifiWatchdog use packet_sockets allow system_server self:packet_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } }; # 3rd party VPN clients require a tun_socket to be created allow system_server self:tun_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } }; # Talk to init and various daemons via sockets. #line 262 allow system_server lmkd_socket:sock_file write; #line 262 allow system_server lmkd:unix_stream_socket connectto; #line 262 #line 263 allow system_server zygote_socket:sock_file write; #line 263 allow system_server zygote:unix_stream_socket connectto; #line 263 #line 264 allow system_server uncrypt_socket:sock_file write; #line 264 allow system_server uncrypt:unix_stream_socket connectto; #line 264 # Allow system_server to write to statsd. #line 267 allow system_server statsdw_socket:sock_file write; #line 267 allow system_server statsd:unix_dgram_socket sendto; #line 267 # Communicate over a socket created by surfaceflinger. allow system_server surfaceflinger:unix_stream_socket { read write setopt }; allow system_server gpuservice:unix_stream_socket { read write setopt }; # Communicate over a socket created by webview_zygote. allow system_server webview_zygote:unix_stream_socket { read write connectto setopt }; # Communicate over a socket created by app_zygote. 
allow system_server app_zygote:unix_stream_socket { read write connectto setopt }; # Perform Binder IPC. #line 281 # Call the servicemanager and transfer references to it. #line 281 allow system_server servicemanager:binder { call transfer }; #line 281 # Allow servicemanager to send out callbacks #line 281 allow servicemanager system_server:binder { call transfer }; #line 281 # servicemanager performs getpidcon on clients. #line 281 allow servicemanager system_server:dir search; #line 281 allow servicemanager system_server:file { read open }; #line 281 allow servicemanager system_server:process getattr; #line 281 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 281 # all domains in domain.te. #line 281 #line 282 # Call the server domain and optionally transfer references to it. #line 282 allow system_server appdomain:binder { call transfer }; #line 282 # Allow the serverdomain to transfer references to the client on the reply. #line 282 allow appdomain system_server:binder transfer; #line 282 # Receive and use open files from the server. #line 282 allow system_server appdomain:fd use; #line 282 #line 283 # Call the server domain and optionally transfer references to it. #line 283 allow system_server artd:binder { call transfer }; #line 283 # Allow the serverdomain to transfer references to the client on the reply. #line 283 allow artd system_server:binder transfer; #line 283 # Receive and use open files from the server. #line 283 allow system_server artd:fd use; #line 283 #line 284 # Call the server domain and optionally transfer references to it. #line 284 allow system_server binderservicedomain:binder { call transfer }; #line 284 # Allow the serverdomain to transfer references to the client on the reply. #line 284 allow binderservicedomain system_server:binder transfer; #line 284 # Receive and use open files from the server. 
#line 284 allow system_server binderservicedomain:fd use; #line 284 #line 285 # Call the server domain and optionally transfer references to it. #line 285 allow system_server composd:binder { call transfer }; #line 285 # Allow the serverdomain to transfer references to the client on the reply. #line 285 allow composd system_server:binder transfer; #line 285 # Receive and use open files from the server. #line 285 allow system_server composd:fd use; #line 285 #line 286 # Call the server domain and optionally transfer references to it. #line 286 allow system_server dexopt_chroot_setup:binder { call transfer }; #line 286 # Allow the serverdomain to transfer references to the client on the reply. #line 286 allow dexopt_chroot_setup system_server:binder transfer; #line 286 # Receive and use open files from the server. #line 286 allow system_server dexopt_chroot_setup:fd use; #line 286 #line 287 # Call the server domain and optionally transfer references to it. #line 287 allow system_server dumpstate:binder { call transfer }; #line 287 # Allow the serverdomain to transfer references to the client on the reply. #line 287 allow dumpstate system_server:binder transfer; #line 287 # Receive and use open files from the server. #line 287 allow system_server dumpstate:fd use; #line 287 #line 288 # Call the server domain and optionally transfer references to it. #line 288 allow system_server fingerprintd:binder { call transfer }; #line 288 # Allow the serverdomain to transfer references to the client on the reply. #line 288 allow fingerprintd system_server:binder transfer; #line 288 # Receive and use open files from the server. #line 288 allow system_server fingerprintd:fd use; #line 288 #line 289 # Call the server domain and optionally transfer references to it. #line 289 allow system_server gatekeeperd:binder { call transfer }; #line 289 # Allow the serverdomain to transfer references to the client on the reply. 
#line 289 allow gatekeeperd system_server:binder transfer; #line 289 # Receive and use open files from the server. #line 289 allow system_server gatekeeperd:fd use; #line 289 #line 290 # Call the server domain and optionally transfer references to it. #line 290 allow system_server gpuservice:binder { call transfer }; #line 290 # Allow the serverdomain to transfer references to the client on the reply. #line 290 allow gpuservice system_server:binder transfer; #line 290 # Receive and use open files from the server. #line 290 allow system_server gpuservice:fd use; #line 290 #line 291 # Call the server domain and optionally transfer references to it. #line 291 allow system_server idmap:binder { call transfer }; #line 291 # Allow the serverdomain to transfer references to the client on the reply. #line 291 allow idmap system_server:binder transfer; #line 291 # Receive and use open files from the server. #line 291 allow system_server idmap:fd use; #line 291 #line 292 # Call the server domain and optionally transfer references to it. #line 292 allow system_server installd:binder { call transfer }; #line 292 # Allow the serverdomain to transfer references to the client on the reply. #line 292 allow installd system_server:binder transfer; #line 292 # Receive and use open files from the server. #line 292 allow system_server installd:fd use; #line 292 #line 293 # Call the server domain and optionally transfer references to it. #line 293 allow system_server incidentd:binder { call transfer }; #line 293 # Allow the serverdomain to transfer references to the client on the reply. #line 293 allow incidentd system_server:binder transfer; #line 293 # Receive and use open files from the server. #line 293 allow system_server incidentd:fd use; #line 293 #line 294 # Call the server domain and optionally transfer references to it. #line 294 allow system_server netd:binder { call transfer }; #line 294 # Allow the serverdomain to transfer references to the client on the reply. 
#line 294 allow netd system_server:binder transfer; #line 294 # Receive and use open files from the server. #line 294 allow system_server netd:fd use; #line 294 #line 295 # Call the server domain and optionally transfer references to it. #line 295 allow system_server ot_daemon:binder { call transfer }; #line 295 # Allow the serverdomain to transfer references to the client on the reply. #line 295 allow ot_daemon system_server:binder transfer; #line 295 # Receive and use open files from the server. #line 295 allow system_server ot_daemon:fd use; #line 295 #line 297 # Call the server domain and optionally transfer references to it. #line 297 allow system_server statsd:binder { call transfer }; #line 297 # Allow the serverdomain to transfer references to the client on the reply. #line 297 allow statsd system_server:binder transfer; #line 297 # Receive and use open files from the server. #line 297 allow system_server statsd:fd use; #line 297 #line 298 # Call the server domain and optionally transfer references to it. #line 298 allow system_server storaged:binder { call transfer }; #line 298 # Allow the serverdomain to transfer references to the client on the reply. #line 298 allow storaged system_server:binder transfer; #line 298 # Receive and use open files from the server. #line 298 allow system_server storaged:fd use; #line 298 #line 299 # Call the server domain and optionally transfer references to it. #line 299 allow system_server update_engine:binder { call transfer }; #line 299 # Allow the serverdomain to transfer references to the client on the reply. #line 299 allow update_engine system_server:binder transfer; #line 299 # Receive and use open files from the server. #line 299 allow system_server update_engine:fd use; #line 299 #line 300 # Call the server domain and optionally transfer references to it. #line 300 allow system_server virtual_camera:binder { call transfer }; #line 300 # Allow the serverdomain to transfer references to the client on the reply. 
#line 300 allow virtual_camera system_server:binder transfer; #line 300 # Receive and use open files from the server. #line 300 allow system_server virtual_camera:fd use; #line 300 #line 301 # Call the server domain and optionally transfer references to it. #line 301 allow system_server vold:binder { call transfer }; #line 301 # Allow the serverdomain to transfer references to the client on the reply. #line 301 allow vold system_server:binder transfer; #line 301 # Receive and use open files from the server. #line 301 allow system_server vold:fd use; #line 301 #line 302 # Call the server domain and optionally transfer references to it. #line 302 allow system_server logd:binder { call transfer }; #line 302 # Allow the serverdomain to transfer references to the client on the reply. #line 302 allow logd system_server:binder transfer; #line 302 # Receive and use open files from the server. #line 302 allow system_server logd:fd use; #line 302 #line 303 # Call the server domain and optionally transfer references to it. #line 303 allow system_server wificond:binder { call transfer }; #line 303 # Allow the serverdomain to transfer references to the client on the reply. #line 303 allow wificond system_server:binder transfer; #line 303 # Receive and use open files from the server. #line 303 allow system_server wificond:fd use; #line 303 #line 304 # Call the server domain and optionally transfer references to it. #line 304 allow system_server uprobestats:binder { call transfer }; #line 304 # Allow the serverdomain to transfer references to the client on the reply. #line 304 allow uprobestats system_server:binder transfer; #line 304 # Receive and use open files from the server. 
#line 304 allow system_server uprobestats:fd use; #line 304 #line 305 typeattribute system_server binderservicedomain; #line 305 # Use HALs #line 308 typeattribute system_server halclientdomain; #line 308 typeattribute system_server hal_allocator_client; #line 308 #line 308 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 308 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 308 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 308 #line 308 typeattribute system_server hal_allocator; #line 308 # Find passthrough HAL implementations #line 308 allow hal_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 308 allow hal_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 308 allow hal_allocator vendor_file:file { read open getattr execute map }; #line 308 #line 308 #line 309 typeattribute system_server halclientdomain; #line 309 typeattribute system_server hal_audio_client; #line 309 #line 309 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 309 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 309 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 309 #line 309 typeattribute system_server hal_audio; #line 309 # Find passthrough HAL implementations #line 309 allow hal_audio system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 309 allow hal_audio vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 309 allow hal_audio vendor_file:file { read open getattr execute map }; #line 309 #line 309 #line 310 typeattribute system_server halclientdomain; #line 310 typeattribute system_server hal_authgraph_client; #line 310 #line 310 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 310 # non-Treble devices. 
For now, on non-Treble device, always grant clients of a #line 310 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 310 #line 310 typeattribute system_server hal_authgraph; #line 310 # Find passthrough HAL implementations #line 310 allow hal_authgraph system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 310 allow hal_authgraph vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 310 allow hal_authgraph vendor_file:file { read open getattr execute map }; #line 310 #line 310 #line 311 typeattribute system_server halclientdomain; #line 311 typeattribute system_server hal_authsecret_client; #line 311 #line 311 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 311 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 311 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 311 #line 311 typeattribute system_server hal_authsecret; #line 311 # Find passthrough HAL implementations #line 311 allow hal_authsecret system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 311 allow hal_authsecret vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 311 allow hal_authsecret vendor_file:file { read open getattr execute map }; #line 311 #line 311 #line 312 typeattribute system_server halclientdomain; #line 312 typeattribute system_server hal_bluetooth_client; #line 312 #line 312 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 312 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 312 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). 
#line 312 #line 312 typeattribute system_server hal_bluetooth; #line 312 # Find passthrough HAL implementations #line 312 allow hal_bluetooth system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 312 allow hal_bluetooth vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 312 allow hal_bluetooth vendor_file:file { read open getattr execute map }; #line 312 #line 312 #line 313 typeattribute system_server halclientdomain; #line 313 typeattribute system_server hal_broadcastradio_client; #line 313 #line 313 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 313 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 313 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 313 #line 313 typeattribute system_server hal_broadcastradio; #line 313 # Find passthrough HAL implementations #line 313 allow hal_broadcastradio system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 313 allow hal_broadcastradio vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 313 allow hal_broadcastradio vendor_file:file { read open getattr execute map }; #line 313 #line 313 #line 314 typeattribute system_server halclientdomain; #line 314 typeattribute system_server hal_codec2_client; #line 314 #line 314 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 314 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 314 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). 
#line 314 #line 314 typeattribute system_server hal_codec2; #line 314 # Find passthrough HAL implementations #line 314 allow hal_codec2 system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 314 allow hal_codec2 vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 314 allow hal_codec2 vendor_file:file { read open getattr execute map }; #line 314 #line 314 #line 315 typeattribute system_server halclientdomain; #line 315 typeattribute system_server hal_configstore_client; #line 315 #line 315 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 315 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 315 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 315 #line 315 typeattribute system_server hal_configstore; #line 315 # Find passthrough HAL implementations #line 315 allow hal_configstore system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 315 allow hal_configstore vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 315 allow hal_configstore vendor_file:file { read open getattr execute map }; #line 315 #line 315 #line 316 typeattribute system_server halclientdomain; #line 316 typeattribute system_server hal_contexthub_client; #line 316 #line 316 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 316 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 316 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). 
# Passthrough HAL client grants for system_server.
#
# Every statement in this section was emitted by the hal_client_domain() macro,
# once per HAL, and each instance is the same four things: make system_server a
# generic HAL client (halclientdomain) and a client of the specific HAL
# (hal_<name>_client); then, so that a HAL which runs in passthrough
# (in-process) mode can be hosted inside system_server, also make system_server
# a member of the HAL's own attribute (hal_<name>) and let that attribute locate
# and map HAL implementations under system_file / vendor_file.
#
# Because the per-HAL statements are identical, they are written once here over
# the set of HAL attributes. The compiled access vectors are the same as the
# one-statement-per-HAL form.
#
# Note for reviewers: the `vendor_file:file { read open getattr execute map }`
# rule below is the grant that lets system_server, as a member of each
# hal_<name> attribute, read, execute and map files labelled vendor_file — i.e.
# vendor-built HAL code can be loaded into system_server's address space when
# that HAL is used in passthrough mode.
#
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
# non-Treble devices. For now, on non-Treble device, always grant clients of a
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).

# The hal_contexthub instance begins before this section; only its passthrough
# half (membership in hal_contexthub and the lookup rules) is visible here.
typeattribute system_server hal_contexthub;

typeattribute system_server halclientdomain;

# system_server is a client of each of these HALs.
typeattribute system_server
    hal_face_client,
    hal_fingerprint_client,
    hal_gnss_client,
    hal_graphics_allocator_client,
    hal_health_client,
    hal_input_classifier_client,
    hal_input_processor_client,
    hal_ir_client,
    hal_keymint_client,
    hal_light_client,
    hal_memtrack_client,
    hal_neuralnetworks_client,
    hal_oemlock_client,
    hal_omx_client,
    hal_power_client,
    hal_power_stats_client,
    hal_rebootescrow_client,
    hal_remotelyprovisionedcomponent_avf_client,
    hal_sensors_client,
    hal_tetheroffload_client,
    hal_thermal_client,
    hal_threadnetwork_client,
    hal_tv_cec_client,
    hal_tv_hdmi_cec_client,
    hal_tv_hdmi_connection_client,
    hal_tv_hdmi_earc_client,
    hal_tv_input_client,
    hal_usb_client,
    hal_usb_gadget_client,
    hal_uwb_client,
    hal_vibrator_client,
    hal_vr_client,
    hal_weaver_client,
    hal_wifi_client,
    hal_wifi_hostapd_client,
    hal_wifi_supplicant_client;

# Passthrough mode: system_server also carries each HAL's own attribute.
typeattribute system_server
    hal_face,
    hal_fingerprint,
    hal_gnss,
    hal_graphics_allocator,
    hal_health,
    hal_input_classifier,
    hal_input_processor,
    hal_ir,
    hal_keymint,
    hal_light,
    hal_memtrack,
    hal_neuralnetworks,
    hal_oemlock,
    hal_omx,
    hal_power,
    hal_power_stats,
    hal_rebootescrow,
    hal_remotelyprovisionedcomponent_avf,
    hal_sensors,
    hal_tetheroffload,
    hal_thermal,
    hal_threadnetwork,
    hal_tv_cec,
    hal_tv_hdmi_cec,
    hal_tv_hdmi_connection,
    hal_tv_hdmi_earc,
    hal_tv_input,
    hal_usb,
    hal_usb_gadget,
    hal_uwb,
    hal_vibrator,
    hal_vr,
    hal_weaver,
    hal_wifi,
    hal_wifi_hostapd,
    hal_wifi_supplicant;

# Find passthrough HAL implementations.
allow {
    hal_contexthub
    hal_face
    hal_fingerprint
    hal_gnss
    hal_graphics_allocator
    hal_health
    hal_input_classifier
    hal_input_processor
    hal_ir
    hal_keymint
    hal_light
    hal_memtrack
    hal_neuralnetworks
    hal_oemlock
    hal_omx
    hal_power
    hal_power_stats
    hal_rebootescrow
    hal_remotelyprovisionedcomponent_avf
    hal_sensors
    hal_tetheroffload
    hal_thermal
    hal_threadnetwork
    hal_tv_cec
    hal_tv_hdmi_cec
    hal_tv_hdmi_connection
    hal_tv_hdmi_earc
    hal_tv_input
    hal_usb
    hal_usb_gadget
    hal_uwb
    hal_vibrator
    hal_vr
    hal_weaver
    hal_wifi
    hal_wifi_hostapd
    hal_wifi_supplicant
} { system_file vendor_file }:dir { open getattr read search ioctl lock watch watch_reads };

allow {
    hal_contexthub
    hal_face
    hal_fingerprint
    hal_gnss
    hal_graphics_allocator
    hal_health
    hal_input_classifier
    hal_input_processor
    hal_ir
    hal_keymint
    hal_light
    hal_memtrack
    hal_neuralnetworks
    hal_oemlock
    hal_omx
    hal_power
    hal_power_stats
    hal_rebootescrow
    hal_remotelyprovisionedcomponent_avf
    hal_sensors
    hal_tetheroffload
    hal_thermal
    hal_threadnetwork
    hal_tv_cec
    hal_tv_hdmi_cec
    hal_tv_hdmi_connection
    hal_tv_hdmi_earc
    hal_tv_input
    hal_usb
    hal_usb_gadget
    hal_uwb
    hal_vibrator
    hal_vr
    hal_weaver
    hal_wifi
    hal_wifi_hostapd
    hal_wifi_supplicant
} vendor_file:file { read open getattr execute map };

# The bootctl is a pass through HAL mode under recovery mode. So we skip the
# permission for recovery in order not to give system server the access to
# the low level block devices.
# (This build is not the recovery variant, so the instance is present. It is
# kept separate from the merged set above so the recovery caveat stays next to
# the rules it applies to; the grants are the same as for the other HALs.)
typeattribute system_server hal_bootctl_client, hal_bootctl;
allow hal_bootctl { system_file vendor_file }:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_bootctl vendor_file:file { read open getattr execute map };

# Talk with graphics composer fences
allow system_server hal_graphics_composer:fd use;

# Use RenderScript always-passthrough HAL
allow system_server hal_renderscript_hwservice:hwservice_manager find;
allow system_server same_process_hal_file:file { execute read open getattr map };

# Talk to tombstoned to get ANR traces.
allow system_server tombstoned_intercept_socket:sock_file write;
allow system_server tombstoned:unix_stream_socket connectto;

# List HAL interfaces to get ANR traces (the hwservicemanager / servicemanager
# list rules follow this section).
# List HAL interfaces to get ANR traces.
allow system_server hwservicemanager:hwservice_manager list;
allow system_server servicemanager:service_manager list;

# Send signals to trigger ANR traces.
# Only the generic `signal` permission is granted here; the separately
# controlled kill/stop permissions of the process class are not in this rule.
allow system_server {
    # This is derived from the list that system server defines as interesting native processes
    # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
    # frameworks/base/services/core/java/com/android/server/Watchdog.java.
    artd
    audioserver
    cameraserver
    drmserver
    gpuservice
    inputflinger
    keystore
    mediadrmserver
    mediaextractor
    mediametrics
    mediaserver
    mediaswcodec
    mediatranscoding
    mediatuner
    netd
    sdcardd
    servicemanager
    statsd
    surfaceflinger
    vold

    # This list comes from HAL_INTERFACES_OF_INTEREST in
    # frameworks/base/services/core/java/com/android/server/Watchdog.java.
    hal_audio_server
    hal_bluetooth_server
    hal_camera_server
    hal_codec2_server
    hal_face_server
    hal_fingerprint_server
    hal_gnss_server
    hal_graphics_allocator_server
    hal_graphics_composer_server
    hal_health_server
    hal_input_processor_server
    hal_light_server
    hal_neuralnetworks_server
    hal_omx_server
    hal_power_server
    hal_power_stats_server
    hal_sensors_server
    hal_vibrator_server
    hal_vr_server
    system_suspend_server
}:process signal;

# Use sockets received over binder from various services.
# audioserver, mediaserver and mediadrmserver each get the same permission set
# on both socket classes, so the six original rules are written as one.
allow system_server { audioserver mediaserver mediadrmserver }:{ tcp_socket udp_socket } {
    ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map
};

# Write trace data to the Perfetto traced daemon. This requires connecting to
# its producer socket and obtaining a (per-process) tmpfs fd.
allow system_server traced_producer_socket:sock_file write;
allow system_server traced:unix_stream_socket connectto;
allow system_server traced:fd use;
allow system_server traced_tmpfs:file { read write getattr map };

# Also allow the service to use the producer file descriptors. This is
# necessary when the producer is creating the shared memory, as it will be
# passed to the service as a file descriptor (obtained from memfd_create).
allow traced system_server:fd use;

# Get file context (read-only access to the file_contexts policy data).
allow system_server file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };

# access for mac_permissions (read-only, same permission set as above)
allow system_server mac_perms_file:file { getattr open read ioctl lock map watch watch_reads };

# Check SELinux permissions (the selinuxfs / kernel:security rules follow).
#line 441 #line 441 allow system_server selinuxfs:dir { open getattr read search ioctl lock watch watch_reads }; #line 441 allow system_server selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 441 #line 441 allow system_server selinuxfs:file { open append write lock map }; #line 441 allow system_server kernel:security compute_av; #line 441 allow system_server self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; #line 441 allow system_server sysfs_type:dir { open getattr read search ioctl lock watch watch_reads }; #line 445 allow system_server sysfs_android_usb:dir { open getattr read search ioctl lock watch watch_reads }; #line 445 allow system_server sysfs_android_usb:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 445 allow system_server sysfs_android_usb:file { open append write lock map }; #line 448 allow system_server sysfs_extcon:dir { open getattr read search ioctl lock watch watch_reads }; #line 448 allow system_server sysfs_extcon:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 448 #line 450 allow system_server sysfs_ipv4:dir { open getattr read search ioctl lock watch watch_reads }; #line 450 allow system_server sysfs_ipv4:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 450 allow system_server sysfs_ipv4:file { open append write lock map }; #line 453 allow system_server sysfs_rtc:dir { open getattr read search ioctl lock watch watch_reads }; #line 453 allow system_server sysfs_rtc:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 453 #line 454 allow system_server sysfs_switch:dir { open getattr read search ioctl lock watch watch_reads }; #line 454 allow system_server sysfs_switch:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 454 allow 
system_server sysfs_nfc_power_writable:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow system_server sysfs_power:dir search; allow system_server sysfs_power:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow system_server sysfs_thermal:dir search; allow system_server sysfs_thermal:file { getattr open read ioctl lock map watch watch_reads }; allow system_server sysfs_uhid:dir { open getattr read search ioctl lock watch watch_reads }; allow system_server sysfs_uhid:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # TODO: Remove when HALs are forced into separate processes. Note that only write/append are # granted here (no open), so system_server can only write to a vibrator sysfs fd it already holds or is handed. allow system_server sysfs_vibrator:file { write append }; # TODO: added to mirror the sysfs_android_usb write rule above. Verify whether system_server still # needs write access to sysfs_usb at all, and drop this rule if it does not. allow system_server sysfs_usb:file { open append write lock map }; # Access devices. allow system_server device:dir { open getattr read search ioctl lock watch watch_reads }; allow system_server mdns_socket:sock_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow system_server gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow system_server gpu_device:dir { open getattr read search ioctl lock watch watch_reads }; allow system_server sysfs_gpu:file { getattr open read ioctl lock map watch watch_reads }; allow system_server input_device:dir { open getattr read search ioctl lock watch watch_reads }; allow system_server input_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow system_server tty_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow system_server usbaccessory_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow system_server video_device:dir 
{ open getattr read search ioctl lock watch watch_reads }; allow system_server video_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow system_server adbd_socket:sock_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow system_server rtc_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow system_server audio_device:dir { open getattr read search ioctl lock watch watch_reads }; allow system_server uhid_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow system_server hidraw_device:dir { open getattr read search ioctl lock watch watch_reads }; allow system_server hidraw_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # write access to ALSA interfaces (/dev/snd/*) needed for MIDI allow system_server audio_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # tun device used for 3rd party vpn apps and test network manager. # The allowxperm rule below narrows the `ioctl` permission granted here to the four listed # ioctl commands; any other ioctl on tun_device is denied even though the base rule allows `ioctl`. # Keep this list minimal: every command added here is reachable from system_server on the tun fd. allow system_server tun_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allowxperm system_server tun_device:chr_file ioctl { 0x800454d2 0x400454ca 0x400454cd 0x400454e2 }; # Manage data/ota_package allow system_server ota_package_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; allow system_server ota_package_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Manage system data files. 
allow system_server system_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server system_data_file:{ file lnk_file sock_file fifo_file } { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow system_server packages_list_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow system_server game_mode_intervention_list_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow system_server keychain_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server keychain_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow system_server keychain_data_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Read the user parent directories like /data/user. Don't allow write access, # as vold is responsible for creating and deleting the subdirectories. allow system_server system_userdir_file:dir { open getattr read search ioctl lock watch watch_reads }; # Manage /data/app. 
allow system_server apk_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server apk_data_file:{ file lnk_file } { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } link }; allow system_server apk_tmp_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server apk_tmp_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Access input configuration files in the /vendor directory #line 520 allow system_server vendor_keylayout_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 520 allow system_server vendor_keylayout_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 520 #line 521 allow system_server vendor_keychars_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 521 allow system_server vendor_keychars_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 521 #line 522 allow system_server vendor_idc_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 522 allow system_server vendor_idc_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 522 #line 523 allow system_server input_device_config_prop:file { getattr open read map }; #line 523 # Access /vendor/{app,framework,overlay} #line 526 allow system_server vendor_app_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 526 allow system_server vendor_app_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 526 #line 527 allow system_server vendor_framework_file:dir { open getattr read search ioctl lock 
watch watch_reads }; #line 527 allow system_server vendor_framework_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 527 #line 528 allow system_server vendor_overlay_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 528 allow system_server vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 528 # Manage /data/app-private. allow system_server apk_private_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server apk_private_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow system_server apk_private_tmp_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server apk_private_tmp_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Manage files within asec containers. allow system_server asec_apk_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server asec_apk_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow system_server asec_public_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Manage /data/anr. # # TODO: Some of these permissions can be withdrawn once we've switched to the # new stack dumping mechanism, see b/32064548 and the rules below. 
In particular, # the system_server should never need to create a new anr_data_file:file or write # to one, but it will still need to read and append to existing files. The rules below # still grant create/write/unlink on anr_data_file, so they are broader than that minimum. allow system_server anr_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server anr_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # New stack dumping scheme : request an output FD from tombstoned via a unix # domain socket. # # Allow system_server to connect and write to the tombstoned java trace socket in # order to dump its traces. Also allow the system server to write its traces to # dumpstate during bugreport capture and incidentd during incident collection. #line 556 allow system_server tombstoned_java_trace_socket:sock_file write; #line 556 allow system_server tombstoned:unix_stream_socket connectto; #line 556 allow system_server tombstoned:fd use; allow system_server dumpstate:fifo_file append; allow system_server incidentd:fifo_file append; # Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`). # No allow rule follows this comment in this expanded policy: the corresponding rule is not # present in this build (presumably compiled out for this build variant - verify against the # unexpanded source before relying on it). #line 563 # Allow system_server to read pipes from incidentd (used to deliver incident reports # to dropbox) allow system_server incidentd:fifo_file read; # Read /data/misc/incidents - `read` only, with no `open`: system_server can consume an # incident fd it is handed but cannot open files under /data/misc/incidents by path itself. # The fd is then sent over binder to dropbox, which has no DAC access to the file, for it to read. allow system_server incident_data_file:file read; # Manage /data/misc/prereboot. allow system_server prereboot_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; allow system_server prereboot_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Allow tracing proxy service to read traces. Only the fd is sent over # binder. 
allow system_server perfetto_traces_data_file:file { read getattr }; allow system_server perfetto:fd use; # Allow system_server to exec the perfetto cmdline client and pass it a trace config #line 583 # Allow the necessary permissions. #line 583 #line 583 # Old domain may exec the file and transition to the new domain. #line 583 allow system_server perfetto_exec:file { getattr open read execute map }; #line 583 allow system_server perfetto:process transition; #line 583 # New domain is entered by executing the file. #line 583 allow perfetto perfetto_exec:file { entrypoint open read execute getattr map }; #line 583 # New domain can send SIGCHLD to its caller. #line 583 allow perfetto system_server:process sigchld; #line 583 # Enable AT_SECURE, i.e. libc secure mode. #line 583 dontaudit system_server perfetto:process noatsecure; #line 583 # XXX dontaudit candidate but requires further study. #line 583 allow system_server perfetto:process { siginh rlimitinh }; #line 583 #line 583 # Make the transition occur by default. #line 583 type_transition system_server perfetto_exec:process perfetto; #line 583 ; allow system_server perfetto:fifo_file { read write }; # Allow system server to manage perfetto traces for ProfilingService. allow system_server perfetto_traces_profiling_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; allow system_server perfetto_traces_profiling_data_file:file { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } unlink }; allow system_server perfetto_traces_data_file:dir search; # Manage /data/backup. 
allow system_server backup_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server backup_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Write to /data/system/dropbox allow system_server dropbox_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server dropbox_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Write to /data/system/heapdump allow system_server heapdump_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; allow system_server heapdump_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Manage /data/misc/adb. allow system_server adb_keys_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server adb_keys_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Manage /data/misc/appcompat. 
allow system_server appcompat_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; allow system_server appcompat_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Manage /data/misc/emergencynumberdb allow system_server emergency_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server emergency_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Manage /data/misc/network_watchlist allow system_server network_watchlist_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server network_watchlist_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Manage /data/misc/sms. # TODO: Split into a separate type? allow system_server radio_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server radio_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Manage /data/misc/systemkeys. allow system_server systemkeys_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server systemkeys_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Manage /data/misc/textclassifier. 
allow system_server textclassifier_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server textclassifier_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Manage /data/tombstones. allow system_server tombstone_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; allow system_server tombstone_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Manage /data/misc/vpn. allow system_server vpn_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server vpn_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Manage /data/misc/wifi. allow system_server wifi_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server wifi_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Manage /data/app-staging. allow system_server staging_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server staging_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Manage /data/rollback. 
allow system_server staging_data_file:{ file lnk_file } { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } link }; # Walk /data/data subdirectories. Deliberately no `open`: system_server can path-walk and # stat app data directories but cannot open them to enumerate their contents itself. allow system_server app_data_file_type:dir { getattr read search }; # Also permit for unlabeled /data/data subdirectories and # for unlabeled asec containers on upgrades from 4.2. allow system_server unlabeled:dir { open getattr read search ioctl lock watch watch_reads }; # Read a pkg.apk that is still unlabeled, i.e. before vold has relabeled it. allow system_server unlabeled:file { getattr open read ioctl lock map watch watch_reads }; # Populate com.android.providers.settings/databases/settings.db. allow system_server system_app_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server system_app_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Receive and use open app data files passed over binder IPC. No `open` is granted here, so # system_server may only operate on app data fds handed to it by the app; it cannot open app # data files by path. Do not add `open` to this rule without revisiting that boundary. allow system_server app_data_file_type:file { getattr read write append map }; # Access to /data/media for measuring disk usage. allow system_server media_rw_data_file:dir { search getattr open read }; # Receive and use open /data/media files passed over binder IPC (again without `open`, so # only fds handed to system_server are usable). # Also used for measuring disk usage. allow system_server media_rw_data_file:file { getattr read write append }; # System server needs to setfscreate to packages_list_file when writing # /data/system/packages.list allow system_server system_server:process setfscreate; # Relabel apk files. allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto }; allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto }; # Allow PackageManager to: # 1. rename file from /data/app-staging folder to /data/app # 2. 
relabel files (linked to /data/rollback) under /data/app-staging # during staged apk/apex install. allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto }; # Relabel wallpaper. allow system_server system_data_file:file relabelfrom; allow system_server wallpaper_file:file relabelto; allow system_server wallpaper_file:file { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } rename unlink }; # Backup of wallpaper imagery uses temporary hard links to avoid data churn allow system_server { system_data_file wallpaper_file }:file link; # ShortcutManager icons allow system_server system_data_file:dir relabelfrom; allow system_server shortcut_manager_icons:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelto }; allow system_server shortcut_manager_icons:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Manage ringtones. allow system_server ringtone_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelto }; allow system_server ringtone_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Relabel icon file. allow system_server icon_file:file relabelto; allow system_server icon_file:file { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } unlink }; # FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)? allow system_server system_data_file:dir relabelfrom; # server_configurable_flags_data_file is used for storing server configurable flags which # have been reset during current booting. 
system_server needs to read the data to perform related # disaster recovery actions. allow system_server server_configurable_flags_data_file:dir { open getattr read search ioctl lock watch watch_reads }; allow system_server server_configurable_flags_data_file:file { getattr open read ioctl lock map watch watch_reads }; # Property Service write #line 718 #line 718 allow system_server property_socket:sock_file write; #line 718 allow system_server init:unix_stream_socket connectto; #line 718 #line 718 allow system_server system_prop:property_service set; #line 718 #line 718 allow system_server system_prop:file { getattr open read map }; #line 718 #line 718 #line 719 #line 719 allow system_server property_socket:sock_file write; #line 719 allow system_server init:unix_stream_socket connectto; #line 719 #line 719 allow system_server bootanim_system_prop:property_service set; #line 719 #line 719 allow system_server bootanim_system_prop:file { getattr open read map }; #line 719 #line 719 #line 720 #line 720 allow system_server property_socket:sock_file write; #line 720 allow system_server init:unix_stream_socket connectto; #line 720 #line 720 allow system_server bluetooth_prop:property_service set; #line 720 #line 720 allow system_server bluetooth_prop:file { getattr open read map }; #line 720 #line 720 #line 721 #line 721 allow system_server property_socket:sock_file write; #line 721 allow system_server init:unix_stream_socket connectto; #line 721 #line 721 allow system_server exported_system_prop:property_service set; #line 721 #line 721 allow system_server exported_system_prop:file { getattr open read map }; #line 721 #line 721 #line 722 #line 722 allow system_server property_socket:sock_file write; #line 722 allow system_server init:unix_stream_socket connectto; #line 722 #line 722 allow system_server exported3_system_prop:property_service set; #line 722 #line 722 allow system_server exported3_system_prop:file { getattr open read map }; #line 722 #line 722 #line 723 
#line 723 allow system_server property_socket:sock_file write; #line 723 allow system_server init:unix_stream_socket connectto; #line 723 #line 723 allow system_server safemode_prop:property_service set; #line 723 #line 723 allow system_server safemode_prop:file { getattr open read map }; #line 723 #line 723 #line 724 #line 724 allow system_server property_socket:sock_file write; #line 724 allow system_server init:unix_stream_socket connectto; #line 724 #line 724 allow system_server theme_prop:property_service set; #line 724 #line 724 allow system_server theme_prop:file { getattr open read map }; #line 724 #line 724 #line 725 #line 725 allow system_server property_socket:sock_file write; #line 725 allow system_server init:unix_stream_socket connectto; #line 725 #line 725 allow system_server dhcp_prop:property_service set; #line 725 #line 725 allow system_server dhcp_prop:file { getattr open read map }; #line 725 #line 725 #line 726 #line 726 allow system_server property_socket:sock_file write; #line 726 allow system_server init:unix_stream_socket connectto; #line 726 #line 726 allow system_server net_connectivity_prop:property_service set; #line 726 #line 726 allow system_server net_connectivity_prop:file { getattr open read map }; #line 726 #line 726 #line 727 #line 727 allow system_server property_socket:sock_file write; #line 727 allow system_server init:unix_stream_socket connectto; #line 727 #line 727 allow system_server net_radio_prop:property_service set; #line 727 #line 727 allow system_server net_radio_prop:file { getattr open read map }; #line 727 #line 727 #line 728 #line 728 allow system_server property_socket:sock_file write; #line 728 allow system_server init:unix_stream_socket connectto; #line 728 #line 728 allow system_server net_dns_prop:property_service set; #line 728 #line 728 allow system_server net_dns_prop:file { getattr open read map }; #line 728 #line 728 #line 729 #line 729 allow system_server property_socket:sock_file write; #line 729 
allow system_server init:unix_stream_socket connectto; #line 729 #line 729 allow system_server usb_control_prop:property_service set; #line 729 #line 729 allow system_server usb_control_prop:file { getattr open read map }; #line 729 #line 729 #line 730 #line 730 allow system_server property_socket:sock_file write; #line 730 allow system_server init:unix_stream_socket connectto; #line 730 #line 730 allow system_server usb_prop:property_service set; #line 730 #line 730 allow system_server usb_prop:file { getattr open read map }; #line 730 #line 730 #line 731 #line 731 allow system_server property_socket:sock_file write; #line 731 allow system_server init:unix_stream_socket connectto; #line 731 #line 731 allow system_server debug_prop:property_service set; #line 731 #line 731 allow system_server debug_prop:file { getattr open read map }; #line 731 #line 731 #line 732 #line 732 allow system_server property_socket:sock_file write; #line 732 allow system_server init:unix_stream_socket connectto; #line 732 #line 732 allow system_server powerctl_prop:property_service set; #line 732 #line 732 allow system_server powerctl_prop:file { getattr open read map }; #line 732 #line 732 #line 733 #line 733 allow system_server property_socket:sock_file write; #line 733 allow system_server init:unix_stream_socket connectto; #line 733 #line 733 allow system_server fingerprint_prop:property_service set; #line 733 #line 733 allow system_server fingerprint_prop:file { getattr open read map }; #line 733 #line 733 #line 734 #line 734 allow system_server property_socket:sock_file write; #line 734 allow system_server init:unix_stream_socket connectto; #line 734 #line 734 allow system_server device_logging_prop:property_service set; #line 734 #line 734 allow system_server device_logging_prop:file { getattr open read map }; #line 734 #line 734 #line 735 #line 735 allow system_server property_socket:sock_file write; #line 735 allow system_server init:unix_stream_socket connectto; #line 735 #line 
# -- system_server property rules (preprocessor-expanded policy) ----------
# This is m4/cpp output: each `#line N` marker names the originating line of
# system_server.te. Every four-rule group below has the shape of one
# set_prop(system_server, <ctx>) expansion: write to init's property-service
# socket, connect to init, `set` on the property context, and
# getattr/open/read/map the backing property file. The socket/connectto pair
# is re-emitted by every expansion; duplicate allow rules are unioned by the
# policy compiler, so the repetition grants nothing beyond the union.
#
# Review note: `<ctx>:property_service set` covers every property *name* that
# property_contexts maps to <ctx>. The breadth of each grant is decided by
# that mapping (not in this span), not by the rule text here.
#
# The socket/connectto half of the 735 group precedes this chunk.
#line 735
allow system_server dumpstate_options_prop:property_service set;
allow system_server dumpstate_options_prop:file { getattr open read map };
#line 736
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server overlay_prop:property_service set;
allow system_server overlay_prop:file { getattr open read map };
#line 737
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server exported_overlay_prop:property_service set;
allow system_server exported_overlay_prop:file { getattr open read map };
#line 738
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server pm_prop:property_service set;
allow system_server pm_prop:file { getattr open read map };
#line 739
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server exported_pm_prop:property_service set;
allow system_server exported_pm_prop:file { getattr open read map };
#line 740
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server socket_hook_prop:property_service set;
allow system_server socket_hook_prop:file { getattr open read map };
#line 741
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server audio_prop:property_service set;
allow system_server audio_prop:file { getattr open read map };
#line 742
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server boot_status_prop:property_service set;
allow system_server boot_status_prop:file { getattr open read map };
#line 743
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server surfaceflinger_color_prop:property_service set;
allow system_server surfaceflinger_color_prop:file { getattr open read map };
#line 744
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server provisioned_prop:property_service set;
allow system_server provisioned_prop:file { getattr open read map };
#line 745
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server retaildemo_prop:property_service set;
allow system_server retaildemo_prop:file { getattr open read map };
#line 746
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server dmesgd_start_prop:property_service set;
allow system_server dmesgd_start_prop:file { getattr open read map };
#line 747
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server locale_prop:property_service set;
allow system_server locale_prop:file { getattr open read map };
#line 748
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server timezone_metadata_prop:property_service set;
allow system_server timezone_metadata_prop:file { getattr open read map };
#line 749
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server timezone_prop:property_service set;
allow system_server timezone_prop:file { getattr open read map };
#line 750
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server crashrecovery_prop:property_service set;
allow system_server crashrecovery_prop:file { getattr open read map };

# ctl interface
# ctl.* properties are init's service-control interface (start/stop/restart
# of init services). Review note: ctl_default_prop is presumably the
# catch-all label for ctl.* names without a more specific context, which
# makes the 755 grant broad — confirm its scope against property_contexts.
#line 755
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server ctl_default_prop:property_service set;
allow system_server ctl_default_prop:file { getattr open read map };
#line 756
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server ctl_bugreport_prop:property_service set;
allow system_server ctl_bugreport_prop:file { getattr open read map };
#line 757
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server ctl_gsid_prop:property_service set;
allow system_server ctl_gsid_prop:file { getattr open read map };

# cppreopt property
#line 760
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server cppreopt_prop:property_service set;
allow system_server cppreopt_prop:file { getattr open read map };

# server configurable flags properties
# One set_prop() group per device_config_*_prop namespace; system_server is
# the writer of these server-pushed flags, native consumers read them.
#line 763
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_core_experiments_team_internal_prop:property_service set;
allow system_server device_config_core_experiments_team_internal_prop:file { getattr open read map };
#line 764
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_edgetpu_native_prop:property_service set;
allow system_server device_config_edgetpu_native_prop:file { getattr open read map };
#line 765
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_input_native_boot_prop:property_service set;
allow system_server device_config_input_native_boot_prop:file { getattr open read map };
#line 766
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_netd_native_prop:property_service set;
allow system_server device_config_netd_native_prop:file { getattr open read map };
#line 767
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_nnapi_native_prop:property_service set;
allow system_server device_config_nnapi_native_prop:file { getattr open read map };
#line 768
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_activity_manager_native_boot_prop:property_service set;
allow system_server device_config_activity_manager_native_boot_prop:file { getattr open read map };
#line 769
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_runtime_native_boot_prop:property_service set;
allow system_server device_config_runtime_native_boot_prop:file { getattr open read map };
#line 770
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_runtime_native_prop:property_service set;
allow system_server device_config_runtime_native_prop:file { getattr open read map };
#line 771
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_lmkd_native_prop:property_service set;
allow system_server device_config_lmkd_native_prop:file { getattr open read map };
#line 772
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_media_native_prop:property_service set;
allow system_server device_config_media_native_prop:file { getattr open read map };
#line 773
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_camera_native_prop:property_service set;
allow system_server device_config_camera_native_prop:file { getattr open read map };
#line 774
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_mglru_native_prop:property_service set;
allow system_server device_config_mglru_native_prop:file { getattr open read map };
#line 775
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_profcollect_native_boot_prop:property_service set;
allow system_server device_config_profcollect_native_boot_prop:file { getattr open read map };
#line 776
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_statsd_native_prop:property_service set;
allow system_server device_config_statsd_native_prop:file { getattr open read map };
#line 777
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_statsd_native_boot_prop:property_service set;
allow system_server device_config_statsd_native_boot_prop:file { getattr open read map };
# Continuation of the server-configurable-flag set_prop() groups (see the
# `#line N` markers for the originating system_server.te line). Same shape as
# above: socket write + init connectto + `set` on the context + read-map of
# the property file; the repeated socket/connectto rules are unioned by the
# compiler and grant nothing extra.
#line 778
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_storage_native_boot_prop:property_service set;
allow system_server device_config_storage_native_boot_prop:file { getattr open read map };
#line 779
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_swcodec_native_prop:property_service set;
allow system_server device_config_swcodec_native_prop:file { getattr open read map };
#line 780
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_sys_traced_prop:property_service set;
allow system_server device_config_sys_traced_prop:file { getattr open read map };
#line 781
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_window_manager_native_boot_prop:property_service set;
allow system_server device_config_window_manager_native_boot_prop:file { getattr open read map };
#line 782
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_configuration_prop:property_service set;
allow system_server device_config_configuration_prop:file { getattr open read map };
#line 783
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_connectivity_prop:property_service set;
allow system_server device_config_connectivity_prop:file { getattr open read map };
#line 784
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_surface_flinger_native_boot_prop:property_service set;
allow system_server device_config_surface_flinger_native_boot_prop:file { getattr open read map };
#line 785
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_aconfig_flags_prop:property_service set;
allow system_server device_config_aconfig_flags_prop:file { getattr open read map };
#line 786
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_vendor_system_native_prop:property_service set;
allow system_server device_config_vendor_system_native_prop:file { getattr open read map };
#line 787
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_vendor_system_native_boot_prop:property_service set;
allow system_server device_config_vendor_system_native_boot_prop:file { getattr open read map };
#line 788
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_virtualization_framework_native_prop:property_service set;
allow system_server device_config_virtualization_framework_native_prop:file { getattr open read map };
#line 789
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_memory_safety_native_boot_prop:property_service set;
allow system_server device_config_memory_safety_native_boot_prop:file { getattr open read map };
#line 790
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_memory_safety_native_prop:property_service set;
allow system_server device_config_memory_safety_native_prop:file { getattr open read map };
#line 791
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_remote_key_provisioning_native_prop:property_service set;
allow system_server device_config_remote_key_provisioning_native_prop:file { getattr open read map };
#line 792
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server device_config_tethering_u_or_later_native_prop:property_service set;
allow system_server device_config_tethering_u_or_later_native_prop:file { getattr open read map };
#line 793
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server smart_idle_maint_enabled_prop:property_service set;
allow system_server smart_idle_maint_enabled_prop:file { getattr open read map };
#line 794
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server arm64_memtag_prop:property_service set;
allow system_server arm64_memtag_prop:file { getattr open read map };

# staged flag properties
#line 797
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server next_boot_prop:property_service set;
allow system_server next_boot_prop:file { getattr open read map };

# Allow query ART device config properties
# Note: these two read rules are already implied by the read half of the
# set_prop() groups at source lines 769 and 770 above; redundant but harmless.
#line 800
allow system_server device_config_runtime_native_boot_prop:file { getattr open read map };
#line 801
allow system_server device_config_runtime_native_prop:file { getattr open read map };

# Read-only property access (getattr/open/read/map, no property_service set).
# BootReceiver to read ro.boot.bootreason
#line 804
allow system_server bootloader_boot_reason_prop:file { getattr open read map };

# PowerManager to read sys.boot.reason
#line 806
allow system_server system_boot_reason_prop:file { getattr open read map };

# Collect metrics on boot time created by init
#line 809
allow system_server boottime_prop:file { getattr open read map };

# Read device's serial number from system properties
#line 812
allow system_server serialno_prop:file { getattr open read map };

# Read/write the property which keeps track of whether this is the first start of system_server
#line 815
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server firstboot_prop:property_service set;
allow system_server firstboot_prop:file { getattr open read map };

# Audio service in system server can read audio config properties,
# such as camera shutter enforcement
# Read-only property access unless a set_prop()-shaped group (socket write +
# init connectto + property_service set) says otherwise. `#line N` markers
# name the originating system_server.te line.
#line 819
allow system_server audio_config_prop:file { getattr open read map };

# StorageManager service reads media config while checking if transcoding is supported.
#line 822
allow system_server media_config_prop:file { getattr open read map };

# system server reads this property to keep track of whether server configurable flags have been
# reset during current boot.
#line 826
allow system_server device_config_reset_performed_prop:file { getattr open read map };

# Read/write the property that enables Test Harness Mode
# Review note: this is a `set` grant on a device-wide test toggle; whether the
# property is additionally guarded (e.g. persist/ro handling in init) is not
# visible in this span.
#line 829
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server test_harness_prop:property_service set;
allow system_server test_harness_prop:file { getattr open read map };

# Read gsid.image_running.
#line 832
allow system_server gsid_prop:file { getattr open read map };

# Read the property that mocks an OTA
#line 835
allow system_server mock_ota_prop:file { getattr open read map };

# Read the property as feature flag for protecting apks with fs-verity.
#line 838
allow system_server apk_verity_prop:file { getattr open read map };

# Read wifi.interface
#line 841
allow system_server wifi_prop:file { getattr open read map };

# Read the vendor property that indicates if Incremental features is enabled
#line 844
allow system_server incremental_prop:file { getattr open read map };

# Read ro.zram. properties
#line 847
allow system_server zram_config_prop:file { getattr open read map };

# Read/write persist.sys.zram_enabled
#line 850
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server zram_control_prop:property_service set;
allow system_server zram_control_prop:file { getattr open read map };

# Read/write persist.sys.dalvik.vm.lib.2
#line 853
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server dalvik_runtime_prop:property_service set;
allow system_server dalvik_runtime_prop:file { getattr open read map };

# Read ro.control_privapp_permissions and ro.cp_system_other_odex
#line 856
allow system_server packagemanager_config_prop:file { getattr open read map };

# Read the net.464xlat.cellular.enabled property (written by init).
#line 859
allow system_server net_464xlat_fromvendor_prop:file { getattr open read map };

# Read hypervisor capabilities ro.boot.hypervisor.*
#line 862
allow system_server hypervisor_prop:file { getattr open read map };

# Read persist.wm.debug. properties
#line 865
allow system_server persist_wm_debug_prop:file { getattr open read map };

# Read persist.sysui.notification.builder_extras_override property
#line 868
allow system_server persist_sysui_builder_extras_prop:file { getattr open read map };

# Read persist.sysui.notification.ranking_update_ashmem property
#line 870
allow system_server persist_sysui_ranking_update_prop:file { getattr open read map };

# Read ro.tuner.lazyhal
#line 873
allow system_server tuner_config_prop:file { getattr open read map };

# Write tuner.server.enable
#line 875
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server tuner_server_ctl_prop:property_service set;
allow system_server tuner_server_ctl_prop:file { getattr open read map };

# Allow the heap dump ART plugin to read the count of sessions waiting for OOME
#line 878
allow system_server traced_oome_heap_session_count_prop:file { getattr open read map };

# Allow the sensor service (running in the system service) to read sensor
# configuration properties
#line 882
allow system_server sensors_config_prop:file { getattr open read map };

# Create a socket for connections from debuggerd.
# Expanded create_file_perms on the socket file: system_server owns the
# listening socket node (create/rename/setattr/unlink plus read/write). The
# peer's connect-side rules live in the peer's own domain, outside this span.
allow system_server system_ndebug_socket:sock_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };

# Create a socket for connections from zygotes.
allow system_server system_unsolzygote_socket:sock_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };

# Manage cache files.
# /cache management. Note the `relabelfrom` on cache_file/cache_recovery_file
# dirs and files: system_server may move objects *out of* these labels; the
# matching `relabelto` on the destination type is not in this span.
allow system_server cache_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
allow system_server { cache_file cache_recovery_file }:dir { relabelfrom { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } };
allow system_server { cache_file cache_recovery_file }:file { relabelfrom { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } };
allow system_server { cache_file cache_recovery_file }:fifo_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };

# Read-only traversal of /system directories and symlinks.
allow system_server system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow system_server system_file:lnk_file { getattr open read ioctl lock map watch watch_reads };

# ART locks profile files.
# Only `lock` on system_file:file here; the read/execute grants for system
# files come from elsewhere in the policy.
allow system_server system_file:file lock;

# LocationManager(e.g, GPS) needs to read and write
# to uart driver and ctrl proc entry
allow system_server gps_control:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };

# Allow system_server to use app-created sockets and pipes.
# Review note: the TCP/UDP grant is getattr/getopt/setopt/read/write/shutdown
# only — no create/bind/connect/listen/accept — so system_server can operate
# on app sockets handed to it over binder/fd passing but cannot originate
# app-labelled sockets. `setopt` does let it change socket options on them.
allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };

# BackupManagerService needs to manipulate backup data files
allow system_server cache_backup_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow system_server cache_backup_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };

# LocalTransport works inside /cache/backup
allow system_server cache_private_backup_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server cache_private_backup_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };

# Allow system to talk to usb device
allow system_server usb_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow system_server usb_device:dir { open getattr read search ioctl lock watch watch_reads };

# Read and delete files under /dev/fscklogs.
# Review note: the rules below grant directory write/add_name/remove_name and
# file `rename`, but no `unlink` on fscklogs:file, so "delete" here means
# rename-away unless unlink is granted elsewhere in the policy.
#line 922
allow system_server fscklogs:dir { open getattr read search ioctl lock watch watch_reads };
allow system_server fscklogs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
allow system_server fscklogs:dir { write remove_name add_name };
allow system_server fscklogs:file rename;

# logd access, system_server inherit logd write socket
# (urge is to deprecate this long term)
allow system_server zygote:unix_dgram_socket write;

# Read from log daemon.
# logcat is run in system_server's own domain (`execute_no_trans`, no domain
# transition), and system_server connects directly to logd's reader socket.
#line 931
allow system_server logcat_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow system_server logdr_socket:sock_file write;
allow system_server logd:unix_stream_socket connectto;
#line 932
allow system_server runtime_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads };

# Be consistent with DAC permissions. Allow system_server to write to
# /sys/module/lowmemorykiller/parameters/adj
# /sys/module/lowmemorykiller/parameters/minfree
allow system_server sysfs_lowmemorykiller:file { getattr { open append write lock map } };

# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
allow system_server pstorefs:dir { open getattr read search ioctl lock watch watch_reads };
allow system_server pstorefs:file { getattr open read ioctl lock map watch watch_reads };

# /sys access
allow system_server sysfs_zram:dir search;
allow system_server sysfs_zram:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };

# Read /sys/fs/selinux/policy
# Read-only: `read_policy` lets system_server read the loaded binary policy;
# no load_policy/setenforce/setbool is granted here.
allow system_server kernel:security read_policy;

# add_service(system_server, system_server_service) expansion: system_server
# registers and looks up its own binder services, and the neverallow pins
# registration to system_server alone for every other domain.
#line 952
allow system_server system_server_service:service_manager { add find };
neverallow { domain -system_server } system_server_service:service_manager add;
# On debug builds with root, allow binder services to use binder over TCP.
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# (The userdebug/eng-only rule this comment refers to is empty in this build's
# expansion.)
#line 952
# (bare `;` below is left over from the macro expansion)
;

# Binder services system_server may look up (`find` only — registration of
# these belongs to their owning domains).
allow system_server artd_service:service_manager find;
allow system_server artd_pre_reboot_service:service_manager find;
allow system_server audioserver_service:service_manager find;
allow system_server authorization_service:service_manager find;
allow system_server batteryproperties_service:service_manager find;
allow system_server cameraserver_service:service_manager find;
allow system_server compos_service:service_manager find;
allow system_server dataloader_manager_service:service_manager find;
allow system_server dexopt_chroot_setup_service:service_manager find;
allow system_server dnsresolver_service:service_manager find;
allow system_server drmserver_service:service_manager find;
allow system_server dumpstate_service:service_manager find;
allow system_server fingerprintd_service:service_manager find;
allow system_server gatekeeper_service:service_manager find;
allow system_server gpu_service:service_manager find;
allow system_server gsi_service:service_manager find;
allow system_server idmap_service:service_manager find;
allow system_server incident_service:service_manager find;
allow system_server incremental_service:service_manager find;
allow system_server installd_service:service_manager find;
allow system_server keystore_maintenance_service:service_manager find;
allow system_server keystore_metrics_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server mdns_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
allow system_server mediaextractor_service:service_manager find;
allow system_server mediadrmserver_service:service_manager find;
allow system_server mediatuner_service:service_manager find;
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server ot_daemon_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server stats_service:service_manager find;
allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
allow system_server update_engine_service:service_manager find;
allow system_server virtual_camera_service:service_manager find;
#line 993
allow system_server vold_service:service_manager find;
allow system_server wifinl80211_service:service_manager find;
allow system_server logd_service:service_manager find;

# add_service(system_server, batteryproperties_service) expansion. The
# `find` half duplicates the plain find rule above (harmless); the
# neverallow makes system_server the only domain that may register it.
#line 1001
allow system_server batteryproperties_service:service_manager { add find };
neverallow { domain -system_server } batteryproperties_service:service_manager add;
# On debug builds with root, allow binder services to use binder over TCP.
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.

# Keystore2 maintenance operations (lock/unlock, auth-token injection,
# password/user changes, per-uid/per-namespace clearing, full reset). These
# are the privileged lifecycle calls LockSettings/UserManager-style code
# needs; they are not available to ordinary apps.
allow system_server keystore:keystore2 { add_auth change_password change_user clear_ns clear_uid get_last_auth_time lock pull_metrics reset unlock };
# Review note: `use_dev_id` is keystore2's permission to include device
# identifiers (IMEI/serial etc.) in attestations, and `grant` lets
# system_server hand key access to other uids — both are high-value.
allow system_server keystore:keystore2_key { delete use_dev_id grant get_info rebind update use };

# Allow Wifi module to manage Wi-Fi keys.
allow system_server wifi_key:keystore2_key { delete get_info rebind update use };

# Allow lock_settings service to manage RoR keys.
allow system_server resume_on_reboot_key:keystore2_key { delete get_info rebind update use };

# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key).
allow system_server locksettings_key:keystore2_key { delete get_info rebind update use };

# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
# FRP partition: read/write on the block device node, with ioctls filtered to
# two commands. 0x1277 and 0x127d look like BLKDISCARD and BLKSECDISCARD from
# <linux/fs.h> (used to wipe the partition) — confirm against the headers.
allow system_server block_device:dir search;
allow system_server frp_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allowxperm system_server frp_block_device:blk_file ioctl { 0x0000127d 0x00001277 };

# Create new process groups and clean up old cgroups
# Full create/remove on cgroup directories (v1 and v2); cgroup:file is only
# setattr here, cgroup_v2:file additionally read.
allow system_server cgroup:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server cgroup:file setattr;
allow system_server cgroup_v2:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server cgroup_v2:file { { getattr open read ioctl lock map watch watch_reads } setattr };

# /oem access
#line 1067
allow system_server oemfs:dir { open getattr read search ioctl lock watch watch_reads };
allow system_server oemfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };

# Allow resolving per-user storage symlinks
allow system_server { mnt_user_file storage_file }:dir { getattr search };
allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };

# Allow statfs() on storage devices, which happens fast enough that
# we shouldn't be killed during unsafe removal
allow system_server { sdcard_type fuse }:dir { getattr search };

# Traverse into expanded storage
allow system_server mnt_expand_file:dir { open getattr read search ioctl lock watch watch_reads };

# Allow system process to relabel the fingerprint directory after mkdir
# and delete the directory and files when no longer needed
# `relabelto` on the dir pairs with a relabelfrom on the original label that
# is outside this span; files get only getattr/unlink (no read/write).
allow system_server fingerprintd_data_file:dir { { open getattr read search ioctl lock watch watch_reads } remove_name rmdir relabelto write };
allow system_server fingerprintd_data_file:file { getattr unlink };

#line 1100
# For AppFuse.
# No `open` on fuse_device/app_fuse_file: system_server operates on
# descriptors received from vold (`vold:fd use`) rather than opening the
# device or files itself.
allow system_server vold:fd use;
allow system_server fuse_device:chr_file { read write ioctl getattr };
allow system_server app_fuse_file:file { read write getattr };

# For configuring sdcardfs
allow system_server configfs:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } };
allow system_server configfs:file { getattr open create unlink write };

# Connect to adbd and use a socket transferred from it.
# Used for e.g. jdwp.
allow system_server adbd:unix_stream_socket connectto;
allow system_server adbd:fd use;
allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };

# Read service.adb.tls.port, persist.adb.wifi. properties
#line 1118
allow system_server adbd_prop:file { getattr open read map };

# Set persist.adb.tls_server.enable property
#line 1121
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server system_adbd_prop:property_service set;
allow system_server system_adbd_prop:file { getattr open read map };

# Allow invoking tools like "timeout"
# `execute_no_trans`: toolbox binaries run in the system_server domain itself.
allow system_server toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };

# Allow system process to setup fs-verity
# allowxperm only narrows the ioctl command set; the base `ioctl` permission
# on these file types must be granted by an allow rule elsewhere (not in this
# span) for these to have effect. 0x6685/0x6686 match FS_IOC_ENABLE_VERITY /
# FS_IOC_MEASURE_VERITY; 0x40086602 looks like FS_IOC_SETFLAGS — confirm.
allowxperm system_server { apk_data_file apk_tmp_file system_data_file apex_system_server_data_file }:file ioctl 0x6685;

# Allow system process to measure fs-verity for apps, including those being installed
allowxperm system_server { apk_data_file apk_tmp_file }:file ioctl 0x6686;
allowxperm system_server apk_tmp_file:file ioctl 0x40086602;

# Postinstall
#
# For OTA dexopt, allow calls coming from postinstall.
#line 1136
# Call the server domain and optionally transfer references to it.
#line 1136 allow system_server postinstall:binder { call transfer }; #line 1136 # Allow the serverdomain to transfer references to the client on the reply. #line 1136 allow postinstall system_server:binder transfer; #line 1136 # Receive and use open files from the server. #line 1136 allow system_server postinstall:fd use; #line 1136 allow system_server postinstall:fifo_file write; allow system_server update_engine:fd use; allow system_server update_engine:fifo_file write; # Access to /data/preloads allow system_server preloads_data_file:file { { getattr open read ioctl lock map watch watch_reads } unlink }; allow system_server preloads_data_file:dir { { open getattr read search ioctl lock watch watch_reads } write remove_name rmdir }; allow system_server preloads_media_file:file { { getattr open read ioctl lock map watch watch_reads } unlink }; allow system_server preloads_media_file:dir { { open getattr read search ioctl lock watch watch_reads } write remove_name rmdir }; #line 1148 allow system_server cgroup:dir { open getattr read search ioctl lock watch watch_reads }; #line 1148 allow system_server cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 1148 #line 1149 allow system_server cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads }; #line 1149 allow system_server cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 1149 allow system_server ion_device:chr_file { getattr open read ioctl lock map watch watch_reads }; # Access to /dev/dma_heap/system allow system_server dmabuf_system_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads }; # Access to /dev/dma_heap/system-secure allow system_server dmabuf_system_secure_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads }; #line 1157 allow system_server proc_asound:dir { open getattr read search ioctl lock watch watch_reads }; #line 1157 allow system_server proc_asound:{ file 
lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 1157 #line 1158 allow system_server proc_net_type:dir { open getattr read search ioctl lock watch watch_reads }; #line 1158 allow system_server proc_net_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 1158 #line 1159 allow system_server proc_qtaguid_stat:dir { open getattr read search ioctl lock watch watch_reads }; #line 1159 allow system_server proc_qtaguid_stat:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 1159 allow system_server { proc_cmdline proc_loadavg proc_locks proc_meminfo proc_pagetypeinfo proc_pipe_conf proc_stat proc_uid_cputime_showstat proc_uid_io_stats proc_uid_time_in_state proc_uid_concurrent_active_time proc_uid_concurrent_policy_time proc_version proc_vmallocinfo }:file { getattr open read ioctl lock map watch watch_reads }; allow system_server proc_uid_time_in_state:dir { open getattr read search ioctl lock watch watch_reads }; allow system_server proc_uid_cpupower:file { getattr open read ioctl lock map watch watch_reads }; #line 1180 allow system_server rootfs:dir { open getattr read search ioctl lock watch watch_reads }; #line 1180 allow system_server rootfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 1180 # Allow WifiService to start, stop, and read wifi-specific trace events. allow system_server debugfs_tracing_instances:dir search; allow system_server debugfs_wifi_tracing:dir search; allow system_server debugfs_wifi_tracing:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # Allow BootReceiver to watch trace error_report events. allow system_server debugfs_bootreceiver_tracing:dir search; allow system_server debugfs_bootreceiver_tracing:file { getattr open read ioctl lock map watch watch_reads }; # Allow system_server to read tracepoint ids in order to attach BPF programs to them. 
allow system_server debugfs_tracing:file { getattr open read ioctl lock map watch watch_reads }; # allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run # asanwrapper. #line 1200 # allow system_server to read the eBPF maps that stores the traffic stats information and update # the map after snapshot is recorded, and to read, update and run the maps and programs used for # time in state accounting allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search; allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read write }; allow system_server bpfloader:bpf { map_read map_write prog_run }; # in order to invoke side effect of close() on such a socket calling synchronize_rcu() allow system_server self:key_socket create; # Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100 # calls if (fd.isSocket$()) if (isLingerSocket(fd)) ... dontaudit system_server self:key_socket getopt; # Allow system_server to start clatd in its own domain and kill it. #line 1215 # Allow the necessary permissions. #line 1215 #line 1215 # Old domain may exec the file and transition to the new domain. #line 1215 allow system_server clatd_exec:file { getattr open read execute map }; #line 1215 allow system_server clatd:process transition; #line 1215 # New domain is entered by executing the file. #line 1215 allow clatd clatd_exec:file { entrypoint open read execute getattr map }; #line 1215 # New domain can send SIGCHLD to its caller. #line 1215 allow clatd system_server:process sigchld; #line 1215 # Enable AT_SECURE, i.e. libc secure mode. #line 1215 dontaudit system_server clatd:process noatsecure; #line 1215 # XXX dontaudit candidate but requires further study. #line 1215 allow system_server clatd:process { siginh rlimitinh }; #line 1215 #line 1215 # Make the transition occur by default. 
#line 1215 type_transition system_server clatd_exec:process clatd; #line 1215 allow system_server clatd:process { sigkill signal }; # ART Profiles. # Allow system_server to open profile snapshots for read. # System server never reads the actual content. It passes the descriptor to # to privileged apps which acquire the permissions to inspect the profiles. allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search }; allow system_server user_profile_data_file:file { getattr open read }; # System server may dump profile data for debuggable apps in the /data/misc/profman. # As such it needs to be able create files but it should never read from them. # It also needs to stat the directory to check if it has the right permissions. allow system_server profman_dump_data_file:file { create getattr setattr { open append write lock map }}; allow system_server profman_dump_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; # On userdebug build we may profile system server. Allow it to write and create its own profile. #line 1235 # Allow system server to load JVMTI agents under control of a property. #line 1237 allow system_server system_jvmti_agent_prop:file { getattr open read map }; #line 1237 # UsbDeviceManager uses /dev/usb-ffs allow system_server functionfs:dir search; allow system_server functionfs:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # system_server contains time / time zone detection logic so reads the associated properties. #line 1244 allow system_server time_prop:file { getattr open read map }; #line 1244 # system_server reads this property to know it should expect the lmkd sends notification to it # on low memory kills. 
#line 1248 allow system_server system_lmk_prop:file { getattr open read map }; #line 1248 #line 1250 allow system_server wifi_config_prop:file { getattr open read map }; #line 1250 # Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO allowxperm system_server binder_device:chr_file ioctl { 0x400c620e 0xc00c620f }; # Watchdog prints debugging log to /dev/kmsg_debug. #line 1258 # Watchdog reads sysprops framework_watchdog.fatal_* to handle watchdog timeout loop. #line 1260 allow system_server framework_watchdog_config_prop:file { getattr open read map }; #line 1260 # Font files are written by system server allow system_server font_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow system_server font_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; # Allow system process to setup and measure fs-verity for font files allowxperm system_server font_data_file:file ioctl { 0x6685 0x6686 }; # Read qemu.hw.mainkeys property #line 1270 allow system_server qemu_hw_prop:file { getattr open read map }; #line 1270 # Allow system server to read profcollectd reports for upload. ### ### Neverallow rules ### ### system_server should NEVER do any of this # Do not allow opening files from external storage as unsafe ejection # could cause the kernel to kill the system_server. neverallow system_server { sdcard_type fuse }:dir { open read write }; neverallow system_server { sdcard_type fuse }:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # system server should never be operating on zygote spawned app data # files directly. Rather, they should always be passed via a # file descriptor. # Exclude those types that system_server needs to open directly. 
neverallow system_server { app_data_file_type -system_app_data_file -radio_data_file }:file { open create unlink link }; # Forking and execing is inherently dangerous and racy. See, for # example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them # Prevent the addition of new file execs to stop the problem from # getting worse. b/28035297 neverallow system_server { file_type -toolbox_exec -logcat_exec }:file execute_no_trans; # Ensure that system_server doesn't perform any domain transitions other than # transitioning to the crash_dump domain when a crash occurs or fork clatd. neverallow system_server { domain -clatd -crash_dump -perfetto }:process transition; neverallow system_server *:process dyntransition; # Ensure that system_server doesn't access anything but search in perfetto_traces_data_file:dir. neverallow system_server perfetto_traces_data_file:dir ~search; # Only allow crash_dump to connect to system_ndebug_socket. neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write }; # Only allow zygotes to connect to system_unsolzygote_socket. 
neverallow { domain -init -system_server -zygote -app_zygote -webview_zygote } system_unsolzygote_socket:sock_file { open write }; # Only allow init, system_server, flags_health_check to set properties for server configurable flags neverallow { domain -init -system_server -flags_health_check } { device_config_core_experiments_team_internal_prop device_config_activity_manager_native_boot_prop device_config_connectivity_prop device_config_input_native_boot_prop device_config_lmkd_native_prop device_config_netd_native_prop device_config_nnapi_native_prop device_config_edgetpu_native_prop device_config_runtime_native_boot_prop device_config_runtime_native_prop device_config_media_native_prop device_config_mglru_native_prop device_config_remote_key_provisioning_native_prop device_config_storage_native_boot_prop device_config_surface_flinger_native_boot_prop device_config_sys_traced_prop device_config_swcodec_native_prop device_config_aconfig_flags_prop device_config_window_manager_native_boot_prop device_config_tethering_u_or_later_native_prop next_boot_prop }:property_service set; # Only allow system_server and init to set tuner_server_ctl_prop neverallow { domain -system_server -init } tuner_server_ctl_prop:property_service set; # system_server should never be executing dex2oat. This is either # a bug (for example, bug 16317188), or represents an attempt by # system server to dynamically load a dex file, something we do not # want to allow. neverallow system_server dex2oat_exec:file { execute execute_no_trans }; # system_server should never execute or load executable shared libraries # in /data. Executable files in /data are a persistence vector. # https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example. neverallow system_server data_file_type:file { execute execute_no_trans }; # The only block device system_server should be writing to is # the frp_block_device. This helps avoid a system_server to root # escalation by writing to raw block devices. 
# The system_server may need to read from vd_device if it uses # block apexes. neverallow system_server { dev_type -frp_block_device }:blk_file { append create link unlink relabelfrom rename setattr write }; neverallow system_server { dev_type -frp_block_device -vd_device }:blk_file { getattr open read ioctl lock map watch watch_reads }; # system_server should never use JIT functionality # See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html # in the section titled "A Short ROP Chain" for why. # However, in emulator builds without OpenGL passthrough, we use software # rendering via SwiftShader, which requires JIT support. These builds are # never shipped to users. neverallow system_server self:process execmem; #line 1392 neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute; # TODO: deal with tmpfs_domain pub/priv split properly neverallow system_server system_server_tmpfs:file execute; # Resources handed off by system_server_startup allow system_server system_server_startup:fd use; allow system_server system_server_startup_tmpfs:file { read write map }; allow system_server system_server_startup:unix_dgram_socket write; # Allow system server to communicate to apexd allow system_server apex_service:service_manager find; allow system_server apexd:binder call; # Allow system server to scan /apex for flattened APEXes allow system_server apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads }; # Allow system server to read /apex/apex-info-list.xml allow system_server apex_info_file:file { getattr open read ioctl lock map watch watch_reads }; # Allow system server to communicate to system-suspend's control interface allow system_server system_suspend_control_internal_service:service_manager find; allow system_server system_suspend_control_service:service_manager find; #line 1415 # Call the server domain and optionally transfer references to it. 
#line 1415 allow system_server system_suspend:binder { call transfer }; #line 1415 # Allow the serverdomain to transfer references to the client on the reply. #line 1415 allow system_suspend system_server:binder transfer; #line 1415 # Receive and use open files from the server. #line 1415 allow system_server system_suspend:fd use; #line 1415 #line 1416 # Call the server domain and optionally transfer references to it. #line 1416 allow system_suspend system_server:binder { call transfer }; #line 1416 # Allow the serverdomain to transfer references to the client on the reply. #line 1416 allow system_server system_suspend:binder transfer; #line 1416 # Receive and use open files from the server. #line 1416 allow system_suspend system_server:fd use; #line 1416 # Allow system server to communicate to system-suspend's wakelock interface #line 1419 # TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is #line 1419 # deprecated. #line 1419 # Access /sys/power/wake_lock and /sys/power/wake_unlock #line 1419 allow system_server sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; #line 1419 # Accessing these files requires CAP_BLOCK_SUSPEND #line 1419 allow system_server self:{ capability2 cap2_userns } block_suspend; #line 1419 # system_suspend permissions #line 1419 #line 1419 # Call the server domain and optionally transfer references to it. #line 1419 allow system_server system_suspend_server:binder { call transfer }; #line 1419 # Allow the serverdomain to transfer references to the client on the reply. #line 1419 allow system_suspend_server system_server:binder transfer; #line 1419 # Receive and use open files from the server. 
#line 1419 allow system_server system_suspend_server:fd use; #line 1419 #line 1419 allow system_server system_suspend_hwservice:hwservice_manager find; #line 1419 # halclientdomain permissions #line 1419 #line 1419 # Call the hwservicemanager and transfer references to it. #line 1419 allow system_server hwservicemanager:binder { call transfer }; #line 1419 # Allow hwservicemanager to send out callbacks #line 1419 allow hwservicemanager system_server:binder { call transfer }; #line 1419 # hwservicemanager performs getpidcon on clients. #line 1419 allow hwservicemanager system_server:dir search; #line 1419 allow hwservicemanager system_server:file { read open map }; #line 1419 allow hwservicemanager system_server:process getattr; #line 1419 # rw access to /dev/hwbinder and /dev/ashmem is presently granted to #line 1419 # all domains in domain.te. #line 1419 #line 1419 #line 1419 allow system_server hwservicemanager_prop:file { getattr open read map }; #line 1419 #line 1419 allow system_server hidl_manager_hwservice:hwservice_manager find; #line 1419 # AIDL suspend hal permissions #line 1419 allow system_server hal_system_suspend_service:service_manager find; #line 1419 #line 1419 # Call the servicemanager and transfer references to it. #line 1419 allow system_server servicemanager:binder { call transfer }; #line 1419 # Allow servicemanager to send out callbacks #line 1419 allow servicemanager system_server:binder { call transfer }; #line 1419 # servicemanager performs getpidcon on clients. #line 1419 allow servicemanager system_server:dir search; #line 1419 allow servicemanager system_server:file { read open }; #line 1419 allow servicemanager system_server:process getattr; #line 1419 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 1419 # all domains in domain.te. #line 1419 #line 1419 # Allow the system server to read files under /data/apex. The system_server # needs these privileges to compare file signatures while processing installs. 
# # Only apexd is allowed to create new entries or write to any file under /data/apex. allow system_server apex_data_file:dir { getattr search }; allow system_server apex_data_file:file { getattr open read ioctl lock map watch watch_reads }; # Allow the system server to read files under /vendor/apex. This is where # vendor APEX packages might be installed and system_server needs to parse # these packages to inspect the signatures and other metadata. allow system_server vendor_apex_file:dir { getattr search }; allow system_server vendor_apex_file:file { getattr open read ioctl lock map watch watch_reads }; # Allow the system server to manage relevant apex module data files. allow system_server apex_module_data_file:dir { getattr search }; # These are modules where the code runs in system_server, so we need full access. allow system_server apex_system_server_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server apex_system_server_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow system_server apex_tethering_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server apex_tethering_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Legacy labels that we still need to support (b/217581286) allow system_server { apex_appsearch_data_file apex_permission_data_file apex_scheduling_data_file apex_wifi_data_file }:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server { apex_appsearch_data_file apex_permission_data_file 
apex_scheduling_data_file apex_wifi_data_file }:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can # communicate which slots are available for use. allow system_server metadata_file:dir search; allow system_server password_slot_metadata_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; allow system_server password_slot_metadata_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow system_server userspace_reboot_metadata_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server userspace_reboot_metadata_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Allow system server rw access to files in /metadata/staged-install folder allow system_server staged_install_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; allow system_server staged_install_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow system_server watchdog_metadata_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; allow system_server watchdog_metadata_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow system_server aconfig_storage_flags_metadata_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; 
allow system_server aconfig_storage_flags_metadata_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow system_server repair_mode_metadata_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; allow system_server repair_mode_metadata_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow system_server gsi_persistent_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; allow system_server gsi_persistent_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Allow system server read and remove files under /data/misc/odrefresh allow system_server odrefresh_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; allow system_server odrefresh_data_file:file { { getattr open read ioctl lock map watch watch_reads } unlink }; # Allow system server r access to /system/bin/surfaceflinger for PinnerService. allow system_server surfaceflinger_exec:file { getattr open read ioctl lock map watch watch_reads }; # Allow init to set sysprop used to compute stats about userspace reboot. #line 1488 #line 1488 allow system_server property_socket:sock_file write; #line 1488 allow system_server init:unix_stream_socket connectto; #line 1488 #line 1488 allow system_server userspace_reboot_log_prop:property_service set; #line 1488 #line 1488 allow system_server userspace_reboot_log_prop:file { getattr open read map }; #line 1488 #line 1488 # JVMTI agent settings are only readable from the system server. 
neverallow { domain -system_server -dumpstate -init -vendor_init } { system_jvmti_agent_prop }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; # Read/Write /proc/pressure/memory allow system_server proc_pressure_mem:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # Read /proc/pressure/cpu and /proc/pressure/io allow system_server { proc_pressure_cpu proc_pressure_io }:file { getattr open read ioctl lock map watch watch_reads }; # dexoptanalyzer is currently used only for secondary dex files which # system_server should never access. neverallow system_server dexoptanalyzer_exec:file { execute execute_no_trans }; # No ptracing others neverallow system_server { domain -system_server }:process ptrace; # CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID # file read access. However, that is now unnecessary (b/34951864) neverallow system_server system_server:{ capability cap_userns } sys_resource; # Only system_server/init should access /metadata/password_slots. neverallow { domain -init -system_server } password_slot_metadata_file:dir *; neverallow { domain -init -system_server } password_slot_metadata_file:{ file lnk_file sock_file fifo_file } ~{ relabelto getattr }; neverallow { domain -init -system_server } password_slot_metadata_file:{ file lnk_file sock_file fifo_file } *; # Only system_server/init should access /metadata/userspacereboot. 
neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *; neverallow { domain -init -system_server } userspace_reboot_metadata_file:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; # Only system server should access /metadata/aconfig neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:dir *; neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; # Allow systemserver to read/write the invalidation property #line 1535 #line 1535 allow system_server property_socket:sock_file write; #line 1535 allow system_server init:unix_stream_socket connectto; #line 1535 #line 1535 allow system_server binder_cache_system_server_prop:property_service set; #line 1535 #line 1535 allow system_server binder_cache_system_server_prop:file { getattr open read map }; #line 1535 #line 1535 neverallow { domain -system_server -init } binder_cache_system_server_prop:property_service set; # Allow system server to attach BPF programs to tracepoints. Deny read permission so that # system_server cannot use this access to read perf event data like process stacks. 
allow system_server self:perf_event { open write cpu kernel }; neverallow system_server self:perf_event ~{ open write cpu kernel }; # Allow writing files under /data/system/shutdown-checkpoints/ allow system_server shutdown_checkpoints_system_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow system_server shutdown_checkpoints_system_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Do not allow any domain other than init or system server to set the property neverallow { domain -init -system_server } socket_hook_prop:property_service set; neverallow { domain -init -system_server } boot_status_prop:property_service set; neverallow { domain -init -vendor_init -dumpstate -system_server } wifi_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; # Only allow system server to write uhid sysfs files neverallow { domain -init -system_server -ueventd -vendor_init } sysfs_uhid:file { append create link unlink relabelfrom rename setattr write }; # BINDER_FREEZE is used to block ipc transactions to frozen processes, so it # can be accessed by system_server only (b/143717177) # BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder # interface neverallowxperm { domain -system_server } binder_device:chr_file ioctl { 0x400c620e 0xc00c620f }; # Only system server can write the font files. 
neverallow { domain -init -system_server } font_data_file:file { append create link unlink relabelfrom rename setattr write }; neverallow { domain -init -system_server } font_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write }; # Allow reading /system/etc/font_fallback.xml allow system_server system_font_fallback_file:file { getattr open read ioctl lock map watch watch_reads }; # Allow system server to set dynamic ART properties. #line 1584 #line 1584 allow system_server property_socket:sock_file write; #line 1584 allow system_server init:unix_stream_socket connectto; #line 1584 #line 1584 allow system_server dalvik_dynamic_config_prop:property_service set; #line 1584 #line 1584 allow system_server dalvik_dynamic_config_prop:file { getattr open read map }; #line 1584 #line 1584 # Allow system server to read binderfs allow system_server binderfs_logs:dir { open getattr read search ioctl lock watch watch_reads }; allow system_server binderfs_logs_stats:file { getattr open read ioctl lock map watch watch_reads }; # Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled #line 1591 #line 1591 allow system_server property_socket:sock_file write; #line 1591 allow system_server init:unix_stream_socket connectto; #line 1591 #line 1591 allow system_server game_manager_config_prop:property_service set; #line 1591 #line 1591 allow system_server game_manager_config_prop:file { getattr open read map }; #line 1591 #line 1591 # ThreadNetworkService reads Thread Network properties #line 1594 allow system_server threadnetwork_config_prop:file { getattr open read map }; #line 1594 # Do not allow any domain other than init and system server to set the property neverallow { domain -init -vendor_init -dumpstate -system_server } threadnetwork_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; # 
Allow system server to read pm.archiving.enabled prop # TODO(azilio): Remove system property after archiving testing is completed. #line 1607 allow system_server pm_archiving_enabled_prop:file { getattr open read map }; #line 1607 # Do not allow any domain other than init or system server to get or set the property neverallow { domain -init -system_server } crashrecovery_prop:property_service set; neverallow { domain -init -dumpstate -system_server } crashrecovery_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 1 "system/sepolicy/private/system_server_startup.te" type system_server_startup, domain, coredomain; type system_server_startup_tmpfs, file_type; #line 4 type_transition system_server_startup tmpfs:file system_server_startup_tmpfs; #line 4 allow system_server_startup system_server_startup_tmpfs:file { read write getattr map }; #line 4 # Create JIT memory allow system_server_startup self:process execmem; allow system_server_startup system_server_startup_tmpfs:file { execute read write open map }; # Allow to pick up integrity-checked artifacts from the ART APEX dalvik cache. allow system_server_startup apex_art_data_file:dir { open getattr read search ioctl lock watch watch_reads }; allow system_server_startup apex_art_data_file:file { { getattr open read ioctl lock map watch watch_reads } execute }; # Allow system_server_startup to run setcon() and enter the # system_server domain allow system_server_startup self:process setcurrent; allow system_server_startup system_server:process dyntransition; # Child of the zygote. 
allow system_server_startup zygote:process sigchld; # Allow query ART device config properties #line 23 allow system_server_startup device_config_runtime_native_boot_prop:file { getattr open read map }; #line 23 #line 24 allow system_server_startup device_config_runtime_native_prop:file { getattr open read map }; #line 24 #line 1 "system/sepolicy/private/system_suspend.te" type system_suspend, domain, coredomain, system_suspend_server, system_suspend_internal_server; type system_suspend_exec, system_file_type, exec_type, file_type; #line 4 #line 4 # Allow the necessary permissions. #line 4 #line 4 # Old domain may exec the file and transition to the new domain. #line 4 allow init system_suspend_exec:file { getattr open read execute map }; #line 4 allow init system_suspend:process transition; #line 4 # New domain is entered by executing the file. #line 4 allow system_suspend system_suspend_exec:file { entrypoint open read execute getattr map }; #line 4 # New domain can send SIGCHLD to its caller. #line 4 #line 4 # Enable AT_SECURE, i.e. libc secure mode. #line 4 dontaudit init system_suspend:process noatsecure; #line 4 # XXX dontaudit candidate but requires further study. #line 4 allow init system_suspend:process { siginh rlimitinh }; #line 4 #line 4 # Make the transition occur by default. #line 4 type_transition init system_suspend_exec:process system_suspend; #line 4 #line 4 # To serve ISuspendControlService. #line 7 # Call the servicemanager and transfer references to it. #line 7 allow system_suspend servicemanager:binder { call transfer }; #line 7 # Allow servicemanager to send out callbacks #line 7 allow servicemanager system_suspend:binder { call transfer }; #line 7 # servicemanager performs getpidcon on clients. 
#line 7 allow servicemanager system_suspend:dir search; #line 7 allow servicemanager system_suspend:file { read open }; #line 7 allow servicemanager system_suspend:process getattr; #line 7 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 7 # all domains in domain.te. #line 7 #line 8 allow system_suspend system_suspend_control_service:service_manager { add find }; #line 8 neverallow { domain -system_suspend } system_suspend_control_service:service_manager add; #line 8 #line 8 # On debug builds with root, allow binder services to use binder over TCP. #line 8 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 8 #line 8 #line 10 allow system_suspend hal_system_suspend_service:service_manager { add find }; #line 10 neverallow { domain -system_suspend } hal_system_suspend_service:service_manager add; #line 10 #line 10 # On debug builds with root, allow binder services to use binder over TCP. #line 10 # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions. #line 10 #line 10 # Access to /sys/power/{ wakeup_count, state } suspend interface. allow system_suspend sysfs_power:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # Access to wakeup, suspend stats, and wakeup reasons. 
#line 16 allow system_suspend sysfs_suspend_stats:dir { open getattr read search ioctl lock watch watch_reads }; #line 16 allow system_suspend sysfs_suspend_stats:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 16 #line 17 allow system_suspend sysfs_wakeup:dir { open getattr read search ioctl lock watch watch_reads }; #line 17 allow system_suspend sysfs_wakeup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 17 #line 18 allow system_suspend sysfs_wakeup_reasons:dir { open getattr read search ioctl lock watch watch_reads }; #line 18 allow system_suspend sysfs_wakeup_reasons:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 18 # To resolve arbitrary sysfs paths from /sys/class/wakeup/* symlinks. allow system_suspend sysfs_type:dir search; # Access to suspend_hal system properties #line 23 allow system_suspend suspend_prop:file { getattr open read map }; #line 23 # Access to system_suspend debug system properties #line 28 # To call BTAA registered callbacks allow system_suspend bluetooth:binder call; # For adding `dumpsys suspend_control` output to bugreport allow system_suspend dumpstate:fd use; allow system_suspend dumpstate:fifo_file write; # Allow init to take kernel wakelocks and system_suspend to # remove kernel wakelocks, plus the capability needed to access these # files allow init sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow init self:{ capability2 cap2_userns } block_suspend; allow system_suspend sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow system_suspend self:{ capability2 cap2_userns } block_suspend; # Allow init to set /sys/power/sync_on_suspend. 
allow init sysfs_sync_on_suspend:file { open append write lock map }; neverallow { domain -atrace # tracing -bluetooth # support Bluetooth activity attribution (BTAA) -dumpstate # bug reports -system_suspend # implements system_suspend_control_service -system_server # configures system_suspend via ISuspendControlService -traceur_app # tracing } system_suspend_control_service:service_manager find; #line 1 "system/sepolicy/private/tombstoned.te" typeattribute tombstoned coredomain; #line 3 #line 3 # Allow the necessary permissions. #line 3 #line 3 # Old domain may exec the file and transition to the new domain. #line 3 allow init tombstoned_exec:file { getattr open read execute map }; #line 3 allow init tombstoned:process transition; #line 3 # New domain is entered by executing the file. #line 3 allow tombstoned tombstoned_exec:file { entrypoint open read execute getattr map }; #line 3 # New domain can send SIGCHLD to its caller. #line 3 #line 3 # Enable AT_SECURE, i.e. libc secure mode. #line 3 dontaudit init tombstoned:process noatsecure; #line 3 # XXX dontaudit candidate but requires further study. #line 3 allow init tombstoned:process { siginh rlimitinh }; #line 3 #line 3 # Make the transition occur by default. #line 3 type_transition init tombstoned_exec:process tombstoned; #line 3 #line 3 #line 5 allow tombstoned tombstone_config_prop:file { getattr open read map }; #line 5 neverallow { domain -init -vendor_init -dumpstate -tombstoned } tombstone_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; #line 1 "system/sepolicy/private/toolbox.te" typeattribute toolbox coredomain; #line 3 #line 3 # Allow the necessary permissions. #line 3 #line 3 # Old domain may exec the file and transition to the new domain. 
#line 3 allow init toolbox_exec:file { getattr open read execute map }; #line 3 allow init toolbox:process transition; #line 3 # New domain is entered by executing the file. #line 3 allow toolbox toolbox_exec:file { entrypoint open read execute getattr map }; #line 3 # New domain can send SIGCHLD to its caller. #line 3 #line 3 # Enable AT_SECURE, i.e. libc secure mode. #line 3 dontaudit init toolbox:process noatsecure; #line 3 # XXX dontaudit candidate but requires further study. #line 3 allow init toolbox:process { siginh rlimitinh }; #line 3 #line 3 # Make the transition occur by default. #line 3 type_transition init toolbox_exec:process toolbox; #line 3 #line 3 # rm -rf in /data/misc/virtualizationservice allow toolbox virtualizationservice_data_file:dir { rmdir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }; allow toolbox virtualizationservice_data_file:file { getattr unlink }; # If we can't remove these directories we try to chmod them. That # doesn't work, but it doesn't matter as virtualizationservice itself # will delete them when it starts. See b/235338094#comment39 dontaudit toolbox virtualizationservice_data_file:dir setattr; #line 1 "system/sepolicy/private/traced.te" # Perfetto user-space tracing daemon (unprivileged) type traced_exec, system_file_type, exec_type, file_type; # Allow init to exec the daemon. #line 5 #line 5 # Allow the necessary permissions. #line 5 #line 5 # Old domain may exec the file and transition to the new domain. #line 5 allow init traced_exec:file { getattr open read execute map }; #line 5 allow init traced:process transition; #line 5 # New domain is entered by executing the file. #line 5 allow traced traced_exec:file { entrypoint open read execute getattr map }; #line 5 # New domain can send SIGCHLD to its caller. #line 5 #line 5 # Enable AT_SECURE, i.e. libc secure mode. 
#line 5 dontaudit init traced:process noatsecure; #line 5 # XXX dontaudit candidate but requires further study. #line 5 allow init traced:process { siginh rlimitinh }; #line 5 #line 5 # Make the transition occur by default. #line 5 type_transition init traced_exec:process traced; #line 5 #line 5 #line 6 type_transition traced tmpfs:file traced_tmpfs; #line 6 allow traced traced_tmpfs:file { read write getattr map }; #line 6 # Allow apps in other MLS contexts (for multi-user) to access # shared memory buffers created by traced. typeattribute traced_tmpfs mlstrustedobject; # Allow traced to start with a lower scheduling class and change # class according to what is defined in the config provided by # the privileged process that controls it. allow traced self:{ capability cap_userns } { sys_nice }; # Allow to pass a file descriptor for the output trace from "perfetto" (the # cmdline client) and other shell binaries to traced and let traced write # directly into that (rather than returning the trace contents over the socket). allow traced perfetto:fd use; allow traced shell:fd use; allow traced shell:fifo_file { read write }; # Allow the service to create new files within /data/misc/perfetto-traces. allow traced perfetto_traces_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; allow traced perfetto_traces_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }; # Allow traceur to pass open file descriptors to traced, so traced can directly # write into the output file without doing roundtrips over IPC. allow traced traceur_app:fd use; allow traced trace_data_file:file { read write }; # Allow perfetto to access the proxy service for notifying Traceur. allow traced tracingproxy_service:service_manager find; #line 35 # Call the servicemanager and transfer references to it. 
#line 35 allow traced servicemanager:binder { call transfer }; #line 35 # Allow servicemanager to send out callbacks #line 35 allow servicemanager traced:binder { call transfer }; #line 35 # servicemanager performs getpidcon on clients. #line 35 allow servicemanager traced:dir search; #line 35 allow servicemanager traced:file { read open }; #line 35 allow servicemanager traced:process getattr; #line 35 # rw access to /dev/binder and /dev/ashmem is presently granted to #line 35 # all domains in domain.te. #line 35 ; #line 36 # Call the server domain and optionally transfer references to it. #line 36 allow traced system_server:binder { call transfer }; #line 36 # Allow the serverdomain to transfer references to the client on the reply. #line 36 allow system_server traced:binder transfer; #line 36 # Receive and use open files from the server. #line 36 allow traced system_server:fd use; #line 36 ; # Allow traced to use shared memory supplied by producers. Typically, traced # (i.e. the tracing service) creates the shared memory used for data transfer # from the producer. This rule allows an alternative scheme, where the producer # creates the shared memory, that is then adopted by traced (after validating # that it is appropriately sealed). # This list has to replicate the tmpfs domains of all applicable domains that # have perfetto_producer() macro applied to them. # perfetto_tmpfs excluded as it should never need to use the producer-supplied # shared memory scheme. allow traced { appdomain_tmpfs heapprofd_tmpfs surfaceflinger_tmpfs traced_probes_tmpfs }:file { getattr map read write }; # Allow setting debug properties which guard initialization of the Perfetto SDK # in SurfaceFlinger and HWUI's copy of Skia. # Required for the android.sdk_sysprop_guard data source. # TODO(b/281329340): remove this when no longer needed. 
#line 59 #line 59 allow traced property_socket:sock_file write; #line 59 allow traced init:unix_stream_socket connectto; #line 59 #line 59 allow traced debug_prop:property_service set; #line 59 #line 59 allow traced debug_prop:file { getattr open read map }; #line 59 #line 59 # Allow traced to notify Traceur when a trace ends by setting the # sys.trace.trace_end_signal property. #line 62 #line 62 allow traced property_socket:sock_file write; #line 62 allow traced init:unix_stream_socket connectto; #line 62 #line 62 allow traced system_trace_prop:property_service set; #line 62 #line 62 allow traced system_trace_prop:file { getattr open read map }; #line 62 #line 62 # Allow to lazily start producers. #line 64 #line 64 allow traced property_socket:sock_file write; #line 64 allow traced init:unix_stream_socket connectto; #line 64 #line 64 allow traced traced_lazy_prop:property_service set; #line 64 #line 64 allow traced traced_lazy_prop:file { getattr open read map }; #line 64 #line 64 # Allow tracking the count of sessions intercepting Java OutOfMemoryError # If there are such tracing sessions and an OutOfMemoryError is thrown by ART, # the hprof plugin intercepts the error, lazily registers a data source to # traced and collects a heap dump. #line 69 #line 69 allow traced property_socket:sock_file write; #line 69 allow traced init:unix_stream_socket connectto; #line 69 #line 69 allow traced traced_oome_heap_session_count_prop:property_service set; #line 69 #line 69 allow traced traced_oome_heap_session_count_prop:file { getattr open read map }; #line 69 #line 69 # Allow traced to talk to statsd for logging metrics. #line 72 allow traced statsdw_socket:sock_file write; #line 72 allow traced statsd:unix_dgram_socket sendto; #line 72 ### ### Neverallow rules ### ### traced should NEVER do any of this # Disallow mapping executable memory (execstack and exec are already disallowed # globally in domain.te). neverallow traced self:process execmem; # Block device access. 
neverallow traced dev_type:blk_file { read write }; # ptrace any other process neverallow traced domain:process ptrace; # Disallows access to /data files, still allowing to write to file descriptors # passed through the socket. neverallow traced { data_file_type -perfetto_traces_data_file -system_data_file -system_data_root_file -media_userdir_file -system_userdir_file -vendor_userdir_file # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a # subsequent neverallow. Currently only getattr and search are allowed. -vendor_data_file }:dir *; neverallow traced { system_data_file }:dir ~{ getattr search }; neverallow traced { data_file_type -perfetto_traces_data_file -trace_data_file }:file ~write; # Only init is allowed to enter the traced domain via exec() neverallow { domain -init } traced:process transition; neverallow * traced:process dyntransition; # Limit the processes that can access tracingproxy_service. neverallow { domain -traced -dumpstate -traceur_app -shell -system_server -perfetto } tracingproxy_service:service_manager find; #line 1 "system/sepolicy/private/traced_perf.te" # Performance profiler, backed by perf_event_open(2). # See go/perfetto-perf-android. typeattribute traced_perf coredomain; typeattribute traced_perf mlstrustedsubject; type traced_perf_exec, system_file_type, exec_type, file_type; #line 8 #line 8 # Allow the necessary permissions. #line 8 #line 8 # Old domain may exec the file and transition to the new domain. #line 8 allow init traced_perf_exec:file { getattr open read execute map }; #line 8 allow init traced_perf:process transition; #line 8 # New domain is entered by executing the file. #line 8 allow traced_perf traced_perf_exec:file { entrypoint open read execute getattr map }; #line 8 # New domain can send SIGCHLD to its caller. #line 8 #line 8 # Enable AT_SECURE, i.e. libc secure mode. #line 8 dontaudit init traced_perf:process noatsecure; #line 8 # XXX dontaudit candidate but requires further study. 
#line 8 allow init traced_perf:process { siginh rlimitinh }; #line 8 #line 8 # Make the transition occur by default. #line 8 type_transition init traced_perf_exec:process traced_perf; #line 8 #line 8 #line 9 allow traced_perf traced:fd use; #line 9 allow traced_perf traced_tmpfs:file { read write getattr map }; #line 9 #line 9 allow traced_perf traced_producer_socket:sock_file write; #line 9 allow traced_perf traced:unix_stream_socket connectto; #line 9 #line 9 #line 9 # Also allow the service to use the producer file descriptors. This is #line 9 # necessary when the producer is creating the shared memory, as it will be #line 9 # passed to the service as a file descriptor (obtained from memfd_create). #line 9 allow traced traced_perf:fd use; #line 9 # Allow traced_perf full use of perf_event_open(2). It will perform cpu-wide # profiling, but retain samples only for profileable processes. # Thread-specific profiling is still disallowed due to a PTRACE_MODE_ATTACH # check (which would require a process:attach SELinux allow-rule). allow traced_perf self:perf_event { open cpu kernel read write tracepoint }; # Allow CAP_KILL for delivery of dedicated signal to obtain proc-fds from a # process. Allow CAP_DAC_READ_SEARCH for stack unwinding and symbolization of # sampled stacks, which requires opening the backing libraries/executables (as # symbols are usually not mapped into the process space). Not all such files # are world-readable, e.g. odex files that included user profiles during # profile-guided optimization. allow traced_perf self:capability { kill dac_read_search }; # Allow reading /system/data/packages.list. allow traced_perf packages_list_file:file { getattr open read ioctl lock map watch watch_reads }; # Allow reading files for stack unwinding and symbolization. 
#line 29 allow traced_perf nativetest_data_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 29 allow traced_perf nativetest_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 29 #line 30 allow traced_perf system_file_type:dir { open getattr read search ioctl lock watch watch_reads }; #line 30 allow traced_perf system_file_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 30 #line 31 allow traced_perf apk_data_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 31 allow traced_perf apk_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 31 #line 32 allow traced_perf dalvikcache_data_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 32 allow traced_perf dalvikcache_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 32 #line 33 allow traced_perf vendor_file_type:dir { open getattr read search ioctl lock watch watch_reads }; #line 33 allow traced_perf vendor_file_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 33 # ART apex files and directory access to the containing /data/misc/apexdata. #line 35 allow traced_perf apex_art_data_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 35 allow traced_perf apex_art_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 35 allow traced_perf apex_module_data_file:dir { getattr search }; # Allow to temporarily lift the kptr_restrict setting and build a symbolization # map reading /proc/kallsyms. allow traced_perf proc_kallsyms:file { getattr open read ioctl lock map watch watch_reads }; # Allow reading tracefs files to get the format and numeric ids of tracepoints. 
allow traced_perf debugfs_tracing:dir { open getattr read search ioctl lock watch watch_reads }; allow traced_perf debugfs_tracing:file { getattr open read ioctl lock map watch watch_reads }; #line 49 # Do not audit the cases where traced_perf attempts to access /proc/[pid] for # domains that it cannot read. dontaudit traced_perf domain:dir { search getattr open }; # Do not audit failures to signal a process, as there are cases when this is # expected (native processes on debug builds use the policy for enforcing which # processes are profileable). dontaudit traced_perf domain:process signal; # Never allow access to app data files neverallow traced_perf app_data_file_type:file *; # Never allow profiling privileged or otherwise incompatible domains. # Corresponding allow-rule is in private/domain.te. #line 65 neverallow traced_perf { #line 65 apexd #line 65 app_zygote #line 65 bpfloader #line 65 hal_configstore_server #line 65 init #line 65 kernel #line 65 keystore #line 65 llkd #line 65 logd #line 65 ueventd #line 65 vendor_init #line 65 vold #line 65 webview_zygote #line 65 zygote #line 65 }:file read; #line 65 neverallow traced_perf { #line 65 apexd #line 65 app_zygote #line 65 bpfloader #line 65 hal_configstore_server #line 65 init #line 65 kernel #line 65 keystore #line 65 llkd #line 65 logd #line 65 ueventd #line 65 vendor_init #line 65 vold #line 65 webview_zygote #line 65 zygote #line 65 }:process signal; #line 80 #line 1 "system/sepolicy/private/traced_probes.te" # Perfetto tracing probes, has tracefs access. type traced_probes_exec, system_file_type, exec_type, file_type; type traced_probes_tmpfs, file_type; # Allow init to exec the daemon. #line 6 #line 6 # Allow the necessary permissions. #line 6 #line 6 # Old domain may exec the file and transition to the new domain. #line 6 allow init traced_probes_exec:file { getattr open read execute map }; #line 6 allow init traced_probes:process transition; #line 6 # New domain is entered by executing the file. 
#line 6 allow traced_probes traced_probes_exec:file { entrypoint open read execute getattr map }; #line 6 # New domain can send SIGCHLD to its caller. #line 6 #line 6 # Enable AT_SECURE, i.e. libc secure mode. #line 6 dontaudit init traced_probes:process noatsecure; #line 6 # XXX dontaudit candidate but requires further study. #line 6 allow init traced_probes:process { siginh rlimitinh }; #line 6 #line 6 # Make the transition occur by default. #line 6 type_transition init traced_probes_exec:process traced_probes; #line 6 #line 6 #line 7 type_transition traced_probes tmpfs:file traced_probes_tmpfs; #line 7 allow traced_probes traced_probes_tmpfs:file { read write getattr map }; #line 7 # Write trace data to the Perfetto traced daemon. This requires connecting to its # producer socket and obtaining a (per-process) tmpfs fd. #line 11 allow traced_probes traced:fd use; #line 11 allow traced_probes traced_tmpfs:file { read write getattr map }; #line 11 #line 11 allow traced_probes traced_producer_socket:sock_file write; #line 11 allow traced_probes traced:unix_stream_socket connectto; #line 11 #line 11 #line 11 # Also allow the service to use the producer file descriptors. This is #line 11 # necessary when the producer is creating the shared memory, as it will be #line 11 # passed to the service as a file descriptor (obtained from memfd_create). #line 11 allow traced traced_probes:fd use; #line 11 # Allow traced_probes to access tracefs. 
allow traced_probes debugfs_tracing:dir { open getattr read search ioctl lock watch watch_reads }; allow traced_probes debugfs_tracing:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; allow traced_probes debugfs_trace_marker:file getattr; allow traced_probes debugfs_tracing_printk_formats:file { getattr open read ioctl lock map watch watch_reads }; # Allow traced_probes to access mm_events trace instance allow traced_probes debugfs_tracing_instances:dir search; allow traced_probes debugfs_mm_events_tracing:dir search; allow traced_probes debugfs_mm_events_tracing:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } }; # TODO(primiano): temporarily I/O tracing categories are still # userdebug only until we nail down the denylist/allowlist. #line 29 # Allow traced_probes to start with a higher scheduling class and then downgrade # itself. allow traced_probes self:{ capability cap_userns } { sys_nice }; # Allow procfs access #line 36 allow traced_probes domain:dir { open getattr read search ioctl lock watch watch_reads }; #line 36 allow traced_probes domain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 36 # Allow to temporarily lift the kptr_restrict setting and build a symbolization # map reading /proc/kallsyms. allow traced_probes proc_kallsyms:file { getattr open read ioctl lock map watch watch_reads }; # Allow to read packages.list file. allow traced_probes packages_list_file:file { getattr open read ioctl lock map watch watch_reads }; # Allow to read game_mode_intervention.list file. allow traced_probes game_mode_intervention_list_file:file { getattr open read ioctl lock map watch watch_reads }; # Allow to log to kernel dmesg when starting / stopping ftrace. allow traced_probes kmsg_device:chr_file write; # Allow traced_probes to list the system partition. 
allow traced_probes system_file:dir { open read }; # Allow traced_probes to list some of the data partition. allow traced_probes self:{ capability cap_userns } dac_read_search; allow traced_probes apk_data_file:dir { getattr open read search }; allow traced_probes { apex_art_data_file apex_module_data_file }:dir { getattr open read search }; allow traced_probes dalvikcache_data_file:dir { getattr open read search }; #line 64 allow traced_probes system_app_data_file:dir { getattr open read search }; allow traced_probes backup_data_file:dir { getattr open read search }; allow traced_probes bootstat_data_file:dir { getattr open read search }; allow traced_probes update_engine_data_file:dir { getattr open read search }; allow traced_probes update_engine_log_data_file:dir { getattr open read search }; allow traced_probes { user_profile_root_file user_profile_data_file}:dir { getattr open read search }; # Allow traced_probes to run atrace. atrace pokes at system services to enable # their userspace TRACE macros. #line 74 # Allow the necessary permissions. #line 74 #line 74 # Old domain may exec the file and transition to the new domain. #line 74 allow traced_probes atrace_exec:file { getattr open read execute map }; #line 74 allow traced_probes atrace:process transition; #line 74 # New domain is entered by executing the file. #line 74 allow atrace atrace_exec:file { entrypoint open read execute getattr map }; #line 74 # New domain can send SIGCHLD to its caller. #line 74 allow atrace traced_probes:process sigchld; #line 74 # Enable AT_SECURE, i.e. libc secure mode. #line 74 dontaudit traced_probes atrace:process noatsecure; #line 74 # XXX dontaudit candidate but requires further study. #line 74 allow traced_probes atrace:process { siginh rlimitinh }; #line 74 #line 74 # Make the transition occur by default. #line 74 type_transition traced_probes atrace_exec:process atrace; #line 74 ; # Allow traced_probes to kill atrace on timeout. 
allow traced_probes atrace:process sigkill; # Allow traced_probes to access /proc files for system stats. # Note: trace data is NOT exposed to anything other than shell and privileged # system apps that have access to the traced consumer socket. allow traced_probes { proc_meminfo proc_vmstat proc_stat proc_buddyinfo proc_pressure_cpu proc_pressure_io proc_pressure_mem }:file { getattr open read ioctl lock map watch watch_reads }; # Allow access to read /sys/class/devfreq/ and /$DEVICE/cur_freq files allow traced_probes sysfs_devfreq_dir:dir { open getattr read search ioctl lock watch watch_reads }; allow traced_probes sysfs_devfreq_cur:file { getattr open read ioctl lock map watch watch_reads }; # Allow access to read /proc/diskstats for I/O profiling. allow traced_probes proc_diskstats:file { getattr open read ioctl lock map watch watch_reads }; # Allow access to the IHealth and IPowerStats HAL service for tracing battery counters. #line 100 typeattribute traced_probes halclientdomain; #line 100 typeattribute traced_probes hal_health_client; #line 100 #line 100 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 100 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 100 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 100 #line 100 typeattribute traced_probes hal_health; #line 100 # Find passthrough HAL implementations #line 100 allow hal_health system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 100 allow hal_health vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 100 allow hal_health vendor_file:file { read open getattr execute map }; #line 100 #line 100 #line 101 typeattribute traced_probes halclientdomain; #line 101 typeattribute traced_probes hal_power_stats_client; #line 101 #line 101 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 101 # non-Treble devices. 
For now, on non-Treble device, always grant clients of a #line 101 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 101 #line 101 typeattribute traced_probes hal_power_stats; #line 101 # Find passthrough HAL implementations #line 101 allow hal_power_stats system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 101 allow hal_power_stats vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 101 allow hal_power_stats vendor_file:file { read open getattr execute map }; #line 101 #line 101 # Allow access to Atrace HAL for enabling vendor/device specific tracing categories. #line 104 typeattribute traced_probes halclientdomain; #line 104 typeattribute traced_probes hal_atrace_client; #line 104 #line 104 # TODO(b/34170079): Make the inclusion of the rules below conditional also on #line 104 # non-Treble devices. For now, on non-Treble device, always grant clients of a #line 104 # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). #line 104 #line 104 typeattribute traced_probes hal_atrace; #line 104 # Find passthrough HAL implementations #line 104 allow hal_atrace system_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 104 allow hal_atrace vendor_file:dir { open getattr read search ioctl lock watch watch_reads }; #line 104 allow hal_atrace vendor_file:file { read open getattr execute map }; #line 104 #line 104 # On debug builds allow to ingest system logs into the trace. # Allow traced_probes to talk to statsd for logging metrics and recording atoms. #line 110 allow traced_probes statsdw_socket:sock_file write; #line 110 allow traced_probes statsd:unix_dgram_socket sendto; #line 110 #line 111 # Call the server domain and optionally transfer references to it. #line 111 allow traced_probes statsd:binder { call transfer }; #line 111 # Allow the serverdomain to transfer references to the client on the reply. 
#line 111
allow statsd traced_probes:binder transfer;
#line 111
# Receive and use open files from the server.
#line 111
allow traced_probes statsd:fd use;
#line 111
allow traced_probes stats_service:service_manager find;

###
### Neverallow rules
###
### traced_probes should NEVER do any of this

# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
neverallow traced_probes self:process execmem;

# Block device access.
neverallow traced_probes dev_type:blk_file { read write };

# ptrace any other app
neverallow traced_probes domain:process ptrace;

# Disallows access to /data files.
# Every data_file_type subtype not listed with a leading "-" is fully off-limits
# as a directory; the listed exemptions are the only ones this domain may touch.
neverallow traced_probes {
  data_file_type
  -apex_module_data_file
  -apex_art_data_file
  -apk_data_file
  -dalvikcache_data_file
  -system_data_file
  -system_data_root_file
  -media_userdir_file
  -system_userdir_file
  -vendor_userdir_file
  -system_app_data_file
  -backup_data_file
  -bootstat_data_file
  -update_engine_data_file
  -update_engine_log_data_file
  -user_profile_root_file
  -user_profile_data_file
  # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
  # subsequent neverallow. Currently only getattr and search are allowed.
  -vendor_data_file
}:dir *;
# system_data_file was exempted above only so that getattr/search can be
# granted; everything else on those directories stays neverallowed.
neverallow traced_probes system_data_file:dir ~{ getattr search };
neverallow traced_probes {
  data_file_type
  -packages_list_file
  -game_mode_intervention_list_file
}:file *;

# Only init is allowed to enter the traced_probes domain via exec()
neverallow { domain -init } traced_probes:process transition;
neverallow * traced_probes:process dyntransition;

#line 1 "system/sepolicy/private/traceur_app.te"
typeattribute traceur_app coredomain;
# NOTE(review): the run of "#line 3" synclines below marks text expanded from a
# single source line; the same per-app-domain boilerplate (tmpfs label,
# userfaultfd type, cross-domain file neverallows, ptrace neverallow) recurs
# for every untrusted_app* domain later in this listing.
#line 3
typeattribute traceur_app appdomain;
#line 3
# Label tmpfs objects for all apps.
#line 3
type_transition traceur_app tmpfs:file appdomain_tmpfs;
#line 3
#line 3
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 3
type traceur_app_userfaultfd;
#line 3
type_transition traceur_app traceur_app:anon_inode traceur_app_userfaultfd "[userfaultfd]";
#line 3
# Allow domain to create/use userfaultfd anon_inode.
#line 3
allow traceur_app traceur_app_userfaultfd:anon_inode { create ioctl read };
#line 3
# Suppress errors generated during bugreport
#line 3
dontaudit su traceur_app_userfaultfd:anon_inode *;
#line 3
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 3
neverallow { domain -traceur_app } traceur_app_userfaultfd:anon_inode *;
#line 3
#line 3
# App tmpfs files are both writable and executable for this domain.
allow traceur_app appdomain_tmpfs:file { execute getattr map read write };
#line 3
# This domain may not touch files typed as any other domain, and other app
# domains may not touch files typed as this one (shell, runas_app and
# simpleperf excepted).
neverallow { traceur_app -runas_app -shell -simpleperf } { domain -traceur_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 3
neverallow { appdomain -runas_app -shell -simpleperf -traceur_app } traceur_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 3
# The Android security model guarantees the confidentiality and integrity
#line 3
# of application data and execution state. Ptrace bypasses those
#line 3
# confidentiality guarantees. Disallow ptrace access from system components to
#line 3
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 3
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 3
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 3
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 3
# live lock conditions.
#line 3
# NOTE(review): llkd is named as excluded in the comment above but is absent
# from the exclusion set here; as expanded, llkd is denied ptrace on this
# domain (the exclusion may depend on build variant -- verify).
neverallow { domain -traceur_app -crash_dump -runas_app -simpleperf } traceur_app:process ptrace;
#line 3
;
# Read/write on debugfs_tracing files; read-only on debugfs_tracing_debug
# directories.
allow traceur_app debugfs_tracing:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow traceur_app debugfs_tracing_debug:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
# Full create/read/write/unlink lifecycle on trace output files and
# directories. traceur_app is the writer; untrusted apps only ever receive
# an already-open fd (see untrusted_app_all further down).
allow traceur_app trace_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow traceur_app trace_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow traceur_app wm_trace_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow traceur_app wm_trace_data_file:file { getattr { getattr open read ioctl lock map watch watch_reads } unlink };
# execute_no_trans: atrace runs inside the traceur_app domain rather than
# transitioning to its own.
allow traceur_app atrace_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# To exec the perfetto cmdline client and pass it the trace config on
# stdin through a pipe.
allow traceur_app perfetto_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow to access traced's privileged consumer socket.
#line 22
allow traceur_app traced_consumer_socket:sock_file write;
#line 22
allow traceur_app traced:unix_stream_socket connectto;
#line 22
dontaudit traceur_app debugfs_tracing_debug:file audit_access;
#line 26
#line 26
# Set debug_prop through init's property service socket.
allow traceur_app property_socket:sock_file write;
#line 26
allow traceur_app init:unix_stream_socket connectto;
#line 26
#line 26
allow traceur_app debug_prop:property_service set;
#line 26
#line 26
allow traceur_app debug_prop:file { getattr open read map };
#line 26
#line 26
#line 1 "system/sepolicy/private/ueventd.te"
typeattribute ueventd coredomain;
#line 3
# ueventd gets its own tmpfs label rather than the shared app one.
type_transition ueventd tmpfs:file ueventd_tmpfs;
#line 3
allow ueventd ueventd_tmpfs:file { read write getattr map };
#line 3
# ueventd can set properties, particularly it sets ro.cold_boot_done to signal
# to init that cold boot has completed.
#line 7
#line 7
allow ueventd property_socket:sock_file write;
#line 7
allow ueventd init:unix_stream_socket connectto;
#line 7
#line 7
# The only property_service set rule for ueventd in this listing.
allow ueventd cold_boot_done_prop:property_service set;
#line 7
#line 7
allow ueventd cold_boot_done_prop:file { getattr open read map };
#line 7
#line 7
#line 1 "system/sepolicy/private/uncrypt.te"
typeattribute uncrypt coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init uncrypt_exec:file { getattr open read execute map };
#line 3
allow init uncrypt:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow uncrypt uncrypt_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
# NOTE(review): no allow rule follows this comment in the expansion (compare
# the rs and virtualizationmanager transitions later in this listing, which
# carry one); presumably sigchld to init is granted elsewhere -- verify.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init uncrypt:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init uncrypt:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init uncrypt_exec:process uncrypt;
#line 3
#line 3
# Set a property to reboot the device.
#line 6
#line 6
allow uncrypt property_socket:sock_file write;
#line 6
allow uncrypt init:unix_stream_socket connectto;
#line 6
#line 6
allow uncrypt powerctl_prop:property_service set;
#line 6
#line 6
allow uncrypt powerctl_prop:file { getattr open read map };
#line 6
#line 6
#line 1 "system/sepolicy/private/untrusted_app.te"
###
### Untrusted apps.
###
### This file defines the rules for untrusted apps running with
### targetSdkVersion >= 34.
###
### See public/untrusted_app.te for more information about which apps are
### placed in this selinux domain.
###
typeattribute untrusted_app coredomain;
# NOTE(review): the "#line 13" synclines below mark text expanded from a single
# source line; the same per-app-domain boilerplate recurs for every
# untrusted_app* domain in this listing.
#line 13
typeattribute untrusted_app appdomain;
#line 13
# Label tmpfs objects for all apps.
#line 13
type_transition untrusted_app tmpfs:file appdomain_tmpfs;
#line 13
#line 13
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 13
type untrusted_app_userfaultfd;
#line 13
type_transition untrusted_app untrusted_app:anon_inode untrusted_app_userfaultfd "[userfaultfd]";
#line 13
# Allow domain to create/use userfaultfd anon_inode.
#line 13
allow untrusted_app untrusted_app_userfaultfd:anon_inode { create ioctl read };
#line 13
# Suppress errors generated during bugreport
#line 13
dontaudit su untrusted_app_userfaultfd:anon_inode *;
#line 13
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 13
neverallow { domain -untrusted_app } untrusted_app_userfaultfd:anon_inode *;
#line 13
#line 13
# App tmpfs files are both writable and executable for this domain.
allow untrusted_app appdomain_tmpfs:file { execute getattr map read write };
#line 13
# This domain may not touch files typed as any other domain, and other app
# domains may not touch files typed as this one (shell, runas_app and
# simpleperf excepted).
neverallow { untrusted_app -runas_app -shell -simpleperf } { domain -untrusted_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
neverallow { appdomain -runas_app -shell -simpleperf -untrusted_app } untrusted_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
# The Android security model guarantees the confidentiality and integrity
#line 13
# of application data and execution state. Ptrace bypasses those
#line 13
# confidentiality guarantees. Disallow ptrace access from system components to
#line 13
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 13
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 13
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 13
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 13
# live lock conditions.
#line 13
# NOTE(review): llkd is named as excluded in the comment above but is absent
# from the exclusion set here; as expanded, llkd is denied ptrace on this
# domain (the exclusion may depend on build variant -- verify).
neverallow { domain -untrusted_app -crash_dump -runas_app -simpleperf } untrusted_app:process ptrace;
#line 13
#line 14
typeattribute untrusted_app untrusted_app_all;
#line 14
#line 15
typeattribute untrusted_app netdomain;
#line 15
#line 16
typeattribute untrusted_app bluetoothdomain;
#line 16
# Allow webview to access fd shared by sdksandbox for experiments data
# TODO(b/229249719): Will not be supported in Android U
# The app may write through an fd it was handed, but may never open or create
# the file itself; the neverallow pins that boundary.
allow untrusted_app sdk_sandbox_data_file:fd use;
allow untrusted_app sdk_sandbox_data_file:file write;
neverallow untrusted_app sdk_sandbox_data_file:file { open create };
# Note: unlike the untrusted_app_25/27/29/30/32 domains that follow, no mdnsd
# socket or APK inotify (watch) rules are granted to this domain; those are
# the targetSdkVersion>=34 removals referenced in the older domains' comments.
#line 1 "system/sepolicy/private/untrusted_app_25.te"
###
### Untrusted_app_25
###
### This file defines the rules for untrusted apps running with
### targetSdkVersion <= 25.
###
### See public/untrusted_app.te for more information about which apps are
### placed in this selinux domain.
###
typeattribute untrusted_app_25 coredomain;
#line 13
typeattribute untrusted_app_25 appdomain;
#line 13
# Label tmpfs objects for all apps.
#line 13
type_transition untrusted_app_25 tmpfs:file appdomain_tmpfs;
#line 13
#line 13
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 13
type untrusted_app_25_userfaultfd;
#line 13
type_transition untrusted_app_25 untrusted_app_25:anon_inode untrusted_app_25_userfaultfd "[userfaultfd]";
#line 13
# Allow domain to create/use userfaultfd anon_inode.
#line 13
allow untrusted_app_25 untrusted_app_25_userfaultfd:anon_inode { create ioctl read };
#line 13
# Suppress errors generated during bugreport
#line 13
dontaudit su untrusted_app_25_userfaultfd:anon_inode *;
#line 13
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 13
neverallow { domain -untrusted_app_25 } untrusted_app_25_userfaultfd:anon_inode *;
#line 13
#line 13
# App tmpfs files are both writable and executable for this domain.
allow untrusted_app_25 appdomain_tmpfs:file { execute getattr map read write };
#line 13
# This domain may not touch files typed as any other domain, and other app
# domains may not touch files typed as this one (shell, runas_app and
# simpleperf excepted).
neverallow { untrusted_app_25 -runas_app -shell -simpleperf } { domain -untrusted_app_25 }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
neverallow { appdomain -runas_app -shell -simpleperf -untrusted_app_25 } untrusted_app_25:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
# The Android security model guarantees the confidentiality and integrity
#line 13
# of application data and execution state. Ptrace bypasses those
#line 13
# confidentiality guarantees. Disallow ptrace access from system components to
#line 13
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 13
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 13
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 13
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 13
# live lock conditions.
#line 13
# NOTE(review): llkd is absent from the exclusion set despite the comment
# above; as expanded, llkd is denied ptrace on this domain -- verify.
neverallow { domain -untrusted_app_25 -crash_dump -runas_app -simpleperf } untrusted_app_25:process ptrace;
#line 13
#line 14
typeattribute untrusted_app_25 untrusted_app_all;
#line 14
#line 15
typeattribute untrusted_app_25 netdomain;
#line 15
#line 16
typeattribute untrusted_app_25 bluetoothdomain;
#line 16
###
### Legacy grants for targetSdkVersion <= 25. Each one widens the attack
### surface relative to untrusted_app and is documented below with the
### reason it is still kept.
###
# b/35917228 - /proc/misc access
# This will go away in a future Android release
allow untrusted_app_25 proc_misc:file { getattr open read ioctl lock map watch watch_reads };
# Access to /proc/tty/drivers, to allow apps to determine if they
# are running in an emulated environment.
# b/33214085 b/33814662 b/33791054 b/33211769
# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
# This will go away in a future Android release
allow untrusted_app_25 proc_tty_drivers:file { getattr open read ioctl lock map watch watch_reads };
# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
# execmod lets a modified private file mapping be made executable, which is
# what text relocations need; it is absent from the newer app domains.
allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
# The ability to call exec() on files in the apps home directories
# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
# and 28 in untrusted_app_27.te.
allow untrusted_app_25 app_data_file:file execute_no_trans;
# auditallow: uses of this legacy grant are logged (not denied) so that
# remaining reliance on it can be measured.
auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };
# The ability to invoke dex2oat. Historically required by ART, now only
# allowed for targetApi<=28 for compat reasons.
allow untrusted_app_25 dex2oat_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
# ASharedMemory instead.
allow untrusted_app_25 ashmem_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
auditallow untrusted_app_25 ashmem_device:chr_file open;
# Read /mnt/sdcard symlink.
allow untrusted_app_25 mnt_sdcard_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
# Connect to mdnsd via mdnsd socket.
#line 57
allow untrusted_app_25 mdnsd_socket:sock_file write;
#line 57
allow untrusted_app_25 mdnsd:unix_stream_socket connectto;
#line 57
#line 61
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
# for targetSdkVersion>=34 to remove a sidechannel.
allow untrusted_app_25 apk_data_file:dir { watch watch_reads };
allow untrusted_app_25 apk_data_file:file { watch watch_reads };
#line 70
#line 1 "system/sepolicy/private/untrusted_app_27.te"
###
### Untrusted_27.
###
### This file defines the rules for untrusted apps running with
### 25 < targetSdkVersion <= 28.
###
### See public/untrusted_app.te for more information about which apps are
### placed in this selinux domain.
###
typeattribute untrusted_app_27 coredomain;
# NOTE(review): the "#line 13" synclines below mark text expanded from a single
# source line; the same per-app-domain boilerplate recurs for every
# untrusted_app* domain in this listing.
#line 13
typeattribute untrusted_app_27 appdomain;
#line 13
# Label tmpfs objects for all apps.
#line 13
type_transition untrusted_app_27 tmpfs:file appdomain_tmpfs;
#line 13
#line 13
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 13
type untrusted_app_27_userfaultfd;
#line 13
type_transition untrusted_app_27 untrusted_app_27:anon_inode untrusted_app_27_userfaultfd "[userfaultfd]";
#line 13
# Allow domain to create/use userfaultfd anon_inode.
#line 13
allow untrusted_app_27 untrusted_app_27_userfaultfd:anon_inode { create ioctl read };
#line 13
# Suppress errors generated during bugreport
#line 13
dontaudit su untrusted_app_27_userfaultfd:anon_inode *;
#line 13
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 13
neverallow { domain -untrusted_app_27 } untrusted_app_27_userfaultfd:anon_inode *;
#line 13
#line 13
# App tmpfs files are both writable and executable for this domain.
allow untrusted_app_27 appdomain_tmpfs:file { execute getattr map read write };
#line 13
# This domain may not touch files typed as any other domain, and other app
# domains may not touch files typed as this one (shell, runas_app and
# simpleperf excepted).
neverallow { untrusted_app_27 -runas_app -shell -simpleperf } { domain -untrusted_app_27 }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
neverallow { appdomain -runas_app -shell -simpleperf -untrusted_app_27 } untrusted_app_27:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
# The Android security model guarantees the confidentiality and integrity
#line 13
# of application data and execution state. Ptrace bypasses those
#line 13
# confidentiality guarantees. Disallow ptrace access from system components to
#line 13
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 13
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 13
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 13
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 13
# live lock conditions.
#line 13
# NOTE(review): llkd is absent from the exclusion set despite the comment
# above; as expanded, llkd is denied ptrace on this domain -- verify.
neverallow { domain -untrusted_app_27 -crash_dump -runas_app -simpleperf } untrusted_app_27:process ptrace;
#line 13
#line 14
typeattribute untrusted_app_27 untrusted_app_all;
#line 14
#line 15
typeattribute untrusted_app_27 netdomain;
#line 15
#line 16
typeattribute untrusted_app_27 bluetoothdomain;
#line 16
# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
# execmod lets a modified private file mapping be made executable, which is
# what text relocations need; it is absent from the newer app domains.
allow untrusted_app_27 { apk_data_file app_data_file asec_public_file }:file execmod;
# The ability to call exec() on files in the apps home directories
# for targetApi 26, 27, and 28.
allow untrusted_app_27 app_data_file:file execute_no_trans;
# auditallow: uses of this legacy grant are logged (not denied) so that
# remaining reliance on it can be measured.
auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };
# The ability to invoke dex2oat. Historically required by ART, now only
# allowed for targetApi<=28 for compat reasons.
allow untrusted_app_27 dex2oat_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
# ASharedMemory instead.
allow untrusted_app_27 ashmem_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
auditallow untrusted_app_27 ashmem_device:chr_file open;
# Read /mnt/sdcard symlink.
allow untrusted_app_27 mnt_sdcard_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
# Connect to mdnsd via mdnsd socket.
#line 45
allow untrusted_app_27 mdnsd_socket:sock_file write;
#line 45
allow untrusted_app_27 mdnsd:unix_stream_socket connectto;
#line 45
#line 49
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
# for targetSdkVersion>=34 to remove a sidechannel.
allow untrusted_app_27 apk_data_file:dir { watch watch_reads };
allow untrusted_app_27 apk_data_file:file { watch watch_reads };
#line 58
#line 1 "system/sepolicy/private/untrusted_app_29.te"
###
### Untrusted_29.
###
### This file defines the rules for untrusted apps running with
### targetSdkVersion = 29.
###
### See public/untrusted_app.te for more information about which apps are
### placed in this selinux domain.
###
typeattribute untrusted_app_29 coredomain;
# NOTE(review): the "#line 13" synclines below mark text expanded from a single
# source line; the same per-app-domain boilerplate recurs for every
# untrusted_app* domain in this listing.
#line 13
typeattribute untrusted_app_29 appdomain;
#line 13
# Label tmpfs objects for all apps.
#line 13
type_transition untrusted_app_29 tmpfs:file appdomain_tmpfs;
#line 13
#line 13
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 13
type untrusted_app_29_userfaultfd;
#line 13
type_transition untrusted_app_29 untrusted_app_29:anon_inode untrusted_app_29_userfaultfd "[userfaultfd]";
#line 13
# Allow domain to create/use userfaultfd anon_inode.
#line 13
allow untrusted_app_29 untrusted_app_29_userfaultfd:anon_inode { create ioctl read };
#line 13
# Suppress errors generated during bugreport
#line 13
dontaudit su untrusted_app_29_userfaultfd:anon_inode *;
#line 13
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 13
neverallow { domain -untrusted_app_29 } untrusted_app_29_userfaultfd:anon_inode *;
#line 13
#line 13
# App tmpfs files are both writable and executable for this domain.
allow untrusted_app_29 appdomain_tmpfs:file { execute getattr map read write };
#line 13
# This domain may not touch files typed as any other domain, and other app
# domains may not touch files typed as this one (shell, runas_app and
# simpleperf excepted).
neverallow { untrusted_app_29 -runas_app -shell -simpleperf } { domain -untrusted_app_29 }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
neverallow { appdomain -runas_app -shell -simpleperf -untrusted_app_29 } untrusted_app_29:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
# The Android security model guarantees the confidentiality and integrity
#line 13
# of application data and execution state. Ptrace bypasses those
#line 13
# confidentiality guarantees. Disallow ptrace access from system components to
#line 13
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 13
# traces.
# runas_app is excluded, as it operates only on debuggable apps.
#line 13
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 13
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 13
# live lock conditions.
#line 13
# NOTE(review): llkd is absent from the exclusion set despite the comment
# above; as expanded, llkd is denied ptrace on this domain -- verify.
neverallow { domain -untrusted_app_29 -crash_dump -runas_app -simpleperf } untrusted_app_29:process ptrace;
#line 13
#line 14
typeattribute untrusted_app_29 untrusted_app_all;
#line 14
#line 15
typeattribute untrusted_app_29 netdomain;
#line 15
#line 16
typeattribute untrusted_app_29 bluetoothdomain;
#line 16
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
# auditallow: uses are logged (not denied) so remaining reliance can be
# measured.
auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
# Connect to mdnsd via mdnsd socket.
#line 23
allow untrusted_app_29 mdnsd_socket:sock_file write;
#line 23
allow untrusted_app_29 mdnsd:unix_stream_socket connectto;
#line 23
#line 27
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
# for targetSdkVersion>=34 to remove a sidechannel.
allow untrusted_app_29 apk_data_file:dir { watch watch_reads };
allow untrusted_app_29 apk_data_file:file { watch watch_reads };
#line 36
#line 1 "system/sepolicy/private/untrusted_app_30.te"
###
### Untrusted apps.
###
### This file defines the rules for untrusted apps running with
### 29 < targetSdkVersion <= 31.
###
### See public/untrusted_app.te for more information about which apps are
### placed in this selinux domain.
###
### TODO(b/192334803): Merge this policy into untrusted_app_29 when possible
###
typeattribute untrusted_app_30 coredomain;
# NOTE(review): the "#line 15" synclines below mark text expanded from a single
# source line; the same per-app-domain boilerplate recurs for every
# untrusted_app* domain in this listing.
#line 15
typeattribute untrusted_app_30 appdomain;
#line 15
# Label tmpfs objects for all apps.
#line 15
type_transition untrusted_app_30 tmpfs:file appdomain_tmpfs;
#line 15
#line 15
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 15
type untrusted_app_30_userfaultfd;
#line 15
type_transition untrusted_app_30 untrusted_app_30:anon_inode untrusted_app_30_userfaultfd "[userfaultfd]";
#line 15
# Allow domain to create/use userfaultfd anon_inode.
#line 15
allow untrusted_app_30 untrusted_app_30_userfaultfd:anon_inode { create ioctl read };
#line 15
# Suppress errors generated during bugreport
#line 15
dontaudit su untrusted_app_30_userfaultfd:anon_inode *;
#line 15
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 15
neverallow { domain -untrusted_app_30 } untrusted_app_30_userfaultfd:anon_inode *;
#line 15
#line 15
# App tmpfs files are both writable and executable for this domain.
allow untrusted_app_30 appdomain_tmpfs:file { execute getattr map read write };
#line 15
# This domain may not touch files typed as any other domain, and other app
# domains may not touch files typed as this one (shell, runas_app and
# simpleperf excepted).
neverallow { untrusted_app_30 -runas_app -shell -simpleperf } { domain -untrusted_app_30 }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
neverallow { appdomain -runas_app -shell -simpleperf -untrusted_app_30 } untrusted_app_30:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
# The Android security model guarantees the confidentiality and integrity
#line 15
# of application data and execution state. Ptrace bypasses those
#line 15
# confidentiality guarantees. Disallow ptrace access from system components to
#line 15
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 15
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 15
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 15
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 15
# live lock conditions.
#line 15
# NOTE(review): llkd is named as excluded in the comment above but is absent
# from the exclusion set here; as expanded, llkd is denied ptrace on this
# domain (the exclusion may depend on build variant -- verify).
neverallow { domain -untrusted_app_30 -crash_dump -runas_app -simpleperf } untrusted_app_30:process ptrace;
#line 15
#line 16
typeattribute untrusted_app_30 untrusted_app_all;
#line 16
#line 17
typeattribute untrusted_app_30 netdomain;
#line 17
#line 18
typeattribute untrusted_app_30 bluetoothdomain;
#line 18
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
# auditallow: uses are logged (not denied) so remaining reliance can be
# measured.
auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
# Connect to mdnsd via mdnsd socket.
#line 25
allow untrusted_app_30 mdnsd_socket:sock_file write;
#line 25
allow untrusted_app_30 mdnsd:unix_stream_socket connectto;
#line 25
#line 29
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
# for targetSdkVersion>=34 to remove a sidechannel.
allow untrusted_app_30 apk_data_file:dir { watch watch_reads };
allow untrusted_app_30 apk_data_file:file { watch watch_reads };
#line 38
#line 1 "system/sepolicy/private/untrusted_app_32.te"
###
### Untrusted apps.
###
### This file defines the rules for untrusted apps running with
### 31 < targetSdkVersion <= 33.
###
### See public/untrusted_app.te for more information about which apps are
### placed in this selinux domain.
###
typeattribute untrusted_app_32 coredomain;
# NOTE(review): the "#line 13" synclines below mark text expanded from a single
# source line; the same per-app-domain boilerplate recurs for every
# untrusted_app* domain in this listing.
#line 13
typeattribute untrusted_app_32 appdomain;
#line 13
# Label tmpfs objects for all apps.
#line 13
type_transition untrusted_app_32 tmpfs:file appdomain_tmpfs;
#line 13
#line 13
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 13
type untrusted_app_32_userfaultfd;
#line 13
type_transition untrusted_app_32 untrusted_app_32:anon_inode untrusted_app_32_userfaultfd "[userfaultfd]";
#line 13
# Allow domain to create/use userfaultfd anon_inode.
#line 13
allow untrusted_app_32 untrusted_app_32_userfaultfd:anon_inode { create ioctl read };
#line 13
# Suppress errors generated during bugreport
#line 13
dontaudit su untrusted_app_32_userfaultfd:anon_inode *;
#line 13
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 13
neverallow { domain -untrusted_app_32 } untrusted_app_32_userfaultfd:anon_inode *;
#line 13
#line 13
# App tmpfs files are both writable and executable for this domain.
allow untrusted_app_32 appdomain_tmpfs:file { execute getattr map read write };
#line 13
# This domain may not touch files typed as any other domain, and other app
# domains may not touch files typed as this one (shell, runas_app and
# simpleperf excepted).
neverallow { untrusted_app_32 -runas_app -shell -simpleperf } { domain -untrusted_app_32 }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
neverallow { appdomain -runas_app -shell -simpleperf -untrusted_app_32 } untrusted_app_32:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
# The Android security model guarantees the confidentiality and integrity
#line 13
# of application data and execution state. Ptrace bypasses those
#line 13
# confidentiality guarantees. Disallow ptrace access from system components to
#line 13
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 13
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 13
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 13
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 13
# live lock conditions.
#line 13
# NOTE(review): llkd is named as excluded in the comment above but is absent
# from the exclusion set here; as expanded, llkd is denied ptrace on this
# domain (the exclusion may depend on build variant -- verify).
neverallow { domain -untrusted_app_32 -crash_dump -runas_app -simpleperf } untrusted_app_32:process ptrace;
#line 13
#line 14
typeattribute untrusted_app_32 untrusted_app_all;
#line 14
#line 15
typeattribute untrusted_app_32 netdomain;
#line 15
#line 16
typeattribute untrusted_app_32 bluetoothdomain;
#line 16
# Allow webview to access fd shared by sdksandbox for experiments data
# TODO(b/229249719): Will not be supported in Android U
# The app may write through an fd it was handed, but may never open or create
# the file itself; the neverallow pins that boundary.
allow untrusted_app_32 sdk_sandbox_data_file:fd use;
allow untrusted_app_32 sdk_sandbox_data_file:file write;
neverallow untrusted_app_32 sdk_sandbox_data_file:file { open create };
# Connect to mdnsd via mdnsd socket.
#line 26
allow untrusted_app_32 mdnsd_socket:sock_file write;
#line 26
allow untrusted_app_32 mdnsd:unix_stream_socket connectto;
#line 26
#line 30
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
# for targetSdkVersion>=34 to remove a sidechannel.
allow untrusted_app_32 apk_data_file:dir { watch watch_reads };
allow untrusted_app_32 apk_data_file:file { watch watch_reads };
#line 39
#line 1 "system/sepolicy/private/untrusted_app_all.te"
###
### Untrusted_app_all.
###
### This file defines the rules shared by all untrusted app domains except
### ephemeral_app for instant apps and isolated_app (which has a reduced
### permission set).
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
### directory). The untrusted_app_all attribute is assigned to all default
### seapp_contexts for any app with UID between APP_AID (10000)
### and AID_ISOLATED_START (99000) if the app has no specific seinfo
### value as determined from mac_permissions.xml. In current AOSP, this
### attribute is assigned to all non-system apps as well as to any system apps
### that are not signed by the platform key.
To move ### a system app into a specific domain, add a signer entry for it to ### mac_permissions.xml and assign it one of the pre-existing seinfo values ### or define and use a new seinfo value in both mac_permissions.xml and ### seapp_contexts. ### ### Note that rules that should apply to all untrusted apps must be in app.te or also ### added to ephemeral_app.te. # Some apps ship with shared libraries and binaries that they write out # to their sandbox directory and then execute. allow untrusted_app_all privapp_data_file:file { { getattr open read ioctl lock map watch watch_reads } execute }; allow untrusted_app_all app_data_file:file { { getattr open read ioctl lock map watch watch_reads } execute }; auditallow untrusted_app_all app_data_file:file execute; # Chrome Crashpad uses the the dynamic linker to load native executables # from an APK (b/112050209, crbug.com/928422) allow untrusted_app_all system_linker_exec:file execute_no_trans; # Follow priv-app symlinks. This is used for dynamite functionality. allow untrusted_app_all privapp_data_file:lnk_file { getattr open read ioctl lock map watch watch_reads }; # Allow handling of less common filesystem objects allow untrusted_app_all app_data_file:{ lnk_file sock_file fifo_file } { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Allow loading and deleting executable shared libraries # within an application home directory. Such shared libraries would be # created by things like renderscript or via other mechanisms. allow untrusted_app_all app_exec_data_file:file { { getattr open read ioctl lock map watch watch_reads } execute unlink }; # ASEC allow untrusted_app_all asec_apk_file:file { getattr open read ioctl lock map watch watch_reads }; allow untrusted_app_all asec_apk_file:dir { open getattr read search ioctl lock watch watch_reads }; # Execute libs in asec containers. 
allow untrusted_app_all asec_public_file:file { execute }; # Used by Finsky / Android "Verify Apps" functionality when # running "adb install foo.apk". # TODO: Long term, we don't want apps probing into shell data files. # Figure out a way to remove these rules. allow untrusted_app_all shell_data_file:file { getattr open read ioctl lock map watch watch_reads }; allow untrusted_app_all shell_data_file:dir { open getattr read search ioctl lock watch watch_reads }; # Allow traceur to pass file descriptors through a content provider to untrusted apps # for the purpose of sharing files through e.g. gmail allow untrusted_app_all trace_data_file:file { getattr read }; # untrusted apps should not be able to open trace data files, they should depend # upon traceur to pass a file descriptor neverallow untrusted_app_all trace_data_file:dir *; neverallow untrusted_app_all trace_data_file:file { { append create link unlink relabelfrom rename setattr write } open }; # neverallow untrusted apps accessing debugfs_tracing neverallow untrusted_app_all debugfs_tracing:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }; # Allow to read staged apks. allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr}; # Read and write system app data files passed over Binder. # Motivating case was /data/data/com.android.settings/cache/*.jpg for # cropping or taking user photos. allow untrusted_app_all system_app_data_file:file { read write getattr }; # # Rules migrated from old app domains coalesced into untrusted_app. # This includes what used to be media_app, shared_app, and release_app. # # Access to /data/media. 
# --- system/sepolicy/private/untrusted_app_all.te (continued) ---
# One statement per line. The m4 synclines (#line N) only steer checkpolicy
# diagnostics, so they are kept once per macro expansion.

# Untrusted apps get full create/rename/delete plus read/write access to
# media_rw_data_file directories and files.
allow untrusted_app_all media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow untrusted_app_all media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };

# CTS enumerates the service list; everything else is find-by-name only
# (no add, so an app cannot register or shadow one of these services).
allow untrusted_app_all servicemanager:service_manager list;
allow untrusted_app_all audioserver_service:service_manager find;
allow untrusted_app_all cameraserver_service:service_manager find;
allow untrusted_app_all drmserver_service:service_manager find;
allow untrusted_app_all mediaserver_service:service_manager find;
allow untrusted_app_all mediaextractor_service:service_manager find;
allow untrusted_app_all mediametrics_service:service_manager find;
allow untrusted_app_all mediadrmserver_service:service_manager find;
allow untrusted_app_all nfc_service:service_manager find;
allow untrusted_app_all radio_service:service_manager find;
allow untrusted_app_all app_api_service:service_manager find;
allow untrusted_app_all vr_manager_service:service_manager find;

# ndk-gdb's gdbserver attaches to the app's own process (ptrace target is self).
allow untrusted_app_all self:process ptrace;

# Android Studio Instant Run: the app connects to a runas_app socket in the
# abstract unix namespace (https://developer.android.com/studio/run/, b/123297648).
allow untrusted_app_all runas_app:unix_stream_socket connectto;
# While running under a debugger the app must be able to deliver SIGCHLD to
# runas_app (b/123612207).
allow untrusted_app_all runas_app:process sigchld;

# CTS HwRngTest: read-only view of the hw_random sysfs nodes.
allow untrusted_app_all sysfs_hwrandom:dir search;
allow untrusted_app_all sysfs_hwrandom:file { getattr open read ioctl lock map watch watch_reads };

# Preloaded media content is readable (and mappable) but never writable.
allow untrusted_app_all preloads_media_file:dir { open getattr read search ioctl lock watch watch_reads };
allow untrusted_app_all preloads_media_file:file { getattr open read ioctl lock map watch watch_reads };
allow untrusted_app_all preloads_data_file:dir search;

# Pre-installed vendor apps may bundle native libraries inside /vendor/app, so
# untrusted apps get read + execute there.
# TODO (b/37784178): consider a dedicated type for apps installed under /vendor/app.
allow untrusted_app_all vendor_app_file:dir { open getattr read search };
allow untrusted_app_all vendor_app_file:file { { getattr open read ioctl lock map watch watch_reads } execute };
allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };

# UDP sockets handed over by system_server: connect, send/receive and get/set
# socket options are allowed; create, bind and listen are not, so the app can
# only use a socket the system server already set up.
allow untrusted_app_all system_server:udp_socket { connect getattr read recvfrom sendto write getopt setopt };

# Run the RenderScript compiler: untrusted_app_all execs rs_exec and lands in
# the rs domain (expanded domain-transition macro).
#line 138
allow untrusted_app_all rs_exec:file { getattr open read execute map };
allow untrusted_app_all rs:process transition;
# rs_exec is the entrypoint into rs.
allow rs rs_exec:file { entrypoint open read execute getattr map };
# The child may notify its caller on exit.
allow rs untrusted_app_all:process sigchld;
# noatsecure is denied without audit, so rs starts with AT_SECURE set
# (libc secure mode).
dontaudit untrusted_app_all rs:process noatsecure;
# Signal state and rlimits are inherited across the exec; upstream flags this
# as a dontaudit candidate pending further study.
allow untrusted_app_all rs:process { siginh rlimitinh };
# Default transition on exec.
type_transition untrusted_app_all rs_exec:process rs;

# Denials from debugfs_tracing are silenced, not granted.
dontaudit untrusted_app_all debugfs_tracing:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Permitted for targetSdkVersion <= 25 only; newer targets get a quiet denial.
dontaudit untrusted_app_all net_dns_prop:file read;
# Denied since Android O; from P on, apps are expected to cope with the denial.
dontaudit untrusted_app_all { proc_stat proc_uptime proc_vmstat proc_zoneinfo }:file read;

# Pty allocation and use (used by terminal emulators such as
# https://play.google.com/store/apps/details?id=jackpal.androidterm).
#line 157
# A per-domain devpts type: ptys created here get their own label.
type untrusted_app_all_devpts, fs_type;
type_transition untrusted_app_all devpts:chr_file untrusted_app_all_devpts;
allow untrusted_app_all untrusted_app_all_devpts:chr_file { open getattr read write ioctl };
# ioctl allow-list for the app's own pty.
allowxperm untrusted_app_all untrusted_app_all_devpts:chr_file ioctl {
    0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414
    0x0000540e 0x0000540b 0x00005410 0x0000540f
};
# TIOCSTI (0x5412) is blocked for every domain; it has only ever been used in
# exploits (b/33073072, b/7530569,
# http://www.openwall.com/lists/oss-security/2016/09/26/14).
neverallowxperm * untrusted_app_all_devpts:chr_file ioctl 0x00005412;
# devpts:dir search and ptmx_device:chr_file rw_file_perms come from domain.te.

# kcov ioctl access for coverage-guided kernel fuzzing: no rule survived
# expansion here, so it was presumably compiled out for this build variant.
#line 164

# Running a VM for test/demo purposes. The service is still gated by
# android.permission.MANAGE_VIRTUAL_MACHINE, whose protection level
# (signature|privileged|development) limits it to platform-signed apps,
# privileged apps, or apps with android:testOnly="true" in their manifest.
#line 173
# untrusted_app_all execs virtualizationmanager_exec and transitions into
# virtualizationmanager (expanded domain-transition macro).
allow untrusted_app_all virtualizationmanager_exec:file { getattr open read execute map };
allow untrusted_app_all virtualizationmanager:process transition;
allow virtualizationmanager virtualizationmanager_exec:file { entrypoint open read execute getattr map };
allow virtualizationmanager untrusted_app_all:process sigchld;
# noatsecure denied without audit: AT_SECURE is set in the new process.
dontaudit untrusted_app_all virtualizationmanager:process noatsecure;
# Inherited signal state/rlimits (dontaudit candidate per upstream).
allow untrusted_app_all virtualizationmanager:process { siginh rlimitinh };
# The default type_transition for this exec is declared next.
#line 173
# Default transition: exec of virtualizationmanager_exec by untrusted_app_all
# enters the virtualizationmanager domain.
type_transition untrusted_app_all virtualizationmanager_exec:process virtualizationmanager;

# Client <-> virtualizationmanager/crosvm plumbing over the client's sockets,
# fds and pipes.
allow { virtualizationmanager crosvm } untrusted_app_all:unix_stream_socket { ioctl getattr read write };
# The client's fds may be used by virtualizationmanager and passed on to crosvm...
allow { virtualizationmanager crosvm } untrusted_app_all:fd use;
# ...and the client may use fds that virtualizationmanager created.
allow untrusted_app_all virtualizationmanager:fd use;
# Console log is piped back to the client.
allow { virtualizationmanager crosvm } untrusted_app_all:fifo_file { ioctl getattr read write };
# The vsock to the VM is created by virtualizationmanager; the client only gets
# getattr/getopt/read/write on it (no create), so it can only reach VMs it owns.
allow untrusted_app_all virtualizationmanager:vsock_socket { getattr getopt read write };
# Hypervisor capability properties are readable by the client.
allow untrusted_app_all hypervisor_prop:file { getattr open read map };
# The crashdump is readable but deliberately not openable by the client
# (read via an fd provided by virtualizationmanager).
allow untrusted_app_all virtualizationservice_data_file:file { getattr read };
#line 179

#line 1 "system/sepolicy/private/update_engine.te"
typeattribute update_engine coredomain;

# init starts update_engine (expanded init-daemon macro): exec + transition,
# entrypoint, AT_SECURE, inherited signal state/rlimits and the default
# type_transition. No sigchld rule is emitted when the caller is init.
#line 3
allow init update_engine_exec:file { getattr open read execute map };
allow init update_engine:process transition;
allow update_engine update_engine_exec:file { entrypoint open read execute getattr map };
# noatsecure denied quietly -> AT_SECURE set in update_engine.
dontaudit init update_engine:process noatsecure;
# Inherited signal state/rlimits (dontaudit candidate per upstream).
allow init update_engine:process { siginh rlimitinh };
type_transition init update_engine_exec:process update_engine;
# Stray empty statement, apparently a trailing ';' after the macro call in the
# source file.
;

# gsid: service lookup plus a binder client relationship (call/transfer out,
# transfer back on reply, use of fds received in the reply).
allow update_engine gsi_service:service_manager find;
#line 7
allow update_engine gsid:binder { call transfer };
allow gsid update_engine:binder transfer;
allow update_engine gsid:fd use;

# Start the gsid service through init's property service (ctl.* property).
#line 10
allow update_engine property_socket:sock_file write;
allow update_engine init:unix_stream_socket connectto;
allow update_engine ctl_gsid_prop:property_service set;
allow update_engine ctl_gsid_prop:file { getattr open read map };

# Start snapuserd for dm-user communication, same mechanism.
#line 13
allow update_engine property_socket:sock_file write;
allow update_engine init:unix_stream_socket connectto;
allow update_engine ctl_snapuserd_prop:property_service set;
allow update_engine ctl_snapuserd_prop:file { getattr open read map };

# OTA-related properties (e.g. ota.warm_reset) are settable; ota_build_prop is
# read-only.
#line 16
allow update_engine property_socket:sock_file write;
allow update_engine init:unix_stream_socket connectto;
allow update_engine ota_prop:property_service set;
allow update_engine ota_prop:file { getattr open read map };
#line 17
allow update_engine ota_build_prop:file { getattr open read map };

# DSU status is read from gsid_prop.
#line 20
allow update_engine gsid_prop:file { getattr open read map };

# Binder client of the GKI update hook's pre/post-install callback.
#line 23
allow update_engine gki_apex_prepostinstall:binder { call transfer };
allow gki_apex_prepostinstall update_engine:binder transfer;
allow update_engine gki_apex_prepostinstall:fd use;

# Binder client of the Settings app's callback for the kernel update triggered
# through the 16k developer option.
#line 27
allow update_engine system_app:binder { call transfer };
allow system_app update_engine:binder transfer;
allow update_engine system_app:fd use;

# snapuserd (dm-user snapshots): unix socket connect plus its status property.
allow update_engine snapuserd:unix_stream_socket connectto;
allow update_engine snapuserd_socket:sock_file write;
#line 32
allow update_engine snapuserd_prop:file { getattr open read map };

# apexd: needed to calculate and reserve space for capex decompression.
allow update_engine apex_service:service_manager find;
#line 37
allow update_engine apexd:binder { call transfer };
allow apexd update_engine:binder transfer;
allow update_engine apexd:fd use;

# Binder use with servicemanager. servicemanager does getpidcon on its clients,
# hence the search/read/getattr on the client's process entries. Access to
# /dev/binder and /dev/ashmem comes from domain.te.
#line 40
allow update_engine servicemanager:binder { call transfer };
allow servicemanager update_engine:binder { call transfer };
allow servicemanager update_engine:dir search;
allow servicemanager update_engine:file { read open };
allow servicemanager update_engine:process getattr;

# Client of the bootctl HAL. TODO(b/34170079): until passthrough handling is
# conditional on Treble, the client domain also gets the HAL's own attribute so
# an in-process (passthrough) HAL can run; those rules follow.
#line 41
typeattribute update_engine halclientdomain;
typeattribute update_engine hal_bootctl_client;
#line 41
# Passthrough-mode fallback (TODO(b/34170079)): update_engine joins the
# hal_bootctl attribute, inheriting every hal_bootctl rule, and may locate HAL
# implementations under system_file/vendor_file, including executing
# vendor_file files.
typeattribute update_engine hal_bootctl;
allow hal_bootctl system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_bootctl vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_bootctl vendor_file:file { read open getattr execute map };

#line 1 "system/sepolicy/private/update_engine_common.te"
# The type_transition must live in private policy; the domain_trans rules could
# stay public but conceptually belong with it.
# The postinstall program is run by update_engine_common and must carry the
# postinstall_exec label in the new filesystem.
# TODO: have the build system try to verify this.
#line 6
# update_engine_common -> postinstall via postinstall_exec (expanded
# domain-transition macro).
allow update_engine_common postinstall_exec:file { getattr open read execute map };
allow update_engine_common postinstall:process transition;
allow postinstall postinstall_exec:file { entrypoint open read execute getattr map };
allow postinstall update_engine_common:process sigchld;
# noatsecure denied quietly -> AT_SECURE set in postinstall.
dontaudit update_engine_common postinstall:process noatsecure;
# Inherited signal state/rlimits (dontaudit candidate per upstream).
allow update_engine_common postinstall:process { siginh rlimitinh };
type_transition update_engine_common postinstall_exec:process postinstall;

# The same transition also applies to postinstall_file: during an OTA
# update_engine execs scripts living in vendor to do vendor-side update work.
#line 11
allow update_engine_common postinstall_file:file { getattr open read execute map };
allow update_engine_common postinstall:process transition;
allow postinstall postinstall_file:file { entrypoint open read execute getattr map };
allow postinstall update_engine_common:process sigchld;
dontaudit update_engine_common postinstall:process noatsecure;
allow update_engine_common postinstall:process { siginh rlimitinh };
type_transition update_engine_common postinstall_file:process postinstall;
# Mount/unmount and relabel-from on labeled filesystems.
allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };

#line 1 "system/sepolicy/private/update_verifier.te"
typeattribute update_verifier coredomain;

# init starts update_verifier (expanded init-daemon macro; no sigchld rule is
# emitted for an init caller).
#line 3
allow init update_verifier_exec:file { getattr open read execute map };
allow init update_verifier:process transition;
allow update_verifier update_verifier_exec:file { entrypoint open read execute getattr map };
# noatsecure denied quietly -> AT_SECURE set in update_verifier.
dontaudit init update_verifier:process noatsecure;
# Inherited signal state/rlimits (dontaudit candidate per upstream).
allow init update_verifier:process { siginh rlimitinh };
# The default type_transition for this exec is declared next.
#line 3
# Default transition: init's exec of update_verifier_exec enters update_verifier.
type_transition init update_verifier_exec:process update_verifier;

# Reboot the device through the powerctl property (property service reached
# over init's property socket).
#line 6
allow update_verifier property_socket:sock_file write;
allow update_verifier init:unix_stream_socket connectto;
allow update_verifier powerctl_prop:property_service set;
allow update_verifier powerctl_prop:file { getattr open read map };

# OTA-related properties, e.g. ota.warm_reset.
#line 9
allow update_verifier property_socket:sock_file write;
allow update_verifier init:unix_stream_socket connectto;
allow update_verifier ota_prop:property_service set;
allow update_verifier ota_prop:file { getattr open read map };

# Connect to the snapuserd daemon.
allow update_verifier snapuserd_socket:sock_file write;
allow update_verifier snapuserd:unix_stream_socket connectto;
# Virtual A/B properties, read-only.
#line 16
allow update_verifier virtual_ab_prop:file { getattr open read map };

#line 1 "system/sepolicy/private/uprobestats.te"
type uprobestats, domain, coredomain;
typeattribute uprobestats bpfdomain;
type uprobestats_exec, system_file_type, exec_type, file_type;

# init starts uprobestats (expanded init-daemon macro; no sigchld rule is
# emitted for an init caller).
#line 8
allow init uprobestats_exec:file { getattr open read execute map };
allow init uprobestats:process transition;
allow uprobestats uprobestats_exec:file { entrypoint open read execute getattr map };
# noatsecure denied quietly -> AT_SECURE set in uprobestats.
dontaudit init uprobestats:process noatsecure;
# Inherited signal state/rlimits (dontaudit candidate per upstream).
allow init uprobestats:process { siginh rlimitinh };
type_transition init uprobestats_exec:process uprobestats;

# BPF plumbing: its own bpf-fs files, maps/programs via bpfloader, the perfmon
# capability and perf_event open/write, plus the uprobe sysfs nodes.
allow uprobestats fs_bpf_uprobestats:file { read write };
allow uprobestats fs_bpf_uprobestats:dir search;
allow uprobestats bpfloader:bpf { map_read map_write prog_run };
allow uprobestats self:capability2 perfmon;
allow uprobestats self:perf_event { cpu open write };
allow uprobestats sysfs_uprobe:file { open read };
allow uprobestats sysfs_uprobe:dir { search };

# popen() of oatdump. It is executed without a domain transition
# (execute_no_trans), so oatdump runs with uprobestats' own privileges.
allow uprobestats oatdump_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };

# Push atoms to statsd over its datagram socket.
#line 22
allow uprobestats statsdw_socket:sock_file write;
allow uprobestats statsd:unix_dgram_socket sendto;

# Register with system_server as a process observer: binder use with
# servicemanager (which does getpidcon on its clients; /dev/binder and
# /dev/ashmem access come from domain.te), then a binder client relationship
# with system_server reached through activity_service.
#line 25
allow uprobestats servicemanager:binder { call transfer };
allow servicemanager uprobestats:binder { call transfer };
allow servicemanager uprobestats:dir search;
allow servicemanager uprobestats:file { read open };
allow servicemanager uprobestats:process getattr;
allow uprobestats activity_service:service_manager find;
#line 27
allow uprobestats system_server:binder { call transfer };
allow system_server uprobestats:binder transfer;
# Use of fds received from system_server in the reply is declared next.
#line 27
allow uprobestats system_server:fd use;
# Stray empty statement, apparently a trailing ';' after the macro call.
;

# Native package manager lookup.
allow uprobestats package_native_service:service_manager find;

# Scan /proc/<pid>/cmdline of every non-app domain: read-only on the process
# entries (dir, file, symlink) labelled with those domains; appdomain is
# explicitly excluded.
#line 33
allow uprobestats { domain -appdomain }:dir { open getattr read search ioctl lock watch watch_reads };
allow uprobestats { domain -appdomain }:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };

# Its own config files: read/write the directory, read + unlink the files
# (no write or create on the files themselves).
allow uprobestats uprobestats_configs_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow uprobestats uprobestats_configs_data_file:file { { getattr open read ioctl lock map watch watch_reads } unlink };

#line 1 "system/sepolicy/private/usbd.te"
typeattribute usbd coredomain;

# init starts usbd (expanded init-daemon macro; no sigchld rule is emitted for
# an init caller).
#line 3
allow init usbd_exec:file { getattr open read execute map };
allow init usbd:process transition;
allow usbd usbd_exec:file { entrypoint open read execute getattr map };
# noatsecure denied quietly -> AT_SECURE set in usbd.
dontaudit init usbd:process noatsecure;
# Inherited signal state/rlimits (dontaudit candidate per upstream).
allow init usbd:process { siginh rlimitinh };
type_transition init usbd_exec:process usbd;

# Client of the USB gadget HAL. TODO(b/34170079): until passthrough handling
# is conditional on Treble, usbd also joins hal_usb_gadget so an in-process
# HAL can run, and may locate (and execute) HAL implementations under
# system_file/vendor_file.
#line 6
typeattribute usbd halclientdomain;
typeattribute usbd hal_usb_gadget_client;
typeattribute usbd hal_usb_gadget;
allow hal_usb_gadget system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_usb_gadget vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_usb_gadget vendor_file:file { read open getattr execute map };

# Read persist.sys.usb.config (system_prop).
#line 9
allow usbd system_prop:file { getattr open read map };

# Start adbd at boot when adb is enabled (ctl_default_prop)...
#line 12
allow usbd property_socket:sock_file write;
allow usbd init:unix_stream_socket connectto;
allow usbd ctl_default_prop:property_service set;
allow usbd ctl_default_prop:file { getattr open read map };
# ...and start/stop it later via ctl.start adbd (ctl_adbd_prop).
#line 15
allow usbd property_socket:sock_file write;
allow usbd init:unix_stream_socket connectto;
allow usbd ctl_adbd_prop:property_service set;
allow usbd ctl_adbd_prop:file { getattr open read map };

#line 1 "system/sepolicy/private/vdc.te"
typeattribute vdc coredomain;

# init starts vdc (expanded init-daemon macro; no sigchld rule is emitted for
# an init caller).
#line 3
allow init vdc_exec:file { getattr open read execute map };
allow init vdc:process transition;
allow vdc vdc_exec:file { entrypoint open read execute getattr map };
# noatsecure denied quietly -> AT_SECURE set in vdc.
dontaudit init vdc:process noatsecure;
# Inherited signal state/rlimits (dontaudit candidate per upstream); the rule
# and the default type_transition are declared next.
#line 3
allow init vdc:process { siginh rlimitinh };
type_transition init vdc_exec:process vdc;

# vdc's stdin/stdout are fds it inherits from vehicle_binding_util.
allow vdc vehicle_binding_util:fd use;

#line 1 "system/sepolicy/private/vehicle_binding_util.te"
# Vehicle binding utility, run at startup by init.
type vehicle_binding_util, domain, coredomain;
type vehicle_binding_util_exec, exec_type, file_type, system_file_type;

# init starts vehicle_binding_util (expanded init-daemon macro; no sigchld
# rule is emitted for an init caller).
#line 6
allow init vehicle_binding_util_exec:file { getattr open read execute map };
allow init vehicle_binding_util:process transition;
allow vehicle_binding_util vehicle_binding_util_exec:file { entrypoint open read execute getattr map };
# noatsecure denied quietly -> AT_SECURE set in vehicle_binding_util.
dontaudit init vehicle_binding_util:process noatsecure;
# Inherited signal state/rlimits (dontaudit candidate per upstream).
allow init vehicle_binding_util:process { siginh rlimitinh };
type_transition init vehicle_binding_util_exec:process vehicle_binding_util;

# Log to kmsg during boot (append/write only, no read).
allow vehicle_binding_util kmsg_device:chr_file { getattr { open append write lock map } };

# Read the binding property from the HIDL VHAL: hwbinder use with
# hwservicemanager, which does getpidcon on its clients (/dev/hwbinder and
# /dev/ashmem access come from domain.te).
#line 12
allow vehicle_binding_util hwservicemanager:binder { call transfer };
allow hwservicemanager vehicle_binding_util:binder { call transfer };
allow hwservicemanager vehicle_binding_util:dir search;
allow hwservicemanager vehicle_binding_util:file { read open map };
allow hwservicemanager vehicle_binding_util:process getattr;

# The same for the AIDL VHAL, via servicemanager.
#line 14
allow vehicle_binding_util servicemanager:binder { call transfer };
allow servicemanager vehicle_binding_util:binder { call transfer };
allow servicemanager vehicle_binding_util:dir search;
allow servicemanager vehicle_binding_util:file { read open };
allow servicemanager vehicle_binding_util:process getattr;

# Client of the vehicle HAL. TODO(b/34170079): until passthrough handling is
# conditional on Treble, the domain also joins hal_vehicle so an in-process
# HAL can run, and may locate (and execute) HAL implementations under
# system_file/vendor_file.
#line 15
typeattribute vehicle_binding_util halclientdomain;
typeattribute vehicle_binding_util hal_vehicle_client;
typeattribute vehicle_binding_util hal_vehicle;
allow hal_vehicle system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_vehicle vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_vehicle vendor_file:file { read open getattr execute map };

# Execute vdc with a domain transition (expanded domain-transition macro; the
# rules are declared next).
#line 18
#line 18
# vehicle_binding_util -> vdc via vdc_exec.
allow vehicle_binding_util vdc_exec:file { getattr open read execute map };
allow vehicle_binding_util vdc:process transition;
allow vdc vdc_exec:file { entrypoint open read execute getattr map };
allow vdc vehicle_binding_util:process sigchld;
# noatsecure denied quietly -> AT_SECURE set in vdc.
dontaudit vehicle_binding_util vdc:process noatsecure;
# Inherited signal state/rlimits (dontaudit candidate per upstream).
allow vehicle_binding_util vdc:process { siginh rlimitinh };
type_transition vehicle_binding_util vdc_exec:process vdc;

# vdc's output is redirected through a pty, hence read/write on devpts.
allow vehicle_binding_util devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };

#line 1 "system/sepolicy/private/vendor_init.te"
# Files cannot be created on sysfs, so a write attempt on a sysfs dir is not a
# threat; init sometimes writes to non-existent files to avoid conditional init
# behaviour (see b/35303861). Silenced rather than allowed.
dontaudit vendor_init sysfs:dir write;

# TODO(b/140259336): vendor_init is meant to go away; for now it keeps
# read/write access to the system data root directory.
allow vendor_init system_data_root_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };

# vendor_init may set service.adb.tcp.port (adbd_config_prop) through init's
# property service.
#line 10
allow vendor_init property_socket:sock_file write;
allow vendor_init init:unix_stream_socket connectto;
allow vendor_init adbd_config_prop:property_service set;
allow vendor_init adbd_config_prop:file { getattr open read map };

# Read-only: AVF device-config changes, and the apex.<name>.ready properties
# used to start services from a vendor APEX.
#line 13
allow vendor_init device_config_virtualization_framework_native_prop:file { getattr open read map };
#line 16
allow vendor_init apex_ready_prop:file { getattr open read map };

# chown/chmod on device nodes (e.g. /dev/ttyHS0); keychord, VM manager, port,
# lowpan and hardware RNG devices are carved out.
allow vendor_init { dev_type -keychord_device -vm_manager_device_type -port_device -lowpan_device -hw_random_device }:chr_file setattr;

#line 34 "system/sepolicy/private/vfio_handler.te"
# is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT)
# Nothing from vfio_handler.te survived expansion: its rules appear to sit
# behind the build flag above, which is evidently off in this build.

#line 1 "system/sepolicy/private/viewcompiler.te"
type viewcompiler, domain, coredomain, mlstrustedsubject;
type viewcompiler_exec, system_file_type, exec_type, file_type;
type viewcompiler_tmpfs, file_type;

# Reading an APK opens a ZipArchive, which unpacks into tmpfs. A dedicated
# tmpfs label (tmpfs_domain()) keeps viewcompiler's tmpfs files distinguishable
# in policy from those of other processes.
#line 11
type_transition viewcompiler tmpfs:file viewcompiler_tmpfs;
allow viewcompiler viewcompiler_tmpfs:file { read write getattr map };
# installd passes fds to viewcompiler.
allow viewcompiler installd:fd use;

# viewcompiler writes compiled layout dex files into app data (getattr and
# write only; no open or create).
allow viewcompiler app_data_file:file { getattr write };
# Resources are read from the app's APK.
allow viewcompiler apk_data_file:file { read map };

# Priv-apps are moving towards executing signed code only: viewcompiler must
# never be able to write into priv-app directories, so it cannot introduce
# unsigned executable code there.
neverallow viewcompiler privapp_data_file:file { append create link unlink relabelfrom rename setattr write };

#line 1 "system/sepolicy/private/virtual_camera.te"
# virtual_camera - virtual camera daemon
type virtual_camera, domain, coredomain;
type virtual_camera_exec, system_file_type, exec_type, file_type;

# init starts virtual_camera (expanded init-daemon macro; no sigchld rule is
# emitted for an init caller).
#line 6
allow init virtual_camera_exec:file { getattr open read execute map };
allow init virtual_camera:process transition;
allow virtual_camera virtual_camera_exec:file { entrypoint open read execute getattr map };
# noatsecure denied quietly -> AT_SECURE set in virtual_camera.
dontaudit init virtual_camera:process noatsecure;
# Inherited signal state/rlimits (dontaudit candidate per upstream).
allow init virtual_camera:process { siginh rlimitinh };
type_transition init virtual_camera_exec:process virtual_camera;

# virtual_camera is not a real HAL, so instead of
# hal_server_domain(virtual_camera, hal_camera) only the rules actually needed
# from halserverdomain and hal_camera_server are spelled out. First, binder use
# with servicemanager (servicemanager does getpidcon on its clients; the
# remaining rules for that are declared next).
#line 11
allow virtual_camera servicemanager:binder { call transfer };
allow servicemanager virtual_camera:binder { call transfer };
allow servicemanager virtual_camera:dir search;
allow servicemanager virtual_camera:file { read open };
allow servicemanager virtual_camera:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to all domains
# in domain.te.

# Binder client of cameraserver, system_server and mediaserver: the daemon may
# call them, they may hand references back on the reply, and descriptors they
# return may be used. mediaserver is needed so a Surface originating from a
# virtual camera can be used there.
allow virtual_camera { cameraserver system_server mediaserver }:binder { call transfer };
allow { cameraserver system_server mediaserver } virtual_camera:binder transfer;
allow virtual_camera { cameraserver system_server mediaserver }:fd use;

# Codec access, so video can be decoded into the Surface the virtual camera
# provides. virtual_camera becomes a hal_codec2 / hal_omx client and - for
# passthrough (in-process) HAL support - a member of the server attributes too.
# Two consequences worth keeping in mind:
#  - every rule granted to hal_codec2 or hal_omx elsewhere in the policy also
#    applies to virtual_camera;
#  - the lookup rules below are granted to the attribute, i.e. to every
#    hal_codec2 / hal_omx member, not only to virtual_camera.
typeattribute virtual_camera halclientdomain;
typeattribute virtual_camera hal_codec2_client;
typeattribute virtual_camera hal_codec2;
typeattribute virtual_camera hal_omx_client;
typeattribute virtual_camera hal_omx;
# Find passthrough HAL implementations.
# TODO(b/34170079): make these conditional on non-Treble devices as well.
allow { hal_codec2 hal_omx } system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow { hal_codec2 hal_omx } vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow { hal_codec2 hal_omx } vendor_file:file { read open getattr execute map };

# Apps: virtual_camera may call any app over binder, apps may transfer
# references back on the reply, and descriptors from apps may be used.
allow virtual_camera appdomain:binder { call transfer };
allow appdomain virtual_camera:binder transfer;
allow virtual_camera appdomain:fd use;
# NOTE(review): the rule below is fully subsumed by `appdomain:fd use` just
# above, so the -isolated_app exclusion has no effect (the set difference only
# makes sense if isolated_app is part of appdomain, and then the broader rule
# already covers it). If isolated apps are meant to be excluded, the three
# appdomain rules above need the same carve-out.
allow virtual_camera { appdomain -isolated_app }:fd use;

# Only virtual_camera may register virtual_camera_service. (The debug-only
# binder-over-TCP rule of the service registration helper expanded to nothing
# in this build.)
allow virtual_camera virtual_camera_service:service_manager { add find };
neverallow { domain -virtual_camera } virtual_camera_service:service_manager add;

# Graphic buffer mapping: client of the graphics allocator HAL plus the
# passthrough server attribute; the same attribute-wide caveat as above applies.
typeattribute virtual_camera hal_graphics_allocator_client;
typeattribute virtual_camera hal_graphics_allocator;
allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_graphics_allocator vendor_file:file { read open getattr execute map };

# GPU: read/write on the device node, read-only on its directory.
allow virtual_camera gpu_device:chr_file {
  getattr open read ioctl lock map watch watch_reads append write
};
allow virtual_camera gpu_device:dir { open getattr read search ioctl lock watch watch_reads };

# Fences (descriptors) handed over by the graphics composer.
allow virtual_camera hal_graphics_composer:fd use;

# Bugreport collection: write into the pipe dumpstate passes in.
allow virtual_camera dumpstate:fd use;
allow virtual_camera dumpstate:fifo_file write;

# Needed for permission checks.
allow virtual_camera permission_service:service_manager find;

#line 1 "system/sepolicy/private/virtual_touchpad.te"
typeattribute virtual_touchpad coredomain;

# init execs virtual_touchpad_exec and the child enters the virtual_touchpad
# domain by default.
allow init virtual_touchpad_exec:file { getattr open read execute map };
allow init virtual_touchpad:process transition;
allow virtual_touchpad virtual_touchpad_exec:file { entrypoint open read execute getattr map };
# AT_SECURE (libc secure mode) stays enabled; the noatsecure check is expected
# and silenced.
dontaudit init virtual_touchpad:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init virtual_touchpad:process { siginh rlimitinh };
type_transition init virtual_touchpad_exec:process virtual_touchpad;

#line 1 "system/sepolicy/private/virtualizationmanager.te"
# Domain for a child process that manages virtual machines on behalf of its
# parent.
type virtualizationmanager, domain, coredomain;
type virtualizationmanager_exec, system_file_type, exec_type, file_type;

# Use an adb connection it inherits: the descriptor itself, plus
# read/write/getattr on the underlying stream socket.
allow virtualizationmanager adbd:fd use;
allow virtualizationmanager adbd:unix_stream_socket { getattr read write };

# Write VM logs to the shell console.
allow virtualizationmanager devpts:chr_file { read write getattr ioctl };

# Let the virtualizationmanager domain use Binder.
# Call the servicemanager and transfer references to it.
allow virtualizationmanager servicemanager:binder { call transfer };
# servicemanager may send callbacks, and performs getpidcon on its clients.
allow servicemanager virtualizationmanager:binder { call transfer };
allow servicemanager virtualizationmanager:dir search;
allow servicemanager virtualizationmanager:file { read open };
allow servicemanager virtualizationmanager:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to all domains
# in domain.te.

# Find and call virtualizationservice; it may transfer references and
# descriptors back on the reply.
allow virtualizationmanager virtualization_service:service_manager find;
allow virtualizationmanager virtualizationservice:binder { call transfer };
allow virtualizationservice virtualizationmanager:binder transfer;
allow virtualizationmanager virtualizationservice:fd use;

# Call into system_server for two native services: permission_service (to
# check permissions) and package_native (staged APEX info).
allow virtualizationmanager system_server:binder { call transfer };
allow system_server virtualizationmanager:binder transfer;
allow virtualizationmanager system_server:fd use;
allow virtualizationmanager { package_native_service permission_service }:service_manager find;

# Executing a crosvm_exec file lands the child in the crosvm domain by default.
allow virtualizationmanager crosvm_exec:file { getattr open read execute map };
allow virtualizationmanager crosvm:process transition;
allow crosvm crosvm_exec:file { entrypoint open read execute getattr map };
allow crosvm virtualizationmanager:process sigchld;
# AT_SECURE stays enabled for crosvm; the noatsecure check is expected noise.
dontaudit virtualizationmanager crosvm:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow virtualizationmanager crosvm:process { siginh rlimitinh };
type_transition virtualizationmanager crosvm_exec:process crosvm;
# ...and the VM process it spawned may be killed.
allow virtualizationmanager crosvm:process sigkill;

# Entries inside virtualizationservice's temporary directories: read/write on
# the directory; create/rename/setattr/unlink plus read/write on files and
# sockets in it.
allow virtualizationmanager virtualizationservice_data_file:dir {
  open getattr read search ioctl lock watch watch_reads write add_name remove_name
};
allow virtualizationmanager virtualizationservice_data_file:{ file sock_file } {
  create rename setattr unlink
  getattr open read ioctl lock map watch watch_reads append write
};

# Files from the various clients are read (and, for mutable partitions such as
# instance.img, written) but deliberately never opened here: `open` is absent
# from every rule below, so the client has to pass the descriptor over Binder.
allow virtualizationmanager apk_data_file:file { getattr read };
allow virtualizationmanager {
  app_data_file apex_compos_data_file apex_virt_data_file privapp_data_file
}:file { getattr read write };
# shell_data_file is used for automated tests and manual debugging.
allow virtualizationmanager shell_data_file:file { getattr read write };

# apex-info-list.xml and the APEX files it lists, including staged ones.
allow virtualizationmanager apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
allow virtualizationmanager apex_data_file:dir search;
allow virtualizationmanager staging_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow virtualizationmanager staging_data_file:dir search;

# Run derive_classpath in this domain (execute_no_trans, no domain change).
allow virtualizationmanager derive_classpath_exec:file {
  getattr open read ioctl lock map watch watch_reads execute execute_no_trans
};
allow virtualizationmanager apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads };

# Ignore harmless denials on /proc/self/fd.
dontaudit virtualizationmanager self:dir write;

# Accept vsock connections from the guest VMs it manages.
allow virtualizationmanager self:vsock_socket {
  create read getattr write setattr lock append bind connect getopt setopt shutdown map
  listen accept
};

# Hypervisor capability properties, including the restricted set.
allow virtualizationmanager hypervisor_prop:file { getattr open read map };
allow virtualizationmanager hypervisor_restricted_prop:file { getattr open read map };

# Custom pvmfw.img / virtualizationmanager configuration properties. In this
# build only a dontaudit is present for each, so the read is denied silently;
# the neverallow forbids granting any access to anything but init and dumpstate.
# NOTE(review): presumably the read is granted only in debug or flag-enabled
# builds - confirm against the unexpanded source before relying on it.
dontaudit virtualizationmanager hypervisor_pvmfw_prop:file read;
neverallow { domain -init -dumpstate } hypervisor_pvmfw_prop:file {
  append create link unlink relabelfrom rename setattr write
  open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads
};
dontaudit virtualizationmanager hypervisor_virtualizationmanager_prop:file read;
neverallow { domain -init -dumpstate } hypervisor_virtualizationmanager_prop:file {
  append create link unlink relabelfrom rename setattr write
  open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads
};

# Push guest ramdumps through tombstoned: connect to its crash socket, then
# append to the tombstone file it passes back as a descriptor.
allow virtualizationmanager tombstoned_crash_socket:sock_file write;
allow virtualizationmanager tombstoned:unix_stream_socket connectto;
allow virtualizationmanager tombstone_data_file:file { append getattr };
allow virtualizationmanager tombstoned:fd use;

# Read the AVF device tree (VM reference DT and AVF debug policy) from /proc
# and /sys.
allow virtualizationmanager { proc_dt_avf sysfs_dt_avf }:dir { open getattr read search ioctl lock watch watch_reads };
allow virtualizationmanager { proc_dt_avf sysfs_dt_avf }:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };

# Client of the Secretkeeper HAL: ferries SecretManagement messages from the
# pVM to the HAL. As with the other HAL clients it also gets the server
# attribute for passthrough mode, and the lookup rules are granted to
# hal_secretkeeper as a whole (every member), not just to this domain.
typeattribute virtualizationmanager halclientdomain;
typeattribute virtualizationmanager hal_secretkeeper_client;
typeattribute virtualizationmanager hal_secretkeeper;
# Find passthrough HAL implementations.
# TODO(b/34170079): make these conditional on non-Treble devices as well.
allow hal_secretkeeper system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_secretkeeper vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_secretkeeper vendor_file:file { read open getattr execute map };

# Opening test artifacts under /data/local/tmp by path (e.g. a custom debug
# policy) is not granted in this build; that rule expanded to nothing here.

# Microdroid files in the vendor partition are readable by this domain...
allow virtualizationmanager vendor_microdroid_file:dir { open getattr read search ioctl lock watch watch_reads };
allow virtualizationmanager vendor_microdroid_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
# ...and writable by no domain at all. Note `{ domain }` carries no exclusions
# here, so not even init can be granted write access to them.
neverallow { domain } vendor_microdroid_file:dir {
  add_name create link relabelfrom remove_name rename reparent rmdir setattr write
};
neverallow { domain } vendor_microdroid_file:file {
  append create link unlink relabelfrom rename setattr write
};

# Read /proc/[crosvm pid]/ to collect CPU and memory usage inside the VM.
allow virtualizationmanager crosvm:dir { open getattr read search ioctl lock watch watch_reads };
allow virtualizationmanager crosvm:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };

# For debugging, the canonical path is resolved via /proc/self/fd/N. That
# triggers a harmless search denial for CompOS log files, so silence it.
dontaudit virtualizationmanager apex_module_data_file:dir search;

#line 1 "system/sepolicy/private/virtualizationservice.te"
type virtualizationservice, domain, coredomain;
type virtualizationservice_exec, system_file_type, exec_type, file_type;

# mlstrustedsubject is needed to change the memlock rlimit of a
# virtualizationmanager process running at a more constrained MLS level.
typeattribute virtualizationservice mlstrustedsubject;

# When init runs a file labelled virtualizationservice_exec, run it in the
# virtualizationservice domain.
allow init virtualizationservice_exec:file { getattr open read execute map };
allow init virtualizationservice:process transition;
allow virtualizationservice virtualizationservice_exec:file { entrypoint open read execute getattr map };
# AT_SECURE (libc secure mode) stays enabled; the noatsecure check is expected
# and silenced.
dontaudit init virtualizationservice:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init virtualizationservice:process { siginh rlimitinh };
type_transition init virtualizationservice_exec:process virtualizationservice;

# Let the virtualizationservice domain use Binder.
# Call servicemanager and accept its callbacks; servicemanager performs
# getpidcon on its clients.
allow virtualizationservice servicemanager:binder { call transfer };
allow servicemanager virtualizationservice:binder { call transfer };
allow servicemanager virtualizationservice:dir search;
allow servicemanager virtualizationservice:file { read open };
allow servicemanager virtualizationservice:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to all domains
# in domain.te.

# Register virtualization_service; nobody else may add it. (The debug-only
# binder-over-TCP rule of the registration helper expanded to nothing here.)
allow virtualizationservice virtualization_service:service_manager { add find };
neverallow { domain -virtualizationservice } virtualization_service:service_manager add;

# Serve the remotely provisioned component used for pVM remote attestation.
typeattribute virtualizationservice halserverdomain;
typeattribute virtualizationservice hal_remotelyprovisionedcomponent_avf_server;
typeattribute virtualizationservice hal_remotelyprovisionedcomponent_avf;

# Call into system_server to find permission_service.
allow virtualizationservice system_server:binder { call transfer };
allow system_server virtualizationservice:binder transfer;
allow virtualizationservice system_server:fd use;
allow virtualizationservice permission_service:service_manager find;

# Retrieve remotely provisioned keys from rkpd.
allow virtualizationservice remote_provisioning_service:binder { call transfer };
allow remote_provisioning_service virtualizationservice:binder transfer;
allow virtualizationservice remote_provisioning_service:fd use;
allow virtualizationservice remote_provisioning_service:service_manager find;

# Manage VM secrets via Secretkeeper: client attribute plus the passthrough
# server attribute. The lookup rules are granted to hal_secretkeeper as a
# whole, i.e. to every member of that attribute.
typeattribute virtualizationservice halclientdomain;
typeattribute virtualizationservice hal_secretkeeper_client;
typeattribute virtualizationservice hal_secretkeeper;
# Find passthrough HAL implementations.
# TODO(b/34170079): make these conditional on non-Treble devices as well.
allow hal_secretkeeper system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_secretkeeper vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_secretkeeper vendor_file:file { read open getattr execute map };

# Remove the memlock rlimit of virtualizationmanager so VM memory and page
# tables can be mlocked. The neverallow at the end of this file pins the
# setrlimit target to virtualizationmanager and virtualizationservice itself.
allow virtualizationservice self:capability sys_resource;
allow virtualizationservice virtualizationmanager:process setrlimit;

# Set the owner of a VM's temporary directory.
allow virtualizationservice self:capability chown;

# Create and delete VM temporary directories. Removing old directories needs
# unlink on the files and sockets virtualizationmanager created inside them.
allow virtualizationservice virtualizationservice_data_file:dir {
  create reparent rename rmdir setattr
  open getattr read search ioctl lock watch watch_reads write add_name remove_name
};
allow virtualizationservice virtualizationservice_data_file:sock_file unlink;
allow virtualizationservice virtualizationservice_data_file:file {
  create rename setattr unlink
  getattr open read ioctl lock map watch watch_reads append write
};

# Use a descriptor (e.g. /dev/pts/0) inherited from adbd so crosvm output can
# be redirected to the console.
allow virtualizationservice adbd:fd use;
allow virtualizationservice adbd:unix_stream_socket { read write };

# Connect to and run VirtMgr to start the service VM for remote attestation.
# Executing virtualizationmanager_exec transitions into virtualizationmanager.
allow virtualizationservice virtualizationmanager_exec:file { getattr open read execute map };
allow virtualizationservice virtualizationmanager:process transition;
allow virtualizationmanager virtualizationmanager_exec:file { entrypoint open read execute getattr map };
allow virtualizationmanager virtualizationservice:process sigchld;
# AT_SECURE stays enabled; the noatsecure check is expected noise.
dontaudit virtualizationservice virtualizationmanager:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow virtualizationservice virtualizationmanager:process { siginh rlimitinh };
type_transition virtualizationservice virtualizationmanager_exec:process virtualizationmanager;
# UDS between this client and virtualizationmanager / crosvm, descriptor
# passing in both directions, and the console log pipe. (fd use on
# virtualizationmanager also covers the VM DTBO file it creates.)
allow { virtualizationmanager crosvm } virtualizationservice:unix_stream_socket { ioctl getattr read write };
allow { virtualizationmanager crosvm } virtualizationservice:fd use;
allow virtualizationservice virtualizationmanager:fd use;
allow { virtualizationmanager crosvm } virtualizationservice:fifo_file { ioctl getattr read write };
# The client may read/write the vsock virtualizationmanager created for its VM,
# but gets no create permission: it can only talk to VMs it owns.
allow virtualizationservice virtualizationmanager:vsock_socket { getattr getopt read write };
# Inspect hypervisor capabilities.
allow virtualizationservice hypervisor_prop:file { getattr open read map };
# Read (but not open) the crashdump provided by virtualizationmanager.
allow virtualizationservice virtualizationservice_data_file:file { getattr read };

# Read/write the apex data directory /data/misc/apexdata/com.android.virt; the
# parent directory is checked too (needed for SQLite database creation).
allow virtualizationservice apex_module_data_file:dir { search getattr };
allow virtualizationservice apex_virt_data_file:dir {
  create reparent rename rmdir setattr
  open getattr read search ioctl lock watch watch_reads write add_name remove_name
};
allow virtualizationservice apex_virt_data_file:file {
  create rename setattr unlink
  getattr open read ioctl lock map watch watch_reads append write
};

# Accept vsock connections from guest VMs to singleton services such as the
# guest tombstone server.
allow virtualizationservice self:vsock_socket {
  create read getattr write setattr lock append bind connect getopt setopt shutdown map
  listen accept
};

# Read/write its own sysprop. The neverallow at the end of this file restricts
# set access to init and this domain.
allow virtualizationservice property_socket:sock_file write;
allow virtualizationservice init:unix_stream_socket connectto;
allow virtualizationservice virtualizationservice_prop:property_service set;
allow virtualizationservice virtualizationservice_prop:file { getattr open read map };

# Write stats to statsd.
allow virtualizationservice statsdw_socket:sock_file write;
allow virtualizationservice statsd:unix_dgram_socket sendto;

# Push guest tombstones through tombstoned, appending to the tombstone file it
# passes back as a descriptor.
allow virtualizationservice tombstoned_crash_socket:sock_file write;
allow virtualizationservice tombstoned:unix_stream_socket connectto;
allow virtualizationservice tombstone_data_file:file { append getattr };
allow virtualizationservice tombstoned:fd use;

# Check whether VFIO is supported: attributes only, no open on the device node.
allow virtualizationservice vfio_device:chr_file getattr;
allow virtualizationservice vfio_device:dir { open getattr read search ioctl lock watch watch_reads };

# List of assignable devices, read from vendor_configs_file.
allow virtualizationservice vendor_configs_file:dir { open getattr read search ioctl lock watch watch_reads };
allow virtualizationservice vendor_configs_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };

# Invariants: only init and virtualizationservice may set its property; only
# init, virtualizationmanager and virtualizationservice may open or create
# files in the VM data directory; virtualizationservice may setrlimit only
# itself and virtualizationmanager.
neverallow { domain -init -virtualizationservice } virtualizationservice_prop:property_service set;
neverallow { domain -init -virtualizationmanager -virtualizationservice } virtualizationservice_data_file:file { open create };
neverallow virtualizationservice { domain -virtualizationmanager -virtualizationservice }:process setrlimit;

#line 1 "system/sepolicy/private/vold.te"
typeattribute vold coredomain;

# init execs vold_exec and the child enters the vold domain by default.
allow init vold_exec:file { getattr open read execute map };
allow init vold:process transition;
allow vold vold_exec:file { entrypoint open read execute getattr map };
# AT_SECURE (libc secure mode) stays enabled; the noatsecure check is expected
# and silenced.
dontaudit init vold:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init vold:process { siginh rlimitinh };
type_transition init vold_exec:process vold;

# Switch to more restrictive domains when executing common tools.
# sgdisk, sdcardd, fuseblkd_untrusted and e2fs (mkfs.ext4) each get an
# automatic transition: executing the tool lands the child in its own domain
# via the type_transition, the child may signal vold on exit, and AT_SECURE
# stays enabled (the noatsecure check is expected and silenced).
allow vold sgdisk_exec:file { getattr open read execute map };
allow vold sgdisk:process transition;
allow sgdisk sgdisk_exec:file { entrypoint open read execute getattr map };
allow sgdisk vold:process sigchld;
dontaudit vold sgdisk:process noatsecure;
allow vold sgdisk:process { siginh rlimitinh };
type_transition vold sgdisk_exec:process sgdisk;

allow vold sdcardd_exec:file { getattr open read execute map };
allow vold sdcardd:process transition;
allow sdcardd sdcardd_exec:file { entrypoint open read execute getattr map };
allow sdcardd vold:process sigchld;
dontaudit vold sdcardd:process noatsecure;
allow vold sdcardd:process { siginh rlimitinh };
type_transition vold sdcardd_exec:process sdcardd;

allow vold fuseblkd_untrusted_exec:file { getattr open read execute map };
allow vold fuseblkd_untrusted:process transition;
allow fuseblkd_untrusted fuseblkd_untrusted_exec:file { entrypoint open read execute getattr map };
allow fuseblkd_untrusted vold:process sigchld;
dontaudit vold fuseblkd_untrusted:process noatsecure;
allow vold fuseblkd_untrusted:process { siginh rlimitinh };
type_transition vold fuseblkd_untrusted_exec:process fuseblkd_untrusted;

# Switch to the e2fs domain when running mkfs.ext4 to format a partition.
allow vold e2fs_exec:file { getattr open read execute map };
allow vold e2fs:process transition;
allow e2fs e2fs_exec:file { entrypoint open read execute getattr map };
allow e2fs vold:process sigchld;
dontaudit vold e2fs:process noatsecure;
allow vold e2fs:process { siginh rlimitinh };
type_transition vold e2fs_exec:process e2fs;

# For a handful of probing tools (blkid, fsck) vold chooses the target domain
# itself, picking an even more restrictive one when working with untrusted
# block devices. These four transitions deliberately have no type_transition:
# the same blkid_exec / fsck_exec label may land in either the normal or the
# _untrusted domain, so vold must request the transition explicitly at exec
# time instead of relying on a default.
allow vold blkid_exec:file { getattr open read execute map };
allow vold blkid:process transition;
allow blkid blkid_exec:file { entrypoint open read execute getattr map };
allow blkid vold:process sigchld;
dontaudit vold blkid:process noatsecure;
allow vold blkid:process { siginh rlimitinh };

allow vold blkid_untrusted:process transition;
allow blkid_untrusted blkid_exec:file { entrypoint open read execute getattr map };
allow blkid_untrusted vold:process sigchld;
dontaudit vold blkid_untrusted:process noatsecure;
allow vold blkid_untrusted:process { siginh rlimitinh };

allow vold fsck_exec:file { getattr open read execute map };
allow vold fsck:process transition;
allow fsck fsck_exec:file { entrypoint open read execute getattr map };
allow fsck vold:process sigchld;
dontaudit vold fsck:process noatsecure;
allow vold fsck:process { siginh rlimitinh };

allow vold fsck_untrusted:process transition;
allow fsck_untrusted fsck_exec:file { entrypoint open read execute getattr map };
allow fsck_untrusted vold:process sigchld;
dontaudit vold fsck_untrusted:process noatsecure;
allow vold fsck_untrusted:process { siginh rlimitinh };

# Newly created storage dirs are always treated as mount stubs to prevent us
# from accidentally writing when the mount point isn't present.
type_transition vold storage_file:dir storage_stub_file;
type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;

# Property service. Read-only properties first...
allow vold { vold_config_prop storage_config_prop incremental_prop gsid_prop }:file { getattr open read map };
# ...then the properties vold sets. The property_socket / init rules are the
# plumbing shared by every setter and are stated once.
allow vold property_socket:sock_file write;
allow vold init:unix_stream_socket connectto;
allow vold { vold_prop vold_status_prop powerctl_prop }:property_service set;
allow vold { vold_prop vold_status_prop powerctl_prop }:file { getattr open read map };
#line
35 allow vold ctl_fuse_prop:property_service set; #line 35 #line 35 allow vold ctl_fuse_prop:file { getattr open read map }; #line 35 #line 35 #line 36 #line 36 allow vold property_socket:sock_file write; #line 36 allow vold init:unix_stream_socket connectto; #line 36 #line 36 allow vold restorecon_prop:property_service set; #line 36 #line 36 allow vold restorecon_prop:file { getattr open read map }; #line 36 #line 36 #line 37 #line 37 allow vold property_socket:sock_file write; #line 37 allow vold init:unix_stream_socket connectto; #line 37 #line 37 allow vold ota_prop:property_service set; #line 37 #line 37 allow vold ota_prop:file { getattr open read map }; #line 37 #line 37 #line 38 #line 38 allow vold property_socket:sock_file write; #line 38 allow vold init:unix_stream_socket connectto; #line 38 #line 38 allow vold boottime_prop:property_service set; #line 38 #line 38 allow vold boottime_prop:file { getattr open read map }; #line 38 #line 38 #line 39 #line 39 allow vold property_socket:sock_file write; #line 39 allow vold init:unix_stream_socket connectto; #line 39 #line 39 allow vold boottime_public_prop:property_service set; #line 39 #line 39 allow vold boottime_public_prop:file { getattr open read map }; #line 39 #line 39 # Vold will use Keystore instead of using Keymint directly. But it still needs # to manage its Keymint blobs. This is why it needs the `manage_blob` permission. 
# --- vold.te (tail): keystore access and per-user directory ownership, followed
# by vold_prepare_subdirs.te and the start of vzwomatrigger_app.te.
allow vold vold_key:keystore2_key { convert_storage_key_to_ephemeral delete get_info manage_blob rebind req_forced_op update use };
# vold needs to call keystore methods
allow vold keystore:binder call;
# vold needs to find keystore2 services
allow vold keystore_service:service_manager find;
allow vold keystore_maintenance_service:service_manager find;
# vold needs to be able to call earlyBootEnded() and deleteAllKeys()
allow vold keystore:keystore2 early_boot_ended;
allow vold keystore:keystore2 delete_all_keys;
# Only the listed domains may look up vold's binder service; every other
# domain is denied at policy-compile time.
neverallow { domain -system_server -vdc -vold -update_verifier -apexd -gsid } vold_service:service_manager find;
# Allow vold to create and delete per-user directories like /data/user/$userId.
allow vold { media_userdir_file system_userdir_file vendor_userdir_file }:dir { add_name remove_name write };
# Only vold should create (and delete) per-user directories like
# /data/user/$userId. This is very important, as these directories need to be
# encrypted with per-user keys, which only vold can do. Encryption can only be
# set up on empty directories, so creation and encryption must happen together.
neverallow { domain -vold } { media_userdir_file system_userdir_file vendor_userdir_file }:dir { add_name remove_name write };
#line 1 "system/sepolicy/private/vold_prepare_subdirs.te"
#line 1
# Allow the necessary permissions.
#line 1
#line 1
# Old domain may exec the file and transition to the new domain.
#line 1
allow vold vold_prepare_subdirs_exec:file { getattr open read execute map };
#line 1
allow vold vold_prepare_subdirs:process transition;
#line 1
# New domain is entered by executing the file.
#line 1
allow vold_prepare_subdirs vold_prepare_subdirs_exec:file { entrypoint open read execute getattr map };
#line 1
# New domain can send SIGCHLD to its caller.
#line 1
allow vold_prepare_subdirs vold:process sigchld;
#line 1
# Enable AT_SECURE, i.e. libc secure mode.
#line 1
dontaudit vold vold_prepare_subdirs:process noatsecure;
#line 1
# XXX dontaudit candidate but requires further study.
#line 1
allow vold vold_prepare_subdirs:process { siginh rlimitinh };
#line 1
#line 1
# Make the transition occur by default.
#line 1
type_transition vold vold_prepare_subdirs_exec:process vold_prepare_subdirs;
#line 1
typeattribute vold_prepare_subdirs mlstrustedsubject;
# shell and toolbox binaries are run in-domain (execute_no_trans), not via a
# domain transition.
allow vold_prepare_subdirs system_file:file execute_no_trans;
allow vold_prepare_subdirs shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow vold_prepare_subdirs toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow vold_prepare_subdirs devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow vold_prepare_subdirs vold:fd use;
allow vold_prepare_subdirs vold:fifo_file { read write };
allow vold_prepare_subdirs file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# NOTE(review): dac_override/dac_read_search plus setfscreate make this a
# privileged helper; the blast radius is bounded by the explicit relabelto /
# dir / file type lists below rather than by DAC — keep those lists tight.
allow vold_prepare_subdirs self:{ capability cap_userns } { chown dac_override dac_read_search fowner };
allow vold_prepare_subdirs self:process setfscreate;
allow vold_prepare_subdirs { sdk_sandbox_system_data_file system_data_file vendor_data_file }:dir { open read write add_name remove_name rmdir relabelfrom };
allow vold_prepare_subdirs { apex_data_file_type apex_module_data_file apex_rollback_data_file backup_data_file checkin_data_file face_vendor_data_file fingerprint_vendor_data_file iris_vendor_data_file rollback_data_file storaged_data_file sdk_sandbox_data_file sdk_sandbox_system_data_file system_data_file vold_data_file }:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelto };
allow vold_prepare_subdirs { apex_data_file_type apex_art_staging_data_file apex_module_data_file apex_rollback_data_file backup_data_file checkin_data_file face_vendor_data_file fingerprint_vendor_data_file iris_vendor_data_file rollback_data_file storaged_data_file sdk_sandbox_data_file system_data_file vold_data_file }:file { getattr unlink };
allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
allow vold_prepare_subdirs mnt_expand_file:dir search;
allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
# Migrate legacy labels to apex_system_server_data_file (b/217581286)
allow vold_prepare_subdirs { apex_appsearch_data_file apex_permission_data_file apex_scheduling_data_file apex_tethering_data_file apex_wifi_data_file }:dir relabelfrom;
# /data/misc is unlabeled during early boot.
allow vold_prepare_subdirs unlabeled:dir search;
dontaudit vold_prepare_subdirs { proc unlabeled }:file { getattr open read ioctl lock map watch watch_reads };
#line 1 "system/sepolicy/private/vzwomatrigger_app.te"
###
### A domain for further sandboxing the VzwOmaTrigger app.
###
type vzwomatrigger_app, domain;
#line 6
typeattribute vzwomatrigger_app appdomain;
#line 6
# Label tmpfs objects for all apps.
#line 6
type_transition vzwomatrigger_app tmpfs:file appdomain_tmpfs;
#line 6
#line 6
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 6
type vzwomatrigger_app_userfaultfd;
#line 6
type_transition vzwomatrigger_app vzwomatrigger_app:anon_inode vzwomatrigger_app_userfaultfd "[userfaultfd]";
#line 6
# Allow domain to create/use userfaultfd anon_inode.
#line 6
allow vzwomatrigger_app vzwomatrigger_app_userfaultfd:anon_inode { create ioctl read };
#line 6
# Suppress errors generated during bugreport
#line 6
dontaudit su vzwomatrigger_app_userfaultfd:anon_inode *;
#line 6
# Other domains may not use userfaultfd anon_inodes created by this domain.
# --- vzwomatrigger_app.te (tail), wait_for_keymaster.te, watchdogd.te and the
# start of webview_zygote.te.
#line 6
neverallow { domain -vzwomatrigger_app } vzwomatrigger_app_userfaultfd:anon_inode *;
#line 6
#line 6
allow vzwomatrigger_app appdomain_tmpfs:file { execute getattr map read write };
#line 6
# App-isolation pair: this app may not touch other domains' files, and other
# app domains may not touch its files (runas_app/shell/simpleperf excepted).
#line 6
neverallow { vzwomatrigger_app -runas_app -shell -simpleperf } { domain -vzwomatrigger_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 6
neverallow { appdomain -runas_app -shell -simpleperf -vzwomatrigger_app } vzwomatrigger_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 6
# The Android security model guarantees the confidentiality and integrity
#line 6
# of application data and execution state. Ptrace bypasses those
#line 6
# confidentiality guarantees. Disallow ptrace access from system components to
#line 6
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 6
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 6
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 6
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 6
# live lock conditions.
#line 6
# NOTE(review): the comment above says llkd is excluded, but the subject set
# of the rule below does not list -llkd; one of the two is stale — confirm
# which is intended (the rule as written is the stricter reading).
neverallow { domain -vzwomatrigger_app -crash_dump -runas_app -simpleperf } vzwomatrigger_app:process ptrace;
#line 6
#line 1 "system/sepolicy/private/wait_for_keymaster.te"
# wait_for_keymaster service. No longer used;
# here only so that downstream code compiles.
type wait_for_keymaster, domain, coredomain;
type wait_for_keymaster_exec, system_file_type, exec_type, file_type;
#line 1 "system/sepolicy/private/watchdogd.te"
typeattribute watchdogd coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init watchdogd_exec:file { getattr open read execute map };
#line 3
allow init watchdogd:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow watchdogd watchdogd_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
# (No sigchld rule is emitted here; presumably because the caller is init and
# that access is granted elsewhere — confirm.)
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init watchdogd:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init watchdogd:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init watchdogd_exec:process watchdogd;
#line 3
#line 3
#line 1 "system/sepolicy/private/webview_zygote.te"
# webview_zygote is an auxiliary zygote process that is used to spawn
# isolated_app processes for rendering untrusted web content.
typeattribute webview_zygote coredomain;
# The webview_zygote needs to be able to transition domains.
typeattribute webview_zygote mlstrustedsubject;
# Allow access to temporary files, which is normally permitted through
# a domain macro.
#line 11
type_transition webview_zygote tmpfs:file webview_zygote_tmpfs;
#line 11
allow webview_zygote webview_zygote_tmpfs:file { read write getattr map };
#line 11
;
#line 13
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 13
type webview_zygote_userfaultfd;
#line 13
type_transition webview_zygote webview_zygote:anon_inode webview_zygote_userfaultfd "[userfaultfd]";
#line 13
# Allow domain to create/use userfaultfd anon_inode.
#line 13
allow webview_zygote webview_zygote_userfaultfd:anon_inode { create ioctl read };
#line 13
# Suppress errors generated during bugreport
#line 13
dontaudit su webview_zygote_userfaultfd:anon_inode *;
#line 13
# Other domains may not use userfaultfd anon_inodes created by this domain.
# --- webview_zygote.te (body and neverallow section), then the start of
# wificond.te.
#line 13
neverallow { domain -webview_zygote } webview_zygote_userfaultfd:anon_inode *;
#line 13
# Allow reading/executing installed binaries to enable preloading the
# installed WebView implementation.
allow webview_zygote apk_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow webview_zygote apk_data_file:file { { getattr open read ioctl lock map watch watch_reads } execute };
# Access to the WebView relro file.
allow webview_zygote shared_relro_file:dir search;
allow webview_zygote shared_relro_file:file { getattr open read ioctl lock map watch watch_reads };
# Set the UID/GID of the process.
allow webview_zygote self:{ capability cap_userns } { setgid setuid };
# Drop capabilities from bounding set.
allow webview_zygote self:{ capability cap_userns } setpcap;
# Switch SELinux context to app domains.
allow webview_zygote self:process setcurrent;
allow webview_zygote isolated_app:process dyntransition;
# For art.
allow webview_zygote { apex_art_data_file dalvikcache_data_file }:dir { open getattr read search ioctl lock watch watch_reads };
allow webview_zygote dalvikcache_data_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
allow webview_zygote { apex_art_data_file dalvikcache_data_file }:file { { getattr open read ioctl lock map watch watch_reads } execute };
allow webview_zygote apex_module_data_file:dir search;
# To load overlay from /apex (vendor APEXes)
allow webview_zygote vendor_apex_metadata_file:dir search;
# Allow webview_zygote to create JIT memory.
allow webview_zygote self:process execmem;
# Allow webview_zygote to stat the files that it opens. It must
# be able to inspect them so that it can reopen them on fork
# if necessary: b/30963384.
allow webview_zygote debugfs_trace_marker:file getattr;
# Allow webview_zygote to manage the pgroup of its children.
allow webview_zygote system_server:process getpgid;
# Interaction between the webview_zygote and its children.
allow webview_zygote isolated_app:process setpgid;
# TODO (b/63631799) fix this access
# Suppress denials to storage. Webview zygote should not be accessing.
dontaudit webview_zygote mnt_expand_file:dir getattr;
# TODO (b/72957399) remove this when webview_zygote is reparented to
# app_process zygote
dontaudit webview_zygote dex2oat_exec:file execute;
# Get seapp_contexts
allow webview_zygote seapp_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# Check validity of SELinux context before use.
#line 66
#line 66
allow webview_zygote selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 66
allow webview_zygote selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 66
#line 66
allow webview_zygote selinuxfs:file { open append write lock map };
#line 66
allow webview_zygote kernel:security check_context;
#line 66
# Check SELinux permissions.
#line 68
#line 68
allow webview_zygote selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 68
allow webview_zygote selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 68
#line 68
allow webview_zygote selinuxfs:file { open append write lock map };
#line 68
allow webview_zygote kernel:security compute_av;
#line 68
allow webview_zygote self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
#line 68
# Directory listing in /system.
allow webview_zygote system_file:dir { open getattr read search ioctl lock watch watch_reads };
# Read and inspect temporary files (like system properties) managed by zygote.
allow webview_zygote zygote_tmpfs:file { read getattr };
# Child of zygote.
allow webview_zygote zygote:fd use;
allow webview_zygote zygote:process sigchld;
# Allow apps access to /vendor/overlay
#line 80
allow webview_zygote vendor_overlay_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 80
allow webview_zygote vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 80
allow webview_zygote same_process_hal_file:file { execute read open getattr map };
allow webview_zygote system_data_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
# Send unsolicited message to system_server
#line 87
allow webview_zygote system_unsolzygote_socket:sock_file write;
#line 87
allow webview_zygote system_server:unix_dgram_socket sendto;
#line 87
# Allow the webview_zygote to access the runtime feature flag properties.
#line 90
allow webview_zygote device_config_runtime_native_prop:file { getattr open read map };
#line 90
#line 91
allow webview_zygote device_config_runtime_native_boot_prop:file { getattr open read map };
#line 91
# Allow webview_zygote to access odsign verification status
# NOTE(review): the comment names webview_zygote but the rule below grants
# zygote, so webview_zygote itself gets no odsign_prop access from this file;
# confirm whether the subject or the comment is the one that is wrong.
#line 94
allow zygote odsign_prop:file { getattr open read map };
#line 94
# /data/resource-cache
allow webview_zygote resourcecache_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow webview_zygote resourcecache_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#####
##### Neverallow
#####
# Only permit transition to isolated_app.
neverallow webview_zygote { domain -isolated_app }:process dyntransition;
# Only setcon() transitions, no exec() based transitions, except for crash_dump.
neverallow webview_zygote { domain -crash_dump }:process transition;
# Must not exec() a program without changing domains.
# Having said that, exec() above is not allowed.
neverallow webview_zygote *:file execute_no_trans;
# The only way to enter this domain is for the zygote to fork a new
# webview_zygote child.
neverallow { domain -zygote } webview_zygote:process dyntransition;
# Disallow write access to properties.
neverallow webview_zygote property_socket:sock_file write;
neverallow webview_zygote property_type:property_service set;
# Should not have any access to app data files.
neverallow webview_zygote app_data_file_type:file { { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } { getattr execute execute_no_trans map } } };
neverallow webview_zygote { service_manager_type -activity_service -webviewupdate_service }:service_manager find;
# Isolated apps shouldn't be able to access the driver directly.
neverallow webview_zygote gpu_device:chr_file { { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } { getattr execute execute_no_trans map } } };
# Do not allow webview_zygote access to /cache.
neverallow webview_zygote cache_file:dir ~{ { open getattr read search ioctl lock watch watch_reads } };
neverallow webview_zygote cache_file:file ~{ read getattr };
# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
# unix_stream_socket, and netlink_selinux_socket.
neverallow webview_zygote domain:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } *;
# Do not allow access to Bluetooth-related system properties.
# neverallow rules for Bluetooth-related data files are listed above.
neverallow webview_zygote { bluetooth_a2dp_offload_prop bluetooth_audio_hal_prop bluetooth_prop exported_bluetooth_prop }:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
#line 1 "system/sepolicy/private/wificond.te"
typeattribute wificond coredomain;
#line 3
#line 3
allow wificond property_socket:sock_file write;
#line 3
allow wificond init:unix_stream_socket connectto;
#line 3
#line 3
allow wificond wifi_hal_prop:property_service set;
#line 3
#line 3
allow wificond wifi_hal_prop:file { getattr open read map };
#line 3
#line 3
#line 4
#line 4
allow wificond property_socket:sock_file write;
#line 4
allow wificond init:unix_stream_socket connectto;
#line 4
#line 4
allow wificond wifi_prop:property_service set;
#line 4
#line 4
allow wificond wifi_prop:file { getattr open read map };
#line 4
#line 4
#line 5
#line 5
allow wificond property_socket:sock_file write;
#line 5
allow wificond init:unix_stream_socket connectto;
#line 5
#line 5
allow wificond ctl_default_prop:property_service set;
#line 5
#line 5
allow wificond ctl_default_prop:file { getattr open read map };
#line 5
#line 5
#line 7
allow wificond hwservicemanager_prop:file { getattr open read map };
#line 7
allow wificond legacykeystore_service:service_manager find;
#line 11
#line 11
# Allow the necessary permissions.
#line 11
#line 11
# Old domain may exec the file and transition to the new domain.
#line 11
allow init wificond_exec:file { getattr open read execute map };
#line 11
allow init wificond:process transition;
#line 11
# New domain is entered by executing the file.
#line 11
allow wificond wificond_exec:file { entrypoint open read execute getattr map };
#line 11
# New domain can send SIGCHLD to its caller.
#line 11
#line 11
# Enable AT_SECURE, i.e. libc secure mode.
#line 11
dontaudit init wificond:process noatsecure;
#line 11
# XXX dontaudit candidate but requires further study.
# --- wificond.te (tail) and zygote.te: the zygote's capabilities, the
# domains it may dyntransition into, dalvik/resource cache access, app-data
# isolation mounts and cgroup control. The last rule of this span belongs to
# a section that continues past the end of the listing.
#line 11
allow init wificond:process { siginh rlimitinh };
#line 11
#line 11
# Make the transition occur by default.
#line 11
type_transition init wificond_exec:process wificond;
#line 11
#line 11
#line 1 "system/sepolicy/private/zygote.te"
# zygote
typeattribute zygote coredomain;
typeattribute zygote mlstrustedsubject;
#line 5
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init zygote_exec:file { getattr open read execute map };
#line 5
allow init zygote:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow zygote zygote_exec:file { entrypoint open read execute getattr map };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init zygote:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init zygote:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition init zygote_exec:process zygote;
#line 5
#line 5
#line 6
type_transition zygote tmpfs:file zygote_tmpfs;
#line 6
allow zygote zygote_tmpfs:file { read write getattr map };
#line 6
#line 8
allow zygote runtime_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads };
#line 8
# Override DAC on files and switch uid/gid.
allow zygote self:{ capability cap_userns } { dac_override dac_read_search setgid setuid fowner chown };
# Drop capabilities from bounding set.
allow zygote self:{ capability cap_userns } setpcap;
# Switch SELinux context to app domains.
# The four dyntransition targets below are the complete set of domains a
# forked zygote child may become.
allow zygote self:process setcurrent;
allow zygote system_server_startup:process dyntransition;
allow zygote appdomain:process dyntransition;
allow zygote webview_zygote:process dyntransition;
allow zygote app_zygote:process dyntransition;
# Allow zygote to read app /proc/pid dirs (b/10455872).
allow zygote appdomain:dir { getattr search };
allow zygote appdomain:file { { getattr open read ioctl lock map watch watch_reads } };
#line 27
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 27
type zygote_userfaultfd;
#line 27
type_transition zygote zygote:anon_inode zygote_userfaultfd "[userfaultfd]";
#line 27
# Allow domain to create/use userfaultfd anon_inode.
#line 27
allow zygote zygote_userfaultfd:anon_inode { create ioctl read };
#line 27
# Suppress errors generated during bugreport
#line 27
dontaudit su zygote_userfaultfd:anon_inode *;
#line 27
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 27
neverallow { domain -zygote } zygote_userfaultfd:anon_inode *;
#line 27
# Move children into the peer process group.
allow zygote system_server:process { getpgid setpgid };
allow zygote appdomain:process { getpgid setpgid };
allow zygote webview_zygote:process { getpgid setpgid };
allow zygote app_zygote:process { getpgid setpgid };
# Read system data.
allow zygote system_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow zygote system_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Get attributes of /mnt/expand, needed by cacheNonBootClasspathClassLoaders.
allow zygote mnt_expand_file:dir getattr;
# Write to /data/dalvik-cache.
allow zygote dalvikcache_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow zygote dalvikcache_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Create symlinks in /data/dalvik-cache.
allow zygote dalvikcache_data_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Write to /data/resource-cache.
allow zygote resourcecache_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow zygote resourcecache_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# For updateability, the zygote may fetch the current boot
# classpath from the dalvik cache. Integrity of the files
# is ensured by fsverity protection (checked in art_apex_boot_integrity).
# (zygote holds both write and execute on dalvikcache_data_file; the fsverity
# check named above is what keeps that from being a write-then-execute path.)
allow zygote dalvikcache_data_file:file execute;
# Allow zygote to find files in APEX data directories.
allow zygote apex_module_data_file:dir search;
# Allow zygote to find and map files created by on device signing.
allow zygote apex_art_data_file:dir { getattr search };
allow zygote apex_art_data_file:file { { getattr open read ioctl lock map watch watch_reads } execute };
# Mount tmpfs over various directories containing per-app directories, to hide
# them for app data isolation. Also traverse these directories (via
# /data_mirror) to find the allowlisted per-app directories to bind-mount in.
allow zygote {
  # /data/user{,_de}, /mnt/expand/$volume/user{,_de}
  system_userdir_file
  # /data/data
  system_data_file
  # /data/misc/profiles/cur
  user_profile_root_file
  # /data/misc/profiles/ref
  user_profile_data_file
  # /storage/emulated/$userId/Android/{data,obb}
  media_rw_data_file
  # /dev/__properties__
  properties_device
}:dir { mounton search };
# Traverse /data_mirror to get to the above directories while their normal paths
# are hidden, in order to bind-mount allowlisted per-app directories.
allow zygote mirror_data_file:dir search;
# List /mnt/expand to find all /mnt/expand/$volume/user{,_de} directories that
# need to be hidden by app data isolation, and traverse /mnt/expand to get to
# any allowlisted per-app directories within these directories.
allow zygote mnt_expand_file:dir { open read search };
# Get the inode number of app CE data directories to find them by inode number
# when CE storage is locked. Needed for app data isolation.
allow zygote app_data_file_type:dir getattr;
# Create dirs in the app data isolation tmpfs mounts and bind mount on them.
allow zygote tmpfs:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } mounton };
# Create the '/data/user/0 => /data/data' symlink in the /data/user tmpfs mount
# when setting up app data isolation.
allow zygote tmpfs:lnk_file create;
# Relabel dirs and symlinks in the app and sdk sandbox data isolation tmpfs mounts to their
# standard labels. Note: it seems that not all dirs are actually relabeled yet,
# but it works anyway since all domains can search tmpfs:dir.
allow zygote tmpfs:{ dir lnk_file } relabelfrom;
allow zygote system_userdir_file:dir relabelto;
allow zygote system_data_file:{ dir lnk_file } relabelto;
allow zygote sdk_sandbox_system_data_file:dir { getattr relabelto search };
# Read if sdcardfs is supported
allow zygote proc_filesystems:file { getattr open read ioctl lock map watch watch_reads };
# Allow zygote to create JIT memory.
allow zygote self:process execmem;
allow zygote zygote_tmpfs:file execute;
allow zygote ashmem_libcutils_device:chr_file execute;
# Execute idmap and dex2oat within zygote's own domain.
# TODO: Should either of these be transitioned to the same domain
# used by installd or stay in-domain for zygote?
allow zygote idmap_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow zygote dex2oat_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow apps access to /vendor/overlay
#line 126
allow zygote vendor_overlay_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 126
allow zygote vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 126
# Control cgroups.
allow zygote cgroup:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow zygote cgroup:{ file lnk_file } { { getattr open read ioctl lock map watch watch_reads } setattr };
allow zygote cgroup_v2:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow zygote cgroup_v2:{ file lnk_file } { { getattr open read ioctl lock map watch watch_reads } setattr };
# NOTE(review): sys_admin is a broad capability; it is presumably needed for
# the cgroup and mount/mounton operations granted in this file — confirm that
# no narrower capability covers the actual call sites.
allow zygote self:{ capability cap_userns } sys_admin;
# Allow zygote to stat the files that it opens. The zygote must
# be able to inspect them so that it can reopen them on fork
# if necessary: b/30963384.
allow zygote pmsg_device:chr_file getattr;
allow zygote debugfs_trace_marker:file getattr;
# Get seapp_contexts
allow zygote seapp_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# Check validity of SELinux context before use.
#line 144
#line 144
allow zygote selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 144
allow zygote selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 144
#line 144
allow zygote selinuxfs:file { open append write lock map };
#line 144
allow zygote kernel:security check_context;
#line 144
# Check SELinux permissions.
#line 146
#line 146
allow zygote selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 146
allow zygote selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 146
#line 146
allow zygote selinuxfs:file { open append write lock map };
#line 146
allow zygote kernel:security compute_av;
#line 146
allow zygote self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
#line 146
# Native bridge functionality requires that zygote replaces
# /proc/cpuinfo with /system/lib//cpuinfo using a bind mount
allow zygote proc_cpuinfo:file mounton;
# Allow remounting rootfs as MS_SLAVE.
allow zygote rootfs:dir mounton;
allow zygote tmpfs:filesystem { mount unmount };
allow zygote fuse:filesystem { unmount };
allow zygote sdcardfs:filesystem { unmount };
allow zygote labeledfs:filesystem { unmount };
# Allow creating user-specific storage source if started before vold.
allow zygote mnt_user_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } mounton };
allow zygote mnt_user_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow zygote mnt_user_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow mounting user-specific storage source if started before vold.
allow zygote mnt_pass_through_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } mounton };
# Allowed to mount user-specific storage into place
allow zygote storage_file:dir { search mounton };
# Allow mounting and creating files, dirs on sdcardfs.
allow zygote { sdcard_type fuse }:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } mounton };
allow zygote { sdcard_type fuse }:file { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } };
# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow zygote to write to statsd.
#line 178
allow zygote statsdw_socket:sock_file write;
#line 178
allow zygote statsd:unix_dgram_socket sendto;
#line 178
# Root fs.
#line 181
allow zygote rootfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 181
allow zygote rootfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 181
# System file accesses.
#line 184
allow zygote system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 184
allow zygote system_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 184
# /oem accesses.
allow zygote oemfs:dir search;
#line 193
allow zygote ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow zygote tmpfs:dir { open getattr read search ioctl lock watch watch_reads };
allow zygote same_process_hal_file:file { execute read open getattr map };
# Allow zygote to read build properties for attestation feature
#line 201
allow zygote build_attestation_prop:file { getattr open read map };
#line 201
# Allow the zygote to access storage properties to check if sdcardfs is enabled.
#line 204
allow zygote storage_config_prop:file { getattr open read map };
#line 204
;
# Let the zygote access overlays so it can initialize the AssetManager.
#line 207 allow zygote overlay_prop:file { getattr open read map }; #line 207 #line 208 allow zygote exported_overlay_prop:file { getattr open read map }; #line 208 # Allow the zygote to access the runtime feature flag properties. #line 211 allow zygote device_config_runtime_native_prop:file { getattr open read map }; #line 211 #line 212 allow zygote device_config_runtime_native_boot_prop:file { getattr open read map }; #line 212 # Allow the zygote to access window manager native boot feature flags # to initialize WindowManager static properties. #line 216 allow zygote device_config_window_manager_native_boot_prop:file { getattr open read map }; #line 216 # ingore spurious denials # fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is # done to determine if the file should inherit setgid. In this case, setgid on the file is # undesirable, so suppress the denial. dontaudit zygote self:{ capability cap_userns } { sys_resource fsetid }; # Ignore spurious denials calling access() on fuse. # Also ignore read and open as sdcardfs may read and open dir when app tries to access a dir that # doesn't exist. # TODO(b/151316657): avoid the denials dontaudit zygote media_rw_data_file:dir { read open setattr }; # Allow zygote to use ashmem fds from system_server. 
allow zygote system_server:fd use; # Send unsolicited message to system_server #line 234 allow zygote system_unsolzygote_socket:sock_file write; #line 234 allow zygote system_server:unix_dgram_socket sendto; #line 234 # Allow zygote to access media_variant_prop for static initialization #line 237 allow zygote media_variant_prop:file { getattr open read map }; #line 237 # Allow zygote to access odsign verification status #line 240 allow zygote odsign_prop:file { getattr open read map }; #line 240 # Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex #line 243 allow zygote packagemanager_config_prop:file { getattr open read map }; #line 243 # Allow zygote to read qemu.sf.lcd_density #line 246 allow zygote qemu_sf_lcd_density_prop:file { getattr open read map }; #line 246 # Allow zygote to read persist.wm.debug.* to toggle experimental window manager features in # preloaded classes #line 250 allow zygote persist_wm_debug_prop:file { getattr open read map }; #line 250 # Allow zygote to read persist_sysui_builder_extras_prop # and persist_sysui_ranking_update_prop # to toggle experimental features in core preloaded classes #line 255 allow zygote persist_sysui_builder_extras_prop:file { getattr open read map }; #line 255 #line 256 allow zygote persist_sysui_ranking_update_prop:file { getattr open read map }; #line 256 # Allow zygote to read /apex/apex-info-list.xml allow zygote apex_info_file:file { getattr open read ioctl lock map watch watch_reads }; # Allow zygote to canonicalize vendor APEX paths. This is used when zygote is checking the # preinstalled path of APEXes that contain runtime resource overlays for the 'android' package. allow zygote vendor_apex_file:dir { getattr search }; allow zygote vendor_apex_file:file { getattr }; allow zygote vendor_apex_metadata_file:dir { search }; # Allow zygote to query for compression/features. 
#line 268 allow zygote sysfs_fs_f2fs:dir { open getattr read search ioctl lock watch watch_reads }; #line 268 allow zygote sysfs_fs_f2fs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads }; #line 268 # Allow zygote to read fonts_customization.xml for preloading font files that matches device locale. allow zygote system_font_fallback_file:file { getattr open read ioctl lock map watch watch_reads }; ### ### neverallow rules ### # Ensure that all types assigned to app processes are included # in the appdomain attribute, so that all allow and neverallow rules # written on appdomain are applied to all app processes. # This is achieved by ensuring that it is impossible for zygote to # setcon (dyntransition) to any types other than those associated # with appdomain plus system_server_startup, webview_zygote and # app_zygote. neverallow zygote ~{ appdomain system_server_startup webview_zygote app_zygote }:process dyntransition; # Zygote should never execute anything from /data except for # /data/dalvik-cache files or files generated during on-device # signing under /data/misc/apexdata/com.android.art/. neverallow zygote { data_file_type -apex_art_data_file # map PROT_EXEC -dalvikcache_data_file # map PROT_EXEC }:file { execute execute_no_trans }; # Do not allow access to Bluetooth-related system properties and files neverallow zygote { bluetooth_a2dp_offload_prop bluetooth_audio_hal_prop bluetooth_prop exported_bluetooth_prop }:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } }; # Zygote should not be able to access app private data. 
neverallow zygote app_data_file_type:dir ~getattr; #line 1 "system/sepolicy/private/roles_decl" role r; #line 1 "system/sepolicy/public/roles" role r types domain; #line 1 "system/sepolicy/private/users" user u roles { r } level s0 range s0 - s0:c0.c1023; #line 1 "system/sepolicy/private/initial_sid_contexts" sid kernel u:r:kernel:s0 sid security u:object_r:kernel:s0 sid unlabeled u:object_r:unlabeled:s0 sid fs u:object_r:labeledfs:s0 sid file u:object_r:unlabeled:s0 sid file_labels u:object_r:unlabeled:s0 sid init u:object_r:unlabeled:s0 sid any_socket u:object_r:unlabeled:s0 sid port u:object_r:port:s0 sid netif u:object_r:netif:s0 sid netmsg u:object_r:unlabeled:s0 sid node u:object_r:node:s0 sid igmp_packet u:object_r:unlabeled:s0 sid icmp_socket u:object_r:unlabeled:s0 sid tcp_socket u:object_r:unlabeled:s0 sid sysctl_modprobe u:object_r:unlabeled:s0 sid sysctl u:object_r:proc:s0 sid sysctl_fs u:object_r:unlabeled:s0 sid sysctl_kernel u:object_r:unlabeled:s0 sid sysctl_net u:object_r:unlabeled:s0 sid sysctl_net_unix u:object_r:unlabeled:s0 sid sysctl_vm u:object_r:unlabeled:s0 sid sysctl_dev u:object_r:unlabeled:s0 sid kmod u:object_r:unlabeled:s0 sid policy u:object_r:unlabeled:s0 sid scmp_packet u:object_r:unlabeled:s0 sid devnull u:object_r:null_device:s0 #line 1 "system/sepolicy/private/fs_use" # Label inodes via getxattr. fs_use_xattr yaffs2 u:object_r:labeledfs:s0; fs_use_xattr jffs2 u:object_r:labeledfs:s0; fs_use_xattr ext2 u:object_r:labeledfs:s0; fs_use_xattr ext3 u:object_r:labeledfs:s0; fs_use_xattr ext4 u:object_r:labeledfs:s0; fs_use_xattr xfs u:object_r:labeledfs:s0; fs_use_xattr btrfs u:object_r:labeledfs:s0; fs_use_xattr f2fs u:object_r:labeledfs:s0; fs_use_xattr squashfs u:object_r:labeledfs:s0; fs_use_xattr overlay u:object_r:labeledfs:s0; fs_use_xattr erofs u:object_r:labeledfs:s0; fs_use_xattr incremental-fs u:object_r:labeledfs:s0; fs_use_xattr virtiofs u:object_r:labeledfs:s0; # Label inodes from task label. 
fs_use_task pipefs u:object_r:pipefs:s0; fs_use_task sockfs u:object_r:sockfs:s0; # Label inodes from combination of task label and fs label. # Define type_transition rules if you want per-domain types. fs_use_trans devpts u:object_r:devpts:s0; fs_use_trans tmpfs u:object_r:tmpfs:s0; fs_use_trans devtmpfs u:object_r:device:s0; fs_use_trans shm u:object_r:shm:s0; fs_use_trans mqueue u:object_r:mqueue:s0; #line 1 "system/sepolicy/private/genfs_contexts" # Label inodes with the fs label. genfscon rootfs / u:object_r:rootfs:s0 # proc labeling can be further refined (longest matching prefix). genfscon proc / u:object_r:proc:s0 genfscon proc /asound u:object_r:proc_asound:s0 genfscon proc /bootconfig u:object_r:proc_bootconfig:s0 genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0 genfscon proc /cmdline u:object_r:proc_cmdline:s0 genfscon proc /config.gz u:object_r:config_gz:s0 genfscon proc /cpu/alignment u:object_r:proc_cpu_alignment:s0 genfscon proc /device-tree/avf u:object_r:proc_dt_avf:s0 genfscon proc /diskstats u:object_r:proc_diskstats:s0 genfscon proc /filesystems u:object_r:proc_filesystems:s0 genfscon proc /interrupts u:object_r:proc_interrupts:s0 genfscon proc /iomem u:object_r:proc_iomem:s0 genfscon proc /kallsyms u:object_r:proc_kallsyms:s0 genfscon proc /keys u:object_r:proc_keys:s0 genfscon proc /kmsg u:object_r:proc_kmsg:s0 genfscon proc /loadavg u:object_r:proc_loadavg:s0 genfscon proc /locks u:object_r:proc_locks:s0 genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0 genfscon proc /meminfo u:object_r:proc_meminfo:s0 genfscon proc /misc u:object_r:proc_misc:s0 genfscon proc /modules u:object_r:proc_modules:s0 genfscon proc /mounts u:object_r:proc_mounts:s0 genfscon proc /net u:object_r:proc_net:s0 genfscon proc /net/tcp u:object_r:proc_net_tcp_udp:s0 genfscon proc /net/udp u:object_r:proc_net_tcp_udp:s0 genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0 genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0 
genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0 genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0 genfscon proc /pressure/cpu u:object_r:proc_pressure_cpu:s0 genfscon proc /pressure/io u:object_r:proc_pressure_io:s0 genfscon proc /pressure/memory u:object_r:proc_pressure_mem:s0 genfscon proc /slabinfo u:object_r:proc_slabinfo:s0 genfscon proc /softirqs u:object_r:proc_timer:s0 genfscon proc /stat u:object_r:proc_stat:s0 genfscon proc /swaps u:object_r:proc_swaps:s0 genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0 genfscon proc /kpageflags u:object_r:proc_kpageflags:s0 genfscon proc /sys/abi/swp u:object_r:proc_abi:s0 genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0 genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0 genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0 genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0 genfscon proc /sys/kernel/bpf_ u:object_r:proc_bpf:s0 genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0 genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0 genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0 genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0 genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0 genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0 genfscon proc /sys/kernel/hung_task_ u:object_r:proc_hung_task:s0 genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0 genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0 genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0 genfscon proc /sys/kernel/panic_on_oops u:object_r:proc_panic:s0 genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0 genfscon proc /sys/kernel/perf_event_paranoid u:object_r:proc_perf:s0 genfscon proc /sys/kernel/perf_cpu_time_max_percent u:object_r:proc_perf:s0 genfscon proc /sys/kernel/perf_event_mlock_kb u:object_r:proc_perf:s0 genfscon 
proc /sys/kernel/pid_max u:object_r:proc_pid_max:s0 genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0 genfscon proc /sys/kernel/random u:object_r:proc_random:s0 genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0 genfscon proc /sys/kernel/sched_child_runs_first u:object_r:proc_sched:s0 genfscon proc /sys/kernel/sched_latency_ns u:object_r:proc_sched:s0 genfscon proc /sys/kernel/sched_rt_period_us u:object_r:proc_sched:s0 genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0 genfscon proc /sys/kernel/sched_schedstats u:object_r:proc_sched:s0 genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0 genfscon proc /sys/kernel/sched_util_clamp_max u:object_r:proc_sched:s0 genfscon proc /sys/kernel/sched_util_clamp_min u:object_r:proc_sched:s0 genfscon proc /sys/kernel/sched_util_clamp_min_rt_default u:object_r:proc_sched:s0 genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0 genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0 genfscon proc /sys/kernel/unprivileged_bpf_ u:object_r:proc_bpf:s0 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0 genfscon proc /sys/net u:object_r:proc_net:s0 genfscon proc /sys/net/core/bpf_ u:object_r:proc_bpf:s0 genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0 genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0 genfscon proc /sys/vm/extra_free_kbytes u:object_r:proc_extra_free_kbytes:s0 genfscon proc /sys/vm/max_map_count u:object_r:proc_max_map_count:s0 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0 genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0 genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0 genfscon proc /sys/vm/page-cluster u:object_r:proc_page_cluster:s0 genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0 genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0 genfscon proc 
/sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0 genfscon proc /sys/vm/watermark_boost_factor u:object_r:proc_watermark_boost_factor:s0 genfscon proc /sys/vm/watermark_scale_factor u:object_r:proc_watermark_scale_factor:s0 genfscon proc /sys/vm/percpu_pagelist_high_fraction u:object_r:proc_percpu_pagelist_high_fraction:s0 genfscon proc /timer_list u:object_r:proc_timer:s0 genfscon proc /timer_stats u:object_r:proc_timer:s0 genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0 genfscon proc /uid/ u:object_r:proc_uid_time_in_state:s0 genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0 genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0 genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0 genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0 genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0 genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0 genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0 genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0 genfscon proc /uptime u:object_r:proc_uptime:s0 genfscon proc /version u:object_r:proc_version:s0 genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0 genfscon proc /vmstat u:object_r:proc_vmstat:s0 genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0 genfscon proc /vendor_sched u:object_r:proc_vendor_sched:s0 genfscon fusectl / u:object_r:fusectlfs:s0 # selinuxfs booleans can be individually labeled. genfscon selinuxfs / u:object_r:selinuxfs:s0 genfscon cgroup / u:object_r:cgroup:s0 genfscon cgroup2 / u:object_r:cgroup_v2:s0 # sysfs labels can be set by userspace. 
genfscon sysfs / u:object_r:sysfs:s0 genfscon sysfs /devices/cs_etm u:object_r:sysfs_devices_cs_etm:s0 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0 genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0 genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0 genfscon sysfs /class/gpu u:object_r:sysfs_gpu:s0 genfscon sysfs /class/leds u:object_r:sysfs_leds:s0 genfscon sysfs /class/net u:object_r:sysfs_net:s0 genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 genfscon sysfs /class/rfkill/rfkill1/state u:object_r:sysfs_bluetooth_writable:s0 genfscon sysfs /class/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0 genfscon sysfs /class/rfkill/rfkill3/state u:object_r:sysfs_bluetooth_writable:s0 genfscon sysfs /class/rtc u:object_r:sysfs_rtc:s0 genfscon sysfs /class/switch u:object_r:sysfs_switch:s0 genfscon sysfs /class/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0 genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0 genfscon sysfs /devices/virtual/block/ u:object_r:sysfs_devices_block:s0 genfscon sysfs /devices/virtual/block/dm- u:object_r:sysfs_dm:s0 genfscon sysfs /devices/virtual/block/loop u:object_r:sysfs_loop:s0 genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0 genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_zram:s0 genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0 genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_uevent:s0 genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0 genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0 genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0 genfscon sysfs /devices/virtual/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /firmware/devicetree/base/avf u:object_r:sysfs_dt_avf:s0 genfscon sysfs 
/firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0 genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0 genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0 genfscon sysfs /fs/fuse/bpf_prog_type_fuse u:object_r:sysfs_fs_fuse_bpf:s0 genfscon sysfs /fs/fuse/features u:object_r:sysfs_fs_fuse_features:s0 genfscon sysfs /fs/incremental-fs/features u:object_r:sysfs_fs_incfs_features:s0 genfscon sysfs /fs/incremental-fs/instances u:object_r:sysfs_fs_incfs_metrics:s0 genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0 genfscon sysfs /power/state u:object_r:sysfs_power:s0 genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0 genfscon sysfs /power/sync_on_suspend u:object_r:sysfs_sync_on_suspend:s0 genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0 genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0 genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0 genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0 genfscon sysfs /kernel/dma_heap u:object_r:sysfs_dma_heap:s0 genfscon sysfs /kernel/ion u:object_r:sysfs_ion:s0 genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0 genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0 genfscon sysfs /kernel/mm/lru_gen/enabled u:object_r:sysfs_lru_gen_enabled:s0 genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0 genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0 genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0 genfscon sysfs /kernel/dmabuf/buffers u:object_r:sysfs_dmabuf_stats:s0 genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0 genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0 genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0 genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0 genfscon sysfs 
/devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0 genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0 genfscon sysfs /devices/uprobe u:object_r:sysfs_uprobe:s0 genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0 genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0 genfscon debugfs /tracing u:object_r:debugfs_tracing_debug:s0 genfscon tracefs / u:object_r:debugfs_tracing_debug:s0 genfscon debugfs /tracing/tracing_on u:object_r:debugfs_tracing:s0 genfscon tracefs /tracing_on u:object_r:debugfs_tracing:s0 genfscon debugfs /tracing/trace u:object_r:debugfs_tracing:s0 genfscon tracefs /trace u:object_r:debugfs_tracing:s0 genfscon debugfs /tracing/per_cpu/cpu u:object_r:debugfs_tracing:s0 genfscon tracefs /per_cpu/cpu u:object_r:debugfs_tracing:s0 genfscon debugfs /tracing/hyp u:object_r:debugfs_tracing:s0 genfscon tracefs /hyp u:object_r:debugfs_tracing:s0 genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0 genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0 genfscon debugfs /tracing/instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0 genfscon tracefs /instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0 genfscon debugfs /tracing/instances/mm_events u:object_r:debugfs_mm_events_tracing:s0 genfscon tracefs /instances/mm_events u:object_r:debugfs_mm_events_tracing:s0 genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0 genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0 genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0 genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0 genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0 genfscon debugfs /tracing/printk_formats u:object_r:debugfs_tracing_printk_formats:s0 genfscon tracefs /printk_formats u:object_r:debugfs_tracing_printk_formats:s0 genfscon debugfs 
/tracing/events/header_page u:object_r:debugfs_tracing:s0 genfscon debugfs /tracing/events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0 genfscon debugfs /tracing/events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0 genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0 genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0 genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0 genfscon debugfs /tracing/events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0 genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0 genfscon debugfs /tracing/events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0 genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0 genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0 genfscon debugfs /tracing/events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0 genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0 genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0 genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0 genfscon debugfs /tracing/events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0 genfscon tracefs /events/header_page u:object_r:debugfs_tracing:s0 genfscon tracefs /events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0 genfscon tracefs /events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0 genfscon tracefs /events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0 genfscon tracefs /events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0 genfscon tracefs /events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0 genfscon tracefs /events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0 genfscon tracefs /events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0 
genfscon tracefs /events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0 genfscon tracefs /events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0 genfscon tracefs /events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0 genfscon tracefs /events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0 genfscon tracefs /events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0 genfscon tracefs /events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0 genfscon tracefs /events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0 genfscon tracefs /events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0 genfscon tracefs /synthetic_events u:object_r:debugfs_tracing:s0 genfscon debugfs /tracing/synthetic_events u:object_r:debugfs_tracing:s0 genfscon tracefs /events/synthetic/rss_stat_throttled u:object_r:debugfs_tracing:s0 genfscon debugfs /tracing/events/synthetic/rss_stat_throttled u:object_r:debugfs_tracing:s0 genfscon tracefs /events/synthetic/suspend_resume_minimal u:object_r:debugfs_tracing:s0 genfscon debugfs /tracing/events/synthetic/suspend_resume_minimal u:object_r:debugfs_tracing:s0 genfscon tracefs /trace_clock u:object_r:debugfs_tracing:s0 genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0 genfscon tracefs /options/overwrite u:object_r:debugfs_tracing:s0 genfscon tracefs /options/print-tgid u:object_r:debugfs_tracing:s0 genfscon tracefs /options/record-tgid u:object_r:debugfs_tracing:s0 genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing:s0 genfscon tracefs /events/sched/sched_switch/ u:object_r:debugfs_tracing:s0 genfscon tracefs /events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0 genfscon tracefs /events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0 genfscon tracefs /events/sched/sched_waking/ u:object_r:debugfs_tracing:s0 genfscon tracefs /events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0 genfscon tracefs /events/sched/sched_cpu_hotplug/ 
# genfscon statements assign a security context to files on filesystems that
# cannot carry per-file labels (no xattr support). Each rule is
#   genfscon <fstype> <path> <context>
# and, at lookup time, the rule with the longest matching path prefix wins, so
# the order in which the rules are written does not change the result.
#
# Trailing context of the genfscon statement that ends on the preceding line.
u:object_r:debugfs_tracing:s0
#
# --- tracefs: a deliberately enumerated subset of trace control nodes ---
# Only the listed event directories get debugfs_tracing; anything under
# tracefs not listed here keeps whatever label the remaining tracefs rules
# (outside this chunk) give it. Keeping the type narrow presumably lets policy
# grant tracing access to specific domains without opening the whole
# filesystem — confirm against the allow rules that reference debugfs_tracing.
genfscon tracefs /events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cgroup/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/clock_enable/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/clock_disable/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/gpu_work_period/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_command/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_return/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/dma_fence/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ftrace/print/ u:object_r:debugfs_tracing:s0
# NOTE(review): this is the one event path written without a trailing slash;
# as a prefix it still matches the directory and everything beneath it.
genfscon tracefs /events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
genfscon tracefs /events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpuhp/cpuhp_pause/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ipi/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/irq/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
#
# --- debugfs: the same trace nodes under the legacy /tracing mount point ---
# These mirror the tracefs list above for kernels where the trace interface is
# reached as a debugfs subtree. Keep the two lists in step: a node present in
# one and not the other ends up with a different label depending on how the
# kernel exposes it.
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/overwrite u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/print-tgid u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/record-tgid u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cgroup/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/clock_enable/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/clock_disable/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/gpu_work_period/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_command/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_return/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/dma_fence/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
# NOTE(review): the tracefs list above carries /events/cpuhp/cpuhp_pause/, but
# there is no /tracing/events/cpuhp/cpuhp_pause/ entry here. On a kernel that
# exposes the node under debugfs it would fall back to the "/" rule below and
# be labelled plain debugfs — confirm whether the omission is intentional.
genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
#
# Kernel coverage interface gets its own type rather than the generic debugfs
# label, so access to it can be granted (or denied) independently of the rest
# of debugfs.
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
genfscon securityfs / u:object_r:securityfs:s0
#
# --- binderfs ---
# Each device node under binderfs gets the same device type the corresponding
# /dev node would have, so the existing per-transport allow rules apply
# unchanged. The log/stat directories and /features are kept distinct from
# the device nodes, and the "/" rule further down gives every other binderfs
# entry the generic binderfs type.
genfscon binder /binder u:object_r:binder_device:s0
genfscon binder /hwbinder u:object_r:hwbinder_device:s0
genfscon binder /vndbinder u:object_r:vndbinder_device:s0
genfscon binder /binder_logs u:object_r:binderfs_logs:s0
genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
genfscon binder /binder_logs/stats u:object_r:binderfs_logs_stats:s0
genfscon binder /features u:object_r:binderfs_features:s0
#
# --- whole-filesystem defaults ---
# A "/" rule is the catch-all for the filesystem type; more specific paths
# declared elsewhere (e.g. the debugfs and binder entries above) take
# precedence by longest-prefix match regardless of textual order.
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0
genfscon binder / u:object_r:binderfs:s0
genfscon exfat / u:object_r:exfat:s0
genfscon debugfs / u:object_r:debugfs:s0
genfscon fuse / u:object_r:fuse:s0
genfscon fuseblk / u:object_r:fuseblk:s0
genfscon configfs / u:object_r:configfs:s0
genfscon sdcardfs / u:object_r:sdcardfs:s0
# esdfs is labelled with the sdcardfs type, not a type of its own.
genfscon esdfs / u:object_r:sdcardfs:s0
genfscon pstore / u:object_r:pstorefs:s0
genfscon functionfs / u:object_r:functionfs:s0
genfscon usbfs / u:object_r:usbfs:s0
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
#
# --- bpf filesystem ---
# The root is fs_bpf; each pinning subdirectory gets a distinct type so that
# the domains allowed to reach one set of pinned objects need not be allowed
# to reach the others. A new subdirectory under /sys/fs/bpf that is not listed
# here inherits the fs_bpf root label.
genfscon bpf / u:object_r:fs_bpf:s0
genfscon bpf /loader u:object_r:fs_bpf_loader:s0
genfscon bpf /net_private u:object_r:fs_bpf_net_private:s0
genfscon bpf /net_shared u:object_r:fs_bpf_net_shared:s0
genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0
genfscon bpf /netd_shared u:object_r:fs_bpf_netd_shared:s0
genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
genfscon bpf /uprobestats u:object_r:fs_bpf_uprobestats:s0
# Build-inserted marker recording which source file the following lines came
# from in the concatenated policy; it is not a policy statement.
#line 1 "system/sepolicy/private/port_contexts"
# portcon statements go here, e.g.
# portcon tcp 80 u:object_r:http_port:s0