domain.te 10.1 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13
# Rules for all domains.

# Allow reaping by init.
allow domain init:process sigchld;

# Read access to properties mapping.
allow domain kernel:fd use;
allow domain tmpfs:file { read getattr };

# Search /storage/emulated tmpfs mount.
allow domain tmpfs:dir r_dir_perms;

# Intra-domain accesses.
14
allow domain self:process ~{ execmem execstack execheap ptrace setexec setfscreate setcurrent setkeycreate setsockcreate };
15 16 17 18
allow domain self:fd use;
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:{ fifo_file file } rw_file_perms;
Stephen Smalley's avatar
Stephen Smalley committed
19 20
allow domain self:unix_dgram_socket { create_socket_perms sendto };
allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
21 22 23

# Inherit or receive open files from others.
allow domain init:fd use;
24
allow domain system_server:fd use;
25 26

# Connect to adbd and use a socket transferred from it.
27
# This is used for e.g. adb backup/restore.
28 29
allow domain adbd:unix_stream_socket connectto;
allow domain adbd:fd use;
30
allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };
31

32 33 34 35 36 37
userdebug_or_eng(`
  # Same as adbd rules above, except allow su to do the same thing
  allow domain su:unix_stream_socket connectto;
  allow domain su:fd use;
  allow domain su:unix_stream_socket { getattr getopt read write shutdown };

38 39
  binder_call(domain, su)

40 41 42 43 44 45 46 47
  # Running something like "pm dump com.android.bluetooth" requires
  # fifo writes
  allow domain su:fifo_file { write getattr };

  # allow "gdbserver --attach" to work for su.
  allow domain su:process sigchld;
')

48 49 50
###
### Talk to debuggerd.
###
51 52 53 54 55
allow domain debuggerd:process sigchld;
allow domain debuggerd:unix_stream_socket connectto;

# Root fs.
allow domain rootfs:dir r_dir_perms;
56
allow domain rootfs:file r_file_perms;
57
allow domain rootfs:lnk_file r_file_perms;
58 59 60

# Device accesses.
allow domain device:dir search;
61
allow domain dev_type:lnk_file r_file_perms;
62 63
allow domain devpts:dir search;
allow domain device:file read;
64
allow domain socket_device:dir r_dir_perms;
65 66
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
Nick Kralevich's avatar
Nick Kralevich committed
67
allow domain zero_device:chr_file rw_file_perms;
68 69 70 71 72 73
allow domain ashmem_device:chr_file rw_file_perms;
allow domain binder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain log_device:dir search;
allow domain log_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
74 75
allow domain urandom_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
76 77
allow domain properties_device:file r_file_perms;

78 79 80
# logd access
write_logd(domain)

81 82 83 84 85 86 87 88
# Filesystem accesses.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;

# System file accesses.
allow domain system_file:dir r_dir_perms;
allow domain system_file:file r_file_perms;
allow domain system_file:file execute;
89
allow domain system_file:lnk_file r_file_perms;
90 91 92 93

# Read files already opened under /data.
allow domain system_data_file:dir { search getattr };
allow domain system_data_file:file { getattr read };
94
allow domain system_data_file:lnk_file r_file_perms;
95 96

# Read apk files under /data/app.
97
allow domain apk_data_file:dir { getattr search };
98
allow domain apk_data_file:file r_file_perms;
99
allow domain apk_data_file:lnk_file r_file_perms;
100 101 102 103 104 105 106 107

# Read /data/dalvik-cache.
allow domain dalvikcache_data_file:dir { search getattr };
allow domain dalvikcache_data_file:file r_file_perms;

# Read already opened /cache files.
allow domain cache_file:dir r_dir_perms;
allow domain cache_file:file { getattr read };
108
allow domain cache_file:lnk_file r_file_perms;
109

Nick Kralevich's avatar
Nick Kralevich committed
110 111 112
# Read timezone related information
r_dir_file(domain, zoneinfo_data_file)

113 114 115 116 117 118 119 120 121 122
# For /acct/uid/*/tasks.
allow domain cgroup:dir { search write };
allow domain cgroup:file w_file_perms;

#Allow access to ion memory allocation device
allow domain ion_device:chr_file rw_file_perms;

# Read access to pseudo filesystems.
r_dir_file(domain, proc)
r_dir_file(domain, sysfs)
123
r_dir_file(domain, sysfs_devices_system_cpu)
124 125
r_dir_file(domain, inotify)
r_dir_file(domain, cgroup)
126
r_dir_file(domain, proc_net)
127 128 129

# debugfs access
allow domain debugfs:dir r_dir_perms;
130
allow domain debugfs:file w_file_perms;
131

132 133 134
# Get SELinux enforcing status.
selinux_getenforce(domain)

135
# /data/security files
136 137
allow domain security_file:dir { search getattr };
allow domain security_file:file getattr;
138
allow domain security_file:lnk_file r_file_perms;
139

140 141 142 143
# World readable asec image contents
allow domain asec_public_file:file r_file_perms;
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;

144 145 146 147
###
### neverallow rules
###

148 149 150
# Do not allow any confined domain to create new unlabeled files.
neverallow { domain -unconfineddomain } unlabeled:dir_file_class_set create;

151 152 153 154 155
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;

# Limit device node creation and raw I/O to these whitelisted domains.
Nick Kralevich's avatar
Nick Kralevich committed
156
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability { sys_rawio mknod };
157

158 159 160
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow domain self:memprotect mmap_zero;

161
# No domain needs mac_override as it is unused by SELinux.
162
neverallow domain self:capability2 mac_override;
163 164

# Only recovery needs mac_admin to set contexts not defined in current policy.
165 166
neverallow { domain -recovery } self:capability2 mac_admin;

167 168 169 170 171 172
# Only init should be able to load SELinux policies.
# The first load technically occurs while still in the kernel domain,
# but this does not trigger a denial since there is no policy yet.
# Policy reload requires allowing this to the init domain.
neverallow { domain -init } kernel:security load_policy;

173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189
# Only init and the system_server can set selinux.reload_policy 1
# to trigger a policy reload.
neverallow { domain -init -system_server } security_prop:property_service set;

# Only init and system_server can write to /data/security, where runtime
# policy updates live.
# Only init can relabel /data/security (for init.rc restorecon_recursive /data).
neverallow { domain -init } security_file:{ dir file lnk_file } { relabelfrom relabelto };
# Only init and system_server can create/setattr directories with this type.
# init is for init.rc mkdir /data/security.
# system_server is for creating subdirectories under /data/security.
neverallow { domain -init -system_server } security_file:dir { create setattr };
# Only system_server can create subdirectories and files under /data/security.
neverallow { domain -system_server } security_file:dir { rename write add_name remove_name rmdir };
neverallow { domain -system_server } security_file:file { create setattr write append unlink link rename };
neverallow { domain -system_server } security_file:lnk_file { create setattr unlink rename };

190 191 192 193
# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
Nick Kralevich's avatar
Nick Kralevich committed
194 195
neverallow domain kernel:security setenforce;
neverallow { domain -kernel } kernel:security setcheckreqprot;
196

197 198 199 200 201 202 203 204
# No booleans in AOSP policy, so no need to ever set them.
neverallow domain kernel:security setbool;

# Adjusting the AVC cache threshold.
# Not presently allowed to anything in policy, but possibly something
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;

William Roberts's avatar
William Roberts committed
205 206
# Only init, ueventd and system_server should be able to access HW RNG
neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
207

208 209
# Ensure that all entrypoint executables are in exec_type.
neverallow domain { file_type -exec_type }:file entrypoint;
210 211 212 213

# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };
214 215 216 217 218

# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init } proc_security:file { append write };
219 220 221

# No domain should be allowed to ptrace init.
neverallow domain init:process ptrace;
222 223 224 225

# Init can't receive binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow domain init:binder call;
226 227 228

# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
Nick Kralevich's avatar
Nick Kralevich committed
229
neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };
230 231 232 233 234

# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
# ueventd is exempt from this, as its managing these devices.
neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write };
235 236 237 238 239

# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
240 241 242 243 244 245 246 247 248

#
# Assert that, to the extent possible, we're not loading executable content from
# outside the /system partition except for a few whitelisted domains.
#
neverallow {
    domain
    -appdomain
    -dumpstate
Stephen Smalley's avatar
Stephen Smalley committed
249
    -shell
250 251 252 253
    userdebug_or_eng(`-su')
    -system_server
    -zygote
} { file_type -system_file -exec_type }:file execute;
Stephen Smalley's avatar
Stephen Smalley committed
254 255 256 257

# Only the init property service should write to /data/property.
neverallow { domain -init } property_data_file:dir { create setattr relabelfrom rename write add_name remove_name rmdir };
neverallow { domain -init } property_data_file:file { create setattr relabelfrom write append unlink link rename };
258 259 260 261

# Only recovery should be doing writes to /system
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };