Leave minimal sepolicy for microdroid
Steps taken:
1) Grab remaining types in contexts files.
2) Keep those types and remove all other types.
3) Set attributes, according to system/etc/selinux/plat_sepolicy.cil.
4) Repeat booting and adding missing types, rules, and attributes.
5) Organize types and allow rules.
Bug: 191131624
Test: atest MicrodroidHostTestCases
Change-Id: I1302701f67e61795474c667e8e6094d67912eea0
diff --git a/microdroid/sepolicy/system/private/adbd.te b/microdroid/sepolicy/system/private/adbd.te
index 52070cb..2ebf9d8 100644
--- a/microdroid/sepolicy/system/private/adbd.te
+++ b/microdroid/sepolicy/system/private/adbd.te
@@ -1,5 +1,3 @@
-### ADB daemon
-
typeattribute adbd coredomain;
typeattribute adbd mlstrustedsubject;
@@ -12,21 +10,6 @@
allow adbd su:process dyntransition;
')
-# When 'adb shell' is executed in recovery mode, adbd explicitly
-# switches into shell domain using setcon() because the shell executable
-# is not labeled as shell but as rootfs.
-recovery_only(`
- domain_trans(adbd, rootfs, shell)
- allow adbd shell:process dyntransition;
-
- # Allows reboot fastboot to enter fastboot directly
- unix_socket_connect(adbd, recovery, recovery)
-')
-
-# Control Perfetto traced and obtain traces from it.
-# Needed to allow port forwarding directly to traced.
-unix_socket_connect(adbd, traced_consumer, traced)
-
# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
allow adbd shell:process { noatsecure signal };
@@ -37,9 +20,6 @@
# Drop capabilities from bounding set on user builds.
allow adbd self:global_capability_class_set setpcap;
-# ignore spurious denials for adbd when disk space is low.
-dontaudit adbd self:global_capability_class_set sys_resource;
-
# adbd probes for vsock support. Do not generate denials when
# this occurs. (b/123569840)
dontaudit adbd self:{ socket vsock_socket } create;
@@ -47,17 +27,6 @@
# Allow adbd inside vm to forward vm's vsock.
allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-# Create and use network sockets.
-net_domain(adbd)
-
-# Access /dev/usb-ffs/adb/ep0
-allow adbd functionfs:dir search;
-allow adbd functionfs:file rw_file_perms;
-allowxperm adbd functionfs:file ioctl {
- FUNCTIONFS_ENDPOINT_DESC
- FUNCTIONFS_CLEAR_HALT
-};
-
# Use a pseudo tty.
allow adbd devpts:chr_file rw_file_perms;
@@ -65,164 +34,11 @@
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;
-# adb pull /data/local/traces/*
-allow adbd trace_data_file:dir r_dir_perms;
-allow adbd trace_data_file:file r_file_perms;
-
-# adb pull /data/misc/profman.
-allow adbd profman_dump_data_file:dir r_dir_perms;
-allow adbd profman_dump_data_file:file r_file_perms;
-
-# adb push/pull sdcard.
allow adbd tmpfs:dir search;
-allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
-allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
-allow adbd sdcard_type:dir create_dir_perms;
-allow adbd sdcard_type:file create_file_perms;
-
-# adb pull /data/anr/traces.txt
-allow adbd anr_data_file:dir r_dir_perms;
-allow adbd anr_data_file:file r_file_perms;
-
-# adb pull /vendor/framework/*
-allow adbd vendor_framework_file:dir r_dir_perms;
-allow adbd vendor_framework_file:file r_file_perms;
-
-# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
-set_prop(adbd, shell_prop)
-set_prop(adbd, powerctl_prop)
-get_prop(adbd, ffs_config_prop)
-set_prop(adbd, ffs_control_prop)
-
-# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
-set_prop(adbd, adbd_prop)
-set_prop(adbd, adbd_config_prop)
-
-# Allow adbd start/stop mdnsd via ctl.start
-set_prop(adbd, ctl_mdnsd_prop)
-
-# Access device logging gating property
-get_prop(adbd, device_logging_prop)
-
-# Read device's serial number from system properties
-get_prop(adbd, serialno_prop)
-
-# Read whether or not Test Harness Mode is enabled
-get_prop(adbd, test_harness_prop)
-
-# Read persist.adb.tls_server.enable property
-get_prop(adbd, system_adbd_prop)
-
-# Read device's overlayfs related properties and files
-userdebug_or_eng(`
- get_prop(adbd, persistent_properties_ready_prop)
- r_dir_file(adbd, sysfs_dt_firmware_android)
-')
-
-# Run /system/bin/bu
-allow adbd system_file:file rx_file_perms;
-
-# Perform binder IPC to surfaceflinger (screencap)
-# XXX Run screencap in a separate domain?
-binder_use(adbd)
-binder_call(adbd, surfaceflinger)
-binder_call(adbd, gpuservice)
-# b/13188914
-allow adbd gpu_device:chr_file rw_file_perms;
-allow adbd ion_device:chr_file rw_file_perms;
-r_dir_file(adbd, system_file)
-
-# Needed for various screenshots
-hal_client_domain(adbd, hal_graphics_allocator)
-
-# Read /data/misc/adb/adb_keys.
-allow adbd adb_keys_file:dir search;
-allow adbd adb_keys_file:file r_file_perms;
-
-userdebug_or_eng(`
- # Write debugging information to /data/adb
- # when persist.adb.trace_mask is set
- # https://code.google.com/p/android/issues/detail?id=72895
- allow adbd adb_data_file:dir rw_dir_perms;
- allow adbd adb_data_file:file create_file_perms;
-')
-
-# ndk-gdb invokes adb forward to forward the gdbserver socket.
-allow adbd app_data_file:dir search;
-allow adbd app_data_file:sock_file write;
-allow adbd appdomain:unix_stream_socket connectto;
-
-# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
-allow adbd zygote_exec:file r_file_perms;
-allow adbd system_file:file r_file_perms;
-
-# Allow pulling the SELinux policy for CTS purposes
-allow adbd selinuxfs:dir r_dir_perms;
-allow adbd selinuxfs:file r_file_perms;
-allow adbd kernel:security read_policy;
-allow adbd service_contexts_file:file r_file_perms;
-allow adbd file_contexts_file:file r_file_perms;
-allow adbd seapp_contexts_file:file r_file_perms;
-allow adbd property_contexts_file:file r_file_perms;
-allow adbd sepolicy_file:file r_file_perms;
-
-# Allow pulling config.gz for CTS purposes
-allow adbd config_gz:file r_file_perms;
-
-allow adbd gpu_service:service_manager find;
-allow adbd surfaceflinger_service:service_manager find;
-allow adbd bootchart_data_file:dir search;
-allow adbd bootchart_data_file:file r_file_perms;
-
-# Allow access to external storage; we have several visible mount points under /storage
-# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow adbd storage_file:dir r_dir_perms;
-allow adbd storage_file:lnk_file r_file_perms;
-allow adbd mnt_user_file:dir r_dir_perms;
-allow adbd mnt_user_file:lnk_file r_file_perms;
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow adbd media_rw_data_file:dir create_dir_perms;
-allow adbd media_rw_data_file:file create_file_perms;
-
-r_dir_file(adbd, apk_data_file)
allow adbd rootfs:dir r_dir_perms;
-# Allow killing child "perfetto" binary processes, which auto-transition to
-# their own domain. Allows propagating termination of "adb shell perfetto ..."
-# invocations.
-allow adbd perfetto:process signal;
-
-# Allow to pull Perfetto traces.
-allow adbd perfetto_traces_data_file:file r_file_perms;
-allow adbd perfetto_traces_data_file:dir r_dir_perms;
-
-# Allow to push and manage configs in /data/misc/perfetto-configs.
-allow adbd perfetto_configs_data_file:dir rw_dir_perms;
-allow adbd perfetto_configs_data_file:file create_file_perms;
-
# Connect to shell and use a socket transferred from it.
# Used for e.g. abb.
allow adbd shell:unix_stream_socket { read write shutdown };
allow adbd shell:fd use;
-
-# Allow pull /vendor/apex files for CTS tests
-allow adbd vendor_apex_file:dir search;
-allow adbd vendor_apex_file:file r_file_perms;
-
-# Allow adb pull of updated apex files in /data/apex/active.
-allow adbd apex_data_file:dir search;
-allow adbd staging_data_file:file r_file_perms;
-
-###
-### Neverallow rules
-###
-
-# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
-# transitions to the shell domain (except when it crashes). In particular, we
-# never want to see a transition from adbd to su (aka "adb root")
-neverallow adbd { domain -crash_dump -shell }:process transition;
-neverallow adbd { domain userdebug_or_eng(`-su') recovery_only(`-shell') }:process dyntransition;
diff --git a/microdroid/sepolicy/system/private/aidl_lazy_test_server.te b/microdroid/sepolicy/system/private/aidl_lazy_test_server.te
deleted file mode 100644
index 33efde0..0000000
--- a/microdroid/sepolicy/system/private/aidl_lazy_test_server.te
+++ /dev/null
@@ -1,5 +0,0 @@
-userdebug_or_eng(`
- typeattribute aidl_lazy_test_server coredomain;
-
- init_daemon_domain(aidl_lazy_test_server)
-')
diff --git a/microdroid/sepolicy/system/private/apex_test_prepostinstall.te b/microdroid/sepolicy/system/private/apex_test_prepostinstall.te
deleted file mode 100644
index f1bc214..0000000
--- a/microdroid/sepolicy/system/private/apex_test_prepostinstall.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# APEX pre- & post-install test.
-#
-# Allow to run pre- and post-install hooks for APEX test modules
-# in debuggable builds.
-
-type apex_test_prepostinstall, domain, coredomain;
-type apex_test_prepostinstall_exec, system_file_type, exec_type, file_type;
-
-userdebug_or_eng(`
- # /dev/zero
- allow apex_test_prepostinstall apexd:fd use;
- # Logwrapper.
- create_pty(apex_test_prepostinstall)
- # Logwrapper executing sh.
- allow apex_test_prepostinstall shell_exec:file rx_file_perms;
- # Logwrapper exec.
- allow apex_test_prepostinstall system_file:file execute_no_trans;
- # Ls.
- allow apex_test_prepostinstall toolbox_exec:file rx_file_perms;
-')
diff --git a/microdroid/sepolicy/system/private/apexd.te b/microdroid/sepolicy/system/private/apexd.te
index b6fff92..621b1a8 100644
--- a/microdroid/sepolicy/system/private/apexd.te
+++ b/microdroid/sepolicy/system/private/apexd.te
@@ -2,41 +2,6 @@
init_daemon_domain(apexd)
-# Allow creating, reading and writing of APEX files/dirs in the APEX data dir
-allow apexd apex_data_file:dir create_dir_perms;
-allow apexd apex_data_file:file create_file_perms;
-# Allow relabeling file created in /data/apex/decompressed
-allow apexd apex_data_file:file relabelfrom;
-
-# Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir
-allow apexd metadata_file:dir search;
-allow apexd apex_metadata_file:dir create_dir_perms;
-allow apexd apex_metadata_file:file create_file_perms;
-
-# Allow reserving space on /data/apex/ota_reserved for apex decompression
-allow apexd apex_ota_reserved_file:dir create_dir_perms;
-allow apexd apex_ota_reserved_file:file create_file_perms;
-
-# Allow apexd to create files and directories for snapshots of apex data
-allow apexd apex_appsearch_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_appsearch_data_file:file { create_file_perms relabelto };
-allow apexd apex_art_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_art_data_file:file { create_file_perms relabelto };
-allow apexd apex_permission_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_permission_data_file:file { create_file_perms relabelto };
-allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom };
-allow apexd apex_module_data_file:file { create_file_perms relabelfrom };
-allow apexd apex_rollback_data_file:dir create_dir_perms;
-allow apexd apex_rollback_data_file:file create_file_perms;
-allow apexd apex_scheduling_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_scheduling_data_file:file { create_file_perms relabelto };
-allow apexd apex_wifi_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_wifi_data_file:file { create_file_perms relabelto };
-
-# Allow apexd to read directories under /data/misc_de in order to snapshot and
-# restore apex data for all users.
-allow apexd system_data_file:dir r_dir_perms;
-
# allow apexd to create loop devices with /dev/loop-control
allow apexd loop_control_device:chr_file rw_file_perms;
# allow apexd to access loop devices
@@ -83,20 +48,8 @@
# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton };
allow apexd apex_info_file:file relabelto;
-# allow apexd to unlink apex files in /data/apex/active
-# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
-# because it doesn't have write permission for staging_data_file object.
-allow apexd staging_data_file:file unlink;
-
-# allow apexd to read files from /data/app-staging and hardlink them to /data/apex.
-allow apexd staging_data_file:dir r_dir_perms;
-allow apexd staging_data_file:file { r_file_perms link };
-# # Allow relabeling file created in /data/apex/decompressed
-allow apexd staging_data_file:file relabelto;
-
-# allow apexd to read files from /vendor/apex
-allow apexd vendor_apex_file:dir r_dir_perms;
-allow apexd vendor_apex_file:file r_file_perms;
+# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
+allow apexd apex_info_file:file rw_file_perms;
# Unmount and mount filesystems
allow apexd labeledfs:filesystem { mount unmount };
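Review bot: The new `allow apexd apex_info_file:file rw_file_perms;` makes apexd a writer of apex_info_file, while the last hunk of this file drops `neverallow { domain -apexd } apex_info_file:file no_w_file_perms;`, so nothing in the minimal policy still asserts that apexd is the only domain that may write /apex/apex-info-list.xml. Both identifiers that rule needs (apexd, apex_info_file) remain in this file, so it should still compile; keep that one line even if the neighbouring neverallows had to go because their types (apex_data_file, vold_prepare_subdirs, otapreopt_chroot) no longer exist in microdroid, which is an inference and not visible here. The same concern applies to the adbd.te hunk that removes `neverallow adbd { domain -crash_dump -shell }:process transition;` while the context line `allow adbd su:process dyntransition;` stays: shell is still referenced there, so a variant without `-crash_dump` could be retained if crash_dump was removed.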
@@ -114,17 +67,6 @@
# Allow apexd to log to the kernel.
allow apexd kmsg_device:chr_file w_file_perms;
-# Allow apexd to reboot device. Required for rollbacks of apexes that are
-# not covered by rollback manager.
-set_prop(apexd, powerctl_prop)
-
-# Allow apexd to stop itself
-set_prop(apexd, ctl_apexd_prop)
-
-# Find the vold service, and call into vold to manage FS checkpoints
-allow apexd vold_service:service_manager find;
-binder_call(apexd, vold)
-
# Apex pre- & post-install permission.
# Allow self-execute for the fork mount helper.
@@ -134,70 +76,12 @@
# running system.
allow apexd rootfs:dir mounton;
-# Allow to execute shell for pre- and postinstall scripts. A transition
-# rule is required, thus restricted to execute and not execute_no_trans.
-allow apexd shell_exec:file { r_file_perms execute };
-
# apexd is using bootstrap bionic
allow apexd system_bootstrap_lib_file:dir r_dir_perms;
allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
-# Allow transition to test APEX preinstall domain.
-userdebug_or_eng(`
- domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
-')
-
-# Allow transition to GKI update pre/post install domain
-domain_auto_trans(apexd, gki_apex_prepostinstall_exec, gki_apex_prepostinstall)
-
-# Allow apexd to be invoked with logwrapper from init during userspace reboot.
-allow apexd devpts:chr_file { read write };
-
-# Allow apexd to create pts files via logwrap_fork_exec for its own use, to pass to
-# other processes
-create_pty(apexd)
-
-# Allow apexd to read file contexts when performing restorecon of snapshots.
+# Allow apexd to read file contexts when performing restorecon
allow apexd file_contexts_file:file r_file_perms;
-# Allow apexd to execute toybox for snapshot & restore
-allow apexd toolbox_exec:file rx_file_perms;
-
-# Allow apexd to read ro.cold_boot_done prop.
-# apexd uses it to decide whether it needs to keep retrying polling for loop device.
-get_prop(apexd, cold_boot_done_prop)
-
-# Allow apexd to read per-device configuration properties.
-get_prop(apexd, apexd_config_prop)
-
-neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
-neverallow { domain -apexd -init -kernel } apex_metadata_file:file no_w_file_perms;
-neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
-
-neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:file no_w_file_perms;
-
-neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms;
-
-# only apexd can set apexd sysprop
-set_prop(apexd, apexd_prop)
-neverallow { domain -apexd -init } apexd_prop:property_service set;
-
-# only apexd can write apex-info-list.xml
-neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
-
-# Only apexd and init should be allowed to manage /apex mounts
-# A note on otapreopt_chroot. It used to mount APEXes during postainstall stage of A/B OTAs,
-# but starting from S it just calls into apexd to prepare /apex for otapreoprt. Once the sepolicies
-# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below.
-neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
-neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:dir { mounton };
-
-# Allow for use in postinstall
-allow apexd otapreopt_chroot:fd use;
-allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
-allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
-allow apexd proc_filesystems:file r_file_perms;
+#-------------------------------------------
+allow apexd kmsg_device:chr_file w_file_perms;
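Review bot: The added `allow apexd kmsg_device:chr_file w_file_perms;` at the end of this hunk repeats the identical rule that is still present as context at the top of the previous hunk under `# Allow apexd to log to the kernel.`, and the `#-------------------------------------------` separator above it explains nothing. Duplicate allow rules should be merged by the policy compiler, so this is harmless, but the next reader will assume the two lines differ and look for why. Drop the two added lines, or if the separator is meant to mark microdroid-specific additions, replace it with a comment that says so, e.g. `# Rules below are microdroid-specific additions.`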
diff --git a/microdroid/sepolicy/system/private/app.te b/microdroid/sepolicy/system/private/app.te
deleted file mode 100644
index 2b3554f..0000000
--- a/microdroid/sepolicy/system/private/app.te
+++ /dev/null
@@ -1,105 +0,0 @@
-# Allow apps to read the Test Harness Mode property. This property is used in
-# the implementation of ActivityManager.isDeviceInTestHarnessMode()
-get_prop(appdomain, test_harness_prop)
-
-get_prop(appdomain, boot_status_prop)
-get_prop(appdomain, dalvik_config_prop)
-get_prop(appdomain, media_config_prop)
-get_prop(appdomain, packagemanager_config_prop)
-get_prop(appdomain, radio_control_prop)
-get_prop(appdomain, surfaceflinger_color_prop)
-get_prop(appdomain, systemsound_config_prop)
-get_prop(appdomain, telephony_config_prop)
-get_prop(appdomain, userspace_reboot_config_prop)
-get_prop(appdomain, vold_config_prop)
-get_prop(appdomain, adbd_config_prop)
-
-# Allow ART to be configurable via device_config properties
-# (ART "runs" inside the app process)
-get_prop(appdomain, device_config_runtime_native_prop)
-get_prop(appdomain, device_config_runtime_native_boot_prop)
-
-userdebug_or_eng(`perfetto_producer({ appdomain })')
-
-# Prevent apps from causing presubmit failures.
-# Apps can cause selinux denials by accessing CE storage
-# and/or external storage. In either case, the selinux denial is
-# not the cause of the failure, but just a symptom that
-# storage isn't ready. Many apps handle the failure appropriately.
-#
-# Apps cannot access external storage before it becomes available.
-dontaudit appdomain storage_stub_file:dir getattr;
-# Attempts to write to system_data_file is generally a sign
-# that apps are attempting to access encrypted storage before
-# the ACTION_USER_UNLOCKED intent is delivered. Apps are not
-# allowed to write to CE storage before it's available.
-# Attempting to do so will be blocked by both selinux and unix
-# permissions.
-dontaudit appdomain system_data_file:dir write;
-# Apps should not be reading vendor-defined properties.
-dontaudit appdomain vendor_default_prop:file read;
-
-# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
-allow appdomain mnt_media_rw_file:dir search;
-
-neverallow appdomain system_server:udp_socket {
- accept append bind create ioctl listen lock name_bind
- relabelfrom relabelto setattr shutdown };
-
-# Transition to a non-app domain.
-# Exception for the shell and su domains, can transition to runas, etc.
-# Exception for crash_dump to allow for app crash reporting.
-# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
-# to allow renderscript to create privileged executable files.
-neverallow { appdomain -shell userdebug_or_eng(`-su') }
- { domain -appdomain -crash_dump -rs }:process { transition };
-neverallow { appdomain -shell userdebug_or_eng(`-su') }
- { domain -appdomain }:process { dyntransition };
-
-# Don't allow regular apps access to storage configuration properties.
-neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
-
-# Allow to read sendbug.preferred.domain
-get_prop(appdomain, sendbug_config_prop)
-
-# Allow to read graphics related properties.
-get_prop(appdomain, graphics_config_prop)
-
-# Allow to read persist.config.calibration_fac
-get_prop(appdomain, camera_calibration_prop)
-
-# Allow to read db.log.detailed, db.log.slow_query_threshold*
-get_prop(appdomain, sqlite_log_prop)
-
-# Allow font file read by apps.
-allow appdomain font_data_file:file r_file_perms;
-allow appdomain font_data_file:dir r_dir_perms;
-
-# Enter /data/misc/apexdata/
-allow appdomain apex_module_data_file:dir search;
-# Read /data/misc/apexdata/com.android.art, execute signed AOT artifacts.
-allow appdomain apex_art_data_file:dir r_dir_perms;
-allow appdomain apex_art_data_file:file rx_file_perms;
-
-# Allow access to tombstones if an fd to one is given to you.
-# This is restricted by unix permissions, so an app must go through system_server to get one.
-allow appdomain tombstone_data_file:file { getattr read };
-neverallow appdomain tombstone_data_file:file ~{ getattr read };
-
-# Sensitive app domains are not allowed to execute from /data
-# to prevent persistence attacks and ensure all code is executed
-# from read-only locations.
-neverallow {
- bluetooth
- isolated_app
- nfc
- radio
- shared_relro
- system_app
-} {
- data_file_type
- -apex_art_data_file
- -dalvikcache_data_file
- -system_data_file # shared libs in apks
- -apk_data_file
-}:file no_x_file_perms;
diff --git a/microdroid/sepolicy/system/private/app_neverallows.te b/microdroid/sepolicy/system/private/app_neverallows.te
deleted file mode 100644
index 096a41b..0000000
--- a/microdroid/sepolicy/system/private/app_neverallows.te
+++ /dev/null
@@ -1,237 +0,0 @@
-###
-### neverallow rules for untrusted app domains
-###
-
-define(`all_untrusted_apps',`{
- ephemeral_app
- isolated_app
- mediaprovider
- mediaprovider_app
- untrusted_app
- untrusted_app_25
- untrusted_app_27
- untrusted_app_29
- untrusted_app_all
-}')
-# Receive or send uevent messages.
-neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow all_untrusted_apps domain:netlink_socket *;
-
-# Read or write kernel printk buffer
-neverallow all_untrusted_apps kmsg_device:chr_file no_rw_file_perms;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;
-neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:{ file lnk_file } read;
-
-# Do not allow untrusted apps to register services.
-# Only trusted components of Android should be registering
-# services.
-neverallow all_untrusted_apps service_manager_type:service_manager add;
-
-# Do not allow untrusted apps to use VendorBinder
-neverallow all_untrusted_apps vndbinder_device:chr_file *;
-neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
-
-# Do not allow untrusted apps to connect to the property service
-# or set properties. b/10243159
-neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
-neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
-neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
-
-# net.dns properties are not a public API. Disallow untrusted apps from reading this property.
-neverallow { all_untrusted_apps } net_dns_prop:file read;
-
-# Shared libraries created by trusted components within an app home
-# directory can be dlopen()ed. To maintain the W^X property, these files
-# must never be writable to the app.
-neverallow all_untrusted_apps app_exec_data_file:file
- { append create link relabelfrom relabelto rename setattr write };
-
-# Block calling execve() on files in an apps home directory.
-# This is a W^X violation (loading executable code from a writable
-# home directory). For compatibility, allow for targetApi <= 28.
-# b/112357170
-neverallow {
- all_untrusted_apps
- -untrusted_app_25
- -untrusted_app_27
- -runas_app
-} { app_data_file privapp_data_file }:file execute_no_trans;
-
-# Do not allow untrusted apps to invoke dex2oat. This was historically required
-# by ART for compiling secondary dex files but has been removed in Q.
-# Exempt legacy apps (targetApi<=28) for compatibility.
-neverallow {
- all_untrusted_apps
- -untrusted_app_25
- -untrusted_app_27
-} dex2oat_exec:file no_x_file_perms;
-
-# Do not allow untrusted apps to be assigned mlstrustedsubject.
-# This would undermine the per-user isolation model being
-# enforced via levelFrom=user in seapp_contexts and the mls
-# constraints. As there is no direct way to specify a neverallow
-# on attribute assignment, this relies on the fact that fork
-# permission only makes sense within a domain (hence should
-# never be granted to any other domain within mlstrustedsubject)
-# and an untrusted app is allowed fork permission to itself.
-neverallow all_untrusted_apps mlstrustedsubject:process fork;
-
-# Do not allow untrusted apps to hard link to any files.
-# In particular, if an untrusted app links to other app data
-# files, installd will not be able to guarantee the deletion
-# of the linked to file. Hard links also contribute to security
-# bugs, so we want to ensure untrusted apps never have this
-# capability.
-neverallow all_untrusted_apps file_type:file link;
-
-# Do not allow untrusted apps to access network MAC address file
-neverallow all_untrusted_apps sysfs_net:file no_rw_file_perms;
-
-# Do not allow any write access to files in /sys
-neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
-
-# Apps may never access the default sysfs label.
-neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
-
-# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
-# ioctl permission, or 3. disallow the socket class.
-neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
-neverallow all_untrusted_apps *:{
- socket netlink_socket packet_socket key_socket appletalk_socket
- netlink_tcpdiag_socket netlink_nflog_socket
- netlink_xfrm_socket netlink_audit_socket
- netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
- netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
- netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
- netlink_rdma_socket netlink_crypto_socket sctp_socket
- ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
- atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
- bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
- alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
-} *;
-
-# Disallow sending RTM_GETLINK messages on netlink sockets.
-neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
-
-# Do not allow untrusted apps access to /cache
-neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
-neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
-
-# Do not allow untrusted apps to create/unlink files outside of its sandbox,
-# internal storage or sdcard.
-# World accessible data locations allow application to fill the device
-# with unaccounted for data. This data will not get removed during
-# application un-installation.
-neverallow { all_untrusted_apps -mediaprovider } {
- fs_type
- -sdcard_type
- file_type
- -app_data_file # The apps sandbox itself
- -privapp_data_file
- -app_exec_data_file # stored within the app sandbox directory
- -media_rw_data_file # Internal storage. Known that apps can
- # leave artfacts here after uninstall.
- -user_profile_data_file # Access to profile files
- userdebug_or_eng(`
- -method_trace_data_file # only on ro.debuggable=1
- -coredump_file # userdebug/eng only
- ')
-}:dir_file_class_set { create unlink };
-
-# No untrusted component except mediaprovider_app should be touching /dev/fuse
-neverallow { all_untrusted_apps -mediaprovider_app } fuse_device:chr_file *;
-
-# Do not allow untrusted apps to directly open the tun_device
-neverallow all_untrusted_apps tun_device:chr_file open;
-# The tun_device ioctls below are not allowed, to prove equivalence
-# to the kernel patch at
-# https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
-neverallowxperm all_untrusted_apps tun_device:chr_file ioctl ~{ FIOCLEX FIONCLEX TUNGETIFF };
-
-# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
-neverallow all_untrusted_apps anr_data_file:file ~{ open append };
-neverallow all_untrusted_apps anr_data_file:dir ~search;
-
-# Avoid reads from generically labeled /proc files
-# Create a more specific label if needed
-neverallow all_untrusted_apps {
- proc
- proc_asound
- proc_kmsg
- proc_loadavg
- proc_mounts
- proc_pagetypeinfo
- proc_slabinfo
- proc_stat
- proc_swaps
- proc_uptime
- proc_version
- proc_vmallocinfo
- proc_vmstat
-}:file { no_rw_file_perms no_x_file_perms };
-
-# /proc/filesystems is accessible to mediaprovider_app only since it handles
-# external storage
-neverallow { all_untrusted_apps - mediaprovider_app } proc_filesystems:file { no_rw_file_perms no_x_file_perms };
-
-# Avoid all access to kernel configuration
-neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
-
-# Do not allow untrusted apps access to preloads data files
-neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
-
-# Locking of files on /system could lead to denial of service attacks
-# against privileged system components
-neverallow all_untrusted_apps system_file:file lock;
-
-# Do not permit untrusted apps to perform actions on HwBinder service_manager
-# other than find actions for services listed below
-neverallow all_untrusted_apps *:hwservice_manager ~find;
-
-# Do not permit access from apps which host arbitrary code to the protected services
-# The two main reasons for this are:
-# 1. Protected HwBinder servers do not perform client authentication because
-# vendor code does not have a way to understand apps or their relation to
-# caller UID information and, even if it did, those services either operate
-# at a level below that of apps (e.g., HALs) or must not rely on app identity
-# for authorization. Thus, to be safe, the default assumption for all added
-# vendor services is that they treat all their clients as equally authorized
-# to perform operations offered by the service.
-# 2. HAL servers contain code with higher incidence rate of security issues
-# than system/core components and have access to lower layes of the stack
-# (all the way down to hardware) thus increasing opportunities for bypassing
-# the Android security model.
-neverallow all_untrusted_apps protected_hwservice:hwservice_manager find;
-neverallow all_untrusted_apps protected_service:service_manager find;
-
-# SELinux is not an API for untrusted apps to use
-neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
-
-# Access to /proc/tty/drivers, to allow apps to determine if they
-# are running in an emulated environment.
-# b/33214085 b/33814662 b/33791054 b/33211769
-# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
-# This will go away in a future Android release
-neverallow { all_untrusted_apps -untrusted_app_25 } proc_tty_drivers:file r_file_perms;
-neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
-
-# Untrusted apps are not allowed to use cgroups.
-neverallow all_untrusted_apps cgroup:file *;
-neverallow all_untrusted_apps cgroup_v2:file *;
-
-# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
-# must not use it.
-neverallow {
- all_untrusted_apps
- -untrusted_app_25
- -untrusted_app_27
-} mnt_sdcard_file:lnk_file *;
-
-# Only privileged apps may find the incident service
-neverallow all_untrusted_apps incident_service:service_manager find;
diff --git a/microdroid/sepolicy/system/private/app_zygote.te b/microdroid/sepolicy/system/private/app_zygote.te
deleted file mode 100644
index 4ee3af7..0000000
--- a/microdroid/sepolicy/system/private/app_zygote.te
+++ /dev/null
@@ -1,168 +0,0 @@
-typeattribute app_zygote coredomain;
-
-######
-###### Policy below is different from regular zygote-spawned apps
-######
-
-# Allow access to temporary files, which is normally permitted through
-# a domain macro.
-tmpfs_domain(app_zygote);
-
-# Set the UID/GID of the process.
-# This will be further limited to a range of isolated UIDs with seccomp.
-allow app_zygote self:global_capability_class_set { setgid setuid };
-# Drop capabilities from bounding set.
-allow app_zygote self:global_capability_class_set setpcap;
-# Switch SELinux context to isolated app domain.
-allow app_zygote self:process setcurrent;
-allow app_zygote isolated_app:process dyntransition;
-
-# For JIT
-allow app_zygote self:process execmem;
-
-# Allow app_zygote to stat the files that it opens. It must
-# be able to inspect them so that it can reopen them on fork
-# if necessary: b/30963384.
-allow app_zygote debugfs_trace_marker:file getattr;
-
-# get system_server process group
-allow app_zygote system_server:process getpgid;
-
-# Interaction between the app_zygote and its children.
-allow app_zygote isolated_app:process setpgid;
-
-# TODO (b/63631799) fix this access
-dontaudit app_zygote mnt_expand_file:dir getattr;
-
-# Get seapp_contexts
-allow app_zygote seapp_contexts_file:file r_file_perms;
-# Check validity of SELinux context before use.
-selinux_check_context(app_zygote)
-# Check SELinux permissions.
-selinux_check_access(app_zygote)
-
-######
-###### Policy below is shared with regular zygote-spawned apps
-######
-
-# Child of zygote.
-allow app_zygote zygote:fd use;
-allow app_zygote zygote:process sigchld;
-
-# For ART (read /data/dalvik-cache).
-r_dir_file(app_zygote, dalvikcache_data_file);
-allow app_zygote dalvikcache_data_file:file execute;
-
-# Read /data/misc/apexdata/ to (get to com.android.art/dalvik-cache).
-allow app_zygote apex_module_data_file:dir search;
-# For ART APEX (read /data/misc/apexdata/com.android.art/dalvik-cache).
-r_dir_file(app_zygote, apex_art_data_file)
-
-# Allow reading/executing installed binaries to enable preloading
-# application data
-allow app_zygote apk_data_file:dir r_dir_perms;
-allow app_zygote apk_data_file:file { r_file_perms execute };
-
-# /oem accesses.
-allow app_zygote oemfs:dir search;
-
-# Allow app_zygote access to /vendor/overlay
-r_dir_file(app_zygote, vendor_overlay_file)
-
-allow app_zygote system_data_file:lnk_file r_file_perms;
-allow app_zygote system_data_file:file { getattr read map };
-
-# Send unsolicited message to system_server
-unix_socket_send(app_zygote, system_unsolzygote, system_server)
-
-# Allow the app_zygote to access the runtime feature flag properties.
-get_prop(app_zygote, device_config_runtime_native_prop)
-get_prop(app_zygote, device_config_runtime_native_boot_prop)
-
-#####
-##### Neverallow
-#####
-
-# Only permit transition to isolated_app.
-neverallow app_zygote { domain -isolated_app }:process dyntransition;
-
-# Only setcon() transitions, no exec() based transitions, except for crash_dump.
-neverallow app_zygote { domain -crash_dump }:process transition;
-
-# Must not exec() a program without changing domains.
-# Having said that, exec() above is not allowed.
-neverallow app_zygote *:file execute_no_trans;
-
-# The only way to enter this domain is for the zygote to fork a new
-# app_zygote child.
-neverallow { domain -zygote } app_zygote:process dyntransition;
-
-# Disallow write access to properties.
-neverallow app_zygote property_socket:sock_file write;
-neverallow app_zygote property_type:property_service set;
-
-# Should not have any access to data files.
-neverallow app_zygote app_data_file_type:file { rwx_file_perms };
-
-neverallow app_zygote {
- service_manager_type
- -activity_service
- -webviewupdate_service
-}:service_manager find;
-
-# Isolated apps should not be able to access the driver directly.
-neverallow app_zygote gpu_device:chr_file { rwx_file_perms };
-
-# Do not allow app_zygote access to /cache.
-neverallow app_zygote cache_file:dir ~{ r_dir_perms };
-neverallow app_zygote cache_file:file ~{ read getattr };
-
-# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
-# unix_stream_socket, and netlink_selinux_socket.
-neverallow app_zygote domain:{
- socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
- appletalk_socket netlink_route_socket netlink_tcpdiag_socket
- netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
- netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
- netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
- netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
- sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
- x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
- pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
- rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
- alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
-} *;
-
-# Only allow app_zygote to talk to the logd socket, and
-# su/heapprofd/traced_perf on eng/userdebug. This is because
-# cap_setuid/cap_setgid allow to forge uid/gid in SCM_CREDENTIALS.
-# Think twice before changing.
-neverallow app_zygote {
- domain
- -app_zygote
- -logd
- -system_server
- userdebug_or_eng(`-su')
- userdebug_or_eng(`-heapprofd')
- userdebug_or_eng(`-traced_perf')
-}:unix_dgram_socket *;
-
-neverallow app_zygote {
- domain
- -app_zygote
- userdebug_or_eng(`-su')
- userdebug_or_eng(`-heapprofd')
- userdebug_or_eng(`-traced_perf')
-}:unix_stream_socket *;
-
-# Never allow ptrace
-neverallow app_zygote *:process ptrace;
-
-# Do not allow access to Bluetooth-related system properties.
-# neverallow rules for Bluetooth-related data files are listed above.
-neverallow app_zygote {
- bluetooth_a2dp_offload_prop
- bluetooth_audio_hal_prop
- bluetooth_prop
- exported_bluetooth_prop
-}:file create_file_perms;
diff --git a/microdroid/sepolicy/system/private/artd.te b/microdroid/sepolicy/system/private/artd.te
deleted file mode 100644
index 0aa12dc..0000000
--- a/microdroid/sepolicy/system/private/artd.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# art service daemon
-type artd, domain;
-type artd_exec, system_file_type, exec_type, file_type;
-
-# Allow artd to publish a binder service and make binder calls.
-binder_use(artd)
-add_service(artd, artd_service)
-allow artd dumpstate:fifo_file { getattr write };
-
-typeattribute artd coredomain;
-
-init_daemon_domain(artd)
-
-# Allow query ART device config properties
-get_prop(artd, device_config_runtime_native_prop)
-get_prop(artd, device_config_runtime_native_boot_prop)
diff --git a/microdroid/sepolicy/system/private/asan_extract.te b/microdroid/sepolicy/system/private/asan_extract.te
deleted file mode 100644
index 69bcd50..0000000
--- a/microdroid/sepolicy/system/private/asan_extract.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
-# Technically not a daemon but we do want the transition from init domain to
-# asan_extract to occur.
-with_asan(`
- typeattribute asan_extract coredomain;
- init_daemon_domain(asan_extract)
-
- # We need to signal a reboot when done.
- set_prop(asan_extract, powerctl_prop)
-')
diff --git a/microdroid/sepolicy/system/private/atrace.te b/microdroid/sepolicy/system/private/atrace.te
deleted file mode 100644
index d4aed40..0000000
--- a/microdroid/sepolicy/system/private/atrace.te
+++ /dev/null
@@ -1,79 +0,0 @@
-# Domain for atrace process.
-# It is spawned either by traced_probes or by init for the boottrace service.
-
-type atrace_exec, exec_type, file_type, system_file_type;
-
-# boottrace services uses /data/misc/boottrace/categories
-allow atrace boottrace_data_file:dir search;
-allow atrace boottrace_data_file:file r_file_perms;
-
-# Allow atrace to access tracefs.
-allow atrace debugfs_tracing:dir r_dir_perms;
-allow atrace debugfs_tracing:file rw_file_perms;
-allow atrace debugfs_trace_marker:file getattr;
-
-# Allow atrace to write data when a pipe is used for stdout/stderr
-# This is used by Perfetto to capture the output on error in atrace.
-allow atrace traced_probes:fd use;
-allow atrace traced_probes:fifo_file write;
-
-# atrace sets debug.atrace.* properties
-set_prop(atrace, debug_prop)
-
-# atrace pokes all the binder-enabled processes at startup with a
-# SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
-
-# Allow discovery of binder services.
-allow atrace {
- service_manager_type
- -apex_service
- -incident_service
- -iorapd_service
- -netd_service
- -dnsresolver_service
- -stats_service
- -dumpstate_service
- -installd_service
- -vold_service
- -lpdump_service
- -default_android_service
-}:service_manager { find };
-allow atrace servicemanager:service_manager list;
-
-# Allow notifying the processes hosting specific binder services that
-# trace-related system properties have changed.
-binder_use(atrace)
-allow atrace healthd:binder call;
-allow atrace surfaceflinger:binder call;
-allow atrace system_server:binder call;
-allow atrace cameraserver:binder call;
-
-# Similarly, on debug builds, allow specific HALs to be notified that
-# trace-related system properties have changed.
-userdebug_or_eng(`
- # List HAL interfaces.
- allow atrace hwservicemanager:hwservice_manager list;
- # Notify the camera HAL.
- hal_client_domain(atrace, hal_camera)
- hal_client_domain(atrace, hal_vibrator)
-')
-
-# Remove logspam from notification attempts to non-allowlisted services.
-dontaudit atrace hwservice_manager_type:hwservice_manager find;
-dontaudit atrace service_manager_type:service_manager find;
-dontaudit atrace domain:binder call;
-
-# atrace can call atrace HAL
-hal_client_domain(atrace, hal_atrace)
-
-get_prop(atrace, hwservicemanager_prop)
-
-userdebug_or_eng(`
- # atrace is generally invoked as a standalone binary from shell or perf
- # daemons like Perfetto traced_probes. However, in userdebug builds, there is
- # a further option to run atrace as an init daemon for boot tracing.
- init_daemon_domain(atrace)
-
- allow atrace debugfs_tracing_debug:dir r_dir_perms;
- allow atrace debugfs_tracing_debug:file rw_file_perms;
-')
diff --git a/microdroid/sepolicy/system/private/audioserver.te b/microdroid/sepolicy/system/private/audioserver.te
deleted file mode 100644
index feda8d4..0000000
--- a/microdroid/sepolicy/system/private/audioserver.te
+++ /dev/null
@@ -1,105 +0,0 @@
-# audioserver - audio services daemon
-
-typeattribute audioserver coredomain;
-
-type audioserver_exec, exec_type, file_type, system_file_type;
-init_daemon_domain(audioserver)
-tmpfs_domain(audioserver)
-
-r_dir_file(audioserver, sdcard_type)
-
-binder_use(audioserver)
-binder_call(audioserver, binderservicedomain)
-binder_call(audioserver, appdomain)
-binder_service(audioserver)
-
-hal_client_domain(audioserver, hal_allocator)
-# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
-r_dir_file(audioserver, system_file)
-
-hal_client_domain(audioserver, hal_audio)
-
-userdebug_or_eng(`
- # used for TEE sink - pcm capture for debug.
- allow audioserver media_data_file:dir create_dir_perms;
- allow audioserver audioserver_data_file:dir create_dir_perms;
- allow audioserver audioserver_data_file:file create_file_perms;
-
- # ptrace to processes in the same domain for memory leak detection
- allow audioserver self:process ptrace;
-')
-
-add_service(audioserver, audioserver_service)
-allow audioserver activity_service:service_manager find;
-allow audioserver appops_service:service_manager find;
-allow audioserver batterystats_service:service_manager find;
-allow audioserver external_vibrator_service:service_manager find;
-allow audioserver package_native_service:service_manager find;
-allow audioserver permission_service:service_manager find;
-allow audioserver permission_checker_service:service_manager find;
-allow audioserver power_service:service_manager find;
-allow audioserver scheduling_policy_service:service_manager find;
-allow audioserver mediametrics_service:service_manager find;
-allow audioserver sensor_privacy_service:service_manager find;
-allow audioserver soundtrigger_middleware_service:service_manager find;
-
-# Allow read/write access to bluetooth-specific properties
-set_prop(audioserver, bluetooth_a2dp_offload_prop)
-set_prop(audioserver, bluetooth_audio_hal_prop)
-set_prop(audioserver, bluetooth_prop)
-set_prop(audioserver, exported_bluetooth_prop)
-
-# Grant access to audio files to audioserver
-allow audioserver audio_data_file:dir ra_dir_perms;
-allow audioserver audio_data_file:file create_file_perms;
-
-# allow access to ALSA MMAP FDs for AAudio API
-allow audioserver audio_device:chr_file { read write };
-
-not_full_treble(`allow audioserver audio_device:dir r_dir_perms;')
-not_full_treble(`allow audioserver audio_device:chr_file rw_file_perms;')
-
-# For A2DP bridge which is loaded directly into audioserver
-unix_socket_connect(audioserver, bluetooth, bluetooth)
-
-# Allow shell commands from ADB and shell for CTS testing/dumping
-allow audioserver adbd:fd use;
-allow audioserver adbd:unix_stream_socket { read write };
-allow audioserver shell:fifo_file { read write };
-
-# Allow shell commands from ADB for CTS testing/dumping
-userdebug_or_eng(`
- allow audioserver su:fd use;
- allow audioserver su:fifo_file { read write };
- allow audioserver su:unix_stream_socket { read write };
-')
-
-# Allow write access to log tag property
-set_prop(audioserver, log_tag_prop);
-
-###
-### neverallow rules
-###
-
-# audioserver should never execute any executable without a
-# domain transition
-neverallow audioserver { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow audioserver domain:{ udp_socket rawip_socket } *;
-neverallow audioserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
-
-# Allow using wake locks
-wakelock_use(audioserver)
-
-# Allow reading audio config props, e.g. af.fast_track_multiplier
-get_prop(audioserver, audio_config_prop)
diff --git a/microdroid/sepolicy/system/private/auditctl.te b/microdroid/sepolicy/system/private/auditctl.te
deleted file mode 100644
index f634d3d..0000000
--- a/microdroid/sepolicy/system/private/auditctl.te
+++ /dev/null
@@ -1,18 +0,0 @@
-#
-# /system/bin/auditctl executed for logd
-#
-# Performs maintenance of the kernel auditing system, including
-# setting rate limits on SELinux denials.
-#
-
-type auditctl, domain, coredomain;
-type auditctl_exec, file_type, system_file_type, exec_type;
-
-# Uncomment the line below to put this domain into permissive
-# mode. This helps speed SELinux policy development.
-# userdebug_or_eng(`permissive auditctl;')
-
-init_daemon_domain(auditctl)
-
-allow auditctl self:global_capability_class_set audit_control;
-allow auditctl self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
diff --git a/microdroid/sepolicy/system/private/automotive_display_service.te b/microdroid/sepolicy/system/private/automotive_display_service.te
deleted file mode 100644
index fa11ca4..0000000
--- a/microdroid/sepolicy/system/private/automotive_display_service.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# Display proxy service for Automotive
-type automotive_display_service, domain, coredomain;
-type automotive_display_service_exec, system_file_type, exec_type, file_type;
-
-typeattribute automotive_display_service automotive_display_service_server;
-
-# Allow to add a display service to the manager
-add_hwservice(automotive_display_service, fwk_automotive_display_hwservice);
-
-# Allow init to launch automotive display service
-init_daemon_domain(automotive_display_service)
-
-# Allow to use Binder IPC for SurfaceFlinger.
-binder_use(automotive_display_service)
-
-# Allow to use HwBinder IPC for HAL implementations.
-hwbinder_use(automotive_display_service)
-hal_client_domain(automotive_display_service, hal_graphics_composer)
-
-# Allow to read the target property.
-get_prop(automotive_display_service, hwservicemanager_prop)
-
-# Allow to find SurfaceFlinger.
-allow automotive_display_service surfaceflinger_service:service_manager find;
-
-# Allow client domain to do binder IPC to serverdomain.
-binder_call(automotive_display_service, surfaceflinger)
-
-# Allow to use a graphics mapper
-allow automotive_display_service hal_graphics_mapper_hwservice:hwservice_manager find;
-
-# Allow to use hidl token service
-allow automotive_display_service hidl_token_hwservice:hwservice_manager find;
diff --git a/microdroid/sepolicy/system/private/binderservicedomain.te b/microdroid/sepolicy/system/private/binderservicedomain.te
index 7275954..99006bf 100644
--- a/microdroid/sepolicy/system/private/binderservicedomain.te
+++ b/microdroid/sepolicy/system/private/binderservicedomain.te
@@ -1,22 +1,3 @@
-# Rules common to all binder service domains
-
-# Allow dumpstate and incidentd to collect information from binder services
-allow binderservicedomain { dumpstate incidentd }:fd use;
-allow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr };
-allow binderservicedomain { dumpstate incidentd }:fifo_file { getattr write };
-allow binderservicedomain shell_data_file:file { getattr write };
-
-# Allow dumpsys to work from adb shell or the serial console
-allow binderservicedomain devpts:chr_file rw_file_perms;
-allow binderservicedomain console_device:chr_file rw_file_perms;
-
-# Receive and write to a pipe received over Binder from an app.
-allow binderservicedomain appdomain:fd use;
-allow binderservicedomain appdomain:fifo_file write;
-
-# allow all services to run permission checks
-allow binderservicedomain permission_service:service_manager find;
-
allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
allow binderservicedomain keystore:keystore2 { get_state };
allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
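Review bot: The three retained `allow binderservicedomain keystore:...` rules now open the file with no explanatory header, because the `# Rules common to all binder service domains` comment was removed together with the rules it introduced; keep a one-line header such as `# Rules common to all binder service domains (microdroid keeps only keystore access)` so the purpose of the attribute is still stated where the rules live. Separately, `keystore_key { get_state get insert delete exist list sign verify }` and `keystore2_key { delete get_info rebind use }` are granted to every domain that carries binderservicedomain; for a policy that is being reduced to a minimum it seems worth confirming which microdroid domains still carry the attribute and whether the write-side permissions (`insert`, `delete`, `rebind`) are needed by all of them, or whether the rule could be narrowed to the domains that actually use keystore. Whatever follows these lines in the file is outside the hunk.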
diff --git a/microdroid/sepolicy/system/private/blank_screen.te b/microdroid/sepolicy/system/private/blank_screen.te
deleted file mode 100644
index 20d50cc..0000000
--- a/microdroid/sepolicy/system/private/blank_screen.te
+++ /dev/null
@@ -1,7 +0,0 @@
-type blank_screen, domain, coredomain;
-type blank_screen_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(blank_screen)
-
-# hal_light_client has access to hal_light_server
-hal_client_domain(blank_screen, hal_light)
diff --git a/microdroid/sepolicy/system/private/blkid.te b/microdroid/sepolicy/system/private/blkid.te
deleted file mode 100644
index 4e972ab..0000000
--- a/microdroid/sepolicy/system/private/blkid.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# blkid called from vold
-
-typeattribute blkid coredomain;
-
-type blkid_exec, system_file_type, exec_type, file_type;
-
-# Allowed read-only access to encrypted devices to extract UUID/label
-allow blkid block_device:dir search;
-allow blkid userdata_block_device:blk_file r_file_perms;
-allow blkid dm_device:blk_file r_file_perms;
-
-# Allow stdin/out back to vold
-allow blkid vold:fd use;
-allow blkid vold:fifo_file { read write getattr };
-
-# For blkid launched through popen()
-allow blkid blkid_exec:file rx_file_perms;
-
-# Only allow entry from vold
-neverallow { domain -vold } blkid:process transition;
-neverallow * blkid:process dyntransition;
-neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/microdroid/sepolicy/system/private/blkid_untrusted.te b/microdroid/sepolicy/system/private/blkid_untrusted.te
deleted file mode 100644
index 1256771..0000000
--- a/microdroid/sepolicy/system/private/blkid_untrusted.te
+++ /dev/null
@@ -1,37 +0,0 @@
-# blkid for untrusted block devices
-
-typeattribute blkid_untrusted coredomain;
-
-# Allowed read-only access to vold block devices to extract UUID/label
-allow blkid_untrusted block_device:dir search;
-allow blkid_untrusted vold_device:blk_file r_file_perms;
-
-# Allow stdin/out back to vold
-allow blkid_untrusted vold:fd use;
-allow blkid_untrusted vold:fifo_file { read write getattr };
-
-# For blkid launched through popen()
-allow blkid_untrusted blkid_exec:file rx_file_perms;
-
-###
-### neverallow rules
-###
-
-# Untrusted blkid should never be run on block devices holding sensitive data
-neverallow blkid_untrusted {
- boot_block_device
- frp_block_device
- metadata_block_device
- recovery_block_device
- root_block_device
- swap_block_device
- system_block_device
- userdata_block_device
- cache_block_device
- dm_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from vold via blkid binary
-neverallow { domain -vold } blkid_untrusted:process transition;
-neverallow * blkid_untrusted:process dyntransition;
-neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/microdroid/sepolicy/system/private/bluetooth.te b/microdroid/sepolicy/system/private/bluetooth.te
deleted file mode 100644
index 8fc6d20..0000000
--- a/microdroid/sepolicy/system/private/bluetooth.te
+++ /dev/null
@@ -1,87 +0,0 @@
-# bluetooth app
-
-typeattribute bluetooth coredomain, mlstrustedsubject;
-
-app_domain(bluetooth)
-net_domain(bluetooth)
-
-# Socket creation under /data/misc/bluedroid.
-type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
-
-# Allow access to net_admin ioctls
-allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
-
-wakelock_use(bluetooth);
-
-# Data file accesses.
-allow bluetooth bluetooth_data_file:dir create_dir_perms;
-allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
-allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
-allow bluetooth bluetooth_logs_data_file:file create_file_perms;
-
-# Socket creation under /data/misc/bluedroid.
-allow bluetooth bluetooth_socket:sock_file create_file_perms;
-
-allow bluetooth self:global_capability_class_set net_admin;
-allow bluetooth self:global_capability2_class_set wake_alarm;
-
-# tethering
-allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
-allow bluetooth self:global_capability_class_set { net_admin net_raw net_bind_service };
-allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
-allow bluetooth tun_device:chr_file rw_file_perms;
-allowxperm bluetooth tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
-allow bluetooth efs_file:dir search;
-
-# allow Bluetooth to access uhid device for HID profile
-allow bluetooth uhid_device:chr_file rw_file_perms;
-
-# proc access.
-allow bluetooth proc_bluetooth_writable:file rw_file_perms;
-
-# Allow write access to bluetooth specific properties
-set_prop(bluetooth, binder_cache_bluetooth_server_prop);
-neverallow { domain -bluetooth -init }
- binder_cache_bluetooth_server_prop:property_service set;
-set_prop(bluetooth, bluetooth_a2dp_offload_prop)
-set_prop(bluetooth, bluetooth_audio_hal_prop)
-set_prop(bluetooth, bluetooth_prop)
-set_prop(bluetooth, exported_bluetooth_prop)
-set_prop(bluetooth, pan_result_prop)
-
-allow bluetooth audioserver_service:service_manager find;
-allow bluetooth bluetooth_service:service_manager find;
-allow bluetooth drmserver_service:service_manager find;
-allow bluetooth mediaserver_service:service_manager find;
-allow bluetooth radio_service:service_manager find;
-allow bluetooth app_api_service:service_manager find;
-allow bluetooth system_api_service:service_manager find;
-allow bluetooth network_stack_service:service_manager find;
-allow bluetooth system_suspend_control_service:service_manager find;
-
-# already open bugreport file descriptors may be shared with
-# the bluetooth process, from a file in
-# /data/data/com.android.shell/files/bugreports/bugreport-*.
-allow bluetooth shell_data_file:file read;
-
-# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
-allow bluetooth self:global_capability_class_set sys_nice;
-
-hal_client_domain(bluetooth, hal_bluetooth)
-hal_client_domain(bluetooth, hal_telephony)
-
-# Bluetooth A2DP offload requires binding with audio HAL
-hal_client_domain(bluetooth, hal_audio)
-
-read_runtime_log_tags(bluetooth)
-
-###
-### Neverallow rules
-###
-### These are things that the bluetooth app should NEVER be able to do
-###
-
-# Superuser capabilities.
-# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
-neverallow bluetooth self:global_capability_class_set ~{ net_admin net_raw net_bind_service sys_nice};
-neverallow bluetooth self:global_capability2_class_set ~{ wake_alarm block_suspend };
diff --git a/microdroid/sepolicy/system/private/bluetoothdomain.te b/microdroid/sepolicy/system/private/bluetoothdomain.te
deleted file mode 100644
index fe4f0e6..0000000
--- a/microdroid/sepolicy/system/private/bluetoothdomain.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow clients to use a socket provided by the bluetooth app.
-allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
diff --git a/microdroid/sepolicy/system/private/bootanim.te b/microdroid/sepolicy/system/private/bootanim.te
deleted file mode 100644
index 855bc3d..0000000
--- a/microdroid/sepolicy/system/private/bootanim.te
+++ /dev/null
@@ -1,17 +0,0 @@
-typeattribute bootanim coredomain;
-
-init_daemon_domain(bootanim)
-
-# b/68864350
-dontaudit bootanim unlabeled:dir search;
-
-# Bootanim should not be reading default vendor-defined properties.
-dontaudit bootanim vendor_default_prop:file read;
-
-# Read ro.boot.bootreason b/30654343
-get_prop(bootanim, bootloader_boot_reason_prop)
-
-get_prop(bootanim, bootanim_config_prop)
-
-# Allow updating boot animation status.
-set_prop(bootanim, bootanim_system_prop)
diff --git a/microdroid/sepolicy/system/private/bootstat.te b/microdroid/sepolicy/system/private/bootstat.te
deleted file mode 100644
index 016292e..0000000
--- a/microdroid/sepolicy/system/private/bootstat.te
+++ /dev/null
@@ -1,34 +0,0 @@
-typeattribute bootstat coredomain;
-
-init_daemon_domain(bootstat)
-
-# Collect metrics on boot time created by init
-get_prop(bootstat, boottime_prop)
-
-# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)
-set_prop(bootstat, bootloader_boot_reason_prop)
-set_prop(bootstat, system_boot_reason_prop)
-set_prop(bootstat, last_boot_reason_prop)
-
-neverallow {
- domain
- -bootanim
- -bootstat
- -dumpstate
- userdebug_or_eng(`-incidentd')
- -init
- -recovery
- -shell
- -system_server
-} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;
-# ... and refine, as these components should not set the last boot reason
-neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;
-
-neverallow {
- domain
- -bootstat
- -init
- -system_server
-} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
-# ... and refine ... for a ro propertly no less ... keep this _tight_
-neverallow system_server bootloader_boot_reason_prop:property_service set;
diff --git a/microdroid/sepolicy/system/private/boringssl_self_test.te b/microdroid/sepolicy/system/private/boringssl_self_test.te
deleted file mode 100644
index 50fc1fc..0000000
--- a/microdroid/sepolicy/system/private/boringssl_self_test.te
+++ /dev/null
@@ -1,74 +0,0 @@
-# System and vendor domains for BoringSSL self test binaries.
-#
-# For FIPS compliance, all processes linked against libcrypto perform a startup
-# self test which computes a hash of the BoringSSL Crypto Module (BCM) and, at least once
-# per device boot, also run a series of Known Answer Tests (KAT) to verify functionality.
-#
-# The KATs are expensive, and to ensure they are run as few times as possible, they
-# are skipped if a marker file exists in /dev/boringssl/selftest whose name is
-# the hash of the BCM that was computed earlier. The files are zero length and their contents
-# should never be read or written. To avoid giving arbitrary processes access to /dev/boringssl
-# to create these marker files, there are dedicated self test binaries which this policy
-# gives access to and which are run during early-init.
-#
-# Due to build skew, the version of libcrypto in /vendor may have a different hash than
-# the system one. To cater for this there are vendor variants of the self test binaries
-# which also have permission to write to the same files in /dev/boringssl. In the case where
-# vendor and system libcrypto have the same hash, there will be a race to create the file,
-# but this is harmless.
-#
-# If the self tests fail, then the device should reboot into firmware and for this reason
-# the system boringssl_self_test domain needs to be in coredomain. As vendor domains
-# are not allowed in coredomain, this means that the vendor self tests cannot trigger a
-# reboot. However every binary linked against the vendor libcrypto will abort on startup,
-# so in practice the device will crash anyway in this unlikely scenario.
-
-# System boringssl_self_test domain
-type boringssl_self_test, domain, coredomain;
-type boringssl_self_test_exec, system_file_type, exec_type, file_type;
-
-# Vendor boringssl_self_test domain
-type vendor_boringssl_self_test, domain;
-type vendor_boringssl_self_test_exec, vendor_file_type, exec_type, file_type;
-
-# Switch to boringssl_self_test security domain when running boringssl_self_test_exec
-init_daemon_domain(boringssl_self_test)
-
-# Switch to vendor_boringssl_self_test security domain when running vendor_boringssl_self_test_exec
-init_daemon_domain(vendor_boringssl_self_test)
-
-# Marker files, common to both domains, indicating KAT have been performed on a particular libcrypto
-#
-# The files are zero length so there is no issue if both vendor and system code
-# try to create the same file simultaneously. One will succeed and the other will fail
-# silently, i.e. still indicate success. Similar harmless naming collisions will happen in the
-# system domain e.g. when system and APEX copies of libcrypto are identical.
-type boringssl_self_test_marker, file_type;
-
-# Allow self test binaries to create/check for the existence of boringssl_self_test_marker files
-allow { boringssl_self_test vendor_boringssl_self_test }
- boringssl_self_test_marker:file create_file_perms;
-allow { boringssl_self_test vendor_boringssl_self_test }
- boringssl_self_test_marker:dir ra_dir_perms;
-
-# Allow self test binaries to write their stdout/stderr messages to kmsg_debug
-allow { boringssl_self_test vendor_boringssl_self_test }
- kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
-
-# No other process should be able to create marker files because their existence causes the
-# boringssl KAT to be skipped.
-neverallow {
- domain
- -vendor_boringssl_self_test
- -boringssl_self_test
- -init
- -vendor_init
-} boringssl_self_test_marker:file no_rw_file_perms;
-
-neverallow {
- domain
- -vendor_boringssl_self_test
- -boringssl_self_test
- -init
- -vendor_init
-} boringssl_self_test_marker:dir write;
diff --git a/microdroid/sepolicy/system/private/bpfloader.te b/microdroid/sepolicy/system/private/bpfloader.te
deleted file mode 100644
index ae9b52c..0000000
--- a/microdroid/sepolicy/system/private/bpfloader.te
+++ /dev/null
@@ -1,43 +0,0 @@
-# bpf program loader
-type bpfloader, domain;
-type bpfloader_exec, system_file_type, exec_type, file_type;
-typeattribute bpfloader coredomain;
-
-# These permissions are required to pin ebpf maps & programs.
-allow bpfloader { fs_bpf fs_bpf_tethering }:dir { add_name create search write };
-allow bpfloader { fs_bpf fs_bpf_tethering }:file { create read setattr };
-allow fs_bpf_tethering fs_bpf:filesystem associate;
-
-# Allow bpfloader to create bpf maps and programs.
-allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
-
-allow bpfloader self:capability { chown sys_admin net_admin };
-
-set_prop(bpfloader, bpf_progs_loaded_prop)
-
-###
-### Neverallow rules
-###
-
-# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
-neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering }:dir { open read setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:dir { add_name create write };
-neverallow domain { fs_bpf fs_bpf_tethering }:dir ~{ add_name create getattr mounton open read search setattr write };
-
-# TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
-neverallow { domain -bpfloader -gpuservice -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf fs_bpf_tethering }:file read;
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
-neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
-
-neverallow { domain -bpfloader } *:bpf { map_create prog_load };
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
-neverallow { domain -bpfloader -gpuservice -netd -network_stack -system_server } *:bpf { map_read map_write };
-
-neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
-
-neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
-
-# No domain should be allowed to ptrace bpfloader
-neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
diff --git a/microdroid/sepolicy/system/private/bufferhubd.te b/microdroid/sepolicy/system/private/bufferhubd.te
deleted file mode 100644
index 012eb20..0000000
--- a/microdroid/sepolicy/system/private/bufferhubd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute bufferhubd coredomain;
-
-init_daemon_domain(bufferhubd)
diff --git a/microdroid/sepolicy/system/private/cameraserver.te b/microdroid/sepolicy/system/private/cameraserver.te
deleted file mode 100644
index 2be3c9e..0000000
--- a/microdroid/sepolicy/system/private/cameraserver.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute cameraserver coredomain;
-
-typeattribute cameraserver camera_service_server;
-
-init_daemon_domain(cameraserver)
-tmpfs_domain(cameraserver)
diff --git a/microdroid/sepolicy/system/private/canhalconfigurator.te b/microdroid/sepolicy/system/private/canhalconfigurator.te
deleted file mode 100644
index 9ba60ac..0000000
--- a/microdroid/sepolicy/system/private/canhalconfigurator.te
+++ /dev/null
@@ -1,7 +0,0 @@
-type canhalconfigurator, domain, coredomain;
-type canhalconfigurator_exec, exec_type, system_file_type, file_type;
-init_daemon_domain(canhalconfigurator)
-
-# This allows the configurator to look up the CAN HAL controller via
-# hwservice_manager and communicate with it.
-hal_client_domain(canhalconfigurator, hal_can_controller)
diff --git a/microdroid/sepolicy/system/private/charger.te b/microdroid/sepolicy/system/private/charger.te
deleted file mode 100644
index 8be113f..0000000
--- a/microdroid/sepolicy/system/private/charger.te
+++ /dev/null
@@ -1,31 +0,0 @@
-typeattribute charger coredomain;
-
-# charger needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(charger, system_prop)
-set_prop(charger, exported_system_prop)
-set_prop(charger, exported3_system_prop)
-set_prop(charger, charger_status_prop)
-
-get_prop(charger, charger_prop)
-get_prop(charger, charger_config_prop)
-
-# get minui properties
-get_prop(charger, recovery_config_prop)
-
-compatible_property_only(`
- neverallow {
- domain
- -init
- -dumpstate
- -charger
- } charger_prop:file no_rw_file_perms;
-')
-
-neverallow {
- domain
- -init
- -dumpstate
- -vendor_init
- -charger
-} { charger_config_prop charger_status_prop }:file no_rw_file_perms;
diff --git a/microdroid/sepolicy/system/private/clatd.te b/microdroid/sepolicy/system/private/clatd.te
deleted file mode 100644
index 0fa774a..0000000
--- a/microdroid/sepolicy/system/private/clatd.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# 464xlat daemon
-type clatd, domain, coredomain;
-type clatd_exec, system_file_type, exec_type, file_type;
-
-net_domain(clatd)
-
-r_dir_file(clatd, proc_net_type)
-userdebug_or_eng(`
- auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
-# Access objects inherited from netd.
-allow clatd netd:fd use;
-allow clatd netd:fifo_file { read write };
-# TODO: Check whether some or all of these sockets should be close-on-exec.
-allow clatd netd:netlink_kobject_uevent_socket { read write };
-allow clatd netd:netlink_nflog_socket { read write };
-allow clatd netd:netlink_route_socket { read write };
-allow clatd netd:udp_socket { read write };
-allow clatd netd:unix_stream_socket { read write };
-allow clatd netd:unix_dgram_socket { read write };
-
-allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
-
-# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
-# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
-# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
-# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
-# so we permit any requests we see from clatd asking for this capability.
-# See https://android-review.googlesource.com/127940 and
-# https://b.corp.google.com/issues/21736319
-allow clatd self:global_capability_class_set ipc_lock;
-
-allow clatd self:netlink_route_socket nlmsg_write;
-allow clatd self:{ packet_socket rawip_socket } create_socket_perms_no_ioctl;
-allow clatd tun_device:chr_file rw_file_perms;
diff --git a/microdroid/sepolicy/system/private/coredomain.te b/microdroid/sepolicy/system/private/coredomain.te
deleted file mode 100644
index b7f4f5d..0000000
--- a/microdroid/sepolicy/system/private/coredomain.te
+++ /dev/null
@@ -1,246 +0,0 @@
-get_prop(coredomain, boot_status_prop)
-get_prop(coredomain, camera_config_prop)
-get_prop(coredomain, dalvik_config_prop)
-get_prop(coredomain, dalvik_runtime_prop)
-get_prop(coredomain, exported_pm_prop)
-get_prop(coredomain, ffs_config_prop)
-get_prop(coredomain, graphics_config_prop)
-get_prop(coredomain, hdmi_config_prop)
-get_prop(coredomain, init_service_status_private_prop)
-get_prop(coredomain, lmkd_config_prop)
-get_prop(coredomain, localization_prop)
-get_prop(coredomain, pm_prop)
-get_prop(coredomain, radio_control_prop)
-get_prop(coredomain, rollback_test_prop)
-get_prop(coredomain, setupwizard_prop)
-get_prop(coredomain, sqlite_log_prop)
-get_prop(coredomain, storagemanager_config_prop)
-get_prop(coredomain, surfaceflinger_color_prop)
-get_prop(coredomain, systemsound_config_prop)
-get_prop(coredomain, telephony_config_prop)
-get_prop(coredomain, usb_config_prop)
-get_prop(coredomain, usb_control_prop)
-get_prop(coredomain, userspace_reboot_config_prop)
-get_prop(coredomain, vold_config_prop)
-get_prop(coredomain, vts_status_prop)
-get_prop(coredomain, zygote_config_prop)
-get_prop(coredomain, zygote_wrap_prop)
-
-# TODO(b/170590987): remove this after cleaning up default_prop
-get_prop(coredomain, default_prop)
-
-full_treble_only(`
-neverallow {
- coredomain
-
- # for chowning
- -init
-
- # generic access to sysfs_type
- -ueventd
- -vold
-} sysfs_leds:file *;
-')
-
-# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few allowlisted coredomains to keep system/vendor separation.
-full_treble_only(`
- # Limit access to /vendor/app
- neverallow {
- coredomain
- -appdomain
- -dex2oat
- -dexoptanalyzer
- -idmap
- -init
- -installd
- -heapprofd
- -postinstall_dexopt
- -rs # spawned by appdomain, so carryover the exception above
- -system_server
- -traced_perf
- } vendor_app_file:dir { open read getattr search };
-')
-
-full_treble_only(`
- neverallow {
- coredomain
- -appdomain
- -dex2oat
- -dexoptanalyzer
- -idmap
- -init
- -installd
- -heapprofd
- userdebug_or_eng(`-profcollectd')
- -postinstall_dexopt
- -rs # spawned by appdomain, so carryover the exception above
- -system_server
- -traced_perf
- -mediaserver
- } vendor_app_file:file r_file_perms;
-')
-
-full_treble_only(`
- # Limit access to /vendor/overlay
- neverallow {
- coredomain
- -appdomain
- -idmap
- -init
- -installd
- -iorap_inode2filename
- -iorap_prefetcherd
- -postinstall_dexopt
- -rs # spawned by appdomain, so carryover the exception above
- -system_server
- -traced_perf
- -app_zygote
- -webview_zygote
- -zygote
- -heapprofd
- } vendor_overlay_file:dir { getattr open read search };
-')
-
-full_treble_only(`
- neverallow {
- coredomain
- -appdomain
- -idmap
- -init
- -installd
- -iorap_inode2filename
- -iorap_prefetcherd
- -postinstall_dexopt
- -rs # spawned by appdomain, so carryover the exception above
- -system_server
- -traced_perf
- -app_zygote
- -webview_zygote
- -zygote
- -heapprofd
- userdebug_or_eng(`-profcollectd')
- } vendor_overlay_file:file open;
-')
-
-# Core domains are not permitted to use kernel interfaces which are not
-# explicitly labeled.
-# TODO(b/65643247): Apply these neverallow rules to all coredomain.
-full_treble_only(`
- # /proc
- neverallow {
- coredomain
- -init
- -vold
- } proc:file no_rw_file_perms;
-
- # /sys
- neverallow {
- coredomain
- -init
- -ueventd
- -vold
- } sysfs:file no_rw_file_perms;
-
- # /dev
- neverallow {
- coredomain
- -fsck
- -init
- -ueventd
- } device:{ blk_file file } no_rw_file_perms;
-
- # debugfs
- neverallow {
- coredomain
- no_debugfs_restriction(`
- -dumpstate
- -init
- -system_server
- ')
- } debugfs:file no_rw_file_perms;
-
- # tracefs
- neverallow {
- coredomain
- -atrace
- -dumpstate
- -gpuservice
- -init
- -traced_perf
- -traced_probes
- -shell
- -system_server
- -traceur_app
- userdebug_or_eng(`-profcollectd')
- } debugfs_tracing:file no_rw_file_perms;
-
- # inotifyfs
- neverallow {
- coredomain
- -init
- } inotify:file no_rw_file_perms;
-
- # pstorefs
- neverallow {
- coredomain
- -bootstat
- -charger
- -dumpstate
- -healthd
- userdebug_or_eng(`-incidentd')
- -init
- -logd
- -logpersist
- -recovery_persist
- -recovery_refresh
- -shell
- -system_server
- } pstorefs:file no_rw_file_perms;
-
- # configfs
- neverallow {
- coredomain
- -init
- -system_server
- } configfs:file no_rw_file_perms;
-
- # functionfs
- neverallow {
- coredomain
- -adbd
- -init
- -mediaprovider
- -system_server
- } functionfs:file no_rw_file_perms;
-
- # usbfs and binfmt_miscfs
- neverallow {
- coredomain
- -init
- }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
-
- # dmabuf heaps
- neverallow {
- coredomain
- -init
- -ueventd
- }{
- dmabuf_heap_device_type
- -dmabuf_system_heap_device
- -dmabuf_system_secure_heap_device
- }:chr_file no_rw_file_perms;
-')
-
-# Following /dev nodes must not be directly accessed by coredomain, but should
-# instead be wrapped by HALs.
-neverallow coredomain {
- iio_device
- radio_device
-}:chr_file { open read append write ioctl };
-
-# TODO(b/120243891): HAL permission to tee_device is included into coredomain
-# on non-Treble devices.
-full_treble_only(`
- neverallow coredomain tee_device:chr_file { open read append write ioctl };
-')
diff --git a/microdroid/sepolicy/system/private/cppreopts.te b/microdroid/sepolicy/system/private/cppreopts.te
deleted file mode 100644
index 1192ba6..0000000
--- a/microdroid/sepolicy/system/private/cppreopts.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# cppreopts
-#
-# This command copies preopted files from the system_b partition to the data
-# partition. This domain ensures that we are only copying into specific
-# directories.
-
-type cppreopts, domain, mlstrustedsubject, coredomain;
-type cppreopts_exec, system_file_type, exec_type, file_type;
-
-# Technically not a daemon but we do want the transition from init domain to
-# cppreopts to occur.
-init_daemon_domain(cppreopts)
-domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
-
-# Allow cppreopts copy files into the dalvik-cache
-allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
-allow cppreopts dalvikcache_data_file:file { create getattr open read rename write unlink };
-
-# Allow cppreopts to execute itself using #!/system/bin/sh
-allow cppreopts shell_exec:file rx_file_perms;
-
-# Allow us to run find on /postinstall
-allow cppreopts system_file:dir { open read };
-
-# Allow running the cp command using cppreopts permissions. Needed so we can
-# write into dalvik-cache
-allow cppreopts toolbox_exec:file rx_file_perms;
-
-# Silence the denial when /postinstall cannot be mounted, e.g., system_other
-# is wiped, but cppreopts.sh still runs.
-dontaudit cppreopts postinstall_mnt_dir:dir search;
diff --git a/microdroid/sepolicy/system/private/crash_dump.te b/microdroid/sepolicy/system/private/crash_dump.te
index 9233a4d..90587fa 100644
--- a/microdroid/sepolicy/system/private/crash_dump.te
+++ b/microdroid/sepolicy/system/private/crash_dump.te
@@ -1,3 +1,50 @@
+# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
+# which will result in an audit log even when it's allowed to trace.
+dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
+
+allow crash_dump kmsg_debug_device:chr_file { open append };
+
+# Use inherited file descriptors
+allow crash_dump domain:fd use;
+
+# Read/write IPC pipes inherited from crashing processes.
+allow crash_dump domain:fifo_file { read write };
+
+# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
+allow crash_dump domain:fifo_file { append };
+
+# Read information from /proc/$PID.
+allow crash_dump domain:process getattr;
+
+r_dir_file(crash_dump, domain)
+allow crash_dump exec_type:file r_file_perms;
+
+# Read all /vendor
+r_dir_file(crash_dump, vendor_file)
+
+# Talk to tombstoned
+unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
+
+# Append to tombstone files.
+allow crash_dump tombstone_data_file:file { append getattr };
+
+# crash_dump writes out logcat logs at the bottom of tombstones,
+# which is super useful in some cases.
+unix_socket_connect(crash_dump, logdr, logd)
+
+# Crash dump is not intended to access the following files. Since these
+# are WAI, suppress the denials to clean up the logs.
+dontaudit crash_dump {
+ core_data_file_type
+ vendor_file_type
+}:dir search;
+dontaudit crash_dump system_data_file:{ lnk_file file } read;
+dontaudit crash_dump property_type:file read;
+
+# Suppress denials for files in /proc that are passed
+# across exec().
+dontaudit crash_dump proc_type:file rw_file_perms;
+
typeattribute crash_dump coredomain;
# Crash dump does not need to access devices passed across exec().
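Review bot: The two `domain:fifo_file` rules in the middle of the hunk grant overlapping permissions on the same target and class — `{ read write }` on one line and `{ append }` three lines later — which reads as if one was added without noticing the other. Unless the split exists only to keep the two comments apart, fold them into a single rule, `allow crash_dump domain:fifo_file { read write append };`, with one comment covering both cases (pipes inherited from the crashing process and pipes handed over by a dump requester such as dumpstate). The block also brings in `r_dir_file(crash_dump, vendor_file)` and `unix_socket_connect(crash_dump, logdr, logd)`; if microdroid carries no /vendor partition or logd, those look like carry-overs worth a second look, though this hunk alone does not show whether those types are still defined.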
@@ -6,57 +53,19 @@
allow crash_dump {
domain
-apexd
- -bpfloader
-crash_dump
-init
-kernel
-keystore
- -llkd
-logd
-ueventd
-vendor_init
- -vold
}:process { ptrace signal sigchld sigstop sigkill };
-# TODO(b/186868271): Remove the keystore exception soon-ish (maybe by May 14, 2021?)
userdebug_or_eng(`
allow crash_dump {
apexd
keystore
- llkd
logd
- vold
}:process { ptrace signal sigchld sigstop sigkill };
')
-
-###
-### neverallow assertions
-###
-
-# ptrace neverallow assertions are spread throughout the other policy
-# files, so we avoid adding redundant assertions here
-
-neverallow crash_dump {
- apexd
- userdebug_or_eng(`-apexd')
- bpfloader
- init
- kernel
- keystore
- userdebug_or_eng(`-keystore')
- llkd
- userdebug_or_eng(`-llkd')
- logd
- userdebug_or_eng(`-logd')
- ueventd
- vendor_init
- vold
- userdebug_or_eng(`-vold')
-}:process { signal sigstop sigkill };
-
-neverallow crash_dump self:process ptrace;
-neverallow crash_dump gpu_device:chr_file *;
-
-# Read ART APEX data directory
-allow crash_dump apex_art_data_file:dir { getattr search };
-allow crash_dump apex_art_data_file:file r_file_perms;
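Review bot: The ptrace/signal allow rule at the top of the hunk still excludes init, kernel, keystore, logd, ueventd, vendor_init and apexd, but the hunk deletes the neverallow assertions that pinned exactly those exclusions, together with `neverallow crash_dump self:process ptrace;`. Neverallow rules grant nothing and cost nothing at runtime; their only effect is to make the policy compiler reject a later change that lets crash_dump signal or trace those domains, so dropping them does not make the microdroid policy meaningfully smaller. The exclusions for the deleted types (bpfloader, llkd, vold) have to go, but the assertion can be kept for the types that survive, and `neverallow crash_dump gpu_device:chr_file *;` can likewise stay if gpu_device is still defined for microdroid. Suggested replacement for the deleted block:
```selinux
# … unchanged: ptrace/signal allow rules and userdebug_or_eng block …

# Compile-time guard: crash_dump must never be able to signal or trace
# the domains excluded from the allow rule above.
neverallow crash_dump {
    apexd
    userdebug_or_eng(`-apexd')
    init
    kernel
    keystore
    userdebug_or_eng(`-keystore')
    logd
    userdebug_or_eng(`-logd')
    ueventd
    vendor_init
}:process { signal sigstop sigkill };

neverallow crash_dump self:process ptrace;
```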
diff --git a/microdroid/sepolicy/system/private/credstore.te b/microdroid/sepolicy/system/private/credstore.te
deleted file mode 100644
index 8d87e2f..0000000
--- a/microdroid/sepolicy/system/private/credstore.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute credstore coredomain;
-
-init_daemon_domain(credstore)
-
-# talk to Identity Credential
-hal_client_domain(credstore, hal_identity)
diff --git a/microdroid/sepolicy/system/private/crosvm.te b/microdroid/sepolicy/system/private/crosvm.te
deleted file mode 100644
index f7729fd..0000000
--- a/microdroid/sepolicy/system/private/crosvm.te
+++ /dev/null
@@ -1,16 +0,0 @@
-type crosvm, domain, coredomain;
-type crosvm_exec, system_file_type, exec_type, file_type;
-type crosvm_tmpfs, file_type;
-
-# Let crosvm create temporary files.
-tmpfs_domain(crosvm)
-
-# Let crosvm receive file descriptors from VirtualizationService.
-allow crosvm virtualizationservice:fd use;
-
-# Let crosvm open /dev/kvm.
-allow crosvm kvm_device:chr_file rw_file_perms;
-
-# Most other domains shouldn't access /dev/kvm.
-neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
-neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
diff --git a/microdroid/sepolicy/system/private/dex2oat.te b/microdroid/sepolicy/system/private/dex2oat.te
deleted file mode 100644
index 28d8b9a..0000000
--- a/microdroid/sepolicy/system/private/dex2oat.te
+++ /dev/null
@@ -1,109 +0,0 @@
-# dex2oat
-type dex2oat, domain, coredomain;
-type dex2oat_exec, system_file_type, exec_type, file_type;
-
-userfaultfd_use(dex2oat)
-
-r_dir_file(dex2oat, apk_data_file)
-# Access to /vendor/app
-r_dir_file(dex2oat, vendor_app_file)
-# Access /vendor/framework
-allow dex2oat vendor_framework_file:dir { getattr search };
-allow dex2oat vendor_framework_file:file { getattr open read map };
-
-allow dex2oat tmpfs:file { read getattr map };
-
-r_dir_file(dex2oat, dalvikcache_data_file)
-allow dex2oat dalvikcache_data_file:file write;
-allow dex2oat installd:fd use;
-
-# Acquire advisory lock on /system/framework/arm/*
-allow dex2oat system_file:file lock;
-allow dex2oat postinstall_file:file lock;
-
-# Read already open asec_apk_file file descriptors passed by installd.
-# Also allow reading unlabeled files, to allow for upgrading forward
-# locked APKs.
-allow dex2oat asec_apk_file:file { read map };
-allow dex2oat unlabeled:file { read map };
-allow dex2oat oemfs:file { read map };
-allow dex2oat apk_tmp_file:dir search;
-allow dex2oat apk_tmp_file:file r_file_perms;
-allow dex2oat user_profile_data_file:file { getattr read lock map };
-
-# Allow dex2oat to compile app's secondary dex files which were reported back to
-# the framework.
-allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
-
-# Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
-allow dex2oat apex_module_data_file:dir search;
-
-# Allow dex2oat to use file descriptors passed from odrefresh.
-allow dex2oat odrefresh:fd use;
-
-# Allow dex2oat to use devpts and file descriptors passed from odsign
-allow dex2oat odsign_devpts:chr_file { read write };
-allow dex2oat odsign:fd use;
-
-# Allow dex2oat to write to file descriptors from odrefresh for files
-# in the staging area.
-allow dex2oat apex_art_staging_data_file:dir r_dir_perms;
-allow dex2oat apex_art_staging_data_file:file { getattr map read write unlink };
-
-# Allow dex2oat to read artifacts from odrefresh.
-allow dex2oat apex_art_data_file:dir r_dir_perms;
-allow dex2oat apex_art_data_file:file r_file_perms;
-
-# Allow dex2oat to read runtime native flag properties.
-get_prop(dex2oat, device_config_runtime_native_prop)
-get_prop(dex2oat, device_config_runtime_native_boot_prop)
-
-# Allow dex2oat to read /apex/apex-info-list.xml
-allow dex2oat apex_info_file:file r_file_perms;
-
-##################
-# A/B OTA Dexopt #
-##################
-
-# Allow dex2oat to use file descriptors from otapreopt.
-allow dex2oat postinstall_dexopt:fd use;
-
-# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
-allow dex2oat postinstall_file:dir r_dir_perms;
-allow dex2oat postinstall_file:filesystem getattr;
-allow dex2oat postinstall_file:lnk_file { getattr read };
-allow dex2oat postinstall_file:file read;
-# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
-# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
-allow dex2oat postinstall_file:file { execute getattr open };
-
-# Allow dex2oat access to /postinstall/apex.
-allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
-
-# Allow dex2oat access to files in /data/ota.
-allow dex2oat ota_data_file:dir ra_dir_perms;
-allow dex2oat ota_data_file:file r_file_perms;
-
-# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
-# where the oat file is symlinked to the original file in /system.
-allow dex2oat ota_data_file:lnk_file { create read };
-
-# It would be nice to tie this down, but currently, because of how images are written, we can't
-# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
-# create them itself (and make them world-readable).
-allow dex2oat ota_data_file:file { create w_file_perms setattr };
-
-###############
-# APEX Update #
-###############
-
-# /dev/zero is inherited.
-allow dex2oat apexd:fd use;
-
-# Allow dex2oat to use file descriptors from preinstall.
-
-##############
-# Neverallow #
-##############
-
-neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;
diff --git a/microdroid/sepolicy/system/private/dexoptanalyzer.te b/microdroid/sepolicy/system/private/dexoptanalyzer.te
deleted file mode 100644
index d194acb..0000000
--- a/microdroid/sepolicy/system/private/dexoptanalyzer.te
+++ /dev/null
@@ -1,53 +0,0 @@
-# dexoptanalyzer
-type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
-type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
-type dexoptanalyzer_tmpfs, file_type;
-
-r_dir_file(dexoptanalyzer, apk_data_file)
-# Access to /vendor/app
-r_dir_file(dexoptanalyzer, vendor_app_file)
-
-# Reading an APK opens a ZipArchive, which unpack to tmpfs.
-# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
-# own label, which differs from other labels created by other processes.
-# This allows to distinguish in policy files created by dexoptanalyzer vs other
-# processes.
-tmpfs_domain(dexoptanalyzer)
-
-userfaultfd_use(dexoptanalyzer)
-
-# Allow dexoptanalyzer to read files in the dalvik cache.
-allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
-allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
-
-# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
-# app_data_file the oat file is symlinked to the original file in /system.
-allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
-
-# Allow dexoptanalyzer to read files in the ART APEX data directory.
-allow dexoptanalyzer { apex_art_data_file apex_module_data_file }:dir { getattr search };
-allow dexoptanalyzer apex_art_data_file:file r_file_perms;
-
-# Allow dexoptanalyzer to use file descriptors from odrefresh.
-allow dexoptanalyzer odrefresh:fd use;
-
-# Use devpts and fd from odsign (which exec()'s odrefresh)
-allow dexoptanalyzer odsign:fd use;
-allow dexoptanalyzer odsign_devpts:chr_file { read write };
-
-allow dexoptanalyzer installd:fd use;
-allow dexoptanalyzer installd:fifo_file { getattr write };
-
-# Acquire advisory lock on /system/framework/arm/*
-allow dexoptanalyzer system_file:file lock;
-
-# Allow reading secondary dex files that were reported by the app to the
-# package manager.
-allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
-
-# Allow testing /data/user/0 which symlinks to /data/data
-allow dexoptanalyzer system_data_file:lnk_file { getattr };
-
-# Allow query ART device config properties
-get_prop(dexoptanalyzer, device_config_runtime_native_prop)
-get_prop(dexoptanalyzer, device_config_runtime_native_boot_prop)
diff --git a/microdroid/sepolicy/system/private/dhcp.te b/microdroid/sepolicy/system/private/dhcp.te
deleted file mode 100644
index 8ec9111..0000000
--- a/microdroid/sepolicy/system/private/dhcp.te
+++ /dev/null
@@ -1,7 +0,0 @@
-typeattribute dhcp coredomain;
-
-init_daemon_domain(dhcp)
-type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
-
-set_prop(dhcp, dhcp_prop)
-set_prop(dhcp, pan_result_prop)
diff --git a/microdroid/sepolicy/system/private/dnsmasq.te b/microdroid/sepolicy/system/private/dnsmasq.te
deleted file mode 100644
index 96084b4..0000000
--- a/microdroid/sepolicy/system/private/dnsmasq.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute dnsmasq coredomain;
diff --git a/microdroid/sepolicy/system/private/domain.te b/microdroid/sepolicy/system/private/domain.te
index e979f3e..54423ec 100644
--- a/microdroid/sepolicy/system/private/domain.te
+++ b/microdroid/sepolicy/system/private/domain.te
@@ -1,544 +1,252 @@
-# Transition to crash_dump when /system/bin/crash_dump* is executed.
-# This occurs when the process crashes.
-# We do not apply this to the su domain to avoid interfering with
-# tests (b/114136122)
-domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
-allow domain crash_dump:process sigchld;
+# Rules for all domains.
-# Allow every process to check the heapprofd.enable properties to determine
-# whether to load the heap profiling library. This does not necessarily enable
-# heap profiling, as initialization will fail if it does not have the
-# necessary SELinux permissions.
-get_prop(domain, heapprofd_prop);
-# Allow heap profiling on debug builds.
-userdebug_or_eng(`can_profile_heap({
- domain
- -bpfloader
- -init
- -kernel
- -keystore
- -llkd
- -logd
- -logpersist
- -recovery
- -recovery_persist
- -recovery_refresh
- -ueventd
- -vendor_init
- -vold
-})')
+# Allow reaping by init.
+allow domain init:process sigchld;
-# As above, allow perf profiling most processes on debug builds.
-# zygote is excluded as system-wide profiling could end up with it
-# (unexpectedly) holding an open fd across a fork.
-userdebug_or_eng(`can_profile_perf({
- domain
- -bpfloader
- -init
- -kernel
- -keystore
- -llkd
- -logd
- -logpersist
- -recovery
- -recovery_persist
- -recovery_refresh
- -ueventd
- -vendor_init
- -vold
- -zygote
-})')
+# Intra-domain accesses.
+allow domain self:process {
+ fork
+ sigchld
+ sigkill
+ sigstop
+ signull
+ signal
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ getattr
+ setrlimit
+};
+allow domain self:fd use;
+allow domain proc:dir r_dir_perms;
+allow domain proc_net_type:dir search;
+r_dir_file(domain, self)
+allow domain self:{ fifo_file file } rw_file_perms;
+allow domain self:unix_dgram_socket { create_socket_perms sendto };
+allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
-# Everyone can access the IncFS list of features.
-r_dir_file(domain, sysfs_fs_incfs_features);
+# Inherit or receive open files from others.
+allow domain init:fd use;
+# Root fs.
+allow domain tmpfs:dir { getattr search };
+allow domain rootfs:dir search;
+allow domain rootfs:lnk_file { read getattr };
+
+# Device accesses.
+allow domain device:dir search;
+allow domain dev_type:lnk_file r_file_perms;
+allow domain devpts:dir search;
+allow domain socket_device:dir r_dir_perms;
+allow domain owntty_device:chr_file rw_file_perms;
+allow domain null_device:chr_file rw_file_perms;
+allow domain zero_device:chr_file rw_file_perms;
+
+# /dev/binder can be accessed by ... everyone! :)
+allow { domain -hwservicemanager } binder_device:chr_file rw_file_perms;
+
+# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
+# added to individual domains, but this sets safe defaults for all processes.
+allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };
+
+# /dev/binderfs needs to be accessed by everyone too!
+allow domain binderfs:dir { getattr search };
+allow domain binderfs_logs_proc:dir search;
+
+allow { domain -servicemanager } hwbinder_device:chr_file rw_file_perms;
+allow domain ptmx_device:chr_file rw_file_perms;
+allow domain random_device:chr_file rw_file_perms;
+allow domain proc_random:dir r_dir_perms;
+allow domain proc_random:file r_file_perms;
+allow domain properties_device:dir { search getattr };
+allow domain properties_serial:file r_file_perms;
+allow domain property_info:file r_file_perms;
+
+allow domain property_contexts_file:file r_file_perms;
+
+allow domain init:key search;
+
+# logd access
+unix_socket_send(domain, logdw, logd)
+
+# Directory/link file access for path resolution.
+allow domain {
+ system_file
+ system_lib_file
+ system_seccomp_policy_file
+ system_security_cacerts_file
+}:dir r_dir_perms;
+allow domain system_file:lnk_file { getattr read };
+
+# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
+# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
+allow domain system_seccomp_policy_file:file r_file_perms;
+# cacerts are accessible from public Java API.
+allow domain system_security_cacerts_file:file r_file_perms;
+allow domain system_group_file:file r_file_perms;
+allow domain system_passwd_file:file r_file_perms;
+allow domain system_linker_exec:file { execute read open getattr map };
+allow domain system_linker_config_file:file r_file_perms;
+allow domain system_lib_file:file { execute read open getattr map };
+# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
+allow domain system_linker_exec:lnk_file { read open getattr };
+allow domain system_lib_file:lnk_file { read open getattr };
+
+allow domain system_event_log_tags_file:file r_file_perms;
+
+allow coredomain system_file:file { execute read open getattr map };
+
+# All domains get access to /vendor/etc
+allow domain vendor_configs_file:dir r_dir_perms;
+allow domain vendor_configs_file:file { read open getattr map };
+
+# Allow all domains to be able to follow /system/vendor and/or
+# /vendor/odm symlinks.
+allow domain vendor_file_type:lnk_file { getattr open read };
+
+# This is required to be able to search & read /vendor/lib64
+# in order to lookup vendor libraries. The execute permission
+# for coredomains is granted *only* for same process HALs
+allow domain vendor_file:dir { getattr search };
+
+# Allow reading and executing out of /vendor to all vendor domains
+allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
+allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
+allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
+
+# read and stat any sysfs symlinks
+allow domain sysfs:lnk_file { getattr read };
+
+# Lots of processes access current CPU information
+r_dir_file(domain, sysfs_devices_system_cpu)
+
+# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
+# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
+allow domain sysfs_transparent_hugepage:dir search;
+allow domain sysfs_transparent_hugepage:file r_file_perms;
+
+allow coredomain system_data_file:dir getattr;
+# /data has the label system_data_root_file. Vendor components need the search
+# permission on system_data_root_file for path traversal to /data/vendor.
+allow domain system_data_root_file:dir { search getattr } ;
+allow domain system_data_file:dir search;
+# TODO restrict this to non-coredomain
+allow domain vendor_data_file:dir { getattr search };
+
+# required by the dynamic linker
+allow domain proc:lnk_file { getattr read };
+
+# /proc/cpuinfo
+allow domain proc_cpuinfo:file r_file_perms;
+
+# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
+allow domain proc_perf:file r_file_perms;
+
+# toybox loads libselinux which stats /sys/fs/selinux/
+allow domain selinuxfs:dir search;
+allow domain selinuxfs:file getattr;
+allow domain sysfs:dir search;
+allow domain selinuxfs:filesystem getattr;
+
+# Almost all processes log tracing information to
+# /sys/kernel/debug/tracing/trace_marker
+# The reason behind this is documented in b/6513400
+allow domain debugfs:dir search;
+allow domain debugfs_tracing:dir search;
+allow domain debugfs_tracing_debug:dir search;
+allow domain debugfs_trace_marker:file w_file_perms;
+
+# Linux lockdown mode offers coarse-grained definitions for access controls.
+# The "confidentiality" level detects access to tracefs or the perf subsystem.
+# This overlaps with more precise declarations in Android's policy. The
+# debugfs_trace_marker above is an example in which all processes should have
+# some access to tracefs. Therefore, allow all domains to access this level.
+# The "integrity" level is however enforced.
+allow domain self:lockdown confidentiality;
+
+# Filesystem access.
+allow domain fs_type:filesystem getattr;
+allow domain fs_type:dir getattr;
+
+# Restrict all domains to an allowlist for common socket types. Additional
+# ioctl commands may be added to individual domains, but this sets safe
+# defaults for all processes. Note that granting this allowlist to domain does
+# not grant the ioctl permission on these socket types. That must be granted
+# separately.
+allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+# default allowlist for unix sockets.
+allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
+ ioctl unpriv_unix_sock_ioctls;
+
+# Restrict PTYs to only allowed ioctls.
+# Note that granting this allowlist to domain does
+# not grant the wider ioctl permission. That must be granted
+# separately.
+allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
+
+# All domains must clearly enumerate what ioctls they use
+# on filesystem objects (plain files, directories, symbolic links,
+# named pipes, and named sockets). We start off with a safe set.
+allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
+
+# If a domain has ioctl access to tun_device, it must clearly enumerate the
+# ioctls used. Safe defaults are listed below.
+allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
+
+# Allow a process to make a determination whether a file descriptor
+# for a plain file or pipe (fifo_file) is a tty. Note that granting
+# this allowlist to domain does not grant the ioctl permission to
+# these files. That must be granted separately.
+allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
+allowxperm domain domain:fifo_file ioctl { TCGETS };
+
+# If a domain has access to perform an ioctl on a block device, allow these
+# very common, benign ioctls
+allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
+
+# read APEX dir and stat any symlink pointing to APEXs.
+allow domain apex_mnt_dir:dir { getattr search };
+allow domain apex_mnt_dir:lnk_file r_file_perms;
+
+allow domain self:global_capability_class_set audit_control;
+allow domain self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
+
+# workaround for supressing property accesses.
+# TODO: remove these
+set_prop(domain, property_type)
+# auditallow { domain -init } property_type:property_service set;
+# auditallow { domain -init } property_type:file rw_file_perms;
+
+allow domain linkerconfig_file:dir search;
+allow domain linkerconfig_file:file r_file_perms;
+
+#-----------------------------------------
# Path resolution access in cgroups.
allow domain cgroup:dir search;
-allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
-allow { domain -appdomain -rs } cgroup:file w_file_perms;
+allow { domain } cgroup:dir w_dir_perms;
+allow { domain } cgroup:file w_file_perms;
allow domain cgroup_v2:dir search;
-allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
-allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
+allow { domain } cgroup_v2:dir w_dir_perms;
+allow { domain } cgroup_v2:file w_file_perms;
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
allow domain task_profiles_api_file:file r_file_perms;
-allow domain vendor_task_profiles_file:file r_file_perms;
-# Allow all domains to read sys.use_memfd to determine
-# if memfd support can be used if device supports it
-get_prop(domain, use_memfd_prop);
-
-# Read access to sdkextensions props
-get_prop(domain, module_sdkextensions_prop)
-
-# Read access to bq configuration values
-get_prop(domain, bq_config_prop);
-
-# For now, everyone can access core property files
-# Device specific properties are not granted by default
-not_compatible_property(`
- # DO NOT ADD ANY PROPERTIES HERE
- get_prop(domain, core_property_type)
- get_prop(domain, exported3_system_prop)
- get_prop(domain, vendor_default_prop)
-')
-compatible_property_only(`
- # DO NOT ADD ANY PROPERTIES HERE
- get_prop({coredomain appdomain shell}, core_property_type)
- get_prop({coredomain appdomain shell}, exported3_system_prop)
- get_prop({coredomain appdomain shell}, exported_camera_prop)
- get_prop({coredomain shell}, userspace_reboot_exported_prop)
- get_prop({coredomain shell}, userspace_reboot_log_prop)
- get_prop({coredomain shell}, userspace_reboot_test_prop)
- get_prop({domain -coredomain -appdomain}, vendor_default_prop)
-')
-
+#-----------------------------------------
# Allow access to fsverity keyring.
allow domain kernel:key search;
-# Allow access to keys in the fsverity keyring that were installed at boot.
-allow domain fsverity_init:key search;
-# For testing purposes, allow access to keys installed with su.
-userdebug_or_eng(`
- allow domain su:key search;
-')
-# Allow access to linkerconfig file
-allow domain linkerconfig_file:dir search;
-allow domain linkerconfig_file:file r_file_perms;
-
-# Allow all processes to check for the existence of the boringssl_self_test_marker files.
-allow domain boringssl_self_test_marker:dir search;
-
-# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these allowlisted domains.
-neverallow {
- domain
- -vold
- userdebug_or_eng(`-llkd')
- -dumpstate
- userdebug_or_eng(`-incidentd')
- userdebug_or_eng(`-profcollectd')
- -storaged
- -system_server
-} self:global_capability_class_set sys_ptrace;
-
-# Limit ability to generate hardware unique device ID attestations to priv_apps
-neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
-neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
-neverallow { domain -system_server } *:keystore2_key use_dev_id;
-neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
-
-neverallow {
- domain
- -init
- -vendor_init
- userdebug_or_eng(`-domain')
-} debugfs_tracing_debug:file no_rw_file_perms;
-
-# System_server owns dropbox data, and init creates/restorecons the directory
-# Disallow direct access by other processes.
-neverallow { domain -init -system_server } dropbox_data_file:dir *;
-neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
-
-###
-# Services should respect app sandboxes
-neverallow {
- domain
- -appdomain
- -installd # creation of sandbox
-} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
-
-# Only the following processes should be directly accessing private app
-# directories.
-neverallow {
- domain
- -adbd
- -appdomain
- -app_zygote
- -dexoptanalyzer
- -installd
- -iorap_inode2filename
- -iorap_prefetcherd
- -profman
- -rs # spawned by appdomain, so carryover the exception above
- -runas
- -system_server
- -viewcompiler
- -zygote
-} { privapp_data_file app_data_file }:dir *;
-
-# Only apps should be modifying app data. installd is exempted for
-# restorecon and package install/uninstall.
-neverallow {
- domain
- -appdomain
- -installd
- -rs # spawned by appdomain, so carryover the exception above
-} { privapp_data_file app_data_file }:dir ~r_dir_perms;
-
-neverallow {
- domain
- -appdomain
- -app_zygote
- -installd
- -iorap_prefetcherd
- -rs # spawned by appdomain, so carryover the exception above
-} { privapp_data_file app_data_file }:file_class_set open;
-
-neverallow {
- domain
- -appdomain
- -installd # creation of sandbox
-} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
-
-neverallow {
- domain
- -installd
-} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
-
-# The staging directory contains APEX and APK files. It is important to ensure
-# that these files cannot be accessed by other domains to ensure that the files
-# do not change between system_server staging the files and apexd processing
-# the files.
-neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *;
-neverallow { domain -init -system_app -system_server -apexd -adbd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
-neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
-# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
-# except for `link` and `unlink`.
-neverallow { domain -init -system_server } staging_data_file:file
- { append create relabelfrom rename setattr write no_x_file_perms };
-
-neverallow {
- domain
- -appdomain # for oemfs
- -bootanim # for oemfs
- -recovery # for /tmp/update_binary in tmpfs
- -microdroid_app -microdroid_manager # for executing shared libs on /mnt/apk in Microdroid
-} { fs_type -rootfs }:file execute;
-
-#
-# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few allowlisted domains.
-# Executable files loaded from /data is a persistence vector
-# we want to avoid. See
-# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
-#
-neverallow {
- domain
- -appdomain
- with_asan(`-asan_extract')
- -iorap_prefetcherd
- -shell
- userdebug_or_eng(`-su')
- -system_server_startup # for memfd backed executable regions
- -app_zygote
- -webview_zygote
- -zygote
- userdebug_or_eng(`-mediaextractor')
- userdebug_or_eng(`-mediaswcodec')
-} {
- file_type
- -system_file_type
- -system_lib_file
- -system_linker_exec
- -vendor_file_type
- -exec_type
- -postinstall_file
-}:file execute;
-
-# Only init is allowed to write cgroup.rc file
-neverallow {
- domain
- -init
- -vendor_init
-} cgroup_rc_file:file no_w_file_perms;
-
-# Only authorized processes should be writing to files in /data/dalvik-cache
-neverallow {
- domain
- -init # TODO: limit init to relabelfrom for files
- -zygote
- -installd
- -postinstall_dexopt
- -cppreopts
- -dex2oat
- -otapreopt_slot
-} dalvikcache_data_file:file no_w_file_perms;
-
-neverallow {
- domain
- -init
- -installd
- -postinstall_dexopt
- -cppreopts
- -dex2oat
- -zygote
- -otapreopt_slot
-} dalvikcache_data_file:dir no_w_dir_perms;
-
-# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
-# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
-neverallow {
- domain
- # art processes
- -odrefresh
- -odsign
- # others
- -apexd
- -init
- -vold_prepare_subdirs
-} apex_art_data_file:file no_w_file_perms;
-
-neverallow {
- domain
- # art processes
- -odrefresh
- -odsign
- # others
- -apexd
- -init
- -vold_prepare_subdirs
-} apex_art_data_file:dir no_w_dir_perms;
-
-# Protect most domains from executing arbitrary content from /data.
-neverallow {
- domain
- -appdomain
-} {
- data_file_type
- -apex_art_data_file
- -dalvikcache_data_file
- -system_data_file # shared libs in apks
- -apk_data_file
-}:file no_x_file_perms;
-
-# Minimize dac_override and dac_read_search.
-# Instead of granting them it is usually better to add the domain to
-# a Unix group or change the permissions of a file.
-define(`dac_override_allowed', `{
- apexd
- dnsmasq
- dumpstate
- init
- installd
- userdebug_or_eng(`llkd')
- lmkd
- migrate_legacy_obb_data
- netd
- postinstall_dexopt
- recovery
- rss_hwm_reset
- sdcardd
- tee
- ueventd
- uncrypt
- vendor_init
- vold
- vold_prepare_subdirs
- zygote
-}')
-neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
-# Since the kernel checks dac_read_search before dac_override, domains that
-# have dac_override should also have dac_read_search to eliminate spurious
-# denials. Some domains have dac_read_search without having dac_override, so
-# this list should be a superset of the one above.
-neverallow ~{
- dac_override_allowed
- iorap_inode2filename
- iorap_prefetcherd
- traced_perf
- traced_probes
- heapprofd
-} self:global_capability_class_set dac_read_search;
-
-# Limit what domains can mount filesystems or change their mount flags.
-# sdcard_type / vfat is exempt as a larger set of domains need
-# this capability, including device-specific domains.
-neverallow {
- domain
- -apexd
- recovery_only(`-fastbootd')
- -init
- -kernel
- -otapreopt_chroot
- -recovery
- -update_engine
- -vold
- -zygote
- -zipfuse
-} { fs_type
- -sdcard_type
-}:filesystem { mount remount relabelfrom relabelto };
-
-enforce_debugfs_restriction(`
- neverallow {
- domain userdebug_or_eng(`-init')
- } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
-')
-
-# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
-neverallow {
- domain
- userdebug_or_eng(`-domain')
- -kernel
- -gsid
- -init
- -recovery
- -ueventd
- -healthd
- -uncrypt
- -tee
- -hal_bootctl_server
- -fastbootd
-} self:global_capability_class_set sys_rawio;
-
-# Limit directory operations that doesn't need to do app data isolation.
-neverallow {
- domain
- -init
- -installd
- -zygote
-} mirror_data_file:dir *;
-
-# This property is being removed. Remove remaining access.
-neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
-neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
-
-# Only core domains are allowed to access package_manager properties
-neverallow { domain -init -system_server } pm_prop:property_service set;
-neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
-
-# Do not allow reading the last boot timestamp from system properties
-neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
-
-# Kprobes should only be used by adb root
-neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
-
-# On TREBLE devices, most coredomains should not access vendor_files.
-# TODO(b/71553434): Remove exceptions here.
-full_treble_only(`
- neverallow {
- coredomain
- -appdomain
- -bootanim
- -crash_dump
- -heapprofd
- userdebug_or_eng(`-profcollectd')
- -init
- -iorap_inode2filename
- -iorap_prefetcherd
- -kernel
- -traced_perf
- -ueventd
- } vendor_file:file { no_w_file_perms no_x_file_perms open };
-')
-
-# Vendor domains are not permitted to initiate communications to core domain sockets
-full_treble_only(`
- neverallow_establish_socket_comms({
- domain
- -coredomain
- -appdomain
- -socket_between_core_and_vendor_violators
- }, {
- coredomain
- -logd # Logging by writing to logd Unix domain socket is public API
- -netd # netdomain needs this
- -mdnsd # netdomain needs this
- userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
- -init
- -tombstoned # linker to tombstoned
- userdebug_or_eng(`-heapprofd')
- userdebug_or_eng(`-traced_perf')
- });
-')
-
-full_treble_only(`
- # Do not allow system components access to /vendor files except for the
- # ones allowed here.
- neverallow {
- coredomain
- # TODO(b/37168747): clean up fwk access to /vendor
- -crash_dump
- -init # starts vendor executables
- -iorap_inode2filename
- -iorap_prefetcherd
- -kernel # loads /vendor/firmware
- -heapprofd
- userdebug_or_eng(`-profcollectd')
- -shell
- -system_executes_vendor_violators
- -traced_perf # library/binary access for symbolization
- -ueventd # reads /vendor/ueventd.rc
- -vold # loads incremental fs driver
- } {
- vendor_file_type
- -same_process_hal_file
- -vendor_app_file
- -vendor_apex_file
- -vendor_configs_file
- -vendor_service_contexts_file
- -vendor_framework_file
- -vendor_idc_file
- -vendor_keychars_file
- -vendor_keylayout_file
- -vendor_overlay_file
- -vendor_public_framework_file
- -vendor_public_lib_file
- -vendor_task_profiles_file
- -vndk_sp_file
- }:file *;
-')
-
-# mlsvendorcompat is only for compatibility support for older vendor
-# images, and should not be granted to any domain in current policy.
-# (Every domain is allowed self:fork, so this will trigger if the
-# intsersection of domain & mlsvendorcompat is not empty.)
-neverallow domain mlsvendorcompat:process fork;
-
-# Only init and otapreopt_chroot should be mounting filesystems on locations
-# labeled system or vendor (/product and /vendor respectively).
-# In microdroid, zipfuse is allowed mounton /mnt/apk.
-neverallow { domain -init -otapreopt_chroot -zipfuse } { system_file_type vendor_file_type }:dir_file_class_set mounton;
-
-# Only allow init and vendor_init to read/write mm_events properties
-# NOTE: dumpstate is allowed to read any system property
-neverallow {
- domain
- -init
- -vendor_init
- -dumpstate
-} mm_events_config_prop:file no_rw_file_perms;
-
-# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
-# kernel traces. Addresses are not disclosed, they are repalced with symbol
-# names (if available). Traces don't disclose KASLR.
-neverallow {
- domain
- -init
- userdebug_or_eng(`-profcollectd')
- -vendor_init
- -traced_probes
- -traced_perf
-} proc_kallsyms:file { open read };
-
-# debugfs_kcov type is not included in this neverallow statement since the KCOV
-# tool uses it for kernel fuzzing.
-# vendor_modprobe is also exempted since the kernel modules it loads may create
-# debugfs files in its context.
-enforce_debugfs_restriction(`
- neverallow {
- domain
- -vendor_modprobe
- userdebug_or_eng(`
- -init
- -hal_dumpstate
- ')
- } { debugfs_type
- userdebug_or_eng(`-debugfs_kcov')
- -tracefs_type
- }:file no_rw_file_perms;
-')
+# Transition to crash_dump when /system/bin/crash_dump* is executed.
+# This occurs when the process crashes.
+# We do not apply this to the su domain to avoid interfering with
+# tests (b/114136122)
+domain_auto_trans(domain, crash_dump_exec, crash_dump);
+allow domain crash_dump:process sigchld;
diff --git a/microdroid/sepolicy/system/private/drmserver.te b/microdroid/sepolicy/system/private/drmserver.te
deleted file mode 100644
index 8449c3e..0000000
--- a/microdroid/sepolicy/system/private/drmserver.te
+++ /dev/null
@@ -1,9 +0,0 @@
-typeattribute drmserver coredomain;
-
-init_daemon_domain(drmserver)
-
-type_transition drmserver apk_data_file:sock_file drmserver_socket;
-
-typeattribute drmserver_socket coredomain_socket;
-
-get_prop(drmserver, drm_service_config_prop)
diff --git a/microdroid/sepolicy/system/private/dumpstate.te b/microdroid/sepolicy/system/private/dumpstate.te
deleted file mode 100644
index 37a9a0c..0000000
--- a/microdroid/sepolicy/system/private/dumpstate.te
+++ /dev/null
@@ -1,115 +0,0 @@
-typeattribute dumpstate coredomain;
-type dumpstate_tmpfs, file_type;
-
-init_daemon_domain(dumpstate)
-
-# Execute and transition to the vdc domain
-domain_auto_trans(dumpstate, vdc_exec, vdc)
-
-# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
-allow dumpstate system_file:file lock;
-
-allow dumpstate storaged_exec:file rx_file_perms;
-
-# /data/misc/a11ytrace for accessibility traces
-userdebug_or_eng(`
- allow dumpstate accessibility_trace_data_file:dir r_dir_perms;
- allow dumpstate accessibility_trace_data_file:file r_file_perms;
-')
-
-# /data/misc/wmtrace for wm traces
-userdebug_or_eng(`
- allow dumpstate wm_trace_data_file:dir r_dir_perms;
- allow dumpstate wm_trace_data_file:file r_file_perms;
-')
-
-# Allow dumpstate to make binder calls to incidentd
-binder_call(dumpstate, incidentd)
-
-# Allow dumpstate to make binder calls to storaged service
-binder_call(dumpstate, storaged)
-
-# Allow dumpstate to make binder calls to statsd
-binder_call(dumpstate, statsd)
-
-# Allow dumpstate to talk to gpuservice over binder
-binder_call(dumpstate, gpuservice);
-
-# Allow dumpstate to talk to idmap over binder
-binder_call(dumpstate, idmap);
-
-# Allow dumpstate to talk to profcollectd over binder
-userdebug_or_eng(`
- binder_call(dumpstate, profcollectd)
-')
-
-# Collect metrics on boot time created by init
-get_prop(dumpstate, boottime_prop)
-
-# Signal native processes to dump their stack.
-allow dumpstate {
- mediatranscoding
- statsd
- netd
-}:process signal;
-
-userdebug_or_eng(`
- allow dumpstate keystore:process signal;
-')
-
-# For collecting bugreports.
-no_debugfs_restriction(`
- allow dumpstate debugfs_wakeup_sources:file r_file_perms;
-')
-
-allow dumpstate dev_type:blk_file getattr;
-allow dumpstate webview_zygote:process signal;
-allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
-dontaudit dumpstate update_engine:binder call;
-
-# Read files in /proc
-allow dumpstate {
- proc_net_tcp_udp
- proc_pid_max
-}:file r_file_perms;
-
-# For comminucating with the system process to do confirmation ui.
-binder_call(dumpstate, incidentcompanion_service)
-
-# Set properties.
-# dumpstate_prop is used to share state with the Shell app.
-set_prop(dumpstate, dumpstate_prop)
-set_prop(dumpstate, exported_dumpstate_prop)
-
-# dumpstate_options_prop is used to pass extra command-line args.
-set_prop(dumpstate, dumpstate_options_prop)
-
-# Allow dumpstate to kill vendor dumpstate service by init
-set_prop(dumpstate, ctl_dumpstate_prop)
-
-# For dumping dynamic partition information.
-set_prop(dumpstate, lpdumpd_prop)
-binder_call(dumpstate, lpdumpd)
-
-# For dumping device-mapper and snapshot information.
-allow dumpstate gsid_exec:file rx_file_perms;
-set_prop(dumpstate, ctl_gsid_prop)
-binder_call(dumpstate, gsid)
-
-r_dir_file(dumpstate, ota_metadata_file)
-
-# For starting (and killing) perfetto --save-for-bugreport. If a labelled trace
-# is being recorded, the command above will serialize it into
-# /data/misc/perfetto-traces/bugreport/*.pftrace .
-domain_auto_trans(dumpstate, perfetto_exec, perfetto)
-allow dumpstate perfetto:process signal;
-allow dumpstate perfetto_traces_data_file:dir { search };
-allow dumpstate perfetto_traces_bugreport_data_file:dir rw_dir_perms;
-allow dumpstate perfetto_traces_bugreport_data_file:file { r_file_perms unlink };
-
-# When exec-ing /system/bin/perfetto, dumpstates redirects stdio to /dev/null
-# (which is labelled as dumpstate_tmpfs) to avoid leaking a FD to the bugreport
-# zip file. These rules are to allow perfetto.te to inherit dumpstate's
-# /dev/null.
-allow perfetto dumpstate_tmpfs:file rw_file_perms;
-allow perfetto dumpstate:fd use;
diff --git a/microdroid/sepolicy/system/private/ephemeral_app.te b/microdroid/sepolicy/system/private/ephemeral_app.te
deleted file mode 100644
index e004891..0000000
--- a/microdroid/sepolicy/system/private/ephemeral_app.te
+++ /dev/null
@@ -1,95 +0,0 @@
-###
-### Ephemeral apps.
-###
-### This file defines the security policy for apps with the ephemeral
-### feature.
-###
-### The ephemeral_app domain is a reduced permissions sandbox allowing
-### ephemeral applications to be safely installed and run. Non ephemeral
-### applications may also opt-in to ephemeral to take advantage of the
-### additional security features.
-###
-### PackageManager flags an app as ephemeral at install time.
-
-typeattribute ephemeral_app coredomain;
-
-net_domain(ephemeral_app)
-app_domain(ephemeral_app)
-
-# Allow ephemeral apps to read/write files in visible storage if provided fds
-allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
-
-# Some apps ship with shared libraries and binaries that they write out
-# to their sandbox directory and then execute.
-allow ephemeral_app privapp_data_file:file { r_file_perms execute };
-allow ephemeral_app app_data_file:file { r_file_perms execute };
-
-# Follow priv-app symlinks. This is used for dynamite functionality.
-allow ephemeral_app privapp_data_file:lnk_file r_file_perms;
-
-# Allow the renderscript compiler to be run.
-domain_auto_trans(ephemeral_app, rs_exec, rs)
-
-# Allow loading and deleting shared libraries created by trusted system
-# components within an application home directory.
-allow ephemeral_app app_exec_data_file:file { r_file_perms execute unlink };
-
-# services
-allow ephemeral_app audioserver_service:service_manager find;
-allow ephemeral_app cameraserver_service:service_manager find;
-allow ephemeral_app mediaserver_service:service_manager find;
-allow ephemeral_app mediaextractor_service:service_manager find;
-allow ephemeral_app mediametrics_service:service_manager find;
-allow ephemeral_app mediadrmserver_service:service_manager find;
-allow ephemeral_app drmserver_service:service_manager find;
-allow ephemeral_app radio_service:service_manager find;
-allow ephemeral_app ephemeral_app_api_service:service_manager find;
-
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(ephemeral_app)
-
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(ephemeral_app)
-can_profile_perf(ephemeral_app)
-
-# allow ephemeral apps to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow ephemeral_app system_server:udp_socket {
- connect getattr read recvfrom sendto write getopt setopt };
-
-allow ephemeral_app ashmem_device:chr_file rw_file_perms;
-
-###
-### neverallow rules
-###
-
-neverallow ephemeral_app { app_data_file privapp_data_file }:file execute_no_trans;
-
-# Receive or send uevent messages.
-neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow ephemeral_app domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow ephemeral_app debugfs:file read;
-
-# execute gpu_device
-neverallow ephemeral_app gpu_device:chr_file execute;
-
-# access files in /sys with the default sysfs label
-neverallow ephemeral_app sysfs:file *;
-
-# Avoid reads from generically labeled /proc files
-# Create a more specific label if needed
-neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
-
-# Directly access external storage
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
-
-# Avoid reads to proc_net, it contains too much device wide information about
-# ongoing connections.
-neverallow ephemeral_app proc_net:file no_rw_file_perms;
diff --git a/microdroid/sepolicy/system/private/fastbootd.te b/microdroid/sepolicy/system/private/fastbootd.te
deleted file mode 100644
index 0174faa..0000000
--- a/microdroid/sepolicy/system/private/fastbootd.te
+++ /dev/null
@@ -1,44 +0,0 @@
-typeattribute fastbootd coredomain;
-
-# The allow rules are only included in the recovery policy.
-# Otherwise fastbootd is only allowed the domain rules.
-recovery_only(`
- # Reboot the device
- set_prop(fastbootd, powerctl_prop)
-
- # Read serial number of the device from system properties
- get_prop(fastbootd, serialno_prop)
-
- # Set sys.usb.ffs.ready.
- get_prop(fastbootd, ffs_config_prop)
- set_prop(fastbootd, ffs_control_prop)
-
- userdebug_or_eng(`
- get_prop(fastbootd, persistent_properties_ready_prop)
- ')
-
- set_prop(fastbootd, gsid_prop)
-
- # Determine allocation scheme (whether B partitions needs to be
- # at the second half of super.
- get_prop(fastbootd, virtual_ab_prop)
-
- # Needed for TCP protocol
- allow fastbootd node:tcp_socket node_bind;
- allow fastbootd port:tcp_socket name_bind;
- allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
-
- # Start snapuserd for merging VABC updates
- set_prop(fastbootd, ctl_snapuserd_prop)
-
- # Needed to communicate with snapuserd to complete merges.
- allow fastbootd snapuserd_socket:sock_file write;
- allow fastbootd snapuserd:unix_stream_socket connectto;
- allow fastbootd dm_user_device:dir r_dir_perms;
-
- # Get fastbootd protocol property
- get_prop(fastbootd, fastbootd_protocol_prop)
-
- # Mount /metadata to interact with Virtual A/B snapshots.
- allow fastbootd labeledfs:filesystem { mount unmount };
-')
diff --git a/microdroid/sepolicy/system/private/file.te b/microdroid/sepolicy/system/private/file.te
index 0f7e689..1989d7e 100644
--- a/microdroid/sepolicy/system/private/file.te
+++ b/microdroid/sepolicy/system/private/file.te
@@ -1,67 +1,12 @@
-# /proc/config.gz
-type config_gz, fs_type, proc_type;
-
-# /data/misc/storaged
-type storaged_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/wmtrace for wm traces
-type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/a11ytrace for accessibility traces
-type accessibility_trace_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/perfetto-traces for perfetto traces
-type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/perfetto-traces/bugreport for perfetto traces for bugreports.
-type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/perfetto-configs for perfetto configs
-type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
-
-# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
-type debugfs_kcov, fs_type, debugfs_type;
-
-# App executable files in /data/data directories
-type app_exec_data_file, file_type, data_file_type, core_data_file_type;
-typealias app_exec_data_file alias rs_data_file;
-
-# /data/misc_[ce|de]/rollback : Used by installd to store snapshots
-# of application data.
-type rollback_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/gsi/ota
-type ota_image_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/gsi_persistent_data
-type gsi_persistent_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/emergencynumberdb
-type emergency_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/profcollectd
-type profcollectd_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/apexdata/com.android.art
-type apex_art_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/apexdata/com.android.art/staging
-type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/font/files
-type font_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/odrefresh
-type odrefresh_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/odsign
-type odsign_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/virtualizationservice
-type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/system/environ
-type environ_system_data_file, file_type, data_file_type, core_data_file_type;
-
-# /dev/kvm
-type kvm_device, dev_type;
+allow fs_type self:filesystem associate;
+allow cgroup tmpfs:filesystem associate;
+allow cgroup_v2 tmpfs:filesystem associate;
+allow cgroup_rc_file tmpfs:filesystem associate;
+allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
+allow dev_type tmpfs:filesystem associate;
+allow file_type labeledfs:filesystem associate;
+allow file_type tmpfs:filesystem associate;
+allow file_type rootfs:filesystem associate;
+allow proc_net proc:filesystem associate;
+allow sysfs_type sysfs:filesystem associate;
+allow system_data_file tmpfs:filesystem associate;
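Review bot: The twelve associate rules that now make up file.te carry no comment saying what they are for, so a reader cannot tell why cgroup, cgroup_v2 and cgroup_rc_file are tied to tmpfs while debugfs_type is tied to the three debugfs types; a header such as `# Filesystem association: which file labels may exist on which filesystem types.` followed by `# Without an associate rule a file carrying that label cannot be created or relabeled on that filesystem.` would explain the section. The `allow file_type tmpfs:filesystem associate;` and `allow file_type rootfs:filesystem associate;` rules are broad (any file label on tmpfs or rootfs); they presumably mirror the platform policy this microdroid policy was reduced from, and saying so in the comment would make it easier to trim them later.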
diff --git a/microdroid/sepolicy/system/private/file_contexts b/microdroid/sepolicy/system/private/file_contexts
index 4318bb0..97e756d 100644
--- a/microdroid/sepolicy/system/private/file_contexts
+++ b/microdroid/sepolicy/system/private/file_contexts
@@ -64,11 +64,11 @@
/dev/rtc[0-9] u:object_r:rtc_device:s0
/dev/socket(/.*)? u:object_r:socket_device:s0
/dev/socket/adbd u:object_r:adbd_socket:s0
-/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
/dev/socket/logd u:object_r:logd_socket:s0
/dev/socket/logdr u:object_r:logdr_socket:s0
/dev/socket/logdw u:object_r:logdw_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
+/dev/socket/statsdw u:object_r:statsdw_socket:s0
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
@@ -153,7 +153,6 @@
#
/data u:object_r:system_data_root_file:s0
/data/(.*)? u:object_r:system_data_file:s0
-/data/anr(/.*)? u:object_r:anr_data_file:s0
/data/local/tests(/.*)? u:object_r:shell_test_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
@@ -161,3 +160,7 @@
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor(/.*)? u:object_r:vendor_data_file:s0
+
+# microdroid doesn't use anr, but tombstoned tries to read this.
+# So marking /data/anr as tombstone_data_file
+/data/anr(/.*)? u:object_r:tombstone_data_file:s0
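Review bot: Labeling /data/anr as tombstone_data_file grants every domain that already has tombstone_data_file permissions (the tombstone writers included) the same access under /data/anr, which is broader than the read by tombstoned that the comment motivates; it only stays coherent because the anr_data_file entry is dropped in the earlier hunk of this file, and the comment should say so. Suggested wording: `# microdroid has no ANR reporting, but tombstoned reads /data/anr. It is labeled` / `# tombstone_data_file instead of anr_data_file, so any domain with tombstone_data_file` / `# access reaches /data/anr as well.` The entry is appended after the generic `/data/(.*)?` rule and relies on the more specific path winning, which is the usual file_contexts behaviour but worth keeping in mind if the file is ever reordered.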
diff --git a/microdroid/sepolicy/system/private/fingerprintd.te b/microdroid/sepolicy/system/private/fingerprintd.te
deleted file mode 100644
index eb73ef8..0000000
--- a/microdroid/sepolicy/system/private/fingerprintd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute fingerprintd coredomain;
-
-init_daemon_domain(fingerprintd)
diff --git a/microdroid/sepolicy/system/private/flags_health_check.te b/microdroid/sepolicy/system/private/flags_health_check.te
deleted file mode 100644
index 55d1a9a..0000000
--- a/microdroid/sepolicy/system/private/flags_health_check.te
+++ /dev/null
@@ -1,32 +0,0 @@
-typeattribute flags_health_check coredomain;
-
-init_daemon_domain(flags_health_check)
-
-set_prop(flags_health_check, device_config_boot_count_prop)
-set_prop(flags_health_check, device_config_reset_performed_prop)
-set_prop(flags_health_check, device_config_runtime_native_boot_prop)
-set_prop(flags_health_check, device_config_runtime_native_prop)
-set_prop(flags_health_check, device_config_input_native_boot_prop)
-set_prop(flags_health_check, device_config_netd_native_prop)
-set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
-set_prop(flags_health_check, device_config_media_native_prop)
-set_prop(flags_health_check, device_config_profcollect_native_boot_prop)
-set_prop(flags_health_check, device_config_statsd_native_prop)
-set_prop(flags_health_check, device_config_statsd_native_boot_prop)
-set_prop(flags_health_check, device_config_storage_native_boot_prop)
-set_prop(flags_health_check, device_config_swcodec_native_prop)
-set_prop(flags_health_check, device_config_sys_traced_prop)
-set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
-set_prop(flags_health_check, device_config_configuration_prop)
-set_prop(flags_health_check, device_config_connectivity_prop)
-
-# system property device_config_boot_count_prop is used for deciding when to perform server
-# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
-# wrong timing, trigger server configurable flag related disaster recovery, which will override
-# server configured values of all flags with default values.
-neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;
-
-# system property device_config_reset_performed_prop is used for indicating whether server
-# configurable flags have been reset during booting. Mistakenly modified by unrelated components can
-# cause bad server configurable flags synced back to device.
-neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set;
diff --git a/microdroid/sepolicy/system/private/fsck.te b/microdroid/sepolicy/system/private/fsck.te
deleted file mode 100644
index 4d68fa5..0000000
--- a/microdroid/sepolicy/system/private/fsck.te
+++ /dev/null
@@ -1,7 +0,0 @@
-typeattribute fsck coredomain;
-
-init_daemon_domain(fsck)
-
-allow fsck metadata_block_device:blk_file rw_file_perms;
-
-allow fsck vd_device:blk_file rw_file_perms;
diff --git a/microdroid/sepolicy/system/private/fsck_untrusted.te b/microdroid/sepolicy/system/private/fsck_untrusted.te
deleted file mode 100644
index 9a57bf0..0000000
--- a/microdroid/sepolicy/system/private/fsck_untrusted.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute fsck_untrusted coredomain;
diff --git a/microdroid/sepolicy/system/private/fsverity_init.te b/microdroid/sepolicy/system/private/fsverity_init.te
deleted file mode 100644
index 42d142f..0000000
--- a/microdroid/sepolicy/system/private/fsverity_init.te
+++ /dev/null
@@ -1,25 +0,0 @@
-type fsverity_init, domain, coredomain;
-type fsverity_init_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(fsverity_init)
-
-# Allow to read /proc/keys for searching key id.
-allow fsverity_init proc_keys:file r_file_perms;
-
-# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
-dontaudit fsverity_init init:key view;
-dontaudit fsverity_init vold:key view;
-allow fsverity_init kernel:key { view search write setattr };
-allow fsverity_init fsverity_init:key { view search write };
-
-# Allow init to write to /proc/sys/fs/verity/require_signatures
-allow fsverity_init proc_fs_verity:file w_file_perms;
-
-# Read the on-device signing certificate, to be able to add it to the keyring
-allow fsverity_init odsign:fd use;
-allow fsverity_init odsign_data_file:file { getattr read };
-
-# When kernel requests an algorithm, the crypto API first looks for an
-# already registered algorithm with that name. If it fails, the kernel creates
-# an implementation of the algorithm from templates.
-dontaudit fsverity_init kernel:system module_request;
diff --git a/microdroid/sepolicy/system/private/fwk_bufferhub.te b/microdroid/sepolicy/system/private/fwk_bufferhub.te
deleted file mode 100644
index 6b69cca..0000000
--- a/microdroid/sepolicy/system/private/fwk_bufferhub.te
+++ /dev/null
@@ -1,8 +0,0 @@
-type fwk_bufferhub, domain, coredomain;
-type fwk_bufferhub_exec, system_file_type, exec_type, file_type;
-
-hal_client_domain(fwk_bufferhub, hal_graphics_allocator)
-allow fwk_bufferhub ion_device:chr_file r_file_perms;
-
-hal_server_domain(fwk_bufferhub, hal_bufferhub)
-init_daemon_domain(fwk_bufferhub)
diff --git a/microdroid/sepolicy/system/private/gatekeeperd.te b/microdroid/sepolicy/system/private/gatekeeperd.te
deleted file mode 100644
index 2fb88a3..0000000
--- a/microdroid/sepolicy/system/private/gatekeeperd.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute gatekeeperd coredomain;
-
-init_daemon_domain(gatekeeperd)
-
-# For checking whether GSI is running
-get_prop(gatekeeperd, gsid_prop)
diff --git a/microdroid/sepolicy/system/private/gki_apex_prepostinstall.te b/microdroid/sepolicy/system/private/gki_apex_prepostinstall.te
deleted file mode 100644
index 1155389..0000000
--- a/microdroid/sepolicy/system/private/gki_apex_prepostinstall.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# GKI pre- & post-install hooks.
-#
-# Allow to run pre- and post-install hooks for GKI APEXes
-
-type gki_apex_prepostinstall, domain, coredomain;
-type gki_apex_prepostinstall_exec, system_file_type, exec_type, file_type;
-
-# Execute /system/bin/sh.
-allow gki_apex_prepostinstall shell_exec:file rx_file_perms;
-
-# Execute various toolsbox utilities.
-allow gki_apex_prepostinstall toolbox_exec:file rx_file_perms;
-
-# Allow preinstall.sh to execute update_engine_stable_client binary.
-allow gki_apex_prepostinstall gki_apex_prepostinstall_exec:file execute_no_trans;
-
-# Allow preinstall hook to communicate with update_engine to execute update.
-binder_use(gki_apex_prepostinstall)
-allow gki_apex_prepostinstall update_engine_stable_service:service_manager find;
-binder_call(gki_apex_prepostinstall, update_engine)
-
-# /dev/zero is inherited although it is not used. See b/126787589.
-allow gki_apex_prepostinstall apexd:fd use;
diff --git a/microdroid/sepolicy/system/private/gmscore_app.te b/microdroid/sepolicy/system/private/gmscore_app.te
deleted file mode 100644
index 571d155..0000000
--- a/microdroid/sepolicy/system/private/gmscore_app.te
+++ /dev/null
@@ -1,140 +0,0 @@
-###
-### A domain for further sandboxing the PrebuiltGMSCore app.
-###
-typeattribute gmscore_app coredomain;
-
-app_domain(gmscore_app)
-
-allow gmscore_app sysfs_type:dir search;
-# Read access to /sys/class/net/wlan*/address
-r_dir_file(gmscore_app, sysfs_net)
-# Read access to /sys/block/zram*/mm_stat
-r_dir_file(gmscore_app, sysfs_zram)
-
-r_dir_file(gmscore_app, rootfs)
-
-# Allow GMS core to open kernel config for OTA matching through libvintf
-allow gmscore_app config_gz:file { open read getattr };
-
-# Allow GMS core to communicate with update_engine for A/B update.
-binder_call(gmscore_app, update_engine)
-allow gmscore_app update_engine_service:service_manager find;
-
-# Allow GMS core to communicate with dumpsys storaged.
-binder_call(gmscore_app, storaged)
-allow gmscore_app storaged_service:service_manager find;
-
-# Allow GMS core to access system_update_service (e.g. to publish pending
-# system update info).
-allow gmscore_app system_update_service:service_manager find;
-
-# Allow GMS core to communicate with statsd.
-binder_call(gmscore_app, statsd)
-
-# Allow GMS core to generate unique hardware IDs
-allow gmscore_app keystore:keystore_key gen_unique_id;
-allow gmscore_app keystore:keystore2_key gen_unique_id;
-
-# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
-allow gmscore_app selinuxfs:file r_file_perms;
-
-# suppress denials for non-API accesses.
-dontaudit gmscore_app exec_type:file r_file_perms;
-dontaudit gmscore_app device:dir r_dir_perms;
-dontaudit gmscore_app fs_bpf:dir r_dir_perms;
-dontaudit gmscore_app net_dns_prop:file r_file_perms;
-dontaudit gmscore_app proc:file r_file_perms;
-dontaudit gmscore_app proc_interrupts:file r_file_perms;
-dontaudit gmscore_app proc_modules:file r_file_perms;
-dontaudit gmscore_app proc_net:file r_file_perms;
-dontaudit gmscore_app proc_stat:file r_file_perms;
-dontaudit gmscore_app proc_version:file r_file_perms;
-dontaudit gmscore_app sysfs:dir r_dir_perms;
-dontaudit gmscore_app sysfs:file r_file_perms;
-dontaudit gmscore_app sysfs_android_usb:file r_file_perms;
-dontaudit gmscore_app sysfs_dm:file r_file_perms;
-dontaudit gmscore_app sysfs_loop:file r_file_perms;
-dontaudit gmscore_app { wifi_prop wifi_hal_prop }:file r_file_perms;
-dontaudit gmscore_app mirror_data_file:dir search;
-dontaudit gmscore_app mnt_vendor_file:dir search;
-
-# Access the network
-net_domain(gmscore_app)
-
-# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
-allow gmscore_app self:process ptrace;
-
-# Allow loading executable code from writable priv-app home
-# directories. This is a W^X violation, however, it needs
-# to be supported for now for the following reasons.
-# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
-# 1) com.android.opengl.shaders_cache
-# 2) com.android.skia.shaders_cache
-# 3) com.android.renderscript.cache
-# * /data/user_de/0/com.google.android.gms/app_chimera
-# TODO: Tighten (b/112357170)
-allow gmscore_app privapp_data_file:file execute;
-
-# Chrome Crashpad uses the the dynamic linker to load native executables
-# from an APK (b/112050209, crbug.com/928422)
-allow gmscore_app system_linker_exec:file execute_no_trans;
-
-allow gmscore_app privapp_data_file:lnk_file create_file_perms;
-
-# /proc access
-allow gmscore_app proc_vmstat:file r_file_perms;
-
-# Allow interaction with gpuservice
-binder_call(gmscore_app, gpuservice)
-allow gmscore_app gpu_service:service_manager find;
-
-# find services that expose both @SystemAPI and normal APIs.
-allow gmscore_app app_api_service:service_manager find;
-allow gmscore_app system_api_service:service_manager find;
-allow gmscore_app audioserver_service:service_manager find;
-allow gmscore_app cameraserver_service:service_manager find;
-allow gmscore_app drmserver_service:service_manager find;
-allow gmscore_app mediadrmserver_service:service_manager find;
-allow gmscore_app mediaextractor_service:service_manager find;
-allow gmscore_app mediametrics_service:service_manager find;
-allow gmscore_app mediaserver_service:service_manager find;
-allow gmscore_app network_watchlist_service:service_manager find;
-allow gmscore_app nfc_service:service_manager find;
-allow gmscore_app oem_lock_service:service_manager find;
-allow gmscore_app persistent_data_block_service:service_manager find;
-allow gmscore_app radio_service:service_manager find;
-allow gmscore_app recovery_service:service_manager find;
-allow gmscore_app stats_service:service_manager find;
-
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-allow gmscore_app shell_data_file:file r_file_perms;
-allow gmscore_app shell_data_file:dir r_dir_perms;
-
-# Write to /cache.
-allow gmscore_app { cache_file cache_recovery_file }:dir create_dir_perms;
-allow gmscore_app { cache_file cache_recovery_file }:file create_file_perms;
-# /cache is a symlink to /data/cache on some devices. Allow reading the link.
-allow gmscore_app cache_file:lnk_file r_file_perms;
-
-# Write to /data/ota_package for OTA packages.
-allow gmscore_app ota_package_file:dir rw_dir_perms;
-allow gmscore_app ota_package_file:file create_file_perms;
-
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-allow gmscore_app shell_data_file:file r_file_perms;
-allow gmscore_app shell_data_file:dir r_dir_perms;
-
-# b/18504118: Allow reads from /data/anr/traces.txt
-allow gmscore_app anr_data_file:file r_file_perms;
-
-# b/148974132: com.android.vending needs this
-allow gmscore_app priv_app:tcp_socket { read write };
-
-# b/168059475 Allow GMSCore to read Virtual AB properties to determine
-# if device supports VAB.
-get_prop(gmscore_app, virtual_ab_prop)
-
-# b/186488185: Allow GMSCore to read dck properties
-get_prop(gmscore_app, dck_prop)
diff --git a/microdroid/sepolicy/system/private/gpuservice.te b/microdroid/sepolicy/system/private/gpuservice.te
deleted file mode 100644
index 2e4254c..0000000
--- a/microdroid/sepolicy/system/private/gpuservice.te
+++ /dev/null
@@ -1,66 +0,0 @@
-# gpuservice - server for gpu stats and other gpu related services
-typeattribute gpuservice coredomain;
-type gpuservice_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(gpuservice)
-
-binder_call(gpuservice, adbd)
-binder_call(gpuservice, shell)
-binder_call(gpuservice, system_server)
-binder_use(gpuservice)
-
-# Access the GPU.
-allow gpuservice gpu_device:chr_file rw_file_perms;
-
-# GPU service will need to load GPU driver, for example Vulkan driver in order
-# to get the capability of the driver.
-allow gpuservice same_process_hal_file:file { open read getattr execute map };
-allow gpuservice ion_device:chr_file r_file_perms;
-get_prop(gpuservice, hwservicemanager_prop)
-hwbinder_use(gpuservice)
-
-# Access /dev/graphics/fb0.
-allow gpuservice graphics_device:dir search;
-allow gpuservice graphics_device:chr_file rw_file_perms;
-
-# Needed for dumpsys pipes.
-allow gpuservice shell:fifo_file write;
-
-# Needed for perfetto producer.
-perfetto_producer(gpuservice)
-
-# Use socket supplied by adbd, for cmd gpu vkjson etc.
-allow gpuservice adbd:unix_stream_socket { read write getattr };
-
-# Needed for interactive shell
-allow gpuservice devpts:chr_file { read write getattr };
-
-# Needed for dumpstate to dumpsys gpu.
-allow gpuservice dumpstate:fd use;
-allow gpuservice dumpstate:fifo_file write;
-
-# Needed for stats callback registration to statsd.
-allow gpuservice stats_service:service_manager find;
-allow gpuservice statsmanager_service:service_manager find;
-# TODO(b/146461633): remove this once native pullers talk to StatsManagerService
-binder_call(gpuservice, statsd);
-
-# Needed for reading tracepoint ids in order to attach bpf programs.
-allow gpuservice debugfs_tracing:file r_file_perms;
-allow gpuservice self:perf_event { cpu kernel open write };
-neverallow gpuservice self:perf_event ~{ cpu kernel open write };
-
-# Needed for interact with bpf fs.
-allow gpuservice fs_bpf:dir search;
-allow gpuservice fs_bpf:file read;
-
-# Needed for enable the bpf program and read the map.
-allow gpuservice bpfloader:bpf { map_read prog_run };
-
-# Needed for getting a prop to ensure bpf programs loaded.
-get_prop(gpuservice, bpf_progs_loaded_prop)
-
-add_service(gpuservice, gpu_service)
-
-# Only uncomment below line when in development
-# userdebug_or_eng(`permissive gpuservice;')
diff --git a/microdroid/sepolicy/system/private/gsid.te b/microdroid/sepolicy/system/private/gsid.te
deleted file mode 100644
index 8a13cb1..0000000
--- a/microdroid/sepolicy/system/private/gsid.te
+++ /dev/null
@@ -1,200 +0,0 @@
-# gsid - Manager for GSI Installation
-
-type gsid, domain;
-type gsid_exec, exec_type, file_type, system_file_type;
-typeattribute gsid coredomain;
-
-init_daemon_domain(gsid)
-
-binder_use(gsid)
-binder_service(gsid)
-add_service(gsid, gsi_service)
-
-# Manage DSU metadata encryption key through vold.
-allow gsid vold_service:service_manager find;
-binder_call(gsid, vold)
-
-set_prop(gsid, gsid_prop)
-
-# Needed to create/delete device-mapper nodes, and read/write to them.
-allow gsid dm_device:chr_file rw_file_perms;
-allow gsid dm_device:blk_file rw_file_perms;
-allow gsid self:global_capability_class_set sys_admin;
-dontaudit gsid self:global_capability_class_set dac_override;
-
-# On FBE devices (not using dm-default-key), gsid will use loop devices to map
-# images rather than device-mapper.
-allow gsid loop_control_device:chr_file rw_file_perms;
-allow gsid loop_device:blk_file rw_file_perms;
-allowxperm gsid loop_device:blk_file ioctl {
- LOOP_GET_STATUS64
- LOOP_SET_STATUS64
- LOOP_SET_FD
- LOOP_SET_BLOCK_SIZE
- LOOP_SET_DIRECT_IO
- LOOP_CLR_FD
- BLKFLSBUF
-};
-
-# libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
-# This requires traversing /sys/block/dm-N/slaves/* and reading the list of
-# file names.
-r_dir_file(gsid, sysfs_dm)
-
-# libfiemap_writer needs to read /sys/fs/f2fs/<dev>/features to determine
-# whether pin_file support is enabled.
-r_dir_file(gsid, sysfs_fs_f2fs)
-
-# Needed to read fstab, which is used to validate that system verity does not
-# use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
-# to get the A/B slot suffix).
-allow gsid proc_cmdline:file r_file_perms;
-allow gsid sysfs_dt_firmware_android:dir r_dir_perms;
-allow gsid sysfs_dt_firmware_android:file r_file_perms;
-
-# Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
-allow gsid block_device:dir r_dir_perms;
-
-# liblp queries these block alignment properties.
-allowxperm gsid { userdata_block_device sdcard_block_device }:blk_file ioctl {
- BLKIOMIN
- BLKALIGNOFF
-};
-
-# When installing images to an sdcard, gsid needs to be able to stat() the
-# block device. gsid also calls realpath() to remove symlinks.
-allow gsid mnt_media_rw_file:dir r_dir_perms;
-allow gsid mnt_media_rw_stub_file:dir r_dir_perms;
-
-# When installing images to an sdcard, gsid must bypass sdcardfs and install
-# directly to vfat, which supports the FIBMAP ioctl.
-allow gsid vfat:dir create_dir_perms;
-allow gsid vfat:file create_file_perms;
-allow gsid sdcard_block_device:blk_file r_file_perms;
-# This is needed for FIBMAP unfortunately. Oddly FIEMAP does not carry this
-# requirement, but the kernel does not implement FIEMAP support for VFAT.
-allow gsid self:global_capability_class_set sys_rawio;
-
-# Allow rules for gsi_tool.
-userdebug_or_eng(`
- # gsi_tool passes the system image over the adb connection, via stdin.
- allow gsid adbd:fd use;
- # Needed when running gsi_tool through "su root" rather than adb root.
- allow gsid adbd:unix_stream_socket rw_socket_perms;
- # gsi_tool passes a FIFO to gsid if invoked with pipe redirection.
- allow gsid { shell su }:fifo_file r_file_perms;
- # Allow installing images from /storage/emulated/...
- allow gsid sdcard_type:file r_file_perms;
-')
-
-neverallow {
- domain
- -gsid
- -init
- -update_engine_common
- -recovery
- -fastbootd
-} gsid_prop:property_service set;
-
-# gsid needs to store images on /data, but cannot use file I/O. If it did, the
-# underlying blocks would be encrypted, and we couldn't mount the GSI image in
-# first-stage init. So instead of directly writing to /data, we:
-#
-# 1. fallocate a file large enough to hold the signed GSI
-# 2. extract its block layout with FIEMAP
-# 3. create a dm-linear device using the FIEMAP, targeting /dev/block/by-name/userdata
-# 4. write system_gsi into that dm device
-#
-# To make this process work, we need to unwrap the device-mapper stacking for
-# userdata to reach the underlying block device. To verify the result we use
-# stat(), which requires read access.
-allow gsid userdata_block_device:blk_file r_file_perms;
-
-# gsid uses /metadata/gsi to communicate GSI boot information to first-stage
-# init. It cannot use userdata since data cannot be decrypted during this
-# stage.
-#
-# gsid uses /metadata/gsi to store three files:
-# install_status - A short string indicating whether a GSI image is bootable.
-# lp_metadata - LpMetadata blob describing the block ranges on userdata
-# where system_gsi resides.
-# booted - An empty file that, if exists, indicates that a GSI is
-# currently running.
-#
-allow gsid metadata_file:dir { search getattr };
-allow gsid {
- gsi_metadata_file_type
-}:dir create_dir_perms;
-
-allow gsid {
- ota_metadata_file
-}:dir rw_dir_perms;
-
-allow gsid {
- gsi_metadata_file_type
- ota_metadata_file
-}:file create_file_perms;
-
-# Allow restorecon to fix context of gsi_public_metadata_file.
-allow gsid file_contexts_file:file r_file_perms;
-allow gsid gsi_metadata_file:file relabelfrom;
-allow gsid gsi_public_metadata_file:file relabelto;
-
-allow gsid {
- gsi_data_file
- ota_image_data_file
-}:dir rw_dir_perms;
-allow gsid {
- gsi_data_file
- ota_image_data_file
-}:file create_file_perms;
-allowxperm gsid {
- gsi_data_file
- ota_image_data_file
-}:file ioctl {
- FS_IOC_FIEMAP
- FS_IOC_GETFLAGS
-};
-
-allow gsid system_server:binder call;
-
-# Prevent most processes from writing to gsi_metadata_file_type, but allow
-# adding rules for path resolution of gsi_public_metadata_file and reading
-# gsi_public_metadata_file.
-neverallow {
- domain
- -init
- -gsid
- -fastbootd
-} gsi_metadata_file_type:dir no_w_dir_perms;
-
-neverallow {
- domain
- -init
- -gsid
- -fastbootd
-} { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;
-
-neverallow {
- domain
- -init
- -gsid
- -fastbootd
-} gsi_public_metadata_file:file_class_set ~{ r_file_perms };
-
-# Prevent apps from accessing gsi_metadata_file_type.
-neverallow {
- appdomain
- -shell
-} gsi_metadata_file_type:dir_file_class_set *;
-
-neverallow {
- domain
- -init
- -gsid
-} gsi_data_file:dir_file_class_set *;
-
-neverallow {
- domain
- -gsid
-} gsi_data_file:file_class_set ~{ relabelto getattr };
diff --git a/microdroid/sepolicy/system/private/hal_allocator_default.te b/microdroid/sepolicy/system/private/hal_allocator_default.te
deleted file mode 100644
index 7aa28aa..0000000
--- a/microdroid/sepolicy/system/private/hal_allocator_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_allocator_default, domain, coredomain;
-hal_server_domain(hal_allocator_default, hal_allocator)
-
-type hal_allocator_default_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(hal_allocator_default)
diff --git a/microdroid/sepolicy/system/private/hal_lazy_test.te b/microdroid/sepolicy/system/private/hal_lazy_test.te
deleted file mode 100644
index 93cf235..0000000
--- a/microdroid/sepolicy/system/private/hal_lazy_test.te
+++ /dev/null
@@ -1,3 +0,0 @@
-userdebug_or_eng(`
- hal_attribute_hwservice(hal_lazy_test, hal_lazy_test_hwservice)
-')
diff --git a/microdroid/sepolicy/system/private/halclientdomain.te b/microdroid/sepolicy/system/private/halclientdomain.te
index 9dcd3ee..5f2afb3 100644
--- a/microdroid/sepolicy/system/private/halclientdomain.te
+++ b/microdroid/sepolicy/system/private/halclientdomain.te
@@ -6,8 +6,5 @@
# binderized/out-of-process mode
hwbinder_use(halclientdomain)
-# Used to wait for hwservicemanager
-get_prop(halclientdomain, hwservicemanager_prop)
-
# Wait for HAL server to be up (used by getService)
allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
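Review bot: Removing `get_prop(halclientdomain, hwservicemanager_prop)` while keeping the getService wait below assumes that no HAL client in microdroid still polls the hwservicemanager readiness property; the matching `set_prop` lines are dropped from hwservicemanager.te later in this change, so the property looks unused, but if the libhidl wait on it is still compiled in, that read now lands on whatever label the property falls under and will surface as a denial. A one-line comment recording the assumption, e.g. `# hwservicemanager readiness property is not used in microdroid (see hwservicemanager.te)`, would stop the next reader from re-adding the rule. The hwservicemanager.te hunk makes the mirror-image change and deserves the same note.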
diff --git a/microdroid/sepolicy/system/private/halserverdomain.te b/microdroid/sepolicy/system/private/halserverdomain.te
deleted file mode 100644
index f36e0e7..0000000
--- a/microdroid/sepolicy/system/private/halserverdomain.te
+++ /dev/null
@@ -1,12 +0,0 @@
-###
-### Rules for all domains which offer a HAL service over HwBinder
-###
-
-# Register the HAL service with hwservicemanager
-hwbinder_use(halserverdomain)
-
-# Find HAL implementations
-allow halserverdomain system_file:dir r_dir_perms;
-
-# Used to wait for hwservicemanager
-get_prop(halserverdomain, hwservicemanager_prop)
diff --git a/microdroid/sepolicy/system/private/healthd.te b/microdroid/sepolicy/system/private/healthd.te
deleted file mode 100644
index 93bc3d8..0000000
--- a/microdroid/sepolicy/system/private/healthd.te
+++ /dev/null
@@ -1,12 +0,0 @@
-typeattribute healthd coredomain;
-
-init_daemon_domain(healthd)
-
-# Allow healthd to serve health HAL
-hal_server_domain(healthd, hal_health)
-
-# Healthd needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(healthd, system_prop)
-set_prop(healthd, exported_system_prop)
-set_prop(healthd, exported3_system_prop)
diff --git a/microdroid/sepolicy/system/private/heapprofd.te b/microdroid/sepolicy/system/private/heapprofd.te
deleted file mode 100644
index 246f936..0000000
--- a/microdroid/sepolicy/system/private/heapprofd.te
+++ /dev/null
@@ -1,77 +0,0 @@
-# Android heap profiling daemon. go/heapprofd.
-#
-# On user builds, this daemon is responsible for receiving the initial
-# profiling configuration, finding matching target processes (if profiling by
-# process name), and sending the activation signal to them (+ setting system
-# properties for new processes to start profiling from startup). When profiling
-# is triggered in a process, it spawns a private heapprofd subprocess (in its
-# own SELinux domain), which will exclusively handle profiling of its parent.
-#
-# On debug builds, this central daemon performs profiling for all target
-# processes (which talk directly to this daemon).
-type heapprofd_exec, exec_type, file_type, system_file_type;
-type heapprofd_tmpfs, file_type;
-
-init_daemon_domain(heapprofd)
-tmpfs_domain(heapprofd)
-
-# Allow apps in other MLS contexts (for multi-user) to access
-# shared memory buffers created by heapprofd.
-typeattribute heapprofd_tmpfs mlstrustedobject;
-
-set_prop(heapprofd, heapprofd_prop);
-
-# Necessary for /proc/[pid]/cmdline access & sending signals.
-typeattribute heapprofd mlstrustedsubject;
-
-# Allow sending signals to processes. This excludes SIGKILL, SIGSTOP and
-# SIGCHLD, which are controlled by separate permissions.
-allow heapprofd self:capability kill;
-
-# When scanning /proc/[pid]/cmdline to find matching processes for by-name
-# profiling, only allowlisted domains will be allowed by SELinux. Avoid
-# spamming logs with denials for entries that we can not access.
-dontaudit heapprofd domain:dir { search open };
-
-# Write trace data to the Perfetto traced daemon. This requires connecting to
-# its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(heapprofd)
-
-# When handling profiling for all processes, heapprofd needs to read
-# executables/libraries/etc to do stack unwinding.
-r_dir_file(heapprofd, nativetest_data_file)
-r_dir_file(heapprofd, system_file_type)
-r_dir_file(heapprofd, apex_art_data_file)
-r_dir_file(heapprofd, apk_data_file)
-r_dir_file(heapprofd, dalvikcache_data_file)
-r_dir_file(heapprofd, vendor_file_type)
-r_dir_file(heapprofd, shell_test_data_file)
-# Some dex files are not world-readable.
-# We are still constrained by the SELinux rules above.
-allow heapprofd self:global_capability_class_set dac_read_search;
-
-# For checking profileability.
-allow heapprofd packages_list_file:file r_file_perms;
-
-# This is going to happen on user but is benign because central heapprofd
-# does not actually need these permission.
-# If the dac_read_search capability check is rejected, the kernel then tries
-# to perform a dac_override capability check, so we need to dontaudit that
-# as well.
-dontaudit heapprofd self:global_capability_class_set { dac_read_search dac_override };
-
-never_profile_heap(`{
- bpfloader
- init
- kernel
- keystore
- llkd
- logd
- ueventd
- vendor_init
- vold
-}')
-
-full_treble_only(`
- neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
-')
diff --git a/microdroid/sepolicy/system/private/hidl_lazy_test_server.te b/microdroid/sepolicy/system/private/hidl_lazy_test_server.te
deleted file mode 100644
index 04e8c9f..0000000
--- a/microdroid/sepolicy/system/private/hidl_lazy_test_server.te
+++ /dev/null
@@ -1,8 +0,0 @@
-type hidl_lazy_test_server, domain;
-type hidl_lazy_test_server_exec, exec_type, file_type, system_file_type;
-
-userdebug_or_eng(`
- typeattribute hidl_lazy_test_server coredomain;
- init_daemon_domain(hidl_lazy_test_server)
- hal_server_domain(hidl_lazy_test_server, hal_lazy_test)
-')
diff --git a/microdroid/sepolicy/system/private/hwservice.te b/microdroid/sepolicy/system/private/hwservice.te
deleted file mode 100644
index b7ba4d7..0000000
--- a/microdroid/sepolicy/system/private/hwservice.te
+++ /dev/null
@@ -1 +0,0 @@
-type hal_lazy_test_hwservice, hwservice_manager_type, protected_hwservice;
diff --git a/microdroid/sepolicy/system/private/hwservicemanager.te b/microdroid/sepolicy/system/private/hwservicemanager.te
index e1fde43..17456db 100644
--- a/microdroid/sepolicy/system/private/hwservicemanager.te
+++ b/microdroid/sepolicy/system/private/hwservicemanager.te
@@ -2,8 +2,24 @@
init_daemon_domain(hwservicemanager)
+allow hwservicemanager vendor_configs_file:file { open getattr };
+
+# Note that we do not use the binder_* macros here.
+# hwservicemanager provides name service (aka context manager)
+# for hwbinder.
+# Additionally, it initiates binder IPC calls to
+# clients who request service notifications. The permission
+# to do this is granted in the hwbinder_use macro.
+allow hwservicemanager self:binder set_context_mgr;
+
+# Scan through /system/lib64/hw looking for installed HALs
+allow hwservicemanager system_file:dir r_dir_perms;
+
+# Read hwservice_contexts
+allow hwservicemanager hwservice_contexts_file:file r_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(hwservicemanager)
+
add_hwservice(hwservicemanager, hidl_manager_hwservice)
add_hwservice(hwservicemanager, hidl_token_hwservice)
-
-set_prop(hwservicemanager, ctl_interface_start_prop)
-set_prop(hwservicemanager, hwservicemanager_prop)
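Review bot: The new `allow hwservicemanager vendor_configs_file:file { open getattr };` at the top of the hunk is the only added rule without a comment, and it grants `open` but not `read`, which only works if `read` on vendor_configs_file is granted by another rule (presumably a domain-wide one) that this file does not show. Please name the file it opens and where `read` comes from, e.g. `# Open vendor config files; read on vendor_configs_file is granted elsewhere - confirm`, or, if this domain is meant to read them on its own rules, make it `allow hwservicemanager vendor_configs_file:file r_file_perms;`. The `selinux_check_access(hwservicemanager)` addition is the right counterpart to `set_context_mgr`, since the context manager is the one enforcing per-hwservice lookups.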
diff --git a/microdroid/sepolicy/system/private/idmap.te b/microdroid/sepolicy/system/private/idmap.te
deleted file mode 100644
index c982783..0000000
--- a/microdroid/sepolicy/system/private/idmap.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute idmap coredomain;
-
-init_daemon_domain(idmap)
diff --git a/microdroid/sepolicy/system/private/incident.te b/microdroid/sepolicy/system/private/incident.te
deleted file mode 100644
index db9ae86..0000000
--- a/microdroid/sepolicy/system/private/incident.te
+++ /dev/null
@@ -1,37 +0,0 @@
-typeattribute incident coredomain;
-
-type incident_exec, system_file_type, exec_type, file_type;
-
-# switch to incident domain for incident command
-domain_auto_trans(shell, incident_exec, incident)
-domain_auto_trans(dumpstate, incident_exec, incident)
-
-# allow incident access to stdout from its parent shell.
-allow incident shell:fd use;
-
-# allow incident to communicate with dumpstate, and write incident report to
-# /data/data/com.android.shell/files/bugreports/tmp_incident_report
-allow incident dumpstate:fd use;
-allow incident dumpstate:unix_stream_socket { read write };
-allow incident shell_data_file:file write;
-
-# allow incident be able to output data for CTS to fetch.
-allow incident devpts:chr_file { read write };
-
-# allow incident to communicate use, read and write over the adb
-# connection.
-allow incident adbd:fd use;
-allow incident adbd:unix_stream_socket { read write };
-
-# allow adbd to reap incident
-allow incident adbd:process { sigchld };
-
-# Allow the incident command to talk to the incidentd over the binder, and get
-# back the incident report data from a ParcelFileDescriptor.
-binder_use(incident)
-allow incident incident_service:service_manager find;
-binder_call(incident, incidentd)
-allow incident incidentd:fifo_file write;
-
-# only allow incident being called by shell or dumpstate
-neverallow { domain -su -shell -incident -dumpstate} incident_exec:file { execute execute_no_trans };
diff --git a/microdroid/sepolicy/system/private/incident_helper.te b/microdroid/sepolicy/system/private/incident_helper.te
deleted file mode 100644
index b453855..0000000
--- a/microdroid/sepolicy/system/private/incident_helper.te
+++ /dev/null
@@ -1,14 +0,0 @@
-typeattribute incident_helper coredomain;
-
-type incident_helper_exec, system_file_type, exec_type, file_type;
-
-# switch to incident_helper domain for incident_helper command
-domain_auto_trans(incidentd, incident_helper_exec, incident_helper)
-
-# use pipe to transmit data from/to incidentd/incident_helper for parsing
-allow incident_helper { shell incident incidentd dumpstate }:fd use;
-allow incident_helper { shell incident incidentd dumpstate }:fifo_file { getattr read write };
-allow incident_helper incidentd:unix_stream_socket { read write };
-
-# only allow incidentd and shell to call incident_helper
-neverallow { domain -incidentd -incident_helper -shell } incident_helper_exec:file { execute execute_no_trans };
diff --git a/microdroid/sepolicy/system/private/incidentd.te b/microdroid/sepolicy/system/private/incidentd.te
deleted file mode 100644
index ef191a2..0000000
--- a/microdroid/sepolicy/system/private/incidentd.te
+++ /dev/null
@@ -1,210 +0,0 @@
-typeattribute incidentd coredomain;
-typeattribute incidentd mlstrustedsubject;
-
-init_daemon_domain(incidentd)
-type incidentd_exec, system_file_type, exec_type, file_type;
-binder_use(incidentd)
-wakelock_use(incidentd)
-
-# Allow incidentd to scan through /proc/pid for all processes
-r_dir_file(incidentd, domain)
-
-# Allow incidentd to kill incident_helper when timeout
-allow incidentd incident_helper:process sigkill;
-
-# Allow executing files on system, such as:
-# /system/bin/toolbox
-# /system/bin/logcat
-# /system/bin/dumpsys
-allow incidentd system_file:file execute_no_trans;
-allow incidentd toolbox_exec:file rx_file_perms;
-
-# section id 1002, allow reading kernel version /proc/version
-allow incidentd proc_version:file r_file_perms;
-
-# section id 1116, allow accessing statsd socket
-unix_socket_send(incidentd, statsdw, statsd)
-
-# section id 2001, allow reading /proc/pagetypeinfo
-allow incidentd proc_pagetypeinfo:file r_file_perms;
-
-# section id 2002, allow reading /d/wakeup_sources
-no_debugfs_restriction(`
- allow incidentd debugfs_wakeup_sources:file r_file_perms;
-')
-
-# section id 2003, allow executing top
-allow incidentd proc_meminfo:file { open read };
-
-# section id 2004, allow reading /sys/devices/system/cpu/cpufreq/all_time_in_state
-allow incidentd sysfs_devices_system_cpu:file r_file_perms;
-
-# section id 2005, allow reading ps dump in full
-allow incidentd domain:process getattr;
-
-# section id 2006, allow reading /sys/class/power_supply/bms/battery_type
-allow incidentd sysfs_batteryinfo:dir { search };
-allow incidentd sysfs_batteryinfo:file r_file_perms;
-
-# section id 2007, allow reading LAST_KMSG /sys/fs/pstore/console-ramoops
-userdebug_or_eng(`allow incidentd pstorefs:dir search');
-userdebug_or_eng(`allow incidentd pstorefs:file r_file_perms');
-
-# section id 3023, allow obtaining stats report
-allow incidentd stats_service:service_manager find;
-binder_call(incidentd, statsd)
-
-# section id 3026, allow reading /data/misc/perfetto-traces.
-allow incidentd perfetto_traces_data_file:dir r_dir_perms;
-allow incidentd perfetto_traces_data_file:file r_file_perms;
-
-# section id 3052, allow accessing nfc_service
-allow incidentd nfc_service:service_manager find;
-
-# Create and write into /data/misc/incidents
-allow incidentd incident_data_file:dir rw_dir_perms;
-allow incidentd incident_data_file:file create_file_perms;
-
-# Enable incidentd to get stack traces.
-binder_use(incidentd)
-hwbinder_use(incidentd)
-allow incidentd hwservicemanager:hwservice_manager { list };
-get_prop(incidentd, hwservicemanager_prop)
-allow incidentd hidl_manager_hwservice:hwservice_manager { find };
-
-# Read files in /proc
-allow incidentd {
- proc_cmdline
- proc_pid_max
- proc_pipe_conf
- proc_stat
-}:file r_file_perms;
-
-# Signal java processes to dump their stack and get the results
-allow incidentd { appdomain ephemeral_app system_server }:process signal;
-
-# Signal native processes to dump their stack.
-# This list comes from native_processes_to_dump in incidentd/utils.c
-allow incidentd {
- # This list comes from native_processes_to_dump in dumputils/dump_utils.cpp
- audioserver
- cameraserver
- drmserver
- inputflinger
- mediadrmserver
- mediaextractor
- mediametrics
- mediaserver
- sdcardd
- statsd
- surfaceflinger
-
- # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.cpp
- hal_audio_server
- hal_bluetooth_server
- hal_camera_server
- hal_codec2_server
- hal_face_server
- hal_graphics_allocator_server
- hal_graphics_composer_server
- hal_health_server
- hal_omx_server
- hal_sensors_server
- hal_vr_server
-}:process signal;
-
-# Allow incidentd to make binder calls to any binder service
-binder_call(incidentd, system_server)
-binder_call(incidentd, appdomain)
-
-# Reading /proc/PID/maps of other processes
-userdebug_or_eng(`allow incidentd self:global_capability_class_set { sys_ptrace }');
-# incidentd has capability sys_ptrace, but should only use that capability for
-# accessing sensitive /proc/PID files, never for using ptrace attach.
-neverallow incidentd *:process ptrace;
-
-allow incidentd self:global_capability_class_set {
- # Send signals to processes
- kill
-};
-
-# Connect to tombstoned to intercept dumps.
-unix_socket_connect(incidentd, tombstoned_intercept, tombstoned)
-
-# Run a shell.
-allow incidentd shell_exec:file rx_file_perms;
-
-# For running am, incident-helper-cmd and similar framework commands.
-# Run /system/bin/app_process.
-allow incidentd zygote_exec:file { rx_file_perms };
-# Access the runtime feature flag properties.
-get_prop(incidentd, device_config_runtime_native_prop)
-get_prop(incidentd, device_config_runtime_native_boot_prop)
-# ART locks profile files.
-allow incidentd system_file:file lock;
-# Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
-dontaudit incidentd dalvikcache_data_file:dir r_dir_perms;
-dontaudit incidentd apex_module_data_file:dir r_dir_perms;
-dontaudit incidentd apex_art_data_file:dir r_dir_perms;
-dontaudit incidentd tmpfs:file rwx_file_perms;
-
-# logd access - work to be done is a PII safe log (possibly an event log?)
-userdebug_or_eng(`read_logd(incidentd)')
-# TODO control_logd(incidentd)
-
-# Access /data/misc/logd
-r_dir_file(incidentd, misc_logd_file)
-
-# Allow incidentd to find these standard groups of services.
-# Others can be allowlisted individually.
-allow incidentd {
- system_server_service
- app_api_service
- system_api_service
-}:service_manager find;
-
-# Only incidentd can publish the binder service
-add_service(incidentd, incident_service)
-
-# Allow pipes only from dumpstate and incident
-allow incidentd { dumpstate incident }:fd use;
-allow incidentd { dumpstate incident }:fifo_file write;
-
-# Allow incident to call back to incident with status updates.
-binder_call(incidentd, incident)
-
-# Read device serial number from system properties
-# This is used to track reports from lab testing devices
-userdebug_or_eng(`
- get_prop(incidentd, serialno_prop)
-')
-
-# Read ro.boot.bootreason, persist.sys.boot.bootreason
-# This is used to track reports from lab testing devices
-userdebug_or_eng(`
- get_prop(incidentd, bootloader_boot_reason_prop);
- get_prop(incidentd, system_boot_reason_prop);
- get_prop(incidentd, last_boot_reason_prop);
-')
-
-###
-### neverallow rules
-###
-# only incidentd and the other root services in limited circumstances
-# can get to the files in /data/misc/incidents
-#
-# write, execute, append are forbidden almost everywhere
-neverallow { domain -incidentd -init -vold } incident_data_file:file {
- w_file_perms
- x_file_perms
- create
- rename
- setattr
- unlink
- append
-};
-# read is also allowed by system_server, for when the file is handed to dropbox
-neverallow { domain -incidentd -init -vold -system_server } incident_data_file:file r_file_perms;
-# limited access to the directory itself
-neverallow { domain -incidentd -init -vold } incident_data_file:dir create_dir_perms;
-
diff --git a/microdroid/sepolicy/system/private/init.te b/microdroid/sepolicy/system/private/init.te
index 99afd84..ff3f6f5 100644
--- a/microdroid/sepolicy/system/private/init.te
+++ b/microdroid/sepolicy/system/private/init.te
@@ -2,35 +2,9 @@
tmpfs_domain(init)
-# Transitions to seclabel processes in init.rc
-domain_trans(init, rootfs, healthd)
-domain_trans(init, rootfs, slideshow)
-domain_auto_trans(init, charger_exec, charger)
-domain_auto_trans(init, e2fs_exec, e2fs)
-domain_auto_trans(init, bpfloader_exec, bpfloader)
-
-recovery_only(`
- # Files in recovery image are labeled as rootfs.
- domain_trans(init, rootfs, adbd)
- domain_trans(init, rootfs, charger)
- domain_trans(init, rootfs, fastbootd)
- domain_trans(init, rootfs, recovery)
- domain_trans(init, rootfs, linkerconfig)
- domain_trans(init, rootfs, snapuserd)
-')
domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, vendor_init)
-domain_trans(init, { rootfs toolbox_exec }, modprobe)
-userdebug_or_eng(`
- # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
- domain_auto_trans(init, logcat_exec, logpersist)
-
- # allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
- allow init su:process transition;
- dontaudit init su:process noatsecure;
- allow init su:process { siginh rlimitinh };
-')
# Allow init to figure out name of dm-device from it's /dev/block/dm-XX path.
# This is useful in case of remounting ext4 userdata into checkpointing mode,
@@ -38,67 +12,435 @@
# that userdata is mounted onto.
allow init sysfs_dm:file read;
-# Allow init to write to the drop_caches file.
-allow init proc_drop_caches:file rw_file_perms;
-
-# Allow the BoringSSL self test to request a reboot upon failure
-set_prop(init, powerctl_prop)
-
-# Only init is allowed to set userspace reboot related properties.
-set_prop(init, userspace_reboot_exported_prop)
-neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
-
# Second-stage init performs a test for whether the kernel has SELinux hooks
# for the perf_event_open() syscall. This is done by testing for the syscall
# outcomes corresponding to this policy.
-# TODO(b/137092007): this can be removed once the platform stops supporting
-# kernels that precede the perf_event_open hooks (Android common kernels 4.4
-# and 4.9).
allow init self:perf_event { open cpu };
allow init self:global_capability2_class_set perfmon;
-neverallow init self:perf_event { kernel tracepoint read write };
dontaudit init self:perf_event { kernel tracepoint read write };
-# Allow init to communicate with snapuserd to transition Virtual A/B devices
-# from the first-stage daemon to the second-stage.
-allow init snapuserd_socket:sock_file write;
-allow init snapuserd:unix_stream_socket connectto;
-# Allow for libsnapshot's use of flock() on /metadata/ota.
-allow init ota_metadata_file:dir lock;
-
# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
# /dev/block.
allow init vd_device:blk_file relabelto;
-# Only init is allowed to set the sysprop indicating whether perf_event_open()
-# SELinux hooks were detected.
-set_prop(init, init_perf_lsm_hooks_prop)
-neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
-
-# Only init can write vts.native_server.on
-set_prop(init, vts_status_prop)
-neverallow { domain -init } vts_status_prop:property_service set;
-
-# Only init can write normal ro.boot. properties
-neverallow { domain -init } bootloader_prop:property_service set;
-
-# Only init can write hal.instrumentation.enable
-neverallow { domain -init } hal_instrumentation_prop:property_service set;
-
-# Only init can write ro.property_service.version
-neverallow { domain -init } property_service_version_prop:property_service set;
-
-# Only init can set keystore.boot_level
-neverallow { domain -init } keystore_listen_prop:property_service set;
-
-# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
-allow init debugfs_bootreceiver_tracing:file w_file_perms;
-
# chown/chmod on devices.
allow init {
dev_type
-hw_random_device
- -keychord_device
-kvm_device
- -port_device
}:chr_file setattr;
+
+# /dev/__null__ node created by init.
+allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
+
+# /dev/__properties__
+allow init properties_device:dir relabelto;
+allow init properties_serial:file { write relabelto };
+allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
+# /dev/__properties__/property_info
+allow init properties_device:file create_file_perms;
+allow init property_info:file relabelto;
+# /dev/event-log-tags
+allow init device:file relabelfrom;
+allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
+# /dev/socket
+allow init { device socket_device dm_user_device }:dir relabelto;
+# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
+allow init { null_device ptmx_device random_device } : chr_file relabelto;
+# /dev/device-mapper, /dev/block(/.*)?
+allow init tmpfs:{ chr_file blk_file } relabelfrom;
+allow init tmpfs:blk_file getattr;
+allow init block_device:{ dir blk_file lnk_file } relabelto;
+allow init dm_device:{ chr_file blk_file } relabelto;
+allow init dm_user_device:chr_file relabelto;
+allow init kernel:fd use;
+# restorecon for early mount device symlinks
+allow init tmpfs:lnk_file { getattr read relabelfrom };
+
+# setrlimit
+allow init self:global_capability_class_set sys_resource;
+
+# Remove /dev/.booting and load /debug_ramdisk/* files
+allow init tmpfs:file { getattr unlink };
+
+# Access pty created for fsck.
+allow init devpts:chr_file { read write open };
+
+# Access /dev/__null__ node created prior to initial policy load.
+allow init tmpfs:chr_file write;
+
+# Access /dev/console.
+allow init console_device:chr_file rw_file_perms;
+
+# Access /dev/tty0.
+allow init tty_device:chr_file rw_file_perms;
+
+# Call mount(2).
+allow init self:global_capability_class_set sys_admin;
+
+# Call setns(2).
+allow init self:global_capability_class_set sys_chroot;
+
+# Create and mount on directories in /.
+allow init rootfs:dir create_dir_perms;
+allow init {
+ rootfs
+ cgroup
+ linkerconfig_file
+ system_data_file
+ system_data_root_file
+ system_file
+ vendor_file
+}:dir mounton;
+
+# Mount bpf fs on sys/fs/bpf
+allow init fs_bpf:dir mounton;
+
+# Mount on /dev/usb-ffs/adb.
+allow init device:dir mounton;
+
+# Mount tmpfs on /apex
+allow init apex_mnt_dir:dir mounton;
+
+# Create and remove symlinks in /.
+allow init rootfs:lnk_file { create unlink };
+
+# Mount debugfs on /sys/kernel/debug.
+allow init sysfs:dir mounton;
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow init tmpfs:dir create_dir_perms;
+allow init tmpfs:dir mounton;
+allow init cgroup:dir create_dir_perms;
+allow init cgroup:file rw_file_perms;
+allow init cgroup_rc_file:file rw_file_perms;
+allow init cgroup_desc_file:file r_file_perms;
+allow init cgroup_desc_api_file:file r_file_perms;
+allow init cgroup_v2:dir { mounton create_dir_perms};
+allow init cgroup_v2:file rw_file_perms;
+
+# Use tmpfs as /data, used for booting when /data is encrypted
+allow init tmpfs:dir relabelfrom;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow init self:global_capability_class_set { dac_override dac_read_search };
+
+allow init self:global_capability_class_set { sys_rawio mknod };
+
+# Mounting filesystems from block devices.
+allow init dev_type:blk_file r_file_perms;
+allowxperm init dev_type:blk_file ioctl BLKROSET;
+
+# Mounting filesystems.
+# Only allow relabelto for types used in context= mount options,
+# which should all be assigned the contextmount_type attribute.
+# This can be done in device-specific policy via type or typeattribute
+# declarations.
+allow init {
+ fs_type
+}:filesystem ~relabelto;
+
+# Allow init to mount tracefs in /sys/kernel/tracing
+allow init debugfs_tracing_debug:filesystem mount;
+
+allow init unlabeled:filesystem ~relabelto;
+allow init contextmount_type:filesystem relabelto;
+
+# Allow read-only access to context= mounted filesystems.
+allow init contextmount_type:dir r_dir_perms;
+allow init contextmount_type:notdevfile_class_set r_file_perms;
+
+# restorecon /adb_keys or any other rootfs files and directories to a more
+# specific type.
+allow init rootfs:{ dir file } relabelfrom;
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow init self:global_capability_class_set { chown fowner fsetid };
+
+allow init {
+ file_type
+ -exec_type
+ -system_file_type
+ -vendor_file_type
+}:dir { create search getattr open read setattr ioctl };
+
+allow init {
+ file_type
+ -exec_type
+ -keystore_data_file
+ -shell_data_file
+ -system_file_type
+ -vendor_file_type
+}:dir { write add_name remove_name rmdir relabelfrom };
+
+allow init {
+ file_type
+ -apex_info_file
+ -exec_type
+ -keystore_data_file
+ -runtime_event_log_tags_file
+ -shell_data_file
+ -system_file_type
+ -vendor_file_type
+}:file { create getattr open read write setattr relabelfrom unlink map };
+
+allow init tracefs_type:file { create_file_perms relabelfrom };
+
+allow init {
+ file_type
+ -exec_type
+ -keystore_data_file
+ -shell_data_file
+ -system_file_type
+ -vendor_file_type
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow init {
+ file_type
+ -apex_mnt_dir
+ -exec_type
+ -keystore_data_file
+ -shell_data_file
+ -system_file_type
+ -vendor_file_type
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow init {
+ file_type
+ -system_file_type
+ -vendor_file_type
+ -exec_type
+}:dir_file_class_set relabelto;
+
+allow init { sysfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type tracefs_type }:{ dir file lnk_file } { relabelto getattr };
+allow init dev_type:dir create_dir_perms;
+allow init dev_type:lnk_file create;
+
+# chown/chmod on pseudo files.
+allow init {
+ fs_type
+ -contextmount_type
+ -proc_type
+ -fusefs_type
+ -sysfs_type
+ -rootfs
+}:file { open read setattr };
+allow init { fs_type -contextmount_type -fusefs_type -rootfs }:dir { open read setattr search };
+
+allow init {
+ binder_device
+ console_device
+ devpts
+ dm_device
+ hwbinder_device
+ kmsg_device
+ null_device
+ owntty_device
+ ptmx_device
+ random_device
+ tty_device
+ zero_device
+}:chr_file { read open };
+
+# Any operation that can modify the kernel ring buffer, e.g. clear
+# or a read that consumes the messages that were read.
+allow init kernel:system syslog_mod;
+allow init self:global_capability2_class_set syslog;
+
+# init access to /proc.
+r_dir_file(init, proc_net_type)
+allow init proc_filesystems:file r_file_perms;
+
+allow init {
+ proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+ proc_bootconfig
+ proc_cmdline
+ proc_diskstats
+ proc_kmsg # Open /proc/kmsg for logd service.
+ proc_meminfo
+ proc_stat # Read /proc/stat for bootchart.
+ proc_uptime
+ proc_version
+}:file r_file_perms;
+
+allow init {
+ proc_abi
+ proc_dirty
+ proc_hostname
+ proc_hung_task
+ proc_extra_free_kbytes
+ proc_net_type
+ proc_max_map_count
+ proc_min_free_order_shift
+ proc_overcommit_memory # /proc/sys/vm/overcommit_memory
+ proc_panic
+ proc_page_cluster
+ proc_perf
+ proc_sched
+ proc_sysrq
+}:file w_file_perms;
+
+allow init {
+ proc_security
+}:file rw_file_perms;
+
+# init chmod/chown access to /proc files.
+allow init {
+ proc_cmdline
+ proc_bootconfig
+ proc_kmsg
+ proc_net
+ proc_pagetypeinfo
+ proc_qtaguid_stat
+ proc_slabinfo
+ proc_sysrq
+ proc_qtaguid_ctrl
+ proc_vmallocinfo
+}:file setattr;
+
+# init access to /sys files.
+allow init {
+ sysfs_android_usb
+ sysfs_dm_verity
+ sysfs_leds
+ sysfs_power
+ sysfs_fs_f2fs
+ sysfs_dm
+}:file w_file_perms;
+
+allow init {
+ sysfs_dt_firmware_android
+ sysfs_fs_ext4_features
+}:file r_file_perms;
+
+allow init {
+ sysfs_zram
+}:file rw_file_perms;
+
+# allow init to create loop devices with /dev/loop-control
+allow init loop_control_device:chr_file rw_file_perms;
+allow init loop_device:blk_file rw_file_perms;
+allowxperm init loop_device:blk_file ioctl {
+ LOOP_SET_FD
+ LOOP_CLR_FD
+ LOOP_CTL_GET_FREE
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+ LOOP_GET_STATUS
+};
+
+# init chmod/chown access to /sys files.
+allow init {
+ sysfs_android_usb
+ sysfs_devices_system_cpu
+ sysfs_ipv4
+ sysfs_leds
+ sysfs_lowmemorykiller
+ sysfs_power
+ sysfs_vibrator
+ sysfs_wake_lock
+ sysfs_zram
+}:file setattr;
+
+allow init self:global_capability_class_set net_admin;
+
+# Reboot.
+allow init self:global_capability_class_set sys_boot;
+
+# Support "adb shell stop"
+allow init self:global_capability_class_set kill;
+allow init domain:process { getpgid sigkill signal };
+
+# Init creates keystore's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init keystore_data_file:dir { open create read getattr setattr search };
+allow init keystore_data_file:file { getattr };
+
+# Init creates /data/local/tmp at boot
+allow init shell_data_file:dir { open create read getattr setattr search };
+allow init shell_data_file:file { getattr };
+
+# Set UID, GID, and adjust capability bounding set for services.
+allow init self:global_capability_class_set { setuid setgid setpcap };
+
+# For bootchart to read the /proc/$pid/cmdline file of each process,
+# we need to have following line to allow init to have access
+# to different domains.
+r_dir_file(init, domain)
+
+# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
+# setexec is for services with seclabel options.
+# setfscreate is for labeling directories and socket files.
+# setsockcreate is for labeling local/unix domain sockets.
+allow init self:process { setexec setfscreate setsockcreate };
+
+# Get file context
+allow init file_contexts_file:file r_file_perms;
+
+# sepolicy access
+allow init sepolicy_file:file r_file_perms;
+
+# Perform SELinux access checks on setting properties.
+selinux_check_access(init)
+
+# Ask the kernel for the new context on services to label their sockets.
+allow init kernel:security compute_create;
+
+# Create sockets for the services.
+allow init domain:unix_stream_socket { create bind setopt };
+allow init domain:unix_dgram_socket { create bind setopt };
+
+# Set any property.
+allow init property_type:property_service set;
+
+# Send an SELinux userspace denial to the kernel audit subsystem,
+# so it can be picked up and processed by logd. These denials are
+# generated when an attempt to set a property is denied by policy.
+allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+allow init self:global_capability_class_set audit_write;
+
+# Run "ifup lo" to bring up the localhost interface
+allow init self:udp_socket { create ioctl };
+# in addition to unpriv ioctls granted to all domains, init also needs:
+allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
+allow init self:global_capability_class_set net_raw;
+
+# Set scheduling info for psi monitor thread.
+# TODO: delete or revise this line b/131761776
+allow init kernel:process { getsched setsched };
+
+# Create and access /dev files without a specific type,
+# e.g. /dev/.coldboot_done, /dev/.booting
+# TODO: Move these files into their own type unless they are
+# only ever accessed by init.
+allow init device:file create_file_perms;
+
+# Access device mapper for setting up dm-verity
+allow init dm_device:chr_file rw_file_perms;
+allow init dm_device:blk_file rw_file_perms;
+
+# linux keyring configuration
+allow init init:key { write search setattr };
+
+r_dir_file(init, system_file)
+r_dir_file(init, vendor_file_type)
+
+allow init system_data_file:file { getattr read };
+allow init system_data_file:lnk_file r_file_perms;
+
+# Allow init to touch PSI monitors
+allow init proc_pressure_mem:file { rw_file_perms setattr };
+
+# init is using bootstrap bionic
+allow init system_bootstrap_lib_file:dir r_dir_perms;
+allow init system_bootstrap_lib_file:file { execute read open getattr map };
+
+# stat the root dir of fuse filesystems (for the mount handler)
+allow init fuse:dir { search getattr };
+
+set_prop(init, property_type)
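Review bot: `neverallow init self:perf_event { kernel tracepoint read write };` (removed near the top of the hunk) was dropped while the matching `allow init self:perf_event { open cpu };` and the dontaudit on the adjacent lines are kept; the neverallow is a compile-time invariant with no runtime cost and nothing added in this hunk grants those permissions, so it can be restored unchanged to keep init's perf_event reach bounded. The `neverallow { domain -init } ...:property_service set;` rules removed further down may be forced out because the property types they name are deleted elsewhere in this change, but wherever the named type still exists the same argument applies and the rule should come back, especially now that `set_prop(init, property_type)` on the last line lets init set every property. Separately, `allow init property_type:property_service set;` near the end duplicates what `set_prop(init, property_type)` expands to in AOSP's te_macros, and `allow init tmpfs:chr_file write;` is already covered by the earlier `allow init tmpfs:chr_file { create setattr unlink rw_file_perms };`; both lines can be dropped without changing the resulting policy.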
diff --git a/microdroid/sepolicy/system/private/inputflinger.te b/microdroid/sepolicy/system/private/inputflinger.te
deleted file mode 100644
index 9696b49..0000000
--- a/microdroid/sepolicy/system/private/inputflinger.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute inputflinger coredomain;
-
-init_daemon_domain(inputflinger)
diff --git a/microdroid/sepolicy/system/private/installd.te b/microdroid/sepolicy/system/private/installd.te
deleted file mode 100644
index c89ba8b..0000000
--- a/microdroid/sepolicy/system/private/installd.te
+++ /dev/null
@@ -1,45 +0,0 @@
-typeattribute installd coredomain;
-
-init_daemon_domain(installd)
-
-# Run migrate_legacy_obb_data.sh in its own sandbox.
-domain_auto_trans(installd, migrate_legacy_obb_data_exec, migrate_legacy_obb_data)
-allow installd shell_exec:file rx_file_perms;
-
-# Run dex2oat in its own sandbox.
-domain_auto_trans(installd, dex2oat_exec, dex2oat)
-
-# Run dexoptanalyzer in its own sandbox.
-domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
-
-# Run viewcompiler in its own sandbox.
-domain_auto_trans(installd, viewcompiler_exec, viewcompiler)
-
-# Run profman in its own sandbox.
-domain_auto_trans(installd, profman_exec, profman)
-
-# Run idmap in its own sandbox.
-domain_auto_trans(installd, idmap_exec, idmap)
-
-# For collecting bugreports.
-allow installd dumpstate:fd use;
-allow installd dumpstate:fifo_file r_file_perms;
-
-# Delete /system/bin/bcc generated artifacts
-allow installd app_exec_data_file:file unlink;
-
-# Capture userdata snapshots to /data/misc_[ce|de]/rollback and
-# subsequently restore them.
-allow installd rollback_data_file:dir create_dir_perms;
-allow installd rollback_data_file:file create_file_perms;
-
-# Allow installd to access the runtime feature flag properties.
-get_prop(installd, device_config_runtime_native_prop)
-get_prop(installd, device_config_runtime_native_boot_prop)
-
-# Allow installd to access apk verity feature flag (for legacy case).
-get_prop(installd, apk_verity_prop)
-
-# Allow installd to delete files in /data/staging
-allow installd staging_data_file:file unlink;
-allow installd staging_data_file:dir { open read remove_name rmdir search write };
diff --git a/microdroid/sepolicy/system/private/iorap_inode2filename.te b/microdroid/sepolicy/system/private/iorap_inode2filename.te
deleted file mode 100644
index 5acb262..0000000
--- a/microdroid/sepolicy/system/private/iorap_inode2filename.te
+++ /dev/null
@@ -1,11 +0,0 @@
-typeattribute iorap_inode2filename coredomain;
-
-# Grant access to open most of the files under /
-allow iorap_inode2filename { apex_module_data_file apex_art_data_file }:dir r_dir_perms;
-allow iorap_inode2filename apex_data_file:file { getattr };
-allow iorap_inode2filename dalvikcache_data_file:dir { getattr open read search };
-allow iorap_inode2filename dalvikcache_data_file:file { getattr };
-allow iorap_inode2filename dex2oat_exec:lnk_file { getattr open read };
-allow iorap_inode2filename dexoptanalyzer_exec:file { getattr };
-allow iorap_inode2filename storaged_data_file:dir { getattr open read search };
-allow iorap_inode2filename storaged_data_file:file { getattr };
diff --git a/microdroid/sepolicy/system/private/iorap_prefecherd.te b/microdroid/sepolicy/system/private/iorap_prefecherd.te
deleted file mode 100644
index 9ddb512..0000000
--- a/microdroid/sepolicy/system/private/iorap_prefecherd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute iorap_prefetcherd coredomain;
-
-init_daemon_domain(iorap_prefetcherd)
-tmpfs_domain(iorap_prefetcherd)
diff --git a/microdroid/sepolicy/system/private/iorapd.te b/microdroid/sepolicy/system/private/iorapd.te
deleted file mode 100644
index 73acec9..0000000
--- a/microdroid/sepolicy/system/private/iorapd.te
+++ /dev/null
@@ -1,10 +0,0 @@
-typeattribute iorapd coredomain;
-
-init_daemon_domain(iorapd)
-tmpfs_domain(iorapd)
-
-domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)
-domain_auto_trans(iorapd, iorap_inode2filename_exec, iorap_inode2filename)
-
-# Allow iorapd to access the runtime native boot feature flag properties.
-get_prop(iorapd, device_config_runtime_native_boot_prop)
diff --git a/microdroid/sepolicy/system/private/isolated_app.te b/microdroid/sepolicy/system/private/isolated_app.te
deleted file mode 100644
index 71749c0..0000000
--- a/microdroid/sepolicy/system/private/isolated_app.te
+++ /dev/null
@@ -1,153 +0,0 @@
-###
-### Services with isolatedProcess=true in their manifest.
-###
-### This file defines the rules for isolated apps. An "isolated
-### app" is an APP with UID between AID_ISOLATED_START (99000)
-### and AID_ISOLATED_END (99999).
-###
-
-typeattribute isolated_app coredomain;
-
-app_domain(isolated_app)
-
-# Access already open app data files received over Binder or local socket IPC.
-allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
-
-# Allow access to network sockets received over IPC. New socket creation is not
-# permitted.
-allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
-
-allow isolated_app activity_service:service_manager find;
-allow isolated_app display_service:service_manager find;
-allow isolated_app webviewupdate_service:service_manager find;
-
-# Google Breakpad (crash reporter for Chrome) relies on ptrace
-# functionality. Without the ability to ptrace, the crash reporter
-# tool is broken.
-# b/20150694
-# https://code.google.com/p/chromium/issues/detail?id=475270
-allow isolated_app self:process ptrace;
-
-# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
-# by other processes. Open should never be allowed, and is blocked by
-# neverallow rules below.
-# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
-# is modified to change the secontext when accessing the lower filesystem.
-allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };
-
-# For webviews, isolated_app processes can be forked from the webview_zygote
-# in addition to the zygote. Allow access to resources inherited from the
-# webview_zygote process. These rules are specialized copies of the ones in app.te.
-# Inherit FDs from the webview_zygote.
-allow isolated_app webview_zygote:fd use;
-# Notify webview_zygote of child death.
-allow isolated_app webview_zygote:process sigchld;
-# Inherit logd write socket.
-allow isolated_app webview_zygote:unix_dgram_socket write;
-# Read system properties managed by webview_zygote.
-allow isolated_app webview_zygote_tmpfs:file read;
-
-# Inherit FDs from the app_zygote.
-allow isolated_app app_zygote:fd use;
-# Notify app_zygote of child death.
-allow isolated_app app_zygote:process sigchld;
-# Inherit logd write socket.
-allow isolated_app app_zygote:unix_dgram_socket write;
-
-# TODO (b/63631799) fix this access
-# suppress denials to /data/local/tmp
-dontaudit isolated_app shell_data_file:dir search;
-
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(isolated_app)
-
-# Allow profiling if the main app has been marked as profileable or
-# debuggable.
-can_profile_heap(isolated_app)
-can_profile_perf(isolated_app)
-
-#####
-##### Neverallow
-#####
-
-# Isolated apps should not directly open app data files themselves.
-neverallow isolated_app { app_data_file privapp_data_file }:file open;
-
-# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
-# TODO: are there situations where isolated_apps write to this file?
-# TODO: should we tighten these restrictions further?
-neverallow isolated_app anr_data_file:file ~{ open append };
-neverallow isolated_app anr_data_file:dir ~search;
-
-# Isolated apps must not be permitted to use HwBinder
-neverallow isolated_app hwbinder_device:chr_file *;
-neverallow isolated_app *:hwservice_manager *;
-
-# Isolated apps must not be permitted to use VndBinder
-neverallow isolated_app vndbinder_device:chr_file *;
-
-# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services allowlisted below.
-neverallow isolated_app *:service_manager ~find;
-
-# b/17487348
-# Isolated apps can only access three services,
-# activity_service, display_service, webviewupdate_service.
-neverallow isolated_app {
- service_manager_type
- -activity_service
- -display_service
- -webviewupdate_service
-}:service_manager find;
-
-# Isolated apps shouldn't be able to access the driver directly.
-neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
-
-# Do not allow isolated_app access to /cache
-neverallow isolated_app cache_file:dir ~{ r_dir_perms };
-neverallow isolated_app cache_file:file ~{ read getattr };
-
-# Do not allow isolated_app to access external storage, except for files passed
-# via file descriptors (b/32896414).
-neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
-neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
-neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
-neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };
-
-# Do not allow USB access
-neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
-
-# Restrict the webview_zygote control socket.
-neverallow isolated_app webview_zygote:sock_file write;
-
-# Limit the /sys files which isolated_app can access. This is important
-# for controlling isolated_app attack surface.
-neverallow isolated_app {
- sysfs_type
- -sysfs_devices_system_cpu
- -sysfs_transparent_hugepage
- -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
- -sysfs_fs_incfs_features
-}:file no_rw_file_perms;
-
-# No creation of sockets families other than AF_UNIX sockets.
-# List taken from system/sepolicy/public/global_macros - socket_class_set
-# excluding unix_stream_socket and unix_dgram_socket.
-# Many of these are socket families which have never and will never
-# be compiled into the Android kernel.
-neverallow isolated_app { self ephemeral_app priv_app untrusted_app_all }:{
- socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
- key_socket appletalk_socket netlink_route_socket
- netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
- netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket
- netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
- netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
- netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket
- netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket
- netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket
- rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
- bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket
- ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
- qipcrtr_socket smc_socket xdp_socket
-} create;
diff --git a/microdroid/sepolicy/system/private/iw.te b/microdroid/sepolicy/system/private/iw.te
deleted file mode 100644
index adc8c96..0000000
--- a/microdroid/sepolicy/system/private/iw.te
+++ /dev/null
@@ -1,4 +0,0 @@
-type iw, domain, coredomain;
-type iw_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(iw)
diff --git a/microdroid/sepolicy/system/private/kernel.te b/microdroid/sepolicy/system/private/kernel.te
index 2d49445..1d03c4a 100644
--- a/microdroid/sepolicy/system/private/kernel.te
+++ b/microdroid/sepolicy/system/private/kernel.te
@@ -1,12 +1,6 @@
typeattribute kernel coredomain;
domain_auto_trans(kernel, init_exec, init)
-domain_auto_trans(kernel, snapuserd_exec, snapuserd)
-
-# Allow the kernel to read otapreopt_chroot's file descriptors and files under
-# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
-allow kernel otapreopt_chroot:fd use;
-allow kernel postinstall_file:file read;
# The following sections are for the transition period during a Virtual A/B
# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
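Review bot: The surviving context comment at the end of the hunk ("The following sections are for the transition period during a Virtual A/B OTA. Once sepolicy is loaded, snapuserd must be re-launched ...") now describes rules this change removes: `domain_auto_trans(kernel, snapuserd_exec, snapuserd)` here and `allow kernel snapuserd_exec:file relabelto;` in the next hunk. On the new side the comment is stale and will send a reader looking for snapuserd rules that no longer exist. If no snapuserd-related rule remains in kernel.te after this change, the whole comment block should go with them; only its first two lines are visible in this hunk, the rest continues outside it.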
@@ -27,13 +21,63 @@
allow kernel kmsg_device:chr_file relabelto;
allow kernel null_device:chr_file relabelto;
allow kernel random_device:chr_file relabelto;
-allow kernel snapuserd_exec:file relabelto;
+allow kernel kmsg_device:chr_file write;
allow kernel vd_device:blk_file read;
-allow kernel kmsg_device:chr_file write;
-allow kernel gsid:fd use;
+allow kernel self:global_capability_class_set sys_nice;
-# apkdmverity attaches a loop device to idsig file
-# and the loop device is used by zipfuse later.
-# This requires kernel to use the fd opened by apkdmverity.
+# Root fs.
+r_dir_file(kernel, rootfs)
+
+# Used to read androidboot.selinux property
+allow kernel {
+ proc_bootconfig
+ proc_cmdline
+}:file r_file_perms;
+
+# Get SELinux enforcing status.
+allow kernel selinuxfs:dir r_dir_perms;
+allow kernel selinuxfs:file r_file_perms;
+
+# Get file contexts during first stage
+allow kernel file_contexts_file:file r_file_perms;
+
+# Allow init relabel itself.
+allow kernel rootfs:file relabelfrom;
+allow kernel init_exec:file relabelto;
+# TODO: investigate why we need this.
+allow kernel init:process share;
+
+# cgroup filesystem initialization prior to setting the cgroup root directory label.
+allow kernel unlabeled:dir search;
+
+# Initial setenforce by init prior to switching to init domain.
+# We use dontaudit instead of allow to prevent a kernel spawned userspace
+# process from turning off SELinux once enabled.
+dontaudit kernel self:security setenforce;
+
+# Init reboot before switching selinux domains under certain error
+# conditions. Allow it.
+# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
+# remount filesystems read-only. /data is not mounted at this point,
+# so we could ignore this. For now, we allow it.
+allow kernel self:global_capability_class_set sys_boot;
+allow kernel proc_sysrq:file w_file_perms;
+
+# Allow writing to /dev/kmsg which was created prior to loading policy.
+allow kernel tmpfs:chr_file write;
+
+# Set checkreqprot by init.rc prior to switching to init domain.
+allow kernel selinuxfs:file write;
+allow kernel self:security setcheckreqprot;
+
+# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
+allow kernel { sdcard_type fuse }:file { read write };
+
+# Allow the kernel to read APEX file descriptors and (staged) data files;
+# Needed because APEX uses the loopback driver, which issues requests from
+# a kernel thread in earlier kernel version.
+allow kernel apexd:fd use;
+
+#-----------------------------------------
allow kernel apkdmverity:fd use;
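Review bot: `allow kernel self:global_capability_class_set sys_nice;` is inserted between the relabelto rules with no comment, and the explanation for `allow kernel apkdmverity:fd use;` (apkdmverity attaching a loop device to the idsig file that zipfuse later uses) is deleted while the rule itself stays, now sitting under a bare `#---` separator. Every other rule added in this block carries a why-comment, so these two read as unexplained grants to the kernel domain. Suggest restoring the apkdmverity comment directly above its rule and annotating sys_nice with the denial that prompted it. The `allow kernel { sdcard_type fuse }:file { read write };` rule with its ASEC comment looks carried over from the full Android policy; worth confirming it is actually exercised in microdroid rather than imported wholesale.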
diff --git a/microdroid/sepolicy/system/private/keystore.te b/microdroid/sepolicy/system/private/keystore.te
index 0e57045..ac3ada1 100644
--- a/microdroid/sepolicy/system/private/keystore.te
+++ b/microdroid/sepolicy/system/private/keystore.te
@@ -2,33 +2,14 @@
init_daemon_domain(keystore)
-# talk to keymaster
-hal_client_domain(keystore, hal_keymaster)
-
-# talk to confirmationui
-hal_client_domain(keystore, hal_confirmationui)
-
# talk to keymint
hal_client_domain(keystore, hal_keymint)
-# This is used for the ConfirmationUI async callback.
-allow keystore platform_app:binder call;
-
-# Allow to check whether security logging is enabled.
-get_prop(keystore, device_logging_prop)
-
# Allow keystore to write to statsd.
unix_socket_send(keystore, statsdw, statsd)
-# Allow keystore to register callbacks with statsd.
-allow keystore stats_service:service_manager find;
-binder_call(keystore, statsd);
-
# Keystore need access to the keystore_key context files to load the keystore key backend.
allow keystore keystore2_key_contexts_file:file r_file_perms;
-get_prop(keystore, keystore_listen_prop)
-
-# Keystore needs to transfer binder references to vold so that it
-# can call keystore methods on those references.
-allow keystore vold:binder transfer;
+# microdroid doesn't use keymaster HAL
+dontaudit keystore hal_keymaster_hwservice:hwservice_manager find;
diff --git a/microdroid/sepolicy/system/private/keystore_keys.te b/microdroid/sepolicy/system/private/keystore_keys.te
deleted file mode 100644
index 03625dc..0000000
--- a/microdroid/sepolicy/system/private/keystore_keys.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# Specify keystore2_key namespaces in this file.
-# Please keep the names in alphabetical order and comment each new entry.
-
-# A keystore2_key namespace for the shell domain. Mainly used for native tests.
-type shell_key, keystore2_key_type;
-
-# A keystore2 namespace for the su domain. Mainly used for native tests.
-type su_key, keystore2_key_type;
-
-# A keystore2 namespace for vold. Vold need special permission to handle
-# its own Keymint blobs.
-type vold_key, keystore2_key_type;
-
-# A keystore2 namespace for the on-device signing daemon.
-type odsign_key, keystore2_key_type;
-
-# A keystore2 namespace for LockSettingsService.
-type locksettings_key, keystore2_key_type;
-
-# A keystore2 namespace for resume on reboot.
-type resume_on_reboot_key, keystore2_key_type;
-
-# A keystore2 namespace for VM payloads.
-type vm_payload_key, keystore2_key_type;
-
diff --git a/microdroid/sepolicy/system/private/linkerconfig.te b/microdroid/sepolicy/system/private/linkerconfig.te
index 2688102..4d8db0c 100644
--- a/microdroid/sepolicy/system/private/linkerconfig.te
+++ b/microdroid/sepolicy/system/private/linkerconfig.te
@@ -19,9 +19,3 @@
# Allow linkerconfig to read apex-info-list.xml
allow linkerconfig apex_info_file:file r_file_perms;
-# Allow linkerconfig to be called in the otapreopt_chroot
-allow linkerconfig otapreopt_chroot:fd use;
-allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
-allow linkerconfig postinstall_apex_mnt_dir:file r_file_perms;
-
-neverallow { domain -init -linkerconfig -otapreopt_chroot } linkerconfig_exec:file no_x_file_perms;
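Review bot: The `neverallow { domain -init -linkerconfig -otapreopt_chroot } linkerconfig_exec:file no_x_file_perms;` rule is dropped together with the otapreopt_chroot allow rules, so the new side of linkerconfig.te no longer forbids any other domain from executing linkerconfig. If otapreopt_chroot is the only type in that rule that no longer exists in microdroid's policy, the narrower form `neverallow { domain -init -linkerconfig } linkerconfig_exec:file no_x_file_perms;` keeps the compile-time guarantee. The hunk shows only the tail of the file, so I cannot tell whether an equivalent neverallow survives elsewhere in it.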
diff --git a/microdroid/sepolicy/system/private/llkd.te b/microdroid/sepolicy/system/private/llkd.te
deleted file mode 100644
index f218dec..0000000
--- a/microdroid/sepolicy/system/private/llkd.te
+++ /dev/null
@@ -1,53 +0,0 @@
-# llkd Live LocK Daemon
-typeattribute llkd coredomain;
-
-init_daemon_domain(llkd)
-
-get_prop(llkd, llkd_prop)
-
-allow llkd self:global_capability_class_set kill;
-userdebug_or_eng(`
- allow llkd self:global_capability_class_set { sys_ptrace sys_admin };
- allow llkd self:global_capability_class_set { dac_override dac_read_search };
-')
-
-# llkd optionally locks itself in memory, to prevent it from being
-# swapped out and unable to discover a kernel in live-lock state.
-allow llkd self:global_capability_class_set ipc_lock;
-
-# Send kill signals to _anyone_ suffering from Live Lock
-allow llkd domain:process sigkill;
-
-# read stack to check for Live Lock
-userdebug_or_eng(`
- allow llkd {
- domain
- -apexd
- -kernel
- -keystore
- -init
- -llkd
- -ueventd
- -vendor_init
- }:process ptrace;
-')
-
-# live lock watchdog process allowed to look through /proc/
-allow llkd domain:dir r_dir_perms;
-allow llkd domain:file r_file_perms;
-allow llkd domain:lnk_file read;
-# Set /proc/sys/kernel/hung_task_*
-allow llkd proc_hung_task:file rw_file_perms;
-
-# live lock watchdog process allowed to dump process trace and
-# reboot because orderly shutdown may not be possible.
-allow llkd proc_sysrq:file w_file_perms;
-allow llkd kmsg_device:chr_file w_file_perms;
-
-### neverallow rules
-
-neverallow { domain -init } llkd:process { dyntransition transition };
-neverallow { domain userdebug_or_eng(`-crash_dump') } llkd:process ptrace;
-
-# never honor LD_PRELOAD
-neverallow * llkd:process noatsecure;
diff --git a/microdroid/sepolicy/system/private/lmkd.te b/microdroid/sepolicy/system/private/lmkd.te
deleted file mode 100644
index fef3a89..0000000
--- a/microdroid/sepolicy/system/private/lmkd.te
+++ /dev/null
@@ -1,11 +0,0 @@
-typeattribute lmkd coredomain;
-
-init_daemon_domain(lmkd)
-
-# Set sys.lmk.* properties.
-set_prop(lmkd, system_lmk_prop)
-
-# Set lmkd.* properties.
-set_prop(lmkd, lmkd_prop)
-
-neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set;
diff --git a/microdroid/sepolicy/system/private/logd.te b/microdroid/sepolicy/system/private/logd.te
index 7112c4f..0cc6e96 100644
--- a/microdroid/sepolicy/system/private/logd.te
+++ b/microdroid/sepolicy/system/private/logd.te
@@ -2,40 +2,42 @@
init_daemon_domain(logd)
-# Access device logging gating property
-get_prop(logd, device_logging_prop)
-
-# logd is not allowed to write anywhere other than /data/misc/logd, and then
-# only on userdebug or eng builds
-neverallow logd {
- file_type
- -runtime_event_log_tags_file
- userdebug_or_eng(`-coredump_file -misc_logd_file')
- with_native_coverage(`-method_trace_data_file')
-}:file { create write append };
-
-# protect the event-log-tags file
-neverallow {
- domain
- -appdomain # covered below
- -bootstat
- -dumpstate
- -init
- -logd
- userdebug_or_eng(`-logpersist')
- -servicemanager
- -system_server
- -surfaceflinger
- -zygote
-} runtime_event_log_tags_file:file no_rw_file_perms;
-
-neverallow {
- appdomain
- -bluetooth
- -platform_app
- -priv_app
- -radio
- -shell
- userdebug_or_eng(`-su')
- -system_app
-} runtime_event_log_tags_file:file no_rw_file_perms;
+allow logd adbd:dir search;
+allow logd adbd:file { getattr open read };
+allow logd device:dir search;
+allow logd hwservicemanager:dir search;
+allow logd hwservicemanager:file { open read };
+allow logd init:dir search;
+allow logd init:fd use;
+allow logd init:file { getattr open read };
+allow logd kernel:dir search;
+allow logd kernel:file { getattr open read };
+allow logd kernel:system { syslog_mod syslog_read };
+allow logd keystore:dir search;
+allow logd keystore:file { getattr open read };
+allow logd linkerconfig_file:dir search;
+allow logd microdroid_manager:dir search;
+allow logd microdroid_manager:file { getattr open read };
+allow logd null_device:chr_file { open read };
+#allow logd proc_kmsg:file read;
+r_dir_file(logd, cgroup)
+r_dir_file(logd, cgroup_v2)
+r_dir_file(logd, proc_kmsg)
+r_dir_file(logd, proc_meminfo)
+allow logd self:fifo_file { read write };
+allow logd self:file { getattr open read };
+allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
+allow logd self:global_capability2_class_set syslog;
+#allow logd self:netlink_audit_socket getopt;
+allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
+allow logd kmsg_device:chr_file { getattr w_file_perms };
+r_dir_file(logd, domain)
+allow logd self:unix_stream_socket { accept getopt setopt shutdown };
+allow logd servicemanager:dir search;
+allow logd servicemanager:file { open read };
+allow logd tombstoned:dir search;
+allow logd tombstoned:file { getattr open read };
+allow logd ueventd:dir search;
+allow logd ueventd:file { getattr open read };
+control_logd(logd)
+read_runtime_log_tags(logd)
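Review bot: The neverallow that confined logd's file writes (`neverallow logd { file_type -runtime_event_log_tags_file ... }:file { create write append };`) and the two neverallows protecting runtime_event_log_tags_file are removed without replacement, so the new side relies solely on the absence of allow rules for that guarantee. If they were dropped because the userdebug_or_eng/with_native_coverage exemptions name types that no longer exist in microdroid, trimming those exemptions is preferable to deleting the rule, e.g. `neverallow logd { file_type -runtime_event_log_tags_file }:file { create write append };` when the remaining exemptions are not needed. The new block also leaves two commented-out rules (`#allow logd proc_kmsg:file read;` and `#allow logd self:netlink_audit_socket getopt;`) next to the live rules that supersede them; either delete them or add a word on why they are kept. The added rules also look mechanically collected from denials rather than grouped by purpose, which makes the broad ones (`r_dir_file(logd, domain)`, the capability set) harder to justify on later review.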
diff --git a/microdroid/sepolicy/system/private/logpersist.te b/microdroid/sepolicy/system/private/logpersist.te
deleted file mode 100644
index ab2c9c6..0000000
--- a/microdroid/sepolicy/system/private/logpersist.te
+++ /dev/null
@@ -1,30 +0,0 @@
-typeattribute logpersist coredomain;
-
-# android debug log storage in logpersist domains (eng and userdebug only)
-userdebug_or_eng(`
-
- r_dir_file(logpersist, cgroup)
- r_dir_file(logpersist, cgroup_v2)
-
- allow logpersist misc_logd_file:file create_file_perms;
- allow logpersist misc_logd_file:dir rw_dir_perms;
-
- allow logpersist self:global_capability_class_set sys_nice;
- allow logpersist pstorefs:dir search;
- allow logpersist pstorefs:file r_file_perms;
-
- control_logd(logpersist)
- unix_socket_connect(logpersist, logdr, logd)
- read_runtime_log_tags(logpersist)
-
-')
-
-# logpersist is allowed to write to /data/misc/log for userdebug and eng builds
-neverallow logpersist {
- file_type
- userdebug_or_eng(`-misc_logd_file -coredump_file')
- with_native_coverage(`-method_trace_data_file')
-}:file { create write append };
-neverallow { domain -init -dumpstate -incidentd userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_rw_file_perms;
-neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_w_file_perms;
-neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
diff --git a/microdroid/sepolicy/system/private/lpdumpd.te b/microdroid/sepolicy/system/private/lpdumpd.te
deleted file mode 100644
index 9f5f87e..0000000
--- a/microdroid/sepolicy/system/private/lpdumpd.te
+++ /dev/null
@@ -1,37 +0,0 @@
-type lpdumpd, domain, coredomain;
-type lpdumpd_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(lpdumpd)
-
-# Allow lpdumpd to register itself as a service.
-binder_use(lpdumpd)
-add_service(lpdumpd, lpdump_service)
-
-# Allow lpdumpd to find the super partition block device.
-allow lpdumpd block_device:dir r_dir_perms;
-
-# Allow lpdumpd to read super partition metadata.
-allow lpdumpd super_block_device_type:blk_file r_file_perms;
-
-# Allow lpdumpd to read fstab.
-allow lpdumpd sysfs_dt_firmware_android:dir r_dir_perms;
-allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
-read_fstab(lpdumpd)
-
-### Neverallow rules
-
-# Disallow other domains to get lpdump_service and call lpdumpd.
-neverallow {
- domain
- -dumpstate
- -lpdumpd
- -shell
-} lpdump_service:service_manager find;
-
-neverallow {
- domain
- -dumpstate
- -lpdumpd
- -shell
- -servicemanager
-} lpdumpd:binder call;
diff --git a/microdroid/sepolicy/system/private/mdnsd.te b/microdroid/sepolicy/system/private/mdnsd.te
deleted file mode 100644
index 98e95da..0000000
--- a/microdroid/sepolicy/system/private/mdnsd.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# mdns daemon
-
-typeattribute mdnsd coredomain;
-typeattribute mdnsd mlstrustedsubject;
-
-type mdnsd_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(mdnsd)
-
-net_domain(mdnsd)
-
-# Read from /proc/net
-r_dir_file(mdnsd, proc_net_type)
diff --git a/microdroid/sepolicy/system/private/mediadrmserver.te b/microdroid/sepolicy/system/private/mediadrmserver.te
deleted file mode 100644
index 4e511a8..0000000
--- a/microdroid/sepolicy/system/private/mediadrmserver.te
+++ /dev/null
@@ -1,8 +0,0 @@
-typeattribute mediadrmserver coredomain;
-
-init_daemon_domain(mediadrmserver)
-
-# allocate and use graphic buffers
-hal_client_domain(mediadrmserver, hal_graphics_allocator)
-auditallow mediadrmserver hal_graphics_allocator_server:binder call;
-
diff --git a/microdroid/sepolicy/system/private/mediaextractor.te b/microdroid/sepolicy/system/private/mediaextractor.te
deleted file mode 100644
index 7bcf5c8..0000000
--- a/microdroid/sepolicy/system/private/mediaextractor.te
+++ /dev/null
@@ -1,10 +0,0 @@
-typeattribute mediaextractor coredomain;
-
-init_daemon_domain(mediaextractor)
-tmpfs_domain(mediaextractor)
-allow mediaextractor appdomain_tmpfs:file { getattr map read write };
-allow mediaextractor mediaserver_tmpfs:file { getattr map read write };
-allow mediaextractor system_server_tmpfs:file { getattr map read write };
-
-get_prop(mediaextractor, device_config_media_native_prop)
-get_prop(mediaextractor, device_config_swcodec_native_prop)
diff --git a/microdroid/sepolicy/system/private/mediametrics.te b/microdroid/sepolicy/system/private/mediametrics.te
deleted file mode 100644
index 5a6f2e1..0000000
--- a/microdroid/sepolicy/system/private/mediametrics.te
+++ /dev/null
@@ -1,8 +0,0 @@
-typeattribute mediametrics coredomain;
-
-init_daemon_domain(mediametrics)
-
-# Needed for stats callback registration to statsd.
-allow mediametrics stats_service:service_manager find;
-allow mediametrics statsmanager_service:service_manager find;
-binder_call(mediametrics, statsd)
diff --git a/microdroid/sepolicy/system/private/mediaprovider.te b/microdroid/sepolicy/system/private/mediaprovider.te
deleted file mode 100644
index 78bbdb0..0000000
--- a/microdroid/sepolicy/system/private/mediaprovider.te
+++ /dev/null
@@ -1,48 +0,0 @@
-###
-### A domain for android.process.media, which contains both
-### MediaProvider and DownloadProvider and associated services.
-###
-
-typeattribute mediaprovider coredomain;
-app_domain(mediaprovider)
-
-# DownloadProvider accesses the network.
-net_domain(mediaprovider)
-
-# DownloadProvider uses /cache.
-allow mediaprovider cache_file:dir create_dir_perms;
-allow mediaprovider cache_file:file create_file_perms;
-# /cache is a symlink to /data/cache on some devices. Allow reading the link.
-allow mediaprovider cache_file:lnk_file r_file_perms;
-# mediaprovider searches through /cache looking for orphans
-# Ignore denials to /cache/recovery and /cache/backup.
-dontaudit mediaprovider cache_private_backup_file:dir getattr;
-dontaudit mediaprovider cache_recovery_file:dir getattr;
-
-# Access external sdcards through /mnt/media_rw
-allow mediaprovider { mnt_media_rw_file }:dir search;
-
-allow mediaprovider app_api_service:service_manager find;
-allow mediaprovider audioserver_service:service_manager find;
-allow mediaprovider cameraserver_service:service_manager find;
-allow mediaprovider drmserver_service:service_manager find;
-allow mediaprovider mediaextractor_service:service_manager find;
-allow mediaprovider mediaserver_service:service_manager find;
-
-# Allow MediaProvider to read/write cached ringtones (opened by system).
-allow mediaprovider ringtone_file:file { getattr read write };
-
-# MtpServer uses /dev/mtp_usb
-allow mediaprovider mtp_device:chr_file rw_file_perms;
-
-# MtpServer uses /dev/usb-ffs/mtp
-allow mediaprovider functionfs:dir search;
-allow mediaprovider functionfs:file rw_file_perms;
-allowxperm mediaprovider functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
-
-# MtpServer sets sys.usb.ffs.mtp.ready
-get_prop(mediaprovider, ffs_config_prop)
-set_prop(mediaprovider, ffs_control_prop)
-
-# DownloadManager may retrieve DRM status
-get_prop(mediaprovider, drm_service_config_prop)
diff --git a/microdroid/sepolicy/system/private/mediaprovider_app.te b/microdroid/sepolicy/system/private/mediaprovider_app.te
deleted file mode 100644
index 0e4a50e..0000000
--- a/microdroid/sepolicy/system/private/mediaprovider_app.te
+++ /dev/null
@@ -1,56 +0,0 @@
-###
-### A domain for further sandboxing the MediaProvider mainline module.
-###
-type mediaprovider_app, domain, coredomain;
-
-app_domain(mediaprovider_app)
-
-# Access to /mnt/pass_through.
-r_dir_file(mediaprovider_app, mnt_pass_through_file)
-
-# Allow MediaProvider to host a FUSE daemon for external storage
-allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };
-
-# Allow MediaProvider to read/write media_rw_data_file files and dirs
-allow mediaprovider_app media_rw_data_file:file create_file_perms;
-allow mediaprovider_app media_rw_data_file:dir create_dir_perms;
-
-# Talk to the DRM service
-allow mediaprovider_app drmserver_service:service_manager find;
-
-# Talk to the MediaServer service
-allow mediaprovider_app mediaserver_service:service_manager find;
-
-# Talk to regular app services
-allow mediaprovider_app app_api_service:service_manager find;
-
-# Talk to the GPU service
-binder_call(mediaprovider_app, gpuservice)
-
-# Talk to statsd
-allow mediaprovider_app statsmanager_service:service_manager find;
-binder_call(mediaprovider_app, statsd)
-
-# read pipe-max-size configuration
-allow mediaprovider_app proc_pipe_conf:file r_file_perms;
-
-# Allow MediaProvider to set extended attributes (such as quota project ID)
-# on media files.
-allowxperm mediaprovider_app media_rw_data_file:{ dir file } ioctl {
- FS_IOC_FSGETXATTR
- FS_IOC_FSSETXATTR
- FS_IOC_GETFLAGS
- FS_IOC_SETFLAGS
-};
-
-# Access external sdcards through /mnt/media_rw
-allow mediaprovider_app { mnt_media_rw_file }:dir search;
-
-allow mediaprovider_app proc_filesystems:file r_file_perms;
-
-#Allow MediaProvider to see if sdcardfs is in use
-get_prop(mediaprovider_app, storage_config_prop)
-
-get_prop(mediaprovider_app, drm_service_config_prop)
-
-allow mediaprovider_app gpu_device:dir search;
diff --git a/microdroid/sepolicy/system/private/mediaserver.te b/microdroid/sepolicy/system/private/mediaserver.te
deleted file mode 100644
index 6fe460c..0000000
--- a/microdroid/sepolicy/system/private/mediaserver.te
+++ /dev/null
@@ -1,20 +0,0 @@
-typeattribute mediaserver coredomain;
-
-init_daemon_domain(mediaserver)
-tmpfs_domain(mediaserver)
-allow mediaserver appdomain_tmpfs:file { getattr map read write };
-
-# allocate and use graphic buffers
-hal_client_domain(mediaserver, hal_graphics_allocator)
-hal_client_domain(mediaserver, hal_configstore)
-hal_client_domain(mediaserver, hal_drm)
-hal_client_domain(mediaserver, hal_omx)
-hal_client_domain(mediaserver, hal_codec2)
-
-set_prop(mediaserver, audio_prop)
-
-get_prop(mediaserver, drm_service_config_prop)
-get_prop(mediaserver, media_config_prop)
-
-# Allow mediaserver to start media.transcoding service via ctl.start.
-set_prop(mediaserver, ctl_mediatranscoding_prop);
diff --git a/microdroid/sepolicy/system/private/mediaswcodec.te b/microdroid/sepolicy/system/private/mediaswcodec.te
deleted file mode 100644
index 02079c1..0000000
--- a/microdroid/sepolicy/system/private/mediaswcodec.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute mediaswcodec coredomain;
-
-init_daemon_domain(mediaswcodec)
-
-get_prop(mediaswcodec, device_config_media_native_prop)
-get_prop(mediaswcodec, device_config_swcodec_native_prop)
diff --git a/microdroid/sepolicy/system/private/mediatranscoding.te b/microdroid/sepolicy/system/private/mediatranscoding.te
deleted file mode 100644
index d812525..0000000
--- a/microdroid/sepolicy/system/private/mediatranscoding.te
+++ /dev/null
@@ -1,65 +0,0 @@
-# mediatranscoding - daemon for transcoding video and image.
-type mediatranscoding, domain;
-type mediatranscoding_exec, system_file_type, exec_type, file_type;
-type mediatranscoding_tmpfs, file_type;
-typeattribute mediatranscoding coredomain;
-
-init_daemon_domain(mediatranscoding)
-tmpfs_domain(mediatranscoding)
-allow mediatranscoding appdomain_tmpfs:file { getattr map read write };
-
-binder_use(mediatranscoding)
-binder_call(mediatranscoding, binderservicedomain)
-binder_call(mediatranscoding, appdomain)
-binder_service(mediatranscoding)
-
-add_service(mediatranscoding, mediatranscoding_service)
-
-hal_client_domain(mediatranscoding, hal_graphics_allocator)
-hal_client_domain(mediatranscoding, hal_configstore)
-hal_client_domain(mediatranscoding, hal_omx)
-hal_client_domain(mediatranscoding, hal_codec2)
-
-allow mediatranscoding mediaserver_service:service_manager find;
-allow mediatranscoding mediametrics_service:service_manager find;
-allow mediatranscoding mediaextractor_service:service_manager find;
-allow mediatranscoding package_native_service:service_manager find;
-allow mediatranscoding thermal_service:service_manager find;
-
-allow mediatranscoding system_server:fd use;
-allow mediatranscoding activity_service:service_manager find;
-
-# allow mediatranscoding service read/write permissions for file sources
-allow mediatranscoding sdcardfs:file { getattr read write };
-allow mediatranscoding media_rw_data_file:file { getattr read write };
-allow mediatranscoding apk_data_file:file { getattr read };
-allow mediatranscoding app_data_file:file { getattr read write };
-allow mediatranscoding shell_data_file:file { getattr read write };
-
-# allow mediatranscoding service write permission to statsd socket
-unix_socket_send(mediatranscoding, statsdw, statsd)
-
-# Allow mediatranscoding to access the DMA-BUF system heap
-allow mediatranscoding dmabuf_system_heap_device:chr_file r_file_perms;
-
-allow mediatranscoding gpu_device:dir search;
-
-# Allow mediatranscoding service to access media-related system properties
-get_prop(mediatranscoding, media_config_prop)
-
-# mediatranscoding should never execute any executable without a
-# domain transition
-neverallow mediatranscoding { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediatranscoding domain:{ udp_socket rawip_socket } *;
-neverallow mediatranscoding { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/microdroid/sepolicy/system/private/mediatuner.te b/microdroid/sepolicy/system/private/mediatuner.te
deleted file mode 100644
index 413d2e5..0000000
--- a/microdroid/sepolicy/system/private/mediatuner.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# mediatuner - mediatuner daemon
-type mediatuner, domain;
-type mediatuner_exec, system_file_type, exec_type, file_type;
-
-typeattribute mediatuner coredomain;
-
-init_daemon_domain(mediatuner)
-hal_client_domain(mediatuner, hal_tv_tuner)
-
-binder_use(mediatuner)
-binder_call(mediatuner, appdomain)
-binder_service(mediatuner)
-
-add_service(mediatuner, mediatuner_service)
-allow mediatuner system_server:fd use;
-allow mediatuner tv_tuner_resource_mgr_service:service_manager find;
-allow mediatuner package_native_service:service_manager find;
-binder_call(mediatuner, system_server)
-
-###
-### neverallow rules
-###
-
-# mediatuner should never execute any executable without a
-# domain transition
-neverallow mediatuner { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm mediatuner domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-
diff --git a/microdroid/sepolicy/system/private/microdroid_app.te b/microdroid/sepolicy/system/private/microdroid_app.te
index c8e75a4..820ec68 100644
--- a/microdroid/sepolicy/system/private/microdroid_app.te
+++ b/microdroid/sepolicy/system/private/microdroid_app.te
@@ -46,3 +46,6 @@
# Allow microdroid_app to use vsock inherited from microdroid_manager
allow microdroid_app microdroid_manager:vsock_socket { read write };
+
+# Write to /dev/kmsg.
+allow microdroid_app kmsg_device:chr_file rw_file_perms;
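Review bot: The added rule grants `rw_file_perms` on kmsg_device while the comment above it says only "Write to /dev/kmsg."; rw_file_perms includes read, so microdroid_app would also be able to read the kernel log buffer through the device node if the kernel permits it, which is wider than emitting log lines. If writing is all the app needs, `allow microdroid_app kmsg_device:chr_file w_file_perms;` matches the comment and keeps the grant minimal. If read access is intentional, the comment should say so, e.g. `# Read and write /dev/kmsg.`, so the next reviewer does not shrink it by mistake.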
diff --git a/microdroid/sepolicy/system/private/migrate_legacy_obb_data.te b/microdroid/sepolicy/system/private/migrate_legacy_obb_data.te
deleted file mode 100644
index b2a1fb1..0000000
--- a/microdroid/sepolicy/system/private/migrate_legacy_obb_data.te
+++ /dev/null
@@ -1,28 +0,0 @@
-type migrate_legacy_obb_data, domain, coredomain;
-type migrate_legacy_obb_data_exec, system_file_type, exec_type, file_type;
-
-allow migrate_legacy_obb_data media_rw_data_file:dir create_dir_perms;
-allow migrate_legacy_obb_data media_rw_data_file:file create_file_perms;
-
-allow migrate_legacy_obb_data shell_exec:file rx_file_perms;
-
-allow migrate_legacy_obb_data toolbox_exec:file rx_file_perms;
-
-allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };
-
-allow migrate_legacy_obb_data mnt_user_file:dir search;
-allow migrate_legacy_obb_data mnt_user_file:lnk_file read;
-allow migrate_legacy_obb_data storage_file:dir search;
-allow migrate_legacy_obb_data storage_file:lnk_file read;
-
-allow migrate_legacy_obb_data sdcard_type:dir create_dir_perms;
-allow migrate_legacy_obb_data sdcard_type:file create_file_perms;
-
-# TODO: This should not be necessary. We don't deliberately hand over
-# any open file descriptors to this domain, so anything that triggers this
-# should be a candidate for O_CLOEXEC.
-allow migrate_legacy_obb_data installd:fd use;
-
-# This rule is required to let this process read /proc/{parent_pid}/mount.
-# TODO: Why is this required ?
-allow migrate_legacy_obb_data installd:file read;
diff --git a/microdroid/sepolicy/system/private/mls b/microdroid/sepolicy/system/private/mls
index 955c27b..303df81 100644
--- a/microdroid/sepolicy/system/private/mls
+++ b/microdroid/sepolicy/system/private/mls
@@ -48,52 +48,25 @@
(l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
#
-# Userfaultfd constraints
-#
-# To enforce that anonymous inodes are self contained in the application's process.
-mlsconstrain anon_inode { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute open execmod }
- (l1 eq l2);
-
-#
-# Constraints for app data files only.
-#
-
-# Only constrain open, not read/write, so already open fds can be used.
-# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
-# Subject must dominate object unless the subject is trusted.
-mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir }
- (t2 != app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject);
-mlsconstrain { file sock_file } { open setattr unlink link rename }
- ( (t2 != app_data_file_type and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
-
-# For symlinks in app data files, require equivalence in order to manipulate or follow (read).
-mlsconstrain { lnk_file } { open setattr unlink link rename read }
- ( (t2 != app_data_file_type or t2 == privapp_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
-# But for priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
-# TODO: Migrate to equivalence when it's no longer needed.
-mlsconstrain { lnk_file } { open setattr unlink link rename read }
- ( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
-
-#
# Constraints for file types other than app data files.
#
# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
mlsconstrain dir { read getattr search }
- (t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
- or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_root_file) ) );
+ (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
+ or (t1 == mlsvendorcompat and t2 == system_data_file) );
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
- (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Write operations: Subject must be equivalent to the object unless the
# subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
- (t2 == app_data_file_type or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
- (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
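Review bot: The retained heading `# Constraints for file types other than app data files.` (the context line before the first rewritten dir constraint) now describes a distinction the file no longer makes, because the app-data-file block and every `t2 == app_data_file_type` / `appdomain_tmpfs` carve-out are removed in this hunk, so a reader will look for an app-data section that does not exist. Suggest rewording it to `# Constraints for file types.` or adding `# Microdroid has no app data file types, so no app-specific constraints apply.` The hunk also drops the anon_inode constraint that required subject and object to share a level for anonymous inodes; if no microdroid domain is granted anon_inode access that is harmless, but since the reason is not visible here a one-line note on why it was removed would save the next reviewer from checking.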
diff --git a/microdroid/sepolicy/system/private/mlstrustedsubject.te b/microdroid/sepolicy/system/private/mlstrustedsubject.te
deleted file mode 100644
index 22482d9..0000000
--- a/microdroid/sepolicy/system/private/mlstrustedsubject.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# MLS override can't be used to access private app data.
-
-# Apps should not normally be mlstrustedsubject, but if they must be
-# they cannot use this to access app private data files; their own app
-# data files must use a different label.
-
-neverallow {
- mlstrustedsubject
- -installd
- -iorap_prefetcherd
- -iorap_inode2filename
-} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
-
-neverallow {
- mlstrustedsubject
- -installd
- -iorap_prefetcherd
- -iorap_inode2filename
-} { app_data_file privapp_data_file }:dir ~{ read getattr search };
-
-neverallow {
- mlstrustedsubject
- -installd
- -iorap_prefetcherd
- -iorap_inode2filename
- -system_server
- -adbd
- -runas
- -zygote
-} { app_data_file privapp_data_file }:dir { read getattr search };
diff --git a/microdroid/sepolicy/system/private/mm_events.te b/microdroid/sepolicy/system/private/mm_events.te
deleted file mode 100644
index 4875d40..0000000
--- a/microdroid/sepolicy/system/private/mm_events.te
+++ /dev/null
@@ -1,14 +0,0 @@
-type mm_events, domain, coredomain;
-type mm_events_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(mm_events)
-
-allow mm_events shell_exec:file rx_file_perms;
-
-# Allow running the sleep command to rate limit attempts
-# to arm mm_events on failure.
-allow mm_events toolbox_exec:file rx_file_perms;
-
-allow mm_events perfetto_exec:file rx_file_perms;
-
-domain_auto_trans(mm_events, perfetto_exec, perfetto)
diff --git a/microdroid/sepolicy/system/private/modprobe.te b/microdroid/sepolicy/system/private/modprobe.te
deleted file mode 100644
index 9858675..0000000
--- a/microdroid/sepolicy/system/private/modprobe.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute modprobe coredomain;
diff --git a/microdroid/sepolicy/system/private/mtp.te b/microdroid/sepolicy/system/private/mtp.te
deleted file mode 100644
index 732e111..0000000
--- a/microdroid/sepolicy/system/private/mtp.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute mtp coredomain;
-
-init_daemon_domain(mtp)
diff --git a/microdroid/sepolicy/system/private/net.te b/microdroid/sepolicy/system/private/net.te
new file mode 100644
index 0000000..1b2fd41
--- /dev/null
+++ b/microdroid/sepolicy/system/private/net.te
@@ -0,0 +1,16 @@
+## Network types
+type node, node_type;
+type netif, netif_type;
+type port, port_type;
+
+###
+### Domain with network access
+###
+
+allow netdomain self:tcp_socket create_stream_socket_perms;
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
+
+allow netdomain port_type:tcp_socket name_connect;
+allow netdomain node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow netdomain port_type:udp_socket name_bind;
+allow netdomain port_type:tcp_socket name_bind;
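Review bot: The new file gives every `netdomain` member `name_connect` and `name_bind` on all of `port_type` and `node_bind` on all of `node_type`, but nothing states which microdroid domains are expected to carry the `netdomain` attribute or why a VM whose other rules in this change talk over vsock needs TCP/UDP/ICMP/raw IP sockets. The rules mirror the platform net.te, so they are not wrong in isolation, but in a policy that is being cut to the minimum the grant is only reviewable if its intended members are named. A comment under `### Domain with network access`, e.g. `# Only <domain> is expected to be in netdomain; other domains use vsock.` with the real domain name filled in, would do. If no domain in the microdroid policy is a netdomain, these allow rules are dead and could be dropped together with the attribute.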
diff --git a/microdroid/sepolicy/system/private/netd.te b/microdroid/sepolicy/system/private/netd.te
deleted file mode 100644
index 670a4bf..0000000
--- a/microdroid/sepolicy/system/private/netd.te
+++ /dev/null
@@ -1,44 +0,0 @@
-typeattribute netd coredomain;
-
-init_daemon_domain(netd)
-
-# Allow netd to spawn dnsmasq in it's own domain
-domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
-
-# Allow netd to start clatd in its own domain and kill it
-domain_auto_trans(netd, clatd_exec, clatd)
-allow netd clatd:process signal;
-
-# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
-# the map created by bpfloader
-allow netd bpfloader:bpf { prog_run map_read map_write };
-
-# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
-# TODO: Remove this permission when 4.9 kernel is deprecated.
-allow netd self:key_socket create;
-
-set_prop(netd, ctl_mdnsd_prop)
-set_prop(netd, netd_stable_secret_prop)
-
-get_prop(netd, adbd_config_prop)
-get_prop(netd, bpf_progs_loaded_prop)
-get_prop(netd, hwservicemanager_prop)
-get_prop(netd, device_config_netd_native_prop)
-
-# Allow netd to write to statsd.
-unix_socket_send(netd, statsdw, statsd)
-
-# Allow netd to send callbacks to network_stack
-binder_call(netd, network_stack)
-
-# Allow netd to send dump info to dumpstate
-allow netd dumpstate:fd use;
-allow netd dumpstate:fifo_file { getattr write };
-
-# persist.netd.stable_secret contains RFC 7217 secret key which should never be
-# leaked to other processes. Make sure it never leaks.
-neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
-
-# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
-# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
-neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
diff --git a/microdroid/sepolicy/system/private/netutils_wrapper.te b/microdroid/sepolicy/system/private/netutils_wrapper.te
deleted file mode 100644
index ca3b515..0000000
--- a/microdroid/sepolicy/system/private/netutils_wrapper.te
+++ /dev/null
@@ -1,44 +0,0 @@
-typeattribute netutils_wrapper coredomain;
-
-r_dir_file(netutils_wrapper, system_file);
-
-# For netutils (ip, iptables, tc)
-allow netutils_wrapper self:global_capability_class_set net_raw;
-
-allow netutils_wrapper system_file:file { execute execute_no_trans };
-allow netutils_wrapper proc_net_type:file { open read getattr };
-allow netutils_wrapper self:rawip_socket create_socket_perms;
-allow netutils_wrapper self:udp_socket create_socket_perms;
-allow netutils_wrapper self:global_capability_class_set net_admin;
-# ip utils need everything but ioctl
-allow netutils_wrapper self:netlink_route_socket ~ioctl;
-allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
-
-# For netutils (ndc) to be able to talk to netd
-allow netutils_wrapper netd_service:service_manager find;
-allow netutils_wrapper dnsresolver_service:service_manager find;
-binder_use(netutils_wrapper);
-binder_call(netutils_wrapper, netd);
-
-# For vendor code that update the iptables rules at runtime. They need to reload
-# the whole chain including the xt_bpf rules. They need to access to the pinned
-# program when reloading the rule.
-allow netutils_wrapper fs_bpf:dir search;
-allow netutils_wrapper fs_bpf:file { read write };
-allow netutils_wrapper bpfloader:bpf prog_run;
-
-# For /data/misc/net access to ndc and ip
-r_dir_file(netutils_wrapper, net_data_file)
-
-domain_auto_trans({
- domain
- -coredomain
- -appdomain
-}, netutils_wrapper_exec, netutils_wrapper)
-
-# suppress spurious denials
-dontaudit netutils_wrapper self:global_capability_class_set sys_resource;
-dontaudit netutils_wrapper sysfs_type:file read;
-
-# netutils wrapper may only use the following capabilities.
-neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };
diff --git a/microdroid/sepolicy/system/private/network_stack.te b/microdroid/sepolicy/system/private/network_stack.te
deleted file mode 100644
index 09a98b5..0000000
--- a/microdroid/sepolicy/system/private/network_stack.te
+++ /dev/null
@@ -1,62 +0,0 @@
-# Networking service app
-typeattribute network_stack coredomain, mlstrustedsubject;
-
-app_domain(network_stack);
-net_domain(network_stack);
-
-allow network_stack self:global_capability_class_set {
- net_admin
- net_bind_service
- net_broadcast
- net_raw
-};
-
-# Allow access to net_admin ioctl, DHCP server uses SIOCSARP
-allowxperm network_stack self:udp_socket ioctl priv_sock_ioctls;
-
-# The DhcpClient uses packet_sockets
-allow network_stack self:packet_socket create_socket_perms_no_ioctl;
-
-# Monitor neighbors via netlink.
-allow network_stack self:netlink_route_socket nlmsg_write;
-
-allow network_stack app_api_service:service_manager find;
-allow network_stack dnsresolver_service:service_manager find;
-allow network_stack netd_service:service_manager find;
-allow network_stack network_watchlist_service:service_manager find;
-allow network_stack radio_service:service_manager find;
-allow network_stack system_config_service:service_manager find;
-allow network_stack radio_data_file:dir create_dir_perms;
-allow network_stack radio_data_file:file create_file_perms;
-
-binder_call(network_stack, netd);
-
-# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
-# TODO: Remove this permission when 4.9 kernel is deprecated.
-allow network_stack self:key_socket create;
-# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
-# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
-dontaudit network_stack self:key_socket getopt;
-
-# Grant read permission of connectivity namespace system property prefix.
-get_prop(network_stack, device_config_connectivity_prop)
-
-# Create/use netlink_tcpdiag_socket to get tcp info
-allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
-############### Tethering Service app - Tethering.apk ##############
-hal_client_domain(network_stack, hal_tetheroffload)
-# Create and share netlink_netfilter_sockets for tetheroffload.
-allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
-allow network_stack network_stack_service:service_manager find;
-# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
-allow network_stack { fs_bpf fs_bpf_tethering }:dir search;
-allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
-allow network_stack bpfloader:bpf { map_read map_write prog_run };
-
-# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
-# Unfortunately init/vendor_init have all sorts of extra privs
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
-
-neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
diff --git a/microdroid/sepolicy/system/private/nfc.te b/microdroid/sepolicy/system/private/nfc.te
deleted file mode 100644
index f1a08f7..0000000
--- a/microdroid/sepolicy/system/private/nfc.te
+++ /dev/null
@@ -1,35 +0,0 @@
-# nfc subsystem
-typeattribute nfc coredomain, mlstrustedsubject;
-app_domain(nfc)
-net_domain(nfc)
-
-binder_service(nfc)
-add_service(nfc, nfc_service)
-
-hal_client_domain(nfc, hal_nfc)
-
-# Data file accesses.
-allow nfc nfc_data_file:dir create_dir_perms;
-allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
-allow nfc nfc_logs_data_file:dir rw_dir_perms;
-allow nfc nfc_logs_data_file:file create_file_perms;
-
-# SoundPool loading and playback
-allow nfc audioserver_service:service_manager find;
-allow nfc drmserver_service:service_manager find;
-allow nfc mediametrics_service:service_manager find;
-allow nfc mediaextractor_service:service_manager find;
-allow nfc mediaserver_service:service_manager find;
-
-allow nfc radio_service:service_manager find;
-allow nfc app_api_service:service_manager find;
-allow nfc system_api_service:service_manager find;
-allow nfc vr_manager_service:service_manager find;
-allow nfc secure_element_service:service_manager find;
-
-set_prop(nfc, nfc_prop);
-
-# already open bugreport file descriptors may be shared with
-# the nfc process, from a file in
-# /data/data/com.android.shell/files/bugreports/bugreport-*.
-allow nfc shell_data_file:file read;
diff --git a/microdroid/sepolicy/system/private/odrefresh.te b/microdroid/sepolicy/system/private/odrefresh.te
deleted file mode 100644
index 7a64247..0000000
--- a/microdroid/sepolicy/system/private/odrefresh.te
+++ /dev/null
@@ -1,54 +0,0 @@
-# odrefresh
-type odrefresh, domain, coredomain;
-type odrefresh_exec, system_file_type, exec_type, file_type;
-
-# Allow odrefresh to create files and directories for on device signing.
-allow odrefresh apex_module_data_file:dir { getattr search };
-allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
-allow odrefresh apex_art_data_file:file create_file_perms;
-
-# Allow odrefresh to create data files (typically for metrics before statsd starts).
-allow odrefresh odrefresh_data_file:dir create_dir_perms;
-allow odrefresh odrefresh_data_file:file create_file_perms;
-
-userfaultfd_use(odrefresh)
-
-# Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
-# sets up files here and passes file descriptors for dex2oat to write to.
-allow odrefresh apex_art_staging_data_file:dir { create_dir_perms relabelto };
-allow odrefresh apex_art_staging_data_file:file create_file_perms;
-
-# Run dex2oat in its own sandbox.
-domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
-
-# Run dexoptanalyzer in its own sandbox.
-domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
-
-# Use devpts and fd from odsign (which exec()'s odrefresh)
-allow odrefresh odsign_devpts:chr_file { read write };
-allow odrefresh odsign:fd use;
-
-# Do not audit unused resources from parent processes (adb, shell, su).
-# These appear to be unnecessary for odrefresh.
-dontaudit odrefresh { adbd shell }:fd use;
-dontaudit odrefresh devpts:chr_file rw_file_perms;
-dontaudit odrefresh adbd:unix_stream_socket { getattr read write };
-
-# Allow odrefresh to read /apex/apex-info-list.xml to determine
-# whether current apex is in /system or /data.
-allow odrefresh apex_info_file:file r_file_perms;
-
-# No other processes should be creating files in the staging area.
-neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;
-
-# No processes other than init, odrefresh and system_server access
-# odrefresh_data_files.
-neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
-neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
-
-# Allow updating boot animation status.
-set_prop(odrefresh, bootanim_system_prop)
-
-# Allow query ART device config properties
-get_prop(odrefresh, device_config_runtime_native_prop)
-get_prop(odrefresh, device_config_runtime_native_boot_prop)
diff --git a/microdroid/sepolicy/system/private/odsign.te b/microdroid/sepolicy/system/private/odsign.te
deleted file mode 100644
index 0ff3b7b..0000000
--- a/microdroid/sepolicy/system/private/odsign.te
+++ /dev/null
@@ -1,59 +0,0 @@
-# odsign - on-device signing.
-type odsign, domain;
-
-# odsign - Binary for signing ART artifacts.
-typeattribute odsign coredomain;
-
-type odsign_exec, exec_type, file_type, system_file_type;
-
-# Allow init to start odsign
-init_daemon_domain(odsign)
-
-# Allow using persistent storage in /data/odsign
-allow odsign odsign_data_file:dir create_dir_perms;
-allow odsign odsign_data_file:file create_file_perms;
-
-# Create and use pty created by android_fork_execvp().
-create_pty(odsign)
-
-# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY on ART data files
-allowxperm odsign apex_art_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY FS_IOC_GETFLAGS
-};
-
-# talk to binder services (for keystore)
-binder_use(odsign);
-
-# talk to keystore specifically
-use_keystore(odsign);
-
-# Use our dedicated keystore key
-allow odsign odsign_key:keystore2_key {
- delete
- get_info
- rebind
- use
-};
-
-# talk to keymaster
-hal_client_domain(odsign, hal_keymaster)
-
-# For ART apex data dir access
-allow odsign apex_module_data_file:dir { getattr search };
-
-allow odsign apex_art_data_file:dir { rw_dir_perms rmdir };
-allow odsign apex_art_data_file:file { rw_file_perms unlink };
-
-# Run odrefresh to refresh ART artifacts
-domain_auto_trans(odsign, odrefresh_exec, odrefresh)
-
-# Run fsverity_init to add key to fsverity keyring
-domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
-
-# only odsign can set odsign sysprop
-set_prop(odsign, odsign_prop)
-neverallow { domain -odsign -init } odsign_prop:property_service set;
-
-# Neverallows
-neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
-neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
diff --git a/microdroid/sepolicy/system/private/otapreopt_chroot.te b/microdroid/sepolicy/system/private/otapreopt_chroot.te
deleted file mode 100644
index ea9d4ee..0000000
--- a/microdroid/sepolicy/system/private/otapreopt_chroot.te
+++ /dev/null
@@ -1,98 +0,0 @@
-# otapreopt_chroot executable
-typeattribute otapreopt_chroot coredomain;
-type otapreopt_chroot_exec, exec_type, file_type, system_file_type;
-
-# Chroot preparation and execution.
-# We need to create an unshared mount namespace, and then mount /data.
-allow otapreopt_chroot postinstall_file:dir { search mounton };
-allow otapreopt_chroot apex_mnt_dir:dir mounton;
-allow otapreopt_chroot device:dir mounton;
-allow otapreopt_chroot linkerconfig_file:dir mounton;
-allow otapreopt_chroot rootfs:dir mounton;
-allow otapreopt_chroot sysfs:dir mounton;
-allow otapreopt_chroot system_data_root_file:dir mounton;
-allow otapreopt_chroot system_file:dir mounton;
-allow otapreopt_chroot vendor_file:dir mounton;
-allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
-
-# This is required to mount /vendor and mount/unmount ext4 images from
-# APEX packages in /postinstall/apex.
-allow otapreopt_chroot block_device:dir search;
-allow otapreopt_chroot labeledfs:filesystem { mount unmount };
-# This is required for dynamic partitions.
-allow otapreopt_chroot dm_device:chr_file rw_file_perms;
-
-# This is required to unmount flattened APEX packages under
-# /postinstall/system/apex (which are bind-mounted in /postinstall/apex).
-allow otapreopt_chroot postinstall_file:filesystem unmount;
-# Mounting /vendor can have this side-effect. Ignore denial.
-dontaudit otapreopt_chroot kernel:process setsched;
-
-# Allow otapreopt_chroot to read SELinux policy files.
-allow otapreopt_chroot file_contexts_file:file r_file_perms;
-
-# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
-allow otapreopt_chroot postinstall_file:dir r_dir_perms;
-# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
-get_prop(otapreopt_chroot, apexd_prop)
-
-# Allow otapreopt to use file descriptors from update-engine. It will
-# close them immediately.
-allow otapreopt_chroot postinstall:fd use;
-allow otapreopt_chroot update_engine:fd use;
-allow otapreopt_chroot update_engine:fifo_file write;
-
-# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
-domain_auto_trans(otapreopt_chroot, postinstall_dexopt_exec, postinstall_dexopt)
-domain_auto_trans(otapreopt_chroot, linkerconfig_exec, linkerconfig)
-domain_auto_trans(otapreopt_chroot, apexd_exec, apexd)
-
-# Allow otapreopt_chroot to control linkerconfig
-allow otapreopt_chroot linkerconfig_file:dir { create_dir_perms relabelto };
-allow otapreopt_chroot linkerconfig_file:file create_file_perms;
-
-# Allow otapreopt_chroot to create loop devices with /dev/loop-control.
-allow otapreopt_chroot loop_control_device:chr_file rw_file_perms;
-# Allow otapreopt_chroot to access loop devices.
-allow otapreopt_chroot loop_device:blk_file rw_file_perms;
-allowxperm otapreopt_chroot loop_device:blk_file ioctl {
- LOOP_CONFIGURE
- LOOP_GET_STATUS64
- LOOP_SET_STATUS64
- LOOP_SET_FD
- LOOP_SET_BLOCK_SIZE
- LOOP_SET_DIRECT_IO
- LOOP_CLR_FD
- BLKFLSBUF
-};
-
-# Allow otapreopt_chroot to configure read-ahead of loop devices.
-allow otapreopt_chroot sysfs_loop:dir r_dir_perms;
-allow otapreopt_chroot sysfs_loop:file rw_file_perms;
-
-# Allow otapreopt_chroot to mount a tmpfs filesystem in /postinstall/apex.
-allow otapreopt_chroot tmpfs:filesystem mount;
-# Allow otapreopt_chroot to restore the security context of /postinstall/apex.
-allow otapreopt_chroot tmpfs:dir relabelfrom;
-allow otapreopt_chroot postinstall_apex_mnt_dir:dir relabelto;
-
-# Allow otapreopt_chroot to manipulate directory /postinstall/apex.
-allow otapreopt_chroot postinstall_apex_mnt_dir:dir create_dir_perms;
-allow otapreopt_chroot postinstall_apex_mnt_dir:file create_file_perms;
-# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
-allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
-
-# Allow otapreopt_chroot to access /dev/block (needed to detach loop
-# devices used by ext4 images from APEX packages).
-allow otapreopt_chroot block_device:dir r_dir_perms;
-
-# Allow to access the linker through the symlink.
-allow otapreopt_chroot postinstall_file:lnk_file r_file_perms;
-
-# Allow otapreopt_chroot to read ro.cold_boot_done prop.
-# This is a temporary solution to make sure that otapreopt_chroot doesn't block indefinetelly.
-# TODO(b/165948777): remove this once otapreopt_chroot is migrated to libapexmount.
-get_prop(otapreopt_chroot, cold_boot_done_prop)
-
-# allow otapreopt_chroot to run the linkerconfig from the new image.
-allow otapreopt_chroot linkerconfig_exec:file rx_file_perms;
diff --git a/microdroid/sepolicy/system/private/otapreopt_slot.te b/microdroid/sepolicy/system/private/otapreopt_slot.te
deleted file mode 100644
index 27a3b0e..0000000
--- a/microdroid/sepolicy/system/private/otapreopt_slot.te
+++ /dev/null
@@ -1,28 +0,0 @@
-# This command set moves the artifact corresponding to the current slot
-# from /data/ota to /data/dalvik-cache.
-
-type otapreopt_slot, domain, mlstrustedsubject, coredomain;
-type otapreopt_slot_exec, system_file_type, exec_type, file_type;
-
-# Technically not a daemon but we do want the transition from init domain to
-# cppreopts to occur.
-init_daemon_domain(otapreopt_slot)
-
-# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
-# the directory afterwards. For logging of aggregate size, we need getattr.
-allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
-allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
-# (du follows symlinks)
-allow otapreopt_slot ota_data_file:lnk_file read;
-
-# Delete old content of the dalvik-cache.
-allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
-allow otapreopt_slot dalvikcache_data_file:file { getattr unlink };
-allow otapreopt_slot dalvikcache_data_file:lnk_file { getattr read unlink };
-
-# Allow cppreopts to execute itself using #!/system/bin/sh
-allow otapreopt_slot shell_exec:file rx_file_perms;
-
-# Allow running the mv and rm/rmdir commands using otapreopt_slot permissions.
-# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.
-allow otapreopt_slot toolbox_exec:file rx_file_perms;
diff --git a/microdroid/sepolicy/system/private/perfetto.te b/microdroid/sepolicy/system/private/perfetto.te
deleted file mode 100644
index f9693da..0000000
--- a/microdroid/sepolicy/system/private/perfetto.te
+++ /dev/null
@@ -1,102 +0,0 @@
-# Perfetto command-line client. Can be used only from the domains that are
-# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
-# This command line client accesses the privileged socket of the traced
-# daemon.
-
-type perfetto_exec, system_file_type, exec_type, file_type;
-type perfetto_tmpfs, file_type;
-
-tmpfs_domain(perfetto);
-
-# Allow to access traced's privileged consumer socket.
-unix_socket_connect(perfetto, traced_consumer, traced)
-
-# Connect to the Perfetto traced daemon as a producer. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(perfetto)
-
-# Allow to write and unlink traces into /data/misc/perfetto-traces.
-allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
-allow perfetto perfetto_traces_data_file:file create_file_perms;
-
-# Allow to access binder to pass the traces to Dropbox.
-binder_use(perfetto)
-binder_call(perfetto, system_server)
-allow perfetto dropbox_service:service_manager find;
-
-# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
-# shell and adb can write files into that directory.
-allow perfetto perfetto_configs_data_file:dir r_dir_perms;
-allow perfetto perfetto_configs_data_file:file r_file_perms;
-
-# Allow perfetto to read the trace config from statsd, mm_events and shell
-# (both root and non-root) on stdin and also to write the resulting trace to
-# stdout.
-allow perfetto { statsd mm_events shell su }:fd use;
-allow perfetto { statsd mm_events shell su }:fifo_file { getattr read write };
-
-# Allow to communicate use, read and write over the adb connection.
-allow perfetto adbd:fd use;
-allow perfetto adbd:unix_stream_socket { read write };
-
-# Allow adbd to reap perfetto.
-allow perfetto adbd:process { sigchld };
-
-# Allow perfetto to write to statsd.
-unix_socket_send(perfetto, statsdw, statsd)
-
-# Allow to access /dev/pts when launched in an adb shell.
-allow perfetto devpts:chr_file rw_file_perms;
-
-# Allow perfetto to ask incidentd to start a report.
-allow perfetto incident_service:service_manager find;
-binder_call(perfetto, incidentd)
-
-# perfetto log formatter calls isatty() on its stderr. Denial when running
-# under adbd is harmless. Avoid generating denial logs.
-dontaudit perfetto adbd:unix_stream_socket getattr;
-dontauditxperm perfetto adbd:unix_stream_socket ioctl unpriv_tty_ioctls;
-# As above, when adbd is running in "su" domain (only the ioctl is denied in
-# practice).
-dontauditxperm perfetto su:unix_stream_socket ioctl unpriv_tty_ioctls;
-# Similarly, CTS tests end up hitting a denial on shell pipes.
-dontauditxperm perfetto shell:fifo_file ioctl unpriv_tty_ioctls;
-
-###
-### Neverallow rules
-###
-### perfetto should NEVER do any of this
-
-# Disallow mapping executable memory (execstack and exec are already disallowed
-# globally in domain.te).
-neverallow perfetto self:process execmem;
-
-# Block device access.
-neverallow perfetto dev_type:blk_file { read write };
-
-# ptrace any other process
-neverallow perfetto domain:process ptrace;
-
-# Disallows access to other /data files.
-neverallow perfetto {
- data_file_type
- -system_data_file
- -system_data_root_file
- # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
- # neverallow. Currently only getattr and search are allowed.
- -vendor_data_file
- -zoneinfo_data_file
- -perfetto_traces_data_file
- -perfetto_configs_data_file
- with_native_coverage(`-method_trace_data_file')
-}:dir *;
-neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
-neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
-neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
-neverallow perfetto {
- data_file_type
- -zoneinfo_data_file
- -perfetto_traces_data_file
- -perfetto_configs_data_file
- with_native_coverage(`-method_trace_data_file')
-}:file ~write;
diff --git a/microdroid/sepolicy/system/private/performanced.te b/microdroid/sepolicy/system/private/performanced.te
deleted file mode 100644
index 792826e..0000000
--- a/microdroid/sepolicy/system/private/performanced.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute performanced coredomain;
-
-init_daemon_domain(performanced)
diff --git a/microdroid/sepolicy/system/private/permissioncontroller_app.te b/microdroid/sepolicy/system/private/permissioncontroller_app.te
deleted file mode 100644
index 5f81875..0000000
--- a/microdroid/sepolicy/system/private/permissioncontroller_app.te
+++ /dev/null
@@ -1,22 +0,0 @@
-###
-### A domain for further sandboxing the GooglePermissionController app.
-###
-type permissioncontroller_app, domain, coredomain;
-
-app_domain(permissioncontroller_app)
-
-allow permissioncontroller_app app_api_service:service_manager find;
-allow permissioncontroller_app system_api_service:service_manager find;
-
-# Allow interaction with gpuservice
-binder_call(permissioncontroller_app, gpuservice)
-
-allow permissioncontroller_app radio_service:service_manager find;
-
-# Allow the app to request and collect incident reports.
-# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
-allow permissioncontroller_app incident_service:service_manager find;
-binder_call(permissioncontroller_app, incidentd)
-allow permissioncontroller_app incidentd:fifo_file { read write };
-
-allow permissioncontroller_app gpu_device:dir search;
diff --git a/microdroid/sepolicy/system/private/platform_app.te b/microdroid/sepolicy/system/private/platform_app.te
deleted file mode 100644
index a112081..0000000
--- a/microdroid/sepolicy/system/private/platform_app.te
+++ /dev/null
@@ -1,107 +0,0 @@
-###
-### Apps signed with the platform key.
-###
-
-typeattribute platform_app coredomain;
-
-app_domain(platform_app)
-
-# Access the network.
-net_domain(platform_app)
-# Access bluetooth.
-bluetooth_domain(platform_app)
-# Read from /data/local/tmp or /data/data/com.android.shell.
-allow platform_app shell_data_file:dir search;
-allow platform_app shell_data_file:file { open getattr read };
-allow platform_app icon_file:file { open getattr read };
-# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
-# created by system server.
-allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
-allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
-allow platform_app apk_private_data_file:dir search;
-# ASEC
-allow platform_app asec_apk_file:dir create_dir_perms;
-allow platform_app asec_apk_file:file create_file_perms;
-
-# Access to /data/media.
-allow platform_app media_rw_data_file:dir create_dir_perms;
-allow platform_app media_rw_data_file:file create_file_perms;
-
-# Write to /cache.
-allow platform_app cache_file:dir create_dir_perms;
-allow platform_app cache_file:file create_file_perms;
-
-# Direct access to vold-mounted storage under /mnt/media_rw
-# This is a performance optimization that allows platform apps to bypass the FUSE layer
-allow platform_app mnt_media_rw_file:dir r_dir_perms;
-allow platform_app sdcard_type:dir create_dir_perms;
-allow platform_app sdcard_type:file create_file_perms;
-
-# com.android.systemui
-allow platform_app rootfs:dir getattr;
-
-# com.android.captiveportallogin reads /proc/vmstat
-allow platform_app {
- proc_vmstat
-}:file r_file_perms;
-
-# /proc/net access.
-# TODO(b/9496886) Audit access for removal.
-r_dir_file(platform_app, proc_net_type)
-userdebug_or_eng(`
- auditallow platform_app proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
-allow platform_app audioserver_service:service_manager find;
-allow platform_app cameraserver_service:service_manager find;
-allow platform_app drmserver_service:service_manager find;
-allow platform_app mediaserver_service:service_manager find;
-allow platform_app mediametrics_service:service_manager find;
-allow platform_app mediaextractor_service:service_manager find;
-allow platform_app mediadrmserver_service:service_manager find;
-allow platform_app persistent_data_block_service:service_manager find;
-allow platform_app radio_service:service_manager find;
-allow platform_app thermal_service:service_manager find;
-allow platform_app timezone_service:service_manager find;
-allow platform_app app_api_service:service_manager find;
-allow platform_app system_api_service:service_manager find;
-allow platform_app vr_manager_service:service_manager find;
-allow platform_app stats_service:service_manager find;
-
-# Allow platform apps to log via statsd.
-binder_call(platform_app, statsd)
-
-# Access to /data/preloads
-allow platform_app preloads_data_file:file r_file_perms;
-allow platform_app preloads_data_file:dir r_dir_perms;
-allow platform_app preloads_media_file:file r_file_perms;
-allow platform_app preloads_media_file:dir r_dir_perms;
-
-read_runtime_log_tags(platform_app)
-
-# allow platform apps to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow platform_app system_server:udp_socket {
- connect getattr read recvfrom sendto write getopt setopt };
-
-# allow platform apps to connect to the property service
-set_prop(platform_app, test_boot_reason_prop)
-
-# allow platform apps to read keyguard.no_require_sim
-get_prop(platform_app, keyguard_config_prop)
-
-# allow platform apps to read qemu.hw.mainkeys
-get_prop(platform_app, qemu_hw_prop)
-
-# allow platform apps to create symbolic link
-allow platform_app app_data_file:lnk_file create_file_perms;
-
-# suppress denials caused by debugfs_tracing
-dontaudit platform_app debugfs_tracing:file rw_file_perms;
-
-###
-### Neverallow rules
-###
-
-# app domains which access /dev/fuse should not run as platform_app
-neverallow platform_app fuse_device:chr_file *;
diff --git a/microdroid/sepolicy/system/private/postinstall.te b/microdroid/sepolicy/system/private/postinstall.te
deleted file mode 100644
index 7060c59..0000000
--- a/microdroid/sepolicy/system/private/postinstall.te
+++ /dev/null
@@ -1,5 +0,0 @@
-typeattribute postinstall coredomain;
-type postinstall_exec, system_file_type, exec_type, file_type;
-domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
-
-allow postinstall rootfs:dir r_dir_perms;
diff --git a/microdroid/sepolicy/system/private/postinstall_dexopt.te b/microdroid/sepolicy/system/private/postinstall_dexopt.te
deleted file mode 100644
index 14e7854..0000000
--- a/microdroid/sepolicy/system/private/postinstall_dexopt.te
+++ /dev/null
@@ -1,81 +0,0 @@
-# Domain for the otapreopt executable, running under postinstall_dexopt
-#
-# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
-# this is derived and adapted from installd.te.
-
-type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
-type postinstall_dexopt_exec, system_file_type, exec_type, file_type;
-type postinstall_dexopt_tmpfs, file_type;
-
-# Run dex2oat/patchoat in its own sandbox.
-# We have to manually transition, as we don't have an entrypoint.
-# - Case where dex2oat is in a non-flattened APEX, which has retained
-# the correct type (`dex2oat_exec`).
-domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
-# - Case where dex2oat is in a flattened APEX, which has been tagged
-# with the `postinstall_file` type by update_engine.
-domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
-
-allow postinstall_dexopt postinstall_dexopt_tmpfs:file open;
-
-allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
-
-allow postinstall_dexopt postinstall_file:filesystem getattr;
-allow postinstall_dexopt postinstall_file:dir { getattr read search };
-allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
-allow postinstall_dexopt proc_filesystems:file { getattr open read };
-allow postinstall_dexopt rootfs:file r_file_perms;
-
-allow postinstall_dexopt tmpfs:file read;
-
-# Allow access to /postinstall/apex.
-allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search };
-
-# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
-# here and having to relabel the directory.
-
-# Read app data (APKs) as input to dex2oat.
-r_dir_file(postinstall_dexopt, apk_data_file)
-# Read vendor app data (APKs) as input to dex2oat.
-r_dir_file(postinstall_dexopt, vendor_app_file)
-# Read vendor overlay files (APKs) as input to dex2oat.
-r_dir_file(postinstall_dexopt, vendor_overlay_file)
-# Access to app oat directory.
-r_dir_file(postinstall_dexopt, dalvikcache_data_file)
-
-# Read profile data.
-allow postinstall_dexopt { user_profile_root_file user_profile_data_file }:dir { getattr search };
-allow postinstall_dexopt user_profile_data_file:file r_file_perms;
-# Suppress deletion denial (we do not want to update the profile).
-dontaudit postinstall_dexopt user_profile_data_file:file { write };
-
-# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
-allow postinstall_dexopt ota_data_file:dir create_dir_perms;
-allow postinstall_dexopt ota_data_file:file create_file_perms;
-allow postinstall_dexopt ota_data_file:lnk_file create_file_perms;
-
-# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
-# TODO: See whether we can apply ota_data_file?
-allow postinstall_dexopt dalvikcache_data_file:dir rw_dir_perms;
-allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
-
-# Allow labeling of files under /data/app/com.example/oat/
-# TODO: Restrict to .b suffix?
-allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
-allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
-
-# Check validity of SELinux context before use.
-selinux_check_context(postinstall_dexopt)
-selinux_check_access(postinstall_dexopt)
-
-
-# Postinstall wants to know about our child.
-allow postinstall_dexopt postinstall:process sigchld;
-
-# Allow otapreopt to use file descriptors from otapreopt_chroot.
-# TODO: Probably we can actually close file descriptors...
-allow postinstall_dexopt otapreopt_chroot:fd use;
-
-# Allow postinstall_dexopt to access the runtime feature flag properties.
-get_prop(postinstall_dexopt, device_config_runtime_native_prop)
-get_prop(postinstall_dexopt, device_config_runtime_native_boot_prop)
diff --git a/microdroid/sepolicy/system/private/ppp.te b/microdroid/sepolicy/system/private/ppp.te
deleted file mode 100644
index 968b221..0000000
--- a/microdroid/sepolicy/system/private/ppp.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute ppp coredomain;
-
-domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/microdroid/sepolicy/system/private/preloads_copy.te b/microdroid/sepolicy/system/private/preloads_copy.te
deleted file mode 100644
index ba54b70..0000000
--- a/microdroid/sepolicy/system/private/preloads_copy.te
+++ /dev/null
@@ -1,18 +0,0 @@
-type preloads_copy, domain, coredomain;
-type preloads_copy_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(preloads_copy)
-
-allow preloads_copy shell_exec:file rx_file_perms;
-allow preloads_copy toolbox_exec:file rx_file_perms;
-allow preloads_copy preloads_data_file:dir create_dir_perms;
-allow preloads_copy preloads_data_file:file create_file_perms;
-allow preloads_copy preloads_media_file:dir create_dir_perms;
-allow preloads_copy preloads_media_file:file create_file_perms;
-
-# Allow to copy from /postinstall
-allow preloads_copy system_file:dir r_dir_perms;
-
-# Silence the denial when /postinstall cannot be mounted, e.g., system_other
-# is wiped, but preloads_copy.sh still runs.
-dontaudit preloads_copy postinstall_mnt_dir:dir search;
diff --git a/microdroid/sepolicy/system/private/preopt2cachename.te b/microdroid/sepolicy/system/private/preopt2cachename.te
deleted file mode 100644
index dcfba14..0000000
--- a/microdroid/sepolicy/system/private/preopt2cachename.te
+++ /dev/null
@@ -1,17 +0,0 @@
-# preopt2cachename executable
-#
-# This executable translates names from the preopted versions the build system
-# creates to the names the runtime expects in the data directory.
-
-type preopt2cachename, domain, coredomain;
-type preopt2cachename_exec, system_file_type, exec_type, file_type;
-
-# Allow write to stdout.
-allow preopt2cachename cppreopts:fd use;
-allow preopt2cachename cppreopts:fifo_file { getattr read write };
-
-# Allow write to logcat.
-allow preopt2cachename proc_net_type:file r_file_perms;
-userdebug_or_eng(`
- auditallow preopt2cachename proc_net_type:{ dir file lnk_file } { getattr open read };
-')
diff --git a/microdroid/sepolicy/system/private/priv_app.te b/microdroid/sepolicy/system/private/priv_app.te
deleted file mode 100644
index 63a9cbf..0000000
--- a/microdroid/sepolicy/system/private/priv_app.te
+++ /dev/null
@@ -1,254 +0,0 @@
-###
-### A domain for further sandboxing privileged apps.
-###
-
-typeattribute priv_app coredomain;
-app_domain(priv_app)
-
-# Access the network.
-net_domain(priv_app)
-# Access bluetooth.
-bluetooth_domain(priv_app)
-
-# Allow the allocation and use of ptys
-# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
-create_pty(priv_app)
-
-# Allow loading executable code from writable priv-app home
-# directories. This is a W^X violation, however, it needs
-# to be supported for now for the following reasons.
-# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
-# 1) com.android.opengl.shaders_cache
-# 2) com.android.skia.shaders_cache
-# 3) com.android.renderscript.cache
-# * /data/user_de/0/com.google.android.gms/app_chimera
-# TODO: Tighten (b/112357170)
-allow priv_app privapp_data_file:file execute;
-
-# Chrome Crashpad uses the the dynamic linker to load native executables
-# from an APK (b/112050209, crbug.com/928422)
-allow priv_app system_linker_exec:file execute_no_trans;
-
-allow priv_app privapp_data_file:lnk_file create_file_perms;
-
-# Priv apps can find services that expose both @SystemAPI and normal APIs.
-allow priv_app app_api_service:service_manager find;
-allow priv_app system_api_service:service_manager find;
-
-allow priv_app audioserver_service:service_manager find;
-allow priv_app cameraserver_service:service_manager find;
-allow priv_app drmserver_service:service_manager find;
-allow priv_app mediadrmserver_service:service_manager find;
-allow priv_app mediaextractor_service:service_manager find;
-allow priv_app mediametrics_service:service_manager find;
-allow priv_app mediaserver_service:service_manager find;
-allow priv_app music_recognition_service:service_manager find;
-allow priv_app network_watchlist_service:service_manager find;
-allow priv_app nfc_service:service_manager find;
-allow priv_app oem_lock_service:service_manager find;
-allow priv_app persistent_data_block_service:service_manager find;
-allow priv_app radio_service:service_manager find;
-allow priv_app recovery_service:service_manager find;
-allow priv_app stats_service:service_manager find;
-
-# Write to /cache.
-allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
-allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
-# /cache is a symlink to /data/cache on some devices. Allow reading the link.
-allow priv_app cache_file:lnk_file r_file_perms;
-
-# Access to /data/media.
-allow priv_app media_rw_data_file:dir create_dir_perms;
-allow priv_app media_rw_data_file:file create_file_perms;
-
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-allow priv_app shell_data_file:file r_file_perms;
-allow priv_app shell_data_file:dir r_dir_perms;
-
-# Allow traceur to pass file descriptors through a content provider to betterbug
-allow priv_app trace_data_file:file { getattr read };
-
-# Allow betterbug to read profile reports generated by profcollect.
-userdebug_or_eng(`
- allow priv_app profcollectd_data_file:file r_file_perms;
-')
-
-# Allow the bug reporting frontend to read the presence and timestamp of the
-# trace attached to the bugreport (but not its contents, which will go in the
-# usual bugreport .zip file). This is used by the bug reporting UI to tell if
-# the bugreport will contain a system trace or not while the bugreport is still
-# in progress.
-allow priv_app perfetto_traces_bugreport_data_file:dir r_dir_perms;
-allow priv_app perfetto_traces_bugreport_data_file:file { getattr };
-# Required to traverse the parent dir (/data/misc/perfetto-traces).
-allow priv_app perfetto_traces_data_file:dir { search };
-
-# Allow verifier to access staged apks.
-allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
-allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
-
-# For AppFuse.
-allow priv_app vold:fd use;
-allow priv_app fuse_device:chr_file { read write };
-
-# /proc access
-allow priv_app {
- proc_vmstat
-}:file r_file_perms;
-
-allow priv_app sysfs_type:dir search;
-# Read access to /sys/class/net/wlan*/address
-r_dir_file(priv_app, sysfs_net)
-# Read access to /sys/block/zram*/mm_stat
-r_dir_file(priv_app, sysfs_zram)
-
-r_dir_file(priv_app, rootfs)
-
-# access the mac address
-allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
-
-# Allow com.android.vending to communicate with statsd.
-binder_call(priv_app, statsd)
-
-# Allow Phone to read/write cached ringtones (opened by system).
-allow priv_app ringtone_file:file { getattr read write };
-
-# Access to /data/preloads
-allow priv_app preloads_data_file:file r_file_perms;
-allow priv_app preloads_data_file:dir r_dir_perms;
-allow priv_app preloads_media_file:file r_file_perms;
-allow priv_app preloads_media_file:dir r_dir_perms;
-
-read_runtime_log_tags(priv_app)
-
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(priv_app)
-
-# Allow priv_apps to request and collect incident reports.
-# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
-allow priv_app incident_service:service_manager find;
-binder_call(priv_app, incidentd)
-allow priv_app incidentd:fifo_file { read write };
-
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(priv_app)
-can_profile_perf(priv_app)
-
-# Allow priv_apps to check whether Dynamic System Update is enabled
-get_prop(priv_app, dynamic_system_prop)
-
-# suppress denials for non-API accesses.
-dontaudit priv_app exec_type:file getattr;
-dontaudit priv_app device:dir read;
-dontaudit priv_app fs_bpf:dir search;
-dontaudit priv_app net_dns_prop:file read;
-dontaudit priv_app proc:file read;
-dontaudit priv_app proc_interrupts:file read;
-dontaudit priv_app proc_modules:file read;
-dontaudit priv_app proc_net:file read;
-dontaudit priv_app proc_stat:file read;
-dontaudit priv_app proc_version:file read;
-dontaudit priv_app sysfs:dir read;
-dontaudit priv_app sysfs:file read;
-dontaudit priv_app sysfs_android_usb:file read;
-dontaudit priv_app sysfs_dm:file r_file_perms;
-dontaudit priv_app { wifi_prop wifi_hal_prop }:file read;
-
-# allow privileged apps to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow priv_app system_server:udp_socket {
- connect getattr read recvfrom sendto write getopt setopt };
-
-# allow apps like Phonesky to check the file signature of an apk installed on
-# the Incremental File System, fill missing blocks and get the app status and loading progress
-allowxperm priv_app apk_data_file:file ioctl {
- INCFS_IOCTL_READ_SIGNATURE
- INCFS_IOCTL_FILL_BLOCKS
- INCFS_IOCTL_GET_BLOCK_COUNT
- INCFS_IOCTL_GET_FILLED_BLOCKS
-};
-
-# allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
-allow priv_app incremental_control_file:file { read getattr ioctl };
-
-# allow apps like Phonesky to request permission to fill blocks of an apk file
-# on the Incremental File System.
-allowxperm priv_app incremental_control_file:file ioctl INCFS_IOCTL_PERMIT_FILL;
-
-# allow privileged apps to read the vendor property that indicates if Incremental File System is enabled
-get_prop(priv_app, incremental_prop)
-
-# Required for Phonesky to be able to read APEX files under /data/apex/active/.
-allow priv_app apex_data_file:dir search;
-allow priv_app staging_data_file:file r_file_perms;
-# Required for Phonesky to be able to read staged files under /data/app-staging.
-allow priv_app staging_data_file:dir r_dir_perms;
-
-# allow priv app to access the system app data files for ContentProvider case.
-allow priv_app system_app_data_file:file { read getattr };
-
-###
-### neverallow rules
-###
-
-# Receive or send uevent messages.
-neverallow priv_app domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow priv_app domain:netlink_socket *;
-
-# Read or write kernel printk buffer
-neverallow priv_app kmsg_device:chr_file no_rw_file_perms;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow priv_app debugfs:file read;
-
-# Do not allow privileged apps to register services.
-# Only trusted components of Android should be registering
-# services.
-neverallow priv_app service_manager_type:service_manager add;
-
-# Do not allow privileged apps to connect to the property service
-# or set properties. b/10243159
-neverallow priv_app property_socket:sock_file write;
-neverallow priv_app init:unix_stream_socket connectto;
-neverallow priv_app property_type:property_service set;
-
-# Do not allow priv_app to be assigned mlstrustedsubject.
-# This would undermine the per-user isolation model being
-# enforced via levelFrom=user in seapp_contexts and the mls
-# constraints. As there is no direct way to specify a neverallow
-# on attribute assignment, this relies on the fact that fork
-# permission only makes sense within a domain (hence should
-# never be granted to any other domain within mlstrustedsubject)
-# and priv_app is allowed fork permission to itself.
-neverallow priv_app mlstrustedsubject:process fork;
-
-# Do not allow priv_app to hard link to any files.
-# In particular, if priv_app links to other app data
-# files, installd will not be able to guarantee the deletion
-# of the linked to file. Hard links also contribute to security
-# bugs, so we want to ensure priv_app never has this
-# capability.
-neverallow priv_app file_type:file link;
-
-# priv apps should not be able to open trace data files, they should depend
-# upon traceur to pass a file descriptor which they can then read
-neverallow priv_app trace_data_file:dir *;
-neverallow priv_app trace_data_file:file { no_w_file_perms open };
-
-# Do not allow priv_app access to cgroups.
-neverallow priv_app cgroup:file *;
-neverallow priv_app cgroup_v2:file *;
-
-# Do not allow loading executable code from non-privileged
-# application home directories. Code loading across a security boundary
-# is dangerous and allows a full compromise of a privileged process
-# by an unprivileged process. b/112357170
-neverallow priv_app app_data_file:file no_x_file_perms;
-
-# Do not follow untrusted app provided symlinks
-neverallow priv_app app_data_file:lnk_file { open read getattr };
diff --git a/microdroid/sepolicy/system/private/profcollectd.te b/microdroid/sepolicy/system/private/profcollectd.te
deleted file mode 100644
index efde321..0000000
--- a/microdroid/sepolicy/system/private/profcollectd.te
+++ /dev/null
@@ -1,61 +0,0 @@
-# profcollectd - hardware profile collection daemon
-type profcollectd, domain, coredomain, mlstrustedsubject;
-type profcollectd_exec, system_file_type, exec_type, file_type;
-
-userdebug_or_eng(`
- init_daemon_domain(profcollectd)
-
- # profcollectd opens a file for writing in /data/misc/profcollectd.
- allow profcollectd profcollectd_data_file:file create_file_perms;
- allow profcollectd profcollectd_data_file:dir create_dir_perms;
-
- # Allow profcollectd full use of perf_event_open(2), to enable system wide profiling.
- allow profcollectd self:perf_event { cpu kernel open read write };
-
- # Allow profcollectd to scan through /proc/pid for all processes.
- r_dir_file(profcollectd, domain)
-
- # Allow profcollectd to read executable binaries.
- allow profcollectd system_file_type:file r_file_perms;
- allow profcollectd vendor_file_type:file r_file_perms;
-
- # Allow profcollectd to search for and read kernel modules.
- allow profcollectd vendor_file:dir r_dir_perms;
- allow profcollectd vendor_kernel_modules:file r_file_perms;
-
- # Allow profcollectd to read system bootstrap libs.
- allow profcollectd system_bootstrap_lib_file:dir search;
- allow profcollectd system_bootstrap_lib_file:file r_file_perms;
-
- # Allow profcollectd to access tracefs.
- allow profcollectd debugfs_tracing:dir r_dir_perms;
- allow profcollectd debugfs_tracing:file rw_file_perms;
- allow profcollectd debugfs_tracing_debug:dir r_dir_perms;
- allow profcollectd debugfs_tracing_debug:file rw_file_perms;
-
- # Allow profcollectd to write to perf_event_paranoid under /proc.
- allow profcollectd proc_perf:file write;
-
- # Allow profcollectd to access cs_etm sysfs.
- r_dir_file(profcollectd, sysfs_devices_cs_etm)
-
- # Allow profcollectd to ptrace.
- allow profcollectd self:global_capability_class_set sys_ptrace;
-
- # Allow profcollectd to read its system properties.
- get_prop(profcollectd, device_config_profcollect_native_boot_prop)
- set_prop(profcollectd, profcollectd_node_id_prop)
-
- # Allow profcollectd to publish a binder service and make binder calls.
- binder_use(profcollectd)
- add_service(profcollectd, profcollectd_service)
-
- # Allow to temporarily lift the kptr_restrict setting and get kernel start address
- # by reading /proc/kallsyms, get module start address by reading /proc/modules.
- set_prop(profcollectd, lower_kptr_restrict_prop)
- allow profcollectd proc_kallsyms:file r_file_perms;
- allow profcollectd proc_modules:file r_file_perms;
-
- # Allow profcollectd to read kernel build id.
- allow profcollectd sysfs_kernel_notes:file r_file_perms;
-')
diff --git a/microdroid/sepolicy/system/private/profman.te b/microdroid/sepolicy/system/private/profman.te
deleted file mode 100644
index f61d05e..0000000
--- a/microdroid/sepolicy/system/private/profman.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute profman coredomain;
diff --git a/microdroid/sepolicy/system/private/property.te b/microdroid/sepolicy/system/private/property.te
deleted file mode 100644
index 01d4fd9..0000000
--- a/microdroid/sepolicy/system/private/property.te
+++ /dev/null
@@ -1,604 +0,0 @@
-# Properties used only in /system
-system_internal_prop(adbd_prop)
-system_internal_prop(ctl_snapuserd_prop)
-system_internal_prop(device_config_profcollect_native_boot_prop)
-system_internal_prop(device_config_statsd_native_prop)
-system_internal_prop(device_config_statsd_native_boot_prop)
-system_internal_prop(device_config_storage_native_boot_prop)
-system_internal_prop(device_config_sys_traced_prop)
-system_internal_prop(device_config_window_manager_native_boot_prop)
-system_internal_prop(device_config_configuration_prop)
-system_internal_prop(device_config_connectivity_prop)
-system_internal_prop(device_config_swcodec_native_prop)
-system_internal_prop(fastbootd_protocol_prop)
-system_internal_prop(gsid_prop)
-system_internal_prop(init_perf_lsm_hooks_prop)
-system_internal_prop(init_service_status_private_prop)
-system_internal_prop(init_svc_debug_prop)
-system_internal_prop(keystore_listen_prop)
-system_internal_prop(last_boot_reason_prop)
-system_internal_prop(localization_prop)
-system_internal_prop(lower_kptr_restrict_prop)
-system_internal_prop(net_464xlat_fromvendor_prop)
-system_internal_prop(net_connectivity_prop)
-system_internal_prop(netd_stable_secret_prop)
-system_internal_prop(odsign_prop)
-system_internal_prop(perf_drop_caches_prop)
-system_internal_prop(pm_prop)
-system_internal_prop(profcollectd_node_id_prop)
-system_internal_prop(rollback_test_prop)
-system_internal_prop(setupwizard_prop)
-system_internal_prop(system_adbd_prop)
-system_internal_prop(traced_perf_enabled_prop)
-system_internal_prop(userspace_reboot_log_prop)
-system_internal_prop(userspace_reboot_test_prop)
-system_internal_prop(verity_status_prop)
-system_internal_prop(zygote_wrap_prop)
-system_internal_prop(ctl_mediatranscoding_prop)
-
-###
-### Neverallow rules
-###
-
-treble_sysprop_neverallow(`
-
-enforce_sysprop_owner(`
- neverallow domain {
- property_type
- -system_property_type
- -product_property_type
- -vendor_property_type
- }:file no_rw_file_perms;
-')
-
-neverallow { domain -coredomain } {
- system_property_type
- system_internal_property_type
- -system_restricted_property_type
- -system_public_property_type
-}:file no_rw_file_perms;
-
-neverallow { domain -coredomain } {
- system_property_type
- -system_public_property_type
-}:property_service set;
-
-# init is in coredomain, but should be able to read/write all props.
-# dumpstate is also in coredomain, but should be able to read all props.
-neverallow { coredomain -init -dumpstate } {
- vendor_property_type
- vendor_internal_property_type
- -vendor_restricted_property_type
- -vendor_public_property_type
-}:file no_rw_file_perms;
-
-neverallow { coredomain -init } {
- vendor_property_type
- -vendor_public_property_type
-}:property_service set;
-
-')
-
-# There is no need to perform ioctl or advisory locking operations on
-# property files. If this neverallow is being triggered, it is
-# likely that the policy is using r_file_perms directly instead of
-# the get_prop() macro.
-neverallow domain property_type:file { ioctl lock };
-
-neverallow * {
- core_property_type
- -audio_prop
- -config_prop
- -cppreopt_prop
- -dalvik_prop
- -debuggerd_prop
- -debug_prop
- -dhcp_prop
- -dumpstate_prop
- -fingerprint_prop
- -logd_prop
- -net_radio_prop
- -nfc_prop
- -ota_prop
- -pan_result_prop
- -persist_debug_prop
- -powerctl_prop
- -radio_prop
- -restorecon_prop
- -shell_prop
- -system_prop
- -usb_prop
- -vold_prop
-}:file no_rw_file_perms;
-
-# sigstop property is only used for debugging; should only be set by su which is permissive
-# for userdebug/eng
-neverallow {
- domain
- -init
- -vendor_init
-} ctl_sigstop_prop:property_service set;
-
-# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
-# in the audit log
-dontaudit domain {
- ctl_bootanim_prop
- ctl_bugreport_prop
- ctl_console_prop
- ctl_default_prop
- ctl_dumpstate_prop
- ctl_fuse_prop
- ctl_mdnsd_prop
- ctl_rildaemon_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
-} init_svc_debug_prop:property_service set;
-
-neverallow {
- domain
- -init
- -dumpstate
- userdebug_or_eng(`-su')
-} init_svc_debug_prop:file no_rw_file_perms;
-
-compatible_property_only(`
-# Prevent properties from being set
- neverallow {
- domain
- -coredomain
- -appdomain
- -vendor_init
- } {
- core_property_type
- extended_core_property_type
- exported_config_prop
- exported_default_prop
- exported_dumpstate_prop
- exported_system_prop
- exported3_system_prop
- usb_control_prop
- -nfc_prop
- -powerctl_prop
- -radio_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_nfc_server
- } {
- nfc_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_telephony_server
- -vendor_init
- } {
- radio_control_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_telephony_server
- } {
- radio_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -bluetooth
- -hal_bluetooth_server
- } {
- bluetooth_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -bluetooth
- -hal_bluetooth_server
- -vendor_init
- } {
- exported_bluetooth_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -hal_camera_server
- -cameraserver
- -vendor_init
- } {
- exported_camera_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -hal_wifi_server
- -wificond
- } {
- wifi_prop
- }:property_service set;
-
- neverallow {
- domain
- -init
- -dumpstate
- -hal_wifi_server
- -wificond
- -vendor_init
- } {
- wifi_hal_prop
- }:property_service set;
-
-# Prevent properties from being read
- neverallow {
- domain
- -coredomain
- -appdomain
- -vendor_init
- } {
- core_property_type
- dalvik_config_prop
- extended_core_property_type
- exported3_system_prop
- systemsound_config_prop
- -debug_prop
- -logd_prop
- -nfc_prop
- -powerctl_prop
- -radio_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_nfc_server
- } {
- nfc_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_telephony_server
- } {
- radio_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -bluetooth
- -hal_bluetooth_server
- } {
- bluetooth_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -hal_wifi_server
- -wificond
- } {
- wifi_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -vendor_init
- } {
- suspend_prop
- }:property_service set;
-')
-
-compatible_property_only(`
- # Neverallow coredomain to set vendor properties
- neverallow {
- coredomain
- -init
- -system_writes_vendor_properties_violators
- } {
- property_type
- -system_property_type
- -extended_core_property_type
- }:property_service set;
-')
-
-neverallow {
- domain
- -coredomain
- -vendor_init
-} {
- ffs_config_prop
- ffs_control_prop
-}:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
- -system_server
-} {
- userspace_reboot_log_prop
-}:property_service set;
-
-neverallow {
- # Only allow init and system_server to set system_adbd_prop
- domain
- -init
- -system_server
-} {
- system_adbd_prop
-}:property_service set;
-
-# Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
-neverallow {
- domain
- -init
- -vendor_init
- -adbd
- -system_server
-} {
- adbd_config_prop
-}:property_service set;
-
-neverallow {
- # Only allow init and adbd to set adbd_prop
- domain
- -init
- -adbd
-} {
- adbd_prop
-}:property_service set;
-
-neverallow {
- # Only allow init and shell to set userspace_reboot_test_prop
- domain
- -init
- -shell
-} {
- userspace_reboot_test_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
- -system_server
- -vendor_init
-} {
- surfaceflinger_color_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
-} {
- libc_debug_prop
-}:property_service set;
-
-# Allow the shell to set MTE props, so that non-root users with adb shell
-# access can control the settings on their device.
-neverallow {
- domain
- -init
- -shell
-} {
- arm64_memtag_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
- -system_server
- -vendor_init
-} zram_control_prop:property_service set;
-
-neverallow {
- domain
- -init
- -system_server
- -vendor_init
-} dalvik_runtime_prop:property_service set;
-
-neverallow {
- domain
- -coredomain
- -vendor_init
-} {
- usb_config_prop
- usb_control_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
- -system_server
-} {
- provisioned_prop
- retaildemo_prop
-}:property_service set;
-
-neverallow {
- domain
- -coredomain
- -vendor_init
-} {
- provisioned_prop
- retaildemo_prop
-}:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
-} {
- init_service_status_private_prop
- init_service_status_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
- -radio
- -appdomain
- -hal_telephony_server
- not_compatible_property(`-vendor_init')
-} telephony_status_prop:property_service set;
-
-neverallow {
- domain
- -init
- -vendor_init
-} {
- graphics_config_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
- -surfaceflinger
-} {
- surfaceflinger_display_prop
-}:property_service set;
-
-neverallow {
- domain
- -coredomain
- -appdomain
- -vendor_init
-} packagemanager_config_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -coredomain
- -vendor_init
-} keyguard_config_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
-} {
- localization_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
- -vendor_init
- -dumpstate
- -system_app
-} oem_unlock_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -coredomain
- -vendor_init
-} storagemanager_config_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
- -vendor_init
- -dumpstate
- -appdomain
-} sendbug_config_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
- -vendor_init
- -dumpstate
- -appdomain
-} camera_calibration_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
- -dumpstate
- -hal_dumpstate_server
- not_compatible_property(`-vendor_init')
-} hal_dumpstate_config_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
- userdebug_or_eng(`-profcollectd')
- userdebug_or_eng(`-traced_probes')
- userdebug_or_eng(`-traced_perf')
-} {
- lower_kptr_restrict_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
-} zygote_wrap_prop:property_service set;
-
-neverallow {
- domain
- -init
-} verity_status_prop:property_service set;
-
-neverallow {
- domain
- -init
-} setupwizard_prop:property_service set;
-
-# ro.product.property_source_order is useless after initialization of ro.product.* props.
-# So making it accessible only from init and vendor_init.
-neverallow {
- domain
- -init
- -dumpstate
- -vendor_init
-} build_config_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
- -shell
-} sqlite_log_prop:property_service set;
-
-neverallow {
- domain
- -coredomain
- -appdomain
-} sqlite_log_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
-} default_prop:property_service set;
-
-# Only one of system_property_type and vendor_property_type can be assigned.
-# Property types having both attributes won't be accessible from anywhere.
-neverallow domain system_and_vendor_property_type:{file property_service} *;
-
-neverallow {
- # Only allow init and shell to set rollback_test_prop
- domain
- -init
- -shell
-} rollback_test_prop:property_service set;
-
-neverallow {
- # Only allow init and profcollectd to access profcollectd_node_id_prop
- domain
- -init
- -dumpstate
- -profcollectd
-} profcollectd_node_id_prop:file r_file_perms;
-
diff --git a/microdroid/sepolicy/system/private/racoon.te b/microdroid/sepolicy/system/private/racoon.te
deleted file mode 100644
index 42ea7c9..0000000
--- a/microdroid/sepolicy/system/private/racoon.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute racoon coredomain;
-
-init_daemon_domain(racoon)
diff --git a/microdroid/sepolicy/system/private/radio.te b/microdroid/sepolicy/system/private/radio.te
deleted file mode 100644
index 2758289..0000000
--- a/microdroid/sepolicy/system/private/radio.te
+++ /dev/null
@@ -1,35 +0,0 @@
-typeattribute radio coredomain, mlstrustedsubject;
-
-app_domain(radio)
-
-read_runtime_log_tags(radio)
-
-# Property service
-set_prop(radio, radio_control_prop)
-set_prop(radio, radio_prop)
-set_prop(radio, net_radio_prop)
-set_prop(radio, telephony_status_prop)
-
-# ctl interface
-set_prop(radio, ctl_rildaemon_prop)
-
-# Telephony code contains time / time zone detection logic so it reads the associated properties.
-get_prop(radio, time_prop)
-
-# allow telephony to access platform compat to log permission denials
-allow radio platform_compat_service:service_manager find;
-
-allow radio uce_service:service_manager find;
-
-# Manage /data/misc/emergencynumberdb
-allow radio emergency_data_file:dir r_dir_perms;
-allow radio emergency_data_file:file r_file_perms;
-
-# allow telephony to access related cache properties
-set_prop(radio, binder_cache_telephony_server_prop);
-neverallow { domain -radio -init }
- binder_cache_telephony_server_prop:property_service set;
-
-# allow sending pulled atoms to statsd
-binder_call(radio, statsd)
-
diff --git a/microdroid/sepolicy/system/private/recovery.te b/microdroid/sepolicy/system/private/recovery.te
deleted file mode 100644
index 00d7132..0000000
--- a/microdroid/sepolicy/system/private/recovery.te
+++ /dev/null
@@ -1,46 +0,0 @@
-typeattribute recovery coredomain;
-
-# The allow rules are only included in the recovery policy.
-# Otherwise recovery is only allowed the domain rules.
-recovery_only(`
- # Reboot the device
- set_prop(recovery, powerctl_prop)
-
- # Read serial number of the device from system properties
- get_prop(recovery, serialno_prop)
-
- # Set sys.usb.ffs.ready when starting minadbd for sideload.
- get_prop(recovery, ffs_config_prop)
- set_prop(recovery, ffs_control_prop)
-
- # Set sys.usb.config when switching into fastboot.
- set_prop(recovery, usb_control_prop)
- set_prop(recovery, usb_prop)
-
- # Read ro.boot.bootreason
- get_prop(recovery, bootloader_boot_reason_prop)
-
- # Read storage properties (for correctly formatting filesystems)
- get_prop(recovery, storage_config_prop)
-
- set_prop(recovery, gsid_prop)
-
- # These are needed to allow recovery to manage network
- allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read };
- allow recovery self:global_capability_class_set net_admin;
- allow recovery self:tcp_socket { create ioctl };
- allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };
-
- # Start snapuserd for merging VABC updates
- set_prop(recovery, ctl_snapuserd_prop)
-
- # Needed to communicate with snapuserd to complete merges.
- allow recovery snapuserd_socket:sock_file write;
- allow recovery snapuserd:unix_stream_socket connectto;
- allow recovery dm_user_device:dir r_dir_perms;
-
- # Set fastbootd protocol property
- set_prop(recovery, fastbootd_protocol_prop)
-
- get_prop(recovery, recovery_config_prop)
-')
diff --git a/microdroid/sepolicy/system/private/recovery_persist.te b/microdroid/sepolicy/system/private/recovery_persist.te
deleted file mode 100644
index 7cb2e67..0000000
--- a/microdroid/sepolicy/system/private/recovery_persist.te
+++ /dev/null
@@ -1,11 +0,0 @@
-typeattribute recovery_persist coredomain;
-
-init_daemon_domain(recovery_persist)
-
-# recovery_persist is not allowed to write anywhere other than recovery_data_file
-neverallow recovery_persist {
- file_type
- -recovery_data_file
- userdebug_or_eng(`-coredump_file')
- with_native_coverage(`-method_trace_data_file')
-}:file write;
diff --git a/microdroid/sepolicy/system/private/recovery_refresh.te b/microdroid/sepolicy/system/private/recovery_refresh.te
deleted file mode 100644
index 3c095cc..0000000
--- a/microdroid/sepolicy/system/private/recovery_refresh.te
+++ /dev/null
@@ -1,10 +0,0 @@
-typeattribute recovery_refresh coredomain;
-
-init_daemon_domain(recovery_refresh)
-
-# recovery_refresh is not allowed to write anywhere
-neverallow recovery_refresh {
- file_type
- userdebug_or_eng(`-coredump_file')
- with_native_coverage(`-method_trace_data_file')
-}:file write;
diff --git a/microdroid/sepolicy/system/private/remote_prov_app.te b/microdroid/sepolicy/system/private/remote_prov_app.te
deleted file mode 100644
index 010c9bc..0000000
--- a/microdroid/sepolicy/system/private/remote_prov_app.te
+++ /dev/null
@@ -1,13 +0,0 @@
-type remote_prov_app, domain;
-typeattribute remote_prov_app coredomain;
-
-app_domain(remote_prov_app)
-net_domain(remote_prov_app)
-
-# The app needs access to properly build a DeviceInfo package for the verifying server
-get_prop(remote_prov_app, vendor_security_patch_level_prop)
-
-allow remote_prov_app {
- app_api_service
- remoteprovisioning_service
-}:service_manager find;
diff --git a/microdroid/sepolicy/system/private/rs.te b/microdroid/sepolicy/system/private/rs.te
deleted file mode 100644
index bf10841..0000000
--- a/microdroid/sepolicy/system/private/rs.te
+++ /dev/null
@@ -1,39 +0,0 @@
-# Any files which would have been created as app_data_file
-# will be created as app_exec_data_file instead.
-allow rs app_data_file:dir ra_dir_perms;
-allow rs app_exec_data_file:file create_file_perms;
-type_transition rs app_data_file:file app_exec_data_file;
-
-# Follow /data/user/0 symlink
-allow rs system_data_file:lnk_file read;
-
-# Read files from the app home directory.
-allow rs app_data_file:file r_file_perms;
-allow rs app_data_file:dir r_dir_perms;
-
-# Cleanup app_exec_data_file files in the app home directory.
-allow rs app_data_file:dir remove_name;
-
-# Use vendor resources
-allow rs vendor_file:dir r_dir_perms;
-r_dir_file(rs, vendor_overlay_file)
-r_dir_file(rs, vendor_app_file)
-
-# Read contents of app apks
-r_dir_file(rs, apk_data_file)
-
-allow rs gpu_device:chr_file rw_file_perms;
-allow rs ion_device:chr_file r_file_perms;
-allow rs same_process_hal_file:file { r_file_perms execute };
-
-# File descriptors passed from app to renderscript
-allow rs { untrusted_app_all ephemeral_app }:fd use;
-
-# rs can access app data, so ensure it can only be entered via an app domain and cannot have
-# CAP_DAC_OVERRIDE.
-neverallow rs rs:capability_class_set *;
-neverallow { domain -appdomain } rs:process { dyntransition transition };
-neverallow rs { domain -crash_dump }:process { dyntransition transition };
-neverallow rs app_data_file:file_class_set ~r_file_perms;
-# rs should never use network sockets
-neverallow rs *:network_socket_class_set *;
diff --git a/microdroid/sepolicy/system/private/rss_hwm_reset.te b/microdroid/sepolicy/system/private/rss_hwm_reset.te
deleted file mode 100644
index 30818c2..0000000
--- a/microdroid/sepolicy/system/private/rss_hwm_reset.te
+++ /dev/null
@@ -1,14 +0,0 @@
-type rss_hwm_reset_exec, system_file_type, exec_type, file_type;
-
-# Start rss_hwm_reset from init.
-init_daemon_domain(rss_hwm_reset)
-
-# Search /proc/pid directories.
-allow rss_hwm_reset domain:dir search;
-
-# Write to /proc/pid/clear_refs of other processes.
-# /proc/pid/clear_refs is S_IWUSER, see: fs/proc/base.c
-allow rss_hwm_reset self:global_capability_class_set { dac_override };
-
-# Write to /prc/pid/clear_refs.
-allow rss_hwm_reset domain:file w_file_perms;
diff --git a/microdroid/sepolicy/system/private/runas.te b/microdroid/sepolicy/system/private/runas.te
deleted file mode 100644
index ef31aac..0000000
--- a/microdroid/sepolicy/system/private/runas.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute runas coredomain;
-
-# ndk-gdb invokes adb shell run-as.
-domain_auto_trans(shell, runas_exec, runas)
diff --git a/microdroid/sepolicy/system/private/runas_app.te b/microdroid/sepolicy/system/private/runas_app.te
deleted file mode 100644
index c1b354a..0000000
--- a/microdroid/sepolicy/system/private/runas_app.te
+++ /dev/null
@@ -1,32 +0,0 @@
-typeattribute runas_app coredomain;
-
-app_domain(runas_app)
-untrusted_app_domain(runas_app)
-net_domain(runas_app)
-bluetooth_domain(runas_app)
-
-# The ability to call exec() on files in the apps home directories
-# when using run-as on a debuggable app. Used to run lldb/ndk-gdb/simpleperf,
-# which are copied to the apps home directories.
-allow runas_app app_data_file:file execute_no_trans;
-
-# Allow lldb/ndk-gdb/simpleperf to read maps of debuggable app processes.
-r_dir_file(runas_app, untrusted_app_all)
-
-# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
-allow runas_app untrusted_app_all:process { ptrace signal sigstop };
-allow runas_app untrusted_app_all:unix_stream_socket connectto;
-
-# Allow executing system image simpleperf without a domain transition.
-allow runas_app simpleperf_exec:file rx_file_perms;
-
-# Suppress denial logspam when simpleperf is trying to find a matching process
-# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
-# the same domain as their respective process, most of which this domain is not
-# allowed to see.
-dontaudit runas_app domain:dir search;
-
-# Allow runas_app to call perf_event_open for profiling debuggable app
-# processes, but not the whole system.
-allow runas_app self:perf_event { open read write kernel };
-neverallow runas_app self:perf_event ~{ open read write kernel };
diff --git a/microdroid/sepolicy/system/private/sdcardd.te b/microdroid/sepolicy/system/private/sdcardd.te
deleted file mode 100644
index 126d643..0000000
--- a/microdroid/sepolicy/system/private/sdcardd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute sdcardd coredomain;
-
-type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/microdroid/sepolicy/system/private/secure_element.te b/microdroid/sepolicy/system/private/secure_element.te
deleted file mode 100644
index 57f512b..0000000
--- a/microdroid/sepolicy/system/private/secure_element.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# secure element subsystem
-typeattribute secure_element coredomain;
-app_domain(secure_element)
-
-binder_service(secure_element)
-add_service(secure_element, secure_element_service)
-
-allow secure_element app_api_service:service_manager find;
-hal_client_domain(secure_element, hal_secure_element)
-
-# already open bugreport file descriptors may be shared with
-# the secure element process, from a file in
-# /data/data/com.android.shell/files/bugreports/bugreport-*.
-allow secure_element shell_data_file:file read;
diff --git a/microdroid/sepolicy/system/private/service.te b/microdroid/sepolicy/system/private/service.te
deleted file mode 100644
index 7f692f3..0000000
--- a/microdroid/sepolicy/system/private/service.te
+++ /dev/null
@@ -1,12 +0,0 @@
-type attention_service, system_server_service, service_manager_type;
-type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
-type gsi_service, service_manager_type;
-type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
-type mediatuner_service, app_api_service, service_manager_type;
-type profcollectd_service, service_manager_type;
-type resolver_service, system_server_service, service_manager_type;
-type stats_service, service_manager_type;
-type statscompanion_service, system_server_service, service_manager_type;
-type statsmanager_service, system_api_service, system_server_service, service_manager_type;
-type tracingproxy_service, system_server_service, service_manager_type;
-type uce_service, service_manager_type;
diff --git a/microdroid/sepolicy/system/private/service_contexts b/microdroid/sepolicy/system/private/service_contexts
index 150c89a..5857a0f 100644
--- a/microdroid/sepolicy/system/private/service_contexts
+++ b/microdroid/sepolicy/system/private/service_contexts
@@ -12,6 +12,7 @@
android.security.keystore u:object_r:keystore_service:s0
android.security.legacykeystore u:object_r:legacykeystore_service:s0
android.security.maintenance u:object_r:keystore_maintenance_service:s0
+android.security.metrics u:object_r:keystore_metrics_service:s0
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
apexservice u:object_r:apex_service:s0
* u:object_r:default_android_service:s0
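Review bot: The added entry labels android.security.metrics with `keystore_metrics_service`, a type that is not declared anywhere visible in this chunk, while the microdroid service.te that declared this policy's other service types is deleted in the same commit. checkfc validates service_contexts against the compiled policy, so the type has to be declared in a .te file that survives the commit (presumably the public service.te, which is outside this chunk); a one-line comment next to the entry naming where it is declared would make that dependency visible to the next person trimming this policy.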
diff --git a/microdroid/sepolicy/system/private/servicemanager.te b/microdroid/sepolicy/system/private/servicemanager.te
index 6294452..8ff964f 100644
--- a/microdroid/sepolicy/system/private/servicemanager.te
+++ b/microdroid/sepolicy/system/private/servicemanager.te
@@ -2,6 +2,22 @@
init_daemon_domain(servicemanager)
-read_runtime_log_tags(servicemanager)
+selinux_check_access(servicemanager)
-set_prop(servicemanager, ctl_interface_start_prop)
+# Note that we do not use the binder_* macros here.
+# servicemanager is unique in that it only provides
+# name service (aka context manager) for Binder.
+# As such, it only ever receives and transfers other references
+# created by other domains. It never passes its own references
+# or initiates a Binder IPC.
+allow servicemanager self:binder set_context_mgr;
+allow servicemanager {
+ domain
+ -init
+ -vendor_init
+ -hwservicemanager
+}:binder transfer;
+
+allow servicemanager service_contexts_file:file r_file_perms;
+
+allow servicemanager vendor_service_contexts_file:file r_file_perms;
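Review bot: The exclusion list in `allow servicemanager { domain -init -vendor_init -hwservicemanager }:binder transfer;` is carried over from the platform policy into a policy this commit is minimizing; each negated name must still be a declared type for the build to succeed, and if vendor_init and hwservicemanager do not run in microdroid the negations are dead weight that misdescribe what the VM actually hosts. The same question applies to `allow servicemanager vendor_service_contexts_file:file r_file_perms;` on the last line, which only matters if a vendor service_contexts is installed in the image. The two contexts-file reads would also benefit from a why-comment, e.g. `# Service label tables consulted for the per-service access checks enabled by selinux_check_access above`.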
diff --git a/microdroid/sepolicy/system/private/sgdisk.te b/microdroid/sepolicy/system/private/sgdisk.te
deleted file mode 100644
index a17342e..0000000
--- a/microdroid/sepolicy/system/private/sgdisk.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute sgdisk coredomain;
diff --git a/microdroid/sepolicy/system/private/shared_relro.te b/microdroid/sepolicy/system/private/shared_relro.te
deleted file mode 100644
index 31fdb8c..0000000
--- a/microdroid/sepolicy/system/private/shared_relro.te
+++ /dev/null
@@ -1,15 +0,0 @@
-typeattribute shared_relro coredomain;
-
-# The shared relro process is a Java program forked from the zygote, so it
-# inherits from app to get basic permissions it needs to run.
-app_domain(shared_relro)
-
-allow shared_relro shared_relro_file:dir rw_dir_perms;
-allow shared_relro shared_relro_file:file create_file_perms;
-
-allow shared_relro activity_service:service_manager find;
-allow shared_relro webviewupdate_service:service_manager find;
-allow shared_relro package_service:service_manager find;
-
-# StrictMode may attempt to find this service, failure is harmless.
-dontaudit shared_relro network_management_service:service_manager find;
diff --git a/microdroid/sepolicy/system/private/shell.te b/microdroid/sepolicy/system/private/shell.te
index 03490b0..fc51ad8 100644
--- a/microdroid/sepolicy/system/private/shell.te
+++ b/microdroid/sepolicy/system/private/shell.te
@@ -3,202 +3,29 @@
# allow shell input injection
allow shell uhid_device:chr_file rw_file_perms;
-# systrace support - allow atrace to run
-allow shell debugfs_tracing_debug:dir r_dir_perms;
-allow shell debugfs_tracing:dir r_dir_perms;
-allow shell debugfs_tracing:file rw_file_perms;
-allow shell debugfs_trace_marker:file getattr;
-allow shell atrace_exec:file rx_file_perms;
-
-userdebug_or_eng(`
- allow shell debugfs_tracing_debug:file rw_file_perms;
-')
-
-# read config.gz for CTS purposes
-allow shell config_gz:file r_file_perms;
-
-# Run app_process.
-# XXX Transition into its own domain?
-app_domain(shell)
-
-# allow shell to call dumpsys storaged
-binder_call(shell, storaged)
-
# Perform SELinux access checks, needed for CTS
selinux_check_access(shell)
selinux_check_context(shell)
-# Control Perfetto traced and obtain traces from it.
-# Needed for Studio and debugging.
-unix_socket_connect(shell, traced_consumer, traced)
-
-# Allow shell binaries to write trace data to Perfetto. Used for testing and
-# cmdline utils.
-perfetto_producer(shell)
-
-domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
-
-# Allow shell binaries to exec the perfetto cmdline util and have that
-# transition into its own domain, so that it behaves consistently to
-# when exec()-d by statsd.
-domain_auto_trans(shell, perfetto_exec, perfetto)
-# Allow to send SIGINT to perfetto when daemonized.
-allow shell perfetto:process signal;
-
# Allow shell to run adb shell cmd stats commands. Needed for CTS.
binder_call(shell, statsd);
-# Allow shell to read and unlink traces stored in /data/misc/a11ytraces.
-userdebug_or_eng(`
- allow shell accessibility_trace_data_file:dir rw_dir_perms;
- allow shell accessibility_trace_data_file:file { r_file_perms unlink };
-')
-
-# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
-allow shell perfetto_traces_data_file:dir rw_dir_perms;
-allow shell perfetto_traces_data_file:file { r_file_perms unlink };
-# ... and /data/misc/perfetto-traces/bugreport/ .
-allow shell perfetto_traces_bugreport_data_file:dir rw_dir_perms;
-allow shell perfetto_traces_bugreport_data_file:file { r_file_perms unlink };
-
-# Allow shell to create/remove configs stored in /data/misc/perfetto-configs.
-allow shell perfetto_configs_data_file:dir rw_dir_perms;
-allow shell perfetto_configs_data_file:file create_file_perms;
-
-# Allow shell to run adb shell cmd gpu commands.
-binder_call(shell, gpuservice);
-
-# Allow shell to use atrace HAL
-hal_client_domain(shell, hal_atrace)
-
-# For hostside tests such as CTS listening ports test.
-allow shell proc_net_tcp_udp:file r_file_perms;
-
-# The dl.exec_linker* tests need to execute /system/bin/linker
-# b/124789393
-allow shell system_linker_exec:file rx_file_perms;
-
-# Renderscript host side tests depend on being able to execute
-# /system/bin/bcc (b/126388046)
-allow shell rs_exec:file rx_file_perms;
-
-# Allow (host-driven) ART run-tests to execute dex2oat, in order to
-# check ART's compiler.
-allow shell dex2oat_exec:file rx_file_perms;
-
-# Allow shell to start and comminicate with lpdumpd.
-set_prop(shell, lpdumpd_prop);
-binder_call(shell, lpdumpd)
-
-# Allow shell to set and read value of properties used for CTS tests of
-# userspace reboot
-set_prop(shell, userspace_reboot_test_prop)
-
-# Allow shell to set this property used for rollback tests
-set_prop(shell, rollback_test_prop)
-
-# Allow shell to get encryption policy of /data/local/tmp/, for CTS
-allowxperm shell shell_data_file:dir ioctl {
- FS_IOC_GET_ENCRYPTION_POLICY
- FS_IOC_GET_ENCRYPTION_POLICY_EX
-};
-
-# Allow shell to execute simpleperf without a domain transition.
-allow shell simpleperf_exec:file rx_file_perms;
-
-# Allow shell to execute profcollectctl without a domain transition.
-allow shell profcollectd_exec:file rx_file_perms;
-
-# Allow shell to call perf_event_open for profiling other shell processes, but
-# not the whole system.
-allow shell self:perf_event { open read write kernel };
-neverallow shell self:perf_event ~{ open read write kernel };
-
-# Set properties.
-set_prop(shell, shell_prop)
-set_prop(shell, ctl_bugreport_prop)
-set_prop(shell, ctl_dumpstate_prop)
-set_prop(shell, dumpstate_prop)
-set_prop(shell, exported_dumpstate_prop)
-set_prop(shell, debug_prop)
-set_prop(shell, perf_drop_caches_prop)
-set_prop(shell, powerctl_prop)
-set_prop(shell, log_tag_prop)
-set_prop(shell, wifi_log_prop)
-# Allow shell to start/stop traced via the persist.traced.enable
-# property (which also takes care of /data/misc initialization).
-set_prop(shell, traced_enabled_prop)
-# adjust is_loggable properties
-userdebug_or_eng(`set_prop(shell, log_prop)')
-# logpersist script
-userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
-# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
-# property.
-set_prop(shell, heapprofd_enabled_prop)
-# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
-# property.
-set_prop(shell, traced_perf_enabled_prop)
-# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
-set_prop(shell, ctl_gsid_prop)
-set_prop(shell, ctl_snapuserd_prop)
-# Allow shell to enable Dynamic System Update
-set_prop(shell, dynamic_system_prop)
-# Allow shell to mock an OTA using persist.pm.mock-upgrade
-set_prop(shell, mock_ota_prop)
-
-# Read device's serial number from system properties
-get_prop(shell, serialno_prop)
-
-# Allow shell to read the vendor security patch level for CTS
-get_prop(shell, vendor_security_patch_level_prop)
-
-# Read state of logging-related properties
-get_prop(shell, device_logging_prop)
-
-# Read state of boot reason properties
-get_prop(shell, bootloader_boot_reason_prop)
-get_prop(shell, last_boot_reason_prop)
-get_prop(shell, system_boot_reason_prop)
-
-# Allow reading the outcome of perf_event_open LSM support test for CTS.
-get_prop(shell, init_perf_lsm_hooks_prop)
-
-# Allow shell to read boot image timestamps and fingerprints.
-get_prop(shell, build_bootimage_prop)
-
-userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
-
-# Allow to issue control commands to profcollectd binder service.
-userdebug_or_eng(`
- allow shell profcollectd:binder call;
-')
-
-# Allow shell to read the keystore key contexts files. Used by native tests to test label lookup.
-allow shell keystore2_key_contexts_file:file r_file_perms;
-
-# Allow shell to access the keystore2_key namespace shell_key. Mainly used for native tests.
-allow shell shell_key:keystore2_key { delete rebind use get_info update };
-
-# Allow shell to write db.log.detailed, db.log.slow_query_threshold*
-set_prop(shell, sqlite_log_prop)
-
-# Allow shell to write MTE properties even on user builds.
-set_prop(shell, arm64_memtag_prop)
-
-# Allow shell to read the dm-verity props on user builds.
-get_prop(shell, verity_status_prop)
-
-# Allow shell to read Virtual A/B related properties
-get_prop(shell, virtual_ab_prop)
-
# Allow shell to launch microdroid_launcher in its own domain
# TODO(b/186396070) remove this when microdroid_manager can do this
domain_auto_trans(shell, microdroid_app_exec, microdroid_app)
domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)
-# Never allow others to set or get the perf.drop_caches property.
-neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
-neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow shell adbd:unix_stream_socket connectto;
+allow shell adbd:fd use;
+allow shell adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-# Allow ReadDefaultFstab() for CTS.
-read_fstab(shell)
+# filesystem test for insecure chr_file's is done
+# via a host side test
+allow shell dev_type:dir r_dir_perms;
+allow shell dev_type:chr_file getattr;
+
+# filesystem test for insucre blk_file's is done
+# via hostside test
+allow shell dev_type:blk_file getattr;
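Review bot: The three dev_type rules closing the hunk give shell directory listing of every device-node directory and getattr on every chr_file and blk_file, justified only by a host-side CTS filesystem test; in a policy being trimmed to what microdroid needs, it is worth confirming that test is actually run against the VM before keeping rules this broad, and otherwise dropping them. The comment `# filesystem test for insucre blk_file's is done` misspells "insecure", and since both comment blocks describe the same test they could be merged into one, e.g. `# Host-side CTS test for insecure chr_file/blk_file permissions stats every device node`.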
diff --git a/microdroid/sepolicy/system/private/simpleperf.te b/microdroid/sepolicy/system/private/simpleperf.te
deleted file mode 100644
index 0639c11..0000000
--- a/microdroid/sepolicy/system/private/simpleperf.te
+++ /dev/null
@@ -1,37 +0,0 @@
-# Domain used when running /system/bin/simpleperf to profile a specific app.
-# Entered either by the app itself exec-ing the binary, or through
-# simpleperf_app_runner (with shell as its origin). Certain other domains
-# (runas_app, shell) can also exec this binary without a domain transition.
-typeattribute simpleperf coredomain;
-type simpleperf_exec, system_file_type, exec_type, file_type;
-
-domain_auto_trans({ untrusted_app_all -runas_app }, simpleperf_exec, simpleperf)
-
-# When running in this domain, simpleperf is scoped to profiling an individual
-# app. The necessary MAC permissions for profiling are more maintainable and
-# consistent if simpleperf is marked as an app domain as well (as, for example,
-# it will then see the same set of system libraries as the app).
-app_domain(simpleperf)
-untrusted_app_domain(simpleperf)
-
-# Allow ptrace attach to the target app, for reading JIT debug info (using
-# process_vm_readv) during unwinding and symbolization.
-allow simpleperf untrusted_app_all:process ptrace;
-
-# Allow using perf_event_open syscall for profiling the target app.
-allow simpleperf self:perf_event { open read write kernel };
-
-# Allow /proc/<pid> access for the target app (for example, when trying to
-# discover it by cmdline).
-r_dir_file(simpleperf, untrusted_app_all)
-
-# Suppress denial logspam when simpleperf is trying to find a matching process
-# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
-# the same domain as their respective processes, most of which this domain is
-# not allowed to see.
-dontaudit simpleperf domain:dir search;
-
-# Neverallows:
-
-# Profiling must be confined to the scope of an individual app.
-neverallow simpleperf self:perf_event ~{ open read write kernel };
diff --git a/microdroid/sepolicy/system/private/simpleperf_app_runner.te b/microdroid/sepolicy/system/private/simpleperf_app_runner.te
deleted file mode 100644
index 8501826..0000000
--- a/microdroid/sepolicy/system/private/simpleperf_app_runner.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute simpleperf_app_runner coredomain;
-
-domain_auto_trans(shell, simpleperf_app_runner_exec, simpleperf_app_runner)
diff --git a/microdroid/sepolicy/system/private/slideshow.te b/microdroid/sepolicy/system/private/slideshow.te
deleted file mode 100644
index 7dfa994..0000000
--- a/microdroid/sepolicy/system/private/slideshow.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute slideshow coredomain;
diff --git a/microdroid/sepolicy/system/private/snapshotctl.te b/microdroid/sepolicy/system/private/snapshotctl.te
deleted file mode 100644
index fb2bbca..0000000
--- a/microdroid/sepolicy/system/private/snapshotctl.te
+++ /dev/null
@@ -1,45 +0,0 @@
-type snapshotctl, domain, coredomain;
-type snapshotctl_exec, system_file_type, exec_type, file_type;
-
-# Allow init to run snapshotctl and do auto domain transfer.
-init_daemon_domain(snapshotctl);
-
-# Allow to start gsid service.
-set_prop(snapshotctl, ctl_gsid_prop)
-
-# Allow to talk to gsid.
-binder_use(snapshotctl)
-allow snapshotctl gsi_service:service_manager find;
-binder_call(snapshotctl, gsid)
-
-# Allow to create/read/write/delete OTA metadata files for snapshot status and COW file status.
-allow snapshotctl metadata_file:dir search;
-allow snapshotctl ota_metadata_file:dir rw_dir_perms;
-allow snapshotctl ota_metadata_file:file create_file_perms;
-
-# Allow to get A/B slot suffix from device tree or kernel cmdline.
-r_dir_file(snapshotctl, sysfs_dt_firmware_android);
-allow snapshotctl proc_cmdline:file r_file_perms;
-
-# Needed to (re-)map logical partitions.
-allow snapshotctl block_device:dir r_dir_perms;
-allow snapshotctl super_block_device:blk_file r_file_perms;
-
-# Interact with device-mapper to collapse snapshots.
-allow snapshotctl dm_device:chr_file rw_file_perms;
-
-# Needed to mutate device-mapper nodes.
-allow snapshotctl self:global_capability_class_set sys_admin;
-
-# Snapshotctl talk to boot control HAL to set merge status.
-hwbinder_use(snapshotctl)
-hal_client_domain(snapshotctl, hal_bootctl)
-
-# Allow snapshotctl to write to statsd socket.
-unix_socket_send(snapshotctl, statsdw, statsd)
-
-# Logging
-userdebug_or_eng(`
- allow snapshotctl snapshotctl_log_data_file:dir rw_dir_perms;
- allow snapshotctl snapshotctl_log_data_file:file create_file_perms;
-')
diff --git a/microdroid/sepolicy/system/private/snapuserd.te b/microdroid/sepolicy/system/private/snapuserd.te
deleted file mode 100644
index d96b31e..0000000
--- a/microdroid/sepolicy/system/private/snapuserd.te
+++ /dev/null
@@ -1,26 +0,0 @@
-# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
-type snapuserd, domain;
-type snapuserd_exec, exec_type, file_type, system_file_type;
-
-typeattribute snapuserd coredomain;
-
-init_daemon_domain(snapuserd)
-
-allow snapuserd kmsg_device:chr_file rw_file_perms;
-
-# Reading and writing to /dev/block/dm-* (device-mapper) nodes.
-allow snapuserd block_device:dir r_dir_perms;
-allow snapuserd dm_device:chr_file rw_file_perms;
-allow snapuserd dm_device:blk_file rw_file_perms;
-
-# Reading and writing to dm-user control nodes.
-allow snapuserd dm_user_device:dir r_dir_perms;
-allow snapuserd dm_user_device:chr_file rw_file_perms;
-
-# Reading and writing to /dev/socket/snapuserd.
-allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
-
-# This arises due to first-stage init opening /dev/null without F_CLOEXEC
-# (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
-# again, the descriptor leaks into the new process.
-allow snapuserd kernel:fd use;
diff --git a/microdroid/sepolicy/system/private/stats.te b/microdroid/sepolicy/system/private/stats.te
deleted file mode 100644
index db29072..0000000
--- a/microdroid/sepolicy/system/private/stats.te
+++ /dev/null
@@ -1,57 +0,0 @@
-type stats, domain;
-typeattribute stats coredomain;
-type stats_exec, system_file_type, exec_type, file_type;
-
-# switch to stats domain for stats command
-domain_auto_trans(shell, stats_exec, stats)
-
-# allow stats access to stdout from its parent shell.
-allow stats shell:fd use;
-
-# allow stats to communicate use, read and write over the adb
-# connection.
-allow stats adbd:fd use;
-allow stats adbd:unix_stream_socket { read write };
-
-# allow adbd to reap stats
-allow stats adbd:process { sigchld };
-
-# Allow the stats command to talk to the statsd over the binder, and get
-# back the stats report data from a ParcelFileDescriptor.
-binder_use(stats)
-allow stats stats_service:service_manager find;
-binder_call(stats, statsd)
-allow stats statsd:fifo_file write;
-
-# Only statsd can publish the binder service.
-add_service(statsd, stats_service)
-
-# Allow pipes from (and only from) stats.
-allow statsd stats:fd use;
-allow statsd stats:fifo_file write;
-
-# Allow statsd to call back to stats with status updates.
-binder_call(statsd, stats)
-
-###
-### neverallow rules
-###
-
-neverallow {
- domain
- -dumpstate
- -gmscore_app
- -gpuservice
- -incidentd
- -keystore
- -mediametrics
- -platform_app
- -priv_app
- -shell
- -stats
- -statsd
- -surfaceflinger
- -system_app
- -system_server
- -traceur_app
-} stats_service:service_manager find;
diff --git a/microdroid/sepolicy/system/private/statsd.te b/microdroid/sepolicy/system/private/statsd.te
index 444d82e..437f505 100644
--- a/microdroid/sepolicy/system/private/statsd.te
+++ b/microdroid/sepolicy/system/private/statsd.te
@@ -1,27 +1,3 @@
typeattribute statsd coredomain;
init_daemon_domain(statsd)
-
-# Allow to exec the perfetto cmdline client and pass it the trace config on
-# stdint through a pipe. It allows statsd to capture traces and hand them
-# to Android dropbox.
-allow statsd perfetto_exec:file rx_file_perms;
-domain_auto_trans(statsd, perfetto_exec, perfetto)
-
-# Grant statsd with permissions to register the services.
-allow statsd {
- statscompanion_service
-}:service_manager find;
-
-# Allow incidentd to obtain the statsd incident section.
-allow statsd incidentd:fifo_file write;
-
-# Allow StatsCompanionService to pipe data to statsd.
-allow statsd system_server:fifo_file { read getattr };
-
-# Allow statsd to retrieve SF statistics over binder
-binder_call(statsd, surfaceflinger);
-
-# Allow statsd to read its system properties
-get_prop(statsd, device_config_statsd_native_prop)
-get_prop(statsd, device_config_statsd_native_boot_prop)
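Review bot: The statsd domain survives with only `typeattribute statsd coredomain;` and `init_daemon_domain(statsd)`, which lets init exec it but grants nothing a running statsd needs (binder, the device_config_statsd_native_prop reads dropped here), so either statsd is not actually started in microdroid and the residual domain plus its statsd_exec labeling is dead policy that could go with the other deleted daemons, or it is started and will fail with denials at runtime. The commit message says the policy was iterated by booting, which suggests the former, but nothing in the file says so. A one-line comment would make the intent explicit, e.g. `# statsd_exec is still labeled in file_contexts; the daemon itself is not started in microdroid, so no runtime rules are granted.` Keeping unused init_daemon_domain() transitions around also makes it harder to reason about what can run as a coredomain in the VM.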
diff --git a/microdroid/sepolicy/system/private/storaged.te b/microdroid/sepolicy/system/private/storaged.te
deleted file mode 100644
index bb39e5b..0000000
--- a/microdroid/sepolicy/system/private/storaged.te
+++ /dev/null
@@ -1,69 +0,0 @@
-# storaged daemon
-type storaged, domain, coredomain, mlstrustedsubject;
-type storaged_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(storaged)
-
-# Read access to pseudo filesystems
-r_dir_file(storaged, domain)
-
-# Read /proc/uid_io/stats
-allow storaged proc_uid_io_stats:file r_file_perms;
-
-# Read /data/system/packages.list
-allow storaged system_data_file:file r_file_perms;
-allow storaged packages_list_file:file r_file_perms;
-
-# Store storaged proto file
-allow storaged storaged_data_file:dir rw_dir_perms;
-allow storaged storaged_data_file:file create_file_perms;
-
-no_debugfs_restriction(`
- userdebug_or_eng(`
- # Read access to debugfs
- allow storaged debugfs_mmc:dir search;
- allow storaged debugfs_mmc:file r_file_perms;
- ')
-')
-
-# Needed to provide debug dump output via dumpsys pipes.
-allow storaged shell:fd use;
-allow storaged shell:fifo_file write;
-
-# Needed for GMScore to call dumpsys storaged
-allow storaged priv_app:fd use;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-# Remove after no logs are seen for this rule.
-userdebug_or_eng(`
- auditallow storaged priv_app:fd use;
-')
-allow storaged gmscore_app:fd use;
-allow storaged { privapp_data_file app_data_file }:file write;
-allow storaged permission_service:service_manager find;
-
-# Binder permissions
-add_service(storaged, storaged_service)
-
-binder_use(storaged)
-binder_call(storaged, system_server)
-
-hal_client_domain(storaged, hal_health)
-
-# Implements a dumpsys interface.
-allow storaged dumpstate:fd use;
-
-# use a subset of the package manager service
-allow storaged package_native_service:service_manager find;
-
-# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
-# running as root. See b/35323867 #3.
-dontaudit storaged self:global_capability_class_set { dac_override dac_read_search };
-
-# For collecting bugreports.
-allow storaged dumpstate:fifo_file write;
-
-###
-### neverallow
-###
-neverallow storaged domain:process ptrace;
-neverallow storaged self:capability_class_set *;
diff --git a/microdroid/sepolicy/system/private/su.te b/microdroid/sepolicy/system/private/su.te
index 587f449..55b7308 100644
--- a/microdroid/sepolicy/system/private/su.te
+++ b/microdroid/sepolicy/system/private/su.te
@@ -2,28 +2,10 @@
typeattribute su coredomain;
domain_auto_trans(shell, su_exec, su)
- # Allow dumpstate to call su on userdebug / eng builds to collect
- # additional information.
- domain_auto_trans(dumpstate, su_exec, su)
-
- # Make sure that dumpstate runs the same from the "su" domain as
- # from the "init" domain.
- domain_auto_trans(su, dumpstate_exec, dumpstate)
-
- # Put the incident command into its domain so it is the same on user, userdebug and eng.
- domain_auto_trans(su, incident_exec, incident)
-
- # Put the odrefresh command into its domain.
- domain_auto_trans(su, odrefresh_exec, odrefresh)
-
- # Put the perfetto command into its domain so it is the same on user, userdebug and eng.
- domain_auto_trans(su, perfetto_exec, perfetto)
# su is also permissive to permit setenforce.
permissive su;
- app_domain(su)
-
# Do not audit accesses to keystore2 namespace for the su domain.
dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
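Review bot: `permissive su;` is retained alongside `domain_auto_trans(shell, su_exec, su)`, so anything that reaches the shell domain in microdroid can transition into a domain the kernel will not confine at all; this is only acceptable if the whole block stays inside the `userdebug_or_eng(` wrapper, which, judging by the indentation and the hunk starting at line 2, lives on line 1 outside this hunk, so please confirm it still encloses the trimmed body and that the closing `')` is intact. Dropping `app_domain(su)` is fine for a VM with no apps, but it is worth a comment so the next trimming pass does not reintroduce it, e.g. `# No app_domain(su): microdroid has no zygote or app domains.` The `dontaudit su keystore2_key_type` line is also a leftover from the phone policy if keystore2 is not part of the VM image; the note on line 1 could say which debug daemons are expected to exist.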
diff --git a/microdroid/sepolicy/system/private/surfaceflinger.te b/microdroid/sepolicy/system/private/surfaceflinger.te
deleted file mode 100644
index 7a92bd4..0000000
--- a/microdroid/sepolicy/system/private/surfaceflinger.te
+++ /dev/null
@@ -1,148 +0,0 @@
-# surfaceflinger - display compositor service
-
-typeattribute surfaceflinger coredomain;
-
-type surfaceflinger_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(surfaceflinger)
-tmpfs_domain(surfaceflinger)
-
-typeattribute surfaceflinger mlstrustedsubject;
-typeattribute surfaceflinger display_service_server;
-
-read_runtime_log_tags(surfaceflinger)
-
-# Perform HwBinder IPC.
-hal_client_domain(surfaceflinger, hal_graphics_allocator)
-hal_client_domain(surfaceflinger, hal_graphics_composer)
-typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
-hal_client_domain(surfaceflinger, hal_codec2)
-hal_client_domain(surfaceflinger, hal_omx)
-hal_client_domain(surfaceflinger, hal_configstore)
-hal_client_domain(surfaceflinger, hal_power)
-hal_client_domain(surfaceflinger, hal_bufferhub)
-allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
-
-# Perform Binder IPC.
-binder_use(surfaceflinger)
-binder_call(surfaceflinger, binderservicedomain)
-binder_call(surfaceflinger, appdomain)
-binder_call(surfaceflinger, bootanim)
-binder_call(surfaceflinger, system_server);
-binder_service(surfaceflinger)
-
-# Binder IPC to bu, presently runs in adbd domain.
-binder_call(surfaceflinger, adbd)
-
-# Read /proc/pid files for Binder clients.
-r_dir_file(surfaceflinger, binderservicedomain)
-r_dir_file(surfaceflinger, appdomain)
-
-# Access the GPU.
-allow surfaceflinger gpu_device:chr_file rw_file_perms;
-
-# Access /dev/graphics/fb0.
-allow surfaceflinger graphics_device:dir search;
-allow surfaceflinger graphics_device:chr_file rw_file_perms;
-
-# Access /dev/video1.
-allow surfaceflinger video_device:dir r_dir_perms;
-allow surfaceflinger video_device:chr_file rw_file_perms;
-
-# Create and use netlink kobject uevent sockets.
-allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Set properties.
-set_prop(surfaceflinger, system_prop)
-set_prop(surfaceflinger, bootanim_system_prop)
-set_prop(surfaceflinger, exported_system_prop)
-set_prop(surfaceflinger, exported3_system_prop)
-set_prop(surfaceflinger, ctl_bootanim_prop)
-set_prop(surfaceflinger, surfaceflinger_display_prop)
-
-# Get properties.
-get_prop(surfaceflinger, qemu_sf_lcd_density_prop)
-
-# Use open files supplied by an app.
-allow surfaceflinger appdomain:fd use;
-allow surfaceflinger { app_data_file privapp_data_file }:file { read write };
-
-# Allow writing surface traces to /data/misc/wmtrace.
-userdebug_or_eng(`
- allow surfaceflinger wm_trace_data_file:dir rw_dir_perms;
- allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
-')
-
-# Needed to register as a Perfetto producer.
-perfetto_producer(surfaceflinger)
-
-# Use socket supplied by adbd, for cmd gpu vkjson etc.
-allow surfaceflinger adbd:unix_stream_socket { read write getattr };
-
-# Allow a dumpstate triggered screenshot
-binder_call(surfaceflinger, dumpstate)
-binder_call(surfaceflinger, shell)
-r_dir_file(surfaceflinger, dumpstate)
-
-# media.player service
-
-# do not use add_service() as hal_graphics_composer_default may be the
-# provider as well
-#add_service(surfaceflinger, surfaceflinger_service)
-allow surfaceflinger surfaceflinger_service:service_manager { add find };
-
-add_service(surfaceflinger, vrflinger_vsync_service)
-
-allow surfaceflinger mediaserver_service:service_manager find;
-allow surfaceflinger permission_service:service_manager find;
-allow surfaceflinger power_service:service_manager find;
-allow surfaceflinger vr_manager_service:service_manager find;
-allow surfaceflinger window_service:service_manager find;
-allow surfaceflinger inputflinger_service:service_manager find;
-
-
-# allow self to set SCHED_FIFO
-allow surfaceflinger self:global_capability_class_set sys_nice;
-allow surfaceflinger proc_meminfo:file r_file_perms;
-r_dir_file(surfaceflinger, cgroup)
-r_dir_file(surfaceflinger, cgroup_v2)
-r_dir_file(surfaceflinger, system_file)
-allow surfaceflinger tmpfs:dir r_dir_perms;
-allow surfaceflinger system_server:fd use;
-allow surfaceflinger system_server:unix_stream_socket { read write };
-allow surfaceflinger ion_device:chr_file r_file_perms;
-allow surfaceflinger dmabuf_system_heap_device:chr_file r_file_perms;
-
-# pdx IPC
-pdx_server(surfaceflinger, display_client)
-pdx_server(surfaceflinger, display_manager)
-pdx_server(surfaceflinger, display_screenshot)
-pdx_server(surfaceflinger, display_vsync)
-
-pdx_client(surfaceflinger, bufferhub_client)
-pdx_client(surfaceflinger, performance_client)
-
-# Allow supplying timestats statistics to statsd
-allow surfaceflinger stats_service:service_manager find;
-allow surfaceflinger statsmanager_service:service_manager find;
-# TODO(146461633): remove this once native pullers talk to StatsManagerService
-binder_call(surfaceflinger, statsd);
-
-# Allow pushing jank event atoms to statsd
-userdebug_or_eng(`
- unix_socket_send(surfaceflinger, statsdw, statsd)
-')
-
-# Surfaceflinger should not be reading default vendor-defined properties.
-dontaudit surfaceflinger vendor_default_prop:file read;
-
-###
-### Neverallow rules
-###
-### surfaceflinger should NEVER do any of this
-
-# Do not allow accessing SDcard files as unsafe ejection could
-# cause the kernel to kill the process.
-neverallow surfaceflinger sdcard_type:file rw_file_perms;
-
-# b/68864350
-dontaudit surfaceflinger unlabeled:dir search;
diff --git a/microdroid/sepolicy/system/private/system_app.te b/microdroid/sepolicy/system/private/system_app.te
deleted file mode 100644
index 48d5f9d..0000000
--- a/microdroid/sepolicy/system/private/system_app.te
+++ /dev/null
@@ -1,184 +0,0 @@
-###
-### Apps that run with the system UID, e.g. com.android.system.ui,
-### com.android.settings. These are not as privileged as the system
-### server.
-###
-
-typeattribute system_app coredomain, mlstrustedsubject;
-
-app_domain(system_app)
-net_domain(system_app)
-binder_service(system_app)
-
-# android.ui and system.ui
-allow system_app rootfs:dir getattr;
-
-# Read and write /data/data subdirectory.
-allow system_app system_app_data_file:dir create_dir_perms;
-allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
-
-# Read and write to /data/misc/user.
-allow system_app misc_user_data_file:dir create_dir_perms;
-allow system_app misc_user_data_file:file create_file_perms;
-
-# Access to apex files stored on /data (b/136063500)
-# Needed so that Settings can access NOTICE files inside apex
-# files located in the assets/ directory.
-allow system_app apex_data_file:dir search;
-allow system_app staging_data_file:file r_file_perms;
-
-# Read wallpaper file.
-allow system_app wallpaper_file:file r_file_perms;
-
-# Read icon file.
-allow system_app icon_file:file r_file_perms;
-
-# Write to properties
-set_prop(system_app, bluetooth_a2dp_offload_prop)
-set_prop(system_app, bluetooth_audio_hal_prop)
-set_prop(system_app, bluetooth_prop)
-set_prop(system_app, debug_prop)
-set_prop(system_app, system_prop)
-set_prop(system_app, exported_bluetooth_prop)
-set_prop(system_app, exported_system_prop)
-set_prop(system_app, exported3_system_prop)
-set_prop(system_app, logd_prop)
-set_prop(system_app, net_radio_prop)
-set_prop(system_app, usb_control_prop)
-set_prop(system_app, usb_prop)
-set_prop(system_app, log_tag_prop)
-userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
-auditallow system_app net_radio_prop:property_service set;
-auditallow system_app usb_control_prop:property_service set;
-auditallow system_app usb_prop:property_service set;
-# Allow Settings to enable Dynamic System Update
-set_prop(system_app, dynamic_system_prop)
-
-# ctl interface
-set_prop(system_app, ctl_default_prop)
-set_prop(system_app, ctl_bugreport_prop)
-
-# Allow developer settings to query gsid status
-get_prop(system_app, gsid_prop)
-
-# Create /data/anr/traces.txt.
-allow system_app anr_data_file:dir ra_dir_perms;
-allow system_app anr_data_file:file create_file_perms;
-
-# Settings need to access app name and icon from asec
-allow system_app asec_apk_file:file r_file_perms;
-
-# Allow system apps (like Settings) to interact with statsd
-binder_call(system_app, statsd)
-
-# Allow system apps to interact with incidentd
-binder_call(system_app, incidentd)
-
-# Allow system app to interact with Dumpstate HAL
-hal_client_domain(system_app, hal_dumpstate)
-
-allow system_app servicemanager:service_manager list;
-# TODO: scope this down? Too broad?
-allow system_app {
- service_manager_type
- -apex_service
- -dnsresolver_service
- -dumpstate_service
- -installd_service
- -iorapd_service
- -lpdump_service
- -netd_service
- -system_suspend_control_internal_service
- -system_suspend_control_service
- -virtual_touchpad_service
- -vold_service
- -vr_hwc_service
- -default_android_service
-}:service_manager find;
-# suppress denials for services system_app should not be accessing.
-dontaudit system_app {
- dnsresolver_service
- dumpstate_service
- installd_service
- iorapd_service
- netd_service
- virtual_touchpad_service
- vold_service
- vr_hwc_service
-}:service_manager find;
-
-# suppress denials caused by debugfs_tracing
-dontaudit system_app debugfs_tracing:file rw_file_perms;
-
-allow system_app keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- user_changed
-};
-
-allow system_app keystore:keystore2_key {
- delete
- get_info
- grant
- rebind
- update
- use
-};
-
-# Allow Settings to manage WI-FI keys.
-allow system_app wifi_key:keystore2_key {
- delete
- get_info
- rebind
- update
- use
-};
-
-# settings app reads /proc/version
-allow system_app {
- proc_version
-}:file r_file_perms;
-
-# Settings app writes to /dev/stune/foreground/tasks.
-allow system_app cgroup:file w_file_perms;
-allow system_app cgroup_v2:file w_file_perms;
-
-control_logd(system_app)
-read_runtime_log_tags(system_app)
-get_prop(system_app, device_logging_prop)
-
-# allow system apps to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow system_app system_server:udp_socket {
- connect getattr read recvfrom sendto write getopt setopt };
-
-# Settings app reads ro.oem_unlock_supported
-get_prop(system_app, oem_unlock_prop)
-
-###
-### Neverallow rules
-###
-
-# app domains which access /dev/fuse should not run as system_app
-neverallow system_app fuse_device:chr_file *;
-
-# Apps which run as UID=system should not rely on any attacker controlled
-# filesystem locations, such as /data/local/tmp. For /data/local/tmp, we
-# allow writes to files passed by file descriptor to support dumpstate and
-# bug reports, but not reads.
-neverallow system_app shell_data_file:dir { no_w_dir_perms open search read };
-neverallow system_app shell_data_file:file { open read ioctl lock };
diff --git a/microdroid/sepolicy/system/private/system_server.te b/microdroid/sepolicy/system/private/system_server.te
deleted file mode 100644
index 0e57739..0000000
--- a/microdroid/sepolicy/system/private/system_server.te
+++ /dev/null
@@ -1,1403 +0,0 @@
-#
-# System Server aka system_server spawned by zygote.
-# Most of the framework services run in this process.
-#
-
-typeattribute system_server coredomain;
-typeattribute system_server mlstrustedsubject;
-typeattribute system_server scheduler_service_server;
-typeattribute system_server sensor_service_server;
-typeattribute system_server stats_service_server;
-
-# Define a type for tmpfs-backed ashmem regions.
-tmpfs_domain(system_server)
-
-userfaultfd_use(system_server)
-
-# Create a socket for connections from crash_dump.
-type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
-
-# Create a socket for connections from zygotes.
-type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";
-
-allow system_server zygote_tmpfs:file read;
-allow system_server appdomain_tmpfs:file { getattr map read write };
-
-# For Incremental Service to check if incfs is available
-allow system_server proc_filesystems:file r_file_perms;
-
-# To create files, get permission to fill blocks, and configure Incremental File System
-allow system_server incremental_control_file:file { ioctl r_file_perms };
-allowxperm system_server incremental_control_file:file ioctl {
- INCFS_IOCTL_CREATE_FILE
- INCFS_IOCTL_CREATE_MAPPED_FILE
- INCFS_IOCTL_PERMIT_FILL
- INCFS_IOCTL_GET_READ_TIMEOUTS
- INCFS_IOCTL_SET_READ_TIMEOUTS
- INCFS_IOCTL_GET_LAST_READ_ERROR
-};
-
-# To get signature of an APK installed on Incremental File System, and fill in data
-# blocks and get the filesystem state
-allowxperm system_server apk_data_file:file ioctl {
- INCFS_IOCTL_READ_SIGNATURE
- INCFS_IOCTL_FILL_BLOCKS
- INCFS_IOCTL_GET_FILLED_BLOCKS
- INCFS_IOCTL_GET_BLOCK_COUNT
- F2FS_IOC_GET_FEATURES
- F2FS_IOC_GET_COMPRESS_BLOCKS
- F2FS_IOC_COMPRESS_FILE
- F2FS_IOC_DECOMPRESS_FILE
- F2FS_IOC_RELEASE_COMPRESS_BLOCKS
- F2FS_IOC_RESERVE_COMPRESS_BLOCKS
- FS_IOC_SETFLAGS
- FS_IOC_GETFLAGS
-};
-
-allowxperm system_server apk_tmp_file:file ioctl {
- F2FS_IOC_RELEASE_COMPRESS_BLOCKS
- FS_IOC_GETFLAGS
-};
-
-# For Incremental Service to check incfs metrics
-allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
-
-# For f2fs-compression support
-allow system_server sysfs_fs_f2fs:dir r_dir_perms;
-allow system_server sysfs_fs_f2fs:file r_file_perms;
-
-# For art.
-allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
-allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
-
-# When running system server under --invoke-with, we'll try to load the boot image under the
-# system server domain, following links to the system partition.
-with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
-
-# /data/resource-cache
-allow system_server resourcecache_data_file:file r_file_perms;
-allow system_server resourcecache_data_file:dir r_dir_perms;
-
-# ptrace to processes in the same domain for debugging crashes.
-allow system_server self:process ptrace;
-
-# Child of the zygote.
-allow system_server zygote:fd use;
-allow system_server zygote:process sigchld;
-
-# May kill zygote on crashes.
-allow system_server {
- app_zygote
- crash_dump
- webview_zygote
- zygote
-}:process { sigkill signull };
-
-# Read /system/bin/app_process.
-allow system_server zygote_exec:file r_file_perms;
-
-# Needed to close the zygote socket, which involves getopt / getattr
-allow system_server zygote:unix_stream_socket { getopt getattr };
-
-# system server gets network and bluetooth permissions.
-net_domain(system_server)
-# in addition to ioctls allowlisted for all domains, also allow system_server
-# to use privileged ioctls commands. Needed to set up VPNs.
-allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
-bluetooth_domain(system_server)
-
-# Allow setup of tcp keepalive offload. This gives system_server the permission to
-# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
-# be granted individually, except for a small set of safe values allowlisted in
-# public/domain.te.
-allow system_server appdomain:tcp_socket ioctl;
-
-# These are the capabilities assigned by the zygote to the
-# system server.
-allow system_server self:global_capability_class_set {
- ipc_lock
- kill
- net_admin
- net_bind_service
- net_broadcast
- net_raw
- sys_boot
- sys_nice
- sys_ptrace
- sys_time
- sys_tty_config
-};
-
-# Trigger module auto-load.
-allow system_server kernel:system module_request;
-
-# Allow alarmtimers to be set
-allow system_server self:global_capability2_class_set wake_alarm;
-
-# Create and share netlink_netfilter_sockets for tetheroffload.
-allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
-
-# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
-allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
-
-# Use netlink uevent sockets.
-allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Use generic netlink sockets.
-allow system_server self:netlink_socket create_socket_perms_no_ioctl;
-allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
-
-# libvintf reads the kernel config to verify vendor interface compatibility.
-allow system_server config_gz:file { read open };
-
-# Use generic "sockets" where the address family is not known
-# to the kernel. The ioctl permission is specifically omitted here, but may
-# be added to device specific policy along with the ioctl commands to be
-# allowlisted.
-allow system_server self:socket create_socket_perms_no_ioctl;
-
-# Set and get routes directly via netlink.
-allow system_server self:netlink_route_socket nlmsg_write;
-
-# Kill apps.
-allow system_server appdomain:process { getpgid sigkill signal };
-# signull allowed for kill(pid, 0) existence test.
-allow system_server appdomain:process { signull };
-
-# Set scheduling info for apps.
-allow system_server appdomain:process { getsched setsched };
-allow system_server audioserver:process { getsched setsched };
-allow system_server hal_audio:process { getsched setsched };
-allow system_server hal_bluetooth:process { getsched setsched };
-allow system_server hal_codec2_server:process { getsched setsched };
-allow system_server hal_omx_server:process { getsched setsched };
-allow system_server mediaswcodec:process { getsched setsched };
-allow system_server cameraserver:process { getsched setsched };
-allow system_server hal_camera:process { getsched setsched };
-allow system_server mediaserver:process { getsched setsched };
-allow system_server bootanim:process { getsched setsched };
-
-# Set scheduling info for psi monitor thread.
-# TODO: delete this line b/131761776
-allow system_server kernel:process { getsched setsched };
-
-# Allow system_server to write to /proc/<pid>/*
-allow system_server domain:file w_file_perms;
-
-# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
-# within system_server to keep track of memory and CPU usage for
-# all processes on the device. In addition, /proc/pid files access is needed
-# for dumping stack traces of native processes.
-r_dir_file(system_server, domain)
-
-# Write /proc/uid_cputime/remove_uid_range.
-allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
-
-# Write /proc/uid_procstat/set.
-allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
-
-# Write to /proc/sysrq-trigger.
-allow system_server proc_sysrq:file rw_file_perms;
-
-# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
-allow system_server stats_data_file:dir { open read remove_name search write };
-allow system_server stats_data_file:file unlink;
-
-# Read /sys/kernel/debug/wakeup_sources.
-no_debugfs_restriction(`
- allow system_server debugfs_wakeup_sources:file r_file_perms;
-')
-
-# Read /sys/kernel/ion/*.
-allow system_server sysfs_ion:file r_file_perms;
-
-# Read /sys/kernel/dma_heap/*.
-allow system_server sysfs_dma_heap:file r_file_perms;
-
-# Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf.
-allow system_server sysfs_dmabuf_stats:dir r_dir_perms;
-allow system_server sysfs_dmabuf_stats:file r_file_perms;
-
-# Allow ActivityManager to look at the list of DMA-BUF heaps from /dev/dma_heap
-# for dumpsys meminfo
-allow system_server dmabuf_heap_device:dir r_dir_perms;
-
-# The DhcpClient and WifiWatchdog use packet_sockets
-allow system_server self:packet_socket create_socket_perms_no_ioctl;
-
-# 3rd party VPN clients require a tun_socket to be created
-allow system_server self:tun_socket create_socket_perms_no_ioctl;
-
-# Talk to init and various daemons via sockets.
-unix_socket_connect(system_server, lmkd, lmkd)
-unix_socket_connect(system_server, mtpd, mtp)
-unix_socket_connect(system_server, zygote, zygote)
-unix_socket_connect(system_server, racoon, racoon)
-unix_socket_connect(system_server, uncrypt, uncrypt)
-
-# Allow system_server to write to statsd.
-unix_socket_send(system_server, statsdw, statsd)
-
-# Communicate over a socket created by surfaceflinger.
-allow system_server surfaceflinger:unix_stream_socket { read write setopt };
-
-allow system_server gpuservice:unix_stream_socket { read write setopt };
-
-# Communicate over a socket created by webview_zygote.
-allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
-
-# Communicate over a socket created by app_zygote.
-allow system_server app_zygote:unix_stream_socket { read write connectto setopt };
-
-# Perform Binder IPC.
-binder_use(system_server)
-binder_call(system_server, appdomain)
-binder_call(system_server, binderservicedomain)
-binder_call(system_server, dumpstate)
-binder_call(system_server, fingerprintd)
-binder_call(system_server, gatekeeperd)
-binder_call(system_server, gpuservice)
-binder_call(system_server, idmap)
-binder_call(system_server, installd)
-binder_call(system_server, incidentd)
-binder_call(system_server, iorapd)
-binder_call(system_server, netd)
-userdebug_or_eng(`binder_call(system_server, profcollectd)')
-binder_call(system_server, statsd)
-binder_call(system_server, storaged)
-binder_call(system_server, update_engine)
-binder_call(system_server, vold)
-binder_call(system_server, wificond)
-binder_call(system_server, wpantund)
-binder_service(system_server)
-
-# Use HALs
-hal_client_domain(system_server, hal_allocator)
-hal_client_domain(system_server, hal_audio)
-hal_client_domain(system_server, hal_authsecret)
-hal_client_domain(system_server, hal_broadcastradio)
-hal_client_domain(system_server, hal_codec2)
-hal_client_domain(system_server, hal_configstore)
-hal_client_domain(system_server, hal_contexthub)
-hal_client_domain(system_server, hal_face)
-hal_client_domain(system_server, hal_fingerprint)
-hal_client_domain(system_server, hal_gnss)
-hal_client_domain(system_server, hal_graphics_allocator)
-hal_client_domain(system_server, hal_health)
-hal_client_domain(system_server, hal_input_classifier)
-hal_client_domain(system_server, hal_ir)
-hal_client_domain(system_server, hal_light)
-hal_client_domain(system_server, hal_memtrack)
-hal_client_domain(system_server, hal_neuralnetworks)
-hal_client_domain(system_server, hal_oemlock)
-hal_client_domain(system_server, hal_omx)
-hal_client_domain(system_server, hal_power)
-hal_client_domain(system_server, hal_power_stats)
-hal_client_domain(system_server, hal_rebootescrow)
-hal_client_domain(system_server, hal_sensors)
-hal_client_domain(system_server, hal_tetheroffload)
-hal_client_domain(system_server, hal_thermal)
-hal_client_domain(system_server, hal_tv_cec)
-hal_client_domain(system_server, hal_tv_input)
-hal_client_domain(system_server, hal_usb)
-hal_client_domain(system_server, hal_usb_gadget)
-hal_client_domain(system_server, hal_vibrator)
-hal_client_domain(system_server, hal_vr)
-hal_client_domain(system_server, hal_weaver)
-hal_client_domain(system_server, hal_wifi)
-hal_client_domain(system_server, hal_wifi_hostapd)
-hal_client_domain(system_server, hal_wifi_supplicant)
-# The bootctl is a pass through HAL mode under recovery mode. So we skip the
-# permission for recovery in order not to give system server the access to
-# the low level block devices.
-not_recovery(`hal_client_domain(system_server, hal_bootctl)')
-
-# Talk with graphics composer fences
-allow system_server hal_graphics_composer:fd use;
-
-# Use RenderScript always-passthrough HAL
-allow system_server hal_renderscript_hwservice:hwservice_manager find;
-allow system_server same_process_hal_file:file { execute read open getattr map };
-
-# Talk to tombstoned to get ANR traces.
-unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
-
-# List HAL interfaces to get ANR traces.
-allow system_server hwservicemanager:hwservice_manager list;
-allow system_server servicemanager:service_manager list;
-
-# Send signals to trigger ANR traces.
-allow system_server {
- # This is derived from the list that system server defines as interesting native processes
- # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
- # frameworks/base/services/core/java/com/android/server/Watchdog.java.
- audioserver
- cameraserver
- drmserver
- gpuservice
- inputflinger
- keystore
- mediadrmserver
- mediaextractor
- mediametrics
- mediaserver
- mediaswcodec
- mediatranscoding
- mediatuner
- netd
- sdcardd
- statsd
- surfaceflinger
- vold
-
- # This list comes from HAL_INTERFACES_OF_INTEREST in
- # frameworks/base/services/core/java/com/android/server/Watchdog.java.
- hal_audio_server
- hal_bluetooth_server
- hal_camera_server
- hal_codec2_server
- hal_face_server
- hal_fingerprint_server
- hal_gnss_server
- hal_graphics_allocator_server
- hal_graphics_composer_server
- hal_health_server
- hal_light_server
- hal_neuralnetworks_server
- hal_omx_server
- hal_power_stats_server
- hal_sensors_server
- hal_vr_server
- system_suspend_server
-}:process { signal };
-
-# Use sockets received over binder from various services.
-allow system_server audioserver:tcp_socket rw_socket_perms;
-allow system_server audioserver:udp_socket rw_socket_perms;
-allow system_server mediaserver:tcp_socket rw_socket_perms;
-allow system_server mediaserver:udp_socket rw_socket_perms;
-
-# Use sockets received over binder from various services.
-allow system_server mediadrmserver:tcp_socket rw_socket_perms;
-allow system_server mediadrmserver:udp_socket rw_socket_perms;
-
-userdebug_or_eng(`perfetto_producer({ system_server })')
-
-# Get file context
-allow system_server file_contexts_file:file r_file_perms;
-# access for mac_permissions
-allow system_server mac_perms_file: file r_file_perms;
-# Check SELinux permissions.
-selinux_check_access(system_server)
-
-allow system_server sysfs_type:dir search;
-
-r_dir_file(system_server, sysfs_android_usb)
-allow system_server sysfs_android_usb:file w_file_perms;
-
-allow system_server sysfs_extcon:dir r_dir_perms;
-
-r_dir_file(system_server, sysfs_ipv4)
-allow system_server sysfs_ipv4:file w_file_perms;
-
-r_dir_file(system_server, sysfs_rtc)
-r_dir_file(system_server, sysfs_switch)
-
-allow system_server sysfs_nfc_power_writable:file rw_file_perms;
-allow system_server sysfs_power:dir search;
-allow system_server sysfs_power:file rw_file_perms;
-allow system_server sysfs_thermal:dir search;
-allow system_server sysfs_thermal:file r_file_perms;
-allow system_server sysfs_uhid:dir r_dir_perms;
-allow system_server sysfs_uhid:file rw_file_perms;
-
-# TODO: Remove when HALs are forced into separate processes
-allow system_server sysfs_vibrator:file { write append };
-
-# TODO: added to match above sysfs rule. Remove me?
-allow system_server sysfs_usb:file w_file_perms;
-
-# Access devices.
-allow system_server device:dir r_dir_perms;
-allow system_server mdns_socket:sock_file rw_file_perms;
-allow system_server gpu_device:chr_file rw_file_perms;
-allow system_server input_device:dir r_dir_perms;
-allow system_server input_device:chr_file rw_file_perms;
-allow system_server tty_device:chr_file rw_file_perms;
-allow system_server usbaccessory_device:chr_file rw_file_perms;
-allow system_server video_device:dir r_dir_perms;
-allow system_server video_device:chr_file rw_file_perms;
-allow system_server adbd_socket:sock_file rw_file_perms;
-allow system_server rtc_device:chr_file rw_file_perms;
-allow system_server audio_device:dir r_dir_perms;
-
-# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
-allow system_server audio_device:chr_file rw_file_perms;
-
-# tun device used for 3rd party vpn apps
-allow system_server tun_device:chr_file rw_file_perms;
-allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
-
-# Manage data/ota_package
-allow system_server ota_package_file:dir rw_dir_perms;
-allow system_server ota_package_file:file create_file_perms;
-
-# Manage system data files.
-allow system_server system_data_file:dir create_dir_perms;
-allow system_server system_data_file:notdevfile_class_set create_file_perms;
-allow system_server packages_list_file:file create_file_perms;
-allow system_server keychain_data_file:dir create_dir_perms;
-allow system_server keychain_data_file:file create_file_perms;
-allow system_server keychain_data_file:lnk_file create_file_perms;
-
-# Manage /data/app.
-allow system_server apk_data_file:dir create_dir_perms;
-allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
-allow system_server apk_tmp_file:dir create_dir_perms;
-allow system_server apk_tmp_file:file create_file_perms;
-
-# Access input configuration files in the /vendor directory
-r_dir_file(system_server, vendor_keylayout_file)
-r_dir_file(system_server, vendor_keychars_file)
-r_dir_file(system_server, vendor_idc_file)
-
-# Access /vendor/{app,framework,overlay}
-r_dir_file(system_server, vendor_app_file)
-r_dir_file(system_server, vendor_framework_file)
-r_dir_file(system_server, vendor_overlay_file)
-
-# Manage /data/app-private.
-allow system_server apk_private_data_file:dir create_dir_perms;
-allow system_server apk_private_data_file:file create_file_perms;
-allow system_server apk_private_tmp_file:dir create_dir_perms;
-allow system_server apk_private_tmp_file:file create_file_perms;
-
-# Manage files within asec containers.
-allow system_server asec_apk_file:dir create_dir_perms;
-allow system_server asec_apk_file:file create_file_perms;
-allow system_server asec_public_file:file create_file_perms;
-
-# Manage /data/anr.
-#
-# TODO: Some of these permissions can be withdrawn once we've switched to the
-# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
-# the system_server should never need to create a new anr_data_file:file or write
-# to one, but it will still need to read and append to existing files.
-allow system_server anr_data_file:dir create_dir_perms;
-allow system_server anr_data_file:file create_file_perms;
-
-# New stack dumping scheme : request an output FD from tombstoned via a unix
-# domain socket.
-#
-# Allow system_server to connect and write to the tombstoned java trace socket in
-# order to dump its traces. Also allow the system server to write its traces to
-# dumpstate during bugreport capture and incidentd during incident collection.
-unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
-allow system_server tombstoned:fd use;
-allow system_server dumpstate:fifo_file append;
-allow system_server incidentd:fifo_file append;
-# Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`)
-userdebug_or_eng(`
- allow system_server su:fifo_file append;
-')
-
-# Allow system_server to read pipes from incidentd (used to deliver incident reports
-# to dropbox)
-allow system_server incidentd:fifo_file read;
-
-# Read /data/misc/incidents - only read. The fd will be sent over binder,
-# with no DAC access to it, for dropbox to read.
-allow system_server incident_data_file:file read;
-
-# Manage /data/misc/prereboot.
-allow system_server prereboot_data_file:dir rw_dir_perms;
-allow system_server prereboot_data_file:file create_file_perms;
-
-# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
-# binder.
-allow system_server perfetto_traces_data_file:file read;
-allow system_server perfetto:fd use;
-
-# Manage /data/backup.
-allow system_server backup_data_file:dir create_dir_perms;
-allow system_server backup_data_file:file create_file_perms;
-
-# Write to /data/system/dropbox
-allow system_server dropbox_data_file:dir create_dir_perms;
-allow system_server dropbox_data_file:file create_file_perms;
-
-# Write to /data/system/heapdump
-allow system_server heapdump_data_file:dir rw_dir_perms;
-allow system_server heapdump_data_file:file create_file_perms;
-
-# Manage /data/misc/adb.
-allow system_server adb_keys_file:dir create_dir_perms;
-allow system_server adb_keys_file:file create_file_perms;
-
-# Manage /data/misc/appcompat.
-allow system_server appcompat_data_file:dir rw_dir_perms;
-allow system_server appcompat_data_file:file create_file_perms;
-
-# Manage /data/misc/emergencynumberdb
-allow system_server emergency_data_file:dir create_dir_perms;
-allow system_server emergency_data_file:file create_file_perms;
-
-# Manage /data/misc/network_watchlist
-allow system_server network_watchlist_data_file:dir create_dir_perms;
-allow system_server network_watchlist_data_file:file create_file_perms;
-
-# Manage /data/misc/sms.
-# TODO: Split into a separate type?
-allow system_server radio_data_file:dir create_dir_perms;
-allow system_server radio_data_file:file create_file_perms;
-
-# Manage /data/misc/systemkeys.
-allow system_server systemkeys_data_file:dir create_dir_perms;
-allow system_server systemkeys_data_file:file create_file_perms;
-
-# Manage /data/misc/textclassifier.
-allow system_server textclassifier_data_file:dir create_dir_perms;
-allow system_server textclassifier_data_file:file create_file_perms;
-
-# Access /data/tombstones.
-allow system_server tombstone_data_file:dir r_dir_perms;
-allow system_server tombstone_data_file:file r_file_perms;
-
-# Allow write access to be able to truncate tombstones.
-allow system_server tombstone_data_file:file write;
-
-# Manage /data/misc/vpn.
-allow system_server vpn_data_file:dir create_dir_perms;
-allow system_server vpn_data_file:file create_file_perms;
-
-# Manage /data/misc/wifi.
-allow system_server wifi_data_file:dir create_dir_perms;
-allow system_server wifi_data_file:file create_file_perms;
-
-# Manage /data/misc/zoneinfo.
-allow system_server zoneinfo_data_file:dir create_dir_perms;
-allow system_server zoneinfo_data_file:file create_file_perms;
-
-# Manage /data/app-staging.
-allow system_server staging_data_file:dir create_dir_perms;
-allow system_server staging_data_file:file create_file_perms;
-
-# Manage /data/rollback.
-allow system_server staging_data_file:{ file lnk_file } { create_file_perms link };
-
-# Walk /data/data subdirectories.
-allow system_server app_data_file_type:dir { getattr read search };
-
-# Also permit for unlabeled /data/data subdirectories and
-# for unlabeled asec containers on upgrades from 4.2.
-allow system_server unlabeled:dir r_dir_perms;
-# Read pkg.apk file before it has been relabeled by vold.
-allow system_server unlabeled:file r_file_perms;
-
-# Populate com.android.providers.settings/databases/settings.db.
-allow system_server system_app_data_file:dir create_dir_perms;
-allow system_server system_app_data_file:file create_file_perms;
-
-# Receive and use open app data files passed over binder IPC.
-allow system_server app_data_file_type:file { getattr read write append map };
-
-# Access to /data/media for measuring disk usage.
-allow system_server media_rw_data_file:dir { search getattr open read };
-
-# Receive and use open /data/media files passed over binder IPC.
-# Also used for measuring disk usage.
-allow system_server media_rw_data_file:file { getattr read write append };
-
-# System server needs to setfscreate to packages_list_file when writing
-# /data/system/packages.list
-allow system_server system_server:process setfscreate;
-
-# Relabel apk files.
-allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
-allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
-# Allow PackageManager to:
-# 1. rename file from /data/app-staging folder to /data/app
-# 2. relabel files (linked to /data/rollback) under /data/app-staging
-# during staged apk/apex install.
-allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto };
-
-# Relabel wallpaper.
-allow system_server system_data_file:file relabelfrom;
-allow system_server wallpaper_file:file relabelto;
-allow system_server wallpaper_file:file { rw_file_perms rename unlink };
-
-# Backup of wallpaper imagery uses temporary hard links to avoid data churn
-allow system_server { system_data_file wallpaper_file }:file link;
-
-# ShortcutManager icons
-allow system_server system_data_file:dir relabelfrom;
-allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
-allow system_server shortcut_manager_icons:file create_file_perms;
-
-# Manage ringtones.
-allow system_server ringtone_file:dir { create_dir_perms relabelto };
-allow system_server ringtone_file:file create_file_perms;
-
-# Relabel icon file.
-allow system_server icon_file:file relabelto;
-allow system_server icon_file:file { rw_file_perms unlink };
-
-# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
-allow system_server system_data_file:dir relabelfrom;
-
-# server_configurable_flags_data_file is used for storing server configurable flags which
-# have been reset during current booting. system_server needs to read the data to perform related
-# disaster recovery actions.
-allow system_server server_configurable_flags_data_file:dir r_dir_perms;
-allow system_server server_configurable_flags_data_file:file r_file_perms;
-
-# Property Service write
-set_prop(system_server, system_prop)
-set_prop(system_server, bootanim_system_prop)
-set_prop(system_server, exported_system_prop)
-set_prop(system_server, exported3_system_prop)
-set_prop(system_server, safemode_prop)
-set_prop(system_server, theme_prop)
-set_prop(system_server, dhcp_prop)
-set_prop(system_server, net_connectivity_prop)
-set_prop(system_server, net_radio_prop)
-set_prop(system_server, net_dns_prop)
-set_prop(system_server, usb_control_prop)
-set_prop(system_server, usb_prop)
-set_prop(system_server, debug_prop)
-set_prop(system_server, powerctl_prop)
-set_prop(system_server, fingerprint_prop)
-set_prop(system_server, device_logging_prop)
-set_prop(system_server, dumpstate_options_prop)
-set_prop(system_server, overlay_prop)
-set_prop(system_server, exported_overlay_prop)
-set_prop(system_server, pm_prop)
-set_prop(system_server, exported_pm_prop)
-set_prop(system_server, socket_hook_prop)
-set_prop(system_server, audio_prop)
-set_prop(system_server, boot_status_prop)
-set_prop(system_server, surfaceflinger_color_prop)
-set_prop(system_server, provisioned_prop)
-set_prop(system_server, retaildemo_prop)
-userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
-
-# ctl interface
-set_prop(system_server, ctl_default_prop)
-set_prop(system_server, ctl_bugreport_prop)
-set_prop(system_server, ctl_gsid_prop)
-
-# cppreopt property
-set_prop(system_server, cppreopt_prop)
-
-# server configurable flags properties
-set_prop(system_server, device_config_input_native_boot_prop)
-set_prop(system_server, device_config_netd_native_prop)
-set_prop(system_server, device_config_activity_manager_native_boot_prop)
-set_prop(system_server, device_config_runtime_native_boot_prop)
-set_prop(system_server, device_config_runtime_native_prop)
-set_prop(system_server, device_config_media_native_prop)
-set_prop(system_server, device_config_profcollect_native_boot_prop)
-set_prop(system_server, device_config_statsd_native_prop)
-set_prop(system_server, device_config_statsd_native_boot_prop)
-set_prop(system_server, device_config_storage_native_boot_prop)
-set_prop(system_server, device_config_swcodec_native_prop)
-set_prop(system_server, device_config_sys_traced_prop)
-set_prop(system_server, device_config_window_manager_native_boot_prop)
-set_prop(system_server, device_config_configuration_prop)
-set_prop(system_server, device_config_connectivity_prop)
-
-
-# Allow query ART device config properties
-get_prop(system_server, device_config_runtime_native_boot_prop)
-get_prop(system_server, device_config_runtime_native_prop)
-
-# BootReceiver to read ro.boot.bootreason
-get_prop(system_server, bootloader_boot_reason_prop)
-# PowerManager to read sys.boot.reason
-get_prop(system_server, system_boot_reason_prop)
-
-# Collect metrics on boot time created by init
-get_prop(system_server, boottime_prop)
-
-# Read device's serial number from system properties
-get_prop(system_server, serialno_prop)
-
-# Read/write the property which keeps track of whether this is the first start of system_server
-set_prop(system_server, firstboot_prop)
-
-# Audio service in system server can read audio config properties,
-# such as camera shutter enforcement
-get_prop(system_server, audio_config_prop)
-
-# system server reads this property to keep track of whether server configurable flags have been
-# reset during current boot.
-get_prop(system_server, device_config_reset_performed_prop)
-
-# Read/write the property that enables Test Harness Mode
-set_prop(system_server, test_harness_prop)
-
-# Read gsid.image_running.
-get_prop(system_server, gsid_prop)
-
-# Read the property that mocks an OTA
-get_prop(system_server, mock_ota_prop)
-
-# Read the property as feature flag for protecting apks with fs-verity.
-get_prop(system_server, apk_verity_prop)
-
-# Read wifi.interface
-get_prop(system_server, wifi_prop)
-
-# Read the vendor property that indicates if Incremental features is enabled
-get_prop(system_server, incremental_prop)
-
-# Read ro.zram. properties
-get_prop(system_server, zram_config_prop)
-
-# Read/write persist.sys.zram_enabled
-set_prop(system_server, zram_control_prop)
-
-# Read/write persist.sys.dalvik.vm.lib.2
-set_prop(system_server, dalvik_runtime_prop)
-
-# Read ro.control_privapp_permissions and ro.cp_system_other_odex
-get_prop(system_server, packagemanager_config_prop)
-
-# Read the net.464xlat.cellular.enabled property (written by init).
-get_prop(system_server, net_464xlat_fromvendor_prop)
-
-# Create a socket for connections from debuggerd.
-allow system_server system_ndebug_socket:sock_file create_file_perms;
-
-# Create a socket for connections from zygotes.
-allow system_server system_unsolzygote_socket:sock_file create_file_perms;
-
-# Manage cache files.
-allow system_server cache_file:lnk_file r_file_perms;
-allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
-allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
-allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
-
-allow system_server system_file:dir r_dir_perms;
-allow system_server system_file:lnk_file r_file_perms;
-
-# ART locks profile files.
-allow system_server system_file:file lock;
-
-# LocationManager(e.g, GPS) needs to read and write
-# to uart driver and ctrl proc entry
-allow system_server gps_control:file rw_file_perms;
-
-# Allow system_server to use app-created sockets and pipes.
-allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
-allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
-
-# BackupManagerService needs to manipulate backup data files
-allow system_server cache_backup_file:dir rw_dir_perms;
-allow system_server cache_backup_file:file create_file_perms;
-# LocalTransport works inside /cache/backup
-allow system_server cache_private_backup_file:dir create_dir_perms;
-allow system_server cache_private_backup_file:file create_file_perms;
-
-# Allow system to talk to usb device
-allow system_server usb_device:chr_file rw_file_perms;
-allow system_server usb_device:dir r_dir_perms;
-
-# Read and delete files under /dev/fscklogs.
-r_dir_file(system_server, fscklogs)
-allow system_server fscklogs:dir { write remove_name };
-allow system_server fscklogs:file unlink;
-
-# logd access, system_server inherit logd write socket
-# (urge is to deprecate this long term)
-allow system_server zygote:unix_dgram_socket write;
-
-# Read from log daemon.
-read_logd(system_server)
-read_runtime_log_tags(system_server)
-
-# Be consistent with DAC permissions. Allow system_server to write to
-# /sys/module/lowmemorykiller/parameters/adj
-# /sys/module/lowmemorykiller/parameters/minfree
-allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow system_server pstorefs:dir r_dir_perms;
-allow system_server pstorefs:file r_file_perms;
-
-# /sys access
-allow system_server sysfs_zram:dir search;
-allow system_server sysfs_zram:file rw_file_perms;
-
-add_service(system_server, system_server_service);
-allow system_server audioserver_service:service_manager find;
-allow system_server authorization_service:service_manager find;
-allow system_server batteryproperties_service:service_manager find;
-allow system_server cameraserver_service:service_manager find;
-allow system_server dataloader_manager_service:service_manager find;
-allow system_server dnsresolver_service:service_manager find;
-allow system_server drmserver_service:service_manager find;
-allow system_server dumpstate_service:service_manager find;
-allow system_server fingerprintd_service:service_manager find;
-allow system_server gatekeeper_service:service_manager find;
-allow system_server gpu_service:service_manager find;
-allow system_server gsi_service:service_manager find;
-allow system_server idmap_service:service_manager find;
-allow system_server incident_service:service_manager find;
-allow system_server incremental_service:service_manager find;
-allow system_server installd_service:service_manager find;
-allow system_server iorapd_service:service_manager find;
-allow system_server keystore_maintenance_service:service_manager find;
-allow system_server keystore_service:service_manager find;
-allow system_server mediaserver_service:service_manager find;
-allow system_server mediametrics_service:service_manager find;
-allow system_server mediaextractor_service:service_manager find;
-allow system_server mediadrmserver_service:service_manager find;
-allow system_server mediatuner_service:service_manager find;
-allow system_server netd_service:service_manager find;
-allow system_server nfc_service:service_manager find;
-allow system_server radio_service:service_manager find;
-allow system_server stats_service:service_manager find;
-allow system_server storaged_service:service_manager find;
-allow system_server surfaceflinger_service:service_manager find;
-allow system_server update_engine_service:service_manager find;
-allow system_server vold_service:service_manager find;
-allow system_server wifinl80211_service:service_manager find;
-userdebug_or_eng(`
- allow system_server profcollectd_service:service_manager find;
-')
-
-add_service(system_server, batteryproperties_service)
-
-allow system_server keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
-};
-
-allow system_server keystore:keystore2 {
- add_auth
- change_password
- change_user
- clear_ns
- clear_uid
- get_state
- lock
- reset
- unlock
-};
-
-allow system_server keystore:keystore2_key {
- delete
- use_dev_id
- grant
- get_info
- rebind
- update
- use
-};
-
-# Allow Wifi module to manage Wi-Fi keys.
-allow system_server wifi_key:keystore2_key {
- delete
- get_info
- rebind
- update
- use
-};
-
-# Allow lock_settings service to manage RoR keys.
-allow system_server resume_on_reboot_key:keystore2_key {
- delete
- get_info
- rebind
- update
- use
-};
-
-# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key).
-allow system_server locksettings_key:keystore2_key {
- delete
- get_info
- rebind
- update
- use
-};
-
-
-# Allow system server to search and write to the persistent factory reset
-# protection partition. This block device does not get wiped in a factory reset.
-allow system_server block_device:dir search;
-allow system_server frp_block_device:blk_file rw_file_perms;
-allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
-
-# Create new process groups and clean up old cgroups
-allow system_server cgroup:dir { remove_name rmdir };
-allow system_server cgroup_v2:dir create_dir_perms;
-allow system_server cgroup_v2:file { r_file_perms setattr };
-
-# /oem access
-r_dir_file(system_server, oemfs)
-
-# Allow resolving per-user storage symlinks
-allow system_server { mnt_user_file storage_file }:dir { getattr search };
-allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
-
-# Allow statfs() on storage devices, which happens fast enough that
-# we shouldn't be killed during unsafe removal
-allow system_server sdcard_type:dir { getattr search };
-
-# Traverse into expanded storage
-allow system_server mnt_expand_file:dir r_dir_perms;
-
-# Allow system process to relabel the fingerprint directory after mkdir
-# and delete the directory and files when no longer needed
-allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
-allow system_server fingerprintd_data_file:file { getattr unlink };
-
-userdebug_or_eng(`
- # Allow system server to create and write method traces in /data/misc/trace.
- allow system_server method_trace_data_file:dir w_dir_perms;
- allow system_server method_trace_data_file:file { create w_file_perms };
-
- # Allow system server to read dmesg
- allow system_server kernel:system syslog_read;
-
- # Allow writing and removing window traces in /data/misc/wmtrace.
- allow system_server wm_trace_data_file:dir rw_dir_perms;
- allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
-
- # Allow writing and removing accessibility traces in /data/misc/a11ytrace.
- allow system_server accessibility_trace_data_file:dir rw_dir_perms;
- allow system_server accessibility_trace_data_file:file { getattr setattr create unlink w_file_perms };
-')
-
-# For AppFuse.
-allow system_server vold:fd use;
-allow system_server fuse_device:chr_file { read write ioctl getattr };
-allow system_server app_fuse_file:file { read write getattr };
-
-# For configuring sdcardfs
-allow system_server configfs:dir { create_dir_perms };
-allow system_server configfs:file { getattr open create unlink write };
-
-# Connect to adbd and use a socket transferred from it.
-# Used for e.g. jdwp.
-allow system_server adbd:unix_stream_socket connectto;
-allow system_server adbd:fd use;
-allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-# Read service.adb.tls.port, persist.adb.wifi. properties
-get_prop(system_server, adbd_prop)
-
-# Set persist.adb.tls_server.enable property
-set_prop(system_server, system_adbd_prop)
-
-# Allow invoking tools like "timeout"
-allow system_server toolbox_exec:file rx_file_perms;
-
-# Allow system process to setup and measure fs-verity
-allowxperm system_server apk_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
-
-# Postinstall
-#
-# For OTA dexopt, allow calls coming from postinstall.
-binder_call(system_server, postinstall)
-
-allow system_server postinstall:fifo_file write;
-allow system_server update_engine:fd use;
-allow system_server update_engine:fifo_file write;
-
-# Access to /data/preloads
-allow system_server preloads_data_file:file { r_file_perms unlink };
-allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
-allow system_server preloads_media_file:file { r_file_perms unlink };
-allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
-
-r_dir_file(system_server, cgroup)
-r_dir_file(system_server, cgroup_v2)
-allow system_server ion_device:chr_file r_file_perms;
-
-# Access to /dev/dma_heap/system
-allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
-# Access to /dev/dma_heap/system-secure
-allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;
-
-r_dir_file(system_server, proc_asound)
-r_dir_file(system_server, proc_net_type)
-r_dir_file(system_server, proc_qtaguid_stat)
-allow system_server {
- proc_cmdline
- proc_loadavg
- proc_locks
- proc_meminfo
- proc_pagetypeinfo
- proc_pipe_conf
- proc_stat
- proc_uid_cputime_showstat
- proc_uid_io_stats
- proc_uid_time_in_state
- proc_uid_concurrent_active_time
- proc_uid_concurrent_policy_time
- proc_version
- proc_vmallocinfo
-}:file r_file_perms;
-
-allow system_server proc_uid_time_in_state:dir r_dir_perms;
-allow system_server proc_uid_cpupower:file r_file_perms;
-
-r_dir_file(system_server, rootfs)
-
-# Allow WifiService to start, stop, and read wifi-specific trace events.
-allow system_server debugfs_tracing_instances:dir search;
-allow system_server debugfs_wifi_tracing:dir search;
-allow system_server debugfs_wifi_tracing:file rw_file_perms;
-
-# Allow BootReceiver to watch trace error_report events.
-allow system_server debugfs_bootreceiver_tracing:dir search;
-allow system_server debugfs_bootreceiver_tracing:file r_file_perms;
-
-# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
-allow system_server debugfs_tracing:file r_file_perms;
-
-# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
-# asanwrapper.
-with_asan(`
- allow system_server shell_exec:file rx_file_perms;
- allow system_server asanwrapper_exec:file rx_file_perms;
- allow system_server zygote_exec:file rx_file_perms;
-')
-
-# allow system_server to read the eBPF maps that stores the traffic stats information and update
-# the map after snapshot is recorded, and to read, update and run the maps and programs used for
-# time in state accounting
-allow system_server fs_bpf:dir search;
-allow system_server fs_bpf:file { read write };
-allow system_server bpfloader:bpf { map_read map_write prog_run };
-
-# ART Profiles.
-# Allow system_server to open profile snapshots for read.
-# System server never reads the actual content. It passes the descriptor to
-# to privileged apps which acquire the permissions to inspect the profiles.
-allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
-allow system_server user_profile_data_file:file { getattr open read };
-
-# System server may dump profile data for debuggable apps in the /data/misc/profman.
-# As such it needs to be able create files but it should never read from them.
-allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
-allow system_server profman_dump_data_file:dir w_dir_perms;
-
-# On userdebug build we may profile system server. Allow it to write and create its own profile.
-userdebug_or_eng(`
- allow system_server user_profile_data_file:file create_file_perms;
-')
-# Allow system server to load JVMTI agents under control of a property.
-get_prop(system_server,system_jvmti_agent_prop)
-
-# UsbDeviceManager uses /dev/usb-ffs
-allow system_server functionfs:dir search;
-allow system_server functionfs:file rw_file_perms;
-
-# system_server contains time / time zone detection logic so reads the associated properties.
-get_prop(system_server, time_prop)
-
-# system_server reads this property to know it should expect the lmkd sends notification to it
-# on low memory kills.
-get_prop(system_server, system_lmk_prop)
-
-get_prop(system_server, wifi_config_prop)
-
-# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
-allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
-
-# Watchdog prints debugging log to /dev/kmsg_debug.
-userdebug_or_eng(`
- allow system_server kmsg_debug_device:chr_file { open append getattr };
-')
-# Watchdog reads sysprops framework_watchdog.fatal_* to handle watchdog timeout loop.
-get_prop(system_server, framework_watchdog_config_prop)
-
-
-# Font files are written by system server
-allow system_server font_data_file:file create_file_perms;
-allow system_server font_data_file:dir create_dir_perms;
-# Allow system process to setup fs-verity for font files
-allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;
-
-###
-### Neverallow rules
-###
-### system_server should NEVER do any of this
-
-# Do not allow opening files from external storage as unsafe ejection
-# could cause the kernel to kill the system_server.
-neverallow system_server sdcard_type:dir { open read write };
-neverallow system_server sdcard_type:file rw_file_perms;
-
-# system server should never be operating on zygote spawned app data
-# files directly. Rather, they should always be passed via a
-# file descriptor.
-# Exclude those types that system_server needs to open directly.
-neverallow system_server {
- app_data_file_type
- -system_app_data_file
- -radio_data_file
-}:file { open create unlink link };
-
-# Forking and execing is inherently dangerous and racy. See, for
-# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
-# Prevent the addition of new file execs to stop the problem from
-# getting worse. b/28035297
-neverallow system_server {
- file_type
- -toolbox_exec
- -logcat_exec
- with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
-}:file execute_no_trans;
-
-# Ensure that system_server doesn't perform any domain transitions other than
-# transitioning to the crash_dump domain when a crash occurs.
-neverallow system_server { domain -crash_dump }:process transition;
-neverallow system_server *:process dyntransition;
-
-# Only allow crash_dump to connect to system_ndebug_socket.
-neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
-
-# Only allow zygotes to connect to system_unsolzygote_socket.
-neverallow {
- domain
- -init
- -system_server
- -zygote
- -app_zygote
- -webview_zygote
-} system_unsolzygote_socket:sock_file { open write };
-
-# Only allow init, system_server, flags_health_check to set properties for server configurable flags
-neverallow {
- domain
- -init
- -system_server
- -flags_health_check
-} {
- device_config_activity_manager_native_boot_prop
- device_config_connectivity_prop
- device_config_input_native_boot_prop
- device_config_netd_native_prop
- device_config_runtime_native_boot_prop
- device_config_runtime_native_prop
- device_config_media_native_prop
- device_config_storage_native_boot_prop
- device_config_sys_traced_prop
- device_config_swcodec_native_prop
- device_config_window_manager_native_boot_prop
-}:property_service set;
-
-# system_server should never be executing dex2oat. This is either
-# a bug (for example, bug 16317188), or represents an attempt by
-# system server to dynamically load a dex file, something we do not
-# want to allow.
-neverallow system_server dex2oat_exec:file no_x_file_perms;
-
-# system_server should never execute or load executable shared libraries
-# in /data. Executable files in /data are a persistence vector.
-# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
-neverallow system_server data_file_type:file no_x_file_perms;
-
-# The only block device system_server should be accessing is
-# the frp_block_device. This helps avoid a system_server to root
-# escalation by writing to raw block devices.
-neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
-
-# system_server should never use JIT functionality
-# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
-# in the section titled "A Short ROP Chain" for why.
-# However, in emulator builds without OpenGL passthrough, we use software
-# rendering via SwiftShader, which requires JIT support. These builds are
-# never shipped to users.
-ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
- `allow system_server self:process execmem;',
- `neverallow system_server self:process execmem;')
-neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;
-
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow system_server system_server_tmpfs:file execute;
-
-# Resources handed off by system_server_startup
-allow system_server system_server_startup:fd use;
-allow system_server system_server_startup_tmpfs:file { read write map };
-allow system_server system_server_startup:unix_dgram_socket write;
-
-# Allow system server to communicate to apexd
-allow system_server apex_service:service_manager find;
-allow system_server apexd:binder call;
-
-# Allow system server to scan /apex for flattened APEXes
-allow system_server apex_mnt_dir:dir r_dir_perms;
-
-# Allow system server to read /apex/apex-info-list.xml
-allow system_server apex_info_file:file r_file_perms;
-
-# Allow system server to communicate to system-suspend's control interface
-allow system_server system_suspend_control_internal_service:service_manager find;
-allow system_server system_suspend_control_service:service_manager find;
-binder_call(system_server, system_suspend)
-binder_call(system_suspend, system_server)
-
-# Allow system server to communicate to system-suspend's wakelock interface
-wakelock_use(system_server)
-
-# Allow the system server to read files under /data/apex. The system_server
-# needs these privileges to compare file signatures while processing installs.
-#
-# Only apexd is allowed to create new entries or write to any file under /data/apex.
-allow system_server apex_data_file:dir { getattr search };
-allow system_server apex_data_file:file r_file_perms;
-
-# Allow the system server to read files under /vendor/apex. This is where
-# vendor APEX packages might be installed and system_server needs to parse
-# these packages to inspect the signatures and other metadata.
-allow system_server vendor_apex_file:dir { getattr search };
-allow system_server vendor_apex_file:file r_file_perms;
-
-# Allow the system server to manage relevant apex module data files.
-allow system_server apex_module_data_file:dir { getattr search };
-allow system_server apex_appsearch_data_file:dir create_dir_perms;
-allow system_server apex_appsearch_data_file:file create_file_perms;
-allow system_server apex_permission_data_file:dir create_dir_perms;
-allow system_server apex_permission_data_file:file create_file_perms;
-allow system_server apex_scheduling_data_file:dir create_dir_perms;
-allow system_server apex_scheduling_data_file:file create_file_perms;
-allow system_server apex_wifi_data_file:dir create_dir_perms;
-allow system_server apex_wifi_data_file:file create_file_perms;
-
-# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
-# communicate which slots are available for use.
-allow system_server metadata_file:dir search;
-allow system_server password_slot_metadata_file:dir rw_dir_perms;
-allow system_server password_slot_metadata_file:file create_file_perms;
-
-allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
-allow system_server userspace_reboot_metadata_file:file create_file_perms;
-
-# Allow system server rw access to files in /metadata/staged-install folder
-allow system_server staged_install_file:dir rw_dir_perms;
-allow system_server staged_install_file:file create_file_perms;
-
-allow system_server watchdog_metadata_file:dir rw_dir_perms;
-allow system_server watchdog_metadata_file:file create_file_perms;
-
-allow system_server gsi_persistent_data_file:dir rw_dir_perms;
-allow system_server gsi_persistent_data_file:file create_file_perms;
-
-# Allow system server read and remove files under /data/misc/odrefresh
-allow system_server odrefresh_data_file:dir rw_dir_perms;
-allow system_server odrefresh_data_file:file { r_file_perms unlink };
-
-# Allow system server r access to /system/bin/surfaceflinger for PinnerService.
-allow system_server surfaceflinger_exec:file r_file_perms;
-
-# Allow init to set sysprop used to compute stats about userspace reboot.
-set_prop(system_server, userspace_reboot_log_prop)
-
-# JVMTI agent settings are only readable from the system server.
-neverallow {
- domain
- -system_server
- -dumpstate
- -init
- -vendor_init
-} {
- system_jvmti_agent_prop
-}:file no_rw_file_perms;
-
-# Read/Write /proc/pressure/memory
-allow system_server proc_pressure_mem:file rw_file_perms;
-
-# dexoptanalyzer is currently used only for secondary dex files which
-# system_server should never access.
-neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
-
-# No ptracing others
-neverallow system_server { domain -system_server }:process ptrace;
-
-# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
-# file read access. However, that is now unnecessary (b/34951864)
-neverallow system_server system_server:global_capability_class_set sys_resource;
-
-# Only system_server/init should access /metadata/password_slots.
-neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
-neverallow {
- domain
- -init
- -system_server
-} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
-neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
-
-# Only system_server/init should access /metadata/userspacereboot.
-neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
-neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
-
-# Allow systemserver to read/write the invalidation property
-set_prop(system_server, binder_cache_system_server_prop)
-neverallow { domain -system_server -init }
- binder_cache_system_server_prop:property_service set;
-
-# Allow system server to attach BPF programs to tracepoints. Deny read permission so that
-# system_server cannot use this access to read perf event data like process stacks.
-allow system_server self:perf_event { open write cpu kernel };
-neverallow system_server self:perf_event ~{ open write cpu kernel };
-
-# Do not allow any domain other than init or system server to set the property
-neverallow { domain -init -system_server } socket_hook_prop:property_service set;
-
-neverallow { domain -init -system_server } boot_status_prop:property_service set;
-
-neverallow {
- domain
- -init
- -vendor_init
- -dumpstate
- -system_server
-} wifi_config_prop:file no_rw_file_perms;
-
-# Only allow system server to write uhid sysfs files
-neverallow {
- domain
- -init
- -system_server
- -ueventd
- -vendor_init
-} sysfs_uhid:file no_w_file_perms;
-
-# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
-# can be accessed by system_server only (b/143717177)
-# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
-# interface
-neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
-
-# Only system server can write the font files.
-neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
-neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
-
-# Read qemu.hw.mainkeys property
-get_prop(system_server, qemu_hw_prop)
diff --git a/microdroid/sepolicy/system/private/system_server_startup.te b/microdroid/sepolicy/system/private/system_server_startup.te
deleted file mode 100644
index 3301304..0000000
--- a/microdroid/sepolicy/system/private/system_server_startup.te
+++ /dev/null
@@ -1,20 +0,0 @@
-type system_server_startup, domain, coredomain;
-type system_server_startup_tmpfs, file_type;
-
-tmpfs_domain(system_server_startup)
-
-# Create JIT memory
-allow system_server_startup self:process execmem;
-allow system_server_startup system_server_startup_tmpfs:file { execute read write open map };
-
-# Allow system_server_startup to run setcon() and enter the
-# system_server domain
-allow system_server_startup self:process setcurrent;
-allow system_server_startup system_server:process dyntransition;
-
-# Child of the zygote.
-allow system_server_startup zygote:process sigchld;
-
-# Allow query ART device config properties
-get_prop(system_server_startup, device_config_runtime_native_boot_prop)
-get_prop(system_server_startup, device_config_runtime_native_prop)
diff --git a/microdroid/sepolicy/system/private/system_suspend.te b/microdroid/sepolicy/system/private/system_suspend.te
deleted file mode 100644
index caf8955..0000000
--- a/microdroid/sepolicy/system/private/system_suspend.te
+++ /dev/null
@@ -1,38 +0,0 @@
-type system_suspend, domain, coredomain, system_suspend_server, system_suspend_internal_server;
-
-type system_suspend_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(system_suspend)
-
-# To serve ISuspendControlService.
-binder_use(system_suspend)
-add_service(system_suspend, system_suspend_control_service)
-
-# Access to /sys/power/{ wakeup_count, state } suspend interface.
-allow system_suspend sysfs_power:file rw_file_perms;
-
-# Access to wakeup, suspend stats, and wakeup reasons.
-r_dir_file(system_suspend, sysfs_suspend_stats)
-r_dir_file(system_suspend, sysfs_wakeup)
-r_dir_file(system_suspend, sysfs_wakeup_reasons)
-# To resolve arbitrary sysfs paths from /sys/class/wakeup/* symlinks.
-allow system_suspend sysfs_type:dir search;
-
-# Access to suspend_hal system properties
-get_prop(system_suspend, suspend_prop)
-
-# To call BTAA registered callbacks
-allow system_suspend bluetooth:binder call;
-
-# For adding `dumpsys syspend_control` output to bugreport
-allow system_suspend dumpstate:fd use;
-allow system_suspend dumpstate:fifo_file write;
-
-neverallow {
- domain
- -atrace # tracing
- -bluetooth # support Bluetooth activity attribution (BTAA)
- -dumpstate # bug reports
- -system_suspend # implements system_suspend_control_service
- -system_server # configures system_suspend via ISuspendControlService
- -traceur_app # tracing
-} system_suspend_control_service:service_manager find;
diff --git a/microdroid/sepolicy/system/private/technical_debt.cil b/microdroid/sepolicy/system/private/technical_debt.cil
deleted file mode 100644
index 9b3e3c6..0000000
--- a/microdroid/sepolicy/system/private/technical_debt.cil
+++ /dev/null
@@ -1,71 +0,0 @@
-; THIS IS A WORKAROUND for the current limitations of the module policy language
-; This should be used sparingly until we figure out a saner way to achieve the
-; stuff below, for example, by improving typeattribute statement of module
-; language.
-;
-; NOTE: This file has no effect on recovery policy.
-
-; Apps, except isolated apps, are clients of Allocator HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_allocator_client;
-; typeattribute hal_allocator_client halclientdomain;
-(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
-(typeattributeset halclientdomain (hal_allocator_client))
-
-; Apps, except isolated apps, are clients of OMX-related services
-; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
-
-; Apps, except isolated apps, are clients of Codec2-related services
-; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
-
-; Apps, except isolated apps, are clients of Drm-related services
-; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_drm_client ((and (appdomain) ((not (isolated_app))))))
-
-; Apps, except isolated apps, are clients of Configstore HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_configstore_client;
-(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app))))))
-
-; Apps, except isolated apps, are clients of Graphics Allocator HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
-(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))
-
-; Apps, except isolated apps, are clients of Cas HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_cas_client;
-(typeattributeset hal_cas_client ((and (appdomain) ((not (isolated_app))))))
-
-; Domains hosting Camera HAL implementations are clients of Allocator HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute hal_camera hal_allocator_client;
-(typeattributeset hal_allocator_client (hal_camera))
-
-; Apps, except isolated apps, are clients of Neuralnetworks HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_neuralnetworks_client;
-(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app))))))
-
-; TODO(b/112056006): move these to mapping files when/if we implement 'versioned' attributes.
-; Rename untrusted_app_visible_* to untrusted_app_visible_*_violators.
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute untrusted_app_visible_hwservice untrusted_app_visible_hwservice_violators;
-; typeattribute untrusted_app_visible_halserver untrusted_app_visible_halserver_violators;
-(typeattribute untrusted_app_visible_hwservice)
-(typeattributeset untrusted_app_visible_hwservice_violators (untrusted_app_visible_hwservice))
-(typeattribute untrusted_app_visible_halserver)
-(typeattributeset untrusted_app_visible_halserver_violators (untrusted_app_visible_halserver))
-
-; Apps, except isolated apps, are clients of BufferHub HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_cas_client;
-(typeattributeset hal_bufferhub_client ((and (appdomain) ((not (isolated_app))))))
-
-; Properties having both system_property_type and vendor_property_type are illegal
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { system_property_type && vendor_property_type } system_and_vendor_property_type;
-(typeattribute system_and_vendor_property_type)
-(typeattributeset system_and_vendor_property_type ((and (system_property_type) (vendor_property_type))))
diff --git a/microdroid/sepolicy/system/private/tombstoned.te b/microdroid/sepolicy/system/private/tombstoned.te
index b6dfd1e..2567a23 100644
--- a/microdroid/sepolicy/system/private/tombstoned.te
+++ b/microdroid/sepolicy/system/private/tombstoned.te
@@ -2,12 +2,11 @@
init_daemon_domain(tombstoned)
-get_prop(tombstoned, tombstone_config_prop)
+# Write to arbitrary pipes given to us.
+allow tombstoned domain:fd use;
+allow tombstoned domain:fifo_file write;
-neverallow {
- domain
- -init
- -vendor_init
- -dumpstate
- -tombstoned
-} tombstone_config_prop:file no_rw_file_perms;
+allow tombstoned domain:dir r_dir_perms;
+allow tombstoned domain:file r_file_perms;
+allow tombstoned tombstone_data_file:dir rw_dir_perms;
+allow tombstoned tombstone_data_file:file { create_file_perms link };
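Review bot: The two added rules `allow tombstoned domain:dir r_dir_perms;` and `allow tombstoned domain:file r_file_perms;` are the broadest grant in this hunk — `domain` is the attribute of every process type, so tombstoned can read the /proc/<pid> tree of any process, privileged daemons included — yet unlike the fd/fifo rules above them they carry no comment saying what they are for. Presumably they exist so tombstoned can read /proc/<pid> entries of the process that crashed; if so, say that and make the scope explicit so a later reader does not widen it: `# Read /proc/<pid>/* of crashing processes. 'domain' spans every process type; keep this read-only (r_*_perms), never write/append.` The same hunk drops `get_prop(tombstoned, tombstone_config_prop)` together with the neverallow that fenced `tombstone_config_prop` off from other domains; that is fine if the type no longer exists in the minimal microdroid policy (the commit message suggests types were pruned), but if the type survives, the neverallow was a cheap guard worth keeping, so a one-line note in the file or commit message on which case applies would help.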
diff --git a/microdroid/sepolicy/system/private/traced.te b/microdroid/sepolicy/system/private/traced.te
deleted file mode 100644
index 6e3ad46..0000000
--- a/microdroid/sepolicy/system/private/traced.te
+++ /dev/null
@@ -1,118 +0,0 @@
-# Perfetto user-space tracing daemon (unprivileged)
-
-# type traced is defined under /public (because iorapd rules
-# under public/ need to refer to it).
-type traced_exec, system_file_type, exec_type, file_type;
-
-# Allow init to exec the daemon.
-init_daemon_domain(traced)
-tmpfs_domain(traced)
-
-# Allow apps in other MLS contexts (for multi-user) to access
-# share memory buffers created by traced.
-typeattribute traced_tmpfs mlstrustedobject;
-
-# Allow traced to start with a lower scheduling class and change
-# class accordingly to what defined in the config provided by
-# the privileged process that controls it.
-allow traced self:global_capability_class_set { sys_nice };
-
-# Allow to pass a file descriptor for the output trace from "perfetto" (the
-# cmdline client) and other shell binaries to traced and let traced write
-# directly into that (rather than returning the trace contents over the socket).
-allow traced perfetto:fd use;
-allow traced shell:fd use;
-allow traced shell:fifo_file { read write };
-
-# Allow the service to create new files within /data/misc/perfetto-traces.
-allow traced perfetto_traces_data_file:file create_file_perms;
-allow traced perfetto_traces_data_file:dir rw_dir_perms;
-# ... and /data/misc/perfetto-traces/bugreport*
-allow traced perfetto_traces_bugreport_data_file:file create_file_perms;
-allow traced perfetto_traces_bugreport_data_file:dir rw_dir_perms;
-
-# Allow traceur to pass open file descriptors to traced, so traced can directly
-# write into the output file without doing roundtrips over IPC.
-allow traced traceur_app:fd use;
-allow traced trace_data_file:file { read write };
-
-# Allow perfetto to access the proxy service for notifying Traceur.
-allow traced tracingproxy_service:service_manager find;
-binder_use(traced);
-binder_call(traced, system_server);
-
-# Allow iorapd to pass memfd descriptors to traced, so traced can directly
-# write into the shmem buffer file without doing roundtrips over IPC.
-allow traced iorapd:fd use;
-allow traced iorapd_tmpfs:file { read write };
-
-# Allow traced to use shared memory supplied by producers. Typically, traced
-# (i.e. the tracing service) creates the shared memory used for data transfer
-# from the producer. This rule allows an alternative scheme, where the producer
-# creates the shared memory, that is then adopted by traced (after validating
-# that it is appropriately sealed).
-# This list has to replicate the tmpfs domains of all applicable domains that
-# have perfetto_producer() macro applied to them.
-# perfetto_tmpfs excluded as it should never need to use the producer-supplied
-# shared memory scheme.
-allow traced {
- appdomain_tmpfs
- heapprofd_tmpfs
- surfaceflinger_tmpfs
- traced_probes_tmpfs
- userdebug_or_eng(`system_server_tmpfs')
-}:file { getattr map read write };
-
-# Allow traced to notify Traceur when a trace ends by setting the
-# sys.trace.trace_end_signal property.
-set_prop(traced, system_trace_prop)
-# Allow to lazily start producers.
-set_prop(traced, traced_lazy_prop)
-
-# Allow traced to talk to statsd for logging metrics.
-unix_socket_send(traced, statsdw, statsd)
-
-###
-### Neverallow rules
-###
-### traced should NEVER do any of this
-
-# Disallow mapping executable memory (execstack and exec are already disallowed
-# globally in domain.te).
-neverallow traced self:process execmem;
-
-# Block device access.
-neverallow traced dev_type:blk_file { read write };
-
-# ptrace any other process
-neverallow traced domain:process ptrace;
-
-# Disallows access to /data files, still allowing to write to file descriptors
-# passed through the socket.
-neverallow traced {
- data_file_type
- -perfetto_traces_data_file
- -perfetto_traces_bugreport_data_file
- -system_data_file
- -system_data_root_file
- # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
- # subsequent neverallow. Currently only getattr and search are allowed.
- -vendor_data_file
- -zoneinfo_data_file
- with_native_coverage(`-method_trace_data_file')
-}:dir *;
-neverallow traced { system_data_file }:dir ~{ getattr search };
-neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
-neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
-neverallow traced {
- data_file_type
- -zoneinfo_data_file
- -perfetto_traces_data_file
- -perfetto_traces_bugreport_data_file
- -trace_data_file
- with_native_coverage(`-method_trace_data_file')
-}:file ~write;
-
-# Only init is allowed to enter the traced domain via exec()
-neverallow { domain -init } traced:process transition;
-neverallow * traced:process dyntransition;
diff --git a/microdroid/sepolicy/system/private/traced_perf.te b/microdroid/sepolicy/system/private/traced_perf.te
deleted file mode 100644
index 96a7263..0000000
--- a/microdroid/sepolicy/system/private/traced_perf.te
+++ /dev/null
@@ -1,72 +0,0 @@
-# Performance profiler, backed by perf_event_open(2).
-# See go/perfetto-perf-android.
-typeattribute traced_perf coredomain;
-typeattribute traced_perf mlstrustedsubject;
-
-type traced_perf_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(traced_perf)
-perfetto_producer(traced_perf)
-
-# Allow traced_perf full use of perf_event_open(2). It will perform cpu-wide
-# profiling, but retain samples only for profileable processes.
-# Thread-specific profiling is still disallowed due to a PTRACE_MODE_ATTACH
-# check (which would require a process:attach SELinux allow-rule).
-allow traced_perf self:perf_event { open cpu kernel read write tracepoint };
-
-# Allow CAP_KILL for delivery of dedicated signal to obtain proc-fds from a
-# process. Allow CAP_DAC_READ_SEARCH for stack unwinding and symbolization of
-# sampled stacks, which requires opening the backing libraries/executables (as
-# symbols are usually not mapped into the process space). Not all such files
-# are world-readable, e.g. odex files that included user profiles during
-# profile-guided optimization.
-allow traced_perf self:capability { kill dac_read_search };
-
-# Allow reading /system/data/packages.list.
-allow traced_perf packages_list_file:file r_file_perms;
-
-# Allow reading files for stack unwinding and symbolization.
-r_dir_file(traced_perf, nativetest_data_file)
-r_dir_file(traced_perf, system_file_type)
-r_dir_file(traced_perf, apex_art_data_file)
-r_dir_file(traced_perf, apk_data_file)
-r_dir_file(traced_perf, dalvikcache_data_file)
-r_dir_file(traced_perf, vendor_file_type)
-
-# Allow to temporarily lift the kptr_restrict setting and build a symbolization
-# map reading /proc/kallsyms.
-userdebug_or_eng(`set_prop(traced_perf, lower_kptr_restrict_prop)')
-allow traced_perf proc_kallsyms:file r_file_perms;
-
-# Allow reading tracefs files to get the format and numeric ids of tracepoints.
-allow traced_perf debugfs_tracing:dir r_dir_perms;
-allow traced_perf debugfs_tracing:file r_file_perms;
-userdebug_or_eng(`
- allow traced_perf debugfs_tracing_debug:dir r_dir_perms;
- allow traced_perf debugfs_tracing_debug:file r_file_perms;
-')
-
-# Do not audit the cases where traced_perf attempts to access /proc/[pid] for
-# domains that it cannot read.
-dontaudit traced_perf domain:dir { search getattr open };
-
-# Do not audit failures to signal a process, as there are cases when this is
-# expected (native processes on debug builds use the policy for enforcing which
-# processes are profileable).
-dontaudit traced_perf domain:process signal;
-
-# Never allow access to app data files
-neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
-
-# Never allow profiling highly privileged processes.
-never_profile_perf(`{
- bpfloader
- init
- kernel
- keystore
- llkd
- logd
- ueventd
- vendor_init
- vold
-}')
diff --git a/microdroid/sepolicy/system/private/traced_probes.te b/microdroid/sepolicy/system/private/traced_probes.te
deleted file mode 100644
index 730a45c..0000000
--- a/microdroid/sepolicy/system/private/traced_probes.te
+++ /dev/null
@@ -1,152 +0,0 @@
-# Perfetto tracing probes, has tracefs access.
-type traced_probes_exec, system_file_type, exec_type, file_type;
-type traced_probes_tmpfs, file_type;
-
-# Allow init to exec the daemon.
-init_daemon_domain(traced_probes)
-tmpfs_domain(traced_probes)
-
-# Write trace data to the Perfetto traced damon. This requires connecting to its
-# producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(traced_probes)
-
-# Allow traced_probes to access tracefs.
-allow traced_probes debugfs_tracing:dir r_dir_perms;
-allow traced_probes debugfs_tracing:file rw_file_perms;
-allow traced_probes debugfs_trace_marker:file getattr;
-allow traced_probes debugfs_tracing_printk_formats:file r_file_perms;
-
-# Allow traced_probes to access mm_events trace instance
-allow traced_probes debugfs_tracing_instances:dir search;
-allow traced_probes debugfs_mm_events_tracing:dir search;
-allow traced_probes debugfs_mm_events_tracing:file rw_file_perms;
-
-# TODO(primiano): temporarily I/O tracing categories are still
-# userdebug only until we nail down the denylist/allowlist.
-userdebug_or_eng(`
-allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
-allow traced_probes debugfs_tracing_debug:file rw_file_perms;
-')
-
-# Allow traced_probes to start with a higher scheduling class and then downgrade
-# itself.
-allow traced_probes self:global_capability_class_set { sys_nice };
-
-# Allow procfs access
-r_dir_file(traced_probes, domain)
-
-# Allow to temporarily lift the kptr_restrict setting and build a symbolization
-# map reading /proc/kallsyms.
-userdebug_or_eng(`set_prop(traced_probes, lower_kptr_restrict_prop)')
-allow traced_probes proc_kallsyms:file r_file_perms;
-
-# Allow to read packages.list file.
-allow traced_probes packages_list_file:file r_file_perms;
-
-# Allow to log to kernel dmesg when starting / stopping ftrace.
-allow traced_probes kmsg_device:chr_file write;
-
-# Allow traced_probes to list the system partition.
-allow traced_probes system_file:dir { open read };
-
-# Allow traced_probes to list some of the data partition.
-allow traced_probes self:global_capability_class_set dac_read_search;
-
-allow traced_probes apk_data_file:dir { getattr open read search };
-allow traced_probes { apex_art_data_file apex_module_data_file }:dir { getattr open read search };
-allow traced_probes dalvikcache_data_file:dir { getattr open read search };
-userdebug_or_eng(`
-# search and getattr are granted via domain and coredomain, respectively.
-allow traced_probes system_data_file:dir { open read };
-')
-allow traced_probes system_app_data_file:dir { getattr open read search };
-allow traced_probes backup_data_file:dir { getattr open read search };
-allow traced_probes bootstat_data_file:dir { getattr open read search };
-allow traced_probes update_engine_data_file:dir { getattr open read search };
-allow traced_probes update_engine_log_data_file:dir { getattr open read search };
-allow traced_probes { user_profile_root_file user_profile_data_file}:dir { getattr open read search };
-
-# Allow traced_probes to run atrace. atrace pokes at system services to enable
-# their userspace TRACE macros.
-domain_auto_trans(traced_probes, atrace_exec, atrace);
-
-# Allow traced_probes to kill atrace on timeout.
-allow traced_probes atrace:process sigkill;
-
-# Allow traced_probes to access /proc files for system stats.
-# Note: trace data is NOT exposed to anything other than shell and privileged
-# system apps that have access to the traced consumer socket.
-allow traced_probes {
- proc_meminfo
- proc_vmstat
- proc_stat
-}:file r_file_perms;
-
-# Allow access to read /sys/class/devfreq/ and /$DEVICE/cur_freq files
-allow traced_probes sysfs_devfreq_dir:dir r_dir_perms;
-allow traced_probes sysfs_devfreq_cur:file r_file_perms;
-
-# Allow access to the IHealth and IPowerStats HAL service for tracing battery counters.
-hal_client_domain(traced_probes, hal_health)
-hal_client_domain(traced_probes, hal_power_stats)
-
-# Allow access to Atrace HAL for enabling vendor/device specific tracing categories.
-hal_client_domain(traced_probes, hal_atrace)
-
-# On debug builds allow to ingest system logs into the trace.
-userdebug_or_eng(`read_logd(traced_probes)')
-
-# Allow traced_probes to talk to statsd for logging metrics.
-unix_socket_send(traced_probes, statsdw, statsd)
-
-###
-### Neverallow rules
-###
-### traced_probes should NEVER do any of this
-
-# Disallow mapping executable memory (execstack and exec are already disallowed
-# globally in domain.te).
-neverallow traced_probes self:process execmem;
-
-# Block device access.
-neverallow traced_probes dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow traced_probes domain:process ptrace;
-
-# Disallows access to /data files.
-neverallow traced_probes {
- data_file_type
- -apex_module_data_file
- -apex_art_data_file
- -apk_data_file
- -dalvikcache_data_file
- -system_data_file
- -system_data_root_file
- -system_app_data_file
- -backup_data_file
- -bootstat_data_file
- -update_engine_data_file
- -update_engine_log_data_file
- -user_profile_root_file
- -user_profile_data_file
- # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
- # subsequent neverallow. Currently only getattr and search are allowed.
- -vendor_data_file
- -zoneinfo_data_file
- with_native_coverage(`-method_trace_data_file')
-}:dir *;
-neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
-neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
-neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
-neverallow traced_probes {
- data_file_type
- -zoneinfo_data_file
- -packages_list_file
- with_native_coverage(`-method_trace_data_file')
-}:file *;
-
-# Only init is allowed to enter the traced_probes domain via exec()
-neverallow { domain -init } traced_probes:process transition;
-neverallow * traced_probes:process dyntransition;
-
diff --git a/microdroid/sepolicy/system/private/traceur_app.te b/microdroid/sepolicy/system/private/traceur_app.te
deleted file mode 100644
index 2937e26..0000000
--- a/microdroid/sepolicy/system/private/traceur_app.te
+++ /dev/null
@@ -1,24 +0,0 @@
-typeattribute traceur_app coredomain;
-
-app_domain(traceur_app);
-allow traceur_app debugfs_tracing:file rw_file_perms;
-allow traceur_app debugfs_tracing_debug:dir r_dir_perms;
-
-userdebug_or_eng(`
- allow traceur_app debugfs_tracing_debug:file rw_file_perms;
-')
-
-allow traceur_app trace_data_file:file create_file_perms;
-allow traceur_app trace_data_file:dir rw_dir_perms;
-allow traceur_app atrace_exec:file rx_file_perms;
-
-# To exec the perfetto cmdline client and pass it the trace config on
-# stdint through a pipe.
-allow traceur_app perfetto_exec:file rx_file_perms;
-
-# Allow to access traced's privileged consumer socket.
-unix_socket_connect(traceur_app, traced_consumer, traced)
-
-dontaudit traceur_app debugfs_tracing_debug:file audit_access;
-
-set_prop(traceur_app, debug_prop)
diff --git a/microdroid/sepolicy/system/private/tzdatacheck.te b/microdroid/sepolicy/system/private/tzdatacheck.te
deleted file mode 100644
index 502735c..0000000
--- a/microdroid/sepolicy/system/private/tzdatacheck.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute tzdatacheck coredomain;
-
-init_daemon_domain(tzdatacheck)
diff --git a/microdroid/sepolicy/system/private/ueventd.te b/microdroid/sepolicy/system/private/ueventd.te
index 8bcdbf9..eb06672 100644
--- a/microdroid/sepolicy/system/private/ueventd.te
+++ b/microdroid/sepolicy/system/private/ueventd.te
@@ -2,6 +2,51 @@
tmpfs_domain(ueventd)
-# ueventd can set properties, particularly it sets ro.cold_boot_done to signal
-# to init that cold boot has completed.
-set_prop(ueventd, cold_boot_done_prop)
+# Write to /dev/kmsg.
+allow ueventd kmsg_device:chr_file rw_file_perms;
+
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
+allow ueventd device:file create_file_perms;
+
+r_dir_file(ueventd, rootfs)
+
+# ueventd needs write access to files in /sys to regenerate uevents
+allow ueventd sysfs_type:file w_file_perms;
+r_dir_file(ueventd, sysfs_type)
+allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
+allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
+allow ueventd tmpfs:chr_file rw_file_perms;
+allow ueventd dev_type:dir create_dir_perms;
+allow ueventd dev_type:lnk_file { create unlink };
+allow ueventd dev_type:chr_file { getattr create setattr unlink };
+allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
+allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Get SELinux enforcing status.
+r_dir_file(ueventd, selinuxfs)
+
+# Access for /vendor/ueventd.rc and /vendor/firmware
+r_dir_file(ueventd, vendor_file_type)
+
+# Access for /apex/*/firmware
+allow ueventd apex_mnt_dir:dir r_dir_perms;
+
+# Get file contexts for new device nodes
+allow ueventd file_contexts_file:file r_file_perms;
+
+# Use setfscreatecon() to label /dev directories and files.
+allow ueventd self:process setfscreate;
+
+# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
+allow ueventd proc_cmdline:file r_file_perms;
+allow ueventd proc_bootconfig:file r_file_perms;
+
+# ueventd loads modules in response to modalias events.
+allow ueventd self:global_capability_class_set sys_module;
+allow ueventd vendor_file:system module_load;
+allow ueventd kernel:key search;
+
+# ueventd is using bootstrap bionic
+allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
+allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
+
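Review bot: The capability line `allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };` carries no comment saying which of these microdroid actually exercises, which matters most in a policy this commit describes as minimal and assembled by booting and adding what was denied. `sys_rawio`, `net_admin` and `dac_override` are the broad ones; if a microdroid boot produced no denials for them they can be dropped, and if they are needed a comment such as `# Capabilities used while creating, chowning and relabeling /dev nodes; each confirmed against boot denials.` should record that. These rules appear to mirror the ones in AOSP's public/ueventd.te, so the same check applies to `allow ueventd vendor_file:system module_load;` and `r_dir_file(ueventd, vendor_file_type)` if the microdroid image has no vendor partition to serve them. The `+` blank line at the end of the hunk adds a trailing empty line to the file and can be left out.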
diff --git a/microdroid/sepolicy/system/private/uncrypt.te b/microdroid/sepolicy/system/private/uncrypt.te
deleted file mode 100644
index 1a94cd1..0000000
--- a/microdroid/sepolicy/system/private/uncrypt.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute uncrypt coredomain;
-
-init_daemon_domain(uncrypt)
-
-# Set a property to reboot the device.
-set_prop(uncrypt, powerctl_prop)
diff --git a/microdroid/sepolicy/system/private/untrusted_app.te b/microdroid/sepolicy/system/private/untrusted_app.te
deleted file mode 100644
index 6e7a99c..0000000
--- a/microdroid/sepolicy/system/private/untrusted_app.te
+++ /dev/null
@@ -1,16 +0,0 @@
-###
-### Untrusted apps.
-###
-### This file defines the rules for untrusted apps running with
-### targetSdkVersion >= 30.
-###
-### See public/untrusted_app.te for more information about which apps are
-### placed in this selinux domain.
-###
-
-typeattribute untrusted_app coredomain;
-
-app_domain(untrusted_app)
-untrusted_app_domain(untrusted_app)
-net_domain(untrusted_app)
-bluetooth_domain(untrusted_app)
diff --git a/microdroid/sepolicy/system/private/untrusted_app_25.te b/microdroid/sepolicy/system/private/untrusted_app_25.te
deleted file mode 100644
index 82c07ff..0000000
--- a/microdroid/sepolicy/system/private/untrusted_app_25.te
+++ /dev/null
@@ -1,50 +0,0 @@
-###
-### Untrusted_app_25
-###
-### This file defines the rules for untrusted apps running with
-### targetSdkVersion <= 25.
-###
-### See public/untrusted_app.te for more information about which apps are
-### placed in this selinux domain.
-###
-
-typeattribute untrusted_app_25 coredomain;
-
-app_domain(untrusted_app_25)
-untrusted_app_domain(untrusted_app_25)
-net_domain(untrusted_app_25)
-bluetooth_domain(untrusted_app_25)
-
-# b/35917228 - /proc/misc access
-# This will go away in a future Android release
-allow untrusted_app_25 proc_misc:file r_file_perms;
-
-# Access to /proc/tty/drivers, to allow apps to determine if they
-# are running in an emulated environment.
-# b/33214085 b/33814662 b/33791054 b/33211769
-# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
-# This will go away in a future Android release
-allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
-
-# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
-# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
-allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
-
-# The ability to call exec() on files in the apps home directories
-# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
-# and 28 in untrusted_app_27.te.
-allow untrusted_app_25 app_data_file:file execute_no_trans;
-auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };
-
-# The ability to invoke dex2oat. Historically required by ART, now only
-# allowed for targetApi<=28 for compat reasons.
-allow untrusted_app_25 dex2oat_exec:file rx_file_perms;
-userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
-
-# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
-# ASharedMemory instead.
-allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
-auditallow untrusted_app_25 ashmem_device:chr_file open;
-
-# Read /mnt/sdcard symlink.
-allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
diff --git a/microdroid/sepolicy/system/private/untrusted_app_27.te b/microdroid/sepolicy/system/private/untrusted_app_27.te
deleted file mode 100644
index 7a326a5..0000000
--- a/microdroid/sepolicy/system/private/untrusted_app_27.te
+++ /dev/null
@@ -1,38 +0,0 @@
-###
-### Untrusted_27.
-###
-### This file defines the rules for untrusted apps running with
-### 25 < targetSdkVersion <= 28.
-###
-### See public/untrusted_app.te for more information about which apps are
-### placed in this selinux domain.
-###
-
-typeattribute untrusted_app_27 coredomain;
-
-app_domain(untrusted_app_27)
-untrusted_app_domain(untrusted_app_27)
-net_domain(untrusted_app_27)
-bluetooth_domain(untrusted_app_27)
-
-# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
-# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
-allow untrusted_app_27 { apk_data_file app_data_file asec_public_file }:file execmod;
-
-# The ability to call exec() on files in the apps home directories
-# for targetApi 26, 27, and 28.
-allow untrusted_app_27 app_data_file:file execute_no_trans;
-auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };
-
-# The ability to invoke dex2oat. Historically required by ART, now only
-# allowed for targetApi<=28 for compat reasons.
-allow untrusted_app_27 dex2oat_exec:file rx_file_perms;
-userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')
-
-# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
-# ASharedMemory instead.
-allow untrusted_app_27 ashmem_device:chr_file rw_file_perms;
-auditallow untrusted_app_27 ashmem_device:chr_file open;
-
-# Read /mnt/sdcard symlink.
-allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
diff --git a/microdroid/sepolicy/system/private/untrusted_app_29.te b/microdroid/sepolicy/system/private/untrusted_app_29.te
deleted file mode 100644
index d03f399..0000000
--- a/microdroid/sepolicy/system/private/untrusted_app_29.te
+++ /dev/null
@@ -1,16 +0,0 @@
-###
-### Untrusted_29.
-###
-### This file defines the rules for untrusted apps running with
-### targetSdkVersion = 29.
-###
-### See public/untrusted_app.te for more information about which apps are
-### placed in this selinux domain.
-###
-
-typeattribute untrusted_app_29 coredomain;
-
-app_domain(untrusted_app_29)
-untrusted_app_domain(untrusted_app_29)
-net_domain(untrusted_app_29)
-bluetooth_domain(untrusted_app_29)
diff --git a/microdroid/sepolicy/system/private/untrusted_app_all.te b/microdroid/sepolicy/system/private/untrusted_app_all.te
deleted file mode 100644
index 6064c14..0000000
--- a/microdroid/sepolicy/system/private/untrusted_app_all.te
+++ /dev/null
@@ -1,177 +0,0 @@
-###
-### Untrusted_app_all.
-###
-### This file defines the rules shared by all untrusted app domains except
-### ephemeral_app for instant apps and isolated_app (which has a reduced
-### permission set).
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app_all attribute is assigned to all default
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### attribute is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
-###
-### Note that rules that should apply to all untrusted apps must be in app.te or also
-### added to ephemeral_app.te.
-
-# Some apps ship with shared libraries and binaries that they write out
-# to their sandbox directory and then execute.
-allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
-allow untrusted_app_all app_data_file:file { r_file_perms execute };
-auditallow untrusted_app_all app_data_file:file execute;
-
-# Chrome Crashpad uses the the dynamic linker to load native executables
-# from an APK (b/112050209, crbug.com/928422)
-allow untrusted_app_all system_linker_exec:file execute_no_trans;
-
-# Follow priv-app symlinks. This is used for dynamite functionality.
-allow untrusted_app_all privapp_data_file:lnk_file r_file_perms;
-
-# Allow handling of less common filesystem objects
-allow untrusted_app_all app_data_file:{ lnk_file sock_file fifo_file } create_file_perms;
-
-# Allow loading and deleting executable shared libraries
-# within an application home directory. Such shared libraries would be
-# created by things like renderscript or via other mechanisms.
-allow untrusted_app_all app_exec_data_file:file { r_file_perms execute unlink };
-
-# ASEC
-allow untrusted_app_all asec_apk_file:file r_file_perms;
-allow untrusted_app_all asec_apk_file:dir r_dir_perms;
-# Execute libs in asec containers.
-allow untrusted_app_all asec_public_file:file { execute };
-
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-# TODO: Long term, we don't want apps probing into shell data files.
-# Figure out a way to remove these rules.
-allow untrusted_app_all shell_data_file:file r_file_perms;
-allow untrusted_app_all shell_data_file:dir r_dir_perms;
-
-# Allow traceur to pass file descriptors through a content provider to untrusted apps
-# for the purpose of sharing files through e.g. gmail
-allow untrusted_app_all trace_data_file:file { getattr read };
-
-# untrusted apps should not be able to open trace data files, they should depend
-# upon traceur to pass a file descriptor
-neverallow untrusted_app_all trace_data_file:dir *;
-neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
-
-# neverallow untrusted apps accessing debugfs_tracing
-neverallow untrusted_app_all debugfs_tracing:file no_rw_file_perms;
-
-# Allow to read staged apks.
-allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
-
-# Read and write system app data files passed over Binder.
-# Motivating case was /data/data/com.android.settings/cache/*.jpg for
-# cropping or taking user photos.
-allow untrusted_app_all system_app_data_file:file { read write getattr };
-
-#
-# Rules migrated from old app domains coalesced into untrusted_app.
-# This includes what used to be media_app, shared_app, and release_app.
-#
-
-# Access to /data/media.
-allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
-allow untrusted_app_all media_rw_data_file:file create_file_perms;
-
-# allow cts to query all services
-allow untrusted_app_all servicemanager:service_manager list;
-
-allow untrusted_app_all audioserver_service:service_manager find;
-allow untrusted_app_all cameraserver_service:service_manager find;
-allow untrusted_app_all drmserver_service:service_manager find;
-allow untrusted_app_all mediaserver_service:service_manager find;
-allow untrusted_app_all mediaextractor_service:service_manager find;
-allow untrusted_app_all mediametrics_service:service_manager find;
-allow untrusted_app_all mediadrmserver_service:service_manager find;
-allow untrusted_app_all nfc_service:service_manager find;
-allow untrusted_app_all radio_service:service_manager find;
-allow untrusted_app_all app_api_service:service_manager find;
-allow untrusted_app_all vr_manager_service:service_manager find;
-
-# gdbserver for ndk-gdb ptrace attaches to app process.
-allow untrusted_app_all self:process ptrace;
-
-# Android Studio Instant Run has the application connect to a
-# runas_app socket listening in the abstract namespace.
-# https://developer.android.com/studio/run/
-# b/123297648
-allow untrusted_app_all runas_app:unix_stream_socket connectto;
-
-# Untrusted apps need to be able to send a SIGCHLD to runas_app
-# when running under a debugger (b/123612207)
-allow untrusted_app_all runas_app:process sigchld;
-
-# Cts: HwRngTest
-allow untrusted_app_all sysfs_hwrandom:dir search;
-allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
-
-# Allow apps to view preloaded media content
-allow untrusted_app_all preloads_media_file:dir r_dir_perms;
-allow untrusted_app_all preloads_media_file:file r_file_perms;
-allow untrusted_app_all preloads_data_file:dir search;
-
-# Allow untrusted apps read / execute access to /vendor/app for there can
-# be pre-installed vendor apps that package a library within themselves.
-# TODO (b/37784178) Consider creating a special type for /vendor/app installed
-# apps.
-allow untrusted_app_all vendor_app_file:dir { open getattr read search };
-allow untrusted_app_all vendor_app_file:file { r_file_perms execute };
-allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
-
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(untrusted_app_all)
-
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(untrusted_app_all)
-can_profile_perf(untrusted_app_all)
-
-# allow untrusted apps to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow untrusted_app_all system_server:udp_socket {
- connect getattr read recvfrom sendto write getopt setopt };
-
-# Allow the renderscript compiler to be run.
-domain_auto_trans(untrusted_app_all, rs_exec, rs)
-
-# suppress denials caused by debugfs_tracing
-dontaudit untrusted_app_all debugfs_tracing:file rw_file_perms;
-
-# This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
-dontaudit untrusted_app_all net_dns_prop:file read;
-
-# These have been disallowed since Android O.
-# For P, we assume that apps are safely handling the denial.
-dontaudit untrusted_app_all proc_stat:file read;
-dontaudit untrusted_app_all proc_vmstat:file read;
-dontaudit untrusted_app_all proc_uptime:file read;
-
-# Allow the allocation and use of ptys
-# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-create_pty(untrusted_app_all)
-
-# Allow access to kcov via its ioctl interface for coverage
-# guided kernel fuzzing.
-userdebug_or_eng(`
- allow untrusted_app_all debugfs_kcov:file rw_file_perms;
- allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
- # The use of debugfs kcov is considered a breach of the kernel integrity
- # according to the heuristic of lockdown.
- allow untrusted_app_all self:lockdown integrity;
-')
-
-# Allow signalling simpleperf domain, which is the domain that the simpleperf
-# profiler runs as when executed by the app. The signals are used to control
-# the profiler (which would be profiling the app that is sending the signal).
-allow untrusted_app_all simpleperf:process signal;
diff --git a/microdroid/sepolicy/system/private/update_engine.te b/microdroid/sepolicy/system/private/update_engine.te
deleted file mode 100644
index d828e1f..0000000
--- a/microdroid/sepolicy/system/private/update_engine.te
+++ /dev/null
@@ -1,31 +0,0 @@
-typeattribute update_engine coredomain;
-
-init_daemon_domain(update_engine);
-
-# Allow to talk to gsid.
-allow update_engine gsi_service:service_manager find;
-binder_call(update_engine, gsid)
-
-# Allow to start gsid service.
-set_prop(update_engine, ctl_gsid_prop)
-
-# Allow to start snapuserd for dm-user communication.
-set_prop(update_engine, ctl_snapuserd_prop)
-
-# Allow to set the OTA related properties, e.g. ota.warm_reset.
-set_prop(update_engine, ota_prop)
-
-# Allow to get the DSU status
-get_prop(update_engine, gsid_prop)
-
-# Allow update_engine to call the callback function provided by GKI update hook.
-binder_call(update_engine, gki_apex_prepostinstall)
-
-# Allow to communicate with the snapuserd service, for dm-user snapshots.
-allow update_engine snapuserd:unix_stream_socket connectto;
-allow update_engine snapuserd_socket:sock_file write;
-
-# Allow to communicate with apexd for calculating and reserving space for
-# capex decompression
-allow update_engine apex_service:service_manager find;
-binder_call(update_engine, apexd)
diff --git a/microdroid/sepolicy/system/private/update_engine_common.te b/microdroid/sepolicy/system/private/update_engine_common.te
deleted file mode 100644
index 8571ff6..0000000
--- a/microdroid/sepolicy/system/private/update_engine_common.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
-# The postinstall program is run by update_engine_common and must be tagged
-# with postinstall_exec in the new filesystem.
-# TODO Have build system attempt to verify this
-domain_auto_trans(update_engine_common, postinstall_exec, postinstall)
-
-# Vendor directories can have the transition as well during OTA. This is caused
-# by update_engine execing scripts in vendor to perform any update tasks needed
-# there.
-domain_auto_trans(update_engine_common, postinstall_file, postinstall)
-
-allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
diff --git a/microdroid/sepolicy/system/private/update_verifier.te b/microdroid/sepolicy/system/private/update_verifier.te
deleted file mode 100644
index 5e1b27b..0000000
--- a/microdroid/sepolicy/system/private/update_verifier.te
+++ /dev/null
@@ -1,9 +0,0 @@
-typeattribute update_verifier coredomain;
-
-init_daemon_domain(update_verifier)
-
-# Allow update_verifier to reboot the device.
-set_prop(update_verifier, powerctl_prop)
-
-# Allow to set the OTA related properties e.g. ota.warm_reset.
-set_prop(update_verifier, ota_prop)
diff --git a/microdroid/sepolicy/system/private/usbd.te b/microdroid/sepolicy/system/private/usbd.te
deleted file mode 100644
index 42f2324..0000000
--- a/microdroid/sepolicy/system/private/usbd.te
+++ /dev/null
@@ -1,15 +0,0 @@
-typeattribute usbd coredomain;
-
-init_daemon_domain(usbd)
-
-# Access usb gadget hal
-hal_client_domain(usbd, hal_usb_gadget)
-
-# Access persist.sys.usb.config
-get_prop(usbd, system_prop)
-
-# start adbd during boot if adb is enabled
-set_prop(usbd, ctl_default_prop)
-
-# Start/stop adbd via ctl.start adbd
-set_prop(usbd, ctl_adbd_prop)
diff --git a/microdroid/sepolicy/system/private/vdc.te b/microdroid/sepolicy/system/private/vdc.te
deleted file mode 100644
index bc7409e..0000000
--- a/microdroid/sepolicy/system/private/vdc.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute vdc coredomain;
-
-init_daemon_domain(vdc)
diff --git a/microdroid/sepolicy/system/private/vendor_init.te b/microdroid/sepolicy/system/private/vendor_init.te
deleted file mode 100644
index 2e616f3..0000000
--- a/microdroid/sepolicy/system/private/vendor_init.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# Creating files on sysfs is impossible so this isn't a threat
-# Sometimes we have to write to non-existent files to avoid conditional
-# init behavior. See b/35303861 for an example.
-dontaudit vendor_init sysfs:dir write;
-
-# TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
-allow vendor_init system_data_root_file:dir rw_dir_perms;
-
-# Let vendor_init set service.adb.tcp.port.
-set_prop(vendor_init, adbd_config_prop)
-
-# chown/chmod on devices, e.g. /dev/ttyHS0
-allow vendor_init {
- dev_type
- -keychord_device
- -kvm_device
- -port_device
- -lowpan_device
- -hw_random_device
-}:chr_file setattr;
diff --git a/microdroid/sepolicy/system/private/viewcompiler.te b/microdroid/sepolicy/system/private/viewcompiler.te
deleted file mode 100644
index d1f0964..0000000
--- a/microdroid/sepolicy/system/private/viewcompiler.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# viewcompiler
-type viewcompiler, domain, coredomain, mlstrustedsubject;
-type viewcompiler_exec, system_file_type, exec_type, file_type;
-type viewcompiler_tmpfs, file_type;
-
-# Reading an APK opens a ZipArchive, which unpack to tmpfs.
-# Use tmpfs_domain() which will give tmpfs files created by viewcompiler their
-# own label, which differs from other labels created by other processes.
-# This allows to distinguish in policy files created by viewcompiler vs other
-# processes.
-tmpfs_domain(viewcompiler)
-
-allow viewcompiler installd:fd use;
-
-# Include write permission for app data files so viewcompiler can generate
-# compiled layout dex files
-allow viewcompiler app_data_file:file { getattr write };
-
-# Allow the view compiler to read resources from the apps APK.
-allow viewcompiler apk_data_file:file { read map };
-
-# priv-apps are moving to a world where they can only execute
-# signed code. Make sure viewcompiler never can write to privapp
-# directories to avoid introducing unsigned executable code
-neverallow viewcompiler privapp_data_file:file no_w_file_perms;
diff --git a/microdroid/sepolicy/system/private/virtual_touchpad.te b/microdroid/sepolicy/system/private/virtual_touchpad.te
deleted file mode 100644
index e735172..0000000
--- a/microdroid/sepolicy/system/private/virtual_touchpad.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute virtual_touchpad coredomain;
-
-init_daemon_domain(virtual_touchpad)
diff --git a/microdroid/sepolicy/system/private/virtualizationservice.te b/microdroid/sepolicy/system/private/virtualizationservice.te
deleted file mode 100644
index 097f0a0..0000000
--- a/microdroid/sepolicy/system/private/virtualizationservice.te
+++ /dev/null
@@ -1,22 +0,0 @@
-type virtualizationservice, domain, coredomain;
-type virtualizationservice_exec, system_file_type, exec_type, file_type;
-
-# When init runs a file labelled with virtualizationservice_exec, run it in the
-# virtualizationservice domain.
-init_daemon_domain(virtualizationservice)
-
-# Let the virtualizationservice domain use Binder.
-binder_use(virtualizationservice)
-
-# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
-add_service(virtualizationservice, virtualization_service)
-
-# When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
-domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)
-
-# Let virtualizationservice kill crosvm.
-allow virtualizationservice crosvm:process sigkill;
-
-# Let virtualizationservice access its data directory.
-allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
-allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
diff --git a/microdroid/sepolicy/system/private/vold.te b/microdroid/sepolicy/system/private/vold.te
deleted file mode 100644
index a802bdb..0000000
--- a/microdroid/sepolicy/system/private/vold.te
+++ /dev/null
@@ -1,67 +0,0 @@
-typeattribute vold coredomain;
-
-init_daemon_domain(vold)
-
-# Switch to more restrictive domains when executing common tools
-domain_auto_trans(vold, sgdisk_exec, sgdisk);
-domain_auto_trans(vold, sdcardd_exec, sdcardd);
-
-# For a handful of probing tools, we choose an even more restrictive
-# domain when working with untrusted block devices
-domain_trans(vold, blkid_exec, blkid);
-domain_trans(vold, blkid_exec, blkid_untrusted);
-domain_trans(vold, fsck_exec, fsck);
-domain_trans(vold, fsck_exec, fsck_untrusted);
-
-# Newly created storage dirs are always treated as mount stubs to prevent us
-# from accidentally writing when the mount point isn't present.
-type_transition vold storage_file:dir storage_stub_file;
-type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
-
-# Property Service
-get_prop(vold, vold_config_prop)
-get_prop(vold, storage_config_prop);
-get_prop(vold, incremental_prop);
-
-set_prop(vold, vold_post_fs_data_prop)
-set_prop(vold, vold_prop)
-set_prop(vold, vold_status_prop)
-set_prop(vold, powerctl_prop)
-set_prop(vold, ctl_fuse_prop)
-set_prop(vold, restorecon_prop)
-set_prop(vold, ota_prop)
-set_prop(vold, boottime_prop)
-set_prop(vold, boottime_public_prop)
-
-# Vold will use Keystore instead of using Keymint directly. But it still needs
-# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
-allow vold vold_key:keystore2_key {
- convert_storage_key_to_ephemeral
- delete
- get_info
- manage_blob
- rebind
- req_forced_op
- update
- use
-};
-
-# vold needs to call keystore methods
-allow vold keystore:binder call;
-
-# vold needs to find keystore2 services
-allow vold keystore_service:service_manager find;
-allow vold keystore_maintenance_service:service_manager find;
-
-# vold needs to be able to call earlyBootEnded()
-allow vold keystore:keystore2 early_boot_ended;
-
-neverallow {
- domain
- -system_server
- -vdc
- -vold
- -update_verifier
- -apexd
- -gsid
-} vold_service:service_manager find;
diff --git a/microdroid/sepolicy/system/private/vold_prepare_subdirs.te b/microdroid/sepolicy/system/private/vold_prepare_subdirs.te
deleted file mode 100644
index 956e94e..0000000
--- a/microdroid/sepolicy/system/private/vold_prepare_subdirs.te
+++ /dev/null
@@ -1,60 +0,0 @@
-domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)
-
-typeattribute vold_prepare_subdirs mlstrustedsubject;
-
-allow vold_prepare_subdirs system_file:file execute_no_trans;
-allow vold_prepare_subdirs shell_exec:file rx_file_perms;
-allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
-allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
-allow vold_prepare_subdirs vold:fd use;
-allow vold_prepare_subdirs vold:fifo_file { read write };
-allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
-allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
-allow vold_prepare_subdirs self:process setfscreate;
-allow vold_prepare_subdirs {
- system_data_file
- vendor_data_file
-}:dir { open read write add_name remove_name rmdir relabelfrom };
-allow vold_prepare_subdirs {
- apex_appsearch_data_file
- apex_art_data_file
- apex_module_data_file
- apex_permission_data_file
- apex_rollback_data_file
- apex_scheduling_data_file
- apex_wifi_data_file
- backup_data_file
- face_vendor_data_file
- fingerprint_vendor_data_file
- iris_vendor_data_file
- rollback_data_file
- storaged_data_file
- system_data_file
- vold_data_file
-}:dir { create_dir_perms relabelto };
-allow vold_prepare_subdirs {
- apex_appsearch_data_file
- apex_art_data_file
- apex_art_staging_data_file
- apex_module_data_file
- apex_permission_data_file
- apex_rollback_data_file
- apex_scheduling_data_file
- apex_wifi_data_file
- backup_data_file
- face_vendor_data_file
- fingerprint_vendor_data_file
- iris_vendor_data_file
- rollback_data_file
- storaged_data_file
- system_data_file
- vold_data_file
-}:file { getattr unlink };
-allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
-allow vold_prepare_subdirs mnt_expand_file:dir search;
-allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
-allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
-# /data/misc is unlabeled during early boot.
-allow vold_prepare_subdirs unlabeled:dir search;
-
-dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
diff --git a/microdroid/sepolicy/system/private/vr_hwc.te b/microdroid/sepolicy/system/private/vr_hwc.te
deleted file mode 100644
index 053c03d..0000000
--- a/microdroid/sepolicy/system/private/vr_hwc.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute vr_hwc coredomain;
-
-# Daemon started by init.
-init_daemon_domain(vr_hwc)
-
-hal_server_domain(vr_hwc, hal_graphics_composer)
diff --git a/microdroid/sepolicy/system/private/vzwomatrigger_app.te b/microdroid/sepolicy/system/private/vzwomatrigger_app.te
deleted file mode 100644
index 8deb22b..0000000
--- a/microdroid/sepolicy/system/private/vzwomatrigger_app.te
+++ /dev/null
@@ -1,6 +0,0 @@
-###
-### A domain for further sandboxing the VzwOmaTrigger app.
-###
-type vzwomatrigger_app, domain;
-
-app_domain(vzwomatrigger_app)
diff --git a/microdroid/sepolicy/system/private/watchdogd.te b/microdroid/sepolicy/system/private/watchdogd.te
deleted file mode 100644
index 91ece70..0000000
--- a/microdroid/sepolicy/system/private/watchdogd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute watchdogd coredomain;
-
-init_daemon_domain(watchdogd)
diff --git a/microdroid/sepolicy/system/private/webview_zygote.te b/microdroid/sepolicy/system/private/webview_zygote.te
deleted file mode 100644
index 10bcf1c..0000000
--- a/microdroid/sepolicy/system/private/webview_zygote.te
+++ /dev/null
@@ -1,152 +0,0 @@
-# webview_zygote is an auxiliary zygote process that is used to spawn
-# isolated_app processes for rendering untrusted web content.
-
-typeattribute webview_zygote coredomain;
-
-# The webview_zygote needs to be able to transition domains.
-typeattribute webview_zygote mlstrustedsubject;
-
-# Allow access to temporary files, which is normally permitted through
-# a domain macro.
-tmpfs_domain(webview_zygote);
-
-userfaultfd_use(webview_zygote)
-
-# Allow reading/executing installed binaries to enable preloading the
-# installed WebView implementation.
-allow webview_zygote apk_data_file:dir r_dir_perms;
-allow webview_zygote apk_data_file:file { r_file_perms execute };
-
-# Access to the WebView relro file.
-allow webview_zygote shared_relro_file:dir search;
-allow webview_zygote shared_relro_file:file r_file_perms;
-
-# Set the UID/GID of the process.
-allow webview_zygote self:global_capability_class_set { setgid setuid };
-# Drop capabilities from bounding set.
-allow webview_zygote self:global_capability_class_set setpcap;
-# Switch SELinux context to app domains.
-allow webview_zygote self:process setcurrent;
-allow webview_zygote isolated_app:process dyntransition;
-
-# For art.
-allow webview_zygote { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
-allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
-allow webview_zygote { apex_art_data_file dalvikcache_data_file }:file { r_file_perms execute };
-allow webview_zygote apex_module_data_file:dir search;
-
-# Allow webview_zygote to create JIT memory.
-allow webview_zygote self:process execmem;
-
-# Allow webview_zygote to stat the files that it opens. It must
-# be able to inspect them so that it can reopen them on fork
-# if necessary: b/30963384.
-allow webview_zygote debugfs_trace_marker:file getattr;
-
-# Allow webview_zygote to manage the pgroup of its children.
-allow webview_zygote system_server:process getpgid;
-
-# Interaction between the webview_zygote and its children.
-allow webview_zygote isolated_app:process setpgid;
-
-# TODO (b/63631799) fix this access
-# Suppress denials to storage. Webview zygote should not be accessing.
-dontaudit webview_zygote mnt_expand_file:dir getattr;
-
-# TODO (b/72957399) remove this when webview_zygote is reparented to
-# app_process zygote
-dontaudit webview_zygote dex2oat_exec:file execute;
-
-# Get seapp_contexts
-allow webview_zygote seapp_contexts_file:file r_file_perms;
-# Check validity of SELinux context before use.
-selinux_check_context(webview_zygote)
-# Check SELinux permissions.
-selinux_check_access(webview_zygote)
-
-# Directory listing in /system.
-allow webview_zygote system_file:dir r_dir_perms;
-
-# Read and inspect temporary files (like system properties) managed by zygote.
-allow webview_zygote zygote_tmpfs:file { read getattr };
-# Child of zygote.
-allow webview_zygote zygote:fd use;
-allow webview_zygote zygote:process sigchld;
-
-# Allow apps access to /vendor/overlay
-r_dir_file(webview_zygote, vendor_overlay_file)
-
-allow webview_zygote same_process_hal_file:file { execute read open getattr map };
-
-allow webview_zygote system_data_file:lnk_file r_file_perms;
-
-# Send unsolicited message to system_server
-unix_socket_send(webview_zygote, system_unsolzygote, system_server)
-
-# Allow the webview_zygote to access the runtime feature flag properties.
-get_prop(webview_zygote, device_config_runtime_native_prop)
-get_prop(webview_zygote, device_config_runtime_native_boot_prop)
-
-#####
-##### Neverallow
-#####
-
-# Only permit transition to isolated_app.
-neverallow webview_zygote { domain -isolated_app }:process dyntransition;
-
-# Only setcon() transitions, no exec() based transitions, except for crash_dump.
-neverallow webview_zygote { domain -crash_dump }:process transition;
-
-# Must not exec() a program without changing domains.
-# Having said that, exec() above is not allowed.
-neverallow webview_zygote *:file execute_no_trans;
-
-# The only way to enter this domain is for the zygote to fork a new
-# webview_zygote child.
-neverallow { domain -zygote } webview_zygote:process dyntransition;
-
-# Disallow write access to properties.
-neverallow webview_zygote property_socket:sock_file write;
-neverallow webview_zygote property_type:property_service set;
-
-# Should not have any access to app data files.
-neverallow webview_zygote app_data_file_type:file { rwx_file_perms };
-
-neverallow webview_zygote {
- service_manager_type
- -activity_service
- -webviewupdate_service
-}:service_manager find;
-
-# Isolated apps shouldn't be able to access the driver directly.
-neverallow webview_zygote gpu_device:chr_file { rwx_file_perms };
-
-# Do not allow webview_zygote access to /cache.
-neverallow webview_zygote cache_file:dir ~{ r_dir_perms };
-neverallow webview_zygote cache_file:file ~{ read getattr };
-
-# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
-# unix_stream_socket, and netlink_selinux_socket.
-neverallow webview_zygote domain:{
- socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
- appletalk_socket netlink_route_socket netlink_tcpdiag_socket
- netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
- netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
- netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
- netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
- sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
- x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
- pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
- rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
- alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
- xdp_socket
-} *;
-
-# Do not allow access to Bluetooth-related system properties.
-# neverallow rules for Bluetooth-related data files are listed above.
-neverallow webview_zygote {
- bluetooth_a2dp_offload_prop
- bluetooth_audio_hal_prop
- bluetooth_prop
- exported_bluetooth_prop
-}:file create_file_perms;
diff --git a/microdroid/sepolicy/system/private/wificond.te b/microdroid/sepolicy/system/private/wificond.te
deleted file mode 100644
index 8bf37ca..0000000
--- a/microdroid/sepolicy/system/private/wificond.te
+++ /dev/null
@@ -1,9 +0,0 @@
-typeattribute wificond coredomain;
-
-set_prop(wificond, wifi_hal_prop)
-set_prop(wificond, wifi_prop)
-set_prop(wificond, ctl_default_prop)
-
-get_prop(wificond, hwservicemanager_prop)
-
-init_daemon_domain(wificond)
diff --git a/microdroid/sepolicy/system/private/wpantund.te b/microdroid/sepolicy/system/private/wpantund.te
deleted file mode 100644
index e91662c..0000000
--- a/microdroid/sepolicy/system/private/wpantund.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute wpantund coredomain;
-
-init_daemon_domain(wpantund)
diff --git a/microdroid/sepolicy/system/private/zipfuse.te b/microdroid/sepolicy/system/private/zipfuse.te
index fb7527b..a5248c1 100644
--- a/microdroid/sepolicy/system/private/zipfuse.te
+++ b/microdroid/sepolicy/system/private/zipfuse.te
@@ -32,3 +32,6 @@
# allow mounting with context=u:object_r:system_file:s0 so that files provided
# by zipfuse are treated the same as the other files in /system or /apex
allow system_file zipfusefs:filesystem associate;
+
+read_logd(zipfuse)
+control_logd(zipfuse)
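Review bot: The two added rules `read_logd(zipfuse)` and `control_logd(zipfuse)` carry no comment, while every other rule in this file is preceded by one explaining why zipfuse needs the access; a line such as `# zipfuse reads and manages logd buffers (explain the concrete use here)` above `read_logd(zipfuse)` would keep the file's convention. `control_logd` is broader than `read_logd`: it grants access to logd's control socket (the one used to clear or resize buffers), not just to reading log output, so a justification for the write/control half in particular is worth recording. If zipfuse only needs to run logcat-style reads, `read_logd(zipfuse)` alone would presumably suffice and `control_logd` could be dropped; if it does need both, the comment should say what it controls. The surrounding file is not visible here, so this is based on the hunk only.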
diff --git a/microdroid/sepolicy/system/private/zygote.te b/microdroid/sepolicy/system/private/zygote.te
deleted file mode 100644
index 9038c4f..0000000
--- a/microdroid/sepolicy/system/private/zygote.te
+++ /dev/null
@@ -1,265 +0,0 @@
-# zygote
-typeattribute zygote coredomain;
-typeattribute zygote mlstrustedsubject;
-
-init_daemon_domain(zygote)
-tmpfs_domain(zygote)
-
-read_runtime_log_tags(zygote)
-
-# Override DAC on files and switch uid/gid.
-allow zygote self:global_capability_class_set { dac_override dac_read_search setgid setuid fowner chown };
-
-# Drop capabilities from bounding set.
-allow zygote self:global_capability_class_set setpcap;
-
-# Switch SELinux context to app domains.
-allow zygote self:process setcurrent;
-allow zygote system_server_startup:process dyntransition;
-allow zygote appdomain:process dyntransition;
-allow zygote webview_zygote:process dyntransition;
-allow zygote app_zygote:process dyntransition;
-
-# Allow zygote to read app /proc/pid dirs (b/10455872).
-allow zygote appdomain:dir { getattr search };
-allow zygote appdomain:file { r_file_perms };
-
-userfaultfd_use(zygote)
-
-# Move children into the peer process group.
-allow zygote system_server:process { getpgid setpgid };
-allow zygote appdomain:process { getpgid setpgid };
-allow zygote webview_zygote:process { getpgid setpgid };
-allow zygote app_zygote:process { getpgid setpgid };
-
-# Read system data.
-allow zygote system_data_file:dir r_dir_perms;
-allow zygote system_data_file:file r_file_perms;
-
-# Write to /data/dalvik-cache.
-allow zygote dalvikcache_data_file:dir create_dir_perms;
-allow zygote dalvikcache_data_file:file create_file_perms;
-
-# Create symlinks in /data/dalvik-cache.
-allow zygote dalvikcache_data_file:lnk_file create_file_perms;
-
-# Write to /data/resource-cache.
-allow zygote resourcecache_data_file:dir rw_dir_perms;
-allow zygote resourcecache_data_file:file create_file_perms;
-
-# For updateability, the zygote may fetch the current boot
-# classpath from the dalvik cache. Integrity of the files
-# is ensured by fsverity protection (checked in art_apex_boot_integrity).
-allow zygote dalvikcache_data_file:file execute;
-
-# Allow zygote to find files in APEX data directories.
-allow zygote apex_module_data_file:dir search;
-
-# Allow zygote to find and map files created by on device signing.
-allow zygote apex_art_data_file:dir { getattr search };
-allow zygote apex_art_data_file:file { r_file_perms execute };
-
-# Bind mount on /data/data and mounted volumes
-allow zygote { system_data_file mnt_expand_file }:dir mounton;
-
-# Relabel /data/user /data/user_de and /data/data
-allow zygote tmpfs:{ dir lnk_file } relabelfrom;
-allow zygote system_data_file:{ dir lnk_file } relabelto;
-
-# Zygote opens /mnt/expand to mount CE DE storage on each vol
-allow zygote mnt_expand_file:dir { open read search relabelto };
-
-# Bind mount subdirectories on /data/misc/profiles/cur
-allow zygote user_profile_root_file:dir { mounton search };
-
-# Create and bind dirs on /data/data
-allow zygote tmpfs:dir { create_dir_perms mounton };
-
-# Goes into media directory and bind mount obb directory
-allow zygote media_rw_data_file:dir { getattr search };
-
-# Bind mount on top of existing mounted obb and data directory
-allow zygote media_rw_data_file:dir { mounton };
-
-# Read if sdcardfs is supported
-allow zygote proc_filesystems:file r_file_perms;
-
-# Create symlink for /data/user/0
-allow zygote tmpfs:lnk_file create;
-
-allow zygote mirror_data_file:dir r_dir_perms;
-
-# Get inode of directories for app data isolation
-allow zygote {
- app_data_file_type
- system_data_file
- mnt_expand_file
-}:dir getattr;
-
-# Allow zygote to create JIT memory.
-allow zygote self:process execmem;
-allow zygote zygote_tmpfs:file execute;
-allow zygote ashmem_libcutils_device:chr_file execute;
-
-# Execute idmap and dex2oat within zygote's own domain.
-# TODO: Should either of these be transitioned to the same domain
-# used by installd or stay in-domain for zygote?
-allow zygote idmap_exec:file rx_file_perms;
-allow zygote dex2oat_exec:file rx_file_perms;
-
-# Allow apps access to /vendor/overlay
-r_dir_file(zygote, vendor_overlay_file)
-
-# Control cgroups.
-allow zygote cgroup:dir create_dir_perms;
-allow zygote cgroup:{ file lnk_file } r_file_perms;
-allow zygote cgroup_v2:dir create_dir_perms;
-allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
-allow zygote self:global_capability_class_set sys_admin;
-
-# Allow zygote to stat the files that it opens. The zygote must
-# be able to inspect them so that it can reopen them on fork
-# if necessary: b/30963384.
-allow zygote pmsg_device:chr_file getattr;
-allow zygote debugfs_trace_marker:file getattr;
-
-# Get seapp_contexts
-allow zygote seapp_contexts_file:file r_file_perms;
-# Check validity of SELinux context before use.
-selinux_check_context(zygote)
-# Check SELinux permissions.
-selinux_check_access(zygote)
-
-# Native bridge functionality requires that zygote replaces
-# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
-allow zygote proc_cpuinfo:file mounton;
-
-# Allow remounting rootfs as MS_SLAVE.
-allow zygote rootfs:dir mounton;
-allow zygote tmpfs:filesystem { mount unmount };
-allow zygote fuse:filesystem { unmount };
-allow zygote sdcardfs:filesystem { unmount };
-
-# Allow creating user-specific storage source if started before vold.
-allow zygote mnt_user_file:dir { create_dir_perms mounton };
-allow zygote mnt_user_file:lnk_file create_file_perms;
-allow zygote mnt_user_file:file create_file_perms;
-
-# Allow mounting user-specific storage source if started before vold.
-allow zygote mnt_pass_through_file:dir { create_dir_perms mounton };
-
-# Allowed to mount user-specific storage into place
-allow zygote storage_file:dir { search mounton };
-
-# Allow mounting and creating files, dirs on sdcardfs.
-allow zygote { sdcard_type }:dir { create_dir_perms mounton };
-allow zygote { sdcard_type }:file { create_file_perms };
-
-# Handle --invoke-with command when launching Zygote with a wrapper command.
-allow zygote zygote_exec:file rx_file_perms;
-
-# Allow zygote to write to statsd.
-unix_socket_send(zygote, statsdw, statsd)
-
-# Root fs.
-r_dir_file(zygote, rootfs)
-
-# System file accesses.
-r_dir_file(zygote, system_file)
-
-# /oem accesses.
-allow zygote oemfs:dir search;
-
-userdebug_or_eng(`
- # Allow zygote to create and write method traces in /data/misc/trace.
- allow zygote method_trace_data_file:dir w_dir_perms;
- allow zygote method_trace_data_file:file { create w_file_perms };
-')
-
-allow zygote ion_device:chr_file r_file_perms;
-allow zygote tmpfs:dir r_dir_perms;
-
-allow zygote same_process_hal_file:file { execute read open getattr map };
-
-# Allow the zygote to access storage properties to check if sdcardfs is enabled.
-get_prop(zygote, storage_config_prop);
-
-# Let the zygote access overlays so it can initialize the AssetManager.
-get_prop(zygote, overlay_prop)
-get_prop(zygote, exported_overlay_prop)
-
-# Allow the zygote to access the runtime feature flag properties.
-get_prop(zygote, device_config_runtime_native_prop)
-get_prop(zygote, device_config_runtime_native_boot_prop)
-
-# Allow the zygote to access window manager native boot feature flags
-# to initialize WindowManager static properties.
-get_prop(zygote, device_config_window_manager_native_boot_prop)
-
-# ingore spurious denials
-# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
-# done to determine if the file should inherit setgid. In this case, setgid on the file is
-# undesirable, so suppress the denial.
-dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
-
-# Ignore spurious denials calling access() on fuse.
-# Also ignore read and open as sdcardfs may read and open dir when app tries to access a dir that
-# doesn't exist.
-# TODO(b/151316657): avoid the denials
-dontaudit zygote media_rw_data_file:dir { read open setattr };
-
-# Allow zygote to use ashmem fds from system_server.
-allow zygote system_server:fd use;
-
-# Send unsolicited message to system_server
-unix_socket_send(zygote, system_unsolzygote, system_server)
-
-# Allow zygote to access media_variant_prop for static initialization
-get_prop(zygote, media_variant_prop)
-
-# Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex
-get_prop(zygote, packagemanager_config_prop)
-
-# Allow zygote to read qemu.sf.lcd_density
-get_prop(zygote, qemu_sf_lcd_density_prop)
-
-# Allow zygote to read /apex/apex-info-list.xml
-allow zygote apex_info_file:file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# Ensure that all types assigned to app processes are included
-# in the appdomain attribute, so that all allow and neverallow rules
-# written on appdomain are applied to all app processes.
-# This is achieved by ensuring that it is impossible for zygote to
-# setcon (dyntransition) to any types other than those associated
-# with appdomain plus system_server_startup, webview_zygote and
-# app_zygote.
-neverallow zygote ~{
- appdomain
- system_server_startup
- webview_zygote
- app_zygote
-}:process dyntransition;
-
-# Zygote should never execute anything from /data except for
-# /data/dalvik-cache files or files generated during on-device
-# signing under /data/misc/apexdata/com.android.art/.
-neverallow zygote {
- data_file_type
- -apex_art_data_file # map PROT_EXEC
- -dalvikcache_data_file # map PROT_EXEC
-}:file no_x_file_perms;
-
-# Do not allow access to Bluetooth-related system properties and files
-neverallow zygote {
- bluetooth_a2dp_offload_prop
- bluetooth_audio_hal_prop
- bluetooth_prop
- exported_bluetooth_prop
-}:file create_file_perms;
-
-# Zygote should not be able to access app private data.
-neverallow zygote app_data_file_type:dir ~getattr;