Add microdroid specific sepolicy
Microdroid will have a separate sepolicy, apart from the core policy.
This is the first step; For now it's a simple copy of system/sepolicy.
For the future work, it will be stripped.
Bug: 189165759
Test: boot microdroid and see selinux enforced
Change-Id: I2fee39f7231560b49c93bd5e8d0feeffada40938
diff --git a/microdroid/sepolicy/system/private/domain.te b/microdroid/sepolicy/system/private/domain.te
new file mode 100644
index 0000000..c451fcf
--- /dev/null
+++ b/microdroid/sepolicy/system/private/domain.te
@@ -0,0 +1,543 @@
+# Transition to crash_dump when /system/bin/crash_dump* is executed.
+# This occurs when the process crashes.
+# We do not apply this to the su domain to avoid interfering with
+# tests (b/114136122)
+domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
+allow domain crash_dump:process sigchld;
+
+# Allow every process to check the heapprofd.enable properties to determine
+# whether to load the heap profiling library. This does not necessarily enable
+# heap profiling, as initialization will fail if it does not have the
+# necessary SELinux permissions.
+get_prop(domain, heapprofd_prop);
+# Allow heap profiling on debug builds.
+userdebug_or_eng(`can_profile_heap({
+ domain
+ -bpfloader
+ -init
+ -kernel
+ -keystore
+ -llkd
+ -logd
+ -logpersist
+ -recovery
+ -recovery_persist
+ -recovery_refresh
+ -ueventd
+ -vendor_init
+ -vold
+})')
+
+# As above, allow perf profiling most processes on debug builds.
+# zygote is excluded as system-wide profiling could end up with it
+# (unexpectedly) holding an open fd across a fork.
+userdebug_or_eng(`can_profile_perf({
+ domain
+ -bpfloader
+ -init
+ -kernel
+ -keystore
+ -llkd
+ -logd
+ -logpersist
+ -recovery
+ -recovery_persist
+ -recovery_refresh
+ -ueventd
+ -vendor_init
+ -vold
+ -zygote
+})')
+
+# Everyone can access the IncFS list of features.
+r_dir_file(domain, sysfs_fs_incfs_features);
+
+# Path resolution access in cgroups.
+allow domain cgroup:dir search;
+allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
+allow { domain -appdomain -rs } cgroup:file w_file_perms;
+
+allow domain cgroup_v2:dir search;
+allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
+allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
+
+allow domain cgroup_rc_file:dir search;
+allow domain cgroup_rc_file:file r_file_perms;
+allow domain task_profiles_file:file r_file_perms;
+allow domain task_profiles_api_file:file r_file_perms;
+allow domain vendor_task_profiles_file:file r_file_perms;
+
+# Allow all domains to read sys.use_memfd to determine
+# if memfd support can be used if device supports it
+get_prop(domain, use_memfd_prop);
+
+# Read access to sdkextensions props
+get_prop(domain, module_sdkextensions_prop)
+
+# Read access to bq configuration values
+get_prop(domain, bq_config_prop);
+
+# For now, everyone can access core property files
+# Device specific properties are not granted by default
+not_compatible_property(`
+ # DO NOT ADD ANY PROPERTIES HERE
+ get_prop(domain, core_property_type)
+ get_prop(domain, exported3_system_prop)
+ get_prop(domain, vendor_default_prop)
+')
+compatible_property_only(`
+ # DO NOT ADD ANY PROPERTIES HERE
+ get_prop({coredomain appdomain shell}, core_property_type)
+ get_prop({coredomain appdomain shell}, exported3_system_prop)
+ get_prop({coredomain appdomain shell}, exported_camera_prop)
+ get_prop({coredomain shell}, userspace_reboot_exported_prop)
+ get_prop({coredomain shell}, userspace_reboot_log_prop)
+ get_prop({coredomain shell}, userspace_reboot_test_prop)
+ get_prop({domain -coredomain -appdomain}, vendor_default_prop)
+')
+
+# Allow access to fsverity keyring.
+allow domain kernel:key search;
+# Allow access to keys in the fsverity keyring that were installed at boot.
+allow domain fsverity_init:key search;
+# For testing purposes, allow access to keys installed with su.
+userdebug_or_eng(`
+ allow domain su:key search;
+')
+
+# Allow access to linkerconfig file
+allow domain linkerconfig_file:dir search;
+allow domain linkerconfig_file:file r_file_perms;
+
+# Allow all processes to check for the existence of the boringssl_self_test_marker files.
+allow domain boringssl_self_test_marker:dir search;
+
+# Limit ability to ptrace or read sensitive /proc/pid files of processes
+# with other UIDs to these allowlisted domains.
+neverallow {
+ domain
+ -vold
+ userdebug_or_eng(`-llkd')
+ -dumpstate
+ userdebug_or_eng(`-incidentd')
+ userdebug_or_eng(`-profcollectd')
+ -storaged
+ -system_server
+} self:global_capability_class_set sys_ptrace;
+
+# Limit ability to generate hardware unique device ID attestations to priv_apps
+neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
+neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
+neverallow { domain -system_server } *:keystore2_key use_dev_id;
+neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ userdebug_or_eng(`-domain')
+} debugfs_tracing_debug:file no_rw_file_perms;
+
+# System_server owns dropbox data, and init creates/restorecons the directory
+# Disallow direct access by other processes.
+neverallow { domain -init -system_server } dropbox_data_file:dir *;
+neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
+
+###
+# Services should respect app sandboxes
+neverallow {
+ domain
+ -appdomain
+ -installd # creation of sandbox
+} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
+
+# Only the following processes should be directly accessing private app
+# directories.
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -app_zygote
+ -dexoptanalyzer
+ -installd
+ -iorap_inode2filename
+ -iorap_prefetcherd
+ -profman
+ -rs # spawned by appdomain, so carryover the exception above
+ -runas
+ -system_server
+ -viewcompiler
+ -zygote
+} { privapp_data_file app_data_file }:dir *;
+
+# Only apps should be modifying app data. installd is exempted for
+# restorecon and package install/uninstall.
+neverallow {
+ domain
+ -appdomain
+ -installd
+ -rs # spawned by appdomain, so carryover the exception above
+} { privapp_data_file app_data_file }:dir ~r_dir_perms;
+
+neverallow {
+ domain
+ -appdomain
+ -app_zygote
+ -installd
+ -iorap_prefetcherd
+ -rs # spawned by appdomain, so carryover the exception above
+} { privapp_data_file app_data_file }:file_class_set open;
+
+neverallow {
+ domain
+ -appdomain
+ -installd # creation of sandbox
+} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
+
+neverallow {
+ domain
+ -installd
+} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
+
+# The staging directory contains APEX and APK files. It is important to ensure
+# that these files cannot be accessed by other domains to ensure that the files
+# do not change between system_server staging the files and apexd processing
+# the files.
+neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *;
+neverallow { domain -init -system_app -system_server -apexd -adbd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
+neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
+# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
+# except for `link` and `unlink`.
+neverallow { domain -init -system_server } staging_data_file:file
+ { append create relabelfrom rename setattr write no_x_file_perms };
+
+neverallow {
+ domain
+ -appdomain # for oemfs
+ -bootanim # for oemfs
+ -recovery # for /tmp/update_binary in tmpfs
+ -microdroid_launcher -microdroid_manager # for executing shared libs on /mnt/apk in Microdroid
+} { fs_type -rootfs }:file execute;
+
+#
+# Assert that, to the extent possible, we're not loading executable content from
+# outside the rootfs or /system partition except for a few allowlisted domains.
+# Executable files loaded from /data is a persistence vector
+# we want to avoid. See
+# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
+#
+neverallow {
+ domain
+ -appdomain
+ with_asan(`-asan_extract')
+ -iorap_prefetcherd
+ -shell
+ userdebug_or_eng(`-su')
+ -system_server_startup # for memfd backed executable regions
+ -app_zygote
+ -webview_zygote
+ -zygote
+ userdebug_or_eng(`-mediaextractor')
+ userdebug_or_eng(`-mediaswcodec')
+} {
+ file_type
+ -system_file_type
+ -system_lib_file
+ -system_linker_exec
+ -vendor_file_type
+ -exec_type
+ -postinstall_file
+}:file execute;
+
+# Only init is allowed to write cgroup.rc file
+neverallow {
+ domain
+ -init
+ -vendor_init
+} cgroup_rc_file:file no_w_file_perms;
+
+# Only authorized processes should be writing to files in /data/dalvik-cache
+neverallow {
+ domain
+ -init # TODO: limit init to relabelfrom for files
+ -zygote
+ -installd
+ -postinstall_dexopt
+ -cppreopts
+ -dex2oat
+ -otapreopt_slot
+} dalvikcache_data_file:file no_w_file_perms;
+
+neverallow {
+ domain
+ -init
+ -installd
+ -postinstall_dexopt
+ -cppreopts
+ -dex2oat
+ -zygote
+ -otapreopt_slot
+} dalvikcache_data_file:dir no_w_dir_perms;
+
+# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
+# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
+neverallow {
+ domain
+ # art processes
+ -odrefresh
+ -odsign
+ # others
+ -apexd
+ -init
+ -vold_prepare_subdirs
+} apex_art_data_file:file no_w_file_perms;
+
+neverallow {
+ domain
+ # art processes
+ -odrefresh
+ -odsign
+ # others
+ -apexd
+ -init
+ -vold_prepare_subdirs
+} apex_art_data_file:dir no_w_dir_perms;
+
+# Protect most domains from executing arbitrary content from /data.
+neverallow {
+ domain
+ -appdomain
+} {
+ data_file_type
+ -apex_art_data_file
+ -dalvikcache_data_file
+ -system_data_file # shared libs in apks
+ -apk_data_file
+}:file no_x_file_perms;
+
+# Minimize dac_override and dac_read_search.
+# Instead of granting them it is usually better to add the domain to
+# a Unix group or change the permissions of a file.
+define(`dac_override_allowed', `{
+ apexd
+ dnsmasq
+ dumpstate
+ init
+ installd
+ userdebug_or_eng(`llkd')
+ lmkd
+ migrate_legacy_obb_data
+ netd
+ postinstall_dexopt
+ recovery
+ rss_hwm_reset
+ sdcardd
+ tee
+ ueventd
+ uncrypt
+ vendor_init
+ vold
+ vold_prepare_subdirs
+ zygote
+}')
+neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
+# Since the kernel checks dac_read_search before dac_override, domains that
+# have dac_override should also have dac_read_search to eliminate spurious
+# denials. Some domains have dac_read_search without having dac_override, so
+# this list should be a superset of the one above.
+neverallow ~{
+ dac_override_allowed
+ iorap_inode2filename
+ iorap_prefetcherd
+ traced_perf
+ traced_probes
+ heapprofd
+} self:global_capability_class_set dac_read_search;
+
+# Limit what domains can mount filesystems or change their mount flags.
+# sdcard_type / vfat is exempt as a larger set of domains need
+# this capability, including device-specific domains.
+neverallow {
+ domain
+ -apexd
+ recovery_only(`-fastbootd')
+ -init
+ -kernel
+ -otapreopt_chroot
+ -recovery
+ -update_engine
+ -vold
+ -zygote
+ -zipfuse
+} { fs_type
+ -sdcard_type
+}:filesystem { mount remount relabelfrom relabelto };
+
+enforce_debugfs_restriction(`
+ neverallow {
+ domain userdebug_or_eng(`-init')
+ } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
+')
+
+# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
+neverallow {
+ domain
+ userdebug_or_eng(`-domain')
+ -kernel
+ -gsid
+ -init
+ -recovery
+ -ueventd
+ -healthd
+ -uncrypt
+ -tee
+ -hal_bootctl_server
+ -fastbootd
+} self:global_capability_class_set sys_rawio;
+
+# Limit directory operations that doesn't need to do app data isolation.
+neverallow {
+ domain
+ -init
+ -installd
+ -zygote
+} mirror_data_file:dir *;
+
+# This property is being removed. Remove remaining access.
+neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
+neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
+
+# Only core domains are allowed to access package_manager properties
+neverallow { domain -init -system_server } pm_prop:property_service set;
+neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
+
+# Do not allow reading the last boot timestamp from system properties
+neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
+
+# Kprobes should only be used by adb root
+neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
+
+# On TREBLE devices, most coredomains should not access vendor_files.
+# TODO(b/71553434): Remove exceptions here.
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ -bootanim
+ -crash_dump
+ -heapprofd
+ userdebug_or_eng(`-profcollectd')
+ -init
+ -iorap_inode2filename
+ -iorap_prefetcherd
+ -kernel
+ -traced_perf
+ -ueventd
+ } vendor_file:file { no_w_file_perms no_x_file_perms open };
+')
+
+# Vendor domains are not permitted to initiate communications to core domain sockets
+full_treble_only(`
+ neverallow_establish_socket_comms({
+ domain
+ -coredomain
+ -appdomain
+ -socket_between_core_and_vendor_violators
+ }, {
+ coredomain
+ -logd # Logging by writing to logd Unix domain socket is public API
+ -netd # netdomain needs this
+ -mdnsd # netdomain needs this
+ userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
+ -init
+ -tombstoned # linker to tombstoned
+ userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
+ });
+')
+
+full_treble_only(`
+ # Do not allow system components access to /vendor files except for the
+ # ones allowed here.
+ neverallow {
+ coredomain
+ # TODO(b/37168747): clean up fwk access to /vendor
+ -crash_dump
+ -init # starts vendor executables
+ -iorap_inode2filename
+ -iorap_prefetcherd
+ -kernel # loads /vendor/firmware
+ -heapprofd
+ userdebug_or_eng(`-profcollectd')
+ -shell
+ -system_executes_vendor_violators
+ -traced_perf # library/binary access for symbolization
+ -ueventd # reads /vendor/ueventd.rc
+ -vold # loads incremental fs driver
+ } {
+ vendor_file_type
+ -same_process_hal_file
+ -vendor_app_file
+ -vendor_apex_file
+ -vendor_configs_file
+ -vendor_service_contexts_file
+ -vendor_framework_file
+ -vendor_idc_file
+ -vendor_keychars_file
+ -vendor_keylayout_file
+ -vendor_overlay_file
+ -vendor_public_framework_file
+ -vendor_public_lib_file
+ -vendor_task_profiles_file
+ -vndk_sp_file
+ }:file *;
+')
+
+# mlsvendorcompat is only for compatibility support for older vendor
+# images, and should not be granted to any domain in current policy.
+# (Every domain is allowed self:fork, so this will trigger if the
+# intsersection of domain & mlsvendorcompat is not empty.)
+neverallow domain mlsvendorcompat:process fork;
+
+# Only init and otapreopt_chroot should be mounting filesystems on locations
+# labeled system or vendor (/product and /vendor respectively).
+neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;
+
+# Only allow init and vendor_init to read/write mm_events properties
+# NOTE: dumpstate is allowed to read any system property
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -dumpstate
+} mm_events_config_prop:file no_rw_file_perms;
+
+# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
+# kernel traces. Addresses are not disclosed, they are repalced with symbol
+# names (if available). Traces don't disclose KASLR.
+neverallow {
+ domain
+ -init
+ userdebug_or_eng(`-profcollectd')
+ -vendor_init
+ -traced_probes
+ -traced_perf
+} proc_kallsyms:file { open read };
+
+# debugfs_kcov type is not included in this neverallow statement since the KCOV
+# tool uses it for kernel fuzzing.
+# vendor_modprobe is also exempted since the kernel modules it loads may create
+# debugfs files in its context.
+enforce_debugfs_restriction(`
+ neverallow {
+ domain
+ -vendor_modprobe
+ userdebug_or_eng(`
+ -init
+ -hal_dumpstate
+ ')
+ } { debugfs_type
+ userdebug_or_eng(`-debugfs_kcov')
+ -tracefs_type
+ }:file no_rw_file_perms;
+')