Merge "Allow system_server to read binderfs state file" into main
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index c83bcdb..4441d12 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -440,3 +440,7 @@
 r_dir_file(init, vendor_kernel_modules)
 allow init self:capability sys_module;
 allow init vendor_kernel_modules:system module_load;
+
+allow init tmpfs:chr_file relabelfrom;
+allow init kmsg_device:chr_file { getattr write relabelto };
+allow init kmsg_debug_device:chr_file { open write relabelto };
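Review bot: The three rules moved into private/init.te arrive without any comment, so a reader has to work out from `tmpfs:chr_file relabelfrom` plus the two `relabelto` targets that this is init relabeling the kmsg device nodes it creates on tmpfs. A one-line header above the block would make that explicit, e.g. `# Relabel the /dev/kmsg nodes init creates on tmpfs to kmsg_device / kmsg_debug_device and log to them.` The asymmetry between the two (getattr on kmsg_device, open on kmsg_debug_device) is inherited from the public file and presumably mirrors how each node is opened, but it is worth confirming since the move is an opportunity to tidy it.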
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index 98c483a..daf6185 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -18,6 +18,11 @@
   ctl_fuse_prop
 }:property_service set;
 
+allow property_type tmpfs:filesystem associate;
+
+dontaudit { domain -init } default_prop:file no_rw_file_perms;
+dontaudit { domain -init } default_prop:property_service set;
+
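Review bot: The `dontaudit` pair for default_prop is now placed above the "Neverallow rules" banner while its matching `neverallow` pair lands in the section below, so the two halves of one policy decision are separated without a cross-reference. A short comment on the dontaudit lines would keep the intent together, e.g. `# Silence denials on default_prop; the matching neverallow rules are in the Neverallow section below.` The `allow property_type tmpfs:filesystem associate;` line would also benefit from a why-comment — presumably property files live on a tmpfs mount, but that is not visible from this hunk, so state whichever mount it actually is.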
 ###
 ### Neverallow rules
 ###
@@ -67,3 +72,7 @@
     domain
     -init
 } non_existing_prop:property_service set;
+
+# Properties should be explicitly labeled in property_contexts
+neverallow { domain -init } default_prop:file no_rw_file_perms;
+neverallow { domain -init } default_prop:property_service set;
diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
index 5267348..0ea67a7 100644
--- a/microdroid/system/private/shell.te
+++ b/microdroid/system/private/shell.te
@@ -1,5 +1,76 @@
 typeattribute shell coredomain;
 
+# Root fs.
+allow shell rootfs:dir r_dir_perms;
+
+# Access /data/local/tmp.
+allow shell shell_data_file:dir create_dir_perms;
+allow shell shell_data_file:file create_file_perms;
+allow shell shell_data_file:file rx_file_perms;
+allow shell shell_data_file:lnk_file create_file_perms;
+
+allow shell devpts:chr_file rw_file_perms;
+allow shell tty_device:chr_file rw_file_perms;
+allow shell console_device:chr_file rw_file_perms;
+
+r_dir_file(shell, system_file)
+allow shell system_file:file x_file_perms;
+allow shell toolbox_exec:file rx_file_perms;
+allow shell shell_exec:file rx_file_perms;
+
+# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
+r_dir_file(shell, proc_net_type)
+
+allow shell {
+  proc_asound
+  proc_filesystems
+  proc_interrupts
+  proc_loadavg # b/124024827
+  proc_meminfo
+  proc_modules
+  proc_pid_max
+  proc_slabinfo
+  proc_stat
+  proc_timer
+  proc_uptime
+  proc_version
+  proc_vmstat
+  proc_zoneinfo
+}:file r_file_perms;
+
+# allow listing network interfaces under /sys/class/net.
+allow shell sysfs_net:dir r_dir_perms;
+
+r_dir_file(shell, cgroup)
+allow shell cgroup_desc_file:file r_file_perms;
+allow shell cgroup_desc_api_file:file r_file_perms;
+r_dir_file(shell, cgroup_v2)
+allow shell domain:dir { search open read getattr };
+allow shell domain:{ file lnk_file } { open read getattr };
+
+# statvfs() of /proc and other labeled filesystems
+# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
+allow shell { proc labeledfs }:filesystem getattr;
+
+# stat() of /dev
+allow shell device:dir getattr;
+
+# allow shell to read /proc/pid/attr/current for ps -Z
+allow shell domain:process getattr;
+
+# Allow pulling the SELinux policy for CTS purposes
+allow shell selinuxfs:dir r_dir_perms;
+allow shell selinuxfs:file r_file_perms;
+
+# /dev/fd is a symlink
+allow shell proc:lnk_file getattr;
+
+# read selinux policy files
+allow shell file_contexts_file:file r_file_perms;
+allow shell property_contexts_file:file r_file_perms;
+allow shell service_contexts_file:file r_file_perms;
+allow shell sepolicy_file:file r_file_perms;
+
 # Perform SELinux access checks, needed for CTS
 selinux_check_access(shell)
 selinux_check_context(shell)
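Review bot: Several comments in the moved block appear to be copied verbatim from the host Android policy and may not describe Microdroid: `# Allow pulling the SELinux policy for CTS purposes`, the `b/124024827` reference on proc_loadavg, and the filesystem list "(yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)" under the statvfs comment. If CTS does not run inside a Microdroid VM, each of these rules should either be reworded to name the actual Microdroid consumer or reconsidered, since a rule justified only by a test suite that never runs here is dead privilege — e.g. `# Allow reading the loaded policy from selinuxfs (used by debugging/tests inside the VM).` Note also that `allow shell domain:{ file lnk_file } { open read getattr }` lets shell read every domain's /proc/<pid> entries; that is inherited from the public file, but a comment stating that this is intentional for ps/top would help the next reviewer.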
diff --git a/microdroid/system/private/statsd.te b/microdroid/system/private/statsd.te
index 437f505..d802602 100644
--- a/microdroid/system/private/statsd.te
+++ b/microdroid/system/private/statsd.te
@@ -1,3 +1,22 @@
 typeattribute statsd coredomain;
 
 init_daemon_domain(statsd)
+
+# Allow statsd to scan through /proc/pid for all processes.
+r_dir_file(statsd, domain)
+
+# Allow executing files on system, such as running a shell or running:
+#   /system/bin/toolbox
+#   /system/bin/logcat
+#   /system/bin/dumpsys
+allow statsd devpts:chr_file { getattr ioctl read write };
+allow statsd shell_exec:file rx_file_perms;
+allow statsd system_file:file execute_no_trans;
+allow statsd toolbox_exec:file rx_file_perms;
+
+# Allow 'adb shell cmd' to upload configs and download output.
+allow statsd adbd:fd use;
+allow statsd adbd:unix_stream_socket { getattr read write };
+allow statsd shell:fifo_file { getattr read write };
+
+unix_socket_send(statsd, statsdw, statsd)
diff --git a/microdroid/system/private/su.te b/microdroid/system/private/su.te
index 533b328..9b8e2d0 100644
--- a/microdroid/system/private/su.te
+++ b/microdroid/system/private/su.te
@@ -2,3 +2,34 @@
 
 # su is also permissive to permit setenforce.
 permissive su;
+
+# Add su to various domains
+dontaudit su self:capability_class_set *;
+dontaudit su self:capability2 *;
+dontaudit su kernel:security *;
+dontaudit su { kernel file_type }:system *;
+dontaudit su self:memprotect *;
+dontaudit su domain:{ process process2 } *;
+dontaudit su domain:fd *;
+dontaudit su domain:dir *;
+dontaudit su domain:lnk_file *;
+dontaudit su domain:{ fifo_file file } *;
+dontaudit su domain:socket_class_set *;
+dontaudit su domain:ipc_class_set *;
+dontaudit su domain:key *;
+dontaudit su fs_type:filesystem *;
+dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
+dontaudit su node_type:node *;
+dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
+dontaudit su netif_type:netif *;
+dontaudit su port_type:socket_class_set *;
+dontaudit su port_type:{ tcp_socket dccp_socket } *;
+dontaudit su domain:peer *;
+dontaudit su domain:binder *;
+dontaudit su property_type:property_service *;
+dontaudit su property_type:file *;
+dontaudit su domain:drmservice *;
+dontaudit su unlabeled:filesystem *;
+dontaudit su domain:bpf *;
+dontaudit su unlabeled:vsock_socket *;
+dontaudit su self:perf_event *;
diff --git a/microdroid/system/private/vendor_init.te b/microdroid/system/private/vendor_init.te
new file mode 100644
index 0000000..669f69a
--- /dev/null
+++ b/microdroid/system/private/vendor_init.te
@@ -0,0 +1,144 @@
+# Communication to the main init process
+allow vendor_init init:unix_stream_socket { read write };
+
+# Logging to kmsg
+allow vendor_init kmsg_device:chr_file { open getattr write };
+
+# Mount on /dev/usb-ffs/adb.
+allow vendor_init device:dir mounton;
+
+# Create and remove symlinks in /.
+allow vendor_init rootfs:lnk_file { create unlink };
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow vendor_init cgroup:dir create_dir_perms;
+allow vendor_init cgroup:file w_file_perms;
+allow vendor_init cgroup_v2:dir create_dir_perms;
+allow vendor_init cgroup_v2:file w_file_perms;
+
+# /config
+allow vendor_init configfs:dir mounton;
+allow vendor_init configfs:dir create_dir_perms;
+allow vendor_init configfs:{ file lnk_file } create_file_perms;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow vendor_init self:global_capability_class_set { chown fowner fsetid };
+
+allow vendor_init system_data_file:dir getattr;
+
+allow vendor_init {
+  file_type
+  -exec_type
+  -system_file_type
+  -unlabeled
+  -vendor_file_type
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
+
+allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
+
+allow vendor_init {
+  file_type
+  -exec_type
+  -system_file_type
+  -unlabeled
+  -vendor_file_type
+  -apex_info_file
+  enforce_debugfs_restriction(`-debugfs_type')
+}:file { create getattr open read write setattr relabelfrom unlink map };
+
+allow vendor_init {
+  file_type
+  -exec_type
+  -system_file_type
+  -unlabeled
+  -vendor_file_type
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow vendor_init {
+  file_type
+  -apex_mnt_dir
+  -exec_type
+  -system_file_type
+  -unlabeled
+  -vendor_file_type
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow vendor_init {
+  file_type
+  -exec_type
+  -system_file_type
+  -vendor_file_type
+}:dir_file_class_set relabelto;
+
+allow vendor_init dev_type:dir create_dir_perms;
+allow vendor_init dev_type:lnk_file create;
+
+# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
+allow vendor_init debugfs_tracing:file w_file_perms;
+
+# chown/chmod on pseudo files.
+allow vendor_init {
+  fs_type
+  -fusefs_type
+  -rootfs
+  -proc_uid_time_in_state
+  -proc_uid_concurrent_active_time
+  -proc_uid_concurrent_policy_time
+  enforce_debugfs_restriction(`-debugfs_type')
+}:file { open read setattr map };
+
+allow vendor_init tracefs_type:file { open read setattr map };
+
+allow vendor_init {
+  fs_type
+  -fusefs_type
+  -rootfs
+  -proc_uid_time_in_state
+  -proc_uid_concurrent_active_time
+  -proc_uid_concurrent_policy_time
+}:dir  { open read setattr search };
+
+allow vendor_init dev_type:blk_file getattr;
+
+# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
+r_dir_file(vendor_init, proc_net_type)
+allow vendor_init proc_net_type:file w_file_perms;
+allow vendor_init self:global_capability_class_set net_admin;
+
+# Write to /proc/sys/vm/page-cluster
+allow vendor_init proc_page_cluster:file w_file_perms;
+
+# Write to sysfs nodes.
+allow vendor_init sysfs_type:dir r_dir_perms;
+allow vendor_init sysfs_type:lnk_file read;
+allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
+
+# setfscreatecon() for labeling directories and socket files.
+allow vendor_init self:process { setfscreate };
+
+r_dir_file(vendor_init, vendor_file_type)
+
+# Vendor init can perform operations on trusted and security Extended Attributes
+allow vendor_init self:global_capability_class_set sys_admin;
+
+# vendor_init is using bootstrap bionic
+use_bootstrap_libs(vendor_init)
+
+# Get file context
+allow vendor_init file_contexts_file:file r_file_perms;
+
+# Allow vendor_init to (re)set nice
+allow vendor_init self:capability sys_nice;
+
+# chown/chmod on devices, e.g. /dev/ttyHS0
+allow vendor_init {
+  dev_type
+  -hw_random_device
+}:chr_file setattr;
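Review bot: The new private/vendor_init.te file has no header, so nothing ties it to the `type vendor_init, domain;` declaration that stays in public/vendor_init.te or states what vendor_init is in a Microdroid VM; a two-line header such as `# vendor_init: runs vendor-supplied init.rc actions on behalf of init. The type is declared in public/vendor_init.te.` would fix that. Some of the moved comments are host-specific and may be stale here — `# system/core/init.rc requires at least cache_file and data_file_type.` and `# Mount on /dev/usb-ffs/adb.` — and should be checked against what Microdroid's init.rc files actually do. Given that this domain carries `sys_admin`, `dac_override`, `chown` and relabel rights over nearly all of `file_type`, an explicit comment noting that these are inherited from the host policy and which ones Microdroid has actually exercised would make the broad grant easier to trim later.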
diff --git a/microdroid/system/public/adbd.te b/microdroid/system/public/adbd.te
index a41d4a3..f773eab 100644
--- a/microdroid/system/public/adbd.te
+++ b/microdroid/system/public/adbd.te
@@ -1,2 +1,6 @@
 type adbd, domain;
 type adbd_exec, exec_type, file_type, system_file_type;
+
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/apexd.te b/microdroid/system/public/apexd.te
index d14da93..7d34e63 100644
--- a/microdroid/system/public/apexd.te
+++ b/microdroid/system/public/apexd.te
@@ -1,2 +1,6 @@
 type apexd, domain, coredomain;
 type apexd_exec, file_type, exec_type, system_file_type;
+
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/crash_dump.te b/microdroid/system/public/crash_dump.te
index d59b034..bac3012 100644
--- a/microdroid/system/public/crash_dump.te
+++ b/microdroid/system/public/crash_dump.te
@@ -1,2 +1,6 @@
 type crash_dump, domain;
 type crash_dump_exec, system_file_type, exec_type, file_type;
+
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index dfae6f9..c8a05f5 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -27,3 +27,7 @@
 type vd_device, dev_type;
 type vsock_device, dev_type;
 type zero_device, dev_type;
+
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 201a07e..8d3f76a 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -191,3 +191,7 @@
 type usbfs, fs_type;
 type usermodehelper, fs_type, proc_type;
 type vfat, fs_type, sdcard_type;
+
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/init.te b/microdroid/system/public/init.te
index b4def39..79f537d 100644
--- a/microdroid/system/public/init.te
+++ b/microdroid/system/public/init.te
@@ -3,6 +3,6 @@
 type init_exec, system_file_type, exec_type, file_type;
 type init_tmpfs, file_type;
 
-allow init tmpfs:chr_file relabelfrom;
-allow init kmsg_device:chr_file { getattr write relabelto };
-allow init kmsg_debug_device:chr_file { open write relabelto };
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/kernel.te b/microdroid/system/public/kernel.te
index 9ea35c1..c8f0038 100644
--- a/microdroid/system/public/kernel.te
+++ b/microdroid/system/public/kernel.te
@@ -1,2 +1,6 @@
 # Life begins with the kernel.
 type kernel, domain;
+
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index c2e5ebd..7db53d0 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -50,11 +50,6 @@
 type vendor_default_prop, property_type;
 type powerctl_prop, property_type;
 
-allow property_type tmpfs:filesystem associate;
-
-# Properties should be explicitly labeled in property_contexts
-neverallow { domain -init } default_prop:file no_rw_file_perms;
-neverallow { domain -init } default_prop:property_service set;
-
-dontaudit { domain -init } default_prop:file no_rw_file_perms;
-dontaudit { domain -init } default_prop:property_service set;
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/shell.te b/microdroid/system/public/shell.te
index 0bcb29d..0d0c63f 100644
--- a/microdroid/system/public/shell.te
+++ b/microdroid/system/public/shell.te
@@ -2,73 +2,6 @@
 type shell, domain;
 type shell_exec, system_file_type, exec_type, file_type;
 
-# Root fs.
-allow shell rootfs:dir r_dir_perms;
-
-# Access /data/local/tmp.
-allow shell shell_data_file:dir create_dir_perms;
-allow shell shell_data_file:file create_file_perms;
-allow shell shell_data_file:file rx_file_perms;
-allow shell shell_data_file:lnk_file create_file_perms;
-
-allow shell devpts:chr_file rw_file_perms;
-allow shell tty_device:chr_file rw_file_perms;
-allow shell console_device:chr_file rw_file_perms;
-
-r_dir_file(shell, system_file)
-allow shell system_file:file x_file_perms;
-allow shell toolbox_exec:file rx_file_perms;
-allow shell shell_exec:file rx_file_perms;
-
-# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
-r_dir_file(shell, proc_net_type)
-
-allow shell {
-  proc_asound
-  proc_filesystems
-  proc_interrupts
-  proc_loadavg # b/124024827
-  proc_meminfo
-  proc_modules
-  proc_pid_max
-  proc_slabinfo
-  proc_stat
-  proc_timer
-  proc_uptime
-  proc_version
-  proc_vmstat
-  proc_zoneinfo
-}:file r_file_perms;
-
-# allow listing network interfaces under /sys/class/net.
-allow shell sysfs_net:dir r_dir_perms;
-
-r_dir_file(shell, cgroup)
-allow shell cgroup_desc_file:file r_file_perms;
-allow shell cgroup_desc_api_file:file r_file_perms;
-r_dir_file(shell, cgroup_v2)
-allow shell domain:dir { search open read getattr };
-allow shell domain:{ file lnk_file } { open read getattr };
-
-# statvfs() of /proc and other labeled filesystems
-# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
-allow shell { proc labeledfs }:filesystem getattr;
-
-# stat() of /dev
-allow shell device:dir getattr;
-
-# allow shell to read /proc/pid/attr/current for ps -Z
-allow shell domain:process getattr;
-
-# Allow pulling the SELinux policy for CTS purposes
-allow shell selinuxfs:dir r_dir_perms;
-allow shell selinuxfs:file r_file_perms;
-
-# /dev/fd is a symlink
-allow shell proc:lnk_file getattr;
-
-# read selinux policy files
-allow shell file_contexts_file:file r_file_perms;
-allow shell property_contexts_file:file r_file_perms;
-allow shell service_contexts_file:file r_file_perms;
-allow shell sepolicy_file:file r_file_perms;
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/statsd.te b/microdroid/system/public/statsd.te
index 0807126..5a37179 100644
--- a/microdroid/system/public/statsd.te
+++ b/microdroid/system/public/statsd.te
@@ -1,22 +1,6 @@
 type statsd, domain;
-
 type statsd_exec, system_file_type, exec_type, file_type;
 
-# Allow statsd to scan through /proc/pid for all processes.
-r_dir_file(statsd, domain)
-
-# Allow executing files on system, such as running a shell or running:
-#   /system/bin/toolbox
-#   /system/bin/logcat
-#   /system/bin/dumpsys
-allow statsd devpts:chr_file { getattr ioctl read write };
-allow statsd shell_exec:file rx_file_perms;
-allow statsd system_file:file execute_no_trans;
-allow statsd toolbox_exec:file rx_file_perms;
-
-# Allow 'adb shell cmd' to upload configs and download output.
-allow statsd adbd:fd use;
-allow statsd adbd:unix_stream_socket { getattr read write };
-allow statsd shell:fifo_file { getattr read write };
-
-unix_socket_send(statsd, statsdw, statsd)
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/su.te b/microdroid/system/public/su.te
index 5f41e37..d425015 100644
--- a/microdroid/system/public/su.te
+++ b/microdroid/system/public/su.te
@@ -5,33 +5,6 @@
 # that adb root works on debuggable VMs even for user builds.
 type su, domain;
 
-# Add su to various domains
-dontaudit su self:capability_class_set *;
-dontaudit su self:capability2 *;
-dontaudit su kernel:security *;
-dontaudit su { kernel file_type }:system *;
-dontaudit su self:memprotect *;
-dontaudit su domain:{ process process2 } *;
-dontaudit su domain:fd *;
-dontaudit su domain:dir *;
-dontaudit su domain:lnk_file *;
-dontaudit su domain:{ fifo_file file } *;
-dontaudit su domain:socket_class_set *;
-dontaudit su domain:ipc_class_set *;
-dontaudit su domain:key *;
-dontaudit su fs_type:filesystem *;
-dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
-dontaudit su node_type:node *;
-dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
-dontaudit su netif_type:netif *;
-dontaudit su port_type:socket_class_set *;
-dontaudit su port_type:{ tcp_socket dccp_socket } *;
-dontaudit su domain:peer *;
-dontaudit su domain:binder *;
-dontaudit su property_type:property_service *;
-dontaudit su property_type:file *;
-dontaudit su domain:drmservice *;
-dontaudit su unlabeled:filesystem *;
-dontaudit su domain:bpf *;
-dontaudit su unlabeled:vsock_socket *;
-dontaudit su self:perf_event *;
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/toolbox.te b/microdroid/system/public/toolbox.te
index 0a6e649..96565f2 100644
--- a/microdroid/system/public/toolbox.te
+++ b/microdroid/system/public/toolbox.te
@@ -1,2 +1,6 @@
 type toolbox, domain;
 type toolbox_exec, file_type, exec_type, system_file_type;
+
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
index efc1aa3..44d1f96 100644
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@@ -1,3 +1,7 @@
 # Miscellaneous types
 type system_linker;
 type vm_payload_key;
+
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/ueventd.te b/microdroid/system/public/ueventd.te
index 7bf7888..bc49479 100644
--- a/microdroid/system/public/ueventd.te
+++ b/microdroid/system/public/ueventd.te
@@ -2,3 +2,7 @@
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain;
 type ueventd_tmpfs, file_type;
+
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/vendor_init.te b/microdroid/system/public/vendor_init.te
index 3db899a..5f5721c 100644
--- a/microdroid/system/public/vendor_init.te
+++ b/microdroid/system/public/vendor_init.te
@@ -1,147 +1,6 @@
 # vendor_init is its own domain.
 type vendor_init, domain;
 
-# Communication to the main init process
-allow vendor_init init:unix_stream_socket { read write };
-
-# Logging to kmsg
-allow vendor_init kmsg_device:chr_file { open getattr write };
-
-# Mount on /dev/usb-ffs/adb.
-allow vendor_init device:dir mounton;
-
-# Create and remove symlinks in /.
-allow vendor_init rootfs:lnk_file { create unlink };
-
-# Create cgroups mount points in tmpfs and mount cgroups on them.
-allow vendor_init cgroup:dir create_dir_perms;
-allow vendor_init cgroup:file w_file_perms;
-allow vendor_init cgroup_v2:dir create_dir_perms;
-allow vendor_init cgroup_v2:file w_file_perms;
-
-# /config
-allow vendor_init configfs:dir mounton;
-allow vendor_init configfs:dir create_dir_perms;
-allow vendor_init configfs:{ file lnk_file } create_file_perms;
-
-# Create directories under /dev/cpuctl after chowning it to system.
-allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
-
-# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
-# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
-# system/core/init.rc requires at least cache_file and data_file_type.
-# init.<board>.rc files often include device-specific types, so
-# we just allow all file types except /system files here.
-allow vendor_init self:global_capability_class_set { chown fowner fsetid };
-
-allow vendor_init system_data_file:dir getattr;
-
-allow vendor_init {
-  file_type
-  -exec_type
-  -system_file_type
-  -unlabeled
-  -vendor_file_type
-}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
-
-allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
-
-allow vendor_init {
-  file_type
-  -exec_type
-  -system_file_type
-  -unlabeled
-  -vendor_file_type
-  -apex_info_file
-  enforce_debugfs_restriction(`-debugfs_type')
-}:file { create getattr open read write setattr relabelfrom unlink map };
-
-allow vendor_init {
-  file_type
-  -exec_type
-  -system_file_type
-  -unlabeled
-  -vendor_file_type
-}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-
-allow vendor_init {
-  file_type
-  -apex_mnt_dir
-  -exec_type
-  -system_file_type
-  -unlabeled
-  -vendor_file_type
-}:lnk_file { create getattr setattr relabelfrom unlink };
-
-allow vendor_init {
-  file_type
-  -exec_type
-  -system_file_type
-  -vendor_file_type
-}:dir_file_class_set relabelto;
-
-allow vendor_init dev_type:dir create_dir_perms;
-allow vendor_init dev_type:lnk_file create;
-
-# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
-allow vendor_init debugfs_tracing:file w_file_perms;
-
-# chown/chmod on pseudo files.
-allow vendor_init {
-  fs_type
-  -fusefs_type
-  -rootfs
-  -proc_uid_time_in_state
-  -proc_uid_concurrent_active_time
-  -proc_uid_concurrent_policy_time
-  enforce_debugfs_restriction(`-debugfs_type')
-}:file { open read setattr map };
-
-allow vendor_init tracefs_type:file { open read setattr map };
-
-allow vendor_init {
-  fs_type
-  -fusefs_type
-  -rootfs
-  -proc_uid_time_in_state
-  -proc_uid_concurrent_active_time
-  -proc_uid_concurrent_policy_time
-}:dir  { open read setattr search };
-
-allow vendor_init dev_type:blk_file getattr;
-
-# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
-r_dir_file(vendor_init, proc_net_type)
-allow vendor_init proc_net_type:file w_file_perms;
-allow vendor_init self:global_capability_class_set net_admin;
-
-# Write to /proc/sys/vm/page-cluster
-allow vendor_init proc_page_cluster:file w_file_perms;
-
-# Write to sysfs nodes.
-allow vendor_init sysfs_type:dir r_dir_perms;
-allow vendor_init sysfs_type:lnk_file read;
-allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
-
-# setfscreatecon() for labeling directories and socket files.
-allow vendor_init self:process { setfscreate };
-
-r_dir_file(vendor_init, vendor_file_type)
-
-# Vendor init can perform operations on trusted and security Extended Attributes
-allow vendor_init self:global_capability_class_set sys_admin;
-
-# vendor_init is using bootstrap bionic
-use_bootstrap_libs(vendor_init)
-
-# Get file context
-allow vendor_init file_contexts_file:file r_file_perms;
-
-# Allow vendor_init to (re)set nice
-allow vendor_init self:capability sys_nice;
-
-# chown/chmod on devices, e.g. /dev/ttyHS0
-allow vendor_init {
-  dev_type
-  -hw_random_device
-}:chr_file setattr;
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/private/adbd.te b/private/adbd.te
index e735222..c852038 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -230,6 +230,11 @@
 allow adbd tombstone_data_file:dir r_dir_perms;
 allow adbd tombstone_data_file:file r_file_perms;
 
+# Access /data/local/tests.
+allow adbd shell_test_data_file:dir create_dir_perms;
+allow adbd shell_test_data_file:file create_file_perms;
+allow adbd shell_test_data_file:lnk_file create_file_perms;
+
 ###
 ### Neverallow rules
 ###
@@ -239,3 +244,7 @@
 # never want to see a transition from adbd to su (aka "adb root")
 neverallow adbd { domain -crash_dump -shell }:process transition;
 neverallow adbd { domain userdebug_or_eng(`-su') recovery_only(`-shell') }:process dyntransition;
+
+# Only init is allowed to enter the adbd domain via exec()
+neverallow { domain -init } adbd:process transition;
+neverallow * adbd:process dyntransition;
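Review bot: The comment covers only the first of the two new rules — `# Only init is allowed to enter the adbd domain via exec()` says nothing about the `dyntransition` line beneath it, and the subject sets differ (`{ domain -init }` vs `*`) without explanation. Extending the comment keeps the pair self-describing, e.g. `# Only init may enter the adbd domain via exec(), and nothing may setcon() into it.` If the `*` was chosen deliberately to cover non-domain types as well, a short note saying so would stop a later reviewer from "normalising" it to `domain`.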
diff --git a/private/aidl_lazy_test_server.te b/private/aidl_lazy_test_server.te
index 33efde0..98ab218 100644
--- a/private/aidl_lazy_test_server.te
+++ b/private/aidl_lazy_test_server.te
@@ -2,4 +2,9 @@
   typeattribute aidl_lazy_test_server coredomain;
 
   init_daemon_domain(aidl_lazy_test_server)
+
+  binder_use(aidl_lazy_test_server)
+  binder_call(aidl_lazy_test_server, binderservicedomain)
+
+  add_service(aidl_lazy_test_server, aidl_lazy_test_service)
 ')
diff --git a/private/apexd.te b/private/apexd.te
index 079489c..e7ad3b9 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -2,6 +2,9 @@
 
 init_daemon_domain(apexd)
 
+binder_use(apexd)
+add_service(apexd, apex_service)
+
 # Allow creating, reading and writing of APEX files/dirs in the APEX data dir
 allow apexd apex_data_file:dir create_dir_perms;
 allow apexd apex_data_file:file create_file_perms;
@@ -166,33 +169,7 @@
 # Allow apexd to read apexd_payload_metadata_prop
 get_prop(apexd, apexd_payload_metadata_prop)
 
-neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
-neverallow { domain -apexd -init -kernel } apex_metadata_file:file no_w_file_perms;
-neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
-
-neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:file no_w_file_perms;
-
-neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms;
-
-# only apexd can set apexd sysprop
 set_prop(apexd, apexd_prop)
-neverallow { domain -apexd -init } apexd_prop:property_service set;
-
-# only apexd can write apex-info-list.xml
-neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
-
-# Only apexd and init should be allowed to manage /apex mounts
-# A note on otapreopt_chroot. It used to mount APEXes during postainstall stage of A/B OTAs,
-# but starting from S it just calls into apexd to prepare /apex for otapreoprt. Once the sepolicies
-# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below.
-# dexopt_chroot_setup calls apexd to prepare /apex for Pre-reboot Dexopt, but it
-# needs to mount a tmpfs on /apex for apexd to work on.
-neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
-neverallow { domain -apexd -dexopt_chroot_setup -init -otapreopt_chroot } apex_mnt_dir:dir mounton;
 
 # Allow for use in postinstall
 allow apexd otapreopt_chroot:fd use;
@@ -212,3 +189,39 @@
 
 # Allow apexd to write to statsd.
 unix_socket_send(apexd, statsdw, statsd)
+
+###
+### Neverallow rules
+###
+
+neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
+neverallow { domain -apexd -init -kernel } apex_metadata_file:file no_w_file_perms;
+neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
+
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:file no_w_file_perms;
+
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms;
+
+# only apexd can set apexd sysprop
+neverallow { domain -apexd -init } apexd_prop:property_service set;
+
+# only apexd can write apex-info-list.xml
+neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
+
+# Only apexd and init should be allowed to manage /apex mounts
+# A note on otapreopt_chroot. It used to mount APEXes during postainstall stage of A/B OTAs,
+# but starting from S it just calls into apexd to prepare /apex for otapreoprt. Once the sepolicies
+# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below.
+# dexopt_chroot_setup calls apexd to prepare /apex for Pre-reboot Dexopt, but it
+# needs to mount a tmpfs on /apex for apexd to work on.
+neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
+neverallow { domain -apexd -dexopt_chroot_setup -init -otapreopt_chroot } apex_mnt_dir:dir mounton;
+
+neverallow { domain -init -apexd -system_server -update_engine } apex_service:service_manager find;
+neverallow { domain -init -apexd -system_server -servicemanager -update_engine } apexd:binder call;
+
+neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
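Review bot: The three genuinely new neverallows at the end of the relocated section (apex_service find, apexd binder call, apexd ptrace) have no comment, unlike every other rule in the block, so the allowlists read as arbitrary. A header such as `# Only these domains may look up or call into apexd; servicemanager is excluded from the call rule because it calls back into registered services.` would document the intent, though the servicemanager reason is my inference and should be confirmed. The ptrace rule also means crash_dump cannot attach to apexd on user builds; if that is intended, say so (`# crash_dump may only attach to apexd on userdebug/eng builds`), since it affects crash reporting for a privileged daemon.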
diff --git a/private/app.te b/private/app.te
index b0b5dbb..634cc53 100644
--- a/private/app.te
+++ b/private/app.te
@@ -84,28 +84,6 @@
 allow appdomain system_server:udp_socket {
         connect getattr read recvfrom sendto write getopt setopt };
 
-neverallow appdomain system_server:udp_socket {
-        accept append bind create ioctl listen lock name_bind
-        relabelfrom relabelto setattr shutdown };
-
-# Transition to a non-app domain.
-# Exception for the shell and su domains, can transition to runas, etc.
-# Exception for crash_dump to allow for app crash reporting.
-# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
-# to allow renderscript to create privileged executable files.
-# Exception for virtualizationmanager to allow running VMs as child processes.
-neverallow { appdomain -shell userdebug_or_eng(`-su') }
-    { domain -appdomain -crash_dump -rs -virtualizationmanager }:process { transition };
-neverallow { appdomain -shell userdebug_or_eng(`-su') }
-    { domain -appdomain }:process { dyntransition };
-
-# Don't allow regular apps access to storage configuration properties.
-neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
-
-# Don't allow apps reading /system/etc/font_fallback.xml
-dontaudit appdomain system_font_fallback_file:file no_rw_file_perms;
-neverallow appdomain system_font_fallback_file:file no_rw_file_perms;
-
 # Allow to read sendbug.preferred.domain
 get_prop(appdomain, sendbug_config_prop)
 
@@ -134,7 +112,6 @@
 # Allow access to tombstones if an fd to one is given to you.
 # An app cannot open the tombstone itself because it lacks `open`.
 allow appdomain tombstone_data_file:file { getattr read };
-neverallow { appdomain -shell } tombstone_data_file:file ~{ getattr read };
 
 # Execute the shell or other system executables.
 allow { appdomain -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms;
@@ -505,6 +482,223 @@
 allow appdomain system_server_tmpfs:file { getattr map read write };
 allow appdomain zygote_tmpfs:file { map read };
 
+###
+### Neverallow rules
+###
+### These are things that Android apps should NEVER be able to do
+###
+
+# Superuser capabilities.
+# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
+neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
+
+# Block device access.
+neverallow appdomain dev_type:blk_file { read write };
+
+# Note: Try expanding list of app domains in the future.
+neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
+
+neverallow { appdomain -nfc } nfc_device:chr_file
+    { read write };
+neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
+    { read write };
+neverallow appdomain tee_device:chr_file { read write };
+
+# Privileged netlink socket interfaces.
+neverallow { appdomain -network_stack }
+    domain:{
+        netlink_tcpdiag_socket
+        netlink_nflog_socket
+        netlink_xfrm_socket
+        netlink_audit_socket
+        netlink_dnrt_socket
+    } *;
+
+# These messages are broadcast messages from the kernel to userspace.
+# Do not allow the writing of netlink messages, which has been a source
+# of rooting vulns in the past.
+neverallow { appdomain -network_stack }
+    domain:netlink_kobject_uevent_socket { write append };
+
+# Sockets under /dev/socket that are not specifically typed.
+neverallow appdomain socket_device:sock_file write;
+
+# Unix domain sockets.
+neverallow appdomain adbd_socket:sock_file write;
+neverallow { appdomain -radio } rild_socket:sock_file write;
+
+# ptrace access to non-app domains.
+neverallow appdomain { domain -appdomain }:process ptrace;
+
+# The Android security model guarantees the confidentiality and integrity
+# of application data and execution state. Ptrace bypasses those
+# confidentiality guarantees. Disallow ptrace access from system components
+# to apps. Crash_dump is excluded, as it needs ptrace access to
+# produce stack traces.  llkd is excluded, as it needs ptrace access to
+# inspect stack traces for live lock conditions.
+
+neverallow {
+  domain
+  -appdomain
+  -crash_dump
+  userdebug_or_eng(`-llkd')
+} appdomain:process ptrace;
+
+# Read or write access to /proc/pid entries for any non-app domain.
+# A different form of hidepid=2 like protections
+neverallow appdomain { domain -appdomain }:file no_w_file_perms;
+neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;
+
+# signal access to non-app domains.
+# sigchld allowed for parent death notification.
+# signull allowed for kill(pid, 0) existence test.
+# All others prohibited.
+# -perfetto is to allow shell (which is an appdomain) to kill perfetto
+# (see private/shell.te).
+neverallow appdomain { domain -appdomain -perfetto }:process
+    { sigkill sigstop signal };
+
+# Write to rootfs.
+neverallow appdomain rootfs:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to /system.
+neverallow appdomain system_file_type:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to entrypoint executables.
+neverallow appdomain exec_type:file
+    { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to system-owned parts of /data.
+# This is the default type for anything under /data not otherwise
+# specified in file_contexts.  Define a different type for portions
+# that should be writable by apps.
+neverallow appdomain system_data_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to various other parts of /data.
+neverallow appdomain drm_data_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+    apk_data_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+    apk_private_data_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+    apk_private_tmp_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -shell }
+    shell_data_file:dir_file_class_set
+    { create setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -bluetooth }
+    bluetooth_data_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { domain -credstore -init } credstore_data_file:dir_file_class_set *;
+neverallow appdomain
+    keystore_data_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+    systemkeys_data_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+    wifi_data_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+    dhcp_data_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+
+# access tmp apk files
+neverallow { appdomain -platform_app }
+    apk_tmp_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+
+neverallow { appdomain -untrusted_app_all -platform_app -priv_app -isolated_app_all }
+    { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
+
+neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
+neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
+
+# Access to factory files.
+neverallow appdomain efs_file:dir_file_class_set write;
+neverallow { appdomain -shell } efs_file:dir_file_class_set read;
+
+# Write to various pseudo file systems.
+neverallow { appdomain -bluetooth -nfc }
+    sysfs:dir_file_class_set write;
+neverallow appdomain
+    proc:dir_file_class_set write;
+
+# Access to syslog(2) or /proc/kmsg.
+neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+
+# SELinux is not an API for apps to use
+neverallow { appdomain -shell } *:security { compute_av check_context };
+neverallow { appdomain -shell } *:netlink_selinux_socket *;
+
+# Ability to perform any filesystem operation other than statfs(2).
+# i.e. no mount(2), unmount(2), etc.
+neverallow appdomain fs_type:filesystem ~getattr;
+
+# prevent creation/manipulation of globally readable symlinks
+neverallow appdomain {
+  apk_data_file
+  cache_file
+  cache_recovery_file
+  dev_type
+  rootfs
+  system_file
+  tmpfs
+}:lnk_file no_w_file_perms;
+
+# Applications should use the activity model for receiving events
+neverallow {
+  appdomain
+  -shell # bugreport
+} input_device:chr_file ~getattr;
+
+# Do not allow access to Bluetooth-related system properties except for a few allowed domains.
+# neverallow rules for access to Bluetooth-related data files are above.
+neverallow {
+  appdomain
+  -bluetooth
+  -system_app
+} { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
+
+# allow system_app to access Nfc-related system properties.
+set_prop(system_app, nfc_prop)
+
+# allow system_app to access radio_config system properties.
+set_prop(system_app, radio_control_prop)
+
+# Apps cannot access proc_uid_time_in_state
+neverallow appdomain proc_uid_time_in_state:file *;
+
+# Apps cannot access proc_uid_concurrent_active_time
+neverallow appdomain proc_uid_concurrent_active_time:file *;
+
+# Apps cannot access proc_uid_concurrent_policy_time
+neverallow appdomain proc_uid_concurrent_policy_time:file *;
+
+# Apps cannot access proc_uid_cpupower
+neverallow appdomain proc_uid_cpupower:file *;
+
+# Apps may not read /proc/net/{tcp,tcp6,udp,udp6}. These files leak information across the
+# application boundary. VPN apps may use the ConnectivityManager.getConnectionOwnerUid() API to
+# perform UID lookups.
+neverallow { appdomain -shell } proc_net_tcp_udp:file *;
+
+# Apps cannot access bootstrap files. The bootstrap files are only for
+# extremely early processes (like init, etc.) which are started before
+# the runtime APEX is activated and Bionic libs are provided from there.
+# If app process accesses (or even load/execute) the bootstrap files,
+# it might cause problems such as ODR violation, etc.
+neverallow appdomain system_bootstrap_lib_file:file
+    { open read write append execute execute_no_trans map };
+neverallow appdomain system_bootstrap_lib_file:dir
+    { open read getattr search };
+
 # Sensitive app domains are not allowed to execute from /data
 # to prevent persistence attacks and ensure all code is executed
 # from read-only locations.
@@ -559,3 +753,27 @@
   -untrusted_app_30
   -untrusted_app_32
 } apk_data_file:file { watch watch_reads };
+
+neverallow appdomain system_server:udp_socket {
+        accept append bind create ioctl listen lock name_bind
+        relabelfrom relabelto setattr shutdown };
+
+# Transition to a non-app domain.
+# Exception for the shell and su domains, can transition to runas, etc.
+# Exception for crash_dump to allow for app crash reporting.
+# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
+# to allow renderscript to create privileged executable files.
+# Exception for virtualizationmanager to allow running VMs as child processes.
+neverallow { appdomain -shell userdebug_or_eng(`-su') }
+    { domain -appdomain -crash_dump -rs -virtualizationmanager }:process { transition };
+neverallow { appdomain -shell userdebug_or_eng(`-su') }
+    { domain -appdomain }:process { dyntransition };
+
+# Don't allow regular apps access to storage configuration properties.
+neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
+
+# Don't allow apps reading /system/etc/font_fallback.xml
+dontaudit appdomain system_font_fallback_file:file no_rw_file_perms;
+neverallow appdomain system_font_fallback_file:file no_rw_file_perms;
+
+neverallow { appdomain -shell } tombstone_data_file:file ~{ getattr read };
diff --git a/private/asan_extract.te b/private/asan_extract.te
index 69bcd50..8c8980c 100644
--- a/private/asan_extract.te
+++ b/private/asan_extract.te
@@ -8,4 +8,28 @@
 
   # We need to signal a reboot when done.
   set_prop(asan_extract, powerctl_prop)
+
+  # Allow asan_extract to execute itself using #!/system/bin/sh
+  allow asan_extract shell_exec:file rx_file_perms;
+
+  # We execute log, rm, gzip and tar.
+  allow asan_extract toolbox_exec:file rx_file_perms;
+  allow asan_extract system_file:file execute_no_trans;
+
+  # asan_extract deletes old /data/lib.
+  allow asan_extract system_file:dir { open read remove_name rmdir write };
+  allow asan_extract system_file:file unlink;
+
+  # asan_extract untars ASAN libraries into /data.
+  allow asan_extract system_data_file:dir create_dir_perms ;
+  allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;
+
+  # Relabel the libraries with restorecon.
+  allow asan_extract file_contexts_file:file r_file_perms;
+  allow asan_extract system_data_file:{ dir file } relabelfrom;
+  allow asan_extract system_file:dir { relabelto setattr };
+  allow asan_extract system_file:file relabelto;
+
+  # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
+  allow asan_extract system_data_file:file execute;
 ')
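Review bot: `allow asan_extract system_data_file:dir create_dir_perms ;` and the `{ file lnk_file } create_file_perms ;` line after it carry a stray space before the semicolon, unlike every other rule in the block; `allow asan_extract system_data_file:dir create_dir_perms;` is the form used elsewhere. The m4 macro that the closing `')` terminates begins before this hunk, so the scope that gates the execute grant on system_data_file and the write/rmdir/unlink grants on system_file is not visible here; a one-line comment at the top of the added rules naming that guard (presumably a build-variant macro, to be confirmed) would make the limited scope explicit to anyone reading only this section.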
diff --git a/private/audioserver.te b/private/audioserver.te
index 74d5e88..54e0208 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -1,8 +1,7 @@
 # audioserver - audio services daemon
-
+type audioserver_exec, exec_type, file_type, system_file_type;
 typeattribute audioserver coredomain;
 
-type audioserver_exec, exec_type, file_type, system_file_type;
 init_daemon_domain(audioserver)
 tmpfs_domain(audioserver)
 
@@ -79,6 +78,20 @@
 # Allow write access to log tag property
 set_prop(audioserver, log_tag_prop);
 
+# Allow audioserver to signal audio HAL processes and dump their stacks.
+allow audioserver hal_audio_server:process signal;
+
+# Allow audioserver to access sensorservice.
+allow audioserver sensorservice_service:service_manager find;
+allow audioserver system_server:unix_stream_socket { read write };
+
+# Allow using wake locks
+wakelock_use(audioserver)
+
+# Allow reading audio config props, e.g. af.fast_track_multiplier
+get_prop(audioserver, audio_config_prop)
+get_prop(audioserver, system_audio_config_prop)
+
 ###
 ### neverallow rules
 ###
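Review bot: The comment `# Allow audioserver to access sensorservice.` covers two rules, but the second, `allow audioserver system_server:unix_stream_socket { read write };`, grants read/write on a socket owned by system_server rather than a service-manager lookup and should get its own line, e.g. `# Read/write a unix stream socket handed over by system_server.` (the hunk does not say why the socket is needed, so the exact wording needs confirming). The wakelock and audio_config_prop lines below are the same rules removed from beneath the neverallow section later in this file, so that part of the hunk is a relocation rather than new access.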
@@ -99,10 +112,3 @@
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow audioserver domain:{ udp_socket rawip_socket } *;
 neverallow audioserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
-
-# Allow using wake locks
-wakelock_use(audioserver)
-
-# Allow reading audio config props, e.g. af.fast_track_multiplier
-get_prop(audioserver, audio_config_prop)
-get_prop(audioserver, system_audio_config_prop)
diff --git a/private/bootanim.te b/private/bootanim.te
index f63a230..d9be72f 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -21,3 +21,46 @@
 
 # Allow accessing vendor apex for EGL/GLES
 allow bootanim vendor_apex_metadata_file:dir r_dir_perms;
+
+hal_client_domain(bootanim, hal_configstore)
+hal_client_domain(bootanim, hal_graphics_allocator)
+hal_client_domain(bootanim, hal_graphics_composer)
+
+binder_use(bootanim)
+binder_call(bootanim, surfaceflinger)
+binder_call(bootanim, audioserver)
+
+hwbinder_use(bootanim)
+
+allow bootanim gpu_device:chr_file rw_file_perms;
+allow bootanim gpu_device:dir r_dir_perms;
+allow bootanim sysfs_gpu:file r_file_perms;
+
+# /oem access
+allow bootanim oemfs:dir r_dir_perms;
+# boot animations on oem are stored with specific label
+allow bootanim bootanim_oem_file:file r_file_perms;
+
+allow bootanim audio_device:dir r_dir_perms;
+allow bootanim audio_device:chr_file rw_file_perms;
+
+allow bootanim audioserver_service:service_manager find;
+allow bootanim surfaceflinger_service:service_manager find;
+allow bootanim surfaceflinger:unix_stream_socket { read write };
+
+# Allow access to ion memory allocation device
+allow bootanim ion_device:chr_file rw_file_perms;
+
+# Allow access to DMA-BUF system heap
+allow bootanim dmabuf_system_heap_device:chr_file r_file_perms;
+
+allow bootanim hal_graphics_allocator:fd use;
+
+# Fences
+allow bootanim hal_graphics_composer:fd use;
+
+# Read access to pseudo filesystems.
+allow bootanim proc_meminfo:file r_file_perms;
+
+# System file accesses.
+allow bootanim system_file:dir r_dir_perms;
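Review bot: `allow bootanim hal_graphics_allocator:fd use;` is the only grant in the block without a comment, while the neighbouring `# Fences` explains the composer fd rule; something like `# Buffer fds returned by the graphics allocator HAL (confirm)` would match the file's style. It also follows `hal_client_domain(bootanim, hal_graphics_allocator)` at the top of the hunk, so if that macro already supplies fd use the explicit line is redundant — worth checking the macro definition before keeping both.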
diff --git a/private/bootstat.te b/private/bootstat.te
index 99d8c6d..9835940 100644
--- a/private/bootstat.te
+++ b/private/bootstat.te
@@ -10,6 +10,39 @@
 set_prop(bootstat, system_boot_reason_prop)
 set_prop(bootstat, last_boot_reason_prop)
 
+read_runtime_log_tags(bootstat)
+
+# Allow persistent storage in /data/misc/bootstat.
+allow bootstat bootstat_data_file:dir rw_dir_perms;
+allow bootstat bootstat_data_file:file create_file_perms;
+
+allow bootstat metadata_file:dir search;
+allow bootstat metadata_bootstat_file:dir rw_dir_perms;
+allow bootstat metadata_bootstat_file:file create_file_perms;
+
+# ToDo: TBI move access for the following to a system health HAL
+
+# Allow access to /sys/fs/pstore/ and syslog
+allow bootstat pstorefs:dir search;
+allow bootstat pstorefs:file r_file_perms;
+allow bootstat kernel:system syslog_read;
+
+# Allow access to reading the logs to read aspects of system health
+read_logd(bootstat)
+
+# Allow bootstat write to statsd.
+unix_socket_send(bootstat, statsdw, statsd)
+
+###
+### Neverallow rules
+###
+
+neverallow {
+  domain
+  -bootstat
+  -init
+} system_boot_reason_prop:property_service set;
+
 neverallow {
   domain
   -bootanim
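Review bot: `# ToDo: TBI move access for the following to a system health HAL` is ambiguous — "TBI" is not used anywhere else in the file, and it is unclear whether "the following" means only the pstore/syslog rules or also the `read_logd(bootstat)` and statsd socket rules after them. Spell it out and place it directly above the rules it covers, e.g. `# TODO: move the pstore and syslog reads below into a system-health HAL.` The bootstat-only neverallow on system_boot_reason_prop added at the end of the hunk pairs correctly with the `set_prop(bootstat, system_boot_reason_prop)` already above it.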
diff --git a/private/bufferhubd.te b/private/bufferhubd.te
index 012eb20..143c6b5 100644
--- a/private/bufferhubd.te
+++ b/private/bufferhubd.te
@@ -1,3 +1,24 @@
 typeattribute bufferhubd coredomain;
 
 init_daemon_domain(bufferhubd)
+
+hal_client_domain(bufferhubd, hal_graphics_allocator)
+
+# TODO(b/112338294): remove these after migrate to Binder
+pdx_server(bufferhubd, bufferhub_client)
+pdx_client(bufferhubd, performance_client)
+
+# Access the GPU.
+allow bufferhubd gpu_device:chr_file rw_file_perms;
+
+# Access /dev/ion
+allow bufferhubd ion_device:chr_file r_file_perms;
+
+# Receive sync fence FDs from hal_omx_server. Note that hal_omx_server never directly
+# connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between
+# those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
+# Thus, there is no need to use pdx_client macro.
+allow bufferhubd hal_omx_server:fd use;
+
+# Codec2 is similar to OMX
+allow bufferhubd hal_codec2_server:fd use;
diff --git a/public/camera_service_server.te b/private/camera_service_server.te
similarity index 100%
rename from public/camera_service_server.te
rename to private/camera_service_server.te
diff --git a/private/cameraserver.te b/private/cameraserver.te
index 76ffba6..b143f58 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -1,6 +1,5 @@
-typeattribute cameraserver coredomain;
-
 typeattribute cameraserver camera_service_server;
+typeattribute cameraserver coredomain;
 
 init_daemon_domain(cameraserver)
 tmpfs_domain(cameraserver)
@@ -8,3 +7,86 @@
 allow cameraserver gpu_device:chr_file rw_file_perms;
 allow cameraserver gpu_device:dir r_dir_perms;
 allow cameraserver virtual_camera:binder call;
+
+binder_use(cameraserver)
+binder_call(cameraserver, binderservicedomain)
+binder_call(cameraserver, appdomain)
+binder_service(cameraserver)
+
+hal_client_domain(cameraserver, hal_camera)
+
+hal_client_domain(cameraserver, hal_graphics_allocator)
+
+allow cameraserver ion_device:chr_file rw_file_perms;
+allow cameraserver dmabuf_system_heap_device:chr_file r_file_perms;
+
+# Talk with graphics composer fences
+allow cameraserver hal_graphics_composer:fd use;
+
+add_service(cameraserver, cameraserver_service)
+add_service(cameraserver, fwk_camera_service)
+add_hwservice(cameraserver, fwk_camera_hwservice)
+
+allow cameraserver activity_service:service_manager find;
+allow cameraserver appops_service:service_manager find;
+allow cameraserver audioserver_service:service_manager find;
+allow cameraserver batterystats_service:service_manager find;
+allow cameraserver cameraproxy_service:service_manager find;
+allow cameraserver mediaserver_service:service_manager find;
+allow cameraserver package_native_service:service_manager find;
+allow cameraserver permission_checker_service:service_manager find;
+allow cameraserver processinfo_service:service_manager find;
+allow cameraserver scheduling_policy_service:service_manager find;
+allow cameraserver sensor_privacy_service:service_manager find;
+allow cameraserver surfaceflinger_service:service_manager find;
+
+allow cameraserver hidl_token_hwservice:hwservice_manager find;
+allow cameraserver hal_camera_service:service_manager find;
+allow cameraserver virtual_camera_service:service_manager find;
+
+# Allow to talk with surfaceflinger through unix stream socket
+allow cameraserver surfaceflinger:unix_stream_socket { read write };
+
+# Allow shell commands from ADB for CTS testing/dumping
+allow cameraserver adbd:fd use;
+allow cameraserver adbd:unix_stream_socket { read write };
+allow cameraserver shell:fd use;
+allow cameraserver shell:unix_stream_socket { read write };
+allow cameraserver shell:fifo_file { read write };
+
+# allow self to set SCHED_FIFO
+allow cameraserver self:global_capability_class_set sys_nice;
+
+# Allow to talk with media codec
+allow cameraserver mediametrics_service:service_manager find;
+hal_client_domain(cameraserver, hal_codec2)
+hal_client_domain(cameraserver, hal_omx)
+hal_client_domain(cameraserver, hal_allocator)
+
+# Allow shell commands from ADB for CTS testing/dumping
+userdebug_or_eng(`
+  allow cameraserver su:fd use;
+  allow cameraserver su:fifo_file { read write };
+  allow cameraserver su:unix_stream_socket { read write };
+')
+
+###
+### neverallow rules
+###
+
+# cameraserver should never execute any executable without a
+# domain transition
+neverallow cameraserver { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow cameraserver domain:{ udp_socket rawip_socket } *;
+neverallow cameraserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
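Review bot: The comment `# Allow shell commands from ADB for CTS testing/dumping` appears twice, once above the adbd/shell rules and again above the `userdebug_or_eng` su block; the second copy should state what differs, e.g. `# Same for su, which only exists on userdebug/eng builds.` `binder_call(cameraserver, appdomain)` is the broadest grant in the hunk (binder calls to and from every app domain) and has no comment saying which client interaction requires it, unlike the service_manager find rules that are grouped by purpose; a line naming the client-facing camera interface it serves would help later reviews.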
diff --git a/private/charger.te b/private/charger.te
index c5f3a50..2d48a60 100644
--- a/private/charger.te
+++ b/private/charger.te
@@ -1,5 +1,8 @@
 typeattribute charger coredomain;
 
+# The system charger is a client of HIDL health HAL.
+hal_client_domain(charger, hal_health)
+
 # charger needs to tell init to continue the boot
 # process when running in charger mode.
 # The system charger needs to be allowed to set these properties on legacy devices.
diff --git a/private/charger_type.te b/private/charger_type.te
index 3647496..d920a3d 100644
--- a/private/charger_type.te
+++ b/private/charger_type.te
@@ -6,6 +6,44 @@
 # get minui properties
 get_prop(charger_type, recovery_config_prop)
 
+# Write to /dev/kmsg
+allow charger_type kmsg_device:chr_file rw_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(charger_type, rootfs)
+r_dir_file(charger_type, cgroup)
+r_dir_file(charger_type, cgroup_v2)
+
+# Allow to read /sys/class/power_supply directory
+allow charger_type sysfs_type:dir r_dir_perms;
+
+allow charger_type self:global_capability_class_set {
+    sys_boot
+    sys_tty_config
+};
+
+wakelock_use(charger_type)
+
+allow charger_type self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Read/write to /sys/power/state
+allow charger_type sysfs_power:file rw_file_perms;
+
+r_dir_file(charger_type, sysfs_batteryinfo)
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow charger_type pstorefs:dir r_dir_perms;
+allow charger_type pstorefs:file r_file_perms;
+
+allow charger_type graphics_device:dir r_dir_perms;
+allow charger_type graphics_device:chr_file rw_file_perms;
+allow charger_type input_device:dir r_dir_perms;
+allow charger_type input_device:chr_file r_file_perms;
+allow charger_type tty_device:chr_file rw_file_perms;
+allow charger_type proc_sysrq:file rw_file_perms;
+
 ### Neverallow rules for charger properties
 
 # charger_config_prop: Only init and vendor_init is allowed to set it
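Review bot: `# Allow to read /sys/class/power_supply directory` does not describe the rule under it, `allow charger_type sysfs_type:dir r_dir_perms;`, which grants directory read on every sysfs_type-labelled directory, not just power_supply; either the comment should say the grant is deliberately broad (possibly for traversal, since `r_dir_file(charger_type, sysfs_batteryinfo)` a few lines later already covers the battery files — confirm) or the rule should use the narrower type. `allow charger_type proc_sysrq:file rw_file_perms;` is the one grant in the block without a comment and the most sensitive one (write to the sysrq trigger, presumably); `# Write the sysrq trigger from charger mode (reason: TODO confirm)` would at least record that it was reviewed.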
diff --git a/private/charger_vendor.te b/private/charger_vendor.te
new file mode 100644
index 0000000..47bd198
--- /dev/null
+++ b/private/charger_vendor.te
@@ -0,0 +1,3 @@
+hal_server_domain(charger_vendor, hal_health)
+
+typeattribute charger_vendor bpfdomain;
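Review bot: `typeattribute charger_vendor bpfdomain;` has no comment, and nothing in this new file says which BPF program or map the vendor charger needs; since bpfdomain widens what the domain may touch, a line such as `# bpfdomain: needed for <map/program — fill in>` above it would record the reason. The sibling charger.te documents its HAL relationship in the same way, so the file's convention supports this.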
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 5f835a4..1477766 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -49,4 +49,5 @@
     aconfigd
     aconfigd_exec
     aconfigd_socket
+    enable_16k_pages_prop
   ))
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 27baaff..9bc7cf6 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -39,10 +39,84 @@
 # Read Vendor APEX directories
 allow crash_dump vendor_apex_metadata_file:dir { getattr search };
 
+# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
+# which will result in an audit log even when it's allowed to trace.
+dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
+
+userdebug_or_eng(`
+  allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
+
+  # Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up.
+  allow crash_dump kmsg_debug_device:chr_file { open append };
+')
+
+# Use inherited file descriptors
+allow crash_dump domain:fd use;
+
+# Read/write IPC pipes inherited from crashing processes.
+allow crash_dump domain:fifo_file { read write };
+
+# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
+allow crash_dump domain:fifo_file { append };
+
+# Read information from /proc/$PID.
+allow crash_dump domain:process getattr;
+
+r_dir_file(crash_dump, domain)
+allow crash_dump exec_type:file r_file_perms;
+
+# Read /data/dalvik-cache.
+allow crash_dump dalvikcache_data_file:dir { search getattr };
+allow crash_dump dalvikcache_data_file:file r_file_perms;
+
+# Read APEX data directories.
+allow crash_dump apex_module_data_file:dir { getattr search };
+
+# Read uptime
+allow crash_dump proc_uptime:file r_file_perms;
+
+# Read APK files.
+r_dir_file(crash_dump, apk_data_file);
+
+# Read all /vendor
+r_dir_file(crash_dump, { vendor_file same_process_hal_file })
+
+# Read all /data/local/tests
+r_dir_file(crash_dump, shell_test_data_file)
+
+# Talk to tombstoned
+unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
+
+# Talk to ActivityManager.
+unix_socket_connect(crash_dump, system_ndebug, system_server)
+
+# Append to ANR files.
+allow crash_dump anr_data_file:file { append getattr };
+
+# Append to tombstone files.
+allow crash_dump tombstone_data_file:file { append getattr };
+
+# crash_dump writes out logcat logs at the bottom of tombstones,
+# which is super useful in some cases.
+unix_socket_connect(crash_dump, logdr, logd)
+
+# Crash dump is not intended to access the following files. Since these
+# are WAI, suppress the denials to clean up the logs.
+dontaudit crash_dump {
+  core_data_file_type
+  vendor_file_type
+}:dir search;
+dontaudit crash_dump system_data_file:{ lnk_file file } read;
+dontaudit crash_dump property_type:file read;
+
 ###
 ### neverallow assertions
 ###
 
+# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
+# Do not allow the execution of crash_dump without a domain transition.
+neverallow domain crash_dump_exec:file execute_no_trans;
+
 # sigchld not explicitly forbidden since it's part of the
 # domain-transition-on-exec macros, and is by itself not sensitive
 neverallow crash_dump {
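Review bot: `r_dir_file(crash_dump, apk_data_file);` ends with a semicolon while the sibling macro calls `r_dir_file(crash_dump, { vendor_file same_process_hal_file })` and `r_dir_file(crash_dump, shell_test_data_file)` do not; the policy build evidently tolerates the extra `;` (other files in this change do the same), but it is noise and should be dropped for consistency. The two rules `allow crash_dump domain:fifo_file { read write };` and `allow crash_dump domain:fifo_file { append };` can be a single `allow crash_dump domain:fifo_file { read write append };` with both existing comments kept above it. The neverallow block on the last line of the hunk continues outside it.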
diff --git a/private/credstore.te b/private/credstore.te
index 02e87f7..bef5c55 100644
--- a/private/credstore.te
+++ b/private/credstore.te
@@ -11,3 +11,19 @@
 # credstore needs to get keys from the RKPD
 get_prop(credstore, remote_prov_prop)
 allow credstore remote_provisioning_service:service_manager find;
+
+binder_use(credstore)
+binder_service(credstore)
+binder_call(credstore, system_server)
+
+allow credstore credstore_data_file:dir create_dir_perms;
+allow credstore credstore_data_file:file create_file_perms;
+
+add_service(credstore, credstore_service)
+allow credstore sec_key_att_app_id_provider_service:service_manager find;
+allow credstore dropbox_service:service_manager find;
+allow credstore authorization_service:service_manager find;
+allow credstore keystore:keystore2 get_auth_token;
+
+r_dir_file(credstore, cgroup)
+r_dir_file(credstore, cgroup_v2)
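Review bot: `allow credstore keystore:keystore2 get_auth_token;` and the four service_manager find rules above it are uncommented, whereas the remote_prov rule at the top of the file explains its purpose; one line per group, e.g. `# Auth tokens are fetched from keystore2 to bind credentials to user authentication (confirm).`, would match the file's existing style. The only restriction on credstore_data_file, `neverallow { domain -credstore -init } credstore_data_file:dir_file_class_set *;`, is added to app.te by this same change; colocating it with the create_dir_perms/create_file_perms grants here would make the invariant easier to audit.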
diff --git a/private/dhcp.te b/private/dhcp.te
index 8ec9111..ce4fef1 100644
--- a/private/dhcp.te
+++ b/private/dhcp.te
@@ -5,3 +5,29 @@
 
 set_prop(dhcp, dhcp_prop)
 set_prop(dhcp, pan_result_prop)
+
+net_domain(dhcp)
+
+allow dhcp cgroup:dir { create write add_name };
+allow dhcp cgroup_v2:dir { create write add_name };
+allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
+allow dhcp self:packet_socket create_socket_perms_no_ioctl;
+allow dhcp self:netlink_route_socket nlmsg_write;
+allow dhcp shell_exec:file rx_file_perms;
+allow dhcp system_file:file rx_file_perms;
+not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
+
+# dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
+allow dhcp toolbox_exec:file rx_file_perms;
+
+# For /proc/sys/net/ipv4/conf/*/promote_secondaries
+allow dhcp proc_net_type:file write;
+
+allow dhcp dhcp_data_file:dir create_dir_perms;
+allow dhcp dhcp_data_file:file create_file_perms;
+
+# PAN connections
+allow dhcp netd:fd use;
+allow dhcp netd:fifo_file rw_file_perms;
+allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
+allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
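Review bot: `# For /proc/sys/net/ipv4/conf/*/promote_secondaries` names one sysctl, but `allow dhcp proc_net_type:file write;` grants write to every file carrying the proc_net_type attribute; if a more specific type labels that sysctl it should be used, otherwise the comment should state that the grant is broader than the one file it was added for. The capability rule `allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };` is also uncommented; a line saying why each is needed (privilege drop, raw sockets for DHCP, binding the client port — to be confirmed against the daemon) would make future trimming possible.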
diff --git a/public/display_service_server.te b/private/display_service_server.te
similarity index 100%
rename from public/display_service_server.te
rename to private/display_service_server.te
diff --git a/private/dnsmasq.te b/private/dnsmasq.te
index 96084b4..de6c8d6 100644
--- a/private/dnsmasq.te
+++ b/private/dnsmasq.te
@@ -1 +1,23 @@
 typeattribute dnsmasq coredomain;
+
+net_domain(dnsmasq)
+allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
+
+# TODO:  Run with dhcp group to avoid need for dac_override.
+allow dnsmasq self:global_capability_class_set { dac_override dac_read_search };
+
+allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
+
+allow dnsmasq dhcp_data_file:dir w_dir_perms;
+allow dnsmasq dhcp_data_file:file create_file_perms;
+
+# Inherit and use open files from netd.
+allow dnsmasq netd:fd use;
+allow dnsmasq netd:fifo_file { getattr read write };
+# TODO: Investigate whether these inherited sockets should be closed on exec.
+allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
+allow dnsmasq netd:netlink_nflog_socket { read write };
+allow dnsmasq netd:netlink_route_socket { read write };
+allow dnsmasq netd:unix_stream_socket { getattr read write };
+allow dnsmasq netd:unix_dgram_socket { read write };
+allow dnsmasq netd:udp_socket { read write };
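Review bot: The second capability rule, `allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };`, has no comment even though the first one carries a TODO explaining dac_override; keeping the two rules separate is reasonable given that TODO, but a comment such as `# Network and privilege-drop capabilities dnsmasq needs on its own.` would make the split look intentional. `allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;` directly after `net_domain(dnsmasq)` likewise deserves a line naming which ioctl the daemon issues, since the extended-permission grant is otherwise opaque to the next reader.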
diff --git a/private/domain.te b/private/domain.te
index 36eb197..b5525d5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -1,3 +1,347 @@
+# Rules for all domains.
+
+# Allow reaping by init.
+allow domain init:process sigchld;
+
+# Intra-domain accesses.
+allow domain self:process {
+    fork
+    sigchld
+    sigkill
+    sigstop
+    signull
+    signal
+    getsched
+    setsched
+    getsession
+    getpgid
+    setpgid
+    getcap
+    setcap
+    getattr
+    setrlimit
+};
+allow domain self:fd use;
+allow domain proc:dir r_dir_perms;
+allow domain proc_net_type:dir search;
+r_dir_file(domain, self)
+allow domain self:{ fifo_file file } rw_file_perms;
+allow domain self:unix_dgram_socket { create_socket_perms sendto };
+allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
+
+# Inherit or receive open files from others.
+allow domain init:fd use;
+
+userdebug_or_eng(`
+  allow domain su:fd use;
+  allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown };
+  allow domain su:unix_dgram_socket sendto;
+
+  allow { domain -init } su:binder { call transfer };
+
+  # Running something like "pm dump com.android.bluetooth" requires
+  # fifo writes
+  allow domain su:fifo_file { write getattr };
+
+  # allow "gdbserver --attach" to work for su.
+  allow domain su:process sigchld;
+
+  # Allow writing coredumps to /cores/*
+  allow domain coredump_file:file create_file_perms;
+  allow domain coredump_file:dir ra_dir_perms;
+')
+
+with_native_coverage(`
+  # Allow writing coverage information to /data/misc/trace
+  allow domain method_trace_data_file:dir create_dir_perms;
+  allow domain method_trace_data_file:file create_file_perms;
+')
+
+# Allow everyone to read aconfig flags
+get_prop(domain, device_config_aconfig_flags_prop);
+
+# Root fs.
+allow domain tmpfs:dir { getattr search };
+allow domain rootfs:dir search;
+allow domain rootfs:lnk_file { read getattr };
+
+# Device accesses.
+allow domain device:dir search;
+allow domain dev_type:lnk_file r_file_perms;
+allow domain devpts:dir search;
+allow domain dmabuf_heap_device:dir r_dir_perms;
+allow domain socket_device:dir r_dir_perms;
+allow domain owntty_device:chr_file rw_file_perms;
+allow domain null_device:chr_file rw_file_perms;
+allow domain zero_device:chr_file rw_file_perms;
+
+# /dev/ashmem is being deprecated by means of constraining and eventually
+# removing all "open" permissions. We preserve the other permissions.
+allow domain ashmem_device:chr_file { getattr read ioctl lock map append write };
+# This device is used by libcutils, which is accessible to everyone.
+allow domain ashmem_libcutils_device:chr_file rw_file_perms;
+
+# /dev/binder can be accessed by ... everyone! :)
+allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+get_prop({domain -hwservicemanager -vndservicemanager }, servicemanager_prop)
+
+# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
+# added to individual domains, but this sets safe defaults for all processes.
+allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };
+
+# /dev/binderfs needs to be accessed by everyone too!
+allow domain binderfs:dir { getattr search };
+allow domain binderfs_logs_proc:dir search;
+allow domain binderfs_features:dir search;
+allow domain binderfs_features:file r_file_perms;
+
+allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
+allow domain ptmx_device:chr_file rw_file_perms;
+allow domain random_device:chr_file rw_file_perms;
+allow domain proc_random:dir r_dir_perms;
+allow domain proc_random:file r_file_perms;
+allow domain properties_device:dir { search getattr };
+allow domain properties_serial:file r_file_perms;
+allow domain property_info:file r_file_perms;
+
+# Let everyone read log properties, so that liblog can avoid sending unloggable
+# messages to logd.
+get_prop(domain, log_property_type)
+dontaudit domain property_type:file audit_access;
+allow domain property_contexts_file:file r_file_perms;
+
+allow domain init:key search;
+allow domain vold:key search;
+
+# logd access
+write_logd(domain)
+
+# Directory/link file access for path resolution.
+allow domain {
+    system_file
+    system_lib_file
+    system_seccomp_policy_file
+    system_security_cacerts_file
+}:dir r_dir_perms;
+allow domain system_file:lnk_file { getattr read };
+
+# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
+# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
+allow domain system_seccomp_policy_file:file r_file_perms;
+# cacerts are accessible from public Java API.
+allow domain system_security_cacerts_file:file r_file_perms;
+allow domain system_group_file:file r_file_perms;
+allow domain system_passwd_file:file r_file_perms;
+allow domain system_linker_exec:file { execute read open getattr map };
+allow domain system_linker_config_file:file r_file_perms;
+allow domain system_lib_file:file { execute read open getattr map };
+# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
+allow domain system_linker_exec:lnk_file { read open getattr };
+allow domain system_lib_file:lnk_file { read open getattr };
+
+allow domain system_event_log_tags_file:file r_file_perms;
+
+allow { appdomain coredomain } system_file:file { execute read open getattr map };
+
+# Make sure system/vendor split doesn not affect non-treble
+# devices
+not_full_treble(`
+    allow domain system_file:file { execute read open getattr map };
+    allow domain vendor_file_type:dir { search getattr };
+    allow domain vendor_file_type:file { execute read open getattr map };
+    allow domain vendor_file_type:lnk_file { getattr read };
+')
+
+# All domains are allowed to open and read directories
+# that contain HAL implementations (e.g. passthrough
+# HALs require clients to have these permissions)
+allow domain vendor_hal_file:dir r_dir_perms;
+
+# Everyone can read and execute all same process HALs
+allow domain same_process_hal_file:dir r_dir_perms;
+allow {
+    domain
+    -coredomain # access is explicitly granted to individual coredomains
+} same_process_hal_file:file { execute read open getattr map };
+
+# Any process can load vndk-sp libraries, which are system libraries
+# used by same process HALs
+allow domain vndk_sp_file:dir r_dir_perms;
+allow domain vndk_sp_file:file { execute read open getattr map };
+
+# All domains get access to /vendor/etc
+allow domain vendor_configs_file:dir r_dir_perms;
+allow domain vendor_configs_file:file { read open getattr map };
+
+full_treble_only(`
+    # Allow all domains to be able to follow /system/vendor and/or
+    # /vendor/odm symlinks.
+    allow domain vendor_file_type:lnk_file { getattr open read };
+
+    # This is required to be able to search & read /vendor/lib64
+    # in order to lookup vendor libraries. The execute permission
+    # for coredomains is granted *only* for same process HALs
+    allow domain vendor_file:dir { getattr search };
+
+    # Allow reading and executing out of /vendor to all vendor domains
+    allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
+    allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
+    allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
+')
+
+# read and stat any sysfs symlinks
+allow domain sysfs:lnk_file { getattr read };
+
+# libc references /system/usr/share/zoneinfo for timezone related information.
+# This directory is considered to be a VNDK-stable
+allow domain { system_zoneinfo_file }:file r_file_perms;
+allow domain { system_zoneinfo_file }:dir r_dir_perms;
+
+# Lots of processes access current CPU information
+r_dir_file(domain, sysfs_devices_system_cpu)
+
+r_dir_file(domain, sysfs_usb);
+
+# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
+# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
+allow domain sysfs_transparent_hugepage:dir search;
+allow domain sysfs_transparent_hugepage:file r_file_perms;
+
+# Allow search access, and sometimes getattr access, to various directories
+# under /data.  We are fairly lenient in allowing search access to top-level
+# dirs that commonly need to be traversed to get access to the "real" files, as
+# this greatly simplifies the policy and doesn't open up much attack surface.
+not_full_treble(`
+  allow domain system_data_file:dir getattr;
+')
+allow { coredomain appdomain } system_data_file:dir getattr;
+# Anything that accesses anything in /data needs search access to /data itself.
+# This includes vendor components, as they need to access /data/vendor.
+allow domain system_data_root_file:dir { search getattr } ;
+# system_data_file is the default type for directories in /data.  Anything
+# accessing data files with a more specific type often has to traverse a
+# system_data_file directory such as /data/misc to get there.
+allow domain system_data_file:dir search;
+# Anything that accesses files in /data/user (and /data/user_de, etc.) needs
+# search access to these directories themselves.  getattr access is sometimes
+# needed too.
+allow { coredomain appdomain } system_userdir_file:dir { search getattr };
+# Anything that accesses files in /data/media needs search access to /data/media
+# itself.
+allow { coredomain appdomain } media_userdir_file:dir search;
+# TODO restrict this to non-coredomain
+allow domain vendor_userdir_file:dir { getattr search };
+allow domain vendor_data_file:dir { getattr search };
+
+# required by the dynamic linker
+allow domain proc:lnk_file { getattr read };
+
+# /proc/cpuinfo
+allow domain proc_cpuinfo:file r_file_perms;
+
+# /dev/cpu_variant:.*
+allow domain dev_cpu_variant:file r_file_perms;
+
+# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
+allow domain proc_perf:file r_file_perms;
+
+# toybox loads libselinux which stats /sys/fs/selinux/
+allow domain selinuxfs:dir search;
+allow domain selinuxfs:file getattr;
+allow domain sysfs:dir search;
+allow domain selinuxfs:filesystem getattr;
+
+# Almost all processes log tracing information to
+# /sys/kernel/debug/tracing/trace_marker
+# The reason behind this is documented in b/6513400
+allow domain debugfs:dir search;
+allow domain debugfs_tracing:dir search;
+allow domain debugfs_tracing_debug:dir search;
+allow domain debugfs_trace_marker:file w_file_perms;
+
+# Linux lockdown mode offered coarse-grained definitions for access controls. In
+# previous versions of the policy, the integrity permission was neverallowed.
+# It was found that this permission mainly duplicates pre-existing rules in
+# the policy (see b/285443587). Additionally, some access were found to be
+# required (b/269377822). The access vector was removed from kernel 5.16
+# onwards. Grant unconditional access, these rules should be removed from the
+# policy once no kernel <5.16 are supported.
+allow domain self:lockdown { confidentiality integrity };
+
+# Filesystem access.
+allow domain fs_type:filesystem getattr;
+allow domain fs_type:dir getattr;
+
+# Restrict all domains to an allowlist for common socket types. Additional
+# ioctl commands may be added to individual domains, but this sets safe
+# defaults for all processes. Note that granting this allowlist to domain does
+# not grant the ioctl permission on these socket types. That must be granted
+# separately.
+allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
+  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+# default allowlist for unix sockets.
+allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
+  ioctl unpriv_unix_sock_ioctls;
+
+# Restrict PTYs to only allowed ioctls.
+# Note that granting this allowlist to domain does
+# not grant the wider ioctl permission. That must be granted
+# separately.
+allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
+
+# All domains must clearly enumerate what ioctls they use
+# on filesystem objects (plain files, directories, symbolic links,
+# named pipes, and named sockets). We start off with a safe set.
+allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
+
+# If a domain has ioctl access to tun_device, it must clearly enumerate the
+# ioctls used. Safe defaults are listed below.
+allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
+
+# Allow a process to make a determination whether a file descriptor
+# for a plain file or pipe (fifo_file) is a tty. Note that granting
+# this allowlist to domain does not grant the ioctl permission to
+# these files. That must be granted separately.
+allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
+allowxperm domain domain:fifo_file ioctl { TCGETS };
+
+# If a domain has access to perform an ioctl on a block device, allow these
+# very common, benign ioctls
+allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
+
+# Support sqlite F2FS specific optimizations
+# ioctl permission on the specific file type is still required
+# TODO: consider only compiling these rules if we know the
+# /data partition is F2FS
+allowxperm domain { file_type sdcard_type }:file ioctl {
+  F2FS_IOC_ABORT_VOLATILE_WRITE
+  F2FS_IOC_COMMIT_ATOMIC_WRITE
+  F2FS_IOC_GET_FEATURES
+  F2FS_IOC_GET_PIN_FILE
+  F2FS_IOC_SET_PIN_FILE
+  F2FS_IOC_START_ATOMIC_WRITE
+};
+
+# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
+# when it's not explicitly used in allow rules
+allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
+# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
+# when it's not explicitly used in allow rules
+allow { domain -domain } vndservice_manager_type:service_manager { add find };
+
+# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
+with_asan(`allow domain system_data_file:dir getattr;')
+# Under ASAN, /system/asan.options needs to be globally accessible.
+with_asan(`allow domain system_asan_options_file:file r_file_perms;')
+
+# read APEX dir and stat any symlink pointing to APEXs.
+allow domain apex_mnt_dir:dir { getattr search };
+allow domain apex_mnt_dir:lnk_file r_file_perms;
+
+# Allow everyone to read media server-configurable flags, so that libstagefright can be
+# configured using server-configurable flags
+get_prop(domain, device_config_media_native_prop)
+
 # Transition to crash_dump when /system/bin/crash_dump* is executed.
 # This occurs when the process crashes.
 # We do not apply this to the su domain to avoid interfering with
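Review bot: Macro invocations in this hunk are inconsistently terminated: `get_prop(domain, device_config_aconfig_flags_prop);` and `r_dir_file(domain, sysfs_usb);` carry a trailing semicolon, while `r_dir_file(domain, self)`, `get_prop(domain, log_property_type)` and `r_dir_file(domain, sysfs_devices_system_cpu)` do not. The expansion of these macros already ends in `;`, so the bare form should be used throughout; the same applies to `neverallow_establish_socket_comms(...);` in the next hunk of this file. Brace spacing is likewise uneven between `allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;` and the `get_prop({domain -hwservicemanager -vndservicemanager }, servicemanager_prop)` line below it. The comment `# Make sure system/vendor split doesn not affect non-treble` has a typo and should read `does not`.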
@@ -223,6 +567,962 @@
 # permission on /metadata dir
 allow domain metadata_file:dir search;
 
+###
+### neverallow rules
+###
+
+# All ioctls on file-like objects (except chr_file and blk_file) and
+# sockets must be restricted to an allowlist.
+neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
+
+# b/68014825 and https://android-review.googlesource.com/516535
+# rfc6093 says that processes should not use the TCP urgent mechanism
+neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
+
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * devpts:chr_file ioctl TIOCSTI;
+
+# Do not allow any domain other than init to create unlabeled files.
+neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
+
+# Limit device node creation to these allowed domains.
+neverallow {
+  domain
+  -kernel
+  -init
+  -ueventd
+  -vold
+} self:global_capability_class_set mknod;
+
+# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
+neverallow * self:memprotect mmap_zero;
+
+# No domain needs mac_override as it is unused by SELinux.
+neverallow * self:global_capability2_class_set mac_override;
+
+# Disallow attempts to set contexts not defined in current policy
+# This helps guarantee that unknown or dangerous contents will not ever
+# be set.
+neverallow * self:global_capability2_class_set mac_admin;
+
+# Once the policy has been loaded there shall be none to modify the policy.
+# It is sealed.
+neverallow * kernel:security load_policy;
+
+# Only init prior to switching context should be able to set enforcing mode.
+# init starts in kernel domain and switches to init domain via setcon in
+# the init.rc, so the setenforce occurs while still in kernel. After
+# switching domains, there is never any need to setenforce again by init.
+neverallow * kernel:security setenforce;
+neverallow { domain -kernel } kernel:security setcheckreqprot;
+
+# No booleans in AOSP policy, so no need to ever set them.
+neverallow * kernel:security setbool;
+
+# Adjusting the AVC cache threshold.
+# Not presently allowed to anything in policy, but possibly something
+# that could be set from init.rc.
+neverallow { domain -init } kernel:security setsecparam;
+
+# Only the kernel hwrng thread should be able to read from the HW RNG.
+neverallow {
+  domain
+  -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG
+  -shell # For CTS, restricted to just getattr in shell.te
+  -ueventd # To create the /dev/hw_random file
+} hw_random_device:chr_file *;
+# b/78174219 b/64114943
+neverallow {
+  domain
+  -shell # stat of /dev, getattr only
+  -ueventd
+} keychord_device:chr_file *;
+
+# Ensure that all entrypoint executables are in exec_type or postinstall_file.
+neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
+
+# The dynamic linker always calls access(2) on the path. Don't generate SElinux
+# denials since the linker does not actually access the path in case the path
+# does not exist or isn't accessible for the process.
+dontaudit domain postinstall_mnt_dir:dir audit_access;
+
+#Ensure that nothing in userspace can access /dev/port
+neverallow {
+  domain
+  -shell # Shell user should not have any abilities outside of getattr
+  -ueventd
+} port_device:chr_file *;
+neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
+# Only init should be able to configure kernel usermodehelpers or
+# security-sensitive proc settings.
+neverallow { domain -init } usermodehelper:file { append write };
+neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
+neverallow { domain -init -vendor_init } proc_security:file { append open read write };
+
+# Init can't do anything with binder calls. If this neverallow rule is being
+# triggered, it's probably due to a service with no SELinux domain.
+neverallow * init:binder *;
+neverallow * vendor_init:binder *;
+
+# Binderfs logs contain sensitive information about other processes.
+neverallow { domain -dumpstate -init -vendor_init userdebug_or_eng(`-domain') } { binderfs_logs binderfs_logs_proc }:file no_rw_file_perms;
+neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_stats:file no_rw_file_perms;
+
+# Don't allow raw read/write/open access to block_device
+# Rather force a relabel to a more specific type
+neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
+
+# Do not allow renaming of block files or character files
+# Ability to do so can lead to possible use in an exploit chain
+# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
+neverallow * *:{ blk_file chr_file } rename;
+
+# Don't allow raw read/write/open access to generic devices.
+# Rather force a relabel to a more specific type.
+neverallow domain device:chr_file { open read write };
+
+# Files from cache should never be executed
+neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
+
+# The test files and executables MUST not be accessible to any domain
+neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
+neverallow domain nativetest_data_file:dir no_w_dir_perms;
+neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
+
+neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms;
+neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
+neverallow { domain -shell -init -adbd -heapprofd -crash_dump } shell_test_data_file:file *;
+neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;
+
+# Only the init property service should write to /data/property and /dev/__properties__
+neverallow { domain -init } property_data_file:dir no_w_dir_perms;
+neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
+
+# Nobody should be doing writes to /system & /vendor
+# These partitions are intended to be read-only and must never be
+# modified. Doing so would violate important Android security guarantees
+# and invalidate dm-verity signatures.
+neverallow {
+    domain
+    with_asan(`-asan_extract')
+    recovery_only(`userdebug_or_eng(`-fastbootd')')
+} {
+    system_file_type
+    vendor_file_type
+    exec_type
+}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
+
+neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+
+# Don't allow mounting on top of /system files or directories
+neverallow * exec_type:dir_file_class_set mounton;
+
+# Nothing should be writing to files in the rootfs.
+neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+
+# Restrict context mounts to specific types marked with
+# the contextmount_type attribute.
+neverallow * {fs_type -contextmount_type}:filesystem relabelto;
+
+# Ensure that context mount types are not writable, to ensure that
+# the write to /system restriction above is not bypassed via context=
+# mount to another type.
+neverallow * contextmount_type:dir_file_class_set
+    { create setattr relabelfrom relabelto append link rename };
+neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink };
+
+# Do not allow service_manager add for default service labels.
+# Instead domains should use a more specific type such as
+# system_app_service rather than the generic type.
+# New service_types are defined in {,hw,vnd}service.te and new mappings
+# from service name to service_type are defined in {,hw,vnd}service_contexts.
+neverallow * default_android_service:service_manager *;
+neverallow * default_android_vndservice:service_manager *;
+neverallow * default_android_hwservice:hwservice_manager *;
+
+# Looking up the base class/interface of all HwBinder services is a bad idea.
+# hwservicemanager currently offer such lookups only to make it so that security
+# decisions are expressed in SELinux policy. However, it's unclear whether this
+# lookup has security implications. If it doesn't, hwservicemanager should be
+# modified to not offer this lookup.
+# This rule can be removed if hwservicemanager is modified to not permit these
+# lookups.
+neverallow * hidl_base_hwservice:hwservice_manager find;
+
+# Require that domains explicitly label unknown properties, and do not allow
+# anyone but init to modify unknown properties.
+neverallow { domain -init -vendor_init } mmc_prop:property_service set;
+neverallow { domain -init -vendor_init } vndk_prop:property_service set;
+
+compatible_property_only(`
+    neverallow { domain -init } mmc_prop:property_service set;
+    neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
+    neverallow { domain -init } exported_secure_prop:property_service set;
+    neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
+    neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
+    neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set;
+')
+
+compatible_property_only(`
+    neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
+    neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
+')
+
+# New "pm.dexopt." sysprops should be explicitly listed as exported_pm_prop.
+neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:property_service set;
+neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:file no_rw_file_perms;
+
+# ART may introduce new sysprops. SELinux denials due to reading new sysprops on
+# old platforms shouldn't be regarded as a problem.
+dontaudit domain future_pm_prop:file read;
+
+neverallow { domain -init } aac_drc_prop:property_service set;
+neverallow { domain -init } build_prop:property_service set;
+neverallow { domain -init } userdebug_or_eng_prop:property_service set;
+
+# Do not allow reading device's serial number from system properties except form
+# a few allowed domains.
+neverallow {
+  domain
+  -adbd
+  -dumpstate
+  -fastbootd
+  -hal_camera_server
+  -hal_cas_server
+  -hal_drm_server
+  -hal_keymint_server
+  userdebug_or_eng(`-incidentd')
+  -init
+  -mediadrmserver
+  -mediaserver
+  -recovery
+  -shell
+  -system_server
+  -vendor_init
+} serialno_prop:file r_file_perms;
+
+neverallow {
+  domain
+  -init
+  -recovery
+  -system_server
+  -ueventd # Further restricted in ueventd.te
+} frp_block_device:blk_file no_rw_file_perms;
+
+# The metadata block device is set aside for device encryption and
+# verified boot metadata. It may be reset at will and should not
+# be used by other domains.
+neverallow {
+  domain
+  -init
+  -recovery
+  -vold
+  -e2fs
+  -fsck
+  -fastbootd
+  -hal_fastboot_server
+} metadata_block_device:blk_file { append link rename write open read ioctl lock };
+
+# No domain other than recovery, update_engine and fastbootd can write to system partition(s).
+neverallow {
+  domain
+  -fastbootd
+  userdebug_or_eng(`-fsck')
+  userdebug_or_eng(`-init')
+  -recovery
+  -update_engine
+} system_block_device:blk_file { write append };
+
+# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
+neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
+# The service managers are only allowed to access their own device node
+neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
+neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
+neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
+
+full_treble_only(`
+  # Vendor apps are permited to use only stable public services. If they were to use arbitrary
+  # services which can change any time framework/core is updated, breakage is likely.
+  #
+  # Note, this same logic applies to untrusted apps, but neverallows for these are separate.
+  neverallow {
+    appdomain
+    -coredomain
+  } {
+    service_manager_type
+
+    -app_api_service
+    -ephemeral_app_api_service
+
+    -hal_service_type # see app_neverallows.te
+
+    -apc_service
+    -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
+    -cameraserver_service
+    -drmserver_service
+    -credstore_service
+    -keystore_maintenance_service
+    -keystore_service
+    -legacykeystore_service
+    -mediadrmserver_service
+    -mediaextractor_service
+    -mediametrics_service
+    -mediaserver_service
+    -nfc_service
+    -radio_service
+    -virtual_touchpad_service
+    -vr_manager_service
+    userdebug_or_eng(`-hal_face_service')
+  }:service_manager find;
+')
+
+# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
+full_treble_only(`
+  neverallow {
+    coredomain
+    -shell
+    userdebug_or_eng(`-su')
+    -ueventd # uevent is granted create for this device, but we still neverallow I/O below
+  } vndbinder_device:chr_file rw_file_perms;
+')
+full_treble_only(`
+  neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
+')
+full_treble_only(`
+  neverallow {
+    coredomain
+    -shell
+    userdebug_or_eng(`-su')
+  } vndservice_manager_type:service_manager *;
+')
+full_treble_only(`
+  neverallow {
+    coredomain
+    -shell
+    userdebug_or_eng(`-su')
+  } vndservicemanager:binder *;
+')
+
+# On full TREBLE devices, socket communications between core components and vendor components are
+# not permitted.
+  # Most general rules first, more specific rules below.
+
+  # Core domains are not permitted to initiate communications to vendor domain sockets.
+  # We are not restricting the use of already established sockets because it is fine for a process
+  # to obtain an already established socket via some public/official/stable API and then exchange
+  # data with its peer over that socket. The wire format in this scenario is dicatated by the API
+  # and thus does not break the core-vendor separation.
+full_treble_only(`
+  neverallow_establish_socket_comms({
+    coredomain
+    -init
+    -adbd
+  }, {
+    domain
+    -coredomain
+    -socket_between_core_and_vendor_violators
+  });
+')
+
+  # Vendor domains are not permitted to initiate create/open sockets owned by core domains
+full_treble_only(`
+  neverallow {
+    domain
+    -coredomain
+    -appdomain # appdomain restrictions below
+    -data_between_core_and_vendor_violators # b/70393317
+    -socket_between_core_and_vendor_violators
+    -vendor_init
+  } {
+    coredomain_socket
+    core_data_file_type
+    unlabeled # used only by core domains
+  }:sock_file ~{ append getattr ioctl read write };
+')
+full_treble_only(`
+  neverallow {
+    appdomain
+    -coredomain
+  } {
+    coredomain_socket
+    unlabeled # used only by core domains
+    core_data_file_type
+    -app_data_file
+    -privapp_data_file
+    -pdx_endpoint_socket_type # used by VR layer
+    -pdx_channel_socket_type # used by VR layer
+  }:sock_file ~{ append getattr ioctl read write };
+')
+
+  # Core domains are not permitted to create/open sockets owned by vendor domains
+full_treble_only(`
+  neverallow {
+    coredomain
+    -init
+    -ueventd
+    -socket_between_core_and_vendor_violators
+  } {
+    file_type
+    dev_type
+    -coredomain_socket
+    -core_data_file_type
+    -app_data_file_type
+    -unlabeled
+  }:sock_file ~{ append getattr ioctl read write };
+')
+
+# On TREBLE devices, vendor and system components are only allowed to share
+# files by passing open FDs over hwbinder. Ban all directory access and all file
+# accesses other than what can be applied to an open FD such as
+# ioctl/stat/read/write/append. This is enforced by segregating /data.
+# Vendor domains may directly access file in /data/vendor by path, but may only
+# access files outside of /data/vendor via an open FD passed over hwbinder.
+# Likewise, core domains may only directly access files outside /data/vendor by
+# path and files in /data/vendor by open FD.
+full_treble_only(`
+  # only coredomains may only access core_data_file_type, particularly not
+  # /data/vendor
+  neverallow {
+    coredomain
+    -appdomain # TODO(b/34980020) remove exemption for appdomain
+    -data_between_core_and_vendor_violators
+    -init
+    -vold_prepare_subdirs
+  } {
+    data_file_type
+    -core_data_file_type
+    -app_data_file_type
+  }:file_class_set ~{ append getattr ioctl read write map };
+')
+full_treble_only(`
+  neverallow {
+    coredomain
+    -appdomain # TODO(b/34980020) remove exemption for appdomain
+    -data_between_core_and_vendor_violators
+    -init
+    -vold_prepare_subdirs
+    } {
+      data_file_type
+      -core_data_file_type
+      -app_data_file_type
+      # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
+      # neverallow. Currently only getattr and search are allowed.
+      -vendor_data_file
+    }:dir *;
+
+')
+full_treble_only(`
+  # vendor domains may only access files in /data/vendor, never core_data_file_types
+  neverallow {
+    domain
+    -appdomain # TODO(b/34980020) remove exemption for appdomain
+    -coredomain
+    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+    -vendor_init
+  } {
+    core_data_file_type
+    with_native_coverage(`-method_trace_data_file')
+  }:file_class_set ~{ append getattr ioctl read write map };
+  neverallow {
+    vendor_init
+    -data_between_core_and_vendor_violators
+  } {
+    core_data_file_type
+    -unencrypted_data_file
+    with_native_coverage(`-method_trace_data_file')
+  }:file_class_set ~{ append getattr ioctl read write map };
+  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+  # The vendor init binary lives on the system partition so there is not a concern with stability.
+  neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
+')
+full_treble_only(`
+  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
+  neverallow {
+    domain
+    -appdomain # TODO(b/34980020) remove exemption for appdomain
+    -coredomain
+    -data_between_core_and_vendor_violators
+    -vendor_init
+  } {
+    core_data_file_type
+    -system_data_file # default label for files on /data. Covered below...
+    -system_data_root_file
+    -vendor_userdir_file
+    -vendor_data_file
+    with_native_coverage(`-method_trace_data_file')
+  }:dir *;
+  neverallow {
+    vendor_init
+    -data_between_core_and_vendor_violators
+  } {
+    core_data_file_type
+    -unencrypted_data_file
+    -system_data_file
+    -system_data_root_file
+    -vendor_userdir_file
+    -vendor_data_file
+    with_native_coverage(`-method_trace_data_file')
+  }:dir *;
+  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+  # The vendor init binary lives on the system partition so there is not a concern with stability.
+  neverallow vendor_init unencrypted_data_file:dir ~search;
+')
+full_treble_only(`
+  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
+  neverallow {
+    domain
+    -appdomain # TODO(b/34980020) remove exemption for appdomain
+    -coredomain
+    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+    } {
+      system_data_file # default label for files on /data. Covered below
+    }:dir ~{ getattr search };
+')
+
+full_treble_only(`
+  #  coredomains may not access dirs in /data/vendor.
+  neverallow {
+    coredomain
+    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+    -init
+    -vold # vold creates per-user storage for both system and vendor
+    -vold_prepare_subdirs
+    } {
+      vendor_data_file # default label for files on /data. Covered below
+    }:dir ~{ getattr search };
+')
+
+full_treble_only(`
+  #  coredomains may not access dirs in /data/vendor.
+  neverallow {
+    coredomain
+    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+    -init
+    } {
+      vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
+    }:file_class_set ~{ append getattr ioctl read write map };
+')
+
+full_treble_only(`
+    # Non-vendor domains are not allowed to file execute shell
+    # from vendor
+    neverallow {
+        coredomain
+        -init
+        -shell
+        -ueventd
+    } vendor_shell_exec:file { execute execute_no_trans };
+')
+
+full_treble_only(`
+    # Do not allow vendor components to execute files from system
+    # except for the ones allowed here.
+    neverallow {
+        domain
+        -coredomain
+        -appdomain
+        -vendor_executes_system_violators
+        -vendor_init
+    } {
+        system_file_type
+        -system_lib_file
+        -system_linker_exec
+        -crash_dump_exec
+        -netutils_wrapper_exec
+        userdebug_or_eng(`-tcpdump_exec')
+        # Vendor components still can invoke shell commands via /system/bin/sh
+        -shell_exec
+        -toolbox_exec
+    }:file { entrypoint execute execute_no_trans };
+')
+
+full_treble_only(`
+    # Do not allow coredomain to access entrypoint for files other
+    # than system_file_type and postinstall_file
+    neverallow coredomain {
+        file_type
+        -system_file_type
+        -postinstall_file
+    }:file entrypoint;
+    # Do not allow domains other than coredomain to access entrypoint
+    # for anything but vendor_file_type and init_exec for vendor_init.
+    neverallow { domain -coredomain } {
+        file_type
+        -vendor_file_type
+        -init_exec
+    }:file entrypoint;
+')
+
+full_treble_only(`
+    # Do not allow system components to execute files from vendor
+    # except for the ones allowed here.
+    neverallow {
+      coredomain
+      -init
+      -shell
+      -system_executes_vendor_violators
+      -ueventd
+    } {
+      vendor_file_type
+      -same_process_hal_file
+      -vndk_sp_file
+      -vendor_app_file
+      -vendor_public_framework_file
+      -vendor_public_lib_file
+    }:file execute;
+')
+
+full_treble_only(`
+    neverallow {
+      coredomain
+      -shell
+      -system_executes_vendor_violators
+    } {
+      vendor_file_type
+      -same_process_hal_file
+    }:file execute_no_trans;
+')
+
+full_treble_only(`
+  # Do not allow vendor components access to /system files except for the
+  # ones allowed here.
+  neverallow {
+    domain
+    -appdomain
+    -coredomain
+    -vendor_executes_system_violators
+    # vendor_init needs access to init_exec for domain transition. vendor_init
+    # neverallows are covered in public/vendor_init.te
+    -vendor_init
+  } {
+    system_file_type
+    -crash_dump_exec
+    -file_contexts_file
+    -netutils_wrapper_exec
+    -property_contexts_file
+    -system_event_log_tags_file
+    -system_group_file
+    -system_lib_file
+    with_asan(`-system_asan_options_file')
+    -system_linker_exec
+    -system_linker_config_file
+    -system_passwd_file
+    -system_seccomp_policy_file
+    -system_security_cacerts_file
+    -system_zoneinfo_file
+    -task_profiles_api_file
+    -task_profiles_file
+    userdebug_or_eng(`-tcpdump_exec')
+    # Vendor components still can invoke shell commands via /system/bin/sh
+    -shell_exec
+    -toolbox_exec
+  }:file *;
+')
+
+# Only system_server should be able to send commands via the zygote socket
+neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
+neverallow { domain -system_server } zygote_socket:sock_file write;
+
+neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto;
+neverallow { domain -system_server } webview_zygote:sock_file write;
+neverallow { domain -system_server } app_zygote:sock_file write;
+
+neverallow domain tombstoned_crash_socket:unix_stream_socket connectto;
+
+# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
+# the tombstoned intercept socket.
+neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
+neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
+
+# Never allow anyone but system_server to read heapdumps in /data/system/heapdump.
+neverallow { domain -init -system_server } heapdump_data_file:file read;
+
+# Android does not support System V IPCs.
+#
+# The reason for this is due to the fact that, by design, they lead to global
+# kernel resource leakage.
+#
+# For example, there is no way to automatically release a SysV semaphore
+# allocated in the kernel when:
+#
+# - a buggy or malicious process exits
+# - a non-buggy and non-malicious process crashes or is explicitly killed.
+#
+# Killing processes automatically to make room for new ones is an
+# important part of Android's application lifecycle implementation. This means
+# that, even assuming only non-buggy and non-malicious code, it is very likely
+# that over time, the kernel global tables used to implement SysV IPCs will fill
+# up.
+neverallow * *:{ shm sem msg msgq } *;
+
+# Do not mount on top of symlinks, fifos, or sockets.
+# Feature parity with Chromium LSM.
+neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
+
+# Nobody should be able to execute su on user builds.
+# On userdebug/eng builds, only dumpstate, shell, and
+# su itself execute su.
+neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
+
+# Do not allow the introduction of new execmod rules. Text relocations
+# and modification of executable pages are unsafe.
+# The only exceptions are for NDK text relocations associated with
+# https://code.google.com/p/android/issues/detail?id=23203
+# which, long term, need to go away.
+neverallow * {
+  file_type
+  -apk_data_file
+  -app_data_file
+  -asec_public_file
+}:file execmod;
+
+# Do not allow making the stack or heap executable.
+# We would also like to minimize execmem but it seems to be
+# required by some device-specific service domains.
+neverallow * self:process { execstack execheap };
+
+# Do not allow the introduction of new execmod rules. Text relocations
+# and modification of executable pages are unsafe.
+neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
+
+# Ensure that all types assigned to processes are included
+# in the domain attribute, so that all allow and neverallow rules
+# written on domain are applied to all processes.
+# This is achieved by ensuring that it is impossible to transition
+# from a domain to a non-domain type and vice versa.
+# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
+neverallow ~domain domain:process { transition dyntransition };
+
+#
+# Only system_app and system_server should be creating or writing
+# their files. The proper way to share files is to setup
+# type transitions to a more specific type or assigning a type
+# to its parent directory via a file_contexts entry.
+# Example type transition:
+#  mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
+#
+neverallow {
+  domain
+  -system_server
+  -system_app
+  -init
+  -toolbox # TODO(b/141108496) We want to remove toolbox
+  -installd # for relabelfrom and unlink, check for this in explicit neverallow
+  -vold_prepare_subdirs # For unlink
+  with_asan(`-asan_extract')
+} system_data_file:file no_w_file_perms;
+# do not grant anything greater than r_file_perms and relabelfrom unlink
+# to installd
+neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
+
+#
+# Only these domains should transition to shell domain. This domain is
+# permissible for the "shell user". If you need a process to exec a shell
+# script with differing privilege, define a domain and set up a transition.
+#
+neverallow {
+  domain
+  -adbd
+  -init
+  -runas
+  -zygote
+} shell:process { transition dyntransition };
+
+# Only domains spawned from zygote, runas and simpleperf_app_runner may have
+# the appdomain attribute. simpleperf is excluded as a domain transitioned to
+# when running an app-scoped profiling session.
+neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
+  appdomain -shell -simpleperf userdebug_or_eng(`-su')
+}:process { transition dyntransition };
+
+# Minimize read access to shell- or app-writable symlinks.
+# This is to prevent malicious symlink attacks.
+neverallow {
+  domain
+  -appdomain
+  -artd
+  -installd
+} { app_data_file privapp_data_file }:lnk_file read;
+
+neverallow {
+  domain
+  -shell
+  userdebug_or_eng(`-uncrypt')
+  -installd
+} shell_data_file:lnk_file read;
+
+# servicemanager and vndservicemanager are the only processes which handle the
+# service_manager list request
+neverallow * ~{
+    servicemanager
+    vndservicemanager
+    }:service_manager list;
+
+# hwservicemanager is the only process which handles hw list requests
+neverallow * ~{
+    hwservicemanager
+    }:hwservice_manager list;
+
+# only service_manager_types can be added to service_manager
+# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
+
+# Prevent assigning non property types to properties
+# TODO - rework this: neverallow * ~property_type:property_service set;
+
+# Domain types should never be assigned to any files other
+# than the /proc/pid files associated with a process. The
+# executable file used to enter a domain should be labeled
+# with its own _exec type, not with the domain type.
+# Conventionally, this looks something like:
+# $ cat mydaemon.te
+# type mydaemon, domain;
+# type mydaemon_exec, exec_type, file_type;
+# init_daemon_domain(mydaemon)
+# $ grep mydaemon file_contexts
+# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
+neverallow * domain:file { execute execute_no_trans entrypoint };
+
+# Do not allow access to the generic debugfs label. This is too broad.
+# Instead, if access to part of debugfs is desired, it should have a
+# more specific label.
+# TODO: fix dumpstate
+neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms;
+
+# Do not allow executable files in debugfs.
+neverallow domain debugfs_type:file { execute execute_no_trans };
+
+# Don't allow access to the FUSE control filesystem, except to vold and init's
+neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;
+
+# Profiles contain untrusted data and profman parses that. We should only run
+# it from installd and artd forked processes.
+neverallow {
+  domain
+  -installd
+  -profman
+  -artd
+} profman_exec:file no_x_file_perms;
+
+# Enforce restrictions on kernel module origin.
+# Do not allow kernel module loading except from system,
+# vendor, boot, and system_dlkm partitions.
+# TODO(b/218951883): Remove usage of system and rootfs as origin
+neverallow * ~{ system_file_type vendor_file_type rootfs system_dlkm_file_type }:system module_load;
+
+# Only allow filesystem caps to be set at build time. Runtime changes
+# to filesystem capabilities are not permitted.
+neverallow * self:global_capability_class_set setfcap;
+
+# Enforce AT_SECURE for executing crash_dump.
+neverallow domain crash_dump:process noatsecure;
+
+# Do not permit non-core domains to register HwBinder services which are
+# guaranteed to be provided by core domains only.
+neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
+
+# Do not permit the registeration of HwBinder services which are guaranteed to
+# be passthrough only (i.e., run in the process of their clients instead of a
+# separate server process).
+neverallow * same_process_hwservice:hwservice_manager add;
+
+# If an already existing file is opened with O_CREAT, the kernel might generate
+# a false report of a create denial. Silence these denials and make sure that
+# inappropriate permissions are not granted.
+
+# These filesystems don't allow files or directories to be created, so the permission
+# to do so should never be granted.
+neverallow domain {
+  proc_type
+  sysfs_type
+}:dir { add_name create link remove_name rename reparent rmdir write };
+
+# cgroupfs directories can be created, but not files within them.
+neverallow domain cgroup:file create;
+neverallow domain cgroup_v2:file create;
+
+dontaudit domain proc_type:dir write;
+dontaudit domain sysfs_type:dir write;
+dontaudit domain cgroup:file create;
+dontaudit domain cgroup_v2:file create;
+
+# These are only needed in permissive mode - in enforcing mode the
+# directory write check fails and so these are never attempted.
+userdebug_or_eng(`
+  dontaudit domain proc_type:dir add_name;
+  dontaudit domain sysfs_type:dir add_name;
+  dontaudit domain proc_type:file create;
+  dontaudit domain sysfs_type:file create;
+')
+
+# Platform must not have access to /mnt/vendor.
+neverallow {
+  coredomain
+  -init
+  -ueventd
+  -vold
+  -system_writes_mnt_vendor_violators
+} mnt_vendor_file:dir *;
+
+# Only apps are allowed access to vendor public libraries.
+full_treble_only(`
+  neverallow {
+    coredomain
+    -appdomain
+  } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans };
+')
+
+# Vendor domian must not have access to /mnt/product.
+neverallow {
+  domain
+  -coredomain
+} mnt_product_file:dir *;
+
+# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL
+full_treble_only(`
+  neverallow {
+    coredomain
+    -shell
+    # For access to block device information under /sys/class/block.
+    -apexd
+    # Read sysfs block device information.
+    -init
+    # Generate uevents for health info
+    -ueventd
+    # Recovery uses health HAL passthrough implementation.
+    -recovery
+    # Charger uses health HAL passthrough implementation.
+    -charger
+    # TODO(b/110891300): remove this exception
+    -incidentd
+  } sysfs_batteryinfo:file { open read };
+')
+
+neverallow {
+  domain
+  -hal_codec2_server
+  -hal_omx_server
+} hal_codec2_hwservice:hwservice_manager add;
+
+# Only apps targetting < Q are allowed to open /dev/ashmem directly.
+# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
+neverallow {
+  domain
+  -ephemeral_app # We don't distinguish ephemeral apps based on target API.
+  -untrusted_app_25
+  -untrusted_app_27
+} ashmem_device:chr_file open;
+
+neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
+
 # No domains other than a select few can access the misc_block_device. This
 # block device is reserved for OTA use.
 # Do not assert this rule on userdebug/eng builds, due to some devices using
diff --git a/private/drmserver.te b/private/drmserver.te
index 8449c3e..dfbf3b8 100644
--- a/private/drmserver.te
+++ b/private/drmserver.te
@@ -7,3 +7,63 @@
 typeattribute drmserver_socket coredomain_socket;
 
 get_prop(drmserver, drm_service_config_prop)
+
+typeattribute drmserver mlstrustedsubject;
+
+net_domain(drmserver)
+
+# Perform Binder IPC to system server.
+binder_use(drmserver)
+binder_call(drmserver, system_server)
+binder_call(drmserver, appdomain)
+binder_call(drmserver, mediametrics)
+binder_service(drmserver)
+# Inherit or receive open files from system_server.
+allow drmserver system_server:fd use;
+
+# Perform Binder IPC to mediaserver
+binder_call(drmserver, mediaserver)
+
+allow drmserver { sdcard_type fuse }:dir search;
+allow drmserver drm_data_file:dir create_dir_perms;
+allow drmserver drm_data_file:file create_file_perms;
+allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
+allow drmserver { sdcard_type fuse }:file { read write getattr map };
+r_dir_file(drmserver, efs_file)
+
+# /data/app/tlcd_sock socket file.
+# Clearly, /data/app is the most logical place to create a socket.  Not.
+allow drmserver apk_data_file:dir rw_dir_perms;
+auditallow drmserver apk_data_file:dir { add_name write };
+allow drmserver drmserver_socket:sock_file create_file_perms;
+auditallow drmserver drmserver_socket:sock_file create;
+# Delete old socket file if present.
+allow drmserver apk_data_file:sock_file unlink;
+
+# After taking a video, drmserver looks at the video file.
+r_dir_file(drmserver, media_rw_data_file)
+
+# Read resources from open apk files passed over Binder.
+allow drmserver apk_data_file:file { read getattr map };
+allow drmserver asec_apk_file:file { read getattr map };
+allow drmserver ringtone_file:file { read getattr map };
+
+# Read /data/data/com.android.providers.telephony files passed over Binder.
+allow drmserver radio_data_file:file { read getattr map };
+
+# /oem access
+allow drmserver oemfs:dir search;
+allow drmserver oemfs:file r_file_perms;
+
+# overlay package access
+allow drmserver vendor_overlay_file:file { read map };
+
+add_service(drmserver, drmserver_service)
+allow drmserver permission_service:service_manager find;
+allow drmserver mediametrics_service:service_manager find;
+
+selinux_check_access(drmserver)
+
+r_dir_file(drmserver, cgroup)
+r_dir_file(drmserver, cgroup_v2)
+r_dir_file(drmserver, system_file)
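Review bot: The rule `allow drmserver apk_data_file:dir rw_dir_perms;` gives drmserver write/add_name/remove_name on the /data/app directory label, which is far more than one socket file needs, and the comment above it ("Clearly, /data/app is the most logical place to create a socket. Not.") records the oddity without stating the mitigation. The adjacent `auditallow drmserver apk_data_file:dir { add_name write };` and `auditallow drmserver drmserver_socket:sock_file create;` look like they exist to measure whether the socket is still created there so the directory write can be removed; that intent belongs in the comment. I would replace the two comment lines with `# Legacy: drmserver creates /data/app/tlcd_sock inside the apk_data_file dir, so it needs add_name/remove_name there. The auditallow rules below track remaining use so the socket can move under drm_data_file and the dir write be dropped.` The `{ app_data_file privapp_data_file }:file { read write getattr map }` rule also deserves a why-comment, since no `dir search` on those types is granted here and the access presumably only reaches descriptors passed over Binder — confirm that before documenting it.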
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 27b6904..bccbafd 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -154,3 +154,407 @@
 
 # Allow dumpstate to execute derive_sdk in its own domain
 domain_auto_trans(dumpstate, derive_sdk_exec, derive_sdk)
+
+net_domain(dumpstate)
+binder_use(dumpstate)
+wakelock_use(dumpstate)
+
+# Allow setting process priority, protect from OOM killer, and dropping
+# privileges by switching UID / GID
+allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };
+
+# Allow dumpstate to scan through /proc/pid for all processes
+r_dir_file(dumpstate, domain)
+
+allow dumpstate self:global_capability_class_set {
+    # Send signals to processes
+    kill
+    # Run iptables
+    net_raw
+    net_admin
+};
+
+# Allow executing files on system, such as:
+#   /system/bin/toolbox
+#   /system/bin/logcat
+#   /system/bin/dumpsys
+allow dumpstate system_file:file execute_no_trans;
+not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
+allow dumpstate toolbox_exec:file rx_file_perms;
+
+# hidl searches for files in /system/lib(64)/hw/
+allow dumpstate system_file:dir r_dir_perms;
+
+# Create and write into /data/anr/
+allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
+allow dumpstate anr_data_file:dir rw_dir_perms;
+allow dumpstate anr_data_file:file create_file_perms;
+
+# Allow reading /data/system/uiderrors.txt
+# TODO: scope this down.
+allow dumpstate system_data_file:file r_file_perms;
+
+# Allow dumpstate to append into apps' private files.
+allow dumpstate { privapp_data_file app_data_file }:file append;
+
+# Read dmesg
+allow dumpstate self:global_capability2_class_set syslog;
+allow dumpstate kernel:system syslog_read;
+
+# Read /sys/fs/pstore/console-ramoops
+allow dumpstate pstorefs:dir r_dir_perms;
+allow dumpstate pstorefs:file r_file_perms;
+
+# Get process attributes
+allow dumpstate domain:process getattr;
+
+# Signal java processes to dump their stack
+allow dumpstate { appdomain system_server zygote app_zygote }:process signal;
+
+# Signal native processes to dump their stack.
+allow dumpstate {
+  # This list comes from native_processes_to_dump in dumputils/dump_utils.c
+  audioserver
+  cameraserver
+  drmserver
+  inputflinger
+  mediadrmserver
+  mediaextractor
+  mediametrics
+  mediaserver
+  mediaswcodec
+  sdcardd
+  surfaceflinger
+  vold
+
+  # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
+  evsmanagerd
+  hal_audio_server
+  hal_audiocontrol_server
+  hal_bluetooth_server
+  hal_broadcastradio_server
+  hal_camera_server
+  hal_codec2_server
+  hal_drm_server
+  hal_evs_server
+  hal_face_server
+  hal_fingerprint_server
+  hal_graphics_allocator_server
+  hal_graphics_composer_server
+  hal_health_server
+  hal_input_processor_server
+  hal_neuralnetworks_server
+  hal_omx_server
+  hal_power_server
+  hal_power_stats_server
+  hal_sensors_server
+  hal_thermal_server
+  hal_vehicle_server
+  hal_vr_server
+  system_suspend_server
+}:process signal;
+
+# Connect to tombstoned to intercept dumps.
+unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
+
+# Access to /sys
+allow dumpstate sysfs_type:dir r_dir_perms;
+
+allow dumpstate {
+  sysfs_devices_block
+  sysfs_dm
+  sysfs_loop
+  sysfs_usb
+  sysfs_zram
+}:file r_file_perms;
+
+# Ignore other file access under /sys.
+dontaudit dumpstate sysfs:file r_file_perms;
+
+# Other random bits of data we want to collect
+no_debugfs_restriction(`
+  allow dumpstate debugfs:file r_file_perms;
+  auditallow dumpstate debugfs:file r_file_perms;
+
+  allow dumpstate debugfs_mmc:file r_file_perms;
+')
+
+# df for
+allow dumpstate {
+  block_device
+  cache_file
+  metadata_file
+  rootfs
+  selinuxfs
+  storage_file
+  tmpfs
+}:dir { search getattr };
+allow dumpstate fuse_device:chr_file getattr;
+allow dumpstate { dm_device cache_block_device }:blk_file getattr;
+allow dumpstate { cache_file rootfs }:lnk_file { getattr read };
+
+# Read /dev/cpuctl and /dev/cpuset
+r_dir_file(dumpstate, cgroup)
+r_dir_file(dumpstate, cgroup_v2)
+
+# Allow dumpstate to make binder calls to any binder service
+binder_call(dumpstate, binderservicedomain)
+binder_call(dumpstate, { appdomain artd netd wificond })
+
+# Allow dumpstate to call dump() on specific hals.
+dump_hal(hal_audio)
+dump_hal(hal_audiocontrol)
+dump_hal(hal_authgraph)
+dump_hal(hal_authsecret)
+dump_hal(hal_bluetooth)
+dump_hal(hal_broadcastradio)
+dump_hal(hal_camera)
+dump_hal(hal_codec2)
+dump_hal(hal_contexthub)
+dump_hal(hal_drm)
+dump_hal(hal_dumpstate)
+dump_hal(hal_evs)
+dump_hal(hal_face)
+dump_hal(hal_fingerprint)
+dump_hal(hal_gnss)
+dump_hal(hal_graphics_allocator)
+dump_hal(hal_graphics_composer)
+dump_hal(hal_health)
+dump_hal(hal_identity)
+dump_hal(hal_input_processor)
+dump_hal(hal_keymint)
+dump_hal(hal_light)
+dump_hal(hal_memtrack)
+dump_hal(hal_neuralnetworks)
+dump_hal(hal_nfc)
+dump_hal(hal_oemlock)
+dump_hal(hal_power)
+dump_hal(hal_power_stats)
+dump_hal(hal_rebootescrow)
+dump_hal(hal_secretkeeper)
+dump_hal(hal_sensors)
+dump_hal(hal_thermal)
+dump_hal(hal_vehicle)
+dump_hal(hal_weaver)
+dump_hal(hal_wifi)
+
+# Vibrate the device after we are done collecting the bugreport
+hal_client_domain(dumpstate, hal_vibrator)
+
+# Reading /proc/PID/maps of other processes
+allow dumpstate self:global_capability_class_set sys_ptrace;
+
+# Allow the bugreport service to create a file in
+# /data/data/com.android.shell/files/bugreports/bugreport
+allow dumpstate shell_data_file:dir create_dir_perms;
+allow dumpstate shell_data_file:file create_file_perms;
+
+# Run a shell.
+allow dumpstate shell_exec:file rx_file_perms;
+
+# For running am and similar framework commands.
+# Run /system/bin/app_process.
+allow dumpstate zygote_exec:file rx_file_perms;
+
+# For Bluetooth
+allow dumpstate bluetooth_data_file:dir search;
+allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
+allow dumpstate bluetooth_logs_data_file:file r_file_perms;
+
+# For Nfc
+allow dumpstate nfc_logs_data_file:dir r_dir_perms;
+allow dumpstate nfc_logs_data_file:file r_file_perms;
+
+# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
+allow dumpstate gpu_device:chr_file rw_file_perms;
+allow dumpstate gpu_device:dir r_dir_perms;
+
+# logd access
+read_logd(dumpstate)
+control_logd(dumpstate)
+read_runtime_log_tags(dumpstate)
+
+# Read files in /proc
+allow dumpstate {
+  proc_bootconfig
+  proc_buddyinfo
+  proc_cmdline
+  proc_meminfo
+  proc_modules
+  proc_net_type
+  proc_pipe_conf
+  proc_pagetypeinfo
+  proc_qtaguid_ctrl
+  proc_qtaguid_stat
+  proc_slabinfo
+  proc_version
+  proc_vmallocinfo
+  proc_vmstat
+}:file r_file_perms;
+
+# Read network state info files.
+allow dumpstate net_data_file:dir search;
+allow dumpstate net_data_file:file r_file_perms;
+
+# List sockets via ss.
+allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
+
+# Access /data/tombstones.
+allow dumpstate tombstone_data_file:dir r_dir_perms;
+allow dumpstate tombstone_data_file:file r_file_perms;
+
+# Access /cache/recovery
+allow dumpstate cache_recovery_file:dir r_dir_perms;
+allow dumpstate cache_recovery_file:file r_file_perms;
+
+# Access /data/misc/recovery
+allow dumpstate recovery_data_file:dir r_dir_perms;
+allow dumpstate recovery_data_file:file r_file_perms;
+
+# Access /data/misc/update_engine & /data/misc/update_engine_log
+allow dumpstate { update_engine_data_file update_engine_log_data_file }:dir r_dir_perms;
+allow dumpstate { update_engine_data_file update_engine_log_data_file }:file r_file_perms;
+# Access /data/misc/snapuserd_log
+allow dumpstate snapuserd_log_data_file:dir r_dir_perms;
+allow dumpstate snapuserd_log_data_file:file r_file_perms;
+
+# Access /data/misc/profiles/{cur,ref}/
+userdebug_or_eng(`
+  allow dumpstate { user_profile_root_file user_profile_data_file}:dir r_dir_perms;
+  allow dumpstate user_profile_data_file:file r_file_perms;
+')
+
+# Access /data/misc/logd
+allow dumpstate misc_logd_file:dir r_dir_perms;
+allow dumpstate misc_logd_file:file r_file_perms;
+
+# Access /data/misc/prereboot
+allow dumpstate prereboot_data_file:dir r_dir_perms;
+allow dumpstate prereboot_data_file:file r_file_perms;
+
+allow dumpstate app_fuse_file:dir r_dir_perms;
+allow dumpstate overlayfs_file:dir r_dir_perms;
+
+allow dumpstate {
+  service_manager_type
+  -apex_service
+  -dumpstate_service
+  -gatekeeper_service
+  -hal_service_type
+  -virtual_touchpad_service
+  -vold_service
+  -default_android_service
+}:service_manager find;
+# suppress denials for services dumpstate should not be accessing.
+dontaudit dumpstate {
+  apex_service
+  dumpstate_service
+  gatekeeper_service
+  hal_service_type
+  virtual_touchpad_service
+  vold_service
+}:service_manager find;
+
+# Most of these are neverallowed.
+dontaudit dumpstate hwservice_manager_type:hwservice_manager find;
+
+allow dumpstate servicemanager:service_manager list;
+allow dumpstate hwservicemanager:hwservice_manager list;
+
+allow dumpstate devpts:chr_file rw_file_perms;
+
+# Read any system properties
+get_prop(dumpstate, property_type)
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow dumpstate media_rw_data_file:dir getattr;
+allow dumpstate proc_interrupts:file r_file_perms;
+allow dumpstate proc_zoneinfo:file r_file_perms;
+
+# Create a service for talking back to system_server
+add_service(dumpstate, dumpstate_service)
+
+# use /dev/ion for screen capture
+allow dumpstate ion_device:chr_file r_file_perms;
+
+# Allow dumpstate to run top
+allow dumpstate proc_stat:file r_file_perms;
+
+allow dumpstate proc_pressure_cpu:file r_file_perms;
+allow dumpstate proc_pressure_mem:file r_file_perms;
+allow dumpstate proc_pressure_io:file r_file_perms;
+
+# Allow dumpstate to run ps
+allow dumpstate proc_pid_max:file r_file_perms;
+
+# Allow dumpstate to talk to installd over binder
+binder_call(dumpstate, installd);
+
+# Allow dumpstate to run ip xfrm policy
+allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
+
+# Allow dumpstate to run iotop
+allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4) have a new class for sockets
+allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+# Allow dumpstate to run ss
+allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;
+
+# Allow dumpstate to read linkerconfig directory
+allow dumpstate linkerconfig_file:dir { read open };
+
+# For when dumpstate runs df
+dontaudit dumpstate {
+  mnt_vendor_file
+  mirror_data_file
+  mnt_user_file
+  mnt_product_file
+}:dir search;
+dontaudit dumpstate {
+  apex_mnt_dir
+  linkerconfig_file
+  mirror_data_file
+  mnt_user_file
+}:dir getattr;
+
+# Allow dumpstate to talk to bufferhubd over binder
+binder_call(dumpstate, bufferhubd);
+
+# Allow dumpstate to talk to mediaswcodec over binder
+binder_call(dumpstate, mediaswcodec);
+
+#Access /data/misc/snapshotctl_log
+allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
+allow dumpstate snapshotctl_log_data_file:file r_file_perms;
+
+#Allow access to /dev/binderfs/binder_logs
+allow dumpstate binderfs_logs:dir r_dir_perms;
+allow dumpstate binderfs_logs:file r_file_perms;
+allow dumpstate binderfs_logs_proc:file r_file_perms;
+allow dumpstate binderfs_logs_stats:file r_file_perms;
+
+use_apex_info(dumpstate)
+
+# Allow reading files under /data/system/shutdown-checkpoints/
+allow dumpstate shutdown_checkpoints_system_data_file:dir r_dir_perms;
+allow dumpstate shutdown_checkpoints_system_data_file:file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# dumpstate has capability sys_ptrace, but should only use that capability for
+# accessing sensitive /proc/PID files, never for using ptrace attach.
+neverallow dumpstate *:process ptrace;
+
+# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
+neverallow {
+  domain
+  -system_server
+  -shell
+  -traceur_app
+  -dumpstate
+} dumpstate_service:service_manager find;
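Review bot: The capability grant `allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };` is documented only as "Create and write into /data/anr/", but dac_override and dac_read_search are not scoped to a path — they bypass DAC on every file type this hunk grants (system_data_file reads, the app/privapp `append`, shell_data_file creation), so the comment understates what is being handed out. I would split the comment per capability, e.g. `# dac_override/dac_read_search: traverse and write app-owned dirs such as /data/anr` and `# chown/fowner/fsetid: presumably to hand generated files to their consumers (e.g. the shell bugreport dir) — confirm each is still exercised`, so a later reviewer can tell which ones can be dropped. Note that the `neverallow dumpstate *:process ptrace;` at the bottom is what keeps the separately granted `sys_ptrace` limited to /proc/PID reads; it would help to reference that from the `sys_ptrace` comment. As a style nit, `binder_call(dumpstate, installd);`, `binder_call(dumpstate, bufferhubd);` and `binder_call(dumpstate, mediaswcodec);` carry a trailing `;` that the other macro invocations in this file do not.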
diff --git a/private/e2fs.te b/private/e2fs.te
new file mode 100644
index 0000000..3316ce2
--- /dev/null
+++ b/private/e2fs.te
@@ -0,0 +1,30 @@
+allow e2fs devpts:chr_file { read write getattr ioctl };
+
+allow e2fs dev_type:blk_file getattr;
+allow e2fs block_device:dir search;
+allow e2fs userdata_block_device:blk_file rw_file_perms;
+allow e2fs metadata_block_device:blk_file rw_file_perms;
+allow e2fs dm_device:blk_file rw_file_perms;
+allow e2fs zoned_block_device:blk_file rw_file_perms;
+# Vold needs to capture mkfs.ext4's output
+allow e2fs vold:fd use;
+# Need to be able to format a partition
+allow e2fs sysfs_dm:dir r_dir_perms;
+allow e2fs sysfs_dm:file r_file_perms;
+
+allowxperm e2fs { userdata_block_device metadata_block_device dm_device zoned_block_device }:blk_file ioctl {
+  BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET BLKREPORTZONE BLKRESETZONE
+};
+
+allow e2fs {
+  proc_filesystems
+  proc_mounts
+  proc_swaps
+}:file r_file_perms;
+
+# access /sys/fs/ext4/features
+allow e2fs sysfs_fs_ext4_features:dir search;
+allow e2fs sysfs_fs_ext4_features:file r_file_perms;
+
+# access SELinux context files
+allow e2fs file_contexts_file:file r_file_perms;
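Review bot: The grant `allow e2fs dev_type:blk_file getattr;` near the top of this new file has no comment, while the equivalent grant in fsck.te within the same change is documented as the stat() pass over all block devices that compares major/minor numbers against /proc/mounts before touching a filesystem. If that is the reason here too, a one-line comment such as `# stat() every block device so the mounted-filesystem check can compare major/minor numbers` would make the breadth of the grant reviewable. The comment `# Need to be able to format a partition` sits directly above the sysfs_dm rules rather than the block-device rules it appears to describe; consider moving it up to the `*_block_device:blk_file rw_file_perms` lines and giving the sysfs_dm pair its own comment.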
diff --git a/private/extra_free_kbytes.te b/private/extra_free_kbytes.te
index d210884..f24340d 100644
--- a/private/extra_free_kbytes.te
+++ b/private/extra_free_kbytes.te
@@ -4,3 +4,13 @@
 
 # Only extra_free_kbytes script is allowed to store these properties
 set_prop(extra_free_kbytes, init_storage_prop)
+
+# required permissions to run the script from init
+allow extra_free_kbytes shell_exec:file rx_file_perms;
+allow extra_free_kbytes system_file:file x_file_perms;
+allow extra_free_kbytes toolbox_exec:file rx_file_perms;
+
+# files used by the script
+allow extra_free_kbytes proc_extra_free_kbytes:file rw_file_perms;
+allow extra_free_kbytes proc_watermark_scale_factor:file rw_file_perms;
+allow extra_free_kbytes proc_zoneinfo:file r_file_perms;
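Review bot: `allow extra_free_kbytes system_file:file x_file_perms;` is the broadest of the three new execute grants — it permits executing any binary labeled system_file — and the comment `# required permissions to run the script from init` does not say which binary needs it beyond shell_exec and toolbox_exec, which are already granted on the lines around it. If a specific binary is the reason, name it in the comment (e.g. `# <binary> used by the script is labeled system_file`) so the grant can be narrowed later if a dedicated exec type becomes available; if no such binary exists, the line may be droppable.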
diff --git a/private/fastbootd.te b/private/fastbootd.te
index a189d23..66dd2b1 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -49,9 +49,129 @@
   # Let this domain use the hal fastboot service
   binder_use(fastbootd)
   hal_client_domain(fastbootd, hal_fastboot)
+
+  # fastbootd can only use HALs in passthrough mode
+  passthrough_hal_client_domain(fastbootd, hal_bootctl)
+
+  # fastbootd can use AIDL HALs in binder mode
+  binder_use(fastbootd)
+  hal_client_domain(fastbootd, hal_health)
+  hal_client_domain(fastbootd, hal_fastboot)
+
+  # Access /dev/usb-ffs/fastbootd/ep0
+  allow fastbootd functionfs:dir search;
+  allow fastbootd functionfs:file rw_file_perms;
+
+  allowxperm fastbootd functionfs:file ioctl { FUNCTIONFS_ENDPOINT_DESC };
+  # Log to serial
+  allow fastbootd kmsg_device:chr_file { open getattr write };
+
+  # battery info
+  allow fastbootd sysfs_batteryinfo:file r_file_perms;
+
+  allow fastbootd device:dir r_dir_perms;
+
+  # For dev/block/by-name dir
+  allow fastbootd block_device:dir r_dir_perms;
+
+  # Needed for DM_DEV_CREATE ioctl call
+  allow fastbootd self:capability sys_admin;
+
+  unix_socket_connect(fastbootd, recovery, recovery)
+
+  # Required for flashing
+  allow fastbootd dm_device:chr_file rw_file_perms;
+  allow fastbootd dm_device:blk_file rw_file_perms;
+
+  allow fastbootd cache_block_device:blk_file rw_file_perms;
+  allow fastbootd super_block_device_type:blk_file rw_file_perms;
+  allow fastbootd {
+    boot_block_device
+    metadata_block_device
+    system_block_device
+    userdata_block_device
+  }:blk_file { w_file_perms getattr ioctl };
+
+  # For disabling/wiping GSI, and for modifying/deleting files created via
+  # libfiemap.
+  allow fastbootd metadata_block_device:blk_file r_file_perms;
+  allow fastbootd {rootfs tmpfs}:dir mounton;
+  allow fastbootd metadata_file:dir { search getattr mounton };
+  allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
+  allow fastbootd gsi_metadata_file_type:file create_file_perms;
+
+  allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+  allowxperm fastbootd {
+    metadata_block_device
+    userdata_block_device
+    dm_device
+    cache_block_device
+  }:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
+
+  allow fastbootd misc_block_device:blk_file rw_file_perms;
+
+  allow fastbootd proc_cmdline:file r_file_perms;
+  allow fastbootd rootfs:dir r_dir_perms;
+
+  # Needed to read fstab node from device tree.
+  allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
+  allow fastbootd sysfs_dt_firmware_android:dir r_dir_perms;
+
+  # Needed because libdm reads sysfs to validate when a dm path is ready.
+  r_dir_file(fastbootd, sysfs_dm)
+
+  # Needed for realpath() call to resolve symlinks.
+  allow fastbootd block_device:dir getattr;
+  userdebug_or_eng(`
+    # Refined manipulation of /mnt/scratch, without these perms resorts
+    # to deleting scratch partition when partition(s) are flashed.
+    allow fastbootd self:process setfscreate;
+    allow fastbootd cache_file:dir search;
+    allow fastbootd proc_filesystems:file { getattr open read };
+    allow fastbootd self:capability sys_rawio;
+    allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
+    allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
+    allow fastbootd {
+      system_file_type
+      unlabeled
+      vendor_file_type
+    }:dir { remove_name rmdir search write };
+    allow fastbootd {
+      overlayfs_file
+      system_file_type
+      unlabeled
+      vendor_file_type
+    }:{ file lnk_file } unlink;
+    allow fastbootd tmpfs:dir rw_dir_perms;
+    # Fetch vendor_boot partition
+    allow fastbootd boot_block_device:blk_file r_file_perms;
+
+    # popen(/system/bin/dmesg) and associated permissions. We only allow this
+    # on unlocked devices running userdebug builds.
+    allow fastbootd rootfs:file execute_no_trans;
+    allow fastbootd system_file:file execute_no_trans;
+    allow fastbootd kmsg_device:chr_file read;
+    allow fastbootd kernel:system syslog_read;
+  ')
+
+  # Allow using libfiemap/gsid directly (no binder in recovery).
+  allow fastbootd gsi_metadata_file_type:dir search;
+  allow fastbootd ota_metadata_file:dir rw_dir_perms;
+  allow fastbootd ota_metadata_file:file create_file_perms;
 ')
 
 # This capability allows fastbootd to circumvent memlock rlimits while using
 # io_uring. An Alternative would be to up the memlock rlimit for the fastbootd service.
 allow fastbootd self:capability ipc_lock;
 io_uring_use(fastbootd)
+
+###
+### neverallow rules
+###
+
+# Write permission is required to wipe userdata
+# until recovery supports vold.
+neverallow fastbootd {
+   data_file_type
+}:file { no_x_file_perms };
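Review bot: The added `binder_use(fastbootd)` and `hal_client_domain(fastbootd, hal_fastboot)` under `# fastbootd can use AIDL HALs in binder mode` repeat the two context lines immediately above them, so the recovery block now declares both twice; dropping the two duplicates and keeping only `hal_client_domain(fastbootd, hal_health)` leaves the resulting policy unchanged. The enclosing `recovery_only(` block opens before this hunk and is closed by the `')` context line. Separately, the new neverallow at the end uses three-space indentation and braces around a single macro (`{ no_x_file_perms }`), which differs from the two-space, brace-free style used elsewhere in the hunk.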
diff --git a/private/file.te b/private/file.te
index b5b22a2..5295f69 100644
--- a/private/file.te
+++ b/private/file.te
@@ -165,3 +165,27 @@
 # Type for /mnt/artd_tmp in the Pre-reboot Dexopt chroot
 # This type is set on the directory through the `rootcontext=` mount option.
 type pre_reboot_dexopt_artd_file, file_type;
+
+# Allow files to be created in their appropriate filesystems.
+allow fs_type self:filesystem associate;
+allow cgroup tmpfs:filesystem associate;
+allow cgroup_v2 tmpfs:filesystem associate;
+allow cgroup_rc_file tmpfs:filesystem associate;
+allow sysfs_type sysfs:filesystem associate;
+allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
+allow file_type labeledfs:filesystem associate;
+allow file_type tmpfs:filesystem associate;
+allow file_type rootfs:filesystem associate;
+allow dev_type tmpfs:filesystem associate;
+allow app_fuse_file app_fusefs:filesystem associate;
+allow postinstall_file self:filesystem associate;
+allow proc_net proc:filesystem associate;
+
+# It's a bug to assign the file_type attribute and fs_type attribute
+# to any type. Do not allow it.
+#
+# For example, the following is a bug:
+#   type apk_data_file, file_type, data_file_type, fs_type;
+# Should be:
+#   type apk_data_file, file_type, data_file_type;
+neverallow fs_type file_type:filesystem associate;
diff --git a/private/fingerprintd.te b/private/fingerprintd.te
index eb73ef8..949f9ea 100644
--- a/private/fingerprintd.te
+++ b/private/fingerprintd.te
@@ -1,3 +1,27 @@
 typeattribute fingerprintd coredomain;
 
 init_daemon_domain(fingerprintd)
+
+binder_use(fingerprintd)
+
+# Scan through /system/lib64/hw looking for installed HALs
+allow fingerprintd system_file:dir r_dir_perms;
+
+# need to find KeyStore and add self
+add_service(fingerprintd, fingerprintd_service)
+
+# allow HAL module to read dir contents
+allow fingerprintd fingerprintd_data_file:file { create_file_perms };
+
+# allow HAL module to read/write/unlink contents of this dir
+allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
+
+# Need to add auth tokens to KeyStore
+use_keystore(fingerprintd)
+allow fingerprintd keystore:keystore2 { add_auth };
+
+# For permissions checking
+binder_call(fingerprintd, system_server);
+allow fingerprintd permission_service:service_manager find;
+
+allow fingerprintd ion_device:chr_file r_file_perms;
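Review bot: The comment `# allow HAL module to read dir contents` sits above `allow fingerprintd fingerprintd_data_file:file { create_file_perms };`, which grants create/write access to files rather than directory reads, and the next comment about read/write/unlink of "this dir" sits above the `dir rw_dir_perms` rule, which is the one that actually covers directory contents; the two comments appear swapped or stale. Suggest `# allow HAL module to create, read, write and remove files in its data dir` over the file rule and `# allow HAL module to list and modify its data dir` over the dir rule, and drop the unnecessary braces around the single macro. `allow fingerprintd ion_device:chr_file r_file_perms;` is the only uncommented grant in the hunk; a short note on what needs ion would help.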
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index b7f5808..c6785dd 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -36,6 +36,18 @@
 set_prop(flags_health_check, device_config_tethering_u_or_later_native_prop)
 set_prop(flags_health_check, next_boot_prop)
 
+allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
+allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
+
+###
+### Neverallow rules
+###
+
+# server_configurable_flags_data_file is used for storing whether server configurable flags which
+# have been reset during current booting. Mistakenly modified by unrelated components can
+# cause bad server configurable flags synced back to device.
+neverallow { domain -init -flags_health_check } server_configurable_flags_data_file:file no_w_file_perms;
+
 # system property device_config_boot_count_prop is used for deciding when to perform server
 # configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
 # wrong timing, trigger server configurable flag related disaster recovery, which will override
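Review bot: The new neverallow covers only `server_configurable_flags_data_file:file no_w_file_perms`, while the matching allow also grants `dir rw_dir_perms`; creating, renaming or unlinking a file in that directory is a directory write, so the invariant described in the comment is only partly enforced. Consider adding `neverallow { domain -init -flags_health_check } server_configurable_flags_data_file:dir no_w_dir_perms;` alongside it. The comment sentence "storing whether server configurable flags which have been reset during current booting" reads as garbled; something like "records whether server configurable flags have been reset during the current boot" would be clearer.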
diff --git a/private/fsck.te b/private/fsck.te
index f8e09b6..5eeb39f 100644
--- a/private/fsck.te
+++ b/private/fsck.te
@@ -3,3 +3,77 @@
 init_daemon_domain(fsck)
 
 allow fsck metadata_block_device:blk_file rw_file_perms;
+
+# /dev/__null__ created by init prior to policy load,
+# open fd inherited by fsck.
+allow fsck tmpfs:chr_file { read write ioctl };
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow fsck devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow fsck vold:fd use;
+allow fsck vold:fifo_file { read write getattr };
+
+# Run fsck on certain block devices
+allow fsck userdata_block_device:blk_file rw_file_perms;
+allow fsck cache_block_device:blk_file rw_file_perms;
+allow fsck dm_device:blk_file rw_file_perms;
+allow fsck zoned_block_device:blk_file rw_file_perms;
+userdebug_or_eng(`
+allow fsck system_block_device:blk_file rw_file_perms;
+')
+
+# e2fsck performs a comprehensive search of /proc/mounts to check whether the
+# checked filesystem is currently mounted.
+allow fsck metadata_file:dir getattr;
+allow fsck block_device:dir search;
+allow fsck mirror_data_file:dir search;
+
+# For the block devices where we have ioctl access,
+# allow at a minimum the following common fsck ioctls.
+allowxperm fsck dev_type:blk_file ioctl {
+  BLKDISCARDZEROES
+  BLKROGET
+  BLKREPORTZONE
+};
+
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck dev_type:blk_file getattr;
+
+allow fsck {
+  proc_mounts
+  proc_swaps
+  sysfs_dm
+}:file r_file_perms;
+allow fsck rootfs:dir r_dir_perms;
+allow fsck sysfs_dm:dir r_dir_perms;
+
+###
+### neverallow rules
+###
+
+# fsck should never be run on these block devices
+neverallow fsck {
+  boot_block_device
+  frp_block_device
+  recovery_block_device
+  root_block_device
+  swap_block_device
+  system_block_device
+  userdebug_or_eng(`-system_block_device')
+  vold_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from init or vold via fsck binaries
+neverallow { domain -init -vold } fsck:process transition;
+neverallow * fsck:process dyntransition;
+neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/private/fsck_untrusted.te b/private/fsck_untrusted.te
index 9a57bf0..682831f 100644
--- a/private/fsck_untrusted.te
+++ b/private/fsck_untrusted.te
@@ -1 +1,66 @@
 typeattribute fsck_untrusted coredomain;
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow fsck_untrusted vold:fd use;
+allow fsck_untrusted vold:fifo_file { read write getattr };
+
+# Run fsck on vold block devices
+allow fsck_untrusted block_device:dir search;
+allow fsck_untrusted vold_device:blk_file rw_file_perms;
+
+allow fsck_untrusted proc_mounts:file r_file_perms;
+
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck_untrusted dev_type:blk_file getattr;
+
+###
+### neverallow rules
+###
+
+# Untrusted fsck should never be run on block devices holding sensitive data
+neverallow fsck_untrusted {
+  boot_block_device
+  frp_block_device
+  metadata_block_device
+  recovery_block_device
+  root_block_device
+  swap_block_device
+  system_block_device
+  userdata_block_device
+  cache_block_device
+  dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via fsck binaries
+neverallow { domain -vold } fsck_untrusted:process transition;
+neverallow * fsck_untrusted:process dyntransition;
+neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
+
+# fsck_untrusted should never have sys_admin permissions. If it requires sys_admin
+# permissions, that is a code mistake that needs to be fixed, not a permission that
+# should be granted. Same with setgid and setuid.
+neverallow fsck_untrusted self:global_capability_class_set { setgid setuid sys_admin };
+
+###
+### dontaudit rules
+###
+
+# Ignores attempts to access sysfs. fsck binaries seem to like trying to go
+# here, but nothing bad happens if they can't, and they shouldn't be allowed.
+dontaudit fsck_untrusted sysfs:file rw_file_perms;
+dontaudit fsck_untrusted sysfs_dm:file rw_file_perms;
+dontaudit fsck_untrusted sysfs_dm:dir rw_dir_perms;
+
+# Ignore attempts to access tmpfs. fsck don't need to do this.
+dontaudit fsck_untrusted tmpfs:lnk_file read;
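Review bot: The neverallow list of sensitive block devices for fsck_untrusted omits `zoned_block_device`, which fsck.te and e2fs.te elsewhere in this change treat as a first-class internal device alongside userdata_block_device and metadata_block_device. If zoned_block_device can hold the same data as those devices, adding `zoned_block_device` to the `neverallow fsck_untrusted { ... }:blk_file no_rw_file_perms;` set would keep the two fsck domains consistent; if it is intentionally excluded, a comment saying why would prevent the question from coming up again.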
diff --git a/private/gatekeeperd.te b/private/gatekeeperd.te
index 2fb88a3..045294f 100644
--- a/private/gatekeeperd.te
+++ b/private/gatekeeperd.te
@@ -4,3 +4,42 @@
 
 # For checking whether GSI is running
 get_prop(gatekeeperd, gsid_prop)
+
+# gatekeeperd
+binder_service(gatekeeperd)
+binder_use(gatekeeperd)
+
+### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
+### These rules should eventually be granted only when needed.
+allow gatekeeperd ion_device:chr_file r_file_perms;
+# Load HAL implementation
+allow gatekeeperd system_file:dir r_dir_perms;
+###
+
+### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
+### These rules should eventually be granted only when needed.
+hal_client_domain(gatekeeperd, hal_gatekeeper)
+###
+
+# need to find KeyStore and add self
+add_service(gatekeeperd, gatekeeper_service)
+
+# Need to add auth tokens to KeyStore
+use_keystore(gatekeeperd)
+allow gatekeeperd keystore:keystore2 { add_auth };
+allow gatekeeperd authorization_service:service_manager find;
+
+
+# For permissions checking
+allow gatekeeperd system_server:binder call;
+allow gatekeeperd permission_service:service_manager find;
+
+# for SID file access
+allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
+allow gatekeeperd gatekeeper_data_file:file create_file_perms;
+
+# For hardware properties retrieval
+allow gatekeeperd hardware_properties_service:service_manager find;
+
+r_dir_file(gatekeeperd, cgroup)
+r_dir_file(gatekeeperd, cgroup_v2)
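Review bot: `allow gatekeeperd system_server:binder call;` under `# For permissions checking` spells out a raw binder rule where fingerprintd.te in the same change uses `binder_call(fingerprintd, system_server);` for the identical purpose; using `binder_call(gatekeeperd, system_server)` here would keep the two files consistent and pick up whatever the macro grants beyond `call`. The double blank line before that comment is a minor style nit.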
diff --git a/public/hal_allocator.te b/private/hal_allocator.te
similarity index 100%
rename from public/hal_allocator.te
rename to private/hal_allocator.te
diff --git a/public/hal_atrace.te b/private/hal_atrace.te
similarity index 100%
rename from public/hal_atrace.te
rename to private/hal_atrace.te
diff --git a/public/hal_audio.te b/private/hal_audio.te
similarity index 100%
rename from public/hal_audio.te
rename to private/hal_audio.te
diff --git a/public/hal_audiocontrol.te b/private/hal_audiocontrol.te
similarity index 100%
rename from public/hal_audiocontrol.te
rename to private/hal_audiocontrol.te
diff --git a/public/hal_authgraph.te b/private/hal_authgraph.te
similarity index 100%
rename from public/hal_authgraph.te
rename to private/hal_authgraph.te
diff --git a/public/hal_authsecret.te b/private/hal_authsecret.te
similarity index 100%
rename from public/hal_authsecret.te
rename to private/hal_authsecret.te
diff --git a/public/hal_bluetooth.te b/private/hal_bluetooth.te
similarity index 100%
rename from public/hal_bluetooth.te
rename to private/hal_bluetooth.te
diff --git a/public/hal_bootctl.te b/private/hal_bootctl.te
similarity index 100%
rename from public/hal_bootctl.te
rename to private/hal_bootctl.te
diff --git a/public/hal_broadcastradio.te b/private/hal_broadcastradio.te
similarity index 100%
rename from public/hal_broadcastradio.te
rename to private/hal_broadcastradio.te
diff --git a/public/hal_camera.te b/private/hal_camera.te
similarity index 100%
rename from public/hal_camera.te
rename to private/hal_camera.te
diff --git a/public/hal_can.te b/private/hal_can.te
similarity index 100%
rename from public/hal_can.te
rename to private/hal_can.te
diff --git a/public/hal_cas.te b/private/hal_cas.te
similarity index 100%
rename from public/hal_cas.te
rename to private/hal_cas.te
diff --git a/public/hal_codec2.te b/private/hal_codec2.te
similarity index 100%
rename from public/hal_codec2.te
rename to private/hal_codec2.te
diff --git a/public/hal_configstore.te b/private/hal_configstore.te
similarity index 100%
rename from public/hal_configstore.te
rename to private/hal_configstore.te
diff --git a/public/hal_confirmationui.te b/private/hal_confirmationui.te
similarity index 100%
rename from public/hal_confirmationui.te
rename to private/hal_confirmationui.te
diff --git a/public/hal_contexthub.te b/private/hal_contexthub.te
similarity index 100%
rename from public/hal_contexthub.te
rename to private/hal_contexthub.te
diff --git a/public/hal_drm.te b/private/hal_drm.te
similarity index 100%
rename from public/hal_drm.te
rename to private/hal_drm.te
diff --git a/public/hal_dumpstate.te b/private/hal_dumpstate.te
similarity index 100%
rename from public/hal_dumpstate.te
rename to private/hal_dumpstate.te
diff --git a/public/hal_evs.te b/private/hal_evs.te
similarity index 100%
rename from public/hal_evs.te
rename to private/hal_evs.te
diff --git a/public/hal_face.te b/private/hal_face.te
similarity index 100%
rename from public/hal_face.te
rename to private/hal_face.te
diff --git a/public/hal_fastboot.te b/private/hal_fastboot.te
similarity index 100%
rename from public/hal_fastboot.te
rename to private/hal_fastboot.te
diff --git a/public/hal_fingerprint.te b/private/hal_fingerprint.te
similarity index 100%
rename from public/hal_fingerprint.te
rename to private/hal_fingerprint.te
diff --git a/public/hal_gatekeeper.te b/private/hal_gatekeeper.te
similarity index 100%
rename from public/hal_gatekeeper.te
rename to private/hal_gatekeeper.te
diff --git a/public/hal_gnss.te b/private/hal_gnss.te
similarity index 100%
rename from public/hal_gnss.te
rename to private/hal_gnss.te
diff --git a/public/hal_graphics_allocator.te b/private/hal_graphics_allocator.te
similarity index 100%
rename from public/hal_graphics_allocator.te
rename to private/hal_graphics_allocator.te
diff --git a/private/hal_graphics_composer.te b/private/hal_graphics_composer.te
new file mode 100644
index 0000000..3250564
--- /dev/null
+++ b/private/hal_graphics_composer.te
@@ -0,0 +1,38 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
+binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
+allow hal_graphics_composer_client hal_graphics_composer_server_tmpfs:file { getattr map read write };
+allow hal_graphics_composer_server hal_graphics_composer_client_tmpfs:file { getattr map read write };
+
+hal_attribute_hwservice(hal_graphics_composer, hal_graphics_composer_hwservice)
+
+# Coordinate with hal_graphics_mapper
+allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;
+
+# GPU device access
+allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
+allow hal_graphics_composer gpu_device:dir r_dir_perms;
+allow hal_graphics_composer ion_device:chr_file r_file_perms;
+allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_graphics_composer hal_graphics_allocator:fd use;
+
+# Access /dev/graphics/fb0.
+allow hal_graphics_composer graphics_device:dir search;
+allow hal_graphics_composer graphics_device:chr_file rw_file_perms;
+
+# Fences
+allow hal_graphics_composer system_server:fd use;
+allow hal_graphics_composer bootanim:fd use;
+allow hal_graphics_composer appdomain:fd use;
+
+# allow self to set SCHED_FIFO
+allow hal_graphics_composer self:global_capability_class_set sys_nice;
+
+# allow surfaceflinger to use a pipe for dumpsys output
+allow hal_graphics_composer_server hal_graphics_composer_client:fifo_file write;
+
+
+binder_call(hal_graphics_composer_client, servicemanager)
+binder_call(hal_graphics_composer_server, servicemanager)
+
+hal_attribute_service(hal_graphics_composer, hal_graphics_composer_service)
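Review bot: The device grants (`gpu_device`, `graphics_device`, `ion_device`, `dmabuf_system_heap_device`) and the `fd use` rules are written against the `hal_graphics_composer` attribute, which — judging from the binder_call lines at the top — spans both `hal_graphics_composer_client` and `hal_graphics_composer_server`, so every client domain also receives them. If only the server process opens those devices, scoping them to `hal_graphics_composer_server` would follow least privilege; if clients genuinely need them, a comment stating that would make the choice deliberate. The double blank line before the trailing `binder_call(..., servicemanager)` pair is a minor style nit, and that pair would benefit from a one-line comment on why the HAL talks to servicemanager directly.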
diff --git a/public/hal_health.te b/private/hal_health.te
similarity index 100%
rename from public/hal_health.te
rename to private/hal_health.te
diff --git a/public/hal_health_storage.te b/private/hal_health_storage.te
similarity index 100%
rename from public/hal_health_storage.te
rename to private/hal_health_storage.te
diff --git a/public/hal_identity.te b/private/hal_identity.te
similarity index 100%
rename from public/hal_identity.te
rename to private/hal_identity.te
diff --git a/public/hal_input_classifier.te b/private/hal_input_classifier.te
similarity index 100%
rename from public/hal_input_classifier.te
rename to private/hal_input_classifier.te
diff --git a/public/hal_input_processor.te b/private/hal_input_processor.te
similarity index 100%
rename from public/hal_input_processor.te
rename to private/hal_input_processor.te
diff --git a/public/hal_ir.te b/private/hal_ir.te
similarity index 100%
rename from public/hal_ir.te
rename to private/hal_ir.te
diff --git a/public/hal_ivn.te b/private/hal_ivn.te
similarity index 100%
rename from public/hal_ivn.te
rename to private/hal_ivn.te
diff --git a/public/hal_keymaster.te b/private/hal_keymaster.te
similarity index 100%
rename from public/hal_keymaster.te
rename to private/hal_keymaster.te
diff --git a/public/hal_keymint.te b/private/hal_keymint.te
similarity index 100%
rename from public/hal_keymint.te
rename to private/hal_keymint.te
diff --git a/public/hal_light.te b/private/hal_light.te
similarity index 100%
rename from public/hal_light.te
rename to private/hal_light.te
diff --git a/public/hal_lowpan.te b/private/hal_lowpan.te
similarity index 100%
rename from public/hal_lowpan.te
rename to private/hal_lowpan.te
diff --git a/public/hal_macsec.te b/private/hal_macsec.te
similarity index 100%
rename from public/hal_macsec.te
rename to private/hal_macsec.te
diff --git a/public/hal_memtrack.te b/private/hal_memtrack.te
similarity index 100%
rename from public/hal_memtrack.te
rename to private/hal_memtrack.te
diff --git a/public/hal_neuralnetworks.te b/private/hal_neuralnetworks.te
similarity index 100%
rename from public/hal_neuralnetworks.te
rename to private/hal_neuralnetworks.te
diff --git a/public/hal_neverallows.te b/private/hal_neverallows.te
similarity index 100%
rename from public/hal_neverallows.te
rename to private/hal_neverallows.te
diff --git a/public/hal_nfc.te b/private/hal_nfc.te
similarity index 100%
rename from public/hal_nfc.te
rename to private/hal_nfc.te
diff --git a/public/hal_nlinterceptor.te b/private/hal_nlinterceptor.te
similarity index 100%
rename from public/hal_nlinterceptor.te
rename to private/hal_nlinterceptor.te
diff --git a/public/hal_oemlock.te b/private/hal_oemlock.te
similarity index 100%
rename from public/hal_oemlock.te
rename to private/hal_oemlock.te
diff --git a/public/hal_omx.te b/private/hal_omx.te
similarity index 100%
rename from public/hal_omx.te
rename to private/hal_omx.te
diff --git a/public/hal_power.te b/private/hal_power.te
similarity index 100%
rename from public/hal_power.te
rename to private/hal_power.te
diff --git a/public/hal_power_stats.te b/private/hal_power_stats.te
similarity index 100%
rename from public/hal_power_stats.te
rename to private/hal_power_stats.te
diff --git a/public/hal_rebootescrow.te b/private/hal_rebootescrow.te
similarity index 100%
rename from public/hal_rebootescrow.te
rename to private/hal_rebootescrow.te
diff --git a/public/hal_remoteaccess.te b/private/hal_remoteaccess.te
similarity index 100%
rename from public/hal_remoteaccess.te
rename to private/hal_remoteaccess.te
diff --git a/public/hal_remotelyprovisionedcomponent_avf.te b/private/hal_remotelyprovisionedcomponent_avf.te
similarity index 100%
rename from public/hal_remotelyprovisionedcomponent_avf.te
rename to private/hal_remotelyprovisionedcomponent_avf.te
diff --git a/public/hal_secretkeeper.te b/private/hal_secretkeeper.te
similarity index 100%
rename from public/hal_secretkeeper.te
rename to private/hal_secretkeeper.te
diff --git a/public/hal_secure_element.te b/private/hal_secure_element.te
similarity index 100%
rename from public/hal_secure_element.te
rename to private/hal_secure_element.te
diff --git a/public/hal_sensors.te b/private/hal_sensors.te
similarity index 100%
rename from public/hal_sensors.te
rename to private/hal_sensors.te
diff --git a/public/hal_telephony.te b/private/hal_telephony.te
similarity index 100%
rename from public/hal_telephony.te
rename to private/hal_telephony.te
diff --git a/public/hal_tetheroffload.te b/private/hal_tetheroffload.te
similarity index 100%
rename from public/hal_tetheroffload.te
rename to private/hal_tetheroffload.te
diff --git a/public/hal_thermal.te b/private/hal_thermal.te
similarity index 100%
rename from public/hal_thermal.te
rename to private/hal_thermal.te
diff --git a/public/hal_threadnetwork.te b/private/hal_threadnetwork.te
similarity index 100%
rename from public/hal_threadnetwork.te
rename to private/hal_threadnetwork.te
diff --git a/public/hal_tv_cec.te b/private/hal_tv_cec.te
similarity index 100%
rename from public/hal_tv_cec.te
rename to private/hal_tv_cec.te
diff --git a/public/hal_tv_hdmi_cec.te b/private/hal_tv_hdmi_cec.te
similarity index 100%
rename from public/hal_tv_hdmi_cec.te
rename to private/hal_tv_hdmi_cec.te
diff --git a/public/hal_tv_hdmi_connection.te b/private/hal_tv_hdmi_connection.te
similarity index 100%
rename from public/hal_tv_hdmi_connection.te
rename to private/hal_tv_hdmi_connection.te
diff --git a/public/hal_tv_hdmi_earc.te b/private/hal_tv_hdmi_earc.te
similarity index 100%
rename from public/hal_tv_hdmi_earc.te
rename to private/hal_tv_hdmi_earc.te
diff --git a/public/hal_tv_input.te b/private/hal_tv_input.te
similarity index 100%
rename from public/hal_tv_input.te
rename to private/hal_tv_input.te
diff --git a/public/hal_tv_tuner.te b/private/hal_tv_tuner.te
similarity index 100%
rename from public/hal_tv_tuner.te
rename to private/hal_tv_tuner.te
diff --git a/public/hal_usb.te b/private/hal_usb.te
similarity index 100%
rename from public/hal_usb.te
rename to private/hal_usb.te
diff --git a/public/hal_usb_gadget.te b/private/hal_usb_gadget.te
similarity index 100%
rename from public/hal_usb_gadget.te
rename to private/hal_usb_gadget.te
diff --git a/public/hal_uwb.te b/private/hal_uwb.te
similarity index 100%
rename from public/hal_uwb.te
rename to private/hal_uwb.te
diff --git a/public/hal_vehicle.te b/private/hal_vehicle.te
similarity index 100%
rename from public/hal_vehicle.te
rename to private/hal_vehicle.te
diff --git a/public/hal_vibrator.te b/private/hal_vibrator.te
similarity index 100%
rename from public/hal_vibrator.te
rename to private/hal_vibrator.te
diff --git a/public/hal_vr.te b/private/hal_vr.te
similarity index 100%
rename from public/hal_vr.te
rename to private/hal_vr.te
diff --git a/public/hal_weaver.te b/private/hal_weaver.te
similarity index 100%
rename from public/hal_weaver.te
rename to private/hal_weaver.te
diff --git a/public/hal_wifi.te b/private/hal_wifi.te
similarity index 100%
rename from public/hal_wifi.te
rename to private/hal_wifi.te
diff --git a/public/hal_wifi_hostapd.te b/private/hal_wifi_hostapd.te
similarity index 100%
rename from public/hal_wifi_hostapd.te
rename to private/hal_wifi_hostapd.te
diff --git a/public/hal_wifi_supplicant.te b/private/hal_wifi_supplicant.te
similarity index 100%
rename from public/hal_wifi_supplicant.te
rename to private/hal_wifi_supplicant.te
diff --git a/private/hwservice.te b/private/hwservice.te
index b7ba4d7..1a56eb7 100644
--- a/private/hwservice.te
+++ b/private/hwservice.te
@@ -1 +1,10 @@
 type hal_lazy_test_hwservice, hwservice_manager_type, protected_hwservice;
+
+###
+### Neverallow rules
+###
+
+# hwservicemanager handles registering or looking up named services.
+# It does not make sense to register or lookup something which is not a
+# hwservice. Trigger a compile error if this occurs.
+neverallow domain ~hwservice_manager_type:hwservice_manager { add find };
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index ecc8a40..5605c4d 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -13,3 +13,20 @@
 
 # hwservicemanager is using apex_info via libvintf
 use_apex_info(hwservicemanager)
+
+# Note that we do not use the binder_* macros here.
+# hwservicemanager provides name service (aka context manager)
+# for hwbinder.
+# Additionally, it initiates binder IPC calls to
+# clients who request service notifications. The permission
+# to do this is granted in the hwbinder_use macro.
+allow hwservicemanager self:binder set_context_mgr;
+
+# Scan through /system/lib64/hw looking for installed HALs
+allow hwservicemanager system_file:dir r_dir_perms;
+
+# Read hwservice_contexts
+allow hwservicemanager hwservice_contexts_file:file r_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(hwservicemanager)
diff --git a/private/idmap.te b/private/idmap.te
index c982783..2c32b91 100644
--- a/private/idmap.te
+++ b/private/idmap.te
@@ -1,3 +1,26 @@
 typeattribute idmap coredomain;
 
 init_daemon_domain(idmap)
+
+# Allow read + write access to /data/resource-cache
+allow idmap resourcecache_data_file:file create_file_perms;
+allow idmap resourcecache_data_file:dir rw_dir_perms;
+
+# Open and read from target and overlay apk files passed by argument.
+allow idmap apk_data_file:file r_file_perms;
+allow idmap apk_data_file:dir search;
+
+# Allow /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
+allow idmap { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+allow idmap { apk_tmp_file apk_private_tmp_file }:dir search;
+
+# Allow apps access to /vendor/app
+r_dir_file(idmap, vendor_app_file)
+
+# Allow apps access to /vendor/overlay
+r_dir_file(idmap, vendor_overlay_file)
+
+# Allow the idmap2d binary to register as a service and communicate via AIDL
+binder_use(idmap)
+binder_service(idmap)
+add_service(idmap, idmap_service)
diff --git a/private/init.te b/private/init.te
index 9d3a2c3..a83e538 100644
--- a/private/init.te
+++ b/private/init.te
@@ -57,9 +57,7 @@
 # Allow the BoringSSL self test to request a reboot upon failure
 set_prop(init, powerctl_prop)
 
-# Only init is allowed to set userspace reboot related properties.
 set_prop(init, userspace_reboot_exported_prop)
-neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
 
 # Second-stage init performs a test for whether the kernel has SELinux hooks
 # for the perf_event_open() syscall. This is done by testing for the syscall
@@ -69,8 +67,6 @@
 # and 4.9).
 allow init self:perf_event { open cpu };
 allow init self:global_capability2_class_set perfmon;
-neverallow init self:perf_event { kernel tracepoint read write };
-dontaudit init self:perf_event { kernel tracepoint read write };
 
 # Allow init to communicate with snapuserd to transition Virtual A/B devices
 # from the first-stage daemon to the second-stage.
@@ -83,26 +79,8 @@
 # /dev/block.
 allow init vd_device:blk_file relabelto;
 
-# Only init is allowed to set the sysprop indicating whether perf_event_open()
-# SELinux hooks were detected.
 set_prop(init, init_perf_lsm_hooks_prop)
-neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
-
-# Only init can write vts.native_server.on
 set_prop(init, vts_status_prop)
-neverallow { domain -init } vts_status_prop:property_service set;
-
-# Only init can write normal ro.boot. properties
-neverallow { domain -init } bootloader_prop:property_service set;
-
-# Only init can write hal.instrumentation.enable
-neverallow { domain -init } hal_instrumentation_prop:property_service set;
-
-# Only init can write ro.property_service.version
-neverallow { domain -init } property_service_version_prop:property_service set;
-
-# Only init can set keystore.boot_level
-neverallow { domain -init } keystore_listen_prop:property_service set;
 
 # Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
 allow init debugfs_bootreceiver_tracing:file w_file_perms;
@@ -123,3 +101,720 @@
   -vm_manager_device_type
   -port_device
 }:chr_file setattr;
+
+# /dev/__null__ node created by init.
+allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
+
+#
+# init direct restorecon calls.
+#
+# /dev/kmsg
+allow init tmpfs:chr_file relabelfrom;
+allow init kmsg_device:chr_file { getattr write relabelto };
+# /dev/kmsg_debug
+userdebug_or_eng(`
+  allow init kmsg_debug_device:chr_file { open write relabelto };
+')
+
+# allow init to mount and unmount debugfs in debug builds
+userdebug_or_eng(`
+  allow init debugfs:dir mounton;
+')
+
+# /dev/__properties__
+allow init properties_device:dir relabelto;
+allow init properties_serial:file { write relabelto };
+allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
+# /dev/__properties__/property_info and /dev/__properties/appcompat_override/property_info
+allow init properties_device:file create_file_perms;
+allow init property_info:file relabelto;
+# /dev/event-log-tags
+allow init device:file relabelfrom;
+allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
+# /dev/socket
+allow init { device socket_device dm_user_device }:dir relabelto;
+# allow init to establish connection and communicate with lmkd
+unix_socket_connect(init, lmkd, lmkd)
+# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
+# and /dev/urandom
+allow init { console_device null_device ptmx_device random_device } : chr_file relabelto;
+# /dev/device-mapper, /dev/block(/.*)?
+allow init tmpfs:{ chr_file blk_file } relabelfrom;
+allow init tmpfs:blk_file getattr;
+allow init block_device:{ dir blk_file lnk_file } relabelto;
+allow init dm_device:{ chr_file blk_file } relabelto;
+allow init dm_user_device:chr_file relabelto;
+allow init kernel:fd use;
+# restorecon for early mount device symlinks
+allow init tmpfs:lnk_file { getattr read relabelfrom };
+allow init {
+  metadata_block_device
+  misc_block_device
+  recovery_block_device
+  system_block_device
+  userdata_block_device
+}:{ blk_file lnk_file } relabelto;
+
+allow init dtbo_block_device:lnk_file relabelto;
+allow init super_block_device:lnk_file relabelto;
+
+# Create /mnt/sdcard -> /storage/self/primary symlink.
+allow init mnt_sdcard_file:lnk_file create;
+
+# setrlimit
+allow init self:global_capability_class_set sys_resource;
+
+# Remove /dev/.booting and load /debug_ramdisk/* files
+allow init tmpfs:file { getattr unlink };
+
+# Access pty created for fsck.
+allow init devpts:chr_file { read write open };
+
+# Create /dev/fscklogs files.
+allow init fscklogs:file create_file_perms;
+
+# Access /dev/__null__ node created prior to initial policy load.
+allow init tmpfs:chr_file write;
+
+# Access /dev/console.
+allow init console_device:chr_file rw_file_perms;
+
+# Access /dev/tty0.
+allow init tty_device:chr_file rw_file_perms;
+
+# Call mount(2).
+allow init self:global_capability_class_set sys_admin;
+
+# Call setns(2).
+allow init self:global_capability_class_set sys_chroot;
+
+# Create and mount on directories in /.
+allow init rootfs:dir create_dir_perms;
+allow init {
+    rootfs
+    cache_file
+    cgroup
+    linkerconfig_file
+    storage_file
+    mnt_user_file
+    system_data_file
+    system_data_root_file
+    system_dlkm_file
+    system_file
+    vendor_file
+    postinstall_mnt_dir
+    mirror_data_file
+    shell_data_file
+}:dir mounton;
+
+# Mount bpf fs on sys/fs/bpf
+allow init fs_bpf:dir mounton;
+
+# Mount on /dev/usb-ffs/adb.
+allow init device:dir mounton;
+
+# Mount tmpfs on /apex
+allow init apex_mnt_dir:dir mounton;
+
+# Bind-mount on /system/apex/com.android.art
+allow init art_apex_dir:dir mounton;
+
+# Create and remove symlinks in /.
+allow init rootfs:lnk_file { create unlink };
+
+# Mount debugfs on /sys/kernel/debug.
+allow init sysfs:dir mounton;
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow init tmpfs:dir create_dir_perms;
+allow init tmpfs:dir mounton;
+allow init cgroup:dir create_dir_perms;
+allow init cgroup:file rw_file_perms;
+allow init cgroup_rc_file:file rw_file_perms;
+allow init cgroup_desc_file:file r_file_perms;
+allow init cgroup_desc_api_file:file r_file_perms;
+allow init vendor_cgroup_desc_file:file r_file_perms;
+allow init cgroup_v2:dir { mounton create_dir_perms};
+allow init cgroup_v2:file rw_file_perms;
+
+# /config
+allow init configfs:dir mounton;
+allow init configfs:dir create_dir_perms;
+allow init configfs:{ file lnk_file } create_file_perms;
+
+# /metadata
+allow init metadata_file:dir mounton;
+
+# Run restorecon on /dev
+allow init tmpfs:dir relabelfrom;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow init self:global_capability_class_set { dac_override dac_read_search };
+
+# Set system clock.
+allow init self:global_capability_class_set sys_time;
+
+allow init self:global_capability_class_set { sys_rawio mknod };
+
+# Mounting filesystems from block devices.
+allow init dev_type:blk_file r_file_perms;
+allowxperm init dev_type:blk_file ioctl BLKROSET;
+allowxperm init system_data_root_file:dir ioctl F2FS_IOC_SHUTDOWN;
+
+# Mounting filesystems.
+# Only allow relabelto for types used in context= mount options,
+# which should all be assigned the contextmount_type attribute.
+# This can be done in device-specific policy via type or typeattribute
+# declarations.
+allow init {
+  fs_type
+  enforce_debugfs_restriction(`-debugfs_type')
+}:filesystem ~relabelto;
+
+# Allow init to mount/unmount debugfs in non-user builds.
+enforce_debugfs_restriction(`
+  userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
+')
+
+# Allow init to mount tracefs in /sys/kernel/tracing
+allow init debugfs_tracing_debug:filesystem mount;
+
+allow init unlabeled:filesystem ~relabelto;
+allow init contextmount_type:filesystem relabelto;
+
+# Allow read-only access to context= mounted filesystems.
+allow init contextmount_type:dir r_dir_perms;
+allow init contextmount_type:notdevfile_class_set r_file_perms;
+
+# restorecon /adb_keys or any other rootfs files and directories to a more
+# specific type.
+allow init rootfs:{ dir file } relabelfrom;
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow init self:global_capability_class_set { chown fowner fsetid };
+
+allow init {
+  file_type
+  -app_data_file
+  -bpffs_type
+  -exec_type
+  -misc_logd_file
+  -nativetest_data_file
+  -privapp_data_file
+  -system_app_data_file
+  -system_dlkm_file_type
+  -system_file_type
+  -vendor_file_type
+}:dir { create search getattr open read setattr ioctl };
+
+allow init {
+  file_type
+  -app_data_file
+  -bpffs_type
+  -credstore_data_file
+  -exec_type
+  -keystore_data_file
+  -media_userdir_file
+  -misc_logd_file
+  -nativetest_data_file
+  -privapp_data_file
+  -shell_data_file
+  -system_app_data_file
+  -system_dlkm_file_type
+  -system_file_type
+  -system_userdir_file
+  -vendor_file_type
+  -vendor_userdir_file
+  -vold_data_file
+}:dir { write add_name remove_name rmdir relabelfrom };
+
+allow init {
+  file_type
+  -apex_info_file
+  -app_data_file
+  -bpffs_type
+  -exec_type
+  -gsi_data_file
+  -credstore_data_file
+  -keystore_data_file
+  -misc_logd_file
+  -nativetest_data_file
+  -privapp_data_file
+  -runtime_event_log_tags_file
+  -shell_data_file
+  -system_app_data_file
+  -system_dlkm_file_type
+  -system_file_type
+  -vendor_file_type
+  -vold_data_file
+  enforce_debugfs_restriction(`-debugfs_type')
+}:file { create getattr open read write setattr relabelfrom unlink map };
+
+allow init tracefs_type:file { create_file_perms relabelfrom };
+
+# Allow init to read /apex/apex-info-list.xml for preinstalled paths of APEXes to determine
+# subcontext for action/service defined in APEXes.
+allow init apex_info_file:file r_file_perms;
+
+allow init {
+  file_type
+  -app_data_file
+  -bpffs_type
+  -exec_type
+  -gsi_data_file
+  -credstore_data_file
+  -keystore_data_file
+  -misc_logd_file
+  -nativetest_data_file
+  -privapp_data_file
+  -shell_data_file
+  -system_app_data_file
+  -system_dlkm_file_type
+  -system_file_type
+  -vendor_file_type
+  -vold_data_file
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow init {
+  file_type
+  -apex_mnt_dir
+  -app_data_file
+  -bpffs_type
+  -exec_type
+  -gsi_data_file
+  -credstore_data_file
+  -keystore_data_file
+  -misc_logd_file
+  -nativetest_data_file
+  -privapp_data_file
+  -shell_data_file
+  -system_app_data_file
+  -system_dlkm_file_type
+  -system_file_type
+  -vendor_file_type
+  -vold_data_file
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow init cache_file:lnk_file r_file_perms;
+
+allow init {
+  file_type
+  -bpffs_type
+  -system_dlkm_file_type
+  -system_file_type
+  -vendor_file_type
+  -exec_type
+  -app_data_file
+  -privapp_data_file
+}:dir_file_class_set relabelto;
+
+allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
+allow init dev_type:dir create_dir_perms;
+allow init dev_type:lnk_file create;
+
+# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
+allow init debugfs_tracing:file w_file_perms;
+
+# Setup and control wifi event tracing (see wifi-events.rc)
+allow init debugfs_tracing_instances:dir create_dir_perms;
+allow init debugfs_tracing_instances:file w_file_perms;
+allow init debugfs_wifi_tracing:file w_file_perms;
+
+# chown/chmod on pseudo files.
+allow init {
+  fs_type
+  -bpffs_type
+  -contextmount_type
+  -keychord_device
+  -proc_type
+  -sdcard_type
+  -fusefs_type
+  -sysfs_type
+  -rootfs
+  enforce_debugfs_restriction(`-debugfs_type')
+}:file { open read setattr };
+allow init {
+  fs_type
+  -bpffs_type
+  -contextmount_type
+  -sdcard_type
+  -fusefs_type
+  -rootfs
+}:dir { open read setattr search };
+
+allow init {
+  binder_device
+  console_device
+  devpts
+  dm_device
+  hwbinder_device
+  input_device
+  kmsg_device
+  null_device
+  owntty_device
+  pmsg_device
+  ptmx_device
+  random_device
+  tty_device
+  zero_device
+}:chr_file { read open };
+
+# Unlabeled file access for upgrades from 4.2.
+allow init unlabeled:dir { create_dir_perms relabelfrom };
+allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+
+# Any operation that can modify the kernel ring buffer, e.g. clear
+# or a read that consumes the messages that were read.
+allow init kernel:system syslog_mod;
+allow init self:global_capability2_class_set syslog;
+
+# init access to /proc.
+r_dir_file(init, proc_net_type)
+allow init proc_filesystems:file r_file_perms;
+
+userdebug_or_eng(`
+  # Overlayfs workdir write access check during mount to permit remount,rw
+  allow init overlayfs_file:dir { relabelfrom mounton write };
+  allow init overlayfs_file:file { append rename };
+  allow init overlayfs_file:chr_file unlink;
+  allow init system_block_device:blk_file { write };
+')
+
+allow init {
+  proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+  proc_bootconfig
+  proc_cmdline
+  proc_diskstats
+  proc_kmsg # Open /proc/kmsg for logd service.
+  proc_meminfo
+  proc_stat # Read /proc/stat for bootchart.
+  proc_uptime
+  proc_version
+}:file r_file_perms;
+
+allow init {
+  proc_abi
+  proc_cpu_alignment
+  proc_dirty
+  proc_hostname
+  proc_hung_task
+  proc_extra_free_kbytes
+  proc_net_type
+  proc_max_map_count
+  proc_min_free_order_shift
+  proc_overcommit_memory      # /proc/sys/vm/overcommit_memory
+  proc_panic
+  proc_page_cluster
+  proc_perf
+  proc_sched
+  proc_sysrq
+  proc_watermark_boost_factor
+}:file w_file_perms;
+
+allow init {
+  proc_security
+}:file rw_file_perms;
+
+# init chmod/chown access to /proc files.
+allow init {
+  proc_cmdline
+  proc_bootconfig
+  proc_kmsg
+  proc_net
+  proc_pagetypeinfo
+  proc_qtaguid_stat
+  proc_slabinfo
+  proc_sysrq
+  proc_qtaguid_ctrl
+  proc_vmallocinfo
+}:file setattr;
+
+# init access to /sys files.
+allow init {
+  sysfs_android_usb
+  sysfs_dm_verity
+  sysfs_leds
+  sysfs_power
+  sysfs_fs_f2fs
+  sysfs_dm
+  sysfs_lru_gen_enabled
+}:file w_file_perms;
+
+allow init {
+  sysfs_dt_firmware_android
+  sysfs_fs_ext4_features
+}:file r_file_perms;
+
+allow init {
+  sysfs_zram
+}:file rw_file_perms;
+
+# allow init to create loop devices with /dev/loop-control
+allow init loop_control_device:chr_file rw_file_perms;
+allow init loop_device:blk_file rw_file_perms;
+allowxperm init loop_device:blk_file ioctl {
+  LOOP_SET_FD
+  LOOP_CLR_FD
+  LOOP_CTL_GET_FREE
+  LOOP_SET_BLOCK_SIZE
+  LOOP_SET_DIRECT_IO
+  LOOP_GET_STATUS
+  LOOP_SET_STATUS64
+};
+
+# Allow init to write to vibrator/trigger
+allow init sysfs_vibrator:file w_file_perms;
+
+# init chmod/chown access to /sys files.
+allow init {
+  sysfs_android_usb
+  sysfs_devices_system_cpu
+  sysfs_ipv4
+  sysfs_leds
+  sysfs_lowmemorykiller
+  sysfs_power
+  sysfs_vibrator
+  sysfs_wake_lock
+  sysfs_zram
+}:file setattr;
+
+# Set usermodehelpers.
+allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
+
+allow init self:global_capability_class_set net_admin;
+
+# Reboot.
+allow init self:global_capability_class_set sys_boot;
+
+# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
+# Init will also walk through the directory as part of a recursive restorecon.
+allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
+allow init misc_logd_file:file { open create getattr setattr write };
+
+# Support "adb shell stop"
+allow init self:global_capability_class_set kill;
+allow init domain:process { getpgid sigkill signal };
+
+# Init creates credstore's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init credstore_data_file:dir { open create read getattr setattr search };
+allow init credstore_data_file:file { getattr };
+
+# Init creates keystore's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init keystore_data_file:dir { open create read getattr setattr search };
+allow init keystore_data_file:file { getattr };
+
+# Init creates vold's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init vold_data_file:dir { open create read getattr setattr search };
+allow init vold_data_file:file { getattr };
+
+# Init creates /data/local/tmp at boot
+allow init shell_data_file:dir { open create read getattr setattr search };
+allow init shell_data_file:file { getattr };
+
+# Set UID, GID, and adjust capability bounding set for services.
+allow init self:global_capability_class_set { setuid setgid setpcap };
+
+# For bootchart to read the /proc/$pid/cmdline file of each process,
+# we need to have following line to allow init to have access
+# to different domains.
+r_dir_file(init, domain)
+
+# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
+# setexec is for services with seclabel options.
+# setfscreate is for labeling directories and socket files.
+# setsockcreate is for labeling local/unix domain sockets.
+allow init self:process { setexec setfscreate setsockcreate };
+
+# Get file context
+allow init file_contexts_file:file r_file_perms;
+
+# sepolicy access
+allow init sepolicy_file:file r_file_perms;
+
+# Perform SELinux access checks on setting properties.
+selinux_check_access(init)
+
+# Ask the kernel for the new context on services to label their sockets.
+allow init kernel:security compute_create;
+
+# Create sockets for the services.
+allow init domain:unix_stream_socket { create bind setopt };
+allow init domain:unix_dgram_socket { create bind setopt };
+
+# Create /data/property and files within it.
+allow init property_data_file:dir create_dir_perms;
+allow init property_data_file:file create_file_perms;
+
+# Set any property.
+allow init property_type:property_service set;
+
+# Send an SELinux userspace denial to the kernel audit subsystem,
+# so it can be picked up and processed by logd. These denials are
+# generated when an attempt to set a property is denied by policy.
+allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+allow init self:global_capability_class_set audit_write;
+
+# Run "ifup lo" to bring up the localhost interface
+allow init self:udp_socket { create ioctl };
+# in addition to unpriv ioctls granted to all domains, init also needs:
+allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
+allow init self:global_capability_class_set net_raw;
+
+# Set scheduling info for psi monitor thread.
+# TODO: delete or revise this line b/131761776
+allow init kernel:process { getsched setsched };
+
+# swapon() needs write access to swap device
+# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
+allow init swap_block_device:blk_file rw_file_perms;
+
+# Create and access /dev files without a specific type,
+# e.g. /dev/.coldboot_done, /dev/.booting
+# TODO:  Move these files into their own type unless they are
+# only ever accessed by init.
+allow init device:file create_file_perms;
+
+# keychord retrieval from /dev/input/ devices
+allow init input_device:dir r_dir_perms;
+allow init input_device:chr_file rw_file_perms;
+
+# Access device mapper for setting up dm-verity
+allow init dm_device:chr_file rw_file_perms;
+allow init dm_device:blk_file rw_file_perms;
+
+# Access dm-user for OTA boot
+allow init dm_user_device:chr_file rw_file_perms;
+
+# Access metadata block device for storing dm-verity state
+allow init metadata_block_device:blk_file rw_file_perms;
+
+# Read /sys/fs/pstore/console-ramoops to detect restarts caused
+# by dm-verity detecting corrupted blocks
+allow init pstorefs:dir search;
+allow init pstorefs:file r_file_perms;
+allow init kernel:system syslog_read;
+
+# linux keyring configuration
+allow init init:key { write search setattr };
+
+# Allow init to create /data/unencrypted
+allow init unencrypted_data_file:dir create_dir_perms;
+
+# Set encryption policy on dirs in /data
+allowxperm init { data_file_type unlabeled }:dir ioctl {
+  FS_IOC_GET_ENCRYPTION_POLICY
+  FS_IOC_SET_ENCRYPTION_POLICY
+};
+
+# Raw writes to misc block device
+allow init misc_block_device:blk_file w_file_perms;
+
+r_dir_file(init, system_file)
+r_dir_file(init, system_dlkm_file_type)
+r_dir_file(init, vendor_file_type)
+
+allow init system_data_file:file { getattr read };
+allow init system_data_file:lnk_file r_file_perms;
+
+# For init to be able to run shell scripts from vendor
+allow init vendor_shell_exec:file execute;
+
+# Metadata setup
+allow init vold_metadata_file:dir create_dir_perms;
+allow init vold_metadata_file:file getattr;
+allow init metadata_bootstat_file:dir create_dir_perms;
+allow init metadata_bootstat_file:file w_file_perms;
+allow init userspace_reboot_metadata_file:file w_file_perms;
+
+# Allow init to touch PSI monitors
+allow init proc_pressure_mem:file { rw_file_perms setattr };
+
+# init is using bootstrap bionic
+use_bootstrap_libs(init)
+
+# stat the root dir of fuse filesystems (for the mount handler)
+allow init fuse:dir { search getattr };
+
+# allow filesystem tuning
+allow init userdata_sysdev:file create_file_perms;
+
+# allow disk tuning
+allow init rootdisk_sysdev:file create_file_perms;
+
+###
+### neverallow rules
+###
+
+# The init domain is only entered via an exec based transition from the
+# kernel domain, never via setcon().
+neverallow domain init:process dyntransition;
+neverallow { domain -kernel } init:process transition;
+neverallow init { file_type fs_type -init_exec }:file entrypoint;
+
+# Never read/follow symlinks created by shell or untrusted apps.
+neverallow init shell_data_file:lnk_file read;
+neverallow init app_data_file_type:lnk_file read;
+
+# init should never execute a program without changing to another domain.
+neverallow init { file_type fs_type }:file execute_no_trans;
+
+# The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
+# when init is executing other binaries. The use of LD_PRELOAD for init spawned
+# services is generally considered a no-no, as it injects libraries which the
+# binary was not expecting. This is especially problematic for APEXes. The use
+# of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
+# code into a process which wasn't expecting that code, with potentially
+# unexpected side effects. (b/140789528)
+neverallow init *:process noatsecure;
+
+# init can never add binder services
+neverallow init service_manager_type:service_manager { add find };
+# init can never list binder services
+neverallow init servicemanager:service_manager list;
+
+# Init should not be creating subdirectories in /data/local/tmp
+neverallow init shell_data_file:dir { write add_name remove_name };
+
+# Init should not access sysfs node that are not explicitly labeled.
+neverallow init sysfs:file { open write };
+
+# No domain should be allowed to ptrace init.
+neverallow * init:process ptrace;
+
+# init owns the root of /data
+# TODO(b/140259336) We want to remove vendor_init
+# TODO(b/141108496) We want to remove toolbox
+neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };
+
+# Only init is allowed to set userspace reboot related properties.
+neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
+
+neverallow init self:perf_event { kernel tracepoint read write };
+dontaudit init self:perf_event { kernel tracepoint read write };
+
+# Only init is allowed to set the sysprop indicating whether perf_event_open()
+# SELinux hooks were detected.
+neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
+
+# Only init can write vts.native_server.on
+neverallow { domain -init } vts_status_prop:property_service set;
+
+# Only init can write normal ro.boot. properties
+neverallow { domain -init } bootloader_prop:property_service set;
+
+# Only init can write hal.instrumentation.enable
+neverallow { domain -init } hal_instrumentation_prop:property_service set;
+
+# Only init can write ro.property_service.version
+neverallow { domain -init } property_service_version_prop:property_service set;
+
+# Only init can set keystore.boot_level
+neverallow { domain -init } keystore_listen_prop:property_service set;
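Review bot: Indentation inside the relocated block is inconsistent: the mounton type set starting with `rootfs` and ending with `shell_data_file` is indented four spaces while every other braced type set in this hunk (for example the `metadata_block_device … userdata_block_device` set and the `file_type -app_data_file …` sets) uses two; normalise to two spaces. Single-permission braces such as `allow init credstore_data_file:file { getattr };` could be written `allow init credstore_data_file:file getattr;` to match the surrounding rules, and `{ mounton create_dir_perms}` is missing a space before the closing brace. Because the matching deletions from public/init.te are not part of this hunk, it cannot be confirmed from here that the move is lossless — in particular for the neverallow rules re-added at the end of the block; a comparison of the compiled policy before and after (e.g. with sediff) would make that explicit in the review.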
diff --git a/private/inputflinger.te b/private/inputflinger.te
index 9696b49..9e8e35b 100644
--- a/private/inputflinger.te
+++ b/private/inputflinger.te
@@ -1,3 +1,16 @@
 typeattribute inputflinger coredomain;
 
 init_daemon_domain(inputflinger)
+
+binder_use(inputflinger)
+binder_service(inputflinger)
+
+binder_call(inputflinger, system_server)
+
+wakelock_use(inputflinger)
+
+allow inputflinger input_device:dir r_dir_perms;
+allow inputflinger input_device:chr_file rw_file_perms;
+
+r_dir_file(inputflinger, cgroup)
+r_dir_file(inputflinger, cgroup_v2)
diff --git a/private/installd.te b/private/installd.te
index f9fb206..feb47f7 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -58,3 +58,186 @@
 # Allow installd to enable fs-verity for app file passed as FD;
 allow installd { untrusted_app_all priv_app gmscore_app }:fd use;
 allowxperm installd app_data_file_type:file ioctl FS_IOC_ENABLE_VERITY;
+
+typeattribute installd mlstrustedsubject;
+allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin kill };
+
+# Allow labeling of files under /data/app/com.example/oat/
+allow installd dalvikcache_data_file:dir relabelto;
+allow installd dalvikcache_data_file:file { relabelto link };
+
+# Allow movement of APK files between volumes
+allow installd apk_data_file:dir { create_dir_perms relabelfrom };
+allow installd apk_data_file:file { create_file_perms relabelfrom link };
+allow installd apk_data_file:lnk_file { create r_file_perms unlink };
+
+allow installd asec_apk_file:file r_file_perms;
+allow installd apk_tmp_file:file { r_file_perms unlink };
+allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
+allow installd oemfs:dir r_dir_perms;
+allow installd oemfs:file r_file_perms;
+allow installd cgroup:dir create_dir_perms;
+allow installd cgroup_v2:dir create_dir_perms;
+allow installd mnt_expand_file:dir { search getattr };
+# Check validity of SELinux context before use.
+selinux_check_context(installd)
+
+r_dir_file(installd, rootfs)
+# Scan through APKs in /system/app and /system/priv-app
+r_dir_file(installd, system_file)
+# Scan through APKs in /vendor/app
+r_dir_file(installd, vendor_app_file)
+# Scan through JARs in /vendor/framework
+r_dir_file(installd, vendor_framework_file)
+# Scan through Runtime Resource Overlay APKs in /vendor/overlay
+r_dir_file(installd, vendor_overlay_file)
+# Vendor overlay can be found in vendor apex
+allow installd vendor_apex_metadata_file:dir { getattr search };
+# Get file context
+allow installd file_contexts_file:file r_file_perms;
+# Get seapp_context
+allow installd seapp_contexts_file:file r_file_perms;
+
+# Search /data/app-asec and stat files in it.
+allow installd asec_image_file:dir search;
+allow installd asec_image_file:file getattr;
+
+# Required to initially create subdirectories of /data/user/$userId
+# and lib symlinks before the setfilecon call.  May want to
+# move symlink creation after setfilecon in installd.
+allow installd system_data_file:dir create_dir_perms;
+# Also, allow read for lnk_file so that we can process symlinks within
+# /data/user/$userId when optimizing application code.
+allow installd system_data_file:lnk_file { create getattr read setattr unlink };
+
+# Manage lower filesystem via pass_through mounts
+allow installd mnt_pass_through_file:dir r_dir_perms;
+
+# Upgrade /data/media for multi-user if necessary.
+allow installd media_rw_data_file:dir create_dir_perms;
+allow installd media_rw_data_file:file { getattr unlink };
+# restorecon new /data/media directory.
+allow installd system_data_file:dir relabelfrom;
+allow installd media_rw_data_file:dir relabelto;
+
+# Delete /data/media files through sdcardfs, instead of going behind its back
+allow installd media_userdir_file:dir r_dir_perms;
+allow installd tmpfs:dir r_dir_perms;
+allow installd storage_file:dir search;
+allow installd { sdcard_type fuse }:dir { search open read write remove_name getattr rmdir };
+allow installd { sdcard_type fuse }:file { getattr unlink };
+
+# Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
+allow installd mirror_data_file:dir { create_dir_perms mounton };
+
+# Upgrade /data/misc/keychain for multi-user if necessary.
+allow installd system_userdir_file:dir r_dir_perms;
+allow installd misc_user_data_file:dir create_dir_perms;
+allow installd misc_user_data_file:file create_file_perms;
+allow installd keychain_data_file:dir create_dir_perms;
+allow installd keychain_data_file:file {r_file_perms unlink};
+
+# Create /data/misc/installd/layout_version.* file
+allow installd install_data_file:file create_file_perms;
+allow installd install_data_file:dir rw_dir_perms;
+
+# Create files under /data/dalvik-cache.
+allow installd dalvikcache_data_file:dir create_dir_perms;
+allow installd dalvikcache_data_file:file create_file_perms;
+allow installd dalvikcache_data_file:lnk_file getattr;
+
+# Create files under /data/resource-cache.
+allow installd resourcecache_data_file:dir rw_dir_perms;
+allow installd resourcecache_data_file:file create_file_perms;
+
+# Upgrade from unlabeled userdata.
+# Just need enough to remove and/or relabel it.
+allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
+allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
+# Read pkg.apk file for input during dexopt.
+allow installd unlabeled:file r_file_perms;
+
+# Upgrade from before system_app_data_file was used for system UID apps.
+# Just need enough to relabel it and to unlink removed package files.
+# Directory access covered by earlier rule above.
+allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
+
+# Manage /data/data subdirectories, including initially labeling them
+# upon creation via setfilecon or running restorecon_recursive,
+# setting owner/mode, creating symlinks within them, and deleting them
+# upon package uninstall.
+allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
+allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+
+# Allow setting extended attributes (for project quota IDs) on dirs and files
+# and to enable project ID inheritance through FS_IOC_SETFLAGS
+# Added install_data_file to be able to create file under /data/misc/installd/ioctl_check
+allowxperm installd { app_data_file_type system_data_file install_data_file}:{ dir file } ioctl {
+  FS_IOC_FSGETXATTR
+  FS_IOC_FSSETXATTR
+  FS_IOC_GETFLAGS
+  FS_IOC_SETFLAGS
+};
+
+# Similar for the files under /data/misc/profiles/
+allow installd user_profile_root_file:dir { create_dir_perms relabelfrom };
+allow installd user_profile_data_file:dir { create_dir_perms relabelto };
+allow installd user_profile_data_file:file create_file_perms;
+allow installd user_profile_data_file:file unlink;
+
+# Allow zygote to unmount mirror directories
+allow installd labeledfs:filesystem unmount;
+
+# Files created/updated by profman dumps.
+allow installd profman_dump_data_file:dir { search add_name write };
+allow installd profman_dump_data_file:file { create setattr open write };
+
+# Create and use pty created by android_fork_execvp().
+allow installd devpts:chr_file rw_file_perms;
+
+# execute toybox for app relocation
+allow installd toolbox_exec:file rx_file_perms;
+
+# Allow installd to publish a binder service and make binder calls.
+binder_use(installd)
+add_service(installd, installd_service)
+allow installd dumpstate:fifo_file  { getattr write };
+
+# Allow installd to call into the system server so it can check permissions.
+binder_call(installd, system_server)
+allow installd permission_service:service_manager find;
+
+# Allow installd to read and write quotas
+allow installd block_device:dir { search };
+allow installd labeledfs:filesystem { quotaget quotamod };
+
+# Allow installd to delete from /data/preloads when trimming data caches
+# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
+allow installd preloads_data_file:file { r_file_perms unlink };
+allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
+allow installd preloads_media_file:file { r_file_perms unlink };
+allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
+
+# Allow installd to read /proc/filesystems
+allow installd proc_filesystems:file r_file_perms;
+
+#add for move app to sd card
+get_prop(installd, storage_config_prop)
+
+# Allow installd to access apps installed on the Incremental File System
+# Accessing files on the Incremental File System uses fds opened in the context of vold.
+allow installd vold:fd use;
+
+###
+### Neverallow rules
+###
+
+# only system_server, installd, dumpstate, and servicemanager may interact with installd over binder
+neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
+neverallow { domain -system_server -dumpstate -servicemanager } installd:binder call;
+neverallow installd {
+    domain
+    -system_server
+    -servicemanager
+    userdebug_or_eng(`-su')
+}:binder call;
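Review bot: The comment above `allow installd labeledfs:filesystem unmount;` reads "Allow zygote to unmount mirror directories", but the rule's subject is installd; change it to `# Allow installd to unmount mirror directories` so the comment matches the rule. `allow installd user_profile_data_file:file unlink;` appears redundant with the preceding `create_file_perms` rule on the same type if that macro expands to include unlink as in the usual global_macros definition, and can be dropped. The set `{ app_data_file_type system_data_file install_data_file}` is missing a space before the closing brace, and `#add for move app to sd card` should be spaced and capitalised like the other comments in the file.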
diff --git a/private/kernel.te b/private/kernel.te
index 2d46b3e..1b82c66 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -32,6 +32,124 @@
 allow kernel kmsg_device:chr_file write;
 allow kernel gsid:fd use;
 
+allow kernel self:global_capability_class_set sys_nice;
+
+# Root fs.
+r_dir_file(kernel, rootfs)
+
+# Used to read androidboot.selinux property
+allow kernel {
+  proc_bootconfig
+  proc_cmdline
+}:file r_file_perms;
+
+# Get SELinux enforcing status.
+allow kernel selinuxfs:dir r_dir_perms;
+allow kernel selinuxfs:file r_file_perms;
+
+# Get file contexts during first stage
+allow kernel file_contexts_file:file r_file_perms;
+
+# Allow init relabel itself.
+allow kernel rootfs:file relabelfrom;
+allow kernel init_exec:file relabelto;
+# TODO: investigate why we need this.
+allow kernel init:process share;
+
+# cgroup filesystem initialization prior to setting the cgroup root directory label.
+allow kernel unlabeled:dir search;
+
+# Mount usbfs.
+allow kernel usbfs:filesystem mount;
+allow kernel usbfs:dir search;
+
+# Initial setenforce by init prior to switching to init domain.
+# We use dontaudit instead of allow to prevent a kernel spawned userspace
+# process from turning off SELinux once enabled.
+dontaudit kernel self:security setenforce;
+
+# Write to /proc/1/oom_adj prior to switching to init domain.
+allow kernel self:global_capability_class_set sys_resource;
+
+# Init reboot before switching selinux domains under certain error
+# conditions. Allow it.
+# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
+# remount filesystems read-only. /data is not mounted at this point,
+# so we could ignore this. For now, we allow it.
+allow kernel self:global_capability_class_set sys_boot;
+allow kernel proc_sysrq:file w_file_perms;
+
+# Allow writing to /dev/kmsg which was created prior to loading policy.
+allow kernel tmpfs:chr_file write;
+
+# Set checkreqprot by init.rc prior to switching to init domain.
+allow kernel selinuxfs:file write;
+allow kernel self:security setcheckreqprot;
+
+# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
+allow kernel { sdcard_type fuse }:file { read write };
+
+# f_mtp driver accesses files from kernel context.
+allow kernel mediaprovider:fd use;
+
+# Allow the kernel to read OBB files from app directories. (b/17428116)
+# Kernel thread "loop0" reads a vold supplied file descriptor.
+# Fixes CTS tests:
+#  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
+#  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
+allow kernel vold:fd use;
+allow kernel { app_data_file privapp_data_file }:file read;
+allow kernel asec_image_file:file read;
+
+# Allow mounting loop device in update_engine_unittests. (b/28319454)
+# and for LTP kernel tests (b/73220071)
+userdebug_or_eng(`
+  allow kernel update_engine_data_file:file { read write };
+  allow kernel nativetest_data_file:file { read write };
+')
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow kernel media_rw_data_file:dir create_dir_perms;
+allow kernel media_rw_data_file:file create_file_perms;
+
+# Access to /data/misc/vold/virtual_disk.
+allow kernel vold_data_file:file { read write };
+
+# Allow the kernel to read APEX file descriptors and (staged) data files;
+# Needed because APEX uses the loopback driver, which issues requests from
+# a kernel thread in earlier kernel version.
+allow kernel apexd:fd use;
+allow kernel {
+  apex_data_file
+  staging_data_file
+  vendor_apex_file
+}:file read;
+# Also allow the kernel to read/write /data/local/tmp files via loop device
+# for ApexTestCases and fiemap_image_test.
+userdebug_or_eng(`
+  allow kernel shell_data_file:file { read write };
+')
+
+# Allow the first-stage init (which is running in the kernel domain) to execute the
+# dynamic linker when it re-executes /init to switch into the second stage.
+# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
+# before the domain is switched to the target domain. So, we need to allow the kernel
+# domain (the source domain) to execute the dynamic linker (system_file type).
+# TODO(b/110147943) remove these allow rules when we no longer need to support Linux
+# kernel older than 4.8.
+allow kernel system_file:file execute;
+# The label for the dynamic linker is rootfs in the recovery partition. This is because
+# the recovery partition which is rootfs does not support xattr and thus labeling can't be
+# done at build-time. All files are by default labeled as rootfs upon booting.
+recovery_only(`
+  allow kernel rootfs:file execute;
+')
+
+# required by VTS lidbm unit test
+allow kernel appdomain_tmpfs:file { read write };
+
 dontaudit kernel metadata_file:dir search;
 dontaudit kernel ota_metadata_file:dir rw_dir_perms;
 dontaudit kernel sysfs:dir r_dir_perms;
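Review bot: The `allow kernel self:global_capability_class_set sys_nice;` line at the top of the hunk carries no comment, while the sys_resource and sys_boot grants further down each explain which first-stage-init operation they cover; a why-comment in the same style, e.g. `# Needed by first-stage init before the domain switch (exact caller: TODO confirm)`, would keep the capability grants uniformly documented. The `# TODO: investigate why we need this.` above `allow kernel init:process share;` has no tracking bug, unlike the TODO(b/110147943) later in the hunk, so it is unlikely to be revisited; attach a bug id or record what the investigation found. The `# Allow init relabel itself.` comment reads oddly for a rule on the kernel domain; `# Allow first-stage init (still in the kernel domain) to relabel /init from rootfs to init_exec.` states what the two rules below it actually grant.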
@@ -44,3 +162,29 @@
 dontaudit kernel dm_user_device:chr_file { create setattr };
 dontaudit kernel tmpfs:lnk_file read;
 dontaudit kernel tmpfs:blk_file { open read };
+
+###
+### neverallow rules
+###
+
+# The initial task starts in the kernel domain (assigned via
+# initial_sid_contexts), but nothing ever transitions to it.
+neverallow * kernel:process { transition dyntransition };
+
+# The kernel domain is never entered via an exec, nor should it
+# ever execute a program outside the rootfs without changing to another domain.
+# If you encounter an execute_no_trans denial on the kernel domain, then
+# possible causes include:
+# - The program is a kernel usermodehelper.  In this case, define a domain
+#   for the program and domain_auto_trans() to it.
+# - You are running an exploit which switched to the init task credentials
+#   and is then trying to exec a shell or other program.  You lose!
+neverallow kernel *:file { entrypoint execute_no_trans };
+
+# the kernel should not be accessing files owned by other users.
+# Instead of adding dac_{read_search,override}, fix the unix permissions
+# on files being accessed.
+neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
+
+# Nobody should be ptracing kernel threads
+neverallow * kernel:process ptrace;
diff --git a/private/keystore.te b/private/keystore.te
index b81ccfa..b35a16e 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -41,10 +41,61 @@
 # can call keystore methods on those references.
 allow keystore vold:binder transfer;
 
-# Only keystore can set keystore.crash_count system property. Since init is allowed to set any
-# system property, an exception is added for init as well.
 set_prop(keystore, keystore_crash_prop)
-neverallow { domain -keystore -init } keystore_crash_prop:property_service set;
 
 # keystore is using apex_info via libvintf
 use_apex_info(keystore)
+
+typeattribute keystore mlstrustedsubject;
+binder_use(keystore)
+binder_service(keystore)
+binder_call(keystore, remote_provisioning_service_server)
+binder_call(keystore, system_server)
+binder_call(keystore, wificond)
+
+allow keystore keystore_data_file:dir create_dir_perms;
+allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
+allow keystore keystore_exec:file { getattr };
+
+add_service(keystore, keystore_service)
+allow keystore sec_key_att_app_id_provider_service:service_manager find;
+allow keystore dropbox_service:service_manager find;
+allow keystore remote_provisioning_service:service_manager find;
+add_service(keystore, apc_service)
+add_service(keystore, keystore_compat_hal_service)
+add_service(keystore, authorization_service)
+add_service(keystore, keystore_maintenance_service)
+add_service(keystore, keystore_metrics_service)
+add_service(keystore, legacykeystore_service)
+
+# Check SELinux permissions.
+selinux_check_access(keystore)
+
+r_dir_file(keystore, cgroup)
+r_dir_file(keystore, cgroup_v2)
+
+# The software KeyMint implementation used in km_compat needs
+# to read the vendor security patch level.
+get_prop(keystore, vendor_security_patch_level_prop);
+
+# Allow keystore to read its vendor configuration
+get_prop(keystore, keystore_config_prop)
+
+###
+### Neverallow rules
+###
+### Protect ourself from others
+###
+
+neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow { domain -keystore -init } keystore_data_file:dir *;
+neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
+
+# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
+neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;
+
+# Only keystore can set keystore.crash_count system property. Since init is allowed to set any
+# system property, an exception is added for init as well.
+neverallow { domain -keystore -init } keystore_crash_prop:property_service set;
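Review bot: `get_prop(keystore, vendor_security_patch_level_prop);` carries a trailing `;` that no other macro call in this hunk (or `get_prop(keystore, keystore_config_prop)` two lines later) has; the m4 expansion already terminates each rule, so the stray `;` is at best noise and should be dropped for consistency: `get_prop(keystore, vendor_security_patch_level_prop)`. The `# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)` comment on the ptrace neverallow refers to a date that has long passed, so either the crash_dump exception should be reconsidered or the comment should be updated to state why it is still needed.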
diff --git a/private/lmkd.te b/private/lmkd.te
index 6a38c58..8d22552 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -23,5 +23,73 @@
 allow lmkd fs_bpf_lmkd_memevents_rb:file { read write };
 allow lmkd fs_bpf_lmkd_memevents_prog:file read;
 
+allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill };
+
+# lmkd locks itself in memory, to prevent it from being
+# swapped out and unable to kill other memory hogs.
+# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
+# b/16236289
+allow lmkd self:global_capability_class_set ipc_lock;
+
+## Open and write to /proc/PID/oom_score_adj and /proc/PID/timerslack_ns
+## TODO: maybe scope this down?
+r_dir_file(lmkd, domain)
+allow lmkd domain:file write;
+
+## Writes to /sys/module/lowmemorykiller/parameters/minfree
+r_dir_file(lmkd, sysfs_lowmemorykiller)
+allow lmkd sysfs_lowmemorykiller:file w_file_perms;
+
+# setsched and send kill signals to any registered process
+allow lmkd domain:process { setsched sigkill };
+# TODO: delete this line b/131761776
+allow lmkd kernel:process { setsched };
+
+# Clean up old cgroups
+allow lmkd cgroup:dir { remove_name rmdir };
+allow lmkd cgroup_v2:dir { remove_name rmdir };
+
+# Allow to read memcg stats
+allow lmkd cgroup:file r_file_perms;
+allow lmkd cgroup_v2:file r_file_perms;
+
+# Set self to SCHED_FIFO
+allow lmkd self:global_capability_class_set sys_nice;
+
+allow lmkd proc_zoneinfo:file r_file_perms;
+allow lmkd proc_vmstat:file r_file_perms;
+
+# live lock watchdog process allowed to look through /proc/
+allow lmkd domain:dir { search open read };
+allow lmkd domain:file { open read };
+
+# live lock watchdog process allowed to dump process trace and
+# reboot because orderly shutdown may not be possible.
+allow lmkd proc_sysrq:file rw_file_perms;
+
+# Read /proc/lowmemorykiller
+allow lmkd proc_lowmemorykiller:file r_file_perms;
+
+# Read /proc/meminfo
+allow lmkd proc_meminfo:file r_file_perms;
+
+# Read /proc/pressure/cpu and /proc/pressure/io
+allow lmkd proc_pressure_cpu:file r_file_perms;
+allow lmkd proc_pressure_io:file r_file_perms;
+
+# Read/Write /proc/pressure/memory
+allow lmkd proc_pressure_mem:file rw_file_perms;
+
+# Allow lmkd to connect during reinit.
+allow lmkd lmkd_socket:sock_file write;
+
+# Allow lmkd to write to statsd.
+unix_socket_send(lmkd, statsdw, statsd)
+
+### neverallow rules
+
+# never honor LD_PRELOAD
+neverallow * lmkd:process noatsecure;
+neverallow lmkd self:global_capability_class_set sys_ptrace;
 neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set;
 neverallow lmkd self:perf_event ~{ cpu kernel open write };
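Review bot: `allow lmkd domain:dir { search open read };` and `allow lmkd domain:file { open read };` under the "live lock watchdog" comment are already granted by `r_dir_file(lmkd, domain)` earlier in the hunk (r_dir_perms covers search/open/read on dirs and r_file_perms covers open/read on files), so the two lines are redundant and can be folded into a comment on the r_dir_file call. The comment above `allow lmkd domain:file write;` names only oom_score_adj and timerslack_ns, but the rule permits writing any file labeled with any domain type, i.e. any /proc/PID entry of any process; the `## TODO: maybe scope this down?` should carry a tracking bug like the `TODO: delete this line b/131761776` below it. The `{ dac_override dac_read_search sys_resource kill }` capability grant at the top of the hunk has no comment, unlike ipc_lock and sys_nice; a line such as `# dac_override/dac_read_search: access /proc/PID entries of other UIDs (TODO confirm exact paths)` would document why the DAC bypass is needed.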
diff --git a/private/logd.te b/private/logd.te
index 62d4196..b6e8b27 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -49,3 +49,79 @@
 
 add_service(logd, logd_service)
 allow logd logcat_service:service_manager find;
+
+# Read access to pseudo filesystems.
+r_dir_file(logd, cgroup)
+r_dir_file(logd, cgroup_v2)
+r_dir_file(logd, proc_kmsg)
+r_dir_file(logd, proc_meminfo)
+
+allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
+allow logd self:global_capability2_class_set syslog;
+allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
+allow logd kernel:system syslog_read;
+allow logd kmsg_device:chr_file { getattr w_file_perms };
+allow logd system_data_file:{ file lnk_file } r_file_perms;
+allow logd packages_list_file:file r_file_perms;
+allow logd pstorefs:dir search;
+allow logd pstorefs:file r_file_perms;
+userdebug_or_eng(`
+  # Access to /data/misc/logd/event-log-tags
+  allow logd misc_logd_file:dir r_dir_perms;
+  allow logd misc_logd_file:file rw_file_perms;
+')
+allow logd runtime_event_log_tags_file:file rw_file_perms;
+
+r_dir_file(logd, domain)
+
+allow logd kernel:system syslog_mod;
+
+control_logd(logd)
+read_runtime_log_tags(logd)
+
+allow runtime_event_log_tags_file tmpfs:filesystem associate;
+# Typically harmlessly blindly trying to access via liblog
+# event tag mapping while in the untrusted_app domain.
+# Access for that domain is controlled and gated via the
+# event log tag service (albeit at a performance penalty,
+# expected to be locally cached).
+dontaudit domain runtime_event_log_tags_file:file { map open read };
+
+# Logd sets defaults if certain properties are empty.
+set_prop(logd, logd_prop)
+
+###
+### Neverallow rules
+###
+### logd should NEVER do any of this
+
+# Block device access.
+neverallow logd dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow logd domain:process ptrace;
+
+# ... and nobody may ptrace me (except on userdebug or eng builds)
+neverallow { domain userdebug_or_eng(`-crash_dump -llkd') } logd:process ptrace;
+
+# Write to /system.
+neverallow logd system_file_type:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow logd {
+    app_data_file_type
+    system_data_file
+    packages_list_file
+    -shell_data_file # for bugreports
+}:dir_file_class_set write;
+
+# Only init is allowed to enter the logd domain via exec()
+neverallow { domain -init } logd:process transition;
+neverallow * logd:process dyntransition;
+
+# protect the event-log-tags file
+neverallow {
+  domain
+  -init
+  -logd
+} runtime_event_log_tags_file:file no_w_file_perms;
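Review bot: The capability grant `allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };`, the `r_dir_file(logd, domain)` call and the separate `allow logd kernel:system syslog_mod;` line are the only uncommented grants in the hunk, and `syslog_mod` is placed away from the `syslog_read` grant it pairs with. Suggested comments, hedged where the caller is not visible here: `# setuid/setgid/setpcap: drop privileges at startup; audit_control: read SELinux denials from the audit netlink socket — TODO confirm`, `# Read /proc/<pid>/ of log clients (presumably for PID/UID resolution) — verify against logd source`, and `# syslog_mod: clear the kernel ring buffer — TODO confirm`. Moving `syslog_mod` next to `syslog_read` would also make the pair easier to review.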
diff --git a/private/logpersist.te b/private/logpersist.te
index e151810..34022d6 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -20,6 +20,39 @@
 
 ')
 
+# logcatd is a shell script that execs logcat with various parameters.
+allow logpersist shell_exec:file rx_file_perms;
+allow logpersist logcat_exec:file rx_file_perms;
+
+allowxperm logpersist misc_logd_file:file ioctl {
+  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+  FS_IOC_SETFLAGS
+};
+
+###
+### Neverallow rules
+###
+### logpersist should NEVER do any of this
+
+# Block device access.
+neverallow logpersist dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow logpersist domain:process ptrace;
+
+# Write to files in /data/data or system files on /data except misc_logd_file
+neverallow logpersist { app_data_file_type system_data_file }:dir_file_class_set write;
+
+# Only init should be allowed to enter the logpersist domain via exec()
+# Following is a list of debug domains we know that transition to logpersist
+# neverallow_with_undefined_domains {
+#   domain
+#   -init       # goldfish, logcatd, raft
+#   -mmi        # bat, mtp8996, msmcobalt
+#   -system_app # Smith.apk
+# } logpersist:process transition;
+neverallow * logpersist:process dyntransition;
+
 # logpersist is allowed to write to /data/misc/log for userdebug and eng builds
 neverallow logpersist {
   file_type
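Review bot: The comment `# Only init should be allowed to enter the logpersist domain via exec()` describes an invariant the hunk does not enforce: the neverallow that would enforce it is commented out (the `neverallow_with_undefined_domains { ... } logpersist:process transition;` block), and only `neverallow * logpersist:process dyntransition;` is active. Reword so the comment does not read as an enforced rule, e.g. `# Only dyntransition into logpersist is forbidden. An exec-transition neverallow is not enforced because the debug domains below (init, mmi, system_app) are known to transition to logpersist.` and keep the domain list as plain commentary rather than commented-out policy. The `neverallow logpersist { file_type ...` statement at the end of the hunk continues outside it.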
diff --git a/private/mediadrmserver.te b/private/mediadrmserver.te
index 4e511a8..fdc7681 100644
--- a/private/mediadrmserver.te
+++ b/private/mediadrmserver.te
@@ -6,3 +6,32 @@
 hal_client_domain(mediadrmserver, hal_graphics_allocator)
 auditallow mediadrmserver hal_graphics_allocator_server:binder call;
 
+typeattribute mediadrmserver mlstrustedsubject;
+
+net_domain(mediadrmserver)
+binder_use(mediadrmserver)
+binder_call(mediadrmserver, binderservicedomain)
+binder_call(mediadrmserver, appdomain)
+binder_service(mediadrmserver)
+hal_client_domain(mediadrmserver, hal_drm)
+
+add_service(mediadrmserver, mediadrmserver_service)
+allow mediadrmserver mediaserver_service:service_manager find;
+allow mediadrmserver mediametrics_service:service_manager find;
+allow mediadrmserver processinfo_service:service_manager find;
+allow mediadrmserver surfaceflinger_service:service_manager find;
+allow mediadrmserver system_file:dir r_dir_perms;
+
+# TODO(b/80317992): remove
+binder_call(mediadrmserver, hal_omx_server)
+
+###
+### neverallow rules
+###
+
+# mediadrmserver should never execute any executable without a
+# domain transition
+neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
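Review bot: `net_domain(mediadrmserver)` at the top of the added block has no comment, and unlike the mediaextractor, mediametrics and mediaswcodec hunks in this series no udp/rawip/tcp socket neverallow is added, so the reader cannot tell whether network access for this media domain is a deliberate exception to the media-stack hardening rationale those files quote. A comment on that line stating why mediadrmserver needs network sockets (the visible rules do not show the consumer; e.g. `# Network access required for <reason> — TODO confirm against mediadrmserver source`) would document the exception. `binder_call(mediadrmserver, appdomain)` is likewise uncommented, whereas the hal_omx_server call below it carries its TODO(b/80317992).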
diff --git a/private/mediaextractor.te b/private/mediaextractor.te
index 7bcf5c8..c800d89 100644
--- a/private/mediaextractor.te
+++ b/private/mediaextractor.te
@@ -8,3 +8,71 @@
 
 get_prop(mediaextractor, device_config_media_native_prop)
 get_prop(mediaextractor, device_config_swcodec_native_prop)
+
+typeattribute mediaextractor mlstrustedsubject;
+
+binder_use(mediaextractor)
+binder_call(mediaextractor, binderservicedomain)
+binder_call(mediaextractor, appdomain)
+binder_service(mediaextractor)
+
+add_service(mediaextractor, mediaextractor_service)
+allow mediaextractor mediametrics_service:service_manager find;
+allow mediaextractor hidl_token_hwservice:hwservice_manager find;
+
+allow mediaextractor system_server:fd use;
+
+hal_client_domain(mediaextractor, hal_cas)
+hal_client_domain(mediaextractor, hal_allocator)
+
+r_dir_file(mediaextractor, cgroup)
+r_dir_file(mediaextractor, cgroup_v2)
+allow mediaextractor proc_meminfo:file r_file_perms;
+
+crash_dump_fallback(mediaextractor)
+
+# allow mediaextractor read permissions for file sources
+allow mediaextractor { sdcard_type fuse }:file { getattr read };
+allow mediaextractor media_rw_data_file:file { getattr read };
+allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
+
+# Read resources from open apk files passed over Binder
+allow mediaextractor apk_data_file:file { read getattr };
+allow mediaextractor asec_apk_file:file { read getattr };
+allow mediaextractor ringtone_file:file { read getattr };
+
+# overlay package access
+allow mediaextractor vendor_overlay_file:file { read map };
+
+# scan extractor library directory to dynamically load extractors
+allow mediaextractor system_file:dir { read open };
+
+###
+### neverallow rules
+###
+
+# mediaextractor should never execute any executable without a
+# domain transition
+neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaextractor domain:{ udp_socket rawip_socket } *;
+neverallow mediaextractor { domain userdebug_or_eng(`-su') }:tcp_socket *;
+
+# mediaextractor should not be opening /data files directly. Any files
+# it touches (with a few exceptions) need to be passed to it via a file
+# descriptor opened outside the process.
+neverallow mediaextractor {
+  data_file_type
+  userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
+  with_native_coverage(`-method_trace_data_file')
+}:file open;
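Review bot: `allow mediaextractor system_server:fd use;` and `allow mediaextractor hidl_token_hwservice:hwservice_manager find;` are the only grants in the hunk without a why-comment, while the surrounding rules explain each file-source and apk access. Suggested lines, hedged because the caller is not visible here: `# Use fds passed from system_server over Binder — TODO confirm which service passes them` and `# hidl_token_hwservice: look up hybrid (HIDL/Binder) interface tokens — TODO confirm`. The `# overlay package access` rule grants `{ read map }` whereas the mediaserver hunk grants `{ read getattr map }` on the same type; if the difference is intentional a short note would stop the next reviewer from "fixing" it.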
diff --git a/private/mediametrics.te b/private/mediametrics.te
index 5a6f2e1..bb12900 100644
--- a/private/mediametrics.te
+++ b/private/mediametrics.te
@@ -6,3 +6,45 @@
 allow mediametrics stats_service:service_manager find;
 allow mediametrics statsmanager_service:service_manager find;
 binder_call(mediametrics, statsd)
+
+binder_use(mediametrics)
+binder_call(mediametrics, binderservicedomain)
+binder_service(mediametrics)
+
+add_service(mediametrics, mediametrics_service)
+
+allow mediametrics system_server:fd use;
+
+r_dir_file(mediametrics, cgroup)
+r_dir_file(mediametrics, cgroup_v2)
+allow mediametrics proc_meminfo:file r_file_perms;
+
+# allows interactions with dumpsys to GMScore
+allow mediametrics { app_data_file privapp_data_file }:file write;
+
+# allow access to package manager for uid->apk mapping
+allow mediametrics package_native_service:service_manager find;
+
+# Allow metrics service to send information to statsd socket.
+unix_socket_send(mediametrics, statsdw, statsd)
+
+###
+### neverallow rules
+###
+
+# mediametrics should never execute any executable without a
+# domain transition
+neverallow mediametrics { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediametrics domain:{ udp_socket rawip_socket } *;
+neverallow mediametrics { domain userdebug_or_eng(`-su') }:tcp_socket *;
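Review bot: The comment `# allows interactions with dumpsys to GMScore` above `allow mediametrics { app_data_file privapp_data_file }:file write;` does not say what the rule actually permits. The rule grants only `write`, not `open`, so mediametrics can only write to app data files whose fds are handed to it by the caller; stating that makes the narrowness of the grant clear: `# Write dump output to app-owned fds passed in over Binder (e.g. for GMSCore). No open is granted, so only caller-supplied fds can be written.`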
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 5fc13a8..d72caf6 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -33,3 +33,157 @@
 # Allow mediaserver to communicate with Surface provided
 # by virtual camera.
 binder_call(mediaserver, virtual_camera)
+
+typeattribute mediaserver mlstrustedsubject;
+
+net_domain(mediaserver)
+
+r_dir_file(mediaserver, sdcard_type)
+r_dir_file(mediaserver, fuse)
+r_dir_file(mediaserver, cgroup)
+r_dir_file(mediaserver, cgroup_v2)
+
+# stat /proc/self
+allow mediaserver proc:lnk_file getattr;
+
+# open /vendor/lib/mediadrm
+allow mediaserver system_file:dir r_dir_perms;
+
+userdebug_or_eng(`
+  # ptrace to processes in the same domain for memory leak detection
+  allow mediaserver self:process ptrace;
+')
+
+binder_use(mediaserver)
+binder_call(mediaserver, binderservicedomain)
+binder_call(mediaserver, appdomain)
+binder_service(mediaserver)
+
+allow mediaserver media_data_file:dir create_dir_perms;
+allow mediaserver media_data_file:file create_file_perms;
+allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
+allow mediaserver { sdcard_type fuse }:file write;
+allow mediaserver gpu_device:chr_file rw_file_perms;
+allow mediaserver gpu_device:dir r_dir_perms;
+allow mediaserver video_device:dir r_dir_perms;
+allow mediaserver video_device:chr_file rw_file_perms;
+
+# Read resources from open apk files passed over Binder.
+allow mediaserver apk_data_file:file { read getattr };
+allow mediaserver asec_apk_file:file { read getattr };
+allow mediaserver ringtone_file:file { read getattr };
+
+# Read /data/data/com.android.providers.telephony files passed over Binder.
+allow mediaserver radio_data_file:file { read getattr };
+
+# Use pipes passed over Binder from app domains.
+allow mediaserver appdomain:fifo_file { getattr read write };
+
+allow mediaserver rpmsg_device:chr_file rw_file_perms;
+
+# Inter System processes communicate over named pipe (FIFO)
+allow mediaserver system_server:fifo_file r_file_perms;
+
+r_dir_file(mediaserver, media_rw_data_file)
+
+# Grant access to read files on appfuse.
+allow mediaserver app_fuse_file:file { read getattr };
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+unix_socket_connect(mediaserver, drmserver, drmserver)
+
+# Needed on some devices for playing audio on paired BT device,
+# but seems appropriate for all devices.
+unix_socket_connect(mediaserver, bluetooth, bluetooth)
+
+# Needed for mediaserver to send information to statsd socket.
+unix_socket_send(mediaserver, statsdw, statsd)
+
+add_service(mediaserver, mediaserver_service)
+allow mediaserver activity_service:service_manager find;
+allow mediaserver appops_service:service_manager find;
+allow mediaserver audio_service:service_manager find;
+allow mediaserver audioserver_service:service_manager find;
+allow mediaserver cameraserver_service:service_manager find;
+allow mediaserver batterystats_service:service_manager find;
+allow mediaserver drmserver_service:service_manager find;
+allow mediaserver mediaextractor_service:service_manager find;
+allow mediaserver mediametrics_service:service_manager find;
+allow mediaserver media_session_service:service_manager find;
+allow mediaserver package_native_service:service_manager find;
+allow mediaserver permission_service:service_manager find;
+allow mediaserver permission_checker_service:service_manager find;
+allow mediaserver power_service:service_manager find;
+allow mediaserver processinfo_service:service_manager find;
+allow mediaserver scheduling_policy_service:service_manager find;
+allow mediaserver surfaceflinger_service:service_manager find;
+
+# for ModDrm/MediaPlayer
+allow mediaserver mediadrmserver_service:service_manager find;
+
+# For hybrid interfaces
+allow mediaserver hidl_token_hwservice:hwservice_manager find;
+
+# /oem access
+allow mediaserver oemfs:dir search;
+allow mediaserver oemfs:file r_file_perms;
+
+# /oem boot animation file
+allow mediaserver bootanim_oem_file:file r_file_perms;
+
+# /vendor apk access
+allow mediaserver vendor_app_file:file { read map getattr };
+
+use_drmservice(mediaserver)
+allow mediaserver drmserver:drmservice {
+    consumeRights
+    setPlaybackStatus
+    openDecryptSession
+    closeDecryptSession
+    initializeDecryptUnit
+    decrypt
+    finalizeDecryptUnit
+    pread
+};
+
+# only allow unprivileged socket ioctl commands
+allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
+  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow mediaserver media_rw_data_file:dir create_dir_perms;
+allow mediaserver media_rw_data_file:file create_file_perms;
+
+# Access to media in /data/preloads
+allow mediaserver preloads_media_file:file { getattr read ioctl };
+
+allow mediaserver ion_device:chr_file r_file_perms;
+allow mediaserver dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediaserver dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allow mediaserver hal_graphics_allocator:fd use;
+allow mediaserver hal_graphics_composer:fd use;
+allow mediaserver hal_camera:fd use;
+
+allow mediaserver system_server:fd use;
+
+# b/120491318 allow mediaserver to access void:fd
+allow mediaserver vold:fd use;
+
+# overlay package access
+allow mediaserver vendor_overlay_file:file { read getattr map };
+
+hal_client_domain(mediaserver, hal_allocator)
+
+###
+### neverallow rules
+###
+
+# mediaserver should never execute any executable without a
+# domain transition
+neverallow mediaserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
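Review bot: The comment `# b/120491318 allow mediaserver to access void:fd` misspells the domain; the rule below it is `allow mediaserver vold:fd use;`, so the comment should read `# b/120491318 allow mediaserver to access vold:fd`. The comment `# open /vendor/lib/mediadrm` sits above `allow mediaserver system_file:dir r_dir_perms;`, which targets system_file rather than a vendor type, so either the path or the type in that comment is stale and should be reconciled. The `{ append getattr ioctl lock map read write }` grant on app_data_file/privapp_data_file deliberately omits `open`; a note such as `# No open: only fds passed in over Binder can be used.` would make the fd-passing contract explicit, as the fifo_file rule further down already does.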
diff --git a/private/mediaswcodec.te b/private/mediaswcodec.te
index 02079c1..c96c9dd 100644
--- a/private/mediaswcodec.te
+++ b/private/mediaswcodec.te
@@ -4,3 +4,38 @@
 
 get_prop(mediaswcodec, device_config_media_native_prop)
 get_prop(mediaswcodec, device_config_swcodec_native_prop)
+
+hal_server_domain(mediaswcodec, hal_codec2)
+
+# mediaswcodec may use an input surface from a different Codec2 service or an
+# OMX service
+hal_client_domain(mediaswcodec, hal_codec2)
+hal_client_domain(mediaswcodec, hal_omx)
+
+hal_client_domain(mediaswcodec, hal_allocator)
+hal_client_domain(mediaswcodec, hal_graphics_allocator)
+
+# get aac_drc_* properties
+get_prop(mediaswcodec, aac_drc_prop)
+
+crash_dump_fallback(mediaswcodec)
+
+allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allow mediaswcodec gpu_device:chr_file rw_file_perms;
+allow mediaswcodec gpu_device:dir r_dir_perms;
+
+###
+### Neverallow rules
+###
+
+# mediaswcodec_server should never execute any executable without a
+# domain transition
+neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaswcodec domain:{ udp_socket rawip_socket } *;
+neverallow mediaswcodec { domain userdebug_or_eng(`-su') }:tcp_socket *;
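Review bot: The neverallow comment names `mediaswcodec_server`, but the domain in the rule and throughout the file is `mediaswcodec`; change it to `# mediaswcodec should never execute any executable without a` so the comment matches the rule it describes. The `hal_server_domain(mediaswcodec, hal_codec2)` line at the top of the added block has no comment while the client-side lines do; `# mediaswcodec hosts the software Codec2 HAL service.` would round out the block.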
diff --git a/private/modprobe.te b/private/modprobe.te
index 9858675..d7b2fc3 100644
--- a/private/modprobe.te
+++ b/private/modprobe.te
@@ -1 +1,13 @@
 typeattribute modprobe coredomain;
+
+allow modprobe proc_modules:file r_file_perms;
+allow modprobe proc_cmdline:file r_file_perms;
+allow modprobe self:global_capability_class_set sys_module;
+allow modprobe kernel:key search;
+allow modprobe system_dlkm_file:dir search;
+allow modprobe system_dlkm_file:file r_file_perms;
+allow modprobe system_dlkm_file:system module_load;
+recovery_only(`
+  allow modprobe rootfs:system module_load;
+  allow modprobe rootfs:file r_file_perms;
+')
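Review bot: None of the added modprobe rules carry a comment, and two of them are not self-explanatory: `allow modprobe kernel:key search;` and `allow modprobe proc_cmdline:file r_file_perms;`. Hedged suggestions, since the consumer is not visible in the hunk: `# Look up the kernel keyring (presumably for module signature verification) — TODO confirm` and `# Read kernel command line for module options — TODO confirm`. The `recovery_only` block would also benefit from a one-liner such as `# In recovery, modules live on the xattr-less rootfs and keep the rootfs label.`, mirroring the explanation the kernel.te hunk gives for rootfs execute.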
diff --git a/private/net.te b/private/net.te
index 4adf84c..2c2f091 100644
--- a/private/net.te
+++ b/private/net.te
@@ -17,3 +17,21 @@
   -untrusted_app_all
 } self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
 
+###
+### Domain with network access
+###
+
+# Use network sockets.
+allow netdomain self:tcp_socket create_stream_socket_perms;
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
+
+# Connect to ports.
+allow netdomain port_type:tcp_socket name_connect;
+# See changes to the routing table.
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
+
+# Talks to netd via dnsproxyd socket.
+unix_socket_connect(netdomain, dnsproxyd, netd)
+
+# Talks to netd via fwmarkd socket.
+unix_socket_connect(netdomain, fwmarkd, netd)
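Review bot: The netlink_route_socket grant `allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };` spells out the permission set instead of using `create_socket_perms_no_ioctl`, which a later reader may "simplify"; the omission of `bind` appears deliberate given the rule just above the hunk that restricts `{ bind nlmsg_readpriv nlmsg_getneigh }` for some domains (that statement starts outside the hunk). A comment preserves the intent: `# bind, nlmsg_readpriv and nlmsg_getneigh are intentionally omitted; see the netlink_route_socket restriction above.`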
diff --git a/private/netd.te b/private/netd.te
index 6d1c10c..a466ef1 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -36,6 +36,191 @@
 allow netd dumpstate:fd use;
 allow netd dumpstate:fifo_file { getattr write };
 
+net_domain(netd)
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(netd, mdnsd, mdnsd)
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
+allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
+
+r_dir_file(netd, cgroup)
+
+allow netd system_server:fd use;
+
+allow netd self:global_capability_class_set { net_admin net_raw kill };
+# Note: fsetid is deliberately not included above. fsetid checks are
+# triggered by chmod on a directory or file owned by a group other
+# than one of the groups assigned to the current process to see if
+# the setgid bit should be cleared, regardless of whether the setgid
+# bit was even set.  We do not appear to truly need this capability
+# for netd to operate.
+dontaudit netd self:global_capability_class_set fsetid;
+
+# Allow netd to open /dev/tun, set it up and pass it to clatd
+allow netd tun_device:chr_file rw_file_perms;
+allowxperm netd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allow netd self:tun_socket create;
+
+allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_route_socket nlmsg_write;
+allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
+allow netd shell_exec:file rx_file_perms;
+allow netd system_file:file x_file_perms;
+not_full_treble(`allow netd vendor_file:file x_file_perms;')
+allow netd devpts:chr_file rw_file_perms;
+
+# Acquire advisory lock on /system/etc/xtables.lock. If this file doesn't
+# exist, suppress the denial.
+allow netd system_file:file lock;
+dontaudit netd system_file:dir write;
+
+# Allow netd to write to qtaguid ctrl file.
+# TODO: Add proper rules to prevent other process to access qtaguid_proc file
+# after migration complete
+allow netd proc_qtaguid_ctrl:file rw_file_perms;
+# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
+allow netd qtaguid_device:chr_file r_file_perms;
+
+r_dir_file(netd, proc_net_type)
+# For /proc/sys/net/ipv[46]/route/flush.
+allow netd proc_net_type:file rw_file_perms;
+
+# Enables PppController and interface enumeration (among others)
+allow netd sysfs:dir r_dir_perms;
+r_dir_file(netd, sysfs_net)
+
+# Allows setting interface MTU
+allow netd sysfs_net:file w_file_perms;
+
+# TODO: added to match above sysfs rule. Remove me?
+allow netd sysfs_usb:file write;
+
+r_dir_file(netd, cgroup_v2)
+
+# TODO: netd previously thought it needed these permissions to do WiFi related
+#       work.  However, after all the WiFi stuff is gone, we still need them.
+#       Why?
+allow netd self:global_capability_class_set { dac_override dac_read_search chown };
+
+# Needed to update /data/misc/net/rt_tables
+allow netd net_data_file:file create_file_perms;
+allow netd net_data_file:dir rw_dir_perms;
+allow netd self:global_capability_class_set fowner;
+
+# Needed to lock the iptables lock.
+allow netd system_file:file lock;
+
+# Allow netd to spawn dnsmasq in it's own domain
+allow netd dnsmasq:process { sigkill signal };
+
+# Allow netd to publish a binder service and make binder calls.
+binder_use(netd)
+add_service(netd, netd_service)
+add_service(netd, dnsresolver_service)
+add_service(netd, mdns_service)
+allow netd dumpstate:fifo_file  { getattr write };
+
+# Allow netd to call into the system server so it can check permissions.
+allow netd system_server:binder call;
+allow netd permission_service:service_manager find;
+
+# Allow netd to talk to the framework service which collects netd events.
+allow netd netd_listener_service:service_manager find;
+
+# Allow netd to operate on sockets that are passed to it.
+allow netd netdomain:{
+  icmp_socket
+  tcp_socket
+  udp_socket
+  rawip_socket
+  tun_socket
+} { read write getattr setattr getopt setopt };
+allow netd netdomain:fd use;
+
+# give netd permission to read and write netlink xfrm
+allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
+# Allow netd to register as hal server.
+add_hwservice(netd, system_net_netd_hwservice)
+hwbinder_use(netd)
+
+# AIDL hal server
+binder_call(system_net_netd_service, servicemanager)
+add_service(netd, system_net_netd_service)
+
+###
+### Neverallow rules
+###
+### netd should NEVER do any of this
+
+# Block device access.
+neverallow netd dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow netd { domain }:process ptrace;
+
+# Write to /system.
+neverallow netd system_file_type:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;
+
+# only system_server, dumpstate and network stack app may find netd service
+neverallow {
+    domain
+    -system_server
+    -dumpstate
+    -network_stack
+    -netd
+    -netutils_wrapper
+} netd_service:service_manager find;
+
+# only system_server, dumpstate and network stack app may find dnsresolver service
+neverallow {
+    domain
+    -system_server
+    -dumpstate
+    -network_stack
+    -netd
+    -netutils_wrapper
+} dnsresolver_service:service_manager find;
+
+# only system_server, dumpstate and network stack app may find mdns service
+neverallow {
+    domain
+    -system_server
+    -dumpstate
+    -network_stack
+    -netd
+    -netutils_wrapper
+} mdns_service:service_manager find;
+
+# apps may not interact with netd over binder.
+neverallow { appdomain -network_stack } netd:binder call;
+neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
+
+# If an already existing file is opened with O_CREATE, the kernel might generate
+# a false report of a create denial. Silence these denials and make sure that
+# inappropriate permissions are not granted.
+neverallow netd proc_net:dir no_w_dir_perms;
+dontaudit netd proc_net:dir write;
+
+neverallow netd sysfs_net:dir no_w_dir_perms;
+dontaudit netd sysfs_net:dir write;
+
+# Netd should not have SYS_ADMIN privs.
+neverallow netd self:capability sys_admin;
+dontaudit netd self:capability sys_admin;
+
+# Netd should not have SYS_MODULE privs, nor should it be requesting module loads
+# (things it requires should be built directly into the kernel)
+dontaudit netd self:capability sys_module;
+
+dontaudit netd appdomain:unix_stream_socket { read write };
+
 # persist.netd.stable_secret contains RFC 7217 secret key which should never be
 # leaked to other processes. Make sure it never leaks.
 neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
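Review bot: `allow netd system_file:file lock;` appears twice in this hunk (once under the xtables.lock comment, once under "Needed to lock the iptables lock"), and the `allow netd dumpstate:fifo_file  { getattr write };` added after the add_service lines duplicates the unchanged rule at the top of the hunk. The duplicates are harmless to the policy compiler, but the two separate comment blocks read as if they were distinct grants; keeping one copy of each with a merged comment would be clearer. The comment "spawn dnsmasq in it's own domain" should read "its".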
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index a26181f..37a2c47 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -39,9 +39,15 @@
     -appdomain
 }, netutils_wrapper_exec, netutils_wrapper)
 
+###
+### Neverallow rules
+###
+
 # suppress spurious denials
 dontaudit netutils_wrapper self:global_capability_class_set sys_resource;
 dontaudit netutils_wrapper sysfs_type:file read;
 
 # netutils wrapper may only use the following capabilities.
 neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };
+
+neverallow domain netutils_wrapper_exec:file execute_no_trans;
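Review bot: The new `### Neverallow rules ###` header is inserted above the two `dontaudit` suppressions, so the section now opens with rules that are not neverallows. Moving the header down to sit directly above `# netutils wrapper may only use the following capabilities.` keeps the heading accurate and matches the other files in this change, where the header precedes only neverallow statements.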
diff --git a/private/performanced.te b/private/performanced.te
index 792826e..98107ca 100644
--- a/private/performanced.te
+++ b/private/performanced.te
@@ -1,3 +1,31 @@
 typeattribute performanced coredomain;
 
 init_daemon_domain(performanced)
+
+# Needed to check for app permissions.
+binder_use(performanced)
+binder_call(performanced, system_server)
+allow performanced permission_service:service_manager find;
+
+pdx_server(performanced, performance_client)
+
+# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
+allow performanced self:global_capability_class_set { setuid setgid sys_nice };
+
+# Access /proc to validate we're only affecting threads in the same thread group.
+# Performanced also shields unbound kernel threads.  It scans every task in the
+# root cpu set, but only affects the kernel threads.
+r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
+dontaudit performanced domain:dir read;
+allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
+
+# These /proc accesses only show up in permissive mode but they
+# generate a lot of noise in the log.
+userdebug_or_eng(`
+  dontaudit performanced domain:dir open;
+  dontaudit performanced domain:file { open read getattr };
+')
+
+# Access /dev/cpuset/cpuset.cpus
+r_dir_file(performanced, cgroup)
+r_dir_file(performanced, cgroup_v2)
diff --git a/private/postinstall.te b/private/postinstall.te
index 92ddbbf..5a2804b 100644
--- a/private/postinstall.te
+++ b/private/postinstall.te
@@ -6,3 +6,48 @@
 
 # Allow invoking `pm` shell commands.
 allow postinstall package_service:service_manager find;
+
+# Allow postinstall to write to its stdout/stderr when redirected via pipes to
+# update_engine.
+allow postinstall update_engine_common:fd use;
+allow postinstall update_engine_common:fifo_file rw_file_perms;
+
+# Allow postinstall to read and execute directories and files in the same
+# mounted location.
+allow postinstall postinstall_file:file rx_file_perms;
+allow postinstall postinstall_file:lnk_file r_file_perms;
+allow postinstall postinstall_file:dir r_dir_perms;
+
+# Allow postinstall to execute the shell or other system executables.
+allow postinstall shell_exec:file rx_file_perms;
+allow postinstall system_file:file rx_file_perms;
+allow postinstall toolbox_exec:file rx_file_perms;
+
+# Allow postinstall to execute shell in recovery.
+recovery_only(`
+  allow postinstall rootfs:file rx_file_perms;
+')
+
+#
+# For OTA dexopt.
+#
+
+# Allow postinstall scripts to talk to the system server.
+binder_use(postinstall)
+binder_call(postinstall, system_server)
+
+# Need to talk to the otadexopt service.
+allow postinstall otadexopt_service:service_manager find;
+
+# Allow postinstall scripts to trigger f2fs garbage collection
+allow postinstall sysfs_fs_f2fs:file rw_file_perms;
+allow postinstall sysfs_fs_f2fs:dir r_dir_perms;
+
+###
+### Neverallow rules
+###
+
+# No domain other than update_engine and recovery (via update_engine_sideload)
+# should transition to postinstall, as it is only meant to run during the
+# update.
+neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };
diff --git a/private/profman.te b/private/profman.te
index 7ad49b2..af53646 100644
--- a/private/profman.te
+++ b/private/profman.te
@@ -15,3 +15,31 @@
 # profman needs to read the embedded profile that artd extracts from an APK,
 # which is passed by a memfd.
 allow profman artd_tmpfs:file { getattr read map lock };
+
+allow profman user_profile_data_file:file { getattr read write lock map };
+
+# Dumping profile info opens the application APK file for pretty printing.
+allow profman asec_apk_file:file { read map };
+allow profman apk_data_file:file { getattr read map };
+allow profman apk_data_file:dir { getattr read search };
+
+allow profman oemfs:file { read map };
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+allow profman tmpfs:file { read map };
+allow profman profman_dump_data_file:file { write map };
+
+# Allow profman to analyze profiles for the secondary dex files. These
+# are application dex files reported back to the framework when using
+# BaseDexClassLoader.
+allow profman { privapp_data_file app_data_file }:file { getattr read write lock map };
+allow profman { privapp_data_file app_data_file }:dir { getattr read search };
+
+# Allow query ART device config properties
+get_prop(profman, device_config_runtime_native_prop)
+get_prop(profman, device_config_runtime_native_boot_prop)
+
+###
+### neverallow rules
+###
+
+neverallow profman app_data_file_type:notdevfile_class_set open;
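Review bot: `allow profman { privapp_data_file app_data_file }:file { getattr read write lock map }` deliberately omits `open`, and the new `neverallow profman app_data_file_type:notdevfile_class_set open;` at the end enforces that, but nothing in the hunk says so. A comment on the allow rule such as `# open is intentionally absent; presumably these files reach profman only as already-open fds, and the neverallow below keeps it that way` would tell the next editor why adding `open` fails the build.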
diff --git a/private/property.te b/private/property.te
index ae471d0..994594d 100644
--- a/private/property.te
+++ b/private/property.te
@@ -60,7 +60,6 @@
 system_internal_prop(ctl_odsign_prop)
 system_internal_prop(virtualizationservice_prop)
 system_internal_prop(ctl_apex_load_prop)
-system_internal_prop(enable_16k_pages_prop)
 system_internal_prop(sensors_config_prop)
 system_internal_prop(hypervisor_pvmfw_prop)
 system_internal_prop(hypervisor_virtualizationmanager_prop)
@@ -74,6 +73,44 @@
 system_restricted_prop(persist_sysui_builder_extras_prop)
 system_restricted_prop(persist_sysui_ranking_update_prop)
 
+typeattribute log_prop log_property_type;
+typeattribute log_tag_prop log_property_type;
+typeattribute wifi_log_prop log_property_type;
+
+allow property_type tmpfs:filesystem associate;
+
+# core_property_type should not be used for new properties or
+# device specific properties. Properties with this attribute
+# are readable to everyone, which is overly broad and should
+# be avoided.
+# New properties should have appropriate read / write access
+# control rules written.
+
+typeattribute audio_prop         core_property_type;
+typeattribute config_prop        core_property_type;
+typeattribute cppreopt_prop      core_property_type;
+typeattribute dalvik_prop        core_property_type;
+typeattribute debuggerd_prop     core_property_type;
+typeattribute debug_prop         core_property_type;
+typeattribute dhcp_prop          core_property_type;
+typeattribute dumpstate_prop     core_property_type;
+typeattribute logd_prop          core_property_type;
+typeattribute net_radio_prop     core_property_type;
+typeattribute nfc_prop           core_property_type;
+typeattribute ota_prop           core_property_type;
+typeattribute pan_result_prop    core_property_type;
+typeattribute persist_debug_prop core_property_type;
+typeattribute powerctl_prop      core_property_type;
+typeattribute radio_prop         core_property_type;
+typeattribute restorecon_prop    core_property_type;
+typeattribute shell_prop         core_property_type;
+typeattribute system_prop        core_property_type;
+typeattribute usb_prop           core_property_type;
+typeattribute vold_prop          core_property_type;
+
+typeattribute dalvik_config_prop         dalvik_config_prop_type;
+typeattribute dalvik_dynamic_config_prop dalvik_config_prop_type;
+
 ###
 ### Neverallow rules
 ###
@@ -767,4 +804,3 @@
   -init
   -vendor_init
 } pm_archiving_enabled_prop:property_service set;
-
diff --git a/private/radio.te b/private/radio.te
index 08365f0..ef384ba 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -28,9 +28,47 @@
 
 # allow telephony to access related cache properties
 set_prop(radio, binder_cache_telephony_server_prop);
-neverallow { domain -radio -init }
-    binder_cache_telephony_server_prop:property_service set;
 
 # allow sending pulled atoms to statsd
 binder_call(radio, statsd)
 
+net_domain(radio)
+bluetooth_domain(radio)
+binder_service(radio)
+
+# Talks to hal_telephony_server via the rild socket only for devices without full treble
+not_full_treble(`unix_socket_connect(radio, rild, hal_telephony_server)')
+
+# Data file accesses.
+allow radio radio_data_file:dir create_dir_perms;
+allow radio radio_data_file:notdevfile_class_set create_file_perms;
+allow radio radio_core_data_file:dir r_dir_perms;
+allow radio radio_core_data_file:file r_file_perms;
+
+allow radio net_data_file:dir search;
+allow radio net_data_file:file r_file_perms;
+
+add_service(radio, radio_service)
+allow radio audioserver_service:service_manager find;
+allow radio cameraserver_service:service_manager find;
+allow radio drmserver_service:service_manager find;
+allow radio mediaserver_service:service_manager find;
+allow radio nfc_service:service_manager find;
+allow radio app_api_service:service_manager find;
+allow radio system_api_service:service_manager find;
+allow radio timedetector_service:service_manager find;
+allow radio timezonedetector_service:service_manager find;
+
+# Perform HwBinder IPC.
+hwbinder_use(radio)
+hal_client_domain(radio, hal_telephony)
+
+# Used by TelephonyManager
+allow radio proc_cmdline:file r_file_perms;
+
+###
+### Neverallow rules
+###
+
+neverallow { domain -radio -init }
+    binder_cache_telephony_server_prop:property_service set;
diff --git a/private/recovery.te b/private/recovery.te
index 2dba93b..24dfd43 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -47,4 +47,166 @@
 
   # Needed to read bootconfig parameters through libfs_mgr
   allow recovery proc_bootconfig:file r_file_perms;
+
+  # Allow recovery to perform an update as update_engine would do.
+  typeattribute recovery update_engine_common;
+  # Recovery can use HIDL HALs in passthrough mode
+  passthrough_hal_client_domain(recovery, hal_bootctl)
+
+  # Recovery can use AIDL HALs in binder mode
+  binder_use(recovery)
+  hal_client_domain(recovery, hal_health)
+
+  allow recovery self:global_capability_class_set {
+    chown
+    dac_override
+    dac_read_search
+    fowner
+    setuid
+    setgid
+    sys_admin
+    sys_tty_config
+  };
+
+  # Run helpers from / or /system without changing domain.
+  r_dir_file(recovery, rootfs)
+  allow recovery rootfs:file execute_no_trans;
+  allow recovery system_file:file execute_no_trans;
+  allow recovery toolbox_exec:file rx_file_perms;
+
+  # Mount filesystems.
+  allow recovery rootfs:dir mounton;
+  allow recovery tmpfs:dir mounton;
+  allow recovery { fs_type enforce_debugfs_restriction(`-debugfs_type') }:filesystem ~relabelto;
+  allow recovery unlabeled:filesystem ~relabelto;
+  allow recovery contextmount_type:filesystem relabelto;
+
+  # We may be asked to set an SELinux label for a type not known to the
+  # currently loaded policy. Allow it.
+  allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+  allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
+
+  # Get file contexts
+  allow recovery file_contexts_file:file r_file_perms;
+
+  # Write to /proc/sys/vm/drop_caches
+  allow recovery proc_drop_caches:file w_file_perms;
+
+  # Read /proc/swaps
+  allow recovery proc_swaps:file r_file_perms;
+
+  # Read kernel config through libvintf for OTA matching
+  allow recovery config_gz:file { open read getattr };
+
+  # Write to /sys/class/android_usb/android0/enable.
+  r_dir_file(recovery, sysfs_android_usb)
+  allow recovery sysfs_android_usb:file w_file_perms;
+
+  # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
+  allow recovery sysfs_devices_system_cpu:file w_file_perms;
+
+  allow recovery sysfs_batteryinfo:file r_file_perms;
+
+  # Read /sysfs/fs/ext4/features
+  r_dir_file(recovery, sysfs_fs_ext4_features)
+
+  # Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
+  # control backlight brightness.
+  allow recovery sysfs_leds:dir r_dir_perms;
+  allow recovery sysfs_leds:file rw_file_perms;
+  allow recovery sysfs_leds:lnk_file read;
+
+  allow recovery kernel:system syslog_read;
+
+  # Access /dev/usb-ffs/adb/ep0
+  allow recovery functionfs:dir search;
+  allow recovery functionfs:file rw_file_perms;
+  allowxperm recovery functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
+
+  # Access to /sys/fs/selinux/policyvers for compatibility check
+  allow recovery selinuxfs:file r_file_perms;
+
+  # Required to e.g. wipe userdata/cache.
+  allow recovery device:dir r_dir_perms;
+  allow recovery block_device:dir r_dir_perms;
+  allow recovery dev_type:blk_file rw_file_perms;
+  allowxperm recovery { userdata_block_device metadata_block_device cache_block_device }:blk_file ioctl BLKPBSZGET;
+
+  # GUI
+  allow recovery graphics_device:chr_file rw_file_perms;
+  allow recovery graphics_device:dir r_dir_perms;
+  allow recovery input_device:dir r_dir_perms;
+  allow recovery input_device:chr_file r_file_perms;
+  allow recovery tty_device:chr_file rw_file_perms;
+
+  # Create /tmp/recovery.log and execute /tmp/update_binary.
+  allow recovery tmpfs:file { create_file_perms x_file_perms };
+  allow recovery tmpfs:dir create_dir_perms;
+
+  # Manage files on /cache and /cache/recovery
+  allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
+  allow recovery { cache_file cache_recovery_file }:file create_file_perms;
+
+  # Read /sys/class/thermal/*/temp for thermal info.
+  r_dir_file(recovery, sysfs_thermal)
+
+  # Read files on /oem.
+  r_dir_file(recovery, oemfs);
+
+  # Use setfscreatecon() to label files for OTA updates.
+  allow recovery self:process setfscreate;
+
+  # Allow recovery to create a fuse filesystem, and read files from it.
+  allow recovery fuse_device:chr_file rw_file_perms;
+  allow recovery fuse:dir r_dir_perms;
+  allow recovery fuse:file r_file_perms;
+
+  wakelock_use(recovery)
+
+  # This line seems suspect, as it should not really need to
+  # set scheduling parameters for a kernel domain task.
+  allow recovery kernel:process setsched;
+
+  # These are needed to update dynamic partitions in recovery.
+  r_dir_file(recovery, sysfs_dm)
+  allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+  # Allow using libfiemap/gsid directly (no binder in recovery).
+  allow recovery gsi_metadata_file_type:dir search;
+  allow recovery ota_metadata_file:dir rw_dir_perms;
+  allow recovery ota_metadata_file:file create_file_perms;
+
+  # Allow mounting /metadata for writing update states
+  allow recovery metadata_file:dir { getattr mounton };
+
+  # Recovery uses liblogwrap to write fsck logs to kmsg, liblogwrap requires devpts.
+  allow recovery devpts:chr_file rw_file_perms;
+  allow recovery kmsg_device:chr_file { getattr w_file_perms };
 ')
+
+###
+### neverallow rules
+###
+
+# Recovery should never touch /data.
+#
+# In particular, if /data is encrypted, it is not accessible
+# to recovery anyway.
+#
+# For now, we only enforce write/execute restrictions, as domain.te
+# contains a number of read-only rules that apply to all
+# domains, including recovery.
+#
+# TODO: tighten this up further.
+neverallow recovery {
+   data_file_type
+   -cache_file
+   -cache_recovery_file
+  with_native_coverage(`-method_trace_data_file')
+}:file { no_w_file_perms no_x_file_perms };
+neverallow recovery {
+   data_file_type
+   -cache_file
+   -cache_recovery_file
+  with_native_coverage(`-method_trace_data_file')
+}:dir no_w_dir_perms;
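Review bot: The two `neverallow recovery { data_file_type ... }` blocks at the end mix three-space and two-space indentation inside the braces (`-cache_recovery_file` versus `with_native_coverage(...)`), and `r_dir_file(recovery, oemfs);` carries a stray trailing semicolon that the other macro invocations in the hunk do not. Both are cosmetic, but moving the text is the natural point to normalise the indentation to two spaces and drop the semicolon.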
diff --git a/private/recovery_persist.te b/private/recovery_persist.te
index 7cb2e67..3e3c66c 100644
--- a/private/recovery_persist.te
+++ b/private/recovery_persist.te
@@ -2,6 +2,34 @@
 
 init_daemon_domain(recovery_persist)
 
+allow recovery_persist pstorefs:dir search;
+allow recovery_persist pstorefs:file r_file_perms;
+
+allow recovery_persist recovery_data_file:file create_file_perms;
+allow recovery_persist recovery_data_file:dir create_dir_perms;
+
+allow recovery_persist cache_file:dir search;
+allow recovery_persist cache_file:lnk_file read;
+allow recovery_persist cache_recovery_file:dir rw_dir_perms;
+allow recovery_persist cache_recovery_file:file { r_file_perms unlink };
+
+###
+### Neverallow rules
+###
+### recovery_persist should NEVER do any of this
+
+# Block device access.
+neverallow recovery_persist dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow recovery_persist domain:process ptrace;
+
+# Write to /system.
+neverallow recovery_persist system_file_type:dir_file_class_set write;
+
+# Write to files in /data/data
+neverallow recovery_persist { app_data_file_type system_data_file }:dir_file_class_set write;
+
 # recovery_persist is not allowed to write anywhere other than recovery_data_file
 neverallow recovery_persist {
   file_type
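Review bot: The comment `# Write to files in /data/data` above `neverallow recovery_persist { app_data_file_type system_data_file }:dir_file_class_set write;` describes only half of the rule, which also covers system_data_file. The sibling recovery_refresh.te hunk in this change uses `# Write to files in /data/data or system files on /data` for the identical rule; using the same wording here keeps the two files in step.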
diff --git a/private/recovery_refresh.te b/private/recovery_refresh.te
index 3c095cc..9dd95e3 100644
--- a/private/recovery_refresh.te
+++ b/private/recovery_refresh.te
@@ -2,6 +2,27 @@
 
 init_daemon_domain(recovery_refresh)
 
+allow recovery_refresh pstorefs:dir search;
+allow recovery_refresh pstorefs:file r_file_perms;
+# NB: domain inherits write_logd which hands us write to pmsg_device
+
+###
+### Neverallow rules
+###
+### recovery_refresh should NEVER do any of this
+
+# Block device access.
+neverallow recovery_refresh dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow recovery_refresh domain:process ptrace;
+
+# Write to /system.
+neverallow recovery_refresh system_file_type:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow recovery_refresh { app_data_file_type system_data_file }:dir_file_class_set write;
+
 # recovery_refresh is not allowed to write anywhere
 neverallow recovery_refresh {
   file_type
diff --git a/public/remote_provisioning_service_server.te b/private/remote_provisioning_service_server.te
similarity index 100%
rename from public/remote_provisioning_service_server.te
rename to private/remote_provisioning_service_server.te
diff --git a/public/rootdisk_sysdev.te b/private/rootdisk_sysdev.te
similarity index 100%
rename from public/rootdisk_sysdev.te
rename to private/rootdisk_sysdev.te
diff --git a/private/runas.te b/private/runas.te
index ef31aac..1d9aed0 100644
--- a/private/runas.te
+++ b/private/runas.te
@@ -2,3 +2,44 @@
 
 # ndk-gdb invokes adb shell run-as.
 domain_auto_trans(shell, runas_exec, runas)
+
+allow runas adbd:fd use;
+allow runas adbd:process sigchld;
+allow runas adbd:unix_stream_socket { read write };
+allow runas shell:fd use;
+allow runas shell:fifo_file { read write };
+allow runas shell:unix_stream_socket { read write };
+allow runas devpts:chr_file { read write ioctl };
+allow runas shell_data_file:file { read write };
+
+# run-as reads package information.
+allow runas system_data_file:file r_file_perms;
+allow runas system_data_file:lnk_file getattr;
+allow runas packages_list_file:file r_file_perms;
+
+# The app's data dir may be accessed through a symlink.
+allow runas system_data_file:lnk_file read;
+
+# run-as checks and changes to the app data dir.
+dontaudit runas self:global_capability_class_set { dac_override dac_read_search };
+allow runas app_data_file:dir { getattr search };
+
+# run-as switches to the app UID/GID.
+allow runas self:global_capability_class_set { setuid setgid };
+
+# run-as switches to the app security context.
+selinux_check_context(runas) # validate context
+allow runas self:process setcurrent;
+allow runas non_system_app_set:process dyntransition; # setcon
+
+# runas/libselinux needs access to seapp_contexts_file to
+# determine which domain to transition to.
+allow runas seapp_contexts_file:file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
+neverallow runas self:global_capability_class_set ~{ setuid setgid };
+neverallow runas self:global_capability2_class_set *;
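Review bot: `allow runas system_data_file:lnk_file getattr;` and, a few lines later, `allow runas system_data_file:lnk_file read;` split one grant across two rules under two different comments. Merging them into `allow runas system_data_file:lnk_file { getattr read };` beneath the "The app's data dir may be accessed through a symlink" comment (keeping the package-information note on the file rule) shows the symlink access in one place.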
diff --git a/public/scheduler_service_server.te b/private/scheduler_service_server.te
similarity index 100%
rename from public/scheduler_service_server.te
rename to private/scheduler_service_server.te
diff --git a/private/sdcardd.te b/private/sdcardd.te
index 126d643..7cea890 100644
--- a/private/sdcardd.te
+++ b/private/sdcardd.te
@@ -1,3 +1,47 @@
 typeattribute sdcardd coredomain;
 
 type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
+
+allow sdcardd cgroup:dir create_dir_perms;
+allow sdcardd cgroup_v2:dir create_dir_perms;
+allow sdcardd fuse_device:chr_file rw_file_perms;
+allow sdcardd rootfs:dir mounton;  # TODO: deprecated in M
+allow sdcardd sdcardfs:filesystem remount;
+allow sdcardd tmpfs:dir r_dir_perms;
+allow sdcardd mnt_media_rw_file:dir r_dir_perms;
+allow sdcardd storage_file:dir search;
+allow sdcardd storage_stub_file:dir { search mounton };
+allow sdcardd { sdcard_type fuse }:filesystem { mount unmount };
+allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
+
+allow sdcardd { sdcard_type fuse }:dir create_dir_perms;
+allow sdcardd { sdcard_type fuse }:file create_file_perms;
+
+allow sdcardd media_rw_data_file:dir create_dir_perms;
+allow sdcardd media_rw_data_file:file create_file_perms;
+
+# Read /data/system/packages.list.
+allow sdcardd system_data_file:file r_file_perms;
+allow sdcardd packages_list_file:file r_file_perms;
+
+# Read /data/misc/installd/layout_version
+allow sdcardd install_data_file:file r_file_perms;
+allow sdcardd install_data_file:dir search;
+
+# Allow stdin/out back to vold
+allow sdcardd vold:fd use;
+allow sdcardd vold:fifo_file { read write getattr };
+
+# Allow running on top of expanded storage
+allow sdcardd mnt_expand_file:dir search;
+
+# access /proc/filesystems
+allow sdcardd proc_filesystems:file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# The sdcard daemon should no longer be started from init
+neverallow init sdcardd_exec:file execute;
+neverallow init sdcardd:process { transition dyntransition };
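Review bot: `allow sdcardd rootfs:dir mounton;  # TODO: deprecated in M` carries a TODO referring to a release several versions old into the new location. If the rule is still required, the comment should say what depends on it; if not, this move is the natural point to drop it, though whether anything still relies on it cannot be judged from the hunk.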
diff --git a/public/sensor_service_server.te b/private/sensor_service_server.te
similarity index 100%
rename from public/sensor_service_server.te
rename to private/sensor_service_server.te
diff --git a/private/service.te b/private/service.te
index cce3be4..d777e53 100644
--- a/private/service.te
+++ b/private/service.te
@@ -33,3 +33,12 @@
 
 type uce_service,                   service_manager_type;
 type wearable_sensing_service,      app_api_service, system_server_service, service_manager_type;
+
+###
+### Neverallow rules
+###
+
+# servicemanager handles registering or looking up named services.
+# It does not make sense to register or lookup something which is not a service.
+# Trigger a compile error if this occurs.
+neverallow domain ~{ service_manager_type vndservice_manager_type }:service_manager { add find };
diff --git a/private/servicemanager.te b/private/servicemanager.te
index 5a69a43..7a5bf51 100644
--- a/private/servicemanager.te
+++ b/private/servicemanager.te
@@ -12,3 +12,39 @@
 
 # servicemanager is using apex_info via libvintf
 use_apex_info(servicemanager)
+
+# Note that we do not use the binder_* macros here.
+# servicemanager is unique in that it only provides
+# name service (aka context manager) for Binder.
+# As such, it only ever receives and transfers other references
+# created by other domains.  It never passes its own references
+# or initiates a Binder IPC.
+allow servicemanager self:binder set_context_mgr;
+allow servicemanager {
+  domain
+  -init
+  -vendor_init
+  -hwservicemanager
+  -vndservicemanager
+}:binder transfer;
+
+allow servicemanager service_contexts_file:file r_file_perms;
+
+allow servicemanager vendor_service_contexts_file:file r_file_perms;
+
+# nonplat_service_contexts only accessible on non full-treble devices
+not_full_treble(`allow servicemanager vendor_service_contexts_file:file r_file_perms;')
+
+add_service(servicemanager, service_manager_service)
+allow servicemanager dumpstate:fd use;
+allow servicemanager dumpstate:fifo_file write;
+
+# Check SELinux permissions.
+selinux_check_access(servicemanager)
+
+allow servicemanager kmsg_device:chr_file rw_file_perms;
+
+recovery_only(`
+  # Read VINTF files.
+  r_dir_file(servicemanager, rootfs)
+')
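Review bot: `not_full_treble(`allow servicemanager vendor_service_contexts_file:file r_file_perms;')` is redundant, because the unconditional `allow servicemanager vendor_service_contexts_file:file r_file_perms;` two lines above already grants the same access on every device. The comment above it also refers to `nonplat_service_contexts`, a name that does not appear in the rule. Dropping the not_full_treble line and its comment removes the inconsistency; if a distinct non-treble context type was intended, that type should be named instead.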
diff --git a/private/sgdisk.te b/private/sgdisk.te
index a17342e..42b8c6b 100644
--- a/private/sgdisk.te
+++ b/private/sgdisk.te
@@ -1 +1,38 @@
 typeattribute sgdisk coredomain;
+
+# Allowed to read/write low-level partition tables
+allow sgdisk block_device:dir search;
+allow sgdisk vold_device:blk_file rw_file_perms;
+# HDIO_GETGEO needed to get the number of disk heads
+# on vold_device. How quaint.
+allowxperm sgdisk vold_device:blk_file ioctl { HDIO_GETGEO };
+# sgdisk also uses BLKGETSIZE and BLKGETSIZE64. BLKGETSIZE64
+# is granted to all block device users in domain.te, so
+# no need to mention it here. sgdisk should not be
+# using the BLKGETSIZE ioctl as it is useless for devices over
+# 2T in size, but we allow it for now and hope that sgdisk
+# will fix their bug.
+allowxperm sgdisk vold_device:blk_file ioctl { BLKGETSIZE };
+# Force a re-read of the partition table.
+allowxperm sgdisk vold_device:blk_file ioctl { BLKRRPART };
+# Allow reading of the physical block size.
+allowxperm sgdisk vold_device:blk_file ioctl { BLKPBSZGET };
+
+# Inherit and use pty created by android_fork_execvp()
+allow sgdisk devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow sgdisk vold:fd use;
+allow sgdisk vold:fifo_file { read write getattr };
+
+# Used to probe kernel to reload partition tables
+allow sgdisk self:global_capability_class_set sys_admin;
+
+###
+### Neverallow rules
+###
+
+# Only allow entry from vold
+neverallow { domain -vold } sgdisk:process transition;
+neverallow * sgdisk:process dyntransition;
+neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
diff --git a/private/shell.te b/private/shell.te
index 9417d47..8adc71c 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -134,7 +134,6 @@
 # Allow shell to call perf_event_open for profiling other shell processes, but
 # not the whole system.
 allow shell self:perf_event { open read write kernel };
-neverallow shell self:perf_event ~{ open read write kernel };
 
 # Allow shell to read microdroid vendor image
 r_dir_file(shell, vendor_microdroid_file)
@@ -238,10 +237,6 @@
 # Allow shell to read Virtual A/B related properties
 get_prop(shell, virtual_ab_prop)
 
-# Never allow others to set or get the perf.drop_caches property.
-neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
-neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
-
 # Allow ReadDefaultFstab() for CTS.
 read_fstab(shell)
 
@@ -274,3 +269,243 @@
     allow shell aconfigd_socket:sock_file write;
     allow shell aconfigd:unix_stream_socket connectto;
 ')
+
+# Create and use network sockets.
+net_domain(shell)
+
+# logcat
+read_logd(shell)
+control_logd(shell)
+get_prop(shell, logd_prop)
+# logcat -L (directly, or via dumpstate)
+allow shell pstorefs:dir search;
+allow shell pstorefs:file r_file_perms;
+
+# Root fs.
+allow shell rootfs:dir r_dir_perms;
+
+# read files in /data/anr
+allow shell anr_data_file:dir r_dir_perms;
+allow shell anr_data_file:file r_file_perms;
+
+# Access /data/local/tmp.
+allow shell shell_data_file:dir create_dir_perms;
+allow shell shell_data_file:file create_file_perms;
+allow shell shell_data_file:file rx_file_perms;
+allow shell shell_data_file:lnk_file create_file_perms;
+
+# Access /data/local/tests.
+allow shell shell_test_data_file:dir create_dir_perms;
+allow shell shell_test_data_file:file create_file_perms;
+allow shell shell_test_data_file:file rx_file_perms;
+allow shell shell_test_data_file:lnk_file create_file_perms;
+allow shell shell_test_data_file:sock_file create_file_perms;
+
+# Read and delete from /data/local/traces.
+allow shell trace_data_file:file { r_file_perms unlink };
+allow shell trace_data_file:dir { r_dir_perms remove_name write };
+
+# Access /data/misc/profman.
+allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
+allow shell profman_dump_data_file:file { unlink r_file_perms };
+
+# Read/execute files in /data/nativetest
+userdebug_or_eng(`
+  allow shell nativetest_data_file:dir r_dir_perms;
+  allow shell nativetest_data_file:file rx_file_perms;
+')
+
+# adb bugreport
+unix_socket_connect(shell, dumpstate, dumpstate)
+
+allow shell devpts:chr_file rw_file_perms;
+allow shell tty_device:chr_file rw_file_perms;
+allow shell console_device:chr_file rw_file_perms;
+
+allow shell input_device:dir r_dir_perms;
+allow shell input_device:chr_file r_file_perms;
+
+r_dir_file(shell, system_file)
+allow shell system_file:file x_file_perms;
+allow shell toolbox_exec:file rx_file_perms;
+allow shell shell_exec:file rx_file_perms;
+allow shell zygote_exec:file rx_file_perms;
+
+userdebug_or_eng(`
+  # "systrace --boot" support - allow boottrace service to run
+  allow shell boottrace_data_file:dir rw_dir_perms;
+  allow shell boottrace_data_file:file create_file_perms;
+')
+
+# allow shell access to services
+allow shell servicemanager:service_manager list;
+# don't allow shell to access GateKeeper service
+# TODO: why is this so broad? Tightening candidate? It needs at list:
+# - dumpstate_service (so it can receive dumpstate progress updates)
+allow shell {
+  service_manager_type
+  -apex_service
+  -dnsresolver_service
+  -gatekeeper_service
+  -hal_keymint_service
+  -hal_secureclock_service
+  -hal_sharedsecret_service
+  -incident_service
+  -installd_service
+  -mdns_service
+  -netd_service
+  -system_suspend_control_internal_service
+  -system_suspend_control_service
+  -virtual_touchpad_service
+  -vold_service
+  -default_android_service
+}:service_manager find;
+allow shell dumpstate:binder call;
+
+# allow shell to get information from hwservicemanager
+# for instance, listing hardware services with lshal
+hwbinder_use(shell)
+allow shell hwservicemanager:hwservice_manager list;
+
+# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
+r_dir_file(shell, proc_net_type)
+
+allow shell {
+  proc_asound
+  proc_filesystems
+  proc_interrupts
+  proc_loadavg # b/124024827
+  proc_meminfo
+  proc_modules
+  proc_pid_max
+  proc_slabinfo
+  proc_stat
+  proc_timer
+  proc_uptime
+  proc_version
+  proc_vmstat
+  proc_zoneinfo
+}:file r_file_perms;
+
+# allow listing network interfaces under /sys/class/net.
+allow shell sysfs_net:dir r_dir_perms;
+
+r_dir_file(shell, cgroup)
+allow shell cgroup_desc_file:file r_file_perms;
+allow shell cgroup_desc_api_file:file r_file_perms;
+allow shell vendor_cgroup_desc_file:file r_file_perms;
+r_dir_file(shell, cgroup_v2)
+allow shell domain:dir { search open read getattr };
+allow shell domain:{ file lnk_file } { open read getattr };
+
+# statvfs() of /proc and other labeled filesystems
+# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
+allow shell { proc labeledfs }:filesystem getattr;
+
+# stat() of /dev
+allow shell device:dir getattr;
+
+# allow shell to read /proc/pid/attr/current for ps -Z
+allow shell domain:process getattr;
+
+# Allow pulling the SELinux policy for CTS purposes
+allow shell selinuxfs:dir r_dir_perms;
+allow shell selinuxfs:file r_file_perms;
+
+# enable shell domain to read/write files/dirs for bootchart data
+# User will creates the start and stop file via adb shell
+# and read other files created by init process under /data/bootchart
+allow shell bootchart_data_file:dir rw_dir_perms;
+allow shell bootchart_data_file:file create_file_perms;
+
+# Make sure strace works for the non-privileged shell user
+allow shell self:process ptrace;
+
+# allow shell to get battery info
+allow shell sysfs:dir r_dir_perms;
+allow shell sysfs_batteryinfo:dir r_dir_perms;
+allow shell sysfs_batteryinfo:file r_file_perms;
+
+# Allow access to ion memory allocation device.
+allow shell ion_device:chr_file rw_file_perms;
+
+#
+# filesystem test for insecure chr_file's is done
+# via a host side test
+#
+allow shell dev_type:dir r_dir_perms;
+allow shell dev_type:chr_file getattr;
+
+# /dev/fd is a symlink
+allow shell proc:lnk_file getattr;
+
+#
+# filesystem test for insucre blk_file's is done
+# via hostside test
+#
+allow shell dev_type:blk_file getattr;
+
+# read selinux policy files
+allow shell file_contexts_file:file r_file_perms;
+allow shell property_contexts_file:file r_file_perms;
+allow shell seapp_contexts_file:file r_file_perms;
+allow shell service_contexts_file:file r_file_perms;
+allow shell sepolicy_file:file r_file_perms;
+
+# Allow shell to start up vendor shell
+allow shell vendor_shell_exec:file rx_file_perms;
+
+# Everything is labeled as rootfs in recovery mode. Allow shell to
+# execute them.
+recovery_only(`
+  allow shell rootfs:file rx_file_perms;
+')
+
+###
+### Neverallow rules
+###
+
+# Do not allow shell to talk directly to security HAL services other than
+# hal_remotelyprovisionedcomponent_service
+neverallow shell {
+  hal_keymint_service
+  hal_secureclock_service
+  hal_sharedsecret_service
+}:service_manager find;
+
+# Do not allow shell to hard link to any files.
+# In particular, if shell hard links to app data
+# files, installd will not be able to guarantee the deletion
+# of the linked to file. Hard links also contribute to security
+# bugs, so we want to ensure the shell user never has this
+# capability.
+neverallow shell file_type:file link;
+
+# Do not allow privileged socket ioctl commands
+neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+
+# limit shell access to sensitive char drivers to
+# only getattr required for host side test.
+neverallow shell {
+  fuse_device
+  hw_random_device
+  port_device
+}:chr_file ~getattr;
+
+# Limit shell to only getattr on blk devices for host side tests.
+neverallow shell dev_type:blk_file ~getattr;
+
+# b/30861057: Shell access to existing input devices is an abuse
+# vector. The shell user can inject events that look like they
+# originate from the touchscreen etc.
+# Everyone should have already moved to UiAutomation#injectInputEvent
+# if they are running instrumentation tests (i.e. CTS), Monkey for
+# their stress tests, and the input command (adb shell input ...) for
+# injecting swipes and things.
+neverallow shell input_device:chr_file no_w_file_perms;
+
+neverallow shell self:perf_event ~{ open read write kernel };
+
+# Never allow others to set or get the perf.drop_caches property.
+neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
+neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
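Review bot: The comment `# don't allow shell to access GateKeeper service` above the large `service_manager find` allow-list is honoured only by the `-gatekeeper_service` exclusion inside that list; unlike keymint/secureclock/sharedsecret, gatekeeper_service is not in the `neverallow shell { ... }:service_manager find;` set, so a later allow rule elsewhere could reopen it without a compile error. If no other rule is meant to grant it, add `gatekeeper_service` to that neverallow set and move the comment next to it, so the intent is enforced rather than merely documented. Two comment typos in the same hunk: `It needs at list:` should read `at least`, and `insucre blk_file's` should read `insecure`.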
diff --git a/private/slideshow.te b/private/slideshow.te
index 7dfa994..d7c9868 100644
--- a/private/slideshow.te
+++ b/private/slideshow.te
@@ -1 +1,11 @@
 typeattribute slideshow coredomain;
+
+allow slideshow kmsg_device:chr_file rw_file_perms;
+wakelock_use(slideshow)
+allow slideshow device:dir r_dir_perms;
+allow slideshow self:global_capability_class_set sys_tty_config;
+allow slideshow graphics_device:dir r_dir_perms;
+allow slideshow graphics_device:chr_file rw_file_perms;
+allow slideshow input_device:dir r_dir_perms;
+allow slideshow input_device:chr_file r_file_perms;
+allow slideshow tty_device:chr_file rw_file_perms;
diff --git a/public/stats_service_server.te b/private/stats_service_server.te
similarity index 100%
rename from public/stats_service_server.te
rename to private/stats_service_server.te
diff --git a/private/statsd.te b/private/statsd.te
index 051b99e..1e43160 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -35,3 +35,100 @@
 
 # Allow statsd to trigger uprobestats via property.
 set_prop(statsd, uprobestats_start_with_config_prop);
+binder_use(statsd)
+
+# Allow statsd to scan through /proc/pid for all processes.
+r_dir_file(statsd, domain)
+
+# Allow executing files on system, such as running a shell or running:
+#   /system/bin/toolbox
+#   /system/bin/logcat
+#   /system/bin/dumpsys
+allow statsd devpts:chr_file { getattr ioctl read write };
+allow statsd shell_exec:file rx_file_perms;
+allow statsd system_file:file execute_no_trans;
+allow statsd toolbox_exec:file rx_file_perms;
+
+userdebug_or_eng(`
+  allow statsd su:fifo_file read;
+')
+
+# Create, read, and write into
+#   /data/misc/stats-active-metric
+#   /data/misc/stats-data
+#   /data/misc/stats-metadata
+#   /data/misc/stats-service
+#   /data/misc/train-info
+allow statsd stats_data_file:dir create_dir_perms;
+allow statsd stats_data_file:file create_file_perms;
+allow statsd stats_config_data_file:dir create_dir_perms;
+allow statsd stats_config_data_file:file create_file_perms;
+
+# Allow statsd to make binder calls to any binder service.
+binder_call(statsd, appdomain)
+binder_call(statsd, incidentd)
+binder_call(statsd, system_server)
+binder_call(statsd, traced_probes)
+
+# Allow statsd to interact with gpuservice
+allow statsd gpu_service:service_manager find;
+binder_call(statsd, gpuservice)
+
+# Allow statsd to interact with keystore to pull atoms
+allow statsd keystore_service:service_manager find;
+binder_call(statsd, keystore)
+
+# Allow statsd to interact with mediametrics
+allow statsd mediametrics_service:service_manager find;
+binder_call(statsd, mediametrics)
+
+# Allow statsd to interact with mediametrics
+allow statsd mediaserver_service:service_manager find;
+binder_call(statsd, mediaserver)
+
+# Allow logd access.
+read_logd(statsd)
+control_logd(statsd)
+
+# Grant statsd with permissions to register the services.
+allow statsd {
+  app_api_service
+  incident_service
+  system_api_service
+}:service_manager find;
+
+# Grant statsd to access health hal to access battery metrics.
+allow statsd hal_health_hwservice:hwservice_manager find;
+
+# Allow statsd to send dump info to dumpstate
+allow statsd dumpstate:fd use;
+allow statsd dumpstate:fifo_file { getattr write };
+
+# Allow access to with hardware layer and process stats.
+allow statsd proc_uid_cputime_showstat:file { getattr open read };
+hal_client_domain(statsd, hal_health)
+hal_client_domain(statsd, hal_power)
+hal_client_domain(statsd, hal_power_stats)
+hal_client_domain(statsd, hal_thermal)
+
+# Allow 'adb shell cmd' to upload configs and download output.
+allow statsd adbd:fd use;
+allow statsd adbd:unix_stream_socket { getattr read write };
+allow statsd shell:fifo_file { getattr read write };
+
+unix_socket_send(statsd, statsdw, statsd)
+
+###
+### neverallow rules
+###
+
+# Only statsd and the other root services in limited circumstances.
+# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
+# Other services are prohibitted from accessing the file.
+neverallow { domain -statsd -init -vold } stats_data_file:file *;
+neverallow { domain -statsd -system_server -init -vold } stats_config_data_file:file *;
+
+
+# Limited access to the directory itself.
+neverallow { domain -statsd -init -vold } stats_data_file:dir *;
+neverallow { domain -statsd -system_server -init -vold } stats_config_data_file:dir *;
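Review bot: Several comments in this hunk no longer match the rules under them: `# Allow statsd to make binder calls to any binder service.` sits above four specific `binder_call` targets (appdomain, incidentd, system_server, traced_probes), and `# Grant statsd with permissions to register the services.` sits above a rule that grants only `service_manager find`, not `add`. Reword them to what the rules do, e.g. `# Allow statsd to call back into these specific domains.` and `# Allow statsd to find the services it pulls atoms from.`, so a reviewer does not assume a broader grant than exists. The second `# Allow statsd to interact with mediametrics` comment belongs to the mediaserver rules and should say mediaserver; `prohibitted` in the neverallow comment should read `prohibited`.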
diff --git a/private/su.te b/private/su.te
index 906c806..2d4b0c6 100644
--- a/private/su.te
+++ b/private/su.te
@@ -30,4 +30,105 @@
 
   # Do not audit accesses to keystore2 namespace for the su domain.
   dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
+
+  typeattribute su mlstrustedsubject;
+
+  # Add su to various domains
+  net_domain(su)
+
+  # grant su access to vndbinder
+  vndbinder_use(su)
+
+  dontaudit su self:capability_class_set *;
+  dontaudit su self:capability2 *;
+  dontaudit su kernel:security *;
+  dontaudit su { kernel file_type }:system *;
+  dontaudit su self:memprotect *;
+  dontaudit su domain:anon_inode *;
+  dontaudit su domain:{ process process2 } *;
+  dontaudit su domain:fd *;
+  dontaudit su domain:dir *;
+  dontaudit su domain:lnk_file *;
+  dontaudit su domain:{ fifo_file file } *;
+  dontaudit su domain:socket_class_set *;
+  dontaudit su domain:ipc_class_set *;
+  dontaudit su domain:key *;
+  dontaudit su {fs_type fusefs_type}:filesystem *;
+  dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
+  dontaudit su node_type:node *;
+  dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
+  dontaudit su netif_type:netif *;
+  dontaudit su port_type:socket_class_set *;
+  dontaudit su port_type:{ tcp_socket dccp_socket } *;
+  dontaudit su domain:peer *;
+  dontaudit su domain:binder *;
+  dontaudit su property_type:property_service *;
+  dontaudit su property_type:file *;
+  dontaudit su service_manager_type:service_manager *;
+  dontaudit su hwservice_manager_type:hwservice_manager *;
+  dontaudit su vndservice_manager_type:service_manager *;
+  dontaudit su servicemanager:service_manager list;
+  dontaudit su hwservicemanager:hwservice_manager list;
+  dontaudit su vndservicemanager:service_manager list;
+  dontaudit su keystore:keystore2 *;
+  dontaudit su domain:drmservice *;
+  dontaudit su unlabeled:filesystem *;
+  dontaudit su postinstall_file:filesystem *;
+  dontaudit su domain:bpf *;
+  dontaudit su unlabeled:vsock_socket *;
+  dontaudit su self:perf_event *;
+
+  # VTS tests run in the permissive su domain on debug builds, but the HALs
+  # being tested run in enforcing mode. Because hal_foo_server is enforcing
+  # su needs to be declared as hal_foo_client to grant hal_foo_server
+  # permission to interact with it.
+  typeattribute su halclientdomain;
+  typeattribute su hal_allocator_client;
+  typeattribute su hal_atrace_client;
+  typeattribute su hal_audio_client;
+  typeattribute su hal_authsecret_client;
+  typeattribute su hal_bluetooth_client;
+  typeattribute su hal_bootctl_client;
+  typeattribute su hal_camera_client;
+  typeattribute su hal_configstore_client;
+  typeattribute su hal_confirmationui_client;
+  typeattribute su hal_contexthub_client;
+  typeattribute su hal_drm_client;
+  typeattribute su hal_cas_client;
+  typeattribute su hal_dumpstate_client;
+  typeattribute su hal_fingerprint_client;
+  typeattribute su hal_gatekeeper_client;
+  typeattribute su hal_gnss_client;
+  typeattribute su hal_graphics_allocator_client;
+  typeattribute su hal_graphics_composer_client;
+  typeattribute su hal_health_client;
+  typeattribute su hal_input_classifier_client;
+  typeattribute su hal_ir_client;
+  typeattribute su hal_keymaster_client;
+  typeattribute su hal_light_client;
+  typeattribute su hal_memtrack_client;
+  typeattribute su hal_neuralnetworks_client;
+  typeattribute su hal_nfc_client;
+  typeattribute su hal_oemlock_client;
+  typeattribute su hal_power_client;
+  typeattribute su hal_rebootescrow_client;
+  typeattribute su hal_secretkeeper_client;
+  typeattribute su hal_secure_element_client;
+  typeattribute su hal_sensors_client;
+  typeattribute su hal_telephony_client;
+  typeattribute su hal_tetheroffload_client;
+  typeattribute su hal_thermal_client;
+  typeattribute su hal_tv_cec_client;
+  typeattribute su hal_tv_hdmi_cec_client;
+  typeattribute su hal_tv_hdmi_connection_client;
+  typeattribute su hal_tv_hdmi_earc_client;
+  typeattribute su hal_tv_input_client;
+  typeattribute su hal_tv_tuner_client;
+  typeattribute su hal_usb_client;
+  typeattribute su hal_vibrator_client;
+  typeattribute su hal_vr_client;
+  typeattribute su hal_weaver_client;
+  typeattribute su hal_wifi_client;
+  typeattribute su hal_wifi_hostapd_client;
+  typeattribute su hal_wifi_supplicant_client;
 ')
diff --git a/private/system_server.te b/private/system_server.te
index 5da6f66..8e137e3 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -401,6 +401,7 @@
   hal_bluetooth_server
   hal_camera_server
   hal_codec2_server
+  hal_drm_server
   hal_face_server
   hal_fingerprint_server
   hal_gnss_server
@@ -1281,6 +1282,10 @@
 # Allow system server to read profcollectd reports for upload.
 userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')
 
+# Power controls for debugging/diagnostics
+get_prop(system_server, power_debug_prop)
+set_prop(system_server, power_debug_prop)
+
 ###
 ### Neverallow rules
 ###
@@ -1618,10 +1623,18 @@
 # TODO(azilio): Remove system property after archiving testing is completed.
 get_prop(system_server, pm_archiving_enabled_prop)
 
+# Allow accessing /mnt/pre_reboot_dexopt/chroot, to load the new service-art.jar
+# in Pre-reboot Dexopt.
+allow system_server pre_reboot_dexopt_file:dir { getattr search };
+
 # Do not allow any domain other than init or system server to get or set the property
 neverallow { domain -init -system_server } crashrecovery_prop:property_service set;
 neverallow { domain -init -dumpstate -system_server } crashrecovery_prop:file no_rw_file_perms;
 
-# Allow accessing /mnt/pre_reboot_dexopt/chroot, to load the new service-art.jar
-# in Pre-reboot Dexopt.
-allow system_server pre_reboot_dexopt_file:dir { getattr search };
+neverallow {
+  domain
+  -init
+  -vendor_init
+  -system_server
+  -shell
+} power_debug_prop:property_service set;
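Review bot: The new neverallow exempts `shell` and `vendor_init` from setting power_debug_prop, but the only allow this change adds is `set_prop(system_server, power_debug_prop)`; if no `set_prop(shell, power_debug_prop)` exists elsewhere, the `-shell` exemption is an unneeded hole and should be dropped, otherwise a comment should say which shell workflow needs it. The adjacent crashrecovery_prop pair also pins read access with `neverallow { domain -init -dumpstate -system_server } crashrecovery_prop:file no_rw_file_perms;`; the power debugging property gets no read-side neverallow, which is fine only if its value is not sensitive, and that decision is worth a one-line comment.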
diff --git a/public/system_suspend_internal_server.te b/private/system_suspend_internal_server.te
similarity index 100%
rename from public/system_suspend_internal_server.te
rename to private/system_suspend_internal_server.te
diff --git a/public/system_suspend_server.te b/private/system_suspend_server.te
similarity index 100%
rename from public/system_suspend_server.te
rename to private/system_suspend_server.te
diff --git a/private/tee.te b/private/tee.te
new file mode 100644
index 0000000..2f86c4d
--- /dev/null
+++ b/private/tee.te
@@ -0,0 +1,2 @@
+allow tee fingerprint_vendor_data_file:dir rw_dir_perms;
+allow tee fingerprint_vendor_data_file:file create_file_perms;
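Review bot: This new file grants the tee domain full create/write access to fingerprint_vendor_data_file without a single comment saying which component needs it, and a two-rule file with no rationale is hard to audit later. Add a header comment naming the path and the consumer, e.g. `# /data/vendor_de/*/fpdata: template storage written by the TEE-side fingerprint code — TODO confirm path and owner`, hedged as needed.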
diff --git a/private/tombstoned.te b/private/tombstoned.te
index b6dfd1e..1384835 100644
--- a/private/tombstoned.te
+++ b/private/tombstoned.te
@@ -4,6 +4,24 @@
 
 get_prop(tombstoned, tombstone_config_prop)
 
+# Write to arbitrary pipes given to us.
+allow tombstoned domain:fd use;
+allow tombstoned domain:fifo_file write;
+
+allow tombstoned domain:dir r_dir_perms;
+allow tombstoned domain:file r_file_perms;
+allow tombstoned tombstone_data_file:dir rw_dir_perms;
+allow tombstoned tombstone_data_file:file { create_file_perms link };
+
+# Changes for the new stack dumping mechanism. Each trace goes into a
+# separate file, and these files are managed by tombstoned.
+allow tombstoned anr_data_file:dir rw_dir_perms;
+allow tombstoned anr_data_file:file { append create getattr open link unlink };
+
+###
+### Neverallow rules
+###
+
 neverallow {
     domain
     -init
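Review bot: The `link` permission in `allow tombstoned tombstone_data_file:file { create_file_perms link };` and in the anr_data_file rule is not explained, while shell.te in this same series forbids hard links to shell precisely because they defeat deletion guarantees; add a why-comment naming the operation that creates the link so the grant is not widened or copied blindly. The pair `allow tombstoned domain:dir r_dir_perms;` / `allow tombstoned domain:file r_file_perms;` also reads every domain's files without a comment; if this is for /proc/<pid> of the crashing process, say so (`# Read /proc/<pid>/* of the crashing process — TODO confirm`). The neverallow block at the end of this hunk continues outside the hunk.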
diff --git a/private/toolbox.te b/private/toolbox.te
index 5878997..265db0a 100644
--- a/private/toolbox.te
+++ b/private/toolbox.te
@@ -10,3 +10,35 @@
 # doesn't work, but it doesn't matter as virtualizationservice itself
 # will delete them when it starts. See b/235338094#comment39
 dontaudit toolbox virtualizationservice_data_file:dir setattr;
+
+# /dev/__null__ created by init prior to policy load,
+# open fd inherited by fsck.
+allow toolbox tmpfs:chr_file { read write ioctl };
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow toolbox devpts:chr_file { read write getattr ioctl };
+
+# mkswap-specific.
+# Read/write block devices used for swap partitions.
+# Assign swap_block_device type any such partition in your
+# device/<vendor>/<product>/sepolicy/file_contexts file.
+allow toolbox block_device:dir search;
+allow toolbox swap_block_device:blk_file rw_file_perms;
+
+# rm -rf /data/per_boot
+allow toolbox system_data_root_file:dir { remove_name write };
+allow toolbox system_data_file:dir { rmdir rw_dir_perms };
+allow toolbox system_data_file:file { getattr unlink };
+
+# chattr +F /data/media in init
+allow toolbox media_userdir_file:dir { r_dir_perms setattr };
+allowxperm toolbox media_userdir_file:dir ioctl { FS_IOC_SETFLAGS FS_IOC_GETFLAGS };
+
+###
+### Neverallow rules
+###
+
+# Only allow entry from init via the toolbox binary.
+neverallow { domain -init } toolbox:process transition;
+neverallow * toolbox:process dyntransition;
+neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
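Review bot: The `# rm -rf /data/per_boot` rules grant `system_data_file:dir { rmdir rw_dir_perms }` and `system_data_file:file { getattr unlink }`, which is delete access to every directory and file labelled system_data_file, not only /data/per_boot; if a dedicated label for that directory is feasible, toolbox should get these permissions on it instead, and otherwise the comment should state that the broad grant is accepted. Style: the last neverallow is missing a space before the closing brace, `neverallow toolbox { file_type fs_type -toolbox_exec }:file entrypoint;`, matching the sgdisk rule in the same series.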
diff --git a/private/traceur_app.te b/private/traceur_app.te
index a743917..4e6feff 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -24,3 +24,28 @@
 dontaudit traceur_app debugfs_tracing_debug:file audit_access;
 
 set_prop(traceur_app, debug_prop)
+
+allow traceur_app servicemanager:service_manager list;
+allow traceur_app hwservicemanager:hwservice_manager list;
+
+allow traceur_app {
+  service_manager_type
+  -apex_service
+  -dnsresolver_service
+  -gatekeeper_service
+  -incident_service
+  -installd_service
+  -lpdump_service
+  -mdns_service
+  -netd_service
+  -virtual_touchpad_service
+  -vold_service
+  -default_android_service
+}:service_manager find;
+
+# Allow traceur_app to use atrace HAL
+hal_client_domain(traceur_app, hal_atrace)
+
+dontaudit traceur_app service_manager_type:service_manager find;
+dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
+dontaudit traceur_app domain:binder call;
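Review bot: The `service_manager find` exclusion list for traceur_app omits `hal_keymint_service`, `hal_secureclock_service` and `hal_sharedsecret_service`, which shell.te in this same series both excludes and neverallows for shell; unless traceur_app needs those security HALs, add them to the exclusion set so a tracing app cannot look up keymint. The trailing `dontaudit traceur_app service_manager_type:service_manager find;` and `dontaudit traceur_app domain:binder call;` silence every denial for the excluded services, which hides exactly the lookups the exclusions are meant to prevent; narrow the dontaudit to the excluded types you expect to be probed, or add a comment naming the noisy lookups it is meant to quiet.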
diff --git a/private/ueventd.te b/private/ueventd.te
index 8bcdbf9..7effa6d 100644
--- a/private/ueventd.te
+++ b/private/ueventd.te
@@ -5,3 +5,88 @@
 # ueventd can set properties, particularly it sets ro.cold_boot_done to signal
 # to init that cold boot has completed.
 set_prop(ueventd, cold_boot_done_prop)
+
+# Write to /dev/kmsg.
+allow ueventd kmsg_device:chr_file rw_file_perms;
+
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
+allow ueventd device:file create_file_perms;
+
+r_dir_file(ueventd, rootfs)
+
+# ueventd needs write access to files in /sys to regenerate uevents
+allow ueventd sysfs_type:file w_file_perms;
+r_dir_file(ueventd, sysfs_type)
+allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
+allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
+allow ueventd tmpfs:chr_file rw_file_perms;
+allow ueventd dev_type:dir create_dir_perms;
+allow ueventd dev_type:lnk_file { create unlink };
+allow ueventd dev_type:chr_file { getattr create setattr unlink };
+allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
+allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow ueventd efs_file:dir search;
+allow ueventd efs_file:file r_file_perms;
+
+# Get SELinux enforcing status.
+r_dir_file(ueventd, selinuxfs)
+
+# Access for /vendor/ueventd.rc and /vendor/firmware
+r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })
+
+# Access for /apex/*/firmware
+allow ueventd apex_mnt_dir:dir r_dir_perms;
+
+# Get file contexts for new device nodes
+allow ueventd file_contexts_file:file r_file_perms;
+
+# Use setfscreatecon() to label /dev directories and files.
+allow ueventd self:process setfscreate;
+
+# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
+allow ueventd proc_cmdline:file r_file_perms;
+allow ueventd proc_bootconfig:file r_file_perms;
+
+# Everything is labeled as rootfs in recovery mode. ueventd has to execute
+# the dynamic linker and shared libraries.
+recovery_only(`
+  allow ueventd rootfs:file { r_file_perms execute };
+')
+
+# Suppress denials for ueventd to getattr /postinstall. This occurs when the
+# linker tries to resolve paths in ld.config.txt.
+dontaudit ueventd postinstall_mnt_dir:dir getattr;
+
+# ueventd loads modules in response to modalias events.
+allow ueventd self:global_capability_class_set sys_module;
+allow ueventd vendor_file:system module_load;
+allow ueventd kernel:key search;
+
+# ueventd is using bootstrap bionic
+use_bootstrap_libs(ueventd)
+
+# Allow ueventd to run shell scripts from vendor
+allow ueventd vendor_shell_exec:file execute;
+
+# Query device-mapper to extract name/uuid in response to uevents.
+allow ueventd dm_device:chr_file rw_file_perms;
+allow ueventd self:capability sys_admin;
+
+# Allow ueventd to read apexd property
+get_prop(ueventd, apexd_prop)
+
+#####
+##### neverallow rules
+#####
+
+# Restrict ueventd access on block devices to maintenence operations.
+neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
+
+# Only relabelto as we would never want to relabelfrom port_device
+neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };
+
+# Nobody should be able to ptrace ueventd
+neverallow * ueventd:process ptrace;
+
+# ueventd should never execute a program without changing to another domain.
+neverallow ueventd { file_type fs_type }:file execute_no_trans;
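Review bot: `allow ueventd self:capability sys_admin;` uses the bare `capability` class while the other capability grants in this hunk use `global_capability_class_set` (the chown/mknod list and `sys_module`); if the intent is the same coverage, write `allow ueventd self:global_capability_class_set sys_admin;` or fold `sys_admin` into the existing list, otherwise add a comment explaining why this one is deliberately narrower. `allow ueventd sysfs_type:file w_file_perms;` is write access to every sysfs label and the comment should say the uevent regeneration writes `uevent` files only, so a reviewer can judge the grant. Comment typo: `maintenence` should read `maintenance`.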
diff --git a/private/uncrypt.te b/private/uncrypt.te
index 1a94cd1..156f684 100644
--- a/private/uncrypt.te
+++ b/private/uncrypt.te
@@ -4,3 +4,46 @@
 
 # Set a property to reboot the device.
 set_prop(uncrypt, powerctl_prop)
+
+allow uncrypt self:global_capability_class_set { dac_override dac_read_search };
+
+userdebug_or_eng(`
+  # For debugging, allow /data/local/tmp access
+  r_dir_file(uncrypt, shell_data_file)
+')
+
+# Read /cache/recovery/command
+# Read /cache/recovery/uncrypt_file
+allow uncrypt cache_file:dir search;
+allow uncrypt cache_recovery_file:dir rw_dir_perms;
+allow uncrypt cache_recovery_file:file create_file_perms;
+
+# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
+allow uncrypt ota_package_file:dir r_dir_perms;
+allow uncrypt ota_package_file:file rw_file_perms;
+
+# Write to /dev/socket/uncrypt
+unix_socket_connect(uncrypt, uncrypt, uncrypt)
+
+# Raw writes to block device
+allow uncrypt self:global_capability_class_set sys_rawio;
+allow uncrypt misc_block_device:blk_file w_file_perms;
+allow uncrypt block_device:dir r_dir_perms;
+
+# Access userdata block device.
+allow uncrypt userdata_block_device:blk_file w_file_perms;
+
+r_dir_file(uncrypt, rootfs)
+
+# Access to bootconfig is needed when calling ReadDefaultFstab.
+allow uncrypt {
+  proc_bootconfig
+  proc_cmdline
+
+}:file r_file_perms;
+
+# Read files in /sys
+r_dir_file(uncrypt, sysfs_dt_firmware_android)
+
+# Allow ReadDefaultFstab().
+read_fstab(uncrypt)
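Review bot: `allow uncrypt userdata_block_device:blk_file w_file_perms;` together with `sys_rawio` is raw write access to the userdata partition, and the only explanation is `# Access userdata block device.`; the comment should name the operation that performs those writes so the grant can be checked against it, e.g. `# Raw writes of the OTA package blocks to the userdata block device — TODO confirm`. The `dac_override dac_read_search` grant at the top of the hunk has no comment at all and deserves one stating which path it is needed for. Style: the `{ proc_bootconfig proc_cmdline }` set contains a stray blank line.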
diff --git a/private/update_engine.te b/private/update_engine.te
index 862a62a..6a60718 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -39,3 +39,79 @@
 # let this domain use the hal service
 binder_use(update_engine)
 hal_client_domain(update_engine, hal_bootctl)
+
+net_domain(update_engine);
+
+# Following permissions are needed for update_engine.
+allow update_engine self:process { setsched };
+allow update_engine self:global_capability_class_set { fowner sys_admin };
+# Note: fsetid checks are triggered when creating a file in a directory with
+# the setgid bit set to determine if the file should inherit setgid. In this
+# case, setgid on the file is undesirable so we should just suppress the
+# denial.
+dontaudit update_engine self:global_capability_class_set fsetid;
+
+allow update_engine kmsg_device:chr_file { getattr w_file_perms };
+allow update_engine update_engine_exec:file rx_file_perms;
+wakelock_use(update_engine);
+
+# Ignore these denials.
+dontaudit update_engine kernel:process setsched;
+dontaudit update_engine self:global_capability_class_set sys_rawio;
+
+# Allow using persistent storage in /data/misc/update_engine.
+allow update_engine update_engine_data_file:dir create_dir_perms;
+allow update_engine update_engine_data_file:file create_file_perms;
+
+# Allow using persistent storage in /data/misc/update_engine_log.
+allow update_engine update_engine_log_data_file:dir create_dir_perms;
+allow update_engine update_engine_log_data_file:file create_file_perms;
+
+# Register the service to perform Binder IPC.
+binder_use(update_engine)
+add_service(update_engine, update_engine_service)
+add_service(update_engine, update_engine_stable_service)
+
+# Allow update_engine to call the callback function provided by priv_app/GMS core.
+binder_call(update_engine, priv_app)
+# b/142672293: No other priv-app should need this rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+  auditallow update_engine priv_app:binder { call transfer };
+  auditallow priv_app update_engine:binder transfer;
+  auditallow update_engine priv_app:fd use;
+')
+
+binder_call(update_engine, gmscore_app)
+
+# Allow update_engine to call the callback function provided by system_server.
+binder_call(update_engine, system_server)
+
+# Read OTA zip file at /data/ota_package/.
+allow update_engine ota_package_file:file r_file_perms;
+allow update_engine ota_package_file:dir r_dir_perms;
+
+# Use Boot Control HAL
+hal_client_domain(update_engine, hal_bootctl)
+
+# access /proc/misc
+allow update_engine proc_misc:file r_file_perms;
+
+# read directories on /system and /vendor
+allow update_engine system_file:dir r_dir_perms;
+
+# Allow ReadDefaultFstab().
+# update_engine tries to determine the parent path for all devices (e.g.
+# /dev/block/by-name) by reading the default fstab and looking for the misc
+# device.
+read_fstab(update_engine)
+
+# Allow to write to snapshotctl_log logs.
+# TODO(b/148818798) revert when parent bug is fixed.
+userdebug_or_eng(`
+allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
+allow update_engine snapshotctl_log_data_file:file create_file_perms;
+')
+
+# Allow determining filesystems available on system.
+# Needed for checking if overlayfs is enabled
+allow update_engine proc_filesystems:file r_file_perms;
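Review bot: `binder_use(update_engine)` and `hal_client_domain(update_engine, hal_bootctl)` are added again although the hunk's context lines already contain both, so the file ends up with duplicate macro expansions; drop the added copies under `# Register the service to perform Binder IPC.` and `# Use Boot Control HAL`. The trailing semicolons on `net_domain(update_engine);` and `wakelock_use(update_engine);` are inconsistent with the other macro calls in the same file (`binder_use(update_engine)`), and should be removed, since the macros already emit complete rules.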
diff --git a/private/update_engine_common.te b/private/update_engine_common.te
index 8571ff6..5bba84a 100644
--- a/private/update_engine_common.te
+++ b/private/update_engine_common.te
@@ -1,3 +1,6 @@
+# update_engine payload application permissions. These are shared between the
+# background daemon and the recovery tool to sideload an update.
+
 # type_transition must be private policy the domain_trans rules could stay
 # public, but conceptually should go with this
 # The postinstall program is run by update_engine_common and must be tagged
@@ -10,4 +13,99 @@
 # there.
 domain_auto_trans(update_engine_common, postinstall_file, postinstall)
 
+# Allow update_engine to reach block devices in /dev/block.
+allow update_engine_common block_device:dir search;
+
+# Allow read/write on system and boot partitions.
+allow update_engine_common boot_block_device:blk_file rw_file_perms;
+allow update_engine_common system_block_device:blk_file rw_file_perms;
+
+# Where ioctls are granted via standard allow rules to block devices,
+# automatically allow common ioctls that are generally needed by
+# update_engine.
+allowxperm update_engine_common dev_type:blk_file ioctl {
+  BLKDISCARD
+  BLKDISCARDZEROES
+  BLKROGET
+  BLKROSET
+  BLKSECDISCARD
+  BLKZEROOUT
+};
+
+# Allow to set recovery options in the BCB. Used to trigger factory reset when
+# the update to an older version (channel change) or incompatible version
+# requires it.
+allow update_engine_common misc_block_device:blk_file rw_file_perms;
+
+# read fstab
+allow update_engine_common rootfs:dir getattr;
+allow update_engine_common rootfs:file r_file_perms;
+
+# Allow update_engine_common to mount on the /postinstall directory and reset the
+# labels on the mounted filesystem to postinstall_file.
+allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
+allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
 allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
+
+# Allow update_engine_common to read and execute postinstall_file.
+allow update_engine_common postinstall_file:file rx_file_perms;
+allow update_engine_common postinstall_file:lnk_file r_file_perms;
+allow update_engine_common postinstall_file:dir r_dir_perms;
+
+# install update.zip from cache
+r_dir_file(update_engine_common, cache_file)
+
+# A postinstall program is typically a shell script (with a #!), so we allow
+# to execute those.
+allow update_engine_common shell_exec:file rx_file_perms;
+
+# Allow update_engine_common to suspend, resume and kill the postinstall program.
+allow update_engine_common postinstall:process { signal sigstop sigkill };
+
+# access /proc/cmdline
+allow update_engine_common proc_cmdline:file r_file_perms;
+
+# Read files in /sys/firmware/devicetree/base/firmware/android/
+r_dir_file(update_engine_common, sysfs_dt_firmware_android)
+
+# Needed because libdm reads sysfs to validate when a dm path is ready.
+r_dir_file(update_engine_common, sysfs_dm)
+
+# Scan files in /sys/fs/ext4 and /sys/fs/f2fs for device-mapper diagnostics.
+allow update_engine_common sysfs:dir r_dir_perms;
+allow update_engine_common sysfs_fs_f2fs:dir r_dir_perms;
+
+# read / write on /dev/device-mapper to map / unmap devices
+allow update_engine_common dm_device:chr_file rw_file_perms;
+
+# apply / verify updates on devices mapped via device mapper
+allow update_engine_common dm_device:blk_file rw_file_perms;
+
+# read /dev/dm-user, so that we can inotify wait for control devices to be
+# asynchronously created by ueventd.
+allow update_engine dm_user_device:dir r_dir_perms;
+allow update_engine dm_user_device:chr_file r_file_perms;
+
+# read / write metadata on super device to resize partitions
+allow update_engine_common super_block_device_type:blk_file rw_file_perms;
+
+# ioctl on super device to get block device alignment and alignment offset
+allowxperm update_engine_common super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+# get physical block device to map logical partitions on device mapper
+allow update_engine_common block_device:dir r_dir_perms;
+
+# Allow update_engine_common to write to statsd socket.
+unix_socket_send(update_engine_common, statsdw, statsd)
+
+# Allow to read Virtual A/B feature flags.
+get_prop(update_engine_common, virtual_ab_prop)
+
+# Allow to read GKI related flags.
+get_prop(update_engine_common, ab_update_gki_prop)
+get_prop(update_engine_common, build_bootimage_prop)
+
+# Allow to read/write/create OTA metadata files for snapshot status and COW file status.
+allow update_engine_common metadata_file:dir search;
+allow update_engine_common ota_metadata_file:dir rw_dir_perms;
+allow update_engine_common ota_metadata_file:file create_file_perms;
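Review bot: The pair `allow update_engine dm_user_device:dir r_dir_perms;` / `allow update_engine dm_user_device:chr_file r_file_perms;` is the only place in update_engine_common.te whose source domain is `update_engine` rather than `update_engine_common`, so the recovery sideload tool that the new header comment says shares this file does not receive it. If that narrowing is deliberate (dm-user only matters to the background daemon), a one-line comment such as `# Only the daemon needs dm-user; sideload does not.` would stop the next reader from "fixing" it; otherwise the source should be `update_engine_common` like every neighbouring rule. Separately, `allow update_engine_common block_device:dir search;` near the top of the hunk is subsumed by `allow update_engine_common block_device:dir r_dir_perms;` further down, so one of the two (and its comment) can go.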
diff --git a/private/update_verifier.te b/private/update_verifier.te
index a8cef37..2c68f4c 100644
--- a/private/update_verifier.te
+++ b/private/update_verifier.te
@@ -14,3 +14,33 @@
 
 # virtual a/b properties
 get_prop(update_verifier, virtual_ab_prop)
+
+# Allow update_verifier to reach block devices in /dev/block.
+allow update_verifier block_device:dir search;
+
+# Read care map in /data/ota_package/.
+allow update_verifier ota_package_file:dir r_dir_perms;
+allow update_verifier ota_package_file:file r_file_perms;
+
+# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
+allow update_verifier sysfs:dir r_dir_perms;
+
+# Read /sys/block/dm-X/dm/name (which is a symlink to
+# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
+# dm-X and system/vendor partitions.
+allow update_verifier sysfs_dm:dir r_dir_perms;
+allow update_verifier sysfs_dm:file r_file_perms;
+
+# Read all blocks in DM wrapped system partition.
+allow update_verifier dm_device:blk_file r_file_perms;
+
+# Write to kernel message.
+allow update_verifier kmsg_device:chr_file { getattr w_file_perms };
+
+# Use Boot Control HAL
+hal_client_domain(update_verifier, hal_bootctl)
+
+# Access Checkpoint commands over binder
+allow update_verifier vold_service:service_manager find;
+binder_call(update_verifier, servicemanager)
+binder_call(update_verifier, vold)
diff --git a/private/usbd.te b/private/usbd.te
index 42f2324..a444f9c 100644
--- a/private/usbd.te
+++ b/private/usbd.te
@@ -13,3 +13,5 @@
 
 # Start/stop adbd via ctl.start adbd
 set_prop(usbd, ctl_adbd_prop)
+
+binder_call(usbd, servicemanager)
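Review bot: `binder_call(usbd, servicemanager)` is added without the one-line rationale that the rest of this file gives each grant (the preceding `set_prop` is explained by `# Start/stop adbd via ctl.start adbd`). A comment naming what usbd does over that binder connection would keep the file's convention and make the grant auditable later; the earlier rules of usbd.te are outside the hunk, so I cannot tell whether `binder_use(usbd)` already exists above.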
diff --git a/public/userdata_sysdev.te b/private/userdata_sysdev.te
similarity index 100%
rename from public/userdata_sysdev.te
rename to private/userdata_sysdev.te
diff --git a/private/vdc.te b/private/vdc.te
index 63c9c2a..e59afce 100644
--- a/private/vdc.te
+++ b/private/vdc.te
@@ -4,3 +4,14 @@
 
 # Allow stdin/out back to vehicle_binding_util
 allow vdc vehicle_binding_util:fd use;
+
+# vdc can be invoked with logwrapper, so let it write to pty
+allow vdc devpts:chr_file rw_file_perms;
+
+# vdc writes directly to kmsg during the boot process
+allow vdc kmsg_device:chr_file { getattr w_file_perms };
+
+# vdc talks to vold over Binder
+binder_use(vdc)
+binder_call(vdc, vold)
+allow vdc vold_service:service_manager find;
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 1680f96..4f52b56 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -24,3 +24,333 @@
   -lowpan_device
   -hw_random_device
 }:chr_file setattr;
+
+# Communication to the main init process
+allow vendor_init init:unix_stream_socket { read write };
+
+# Logging to kmsg
+allow vendor_init kmsg_device:chr_file { open getattr write };
+
+# Mount on /dev/usb-ffs/adb.
+allow vendor_init device:dir mounton;
+
+# Create and remove symlinks in /.
+allow vendor_init rootfs:lnk_file { create unlink };
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow vendor_init cgroup:dir create_dir_perms;
+allow vendor_init cgroup:file w_file_perms;
+allow vendor_init cgroup_v2:dir create_dir_perms;
+allow vendor_init cgroup_v2:file w_file_perms;
+
+# /config
+allow vendor_init configfs:dir mounton;
+allow vendor_init configfs:dir create_dir_perms;
+allow vendor_init configfs:{ file lnk_file } create_file_perms;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow vendor_init self:global_capability_class_set { chown fowner fsetid };
+
+# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
+allow vendor_init unencrypted_data_file:dir search;
+allow vendor_init unencrypted_data_file:file r_file_perms;
+
+# Set encryption policy on dirs in /data
+allowxperm vendor_init data_file_type:dir ioctl {
+  FS_IOC_GET_ENCRYPTION_POLICY
+  FS_IOC_SET_ENCRYPTION_POLICY
+};
+
+allow vendor_init system_data_file:dir getattr;
+
+allow vendor_init {
+  file_type
+  -bpffs_type
+  -core_data_file_type
+  -exec_type
+  -system_dlkm_file_type
+  -system_file_type
+  -mnt_product_file
+  -password_slot_metadata_file
+  -ota_metadata_file
+  -unlabeled
+  -vendor_file_type
+  -vold_metadata_file
+  -gsi_metadata_file_type
+  -apex_metadata_file
+  -userspace_reboot_metadata_file
+  -aconfig_storage_metadata_file
+  -aconfig_storage_flags_metadata_file
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
+
+allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
+
+allow vendor_init {
+  file_type
+  -bpffs_type
+  -core_data_file_type
+  -exec_type
+  -password_slot_metadata_file
+  -ota_metadata_file
+  -runtime_event_log_tags_file
+  -system_dlkm_file_type
+  -system_file_type
+  -unlabeled
+  -vendor_file_type
+  -vold_metadata_file
+  -gsi_metadata_file_type
+  -apex_metadata_file
+  -apex_info_file
+  -userspace_reboot_metadata_file
+  -aconfig_storage_metadata_file
+  -aconfig_storage_flags_metadata_file
+  enforce_debugfs_restriction(`-debugfs_type')
+}:file { create getattr open read write setattr relabelfrom unlink map };
+
+allow vendor_init {
+  file_type
+  -bpffs_type
+  -core_data_file_type
+  -exec_type
+  -password_slot_metadata_file
+  -ota_metadata_file
+  -system_dlkm_file_type
+  -system_file_type
+  -unlabeled
+  -vendor_file_type
+  -vold_metadata_file
+  -gsi_metadata_file_type
+  -apex_metadata_file
+  -userspace_reboot_metadata_file
+  -aconfig_storage_metadata_file
+  -aconfig_storage_flags_metadata_file
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow vendor_init {
+  file_type
+  -apex_mnt_dir
+  -bpffs_type
+  -core_data_file_type
+  -exec_type
+  -password_slot_metadata_file
+  -ota_metadata_file
+  -system_dlkm_file_type
+  -system_file_type
+  -unlabeled
+  -vendor_file_type
+  -vold_metadata_file
+  -gsi_metadata_file_type
+  -apex_metadata_file
+  -userspace_reboot_metadata_file
+  -aconfig_storage_metadata_file
+  -aconfig_storage_flags_metadata_file
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow vendor_init {
+  file_type
+  -bpffs_type
+  -core_data_file_type
+  -exec_type
+  -mnt_product_file
+  -password_slot_metadata_file
+  -ota_metadata_file
+  -system_dlkm_file_type
+  -system_file_type
+  -vendor_file_type
+  -vold_metadata_file
+  -gsi_metadata_file_type
+  -apex_metadata_file
+  -userspace_reboot_metadata_file
+  -aconfig_storage_metadata_file
+  -aconfig_storage_flags_metadata_file
+}:dir_file_class_set relabelto;
+
+allow vendor_init dev_type:dir create_dir_perms;
+allow vendor_init dev_type:lnk_file create;
+
+# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
+allow vendor_init debugfs_tracing:file w_file_perms;
+
+# chown/chmod on pseudo files.
+allow vendor_init {
+  fs_type
+  -bpffs_type
+  -contextmount_type
+  -keychord_device
+  -sdcard_type
+  -fusefs_type
+  -rootfs
+  -proc_uid_time_in_state
+  -proc_uid_concurrent_active_time
+  -proc_uid_concurrent_policy_time
+  enforce_debugfs_restriction(`-debugfs_type')
+}:file { open read setattr map };
+
+allow vendor_init tracefs_type:file { open read setattr map };
+
+allow vendor_init {
+  fs_type
+  -bpffs_type
+  -contextmount_type
+  -sdcard_type
+  -fusefs_type
+  -rootfs
+  -proc_uid_time_in_state
+  -proc_uid_concurrent_active_time
+  -proc_uid_concurrent_policy_time
+}:dir { open read setattr search };
+
+allow vendor_init dev_type:blk_file getattr;
+
+# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
+r_dir_file(vendor_init, proc_net_type)
+allow vendor_init proc_net_type:file w_file_perms;
+allow vendor_init self:global_capability_class_set net_admin;
+
+# Write to /proc/sys/vm/page-cluster
+allow vendor_init proc_page_cluster:file w_file_perms;
+
+# Write to sysfs nodes.
+allow vendor_init sysfs_type:dir r_dir_perms;
+allow vendor_init sysfs_type:lnk_file read;
+allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
+
+# setfscreatecon() for labeling directories and socket files.
+allow vendor_init self:process { setfscreate };
+
+r_dir_file(vendor_init, vendor_file_type)
+
+# Vendor init can read properties
+allow vendor_init serialno_prop:file { getattr open read map };
+
+# Vendor init can perform operations on trusted and security Extended Attributes
+allow vendor_init self:global_capability_class_set sys_admin;
+
+# Raw writes to misc block device
+allow vendor_init misc_block_device:blk_file w_file_perms;
+
+# vendor_init is using bootstrap bionic
+use_bootstrap_libs(vendor_init)
+
+# allow filesystem tuning
+allow vendor_init userdata_sysdev:file create_file_perms;
+
+# Everything is labeled as rootfs in recovery mode. Vendor init has to execute
+# the dynamic linker and shared libraries.
+recovery_only(`
+  allow vendor_init rootfs:file { r_file_perms execute };
+')
+
+not_compatible_property(`
+    set_prop(vendor_init, {
+      property_type
+      -system_internal_property_type
+      -system_restricted_property_type
+    })
+')
+
+# Get file context
+allow vendor_init file_contexts_file:file r_file_perms;
+
+# Allow vendor_init to (re)set nice
+allow vendor_init self:capability sys_nice;
+
+set_prop(vendor_init, apk_verity_prop)
+set_prop(vendor_init, bluetooth_a2dp_offload_prop)
+set_prop(vendor_init, bluetooth_audio_hal_prop)
+set_prop(vendor_init, bluetooth_config_prop)
+set_prop(vendor_init, camera2_extensions_prop)
+set_prop(vendor_init, camerax_extensions_prop)
+set_prop(vendor_init, cpu_variant_prop)
+set_prop(vendor_init, dalvik_config_prop)
+set_prop(vendor_init, dalvik_dynamic_config_prop)
+set_prop(vendor_init, dalvik_runtime_prop)
+set_prop(vendor_init, debug_prop)
+set_prop(vendor_init, exported_bluetooth_prop)
+set_prop(vendor_init, exported_camera_prop)
+set_prop(vendor_init, exported_config_prop)
+set_prop(vendor_init, exported_default_prop)
+set_prop(vendor_init, exported_overlay_prop)
+set_prop(vendor_init, exported_pm_prop)
+set_prop(vendor_init, ffs_control_prop)
+set_prop(vendor_init, hw_timeout_multiplier_prop)
+set_prop(vendor_init, incremental_prop)
+set_prop(vendor_init, lmkd_prop)
+set_prop(vendor_init, logd_prop)
+set_prop(vendor_init, log_tag_prop)
+set_prop(vendor_init, log_prop)
+set_prop(vendor_init, graphics_config_writable_prop)
+set_prop(vendor_init, qemu_hw_prop)
+set_prop(vendor_init, radio_control_prop)
+set_prop(vendor_init, rebootescrow_hal_prop)
+set_prop(vendor_init, serialno_prop)
+set_prop(vendor_init, soc_prop)
+set_prop(vendor_init, surfaceflinger_color_prop)
+set_prop(vendor_init, usb_control_prop)
+set_prop(vendor_init, userspace_reboot_config_prop)
+set_prop(vendor_init, vehicle_hal_prop)
+set_prop(vendor_init, vendor_default_prop)
+set_prop(vendor_init, keystore_config_prop)
+set_prop(vendor_init, vendor_security_patch_level_prop)
+set_prop(vendor_init, vndk_prop)
+set_prop(vendor_init, virtual_ab_prop)
+set_prop(vendor_init, vold_post_fs_data_prop)
+set_prop(vendor_init, wifi_hal_prop)
+set_prop(vendor_init, wifi_log_prop)
+set_prop(vendor_init, zram_control_prop)
+
+get_prop(vendor_init, boot_status_prop)
+get_prop(vendor_init, exported3_system_prop)
+get_prop(vendor_init, ota_prop)
+get_prop(vendor_init, power_debug_prop)
+get_prop(vendor_init, provisioned_prop)
+get_prop(vendor_init, retaildemo_prop)
+get_prop(vendor_init, surfaceflinger_display_prop)
+get_prop(vendor_init, test_harness_prop)
+get_prop(vendor_init, theme_prop)
+set_prop(vendor_init, dck_prop)
+
+# Allow vendor_init to read vendor_system_native device config changes
+get_prop(vendor_init, device_config_vendor_system_native_prop)
+get_prop(vendor_init, device_config_vendor_system_native_boot_prop)
+
+userdebug_or_eng(`
+get_prop(vendor_init, profcollectd_etr_prop)
+')
+
+###
+### neverallow rules
+###
+
+# Vendor init shouldn't communicate with any vendor process, nor most system processes.
+neverallow_establish_socket_comms(vendor_init, {
+    domain -init -logd -prng_seeder -su -vendor_init });
+
+# The vendor_init domain is only entered via an exec based transition from the
+# init domain, never via setcon().
+neverallow domain vendor_init:process dyntransition;
+neverallow { domain -init } vendor_init:process transition;
+neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint;
+
+# Never read/follow symlinks created by shell or untrusted apps.
+neverallow vendor_init app_data_file_type:lnk_file read;
+neverallow vendor_init shell_data_file:lnk_file read;
+# Init should not be creating subdirectories in /data/local/tmp
+neverallow vendor_init shell_data_file:dir { write add_name remove_name };
+
+# init should never execute a program without changing to another domain.
+neverallow vendor_init { file_type fs_type }:file execute_no_trans;
+
+# Init never adds or uses services via service_manager.
+neverallow vendor_init service_manager_type:service_manager { add find };
+neverallow vendor_init servicemanager:service_manager list;
+
+# vendor_init should never be ptraced
+neverallow * vendor_init:process ptrace;
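Review bot: Three comments in the neverallow section still say "init" although the rules they describe target `vendor_init`: `# Init should not be creating subdirectories in /data/local/tmp`, `# init should never execute a program without changing to another domain.` and `# Init never adds or uses services via service_manager.`; rewording them to `# vendor_init should not be creating subdirectories in /data/local/tmp` (and likewise for the other two) removes the ambiguity, since this file now carries the whole domain. Less certainly, the `file_type ... }:file` rule and the `fs_type ... }:file` rule both carve out `enforce_debugfs_restriction(`-debugfs_type')`, while the `fs_type ... }:dir { open read setattr search }` rule does not; if that asymmetry is intentional (only file access needs restricting), a short comment there would save the question. Note that the hunk opens mid-rule: the `-lowpan_device` / `-hw_random_device` / `}:chr_file setattr;` context lines belong to a rule whose start is outside the hunk.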
diff --git a/private/vendor_misc_writer.te b/private/vendor_misc_writer.te
new file mode 100644
index 0000000..1f27bf9
--- /dev/null
+++ b/private/vendor_misc_writer.te
@@ -0,0 +1,12 @@
+# Raw writes to misc_block_device
+allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
+allow vendor_misc_writer block_device:dir r_dir_perms;
+
+# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
+# load DT fstab.
+dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
+dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
+dontaudit vendor_misc_writer proc_bootconfig:file r_file_perms;
+
+# Allow ReadDefaultFstab().
+read_fstab(vendor_misc_writer)
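Review bot: The three `dontaudit` lines under `# Silence the denial when calling libfstab's ReadDefaultFstab` sit directly above `read_fstab(vendor_misc_writer)`, which exists to allow the same call, so the two comments read as contradicting each other. If `read_fstab` expands to read access on proc_cmdline, proc_bootconfig and sysfs_dt_firmware_android (its usual definition — confirm in the macro file), the dontaudit rules are dead and should be dropped; if the macro intentionally leaves some path unallowed, the comment should say which one is being silenced and why.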
diff --git a/private/vendor_shell.te b/private/vendor_shell.te
new file mode 100644
index 0000000..5a5925d
--- /dev/null
+++ b/private/vendor_shell.te
@@ -0,0 +1,18 @@
+allow vendor_shell vendor_shell_exec:file rx_file_perms;
+allow vendor_shell vendor_toolbox_exec:file rx_file_perms;
+
+# Use fd from shell when vendor_shell is started from shell
+allow vendor_shell shell:fd use;
+
+# adbd: allow `adb shell /vendor/bin/sh` and `adb shell` then `/vendor/bin/sh`
+allow vendor_shell adbd:fd use;
+allow vendor_shell adbd:process sigchld;
+allow vendor_shell adbd:unix_stream_socket { getattr ioctl read write };
+
+allow vendor_shell devpts:chr_file rw_file_perms;
+allow vendor_shell tty_device:chr_file rw_file_perms;
+allow vendor_shell console_device:chr_file rw_file_perms;
+allow vendor_shell input_device:dir r_dir_perms;
+allow vendor_shell input_device:chr_file rw_file_perms;
+
+userdebug_or_eng(`set_prop(vendor_shell, persist_vendor_debug_wifi_prop)')
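Review bot: `allow vendor_shell input_device:dir r_dir_perms;` and `allow vendor_shell input_device:chr_file rw_file_perms;` are the only grants in this new file without a rationale comment, and read/write on every input device node is a notable grant for a shell domain. A one-line comment naming the vendor tool or workflow that needs it would match the style of the surrounding blocks and make the grant reviewable later.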
diff --git a/private/vendor_toolbox.te b/private/vendor_toolbox.te
new file mode 100644
index 0000000..178fa8f
--- /dev/null
+++ b/private/vendor_toolbox.te
@@ -0,0 +1,11 @@
+# Do not allow domains to transition to vendor toolbox
+# or read, execute the vendor_toolbox file.
+full_treble_only(`
+    # Do not allow non-vendor domains to transition
+    # to vendor toolbox except for the allowlisted domains.
+    neverallow {
+        coredomain
+        -init
+        -modprobe
+    } vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
+')
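Review bot: The header comment `# or read, execute the vendor_toolbox file.` promises more than the rule enforces: the neverallow covers only `{ entrypoint execute execute_no_trans }` on `vendor_toolbox_exec`, not `read`. Either change the comment to `# or execute the vendor_toolbox file.` or, if read really is meant to be blocked, add it to the permission set; the inner comment already states the intent correctly.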
diff --git a/private/virtual_touchpad.te b/private/virtual_touchpad.te
index e735172..035b121 100644
--- a/private/virtual_touchpad.te
+++ b/private/virtual_touchpad.te
@@ -1,3 +1,17 @@
 typeattribute virtual_touchpad coredomain;
 
 init_daemon_domain(virtual_touchpad)
+
+binder_use(virtual_touchpad)
+binder_service(virtual_touchpad)
+add_service(virtual_touchpad, virtual_touchpad_service)
+
+# Needed to check app permissions.
+binder_call(virtual_touchpad, system_server)
+
+# Requires access to /dev/uinput to create and feed the virtual device.
+allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
+
+# Requires access to the permission service to validate that clients have the
+# appropriate VR permissions.
+allow virtual_touchpad permission_service:service_manager find;
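Review bot: `allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };` grants every ioctl on the device, whereas the rest of this series narrows ioctl grants with `allowxperm` (see the FS_IOC_* and BLK* lists in vold.te and update_engine_common.te). If the set of uinput ioctls the service issues is known, an `allowxperm virtual_touchpad uhid_device:chr_file ioctl { ... }` list would bring this in line; if it is not, a comment saying so would at least document the decision. The comment mentions `/dev/uinput` while the type is `uhid_device`; noting that the node carries that label would help readers who do not have file_contexts open.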
diff --git a/private/vold.te b/private/vold.te
index 4256ac3..4da11da 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -62,16 +62,6 @@
 allow vold keystore:keystore2 early_boot_ended;
 allow vold keystore:keystore2 delete_all_keys;
 
-neverallow {
-    domain
-    -system_server
-    -vdc
-    -vold
-    -update_verifier
-    -apexd
-    -gsid
-} vold_service:service_manager find;
-
 # Allow vold to create and delete per-user directories like /data/user/$userId.
 allow vold {
     media_userdir_file
@@ -83,6 +73,296 @@
     write
 };
 
+# Read already opened /cache files.
+allow vold cache_file:dir r_dir_perms;
+allow vold cache_file:file { getattr read };
+allow vold cache_file:lnk_file r_file_perms;
+
+r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
+# XXX Label sysfs files with a specific type?
+allow vold {
+  sysfs # writing to /sys/*/uevent during coldboot.
+  sysfs_devices_block
+  sysfs_dm
+  sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
+  sysfs_usb
+  sysfs_zram_uevent
+  sysfs_fs_f2fs
+}:file w_file_perms;
+
+r_dir_file(vold, rootfs)
+r_dir_file(vold, metadata_file)
+allow vold {
+  proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+  proc_bootconfig
+  proc_cmdline
+  proc_drop_caches
+  proc_filesystems
+  proc_meminfo
+  proc_mounts
+}:file r_file_perms;
+
+#Get file contexts
+allow vold file_contexts_file:file r_file_perms;
+
+# Allow us to jump into execution domains of above tools
+allow vold self:process setexec;
+
+# For formatting adoptable storage devices
+allow vold e2fs_exec:file rx_file_perms;
+
+# Run fstrim on mounted partitions
+# allowxperm still requires the ioctl permission for the individual type
+allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
+
+# Get/set file-based encryption policies on dirs in /data and adoptable storage,
+# and add/remove file-based encryption keys.
+allowxperm vold data_file_type:dir ioctl {
+  FS_IOC_GET_ENCRYPTION_POLICY
+  FS_IOC_SET_ENCRYPTION_POLICY
+  FS_IOC_ADD_ENCRYPTION_KEY
+  FS_IOC_REMOVE_ENCRYPTION_KEY
+  FS_IOC_GET_ENCRYPTION_KEY_STATUS
+};
+
+# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
+# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
+# location of the file's blocks on the raw block device to erase.
+allowxperm vold {
+  vold_data_file
+  vold_metadata_file
+}:file ioctl {
+  F2FS_IOC_SEC_TRIM_FILE
+  FS_IOC_FIEMAP
+};
+
+typeattribute vold mlstrustedsubject;
+allow vold self:process setfscreate;
+allow vold system_file:file x_file_perms;
+not_full_treble(`allow vold vendor_file:file x_file_perms;')
+allow vold block_device:dir create_dir_perms;
+allow vold device:dir write;
+allow vold devpts:chr_file rw_file_perms;
+allow vold rootfs:dir mounton;
+allow vold { sdcard_type fuse }:dir mounton; # TODO: deprecated in M
+allow vold { sdcard_type fuse }:filesystem { mount remount unmount }; # TODO: deprecated in M
+
+# Manage locations where storage is mounted
+allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:dir create_dir_perms;
+allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:file create_file_perms;
+
+# Access to storage that backs emulated FUSE daemons for migration optimization
+allow vold media_rw_data_file:dir create_dir_perms;
+allow vold media_rw_data_file:file create_file_perms;
+# Allow mounting (lower filesystem) on parts of media for performance
+allow vold media_rw_data_file:dir mounton;
+
+# Allow setting project quota IDs and enabling project ID inheritance on
+# /data/media/$userId/* and /mnt/expand/$volume/media/$userId/*
+allowxperm vold media_rw_data_file:{ dir file } ioctl {
+  FS_IOC_FSGETXATTR
+  FS_IOC_FSSETXATTR
+  FS_IOC_GETFLAGS
+  FS_IOC_SETFLAGS
+};
+
+# Allow mounting of storage devices
+allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
+
+# Manage per-user primary symlinks
+allow vold mnt_user_file:dir { create_dir_perms mounton };
+allow vold mnt_user_file:lnk_file create_file_perms;
+allow vold mnt_user_file:file create_file_perms;
+
+# Manage per-user pass_through primary symlinks
+allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
+allow vold mnt_pass_through_file:lnk_file create_file_perms;
+
+# Allow to create and mount expanded storage
+allow vold mnt_expand_file:dir { create_dir_perms mounton };
+allow vold apk_data_file:dir { create getattr setattr };
+allow vold shell_data_file:dir { create getattr setattr };
+allow vold system_userdir_file:dir { create getattr setattr };
+allow vold media_userdir_file:dir { create getattr setattr open read ioctl };
+# Needed to set the casefold flag on /mnt/expand/$volume/media
+allowxperm vold media_userdir_file:dir ioctl { FS_IOC_GETFLAGS FS_IOC_SETFLAGS };
+
+# Allow to mount incremental file system on /data/incremental and create files
+allow vold apk_data_file:dir { mounton rw_dir_perms };
+# Allow to create and write files in /data/incremental
+allow vold apk_data_file:file { rw_file_perms unlink };
+# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
+allow vold apk_tmp_file:dir { mounton r_dir_perms };
+# Allow to read incremental control file and call selinux restorecon on it
+allow vold incremental_control_file:file { r_file_perms relabelto };
+
+allow vold tmpfs:filesystem { mount unmount };
+allow vold tmpfs:dir create_dir_perms;
+allow vold tmpfs:dir mounton;
+allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
+allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow vold loop_control_device:chr_file rw_file_perms;
+allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
+allowxperm vold loop_device:blk_file ioctl {
+  LOOP_CLR_FD
+  LOOP_CTL_GET_FREE
+  LOOP_GET_STATUS64
+  LOOP_SET_FD
+  LOOP_SET_STATUS64
+};
+allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
+allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
+allow vold dm_device:chr_file rw_file_perms;
+allow vold dm_device:blk_file rw_file_perms;
+allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD BLKREPORTZONE BLKRESETZONE };
+# For vold Process::killProcessesWithOpenFiles function.
+allow vold domain:dir r_dir_perms;
+allow vold domain:{ file lnk_file } r_file_perms;
+allow vold domain:process { signal sigkill };
+allow vold self:global_capability_class_set { sys_ptrace kill };
+
+allow vold kmsg_device:chr_file rw_file_perms;
+
+# Run fsck in the fsck domain.
+allow vold fsck_exec:file { r_file_perms execute };
+
+# Log fsck results
+allow vold fscklogs:dir rw_dir_perms;
+allow vold fscklogs:file create_file_perms;
+
+# Mount and unmount filesystems.
+allow vold labeledfs:filesystem { mount unmount remount };
+
+# Create and mount on /data/tmp_mnt and management of expansion mounts
+#
+# Also rename per-user encrypted directories such as /data/user/10 from their
+# temporary name ("10.new") to their final name ("10").
+allow vold {
+    system_data_file
+    system_data_root_file
+}:dir { create_dir_perms mounton };
+allow vold system_data_file:lnk_file getattr;
+
+# Vold create users in /data/vendor_{ce,de}/[0-9]+
+allow vold vendor_data_file:dir create_dir_perms;
+
+# for secdiscard
+allow vold system_data_file:file read;
+
+# Set scheduling policy of kernel processes
+allow vold kernel:process setsched;
+
+# ASEC
+allow vold asec_image_file:file create_file_perms;
+allow vold asec_image_file:dir rw_dir_perms;
+allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
+allow vold asec_public_file:dir { relabelto setattr };
+allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
+allow vold asec_public_file:file { relabelto setattr };
+# restorecon files in asec containers created on 4.2 or earlier.
+allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
+allow vold unlabeled:file { r_file_perms setattr relabelfrom };
+
+# Access to FUSE control filesystem to hard-abort FUSE mounts
+allow vold fusectlfs:file rw_file_perms;
+allow vold fusectlfs:dir rw_dir_perms;
+
+# Allow vold to use wake locks.  Needed for idle maintenance and moving storage.
+wakelock_use(vold)
+
+# Allow vold to publish a binder service and make binder calls.
+binder_use(vold)
+add_service(vold, vold_service)
+
+# Allow vold to call into the system server so it can check permissions.
+binder_call(vold, system_server)
+allow vold permission_service:service_manager find;
+
+# talk to health storage HAL
+hal_client_domain(vold, hal_health_storage)
+
+# talk to bootloader HAL
+full_treble_only(`hal_client_domain(vold, hal_bootctl)')
+
+# Access userdata block device.
+allow vold userdata_block_device:blk_file rw_file_perms;
+allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
+
+# Access zoned block device.
+allow vold zoned_block_device:blk_file rw_file_perms;
+
+# Access metadata block device used for encryption meta-data.
+allow vold metadata_block_device:blk_file rw_file_perms;
+allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;
+
+# Allow vold to manipulate /data/unencrypted
+allow vold unencrypted_data_file:{ file } create_file_perms;
+allow vold unencrypted_data_file:dir create_dir_perms;
+
+# Write to /proc/sys/vm/drop_caches
+allow vold proc_drop_caches:file w_file_perms;
+
+# Give vold a place where only vold can store files; everyone else is off limits
+allow vold vold_data_file:dir create_dir_perms;
+allow vold vold_data_file:file create_file_perms;
+
+# And a similar place in the metadata partition
+allow vold vold_metadata_file:dir create_dir_perms;
+allow vold vold_metadata_file:file create_file_perms;
+
+# linux keyring configuration
+allow vold init:key { write search setattr };
+allow vold vold:key { write search setattr };
+
+# vold temporarily changes its priority when running benchmarks
+allow vold self:global_capability_class_set sys_nice;
+
+# vold needs to chroot into app namespaces to remount when runtime permissions change
+allow vold self:global_capability_class_set sys_chroot;
+allow vold storage_file:dir mounton;
+
+# For AppFuse.
+allow vold fuse_device:chr_file rw_file_perms;
+allow vold fuse:filesystem { relabelfrom };
+allow vold app_fusefs:filesystem { relabelfrom relabelto };
+allow vold app_fusefs:filesystem { mount unmount };
+allow vold app_fuse_file:dir rw_dir_perms;
+allow vold app_fuse_file:file { read write open getattr append };
+
+# MoveStorage.cpp executes cp and rm
+allow vold toolbox_exec:file rx_file_perms;
+
+# Prepare profile dir for users.
+allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;
+
+# Raw writes to misc block device
+allow vold misc_block_device:blk_file w_file_perms;
+
+# vold might need to search or mount /mnt/vendor/*
+allow vold mnt_vendor_file:dir search;
+
+dontaudit vold self:global_capability_class_set sys_resource;
+
+# Allow ReadDefaultFstab().
+read_fstab(vold)
+
+# vold might need to search loopback apex files
+allow vold vendor_apex_file:file r_file_perms;
+
+###
+### Neverallow rules
+###
+
+neverallow {
+    domain
+    -system_server
+    -vdc
+    -vold
+    -update_verifier
+    -apexd
+    -gsid
+} vold_service:service_manager find;
+
 # Only vold should create (and delete) per-user directories like
 # /data/user/$userId.  This is very important, as these directories need to be
 # encrypted with per-user keys, which only vold can do.  Encryption can only be
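Review bot: `# XXX Label sysfs files with a specific type?` and the two `# TODO: deprecated in M` tags on the `{ sdcard_type fuse }` mounton / mount rules are carried into the private policy verbatim, with no bug reference. Moving the rules is the natural moment to either replace each tag with the reason the rule is still needed or drop the rule; a bare `XXX` in a now-private file will otherwise survive indefinitely. The hunk ends inside the comment block beginning `# Only vold should create (and delete) per-user directories`, whose rule lies outside the hunk.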
@@ -99,3 +379,78 @@
     remove_name
     write
 };
+
+# Only vold and init should ever set file-based encryption policies.
+neverallowxperm {
+  domain
+  -vold
+  -init
+  -vendor_init
+} data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };
+
+# Only vold should ever add/remove file-based encryption keys.
+neverallowxperm {
+  domain
+  -vold
+} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY FS_IOC_GET_ENCRYPTION_KEY_STATUS };
+
+neverallow {
+    domain
+    -vold
+    -vold_prepare_subdirs
+} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };
+
+neverallow {
+    domain
+    -init
+    -vold
+    -vold_prepare_subdirs
+} vold_data_file:dir *;
+
+neverallow {
+    domain
+    -init
+    -vold
+} vold_metadata_file:dir *;
+
+neverallow {
+    domain
+    -kernel
+    -vold
+    -vold_prepare_subdirs
+} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+    domain
+    -init
+    -vold
+    -vold_prepare_subdirs
+} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+    domain
+    -init
+    -kernel
+    -vold
+    -vold_prepare_subdirs
+} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
+
+neverallow { domain -vold -init } restorecon_prop:property_service set;
+
+neverallow vold {
+  domain
+  -hal_health_storage_server
+  -hal_keymaster_server
+  -system_suspend_server
+  -hal_bootctl_server
+  -hwservicemanager
+  -keystore
+  -servicemanager
+  -system_server
+  userdebug_or_eng(`-su')
+}:binder call;
+
+neverallow vold fsck_exec:file execute_no_trans;
+neverallow { domain -init } vold:process { transition dyntransition };
+neverallow vold *:process ptrace;
+neverallow vold *:rawip_socket *;
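Review bot: The comment "Only vold should ever add/remove file-based encryption keys" under-describes the neverallowxperm below it, whose ioctl set also contains FS_IOC_GET_ENCRYPTION_KEY_STATUS; suggest `# Only vold should ever add/remove/query file-based encryption keys.` so the comment matches the rule. The three notdevfile_class_set neverallows exempt different domains — kernel is left unrestricted on vold_data_file while init is left unrestricted on vold_metadata_file — and nothing in the hunk says why; a one-line comment above each naming the intended exemption would keep a later edit from silently widening either set. The `neverallow { domain -vold -init } restorecon_prop:property_service set;` line is likewise uncommented. The neverallow whose tail (`remove_name write };`) opens this hunk begins outside it.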
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index ddb2828..4d8c802 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -1,5 +1,6 @@
 domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)
 
+typeattribute vold_prepare_subdirs coredomain;
 typeattribute vold_prepare_subdirs mlstrustedsubject;
 
 allow vold_prepare_subdirs system_file:file execute_no_trans;
diff --git a/private/watchdogd.te b/private/watchdogd.te
index 91ece70..509e950 100644
--- a/private/watchdogd.te
+++ b/private/watchdogd.te
@@ -1,3 +1,6 @@
 typeattribute watchdogd coredomain;
 
 init_daemon_domain(watchdogd)
+
+allow watchdogd watchdog_device:chr_file rw_file_perms;
+allow watchdogd kmsg_device:chr_file rw_file_perms;
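Review bot: `rw_file_perms` on kmsg_device grants watchdogd open/read of /dev/kmsg as well as write; if the daemon only emits log lines there, `allow watchdogd kmsg_device:chr_file w_file_perms;` is the least-privilege form. As far as I recall, reading the kernel log is separately gated by syslog_read on kernel:system, so the extra read bit is probably inert today, but a grant narrower than what is used is cheaper than explaining a wider one later. The file carries no comments at all; `# pet /dev/watchdog` and `# log to /dev/kmsg` on the two allow lines would say what each is for.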
diff --git a/private/wificond.te b/private/wificond.te
index 3fdaca2..0461573 100644
--- a/private/wificond.te
+++ b/private/wificond.te
@@ -9,3 +9,41 @@
 allow wificond legacykeystore_service:service_manager find;
 
 init_daemon_domain(wificond)
+
+binder_use(wificond)
+binder_call(wificond, system_server)
+binder_call(wificond, keystore)
+
+add_service(wificond, wifinl80211_service)
+hal_client_domain(wificond, hal_nlinterceptor)
+
+# create sockets to set interfaces up and down
+allow wificond self:udp_socket create_socket_perms;
+# setting interface state up/down is a privileged ioctl
+allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR };
+allow wificond self:global_capability_class_set { net_admin net_raw };
+# allow wificond to speak to nl80211 in the kernel
+allow wificond self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
+allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+r_dir_file(wificond, proc_net_type)
+
+# allow wificond to check permission for dumping logs
+allow wificond permission_service:service_manager find;
+
+# dumpstate support
+allow wificond dumpstate:fd use;
+allow wificond dumpstate:fifo_file write;
+
+#### Offer the Wifi Keystore HwBinder service ###
+hwbinder_use(wificond)
+typeattribute wificond wifi_keystore_service_server;
+add_hwservice(wificond, system_wifi_keystore_hwservice)
+
+# Allow keystore2 binder access to serve the HwBinder service.
+allow wificond keystore_service:service_manager find;
+allow wificond wifi_key:keystore2_key {
+    get_info
+    use
+};
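Review bot: The comment "setting interface state up/down is a privileged ioctl" covers SIOCSIFFLAGS but not SIOCSIFHWADDR, which changes the interface hardware (MAC) address and is the more sensitive of the two; and the capability line below grants net_raw next to net_admin with no stated reason. Suggest `# SIOCSIFFLAGS: interface up/down; SIOCSIFHWADDR: set MAC address — both privileged` on the allowxperm, and a note on the capability line such as `# net_raw: needed for … — confirm which socket use requires it`, filled in if the reason is known, so neither grant is dropped or widened by accident. The remark "newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets" on the netlink_generic_socket rule is stale and could simply say the class exists on all supported kernels.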
diff --git a/public/adbd.te b/public/adbd.te
index 5056b35..36e4bd3 100644
--- a/public/adbd.te
+++ b/public/adbd.te
@@ -3,11 +3,6 @@
 type adbd, domain;
 type adbd_exec, exec_type, file_type, system_file_type;
 
-# Only init is allowed to enter the adbd domain via exec()
-neverallow { domain -init } adbd:process transition;
-neverallow * adbd:process dyntransition;
-
-# Access /data/local/tests.
-allow adbd shell_test_data_file:dir create_dir_perms;
-allow adbd shell_test_data_file:file create_file_perms;
-allow adbd shell_test_data_file:lnk_file create_file_perms;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
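Review bot: Dropping `neverallow { domain -init } adbd:process transition;` and `neverallow * adbd:process dyntransition;` from public silently loosens policy unless private/adbd.te carries them, and that file is not in this diff. A missing allow shows up as a denial at runtime, but a missing neverallow produces no signal at all, so the move needs a one-for-one check rather than trust. Suggest stating in the commit description that each removed neverallow (and the shell_test_data_file allows) was re-added in private/adbd.te, or including that file in the same change.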
diff --git a/public/aidl_lazy_test_server.te b/public/aidl_lazy_test_server.te
index 626d008..2d3b7e7 100644
--- a/public/aidl_lazy_test_server.te
+++ b/public/aidl_lazy_test_server.te
@@ -1,9 +1,6 @@
 type aidl_lazy_test_server, domain;
 type aidl_lazy_test_server_exec, exec_type, file_type, system_file_type;
 
-userdebug_or_eng(`
-  binder_use(aidl_lazy_test_server)
-  binder_call(aidl_lazy_test_server, binderservicedomain)
-
-  add_service(aidl_lazy_test_server, aidl_lazy_test_service)
-')
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/apexd.te b/public/apexd.te
index 53bc569..1964bbe 100644
--- a/public/apexd.te
+++ b/public/apexd.te
@@ -2,10 +2,6 @@
 type apexd, domain;
 type apexd_exec, exec_type, file_type, system_file_type;
 
-binder_use(apexd)
-add_service(apexd, apex_service)
-
-neverallow { domain -init -apexd -system_server -update_engine } apex_service:service_manager find;
-neverallow { domain -init -apexd -system_server -servicemanager -update_engine } apexd:binder call;
-
-neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/app.te b/public/app.te
index b539913..864557d 100644
--- a/public/app.te
+++ b/public/app.te
@@ -8,219 +8,6 @@
 ###
 type appdomain_tmpfs, file_type;
 
-###
-### Neverallow rules
-###
-### These are things that Android apps should NEVER be able to do
-###
-
-# Superuser capabilities.
-# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
-neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
-
-# Block device access.
-neverallow appdomain dev_type:blk_file { read write };
-
-# Note: Try expanding list of app domains in the future.
-neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
-
-neverallow { appdomain -nfc } nfc_device:chr_file
-    { read write };
-neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
-    { read write };
-neverallow appdomain tee_device:chr_file { read write };
-
-# Privileged netlink socket interfaces.
-neverallow { appdomain -network_stack }
-    domain:{
-        netlink_tcpdiag_socket
-        netlink_nflog_socket
-        netlink_xfrm_socket
-        netlink_audit_socket
-        netlink_dnrt_socket
-    } *;
-
-# These messages are broadcast messages from the kernel to userspace.
-# Do not allow the writing of netlink messages, which has been a source
-# of rooting vulns in the past.
-neverallow { appdomain -network_stack }
-    domain:netlink_kobject_uevent_socket { write append };
-
-# Sockets under /dev/socket that are not specifically typed.
-neverallow appdomain socket_device:sock_file write;
-
-# Unix domain sockets.
-neverallow appdomain adbd_socket:sock_file write;
-neverallow { appdomain -radio } rild_socket:sock_file write;
-
-# ptrace access to non-app domains.
-neverallow appdomain { domain -appdomain }:process ptrace;
-
-# The Android security model guarantees the confidentiality and integrity
-# of application data and execution state. Ptrace bypasses those
-# confidentiality guarantees. Disallow ptrace access from system components
-# to apps. Crash_dump is excluded, as it needs ptrace access to
-# produce stack traces.  llkd is excluded, as it needs ptrace access to
-# inspect stack traces for live lock conditions.
-
-neverallow {
-  domain
-  -appdomain
-  -crash_dump
-  userdebug_or_eng(`-llkd')
-} appdomain:process ptrace;
-
-# Read or write access to /proc/pid entries for any non-app domain.
-# A different form of hidepid=2 like protections
-neverallow appdomain { domain -appdomain }:file no_w_file_perms;
-neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;
-
-# signal access to non-app domains.
-# sigchld allowed for parent death notification.
-# signull allowed for kill(pid, 0) existence test.
-# All others prohibited.
-# -perfetto is to allow shell (which is an appdomain) to kill perfetto
-# (see private/shell.te).
-neverallow appdomain { domain -appdomain -perfetto }:process
-    { sigkill sigstop signal };
-
-# Write to rootfs.
-neverallow appdomain rootfs:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to /system.
-neverallow appdomain system_file_type:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to entrypoint executables.
-neverallow appdomain exec_type:file
-    { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to system-owned parts of /data.
-# This is the default type for anything under /data not otherwise
-# specified in file_contexts.  Define a different type for portions
-# that should be writable by apps.
-neverallow appdomain system_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to various other parts of /data.
-neverallow appdomain drm_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
-    apk_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
-    apk_private_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
-    apk_private_tmp_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -shell }
-    shell_data_file:dir_file_class_set
-    { create setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -bluetooth }
-    bluetooth_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { domain -credstore -init } credstore_data_file:dir_file_class_set *;
-neverallow appdomain
-    keystore_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
-    systemkeys_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
-    wifi_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
-    dhcp_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-
-# access tmp apk files
-neverallow { appdomain -platform_app }
-    apk_tmp_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-
-neverallow { appdomain -untrusted_app_all -platform_app -priv_app -isolated_app_all }
-    { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
-
-neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
-neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
-
-# Access to factory files.
-neverallow appdomain efs_file:dir_file_class_set write;
-neverallow { appdomain -shell } efs_file:dir_file_class_set read;
-
-# Write to various pseudo file systems.
-neverallow { appdomain -bluetooth -nfc }
-    sysfs:dir_file_class_set write;
-neverallow appdomain
-    proc:dir_file_class_set write;
-
-# Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
-
-# SELinux is not an API for apps to use
-neverallow { appdomain -shell } *:security { compute_av check_context };
-neverallow { appdomain -shell } *:netlink_selinux_socket *;
-
-# Ability to perform any filesystem operation other than statfs(2).
-# i.e. no mount(2), unmount(2), etc.
-neverallow appdomain fs_type:filesystem ~getattr;
-
-# prevent creation/manipulation of globally readable symlinks
-neverallow appdomain {
-  apk_data_file
-  cache_file
-  cache_recovery_file
-  dev_type
-  rootfs
-  system_file
-  tmpfs
-}:lnk_file no_w_file_perms;
-
-# Applications should use the activity model for receiving events
-neverallow {
-  appdomain
-  -shell # bugreport
-} input_device:chr_file ~getattr;
-
-# Do not allow access to Bluetooth-related system properties except for a few allowed domains.
-# neverallow rules for access to Bluetooth-related data files are above.
-neverallow {
-  appdomain
-  -bluetooth
-  -system_app
-} { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
-
-# allow system_app to access Nfc-related system properties.
-set_prop(system_app, nfc_prop)
-
-# allow system_app to access radio_config system properties.
-set_prop(system_app, radio_control_prop)
-
-# Apps cannot access proc_uid_time_in_state
-neverallow appdomain proc_uid_time_in_state:file *;
-
-# Apps cannot access proc_uid_concurrent_active_time
-neverallow appdomain proc_uid_concurrent_active_time:file *;
-
-# Apps cannot access proc_uid_concurrent_policy_time
-neverallow appdomain proc_uid_concurrent_policy_time:file *;
-
-# Apps cannot access proc_uid_cpupower
-neverallow appdomain proc_uid_cpupower:file *;
-
-# Apps may not read /proc/net/{tcp,tcp6,udp,udp6}. These files leak information across the
-# application boundary. VPN apps may use the ConnectivityManager.getConnectionOwnerUid() API to
-# perform UID lookups.
-neverallow { appdomain -shell } proc_net_tcp_udp:file *;
-
-# Apps cannot access bootstrap files. The bootstrap files are only for
-# extremely early processes (like init, etc.) which are started before
-# the runtime APEX is activated and Bionic libs are provided from there.
-# If app process accesses (or even load/execute) the bootstrap files,
-# it might cause problems such as ODR violation, etc.
-neverallow appdomain system_bootstrap_lib_file:file
-    { open read write append execute execute_no_trans map };
-neverallow appdomain system_bootstrap_lib_file:dir
-    { open read getattr search };
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
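Review bot: The appdomain neverallows removed here — capabilities, block devices, netlink writes, ptrace, /system and /data writes, filesystem mounts, symlinks, bootstrap libs — are the enforceable definition of the app sandbox, and nothing on the new side shows where they went; their private-side counterparts should be verified line-for-line, which cannot be done from this diff. The removed block also contains two plain grants, `set_prop(system_app, nfc_prop)` and `set_prop(system_app, radio_control_prop)`, which belong in private/system_app.te rather than travelling with the app-wide neverallows. A note in the commit description naming the private file each removed group landed in would make the check possible from the diff alone.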
diff --git a/public/app_zygote.te b/public/app_zygote.te
index 4c1ec96..5c649d2 100644
--- a/public/app_zygote.te
+++ b/public/app_zygote.te
@@ -1,6 +1,9 @@
 # app_zygote is an auxiliary zygote process that is used to spawn
 # isolated service processes for individual applications. It is
 # spawned from the regular zygote process as a "child zygote".
-
 type app_zygote, domain;
 type app_zygote_tmpfs, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/artd.te b/public/artd.te
index 0731adc..3cf8aa0 100644
--- a/public/artd.te
+++ b/public/artd.te
@@ -1,2 +1,6 @@
 # ART service daemon.
 type artd, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/asan_extract.te b/public/asan_extract.te
index d8a1b73..cf160d0 100644
--- a/public/asan_extract.te
+++ b/public/asan_extract.te
@@ -6,28 +6,8 @@
 with_asan(`
   type asan_extract, domain, coredomain;
   type asan_extract_exec, exec_type, file_type, system_file_type;
-
-  # Allow asan_extract to execute itself using #!/system/bin/sh
-  allow asan_extract shell_exec:file rx_file_perms;
-
-  # We execute log, rm, gzip and tar.
-  allow asan_extract toolbox_exec:file rx_file_perms;
-  allow asan_extract system_file:file execute_no_trans;
-
-  # asan_extract deletes old /data/lib.
-  allow asan_extract system_file:dir { open read remove_name rmdir write };
-  allow asan_extract system_file:file unlink;
-
-  # asan_extract untars ASAN libraries into /data.
-  allow asan_extract system_data_file:dir create_dir_perms ;
-  allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;
-
-  # Relabel the libraries with restorecon.
-  allow asan_extract file_contexts_file:file r_file_perms;
-  allow asan_extract system_data_file:{ dir file } relabelfrom;
-  allow asan_extract system_file:dir { relabelto setattr };
-  allow asan_extract system_file:file relabelto;
-
-  # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
-  allow asan_extract system_data_file:file execute;
 ')
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/atrace.te b/public/atrace.te
index 7327f84..26387c6 100644
--- a/public/atrace.te
+++ b/public/atrace.te
@@ -1 +1,5 @@
 type atrace, domain, coredomain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/audioserver.te b/public/audioserver.te
index d593567..64a283d 100644
--- a/public/audioserver.te
+++ b/public/audioserver.te
@@ -2,9 +2,6 @@
 type audioserver, domain;
 type audioserver_tmpfs, file_type;
 
-# Allow audioserver to signal audio HAL processes and dump their stacks.
-allow audioserver hal_audio_server:process signal;
-
-# Allow audioserver to access sensorservice.
-allow audioserver sensorservice_service:service_manager find;
-allow audioserver system_server:unix_stream_socket { read write };
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/blkid.te b/public/blkid.te
index dabe014..4e92e72 100644
--- a/public/blkid.te
+++ b/public/blkid.te
@@ -1,2 +1,6 @@
 # blkid called from vold
 type blkid, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/bluetooth.te b/public/bluetooth.te
index 9b3442a..ff868a8 100644
--- a/public/bluetooth.te
+++ b/public/bluetooth.te
@@ -1,2 +1,6 @@
 # bluetooth subsystem
 type bluetooth, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/bootanim.te b/public/bootanim.te
index 239393c..47f1160 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -2,45 +2,6 @@
 type bootanim, domain;
 type bootanim_exec, system_file_type, exec_type, file_type;
 
-hal_client_domain(bootanim, hal_configstore)
-hal_client_domain(bootanim, hal_graphics_allocator)
-hal_client_domain(bootanim, hal_graphics_composer)
-
-binder_use(bootanim)
-binder_call(bootanim, surfaceflinger)
-binder_call(bootanim, audioserver)
-
-hwbinder_use(bootanim)
-
-allow bootanim gpu_device:chr_file rw_file_perms;
-allow bootanim gpu_device:dir r_dir_perms;
-allow bootanim sysfs_gpu:file r_file_perms;
-
-# /oem access
-allow bootanim oemfs:dir r_dir_perms;
-# boot animations on oem are stored with specific label
-allow bootanim bootanim_oem_file:file r_file_perms;
-
-allow bootanim audio_device:dir r_dir_perms;
-allow bootanim audio_device:chr_file rw_file_perms;
-
-allow bootanim audioserver_service:service_manager find;
-allow bootanim surfaceflinger_service:service_manager find;
-allow bootanim surfaceflinger:unix_stream_socket { read write };
-
-# Allow access to ion memory allocation device
-allow bootanim ion_device:chr_file rw_file_perms;
-
-# Allow access to DMA-BUF system heap
-allow bootanim dmabuf_system_heap_device:chr_file r_file_perms;
-
-allow bootanim hal_graphics_allocator:fd use;
-
-# Fences
-allow bootanim hal_graphics_composer:fd use;
-
-# Read access to pseudo filesystems.
-allow bootanim proc_meminfo:file r_file_perms;
-
-# System file accesses.
-allow bootanim system_file:dir r_dir_perms;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/bootstat.te b/public/bootstat.te
index 5079c28..437f6bc 100644
--- a/public/bootstat.te
+++ b/public/bootstat.te
@@ -2,31 +2,6 @@
 type bootstat, domain;
 type bootstat_exec, system_file_type, exec_type, file_type;
 
-read_runtime_log_tags(bootstat)
-
-# Allow persistent storage in /data/misc/bootstat.
-allow bootstat bootstat_data_file:dir rw_dir_perms;
-allow bootstat bootstat_data_file:file create_file_perms;
-
-allow bootstat metadata_file:dir search;
-allow bootstat metadata_bootstat_file:dir rw_dir_perms;
-allow bootstat metadata_bootstat_file:file create_file_perms;
-
-# ToDo: TBI move access for the following to a system health HAL
-
-# Allow access to /sys/fs/pstore/ and syslog
-allow bootstat pstorefs:dir search;
-allow bootstat pstorefs:file r_file_perms;
-allow bootstat kernel:system syslog_read;
-
-# Allow access to reading the logs to read aspects of system health
-read_logd(bootstat)
-
-# Allow bootstat write to statsd.
-unix_socket_send(bootstat, statsdw, statsd)
-
-neverallow {
-  domain
-  -bootstat
-  -init
-} system_boot_reason_prop:property_service set;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/bpfloader.te b/public/bpfloader.te
index 81c32ee..4aae1cf 100644
--- a/public/bpfloader.te
+++ b/public/bpfloader.te
@@ -1 +1,5 @@
 type bpfloader, domain, coredomain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/bufferhubd.te b/public/bufferhubd.te
index 37edb5d..e688d5c 100644
--- a/public/bufferhubd.te
+++ b/public/bufferhubd.te
@@ -2,24 +2,6 @@
 type bufferhubd, domain, mlstrustedsubject;
 type bufferhubd_exec, system_file_type, exec_type, file_type;
 
-hal_client_domain(bufferhubd, hal_graphics_allocator)
-
-# TODO(b/112338294): remove these after migrate to Binder
-pdx_server(bufferhubd, bufferhub_client)
-pdx_client(bufferhubd, performance_client)
-
-# Access the GPU.
-allow bufferhubd gpu_device:chr_file rw_file_perms;
-
-# Access /dev/ion
-allow bufferhubd ion_device:chr_file r_file_perms;
-
-# Receive sync fence FDs from hal_omx_server. Note that hal_omx_server never directly
-# connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between
-# those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
-# Thus, there is no need to use pdx_client macro.
-allow bufferhubd hal_omx_server:fd use;
-
-# Codec2 is similar to OMX
-allow bufferhubd hal_codec2_server:fd use;
-
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 07b7c33..619b386 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -3,85 +3,6 @@
 type cameraserver_exec, system_file_type, exec_type, file_type;
 type cameraserver_tmpfs, file_type;
 
-binder_use(cameraserver)
-binder_call(cameraserver, binderservicedomain)
-binder_call(cameraserver, appdomain)
-binder_service(cameraserver)
-
-hal_client_domain(cameraserver, hal_camera)
-
-hal_client_domain(cameraserver, hal_graphics_allocator)
-
-allow cameraserver ion_device:chr_file rw_file_perms;
-allow cameraserver dmabuf_system_heap_device:chr_file r_file_perms;
-
-# Talk with graphics composer fences
-allow cameraserver hal_graphics_composer:fd use;
-
-add_service(cameraserver, cameraserver_service)
-add_service(cameraserver, fwk_camera_service)
-add_hwservice(cameraserver, fwk_camera_hwservice)
-
-allow cameraserver activity_service:service_manager find;
-allow cameraserver appops_service:service_manager find;
-allow cameraserver audioserver_service:service_manager find;
-allow cameraserver batterystats_service:service_manager find;
-allow cameraserver cameraproxy_service:service_manager find;
-allow cameraserver mediaserver_service:service_manager find;
-allow cameraserver package_native_service:service_manager find;
-allow cameraserver permission_checker_service:service_manager find;
-allow cameraserver processinfo_service:service_manager find;
-allow cameraserver scheduling_policy_service:service_manager find;
-allow cameraserver sensor_privacy_service:service_manager find;
-allow cameraserver surfaceflinger_service:service_manager find;
-
-allow cameraserver hidl_token_hwservice:hwservice_manager find;
-allow cameraserver hal_camera_service:service_manager find;
-allow cameraserver virtual_camera_service:service_manager find;
-
-# Allow to talk with surfaceflinger through unix stream socket
-allow cameraserver surfaceflinger:unix_stream_socket { read write };
-
-###
-### neverallow rules
-###
-
-# cameraserver should never execute any executable without a
-# domain transition
-neverallow cameraserver { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow cameraserver domain:{ udp_socket rawip_socket } *;
-neverallow cameraserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
-
-# Allow shell commands from ADB for CTS testing/dumping
-allow cameraserver adbd:fd use;
-allow cameraserver adbd:unix_stream_socket { read write };
-allow cameraserver shell:fd use;
-allow cameraserver shell:unix_stream_socket { read write };
-allow cameraserver shell:fifo_file { read write };
-
-# allow self to set SCHED_FIFO
-allow cameraserver self:global_capability_class_set sys_nice;
-
-# Allow to talk with media codec
-allow cameraserver mediametrics_service:service_manager find;
-hal_client_domain(cameraserver, hal_codec2)
-hal_client_domain(cameraserver, hal_omx)
-hal_client_domain(cameraserver, hal_allocator)
-
-# Allow shell commands from ADB for CTS testing/dumping
-userdebug_or_eng(`
-  allow cameraserver su:fd use;
-  allow cameraserver su:fifo_file { read write };
-  allow cameraserver su:unix_stream_socket { read write };
-')
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/charger.te b/public/charger.te
index 418dff9..4514fde 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -1,5 +1,6 @@
 type charger, charger_type, domain;
 type charger_exec, system_file_type, exec_type, file_type;
 
-# The system charger is a client of HIDL health HAL.
-hal_client_domain(charger, hal_health)
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/charger_type.te b/public/charger_type.te
deleted file mode 100644
index 4241360..0000000
--- a/public/charger_type.te
+++ /dev/null
@@ -1,37 +0,0 @@
-# Write to /dev/kmsg
-allow charger_type kmsg_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(charger_type, rootfs)
-r_dir_file(charger_type, cgroup)
-r_dir_file(charger_type, cgroup_v2)
-
-# Allow to read /sys/class/power_supply directory
-allow charger_type sysfs_type:dir r_dir_perms;
-
-allow charger_type self:global_capability_class_set {
-    sys_boot
-    sys_tty_config
-};
-
-wakelock_use(charger_type)
-
-allow charger_type self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Read/write to /sys/power/state
-allow charger_type sysfs_power:file rw_file_perms;
-
-r_dir_file(charger_type, sysfs_batteryinfo)
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow charger_type pstorefs:dir r_dir_perms;
-allow charger_type pstorefs:file r_file_perms;
-
-allow charger_type graphics_device:dir r_dir_perms;
-allow charger_type graphics_device:chr_file rw_file_perms;
-allow charger_type input_device:dir r_dir_perms;
-allow charger_type input_device:chr_file r_file_perms;
-allow charger_type tty_device:chr_file rw_file_perms;
-allow charger_type proc_sysrq:file rw_file_perms;
diff --git a/public/charger_vendor.te b/public/charger_vendor.te
index d8f3bb2..dd8d020 100644
--- a/public/charger_vendor.te
+++ b/public/charger_vendor.te
@@ -1,6 +1,6 @@
 # Context when health HAL runs charger mode
-
 type charger_vendor, charger_type, domain;
-hal_server_domain(charger_vendor, hal_health)
 
-typeattribute charger_vendor bpfdomain;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/crash_dump.te b/public/crash_dump.te
index 45269c3..3146ac4 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -1,80 +1,6 @@
 type crash_dump, domain;
 type crash_dump_exec, system_file_type, exec_type, file_type;
 
-# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
-# which will result in an audit log even when it's allowed to trace.
-dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
-
-userdebug_or_eng(`
-  allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
-
-  # Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up.
-  allow crash_dump kmsg_debug_device:chr_file { open append };
-')
-
-# Use inherited file descriptors
-allow crash_dump domain:fd use;
-
-# Read/write IPC pipes inherited from crashing processes.
-allow crash_dump domain:fifo_file { read write };
-
-# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
-allow crash_dump domain:fifo_file { append };
-
-# Read information from /proc/$PID.
-allow crash_dump domain:process getattr;
-
-r_dir_file(crash_dump, domain)
-allow crash_dump exec_type:file r_file_perms;
-
-# Read /data/dalvik-cache.
-allow crash_dump dalvikcache_data_file:dir { search getattr };
-allow crash_dump dalvikcache_data_file:file r_file_perms;
-
-# Read APEX data directories.
-allow crash_dump apex_module_data_file:dir { getattr search };
-
-# Read uptime
-allow crash_dump proc_uptime:file r_file_perms;
-
-# Read APK files.
-r_dir_file(crash_dump, apk_data_file);
-
-# Read all /vendor
-r_dir_file(crash_dump, { vendor_file same_process_hal_file })
-
-# Read all /data/local/tests
-r_dir_file(crash_dump, shell_test_data_file)
-
-# Talk to tombstoned
-unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
-
-# Talk to ActivityManager.
-unix_socket_connect(crash_dump, system_ndebug, system_server)
-
-# Append to ANR files.
-allow crash_dump anr_data_file:file { append getattr };
-
-# Append to tombstone files.
-allow crash_dump tombstone_data_file:file { append getattr };
-
-# crash_dump writes out logcat logs at the bottom of tombstones,
-# which is super useful in some cases.
-unix_socket_connect(crash_dump, logdr, logd)
-
-# Crash dump is not intended to access the following files. Since these
-# are WAI, suppress the denials to clean up the logs.
-dontaudit crash_dump {
-  core_data_file_type
-  vendor_file_type
-}:dir search;
-dontaudit crash_dump system_data_file:{ lnk_file file } read;
-dontaudit crash_dump property_type:file read;
-
-###
-### neverallow assertions
-###
-
-# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
-# Do not allow the execution of crash_dump without a domain transition.
-neverallow domain crash_dump_exec:file execute_no_trans;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
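Review bot: The removed block ends with `neverallow domain crash_dump_exec:file execute_no_trans;`, the assertion that crash_dump is only ever entered through a domain transition, and this hunk does not show where that rule lands; confirm it is re-added under private/ in the same change rather than dropped, since without it the build no longer rejects a policy that lets some domain exec crash_dump in place. The same check applies to the neverallow block of the deleted public/domain.te, whose hunk continues past this view. The three-line header added here is identical to the one added to every other public file in this change; a one-line `# See system/sepolicy/private/ for rules; public/ holds only vendor-facing type and attribute definitions.` would carry the same instruction with less repetition, though matching the existing files is also a defensible choice.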
diff --git a/public/credstore.te b/public/credstore.te
index 97d942d..faa23e9 100644
--- a/public/credstore.te
+++ b/public/credstore.te
@@ -1,19 +1,7 @@
+# credstore daemon
 type credstore, domain;
 type credstore_exec, system_file_type, exec_type, file_type;
 
-# credstore daemon
-binder_use(credstore)
-binder_service(credstore)
-binder_call(credstore, system_server)
-
-allow credstore credstore_data_file:dir create_dir_perms;
-allow credstore credstore_data_file:file create_file_perms;
-
-add_service(credstore, credstore_service)
-allow credstore sec_key_att_app_id_provider_service:service_manager find;
-allow credstore dropbox_service:service_manager find;
-allow credstore authorization_service:service_manager find;
-allow credstore keystore:keystore2 get_auth_token;
-
-r_dir_file(credstore, cgroup)
-r_dir_file(credstore, cgroup_v2)
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/device.te b/public/device.te
index f842d33..beafdf2 100644
--- a/public/device.te
+++ b/public/device.te
@@ -137,3 +137,7 @@
 
 # vfio device
 type vfio_device, dev_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/dhcp.te b/public/dhcp.te
index 1d875ab..0c1fa30 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -1,28 +1,6 @@
 type dhcp, domain;
 type dhcp_exec, system_file_type, exec_type, file_type;
 
-net_domain(dhcp)
-
-allow dhcp cgroup:dir { create write add_name };
-allow dhcp cgroup_v2:dir { create write add_name };
-allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
-allow dhcp self:packet_socket create_socket_perms_no_ioctl;
-allow dhcp self:netlink_route_socket nlmsg_write;
-allow dhcp shell_exec:file rx_file_perms;
-allow dhcp system_file:file rx_file_perms;
-not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
-
-# dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
-allow dhcp toolbox_exec:file rx_file_perms;
-
-# For /proc/sys/net/ipv4/conf/*/promote_secondaries
-allow dhcp proc_net_type:file write;
-
-allow dhcp dhcp_data_file:dir create_dir_perms;
-allow dhcp dhcp_data_file:file create_file_perms;
-
-# PAN connections
-allow dhcp netd:fd use;
-allow dhcp netd:fifo_file rw_file_perms;
-allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
-allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/dnsmasq.te b/public/dnsmasq.te
index d189c89..08ce653 100644
--- a/public/dnsmasq.te
+++ b/public/dnsmasq.te
@@ -2,24 +2,6 @@
 type dnsmasq, domain;
 type dnsmasq_exec, system_file_type, exec_type, file_type;
 
-net_domain(dnsmasq)
-allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
-
-# TODO:  Run with dhcp group to avoid need for dac_override.
-allow dnsmasq self:global_capability_class_set { dac_override dac_read_search };
-
-allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
-
-allow dnsmasq dhcp_data_file:dir w_dir_perms;
-allow dnsmasq dhcp_data_file:file create_file_perms;
-
-# Inherit and use open files from netd.
-allow dnsmasq netd:fd use;
-allow dnsmasq netd:fifo_file { getattr read write };
-# TODO: Investigate whether these inherited sockets should be closed on exec.
-allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
-allow dnsmasq netd:netlink_nflog_socket { read write };
-allow dnsmasq netd:netlink_route_socket { read write };
-allow dnsmasq netd:unix_stream_socket { getattr read write };
-allow dnsmasq netd:unix_dgram_socket { read write };
-allow dnsmasq netd:udp_socket { read write };
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/domain.te b/public/domain.te
deleted file mode 100644
index db3261e..0000000
--- a/public/domain.te
+++ /dev/null
@@ -1,1299 +0,0 @@
-# Rules for all domains.
-
-# Allow reaping by init.
-allow domain init:process sigchld;
-
-# Intra-domain accesses.
-allow domain self:process {
-    fork
-    sigchld
-    sigkill
-    sigstop
-    signull
-    signal
-    getsched
-    setsched
-    getsession
-    getpgid
-    setpgid
-    getcap
-    setcap
-    getattr
-    setrlimit
-};
-allow domain self:fd use;
-allow domain proc:dir r_dir_perms;
-allow domain proc_net_type:dir search;
-r_dir_file(domain, self)
-allow domain self:{ fifo_file file } rw_file_perms;
-allow domain self:unix_dgram_socket { create_socket_perms sendto };
-allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
-
-# Inherit or receive open files from others.
-allow domain init:fd use;
-
-userdebug_or_eng(`
-  allow domain su:fd use;
-  allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown };
-  allow domain su:unix_dgram_socket sendto;
-
-  allow { domain -init } su:binder { call transfer };
-
-  # Running something like "pm dump com.android.bluetooth" requires
-  # fifo writes
-  allow domain su:fifo_file { write getattr };
-
-  # allow "gdbserver --attach" to work for su.
-  allow domain su:process sigchld;
-
-  # Allow writing coredumps to /cores/*
-  allow domain coredump_file:file create_file_perms;
-  allow domain coredump_file:dir ra_dir_perms;
-')
-
-with_native_coverage(`
-  # Allow writing coverage information to /data/misc/trace
-  allow domain method_trace_data_file:dir create_dir_perms;
-  allow domain method_trace_data_file:file create_file_perms;
-')
-
-# Allow everyone to read aconfig flags
-get_prop(domain, device_config_aconfig_flags_prop);
-
-# Root fs.
-allow domain tmpfs:dir { getattr search };
-allow domain rootfs:dir search;
-allow domain rootfs:lnk_file { read getattr };
-
-# Device accesses.
-allow domain device:dir search;
-allow domain dev_type:lnk_file r_file_perms;
-allow domain devpts:dir search;
-allow domain dmabuf_heap_device:dir r_dir_perms;
-allow domain socket_device:dir r_dir_perms;
-allow domain owntty_device:chr_file rw_file_perms;
-allow domain null_device:chr_file rw_file_perms;
-allow domain zero_device:chr_file rw_file_perms;
-
-# /dev/ashmem is being deprecated by means of constraining and eventually
-# removing all "open" permissions. We preserve the other permissions.
-allow domain ashmem_device:chr_file { getattr read ioctl lock map append write };
-# This device is used by libcutils, which is accessible to everyone.
-allow domain ashmem_libcutils_device:chr_file rw_file_perms;
-
-# /dev/binder can be accessed by ... everyone! :)
-allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
-get_prop({domain -hwservicemanager -vndservicemanager }, servicemanager_prop)
-
-# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
-# added to individual domains, but this sets safe defaults for all processes.
-allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };
-
-# /dev/binderfs needs to be accessed by everyone too!
-allow domain binderfs:dir { getattr search };
-allow domain binderfs_logs_proc:dir search;
-allow domain binderfs_features:dir search;
-allow domain binderfs_features:file r_file_perms;
-
-allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
-allow domain ptmx_device:chr_file rw_file_perms;
-allow domain random_device:chr_file rw_file_perms;
-allow domain proc_random:dir r_dir_perms;
-allow domain proc_random:file r_file_perms;
-allow domain properties_device:dir { search getattr };
-allow domain properties_serial:file r_file_perms;
-allow domain property_info:file r_file_perms;
-
-# Let everyone read log properties, so that liblog can avoid sending unloggable
-# messages to logd.
-get_prop(domain, log_property_type)
-dontaudit domain property_type:file audit_access;
-allow domain property_contexts_file:file r_file_perms;
-
-allow domain init:key search;
-allow domain vold:key search;
-
-# logd access
-write_logd(domain)
-
-# Directory/link file access for path resolution.
-allow domain {
-    system_file
-    system_lib_file
-    system_seccomp_policy_file
-    system_security_cacerts_file
-}:dir r_dir_perms;
-allow domain system_file:lnk_file { getattr read };
-
-# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
-# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
-allow domain system_seccomp_policy_file:file r_file_perms;
-# cacerts are accessible from public Java API.
-allow domain system_security_cacerts_file:file r_file_perms;
-allow domain system_group_file:file r_file_perms;
-allow domain system_passwd_file:file r_file_perms;
-allow domain system_linker_exec:file { execute read open getattr map };
-allow domain system_linker_config_file:file r_file_perms;
-allow domain system_lib_file:file { execute read open getattr map };
-# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
-allow domain system_linker_exec:lnk_file { read open getattr };
-allow domain system_lib_file:lnk_file { read open getattr };
-
-allow domain system_event_log_tags_file:file r_file_perms;
-
-allow { appdomain coredomain } system_file:file { execute read open getattr map };
-
-# Make sure system/vendor split doesn not affect non-treble
-# devices
-not_full_treble(`
-    allow domain system_file:file { execute read open getattr map };
-    allow domain vendor_file_type:dir { search getattr };
-    allow domain vendor_file_type:file { execute read open getattr map };
-    allow domain vendor_file_type:lnk_file { getattr read };
-')
-
-# All domains are allowed to open and read directories
-# that contain HAL implementations (e.g. passthrough
-# HALs require clients to have these permissions)
-allow domain vendor_hal_file:dir r_dir_perms;
-
-# Everyone can read and execute all same process HALs
-allow domain same_process_hal_file:dir r_dir_perms;
-allow {
-    domain
-    -coredomain # access is explicitly granted to individual coredomains
-} same_process_hal_file:file { execute read open getattr map };
-
-# Any process can load vndk-sp libraries, which are system libraries
-# used by same process HALs
-allow domain vndk_sp_file:dir r_dir_perms;
-allow domain vndk_sp_file:file { execute read open getattr map };
-
-# All domains get access to /vendor/etc
-allow domain vendor_configs_file:dir r_dir_perms;
-allow domain vendor_configs_file:file { read open getattr map };
-
-full_treble_only(`
-    # Allow all domains to be able to follow /system/vendor and/or
-    # /vendor/odm symlinks.
-    allow domain vendor_file_type:lnk_file { getattr open read };
-
-    # This is required to be able to search & read /vendor/lib64
-    # in order to lookup vendor libraries. The execute permission
-    # for coredomains is granted *only* for same process HALs
-    allow domain vendor_file:dir { getattr search };
-
-    # Allow reading and executing out of /vendor to all vendor domains
-    allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
-    allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
-    allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
-')
-
-# read and stat any sysfs symlinks
-allow domain sysfs:lnk_file { getattr read };
-
-# libc references /system/usr/share/zoneinfo for timezone related information.
-# This directory is considered to be a VNDK-stable
-allow domain { system_zoneinfo_file }:file r_file_perms;
-allow domain { system_zoneinfo_file }:dir r_dir_perms;
-
-# Lots of processes access current CPU information
-r_dir_file(domain, sysfs_devices_system_cpu)
-
-r_dir_file(domain, sysfs_usb);
-
-# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
-# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
-allow domain sysfs_transparent_hugepage:dir search;
-allow domain sysfs_transparent_hugepage:file r_file_perms;
-
-# Allow search access, and sometimes getattr access, to various directories
-# under /data.  We are fairly lenient in allowing search access to top-level
-# dirs that commonly need to be traversed to get access to the "real" files, as
-# this greatly simplifies the policy and doesn't open up much attack surface.
-not_full_treble(`
-  allow domain system_data_file:dir getattr;
-')
-allow { coredomain appdomain } system_data_file:dir getattr;
-# Anything that accesses anything in /data needs search access to /data itself.
-# This includes vendor components, as they need to access /data/vendor.
-allow domain system_data_root_file:dir { search getattr } ;
-# system_data_file is the default type for directories in /data.  Anything
-# accessing data files with a more specific type often has to traverse a
-# system_data_file directory such as /data/misc to get there.
-allow domain system_data_file:dir search;
-# Anything that accesses files in /data/user (and /data/user_de, etc.) needs
-# search access to these directories themselves.  getattr access is sometimes
-# needed too.
-allow { coredomain appdomain } system_userdir_file:dir { search getattr };
-# Anything that accesses files in /data/media needs search access to /data/media
-# itself.
-allow { coredomain appdomain } media_userdir_file:dir search;
-# TODO restrict this to non-coredomain
-allow domain vendor_userdir_file:dir { getattr search };
-allow domain vendor_data_file:dir { getattr search };
-
-# required by the dynamic linker
-allow domain proc:lnk_file { getattr read };
-
-# /proc/cpuinfo
-allow domain proc_cpuinfo:file r_file_perms;
-
-# /dev/cpu_variant:.*
-allow domain dev_cpu_variant:file r_file_perms;
-
-# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
-allow domain proc_perf:file r_file_perms;
-
-# toybox loads libselinux which stats /sys/fs/selinux/
-allow domain selinuxfs:dir search;
-allow domain selinuxfs:file getattr;
-allow domain sysfs:dir search;
-allow domain selinuxfs:filesystem getattr;
-
-# Almost all processes log tracing information to
-# /sys/kernel/debug/tracing/trace_marker
-# The reason behind this is documented in b/6513400
-allow domain debugfs:dir search;
-allow domain debugfs_tracing:dir search;
-allow domain debugfs_tracing_debug:dir search;
-allow domain debugfs_trace_marker:file w_file_perms;
-
-# Linux lockdown mode offered coarse-grained definitions for access controls. In
-# previous versions of the policy, the integrity permission was neverallowed.
-# It was found that this permission mainly duplicates pre-existing rules in
-# the policy (see b/285443587). Additionally, some access were found to be
-# required (b/269377822). The access vector was removed from kernel 5.16
-# onwards. Grant unconditional access, these rules should be removed from the
-# policy once no kernel <5.16 are supported.
-allow domain self:lockdown { confidentiality integrity };
-
-# Filesystem access.
-allow domain fs_type:filesystem getattr;
-allow domain fs_type:dir getattr;
-
-# Restrict all domains to an allowlist for common socket types. Additional
-# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this allowlist to domain does
-# not grant the ioctl permission on these socket types. That must be granted
-# separately.
-allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
-  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default allowlist for unix sockets.
-allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
-  ioctl unpriv_unix_sock_ioctls;
-
-# Restrict PTYs to only allowed ioctls.
-# Note that granting this allowlist to domain does
-# not grant the wider ioctl permission. That must be granted
-# separately.
-allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
-
-# All domains must clearly enumerate what ioctls they use
-# on filesystem objects (plain files, directories, symbolic links,
-# named pipes, and named sockets). We start off with a safe set.
-allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
-
-# If a domain has ioctl access to tun_device, it must clearly enumerate the
-# ioctls used. Safe defaults are listed below.
-allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
-
-# Allow a process to make a determination whether a file descriptor
-# for a plain file or pipe (fifo_file) is a tty. Note that granting
-# this allowlist to domain does not grant the ioctl permission to
-# these files. That must be granted separately.
-allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
-allowxperm domain domain:fifo_file ioctl { TCGETS };
-
-# If a domain has access to perform an ioctl on a block device, allow these
-# very common, benign ioctls
-allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
-
-# Support sqlite F2FS specific optimizations
-# ioctl permission on the specific file type is still required
-# TODO: consider only compiling these rules if we know the
-# /data partition is F2FS
-allowxperm domain { file_type sdcard_type }:file ioctl {
-  F2FS_IOC_ABORT_VOLATILE_WRITE
-  F2FS_IOC_COMMIT_ATOMIC_WRITE
-  F2FS_IOC_GET_FEATURES
-  F2FS_IOC_GET_PIN_FILE
-  F2FS_IOC_SET_PIN_FILE
-  F2FS_IOC_START_ATOMIC_WRITE
-};
-
-# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
-# when it's not explicitly used in allow rules
-allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
-# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
-# when it's not explicitly used in allow rules
-allow { domain -domain } vndservice_manager_type:service_manager { add find };
-
-# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
-with_asan(`allow domain system_data_file:dir getattr;')
-# Under ASAN, /system/asan.options needs to be globally accessible.
-with_asan(`allow domain system_asan_options_file:file r_file_perms;')
-
-# read APEX dir and stat any symlink pointing to APEXs.
-allow domain apex_mnt_dir:dir { getattr search };
-allow domain apex_mnt_dir:lnk_file r_file_perms;
-
-# Allow everyone to read media server-configurable flags, so that libstagefright can be
-# configured using server-configurable flags
-get_prop(domain, device_config_media_native_prop)
-
-###
-### neverallow rules
-###
-
-# All ioctls on file-like objects (except chr_file and blk_file) and
-# sockets must be restricted to an allowlist.
-neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
-
-# b/68014825 and https://android-review.googlesource.com/516535
-# rfc6093 says that processes should not use the TCP urgent mechanism
-neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
-
-# TIOCSTI is only ever used for exploits. Block it.
-# b/33073072, b/7530569
-# http://www.openwall.com/lists/oss-security/2016/09/26/14
-neverallowxperm * devpts:chr_file ioctl TIOCSTI;
-
-# Do not allow any domain other than init to create unlabeled files.
-neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-
-# Limit device node creation to these allowed domains.
-neverallow {
-  domain
-  -kernel
-  -init
-  -ueventd
-  -vold
-} self:global_capability_class_set mknod;
-
-# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
-neverallow * self:memprotect mmap_zero;
-
-# No domain needs mac_override as it is unused by SELinux.
-neverallow * self:global_capability2_class_set mac_override;
-
-# Disallow attempts to set contexts not defined in current policy
-# This helps guarantee that unknown or dangerous contents will not ever
-# be set.
-neverallow * self:global_capability2_class_set mac_admin;
-
-# Once the policy has been loaded there shall be none to modify the policy.
-# It is sealed.
-neverallow * kernel:security load_policy;
-
-# Only init prior to switching context should be able to set enforcing mode.
-# init starts in kernel domain and switches to init domain via setcon in
-# the init.rc, so the setenforce occurs while still in kernel. After
-# switching domains, there is never any need to setenforce again by init.
-neverallow * kernel:security setenforce;
-neverallow { domain -kernel } kernel:security setcheckreqprot;
-
-# No booleans in AOSP policy, so no need to ever set them.
-neverallow * kernel:security setbool;
-
-# Adjusting the AVC cache threshold.
-# Not presently allowed to anything in policy, but possibly something
-# that could be set from init.rc.
-neverallow { domain -init } kernel:security setsecparam;
-
-# Only the kernel hwrng thread should be able to read from the HW RNG.
-neverallow {
-  domain
-  -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG
-  -shell # For CTS, restricted to just getattr in shell.te
-  -ueventd # To create the /dev/hw_random file
-} hw_random_device:chr_file *;
-# b/78174219 b/64114943
-neverallow {
-  domain
-  -shell # stat of /dev, getattr only
-  -ueventd
-} keychord_device:chr_file *;
-
-# Ensure that all entrypoint executables are in exec_type or postinstall_file.
-neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
-
-# The dynamic linker always calls access(2) on the path. Don't generate SElinux
-# denials since the linker does not actually access the path in case the path
-# does not exist or isn't accessible for the process.
-dontaudit domain postinstall_mnt_dir:dir audit_access;
-
-#Ensure that nothing in userspace can access /dev/port
-neverallow {
-  domain
-  -shell # Shell user should not have any abilities outside of getattr
-  -ueventd
-} port_device:chr_file *;
-neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
-# Only init should be able to configure kernel usermodehelpers or
-# security-sensitive proc settings.
-neverallow { domain -init } usermodehelper:file { append write };
-neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
-neverallow { domain -init -vendor_init } proc_security:file { append open read write };
-
-# Init can't do anything with binder calls. If this neverallow rule is being
-# triggered, it's probably due to a service with no SELinux domain.
-neverallow * init:binder *;
-neverallow * vendor_init:binder *;
-
-# Binderfs logs contain sensitive information about other processes.
-neverallow { domain -dumpstate -init -vendor_init userdebug_or_eng(`-domain') } { binderfs_logs binderfs_logs_proc }:file no_rw_file_perms;
-neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_stats:file no_rw_file_perms;
-
-# Don't allow raw read/write/open access to block_device
-# Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
-
-# Do not allow renaming of block files or character files
-# Ability to do so can lead to possible use in an exploit chain
-# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
-neverallow * *:{ blk_file chr_file } rename;
-
-# Don't allow raw read/write/open access to generic devices.
-# Rather force a relabel to a more specific type.
-neverallow domain device:chr_file { open read write };
-
-# Files from cache should never be executed
-neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
-
-# The test files and executables MUST not be accessible to any domain
-neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
-neverallow domain nativetest_data_file:dir no_w_dir_perms;
-neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
-
-neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms;
-neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
-neverallow { domain -shell -init -adbd -heapprofd -crash_dump } shell_test_data_file:file *;
-neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;
-
-# Only the init property service should write to /data/property and /dev/__properties__
-neverallow { domain -init } property_data_file:dir no_w_dir_perms;
-neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
-
-# Nobody should be doing writes to /system & /vendor
-# These partitions are intended to be read-only and must never be
-# modified. Doing so would violate important Android security guarantees
-# and invalidate dm-verity signatures.
-neverallow {
-    domain
-    with_asan(`-asan_extract')
-    recovery_only(`userdebug_or_eng(`-fastbootd')')
-} {
-    system_file_type
-    vendor_file_type
-    exec_type
-}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
-
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
-
-# Don't allow mounting on top of /system files or directories
-neverallow * exec_type:dir_file_class_set mounton;
-
-# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
-
-# Restrict context mounts to specific types marked with
-# the contextmount_type attribute.
-neverallow * {fs_type -contextmount_type}:filesystem relabelto;
-
-# Ensure that context mount types are not writable, to ensure that
-# the write to /system restriction above is not bypassed via context=
-# mount to another type.
-neverallow * contextmount_type:dir_file_class_set
-    { create setattr relabelfrom relabelto append link rename };
-neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink };
-
-# Do not allow service_manager add for default service labels.
-# Instead domains should use a more specific type such as
-# system_app_service rather than the generic type.
-# New service_types are defined in {,hw,vnd}service.te and new mappings
-# from service name to service_type are defined in {,hw,vnd}service_contexts.
-neverallow * default_android_service:service_manager *;
-neverallow * default_android_vndservice:service_manager *;
-neverallow * default_android_hwservice:hwservice_manager *;
-
-# Looking up the base class/interface of all HwBinder services is a bad idea.
-# hwservicemanager currently offer such lookups only to make it so that security
-# decisions are expressed in SELinux policy. However, it's unclear whether this
-# lookup has security implications. If it doesn't, hwservicemanager should be
-# modified to not offer this lookup.
-# This rule can be removed if hwservicemanager is modified to not permit these
-# lookups.
-neverallow * hidl_base_hwservice:hwservice_manager find;
-
-# Require that domains explicitly label unknown properties, and do not allow
-# anyone but init to modify unknown properties.
-neverallow { domain -init -vendor_init } mmc_prop:property_service set;
-neverallow { domain -init -vendor_init } vndk_prop:property_service set;
-
-compatible_property_only(`
-    neverallow { domain -init } mmc_prop:property_service set;
-    neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
-    neverallow { domain -init } exported_secure_prop:property_service set;
-    neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
-    neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
-    neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set;
-')
-
-compatible_property_only(`
-    neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
-    neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
-')
-
-# New "pm.dexopt." sysprops should be explicitly listed as exported_pm_prop.
-neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:property_service set;
-neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:file no_rw_file_perms;
-
-# ART may introduce new sysprops. SELinux denials due to reading new sysprops on
-# old platforms shouldn't be regarded as a problem.
-dontaudit domain future_pm_prop:file read;
-
-neverallow { domain -init } aac_drc_prop:property_service set;
-neverallow { domain -init } build_prop:property_service set;
-neverallow { domain -init } userdebug_or_eng_prop:property_service set;
-
-# Do not allow reading device's serial number from system properties except form
-# a few allowed domains.
-neverallow {
-  domain
-  -adbd
-  -dumpstate
-  -fastbootd
-  -hal_camera_server
-  -hal_cas_server
-  -hal_drm_server
-  -hal_keymint_server
-  userdebug_or_eng(`-incidentd')
-  -init
-  -mediadrmserver
-  -mediaserver
-  -recovery
-  -shell
-  -system_server
-  -vendor_init
-} serialno_prop:file r_file_perms;
-
-neverallow {
-  domain
-  -init
-  -recovery
-  -system_server
-  -ueventd # Further restricted in ueventd.te
-} frp_block_device:blk_file no_rw_file_perms;
-
-# The metadata block device is set aside for device encryption and
-# verified boot metadata. It may be reset at will and should not
-# be used by other domains.
-neverallow {
-  domain
-  -init
-  -recovery
-  -vold
-  -e2fs
-  -fsck
-  -fastbootd
-  -hal_fastboot_server
-} metadata_block_device:blk_file { append link rename write open read ioctl lock };
-
-# No domain other than recovery, update_engine and fastbootd can write to system partition(s).
-neverallow {
-  domain
-  -fastbootd
-  userdebug_or_eng(`-fsck')
-  userdebug_or_eng(`-init')
-  -recovery
-  -update_engine
-} system_block_device:blk_file { write append };
-
-# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
-neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
-# The service managers are only allowed to access their own device node
-neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
-neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
-neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
-neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
-neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
-neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
-
-full_treble_only(`
-  # Vendor apps are permited to use only stable public services. If they were to use arbitrary
-  # services which can change any time framework/core is updated, breakage is likely.
-  #
-  # Note, this same logic applies to untrusted apps, but neverallows for these are separate.
-  neverallow {
-    appdomain
-    -coredomain
-  } {
-    service_manager_type
-
-    -app_api_service
-    -ephemeral_app_api_service
-
-    -hal_service_type # see app_neverallows.te
-
-    -apc_service
-    -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
-    -cameraserver_service
-    -drmserver_service
-    -credstore_service
-    -keystore_maintenance_service
-    -keystore_service
-    -legacykeystore_service
-    -mediadrmserver_service
-    -mediaextractor_service
-    -mediametrics_service
-    -mediaserver_service
-    -nfc_service
-    -radio_service
-    -virtual_touchpad_service
-    -vr_manager_service
-    userdebug_or_eng(`-hal_face_service')
-  }:service_manager find;
-')
-
-# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
-full_treble_only(`
-  neverallow {
-    coredomain
-    -shell
-    userdebug_or_eng(`-su')
-    -ueventd # uevent is granted create for this device, but we still neverallow I/O below
-  } vndbinder_device:chr_file rw_file_perms;
-')
-full_treble_only(`
-  neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
-')
-full_treble_only(`
-  neverallow {
-    coredomain
-    -shell
-    userdebug_or_eng(`-su')
-  } vndservice_manager_type:service_manager *;
-')
-full_treble_only(`
-  neverallow {
-    coredomain
-    -shell
-    userdebug_or_eng(`-su')
-  } vndservicemanager:binder *;
-')
-
-# On full TREBLE devices, socket communications between core components and vendor components are
-# not permitted.
-  # Most general rules first, more specific rules below.
-
-  # Core domains are not permitted to initiate communications to vendor domain sockets.
-  # We are not restricting the use of already established sockets because it is fine for a process
-  # to obtain an already established socket via some public/official/stable API and then exchange
-  # data with its peer over that socket. The wire format in this scenario is dicatated by the API
-  # and thus does not break the core-vendor separation.
-full_treble_only(`
-  neverallow_establish_socket_comms({
-    coredomain
-    -init
-    -adbd
-  }, {
-    domain
-    -coredomain
-    -socket_between_core_and_vendor_violators
-  });
-')
-
-  # Vendor domains are not permitted to initiate create/open sockets owned by core domains
-full_treble_only(`
-  neverallow {
-    domain
-    -coredomain
-    -appdomain # appdomain restrictions below
-    -data_between_core_and_vendor_violators # b/70393317
-    -socket_between_core_and_vendor_violators
-    -vendor_init
-  } {
-    coredomain_socket
-    core_data_file_type
-    unlabeled # used only by core domains
-  }:sock_file ~{ append getattr ioctl read write };
-')
-full_treble_only(`
-  neverallow {
-    appdomain
-    -coredomain
-  } {
-    coredomain_socket
-    unlabeled # used only by core domains
-    core_data_file_type
-    -app_data_file
-    -privapp_data_file
-    -pdx_endpoint_socket_type # used by VR layer
-    -pdx_channel_socket_type # used by VR layer
-  }:sock_file ~{ append getattr ioctl read write };
-')
-
-  # Core domains are not permitted to create/open sockets owned by vendor domains
-full_treble_only(`
-  neverallow {
-    coredomain
-    -init
-    -ueventd
-    -socket_between_core_and_vendor_violators
-  } {
-    file_type
-    dev_type
-    -coredomain_socket
-    -core_data_file_type
-    -app_data_file_type
-    -unlabeled
-  }:sock_file ~{ append getattr ioctl read write };
-')
-
-# On TREBLE devices, vendor and system components are only allowed to share
-# files by passing open FDs over hwbinder. Ban all directory access and all file
-# accesses other than what can be applied to an open FD such as
-# ioctl/stat/read/write/append. This is enforced by segregating /data.
-# Vendor domains may directly access file in /data/vendor by path, but may only
-# access files outside of /data/vendor via an open FD passed over hwbinder.
-# Likewise, core domains may only directly access files outside /data/vendor by
-# path and files in /data/vendor by open FD.
-full_treble_only(`
-  # only coredomains may only access core_data_file_type, particularly not
-  # /data/vendor
-  neverallow {
-    coredomain
-    -appdomain # TODO(b/34980020) remove exemption for appdomain
-    -data_between_core_and_vendor_violators
-    -init
-    -vold_prepare_subdirs
-  } {
-    data_file_type
-    -core_data_file_type
-    -app_data_file_type
-  }:file_class_set ~{ append getattr ioctl read write map };
-')
-full_treble_only(`
-  neverallow {
-    coredomain
-    -appdomain # TODO(b/34980020) remove exemption for appdomain
-    -data_between_core_and_vendor_violators
-    -init
-    -vold_prepare_subdirs
-    } {
-      data_file_type
-      -core_data_file_type
-      -app_data_file_type
-      # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
-      # neverallow. Currently only getattr and search are allowed.
-      -vendor_data_file
-    }:dir *;
-
-')
-full_treble_only(`
-  # vendor domains may only access files in /data/vendor, never core_data_file_types
-  neverallow {
-    domain
-    -appdomain # TODO(b/34980020) remove exemption for appdomain
-    -coredomain
-    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
-    -vendor_init
-  } {
-    core_data_file_type
-    with_native_coverage(`-method_trace_data_file')
-  }:file_class_set ~{ append getattr ioctl read write map };
-  neverallow {
-    vendor_init
-    -data_between_core_and_vendor_violators
-  } {
-    core_data_file_type
-    -unencrypted_data_file
-    with_native_coverage(`-method_trace_data_file')
-  }:file_class_set ~{ append getattr ioctl read write map };
-  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
-  # The vendor init binary lives on the system partition so there is not a concern with stability.
-  neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
-')
-full_treble_only(`
-  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
-  neverallow {
-    domain
-    -appdomain # TODO(b/34980020) remove exemption for appdomain
-    -coredomain
-    -data_between_core_and_vendor_violators
-    -vendor_init
-  } {
-    core_data_file_type
-    -system_data_file # default label for files on /data. Covered below...
-    -system_data_root_file
-    -vendor_userdir_file
-    -vendor_data_file
-    with_native_coverage(`-method_trace_data_file')
-  }:dir *;
-  neverallow {
-    vendor_init
-    -data_between_core_and_vendor_violators
-  } {
-    core_data_file_type
-    -unencrypted_data_file
-    -system_data_file
-    -system_data_root_file
-    -vendor_userdir_file
-    -vendor_data_file
-    with_native_coverage(`-method_trace_data_file')
-  }:dir *;
-  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
-  # The vendor init binary lives on the system partition so there is not a concern with stability.
-  neverallow vendor_init unencrypted_data_file:dir ~search;
-')
-full_treble_only(`
-  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
-  neverallow {
-    domain
-    -appdomain # TODO(b/34980020) remove exemption for appdomain
-    -coredomain
-    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
-    } {
-      system_data_file # default label for files on /data. Covered below
-    }:dir ~{ getattr search };
-')
-
-full_treble_only(`
-  #  coredomains may not access dirs in /data/vendor.
-  neverallow {
-    coredomain
-    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
-    -init
-    -vold # vold creates per-user storage for both system and vendor
-    -vold_prepare_subdirs
-    } {
-      vendor_data_file # default label for files on /data. Covered below
-    }:dir ~{ getattr search };
-')
-
-full_treble_only(`
-  #  coredomains may not access dirs in /data/vendor.
-  neverallow {
-    coredomain
-    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
-    -init
-    } {
-      vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
-    }:file_class_set ~{ append getattr ioctl read write map };
-')
-
-full_treble_only(`
-    # Non-vendor domains are not allowed to file execute shell
-    # from vendor
-    neverallow {
-        coredomain
-        -init
-        -shell
-        -ueventd
-    } vendor_shell_exec:file { execute execute_no_trans };
-')
-
-full_treble_only(`
-    # Do not allow vendor components to execute files from system
-    # except for the ones allowed here.
-    neverallow {
-        domain
-        -coredomain
-        -appdomain
-        -vendor_executes_system_violators
-        -vendor_init
-    } {
-        system_file_type
-        -system_lib_file
-        -system_linker_exec
-        -crash_dump_exec
-        -netutils_wrapper_exec
-        userdebug_or_eng(`-tcpdump_exec')
-        # Vendor components still can invoke shell commands via /system/bin/sh
-        -shell_exec
-        -toolbox_exec
-    }:file { entrypoint execute execute_no_trans };
-')
-
-full_treble_only(`
-    # Do not allow coredomain to access entrypoint for files other
-    # than system_file_type and postinstall_file
-    neverallow coredomain {
-        file_type
-        -system_file_type
-        -postinstall_file
-    }:file entrypoint;
-    # Do not allow domains other than coredomain to access entrypoint
-    # for anything but vendor_file_type and init_exec for vendor_init.
-    neverallow { domain -coredomain } {
-        file_type
-        -vendor_file_type
-        -init_exec
-    }:file entrypoint;
-')
-
-full_treble_only(`
-    # Do not allow system components to execute files from vendor
-    # except for the ones allowed here.
-    neverallow {
-      coredomain
-      -init
-      -shell
-      -system_executes_vendor_violators
-      -ueventd
-    } {
-      vendor_file_type
-      -same_process_hal_file
-      -vndk_sp_file
-      -vendor_app_file
-      -vendor_public_framework_file
-      -vendor_public_lib_file
-    }:file execute;
-')
-
-full_treble_only(`
-    neverallow {
-      coredomain
-      -shell
-      -system_executes_vendor_violators
-    } {
-      vendor_file_type
-      -same_process_hal_file
-    }:file execute_no_trans;
-')
-
-full_treble_only(`
-  # Do not allow vendor components access to /system files except for the
-  # ones allowed here.
-  neverallow {
-    domain
-    -appdomain
-    -coredomain
-    -vendor_executes_system_violators
-    # vendor_init needs access to init_exec for domain transition. vendor_init
-    # neverallows are covered in public/vendor_init.te
-    -vendor_init
-  } {
-    system_file_type
-    -crash_dump_exec
-    -file_contexts_file
-    -netutils_wrapper_exec
-    -property_contexts_file
-    -system_event_log_tags_file
-    -system_group_file
-    -system_lib_file
-    with_asan(`-system_asan_options_file')
-    -system_linker_exec
-    -system_linker_config_file
-    -system_passwd_file
-    -system_seccomp_policy_file
-    -system_security_cacerts_file
-    -system_zoneinfo_file
-    -task_profiles_api_file
-    -task_profiles_file
-    userdebug_or_eng(`-tcpdump_exec')
-    # Vendor components still can invoke shell commands via /system/bin/sh
-    -shell_exec
-    -toolbox_exec
-  }:file *;
-')
-
-# Only system_server should be able to send commands via the zygote socket
-neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
-neverallow { domain -system_server } zygote_socket:sock_file write;
-
-neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto;
-neverallow { domain -system_server } webview_zygote:sock_file write;
-neverallow { domain -system_server } app_zygote:sock_file write;
-
-neverallow domain tombstoned_crash_socket:unix_stream_socket connectto;
-
-# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
-# the tombstoned intercept socket.
-neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
-neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
-
-# Never allow anyone but system_server to read heapdumps in /data/system/heapdump.
-neverallow { domain -init -system_server } heapdump_data_file:file read;
-
-# Android does not support System V IPCs.
-#
-# The reason for this is due to the fact that, by design, they lead to global
-# kernel resource leakage.
-#
-# For example, there is no way to automatically release a SysV semaphore
-# allocated in the kernel when:
-#
-# - a buggy or malicious process exits
-# - a non-buggy and non-malicious process crashes or is explicitly killed.
-#
-# Killing processes automatically to make room for new ones is an
-# important part of Android's application lifecycle implementation. This means
-# that, even assuming only non-buggy and non-malicious code, it is very likely
-# that over time, the kernel global tables used to implement SysV IPCs will fill
-# up.
-neverallow * *:{ shm sem msg msgq } *;
-
-# Do not mount on top of symlinks, fifos, or sockets.
-# Feature parity with Chromium LSM.
-neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
-
-# Nobody should be able to execute su on user builds.
-# On userdebug/eng builds, only dumpstate, shell, and
-# su itself execute su.
-neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
-
-# Do not allow the introduction of new execmod rules. Text relocations
-# and modification of executable pages are unsafe.
-# The only exceptions are for NDK text relocations associated with
-# https://code.google.com/p/android/issues/detail?id=23203
-# which, long term, need to go away.
-neverallow * {
-  file_type
-  -apk_data_file
-  -app_data_file
-  -asec_public_file
-}:file execmod;
-
-# Do not allow making the stack or heap executable.
-# We would also like to minimize execmem but it seems to be
-# required by some device-specific service domains.
-neverallow * self:process { execstack execheap };
-
-# Do not allow the introduction of new execmod rules. Text relocations
-# and modification of executable pages are unsafe.
-neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
-
-# Ensure that all types assigned to processes are included
-# in the domain attribute, so that all allow and neverallow rules
-# written on domain are applied to all processes.
-# This is achieved by ensuring that it is impossible to transition
-# from a domain to a non-domain type and vice versa.
-# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
-neverallow ~domain domain:process { transition dyntransition };
-
-#
-# Only system_app and system_server should be creating or writing
-# their files. The proper way to share files is to setup
-# type transitions to a more specific type or assigning a type
-# to its parent directory via a file_contexts entry.
-# Example type transition:
-#  mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
-#
-neverallow {
-  domain
-  -system_server
-  -system_app
-  -init
-  -toolbox # TODO(b/141108496) We want to remove toolbox
-  -installd # for relabelfrom and unlink, check for this in explicit neverallow
-  -vold_prepare_subdirs # For unlink
-  with_asan(`-asan_extract')
-} system_data_file:file no_w_file_perms;
-# do not grant anything greater than r_file_perms and relabelfrom unlink
-# to installd
-neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
-
-#
-# Only these domains should transition to shell domain. This domain is
-# permissible for the "shell user". If you need a process to exec a shell
-# script with differing privilege, define a domain and set up a transition.
-#
-neverallow {
-  domain
-  -adbd
-  -init
-  -runas
-  -zygote
-} shell:process { transition dyntransition };
-
-# Only domains spawned from zygote, runas and simpleperf_app_runner may have
-# the appdomain attribute. simpleperf is excluded as a domain transitioned to
-# when running an app-scoped profiling session.
-neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
-  appdomain -shell -simpleperf userdebug_or_eng(`-su')
-}:process { transition dyntransition };
-
-# Minimize read access to shell- or app-writable symlinks.
-# This is to prevent malicious symlink attacks.
-neverallow {
-  domain
-  -appdomain
-  -artd
-  -installd
-} { app_data_file privapp_data_file }:lnk_file read;
-
-neverallow {
-  domain
-  -shell
-  userdebug_or_eng(`-uncrypt')
-  -installd
-} shell_data_file:lnk_file read;
-
-# servicemanager and vndservicemanager are the only processes which handle the
-# service_manager list request
-neverallow * ~{
-    servicemanager
-    vndservicemanager
-    }:service_manager list;
-
-# hwservicemanager is the only process which handles hw list requests
-neverallow * ~{
-    hwservicemanager
-    }:hwservice_manager list;
-
-# only service_manager_types can be added to service_manager
-# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
-
-# Prevent assigning non property types to properties
-# TODO - rework this: neverallow * ~property_type:property_service set;
-
-# Domain types should never be assigned to any files other
-# than the /proc/pid files associated with a process. The
-# executable file used to enter a domain should be labeled
-# with its own _exec type, not with the domain type.
-# Conventionally, this looks something like:
-# $ cat mydaemon.te
-# type mydaemon, domain;
-# type mydaemon_exec, exec_type, file_type;
-# init_daemon_domain(mydaemon)
-# $ grep mydaemon file_contexts
-# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
-neverallow * domain:file { execute execute_no_trans entrypoint };
-
-# Do not allow access to the generic debugfs label. This is too broad.
-# Instead, if access to part of debugfs is desired, it should have a
-# more specific label.
-# TODO: fix dumpstate
-neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms;
-
-# Do not allow executable files in debugfs.
-neverallow domain debugfs_type:file { execute execute_no_trans };
-
-# Don't allow access to the FUSE control filesystem, except to vold and init's
-neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;
-
-# Profiles contain untrusted data and profman parses that. We should only run
-# it from installd and artd forked processes.
-neverallow {
-  domain
-  -installd
-  -profman
-  -artd
-} profman_exec:file no_x_file_perms;
-
-# Enforce restrictions on kernel module origin.
-# Do not allow kernel module loading except from system,
-# vendor, boot, and system_dlkm partitions.
-# TODO(b/218951883): Remove usage of system and rootfs as origin
-neverallow * ~{ system_file_type vendor_file_type rootfs system_dlkm_file_type }:system module_load;
-
-# Only allow filesystem caps to be set at build time. Runtime changes
-# to filesystem capabilities are not permitted.
-neverallow * self:global_capability_class_set setfcap;
-
-# Enforce AT_SECURE for executing crash_dump.
-neverallow domain crash_dump:process noatsecure;
-
-# Do not permit non-core domains to register HwBinder services which are
-# guaranteed to be provided by core domains only.
-neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
-
-# Do not permit the registeration of HwBinder services which are guaranteed to
-# be passthrough only (i.e., run in the process of their clients instead of a
-# separate server process).
-neverallow * same_process_hwservice:hwservice_manager add;
-
-# If an already existing file is opened with O_CREAT, the kernel might generate
-# a false report of a create denial. Silence these denials and make sure that
-# inappropriate permissions are not granted.
-
-# These filesystems don't allow files or directories to be created, so the permission
-# to do so should never be granted.
-neverallow domain {
-  proc_type
-  sysfs_type
-}:dir { add_name create link remove_name rename reparent rmdir write };
-
-# cgroupfs directories can be created, but not files within them.
-neverallow domain cgroup:file create;
-neverallow domain cgroup_v2:file create;
-
-dontaudit domain proc_type:dir write;
-dontaudit domain sysfs_type:dir write;
-dontaudit domain cgroup:file create;
-dontaudit domain cgroup_v2:file create;
-
-# These are only needed in permissive mode - in enforcing mode the
-# directory write check fails and so these are never attempted.
-userdebug_or_eng(`
-  dontaudit domain proc_type:dir add_name;
-  dontaudit domain sysfs_type:dir add_name;
-  dontaudit domain proc_type:file create;
-  dontaudit domain sysfs_type:file create;
-')
-
-# Platform must not have access to /mnt/vendor.
-neverallow {
-  coredomain
-  -init
-  -ueventd
-  -vold
-  -system_writes_mnt_vendor_violators
-} mnt_vendor_file:dir *;
-
-# Only apps are allowed access to vendor public libraries.
-full_treble_only(`
-  neverallow {
-    coredomain
-    -appdomain
-  } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans };
-')
-
-# Vendor domian must not have access to /mnt/product.
-neverallow {
-  domain
-  -coredomain
-} mnt_product_file:dir *;
-
-# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL
-full_treble_only(`
-  neverallow {
-    coredomain
-    -shell
-    # For access to block device information under /sys/class/block.
-    -apexd
-    # Read sysfs block device information.
-    -init
-    # Generate uevents for health info
-    -ueventd
-    # Recovery uses health HAL passthrough implementation.
-    -recovery
-    # Charger uses health HAL passthrough implementation.
-    -charger
-    # TODO(b/110891300): remove this exception
-    -incidentd
-  } sysfs_batteryinfo:file { open read };
-')
-
-neverallow {
-  domain
-  -hal_codec2_server
-  -hal_omx_server
-} hal_codec2_hwservice:hwservice_manager add;
-
-# Only apps targetting < Q are allowed to open /dev/ashmem directly.
-# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
-neverallow {
-  domain
-  -ephemeral_app # We don't distinguish ephemeral apps based on target API.
-  -untrusted_app_25
-  -untrusted_app_27
-} ashmem_device:chr_file open;
-
-neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
diff --git a/public/drmserver.te b/public/drmserver.te
index d515079..4b59ee0 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -1,65 +1,8 @@
 # drmserver - DRM service
 type drmserver, domain;
 type drmserver_exec, system_file_type, exec_type, file_type;
-
-typeattribute drmserver mlstrustedsubject;
-
-net_domain(drmserver)
-
-# Perform Binder IPC to system server.
-binder_use(drmserver)
-binder_call(drmserver, system_server)
-binder_call(drmserver, appdomain)
-binder_call(drmserver, mediametrics)
-binder_service(drmserver)
-# Inherit or receive open files from system_server.
-allow drmserver system_server:fd use;
-
-# Perform Binder IPC to mediaserver
-binder_call(drmserver, mediaserver)
-
-allow drmserver { sdcard_type fuse }:dir search;
-allow drmserver drm_data_file:dir create_dir_perms;
-allow drmserver drm_data_file:file create_file_perms;
-allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
-allow drmserver { sdcard_type fuse }:file { read write getattr map };
-r_dir_file(drmserver, efs_file)
-
 type drmserver_socket, file_type;
 
-# /data/app/tlcd_sock socket file.
-# Clearly, /data/app is the most logical place to create a socket.  Not.
-allow drmserver apk_data_file:dir rw_dir_perms;
-auditallow drmserver apk_data_file:dir { add_name write };
-allow drmserver drmserver_socket:sock_file create_file_perms;
-auditallow drmserver drmserver_socket:sock_file create;
-# Delete old socket file if present.
-allow drmserver apk_data_file:sock_file unlink;
-
-# After taking a video, drmserver looks at the video file.
-r_dir_file(drmserver, media_rw_data_file)
-
-# Read resources from open apk files passed over Binder.
-allow drmserver apk_data_file:file { read getattr map };
-allow drmserver asec_apk_file:file { read getattr map };
-allow drmserver ringtone_file:file { read getattr map };
-
-# Read /data/data/com.android.providers.telephony files passed over Binder.
-allow drmserver radio_data_file:file { read getattr map };
-
-# /oem access
-allow drmserver oemfs:dir search;
-allow drmserver oemfs:file r_file_perms;
-
-# overlay package access
-allow drmserver vendor_overlay_file:file { read map };
-
-add_service(drmserver, drmserver_service)
-allow drmserver permission_service:service_manager find;
-allow drmserver mediametrics_service:service_manager find;
-
-selinux_check_access(drmserver)
-
-r_dir_file(drmserver, cgroup)
-r_dir_file(drmserver, cgroup_v2)
-r_dir_file(drmserver, system_file)
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
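Review bot: The removed lines include `typeattribute drmserver mlstrustedsubject;` and the two `auditallow` statements on apk_data_file:dir and drmserver_socket:sock_file, but the corresponding private/drmserver.te addition is not in this chunk, so it is worth confirming those carried over verbatim — losing the MLS attribute would silently change drmserver's access to app and sdcard files, and losing the auditallow would drop the audit trail on socket creation under /data/app. The new comment names allow, neverallow and dontaudit, yet this file also carried auditallow rules; `# DO NOT ADD allow, neverallow, auditallow, or dontaudit statements here.` would close that gap. As a point of style, `type drmserver_socket, file_type;` now sits alone between the other type declarations and the comment; grouping it with the two type lines above would read more cleanly.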
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 549e6c6..dd61ad1 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -2,406 +2,6 @@
 type dumpstate, domain, mlstrustedsubject;
 type dumpstate_exec, system_file_type, exec_type, file_type;
 
-net_domain(dumpstate)
-binder_use(dumpstate)
-wakelock_use(dumpstate)
-
-# Allow setting process priority, protect from OOM killer, and dropping
-# privileges by switching UID / GID
-allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };
-
-# Allow dumpstate to scan through /proc/pid for all processes
-r_dir_file(dumpstate, domain)
-
-allow dumpstate self:global_capability_class_set {
-    # Send signals to processes
-    kill
-    # Run iptables
-    net_raw
-    net_admin
-};
-
-# Allow executing files on system, such as:
-#   /system/bin/toolbox
-#   /system/bin/logcat
-#   /system/bin/dumpsys
-allow dumpstate system_file:file execute_no_trans;
-not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
-allow dumpstate toolbox_exec:file rx_file_perms;
-
-# hidl searches for files in /system/lib(64)/hw/
-allow dumpstate system_file:dir r_dir_perms;
-
-# Create and write into /data/anr/
-allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
-allow dumpstate anr_data_file:dir rw_dir_perms;
-allow dumpstate anr_data_file:file create_file_perms;
-
-# Allow reading /data/system/uiderrors.txt
-# TODO: scope this down.
-allow dumpstate system_data_file:file r_file_perms;
-
-# Allow dumpstate to append into apps' private files.
-allow dumpstate { privapp_data_file app_data_file }:file append;
-
-# Read dmesg
-allow dumpstate self:global_capability2_class_set syslog;
-allow dumpstate kernel:system syslog_read;
-
-# Read /sys/fs/pstore/console-ramoops
-allow dumpstate pstorefs:dir r_dir_perms;
-allow dumpstate pstorefs:file r_file_perms;
-
-# Get process attributes
-allow dumpstate domain:process getattr;
-
-# Signal java processes to dump their stack
-allow dumpstate { appdomain system_server zygote app_zygote }:process signal;
-
-# Signal native processes to dump their stack.
-allow dumpstate {
-  # This list comes from native_processes_to_dump in dumputils/dump_utils.c
-  audioserver
-  cameraserver
-  drmserver
-  inputflinger
-  mediadrmserver
-  mediaextractor
-  mediametrics
-  mediaserver
-  mediaswcodec
-  sdcardd
-  surfaceflinger
-  vold
-
-  # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
-  evsmanagerd
-  hal_audio_server
-  hal_audiocontrol_server
-  hal_bluetooth_server
-  hal_broadcastradio_server
-  hal_camera_server
-  hal_codec2_server
-  hal_drm_server
-  hal_evs_server
-  hal_face_server
-  hal_fingerprint_server
-  hal_graphics_allocator_server
-  hal_graphics_composer_server
-  hal_health_server
-  hal_input_processor_server
-  hal_neuralnetworks_server
-  hal_omx_server
-  hal_power_server
-  hal_power_stats_server
-  hal_sensors_server
-  hal_thermal_server
-  hal_vehicle_server
-  hal_vr_server
-  system_suspend_server
-}:process signal;
-
-# Connect to tombstoned to intercept dumps.
-unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
-
-# Access to /sys
-allow dumpstate sysfs_type:dir r_dir_perms;
-
-allow dumpstate {
-  sysfs_devices_block
-  sysfs_dm
-  sysfs_loop
-  sysfs_usb
-  sysfs_zram
-}:file r_file_perms;
-
-# Ignore other file access under /sys.
-dontaudit dumpstate sysfs:file r_file_perms;
-
-# Other random bits of data we want to collect
-no_debugfs_restriction(`
-  allow dumpstate debugfs:file r_file_perms;
-  auditallow dumpstate debugfs:file r_file_perms;
-
-  allow dumpstate debugfs_mmc:file r_file_perms;
-')
-
-# df for
-allow dumpstate {
-  block_device
-  cache_file
-  metadata_file
-  rootfs
-  selinuxfs
-  storage_file
-  tmpfs
-}:dir { search getattr };
-allow dumpstate fuse_device:chr_file getattr;
-allow dumpstate { dm_device cache_block_device }:blk_file getattr;
-allow dumpstate { cache_file rootfs }:lnk_file { getattr read };
-
-# Read /dev/cpuctl and /dev/cpuset
-r_dir_file(dumpstate, cgroup)
-r_dir_file(dumpstate, cgroup_v2)
-
-# Allow dumpstate to make binder calls to any binder service
-binder_call(dumpstate, binderservicedomain)
-binder_call(dumpstate, { appdomain artd netd wificond })
-
-# Allow dumpstate to call dump() on specific hals.
-dump_hal(hal_audio)
-dump_hal(hal_audiocontrol)
-dump_hal(hal_authgraph)
-dump_hal(hal_authsecret)
-dump_hal(hal_bluetooth)
-dump_hal(hal_broadcastradio)
-dump_hal(hal_camera)
-dump_hal(hal_codec2)
-dump_hal(hal_contexthub)
-dump_hal(hal_drm)
-dump_hal(hal_dumpstate)
-dump_hal(hal_evs)
-dump_hal(hal_face)
-dump_hal(hal_fingerprint)
-dump_hal(hal_gnss)
-dump_hal(hal_graphics_allocator)
-dump_hal(hal_graphics_composer)
-dump_hal(hal_health)
-dump_hal(hal_identity)
-dump_hal(hal_input_processor)
-dump_hal(hal_keymint)
-dump_hal(hal_light)
-dump_hal(hal_memtrack)
-dump_hal(hal_neuralnetworks)
-dump_hal(hal_nfc)
-dump_hal(hal_oemlock)
-dump_hal(hal_power)
-dump_hal(hal_power_stats)
-dump_hal(hal_rebootescrow)
-dump_hal(hal_secretkeeper)
-dump_hal(hal_sensors)
-dump_hal(hal_thermal)
-dump_hal(hal_vehicle)
-dump_hal(hal_weaver)
-dump_hal(hal_wifi)
-
-# Vibrate the device after we are done collecting the bugreport
-hal_client_domain(dumpstate, hal_vibrator)
-
-# Reading /proc/PID/maps of other processes
-allow dumpstate self:global_capability_class_set sys_ptrace;
-
-# Allow the bugreport service to create a file in
-# /data/data/com.android.shell/files/bugreports/bugreport
-allow dumpstate shell_data_file:dir create_dir_perms;
-allow dumpstate shell_data_file:file create_file_perms;
-
-# Run a shell.
-allow dumpstate shell_exec:file rx_file_perms;
-
-# For running am and similar framework commands.
-# Run /system/bin/app_process.
-allow dumpstate zygote_exec:file rx_file_perms;
-
-# For Bluetooth
-allow dumpstate bluetooth_data_file:dir search;
-allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
-allow dumpstate bluetooth_logs_data_file:file r_file_perms;
-
-# For Nfc
-allow dumpstate nfc_logs_data_file:dir r_dir_perms;
-allow dumpstate nfc_logs_data_file:file r_file_perms;
-
-# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
-allow dumpstate gpu_device:chr_file rw_file_perms;
-allow dumpstate gpu_device:dir r_dir_perms;
-
-# logd access
-read_logd(dumpstate)
-control_logd(dumpstate)
-read_runtime_log_tags(dumpstate)
-
-# Read files in /proc
-allow dumpstate {
-  proc_bootconfig
-  proc_buddyinfo
-  proc_cmdline
-  proc_meminfo
-  proc_modules
-  proc_net_type
-  proc_pipe_conf
-  proc_pagetypeinfo
-  proc_qtaguid_ctrl
-  proc_qtaguid_stat
-  proc_slabinfo
-  proc_version
-  proc_vmallocinfo
-  proc_vmstat
-}:file r_file_perms;
-
-# Read network state info files.
-allow dumpstate net_data_file:dir search;
-allow dumpstate net_data_file:file r_file_perms;
-
-# List sockets via ss.
-allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
-
-# Access /data/tombstones.
-allow dumpstate tombstone_data_file:dir r_dir_perms;
-allow dumpstate tombstone_data_file:file r_file_perms;
-
-# Access /cache/recovery
-allow dumpstate cache_recovery_file:dir r_dir_perms;
-allow dumpstate cache_recovery_file:file r_file_perms;
-
-# Access /data/misc/recovery
-allow dumpstate recovery_data_file:dir r_dir_perms;
-allow dumpstate recovery_data_file:file r_file_perms;
-
-# Access /data/misc/update_engine & /data/misc/update_engine_log
-allow dumpstate { update_engine_data_file update_engine_log_data_file }:dir r_dir_perms;
-allow dumpstate { update_engine_data_file update_engine_log_data_file }:file r_file_perms;
-# Access /data/misc/snapuserd_log
-allow dumpstate snapuserd_log_data_file:dir r_dir_perms;
-allow dumpstate snapuserd_log_data_file:file r_file_perms;
-
-# Access /data/misc/profiles/{cur,ref}/
-userdebug_or_eng(`
-  allow dumpstate { user_profile_root_file user_profile_data_file}:dir r_dir_perms;
-  allow dumpstate user_profile_data_file:file r_file_perms;
-')
-
-# Access /data/misc/logd
-allow dumpstate misc_logd_file:dir r_dir_perms;
-allow dumpstate misc_logd_file:file r_file_perms;
-
-# Access /data/misc/prereboot
-allow dumpstate prereboot_data_file:dir r_dir_perms;
-allow dumpstate prereboot_data_file:file r_file_perms;
-
-allow dumpstate app_fuse_file:dir r_dir_perms;
-allow dumpstate overlayfs_file:dir r_dir_perms;
-
-allow dumpstate {
-  service_manager_type
-  -apex_service
-  -dumpstate_service
-  -gatekeeper_service
-  -hal_service_type
-  -virtual_touchpad_service
-  -vold_service
-  -default_android_service
-}:service_manager find;
-# suppress denials for services dumpstate should not be accessing.
-dontaudit dumpstate {
-  apex_service
-  dumpstate_service
-  gatekeeper_service
-  hal_service_type
-  virtual_touchpad_service
-  vold_service
-}:service_manager find;
-
-# Most of these are neverallowed.
-dontaudit dumpstate hwservice_manager_type:hwservice_manager find;
-
-allow dumpstate servicemanager:service_manager list;
-allow dumpstate hwservicemanager:hwservice_manager list;
-
-allow dumpstate devpts:chr_file rw_file_perms;
-
-# Read any system properties
-get_prop(dumpstate, property_type)
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow dumpstate media_rw_data_file:dir getattr;
-allow dumpstate proc_interrupts:file r_file_perms;
-allow dumpstate proc_zoneinfo:file r_file_perms;
-
-# Create a service for talking back to system_server
-add_service(dumpstate, dumpstate_service)
-
-# use /dev/ion for screen capture
-allow dumpstate ion_device:chr_file r_file_perms;
-
-# Allow dumpstate to run top
-allow dumpstate proc_stat:file r_file_perms;
-
-allow dumpstate proc_pressure_cpu:file r_file_perms;
-allow dumpstate proc_pressure_mem:file r_file_perms;
-allow dumpstate proc_pressure_io:file r_file_perms;
-
-# Allow dumpstate to run ps
-allow dumpstate proc_pid_max:file r_file_perms;
-
-# Allow dumpstate to talk to installd over binder
-binder_call(dumpstate, installd);
-
-# Allow dumpstate to run ip xfrm policy
-allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
-
-# Allow dumpstate to run iotop
-allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
-# newer kernels (e.g. 4.4) have a new class for sockets
-allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
-
-# Allow dumpstate to run ss
-allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;
-
-# Allow dumpstate to read linkerconfig directory
-allow dumpstate linkerconfig_file:dir { read open };
-
-# For when dumpstate runs df
-dontaudit dumpstate {
-  mnt_vendor_file
-  mirror_data_file
-  mnt_user_file
-  mnt_product_file
-}:dir search;
-dontaudit dumpstate {
-  apex_mnt_dir
-  linkerconfig_file
-  mirror_data_file
-  mnt_user_file
-}:dir getattr;
-
-# Allow dumpstate to talk to bufferhubd over binder
-binder_call(dumpstate, bufferhubd);
-
-# Allow dumpstate to talk to mediaswcodec over binder
-binder_call(dumpstate, mediaswcodec);
-
-#Access /data/misc/snapshotctl_log
-allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
-allow dumpstate snapshotctl_log_data_file:file r_file_perms;
-
-#Allow access to /dev/binderfs/binder_logs
-allow dumpstate binderfs_logs:dir r_dir_perms;
-allow dumpstate binderfs_logs:file r_file_perms;
-allow dumpstate binderfs_logs_proc:file r_file_perms;
-allow dumpstate binderfs_logs_stats:file r_file_perms;
-
-use_apex_info(dumpstate)
-
-# Allow reading files under /data/system/shutdown-checkpoints/
-allow dumpstate shutdown_checkpoints_system_data_file:dir r_dir_perms;
-allow dumpstate shutdown_checkpoints_system_data_file:file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# dumpstate has capability sys_ptrace, but should only use that capability for
-# accessing sensitive /proc/PID files, never for using ptrace attach.
-neverallow dumpstate *:process ptrace;
-
-# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
-neverallow {
-  domain
-  -system_server
-  -shell
-  -traceur_app
-  -dumpstate
-} dumpstate_service:service_manager find;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
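Review bot: The guard comment added at the end of public/dumpstate.te names only `allow`, `neverallow` and `dontaudit`, yet the rules being removed from this same file also include `auditallow` and macro-expanded rules (`binder_call`, `r_dir_file`, `dump_hal`), and the e2fs, fastbootd and fsck hunks remove `allowxperm` rules, none of which the wording covers; the identical three-line comment is added in the e2fs, ephemeral_app, evsmanagerd, extra_free_kbytes, fastbootd, file, fingerprintd, flags_health_check, fsck, fsck_untrusted, gatekeeperd, gmscore_app and gpuservice hunks. Suggest `# DO NOT ADD access rules here (allow, allowxperm, auditallow, dontaudit, neverallow, or macros that expand to them).` so the boundary is unambiguous for vendor contributors. Separately, this hunk and the file, flags_health_check, fsck and fsck_untrusted hunks delete neverallow assertions (e.g. `neverallow dumpstate *:process ptrace;`, the fsck_untrusted `{ setgid setuid sys_admin }` capability ban, `neverallow fs_type file_type:filesystem associate;`); their private/*.te counterparts are not in this view, so each should be confirmed as re-added there, since a dropped neverallow weakens compile-time enforcement silently rather than failing the build.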
diff --git a/public/e2fs.te b/public/e2fs.te
index 973abb9..74bab31 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -1,33 +1,6 @@
 type e2fs, domain, coredomain;
 type e2fs_exec, system_file_type, exec_type, file_type;
 
-allow e2fs devpts:chr_file { read write getattr ioctl };
-
-allow e2fs dev_type:blk_file getattr;
-allow e2fs block_device:dir search;
-allow e2fs userdata_block_device:blk_file rw_file_perms;
-allow e2fs metadata_block_device:blk_file rw_file_perms;
-allow e2fs dm_device:blk_file rw_file_perms;
-allow e2fs zoned_block_device:blk_file rw_file_perms;
-# Vold needs to capture mkfs.ext4's output
-allow e2fs vold:fd use;
-# Need to be able to format a partition
-allow e2fs sysfs_dm:dir r_dir_perms;
-allow e2fs sysfs_dm:file r_file_perms;
-
-allowxperm e2fs { userdata_block_device metadata_block_device dm_device zoned_block_device }:blk_file ioctl {
-  BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET BLKREPORTZONE BLKRESETZONE
-};
-
-allow e2fs {
-  proc_filesystems
-  proc_mounts
-  proc_swaps
-}:file r_file_perms;
-
-# access /sys/fs/ext4/features
-allow e2fs sysfs_fs_ext4_features:dir search;
-allow e2fs sysfs_fs_ext4_features:file r_file_perms;
-
-# access SELinux context files
-allow e2fs file_contexts_file:file r_file_perms;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/ephemeral_app.te b/public/ephemeral_app.te
index dc39a22..072f8f6 100644
--- a/public/ephemeral_app.te
+++ b/public/ephemeral_app.te
@@ -12,3 +12,7 @@
 ### PackageManager flags an app as ephemeral at install time.
 
 type ephemeral_app, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/evsmanagerd.te b/public/evsmanagerd.te
index cde0380..b436f92 100644
--- a/public/evsmanagerd.te
+++ b/public/evsmanagerd.te
@@ -1,2 +1,6 @@
 # evsmanager daemon
 type evsmanagerd, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/extra_free_kbytes.te b/public/extra_free_kbytes.te
index ed0c935..82ba963 100644
--- a/public/extra_free_kbytes.te
+++ b/public/extra_free_kbytes.te
@@ -2,12 +2,6 @@
 type extra_free_kbytes, domain;
 type extra_free_kbytes_exec, system_file_type, exec_type, file_type;
 
-# required permissions to run the script from init
-allow extra_free_kbytes shell_exec:file rx_file_perms;
-allow extra_free_kbytes system_file:file x_file_perms;
-allow extra_free_kbytes toolbox_exec:file rx_file_perms;
-
-# files used by the script
-allow extra_free_kbytes proc_extra_free_kbytes:file rw_file_perms;
-allow extra_free_kbytes proc_watermark_scale_factor:file rw_file_perms;
-allow extra_free_kbytes proc_zoneinfo:file r_file_perms;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 788a76f..360a109 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -4,126 +4,6 @@
 # in neverallow rules.
 type fastbootd, domain;
 
-# But the allow rules are only included in the recovery policy.
-# Otherwise fastbootd is only allowed the domain rules.
-recovery_only(`
-  # fastbootd can only use HALs in passthrough mode
-  passthrough_hal_client_domain(fastbootd, hal_bootctl)
-
-  # fastbootd can use AIDL HALs in binder mode
-  binder_use(fastbootd)
-  hal_client_domain(fastbootd, hal_health)
-  hal_client_domain(fastbootd, hal_fastboot)
-
-  # Access /dev/usb-ffs/fastbootd/ep0
-  allow fastbootd functionfs:dir search;
-  allow fastbootd functionfs:file rw_file_perms;
-
-  allowxperm fastbootd functionfs:file ioctl { FUNCTIONFS_ENDPOINT_DESC };
-  # Log to serial
-  allow fastbootd kmsg_device:chr_file { open getattr write };
-
-  # battery info
-  allow fastbootd sysfs_batteryinfo:file r_file_perms;
-
-  allow fastbootd device:dir r_dir_perms;
-
-  # For dev/block/by-name dir
-  allow fastbootd block_device:dir r_dir_perms;
-
-  # Needed for DM_DEV_CREATE ioctl call
-  allow fastbootd self:capability sys_admin;
-
-  unix_socket_connect(fastbootd, recovery, recovery)
-
-  # Required for flashing
-  allow fastbootd dm_device:chr_file rw_file_perms;
-  allow fastbootd dm_device:blk_file rw_file_perms;
-
-  allow fastbootd cache_block_device:blk_file rw_file_perms;
-  allow fastbootd super_block_device_type:blk_file rw_file_perms;
-  allow fastbootd {
-    boot_block_device
-    metadata_block_device
-    system_block_device
-    userdata_block_device
-  }:blk_file { w_file_perms getattr ioctl };
-
-  # For disabling/wiping GSI, and for modifying/deleting files created via
-  # libfiemap.
-  allow fastbootd metadata_block_device:blk_file r_file_perms;
-  allow fastbootd {rootfs tmpfs}:dir mounton;
-  allow fastbootd metadata_file:dir { search getattr mounton };
-  allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
-  allow fastbootd gsi_metadata_file_type:file create_file_perms;
-
-  allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
-
-  allowxperm fastbootd {
-    metadata_block_device
-    userdata_block_device
-    dm_device
-    cache_block_device
-  }:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
-
-  allow fastbootd misc_block_device:blk_file rw_file_perms;
-
-  allow fastbootd proc_cmdline:file r_file_perms;
-  allow fastbootd rootfs:dir r_dir_perms;
-
-  # Needed to read fstab node from device tree.
-  allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
-  allow fastbootd sysfs_dt_firmware_android:dir r_dir_perms;
-
-  # Needed because libdm reads sysfs to validate when a dm path is ready.
-  r_dir_file(fastbootd, sysfs_dm)
-
-  # Needed for realpath() call to resolve symlinks.
-  allow fastbootd block_device:dir getattr;
-  userdebug_or_eng(`
-    # Refined manipulation of /mnt/scratch, without these perms resorts
-    # to deleting scratch partition when partition(s) are flashed.
-    allow fastbootd self:process setfscreate;
-    allow fastbootd cache_file:dir search;
-    allow fastbootd proc_filesystems:file { getattr open read };
-    allow fastbootd self:capability sys_rawio;
-    allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
-    allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
-    allow fastbootd {
-      system_file_type
-      unlabeled
-      vendor_file_type
-    }:dir { remove_name rmdir search write };
-    allow fastbootd {
-      overlayfs_file
-      system_file_type
-      unlabeled
-      vendor_file_type
-    }:{ file lnk_file } unlink;
-    allow fastbootd tmpfs:dir rw_dir_perms;
-    # Fetch vendor_boot partition
-    allow fastbootd boot_block_device:blk_file r_file_perms;
-
-    # popen(/system/bin/dmesg) and associated permissions. We only allow this
-    # on unlocked devices running userdebug builds.
-    allow fastbootd rootfs:file execute_no_trans;
-    allow fastbootd system_file:file execute_no_trans;
-    allow fastbootd kmsg_device:chr_file read;
-    allow fastbootd kernel:system syslog_read;
-  ')
-
-  # Allow using libfiemap/gsid directly (no binder in recovery).
-  allow fastbootd gsi_metadata_file_type:dir search;
-  allow fastbootd ota_metadata_file:dir rw_dir_perms;
-  allow fastbootd ota_metadata_file:file create_file_perms;
-')
-
-###
-### neverallow rules
-###
-
-# Write permission is required to wipe userdata
-# until recovery supports vold.
-neverallow fastbootd {
-   data_file_type
-}:file { no_x_file_perms };
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/file.te b/public/file.te
index dc27979..b25175b 100644
--- a/public/file.te
+++ b/public/file.te
@@ -623,32 +623,12 @@
 # system_dlkm
 type system_dlkm_file, system_dlkm_file_type, file_type;
 
-# Allow files to be created in their appropriate filesystems.
-allow fs_type self:filesystem associate;
-allow cgroup tmpfs:filesystem associate;
-allow cgroup_v2 tmpfs:filesystem associate;
-allow cgroup_rc_file tmpfs:filesystem associate;
-allow sysfs_type sysfs:filesystem associate;
-allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
-allow file_type labeledfs:filesystem associate;
-allow file_type tmpfs:filesystem associate;
-allow file_type rootfs:filesystem associate;
-allow dev_type tmpfs:filesystem associate;
-allow app_fuse_file app_fusefs:filesystem associate;
-allow postinstall_file self:filesystem associate;
-allow proc_net proc:filesystem associate;
-
 # asanwrapper (run a sanitized app_process, to be used with wrap properties)
 with_asan(`type asanwrapper_exec, exec_type, file_type;')
 
 # Deprecated in SDK version 28
 type audiohal_data_file, file_type, data_file_type, core_data_file_type;
 
-# It's a bug to assign the file_type attribute and fs_type attribute
-# to any type. Do not allow it.
-#
-# For example, the following is a bug:
-#   type apk_data_file, file_type, data_file_type, fs_type;
-# Should be:
-#   type apk_data_file, file_type, data_file_type;
-neverallow fs_type file_type:filesystem associate;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index eab38dd..b40ff3b 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -1,26 +1,6 @@
 type fingerprintd, domain;
 type fingerprintd_exec, system_file_type, exec_type, file_type;
 
-binder_use(fingerprintd)
-
-# Scan through /system/lib64/hw looking for installed HALs
-allow fingerprintd system_file:dir r_dir_perms;
-
-# need to find KeyStore and add self
-add_service(fingerprintd, fingerprintd_service)
-
-# allow HAL module to read dir contents
-allow fingerprintd fingerprintd_data_file:file { create_file_perms };
-
-# allow HAL module to read/write/unlink contents of this dir
-allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
-
-# Need to add auth tokens to KeyStore
-use_keystore(fingerprintd)
-allow fingerprintd keystore:keystore2 { add_auth };
-
-# For permissions checking
-binder_call(fingerprintd, system_server);
-allow fingerprintd permission_service:service_manager find;
-
-allow fingerprintd ion_device:chr_file r_file_perms;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/flags_health_check.te b/public/flags_health_check.te
index 25a7768..fbd386c 100644
--- a/public/flags_health_check.te
+++ b/public/flags_health_check.te
@@ -2,10 +2,6 @@
 type flags_health_check, domain, coredomain;
 type flags_health_check_exec, system_file_type, exec_type, file_type;
 
-allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
-allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
-
-# server_configurable_flags_data_file is used for storing whether server configurable flags which
-# have been reset during current booting. Mistakenly modified by unrelated components can
-# cause bad server configurable flags synced back to device.
-neverallow { domain -init -flags_health_check } server_configurable_flags_data_file:file no_w_file_perms;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/fsck.te b/public/fsck.te
index 1a74ba8..cdf7c79 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -2,76 +2,6 @@
 type fsck, domain;
 type fsck_exec, system_file_type, exec_type, file_type;
 
-# /dev/__null__ created by init prior to policy load,
-# open fd inherited by fsck.
-allow fsck tmpfs:chr_file { read write ioctl };
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow fsck devpts:chr_file { read write ioctl getattr };
-
-# Allow stdin/out back to vold
-allow fsck vold:fd use;
-allow fsck vold:fifo_file { read write getattr };
-
-# Run fsck on certain block devices
-allow fsck userdata_block_device:blk_file rw_file_perms;
-allow fsck cache_block_device:blk_file rw_file_perms;
-allow fsck dm_device:blk_file rw_file_perms;
-allow fsck zoned_block_device:blk_file rw_file_perms;
-userdebug_or_eng(`
-allow fsck system_block_device:blk_file rw_file_perms;
-')
-
-# e2fsck performs a comprehensive search of /proc/mounts to check whether the
-# checked filesystem is currently mounted.
-allow fsck metadata_file:dir getattr;
-allow fsck block_device:dir search;
-allow fsck mirror_data_file:dir search;
-
-# For the block devices where we have ioctl access,
-# allow at a minimum the following common fsck ioctls.
-allowxperm fsck dev_type:blk_file ioctl {
-  BLKDISCARDZEROES
-  BLKROGET
-  BLKREPORTZONE
-};
-
-# To determine if it is safe to run fsck on a filesystem, e2fsck
-# must first determine if the filesystem is mounted. To do that,
-# e2fsck scans through /proc/mounts and collects all the mounted
-# block devices. With that information, it runs stat() on each block
-# device, comparing the major and minor numbers to the filesystem
-# passed in on the command line. If there is a match, then the filesystem
-# is currently mounted and running fsck is dangerous.
-# Allow stat access to all block devices so that fsck can compare
-# major/minor values.
-allow fsck dev_type:blk_file getattr;
-
-allow fsck {
-  proc_mounts
-  proc_swaps
-  sysfs_dm
-}:file r_file_perms;
-allow fsck rootfs:dir r_dir_perms;
-allow fsck sysfs_dm:dir r_dir_perms;
-
-###
-### neverallow rules
-###
-
-# fsck should never be run on these block devices
-neverallow fsck {
-  boot_block_device
-  frp_block_device
-  recovery_block_device
-  root_block_device
-  swap_block_device
-  system_block_device
-  userdebug_or_eng(`-system_block_device')
-  vold_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from init or vold via fsck binaries
-neverallow { domain -init -vold } fsck:process transition;
-neverallow * fsck:process dyntransition;
-neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/fsck_untrusted.te b/public/fsck_untrusted.te
index 7e981bf..bb58f4d 100644
--- a/public/fsck_untrusted.te
+++ b/public/fsck_untrusted.te
@@ -1,67 +1,6 @@
 # Any fsck program run on untrusted block devices
 type fsck_untrusted, domain;
 
-# Inherit and use pty created by android_fork_execvp_ext().
-allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
-
-# Allow stdin/out back to vold
-allow fsck_untrusted vold:fd use;
-allow fsck_untrusted vold:fifo_file { read write getattr };
-
-# Run fsck on vold block devices
-allow fsck_untrusted block_device:dir search;
-allow fsck_untrusted vold_device:blk_file rw_file_perms;
-
-allow fsck_untrusted proc_mounts:file r_file_perms;
-
-# To determine if it is safe to run fsck on a filesystem, e2fsck
-# must first determine if the filesystem is mounted. To do that,
-# e2fsck scans through /proc/mounts and collects all the mounted
-# block devices. With that information, it runs stat() on each block
-# device, comparing the major and minor numbers to the filesystem
-# passed in on the command line. If there is a match, then the filesystem
-# is currently mounted and running fsck is dangerous.
-# Allow stat access to all block devices so that fsck can compare
-# major/minor values.
-allow fsck_untrusted dev_type:blk_file getattr;
-
-###
-### neverallow rules
-###
-
-# Untrusted fsck should never be run on block devices holding sensitive data
-neverallow fsck_untrusted {
-  boot_block_device
-  frp_block_device
-  metadata_block_device
-  recovery_block_device
-  root_block_device
-  swap_block_device
-  system_block_device
-  userdata_block_device
-  cache_block_device
-  dm_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from vold via fsck binaries
-neverallow { domain -vold } fsck_untrusted:process transition;
-neverallow * fsck_untrusted:process dyntransition;
-neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
-
-# fsck_untrusted should never have sys_admin permissions. If it requires sys_admin
-# permissions, that is a code mistake that needs to be fixed, not a permission that
-# should be granted. Same with setgid and setuid.
-neverallow fsck_untrusted self:global_capability_class_set { setgid setuid sys_admin };
-
-###
-### dontaudit rules
-###
-
-# Ignores attempts to access sysfs. fsck binaries seem to like trying to go
-# here, but nothing bad happens if they can't, and they shouldn't be allowed.
-dontaudit fsck_untrusted sysfs:file rw_file_perms;
-dontaudit fsck_untrusted sysfs_dm:file rw_file_perms;
-dontaudit fsck_untrusted sysfs_dm:dir rw_dir_perms;
-
-# Ignore attempts to access tmpfs. fsck don't need to do this.
-dontaudit fsck_untrusted tmpfs:lnk_file read;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index 0035bc6..6120d60 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -1,41 +1,6 @@
 type gatekeeperd, domain;
 type gatekeeperd_exec, system_file_type, exec_type, file_type;
 
-# gatekeeperd
-binder_service(gatekeeperd)
-binder_use(gatekeeperd)
-
-### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
-### These rules should eventually be granted only when needed.
-allow gatekeeperd ion_device:chr_file r_file_perms;
-# Load HAL implementation
-allow gatekeeperd system_file:dir r_dir_perms;
-###
-
-### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
-### These rules should eventually be granted only when needed.
-hal_client_domain(gatekeeperd, hal_gatekeeper)
-###
-
-# need to find KeyStore and add self
-add_service(gatekeeperd, gatekeeper_service)
-
-# Need to add auth tokens to KeyStore
-use_keystore(gatekeeperd)
-allow gatekeeperd keystore:keystore2 { add_auth };
-allow gatekeeperd authorization_service:service_manager find;
-
-
-# For permissions checking
-allow gatekeeperd system_server:binder call;
-allow gatekeeperd permission_service:service_manager find;
-
-# for SID file access
-allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
-allow gatekeeperd gatekeeper_data_file:file create_file_perms;
-
-# For hardware properties retrieval
-allow gatekeeperd hardware_properties_service:service_manager find;
-
-r_dir_file(gatekeeperd, cgroup)
-r_dir_file(gatekeeperd, cgroup_v2)
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/gmscore_app.te b/public/gmscore_app.te
index b574bf3..ded8655 100644
--- a/public/gmscore_app.te
+++ b/public/gmscore_app.te
@@ -3,3 +3,7 @@
 ###
 
 type gmscore_app, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/gpuservice.te b/public/gpuservice.te
index c862d0b..75f1c34 100644
--- a/public/gpuservice.te
+++ b/public/gpuservice.te
@@ -1,2 +1,6 @@
 # gpuservice - server for gpu stats and other gpu related services
 type gpuservice, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index e99d45f..f7ccd65 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -2,41 +2,6 @@
 attribute hal_graphics_composer_client_tmpfs;
 expandattribute hal_graphics_composer_client_tmpfs true;
 
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
-binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
-allow hal_graphics_composer_client hal_graphics_composer_server_tmpfs:file { getattr map read write };
-allow hal_graphics_composer_server hal_graphics_composer_client_tmpfs:file { getattr map read write };
-
-hal_attribute_hwservice(hal_graphics_composer, hal_graphics_composer_hwservice)
-
-# Coordinate with hal_graphics_mapper
-allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;
-
-# GPU device access
-allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
-allow hal_graphics_composer gpu_device:dir r_dir_perms;
-allow hal_graphics_composer ion_device:chr_file r_file_perms;
-allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms;
-allow hal_graphics_composer hal_graphics_allocator:fd use;
-
-# Access /dev/graphics/fb0.
-allow hal_graphics_composer graphics_device:dir search;
-allow hal_graphics_composer graphics_device:chr_file rw_file_perms;
-
-# Fences
-allow hal_graphics_composer system_server:fd use;
-allow hal_graphics_composer bootanim:fd use;
-allow hal_graphics_composer appdomain:fd use;
-
-# allow self to set SCHED_FIFO
-allow hal_graphics_composer self:global_capability_class_set sys_nice;
-
-# allow surfaceflinger to use a pipe for dumpsys output
-allow hal_graphics_composer_server hal_graphics_composer_client:fifo_file write;
-
-
-binder_call(hal_graphics_composer_client, servicemanager)
-binder_call(hal_graphics_composer_server, servicemanager)
-
-hal_attribute_service(hal_graphics_composer, hal_graphics_composer_service)
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/healthd.te b/public/healthd.te
index c5dcfb7..69c03c6 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -1,4 +1,7 @@
 # healthd - battery/charger monitoring service daemon
 # healthd is removed. The type is kept for backwards compatibility.
-
 type healthd, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/heapprofd.te b/public/heapprofd.te
index 7ceb23f..95fadaa 100644
--- a/public/heapprofd.te
+++ b/public/heapprofd.te
@@ -1 +1,5 @@
 type heapprofd, domain, coredomain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/hwservice.te b/public/hwservice.te
index 11b77f0..d6f2de4 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -91,11 +91,6 @@
 type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
 
-###
-### Neverallow rules
-###
-
-# hwservicemanager handles registering or looking up named services.
-# It does not make sense to register or lookup something which is not a
-# hwservice. Trigger a compile error if this occurs.
-neverallow domain ~hwservice_manager_type:hwservice_manager { add find };
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
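Review bot: The compile-time assertion `neverallow domain ~hwservice_manager_type:hwservice_manager { add find };` is removed here, and nothing in this hunk shows that an equivalent rule now exists under private/; if the private copy was dropped or narrowed, a type registered with hwservicemanager without the hwservice_manager_type attribute would no longer fail the policy build. The same concern applies to the neverallow block at the end of the public/init.te hunk (dyntransition, transition, entrypoint, noatsecure, execute_no_trans, ptrace and the system_data_root_file rule). Because the policy compiler only enforces assertions that are actually present, the relocation is best verified by comparing the full set of `neverallow` statements in public/ before the change with private/ after it, for example `grep -h '^neverallow' public/*.te private/*.te | sort` on both trees, rather than assuming each file moved intact. A one-line pointer in the commit message to the private/ change that receives these rules would make that check easy for later readers.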
diff --git a/public/hwservicemanager.te b/public/hwservicemanager.te
index 7ec1872..7ed9583 100644
--- a/public/hwservicemanager.te
+++ b/public/hwservicemanager.te
@@ -2,19 +2,6 @@
 type hwservicemanager, domain, mlstrustedsubject;
 type hwservicemanager_exec, system_file_type, exec_type, file_type;
 
-# Note that we do not use the binder_* macros here.
-# hwservicemanager provides name service (aka context manager)
-# for hwbinder.
-# Additionally, it initiates binder IPC calls to
-# clients who request service notifications. The permission
-# to do this is granted in the hwbinder_use macro.
-allow hwservicemanager self:binder set_context_mgr;
-
-# Scan through /system/lib64/hw looking for installed HALs
-allow hwservicemanager system_file:dir r_dir_perms;
-
-# Read hwservice_contexts
-allow hwservicemanager hwservice_contexts_file:file r_file_perms;
-
-# Check SELinux permissions.
-selinux_check_access(hwservicemanager)
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/idmap.te b/public/idmap.te
index 76ef622..02ff988 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -2,25 +2,6 @@
 type idmap, domain;
 type idmap_exec, system_file_type, exec_type, file_type;
 
-# Allow read + write access to /data/resource-cache
-allow idmap resourcecache_data_file:file create_file_perms;
-allow idmap resourcecache_data_file:dir rw_dir_perms;
-
-# Open and read from target and overlay apk files passed by argument.
-allow idmap apk_data_file:file r_file_perms;
-allow idmap apk_data_file:dir search;
-
-# Allow /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
-allow idmap { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
-allow idmap { apk_tmp_file apk_private_tmp_file }:dir search;
-
-# Allow apps access to /vendor/app
-r_dir_file(idmap, vendor_app_file)
-
-# Allow apps access to /vendor/overlay
-r_dir_file(idmap, vendor_overlay_file)
-
-# Allow the idmap2d binary to register as a service and communicate via AIDL
-binder_use(idmap)
-binder_service(idmap)
-add_service(idmap, idmap_service)
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/incident.te b/public/incident.te
index ce57bf6..f3f8140 100644
--- a/public/incident.te
+++ b/public/incident.te
@@ -6,3 +6,6 @@
 # incident
 type incident, domain;
 
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/incident_helper.te b/public/incident_helper.te
index bca1018..e8aca04 100644
--- a/public/incident_helper.te
+++ b/public/incident_helper.te
@@ -3,3 +3,7 @@
 
 # incident_helper
 type incident_helper, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/incidentd.te b/public/incidentd.te
index b03249c..4a7501d 100644
--- a/public/incidentd.te
+++ b/public/incidentd.te
@@ -1,3 +1,6 @@
 # incidentd
 type incidentd, domain;
 
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/init.te b/public/init.te
index 47b8603..a74983c 100644
--- a/public/init.te
+++ b/public/init.te
@@ -3,694 +3,6 @@
 type init_exec, system_file_type, exec_type, file_type;
 type init_tmpfs, file_type;
 
-# /dev/__null__ node created by init.
-allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
-
-#
-# init direct restorecon calls.
-#
-# /dev/kmsg
-allow init tmpfs:chr_file relabelfrom;
-allow init kmsg_device:chr_file { getattr write relabelto };
-# /dev/kmsg_debug
-userdebug_or_eng(`
-  allow init kmsg_debug_device:chr_file { open write relabelto };
-')
-
-# allow init to mount and unmount debugfs in debug builds
-userdebug_or_eng(`
-  allow init debugfs:dir mounton;
-')
-
-# /dev/__properties__
-allow init properties_device:dir relabelto;
-allow init properties_serial:file { write relabelto };
-allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
-# /dev/__properties__/property_info and /dev/__properties/appcompat_override/property_info
-allow init properties_device:file create_file_perms;
-allow init property_info:file relabelto;
-# /dev/event-log-tags
-allow init device:file relabelfrom;
-allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
-# /dev/socket
-allow init { device socket_device dm_user_device }:dir relabelto;
-# allow init to establish connection and communicate with lmkd
-unix_socket_connect(init, lmkd, lmkd)
-# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
-# and /dev/urandom
-allow init { console_device null_device ptmx_device random_device } : chr_file relabelto;
-# /dev/device-mapper, /dev/block(/.*)?
-allow init tmpfs:{ chr_file blk_file } relabelfrom;
-allow init tmpfs:blk_file getattr;
-allow init block_device:{ dir blk_file lnk_file } relabelto;
-allow init dm_device:{ chr_file blk_file } relabelto;
-allow init dm_user_device:chr_file relabelto;
-allow init kernel:fd use;
-# restorecon for early mount device symlinks
-allow init tmpfs:lnk_file { getattr read relabelfrom };
-allow init {
-  metadata_block_device
-  misc_block_device
-  recovery_block_device
-  system_block_device
-  userdata_block_device
-}:{ blk_file lnk_file } relabelto;
-
-allow init dtbo_block_device:lnk_file relabelto;
-allow init super_block_device:lnk_file relabelto;
-
-# Create /mnt/sdcard -> /storage/self/primary symlink.
-allow init mnt_sdcard_file:lnk_file create;
-
-# setrlimit
-allow init self:global_capability_class_set sys_resource;
-
-# Remove /dev/.booting and load /debug_ramdisk/* files
-allow init tmpfs:file { getattr unlink };
-
-# Access pty created for fsck.
-allow init devpts:chr_file { read write open };
-
-# Create /dev/fscklogs files.
-allow init fscklogs:file create_file_perms;
-
-# Access /dev/__null__ node created prior to initial policy load.
-allow init tmpfs:chr_file write;
-
-# Access /dev/console.
-allow init console_device:chr_file rw_file_perms;
-
-# Access /dev/tty0.
-allow init tty_device:chr_file rw_file_perms;
-
-# Call mount(2).
-allow init self:global_capability_class_set sys_admin;
-
-# Call setns(2).
-allow init self:global_capability_class_set sys_chroot;
-
-# Create and mount on directories in /.
-allow init rootfs:dir create_dir_perms;
-allow init {
-    rootfs
-    cache_file
-    cgroup
-    linkerconfig_file
-    storage_file
-    mnt_user_file
-    system_data_file
-    system_data_root_file
-    system_dlkm_file
-    system_file
-    vendor_file
-    postinstall_mnt_dir
-    mirror_data_file
-    shell_data_file
-}:dir mounton;
-
-# Mount bpf fs on sys/fs/bpf
-allow init fs_bpf:dir mounton;
-
-# Mount on /dev/usb-ffs/adb.
-allow init device:dir mounton;
-
-# Mount tmpfs on /apex
-allow init apex_mnt_dir:dir mounton;
-
-# Bind-mount on /system/apex/com.android.art
-allow init art_apex_dir:dir mounton;
-
-# Create and remove symlinks in /.
-allow init rootfs:lnk_file { create unlink };
-
-# Mount debugfs on /sys/kernel/debug.
-allow init sysfs:dir mounton;
-
-# Create cgroups mount points in tmpfs and mount cgroups on them.
-allow init tmpfs:dir create_dir_perms;
-allow init tmpfs:dir mounton;
-allow init cgroup:dir create_dir_perms;
-allow init cgroup:file rw_file_perms;
-allow init cgroup_rc_file:file rw_file_perms;
-allow init cgroup_desc_file:file r_file_perms;
-allow init cgroup_desc_api_file:file r_file_perms;
-allow init vendor_cgroup_desc_file:file r_file_perms;
-allow init cgroup_v2:dir { mounton create_dir_perms};
-allow init cgroup_v2:file rw_file_perms;
-
-# /config
-allow init configfs:dir mounton;
-allow init configfs:dir create_dir_perms;
-allow init configfs:{ file lnk_file } create_file_perms;
-
-# /metadata
-allow init metadata_file:dir mounton;
-
-# Run restorecon on /dev
-allow init tmpfs:dir relabelfrom;
-
-# Create directories under /dev/cpuctl after chowning it to system.
-allow init self:global_capability_class_set { dac_override dac_read_search };
-
-# Set system clock.
-allow init self:global_capability_class_set sys_time;
-
-allow init self:global_capability_class_set { sys_rawio mknod };
-
-# Mounting filesystems from block devices.
-allow init dev_type:blk_file r_file_perms;
-allowxperm init dev_type:blk_file ioctl BLKROSET;
-allowxperm init system_data_root_file:dir ioctl F2FS_IOC_SHUTDOWN;
-
-# Mounting filesystems.
-# Only allow relabelto for types used in context= mount options,
-# which should all be assigned the contextmount_type attribute.
-# This can be done in device-specific policy via type or typeattribute
-# declarations.
-allow init {
-  fs_type
-  enforce_debugfs_restriction(`-debugfs_type')
-}:filesystem ~relabelto;
-
-# Allow init to mount/unmount debugfs in non-user builds.
-enforce_debugfs_restriction(`
-  userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
-')
-
-# Allow init to mount tracefs in /sys/kernel/tracing
-allow init debugfs_tracing_debug:filesystem mount;
-
-allow init unlabeled:filesystem ~relabelto;
-allow init contextmount_type:filesystem relabelto;
-
-# Allow read-only access to context= mounted filesystems.
-allow init contextmount_type:dir r_dir_perms;
-allow init contextmount_type:notdevfile_class_set r_file_perms;
-
-# restorecon /adb_keys or any other rootfs files and directories to a more
-# specific type.
-allow init rootfs:{ dir file } relabelfrom;
-
-# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
-# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
-# system/core/init.rc requires at least cache_file and data_file_type.
-# init.<board>.rc files often include device-specific types, so
-# we just allow all file types except /system files here.
-allow init self:global_capability_class_set { chown fowner fsetid };
-
-allow init {
-  file_type
-  -app_data_file
-  -bpffs_type
-  -exec_type
-  -misc_logd_file
-  -nativetest_data_file
-  -privapp_data_file
-  -system_app_data_file
-  -system_dlkm_file_type
-  -system_file_type
-  -vendor_file_type
-}:dir { create search getattr open read setattr ioctl };
-
-allow init {
-  file_type
-  -app_data_file
-  -bpffs_type
-  -credstore_data_file
-  -exec_type
-  -keystore_data_file
-  -media_userdir_file
-  -misc_logd_file
-  -nativetest_data_file
-  -privapp_data_file
-  -shell_data_file
-  -system_app_data_file
-  -system_dlkm_file_type
-  -system_file_type
-  -system_userdir_file
-  -vendor_file_type
-  -vendor_userdir_file
-  -vold_data_file
-}:dir { write add_name remove_name rmdir relabelfrom };
-
-allow init {
-  file_type
-  -apex_info_file
-  -app_data_file
-  -bpffs_type
-  -exec_type
-  -gsi_data_file
-  -credstore_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -nativetest_data_file
-  -privapp_data_file
-  -runtime_event_log_tags_file
-  -shell_data_file
-  -system_app_data_file
-  -system_dlkm_file_type
-  -system_file_type
-  -vendor_file_type
-  -vold_data_file
-  enforce_debugfs_restriction(`-debugfs_type')
-}:file { create getattr open read write setattr relabelfrom unlink map };
-
-allow init tracefs_type:file { create_file_perms relabelfrom };
-
-# Allow init to read /apex/apex-info-list.xml for preinstalled paths of APEXes to determine
-# subcontext for action/service defined in APEXes.
-allow init apex_info_file:file r_file_perms;
-
-allow init {
-  file_type
-  -app_data_file
-  -bpffs_type
-  -exec_type
-  -gsi_data_file
-  -credstore_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -nativetest_data_file
-  -privapp_data_file
-  -shell_data_file
-  -system_app_data_file
-  -system_dlkm_file_type
-  -system_file_type
-  -vendor_file_type
-  -vold_data_file
-}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-
-allow init {
-  file_type
-  -apex_mnt_dir
-  -app_data_file
-  -bpffs_type
-  -exec_type
-  -gsi_data_file
-  -credstore_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -nativetest_data_file
-  -privapp_data_file
-  -shell_data_file
-  -system_app_data_file
-  -system_dlkm_file_type
-  -system_file_type
-  -vendor_file_type
-  -vold_data_file
-}:lnk_file { create getattr setattr relabelfrom unlink };
-
-allow init cache_file:lnk_file r_file_perms;
-
-allow init {
-  file_type
-  -bpffs_type
-  -system_dlkm_file_type
-  -system_file_type
-  -vendor_file_type
-  -exec_type
-  -app_data_file
-  -privapp_data_file
-}:dir_file_class_set relabelto;
-
-allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
-allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
-allow init dev_type:dir create_dir_perms;
-allow init dev_type:lnk_file create;
-
-# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
-allow init debugfs_tracing:file w_file_perms;
-
-# Setup and control wifi event tracing (see wifi-events.rc)
-allow init debugfs_tracing_instances:dir create_dir_perms;
-allow init debugfs_tracing_instances:file w_file_perms;
-allow init debugfs_wifi_tracing:file w_file_perms;
-
-# chown/chmod on pseudo files.
-allow init {
-  fs_type
-  -bpffs_type
-  -contextmount_type
-  -keychord_device
-  -proc_type
-  -sdcard_type
-  -fusefs_type
-  -sysfs_type
-  -rootfs
-  enforce_debugfs_restriction(`-debugfs_type')
-}:file { open read setattr };
-allow init {
-  fs_type
-  -bpffs_type
-  -contextmount_type
-  -sdcard_type
-  -fusefs_type
-  -rootfs
-}:dir { open read setattr search };
-
-allow init {
-  binder_device
-  console_device
-  devpts
-  dm_device
-  hwbinder_device
-  input_device
-  kmsg_device
-  null_device
-  owntty_device
-  pmsg_device
-  ptmx_device
-  random_device
-  tty_device
-  zero_device
-}:chr_file { read open };
-
-# Unlabeled file access for upgrades from 4.2.
-allow init unlabeled:dir { create_dir_perms relabelfrom };
-allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-
-# Any operation that can modify the kernel ring buffer, e.g. clear
-# or a read that consumes the messages that were read.
-allow init kernel:system syslog_mod;
-allow init self:global_capability2_class_set syslog;
-
-# init access to /proc.
-r_dir_file(init, proc_net_type)
-allow init proc_filesystems:file r_file_perms;
-
-userdebug_or_eng(`
-  # Overlayfs workdir write access check during mount to permit remount,rw
-  allow init overlayfs_file:dir { relabelfrom mounton write };
-  allow init overlayfs_file:file { append rename };
-  allow init overlayfs_file:chr_file unlink;
-  allow init system_block_device:blk_file { write };
-')
-
-allow init {
-  proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
-  proc_bootconfig
-  proc_cmdline
-  proc_diskstats
-  proc_kmsg # Open /proc/kmsg for logd service.
-  proc_meminfo
-  proc_stat # Read /proc/stat for bootchart.
-  proc_uptime
-  proc_version
-}:file r_file_perms;
-
-allow init {
-  proc_abi
-  proc_cpu_alignment
-  proc_dirty
-  proc_hostname
-  proc_hung_task
-  proc_extra_free_kbytes
-  proc_net_type
-  proc_max_map_count
-  proc_min_free_order_shift
-  proc_overcommit_memory      # /proc/sys/vm/overcommit_memory
-  proc_panic
-  proc_page_cluster
-  proc_perf
-  proc_sched
-  proc_sysrq
-  proc_watermark_boost_factor
-}:file w_file_perms;
-
-allow init {
-  proc_security
-}:file rw_file_perms;
-
-# init chmod/chown access to /proc files.
-allow init {
-  proc_cmdline
-  proc_bootconfig
-  proc_kmsg
-  proc_net
-  proc_pagetypeinfo
-  proc_qtaguid_stat
-  proc_slabinfo
-  proc_sysrq
-  proc_qtaguid_ctrl
-  proc_vmallocinfo
-}:file setattr;
-
-# init access to /sys files.
-allow init {
-  sysfs_android_usb
-  sysfs_dm_verity
-  sysfs_leds
-  sysfs_power
-  sysfs_fs_f2fs
-  sysfs_dm
-  sysfs_lru_gen_enabled
-}:file w_file_perms;
-
-allow init {
-  sysfs_dt_firmware_android
-  sysfs_fs_ext4_features
-}:file r_file_perms;
-
-allow init {
-  sysfs_zram
-}:file rw_file_perms;
-
-# allow init to create loop devices with /dev/loop-control
-allow init loop_control_device:chr_file rw_file_perms;
-allow init loop_device:blk_file rw_file_perms;
-allowxperm init loop_device:blk_file ioctl {
-  LOOP_SET_FD
-  LOOP_CLR_FD
-  LOOP_CTL_GET_FREE
-  LOOP_SET_BLOCK_SIZE
-  LOOP_SET_DIRECT_IO
-  LOOP_GET_STATUS
-  LOOP_SET_STATUS64
-};
-
-# Allow init to write to vibrator/trigger
-allow init sysfs_vibrator:file w_file_perms;
-
-# init chmod/chown access to /sys files.
-allow init {
-  sysfs_android_usb
-  sysfs_devices_system_cpu
-  sysfs_ipv4
-  sysfs_leds
-  sysfs_lowmemorykiller
-  sysfs_power
-  sysfs_vibrator
-  sysfs_wake_lock
-  sysfs_zram
-}:file setattr;
-
-# Set usermodehelpers.
-allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
-
-allow init self:global_capability_class_set net_admin;
-
-# Reboot.
-allow init self:global_capability_class_set sys_boot;
-
-# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
-# Init will also walk through the directory as part of a recursive restorecon.
-allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
-allow init misc_logd_file:file { open create getattr setattr write };
-
-# Support "adb shell stop"
-allow init self:global_capability_class_set kill;
-allow init domain:process { getpgid sigkill signal };
-
-# Init creates credstore's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init credstore_data_file:dir { open create read getattr setattr search };
-allow init credstore_data_file:file { getattr };
-
-# Init creates keystore's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init keystore_data_file:dir { open create read getattr setattr search };
-allow init keystore_data_file:file { getattr };
-
-# Init creates vold's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init vold_data_file:dir { open create read getattr setattr search };
-allow init vold_data_file:file { getattr };
-
-# Init creates /data/local/tmp at boot
-allow init shell_data_file:dir { open create read getattr setattr search };
-allow init shell_data_file:file { getattr };
-
-# Set UID, GID, and adjust capability bounding set for services.
-allow init self:global_capability_class_set { setuid setgid setpcap };
-
-# For bootchart to read the /proc/$pid/cmdline file of each process,
-# we need to have following line to allow init to have access
-# to different domains.
-r_dir_file(init, domain)
-
-# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
-# setexec is for services with seclabel options.
-# setfscreate is for labeling directories and socket files.
-# setsockcreate is for labeling local/unix domain sockets.
-allow init self:process { setexec setfscreate setsockcreate };
-
-# Get file context
-allow init file_contexts_file:file r_file_perms;
-
-# sepolicy access
-allow init sepolicy_file:file r_file_perms;
-
-# Perform SELinux access checks on setting properties.
-selinux_check_access(init)
-
-# Ask the kernel for the new context on services to label their sockets.
-allow init kernel:security compute_create;
-
-# Create sockets for the services.
-allow init domain:unix_stream_socket { create bind setopt };
-allow init domain:unix_dgram_socket { create bind setopt };
-
-# Create /data/property and files within it.
-allow init property_data_file:dir create_dir_perms;
-allow init property_data_file:file create_file_perms;
-
-# Set any property.
-allow init property_type:property_service set;
-
-# Send an SELinux userspace denial to the kernel audit subsystem,
-# so it can be picked up and processed by logd. These denials are
-# generated when an attempt to set a property is denied by policy.
-allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
-allow init self:global_capability_class_set audit_write;
-
-# Run "ifup lo" to bring up the localhost interface
-allow init self:udp_socket { create ioctl };
-# in addition to unpriv ioctls granted to all domains, init also needs:
-allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
-allow init self:global_capability_class_set net_raw;
-
-# Set scheduling info for psi monitor thread.
-# TODO: delete or revise this line b/131761776
-allow init kernel:process { getsched setsched };
-
-# swapon() needs write access to swap device
-# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
-allow init swap_block_device:blk_file rw_file_perms;
-
-# Create and access /dev files without a specific type,
-# e.g. /dev/.coldboot_done, /dev/.booting
-# TODO:  Move these files into their own type unless they are
-# only ever accessed by init.
-allow init device:file create_file_perms;
-
-# keychord retrieval from /dev/input/ devices
-allow init input_device:dir r_dir_perms;
-allow init input_device:chr_file rw_file_perms;
-
-# Access device mapper for setting up dm-verity
-allow init dm_device:chr_file rw_file_perms;
-allow init dm_device:blk_file rw_file_perms;
-
-# Access dm-user for OTA boot
-allow init dm_user_device:chr_file rw_file_perms;
-
-# Access metadata block device for storing dm-verity state
-allow init metadata_block_device:blk_file rw_file_perms;
-
-# Read /sys/fs/pstore/console-ramoops to detect restarts caused
-# by dm-verity detecting corrupted blocks
-allow init pstorefs:dir search;
-allow init pstorefs:file r_file_perms;
-allow init kernel:system syslog_read;
-
-# linux keyring configuration
-allow init init:key { write search setattr };
-
-# Allow init to create /data/unencrypted
-allow init unencrypted_data_file:dir create_dir_perms;
-
-# Set encryption policy on dirs in /data
-allowxperm init { data_file_type unlabeled }:dir ioctl {
-  FS_IOC_GET_ENCRYPTION_POLICY
-  FS_IOC_SET_ENCRYPTION_POLICY
-};
-
-# Raw writes to misc block device
-allow init misc_block_device:blk_file w_file_perms;
-
-r_dir_file(init, system_file)
-r_dir_file(init, system_dlkm_file_type)
-r_dir_file(init, vendor_file_type)
-
-allow init system_data_file:file { getattr read };
-allow init system_data_file:lnk_file r_file_perms;
-
-# For init to be able to run shell scripts from vendor
-allow init vendor_shell_exec:file execute;
-
-# Metadata setup
-allow init vold_metadata_file:dir create_dir_perms;
-allow init vold_metadata_file:file getattr;
-allow init metadata_bootstat_file:dir create_dir_perms;
-allow init metadata_bootstat_file:file w_file_perms;
-allow init userspace_reboot_metadata_file:file w_file_perms;
-
-# Allow init to touch PSI monitors
-allow init proc_pressure_mem:file { rw_file_perms setattr };
-
-# init is using bootstrap bionic
-use_bootstrap_libs(init)
-
-# stat the root dir of fuse filesystems (for the mount handler)
-allow init fuse:dir { search getattr };
-
-# allow filesystem tuning
-allow init userdata_sysdev:file create_file_perms;
-
-# allow disk tuning
-allow init rootdisk_sysdev:file create_file_perms;
-
-###
-### neverallow rules
-###
-
-# The init domain is only entered via an exec based transition from the
-# kernel domain, never via setcon().
-neverallow domain init:process dyntransition;
-neverallow { domain -kernel } init:process transition;
-neverallow init { file_type fs_type -init_exec }:file entrypoint;
-
-# Never read/follow symlinks created by shell or untrusted apps.
-neverallow init shell_data_file:lnk_file read;
-neverallow init app_data_file_type:lnk_file read;
-
-# init should never execute a program without changing to another domain.
-neverallow init { file_type fs_type }:file execute_no_trans;
-
-# The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
-# when init is executing other binaries. The use of LD_PRELOAD for init spawned
-# services is generally considered a no-no, as it injects libraries which the
-# binary was not expecting. This is especially problematic for APEXes. The use
-# of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
-# code into a process which wasn't expecting that code, with potentially
-# unexpected side effects. (b/140789528)
-neverallow init *:process noatsecure;
-
-# init can never add binder services
-neverallow init service_manager_type:service_manager { add find };
-# init can never list binder services
-neverallow init servicemanager:service_manager list;
-
-# Init should not be creating subdirectories in /data/local/tmp
-neverallow init shell_data_file:dir { write add_name remove_name };
-
-# Init should not access sysfs node that are not explicitly labeled.
-neverallow init sysfs:file { open write };
-
-# No domain should be allowed to ptrace init.
-neverallow * init:process ptrace;
-
-# init owns the root of /data
-# TODO(b/140259336) We want to remove vendor_init
-# TODO(b/141108496) We want to remove toolbox
-neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
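Review bot: Several of the removed allow rules are gated on build variant, either by `userdebug_or_eng(...)` (the kmsg_debug_device relabelto, `allow init debugfs:dir mounton;`, and the overlayfs remount block including `allow init system_block_device:blk_file { write };`) or by `enforce_debugfs_restriction(...)` in the filesystem and file_type rules; the private copies must keep those macro wrappers verbatim, otherwise these grants silently become unconditional on user builds. This hunk cannot show whether the guards survived the move, so private/init.te should be checked for those three blocks specifically. The `allowxperm` ioctl allow-lists (BLKROSET, F2FS_IOC_SHUTDOWN, the LOOP_* set, FS_IOC_GET/SET_ENCRYPTION_POLICY) only take effect next to their matching `allow ... ioctl` rules and should travel with them, since a missing allowxperm after the move would widen the permitted ioctl set rather than narrow it.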
diff --git a/public/inputflinger.te b/public/inputflinger.te
index b62c06d..2f44e56 100644
--- a/public/inputflinger.te
+++ b/public/inputflinger.te
@@ -2,15 +2,6 @@
 type inputflinger, domain;
 type inputflinger_exec, system_file_type, exec_type, file_type;
 
-binder_use(inputflinger)
-binder_service(inputflinger)
-
-binder_call(inputflinger, system_server)
-
-wakelock_use(inputflinger)
-
-allow inputflinger input_device:dir r_dir_perms;
-allow inputflinger input_device:chr_file rw_file_perms;
-
-r_dir_file(inputflinger, cgroup)
-r_dir_file(inputflinger, cgroup_v2)
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/installd.te b/public/installd.te
index 88f6aab..53e7239 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -1,185 +1,7 @@
 # installer daemon
 type installd, domain;
 type installd_exec, system_file_type, exec_type, file_type;
-typeattribute installd mlstrustedsubject;
-allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin kill };
 
-# Allow labeling of files under /data/app/com.example/oat/
-allow installd dalvikcache_data_file:dir relabelto;
-allow installd dalvikcache_data_file:file { relabelto link };
-
-# Allow movement of APK files between volumes
-allow installd apk_data_file:dir { create_dir_perms relabelfrom };
-allow installd apk_data_file:file { create_file_perms relabelfrom link };
-allow installd apk_data_file:lnk_file { create r_file_perms unlink };
-
-allow installd asec_apk_file:file r_file_perms;
-allow installd apk_tmp_file:file { r_file_perms unlink };
-allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
-allow installd oemfs:dir r_dir_perms;
-allow installd oemfs:file r_file_perms;
-allow installd cgroup:dir create_dir_perms;
-allow installd cgroup_v2:dir create_dir_perms;
-allow installd mnt_expand_file:dir { search getattr };
-# Check validity of SELinux context before use.
-selinux_check_context(installd)
-
-r_dir_file(installd, rootfs)
-# Scan through APKs in /system/app and /system/priv-app
-r_dir_file(installd, system_file)
-# Scan through APKs in /vendor/app
-r_dir_file(installd, vendor_app_file)
-# Scan through JARs in /vendor/framework
-r_dir_file(installd, vendor_framework_file)
-# Scan through Runtime Resource Overlay APKs in /vendor/overlay
-r_dir_file(installd, vendor_overlay_file)
-# Vendor overlay can be found in vendor apex
-allow installd vendor_apex_metadata_file:dir { getattr search };
-# Get file context
-allow installd file_contexts_file:file r_file_perms;
-# Get seapp_context
-allow installd seapp_contexts_file:file r_file_perms;
-
-# Search /data/app-asec and stat files in it.
-allow installd asec_image_file:dir search;
-allow installd asec_image_file:file getattr;
-
-# Required to initially create subdirectories of /data/user/$userId
-# and lib symlinks before the setfilecon call.  May want to
-# move symlink creation after setfilecon in installd.
-allow installd system_data_file:dir create_dir_perms;
-# Also, allow read for lnk_file so that we can process symlinks within
-# /data/user/$userId when optimizing application code.
-allow installd system_data_file:lnk_file { create getattr read setattr unlink };
-
-# Manage lower filesystem via pass_through mounts
-allow installd mnt_pass_through_file:dir r_dir_perms;
-
-# Upgrade /data/media for multi-user if necessary.
-allow installd media_rw_data_file:dir create_dir_perms;
-allow installd media_rw_data_file:file { getattr unlink };
-# restorecon new /data/media directory.
-allow installd system_data_file:dir relabelfrom;
-allow installd media_rw_data_file:dir relabelto;
-
-# Delete /data/media files through sdcardfs, instead of going behind its back
-allow installd media_userdir_file:dir r_dir_perms;
-allow installd tmpfs:dir r_dir_perms;
-allow installd storage_file:dir search;
-allow installd { sdcard_type fuse }:dir { search open read write remove_name getattr rmdir };
-allow installd { sdcard_type fuse }:file { getattr unlink };
-
-# Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
-allow installd mirror_data_file:dir { create_dir_perms mounton };
-
-# Upgrade /data/misc/keychain for multi-user if necessary.
-allow installd system_userdir_file:dir r_dir_perms;
-allow installd misc_user_data_file:dir create_dir_perms;
-allow installd misc_user_data_file:file create_file_perms;
-allow installd keychain_data_file:dir create_dir_perms;
-allow installd keychain_data_file:file {r_file_perms unlink};
-
-# Create /data/misc/installd/layout_version.* file
-allow installd install_data_file:file create_file_perms;
-allow installd install_data_file:dir rw_dir_perms;
-
-# Create files under /data/dalvik-cache.
-allow installd dalvikcache_data_file:dir create_dir_perms;
-allow installd dalvikcache_data_file:file create_file_perms;
-allow installd dalvikcache_data_file:lnk_file getattr;
-
-# Create files under /data/resource-cache.
-allow installd resourcecache_data_file:dir rw_dir_perms;
-allow installd resourcecache_data_file:file create_file_perms;
-
-# Upgrade from unlabeled userdata.
-# Just need enough to remove and/or relabel it.
-allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
-allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
-# Read pkg.apk file for input during dexopt.
-allow installd unlabeled:file r_file_perms;
-
-# Upgrade from before system_app_data_file was used for system UID apps.
-# Just need enough to relabel it and to unlink removed package files.
-# Directory access covered by earlier rule above.
-allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
-
-# Manage /data/data subdirectories, including initially labeling them
-# upon creation via setfilecon or running restorecon_recursive,
-# setting owner/mode, creating symlinks within them, and deleting them
-# upon package uninstall.
-allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
-allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto };
-
-# Allow setting extended attributes (for project quota IDs) on dirs and files
-# and to enable project ID inheritance through FS_IOC_SETFLAGS
-# Added install_data_file to be able to create file under /data/misc/installd/ioctl_check
-allowxperm installd { app_data_file_type system_data_file install_data_file}:{ dir file } ioctl {
-  FS_IOC_FSGETXATTR
-  FS_IOC_FSSETXATTR
-  FS_IOC_GETFLAGS
-  FS_IOC_SETFLAGS
-};
-
-# Similar for the files under /data/misc/profiles/
-allow installd user_profile_root_file:dir { create_dir_perms relabelfrom };
-allow installd user_profile_data_file:dir { create_dir_perms relabelto };
-allow installd user_profile_data_file:file create_file_perms;
-allow installd user_profile_data_file:file unlink;
-
-# Allow zygote to unmount mirror directories
-allow installd labeledfs:filesystem unmount;
-
-# Files created/updated by profman dumps.
-allow installd profman_dump_data_file:dir { search add_name write };
-allow installd profman_dump_data_file:file { create setattr open write };
-
-# Create and use pty created by android_fork_execvp().
-allow installd devpts:chr_file rw_file_perms;
-
-# execute toybox for app relocation
-allow installd toolbox_exec:file rx_file_perms;
-
-# Allow installd to publish a binder service and make binder calls.
-binder_use(installd)
-add_service(installd, installd_service)
-allow installd dumpstate:fifo_file  { getattr write };
-
-# Allow installd to call into the system server so it can check permissions.
-binder_call(installd, system_server)
-allow installd permission_service:service_manager find;
-
-# Allow installd to read and write quotas
-allow installd block_device:dir { search };
-allow installd labeledfs:filesystem { quotaget quotamod };
-
-# Allow installd to delete from /data/preloads when trimming data caches
-# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
-allow installd preloads_data_file:file { r_file_perms unlink };
-allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
-allow installd preloads_media_file:file { r_file_perms unlink };
-allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
-
-# Allow installd to read /proc/filesystems
-allow installd proc_filesystems:file r_file_perms;
-
-#add for move app to sd card
-get_prop(installd, storage_config_prop)
-
-# Allow installd to access apps installed on the Incremental File System
-# Accessing files on the Incremental File System uses fds opened in the context of vold.
-allow installd vold:fd use;
-
-###
-### Neverallow rules
-###
-
-# only system_server, installd, dumpstate, and servicemanager may interact with installd over binder
-neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
-neverallow { domain -system_server -dumpstate -servicemanager } installd:binder call;
-neverallow installd {
-    domain
-    -system_server
-    -servicemanager
-    userdebug_or_eng(`-su')
-}:binder call;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
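Review bot: The neverallow assertions dropped from this hunk (installd_service find, installd binder call, the installd→domain binder call at the hunk's end) must be re-added verbatim in system/sepolicy/private/installd.te in the same change, and that side of the move is not visible here, so please double-check it. Unlike an allow rule, a lost neverallow produces no runtime denial and no test failure on its own; the compile-time guarantee simply disappears. The same applies to the hunks for kernel.te (`neverallow * kernel:process { transition dyntransition }`, `neverallow kernel *:file { entrypoint execute_no_trans }`, the dac_* and ptrace rules), keystore.te (the keystore_data_file protections and the ptrace rule), lmkd.te, logd.te, logpersist.te, mediadrmserver.te, mediaextractor.te and mediametrics.te. The replacement comment could also point readers at the new location, e.g. `# installd's rules, including its neverallow assertions, live in system/sepolicy/private/installd.te.`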
diff --git a/public/isolated_app.te b/public/isolated_app.te
index a907dac..b231df7 100644
--- a/public/isolated_app.te
+++ b/public/isolated_app.te
@@ -7,3 +7,7 @@
 ###
 
 type isolated_app, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/isolated_compute_app.te b/public/isolated_compute_app.te
index f2ae9a1..4bfadaa 100644
--- a/public/isolated_compute_app.te
+++ b/public/isolated_compute_app.te
@@ -1 +1,5 @@
 type isolated_compute_app, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/kernel.te b/public/kernel.te
index b01c07a..c3fcdad 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -1,146 +1,6 @@
 # Life begins with the kernel.
 type kernel, domain, mlstrustedsubject;
 
-allow kernel self:global_capability_class_set sys_nice;
-
-# Root fs.
-r_dir_file(kernel, rootfs)
-
-# Used to read androidboot.selinux property
-allow kernel {
-  proc_bootconfig
-  proc_cmdline
-}:file r_file_perms;
-
-# Get SELinux enforcing status.
-allow kernel selinuxfs:dir r_dir_perms;
-allow kernel selinuxfs:file r_file_perms;
-
-# Get file contexts during first stage
-allow kernel file_contexts_file:file r_file_perms;
-
-# Allow init relabel itself.
-allow kernel rootfs:file relabelfrom;
-allow kernel init_exec:file relabelto;
-# TODO: investigate why we need this.
-allow kernel init:process share;
-
-# cgroup filesystem initialization prior to setting the cgroup root directory label.
-allow kernel unlabeled:dir search;
-
-# Mount usbfs.
-allow kernel usbfs:filesystem mount;
-allow kernel usbfs:dir search;
-
-# Initial setenforce by init prior to switching to init domain.
-# We use dontaudit instead of allow to prevent a kernel spawned userspace
-# process from turning off SELinux once enabled.
-dontaudit kernel self:security setenforce;
-
-# Write to /proc/1/oom_adj prior to switching to init domain.
-allow kernel self:global_capability_class_set sys_resource;
-
-# Init reboot before switching selinux domains under certain error
-# conditions. Allow it.
-# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
-# remount filesystems read-only. /data is not mounted at this point,
-# so we could ignore this. For now, we allow it.
-allow kernel self:global_capability_class_set sys_boot;
-allow kernel proc_sysrq:file w_file_perms;
-
-# Allow writing to /dev/kmsg which was created prior to loading policy.
-allow kernel tmpfs:chr_file write;
-
-# Set checkreqprot by init.rc prior to switching to init domain.
-allow kernel selinuxfs:file write;
-allow kernel self:security setcheckreqprot;
-
-# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
-allow kernel { sdcard_type fuse }:file { read write };
-
-# f_mtp driver accesses files from kernel context.
-allow kernel mediaprovider:fd use;
-
-# Allow the kernel to read OBB files from app directories. (b/17428116)
-# Kernel thread "loop0" reads a vold supplied file descriptor.
-# Fixes CTS tests:
-#  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
-#  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
-allow kernel vold:fd use;
-allow kernel { app_data_file privapp_data_file }:file read;
-allow kernel asec_image_file:file read;
-
-# Allow mounting loop device in update_engine_unittests. (b/28319454)
-# and for LTP kernel tests (b/73220071)
-userdebug_or_eng(`
-  allow kernel update_engine_data_file:file { read write };
-  allow kernel nativetest_data_file:file { read write };
-')
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow kernel media_rw_data_file:dir create_dir_perms;
-allow kernel media_rw_data_file:file create_file_perms;
-
-# Access to /data/misc/vold/virtual_disk.
-allow kernel vold_data_file:file { read write };
-
-# Allow the kernel to read APEX file descriptors and (staged) data files;
-# Needed because APEX uses the loopback driver, which issues requests from
-# a kernel thread in earlier kernel version.
-allow kernel apexd:fd use;
-allow kernel {
-  apex_data_file
-  staging_data_file
-  vendor_apex_file
-}:file read;
-# Also allow the kernel to read/write /data/local/tmp files via loop device
-# for ApexTestCases and fiemap_image_test.
-userdebug_or_eng(`
-  allow kernel shell_data_file:file { read write };
-')
-
-# Allow the first-stage init (which is running in the kernel domain) to execute the
-# dynamic linker when it re-executes /init to switch into the second stage.
-# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
-# before the domain is switched to the target domain. So, we need to allow the kernel
-# domain (the source domain) to execute the dynamic linker (system_file type).
-# TODO(b/110147943) remove these allow rules when we no longer need to support Linux
-# kernel older than 4.8.
-allow kernel system_file:file execute;
-# The label for the dynamic linker is rootfs in the recovery partition. This is because
-# the recovery partition which is rootfs does not support xattr and thus labeling can't be
-# done at build-time. All files are by default labeled as rootfs upon booting.
-recovery_only(`
-  allow kernel rootfs:file execute;
-')
-
-# required by VTS lidbm unit test
-allow kernel appdomain_tmpfs:file { read write };
-
-###
-### neverallow rules
-###
-
-# The initial task starts in the kernel domain (assigned via
-# initial_sid_contexts), but nothing ever transitions to it.
-neverallow * kernel:process { transition dyntransition };
-
-# The kernel domain is never entered via an exec, nor should it
-# ever execute a program outside the rootfs without changing to another domain.
-# If you encounter an execute_no_trans denial on the kernel domain, then
-# possible causes include:
-# - The program is a kernel usermodehelper.  In this case, define a domain
-#   for the program and domain_auto_trans() to it.
-# - You are running an exploit which switched to the init task credentials
-#   and is then trying to exec a shell or other program.  You lose!
-neverallow kernel *:file { entrypoint execute_no_trans };
-
-# the kernel should not be accessing files owned by other users.
-# Instead of adding dac_{read_search,override}, fix the unix permissions
-# on files being accessed.
-neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
-
-# Nobody should be ptracing kernel threads
-neverallow * kernel:process ptrace;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/keystore.te b/public/keystore.te
index 7e964c2..34b6c95 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -1,53 +1,7 @@
+# keystore daemon
 type keystore, domain, keystore2_key_type;
 type keystore_exec, system_file_type, exec_type, file_type;
 
-# keystore daemon
-typeattribute keystore mlstrustedsubject;
-binder_use(keystore)
-binder_service(keystore)
-binder_call(keystore, remote_provisioning_service_server)
-binder_call(keystore, system_server)
-binder_call(keystore, wificond)
-
-allow keystore keystore_data_file:dir create_dir_perms;
-allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
-allow keystore keystore_exec:file { getattr };
-
-add_service(keystore, keystore_service)
-allow keystore sec_key_att_app_id_provider_service:service_manager find;
-allow keystore dropbox_service:service_manager find;
-allow keystore remote_provisioning_service:service_manager find;
-add_service(keystore, apc_service)
-add_service(keystore, keystore_compat_hal_service)
-add_service(keystore, authorization_service)
-add_service(keystore, keystore_maintenance_service)
-add_service(keystore, keystore_metrics_service)
-add_service(keystore, legacykeystore_service)
-
-# Check SELinux permissions.
-selinux_check_access(keystore)
-
-r_dir_file(keystore, cgroup)
-r_dir_file(keystore, cgroup_v2)
-
-###
-### Neverallow rules
-###
-### Protect ourself from others
-###
-
-neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow { domain -keystore -init } keystore_data_file:dir *;
-neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
-
-# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
-neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;
-
-# The software KeyMint implementation used in km_compat needs
-# to read the vendor security patch level.
-get_prop(keystore, vendor_security_patch_level_prop);
-
-# Allow keystore to read its vendor configuration
-get_prop(keystore, keystore_config_prop)
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/keystore_keys.te b/public/keystore_keys.te
index 3c35984..370be4c 100644
--- a/public/keystore_keys.te
+++ b/public/keystore_keys.te
@@ -1,2 +1,6 @@
 # A keystore2 namespace for WI-FI.
 type wifi_key, keystore2_key_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/llkd.te b/public/llkd.te
index 1faa429..d678c3c 100644
--- a/public/llkd.te
+++ b/public/llkd.te
@@ -1,3 +1,7 @@
 # llkd Live LocK Daemon
 type llkd, domain, mlstrustedsubject;
 type llkd_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/lmkd.te b/public/lmkd.te
index de6052d..7d05b00 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -2,71 +2,6 @@
 type lmkd, domain, mlstrustedsubject;
 type lmkd_exec, system_file_type, exec_type, file_type;
 
-allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill };
-
-# lmkd locks itself in memory, to prevent it from being
-# swapped out and unable to kill other memory hogs.
-# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
-# b/16236289
-allow lmkd self:global_capability_class_set ipc_lock;
-
-## Open and write to /proc/PID/oom_score_adj and /proc/PID/timerslack_ns
-## TODO: maybe scope this down?
-r_dir_file(lmkd, domain)
-allow lmkd domain:file write;
-
-## Writes to /sys/module/lowmemorykiller/parameters/minfree
-r_dir_file(lmkd, sysfs_lowmemorykiller)
-allow lmkd sysfs_lowmemorykiller:file w_file_perms;
-
-# setsched and send kill signals to any registered process
-allow lmkd domain:process { setsched sigkill };
-# TODO: delete this line b/131761776
-allow lmkd kernel:process { setsched };
-
-# Clean up old cgroups
-allow lmkd cgroup:dir { remove_name rmdir };
-allow lmkd cgroup_v2:dir { remove_name rmdir };
-
-# Allow to read memcg stats
-allow lmkd cgroup:file r_file_perms;
-allow lmkd cgroup_v2:file r_file_perms;
-
-# Set self to SCHED_FIFO
-allow lmkd self:global_capability_class_set sys_nice;
-
-allow lmkd proc_zoneinfo:file r_file_perms;
-allow lmkd proc_vmstat:file r_file_perms;
-
-# live lock watchdog process allowed to look through /proc/
-allow lmkd domain:dir { search open read };
-allow lmkd domain:file { open read };
-
-# live lock watchdog process allowed to dump process trace and
-# reboot because orderly shutdown may not be possible.
-allow lmkd proc_sysrq:file rw_file_perms;
-
-# Read /proc/lowmemorykiller
-allow lmkd proc_lowmemorykiller:file r_file_perms;
-
-# Read /proc/meminfo
-allow lmkd proc_meminfo:file r_file_perms;
-
-# Read /proc/pressure/cpu and /proc/pressure/io
-allow lmkd proc_pressure_cpu:file r_file_perms;
-allow lmkd proc_pressure_io:file r_file_perms;
-
-# Read/Write /proc/pressure/memory
-allow lmkd proc_pressure_mem:file rw_file_perms;
-
-# Allow lmkd to connect during reinit.
-allow lmkd lmkd_socket:sock_file write;
-
-# Allow lmkd to write to statsd.
-unix_socket_send(lmkd, statsdw, statsd)
-
-### neverallow rules
-
-# never honor LD_PRELOAD
-neverallow * lmkd:process noatsecure;
-neverallow lmkd self:global_capability_class_set sys_ptrace;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/logd.te b/public/logd.te
index aaf3900..a33ebd5 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -2,78 +2,6 @@
 type logd, domain, mlstrustedsubject;
 type logd_exec, system_file_type, exec_type, file_type;
 
-# Read access to pseudo filesystems.
-r_dir_file(logd, cgroup)
-r_dir_file(logd, cgroup_v2)
-r_dir_file(logd, proc_kmsg)
-r_dir_file(logd, proc_meminfo)
-
-allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
-allow logd self:global_capability2_class_set syslog;
-allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
-allow logd kernel:system syslog_read;
-allow logd kmsg_device:chr_file { getattr w_file_perms };
-allow logd system_data_file:{ file lnk_file } r_file_perms;
-allow logd packages_list_file:file r_file_perms;
-allow logd pstorefs:dir search;
-allow logd pstorefs:file r_file_perms;
-userdebug_or_eng(`
-  # Access to /data/misc/logd/event-log-tags
-  allow logd misc_logd_file:dir r_dir_perms;
-  allow logd misc_logd_file:file rw_file_perms;
-')
-allow logd runtime_event_log_tags_file:file rw_file_perms;
-
-r_dir_file(logd, domain)
-
-allow logd kernel:system syslog_mod;
-
-control_logd(logd)
-read_runtime_log_tags(logd)
-
-allow runtime_event_log_tags_file tmpfs:filesystem associate;
-# Typically harmlessly blindly trying to access via liblog
-# event tag mapping while in the untrusted_app domain.
-# Access for that domain is controlled and gated via the
-# event log tag service (albeit at a performance penalty,
-# expected to be locally cached).
-dontaudit domain runtime_event_log_tags_file:file { map open read };
-
-# Logd sets defaults if certain properties are empty.
-set_prop(logd, logd_prop)
-
-###
-### Neverallow rules
-###
-### logd should NEVER do any of this
-
-# Block device access.
-neverallow logd dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow logd domain:process ptrace;
-
-# ... and nobody may ptrace me (except on userdebug or eng builds)
-neverallow { domain userdebug_or_eng(`-crash_dump -llkd') } logd:process ptrace;
-
-# Write to /system.
-neverallow logd system_file_type:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow logd {
-    app_data_file_type
-    system_data_file
-    packages_list_file
-    -shell_data_file # for bugreports
-}:dir_file_class_set write;
-
-# Only init is allowed to enter the logd domain via exec()
-neverallow { domain -init } logd:process transition;
-neverallow * logd:process dyntransition;
-
-# protect the event-log-tags file
-neverallow {
-  domain
-  -init
-  -logd
-} runtime_event_log_tags_file:file no_w_file_perms;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
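Review bot: Two of the removed rules do not have logd as their subject — `allow runtime_event_log_tags_file tmpfs:filesystem associate;` and `dontaudit domain runtime_event_log_tags_file:file { map open read };` — and are the easiest to lose when rules are re-homed per domain, since they belong to the type rather than to logd. If they were not carried over into the private policy, the tmpfs labeling of the event-tags file would stop compiling or, for the dontaudit, every app would start generating audit noise against that file. I cannot see the private/ side of this change, so this is a request to confirm rather than a defect I can point to. A short comment above the re-added rules, such as `# Type-scoped rules for runtime_event_log_tags_file; kept with logd because logd owns the file.`, would stop the next move from dropping them.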
diff --git a/public/logpersist.te b/public/logpersist.te
index f2e856b..2936584 100644
--- a/public/logpersist.te
+++ b/public/logpersist.te
@@ -1,35 +1,6 @@
 # android debug logging, logpersist domains
 type logpersist, domain;
 
-# logcatd is a shell script that execs logcat with various parameters.
-allow logpersist shell_exec:file rx_file_perms;
-allow logpersist logcat_exec:file rx_file_perms;
-
-###
-### Neverallow rules
-###
-### logpersist should NEVER do any of this
-
-# Block device access.
-neverallow logpersist dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow logpersist domain:process ptrace;
-
-# Write to files in /data/data or system files on /data except misc_logd_file
-neverallow logpersist { app_data_file_type system_data_file }:dir_file_class_set write;
-
-# Only init should be allowed to enter the logpersist domain via exec()
-# Following is a list of debug domains we know that transition to logpersist
-# neverallow_with_undefined_domains {
-#   domain
-#   -init       # goldfish, logcatd, raft
-#   -mmi        # bat, mtp8996, msmcobalt
-#   -system_app # Smith.apk
-# } logpersist:process transition;
-neverallow * logpersist:process dyntransition;
-
-allowxperm logpersist misc_logd_file:file ioctl {
-  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
-  FS_IOC_SETFLAGS
-};
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/mdnsd.te b/public/mdnsd.te
index ef7b065..c36f5e6 100644
--- a/public/mdnsd.te
+++ b/public/mdnsd.te
@@ -1,2 +1,6 @@
 # mdns daemon
 type mdnsd, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index a52295e..f647529 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -2,32 +2,6 @@
 type mediadrmserver, domain;
 type mediadrmserver_exec, system_file_type, exec_type, file_type;
 
-typeattribute mediadrmserver mlstrustedsubject;
-
-net_domain(mediadrmserver)
-binder_use(mediadrmserver)
-binder_call(mediadrmserver, binderservicedomain)
-binder_call(mediadrmserver, appdomain)
-binder_service(mediadrmserver)
-hal_client_domain(mediadrmserver, hal_drm)
-
-add_service(mediadrmserver, mediadrmserver_service)
-allow mediadrmserver mediaserver_service:service_manager find;
-allow mediadrmserver mediametrics_service:service_manager find;
-allow mediadrmserver processinfo_service:service_manager find;
-allow mediadrmserver surfaceflinger_service:service_manager find;
-allow mediadrmserver system_file:dir r_dir_perms;
-
-# TODO(b/80317992): remove
-binder_call(mediadrmserver, hal_omx_server)
-
-###
-### neverallow rules
-###
-
-# mediadrmserver should never execute any executable without a
-# domain transition
-neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 44786fc..0943ea3 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -3,70 +3,6 @@
 type mediaextractor_exec, system_file_type, exec_type, file_type;
 type mediaextractor_tmpfs, file_type;
 
-typeattribute mediaextractor mlstrustedsubject;
-
-binder_use(mediaextractor)
-binder_call(mediaextractor, binderservicedomain)
-binder_call(mediaextractor, appdomain)
-binder_service(mediaextractor)
-
-add_service(mediaextractor, mediaextractor_service)
-allow mediaextractor mediametrics_service:service_manager find;
-allow mediaextractor hidl_token_hwservice:hwservice_manager find;
-
-allow mediaextractor system_server:fd use;
-
-hal_client_domain(mediaextractor, hal_cas)
-hal_client_domain(mediaextractor, hal_allocator)
-
-r_dir_file(mediaextractor, cgroup)
-r_dir_file(mediaextractor, cgroup_v2)
-allow mediaextractor proc_meminfo:file r_file_perms;
-
-crash_dump_fallback(mediaextractor)
-
-# allow mediaextractor read permissions for file sources
-allow mediaextractor { sdcard_type fuse }:file { getattr read };
-allow mediaextractor media_rw_data_file:file { getattr read };
-allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
-
-# Read resources from open apk files passed over Binder
-allow mediaextractor apk_data_file:file { read getattr };
-allow mediaextractor asec_apk_file:file { read getattr };
-allow mediaextractor ringtone_file:file { read getattr };
-
-# overlay package access
-allow mediaextractor vendor_overlay_file:file { read map };
-
-# scan extractor library directory to dynamically load extractors
-allow mediaextractor system_file:dir { read open };
-
-###
-### neverallow rules
-###
-
-# mediaextractor should never execute any executable without a
-# domain transition
-neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaextractor domain:{ udp_socket rawip_socket } *;
-neverallow mediaextractor { domain userdebug_or_eng(`-su') }:tcp_socket *;
-
-# mediaextractor should not be opening /data files directly. Any files
-# it touches (with a few exceptions) need to be passed to it via a file
-# descriptor opened outside the process.
-neverallow mediaextractor {
-  data_file_type
-  userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
-  with_native_coverage(`-method_trace_data_file')
-}:file open;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 76f819e..34a1415 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -2,45 +2,6 @@
 type mediametrics, domain;
 type mediametrics_exec, system_file_type, exec_type, file_type;
 
-
-binder_use(mediametrics)
-binder_call(mediametrics, binderservicedomain)
-binder_service(mediametrics)
-
-add_service(mediametrics, mediametrics_service)
-
-allow mediametrics system_server:fd use;
-
-r_dir_file(mediametrics, cgroup)
-r_dir_file(mediametrics, cgroup_v2)
-allow mediametrics proc_meminfo:file r_file_perms;
-
-# allows interactions with dumpsys to GMScore
-allow mediametrics { app_data_file privapp_data_file }:file write;
-
-# allow access to package manager for uid->apk mapping
-allow mediametrics package_native_service:service_manager find;
-
-# Allow metrics service to send information to statsd socket.
-unix_socket_send(mediametrics, statsdw, statsd)
-
-###
-### neverallow rules
-###
-
-# mediametrics should never execute any executable without a
-# domain transition
-neverallow mediametrics { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediametrics domain:{ udp_socket rawip_socket } *;
-neverallow mediametrics { domain userdebug_or_eng(`-su') }:tcp_socket *;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
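Review bot: The `neverallow mediametrics { file_type fs_type }:file execute_no_trans;` and the two socket neverallows removed here are build-time invariants, and the hunk only shows them deleted, so please confirm the companion private/mediametrics.te change carries them verbatim and not just the allow rules. The same applies to the neverallow blocks dropped from mediaserver.te, mediaswcodec.te, netd.te, netutils_wrapper.te, postinstall.te and profman.te in this commit; netutils_wrapper.te in particular loses its only rule, `neverallow domain netutils_wrapper_exec:file execute_no_trans;`, which is what forces every caller of the wrapper through a domain transition. In netd.te the neverallow/dontaudit pairs (sys_admin, proc_net and sysfs_net dir write) should move together so the suppressed denials stay covered by a hard rule. If any of these were intentionally dropped rather than moved, the commit message should say so, because nothing at build time flags a neverallow that has simply gone missing.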
diff --git a/public/mediaprovider.te b/public/mediaprovider.te
index 24170a5..61dbf4c 100644
--- a/public/mediaprovider.te
+++ b/public/mediaprovider.te
@@ -4,3 +4,7 @@
 ###
 
 type mediaprovider, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 9b86c86..8be8627 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -3,156 +3,6 @@
 type mediaserver_exec, system_file_type, exec_type, file_type;
 type mediaserver_tmpfs, file_type;
 
-typeattribute mediaserver mlstrustedsubject;
-
-net_domain(mediaserver)
-
-r_dir_file(mediaserver, sdcard_type)
-r_dir_file(mediaserver, fuse)
-r_dir_file(mediaserver, cgroup)
-r_dir_file(mediaserver, cgroup_v2)
-
-# stat /proc/self
-allow mediaserver proc:lnk_file getattr;
-
-# open /vendor/lib/mediadrm
-allow mediaserver system_file:dir r_dir_perms;
-
-userdebug_or_eng(`
-  # ptrace to processes in the same domain for memory leak detection
-  allow mediaserver self:process ptrace;
-')
-
-binder_use(mediaserver)
-binder_call(mediaserver, binderservicedomain)
-binder_call(mediaserver, appdomain)
-binder_service(mediaserver)
-
-allow mediaserver media_data_file:dir create_dir_perms;
-allow mediaserver media_data_file:file create_file_perms;
-allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
-allow mediaserver { sdcard_type fuse }:file write;
-allow mediaserver gpu_device:chr_file rw_file_perms;
-allow mediaserver gpu_device:dir r_dir_perms;
-allow mediaserver video_device:dir r_dir_perms;
-allow mediaserver video_device:chr_file rw_file_perms;
-
-# Read resources from open apk files passed over Binder.
-allow mediaserver apk_data_file:file { read getattr };
-allow mediaserver asec_apk_file:file { read getattr };
-allow mediaserver ringtone_file:file { read getattr };
-
-# Read /data/data/com.android.providers.telephony files passed over Binder.
-allow mediaserver radio_data_file:file { read getattr };
-
-# Use pipes passed over Binder from app domains.
-allow mediaserver appdomain:fifo_file { getattr read write };
-
-allow mediaserver rpmsg_device:chr_file rw_file_perms;
-
-# Inter System processes communicate over named pipe (FIFO)
-allow mediaserver system_server:fifo_file r_file_perms;
-
-r_dir_file(mediaserver, media_rw_data_file)
-
-# Grant access to read files on appfuse.
-allow mediaserver app_fuse_file:file { read getattr };
-
-# Needed on some devices for playing DRM protected content,
-# but seems expected and appropriate for all devices.
-unix_socket_connect(mediaserver, drmserver, drmserver)
-
-# Needed on some devices for playing audio on paired BT device,
-# but seems appropriate for all devices.
-unix_socket_connect(mediaserver, bluetooth, bluetooth)
-
-# Needed for mediaserver to send information to statsd socket.
-unix_socket_send(mediaserver, statsdw, statsd)
-
-add_service(mediaserver, mediaserver_service)
-allow mediaserver activity_service:service_manager find;
-allow mediaserver appops_service:service_manager find;
-allow mediaserver audio_service:service_manager find;
-allow mediaserver audioserver_service:service_manager find;
-allow mediaserver cameraserver_service:service_manager find;
-allow mediaserver batterystats_service:service_manager find;
-allow mediaserver drmserver_service:service_manager find;
-allow mediaserver mediaextractor_service:service_manager find;
-allow mediaserver mediametrics_service:service_manager find;
-allow mediaserver media_session_service:service_manager find;
-allow mediaserver package_native_service:service_manager find;
-allow mediaserver permission_service:service_manager find;
-allow mediaserver permission_checker_service:service_manager find;
-allow mediaserver power_service:service_manager find;
-allow mediaserver processinfo_service:service_manager find;
-allow mediaserver scheduling_policy_service:service_manager find;
-allow mediaserver surfaceflinger_service:service_manager find;
-
-# for ModDrm/MediaPlayer
-allow mediaserver mediadrmserver_service:service_manager find;
-
-# For hybrid interfaces
-allow mediaserver hidl_token_hwservice:hwservice_manager find;
-
-# /oem access
-allow mediaserver oemfs:dir search;
-allow mediaserver oemfs:file r_file_perms;
-
-# /oem boot animation file
-allow mediaserver bootanim_oem_file:file r_file_perms;
-
-# /vendor apk access
-allow mediaserver vendor_app_file:file { read map getattr };
-
-use_drmservice(mediaserver)
-allow mediaserver drmserver:drmservice {
-    consumeRights
-    setPlaybackStatus
-    openDecryptSession
-    closeDecryptSession
-    initializeDecryptUnit
-    decrypt
-    finalizeDecryptUnit
-    pread
-};
-
-# only allow unprivileged socket ioctl commands
-allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
-  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow mediaserver media_rw_data_file:dir create_dir_perms;
-allow mediaserver media_rw_data_file:file create_file_perms;
-
-# Access to media in /data/preloads
-allow mediaserver preloads_media_file:file { getattr read ioctl };
-
-allow mediaserver ion_device:chr_file r_file_perms;
-allow mediaserver dmabuf_system_heap_device:chr_file r_file_perms;
-allow mediaserver dmabuf_system_secure_heap_device:chr_file r_file_perms;
-allow mediaserver hal_graphics_allocator:fd use;
-allow mediaserver hal_graphics_composer:fd use;
-allow mediaserver hal_camera:fd use;
-
-allow mediaserver system_server:fd use;
-
-# b/120491318 allow mediaserver to access void:fd
-allow mediaserver vold:fd use;
-
-# overlay package access
-allow mediaserver vendor_overlay_file:file { read getattr map };
-
-hal_client_domain(mediaserver, hal_allocator)
-
-###
-### neverallow rules
-###
-
-# mediaserver should never execute any executable without a
-# domain transition
-neverallow mediaserver { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index dc45500..4e131d3 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -1,33 +1,6 @@
 type mediaswcodec, domain;
 type mediaswcodec_exec, system_file_type, exec_type, file_type;
 
-hal_server_domain(mediaswcodec, hal_codec2)
-
-# mediaswcodec may use an input surface from a different Codec2 service or an
-# OMX service
-hal_client_domain(mediaswcodec, hal_codec2)
-hal_client_domain(mediaswcodec, hal_omx)
-
-hal_client_domain(mediaswcodec, hal_allocator)
-hal_client_domain(mediaswcodec, hal_graphics_allocator)
-
-# get aac_drc_* properties
-get_prop(mediaswcodec, aac_drc_prop)
-
-crash_dump_fallback(mediaswcodec)
-
-# mediaswcodec_server should never execute any executable without a
-# domain transition
-neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
-
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec domain:{ udp_socket rawip_socket } *;
-neverallow mediaswcodec { domain userdebug_or_eng(`-su') }:tcp_socket *;
-
-allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
-allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
-allow mediaswcodec gpu_device:chr_file rw_file_perms;
-allow mediaswcodec gpu_device:dir r_dir_perms;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/mediatranscoding.te b/public/mediatranscoding.te
index 420d038..cd4a2ac 100644
--- a/public/mediatranscoding.te
+++ b/public/mediatranscoding.te
@@ -1 +1,5 @@
 type mediatranscoding, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/modprobe.te b/public/modprobe.te
index 910aebd..6964fee 100644
--- a/public/modprobe.te
+++ b/public/modprobe.te
@@ -1,13 +1,5 @@
 type modprobe, domain;
 
-allow modprobe proc_modules:file r_file_perms;
-allow modprobe proc_cmdline:file r_file_perms;
-allow modprobe self:global_capability_class_set sys_module;
-allow modprobe kernel:key search;
-allow modprobe system_dlkm_file:dir search;
-allow modprobe system_dlkm_file:file r_file_perms;
-allow modprobe system_dlkm_file:system module_load;
-recovery_only(`
-  allow modprobe rootfs:system module_load;
-  allow modprobe rootfs:file r_file_perms;
-')
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/mtp.te b/public/mtp.te
index 4f3ce9a..165c43e 100644
--- a/public/mtp.te
+++ b/public/mtp.te
@@ -1,2 +1,6 @@
 # vpn tunneling protocol manager
 type mtp, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/net.te b/public/net.te
index aa30b62..414b5bf 100644
--- a/public/net.te
+++ b/public/net.te
@@ -3,21 +3,6 @@
 type netif, netif_type;
 type port, port_type;
 
-###
-### Domain with network access
-###
-
-# Use network sockets.
-allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
-
-# Connect to ports.
-allow netdomain port_type:tcp_socket name_connect;
-# See changes to the routing table.
-allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
-
-# Talks to netd via dnsproxyd socket.
-unix_socket_connect(netdomain, dnsproxyd, netd)
-
-# Talks to netd via fwmarkd socket.
-unix_socket_connect(netdomain, fwmarkd, netd)
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/netd.te b/public/netd.te
index 41ae9ec..bfb3059 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -2,187 +2,6 @@
 type netd, domain, mlstrustedsubject;
 type netd_exec, system_file_type, exec_type, file_type;
 
-net_domain(netd)
-# Connect to mdnsd via mdnsd socket.
-unix_socket_connect(netd, mdnsd, mdnsd)
-# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
-allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
-
-r_dir_file(netd, cgroup)
-
-allow netd system_server:fd use;
-
-allow netd self:global_capability_class_set { net_admin net_raw kill };
-# Note: fsetid is deliberately not included above. fsetid checks are
-# triggered by chmod on a directory or file owned by a group other
-# than one of the groups assigned to the current process to see if
-# the setgid bit should be cleared, regardless of whether the setgid
-# bit was even set.  We do not appear to truly need this capability
-# for netd to operate.
-dontaudit netd self:global_capability_class_set fsetid;
-
-# Allow netd to open /dev/tun, set it up and pass it to clatd
-allow netd tun_device:chr_file rw_file_perms;
-allowxperm netd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
-allow netd self:tun_socket create;
-
-allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_route_socket nlmsg_write;
-allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
-allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
-allow netd shell_exec:file rx_file_perms;
-allow netd system_file:file x_file_perms;
-not_full_treble(`allow netd vendor_file:file x_file_perms;')
-allow netd devpts:chr_file rw_file_perms;
-
-# Acquire advisory lock on /system/etc/xtables.lock. If this file doesn't
-# exist, suppress the denial.
-allow netd system_file:file lock;
-dontaudit netd system_file:dir write;
-
-# Allow netd to write to qtaguid ctrl file.
-# TODO: Add proper rules to prevent other process to access qtaguid_proc file
-# after migration complete
-allow netd proc_qtaguid_ctrl:file rw_file_perms;
-# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
-allow netd qtaguid_device:chr_file r_file_perms;
-
-r_dir_file(netd, proc_net_type)
-# For /proc/sys/net/ipv[46]/route/flush.
-allow netd proc_net_type:file rw_file_perms;
-
-# Enables PppController and interface enumeration (among others)
-allow netd sysfs:dir r_dir_perms;
-r_dir_file(netd, sysfs_net)
-
-# Allows setting interface MTU
-allow netd sysfs_net:file w_file_perms;
-
-# TODO: added to match above sysfs rule. Remove me?
-allow netd sysfs_usb:file write;
-
-r_dir_file(netd, cgroup_v2)
-
-# TODO: netd previously thought it needed these permissions to do WiFi related
-#       work.  However, after all the WiFi stuff is gone, we still need them.
-#       Why?
-allow netd self:global_capability_class_set { dac_override dac_read_search chown };
-
-# Needed to update /data/misc/net/rt_tables
-allow netd net_data_file:file create_file_perms;
-allow netd net_data_file:dir rw_dir_perms;
-allow netd self:global_capability_class_set fowner;
-
-# Needed to lock the iptables lock.
-allow netd system_file:file lock;
-
-# Allow netd to spawn dnsmasq in it's own domain
-allow netd dnsmasq:process { sigkill signal };
-
-# Allow netd to publish a binder service and make binder calls.
-binder_use(netd)
-add_service(netd, netd_service)
-add_service(netd, dnsresolver_service)
-add_service(netd, mdns_service)
-allow netd dumpstate:fifo_file  { getattr write };
-
-# Allow netd to call into the system server so it can check permissions.
-allow netd system_server:binder call;
-allow netd permission_service:service_manager find;
-
-# Allow netd to talk to the framework service which collects netd events.
-allow netd netd_listener_service:service_manager find;
-
-# Allow netd to operate on sockets that are passed to it.
-allow netd netdomain:{
-  icmp_socket
-  tcp_socket
-  udp_socket
-  rawip_socket
-  tun_socket
-} { read write getattr setattr getopt setopt };
-allow netd netdomain:fd use;
-
-# give netd permission to read and write netlink xfrm
-allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
-
-# Allow netd to register as hal server.
-add_hwservice(netd, system_net_netd_hwservice)
-hwbinder_use(netd)
-
-# AIDL hal server
-binder_call(system_net_netd_service, servicemanager)
-add_service(netd, system_net_netd_service)
-
-###
-### Neverallow rules
-###
-### netd should NEVER do any of this
-
-# Block device access.
-neverallow netd dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow netd { domain }:process ptrace;
-
-# Write to /system.
-neverallow netd system_file_type:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;
-
-# only system_server, dumpstate and network stack app may find netd service
-neverallow {
-    domain
-    -system_server
-    -dumpstate
-    -network_stack
-    -netd
-    -netutils_wrapper
-} netd_service:service_manager find;
-
-# only system_server, dumpstate and network stack app may find dnsresolver service
-neverallow {
-    domain
-    -system_server
-    -dumpstate
-    -network_stack
-    -netd
-    -netutils_wrapper
-} dnsresolver_service:service_manager find;
-
-# only system_server, dumpstate and network stack app may find mdns service
-neverallow {
-    domain
-    -system_server
-    -dumpstate
-    -network_stack
-    -netd
-    -netutils_wrapper
-} mdns_service:service_manager find;
-
-# apps may not interact with netd over binder.
-neverallow { appdomain -network_stack } netd:binder call;
-neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
-
-# If an already existing file is opened with O_CREATE, the kernel might generate
-# a false report of a create denial. Silence these denials and make sure that
-# inappropriate permissions are not granted.
-neverallow netd proc_net:dir no_w_dir_perms;
-dontaudit netd proc_net:dir write;
-
-neverallow netd sysfs_net:dir no_w_dir_perms;
-dontaudit netd sysfs_net:dir write;
-
-# Netd should not have SYS_ADMIN privs.
-neverallow netd self:capability sys_admin;
-dontaudit netd self:capability sys_admin;
-
-# Netd should not have SYS_MODULE privs, nor should it be requesting module loads
-# (things it requires should be built directly into the kernel)
-dontaudit netd self:capability sys_module;
-
-dontaudit netd appdomain:unix_stream_socket { read write };
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/netutils_wrapper.te b/public/netutils_wrapper.te
index 27aa749..d53f152 100644
--- a/public/netutils_wrapper.te
+++ b/public/netutils_wrapper.te
@@ -1,4 +1,6 @@
 type netutils_wrapper, domain;
 type netutils_wrapper_exec, system_file_type, exec_type, file_type;
 
-neverallow domain netutils_wrapper_exec:file execute_no_trans;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/network_stack.te b/public/network_stack.te
index feff664..f909be3 100644
--- a/public/network_stack.te
+++ b/public/network_stack.te
@@ -1,2 +1,6 @@
 # Network stack service app
 type network_stack, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/nfc.te b/public/nfc.te
index e3a03e7..a6e5160 100644
--- a/public/nfc.te
+++ b/public/nfc.te
@@ -1,2 +1,6 @@
 # nfc subsystem
 type nfc, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te
index db8dd1a..8a625f5 100644
--- a/public/otapreopt_chroot.te
+++ b/public/otapreopt_chroot.te
@@ -2,3 +2,7 @@
 
 # TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
 type otapreopt_chroot, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/perfetto.te b/public/perfetto.te
index cec0e6f..6da515a 100644
--- a/public/perfetto.te
+++ b/public/perfetto.te
@@ -1 +1,5 @@
 type perfetto, domain, coredomain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/performanced.te b/public/performanced.te
index d694fda..8da3b49 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -2,30 +2,6 @@
 type performanced, domain, mlstrustedsubject;
 type performanced_exec, system_file_type, exec_type, file_type;
 
-# Needed to check for app permissions.
-binder_use(performanced)
-binder_call(performanced, system_server)
-allow performanced permission_service:service_manager find;
-
-pdx_server(performanced, performance_client)
-
-# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
-allow performanced self:global_capability_class_set { setuid setgid sys_nice };
-
-# Access /proc to validate we're only affecting threads in the same thread group.
-# Performanced also shields unbound kernel threads.  It scans every task in the
-# root cpu set, but only affects the kernel threads.
-r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
-dontaudit performanced domain:dir read;
-allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
-
-# These /proc accesses only show up in permissive mode but they
-# generate a lot of noise in the log.
-userdebug_or_eng(`
-  dontaudit performanced domain:dir open;
-  dontaudit performanced domain:file { open read getattr };
-')
-
-# Access /dev/cpuset/cpuset.cpus
-r_dir_file(performanced, cgroup)
-r_dir_file(performanced, cgroup_v2)
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/platform_app.te b/public/platform_app.te
index 9b1faf0..035a3ef 100644
--- a/public/platform_app.te
+++ b/public/platform_app.te
@@ -3,3 +3,7 @@
 ###
 
 type platform_app, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/postinstall.te b/public/postinstall.te
index bcea2dc..38b120f 100644
--- a/public/postinstall.te
+++ b/public/postinstall.te
@@ -3,43 +3,6 @@
 # files needed by the specific device on your device's sepolicy directory.
 type postinstall, domain;
 
-# Allow postinstall to write to its stdout/stderr when redirected via pipes to
-# update_engine.
-allow postinstall update_engine_common:fd use;
-allow postinstall update_engine_common:fifo_file rw_file_perms;
-
-# Allow postinstall to read and execute directories and files in the same
-# mounted location.
-allow postinstall postinstall_file:file rx_file_perms;
-allow postinstall postinstall_file:lnk_file r_file_perms;
-allow postinstall postinstall_file:dir r_dir_perms;
-
-# Allow postinstall to execute the shell or other system executables.
-allow postinstall shell_exec:file rx_file_perms;
-allow postinstall system_file:file rx_file_perms;
-allow postinstall toolbox_exec:file rx_file_perms;
-
-# Allow postinstall to execute shell in recovery.
-recovery_only(`
-  allow postinstall rootfs:file rx_file_perms;
-')
-
-#
-# For OTA dexopt.
-#
-
-# Allow postinstall scripts to talk to the system server.
-binder_use(postinstall)
-binder_call(postinstall, system_server)
-
-# Need to talk to the otadexopt service.
-allow postinstall otadexopt_service:service_manager find;
-
-# Allow postinstall scripts to trigger f2fs garbage collection
-allow postinstall sysfs_fs_f2fs:file rw_file_perms;
-allow postinstall sysfs_fs_f2fs:dir r_dir_perms;
-
-# No domain other than update_engine and recovery (via update_engine_sideload)
-# should transition to postinstall, as it is only meant to run during the
-# update.
-neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/ppp.te b/public/ppp.te
index 29900ea..892b614 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -1,2 +1,6 @@
 # Point to Point Protocol daemon
 type ppp, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/priv_app.te b/public/priv_app.te
index 0761fc3..03a8c09 100644
--- a/public/priv_app.te
+++ b/public/priv_app.te
@@ -3,3 +3,7 @@
 ###
 
 type priv_app, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/prng_seeder.te b/public/prng_seeder.te
index 7438452..ae1a2c1 100644
--- a/public/prng_seeder.te
+++ b/public/prng_seeder.te
@@ -1,2 +1,6 @@
 # PRNG seeder daemon
 type prng_seeder, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/profman.te b/public/profman.te
index 85cdc1e..34ae4a1 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -2,30 +2,6 @@
 type profman, domain;
 type profman_exec, system_file_type, exec_type, file_type;
 
-allow profman user_profile_data_file:file { getattr read write lock map };
-
-# Dumping profile info opens the application APK file for pretty printing.
-allow profman asec_apk_file:file { read map };
-allow profman apk_data_file:file { getattr read map };
-allow profman apk_data_file:dir { getattr read search };
-
-allow profman oemfs:file { read map };
-# Reading an APK opens a ZipArchive, which unpack to tmpfs.
-allow profman tmpfs:file { read map };
-allow profman profman_dump_data_file:file { write map };
-
-# Allow profman to analyze profiles for the secondary dex files. These
-# are application dex files reported back to the framework when using
-# BaseDexClassLoader.
-allow profman { privapp_data_file app_data_file }:file { getattr read write lock map };
-allow profman { privapp_data_file app_data_file }:dir { getattr read search };
-
-# Allow query ART device config properties
-get_prop(profman, device_config_runtime_native_prop)
-get_prop(profman, device_config_runtime_native_boot_prop)
-
-###
-### neverallow rules
-###
-
-neverallow profman app_data_file_type:notdevfile_class_set open;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/property.te b/public/property.te
index 95e19b7..fd12d7f 100644
--- a/public/property.te
+++ b/public/property.te
@@ -76,6 +76,7 @@
 system_restricted_prop(device_config_vendor_system_native_prop)
 system_restricted_prop(device_config_vendor_system_native_boot_prop)
 system_restricted_prop(drm_forcel3_prop)
+system_restricted_prop(enable_16k_pages_prop)
 system_restricted_prop(fingerprint_prop)
 system_restricted_prop(gwp_asan_prop)
 system_restricted_prop(hal_instrumentation_prop)
@@ -343,40 +344,6 @@
     vendor_internal_prop(vendor_default_prop)
 ')
 
-typeattribute log_prop log_property_type;
-typeattribute log_tag_prop log_property_type;
-typeattribute wifi_log_prop log_property_type;
-
-allow property_type tmpfs:filesystem associate;
-
-# core_property_type should not be used for new properties or
-# device specific properties. Properties with this attribute
-# are readable to everyone, which is overly broad and should
-# be avoided.
-# New properties should have appropriate read / write access
-# control rules written.
-
-typeattribute audio_prop         core_property_type;
-typeattribute config_prop        core_property_type;
-typeattribute cppreopt_prop      core_property_type;
-typeattribute dalvik_prop        core_property_type;
-typeattribute debuggerd_prop     core_property_type;
-typeattribute debug_prop         core_property_type;
-typeattribute dhcp_prop          core_property_type;
-typeattribute dumpstate_prop     core_property_type;
-typeattribute logd_prop          core_property_type;
-typeattribute net_radio_prop     core_property_type;
-typeattribute nfc_prop           core_property_type;
-typeattribute ota_prop           core_property_type;
-typeattribute pan_result_prop    core_property_type;
-typeattribute persist_debug_prop core_property_type;
-typeattribute powerctl_prop      core_property_type;
-typeattribute radio_prop         core_property_type;
-typeattribute restorecon_prop    core_property_type;
-typeattribute shell_prop         core_property_type;
-typeattribute system_prop        core_property_type;
-typeattribute usb_prop           core_property_type;
-typeattribute vold_prop          core_property_type;
-
-typeattribute dalvik_config_prop         dalvik_config_prop_type;
-typeattribute dalvik_dynamic_config_prop dalvik_config_prop_type;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
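Review bot: The removed comment explaining that `core_property_type` is readable by everyone and must not be used for new or device-specific properties is guidance aimed at exactly the vendor policy authors this public file serves, and the hunk drops it together with the `typeattribute` lines. If the `attribute core_property_type` declaration remains in this file (it is outside the hunk), I would keep a one-line form of that warning next to it, e.g. `# core_property_type is readable by every domain; do not add new properties to it.` The replacement comment also names only allow/neverallow/dontaudit, whereas what this hunk moves out is mostly `typeattribute` plus one `allow`; if attribute assignments are also meant to live in private now, `# DO NOT ADD allow, neverallow, dontaudit, or typeattribute statements here.` would match what was actually relocated.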
diff --git a/public/radio.te b/public/radio.te
index e03b706..3762486 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -1,36 +1,6 @@
 # phone subsystem
 type radio, domain, mlstrustedsubject;
 
-net_domain(radio)
-bluetooth_domain(radio)
-binder_service(radio)
-
-# Talks to hal_telephony_server via the rild socket only for devices without full treble
-not_full_treble(`unix_socket_connect(radio, rild, hal_telephony_server)')
-
-# Data file accesses.
-allow radio radio_data_file:dir create_dir_perms;
-allow radio radio_data_file:notdevfile_class_set create_file_perms;
-allow radio radio_core_data_file:dir r_dir_perms;
-allow radio radio_core_data_file:file r_file_perms;
-
-allow radio net_data_file:dir search;
-allow radio net_data_file:file r_file_perms;
-
-add_service(radio, radio_service)
-allow radio audioserver_service:service_manager find;
-allow radio cameraserver_service:service_manager find;
-allow radio drmserver_service:service_manager find;
-allow radio mediaserver_service:service_manager find;
-allow radio nfc_service:service_manager find;
-allow radio app_api_service:service_manager find;
-allow radio system_api_service:service_manager find;
-allow radio timedetector_service:service_manager find;
-allow radio timezonedetector_service:service_manager find;
-
-# Perform HwBinder IPC.
-hwbinder_use(radio)
-hal_client_domain(radio, hal_telephony)
-
-# Used by TelephonyManager
-allow radio proc_cmdline:file r_file_perms;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/recovery.te b/public/recovery.te
index 324320b..3d3425c 100755
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -4,168 +4,6 @@
 # in neverallow rules.
 type recovery, domain;
 
-# But the allow rules are only included in the recovery policy.
-# Otherwise recovery is only allowed the domain rules.
-recovery_only(`
-  # Allow recovery to perform an update as update_engine would do.
-  typeattribute recovery update_engine_common;
-  # Recovery can use HIDL HALs in passthrough mode
-  passthrough_hal_client_domain(recovery, hal_bootctl)
-
-  # Recovery can use AIDL HALs in binder mode
-  binder_use(recovery)
-  hal_client_domain(recovery, hal_health)
-
-  allow recovery self:global_capability_class_set {
-    chown
-    dac_override
-    dac_read_search
-    fowner
-    setuid
-    setgid
-    sys_admin
-    sys_tty_config
-  };
-
-  # Run helpers from / or /system without changing domain.
-  r_dir_file(recovery, rootfs)
-  allow recovery rootfs:file execute_no_trans;
-  allow recovery system_file:file execute_no_trans;
-  allow recovery toolbox_exec:file rx_file_perms;
-
-  # Mount filesystems.
-  allow recovery rootfs:dir mounton;
-  allow recovery tmpfs:dir mounton;
-  allow recovery { fs_type enforce_debugfs_restriction(`-debugfs_type') }:filesystem ~relabelto;
-  allow recovery unlabeled:filesystem ~relabelto;
-  allow recovery contextmount_type:filesystem relabelto;
-
-  # We may be asked to set an SELinux label for a type not known to the
-  # currently loaded policy. Allow it.
-  allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
-  allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
-
-  # Get file contexts
-  allow recovery file_contexts_file:file r_file_perms;
-
-  # Write to /proc/sys/vm/drop_caches
-  allow recovery proc_drop_caches:file w_file_perms;
-
-  # Read /proc/swaps
-  allow recovery proc_swaps:file r_file_perms;
-
-  # Read kernel config through libvintf for OTA matching
-  allow recovery config_gz:file { open read getattr };
-
-  # Write to /sys/class/android_usb/android0/enable.
-  r_dir_file(recovery, sysfs_android_usb)
-  allow recovery sysfs_android_usb:file w_file_perms;
-
-  # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
-  allow recovery sysfs_devices_system_cpu:file w_file_perms;
-
-  allow recovery sysfs_batteryinfo:file r_file_perms;
-
-  # Read /sysfs/fs/ext4/features
-  r_dir_file(recovery, sysfs_fs_ext4_features)
-
-  # Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
-  # control backlight brightness.
-  allow recovery sysfs_leds:dir r_dir_perms;
-  allow recovery sysfs_leds:file rw_file_perms;
-  allow recovery sysfs_leds:lnk_file read;
-
-  allow recovery kernel:system syslog_read;
-
-  # Access /dev/usb-ffs/adb/ep0
-  allow recovery functionfs:dir search;
-  allow recovery functionfs:file rw_file_perms;
-  allowxperm recovery functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
-
-  # Access to /sys/fs/selinux/policyvers for compatibility check
-  allow recovery selinuxfs:file r_file_perms;
-
-  # Required to e.g. wipe userdata/cache.
-  allow recovery device:dir r_dir_perms;
-  allow recovery block_device:dir r_dir_perms;
-  allow recovery dev_type:blk_file rw_file_perms;
-  allowxperm recovery { userdata_block_device metadata_block_device cache_block_device }:blk_file ioctl BLKPBSZGET;
-
-  # GUI
-  allow recovery graphics_device:chr_file rw_file_perms;
-  allow recovery graphics_device:dir r_dir_perms;
-  allow recovery input_device:dir r_dir_perms;
-  allow recovery input_device:chr_file r_file_perms;
-  allow recovery tty_device:chr_file rw_file_perms;
-
-  # Create /tmp/recovery.log and execute /tmp/update_binary.
-  allow recovery tmpfs:file { create_file_perms x_file_perms };
-  allow recovery tmpfs:dir create_dir_perms;
-
-  # Manage files on /cache and /cache/recovery
-  allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
-  allow recovery { cache_file cache_recovery_file }:file create_file_perms;
-
-  # Read /sys/class/thermal/*/temp for thermal info.
-  r_dir_file(recovery, sysfs_thermal)
-
-  # Read files on /oem.
-  r_dir_file(recovery, oemfs);
-
-  # Use setfscreatecon() to label files for OTA updates.
-  allow recovery self:process setfscreate;
-
-  # Allow recovery to create a fuse filesystem, and read files from it.
-  allow recovery fuse_device:chr_file rw_file_perms;
-  allow recovery fuse:dir r_dir_perms;
-  allow recovery fuse:file r_file_perms;
-
-  wakelock_use(recovery)
-
-  # This line seems suspect, as it should not really need to
-  # set scheduling parameters for a kernel domain task.
-  allow recovery kernel:process setsched;
-
-  # These are needed to update dynamic partitions in recovery.
-  r_dir_file(recovery, sysfs_dm)
-  allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
-
-  # Allow using libfiemap/gsid directly (no binder in recovery).
-  allow recovery gsi_metadata_file_type:dir search;
-  allow recovery ota_metadata_file:dir rw_dir_perms;
-  allow recovery ota_metadata_file:file create_file_perms;
-
-  # Allow mounting /metadata for writing update states
-  allow recovery metadata_file:dir { getattr mounton };
-
-  # Recovery uses liblogwrap to write fsck logs to kmsg, liblogwrap requires devpts.
-  allow recovery devpts:chr_file rw_file_perms;
-  allow recovery kmsg_device:chr_file { getattr w_file_perms };
-')
-
-###
-### neverallow rules
-###
-
-# Recovery should never touch /data.
-#
-# In particular, if /data is encrypted, it is not accessible
-# to recovery anyway.
-#
-# For now, we only enforce write/execute restrictions, as domain.te
-# contains a number of read-only rules that apply to all
-# domains, including recovery.
-#
-# TODO: tighten this up further.
-neverallow recovery {
-   data_file_type
-   -cache_file
-   -cache_recovery_file
-  with_native_coverage(`-method_trace_data_file')
-}:file { no_w_file_perms no_x_file_perms };
-neverallow recovery {
-   data_file_type
-   -cache_file
-   -cache_recovery_file
-  with_native_coverage(`-method_trace_data_file')
-}:dir no_w_dir_perms;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
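Review bot: The neverallow block removed at the end of this hunk (the write/execute restrictions keeping recovery off data_file_type) is a build-time invariant rather than an allow rule, and nothing in the hunk shows where it lands; the matching private/recovery.te change should be checked to re-add it verbatim, because a silently dropped neverallow does not fail anything the way a missing allow fails at runtime. The same applies to the neverallow rules deleted from recovery_persist.te, recovery_refresh.te, runas.te, sdcardd.te, service.te, sgdisk.te and shell.te later in this diff; service.te is the one to verify first, since its `neverallow domain ~{ service_manager_type vndservice_manager_type }:service_manager { add find };` is the only compile-time check that a mislabeled service type cannot be registered or looked up by any domain. Separately, the index line shows public/recovery.te carries mode 100755; a policy source file has no reason to be executable, and this change is a natural place to clear the bit (`git update-index --chmod=-x public/recovery.te`).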
diff --git a/public/recovery_persist.te b/public/recovery_persist.te
index 7224e87..329d714 100644
--- a/public/recovery_persist.te
+++ b/public/recovery_persist.te
@@ -2,31 +2,6 @@
 type recovery_persist, domain;
 type recovery_persist_exec, system_file_type, exec_type, file_type;
 
-allow recovery_persist pstorefs:dir search;
-allow recovery_persist pstorefs:file r_file_perms;
-
-allow recovery_persist recovery_data_file:file create_file_perms;
-allow recovery_persist recovery_data_file:dir create_dir_perms;
-
-allow recovery_persist cache_file:dir search;
-allow recovery_persist cache_file:lnk_file read;
-allow recovery_persist cache_recovery_file:dir rw_dir_perms;
-allow recovery_persist cache_recovery_file:file { r_file_perms unlink };
-
-###
-### Neverallow rules
-###
-### recovery_persist should NEVER do any of this
-
-# Block device access.
-neverallow recovery_persist dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow recovery_persist domain:process ptrace;
-
-# Write to /system.
-neverallow recovery_persist system_file_type:dir_file_class_set write;
-
-# Write to files in /data/data
-neverallow recovery_persist { app_data_file_type system_data_file }:dir_file_class_set write;
-
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/recovery_refresh.te b/public/recovery_refresh.te
index d20cd44..10bb7be 100644
--- a/public/recovery_refresh.te
+++ b/public/recovery_refresh.te
@@ -2,23 +2,6 @@
 type recovery_refresh, domain;
 type recovery_refresh_exec, system_file_type, exec_type, file_type;
 
-allow recovery_refresh pstorefs:dir search;
-allow recovery_refresh pstorefs:file r_file_perms;
-# NB: domain inherits write_logd which hands us write to pmsg_device
-
-###
-### Neverallow rules
-###
-### recovery_refresh should NEVER do any of this
-
-# Block device access.
-neverallow recovery_refresh dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow recovery_refresh domain:process ptrace;
-
-# Write to /system.
-neverallow recovery_refresh system_file_type:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow recovery_refresh { app_data_file_type system_data_file }:dir_file_class_set write;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/rkpd_app.te b/public/rkpd_app.te
index 2aaf3b8..95b6d06 100644
--- a/public/rkpd_app.te
+++ b/public/rkpd_app.te
@@ -4,3 +4,7 @@
 ###
 
 type rkpdapp, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/rs.te b/public/rs.te
index 16b6e96..80ab39b 100644
--- a/public/rs.te
+++ b/public/rs.te
@@ -1,2 +1,6 @@
 type rs, domain, coredomain;
 type rs_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/rss_hwm_reset.te b/public/rss_hwm_reset.te
index 163e1ac..7428a5b 100644
--- a/public/rss_hwm_reset.te
+++ b/public/rss_hwm_reset.te
@@ -1,2 +1,6 @@
 # rss_hwm_reset resets RSS high-water mark counters for all procesess.
 type rss_hwm_reset, domain, coredomain, mlstrustedsubject;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/runas.te b/public/runas.te
index 356a019..2ecf9b0 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -1,43 +1,6 @@
 type runas, domain, mlstrustedsubject;
 type runas_exec, system_file_type, exec_type, file_type;
 
-allow runas adbd:fd use;
-allow runas adbd:process sigchld;
-allow runas adbd:unix_stream_socket { read write };
-allow runas shell:fd use;
-allow runas shell:fifo_file { read write };
-allow runas shell:unix_stream_socket { read write };
-allow runas devpts:chr_file { read write ioctl };
-allow runas shell_data_file:file { read write };
-
-# run-as reads package information.
-allow runas system_data_file:file r_file_perms;
-allow runas system_data_file:lnk_file getattr;
-allow runas packages_list_file:file r_file_perms;
-
-# The app's data dir may be accessed through a symlink.
-allow runas system_data_file:lnk_file read;
-
-# run-as checks and changes to the app data dir.
-dontaudit runas self:global_capability_class_set { dac_override dac_read_search };
-allow runas app_data_file:dir { getattr search };
-
-# run-as switches to the app UID/GID.
-allow runas self:global_capability_class_set { setuid setgid };
-
-# run-as switches to the app security context.
-selinux_check_context(runas) # validate context
-allow runas self:process setcurrent;
-allow runas non_system_app_set:process dyntransition; # setcon
-
-# runas/libselinux needs access to seapp_contexts_file to
-# determine which domain to transition to.
-allow runas seapp_contexts_file:file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
-neverallow runas self:global_capability_class_set ~{ setuid setgid };
-neverallow runas self:global_capability2_class_set *;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/runas_app.te b/public/runas_app.te
index cdaa799..b160a87 100644
--- a/public/runas_app.te
+++ b/public/runas_app.te
@@ -1 +1,5 @@
 type runas_app, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 220e7d0..b7329ae 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -1,46 +1,6 @@
 type sdcardd, domain;
 type sdcardd_exec, system_file_type, exec_type, file_type;
 
-allow sdcardd cgroup:dir create_dir_perms;
-allow sdcardd cgroup_v2:dir create_dir_perms;
-allow sdcardd fuse_device:chr_file rw_file_perms;
-allow sdcardd rootfs:dir mounton;  # TODO: deprecated in M
-allow sdcardd sdcardfs:filesystem remount;
-allow sdcardd tmpfs:dir r_dir_perms;
-allow sdcardd mnt_media_rw_file:dir r_dir_perms;
-allow sdcardd storage_file:dir search;
-allow sdcardd storage_stub_file:dir { search mounton };
-allow sdcardd { sdcard_type fuse }:filesystem { mount unmount };
-allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
-
-allow sdcardd { sdcard_type fuse }:dir create_dir_perms;
-allow sdcardd { sdcard_type fuse }:file create_file_perms;
-
-allow sdcardd media_rw_data_file:dir create_dir_perms;
-allow sdcardd media_rw_data_file:file create_file_perms;
-
-# Read /data/system/packages.list.
-allow sdcardd system_data_file:file r_file_perms;
-allow sdcardd packages_list_file:file r_file_perms;
-
-# Read /data/misc/installd/layout_version
-allow sdcardd install_data_file:file r_file_perms;
-allow sdcardd install_data_file:dir search;
-
-# Allow stdin/out back to vold
-allow sdcardd vold:fd use;
-allow sdcardd vold:fifo_file { read write getattr };
-
-# Allow running on top of expanded storage
-allow sdcardd mnt_expand_file:dir search;
-
-# access /proc/filesystems
-allow sdcardd proc_filesystems:file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# The sdcard daemon should no longer be started from init
-neverallow init sdcardd_exec:file execute;
-neverallow init sdcardd:process { transition dyntransition };
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/secure_element.te b/public/secure_element.te
index 4ce6714..26900cd 100644
--- a/public/secure_element.te
+++ b/public/secure_element.te
@@ -1,2 +1,6 @@
 # secure_element subsystem
 type secure_element, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/service.te b/public/service.te
index a6f854a..e055b4e 100644
--- a/public/service.te
+++ b/public/service.te
@@ -355,11 +355,6 @@
 type hal_wifi_supplicant_service, protected_service, hal_service_type, service_manager_type;
 type hal_gatekeeper_service, protected_service, hal_service_type, service_manager_type;
 
-###
-### Neverallow rules
-###
-
-# servicemanager handles registering or looking up named services.
-# It does not make sense to register or lookup something which is not a service.
-# Trigger a compile error if this occurs.
-neverallow domain ~{ service_manager_type vndservice_manager_type }:service_manager { add find };
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 58153f7..3409993 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -2,38 +2,6 @@
 type servicemanager, domain, mlstrustedsubject;
 type servicemanager_exec, system_file_type, exec_type, file_type;
 
-# Note that we do not use the binder_* macros here.
-# servicemanager is unique in that it only provides
-# name service (aka context manager) for Binder.
-# As such, it only ever receives and transfers other references
-# created by other domains.  It never passes its own references
-# or initiates a Binder IPC.
-allow servicemanager self:binder set_context_mgr;
-allow servicemanager {
-  domain
-  -init
-  -vendor_init
-  -hwservicemanager
-  -vndservicemanager
-}:binder transfer;
-
-allow servicemanager service_contexts_file:file r_file_perms;
-
-allow servicemanager vendor_service_contexts_file:file r_file_perms;
-
-# nonplat_service_contexts only accessible on non full-treble devices
-not_full_treble(`allow servicemanager vendor_service_contexts_file:file r_file_perms;')
-
-add_service(servicemanager, service_manager_service)
-allow servicemanager dumpstate:fd use;
-allow servicemanager dumpstate:fifo_file write;
-
-# Check SELinux permissions.
-selinux_check_access(servicemanager)
-
-allow servicemanager kmsg_device:chr_file rw_file_perms;
-
-recovery_only(`
-  # Read VINTF files.
-  r_dir_file(servicemanager, rootfs)
-')
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/sgdisk.te b/public/sgdisk.te
index e5a9152..c4468e2 100644
--- a/public/sgdisk.te
+++ b/public/sgdisk.te
@@ -2,35 +2,6 @@
 type sgdisk, domain;
 type sgdisk_exec, system_file_type, exec_type, file_type;
 
-# Allowed to read/write low-level partition tables
-allow sgdisk block_device:dir search;
-allow sgdisk vold_device:blk_file rw_file_perms;
-# HDIO_GETGEO needed to get the number of disk heads
-# on vold_device. How quaint.
-allowxperm sgdisk vold_device:blk_file ioctl { HDIO_GETGEO };
-# sgdisk also uses BLKGETSIZE and BLKGETSIZE64. BLKGETSIZE64
-# is granted to all block device users in domain.te, so
-# no need to mention it here. sgdisk should not be
-# using the BLKGETSIZE ioctl as it is useless for devices over
-# 2T in size, but we allow it for now and hope that sgdisk
-# will fix their bug.
-allowxperm sgdisk vold_device:blk_file ioctl { BLKGETSIZE };
-# Force a re-read of the partition table.
-allowxperm sgdisk vold_device:blk_file ioctl { BLKRRPART };
-# Allow reading of the physical block size.
-allowxperm sgdisk vold_device:blk_file ioctl { BLKPBSZGET };
-
-# Inherit and use pty created by android_fork_execvp()
-allow sgdisk devpts:chr_file { read write ioctl getattr };
-
-# Allow stdin/out back to vold
-allow sgdisk vold:fd use;
-allow sgdisk vold:fifo_file { read write getattr };
-
-# Used to probe kernel to reload partition tables
-allow sgdisk self:global_capability_class_set sys_admin;
-
-# Only allow entry from vold
-neverallow { domain -vold } sgdisk:process transition;
-neverallow * sgdisk:process dyntransition;
-neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 6dd5bd7..fdee99f 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
@@ -1,2 +1,6 @@
 # Process which creates/updates shared RELRO files to be used by other apps.
 type shared_relro, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/shell.te b/public/shell.te
index d4d13e3..189976d 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -2,236 +2,6 @@
 type shell, domain, mlstrustedsubject;
 type shell_exec, system_file_type, exec_type, file_type;
 
-# Create and use network sockets.
-net_domain(shell)
-
-# logcat
-read_logd(shell)
-control_logd(shell)
-get_prop(shell, logd_prop)
-# logcat -L (directly, or via dumpstate)
-allow shell pstorefs:dir search;
-allow shell pstorefs:file r_file_perms;
-
-# Root fs.
-allow shell rootfs:dir r_dir_perms;
-
-# read files in /data/anr
-allow shell anr_data_file:dir r_dir_perms;
-allow shell anr_data_file:file r_file_perms;
-
-# Access /data/local/tmp.
-allow shell shell_data_file:dir create_dir_perms;
-allow shell shell_data_file:file create_file_perms;
-allow shell shell_data_file:file rx_file_perms;
-allow shell shell_data_file:lnk_file create_file_perms;
-
-# Access /data/local/tests.
-allow shell shell_test_data_file:dir create_dir_perms;
-allow shell shell_test_data_file:file create_file_perms;
-allow shell shell_test_data_file:file rx_file_perms;
-allow shell shell_test_data_file:lnk_file create_file_perms;
-allow shell shell_test_data_file:sock_file create_file_perms;
-
-# Read and delete from /data/local/traces.
-allow shell trace_data_file:file { r_file_perms unlink };
-allow shell trace_data_file:dir { r_dir_perms remove_name write };
-
-# Access /data/misc/profman.
-allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
-allow shell profman_dump_data_file:file { unlink r_file_perms };
-
-# Read/execute files in /data/nativetest
-userdebug_or_eng(`
-  allow shell nativetest_data_file:dir r_dir_perms;
-  allow shell nativetest_data_file:file rx_file_perms;
-')
-
-# adb bugreport
-unix_socket_connect(shell, dumpstate, dumpstate)
-
-allow shell devpts:chr_file rw_file_perms;
-allow shell tty_device:chr_file rw_file_perms;
-allow shell console_device:chr_file rw_file_perms;
-
-allow shell input_device:dir r_dir_perms;
-allow shell input_device:chr_file r_file_perms;
-
-r_dir_file(shell, system_file)
-allow shell system_file:file x_file_perms;
-allow shell toolbox_exec:file rx_file_perms;
-allow shell shell_exec:file rx_file_perms;
-allow shell zygote_exec:file rx_file_perms;
-
-userdebug_or_eng(`
-  # "systrace --boot" support - allow boottrace service to run
-  allow shell boottrace_data_file:dir rw_dir_perms;
-  allow shell boottrace_data_file:file create_file_perms;
-')
-
-# allow shell access to services
-allow shell servicemanager:service_manager list;
-# don't allow shell to access GateKeeper service
-# TODO: why is this so broad? Tightening candidate? It needs at list:
-# - dumpstate_service (so it can receive dumpstate progress updates)
-allow shell {
-  service_manager_type
-  -apex_service
-  -dnsresolver_service
-  -gatekeeper_service
-  -hal_keymint_service
-  -hal_secureclock_service
-  -hal_sharedsecret_service
-  -incident_service
-  -installd_service
-  -mdns_service
-  -netd_service
-  -system_suspend_control_internal_service
-  -system_suspend_control_service
-  -virtual_touchpad_service
-  -vold_service
-  -default_android_service
-}:service_manager find;
-allow shell dumpstate:binder call;
-
-# allow shell to get information from hwservicemanager
-# for instance, listing hardware services with lshal
-hwbinder_use(shell)
-allow shell hwservicemanager:hwservice_manager list;
-
-# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
-r_dir_file(shell, proc_net_type)
-
-allow shell {
-  proc_asound
-  proc_filesystems
-  proc_interrupts
-  proc_loadavg # b/124024827
-  proc_meminfo
-  proc_modules
-  proc_pid_max
-  proc_slabinfo
-  proc_stat
-  proc_timer
-  proc_uptime
-  proc_version
-  proc_vmstat
-  proc_zoneinfo
-}:file r_file_perms;
-
-# allow listing network interfaces under /sys/class/net.
-allow shell sysfs_net:dir r_dir_perms;
-
-r_dir_file(shell, cgroup)
-allow shell cgroup_desc_file:file r_file_perms;
-allow shell cgroup_desc_api_file:file r_file_perms;
-allow shell vendor_cgroup_desc_file:file r_file_perms;
-r_dir_file(shell, cgroup_v2)
-allow shell domain:dir { search open read getattr };
-allow shell domain:{ file lnk_file } { open read getattr };
-
-# statvfs() of /proc and other labeled filesystems
-# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
-allow shell { proc labeledfs }:filesystem getattr;
-
-# stat() of /dev
-allow shell device:dir getattr;
-
-# allow shell to read /proc/pid/attr/current for ps -Z
-allow shell domain:process getattr;
-
-# Allow pulling the SELinux policy for CTS purposes
-allow shell selinuxfs:dir r_dir_perms;
-allow shell selinuxfs:file r_file_perms;
-
-# enable shell domain to read/write files/dirs for bootchart data
-# User will creates the start and stop file via adb shell
-# and read other files created by init process under /data/bootchart
-allow shell bootchart_data_file:dir rw_dir_perms;
-allow shell bootchart_data_file:file create_file_perms;
-
-# Make sure strace works for the non-privileged shell user
-allow shell self:process ptrace;
-
-# allow shell to get battery info
-allow shell sysfs:dir r_dir_perms;
-allow shell sysfs_batteryinfo:dir r_dir_perms;
-allow shell sysfs_batteryinfo:file r_file_perms;
-
-# Allow access to ion memory allocation device.
-allow shell ion_device:chr_file rw_file_perms;
-
-#
-# filesystem test for insecure chr_file's is done
-# via a host side test
-#
-allow shell dev_type:dir r_dir_perms;
-allow shell dev_type:chr_file getattr;
-
-# /dev/fd is a symlink
-allow shell proc:lnk_file getattr;
-
-#
-# filesystem test for insucre blk_file's is done
-# via hostside test
-#
-allow shell dev_type:blk_file getattr;
-
-# read selinux policy files
-allow shell file_contexts_file:file r_file_perms;
-allow shell property_contexts_file:file r_file_perms;
-allow shell seapp_contexts_file:file r_file_perms;
-allow shell service_contexts_file:file r_file_perms;
-allow shell sepolicy_file:file r_file_perms;
-
-# Allow shell to start up vendor shell
-allow shell vendor_shell_exec:file rx_file_perms;
-
-# Everything is labeled as rootfs in recovery mode. Allow shell to
-# execute them.
-recovery_only(`
-  allow shell rootfs:file rx_file_perms;
-')
-
-###
-### Neverallow rules
-###
-
-# Do not allow shell to talk directly to security HAL services other than
-# hal_remotelyprovisionedcomponent_service
-neverallow shell {
-  hal_keymint_service
-  hal_secureclock_service
-  hal_sharedsecret_service
-}:service_manager find;
-
-# Do not allow shell to hard link to any files.
-# In particular, if shell hard links to app data
-# files, installd will not be able to guarantee the deletion
-# of the linked to file. Hard links also contribute to security
-# bugs, so we want to ensure the shell user never has this
-# capability.
-neverallow shell file_type:file link;
-
-# Do not allow privileged socket ioctl commands
-neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-
-# limit shell access to sensitive char drivers to
-# only getattr required for host side test.
-neverallow shell {
-  fuse_device
-  hw_random_device
-  port_device
-}:chr_file ~getattr;
-
-# Limit shell to only getattr on blk devices for host side tests.
-neverallow shell dev_type:blk_file ~getattr;
-
-# b/30861057: Shell access to existing input devices is an abuse
-# vector. The shell user can inject events that look like they
-# originate from the touchscreen etc.
-# Everyone should have already moved to UiAutomation#injectInputEvent
-# if they are running instrumentation tests (i.e. CTS), Monkey for
-# their stress tests, and the input command (adb shell input ...) for
-# injecting swipes and things.
-neverallow shell input_device:chr_file no_w_file_perms;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/simpleperf.te b/public/simpleperf.te
index 218fee7..c13d241 100644
--- a/public/simpleperf.te
+++ b/public/simpleperf.te
@@ -1 +1,5 @@
 type simpleperf, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/simpleperf_app_runner.te b/public/simpleperf_app_runner.te
index 3719d9f..f2a6172 100644
--- a/public/simpleperf_app_runner.te
+++ b/public/simpleperf_app_runner.te
@@ -1,2 +1,6 @@
 type simpleperf_app_runner, domain, mlstrustedsubject;
 type simpleperf_app_runner_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/slideshow.te b/public/slideshow.te
index 10fbbb8..4ead98c 100644
--- a/public/slideshow.te
+++ b/public/slideshow.te
@@ -2,13 +2,6 @@
 # it lives in the rootfs and has no unique file type.
 type slideshow, domain;
 
-allow slideshow kmsg_device:chr_file rw_file_perms;
-wakelock_use(slideshow)
-allow slideshow device:dir r_dir_perms;
-allow slideshow self:global_capability_class_set sys_tty_config;
-allow slideshow graphics_device:dir r_dir_perms;
-allow slideshow graphics_device:chr_file rw_file_perms;
-allow slideshow input_device:dir r_dir_perms;
-allow slideshow input_device:chr_file r_file_perms;
-allow slideshow tty_device:chr_file rw_file_perms;
-
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/statsd.te b/public/statsd.te
index 71597cc..52f4132 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -1,100 +1,6 @@
 type statsd, domain, mlstrustedsubject;
-
 type statsd_exec, system_file_type, exec_type, file_type;
-binder_use(statsd)
 
-# Allow statsd to scan through /proc/pid for all processes.
-r_dir_file(statsd, domain)
-
-# Allow executing files on system, such as running a shell or running:
-#   /system/bin/toolbox
-#   /system/bin/logcat
-#   /system/bin/dumpsys
-allow statsd devpts:chr_file { getattr ioctl read write };
-allow statsd shell_exec:file rx_file_perms;
-allow statsd system_file:file execute_no_trans;
-allow statsd toolbox_exec:file rx_file_perms;
-
-userdebug_or_eng(`
-  allow statsd su:fifo_file read;
-')
-
-# Create, read, and write into
-#   /data/misc/stats-active-metric
-#   /data/misc/stats-data
-#   /data/misc/stats-metadata
-#   /data/misc/stats-service
-#   /data/misc/train-info
-allow statsd stats_data_file:dir create_dir_perms;
-allow statsd stats_data_file:file create_file_perms;
-allow statsd stats_config_data_file:dir create_dir_perms;
-allow statsd stats_config_data_file:file create_file_perms;
-
-# Allow statsd to make binder calls to any binder service.
-binder_call(statsd, appdomain)
-binder_call(statsd, incidentd)
-binder_call(statsd, system_server)
-binder_call(statsd, traced_probes)
-
-# Allow statsd to interact with gpuservice
-allow statsd gpu_service:service_manager find;
-binder_call(statsd, gpuservice)
-
-# Allow statsd to interact with keystore to pull atoms
-allow statsd keystore_service:service_manager find;
-binder_call(statsd, keystore)
-
-# Allow statsd to interact with mediametrics
-allow statsd mediametrics_service:service_manager find;
-binder_call(statsd, mediametrics)
-
-# Allow statsd to interact with mediametrics
-allow statsd mediaserver_service:service_manager find;
-binder_call(statsd, mediaserver)
-
-# Allow logd access.
-read_logd(statsd)
-control_logd(statsd)
-
-# Grant statsd with permissions to register the services.
-allow statsd {
-  app_api_service
-  incident_service
-  system_api_service
-}:service_manager find;
-
-# Grant statsd to access health hal to access battery metrics.
-allow statsd hal_health_hwservice:hwservice_manager find;
-
-# Allow statsd to send dump info to dumpstate
-allow statsd dumpstate:fd use;
-allow statsd dumpstate:fifo_file { getattr write };
-
-# Allow access to with hardware layer and process stats.
-allow statsd proc_uid_cputime_showstat:file { getattr open read };
-hal_client_domain(statsd, hal_health)
-hal_client_domain(statsd, hal_power)
-hal_client_domain(statsd, hal_power_stats)
-hal_client_domain(statsd, hal_thermal)
-
-# Allow 'adb shell cmd' to upload configs and download output.
-allow statsd adbd:fd use;
-allow statsd adbd:unix_stream_socket { getattr read write };
-allow statsd shell:fifo_file { getattr read write };
-
-unix_socket_send(statsd, statsdw, statsd)
-
-###
-### neverallow rules
-###
-
-# Only statsd and the other root services in limited circumstances.
-# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
-# Other services are prohibitted from accessing the file.
-neverallow { domain -statsd -init -vold } stats_data_file:file *;
-neverallow { domain -statsd -system_server -init -vold } stats_config_data_file:file *;
-
-
-# Limited access to the directory itself.
-neverallow { domain -statsd -init -vold } stats_data_file:dir *;
-neverallow { domain -statsd -system_server -init -vold } stats_config_data_file:dir *;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
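Review bot: Nothing on the new side of this hunk preserves the `neverallow { domain -statsd -init -vold } stats_data_file:file *;` family of assertions that the old side removes, so their continued existence depends entirely on the private/statsd.te side of this change, which is not visible here; please confirm they are re-declared there verbatim in the same commit rather than in a follow-up. A neverallow is checked at policy compile time against the merged policy, so re-declaring it under private/ should keep the same guarantee, but a gap between the two commits would leave the stats data directories without the restriction. The same check applies to the power_debug_prop neverallow dropped from public/system_server.te, the process transition/dyntransition/entrypoint neverallows dropped from public/toolbox.te, and the blk_file, port_device, ptrace and execute_no_trans neverallows dropped from public/ueventd.te in this diff. Consider adding a note to the commit description pointing at the private/ files that now carry these assertions, so a later reader of public/ does not assume they were deliberately dropped.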
diff --git a/public/su.te b/public/su.te
index a893cdb..6936f67 100644
--- a/public/su.te
+++ b/public/su.te
@@ -8,105 +8,6 @@
 # File types must be defined for file_contexts.
 type su_exec, system_file_type, exec_type, file_type;
 
-userdebug_or_eng(`
-  typeattribute su mlstrustedsubject;
-
-  # Add su to various domains
-  net_domain(su)
-
-  # grant su access to vndbinder
-  vndbinder_use(su)
-
-  dontaudit su self:capability_class_set *;
-  dontaudit su self:capability2 *;
-  dontaudit su kernel:security *;
-  dontaudit su { kernel file_type }:system *;
-  dontaudit su self:memprotect *;
-  dontaudit su domain:anon_inode *;
-  dontaudit su domain:{ process process2 } *;
-  dontaudit su domain:fd *;
-  dontaudit su domain:dir *;
-  dontaudit su domain:lnk_file *;
-  dontaudit su domain:{ fifo_file file } *;
-  dontaudit su domain:socket_class_set *;
-  dontaudit su domain:ipc_class_set *;
-  dontaudit su domain:key *;
-  dontaudit su {fs_type fusefs_type}:filesystem *;
-  dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
-  dontaudit su node_type:node *;
-  dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
-  dontaudit su netif_type:netif *;
-  dontaudit su port_type:socket_class_set *;
-  dontaudit su port_type:{ tcp_socket dccp_socket } *;
-  dontaudit su domain:peer *;
-  dontaudit su domain:binder *;
-  dontaudit su property_type:property_service *;
-  dontaudit su property_type:file *;
-  dontaudit su service_manager_type:service_manager *;
-  dontaudit su hwservice_manager_type:hwservice_manager *;
-  dontaudit su vndservice_manager_type:service_manager *;
-  dontaudit su servicemanager:service_manager list;
-  dontaudit su hwservicemanager:hwservice_manager list;
-  dontaudit su vndservicemanager:service_manager list;
-  dontaudit su keystore:keystore2 *;
-  dontaudit su domain:drmservice *;
-  dontaudit su unlabeled:filesystem *;
-  dontaudit su postinstall_file:filesystem *;
-  dontaudit su domain:bpf *;
-  dontaudit su unlabeled:vsock_socket *;
-  dontaudit su self:perf_event *;
-
-  # VTS tests run in the permissive su domain on debug builds, but the HALs
-  # being tested run in enforcing mode. Because hal_foo_server is enforcing
-  # su needs to be declared as hal_foo_client to grant hal_foo_server
-  # permission to interact with it.
-  typeattribute su halclientdomain;
-  typeattribute su hal_allocator_client;
-  typeattribute su hal_atrace_client;
-  typeattribute su hal_audio_client;
-  typeattribute su hal_authsecret_client;
-  typeattribute su hal_bluetooth_client;
-  typeattribute su hal_bootctl_client;
-  typeattribute su hal_camera_client;
-  typeattribute su hal_configstore_client;
-  typeattribute su hal_confirmationui_client;
-  typeattribute su hal_contexthub_client;
-  typeattribute su hal_drm_client;
-  typeattribute su hal_cas_client;
-  typeattribute su hal_dumpstate_client;
-  typeattribute su hal_fingerprint_client;
-  typeattribute su hal_gatekeeper_client;
-  typeattribute su hal_gnss_client;
-  typeattribute su hal_graphics_allocator_client;
-  typeattribute su hal_graphics_composer_client;
-  typeattribute su hal_health_client;
-  typeattribute su hal_input_classifier_client;
-  typeattribute su hal_ir_client;
-  typeattribute su hal_keymaster_client;
-  typeattribute su hal_light_client;
-  typeattribute su hal_memtrack_client;
-  typeattribute su hal_neuralnetworks_client;
-  typeattribute su hal_nfc_client;
-  typeattribute su hal_oemlock_client;
-  typeattribute su hal_power_client;
-  typeattribute su hal_rebootescrow_client;
-  typeattribute su hal_secretkeeper_client;
-  typeattribute su hal_secure_element_client;
-  typeattribute su hal_sensors_client;
-  typeattribute su hal_telephony_client;
-  typeattribute su hal_tetheroffload_client;
-  typeattribute su hal_thermal_client;
-  typeattribute su hal_tv_cec_client;
-  typeattribute su hal_tv_hdmi_cec_client;
-  typeattribute su hal_tv_hdmi_connection_client;
-  typeattribute su hal_tv_hdmi_earc_client;
-  typeattribute su hal_tv_input_client;
-  typeattribute su hal_tv_tuner_client;
-  typeattribute su hal_usb_client;
-  typeattribute su hal_vibrator_client;
-  typeattribute su hal_vr_client;
-  typeattribute su hal_weaver_client;
-  typeattribute su hal_wifi_client;
-  typeattribute su hal_wifi_hostapd_client;
-  typeattribute su hal_wifi_supplicant_client;
-')
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/surfaceflinger.te b/public/surfaceflinger.te
index c1e4844..531b3da 100644
--- a/public/surfaceflinger.te
+++ b/public/surfaceflinger.te
@@ -1,3 +1,7 @@
 # surfaceflinger - display compositor service
 type surfaceflinger, domain;
 type surfaceflinger_tmpfs, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/system_app.te b/public/system_app.te
index 023058e..8e1d5dc 100644
--- a/public/system_app.te
+++ b/public/system_app.te
@@ -5,3 +5,7 @@
 ###
 
 type system_app, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/system_server.te b/public/system_server.te
index cb7f288..55b163b 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -5,14 +5,6 @@
 type system_server, domain;
 type system_server_tmpfs, file_type, mlstrustedobject;
 
-# Power controls for debugging/diagnostics
-get_prop(system_server, power_debug_prop)
-set_prop(system_server, power_debug_prop)
-
-neverallow {
-  domain
-  -init
-  -vendor_init
-  -system_server
-  -shell
-} power_debug_prop:property_service set;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/tee.te b/public/tee.te
index 0f9b32d..a310d94 100644
--- a/public/tee.te
+++ b/public/tee.te
@@ -6,6 +6,6 @@
 # Device(s) for communicating with the TEE
 type tee_device, dev_type;
 
-allow tee fingerprint_vendor_data_file:dir rw_dir_perms;
-allow tee fingerprint_vendor_data_file:file create_file_perms;
-
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/tombstoned.te b/public/tombstoned.te
index ea2abbb..bc57219 100644
--- a/public/tombstoned.te
+++ b/public/tombstoned.te
@@ -2,16 +2,6 @@
 type tombstoned, domain, mlstrustedsubject;
 type tombstoned_exec, system_file_type, exec_type, file_type;
 
-# Write to arbitrary pipes given to us.
-allow tombstoned domain:fd use;
-allow tombstoned domain:fifo_file write;
-
-allow tombstoned domain:dir r_dir_perms;
-allow tombstoned domain:file r_file_perms;
-allow tombstoned tombstone_data_file:dir rw_dir_perms;
-allow tombstoned tombstone_data_file:file { create_file_perms link };
-
-# Changes for the new stack dumping mechanism. Each trace goes into a
-# separate file, and these files are managed by tombstoned.
-allow tombstoned anr_data_file:dir rw_dir_perms;
-allow tombstoned anr_data_file:file { append create getattr open link unlink };
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/toolbox.te b/public/toolbox.te
index 3705a92..47411bb 100644
--- a/public/toolbox.te
+++ b/public/toolbox.te
@@ -3,30 +3,6 @@
 type toolbox, domain;
 type toolbox_exec, system_file_type, exec_type, file_type;
 
-# /dev/__null__ created by init prior to policy load,
-# open fd inherited by fsck.
-allow toolbox tmpfs:chr_file { read write ioctl };
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow toolbox devpts:chr_file { read write getattr ioctl };
-
-# mkswap-specific.
-# Read/write block devices used for swap partitions.
-# Assign swap_block_device type any such partition in your
-# device/<vendor>/<product>/sepolicy/file_contexts file.
-allow toolbox block_device:dir search;
-allow toolbox swap_block_device:blk_file rw_file_perms;
-
-# Only allow entry from init via the toolbox binary.
-neverallow { domain -init } toolbox:process transition;
-neverallow * toolbox:process dyntransition;
-neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
-
-# rm -rf /data/per_boot
-allow toolbox system_data_root_file:dir { remove_name write };
-allow toolbox system_data_file:dir { rmdir rw_dir_perms };
-allow toolbox system_data_file:file { getattr unlink };
-
-# chattr +F /data/media in init
-allow toolbox media_userdir_file:dir { r_dir_perms setattr };
-allowxperm toolbox media_userdir_file:dir ioctl { FS_IOC_SETFLAGS FS_IOC_GETFLAGS };
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/traced.te b/public/traced.te
index 48da0d8..79c21ba 100644
--- a/public/traced.te
+++ b/public/traced.te
@@ -1,4 +1,6 @@
 type traced, domain, coredomain, mlstrustedsubject;
 type traced_tmpfs, file_type;
 
-
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/traced_perf.te b/public/traced_perf.te
index f9a0324..99d4a14 100644
--- a/public/traced_perf.te
+++ b/public/traced_perf.te
@@ -1 +1,5 @@
 type traced_perf, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/traced_probes.te b/public/traced_probes.te
index 3e587c8..bc782a8 100644
--- a/public/traced_probes.te
+++ b/public/traced_probes.te
@@ -1 +1,5 @@
 type traced_probes, domain, coredomain, mlstrustedsubject;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 22f6c3b..04df12f 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -1,26 +1,5 @@
 type traceur_app, domain;
 
-allow traceur_app servicemanager:service_manager list;
-allow traceur_app hwservicemanager:hwservice_manager list;
-
-allow traceur_app {
-  service_manager_type
-  -apex_service
-  -dnsresolver_service
-  -gatekeeper_service
-  -incident_service
-  -installd_service
-  -lpdump_service
-  -mdns_service
-  -netd_service
-  -virtual_touchpad_service
-  -vold_service
-  -default_android_service
-}:service_manager find;
-
-# Allow traceur_app to use atrace HAL
-hal_client_domain(traceur_app, hal_atrace)
-
-dontaudit traceur_app service_manager_type:service_manager find;
-dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
-dontaudit traceur_app domain:binder call;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/ueventd.te b/public/ueventd.te
index 3135a7f..e0bd5ca 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -3,87 +3,6 @@
 type ueventd, domain;
 type ueventd_tmpfs, file_type;
 
-# Write to /dev/kmsg.
-allow ueventd kmsg_device:chr_file rw_file_perms;
-
-allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
-allow ueventd device:file create_file_perms;
-
-r_dir_file(ueventd, rootfs)
-
-# ueventd needs write access to files in /sys to regenerate uevents
-allow ueventd sysfs_type:file w_file_perms;
-r_dir_file(ueventd, sysfs_type)
-allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
-allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
-allow ueventd tmpfs:chr_file rw_file_perms;
-allow ueventd dev_type:dir create_dir_perms;
-allow ueventd dev_type:lnk_file { create unlink };
-allow ueventd dev_type:chr_file { getattr create setattr unlink };
-allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
-allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow ueventd efs_file:dir search;
-allow ueventd efs_file:file r_file_perms;
-
-# Get SELinux enforcing status.
-r_dir_file(ueventd, selinuxfs)
-
-# Access for /vendor/ueventd.rc and /vendor/firmware
-r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })
-
-# Access for /apex/*/firmware
-allow ueventd apex_mnt_dir:dir r_dir_perms;
-
-# Get file contexts for new device nodes
-allow ueventd file_contexts_file:file r_file_perms;
-
-# Use setfscreatecon() to label /dev directories and files.
-allow ueventd self:process setfscreate;
-
-# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
-allow ueventd proc_cmdline:file r_file_perms;
-allow ueventd proc_bootconfig:file r_file_perms;
-
-# Everything is labeled as rootfs in recovery mode. ueventd has to execute
-# the dynamic linker and shared libraries.
-recovery_only(`
-  allow ueventd rootfs:file { r_file_perms execute };
-')
-
-# Suppress denials for ueventd to getattr /postinstall. This occurs when the
-# linker tries to resolve paths in ld.config.txt.
-dontaudit ueventd postinstall_mnt_dir:dir getattr;
-
-# ueventd loads modules in response to modalias events.
-allow ueventd self:global_capability_class_set sys_module;
-allow ueventd vendor_file:system module_load;
-allow ueventd kernel:key search;
-
-# ueventd is using bootstrap bionic
-use_bootstrap_libs(ueventd)
-
-# Allow ueventd to run shell scripts from vendor
-allow ueventd vendor_shell_exec:file execute;
-
-# Query device-mapper to extract name/uuid in response to uevents.
-allow ueventd dm_device:chr_file rw_file_perms;
-allow ueventd self:capability sys_admin;
-
-# Allow ueventd to read apexd property
-get_prop(ueventd, apexd_prop)
-
-#####
-##### neverallow rules
-#####
-
-# Restrict ueventd access on block devices to maintenence operations.
-neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
-
-# Only relabelto as we would never want to relabelfrom port_device
-neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };
-
-# Nobody should be able to ptrace ueventd
-neverallow * ueventd:process ptrace;
-
-# ueventd should never execute a program without changing to another domain.
-neverallow ueventd { file_type fs_type }:file execute_no_trans;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 3b04671..55a2b36 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -2,45 +2,6 @@
 type uncrypt, domain, mlstrustedsubject;
 type uncrypt_exec, system_file_type, exec_type, file_type;
 
-allow uncrypt self:global_capability_class_set { dac_override dac_read_search };
-
-userdebug_or_eng(`
-  # For debugging, allow /data/local/tmp access
-  r_dir_file(uncrypt, shell_data_file)
-')
-
-# Read /cache/recovery/command
-# Read /cache/recovery/uncrypt_file
-allow uncrypt cache_file:dir search;
-allow uncrypt cache_recovery_file:dir rw_dir_perms;
-allow uncrypt cache_recovery_file:file create_file_perms;
-
-# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
-allow uncrypt ota_package_file:dir r_dir_perms;
-allow uncrypt ota_package_file:file rw_file_perms;
-
-# Write to /dev/socket/uncrypt
-unix_socket_connect(uncrypt, uncrypt, uncrypt)
-
-# Raw writes to block device
-allow uncrypt self:global_capability_class_set sys_rawio;
-allow uncrypt misc_block_device:blk_file w_file_perms;
-allow uncrypt block_device:dir r_dir_perms;
-
-# Access userdata block device.
-allow uncrypt userdata_block_device:blk_file w_file_perms;
-
-r_dir_file(uncrypt, rootfs)
-
-# Access to bootconfig is needed when calling ReadDefaultFstab.
-allow uncrypt {
-  proc_bootconfig
-  proc_cmdline
-
-}:file r_file_perms;
-
-# Read files in /sys
-r_dir_file(uncrypt, sysfs_dt_firmware_android)
-
-# Allow ReadDefaultFstab().
-read_fstab(uncrypt)
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index a4ee6f5..af1ac27 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -34,3 +34,7 @@
 # This file defines the rules for untrusted apps running with
 # targetSdkVersion <= 25.
 type untrusted_app_25, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/update_engine.te b/public/update_engine.te
index 6f79902..3c6c0b0 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -2,78 +2,6 @@
 type update_engine, domain, update_engine_common;
 type update_engine_exec, system_file_type, exec_type, file_type;
 
-net_domain(update_engine);
-
-# Following permissions are needed for update_engine.
-allow update_engine self:process { setsched };
-allow update_engine self:global_capability_class_set { fowner sys_admin };
-# Note: fsetid checks are triggered when creating a file in a directory with
-# the setgid bit set to determine if the file should inherit setgid. In this
-# case, setgid on the file is undesirable so we should just suppress the
-# denial.
-dontaudit update_engine self:global_capability_class_set fsetid;
-
-allow update_engine kmsg_device:chr_file { getattr w_file_perms };
-allow update_engine update_engine_exec:file rx_file_perms;
-wakelock_use(update_engine);
-
-# Ignore these denials.
-dontaudit update_engine kernel:process setsched;
-dontaudit update_engine self:global_capability_class_set sys_rawio;
-
-# Allow using persistent storage in /data/misc/update_engine.
-allow update_engine update_engine_data_file:dir create_dir_perms;
-allow update_engine update_engine_data_file:file create_file_perms;
-
-# Allow using persistent storage in /data/misc/update_engine_log.
-allow update_engine update_engine_log_data_file:dir create_dir_perms;
-allow update_engine update_engine_log_data_file:file create_file_perms;
-
-# Register the service to perform Binder IPC.
-binder_use(update_engine)
-add_service(update_engine, update_engine_service)
-add_service(update_engine, update_engine_stable_service)
-
-# Allow update_engine to call the callback function provided by priv_app/GMS core.
-binder_call(update_engine, priv_app)
-# b/142672293: No other priv-app should need this rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
-  auditallow update_engine priv_app:binder { call transfer };
-  auditallow priv_app update_engine:binder transfer;
-  auditallow update_engine priv_app:fd use;
-')
-
-binder_call(update_engine, gmscore_app)
-
-# Allow update_engine to call the callback function provided by system_server.
-binder_call(update_engine, system_server)
-
-# Read OTA zip file at /data/ota_package/.
-allow update_engine ota_package_file:file r_file_perms;
-allow update_engine ota_package_file:dir r_dir_perms;
-
-# Use Boot Control HAL
-hal_client_domain(update_engine, hal_bootctl)
-
-# access /proc/misc
-allow update_engine proc_misc:file r_file_perms;
-
-# read directories on /system and /vendor
-allow update_engine system_file:dir r_dir_perms;
-
-# Allow ReadDefaultFstab().
-# update_engine tries to determine the parent path for all devices (e.g.
-# /dev/block/by-name) by reading the default fstab and looking for the misc
-# device.
-read_fstab(update_engine)
-
-# Allow to write to snapshotctl_log logs.
-# TODO(b/148818798) revert when parent bug is fixed.
-userdebug_or_eng(`
-allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
-allow update_engine snapshotctl_log_data_file:file create_file_perms;
-')
-
-# Allow determining filesystems available on system.
-# Needed for checking if overlayfs is enabled
-allow update_engine proc_filesystems:file r_file_perms;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
deleted file mode 100644
index 12961e7..0000000
--- a/public/update_engine_common.te
+++ /dev/null
@@ -1,99 +0,0 @@
-# update_engine payload application permissions. These are shared between the
-# background daemon and the recovery tool to sideload an update.
-
-# Allow update_engine to reach block devices in /dev/block.
-allow update_engine_common block_device:dir search;
-
-# Allow read/write on system and boot partitions.
-allow update_engine_common boot_block_device:blk_file rw_file_perms;
-allow update_engine_common system_block_device:blk_file rw_file_perms;
-
-# Where ioctls are granted via standard allow rules to block devices,
-# automatically allow common ioctls that are generally needed by
-# update_engine.
-allowxperm update_engine_common dev_type:blk_file ioctl {
-  BLKDISCARD
-  BLKDISCARDZEROES
-  BLKROGET
-  BLKROSET
-  BLKSECDISCARD
-  BLKZEROOUT
-};
-
-# Allow to set recovery options in the BCB. Used to trigger factory reset when
-# the update to an older version (channel change) or incompatible version
-# requires it.
-allow update_engine_common misc_block_device:blk_file rw_file_perms;
-
-# read fstab
-allow update_engine_common rootfs:dir getattr;
-allow update_engine_common rootfs:file r_file_perms;
-
-# Allow update_engine_common to mount on the /postinstall directory and reset the
-# labels on the mounted filesystem to postinstall_file.
-allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
-allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
-allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
-
-# Allow update_engine_common to read and execute postinstall_file.
-allow update_engine_common postinstall_file:file rx_file_perms;
-allow update_engine_common postinstall_file:lnk_file r_file_perms;
-allow update_engine_common postinstall_file:dir r_dir_perms;
-
-# install update.zip from cache
-r_dir_file(update_engine_common, cache_file)
-
-# A postinstall program is typically a shell script (with a #!), so we allow
-# to execute those.
-allow update_engine_common shell_exec:file rx_file_perms;
-
-# Allow update_engine_common to suspend, resume and kill the postinstall program.
-allow update_engine_common postinstall:process { signal sigstop sigkill };
-
-# access /proc/cmdline
-allow update_engine_common proc_cmdline:file r_file_perms;
-
-# Read files in /sys/firmware/devicetree/base/firmware/android/
-r_dir_file(update_engine_common, sysfs_dt_firmware_android)
-
-# Needed because libdm reads sysfs to validate when a dm path is ready.
-r_dir_file(update_engine_common, sysfs_dm)
-
-# Scan files in /sys/fs/ext4 and /sys/fs/f2fs for device-mapper diagnostics.
-allow update_engine_common sysfs:dir r_dir_perms;
-allow update_engine_common sysfs_fs_f2fs:dir r_dir_perms;
-
-# read / write on /dev/device-mapper to map / unmap devices
-allow update_engine_common dm_device:chr_file rw_file_perms;
-
-# apply / verify updates on devices mapped via device mapper
-allow update_engine_common dm_device:blk_file rw_file_perms;
-
-# read /dev/dm-user, so that we can inotify wait for control devices to be
-# asynchronously created by ueventd.
-allow update_engine dm_user_device:dir r_dir_perms;
-allow update_engine dm_user_device:chr_file r_file_perms;
-
-# read / write metadata on super device to resize partitions
-allow update_engine_common super_block_device_type:blk_file rw_file_perms;
-
-# ioctl on super device to get block device alignment and alignment offset
-allowxperm update_engine_common super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
-
-# get physical block device to map logical partitions on device mapper
-allow update_engine_common block_device:dir r_dir_perms;
-
-# Allow update_engine_common to write to statsd socket.
-unix_socket_send(update_engine_common, statsdw, statsd)
-
-# Allow to read Virtual A/B feature flags.
-get_prop(update_engine_common, virtual_ab_prop)
-
-# Allow to read GKI related flags.
-get_prop(update_engine_common, ab_update_gki_prop)
-get_prop(update_engine_common, build_bootimage_prop)
-
-# Allow to read/write/create OTA metadata files for snapshot status and COW file status.
-allow update_engine_common metadata_file:dir search;
-allow update_engine_common ota_metadata_file:dir rw_dir_perms;
-allow update_engine_common ota_metadata_file:file create_file_perms;
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 68b43f0..a8804ce 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -2,32 +2,6 @@
 type update_verifier, domain;
 type update_verifier_exec, system_file_type, exec_type, file_type;
 
-# Allow update_verifier to reach block devices in /dev/block.
-allow update_verifier block_device:dir search;
-
-# Read care map in /data/ota_package/.
-allow update_verifier ota_package_file:dir r_dir_perms;
-allow update_verifier ota_package_file:file r_file_perms;
-
-# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
-allow update_verifier sysfs:dir r_dir_perms;
-
-# Read /sys/block/dm-X/dm/name (which is a symlink to
-# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
-# dm-X and system/vendor partitions.
-allow update_verifier sysfs_dm:dir r_dir_perms;
-allow update_verifier sysfs_dm:file r_file_perms;
-
-# Read all blocks in DM wrapped system partition.
-allow update_verifier dm_device:blk_file r_file_perms;
-
-# Write to kernel message.
-allow update_verifier kmsg_device:chr_file { getattr w_file_perms };
-
-# Use Boot Control HAL
-hal_client_domain(update_verifier, hal_bootctl)
-
-# Access Checkpoint commands over binder
-allow update_verifier vold_service:service_manager find;
-binder_call(update_verifier, servicemanager)
-binder_call(update_verifier, vold)
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/usbd.te b/public/usbd.te
index ee36784..9ff08d2 100644
--- a/public/usbd.te
+++ b/public/usbd.te
@@ -1,4 +1,6 @@
 type usbd, domain;
 type usbd_exec, system_file_type, exec_type, file_type;
 
-binder_call(usbd, servicemanager)
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/vdc.te b/public/vdc.te
index dfe6888..04fc39e 100644
--- a/public/vdc.te
+++ b/public/vdc.te
@@ -4,17 +4,9 @@
 #
 # We also transition into this domain from dumpstate, when
 # collecting bug reports.
-
 type vdc, domain;
 type vdc_exec, system_file_type, exec_type, file_type;
 
-# vdc can be invoked with logwrapper, so let it write to pty
-allow vdc devpts:chr_file rw_file_perms;
-
-# vdc writes directly to kmsg during the boot process
-allow vdc kmsg_device:chr_file { getattr w_file_perms };
-
-# vdc talks to vold over Binder
-binder_use(vdc)
-binder_call(vdc, vold)
-allow vdc vold_service:service_manager find;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 2816091..ef1386e 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -1,332 +1,6 @@
 # vendor_init is its own domain.
 type vendor_init, domain, mlstrustedsubject;
 
-# Communication to the main init process
-allow vendor_init init:unix_stream_socket { read write };
-
-# Logging to kmsg
-allow vendor_init kmsg_device:chr_file { open getattr write };
-
-# Mount on /dev/usb-ffs/adb.
-allow vendor_init device:dir mounton;
-
-# Create and remove symlinks in /.
-allow vendor_init rootfs:lnk_file { create unlink };
-
-# Create cgroups mount points in tmpfs and mount cgroups on them.
-allow vendor_init cgroup:dir create_dir_perms;
-allow vendor_init cgroup:file w_file_perms;
-allow vendor_init cgroup_v2:dir create_dir_perms;
-allow vendor_init cgroup_v2:file w_file_perms;
-
-# /config
-allow vendor_init configfs:dir mounton;
-allow vendor_init configfs:dir create_dir_perms;
-allow vendor_init configfs:{ file lnk_file } create_file_perms;
-
-# Create directories under /dev/cpuctl after chowning it to system.
-allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
-
-# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
-# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
-# system/core/init.rc requires at least cache_file and data_file_type.
-# init.<board>.rc files often include device-specific types, so
-# we just allow all file types except /system files here.
-allow vendor_init self:global_capability_class_set { chown fowner fsetid };
-
-# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
-allow vendor_init unencrypted_data_file:dir search;
-allow vendor_init unencrypted_data_file:file r_file_perms;
-
-# Set encryption policy on dirs in /data
-allowxperm vendor_init data_file_type:dir ioctl {
-  FS_IOC_GET_ENCRYPTION_POLICY
-  FS_IOC_SET_ENCRYPTION_POLICY
-};
-
-allow vendor_init system_data_file:dir getattr;
-
-allow vendor_init {
-  file_type
-  -bpffs_type
-  -core_data_file_type
-  -exec_type
-  -system_dlkm_file_type
-  -system_file_type
-  -mnt_product_file
-  -password_slot_metadata_file
-  -ota_metadata_file
-  -unlabeled
-  -vendor_file_type
-  -vold_metadata_file
-  -gsi_metadata_file_type
-  -apex_metadata_file
-  -userspace_reboot_metadata_file
-  -aconfig_storage_metadata_file
-  -aconfig_storage_flags_metadata_file
-}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
-
-allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
-
-allow vendor_init {
-  file_type
-  -bpffs_type
-  -core_data_file_type
-  -exec_type
-  -password_slot_metadata_file
-  -ota_metadata_file
-  -runtime_event_log_tags_file
-  -system_dlkm_file_type
-  -system_file_type
-  -unlabeled
-  -vendor_file_type
-  -vold_metadata_file
-  -gsi_metadata_file_type
-  -apex_metadata_file
-  -apex_info_file
-  -userspace_reboot_metadata_file
-  -aconfig_storage_metadata_file
-  -aconfig_storage_flags_metadata_file
-  enforce_debugfs_restriction(`-debugfs_type')
-}:file { create getattr open read write setattr relabelfrom unlink map };
-
-allow vendor_init {
-  file_type
-  -bpffs_type
-  -core_data_file_type
-  -exec_type
-  -password_slot_metadata_file
-  -ota_metadata_file
-  -system_dlkm_file_type
-  -system_file_type
-  -unlabeled
-  -vendor_file_type
-  -vold_metadata_file
-  -gsi_metadata_file_type
-  -apex_metadata_file
-  -userspace_reboot_metadata_file
-  -aconfig_storage_metadata_file
-  -aconfig_storage_flags_metadata_file
-}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-
-allow vendor_init {
-  file_type
-  -apex_mnt_dir
-  -bpffs_type
-  -core_data_file_type
-  -exec_type
-  -password_slot_metadata_file
-  -ota_metadata_file
-  -system_dlkm_file_type
-  -system_file_type
-  -unlabeled
-  -vendor_file_type
-  -vold_metadata_file
-  -gsi_metadata_file_type
-  -apex_metadata_file
-  -userspace_reboot_metadata_file
-  -aconfig_storage_metadata_file
-  -aconfig_storage_flags_metadata_file
-}:lnk_file { create getattr setattr relabelfrom unlink };
-
-allow vendor_init {
-  file_type
-  -bpffs_type
-  -core_data_file_type
-  -exec_type
-  -mnt_product_file
-  -password_slot_metadata_file
-  -ota_metadata_file
-  -system_dlkm_file_type
-  -system_file_type
-  -vendor_file_type
-  -vold_metadata_file
-  -gsi_metadata_file_type
-  -apex_metadata_file
-  -userspace_reboot_metadata_file
-  -aconfig_storage_metadata_file
-  -aconfig_storage_flags_metadata_file
-}:dir_file_class_set relabelto;
-
-allow vendor_init dev_type:dir create_dir_perms;
-allow vendor_init dev_type:lnk_file create;
-
-# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
-allow vendor_init debugfs_tracing:file w_file_perms;
-
-# chown/chmod on pseudo files.
-allow vendor_init {
-  fs_type
-  -bpffs_type
-  -contextmount_type
-  -keychord_device
-  -sdcard_type
-  -fusefs_type
-  -rootfs
-  -proc_uid_time_in_state
-  -proc_uid_concurrent_active_time
-  -proc_uid_concurrent_policy_time
-  enforce_debugfs_restriction(`-debugfs_type')
-}:file { open read setattr map };
-
-allow vendor_init tracefs_type:file { open read setattr map };
-
-allow vendor_init {
-  fs_type
-  -bpffs_type
-  -contextmount_type
-  -sdcard_type
-  -fusefs_type
-  -rootfs
-  -proc_uid_time_in_state
-  -proc_uid_concurrent_active_time
-  -proc_uid_concurrent_policy_time
-}:dir { open read setattr search };
-
-allow vendor_init dev_type:blk_file getattr;
-
-# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
-r_dir_file(vendor_init, proc_net_type)
-allow vendor_init proc_net_type:file w_file_perms;
-allow vendor_init self:global_capability_class_set net_admin;
-
-# Write to /proc/sys/vm/page-cluster
-allow vendor_init proc_page_cluster:file w_file_perms;
-
-# Write to sysfs nodes.
-allow vendor_init sysfs_type:dir r_dir_perms;
-allow vendor_init sysfs_type:lnk_file read;
-allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
-
-# setfscreatecon() for labeling directories and socket files.
-allow vendor_init self:process { setfscreate };
-
-r_dir_file(vendor_init, vendor_file_type)
-
-# Vendor init can read properties
-allow vendor_init serialno_prop:file { getattr open read map };
-
-# Vendor init can perform operations on trusted and security Extended Attributes
-allow vendor_init self:global_capability_class_set sys_admin;
-
-# Raw writes to misc block device
-allow vendor_init misc_block_device:blk_file w_file_perms;
-
-# vendor_init is using bootstrap bionic
-use_bootstrap_libs(vendor_init)
-
-# allow filesystem tuning
-allow vendor_init userdata_sysdev:file create_file_perms;
-
-# Everything is labeled as rootfs in recovery mode. Vendor init has to execute
-# the dynamic linker and shared libraries.
-recovery_only(`
-  allow vendor_init rootfs:file { r_file_perms execute };
-')
-
-not_compatible_property(`
-    set_prop(vendor_init, {
-      property_type
-      -system_internal_property_type
-      -system_restricted_property_type
-    })
-')
-
-# Get file context
-allow vendor_init file_contexts_file:file r_file_perms;
-
-# Allow vendor_init to (re)set nice
-allow vendor_init self:capability sys_nice;
-
-set_prop(vendor_init, apk_verity_prop)
-set_prop(vendor_init, bluetooth_a2dp_offload_prop)
-set_prop(vendor_init, bluetooth_audio_hal_prop)
-set_prop(vendor_init, bluetooth_config_prop)
-set_prop(vendor_init, camera2_extensions_prop)
-set_prop(vendor_init, camerax_extensions_prop)
-set_prop(vendor_init, cpu_variant_prop)
-set_prop(vendor_init, dalvik_config_prop)
-set_prop(vendor_init, dalvik_dynamic_config_prop)
-set_prop(vendor_init, dalvik_runtime_prop)
-set_prop(vendor_init, debug_prop)
-set_prop(vendor_init, exported_bluetooth_prop)
-set_prop(vendor_init, exported_camera_prop)
-set_prop(vendor_init, exported_config_prop)
-set_prop(vendor_init, exported_default_prop)
-set_prop(vendor_init, exported_overlay_prop)
-set_prop(vendor_init, exported_pm_prop)
-set_prop(vendor_init, ffs_control_prop)
-set_prop(vendor_init, hw_timeout_multiplier_prop)
-set_prop(vendor_init, incremental_prop)
-set_prop(vendor_init, lmkd_prop)
-set_prop(vendor_init, logd_prop)
-set_prop(vendor_init, log_tag_prop)
-set_prop(vendor_init, log_prop)
-set_prop(vendor_init, graphics_config_writable_prop)
-set_prop(vendor_init, qemu_hw_prop)
-set_prop(vendor_init, radio_control_prop)
-set_prop(vendor_init, rebootescrow_hal_prop)
-set_prop(vendor_init, serialno_prop)
-set_prop(vendor_init, soc_prop)
-set_prop(vendor_init, surfaceflinger_color_prop)
-set_prop(vendor_init, usb_control_prop)
-set_prop(vendor_init, userspace_reboot_config_prop)
-set_prop(vendor_init, vehicle_hal_prop)
-set_prop(vendor_init, vendor_default_prop)
-set_prop(vendor_init, keystore_config_prop)
-set_prop(vendor_init, vendor_security_patch_level_prop)
-set_prop(vendor_init, vndk_prop)
-set_prop(vendor_init, virtual_ab_prop)
-set_prop(vendor_init, vold_post_fs_data_prop)
-set_prop(vendor_init, wifi_hal_prop)
-set_prop(vendor_init, wifi_log_prop)
-set_prop(vendor_init, zram_control_prop)
-
-get_prop(vendor_init, boot_status_prop)
-get_prop(vendor_init, exported3_system_prop)
-get_prop(vendor_init, ota_prop)
-get_prop(vendor_init, power_debug_prop)
-get_prop(vendor_init, provisioned_prop)
-get_prop(vendor_init, retaildemo_prop)
-get_prop(vendor_init, surfaceflinger_display_prop)
-get_prop(vendor_init, test_harness_prop)
-get_prop(vendor_init, theme_prop)
-set_prop(vendor_init, dck_prop)
-
-# Allow vendor_init to read vendor_system_native device config changes
-get_prop(vendor_init, device_config_vendor_system_native_prop)
-get_prop(vendor_init, device_config_vendor_system_native_boot_prop)
-
-userdebug_or_eng(`
-get_prop(vendor_init, profcollectd_etr_prop)
-')
-
-###
-### neverallow rules
-###
-
-# Vendor init shouldn't communicate with any vendor process, nor most system processes.
-neverallow_establish_socket_comms(vendor_init, {
-    domain -init -logd -prng_seeder -su -vendor_init });
-
-# The vendor_init domain is only entered via an exec based transition from the
-# init domain, never via setcon().
-neverallow domain vendor_init:process dyntransition;
-neverallow { domain -init } vendor_init:process transition;
-neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint;
-
-# Never read/follow symlinks created by shell or untrusted apps.
-neverallow vendor_init app_data_file_type:lnk_file read;
-neverallow vendor_init shell_data_file:lnk_file read;
-# Init should not be creating subdirectories in /data/local/tmp
-neverallow vendor_init shell_data_file:dir { write add_name remove_name };
-
-# init should never execute a program without changing to another domain.
-neverallow vendor_init { file_type fs_type }:file execute_no_trans;
-
-# Init never adds or uses services via service_manager.
-neverallow vendor_init service_manager_type:service_manager { add find };
-neverallow vendor_init servicemanager:service_manager list;
-
-# vendor_init should never be ptraced
-neverallow * vendor_init:process ptrace;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
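Review bot: The neverallow rules dropped from this file (the `neverallow_establish_socket_comms` restriction, the `transition`/`dyntransition` and `entrypoint` rules, `execute_no_trans`, the `service_manager { add find }` and `list` rules, and `neverallow * vendor_init:process ptrace`) are build-time invariants, and a neverallow that is simply omitted from private/vendor_init.te produces no error, unlike a missing allow rule that surfaces as a runtime denial. This chunk does not show the private side, so each of them should be confirmed to land there verbatim rather than trusting a clean build. The same applies to the `neverallowxperm` and `neverallow` blocks removed from vold.te and to the `full_treble_only` neverallow removed from vendor_toolbox.te later in this diff. As far as can be told from here, neverallow rules are checked against the combined policy whether they live in public or private, so the move is only safe if none are lost in transit.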
diff --git a/public/vendor_misc_writer.te b/public/vendor_misc_writer.te
index 3bc3a9f..a64eee5 100644
--- a/public/vendor_misc_writer.te
+++ b/public/vendor_misc_writer.te
@@ -2,15 +2,6 @@
 type vendor_misc_writer, domain;
 type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
 
-# Raw writes to misc_block_device
-allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
-allow vendor_misc_writer block_device:dir r_dir_perms;
-
-# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
-# load DT fstab.
-dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
-dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
-dontaudit vendor_misc_writer proc_bootconfig:file r_file_perms;
-
-# Allow ReadDefaultFstab().
-read_fstab(vendor_misc_writer)
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/vendor_modprobe.te b/public/vendor_modprobe.te
index 529c4aa..8ec0aba 100644
--- a/public/vendor_modprobe.te
+++ b/public/vendor_modprobe.te
@@ -1 +1,5 @@
 type vendor_modprobe, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/vendor_shell.te b/public/vendor_shell.te
index 5d7cb31..1906d0e 100644
--- a/public/vendor_shell.te
+++ b/public/vendor_shell.te
@@ -1,21 +1,6 @@
 type vendor_shell, domain;
 type vendor_shell_exec, exec_type, vendor_file_type, file_type;
 
-allow vendor_shell vendor_shell_exec:file rx_file_perms;
-allow vendor_shell vendor_toolbox_exec:file rx_file_perms;
-
-# Use fd from shell when vendor_shell is started from shell
-allow vendor_shell shell:fd use;
-
-# adbd: allow `adb shell /vendor/bin/sh` and `adb shell` then `/vendor/bin/sh`
-allow vendor_shell adbd:fd use;
-allow vendor_shell adbd:process sigchld;
-allow vendor_shell adbd:unix_stream_socket { getattr ioctl read write };
-
-allow vendor_shell devpts:chr_file rw_file_perms;
-allow vendor_shell tty_device:chr_file rw_file_perms;
-allow vendor_shell console_device:chr_file rw_file_perms;
-allow vendor_shell input_device:dir r_dir_perms;
-allow vendor_shell input_device:chr_file rw_file_perms;
-
-userdebug_or_eng(`set_prop(vendor_shell, persist_vendor_debug_wifi_prop)')
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/vendor_toolbox.te b/public/vendor_toolbox.te
index 63f938d..13969b4 100644
--- a/public/vendor_toolbox.te
+++ b/public/vendor_toolbox.te
@@ -3,14 +3,6 @@
 # and is always executed without transition.
 type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
 
-# Do not allow domains to transition to vendor toolbox
-# or read, execute the vendor_toolbox file.
-full_treble_only(`
-    # Do not allow non-vendor domains to transition
-    # to vendor toolbox except for the allowlisted domains.
-    neverallow {
-        coredomain
-        -init
-        -modprobe
-    } vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
-')
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/virtual_touchpad.te b/public/virtual_touchpad.te
index 49c8704..1e1c94e 100644
--- a/public/virtual_touchpad.te
+++ b/public/virtual_touchpad.te
@@ -1,16 +1,6 @@
 type virtual_touchpad, domain;
 type virtual_touchpad_exec, system_file_type, exec_type, file_type;
 
-binder_use(virtual_touchpad)
-binder_service(virtual_touchpad)
-add_service(virtual_touchpad, virtual_touchpad_service)
-
-# Needed to check app permissions.
-binder_call(virtual_touchpad, system_server)
-
-# Requires access to /dev/uinput to create and feed the virtual device.
-allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
-
-# Requires access to the permission service to validate that clients have the
-# appropriate VR permissions.
-allow virtual_touchpad permission_service:service_manager find;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/vndservice.te b/public/vndservice.te
index efd9adf..9f70d9b 100644
--- a/public/vndservice.te
+++ b/public/vndservice.te
@@ -1,2 +1,6 @@
 type service_manager_vndservice, vndservice_manager_type;
 type default_android_vndservice, vndservice_manager_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/vndservicemanager.te b/public/vndservicemanager.te
index 6b9f73d..60af16b 100644
--- a/public/vndservicemanager.te
+++ b/public/vndservicemanager.te
@@ -1,2 +1,6 @@
 # vndservicemanager - the Binder context manager for vendor processes
 type vndservicemanager, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/vold.te b/public/vold.te
index ad6ef83..c05da12 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -2,353 +2,6 @@
 type vold, domain;
 type vold_exec, exec_type, file_type, system_file_type;
 
-# Read already opened /cache files.
-allow vold cache_file:dir r_dir_perms;
-allow vold cache_file:file { getattr read };
-allow vold cache_file:lnk_file r_file_perms;
-
-r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
-# XXX Label sysfs files with a specific type?
-allow vold {
-  sysfs # writing to /sys/*/uevent during coldboot.
-  sysfs_devices_block
-  sysfs_dm
-  sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
-  sysfs_usb
-  sysfs_zram_uevent
-  sysfs_fs_f2fs
-}:file w_file_perms;
-
-r_dir_file(vold, rootfs)
-r_dir_file(vold, metadata_file)
-allow vold {
-  proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
-  proc_bootconfig
-  proc_cmdline
-  proc_drop_caches
-  proc_filesystems
-  proc_meminfo
-  proc_mounts
-}:file r_file_perms;
-
-#Get file contexts
-allow vold file_contexts_file:file r_file_perms;
-
-# Allow us to jump into execution domains of above tools
-allow vold self:process setexec;
-
-# For formatting adoptable storage devices
-allow vold e2fs_exec:file rx_file_perms;
-
-# Run fstrim on mounted partitions
-# allowxperm still requires the ioctl permission for the individual type
-allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
-
-# Get/set file-based encryption policies on dirs in /data and adoptable storage,
-# and add/remove file-based encryption keys.
-allowxperm vold data_file_type:dir ioctl {
-  FS_IOC_GET_ENCRYPTION_POLICY
-  FS_IOC_SET_ENCRYPTION_POLICY
-  FS_IOC_ADD_ENCRYPTION_KEY
-  FS_IOC_REMOVE_ENCRYPTION_KEY
-  FS_IOC_GET_ENCRYPTION_KEY_STATUS
-};
-
-# Only vold and init should ever set file-based encryption policies.
-neverallowxperm {
-  domain
-  -vold
-  -init
-  -vendor_init
-} data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };
-
-# Only vold should ever add/remove file-based encryption keys.
-neverallowxperm {
-  domain
-  -vold
-} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY FS_IOC_GET_ENCRYPTION_KEY_STATUS };
-
-# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
-# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
-# location of the file's blocks on the raw block device to erase.
-allowxperm vold {
-  vold_data_file
-  vold_metadata_file
-}:file ioctl {
-  F2FS_IOC_SEC_TRIM_FILE
-  FS_IOC_FIEMAP
-};
-
-typeattribute vold mlstrustedsubject;
-allow vold self:process setfscreate;
-allow vold system_file:file x_file_perms;
-not_full_treble(`allow vold vendor_file:file x_file_perms;')
-allow vold block_device:dir create_dir_perms;
-allow vold device:dir write;
-allow vold devpts:chr_file rw_file_perms;
-allow vold rootfs:dir mounton;
-allow vold { sdcard_type fuse }:dir mounton; # TODO: deprecated in M
-allow vold { sdcard_type fuse }:filesystem { mount remount unmount }; # TODO: deprecated in M
-
-# Manage locations where storage is mounted
-allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:dir create_dir_perms;
-allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:file create_file_perms;
-
-# Access to storage that backs emulated FUSE daemons for migration optimization
-allow vold media_rw_data_file:dir create_dir_perms;
-allow vold media_rw_data_file:file create_file_perms;
-# Allow mounting (lower filesystem) on parts of media for performance
-allow vold media_rw_data_file:dir mounton;
-
-# Allow setting project quota IDs and enabling project ID inheritance on
-# /data/media/$userId/* and /mnt/expand/$volume/media/$userId/*
-allowxperm vold media_rw_data_file:{ dir file } ioctl {
-  FS_IOC_FSGETXATTR
-  FS_IOC_FSSETXATTR
-  FS_IOC_GETFLAGS
-  FS_IOC_SETFLAGS
-};
-
-# Allow mounting of storage devices
-allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
-
-# Manage per-user primary symlinks
-allow vold mnt_user_file:dir { create_dir_perms mounton };
-allow vold mnt_user_file:lnk_file create_file_perms;
-allow vold mnt_user_file:file create_file_perms;
-
-# Manage per-user pass_through primary symlinks
-allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
-allow vold mnt_pass_through_file:lnk_file create_file_perms;
-
-# Allow to create and mount expanded storage
-allow vold mnt_expand_file:dir { create_dir_perms mounton };
-allow vold apk_data_file:dir { create getattr setattr };
-allow vold shell_data_file:dir { create getattr setattr };
-allow vold system_userdir_file:dir { create getattr setattr };
-allow vold media_userdir_file:dir { create getattr setattr open read ioctl };
-# Needed to set the casefold flag on /mnt/expand/$volume/media
-allowxperm vold media_userdir_file:dir ioctl { FS_IOC_GETFLAGS FS_IOC_SETFLAGS };
-
-# Allow to mount incremental file system on /data/incremental and create files
-allow vold apk_data_file:dir { mounton rw_dir_perms };
-# Allow to create and write files in /data/incremental
-allow vold apk_data_file:file { rw_file_perms unlink };
-# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
-allow vold apk_tmp_file:dir { mounton r_dir_perms };
-# Allow to read incremental control file and call selinux restorecon on it
-allow vold incremental_control_file:file { r_file_perms relabelto };
-
-allow vold tmpfs:filesystem { mount unmount };
-allow vold tmpfs:dir create_dir_perms;
-allow vold tmpfs:dir mounton;
-allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
-allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow vold loop_control_device:chr_file rw_file_perms;
-allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
-allowxperm vold loop_device:blk_file ioctl {
-  LOOP_CLR_FD
-  LOOP_CTL_GET_FREE
-  LOOP_GET_STATUS64
-  LOOP_SET_FD
-  LOOP_SET_STATUS64
-};
-allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
-allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
-allow vold dm_device:chr_file rw_file_perms;
-allow vold dm_device:blk_file rw_file_perms;
-allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD BLKREPORTZONE BLKRESETZONE };
-# For vold Process::killProcessesWithOpenFiles function.
-allow vold domain:dir r_dir_perms;
-allow vold domain:{ file lnk_file } r_file_perms;
-allow vold domain:process { signal sigkill };
-allow vold self:global_capability_class_set { sys_ptrace kill };
-
-allow vold kmsg_device:chr_file rw_file_perms;
-
-# Run fsck in the fsck domain.
-allow vold fsck_exec:file { r_file_perms execute };
-
-# Log fsck results
-allow vold fscklogs:dir rw_dir_perms;
-allow vold fscklogs:file create_file_perms;
-
-# Mount and unmount filesystems.
-allow vold labeledfs:filesystem { mount unmount remount };
-
-# Create and mount on /data/tmp_mnt and management of expansion mounts
-#
-# Also rename per-user encrypted directories such as /data/user/10 from their
-# temporary name ("10.new") to their final name ("10").
-allow vold {
-    system_data_file
-    system_data_root_file
-}:dir { create_dir_perms mounton };
-allow vold system_data_file:lnk_file getattr;
-
-# Vold create users in /data/vendor_{ce,de}/[0-9]+
-allow vold vendor_data_file:dir create_dir_perms;
-
-# for secdiscard
-allow vold system_data_file:file read;
-
-# Set scheduling policy of kernel processes
-allow vold kernel:process setsched;
-
-# ASEC
-allow vold asec_image_file:file create_file_perms;
-allow vold asec_image_file:dir rw_dir_perms;
-allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
-allow vold asec_public_file:dir { relabelto setattr };
-allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
-allow vold asec_public_file:file { relabelto setattr };
-# restorecon files in asec containers created on 4.2 or earlier.
-allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
-allow vold unlabeled:file { r_file_perms setattr relabelfrom };
-
-# Access to FUSE control filesystem to hard-abort FUSE mounts
-allow vold fusectlfs:file rw_file_perms;
-allow vold fusectlfs:dir rw_dir_perms;
-
-# Allow vold to use wake locks.  Needed for idle maintenance and moving storage.
-wakelock_use(vold)
-
-# Allow vold to publish a binder service and make binder calls.
-binder_use(vold)
-add_service(vold, vold_service)
-
-# Allow vold to call into the system server so it can check permissions.
-binder_call(vold, system_server)
-allow vold permission_service:service_manager find;
-
-# talk to health storage HAL
-hal_client_domain(vold, hal_health_storage)
-
-# talk to bootloader HAL
-full_treble_only(`hal_client_domain(vold, hal_bootctl)')
-
-# Access userdata block device.
-allow vold userdata_block_device:blk_file rw_file_perms;
-allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
-
-# Access zoned block device.
-allow vold zoned_block_device:blk_file rw_file_perms;
-
-# Access metadata block device used for encryption meta-data.
-allow vold metadata_block_device:blk_file rw_file_perms;
-allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;
-
-# Allow vold to manipulate /data/unencrypted
-allow vold unencrypted_data_file:{ file } create_file_perms;
-allow vold unencrypted_data_file:dir create_dir_perms;
-
-# Write to /proc/sys/vm/drop_caches
-allow vold proc_drop_caches:file w_file_perms;
-
-# Give vold a place where only vold can store files; everyone else is off limits
-allow vold vold_data_file:dir create_dir_perms;
-allow vold vold_data_file:file create_file_perms;
-
-# And a similar place in the metadata partition
-allow vold vold_metadata_file:dir create_dir_perms;
-allow vold vold_metadata_file:file create_file_perms;
-
-# linux keyring configuration
-allow vold init:key { write search setattr };
-allow vold vold:key { write search setattr };
-
-# vold temporarily changes its priority when running benchmarks
-allow vold self:global_capability_class_set sys_nice;
-
-# vold needs to chroot into app namespaces to remount when runtime permissions change
-allow vold self:global_capability_class_set sys_chroot;
-allow vold storage_file:dir mounton;
-
-# For AppFuse.
-allow vold fuse_device:chr_file rw_file_perms;
-allow vold fuse:filesystem { relabelfrom };
-allow vold app_fusefs:filesystem { relabelfrom relabelto };
-allow vold app_fusefs:filesystem { mount unmount };
-allow vold app_fuse_file:dir rw_dir_perms;
-allow vold app_fuse_file:file { read write open getattr append };
-
-# MoveStorage.cpp executes cp and rm
-allow vold toolbox_exec:file rx_file_perms;
-
-# Prepare profile dir for users.
-allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;
-
-# Raw writes to misc block device
-allow vold misc_block_device:blk_file w_file_perms;
-
-# vold might need to search or mount /mnt/vendor/*
-allow vold mnt_vendor_file:dir search;
-
-dontaudit vold self:global_capability_class_set sys_resource;
-
-# Allow ReadDefaultFstab().
-read_fstab(vold)
-
-# vold might need to search loopback apex files
-allow vold vendor_apex_file:file r_file_perms;
-
-neverallow {
-    domain
-    -vold
-    -vold_prepare_subdirs
-} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };
-
-neverallow {
-    domain
-    -init
-    -vold
-    -vold_prepare_subdirs
-} vold_data_file:dir *;
-
-neverallow {
-    domain
-    -init
-    -vold
-} vold_metadata_file:dir *;
-
-neverallow {
-    domain
-    -kernel
-    -vold
-    -vold_prepare_subdirs
-} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow {
-    domain
-    -init
-    -vold
-    -vold_prepare_subdirs
-} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow {
-    domain
-    -init
-    -kernel
-    -vold
-    -vold_prepare_subdirs
-} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
-
-neverallow { domain -vold -init } restorecon_prop:property_service set;
-
-neverallow vold {
-  domain
-  -hal_health_storage_server
-  -hal_keymaster_server
-  -system_suspend_server
-  -hal_bootctl_server
-  -hwservicemanager
-  -keystore
-  -servicemanager
-  -system_server
-  userdebug_or_eng(`-su')
-}:binder call;
-
-neverallow vold fsck_exec:file execute_no_trans;
-neverallow { domain -init } vold:process { transition dyntransition };
-neverallow vold *:process ptrace;
-neverallow vold *:rawip_socket *;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/vold_prepare_subdirs.te b/public/vold_prepare_subdirs.te
index 3087fa8..f659307 100644
--- a/public/vold_prepare_subdirs.te
+++ b/public/vold_prepare_subdirs.te
@@ -1,6 +1,7 @@
 # SELinux directory creation and labelling for vold-managed directories
-
 type vold_prepare_subdirs, domain;
 type vold_prepare_subdirs_exec, system_file_type, exec_type, file_type;
 
-typeattribute vold_prepare_subdirs coredomain;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/watchdogd.te b/public/watchdogd.te
index 72e3685..2499b54 100644
--- a/public/watchdogd.te
+++ b/public/watchdogd.te
@@ -2,5 +2,6 @@
 type watchdogd, domain;
 type watchdogd_exec, system_file_type, exec_type, file_type;
 
-allow watchdogd watchdog_device:chr_file rw_file_perms;
-allow watchdogd kmsg_device:chr_file rw_file_perms;
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/webview_zygote.te b/public/webview_zygote.te
index ace3a01..8142832 100644
--- a/public/webview_zygote.te
+++ b/public/webview_zygote.te
@@ -1,6 +1,9 @@
 # webview_zygote is an auxiliary zygote process that is used to spawn
 # isolated_app processes for rendering untrusted web content.
-
 type webview_zygote, domain;
 type webview_zygote_exec, exec_type, file_type;
 type webview_zygote_tmpfs, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/wificond.te b/public/wificond.te
index 1bd89f5..934133c 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -2,40 +2,6 @@
 type wificond, domain;
 type wificond_exec, system_file_type, exec_type, file_type;
 
-binder_use(wificond)
-binder_call(wificond, system_server)
-binder_call(wificond, keystore)
-
-add_service(wificond, wifinl80211_service)
-hal_client_domain(wificond, hal_nlinterceptor)
-
-# create sockets to set interfaces up and down
-allow wificond self:udp_socket create_socket_perms;
-# setting interface state up/down is a privileged ioctl
-allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR };
-allow wificond self:global_capability_class_set { net_admin net_raw };
-# allow wificond to speak to nl80211 in the kernel
-allow wificond self:netlink_socket create_socket_perms_no_ioctl;
-# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
-allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;
-
-r_dir_file(wificond, proc_net_type)
-
-# allow wificond to check permission for dumping logs
-allow wificond permission_service:service_manager find;
-
-# dumpstate support
-allow wificond dumpstate:fd use;
-allow wificond dumpstate:fifo_file write;
-
-#### Offer the Wifi Keystore HwBinder service ###
-hwbinder_use(wificond)
-typeattribute wificond wifi_keystore_service_server;
-add_hwservice(wificond, system_wifi_keystore_hwservice)
-
-# Allow keystore2 binder access to serve the HwBinder service.
-allow wificond keystore_service:service_manager find;
-allow wificond wifi_key:keystore2_key {
-    get_info
-    use
-};
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/zygote.te b/public/zygote.te
index 071354e..9f24337 100644
--- a/public/zygote.te
+++ b/public/zygote.te
@@ -2,3 +2,7 @@
 type zygote, domain;
 type zygote_tmpfs, file_type;
 type zygote_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/tests/combine_maps.py b/tests/combine_maps.py
index 1a7dfaa..b0fb850 100644
--- a/tests/combine_maps.py
+++ b/tests/combine_maps.py
@@ -41,8 +41,9 @@
         if len(top_type_set) == 1:
             continue
 
-        m = re.match(r"(\w+)_\d+_\d+", top_ta)
-        # Typeattributes in V.v.cil have _V_v suffix, but not in V.v.ignore.cil
+        m = re.fullmatch(r"(\w+?)_\d+(_0)?", top_ta)
+        # Typeattributes in V(.0).cil have _V(_0) suffix, but not in
+        # V(.0).ignore.cil
         bottom_type = m.group(1) if m else top_ta
 
         # If type doesn't exist in bottom map, no need to maintain mappings to
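Review bot: The new pattern `(\w+?)_\d+(_0)?` under fullmatch strips any trailing `_<digits>` segment, not only the version suffix the comment describes, so a typeattribute whose base name legitimately ends in `_<digits>` would be mapped to a truncated `bottom_type`; the old `_\d+_\d+` form required two numeric segments and could not do that. If the expected map version is known at this point (not visible in the hunk — please confirm), anchoring the suffix to it, e.g. `re.fullmatch(rf"(\w+?)_{re.escape(EXPECTED_VERSION)}(_0)?", top_ta)` with a placeholder for the real variable, would avoid false strips. Otherwise the comment should state the assumption explicitly, e.g. `# Assumes the last _<digits> segment is the version suffix; base names ending in _<digits> are not supported`. The enclosing loop starts outside the hunk.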
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 9d6960b..2e9d68f 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -15,7 +15,7 @@
 ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),)
 ifneq (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR)$(BOARD_PRODUCT_PREBUILT_DIR))
 IS_TREBLE_TEST_ENABLED_PARTNER := true
-endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
+endif # (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR)$(BOARD_PRODUCT_PREBUILT_DIR))
 endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),)
 
 include $(BUILD_SYSTEM)/base_rules.mk
@@ -30,18 +30,18 @@
 $(version)_mapping.ignore.cil := \
     $(call intermediates-dir-for,ETC,$(version).ignore.cil)/$(version).ignore.cil
 ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))
+ifneq (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR))
 $(version)_mapping.cil += \
     $(call intermediates-dir-for,ETC,system_ext_$(version).cil)/system_ext_$(version).cil
 $(version)_mapping.ignore.cil += \
     $(call intermediates-dir-for,ETC,system_ext_$(version).ignore.cil)/system_ext_$(version).ignore.cil
-endif # (,$(SYSTEM_EXT_PREBUILT_POLICY))
-ifneq (,$(PRODUCT_PREBUILT_POLICY))
+endif # (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR))
+ifneq (,$(BOARD_PRODUCT_PREBUILT_DIR))
 $(version)_mapping.cil += \
     $(call intermediates-dir-for,ETC,product_$(version).cil)/product_$(version).cil
 $(version)_mapping.ignore.cil += \
     $(call intermediates-dir-for,ETC,product_$(version).ignore.cil)/product_$(version).ignore.cil
-endif # (,$(PRODUCT_PREBUILT_POLICY))
+endif # (,$(BOARD_PRODUCT_PREBUILT_DIR))
 endif #($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
 
 # $(version)_mapping.combined.cil - a combination of the mapping file used when