Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 3d52817da411821e7288c7c9d730fb42fc9a6e64 / . / private / mls
blob: 1588a13e4d12dbd6d21e345f6fadc5f21b19bee4 [file] [log] [blame]
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]1#################################################
2# MLS policy constraints
3#
4
5#
6# Process constraints
7#
8
9# Process transition: Require equivalence unless the subject is trusted.
10mlsconstrain process { transition dyntransition }
11 ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
12
13# Process read operations: No read up unless trusted.
14mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
15 (l1 dom l2 or t1 == mlstrustedsubject);
16
Stephen Smalley025b7df2015-03-13 17:07:39 -0400[diff] [blame]17# Process write operations: Require equivalence unless trusted.
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]18mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
Stephen Smalley025b7df2015-03-13 17:07:39 -0400[diff] [blame]19 (l1 eq l2 or t1 == mlstrustedsubject);
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]20
21#
22# Socket constraints
23#
24
Stephen Smalleye8848722012-11-13 13:00:05 -0500[diff] [blame]25# Create/relabel operations: Subject must be equivalent to object unless
26# the subject is trusted. Sockets inherit the range of their creator.
27mlsconstrain socket_class_set { create relabelfrom relabelto }
28 ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]29
Stephen Smalley025b7df2015-03-13 17:07:39 -0400[diff] [blame]30# Datagram send: Sender must be equivalent to the receiver unless one of them
31# is trusted.
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]32mlsconstrain unix_dgram_socket { sendto }
Stephen Smalley025b7df2015-03-13 17:07:39 -0400[diff] [blame]33 (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]34
35# Stream connect: Client must be equivalent to server unless one of them
36# is trusted.
37mlsconstrain unix_stream_socket { connectto }
38 (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
39
40#
41# Directory/file constraints
42#
43
44# Create/relabel operations: Subject must be equivalent to object unless
45# the subject is trusted. Also, files should always be single-level.
46# Do NOT exempt mlstrustedobject types from this constraint.
47mlsconstrain dir_file_class_set { create relabelfrom relabelto }
48 (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
49
dcashman60cfe792015-03-04 09:50:34 -0800[diff] [blame]50#
51# Constraints for app data files only.
52#
53
Alan Stokesc5773a92020-11-09 16:53:01 +0000[diff] [blame]54# Only constrain open, not read/write, so already open fds can be used.
dcashman60cfe792015-03-04 09:50:34 -0800[diff] [blame]55# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
Jeff Vander Stoep3aa7ca52018-04-03 11:22:38 -0700[diff] [blame]56# Subject must dominate object unless the subject is trusted.
Alan Stokes9443b2e2020-07-16 10:42:58 +0100[diff] [blame]57mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir }
Alan Stokesc5773a92020-11-09 16:53:01 +0000[diff] [blame]58 (t2 != app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject);
Jeff Vander Stoepbed2e162019-01-24 09:48:57 -0800[diff] [blame]59mlsconstrain { file sock_file } { open setattr unlink link rename }
Alan Stokesc5773a92020-11-09 16:53:01 +0000[diff] [blame]60 ( (t2 != app_data_file_type and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
61
62# For symlinks in app data files, require equivalence in order to manipulate or follow (read).
Jeff Vander Stoepbed2e162019-01-24 09:48:57 -0800[diff] [blame]63mlsconstrain { lnk_file } { open setattr unlink link rename read }
Alan Stokesc5773a92020-11-09 16:53:01 +0000[diff] [blame]64 ( (t2 != app_data_file_type or t2 == privapp_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
65# But for priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
Jeff Vander Stoepbed2e162019-01-24 09:48:57 -0800[diff] [blame]66# TODO: Migrate to equivalence when it's no longer needed.
67mlsconstrain { lnk_file } { open setattr unlink link rename read }
Jeff Vander Stoep9f5d0d92019-01-29 14:43:45 -0800[diff] [blame]68 ( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
dcashman60cfe792015-03-04 09:50:34 -0800[diff] [blame]69
70#
71# Constraints for file types other than app data files.
72#
73
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]74# Read operations: Subject must dominate object unless the subject
75# or the object is trusted.
76mlsconstrain dir { read getattr search }
Alan Stokes8bf8a262020-11-16 18:10:33 +0000[diff] [blame]77 (t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
Alan Stokes7aa40412020-12-04 14:07:52 +0000[diff] [blame]78 or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_root_file) ) );
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]79
dcashman60cfe792015-03-04 09:50:34 -0800[diff] [blame]80mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
Alan Stokesc5773a92020-11-09 16:53:01 +0000[diff] [blame]81 (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]82
Stephen Smalley025b7df2015-03-13 17:07:39 -0400[diff] [blame]83# Write operations: Subject must be equivalent to the object unless the
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]84# subject or the object is trusted.
85mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
Alan Stokesc5773a92020-11-09 16:53:01 +0000[diff] [blame]86 (t2 == app_data_file_type or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]87
88mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
Alan Stokesc5773a92020-11-09 16:53:01 +0000[diff] [blame]89 (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]90
91# Special case for FIFOs.
92# These can be unnamed pipes, in which case they will be labeled with the
93# creating process' label. Thus we also have an exemption when the "object"
Stephen Smalley7d1b6c82015-02-20 12:30:31 -0500[diff] [blame]94# is a domain type, so that processes can communicate via unnamed pipes
95# passed by binder or local socket IPC.
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]96mlsconstrain fifo_file { read getattr }
Stephen Smalley7d1b6c82015-02-20 12:30:31 -0500[diff] [blame]97 (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]98
99mlsconstrain fifo_file { write setattr append unlink link rename }
Stephen Smalley025b7df2015-03-13 17:07:39 -0400[diff] [blame]100 (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]101
102#
103# Binder IPC constraints
104#
105# Presently commented out, as apps are expected to call one another.
106# This would only make sense if apps were assigned categories
107# based on allowable communications rather than per-app categories.
108#mlsconstrain binder call
109# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);