# Rules removed from the domain attribute (still granted through the domain_deprecated attribute below).

# Search /storage/emulated tmpfs mount.
allow domain_deprecated tmpfs:dir r_dir_perms;
# On userdebug/eng builds, log any remaining domain_deprecated member that
# still exercises the rule above. The subtracted domains are removed from the
# audited set, presumably because they are already known to need the access;
# anything else that shows up in the audit log is a candidate for its own rule
# or for dropping the legacy grant.
userdebug_or_eng(`
auditallow {
    domain_deprecated
    -appdomain
    -sdcardd
    -surfaceflinger
    -system_server
    -vold
    -zygote
} tmpfs:dir r_dir_perms;
')

# Inherit or receive open files from others.
allow domain_deprecated system_server:fd use;
# Audit (userdebug/eng only) which domain_deprecated members other than the
# subtracted ones still use file descriptors handed over by system_server.
userdebug_or_eng(`
auditallow { domain_deprecated -appdomain -netd -surfaceflinger } system_server:fd use;
')

# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow domain_deprecated adbd:fd use;
# Audit (userdebug/eng only) residual use of adbd file descriptors by
# domain_deprecated members; appdomain and system_server are excluded from
# the audited set.
userdebug_or_eng(`
auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
')

# Root fs.
allow domain_deprecated rootfs:dir r_dir_perms;
allow domain_deprecated rootfs:file r_file_perms;
allow domain_deprecated rootfs:lnk_file r_file_perms;
# Audit residual use on userdebug/eng builds. Each auditallow below subtracts
# the domains presumably known to exercise the rule, and audits only the
# permissions that the domain attribute does not still grant on its own
# (see the trailing comments), so the log shows just unexpected users of the
# deprecated grant.
userdebug_or_eng(`
auditallow {
    domain_deprecated
    -fsck
    -healthd
    -installd
    -servicemanager
    -system_server
    -ueventd
    -uncrypt
    -vold
    -zygote
} rootfs:dir { open getattr read ioctl lock }; # search granted in domain
auditallow {
    domain_deprecated
    -healthd
    -installd
    -servicemanager
    -system_server
    -ueventd
    -uncrypt
    -vold
    -zygote
} rootfs:file r_file_perms;
auditallow {
    domain_deprecated
    -appdomain
    -healthd
    -installd
    -servicemanager
    -system_server
    -ueventd
    -uncrypt
    -vold
    -zygote
} rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
')

# System file accesses.
allow domain_deprecated system_file:dir r_dir_perms;
allow domain_deprecated system_file:file r_file_perms;
# Audit residual use on userdebug/eng builds. Only the permissions not already
# granted by the domain attribute are audited (see trailing comments), and
# the subtracted domains are excluded from the audited set.
userdebug_or_eng(`
auditallow {
    domain_deprecated
    -appdomain
    -fingerprintd
    -installd
    -keystore
    -rild
    -surfaceflinger
    -system_server
    -update_engine
    -vold
    -zygote
} system_file:dir { open read ioctl lock }; # search getattr in domain
auditallow {
    domain_deprecated
    -appdomain
    -rild
    -surfaceflinger
    -system_server
    -zygote
} system_file:file { ioctl lock }; # read open getattr in domain
')

# Read files already opened under /data.
# Note: no open permission on system_data_file:file, so this only covers
# descriptors received from elsewhere; lnk_file gets full read perms.
allow domain_deprecated system_data_file:file { getattr read };
allow domain_deprecated system_data_file:lnk_file r_file_perms;
# Audit residual use on userdebug/eng builds; the subtracted domains are
# excluded from the audited set. sdcardd is excluded only for the file class.
userdebug_or_eng(`
auditallow {
    domain_deprecated
    -appdomain
    -sdcardd
    -system_server
    -tee
} system_data_file:file { getattr read };
auditallow {
    domain_deprecated
    -appdomain
    -system_server
    -tee
} system_data_file:lnk_file r_file_perms;
')

# Read apk files under /data/app.
# The dir class gets only getattr and search (no directory listing).
allow domain_deprecated apk_data_file:dir { getattr search };
allow domain_deprecated apk_data_file:file r_file_perms;
allow domain_deprecated apk_data_file:lnk_file r_file_perms;
# Audit residual use on userdebug/eng builds. The same four domains are
# excluded from all three audits below.
userdebug_or_eng(`
auditallow {
    domain_deprecated
    -appdomain
    -dex2oat
    -installd
    -system_server
} apk_data_file:dir { getattr search };
auditallow {
    domain_deprecated
    -appdomain
    -dex2oat
    -installd
    -system_server
} apk_data_file:file r_file_perms;
auditallow {
    domain_deprecated
    -appdomain
    -dex2oat
    -installd
    -system_server
} apk_data_file:lnk_file r_file_perms;
')

# Read already opened /cache files.
# file gets only getattr and read (no open); dir and lnk_file get full read
# perms.
allow domain_deprecated cache_file:dir r_dir_perms;
allow domain_deprecated cache_file:file { getattr read };
allow domain_deprecated cache_file:lnk_file r_file_perms;
# Audit residual use on userdebug/eng builds. The dir audit is split so that
# appdomain is excluded only from the getattr audit and is still audited for
# the other directory permissions.
userdebug_or_eng(`
auditallow {
    domain_deprecated
    -system_server
    -vold
} cache_file:dir { open read search ioctl lock };
auditallow {
    domain_deprecated
    -appdomain
    -system_server
    -vold
} cache_file:dir getattr;
auditallow {
    domain_deprecated
    -system_server
    -vold
} cache_file:file { getattr read };
auditallow {
    domain_deprecated
    -system_server
    -vold
} cache_file:lnk_file r_file_perms;
')

# Allow access to ion memory allocation device
allow domain_deprecated ion_device:chr_file rw_file_perms;
# split this auditallow into read and write perms since most domains seem to
# only require read
# The read audit excludes the subtracted domains; the write/append audit
# covers every domain_deprecated member with no exclusions, so any write use
# of the ion device by a deprecated domain is logged.
userdebug_or_eng(`
auditallow {
    domain_deprecated
    -appdomain
    -fingerprintd
    -keystore
    -surfaceflinger
    -system_server
    -tee
    -vold
    -zygote
} ion_device:chr_file r_file_perms;
auditallow domain_deprecated ion_device:chr_file { write append };
')

# Read access to pseudo filesystems.
# r_dir_file grants read access on the dir, file and lnk_file classes of the
# given type (the audits below cover those same classes).
r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs)
r_dir_file(domain_deprecated, cgroup)
allow domain_deprecated proc_meminfo:file r_file_perms;

# Audit residual use on userdebug/eng builds. As elsewhere in this file, the
# subtracted domains are excluded from the audited set and permissions still
# granted by the domain attribute are left out (see trailing comments).
# Note that proc:dir is not audited here.
userdebug_or_eng(`
auditallow {
    domain_deprecated
    -fsck
    -fsck_untrusted
    -rild
    -sdcardd
    -system_server
    -update_engine
    -vold
} proc:file r_file_perms;
auditallow {
    domain_deprecated
    -fsck
    -fsck_untrusted
    -rild
    -system_server
    -vold
} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
auditallow {
    domain_deprecated
    -bluetooth
    -fingerprintd
    -healthd
    -netd
    -rild
    -system_app
    -surfaceflinger
    -system_server
    -tee
    -ueventd
    -vold
    -wpa
} sysfs:dir { open getattr read ioctl lock }; # search granted in domain
auditallow {
    domain_deprecated
    -bluetooth
    -fingerprintd
    -healthd
    -netd
    -rild
    -system_app
    -surfaceflinger
    -system_server
    -tee
    -ueventd
    -vold
    -wpa
} sysfs:file r_file_perms;
auditallow {
    domain_deprecated
    -bluetooth
    -fingerprintd
    -healthd
    -netd
    -rild
    -system_app
    -surfaceflinger
    -system_server
    -tee
    -ueventd
    -vold
    -wpa
} sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
auditallow {
    domain_deprecated
    -appdomain
    -dumpstate
    -fingerprintd
    -healthd
    -inputflinger
    -installd
    -keystore
    -netd
    -rild
    -surfaceflinger
    -system_server
    -zygote
} cgroup:dir r_dir_perms;
auditallow {
    domain_deprecated
    -appdomain
    -dumpstate
    -fingerprintd
    -healthd
    -inputflinger
    -installd
    -keystore
    -netd
    -rild
    -surfaceflinger
    -system_server
    -zygote
} cgroup:{ file lnk_file } r_file_perms;
auditallow {
    domain_deprecated
    -appdomain
    -surfaceflinger
    -system_server
    -vold
} proc_meminfo:file r_file_perms;
')

# Get SELinux enforcing status.
allow domain_deprecated selinuxfs:dir r_dir_perms;
allow domain_deprecated selinuxfs:file r_file_perms;
# Audit residual use on userdebug/eng builds. The same domains are excluded
# from both audits; permissions still granted by the domain attribute are
# left out (see trailing comments).
userdebug_or_eng(`
auditallow {
    domain_deprecated
    -appdomain
    -installd
    -keystore
    -postinstall_dexopt
    -runas
    -servicemanager
    -system_server
    -ueventd
    -zygote
} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
auditallow {
    domain_deprecated
    -appdomain
    -installd
    -keystore
    -postinstall_dexopt
    -runas
    -servicemanager
    -system_server
    -ueventd
    -zygote
} selinuxfs:file { open read ioctl lock }; # getattr granted in domain
')