Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 9bbe420b42112f3a580211e3d230657459d05add / . / public / domain_deprecated.te
blob: f5231fbb3f975b8e8bff79956590e7157d99e4d7 [file] [log] [blame]
Jeff Vander Stoepd22987b2015-11-03 09:54:39 -0800[diff] [blame]1# rules removed from the domain attribute
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]2
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]3# Search /storage/emulated tmpfs mount.
Jeff Sharkeydd57e692017-05-03 10:52:59 -0600[diff] [blame]4allow { domain_deprecated -installd } tmpfs:dir r_dir_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]5userdebug_or_eng(`
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]6auditallow {
7 domain_deprecated
8 -appdomain
Jeff Sharkeydd57e692017-05-03 10:52:59 -0600[diff] [blame]9 -installd
Jeff Vander Stoep9bbe4202017-06-14 10:11:12 -0700[diff] [blame^]10 -recovery
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]11 -sdcardd
12 -surfaceflinger
13 -system_server
14 -vold
15 -zygote
16} tmpfs:dir r_dir_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]17')
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]18
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]19# Root fs.
20allow domain_deprecated rootfs:dir r_dir_perms;
21allow domain_deprecated rootfs:file r_file_perms;
22allow domain_deprecated rootfs:lnk_file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]23userdebug_or_eng(`
Jeff Vander Stoepa1b45602017-02-10 09:39:37 -0800[diff] [blame]24auditallow {
25 domain_deprecated
26 -fsck
27 -healthd
Jeff Vander Stoepa1b45602017-02-10 09:39:37 -0800[diff] [blame]28 -installd
Jeff Vander Stoep9bbe4202017-06-14 10:11:12 -0700[diff] [blame^]29 -recovery
Jeff Vander Stoepa1b45602017-02-10 09:39:37 -0800[diff] [blame]30 -servicemanager
31 -system_server
32 -ueventd
33 -uncrypt
34 -vold
35 -zygote
36} rootfs:dir { open getattr read ioctl lock }; # search granted in domain
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]37auditallow {
38 domain_deprecated
39 -healthd
40 -installd
Jeff Vander Stoep9bbe4202017-06-14 10:11:12 -0700[diff] [blame^]41 -recovery
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]42 -servicemanager
43 -system_server
44 -ueventd
45 -uncrypt
46 -vold
47 -zygote
48} rootfs:file r_file_perms;
49auditallow {
50 domain_deprecated
51 -appdomain
52 -healthd
53 -installd
Jeff Vander Stoep9bbe4202017-06-14 10:11:12 -0700[diff] [blame^]54 -recovery
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]55 -servicemanager
56 -system_server
57 -ueventd
58 -uncrypt
59 -vold
60 -zygote
61} rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]62')
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]63
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]64# System file accesses.
65allow domain_deprecated system_file:dir r_dir_perms;
66allow domain_deprecated system_file:file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]67userdebug_or_eng(`
Nick Kralevich68f23362016-11-07 16:14:28 -0800[diff] [blame]68auditallow {
69 domain_deprecated
70 -appdomain
Nick Kralevich49e35882016-11-25 18:00:38 -0800[diff] [blame]71 -fingerprintd
Nick Kralevich68f23362016-11-07 16:14:28 -0800[diff] [blame]72 -installd
Jeff Vander Stoepa1b45602017-02-10 09:39:37 -0800[diff] [blame]73 -keystore
Nick Kralevich68f23362016-11-07 16:14:28 -0800[diff] [blame]74 -rild
75 -surfaceflinger
76 -system_server
Jeff Vander Stoepa1b45602017-02-10 09:39:37 -0800[diff] [blame]77 -update_engine
78 -vold
Nick Kralevich68f23362016-11-07 16:14:28 -0800[diff] [blame]79 -zygote
80} system_file:dir { open read ioctl lock }; # search getattr in domain
81auditallow {
82 domain_deprecated
83 -appdomain
Nick Kralevich68f23362016-11-07 16:14:28 -0800[diff] [blame]84 -rild
85 -surfaceflinger
86 -system_server
87 -zygote
88} system_file:file { ioctl lock }; # read open getattr in domain
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]89')
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]90
91# Read files already opened under /data.
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]92allow domain_deprecated system_data_file:file { getattr read };
93allow domain_deprecated system_data_file:lnk_file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]94userdebug_or_eng(`
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]95auditallow {
96 domain_deprecated
97 -appdomain
98 -sdcardd
99 -system_server
100 -tee
101} system_data_file:file { getattr read };
102auditallow {
103 domain_deprecated
104 -appdomain
105 -system_server
106 -tee
107} system_data_file:lnk_file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]108')
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]109
110# Read apk files under /data/app.
111allow domain_deprecated apk_data_file:dir { getattr search };
112allow domain_deprecated apk_data_file:file r_file_perms;
113allow domain_deprecated apk_data_file:lnk_file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]114userdebug_or_eng(`
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]115auditallow {
116 domain_deprecated
117 -appdomain
118 -dex2oat
119 -installd
120 -system_server
121} apk_data_file:dir { getattr search };
122auditallow {
123 domain_deprecated
124 -appdomain
125 -dex2oat
126 -installd
127 -system_server
128} apk_data_file:file r_file_perms;
129auditallow {
130 domain_deprecated
131 -appdomain
132 -dex2oat
133 -installd
134 -system_server
135} apk_data_file:lnk_file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]136')
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]137
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]138# Read already opened /cache files.
Nick Kralevichd5464732016-01-16 08:15:52 -0800[diff] [blame]139allow domain_deprecated cache_file:dir r_dir_perms;
140allow domain_deprecated cache_file:file { getattr read };
Nick Kralevichdc37ea72016-01-07 12:56:54 -0800[diff] [blame]141allow domain_deprecated cache_file:lnk_file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]142userdebug_or_eng(`
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]143auditallow {
144 domain_deprecated
Jeff Vander Stoep9bbe4202017-06-14 10:11:12 -0700[diff] [blame^]145 -recovery
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]146 -system_server
147 -vold
148} cache_file:dir { open read search ioctl lock };
149auditallow {
150 domain_deprecated
151 -appdomain
Jeff Vander Stoep9bbe4202017-06-14 10:11:12 -0700[diff] [blame^]152 -recovery
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]153 -system_server
154 -vold
155} cache_file:dir getattr;
156auditallow {
157 domain_deprecated
Jeff Vander Stoep9bbe4202017-06-14 10:11:12 -0700[diff] [blame^]158 -recovery
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]159 -system_server
160 -vold
161} cache_file:file { getattr read };
162auditallow {
163 domain_deprecated
164 -system_server
165 -vold
166} cache_file:lnk_file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]167')
Felipe Leme549ccf72015-12-22 12:37:17 -0800[diff] [blame]168
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]169# Read access to pseudo filesystems.
170r_dir_file(domain_deprecated, proc)
Jeff Vander Stoepa2c40552016-09-13 11:03:36 -0700[diff] [blame]171r_dir_file(domain_deprecated, sysfs)
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]172r_dir_file(domain_deprecated, cgroup)
Nick Kralevich7a35c132016-03-31 14:11:50 -0700[diff] [blame]173allow domain_deprecated proc_meminfo:file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]174
175userdebug_or_eng(`
Jeff Vander Stoepa1b45602017-02-10 09:39:37 -0800[diff] [blame]176auditallow {
177 domain_deprecated
178 -fsck
179 -fsck_untrusted
Jeff Vander Stoepa1b45602017-02-10 09:39:37 -0800[diff] [blame]180 -rild
181 -sdcardd
182 -system_server
183 -update_engine
184 -vold
185} proc:file r_file_perms;
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]186auditallow {
187 domain_deprecated
188 -fsck
189 -fsck_untrusted
190 -rild
191 -system_server
192 -vold
193} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
194auditallow {
195 domain_deprecated
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]196 -fingerprintd
197 -healthd
198 -netd
199 -rild
Jeff Vander Stoep9bbe4202017-06-14 10:11:12 -0700[diff] [blame^]200 -recovery
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]201 -system_app
202 -surfaceflinger
203 -system_server
204 -tee
205 -ueventd
206 -vold
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]207} sysfs:dir { open getattr read ioctl lock }; # search granted in domain
208auditallow {
209 domain_deprecated
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]210 -fingerprintd
211 -healthd
212 -netd
213 -rild
Jeff Vander Stoep9bbe4202017-06-14 10:11:12 -0700[diff] [blame^]214 -recovery
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]215 -system_app
216 -surfaceflinger
217 -system_server
218 -tee
219 -ueventd
220 -vold
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]221} sysfs:file r_file_perms;
222auditallow {
223 domain_deprecated
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]224 -fingerprintd
225 -healthd
226 -netd
227 -rild
Jeff Vander Stoep9bbe4202017-06-14 10:11:12 -0700[diff] [blame^]228 -recovery
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]229 -system_app
230 -surfaceflinger
231 -system_server
232 -tee
233 -ueventd
234 -vold
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]235} sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
Nick Kralevich2c8ea362016-10-29 08:07:12 -0700[diff] [blame]236auditallow {
237 domain_deprecated
238 -appdomain
239 -dumpstate
240 -fingerprintd
241 -healthd
Nick Kralevich2c8ea362016-10-29 08:07:12 -0700[diff] [blame]242 -inputflinger
243 -installd
244 -keystore
245 -netd
246 -rild
247 -surfaceflinger
248 -system_server
249 -zygote
250} cgroup:dir r_dir_perms;
251auditallow {
252 domain_deprecated
253 -appdomain
254 -dumpstate
255 -fingerprintd
256 -healthd
Nick Kralevich2c8ea362016-10-29 08:07:12 -0700[diff] [blame]257 -inputflinger
258 -installd
259 -keystore
260 -netd
261 -rild
262 -surfaceflinger
263 -system_server
264 -zygote
265} cgroup:{ file lnk_file } r_file_perms;
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]266auditallow {
267 domain_deprecated
268 -appdomain
269 -surfaceflinger
270 -system_server
271 -vold
272} proc_meminfo:file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]273')