# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122)
# The su exclusion is wrapped in userdebug_or_eng() because the su type only
# exists on those builds; on user builds the transition applies to all of domain.
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
# SIGCHLD delivery between a crashing process and its crash_dump helper;
# pairs with the transition above.
allow domain crash_dump:process sigchld;

# Allow every process to check the heapprofd.enable properties to determine
# whether to load the heap profiling library. This does not necessarily enable
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);
# Allow heap profiling on debug builds.
# The whole grant is inside userdebug_or_eng(), so on user builds no domain
# receives it; the exclusions below are the early-boot / privileged daemons that
# are kept out of it even on debug builds.
userdebug_or_eng(`can_profile_heap_userdebug_or_eng({
    domain
    -bpfloader
    -init
    -kernel
    -keystore
    -llkd
    -logd
    -logpersist
    -recovery
    -recovery_persist
    -recovery_refresh
    -ueventd
    -vendor_init
    -vold
})')

# Path resolution access in cgroups.
# Every domain may traverse cgroup directories; write access to cgroup dirs and
# files is granted to all domains except apps and rs (rs is spawned by apps,
# see the app-data rules below).
allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;

# Read-only access to the cgroup configuration and task profile files.
# Writing cgroup_rc_file is restricted to init/vendor_init by a neverallow
# further down in this file.
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
allow domain vendor_task_profiles_file:file r_file_perms;

# Allow all domains to read sys.use_memfd to determine
# if memfd support can be used if device supports it
get_prop(domain, use_memfd_prop);

# For now, everyone can access core property files
# Device specific properties are not granted by default
# Two mutually exclusive variants: without compatible properties every domain
# reads the property types listed; with compatible properties the same list is
# limited to coredomain/appdomain/shell, and vendor_default_prop goes to the
# non-core, non-app domains instead.
not_compatible_property(`
    get_prop(domain, core_property_type)
    get_prop(domain, exported_dalvik_prop)
    get_prop(domain, exported_ffs_prop)
    get_prop(domain, exported_system_radio_prop)
    get_prop(domain, exported2_config_prop)
    get_prop(domain, exported2_radio_prop)
    get_prop(domain, exported2_system_prop)
    get_prop(domain, exported2_vold_prop)
    get_prop(domain, exported3_default_prop)
    get_prop(domain, exported3_radio_prop)
    get_prop(domain, exported3_system_prop)
    get_prop(domain, vendor_default_prop)
')
compatible_property_only(`
    get_prop({coredomain appdomain shell}, core_property_type)
    get_prop({coredomain appdomain shell}, exported_dalvik_prop)
    get_prop({coredomain appdomain shell}, exported_ffs_prop)
    get_prop({coredomain appdomain shell}, exported_system_radio_prop)
    get_prop({coredomain appdomain shell}, exported2_config_prop)
    get_prop({coredomain appdomain shell}, exported2_radio_prop)
    get_prop({coredomain appdomain shell}, exported2_system_prop)
    get_prop({coredomain appdomain shell}, exported2_vold_prop)
    get_prop({coredomain appdomain shell}, exported3_default_prop)
    get_prop({coredomain appdomain shell}, exported3_radio_prop)
    get_prop({coredomain appdomain shell}, exported3_system_prop)
    get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')

# Allow access to fsverity keyring.
# Only `search' is granted on the keys below: domains can look keys up but the
# keyring is not writable through these rules.
allow domain kernel:key search;
# Allow access to keys in the fsverity keyring that were installed at boot.
allow domain fsverity_init:key search;
# For testing purposes, allow access to keys installed with su.
# Debug builds only, matching where the su domain exists.
userdebug_or_eng(`
    allow domain su:key search;
')

# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
# neverallow rules are policy-compile-time assertions: an allow rule anywhere
# in the policy that contradicts one fails the build rather than producing a
# runtime denial. Three of the exemptions here (llkd, incidentd, perfprofd)
# exist only on userdebug/eng builds.
neverallow {
    domain
    -vold
    userdebug_or_eng(`-llkd')
    -dumpstate
    userdebug_or_eng(`-incidentd')
    -storaged
    -system_server
    userdebug_or_eng(`-perfprofd')
} self:global_capability_class_set sys_ptrace;

# Limit ability to generate hardware unique device ID attestations to priv_apps
# `*' as the target: no keystore_key type of any kind may be used for this by a
# non-priv_app domain.
neverallow { domain -priv_app } *:keystore_key gen_unique_id;

# debugfs tracing: on user builds only init and vendor_init may read/write it.
# On userdebug/eng builds `-domain' removes every domain from the set, so the
# assertion is intentionally vacuous there.
neverallow {
    domain
    -init
    -vendor_init
    userdebug_or_eng(`-domain')
} debugfs_tracing_debug:file no_rw_file_perms;

# System_server owns dropbox data, and init creates/restorecons the directory
# Disallow direct access by other processes.
# Other domains get no directory permissions at all and, on files, nothing
# beyond getattr/read.
neverallow { domain -init -system_server } dropbox_data_file:dir *;
neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };

###
# Services should respect app sandboxes
# NOTE(review): this exact rule appears a second time below (the block that
# precedes the relabelfrom/relabelto rule); the two are identical and one copy
# could be dropped without changing the policy.
neverallow {
    domain
    -appdomain
    -installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };

# Only the following processes should be directly accessing private app
# directories.
# perfprofd is only exempt on userdebug/eng builds.
neverallow {
    domain
    -adbd
    -appdomain
    -app_zygote
    -dexoptanalyzer
    -installd
    userdebug_or_eng(`-perfprofd')
    -profman
    -rs # spawned by appdomain, so carryover the exception above
    -runas
    -system_server
    -viewcompiler
} { privapp_data_file app_data_file }:dir *;

# Only apps should be modifying app data. installd is exempted for
# restorecon and package install/uninstall.
# Everything beyond r_dir_perms is forbidden for the remaining domains.
neverallow {
    domain
    -appdomain
    -installd
    -rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:dir ~r_dir_perms;

# Opening app data files (any file class) is limited to apps, app_zygote,
# installd, rs and (debug builds only) perfprofd.
neverallow {
    domain
    -appdomain
    -app_zygote
    -installd
    userdebug_or_eng(`-perfprofd')
    -rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;

# Duplicate of the "Services should respect app sandboxes" rule above.
neverallow {
    domain
    -appdomain
    -installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };

# Only installd may relabel app data; apps themselves are not exempt here.
neverallow {
    domain
    -installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };

# The staging directory contains APEX and APK files. It is important to ensure
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
# Net effect of the four rules: init and system_server are unrestricted; apexd
# and installd may access staged dirs/files but, per the last rule, may not
# modify file contents (only link/unlink are left to them); kernel is exempt
# only from the broad `:file *' rule and stays subject to the write rule.
neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
neverallow { domain -init -system_server -apexd -kernel -installd } staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
neverallow { domain -init -system_server } staging_data_file:file
    { append create relabelfrom rename setattr write no_x_file_perms };

# No execution from any filesystem type other than rootfs, except the three
# cases noted inline.
neverallow {
    domain
    -appdomain # for oemfs
    -bootanim # for oemfs
    -recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;

#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few whitelisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
#
# Exemptions bracketed in userdebug_or_eng()/with_asan() only exist on those
# builds; appdomain, shell, system_server_startup and the zygotes are exempt
# on every build. The target set is every file_type minus the system, vendor,
# exec and postinstall types, i.e. the locations executables are expected in.
neverallow {
    domain
    -appdomain
    with_asan(`-asan_extract')
    -shell
    userdebug_or_eng(`-su')
    -system_server_startup # for memfd backed executable regions
    -app_zygote
    -webview_zygote
    -zygote
    userdebug_or_eng(`-mediaextractor')
    userdebug_or_eng(`-mediaswcodec')
} {
    file_type
    -system_file_type
    -system_lib_file
    -system_linker_exec
    -vendor_file_type
    -exec_type
    -postinstall_file
}:file execute;

# Only init is allowed to write cgroup.rc file
# (vendor_init is exempt as well; the read grant for all domains is above.)
neverallow {
    domain
    -init
    -vendor_init
} cgroup_rc_file:file no_w_file_perms;

# Only authorized processes should be writing to files in /data/dalvik-cache
# The file rule here and the dir rule below exempt the same nine domains,
# listed in a different order; keep the two lists in sync when editing.
neverallow {
    domain
    -init # TODO: limit init to relabelfrom for files
    -zygote
    -installd
    -postinstall_dexopt
    -cppreopts
    -dex2oat
    -otapreopt_slot
    -art_apex_postinstall
    -art_apex_boot_integrity
} dalvikcache_data_file:file no_w_file_perms;

neverallow {
    domain
    -init
    -installd
    -postinstall_dexopt
    -cppreopts
    -dex2oat
    -zygote
    -otapreopt_slot
    -art_apex_boot_integrity
    -art_apex_postinstall
} dalvikcache_data_file:dir no_w_dir_perms;

# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
# m4 macro holding the allow-list; `~dac_override_allowed' below negates it,
# so every type not listed here is forbidden the capability.
# NOTE(review): llkd is guarded with userdebug_or_eng() here, consistent with
# the sys_ptrace list above, but perfprofd is listed unconditionally even
# though every other mention of it in this file is userdebug_or_eng()-guarded;
# confirm that is intentional.
define(`dac_override_allowed', `{
    dnsmasq
    dumpstate
    init
    installd
    install_recovery
    userdebug_or_eng(`llkd')
    lmkd
    netd
    perfprofd
    postinstall_dexopt
    recovery
    rss_hwm_reset
    sdcardd
    tee
    ueventd
    uncrypt
    vendor_init
    vold
    vold_prepare_subdirs
    zygote
}')
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
# have dac_override should also have dac_read_search to eliminate spurious
# denials. Some domains have dac_read_search without having dac_override, so
# this list should be a superset of the one above.
neverallow ~{
    dac_override_allowed
    traced_probes
    userdebug_or_eng(`heapprofd')
} self:global_capability_class_set dac_read_search;

# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
# The fastbootd exemption applies only in the recovery policy and only on
# userdebug/eng builds (nested macro guards).
neverallow {
    domain
    -apexd
    recovery_only(`userdebug_or_eng(`-fastbootd')')
    -init
    -kernel
    -otapreopt_chroot
    -recovery
    -update_engine
    -vold
    -zygote
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };

# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
# As with the debugfs rule above, `-domain' on userdebug/eng empties the set;
# the restriction below is therefore only asserted on user builds.
neverallow {
    domain
    userdebug_or_eng(`-domain')
    -kernel
    -gsid
    -init
    -recovery
    -ueventd
    -healthd
    -uncrypt
    -tee
    -hal_bootctl_server
} self:global_capability_class_set sys_rawio;