Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 88e4be54a66cf4cfa9616f89b6622ced2b774c1a / . / public / domain_deprecated.te
blob: 6a51e617e8385454b7f3d182621c02cabd7e3dd0 [file] [log] [blame]
Jeff Vander Stoepd22987b2015-11-03 09:54:39 -0800[diff] [blame]1# rules removed from the domain attribute
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]2
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]3# Search /storage/emulated tmpfs mount.
4allow domain_deprecated tmpfs:dir r_dir_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]5userdebug_or_eng(`
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]6auditallow {
7 domain_deprecated
8 -appdomain
9 -sdcardd
10 -surfaceflinger
11 -system_server
12 -vold
13 -zygote
14} tmpfs:dir r_dir_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]15')
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]16
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]17# Root fs.
18allow domain_deprecated rootfs:dir r_dir_perms;
19allow domain_deprecated rootfs:file r_file_perms;
20allow domain_deprecated rootfs:lnk_file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]21userdebug_or_eng(`
Jeff Vander Stoepa1b45602017-02-10 09:39:37 -0800[diff] [blame]22auditallow {
23 domain_deprecated
24 -fsck
25 -healthd
Jeff Vander Stoepa1b45602017-02-10 09:39:37 -0800[diff] [blame]26 -installd
27 -servicemanager
28 -system_server
29 -ueventd
30 -uncrypt
31 -vold
32 -zygote
33} rootfs:dir { open getattr read ioctl lock }; # search granted in domain
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]34auditallow {
35 domain_deprecated
36 -healthd
37 -installd
38 -servicemanager
39 -system_server
40 -ueventd
41 -uncrypt
42 -vold
43 -zygote
44} rootfs:file r_file_perms;
45auditallow {
46 domain_deprecated
47 -appdomain
48 -healthd
49 -installd
50 -servicemanager
51 -system_server
52 -ueventd
53 -uncrypt
54 -vold
55 -zygote
56} rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]57')
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]58
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]59# System file accesses.
60allow domain_deprecated system_file:dir r_dir_perms;
61allow domain_deprecated system_file:file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]62userdebug_or_eng(`
Nick Kralevich68f23362016-11-07 16:14:28 -0800[diff] [blame]63auditallow {
64 domain_deprecated
65 -appdomain
Nick Kralevich49e35882016-11-25 18:00:38 -0800[diff] [blame]66 -fingerprintd
Nick Kralevich68f23362016-11-07 16:14:28 -0800[diff] [blame]67 -installd
Jeff Vander Stoepa1b45602017-02-10 09:39:37 -0800[diff] [blame]68 -keystore
Nick Kralevich68f23362016-11-07 16:14:28 -0800[diff] [blame]69 -rild
70 -surfaceflinger
71 -system_server
Jeff Vander Stoepa1b45602017-02-10 09:39:37 -0800[diff] [blame]72 -update_engine
73 -vold
Nick Kralevich68f23362016-11-07 16:14:28 -0800[diff] [blame]74 -zygote
75} system_file:dir { open read ioctl lock }; # search getattr in domain
76auditallow {
77 domain_deprecated
78 -appdomain
Nick Kralevich68f23362016-11-07 16:14:28 -0800[diff] [blame]79 -rild
80 -surfaceflinger
81 -system_server
82 -zygote
83} system_file:file { ioctl lock }; # read open getattr in domain
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]84')
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]85
86# Read files already opened under /data.
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]87allow domain_deprecated system_data_file:file { getattr read };
88allow domain_deprecated system_data_file:lnk_file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]89userdebug_or_eng(`
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]90auditallow {
91 domain_deprecated
92 -appdomain
93 -sdcardd
94 -system_server
95 -tee
96} system_data_file:file { getattr read };
97auditallow {
98 domain_deprecated
99 -appdomain
100 -system_server
101 -tee
102} system_data_file:lnk_file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]103')
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]104
105# Read apk files under /data/app.
106allow domain_deprecated apk_data_file:dir { getattr search };
107allow domain_deprecated apk_data_file:file r_file_perms;
108allow domain_deprecated apk_data_file:lnk_file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]109userdebug_or_eng(`
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]110auditallow {
111 domain_deprecated
112 -appdomain
113 -dex2oat
114 -installd
115 -system_server
116} apk_data_file:dir { getattr search };
117auditallow {
118 domain_deprecated
119 -appdomain
120 -dex2oat
121 -installd
122 -system_server
123} apk_data_file:file r_file_perms;
124auditallow {
125 domain_deprecated
126 -appdomain
127 -dex2oat
128 -installd
129 -system_server
130} apk_data_file:lnk_file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]131')
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]132
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]133# Read already opened /cache files.
Nick Kralevichd5464732016-01-16 08:15:52 -0800[diff] [blame]134allow domain_deprecated cache_file:dir r_dir_perms;
135allow domain_deprecated cache_file:file { getattr read };
Nick Kralevichdc37ea72016-01-07 12:56:54 -0800[diff] [blame]136allow domain_deprecated cache_file:lnk_file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]137userdebug_or_eng(`
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]138auditallow {
139 domain_deprecated
140 -system_server
141 -vold
142} cache_file:dir { open read search ioctl lock };
143auditallow {
144 domain_deprecated
145 -appdomain
146 -system_server
147 -vold
148} cache_file:dir getattr;
149auditallow {
150 domain_deprecated
151 -system_server
152 -vold
153} cache_file:file { getattr read };
154auditallow {
155 domain_deprecated
156 -system_server
157 -vold
158} cache_file:lnk_file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]159')
Felipe Leme549ccf72015-12-22 12:37:17 -0800[diff] [blame]160
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]161# Read access to pseudo filesystems.
162r_dir_file(domain_deprecated, proc)
Jeff Vander Stoepa2c40552016-09-13 11:03:36 -0700[diff] [blame]163r_dir_file(domain_deprecated, sysfs)
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]164r_dir_file(domain_deprecated, cgroup)
Nick Kralevich7a35c132016-03-31 14:11:50 -0700[diff] [blame]165allow domain_deprecated proc_meminfo:file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]166
167userdebug_or_eng(`
Jeff Vander Stoepa1b45602017-02-10 09:39:37 -0800[diff] [blame]168auditallow {
169 domain_deprecated
170 -fsck
171 -fsck_untrusted
Jeff Vander Stoepa1b45602017-02-10 09:39:37 -0800[diff] [blame]172 -rild
173 -sdcardd
174 -system_server
175 -update_engine
176 -vold
177} proc:file r_file_perms;
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]178auditallow {
179 domain_deprecated
180 -fsck
181 -fsck_untrusted
182 -rild
183 -system_server
184 -vold
185} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
186auditallow {
187 domain_deprecated
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]188 -fingerprintd
189 -healthd
190 -netd
191 -rild
192 -system_app
193 -surfaceflinger
194 -system_server
195 -tee
196 -ueventd
197 -vold
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]198} sysfs:dir { open getattr read ioctl lock }; # search granted in domain
199auditallow {
200 domain_deprecated
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]201 -fingerprintd
202 -healthd
203 -netd
204 -rild
205 -system_app
206 -surfaceflinger
207 -system_server
208 -tee
209 -ueventd
210 -vold
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]211} sysfs:file r_file_perms;
212auditallow {
213 domain_deprecated
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]214 -fingerprintd
215 -healthd
216 -netd
217 -rild
218 -system_app
219 -surfaceflinger
220 -system_server
221 -tee
222 -ueventd
223 -vold
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]224} sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
Nick Kralevich2c8ea362016-10-29 08:07:12 -0700[diff] [blame]225auditallow {
226 domain_deprecated
227 -appdomain
228 -dumpstate
229 -fingerprintd
230 -healthd
Nick Kralevich2c8ea362016-10-29 08:07:12 -0700[diff] [blame]231 -inputflinger
232 -installd
233 -keystore
234 -netd
235 -rild
236 -surfaceflinger
237 -system_server
238 -zygote
239} cgroup:dir r_dir_perms;
240auditallow {
241 domain_deprecated
242 -appdomain
243 -dumpstate
244 -fingerprintd
245 -healthd
Nick Kralevich2c8ea362016-10-29 08:07:12 -0700[diff] [blame]246 -inputflinger
247 -installd
248 -keystore
249 -netd
250 -rild
251 -surfaceflinger
252 -system_server
253 -zygote
254} cgroup:{ file lnk_file } r_file_perms;
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]255auditallow {
256 domain_deprecated
257 -appdomain
258 -surfaceflinger
259 -system_server
260 -vold
261} proc_meminfo:file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]262')