Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / dd57e698869ace5d13bcffa377aa7068d0031b20 / . / public / domain_deprecated.te
blob: ad84af9be1631c1df373475d33e1d7a3c8f390a9 [file] [log] [blame]
Jeff Vander Stoepd22987b2015-11-03 09:54:39 -0800[diff] [blame]1# rules removed from the domain attribute
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]2
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]3# Search /storage/emulated tmpfs mount.
Jeff Sharkeydd57e692017-05-03 10:52:59 -0600[diff] [blame^]4allow { domain_deprecated -installd } tmpfs:dir r_dir_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]5userdebug_or_eng(`
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]6auditallow {
7 domain_deprecated
8 -appdomain
Jeff Sharkeydd57e692017-05-03 10:52:59 -0600[diff] [blame^]9 -installd
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]10 -sdcardd
11 -surfaceflinger
12 -system_server
13 -vold
14 -zygote
15} tmpfs:dir r_dir_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]16')
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]17
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]18# Root fs.
19allow domain_deprecated rootfs:dir r_dir_perms;
20allow domain_deprecated rootfs:file r_file_perms;
21allow domain_deprecated rootfs:lnk_file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]22userdebug_or_eng(`
Jeff Vander Stoepa1b45602017-02-10 09:39:37 -0800[diff] [blame]23auditallow {
24 domain_deprecated
25 -fsck
26 -healthd
Jeff Vander Stoepa1b45602017-02-10 09:39:37 -0800[diff] [blame]27 -installd
28 -servicemanager
29 -system_server
30 -ueventd
31 -uncrypt
32 -vold
33 -zygote
34} rootfs:dir { open getattr read ioctl lock }; # search granted in domain
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]35auditallow {
36 domain_deprecated
37 -healthd
38 -installd
39 -servicemanager
40 -system_server
41 -ueventd
42 -uncrypt
43 -vold
44 -zygote
45} rootfs:file r_file_perms;
46auditallow {
47 domain_deprecated
48 -appdomain
49 -healthd
50 -installd
51 -servicemanager
52 -system_server
53 -ueventd
54 -uncrypt
55 -vold
56 -zygote
57} rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]58')
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]59
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]60# System file accesses.
61allow domain_deprecated system_file:dir r_dir_perms;
62allow domain_deprecated system_file:file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]63userdebug_or_eng(`
Nick Kralevich68f23362016-11-07 16:14:28 -0800[diff] [blame]64auditallow {
65 domain_deprecated
66 -appdomain
Nick Kralevich49e35882016-11-25 18:00:38 -0800[diff] [blame]67 -fingerprintd
Nick Kralevich68f23362016-11-07 16:14:28 -0800[diff] [blame]68 -installd
Jeff Vander Stoepa1b45602017-02-10 09:39:37 -0800[diff] [blame]69 -keystore
Nick Kralevich68f23362016-11-07 16:14:28 -0800[diff] [blame]70 -rild
71 -surfaceflinger
72 -system_server
Jeff Vander Stoepa1b45602017-02-10 09:39:37 -0800[diff] [blame]73 -update_engine
74 -vold
Nick Kralevich68f23362016-11-07 16:14:28 -0800[diff] [blame]75 -zygote
76} system_file:dir { open read ioctl lock }; # search getattr in domain
77auditallow {
78 domain_deprecated
79 -appdomain
Nick Kralevich68f23362016-11-07 16:14:28 -0800[diff] [blame]80 -rild
81 -surfaceflinger
82 -system_server
83 -zygote
84} system_file:file { ioctl lock }; # read open getattr in domain
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]85')
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]86
87# Read files already opened under /data.
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]88allow domain_deprecated system_data_file:file { getattr read };
89allow domain_deprecated system_data_file:lnk_file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]90userdebug_or_eng(`
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]91auditallow {
92 domain_deprecated
93 -appdomain
94 -sdcardd
95 -system_server
96 -tee
97} system_data_file:file { getattr read };
98auditallow {
99 domain_deprecated
100 -appdomain
101 -system_server
102 -tee
103} system_data_file:lnk_file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]104')
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]105
106# Read apk files under /data/app.
107allow domain_deprecated apk_data_file:dir { getattr search };
108allow domain_deprecated apk_data_file:file r_file_perms;
109allow domain_deprecated apk_data_file:lnk_file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]110userdebug_or_eng(`
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]111auditallow {
112 domain_deprecated
113 -appdomain
114 -dex2oat
115 -installd
116 -system_server
117} apk_data_file:dir { getattr search };
118auditallow {
119 domain_deprecated
120 -appdomain
121 -dex2oat
122 -installd
123 -system_server
124} apk_data_file:file r_file_perms;
125auditallow {
126 domain_deprecated
127 -appdomain
128 -dex2oat
129 -installd
130 -system_server
131} apk_data_file:lnk_file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]132')
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]133
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]134# Read already opened /cache files.
Nick Kralevichd5464732016-01-16 08:15:52 -0800[diff] [blame]135allow domain_deprecated cache_file:dir r_dir_perms;
136allow domain_deprecated cache_file:file { getattr read };
Nick Kralevichdc37ea72016-01-07 12:56:54 -0800[diff] [blame]137allow domain_deprecated cache_file:lnk_file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]138userdebug_or_eng(`
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]139auditallow {
140 domain_deprecated
141 -system_server
142 -vold
143} cache_file:dir { open read search ioctl lock };
144auditallow {
145 domain_deprecated
146 -appdomain
147 -system_server
148 -vold
149} cache_file:dir getattr;
150auditallow {
151 domain_deprecated
152 -system_server
153 -vold
154} cache_file:file { getattr read };
155auditallow {
156 domain_deprecated
157 -system_server
158 -vold
159} cache_file:lnk_file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]160')
Felipe Leme549ccf72015-12-22 12:37:17 -0800[diff] [blame]161
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]162# Read access to pseudo filesystems.
163r_dir_file(domain_deprecated, proc)
Jeff Vander Stoepa2c40552016-09-13 11:03:36 -0700[diff] [blame]164r_dir_file(domain_deprecated, sysfs)
Jeff Vander Stoep6e3506e2015-11-05 15:24:22 -0800[diff] [blame]165r_dir_file(domain_deprecated, cgroup)
Nick Kralevich7a35c132016-03-31 14:11:50 -0700[diff] [blame]166allow domain_deprecated proc_meminfo:file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]167
168userdebug_or_eng(`
Jeff Vander Stoepa1b45602017-02-10 09:39:37 -0800[diff] [blame]169auditallow {
170 domain_deprecated
171 -fsck
172 -fsck_untrusted
Jeff Vander Stoepa1b45602017-02-10 09:39:37 -0800[diff] [blame]173 -rild
174 -sdcardd
175 -system_server
176 -update_engine
177 -vold
178} proc:file r_file_perms;
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]179auditallow {
180 domain_deprecated
181 -fsck
182 -fsck_untrusted
183 -rild
184 -system_server
185 -vold
186} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
187auditallow {
188 domain_deprecated
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]189 -fingerprintd
190 -healthd
191 -netd
192 -rild
193 -system_app
194 -surfaceflinger
195 -system_server
196 -tee
197 -ueventd
198 -vold
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]199} sysfs:dir { open getattr read ioctl lock }; # search granted in domain
200auditallow {
201 domain_deprecated
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]202 -fingerprintd
203 -healthd
204 -netd
205 -rild
206 -system_app
207 -surfaceflinger
208 -system_server
209 -tee
210 -ueventd
211 -vold
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]212} sysfs:file r_file_perms;
213auditallow {
214 domain_deprecated
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]215 -fingerprintd
216 -healthd
217 -netd
218 -rild
219 -system_app
220 -surfaceflinger
221 -system_server
222 -tee
223 -ueventd
224 -vold
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]225} sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
Nick Kralevich2c8ea362016-10-29 08:07:12 -0700[diff] [blame]226auditallow {
227 domain_deprecated
228 -appdomain
229 -dumpstate
230 -fingerprintd
231 -healthd
Nick Kralevich2c8ea362016-10-29 08:07:12 -0700[diff] [blame]232 -inputflinger
233 -installd
234 -keystore
235 -netd
236 -rild
237 -surfaceflinger
238 -system_server
239 -zygote
240} cgroup:dir r_dir_perms;
241auditallow {
242 domain_deprecated
243 -appdomain
244 -dumpstate
245 -fingerprintd
246 -healthd
Nick Kralevich2c8ea362016-10-29 08:07:12 -0700[diff] [blame]247 -inputflinger
248 -installd
249 -keystore
250 -netd
251 -rild
252 -surfaceflinger
253 -system_server
254 -zygote
255} cgroup:{ file lnk_file } r_file_perms;
Nick Kralevichb59c2012017-02-10 12:06:46 -0800[diff] [blame]256auditallow {
257 domain_deprecated
258 -appdomain
259 -surfaceflinger
260 -system_server
261 -vold
262} proc_meminfo:file r_file_perms;
Nick Kralevich596dd092017-02-10 12:58:41 -0800[diff] [blame]263')