| Alex Klyubin | f5446eb | 2017-03-23 14:27:32 -0700 | [diff] [blame] | 1 | typeattribute kernel coredomain; |
| 2 | |
| dcashman | cc39f63 | 2016-07-22 13:13:11 -0700 | [diff] [blame] | 3 | domain_auto_trans(kernel, init_exec, init) |
| David Anderson | f4cba7e | 2020-12-02 21:15:08 -0800 | [diff] [blame] | 4 | domain_auto_trans(kernel, snapuserd_exec, snapuserd) |
| Andreas Gampe | d6fdcef | 2019-03-18 10:54:42 -0700 | [diff] [blame] | 5 | |
| 6 | # Allow the kernel to read otapreopt_chroot's file descriptors and files under |
| 7 | # /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex. |
| 8 | allow kernel otapreopt_chroot:fd use; |
| 9 | allow kernel postinstall_file:file read; |
| David Anderson | f4cba7e | 2020-12-02 21:15:08 -0800 | [diff] [blame] | 10 | |
| 11 | # The following sections are for the transition period during a Virtual A/B |
| 12 | # OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct |
| 13 | # context, and with properly labelled devices. This must be done before |
| 14 | # enabling enforcement, eg, in permissive mode while still in the kernel |
| 15 | # context. |
| 16 | allow kernel tmpfs:blk_file { getattr relabelfrom }; |
| 17 | allow kernel tmpfs:chr_file { getattr relabelfrom }; |
| 18 | allow kernel tmpfs:lnk_file { getattr relabelfrom }; |
| 19 | allow kernel tmpfs:dir { open read relabelfrom }; |
| 20 | |
| 21 | allow kernel block_device:blk_file relabelto; |
| 22 | allow kernel block_device:lnk_file relabelto; |
| 23 | allow kernel dm_device:chr_file relabelto; |
| 24 | allow kernel dm_device:blk_file relabelto; |
| 25 | allow kernel dm_user_device:dir { read open search relabelto }; |
| 26 | allow kernel dm_user_device:chr_file relabelto; |
| 27 | allow kernel kmsg_device:chr_file relabelto; |
| 28 | allow kernel null_device:chr_file relabelto; |
| 29 | allow kernel random_device:chr_file relabelto; |
| 30 | allow kernel snapuserd_exec:file relabelto; |
| 31 | |
| 32 | allow kernel kmsg_device:chr_file write; |
| Howard Chen | 4db8cbd | 2021-01-14 15:27:50 +0800 | [diff] [blame] | 33 | allow kernel gsid:fd use; |
| Jeff Vander Stoep | bc0fa66 | 2021-12-03 15:21:54 +0100 | [diff] [blame] | 34 | |
| Inseob Kim | 75806ef | 2024-03-27 17:18:41 +0900 | [diff] [blame] | 35 | allow kernel self:global_capability_class_set sys_nice; |
| 36 | |
| 37 | # Root fs. |
| 38 | r_dir_file(kernel, rootfs) |
| 39 | |
| 40 | # Used to read androidboot.selinux property |
| 41 | allow kernel { |
| 42 | proc_bootconfig |
| 43 | proc_cmdline |
| 44 | }:file r_file_perms; |
| 45 | |
| 46 | # Get SELinux enforcing status. |
| 47 | allow kernel selinuxfs:dir r_dir_perms; |
| 48 | allow kernel selinuxfs:file r_file_perms; |
| 49 | |
| 50 | # Get file contexts during first stage |
| 51 | allow kernel file_contexts_file:file r_file_perms; |
| 52 | |
| 53 | # Allow init relabel itself. |
| 54 | allow kernel rootfs:file relabelfrom; |
| 55 | allow kernel init_exec:file relabelto; |
| 56 | # TODO: investigate why we need this. |
| 57 | allow kernel init:process share; |
| 58 | |
| 59 | # cgroup filesystem initialization prior to setting the cgroup root directory label. |
| 60 | allow kernel unlabeled:dir search; |
| 61 | |
| 62 | # Mount usbfs. |
| 63 | allow kernel usbfs:filesystem mount; |
| 64 | allow kernel usbfs:dir search; |
| 65 | |
| 66 | # Initial setenforce by init prior to switching to init domain. |
| 67 | # We use dontaudit instead of allow to prevent a kernel spawned userspace |
| 68 | # process from turning off SELinux once enabled. |
| 69 | dontaudit kernel self:security setenforce; |
| 70 | |
| 71 | # Write to /proc/1/oom_adj prior to switching to init domain. |
| 72 | allow kernel self:global_capability_class_set sys_resource; |
| 73 | |
| 74 | # Init reboot before switching selinux domains under certain error |
| 75 | # conditions. Allow it. |
| 76 | # As part of rebooting, init writes "u" to /proc/sysrq-trigger to |
| 77 | # remount filesystems read-only. /data is not mounted at this point, |
| 78 | # so we could ignore this. For now, we allow it. |
| 79 | allow kernel self:global_capability_class_set sys_boot; |
| 80 | allow kernel proc_sysrq:file w_file_perms; |
| 81 | |
| 82 | # Allow writing to /dev/kmsg which was created prior to loading policy. |
| 83 | allow kernel tmpfs:chr_file write; |
| 84 | |
| 85 | # Set checkreqprot by init.rc prior to switching to init domain. |
| 86 | allow kernel selinuxfs:file write; |
| 87 | allow kernel self:security setcheckreqprot; |
| 88 | |
| 89 | # kernel thread "loop0", used by the loop block device, for ASECs (b/17158723) |
| 90 | allow kernel { sdcard_type fuse }:file { read write }; |
| 91 | |
| 92 | # f_mtp driver accesses files from kernel context. |
| 93 | allow kernel mediaprovider:fd use; |
| 94 | |
| 95 | # Allow the kernel to read OBB files from app directories. (b/17428116) |
| 96 | # Kernel thread "loop0" reads a vold supplied file descriptor. |
| 97 | # Fixes CTS tests: |
| 98 | # * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal |
| 99 | # * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs |
| 100 | allow kernel vold:fd use; |
| 101 | allow kernel { app_data_file privapp_data_file }:file read; |
| 102 | allow kernel asec_image_file:file read; |
| 103 | |
| 104 | # Allow mounting loop device in update_engine_unittests. (b/28319454) |
| 105 | # and for LTP kernel tests (b/73220071) |
| 106 | userdebug_or_eng(` |
| 107 | allow kernel update_engine_data_file:file { read write }; |
| 108 | allow kernel nativetest_data_file:file { read write }; |
| 109 | ') |
| 110 | |
| 111 | # Access to /data/media. |
| 112 | # This should be removed if sdcardfs is modified to alter the secontext for its |
| 113 | # accesses to the underlying FS. |
| 114 | allow kernel media_rw_data_file:dir create_dir_perms; |
| 115 | allow kernel media_rw_data_file:file create_file_perms; |
| 116 | |
| 117 | # Access to /data/misc/vold/virtual_disk. |
| 118 | allow kernel vold_data_file:file { read write }; |
| 119 | |
| 120 | # Allow the kernel to read APEX file descriptors and (staged) data files; |
| 121 | # Needed because APEX uses the loopback driver, which issues requests from |
| 122 | # a kernel thread in earlier kernel version. |
| 123 | allow kernel apexd:fd use; |
| 124 | allow kernel { |
| 125 | apex_data_file |
| 126 | staging_data_file |
| 127 | vendor_apex_file |
| 128 | }:file read; |
| 129 | # Also allow the kernel to read/write /data/local/tmp files via loop device |
| 130 | # for ApexTestCases and fiemap_image_test. |
| 131 | userdebug_or_eng(` |
| 132 | allow kernel shell_data_file:file { read write }; |
| 133 | ') |
| 134 | |
| 135 | # Allow the first-stage init (which is running in the kernel domain) to execute the |
| 136 | # dynamic linker when it re-executes /init to switch into the second stage. |
| 137 | # Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed |
| 138 | # before the domain is switched to the target domain. So, we need to allow the kernel |
| 139 | # domain (the source domain) to execute the dynamic linker (system_file type). |
| 140 | # TODO(b/110147943) remove these allow rules when we no longer need to support Linux |
| 141 | # kernel older than 4.8. |
| 142 | allow kernel system_file:file execute; |
| 143 | # The label for the dynamic linker is rootfs in the recovery partition. This is because |
| 144 | # the recovery partition which is rootfs does not support xattr and thus labeling can't be |
| 145 | # done at build-time. All files are by default labeled as rootfs upon booting. |
| 146 | recovery_only(` |
| 147 | allow kernel rootfs:file execute; |
| 148 | ') |
| 149 | |
| 150 | # required by VTS lidbm unit test |
| 151 | allow kernel appdomain_tmpfs:file { read write }; |
| 152 | |
| Akilesh Kailash | 1044702 | 2022-07-26 21:26:01 +0000 | [diff] [blame] | 153 | dontaudit kernel metadata_file:dir search; |
| 154 | dontaudit kernel ota_metadata_file:dir rw_dir_perms; |
| 155 | dontaudit kernel sysfs:dir r_dir_perms; |
| 156 | dontaudit kernel sysfs:file { open read write }; |
| 157 | dontaudit kernel sysfs:chr_file { open read write }; |
| 158 | dontaudit kernel dm_device:chr_file ioctl; |
| 159 | dontaudit kernel self:capability { sys_admin setgid mknod }; |
| 160 | |
| 161 | dontaudit kernel dm_user_device:dir { write add_name }; |
| 162 | dontaudit kernel dm_user_device:chr_file { create setattr }; |
| 163 | dontaudit kernel tmpfs:lnk_file read; |
| 164 | dontaudit kernel tmpfs:blk_file { open read }; |
| Inseob Kim | 75806ef | 2024-03-27 17:18:41 +0900 | [diff] [blame] | 165 | |
| 166 | ### |
| 167 | ### neverallow rules |
| 168 | ### |
| 169 | |
| 170 | # The initial task starts in the kernel domain (assigned via |
| 171 | # initial_sid_contexts), but nothing ever transitions to it. |
| 172 | neverallow * kernel:process { transition dyntransition }; |
| 173 | |
| 174 | # The kernel domain is never entered via an exec, nor should it |
| 175 | # ever execute a program outside the rootfs without changing to another domain. |
| 176 | # If you encounter an execute_no_trans denial on the kernel domain, then |
| 177 | # possible causes include: |
| 178 | # - The program is a kernel usermodehelper. In this case, define a domain |
| 179 | # for the program and domain_auto_trans() to it. |
| 180 | # - You are running an exploit which switched to the init task credentials |
| 181 | # and is then trying to exec a shell or other program. You lose! |
| 182 | neverallow kernel *:file { entrypoint execute_no_trans }; |
| 183 | |
| 184 | # the kernel should not be accessing files owned by other users. |
| 185 | # Instead of adding dac_{read_search,override}, fix the unix permissions |
| 186 | # on files being accessed. |
| 187 | neverallow kernel self:global_capability_class_set { dac_override dac_read_search }; |
| 188 | |
| 189 | # Nobody should be ptracing kernel threads |
| 190 | neverallow * kernel:process ptrace; |