##################################### # domain_trans(olddomain, type, newdomain) # Allow a transition from olddomain to newdomain # upon executing a file labeled with type. # This only allows the transition; it does not # cause it to occur automatically - use domain_auto_trans # if that is what you want. # define(`domain_trans', ` # Old domain may exec the file and transition to the new domain. allow $1 $2:file { getattr open read execute map }; allow $1 $3:process transition; # New domain is entered by executing the file. allow $3 $2:file { entrypoint open read execute getattr map }; # New domain can send SIGCHLD to its caller. ifelse($1, `init', `', `allow $3 $1:process sigchld;') # Enable AT_SECURE, i.e. libc secure mode. dontaudit $1 $3:process noatsecure; # XXX dontaudit candidate but requires further study. allow $1 $3:process { siginh rlimitinh }; ') ##################################### # domain_auto_trans(olddomain, type, newdomain) # Automatically transition from olddomain to newdomain # upon executing a file labeled with type. # define(`domain_auto_trans', ` # Allow the necessary permissions. domain_trans($1,$2,$3) # Make the transition occur by default. type_transition $1 $2:process $3; ') ##################################### # file_type_trans(domain, dir_type, file_type) # Allow domain to create a file labeled file_type in a # directory labeled dir_type. # This only allows the transition; it does not # cause it to occur automatically - use file_type_auto_trans # if that is what you want. # define(`file_type_trans', ` # Allow the domain to add entries to the directory. allow $1 $2:dir ra_dir_perms; # Allow the domain to create the file. allow $1 $3:notdevfile_class_set create_file_perms; allow $1 $3:dir create_dir_perms; ') ##################################### # file_type_auto_trans(domain, dir_type, file_type) # Automatically label new files with file_type when # they are created by domain in directories labeled dir_type. # define(`file_type_auto_trans', ` # Allow the necessary permissions. file_type_trans($1, $2, $3) # Make the transition occur by default. type_transition $1 $2:dir $3; type_transition $1 $2:notdevfile_class_set $3; ') ##################################### # r_dir_file(domain, type) # Allow the specified domain to read directories, files # and symbolic links of the specified type. define(`r_dir_file', ` allow $1 $2:dir r_dir_perms; allow $1 $2:{ file lnk_file } r_file_perms; ') ##################################### # tmpfs_domain(domain) # Allow access to a unique type for this domain when creating tmpfs / ashmem files. define(`tmpfs_domain', ` type_transition $1 tmpfs:file $1_tmpfs; allow $1 $1_tmpfs:file { read write getattr map }; ') # pdx macros for IPC. pdx is a high-level name which contains transport-specific # rules from underlying transport (e.g. UDS-based implementation). ##################################### # pdx_service_attributes(service) # Defines type attribute used to identify various service-related types. define(`pdx_service_attributes', ` attribute pdx_$1_endpoint_dir_type; attribute pdx_$1_endpoint_socket_type; attribute pdx_$1_channel_socket_type; attribute pdx_$1_server_type; ') ##################################### # pdx_service_socket_types(service, endpoint_dir_t) # Define types for endpoint and channel sockets. define(`pdx_service_socket_types', ` typeattribute $2 pdx_$1_endpoint_dir_type; type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject; type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket; userdebug_or_eng(` dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *; dontaudit su pdx_$1_channel_socket:unix_stream_socket *; ') ') ##################################### # pdx_server(server_domain, service) define(`pdx_server', ` # Mark the server domain as a PDX server. typeattribute $1 pdx_$2_server_type; # Allow the init process to create the initial endpoint socket. allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind }; # Allow the server domain to use the endpoint socket and accept connections on it. # Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights # than we need (e.g. we don"t need "bind" or "connect"). allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept }; # Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()). allow $1 self:process setsockcreate; # Allow the server domain to create a client channel socket. allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms; # Prevent other processes from claiming to be a server for the same service. neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept }; ') ##################################### # pdx_connect(client, service) define(`pdx_connect', ` # Allow client to open the service endpoint file. allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms; allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms; # Allow the client to connect to endpoint socket. allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown }; ') ##################################### # pdx_use(client, service) define(`pdx_use', ` # Allow the client to use the PDX channel socket. # Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights # than we need (e.g. we don"t need "bind" or "connect"). allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown }; # Client needs to use an channel event fd from the server. allow $1 pdx_$2_server_type:fd use; # Servers may receive sync fences, gralloc buffers, etc, from clients. # This could be tightened on a per-server basis, but keeping track of service # clients is error prone. allow pdx_$2_server_type $1:fd use; ') ##################################### # pdx_client(client, service) define(`pdx_client', ` pdx_connect($1, $2) pdx_use($1, $2) ') ##################################### # init_daemon_domain(domain) # Set up a transition from init to the daemon domain # upon executing its binary. define(`init_daemon_domain', ` domain_auto_trans(init, $1_exec, $1) ') ##################################### # app_domain(domain) # Allow a base set of permissions required for all apps. define(`app_domain', ` typeattribute $1 appdomain; # Label tmpfs objects for all apps. type_transition $1 tmpfs:file appdomain_tmpfs; allow $1 appdomain_tmpfs:file { execute getattr map read write }; neverallow { $1 -runas_app -shell } { domain -$1 }:file no_rw_file_perms; neverallow { appdomain -runas_app -shell -$1 } $1:file no_rw_file_perms; # The Android security model guarantees the confidentiality and integrity # of application data and execution state. Ptrace bypasses those # confidentiality guarantees. Disallow ptrace access from system components # to apps. Crash_dump is excluded, as it needs ptrace access to # produce stack traces. llkd is excluded, as it needs to inspect # the kernel stack for live lock conditions. runas_app is excluded, as it can # only access debuggable apps. neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app } $1:process ptrace; ') ##################################### # untrusted_app_domain(domain) # Allow a base set of permissions required for all untrusted apps. define(`untrusted_app_domain', ` typeattribute $1 untrusted_app_all; ') ##################################### # net_domain(domain) # Allow a base set of permissions required for network access. define(`net_domain', ` typeattribute $1 netdomain; ') ##################################### # bluetooth_domain(domain) # Allow a base set of permissions required for bluetooth access. define(`bluetooth_domain', ` typeattribute $1 bluetoothdomain; ') ##################################### # hal_attribute(hal_name) # Add an attribute for hal implementations along with necessary # restrictions. define(`hal_attribute', ` attribute hal_$1; expandattribute hal_$1 true; attribute hal_$1_client; expandattribute hal_$1_client true; attribute hal_$1_server; expandattribute hal_$1_server false; neverallow { hal_$1_server -halserverdomain } domain:process fork; # hal_*_client and halclientdomain attributes are always expanded for # performance reasons. Neverallow rules targeting expanded attributes can not be # verified by CTS since these attributes are already expanded by that time. build_test_only(` neverallow { hal_$1_server -hal_$1 } domain:process fork; neverallow { hal_$1_client -halclientdomain } domain:process fork; ') ') ##################################### # hal_server_domain(domain, hal_type) # Allow a base set of permissions required for a domain to offer a # HAL implementation of the specified type over HwBinder. # # For example, default implementation of Foo HAL: # type hal_foo_default, domain; # hal_server_domain(hal_foo_default, hal_foo) # define(`hal_server_domain', ` typeattribute $1 halserverdomain; typeattribute $1 $2_server; typeattribute $1 $2; ') ##################################### # hal_client_domain(domain, hal_type) # Allow a base set of permissions required for a domain to be a # client of a HAL of the specified type. # # For example, make some_domain a client of Foo HAL: # hal_client_domain(some_domain, hal_foo) # define(`hal_client_domain', ` typeattribute $1 halclientdomain; typeattribute $1 $2_client; # TODO(b/34170079): Make the inclusion of the rules below conditional also on # non-Treble devices. For now, on non-Treble device, always grant clients of a # HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). not_full_treble(` typeattribute $1 $2; # Find passthrough HAL implementations allow $2 system_file:dir r_dir_perms; allow $2 vendor_file:dir r_dir_perms; allow $2 vendor_file:file { read open getattr execute map }; ') ') ##################################### # passthrough_hal_client_domain(domain, hal_type) # Allow a base set of permissions required for a domain to be a # client of a passthrough HAL of the specified type. # # For example, make some_domain a client of passthrough Foo HAL: # passthrough_hal_client_domain(some_domain, hal_foo) # define(`passthrough_hal_client_domain', ` typeattribute $1 halclientdomain; typeattribute $1 $2_client; typeattribute $1 $2; # Find passthrough HAL implementations allow $2 system_file:dir r_dir_perms; allow $2 vendor_file:dir r_dir_perms; allow $2 vendor_file:file { read open getattr execute map }; ') ##################################### # unix_socket_connect(clientdomain, socket, serverdomain) # Allow a local socket connection from clientdomain via # socket to serverdomain. # # Note: If you see denial records that distill to the # following allow rules: # allow clientdomain property_socket:sock_file write; # allow clientdomain init:unix_stream_socket connectto; # allow clientdomain something_prop:property_service set; # # This sequence is indicative of attempting to set a property. # use set_prop(sourcedomain, targetproperty) # define(`unix_socket_connect', ` allow $1 $2_socket:sock_file write; allow $1 $3:unix_stream_socket connectto; ') ##################################### # set_prop(sourcedomain, targetproperty) # Allows source domain to set the # targetproperty. # define(`set_prop', ` unix_socket_connect($1, property, init) allow $1 $2:property_service set; get_prop($1, $2) ') ##################################### # get_prop(sourcedomain, targetproperty) # Allows source domain to read the # targetproperty. # define(`get_prop', ` allow $1 $2:file { getattr open read map }; ') ##################################### # unix_socket_send(clientdomain, socket, serverdomain) # Allow a local socket send from clientdomain via # socket to serverdomain. define(`unix_socket_send', ` allow $1 $2_socket:sock_file write; allow $1 $3:unix_dgram_socket sendto; ') ##################################### # binder_use(domain) # Allow domain to use Binder IPC. define(`binder_use', ` # Call the servicemanager and transfer references to it. allow $1 servicemanager:binder { call transfer }; # servicemanager performs getpidcon on clients. allow servicemanager $1:dir search; allow servicemanager $1:file { read open }; allow servicemanager $1:process getattr; # rw access to /dev/binder and /dev/ashmem is presently granted to # all domains in domain.te. ') ##################################### # hwbinder_use(domain) # Allow domain to use HwBinder IPC. define(`hwbinder_use', ` # Call the hwservicemanager and transfer references to it. allow $1 hwservicemanager:binder { call transfer }; # Allow hwservicemanager to send out callbacks allow hwservicemanager $1:binder { call transfer }; # hwservicemanager performs getpidcon on clients. allow hwservicemanager $1:dir search; allow hwservicemanager $1:file { read open map }; allow hwservicemanager $1:process getattr; # rw access to /dev/hwbinder and /dev/ashmem is presently granted to # all domains in domain.te. ') ##################################### # vndbinder_use(domain) # Allow domain to use Binder IPC. define(`vndbinder_use', ` # Talk to the vndbinder device node allow $1 vndbinder_device:chr_file rw_file_perms; # Call the vndservicemanager and transfer references to it. allow $1 vndservicemanager:binder { call transfer }; # vndservicemanager performs getpidcon on clients. allow vndservicemanager $1:dir search; allow vndservicemanager $1:file { read open map }; allow vndservicemanager $1:process getattr; ') ##################################### # binder_call(clientdomain, serverdomain) # Allow clientdomain to perform binder IPC to serverdomain. define(`binder_call', ` # Call the server domain and optionally transfer references to it. allow $1 $2:binder { call transfer }; # Allow the serverdomain to transfer references to the client on the reply. allow $2 $1:binder transfer; # Receive and use open files from the server. allow $1 $2:fd use; ') ##################################### # binder_service(domain) # Mark a domain as being a Binder service domain. # Used to allow binder IPC to the various system services. define(`binder_service', ` typeattribute $1 binderservicedomain; ') ##################################### # wakelock_use(domain) # Allow domain to manage wake locks define(`wakelock_use', ` # TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is # deprecated. # Access /sys/power/wake_lock and /sys/power/wake_unlock allow $1 sysfs_wake_lock:file rw_file_perms; # Accessing these files requires CAP_BLOCK_SUSPEND allow $1 self:global_capability2_class_set block_suspend; # system_suspend permissions binder_call($1, system_suspend_server) allow $1 system_suspend_hwservice:hwservice_manager find; # halclientdomain permissions hwbinder_use($1) get_prop($1, hwservicemanager_prop) allow $1 hidl_manager_hwservice:hwservice_manager find; ') ##################################### # selinux_check_access(domain) # Allow domain to check SELinux permissions via selinuxfs. define(`selinux_check_access', ` r_dir_file($1, selinuxfs) allow $1 selinuxfs:file w_file_perms; allow $1 kernel:security compute_av; allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; ') ##################################### # selinux_check_context(domain) # Allow domain to check SELinux contexts via selinuxfs. define(`selinux_check_context', ` r_dir_file($1, selinuxfs) allow $1 selinuxfs:file w_file_perms; allow $1 kernel:security check_context; ') ##################################### # create_pty(domain) # Allow domain to create and use a pty, isolated from any other domain ptys. define(`create_pty', ` # Each domain gets a unique devpts type. type $1_devpts, fs_type; # Label the pty with the unique type when created. type_transition $1 devpts:chr_file $1_devpts; # Allow use of the pty after creation. allow $1 $1_devpts:chr_file { open getattr read write ioctl }; allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls; # TIOCSTI is only ever used for exploits. Block it. # b/33073072, b/7530569 # http://www.openwall.com/lists/oss-security/2016/09/26/14 neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI; # Note: devpts:dir search and ptmx_device:chr_file rw_file_perms # allowed to everyone via domain.te. ') ##################################### # Non system_app application set # define(`non_system_app_set', `{ appdomain -system_app }') ##################################### # Recovery only # SELinux rules which apply only to recovery mode # define(`recovery_only', ifelse(target_recovery, `true', $1, )) ##################################### # Full TREBLE only # SELinux rules which apply only to full TREBLE devices # define(`full_treble_only', ifelse(target_full_treble, `true', $1, ifelse(target_full_treble, `cts', # BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify $1 # END_TREBLE_ONLY -- this marker is used by CTS -- do not modify , ))) ##################################### # Not full TREBLE # SELinux rules which apply only to devices which are not full TREBLE devices # define(`not_full_treble', ifelse(target_full_treble, `true', , $1)) ##################################### # Compatible property only # SELinux rules which apply only to devices with compatible property # define(`compatible_property_only', ifelse(target_compatible_property, `true', $1, ifelse(target_compatible_property, `cts', # BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify $1 # END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify , ))) ##################################### # Not compatible property # SELinux rules which apply only to devices without compatible property # define(`not_compatible_property', ifelse(target_compatible_property, `true', , $1)) ##################################### # Userdebug or eng builds # SELinux rules which apply only to userdebug or eng builds # define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1))) ##################################### # asan builds # SELinux rules which apply only to asan builds # define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), )) ##################################### # native coverage builds # SELinux rules which apply only to builds with native coverage # define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), )) ##################################### # Build-time-only test # SELinux rules which are verified during build, but not as part of *TS testing. # define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1)) #################################### # Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp). # define(`crash_dump_fallback', ` userdebug_or_eng(` allow $1 su:fifo_file append; ') allow $1 anr_data_file:file append; allow $1 dumpstate:fd use; allow $1 incidentd:fd use; # TODO: Figure out why write is needed. allow $1 dumpstate:fifo_file { append write }; allow $1 incidentd:fifo_file { append write }; allow $1 system_server:fifo_file { append write }; allow $1 tombstoned:unix_stream_socket connectto; allow $1 tombstoned:fd use; allow $1 tombstoned_crash_socket:sock_file write; allow $1 tombstone_data_file:file append; ') ##################################### # WITH_DEXPREOPT builds # SELinux rules which apply only when pre-opting. # define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1)) ##################################### # write_logd(domain) # Ability to write to android log # daemon via sockets define(`write_logd', ` unix_socket_send($1, logdw, logd) allow $1 pmsg_device:chr_file w_file_perms; ') ##################################### # read_logd(domain) # Ability to run logcat and read from android # log daemon via sockets define(`read_logd', ` allow $1 logcat_exec:file rx_file_perms; unix_socket_connect($1, logdr, logd) ') ##################################### # read_runtime_log_tags(domain) # ability to directly map the runtime event log tags define(`read_runtime_log_tags', ` allow $1 runtime_event_log_tags_file:file r_file_perms; ') ##################################### # control_logd(domain) # Ability to control # android log daemon via sockets define(`control_logd', ` # Group AID_LOG checked by filesystem & logd # to permit control commands unix_socket_connect($1, logd, logd) ') ##################################### # use_keystore(domain) # Ability to use keystore. # Keystore is requires the following permissions # to call getpidcon. define(`use_keystore', ` allow keystore $1:dir search; allow keystore $1:file { read open }; allow keystore $1:process getattr; allow $1 keystore_service:service_manager find; binder_call($1, keystore) binder_call(keystore, $1) ') ########################################### # use_drmservice(domain) # Ability to use DrmService which requires # DrmService to call getpidcon. define(`use_drmservice', ` allow drmserver $1:dir search; allow drmserver $1:file { read open }; allow drmserver $1:process getattr; ') ########################################### # add_service(domain, service) # Ability for domain to add a service to service_manager # and find it. It also creates a neverallow preventing # others from adding it. define(`add_service', ` allow $1 $2:service_manager { add find }; neverallow { domain -$1 } $2:service_manager add; ') ########################################### # add_hwservice(domain, service) # Ability for domain to add a service to hwservice_manager # and find it. It also creates a neverallow preventing # others from adding it. define(`add_hwservice', ` allow $1 $2:hwservice_manager { add find }; allow $1 hidl_base_hwservice:hwservice_manager add; neverallow { domain -$1 } $2:hwservice_manager add; ') ########################################### # hal_attribute_hwservice(attribute, service) # Ability for domain to get a service to hwservice_manager # and find it. It also creates a neverallow preventing # others from adding it. # # Used to pair hal_foo_client with hal_foo_hwservice define(`hal_attribute_hwservice', ` allow $1_client $2:hwservice_manager find; add_hwservice($1_server, $2) build_test_only(` neverallow { domain -$1_client -$1_server } $2:hwservice_manager find; ') ') ################################### # can_profile_heap(domain) # Allow processes within the domain to have their heap profiled by heapprofd. # # Note that profiling is performed differently between debug and user builds. # This macro covers both user and debug builds, but see # can_profile_heap_userdebug_or_eng for a variant that can be used when # allowing profiling for a domain only on debug builds, without granting # the exec permission. The exec permission is necessary for user builds, but # only a nice-to-have for development and testing purposes on debug builds. define(`can_profile_heap', ` # Allow central daemon to send signal for client initialization. allow heapprofd $1:process signal; # Allow executing a private heapprofd process to handle profiling on # user builds (also debug builds for testing & development purposes). allow $1 heapprofd_exec:file rx_file_perms; # Allow directory & file read to the central heapprofd daemon, as it scans # /proc/[pid]/cmdline for by-process-name profiling configs. # Note that this excludes /proc/[pid]/mem, as it requires ptrace capabilities. allow heapprofd $1:file r_file_perms; allow heapprofd $1:dir r_dir_perms; # Profilability on user implies profilability on userdebug and eng. can_profile_heap_userdebug_or_eng($1) ') ################################### # can_profile_heap_userdebug_or_eng(domain) # Allow processes within the domain to have their heap profiled by heapprofd on # debug builds only. # # Only necessary when can_profile_heap cannot be applied, see its description # for rationale. define(`can_profile_heap_userdebug_or_eng', ` userdebug_or_eng(` # Allow central daemon to send signal for client initialization. allow heapprofd $1:process signal; # Allow connecting to the daemon. unix_socket_connect($1, heapprofd, heapprofd) # Allow daemon to use the passed fds. allow heapprofd $1:fd use; # Allow to read and write to heapprofd shmem. # The client needs to read the read and write pointers in order to write. allow $1 heapprofd_tmpfs:file { read write getattr map }; # Use shared memory received over the unix socket. allow $1 heapprofd:fd use; # To read from the received file descriptors. # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the # process they relate to. allow heapprofd $1:file r_file_perms; # Allow searching the /proc/[pid] directory for cmdline. allow heapprofd $1:dir r_dir_perms; ') ') ################################### # never_profile_heap(domain) # Opt out of heap profiling by heapprofd. define(`never_profile_heap', ` neverallow heapprofd $1:file read; neverallow heapprofd $1:process signal; ')