

# ==============================================
# MTK Policy Rule
# ==============================================
# Do not allow access to the generic system_data_file label. This is
# too broad.
# Instead, if access to part of system_data_file is desired, it should
# have a more specific label.
# TODO: Remove merged_hal_service and so on once there are no violations.
#
# allow hal_drm system_data_file:file { getattr read };
# hal_server_domain(merged_hal_service, hal_drm)
#
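full_treble_only(`
  # Ceiling for system_data_file:file. Every coredomain type is denied all
  # file permissions on the generic label; the subtracted domains each get a
  # narrower neverallow of their own below. asan_extract (ASAN builds only)
  # is subtracted here but receives no narrower rule in this block.
  neverallow {
    coredomain
    -appdomain
    -app_zygote
    -dumpstate
    -init
    -installd
    -iorap_prefetcherd
    -iorap_inode2filename
    -logd
    -mediadrmserver
    -mediaextractor
    -mediaserver
    -runas
    -sdcardd
    -simpleperf_app_runner
    -storaged
    -system_server
    -toolbox
    -vold
    -vold_prepare_subdirs
    with_asan(`-asan_extract')
    -zygote
  } system_data_file:file *;

  # Apps and the app zygote: at most getattr, read and map.
  neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };

  # Consumers that only need to read: capped at r_file_perms.
  neverallow {
    dumpstate
    logd
    runas
    sdcardd
    simpleperf_app_runner
    storaged
    zygote
  } system_data_file:file ~r_file_perms;

  # init may create, read, write, setattr, relabel, unlink and map, nothing
  # else (getattr is listed once; it appeared twice in the original set).
  neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map relabelto };

  # installd: inspect, relabel away from the generic label, and delete.
  neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };

  # iorap: the prefetcher may only open and read; inode2filename only getattr.
  neverallow iorap_prefetcherd system_data_file:file ~{ open read };
  neverallow iorap_inode2filename system_data_file:file ~getattr;

  # Media daemons: read and getattr only.
  neverallow {
    mediadrmserver
    mediaextractor
    mediaserver
  } system_data_file:file ~{ read getattr };

  # system_server: full file management plus relabelfrom and link.
  neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };

  # toolbox and vold_prepare_subdirs: inspect and delete only.
  neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };

  # vold: read only.
  neverallow vold system_data_file:file ~read;

  # Ceiling for system_data_file:lnk_file. Every domain NOT in this set is
  # denied all symlink permissions; the listed ones are capped below.
  # asan_extract and zygote are listed here but receive no narrower
  # lnk_file rule in this block.
  neverallow ~{
    appdomain
    app_zygote
    dexoptanalyzer
    init
    installd
    iorap_prefetcherd
    iorap_inode2filename
    logd
    rs
    runas
    simpleperf_app_runner
    system_server
    tee
    vold
    webview_zygote
    with_asan(`asan_extract')
    zygote
  } system_data_file:lnk_file *;

  # Read-only symlink access for apps, app/webview zygotes and logd.
  neverallow {
    appdomain
    app_zygote
    logd
    webview_zygote
  } system_data_file:lnk_file ~r_file_perms;

  # dexoptanalyzer and vold: getattr only.
  neverallow { dexoptanalyzer vold } system_data_file:lnk_file ~getattr;

  # init: read, create, setattr, relabel both ways, unlink.
  neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };

  # installd: create, inspect, read, setattr, unlink, relabelfrom.
  neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };

  # iorap: prefetcher may open and read; inode2filename may also getattr.
  neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };
  neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr };

  # rs: read only.
  neverallow rs system_data_file:lnk_file ~{ read };

  # runas, simpleperf_app_runner, tee: read and getattr only.
  neverallow {
    runas
    simpleperf_app_runner
    tee
  } system_data_file:lnk_file ~{ read getattr };

  # system_server: full symlink management, no relabeling.
  neverallow system_server system_data_file:lnk_file ~create_file_perms;
')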
# Do not allow access to the generic device label. This is too broad.
# Instead, if access to part of device is desired, it should have a
# more specific label.
# TODO: Remove hal_camera and so on once there are no violations.
#
# allow hal_camera device:dir r_dir_perms;
# hal_client_domain(cameraserver, hal_camera)
#
full_treble_only(`
  # Ceiling for device:dir. coredomain types may do no more than search and
  # getattr on directories carrying the generic label; the subtracted domains
  # each get their own ceiling below. otapreopt_chroot is subtracted here but
  # receives no narrower device:dir rule in this block.
  neverallow {
    coredomain
    -cameraserver
    -fastbootd
    -hal_camera
    -init
    -otapreopt_chroot
    -recovery
    -shell
    -slideshow
    -system_server
    -ueventd
    -vendor_init
    -vold
  } device:dir ~{ search getattr };

  # init: directory management, mounting on, and relabeling to another type.
  neverallow init device:dir ~{ create_dir_perms mounton relabelto };

  # Read-only directory access (r_dir_perms) for these carve-outs.
  neverallow {
    cameraserver
    fastbootd
    hal_camera
    recovery
    shell
    slideshow
    system_server
  } device:dir ~r_dir_perms;

  # vendor_init: same as init minus relabelto.
  neverallow vendor_init device:dir ~{ create_dir_perms mounton };

  # vold: lookup, getattr and write, nothing more.
  neverallow vold device:dir ~{ search getattr write };

  # ueventd: capped at create_dir_perms (no mounton, no relabeling).
  neverallow ueventd device:dir ~create_dir_perms;
')