You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
572 lines
14 KiB
572 lines
14 KiB
# ==============================================
|
|
# MTK Policy Rule
|
|
# ==============================================
|
|
|
|
# Rules for all domains.
|
|
|
|
# Do not allow access to the generic sysfs label. This is too broad.
|
|
# Instead, if access to part of sysfs is desired, it should have a
|
|
# more specific label.
|
|
full_treble_only(`
|
|
neverallow * sysfs:{ chr_file blk_file sock_file fifo_file } *;
|
|
|
|
neverallow {
|
|
coredomain
|
|
-init
|
|
-ueventd
|
|
-vold
|
|
} sysfs:file *;
|
|
|
|
neverallow {
|
|
init
|
|
ueventd
|
|
vold
|
|
} sysfs:file ~{ r_file_perms write setattr append relabelfrom relabelto };
|
|
|
|
neverallow ~{
|
|
init
|
|
ueventd
|
|
} sysfs:lnk_file ~r_file_perms;
|
|
|
|
neverallow {
|
|
init
|
|
ueventd
|
|
} sysfs:lnk_file ~{ r_file_perms setattr relabelfrom relabelto };
|
|
|
|
neverallow ~{
|
|
init
|
|
otapreopt_chroot
|
|
ueventd
|
|
vendor_init
|
|
} sysfs:dir ~r_dir_perms;
|
|
|
|
neverallow {
|
|
init
|
|
otapreopt_chroot
|
|
ueventd
|
|
vendor_init
|
|
} sysfs:dir ~{ r_dir_perms relabelfrom relabelto mounton setattr };
|
|
')
|
|
|
|
|
|
# Do not allow access to the generic proc label. This is too broad.
|
|
# Instead, if access to part of proc is desired, it should have a
|
|
# more specific label.
|
|
# TODO: Remove mtk_hal_audio/audioserver and so on once there are no violations.
|
|
#
|
|
# r_dir_file(hal_audio, proc)
|
|
# hal_server_domain(mtk_hal_audio, hal_audio)
|
|
# hal_client_domain(audioserver, hal_audio)
|
|
#
|
|
full_treble_only(`
|
|
neverallow * proc:{ chr_file blk_file sock_file fifo_file } *;
|
|
|
|
neverallow {
|
|
coredomain
|
|
-audioserver
|
|
-bluetooth
|
|
-init
|
|
-system_server
|
|
-vold
|
|
} proc:file *;
|
|
|
|
neverallow {
|
|
audioserver
|
|
bluetooth
|
|
init
|
|
system_server
|
|
vold
|
|
} proc:file ~r_file_perms;
|
|
|
|
neverallow vendor_init proc:file ~{ read setattr map open };
|
|
|
|
neverallow {
|
|
coredomain
|
|
-audioserver
|
|
-bluetooth
|
|
-init
|
|
-system_server
|
|
} proc:lnk_file ~{ read getattr };
|
|
|
|
neverallow {
|
|
audioserver
|
|
bluetooth
|
|
init
|
|
system_server
|
|
} proc:lnk_file ~r_file_perms;
|
|
|
|
neverallow ~{
|
|
init
|
|
vendor_init
|
|
} proc:dir ~{ r_file_perms search };
|
|
|
|
neverallow {
|
|
init
|
|
vendor_init
|
|
} proc:dir ~{ r_file_perms search setattr };
|
|
')
|
|
|
|
|
|
# Do not allow access to the generic debugfs label. This is too broad.
|
|
# Instead, if access to part of debugfs is desired, it should have a
|
|
# more specific label.
|
|
full_treble_only(`
|
|
neverallow * debugfs:{ chr_file blk_file sock_file fifo_file } *;
|
|
|
|
neverallow ~{
|
|
dumpstate
|
|
init
|
|
vendor_init
|
|
} debugfs:file *;
|
|
|
|
neverallow dumpstate debugfs:file ~r_file_perms;
|
|
|
|
neverallow init debugfs:file ~{ getattr relabelfrom open read setattr relabelto };
|
|
|
|
neverallow vendor_init debugfs:file ~{ read setattr open map };
|
|
|
|
neverallow ~init debugfs:lnk_file *;
|
|
|
|
neverallow init debugfs:lnk_file ~{ getattr relabelfrom relabelto };
|
|
|
|
neverallow ~{
|
|
init
|
|
vendor_init
|
|
} debugfs:dir ~{ search getattr };
|
|
|
|
neverallow init debugfs:dir ~{ search getattr relabelfrom open read setattr relabelto userdebug_or_eng(`mounton') };
|
|
|
|
neverallow vendor_init debugfs:dir ~{ search getattr read setattr open };
|
|
')
|
|
|
|
|
|
# Do not allow access to the generic system_data_file label. This is
|
|
# too broad.
|
|
# Instead, if access to part of system_data_file is desired, it should
|
|
# have a more specific label.
|
|
# TODO: Remove merged_hal_service and so on once there are no violations.
|
|
#
|
|
# allow hal_drm system_data_file:file { getattr read };
|
|
# hal_server_domain(merged_hal_service, hal_drm)
|
|
#
|
|
full_treble_only(`
|
|
neverallow ~{
|
|
init
|
|
installd
|
|
system_server
|
|
} system_data_file:{ chr_file blk_file sock_file fifo_file } *;
|
|
|
|
neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };
|
|
|
|
neverallow init system_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };
|
|
|
|
neverallow installd system_data_file:{ chr_file blk_file } *;
|
|
|
|
neverallow installd system_data_file:{ sock_file fifo_file } ~{ getattr relabelfrom unlink };
|
|
|
|
neverallow system_server system_data_file:{ lnk_file sock_file fifo_file } ~create_file_perms;
|
|
|
|
neverallow {
|
|
coredomain
|
|
-appdomain
|
|
-app_zygote
|
|
-init
|
|
-installd
|
|
-iorap_prefetcherd
|
|
-iorap_inode2filename
|
|
-system_server
|
|
-toolbox
|
|
-vold
|
|
-vold_prepare_subdirs
|
|
with_asan(`-asan_extract')
|
|
} system_data_file:file ~r_file_perms;
|
|
|
|
neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };
|
|
|
|
neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };
|
|
|
|
neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
|
|
|
|
neverallow iorap_inode2filename system_data_file:file ~getattr;
|
|
|
|
neverallow iorap_prefetcherd system_data_file:file ~{ open read };
|
|
|
|
neverallow {
|
|
mediadrmserver
|
|
mediaextractor
|
|
mediaserver
|
|
} system_data_file:file ~{ read getattr };
|
|
|
|
neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };
|
|
|
|
neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };
|
|
|
|
neverallow vold system_data_file:file ~read;
|
|
|
|
with_asan(`
|
|
neverallow asan_extract system_data_file:file ~{ create_file_perms relabelfrom execute };
|
|
')
|
|
|
|
neverallow ~{
|
|
appdomain
|
|
app_zygote
|
|
init
|
|
installd
|
|
iorap_prefetcherd
|
|
iorap_inode2filename
|
|
logd
|
|
rs
|
|
runas
|
|
simpleperf_app_runner
|
|
system_server
|
|
tee
|
|
vold
|
|
webview_zygote
|
|
with_asan(`asan_extract')
|
|
zygote
|
|
} system_data_file:lnk_file ~getattr;
|
|
|
|
neverallow {
|
|
appdomain
|
|
app_zygote
|
|
logd
|
|
webview_zygote
|
|
} system_data_file:lnk_file ~r_file_perms;
|
|
|
|
neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };
|
|
|
|
neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };
|
|
|
|
neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };
|
|
|
|
neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr };
|
|
|
|
neverallow rs system_data_file:lnk_file ~{ read };
|
|
|
|
neverallow {
|
|
runas
|
|
simpleperf_app_runner
|
|
tee
|
|
} system_data_file:lnk_file ~{ read getattr };
|
|
|
|
neverallow system_server system_data_file:lnk_file ~create_file_perms;
|
|
|
|
with_asan(`
|
|
neverallow asan_extract system_data_file:lnk_file ~create_file_perms ;
|
|
')
|
|
|
|
neverallow ~{
|
|
apexd
|
|
init
|
|
installd
|
|
iorap_prefetcherd
|
|
iorap_inode2filename
|
|
system_server
|
|
toolbox
|
|
traced_probes
|
|
vold
|
|
vold_prepare_subdirs
|
|
with_asan(`asan_extract')
|
|
zygote
|
|
} system_data_file:dir ~{ search getattr };
|
|
|
|
neverallow apexd system_data_file:dir ~r_dir_perms;
|
|
|
|
neverallow init system_data_file:dir ~{
|
|
create search getattr open read setattr ioctl
|
|
mounton
|
|
relabelto
|
|
write add_name remove_name rmdir relabelfrom
|
|
};
|
|
|
|
neverallow installd system_data_file:dir ~{ relabelfrom create_dir_perms };
|
|
|
|
neverallow {
|
|
iorap_prefetcherd
|
|
iorap_inode2filename
|
|
traced_probes
|
|
} system_data_file:dir ~{ open read search getattr };
|
|
|
|
neverallow system_server system_data_file:dir ~{ relabelfrom create_dir_perms };
|
|
|
|
neverallow toolbox system_data_file:dir ~{ rmdir rw_dir_perms };
|
|
|
|
neverallow vold system_data_file:dir ~{ create rw_dir_perms mounton setattr rmdir };
|
|
|
|
with_asan(`
|
|
neverallow asan_extract system_data_file:dir ~{ create_dir_perms relabelfrom };
|
|
')
|
|
|
|
neverallow zygote system_data_file:dir ~{ r_dir_perms mounton relabelto };
|
|
')
|
|
|
|
|
|
# Do not allow access to the generic vendor_data_file label. This is
|
|
# too broad.
|
|
# Instead, if access to part of vendor_data_file is desired, it should
|
|
# have a more specific label.
|
|
full_treble_only(`
|
|
neverallow ~{
|
|
init
|
|
vendor_init
|
|
} vendor_data_file:file_class_set *;
|
|
|
|
neverallow {
|
|
init
|
|
vendor_init
|
|
} vendor_data_file:{ chr_file blk_file } ~{ relabelto };
|
|
|
|
neverallow {
|
|
init
|
|
vendor_init
|
|
} vendor_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };
|
|
|
|
neverallow {
|
|
init
|
|
vendor_init
|
|
} vendor_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map relabelto };
|
|
|
|
neverallow {
|
|
init
|
|
vendor_init
|
|
} vendor_data_file:lnk_file ~{ create getattr setattr relabelfrom unlink relabelto };
|
|
|
|
neverallow ~{
|
|
init
|
|
vendor_init
|
|
vold
|
|
vold_prepare_subdirs
|
|
} vendor_data_file:dir ~{ getattr search };
|
|
|
|
neverallow {
|
|
init
|
|
vendor_init
|
|
} vendor_data_file:dir ~{ create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom relabelto };
|
|
|
|
neverallow vold vendor_data_file:dir ~create_dir_perms;
|
|
|
|
neverallow vold_prepare_subdirs vendor_data_file:dir ~{ getattr search open read write add_name remove_name rmdir relabelfrom };
|
|
')
|
|
|
|
# Do not allow access to the generic app_data_file label. This is too broad.
|
|
# Instead, if access to part of app_data_file is desired, it should have a
|
|
# more specific label.
|
|
#full_treble_only(`
|
|
# neverallow * app_data_file:dir_file_class_set *;
|
|
#')
|
|
|
|
# Do not allow access to the generic default_prop label. This is too broad.
|
|
# Instead, if access to part of default_prop is desired, it should have a
|
|
# more specific label.
|
|
#full_treble_only(`
|
|
# neverallow * default_prop:dir_file_class_set *;
|
|
#')
|
|
|
|
# Do not allow access to the generic vendor_default_prop label. This is
|
|
# too broad.
|
|
# Instead, if access to part of vendor_default_prop is desired, it should
|
|
# have a more specific label.
|
|
#full_treble_only(`
|
|
# neverallow * vendor_default_prop:dir_file_class_set *;
|
|
#')
|
|
|
|
# Do not allow access to the generic device label. This is too broad.
|
|
# Instead, if access to part of device is desired, it should have a
|
|
# more specific label.
|
|
# TODO: Remove hal_camera and so on once there are no violations.
|
|
#
|
|
# allow hal_camera device:dir r_dir_perms;
|
|
# hal_client_domain(cameraserver, hal_camera)
|
|
#
|
|
full_treble_only(`
|
|
neverallow * device:{ sock_file fifo_file } *;
|
|
|
|
neverallow ~{
|
|
init
|
|
shell
|
|
ueventd
|
|
vendor_init
|
|
} device:chr_file *;
|
|
|
|
neverallow { init vendor_init } device:chr_file ~setattr;
|
|
|
|
neverallow shell device:chr_file ~getattr;
|
|
|
|
neverallow ueventd device:chr_file ~{ getattr create setattr unlink };
|
|
|
|
neverallow ~{
|
|
dumpstate
|
|
e2fs
|
|
fsck
|
|
fsck_untrusted
|
|
init
|
|
recovery
|
|
shell
|
|
ueventd
|
|
vendor_init
|
|
} device:blk_file *;
|
|
|
|
neverallow {
|
|
dumpstate
|
|
e2fs
|
|
fsck
|
|
fsck_untrusted
|
|
shell
|
|
vendor_init
|
|
} device:blk_file ~getattr;
|
|
|
|
neverallow init device:blk_file ~r_file_perms;
|
|
|
|
neverallow recovery device:blk_file ~rw_file_perms;
|
|
|
|
neverallow ueventd device:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
|
|
|
|
neverallow ~{
|
|
init
|
|
vendor_init
|
|
ueventd
|
|
} device:file *;
|
|
|
|
neverallow init device:file ~{ create_file_perms relabelfrom };
|
|
|
|
neverallow ueventd device:file ~create_file_perms;
|
|
|
|
neverallow vendor_init device:file ~{ read setattr map open getattr };
|
|
|
|
neverallow ~{
|
|
init
|
|
vendor_init
|
|
ueventd
|
|
} device:lnk_file ~r_file_perms;
|
|
|
|
neverallow { init vendor_init } device:lnk_file ~{ r_file_perms create };
|
|
|
|
neverallow ueventd device:lnk_file ~{ r_file_perms create unlink };
|
|
|
|
neverallow {
|
|
coredomain
|
|
-cameraserver
|
|
-fastbootd
|
|
-hal_camera
|
|
-init
|
|
-otapreopt_chroot
|
|
-recovery
|
|
-shell
|
|
-slideshow
|
|
-system_server
|
|
-vendor_init
|
|
-vold
|
|
-ueventd
|
|
} device:dir ~{ search getattr };
|
|
|
|
neverallow {
|
|
cameraserver
|
|
fastbootd
|
|
hal_camera
|
|
system_server
|
|
shell
|
|
slideshow
|
|
recovery
|
|
} device:dir ~r_dir_perms;
|
|
|
|
neverallow init device:dir ~{ create_dir_perms mounton relabelto };
|
|
|
|
neverallow vendor_init device:dir ~{ create_dir_perms mounton };
|
|
|
|
neverallow vold device:dir ~{ search getattr write };
|
|
|
|
neverallow ueventd device:dir ~create_dir_perms;
|
|
')
|
|
|
|
# Do not allow access to the generic socket_device label. This is too broad.
|
|
# Instead, if access to part of socket_device is desired, it should have a
|
|
# more specific label.
|
|
full_treble_only(`
|
|
neverallow * socket_device:{ file sock_file fifo_file } *;
|
|
|
|
neverallow ~{
|
|
init
|
|
shell
|
|
ueventd
|
|
vendor_init
|
|
} socket_device:chr_file *;
|
|
|
|
neverallow {
|
|
init
|
|
vendor_init
|
|
} socket_device:chr_file ~{ setattr };
|
|
|
|
neverallow shell socket_device:chr_file ~{ getattr };
|
|
|
|
neverallow ueventd socket_device:chr_file ~{ getattr create setattr unlink };
|
|
|
|
neverallow ~{
|
|
dumpstate
|
|
e2fs
|
|
fsck
|
|
fsck_untrusted
|
|
init
|
|
recovery
|
|
shell
|
|
ueventd
|
|
vendor_init
|
|
} socket_device:blk_file *;
|
|
|
|
neverallow {
|
|
dumpstate
|
|
e2fs
|
|
fsck
|
|
fsck_untrusted
|
|
shell
|
|
vendor_init
|
|
} socket_device:blk_file ~getattr;
|
|
|
|
neverallow init socket_device:blk_file ~r_file_perms;
|
|
|
|
neverallow recovery socket_device:blk_file ~rw_file_perms;
|
|
|
|
neverallow ueventd socket_device:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
|
|
|
|
neverallow ~{
|
|
init
|
|
ueventd
|
|
vendor_init
|
|
} socket_device:lnk_file ~r_file_perms;
|
|
|
|
neverallow {
|
|
init
|
|
vendor_init
|
|
} socket_device:lnk_file ~{ r_file_perms create };
|
|
|
|
neverallow ueventd socket_device:lnk_file ~{ r_file_perms create unlink };
|
|
|
|
neverallow ~{
|
|
init
|
|
ueventd
|
|
vendor_init
|
|
} socket_device:dir ~r_dir_perms;
|
|
|
|
neverallow init socket_device:dir ~{ create_dir_perms relabelto };
|
|
|
|
neverallow {
|
|
ueventd
|
|
vendor_init
|
|
} socket_device:dir ~create_dir_perms;
|
|
|
|
')
|
|
|
|
# Do not allow access to the generic block_device label. This is too broad.
|
|
# Instead, if access to part of block_device is desired, it should have a
|
|
# more specific label.
|
|
#full_treble_only(`
|
|
# neverallow * block_device:dir_file_class_set *;
|
|
#')
|
|
|
|
# Do not allow access to the generic bootdevice_block_device label. This is
|
|
# too broad.
|
|
# Instead, if access to part of bootdevice_block_device is desired, it should
|
|
# have a more specific label.
|
|
#full_treble_only(`
|
|
# neverallow * bootdevice_block_device:dir_file_class_set *;
|
|
#')
|