Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 1 | # Rules for all domains. |
| 2 | |
| 3 | # Allow reaping by init. |
| 4 | allow domain init:process sigchld; |
| 5 | |
| 6 | # Read access to properties mapping. |
| 7 | allow domain kernel:fd use; |
| 8 | allow domain tmpfs:file { read getattr }; |
| 9 | |
| 10 | # Search /storage/emulated tmpfs mount. |
| 11 | allow domain tmpfs:dir r_dir_perms; |
| 12 | |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 13 | # Intra-domain accesses. |
Stephen Smalley | ad7df7b | 2013-12-20 08:24:12 -0500 | [diff] [blame] | 14 | allow domain self:process ~{ execmem execstack execheap ptrace }; |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 15 | allow domain self:fd use; |
| 16 | allow domain self:dir r_dir_perms; |
| 17 | allow domain self:lnk_file r_file_perms; |
| 18 | allow domain self:{ fifo_file file } rw_file_perms; |
Stephen Smalley | 1601132 | 2014-02-24 15:06:11 -0500 | [diff] [blame] | 19 | allow domain self:unix_dgram_socket { create_socket_perms sendto }; |
| 20 | allow domain self:unix_stream_socket { create_stream_socket_perms connectto }; |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 21 | |
| 22 | # Inherit or receive open files from others. |
| 23 | allow domain init:fd use; |
Alex Klyubin | 1fdee11 | 2013-09-13 15:59:04 -0700 | [diff] [blame] | 24 | allow domain system_server:fd use; |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 25 | |
| 26 | # Connect to adbd and use a socket transferred from it. |
Stephen Smalley | c4021ce | 2014-01-03 14:38:41 -0500 | [diff] [blame] | 27 | # This is used for e.g. adb backup/restore. |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 28 | allow domain adbd:unix_stream_socket connectto; |
| 29 | allow domain adbd:fd use; |
Stephen Smalley | c4021ce | 2014-01-03 14:38:41 -0500 | [diff] [blame] | 30 | allow domain adbd:unix_stream_socket { getattr getopt read write shutdown }; |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 31 | |
Nick Kralevich | 7d0f955 | 2014-01-18 18:07:06 -0800 | [diff] [blame] | 32 | userdebug_or_eng(` |
| 33 | # Same as the adbd rules above, but granted to su as well. |
| 34 | allow domain su:unix_stream_socket connectto; |
| 35 | allow domain su:fd use; |
| 36 | allow domain su:unix_stream_socket { getattr getopt read write shutdown }; |
| 37 | |
Stephen Smalley | 3dad7b6 | 2014-03-05 09:50:08 -0500 | [diff] [blame] | 38 | binder_call(domain, su) |
| 39 | |
Nick Kralevich | 7d0f955 | 2014-01-18 18:07:06 -0800 | [diff] [blame] | 40 | # Running something like "pm dump com.android.bluetooth" requires |
| 41 | # fifo writes |
| 42 | allow domain su:fifo_file { write getattr }; |
| 43 | |
| 44 | # allow "gdbserver --attach" to work for su. |
| 45 | allow domain su:process sigchld; |
| 46 | ') |
| 47 | |
Nick Kralevich | 5919d1c | 2013-07-15 11:41:24 -0700 | [diff] [blame] | 48 | ### |
| 49 | ### Talk to debuggerd. |
| 50 | ### |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 51 | allow domain debuggerd:process sigchld; |
| 52 | allow domain debuggerd:unix_stream_socket connectto; |
| 53 | |
| 54 | # Root fs. |
| 55 | allow domain rootfs:dir r_dir_perms; |
Nick Kralevich | 6634a10 | 2013-07-12 18:45:56 -0700 | [diff] [blame] | 56 | allow domain rootfs:file r_file_perms; |
Stephen Smalley | 712ca0a | 2013-10-23 13:25:53 -0400 | [diff] [blame] | 57 | allow domain rootfs:lnk_file r_file_perms; |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 58 | |
| 59 | # Device accesses. |
| 60 | allow domain device:dir search; |
Stephen Smalley | 712ca0a | 2013-10-23 13:25:53 -0400 | [diff] [blame] | 61 | allow domain dev_type:lnk_file r_file_perms; |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 62 | allow domain devpts:dir search; |
| 63 | allow domain device:file read; |
Robert Craig | 20feb75 | 2014-03-06 10:16:53 -0500 | [diff] [blame] | 64 | allow domain socket_device:dir r_dir_perms; |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 65 | allow domain owntty_device:chr_file rw_file_perms; |
| 66 | allow domain null_device:chr_file rw_file_perms; |
| 67 | allow domain zero_device:chr_file r_file_perms; |
| 68 | allow domain ashmem_device:chr_file rw_file_perms; |
| 69 | allow domain binder_device:chr_file rw_file_perms; |
| 70 | allow domain ptmx_device:chr_file rw_file_perms; |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 71 | allow domain log_device:dir search; |
| 72 | allow domain log_device:chr_file rw_file_perms; |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 73 | allow domain alarm_device:chr_file r_file_perms; |
Alex Klyubin | a247705 | 2013-09-10 11:13:15 -0700 | [diff] [blame] | 74 | allow domain urandom_device:chr_file rw_file_perms; |
| 75 | allow domain random_device:chr_file rw_file_perms; |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 76 | allow domain properties_device:file r_file_perms; |
| 77 | |
Mark Salyzyn | 8ed750e | 2013-11-12 15:34:52 -0800 | [diff] [blame] | 78 | # logd access |
| 79 | write_logd(domain) |
| 80 | |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 81 | # Filesystem accesses. |
| 82 | allow domain fs_type:filesystem getattr; |
| 83 | allow domain fs_type:dir getattr; |
| 84 | |
| 85 | # System file accesses. |
| 86 | allow domain system_file:dir r_dir_perms; |
| 87 | allow domain system_file:file r_file_perms; |
| 88 | allow domain system_file:file execute; |
Stephen Smalley | 712ca0a | 2013-10-23 13:25:53 -0400 | [diff] [blame] | 89 | allow domain system_file:lnk_file r_file_perms; |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 90 | |
| 91 | # Read files already opened under /data. |
| 92 | allow domain system_data_file:dir { search getattr }; |
| 93 | allow domain system_data_file:file { getattr read }; |
Stephen Smalley | 712ca0a | 2013-10-23 13:25:53 -0400 | [diff] [blame] | 94 | allow domain system_data_file:lnk_file r_file_perms; |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 95 | |
| 96 | # Read apk files under /data/app. |
Geremy Condra | 8156073 | 2013-08-30 13:02:30 -0700 | [diff] [blame] | 97 | allow domain apk_data_file:dir { getattr search }; |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 98 | allow domain apk_data_file:file r_file_perms; |
| 99 | |
| 100 | # Read /data/dalvik-cache. |
| 101 | allow domain dalvikcache_data_file:dir { search getattr }; |
| 102 | allow domain dalvikcache_data_file:file r_file_perms; |
| 103 | |
| 104 | # Read already opened /cache files. |
| 105 | allow domain cache_file:dir r_dir_perms; |
| 106 | allow domain cache_file:file { getattr read }; |
Stephen Smalley | 712ca0a | 2013-10-23 13:25:53 -0400 | [diff] [blame] | 107 | allow domain cache_file:lnk_file r_file_perms; |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 108 | |
Nick Kralevich | 7466f9b | 2013-12-12 15:32:42 -0800 | [diff] [blame] | 109 | # Read timezone related information |
| 110 | r_dir_file(domain, zoneinfo_data_file) |
| 111 | |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 112 | # For /acct/uid/*/tasks. |
| 113 | allow domain cgroup:dir { search write }; |
| 114 | allow domain cgroup:file w_file_perms; |
| 115 | |
| 116 | # Allow access to the ion memory allocation device. |
| 117 | allow domain ion_device:chr_file rw_file_perms; |
| 118 | |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 119 | # Read access to pseudo filesystems. |
| 120 | r_dir_file(domain, proc) |
| 121 | r_dir_file(domain, sysfs) |
Nick Kralevich | 967f39a | 2013-10-30 14:12:21 -0700 | [diff] [blame] | 122 | r_dir_file(domain, sysfs_devices_system_cpu) |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 123 | r_dir_file(domain, inotify) |
| 124 | r_dir_file(domain, cgroup) |
Robert Craig | 529fcbe | 2014-01-07 13:46:56 -0500 | [diff] [blame] | 125 | r_dir_file(domain, proc_net) |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 126 | |
| 127 | # debugfs access. Note that w_file_perms on debugfs files is granted to every domain here. |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 128 | allow domain debugfs:dir r_dir_perms; |
Nick Kralevich | 8758cc5 | 2013-07-11 11:30:20 -0700 | [diff] [blame] | 129 | allow domain debugfs:file w_file_perms; |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 130 | |
Stephen Smalley | 712ca0a | 2013-10-23 13:25:53 -0400 | [diff] [blame] | 131 | # Get SELinux enforcing status. |
| 132 | selinux_getenforce(domain) |
| 133 | |
Stephen Smalley | f926817 | 2014-02-24 11:35:39 -0500 | [diff] [blame] | 134 | # /data/security files |
Nick Kralevich | dbd28d9 | 2013-06-27 15:11:02 -0700 | [diff] [blame] | 135 | allow domain security_file:dir { search getattr }; |
| 136 | allow domain security_file:file getattr; |
Stephen Smalley | f926817 | 2014-02-24 11:35:39 -0500 | [diff] [blame] | 137 | allow domain security_file:lnk_file r_file_perms; |
Nick Kralevich | 0c9708b | 2013-07-10 14:46:05 -0700 | [diff] [blame] | 138 | |
Robert Craig | 48b1883 | 2014-02-04 11:36:41 -0500 | [diff] [blame] | 139 | # World readable asec image contents |
| 140 | allow domain asec_public_file:file r_file_perms; |
| 141 | allow domain { asec_public_file asec_apk_file }:dir r_dir_perms; |
| 142 | |
Nick Kralevich | 0c9708b | 2013-07-10 14:46:05 -0700 | [diff] [blame] | 143 | ######## Backwards compatibility - Unlabeled files ############ |
| 144 | |
| 145 | # Revert to DAC rules when looking at unlabeled files. Over time, the number |
| 146 | # of unlabeled files should decrease. |
| 147 | # TODO: delete these rules in the future. |
| 148 | # |
| 149 | # Note on relabelfrom: every domain is allowed relabelfrom, but without the relabelto |
| 150 | # permission it is essentially useless. It is needed so that a domain which does have |
| 151 | # relabelto can relabel unlabeled files. |
| 152 | # |
Stephen Smalley | 91c290b | 2014-01-09 13:34:46 -0500 | [diff] [blame] | 153 | allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom }; |
Nick Kralevich | 0c9708b | 2013-07-10 14:46:05 -0700 | [diff] [blame] | 154 | allow domain unlabeled:dir { create_dir_perms relabelfrom }; |
Nick Kralevich | 0c9708b | 2013-07-10 14:46:05 -0700 | [diff] [blame] | 155 | neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto; |
Nick Kralevich | 2637198 | 2013-07-15 17:10:35 -0700 | [diff] [blame] | 156 | |
| 157 | ### |
| 158 | ### neverallow rules |
| 159 | ### |
| 160 | |
Stephen Smalley | 5487ca0 | 2014-02-10 16:31:04 -0500 | [diff] [blame] | 161 | # Limit ability to ptrace or read sensitive /proc/pid files of processes |
| 162 | # with other UIDs to these whitelisted domains. |
| 163 | neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace; |
| 164 | |
| 165 | # Limit device node creation and raw I/O to these whitelisted domains. |
Nick Kralevich | 96eeb1e | 2014-02-19 13:33:32 -0800 | [diff] [blame] | 166 | neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability { sys_rawio mknod }; |
Stephen Smalley | 5487ca0 | 2014-02-10 16:31:04 -0500 | [diff] [blame] | 167 | |
| 168 | # No domain needs mac_override as it is unused by SELinux. |
Stephen Smalley | 04ee5df | 2014-01-30 13:23:08 -0500 | [diff] [blame] | 169 | neverallow domain self:capability2 mac_override; |
Stephen Smalley | 5487ca0 | 2014-02-10 16:31:04 -0500 | [diff] [blame] | 170 | |
| 171 | # Only recovery needs mac_admin to set contexts not defined in current policy. |
Stephen Smalley | 04ee5df | 2014-01-30 13:23:08 -0500 | [diff] [blame] | 172 | neverallow { domain -recovery } self:capability2 mac_admin; |
| 173 | |
Stephen Smalley | fea6e66 | 2013-12-06 08:05:53 -0500 | [diff] [blame] | 174 | # Only init should be able to load SELinux policies. |
| 175 | # The first load technically occurs while still in the kernel domain, |
| 176 | # but this does not trigger a denial since there is no policy yet. |
| 177 | # Policy reload requires allowing this to the init domain. |
| 178 | neverallow { domain -init } kernel:security load_policy; |
| 179 | |
| 180 | # Only init prior to switching context should be able to set enforcing mode. |
| 181 | # init starts in kernel domain and switches to init domain via setcon in |
| 182 | # the init.rc, so the setenforce occurs while still in kernel. After |
| 183 | # switching domains, there is never any need to setenforce again by init. |
Stephen Smalley | 8b51674 | 2014-01-08 09:29:30 -0500 | [diff] [blame] | 184 | neverallow { domain -kernel } kernel:security { setenforce setcheckreqprot }; |
Stephen Smalley | 0130154 | 2013-09-27 10:38:14 -0400 | [diff] [blame] | 185 | |
Stephen Smalley | 853ffaa | 2014-03-06 13:02:50 -0500 | [diff] [blame] | 186 | # No booleans in AOSP policy, so no need to ever set them. |
| 187 | neverallow domain kernel:security setbool; |
| 188 | |
| 189 | # Adjusting the AVC cache threshold. |
| 190 | # Not presently allowed to anything in policy, but possibly something |
| 191 | # that could be set from init.rc. |
| 192 | neverallow { domain -init } kernel:security setsecparam; |
| 193 | |
William Roberts | 85c5fc2 | 2013-10-06 15:36:11 -0400 | [diff] [blame] | 194 | # Only init, ueventd and system_server should be able to access the HW RNG; unconfineddomain is also exempted by the rule below. |
| 195 | neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *; |
Alex Klyubin | 8d68831 | 2013-10-03 13:35:56 -0700 | [diff] [blame] | 196 | |
Stephen Smalley | 0130154 | 2013-09-27 10:38:14 -0400 | [diff] [blame] | 197 | # Ensure that all entrypoint executables are in exec_type. |
| 198 | neverallow domain { file_type -exec_type }:file entrypoint; |
Geremy Condra | ddf98fa | 2013-10-31 11:17:23 -0700 | [diff] [blame] | 199 | |
| 200 | # Ensure that nothing in userspace can access /dev/mem or /dev/kmem |
| 201 | neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *; |
| 202 | neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr }; |
Stephen Smalley | 7adb999 | 2013-12-06 09:31:40 -0500 | [diff] [blame] | 203 | |
| 204 | # Only init should be able to configure kernel usermodehelpers or |
| 205 | # security-sensitive proc settings. |
| 206 | neverallow { domain -init } usermodehelper:file { append write }; |
| 207 | neverallow { domain -init } proc_security:file { append write }; |
Stephen Smalley | 95e0842 | 2013-12-09 12:49:47 -0500 | [diff] [blame] | 208 | |
| 209 | # No domain should be allowed to ptrace init. |
| 210 | neverallow domain init:process ptrace; |
Nick Kralevich | a730e50 | 2014-01-03 20:44:07 -0800 | [diff] [blame] | 211 | |
| 212 | # Init can't receive binder calls. If this neverallow rule is being |
| 213 | # triggered, it's probably due to a service with no SELinux domain. |
| 214 | neverallow domain init:binder call; |
William Roberts | d0919ec | 2014-01-30 09:10:28 -0800 | [diff] [blame] | 215 | |
| 216 | # Don't allow raw read/write/open access to block_device |
| 217 | # Rather force a relabel to a more specific type |
Nick Kralevich | 96eeb1e | 2014-02-19 13:33:32 -0800 | [diff] [blame] | 218 | neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write }; |
William Roberts | a637b2f | 2014-01-30 09:15:45 -0800 | [diff] [blame] | 219 | |
| 220 | # Don't allow raw read/write/open access to generic devices. |
| 221 | # Rather force a relabel to a more specific type. |
| 222 | # ueventd is exempt from this, as it is managing these devices; unconfineddomain is exempt as well. |
| 223 | neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write }; |
Stephen Smalley | b081cc1 | 2014-02-10 13:29:38 -0500 | [diff] [blame] | 224 | |
| 225 | # Limit what domains can mount filesystems or change their mount flags. |
| 226 | # sdcard_type / vfat is exempt as a larger set of domains need |
| 227 | # this capability, including device-specific domains. |
| 228 | neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto }; |