#####################################
# domain_trans(olddomain, type, newdomain)
# Allow a transition from olddomain to newdomain
# upon executing a file labeled with type.
# This only allows the transition; it does not
# cause it to occur automatically - use domain_auto_trans
# if that is what you want.
#
# Rules granted:
#   - olddomain may stat, open, read and execute the file and may
#     transition to newdomain;
#   - newdomain may use the file as its entrypoint;
#   - newdomain may deliver SIGCHLD back to olddomain;
#   - noatsecure is dontaudited rather than allowed, so the new
#     process starts with AT_SECURE set (libc secure mode);
#   - siginh and rlimitinh are allowed, so signal state and
#     resource limits are inherited across the transition.
#
define(`domain_trans', `
# Entry into the new domain: the file is a valid entrypoint.
allow $3 $2:file { entrypoint read execute };
# The new domain may notify its caller when it exits.
allow $3 $1:process sigchld;
# The old domain executes the file and is allowed to transition.
allow $1 $2:file { getattr open read execute };
allow $1 $3:process transition;
# Keep noatsecure denied, silently, so AT_SECURE is set for the
# new process, i.e. libc secure mode.
dontaudit $1 $3:process noatsecure;
# Signal state and rlimits cross the transition boundary.
# XXX dontaudit candidate but requires further study.
allow $1 $3:process { siginh rlimitinh };
')

#####################################
# domain_auto_trans(olddomain, type, newdomain)
# Automatically transition from olddomain to newdomain
# upon executing a file labeled with type.
# Equivalent to domain_trans plus a default type_transition,
# so the transition happens without the caller requesting it.
#
define(`domain_auto_trans', `
# Default the process label to newdomain on exec of the file.
type_transition $1 $2:process $3;
# Grant the permissions the transition itself needs.
domain_trans($1,$2,$3)
')

#####################################
# file_type_trans(domain, dir_type, file_type)
# Allow domain to create a file labeled file_type in a
# directory labeled dir_type.
# This only allows the transition; it does not
# cause it to occur automatically - use file_type_auto_trans
# if that is what you want.
# Note that create_dir_perms on file_type is granted as well,
# so directories of that type may be created, not only files.
#
define(`file_type_trans', `
# Objects of the new type may be created in the non-device file
# classes (notdevfile_class_set, defined elsewhere) or as directories.
allow $1 $3:notdevfile_class_set create_file_perms;
allow $1 $3:dir create_dir_perms;
# The containing directory must accept new entries (ra_dir_perms
# is one of the permission set macros defined elsewhere).
allow $1 $2:dir ra_dir_perms;
')

#####################################
# file_type_auto_trans(domain, dir_type, file_type)
# Automatically label new files with file_type when
# they are created by domain in directories labeled dir_type.
# Equivalent to file_type_trans plus the default type_transitions.
#
define(`file_type_auto_trans', `
# Default the label of new directories and non-device files
# created in dir_type directories to file_type.
type_transition $1 $2:dir $3;
type_transition $1 $2:notdevfile_class_set $3;
# Grant the permissions the creation itself needs.
file_type_trans($1, $2, $3)
')

#####################################
# r_dir_file(domain, type)
# Allow the specified domain to read directories, files
# and symbolic links of the specified type.
# Only the read permission sets (r_dir_perms, r_file_perms,
# defined elsewhere) are granted; nothing here allows writing.
define(`r_dir_file', `
# Directory listing and search.
allow $1 $2:dir r_dir_perms;
# Regular files and symlinks share the read file permission set.
allow $1 $2:file r_file_perms;
allow $1 $2:lnk_file r_file_perms;
')

#####################################
# unconfined_domain(domain)
# Allow the specified domain to perform more privileged operations
# than would be typically allowed. Please see the comments at the
# top of unconfined.te.
# Both grants are attribute memberships; the actual rules attached
# to unconfineddomain and mlstrustedsubject live elsewhere.
#
define(`unconfined_domain', `
# Member of the attribute the unconfined.te rules are written against.
typeattribute $1 unconfineddomain;
# Presumably exempts the domain from the MLS constraints as a subject
# (the constraints themselves are not in this file).
typeattribute $1 mlstrustedsubject;
')

#####################################
# tmpfs_domain(domain)
# Define and allow access to a unique type for
# this domain when creating tmpfs / shmem / ashmem files.
# The type is named after the domain with a _tmpfs suffix.
define(`tmpfs_domain', `
type $1_tmpfs, file_type;
# Read, map with PROT_EXEC, and execmod (re-map as executable after
# the mapping was modified, e.g. text relocations). execmod relaxes
# write-xor-execute for files of this type; worth keeping in mind
# when reviewing what the domain may load into memory.
allow $1 $1_tmpfs:file { read execute execmod };
# New tmpfs files created by the domain get the unique type.
type_transition $1 tmpfs:file $1_tmpfs;
')

#####################################
# init_daemon_domain(domain)
# Set up a transition from init to the daemon domain
# upon executing its binary.
# The binary is expected to be labeled with the _exec-suffixed
# type of the domain; the domain also gets a private tmpfs type.
define(`init_daemon_domain', `
# Private tmpfs type for the daemon.
tmpfs_domain($1)
# init execs the _exec-suffixed type and lands in the daemon domain.
domain_auto_trans(init, $1_exec, $1)
')

#####################################
# app_domain(domain)
# Allow a base set of permissions required for all apps.
# The base permissions come from the appdomain attribute, whose
# rules live elsewhere; this macro only adds the membership and
# a private tmpfs type.
define(`app_domain', `
# Label ashmem objects with our own unique type.
tmpfs_domain($1)
# Membership of the attribute all app rules are written against.
typeattribute $1 appdomain;
')

#####################################
# relabelto_domain(domain)
# Allows this domain to use the relabelto permission
# by adding it to the relabeltodomain attribute; what that
# attribute is actually allowed to do is defined elsewhere
# in the policy, not here.
define(`relabelto_domain', `
typeattribute $1 relabeltodomain;
')

#####################################
# platform_app_domain(domain)
# Allow permissions specific to platform apps.
# Both grants are attribute memberships; the rules attached to
# platformappdomain and mlstrustedsubject live elsewhere.
define(`platform_app_domain', `
# Presumably exempts the domain from the MLS constraints as a subject.
typeattribute $1 mlstrustedsubject;
# Member of the attribute the platform app rules are written against.
typeattribute $1 platformappdomain;
')

#####################################
# net_domain(domain)
# Allow a base set of permissions required for network access.
# Implemented as membership of the netdomain attribute; the
# network rules themselves are written against that attribute
# elsewhere in the policy.
define(`net_domain', `
typeattribute $1 netdomain;
')

#####################################
# bluetooth_domain(domain)
# Allow a base set of permissions required for bluetooth access.
# Implemented as membership of the bluetoothdomain attribute; the
# bluetooth rules themselves are written against that attribute
# elsewhere in the policy.
define(`bluetooth_domain', `
typeattribute $1 bluetoothdomain;
')

#####################################
# unix_socket_connect(clientdomain, socket, serverdomain)
# Allow a local socket connection from clientdomain via
# socket to serverdomain.
# The socket file is expected to be labeled with the socket
# argument plus a _socket suffix.
define(`unix_socket_connect', `
# Connect to the listening stream socket owned by serverdomain.
allow $1 $3:unix_stream_socket connectto;
# Write to the socket file in the filesystem (the _socket type).
allow $1 $2_socket:sock_file write;
')

#####################################
# unix_socket_send(clientdomain, socket, serverdomain)
# Allow a local socket send from clientdomain via
# socket to serverdomain.
# Datagram counterpart of unix_socket_connect; the socket file is
# expected to be labeled with the socket argument plus a _socket suffix.
define(`unix_socket_send', `
# Send datagrams to the socket owned by serverdomain.
allow $1 $3:unix_dgram_socket sendto;
# Write to the socket file in the filesystem (the _socket type).
allow $1 $2_socket:sock_file write;
')

#####################################
# binder_use(domain)
# Allow domain to use Binder IPC.
# Covers talking to the servicemanager and mapping ashmem
# executable; rw access to the device nodes is not granted here.
define(`binder_use', `
# Map /dev/ashmem with PROT_EXEC.
allow $1 ashmem_device:chr_file execute;
# Call the servicemanager and transfer references to it.
allow $1 servicemanager:binder { call transfer };
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
')

#####################################
# binder_call(clientdomain, serverdomain)
# Allow clientdomain to perform binder IPC to serverdomain.
# Note this is not symmetric: the server only gets transfer back
# to the client, not call, and only the client gets fd use.
define(`binder_call', `
# The client may receive and use file descriptors passed by the server.
allow $1 $2:fd use;
# The server may hand binder references back to the client in its reply.
allow $2 $1:binder transfer;
# The client may call the server and hand it binder references.
allow $1 $2:binder { call transfer };
')

#####################################
# binder_service(domain)
# Mark a domain as being a Binder service domain.
# Used to allow binder IPC to the various system services.
# Only the binderservicedomain attribute membership is added;
# the IPC rules that reference it live elsewhere.
define(`binder_service', `
typeattribute $1 binderservicedomain;
')

#####################################
# selinux_check_access(domain)
# Allow domain to check SELinux permissions via selinuxfs.
# Grants compute_av on the kernel, read/write on selinuxfs and
# all permissions on the netlink_selinux_socket class.
define(`selinux_check_access', `
# Ask the kernel for an access decision.
allow $1 kernel:security compute_av;
# Wildcard: every permission on the netlink_selinux_socket class,
# including any added by future policy versions. An explicit
# permission list would be tighter; left unchanged here (review note).
allow $1 self:netlink_selinux_socket *;
# Read and write the selinuxfs nodes the query goes through.
allow $1 selinuxfs:file rw_file_perms;
allow $1 selinuxfs:dir r_dir_perms;
')

#####################################
# selinux_check_context(domain)
# Allow domain to check SELinux contexts via selinuxfs.
# Grants check_context on the kernel plus read/write on selinuxfs.
define(`selinux_check_context', `
# Ask the kernel whether a context is valid.
allow $1 kernel:security check_context;
# Read and write the selinuxfs nodes the query goes through.
allow $1 selinuxfs:file rw_file_perms;
allow $1 selinuxfs:dir r_dir_perms;
')

#####################################
# selinux_getenforce(domain)
# Allow domain to check whether SELinux is enforcing.
# Read only on selinuxfs; no kernel:security permission is needed.
define(`selinux_getenforce', `
# Read the selinuxfs nodes (e.g. the enforce node).
allow $1 selinuxfs:file r_file_perms;
allow $1 selinuxfs:dir r_dir_perms;
')

#####################################
# selinux_setenforce(domain)
# Allow domain to set SELinux to enforcing.
# This is a high-privilege grant: the same permission lets the
# domain switch the kernel to permissive.
define(`selinux_setenforce', `
# The kernel-side permission to change enforcing mode.
allow $1 kernel:security setenforce;
# Write the selinuxfs node that carries the request.
allow $1 selinuxfs:file rw_file_perms;
allow $1 selinuxfs:dir r_dir_perms;
')

#####################################
# selinux_setbool(domain)
# Allow domain to set SELinux booleans.
# Changing booleans alters which conditional rules are live, so
# this is a policy-modifying grant.
define(`selinux_setbool', `
# The kernel-side permission to change booleans.
allow $1 kernel:security setbool;
# Write the selinuxfs nodes that carry the request.
allow $1 selinuxfs:file rw_file_perms;
allow $1 selinuxfs:dir r_dir_perms;
')

#####################################
# security_access_policy(domain)
# Read only access to all policy files (security_file,
# including symlinks), to selinuxfs and to rootfs
# directories and files.
define(`security_access_policy', `
# Policy files, and the symlinks pointing at them, under security_file.
allow $1 security_file:dir r_dir_perms;
allow $1 security_file:file r_file_perms;
allow $1 security_file:lnk_file r_file_perms;
# rootfs, read only (presumably for policy kept on the root filesystem).
allow $1 rootfs:dir r_dir_perms;
allow $1 rootfs:file r_file_perms;
# selinuxfs, read only.
allow $1 selinuxfs:dir r_dir_perms;
allow $1 selinuxfs:file r_file_perms;
')

#####################################
# selinux_manage_policy(domain)
# Ability to manage policy files (create and write under
# security_file, including symlinks), set the security_prop
# property through the init property socket, change
# enforcing mode and manipulate booleans.
# NOTE(review): the earlier header also listed kernel log
# access, but no kmsg rule is granted here; pair this macro
# with access_kmsg if that is actually needed.
define(`selinux_manage_policy', `
# Writable access to the policy file tree.
allow $1 security_file:dir create_dir_perms;
allow $1 security_file:file create_file_perms;
allow $1 security_file:lnk_file { create rename unlink };
# Set security_prop via the property service in init.
unix_socket_connect($1, property, init)
allow $1 security_prop:property_service set;
# Read access to the policy plus the setenforce and setbool grants.
security_access_policy($1)
selinux_setenforce($1)
selinux_setbool($1)
')

#####################################
# mmac_manage_policy(domain)
# Ability to manage mmac policy files (create and write
# under security_file, including symlinks) and set the
# security_prop property through the init property socket.
# NOTE(review): the earlier header also listed runtime reload,
# enforcing mode and logcat access; the only rules here are the
# file and property grants below, so anything beyond that must
# come from the property handler or another macro.
define(`mmac_manage_policy', `
# Writable access to the policy file tree.
allow $1 security_file:dir create_dir_perms;
allow $1 security_file:file create_file_perms;
allow $1 security_file:lnk_file { create rename unlink };
# Set security_prop via the property service in init.
unix_socket_connect($1, property, init)
allow $1 security_prop:property_service set;
')

#####################################
# access_logcat(domain)
# Ability to read from logcat logs
# and execute the logcat command
# NOTE(review): the execute grant is on every system_file, not just
# the logcat binary, so this is broader than the header suggests.
define(`access_logcat', `
# Execute files of type system_file (x_file_perms, defined elsewhere).
allow $1 system_file:file x_file_perms;
# Read the log device nodes.
allow $1 log_device:chr_file read;
')

#####################################
# access_kmsg(domain)
# Ability to read from kernel logs
# and execute the klogctl syscall
# in a non destructive manner. See
# man 2 klogctl
# Only syslog_read is granted; the clearing and console
# control variants are not covered by this macro.
define(`access_kmsg', `
allow $1 kernel:system syslog_read;
')

#####################################
# write_klog(domain)
# Ability to write to kernel log via
# klog_write()
# See system/core/libcutil/klog.c
# The writer creates a device node named __kmsg__ under the
# device directory, writes to it and unlinks it again.
define(`write_klog', `
# Adding and removing the node needs add/remove on the device dir.
# These perms are not limited to the __kmsg__ name, but from these
# rules alone only klog_device chr_files may be created.
allow $1 device:dir { write add_name remove_name };
# A chr_file named __kmsg__ created under device gets type klog_device.
type_transition $1 device:chr_file klog_device "__kmsg__";
# Create, write to and remove that node.
allow $1 klog_device:chr_file { create open write unlink };
')

#####################################
# create_pty(domain)
# Allow domain to create and use a pty, isolated from any other domain ptys.
# The isolation comes from the per-domain devpts type; nothing in this
# macro grants any other domain access to it.
define(`create_pty', `
# Each domain gets a unique devpts type.
type $1_devpts, fs_type;
# Use the pty once it exists: open, stat, read, write and ioctl.
allow $1 $1_devpts:chr_file { open getattr read write ioctl };
# New ptys created by the domain are labeled with its own type.
type_transition $1 devpts:chr_file $1_devpts;
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
# allowed to everyone via domain.te.
')

#####################################
# Non system_app application set
# Expands to a type set usable wherever a source or target
# type is expected: every member of the appdomain attribute
# except system_app.
#
define(`non_system_app_set', `{ appdomain -system_app }')