# Rules for all domains.
#
# Everything in this file is granted to, or asserted for, the `domain`
# attribute, i.e. every process type in the policy. An allow rule added here
# widens the access of every process on the device, so new rules belong
# here only when genuinely needed by all domains. The neverallow rules in
# the second half are build-time assertions: policy compilation fails if any
# rule anywhere in the policy (including device-specific policy) would grant
# one of the listed permissions to a domain that is not explicitly exempted.

# Allow reaping by init.
# init is the parent that collects every domain's exit status.
allow domain init:process sigchld;

# Read access to properties mapping.
# NOTE(review): presumably the property area is a tmpfs-backed mapping
# reached through a file descriptor inherited from the kernel domain --
# confirm against init; only read/getattr is granted, never write.
allow domain kernel:fd use;
allow domain tmpfs:file { read getattr };

# Search /storage/emulated tmpfs mount.
allow domain tmpfs:dir r_dir_perms;

# Intra-domain accesses.
# Process-class permissions a domain may exercise on processes of its own
# type. Note that ptrace is deliberately not part of this list; a domain
# that needs it must be granted it individually (and is subject to the
# sys_ptrace neverallow below).
allow domain self:process {
    fork
    sigchld
    sigkill
    sigstop
    signull
    signal
    getsched
    setsched
    getsession
    getpgid
    setpgid
    getcap
    setcap
    getattr
    setrlimit
};
allow domain self:fd use;
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:{ fifo_file file } rw_file_perms;
# Same-domain local sockets: datagram send and stream connect to itself.
allow domain self:unix_dgram_socket { create_socket_perms sendto };
allow domain self:unix_stream_socket { create_stream_socket_perms connectto };

# Inherit or receive open files from others.
# Only fd use is granted: the ability to keep using a descriptor that init
# or system_server opened and passed along, not to open anything new.
allow domain init:fd use;
allow domain system_server:fd use;

# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
# Every domain may connect to adbd's stream socket and read/write a socket
# that adbd hands over; this does not extend to adbd's files or process.
allow domain adbd:unix_stream_socket connectto;
allow domain adbd:fd use;
allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };

# The block below is expanded only on userdebug and eng builds (m4 macro);
# user builds get none of these su/coredump rules.
userdebug_or_eng(`
# Same as adbd rules above, except allow su to do the same thing
allow domain su:unix_stream_socket connectto;
allow domain su:fd use;
allow domain su:unix_stream_socket { getattr getopt read write shutdown };

# Let every domain make binder calls to su (debug builds only).
binder_call(domain, su)

# Running something like "pm dump com.android.bluetooth" requires
# fifo writes
allow domain su:fifo_file { write getattr };

# allow "gdbserver --attach" to work for su.
allow domain su:process sigchld;

# Allow writing coredumps to /cores/*
# Debug builds only: any domain may create files under the coredump
# directory (ra_dir_perms = read + add entries, no delete).
allow domain coredump_file:file create_file_perms;
allow domain coredump_file:dir ra_dir_perms;
')

###
### Talk to debuggerd.
###
# Crash reporting path. Only connectto is granted on debuggerd's socket
# here; unlike the adbd rules above, no read/write on a transferred socket
# is given in this file.
allow domain debuggerd:process sigchld;
allow domain debuggerd:unix_stream_socket connectto;

# Root fs.
# Read-only access to the rootfs; writes to rootfs files are forbidden to
# everything but recovery by a neverallow below.
allow domain rootfs:dir r_dir_perms;
allow domain rootfs:file r_file_perms;
allow domain rootfs:lnk_file r_file_perms;

# Device accesses.
# Generic /dev traversal plus the handful of device nodes that every
# process needs (tty, null, zero, ashmem, binder, ptmx, log, alarm,
# random/urandom). Anything else under /dev must carry a more specific
# type and be granted per domain; see the device:chr_file neverallow below.
allow domain device:dir search;
allow domain dev_type:lnk_file r_file_perms;
allow domain devpts:dir search;
allow domain device:file read;
allow domain socket_device:dir r_dir_perms;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file rw_file_perms;
allow domain ashmem_device:chr_file rw_file_perms;
allow domain binder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain log_device:dir search;
allow domain log_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
# Both random devices are rw for all domains, not read-only.
allow domain urandom_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain properties_device:file r_file_perms;

# logd access
# Every domain may submit log messages to logd.
write_logd(domain)

# Filesystem accesses.
# statfs-style queries on any mounted filesystem and getattr on its root.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;

# System file accesses.
# Read and execute of /system. Executing files that are neither
# system_file nor exec_type is denied to most domains by the execute
# neverallow near the end of this file.
allow domain system_file:dir r_dir_perms;
allow domain system_file:file r_file_perms;
allow domain system_file:file execute;
allow domain system_file:lnk_file r_file_perms;

# Read files already opened under /data.
# No open permission on system_data_file here: a domain can only read a
# descriptor someone else opened and passed to it.
allow domain system_data_file:dir { search getattr };
allow domain system_data_file:file { getattr read };
allow domain system_data_file:lnk_file r_file_perms;

# Read apk files under /data/app.
allow domain apk_data_file:dir { getattr search };
allow domain apk_data_file:file r_file_perms;
allow domain apk_data_file:lnk_file r_file_perms;

# Read /data/dalvik-cache.
allow domain dalvikcache_data_file:dir { search getattr };
allow domain dalvikcache_data_file:file r_file_perms;

# Read already opened /cache files.
# As with /data above: getattr/read only, no open.
allow domain cache_file:dir r_dir_perms;
allow domain cache_file:file { getattr read };
allow domain cache_file:lnk_file r_file_perms;

# Read timezone related information
r_dir_file(domain, zoneinfo_data_file)

# For /acct/uid/*/tasks.
# NOTE(review): w_file_perms is granted on every cgroup file, not just the
# tasks files this comment names; confirm nothing more sensitive is
# labeled cgroup.
allow domain cgroup:dir { search write };
allow domain cgroup:file w_file_perms;

# Allow access to ion memory allocation device
allow domain ion_device:chr_file rw_file_perms;

# Read access to pseudo filesystems.
# /proc, /sys, cgroupfs, inotify and the /proc/net tree are readable by
# all domains; /proc/cpuinfo carries its own type and is granted here too.
r_dir_file(domain, proc)
r_dir_file(domain, sysfs)
r_dir_file(domain, sysfs_devices_system_cpu)
r_dir_file(domain, inotify)
r_dir_file(domain, cgroup)
r_dir_file(domain, proc_net)
allow domain proc_cpuinfo:file r_file_perms;

# debugfs access
# NOTE(review): write access to every debugfs file for every domain is a
# broad grant; worth checking whether it can be narrowed to the domains
# that actually use it.
allow domain debugfs:dir r_dir_perms;
allow domain debugfs:file w_file_perms;

# Get SELinux enforcing status.
# Read-only view of selinuxfs; setenforce/load_policy on it are covered by
# the kernel:security neverallows below.
allow domain selinuxfs:dir r_dir_perms;
allow domain selinuxfs:file r_file_perms;

# /data/security files
# Traversal and getattr only; the neverallows below restrict all writes to
# init and system_server.
allow domain security_file:dir { search getattr };
allow domain security_file:file getattr;
allow domain security_file:lnk_file r_file_perms;

# World readable asec image contents
allow domain asec_public_file:file r_file_perms;
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;

# Service manager: any domain may list the registry and look up (find)
# services of any service_manager_type. Registering (add) is granted per
# domain, and add on the generic default type is forbidden below.
allow domain servicemanager:service_manager list;
allow domain service_manager_type:service_manager find;

###
### neverallow rules
###
# Each rule asserts that no domain outside the `-` exemptions is ever
# granted the listed permissions. They are checked when the policy is
# compiled, so a violating allow rule in any .te file breaks the build.

# Do not allow any confined domain to create new unlabeled files.
neverallow { domain -unconfineddomain -recovery } unlabeled:dir_file_class_set create;

# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;

# Limit device node creation to these whitelisted domains.
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability mknod;

# Limit raw I/O to these whitelisted domains.
# Same set as mknod plus tee.
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;

# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow domain self:memprotect mmap_zero;

# No domain needs mac_override as it is unused by SELinux.
neverallow domain self:capability2 mac_override;

# Only recovery needs mac_admin to set contexts not defined in current policy.
neverallow { domain -recovery } self:capability2 mac_admin;

# Only init should be able to load SELinux policies.
# The first load technically occurs while still in the kernel domain,
# but this does not trigger a denial since there is no policy yet.
# Policy reload requires allowing this to the init domain.
neverallow { domain -init } kernel:security load_policy;

# Only init and the system_server can set selinux.reload_policy 1
# to trigger a policy reload.
neverallow { domain -init -system_server } security_prop:property_service set;

# Only init and system_server can write to /data/security, where runtime
# policy updates live.
# Only init can relabel /data/security (for init.rc restorecon_recursive /data).
neverallow { domain -init } security_file:{ dir file lnk_file } { relabelfrom relabelto };
# Only init and system_server can create/setattr directories with this type.
# init is for init.rc mkdir /data/security.
# system_server is for creating subdirectories under /data/security.
neverallow { domain -init -system_server } security_file:dir { create setattr };
# Only system_server can create subdirectories and files under /data/security.
neverallow { domain -system_server } security_file:dir { rename write add_name remove_name rmdir };
neverallow { domain -system_server } security_file:file { create setattr write append unlink link rename };
neverallow { domain -system_server } security_file:lnk_file { create setattr unlink rename };

# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
# The setenforce rule has no exemption at all, so not even the kernel
# domain may carry an allow rule for it; setcheckreqprot is reserved to
# kernel.
neverallow domain kernel:security setenforce;
neverallow { domain -kernel } kernel:security setcheckreqprot;

# No booleans in AOSP policy, so no need to ever set them.
neverallow domain kernel:security setbool;

# Adjusting the AVC cache threshold.
# Not presently allowed to anything in policy, but possibly something
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;

# Only init, ueventd and system_server should be able to access HW RNG.
# Note that unconfineddomain is also exempted by the rule as written.
neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;

# Ensure that all entrypoint executables are in exec_type.
neverallow domain { file_type -exec_type }:file entrypoint;

# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
# First rule: no permission at all outside kernel/ueventd/init. Second
# rule: even those three are limited to managing the node itself
# (create/relabelto/unlink/setattr); nobody may open, read or write it.
neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };

# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init } proc_security:file { append write };

# No domain should be allowed to ptrace init.
neverallow domain init:process ptrace;

# Init can't receive binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow domain init:binder call;

# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } block_device:blk_file { open read write };

# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
# ueventd is exempt from this, as its managing these devices.
# unconfineddomain and recovery are exempt as well.
neverallow { domain -unconfineddomain -ueventd -recovery } device:chr_file { open read write };

# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };

#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few whitelisted domains.
# The su exemption exists only on userdebug/eng builds (m4 macro).
#
neverallow {
    domain
    -appdomain
    -dumpstate
    -shell
    userdebug_or_eng(`-su')
    -system_server
    -zygote
} { file_type -system_file -exec_type }:file execute;
neverallow {
    domain
    -appdomain # for oemfs
    -recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;

# Only the init property service should write to /data/property.
neverallow { domain -init } property_data_file:dir { create setattr relabelfrom rename write add_name remove_name rmdir };
neverallow { domain -init } property_data_file:file { create setattr relabelfrom write append unlink link rename };

# Only recovery should be doing writes to /system
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Nothing except recovery should be writing to files in the rootfs.
neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };

# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
neverallow domain {fs_type -contextmount_type}:filesystem relabelto;

# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
# mount to another type.
neverallow { domain -recovery } contextmount_type:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

# Do not allow service_manager add for default_android_service.
# Instead domains should use a more specific type such as
# system_app_service rather than the generic type.
# New service_types are defined in service.te and new mappings
# from service name to service_type are defined in service_contexts.
neverallow domain default_android_service:service_manager add;

# Only init, recovery and system_server may read or write the
# frp_block_device partition (presumably the factory-reset-protection
# persistent partition -- confirm against the device's file_contexts).
neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;