Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 1 | ##################################### |
| 2 | # domain_trans(olddomain, type, newdomain) |
| 3 | # Allow a transition from olddomain to newdomain |
| 4 | # upon executing a file labeled with type. |
| 5 | # This only allows the transition; it does not |
| 6 | # cause it to occur automatically - use domain_auto_trans |
| 7 | # if that is what you want. |
| 8 | # |
| 9 | define(`domain_trans', ` |
| 10 | # Old domain may exec the file and transition to the new domain. |
| 11 | allow $1 $2:file { getattr open read execute }; |
| 12 | allow $1 $3:process transition; |
| 13 | # New domain is entered by executing the file. |
Stephen Smalley | ea219e3 | 2014-03-26 10:32:09 -0400 | [diff] [blame] | 14 | allow $3 $2:file { entrypoint open read execute getattr }; |
Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 15 | # New domain can send SIGCHLD to its caller. |
| 16 | allow $3 $1:process sigchld; |
| 17 | # Enable AT_SECURE, i.e. libc secure mode. |
| 18 | dontaudit $1 $3:process noatsecure; |
| 19 | # XXX dontaudit candidate but requires further study. |
| 20 | allow $1 $3:process { siginh rlimitinh }; |
| 21 | ') |
| 22 | |
| 23 | ##################################### |
| 24 | # domain_auto_trans(olddomain, type, newdomain) |
| 25 | # Automatically transition from olddomain to newdomain |
| 26 | # upon executing a file labeled with type. |
| 27 | # |
| 28 | define(`domain_auto_trans', ` |
| 29 | # Allow the necessary permissions. |
| 30 | domain_trans($1,$2,$3) |
| 31 | # Make the transition occur by default. |
| 32 | type_transition $1 $2:process $3; |
| 33 | ') |
| 34 | |
| 35 | ##################################### |
| 36 | # file_type_trans(domain, dir_type, file_type) |
| 37 | # Allow domain to create a file labeled file_type in a |
| 38 | # directory labeled dir_type. |
| 39 | # This only allows the transition; it does not |
| 40 | # cause it to occur automatically - use file_type_auto_trans |
| 41 | # if that is what you want. |
| 42 | # |
| 43 | define(`file_type_trans', ` |
| 44 | # Allow the domain to add entries to the directory. |
| 45 | allow $1 $2:dir ra_dir_perms; |
| 46 | # Allow the domain to create the file. |
| 47 | allow $1 $3:notdevfile_class_set create_file_perms; |
| 48 | allow $1 $3:dir create_dir_perms; |
| 49 | ') |
| 50 | |
| 51 | ##################################### |
| 52 | # file_type_auto_trans(domain, dir_type, file_type) |
| 53 | # Automatically label new files with file_type when |
| 54 | # they are created by domain in directories labeled dir_type. |
| 55 | # |
| 56 | define(`file_type_auto_trans', ` |
| 57 | # Allow the necessary permissions. |
| 58 | file_type_trans($1, $2, $3) |
| 59 | # Make the transition occur by default. |
| 60 | type_transition $1 $2:dir $3; |
| 61 | type_transition $1 $2:notdevfile_class_set $3; |
| 62 | ') |
| 63 | |
| 64 | ##################################### |
| 65 | # r_dir_file(domain, type) |
| 66 | # Allow the specified domain to read directories, files |
| 67 | # and symbolic links of the specified type. |
| 68 | define(`r_dir_file', ` |
| 69 | allow $1 $2:dir r_dir_perms; |
| 70 | allow $1 $2:{ file lnk_file } r_file_perms; |
| 71 | ') |
| 72 | |
| 73 | ##################################### |
| 74 | # unconfined_domain(domain) |
Nick Kralevich | 84d8831 | 2013-10-21 13:32:31 -0700 | [diff] [blame] | 75 | # Allow the specified domain to perform more privileged operations |
| 76 | # than would be typically allowed. Please see the comments at the |
| 77 | # top of unconfined.te. |
Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 78 | # |
| 79 | define(`unconfined_domain', ` |
| 80 | typeattribute $1 mlstrustedsubject; |
| 81 | typeattribute $1 unconfineddomain; |
| 82 | ') |
| 83 | |
| 84 | ##################################### |
| 85 | # tmpfs_domain(domain) |
| 86 | # Define and allow access to a unique type for |
| 87 | # this domain when creating tmpfs / shmem / ashmem files. |
| 88 | define(`tmpfs_domain', ` |
| 89 | type $1_tmpfs, file_type; |
| 90 | type_transition $1 tmpfs:file $1_tmpfs; |
Stephen Smalley | e7ec2f5 | 2013-12-23 16:18:55 -0500 | [diff] [blame] | 91 | allow $1 $1_tmpfs:file { read write }; |
Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 92 | ') |
| 93 | |
| 94 | ##################################### |
| 95 | # init_daemon_domain(domain) |
| 96 | # Set up a transition from init to the daemon domain |
| 97 | # upon executing its binary. |
| 98 | define(`init_daemon_domain', ` |
| 99 | domain_auto_trans(init, $1_exec, $1) |
| 100 | tmpfs_domain($1) |
Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 101 | ') |
| 102 | |
| 103 | ##################################### |
| 104 | # app_domain(domain) |
| 105 | # Allow a base set of permissions required for all apps. |
| 106 | define(`app_domain', ` |
| 107 | typeattribute $1 appdomain; |
| 108 | # Label ashmem objects with our own unique type. |
| 109 | tmpfs_domain($1) |
Stephen Smalley | e7ec2f5 | 2013-12-23 16:18:55 -0500 | [diff] [blame] | 110 | # Map with PROT_EXEC. |
| 111 | allow $1 $1_tmpfs:file execute; |
Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 112 | ') |
| 113 | |
| 114 | ##################################### |
| 115 | # net_domain(domain) |
| 116 | # Allow a base set of permissions required for network access. |
| 117 | define(`net_domain', ` |
| 118 | typeattribute $1 netdomain; |
| 119 | ') |
| 120 | |
| 121 | ##################################### |
| 122 | # bluetooth_domain(domain) |
| 123 | # Allow a base set of permissions required for bluetooth access. |
| 124 | define(`bluetooth_domain', ` |
| 125 | typeattribute $1 bluetoothdomain; |
| 126 | ') |
| 127 | |
| 128 | ##################################### |
| 129 | # unix_socket_connect(clientdomain, socket, serverdomain) |
| 130 | # Allow a local socket connection from clientdomain via |
| 131 | # socket to serverdomain. |
| 132 | define(`unix_socket_connect', ` |
| 133 | allow $1 $2_socket:sock_file write; |
| 134 | allow $1 $3:unix_stream_socket connectto; |
| 135 | ') |
| 136 | |
| 137 | ##################################### |
| 138 | # unix_socket_send(clientdomain, socket, serverdomain) |
| 139 | # Allow a local socket send from clientdomain via |
| 140 | # socket to serverdomain. |
| 141 | define(`unix_socket_send', ` |
| 142 | allow $1 $2_socket:sock_file write; |
| 143 | allow $1 $3:unix_dgram_socket sendto; |
| 144 | ') |
| 145 | |
| 146 | ##################################### |
| 147 | # binder_use(domain) |
| 148 | # Allow domain to use Binder IPC. |
| 149 | define(`binder_use', ` |
Stephen Smalley | 9ce99e3 | 2012-11-16 09:17:54 -0500 | [diff] [blame] | 150 | # Call the servicemanager and transfer references to it. |
| 151 | allow $1 servicemanager:binder { call transfer }; |
Riley Spahn | 344fc10 | 2014-07-07 13:56:27 -0700 | [diff] [blame] | 152 | # servicemanager performs getpidcon on clients. |
| 153 | allow servicemanager $1:dir search; |
| 154 | allow servicemanager $1:file { read open }; |
| 155 | allow servicemanager $1:process getattr; |
Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 156 | # rw access to /dev/binder and /dev/ashmem is presently granted to |
| 157 | # all domains in domain.te. |
| 158 | ') |
| 159 | |
| 160 | ##################################### |
| 161 | # binder_call(clientdomain, serverdomain) |
| 162 | # Allow clientdomain to perform binder IPC to serverdomain. |
| 163 | define(`binder_call', ` |
Stephen Smalley | 9ce99e3 | 2012-11-16 09:17:54 -0500 | [diff] [blame] | 164 | # Call the server domain and optionally transfer references to it. |
| 165 | allow $1 $2:binder { call transfer }; |
| 166 | # Allow the serverdomain to transfer references to the client on the reply. |
| 167 | allow $2 $1:binder transfer; |
Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 168 | # Receive and use open files from the server. |
| 169 | allow $1 $2:fd use; |
| 170 | ') |
| 171 | |
| 172 | ##################################### |
Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 173 | # binder_service(domain) |
| 174 | # Mark a domain as being a Binder service domain. |
| 175 | # Used to allow binder IPC to the various system services. |
| 176 | define(`binder_service', ` |
| 177 | typeattribute $1 binderservicedomain; |
| 178 | ') |
| 179 | |
| 180 | ##################################### |
Nick Kralevich | 8599e34 | 2014-05-23 13:33:32 -0700 | [diff] [blame] | 181 | # wakelock_use(domain) |
| 182 | # Allow domain to manage wake locks |
| 183 | define(`wakelock_use', ` |
| 184 | # Access /sys/power/wake_lock and /sys/power/wake_unlock |
| 185 | allow $1 sysfs_wake_lock:file rw_file_perms; |
| 186 | # Accessing these files requires CAP_BLOCK_SUSPEND |
| 187 | allow $1 self:capability2 block_suspend; |
| 188 | ') |
| 189 | |
| 190 | ##################################### |
Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 191 | # selinux_check_access(domain) |
| 192 | # Allow domain to check SELinux permissions via selinuxfs. |
| 193 | define(`selinux_check_access', ` |
Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 194 | allow $1 selinuxfs:file rw_file_perms; |
| 195 | allow $1 kernel:security compute_av; |
| 196 | allow $1 self:netlink_selinux_socket *; |
| 197 | ') |
| 198 | |
| 199 | ##################################### |
| 200 | # selinux_check_context(domain) |
| 201 | # Allow domain to check SELinux contexts via selinuxfs. |
| 202 | define(`selinux_check_context', ` |
Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 203 | allow $1 selinuxfs:file rw_file_perms; |
| 204 | allow $1 kernel:security check_context; |
| 205 | ') |
| 206 | |
| 207 | ##################################### |
Stephen Smalley | 4c6f1ce | 2012-02-02 13:28:44 -0500 | [diff] [blame] | 208 | # selinux_setenforce(domain) |
| 209 | # Allow domain to set SELinux to enforcing. |
| 210 | define(`selinux_setenforce', ` |
Stephen Smalley | 4c6f1ce | 2012-02-02 13:28:44 -0500 | [diff] [blame] | 211 | allow $1 selinuxfs:file rw_file_perms; |
| 212 | allow $1 kernel:security setenforce; |
| 213 | ') |
| 214 | |
| 215 | ##################################### |
| 216 | # selinux_setbool(domain) |
| 217 | # Allow domain to set SELinux booleans. |
| 218 | define(`selinux_setbool', ` |
Stephen Smalley | 4c6f1ce | 2012-02-02 13:28:44 -0500 | [diff] [blame] | 219 | allow $1 selinuxfs:file rw_file_perms; |
| 220 | allow $1 kernel:security setbool; |
| 221 | ') |
William Roberts | 9e70c8b | 2013-01-23 14:02:43 -0800 | [diff] [blame] | 222 | |
| 223 | ##################################### |
| 224 | # security_access_policy(domain) |
| 225 | # Read only access to all policy files and |
| 226 | # selinuxfs |
| 227 | define(`security_access_policy', ` |
| 228 | allow $1 security_file:dir r_dir_perms; |
| 229 | allow $1 security_file:file r_file_perms; |
William Roberts | 9e70c8b | 2013-01-23 14:02:43 -0800 | [diff] [blame] | 230 | ') |
| 231 | |
| 232 | ##################################### |
| 233 | # selinux_manage_policy(domain) |
Stephen Smalley | d99e6d5 | 2013-12-02 14:18:11 -0500 | [diff] [blame] | 234 | # Ability to manage policy files and |
| 235 | # trigger runtime reload. |
William Roberts | 9e70c8b | 2013-01-23 14:02:43 -0800 | [diff] [blame] | 236 | define(`selinux_manage_policy', ` |
William Roberts | 9e70c8b | 2013-01-23 14:02:43 -0800 | [diff] [blame] | 237 | security_access_policy($1) |
| 238 | unix_socket_connect($1, property, init) |
| 239 | allow $1 security_file:dir create_dir_perms; |
| 240 | allow $1 security_file:file create_file_perms; |
Stephen Smalley | 79e084f | 2013-08-27 09:16:47 -0400 | [diff] [blame] | 241 | allow $1 security_file:lnk_file { create rename unlink }; |
William Roberts | 9e70c8b | 2013-01-23 14:02:43 -0800 | [diff] [blame] | 242 | allow $1 security_prop:property_service set; |
| 243 | ') |
| 244 | |
| 245 | ##################################### |
| 246 | # mmac_manage_policy(domain) |
| 247 | # Ability to manage mmac policy files, |
| 248 | # trigger runtime reload, change |
| 249 | # mmac enforcing mode and access logcat. |
| 250 | define(`mmac_manage_policy', ` |
| 251 | unix_socket_connect($1, property, init) |
| 252 | allow $1 security_file:dir create_dir_perms; |
| 253 | allow $1 security_file:file create_file_perms; |
Stephen Smalley | 79e084f | 2013-08-27 09:16:47 -0400 | [diff] [blame] | 254 | allow $1 security_file:lnk_file { create rename unlink }; |
William Roberts | 9e70c8b | 2013-01-23 14:02:43 -0800 | [diff] [blame] | 255 | allow $1 security_prop:property_service set; |
| 256 | ') |
| 257 | |
| 258 | ##################################### |
William Roberts | 9e70c8b | 2013-01-23 14:02:43 -0800 | [diff] [blame] | 259 | # access_kmsg(domain) |
| 260 | # Ability to read from kernel logs |
| 261 | # and execute the klogctl syscall |
| 262 | # in a non destructive manner. See |
| 263 | # man 2 klogctl |
| 264 | define(`access_kmsg', ` |
| 265 | allow $1 kernel:system syslog_read; |
William Roberts | 6c4c27e | 2013-04-04 13:17:36 -0700 | [diff] [blame] | 266 | ') |
William Roberts | 8cd20ef | 2013-04-29 07:31:24 -0700 | [diff] [blame] | 267 | |
| 268 | ##################################### |
Alex Klyubin | 77ec892 | 2013-05-09 12:39:32 -0700 | [diff] [blame] | 269 | # write_klog(domain) |
| 270 | # Ability to write to kernel log via |
| 271 | # klog_write() |
| 272 | # See system/core/libcutil/klog.c |
| 273 | define(`write_klog', ` |
| 274 | type_transition $1 device:chr_file klog_device "__kmsg__"; |
| 275 | allow $1 klog_device:chr_file { create open write unlink }; |
Stephen Smalley | a473e29 | 2013-07-30 09:19:00 -0400 | [diff] [blame] | 276 | allow $1 device:dir { write add_name remove_name }; |
Alex Klyubin | 77ec892 | 2013-05-09 12:39:32 -0700 | [diff] [blame] | 277 | ') |
Alex Klyubin | e5e98ae | 2013-05-09 14:05:10 -0700 | [diff] [blame] | 278 | |
| 279 | ##################################### |
Stephen Smalley | 2dc4acf | 2013-09-27 09:44:32 -0400 | [diff] [blame] | 280 | # create_pty(domain) |
| 281 | # Allow domain to create and use a pty, isolated from any other domain ptys. |
| 282 | define(`create_pty', ` |
| 283 | # Each domain gets a unique devpts type. |
| 284 | type $1_devpts, fs_type; |
| 285 | # Label the pty with the unique type when created. |
| 286 | type_transition $1 devpts:chr_file $1_devpts; |
| 287 | # Allow use of the pty after creation. |
| 288 | allow $1 $1_devpts:chr_file { open getattr read write ioctl }; |
| 289 | # Note: devpts:dir search and ptmx_device:chr_file rw_file_perms |
| 290 | # allowed to everyone via domain.te. |
| 291 | ') |
| 292 | |
| 293 | ##################################### |
William Roberts | 8cd20ef | 2013-04-29 07:31:24 -0700 | [diff] [blame] | 294 | # Non system_app application set |
| 295 | # |
| 296 | define(`non_system_app_set', `{ appdomain -system_app }') |
Nick Kralevich | 88ce951 | 2014-01-09 15:25:36 -0800 | [diff] [blame] | 297 | |
| 298 | ##################################### |
Stephen Smalley | e60723a | 2014-05-29 16:40:15 -0400 | [diff] [blame] | 299 | # Recovery only |
| 300 | # SELinux rules which apply only to recovery mode |
| 301 | # |
| 302 | define(`recovery_only', ifelse(target_recovery, `true', $1, )) |
| 303 | |
| 304 | ##################################### |
Nick Kralevich | 88ce951 | 2014-01-09 15:25:36 -0800 | [diff] [blame] | 305 | # Userdebug or eng builds |
| 306 | # SELinux rules which apply only to userdebug or eng builds |
| 307 | # |
| 308 | define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1))) |
Nick Kralevich | 623975f | 2014-01-11 01:31:03 -0800 | [diff] [blame] | 309 | |
| 310 | ##################################### |
| 311 | # permissive_or_unconfined |
| 312 | # Returns "permissive $1" if FORCE_PERMISSIVE_TO_UNCONFINED is false, |
| 313 | # and "unconfined($1)" otherwise. |
| 314 | # |
| 315 | # This is used for experimental domains, where we want to ensure |
| 316 | # the domain is unconfined+enforcing once new SELinux policy development |
| 317 | # has ceased. |
| 318 | # |
| 319 | define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false', permissive $1;, unconfined_domain($1))) |
Mark Salyzyn | 8ed750e | 2013-11-12 15:34:52 -0800 | [diff] [blame] | 320 | |
| 321 | ##################################### |
| 322 | # write_logd(domain) |
| 323 | # Ability to write to android log |
| 324 | # daemon via sockets |
| 325 | define(`write_logd', ` |
| 326 | userdebug_or_eng(` |
Nick Kralevich | 2bcea0a | 2014-06-04 15:53:30 -0700 | [diff] [blame] | 327 | allow $1 logd_debug:file w_file_perms; |
Mark Salyzyn | 8ed750e | 2013-11-12 15:34:52 -0800 | [diff] [blame] | 328 | ') |
| 329 | unix_socket_send($1, logdw, logd) |
| 330 | ') |
| 331 | |
| 332 | ##################################### |
| 333 | # read_logd(domain) |
| 334 | # Ability to read from android |
| 335 | # log daemon via sockets |
| 336 | define(`read_logd', ` |
| 337 | unix_socket_connect($1, logdr, logd) |
| 338 | ') |
| 339 | |
| 340 | ##################################### |
| 341 | # control_logd(domain) |
| 342 | # Ability to control |
| 343 | # android log daemon via sockets |
| 344 | define(`control_logd', ` |
| 345 | # Group AID_LOG checked by filesystem & logd |
| 346 | # to permit control commands |
| 347 | unix_socket_connect($1, logd, logd) |
| 348 | ') |
Riley Spahn | 1196d2a | 2014-06-17 14:58:52 -0700 | [diff] [blame] | 349 | |
| 350 | ##################################### |
| 351 | # use_keystore(domain) |
| 352 | # Ability to use keystore. |
| 353 | # Keystore is requires the following permissions |
| 354 | # to call getpidcon. |
| 355 | define(`use_keystore', ` |
| 356 | allow keystore $1:dir search; |
| 357 | allow keystore $1:file { read open }; |
| 358 | allow keystore $1:process getattr; |
| 359 | binder_call($1, keystore) |
| 360 | ') |