#######################################################
#
# This is the unconfined template. This template is the base policy
# which is used by daemons and other privileged components of
# Android.
#
# Historically, this template was called "unconfined" because it
# allowed the domain to do anything it wanted. Over time,
# this has changed, and will continue to change in the future.
# The rules in this file will be removed when no remaining
# unconfined domains require it, or when the rules contradict
# Android security best practices. Domains which need rules not
# provided by the unconfined template should add them directly to
# the relevant policy.
#
# The use of this template is discouraged.
#
# Reading guide: every rule below is an `allow` on the
# unconfineddomain attribute. `*` grants every permission of the
# class; `~{ ... }` grants every permission except the ones listed;
# a `-type` inside a type set carves that type out of the grant.
# The "except" lists are the tightening described above, so review
# each rule for what it withholds, not only for what it grants.
# r_dir_perms / r_file_perms / rw_file_perms are permission macros
# defined elsewhere in the policy (read-only dir, read-only file,
# read-write file).
######################################################

# Capabilities: everything except process tracing (sys_ptrace), raw
# device / device-node access (sys_rawio, mknod), kernel module
# loading (sys_module), audit log writing and configuration, and the
# immutable file attribute.
allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module audit_write audit_control linux_immutable };
# capability2: everything except the MAC override / MAC admin
# capabilities, which would let the domain bypass or reconfigure
# SELinux enforcement itself.
allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
# kernel:security is the selinuxfs interface. The withheld permissions
# are exactly those that change the loaded policy, the enforcing mode,
# checkreqprot, policy booleans or security parameters.
allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
# kernel:system: withholds reading, modifying and console control of
# the kernel log (the syslog_* permissions).
allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console };
# Access to objects owned by every other process domain: all fd
# permissions, read-only dirs and symlinks, read-write files and fifos.
# NOTE(review): the dir/file objects labelled with a process domain are
# presumably the per-process /proc entries -- confirm against the
# labelling rules before relying on that reading.
allow unconfineddomain domain:fd *;
allow unconfineddomain domain:dir r_dir_perms;
allow unconfineddomain domain:lnk_file r_file_perms;
allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
# Every permission on every listed socket class belonging to any
# domain. This includes the netlink_* classes, so the domain can reach
# routing, firewall, audit, selinux and uevent netlink sockets of other
# processes.
allow unconfineddomain domain:{
socket
netlink_socket
key_socket
unix_stream_socket
unix_dgram_socket
netlink_route_socket
netlink_firewall_socket
netlink_tcpdiag_socket
netlink_nflog_socket
netlink_xfrm_socket
netlink_selinux_socket
netlink_audit_socket
netlink_ip6fw_socket
netlink_dnrt_socket
netlink_kobject_uevent_socket
tun_socket
} *;
# All SysV IPC and kernel keyring permissions against any domain.
allow unconfineddomain domain:ipc_class_set *;
allow unconfineddomain domain:key *;
# Directory-like objects (dir, symlink, socket, fifo) on filesystems
# and device nodes: everything except relabelto, i.e. the domain may
# not relabel an object into one of these types. contextmount_type
# and sdcard_type are carved out of the fs_type grant; contextmount_type
# is given read-only access further down, sdcard_type gets no
# replacement rule in this file.
allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~relabelto;
# Same grant for labelled files in general, minus the sensitive types
# listed. Of the carved-out types, only system_file and exec_type get
# a (read + execute) replacement rule below; keystore, property,
# security, shell and app data files get nothing from this template.
allow unconfineddomain {
file_type
-keystore_data_file
-property_data_file
-system_file
-exec_type
-security_file
-shell_data_file
-app_data_file
}:{ dir lnk_file sock_file fifo_file } ~relabelto;
# Executables and the system partition: read and execute only. No
# write permission is granted to these types anywhere in this file.
allow unconfineddomain exec_type:dir r_dir_perms;
allow unconfineddomain exec_type:file { r_file_perms execute };
allow unconfineddomain exec_type:lnk_file r_file_perms;
allow unconfineddomain system_file:dir r_dir_perms;
allow unconfineddomain system_file:file { r_file_perms execute };
allow unconfineddomain system_file:lnk_file r_file_perms;
# Regular and character files on filesystems, devices and labelled
# files: everything except the execute-related permissions (entrypoint,
# execute_no_trans, execmod, execute) and relabelto, so the domain can
# read/write these objects but cannot run code from them or map them
# executable. usermodehelper, proc_security, contextmount_type, rootfs
# and sdcard_type are carved out of the fs_type grant; kmem_device is
# carved out of the dev_type grant entirely.
allow unconfineddomain {
fs_type
-usermodehelper
-proc_security
-contextmount_type
-rootfs
-sdcard_type
}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
allow unconfineddomain {
file_type
-keystore_data_file
-property_data_file
-system_file
-exec_type
-security_file
-shell_data_file
-app_data_file
}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
# rootfs is excluded from the broad rule above; the only rootfs access
# this template grants is executing its files.
allow unconfineddomain rootfs:file execute;
# Context-mounted filesystems: read-only.
allow unconfineddomain contextmount_type:dir r_dir_perms;
allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms;
# Networking: every node and interface permission, and receipt of
# labelled packets from any domain.
allow unconfineddomain node_type:node *;
allow unconfineddomain netif_type:netif *;
allow unconfineddomain domain:peer recv;
# Binder: call and transfer to every domain except init, plus
# set_context_mgr, which lets the domain register as the binder
# context manager.
allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };