#####################################
# domain_trans(olddomain, type, newdomain)
# Allow a transition from olddomain to newdomain
# upon executing a file labeled with type.
# This only allows the transition; it does not
# cause it to occur automatically - use domain_auto_trans
# if that is what you want.
#
# Security note: every file labeled with type becomes a valid
# entry point into newdomain (entrypoint is granted on the type,
# not on a specific path), so type should label only the binaries
# that are meant to enter newdomain.
#
define(`domain_trans', `
# Old domain may exec the file and transition to the new domain.
allow $1 $2:file { getattr open read execute };
allow $1 $3:process transition;
# New domain is entered by executing the file.
allow $3 $2:file { entrypoint open read execute getattr };
# New domain can send SIGCHLD to its caller.
allow $3 $1:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
# noatsecure is deliberately not allowed; the dontaudit only
# silences the resulting denial so AT_SECURE stays set.
dontaudit $1 $3:process noatsecure;
# XXX dontaudit candidate but requires further study.
# Lets the new domain inherit the signal state and resource
# limits of the caller across the exec.
allow $1 $3:process { siginh rlimitinh };
')
| 22 | |
#####################################
# domain_auto_trans(olddomain, type, newdomain)
# Automatically transition from olddomain to newdomain
# upon executing a file labeled with type.
# Because the transition is automatic, any file of type
# executed by olddomain lands in newdomain; keep type specific
# to the intended binary.
#
define(`domain_auto_trans', `
# Allow the necessary permissions.
domain_trans($1,$2,$3)
# Make the transition occur by default.
type_transition $1 $2:process $3;
')
| 34 | |
#####################################
# file_type_trans(domain, dir_type, file_type)
# Allow domain to create a file labeled file_type in a
# directory labeled dir_type.
# This only allows the transition; it does not
# cause it to occur automatically - use file_type_auto_trans
# if that is what you want.
# Note: the create permissions are granted on file_type itself;
# dir_type only governs adding entries to the directory, so the
# domain can create file_type objects wherever it has dir access.
#
define(`file_type_trans', `
# Allow the domain to add entries to the directory.
allow $1 $2:dir ra_dir_perms;
# Allow the domain to create the file (all non-device file classes
# and directories labeled file_type).
allow $1 $3:notdevfile_class_set create_file_perms;
allow $1 $3:dir create_dir_perms;
')
| 50 | |
#####################################
# file_type_auto_trans(domain, dir_type, file_type)
# Automatically label new files with file_type when
# they are created by domain in directories labeled dir_type.
# Both directories and non-device files created by domain under
# dir_type receive the file_type label.
#
define(`file_type_auto_trans', `
# Allow the necessary permissions.
file_type_trans($1, $2, $3)
# Make the transition occur by default.
type_transition $1 $2:dir $3;
type_transition $1 $2:notdevfile_class_set $3;
')
| 63 | |
#####################################
# r_dir_file(domain, type)
# Allow the specified domain to read directories, files
# and symbolic links of the specified type.
# Read-only: no write, create or relabel permissions are granted.
define(`r_dir_file', `
allow $1 $2:dir r_dir_perms;
allow $1 $2:{ file lnk_file } r_file_perms;
')
| 72 | |
#####################################
# tmpfs_domain(domain)
# Define and allow access to a unique type for
# this domain when creating tmpfs / shmem / ashmem files.
# Only read and write are granted here; execute (PROT_EXEC
# mappings) is intentionally left out and added separately
# by app_domain for app domains.
define(`tmpfs_domain', `
# Per-domain type so one domain cannot reach the tmpfs files of another.
type $1_tmpfs, file_type;
type_transition $1 tmpfs:file $1_tmpfs;
allow $1 $1_tmpfs:file { read write };
')
| 82 | |
#####################################
# init_daemon_domain(domain)
# Set up a transition from init to the daemon domain
# upon executing its binary.
# Expects the daemon binary to be labeled with the type
# named by the domain followed by _exec.
define(`init_daemon_domain', `
domain_auto_trans(init, $1_exec, $1)
# Give the daemon its own private tmpfs/shmem type.
tmpfs_domain($1)
')
| 91 | |
#####################################
# app_domain(domain)
# Allow a base set of permissions required for all apps.
# The bulk of the app permissions are attached to the appdomain
# attribute elsewhere; this macro only tags the type and sets up
# its private tmpfs type.
define(`app_domain', `
typeattribute $1 appdomain;
# Label ashmem objects with our own unique type.
tmpfs_domain($1)
# Map with PROT_EXEC.
# This makes the app tmpfs/ashmem memory executable for the app
# itself, on top of the read/write granted by tmpfs_domain.
allow $1 $1_tmpfs:file execute;
')
| 102 | |
#####################################
# net_domain(domain)
# Allow a base set of permissions required for network access.
# Only the attribute is assigned here; the network rules
# themselves are granted to netdomain elsewhere.
define(`net_domain', `
typeattribute $1 netdomain;
')
| 109 | |
#####################################
# bluetooth_domain(domain)
# Allow a base set of permissions required for bluetooth access.
# Only the attribute is assigned here; the bluetooth rules
# themselves are granted to bluetoothdomain elsewhere.
define(`bluetooth_domain', `
typeattribute $1 bluetoothdomain;
')
| 116 | |
#####################################
# unix_socket_connect(clientdomain, socket, serverdomain)
# Allow a local socket connection from clientdomain via
# socket to serverdomain.
# The socket argument is a prefix: the sock_file type used is
# the argument followed by _socket.
#
# Note: If you see denial records that distill to the
# following allow rules:
# allow clientdomain property_socket:sock_file write;
# allow clientdomain init:unix_stream_socket connectto;
# allow clientdomain something_prop:property_service set;
#
# This sequence indicates an attempt to set a property;
# use set_prop(sourcedomain, targetproperty) instead.
#
define(`unix_socket_connect', `
# Write to the socket file, then connect to the listening domain.
allow $1 $2_socket:sock_file write;
allow $1 $3:unix_stream_socket connectto;
')
| 135 | |
#####################################
# set_prop(sourcedomain, targetproperty)
# Allows source domain to set the
# targetproperty.
# Expands to write on property_socket, connectto on init and
# set on the given property_service type.
#
define(`set_prop', `
# Reach the property service socket owned by init.
unix_socket_connect($1, property, init)
allow $1 $2:property_service set;
')
| 145 | |
#####################################
# unix_socket_send(clientdomain, socket, serverdomain)
# Allow a local socket send from clientdomain via
# socket to serverdomain.
# Datagram counterpart of unix_socket_connect; the socket
# argument is again suffixed with _socket.
define(`unix_socket_send', `
allow $1 $2_socket:sock_file write;
allow $1 $3:unix_dgram_socket sendto;
')
| 154 | |
#####################################
# binder_use(domain)
# Allow domain to use Binder IPC.
# Also grants servicemanager the reverse access it needs to
# identify the calling domain.
define(`binder_use', `
# Call the servicemanager and transfer references to it.
allow $1 servicemanager:binder { call transfer };
# servicemanager performs getpidcon on clients.
# The three rules below let servicemanager read the caller label
# (presumably via /proc/<pid>/attr/current); the same triplet is
# repeated in use_keystore and use_drmservice.
allow servicemanager $1:dir search;
allow servicemanager $1:file { read open };
allow servicemanager $1:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
')
| 168 | |
#####################################
# binder_call(clientdomain, serverdomain)
# Allow clientdomain to perform binder IPC to serverdomain.
# Deliberately asymmetric: the server may only transfer
# references back, it is not granted call on the client.
define(`binder_call', `
# Call the server domain and optionally transfer references to it.
allow $1 $2:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow $2 $1:binder transfer;
# Receive and use open files from the server.
allow $1 $2:fd use;
')
| 180 | |
#####################################
# binder_service(domain)
# Mark a domain as being a Binder service domain.
# Used to allow binder IPC to the various system services.
# Only the attribute is assigned here; the IPC rules are
# attached to binderservicedomain elsewhere.
define(`binder_service', `
typeattribute $1 binderservicedomain;
')
| 188 | |
#####################################
# wakelock_use(domain)
# Allow domain to manage wake locks
define(`wakelock_use', `
# Access /sys/power/wake_lock and /sys/power/wake_unlock
allow $1 sysfs_wake_lock:file rw_file_perms;
# Accessing these files requires CAP_BLOCK_SUSPEND
# (granted on self, so the domain must hold the capability itself).
allow $1 self:capability2 block_suspend;
')
| 198 | |
#####################################
# selinux_check_access(domain)
# Allow domain to check SELinux permissions via selinuxfs.
define(`selinux_check_access', `
allow $1 selinuxfs:file rw_file_perms;
allow $1 kernel:security compute_av;
# Broad permission set on the domain-owned (self) netlink_selinux_socket,
# presumably used to receive AVC and policy-load notifications.
# NOTE(review): relabelfrom/relabelto and name_bind look wider than a
# notification listener needs - confirm which of these are exercised.
allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
')
| 207 | |
#####################################
# selinux_check_context(domain)
# Allow domain to check SELinux contexts via selinuxfs.
# Validation only: no permission to change enforcement or policy.
define(`selinux_check_context', `
allow $1 selinuxfs:file rw_file_perms;
allow $1 kernel:security check_context;
')
| 215 | |
#####################################
# selinux_setenforce(domain)
# Allow domain to set SELinux to enforcing.
# Security-sensitive: the setenforce permission is not
# direction-specific, so the holder can also switch the system
# to permissive. Grant only to domains that must toggle enforcement.
define(`selinux_setenforce', `
allow $1 selinuxfs:file rw_file_perms;
allow $1 kernel:security setenforce;
')
| 223 | |
#####################################
# selinux_setbool(domain)
# Allow domain to set SELinux booleans.
# Booleans change the effective policy at runtime; restrict to
# trusted domains.
define(`selinux_setbool', `
allow $1 selinuxfs:file rw_file_perms;
allow $1 kernel:security setbool;
')
William Roberts | 9e70c8b | 2013-01-23 14:02:43 -0800 | [diff] [blame] | 231 | |
#####################################
# security_access_policy(domain)
# Read only access to all policy files
# labeled security_file.
# NOTE(review): despite the earlier wording, no selinuxfs rule is
# granted by this macro; see the selinux_* macros for that.
define(`security_access_policy', `
allow $1 security_file:dir r_dir_perms;
allow $1 security_file:file r_file_perms;
')
| 240 | |
#####################################
# selinux_manage_policy(domain)
# Ability to manage policy files and
# trigger runtime reload.
# Highly privileged: write access to security_file plus the
# ability to set security_prop lets the domain replace the
# policy the system enforces. Grant sparingly.
define(`selinux_manage_policy', `
security_access_policy($1)
# Connect to the init property socket, needed to set security_prop below.
unix_socket_connect($1, property, init)
allow $1 security_file:dir create_dir_perms;
allow $1 security_file:file create_file_perms;
allow $1 security_file:lnk_file { create rename unlink };
# Setting security_prop is presumably what triggers the runtime reload.
allow $1 security_prop:property_service set;
')
| 253 | |
#####################################
# mmac_manage_policy(domain)
# Ability to manage mmac policy files,
# trigger runtime reload, change
# mmac enforcing mode and access logcat.
# NOTE(review): the rules below are the body of selinux_manage_policy
# minus security_access_policy; no logcat rule is present here, and the
# mode change is presumably driven through security_prop - confirm.
define(`mmac_manage_policy', `
# Connect to the init property socket, needed to set security_prop below.
unix_socket_connect($1, property, init)
allow $1 security_file:dir create_dir_perms;
allow $1 security_file:file create_file_perms;
allow $1 security_file:lnk_file { create rename unlink };
allow $1 security_prop:property_service set;
')
| 266 | |
#####################################
# access_kmsg(domain)
# Ability to read from kernel logs
# and execute the klogctl syscall
# in a non destructive manner. See
# man 2 klogctl
# Read-only: syslog_mod and syslog_console are not granted, so
# the domain cannot clear the ring buffer or change console logging.
define(`access_kmsg', `
allow $1 kernel:system syslog_read;
')
William Roberts | 8cd20ef | 2013-04-29 07:31:24 -0700 | [diff] [blame] | 276 | |
#####################################
# create_pty(domain)
# Allow domain to create and use a pty, isolated from any other domain ptys.
# Isolation comes from the per-domain devpts type declared below.
define(`create_pty', `
# Each domain gets a unique devpts type.
type $1_devpts, fs_type;
# Label the pty with the unique type when created.
type_transition $1 devpts:chr_file $1_devpts;
# Allow use of the pty after creation.
allow $1 $1_devpts:chr_file { open getattr read write ioctl };
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
# allowed to everyone via domain.te.
')
| 290 | |
#####################################
# Non system_app application set
# Expands to the set of all appdomain types except system_app,
# for use as a source or target type set in rules.
#
define(`non_system_app_set', `{ appdomain -system_app }')
Nick Kralevich | 88ce951 | 2014-01-09 15:25:36 -0800 | [diff] [blame] | 295 | |
#####################################
# Recovery only
# SELinux rules which apply only to recovery mode
# Expands to its argument when target_recovery is true and
# to nothing otherwise.
#
define(`recovery_only', ifelse(target_recovery, `true', $1, ))
| 301 | |
#####################################
# Userdebug or eng builds
# SELinux rules which apply only to userdebug or eng builds
# The argument expands to nothing on any other build variant
# (e.g. user), so rules wrapped here never reach such builds.
#
define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
Nick Kralevich | 623975f | 2014-01-11 01:31:03 -0800 | [diff] [blame] | 307 | |
#####################################
# write_logd(domain)
# Ability to write to android log
# daemon via sockets, plus write-only
# access to pmsg_device.
define(`write_logd', `
unix_socket_send($1, logdw, logd)
# Write-only (no read) on the pmsg device.
allow $1 pmsg_device:chr_file w_file_perms;
')
| 316 | |
#####################################
# read_logd(domain)
# Ability to run logcat and read from android
# log daemon via sockets
define(`read_logd', `
# Execute the logcat binary; no domain transition is set up here,
# so logcat runs in the calling domain.
allow $1 logcat_exec:file rx_file_perms;
unix_socket_connect($1, logdr, logd)
')
| 325 | |
#####################################
# control_logd(domain)
# Ability to control
# android log daemon via sockets
# Only the socket connection is granted by SELinux; logd
# additionally checks group membership (see below).
define(`control_logd', `
# Group AID_LOG checked by filesystem & logd
# to permit control commands
unix_socket_connect($1, logd, logd)
')
Riley Spahn | 1196d2a | 2014-06-17 14:58:52 -0700 | [diff] [blame] | 335 | |
#####################################
# use_keystore(domain)
# Ability to use keystore.
# Keystore requires the following permissions
# to call getpidcon on the caller.
define(`use_keystore', `
# Let keystore identify the calling domain (getpidcon).
allow keystore $1:dir search;
allow keystore $1:file { read open };
allow keystore $1:process getattr;
# Look up the keystore service through servicemanager and call it.
allow $1 keystore_service:service_manager find;
binder_call($1, keystore)
')
Riley Spahn | b8511e0 | 2014-07-07 13:56:27 -0700 | [diff] [blame] | 348 | |
###########################################
# use_drmservice(domain)
# Ability to use DrmService which requires
# DrmService to call getpidcon.
# Note: unlike use_keystore, this macro grants no binder_call or
# service_manager find; those must come from elsewhere.
define(`use_drmservice', `
# Let drmserver identify the calling domain (getpidcon).
allow drmserver $1:dir search;
allow drmserver $1:file { read open };
allow drmserver $1:process getattr;
')