domain.te

# Rules for all domains.

# Allow reaping by init.
allow domain init:process sigchld;

# Intra-domain accesses.
allow domain self:process {
    fork
    sigchld
    sigkill
    sigstop
    signull
    signal
    getsched
    setsched
    getsession
    getpgid
    setpgid
    getcap
    setcap
    getattr
    setrlimit
};
allow domain self:fd use;
allow domain proc:dir r_dir_perms;
allow domain proc_net:dir search;
r_dir_file(domain, self)
allow domain self:{ fifo_file file } rw_file_perms;
allow domain self:unix_dgram_socket { create_socket_perms sendto };
allow domain self:unix_stream_socket { create_stream_socket_perms connectto };

# Inherit or receive open files from others.
allow domain init:fd use;

userdebug_or_eng(`
  # Same as adbd rules above, except allow su to do the same thing
  allow domain su:unix_stream_socket connectto;
  allow domain su:fd use;
  allow domain su:unix_stream_socket { getattr getopt read write shutdown };

  allow { domain -init } su:binder { call transfer };
  allow { domain -init } su:fd use;

  # Running something like "pm dump com.android.bluetooth" requires
  # fifo writes
  allow domain su:fifo_file { write getattr };

  # allow "gdbserver --attach" to work for su.
  allow domain su:process sigchld;

  # Allow writing coredumps to /cores/*
  allow domain coredump_file:file create_file_perms;
  allow domain coredump_file:dir ra_dir_perms;
')

# Root fs.
allow domain rootfs:dir search;
allow domain rootfs:lnk_file { read getattr };

# Device accesses.
allow domain device:dir search;
allow domain dev_type:lnk_file r_file_perms;
allow domain devpts:dir search;
allow domain socket_device:dir r_dir_perms;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file rw_file_perms;
allow domain ashmem_device:chr_file rw_file_perms;
# /dev/binder can be accessed by non-vendor domains and by apps
allow {
  coredomain
  appdomain
  binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
  -hwservicemanager
} binder_device:chr_file rw_file_perms;
# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain properties_device:dir { search getattr };
allow domain properties_serial:file r_file_perms;

# For now, everyone can access core property files
# Device specific properties are not granted by default
get_prop(domain, core_property_type)
# Let everyone read log properties, so that liblog can avoid sending unloggable
# messages to logd.
get_prop(domain, log_property_type)
dontaudit domain property_type:file audit_access;
allow domain property_contexts_file:file r_file_perms;

allow domain init:key search;
allow domain vold:key search;

# logd access
write_logd(domain)

# System file accesses.
allow domain system_file:dir { search getattr };
allow domain system_file:file { execute read open getattr map };
allow domain system_file:lnk_file { getattr read };

# Make sure system/vendor split doesn not affect non-treble
# devices
not_full_treble(`
    allow domain vendor_file_type:dir { search getattr };
    allow domain vendor_file_type:file { execute read open getattr map };
    allow domain vendor_file_type:lnk_file { getattr read };
')

# All domains are allowed to open and read directories
# that contain HAL implementations (e.g. passthrough
# HALs require clients to have these permissions)
allow domain vendor_hal_file:dir r_dir_perms;

# Everyone can read and execute all same process HALs
allow domain same_process_hal_file:dir r_dir_perms;
allow domain same_process_hal_file:file { execute read open getattr map };

# Any process can load vndk-sp libraries, which are system libraries
# used by same process HALs
allow domain vndk_sp_file:dir r_dir_perms;
allow domain vndk_sp_file:file { execute read open getattr map };

# All domains get access to /vendor/etc
allow domain vendor_configs_file:dir r_dir_perms;
allow domain vendor_configs_file:file { read open getattr };

full_treble_only(`
    # Allow all domains to be able to follow /system/vendor symlink
    allow domain vendor_file:lnk_file { getattr open read };

    # This is required to be able to search & read /vendor/lib64
    # in order to lookup vendor libraries. The execute permission
    # for coredomains is granted *only* for same process HALs
    allow domain vendor_file:dir { getattr search };

    # Allow reading and executing out of /vendor to all vendor domains
    allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
    allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
    allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
')

# read and stat any sysfs symlinks
allow domain sysfs:lnk_file { getattr read };

# libc references /data/misc/zoneinfo for timezone related information
# This directory is considered to be a VNDK-stable
r_dir_file(domain, zoneinfo_data_file)

# Lots of processes access current CPU information
r_dir_file(domain, sysfs_devices_system_cpu)

r_dir_file(domain, sysfs_usb);

# files under /data.
not_full_treble(`allow domain system_data_file:dir getattr;')
allow { coredomain appdomain } system_data_file:dir getattr;
# /data has the label system_data_file. Vendor components need the search
# permission on system_data_file for path traversal to /data/vendor.
allow domain system_data_file:dir search;

# required by the dynamic linker
allow domain proc:lnk_file { getattr read };

# /proc/cpuinfo
allow domain proc_cpuinfo:file r_file_perms;

# jemalloc needs to read /proc/sys/vm/overcommit_memory
allow domain proc_overcommit_memory:file r_file_perms;

# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
allow domain proc_perf:file r_file_perms;

# toybox loads libselinux which stats /sys/fs/selinux/
allow domain selinuxfs:dir search;
allow domain selinuxfs:file getattr;
allow domain sysfs:dir search;
allow domain selinuxfs:filesystem getattr;

# For /acct/uid/*/tasks.
allow domain cgroup:dir { search write };
allow domain cgroup:file w_file_perms;

# Almost all processes log tracing information to
# /sys/kernel/debug/tracing/trace_marker
# The reason behind this is documented in b/6513400
allow domain debugfs:dir search;
allow domain debugfs_tracing:dir search;
allow domain debugfs_trace_marker:file w_file_perms;

# Filesystem access.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;

# Restrict all domains to a whitelist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
# defaults for all processes. Note that granting this whitelist to domain does