Skip to content
Snippets Groups Projects
domain.te 23 KiB
Newer Older
  • Learn to ignore specific revisions
  • # Rules for all domains.
    
    # Allow reaping by init.
    allow domain init:process sigchld;
    
    # Intra-domain accesses.
    
    allow domain self:process {
        fork
        sigchld
        sigkill
        sigstop
        signull
        signal
        getsched
        setsched
        getsession
        getpgid
        setpgid
        getcap
        setcap
        getattr
        setrlimit
    };
    
    allow domain self:fd use;
    
    allow domain proc:dir r_dir_perms;
    
    allow domain proc_net:dir search;
    
    r_dir_file(domain, self)
    
    allow domain self:{ fifo_file file } rw_file_perms;
    
    Stephen Smalley's avatar
    Stephen Smalley committed
    allow domain self:unix_dgram_socket { create_socket_perms sendto };
    allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
    
    
    # Inherit or receive open files from others.
    allow domain init:fd use;
    
    
    userdebug_or_eng(`
      # Same as adbd rules above, except allow su to do the same thing
      allow domain su:unix_stream_socket connectto;
      allow domain su:fd use;
      allow domain su:unix_stream_socket { getattr getopt read write shutdown };
    
    
      allow { domain -init } su:binder { call transfer };
      allow { domain -init } su:fd use;
    
      # Running something like "pm dump com.android.bluetooth" requires
      # fifo writes
      allow domain su:fifo_file { write getattr };
    
      # allow "gdbserver --attach" to work for su.
      allow domain su:process sigchld;
    
    
      # Allow writing coredumps to /cores/*
      allow domain coredump_file:file create_file_perms;
      allow domain coredump_file:dir ra_dir_perms;
    
    allow domain rootfs:dir search;
    allow domain rootfs:lnk_file read;
    
    
    # Device accesses.
    allow domain device:dir search;
    
    allow domain dev_type:lnk_file r_file_perms;
    
    allow domain devpts:dir search;
    
    allow domain socket_device:dir r_dir_perms;
    
    allow domain owntty_device:chr_file rw_file_perms;
    allow domain null_device:chr_file rw_file_perms;
    
    allow domain zero_device:chr_file rw_file_perms;
    
    allow domain ashmem_device:chr_file rw_file_perms;
    
    allow { domain -hwservicemanager } binder_device:chr_file rw_file_perms;
    allow { domain -servicemanager } hwbinder_device:chr_file rw_file_perms;
    
    allow domain ptmx_device:chr_file rw_file_perms;
    allow domain alarm_device:chr_file r_file_perms;
    
    allow domain random_device:chr_file rw_file_perms;
    
    allow domain properties_device:dir { search getattr };
    
    allow domain properties_serial:file r_file_perms;
    
    
    # For now, everyone can access core property files
    # Device specific properties are not granted by default
    get_prop(domain, core_property_type)
    
    # Let everyone read log properties, so that liblog can avoid sending unloggable
    # messages to logd.
    get_prop(domain, log_property_type)
    
    dontaudit domain property_type:file audit_access;
    allow domain property_contexts:file r_file_perms;
    
    
    Paul Lawrence's avatar
    Paul Lawrence committed
    allow domain init:key search;
    
    allow domain vold:key search;
    
    # logd access
    write_logd(domain)
    
    
    # System file accesses.
    
    Jeff Vander Stoep's avatar
    Jeff Vander Stoep committed
    allow domain system_file:dir { search getattr };
    
    allow domain system_file:file { execute read open getattr };
    allow domain system_file:lnk_file read;
    
    # Initially grant all domains access to libart.
    # TODO move to a whitelist. b/29795519
    allow domain libart_file:file { execute read open getattr };
    auditallow {
      domain
      -appdomain
    
      -crash_dump
    
      -dex2oat
    
      -dumpstate
    
      -recovery
    
      -webview_zygote
    
      -zygote
    } libart_file:file { execute read open getattr };
    
    
    # read any sysfs symlinks
    allow domain sysfs:lnk_file read;
    
    
    # libc references /data/misc/zoneinfo for timezone related information
    r_dir_file(domain, zoneinfo_data_file)
    
    
    # Lots of processes access current CPU information
    r_dir_file(domain, sysfs_devices_system_cpu)
    
    
    r_dir_file(domain, sysfs_usb);
    
    
    # files under /data.
    
    allow domain system_data_file:dir { search getattr };
    
    Jeff Vander Stoep's avatar
    Jeff Vander Stoep committed
    allow domain system_data_file:lnk_file read;
    
    
    # required by the dynamic linker
    
    allow domain proc:lnk_file { getattr read };
    
    # /proc/cpuinfo
    allow domain proc_cpuinfo:file r_file_perms;
    
    
    # jemalloc needs to read /proc/sys/vm/overcommit_memory
    allow domain proc_overcommit_memory:file r_file_perms;
    
    
    # toybox loads libselinux which stats /sys/fs/selinux/
    
    allow domain selinuxfs:dir search;
    
    allow domain selinuxfs:file getattr;
    allow domain sysfs:dir search;
    
    allow domain selinuxfs:filesystem getattr;
    
    # For /acct/uid/*/tasks.
    allow domain cgroup:dir { search write };
    allow domain cgroup:file w_file_perms;
    
    
    # Almost all processes log tracing information to
    # /sys/kernel/debug/tracing/trace_marker
    # The reason behind this is documented in b/6513400
    allow domain debugfs:dir search;
    
    allow domain debugfs_tracing:dir search;
    
    allow domain debugfs_trace_marker:file w_file_perms;
    
    
    # Filesystem access.
    allow domain fs_type:filesystem getattr;
    allow domain fs_type:dir getattr;
    
    
    # Restrict all domains to a whitelist for common socket types. Additional
    # ioctl commands may be added to individual domains, but this sets safe
    # defaults for all processes. Note that granting this whitelist to domain does
    # not grant the ioctl permission on these socket types. That must be granted
    # separately.
    allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
      ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
    # default whitelist for unix sockets.
    allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
      ioctl unpriv_unix_sock_ioctls;
    
    
    # Restrict PTYs to only whitelisted ioctls.
    # Note that granting this whitelist to domain does
    # not grant the wider ioctl permission. That must be granted
    # separately.
    allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
    
    # All socket ioctls must be restricted to a whitelist.
    
    neverallowxperm domain domain:socket_class_set ioctl { 0 };
    
    # TIOCSTI is only ever used for exploits. Block it.
    # b/33073072, b/7530569
    # http://www.openwall.com/lists/oss-security/2016/09/26/14
    neverallowxperm * devpts:chr_file ioctl TIOCSTI;
    
    
    # Do not allow any domain other than init or recovery to create unlabeled files.
    neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
    
    # Limit device node creation to these whitelisted domains.
    
    neverallow {
      domain
      -kernel
      -init
      -ueventd
      -vold
    } self:capability mknod;
    
    # Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
    neverallow {
      domain
      userdebug_or_eng(`-domain')
      -kernel
      -init
      -recovery
      -ueventd
      -healthd
      -uncrypt
      -tee
    } self:capability sys_rawio;
    
    # No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
    
    neverallow * self:memprotect mmap_zero;
    
    # No domain needs mac_override as it is unused by SELinux.
    
    neverallow * self:capability2 mac_override;
    
    
    # Only recovery needs mac_admin to set contexts not defined in current policy.
    
    neverallow { domain -recovery } self:capability2 mac_admin;
    
    
    # Once the policy has been loaded there shall be none to modify the policy.
    # It is sealed.
    neverallow * kernel:security load_policy;
    
    # Only init prior to switching context should be able to set enforcing mode.
    # init starts in kernel domain and switches to init domain via setcon in
    # the init.rc, so the setenforce occurs while still in kernel. After
    # switching domains, there is never any need to setenforce again by init.
    
    neverallow * kernel:security setenforce;
    
    neverallow { domain -kernel } kernel:security setcheckreqprot;
    
    # No booleans in AOSP policy, so no need to ever set them.
    
    neverallow * kernel:security setbool;
    
    
    # Adjusting the AVC cache threshold.
    # Not presently allowed to anything in policy, but possibly something
    # that could be set from init.rc.
    neverallow { domain -init } kernel:security setsecparam;
    
    
    # Only init, ueventd, shell and system_server should be able to access HW RNG
    neverallow {
      domain
      -init
      -shell # For CTS and is restricted to getattr in shell.te
      -system_server
      -ueventd
    } hw_random_device:chr_file *;
    
    # Ensure that all entrypoint executables are in exec_type or postinstall_file.
    neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
    
    
    # Ensure that nothing in userspace can access /dev/mem or /dev/kmem
    
    neverallow {
      domain
      -shell # For CTS and is restricted to getattr in shell.te
    
      -ueventd # Further restricted in ueventd.te
    
    } kmem_device:chr_file *;
    neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
    
    #Ensure that nothing in userspace can access /dev/port
    neverallow {
      domain
      -shell # Shell user should not have any abilities outside of getattr
      -ueventd
    } port_device:chr_file *;
    neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
    
    # Only init should be able to configure kernel usermodehelpers or
    # security-sensitive proc settings.
    neverallow { domain -init } usermodehelper:file { append write };
    neverallow { domain -init } proc_security:file { append write };
    
    
    # No domain should be allowed to ptrace init.
    
    neverallow * init:process ptrace;
    
    # Init can't do anything with binder calls. If this neverallow rule is being
    
    # triggered, it's probably due to a service with no SELinux domain.
    
    neverallow * init:binder *;
    
    
    # Don't allow raw read/write/open access to block_device
    # Rather force a relabel to a more specific type
    
    neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
    
    
    # Don't allow raw read/write/open access to generic devices.
    # Rather force a relabel to a more specific type.
    
    # init is exempt from this as there are character devices that only it uses.
    
    # ueventd is exempt from this, as it is managing these devices.
    neverallow { domain -init -ueventd } device:chr_file { open read write };
    
    
    # Limit what domains can mount filesystems or change their mount flags.
    # sdcard_type / vfat is exempt as a larger set of domains need
    # this capability, including device-specific domains.
    
    neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
    
    
    #
    # Assert that, to the extent possible, we're not loading executable content from
    
    # outside the rootfs or /system partition except for a few whitelisted domains.
    
        -shell
    
        userdebug_or_eng(`-su')
        -system_server
    
        -webview_zygote
    
    } { file_type -libart_file -system_file -exec_type -postinstall_file }:file execute;
    
    neverallow {
        domain
        -appdomain # for oemfs
        -recovery # for /tmp/update_binary in tmpfs
    } { fs_type -rootfs }:file execute;
    
    # Files from cache should never be executed
    
    neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
    
    # Protect most domains from executing arbitrary content from /data.
    neverallow {
      domain
    
    } {
      data_file_type
      -dalvikcache_data_file
      -system_data_file # shared libs in apks
      -apk_data_file
    
      -ephemeral_apk_data_file
    
    }:file no_x_file_perms;
    
    
    neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
    
    
    # Only the init property service should write to /data/property and /dev/__properties__
    
    neverallow { domain -init } property_data_file:dir no_w_dir_perms;
    
    neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
    neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
    neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
    neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
    
    
    # Only recovery should be doing writes to /system
    neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
    
        { create write setattr relabelfrom append unlink link rename };
    neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
    
    # Don't allow mounting on top of /system files or directories
    
    neverallow * exec_type:dir_file_class_set mounton;
    
    neverallow { domain -init } system_file:dir_file_class_set mounton;
    
    # Nothing should be writing to files in the rootfs.
    
    neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
    
    # Restrict context mounts to specific types marked with
    # the contextmount_type attribute.
    
    neverallow * {fs_type -contextmount_type}:filesystem relabelto;
    
    
    # Ensure that context mount types are not writable, to ensure that
    # the write to /system restriction above is not bypassed via context=
    # mount to another type.
    neverallow { domain -recovery } contextmount_type:dir_file_class_set
        { create write setattr relabelfrom relabelto append unlink link rename };
    
    
    # Do not allow service_manager add for default_android_service.
    # Instead domains should use a more specific type such as
    # system_app_service rather than the generic type.
    # New service_types are defined in service.te and new mappings
    # from service name to service_type are defined in service_contexts.
    
    neverallow * default_android_service:service_manager add;
    
    
    # Require that domains explicitly label unknown properties, and do not allow
    # anyone but init to modify unknown properties.
    neverallow { domain -init } default_prop:property_service set;
    
    neverallow { domain -init } mmc_prop:property_service set;
    
    # Do not allow reading device's serial number from system properties except form
    # a few whitelisted domains.
    neverallow {
      domain
      -adbd
      -dumpstate
      -init
      -mediadrmserver
      -recovery
    
      -system_server
    } serialno_prop:file r_file_perms;
    
    
    # Do not allow reading the last boot timestamp from system properties
    neverallow { domain -init -system_server } firstboot_prop:file r_file_perms;
    
    
    neverallow {
      domain
      -init
      -recovery
      -system_server
      -shell # Shell is further restricted in shell.te
    
      -ueventd # Further restricted in ueventd.te
    
    } frp_block_device:blk_file rw_file_perms;
    
    # The metadata block device is set aside for device encryption and
    # verified boot metadata. It may be reset at will and should not
    # be used by other domains.
    neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
      { append link rename write open read ioctl lock };
    
    
    # No domain other than recovery and update_engine can write to system partition(s).
    neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
    
    
    # No domains other than install_recovery or recovery can write to recovery.
    neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
    
    # No domains other than a select few can access the misc_block_device. This
    # block device is reserved for OTA use.
    # Do not assert this rule on userdebug/eng builds, due to some devices using
    # this partition for testing purposes.
    neverallow {
      domain
      userdebug_or_eng(`-domain') # exclude debuggable builds
      -init
      -uncrypt
      -update_engine
      -vold
      -recovery
    
    } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
    
    
    # Only servicemanager/hwservicemanager should be able to register with binder as the context manager
    neverallow { domain -servicemanager -hwservicemanager} *:binder set_context_mgr;
    # The service managers are only allowed to access their own device node
    neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
    neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
    
    
    # Only authorized processes should be writing to files in /data/dalvik-cache
    neverallow {
      domain
      -init # TODO: limit init to relabelfrom for files
      -zygote
      -installd
    
      -cppreopts
    
      -otapreopt_slot
    
    } dalvikcache_data_file:file no_w_file_perms;
    
      -cppreopts
    
      -otapreopt_slot
    
    } dalvikcache_data_file:dir no_w_dir_perms;
    
    
    # Only system_server should be able to send commands via the zygote socket
    neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
    neverallow { domain -system_server } zygote_socket:sock_file write;
    
    
    neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto;
    neverallow { domain -system_server } webview_zygote_socket:sock_file write;
    
    
    neverallow {
      domain
      -tombstoned
      -crash_dump
      -dumpstate
      -system_server
    } tombstoned:unix_stream_socket connectto;
    neverallow { domain -crash_dump } tombstoned_crash_socket:sock_file write;
    neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write;
    
    
    # Android does not support System V IPCs.
    #
    # The reason for this is due to the fact that, by design, they lead to global
    # kernel resource leakage.
    #
    # For example, there is no way to automatically release a SysV semaphore
    # allocated in the kernel when:
    #
    # - a buggy or malicious process exits
    # - a non-buggy and non-malicious process crashes or is explicitly killed.
    #
    # Killing processes automatically to make room for new ones is an
    # important part of Android's application lifecycle implementation. This means
    # that, even assuming only non-buggy and non-malicious code, it is very likely
    # that over time, the kernel global tables used to implement SysV IPCs will fill
    # up.
    
    neverallow * *:{ shm sem msg msgq } *;
    
    
    # Do not mount on top of symlinks, fifos, or sockets.
    # Feature parity with Chromium LSM.
    
    neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
    
    
    # Nobody should be able to execute su on user builds.
    # On userdebug/eng builds, only dumpstate, shell, and
    # su itself execute su.
    neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
    
    
    # Do not allow the introduction of new execmod rules. Text relocations
    # and modification of executable pages are unsafe.
    # The only exceptions are for NDK text relocations associated with
    # https://code.google.com/p/android/issues/detail?id=23203
    # which, long term, need to go away.
    
      file_type
      -apk_data_file
      -app_data_file
      -asec_public_file
    }:file execmod;
    
    
    # Do not allow making the stack or heap executable.
    # We would also like to minimize execmem but it seems to be
    # required by some device-specific service domains.
    
    neverallow * self:process { execstack execheap };
    
    # prohibit non-zygote spawned processes from using shared libraries
    
    # with text relocations. b/20013628 .
    
    neverallow { domain -untrusted_app } file_type:file execmod;
    
    
    neverallow { domain -init } proc:{ file dir } mounton;
    
    
    # Ensure that all types assigned to processes are included
    # in the domain attribute, so that all allow and neverallow rules
    # written on domain are applied to all processes.
    # This is achieved by ensuring that it is impossible to transition
    # from a domain to a non-domain type and vice versa.
    
    # TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
    
    neverallow ~domain domain:process { transition dyntransition };
    
    
    #
    # Only system_app and system_server should be creating or writing
    # their files. The proper way to share files is to setup
    # type transitions to a more specific type or assigning a type
    # to its parent directory via a file_contexts entry.
    # Example type transition:
    #  mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
    #
    neverallow {
      domain
      -system_server
      -system_app
      -init
      -installd # for relabelfrom and unlink, check for this in explicit neverallow
    } system_data_file:file no_w_file_perms;
    # do not grant anything greater than r_file_perms and relabelfrom unlink
    # to installd
    neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
    
    # respect system_app sandboxes
    neverallow {
      domain
      -system_app # its own sandbox
      -system_server #populate com.android.providers.settings/databases/settings.db.
      -installd # creation of app sandbox
    
    } system_app_data_file:dir_file_class_set { create unlink open };
    
    # Services should respect app sandboxes
    neverallow {
      domain
      -appdomain
      -installd # creation of sandbox
    } app_data_file:dir_file_class_set { create unlink };
    
    
    #
    # Only these domains should transition to shell domain. This domain is
    # permissible for the "shell user". If you need a process to exec a shell
    # script with differing privilege, define a domain and set up a transition.
    #
    neverallow {
      domain
      -adbd
      -init
      -runas
      -zygote
    } shell:process { transition dyntransition };
    
    # Only domains spawned from zygote and runas may have the appdomain attribute.
    
    neverallow { domain -runas -webview_zygote -zygote } {
    
      appdomain -shell userdebug_or_eng(`-su') -bluetooth
    
    }:process { transition dyntransition };
    
    
    # Minimize read access to shell- or app-writable symlinks.
    # This is to prevent malicious symlink attacks.
    neverallow {
      domain
      -appdomain
      -installd
      -uncrypt  # TODO: see if we can remove
    } app_data_file:lnk_file read;
    
    neverallow {
      domain
      -shell
      userdebug_or_eng(`-uncrypt')
      -installd
    } shell_data_file:lnk_file read;
    
    # In addition to the symlink reading restrictions above, restrict
    # write access to shell owned directories. The /data/local/tmp
    # directory is untrustworthy, and non-whitelisted domains should
    # not be trusting any content in those directories.
    neverallow {
      domain
      -adbd
      -dumpstate
      -installd
      -init
      -shell
      -vold
    } shell_data_file:dir no_w_dir_perms;
    
    neverallow {
      domain
      -adbd
      -appdomain
      -dumpstate
      -init
      -installd
      -system_server # why?
      userdebug_or_eng(`-uncrypt')
    } shell_data_file:dir { open search };
    
    # Same as above for /data/local/tmp files. We allow shell files
    # to be passed around by file descriptor, but not directly opened.
    neverallow {
      domain
      -adbd
      -appdomain
      -dumpstate
      -installd
    
      userdebug_or_eng(`-uncrypt')
    
    } shell_data_file:file open;
    
    
    # servicemanager is the only process which handles list request
    
    neverallow * ~servicemanager:service_manager list;
    
    
    # only service_manager_types can be added to service_manager
    
    # TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
    
    # Prevent assigning non property types to properties
    
    # TODO - rework this: neverallow * ~property_type:property_service set; 
    
    
    # Domain types should never be assigned to any files other
    # than the /proc/pid files associated with a process. The
    # executable file used to enter a domain should be labeled
    # with its own _exec type, not with the domain type.
    # Conventionally, this looks something like:
    # $ cat mydaemon.te
    # type mydaemon, domain;
    # type mydaemon_exec, exec_type, file_type;
    # init_daemon_domain(mydaemon)
    # $ grep mydaemon file_contexts
    # /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
    
    neverallow * domain:file { execute execute_no_trans entrypoint };
    
    
    # Do not allow access to the generic debugfs label. This is too broad.
    # Instead, if access to part of debugfs is desired, it should have a
    # more specific label.
    # TODO: fix system_server and dumpstate
    neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
    
    
    neverallow {
      domain
      -init
      -recovery
      -sdcardd
      -vold
    } fuse_device:chr_file open;
    neverallow {
      domain
      -dumpstate
      -init
      -priv_app
      -recovery
      -sdcardd
    
      -shell # Restricted by shell.te to only getattr
    
      -system_server
      -ueventd
      -vold
    } fuse_device:chr_file *;
    
    
    # Profiles contain untrusted data and profman parses that. We should only run
    # in from installd forked processes.
    neverallow {
      domain
      -installd
      -profman
    } profman_exec:file no_x_file_perms;
    
    
    # Enforce restrictions on kernel module origin.
    # Do not allow kernel module loading except from system,
    # vendor, and boot partitions.
    neverallow * ~{ system_file rootfs }:system module_load;
    
    
    # Only allow filesystem caps to be set at build time or
    # during upgrade by recovery.
    neverallow {
      domain
      -recovery
    } self:capability setfcap;
    
    
    # Enforce AT_SECURE for executing crash_dump.
    neverallow domain crash_dump:process noatsecure;