Diffstat (limited to 'prebuilts/api/32.0/private/coredomain.te')
-rw-r--r-- | prebuilts/api/32.0/private/coredomain.te | 246 |
1 files changed, 246 insertions, 0 deletions
diff --git a/prebuilts/api/32.0/private/coredomain.te b/prebuilts/api/32.0/private/coredomain.te
new file mode 100644
index 000000000..b7f4f5d18
--- /dev/null
+++ b/prebuilts/api/32.0/private/coredomain.te
@@ -0,0 +1,246 @@
+get_prop(coredomain, boot_status_prop)
+get_prop(coredomain, camera_config_prop)
+get_prop(coredomain, dalvik_config_prop)
+get_prop(coredomain, dalvik_runtime_prop)
+get_prop(coredomain, exported_pm_prop)
+get_prop(coredomain, ffs_config_prop)
+get_prop(coredomain, graphics_config_prop)
+get_prop(coredomain, hdmi_config_prop)
+get_prop(coredomain, init_service_status_private_prop)
+get_prop(coredomain, lmkd_config_prop)
+get_prop(coredomain, localization_prop)
+get_prop(coredomain, pm_prop)
+get_prop(coredomain, radio_control_prop)
+get_prop(coredomain, rollback_test_prop)
+get_prop(coredomain, setupwizard_prop)
+get_prop(coredomain, sqlite_log_prop)
+get_prop(coredomain, storagemanager_config_prop)
+get_prop(coredomain, surfaceflinger_color_prop)
+get_prop(coredomain, systemsound_config_prop)
+get_prop(coredomain, telephony_config_prop)
+get_prop(coredomain, usb_config_prop)
+get_prop(coredomain, usb_control_prop)
+get_prop(coredomain, userspace_reboot_config_prop)
+get_prop(coredomain, vold_config_prop)
+get_prop(coredomain, vts_status_prop)
+get_prop(coredomain, zygote_config_prop)
+get_prop(coredomain, zygote_wrap_prop)
+
+# TODO(b/170590987): remove this after cleaning up default_prop
+get_prop(coredomain, default_prop)
+
+full_treble_only(`
+neverallow {
+ coredomain
+
+ # for chowning
+ -init
+
+ # generic access to sysfs_type
+ -ueventd
+ -vold
+} sysfs_leds:file *;
+')
+
+# On TREBLE devices, a limited set of files in /vendor are accessible to
+# only a few allowlisted coredomains to keep system/vendor separation.
+full_treble_only(`
+ # Limit access to /vendor/app
+ neverallow {
+ coredomain
+ -appdomain
+ -dex2oat
+ -dexoptanalyzer
+ -idmap
+ -init
+ -installd
+ -heapprofd
+ -postinstall_dexopt
+ -rs # spawned by appdomain, so carryover the exception above
+ -system_server
+ -traced_perf
+ } vendor_app_file:dir { open read getattr search };
+')
+
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ -dex2oat
+ -dexoptanalyzer
+ -idmap
+ -init
+ -installd
+ -heapprofd
+ userdebug_or_eng(`-profcollectd')
+ -postinstall_dexopt
+ -rs # spawned by appdomain, so carryover the exception above
+ -system_server
+ -traced_perf
+ -mediaserver
+ } vendor_app_file:file r_file_perms;
+')
+
+full_treble_only(`
+ # Limit access to /vendor/overlay
+ neverallow {
+ coredomain
+ -appdomain
+ -idmap
+ -init
+ -installd
+ -iorap_inode2filename
+ -iorap_prefetcherd
+ -postinstall_dexopt
+ -rs # spawned by appdomain, so carryover the exception above
+ -system_server
+ -traced_perf
+ -app_zygote
+ -webview_zygote
+ -zygote
+ -heapprofd
+ } vendor_overlay_file:dir { getattr open read search };
+')
+
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ -idmap
+ -init
+ -installd
+ -iorap_inode2filename
+ -iorap_prefetcherd
+ -postinstall_dexopt
+ -rs # spawned by appdomain, so carryover the exception above
+ -system_server
+ -traced_perf
+ -app_zygote
+ -webview_zygote
+ -zygote
+ -heapprofd
+ userdebug_or_eng(`-profcollectd')
+ } vendor_overlay_file:file open;
+')
+
+# Core domains are not permitted to use kernel interfaces which are not
+# explicitly labeled.
+# TODO(b/65643247): Apply these neverallow rules to all coredomain.
+full_treble_only(`
+ # /proc
+ neverallow {
+ coredomain
+ -init
+ -vold
+ } proc:file no_rw_file_perms;
+
+ # /sys
+ neverallow {
+ coredomain
+ -init
+ -ueventd
+ -vold
+ } sysfs:file no_rw_file_perms;
+
+ # /dev
+ neverallow {
+ coredomain
+ -fsck
+ -init
+ -ueventd
+ } device:{ blk_file file } no_rw_file_perms;
+
+ # debugfs
+ neverallow {
+ coredomain
+ no_debugfs_restriction(`
+ -dumpstate
+ -init
+ -system_server
+ ')
+ } debugfs:file no_rw_file_perms;
+
+ # tracefs
+ neverallow {
+ coredomain
+ -atrace
+ -dumpstate
+ -gpuservice
+ -init
+ -traced_perf
+ -traced_probes
+ -shell
+ -system_server
+ -traceur_app
+ userdebug_or_eng(`-profcollectd')
+ } debugfs_tracing:file no_rw_file_perms;
+
+ # inotifyfs
+ neverallow {
+ coredomain
+ -init
+ } inotify:file no_rw_file_perms;
+
+ # pstorefs
+ neverallow {
+ coredomain
+ -bootstat
+ -charger
+ -dumpstate
+ -healthd
+ userdebug_or_eng(`-incidentd')
+ -init
+ -logd
+ -logpersist
+ -recovery_persist
+ -recovery_refresh
+ -shell
+ -system_server
+ } pstorefs:file no_rw_file_perms;
+
+ # configfs
+ neverallow {
+ coredomain
+ -init
+ -system_server
+ } configfs:file no_rw_file_perms;
+
+ # functionfs
+ neverallow {
+ coredomain
+ -adbd
+ -init
+ -mediaprovider
+ -system_server
+ } functionfs:file no_rw_file_perms;
+
+ # usbfs and binfmt_miscfs
+ neverallow {
+ coredomain
+ -init
+ }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
+
+ # dmabuf heaps
+ neverallow {
+ coredomain
+ -init
+ -ueventd
+ }{
+ dmabuf_heap_device_type
+ -dmabuf_system_heap_device
+ -dmabuf_system_secure_heap_device
+ }:chr_file no_rw_file_perms;
+')
+
+# Following /dev nodes must not be directly accessed by coredomain, but should
+# instead be wrapped by HALs.
+neverallow coredomain {
+ iio_device
+ radio_device
+}:chr_file { open read append write ioctl };
+
+# TODO(b/120243891): HAL permission to tee_device is included into coredomain
+# on non-Treble devices.
+full_treble_only(`
+ neverallow coredomain tee_device:chr_file { open read append write ioctl };
+')
|