diff options
Diffstat (limited to 'prebuilts/api/32.0/public/te_macros')
| -rw-r--r-- | prebuilts/api/32.0/public/te_macros | 993 |
1 files changed, 993 insertions, 0 deletions
diff --git a/prebuilts/api/32.0/public/te_macros b/prebuilts/api/32.0/public/te_macros new file mode 100644 index 000000000..7dc5062c5 --- /dev/null +++ b/prebuilts/api/32.0/public/te_macros @@ -0,0 +1,993 @@ +##################################### +# domain_trans(olddomain, type, newdomain) +# Allow a transition from olddomain to newdomain +# upon executing a file labeled with type. +# This only allows the transition; it does not +# cause it to occur automatically - use domain_auto_trans +# if that is what you want. +# +define(`domain_trans', ` +# Old domain may exec the file and transition to the new domain. +allow $1 $2:file { getattr open read execute map }; +allow $1 $3:process transition; +# New domain is entered by executing the file. +allow $3 $2:file { entrypoint open read execute getattr map }; +# New domain can send SIGCHLD to its caller. +ifelse($1, `init', `', `allow $3 $1:process sigchld;') +# Enable AT_SECURE, i.e. libc secure mode. +dontaudit $1 $3:process noatsecure; +# XXX dontaudit candidate but requires further study. +allow $1 $3:process { siginh rlimitinh }; +') + +##################################### +# domain_auto_trans(olddomain, type, newdomain) +# Automatically transition from olddomain to newdomain +# upon executing a file labeled with type. +# +define(`domain_auto_trans', ` +# Allow the necessary permissions. +domain_trans($1,$2,$3) +# Make the transition occur by default. +type_transition $1 $2:process $3; +') + +##################################### +# file_type_trans(domain, dir_type, file_type) +# Allow domain to create a file labeled file_type in a +# directory labeled dir_type. +# This only allows the transition; it does not +# cause it to occur automatically - use file_type_auto_trans +# if that is what you want. +# +define(`file_type_trans', ` +# Allow the domain to add entries to the directory. +allow $1 $2:dir ra_dir_perms; +# Allow the domain to create the file. +allow $1 $3:notdevfile_class_set create_file_perms; +allow $1 $3:dir create_dir_perms; +') + +##################################### +# file_type_auto_trans(domain, dir_type, file_type) +# Automatically label new files with file_type when +# they are created by domain in directories labeled dir_type. +# +define(`file_type_auto_trans', ` +# Allow the necessary permissions. +file_type_trans($1, $2, $3) +# Make the transition occur by default. +type_transition $1 $2:dir $3; +type_transition $1 $2:notdevfile_class_set $3; +') + +##################################### +# r_dir_file(domain, type) +# Allow the specified domain to read directories, files +# and symbolic links of the specified type. +define(`r_dir_file', ` +allow $1 $2:dir r_dir_perms; +allow $1 $2:{ file lnk_file } r_file_perms; +') + +##################################### +# tmpfs_domain(domain) +# Allow access to a unique type for this domain when creating tmpfs / ashmem files. +define(`tmpfs_domain', ` +type_transition $1 tmpfs:file $1_tmpfs; +allow $1 $1_tmpfs:file { read write getattr map }; +') + +# pdx macros for IPC. pdx is a high-level name which contains transport-specific +# rules from underlying transport (e.g. UDS-based implementation). + +##################################### +# pdx_service_attributes(service) +# Defines type attribute used to identify various service-related types. +define(`pdx_service_attributes', ` +attribute pdx_$1_endpoint_dir_type; +attribute pdx_$1_endpoint_socket_type; +attribute pdx_$1_channel_socket_type; +attribute pdx_$1_server_type; +') + +##################################### +# pdx_service_socket_types(service, endpoint_dir_t) +# Define types for endpoint and channel sockets. +define(`pdx_service_socket_types', ` +typeattribute $2 pdx_$1_endpoint_dir_type; +type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject; +type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket; +userdebug_or_eng(` +dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *; +dontaudit su pdx_$1_channel_socket:unix_stream_socket *; +') +') + +##################################### +# pdx_server(server_domain, service) +define(`pdx_server', ` +# Mark the server domain as a PDX server. +typeattribute $1 pdx_$2_server_type; +# Allow the init process to create the initial endpoint socket. +allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind }; +# Allow the server domain to use the endpoint socket and accept connections on it. +# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights +# than we need (e.g. we don"t need "bind" or "connect"). +allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept }; +# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()). +allow $1 self:process setsockcreate; +# Allow the server domain to create a client channel socket. +allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms; +# Prevent other processes from claiming to be a server for the same service. +neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept }; +') + +##################################### +# pdx_connect(client, service) +define(`pdx_connect', ` +# Allow client to open the service endpoint file. +allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms; +allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms; +# Allow the client to connect to endpoint socket. +allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown }; +') + +##################################### +# pdx_use(client, service) +define(`pdx_use', ` +# Allow the client to use the PDX channel socket. +# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights +# than we need (e.g. we don"t need "bind" or "connect"). +allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown }; +# Client needs to use an channel event fd from the server. +allow $1 pdx_$2_server_type:fd use; +# Servers may receive sync fences, gralloc buffers, etc, from clients. +# This could be tightened on a per-server basis, but keeping track of service +# clients is error prone. +allow pdx_$2_server_type $1:fd use; +') + +##################################### +# pdx_client(client, service) +define(`pdx_client', ` +pdx_connect($1, $2) +pdx_use($1, $2) +') + +##################################### +# init_daemon_domain(domain) +# Set up a transition from init to the daemon domain +# upon executing its binary. +define(`init_daemon_domain', ` +domain_auto_trans(init, $1_exec, $1) +') + +#################################### +# userfaultfd_use(domain) +# Allow domain to create/use userfaultfd. +define(`userfaultfd_use', ` +# Set up a type_transition to "userfaultfd" named anonymous inode object. +type $1_userfaultfd; +type_transition $1 $1:anon_inode $1_userfaultfd "[userfaultfd]"; +# Allow domain to create/use userfaultfd anon_inode. +allow $1 $1_userfaultfd:anon_inode { create ioctl read }; +# Other domains may not use userfaultfd anon_inodes created by this domain. +neverallow { domain -$1 } $1_userfaultfd:anon_inode *; +# This domain may not use userfaultfd anon_inodes created by other domains. +neverallow $1 ~$1_userfaultfd:anon_inode *; +') + +##################################### +# app_domain(domain) +# Allow a base set of permissions required for all apps. +define(`app_domain', ` +typeattribute $1 appdomain; +# Label tmpfs objects for all apps. +type_transition $1 tmpfs:file appdomain_tmpfs; +userfaultfd_use($1) +allow $1 appdomain_tmpfs:file { execute getattr map read write }; +neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms; +neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms; +# The Android security model guarantees the confidentiality and integrity +# of application data and execution state. Ptrace bypasses those +# confidentiality guarantees. Disallow ptrace access from system components to +# apps. crash_dump is excluded, as it needs ptrace access to produce stack +# traces. runas_app is excluded, as it operates only on debuggable apps. +# simpleperf is excluded, as it operates only on debuggable or profileable +# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for +# live lock conditions. +neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app -simpleperf } $1:process ptrace; +') + +##################################### +# untrusted_app_domain(domain) +# Allow a base set of permissions required for all untrusted apps. +define(`untrusted_app_domain', ` +typeattribute $1 untrusted_app_all; +') + +##################################### +# net_domain(domain) +# Allow a base set of permissions required for network access. +define(`net_domain', ` +typeattribute $1 netdomain; +') + +##################################### +# bluetooth_domain(domain) +# Allow a base set of permissions required for bluetooth access. +define(`bluetooth_domain', ` +typeattribute $1 bluetoothdomain; +') + +##################################### +# hal_attribute(hal_name) +# Add an attribute for hal implementations along with necessary +# restrictions. +define(`hal_attribute', ` +attribute hal_$1; +expandattribute hal_$1 true; +attribute hal_$1_client; +expandattribute hal_$1_client true; +attribute hal_$1_server; +expandattribute hal_$1_server false; + +neverallow { hal_$1_server -halserverdomain } domain:process fork; +# hal_*_client and halclientdomain attributes are always expanded for +# performance reasons. Neverallow rules targeting expanded attributes can not be +# verified by CTS since these attributes are already expanded by that time. +build_test_only(` +neverallow { hal_$1_server -hal_$1 } domain:process fork; +neverallow { hal_$1_client -halclientdomain } domain:process fork; +') +') + +##################################### +# hal_server_domain(domain, hal_type) +# Allow a base set of permissions required for a domain to offer a +# HAL implementation of the specified type over HwBinder. +# +# For example, default implementation of Foo HAL: +# type hal_foo_default, domain; +# hal_server_domain(hal_foo_default, hal_foo) +# +define(`hal_server_domain', ` +typeattribute $1 halserverdomain; +typeattribute $1 $2_server; +typeattribute $1 $2; +') + +##################################### +# hal_client_domain(domain, hal_type) +# Allow a base set of permissions required for a domain to be a +# client of a HAL of the specified type. +# +# For example, make some_domain a client of Foo HAL: +# hal_client_domain(some_domain, hal_foo) +# +define(`hal_client_domain', ` +typeattribute $1 halclientdomain; +typeattribute $1 $2_client; + +# TODO(b/34170079): Make the inclusion of the rules below conditional also on +# non-Treble devices. For now, on non-Treble device, always grant clients of a +# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). +not_full_treble(` +typeattribute $1 $2; +# Find passthrough HAL implementations +allow $2 system_file:dir r_dir_perms; +allow $2 vendor_file:dir r_dir_perms; +allow $2 vendor_file:file { read open getattr execute map }; +') +') + +##################################### +# passthrough_hal_client_domain(domain, hal_type) +# Allow a base set of permissions required for a domain to be a +# client of a passthrough HAL of the specified type. +# +# For example, make some_domain a client of passthrough Foo HAL: +# passthrough_hal_client_domain(some_domain, hal_foo) +# +define(`passthrough_hal_client_domain', ` +typeattribute $1 halclientdomain; +typeattribute $1 $2_client; +typeattribute $1 $2; +# Find passthrough HAL implementations +allow $2 system_file:dir r_dir_perms; +allow $2 vendor_file:dir r_dir_perms; +allow $2 vendor_file:file { read open getattr execute map }; +') + +##################################### +# unix_socket_connect(clientdomain, socket, serverdomain) +# Allow a local socket connection from clientdomain via +# socket to serverdomain. +# +# Note: If you see denial records that distill to the +# following allow rules: +# allow clientdomain property_socket:sock_file write; +# allow clientdomain init:unix_stream_socket connectto; +# allow clientdomain something_prop:property_service set; +# +# This sequence is indicative of attempting to set a property. +# use set_prop(sourcedomain, targetproperty) +# +define(`unix_socket_connect', ` +allow $1 $2_socket:sock_file write; +allow $1 $3:unix_stream_socket connectto; +') + +##################################### +# set_prop(sourcedomain, targetproperty) +# Allows source domain to set the +# targetproperty. +# +define(`set_prop', ` +unix_socket_connect($1, property, init) +allow $1 $2:property_service set; +get_prop($1, $2) +') + +##################################### +# get_prop(sourcedomain, targetproperty) +# Allows source domain to read the +# targetproperty. +# +define(`get_prop', ` +allow $1 $2:file { getattr open read map }; +') + +##################################### +# unix_socket_send(clientdomain, socket, serverdomain) +# Allow a local socket send from clientdomain via +# socket to serverdomain. +define(`unix_socket_send', ` +allow $1 $2_socket:sock_file write; +allow $1 $3:unix_dgram_socket sendto; +') + +##################################### +# binder_use(domain) +# Allow domain to use Binder IPC. +define(`binder_use', ` +# Call the servicemanager and transfer references to it. +allow $1 servicemanager:binder { call transfer }; +# Allow servicemanager to send out callbacks +allow servicemanager $1:binder { call transfer }; +# servicemanager performs getpidcon on clients. +allow servicemanager $1:dir search; +allow servicemanager $1:file { read open }; +allow servicemanager $1:process getattr; +# rw access to /dev/binder and /dev/ashmem is presently granted to +# all domains in domain.te. +') + +##################################### +# hwbinder_use(domain) +# Allow domain to use HwBinder IPC. +define(`hwbinder_use', ` +# Call the hwservicemanager and transfer references to it. +allow $1 hwservicemanager:binder { call transfer }; +# Allow hwservicemanager to send out callbacks +allow hwservicemanager $1:binder { call transfer }; +# hwservicemanager performs getpidcon on clients. +allow hwservicemanager $1:dir search; +allow hwservicemanager $1:file { read open map }; +allow hwservicemanager $1:process getattr; +# rw access to /dev/hwbinder and /dev/ashmem is presently granted to +# all domains in domain.te. +') + +##################################### +# vndbinder_use(domain) +# Allow domain to use Binder IPC. +define(`vndbinder_use', ` +# Talk to the vndbinder device node +allow $1 vndbinder_device:chr_file rw_file_perms; +# Call the vndservicemanager and transfer references to it. +allow $1 vndservicemanager:binder { call transfer }; +# vndservicemanager performs getpidcon on clients. +allow vndservicemanager $1:dir search; +allow vndservicemanager $1:file { read open map }; +allow vndservicemanager $1:process getattr; +') + +##################################### +# binder_call(clientdomain, serverdomain) +# Allow clientdomain to perform binder IPC to serverdomain. +define(`binder_call', ` +# Call the server domain and optionally transfer references to it. +allow $1 $2:binder { call transfer }; +# Allow the serverdomain to transfer references to the client on the reply. +allow $2 $1:binder transfer; +# Receive and use open files from the server. +allow $1 $2:fd use; +') + +##################################### +# binder_service(domain) +# Mark a domain as being a Binder service domain. +# Used to allow binder IPC to the various system services. +define(`binder_service', ` +typeattribute $1 binderservicedomain; +') + +##################################### +# wakelock_use(domain) +# Allow domain to manage wake locks +define(`wakelock_use', ` +# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is +# deprecated. +# Access /sys/power/wake_lock and /sys/power/wake_unlock +allow $1 sysfs_wake_lock:file rw_file_perms; +# Accessing these files requires CAP_BLOCK_SUSPEND +allow $1 self:global_capability2_class_set block_suspend; +# system_suspend permissions +binder_call($1, system_suspend_server) +allow $1 system_suspend_hwservice:hwservice_manager find; +# halclientdomain permissions +hwbinder_use($1) +get_prop($1, hwservicemanager_prop) +allow $1 hidl_manager_hwservice:hwservice_manager find; +') + +##################################### +# selinux_check_access(domain) +# Allow domain to check SELinux permissions via selinuxfs. +define(`selinux_check_access', ` +r_dir_file($1, selinuxfs) +allow $1 selinuxfs:file w_file_perms; +allow $1 kernel:security compute_av; +allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; +') + +##################################### +# selinux_check_context(domain) +# Allow domain to check SELinux contexts via selinuxfs. +define(`selinux_check_context', ` +r_dir_file($1, selinuxfs) +allow $1 selinuxfs:file w_file_perms; +allow $1 kernel:security check_context; +') + +##################################### +# create_pty(domain) +# Allow domain to create and use a pty, isolated from any other domain ptys. +define(`create_pty', ` +# Each domain gets a unique devpts type. +type $1_devpts, fs_type; +# Label the pty with the unique type when created. +type_transition $1 devpts:chr_file $1_devpts; +# Allow use of the pty after creation. +allow $1 $1_devpts:chr_file { open getattr read write ioctl }; +allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls; +# TIOCSTI is only ever used for exploits. Block it. +# b/33073072, b/7530569 +# http://www.openwall.com/lists/oss-security/2016/09/26/14 +neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI; +# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms +# allowed to everyone via domain.te. +') + +##################################### +# Non system_app application set +# +define(`non_system_app_set', `{ appdomain -system_app }') + +##################################### +# Recovery only +# SELinux rules which apply only to recovery mode +# +define(`recovery_only', ifelse(target_recovery, `true', $1, )) + +##################################### +# Not recovery +# SELinux rules which apply only to non-recovery (normal) mode +# +define(`not_recovery', ifelse(target_recovery, `true', , $1)) + +##################################### +# Full TREBLE only +# SELinux rules which apply only to full TREBLE devices +# +define(`full_treble_only', ifelse(target_full_treble, `true', $1, +ifelse(target_full_treble, `cts', +# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify +$1 +# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify +, ))) + +##################################### +# Not full TREBLE +# SELinux rules which apply only to devices which are not full TREBLE devices +# +define(`not_full_treble', ifelse(target_full_treble, `true', , $1)) + +##################################### +# enforce_debugfs_restriction +# SELinux rules which apply to devices that enable debugfs restrictions. +# The keyword "cts" is used to insert markers to only CTS test the neverallows +# added by the macro for S-launch devices and newer. +define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1, +ifelse(target_enforce_debugfs_restriction, `cts', +# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify +$1 +# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify +, ))) + +##################################### +# no_debugfs_restriction +# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds. +define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1)) + +##################################### +# Compatible property only +# SELinux rules which apply only to devices with compatible property +# +define(`compatible_property_only', ifelse(target_compatible_property, `true', $1, +ifelse(target_compatible_property, `cts', +# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify +$1 +# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify +, ))) + +##################################### +# Not compatible property +# SELinux rules which apply only to devices without compatible property +# +define(`not_compatible_property', ifelse(target_compatible_property, `true', , $1)) + +##################################### +# Userdebug or eng builds +# SELinux rules which apply only to userdebug or eng builds +# +define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1))) + +##################################### +# asan builds +# SELinux rules which apply only to asan builds +# +define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), )) + +##################################### +# native coverage builds +# SELinux rules which apply only to builds with native coverage +# +define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), )) + +##################################### +# Build-time-only test +# SELinux rules which are verified during build, but not as part of *TS testing. +# +define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1)) + +#################################### +# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp). +# +define(`crash_dump_fallback', ` +userdebug_or_eng(` + allow $1 su:fifo_file append; +') +allow $1 anr_data_file:file append; +allow $1 dumpstate:fd use; +allow $1 incidentd:fd use; +# TODO: Figure out why write is needed. +allow $1 dumpstate:fifo_file { append write }; +allow $1 incidentd:fifo_file { append write }; +allow $1 system_server:fifo_file { append write }; +allow $1 tombstoned:unix_stream_socket connectto; +allow $1 tombstoned:fd use; +allow $1 tombstoned_crash_socket:sock_file write; +allow $1 tombstone_data_file:file append; +') + +##################################### +# WITH_DEXPREOPT builds +# SELinux rules which apply only when pre-opting. +# +define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1)) + +##################################### +# write_logd(domain) +# Ability to write to android log +# daemon via sockets +define(`write_logd', ` +unix_socket_send($1, logdw, logd) +allow $1 pmsg_device:chr_file w_file_perms; +') + +##################################### +# read_logd(domain) +# Ability to run logcat and read from android +# log daemon via sockets +define(`read_logd', ` +allow $1 logcat_exec:file rx_file_perms; +unix_socket_connect($1, logdr, logd) +') + +##################################### +# read_runtime_log_tags(domain) +# ability to directly map the runtime event log tags +define(`read_runtime_log_tags', ` +allow $1 runtime_event_log_tags_file:file r_file_perms; +') + +##################################### +# control_logd(domain) +# Ability to control +# android log daemon via sockets +define(`control_logd', ` +# Group AID_LOG checked by filesystem & logd +# to permit control commands +unix_socket_connect($1, logd, logd) +') + +##################################### +# use_keystore(domain) +# Ability to use keystore. +# Keystore is requires the following permissions +# to call getpidcon. +define(`use_keystore', ` + allow keystore $1:dir search; + allow keystore $1:file { read open }; + allow keystore $1:process getattr; + allow $1 apc_service:service_manager find; + allow $1 keystore_service:service_manager find; + allow $1 legacykeystore_service:service_manager find; + binder_call($1, keystore) + binder_call(keystore, $1) +') + +##################################### +# use_credstore(domain) +# Ability to use credstore. +define(`use_credstore', ` + allow credstore $1:dir search; + allow credstore $1:file { read open }; + allow credstore $1:process getattr; + allow $1 credstore_service:service_manager find; + binder_call($1, credstore) + binder_call(credstore, $1) +') + +########################################### +# use_drmservice(domain) +# Ability to use DrmService which requires +# DrmService to call getpidcon. +define(`use_drmservice', ` + allow drmserver $1:dir search; + allow drmserver $1:file { read open }; + allow drmserver $1:process getattr; +') + +########################################### +# add_service(domain, service) +# Ability for domain to add a service to service_manager +# and find it. It also creates a neverallow preventing +# others from adding it. +define(`add_service', ` + allow $1 $2:service_manager { add find }; + neverallow { domain -$1 } $2:service_manager add; +') + +########################################### +# add_hwservice(domain, service) +# Ability for domain to add a service to hwservice_manager +# and find it. It also creates a neverallow preventing +# others from adding it. +define(`add_hwservice', ` + allow $1 $2:hwservice_manager { add find }; + allow $1 hidl_base_hwservice:hwservice_manager add; + neverallow { domain -$1 } $2:hwservice_manager add; +') + +########################################### +# hal_attribute_hwservice(attribute, service) +# Ability for domain to get a service to hwservice_manager +# and find it. It also creates a neverallow preventing +# others from adding it. +# +# Used to pair hal_foo_client with hal_foo_hwservice +define(`hal_attribute_hwservice', ` + allow $1_client $2:hwservice_manager find; + add_hwservice($1_server, $2) + + build_test_only(` + # if you are hitting this neverallow, try using: + # hal_client_domain(<your domain>, hal_<foo>) + # instead + neverallow { domain -$1_client -$1_server } $2:hwservice_manager find; + ') +') + +########################################### +# hal_attribute_service(attribute, service) +# Ability for domain to get a service to service_manager +# and find it. It also creates a neverallow preventing +# others from adding it. +# +# Used to pair hal_foo_client with hal_foo_service +define(`hal_attribute_service', ` + allow $1_client $2:service_manager find; + add_service($1_server, $2) + + build_test_only(` + # if you are hitting this neverallow, try using: + # hal_client_domain(<your domain>, hal_<foo>) + # instead + neverallow { + domain + -$1_client + -$1_server + # some services are allowed to find all services + -atrace + -dumpstate + -shell + -system_app + -traceur_app + } $2:service_manager find; + ') +') + +################################### +# can_profile_heap(domain) +# Allow processes within the domain to have their heap profiled by central +# heapprofd. +define(`can_profile_heap', ` + # Allow central daemon to send signal for client initialization. + allow heapprofd $1:process signal; + # Allow connecting to the daemon. + unix_socket_connect($1, heapprofd, heapprofd) + # Allow daemon to use the passed fds. + allow heapprofd $1:fd use; + # Allow to read and write to heapprofd shmem. + # The client needs to read the read and write pointers in order to write. + allow $1 heapprofd_tmpfs:file { read write getattr map }; + # Use shared memory received over the unix socket. + allow $1 heapprofd:fd use; + + # To read and write from the received file descriptors. + # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the + # process they relate to. + # We need to write to /proc/$PID/page_idle to find idle allocations. + # The client only opens /proc/self/page_idle with RDWR, everything else + # with RDONLY. + # heapprofd cannot open /proc/$PID/mem itself, as it does not have + # sys_ptrace. + allow heapprofd $1:file rw_file_perms; + # Allow searching the /proc/[pid] directory for cmdline. + allow heapprofd $1:dir r_dir_perms; +') + +################################### +# never_profile_heap(domain) +# Opt out of heap profiling by heapprofd. +define(`never_profile_heap', ` + neverallow heapprofd $1:file read; + neverallow heapprofd $1:process signal; +') + +################################### +# can_profile_perf(domain) +# Allow processes within the domain to be profiled, and have their stacks +# sampled, by traced_perf. +define(`can_profile_perf', ` + # Allow directory & file read to traced_perf, as it stat(2)s /proc/[pid], and + # reads /proc/[pid]/cmdline. + allow traced_perf $1:file r_file_perms; + allow traced_perf $1:dir r_dir_perms; + + # Allow central daemon to send signal to request /proc/[pid]/maps and + # /proc/[pid]/mem fds from this process. + allow traced_perf $1:process signal; + + # Allow connecting to the daemon. + unix_socket_connect($1, traced_perf, traced_perf) + # Allow daemon to use the passed fds. + allow traced_perf $1:fd use; +') + +################################### +# never_profile_perf(domain) +# Opt out of profiling by traced_perf. +define(`never_profile_perf', ` + neverallow traced_perf $1:file read; + neverallow traced_perf $1:process signal; +') + +################################### +# perfetto_producer(domain) +# Allow processes within the domain to write data to Perfetto. +# When applying this macro, you might need to also allow traced to use the +# producer tmpfs domain, if the producer will be the one creating the shared +# memory. +define(`perfetto_producer', ` + allow $1 traced:fd use; + allow $1 traced_tmpfs:file { read write getattr map }; + unix_socket_connect($1, traced_producer, traced) + + # Also allow the service to use the producer file descriptors. This is + # necessary when the producer is creating the shared memory, as it will be + # passed to the service as a file descriptor (obtained from memfd_create). + allow traced $1:fd use; +') + +########################################### +# dump_hal(hal_type) +# Ability to dump the hal debug info +# +define(`dump_hal', ` + hal_client_domain(dumpstate, $1); + allow $1_server dumpstate:fifo_file write; + allow $1_server dumpstate:fd use; +') + +##################################### +# treble_sysprop_neverallow(rules) +# SELinux neverallow rules which enforces the accessibility of each property +# outside the owner. +# +# For devices launching with R or later, exported properties must be explicitly marked as +# "restricted" or "public", depending on the accessibility outside the owner. +# For devices launching with Q or eariler, this neverallow rules can be relaxed with defining +# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk. +# See {partition}_{accessibility}_prop macros below. +# +# CTS uses these rules only for devices launching with R or later. +# +# TODO(b/131162102): deprecate BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW +# +define(`treble_sysprop_neverallow', ifelse(target_treble_sysprop_neverallow, `true', $1, +ifelse(target_treble_sysprop_neverallow, `cts', +# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify +$1 +# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify +, ))) + +##################################### +# enforce_sysprop_owner(rules) +# SELinux neverallow rules which enforces the owner of each property. +# +# For devices launching with S or later, all properties must be explicitly marked as one of: +# system_property_type, vendor_property_type, or product_property_type. +# For devices launching with R or eariler, this neverallow rules can be relaxed with defining +# BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true on BoardConfig.mk. +# See {partition}_{accessibility}_prop macros below. +# +# CTS uses these ules only for devices launching with S or later. +# +define(`enforce_sysprop_owner', ifelse(target_enforce_sysprop_owner, `true', $1, +ifelse(target_enforce_sysprop_owner, `cts', +# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify +$1 +# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify +, ))) + +########################################### +# define_prop(name, owner, scope) +# Define a property with given owner and scope +# +define(`define_prop', ` + type $1, property_type, $2_property_type, $2_$3_property_type; +') + +########################################### +# system_internal_prop(name) +# Define a /system-owned property used only in /system +# For devices launching with Q or eariler, this restriction can be relaxed with +# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true +# +define(`system_internal_prop', ` + define_prop($1, system, internal) + treble_sysprop_neverallow(` + neverallow { domain -coredomain } $1:file no_rw_file_perms; + ') +') + +########################################### +# system_restricted_prop(name) +# Define a /system-owned property which can't be written outside /system +# For devices launching with Q or eariler, this restriction can be relaxed with +# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true +# +define(`system_restricted_prop', ` + define_prop($1, system, restricted) + treble_sysprop_neverallow(` + neverallow { domain -coredomain } $1:property_service set; + ') +') + +########################################### +# system_public_prop(name) +# Define a /system-owned property with no restrictions +# +define(`system_public_prop', `define_prop($1, system, public)') + +########################################### +# system_vendor_config_prop(name) +# Define a /system-owned property which can only be written by vendor_init +# This is a macro for vendor-specific configuration properties which is meant +# to be set once from vendor_init. +# +define(`system_vendor_config_prop', ` + system_public_prop($1) + set_prop(vendor_init, $1) + neverallow { domain -init -vendor_init } $1:property_service set; +') + +########################################### +# product_internal_prop(name) +# Define a /product-owned property used only in /product +# For devices launching with Q or eariler, this restriction can be relaxed with +# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true +# +define(`product_internal_prop', ` + define_prop($1, product, internal) + treble_sysprop_neverallow(` + neverallow { domain -coredomain } $1:file no_rw_file_perms; + ') +') + +########################################### +# product_restricted_prop(name) +# Define a /product-owned property which can't be written outside /product +# For devices launching with Q or eariler, this restriction can be relaxed with +# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true +# +define(`product_restricted_prop', ` + define_prop($1, product, restricted) + treble_sysprop_neverallow(` + neverallow { domain -coredomain } $1:property_service set; + ') +') + +########################################### +# product_public_prop(name) +# Define a /product-owned property with no restrictions +# +define(`product_public_prop', `define_prop($1, product, public)') + +########################################### +# vendor_internal_prop(name) +# Define a /vendor-owned property used only in /vendor +# For devices launching with Q or eariler, this restriction can be relaxed with +# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true +# +define(`vendor_internal_prop', ` + define_prop($1, vendor, internal) + treble_sysprop_neverallow(` +# init and dumpstate are in coredomain, but should be able to read all props. + neverallow { coredomain -init -dumpstate } $1:file no_rw_file_perms; + ') +') + +########################################### +# vendor_restricted_prop(name) +# Define a /vendor-owned property which can't be written outside /vendor +# For devices launching with Q or eariler, this restriction can be relaxed with +# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true +# +define(`vendor_restricted_prop', ` + define_prop($1, vendor, restricted) + treble_sysprop_neverallow(` +# init is in coredomain, but should be able to write all props. + neverallow { coredomain -init } $1:property_service set; + ') +') + +########################################### +# vendor_public_prop(name) +# Define a /vendor-owned property with no restrictions +# +define(`vendor_public_prop', `define_prop($1, vendor, public)') + +##################################### +# read_fstab(domain) +# Ability to call ReadDefaultFstab() and ReadFstabFromFile(). +# +define(`read_fstab', ` + allow $1 { metadata_file gsi_metadata_file_type }:dir search; + allow $1 gsi_public_metadata_file:file r_file_perms; +') |