123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207 |
- get_prop(coredomain, pm_prop)
- get_prop(coredomain, exported_pm_prop)
- full_treble_only(`
- neverallow {
- coredomain
- # for chowning
- -init
- # generic access to sysfs_type
- -ueventd
- -vold
- } sysfs_leds:file *;
- ')
- # On TREBLE devices, a limited set of files in /vendor are accessible to
- # only a few whitelisted coredomains to keep system/vendor separation.
- full_treble_only(`
- # Limit access to /vendor/app
- neverallow {
- coredomain
- -appdomain
- -dex2oat
- -idmap
- -init
- -installd
- userdebug_or_eng(`-perfprofd')
- userdebug_or_eng(`-heapprofd')
- -postinstall_dexopt
- -rs
- -system_server
- } vendor_app_file:dir { open read getattr search };
- ')
- full_treble_only(`
- neverallow {
- coredomain
- -appdomain
- -dex2oat
- -idmap
- -init
- -installd
- userdebug_or_eng(`-perfprofd')
- userdebug_or_eng(`-heapprofd')
- -postinstall_dexopt
- -rs
- -system_server
- -mediaserver
- } vendor_app_file:file r_file_perms;
- ')
- full_treble_only(`
- # Limit access to /vendor/overlay
- neverallow {
- coredomain
- -appdomain
- -idmap
- -init
- -installd
- -postinstall_dexopt
- -rs
- -system_server
- -app_zygote
- -webview_zygote
- -zygote
- userdebug_or_eng(`-heapprofd')
- } vendor_overlay_file:dir { getattr open read search };
- ')
- full_treble_only(`
- neverallow {
- coredomain
- -appdomain
- -idmap
- -init
- -installd
- -postinstall_dexopt
- -rs
- -system_server
- -app_zygote
- -webview_zygote
- -zygote
- userdebug_or_eng(`-heapprofd')
- } vendor_overlay_file:file r_file_perms;
- ')
- # Core domains are not permitted to use kernel interfaces which are not
- # explicitly labeled.
- # TODO(b/65643247): Apply these neverallow rules to all coredomain.
- full_treble_only(`
- # /proc
- neverallow {
- coredomain
- -init
- -vold
- } proc:file no_rw_file_perms;
- # /sys
- neverallow {
- coredomain
- -init
- -ueventd
- -vold
- } sysfs:file no_rw_file_perms;
- # /dev
- neverallow {
- coredomain
- -fsck
- -init
- -ueventd
- } device:{ blk_file file } no_rw_file_perms;
- # debugfs
- neverallow {
- coredomain
- -dumpstate
- -init
- -system_server
- } debugfs:file no_rw_file_perms;
- # tracefs
- neverallow {
- coredomain
- -atrace
- -dumpstate
- -init
- userdebug_or_eng(`-perfprofd')
- -traced_probes
- -shell
- -traceur_app
- } debugfs_tracing:file no_rw_file_perms;
- # inotifyfs
- neverallow {
- coredomain
- -init
- } inotify:file no_rw_file_perms;
- # pstorefs
- neverallow {
- coredomain
- -bootstat
- -charger
- -dumpstate
- -healthd
- userdebug_or_eng(`-incidentd')
- -init
- -logd
- -logpersist
- -recovery_persist
- -recovery_refresh
- -shell
- -system_server
- } pstorefs:file no_rw_file_perms;
- # configfs
- neverallow {
- coredomain
- -init
- -system_server
- } configfs:file no_rw_file_perms;
- # functionfs
- neverallow {
- coredomain
- -adbd
- -init
- -mediaprovider
- -system_server
- } functionfs:file no_rw_file_perms;
- # usbfs and binfmt_miscfs
- neverallow {
- coredomain
- -init
- }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
- ')
- # Following /dev nodes must not be directly accessed by coredomain, but should
- # instead be wrapped by HALs.
- neverallow coredomain {
- iio_device
- radio_device
- }:chr_file { open read append write ioctl };
- # TODO(b/120243891): HAL permission to tee_device is included into coredomain
- # on non-Treble devices.
- full_treble_only(`
- neverallow coredomain tee_device:chr_file { open read append write ioctl };
- ')
- # Allow access to ashmemd to request /dev/ashmem fds.
- allow {
- coredomain
- -init
- -iorapd
- -perfprofd
- } ashmem_device_service:service_manager find;
- binder_call({
- coredomain
- -init
- -iorapd
- -perfprofd
- }, ashmemd)
|