drachfly
/
android10


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207
							get_prop(coredomain, pm_prop)
get_prop(coredomain, exported_pm_prop)

full_treble_only(`
neverallow {
    coredomain

    # for chowning
    -init

    # generic access to sysfs_type
    -ueventd
    -vold
} sysfs_leds:file *;
')

# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few whitelisted coredomains to keep system/vendor separation.
full_treble_only(`
    # Limit access to /vendor/app
    neverallow {
        coredomain
        -appdomain
        -dex2oat
        -idmap
        -init
        -installd
        userdebug_or_eng(`-perfprofd')
        userdebug_or_eng(`-heapprofd')
        -postinstall_dexopt
        -rs # spawned by appdomain, so carryover the exception above
        -system_server
    } vendor_app_file:dir { open read getattr search };
')

full_treble_only(`
    neverallow {
        coredomain
        -appdomain
        -dex2oat
        -idmap
        -init
        -installd
        userdebug_or_eng(`-perfprofd')
        userdebug_or_eng(`-heapprofd')
        -postinstall_dexopt
        -rs # spawned by appdomain, so carryover the exception above
        -system_server
        -mediaserver
    } vendor_app_file:file r_file_perms;
')

full_treble_only(`
    # Limit access to /vendor/overlay
    neverallow {
        coredomain
        -appdomain
        -idmap
        -init
        -installd
        -postinstall_dexopt
        -rs # spawned by appdomain, so carryover the exception above
        -system_server
        -app_zygote
        -webview_zygote
        -zygote
        userdebug_or_eng(`-heapprofd')
    } vendor_overlay_file:dir { getattr open read search };
')

full_treble_only(`
    neverallow {
        coredomain
        -appdomain
        -idmap
        -init
        -installd
        -postinstall_dexopt
        -rs # spawned by appdomain, so carryover the exception above
        -system_server
        -app_zygote
        -webview_zygote
        -zygote
        userdebug_or_eng(`-heapprofd')
    } vendor_overlay_file:file r_file_perms;
')

# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
full_treble_only(`
  # /proc
  neverallow {
    coredomain
    -init
    -vold
  } proc:file no_rw_file_perms;

  # /sys
  neverallow {
    coredomain
    -init
    -ueventd
    -vold
  } sysfs:file no_rw_file_perms;

  # /dev
  neverallow {
    coredomain
    -fsck
    -init
    -ueventd
  } device:{ blk_file file } no_rw_file_perms;

  # debugfs
  neverallow {
    coredomain
    -dumpstate
    -init
    -system_server
  } debugfs:file no_rw_file_perms;

  # tracefs
  neverallow {
    coredomain
    -atrace
    -dumpstate
    -init
    userdebug_or_eng(`-perfprofd')
    -traced_probes
    -shell
    -traceur_app
  } debugfs_tracing:file no_rw_file_perms;

  # inotifyfs
  neverallow {
    coredomain
    -init
  } inotify:file no_rw_file_perms;

  # pstorefs
  neverallow {
    coredomain
    -bootstat
    -charger
    -dumpstate
    -healthd
    userdebug_or_eng(`-incidentd')
    -init
    -logd
    -logpersist
    -recovery_persist
    -recovery_refresh
    -shell
    -system_server
  } pstorefs:file no_rw_file_perms;

  # configfs
  neverallow {
    coredomain
    -init
    -system_server
  } configfs:file no_rw_file_perms;

  # functionfs
  neverallow {
    coredomain
    -adbd
    -init
    -mediaprovider
    -system_server
  } functionfs:file no_rw_file_perms;

  # usbfs and binfmt_miscfs
  neverallow {
    coredomain
    -init
  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
')

# Following /dev nodes must not be directly accessed by coredomain, but should
# instead be wrapped by HALs.
neverallow coredomain {
  iio_device
  radio_device
}:chr_file { open read append write ioctl };

# TODO(b/120243891): HAL permission to tee_device is included into coredomain
# on non-Treble devices.
full_treble_only(`
  neverallow coredomain tee_device:chr_file { open read append write ioctl };
')

# Allow access to ashmemd to request /dev/ashmem fds.
allow {
  coredomain
  -init
  -iorapd
  -perfprofd
} ashmem_device_service:service_manager find;

binder_call({
  coredomain
  -init
  -iorapd
  -perfprofd
}, ashmemd)