-
Notifications
You must be signed in to change notification settings - Fork 0
/
domain.te
630 lines (537 loc) · 21.3 KB
/
domain.te
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
# Rules for all domains.
# Allow reaping by init.
allow domain init:process sigchld;
# Intra-domain accesses.
allow domain self:process {
fork
sigchld
sigkill
sigstop
signull
signal
getsched
setsched
getsession
getpgid
setpgid
getcap
setcap
getattr
setrlimit
};
allow domain self:fd use;
allow domain proc:dir r_dir_perms;
allow domain proc_net:dir search;
r_dir_file(domain, self)
allow domain self:{ fifo_file file } rw_file_perms;
allow domain self:unix_dgram_socket { create_socket_perms sendto };
allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } ioctl unpriv_unix_sock_ioctls;
# Inherit or receive open files from others.
allow domain init:fd use;
userdebug_or_eng(`
# Same as adbd rules above, except allow su to do the same thing
allow domain su:unix_stream_socket connectto;
allow domain su:fd use;
allow domain su:unix_stream_socket { getattr getopt read write shutdown };
allow { domain -init } su:binder { call transfer };
allow { domain -init } su:fd use;
# Running something like "pm dump com.android.bluetooth" requires
# fifo writes
allow domain su:fifo_file { write getattr };
# allow "gdbserver --attach" to work for su.
allow domain su:process sigchld;
# Allow writing coredumps to /cores/*
allow domain coredump_file:file create_file_perms;
allow domain coredump_file:dir ra_dir_perms;
')
###
### Talk to debuggerd.
###
allow domain debuggerd:process sigchld;
allow domain debuggerd:unix_stream_socket connectto;
# Root fs.
allow domain rootfs:dir search;
allow domain rootfs:lnk_file { read getattr };
# Device accesses.
allow domain device:dir search;
allow domain dev_type:lnk_file r_file_perms;
allow domain devpts:dir search;
allow domain socket_device:dir r_dir_perms;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file rw_file_perms;
allow domain ashmem_device:chr_file rw_file_perms;
allow domain binder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
allow domain urandom_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain properties_device:dir r_dir_perms;
allow domain properties_serial:file r_file_perms;
# For now, everyone can access core property files
# Device specific properties are not granted by default
get_prop(domain, core_property_type)
# Let everyone read log properties, so that liblog can avoid sending unloggable
# messages to logd.
get_prop(domain, log_property_type)
dontaudit domain property_type:file audit_access;
allow domain property_contexts:file r_file_perms;
allow domain init:key search;
allow domain vold:key search;
# logd access
write_logd(domain)
# System file accesses.
allow domain system_file:dir { search getattr };
allow domain system_file:file { execute read open getattr };
allow domain system_file:lnk_file read;
# read any sysfs symlinks
allow domain sysfs:lnk_file read;
# libc references /data/misc/zoneinfo for timezone related information
r_dir_file(domain, zoneinfo_data_file)
# Lots of processes access current CPU information
r_dir_file(domain, sysfs_devices_system_cpu)
r_dir_file(domain, sysfs_usb);
# files under /data.
allow domain system_data_file:dir { search getattr };
allow domain system_data_file:lnk_file read;
# required by the dynamic linker
allow domain proc:lnk_file { getattr read };
# /proc/cpuinfo
allow domain proc_cpuinfo:file r_file_perms;
# toybox loads libselinux which stats /sys/fs/selinux/
allow domain selinuxfs:dir search;
allow domain selinuxfs:file getattr;
allow domain sysfs:dir search;
allow domain selinuxfs:filesystem getattr;
# For /acct/uid/*/tasks.
allow domain cgroup:dir { search write };
allow domain cgroup:file w_file_perms;
# Almost all processes log tracing information to
# /sys/kernel/debug/tracing/trace_marker
# The reason behind this is documented in b/6513400
allow domain debugfs:dir search;
allow domain debugfs_tracing:dir search;
allow domain debugfs_trace_marker:file w_file_perms;
# Filesystem access.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
###
### neverallow rules
###
# Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow {
domain
-debuggerd
-vold
-dumpstate
-system_server
userdebug_or_eng(`-perfprofd')
} self:capability sys_ptrace;
# Limit device node creation to these whitelisted domains.
neverallow {
domain
-kernel
-init
-ueventd
-vold
} self:capability mknod;
userdebug_or_eng(`attribute rmt_placeholder;')
# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
-kernel
-init
-recovery
-ueventd
-healthd
-uncrypt
-tee
userdebug_or_eng(`-rmt_placeholder')
} self:capability sys_rawio;
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow * self:memprotect mmap_zero;
# No domain needs mac_override as it is unused by SELinux.
neverallow * self:capability2 mac_override;
# Only recovery needs mac_admin to set contexts not defined in current policy.
neverallow { domain -recovery } self:capability2 mac_admin;
# Only init should be able to load SELinux policies.
# The first load technically occurs while still in the kernel domain,
# but this does not trigger a denial since there is no policy yet.
# Policy reload requires allowing this to the init domain.
neverallow { domain -init } kernel:security load_policy;
# Only init and the system_server can set selinux.reload_policy 1
# to trigger a policy reload.
neverallow { domain -init -system_server } security_prop:property_service set;
# Only init and system_server can write to /data/security, where runtime
# policy updates live.
# Only init can relabel /data/security (for init.rc restorecon_recursive /data).
neverallow { domain -init } security_file:{ dir file lnk_file } { relabelfrom relabelto };
# Only init and system_server can create/setattr directories with this type.
# init is for init.rc mkdir /data/security.
# system_server is for creating subdirectories under /data/security.
neverallow { domain -init -system_server } security_file:dir { create setattr };
# Only system_server can create subdirectories and files under /data/security.
neverallow { domain -system_server } security_file:dir { rename write add_name remove_name rmdir };
neverallow { domain -system_server } security_file:file { create setattr write append unlink link rename };
neverallow { domain -system_server } security_file:lnk_file { create setattr unlink rename };
# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
neverallow * kernel:security setenforce;
neverallow { domain -kernel } kernel:security setcheckreqprot;
# No booleans in AOSP policy, so no need to ever set them.
neverallow * kernel:security setbool;
# Adjusting the AVC cache threshold.
# Not presently allowed to anything in policy, but possibly something
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;
# Only init, ueventd and system_server should be able to access HW RNG
neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;
# Ensure that all entrypoint executables are in exec_type or postinstall_file.
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
neverallow { domain userdebug_or_eng(`-rmt_placeholder') -kernel -ueventd -init } kmem_device:chr_file *;
neverallow { domain userdebug_or_eng(`-rmt_placeholder') } kmem_device:chr_file ~{ create relabelto unlink setattr };
# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init } proc_security:file { append write };
# No domain should be allowed to ptrace init.
neverallow * init:process ptrace;
# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow * init:binder *;
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery -uncrypt } block_device:blk_file { open read write };
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
# init is exempt from this as there are character devices that only it uses.
# ueventd is exempt from this, as it is managing these devices.
neverallow { domain -init -ueventd } device:chr_file { open read write };
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few whitelisted domains.
#
neverallow {
domain
-appdomain
-autoplay_app
-dumpstate
-shell
userdebug_or_eng(`-su')
-system_server
-zygote
-mediaserver
-audioserver
} { file_type -system_file -exec_type -postinstall_file }:file execute;
neverallow {
domain
-appdomain # for oemfs
-recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;
# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
# Allow rules for ViPER4Android
allow mediaserver mediaserver_tmpfs:file { execute };
allow audioserver audioserver_tmpfs:file { read execute };
# Protect most domains from executing arbitrary content from /data.
neverallow {
domain
-appdomain
} {
data_file_type
-dalvikcache_data_file
-system_data_file # shared libs in apks
-apk_data_file
}:file no_x_file_perms;
neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
# Only the init property service should write to /data/property and /dev/__properties__
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
# Only recovery should be doing writes to /system
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
{ create write setattr relabelfrom append unlink link rename };
neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
neverallow { domain -init } system_file:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
ifelse(shipping_build, `true',
`neverallow * {fs_type -contextmount_type}:filesystem relabelto;'
,
`neverallow * {fs_type -contextmount_type -sdcard_posix}:filesystem relabelto;'
)
# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
# mount to another type.
neverallow { domain -recovery } contextmount_type:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
# Do not allow service_manager add for default_android_service.
# Instead domains should use a more specific type such as
# system_app_service rather than the generic type.
# New service_types are defined in service.te and new mappings
# from service name to service_type are defined in service_contexts.
neverallow * default_android_service:service_manager add;
# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
neverallow { domain -init } default_prop:property_service set;
neverallow { domain -init } mmc_prop:property_service set;
neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
# No domain other than recovery and update_engine can write to system partition(s).
neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
# No domains other than install_recovery or recovery can write to recovery.
neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
# this partition for testing purposes.
neverallow {
domain
userdebug_or_eng(`-domain') # exclude debuggable builds
-init
-uncrypt
-update_engine
-vold
-recovery
-ueventd
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
# Only servicemanager should be able to register with binder as the context manager
neverallow { domain -servicemanager } *:binder set_context_mgr;
# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
domain
-init # TODO: limit init to relabelfrom for files
-zygote
-installd
-postinstall_dexopt
-cppreopts
-dex2oat
-otapreopt_slot
} dalvikcache_data_file:file no_w_file_perms;
neverallow {
domain
-init
-installd
-postinstall_dexopt
-cppreopts
-dex2oat
-zygote
-otapreopt_slot
} dalvikcache_data_file:dir no_w_dir_perms;
# Only system_server should be able to send commands via the zygote socket
neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
neverallow { domain -system_server } zygote_socket:sock_file write;
# Android does not support System V IPCs.
#
# The reason for this is due to the fact that, by design, they lead to global
# kernel resource leakage.
#
# For example, there is no way to automatically release a SysV semaphore
# allocated in the kernel when:
#
# - a buggy or malicious process exits
# - a non-buggy and non-malicious process crashes or is explicitly killed.
#
# Killing processes automatically to make room for new ones is an
# important part of Android's application lifecycle implementation. This means
# that, even assuming only non-buggy and non-malicious code, it is very likely
# that over time, the kernel global tables used to implement SysV IPCs will fill
# up.
neverallow * *:{ shm sem msg msgq } *;
# Do not mount on top of symlinks, fifos, or sockets.
# Feature parity with Chromium LSM.
neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
# Nobody should be able to execute su on user builds.
# On userdebug/eng builds, only dumpstate, shell, and
# su itself execute su.
neverallow { domain userdebug_or_eng(`-dumpstate -shell -su -domain') } su_exec:file no_x_file_perms;
# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
# The only exceptions are for NDK text relocations associated with
# https://code.google.com/p/android/issues/detail?id=23203
# which, long term, need to go away.
ifelse(target_needs_platform_text_relocations, `true',
`neverallow * {
file_type
-system_file
-system_data_file
-apk_data_file
-app_data_file
-asec_public_file
}:file execmod;'
,
`neverallow * {
file_type
-system_data_file
-apk_data_file
-app_data_file
-asec_public_file
}:file execmod;'
)
# Do not allow making the stack or heap executable.
# We would also like to minimize execmem but it seems to be
# required by some device-specific service domains.
neverallow * self:process { execstack execheap };
# prohibit non-zygote spawned processes from using shared libraries
# with text relocations. b/20013628 .
ifelse(target_needs_platform_text_relocations, `true', ,
`neverallow { domain -appdomain } file_type:file execmod;'
)
neverallow { domain -init } proc:{ file dir } mounton;
# Ensure that all types assigned to processes are included
# in the domain attribute, so that all allow and neverallow rules
# written on domain are applied to all processes.
# This is achieved by ensuring that it is impossible to transition
# from a domain to a non-domain type and vice versa.
neverallow domain ~domain:process { transition dyntransition };
neverallow ~domain domain:process { transition dyntransition };
#
# Only system_app and system_server should be creating or writing
# their files. The proper way to share files is to setup
# type transitions to a more specific type or assigning a type
# to its parent directory via a file_contexts entry.
# Example type transition:
# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
#
neverallow {
domain
-system_server
-system_app
-init
-installd # for relabelfrom and unlink, check for this in explicit neverallow
} system_data_file:file no_w_file_perms;
# do not grant anything greater than r_file_perms and relabelfrom unlink
# to installd
neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
#
# Only these domains should transition to shell domain. This domain is
# permissible for the "shell user". If you need a process to exec a shell
# script with differing privilege, define a domain and set up a transition.
#
neverallow {
domain
-adbd
-init
-runas
-zygote
} shell:process { transition dyntransition };
# Only domains spawned from zygote and runas may have the appdomain attribute.
neverallow { domain -runas -zygote } {
appdomain -shell userdebug_or_eng(`-su -sudaemon -qti-testscripts') -bluetooth
}:process { transition dyntransition };
# Minimize read access to shell- or app-writable symlinks.
# This is to prevent malicious symlink attacks.
neverallow {
domain
-appdomain
-installd
-uncrypt # TODO: see if we can remove
} app_data_file:lnk_file read;
neverallow {
domain
-shell
userdebug_or_eng(`-uncrypt')
-installd
} shell_data_file:lnk_file read;
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
# directory is untrustworthy, and non-whitelisted domains should
# not be trusting any content in those directories.
neverallow {
domain
-adbd
-dumpstate
-installd
-init
-shell
-vold
} shell_data_file:dir no_w_dir_perms;
neverallow {
domain
-adbd
-appdomain
-dumpstate
-init
-installd
-system_server # why?
userdebug_or_eng(`-uncrypt')
} shell_data_file:dir { open search };
# Same as above for /data/local/tmp files. We allow shell files
# to be passed around by file descriptor, but not directly opened.
neverallow {
domain
-adbd
-appdomain
-dumpstate
-installd
userdebug_or_eng(`-uncrypt')
} shell_data_file:file open;
# servicemanager is the only process which handles list request
neverallow * ~servicemanager:service_manager list;
# only service_manager_types can be added to service_manager
neverallow * ~service_manager_type:service_manager { add find };
# Prevent assigning non property types to properties
neverallow * ~property_type:property_service set;
# Domain types should never be assigned to any files other
# than the /proc/pid files associated with a process. The
# executable file used to enter a domain should be labeled
# with its own _exec type, not with the domain type.
# Conventionally, this looks something like:
# $ cat mydaemon.te
# type mydaemon, domain;
# type mydaemon_exec, exec_type, file_type;
# init_daemon_domain(mydaemon)
# $ grep mydaemon file_contexts
# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
neverallow * domain:file { execute execute_no_trans entrypoint };
# Do not allow access to the generic debugfs label. This is too broad.
# Instead, if access to part of debugfs is desired, it should have a
# more specific label.
# TODO: fix system_server and dumpstate
neverallow { domain -init -system_server -dumpstate userdebug_or_eng(`-qti_debugfs_domain')} debugfs:file no_rw_file_perms;
neverallow {
domain
-init
-recovery
-sdcardd
-vold
} fuse_device:chr_file open;
neverallow {
domain
-dumpstate
-init
-priv_app
-recovery
-sdcardd
-system_server
-ueventd
-vold
} fuse_device:chr_file *;
# Profiles contain untrusted data and profman parses that. We should only run
# in from installd forked processes.
neverallow {
domain
-installd
-profman
} profman_exec:file no_x_file_perms;
# Enforce restrictions on kernel module origin.
# Do not allow kernel module loading except from system,
# vendor, and boot partitions.
neverallow * ~{ system_file rootfs }:system module_load;