Diffstat (limited to 'domain.te')
-rw-r--r--domain.te79
1 files changed, 76 insertions, 3 deletions
diff --git a/domain.te b/domain.te
index 7bc2292..0f6c6da 100644
--- a/domain.te
+++ b/domain.te
@@ -6,6 +6,7 @@ allow domain init:process sigchld;
# Read access to properties mapping.
allow domain kernel:fd use;
allow domain tmpfs:file { read getattr };
+allow domain tmpfs:lnk_file { read getattr };
# Search /storage/emulated tmpfs mount.
allow domain tmpfs:dir r_dir_perms;
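Review bot: The added `allow domain tmpfs:lnk_file { read getattr };` lands directly under the `# Read access to properties mapping.` comment, which describes the `tmpfs:file` rule above it and says nothing about symlinks, so the reason every domain now reads and stats tmpfs symlinks is undocumented. Since this same commit adds neverallows further down to curb symlink following on app- and shell-writable paths, a reviewer will want the justification recorded, e.g. `# Read/stat symlinks in tmpfs mounts; needed by <CONSUMER — fill in>.` placed above the new line rather than letting it inherit the properties comment. If only a few domains actually need this, granting it in their own .te files instead of on `domain` would keep the attribute-wide surface smaller.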
@@ -93,6 +94,7 @@ allow domain urandom_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain properties_device:file r_file_perms;
allow domain init:key search;
+allow domain vold:key search;
# logd access
write_logd(domain)
@@ -182,10 +184,17 @@ neverallow {
-dumpstate
-system_server
userdebug_or_eng(`-procrank')
+ userdebug_or_eng(`-perfprofd')
} self:capability sys_ptrace;
# Limit device node creation to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -slideshow } self:capability mknod;
+neverallow {
+ domain
+ -kernel
+ -init
+ -ueventd
+ -vold
+} self:capability mknod;
# Limit raw I/O to these whitelisted domains.
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;
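Review bot: The rebuilt mknod whitelist drops `-recovery`, `-watchdogd`, `-healthd`, `-uncrypt` and `-slideshow`, and `-recovery` is likewise removed in the `device:chr_file` and `rootfs:file` hunks below, yet the unchanged `sys_rawio` neverallow on the last line of this hunk still exempts `-recovery -watchdogd -healthd -uncrypt -tee`. If those types were removed from the policy the retained references will not resolve; if they still exist, the asymmetry leaves them without mknod but with raw I/O, which looks unintended either way, and the `block_device:blk_file` rule shown in the next hunk's header context appears to need the same pass. The sys_ptrace neverallow at the top of this hunk begins outside it; its new `userdebug_or_eng(`-perfprofd')` exemption adds another ptrace-capable domain on debug builds with no comment, so a one-liner stating why perfprofd needs `sys_ptrace` there would help the next reviewer.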
@@ -267,7 +276,7 @@ neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_fi
# Rather force a relabel to a more specific type.
# init is exempt from this as there are character devices that only it uses.
# ueventd is exempt from this, as it is managing these devices.
-neverallow { domain -init -ueventd -recovery } device:chr_file { open read write };
+neverallow { domain -init -ueventd } device:chr_file { open read write };
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
@@ -306,7 +315,7 @@ neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class
neverallow domain { system_file exec_type }:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
-neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
@@ -350,6 +359,14 @@ neverallow {
-dex2oat
} dalvikcache_data_file:file no_w_file_perms;
+neverallow {
+ domain
+ -init
+ -installd
+ -dex2oat
+ -zygote
+} dalvikcache_data_file:dir no_w_dir_perms;
+
# Only system_server should be able to send commands via the zygote socket
neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
neverallow { domain -system_server } zygote_socket:sock_file write;
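Review bot: The new `dalvikcache_data_file:dir no_w_dir_perms` neverallow exempts `-zygote`, while the `:file no_w_file_perms` rule just above it, whose exemption list begins outside this hunk, visibly ends with `-dex2oat` and does not appear to include zygote. If zygote is meant to create or remove directory entries but never write file contents, that asymmetry is deliberate and should be stated, e.g. `# zygote may modify the dalvik-cache directory but must not write file contents` above the dir rule; otherwise a maintainer cannot tell whether zygote was omitted from the file rule by mistake. This is inferred from the visible tail of the file rule only.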
@@ -400,3 +417,59 @@ neverallow domain {
# neverallow { domain -appdomain } file_type:file execmod;
neverallow { domain -init } proc:{ file dir } mounton;
+
+# Ensure that all types assigned to processes are included
+# in the domain attribute, so that all allow and neverallow rules
+# written on domain are applied to all processes.
+# This is achieved by ensuring that it is impossible to transition
+# from a domain to a non-domain type and vice versa.
+neverallow domain ~domain:process { transition dyntransition };
+neverallow ~domain domain:process { transition dyntransition };
+
+#
+# Only system_app and system_server should be creating or writing
+# their files. The proper way to share files is to setup
+# type transitions to a more specific type or assigning a type
+# to its parent directory via a file_contexts entry.
+# Example type transition:
+# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
+#
+neverallow {
+ domain
+ -system_server
+ -system_app
+ -init
+ -installd # for relabelfrom and unlink, check for this in explicit neverallow
+} system_data_file:file no_w_file_perms;
+# do not grant anything greater than r_file_perms and relabelfrom unlink
+# to installd
+neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
+
+#
+# Only these domains should transition to shell domain. This domain is
+# permissible for the "shell user". If you need a process to exec a shell
+# script with differing privilege, define a domain and set up a transition.
+#
+neverallow {
+ domain
+ -adbd
+ -init
+ -runas
+ -zygote
+} shell:process { transition dyntransition };
+
+# Minimize read access to shell- or app-writable symlinks.
+# This is to prevent malicious symlink attacks.
+neverallow {
+ domain
+ -appdomain
+ -installd
+ -uncrypt # TODO: see if we can remove
+} app_data_file:lnk_file read;
+
+neverallow {
+ domain
+ -shell
+ userdebug_or_eng(`-uncrypt')
+ -installd
+} shell_data_file:lnk_file read;
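Review bot: uncrypt is handled inconsistently between the two new symlink-read neverallows: it is exempted unconditionally for `app_data_file:lnk_file` (with `# TODO: see if we can remove`) but only under `userdebug_or_eng` for `shell_data_file:lnk_file`, and the second rule carries no comment at all, so a reader cannot tell whether the debug-only scoping is intentional or a leftover. Suggest giving the second rule its own heading, e.g. `# Same symlink-following restriction for shell-writable files; uncrypt only needs this on debug builds`, or aligning the two exemptions once the TODO is resolved. For the `system_data_file` rule, the lead comment says only system_app and system_server should write, but the list also exempts init and installd; rewording it to `# Only system_server, system_app and init should be creating or writing their files; installd is covered by the narrower rule below` would make the comment match the rule.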