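# coredomain may read properties of type pm_prop and exported_pm_prop; no
# set access is granted here.
get_prop(coredomain, pm_prop)
get_prop(coredomain, exported_pm_prop)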
3
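# LED sysfs nodes are off limits to coredomain on full-Treble builds. Note the
# permission set is `*`, so every file permission is denied, not only read and
# write. Only the three domains listed below are carved out.
full_treble_only(`
neverallow {
    coredomain

    # for chowning
    -init

    # generic access to sysfs_type
    -ueventd
    -vold
} sysfs_leds:file *;
')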
16
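# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
    # Limit access to /vendor/app: only the domains listed may open, read,
    # stat or search vendor app directories. The perfprofd and heapprofd
    # carve-outs exist only on userdebug/eng builds; on user builds those
    # domains remain subject to this rule.
    neverallow {
        coredomain
        -appdomain
        -dex2oat
        -idmap
        -init
        -installd
        userdebug_or_eng(`-perfprofd')
        userdebug_or_eng(`-heapprofd')
        -postinstall_dexopt
        -rs # spawned by appdomain, so carryover the exception above
        -system_server
    } vendor_app_file:dir { open read getattr search };
')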
35
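# Read access to the files under /vendor/app. The allowlist mirrors the
# vendor_app_file:dir rule above with one addition: mediaserver is exempted
# here but not from the directory rule, so it may read vendor app files
# without being able to list or search /vendor/app itself. Keep the two
# lists in step when adding a domain.
full_treble_only(`
    neverallow {
        coredomain
        -appdomain
        -dex2oat
        -idmap
        -init
        -installd
        userdebug_or_eng(`-perfprofd')
        userdebug_or_eng(`-heapprofd')
        -postinstall_dexopt
        -rs # spawned by appdomain, so carryover the exception above
        -system_server
        -mediaserver
    } vendor_app_file:file r_file_perms;
')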
52
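# Directory access to /vendor/overlay. Compared with the /vendor/app rules,
# the three zygotes (zygote, webview_zygote, app_zygote) are exempted and
# dex2oat is not. heapprofd is exempt only on userdebug/eng builds.
full_treble_only(`
    # Limit access to /vendor/overlay
    neverallow {
        coredomain
        -appdomain
        -idmap
        -init
        -installd
        -postinstall_dexopt
        -rs # spawned by appdomain, so carryover the exception above
        -system_server
        -app_zygote
        -webview_zygote
        -zygote
        userdebug_or_eng(`-heapprofd')
    } vendor_overlay_file:dir { getattr open read search };
')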
70
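# Read access to the files under /vendor/overlay. The allowlist is identical
# to the vendor_overlay_file:dir rule above; keep the two lists in step when
# adding a domain.
full_treble_only(`
    neverallow {
        coredomain
        -appdomain
        -idmap
        -init
        -installd
        -postinstall_dexopt
        -rs # spawned by appdomain, so carryover the exception above
        -system_server
        -app_zygote
        -webview_zygote
        -zygote
        userdebug_or_eng(`-heapprofd')
    } vendor_overlay_file:file r_file_perms;
')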
87
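# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
#
# Each rule below denies the read/write permission set on files that still
# carry the generic label of a kernel pseudo-filesystem. Anything a core
# domain legitimately needs must be given a specific type instead of being
# added to an exemption list here. Enforced on full-Treble builds only.
full_treble_only(`
  # /proc
  neverallow {
    coredomain
    -init
    -vold
  } proc:file no_rw_file_perms;

  # /sys
  neverallow {
    coredomain
    -init
    -ueventd
    -vold
  } sysfs:file no_rw_file_perms;

  # /dev
  # Only block devices and regular files with the generic device label are
  # covered; chr_file is deliberately absent from this class list, so
  # character devices are governed by their own types and rules.
  neverallow {
    coredomain
    -fsck
    -init
    -ueventd
  } device:{ blk_file file } no_rw_file_perms;

  # debugfs
  neverallow {
    coredomain
    -dumpstate
    -init
    -system_server
  } debugfs:file no_rw_file_perms;

  # tracefs
  # perfprofd is exempt only on userdebug/eng builds; shell and traceur_app
  # are exempt on all builds.
  neverallow {
    coredomain
    -atrace
    -dumpstate
    -init
    userdebug_or_eng(`-perfprofd')
    -traced_probes
    -shell
    -traceur_app
  } debugfs_tracing:file no_rw_file_perms;

  # inotifyfs
  neverallow {
    coredomain
    -init
  } inotify:file no_rw_file_perms;

  # pstorefs
  # incidentd is exempt only on userdebug/eng builds.
  neverallow {
    coredomain
    -bootstat
    -charger
    -dumpstate
    -healthd
    userdebug_or_eng(`-incidentd')
    -init
    -logd
    -logpersist
    -recovery_persist
    -recovery_refresh
    -shell
    -system_server
  } pstorefs:file no_rw_file_perms;

  # configfs
  neverallow {
    coredomain
    -init
    -system_server
  } configfs:file no_rw_file_perms;

  # functionfs
  neverallow {
    coredomain
    -adbd
    -init
    -mediaprovider
    -system_server
  } functionfs:file no_rw_file_perms;

  # usbfs and binfmt_miscfs
  neverallow {
    coredomain
    -init
  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
')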
180
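# Following /dev nodes must not be directly accessed by coredomain, but should
# instead be wrapped by HALs.
# Unlike the tee_device rule below, this applies on all builds, not only
# full-Treble ones, and has no exempted domains.
neverallow coredomain {
  iio_device
  radio_device
}:chr_file { open read append write ioctl };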
187
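# TODO(b/120243891): HAL permission to tee_device is included into coredomain
# on non-Treble devices.
# Same permission set as the iio_device/radio_device rule above, but limited
# to full-Treble builds until the TODO is resolved.
full_treble_only(`
  neverallow coredomain tee_device:chr_file { open read append write ioctl };
')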
193
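# Allow access to ashmemd to request /dev/ashmem fds.
# init, iorapd and perfprofd are excluded. The same exclusion list appears in
# the ashmemd binder rule directly below; keep the two in step so a domain
# is never able to find the service without being able to call it, or the
# reverse.
allow {
  coredomain
  -init
  -iorapd
  -perfprofd
} ashmem_device_service:service_manager find;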
201
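# Binder access from coredomain to ashmemd, with the same exclusion list as
# the ashmem_device_service find rule above.
binder_call({
  coredomain
  -init
  -iorapd
  -perfprofd
}, ashmemd)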
208