1#####################################
2# domain_trans(olddomain, type, newdomain)
3# Allow a transition from olddomain to newdomain
4# upon executing a file labeled with type.
5# This only allows the transition; it does not
6# cause it to occur automatically - use domain_auto_trans
7# if that is what you want.
8#
9define(`domain_trans', `
10# Old domain may exec the file and transition to the new domain.
11allow $1 $2:file { getattr open read execute };
12allow $1 $3:process transition;
13# New domain is entered by executing the file.
14allow $3 $2:file { entrypoint open read execute getattr };
15# New domain can send SIGCHLD to its caller.
16ifelse($1, `init', `', `allow $3 $1:process sigchld;')
17# Enable AT_SECURE, i.e. libc secure mode.
18dontaudit $1 $3:process noatsecure;
19# XXX dontaudit candidate but requires further study.
20allow $1 $3:process { siginh rlimitinh };
21')
22
23#####################################
24# domain_auto_trans(olddomain, type, newdomain)
25# Automatically transition from olddomain to newdomain
26# upon executing a file labeled with type.
27#
28define(`domain_auto_trans', `
29# Allow the necessary permissions.
30domain_trans($1,$2,$3)
31# Make the transition occur by default.
32type_transition $1 $2:process $3;
33')
34
35#####################################
36# file_type_trans(domain, dir_type, file_type)
37# Allow domain to create a file labeled file_type in a
38# directory labeled dir_type.
39# This only allows the transition; it does not
40# cause it to occur automatically - use file_type_auto_trans
41# if that is what you want.
42#
43define(`file_type_trans', `
44# Allow the domain to add entries to the directory.
45allow $1 $2:dir ra_dir_perms;
46# Allow the domain to create the file.
47allow $1 $3:notdevfile_class_set create_file_perms;
48allow $1 $3:dir create_dir_perms;
49')
50
51#####################################
52# file_type_auto_trans(domain, dir_type, file_type)
53# Automatically label new files with file_type when
54# they are created by domain in directories labeled dir_type.
55#
56define(`file_type_auto_trans', `
57# Allow the necessary permissions.
58file_type_trans($1, $2, $3)
59# Make the transition occur by default.
60type_transition $1 $2:dir $3;
61type_transition $1 $2:notdevfile_class_set $3;
62')
63
64#####################################
65# r_dir_file(domain, type)
66# Allow the specified domain to read directories, files
67# and symbolic links of the specified type.
68define(`r_dir_file', `
69allow $1 $2:dir r_dir_perms;
70allow $1 $2:{ file lnk_file } r_file_perms;
71')
72
73#####################################
74# tmpfs_domain(domain)
75# Define and allow access to a unique type for
76# this domain when creating tmpfs / shmem / ashmem files.
77define(`tmpfs_domain', `
78type $1_tmpfs, file_type;
79type_transition $1 tmpfs:file $1_tmpfs;
80allow $1 $1_tmpfs:file { read write getattr };
81allow $1 tmpfs:dir { getattr search };
82')
83
84# pdx macros for IPC. pdx is a high-level name which contains transport-specific
85# rules from underlying transport (e.g. UDS-based implementation).
86
87#####################################
88# pdx_service_attributes(service)
89# Defines type attribute used to identify various service-related types.
90define(`pdx_service_attributes', `
91attribute pdx_$1_endpoint_dir_type;
92attribute pdx_$1_endpoint_socket_type;
93attribute pdx_$1_channel_socket_type;
94attribute pdx_$1_server_type;
95')
96
97#####################################
98# pdx_service_socket_types(service, endpoint_dir_t)
99# Define types for endpoint and channel sockets.
100define(`pdx_service_socket_types', `
101typeattribute $2 pdx_$1_endpoint_dir_type;
102type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
103type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
104')
105
106#####################################
107# pdx_server(server_domain, service)
108define(`pdx_server', `
109# Mark the server domain as a PDX server.
110typeattribute $1 pdx_$2_server_type;
111# Allow the init process to create the initial endpoint socket.
112allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
113# Allow the server domain to use the endpoint socket and accept connections on it.
114# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
115# than we need (e.g. we don"t need "bind" or "connect").
116allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
117# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
118allow $1 self:process setsockcreate;
119# Allow the server domain to create a client channel socket.
120allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
121# Prevent other processes from claiming to be a server for the same service.
122neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
123')
124
125#####################################
126# pdx_connect(client, service)
127define(`pdx_connect', `
128# Allow client to open the service endpoint file.
129allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
130allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
131# Allow the client to connect to endpoint socket.
132allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
133')
134
135#####################################
136# pdx_use(client, service)
137define(`pdx_use', `
138# Allow the client to use the PDX channel socket.
139# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
140# than we need (e.g. we don"t need "bind" or "connect").
141allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
142# Client needs to use an channel event fd from the server.
143allow $1 pdx_$2_server_type:fd use;
144# Servers may receive sync fences, gralloc buffers, etc, from clients.
145# This could be tightened on a per-server basis, but keeping track of service
146# clients is error prone.
147allow pdx_$2_server_type $1:fd use;
148')
149
150#####################################
151# pdx_client(client, service)
152define(`pdx_client', `
153pdx_connect($1, $2)
154pdx_use($1, $2)
155')
156
157#####################################
158# init_daemon_domain(domain)
159# Set up a transition from init to the daemon domain
160# upon executing its binary.
161define(`init_daemon_domain', `
162domain_auto_trans(init, $1_exec, $1)
163tmpfs_domain($1)
164')
165
166#####################################
167# app_domain(domain)
168# Allow a base set of permissions required for all apps.
169define(`app_domain', `
170typeattribute $1 appdomain;
171# Label ashmem objects with our own unique type.
172tmpfs_domain($1)
173# Map with PROT_EXEC.
174allow $1 $1_tmpfs:file execute;
175')
176
177#####################################
178# untrusted_app_domain(domain)
179# Allow a base set of permissions required for all untrusted apps.
180define(`untrusted_app_domain', `
181typeattribute $1 untrusted_app_all;
182')
183
184#####################################
185# net_domain(domain)
186# Allow a base set of permissions required for network access.
187define(`net_domain', `
188typeattribute $1 netdomain;
189')
190
191#####################################
192# bluetooth_domain(domain)
193# Allow a base set of permissions required for bluetooth access.
194define(`bluetooth_domain', `
195typeattribute $1 bluetoothdomain;
196')
197
198#####################################
199# hal_server_domain(domain, hal_type)
200# Allow a base set of permissions required for a domain to offer a
201# HAL implementation of the specified type over HwBinder.
202#
203# For example, default implementation of Foo HAL:
204#   type hal_foo_default, domain;
205#   hal_server_domain(hal_foo_default, hal_foo)
206#
207define(`hal_server_domain', `
208typeattribute $1 halserverdomain;
209typeattribute $1 $2_server;
210typeattribute $1 $2;
211')
212
213#####################################
214# hal_client_domain(domain, hal_type)
215# Allow a base set of permissions required for a domain to be a
216# client of a HAL of the specified type.
217#
218# For example, make some_domain a client of Foo HAL:
219#   hal_client_domain(some_domain, hal_foo)
220#
221define(`hal_client_domain', `
222typeattribute $1 halclientdomain;
223typeattribute $1 $2_client;
224
225# TODO(b/34170079): Make the inclusion of the rules below conditional also on
226# non-Treble devices. For now, on non-Treble device, always grant clients of a
227# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
228not_full_treble(`
229typeattribute $1 $2;
230# Find passthrough HAL implementations
231allow $2 system_file:dir r_dir_perms;
232allow $2 vendor_file:dir r_dir_perms;
233allow $2 vendor_file:file { read open getattr execute };
234')
235')
236
237#####################################
238# passthrough_hal_client_domain(domain, hal_type)
239# Allow a base set of permissions required for a domain to be a
240# client of a passthrough HAL of the specified type.
241#
242# For example, make some_domain a client of passthrough Foo HAL:
243#   passthrough_hal_client_domain(some_domain, hal_foo)
244#
245define(`passthrough_hal_client_domain', `
246typeattribute $1 halclientdomain;
247typeattribute $1 $2_client;
248typeattribute $1 $2;
249# Find passthrough HAL implementations
250allow $2 system_file:dir r_dir_perms;
251allow $2 vendor_file:dir r_dir_perms;
252allow $2 vendor_file:file { read open getattr execute };
253')
254
255#####################################
256# unix_socket_connect(clientdomain, socket, serverdomain)
257# Allow a local socket connection from clientdomain via
258# socket to serverdomain.
259#
260# Note: If you see denial records that distill to the
261# following allow rules:
262# allow clientdomain property_socket:sock_file write;
263# allow clientdomain init:unix_stream_socket connectto;
264# allow clientdomain something_prop:property_service set;
265#
266# This sequence is indicative of attempting to set a property.
267# use set_prop(sourcedomain, targetproperty)
268#
269define(`unix_socket_connect', `
270ifelse($2, `property', `
271    ifelse($3,`init', `
272       print(`deprecated: unix_socket_connect($1, $2, $3) Please use set_prop($1, <property name>) instead.')
273   ')
274')
275__unix_socket_connect__($1, $2, $3)
276')
277
278define(`__unix_socket_connect__', `
279allow $1 $2_socket:sock_file write;
280allow $1 $3:unix_stream_socket connectto;
281')
282
283#####################################
284# set_prop(sourcedomain, targetproperty)
285# Allows source domain to set the
286# targetproperty.
287#
288define(`set_prop', `
289__unix_socket_connect__($1, property, init)
290allow $1 $2:property_service set;
291get_prop($1, $2)
292')
293
294#####################################
295# get_prop(sourcedomain, targetproperty)
296# Allows source domain to read the
297# targetproperty.
298#
299define(`get_prop', `
300allow $1 $2:file r_file_perms;
301')
302
303#####################################
304# unix_socket_send(clientdomain, socket, serverdomain)
305# Allow a local socket send from clientdomain via
306# socket to serverdomain.
307define(`unix_socket_send', `
308allow $1 $2_socket:sock_file write;
309allow $1 $3:unix_dgram_socket sendto;
310')
311
312#####################################
313# binder_use(domain)
314# Allow domain to use Binder IPC.
315define(`binder_use', `
316# Call the servicemanager and transfer references to it.
317allow $1 servicemanager:binder { call transfer };
318# servicemanager performs getpidcon on clients.
319allow servicemanager $1:dir search;
320allow servicemanager $1:file { read open };
321allow servicemanager $1:process getattr;
322# rw access to /dev/binder and /dev/ashmem is presently granted to
323# all domains in domain.te.
324')
325
326#####################################
327# hwbinder_use(domain)
328# Allow domain to use HwBinder IPC.
329define(`hwbinder_use', `
330# Call the hwservicemanager and transfer references to it.
331allow $1 hwservicemanager:binder { call transfer };
332# Allow hwservicemanager to send out callbacks
333allow hwservicemanager $1:binder { call transfer };
334# hwservicemanager performs getpidcon on clients.
335allow hwservicemanager $1:dir search;
336allow hwservicemanager $1:file { read open };
337allow hwservicemanager $1:process getattr;
338# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
339# all domains in domain.te.
340')
341
342#####################################
343# vndbinder_use(domain)
344# Allow domain to use Binder IPC.
345define(`vndbinder_use', `
346# Talk to the vndbinder device node
347allow $1 vndbinder_device:chr_file rw_file_perms;
348# Call the vndservicemanager and transfer references to it.
349allow $1 vndservicemanager:binder { call transfer };
350# vndservicemanager performs getpidcon on clients.
351allow vndservicemanager $1:dir search;
352allow vndservicemanager $1:file { read open };
353allow vndservicemanager $1:process getattr;
354')
355
356#####################################
357# binder_call(clientdomain, serverdomain)
358# Allow clientdomain to perform binder IPC to serverdomain.
359define(`binder_call', `
360# Call the server domain and optionally transfer references to it.
361allow $1 $2:binder { call transfer };
362# Allow the serverdomain to transfer references to the client on the reply.
363allow $2 $1:binder transfer;
364# Receive and use open files from the server.
365allow $1 $2:fd use;
366')
367
368#####################################
369# binder_service(domain)
370# Mark a domain as being a Binder service domain.
371# Used to allow binder IPC to the various system services.
372define(`binder_service', `
373typeattribute $1 binderservicedomain;
374')
375
376#####################################
377# wakelock_use(domain)
378# Allow domain to manage wake locks
379define(`wakelock_use', `
380# Access /sys/power/wake_lock and /sys/power/wake_unlock
381allow $1 sysfs_wake_lock:file rw_file_perms;
382# Accessing these files requires CAP_BLOCK_SUSPEND
383allow $1 self:capability2 block_suspend;
384')
385
386#####################################
387# selinux_check_access(domain)
388# Allow domain to check SELinux permissions via selinuxfs.
389define(`selinux_check_access', `
390r_dir_file($1, selinuxfs)
391allow $1 selinuxfs:file w_file_perms;
392allow $1 kernel:security compute_av;
393allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
394')
395
396#####################################
397# selinux_check_context(domain)
398# Allow domain to check SELinux contexts via selinuxfs.
399define(`selinux_check_context', `
400r_dir_file($1, selinuxfs)
401allow $1 selinuxfs:file w_file_perms;
402allow $1 kernel:security check_context;
403')
404
405#####################################
406# create_pty(domain)
407# Allow domain to create and use a pty, isolated from any other domain ptys.
408define(`create_pty', `
409# Each domain gets a unique devpts type.
410type $1_devpts, fs_type;
411# Label the pty with the unique type when created.
412type_transition $1 devpts:chr_file $1_devpts;
413# Allow use of the pty after creation.
414allow $1 $1_devpts:chr_file { open getattr read write ioctl };
415allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
416# TIOCSTI is only ever used for exploits. Block it.
417# b/33073072, b/7530569
418# http://www.openwall.com/lists/oss-security/2016/09/26/14
419neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
420# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
421# allowed to everyone via domain.te.
422')
423
424#####################################
425# Non system_app application set
426#
427define(`non_system_app_set', `{ appdomain -system_app }')
428
429#####################################
430# Recovery only
431# SELinux rules which apply only to recovery mode
432#
433define(`recovery_only', ifelse(target_recovery, `true', $1, ))
434
435#####################################
436# Full TREBLE only
437# SELinux rules which apply only to full TREBLE devices
438#
439define(`full_treble_only', ifelse(target_full_treble, `true', $1,
440ifelse(target_full_treble, `cts',
441# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
442$1
443# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
444, )))
445
446#####################################
447# Not full TREBLE
448# SELinux rules which apply only to devices which are not full TREBLE devices
449#
450define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
451
452#####################################
453# Userdebug or eng builds
454# SELinux rules which apply only to userdebug or eng builds
455#
456define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
457
458#####################################
459# asan builds
460# SELinux rules which apply only to asan builds
461#
462define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
463
464####################################
465# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
466#
467define(`crash_dump_fallback', `
468userdebug_or_eng(`
469  allow $1 su:fifo_file append;
470')
471allow $1 anr_data_file:file append;
472allow $1 dumpstate:fd use;
473# TODO: Figure out why write is needed and remove.
474allow $1 dumpstate:fifo_file { append write };
475allow $1 tombstoned:unix_stream_socket connectto;
476allow $1 tombstoned:fd use;
477allow $1 tombstoned_crash_socket:sock_file write;
478allow $1 tombstone_data_file:file append;
479')
480
481#####################################
482# WITH_DEXPREOPT builds
483# SELinux rules which apply only when pre-opting.
484#
485define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
486
487#####################################
488# write_logd(domain)
489# Ability to write to android log
490# daemon via sockets
491define(`write_logd', `
492unix_socket_send($1, logdw, logd)
493allow $1 pmsg_device:chr_file w_file_perms;
494')
495
496#####################################
497# read_logd(domain)
498# Ability to run logcat and read from android
499# log daemon via sockets
500define(`read_logd', `
501allow $1 logcat_exec:file rx_file_perms;
502unix_socket_connect($1, logdr, logd)
503')
504
505#####################################
506# read_runtime_log_tags(domain)
507# ability to directly map the runtime event log tags
508define(`read_runtime_log_tags', `
509allow $1 runtime_event_log_tags_file:file r_file_perms;
510')
511
512#####################################
513# control_logd(domain)
514# Ability to control
515# android log daemon via sockets
516define(`control_logd', `
517# Group AID_LOG checked by filesystem & logd
518# to permit control commands
519unix_socket_connect($1, logd, logd)
520')
521
522#####################################
523# use_keystore(domain)
524# Ability to use keystore.
525# Keystore is requires the following permissions
526# to call getpidcon.
527define(`use_keystore', `
528  allow keystore $1:dir search;
529  allow keystore $1:file { read open };
530  allow keystore $1:process getattr;
531  allow $1 keystore_service:service_manager find;
532  binder_call($1, keystore)
533')
534
535###########################################
536# use_drmservice(domain)
537# Ability to use DrmService which requires
538# DrmService to call getpidcon.
539define(`use_drmservice', `
540  allow drmserver $1:dir search;
541  allow drmserver $1:file { read open };
542  allow drmserver $1:process getattr;
543')
544
545###########################################
546# add_service(domain, service)
547# Ability for domain to add a service to service_manager
548# and find it. It also creates a neverallow preventing
549# others from adding it.
550define(`add_service', `
551  allow $1 $2:service_manager { add find };
552  neverallow { domain -$1 } $2:service_manager add;
553  neverallow $1 unlabeled:service_manager add; #TODO: b/62658302
554')
555
556###########################################
557# add_hwservice(domain, service)
558# Ability for domain to add a service to hwservice_manager
559# and find it. It also creates a neverallow preventing
560# others from adding it.
561define(`add_hwservice', `
562  allow $1 $2:hwservice_manager { add find };
563  allow $1 hidl_base_hwservice:hwservice_manager add;
564  neverallow { domain -$1 } $2:hwservice_manager add;
565  neverallow $1 unlabeled:hwservice_manager add; #TODO: b/62658302
566')
567
568##########################################
569# print a message with a trailing newline
570# print(`args')
571define(`print', `errprint(`m4: '__file__: __line__`: $*
572')')
573