#####################################
# domain_trans(olddomain, type, newdomain)
# Allow a transition from olddomain to newdomain
# upon executing a file labeled with type.
# This only allows the transition; it does not
# cause it to occur automatically - use domain_auto_trans
# if that is what you want.
#
# Notes:
# - No sigchld rule is emitted when olddomain is init.
# - noatsecure is dontaudited rather than allowed, so the
#   new domain is always entered with AT_SECURE set.
# - siginh / rlimitinh are allowed, i.e. pending signals and
#   resource limits are inherited across the transition.
#
define(`domain_trans', `
# Old domain may exec the file and transition to the new domain.
allow $1 $2:file { getattr open read execute map };
allow $1 $3:process transition;
# New domain is entered by executing the file.
allow $3 $2:file { entrypoint open read execute getattr map };
# New domain can send SIGCHLD to its caller.
# (Not emitted when the caller is init.)
ifelse($1, `init', `', `allow $3 $1:process sigchld;')
# Enable AT_SECURE, i.e. libc secure mode.
# The permission is withheld on purpose; only the denial is silenced.
dontaudit $1 $3:process noatsecure;
# XXX dontaudit candidate but requires further study.
# Lets the new domain inherit pending signals and rlimits from the caller.
allow $1 $3:process { siginh rlimitinh };
')
22
#####################################
# domain_auto_trans(olddomain, type, newdomain)
# Automatically transition from olddomain to newdomain
# upon executing a file labeled with type.
# Expands to domain_trans plus a type_transition rule, so the
# new domain becomes the default label on exec.
#
define(`domain_auto_trans', `
# Allow the necessary permissions.
domain_trans($1,$2,$3)
# Make the transition occur by default.
type_transition $1 $2:process $3;
')
34
#####################################
# file_type_trans(domain, dir_type, file_type)
# Allow domain to create a file labeled file_type in a
# directory labeled dir_type.
# This only allows the transition; it does not
# cause it to occur automatically - use file_type_auto_trans
# if that is what you want.
#
# Note: this also allows creating directories labeled
# file_type (see the dir rule below), not only regular files.
#
define(`file_type_trans', `
# Allow the domain to add entries to the directory.
allow $1 $2:dir ra_dir_perms;
# Allow the domain to create the file.
# notdevfile_class_set covers regular files, symlinks, sockets,
# fifos - everything except device nodes.
allow $1 $3:notdevfile_class_set create_file_perms;
# Directories labeled file_type may be created as well.
allow $1 $3:dir create_dir_perms;
')
50
#####################################
# file_type_auto_trans(domain, dir_type, file_type)
# Automatically label new files with file_type when
# they are created by domain in directories labeled dir_type.
# Expands to file_type_trans plus type_transition rules for
# both directories and non-device file classes.
#
define(`file_type_auto_trans', `
# Allow the necessary permissions.
file_type_trans($1, $2, $3)
# Make the transition occur by default.
# One rule for new subdirectories, one for every non-device file class.
type_transition $1 $2:dir $3;
type_transition $1 $2:notdevfile_class_set $3;
')
63
#####################################
# r_dir_file(domain, type)
# Grant domain read-only access to objects labeled type:
# directory search/listing plus read of regular files and
# symbolic links. The shared r_dir_perms / r_file_perms sets
# keep the exact permissions consistent with the rest of the policy.
define(`r_dir_file', `
# Regular files and symbolic links, one rule per class.
allow $1 $2:file r_file_perms;
allow $1 $2:lnk_file r_file_perms;
# Directory traversal and listing.
allow $1 $2:dir r_dir_perms;
')
72
#####################################
# tmpfs_domain(domain)
# Define and allow access to a unique type for
# this domain when creating tmpfs / shmem / ashmem files.
# The per-domain type keeps one domain from reaching the
# tmpfs-backed files of another.
define(`tmpfs_domain', `
# Unique file type for this domain, marked as a file_type.
type $1_tmpfs, file_type;
# Files this domain creates on tmpfs get the unique label.
type_transition $1 tmpfs:file $1_tmpfs;
# Read/write/stat its own tmpfs files; no execute here
# (app_domain adds execute for its own tmpfs type separately).
allow $1 $1_tmpfs:file { read write getattr };
# Enough dir access on tmpfs to reach the files.
allow $1 tmpfs:dir { getattr search };
')
83
84# pdx macros for IPC. pdx is a high-level name which contains transport-specific
85# rules from underlying transport (e.g. UDS-based implementation).
86
#####################################
# pdx_service_attributes(service)
# Defines type attribute used to identify various service-related types.
# One attribute each for the endpoint directory, the endpoint socket,
# the channel socket and the server domain of the named service.
# Must be expanded before pdx_service_socket_types / pdx_server for
# that service.
define(`pdx_service_attributes', `
attribute pdx_$1_endpoint_dir_type;
attribute pdx_$1_endpoint_socket_type;
attribute pdx_$1_channel_socket_type;
attribute pdx_$1_server_type;
')
96
#####################################
# pdx_service_socket_types(service, endpoint_dir_t)
# Define types for endpoint and channel sockets.
# endpoint_dir_t is an existing directory type; it is tagged with the
# per-service endpoint dir attribute so pdx_connect can search it.
define(`pdx_service_socket_types', `
typeattribute $2 pdx_$1_endpoint_dir_type;
# Endpoint socket: a file_type (it lives in the filesystem as a sock_file)
# and MLS-trusted so clients at any level can reach it.
type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
# Channel socket: the per-client socket pair handed out by the server.
type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
# Silence su noise on debug builds only; nothing is granted here.
userdebug_or_eng(`
dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *;
dontaudit su pdx_$1_channel_socket:unix_stream_socket *;
')
')
109
#####################################
# pdx_server(server_domain, service)
# Make server_domain the (only) server of the named PDX service.
# Grants the server the endpoint/channel socket permissions it needs
# and adds a neverallow so no other domain can listen/accept on the
# endpoint, i.e. nobody else can impersonate the service.
define(`pdx_server', `
# Mark the server domain as a PDX server.
typeattribute $1 pdx_$2_server_type;
# Allow the init process to create the initial endpoint socket.
allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
# Allow the server domain to use the endpoint socket and accept connections on it.
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
# than we need (e.g. we don"t need "bind" or "connect").
allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
allow $1 self:process setsockcreate;
# Allow the server domain to create a client channel socket.
allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
# Prevent other processes from claiming to be a server for the same service.
# This is a compile-time guarantee: any policy granting listen/accept on
# this endpoint to another domain fails to build.
neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
')
128
#####################################
# pdx_connect(client, service)
# Allow client to reach and connect to the endpoint socket of the
# named service. Does not by itself allow use of the channel socket;
# see pdx_use / pdx_client.
define(`pdx_connect', `
# Allow client to open the service endpoint file.
allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
# Allow the client to connect to endpoint socket.
# Only connect-side permissions: no bind/listen/accept.
allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
')
138
#####################################
# pdx_use(client, service)
# Allow client to use an already established channel socket of the
# named service, and allow fds to be exchanged in both directions
# between client and server.
define(`pdx_use', `
# Allow the client to use the PDX channel socket.
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
# than we need (e.g. we don"t need "bind" or "connect").
allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
# Client needs to use an channel event fd from the server.
allow $1 pdx_$2_server_type:fd use;
# Servers may receive sync fences, gralloc buffers, etc, from clients.
# This could be tightened on a per-server basis, but keeping track of service
# clients is error prone.
# Note this is granted to every server of the service, not just one domain.
allow pdx_$2_server_type $1:fd use;
')
153
#####################################
# pdx_client(client, service)
# Full client access to the named PDX service:
# connect to the endpoint (pdx_connect) and use the channel (pdx_use).
define(`pdx_client', `
pdx_connect($1, $2)
pdx_use($1, $2)
')
160
#####################################
# init_daemon_domain(domain)
# Set up a transition from init to the daemon domain
# upon executing its binary.
# Expects a type named domain_exec to exist for the binary.
# Also gives the daemon its own private tmpfs type.
define(`init_daemon_domain', `
# init -> domain on exec of the domain_exec labeled binary.
domain_auto_trans(init, $1_exec, $1)
# Private tmpfs / ashmem label for the daemon.
tmpfs_domain($1)
')
169
#####################################
# app_domain(domain)
# Allow a base set of permissions required for all apps.
# The bulk of the app rules hang off the appdomain attribute;
# this macro only attaches the attribute and sets up tmpfs.
define(`app_domain', `
typeattribute $1 appdomain;
# Label ashmem objects with our own unique type.
tmpfs_domain($1)
# Map with PROT_EXEC.
# Apps may execute code out of their own ashmem regions only.
allow $1 $1_tmpfs:file execute;
')
180
#####################################
# untrusted_app_domain(domain)
# Allow a base set of permissions required for all untrusted apps.
# Only attaches the untrusted_app_all attribute; the rules themselves
# are written against that attribute elsewhere.
define(`untrusted_app_domain', `
typeattribute $1 untrusted_app_all;
')
187
#####################################
# net_domain(domain)
# Allow a base set of permissions required for network access.
# Attaches the netdomain attribute; see the rules on netdomain.
define(`net_domain', `
typeattribute $1 netdomain;
')
194
#####################################
# bluetooth_domain(domain)
# Allow a base set of permissions required for bluetooth access.
# Attaches the bluetoothdomain attribute; see the rules on bluetoothdomain.
define(`bluetooth_domain', `
typeattribute $1 bluetoothdomain;
')
201
#####################################
# hal_server_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to offer a
# HAL implementation of the specified type over HwBinder.
#
# For example, default implementation of Foo HAL:
#   type hal_foo_default, domain;
#   hal_server_domain(hal_foo_default, hal_foo)
#
# Three attributes are attached: the generic halserverdomain, the
# per-HAL server attribute (hal_type_server) and the HAL attribute
# itself (hal_type), which carries the HAL-specific rules.
#
define(`hal_server_domain', `
typeattribute $1 halserverdomain;
typeattribute $1 $2_server;
typeattribute $1 $2;
')
216
#####################################
# hal_client_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to be a
# client of a HAL of the specified type.
#
# For example, make some_domain a client of Foo HAL:
#   hal_client_domain(some_domain, hal_foo)
#
# On full Treble devices the client only gets the client attributes.
# On non-Treble devices it is additionally given the HAL attribute
# itself, so it can load and run the implementation in-process.
#
define(`hal_client_domain', `
typeattribute $1 halclientdomain;
typeattribute $1 $2_client;

# TODO(b/34170079): Make the inclusion of the rules below conditional also on
# non-Treble devices. For now, on non-Treble device, always grant clients of a
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
not_full_treble(`
# The client becomes a member of the HAL attribute (same as a server would).
typeattribute $1 $2;
# Find passthrough HAL implementations
# The rules are written against the HAL attribute, so every member
# of hal_type gets them, not just this client.
allow $2 system_file:dir r_dir_perms;
allow $2 vendor_file:dir r_dir_perms;
allow $2 vendor_file:file { read open getattr execute map };
')
')
240
#####################################
# passthrough_hal_client_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to be a
# client of a passthrough HAL of the specified type.
#
# For example, make some_domain a client of passthrough Foo HAL:
#   passthrough_hal_client_domain(some_domain, hal_foo)
#
# Unlike hal_client_domain, the in-process (passthrough) rules are
# granted unconditionally, regardless of the Treble setting.
#
define(`passthrough_hal_client_domain', `
typeattribute $1 halclientdomain;
typeattribute $1 $2_client;
# The client runs the HAL in-process, so it is a member of the HAL attribute.
typeattribute $1 $2;
# Find passthrough HAL implementations
# Written against the HAL attribute, so these apply to all of its members.
allow $2 system_file:dir r_dir_perms;
allow $2 vendor_file:dir r_dir_perms;
allow $2 vendor_file:file { read open getattr execute map };
')
258
#####################################
# unix_socket_connect(clientdomain, socket, serverdomain)
# Allow a local socket connection from clientdomain via
# socket to serverdomain.
# The socket argument is the prefix of a sock_file type
# (socket_socket is written to).
#
# Note: If you see denial records that distill to the
# following allow rules:
# allow clientdomain property_socket:sock_file write;
# allow clientdomain init:unix_stream_socket connectto;
# allow clientdomain something_prop:property_service set;
#
# This sequence is indicative of attempting to set a property.
# use set_prop(sourcedomain, targetproperty)
#
# Calling this with (property, init) only prints a deprecation
# message at build time; the rules are still emitted.
#
define(`unix_socket_connect', `
ifelse($2, `property', `
    ifelse($3,`init', `
       print(`deprecated: unix_socket_connect($1, $2, $3) Please use set_prop($1, <property name>) instead.')
   ')
')
__unix_socket_connect__($1, $2, $3)
')
281
#####################################
# __unix_socket_connect__(clientdomain, socket, serverdomain)
# Internal helper shared by unix_socket_connect and set_prop.
# Emits the two rules for a stream socket connection without
# the deprecation check; use the public macros instead.
define(`__unix_socket_connect__', `
allow $1 $2_socket:sock_file write;
allow $1 $3:unix_stream_socket connectto;
')
286
#####################################
# set_prop(sourcedomain, targetproperty)
# Allows source domain to set the
# targetproperty.
# Setting implies reading: get_prop is expanded as well.
#
define(`set_prop', `
# Connect to the property service socket owned by init.
__unix_socket_connect__($1, property, init)
# The actual set permission, checked by init per property type.
allow $1 $2:property_service set;
# Read access to the same property.
get_prop($1, $2)
')
297
#####################################
# get_prop(sourcedomain, targetproperty)
# Allows source domain to read the
# targetproperty.
# Properties are read by mapping a file labeled with the
# property type, hence a file rule rather than a property_service one.
#
define(`get_prop', `
allow $1 $2:file r_file_perms;
')
306
#####################################
# unix_socket_send(clientdomain, socket, serverdomain)
# Allow a local socket send from clientdomain via
# socket to serverdomain.
# Datagram counterpart of unix_socket_connect: sendto only,
# no connection is established.
define(`unix_socket_send', `
allow $1 $2_socket:sock_file write;
allow $1 $3:unix_dgram_socket sendto;
')
315
#####################################
# binder_use(domain)
# Allow domain to use Binder IPC.
# Grants the domain access to servicemanager and, in return,
# lets servicemanager inspect the domain for getpidcon.
define(`binder_use', `
# Call the servicemanager and transfer references to it.
allow $1 servicemanager:binder { call transfer };
# servicemanager performs getpidcon on clients.
# It reads /proc/PID to look up the caller context.
allow servicemanager $1:dir search;
allow servicemanager $1:file { read open };
allow servicemanager $1:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
')
329
#####################################
# hwbinder_use(domain)
# Allow domain to use HwBinder IPC.
# Same shape as binder_use but against hwservicemanager, plus the
# reverse call direction so hwservicemanager can deliver callbacks.
define(`hwbinder_use', `
# Call the hwservicemanager and transfer references to it.
allow $1 hwservicemanager:binder { call transfer };
# Allow hwservicemanager to send out callbacks
allow hwservicemanager $1:binder { call transfer };
# hwservicemanager performs getpidcon on clients.
# It reads /proc/PID to look up the caller context.
allow hwservicemanager $1:dir search;
allow hwservicemanager $1:file { read open };
allow hwservicemanager $1:process getattr;
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
# all domains in domain.te.
')
345
#####################################
# vndbinder_use(domain)
# Allow domain to use vendor Binder (vndbinder) IPC.
# Unlike binder_use, access to the device node is granted here,
# since /dev/vndbinder is not opened up to all domains.
define(`vndbinder_use', `
# Talk to the vndbinder device node
allow $1 vndbinder_device:chr_file rw_file_perms;
# Call the vndservicemanager and transfer references to it.
allow $1 vndservicemanager:binder { call transfer };
# vndservicemanager performs getpidcon on clients.
# It reads /proc/PID to look up the caller context.
allow vndservicemanager $1:dir search;
allow vndservicemanager $1:file { read open };
allow vndservicemanager $1:process getattr;
')
359
#####################################
# binder_call(clientdomain, serverdomain)
# Allow clientdomain to perform binder IPC to serverdomain.
# Covers the request (client -> server call + transfer), the reply
# (server -> client transfer) and use of fds the server hands over.
# Nothing here lets the server call into the client.
define(`binder_call', `
# Open file descriptors handed over by the server may be used by the client.
allow $1 $2:fd use;
# Reply path: the server may pass binder references back to the client.
allow $2 $1:binder transfer;
# Request path: the client may call into the server and pass references along.
allow $1 $2:binder { call transfer };
')
371
#####################################
# binder_service(domain)
# Mark a domain as being a Binder service domain.
# Used to allow binder IPC to the various system services.
# Only attaches the binderservicedomain attribute.
define(`binder_service', `
typeattribute $1 binderservicedomain;
')
379
#####################################
# wakelock_use(domain)
# Allow domain to manage wake locks
# Grants both the sysfs file access and the capability the
# kernel checks on write.
define(`wakelock_use', `
# Access /sys/power/wake_lock and /sys/power/wake_unlock
allow $1 sysfs_wake_lock:file rw_file_perms;
# Accessing these files requires CAP_BLOCK_SUSPEND
allow $1 self:capability2 block_suspend;
')
389
#####################################
# selinux_check_access(domain)
# Allow domain to check SELinux permissions via selinuxfs.
# Also grants a netlink_selinux_socket so the domain can receive
# AVC / policy-reload notifications and keep its userspace cache valid.
define(`selinux_check_access', `
# Read selinuxfs and write to its access / compute nodes.
r_dir_file($1, selinuxfs)
allow $1 selinuxfs:file w_file_perms;
# The kernel-side check itself.
allow $1 kernel:security compute_av;
# Broad permission set on the netlink socket; only the listener side
# (create, bind, read ...) is strictly needed for cache invalidation.
# Review candidate for tightening.
allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
')
399
#####################################
# selinux_check_context(domain)
# Allow domain to check SELinux contexts via selinuxfs.
# Validation only (is this context well formed); no netlink
# socket is granted, unlike selinux_check_access.
define(`selinux_check_context', `
r_dir_file($1, selinuxfs)
allow $1 selinuxfs:file w_file_perms;
allow $1 kernel:security check_context;
')
408
#####################################
# create_pty(domain)
# Allow domain to create and use a pty, isolated from any other domain ptys.
# The pty gets a per-domain devpts type, ioctls are restricted to the
# unpriv_tty_ioctls set, and TIOCSTI is neverallowed for everyone.
define(`create_pty', `
# Each domain gets a unique devpts type.
type $1_devpts, fs_type;
# Label the pty with the unique type when created.
type_transition $1 devpts:chr_file $1_devpts;
# Allow use of the pty after creation.
allow $1 $1_devpts:chr_file { open getattr read write ioctl };
# ioctl is further restricted to the extended-permission whitelist.
allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
# TIOCSTI is only ever used for exploits. Block it.
# b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14
# Applies to every domain (*), not just the owner; a build-time guarantee.
neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
# allowed to everyone via domain.te.
')
427
#####################################
# Non system_app application set
# Expands to a type set usable as a source/target in rules:
# every appdomain member except system_app.
#
define(`non_system_app_set', `{ appdomain -system_app }')
432
#####################################
# Recovery only
# SELinux rules which apply only to recovery mode
# Expands to its argument when target_recovery is true, else to nothing.
#
define(`recovery_only', ifelse(target_recovery, `true', $1, ))
438
#####################################
# Full TREBLE only
# SELinux rules which apply only to full TREBLE devices
# Expands to its argument when target_full_treble is true.
# When target_full_treble is cts, the argument is emitted wrapped in
# BEGIN/END_TREBLE_ONLY marker comments that CTS parses - keep them as is.
# Otherwise expands to nothing.
#
define(`full_treble_only', ifelse(target_full_treble, `true', $1,
ifelse(target_full_treble, `cts',
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
$1
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
, )))
449
#####################################
# Not full TREBLE
# SELinux rules which apply only to devices which are not full TREBLE devices
# Expands to nothing when target_full_treble is true (including cts
# builds only when the value is exactly true), else to its argument.
#
define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
455
#####################################
# Userdebug or eng builds
# SELinux rules which apply only to userdebug or eng builds
# Expands to its argument when target_build_variant is eng or
# userdebug; on user builds it expands to nothing. Rules placed here
# never reach shipping (user) policy.
#
define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
461
#####################################
# User builds
# SELinux rules which apply only to user builds
# Expands to its argument when target_build_variant is user, else to nothing.
#
define(`userbuild', ifelse(target_build_variant, `user', $1, ))
467
#####################################
# asan builds
# SELinux rules which apply only to asan builds
# Double gated: the argument is emitted only when target_with_asan is
# true AND the build is userdebug or eng (via userdebug_or_eng).
#
define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
473
####################################
# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
# crash_dump_fallback(domain)
# Gives the crashing domain just enough to talk to tombstoned / dumpstate
# and append to the tombstone and ANR files itself.
#
define(`crash_dump_fallback', `
# Debug builds only: let the crashing process write into a su pipe.
userdebug_or_eng(`
  allow $1 su:fifo_file append;
')
# Append only; the crashing process never gets read or write access.
allow $1 anr_data_file:file append;
allow $1 dumpstate:fd use;
# TODO: Figure out why write is needed.
allow $1 dumpstate:fifo_file { append write };
allow $1 system_server:fifo_file { append write };
# Report the crash to tombstoned over its socket.
allow $1 tombstoned:unix_stream_socket connectto;
allow $1 tombstoned:fd use;
allow $1 tombstoned_crash_socket:sock_file write;
allow $1 tombstone_data_file:file append;
')
491
#####################################
# WITH_DEXPREOPT builds
# SELinux rules which apply only when pre-opting.
# Expands to its argument when target_with_dexpreopt is true, else to nothing.
#
define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
497
#####################################
# write_logd(domain)
# Ability to write to android log
# daemon via sockets
# Also allows writing to pmsg so logs survive a reboot.
define(`write_logd', `
# Datagram send to the logdw socket.
unix_socket_send($1, logdw, logd)
# Persistent (pstore-backed) log device.
allow $1 pmsg_device:chr_file w_file_perms;
')
506
#####################################
# read_logd(domain)
# Ability to run logcat and read from android
# log daemon via sockets
# Grants read of all logs the daemon will serve; pair with care.
define(`read_logd', `
# Run the logcat binary in the callers own domain (no transition).
allow $1 logcat_exec:file rx_file_perms;
# Stream connection to the logdr (reader) socket.
unix_socket_connect($1, logdr, logd)
')
515
#####################################
# read_runtime_log_tags(domain)
# ability to directly map the runtime event log tags
# Read-only access to the tags file; no socket access is involved.
define(`read_runtime_log_tags', `
allow $1 runtime_event_log_tags_file:file r_file_perms;
')
522
#####################################
# control_logd(domain)
# Ability to control
# android log daemon via sockets
# Control commands (clear, set size, ...) go over the logd socket,
# distinct from the logdr / logdw read and write sockets.
define(`control_logd', `
# Group AID_LOG checked by filesystem & logd
# to permit control commands
unix_socket_connect($1, logd, logd)
')
532
#####################################
# use_keystore(domain)
# Ability to use keystore.
# Keystore requires the following permissions
# to call getpidcon.
# Also lets the domain find the keystore service and call it over binder.
define(`use_keystore', `
  # keystore reads /proc/PID of the caller to look up its context.
  allow keystore $1:dir search;
  allow keystore $1:file { read open };
  allow keystore $1:process getattr;
  # Locate the service via servicemanager and talk to it.
  allow $1 keystore_service:service_manager find;
  binder_call($1, keystore)
')
545
###########################################
# use_drmservice(domain)
# Ability to use DrmService which requires
# DrmService to call getpidcon.
# Only the getpidcon side is granted here; the binder call to
# drmserver must be allowed separately.
define(`use_drmservice', `
  # drmserver reads /proc/PID of the caller to look up its context.
  allow drmserver $1:dir search;
  allow drmserver $1:file { read open };
  allow drmserver $1:process getattr;
')
555
###########################################
# add_service(domain, service)
# Ability for domain to add a service to service_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
# The neverallow makes service ownership a build-time guarantee:
# a second add rule for the same service fails the policy build.
define(`add_service', `
  allow $1 $2:service_manager { add find };
  neverallow { domain -$1 } $2:service_manager add;
')
565
###########################################
# add_hwservice(domain, service)
# Ability for domain to add a service to hwservice_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
# HwBinder counterpart of add_service; additionally allows registering
# hidl_base_hwservice, which every HIDL server needs.
define(`add_hwservice', `
  allow $1 $2:hwservice_manager { add find };
  # Every HIDL service also registers the IBase interface.
  allow $1 hidl_base_hwservice:hwservice_manager add;
  # Build-time guarantee that no other domain can register this service.
  neverallow { domain -$1 } $2:hwservice_manager add;
')
576
##########################################
# print a message with a trailing newline
# print(`args')
# Writes to stderr via errprint, prefixed with the current policy
# file name and line number. Used for build-time warnings such as
# the deprecation notice in unix_socket_connect.
define(`print', `errprint(`m4: '__file__: __line__`: $*
')')
582