Diffstat (limited to 'plat_public/domain.te')
-rw-r--r-- | plat_public/domain.te | 361 |
1 files changed, 361 insertions, 0 deletions
diff --git a/plat_public/domain.te b/plat_public/domain.te
new file mode 100644
index 0000000..1478421
--- /dev/null
+++ b/plat_public/domain.te
@@ -0,0 +1,361 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Rules for all domains.
+
+# Do not allow access to the generic sysfs label. This is too broad.
+# Instead, if access to part of sysfs is desired, it should have a
+# more specific label.
+full_treble_only(`
+ neverallow * sysfs:{ chr_file blk_file sock_file fifo_file } *;
+
+ neverallow {
+ coredomain
+ -init
+ -ueventd
+ -vold
+ } sysfs:file *;
+
+ neverallow {
+ init
+ ueventd
+ vold
+ } sysfs:file ~{ r_file_perms write setattr append relabelfrom relabelto };
+
+ neverallow ~{
+ init
+ ueventd
+ } sysfs:lnk_file ~r_file_perms;
+
+ neverallow {
+ init
+ ueventd
+ } sysfs:lnk_file ~{ r_file_perms setattr relabelfrom relabelto };
+
+ neverallow ~{
+ init
+ ueventd
+ vendor_init
+ } sysfs:dir ~r_dir_perms;
+
+ neverallow {
+ init
+ ueventd
+ vendor_init
+ } sysfs:dir ~{ r_dir_perms relabelfrom relabelto mounton setattr };
+')
+
+
+# Do not allow access to the generic proc label. This is too broad.
+# Instead, if access to part of proc is desired, it should have a
+# more specific label.
+# TODO: Remove mtk_hal_audio/audioserver and so on once there are no violations.
+#
+# r_dir_file(hal_audio, proc)
+# hal_server_domain(mtk_hal_audio, hal_audio)
+# hal_client_domain(audioserver, hal_audio)
+#
+full_treble_only(`
+ neverallow * proc:{ chr_file blk_file sock_file fifo_file } *;
+
+ neverallow {
+ coredomain
+ -audioserver
+ -bluetooth
+ -init
+ -system_server
+ -vold
+ } proc:file *;
+
+ neverallow {
+ audioserver
+ bluetooth
+ init
+ system_server
+ vold
+ } proc:file ~r_file_perms;
+
+ neverallow vendor_init proc:file ~{ read setattr map open };
+
+ neverallow {
+ coredomain
+ -audioserver
+ -bluetooth
+ -init
+ -system_server
+ } proc:lnk_file ~{ read getattr };
+
+ neverallow {
+ audioserver
+ bluetooth
+ init
+ system_server
+ } proc:lnk_file ~r_file_perms;
+
+ neverallow ~{
+ init
+ vendor_init
+ } proc:dir ~{ r_file_perms search };
+
+ neverallow {
+ init
+ vendor_init
+ } proc:dir ~{ r_file_perms search setattr };
+')
+
+
+# Do not allow access to the generic debugfs label. This is too broad.
+# Instead, if access to part of debugfs is desired, it should have a
+# more specific label.
+full_treble_only(`
+ neverallow * debugfs:{ chr_file blk_file sock_file fifo_file } *;
+
+ neverallow ~{
+ dumpstate
+ init
+ vendor_init
+ } debugfs:file *;
+
+ neverallow dumpstate debugfs:file ~r_file_perms;
+
+ neverallow init debugfs:file ~{ getattr relabelfrom open read setattr relabelto };
+
+ neverallow vendor_init debugfs:file ~{ read setattr open map };
+
+ neverallow ~init debugfs:lnk_file *;
+
+ neverallow init debugfs:lnk_file ~{ getattr relabelfrom relabelto };
+
+ neverallow ~{
+ init
+ vendor_init
+ } debugfs:dir ~{ search getattr };
+
+ neverallow init debugfs:dir ~{ search getattr relabelfrom open read setattr relabelto };
+
+ neverallow vendor_init debugfs:dir ~{ search getattr read setattr open };
+')
+
+
+# Do not allow access to the generic system_data_file label. This is
+# too broad.
+# Instead, if access to part of system_data_file is desired, it should
+# have a more specific label.
+# TODO: Remove merged_hal_service and so on once there are no violations.
+#
+# allow hal_drm system_data_file:file { getattr read };
+# hal_server_domain(merged_hal_service, hal_drm)
+#
+# full_treble_only(`
+# neverallow ~{
+# init
+# installd
+# system_server
+# } system_data_file:{ chr_file blk_file sock_file fifo_file } *;
+#
+# neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };;
+#
+# neverallow init system_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };
+#
+# neverallow installd system_data_file:{ chr_file blk_file } *;
+#
+# neverallow installd system_data_file:{ sock_file fifo_file } ~{ getattr relabelfrom unlink };
+#
+# neverallow system_server system_data_file:{ lnk_file sock_file fifo_file } ~create_file_perms;
+#
+# neverallow {
+# coredomain
+# -appdomain
+# -app_zygote
+# -init
+# -installd
+# -iorap_prefetcherd
+# -system_server
+# -toolbox
+# -vold
+# -vold_prepare_subdirs
+# } system_data_file:file ~r_file_perms;
+#
+# neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };
+#
+# neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };
+#
+# neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
+#
+# neverallow iorap_prefetcherd system_data_file:file ~{ open read };
+#
+# neverallow {
+# mediadrmserver
+# mediaextractor
+# mediaserver
+# } system_data_file:file ~{ read getattr };
+#
+# neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };
+#
+# neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };
+#
+# neverallow vold system_data_file:file ~read;
+#
+# neverallow ~{
+# appdomain
+# app_zygote
+# init
+# installd
+# iorap_prefetcherd
+# logd
+# rs
+# runas
+# simpleperf_app_runner
+# system_server
+# tee
+# vold
+# webview_zygote
+# zygote
+# } system_data_file:lnk_file ~getattr;
+#
+# neverallow {
+# appdomain
+# app_zygote
+# logd
+# webview_zygote
+# } system_data_file:lnk_file ~r_file_perms;
+#
+# neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };
+#
+# neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };
+#
+# neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };
+#
+# neverallow rs system_data_file:lnk_file ~{ read };
+#
+# neverallow {
+# runas
+# simpleperf_app_runner
+# tee
+# } system_data_file:lnk_file ~{ read getattr };
+#
+# neverallow system_server system_data_file:lnk_file ~create_file_perms;
+#
+# neverallow ~{
+# init
+# installd
+# iorap_prefetcherd
+# system_server
+# toolbox
+# traced_probes
+# vold
+# vold_prepare_subdirs
+# zygote
+# } system_data_file:dir ~{ search getattr };
+#
+# neverallow init system_data_file:dir ~{
+# create search getattr open read setattr ioctl
+# mounton
+# relabelto
+# write add_name remove_name rmdir relabelfrom
+# };
+#
+# neverallow installd system_data_file:dir ~{ relabelfrom create_dir_perms };
+#
+# neverallow {
+# iorap_prefetcherd
+# traced_probes
+# } system_data_file:dir ~{ open read search getattr };
+#
+# neverallow system_server system_data_file:dir ~{ relabelfrom create_dir_perms };
+#
+# neverallow toolbox system_data_file:dir ~{ rmdir rw_dir_perms };
+#
+# neverallow vold system_data_file:dir ~{ create rw_dir_perms mounton setattr rmdir };
+#
+# neverallow vold_prepare_subdirs system_data_file:dir ~{ open read write add_name remove_name rmdir relabelfrom search getattr };
+#
+# neverallow zygote system_data_file:dir ~{ r_dir_perms mounton relabelto };
+# ')
+
+
+# Do not allow access to the generic vendor_data_file label. This is
+# too broad.
+# Instead, if access to part of vendor_data_file is desired, it should
+# have a more specific label.
+full_treble_only(`
+ neverallow ~{
+ init
+ vendor_init
+ } vendor_data_file:file_class_set *;
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:{ chr_file blk_file } ~{ relabelto };
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map relabelto };
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:lnk_file ~{ create getattr setattr relabelfrom unlink relabelto };
+
+ neverallow ~{
+ init
+ vendor_init
+ vold
+ vold_prepare_subdirs
+ } vendor_data_file:dir ~{ getattr search };
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:dir ~{ create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom relabelto };
+
+ neverallow vold vendor_data_file:dir ~create_dir_perms;
+
+ neverallow vold_prepare_subdirs vendor_data_file:dir ~{ getattr search open read write add_name remove_name rmdir relabelfrom };
+')
+
+# Do not allow access to the generic app_data_file label. This is too broad.
+# Instead, if access to part of app_data_file is desired, it should have a
+# more specific label.
+#neverallow * app_data_file:dir_file_class_set *;
+
+# Do not allow access to the generic default_prop label. This is too broad.
+# Instead, if access to part of default_prop is desired, it should have a
+# more specific label.
+#neverallow * default_prop:dir_file_class_set *;
+
+# Do not allow access to the generic vendor_default_prop label. This is
+# too broad.
+# Instead, if access to part of vendor_default_prop is desired, it should
+# have a more specific label.
+#neverallow * vendor_default_prop:dir_file_class_set *;
+
+# Do not allow access to the generic device label. This is too broad.
+# Instead, if access to part of device is desired, it should have a
+# more specific label.
+#neverallow * device:dir_file_class_set *;
+
+# Do not allow access to the generic socket_device label. This is too broad.
+# Instead, if access to part of socket_device is desired, it should have a
+# more specific label.
+#neverallow * socket_device:dir_file_class_set *;
+
+# Do not allow access to the generic block_device label. This is too broad.
+# Instead, if access to part of block_device is desired, it should have a
+# more specific label.
+#neverallow * block_device:dir_file_class_set *;
+
+# Do not allow access to the generic bootdevice_block_device label. This is
+# too broad.
+# Instead, if access to part of bootdevice_block_device is desired, it should
+# have a more specific label.
+#neverallow * bootdevice_block_device:dir_file_class_set *;
+
|
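Review bot: The whole system_data_file neverallow block and the eight `#neverallow * <label>:dir_file_class_set *;` assertions at the end of the hunk are committed commented out, so the build no longer rejects a domain that reaches those generic labels, and unlike the proc block nothing records which domains still violate them or what gates re-enabling. I would put a tracking line above each disabled block, e.g. `# TODO: re-enable; disabled because <violating domains — fill in> still access system_data_file`, rather than leaving the rationale implicit. If the system_data_file block is later restored as written it may not parse: the chr_file/blk_file rule ends in `};;` and the init file rule lists `getattr` twice, so fix both now while the block is inert. The proc TODO names mtk_hal_audio, but the domains actually carved out of coredomain there are audioserver, bluetooth, system_server and vold; the comment should name the exemptions the rules grant so the cleanup target is unambiguous.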