Diffstat (limited to 'plat_public/domain.te')
-rw-r--r--plat_public/domain.te361
1 files changed, 361 insertions, 0 deletions
diff --git a/plat_public/domain.te b/plat_public/domain.te
new file mode 100644
index 0000000..1478421
--- /dev/null
+++ b/plat_public/domain.te
@@ -0,0 +1,361 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Rules for all domains.
+
+# Do not allow access to the generic sysfs label. This is too broad.
+# Instead, if access to part of sysfs is desired, it should have a
+# more specific label.
+full_treble_only(`
+ neverallow * sysfs:{ chr_file blk_file sock_file fifo_file } *;
+
+ neverallow {
+ coredomain
+ -init
+ -ueventd
+ -vold
+ } sysfs:file *;
+
+ neverallow {
+ init
+ ueventd
+ vold
+ } sysfs:file ~{ r_file_perms write setattr append relabelfrom relabelto };
+
+ neverallow ~{
+ init
+ ueventd
+ } sysfs:lnk_file ~r_file_perms;
+
+ neverallow {
+ init
+ ueventd
+ } sysfs:lnk_file ~{ r_file_perms setattr relabelfrom relabelto };
+
+ neverallow ~{
+ init
+ ueventd
+ vendor_init
+ } sysfs:dir ~r_dir_perms;
+
+ neverallow {
+ init
+ ueventd
+ vendor_init
+ } sysfs:dir ~{ r_dir_perms relabelfrom relabelto mounton setattr };
+')
+
+
+# Do not allow access to the generic proc label. This is too broad.
+# Instead, if access to part of proc is desired, it should have a
+# more specific label.
+# TODO: Remove mtk_hal_audio/audioserver and so on once there are no violations.
+#
+# r_dir_file(hal_audio, proc)
+# hal_server_domain(mtk_hal_audio, hal_audio)
+# hal_client_domain(audioserver, hal_audio)
+#
+full_treble_only(`
+ neverallow * proc:{ chr_file blk_file sock_file fifo_file } *;
+
+ neverallow {
+ coredomain
+ -audioserver
+ -bluetooth
+ -init
+ -system_server
+ -vold
+ } proc:file *;
+
+ neverallow {
+ audioserver
+ bluetooth
+ init
+ system_server
+ vold
+ } proc:file ~r_file_perms;
+
+ neverallow vendor_init proc:file ~{ read setattr map open };
+
+ neverallow {
+ coredomain
+ -audioserver
+ -bluetooth
+ -init
+ -system_server
+ } proc:lnk_file ~{ read getattr };
+
+ neverallow {
+ audioserver
+ bluetooth
+ init
+ system_server
+ } proc:lnk_file ~r_file_perms;
+
+ neverallow ~{
+ init
+ vendor_init
+ } proc:dir ~{ r_file_perms search };
+
+ neverallow {
+ init
+ vendor_init
+ } proc:dir ~{ r_file_perms search setattr };
+')
+
+
+# Do not allow access to the generic debugfs label. This is too broad.
+# Instead, if access to part of debugfs is desired, it should have a
+# more specific label.
+full_treble_only(`
+ neverallow * debugfs:{ chr_file blk_file sock_file fifo_file } *;
+
+ neverallow ~{
+ dumpstate
+ init
+ vendor_init
+ } debugfs:file *;
+
+ neverallow dumpstate debugfs:file ~r_file_perms;
+
+ neverallow init debugfs:file ~{ getattr relabelfrom open read setattr relabelto };
+
+ neverallow vendor_init debugfs:file ~{ read setattr open map };
+
+ neverallow ~init debugfs:lnk_file *;
+
+ neverallow init debugfs:lnk_file ~{ getattr relabelfrom relabelto };
+
+ neverallow ~{
+ init
+ vendor_init
+ } debugfs:dir ~{ search getattr };
+
+ neverallow init debugfs:dir ~{ search getattr relabelfrom open read setattr relabelto };
+
+ neverallow vendor_init debugfs:dir ~{ search getattr read setattr open };
+')
+
+
+# Do not allow access to the generic system_data_file label. This is
+# too broad.
+# Instead, if access to part of system_data_file is desired, it should
+# have a more specific label.
+# TODO: Remove merged_hal_service and so on once there are no violations.
+#
+# allow hal_drm system_data_file:file { getattr read };
+# hal_server_domain(merged_hal_service, hal_drm)
+#
+# full_treble_only(`
+# neverallow ~{
+# init
+# installd
+# system_server
+# } system_data_file:{ chr_file blk_file sock_file fifo_file } *;
+#
+# neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };;
+#
+# neverallow init system_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };
+#
+# neverallow installd system_data_file:{ chr_file blk_file } *;
+#
+# neverallow installd system_data_file:{ sock_file fifo_file } ~{ getattr relabelfrom unlink };
+#
+# neverallow system_server system_data_file:{ lnk_file sock_file fifo_file } ~create_file_perms;
+#
+# neverallow {
+# coredomain
+# -appdomain
+# -app_zygote
+# -init
+# -installd
+# -iorap_prefetcherd
+# -system_server
+# -toolbox
+# -vold
+# -vold_prepare_subdirs
+# } system_data_file:file ~r_file_perms;
+#
+# neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };
+#
+# neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };
+#
+# neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
+#
+# neverallow iorap_prefetcherd system_data_file:file ~{ open read };
+#
+# neverallow {
+# mediadrmserver
+# mediaextractor
+# mediaserver
+# } system_data_file:file ~{ read getattr };
+#
+# neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };
+#
+# neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };
+#
+# neverallow vold system_data_file:file ~read;
+#
+# neverallow ~{
+# appdomain
+# app_zygote
+# init
+# installd
+# iorap_prefetcherd
+# logd
+# rs
+# runas
+# simpleperf_app_runner
+# system_server
+# tee
+# vold
+# webview_zygote
+# zygote
+# } system_data_file:lnk_file ~getattr;
+#
+# neverallow {
+# appdomain
+# app_zygote
+# logd
+# webview_zygote
+# } system_data_file:lnk_file ~r_file_perms;
+#
+# neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };
+#
+# neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };
+#
+# neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };
+#
+# neverallow rs system_data_file:lnk_file ~{ read };
+#
+# neverallow {
+# runas
+# simpleperf_app_runner
+# tee
+# } system_data_file:lnk_file ~{ read getattr };
+#
+# neverallow system_server system_data_file:lnk_file ~create_file_perms;
+#
+# neverallow ~{
+# init
+# installd
+# iorap_prefetcherd
+# system_server
+# toolbox
+# traced_probes
+# vold
+# vold_prepare_subdirs
+# zygote
+# } system_data_file:dir ~{ search getattr };
+#
+# neverallow init system_data_file:dir ~{
+# create search getattr open read setattr ioctl
+# mounton
+# relabelto
+# write add_name remove_name rmdir relabelfrom
+# };
+#
+# neverallow installd system_data_file:dir ~{ relabelfrom create_dir_perms };
+#
+# neverallow {
+# iorap_prefetcherd
+# traced_probes
+# } system_data_file:dir ~{ open read search getattr };
+#
+# neverallow system_server system_data_file:dir ~{ relabelfrom create_dir_perms };
+#
+# neverallow toolbox system_data_file:dir ~{ rmdir rw_dir_perms };
+#
+# neverallow vold system_data_file:dir ~{ create rw_dir_perms mounton setattr rmdir };
+#
+# neverallow vold_prepare_subdirs system_data_file:dir ~{ open read write add_name remove_name rmdir relabelfrom search getattr };
+#
+# neverallow zygote system_data_file:dir ~{ r_dir_perms mounton relabelto };
+# ')
+
+
+# Do not allow access to the generic vendor_data_file label. This is
+# too broad.
+# Instead, if access to part of vendor_data_file is desired, it should
+# have a more specific label.
+full_treble_only(`
+ neverallow ~{
+ init
+ vendor_init
+ } vendor_data_file:file_class_set *;
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:{ chr_file blk_file } ~{ relabelto };
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map relabelto };
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:lnk_file ~{ create getattr setattr relabelfrom unlink relabelto };
+
+ neverallow ~{
+ init
+ vendor_init
+ vold
+ vold_prepare_subdirs
+ } vendor_data_file:dir ~{ getattr search };
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:dir ~{ create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom relabelto };
+
+ neverallow vold vendor_data_file:dir ~create_dir_perms;
+
+ neverallow vold_prepare_subdirs vendor_data_file:dir ~{ getattr search open read write add_name remove_name rmdir relabelfrom };
+')
+
+# Do not allow access to the generic app_data_file label. This is too broad.
+# Instead, if access to part of app_data_file is desired, it should have a
+# more specific label.
+#neverallow * app_data_file:dir_file_class_set *;
+
+# Do not allow access to the generic default_prop label. This is too broad.
+# Instead, if access to part of default_prop is desired, it should have a
+# more specific label.
+#neverallow * default_prop:dir_file_class_set *;
+
+# Do not allow access to the generic vendor_default_prop label. This is
+# too broad.
+# Instead, if access to part of vendor_default_prop is desired, it should
+# have a more specific label.
+#neverallow * vendor_default_prop:dir_file_class_set *;
+
+# Do not allow access to the generic device label. This is too broad.
+# Instead, if access to part of device is desired, it should have a
+# more specific label.
+#neverallow * device:dir_file_class_set *;
+
+# Do not allow access to the generic socket_device label. This is too broad.
+# Instead, if access to part of socket_device is desired, it should have a
+# more specific label.
+#neverallow * socket_device:dir_file_class_set *;
+
+# Do not allow access to the generic block_device label. This is too broad.
+# Instead, if access to part of block_device is desired, it should have a
+# more specific label.
+#neverallow * block_device:dir_file_class_set *;
+
+# Do not allow access to the generic bootdevice_block_device label. This is
+# too broad.
+# Instead, if access to part of bootdevice_block_device is desired, it should
+# have a more specific label.
+#neverallow * bootdevice_block_device:dir_file_class_set *;
+
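Review bot: The whole system_data_file neverallow block, from `# full_treble_only(` down to `# ')`, is commented out instead of being narrowed to the single exception the TODO above it describes (hal_drm needing `system_data_file:file { getattr read }` via merged_hal_service), and the app_data_file, default_prop, vendor_default_prop, device, socket_device, block_device and bootdevice_block_device rules at the end of the file are disabled the same way. neverallow rules are build-time assertions, so commenting them out grants nothing by itself, but it removes the check that would reject a later over-broad allow rule on these generic labels, which is exactly what the surrounding comments say the rules exist for. The narrower fix is to keep the block active and add the offending domain as an exclusion in whichever rule it actually trips (`-merged_hal_service` in the relevant set, which I cannot determine from this file alone), or to drop only that one rule, the same way the proc block above excludes audioserver/bluetooth/system_server rather than being disabled wholesale. If the block is re-enabled later, note that `~{ relabelto };;` carries a stray second semicolon and the init `system_data_file:file` rule lists `getattr` twice; both are harmless while commented out but will bite when uncommented.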