# SELinux policy for the kernel domain.
#
# The kernel domain is the context of the initial task (nothing ever
# transitions into it; see the neverallow rules at the bottom) and of kernel
# threads. It is also the context first-stage init runs in before it
# re-executes /init and transitions into the init domain via
# domain_auto_trans below, so many rules here exist only to cover that
# short window before the domain switch and before enforcement is enabled.

typeattribute kernel coredomain;

# Executing init_exec or snapuserd_exec from the kernel domain automatically
# transitions into the init / snapuserd domain respectively.
domain_auto_trans(kernel, init_exec, init)
domain_auto_trans(kernel, snapuserd_exec, snapuserd)

# Allow the kernel to read otapreopt_chroot's file descriptors and files under
# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
allow kernel otapreopt_chroot:fd use;
allow kernel postinstall_file:file read;

# The following sections are for the transition period during a Virtual A/B
# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
# context, and with properly labelled devices. This must be done before
# enabling enforcement, e.g., in permissive mode while still in the kernel
# context.
#
# Devices created before policy was loaded carry the tmpfs label (hence the
# relabelfrom rules on tmpfs); the relabelto rules enumerate the only types
# they may be given.
allow kernel tmpfs:blk_file { getattr relabelfrom };
allow kernel tmpfs:chr_file { getattr relabelfrom };
allow kernel tmpfs:lnk_file { getattr relabelfrom };
allow kernel tmpfs:dir { open read relabelfrom };

allow kernel block_device:blk_file relabelto;
allow kernel block_device:lnk_file relabelto;
allow kernel dm_device:chr_file relabelto;
allow kernel dm_device:blk_file relabelto;
allow kernel dm_user_device:dir { read open search relabelto };
allow kernel dm_user_device:chr_file relabelto;
allow kernel kmsg_device:chr_file relabelto;
allow kernel null_device:chr_file relabelto;
allow kernel random_device:chr_file relabelto;
allow kernel snapuserd_exec:file relabelto;

# Presumably also part of the snapuserd transition: writing the kernel log
# and using file descriptors inherited from gsid — confirm.
allow kernel kmsg_device:chr_file write;
allow kernel gsid:fd use;

# NOTE(review): no rationale is recorded for sys_nice; presumably scheduling
# priority changes made before the domain switch — confirm.
allow kernel self:global_capability_class_set sys_nice;

# Root fs.
r_dir_file(kernel, rootfs)

# Used to read androidboot.selinux property
allow kernel {
    proc_bootconfig
    proc_cmdline
}:file r_file_perms;

# Get SELinux enforcing status.
allow kernel selinuxfs:dir r_dir_perms;
allow kernel selinuxfs:file r_file_perms;

# Get file contexts during first stage
allow kernel file_contexts_file:file r_file_perms;

# Allow init to relabel itself.
allow kernel rootfs:file relabelfrom;
allow kernel init_exec:file relabelto;
# TODO: investigate why we need this.
allow kernel init:process share;

# cgroup filesystem initialization prior to setting the cgroup root directory label.
allow kernel unlabeled:dir search;

# Mount usbfs.
allow kernel usbfs:filesystem mount;
allow kernel usbfs:dir search;

# Initial setenforce by init prior to switching to init domain.
# We use dontaudit instead of allow to prevent a kernel spawned userspace
# process from turning off SELinux once enabled.
dontaudit kernel self:security setenforce;

# Write to /proc/1/oom_adj prior to switching to init domain.
allow kernel self:global_capability_class_set sys_resource;

# Init reboot before switching selinux domains under certain error
# conditions. Allow it.
# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
# remount filesystems read-only. /data is not mounted at this point,
# so we could ignore this. For now, we allow it.
allow kernel self:global_capability_class_set sys_boot;
allow kernel proc_sysrq:file w_file_perms;

# Allow writing to /dev/kmsg which was created prior to loading policy.
allow kernel tmpfs:chr_file write;

# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel selinuxfs:file write;
allow kernel self:security setcheckreqprot;

# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
allow kernel { sdcard_type fuse }:file { read write };

# f_mtp driver accesses files from kernel context.
allow kernel mediaprovider:fd use;

# Allow the kernel to read OBB files from app directories. (b/17428116)
# Kernel thread "loop0" reads a vold supplied file descriptor.
# Fixes CTS tests:
# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
allow kernel vold:fd use;
allow kernel { app_data_file privapp_data_file }:file read;
allow kernel asec_image_file:file read;

# Allow mounting loop device in update_engine_unittests. (b/28319454)
# and for LTP kernel tests (b/73220071)
# Debug builds only; these rules are not present in user builds.
userdebug_or_eng(`
    allow kernel update_engine_data_file:file { read write };
    allow kernel nativetest_data_file:file { read write };
')

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow kernel media_rw_data_file:dir create_dir_perms;
allow kernel media_rw_data_file:file create_file_perms;

# Access to /data/misc/vold/virtual_disk.
allow kernel vold_data_file:file { read write };

# Allow the kernel to read APEX file descriptors and (staged) data files;
# Needed because APEX uses the loopback driver, which issues requests from
# a kernel thread in earlier kernel versions.
allow kernel apexd:fd use;
allow kernel {
    apex_data_file
    staging_data_file
    vendor_apex_file
}:file read;
# Also allow the kernel to read/write /data/local/tmp files via loop device
# for ApexTestCases and fiemap_image_test. Debug builds only.
userdebug_or_eng(`
    allow kernel shell_data_file:file { read write };
')

# Allow the first-stage init (which is running in the kernel domain) to execute the
# dynamic linker when it re-executes /init to switch into the second stage.
# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
# before the domain is switched to the target domain. So, we need to allow the kernel
# domain (the source domain) to execute the dynamic linker (system_file type).
# Note that only `execute` is granted here; execute_no_trans stays forbidden by
# the neverallow rule below, so this does not let the kernel domain run a
# program without transitioning.
# TODO(b/110147943) remove these allow rules when we no longer need to support Linux
# kernel older than 4.8.
allow kernel system_file:file execute;
# The label for the dynamic linker is rootfs in the recovery partition. This is because
# the recovery partition which is rootfs does not support xattr and thus labeling can't be
# done at build-time. All files are by default labeled as rootfs upon booting.
recovery_only(`
    allow kernel rootfs:file execute;
')

# Required by the VTS libdm unit test.
allow kernel appdomain_tmpfs:file { read write };

# Expected denials that are deliberately silenced rather than allowed.
# NOTE(review): the code paths that trigger these are not recorded here; the
# dm_device / dm_user_device / self:capability entries look related to the
# Virtual A/B device setup above — confirm before turning any of them into
# allow rules.
dontaudit kernel metadata_file:dir search;
dontaudit kernel ota_metadata_file:dir rw_dir_perms;
dontaudit kernel sysfs:dir r_dir_perms;
dontaudit kernel sysfs:file { open read write };
dontaudit kernel sysfs:chr_file { open read write };
dontaudit kernel dm_device:chr_file ioctl;
dontaudit kernel self:capability { sys_admin setgid mknod };

dontaudit kernel dm_user_device:dir { write add_name };
dontaudit kernel dm_user_device:chr_file { create setattr };
dontaudit kernel tmpfs:lnk_file read;
dontaudit kernel tmpfs:blk_file { open read };

###
### neverallow rules
###

# The initial task starts in the kernel domain (assigned via
# initial_sid_contexts), but nothing ever transitions to it.
neverallow * kernel:process { transition dyntransition };

# The kernel domain is never entered via an exec, nor should it
# ever execute a program outside the rootfs without changing to another domain.
# If you encounter an execute_no_trans denial on the kernel domain, then
# possible causes include:
# - The program is a kernel usermodehelper. In this case, define a domain
#   for the program and domain_auto_trans() to it.
# - You are running an exploit which switched to the init task credentials
#   and is then trying to exec a shell or other program. You lose!
neverallow kernel *:file { entrypoint execute_no_trans };

# The kernel should not be accessing files owned by other users.
# Instead of adding dac_{read_search,override}, fix the unix permissions
# on files being accessed.
neverallow kernel self:global_capability_class_set { dac_override dac_read_search };

# Nobody should be ptracing kernel threads.
neverallow * kernel:process ptrace;