# ==============================================
# MTK Policy Rule
# ==============================================
# Do not allow access to the generic sysfs label. This is too broad.
# Instead, if access to part of sysfs is desired, it should have a
# more specific label.
# TODO: Remove hal_usb/mtk_hal_usb and the other exempted domains once there are no remaining violations.
# allow hal_usb sysfs:file write;
# hal_server_domain(mtk_hal_usb, hal_usb)
#
# r_dir_file(hal_wifi, sysfs_type)
# hal_server_domain(mtk_hal_wifi, hal_wifi)
#
full_treble_only(`
# Layered neverallow for the generic sysfs label. The first rule denies
# every domain all access to sysfs:file except the listed exemptions; the
# two rules after it then bound what each exempted domain may do. Keep the
# three lists in sync: a domain exempted here but present in neither
# follow-up rule is left unbounded by this file.
# NOTE(review): apexd is exempted below but appears in neither narrowing
# rule, so nothing in this file limits apexd on sysfs:file. mtk_hal_camera
# is in the same position but carries a TODO. Confirm apexd is bounded by
# core policy or add it to one of the rules below.
neverallow ~{
apexd
init
merged_hal_service
mtk_hal_bluetooth
# TODO(b/152082918) Remove mtk_hal_camera line when permissions are fixed.
mtk_hal_camera
mtk_hal_power
mtk_hal_usb
mtk_hal_wifi
hal_bluetooth_btlinux
hal_bluetooth_default
hal_drm_clearkey
hal_drm_clearkey_aidl
hal_drm_default
hal_drm_widevine
hal_fingerprint_default
hal_radio_config_default
hal_radio_default
hal_usb_default
hal_wifi_default
hal_wifi_supplicant_default
rild
tee
ueventd
vendor_init
vold
} sysfs:file *;
# Read-only tier: these exempted domains may hold at most r_file_perms on
# generic sysfs files.
neverallow {
merged_hal_service
mtk_hal_bluetooth
mtk_hal_power
mtk_hal_wifi
hal_bluetooth_btlinux
hal_bluetooth_default
hal_drm_clearkey
hal_drm_clearkey_aidl
hal_drm_default
hal_drm_widevine
hal_fingerprint_default
hal_radio_config_default
hal_radio_default
hal_wifi_default
hal_wifi_supplicant_default
rild
tee
} sysfs:file ~r_file_perms;
# Read/write tier: init, ueventd, vendor_init, vold and the USB HALs may
# additionally write, append, setattr and relabel generic sysfs files.
# This is the broadest grant in the block; the TODO above the macro covers
# shrinking it once the USB HAL uses a specific sysfs label.
neverallow {
hal_usb_default
init
mtk_hal_usb
ueventd
vendor_init
vold
} sysfs:file ~{ r_file_perms write setattr append relabelfrom relabelto };
')
# Do not allow access to the generic proc label. This is too broad.
# Instead, if access to part of proc is desired, it should have a
# more specific label.
# TODO: Remove mtk_hal_audio/audioserver and the other exempted domains once there are no remaining violations.
#
# r_dir_file(hal_audio, proc)
# hal_server_domain(mtk_hal_audio, hal_audio)
# hal_client_domain(audioserver, hal_audio)
#
full_treble_only(`
# Generic proc label, proc:file. Every domain exempted from the blanket
# deny below is bounded by one of the two follow-up rules: all of them to
# r_file_perms, vendor_init to r_file_perms plus setattr.
neverallow ~{
audiocmdservice_atci
audioserver
bluetooth
hal_audio_default
hal_graphics_allocator_default
init
merged_hal_service
mtk_hal_audio
rild
system_server
vendor_init
vold
} proc:file *;
# Every exempted domain except vendor_init is read-only on proc:file.
neverallow {
audiocmdservice_atci
audioserver
bluetooth
hal_audio_default
hal_graphics_allocator_default
init
merged_hal_service
mtk_hal_audio
rild
system_server
vold
} proc:file ~r_file_perms;
# vendor_init may also setattr generic proc files; presumably for
# chmod/chown from vendor init scripts - not verifiable from this file.
neverallow vendor_init proc:file ~{ r_file_perms setattr };
# Generic proc symlinks, proc:lnk_file. Domains outside the list may do
# nothing beyond read and getattr; the listed domains are bounded to
# r_file_perms by the rule that follows.
neverallow ~{
audiocmdservice_atci
audioserver
bluetooth
hal_audio_default
init
mtk_hal_audio
rild
system_server
} proc:lnk_file ~{ read getattr };
neverallow {
audiocmdservice_atci
audioserver
bluetooth
hal_audio_default
init
mtk_hal_audio
rild
system_server
} proc:lnk_file ~r_file_perms;
')
# Do not allow access to the generic system_data_file label. This is
# too broad.
# Instead, if access to part of system_data_file is desired, it should
# have a more specific label.
# TODO: Remove merged_hal_service and the other exempted domains once there are no remaining violations.
#
# allow hal_drm system_data_file:file { getattr read };
# hal_server_domain(merged_hal_service, hal_drm)
#
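full_treble_only(`
# Generic system_data_file label. Vendor-side domains (neither coredomain
# nor appdomain) get no access to generic /data files except the DRM and
# CAS HALs, the merged HAL service and tee. Every exemption is narrowed by
# one of the later rules.
# NOTE(review): hal_cas_default is exempted here but is only bounded to
# r_file_perms by the next rule, not to { getattr read } like the DRM HALs
# further down. Confirm the wider grant is intended.
neverallow {
domain
-coredomain
-appdomain
-hal_cas_default
-hal_drm_clearkey
-hal_drm_clearkey_aidl
-hal_drm_default
-hal_drm_widevine
-merged_hal_service
-tee
} system_data_file:file *;
# Everything not listed here is read-only on generic system_data_file.
neverallow ~{
appdomain
app_zygote
hal_drm_clearkey
hal_drm_clearkey_aidl
hal_drm_default
hal_drm_widevine
init
installd
iorap_prefetcherd
mediadrmserver
mediaextractor
mediaserver
merged_hal_service
system_server
tee
toolbox
vold
vold_prepare_subdirs
with_asan(`asan_extract')
} system_data_file:file ~r_file_perms;
# Per-domain bounds for the domains exempted from the read-only rule.
# Apps and the app zygote: stat, read and mmap only.
neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };
# init: may create, read, write, setattr, relabel, mmap and unlink; anything
# else on the class (ioctl, execute, rename, link, ...) is denied. The
# permission set is deduplicated; getattr needs to appear only once.
neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map relabelto };
# installd: stat, relabel away from the generic label, and unlink only.
neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
# iorap_prefetcherd: open and read only, no getattr.
neverallow iorap_prefetcherd system_data_file:file ~{ open read };
# DRM HALs, media services, merged HAL service and tee: stat and read only.
neverallow {
hal_drm_clearkey
hal_drm_clearkey_aidl
hal_drm_default
hal_drm_widevine
mediadrmserver
mediaextractor
mediaserver
merged_hal_service
tee
} system_data_file:file ~{ getattr read };
# system_server: full file create/read/write plus relabelfrom and link.
neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };
# toolbox and vold_prepare_subdirs: stat and unlink only.
neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };
# vold: read only, without open or getattr - read on an already-open
# descriptor is all that is permitted.
neverallow vold system_data_file:file ~read;
')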
# Do not allow access to the generic device label. This is too broad.
# Instead, if access to part of device is desired, it should have a
# more specific label.
# TODO: Remove hal_camera and the other exempted domains once there are no remaining violations.
#
# allow hal_camera device:dir r_dir_perms;
# hal_client_domain(cameraserver, hal_camera)
#
full_treble_only(`
# Generic device label, device:dir. Only the listed domains may do more than
# search and getattr on directories carrying the generic /dev label; the
# follow-up rules bound each listed domain.
# NOTE(review): apexd and otapreopt_chroot are exempted here but neither
# appears in a narrowing rule below, so this file alone does not bound them
# on device:dir. Presumably core policy does - confirm before relying on it.
neverallow ~{
apexd
cameraserver
fastbootd
hal_camera
hal_camera_default
init
mtk_hal_camera
otapreopt_chroot
recovery
shell
slideshow
system_server
vendor_init
vold
ueventd
} device:dir ~{ search getattr };
# Read-only directory access (r_dir_perms) for the camera stack, fastbootd,
# recovery, shell, slideshow and system_server.
neverallow {
cameraserver
fastbootd
hal_camera
hal_camera_default
mtk_hal_camera
system_server
shell
slideshow
recovery
} device:dir ~r_dir_perms;
# init and vendor_init: full directory management plus mounton; only init
# may also relabel to the generic device label.
neverallow init device:dir ~{ create_dir_perms mounton relabelto };
neverallow vendor_init device:dir ~{ create_dir_perms mounton };
# vold: search, getattr and write (add/remove entries) only.
neverallow vold device:dir ~{ search getattr write };
# ueventd: full directory management, but no mounton or relabel.
neverallow ueventd device:dir ~create_dir_perms;
')