#####################################
|
# domain_trans(olddomain, type, newdomain)
|
# Allow a transition from olddomain to newdomain
|
# upon executing a file labeled with type.
|
# This only allows the transition; it does not
|
# cause it to occur automatically - use domain_auto_trans
|
# if that is what you want.
|
#
|
define(`domain_trans', `
|
# Old domain may exec the file and transition to the new domain.
|
allow $1 $2:file { getattr open read execute map };
|
allow $1 $3:process transition;
|
# New domain is entered by executing the file.
|
allow $3 $2:file { entrypoint open read execute getattr map };
|
# New domain can send SIGCHLD to its caller.
|
ifelse($1, `init', `', `allow $3 $1:process sigchld;')
|
# Enable AT_SECURE, i.e. libc secure mode.
|
dontaudit $1 $3:process noatsecure;
|
# XXX dontaudit candidate but requires further study.
|
allow $1 $3:process { siginh rlimitinh };
|
')
|
|
#####################################
|
# domain_auto_trans(olddomain, type, newdomain)
|
# Automatically transition from olddomain to newdomain
|
# upon executing a file labeled with type.
|
#
|
define(`domain_auto_trans', `
|
# Allow the necessary permissions.
|
domain_trans($1,$2,$3)
|
# Make the transition occur by default.
|
type_transition $1 $2:process $3;
|
')
|
|
#####################################
|
# file_type_trans(domain, dir_type, file_type)
|
# Allow domain to create a file labeled file_type in a
|
# directory labeled dir_type.
|
# This only allows the transition; it does not
|
# cause it to occur automatically - use file_type_auto_trans
|
# if that is what you want.
|
#
|
define(`file_type_trans', `
|
# Allow the domain to add entries to the directory.
|
allow $1 $2:dir ra_dir_perms;
|
# Allow the domain to create the file.
|
allow $1 $3:notdevfile_class_set create_file_perms;
|
allow $1 $3:dir create_dir_perms;
|
')
|
|
#####################################
|
# file_type_auto_trans(domain, dir_type, file_type)
|
# Automatically label new files with file_type when
|
# they are created by domain in directories labeled dir_type.
|
#
|
define(`file_type_auto_trans', `
|
# Allow the necessary permissions.
|
file_type_trans($1, $2, $3)
|
# Make the transition occur by default.
|
type_transition $1 $2:dir $3;
|
type_transition $1 $2:notdevfile_class_set $3;
|
')
|
|
#####################################
|
# r_dir_file(domain, type)
|
# Allow the specified domain to read directories, files
|
# and symbolic links of the specified type.
|
define(`r_dir_file', `
|
allow $1 $2:dir r_dir_perms;
|
allow $1 $2:{ file lnk_file } r_file_perms;
|
')
|
|
#####################################
|
# tmpfs_domain(domain)
|
# Allow access to a unique type for this domain when creating tmpfs / ashmem files.
|
define(`tmpfs_domain', `
|
type_transition $1 tmpfs:file $1_tmpfs;
|
allow $1 $1_tmpfs:file { read write getattr map };
|
')
|
|
# pdx macros for IPC. pdx is a high-level name which contains transport-specific
|
# rules from underlying transport (e.g. UDS-based implementation).
|
|
#####################################
|
# pdx_service_attributes(service)
|
# Defines type attribute used to identify various service-related types.
|
define(`pdx_service_attributes', `
|
attribute pdx_$1_endpoint_dir_type;
|
attribute pdx_$1_endpoint_socket_type;
|
attribute pdx_$1_channel_socket_type;
|
attribute pdx_$1_server_type;
|
')
|
|
#####################################
|
# pdx_service_socket_types(service, endpoint_dir_t)
|
# Define types for endpoint and channel sockets.
|
define(`pdx_service_socket_types', `
|
typeattribute $2 pdx_$1_endpoint_dir_type;
|
type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
|
type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
|
userdebug_or_eng(`
|
dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *;
|
dontaudit su pdx_$1_channel_socket:unix_stream_socket *;
|
')
|
')
|
|
#####################################
|
# pdx_server(server_domain, service)
|
define(`pdx_server', `
|
# Mark the server domain as a PDX server.
|
typeattribute $1 pdx_$2_server_type;
|
# Allow the init process to create the initial endpoint socket.
|
allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
|
# Allow the server domain to use the endpoint socket and accept connections on it.
|
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
|
# than we need (e.g. we don"t need "bind" or "connect").
|
allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
|
# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
|
allow $1 self:process setsockcreate;
|
# Allow the server domain to create a client channel socket.
|
allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
|
# Prevent other processes from claiming to be a server for the same service.
|
neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
|
')
|
|
#####################################
|
# pdx_connect(client, service)
|
define(`pdx_connect', `
|
# Allow client to open the service endpoint file.
|
allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
|
allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
|
# Allow the client to connect to endpoint socket.
|
allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
|
')
|
|
#####################################
|
# pdx_use(client, service)
|
define(`pdx_use', `
|
# Allow the client to use the PDX channel socket.
|
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
|
# than we need (e.g. we don"t need "bind" or "connect").
|
allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
|
# Client needs to use an channel event fd from the server.
|
allow $1 pdx_$2_server_type:fd use;
|
# Servers may receive sync fences, gralloc buffers, etc, from clients.
|
# This could be tightened on a per-server basis, but keeping track of service
|
# clients is error prone.
|
allow pdx_$2_server_type $1:fd use;
|
')
|
|
#####################################
|
# pdx_client(client, service)
|
define(`pdx_client', `
|
pdx_connect($1, $2)
|
pdx_use($1, $2)
|
')
|
|
#####################################
|
# init_daemon_domain(domain)
|
# Set up a transition from init to the daemon domain
|
# upon executing its binary.
|
define(`init_daemon_domain', `
|
domain_auto_trans(init, $1_exec, $1)
|
')
|
|
#####################################
|
# app_domain(domain)
|
# Allow a base set of permissions required for all apps.
|
define(`app_domain', `
|
typeattribute $1 appdomain;
|
# Label tmpfs objects for all apps.
|
type_transition $1 tmpfs:file appdomain_tmpfs;
|
allow $1 appdomain_tmpfs:file { execute getattr map read write };
|
neverallow { $1 -runas_app -shell } { domain -$1 }:file no_rw_file_perms;
|
neverallow { appdomain -runas_app -shell -$1 } $1:file no_rw_file_perms;
|
# The Android security model guarantees the confidentiality and integrity
|
# of application data and execution state. Ptrace bypasses those
|
# confidentiality guarantees. Disallow ptrace access from system components
|
# to apps. Crash_dump is excluded, as it needs ptrace access to
|
# produce stack traces. llkd is excluded, as it needs to inspect
|
# the kernel stack for live lock conditions. runas_app is excluded, as it can
|
# only access debuggable apps.
|
neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app } $1:process ptrace;
|
')
|
|
#####################################
|
# untrusted_app_domain(domain)
|
# Allow a base set of permissions required for all untrusted apps.
|
define(`untrusted_app_domain', `
|
typeattribute $1 untrusted_app_all;
|
')
|
|
#####################################
|
# net_domain(domain)
|
# Allow a base set of permissions required for network access.
|
define(`net_domain', `
|
typeattribute $1 netdomain;
|
')
|
|
#####################################
|
# bluetooth_domain(domain)
|
# Allow a base set of permissions required for bluetooth access.
|
define(`bluetooth_domain', `
|
typeattribute $1 bluetoothdomain;
|
')
|
|
#####################################
|
# hal_attribute(hal_name)
|
# Add an attribute for hal implementations along with necessary
|
# restrictions.
|
define(`hal_attribute', `
|
attribute hal_$1;
|
expandattribute hal_$1 true;
|
attribute hal_$1_client;
|
expandattribute hal_$1_client true;
|
attribute hal_$1_server;
|
expandattribute hal_$1_server false;
|
|
neverallow { hal_$1_server -halserverdomain } domain:process fork;
|
# hal_*_client and halclientdomain attributes are always expanded for
|
# performance reasons. Neverallow rules targeting expanded attributes can not be
|
# verified by CTS since these attributes are already expanded by that time.
|
build_test_only(`
|
neverallow { hal_$1_server -hal_$1 } domain:process fork;
|
neverallow { hal_$1_client -halclientdomain } domain:process fork;
|
')
|
')
|
|
#####################################
|
# hal_server_domain(domain, hal_type)
|
# Allow a base set of permissions required for a domain to offer a
|
# HAL implementation of the specified type over HwBinder.
|
#
|
# For example, default implementation of Foo HAL:
|
# type hal_foo_default, domain;
|
# hal_server_domain(hal_foo_default, hal_foo)
|
#
|
define(`hal_server_domain', `
|
typeattribute $1 halserverdomain;
|
typeattribute $1 $2_server;
|
typeattribute $1 $2;
|
')
|
|
#####################################
|
# hal_client_domain(domain, hal_type)
|
# Allow a base set of permissions required for a domain to be a
|
# client of a HAL of the specified type.
|
#
|
# For example, make some_domain a client of Foo HAL:
|
# hal_client_domain(some_domain, hal_foo)
|
#
|
define(`hal_client_domain', `
|
typeattribute $1 halclientdomain;
|
typeattribute $1 $2_client;
|
|
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
|
# non-Treble devices. For now, on non-Treble device, always grant clients of a
|
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
|
not_full_treble(`
|
typeattribute $1 $2;
|
# Find passthrough HAL implementations
|
allow $2 system_file:dir r_dir_perms;
|
allow $2 vendor_file:dir r_dir_perms;
|
allow $2 vendor_file:file { read open getattr execute map };
|
')
|
')
|
|
#####################################
|
# passthrough_hal_client_domain(domain, hal_type)
|
# Allow a base set of permissions required for a domain to be a
|
# client of a passthrough HAL of the specified type.
|
#
|
# For example, make some_domain a client of passthrough Foo HAL:
|
# passthrough_hal_client_domain(some_domain, hal_foo)
|
#
|
define(`passthrough_hal_client_domain', `
|
typeattribute $1 halclientdomain;
|
typeattribute $1 $2_client;
|
typeattribute $1 $2;
|
# Find passthrough HAL implementations
|
allow $2 system_file:dir r_dir_perms;
|
allow $2 vendor_file:dir r_dir_perms;
|
allow $2 vendor_file:file { read open getattr execute map };
|
')
|
|
#####################################
|
# unix_socket_connect(clientdomain, socket, serverdomain)
|
# Allow a local socket connection from clientdomain via
|
# socket to serverdomain.
|
#
|
# Note: If you see denial records that distill to the
|
# following allow rules:
|
# allow clientdomain property_socket:sock_file write;
|
# allow clientdomain init:unix_stream_socket connectto;
|
# allow clientdomain something_prop:property_service set;
|
#
|
# This sequence is indicative of attempting to set a property.
|
# use set_prop(sourcedomain, targetproperty)
|
#
|
define(`unix_socket_connect', `
|
allow $1 $2_socket:sock_file write;
|
allow $1 $3:unix_stream_socket connectto;
|
')
|
|
#####################################
|
# set_prop(sourcedomain, targetproperty)
|
# Allows source domain to set the
|
# targetproperty.
|
#
|
define(`set_prop', `
|
unix_socket_connect($1, property, init)
|
allow $1 $2:property_service set;
|
get_prop($1, $2)
|
')
|
|
#####################################
|
# get_prop(sourcedomain, targetproperty)
|
# Allows source domain to read the
|
# targetproperty.
|
#
|
define(`get_prop', `
|
allow $1 $2:file { getattr open read map };
|
')
|
|
#####################################
|
# unix_socket_send(clientdomain, socket, serverdomain)
|
# Allow a local socket send from clientdomain via
|
# socket to serverdomain.
|
define(`unix_socket_send', `
|
allow $1 $2_socket:sock_file write;
|
allow $1 $3:unix_dgram_socket sendto;
|
')
|
|
#####################################
|
# binder_use(domain)
|
# Allow domain to use Binder IPC.
|
define(`binder_use', `
|
# Call the servicemanager and transfer references to it.
|
allow $1 servicemanager:binder { call transfer };
|
# servicemanager performs getpidcon on clients.
|
allow servicemanager $1:dir search;
|
allow servicemanager $1:file { read open };
|
allow servicemanager $1:process getattr;
|
# rw access to /dev/binder and /dev/ashmem is presently granted to
|
# all domains in domain.te.
|
')
|
|
#####################################
|
# hwbinder_use(domain)
|
# Allow domain to use HwBinder IPC.
|
define(`hwbinder_use', `
|
# Call the hwservicemanager and transfer references to it.
|
allow $1 hwservicemanager:binder { call transfer };
|
# Allow hwservicemanager to send out callbacks
|
allow hwservicemanager $1:binder { call transfer };
|
# hwservicemanager performs getpidcon on clients.
|
allow hwservicemanager $1:dir search;
|
allow hwservicemanager $1:file { read open map };
|
allow hwservicemanager $1:process getattr;
|
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
|
# all domains in domain.te.
|
')
|
|
#####################################
|
# vndbinder_use(domain)
|
# Allow domain to use Binder IPC.
|
define(`vndbinder_use', `
|
# Talk to the vndbinder device node
|
allow $1 vndbinder_device:chr_file rw_file_perms;
|
# Call the vndservicemanager and transfer references to it.
|
allow $1 vndservicemanager:binder { call transfer };
|
# vndservicemanager performs getpidcon on clients.
|
allow vndservicemanager $1:dir search;
|
allow vndservicemanager $1:file { read open map };
|
allow vndservicemanager $1:process getattr;
|
')
|
|
#####################################
|
# binder_call(clientdomain, serverdomain)
|
# Allow clientdomain to perform binder IPC to serverdomain.
|
define(`binder_call', `
|
# Call the server domain and optionally transfer references to it.
|
allow $1 $2:binder { call transfer };
|
# Allow the serverdomain to transfer references to the client on the reply.
|
allow $2 $1:binder transfer;
|
# Receive and use open files from the server.
|
allow $1 $2:fd use;
|
')
|
|
#####################################
|
# binder_service(domain)
|
# Mark a domain as being a Binder service domain.
|
# Used to allow binder IPC to the various system services.
|
define(`binder_service', `
|
typeattribute $1 binderservicedomain;
|
')
|
|
#####################################
|
# wakelock_use(domain)
|
# Allow domain to manage wake locks
|
define(`wakelock_use', `
|
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
|
# deprecated.
|
# Access /sys/power/wake_lock and /sys/power/wake_unlock
|
allow $1 sysfs_wake_lock:file rw_file_perms;
|
# Accessing these files requires CAP_BLOCK_SUSPEND
|
allow $1 self:global_capability2_class_set block_suspend;
|
# system_suspend permissions
|
binder_call($1, system_suspend_server)
|
allow $1 system_suspend_hwservice:hwservice_manager find;
|
# halclientdomain permissions
|
hwbinder_use($1)
|
get_prop($1, hwservicemanager_prop)
|
allow $1 hidl_manager_hwservice:hwservice_manager find;
|
')
|
|
#####################################
|
# selinux_check_access(domain)
|
# Allow domain to check SELinux permissions via selinuxfs.
|
define(`selinux_check_access', `
|
r_dir_file($1, selinuxfs)
|
allow $1 selinuxfs:file w_file_perms;
|
allow $1 kernel:security compute_av;
|
allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
|
')
|
|
#####################################
|
# selinux_check_context(domain)
|
# Allow domain to check SELinux contexts via selinuxfs.
|
define(`selinux_check_context', `
|
r_dir_file($1, selinuxfs)
|
allow $1 selinuxfs:file w_file_perms;
|
allow $1 kernel:security check_context;
|
')
|
|
#####################################
|
# create_pty(domain)
|
# Allow domain to create and use a pty, isolated from any other domain ptys.
|
define(`create_pty', `
|
# Each domain gets a unique devpts type.
|
type $1_devpts, fs_type;
|
# Label the pty with the unique type when created.
|
type_transition $1 devpts:chr_file $1_devpts;
|
# Allow use of the pty after creation.
|
allow $1 $1_devpts:chr_file { open getattr read write ioctl };
|
allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
|
# TIOCSTI is only ever used for exploits. Block it.
|
# b/33073072, b/7530569
|
# http://www.openwall.com/lists/oss-security/2016/09/26/14
|
neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
|
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
|
# allowed to everyone via domain.te.
|
')
|
|
#####################################
|
# Non system_app application set
|
#
|
define(`non_system_app_set', `{ appdomain -system_app }')
|
|
#####################################
|
# Recovery only
|
# SELinux rules which apply only to recovery mode
|
#
|
define(`recovery_only', ifelse(target_recovery, `true', $1, ))
|
|
#####################################
|
# Full TREBLE only
|
# SELinux rules which apply only to full TREBLE devices
|
#
|
define(`full_treble_only', ifelse(target_full_treble, `true', $1,
|
ifelse(target_full_treble, `cts',
|
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
|
$1
|
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
|
, )))
|
|
#####################################
|
# Not full TREBLE
|
# SELinux rules which apply only to devices which are not full TREBLE devices
|
#
|
define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
|
|
#####################################
|
# Compatible property only
|
# SELinux rules which apply only to devices with compatible property
|
#
|
define(`compatible_property_only', ifelse(target_compatible_property, `true', $1,
|
ifelse(target_compatible_property, `cts',
|
# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
|
$1
|
# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
|
, )))
|
|
#####################################
|
# Not compatible property
|
# SELinux rules which apply only to devices without compatible property
|
#
|
define(`not_compatible_property', ifelse(target_compatible_property, `true', , $1))
|
|
#####################################
|
# Userdebug or eng builds
|
# SELinux rules which apply only to userdebug or eng builds
|
#
|
define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
|
|
#####################################
|
# asan builds
|
# SELinux rules which apply only to asan builds
|
#
|
define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
|
|
#####################################
|
# native coverage builds
|
# SELinux rules which apply only to builds with native coverage
|
#
|
define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), ))
|
|
#####################################
|
# Build-time-only test
|
# SELinux rules which are verified during build, but not as part of *TS testing.
|
#
|
define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1))
|
|
####################################
|
# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
|
#
|
define(`crash_dump_fallback', `
|
userdebug_or_eng(`
|
allow $1 su:fifo_file append;
|
')
|
allow $1 anr_data_file:file append;
|
allow $1 dumpstate:fd use;
|
allow $1 incidentd:fd use;
|
# TODO: Figure out why write is needed.
|
allow $1 dumpstate:fifo_file { append write };
|
allow $1 incidentd:fifo_file { append write };
|
allow $1 system_server:fifo_file { append write };
|
allow $1 tombstoned:unix_stream_socket connectto;
|
allow $1 tombstoned:fd use;
|
allow $1 tombstoned_crash_socket:sock_file write;
|
allow $1 tombstone_data_file:file append;
|
')
|
|
#####################################
|
# WITH_DEXPREOPT builds
|
# SELinux rules which apply only when pre-opting.
|
#
|
define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
|
|
#####################################
|
# write_logd(domain)
|
# Ability to write to android log
|
# daemon via sockets
|
define(`write_logd', `
|
unix_socket_send($1, logdw, logd)
|
allow $1 pmsg_device:chr_file w_file_perms;
|
')
|
|
#####################################
|
# read_logd(domain)
|
# Ability to run logcat and read from android
|
# log daemon via sockets
|
define(`read_logd', `
|
allow $1 logcat_exec:file rx_file_perms;
|
unix_socket_connect($1, logdr, logd)
|
')
|
|
#####################################
|
# read_runtime_log_tags(domain)
|
# ability to directly map the runtime event log tags
|
define(`read_runtime_log_tags', `
|
allow $1 runtime_event_log_tags_file:file r_file_perms;
|
')
|
|
#####################################
|
# control_logd(domain)
|
# Ability to control
|
# android log daemon via sockets
|
define(`control_logd', `
|
# Group AID_LOG checked by filesystem & logd
|
# to permit control commands
|
unix_socket_connect($1, logd, logd)
|
')
|
|
#####################################
|
# use_keystore(domain)
|
# Ability to use keystore.
|
# Keystore is requires the following permissions
|
# to call getpidcon.
|
define(`use_keystore', `
|
allow keystore $1:dir search;
|
allow keystore $1:file { read open };
|
allow keystore $1:process getattr;
|
allow $1 keystore_service:service_manager find;
|
binder_call($1, keystore)
|
binder_call(keystore, $1)
|
')
|
|
###########################################
|
# use_drmservice(domain)
|
# Ability to use DrmService which requires
|
# DrmService to call getpidcon.
|
define(`use_drmservice', `
|
allow drmserver $1:dir search;
|
allow drmserver $1:file { read open };
|
allow drmserver $1:process getattr;
|
')
|
|
###########################################
|
# add_service(domain, service)
|
# Ability for domain to add a service to service_manager
|
# and find it. It also creates a neverallow preventing
|
# others from adding it.
|
define(`add_service', `
|
allow $1 $2:service_manager { add find };
|
neverallow { domain -$1 } $2:service_manager add;
|
')
|
|
###########################################
|
# add_hwservice(domain, service)
|
# Ability for domain to add a service to hwservice_manager
|
# and find it. It also creates a neverallow preventing
|
# others from adding it.
|
define(`add_hwservice', `
|
allow $1 $2:hwservice_manager { add find };
|
allow $1 hidl_base_hwservice:hwservice_manager add;
|
neverallow { domain -$1 } $2:hwservice_manager add;
|
')
|
|
###########################################
|
# hal_attribute_hwservice(attribute, service)
|
# Ability for domain to get a service to hwservice_manager
|
# and find it. It also creates a neverallow preventing
|
# others from adding it.
|
#
|
# Used to pair hal_foo_client with hal_foo_hwservice
|
define(`hal_attribute_hwservice', `
|
allow $1_client $2:hwservice_manager find;
|
add_hwservice($1_server, $2)
|
|
build_test_only(`
|
neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
|
')
|
')
|
|
###################################
|
# can_profile_heap(domain)
|
# Allow processes within the domain to have their heap profiled by heapprofd.
|
#
|
# Note that profiling is performed differently between debug and user builds.
|
# This macro covers both user and debug builds, but see
|
# can_profile_heap_userdebug_or_eng for a variant that can be used when
|
# allowing profiling for a domain only on debug builds, without granting
|
# the exec permission. The exec permission is necessary for user builds, but
|
# only a nice-to-have for development and testing purposes on debug builds.
|
define(`can_profile_heap', `
|
# Allow central daemon to send signal for client initialization.
|
allow heapprofd $1:process signal;
|
|
# Allow executing a private heapprofd process to handle profiling on
|
# user builds (also debug builds for testing & development purposes).
|
allow $1 heapprofd_exec:file rx_file_perms;
|
|
# Allow directory & file read to the central heapprofd daemon, as it scans
|
# /proc/[pid]/cmdline for by-process-name profiling configs.
|
# Note that this excludes /proc/[pid]/mem, as it requires ptrace capabilities.
|
allow heapprofd $1:file r_file_perms;
|
allow heapprofd $1:dir r_dir_perms;
|
|
# Profilability on user implies profilability on userdebug and eng.
|
can_profile_heap_userdebug_or_eng($1)
|
')
|
|
###################################
|
# can_profile_heap_userdebug_or_eng(domain)
|
# Allow processes within the domain to have their heap profiled by heapprofd on
|
# debug builds only.
|
#
|
# Only necessary when can_profile_heap cannot be applied, see its description
|
# for rationale.
|
define(`can_profile_heap_userdebug_or_eng', `
|
userdebug_or_eng(`
|
# Allow central daemon to send signal for client initialization.
|
allow heapprofd $1:process signal;
|
# Allow connecting to the daemon.
|
unix_socket_connect($1, heapprofd, heapprofd)
|
# Allow daemon to use the passed fds.
|
allow heapprofd $1:fd use;
|
# Allow to read and write to heapprofd shmem.
|
# The client needs to read the read and write pointers in order to write.
|
allow $1 heapprofd_tmpfs:file { read write getattr map };
|
# Use shared memory received over the unix socket.
|
allow $1 heapprofd:fd use;
|
|
# To read from the received file descriptors.
|
# /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
|
# process they relate to.
|
allow heapprofd $1:file r_file_perms;
|
# Allow searching the /proc/[pid] directory for cmdline.
|
allow heapprofd $1:dir r_dir_perms;
|
')
|
')
|
|
###################################
|
# never_profile_heap(domain)
|
# Opt out of heap profiling by heapprofd.
|
define(`never_profile_heap', `
|
neverallow heapprofd $1:file read;
|
neverallow heapprofd $1:process signal;
|
')
|
