2012-01-04 18:33:27 +01:00
|
|
|
# Filesystem types
|
|
|
|
type labeledfs, fs_type;
|
|
|
|
type pipefs, fs_type;
|
|
|
|
type sockfs, fs_type;
|
|
|
|
type rootfs, fs_type;
|
2018-02-16 03:07:18 +01:00
|
|
|
type proc, fs_type, proc_type;
|
2019-12-08 21:11:01 +01:00
|
|
|
type binderfs, fs_type;
|
|
|
|
type binderfs_logs, fs_type;
|
|
|
|
type binderfs_logs_proc, fs_type;
|
2023-10-12 06:48:19 +02:00
|
|
|
type binderfs_logs_stats, fs_type;
|
2024-04-22 08:43:18 +02:00
starting_at_board_api(202504, `
|
|
|
|
type binderfs_logs_transactions, fs_type;
|
|
|
|
')
|
|
|
|
|
2022-02-24 17:15:56 +01:00
|
|
|
type binderfs_features, fs_type;
|
2013-12-06 15:31:40 +01:00
|
|
|
# Security-sensitive proc nodes that should not be writable by most domains.
|
2018-02-16 03:07:18 +01:00
|
|
|
type proc_security, fs_type, proc_type;
|
|
|
|
type proc_drop_caches, fs_type, proc_type;
|
|
|
|
type proc_overcommit_memory, fs_type, proc_type;
|
|
|
|
type proc_min_free_order_shift, fs_type, proc_type;
|
2019-05-16 20:47:04 +02:00
|
|
|
type proc_kpageflags, fs_type, proc_type;
|
2021-07-01 06:10:26 +02:00
|
|
|
type proc_watermark_boost_factor, fs_type, proc_type;
|
2023-11-06 15:35:45 +01:00
|
|
|
type proc_percpu_pagelist_high_fraction, fs_type, proc_type;
|
2024-04-25 02:58:55 +02:00
starting_at_board_api(202504, `
|
|
|
|
type proc_compaction_proactiveness, fs_type, proc_type;
|
|
|
|
')
|
|
|
|
|
2013-12-06 15:31:40 +01:00
|
|
|
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
|
2018-02-16 03:07:18 +01:00
|
|
|
type usermodehelper, fs_type, proc_type;
|
2017-07-12 19:37:57 +02:00
|
|
|
type sysfs_usermodehelper, fs_type, sysfs_type;
|
2018-04-03 18:53:23 +02:00
|
|
|
type proc_qtaguid_ctrl, fs_type, mlstrustedobject, proc_type;
|
2018-02-16 03:07:18 +01:00
|
|
|
type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type;
|
|
|
|
type proc_bluetooth_writable, fs_type, proc_type;
|
|
|
|
type proc_abi, fs_type, proc_type;
|
|
|
|
type proc_asound, fs_type, proc_type;
|
2021-02-17 18:30:52 +01:00
|
|
|
type proc_bootconfig, fs_type, proc_type;
|
2021-11-11 10:51:15 +01:00
|
|
|
type proc_bpf, fs_type, proc_type;
|
2018-02-16 03:07:18 +01:00
|
|
|
type proc_buddyinfo, fs_type, proc_type;
|
2024-04-26 20:28:28 +02:00
|
|
|
starting_at_board_api(202504, `
|
|
|
|
type proc_cgroups, fs_type, proc_type;
|
|
|
|
')
|
2018-02-16 03:07:18 +01:00
|
|
|
type proc_cmdline, fs_type, proc_type;
|
2021-10-29 05:31:44 +02:00
|
|
|
type proc_cpu_alignment, fs_type, proc_type;
|
2018-02-16 03:07:18 +01:00
|
|
|
type proc_cpuinfo, fs_type, proc_type;
|
|
|
|
type proc_dirty, fs_type, proc_type;
|
|
|
|
type proc_diskstats, fs_type, proc_type;
|
|
|
|
type proc_extra_free_kbytes, fs_type, proc_type;
|
|
|
|
type proc_filesystems, fs_type, proc_type;
|
2019-03-09 00:47:22 +01:00
|
|
|
type proc_fs_verity, fs_type, proc_type;
|
2018-02-16 03:07:18 +01:00
|
|
|
type proc_hostname, fs_type, proc_type;
|
|
|
|
type proc_hung_task, fs_type, proc_type;
|
|
|
|
type proc_interrupts, fs_type, proc_type;
|
|
|
|
type proc_iomem, fs_type, proc_type;
|
2020-10-09 10:15:10 +02:00
|
|
|
type proc_kallsyms, fs_type, proc_type;
|
2019-01-30 00:27:21 +01:00
|
|
|
type proc_keys, fs_type, proc_type;
|
2018-02-16 03:07:18 +01:00
|
|
|
type proc_kmsg, fs_type, proc_type;
|
|
|
|
type proc_loadavg, fs_type, proc_type;
|
2021-01-07 00:14:24 +01:00
|
|
|
type proc_locks, fs_type, proc_type;
|
2019-04-26 18:27:58 +02:00
|
|
|
type proc_lowmemorykiller, fs_type, proc_type;
|
2018-02-16 03:07:18 +01:00
|
|
|
type proc_max_map_count, fs_type, proc_type;
|
|
|
|
type proc_meminfo, fs_type, proc_type;
|
|
|
|
type proc_misc, fs_type, proc_type;
|
|
|
|
type proc_modules, fs_type, proc_type;
|
|
|
|
type proc_mounts, fs_type, proc_type;
|
Start the process of locking down proc/net
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.
To that end, this change:
* Introduces the proc_net_type attribute which will be assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.
Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
navigate maps, send text message, make voice call, make video call.
Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest
Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
2018-04-10 21:47:48 +02:00
|
|
|
type proc_net, fs_type, proc_type, proc_net_type;
|
2018-09-28 19:55:14 +02:00
|
|
|
# NOTE(review): unlike proc_net, this type is declared without proc_net_type, so rules
# written against that attribute do not apply to it. Access has to be granted on
# proc_net_tcp_udp explicitly; confirm this split is intentional.
type proc_net_tcp_udp, fs_type, proc_type;
|
2018-02-16 03:07:18 +01:00
|
|
|
type proc_page_cluster, fs_type, proc_type;
|
|
|
|
type proc_pagetypeinfo, fs_type, proc_type;
|
|
|
|
type proc_panic, fs_type, proc_type;
|
|
|
|
type proc_perf, fs_type, proc_type;
|
|
|
|
type proc_pid_max, fs_type, proc_type;
|
|
|
|
type proc_pipe_conf, fs_type, proc_type;
|
2018-05-11 00:36:59 +02:00
|
|
|
type proc_pressure_cpu, fs_type, proc_type;
|
|
|
|
type proc_pressure_io, fs_type, proc_type;
|
|
|
|
type proc_pressure_mem, fs_type, proc_type;
|
2018-02-16 03:07:18 +01:00
|
|
|
type proc_random, fs_type, proc_type;
|
|
|
|
type proc_sched, fs_type, proc_type;
|
2018-06-14 16:34:19 +02:00
|
|
|
type proc_slabinfo, fs_type, proc_type;
|
2018-02-16 03:07:18 +01:00
|
|
|
type proc_stat, fs_type, proc_type;
|
|
|
|
type proc_swaps, fs_type, proc_type;
|
|
|
|
type proc_sysrq, fs_type, proc_type;
|
|
|
|
type proc_timer, fs_type, proc_type;
|
|
|
|
type proc_tty_drivers, fs_type, proc_type;
|
|
|
|
type proc_uid_cputime_showstat, fs_type, proc_type;
|
|
|
|
type proc_uid_cputime_removeuid, fs_type, proc_type;
|
|
|
|
type proc_uid_io_stats, fs_type, proc_type;
|
|
|
|
type proc_uid_procstat_set, fs_type, proc_type;
|
|
|
|
type proc_uid_time_in_state, fs_type, proc_type;
|
|
|
|
type proc_uid_concurrent_active_time, fs_type, proc_type;
|
|
|
|
type proc_uid_concurrent_policy_time, fs_type, proc_type;
|
|
|
|
type proc_uid_cpupower, fs_type, proc_type;
|
|
|
|
type proc_uptime, fs_type, proc_type;
|
|
|
|
type proc_version, fs_type, proc_type;
|
|
|
|
type proc_vmallocinfo, fs_type, proc_type;
|
|
|
|
type proc_vmstat, fs_type, proc_type;
|
2021-07-29 23:29:47 +02:00
|
|
|
type proc_watermark_scale_factor, fs_type, proc_type;
|
2018-02-16 03:07:18 +01:00
|
|
|
type proc_zoneinfo, fs_type, proc_type;
|
2021-07-29 15:24:38 +02:00
|
|
|
type proc_vendor_sched, proc_type, fs_type;
|
2014-09-11 21:51:28 +02:00
|
|
|
type selinuxfs, fs_type, mlstrustedobject;
|
2020-05-28 15:04:48 +02:00
|
|
|
type fusectlfs, fs_type;
|
2012-01-04 18:33:27 +01:00
|
|
|
type cgroup, fs_type, mlstrustedobject;
|
2020-05-27 23:10:39 +02:00
|
|
|
type cgroup_v2, fs_type;
|
2014-05-08 19:18:52 +02:00
|
|
|
type sysfs, fs_type, sysfs_type, mlstrustedobject;
|
2017-10-10 05:39:34 +02:00
|
|
|
type sysfs_android_usb, fs_type, sysfs_type;
|
2016-03-25 15:52:22 +01:00
|
|
|
type sysfs_uio, sysfs_type, fs_type;
|
2016-01-05 23:32:54 +01:00
|
|
|
type sysfs_batteryinfo, fs_type, sysfs_type;
|
2012-11-16 15:06:47 +01:00
|
|
|
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
|
2021-04-16 14:02:06 +02:00
|
|
|
type sysfs_devfreq_cur, fs_type, sysfs_type;
|
|
|
|
type sysfs_devfreq_dir, fs_type, sysfs_type;
|
2021-10-08 18:30:42 +02:00
|
|
|
type sysfs_devices_block, fs_type, sysfs_type;
|
2017-10-05 22:50:07 +02:00
|
|
|
type sysfs_dm, fs_type, sysfs_type;
|
2019-12-16 13:39:15 +01:00
|
|
|
type sysfs_dm_verity, fs_type, sysfs_type;
|
2021-02-01 19:25:05 +01:00
|
|
|
type sysfs_dma_heap, fs_type, sysfs_type;
|
2021-01-11 06:09:37 +01:00
|
|
|
type sysfs_dmabuf_stats, fs_type, sysfs_type;
|
/proc, /sys access from uncrypt, update_engine, postinstall_dexopt
New types:
1. proc_random
2. sysfs_dt_firmware_android
Labeled:
1. /proc/sys/kernel/random as proc_random.
2. /sys/firmware/devicetree/base/firmware/android/{compatible, fstab,
vbmeta} as sysfs_dt_firmware_android.
Changed access:
1. uncrypt, update_engine, postinstall_dexopt have access to generic proc
and sysfs labels removed.
2. appropriate permissions were added to uncrypt, update_engine,
update_engine_common, postinstall_dexopt.
Bug: 67416435
Bug: 67416336
Test: fake ota go/manual-ab-ota runs without denials
Test: adb sideload runs without denials to new types
Change-Id: Id31310ceb151a18652fcbb58037a0b90c1f6505a
2017-10-04 19:34:11 +02:00
|
|
|
type sysfs_dt_firmware_android, fs_type, sysfs_type;
|
2019-02-15 21:15:21 +01:00
|
|
|
type sysfs_extcon, fs_type, sysfs_type;
|
2019-11-17 23:41:33 +01:00
|
|
|
type sysfs_ion, fs_type, sysfs_type;
|
2017-10-10 05:39:34 +02:00
|
|
|
type sysfs_ipv4, fs_type, sysfs_type;
|
2017-12-06 19:09:50 +01:00
|
|
|
type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
|
2017-01-05 02:56:04 +01:00
|
|
|
type sysfs_leds, fs_type, sysfs_type;
|
2018-12-18 15:38:59 +01:00
|
|
|
type sysfs_loop, fs_type, sysfs_type;
|
2022-02-24 19:32:16 +01:00
|
|
|
type sysfs_gpu, fs_type, sysfs_type;
|
2016-03-12 00:23:49 +01:00
|
|
|
type sysfs_hwrandom, fs_type, sysfs_type;
|
2012-03-19 20:56:01 +01:00
|
|
|
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
|
2013-09-29 00:46:21 +02:00
|
|
|
type sysfs_wake_lock, fs_type, sysfs_type;
|
2017-10-02 00:53:01 +02:00
|
|
|
type sysfs_net, fs_type, sysfs_type;
|
2017-10-10 05:39:34 +02:00
|
|
|
type sysfs_power, fs_type, sysfs_type;
|
|
|
|
type sysfs_rtc, fs_type, sysfs_type;
|
2019-11-07 22:37:34 +01:00
|
|
|
type sysfs_suspend_stats, fs_type, sysfs_type;
|
2017-10-10 05:39:34 +02:00
|
|
|
type sysfs_switch, fs_type, sysfs_type;
|
2023-10-04 00:31:22 +02:00
|
|
|
type sysfs_sync_on_suspend, fs_type, sysfs_type;
|
2019-03-13 20:06:01 +01:00
|
|
|
type sysfs_transparent_hugepage, fs_type, sysfs_type;
|
2022-04-07 01:36:58 +02:00
|
|
|
type sysfs_lru_gen_enabled, fs_type, sysfs_type;
|
2018-03-21 18:43:30 +01:00
|
|
|
type sysfs_usb, fs_type, sysfs_type;
|
2019-11-07 22:37:34 +01:00
|
|
|
type sysfs_wakeup, fs_type, sysfs_type;
|
2017-10-10 05:39:34 +02:00
|
|
|
type sysfs_wakeup_reasons, fs_type, sysfs_type;
|
2017-05-02 22:45:08 +02:00
|
|
|
type sysfs_fs_ext4_features, sysfs_type, fs_type;
|
2019-02-15 23:29:05 +01:00
|
|
|
type sysfs_fs_f2fs, sysfs_type, fs_type;
|
2021-11-12 01:53:26 +01:00
|
|
|
type sysfs_fs_fuse_bpf, sysfs_type, fs_type;
|
2023-03-01 23:32:25 +01:00
|
|
|
type sysfs_fs_fuse_features, sysfs_type, fs_type;
|
2021-01-15 06:01:25 +01:00
|
|
|
type sysfs_fs_incfs_features, sysfs_type, fs_type;
|
2021-05-05 07:40:23 +02:00
|
|
|
type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
|
2021-07-29 15:24:38 +02:00
|
|
|
# Within this file, mlstrustedobject is added to this type only inside the
# userdebug_or_eng block that follows, so the MLS exemption is limited to debug builds.
# NOTE(review): keep that typeattribute out of user builds; confirm no other policy file adds it.
type sysfs_vendor_sched, sysfs_type, fs_type;
|
|
|
|
userdebug_or_eng(`
|
|
|
|
typeattribute sysfs_vendor_sched mlstrustedobject;
|
|
|
|
')
|
much more finegrained bpf selinux privs for networking mainline
Goal is to gain a better handle on who has access to which maps
and to allow (with bpfloader changes to create in one directory
and move into the target directory) per-map selection of
selinux context, while still having reasonable defaults for stuff
pinned directly into the target location.
BPFFS (ie. /sys/fs/bpf) labelling is as follows:
subdirectory selinux context mainline usecase / usable by
/ fs_bpf no (*) core operating system (ie. platform)
/net_private fs_bpf_net_private yes, T+ network_stack
/net_shared fs_bpf_net_shared yes, T+ network_stack & system_server
/netd_readonly fs_bpf_netd_readonly yes, T+ network_stack & system_server & r/o to netd
/netd_shared fs_bpf_netd_shared yes, T+ network_stack & system_server & netd [**]
/tethering fs_bpf_tethering yes, S+ network_stack
/vendor fs_bpf_vendor no, T+ vendor
* initial support for bpf was added back in P,
but things worked differently back then with no bpfloader,
and instead netd doing stuff by hand,
bpfloader with pinning into /sys/fs/bpf was (I believe) added in Q
(and was definitely there in R)
** additionally bpf programs are accessible to netutils_wrapper
for use by iptables xt_bpf extensions
'mainline yes' currently means shipped by the com.android.tethering apex,
but this is really another case of bad naming, as it's really
the 'networking/connectivity/tethering' apex / mainline module.
Long term the plan is to merge a few other networking mainline modules
into it (and maybe give it a saner name...).
The reason for splitting net_private vs tethering is that:
S+ must support 4.9+ kernels and S era bpfloader v0.2+
T+ must support 4.14+ kernels and T beta3 era bpfloader v0.13+
The kernel affects the intelligence of the in-kernel bpf verifier
and the available bpf helper functions. Older kernels have
a tendency to reject programs that newer kernels allow.
/ && /vendor are not shipped via mainline, so only need to work
with the bpfloader that's part of the core os.
Bug: 218408035
Test: TreeHugger, manually on cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I674866ebe32aca4fc851818c1ffcbec12ac4f7d4
(cherry picked from commit 15715aea32b85c933778b97a46de6ccab42ca7fb)
2022-05-21 14:03:29 +02:00
|
|
|
type fs_bpf, fs_type, bpffs_type;
|
|
|
|
# TODO: S+ fs_bpf_tethering (used by mainline) should be private
|
|
|
|
type fs_bpf_tethering, fs_type, bpffs_type;
|
|
|
|
type fs_bpf_vendor, fs_type, bpffs_type;
|
2024-04-22 08:43:18 +02:00
starting_at_board_api(202504, `
|
|
|
|
type fs_bpf_lmkd_memevents_rb, fs_type, bpffs_type;
|
|
|
|
type fs_bpf_lmkd_memevents_prog, fs_type, bpffs_type;
|
|
|
|
')
2016-03-02 01:13:50 +01:00
|
|
|
type configfs, fs_type;
|
2020-08-31 09:24:40 +02:00
|
|
|
# /sys/devices/cs_etm
|
|
|
|
type sysfs_devices_cs_etm, fs_type, sysfs_type;
|
2013-10-23 18:08:23 +02:00
|
|
|
# /sys/devices/system/cpu
|
|
|
|
type sysfs_devices_system_cpu, fs_type, sysfs_type;
|
2014-02-13 21:19:50 +01:00
|
|
|
# /sys/module/lowmemorykiller
|
|
|
|
type sysfs_lowmemorykiller, fs_type, sysfs_type;
|
2016-06-30 23:23:12 +02:00
|
|
|
# /sys/module/wlan/parameters/fwpath
|
|
|
|
type sysfs_wlan_fwpath, fs_type, sysfs_type;
|
2016-10-11 20:01:49 +02:00
|
|
|
type sysfs_vibrator, fs_type, sysfs_type;
|
2020-11-21 04:17:22 +01:00
|
|
|
type sysfs_uhid, fs_type, sysfs_type;
|
2016-03-24 17:23:54 +01:00
|
|
|
type sysfs_thermal, sysfs_type, fs_type;
|
|
|
|
|
2016-01-04 23:23:23 +01:00
|
|
|
type sysfs_zram, fs_type, sysfs_type;
|
|
|
|
type sysfs_zram_uevent, fs_type, sysfs_type;
|
2012-01-04 18:33:27 +01:00
|
|
|
type inotify, fs_type, mlstrustedobject;
|
2012-11-13 19:00:05 +01:00
|
|
|
type devpts, fs_type, mlstrustedobject;
|
2012-01-04 18:33:27 +01:00
|
|
|
type tmpfs, fs_type;
|
|
|
|
type shm, fs_type;
|
|
|
|
type mqueue, fs_type;
|
2021-06-23 10:21:49 +02:00
|
|
|
type fuse, fusefs_type, fs_type, mlstrustedobject;
|
2023-01-17 18:22:34 +01:00
|
|
|
type fuseblk, sdcard_type, fusefs_type, fs_type, mlstrustedobject;
|
2016-03-02 01:13:50 +01:00
|
|
|
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
|
2014-07-08 20:45:09 +02:00
|
|
|
type vfat, sdcard_type, fs_type, mlstrustedobject;
|
2018-03-30 20:22:54 +02:00
|
|
|
type exfat, sdcard_type, fs_type, mlstrustedobject;
|
2017-06-26 00:35:54 +02:00
|
|
|
type debugfs, fs_type, debugfs_type;
|
2020-06-10 12:27:12 +02:00
|
|
|
type debugfs_kprobes, fs_type, debugfs_type;
|
2016-06-18 00:05:10 +02:00
|
|
|
type debugfs_mmc, fs_type, debugfs_type;
|
2021-05-05 07:01:51 +02:00
|
|
|
type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
|
|
|
|
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
|
|
|
|
type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
|
|
|
|
type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
|
|
|
|
type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
|
|
|
|
type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
|
2018-01-22 23:00:46 +01:00
|
|
|
type debugfs_wakeup_sources, fs_type, debugfs_type;
|
2021-05-05 07:01:51 +02:00
|
|
|
type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
|
2020-02-19 00:26:44 +01:00
|
|
|
type securityfs, fs_type;
|
2017-04-14 21:12:50 +02:00
2014-04-10 06:32:54 +02:00
|
|
|
type pstorefs, fs_type;
|
2016-09-22 20:07:50 +02:00
|
|
|
type functionfs, fs_type, mlstrustedobject;
|
2014-05-30 14:49:51 +02:00
|
|
|
type oemfs, fs_type, contextmount_type;
|
2014-06-07 16:31:31 +02:00
|
|
|
type usbfs, fs_type;
|
2015-04-11 02:42:49 +02:00
|
|
|
type binfmt_miscfs, fs_type;
|
2021-06-23 10:21:49 +02:00
|
|
|
type app_fusefs, fs_type, fusefs_type, contextmount_type;
|
2012-01-04 18:33:27 +01:00
# File types
|
|
|
|
type unlabeled, file_type;
|
2017-04-02 02:17:12 +02:00
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
# Default type for anything under /system.
|
2018-09-27 19:21:37 +02:00
|
|
|
type system_file, system_file_type, file_type;
|
2018-10-07 01:16:46 +02:00
|
|
|
# Default type for /system/asan.options
|
|
|
|
type system_asan_options_file, system_file_type, file_type;
|
2019-01-10 22:59:37 +01:00
|
|
|
# Type for /system/etc/event-log-tags (liblog implementation detail)
|
|
|
|
type system_event_log_tags_file, system_file_type, file_type;
|
2018-08-12 00:34:49 +02:00
|
|
|
# Default type for anything under /system/lib[64].
|
2018-09-27 19:21:37 +02:00
|
|
|
type system_lib_file, system_file_type, file_type;
|
2019-03-14 18:45:33 +01:00
|
|
|
# system libraries that are available only to bootstrap processes
|
|
|
|
type system_bootstrap_lib_file, system_file_type, file_type;
|
2019-07-15 22:33:48 +02:00
|
|
|
# Default type for the group file /system/etc/group.
|
|
|
|
type system_group_file, system_file_type, file_type;
|
2018-08-12 00:34:49 +02:00
|
|
|
# Default type for linker executable /system/bin/linker[64].
|
2018-09-27 19:21:37 +02:00
|
|
|
type system_linker_exec, system_file_type, file_type;
|
2018-08-12 00:34:49 +02:00
|
|
|
# Default type for linker config /system/etc/ld.config.*.
|
2018-09-27 19:21:37 +02:00
|
|
|
type system_linker_config_file, system_file_type, file_type;
|
2019-07-15 22:33:48 +02:00
|
|
|
# Default type for the passwd file /system/etc/passwd.
|
|
|
|
type system_passwd_file, system_file_type, file_type;
|
2018-08-12 00:34:49 +02:00
|
|
|
# Default type for seccomp policy files in /system/etc/seccomp_policy/*.
|
2018-09-27 19:21:37 +02:00
|
|
|
type system_seccomp_policy_file, system_file_type, file_type;
|
2018-08-12 00:34:49 +02:00
|
|
|
# Default type for cacerts in /system/etc/security/cacerts/*.
|
2018-09-27 19:21:37 +02:00
|
|
|
type system_security_cacerts_file, system_file_type, file_type;
|
2018-10-11 19:49:59 +02:00
|
|
|
# Default type for /system/bin/tcpdump.
|
|
|
|
type tcpdump_exec, system_file_type, exec_type, file_type;
|
2018-09-27 17:45:16 +02:00
|
|
|
# Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
|
2018-09-27 19:21:37 +02:00
|
|
|
type system_zoneinfo_file, system_file_type, file_type;
|
2019-01-11 02:10:31 +01:00
|
|
|
# Cgroups description file under /system/etc/cgroups.json
|
|
|
|
type cgroup_desc_file, system_file_type, file_type;
|
2020-11-21 03:57:36 +01:00
|
|
|
# Cgroups description file under /system/etc/task_profiles/cgroups_*.json
|
|
|
|
type cgroup_desc_api_file, system_file_type, file_type;
|
2019-02-20 00:02:14 +01:00
|
|
|
# Vendor cgroups description file under /vendor/etc/cgroups.json
|
|
|
|
type vendor_cgroup_desc_file, vendor_file_type, file_type;
|
2019-01-11 02:10:31 +01:00
|
|
|
# Task profiles file under /system/etc/task_profiles.json
|
|
|
|
type task_profiles_file, system_file_type, file_type;
|
2020-11-21 03:57:36 +01:00
|
|
|
# Task profiles file under /system/etc/task_profiles/task_profiles_*.json
|
|
|
|
type task_profiles_api_file, system_file_type, file_type;
|
2019-02-20 00:02:14 +01:00
|
|
|
# Vendor task profiles file under /vendor/etc/task_profiles.json
|
|
|
|
type vendor_task_profiles_file, vendor_file_type, file_type;
|
2019-07-17 16:48:30 +02:00
|
|
|
# Type for /system/apex/com.android.art
|
|
|
|
type art_apex_dir, system_file_type, file_type;
|
2019-11-22 06:56:10 +01:00
|
|
|
# /linkerconfig(/.*)?
|
|
|
|
type linkerconfig_file, file_type;
|
2020-02-13 03:16:09 +01:00
|
|
|
# Control files under /data/incremental
|
|
|
|
type incremental_control_file, file_type, data_file_type, core_data_file_type;
|
2024-02-15 08:34:47 +01:00
|
|
|
# /oem/media/bootanimation.zip|shutdownanimation.zip|userspace-reboot.zip
|
|
|
|
type bootanim_oem_file, file_type, system_file_type;
|
2017-04-02 02:17:12 +02:00
# Default type for directories searched for
|
|
|
|
# HAL implementations
|
|
|
|
type vendor_hal_file, vendor_file_type, file_type;
|
|
|
|
# Default type for anything under /vendor or /system/vendor
|
|
|
|
type vendor_file, vendor_file_type, file_type;
|
|
|
|
# Default type for everything in /vendor/app
|
|
|
|
type vendor_app_file, vendor_file_type, file_type;
|
|
|
|
# Default type for everything under /vendor/etc/
|
|
|
|
type vendor_configs_file, vendor_file_type, file_type;
|
2018-08-08 19:02:12 +02:00
|
|
|
# Default type for all *same process* HALs and their lib/bin dependencies.
|
2017-04-02 02:17:12 +02:00
|
|
|
# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
|
|
|
|
type same_process_hal_file, vendor_file_type, file_type;
|
2017-04-10 06:37:40 +02:00
|
|
|
# Default type for vndk-sp libs. /vendor/lib/vndk-sp
|
|
|
|
type vndk_sp_file, vendor_file_type, file_type;
|
2017-04-02 02:17:12 +02:00
|
|
|
# Default type for everything in /vendor/framework
|
|
|
|
type vendor_framework_file, vendor_file_type, file_type;
|
|
|
|
# Default type for everything in /vendor/overlay
|
|
|
|
type vendor_overlay_file, vendor_file_type, file_type;
|
2018-04-30 23:38:21 +02:00
|
|
|
# Type for all vendor public libraries. These libs should only be exposed to
|
|
|
|
# apps. ABI stability of these libs is vendor's responsibility.
|
|
|
|
type vendor_public_lib_file, vendor_file_type, file_type;
|
2021-01-25 13:57:56 +01:00
|
|
|
# Type for all vendor public libraries for system. These libs should only be exposed to
|
|
|
|
# system. ABI stability of these libs is vendor's responsibility.
|
|
|
|
type vendor_public_framework_file, vendor_file_type, file_type;
|
2023-11-15 09:59:30 +01:00
|
|
|
# Type for all microdroid related files in the vendor partition.
|
2023-11-27 07:01:40 +01:00
|
|
|
# Files having this type should be read-only.
|
2023-11-15 09:59:30 +01:00
|
|
|
type vendor_microdroid_file, vendor_file_type, file_type;
|
2017-04-02 02:17:12 +02:00
|
|
|
|
2024-04-30 00:03:20 +02:00
|
|
|
starting_at_board_api(202504, `
|
|
|
|
# boot otas for 16KB developer option
|
|
|
|
type vendor_boot_ota_file, vendor_file_type, file_type;
|
|
|
|
')
|
|
|
|
|
2018-10-08 21:04:15 +02:00
|
|
|
# Input configuration
|
|
|
|
type vendor_keylayout_file, vendor_file_type, file_type;
|
|
|
|
type vendor_keychars_file, vendor_file_type, file_type;
|
|
|
|
type vendor_idc_file, vendor_file_type, file_type;
|
|
|
|
|
2021-11-18 23:59:29 +01:00
|
|
|
# Type for vendor uuid mapping config file
|
|
|
|
type vendor_uuid_mapping_config_file, vendor_file_type, file_type;
|
|
|
|
|
2021-08-09 02:24:45 +02:00
|
|
|
# SoC-specific virtual machine disk files
|
|
|
|
type vendor_vm_file, vendor_file_type, file_type;
|
|
|
|
# SoC-specific virtual machine disk files that are mutable
|
|
|
|
# NOTE(review): this type holds mutable data but carries vendor_file_type like the other
# vendor types in this file, so any rule granted on that attribute also covers it.
# Verify that write access is scoped to vendor_vm_data_file itself - TODO confirm.
type vendor_vm_data_file, vendor_file_type, file_type;
|
|
|
|
|
2018-04-20 20:14:49 +02:00
|
|
|
# /metadata partition itself
|
|
|
|
type metadata_file, file_type;
|
|
|
|
# Vold files within /metadata
|
2018-02-01 19:15:34 +01:00
|
|
|
type vold_metadata_file, file_type;
|
2019-01-23 04:05:29 +01:00
|
|
|
# GSI files within /metadata
|
2021-03-22 06:46:12 +01:00
|
|
|
type gsi_metadata_file, gsi_metadata_file_type, file_type;
|
|
|
|
# DSU (GSI) files within /metadata that are globally readable.
|
|
|
|
type gsi_public_metadata_file, gsi_metadata_file_type, file_type;
|
2019-02-28 23:11:34 +01:00
|
|
|
# system_server shares Weaver slot information in /metadata
|
|
|
|
type password_slot_metadata_file, file_type;
|
2019-03-12 16:37:13 +01:00
|
|
|
# APEX files within /metadata
|
|
|
|
type apex_metadata_file, file_type;
|
2019-07-09 04:03:59 +02:00
|
|
|
# libsnapshot files within /metadata
|
|
|
|
type ota_metadata_file, file_type;
|
2019-05-23 21:49:42 +02:00
|
|
|
# property files within /metadata/bootstat
|
|
|
|
type metadata_bootstat_file, file_type;
|
2020-06-02 11:47:16 +02:00
|
|
|
# userspace reboot files within /metadata/userspacereboot
|
|
|
|
type userspace_reboot_metadata_file, file_type;
|
2020-05-19 13:43:18 +02:00
|
|
|
# Staged install files within /metadata/staged-install
|
|
|
|
type staged_install_file, file_type;
|
2020-12-05 18:25:35 +01:00
|
|
|
# Metadata information within /metadata/watchdog
|
|
|
|
type watchdog_metadata_file, file_type;
|
2023-05-25 08:59:05 +02:00
|
|
|
# Repair mode files within /metadata/repair-mode
|
|
|
|
type repair_mode_metadata_file, file_type;
|
2024-02-13 04:18:32 +01:00
|
|
|
# Aconfig storage file
|
|
|
|
type aconfig_storage_metadata_file, file_type;
|
|
|
|
# Aconfig storage flag value persistent copy
|
|
|
|
type aconfig_storage_flags_metadata_file, file_type;
|
2018-02-01 19:15:34 +01:00
2018-11-06 00:03:16 +01:00
|
|
|
# Type for /dev/cpu_variant:.*.
|
|
|
|
type dev_cpu_variant, file_type;
|
2016-11-08 00:11:39 +01:00
|
|
|
# Speed up access for trusted applications to the runtime event tags
|
|
|
|
type runtime_event_log_tags_file, file_type;
|
2014-09-04 14:44:49 +02:00
|
|
|
# Type for /system/bin/logcat.
|
2018-09-27 19:21:37 +02:00
|
|
|
type logcat_exec, system_file_type, exec_type, file_type;
|
2019-01-11 02:10:31 +01:00
|
|
|
# Speed up access to the cgroup map file
|
|
|
|
type cgroup_rc_file, file_type;
|
2014-10-31 20:40:12 +01:00
|
|
|
# /cores for coredumps on userdebug / eng builds
|
|
|
|
type coredump_file, file_type;
|
2019-08-02 00:57:47 +02:00
|
|
|
# Type of /data itself
|
|
|
|
type system_data_root_file, file_type, data_file_type, core_data_file_type;
|
2012-01-04 18:33:27 +01:00
|
|
|
# Default type for anything under /data.
|
2017-03-28 07:44:40 +02:00
|
|
|
type system_data_file, file_type, data_file_type, core_data_file_type;
|
Restrict creating per-user encrypted directories
Creating a per-user encrypted directory such as /data/system_ce/0 and
the subdirectories in it too early has been a recurring bug. Typically,
individual services in system_server are to blame; system_server has
permission to create these directories, and it's easy to write
"mkdirs()" instead of "mkdir()". Such bugs are very bad, as they
prevent these directories from being encrypted, as encryption policies
can only be set on empty directories. Due to recent changes, a factory
reset is now forced in such cases, which helps detect these bugs;
however, it would be much better to prevent them in the first place.
This CL locks down the ability to create these directories to just vold
and init, or to just vold when possible. This is done by assigning new
types to the directories that contain these directories, and then only
allowing the needed domains to write to these parent directories. This
is similar to what https://r.android.com/1117297 did for /data itself.
Three new types are used instead of just one, since these directories
had three different types already (system_data_file, media_rw_data_file,
vendor_data_file), and this allows the policy to be a bit more precise.
A significant limitation is that /data/user/0 is currently being created
by init during early boot. Therefore, this CL doesn't help much for
/data/user/0, though it helps a lot for the other directories. As the
next step, I'll try to eliminate the /data/user/0 quirk. Anyway, this
CL is needed regardless of whether we're able to do that.
Test: Booted cuttlefish. Ran 'sm partition disk:253,32 private', then
created and deleted a user. Used 'ls -lZ' to check the relevant
SELinux labels on both internal and adoptable storage. Also did
similar tests on raven, with the addition of going through the
setup wizard and using an app that creates media files. No
relevant SELinux denials seen during any of this.
Bug: 156305599
Change-Id: I1fbdd180f56dd2fe4703763936f5850cef8ab0ba
2022-05-05 00:18:02 +02:00
|
|
|
# Default type for directories containing per-user encrypted directories, such
|
|
|
|
# as /data/user and /data/user_de.
|
|
|
|
type system_userdir_file, file_type, data_file_type, core_data_file_type;
|
Relabel /data/system/packages.list to new type.
Conservatively grant access to packages_list_file to everything that had
access to system_data_file:file even if the comment in the SELinux
policy suggests it was for another use.
Ran a diff on the resulting SEPolicy, the only difference of domains
being granted is those that had system_data_file:dir permissions which
is clearly not applicable for packages.list
diff -u0 <(sesearch --allow -t system_data_file ~/sepolicy | sed 's/system_data_file/packages_list_file/') <(sesearch --allow -t packages_list_file ~/sepolicy_new)
--- /proc/self/fd/16 2019-03-19 20:01:44.378409146 +0000
+++ /proc/self/fd/18 2019-03-19 20:01:44.378409146 +0000
@@ -3 +2,0 @@
-allow appdomain packages_list_file:dir getattr;
@@ -6 +4,0 @@
-allow coredomain packages_list_file:dir getattr;
@@ -8 +5,0 @@
-allow domain packages_list_file:dir search;
@@ -35 +31,0 @@
-allow system_server packages_list_file:dir { rename search setattr read lock create reparent getattr write relabelfrom ioctl rmdir remove_name open add_name };
@@ -40 +35,0 @@
-allow tee packages_list_file:dir { search read lock getattr ioctl open };
@@ -43,3 +37,0 @@
-allow traced_probes packages_list_file:dir { read getattr open search };
-allow vendor_init packages_list_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name open add_name };
-allow vold packages_list_file:dir { search setattr read lock create getattr mounton write ioctl rmdir remove_name open add_name };
@@ -48 +39,0 @@
-allow vold_prepare_subdirs packages_list_file:dir { read write relabelfrom rmdir remove_name open add_name };
@@ -50 +40,0 @@
-allow zygote packages_list_file:dir { search read lock getattr ioctl open };
Bug: 123186697
Change-Id: Ieabf313653deb5314872b63cd47dadd535af7b07
2019-03-19 19:14:38 +01:00
|
|
|
# Type for /data/system/packages.list.
|
|
|
|
# TODO(b/129332765): Narrow down permissions to this.
|
|
|
|
# Find out users of system_data_file that should be granted only this.
|
|
|
|
type packages_list_file, file_type, data_file_type, core_data_file_type;
|
2022-03-25 19:08:59 +01:00
|
|
|
type game_mode_intervention_list_file, file_type, data_file_type, core_data_file_type;
|
Restrict creating per-user encrypted directories
Creating a per-user encrypted directory such as /data/system_ce/0 and
the subdirectories in it too early has been a recurring bug. Typically,
individual services in system_server are to blame; system_server has
permission to create these directories, and it's easy to write
"mkdirs()" instead of "mkdir()". Such bugs are very bad, as they
prevent these directories from being encrypted, as encryption policies
can only be set on empty directories. Due to recent changes, a factory
reset is now forced in such cases, which helps detect these bugs;
however, it would be much better to prevent them in the first place.
This CL locks down the ability to create these directories to just vold
and init, or to just vold when possible. This is done by assigning new
types to the directories that contain these directories, and then only
allowing the needed domains to write to these parent directories. This
is similar to what https://r.android.com/1117297 did for /data itself.
Three new types are used instead of just one, since these directories
had three different types already (system_data_file, media_rw_data_file,
vendor_data_file), and this allows the policy to be a bit more precise.
A significant limitation is that /data/user/0 is currently being created
by init during early boot. Therefore, this CL doesn't help much for
/data/user/0, though it helps a lot for the other directories. As the
next step, I'll try to eliminate the /data/user/0 quirk. Anyway, this
CL is needed regardless of whether we're able to do that.
Test: Booted cuttlefish. Ran 'sm partition disk:253,32 private', then
created and deleted a user. Used 'ls -lZ' to check the relevant
SELinux labels on both internal and adoptable storage. Also did
similar tests on raven, with the addition of going through the
setup wizard and using an app that creates media files. No
relevant SELinux denials seen during any of this.
Bug: 156305599
Change-Id: I1fbdd180f56dd2fe4703763936f5850cef8ab0ba
2022-05-05 00:18:02 +02:00
|
|
|
# Default type for anything inside /data/vendor_{ce,de}.
|
2018-02-08 01:29:06 +01:00
|
|
|
type vendor_data_file, file_type, data_file_type;
|
Restrict creating per-user encrypted directories
Creating a per-user encrypted directory such as /data/system_ce/0 and
the subdirectories in it too early has been a recurring bug. Typically,
individual services in system_server are to blame; system_server has
permission to create these directories, and it's easy to write
"mkdirs()" instead of "mkdir()". Such bugs are very bad, as they
prevent these directories from being encrypted, as encryption policies
can only be set on empty directories. Due to recent changes, a factory
reset is now forced in such cases, which helps detect these bugs;
however, it would be much better to prevent them in the first place.
This CL locks down the ability to create these directories to just vold
and init, or to just vold when possible. This is done by assigning new
types to the directories that contain these directories, and then only
allowing the needed domains to write to these parent directories. This
is similar to what https://r.android.com/1117297 did for /data itself.
Three new types are used instead of just one, since these directories
had three different types already (system_data_file, media_rw_data_file,
vendor_data_file), and this allows the policy to be a bit more precise.
A significant limitation is that /data/user/0 is currently being created
by init during early boot. Therefore, this CL doesn't help much for
/data/user/0, though it helps a lot for the other directories. As the
next step, I'll try to eliminate the /data/user/0 quirk. Anyway, this
CL is needed regardless of whether we're able to do that.
Test: Booted cuttlefish. Ran 'sm partition disk:253,32 private', then
created and deleted a user. Used 'ls -lZ' to check the relevant
SELinux labels on both internal and adoptable storage. Also did
similar tests on raven, with the addition of going through the
setup wizard and using an app that creates media files. No
relevant SELinux denials seen during any of this.
Bug: 156305599
Change-Id: I1fbdd180f56dd2fe4703763936f5850cef8ab0ba
2022-05-05 00:18:02 +02:00
|
|
|
# Type for /data/vendor_{ce,de} themselves. This has core_data_file_type
|
|
|
|
# because these directories themselves are platform-managed; only the files
|
|
|
|
# *inside* them are vendor data. (Somewhat similar to system_data_root_file.)
|
|
|
|
type vendor_userdir_file, file_type, data_file_type, core_data_file_type;
|
2015-03-11 23:44:14 +01:00
|
|
|
# Unencrypted data
|
2017-03-28 07:44:40 +02:00
|
|
|
type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
|
2019-08-16 22:41:55 +02:00
|
|
|
# installd-created files in /data/misc/installd such as layout_version
|
2017-03-28 07:44:40 +02:00
|
|
|
type install_data_file, file_type, data_file_type, core_data_file_type;
|
2012-03-07 20:59:01 +01:00
|
|
|
# /data/drm - DRM plugin data
|
2017-03-28 07:44:40 +02:00
|
|
|
type drm_data_file, file_type, data_file_type, core_data_file_type;
|
2014-10-21 06:56:02 +02:00
|
|
|
# /data/adb - adb debugging files
|
2017-03-28 07:44:40 +02:00
|
|
|
type adb_data_file, file_type, data_file_type, core_data_file_type;
|
2012-01-04 18:33:27 +01:00
|
|
|
# /data/anr - ANR traces
|
2017-03-28 07:44:40 +02:00
|
|
|
type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
2012-01-04 18:33:27 +01:00
|
|
|
# /data/tombstones - core dumps
|
2017-03-28 07:44:40 +02:00
|
|
|
# NOTE(review): core dumps can hold process memory (keys, tokens, user data).
# mlstrustedobject presumably exempts this type from MLS level checks so that
# crashing processes at any level can have their dump written here - confirm
# against the MLS constraints. Read access should stay limited to the
# crash-handling and bug-reporting domains.
type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
2017-12-15 23:01:44 +01:00
|
|
|
# /data/vendor/tombstones/wifi - vendor wifi dumps
|
|
|
|
# No core_data_file_type on this type: the path it labels is under /data/vendor,
# so it is treated as vendor data rather than platform-managed data.
# NOTE(review): presumably the core/vendor data separation rules keep core
# domains off this type - confirm before granting any coredomain access.
type tombstone_wifi_data_file, file_type, data_file_type;
|
2018-08-17 09:35:42 +02:00
|
|
|
# /data/apex - APEX data files
|
|
|
|
type apex_data_file, file_type, data_file_type, core_data_file_type;
|
2012-01-04 18:33:27 +01:00
|
|
|
# /data/app - user-installed apps
|
2017-03-28 07:44:40 +02:00
|
|
|
type apk_data_file, file_type, data_file_type, core_data_file_type;
|
|
|
|
type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
2013-04-03 20:21:46 +02:00
|
|
|
# /data/app-private - forward-locked apps
|
2017-03-28 07:44:40 +02:00
|
|
|
type apk_private_data_file, file_type, data_file_type, core_data_file_type;
|
|
|
|
type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
2012-01-04 18:33:27 +01:00
|
|
|
# /data/dalvik-cache
|
2017-03-28 07:44:40 +02:00
|
|
|
type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
|
2015-12-03 06:23:30 +01:00
|
|
|
# /data/ota
|
2017-03-28 07:44:40 +02:00
|
|
|
type ota_data_file, file_type, data_file_type, core_data_file_type;
|
2016-05-25 06:07:48 +02:00
|
|
|
# /data/ota_package
|
2017-03-28 07:44:40 +02:00
|
|
|
type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
2016-02-01 20:28:39 +01:00
|
|
|
# /data/misc/profiles
|
2020-12-04 15:07:52 +01:00
|
|
|
type user_profile_root_file, file_type, data_file_type, core_data_file_type;
|
2017-03-28 07:44:40 +02:00
|
|
|
type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
2016-05-27 21:41:35 +02:00
|
|
|
# /data/misc/profman
|
2017-03-28 07:44:40 +02:00
|
|
|
type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
|
2020-01-02 09:14:48 +01:00
|
|
|
# /data/misc/prereboot
|
|
|
|
type prereboot_data_file, file_type, data_file_type, core_data_file_type;
|
2014-06-16 23:19:31 +02:00
|
|
|
# /data/resource-cache
|
2017-03-28 07:44:40 +02:00
|
|
|
type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
|
2012-01-04 18:33:27 +01:00
|
|
|
# /data/local - writable by shell
|
2020-10-27 18:35:33 +01:00
|
|
|
# Security note: this labels /data/local, which is writable by the shell.
# Privileged domains should treat content under this label as untrusted input
# and should not execute or parse it without validation.
# NOTE(review): this type carries both app_data_file_type and mlstrustedobject;
# presumably the latter exempts it from MLS level checks so that apps at any
# level can reach it. Confirm against the MLS constraints before widening access.
type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
|
2014-05-29 15:22:16 +02:00
|
|
|
# /data/property
|
2017-03-28 07:44:40 +02:00
|
|
|
type property_data_file, file_type, data_file_type, core_data_file_type;
|
2014-12-05 06:40:22 +01:00
|
|
|
# /data/bootchart
|
2017-03-28 07:44:40 +02:00
|
|
|
type bootchart_data_file, file_type, data_file_type, core_data_file_type;
|
2018-04-16 16:49:49 +02:00
|
|
|
# /data/system/dropbox
|
|
|
|
type dropbox_data_file, file_type, data_file_type, core_data_file_type;
|
2015-04-08 01:40:44 +02:00
|
|
|
# /data/system/heapdump
|
2017-03-28 07:44:40 +02:00
|
|
|
type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
2015-10-29 00:45:58 +01:00
|
|
|
# /data/nativetest
|
2017-03-28 07:44:40 +02:00
|
|
|
type nativetest_data_file, file_type, data_file_type, core_data_file_type;
|
2020-09-01 01:11:11 +02:00
|
|
|
# /data/local/tests
|
|
|
|
type shell_test_data_file, file_type, data_file_type, core_data_file_type;
|
2016-02-23 01:50:01 +01:00
|
|
|
# /data/system_de/0/ringtones
|
2017-03-28 07:44:40 +02:00
|
|
|
type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
2016-05-20 20:08:45 +02:00
|
|
|
# /data/preloads
|
2017-03-28 07:44:40 +02:00
|
|
|
type preloads_data_file, file_type, data_file_type, core_data_file_type;
|
2017-03-14 19:42:03 +01:00
|
|
|
# /data/preloads/media
|
2017-03-28 07:44:40 +02:00
|
|
|
type preloads_media_file, file_type, data_file_type, core_data_file_type;
|
2017-03-30 00:50:32 +02:00
|
|
|
# /data/misc/dhcp and /data/misc/dhcp-6.8.2
|
|
|
|
type dhcp_data_file, file_type, data_file_type, core_data_file_type;
|
2018-11-09 01:46:19 +01:00
|
|
|
# /data/server_configurable_flags
|
|
|
|
type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
|
2019-02-27 12:21:20 +01:00
|
|
|
# /data/app-staging
|
2019-01-02 15:20:52 +01:00
|
|
|
type staging_data_file, file_type, data_file_type, core_data_file_type;
|
2019-04-24 03:45:40 +02:00
|
|
|
# /vendor/apex
|
|
|
|
type vendor_apex_file, vendor_file_type, file_type;
|
2023-05-31 10:51:14 +02:00
|
|
|
# apex_manifest.pb in vendor apex
|
|
|
|
type vendor_apex_metadata_file, vendor_file_type, file_type;
|
2023-02-06 09:32:45 +01:00
|
|
|
# /data/system/shutdown-checkpoints
|
|
|
|
type shutdown_checkpoints_system_data_file, file_type, data_file_type, core_data_file_type;
|
2013-12-13 00:23:10 +01:00
|
|
|
|
Updated policy for external storage.
An upcoming platform release is redesigning how external storage
works. At a high level, vold is taking on a more active role in
managing devices that dynamically appear.
This change also creates further restricted domains for tools doing
low-level access of external storage devices, including sgdisk
and blkid. It also extends sdcardd to be launchable by vold, since
launching by init will eventually go away.
For compatibility, rules required to keep AOSP builds working are
marked with "TODO" to eventually remove.
Slightly relax system_server external storage rules to allow calls
like statfs(). Still neverallow open file descriptors, since they
can cause the kernel to kill us.
Here are the relevant violations that this CL is designed to allow:
avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket
avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1
2015-03-27 19:25:39 +01:00
|
|
|
# Mount locations managed by vold
|
|
|
|
type mnt_media_rw_file, file_type;
|
|
|
|
type mnt_user_file, file_type;
|
2020-01-13 21:42:37 +01:00
|
|
|
type mnt_pass_through_file, file_type;
|
2015-04-07 01:21:54 +02:00
|
|
|
type mnt_expand_file, file_type;
|
2019-04-12 00:23:24 +02:00
|
|
|
type mnt_sdcard_file, file_type;
|
Updated policy for external storage.
An upcoming platform release is redesigning how external storage
works. At a high level, vold is taking on a more active role in
managing devices that dynamically appear.
This change also creates further restricted domains for tools doing
low-level access of external storage devices, including sgdisk
and blkid. It also extends sdcardd to be launchable by vold, since
launching by init will eventually go away.
For compatibility, rules required to keep AOSP builds working are
marked with "TODO" to eventually remove.
Slightly relax system_server external storage rules to allow calls
like statfs(). Still neverallow open file descriptors, since they
can cause the kernel to kill us.
Here are the relevant violations that this CL is designed to allow:
avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket
avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1
2015-03-27 19:25:39 +01:00
|
|
|
type storage_file, file_type;
|
|
|
|
|
|
|
|
# Label for storage dirs which are just mount stubs
|
|
|
|
type mnt_media_rw_stub_file, file_type;
|
|
|
|
type storage_stub_file, file_type;
|
2018-04-11 05:49:45 +02:00
|
|
|
|
|
|
|
# Mount location for read-write vendor partitions.
|
|
|
|
type mnt_vendor_file, file_type;
|
2018-04-11 05:49:45 +02:00
|
|
|
|
2018-06-29 04:10:00 +02:00
|
|
|
# Mount location for read-write product partitions.
|
|
|
|
type mnt_product_file, file_type;
|
Updated policy for external storage.
An upcoming platform release is redesigning how external storage
works. At a high level, vold is taking on a more active role in
managing devices that dynamically appear.
This change also creates further restricted domains for tools doing
low-level access of external storage devices, including sgdisk
and blkid. It also extends sdcardd to be launchable by vold, since
launching by init will eventually go away.
For compatibility, rules required to keep AOSP builds working are
marked with "TODO" to eventually remove.
Slightly relax system_server external storage rules to allow calls
like statfs(). Still neverallow open file descriptors, since they
can cause kernel to kill us.
Here are the relevant violations that this CL is designed to allow:
avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket
avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1
2015-03-27 19:25:39 +01:00
|
|
|
|
2018-08-17 09:35:42 +02:00
|
|
|
# Mount point used for APEX images
|
|
|
|
type apex_mnt_dir, file_type;
|
|
|
|
|
2020-05-11 13:49:07 +02:00
|
|
|
# /apex/apex-info-list.xml created by apexd
|
|
|
|
type apex_info_file, file_type;
|
|
|
|
|
2016-03-02 01:14:45 +01:00
|
|
|
# /postinstall: Mount point used by update_engine to run postinstall.
|
|
|
|
type postinstall_mnt_dir, file_type;
|
|
|
|
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
|
2016-04-06 01:07:25 +02:00
|
|
|
type postinstall_file, file_type;
|
2019-01-24 15:32:17 +01:00
|
|
|
# /postinstall/apex: Mount point used for APEX images within /postinstall.
|
|
|
|
type postinstall_apex_mnt_dir, file_type;
|
2016-03-02 01:14:45 +01:00
|
|
|
|
2019-12-13 13:30:26 +01:00
|
|
|
# /data_mirror: Contains mirror directory for storing all apps data.
|
|
|
|
# NOTE(review): carries core_data_file_type but not data_file_type, unlike the
# /data/misc types that follow; confirm the omission is intended, since rules
# written against data_file_type will not cover this type.
type mirror_data_file, file_type, core_data_file_type;
|
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
# /data/misc subdirectories
|
2017-03-28 07:44:40 +02:00
|
|
|
type adb_keys_file, file_type, data_file_type, core_data_file_type;
|
2021-07-12 15:21:48 +02:00
|
|
|
type apex_system_server_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
|
2019-11-19 19:10:16 +01:00
|
|
|
type apex_module_data_file, file_type, data_file_type, core_data_file_type;
|
2021-01-28 22:14:20 +01:00
|
|
|
type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
|
2019-12-02 19:29:48 +01:00
|
|
|
type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
|
2020-12-23 16:21:23 +01:00
|
|
|
type appcompat_data_file, file_type, data_file_type, core_data_file_type;
|
2017-03-28 07:44:40 +02:00
|
|
|
type audio_data_file, file_type, data_file_type, core_data_file_type;
|
|
|
|
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
|
2020-10-27 18:35:33 +01:00
|
|
|
type bluetooth_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
|
2017-03-28 07:44:40 +02:00
|
|
|
type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
|
|
|
|
type bootstat_data_file, file_type, data_file_type, core_data_file_type;
|
|
|
|
type boottrace_data_file, file_type, data_file_type, core_data_file_type;
|
|
|
|
type camera_data_file, file_type, data_file_type, core_data_file_type;
|
2020-01-17 22:47:53 +01:00
|
|
|
type credstore_data_file, file_type, data_file_type, core_data_file_type;
|
2017-03-28 07:44:40 +02:00
|
|
|
type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
|
|
|
|
type incident_data_file, file_type, data_file_type, core_data_file_type;
|
|
|
|
type keychain_data_file, file_type, data_file_type, core_data_file_type;
|
|
|
|
type keystore_data_file, file_type, data_file_type, core_data_file_type;
|
|
|
|
type media_data_file, file_type, data_file_type, core_data_file_type;
|
|
|
|
# mlstrustedobject exempts this type from the MLS (level/category) checks, so
# access is gated by type-enforcement allow rules alone; keep those rules narrow.
type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
Restrict creating per-user encrypted directories
Creating a per-user encrypted directory such as /data/system_ce/0 and
the subdirectories in it too early has been a recurring bug. Typically,
individual services in system_server are to blame; system_server has
permission to create these directories, and it's easy to write
"mkdirs()" instead of "mkdir()". Such bugs are very bad, as they
prevent these directories from being encrypted, as encryption policies
can only be set on empty directories. Due to recent changes, a factory
reset is now forced in such cases, which helps detect these bugs;
however, it would be much better to prevent them in the first place.
This CL locks down the ability to create these directories to just vold
and init, or to just vold when possible. This is done by assigning new
types to the directories that contain these directories, and then only
allowing the needed domains to write to these parent directories. This
is similar to what https://r.android.com/1117297 did for /data itself.
Three new types are used instead of just one, since these directories
had three different types already (system_data_file, media_rw_data_file,
vendor_data_file), and this allows the policy to be a bit more precise.
A significant limitation is that /data/user/0 is currently being created
by init during early boot. Therefore, this CL doesn't help much for
/data/user/0, though it helps a lot for the other directories. As the
next step, I'll try to eliminate the /data/user/0 quirk. Anyway, this
CL is needed regardless of whether we're able to do that.
Test: Booted cuttlefish. Ran 'sm partition disk:253,32 private', then
created and deleted a user. Used 'ls -lZ' to check the relevant
SELinux labels on both internal and adoptable storage. Also did
similar tests on raven, with the addition of going through the
setup wizard and using an app that creates media files. No
relevant SELinux denials seen during any of this.
Bug: 156305599
Change-Id: I1fbdd180f56dd2fe4703763936f5850cef8ab0ba
2022-05-05 00:18:02 +02:00
|
|
|
# Labels a parent directory that holds per-user directories, so that only the
# domains allowed to write to the parent can create them (see the change
# "Restrict creating per-user encrypted directories"). Presumably the media
# counterpart among the three types that change introduced -- confirm against
# file_contexts.
type media_userdir_file, file_type, data_file_type, core_data_file_type;
|
2017-03-28 07:44:40 +02:00
|
|
|
type misc_user_data_file, file_type, data_file_type, core_data_file_type;
|
|
|
|
type net_data_file, file_type, data_file_type, core_data_file_type;
|
2017-12-14 10:56:32 +01:00
|
|
|
type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
|
2020-10-27 18:35:33 +01:00
|
|
|
type nfc_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
|
2020-07-08 11:09:49 +02:00
|
|
|
type nfc_logs_data_file, file_type, data_file_type, core_data_file_type;
|
2020-10-27 18:35:33 +01:00
|
|
|
type radio_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
|
2017-03-28 07:44:40 +02:00
|
|
|
type recovery_data_file, file_type, data_file_type, core_data_file_type;
|
2020-09-24 14:46:46 +02:00
|
|
|
type shared_relro_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
2020-02-04 02:01:49 +01:00
|
|
|
type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type;
|
2023-02-02 20:57:18 +01:00
|
|
|
type stats_config_data_file, file_type, data_file_type, core_data_file_type;
|
2018-08-22 08:59:46 +02:00
|
|
|
type stats_data_file, file_type, data_file_type, core_data_file_type;
|
2017-03-28 07:44:40 +02:00
|
|
|
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
|
2017-04-26 22:20:20 +02:00
|
|
|
type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
|
2018-01-16 01:44:04 +01:00
|
|
|
type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
2017-03-28 07:44:40 +02:00
|
|
|
type vpn_data_file, file_type, data_file_type, core_data_file_type;
|
|
|
|
type wifi_data_file, file_type, data_file_type, core_data_file_type;
|
|
|
|
type vold_data_file, file_type, data_file_type, core_data_file_type;
|
2017-03-29 06:59:24 +02:00
|
|
|
# Not a core_data_file_type, unlike its neighbours: presumably because this
# data is vendor-owned -- confirm. Rules and neverallows keyed on
# core_data_file_type do not apply to this type.
type tee_data_file, file_type, data_file_type;
|
2017-03-28 07:44:40 +02:00
|
|
|
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
|
2017-11-06 12:56:00 +01:00
|
|
|
type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
|
2023-04-29 02:25:49 +02:00
|
|
|
type snapuserd_log_data_file, file_type, data_file_type, core_data_file_type;
|
2015-11-10 19:49:57 +01:00
|
|
|
# /data/misc/trace for method traces on userdebug / eng builds
|
2017-03-28 07:44:40 +02:00
|
|
|
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
2019-01-23 04:05:29 +01:00
|
|
|
type gsi_data_file, file_type, data_file_type, core_data_file_type;
|
2020-12-24 08:11:15 +01:00
|
|
|
type radio_core_data_file, file_type, data_file_type, core_data_file_type;
|
2013-12-13 00:23:10 +01:00
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
# /data/data subdirectories - app sandboxes
|
2020-10-27 18:35:33 +01:00
|
|
|
type app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
|
2018-08-03 00:54:23 +02:00
|
|
|
# /data/data subdirectories - priv-app sandboxes
|
2020-10-27 18:35:33 +01:00
|
|
|
type privapp_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
|
2014-05-07 19:10:02 +02:00
|
|
|
# /data/data subdirectory for system UID apps.
|
2020-10-27 18:35:33 +01:00
|
|
|
# Tagged mlstrustedobject: MLS level/category separation is not applied to
# these files, so only type-enforcement allow rules limit which domains can
# reach system-UID app data.
type system_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
|
2014-03-12 18:31:14 +01:00
|
|
|
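# Compatibility with type name used in Android 4.3 and 4.4.
# NOTE(review): no typealias statement follows this comment in this file; it looks like a leftover -- confirm.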
|
2012-01-04 18:33:27 +01:00
|
|
|
# Default type for anything under /cache
|
2017-11-06 17:33:33 +01:00
|
|
|
type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
2018-07-02 17:13:40 +02:00
|
|
|
# Type for /cache/overlay and /mnt/scratch/overlay
|
2018-06-13 17:02:29 +02:00
|
|
|
type overlayfs_file, file_type, data_file_type, core_data_file_type;
|
2016-01-28 20:30:41 +01:00
|
|
|
# Type for /cache/backup_stage/* (fd interchange with apps)
|
2017-11-06 17:33:33 +01:00
|
|
|
type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
2016-01-28 20:30:41 +01:00
|
|
|
# Type for anything under /cache/backup (local transport storage)
|
2017-11-06 17:33:33 +01:00
|
|
|
type cache_private_backup_file, file_type, data_file_type, core_data_file_type;
|
2015-12-22 21:37:17 +01:00
|
|
|
# Type for anything under /cache/recovery
|
2017-11-06 17:33:33 +01:00
|
|
|
type cache_recovery_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
2012-01-04 18:33:27 +01:00
|
|
|
# Default type for anything under /efs
|
|
|
|
type efs_file, file_type;
|
2012-03-19 15:29:36 +01:00
|
|
|
# Type for wallpaper file.
|
2017-03-28 07:44:40 +02:00
|
|
|
type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
2016-03-09 00:06:44 +01:00
|
|
|
# Type for shortcut manager icon file.
|
2017-03-28 07:44:40 +02:00
|
|
|
type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
2016-02-25 16:37:06 +01:00
|
|
|
# Type for user icon file.
|
2017-03-28 07:44:40 +02:00
|
|
|
type icon_file, file_type, data_file_type, core_data_file_type;
|
2012-10-22 19:50:01 +02:00
|
|
|
# /mnt/asec
|
2017-03-28 07:44:40 +02:00
|
|
|
type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
2014-02-04 17:36:41 +01:00
|
|
|
# Elements of asec files (/mnt/asec) that are world readable
|
2017-03-28 07:44:40 +02:00
|
|
|
type asec_public_file, file_type, data_file_type, core_data_file_type;
|
2012-10-22 19:50:01 +02:00
|
|
|
# /data/app-asec
|
2017-03-28 07:44:40 +02:00
|
|
|
type asec_image_file, file_type, data_file_type, core_data_file_type;
|
2012-12-04 14:13:58 +01:00
|
|
|
# /data/backup and /data/secure/backup
|
2017-03-28 07:44:40 +02:00
|
|
|
type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
2012-05-31 15:40:12 +02:00
|
|
|
# All devices have bluetooth efs files. But they
|
|
|
|
# vary per device, so this type is used in per
|
2012-09-07 03:50:35 +02:00
|
|
|
# device policy
|
2012-05-31 15:40:12 +02:00
|
|
|
type bluetooth_efs_file, file_type;
|
2016-12-16 04:46:43 +01:00
|
|
|
# Type for fingerprint template file
|
2017-03-28 07:44:40 +02:00
|
|
|
type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
|
2018-11-19 19:42:11 +01:00
|
|
|
# Type for _new_ fingerprint template file
|
|
|
|
# Biometric template storage declared without core_data_file_type (as are
# face_vendor_data_file and iris_vendor_data_file); presumably vendor-owned
# data -- confirm. Worth auditing which domains are allowed to read it.
type fingerprint_vendor_data_file, file_type, data_file_type;
|
2016-01-28 07:48:39 +01:00
|
|
|
# Type for appfuse file.
|
2017-03-28 07:44:40 +02:00
|
|
|
type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
2018-11-16 00:28:07 +01:00
|
|
|
# Type for face template file
|
|
|
|
type face_vendor_data_file, file_type, data_file_type;
|
|
|
|
# Type for iris template file
|
|
|
|
type iris_vendor_data_file, file_type, data_file_type;
|
2012-05-31 15:40:12 +02:00
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
# Socket types
|
2017-03-31 02:39:00 +02:00
|
|
|
type adbd_socket, file_type, coredomain_socket;
|
2017-11-06 17:33:33 +01:00
|
|
|
type bluetooth_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
|
2017-03-31 02:39:00 +02:00
|
|
|
type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
|
|
|
|
type dumpstate_socket, file_type, coredomain_socket;
|
|
|
|
type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
|
|
|
|
type lmkd_socket, file_type, coredomain_socket;
|
|
|
|
type logd_socket, file_type, coredomain_socket, mlstrustedobject;
|
|
|
|
type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
|
|
|
|
type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
|
|
|
|
type mdns_socket, file_type, coredomain_socket;
|
|
|
|
type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
|
2017-11-06 17:33:33 +01:00
|
|
|
# NOTE(review): listed in the socket section and tagged coredomain_socket,
# although the name and data_file_type/core_data_file_type mark it as a data
# file type; confirm coredomain_socket is intended here.
type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
|
2017-03-31 02:39:00 +02:00
|
|
|
type mtpd_socket, file_type, coredomain_socket;
|
2024-01-16 15:19:28 +01:00
|
|
|
type ot_daemon_socket, file_type, coredomain_socket;
|
2017-03-31 02:39:00 +02:00
|
|
|
type property_socket, file_type, coredomain_socket, mlstrustedobject;
|
|
|
|
type racoon_socket, file_type, coredomain_socket;
|
2018-05-29 19:54:16 +02:00
|
|
|
type recovery_socket, file_type, coredomain_socket;
|
2012-01-04 18:33:27 +01:00
|
|
|
# No coredomain_socket attribute (same for rild_debug_socket): presumably the
# owning daemon is not a core domain -- confirm.
type rild_socket, file_type;
|
|
|
|
type rild_debug_socket, file_type;
|
2020-10-20 07:11:29 +02:00
|
|
|
type snapuserd_socket, file_type, coredomain_socket;
|
2021-07-27 00:03:11 +02:00
|
|
|
type snapuserd_proxy_socket, file_type, coredomain_socket;
|
2018-08-22 08:59:46 +02:00
|
|
|
type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
|
2018-01-24 16:01:13 +01:00
|
|
|
type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
|
2017-11-06 17:33:33 +01:00
|
|
|
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
|
2019-12-30 06:38:38 +01:00
|
|
|
type system_unsolzygote_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
|
2017-03-31 02:39:00 +02:00
|
|
|
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
|
2017-05-15 19:39:16 +02:00
|
|
|
# NOTE(review): unlike tombstoned_crash_socket and tombstoned_intercept_socket,
# this type is not a coredomain_socket; confirm that is deliberate (e.g. so
# non-core domains may connect) rather than an omission. It is also
# mlstrustedobject, so MLS checks do not restrict who can reach it.
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
|
2017-03-31 02:39:00 +02:00
|
|
|
type tombstoned_intercept_socket, file_type, coredomain_socket;
|
2018-10-20 02:01:24 +02:00
|
|
|
type traced_consumer_socket, file_type, coredomain_socket, mlstrustedobject;
|
2020-01-22 20:16:13 +01:00
|
|
|
type traced_perf_socket, file_type, coredomain_socket, mlstrustedobject;
|
|
|
|
type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
|
2017-03-31 02:39:00 +02:00
|
|
|
type uncrypt_socket, file_type, coredomain_socket;
|
2018-01-24 16:01:13 +01:00
|
|
|
# Counterpart of system_wpa_socket without coredomain_socket; presumably the
# socket of a non-core (vendor) supplicant -- confirm.
type wpa_socket, file_type, data_file_type, core_data_file_type;
|
2017-03-31 02:39:00 +02:00
|
|
|
type zygote_socket, file_type, coredomain_socket;
|
2018-12-21 14:29:55 +01:00
|
|
|
type heapprofd_socket, file_type, coredomain_socket, mlstrustedobject;
|
2012-07-10 23:36:22 +02:00
|
|
|
# UART (for GPS) control proc file
|
|
|
|
# NOTE(review): the comment above calls this a proc file, but the type is
# declared with file_type rather than fs_type/proc_type like the proc nodes
# declared earlier in this file; confirm which filesystem the node lives on.
type gps_control, file_type;
|
|
|
|
|
2017-05-01 22:01:44 +02:00
|
|
|
# PDX endpoint types
|
|
|
|
type pdx_display_dir, pdx_endpoint_dir_type, file_type;
|
|
|
|
type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
|
|
|
|
type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;
|
|
|
|
|
|
|
|
pdx_service_socket_types(display_client, pdx_display_dir)
|
|
|
|
pdx_service_socket_types(display_manager, pdx_display_dir)
|
|
|
|
pdx_service_socket_types(display_screenshot, pdx_display_dir)
|
|
|
|
pdx_service_socket_types(display_vsync, pdx_display_dir)
|
|
|
|
pdx_service_socket_types(performance_client, pdx_performance_dir)
|
|
|
|
pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
|
|
|
|
|
2017-03-24 23:02:13 +01:00
|
|
|
# file_contexts files
|
2018-09-27 19:21:37 +02:00
|
|
|
type file_contexts_file, system_file_type, file_type;
|
2017-03-24 23:02:13 +01:00
|
|
|
|
2017-03-27 21:06:04 +02:00
|
|
|
# mac_permissions file
|
2018-09-27 19:21:37 +02:00
|
|
|
type mac_perms_file, system_file_type, file_type;
|
2017-03-27 21:06:04 +02:00
|
|
|
|
2015-12-02 01:58:27 +01:00
|
|
|
# property_contexts file
|
2018-09-27 19:21:37 +02:00
|
|
|
type property_contexts_file, system_file_type, file_type;
|
2015-12-02 01:58:27 +01:00
|
|
|
|
2017-03-27 19:57:07 +02:00
|
|
|
# seapp_contexts file
|
2018-09-27 19:21:37 +02:00
|
|
|
type seapp_contexts_file, system_file_type, file_type;
|
2017-03-27 19:57:07 +02:00
|
|
|
|
2017-03-27 20:39:16 +02:00
|
|
|
# sepolicy files (binary policy and others)
|
2018-09-27 19:21:37 +02:00
|
|
|
type sepolicy_file, system_file_type, file_type;
|
2017-03-27 20:39:16 +02:00
|
|
|
|
2017-03-24 20:24:43 +01:00
|
|
|
# service_contexts file
|
2018-09-27 19:21:37 +02:00
|
|
|
type service_contexts_file, system_file_type, file_type;
|
2015-12-02 01:58:27 +01:00
|
|
|
|
2020-07-25 22:02:29 +02:00
|
|
|
# keystore2_key_contexts_file
|
|
|
|
type keystore2_key_contexts_file, system_file_type, file_type;
|
|
|
|
|
2020-06-12 10:25:41 +02:00
|
|
|
# vendor service_contexts file
|
|
|
|
type vendor_service_contexts_file, vendor_file_type, file_type;
|
|
|
|
|
2017-04-08 01:14:43 +02:00
|
|
|
# hwservice_contexts file
|
2018-09-27 19:21:37 +02:00
|
|
|
type hwservice_contexts_file, system_file_type, file_type;
|
2017-04-08 01:14:43 +02:00
|
|
|
|
2017-04-01 02:29:53 +02:00
|
|
|
# vndservice_contexts file
|
|
|
|
# NOTE(review): only file_type here, whereas the other *_contexts_file types
# carry system_file_type or vendor_file_type; confirm the missing partition
# attribute is intended.
type vndservice_contexts_file, file_type;
|
|
|
|
|
2021-03-02 16:46:50 +01:00
|
|
|
# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
|
2021-05-05 07:01:51 +02:00
|
|
|
# Tagged both debugfs_type and tracefs_type; the path in the comment above is
# under /sys/kernel/tracing. Presumably debugfs_type is kept for kernels that
# expose tracing under debugfs -- confirm.
type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
|
2021-03-02 16:46:50 +01:00
|
|
|
|
2021-03-31 19:23:40 +02:00
|
|
|
# kernel modules
|
|
|
|
type vendor_kernel_modules, vendor_file_type, file_type;
|
|
|
|
|
2022-02-10 01:35:54 +01:00
|
|
|
# system_dlkm
|
|
|
|
type system_dlkm_file, system_dlkm_file_type, file_type;
|
|
|
|
|
2017-04-04 00:23:16 +02:00
|
|
|
# asanwrapper (run a sanitized app_process, to be used with wrap properties)
|
|
|
|
# Declared inside with_asan(), so the type exists only when that macro expands
# its argument (presumably ASAN builds only; the macro is defined elsewhere).
with_asan(`type asanwrapper_exec, exec_type, file_type;')
|
|
|
|
|
2017-10-21 05:24:15 +02:00
|
|
|
# Deprecated in SDK version 28
|
|
|
|
type audiohal_data_file, file_type, data_file_type, core_data_file_type;
|
2024-03-28 02:37:28 +01:00
|
|
|
|
|
|
|
# system/sepolicy/public is for vendor-facing type and attribute definitions.
|
|
|
|
# DO NOT ADD allow, neverallow, or dontaudit statements here.
|
|
|
|
# Instead, add such policy rules to system/sepolicy/private/*.te.
|