2012-01-04 18:33:27 +01:00
|
|
|
# Filesystem types
|
|
|
|
type labeledfs, fs_type;
|
|
|
|
type pipefs, fs_type;
|
|
|
|
type sockfs, fs_type;
|
|
|
|
type rootfs, fs_type;
|
|
|
|
type proc, fs_type;
|
2013-12-06 15:31:40 +01:00
|
|
|
# Security-sensitive proc nodes that should not be writable by most domains.
|
|
|
|
type proc_security, fs_type;
|
2015-05-15 05:55:31 +02:00
|
|
|
type proc_drop_caches, fs_type;
|
2016-06-28 00:38:25 +02:00
|
|
|
type proc_overcommit_memory, fs_type;
|
2013-12-06 15:31:40 +01:00
|
|
|
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
|
|
|
|
type usermodehelper, fs_type, sysfs_type;
|
2012-07-19 20:07:04 +02:00
|
|
|
# NOTE(review): mlstrustedobject is conventionally the attribute that exempts
# an object type from MLS (level/category) constraints, leaving type
# enforcement as the only barrier. Confirm against this tree's MLS
# constraints before copying it onto a new type.
type qtaguid_proc, fs_type, mlstrustedobject;
|
2013-03-27 11:30:25 +01:00
|
|
|
type proc_bluetooth_writable, fs_type;
|
2014-09-26 19:51:12 +02:00
|
|
|
type proc_cpuinfo, fs_type;
|
2016-07-29 20:48:19 +02:00
|
|
|
type proc_interrupts, fs_type;
|
2015-07-13 17:39:17 +02:00
|
|
|
type proc_iomem, fs_type;
|
2016-02-24 02:09:48 +01:00
|
|
|
type proc_meminfo, fs_type;
|
2017-03-03 21:17:49 +01:00
|
|
|
type proc_misc, fs_type;
|
2017-03-02 09:02:29 +01:00
|
|
|
type proc_modules, fs_type;
|
2014-01-07 19:46:56 +01:00
|
|
|
type proc_net, fs_type;
|
2017-03-07 02:27:54 +01:00
|
|
|
type proc_perf, fs_type;
|
2016-07-29 20:48:19 +02:00
|
|
|
type proc_stat, fs_type;
|
2014-03-05 15:50:08 +01:00
|
|
|
type proc_sysrq, fs_type;
|
2016-07-29 20:48:19 +02:00
|
|
|
type proc_timer, fs_type;
|
2017-01-04 17:43:09 +01:00
|
|
|
type proc_tty_drivers, fs_type;
|
2015-05-13 02:14:35 +02:00
|
|
|
type proc_uid_cputime_showstat, fs_type;
|
|
|
|
type proc_uid_cputime_removeuid, fs_type;
|
2017-01-12 01:20:49 +01:00
|
|
|
type proc_uid_io_stats, fs_type;
|
2017-01-18 02:33:50 +01:00
|
|
|
type proc_uid_procstat_set, fs_type;
|
2017-06-07 19:39:11 +02:00
|
|
|
type proc_uid_time_in_state, fs_type;
|
2016-08-08 19:48:01 +02:00
|
|
|
type proc_zoneinfo, fs_type;
|
2014-09-11 21:51:28 +02:00
|
|
|
type selinuxfs, fs_type, mlstrustedobject;
|
2012-01-04 18:33:27 +01:00
|
|
|
type cgroup, fs_type, mlstrustedobject;
|
2014-05-08 19:18:52 +02:00
|
|
|
type sysfs, fs_type, sysfs_type, mlstrustedobject;
|
2016-03-25 15:52:22 +01:00
|
|
|
type sysfs_uio, sysfs_type, fs_type;
|
2016-01-05 23:32:54 +01:00
|
|
|
type sysfs_batteryinfo, fs_type, sysfs_type;
|
2012-11-16 15:06:47 +01:00
|
|
|
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
|
2017-01-05 02:56:04 +01:00
|
|
|
type sysfs_leds, fs_type, sysfs_type;
|
2016-03-12 00:23:49 +01:00
|
|
|
type sysfs_hwrandom, fs_type, sysfs_type;
|
2012-03-19 20:56:01 +01:00
|
|
|
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
|
2013-09-29 00:46:21 +02:00
|
|
|
type sysfs_wake_lock, fs_type, sysfs_type;
|
2015-07-24 22:25:45 +02:00
|
|
|
type sysfs_mac_address, fs_type, sysfs_type;
|
2016-06-10 18:04:58 +02:00
|
|
|
# NOTE(review): every other sysfs_* type visible in this file carries fs_type;
# this one carries file_type instead. Rules and neverallows keyed on fs_type
# would not cover it, while ones keyed on file_type would. Confirm that this
# is intended.
type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
|
2016-03-02 01:13:50 +01:00
|
|
|
type configfs, fs_type;
|
2013-10-23 18:08:23 +02:00
|
|
|
# /sys/devices/system/cpu
|
|
|
|
type sysfs_devices_system_cpu, fs_type, sysfs_type;
|
2014-02-13 21:19:50 +01:00
|
|
|
# /sys/module/lowmemorykiller
|
|
|
|
type sysfs_lowmemorykiller, fs_type, sysfs_type;
|
2016-06-30 23:23:12 +02:00
|
|
|
# /sys/module/wlan/parameters/fwpath
|
|
|
|
type sysfs_wlan_fwpath, fs_type, sysfs_type;
|
2016-10-11 20:01:49 +02:00
|
|
|
type sysfs_vibrator, fs_type, sysfs_type;
|
2016-03-24 17:23:54 +01:00
|
type sysfs_thermal, sysfs_type, fs_type;
2016-01-04 23:23:23 +01:00
|
|
|
type sysfs_zram, fs_type, sysfs_type;
|
|
|
|
type sysfs_zram_uevent, fs_type, sysfs_type;
|
2012-01-04 18:33:27 +01:00
|
|
|
type inotify, fs_type, mlstrustedobject;
|
2012-11-13 19:00:05 +01:00
|
|
|
type devpts, fs_type, mlstrustedobject;
|
2012-01-04 18:33:27 +01:00
|
|
|
type tmpfs, fs_type;
|
|
|
|
type shm, fs_type;
|
|
|
|
type mqueue, fs_type;
|
2014-07-08 20:45:09 +02:00
|
|
|
type fuse, sdcard_type, fs_type, mlstrustedobject;
|
2016-03-02 01:13:50 +01:00
|
|
|
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
|
2014-07-08 20:45:09 +02:00
|
|
|
type vfat, sdcard_type, fs_type, mlstrustedobject;
|
2015-12-14 22:57:26 +01:00
|
|
|
type debugfs, fs_type;
|
2016-06-18 00:05:10 +02:00
|
|
|
type debugfs_mmc, fs_type, debugfs_type;
|
2015-12-08 02:02:31 +01:00
|
|
|
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
|
2015-12-14 22:57:26 +01:00
|
|
|
type debugfs_tracing, fs_type, debugfs_type;
|
2016-05-18 00:32:04 +02:00
|
|
|
type debugfs_tracing_instances, fs_type, debugfs_type;
|
|
|
|
type debugfs_wifi_tracing, fs_type, debugfs_type;
|
tracefs: avoid overly generic regexes
On boot, Android runs restorecon on a number of virtual directories,
such as /sys and /sys/kernel/debug, to ensure that the SELinux labels
are correct. To avoid causing excessive boot time delays, the restorecon
code aggressively prunes directories, to avoid recursing down directory
trees which will never have a matching SELinux label.
See:
* https://android-review.googlesource.com/93401
* https://android-review.googlesource.com/109103
The key to this optimization is avoiding unnecessarily broad regular
expressions in file_contexts. If an overly broad regex exists, the tree
pruning code is ineffective, and the restorecon ends up visiting lots of
unnecessary directories.
The directory /sys/kernel/debug/tracing contains approximately 4500
files normally, and on debuggable builds, this number can jump to over
9000 files when the processing from wifi-events.rc occurs. For
comparison, the entire /sys/kernel/debug tree (excluding
/sys/kernel/debug/tracing) only contains approximately 8000 files. The
regular expression "/sys/kernel(/debug)?/tracing/(.*)?" ends up matching
a significant number of files, which impacts boot performance.
Instead of using an overly broad regex, refine the regex so only the
files needed have an entry in file_contexts. This list of files is
essentially a duplicate of the entries in
frameworks/native/cmds/atrace/atrace.rc .
This change reduces the restorecon_recursive call for /sys/kernel/debug
from approximately 260ms to 40ms, a boot time reduction of approximately
220ms.
Bug: 35248779
Test: device boots, no SELinux denials, faster boot.
Change-Id: I70f8af102762ec0180546b05fcf014c097135f3e
2017-02-12 07:01:58 +01:00
|
|
|
# Tracing nodes that, going by the name, are writable from the shell domain.
# NOTE(review): the commit that introduced this type replaced a broad
# file_contexts regex with per-file entries; keeping those entries per-file
# also keeps the set of nodes given this label explicit. Verify against
# file_contexts.
type tracing_shell_writable, fs_type, debugfs_type;
|
2014-04-10 06:32:54 +02:00
|
|
|
type pstorefs, fs_type;
|
2016-09-22 20:07:50 +02:00
|
|
|
type functionfs, fs_type, mlstrustedobject;
|
2014-05-30 14:49:51 +02:00
|
|
|
type oemfs, fs_type, contextmount_type;
|
2014-06-07 16:31:31 +02:00
|
|
|
type usbfs, fs_type;
|
2015-04-11 02:42:49 +02:00
|
|
|
type binfmt_miscfs, fs_type;
|
2016-01-28 07:48:39 +01:00
|
|
|
type app_fusefs, fs_type, contextmount_type;
|
2012-01-04 18:33:27 +01:00
# File types
|
|
|
|
type unlabeled, file_type;
|
|
|
|
# Default type for anything under /system.
|
|
|
|
type system_file, file_type;
|
2016-11-08 00:11:39 +01:00
|
|
|
# Speed up access to the runtime event tags for trusted applications
|
|
|
|
type runtime_event_log_tags_file, file_type;
|
2014-09-04 14:44:49 +02:00
|
|
|
# Type for /system/bin/logcat.
|
|
|
|
type logcat_exec, exec_type, file_type;
|
2014-10-31 20:40:12 +01:00
|
|
|
# /cores for coredumps on userdebug / eng builds
|
|
|
|
type coredump_file, file_type;
|
2012-01-04 18:33:27 +01:00
|
|
|
# Default type for anything under /data.
|
|
|
|
type system_data_file, file_type, data_file_type;
|
2015-03-11 23:44:14 +01:00
|
|
|
# Unencrypted data
|
|
|
|
type unencrypted_data_file, file_type, data_file_type;
|
2014-05-12 17:18:21 +02:00
|
|
|
# /data/.layout_version or other installd-created files that
|
|
|
|
# are created in a system_data_file directory.
|
|
|
|
type install_data_file, file_type, data_file_type;
|
2012-03-07 20:59:01 +01:00
|
|
|
# /data/drm - DRM plugin data
|
|
|
|
type drm_data_file, file_type, data_file_type;
|
2014-10-21 06:56:02 +02:00
|
|
|
# /data/adb - adb debugging files
|
|
|
|
type adb_data_file, file_type, data_file_type;
|
2012-01-04 18:33:27 +01:00
|
|
|
# /data/anr - ANR traces
|
2012-04-04 22:00:11 +02:00
|
|
|
type anr_data_file, file_type, data_file_type, mlstrustedobject;
|
2012-01-04 18:33:27 +01:00
|
|
|
# /data/tombstones - core dumps
|
2017-01-19 19:47:15 +01:00
|
|
|
type tombstone_data_file, file_type, data_file_type, mlstrustedobject;
|
2012-01-04 18:33:27 +01:00
|
|
|
# /data/app - user-installed apps
|
2012-03-19 15:24:52 +01:00
|
|
|
type apk_data_file, file_type, data_file_type;
|
|
|
|
type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
|
2013-04-03 20:21:46 +02:00
|
|
|
# /data/app-private - forward-locked apps
|
|
|
|
type apk_private_data_file, file_type, data_file_type;
|
|
|
|
type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
|
2012-01-04 18:33:27 +01:00
|
|
|
# /data/dalvik-cache
|
|
|
|
type dalvikcache_data_file, file_type, data_file_type;
|
2015-12-03 06:23:30 +01:00
|
|
|
# /data/ota
|
|
|
|
type ota_data_file, file_type, data_file_type;
|
2016-05-25 06:07:48 +02:00
|
|
|
# /data/ota_package
|
|
|
|
type ota_package_file, file_type, data_file_type, mlstrustedobject;
|
2016-02-01 20:28:39 +01:00
|
|
|
# /data/misc/profiles
|
|
|
|
type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
|
2016-05-27 21:41:35 +02:00
|
|
|
# /data/misc/profman
|
|
|
|
type profman_dump_data_file, file_type, data_file_type;
|
2014-06-16 23:19:31 +02:00
|
|
|
# /data/resource-cache
|
|
|
|
type resourcecache_data_file, file_type, data_file_type;
|
2012-01-04 18:33:27 +01:00
|
|
|
# /data/local - writable by shell
|
2014-09-11 21:51:28 +02:00
|
|
|
type shell_data_file, file_type, data_file_type, mlstrustedobject;
|
2014-05-29 15:22:16 +02:00
|
|
|
# /data/property
|
|
|
|
type property_data_file, file_type, data_file_type;
|
2014-12-05 06:40:22 +01:00
|
|
|
# /data/bootchart
|
|
|
|
type bootchart_data_file, file_type, data_file_type;
|
2015-04-08 01:40:44 +02:00
|
|
|
# /data/system/heapdump
|
|
|
|
type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
|
2015-10-29 00:45:58 +01:00
|
|
|
# /data/nativetest
|
|
|
|
type nativetest_data_file, file_type, data_file_type;
|
2016-02-23 01:50:01 +01:00
|
|
|
# /data/system_de/0/ringtones
|
2016-03-06 00:57:45 +01:00
|
|
|
type ringtone_file, file_type, data_file_type, mlstrustedobject;
|
2016-05-20 20:08:45 +02:00
|
|
|
# /data/preloads
|
|
|
|
type preloads_data_file, file_type, data_file_type;
|
2017-03-14 19:42:03 +01:00
|
|
|
# /data/preloads/media
|
|
|
|
type preloads_media_file, file_type, data_file_type;
|
2013-12-13 00:23:10 +01:00
|
|
|
|
Updated policy for external storage.
An upcoming platform release is redesigning how external storage
works. At a high level, vold is taking on a more active role in
managing devices that dynamically appear.
This change also creates further restricted domains for tools doing
low-level access of external storage devices, including sgdisk
and blkid. It also extends sdcardd to be launchable by vold, since
launching by init will eventually go away.
For compatibility, rules required to keep AOSP builds working are
marked with "TODO" to eventually remove.
Slightly relax system_server external storage rules to allow calls
like statfs(). Still neverallow open file descriptors, since they
can cause kernel to kill us.
Here are the relevant violations that this CL is designed to allow:
avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket
avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1
2015-03-27 19:25:39 +01:00
|
|
|
# Mount locations managed by vold
|
|
|
|
type mnt_media_rw_file, file_type;
|
|
|
|
type mnt_user_file, file_type;
|
2015-04-07 01:21:54 +02:00
|
|
|
type mnt_expand_file, file_type;
|
Updated policy for external storage.
An upcoming platform release is redesigning how external storage
works. At a high level, vold is taking on a more active role in
managing devices that dynamically appear.
This change also creates further restricted domains for tools doing
low-level access of external storage devices, including sgdisk
and blkid. It also extends sdcardd to be launchable by vold, since
launching by init will eventually go away.
For compatibility, rules required to keep AOSP builds working are
marked with "TODO" to eventually remove.
Slightly relax system_server external storage rules to allow calls
like statfs(). Still neverallow open file descriptors, since they
can cause kernel to kill us.
Here are the relevant violations that this CL is designed to allow:
avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket
avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1
2015-03-27 19:25:39 +01:00
|
|
|
type storage_file, file_type;
# Label for storage dirs which are just mount stubs
|
|
|
|
type mnt_media_rw_stub_file, file_type;
|
|
|
|
type storage_stub_file, file_type;
2016-03-02 01:14:45 +01:00
|
|
|
# /postinstall: Mount point used by update_engine to run postinstall.
|
|
|
|
type postinstall_mnt_dir, file_type;
|
|
|
|
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
|
2016-04-06 01:07:25 +02:00
|
|
|
type postinstall_file, file_type;
|
2016-03-02 01:14:45 +01:00
2012-01-04 18:33:27 +01:00
|
|
|
# /data/misc subdirectories
|
2013-12-13 00:23:10 +01:00
|
|
|
type adb_keys_file, file_type, data_file_type;
|
2013-11-07 19:42:46 +01:00
|
|
|
type audio_data_file, file_type, data_file_type;
|
2016-08-04 22:40:23 +02:00
|
|
|
type audiohal_data_file, file_type, data_file_type;
|
2016-02-24 01:16:16 +01:00
|
|
|
type audioserver_data_file, file_type, data_file_type;
|
2012-01-04 18:33:27 +01:00
|
|
|
type bluetooth_data_file, file_type, data_file_type;
|
2016-09-16 21:55:42 +02:00
|
|
|
type bluetooth_logs_data_file, file_type, data_file_type;
|
2016-01-19 19:54:20 +01:00
|
|
|
type bootstat_data_file, file_type, data_file_type;
|
2015-06-24 08:24:17 +02:00
|
|
|
type boottrace_data_file, file_type, data_file_type;
|
2013-12-13 00:23:10 +01:00
|
|
|
type camera_data_file, file_type, data_file_type;
|
2015-04-18 02:56:31 +02:00
|
|
|
type gatekeeper_data_file, file_type, data_file_type;
|
2016-11-21 08:23:04 +01:00
|
|
|
type incident_data_file, file_type, data_file_type;
|
2014-10-13 13:10:08 +02:00
|
|
|
type keychain_data_file, file_type, data_file_type;
|
2012-01-04 18:33:27 +01:00
|
|
|
type keystore_data_file, file_type, data_file_type;
|
2013-12-13 00:23:10 +01:00
|
|
|
type media_data_file, file_type, data_file_type;
|
2014-09-11 21:51:28 +02:00
|
|
|
type media_rw_data_file, file_type, data_file_type, mlstrustedobject;
|
2014-10-13 13:10:08 +02:00
|
|
|
type misc_user_data_file, file_type, data_file_type;
|
2014-07-08 07:04:57 +02:00
|
|
|
type net_data_file, file_type, data_file_type;
|
2013-12-13 00:23:10 +01:00
|
|
|
type nfc_data_file, file_type, data_file_type;
|
2014-09-11 21:51:28 +02:00
|
|
|
type radio_data_file, file_type, data_file_type, mlstrustedobject;
|
2017-02-07 00:52:24 +01:00
|
|
|
type reboot_data_file, file_type, data_file_type;
|
2016-03-16 16:11:49 +01:00
|
|
|
type recovery_data_file, file_type, data_file_type;
|
2014-05-23 12:01:58 +02:00
|
|
|
type shared_relro_file, file_type, data_file_type;
|
2012-01-04 18:33:27 +01:00
|
|
|
type systemkeys_data_file, file_type, data_file_type;
|
2013-12-13 00:23:10 +01:00
|
|
|
type vpn_data_file, file_type, data_file_type;
|
2012-01-04 18:33:27 +01:00
|
|
|
type wifi_data_file, file_type, data_file_type;
|
2013-12-13 00:32:42 +01:00
|
|
|
type zoneinfo_data_file, file_type, data_file_type;
|
2015-04-01 00:03:13 +02:00
|
|
|
type vold_data_file, file_type, data_file_type;
|
2015-05-06 00:11:44 +02:00
|
|
|
type perfprofd_data_file, file_type, data_file_type, mlstrustedobject;
|
2015-11-10 19:49:57 +01:00
|
|
|
# /data/misc/trace for method traces on userdebug / eng builds
|
|
|
|
type method_trace_data_file, file_type, data_file_type, mlstrustedobject;
|
2013-12-13 00:23:10 +01:00
|
|
|
|
2012-01-04 18:33:27 +01:00
|
|
|
# /data/data subdirectories - app sandboxes
|
|
|
|
type app_data_file, file_type, data_file_type;
|
2014-05-07 19:10:02 +02:00
|
|
|
# /data/data subdirectory for system UID apps.
|
2015-02-11 02:10:05 +01:00
|
|
|
type system_app_data_file, file_type, data_file_type, mlstrustedobject;
|
2014-03-12 18:31:14 +01:00
|
|
|
# Compatibility with type name used in Android 4.3 and 4.4.
|
2012-01-04 18:33:27 +01:00
|
|
|
# Default type for anything under /cache
|
|
|
|
type cache_file, file_type, mlstrustedobject;
|
2016-01-28 20:30:41 +01:00
|
|
|
# Type for /cache/backup_stage/* (fd interchange with apps)
|
2012-12-04 14:13:58 +01:00
|
|
|
type cache_backup_file, file_type, mlstrustedobject;
|
2016-01-28 20:30:41 +01:00
|
|
|
# type for anything under /cache/backup (local transport storage)
|
|
|
|
# Unlike cache_file, cache_backup_file and cache_recovery_file, this type is
# not tagged mlstrustedobject.
# NOTE(review): presumably this keeps local-transport backup storage behind
# MLS separation as well as type enforcement. Confirm before adding the
# attribute for consistency.
type cache_private_backup_file, file_type;
|
2015-12-22 21:37:17 +01:00
|
|
|
# Type for anything under /cache/recovery
|
|
|
|
type cache_recovery_file, file_type, mlstrustedobject;
|
2012-01-04 18:33:27 +01:00
|
|
|
# Default type for anything under /efs
|
|
|
|
type efs_file, file_type;
|
2012-03-19 15:29:36 +01:00
|
|
|
# Type for wallpaper file.
|
2016-02-23 01:50:01 +01:00
|
|
|
type wallpaper_file, file_type, data_file_type, mlstrustedobject;
|
2016-03-09 00:06:44 +01:00
|
|
|
# Type for shortcut manager icon file.
|
|
|
|
type shortcut_manager_icons, file_type, data_file_type, mlstrustedobject;
|
2016-02-25 16:37:06 +01:00
|
|
|
# Type for user icon file.
|
|
|
|
type icon_file, file_type, data_file_type;
|
2012-10-22 19:50:01 +02:00
|
|
|
# /mnt/asec
|
2014-09-30 17:12:55 +02:00
|
|
|
type asec_apk_file, file_type, data_file_type, mlstrustedobject;
|
2014-02-04 17:36:41 +01:00
|
|
|
# Elements of asec files (/mnt/asec) that are world readable
|
|
|
|
type asec_public_file, file_type, data_file_type;
|
2012-10-22 19:50:01 +02:00
|
|
|
# /data/app-asec
|
|
|
|
type asec_image_file, file_type, data_file_type;
|
2012-12-04 14:13:58 +01:00
|
|
|
# /data/backup and /data/secure/backup
|
|
|
|
type backup_data_file, file_type, data_file_type, mlstrustedobject;
|
2012-05-31 15:40:12 +02:00
|
|
|
# All devices have bluetooth efs files. But they
|
|
|
|
# vary per device, so this type is used in per
|
2012-09-07 03:50:35 +02:00
|
|
|
# device policy
|
2012-05-31 15:40:12 +02:00
|
|
|
type bluetooth_efs_file, file_type;
|
2016-12-16 04:46:43 +01:00
|
|
|
# Type for fingerprint template file
|
2015-05-13 00:16:06 +02:00
|
|
|
type fingerprintd_data_file, file_type, data_file_type;
|
2016-01-28 07:48:39 +01:00
|
|
|
# Type for appfuse file.
|
2016-03-22 09:14:30 +01:00
|
|
|
type app_fuse_file, file_type, data_file_type, mlstrustedobject;
# Socket types
type adbd_socket, file_type;
type bluetooth_socket, file_type;
type dnsproxyd_socket, file_type, mlstrustedobject;
type dumpstate_socket, file_type;
type fwmarkd_socket, file_type, mlstrustedobject;
type lmkd_socket, file_type;
type logd_socket, file_type, mlstrustedobject;
type logdr_socket, file_type, mlstrustedobject;
type logdw_socket, file_type, mlstrustedobject;
type mdns_socket, file_type;
type mdnsd_socket, file_type, mlstrustedobject;
# NOTE(review): declared in the socket-types section, but the name reads like
# a regular file type rather than a socket - confirm the grouping is intended.
type misc_logd_file, file_type;
type mtpd_socket, file_type;
type netd_socket, file_type;
type property_socket, file_type, mlstrustedobject;
type racoon_socket, file_type;
type rild_socket, file_type;
type rild_debug_socket, file_type;
type system_wpa_socket, file_type;
type system_ndebug_socket, file_type, mlstrustedobject;
type tombstoned_crash_socket, file_type, mlstrustedobject;
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
# Unlike tombstoned_crash_socket and tombstoned_java_trace_socket, this type
# is not mlstrustedobject, so MLS constraints still apply to it.
type tombstoned_intercept_socket, file_type;
type uncrypt_socket, file_type;
type vold_socket, file_type;
type webview_zygote_socket, file_type;
type wpa_socket, file_type;
# hostapd control interface.
type hostapd_socket, file_type;
type zygote_socket, file_type;
type sap_uim_socket, file_type;
# UART (for GPS) control proc file
type gps_control, file_type;
# PDX endpoint types
type pdx_display_dir, pdx_endpoint_dir_type, file_type;
type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
type pdx_sensors_dir, pdx_endpoint_dir_type, file_type;
type pdx_pose_dir, pdx_endpoint_dir_type, file_type;
type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;
# pdx_service_socket_types is a macro defined outside this listing; it is
# invoked with a service name and one of the pdx_*_dir endpoint directory types.
# NOTE(review): confirm which socket types and attributes it generates before
# writing allow rules against them.
pdx_service_socket_types(display_client, pdx_display_dir)
pdx_service_socket_types(display_manager, pdx_display_dir)
pdx_service_socket_types(display_screenshot, pdx_display_dir)
pdx_service_socket_types(display_vsync, pdx_display_dir)
pdx_service_socket_types(performance_client, pdx_performance_dir)
pdx_service_socket_types(sensors_client, pdx_sensors_dir)
pdx_service_socket_types(pose_client, pdx_pose_dir)
pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
# property_contexts file
type property_contexts, file_type;
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
allow postinstall_file self:filesystem associate;
# It's a bug to assign both the file_type attribute and the fs_type
# attribute to the same type. Do not allow it.
#
# For example, the following is a bug:
# type apk_data_file, file_type, data_file_type, fs_type;
# Should be:
# type apk_data_file, file_type, data_file_type;
# Build-time assertion: a type carrying both attributes would match
# "allow fs_type self:filesystem associate" with itself as a file_type
# target, which this neverallow rejects when the policy is compiled.
neverallow fs_type file_type:filesystem associate;