# Filesystem types
type labeledfs, fs_type;
type pipefs, fs_type;
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type;
# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type, sysfs_type;
type qtaguid_proc, fs_type, mlstrustedobject;
type proc_bluetooth_writable, fs_type;
type proc_net, fs_type;
type proc_sysrq, fs_type;
type selinuxfs, fs_type;
type cgroup, fs_type, mlstrustedobject;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
# /sys/module/lowmemorykiller
type sysfs_lowmemorykiller, fs_type, sysfs_type;
type inotify, fs_type, mlstrustedobject;
type devpts, fs_type, mlstrustedobject;
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;
type sdcard_internal, sdcard_type, fs_type, mlstrustedobject;
type sdcard_external, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type, mlstrustedobject;
type pstorefs, fs_type;
type functionfs, fs_type;
type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
# File types
type unlabeled, file_type;
# Default type for anything under /system.
type system_file, file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type;
# /data/.layout_version or other installd-created files that
# are created in a system_data_file directory.
type install_data_file, file_type, data_file_type;
# /data/drm - DRM plugin data
type drm_data_file, file_type, data_file_type;
# /data/anr - ANR traces
type anr_data_file, file_type, data_file_type, mlstrustedobject;
# /data/tombstones - core dumps
type tombstone_data_file, file_type, data_file_type;
# /data/app - user-installed apps
type apk_data_file, file_type, data_file_type;
type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/app-private - forward-locked apps
type apk_private_data_file, file_type, data_file_type;
type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type;
# /data/dalvik-cache/profiles
type dalvikcache_profiles_data_file, file_type, data_file_type;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type;
# /data/local - writable by shell
type shell_data_file, file_type, data_file_type;
# /data/gps
type gps_data_file, file_type, data_file_type;
# /data/property
type property_data_file, file_type, data_file_type;
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type;
type audio_data_file, file_type, data_file_type;
type bluetooth_data_file, file_type, data_file_type;
type camera_data_file, file_type, data_file_type;
type keystore_data_file, file_type, data_file_type;
type media_data_file, file_type, data_file_type;
type media_rw_data_file, file_type, data_file_type;
type nfc_data_file, file_type, data_file_type;
type radio_data_file, file_type, data_file_type;
type shared_relro_file, file_type, data_file_type;
type systemkeys_data_file, file_type, data_file_type;
type vpn_data_file, file_type, data_file_type;
type wifi_data_file, file_type, data_file_type;
type zoneinfo_data_file, file_type, data_file_type;
# Compatibility with type names used in vanilla Android 4.3 and 4.4.
typealias audio_data_file alias audio_firmware_file;
# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type;
# /data/data subdirectory for system UID apps.
type system_app_data_file, file_type, data_file_type;
# Compatibility with type name used in Android 4.3 and 4.4.
typealias app_data_file alias platform_app_data_file;
typealias app_data_file alias download_file;
# Default type for anything under /cache
type cache_file, file_type, mlstrustedobject;
# Type for /cache/.*\.{data|restore} and default
# type for anything under /cache/backup
type cache_backup_file, file_type, mlstrustedobject;
# Default type for anything under /efs
type efs_file, file_type;
# Type for wallpaper file.
type wallpaper_file, file_type, mlstrustedobject;
# /mnt/asec
type asec_apk_file, file_type, data_file_type;
# Elements of asec files (/mnt/asec) that are world readable
type asec_public_file, file_type, data_file_type;
# /data/app-asec
type asec_image_file, file_type, data_file_type;
# /data/backup and /data/secure/backup
type backup_data_file, file_type, data_file_type, mlstrustedobject;
# For /data/security
type security_file, file_type;
# All devices have bluetooth efs files, but they
# vary per device, so this type is used in the
# per-device policy.
type bluetooth_efs_file, file_type;
# Socket types
type adbd_socket, file_type;
type bluetooth_socket, file_type;
type dnsproxyd_socket, file_type, mlstrustedobject;
type dumpstate_socket, file_type;
type fwmarkd_socket, file_type, mlstrustedobject;
type gps_socket, file_type;
type installd_socket, file_type;
type lmkd_socket, file_type;
type logd_debug, file_type;
type logd_socket, file_type;
type logdr_socket, file_type;
type logdw_socket, file_type;
type mdns_socket, file_type;
type mdnsd_socket, file_type;
type mtpd_socket, file_type;
type netd_socket, file_type;
type property_socket, file_type;
type racoon_socket, file_type;
type rild_socket, file_type;
type rild_debug_socket, file_type;
type system_wpa_socket, file_type;
type system_ndebug_socket, file_type;
type vold_socket, file_type;
type wpa_socket, file_type;
type zygote_socket, file_type;
# UART (for GPS) control proc file
type gps_control, file_type;
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
allow dev_type tmpfs:filesystem associate;
# It's a bug to assign both the file_type attribute and the
# fs_type attribute to the same type. Do not allow it.
#
# For example, the following is a bug:
# type apk_data_file, file_type, data_file_type, fs_type;
# Should be:
# type apk_data_file, file_type, data_file_type;
neverallow fs_type file_type:filesystem *;