2017-02-16 21:04:40 +01:00
|
|
|
# /proc/config.gz
|
2018-02-16 03:07:18 +01:00
|
|
|
type config_gz, fs_type, proc_type;
|
2017-09-26 21:58:29 +02:00
|
|
|
|
much more finegrained bpf selinux privs for networking mainline
Goal is to gain a better handle on who has access to which maps
and to allow (with bpfloader changes to create in one directory
and move into the target directory) per-map selection of
selinux context, while still having reasonable defaults for stuff
pinned directly into the target location.
BPFFS (ie. /sys/fs/bpf) labelling is as follows:
subdirectory selinux context mainline usecase / usable by
/ fs_bpf no (*) core operating system (ie. platform)
/net_private fs_bpf_net_private yes, T+ network_stack
/net_shared fs_bpf_net_shared yes, T+ network_stack & system_server
/netd_readonly fs_bpf_netd_readonly yes, T+ network_stack & system_server & r/o to netd
/netd_shared fs_bpf_netd_shared yes, T+ network_stack & system_server & netd [**]
/tethering fs_bpf_tethering yes, S+ network_stack
/vendor fs_bpf_vendor no, T+ vendor
* initial support for bpf was added back in P,
but things worked differently back then with no bpfloader,
and instead netd doing stuff by hand,
bpfloader with pinning into /sys/fs/bpf was (I believe) added in Q
(and was definitely there in R)
** additionally bpf programs are accesible to netutils_wrapper
for use by iptables xt_bpf extensions
'mainline yes' currently means shipped by the com.android.tethering apex,
but this is really another case of bad naming, as it's really
the 'networking/connectivity/tethering' apex / mainline module.
Long term the plan is to merge a few other networking mainline modules
into it (and maybe give it a saner name...).
The reason for splitting net_private vs tethering is that:
S+ must support 4.9+ kernels and S era bpfloader v0.2+
T+ must support 4.14+ kernels and T beta3 era bpfloader v0.13+
The kernel affects the intelligence of the in-kernel bpf verifier
and the available bpf helper functions. Older kernels have
a tendency to reject programs that newer kernels allow.
/ && /vendor are not shipped via mainline, so only need to work
with the bpfloader that's part of the core os.
Bug: 218408035
Test: TreeHugger, manually on cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I674866ebe32aca4fc851818c1ffcbec12ac4f7d4
(cherry picked from commit 15715aea32b85c933778b97a46de6ccab42ca7fb)
2022-05-21 14:03:29 +02:00
|
|
|
# /sys/fs/bpf/<dir> for mainline tethering use
|
|
|
|
# TODO: move S+ fs_bpf_tethering here from public/file.te
|
|
|
|
type fs_bpf_net_private, fs_type, bpffs_type;
|
|
|
|
type fs_bpf_net_shared, fs_type, bpffs_type;
|
|
|
|
type fs_bpf_netd_readonly, fs_type, bpffs_type;
|
|
|
|
type fs_bpf_netd_shared, fs_type, bpffs_type;
|
2022-12-01 15:45:35 +01:00
|
|
|
type fs_bpf_loader, fs_type, bpffs_type;
|
much more finegrained bpf selinux privs for networking mainline
Goal is to gain a better handle on who has access to which maps
and to allow (with bpfloader changes to create in one directory
and move into the target directory) per-map selection of
selinux context, while still having reasonable defaults for stuff
pinned directly into the target location.
BPFFS (ie. /sys/fs/bpf) labelling is as follows:
subdirectory selinux context mainline usecase / usable by
/ fs_bpf no (*) core operating system (ie. platform)
/net_private fs_bpf_net_private yes, T+ network_stack
/net_shared fs_bpf_net_shared yes, T+ network_stack & system_server
/netd_readonly fs_bpf_netd_readonly yes, T+ network_stack & system_server & r/o to netd
/netd_shared fs_bpf_netd_shared yes, T+ network_stack & system_server & netd [**]
/tethering fs_bpf_tethering yes, S+ network_stack
/vendor fs_bpf_vendor no, T+ vendor
* initial support for bpf was added back in P,
but things worked differently back then with no bpfloader,
and instead netd doing stuff by hand,
bpfloader with pinning into /sys/fs/bpf was (I believe) added in Q
(and was definitely there in R)
** additionally bpf programs are accesible to netutils_wrapper
for use by iptables xt_bpf extensions
'mainline yes' currently means shipped by the com.android.tethering apex,
but this is really another case of bad naming, as it's really
the 'networking/connectivity/tethering' apex / mainline module.
Long term the plan is to merge a few other networking mainline modules
into it (and maybe give it a saner name...).
The reason for splitting net_private vs tethering is that:
S+ must support 4.9+ kernels and S era bpfloader v0.2+
T+ must support 4.14+ kernels and T beta3 era bpfloader v0.13+
The kernel affects the intelligence of the in-kernel bpf verifier
and the available bpf helper functions. Older kernels have
a tendency to reject programs that newer kernels allow.
/ && /vendor are not shipped via mainline, so only need to work
with the bpfloader that's part of the core os.
Bug: 218408035
Test: TreeHugger, manually on cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I674866ebe32aca4fc851818c1ffcbec12ac4f7d4
(cherry picked from commit 15715aea32b85c933778b97a46de6ccab42ca7fb)
2022-05-21 14:03:29 +02:00
|
|
|
|
2017-09-26 21:58:29 +02:00
|
|
|
# /data/misc/storaged
|
|
|
|
type storaged_data_file, file_type, data_file_type, core_data_file_type;
|
2017-11-17 17:23:32 +01:00
|
|
|
|
|
|
|
# /data/misc/wmtrace for wm traces
|
2023-01-20 21:14:31 +01:00
|
|
|
type wm_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
2018-01-24 17:07:09 +01:00
|
|
|
|
2021-02-09 21:03:40 +01:00
|
|
|
# /data/misc/a11ytrace for accessibility traces
|
|
|
|
type accessibility_trace_data_file, file_type, data_file_type, core_data_file_type;
|
|
|
|
|
2018-01-24 17:07:09 +01:00
|
|
|
# /data/misc/perfetto-traces for perfetto traces
|
|
|
|
type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
|
2018-11-29 19:37:18 +01:00
|
|
|
|
2021-01-07 18:12:21 +01:00
|
|
|
# /data/misc/perfetto-traces/bugreport for perfetto traces for bugreports.
|
|
|
|
type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_file_type;
|
|
|
|
|
2020-10-13 22:13:09 +02:00
|
|
|
# /data/misc/perfetto-configs for perfetto configs
|
|
|
|
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
|
|
|
|
|
2022-05-11 22:43:54 +02:00
|
|
|
# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
|
|
|
|
type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
|
2022-03-15 18:28:02 +01:00
|
|
|
# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
|
|
|
|
type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
|
|
|
|
|
2018-11-29 19:37:18 +01:00
|
|
|
# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
|
|
|
|
type debugfs_kcov, fs_type, debugfs_type;
|
|
|
|
|
2019-01-11 18:37:46 +01:00
|
|
|
# App executable files in /data/data directories
|
|
|
|
type app_exec_data_file, file_type, data_file_type, core_data_file_type;
|
|
|
|
typealias app_exec_data_file alias rs_data_file;
|
2019-01-14 16:02:12 +01:00
|
|
|
|
|
|
|
# /data/misc_[ce|de]/rollback : Used by installd to store snapshots
|
|
|
|
# of application data.
|
|
|
|
type rollback_data_file, file_type, data_file_type, core_data_file_type;
|
2019-07-08 12:02:05 +02:00
|
|
|
|
2021-10-06 07:13:20 +02:00
|
|
|
# /data/misc_ce/checkin for checkin apps.
|
|
|
|
type checkin_data_file, file_type, data_file_type, core_data_file_type;
|
|
|
|
|
2019-08-07 22:01:15 +02:00
|
|
|
# /data/gsi/ota
|
|
|
|
type ota_image_data_file, file_type, data_file_type, core_data_file_type;
|
2019-10-15 22:13:56 +02:00
|
|
|
|
2020-12-25 10:32:13 +01:00
|
|
|
# /data/gsi_persistent_data
|
|
|
|
type gsi_persistent_data_file, file_type, data_file_type, core_data_file_type;
|
|
|
|
|
2019-10-15 22:13:56 +02:00
|
|
|
# /data/misc/emergencynumberdb
|
|
|
|
type emergency_data_file, file_type, data_file_type, core_data_file_type;
|
2020-06-18 06:43:23 +02:00
|
|
|
|
|
|
|
# /data/misc/profcollectd
|
|
|
|
type profcollectd_data_file, file_type, data_file_type, core_data_file_type;
|
2020-10-16 16:29:55 +02:00
|
|
|
|
|
|
|
# /data/misc/apexdata/com.android.art
|
2021-07-12 15:21:48 +02:00
|
|
|
type apex_art_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
|
2020-10-16 16:29:55 +02:00
|
|
|
|
|
|
|
# /data/misc/apexdata/com.android.art/staging
|
|
|
|
type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
|
2021-01-21 22:08:31 +01:00
|
|
|
|
2021-07-12 16:12:37 +02:00
|
|
|
# /data/misc/apexdata/com.android.compos
|
|
|
|
type apex_compos_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
|
|
|
|
|
2022-02-08 16:44:06 +01:00
|
|
|
# legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
|
|
|
|
# for backward compatibility b/217581286
|
|
|
|
type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
|
|
|
|
type apex_permission_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
|
|
|
|
type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
|
2022-04-20 12:48:06 +02:00
|
|
|
type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
|
2022-02-08 16:44:06 +01:00
|
|
|
type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
|
|
|
|
|
2021-01-21 22:08:31 +01:00
|
|
|
# /data/font/files
|
|
|
|
type font_data_file, file_type, data_file_type, core_data_file_type;
|
2020-11-27 12:23:54 +01:00
|
|
|
|
2022-01-28 19:48:27 +01:00
|
|
|
# /data/misc/dmesgd
|
|
|
|
type dmesgd_data_file, file_type, data_file_type, core_data_file_type;
|
|
|
|
|
2021-04-09 16:17:38 +02:00
|
|
|
# /data/misc/odrefresh
|
|
|
|
type odrefresh_data_file, file_type, data_file_type, core_data_file_type;
|
|
|
|
|
2020-11-27 12:23:54 +01:00
|
|
|
# /data/misc/odsign
|
|
|
|
type odsign_data_file, file_type, data_file_type, core_data_file_type;
|
2021-03-19 12:08:49 +01:00
|
|
|
|
2022-02-24 12:50:35 +01:00
|
|
|
# /data/misc/odsign_metrics
|
|
|
|
type odsign_metrics_file, file_type, data_file_type, core_data_file_type;
|
|
|
|
|
2021-05-19 19:10:43 +02:00
|
|
|
# /data/misc/virtualizationservice
|
2022-12-15 14:38:42 +01:00
|
|
|
# The type needs to be mlstrustedobject to allow for being accessed from
|
|
|
|
# virtualizationmanager, which runs at a more constrained MLS level.
|
|
|
|
type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
2021-05-19 19:10:43 +02:00
|
|
|
|
2021-03-19 12:08:49 +01:00
|
|
|
# /data/system/environ
|
|
|
|
type environ_system_data_file, file_type, data_file_type, core_data_file_type;
|
2021-03-29 19:19:12 +02:00
|
|
|
|
2021-12-23 23:37:41 +01:00
|
|
|
# /data/bootanim
|
|
|
|
type bootanim_data_file, file_type, data_file_type, core_data_file_type;
|
|
|
|
|
2021-03-29 19:19:12 +02:00
|
|
|
# /dev/kvm
|
2022-12-15 14:38:42 +01:00
|
|
|
# The type needs to be mlstrustedobject to allow for being accessed from
|
|
|
|
# crosvm, which runs at a more constrained MLS level.
|
|
|
|
type kvm_device, dev_type, mlstrustedobject;
|
2021-09-21 14:32:24 +02:00
|
|
|
|
|
|
|
# /apex/com.android.virt/bin/fd_server
|
|
|
|
type fd_server_exec, system_file_type, exec_type, file_type;
|
2021-11-17 08:51:11 +01:00
|
|
|
|
2022-02-14 15:33:37 +01:00
|
|
|
# /apex/com.android.compos/bin/compsvc
|
|
|
|
type compos_exec, exec_type, file_type, system_file_type;
|
|
|
|
# /apex/com.android.compos/bin/compos_key_helper
|
|
|
|
type compos_key_helper_exec, exec_type, file_type, system_file_type;
|
|
|
|
|
2021-11-17 08:51:11 +01:00
|
|
|
# /metadata/sepolicy
|
|
|
|
type sepolicy_metadata_file, file_type;
|
2021-12-03 15:21:54 +01:00
|
|
|
|
|
|
|
# /dev/selinux/test - used to verify that apex sepolicy is loaded and
|
|
|
|
# property labeled.
|
|
|
|
type sepolicy_test_file, file_type;
|
2022-07-19 22:29:31 +02:00
|
|
|
|
|
|
|
# /apex/com.android.art/bin/art_exec
|
|
|
|
# This executable does not have its own domain because it is executed in the caller's domain. For
|
|
|
|
# example, it is executed in the `artd` domain when artd calls it.
|
|
|
|
type art_exec_exec, system_file_type, exec_type, file_type;
|
2022-09-16 16:31:39 +02:00
|
|
|
|
|
|
|
# Filesystem entry for for PRNG seeder socket. Processes require
|
|
|
|
# write permission on this to connect, and needs to be mlstrustedobject
|
|
|
|
# in to satisfy MLS constraints for trusted domains.
|
|
|
|
type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
|
2023-02-06 17:49:24 +01:00
|
|
|
|
|
|
|
# /sys/firmware/devicetree/base/avf
|
|
|
|
type sysfs_dt_avf, fs_type, sysfs_type;
|