SE Android policy.

Android.mk

@@ -0,0 +1,34 @@
+LOCAL_PATH:= $(call my-dir)
+include $(CLEAR_VARS)
+
+# SELinux policy version.
+# Must be <= /selinux/policyvers reported by the Android kernel.
+# Must be within the compatibility range reported by checkpolicy -V.
+POLICYVERS := 24
+
+MLS_SENS=1
+MLS_CATS=1024
+
+file := $(TARGET_ROOT_OUT)/policy.$(POLICYVERS)
+$(file) : $(LOCAL_PATH)/policy.$(POLICYVERS) | $(ACP)
+	$(transform-prebuilt-to-target)
+ALL_PREBUILT += $(file)
+$(INSTALLED_RAMDISK_TARGET): $(file)
+
+$(LOCAL_PATH)/policy.$(POLICYVERS): $(LOCAL_PATH)/policy.conf
+	checkpolicy -M -c $(POLICYVERS) -o $@ $<
+
+$(LOCAL_PATH)/policy.conf: $(wildcard $(addprefix $(LOCAL_PATH)/,security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te roles users ocontexts))
+	m4 -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -s $^ > $@
+
+file := $(TARGET_ROOT_OUT)/file_contexts
+$(file) : $(LOCAL_PATH)/file_contexts | $(ACP)
+	$(transform-prebuilt-to-target)
+ALL_PREBUILT += $(file)
+$(INSTALLED_RAMDISK_TARGET): $(file)
+
+file := $(TARGET_ROOT_OUT)/seapp_contexts
+$(file) : $(LOCAL_PATH)/seapp_contexts | $(ACP)
+	$(transform-prebuilt-to-target)
+ALL_PREBUILT += $(file)
+$(INSTALLED_RAMDISK_TARGET): $(file)

access_vectors

@@ -0,0 +1,882 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+	ioctl
+	read
+	write
+	create
+	getattr
+	setattr
+	lock
+	relabelfrom
+	relabelto
+	append
+	unlink
+	link
+	rename
+	execute
+	swapon
+	quotaon
+	mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+	ioctl
+	read
+	write
+	create
+	getattr
+	setattr
+	lock
+	relabelfrom
+	relabelto
+	append
+# socket-specific
+	bind
+	connect
+	listen
+	accept
+	getopt
+	setopt
+	shutdown
+	recvfrom
+	sendto
+	recv_msg
+	send_msg
+	name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+	create
+	destroy
+	getattr
+	setattr
+	read
+	write
+	associate
+	unix_read
+	unix_write
+}
+
+#
+#  Define a common prefix for userspace database object access vectors.
+#
+
+common database
+{
+	create
+	drop
+	getattr
+	setattr
+	relabelfrom
+	relabelto
+}
+
+#
+# Define a common prefix for pointer and keyboard access vectors.
+#
+
+common x_device
+{
+	getattr
+	setattr
+	use
+	read
+	write
+	getfocus
+	setfocus
+	bell
+	force_cursor
+	freeze
+	grab
+	manage
+	list_property
+	get_property
+	set_property
+	add
+	remove
+	create
+	destroy
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+	mount
+	remount
+	unmount
+	getattr
+	relabelfrom
+	relabelto
+	transition
+	associate
+	quotamod
+	quotaget
+}
+
+class dir
+inherits file
+{
+	add_name
+	remove_name
+	reparent
+	search
+	rmdir
+	open
+	audit_access
+	execmod
+}
+
+class file
+inherits file
+{
+	execute_no_trans
+	entrypoint
+	execmod
+	open
+	audit_access
+}
+
+class lnk_file
+inherits file
+{
+	open
+	audit_access
+	execmod
+}
+
+class chr_file
+inherits file
+{
+	execute_no_trans
+	entrypoint
+	execmod
+	open
+	audit_access
+}
+
+class blk_file
+inherits file
+{
+	open
+	audit_access
+	execmod
+}
+
+class sock_file
+inherits file
+{
+	open
+	audit_access
+	execmod
+}
+
+class fifo_file
+inherits file
+{
+	open
+	audit_access
+	execmod
+}
+
+class fd
+{
+	use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+	connectto
+	newconn
+	acceptfrom
+	node_bind
+	name_connect
+}
+
+class udp_socket
+inherits socket
+{
+	node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+	node_bind
+}
+
+class node
+{
+	tcp_recv
+	tcp_send
+	udp_recv
+	udp_send
+	rawip_recv
+	rawip_send
+	enforce_dest
+	dccp_recv
+	dccp_send
+	recvfrom
+	sendto
+}
+
+class netif
+{
+	tcp_recv
+	tcp_send
+	udp_recv
+	udp_send
+	rawip_recv
+	rawip_send
+	dccp_recv
+	dccp_send
+	ingress
+	egress
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+	connectto
+	newconn
+	acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+	fork
+	transition
+	sigchld # commonly granted from child to parent
+	sigkill # cannot be caught or ignored
+	sigstop # cannot be caught or ignored
+	signull # for kill(pid, 0)
+	signal  # all other signals
+	ptrace
+	getsched
+	setsched
+	getsession
+	getpgid
+	setpgid
+	getcap
+	setcap
+	share
+	getattr
+	setexec
+	setfscreate
+	noatsecure
+	siginh
+	setrlimit
+	rlimitinh
+	dyntransition
+	setcurrent
+	execmem
+	execstack
+	execheap
+	setkeycreate
+	setsockcreate
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+	enqueue
+}
+
+class msg
+{
+	send
+	receive
+}
+
+class shm
+inherits ipc
+{
+	lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+	compute_av
+	compute_create
+	compute_member
+	check_context
+	load_policy
+	compute_relabel
+	compute_user
+	setenforce     # was avc_toggle in system class
+	setbool
+	setsecparam
+	setcheckreqprot
+	read_policy
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+	ipc_info
+	syslog_read
+	syslog_mod
+	syslog_console
+	module_request
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+	# The capabilities are defined in include/linux/capability.h
+	# Capabilities >= 32 are defined in the capability2 class.
+	# Care should be taken to ensure that these are consistent with
+	# those definitions. (Order matters)
+
+	chown
+	dac_override
+	dac_read_search
+	fowner
+	fsetid
+	kill
+	setgid
+	setuid
+	setpcap
+	linux_immutable
+	net_bind_service
+	net_broadcast
+	net_admin
+	net_raw
+	ipc_lock
+	ipc_owner
+	sys_module
+	sys_rawio
+	sys_chroot
+	sys_ptrace
+	sys_pacct
+	sys_admin
+	sys_boot
+	sys_nice
+	sys_resource
+	sys_time
+	sys_tty_config
+	mknod
+	lease
+	audit_write
+	audit_control
+	setfcap
+}
+
+class capability2
+{
+	mac_override	# unused by SELinux
+	mac_admin	# unused by SELinux
+	syslog
+}
+
+#
+# Define the access vector interpretation for controlling
+# changes to passwd information.
+#
+class passwd
+{
+	passwd	# change another user passwd
+	chfn	# change another user finger info
+	chsh	# change another user shell
+	rootok  # pam_rootok check (skip auth)
+	crontab # crontab on another user
+}
+
+#
+# SE-X Windows stuff
+#
+class x_drawable
+{
+	create
+	destroy
+	read
+	write
+	blend
+	getattr
+	setattr
+	list_child
+	add_child
+	remove_child
+	list_property
+	get_property
+	set_property
+	manage
+	override
+	show
+	hide
+	send
+	receive
+}
+
+class x_screen
+{
+	getattr
+	setattr
+	hide_cursor
+	show_cursor
+	saver_getattr
+	saver_setattr
+	saver_hide
+	saver_show
+}
+
+class x_gc
+{
+	create
+	destroy
+	getattr
+	setattr
+	use
+}
+
+class x_font
+{
+	create
+	destroy
+	getattr
+	add_glyph
+	remove_glyph
+	use
+}
+
+class x_colormap
+{
+	create
+	destroy
+	read
+	write
+	getattr
+	add_color
+	remove_color
+	install
+	uninstall
+	use
+}
+
+class x_property
+{
+	create
+	destroy
+	read
+	write
+	append
+	getattr
+	setattr
+}
+
+class x_selection
+{
+	read
+	write
+	getattr
+	setattr
+}
+
+class x_cursor
+{
+	create
+	destroy
+	read
+	write
+	getattr
+	setattr
+	use
+}
+
+class x_client
+{
+	destroy
+	getattr
+	setattr
+	manage
+}
+
+class x_device
+inherits x_device
+
+class x_server
+{
+	getattr
+	setattr
+	record
+	debug
+	grab
+	manage
+}
+
+class x_extension
+{
+	query
+	use
+}
+
+class x_resource
+{
+	read
+	write
+}
+
+class x_event
+{
+	send
+	receive
+}
+
+class x_synthetic_event
+{
+	send
+	receive
+}
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_firewall_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+	nlmsg_relay
+	nlmsg_readpriv
+	nlmsg_tty_audit
+}
+
+class netlink_ip6fw_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access and communication through the D-BUS messaging
+# system.
+#
+class dbus
+{
+	acquire_svc
+	send_msg
+}
+
+# Define the access vector interpretation for controlling
+# access through the name service cache daemon (nscd).
+#
+class nscd
+{
+	getpwd
+	getgrp
+	gethost
+	getstat
+	admin
+	shmempwd
+	shmemgrp
+	shmemhost
+	getserv
+	shmemserv
+}
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+	sendto
+	recvfrom
+	setcontext
+	polmatch
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
+
+class appletalk_socket
+inherits socket
+
+class packet
+{
+	send
+	recv
+	relabelto
+	flow_in		# deprecated
+	flow_out	# deprecated
+	forward_in
+	forward_out
+}
+
+class key
+{
+	view
+	read
+	write
+	search
+	link
+	setattr
+	create
+}
+
+class context
+{
+	translate
+	contains
+}
+
+class dccp_socket
+inherits socket
+{
+	node_bind
+	name_connect
+}
+
+class memprotect
+{
+	mmap_zero
+}
+
+class db_database
+inherits database
+{
+	access
+	install_module
+	load_module
+	get_param	# deprecated
+	set_param	# deprecated
+}
+
+class db_table
+inherits database
+{
+	use		# deprecated
+	select
+	update
+	insert
+	delete
+	lock
+}
+
+class db_procedure
+inherits database
+{
+	execute
+	entrypoint
+	install
+}
+
+class db_column
+inherits database
+{
+	use		# deprecated
+	select
+	update
+	insert
+}
+
+class db_tuple
+{
+	relabelfrom
+	relabelto
+	use		# deprecated
+	select
+	update
+	insert
+	delete
+}
+
+class db_blob
+inherits database
+{
+	read
+	write
+	import
+	export
+}
+
+# network peer labels
+class peer
+{
+	recv
+}
+
+class x_application_data
+{
+	paste
+	paste_after_confirm
+	copy
+}
+
+class kernel_service
+{
+	use_as_override
+	create_files_as
+}
+
+class tun_socket
+inherits socket
+
+class x_pointer
+inherits x_device
+
+class x_keyboard
+inherits x_device
+
+class db_schema
+inherits database
+{
+	search
+	add_name
+	remove_name
+}
+
+class db_view
+inherits database
+{
+	expand
+}
+
+class db_sequence
+inherits database
+{
+	get_value
+	next_value
+	set_value
+}
+
+class db_language
+inherits database
+{
+	implement
+	execute
+}
+
+class binder
+{
+	impersonate
+	call
+	set_context_mgr
+	transfer
+	receive
+}
+
+class zygote
+{
+	specifyids
+	specifyrlimits
+	specifycapabilities
+	specifyinvokewith
+	specifyseinfo
+}

adbd.te

@@ -0,0 +1,29 @@
+# adbd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type adbd, domain, mlstrustedsubject;
+allow adbd adb_device:chr_file rw_file_perms;
+allow adbd self:capability { net_raw setgid setuid dac_override sys_boot sys_admin };
+allow adbd rootfs:file entrypoint;
+allow adbd init:process sigchld;
+allow adbd self:tcp_socket *;
+allow adbd self:unix_stream_socket *;
+allow adbd node:tcp_socket node_bind;
+allow adbd port:tcp_socket name_bind;
+allow adbd devpts:chr_file rw_file_perms;
+allow adbd cgroup:dir { write add_name create };
+allow adbd labeledfs:filesystem remount;
+allow adbd shell_data_file:dir rw_dir_perms;
+allow adbd shell_data_file:file create_file_perms;
+allow adbd graphics_device:dir search;
+allow adbd graphics_device:chr_file r_file_perms;
+allow adbd log_device:chr_file r_file_perms;
+# XXX Run /system/bin/vdc to connect to vold.  Run in a separate domain?
+allow adbd system_file:file rx_file_perms;
+unix_socket_connect(adbd, vold, vold)
+# Talk to init via the property socket.
+unix_socket_connect(adbd, property, init)
+
+# Perform binder IPC to surfaceflinger (screencap)
+# XXX Run screencap in a separate domain?
+binder_use(adbd)
+binder_call(adbd, surfaceflinger)

app.te

@@ -0,0 +1,107 @@
+#
+# Domains for apps that do not run with one of the predefined
+# platform UIDs (system, radio, nfc, ...).
+#
+
+#
+# Trusted apps.
+#
+type trusted_app, domain;
+app_domain(trusted_app)
+# Access the network.
+net_domain(trusted_app)
+# Access bluetooth.
+bluetooth_domain(trusted_app)
+# Read logs.
+allow trusted_app log_device:chr_file read;
+# Write to /cache.
+allow trusted_app cache_file:dir rw_dir_perms;
+allow trusted_app cache_file:file create_file_perms;
+# Read from /data/local.
+allow trusted_app shell_data_file:dir search;
+allow trusted_app shell_data_file:file { open getattr read };
+allow trusted_app shell_data_file:lnk_file read;
+# Access the sdcard.
+allow trusted_app sdcard:dir create_dir_perms;
+allow trusted_app sdcard:file create_file_perms;
+# Populate /data/app/vmdl*.tmp file created by system server.
+# It would be better if this was labeled differently.
+allow trusted_app apk_data_file:file write;
+# Perform binder IPC to any app domain.
+binder_call(trusted_app, appdomain)
+binder_transfer(trusted_app, appdomain)
+
+#
+# An example of a specific domain for a specific app
+# A domain for com.android.browser.
+type browser_app, domain;
+app_domain(browser_app)
+# Access the network.
+net_domain(browser_app)
+
+#
+# Untrusted apps.
+#
+type untrusted_app, domain;
+app_domain(untrusted_app)
+# Boolean-controlled options for untrusted apps.
+# Network access.
+bool app_network true;
+if (app_network) {
+# Cannot use net_domain within a conditional - type attribute.
+allow untrusted_app self:{ tcp_socket udp_socket } *;
+allow untrusted_app port_type:tcp_socket name_connect;
+allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;
+allow untrusted_app port_type:udp_socket name_bind;
+allow untrusted_app port_type:tcp_socket name_bind;
+unix_socket_connect(untrusted_app, dnsproxyd, netd)
+}
+# Bluetooth access.
+bool app_bluetooth false;
+if (app_bluetooth) {
+# No specific SELinux class for bluetooth sockets presently.
+allow untrusted_app self:socket *;
+}
+# SDCard rw access.
+bool app_sdcard_rw true;
+if (app_sdcard_rw) {
+allow untrusted_app sdcard:dir create_dir_perms;
+allow untrusted_app sdcard:file create_file_perms;
+}
+# Native app support.
+bool app_ndk false;
+if (app_ndk) {
+allow untrusted_app app_data_file:file execute;
+}
+
+#
+# Rules for all app domains.
+#
+
+# Receive and use open file descriptors inherited from zygote.
+allow appdomain zygote:fd use;
+
+# Read system properties managed by zygote.
+allow appdomain zygote_tmpfs:file read;
+
+# Notify zygote of death;
+allow appdomain zygote:process sigchld;
+
+# Communicate over a FIFO to system processes.
+allow appdomain system:fifo_file rw_file_perms;
+
+# App sandbox file accesses.
+allow appdomain app_data_file:dir create_dir_perms;
+allow appdomain app_data_file:notdevfile_class_set create_file_perms;
+
+# lib subdirectory of /data/data dir is system-owned.
+allow appdomain system_data_file:dir r_dir_perms;
+
+# Use the Binder.
+binder_use(appdomain)
+# Perform binder IPC to binder services.
+binder_call(appdomain, binderservicedomain)
+binder_transfer(appdomain, binderservicedomain)
+# Perform binder IPC to apps in the trusted_app domain.
+binder_call(appdomain, trusted_app)
+binder_transfer(appdomain, trusted_app)

attributes

@@ -0,0 +1,57 @@
+######################################
+# Attribute declarations
+#
+
+# All types used for devices.
+attribute dev_type;
+
+# All types used for processes.
+attribute domain;
+
+# All types used for filesystems.
+attribute fs_type;
+
+# All types used for files that can exist on a labeled fs.
+# Do not use for pseudo file types.
+attribute file_type;
+
+# All types used for domain entry points.
+attribute exec_type;
+
+# All types used for /data files.
+attribute data_file_type;
+
+# All types use for sysfs files.
+attribute sysfs_type;
+
+# All types used for nodes/hosts.
+attribute node_type;
+
+# All types used for network interfaces.
+attribute netif_type;
+
+# All types used for network ports.
+attribute port_type;
+
+# All domains that can override MLS restrictions.
+# i.e. processes that can read up and write down.
+attribute mlstrustedsubject;
+
+# All types that can override MLS restrictions.
+# i.e. files that can be read by lower and written by higher
+attribute mlstrustedobject;
+
+# Domains that are allowed all permissions ("unconfined").
+attribute unconfineddomain;
+
+# All domains used for apps.
+attribute appdomain;
+
+# All domains used for apps with network access.
+attribute netdomain;
+
+# All domains used for apps with bluetooth access.
+attribute bluetoothdomain;
+
+# All domains used for binder service domains.
+attribute binderservicedomain;

bluetooth.te

@@ -0,0 +1,4 @@
+# Domains that can create and use bluetooth sockets.
+# SELinux does not presently define a specific socket class for
+# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
+allow bluetoothdomain self:socket *;

bluetoothd.te

@@ -0,0 +1,10 @@
+# bluetoothd - bluetooth daemon
+type bluetoothd, domain;
+type bluetoothd_exec, exec_type, file_type;
+
+init_daemon_domain(bluetoothd)
+allow bluetoothd self:capability { setuid net_raw net_bind_service net_admin };
+allow bluetoothd self:socket *;
+allow bluetoothd bluetoothd_data_file:dir create_dir_perms;
+allow bluetoothd bluetoothd_data_file:file create_file_perms;
+unix_socket_connect(bluetoothd, dbus, dbusd)

cts.te

@@ -0,0 +1,42 @@
+#
+# Rules to allow the Android CTS to run.
+# Do not enable in production policy.
+#
+
+bool android_cts false;
+if (android_cts) {
+# Reads /proc/pid entries to check that no unexpected root
+# processes are running.
+allow appdomain domain:dir r_dir_perms;
+allow appdomain domain:{ file lnk_file } r_file_perms;
+
+# Will still fail when trying to read other app /proc/pid
+# entries due to MLS constraints.  Just silence the denials.
+dontaudit appdomain appdomain:dir r_dir_perms;
+dontaudit appdomain appdomain:file r_file_perms;
+
+# Walk the file tree, stat any file.
+allow appdomain file_type:dir r_dir_perms;
+allow appdomain fs_type:dir r_dir_perms;
+allow appdomain dev_type:dir r_dir_perms;
+allow appdomain file_type:dir_file_class_set getattr;
+allow appdomain dev_type:dir_file_class_set getattr;
+allow appdomain fs_type:dir_file_class_set getattr;
+
+# Execute the shell or other system executables.
+allow appdomain shell_exec:file rx_file_perms;
+allow appdomain system_file:file rx_file_perms;
+
+# Read routing information.
+allow netdomain self:netlink_route_socket { create read write nlmsg_read };
+
+# Tries to open /dev/alarm for writing but expects failure.
+dontaudit appdomain alarm_device:chr_file write;
+
+# Tries to create and use a netlink kobject uevent socket
+# to test for a vulnerable vold.
+dontaudit appdomain self:netlink_kobject_uevent_socket create;
+
+# Tries to override DAC restrictions but expects to fail.
+dontaudit shell self:capability dac_override;
+}

dbusd.te

@@ -0,0 +1,8 @@
+# dbus daemon
+type dbusd, domain;
+type dbusd_exec, exec_type, file_type;
+
+init_daemon_domain(dbusd)
+# Reads /proc/pid/cmdline of clients
+r_dir_file(dbusd, system)
+r_dir_file(dbusd, bluetoothd)

debuggerd.te

@@ -0,0 +1,14 @@
+# debugger interface
+type debuggerd, domain;
+type debuggerd_exec, exec_type, file_type;
+
+init_daemon_domain(debuggerd)
+typeattribute debuggerd mlstrustedsubject;
+allow debuggerd self:capability { dac_override sys_ptrace chown kill };
+allow debuggerd domain:dir r_dir_perms;
+allow debuggerd domain:file r_file_perms;
+allow debuggerd domain:process ptrace;
+allow debuggerd tombstone_data_file:dir create_dir_perms;
+allow debuggerd tombstone_data_file:file create_file_perms;
+allow debuggerd domain:process { sigstop signal };
+allow debuggerd exec_type:file r_file_perms;

device.te

@@ -0,0 +1,38 @@
+# Device types
+type device, dev_type, fs_type;
+type akm_device, dev_type;
+type accelerometer_device, dev_type;
+type alarm_device, dev_type, mlstrustedobject;
+type adb_device, dev_type;
+type ashmem_device, dev_type, mlstrustedobject;
+type audio_device, dev_type;
+type binder_device, dev_type, mlstrustedobject;
+type block_device, dev_type;
+type camera_device, dev_type;
+type dm_device, dev_type;
+type loop_device, dev_type;
+type radio_device, dev_type;
+type ram_device, dev_type;
+type console_device, dev_type;
+type cpuctl_device, dev_type;
+type full_device, dev_type;
+type graphics_device, dev_type;
+type input_device, dev_type;
+type kmem_device, dev_type;
+type log_device, dev_type, mlstrustedobject;
+type mtd_device, dev_type;
+type nfc_device, dev_type;
+type nv_device, dev_type, mlstrustedobject;
+type powervr_device, dev_type, mlstrustedobject;
+type ptmx_device, dev_type, mlstrustedobject;
+type qemu_device, dev_type;
+type kmsg_device, dev_type;
+type null_device, dev_type, mlstrustedobject;
+type random_device, dev_type;
+type serial_device, dev_type;
+type socket_device, dev_type;
+type tty_device, dev_type;
+type urandom_device, dev_type;
+type video_device, dev_type;
+type vcs_device, dev_type;
+type zero_device, dev_type;

domain.te

@@ -0,0 +1,96 @@
+# Rules for all domains.
+
+# Allow reaping by init.
+allow domain init:process sigchld;
+
+# binder adjusts the nice value during IPC.
+allow domain self:capability sys_nice;
+
+# Intra-domain accesses.
+allow domain self:process ~{ execstack execheap };
+allow domain self:fd use;
+allow domain self:dir r_dir_perms;
+allow domain self:lnk_file r_file_perms;
+allow domain self:{ fifo_file file } rw_file_perms;
+allow domain self:{ unix_dgram_socket unix_stream_socket } *;
+
+# Inherit or receive open files from others.
+allow domain init:fd use;
+allow domain system:fd use;
+
+# Connect to adbd and use a socket transferred from it.
+allow domain adbd:unix_stream_socket connectto;
+allow domain adbd:fd use;
+allow domain adbd:unix_stream_socket { getattr read write shutdown };
+
+# Talk to debuggerd.
+allow domain debuggerd:process sigchld;
+allow domain debuggerd:unix_stream_socket connectto;
+
+# Root fs.
+allow domain rootfs:dir r_dir_perms;
+allow domain rootfs:lnk_file read;
+
+# Device accesses.
+allow domain device:dir search;
+allow domain devpts:dir search;
+allow domain device:file read;
+allow domain socket_device:dir search;
+allow domain null_device:chr_file rw_file_perms;
+allow domain zero_device:chr_file r_file_perms;
+allow domain ashmem_device:chr_file rw_file_perms;
+allow domain binder_device:chr_file rw_file_perms;
+allow domain ptmx_device:chr_file rw_file_perms;
+allow domain powervr_device:chr_file rw_file_perms;
+allow domain log_device:dir search;
+allow domain log_device:chr_file w_file_perms;
+allow domain nv_device:chr_file rw_file_perms;
+allow domain alarm_device:chr_file r_file_perms;
+allow domain urandom_device:chr_file r_file_perms;
+
+# Filesystem accesses.
+allow domain fs_type:filesystem getattr;
+
+# System file accesses.
+allow domain system_file:dir r_dir_perms;
+allow domain system_file:file r_file_perms;
+allow domain system_file:file execute;
+allow domain system_file:lnk_file read;
+
+# Read files already opened under /data.
+allow domain system_data_file:dir { search getattr };
+allow domain system_data_file:file { getattr read };
+allow domain system_data_file:lnk_file read;
+
+# Read apk files under /data/app.
+allow domain apk_data_file:dir search;
+allow domain apk_data_file:file r_file_perms;
+
+# Read /data/dalvik-cache.
+allow domain dalvikcache_data_file:dir { search getattr };
+allow domain dalvikcache_data_file:file r_file_perms;
+
+# Read already opened /cache files.
+allow domain cache_file:dir r_dir_perms;
+allow domain cache_file:file { getattr read };
+allow domain cache_file:lnk_file read;
+
+# For /acct/uid/*/tasks.
+allow domain cgroup:dir search;
+allow domain cgroup:file w_file_perms;
+
+# For /sys/qemu_trace files in the emulator.
+bool in_qemu false;
+if (in_qemu) {
+allow domain sysfs:file rw_file_perms;
+}
+allow domain sysfs_writable:file rw_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(domain, proc)
+r_dir_file(domain, sysfs)
+r_dir_file(domain, inotify)
+r_dir_file(domain, cgroup)
+
+# Ignore /sys/kernel/debug
+dontaudit domain debugfs:dir search;

drmserver.te

@@ -0,0 +1,10 @@
+# drmserver - DRM service
+type drmserver, domain;
+type drmserver_exec, exec_type, file_type;
+
+init_daemon_domain(drmserver)
+typeattribute drmserver mlstrustedsubject;
+
+# Perform Binder IPC to system server.
+binder_use(drmserver)
+binder_call(drmserver, system)

file.te

@@ -0,0 +1,75 @@
+# Filesystem types
+type labeledfs, fs_type;
+type pipefs, fs_type;
+type sockfs, fs_type;
+type rootfs, fs_type;
+type proc, fs_type;
+type selinuxfs, fs_type;
+type cgroup, fs_type, mlstrustedobject;
+type sysfs, fs_type, mlstrustedobject;
+type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
+type inotify, fs_type, mlstrustedobject;
+type devpts, fs_type;
+type tmpfs, fs_type;
+type shm, fs_type;
+type mqueue, fs_type;
+type sdcard, fs_type, mlstrustedobject;
+type debugfs, fs_type, mlstrustedobject;
+
+# File types
+type unlabeled, file_type;
+# Default type for anything under /system.
+type system_file, file_type;
+# Default type for anything under /data.
+type system_data_file, file_type, data_file_type;
+# /data/anr - ANR traces
+type anr_data_file, file_type, data_file_type;
+# /data/tombstones - core dumps
+type tombstone_data_file, file_type, data_file_type;
+# /data/app - user-installed apps
+type apk_data_file, file_type, data_file_type, mlstrustedobject;
+# /data/dalvik-cache
+type dalvikcache_data_file, file_type, data_file_type;
+# /data/local - writable by shell
+type shell_data_file, file_type, data_file_type;
+# /data/gps
+type gps_data_file, file_type, data_file_type;
+# /data/misc subdirectories
+type bluetoothd_data_file, file_type, data_file_type;
+type bluetooth_data_file, file_type, data_file_type;
+type keystore_data_file, file_type, data_file_type;
+type vpn_data_file, file_type, data_file_type;
+type systemkeys_data_file, file_type, data_file_type;
+type wifi_data_file, file_type, data_file_type;
+type radio_data_file, file_type, data_file_type;
+type nfc_data_file, file_type, data_file_type;
+# /data/data subdirectories - app sandboxes
+type app_data_file, file_type, data_file_type;
+# Default type for anything under /cache
+type cache_file, file_type, mlstrustedobject;
+# Default type for anything under /efs
+type efs_file, file_type;
+
+# Socket types
+type bluetooth_socket, file_type;
+type dbus_socket, file_type;
+type dnsproxyd_socket, file_type, mlstrustedobject;
+type gps_socket, file_type;
+type installd_socket, file_type;
+type keystore_socket, file_type;
+type netd_socket, file_type;
+type property_socket, file_type;
+type qemud_socket, file_type;
+type rild_socket, file_type;
+type rild_debug_socket, file_type;
+type system_wpa_socket, file_type;
+type vold_socket, file_type;
+type wpa_socket, file_type;
+type zygote_socket, file_type;
+
+# Allow files to be created in their appropriate filesystems.
+allow fs_type self:filesystem associate;
+allow sysfs_type sysfs:filesystem associate;
+allow file_type labeledfs:filesystem associate;
+allow file_type tmpfs:filesystem associate;
+allow dev_type tmpfs:filesystem associate;

file_contexts

@@ -0,0 +1,129 @@
+###########################################
+# Root
+#
+# Nothing required since it is initramfs and implicitly labeled
+# by genfscon rootfs in ocontexts.
+#
+##########################
+# Devices
+#
+/dev(/.*)?		u:object_r:device:s0
+/dev/akm8973.*		u:object_r:akm_device:s0
+/dev/accelerometer	u:object_r:accelerometer_device:s0
+/dev/alarm		u:object_r:alarm_device:s0
+/dev/android_adb.*	u:object_r:adb_device:s0
+/dev/ashmem		u:object_r:ashmem_device:s0
+/dev/audio.*		u:object_r:audio_device:s0
+/dev/binder		u:object_r:binder_device:s0
+/dev/block(/.*)?	u:object_r:block_device:s0
+/dev/block/loop[0-9]*	u:object_r:loop_device:s0
+/dev/block/ram[0-9]*	u:object_r:ram_device:s0
+/dev/block/mtdblock5	u:object_r:radio_device:s0
+/dev/cam		u:object_r:camera_device:s0
+/dev/console		u:object_r:console_device:s0
+/dev/cpuctl(/.*)?	u:object_r:cpuctl_device:s0
+/dev/device-mapper	u:object_r:dm_device:s0
+/dev/full		u:object_r:full_device:s0
+/dev/graphics(/.*)?	u:object_r:graphics_device:s0
+/dev/input(/.*)		u:object_r:input_device:s0
+/dev/kmem		u:object_r:kmem_device:s0
+/dev/log(/.*)?		u:object_r:log_device:s0
+/dev/mem		u:object_r:kmem_device:s0
+/dev/modem.*		u:object_r:radio_device:s0
+/dev/mtd(/.*)?		u:object_r:mtd_device:s0
+/dev/mtd/mtd5		u:object_r:radio_device:s0
+/dev/mtd/mtd5ro		u:object_r:radio_device:s0
+/dev/pn544		u:object_r:nfc_device:s0
+/dev/ptmx		u:object_r:ptmx_device:s0
+/dev/pvrsrvkm		u:object_r:powervr_device:s0
+/dev/qemu_.*		u:object_r:qemu_device:s0
+/dev/kmsg		u:object_r:kmsg_device:s0
+/dev/null		u:object_r:null_device:s0
+/dev/nvhdcp1		u:object_r:video_device:s0
+/dev/nvmap		u:object_r:nv_device:s0
+/dev/nvhost-.*		u:object_r:nv_device:s0
+/dev/random		u:object_r:random_device:s0
+/dev/s3c-jpg		u:object_r:camera_device:s0
+/dev/s3c-mem		u:object_r:camera_device:s0
+/dev/s3c-mfc		u:object_r:graphics_device:s0
+/dev/snd(/.*)?		u:object_r:audio_device:s0
+/dev/socket		u:object_r:socket_device:s0
+/dev/socket/bluetooth	u:object_r:bluetooth_socket:s0
+/dev/socket/dbus_bluetooth	u:object_r:bluetooth_socket:s0
+/dev/socket/dbus	u:object_r:dbus_socket:s0
+/dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
+/dev/socket/installd	u:object_r:installd_socket:s0
+/dev/socket/keystore	u:object_r:keystore_socket:s0
+/dev/socket/netd	u:object_r:netd_socket:s0
+/dev/socket/property_service	u:object_r:property_socket:s0
+/dev/socket/qemud	u:object_r:qemud_socket:s0
+/dev/socket/rild	u:object_r:rild_socket:s0
+/dev/socket/rild-debug	u:object_r:rild_debug_socket:s0
+/dev/socket/vold	u:object_r:vold_socket:s0
+/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
+/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
+/dev/socket/zygote	u:object_r:zygote_socket:s0
+/dev/spdif_out.*	u:object_r:audio_device:s0
+/dev/tegra.*		u:object_r:video_device:s0
+/dev/tty[0-9]*		u:object_r:tty_device:s0
+/dev/ttyS[0-9]*		u:object_r:serial_device:s0
+/dev/uinput		u:object_r:input_device:s0
+/dev/urandom		u:object_r:urandom_device:s0
+/dev/vcs[0-9a-z]*	u:object_r:vcs_device:s0
+/dev/video[0-9]*	u:object_r:video_device:s0
+/dev/zero		u:object_r:zero_device:s0
+#############################
+# System files
+#
+/system(/.*)?		u:object_r:system_file:s0
+/system/bin/ash		u:object_r:shell_exec:s0
+/system/bin/mksh	u:object_r:shell_exec:s0
+/system/bin/sh		--	u:object_r:shell_exec:s0
+/system/bin/app_process	u:object_r:zygote_exec:s0
+/system/bin/servicemanager	u:object_r:servicemanager_exec:s0
+/system/bin/surfaceflinger	u:object_r:surfaceflinger_exec:s0
+/system/bin/drmserver	u:object_r:drmserver_exec:s0
+/system/bin/vold	u:object_r:vold_exec:s0
+/system/bin/netd	u:object_r:netd_exec:s0
+/system/bin/rild	u:object_r:rild_exec:s0
+/system/bin/mediaserver	u:object_r:mediaserver_exec:s0
+/system/bin/dbus-daemon	u:object_r:dbusd_exec:s0
+/system/bin/installd	u:object_r:installd_exec:s0
+/system/bin/keystore	u:object_r:keystore_exec:s0
+/system/bin/debuggerd	u:object_r:debuggerd_exec:s0
+/system/bin/bluetoothd	u:object_r:bluetoothd_exec:s0
+/system/bin/wpa_supplicant	u:object_r:wpa_exec:s0
+/system/bin/qemud	u:object_r:qemud_exec:s0
+/system/xbin/su		u:object_r:su_exec:s0
+/system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
+#############################
+# Data files
+#
+/data(/.*)?		u:object_r:system_data_file:s0
+/data/gps(/.*)?		u:object_r:gps_data_file:s0
+/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
+/data/anr(/.*)?		u:object_r:anr_data_file:s0
+/data/app(/.*)?		u:object_r:apk_data_file:s0
+/data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
+/data/local(/.*)?	u:object_r:shell_data_file:s0
+# Misc data
+/data/misc/bluetoothd(/.*)?	u:object_r:bluetoothd_data_file:s0
+/data/misc/bluetooth(/.*)?	u:object_r:bluetooth_data_file:s0
+/data/misc/keystore(/.*)?	u:object_r:keystore_data_file:s0
+/data/misc/vpn(/.*)?		u:object_r:vpn_data_file:s0
+/data/misc/systemkeys(/.*)?	u:object_r:systemkeys_data_file:s0
+/data/misc/wifi(/.*)?		u:object_r:wifi_data_file:s0
+# App sandboxes
+/data/data/.*		u:object_r:app_data_file:s0
+#############################
+# efs files
+#
+/efs(/.*)?		u:object_r:efs_file:s0
+#############################
+# Cache files
+#
+/cache(/.*)?		u:object_r:cache_file:s0
+#############################
+# sysfs files
+#
+/sys/qemu_trace/process_name	--	u:object_r:sysfs_writable:s0

global_macros

@@ -0,0 +1,40 @@
+#####################################
+# Common groupings of object classes.
+#
+define(`capability_class_set', `{ capability capability2 }')
+
+define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
+define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
+define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
+define(`devfile_class_set', `{ chr_file blk_file }')
+
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
+
+define(`ipc_class_set', `{ sem msgq shm ipc }')
+
+#####################################
+# Common groupings of permissions.
+#
+define(`x_file_perms', `{ getattr execute execute_no_trans }')
+define(`r_file_perms', `{ getattr open read ioctl lock }')
+define(`w_file_perms', `{ open append write }')
+define(`rx_file_perms', `{ r_file_perms x_file_perms }')
+define(`ra_file_perms', `{ r_file_perms append }')
+define(`rw_file_perms', `{ r_file_perms w_file_perms }')
+define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
+define(`link_file_perms', `{ getattr link unlink rename }')
+define(`create_file_perms', `{ create setattr rw_file_perms link_file_perms }')
+
+define(`r_dir_perms', `{ open getattr read search ioctl }')
+define(`w_dir_perms', `{ open search write add_name remove_name }')
+define(`ra_dir_perms', `{ r_dir_perms add_name write }')
+define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
+define(`create_dir_perms', `{ create reparent rmdir setattr rw_dir_perms link_file_perms }')
+
+define(`r_ipc_perms', `{ getattr read associate unix_read }')
+define(`w_ipc_perms', `{ write unix_write }')
+define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }')
+define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')

gpsd.te

@@ -0,0 +1,14 @@
+# gpsd - GPS daemon
+type gpsd, domain;
+type gpsd_exec, exec_type, file_type;
+
+init_daemon_domain(gpsd)
+net_domain(gpsd)
+allow gpsd gps_data_file:dir rw_dir_perms;
+allow gpsd gps_data_file:notdevfile_class_set create_file_perms;
+# Socket is created by the daemon, not by init, and under /data/gps,
+# not under /dev/socket.
+type_transition gpsd gps_data_file:sock_file gps_socket;
+allow gpsd gps_socket:sock_file create_file_perms;
+# XXX Label sysfs files with a specific type?
+allow gpsd sysfs:file rw_file_perms;

init.te

@@ -0,0 +1,5 @@
+# init switches to init domain (via init.rc).
+type init, domain;
+# init is unconfined.
+unconfined_domain(init)
+tmpfs_domain(init)

initial_sids

@@ -0,0 +1,35 @@
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+sid security
+sid unlabeled
+sid fs
+sid file
+sid file_labels
+sid init
+sid any_socket
+sid port
+sid netif
+sid netmsg
+sid node
+sid igmp_packet
+sid icmp_socket
+sid tcp_socket
+sid sysctl_modprobe
+sid sysctl
+sid sysctl_fs
+sid sysctl_kernel
+sid sysctl_net
+sid sysctl_net_unix
+sid sysctl_vm
+sid sysctl_dev
+sid kmod
+sid policy
+sid scmp_packet
+sid devnull
+
+# FLASK

installd.te

@@ -0,0 +1,21 @@
+# installer daemon
+type installd, domain;
+type installd_exec, exec_type, file_type;
+
+init_daemon_domain(installd)
+typeattribute installd mlstrustedsubject;
+allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
+allow installd system_data_file:file create_file_perms;
+allow installd system_data_file:lnk_file create;
+allow installd dalvikcache_data_file:file create_file_perms;
+allow installd data_file_type:dir create_dir_perms;
+allow installd data_file_type:dir { relabelfrom relabelto };
+allow installd data_file_type:file { getattr unlink };
+allow installd apk_data_file:file r_file_perms;
+allow installd system_file:file x_file_perms;
+allow installd cgroup:dir create_dir_perms;
+dontaudit installd self:capability sys_admin;
+# Check validity of SELinux context before use.
+selinux_check_context(installd)
+# Read /seapp_contexts, presently on the rootfs.
+allow installd rootfs:file r_file_perms;

kernel.te

@@ -0,0 +1,4 @@
+# Life begins with the kernel.
+type kernel, domain;
+# The kernel is unconfined.
+unconfined_domain(kernel)

keystore.te

@@ -0,0 +1,7 @@
+type keystore, domain;
+type keystore_exec, exec_type, file_type;
+
+# keystore daemon
+init_daemon_domain(keystore)
+allow keystore keystore_data_file:dir create_dir_perms;
+allow keystore keystore_data_file:notdevfile_class_set create_file_perms;

mediaserver.te

@@ -0,0 +1,26 @@
+# mediaserver - multimedia daemon
+type mediaserver, domain;
+type mediaserver_exec, exec_type, file_type;
+
+init_daemon_domain(mediaserver)
+net_domain(mediaserver)
+typeattribute mediaserver mlstrustedsubject;
+allow mediaserver kernel:system module_request;
+binder_use(mediaserver)
+binder_call(mediaserver, binderservicedomain)
+binder_call(mediaserver, appdomain)
+binder_service(mediaserver)
+allow mediaserver app_data_file:dir search;
+allow mediaserver app_data_file:file { read getattr };
+r_dir_file(mediaserver, sdcard)
+allow mediaserver sdcard:file write;
+allow mediaserver camera_device:chr_file rw_file_perms;
+allow mediaserver graphics_device:chr_file rw_file_perms;
+allow mediaserver video_device:chr_file rw_file_perms;
+allow mediaserver audio_device:dir r_dir_perms;
+allow mediaserver audio_device:chr_file rw_file_perms;
+allow mediaserver qemu_device:chr_file rw_file_perms;
+# XXX Label with a specific type?
+allow mediaserver sysfs:file rw_file_perms;
+# XXX Why?
+allow mediaserver apk_data_file:file { read getattr };

mls

@@ -0,0 +1,112 @@
+#########################################
+# MLS declarations
+#
+
+# Generate the desired number of sensitivities and categories.
+gen_sens(mls_num_sens)
+gen_cats(mls_num_cats)
+
+# Generate level definitions for each sensitivity and category.
+gen_levels(mls_num_sens,mls_num_cats)
+
+
+#################################################
+# MLS policy constraints
+#
+
+#
+# Process constraints
+#
+
+# Process transition:  Require equivalence unless the subject is trusted.
+mlsconstrain process { transition dyntransition }
+	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
+
+# Process read operations: No read up unless trusted.
+mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
+	     (l1 dom l2 or t1 == mlstrustedsubject);
+
+# Process write operations:  No write down unless trusted.
+mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
+	     (l1 domby l2 or t1 == mlstrustedsubject);
+
+#
+# Socket constraints
+#
+
+# These permissions are between the process and its local socket,
+# not between a process/socket and its peer.
+# Equivalence is the normal situation; anything else requires trust.
+mlsconstrain socket_class_set { read write create getattr setattr relabelfrom relabelto bind connect listen accept getopt setopt shutdown }
+	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+
+# Datagram send: Sender must be dominated by receiver unless one of them is
+# trusted.
+mlsconstrain unix_dgram_socket { sendto }
+	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+
+# Stream connect:  Client must be equivalent to server unless one of them
+# is trusted.
+mlsconstrain unix_stream_socket { connectto }
+	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+
+#
+# Directory/file constraints
+#
+
+# Create/relabel operations:  Subject must be equivalent to object unless
+# the subject is trusted. Also, files should always be single-level.
+# Do NOT exempt mlstrustedobject types from this constraint.
+mlsconstrain dir_file_class_set { create relabelfrom relabelto }
+	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
+
+# Read operations: Subject must dominate object unless the subject
+# or the object is trusted.
+mlsconstrain dir { read getattr search }
+	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
+	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+# Write operations: Subject must be dominated by the object unless the
+# subject or the object is trusted.
+mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
+	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
+	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+# Special case for FIFOs.
+# These can be unnamed pipes, in which case they will be labeled with the
+# creating process' label. Thus we also have an exemption when the "object"
+# is a MLS trusted subject and can receive data at any level.
+mlsconstrain fifo_file { read getattr }
+	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
+
+mlsconstrain fifo_file { write setattr append unlink link rename }
+	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
+
+#
+# IPC constraints
+#
+
+# Create/destroy: equivalence or trusted.
+mlsconstrain ipc_class_set { create destroy }
+	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
+
+# Read ops: No read up unless trusted.
+mlsconstrain ipc_class_set r_ipc_perms
+	     (l1 dom l2 or t1 == mlstrustedsubject);
+
+# Write ops: No write down unless trusted.
+mlsconstrain ipc_class_set w_ipc_perms
+	     (l1 domby l2 or t1 == mlstrustedsubject);
+
+#
+# Binder IPC constraints
+#
+# Presently commented out, as apps are expected to call one another.
+# This would only make sense if apps were assigned categories
+# based on allowable communications rather than per-app categories.
+#mlsconstrain binder call
+#	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

mls_macros

@@ -0,0 +1,54 @@
+########################################
+#
+# gen_cats(N)
+#
+# declares categores c0 to c(N-1)
+#
+define(`decl_cats',`dnl
+category c$1;
+ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
+')
+
+define(`gen_cats',`decl_cats(0,decr($1))')
+
+########################################
+#
+# gen_sens(N)
+#
+# declares sensitivites s0 to s(N-1) with dominance
+# in increasing numeric order with s0 lowest, s(N-1) highest
+#
+define(`decl_sens',`dnl
+sensitivity s$1;
+ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
+')
+
+define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
+
+define(`gen_sens',`
+# Each sensitivity has a name and zero or more aliases.
+decl_sens(0,decr($1))
+
+# Define the ordering of the sensitivity levels (least to greatest)
+dominance { gen_dominance(0,decr($1)) }
+')
+
+########################################
+#
+# gen_levels(N,M)
+#
+# levels from s0 to (N-1) with categories c0 to (M-1)
+#
+define(`decl_levels',`dnl
+level s$1:c0.c$3;
+ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
+')
+
+define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
+
+########################################
+#
+# Basic level names for system low and high
+#
+define(`mls_systemlow',`s0')
+define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')

net.te

@@ -0,0 +1,18 @@
+# Network types
+type node, node_type;
+type netif, netif_type;
+type port, port_type;
+
+# Use network sockets.
+allow netdomain self:{ tcp_socket udp_socket } *;
+# Connect to ports.
+allow netdomain port_type:tcp_socket name_connect;
+# Bind to ports.
+allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
+allow netdomain port_type:udp_socket name_bind;
+allow netdomain port_type:tcp_socket name_bind;
+# Get route information.
+allow netdomain self:netlink_route_socket { create bind read nlmsg_read };
+
+# Talks to netd via dnsproxyd socket.
+unix_socket_connect(netdomain, dnsproxyd, netd)

netd.te

@@ -0,0 +1,30 @@
+# network manager
+type netd, domain;
+type netd_exec, exec_type, file_type;
+
+init_daemon_domain(netd)
+typeattribute netd mlstrustedsubject;
+allow netd self:capability { net_admin net_raw sys_module };
+allow netd self:netlink_kobject_uevent_socket *;
+allow netd self:netlink_route_socket *;
+allow netd self:netlink_nflog_socket *;
+allow netd self:rawip_socket *;
+allow netd self:udp_socket *;
+allow netd node:udp_socket node_bind;
+allow netd port:udp_socket name_bind;
+allow netd self:unix_stream_socket *;
+allow netd shell_exec:file rx_file_perms;
+allow netd system_file:file x_file_perms;
+allow netd devpts:chr_file rw_file_perms;
+
+# For /proc/sys/net/ipv[46]/route/flush.
+# XXX Split /proc/sys/net into its own type.
+allow netd proc:file write;
+
+# For firmware_path
+# XXX Split into its own type.
+allow netd sysfs:file write;
+
+# Load network drivers.
+allow netd kernel:system module_request;
+

nfc.te

@@ -0,0 +1,10 @@
+# nfc subsystem
+type nfc, domain;
+app_domain(nfc)
+
+# NFC device access.
+allow nfc nfc_device:chr_file rw_file_perms;
+
+# Data file accesses.
+allow nfc nfc_data_file:dir create_dir_perms;
+allow nfc nfc_data_file:notdevfile_class_set create_file_perms;

ocontexts

@@ -0,0 +1,65 @@
+sid kernel u:r:kernel:s0
+sid security u:object_r:kernel:s0
+sid unlabeled u:object_r:unlabeled:s0
+sid fs u:object_r:labeledfs:s0
+sid file u:object_r:unlabeled:s0
+sid file_labels u:object_r:unlabeled:s0
+sid init u:object_r:unlabeled:s0
+sid any_socket u:object_r:unlabeled:s0
+sid port u:object_r:port:s0
+sid netif u:object_r:netif:s0
+sid netmsg u:object_r:unlabeled:s0
+sid node u:object_r:node:s0
+sid igmp_packet u:object_r:unlabeled:s0
+sid icmp_socket u:object_r:unlabeled:s0
+sid tcp_socket u:object_r:unlabeled:s0
+sid sysctl_modprobe u:object_r:unlabeled:s0
+sid sysctl u:object_r:proc:s0
+sid sysctl_fs u:object_r:unlabeled:s0
+sid sysctl_kernel u:object_r:unlabeled:s0
+sid sysctl_net u:object_r:unlabeled:s0
+sid sysctl_net_unix u:object_r:unlabeled:s0
+sid sysctl_vm u:object_r:unlabeled:s0
+sid sysctl_dev u:object_r:unlabeled:s0
+sid kmod u:object_r:unlabeled:s0
+sid policy u:object_r:unlabeled:s0
+sid scmp_packet u:object_r:unlabeled:s0
+sid devnull u:object_r:null_device:s0
+
+# Label inodes via getxattr.
+fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
+fs_use_xattr jffs2 u:object_r:labeledfs:s0;
+fs_use_xattr ext2 u:object_r:labeledfs:s0;
+fs_use_xattr ext3 u:object_r:labeledfs:s0;
+fs_use_xattr ext4 u:object_r:labeledfs:s0;
+fs_use_xattr xfs u:object_r:labeledfs:s0;
+fs_use_xattr btrfs u:object_r:labeledfs:s0;
+
+# Label inodes from task label.
+fs_use_task pipefs u:object_r:pipefs:s0;
+fs_use_task sockfs u:object_r:sockfs:s0;
+
+# Label inodes from combination of task label and fs label.
+# Define type_transition rules if you want per-domain types.
+fs_use_trans devpts u:object_r:devpts:s0;
+fs_use_trans tmpfs u:object_r:tmpfs:s0;
+fs_use_trans devtmpfs u:object_r:device:s0;
+fs_use_trans shm u:object_r:shm:s0;
+fs_use_trans mqueue u:object_r:mqueue:s0;
+
+# Label inodes with the fs label.
+genfscon rootfs / u:object_r:rootfs:s0
+# proc labeling can be further refined (longest matching prefix).
+genfscon proc / u:object_r:proc:s0
+# selinuxfs booleans can be individually labeled.
+genfscon selinuxfs / u:object_r:selinuxfs:s0
+genfscon cgroup / u:object_r:cgroup:s0
+# sysfs labels can be set by userspace.
+genfscon sysfs / u:object_r:sysfs:s0
+genfscon inotifyfs / u:object_r:inotify:s0
+genfscon vfat / u:object_r:sdcard:s0
+genfscon debugfs / u:object_r:debugfs:s0
+genfscon fuse / u:object_r:sdcard:s0
+
+# portcon statements go here, e.g.
+# portcon tcp 80 u:object_r:http_port:s0

policy_capabilities

@@ -0,0 +1,5 @@
+# Enable new networking controls.
+policycap network_peer_controls;
+
+# Enable open permission check.
+policycap open_perms;

qemud.te

@@ -0,0 +1,6 @@
+# qemu support daemon
+type qemud, domain;
+type qemud_exec, exec_type, file_type;
+
+init_daemon_domain(qemud)
+allow qemud serial_device:chr_file rw_file_perms;

radio.te

@@ -0,0 +1,17 @@
+# phone subsystem
+type radio, domain;
+app_domain(radio)
+net_domain(radio)
+bluetooth_domain(radio)
+
+# Talks to init via the property socket.
+unix_socket_connect(radio, property, init)
+
+# Talks to rild via the rild socket.
+unix_socket_connect(radio, rild, rild)
+
+# Data file accesses.
+allow radio radio_data_file:dir create_dir_perms;
+allow radio radio_data_file:notdevfile_class_set create_file_perms;
+
+allow radio alarm_device:chr_file rw_file_perms;

rild.te

@@ -0,0 +1,21 @@
+# rild - radio interface layer daemon
+type rild, domain;
+type rild_exec, exec_type, file_type;
+
+init_daemon_domain(rild)
+net_domain(rild)
+allow rild kernel:system module_request;
+unix_socket_connect(rild, property, init)
+unix_socket_connect(rild, qemud, qemud)
+allow rild self:capability { setuid net_admin net_raw };
+allow rild alarm_device:chr_file rw_file_perms;
+allow rild cgroup:dir create_dir_perms;
+allow rild radio_device:chr_file rw_file_perms;
+allow rild qemu_device:chr_file rw_file_perms;
+allow rild mtd_device:dir search;
+allow rild efs_file:dir create_dir_perms;
+allow rild efs_file:file create_file_perms;
+allow rild shell_exec:file rx_file_perms;
+dontaudit rild self:capability sys_admin;
+# XXX Label sysfs files with a specific type?
+allow rild sysfs:file rw_file_perms;

roles

@@ -0,0 +1 @@
+role r types domain;

seapp_contexts

@@ -0,0 +1,37 @@
+# Input selectors: 
+#	isSystemServer (boolean)
+#	user (string)
+#	seinfo (string)
+#	name (string)
+# isSystemServer=true can only be used once.
+# An unspecified boolean defaults to false.
+# An unspecified string selector will match any value.
+# A user string selector that ends in * will perform a prefix match.
+# seinfo= is only used when looking up app process security contexts.
+# All specified input selectors in an entry must match (i.e. logical AND).
+# Matching is case-insensitive.
+# Precedence rules:
+# 	  (1) isSystemServer=true before isSystemServer=false.
+#	  (2) Specified user= string before unspecified user= string.
+#	  (3) Fixed user= string before user= prefix (i.e. ending in *).
+#	  (4) Longer user= prefix before shorter user= prefix. 
+#	  (5) Specified seinfo= string before unspecified seinfo= string.
+#	  (6) Specified name= string before unspecified name= string.
+#
+# Outputs:
+#	domain (string)
+#	type (string)
+#	levelFromUid (boolean)
+#	level (string)
+# Only entries that specify domain= will be used for app process labeling.
+# Only entries that specify type= will be used for app directory labeling.
+# levelfromUid is only supported for app UIDs presently.
+# level may be used to specify a fixed level for any UID. 
+#
+isSystemServer=true domain=system
+user=system domain=system_app type=system_data_file
+user=nfc domain=nfc type=nfc_data_file
+user=radio domain=radio type=radio_data_file
+user=app_* domain=untrusted_app type=app_data_file levelFromUid=true
+user=app_* seinfo=systemApp domain=trusted_app levelFromUid=true
+user=app_* seinfo=systemApp name=com.android.browser domain=browser_app levelFromUid=true

security_classes

@@ -0,0 +1,137 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related classes
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+#
+# userspace object manager classes
+#
+
+# passwd/chfn/chsh
+class passwd			# userspace
+
+# SE-X Windows stuff (more classes below)
+class x_drawable		# userspace
+class x_screen			# userspace
+class x_gc			# userspace
+class x_font			# userspace
+class x_colormap		# userspace
+class x_property		# userspace
+class x_selection		# userspace
+class x_cursor			# userspace
+class x_client			# userspace
+class x_device			# userspace
+class x_server			# userspace
+class x_extension		# userspace
+
+# extended netlink sockets
+class netlink_route_socket
+class netlink_firewall_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_ip6fw_socket
+class netlink_dnrt_socket
+
+class dbus			# userspace
+class nscd			# userspace
+
+# IPSec association
+class association
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+
+class appletalk_socket
+
+class packet
+
+# Kernel access key retention
+class key
+
+class context			# userspace
+
+class dccp_socket
+
+class memprotect
+
+class db_database		# userspace
+class db_table			# userspace
+class db_procedure		# userspace
+class db_column			# userspace
+class db_tuple			# userspace
+class db_blob			# userspace
+
+# network peer labels
+class peer
+
+# Capabilities >= 32
+class capability2
+
+# More SE-X Windows stuff
+class x_resource		# userspace
+class x_event			# userspace
+class x_synthetic_event		# userspace
+class x_application_data	# userspace
+
+# kernel services that need to override task security, e.g. cachefiles
+class kernel_service
+
+class tun_socket
+
+# Still More SE-X Windows stuff
+class x_pointer			# userspace
+class x_keyboard		# userspace
+
+# More Database stuff
+class db_schema			# userspace
+class db_view			# userspace
+class db_sequence		# userspace
+class db_language		# userspace
+
+class binder
+class zygote
+
+# FLASK

servicemanager.te

@@ -0,0 +1,14 @@
+# servicemanager - the Binder context manager
+type servicemanager, domain;
+type servicemanager_exec, exec_type, file_type;
+
+init_daemon_domain(servicemanager)
+
+# Note that we do not use the binder_* macros here.
+# servicemanager is unique in that it only provides
+# name service (aka context manager) for Binder.
+# As such, it only ever receives and transfers other references
+# created by other domains.  It never passes its own references
+# or initiates a Binder IPC.
+allow servicemanager self:binder set_context_mgr;
+allow servicemanager domain:binder { receive transfer };

shell.te

@@ -0,0 +1,30 @@
+type shell, domain;
+type shell_exec, file_type;
+domain_auto_trans(adbd, shell_exec, shell)
+domain_auto_trans(init, shell_exec, shell)
+allow shell rootfs:dir r_dir_perms;
+allow shell devpts:chr_file rw_file_perms;
+allow shell tty_device:chr_file rw_file_perms;
+allow shell console_device:chr_file rw_file_perms;
+allow shell system_file:file x_file_perms;
+allow shell shell_exec:file rx_file_perms;
+allow shell zygote_exec:file rx_file_perms;
+allow shell shell_data_file:dir create_dir_perms;
+allow shell shell_data_file:file create_file_perms;
+allow shell shell_data_file:file rx_file_perms;
+
+r_dir_file(shell, apk_data_file)
+allow shell dalvikcache_data_file:file write;
+
+# Run dmesg.
+allow shell kernel:system syslog_read;
+
+# Run cat /proc/kmsg.
+allow shell kernel:system syslog_mod;
+
+# Run logcat.
+allow shell log_device:chr_file r_file_perms;
+
+# Run app_process.
+# XXX Split into its own domain?
+app_domain(shell)

su.te

@@ -0,0 +1,6 @@
+type su, domain;
+type su_exec, file_type;
+domain_auto_trans(shell, su_exec, su)
+
+# su is unconfined.
+unconfined_domain(su)

surfaceflinger.te

@@ -0,0 +1,24 @@
+# surfaceflinger - display compositor service
+type surfaceflinger, domain;
+type surfaceflinger_exec, exec_type, file_type;
+
+init_daemon_domain(surfaceflinger)
+typeattribute surfaceflinger mlstrustedsubject;
+
+# Talk to init over the property socket.
+unix_socket_connect(surfaceflinger, property, init)
+
+# Perform Binder IPC.
+binder_use(surfaceflinger)
+binder_call(surfaceflinger, system)
+binder_service(surfaceflinger)
+
+# Access /dev/graphics/fb0.
+allow surfaceflinger graphics_device:dir search;
+allow surfaceflinger graphics_device:chr_file rw_file_perms;
+
+# Access /dev/video1.
+allow surfaceflinger video_device:chr_file rw_file_perms;
+
+# Create and use netlink kobject uevent sockets.
+allow surfaceflinger self:netlink_kobject_uevent_socket *;

system.te

@@ -0,0 +1,134 @@
+#
+# Apps that run with the system UID, e.g. com.android.system.ui,
+# com.android.settings.  These are not as privileged as the system
+# server.
+#
+type system_app, domain;
+app_domain(system_app)
+
+# Perform binder IPC to any app domain.
+binder_call(system_app, appdomain)
+binder_transfer(system_app, appdomain)
+
+# Read and write system data files.
+# May want to split into separate types.
+allow system_app system_data_file:dir create_dir_perms;
+allow system_app system_data_file:file create_file_perms;
+
+# Write to dalvikcache.
+allow system_app dalvikcache_data_file:file { write setattr };
+
+# Talk to keystore.
+unix_socket_connect(system_app, keystore, keystore)
+
+# Read SELinux enforcing status.
+selinux_getenforce(system_app)
+
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
+type system, domain, mlstrustedsubject;
+
+# Child of the zygote.
+allow system zygote:fd use;
+allow system zygote:process sigchld;
+allow system zygote_tmpfs:file read;
+
+# system server gets network and bluetooth permissions.
+net_domain(system)
+bluetooth_domain(system)
+
+# These are the capabilities assigned by the zygote to the
+# system server.
+# XXX See if we can remove some of these.
+allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };
+
+# Use netlink uevent sockets.
+allow system self:netlink_kobject_uevent_socket *;
+
+# Kill apps.
+allow system appdomain:process { sigkill signal };
+
+# Read /proc data for apps.
+allow system appdomain:dir r_dir_perms;
+allow system appdomain:{ file lnk_file } rw_file_perms;
+
+# Write to /proc/net/xt_qtaguid/ctrl.
+# XXX Split /proc/net into its own type.
+allow system proc:file write;
+
+# Notify init of death.
+allow system init:process sigchld;
+
+# Talk to init and various daemons via sockets.
+unix_socket_connect(system, property, init)
+unix_socket_connect(system, qemud, qemud)
+unix_socket_connect(system, installd, installd)
+unix_socket_connect(system, netd, netd)
+unix_socket_connect(system, vold, vold)
+unix_socket_connect(system, zygote, zygote)
+unix_socket_connect(system, keystore, keystore)
+unix_socket_connect(system, dbus, dbusd)
+unix_socket_connect(system, gps, gpsd)
+unix_socket_connect(system, bluetooth, bluetoothd)
+unix_socket_send(system, wpa, wpa)
+
+# Perform Binder IPC.
+tmpfs_domain(system)
+binder_use(system)
+binder_call(system, binderservicedomain)
+binder_call(system, appdomain)
+binder_service(system)
+# Transfer other Binder references.
+binder_transfer(system, binderservicedomain)
+binder_transfer(system, appdomain)
+
+# Read /proc/pid files for Binder clients.
+r_dir_file(system, appdomain)
+r_dir_file(system, mediaserver)
+allow system appdomain:process getattr;
+allow system mediaserver:process getattr;
+
+# Specify any arguments to zygote.
+allow system self:zygote *;
+
+# Check SELinux permissions.
+selinux_check_access(system)
+
+# XXX Label sysfs files with a specific type?
+allow system sysfs:file rw_file_perms;
+
+# Access devices.
+allow system device:chr_file rw_file_perms;
+allow system akm_device:chr_file rw_file_perms;
+allow system accelerometer_device:chr_file rw_file_perms;
+allow system alarm_device:chr_file rw_file_perms;
+allow system graphics_device:dir search;
+allow system graphics_device:chr_file rw_file_perms;
+allow system input_device:dir r_dir_perms;
+allow system input_device:chr_file rw_file_perms;
+allow system tty_device:chr_file rw_file_perms;
+allow system urandom_device:chr_file rw_file_perms;
+allow system video_device:chr_file rw_file_perms;
+allow system qemu_device:chr_file rw_file_perms;
+
+# Manage data files.
+allow system data_file_type:dir create_dir_perms;
+allow system data_file_type:notdevfile_class_set create_file_perms;
+
+# Create a socket for receiving info from wpa.
+type_transition system wifi_data_file:sock_file system_wpa_socket;
+allow system system_wpa_socket:sock_file create_file_perms;
+
+# Manage cache files.
+allow system cache_file:dir create_dir_perms;
+allow system cache_file:file create_file_perms;
+
+# Run system programs, e.g. dexopt.
+allow system system_file:file x_file_perms;
+
+# Silently deny any /proc accesses that are not allowed.
+# This suppresses noise from walking the process list.
+dontaudit system domain:dir r_dir_perms;
+dontaudit system domain:file r_file_perms;

te_macros

@@ -0,0 +1,207 @@
+#####################################
+# domain_trans(olddomain, type, newdomain)
+# Allow a transition from olddomain to newdomain
+# upon executing a file labeled with type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use domain_auto_trans
+# if that is what you want.
+#
+define(`domain_trans', `
+# Old domain may exec the file and transition to the new domain.
+allow $1 $2:file { getattr open read execute };
+allow $1 $3:process transition;
+# New domain is entered by executing the file.
+allow $3 $2:file { entrypoint read execute };
+# New domain can send SIGCHLD to its caller.
+allow $3 $1:process sigchld;
+# Enable AT_SECURE, i.e. libc secure mode.
+dontaudit $1 $3:process noatsecure;
+# XXX dontaudit candidate but requires further study.
+allow $1 $3:process { siginh rlimitinh };
+')
+
+#####################################
+# domain_auto_trans(olddomain, type, newdomain)
+# Automatically transition from olddomain to newdomain
+# upon executing a file labeled with type.
+#
+define(`domain_auto_trans', `
+# Allow the necessary permissions.
+domain_trans($1,$2,$3)
+# Make the transition occur by default.
+type_transition $1 $2:process $3;
+')
+
+#####################################
+# file_type_trans(domain, dir_type, file_type)
+# Allow domain to create a file labeled file_type in a
+# directory labeled dir_type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use file_type_auto_trans
+# if that is what you want.
+#
+define(`file_type_trans', `
+# Allow the domain to add entries to the directory.
+allow $1 $2:dir ra_dir_perms;
+# Allow the domain to create the file.
+allow $1 $3:notdevfile_class_set create_file_perms;
+allow $1 $3:dir create_dir_perms;
+')
+
+#####################################
+# file_type_auto_trans(domain, dir_type, file_type)
+# Automatically label new files with file_type when
+# they are created by domain in directories labeled dir_type.
+#
+define(`file_type_auto_trans', `
+# Allow the necessary permissions.
+file_type_trans($1, $2, $3)
+# Make the transition occur by default.
+type_transition $1 $2:dir $3;
+type_transition $1 $2:notdevfile_class_set $3;
+')
+
+#####################################
+# r_dir_file(domain, type)
+# Allow the specified domain to read directories, files
+# and symbolic links of the specified type.
+define(`r_dir_file', `
+allow $1 $2:dir r_dir_perms;
+allow $1 $2:{ file lnk_file } r_file_perms;
+')
+
+#####################################
+# unconfined_domain(domain)
+# Allow the specified domain to do anything.
+#
+define(`unconfined_domain', `
+typeattribute $1 mlstrustedsubject;
+typeattribute $1 unconfineddomain;
+')
+
+#####################################
+# tmpfs_domain(domain)
+# Define and allow access to a unique type for
+# this domain when creating tmpfs / shmem / ashmem files.
+define(`tmpfs_domain', `
+type $1_tmpfs, file_type;
+type_transition $1 tmpfs:file $1_tmpfs;
+# Map with PROT_EXEC.
+allow $1 $1_tmpfs:file { read execute execmod };
+')
+
+#####################################
+# init_daemon_domain(domain)
+# Set up a transition from init to the daemon domain
+# upon executing its binary.
+define(`init_daemon_domain', `
+domain_auto_trans(init, $1_exec, $1)
+tmpfs_domain($1)
+')
+
+#####################################
+# app_domain(domain)
+# Allow a base set of permissions required for all apps.
+define(`app_domain', `
+typeattribute $1 appdomain;
+# Label ashmem objects with our own unique type.
+tmpfs_domain($1)
+')
+
+#####################################
+# net_domain(domain)
+# Allow a base set of permissions required for network access.
+define(`net_domain', `
+typeattribute $1 netdomain;
+')
+
+#####################################
+# bluetooth_domain(domain)
+# Allow a base set of permissions required for bluetooth access.
+define(`bluetooth_domain', `
+typeattribute $1 bluetoothdomain;
+')
+
+#####################################
+# unix_socket_connect(clientdomain, socket, serverdomain)
+# Allow a local socket connection from clientdomain via
+# socket to serverdomain.
+define(`unix_socket_connect', `
+allow $1 $2_socket:sock_file write;
+allow $1 $3:unix_stream_socket connectto;
+')
+
+#####################################
+# unix_socket_send(clientdomain, socket, serverdomain)
+# Allow a local socket send from clientdomain via
+# socket to serverdomain.
+define(`unix_socket_send', `
+allow $1 $2_socket:sock_file write;
+allow $1 $3:unix_dgram_socket sendto;
+')
+
+#####################################
+# binder_use(domain)
+# Allow domain to use Binder IPC.
+define(`binder_use', `
+# Get Binder references from the servicemanager.
+allow $1 servicemanager:binder call;
+# Transfer and receive own Binder references.
+allow $1 self:binder { transfer receive };
+# Map /dev/ashmem with PROT_EXEC.
+allow $1 ashmem_device:chr_file execute;
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+# all domains in domain.te.
+')
+
+#####################################
+# binder_call(clientdomain, serverdomain)
+# Allow clientdomain to perform binder IPC to serverdomain.
+define(`binder_call', `
+# First we receive a Binder ref to the server, then we call it.
+allow $1 $2:binder { receive call };
+# Receive and use open files from the server.
+allow $1 $2:fd use;
+')
+
+#####################################
+# binder_transfer(clientdomain, serverdomain)
+# Allow clientdomain to transfer Binder references created by serverdomain.
+define(`binder_transfer', `
+allow $1 $2:binder transfer;
+')
+
+#####################################
+# binder_service(domain)
+# Mark a domain as being a Binder service domain.
+# Used to allow binder IPC to the various system services.
+define(`binder_service', `
+typeattribute $1 binderservicedomain;
+')
+
+#####################################
+# selinux_check_access(domain)
+# Allow domain to check SELinux permissions via selinuxfs.
+define(`selinux_check_access', `
+allow $1 selinuxfs:dir r_dir_perms;
+allow $1 selinuxfs:file rw_file_perms;
+allow $1 kernel:security compute_av;
+allow $1 self:netlink_selinux_socket *;
+')
+
+#####################################
+# selinux_check_context(domain)
+# Allow domain to check SELinux contexts via selinuxfs.
+define(`selinux_check_context', `
+allow $1 selinuxfs:dir r_dir_perms;
+allow $1 selinuxfs:file rw_file_perms;
+allow $1 kernel:security check_context;
+')
+
+#####################################
+# selinux_getenforce(domain)
+# Allow domain to check whether SELinux is enforcing.
+define(`selinux_getenforce', `
+allow $1 selinuxfs:dir r_dir_perms;
+allow $1 selinuxfs:file r_file_perms;
+')

ueventd.te

@@ -0,0 +1,19 @@
+# ueventd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type ueventd, domain;
+tmpfs_domain(ueventd)
+allow ueventd rootfs:file r_file_perms;
+allow ueventd rootfs:file entrypoint;
+allow ueventd init:process sigchld;
+allow ueventd self:capability { chown mknod net_admin setgid fsetid };
+allow ueventd kernel:fd use;
+allow ueventd device:file create_file_perms;
+allow ueventd device:chr_file rw_file_perms;
+allow ueventd sysfs:file rw_file_perms;
+allow ueventd sysfs:file setattr;
+allow ueventd tmpfs:chr_file rw_file_perms;
+allow ueventd dev_type:dir create_dir_perms;
+allow ueventd dev_type:lnk_file { create unlink };
+allow ueventd dev_type:chr_file { create setattr unlink };
+allow ueventd dev_type:blk_file { create setattr unlink };
+allow ueventd self:netlink_kobject_uevent_socket *;

unconfined.te

@@ -0,0 +1,23 @@
+allow unconfineddomain self:capability_class_set *;
+allow unconfineddomain kernel:security *;
+allow unconfineddomain kernel:system *;
+allow unconfineddomain self:memprotect *;
+allow unconfineddomain domain:process *;
+allow unconfineddomain domain:fd *;
+allow unconfineddomain domain:dir r_dir_perms;
+allow unconfineddomain domain:lnk_file r_file_perms;
+allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
+allow unconfineddomain domain:socket_class_set *;
+allow unconfineddomain domain:ipc_class_set *;
+allow unconfineddomain domain:key *;
+allow unconfineddomain fs_type:filesystem *;
+allow unconfineddomain fs_type:dir_file_class_set *;
+allow unconfineddomain dev_type:dir_file_class_set *;
+allow unconfineddomain file_type:dir_file_class_set *;
+allow unconfineddomain node_type:node *;
+allow unconfineddomain node_type:{ tcp_socket udp_socket } node_bind;
+allow unconfineddomain netif_type:netif *;
+allow unconfineddomain port_type:socket_class_set name_bind;
+allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
+allow unconfineddomain domain:peer recv;
+allow unconfineddomain domain:binder { call transfer receive };

users

@@ -0,0 +1 @@
+user u roles { r } level s0 range s0 - mls_systemhigh;

vold.te

@@ -0,0 +1,56 @@
+# volume manager
+type vold, domain;
+type vold_exec, exec_type, file_type;
+
+init_daemon_domain(vold)
+typeattribute vold mlstrustedsubject;
+allow vold system_file:file x_file_perms;
+allow vold block_device:dir create_dir_perms;
+allow vold block_device:blk_file create_file_perms;
+allow vold block_device:lnk_file read;
+allow vold devpts:chr_file rw_file_perms;
+allow vold rootfs:dir mounton;
+allow vold sdcard:dir mounton;
+allow vold sdcard:filesystem { mount remount unmount };
+allow vold sdcard:dir create_dir_perms;
+allow vold tmpfs:filesystem { mount unmount };
+allow vold tmpfs:dir create_dir_perms;
+allow vold tmpfs:dir mounton;
+allow vold self:capability { net_admin dac_override mknod sys_admin };
+allow vold self:netlink_kobject_uevent_socket *;
+allow vold app_data_file:dir search;
+allow vold app_data_file:file rw_file_perms;
+allow vold loop_device:blk_file rw_file_perms;
+allow vold dm_device:chr_file rw_file_perms;
+# For vold Process::killProcessesWithOpenFiles function.
+allow vold domain:dir r_dir_perms;
+allow vold domain:{ file lnk_file } r_file_perms;
+allow vold domain:process { signal sigkill };
+allow vold self:capability { sys_ptrace };
+
+# XXX Label sysfs files with a specific type?
+allow vold sysfs:file rw_file_perms;
+
+#
+# Rules to support encrypted fs support.
+#
+
+# Set property.
+unix_socket_connect(vold, property, init)
+
+# Unmount and mount the fs.
+allow vold labeledfs:filesystem { mount unmount };
+
+# Access /efs/userdata_footer.
+# XXX Split into a separate type?
+allow vold efs_file:file rw_file_perms;
+
+# Request AES module.
+allow vold kernel:system module_request;
+
+# Write to /proc/sysrq-trigger
+# XXX Label with a distinct type?
+allow vold proc:file write;
+
+# Create and mount on /data/tmp_mnt.
+allow vold system_data_file:dir { write create add_name mounton };

wpa_supplicant.te

@@ -0,0 +1,16 @@
+# wpa - wpa supplicant or equivalent
+type wpa, domain;
+type wpa_exec, exec_type, file_type;
+
+init_daemon_domain(wpa)
+allow wpa kernel:system module_request;
+allow wpa self:capability { setuid net_admin setgid net_raw };
+allow wpa cgroup:dir create_dir_perms;
+allow wpa self:netlink_route_socket *;
+allow wpa self:netlink_socket *;
+allow wpa self:packet_socket *;
+allow wpa self:udp_socket *;
+allow wpa wifi_data_file:dir create_dir_perms;
+allow wpa wifi_data_file:file create_file_perms;
+unix_socket_send(wpa, system_wpa, system)
+allow wpa random_device:chr_file r_file_perms;

zygote.te

@@ -0,0 +1,31 @@
+# zygote
+type zygote, domain;
+type zygote_exec, exec_type, file_type;
+
+init_daemon_domain(zygote)
+typeattribute zygote mlstrustedsubject;
+# Override DAC on files and switch uid/gid.
+allow zygote self:capability { dac_override setgid setuid };
+# Switch SELinux context to app domains.
+allow zygote system:process dyntransition;
+allow zygote appdomain:process dyntransition;
+# Move children into the peer process group.
+allow zygote system:process { getpgid setpgid };
+allow zygote appdomain:process { getpgid setpgid };
+# Write to system data.
+allow zygote system_data_file:dir rw_dir_perms;
+allow zygote system_data_file:file create_file_perms;
+allow zygote dalvikcache_data_file:dir rw_dir_perms;
+allow zygote dalvikcache_data_file:file create_file_perms;
+# Execute dexopt.
+allow zygote system_file:file x_file_perms;
+# Control cgroups.
+allow zygote cgroup:dir create_dir_perms;
+allow zygote self:capability sys_admin;
+# Check validity of SELinux context before use.
+selinux_check_context(zygote)
+# Check SELinux permissions.
+selinux_check_access(zygote)
+# Read /seapp_contexts, presently on the rootfs.
+allow zygote rootfs:file r_file_perms;
+