# domain_deprecated: rules removed from the domain attribute.
#
# Every rule below is keyed on the domain_deprecated attribute rather than on
# domain, so only the types that still carry domain_deprecated keep these
# grants. NOTE(review): the attribute name implies these grants are being
# phased out; confirm with the attribute's definition before adding anything
# here, and prefer giving a single domain the specific rule it needs.
#
# r_dir_perms, r_file_perms, w_file_perms, rw_file_perms and r_dir_file() are
# permission-set macros defined outside this file; their exact expansions are
# not visible here, so comments below describe only the literal permission
# sets written in this file.

# Read access to properties mapping.
# The tmpfs file/lnk_file rules grant read+getattr but not open, so they only
# cover descriptors obtained some other way (presumably the property area
# mapping handed down by init — confirm), not opening arbitrary tmpfs files.
allow domain_deprecated kernel:fd use;
allow domain_deprecated tmpfs:file { read getattr };
allow domain_deprecated tmpfs:lnk_file { read getattr };

# Search /storage/emulated tmpfs mount.
allow domain_deprecated tmpfs:dir r_dir_perms;

# Inherit or receive open files from others.
allow domain_deprecated system_server:fd use;

# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
# Security note: connectto means any domain_deprecated type can initiate a
# connection to adbd's unix stream socket; the third rule then permits full
# read/write/ioctl on a socket adbd hands over. Any domain that does not take
# part in adb backup/restore should not need these.
allow domain_deprecated adbd:unix_stream_socket connectto;
allow domain_deprecated adbd:fd use;
allow domain_deprecated adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };

# Root fs (read-only access to /).
allow domain_deprecated rootfs:dir r_dir_perms;
allow domain_deprecated rootfs:file r_file_perms;
allow domain_deprecated rootfs:lnk_file r_file_perms;

# Device accesses.
# Only read on regular files labeled device; no chr_file/blk_file access is
# granted by this rule.
allow domain_deprecated device:file read;

# Filesystem accesses.
# getattr on any fs_type filesystem/dir: statfs-style metadata only.
allow domain_deprecated fs_type:filesystem getattr;
allow domain_deprecated fs_type:dir getattr;

# System file accesses (read-only view of system_file).
allow domain_deprecated system_file:dir r_dir_perms;
allow domain_deprecated system_file:file r_file_perms;
allow domain_deprecated system_file:lnk_file r_file_perms;

# Read files already opened under /data.
# The dir rule has search but not read, so /data cannot be listed, only
# traversed; the file rule has read+getattr but not open, so only descriptors
# that were already opened elsewhere can be read.
allow domain_deprecated system_data_file:dir { search getattr };
allow domain_deprecated system_data_file:file { getattr read };
allow domain_deprecated system_data_file:lnk_file r_file_perms;

# Read apk files under /data/app.
# Directory access is search+getattr only (no listing); files get the full
# r_file_perms set.
allow domain_deprecated apk_data_file:dir { getattr search };
allow domain_deprecated apk_data_file:file r_file_perms;
allow domain_deprecated apk_data_file:lnk_file r_file_perms;

# Read /data/dalvik-cache.
allow domain_deprecated dalvikcache_data_file:dir { search getattr };
allow domain_deprecated dalvikcache_data_file:file r_file_perms;

# Read already opened /cache files.
# As with /data above, the file rule omits open: the directory may be listed
# (r_dir_perms) but new files cannot be opened, only inherited descriptors
# read.
allow domain_deprecated cache_file:dir r_dir_perms;
allow domain_deprecated cache_file:file { getattr read };
allow domain_deprecated cache_file:lnk_file r_file_perms;

# For /acct/uid/*/tasks.
# Security note: this is a write grant on cgroup directories and files for
# every domain_deprecated type, i.e. the ability to move tasks between
# accounting cgroups. The dir write permission is broader than the stated
# purpose suggests — presumably needed to create per-uid cgroup dirs; verify.
allow domain_deprecated cgroup:dir { search write };
allow domain_deprecated cgroup:file w_file_perms;

# Allow access to ion memory allocation device (read/write on the char dev).
allow domain_deprecated ion_device:chr_file rw_file_perms;

# Read access to pseudo filesystems.
# r_dir_file() is a macro; it presumably grants read-only dir and file access
# to the named type — check its definition before relying on the exact set.
r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs)
r_dir_file(domain_deprecated, sysfs_devices_system_cpu)
r_dir_file(domain_deprecated, inotify)
r_dir_file(domain_deprecated, cgroup)
r_dir_file(domain_deprecated, proc_net)
allow domain_deprecated proc_cpuinfo:file r_file_perms;

# debugfs access
allow domain_deprecated debugfs:dir r_dir_perms;
# TODO: The following line can likely be deleted. The only reason
# it was exposed was to allow /sys/kernel/debug/tracing/trace_marker
# write access. This was in the days before labels could be assigned
# to individual files on debugfs
# (b/18935184, https://android-review.googlesource.com/122130)
# Security note: this is a write grant on *every* file still labeled debugfs,
# not just trace_marker. Until the TODO is resolved, keep this in mind when
# assessing what a domain_deprecated type can reach.
allow domain_deprecated debugfs:file w_file_perms;

# Get SELinux enforcing status.
# Read-only access to selinuxfs; no write is granted here, so this rule alone
# does not allow changing enforcement or loading policy (assuming r_file_perms
# contains no write permission — confirm against the macro).
allow domain_deprecated selinuxfs:dir r_dir_perms;
allow domain_deprecated selinuxfs:file r_file_perms;

# /data/security files
# Metadata only on the directory and regular files (search/getattr, getattr);
# only symlinks get r_file_perms.
allow domain_deprecated security_file:dir { search getattr };
allow domain_deprecated security_file:file getattr;
allow domain_deprecated security_file:lnk_file r_file_perms;

# World readable asec image contents
# Regular-file read is limited to asec_public_file; asec_apk_file gets only
# directory read access from this rule.
allow domain_deprecated asec_public_file:file r_file_perms;
allow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;