platform_system_sepolicy/prebuilts/api/202404/202404_general_sepolicy.conf
Inseob Kim 4b9929e2fc Finalize prebuilt CTS artifacts
These three files — general_sepolicy.conf, mapping.cil and
plat_sepolicy.cil — will be used to test the vendor sepolicy's neverallow
rules.

Bug: 330671085
Test: build
Change-Id: I763c9a1e647d614b84c0f7fe3d69affbe64f6153
Merged-In: I763c9a1e647d614b84c0f7fe3d69affbe64f6153
(cherry picked from commit 6f18a17ff8)
2024-04-16 16:18:01 +09:00


#line 1 "system/sepolicy/private/security_classes"
# FLASK
#
# Define the security object classes
#
# Classes marked as userspace are classes
# for userspace object managers
class security
class process
class system
class capability
# file-related classes
class filesystem
class file
class anon_inode
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file
# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket
# sysv-ipc-related classes
class sem
class msg
class msgq
class shm
class ipc
# extended netlink sockets
class netlink_route_socket
class netlink_tcpdiag_socket
class netlink_nflog_socket
class netlink_xfrm_socket
class netlink_selinux_socket
class netlink_audit_socket
class netlink_dnrt_socket
# IPSec association
class association
# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
class appletalk_socket
class packet
# Kernel access key retention
class key
class dccp_socket
class memprotect
# network peer labels
class peer
# Capabilities >= 32
class capability2
# kernel services that need to override task security, e.g. cachefiles
class kernel_service
class tun_socket
class binder
# Updated netlink classes for more recent netlink protocols.
class netlink_iscsi_socket
class netlink_fib_lookup_socket
class netlink_connector_socket
class netlink_netfilter_socket
class netlink_generic_socket
class netlink_scsitransport_socket
class netlink_rdma_socket
class netlink_crypto_socket
# Infiniband
class infiniband_pkey
class infiniband_endport
# Capability checks when on a non-init user namespace
class cap_userns
class cap2_userns
# New socket classes introduced by extended_socket_class policy capability.
# These two were previously mapped to rawip_socket.
class sctp_socket
class icmp_socket
# These were previously mapped to socket.
class ax25_socket
class ipx_socket
class netrom_socket
class atmpvc_socket
class x25_socket
class rose_socket
class decnet_socket
class atmsvc_socket
class rds_socket
class irda_socket
class pppox_socket
class llc_socket
class can_socket
class tipc_socket
class bluetooth_socket
class iucv_socket
class rxrpc_socket
class isdn_socket
class phonet_socket
class ieee802154_socket
class caif_socket
class alg_socket
class nfc_socket
class vsock_socket
class kcm_socket
class qipcrtr_socket
class smc_socket
class process2
class bpf
class xdp_socket
class perf_event
class io_uring
# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
class lockdown
# Property service
class property_service # userspace
# Service manager
class service_manager # userspace
# hardware service manager # userspace
class hwservice_manager
# Legacy Keystore key permissions
class keystore_key # userspace
# Keystore 2.0 permissions
class keystore2 # userspace
# Keystore 2.0 key permissions
class keystore2_key # userspace
# Diced permissions
class diced # userspace
class drmservice # userspace
# FLASK
#line 1 "system/sepolicy/private/initial_sids"
# FLASK
#
# Define initial security identifiers
#
sid kernel
sid security
sid unlabeled
sid fs
sid file
sid file_labels
sid init
sid any_socket
sid port
sid netif
sid netmsg
sid node
sid igmp_packet
sid icmp_socket
sid tcp_socket
sid sysctl_modprobe
sid sysctl
sid sysctl_fs
sid sysctl_kernel
sid sysctl_net
sid sysctl_net_unix
sid sysctl_vm
sid sysctl_dev
sid kmod
sid policy
sid scmp_packet
sid devnull
# FLASK
#line 1 "system/sepolicy/private/access_vectors"
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }
#
# Define a common prefix for file access vectors.
#
common file
{
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
map
unlink
link
rename
execute
quotaon
mounton
audit_access
open
execmod
watch
watch_mount
watch_sb
watch_with_perm
watch_reads
}
#
# Define a common prefix for socket access vectors.
#
common socket
{
# inherited from file
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
map
# socket-specific
bind
connect
listen
accept
getopt
setopt
shutdown
recvfrom
sendto
name_bind
}
#
# Define a common prefix for ipc access vectors.
#
common ipc
{
create
destroy
getattr
setattr
read
write
associate
unix_read
unix_write
}
#
# Define a common for capability access vectors.
#
common cap
{
# The capabilities are defined in include/linux/capability.h
# Capabilities >= 32 are defined in the cap2 common.
# Care should be taken to ensure that these are consistent with
# those definitions. (Order matters)
chown
dac_override
dac_read_search
fowner
fsetid
kill
setgid
setuid
setpcap
linux_immutable
net_bind_service
net_broadcast
net_admin
net_raw
ipc_lock
ipc_owner
sys_module
sys_rawio
sys_chroot
sys_ptrace
sys_pacct
sys_admin
sys_boot
sys_nice
sys_resource
sys_time
sys_tty_config
mknod
lease
audit_write
audit_control
setfcap
}
common cap2
{
mac_override # unused by SELinux
mac_admin
syslog
wake_alarm
block_suspend
audit_read
perfmon
}
#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# Define the access vector interpretation for file-related objects.
#
class filesystem
{
mount
remount
unmount
getattr
relabelfrom
relabelto
associate
quotamod
quotaget
watch
}
class dir
inherits file
{
add_name
remove_name
reparent
search
rmdir
}
class file
inherits file
{
execute_no_trans
entrypoint
}
class anon_inode
inherits file
class lnk_file
inherits file
class chr_file
inherits file
{
execute_no_trans
entrypoint
}
class blk_file
inherits file
class sock_file
inherits file
class fifo_file
inherits file
class fd
{
use
}
#
# Define the access vector interpretation for network-related objects.
#
class socket
inherits socket
class tcp_socket
inherits socket
{
node_bind
name_connect
}
class udp_socket
inherits socket
{
node_bind
}
class rawip_socket
inherits socket
{
node_bind
}
class node
{
recvfrom
sendto
}
class netif
{
ingress
egress
}
class netlink_socket
inherits socket
class packet_socket
inherits socket
class key_socket
inherits socket
class unix_stream_socket
inherits socket
{
connectto
}
class unix_dgram_socket
inherits socket
#
# Define the access vector interpretation for process-related objects
#
class process
{
fork
transition
sigchld # commonly granted from child to parent
sigkill # cannot be caught or ignored
sigstop # cannot be caught or ignored
signull # for kill(pid, 0)
signal # all other signals
ptrace
getsched
setsched
getsession
getpgid
setpgid
getcap
setcap
share
getattr
setexec
setfscreate
noatsecure
siginh
setrlimit
rlimitinh
dyntransition
setcurrent
execmem
execstack
execheap
setkeycreate
setsockcreate
getrlimit
}
class process2
{
nnp_transition
nosuid_transition
}
#
# Define the access vector interpretation for ipc-related objects
#
class ipc
inherits ipc
class sem
inherits ipc
class msgq
inherits ipc
{
enqueue
}
class msg
{
send
receive
}
class shm
inherits ipc
{
lock
}
#
# Define the access vector interpretation for the security server.
#
class security
{
compute_av
compute_create
compute_member
check_context
load_policy
compute_relabel
compute_user
setenforce # was avc_toggle in system class
setbool
setsecparam
setcheckreqprot
read_policy
validate_trans
}
#
# Define the access vector interpretation for system operations.
#
class system
{
ipc_info
syslog_read
syslog_mod
syslog_console
module_request
module_load
}
#
# Define the access vector interpretation for controlling capabilities
#
class capability
inherits cap
class capability2
inherits cap2
#
# Extended Netlink classes
#
class netlink_route_socket
inherits socket
{
nlmsg_read
nlmsg_write
nlmsg_readpriv
nlmsg_getneigh
}
class netlink_tcpdiag_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_nflog_socket
inherits socket
class netlink_xfrm_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_selinux_socket
inherits socket
class netlink_audit_socket
inherits socket
{
nlmsg_read
nlmsg_write
nlmsg_relay
nlmsg_readpriv
nlmsg_tty_audit
}
class netlink_dnrt_socket
inherits socket
# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
sendto
recvfrom
setcontext
polmatch
}
# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket
class appletalk_socket
inherits socket
class packet
{
send
recv
relabelto
forward_in
forward_out
}
class key
{
view
read
write
search
link
setattr
create
}
class dccp_socket
inherits socket
{
node_bind
name_connect
}
class memprotect
{
mmap_zero
}
# network peer labels
class peer
{
recv
}
class kernel_service
{
use_as_override
create_files_as
}
class tun_socket
inherits socket
{
attach_queue
}
class binder
{
impersonate
call
set_context_mgr
transfer
}
class netlink_iscsi_socket
inherits socket
class netlink_fib_lookup_socket
inherits socket
class netlink_connector_socket
inherits socket
class netlink_netfilter_socket
inherits socket
class netlink_generic_socket
inherits socket
class netlink_scsitransport_socket
inherits socket
class netlink_rdma_socket
inherits socket
class netlink_crypto_socket
inherits socket
class infiniband_pkey
{
access
}
class infiniband_endport
{
manage_subnet
}
#
# Define the access vector interpretation for controlling capabilities
# in user namespaces
#
class cap_userns
inherits cap
class cap2_userns
inherits cap2
#
# Define the access vector interpretation for the new socket classes
# enabled by the extended_socket_class policy capability.
#
#
# The next two classes were previously mapped to rawip_socket and therefore
# have the same definition as rawip_socket (until further permissions
# are defined).
#
class sctp_socket
inherits socket
{
node_bind
name_connect
association
}
class icmp_socket
inherits socket
{
node_bind
}
#
# The remaining network socket classes were previously
# mapped to the socket class and therefore have the
# same definition as socket.
#
class ax25_socket
inherits socket
class ipx_socket
inherits socket
class netrom_socket
inherits socket
class atmpvc_socket
inherits socket
class x25_socket
inherits socket
class rose_socket
inherits socket
class decnet_socket
inherits socket
class atmsvc_socket
inherits socket
class rds_socket
inherits socket
class irda_socket
inherits socket
class pppox_socket
inherits socket
class llc_socket
inherits socket
class can_socket
inherits socket
class tipc_socket
inherits socket
class bluetooth_socket
inherits socket
class iucv_socket
inherits socket
class rxrpc_socket
inherits socket
class isdn_socket
inherits socket
class phonet_socket
inherits socket
class ieee802154_socket
inherits socket
class caif_socket
inherits socket
class alg_socket
inherits socket
class nfc_socket
inherits socket
class vsock_socket
inherits socket
class kcm_socket
inherits socket
class qipcrtr_socket
inherits socket
class smc_socket
inherits socket
class bpf
{
map_create
map_read
map_write
prog_load
prog_run
}
class property_service
{
set
}
class service_manager
{
add
find
list
}
class hwservice_manager
{
add
find
list
}
class keystore_key
{
get_state
get
insert
delete
exist
list
reset
password
lock
unlock
is_empty
sign
verify
grant
duplicate
clear_uid
add_auth
user_changed
gen_unique_id
}
class keystore2
{
add_auth
change_password
change_user
clear_ns
clear_uid
delete_all_keys
early_boot_ended
get_attestation_key
get_auth_token
get_last_auth_time
get_state
list
lock
pull_metrics
report_off_body
reset
unlock
}
class keystore2_key
{
convert_storage_key_to_ephemeral
delete
gen_unique_id
get_info
grant
manage_blob
rebind
req_forced_op
update
use
use_dev_id
}
class diced
{
demote
demote_self
derive
get_attestation_chain
use_seal
use_sign
}
class drmservice {
consumeRights
setPlaybackStatus
openDecryptSession
closeDecryptSession
initializeDecryptUnit
decrypt
finalizeDecryptUnit
pread
}
class xdp_socket
inherits socket
class perf_event
{
open
cpu
kernel
tracepoint
read
write
}
class lockdown
{
integrity
confidentiality
}
class io_uring
{
override_creds
sqpoll
cmd
}
#line 1 "system/sepolicy/public/global_macros"
#####################################
# Common groupings of object classes.
#
#####################################
# Common groupings of permissions.
#
#####################################
# Common socket permission sets.
#line 1 "system/sepolicy/public/neverallow_macros"
#
# Common neverallow permissions
#####################################
# neverallow_establish_socket_comms(src, dst)
# neverallow src domain establishing socket connections to dst domain.
#
#line 15
#line 1 "system/sepolicy/private/mls_macros"
########################################
#
# gen_cats(N)
#
# declares categores c0 to c(N-1)
#
#line 10
########################################
#
# gen_sens(N)
#
# declares sensitivites s0 to s(N-1) with dominance
# in increasing numeric order with s0 lowest, s(N-1) highest
#
#line 24
#line 34
########################################
#
# gen_levels(N,M)
#
# levels from s0 to (N-1) with categories c0 to (M-1)
#
#line 45
########################################
#
# Basic level names for system low and high
#
#line 1 "system/sepolicy/private/mls_decl"
#########################################
# MLS declarations
#
# Generate the desired number of sensitivities and categories.
#line 6
# Each sensitivity has a name and zero or more aliases.
#line 6
sensitivity s0;
#line 6
#line 6
#line 6
# Define the ordering of the sensitivity levels (least to greatest)
#line 6
dominance { s0 }
#line 6
category c0;
#line 7
category c1;
#line 7
category c2;
#line 7
category c3;
#line 7
category c4;
#line 7
category c5;
#line 7
category c6;
#line 7
category c7;
#line 7
category c8;
#line 7
category c9;
#line 7
category c10;
#line 7
category c11;
#line 7
category c12;
#line 7
category c13;
#line 7
category c14;
#line 7
category c15;
#line 7
category c16;
#line 7
category c17;
#line 7
category c18;
#line 7
category c19;
#line 7
category c20;
#line 7
category c21;
#line 7
category c22;
#line 7
category c23;
#line 7
category c24;
#line 7
category c25;
#line 7
category c26;
#line 7
category c27;
#line 7
category c28;
#line 7
category c29;
#line 7
category c30;
#line 7
category c31;
#line 7
category c32;
#line 7
category c33;
#line 7
category c34;
#line 7
category c35;
#line 7
category c36;
#line 7
category c37;
#line 7
category c38;
#line 7
category c39;
#line 7
category c40;
#line 7
category c41;
#line 7
category c42;
#line 7
category c43;
#line 7
category c44;
#line 7
category c45;
#line 7
category c46;
#line 7
category c47;
#line 7
category c48;
#line 7
category c49;
#line 7
category c50;
#line 7
category c51;
#line 7
category c52;
#line 7
category c53;
#line 7
category c54;
#line 7
category c55;
#line 7
category c56;
#line 7
category c57;
#line 7
category c58;
#line 7
category c59;
#line 7
category c60;
#line 7
category c61;
#line 7
category c62;
#line 7
category c63;
#line 7
category c64;
#line 7
category c65;
#line 7
category c66;
#line 7
category c67;
#line 7
category c68;
#line 7
category c69;
#line 7
category c70;
#line 7
category c71;
#line 7
category c72;
#line 7
category c73;
#line 7
category c74;
#line 7
category c75;
#line 7
category c76;
#line 7
category c77;
#line 7
category c78;
#line 7
category c79;
#line 7
category c80;
#line 7
category c81;
#line 7
category c82;
#line 7
category c83;
#line 7
category c84;
#line 7
category c85;
#line 7
category c86;
#line 7
category c87;
#line 7
category c88;
#line 7
category c89;
#line 7
category c90;
#line 7
category c91;
#line 7
category c92;
#line 7
category c93;
#line 7
category c94;
#line 7
category c95;
#line 7
category c96;
#line 7
category c97;
#line 7
category c98;
#line 7
category c99;
#line 7
category c100;
#line 7
category c101;
#line 7
category c102;
#line 7
category c103;
#line 7
category c104;
#line 7
category c105;
#line 7
category c106;
#line 7
category c107;
#line 7
category c108;
#line 7
category c109;
#line 7
category c110;
#line 7
category c111;
#line 7
category c112;
#line 7
category c113;
#line 7
category c114;
#line 7
category c115;
#line 7
category c116;
#line 7
category c117;
#line 7
category c118;
#line 7
category c119;
#line 7
category c120;
#line 7
category c121;
#line 7
category c122;
#line 7
category c123;
#line 7
category c124;
#line 7
category c125;
#line 7
category c126;
#line 7
category c127;
#line 7
category c128;
#line 7
category c129;
#line 7
category c130;
#line 7
category c131;
#line 7
category c132;
#line 7
category c133;
#line 7
category c134;
#line 7
category c135;
#line 7
category c136;
#line 7
category c137;
#line 7
category c138;
#line 7
category c139;
#line 7
category c140;
#line 7
category c141;
#line 7
category c142;
#line 7
category c143;
#line 7
category c144;
#line 7
category c145;
#line 7
category c146;
#line 7
category c147;
#line 7
category c148;
#line 7
category c149;
#line 7
category c150;
#line 7
category c151;
#line 7
category c152;
#line 7
category c153;
#line 7
category c154;
#line 7
category c155;
#line 7
category c156;
#line 7
category c157;
#line 7
category c158;
#line 7
category c159;
#line 7
category c160;
#line 7
category c161;
#line 7
category c162;
#line 7
category c163;
#line 7
category c164;
#line 7
category c165;
#line 7
category c166;
#line 7
category c167;
#line 7
category c168;
#line 7
category c169;
#line 7
category c170;
#line 7
category c171;
#line 7
category c172;
#line 7
category c173;
#line 7
category c174;
#line 7
category c175;
#line 7
category c176;
#line 7
category c177;
#line 7
category c178;
#line 7
category c179;
#line 7
category c180;
#line 7
category c181;
#line 7
category c182;
#line 7
category c183;
#line 7
category c184;
#line 7
category c185;
#line 7
category c186;
#line 7
category c187;
#line 7
category c188;
#line 7
category c189;
#line 7
category c190;
#line 7
category c191;
#line 7
category c192;
#line 7
category c193;
#line 7
category c194;
#line 7
category c195;
#line 7
category c196;
#line 7
category c197;
#line 7
category c198;
#line 7
category c199;
#line 7
category c200;
#line 7
category c201;
#line 7
category c202;
#line 7
category c203;
#line 7
category c204;
#line 7
category c205;
#line 7
category c206;
#line 7
category c207;
#line 7
category c208;
#line 7
category c209;
#line 7
category c210;
#line 7
category c211;
#line 7
category c212;
#line 7
category c213;
#line 7
category c214;
#line 7
category c215;
#line 7
category c216;
#line 7
category c217;
#line 7
category c218;
#line 7
category c219;
#line 7
category c220;
#line 7
category c221;
#line 7
category c222;
#line 7
category c223;
#line 7
category c224;
#line 7
category c225;
#line 7
category c226;
#line 7
category c227;
#line 7
category c228;
#line 7
category c229;
#line 7
category c230;
#line 7
category c231;
#line 7
category c232;
#line 7
category c233;
#line 7
category c234;
#line 7
category c235;
#line 7
category c236;
#line 7
category c237;
#line 7
category c238;
#line 7
category c239;
#line 7
category c240;
#line 7
category c241;
#line 7
category c242;
#line 7
category c243;
#line 7
category c244;
#line 7
category c245;
#line 7
category c246;
#line 7
category c247;
#line 7
category c248;
#line 7
category c249;
#line 7
category c250;
#line 7
category c251;
#line 7
category c252;
#line 7
category c253;
#line 7
category c254;
#line 7
category c255;
#line 7
category c256;
#line 7
category c257;
#line 7
category c258;
#line 7
category c259;
#line 7
category c260;
#line 7
category c261;
#line 7
category c262;
#line 7
category c263;
#line 7
category c264;
#line 7
category c265;
#line 7
category c266;
#line 7
category c267;
#line 7
category c268;
#line 7
category c269;
#line 7
category c270;
#line 7
category c271;
#line 7
category c272;
#line 7
category c273;
#line 7
category c274;
#line 7
category c275;
#line 7
category c276;
#line 7
category c277;
#line 7
category c278;
#line 7
category c279;
#line 7
category c280;
#line 7
category c281;
#line 7
category c282;
#line 7
category c283;
#line 7
category c284;
#line 7
category c285;
#line 7
category c286;
#line 7
category c287;
#line 7
category c288;
#line 7
category c289;
#line 7
category c290;
#line 7
category c291;
#line 7
category c292;
#line 7
category c293;
#line 7
category c294;
#line 7
category c295;
#line 7
category c296;
#line 7
category c297;
#line 7
category c298;
#line 7
category c299;
#line 7
category c300;
#line 7
category c301;
#line 7
category c302;
#line 7
category c303;
#line 7
category c304;
#line 7
category c305;
#line 7
category c306;
#line 7
category c307;
#line 7
category c308;
#line 7
category c309;
#line 7
category c310;
#line 7
category c311;
#line 7
category c312;
#line 7
category c313;
#line 7
category c314;
#line 7
category c315;
#line 7
category c316;
#line 7
category c317;
#line 7
category c318;
#line 7
category c319;
#line 7
category c320;
#line 7
category c321;
#line 7
category c322;
#line 7
category c323;
#line 7
category c324;
#line 7
category c325;
#line 7
category c326;
#line 7
category c327;
#line 7
category c328;
#line 7
category c329;
#line 7
category c330;
#line 7
category c331;
#line 7
category c332;
#line 7
category c333;
#line 7
category c334;
#line 7
category c335;
#line 7
category c336;
#line 7
category c337;
#line 7
category c338;
#line 7
category c339;
#line 7
category c340;
#line 7
category c341;
#line 7
category c342;
#line 7
category c343;
#line 7
category c344;
#line 7
category c345;
#line 7
category c346;
#line 7
category c347;
#line 7
category c348;
#line 7
category c349;
#line 7
category c350;
#line 7
category c351;
#line 7
category c352;
#line 7
category c353;
#line 7
category c354;
#line 7
category c355;
#line 7
category c356;
#line 7
category c357;
#line 7
category c358;
#line 7
category c359;
#line 7
category c360;
#line 7
category c361;
#line 7
category c362;
#line 7
category c363;
#line 7
category c364;
#line 7
category c365;
#line 7
category c366;
#line 7
category c367;
#line 7
category c368;
#line 7
category c369;
#line 7
category c370;
#line 7
category c371;
#line 7
category c372;
#line 7
category c373;
#line 7
category c374;
#line 7
category c375;
#line 7
category c376;
#line 7
category c377;
#line 7
category c378;
#line 7
category c379;
#line 7
category c380;
#line 7
category c381;
#line 7
category c382;
#line 7
category c383;
#line 7
category c384;
#line 7
category c385;
#line 7
category c386;
#line 7
category c387;
#line 7
category c388;
#line 7
category c389;
#line 7
category c390;
#line 7
category c391;
#line 7
category c392;
#line 7
category c393;
#line 7
category c394;
#line 7
category c395;
#line 7
category c396;
#line 7
category c397;
#line 7
category c398;
#line 7
category c399;
#line 7
category c400;
#line 7
category c401;
#line 7
category c402;
#line 7
category c403;
#line 7
category c404;
#line 7
category c405;
#line 7
category c406;
#line 7
category c407;
#line 7
category c408;
#line 7
category c409;
#line 7
category c410;
#line 7
category c411;
#line 7
category c412;
#line 7
category c413;
#line 7
category c414;
#line 7
category c415;
#line 7
category c416;
#line 7
category c417;
#line 7
category c418;
#line 7
category c419;
#line 7
category c420;
#line 7
category c421;
#line 7
category c422;
#line 7
category c423;
#line 7
category c424;
#line 7
category c425;
#line 7
category c426;
#line 7
category c427;
#line 7
category c428;
#line 7
category c429;
#line 7
category c430;
#line 7
category c431;
#line 7
category c432;
#line 7
category c433;
#line 7
category c434;
#line 7
category c435;
#line 7
category c436;
#line 7
category c437;
#line 7
category c438;
#line 7
category c439;
#line 7
category c440;
#line 7
category c441;
#line 7
category c442;
#line 7
category c443;
#line 7
category c444;
#line 7
category c445;
#line 7
category c446;
#line 7
category c447;
#line 7
category c448;
#line 7
category c449;
#line 7
category c450;
#line 7
category c451;
#line 7
category c452;
#line 7
category c453;
#line 7
category c454;
#line 7
category c455;
#line 7
category c456;
#line 7
category c457;
#line 7
category c458;
#line 7
category c459;
#line 7
category c460;
#line 7
category c461;
#line 7
category c462;
#line 7
category c463;
#line 7
category c464;
#line 7
category c465;
#line 7
category c466;
#line 7
category c467;
#line 7
category c468;
#line 7
category c469;
#line 7
category c470;
#line 7
category c471;
#line 7
category c472;
#line 7
category c473;
#line 7
category c474;
#line 7
category c475;
#line 7
category c476;
#line 7
category c477;
#line 7
category c478;
#line 7
category c479;
#line 7
category c480;
#line 7
category c481;
#line 7
category c482;
#line 7
category c483;
#line 7
category c484;
#line 7
category c485;
#line 7
category c486;
#line 7
category c487;
#line 7
category c488;
#line 7
category c489;
#line 7
category c490;
#line 7
category c491;
#line 7
category c492;
#line 7
category c493;
#line 7
category c494;
#line 7
category c495;
#line 7
category c496;
#line 7
category c497;
#line 7
category c498;
#line 7
category c499;
#line 7
category c500;
#line 7
category c501;
#line 7
category c502;
#line 7
category c503;
#line 7
category c504;
#line 7
category c505;
#line 7
category c506;
#line 7
category c507;
#line 7
category c508;
#line 7
category c509;
#line 7
category c510;
#line 7
category c511;
#line 7
category c512;
#line 7
category c513;
#line 7
category c514;
#line 7
category c515;
#line 7
category c516;
#line 7
category c517;
#line 7
category c518;
#line 7
category c519;
#line 7
category c520;
#line 7
category c521;
#line 7
category c522;
#line 7
category c523;
#line 7
category c524;
#line 7
category c525;
#line 7
category c526;
#line 7
category c527;
#line 7
category c528;
#line 7
category c529;
#line 7
category c530;
#line 7
category c531;
#line 7
category c532;
#line 7
category c533;
#line 7
category c534;
#line 7
category c535;
#line 7
category c536;
#line 7
category c537;
#line 7
category c538;
#line 7
category c539;
#line 7
category c540;
#line 7
category c541;
#line 7
category c542;
#line 7
category c543;
#line 7
category c544;
#line 7
category c545;
#line 7
category c546;
#line 7
category c547;
#line 7
category c548;
#line 7
category c549;
#line 7
category c550;
#line 7
category c551;
#line 7
category c552;
#line 7
category c553;
#line 7
category c554;
#line 7
category c555;
#line 7
category c556;
#line 7
category c557;
#line 7
category c558;
#line 7
category c559;
#line 7
category c560;
#line 7
category c561;
#line 7
category c562;
#line 7
category c563;
#line 7
category c564;
#line 7
category c565;
#line 7
category c566;
#line 7
category c567;
#line 7
category c568;
#line 7
category c569;
#line 7
category c570;
#line 7
category c571;
#line 7
category c572;
#line 7
category c573;
#line 7
category c574;
#line 7
category c575;
#line 7
category c576;
#line 7
category c577;
#line 7
category c578;
#line 7
category c579;
#line 7
category c580;
#line 7
category c581;
#line 7
category c582;
#line 7
category c583;
#line 7
category c584;
#line 7
category c585;
#line 7
category c586;
#line 7
category c587;
#line 7
category c588;
#line 7
category c589;
#line 7
category c590;
#line 7
category c591;
#line 7
category c592;
#line 7
category c593;
#line 7
category c594;
#line 7
category c595;
#line 7
category c596;
#line 7
category c597;
#line 7
category c598;
#line 7
category c599;
#line 7
category c600;
#line 7
category c601;
#line 7
category c602;
#line 7
category c603;
#line 7
category c604;
#line 7
category c605;
#line 7
category c606;
#line 7
category c607;
#line 7
category c608;
#line 7
category c609;
#line 7
category c610;
#line 7
category c611;
#line 7
category c612;
#line 7
category c613;
#line 7
category c614;
#line 7
category c615;
#line 7
category c616;
#line 7
category c617;
#line 7
category c618;
#line 7
category c619;
#line 7
category c620;
#line 7
category c621;
#line 7
category c622;
#line 7
category c623;
#line 7
category c624;
#line 7
category c625;
#line 7
category c626;
#line 7
category c627;
#line 7
category c628;
#line 7
category c629;
#line 7
category c630;
#line 7
category c631;
#line 7
category c632;
#line 7
category c633;
#line 7
category c634;
#line 7
category c635;
#line 7
category c636;
#line 7
category c637;
#line 7
category c638;
#line 7
category c639;
#line 7
category c640;
#line 7
category c641;
#line 7
category c642;
#line 7
category c643;
#line 7
category c644;
#line 7
category c645;
#line 7
category c646;
#line 7
category c647;
#line 7
category c648;
#line 7
category c649;
#line 7
category c650;
#line 7
category c651;
#line 7
category c652;
#line 7
category c653;
#line 7
category c654;
#line 7
category c655;
#line 7
category c656;
#line 7
category c657;
#line 7
category c658;
#line 7
category c659;
#line 7
category c660;
#line 7
category c661;
#line 7
category c662;
#line 7
category c663;
#line 7
category c664;
#line 7
category c665;
#line 7
category c666;
#line 7
category c667;
#line 7
category c668;
#line 7
category c669;
#line 7
category c670;
#line 7
category c671;
#line 7
category c672;
#line 7
category c673;
#line 7
category c674;
#line 7
category c675;
#line 7
category c676;
#line 7
category c677;
#line 7
category c678;
#line 7
category c679;
#line 7
category c680;
#line 7
category c681;
#line 7
category c682;
#line 7
category c683;
#line 7
category c684;
#line 7
category c685;
#line 7
category c686;
#line 7
category c687;
#line 7
category c688;
#line 7
category c689;
#line 7
category c690;
#line 7
category c691;
#line 7
category c692;
#line 7
category c693;
#line 7
category c694;
#line 7
category c695;
#line 7
category c696;
#line 7
category c697;
#line 7
category c698;
#line 7
category c699;
#line 7
category c700;
#line 7
category c701;
#line 7
category c702;
#line 7
category c703;
#line 7
category c704;
#line 7
category c705;
#line 7
category c706;
#line 7
category c707;
#line 7
category c708;
#line 7
category c709;
#line 7
category c710;
#line 7
category c711;
#line 7
category c712;
#line 7
category c713;
#line 7
category c714;
#line 7
category c715;
#line 7
category c716;
#line 7
category c717;
#line 7
category c718;
#line 7
category c719;
#line 7
category c720;
#line 7
category c721;
#line 7
category c722;
#line 7
category c723;
#line 7
category c724;
#line 7
category c725;
#line 7
category c726;
#line 7
category c727;
#line 7
category c728;
#line 7
category c729;
#line 7
category c730;
#line 7
category c731;
#line 7
category c732;
#line 7
category c733;
#line 7
category c734;
#line 7
category c735;
#line 7
category c736;
#line 7
category c737;
#line 7
category c738;
#line 7
category c739;
#line 7
category c740;
#line 7
category c741;
#line 7
category c742;
#line 7
category c743;
#line 7
category c744;
#line 7
category c745;
#line 7
category c746;
#line 7
category c747;
#line 7
category c748;
#line 7
category c749;
#line 7
category c750;
#line 7
category c751;
#line 7
category c752;
#line 7
category c753;
#line 7
category c754;
#line 7
category c755;
#line 7
category c756;
#line 7
category c757;
#line 7
category c758;
#line 7
category c759;
#line 7
category c760;
#line 7
category c761;
#line 7
category c762;
#line 7
category c763;
#line 7
category c764;
#line 7
category c765;
#line 7
category c766;
#line 7
category c767;
#line 7
category c768;
#line 7
category c769;
#line 7
category c770;
#line 7
category c771;
#line 7
category c772;
#line 7
category c773;
#line 7
category c774;
#line 7
category c775;
#line 7
category c776;
#line 7
category c777;
#line 7
category c778;
#line 7
category c779;
#line 7
category c780;
#line 7
category c781;
#line 7
category c782;
#line 7
category c783;
#line 7
category c784;
#line 7
category c785;
#line 7
category c786;
#line 7
category c787;
#line 7
category c788;
#line 7
category c789;
#line 7
category c790;
#line 7
category c791;
#line 7
category c792;
#line 7
category c793;
#line 7
category c794;
#line 7
category c795;
#line 7
category c796;
#line 7
category c797;
#line 7
category c798;
#line 7
category c799;
#line 7
category c800;
#line 7
category c801;
#line 7
category c802;
#line 7
category c803;
#line 7
category c804;
#line 7
category c805;
#line 7
category c806;
#line 7
category c807;
#line 7
category c808;
#line 7
category c809;
#line 7
category c810;
#line 7
category c811;
#line 7
category c812;
#line 7
category c813;
#line 7
category c814;
#line 7
category c815;
#line 7
category c816;
#line 7
category c817;
#line 7
category c818;
#line 7
category c819;
#line 7
category c820;
#line 7
category c821;
#line 7
category c822;
#line 7
category c823;
#line 7
category c824;
#line 7
category c825;
#line 7
category c826;
#line 7
category c827;
#line 7
category c828;
#line 7
category c829;
#line 7
category c830;
#line 7
category c831;
#line 7
category c832;
#line 7
category c833;
#line 7
category c834;
#line 7
category c835;
#line 7
category c836;
#line 7
category c837;
#line 7
category c838;
#line 7
category c839;
#line 7
category c840;
#line 7
category c841;
#line 7
category c842;
#line 7
category c843;
#line 7
category c844;
#line 7
category c845;
#line 7
category c846;
#line 7
category c847;
#line 7
category c848;
#line 7
category c849;
#line 7
category c850;
#line 7
category c851;
#line 7
category c852;
#line 7
category c853;
#line 7
category c854;
#line 7
category c855;
#line 7
category c856;
#line 7
category c857;
#line 7
category c858;
#line 7
category c859;
#line 7
category c860;
#line 7
category c861;
#line 7
category c862;
#line 7
category c863;
#line 7
category c864;
#line 7
category c865;
#line 7
category c866;
#line 7
category c867;
#line 7
category c868;
#line 7
category c869;
#line 7
category c870;
#line 7
category c871;
#line 7
category c872;
#line 7
category c873;
#line 7
category c874;
#line 7
category c875;
#line 7
category c876;
#line 7
category c877;
#line 7
category c878;
#line 7
category c879;
#line 7
category c880;
#line 7
category c881;
#line 7
category c882;
#line 7
category c883;
#line 7
category c884;
#line 7
category c885;
#line 7
category c886;
#line 7
category c887;
#line 7
category c888;
#line 7
category c889;
#line 7
category c890;
#line 7
category c891;
#line 7
category c892;
#line 7
category c893;
#line 7
category c894;
#line 7
category c895;
#line 7
category c896;
#line 7
category c897;
#line 7
category c898;
#line 7
category c899;
#line 7
category c900;
#line 7
category c901;
#line 7
category c902;
#line 7
category c903;
#line 7
category c904;
#line 7
category c905;
#line 7
category c906;
#line 7
category c907;
#line 7
category c908;
#line 7
category c909;
#line 7
category c910;
#line 7
category c911;
#line 7
category c912;
#line 7
category c913;
#line 7
category c914;
#line 7
category c915;
#line 7
category c916;
#line 7
category c917;
#line 7
category c918;
#line 7
category c919;
#line 7
category c920;
#line 7
category c921;
#line 7
category c922;
#line 7
category c923;
#line 7
category c924;
#line 7
category c925;
#line 7
category c926;
#line 7
category c927;
#line 7
category c928;
#line 7
category c929;
#line 7
category c930;
#line 7
category c931;
#line 7
category c932;
#line 7
category c933;
#line 7
category c934;
#line 7
category c935;
#line 7
category c936;
#line 7
category c937;
#line 7
category c938;
#line 7
category c939;
#line 7
category c940;
#line 7
category c941;
#line 7
category c942;
#line 7
category c943;
#line 7
category c944;
#line 7
category c945;
#line 7
category c946;
#line 7
category c947;
#line 7
category c948;
#line 7
category c949;
#line 7
category c950;
#line 7
category c951;
#line 7
category c952;
#line 7
category c953;
#line 7
category c954;
#line 7
category c955;
#line 7
category c956;
#line 7
category c957;
#line 7
category c958;
#line 7
category c959;
#line 7
category c960;
#line 7
category c961;
#line 7
category c962;
#line 7
category c963;
#line 7
category c964;
#line 7
category c965;
#line 7
category c966;
#line 7
category c967;
#line 7
category c968;
#line 7
category c969;
#line 7
category c970;
#line 7
category c971;
#line 7
category c972;
#line 7
category c973;
#line 7
category c974;
#line 7
category c975;
#line 7
category c976;
#line 7
category c977;
#line 7
category c978;
#line 7
category c979;
#line 7
category c980;
#line 7
category c981;
#line 7
category c982;
#line 7
category c983;
#line 7
category c984;
#line 7
category c985;
#line 7
category c986;
#line 7
category c987;
#line 7
category c988;
#line 7
category c989;
#line 7
category c990;
#line 7
category c991;
#line 7
category c992;
#line 7
category c993;
#line 7
category c994;
#line 7
category c995;
#line 7
category c996;
#line 7
category c997;
#line 7
category c998;
#line 7
category c999;
#line 7
category c1000;
#line 7
category c1001;
#line 7
category c1002;
#line 7
category c1003;
#line 7
category c1004;
#line 7
category c1005;
#line 7
category c1006;
#line 7
category c1007;
#line 7
category c1008;
#line 7
category c1009;
#line 7
category c1010;
#line 7
category c1011;
#line 7
category c1012;
#line 7
category c1013;
#line 7
category c1014;
#line 7
category c1015;
#line 7
category c1016;
#line 7
category c1017;
#line 7
category c1018;
#line 7
category c1019;
#line 7
category c1020;
#line 7
category c1021;
#line 7
category c1022;
#line 7
category c1023;
#line 7
# Generate level definitions for each sensitivity and category.
# The level defined here pairs sensitivity s0 with the full category range
# c0.c1023. MLS separation in this policy therefore comes from category sets
# (the per-app categories the mls constraints below refer to) rather than from
# distinct sensitivities; a subject's/object's range is what l1/h1 and l2/h2
# in those constraints compare.
level s0:c0.c1023;
#line 10
#line 1 "system/sepolicy/private/mls"
#################################################
# MLS policy constraints
#
# Notation used throughout: l1/h1 are the low/high ends of the subject's
# range, l2/h2 those of the object; "eq" requires identical levels, "dom"
# requires the subject's level to dominate the object's (eq implies dom).
# mlstrustedsubject and mlstrustedobject are the escape hatches: a type that
# carries one of them is exempted from the constraint on that side, so
# granting either attribute to a type widens what MLS lets it reach and
# deserves the same scrutiny as the TE allow rules.
#
# Process constraints
#
# Process transition: Require equivalence unless the subject is trusted.
mlsconstrain process { transition dyntransition }
((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
# Process read operations: No read up unless trusted.
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
(l1 dom l2 or t1 == mlstrustedsubject);
# Process write operations: Require equivalence unless trusted.
# ptrace and share are listed in both the read set above and this write set,
# so for an untrusted subject both constraints apply and the effective
# requirement for ptrace/share is l1 eq l2.
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
(l1 eq l2 or t1 == mlstrustedsubject);
#
# Socket constraints
#
# Create/relabel operations: Subject must be equivalent to object unless
# the subject is trusted. Sockets inherit the range of their creator.
# The per-address-family classes listed here (sctp_socket, icmp_socket,
# vsock_socket, ...) only exist as distinct classes because the
# extended_socket_class policy capability is enabled.
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } { create relabelfrom relabelto }
((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
# Datagram send: Sender must be equivalent to the receiver unless one of them
# is trusted.
# Either end being mlstrustedsubject satisfies the constraint, so a trusted
# receiving socket is reachable from any level; any remaining restriction
# has to come from the TE rules.
mlsconstrain unix_dgram_socket { sendto }
(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
# Stream connect: Client must be equivalent to server unless one of them
# is trusted. Same either-side exemption as for datagrams.
mlsconstrain unix_stream_socket { connectto }
(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
#
# Directory/file constraints
#
# Create/relabel operations: Subject must be equivalent to object unless
# the subject is trusted. Also, files should always be single-level.
# Do NOT exempt mlstrustedobject types from this constraint.
# "l2 eq h2" is the single-level requirement; it sits outside the "or" with
# mlstrustedsubject, so it binds trusted subjects as well.
mlsconstrain { dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create relabelfrom relabelto }
(l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
#
# Userfaultfd constraints
#
# To enforce that anonymous inodes are self contained in the application's process.
# This is the only constraint in this file with no mlstrustedsubject
# exemption: an anon_inode is usable only at exactly the level that created it.
mlsconstrain anon_inode { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute open execmod }
(l1 eq l2);
#
# Constraints for app data files only.
#
# Only constrain open, not read/write, so already open fds can be used.
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
# Subject must dominate object unless the subject is trusted.
# Checking "open" on its own, separately from read/write, relies on the
# open_perms policy capability declared in policy_capabilities.
mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir }
(t2 != app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject);
# appdomain_tmpfs is treated like app data here, and is correspondingly
# exempted from the generic file constraints further down.
mlsconstrain { file sock_file } { open setattr unlink link rename }
( (t2 != app_data_file_type and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
# For symlinks in app data files, require equivalence in order to manipulate or follow (read).
# privapp_data_file is carved out of this equivalence rule by the first
# disjunct and falls through to the weaker dominance rule that follows.
mlsconstrain { lnk_file } { open setattr unlink link rename read }
( (t2 != app_data_file_type or t2 == privapp_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
# But for priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
# TODO: Migrate to equivalence when it's no longer needed.
# Until that migration, a subject whose range dominates a privapp_data_file
# symlink's level may follow it; this is a known, deliberate weakening of the
# symlink rule above, not an oversight.
mlsconstrain { lnk_file } { open setattr unlink link rename read }
( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
#
# Constraints for file types other than app data files.
#
# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
# mlsvendorcompat types get an additional compatibility exemption, limited to
# system_data_file and user_profile_root_file directories; keep it scoped to
# exactly those two types.
mlsconstrain dir { read getattr search }
(t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_root_file) ) );
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
(t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Write operations: Subject must be equivalent to the object unless the
# subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
(t2 == app_data_file_type or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
(t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
# creating process' label. Thus we also have an exemption when the "object"
# is a domain type, so that processes can communicate via unnamed pipes
# passed by binder or local socket IPC.
# Consequence: MLS does not separate pipes labeled with a process type at
# all; for those, only the TE allow rules stand between domains.
mlsconstrain fifo_file { read getattr }
(l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
mlsconstrain fifo_file { write setattr append unlink link rename }
(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
#
# Binder IPC constraints
#
# Presently commented out, as apps are expected to call one another.
# This would only make sense if apps were assigned categories
# based on allowable communications rather than per-app categories.
# With this disabled, binder calls between apps at different categories are
# governed by TE rules only.
#mlsconstrain binder call
# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
#line 1 "system/sepolicy/private/policy_capabilities"
# Policy capabilities switch on kernel-side checks that the rest of this
# policy assumes are present; do not drop one without re-reading the rules
# that depend on it.
# Enable new networking controls.
policycap network_peer_controls;
# Enable open permission check.
# With this on, "open" is checked as a permission of its own, separate from
# read/write. The app data mlsconstrains depend on that: they restrict open
# while deliberately leaving already-open fds usable.
policycap open_perms;
# Enable separate security classes for
# all network address families previously
# mapped to the socket class and for
# ICMP and SCTP sockets previously mapped
# to the rawip_socket class.
# The socket create/relabel mlsconstrain names these per-family classes
# (sctp_socket, icmp_socket, vsock_socket, ...) explicitly.
policycap extended_socket_class;
# Enable NoNewPrivileges support. Requires libsepol 2.7+
# and kernel 4.14 (estimated).
#
# Checks enabled;
# process2: nnp_transition, nosuid_transition
#
policycap nnp_nosuid_transition;
#line 1 "system/sepolicy/flagging/te_macros"
####################################
# is_flag_enabled(flag, rules)
# SELinux rules which apply only if given feature is turned on
####################################
# is_flag_disabled(flag, rules)
# SELinux rules which apply only if given feature is turned off
#line 1 "system/sepolicy/public/te_macros"
#####################################
# domain_trans(olddomain, type, newdomain)
# Allow a transition from olddomain to newdomain
# upon executing a file labeled with type.
# This only allows the transition; it does not
# cause it to occur automatically - use domain_auto_trans
# if that is what you want.
#
#line 21
#####################################
# domain_auto_trans(olddomain, type, newdomain)
# Automatically transition from olddomain to newdomain
# upon executing a file labeled with type.
#
#line 33
#####################################
# file_type_trans(domain, dir_type, file_type)
# Allow domain to create a file labeled file_type in a
# directory labeled dir_type.
# This only allows the transition; it does not
# cause it to occur automatically - use file_type_auto_trans
# if that is what you want.
#
#line 49
#####################################
# file_type_auto_trans(domain, dir_type, file_type)
# Automatically label new files with file_type when
# they are created by domain in directories labeled dir_type.
#
#line 62
#####################################
# r_dir_file(domain, type)
# Allow the specified domain to read directories, files
# and symbolic links of the specified type.
#line 71
#####################################
# tmpfs_domain(domain)
# Allow access to a unique type for this domain when creating tmpfs / ashmem files.
#line 79
# pdx macros for IPC. pdx is a high-level name which contains transport-specific
# rules from underlying transport (e.g. UDS-based implementation).
#####################################
# pdx_service_attributes(service)
# Defines type attribute used to identify various service-related types.
#line 92
#####################################
# pdx_service_socket_types(service, endpoint_dir_t)
# Define types for endpoint and channel sockets.
#line 105
#####################################
# pdx_server(server_domain, service)
#line 124
#####################################
# pdx_connect(client, service)
#line 134
#####################################
# pdx_use(client, service)
#line 149
#####################################
# pdx_client(client, service)
#line 156
#####################################
# init_daemon_domain(domain)
# Set up a transition from init to the daemon domain
# upon executing its binary.
#line 164
####################################
# userfaultfd_use(domain)
# Allow domain to create/use userfaultfd.
#line 179
####################################
# virtualizationservice_use(domain)
# Allow domain to create and communicate with a virtual machine using
# virtualizationservice and virtualizationmanager.
#line 204
#####################################
# app_domain(domain)
# Allow a base set of permissions required for all apps.
#line 226
#####################################
# untrusted_app_domain(domain)
# Allow a base set of permissions required for all untrusted apps.
#line 233
#####################################
# isolated_app_domain(domain)
# Allow a base set of permissions required for all isolated apps.
#line 240
#####################################
# net_domain(domain)
# Allow a base set of permissions required for network access.
#line 247
#####################################
# bluetooth_domain(domain)
# Allow a base set of permissions required for bluetooth access.
#line 254
#####################################
# hal_attribute(hal_name)
# Add an attribute for hal implementations along with necessary
# restrictions.
#line 276
#####################################
# hal_server_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to offer a
# HAL implementation of the specified type over HwBinder.
#
# For example, default implementation of Foo HAL:
# type hal_foo_default, domain;
# hal_server_domain(hal_foo_default, hal_foo)
#
#line 291
#####################################
# hal_client_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to be a
# client of a HAL of the specified type.
#
# For example, make some_domain a client of Foo HAL:
# hal_client_domain(some_domain, hal_foo)
#
#line 315
#####################################
# passthrough_hal_client_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to be a
# client of a passthrough HAL of the specified type.
#
# For example, make some_domain a client of passthrough Foo HAL:
# passthrough_hal_client_domain(some_domain, hal_foo)
#
#line 333
#####################################
# unix_socket_connect(clientdomain, socket, serverdomain)
# Allow a local socket connection from clientdomain via
# socket to serverdomain.
#
# Note: If you see denial records that distill to the
# following allow rules:
# allow clientdomain property_socket:sock_file write;
# allow clientdomain init:unix_stream_socket connectto;
# allow clientdomain something_prop:property_service set;
#
# This sequence is indicative of attempting to set a property.
# use set_prop(sourcedomain, targetproperty)
#
#line 352
#####################################
# set_prop(sourcedomain, targetproperty)
# Allows source domain to set the
# targetproperty.
#
#line 363
#####################################
# get_prop(sourcedomain, targetproperty)
# Allows source domain to read the
# targetproperty.
#
#line 372
#####################################
# unix_socket_send(clientdomain, socket, serverdomain)
# Allow a local socket send from clientdomain via
# socket to serverdomain.
#line 381
#####################################
# binder_use(domain)
# Allow domain to use Binder IPC.
#line 397
#####################################
# hwbinder_use(domain)
# Allow domain to use HwBinder IPC.
#line 413
#####################################
# vndbinder_use(domain)
# Allow domain to use Binder IPC.
#line 427
#####################################
# binder_call(clientdomain, serverdomain)
# Allow clientdomain to perform binder IPC to serverdomain.
#line 439
#####################################
# binder_service(domain)
# Deprecated. Consider granting the exact permissions required by your service.
#line 446
#####################################
# wakelock_use(domain)
# Allow domain to manage wake locks
#line 468
#####################################
# selinux_check_access(domain)
# Allow domain to check SELinux permissions via selinuxfs.
#line 478
#####################################
# selinux_check_context(domain)
# Allow domain to check SELinux contexts via selinuxfs.
#line 487
#####################################
# create_pty(domain)
# Allow domain to create and use a pty, isolated from any other domain ptys.
#line 506
#####################################
# Non system_app application set
#
#####################################
# Recovery only
# SELinux rules which apply only to recovery mode
#
#####################################
# Not recovery
# SELinux rules which apply only to non-recovery (normal) mode
#
#####################################
# Full TREBLE only
# SELinux rules which apply only to full TREBLE devices
#
#line 534
#####################################
# Not full TREBLE
# SELinux rules which apply only to devices which are not full TREBLE devices
#
#####################################
# enforce_debugfs_restriction
# SELinux rules which apply to devices that enable debugfs restrictions.
# The keyword "cts" is used to insert markers to only CTS test the neverallows
# added by the macro for S-launch devices and newer.
#line 552
#####################################
# no_debugfs_restriction
# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds.
#####################################
# Compatible property only
# SELinux rules which apply only to devices with compatible property
#
#line 568
#####################################
# Not compatible property
# SELinux rules which apply only to devices without compatible property
#
#####################################
# Userdebug or eng builds
# SELinux rules which apply only to userdebug or eng builds
#
#####################################
# asan builds
# SELinux rules which apply only to asan builds
#
#####################################
# native coverage builds
# SELinux rules which apply only to builds with native coverage
#
#####################################
# Build-time-only test
# SELinux rules which are verified during build, but not as part of *TS testing.
#
####################################
# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
#
#line 618
#####################################
# WITH_DEXPREOPT builds
# SELinux rules which apply only when pre-opting.
#
#####################################
# write_logd(domain)
# Ability to write to android log
# daemon via sockets
#line 633
#####################################
# read_logd(domain)
# Ability to run logcat and read from android
# log daemon via sockets
#line 642
#####################################
# read_runtime_log_tags(domain)
# ability to directly map the runtime event log tags
#line 649
#####################################
# control_logd(domain)
# Ability to control
# android log daemon via sockets
#line 659
#####################################
# use_keystore(domain)
# Ability to use keystore.
# Keystore requires the following permissions
# to call getpidcon.
#line 675
#####################################
# use_credstore(domain)
# Ability to use credstore.
#line 687
###########################################
# use_drmservice(domain)
# Ability to use DrmService which requires
# DrmService to call getpidcon.
#line 697
###########################################
# add_service(domain, service)
# Ability for domain to add a service to service_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
#line 713
###########################################
# add_hwservice(domain, service)
# Ability for domain to add a service to hwservice_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
#line 724
###########################################
# hal_attribute_hwservice(attribute, service)
# Ability for domain to get a service to hwservice_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
#
# Used to pair hal_foo_client with hal_foo_hwservice
#line 743
###########################################
# hal_attribute_service(attribute, service)
# Ability for domain to get a service to service_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
#
# Used to pair hal_foo_client with hal_foo_service
#line 771
###################################
# can_profile_heap(domain)
# Allow processes within the domain to have their heap profiled by central
# heapprofd.
#line 801
###################################
# never_profile_heap(domain)
# Opt out of heap profiling by heapprofd.
#line 809
###################################
# can_profile_perf(domain)
# Allow processes within the domain to be profiled, and have their stacks
# sampled, by traced_perf.
#line 829
###################################
# never_profile_perf(domain)
# Opt out of profiling by traced_perf.
#line 837
###################################
# perfetto_producer(domain)
# Allow processes within the domain to write data to Perfetto.
# When applying this macro, you might need to also allow traced to use the
# producer tmpfs domain, if the producer will be the one creating the shared
# memory.
#line 854
###########################################
# dump_hal(hal_type)
# Ability to dump the hal debug info
#
#line 864
#####################################
# treble_sysprop_neverallow(rules)
# SELinux neverallow rules which enforce the accessibility of each property
# outside the owner.
#
# For devices launching with R or later, exported properties must be explicitly marked as
# "restricted" or "public", depending on the accessibility outside the owner.
# For devices launching with Q or earlier, these neverallow rules can be relaxed by defining
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk.
# See {partition}_{accessibility}_prop macros below.
#
# CTS uses these rules only for devices launching with R or later.
#
# TODO(b/131162102): deprecate BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW
#
#line 886
#####################################
# enforce_sysprop_owner(rules)
# SELinux neverallow rules which enforce the owner of each property.
#
# For devices launching with S or later, all properties must be explicitly marked as one of:
# system_property_type, vendor_property_type, or product_property_type.
# For devices launching with R or earlier, these neverallow rules can be relaxed by defining
# BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true on BoardConfig.mk.
# See {partition}_{accessibility}_prop macros below.
#
# CTS uses these rules only for devices launching with S or later.
#
#line 905
###########################################
# define_prop(name, owner, scope)
# Define a property with given owner and scope
#
#line 913
###########################################
# system_internal_prop(name)
# Define a /system-owned property used only in /system
# For devices launching with Q or earlier, this restriction can be relaxed with
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
#line 926
###########################################
# system_restricted_prop(name)
# Define a /system-owned property which can't be written outside /system
# For devices launching with Q or earlier, this restriction can be relaxed with
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
#line 939
###########################################
# system_public_prop(name)
# Define a /system-owned property with no restrictions
#
###########################################
# system_vendor_config_prop(name)
# Define a /system-owned property which can only be written by vendor_init
# This is a macro for vendor-specific configuration properties which is meant
# to be set once from vendor_init.
#
#line 957
###########################################
# product_internal_prop(name)
# Define a /product-owned property used only in /product
# For devices launching with Q or earlier, this restriction can be relaxed with
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
#line 970
###########################################
# product_restricted_prop(name)
# Define a /product-owned property which can't be written outside /product
# For devices launching with Q or earlier, this restriction can be relaxed with
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
#line 983
###########################################
# product_public_prop(name)
# Define a /product-owned property with no restrictions
#
###########################################
# vendor_internal_prop(name)
# Define a /vendor-owned property used only in /vendor
# For devices launching with Q or earlier, this restriction can be relaxed with
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
#line 1003
###########################################
# vendor_restricted_prop(name)
# Define a /vendor-owned property which can't be written outside /vendor
# For devices launching with Q or earlier, this restriction can be relaxed with
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
#line 1017
###########################################
# vendor_public_prop(name)
# Define a /vendor-owned property with no restrictions
#
#####################################
# read_fstab(domain)
# Ability to call ReadDefaultFstab() and ReadFstabFromFile().
#
#line 1033
######################################
# use_bootstrap_libs(domain)
# Allow domain to use bootstrap bionic libraries in system/lib[64]/bootstrap
#line 1041
######################################
# use_apex_info(domain)
# Allow access to apex information
#line 1050
####################################
# io_uring_use(domain)
# Allow domain to create/use io_uring.
#line 1068
#line 1 "system/sepolicy/public/ioctl_defines"
#line 1 "system/sepolicy/public/ioctl_macros"
# socket ioctls allowed to unprivileged apps
#line 12
# socket ioctls never allowed to unprivileged apps
#line 42
# commonly used ioctls on unix sockets
#line 47
# commonly used TTY ioctls
# merge with unpriv_unix_sock_ioctls?
#line 54
# point to point ioctls
#line 68
# unprivileged binder ioctls
#line 77
#line 1 "system/sepolicy/public/attributes"
######################################
# Attribute declarations
#
# All types used for devices.
# On change, update CHECK_FC_ASSERT_ATTRS
# in tools/checkfc.c
attribute dev_type;
# Attribute for all bpf filesystem subtypes.
attribute bpffs_type;
# All types used for processes.
attribute domain;
# All types used for filesystems.
# On change, update CHECK_FC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute fs_type;
# All types used for context= mounts.
attribute contextmount_type;
# All types referencing a FUSE filesystem.
# When mounting a new FUSE filesystem, the fscontext= option should be used to
# set a domain-specific type with this attribute. See app_fusefs for an
# example.
attribute fusefs_type;
# All types used for files that can exist on a labeled fs.
# Do not use for pseudo file types.
# On change, update CHECK_FC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute file_type;
# All types used for domain entry points.
attribute exec_type;
# All types used for /data files.
attribute data_file_type;
expandattribute data_file_type false;
# All types in /data, not in /data/vendor
attribute core_data_file_type;
expandattribute core_data_file_type false;
# All types used for app private data files in seapp_contexts.
# Such types should not be applied to any other files.
attribute app_data_file_type;
expandattribute app_data_file_type false;
# All types in /system
attribute system_file_type;
# All types in /system_dlkm
attribute system_dlkm_file_type;
# All types in /vendor
attribute vendor_file_type;
# All types used for procfs files.
attribute proc_type;
expandattribute proc_type false;
# Types in /proc/net, excluding qtaguid types.
# TODO(b/9496886) Lock down access to /proc/net.
# This attribute is used to audit access to proc_net. It is temporary and will
# be removed.
attribute proc_net_type;
expandattribute proc_net_type true;
# All types used for sysfs files.
attribute sysfs_type;
# All types used for debugfs files.
attribute debugfs_type;
# All types used for tracefs files.
attribute tracefs_type;
# Attribute used for all sdcards
attribute sdcard_type;
# All types used for nodes/hosts.
attribute node_type;
# All types used for network interfaces.
attribute netif_type;
# All types used for network ports.
attribute port_type;
# All types used for property service
# On change, update CHECK_PC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute property_type;
# All properties defined in core SELinux policy. Should not be
# used by device-specific properties.
attribute core_property_type;
# All properties used to configure log filtering.
attribute log_property_type;
# All properties that are not specific to device but are added from
# outside of AOSP. (e.g. OEM-specific properties)
# These properties are not accessible from device-specific domains
attribute extended_core_property_type;
# Properties used for representing ownership. All properties should have one
# of: system_property_type, product_property_type, or vendor_property_type.
# All properties defined by /system.
attribute system_property_type;
expandattribute system_property_type false;
# All /system-defined properties used only in /system.
attribute system_internal_property_type;
expandattribute system_internal_property_type false;
# All /system-defined properties which can't be written outside /system.
attribute system_restricted_property_type;
expandattribute system_restricted_property_type false;
# All /system-defined properties with no restrictions.
attribute system_public_property_type;
expandattribute system_public_property_type false;
# All keystore2_key labels.
attribute keystore2_key_type;
# All properties defined by /product.
# Currently there is no enforcement between /system and /product, so for now
# /product attributes are simply replaced with /system attributes.
# All properties defined by /vendor.
attribute vendor_property_type;
expandattribute vendor_property_type false;
# All /vendor-defined properties used only in /vendor.
attribute vendor_internal_property_type;
expandattribute vendor_internal_property_type false;
# All /vendor-defined properties which can't be written outside /vendor.
attribute vendor_restricted_property_type;
expandattribute vendor_restricted_property_type false;
# All /vendor-defined properties with no restrictions.
attribute vendor_public_property_type;
expandattribute vendor_public_property_type false;
# All service_manager types created by system_server
attribute system_server_service;
# services which should be available to all but isolated apps
attribute app_api_service;
# services which should be available to all ephemeral apps
attribute ephemeral_app_api_service;
# services which export only system_api
attribute system_api_service;
# services which are explicitly disallowed for untrusted apps to access
attribute protected_service;
# All types used for services managed by servicemanager.
# On change, update CHECK_SC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute service_manager_type;
# All types used for services managed by hwservicemanager
attribute hwservice_manager_type;
# All HwBinder services guaranteed to be passthrough. These services always run
# in the process of their clients, and thus operate with the same access as
# their clients.
attribute same_process_hwservice;
# All HwBinder services guaranteed to be offered only by core domain components
attribute coredomain_hwservice;
# All HwBinder services that untrusted apps can't directly access
attribute protected_hwservice;
# All types used for services managed by vndservicemanager
attribute vndservice_manager_type;
# All services declared as part of an HAL
attribute hal_service_type;
# All domains that can override MLS restrictions,
# i.e. processes that can read up and write down.
attribute mlstrustedsubject;
# All types that can override MLS restrictions,
# i.e. files that can be read by lower and written by higher.
attribute mlstrustedobject;
# All domains used for apps.
attribute appdomain;
# All third-party apps (except isolated_app and ephemeral_app)
attribute untrusted_app_all;
# All apps with UID between AID_ISOLATED_START (99000) and AID_ISOLATED_END (99999).
attribute isolated_app_all;
# All service types that would be allowed for isolated_compute_app.
attribute isolated_compute_allowed_service;
# All device types that would be allowed for isolated_compute_app.
attribute isolated_compute_allowed_device;
# All domains used for apps with network access.
attribute netdomain;
# All domains used for apps with bluetooth access.
attribute bluetoothdomain;
# Specific domains that expose a binder service.
# Deprecated, consider granting the exact permissions required by your service.
attribute binderservicedomain;
# All domains which have BPF access.
attribute bpfdomain;
expandattribute bpfdomain false;
# update_engine related domains that need to apply an update and run
# postinstall. This includes the background daemon and the sideload tool from
# recovery for A/B devices.
attribute update_engine_common;
# All core domains (as opposed to vendor/device-specific domains)
attribute coredomain;
# All vendor hwservice.
attribute vendor_hwservice_type;
# All socket devices owned by core domain components
attribute coredomain_socket;
expandattribute coredomain_socket false;
# All vendor domains which violate the requirement of not using sockets for
# communicating with core components
# TODO(b/36577153): Remove this once there are no violations
attribute socket_between_core_and_vendor_violators;
expandattribute socket_between_core_and_vendor_violators false;
# All vendor domains which violate the requirement of not executing
# system processes
# TODO(b/36463595)
attribute vendor_executes_system_violators;
expandattribute vendor_executes_system_violators false;
# All domains which violate the requirement of not sharing files by path
# between vendor and core domains.
# TODO(b/34980020)
attribute data_between_core_and_vendor_violators;
expandattribute data_between_core_and_vendor_violators false;
# All system domains which violate the requirement of not executing vendor
# binaries/libraries.
# TODO(b/62041836)
attribute system_executes_vendor_violators;
expandattribute system_executes_vendor_violators false;
# All system domains which violate the requirement of not writing vendor
# properties.
# TODO(b/78598545): Remove this once there are no violations
attribute system_writes_vendor_properties_violators;
expandattribute system_writes_vendor_properties_violators false;
# All system domains which violate the requirement of not writing to
# /mnt/vendor/*. Must not be used on devices launched with P or later.
attribute system_writes_mnt_vendor_violators;
expandattribute system_writes_mnt_vendor_violators false;
# hwservices that are accessible from untrusted applications
# WARNING: Use of this attribute should be avoided unless
# absolutely necessary. It is a temporary allowance to aid the
# transition to treble and will be removed in a future platform
# version, requiring all hwservices that are labeled with this
# attribute to be submitted to AOSP in order to maintain their
# app-visibility.
attribute untrusted_app_visible_hwservice_violators;
expandattribute untrusted_app_visible_hwservice_violators false;
# halserver domains that are accessible to untrusted applications. These
# domains are typically those hosting hwservices attributed by the
# untrusted_app_visible_hwservice_violators.
# WARNING: Use of this attribute should be avoided unless absolutely necessary.
# It is a temporary allowance to aid the transition to treble and will be
# removed in the future platform version, requiring all halserver domains that
# are labeled with this attribute to be submitted to AOSP in order to maintain
# their app-visibility.
attribute untrusted_app_visible_halserver_violators;
expandattribute untrusted_app_visible_halserver_violators false;
# PDX services
attribute pdx_endpoint_dir_type;
attribute pdx_endpoint_socket_type;
expandattribute pdx_endpoint_socket_type false;
attribute pdx_channel_socket_type;
expandattribute pdx_channel_socket_type false;
#line 310
attribute pdx_display_client_endpoint_dir_type;
#line 310
attribute pdx_display_client_endpoint_socket_type;
#line 310
attribute pdx_display_client_channel_socket_type;
#line 310
attribute pdx_display_client_server_type;
#line 310
#line 311
attribute pdx_display_manager_endpoint_dir_type;
#line 311
attribute pdx_display_manager_endpoint_socket_type;
#line 311
attribute pdx_display_manager_channel_socket_type;
#line 311
attribute pdx_display_manager_server_type;
#line 311
#line 312
attribute pdx_display_screenshot_endpoint_dir_type;
#line 312
attribute pdx_display_screenshot_endpoint_socket_type;
#line 312
attribute pdx_display_screenshot_channel_socket_type;
#line 312
attribute pdx_display_screenshot_server_type;
#line 312
#line 313
attribute pdx_display_vsync_endpoint_dir_type;
#line 313
attribute pdx_display_vsync_endpoint_socket_type;
#line 313
attribute pdx_display_vsync_channel_socket_type;
#line 313
attribute pdx_display_vsync_server_type;
#line 313
#line 314
attribute pdx_performance_client_endpoint_dir_type;
#line 314
attribute pdx_performance_client_endpoint_socket_type;
#line 314
attribute pdx_performance_client_channel_socket_type;
#line 314
attribute pdx_performance_client_server_type;
#line 314
#line 315
attribute pdx_bufferhub_client_endpoint_dir_type;
#line 315
attribute pdx_bufferhub_client_endpoint_socket_type;
#line 315
attribute pdx_bufferhub_client_channel_socket_type;
#line 315
attribute pdx_bufferhub_client_server_type;
#line 315
# All HAL servers
attribute halserverdomain;
# All HAL clients
attribute halclientdomain;
expandattribute halclientdomain true;
# Exemption allowing halserverdomain to access sockets. Only builds for
# automotive device types are allowed to use this attribute (enforced by CTS).
# Unlike on a phone, in a car many modules are external from the Android
# perspective, and HALs should be able to communicate with those devices through sockets.
attribute hal_automotive_socket_exemption;
# HALs
#line 330
attribute hal_allocator;
#line 330
expandattribute hal_allocator true;
#line 330
attribute hal_allocator_client;
#line 330
expandattribute hal_allocator_client true;
#line 330
attribute hal_allocator_server;
#line 330
expandattribute hal_allocator_server false;
#line 330
#line 330
neverallow { hal_allocator_server -halserverdomain } domain:process fork;
#line 330
# hal_*_client and halclientdomain attributes are always expanded for
#line 330
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 330
# verified by CTS since these attributes are already expanded by that time.
#line 330
#line 330
;
#line 331
attribute hal_atrace;
#line 331
expandattribute hal_atrace true;
#line 331
attribute hal_atrace_client;
#line 331
expandattribute hal_atrace_client true;
#line 331
attribute hal_atrace_server;
#line 331
expandattribute hal_atrace_server false;
#line 331
#line 331
neverallow { hal_atrace_server -halserverdomain } domain:process fork;
#line 331
# hal_*_client and halclientdomain attributes are always expanded for
#line 331
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 331
# verified by CTS since these attributes are already expanded by that time.
#line 331
#line 331
;
#line 332
attribute hal_audio;
#line 332
expandattribute hal_audio true;
#line 332
attribute hal_audio_client;
#line 332
expandattribute hal_audio_client true;
#line 332
attribute hal_audio_server;
#line 332
expandattribute hal_audio_server false;
#line 332
#line 332
neverallow { hal_audio_server -halserverdomain } domain:process fork;
#line 332
# hal_*_client and halclientdomain attributes are always expanded for
#line 332
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 332
# verified by CTS since these attributes are already expanded by that time.
#line 332
#line 332
;
#line 333
attribute hal_audiocontrol;
#line 333
expandattribute hal_audiocontrol true;
#line 333
attribute hal_audiocontrol_client;
#line 333
expandattribute hal_audiocontrol_client true;
#line 333
attribute hal_audiocontrol_server;
#line 333
expandattribute hal_audiocontrol_server false;
#line 333
#line 333
neverallow { hal_audiocontrol_server -halserverdomain } domain:process fork;
#line 333
# hal_*_client and halclientdomain attributes are always expanded for
#line 333
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 333
# verified by CTS since these attributes are already expanded by that time.
#line 333
#line 333
;
#line 334
attribute hal_authgraph;
#line 334
expandattribute hal_authgraph true;
#line 334
attribute hal_authgraph_client;
#line 334
expandattribute hal_authgraph_client true;
#line 334
attribute hal_authgraph_server;
#line 334
expandattribute hal_authgraph_server false;
#line 334
#line 334
neverallow { hal_authgraph_server -halserverdomain } domain:process fork;
#line 334
# hal_*_client and halclientdomain attributes are always expanded for
#line 334
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 334
# verified by CTS since these attributes are already expanded by that time.
#line 334
#line 334
;
#line 335
attribute hal_authsecret;
#line 335
expandattribute hal_authsecret true;
#line 335
attribute hal_authsecret_client;
#line 335
expandattribute hal_authsecret_client true;
#line 335
attribute hal_authsecret_server;
#line 335
expandattribute hal_authsecret_server false;
#line 335
#line 335
neverallow { hal_authsecret_server -halserverdomain } domain:process fork;
#line 335
# hal_*_client and halclientdomain attributes are always expanded for
#line 335
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 335
# verified by CTS since these attributes are already expanded by that time.
#line 335
#line 335
;
#line 336
attribute hal_bluetooth;
#line 336
expandattribute hal_bluetooth true;
#line 336
attribute hal_bluetooth_client;
#line 336
expandattribute hal_bluetooth_client true;
#line 336
attribute hal_bluetooth_server;
#line 336
expandattribute hal_bluetooth_server false;
#line 336
#line 336
neverallow { hal_bluetooth_server -halserverdomain } domain:process fork;
#line 336
# hal_*_client and halclientdomain attributes are always expanded for
#line 336
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 336
# verified by CTS since these attributes are already expanded by that time.
#line 336
#line 336
;
#line 337
attribute hal_bootctl;
#line 337
expandattribute hal_bootctl true;
#line 337
attribute hal_bootctl_client;
#line 337
expandattribute hal_bootctl_client true;
#line 337
attribute hal_bootctl_server;
#line 337
expandattribute hal_bootctl_server false;
#line 337
#line 337
neverallow { hal_bootctl_server -halserverdomain } domain:process fork;
#line 337
# hal_*_client and halclientdomain attributes are always expanded for
#line 337
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 337
# verified by CTS since these attributes are already expanded by that time.
#line 337
#line 337
;
#line 338
attribute hal_broadcastradio;
#line 338
expandattribute hal_broadcastradio true;
#line 338
attribute hal_broadcastradio_client;
#line 338
expandattribute hal_broadcastradio_client true;
#line 338
attribute hal_broadcastradio_server;
#line 338
expandattribute hal_broadcastradio_server false;
#line 338
#line 338
neverallow { hal_broadcastradio_server -halserverdomain } domain:process fork;
#line 338
# hal_*_client and halclientdomain attributes are always expanded for
#line 338
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 338
# verified by CTS since these attributes are already expanded by that time.
#line 338
#line 338
;
#line 339
attribute hal_camera;
#line 339
expandattribute hal_camera true;
#line 339
attribute hal_camera_client;
#line 339
expandattribute hal_camera_client true;
#line 339
attribute hal_camera_server;
#line 339
expandattribute hal_camera_server false;
#line 339
#line 339
neverallow { hal_camera_server -halserverdomain } domain:process fork;
#line 339
# hal_*_client and halclientdomain attributes are always expanded for
#line 339
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 339
# verified by CTS since these attributes are already expanded by that time.
#line 339
#line 339
;
#line 340
attribute hal_can_bus;
#line 340
expandattribute hal_can_bus true;
#line 340
attribute hal_can_bus_client;
#line 340
expandattribute hal_can_bus_client true;
#line 340
attribute hal_can_bus_server;
#line 340
expandattribute hal_can_bus_server false;
#line 340
#line 340
neverallow { hal_can_bus_server -halserverdomain } domain:process fork;
#line 340
# hal_*_client and halclientdomain attributes are always expanded for
#line 340
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 340
# verified by CTS since these attributes are already expanded by that time.
#line 340
#line 340
;
#line 341
attribute hal_can_controller;
#line 341
expandattribute hal_can_controller true;
#line 341
attribute hal_can_controller_client;
#line 341
expandattribute hal_can_controller_client true;
#line 341
attribute hal_can_controller_server;
#line 341
expandattribute hal_can_controller_server false;
#line 341
#line 341
neverallow { hal_can_controller_server -halserverdomain } domain:process fork;
#line 341
# hal_*_client and halclientdomain attributes are always expanded for
#line 341
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 341
# verified by CTS since these attributes are already expanded by that time.
#line 341
#line 341
;
#line 342
attribute hal_cas;
#line 342
expandattribute hal_cas true;
#line 342
attribute hal_cas_client;
#line 342
expandattribute hal_cas_client true;
#line 342
attribute hal_cas_server;
#line 342
expandattribute hal_cas_server false;
#line 342
#line 342
neverallow { hal_cas_server -halserverdomain } domain:process fork;
#line 342
# hal_*_client and halclientdomain attributes are always expanded for
#line 342
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 342
# verified by CTS since these attributes are already expanded by that time.
#line 342
#line 342
;
#line 343
attribute hal_codec2;
#line 343
expandattribute hal_codec2 true;
#line 343
attribute hal_codec2_client;
#line 343
expandattribute hal_codec2_client true;
#line 343
attribute hal_codec2_server;
#line 343
expandattribute hal_codec2_server false;
#line 343
#line 343
neverallow { hal_codec2_server -halserverdomain } domain:process fork;
#line 343
# hal_*_client and halclientdomain attributes are always expanded for
#line 343
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 343
# verified by CTS since these attributes are already expanded by that time.
#line 343
#line 343
;
#line 344
attribute hal_configstore;
#line 344
expandattribute hal_configstore true;
#line 344
attribute hal_configstore_client;
#line 344
expandattribute hal_configstore_client true;
#line 344
attribute hal_configstore_server;
#line 344
expandattribute hal_configstore_server false;
#line 344
#line 344
neverallow { hal_configstore_server -halserverdomain } domain:process fork;
#line 344
# hal_*_client and halclientdomain attributes are always expanded for
#line 344
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 344
# verified by CTS since these attributes are already expanded by that time.
#line 344
#line 344
;
#line 345
attribute hal_confirmationui;
#line 345
expandattribute hal_confirmationui true;
#line 345
attribute hal_confirmationui_client;
#line 345
expandattribute hal_confirmationui_client true;
#line 345
attribute hal_confirmationui_server;
#line 345
expandattribute hal_confirmationui_server false;
#line 345
#line 345
neverallow { hal_confirmationui_server -halserverdomain } domain:process fork;
#line 345
# hal_*_client and halclientdomain attributes are always expanded for
#line 345
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 345
# verified by CTS since these attributes are already expanded by that time.
#line 345
#line 345
;
#line 346
attribute hal_contexthub;
#line 346
expandattribute hal_contexthub true;
#line 346
attribute hal_contexthub_client;
#line 346
expandattribute hal_contexthub_client true;
#line 346
attribute hal_contexthub_server;
#line 346
expandattribute hal_contexthub_server false;
#line 346
#line 346
neverallow { hal_contexthub_server -halserverdomain } domain:process fork;
#line 346
# hal_*_client and halclientdomain attributes are always expanded for
#line 346
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 346
# verified by CTS since these attributes are already expanded by that time.
#line 346
#line 346
;
#line 347
attribute hal_drm;
#line 347
expandattribute hal_drm true;
#line 347
attribute hal_drm_client;
#line 347
expandattribute hal_drm_client true;
#line 347
attribute hal_drm_server;
#line 347
expandattribute hal_drm_server false;
#line 347
#line 347
neverallow { hal_drm_server -halserverdomain } domain:process fork;
#line 347
# hal_*_client and halclientdomain attributes are always expanded for
#line 347
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 347
# verified by CTS since these attributes are already expanded by that time.
#line 347
#line 347
;
#line 348
attribute hal_dumpstate;
#line 348
expandattribute hal_dumpstate true;
#line 348
attribute hal_dumpstate_client;
#line 348
expandattribute hal_dumpstate_client true;
#line 348
attribute hal_dumpstate_server;
#line 348
expandattribute hal_dumpstate_server false;
#line 348
#line 348
neverallow { hal_dumpstate_server -halserverdomain } domain:process fork;
#line 348
# hal_*_client and halclientdomain attributes are always expanded for
#line 348
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 348
# verified by CTS since these attributes are already expanded by that time.
#line 348
#line 348
;
#line 349
attribute hal_evs;
#line 349
expandattribute hal_evs true;
#line 349
attribute hal_evs_client;
#line 349
expandattribute hal_evs_client true;
#line 349
attribute hal_evs_server;
#line 349
expandattribute hal_evs_server false;
#line 349
#line 349
neverallow { hal_evs_server -halserverdomain } domain:process fork;
#line 349
# hal_*_client and halclientdomain attributes are always expanded for
#line 349
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 349
# verified by CTS since these attributes are already expanded by that time.
#line 349
#line 349
;
#line 350
attribute hal_face;
#line 350
expandattribute hal_face true;
#line 350
attribute hal_face_client;
#line 350
expandattribute hal_face_client true;
#line 350
attribute hal_face_server;
#line 350
expandattribute hal_face_server false;
#line 350
#line 350
neverallow { hal_face_server -halserverdomain } domain:process fork;
#line 350
# hal_*_client and halclientdomain attributes are always expanded for
#line 350
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 350
# verified by CTS since these attributes are already expanded by that time.
#line 350
#line 350
;
#line 351
attribute hal_fastboot;
#line 351
expandattribute hal_fastboot true;
#line 351
attribute hal_fastboot_client;
#line 351
expandattribute hal_fastboot_client true;
#line 351
attribute hal_fastboot_server;
#line 351
expandattribute hal_fastboot_server false;
#line 351
#line 351
neverallow { hal_fastboot_server -halserverdomain } domain:process fork;
#line 351
# hal_*_client and halclientdomain attributes are always expanded for
#line 351
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 351
# verified by CTS since these attributes are already expanded by that time.
#line 351
#line 351
;
#line 352
attribute hal_fingerprint;
#line 352
expandattribute hal_fingerprint true;
#line 352
attribute hal_fingerprint_client;
#line 352
expandattribute hal_fingerprint_client true;
#line 352
attribute hal_fingerprint_server;
#line 352
expandattribute hal_fingerprint_server false;
#line 352
#line 352
neverallow { hal_fingerprint_server -halserverdomain } domain:process fork;
#line 352
# hal_*_client and halclientdomain attributes are always expanded for
#line 352
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 352
# verified by CTS since these attributes are already expanded by that time.
#line 352
#line 352
;
#line 353
attribute hal_gatekeeper;
#line 353
expandattribute hal_gatekeeper true;
#line 353
attribute hal_gatekeeper_client;
#line 353
expandattribute hal_gatekeeper_client true;
#line 353
attribute hal_gatekeeper_server;
#line 353
expandattribute hal_gatekeeper_server false;
#line 353
#line 353
neverallow { hal_gatekeeper_server -halserverdomain } domain:process fork;
#line 353
# hal_*_client and halclientdomain attributes are always expanded for
#line 353
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 353
# verified by CTS since these attributes are already expanded by that time.
#line 353
#line 353
;
#line 354
attribute hal_gnss;
#line 354
expandattribute hal_gnss true;
#line 354
attribute hal_gnss_client;
#line 354
expandattribute hal_gnss_client true;
#line 354
attribute hal_gnss_server;
#line 354
expandattribute hal_gnss_server false;
#line 354
#line 354
neverallow { hal_gnss_server -halserverdomain } domain:process fork;
#line 354
# hal_*_client and halclientdomain attributes are always expanded for
#line 354
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 354
# verified by CTS since these attributes are already expanded by that time.
#line 354
#line 354
;
#line 355
attribute hal_graphics_allocator;
#line 355
expandattribute hal_graphics_allocator true;
#line 355
attribute hal_graphics_allocator_client;
#line 355
expandattribute hal_graphics_allocator_client true;
#line 355
attribute hal_graphics_allocator_server;
#line 355
expandattribute hal_graphics_allocator_server false;
#line 355
#line 355
neverallow { hal_graphics_allocator_server -halserverdomain } domain:process fork;
#line 355
# hal_*_client and halclientdomain attributes are always expanded for
#line 355
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 355
# verified by CTS since these attributes are already expanded by that time.
#line 355
#line 355
;
#line 356
attribute hal_graphics_composer;
#line 356
expandattribute hal_graphics_composer true;
#line 356
attribute hal_graphics_composer_client;
#line 356
expandattribute hal_graphics_composer_client true;
#line 356
attribute hal_graphics_composer_server;
#line 356
expandattribute hal_graphics_composer_server false;
#line 356
#line 356
neverallow { hal_graphics_composer_server -halserverdomain } domain:process fork;
#line 356
# hal_*_client and halclientdomain attributes are always expanded for
#line 356
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 356
# verified by CTS since these attributes are already expanded by that time.
#line 356
#line 356
;
#line 357
attribute hal_health;
#line 357
expandattribute hal_health true;
#line 357
attribute hal_health_client;
#line 357
expandattribute hal_health_client true;
#line 357
attribute hal_health_server;
#line 357
expandattribute hal_health_server false;
#line 357
#line 357
neverallow { hal_health_server -halserverdomain } domain:process fork;
#line 357
# hal_*_client and halclientdomain attributes are always expanded for
#line 357
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 357
# verified by CTS since these attributes are already expanded by that time.
#line 357
#line 357
;
#line 358
attribute hal_health_storage;
#line 358
expandattribute hal_health_storage true;
#line 358
attribute hal_health_storage_client;
#line 358
expandattribute hal_health_storage_client true;
#line 358
attribute hal_health_storage_server;
#line 358
expandattribute hal_health_storage_server false;
#line 358
#line 358
neverallow { hal_health_storage_server -halserverdomain } domain:process fork;
#line 358
# hal_*_client and halclientdomain attributes are always expanded for
#line 358
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 358
# verified by CTS since these attributes are already expanded by that time.
#line 358
#line 358
;
#line 359
attribute hal_identity;
#line 359
expandattribute hal_identity true;
#line 359
attribute hal_identity_client;
#line 359
expandattribute hal_identity_client true;
#line 359
attribute hal_identity_server;
#line 359
expandattribute hal_identity_server false;
#line 359
#line 359
neverallow { hal_identity_server -halserverdomain } domain:process fork;
#line 359
# hal_*_client and halclientdomain attributes are always expanded for
#line 359
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 359
# verified by CTS since these attributes are already expanded by that time.
#line 359
#line 359
;
#line 360
attribute hal_input_classifier;
#line 360
expandattribute hal_input_classifier true;
#line 360
attribute hal_input_classifier_client;
#line 360
expandattribute hal_input_classifier_client true;
#line 360
attribute hal_input_classifier_server;
#line 360
expandattribute hal_input_classifier_server false;
#line 360
#line 360
neverallow { hal_input_classifier_server -halserverdomain } domain:process fork;
#line 360
# hal_*_client and halclientdomain attributes are always expanded for
#line 360
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 360
# verified by CTS since these attributes are already expanded by that time.
#line 360
#line 360
;
#line 361
attribute hal_input_processor;
#line 361
expandattribute hal_input_processor true;
#line 361
attribute hal_input_processor_client;
#line 361
expandattribute hal_input_processor_client true;
#line 361
attribute hal_input_processor_server;
#line 361
expandattribute hal_input_processor_server false;
#line 361
#line 361
neverallow { hal_input_processor_server -halserverdomain } domain:process fork;
#line 361
# hal_*_client and halclientdomain attributes are always expanded for
#line 361
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 361
# verified by CTS since these attributes are already expanded by that time.
#line 361
#line 361
;
#line 362
attribute hal_ir;
#line 362
expandattribute hal_ir true;
#line 362
attribute hal_ir_client;
#line 362
expandattribute hal_ir_client true;
#line 362
attribute hal_ir_server;
#line 362
expandattribute hal_ir_server false;
#line 362
#line 362
neverallow { hal_ir_server -halserverdomain } domain:process fork;
#line 362
# hal_*_client and halclientdomain attributes are always expanded for
#line 362
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 362
# verified by CTS since these attributes are already expanded by that time.
#line 362
#line 362
;
#line 363
attribute hal_ivn;
#line 363
expandattribute hal_ivn true;
#line 363
attribute hal_ivn_client;
#line 363
expandattribute hal_ivn_client true;
#line 363
attribute hal_ivn_server;
#line 363
expandattribute hal_ivn_server false;
#line 363
#line 363
neverallow { hal_ivn_server -halserverdomain } domain:process fork;
#line 363
# hal_*_client and halclientdomain attributes are always expanded for
#line 363
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 363
# verified by CTS since these attributes are already expanded by that time.
#line 363
#line 363
;
#line 364
attribute hal_keymaster;
#line 364
expandattribute hal_keymaster true;
#line 364
attribute hal_keymaster_client;
#line 364
expandattribute hal_keymaster_client true;
#line 364
attribute hal_keymaster_server;
#line 364
expandattribute hal_keymaster_server false;
#line 364
#line 364
neverallow { hal_keymaster_server -halserverdomain } domain:process fork;
#line 364
# hal_*_client and halclientdomain attributes are always expanded for
#line 364
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 364
# verified by CTS since these attributes are already expanded by that time.
#line 364
#line 364
;
#line 365
attribute hal_keymint;
#line 365
expandattribute hal_keymint true;
#line 365
attribute hal_keymint_client;
#line 365
expandattribute hal_keymint_client true;
#line 365
attribute hal_keymint_server;
#line 365
expandattribute hal_keymint_server false;
#line 365
#line 365
neverallow { hal_keymint_server -halserverdomain } domain:process fork;
#line 365
# hal_*_client and halclientdomain attributes are always expanded for
#line 365
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 365
# verified by CTS since these attributes are already expanded by that time.
#line 365
#line 365
;
#line 366
attribute hal_light;
#line 366
expandattribute hal_light true;
#line 366
attribute hal_light_client;
#line 366
expandattribute hal_light_client true;
#line 366
attribute hal_light_server;
#line 366
expandattribute hal_light_server false;
#line 366
#line 366
neverallow { hal_light_server -halserverdomain } domain:process fork;
#line 366
# hal_*_client and halclientdomain attributes are always expanded for
#line 366
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 366
# verified by CTS since these attributes are already expanded by that time.
#line 366
#line 366
;
#line 367
attribute hal_lowpan;
#line 367
expandattribute hal_lowpan true;
#line 367
attribute hal_lowpan_client;
#line 367
expandattribute hal_lowpan_client true;
#line 367
attribute hal_lowpan_server;
#line 367
expandattribute hal_lowpan_server false;
#line 367
#line 367
neverallow { hal_lowpan_server -halserverdomain } domain:process fork;
#line 367
# hal_*_client and halclientdomain attributes are always expanded for
#line 367
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 367
# verified by CTS since these attributes are already expanded by that time.
#line 367
#line 367
;
#line 368
attribute hal_macsec;
#line 368
expandattribute hal_macsec true;
#line 368
attribute hal_macsec_client;
#line 368
expandattribute hal_macsec_client true;
#line 368
attribute hal_macsec_server;
#line 368
expandattribute hal_macsec_server false;
#line 368
#line 368
neverallow { hal_macsec_server -halserverdomain } domain:process fork;
#line 368
# hal_*_client and halclientdomain attributes are always expanded for
#line 368
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 368
# verified by CTS since these attributes are already expanded by that time.
#line 368
#line 368
;
#line 369
attribute hal_memtrack;
#line 369
expandattribute hal_memtrack true;
#line 369
attribute hal_memtrack_client;
#line 369
expandattribute hal_memtrack_client true;
#line 369
attribute hal_memtrack_server;
#line 369
expandattribute hal_memtrack_server false;
#line 369
#line 369
neverallow { hal_memtrack_server -halserverdomain } domain:process fork;
#line 369
# hal_*_client and halclientdomain attributes are always expanded for
#line 369
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 369
# verified by CTS since these attributes are already expanded by that time.
#line 369
#line 369
;
#line 370
attribute hal_neuralnetworks;
#line 370
expandattribute hal_neuralnetworks true;
#line 370
attribute hal_neuralnetworks_client;
#line 370
expandattribute hal_neuralnetworks_client true;
#line 370
attribute hal_neuralnetworks_server;
#line 370
expandattribute hal_neuralnetworks_server false;
#line 370
#line 370
neverallow { hal_neuralnetworks_server -halserverdomain } domain:process fork;
#line 370
# hal_*_client and halclientdomain attributes are always expanded for
#line 370
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 370
# verified by CTS since these attributes are already expanded by that time.
#line 370
#line 370
;
#line 371
attribute hal_nfc;
#line 371
expandattribute hal_nfc true;
#line 371
attribute hal_nfc_client;
#line 371
expandattribute hal_nfc_client true;
#line 371
attribute hal_nfc_server;
#line 371
expandattribute hal_nfc_server false;
#line 371
#line 371
neverallow { hal_nfc_server -halserverdomain } domain:process fork;
#line 371
# hal_*_client and halclientdomain attributes are always expanded for
#line 371
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 371
# verified by CTS since these attributes are already expanded by that time.
#line 371
#line 371
;
#line 372
attribute hal_nlinterceptor;
#line 372
expandattribute hal_nlinterceptor true;
#line 372
attribute hal_nlinterceptor_client;
#line 372
expandattribute hal_nlinterceptor_client true;
#line 372
attribute hal_nlinterceptor_server;
#line 372
expandattribute hal_nlinterceptor_server false;
#line 372
#line 372
neverallow { hal_nlinterceptor_server -halserverdomain } domain:process fork;
#line 372
# hal_*_client and halclientdomain attributes are always expanded for
#line 372
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 372
# verified by CTS since these attributes are already expanded by that time.
#line 372
#line 372
;
#line 373
attribute hal_oemlock;
#line 373
expandattribute hal_oemlock true;
#line 373
attribute hal_oemlock_client;
#line 373
expandattribute hal_oemlock_client true;
#line 373
attribute hal_oemlock_server;
#line 373
expandattribute hal_oemlock_server false;
#line 373
#line 373
neverallow { hal_oemlock_server -halserverdomain } domain:process fork;
#line 373
# hal_*_client and halclientdomain attributes are always expanded for
#line 373
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 373
# verified by CTS since these attributes are already expanded by that time.
#line 373
#line 373
;
#line 374
attribute hal_omx;
#line 374
expandattribute hal_omx true;
#line 374
attribute hal_omx_client;
#line 374
expandattribute hal_omx_client true;
#line 374
attribute hal_omx_server;
#line 374
expandattribute hal_omx_server false;
#line 374
#line 374
neverallow { hal_omx_server -halserverdomain } domain:process fork;
#line 374
# hal_*_client and halclientdomain attributes are always expanded for
#line 374
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 374
# verified by CTS since these attributes are already expanded by that time.
#line 374
#line 374
;
#line 375
attribute hal_power;
#line 375
expandattribute hal_power true;
#line 375
attribute hal_power_client;
#line 375
expandattribute hal_power_client true;
#line 375
attribute hal_power_server;
#line 375
expandattribute hal_power_server false;
#line 375
#line 375
neverallow { hal_power_server -halserverdomain } domain:process fork;
#line 375
# hal_*_client and halclientdomain attributes are always expanded for
#line 375
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 375
# verified by CTS since these attributes are already expanded by that time.
#line 375
#line 375
;
#line 376
attribute hal_power_stats;
#line 376
expandattribute hal_power_stats true;
#line 376
attribute hal_power_stats_client;
#line 376
expandattribute hal_power_stats_client true;
#line 376
attribute hal_power_stats_server;
#line 376
expandattribute hal_power_stats_server false;
#line 376
#line 376
neverallow { hal_power_stats_server -halserverdomain } domain:process fork;
#line 376
# hal_*_client and halclientdomain attributes are always expanded for
#line 376
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 376
# verified by CTS since these attributes are already expanded by that time.
#line 376
#line 376
;
#line 377
attribute hal_rebootescrow;
#line 377
expandattribute hal_rebootescrow true;
#line 377
attribute hal_rebootescrow_client;
#line 377
expandattribute hal_rebootescrow_client true;
#line 377
attribute hal_rebootescrow_server;
#line 377
expandattribute hal_rebootescrow_server false;
#line 377
#line 377
neverallow { hal_rebootescrow_server -halserverdomain } domain:process fork;
#line 377
# hal_*_client and halclientdomain attributes are always expanded for
#line 377
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 377
# verified by CTS since these attributes are already expanded by that time.
#line 377
#line 377
;
#line 378
attribute hal_remoteaccess;
#line 378
expandattribute hal_remoteaccess true;
#line 378
attribute hal_remoteaccess_client;
#line 378
expandattribute hal_remoteaccess_client true;
#line 378
attribute hal_remoteaccess_server;
#line 378
expandattribute hal_remoteaccess_server false;
#line 378
#line 378
neverallow { hal_remoteaccess_server -halserverdomain } domain:process fork;
#line 378
# hal_*_client and halclientdomain attributes are always expanded for
#line 378
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 378
# verified by CTS since these attributes are already expanded by that time.
#line 378
#line 378
;
#line 379
attribute hal_secretkeeper;
#line 379
expandattribute hal_secretkeeper true;
#line 379
attribute hal_secretkeeper_client;
#line 379
expandattribute hal_secretkeeper_client true;
#line 379
attribute hal_secretkeeper_server;
#line 379
expandattribute hal_secretkeeper_server false;
#line 379
#line 379
neverallow { hal_secretkeeper_server -halserverdomain } domain:process fork;
#line 379
# hal_*_client and halclientdomain attributes are always expanded for
#line 379
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 379
# verified by CTS since these attributes are already expanded by that time.
#line 379
#line 379
;
#line 380
attribute hal_remotelyprovisionedcomponent_avf;
#line 380
expandattribute hal_remotelyprovisionedcomponent_avf true;
#line 380
attribute hal_remotelyprovisionedcomponent_avf_client;
#line 380
expandattribute hal_remotelyprovisionedcomponent_avf_client true;
#line 380
attribute hal_remotelyprovisionedcomponent_avf_server;
#line 380
expandattribute hal_remotelyprovisionedcomponent_avf_server false;
#line 380
#line 380
neverallow { hal_remotelyprovisionedcomponent_avf_server -halserverdomain } domain:process fork;
#line 380
# hal_*_client and halclientdomain attributes are always expanded for
#line 380
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 380
# verified by CTS since these attributes are already expanded by that time.
#line 380
#line 380
;
#line 381
attribute hal_secure_element;
#line 381
expandattribute hal_secure_element true;
#line 381
attribute hal_secure_element_client;
#line 381
expandattribute hal_secure_element_client true;
#line 381
attribute hal_secure_element_server;
#line 381
expandattribute hal_secure_element_server false;
#line 381
#line 381
neverallow { hal_secure_element_server -halserverdomain } domain:process fork;
#line 381
# hal_*_client and halclientdomain attributes are always expanded for
#line 381
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 381
# verified by CTS since these attributes are already expanded by that time.
#line 381
#line 381
;
#line 382
attribute hal_sensors;
#line 382
expandattribute hal_sensors true;
#line 382
attribute hal_sensors_client;
#line 382
expandattribute hal_sensors_client true;
#line 382
attribute hal_sensors_server;
#line 382
expandattribute hal_sensors_server false;
#line 382
#line 382
neverallow { hal_sensors_server -halserverdomain } domain:process fork;
#line 382
# hal_*_client and halclientdomain attributes are always expanded for
#line 382
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 382
# verified by CTS since these attributes are already expanded by that time.
#line 382
#line 382
;
#line 383
attribute hal_telephony;
#line 383
expandattribute hal_telephony true;
#line 383
attribute hal_telephony_client;
#line 383
expandattribute hal_telephony_client true;
#line 383
attribute hal_telephony_server;
#line 383
expandattribute hal_telephony_server false;
#line 383
#line 383
neverallow { hal_telephony_server -halserverdomain } domain:process fork;
#line 383
# hal_*_client and halclientdomain attributes are always expanded for
#line 383
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 383
# verified by CTS since these attributes are already expanded by that time.
#line 383
#line 383
;
#line 384
attribute hal_tetheroffload;
#line 384
expandattribute hal_tetheroffload true;
#line 384
attribute hal_tetheroffload_client;
#line 384
expandattribute hal_tetheroffload_client true;
#line 384
attribute hal_tetheroffload_server;
#line 384
expandattribute hal_tetheroffload_server false;
#line 384
#line 384
neverallow { hal_tetheroffload_server -halserverdomain } domain:process fork;
#line 384
# hal_*_client and halclientdomain attributes are always expanded for
#line 384
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 384
# verified by CTS since these attributes are already expanded by that time.
#line 384
#line 384
;
#line 385
attribute hal_thermal;
#line 385
expandattribute hal_thermal true;
#line 385
attribute hal_thermal_client;
#line 385
expandattribute hal_thermal_client true;
#line 385
attribute hal_thermal_server;
#line 385
expandattribute hal_thermal_server false;
#line 385
#line 385
neverallow { hal_thermal_server -halserverdomain } domain:process fork;
#line 385
# hal_*_client and halclientdomain attributes are always expanded for
#line 385
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 385
# verified by CTS since these attributes are already expanded by that time.
#line 385
#line 385
;
#line 386
attribute hal_threadnetwork;
#line 386
expandattribute hal_threadnetwork true;
#line 386
attribute hal_threadnetwork_client;
#line 386
expandattribute hal_threadnetwork_client true;
#line 386
attribute hal_threadnetwork_server;
#line 386
expandattribute hal_threadnetwork_server false;
#line 386
#line 386
neverallow { hal_threadnetwork_server -halserverdomain } domain:process fork;
#line 386
# hal_*_client and halclientdomain attributes are always expanded for
#line 386
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 386
# verified by CTS since these attributes are already expanded by that time.
#line 386
#line 386
;
#line 387
attribute hal_tv_cec;
#line 387
expandattribute hal_tv_cec true;
#line 387
attribute hal_tv_cec_client;
#line 387
expandattribute hal_tv_cec_client true;
#line 387
attribute hal_tv_cec_server;
#line 387
expandattribute hal_tv_cec_server false;
#line 387
#line 387
neverallow { hal_tv_cec_server -halserverdomain } domain:process fork;
#line 387
# hal_*_client and halclientdomain attributes are always expanded for
#line 387
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 387
# verified by CTS since these attributes are already expanded by that time.
#line 387
#line 387
;
#line 388
attribute hal_tv_hdmi_cec;
#line 388
expandattribute hal_tv_hdmi_cec true;
#line 388
attribute hal_tv_hdmi_cec_client;
#line 388
expandattribute hal_tv_hdmi_cec_client true;
#line 388
attribute hal_tv_hdmi_cec_server;
#line 388
expandattribute hal_tv_hdmi_cec_server false;
#line 388
#line 388
neverallow { hal_tv_hdmi_cec_server -halserverdomain } domain:process fork;
#line 388
# hal_*_client and halclientdomain attributes are always expanded for
#line 388
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 388
# verified by CTS since these attributes are already expanded by that time.
#line 388
#line 388
;
#line 389
attribute hal_tv_hdmi_connection;
#line 389
expandattribute hal_tv_hdmi_connection true;
#line 389
attribute hal_tv_hdmi_connection_client;
#line 389
expandattribute hal_tv_hdmi_connection_client true;
#line 389
attribute hal_tv_hdmi_connection_server;
#line 389
expandattribute hal_tv_hdmi_connection_server false;
#line 389
#line 389
neverallow { hal_tv_hdmi_connection_server -halserverdomain } domain:process fork;
#line 389
# hal_*_client and halclientdomain attributes are always expanded for
#line 389
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 389
# verified by CTS since these attributes are already expanded by that time.
#line 389
#line 389
;
#line 390
attribute hal_tv_hdmi_earc;
#line 390
expandattribute hal_tv_hdmi_earc true;
#line 390
attribute hal_tv_hdmi_earc_client;
#line 390
expandattribute hal_tv_hdmi_earc_client true;
#line 390
attribute hal_tv_hdmi_earc_server;
#line 390
expandattribute hal_tv_hdmi_earc_server false;
#line 390
#line 390
neverallow { hal_tv_hdmi_earc_server -halserverdomain } domain:process fork;
#line 390
# hal_*_client and halclientdomain attributes are always expanded for
#line 390
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 390
# verified by CTS since these attributes are already expanded by that time.
#line 390
#line 390
;
#line 391
attribute hal_tv_input;
#line 391
expandattribute hal_tv_input true;
#line 391
attribute hal_tv_input_client;
#line 391
expandattribute hal_tv_input_client true;
#line 391
attribute hal_tv_input_server;
#line 391
expandattribute hal_tv_input_server false;
#line 391
#line 391
neverallow { hal_tv_input_server -halserverdomain } domain:process fork;
#line 391
# hal_*_client and halclientdomain attributes are always expanded for
#line 391
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 391
# verified by CTS since these attributes are already expanded by that time.
#line 391
#line 391
;
#line 392
attribute hal_tv_tuner;
#line 392
expandattribute hal_tv_tuner true;
#line 392
attribute hal_tv_tuner_client;
#line 392
expandattribute hal_tv_tuner_client true;
#line 392
attribute hal_tv_tuner_server;
#line 392
expandattribute hal_tv_tuner_server false;
#line 392
#line 392
neverallow { hal_tv_tuner_server -halserverdomain } domain:process fork;
#line 392
# hal_*_client and halclientdomain attributes are always expanded for
#line 392
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 392
# verified by CTS since these attributes are already expanded by that time.
#line 392
#line 392
;
#line 393
attribute hal_usb;
#line 393
expandattribute hal_usb true;
#line 393
attribute hal_usb_client;
#line 393
expandattribute hal_usb_client true;
#line 393
attribute hal_usb_server;
#line 393
expandattribute hal_usb_server false;
#line 393
#line 393
neverallow { hal_usb_server -halserverdomain } domain:process fork;
#line 393
# hal_*_client and halclientdomain attributes are always expanded for
#line 393
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 393
# verified by CTS since these attributes are already expanded by that time.
#line 393
#line 393
;
#line 394
attribute hal_usb_gadget;
#line 394
expandattribute hal_usb_gadget true;
#line 394
attribute hal_usb_gadget_client;
#line 394
expandattribute hal_usb_gadget_client true;
#line 394
attribute hal_usb_gadget_server;
#line 394
expandattribute hal_usb_gadget_server false;
#line 394
#line 394
neverallow { hal_usb_gadget_server -halserverdomain } domain:process fork;
#line 394
# hal_*_client and halclientdomain attributes are always expanded for
#line 394
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 394
# verified by CTS since these attributes are already expanded by that time.
#line 394
#line 394
;
#line 395
attribute hal_uwb;
#line 395
expandattribute hal_uwb true;
#line 395
attribute hal_uwb_client;
#line 395
expandattribute hal_uwb_client true;
#line 395
attribute hal_uwb_server;
#line 395
expandattribute hal_uwb_server false;
#line 395
#line 395
neverallow { hal_uwb_server -halserverdomain } domain:process fork;
#line 395
# hal_*_client and halclientdomain attributes are always expanded for
#line 395
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 395
# verified by CTS since these attributes are already expanded by that time.
#line 395
#line 395
;
# TODO(b/196225233): Remove this attribute and its usages elsewhere
# once all chip vendors integrate to the new UWB stack.
#line 398
attribute hal_uwb_vendor;
#line 398
expandattribute hal_uwb_vendor true;
#line 398
attribute hal_uwb_vendor_client;
#line 398
expandattribute hal_uwb_vendor_client true;
#line 398
attribute hal_uwb_vendor_server;
#line 398
expandattribute hal_uwb_vendor_server false;
#line 398
#line 398
neverallow { hal_uwb_vendor_server -halserverdomain } domain:process fork;
#line 398
# hal_*_client and halclientdomain attributes are always expanded for
#line 398
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 398
# verified by CTS since these attributes are already expanded by that time.
#line 398
#line 398
;
#line 399
attribute hal_vehicle;
#line 399
expandattribute hal_vehicle true;
#line 399
attribute hal_vehicle_client;
#line 399
expandattribute hal_vehicle_client true;
#line 399
attribute hal_vehicle_server;
#line 399
expandattribute hal_vehicle_server false;
#line 399
#line 399
neverallow { hal_vehicle_server -halserverdomain } domain:process fork;
#line 399
# hal_*_client and halclientdomain attributes are always expanded for
#line 399
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 399
# verified by CTS since these attributes are already expanded by that time.
#line 399
#line 399
;
#line 400
attribute hal_vibrator;
#line 400
expandattribute hal_vibrator true;
#line 400
attribute hal_vibrator_client;
#line 400
expandattribute hal_vibrator_client true;
#line 400
attribute hal_vibrator_server;
#line 400
expandattribute hal_vibrator_server false;
#line 400
#line 400
neverallow { hal_vibrator_server -halserverdomain } domain:process fork;
#line 400
# hal_*_client and halclientdomain attributes are always expanded for
#line 400
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 400
# verified by CTS since these attributes are already expanded by that time.
#line 400
#line 400
;
#line 401
attribute hal_vr;
#line 401
expandattribute hal_vr true;
#line 401
attribute hal_vr_client;
#line 401
expandattribute hal_vr_client true;
#line 401
attribute hal_vr_server;
#line 401
expandattribute hal_vr_server false;
#line 401
#line 401
neverallow { hal_vr_server -halserverdomain } domain:process fork;
#line 401
# hal_*_client and halclientdomain attributes are always expanded for
#line 401
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 401
# verified by CTS since these attributes are already expanded by that time.
#line 401
#line 401
;
#line 402
attribute hal_weaver;
#line 402
expandattribute hal_weaver true;
#line 402
attribute hal_weaver_client;
#line 402
expandattribute hal_weaver_client true;
#line 402
attribute hal_weaver_server;
#line 402
expandattribute hal_weaver_server false;
#line 402
#line 402
neverallow { hal_weaver_server -halserverdomain } domain:process fork;
#line 402
# hal_*_client and halclientdomain attributes are always expanded for
#line 402
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 402
# verified by CTS since these attributes are already expanded by that time.
#line 402
#line 402
;
#line 403
attribute hal_wifi;
#line 403
expandattribute hal_wifi true;
#line 403
attribute hal_wifi_client;
#line 403
expandattribute hal_wifi_client true;
#line 403
attribute hal_wifi_server;
#line 403
expandattribute hal_wifi_server false;
#line 403
#line 403
neverallow { hal_wifi_server -halserverdomain } domain:process fork;
#line 403
# hal_*_client and halclientdomain attributes are always expanded for
#line 403
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 403
# verified by CTS since these attributes are already expanded by that time.
#line 403
#line 403
;
#line 404
attribute hal_wifi_hostapd;
#line 404
expandattribute hal_wifi_hostapd true;
#line 404
attribute hal_wifi_hostapd_client;
#line 404
expandattribute hal_wifi_hostapd_client true;
#line 404
attribute hal_wifi_hostapd_server;
#line 404
expandattribute hal_wifi_hostapd_server false;
#line 404
#line 404
neverallow { hal_wifi_hostapd_server -halserverdomain } domain:process fork;
#line 404
# hal_*_client and halclientdomain attributes are always expanded for
#line 404
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 404
# verified by CTS since these attributes are already expanded by that time.
#line 404
#line 404
;
#line 405
attribute hal_wifi_supplicant;
#line 405
expandattribute hal_wifi_supplicant true;
#line 405
attribute hal_wifi_supplicant_client;
#line 405
expandattribute hal_wifi_supplicant_client true;
#line 405
attribute hal_wifi_supplicant_server;
#line 405
expandattribute hal_wifi_supplicant_server false;
#line 405
#line 405
neverallow { hal_wifi_supplicant_server -halserverdomain } domain:process fork;
#line 405
# hal_*_client and halclientdomain attributes are always expanded for
#line 405
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 405
# verified by CTS since these attributes are already expanded by that time.
#line 405
#line 405
;
# HwBinder services offered across the core-vendor boundary
#
# We annotate server domains with x_server to loosen the coupling between
# system and vendor images. For example, it should be possible to move a service
# from one core domain to another, without having to update the vendor image
# which contains clients of this service.
attribute automotive_display_service_server;
attribute camera_service_server;
attribute display_service_server;
attribute evsmanager_service_server;
attribute remote_provisioning_service_server;
attribute scheduler_service_server;
attribute sensor_service_server;
attribute stats_service_server;
attribute system_suspend_internal_server;
attribute system_suspend_server;
attribute wifi_keystore_service_server;
# All types used for super partition block devices.
attribute super_block_device_type;
# All types used for DMA-BUF heaps
attribute dmabuf_heap_device_type;
expandattribute dmabuf_heap_device_type false;
# Types for VM managers
attribute vm_manager_device_type;
# All types used for DSU metadata files.
attribute gsi_metadata_file_type;
# Types used for module-specific APEX data directories under
# /data/{misc,misc_ce,misc_de}/apexdata.
attribute apex_data_file_type;
# Domains used for charger.
# This is the common type for domains that execute charger's
# functionality, including setting and getting the necessary properties,
# permissions to maintain the health loop, writing to the kernel log, handling
# inputs and drawing screens, etc.
attribute charger_type;
# All types of ART properties.
attribute dalvik_config_prop_type;
#line 1 "system/sepolicy/public/adbd.te"
# adbd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type adbd, domain;
type adbd_exec, exec_type, file_type, system_file_type;
# Only init is allowed to enter the adbd domain via exec()
neverallow { domain -init } adbd:process transition;
# No domain at all may dynamically transition (setcon) into adbd; together
# with the rule above, the only way to reach the adbd domain is init exec()ing it.
neverallow * adbd:process dyntransition;
# Access /data/local/tests.
# Each rule grants create/rename/setattr plus unlink (or reparent/rmdir for
# directories) and the expanded read and write permission sets for that class.
allow adbd shell_test_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow adbd shell_test_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow adbd shell_test_data_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
#line 1 "system/sepolicy/public/aidl_lazy_test_server.te"
type aidl_lazy_test_server, domain;
type aidl_lazy_test_server_exec, exec_type, file_type, system_file_type;
#line 9
#line 1 "system/sepolicy/public/apexd.te"
# apexd -- manager for APEX packages
type apexd, domain;
type apexd_exec, exec_type, file_type, system_file_type;
#line 5
# Call the servicemanager and transfer references to it.
#line 5
allow apexd servicemanager:binder { call transfer };
#line 5
# Allow servicemanager to send out callbacks
#line 5
allow servicemanager apexd:binder { call transfer };
#line 5
# servicemanager performs getpidcon on clients.
#line 5
allow servicemanager apexd:dir search;
#line 5
allow servicemanager apexd:file { read open };
#line 5
allow servicemanager apexd:process getattr;
#line 5
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 5
# all domains in domain.te.
#line 5
#line 6
# apexd may both register and look up apex_service ...
allow apexd apex_service:service_manager { add find };
#line 6
# ... and is the only domain permitted to register it.
neverallow { domain -apexd } apex_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
#line 6
# Only init, apexd itself, system_server and update_engine may look up
# apex_service; only those plus servicemanager may make binder calls into apexd.
neverallow { domain -init -apexd -system_server -update_engine } apex_service:service_manager find;
neverallow { domain -init -apexd -system_server -servicemanager -update_engine } apexd:binder call;
# No domain, without exception, may ptrace apexd.
neverallow { domain } apexd:process ptrace;
#line 1 "system/sepolicy/public/app.te"
###
### Domain for all zygote spawned apps
###
### This file is the base policy for all zygote spawned apps.
### Other policy files, such as isolated_app.te, untrusted_app.te, etc
### extend from this policy. Only policies which should apply to ALL
### zygote spawned apps should be added here.
###
### Almost everything in this file is a neverallow rule: the rules below
### do not grant access, they define the floor that no app domain (or, for
### the few rules keyed on "domain", no domain at all) may fall through.
### Each "-name" inside a braced source set is an explicit exemption;
### when reviewing a change to one of these rules, the exemption list is
### the part that matters.
###
type appdomain_tmpfs, file_type;
###
### Neverallow rules
###
### These are things that Android apps should NEVER be able to do
###
# Superuser capabilities.
# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
# Note that the exemption is for all capabilities, not just the ones named
# above; the per-domain allow rules elsewhere decide what those two domains
# actually get.
neverallow { appdomain -bluetooth -network_stack } self:{ capability capability2 cap_userns cap2_userns } *;
# Block device access.
neverallow appdomain dev_type:blk_file { read write };
# Note: Try expanding list of app domains in the future.
neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
neverallow { appdomain -nfc } nfc_device:chr_file
{ read write };
neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
{ read write };
neverallow appdomain tee_device:chr_file { read write };
# Privileged netlink socket interfaces.
neverallow { appdomain -network_stack }
domain:{
netlink_tcpdiag_socket
netlink_nflog_socket
netlink_xfrm_socket
netlink_audit_socket
netlink_dnrt_socket
} *;
# These messages are broadcast messages from the kernel to userspace.
# Do not allow the writing of netlink messages, which has been a source
# of rooting vulns in the past.
neverallow { appdomain -network_stack }
domain:netlink_kobject_uevent_socket { write append };
# Sockets under /dev/socket that are not specifically typed.
neverallow appdomain socket_device:sock_file write;
# Unix domain sockets.
neverallow appdomain adbd_socket:sock_file write;
neverallow { appdomain -radio } rild_socket:sock_file write;
# ptrace access to non-app domains.
neverallow appdomain { domain -appdomain }:process ptrace;
# The Android security model guarantees the confidentiality and integrity
# of application data and execution state. Ptrace bypasses those
# confidentiality guarantees. Disallow ptrace access from system components
# to apps. Crash_dump is excluded, as it needs ptrace access to
# produce stack traces.
# NOTE(review): the upstream comment also describes llkd as excluded, but
# the rule below exempts only crash_dump; llkd receives no ptrace exemption
# from this neverallow.
neverallow {
domain
-appdomain
-crash_dump
} appdomain:process ptrace;
# Read or write access to /proc/pid entries for any non-app domain.
# A different form of hidepid=2 like protections
# Every app domain is denied write-class access; read-class access is
# additionally denied to all app domains except shell.
neverallow appdomain { domain -appdomain }:file { append create link unlink relabelfrom rename setattr write };
neverallow { appdomain -shell } { domain -appdomain }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
# -perfetto is to allow shell (which is an appdomain) to kill perfetto
# (see private/shell.te).
neverallow appdomain { domain -appdomain -perfetto }:process
{ sigkill sigstop signal };
# Write to rootfs.
# The object class set used below (and in the /data rules that follow) is
# the expansion of "dir, chr/blk device nodes, and regular/link/sock/fifo
# files", i.e. every inode class, so these are write-prohibitions on a
# whole label rather than on regular files only.
neverallow appdomain rootfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to /system.
neverallow appdomain system_file_type:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to entrypoint executables.
neverallow appdomain exec_type:file
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts. Define a different type for portions
# that should be writable by apps.
neverallow appdomain system_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to various other parts of /data.
neverallow appdomain drm_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
apk_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
apk_private_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
apk_private_tmp_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
{ create write setattr relabelfrom relabelto append unlink link rename };
# shell_data_file differs from the rules around it: "write" is deliberately
# absent from the denied set, so non-shell apps are only barred from
# creating/renaming/relabeling/unlinking, not from writing an existing file.
neverallow { appdomain -shell }
shell_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
{ create setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -bluetooth }
bluetooth_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
{ create write setattr relabelfrom relabelto append unlink link rename };
# credstore data: keyed on "domain", not "appdomain" -- nothing other than
# credstore and init may touch it in any way ("*").
neverallow { domain -credstore -init } credstore_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } *;
neverallow appdomain
keystore_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
systemkeys_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
wifi_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
dhcp_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
{ create write setattr relabelfrom relabelto append unlink link rename };
# access tmp apk files
neverallow { appdomain -platform_app }
apk_tmp_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
{ create write setattr relabelfrom relabelto append unlink link rename };
# Staged APK temp files: app domains outside the four listed families get
# nothing; untrusted/isolated apps get nothing on non-regular-file classes
# and only getattr/read on regular files.
neverallow { appdomain -untrusted_app_all -platform_app -priv_app -isolated_app_all }
{ apk_tmp_file apk_private_tmp_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } *;
neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:{ { chr_file blk_file } dir fifo_file lnk_file sock_file } *;
neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
# Access to factory files.
neverallow appdomain efs_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
neverallow { appdomain -shell } efs_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } read;
# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
sysfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
neverallow appdomain
proc:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
# Access to syslog(2) or /proc/kmsg.
neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
neverallow { appdomain -shell } *:security { compute_av check_context };
neverallow { appdomain -shell } *:netlink_selinux_socket *;
# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
neverallow appdomain fs_type:filesystem ~getattr;
# prevent creation/manipulation of globally readable symlinks
neverallow appdomain {
apk_data_file
cache_file
cache_recovery_file
dev_type
rootfs
system_file
tmpfs
}:lnk_file { append create link unlink relabelfrom rename setattr write };
# Applications should use the activity model for receiving events
neverallow {
appdomain
-shell # bugreport
} input_device:chr_file ~getattr;
# Do not allow access to Bluetooth-related system properties except for a few allowed domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
-bluetooth
-system_app
} { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# allow system_app to access Nfc-related system properties.
# The four rules per property below are one set_prop() expansion each:
# write to the property socket, connect to init, "set" on the property
# type, and read-mapping of the property file.
#line 196
#line 196
allow system_app property_socket:sock_file write;
#line 196
allow system_app init:unix_stream_socket connectto;
#line 196
#line 196
allow system_app nfc_prop:property_service set;
#line 196
#line 196
allow system_app nfc_prop:file { getattr open read map };
#line 196
#line 196
# allow system_app to access radio_config system properties.
#line 199
#line 199
allow system_app property_socket:sock_file write;
#line 199
allow system_app init:unix_stream_socket connectto;
#line 199
#line 199
allow system_app radio_control_prop:property_service set;
#line 199
#line 199
allow system_app radio_control_prop:file { getattr open read map };
#line 199
#line 199
# Apps cannot access proc_uid_time_in_state
neverallow appdomain proc_uid_time_in_state:file *;
# Apps cannot access proc_uid_concurrent_active_time
neverallow appdomain proc_uid_concurrent_active_time:file *;
# Apps cannot access proc_uid_concurrent_policy_time
neverallow appdomain proc_uid_concurrent_policy_time:file *;
# Apps cannot access proc_uid_cpupower
neverallow appdomain proc_uid_cpupower:file *;
# Apps may not read /proc/net/{tcp,tcp6,udp,udp6}. These files leak information across the
# application boundary. VPN apps may use the ConnectivityManager.getConnectionOwnerUid() API to
# perform UID lookups.
neverallow { appdomain -shell } proc_net_tcp_udp:file *;
# Apps cannot access bootstrap files. The bootstrap files are only for
# extremely early processes (like init, etc.) which are started before
# the runtime APEX is activated and Bionic libs are provided from there.
# If app process accesses (or even load/execute) the bootstrap files,
# it might cause problems such as ODR violation, etc.
neverallow appdomain system_bootstrap_lib_file:file
{ open read write append execute execute_no_trans map };
neverallow appdomain system_bootstrap_lib_file:dir
{ open read getattr search };
#line 1 "system/sepolicy/public/app_zygote.te"
# app_zygote is an auxiliary zygote process that is used to spawn
# isolated service processes for individual applications. It is
# spawned from the regular zygote process as a "child zygote".
#
# Only the domain and its tmpfs type are declared here; the access rules
# for app_zygote live elsewhere in the policy.
type app_zygote, domain;
type app_zygote_tmpfs, file_type;
#line 1 "system/sepolicy/public/artd.te"
# ART service daemon.
# Domain declaration only; no access rules for artd appear in this file.
type artd, domain;
#line 1 "system/sepolicy/public/asan_extract.te"
# asan_extract
#
# This command set moves the artifact corresponding to the current slot
# from /data/ota to /data/dalvik-cache.
#line 33
#line 1 "system/sepolicy/public/atrace.te"
# atrace -- tracing helper. Declared as a coredomain (system-image domain);
# its access rules are not in this file.
type atrace, domain, coredomain;
#line 1 "system/sepolicy/public/audioserver.te"
# audioserver - audio services daemon
type audioserver, domain;
type audioserver_tmpfs, file_type;
# Allow audioserver to signal audio HAL processes and dump their stacks.
# Only "signal" is granted (no sigkill/sigstop) -- audioserver can prompt
# a HAL process but not terminate it via this rule.
allow audioserver hal_audio_server:process signal;
# Allow audioserver to access sensorservice.
allow audioserver sensorservice_service:service_manager find;
# Read/write on an already-established stream socket with system_server;
# no connect permission is granted here, so the socket must be handed over
# (e.g. via fd passing) rather than opened by audioserver.
allow audioserver system_server:unix_stream_socket { read write };
#line 1 "system/sepolicy/public/blkid.te"
# blkid called from vold
# Domain declaration only; access rules live elsewhere.
type blkid, domain;
#line 1 "system/sepolicy/public/blkid_untrusted.te"
# blkid for untrusted block devices
# Separate domain from blkid so that probing of attacker-controlled media
# can be confined more tightly; the rules are defined elsewhere.
type blkid_untrusted, domain;
#line 1 "system/sepolicy/public/bluetooth.te"
# bluetooth subsystem
# Domain declaration only. Note that bluetooth is exempted from several
# app.te neverallows (capabilities, hci_attach_dev, sysfs writes,
# bluetooth_data_file, bluetooth properties), so its allow rules elsewhere
# deserve close review.
type bluetooth, domain;
#line 1 "system/sepolicy/public/bootanim.te"
# bootanimation oneshot service
#
# bootanim is a client of three HALs (configstore, graphics allocator,
# graphics composer), a binder client of servicemanager, surfaceflinger and
# audioserver, and an hwbinder client. Each hal_client_domain() expansion
# below also attaches the *server* attribute (e.g. hal_configstore) to
# bootanim for passthrough mode, which is why bootanim transitively gains
# execute/map on vendor_file -- see the TODO(b/34170079) notes.
type bootanim, domain;
type bootanim_exec, system_file_type, exec_type, file_type;
#line 5
typeattribute bootanim halclientdomain;
#line 5
typeattribute bootanim hal_configstore_client;
#line 5
#line 5
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 5
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 5
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 5
#line 5
typeattribute bootanim hal_configstore;
#line 5
# Find passthrough HAL implementations
#line 5
allow hal_configstore system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 5
allow hal_configstore vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 5
allow hal_configstore vendor_file:file { read open getattr execute map };
#line 5
#line 5
#line 6
typeattribute bootanim halclientdomain;
#line 6
typeattribute bootanim hal_graphics_allocator_client;
#line 6
#line 6
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 6
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 6
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 6
#line 6
typeattribute bootanim hal_graphics_allocator;
#line 6
# Find passthrough HAL implementations
#line 6
allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 6
allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 6
allow hal_graphics_allocator vendor_file:file { read open getattr execute map };
#line 6
#line 6
#line 7
typeattribute bootanim halclientdomain;
#line 7
typeattribute bootanim hal_graphics_composer_client;
#line 7
#line 7
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 7
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 7
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 7
#line 7
typeattribute bootanim hal_graphics_composer;
#line 7
# Find passthrough HAL implementations
#line 7
allow hal_graphics_composer system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 7
allow hal_graphics_composer vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 7
allow hal_graphics_composer vendor_file:file { read open getattr execute map };
#line 7
#line 7
#line 9
# Call the servicemanager and transfer references to it.
#line 9
allow bootanim servicemanager:binder { call transfer };
#line 9
# Allow servicemanager to send out callbacks
#line 9
allow servicemanager bootanim:binder { call transfer };
#line 9
# servicemanager performs getpidcon on clients.
#line 9
allow servicemanager bootanim:dir search;
#line 9
allow servicemanager bootanim:file { read open };
#line 9
allow servicemanager bootanim:process getattr;
#line 9
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 9
# all domains in domain.te.
#line 9
#line 10
# Call the server domain and optionally transfer references to it.
#line 10
allow bootanim surfaceflinger:binder { call transfer };
#line 10
# Allow the serverdomain to transfer references to the client on the reply.
#line 10
allow surfaceflinger bootanim:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow bootanim surfaceflinger:fd use;
#line 10
#line 11
# Call the server domain and optionally transfer references to it.
#line 11
allow bootanim audioserver:binder { call transfer };
#line 11
# Allow the serverdomain to transfer references to the client on the reply.
#line 11
allow audioserver bootanim:binder transfer;
#line 11
# Receive and use open files from the server.
#line 11
allow bootanim audioserver:fd use;
#line 11
#line 13
# Call the hwservicemanager and transfer references to it.
#line 13
allow bootanim hwservicemanager:binder { call transfer };
#line 13
# Allow hwservicemanager to send out callbacks
#line 13
allow hwservicemanager bootanim:binder { call transfer };
#line 13
# hwservicemanager performs getpidcon on clients.
#line 13
allow hwservicemanager bootanim:dir search;
#line 13
allow hwservicemanager bootanim:file { read open map };
#line 13
allow hwservicemanager bootanim:process getattr;
#line 13
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 13
# all domains in domain.te.
#line 13
# Direct GPU device access (read/write on the char device, directory
# listing, and read of the GPU sysfs node).
allow bootanim gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow bootanim gpu_device:dir { open getattr read search ioctl lock watch watch_reads };
allow bootanim sysfs_gpu:file { getattr open read ioctl lock map watch watch_reads };
# /oem access
allow bootanim oemfs:dir { open getattr read search ioctl lock watch watch_reads };
# boot animations on oem are stored with specific label
allow bootanim bootanim_oem_file:file { getattr open read ioctl lock map watch watch_reads };
# Audio device for the boot sound; read/write on the char device.
allow bootanim audio_device:dir { open getattr read search ioctl lock watch watch_reads };
allow bootanim audio_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow bootanim audioserver_service:service_manager find;
allow bootanim surfaceflinger_service:service_manager find;
allow bootanim surfaceflinger:unix_stream_socket { read write };
# Allow access to ion memory allocation device
allow bootanim ion_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow access to DMA-BUF system heap
# Read-only on the heap device (ioctl included), unlike ion_device above.
allow bootanim dmabuf_system_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow bootanim hal_graphics_allocator:fd use;
# Fences
allow bootanim hal_graphics_composer:fd use;
# Read access to pseudo filesystems.
allow bootanim proc_meminfo:file { getattr open read ioctl lock map watch watch_reads };
# System file accesses.
allow bootanim system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 1 "system/sepolicy/public/bootstat.te"
# bootstat command
#
# bootstat records boot-reason and boot-time statistics. It has read/write
# access to its own data directories, read access to pstore and the kernel
# syslog, can run logcat and talk to logd/statsd, and is the only domain
# besides init allowed to set system_boot_reason_prop.
type bootstat, domain;
type bootstat_exec, system_file_type, exec_type, file_type;
#line 5
allow bootstat runtime_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads };
#line 5
# Allow persistent storage in /data/misc/bootstat.
allow bootstat bootstat_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow bootstat bootstat_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# /metadata: search only on the parent, full rw on the bootstat subdir.
allow bootstat metadata_file:dir search;
allow bootstat metadata_bootstat_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow bootstat metadata_bootstat_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# ToDo: TBI move access for the following to a system health HAL
# Allow access to /sys/fs/pstore/ and syslog
allow bootstat pstorefs:dir search;
allow bootstat pstorefs:file { getattr open read ioctl lock map watch watch_reads };
# syslog_read only -- no syslog_mod/syslog_console.
allow bootstat kernel:system syslog_read;
# Allow access to reading the logs to read aspects of system health
# Expansion of read_logd(): execute logcat without a domain transition
# (execute_no_trans) and connect to logd's reader socket.
#line 23
allow bootstat logcat_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 23
#line 23
allow bootstat logdr_socket:sock_file write;
#line 23
allow bootstat logd:unix_stream_socket connectto;
#line 23
#line 23
# Allow bootstat write to statsd.
#line 26
allow bootstat statsdw_socket:sock_file write;
#line 26
allow bootstat statsd:unix_dgram_socket sendto;
#line 26
# The boot-reason property is trusted by consumers; restrict setters to
# bootstat and init only.
neverallow {
domain
-bootstat
-init
} system_boot_reason_prop:property_service set;
#line 1 "system/sepolicy/public/bpfloader.te"
# bpfloader -- loads BPF programs at boot. Declared as a coredomain; its
# access rules are not in this file.
type bpfloader, domain, coredomain;
#line 1 "system/sepolicy/public/bufferhubd.te"
# bufferhubd
#
# bufferhubd is a PDX server (bufferhub service) and a PDX client of the
# performance service, plus a graphics-allocator HAL client. It is
# mlstrustedsubject, so MLS constraints do not apply to it; review its
# rules with that in mind.
type bufferhubd, domain, mlstrustedsubject;
type bufferhubd_exec, system_file_type, exec_type, file_type;
#line 5
typeattribute bufferhubd halclientdomain;
#line 5
typeattribute bufferhubd hal_graphics_allocator_client;
#line 5
#line 5
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 5
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 5
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 5
#line 5
typeattribute bufferhubd hal_graphics_allocator;
#line 5
# Find passthrough HAL implementations
#line 5
allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 5
allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 5
allow hal_graphics_allocator vendor_file:file { read open getattr execute map };
#line 5
#line 5
# TODO(b/112338294): remove these after migrate to Binder
# --- pdx_server(bufferhubd, bufferhub_client) expansion ---
#line 8
# Mark the server domain as a PDX server.
#line 8
typeattribute bufferhubd pdx_bufferhub_client_server_type;
#line 8
# Allow the init process to create the initial endpoint socket.
#line 8
allow init pdx_bufferhub_client_endpoint_socket_type:unix_stream_socket { create bind };
#line 8
# Allow the server domain to use the endpoint socket and accept connections on it.
#line 8
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 8
# than we need (e.g. we don"t need "bind" or "connect").
#line 8
allow bufferhubd pdx_bufferhub_client_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
#line 8
# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
#line 8
allow bufferhubd self:process setsockcreate;
#line 8
# Allow the server domain to create a client channel socket.
#line 8
allow bufferhubd pdx_bufferhub_client_channel_socket_type:unix_stream_socket { create { { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } listen accept } };
#line 8
# Prevent other processes from claiming to be a server for the same service.
#line 8
neverallow {domain -bufferhubd} pdx_bufferhub_client_endpoint_socket_type:unix_stream_socket { listen accept };
#line 8
# --- pdx_client(bufferhubd, performance_client) expansion ---
#line 9
#line 9
# Allow client to open the service endpoint file.
#line 9
allow bufferhubd pdx_performance_client_endpoint_dir_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow bufferhubd pdx_performance_client_endpoint_socket_type:sock_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 9
# Allow the client to connect to endpoint socket.
#line 9
allow bufferhubd pdx_performance_client_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
#line 9
#line 9
#line 9
# Allow the client to use the PDX channel socket.
#line 9
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 9
# than we need (e.g. we don"t need "bind" or "connect").
#line 9
allow bufferhubd pdx_performance_client_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
#line 9
# Client needs to use an channel event fd from the server.
#line 9
allow bufferhubd pdx_performance_client_server_type:fd use;
#line 9
# Servers may receive sync fences, gralloc buffers, etc, from clients.
#line 9
# This could be tightened on a per-server basis, but keeping track of service
#line 9
# clients is error prone.
#line 9
allow pdx_performance_client_server_type bufferhubd:fd use;
#line 9
#line 9
# Access the GPU.
allow bufferhubd gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Access /dev/ion
# Read-only (with ioctl/map) on /dev/ion; no write permission is granted.
allow bufferhubd ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# Receive sync fence FDs from hal_omx_server. Note that hal_omx_server never directly
# connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between
# those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
# Thus, there is no need to use pdx_client macro.
allow bufferhubd hal_omx_server:fd use;
# Codec2 is similar to OMX
allow bufferhubd hal_codec2_server:fd use;
#line 1 "system/sepolicy/public/camera_service_server.te"
# Expansion of add_hwservice(camera_service_server, fwk_camera_hwservice):
# the camera_service_server attribute may register and look up the
# framework camera hwservice, and no domain outside it may register it.
# camera_service_server is not declared in this file; it is presumably an
# attribute declared elsewhere -- confirm before editing.
#line 1
allow camera_service_server fwk_camera_hwservice:hwservice_manager { add find };
#line 1
allow camera_service_server hidl_base_hwservice:hwservice_manager add;
#line 1
neverallow { domain -camera_service_server } fwk_camera_hwservice:hwservice_manager add;
#line 1
#line 1 "system/sepolicy/public/cameraserver.te"
# cameraserver - camera daemon
type cameraserver, domain;
type cameraserver_exec, system_file_type, exec_type, file_type;
type cameraserver_tmpfs, file_type;
#line 6
# Call the servicemanager and transfer references to it.
#line 6
allow cameraserver servicemanager:binder { call transfer };
#line 6
# Allow servicemanager to send out callbacks
#line 6
allow servicemanager cameraserver:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
#line 6
allow servicemanager cameraserver:dir search;
#line 6
allow servicemanager cameraserver:file { read open };
#line 6
allow servicemanager cameraserver:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6
#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow cameraserver binderservicedomain:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow binderservicedomain cameraserver:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow cameraserver binderservicedomain:fd use;
#line 7
#line 8
# Call the server domain and optionally transfer references to it.
#line 8
allow cameraserver appdomain:binder { call transfer };
#line 8
# Allow the serverdomain to transfer references to the client on the reply.
#line 8
allow appdomain cameraserver:binder transfer;
#line 8
# Receive and use open files from the server.
#line 8
allow cameraserver appdomain:fd use;
#line 8
#line 9
typeattribute cameraserver binderservicedomain;
#line 9
#line 11
typeattribute cameraserver halclientdomain;
#line 11
typeattribute cameraserver hal_camera_client;
#line 11
#line 11
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 11
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 11
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 11
#line 11
typeattribute cameraserver hal_camera;
#line 11
# Find passthrough HAL implementations
#line 11
allow hal_camera system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 11
allow hal_camera vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 11
allow hal_camera vendor_file:file { read open getattr execute map };
#line 11
#line 11
#line 13
typeattribute cameraserver halclientdomain;
#line 13
typeattribute cameraserver hal_graphics_allocator_client;
#line 13
#line 13
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 13
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 13
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 13
#line 13
typeattribute cameraserver hal_graphics_allocator;
#line 13
# Find passthrough HAL implementations
#line 13
allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 13
allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 13
allow hal_graphics_allocator vendor_file:file { read open getattr execute map };
#line 13
#line 13
allow cameraserver ion_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow cameraserver dmabuf_system_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# Talk with graphics composer fences
allow cameraserver hal_graphics_composer:fd use;
#line 21
allow cameraserver cameraserver_service:service_manager { add find };
#line 21
neverallow { domain -cameraserver } cameraserver_service:service_manager add;
#line 21
#line 21
# On debug builds with root, allow binder services to use binder over TCP.
#line 21
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 21
#line 21
#line 22
allow cameraserver fwk_camera_service:service_manager { add find };
#line 22
neverallow { domain -cameraserver } fwk_camera_service:service_manager add;
#line 22
#line 22
# On debug builds with root, allow binder services to use binder over TCP.
#line 22
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 22
#line 22
#line 23
allow cameraserver fwk_camera_hwservice:hwservice_manager { add find };
#line 23
allow cameraserver hidl_base_hwservice:hwservice_manager add;
#line 23
neverallow { domain -cameraserver } fwk_camera_hwservice:hwservice_manager add;
#line 23
allow cameraserver activity_service:service_manager find;
allow cameraserver appops_service:service_manager find;
allow cameraserver audioserver_service:service_manager find;
allow cameraserver batterystats_service:service_manager find;
allow cameraserver cameraproxy_service:service_manager find;
allow cameraserver mediaserver_service:service_manager find;
allow cameraserver package_native_service:service_manager find;
allow cameraserver permission_checker_service:service_manager find;
allow cameraserver processinfo_service:service_manager find;
allow cameraserver scheduling_policy_service:service_manager find;
allow cameraserver sensor_privacy_service:service_manager find;
allow cameraserver surfaceflinger_service:service_manager find;
allow cameraserver hidl_token_hwservice:hwservice_manager find;
allow cameraserver hal_camera_service:service_manager find;
allow cameraserver virtual_camera_service:service_manager find;
# Allow to talk with surfaceflinger through unix stream socket
allow cameraserver surfaceflinger:unix_stream_socket { read write };
###
### neverallow rules
###
# cameraserver should never execute any executable without a
# domain transition
neverallow cameraserver { file_type fs_type }:file execute_no_trans;
# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow cameraserver domain:{ udp_socket rawip_socket } *;
neverallow cameraserver { domain }:tcp_socket *;
# Allow shell commands from ADB for CTS testing/dumping
allow cameraserver adbd:fd use;
allow cameraserver adbd:unix_stream_socket { read write };
allow cameraserver shell:fd use;
allow cameraserver shell:unix_stream_socket { read write };
allow cameraserver shell:fifo_file { read write };
# Allow to talk with media codec
allow cameraserver mediametrics_service:service_manager find;
#line 75
typeattribute cameraserver halclientdomain;
#line 75
typeattribute cameraserver hal_codec2_client;
#line 75
#line 75
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 75
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 75
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 75
#line 75
typeattribute cameraserver hal_codec2;
#line 75
# Find passthrough HAL implementations
#line 75
allow hal_codec2 system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 75
allow hal_codec2 vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 75
allow hal_codec2 vendor_file:file { read open getattr execute map };
#line 75
#line 75
#line 76
typeattribute cameraserver halclientdomain;
#line 76
typeattribute cameraserver hal_omx_client;
#line 76
#line 76
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 76
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 76
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 76
#line 76
typeattribute cameraserver hal_omx;
#line 76
# Find passthrough HAL implementations
#line 76
allow hal_omx system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 76
allow hal_omx vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 76
allow hal_omx vendor_file:file { read open getattr execute map };
#line 76
#line 76
#line 77
typeattribute cameraserver halclientdomain;
#line 77
typeattribute cameraserver hal_allocator_client;
#line 77
#line 77
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 77
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 77
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 77
#line 77
typeattribute cameraserver hal_allocator;
#line 77
# Find passthrough HAL implementations
#line 77
allow hal_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 77
allow hal_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 77
allow hal_allocator vendor_file:file { read open getattr execute map };
#line 77
#line 77
# Allow shell commands from ADB for CTS testing/dumping
#line 84
#line 1 "system/sepolicy/public/charger.te"
# Domain for the system charger binary. charger_type is an attribute shared
# with charger_vendor (charger_vendor.te); the rules common to both live in
# charger_type.te, this file only adds the health-HAL client side.
type charger, charger_type, domain;
type charger_exec, system_file_type, exec_type, file_type;
# The system charger is a client of HIDL health HAL.
#line 5
# Expansion of the HAL-client macro: halclientdomain carries the generic
# hwservicemanager/servicemanager lookup rules (see charger_type.te for the
# same expansion spelled out), hal_health_client the health-specific ones.
typeattribute charger halclientdomain;
#line 5
typeattribute charger hal_health_client;
#line 5
#line 5
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 5
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 5
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 5
#line 5
# Security note: hal_health is the attribute shared by the client (here) and
# the server (charger_vendor). The three rules below hang off it and give the
# charger process read+execute+map on vendor_file, i.e. a passthrough HAL
# loads vendor code into the client's own address space. With a binderized
# HAL that code runs in charger_vendor instead.
typeattribute charger hal_health;
#line 5
# Find passthrough HAL implementations
#line 5
allow hal_health system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 5
allow hal_health vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 5
allow hal_health vendor_file:file { read open getattr execute map };
#line 5
#line 5
#line 1 "system/sepolicy/public/charger_type.te"
# Rules shared by every domain carrying the charger_type attribute (charger
# and charger_vendor). The expanded permission sets below are the
# r_dir_perms / r_file_perms / rw_file_perms style macros from the source .te.
# Write to /dev/kmsg
allow charger_type kmsg_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Read access to pseudo filesystems.
#line 5
allow charger_type rootfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 5
allow charger_type rootfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 5
#line 6
allow charger_type cgroup:dir { open getattr read search ioctl lock watch watch_reads };
#line 6
allow charger_type cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 6
#line 7
allow charger_type cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
#line 7
allow charger_type cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 7
# Allow to read /sys/class/power_supply directory
# Note: the rule is on the sysfs_type attribute, so directory listing is
# granted for every sysfs-labelled directory, not only power_supply. File
# contents are not covered here; those come from the specific sysfs_* types
# below (sysfs_wake_lock, sysfs_power, sysfs_batteryinfo).
allow charger_type sysfs_type:dir { open getattr read search ioctl lock watch watch_reads };
# sys_boot lets the charger reboot/power the device off; sys_tty_config is
# needed for the console it draws on. Both the init-ns and user-ns flavours
# of the capability class are granted.
allow charger_type self:{ capability cap_userns } {
sys_boot
sys_tty_config
};
#line 17
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 17
# deprecated.
#line 17
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 17
allow charger_type sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 17
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 17
allow charger_type self:{ capability2 cap2_userns } block_suspend;
#line 17
# system_suspend permissions
#line 17
#line 17
# Call the server domain and optionally transfer references to it.
#line 17
allow charger_type system_suspend_server:binder { call transfer };
#line 17
# Allow the serverdomain to transfer references to the client on the reply.
#line 17
allow system_suspend_server charger_type:binder transfer;
#line 17
# Receive and use open files from the server.
#line 17
allow charger_type system_suspend_server:fd use;
#line 17
#line 17
allow charger_type system_suspend_hwservice:hwservice_manager find;
#line 17
# halclientdomain permissions
#line 17
#line 17
# Call the hwservicemanager and transfer references to it.
#line 17
allow charger_type hwservicemanager:binder { call transfer };
#line 17
# Allow hwservicemanager to send out callbacks
#line 17
allow hwservicemanager charger_type:binder { call transfer };
#line 17
# hwservicemanager performs getpidcon on clients.
#line 17
allow hwservicemanager charger_type:dir search;
#line 17
allow hwservicemanager charger_type:file { read open map };
#line 17
allow hwservicemanager charger_type:process getattr;
#line 17
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 17
# all domains in domain.te.
#line 17
#line 17
#line 17
allow charger_type hwservicemanager_prop:file { getattr open read map };
#line 17
#line 17
allow charger_type hidl_manager_hwservice:hwservice_manager find;
#line 17
# AIDL suspend hal permissions
#line 17
allow charger_type hal_system_suspend_service:service_manager find;
#line 17
#line 17
# Call the servicemanager and transfer references to it.
#line 17
allow charger_type servicemanager:binder { call transfer };
#line 17
# Allow servicemanager to send out callbacks
#line 17
allow servicemanager charger_type:binder { call transfer };
#line 17
# servicemanager performs getpidcon on clients.
#line 17
allow servicemanager charger_type:dir search;
#line 17
allow servicemanager charger_type:file { read open };
#line 17
allow servicemanager charger_type:process getattr;
#line 17
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 17
# all domains in domain.te.
#line 17
#line 17
# Kernel uevent listener (e.g. for power-supply change notifications). The
# set deliberately omits ioctl; only create plus the basic socket operations.
allow charger_type self:netlink_kobject_uevent_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# Read/write to /sys/power/state
allow charger_type sysfs_power:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 24
allow charger_type sysfs_batteryinfo:dir { open getattr read search ioctl lock watch watch_reads };
#line 24
allow charger_type sysfs_batteryinfo:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 24
# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
allow charger_type pstorefs:dir { open getattr read search ioctl lock watch watch_reads };
allow charger_type pstorefs:file { getattr open read ioctl lock map watch watch_reads };
# Framebuffer / DRM nodes: read-write (the charger draws the battery UI).
allow charger_type graphics_device:dir { open getattr read search ioctl lock watch watch_reads };
allow charger_type graphics_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Input devices are read-only (key presses), the console tty is read-write.
allow charger_type input_device:dir { open getattr read search ioctl lock watch watch_reads };
allow charger_type input_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow charger_type tty_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# proc_sysrq write access (presumably the sysrq trigger entry under /proc) is
# a powerful primitive; it is confined to this attribute and not to domain.
allow charger_type proc_sysrq:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 1 "system/sepolicy/public/charger_vendor.te"
# Context when health HAL runs charger mode
# Shares charger_type with the system charger (charger_type.te) but sits on
# the server side of the health HAL: halserverdomain/hal_health_server, plus
# the hal_health attribute that both client and server carry.
type charger_vendor, charger_type, domain;
#line 4
typeattribute charger_vendor halserverdomain;
#line 4
typeattribute charger_vendor hal_health_server;
#line 4
typeattribute charger_vendor hal_health;
#line 4
# bpfdomain: rules for loading/using BPF programs are attached to this
# attribute elsewhere in the policy.
typeattribute charger_vendor bpfdomain;
#line 1 "system/sepolicy/public/crash_dump.te"
# Domain for the crash_dump helper that writes tombstones / ANR traces for a
# crashing process. It is reached only through a domain transition from
# crash_dump_exec (enforced by the neverallow at the end of this file), which
# is what scopes the broad "any domain" read rules below to that helper.
type crash_dump, domain;
type crash_dump_exec, system_file_type, exec_type, file_type;
# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
# which will result in an audit log even when it's allowed to trace.
dontaudit crash_dump self:{ capability cap_userns } { sys_ptrace };
#line 13
# The jump from source line 5 to 13 shows a stretch of the source .te that is
# not reproduced in this expansion; the ptrace/trace allow rules that pair
# with the dontaudit above are presumably among the elided lines.
# Use inherited file descriptors
# Subject is the domain attribute, i.e. any process on the system.
allow crash_dump domain:fd use;
# Read/write IPC pipes inherited from crashing processes.
allow crash_dump domain:fifo_file { read write };
# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
allow crash_dump domain:fifo_file { append };
# Read information from /proc/$PID.
allow crash_dump domain:process getattr;
#line 27
allow crash_dump domain:dir { open getattr read search ioctl lock watch watch_reads };
#line 27
allow crash_dump domain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 27
# Read (and map) any executable so symbols/unwind info can be resolved.
allow crash_dump exec_type:file { getattr open read ioctl lock map watch watch_reads };
# Read /data/dalvik-cache.
allow crash_dump dalvikcache_data_file:dir { search getattr };
allow crash_dump dalvikcache_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Read APEX data directories.
allow crash_dump apex_module_data_file:dir { getattr search };
# Read uptime
allow crash_dump proc_uptime:file { getattr open read ioctl lock map watch watch_reads };
# Read APK files.
#line 41
allow crash_dump apk_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 41
allow crash_dump apk_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 41
# The lone ';' below is left over from the macro expansion of the source rule.
;
# Read all /vendor
#line 44
allow crash_dump { vendor_file same_process_hal_file }:dir { open getattr read search ioctl lock watch watch_reads };
#line 44
allow crash_dump { vendor_file same_process_hal_file }:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 44
# Read all /data/local/tests
#line 47
allow crash_dump shell_test_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 47
allow crash_dump shell_test_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 47
# Talk to tombstoned
# Unix-socket connect pattern: write on the socket file plus connectto on the
# listening domain's stream socket.
#line 50
allow crash_dump tombstoned_crash_socket:sock_file write;
#line 50
allow crash_dump tombstoned:unix_stream_socket connectto;
#line 50
# Talk to ActivityManager.
#line 53
allow crash_dump system_ndebug_socket:sock_file write;
#line 53
allow crash_dump system_server:unix_stream_socket connectto;
#line 53
# Append to ANR files.
# Append-only: crash_dump can add to but not create, truncate or read these.
allow crash_dump anr_data_file:file { append getattr };
# Append to tombstone files.
allow crash_dump tombstone_data_file:file { append getattr };
# crash_dump writes out logcat logs at the bottom of tombstones,
# which is super useful in some cases.
#line 63
allow crash_dump logdr_socket:sock_file write;
#line 63
allow crash_dump logd:unix_stream_socket connectto;
#line 63
# Crash dump is not intended to access the following files. Since these
# are WAI, suppress the denials to clean up the logs.
# (dontaudit only silences the log line; the access is still denied.)
dontaudit crash_dump {
core_data_file_type
vendor_file_type
}:dir search;
dontaudit crash_dump system_data_file:{ lnk_file file } read;
dontaudit crash_dump property_type:file read;
###
### neverallow assertions
###
# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
# Do not allow the execution of crash_dump without a domain transition.
# Compile-time assertion checked by CTS: no domain may run the binary in its
# own context, so the rules above cannot be inherited by a caller.
neverallow domain crash_dump_exec:file execute_no_trans;
#line 1 "system/sepolicy/public/credstore.te"
# Domain for the credstore daemon (identity credential store). It is a binder
# service, owns credstore_data_file, and is the only domain allowed to
# register credstore_service (see the neverallow below).
type credstore, domain;
type credstore_exec, system_file_type, exec_type, file_type;
# credstore daemon
#line 5
# Expansion of the servicemanager-client macro.
# Call the servicemanager and transfer references to it.
#line 5
allow credstore servicemanager:binder { call transfer };
#line 5
# Allow servicemanager to send out callbacks
#line 5
allow servicemanager credstore:binder { call transfer };
#line 5
# servicemanager performs getpidcon on clients.
#line 5
allow servicemanager credstore:dir search;
#line 5
allow servicemanager credstore:file { read open };
#line 5
allow servicemanager credstore:process getattr;
#line 5
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 5
# all domains in domain.te.
#line 5
#line 6
typeattribute credstore binderservicedomain;
#line 6
#line 7
# Expansion of the binder-call macro towards system_server.
# Call the server domain and optionally transfer references to it.
#line 7
allow credstore system_server:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow system_server credstore:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow credstore system_server:fd use;
#line 7
# Full create/rename/delete control over its own data directory and files.
allow credstore credstore_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow credstore credstore_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
#line 12
# Expansion of the add-service macro: credstore may register and look up its
# service, and every other domain ({ domain -credstore }) is forbidden from
# registering a service under that name, which prevents impersonation.
allow credstore credstore_service:service_manager { add find };
#line 12
neverallow { domain -credstore } credstore_service:service_manager add;
#line 12
#line 12
# On debug builds with root, allow binder services to use binder over TCP.
#line 12
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 12
# (The rule the two comment lines above describe is not present in this
# expansion.)
#line 12
# Services credstore looks up as a client.
allow credstore sec_key_att_app_id_provider_service:service_manager find;
allow credstore dropbox_service:service_manager find;
allow credstore authorization_service:service_manager find;
# Fetch auth tokens from keystore2 (keystore2 is a userspace object class).
allow credstore keystore:keystore2 get_auth_token;
#line 18
allow credstore cgroup:dir { open getattr read search ioctl lock watch watch_reads };
#line 18
allow credstore cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 18
#line 19
allow credstore cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
#line 19
allow credstore cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 19
#line 1 "system/sepolicy/public/device.te"
# Device types
# Type declarations only; no access rules. Every type carries dev_type so
# attribute-level rules (e.g. domain's read of dev_type:lnk_file in domain.te)
# apply. mlstrustedobject marks nodes exempt from the MLS constraints, and
# isolated_compute_allowed_device is an allowlist attribute consumed by rules
# elsewhere in the policy.
type device, dev_type, fs_type;
type ashmem_device, dev_type, mlstrustedobject;
type ashmem_libcutils_device, dev_type, mlstrustedobject;
type audio_device, dev_type;
type binder_device, dev_type, mlstrustedobject;
type hwbinder_device, dev_type, mlstrustedobject, isolated_compute_allowed_device;
type vndbinder_device, dev_type;
type block_device, dev_type;
type bt_device, dev_type;
type camera_device, dev_type;
type dm_device, dev_type;
type ublk_block_device, dev_type;
type dm_user_device, dev_type;
type ublk_control_device, dev_type;
type keychord_device, dev_type;
type loop_control_device, dev_type;
type loop_device, dev_type;
type pmsg_device, dev_type, mlstrustedobject;
type radio_device, dev_type;
type ram_device, dev_type;
type rtc_device, dev_type;
type vd_device, dev_type;
type vold_device, dev_type;
type console_device, dev_type;
type fscklogs, dev_type;
# GPU (used by most UI apps)
type gpu_device, dev_type, mlstrustedobject;
type graphics_device, dev_type;
type hw_random_device, dev_type;
type input_device, dev_type;
type port_device, dev_type;
type lowpan_device, dev_type;
type mtp_device, dev_type, mlstrustedobject;
type nfc_device, dev_type;
type ptmx_device, dev_type, mlstrustedobject;
type kmsg_device, dev_type, mlstrustedobject;
type kmsg_debug_device, dev_type;
type null_device, dev_type, mlstrustedobject;
type random_device, dev_type, mlstrustedobject;
type secure_element_device, dev_type;
type sensors_device, dev_type;
type serial_device, dev_type;
type socket_device, dev_type;
type owntty_device, dev_type, mlstrustedobject;
type tty_device, dev_type;
type video_device, dev_type;
type zero_device, dev_type, mlstrustedobject;
type fuse_device, dev_type, mlstrustedobject;
type iio_device, dev_type;
type ion_device, dev_type, mlstrustedobject, isolated_compute_allowed_device;
# dmabuf heaps share the dmabuf_heap_device_type attribute; only the plain
# system heap is on the isolated-compute allowlist, the secure heap is not.
type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject, isolated_compute_allowed_device;
type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
type qtaguid_device, dev_type;
type watchdog_device, dev_type;
type uhid_device, dev_type, mlstrustedobject;
type uio_device, dev_type;
type tun_device, dev_type, mlstrustedobject;
type usbaccessory_device, dev_type, mlstrustedobject;
type usb_device, dev_type, mlstrustedobject;
type usb_serial_device, dev_type;
type gnss_device, dev_type;
# Property-system nodes; domain.te grants every domain read on these.
type properties_device, dev_type;
type properties_serial, dev_type;
type property_info, dev_type;
type hidraw_device, dev_type;
# All devices have a uart for the hci
# attach service. The uart dev node
# varies per device. This type
# is used in per device policy
type hci_attach_dev, dev_type;
# All devices have a rpmsg device for
# achieving remoteproc and rpmsg modules
type rpmsg_device, dev_type;
# Partition layout block device
type root_block_device, dev_type;
# factory reset protection block device
type frp_block_device, dev_type;
# System block device mounted on /system.
# Documented at https://source.android.com/devices/bootloader/partitions
type system_block_device, dev_type;
# Recovery block device.
# Documented at https://source.android.com/devices/bootloader/partitions
type recovery_block_device, dev_type;
# boot block device.
# Documented at https://source.android.com/devices/bootloader/partitions
type boot_block_device, dev_type;
# dtbo block device, type used for getting DTBO information for AVF.
# Documented at https://source.android.com/docs/core/architecture/dto/partitions
type dtbo_block_device, dev_type;
# Userdata block device mounted on /data.
# Documented at https://source.android.com/devices/bootloader/partitions
type userdata_block_device, dev_type;
# Zoned block device.
type zoned_block_device, dev_type;
# Cache block device mounted on /cache.
# Documented at https://source.android.com/devices/bootloader/partitions
type cache_block_device, dev_type;
# Block device for any swap partition.
type swap_block_device, dev_type;
# Metadata block device mounted on /metadata, used for encryption metadata and
# various other purposes.
# Documented at https://source.android.com/devices/bootloader/partitions
type metadata_block_device, dev_type;
# The 'misc' partition used by recovery and A/B.
# Documented at https://source.android.com/devices/bootloader/partitions
type misc_block_device, dev_type;
# 'super' partition to be used for logical partitioning.
type super_block_device, super_block_device_type, dev_type;
# sdcard devices; normally vold uses the vold_block_device label and creates a
# separate device node. gsid, however, accesses the original device node
# created through uevents, so we use a separate label.
type sdcard_block_device, dev_type;
# Userdata device file for filesystem tunables
type userdata_sysdev, dev_type;
# Root disk file for disk tunables
type rootdisk_sysdev, dev_type;
# vfio device
type vfio_device, dev_type;
#line 1 "system/sepolicy/public/dhcp.te"
# Domain for the dhcpcd client. It is a netdomain (network access rules are
# attached to that attribute) and is usually started with descriptors
# inherited from netd, see the PAN rules at the bottom.
type dhcp, domain;
type dhcp_exec, system_file_type, exec_type, file_type;
#line 4
typeattribute dhcp netdomain;
#line 4
allow dhcp cgroup:dir { create write add_name };
allow dhcp cgroup_v2:dir { create write add_name };
# Capabilities: setuid/setgid (presumably for dropping privilege after start)
# plus the raw-socket / interface-configuration / privileged-port set a DHCP
# client needs. Granted in both the init and user namespace flavours.
allow dhcp self:{ capability cap_userns } { setgid setuid net_admin net_raw net_bind_service };
# Raw packet socket for the DHCP exchange; the set omits ioctl.
allow dhcp self:packet_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow dhcp self:netlink_route_socket nlmsg_write;
# Security note: these sets include execute_no_trans, so binaries under
# shell_exec, system_file, vendor_file and toolbox_exec run *inside* the dhcp
# domain with the capabilities above rather than in a separate domain. The
# hook scripts are what need this; keep the hook directory trusted.
allow dhcp shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow dhcp system_file:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow dhcp vendor_file:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
allow dhcp toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# For /proc/sys/net/ipv4/conf/*/promote_secondaries
# Note: the rule is on the proc_net_type attribute, so write is granted to
# every file carrying a proc_net type, not only the sysctl named above.
allow dhcp proc_net_type:file write;
allow dhcp dhcp_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow dhcp dhcp_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# PAN connections
# Descriptors, pipes and sockets inherited from netd when it launches dhcp.
allow dhcp netd:fd use;
allow dhcp netd:fifo_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow dhcp netd:{ { udp_socket unix_dgram_socket } unix_stream_socket } { read write };
allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
#line 1 "system/sepolicy/public/display_service_server.te"
# Expansion of the add-hwservice macro for display_service_server (declared
# elsewhere; no type statement in this file). The server may register and
# look up fwk_display_hwservice, may register under the generic
# hidl_base_hwservice name, and every other domain is forbidden from
# registering fwk_display_hwservice, so clients cannot be redirected to an
# impostor.
#line 1
allow display_service_server fwk_display_hwservice:hwservice_manager { add find };
#line 1
allow display_service_server hidl_base_hwservice:hwservice_manager add;
#line 1
neverallow { domain -display_service_server } fwk_display_hwservice:hwservice_manager add;
#line 1
#line 1 "system/sepolicy/public/dnsmasq.te"
# DNS, DHCP services
# Domain for dnsmasq (tethering DNS/DHCP server). Like dhcp it is a netdomain
# and inherits its working descriptors/sockets from netd.
type dnsmasq, domain;
type dnsmasq_exec, system_file_type, exec_type, file_type;
#line 5
typeattribute dnsmasq netdomain;
#line 5
# Extended-permission allowlist: ioctl on dnsmasq's own UDP sockets is
# restricted to the command numbers listed below (the base ioctl permission
# itself comes from the socket rules attached to netdomain/domain). Anything
# not listed is denied even though ioctl as a whole is allowed.
allowxperm dnsmasq self:udp_socket ioctl
#line 6
{
#line 6
# qualcomm rmnet ioctls
#line 6
0x00006900 0x00006902
#line 6
# socket ioctls
#line 6
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 6
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 6
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 6
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 6
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 6
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 6
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 6
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 6
0x00008991 0x00008992 0x00008993 0x00008994
#line 6
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 6
# device and protocol specific ioctls
#line 6
0x000089f0-0x000089ff
#line 6
0x000089e0-0x000089ef
#line 6
# Wireless extension ioctls
#line 6
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 6
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 6
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 6
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 6
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 6
0x00008b34 0x00008b35 0x00008b36
#line 6
# Dev private ioctl i.e. hardware specific ioctls
#line 6
0x00008be0-0x00008bff
#line 6
};
# TODO: Run with dhcp group to avoid need for dac_override.
# dac_override / dac_read_search bypass discretionary (uid/gid) file checks;
# SELinux rules still apply, but this is a broad grant and the TODO above is
# the intended fix.
allow dnsmasq self:{ capability cap_userns } { dac_override dac_read_search };
allow dnsmasq self:{ capability cap_userns } { net_admin net_raw net_bind_service setgid setuid };
# Lease/state files: write into the existing directory (no create/rmdir on
# the directory itself) and full create/rename/unlink on the files.
allow dnsmasq dhcp_data_file:dir { open search write add_name remove_name lock };
allow dnsmasq dhcp_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Inherit and use open files from netd.
allow dnsmasq netd:fd use;
allow dnsmasq netd:fifo_file { getattr read write };
# TODO: Investigate whether these inherited sockets should be closed on exec.
# Read/write only on sockets netd created; dnsmasq cannot create these
# netlink socket classes itself under this file's rules.
allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
allow dnsmasq netd:netlink_nflog_socket { read write };
allow dnsmasq netd:netlink_route_socket { read write };
allow dnsmasq netd:unix_stream_socket { getattr read write };
allow dnsmasq netd:unix_dgram_socket { read write };
allow dnsmasq netd:udp_socket { read write };
#line 1 "system/sepolicy/public/domain.te"
# Rules for all domains.
# Allow reaping by init.
allow domain init:process sigchld;
# Intra-domain accesses.
allow domain self:process {
fork
sigchld
sigkill
sigstop
signull
signal
getsched
setsched
getsession
getpgid
setpgid
getcap
setcap
getattr
setrlimit
};
allow domain self:fd use;
allow domain proc:dir { open getattr read search ioctl lock watch watch_reads };
allow domain proc_net_type:dir search;
#line 27
allow domain self:dir { open getattr read search ioctl lock watch watch_reads };
#line 27
allow domain self:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 27
allow domain self:{ fifo_file file } { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow domain self:unix_dgram_socket { { create { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } } sendto };
allow domain self:unix_stream_socket { { create { { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } listen accept } } connectto };
# Inherit or receive open files from others.
allow domain init:fd use;
#line 52
#line 58
# Allow everyone to read aconfig flags
#line 61
allow domain device_config_aconfig_flags_prop:file { getattr open read map };
#line 61
;
# Root fs.
allow domain tmpfs:dir { getattr search };
allow domain rootfs:dir search;
allow domain rootfs:lnk_file { read getattr };
# Device accesses.
allow domain device:dir search;
allow domain dev_type:lnk_file { getattr open read ioctl lock map watch watch_reads };
allow domain devpts:dir search;
allow domain dmabuf_heap_device:dir { open getattr read search ioctl lock watch watch_reads };
allow domain socket_device:dir { open getattr read search ioctl lock watch watch_reads };
allow domain owntty_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow domain null_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow domain zero_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# /dev/ashmem is being deprecated by means of constraining and eventually
# removing all "open" permissions. We preserve the other permissions.
allow domain ashmem_device:chr_file { getattr read ioctl lock map append write };
# This device is used by libcutils, which is accessible to everyone.
allow domain ashmem_libcutils_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# /dev/binder can be accessed by ... everyone! :)
allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 86
allow {domain -hwservicemanager -vndservicemanager } servicemanager_prop:file { getattr open read map };
#line 86
# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
# added to individual domains, but this sets safe defaults for all processes.
allowxperm domain binder_device:chr_file ioctl { {
#line 90
0xc0306201 0x40086203 0x40046205
#line 90
0x40046206 0x40046207 0x40046208
#line 90
0xc0046209 0xc018620b 0xc018620c
#line 90
0x4018620d 0x40046210
#line 90
0xc0486211
#line 90
} };
# /dev/binderfs needs to be accessed by everyone too!
allow domain binderfs:dir { getattr search };
allow domain binderfs_logs_proc:dir search;
allow domain binderfs_features:dir search;
allow domain binderfs_features:file { getattr open read ioctl lock map watch watch_reads };
allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow domain ptmx_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow domain random_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow domain proc_random:dir { open getattr read search ioctl lock watch watch_reads };
allow domain proc_random:file { getattr open read ioctl lock map watch watch_reads };
allow domain properties_device:dir { search getattr };
allow domain properties_serial:file { getattr open read ioctl lock map watch watch_reads };
allow domain property_info:file { getattr open read ioctl lock map watch watch_reads };
# Let everyone read log properties, so that liblog can avoid sending unloggable
# messages to logd.
#line 109
allow domain log_property_type:file { getattr open read map };
#line 109
dontaudit domain property_type:file audit_access;
allow domain property_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
allow domain init:key search;
allow domain vold:key search;
# logd access
#line 117
#line 117
allow domain logdw_socket:sock_file write;
#line 117
allow domain logd:unix_dgram_socket sendto;
#line 117
#line 117
allow domain pmsg_device:chr_file { open append write lock map };
#line 117
# Baseline file-system access granted to *every* process (the `domain`
# attribute). Everything in this section is read/search/execute only; no rule
# here grants write access to /system or /vendor, and the neverallow rules later
# in this file forbid that for all domains.
# Directory/link file access for path resolution.
allow domain {
system_file
system_lib_file
system_seccomp_policy_file
system_security_cacerts_file
}:dir { open getattr read search ioctl lock watch watch_reads };
allow domain system_file:lnk_file { getattr read };
# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
allow domain system_seccomp_policy_file:file { getattr open read ioctl lock map watch watch_reads };
# cacerts are accessible from public Java API.
allow domain system_security_cacerts_file:file { getattr open read ioctl lock map watch watch_reads };
allow domain system_group_file:file { getattr open read ioctl lock map watch watch_reads };
allow domain system_passwd_file:file { getattr open read ioctl lock map watch watch_reads };
allow domain system_linker_exec:file { execute read open getattr map };
allow domain system_linker_config_file:file { getattr open read ioctl lock map watch watch_reads };
allow domain system_lib_file:file { execute read open getattr map };
# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
allow domain system_linker_exec:lnk_file { read open getattr };
allow domain system_lib_file:lnk_file { read open getattr };
allow domain system_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads };
allow { appdomain coredomain } system_file:file { execute read open getattr map };
# Make sure system/vendor split does not affect non-treble
# devices
# NOTE: the expansion below (#line 148) widens the preceding appdomain/coredomain
# rule to every domain, including vendor ones, and lets every domain execute
# vendor_file_type. On Treble devices the narrower BEGIN_TREBLE_ONLY rules that
# follow are what CTS enforces.
#line 148
allow domain system_file:file { execute read open getattr map };
#line 148
allow domain vendor_file_type:dir { search getattr };
#line 148
allow domain vendor_file_type:file { execute read open getattr map };
#line 148
allow domain vendor_file_type:lnk_file { getattr read };
#line 153
# All domains are allowed to open and read directories
# that contain HAL implementations (e.g. passthrough
# HALs require clients to have these permissions)
allow domain vendor_hal_file:dir { open getattr read search ioctl lock watch watch_reads };
# Everyone can read and execute all same process HALs
# (only the dir is granted to all; file execute below deliberately excludes
# coredomain so that framework processes must be granted it one by one).
allow domain same_process_hal_file:dir { open getattr read search ioctl lock watch watch_reads };
allow {
domain
-coredomain # access is explicitly granted to individual coredomains
} same_process_hal_file:file { execute read open getattr map };
# Any process can load vndk-sp libraries, which are system libraries
# used by same process HALs
allow domain vndk_sp_file:dir { open getattr read search ioctl lock watch watch_reads };
allow domain vndk_sp_file:file { execute read open getattr map };
# All domains get access to /vendor/etc
allow domain vendor_configs_file:dir { open getattr read search ioctl lock watch watch_reads };
allow domain vendor_configs_file:file { read open getattr map };
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 176
#line 176
# Allow all domains to be able to follow /system/vendor and/or
#line 176
# /vendor/odm symlinks.
#line 176
allow domain vendor_file_type:lnk_file { getattr open read };
#line 176
#line 176
# This is required to be able to search & read /vendor/lib64
#line 176
# in order to lookup vendor libraries. The execute permission
#line 176
# for coredomains is granted *only* for same process HALs
#line 176
allow domain vendor_file:dir { getattr search };
#line 176
#line 176
# Allow reading and executing out of /vendor to all vendor domains
#line 176
# (coredomain is excluded here: framework processes may traverse /vendor but
#line 176
# must not execute arbitrary vendor code).
#line 176
allow { domain -coredomain } vendor_file_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 176
allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
#line 176
allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
#line 176
#line 176
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 190
# read and stat any sysfs symlinks
allow domain sysfs:lnk_file { getattr read };
# libc references /system/usr/share/zoneinfo for timezone related information.
# This directory is considered to be a VNDK-stable
allow domain { system_zoneinfo_file }:file { getattr open read ioctl lock map watch watch_reads };
allow domain { system_zoneinfo_file }:dir { open getattr read search ioctl lock watch watch_reads };
# Lots of processes access current CPU information
#line 201
allow domain sysfs_devices_system_cpu:dir { open getattr read search ioctl lock watch watch_reads };
#line 201
allow domain sysfs_devices_system_cpu:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 201
#line 203
allow domain sysfs_usb:dir { open getattr read search ioctl lock watch watch_reads };
#line 203
allow domain sysfs_usb:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 203
;
# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
allow domain sysfs_transparent_hugepage:dir search;
allow domain sysfs_transparent_hugepage:file { getattr open read ioctl lock map watch watch_reads };
# Allow search access, and sometimes getattr access, to various directories
# under /data. We are fairly lenient in allowing search access to top-level
# dirs that commonly need to be traversed to get access to the "real" files, as
# this greatly simplifies the policy and doesn't open up much attack surface.
# Note that only search/getattr is granted here: listing (read) or opening
# files under /data still needs a domain-specific rule.
#line 214
allow domain system_data_file:dir getattr;
#line 216
allow { coredomain appdomain } system_data_file:dir getattr;
# Anything that accesses anything in /data needs search access to /data itself.
# This includes vendor components, as they need to access /data/vendor.
allow domain system_data_root_file:dir { search getattr } ;
# system_data_file is the default type for directories in /data. Anything
# accessing data files with a more specific type often has to traverse a
# system_data_file directory such as /data/misc to get there.
allow domain system_data_file:dir search;
# Anything that accesses files in /data/user (and /data/user_de, etc.) needs
# search access to these directories themselves. getattr access is sometimes
# needed too.
allow { coredomain appdomain } system_userdir_file:dir { search getattr };
# Anything that accesses files in /data/media needs search access to /data/media
# itself.
allow { coredomain appdomain } media_userdir_file:dir search;
# TODO restrict this to non-coredomain
allow domain vendor_userdir_file:dir { getattr search };
allow domain vendor_data_file:dir { getattr search };
# required by the dynamic linker
allow domain proc:lnk_file { getattr read };
# /proc/cpuinfo
allow domain proc_cpuinfo:file { getattr open read ioctl lock map watch watch_reads };
# /dev/cpu_variant:.*
allow domain dev_cpu_variant:file { getattr open read ioctl lock map watch watch_reads };
# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
allow domain proc_perf:file { getattr open read ioctl lock map watch watch_reads };
# toybox loads libselinux which stats /sys/fs/selinux/
# (getattr only; no domain gets read/write on selinuxfs files from here, and
# load_policy/setenforce are neverallowed further down).
allow domain selinuxfs:dir search;
allow domain selinuxfs:file getattr;
allow domain sysfs:dir search;
allow domain selinuxfs:filesystem getattr;
# Almost all processes log tracing information to
# /sys/kernel/debug/tracing/trace_marker
# The reason behind this is documented in b/6513400
allow domain debugfs:dir search;
allow domain debugfs_tracing:dir search;
allow domain debugfs_tracing_debug:dir search;
allow domain debugfs_trace_marker:file { open append write lock map };
# Linux lockdown mode offered coarse-grained definitions for access controls. In
# previous versions of the policy, the integrity permission was neverallowed.
# It was found that this permission mainly duplicates pre-existing rules in
# the policy (see b/285443587). Additionally, some accesses were found to be
# required (b/269377822). The access vector was removed from kernel 5.16
# onwards. Grant unconditional access, these rules should be removed from the
# policy once no kernel <5.16 are supported.
allow domain self:lockdown { confidentiality integrity };
# Filesystem access.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
# Restrict all domains to an allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
# (The target `domain` here matches sockets that carry a process label, i.e.
# sockets created by a domain rather than labeled file/device objects.)
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
ioctl {
#line 281
{
#line 281
# Socket ioctls for gathering information about the interface
#line 281
0x00008906 0x00008907
#line 281
0x00008910 0x00008912 0x00008913 0x00008915 0x00008917 0x00008919
#line 281
0x0000891b 0x00008921 0x00008933 0x00008938 0x00008942
#line 281
# Wireless extension ioctls. Primarily get functions.
#line 281
0x00008b01 0x00008b05 0x00008b07 0x00008b09 0x00008b0b 0x00008b0d
#line 281
0x00008b0f 0x00008b11 0x00008b12 0x00008b13 0x00008b21 0x00008b23
#line 281
0x00008b25 0x00008b27 0x00008b29 0x00008b2d
#line 281
} {
#line 281
0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414
#line 281
0x0000540e 0x0000540b 0x00005410 0x0000540f
#line 281
} };
# default allowlist for unix sockets.
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
ioctl {
#line 284
0x00005411 0x00005451 0x00005450 0x00005401 0x00005413 0x00005414 0x0000541b
#line 284
};
# Restrict PTYs to only allowed ioctls.
# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
# 0x5412 (TIOCSTI) is deliberately absent from this list and is additionally
# neverallowed below.
allowxperm domain devpts:chr_file ioctl {
#line 290
0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414
#line 290
0x0000540e 0x0000540b 0x00005410 0x0000540f
#line 290
};
# All domains must clearly enumerate what ioctls they use
# on filesystem objects (plain files, directories, symbolic links,
# named pipes, and named sockets). We start off with a safe set.
# (0x5450/0x5451 are presumably FIONCLEX/FIOCLEX, the close-on-exec toggles;
# verify against <asm/ioctls.h> before relying on that reading.)
allowxperm domain { file_type fs_type domain dev_type }:{ dir { file lnk_file sock_file fifo_file } blk_file } ioctl { 0x00005451 0x00005450 };
# If a domain has ioctl access to tun_device, it must clearly enumerate the
# ioctls used. Safe defaults are listed below.
allowxperm domain tun_device:chr_file ioctl { 0x00005451 0x00005450 };
# Allow a process to make a determination whether a file descriptor
# for a plain file or pipe (fifo_file) is a tty. Note that granting
# this allowlist to domain does not grant the ioctl permission to
# these files. That must be granted separately.
allowxperm domain { file_type fs_type }:file ioctl { 0x00005401 };
allowxperm domain domain:fifo_file ioctl { 0x00005401 };
# If a domain has access to perform an ioctl on a block device, allow these
# very common, benign ioctls
allowxperm domain dev_type:blk_file ioctl { 0x80081272 0x00001268 };
# Support sqlite F2FS specific optimizations
# ioctl permission on the specific file type is still required
# TODO: consider only compiling these rules if we know the
# /data partition is F2FS
allowxperm domain { file_type sdcard_type }:file ioctl {
0xf505
0xf502
0xf50c
0xf50e
0xf50d
0xf501
};
# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
# when it's not explicitly used in allow rules
# (the source set `{ domain -domain }` is empty, so this rule grants nothing at
# runtime; it only keeps the attribute alive in the compiled policy).
allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
# when it's not explicitly used in allow rules
# (same empty-source trick as above).
allow { domain -domain } vndservice_manager_type:service_manager { add find };
# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
# Under ASAN, /system/asan.options needs to be globally accessible.
# (No ASAN rules are present in this build of the policy.)
# read APEX dir and stat any symlink pointing to APEXs.
allow domain apex_mnt_dir:dir { getattr search };
allow domain apex_mnt_dir:lnk_file { getattr open read ioctl lock map watch watch_reads };
# Allow everyone to read media server-configurable flags, so that libstagefright can be
# configured using server-configurable flags
#line 343
allow domain device_config_media_native_prop:file { getattr open read map };
#line 343
# Allow everyone to read from flag value boot snapshot files and general pb files
# The boot copy of the flag value files serves flag read traffic for all processes, thus
# needs to be readable by everybody. Also, the metadata directory will contain pb file
# that records where flag storage files are, so also needs to be readable by everybody.
allow domain { aconfig_storage_metadata_file }:file { getattr open read ioctl lock map watch watch_reads };
###
### neverallow rules
###
### These are compile-time assertions: the policy (and, via CTS, any vendor
### policy layered on top of it) fails to build if an allow rule anywhere
### contradicts one of them. They are the security guarantees of this file.
# All ioctls on file-like objects (except chr_file and blk_file) and
# sockets must be restricted to an allowlist.
# Mechanism: an `ioctl` grant with no accompanying allowxperm allowlist permits
# every command, including 0x0000, and therefore trips this rule. Listing
# command 0 here thus forces every ioctl grant to come with an explicit
# allowlist (which must not itself contain 0).
neverallowxperm * *:{ dir { file lnk_file sock_file fifo_file } { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } blk_file } ioctl { 0 };
# b/68014825 and https://android-review.googlesource.com/516535
# rfc6093 says that processes should not use the TCP urgent mechanism
# (0x8905 is presumably SIOCATMARK -- verify against <asm/sockios.h>)
neverallowxperm domain domain:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } ioctl { 0x00008905 };
# TIOCSTI is only ever used for exploits. Block it.
# b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14
# (TIOCSTI injects input into a terminal; a process holding a pty fd could use
# it to type commands into a more privileged shell on the same terminal.)
neverallowxperm * devpts:chr_file ioctl 0x00005412;
# Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } create;
# Limit device node creation to these allowed domains.
neverallow {
domain
-kernel
-init
-ueventd
-vold
} self:{ capability cap_userns } mknod;
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow * self:memprotect mmap_zero;
# No domain needs mac_override as it is unused by SELinux.
neverallow * self:{ capability2 cap2_userns } mac_override;
# Disallow attempts to set contexts not defined in current policy
# This helps guarantee that unknown or dangerous contexts will not ever
# be set.
neverallow * self:{ capability2 cap2_userns } mac_admin;
# Once the policy has been loaded there shall be none to modify the policy.
# It is sealed.
neverallow * kernel:security load_policy;
# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
neverallow * kernel:security setenforce;
neverallow { domain -kernel } kernel:security setcheckreqprot;
# No booleans in AOSP policy, so no need to ever set them.
neverallow * kernel:security setbool;
# Adjusting the AVC cache threshold.
# Not presently allowed to anything in policy, but possibly something
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;
# Only the kernel hwrng thread should be able to read from the HW RNG.
neverallow {
domain
-prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG
-shell # For CTS, restricted to just getattr in shell.te
-ueventd # To create the /dev/hw_random file
} hw_random_device:chr_file *;
# b/78174219 b/64114943
neverallow {
domain
-shell # stat of /dev, getattr only
-ueventd
} keychord_device:chr_file *;
# Ensure that all entrypoint executables are in exec_type or postinstall_file.
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
# The dynamic linker always calls access(2) on the path. Don't generate SElinux
# denials since the linker does not actually access the path in case the path
# does not exist or isn't accessible for the process.
dontaudit domain postinstall_mnt_dir:dir audit_access;
# Ensure that nothing in userspace can access /dev/port
neverallow {
domain
-shell # Shell user should not have any abilities outside of getattr
-ueventd
} port_device:chr_file *;
neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
neverallow { domain -init -vendor_init } proc_security:file { append open read write };
# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow * init:binder *;
neverallow * vendor_init:binder *;
# Binderfs logs contain sensitive information about other processes.
neverallow { domain -dumpstate -init -vendor_init } { binderfs_logs binderfs_logs_proc }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_stats:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
# Do not allow renaming of block files or character files
# Ability to do so can lead to possible use in an exploit chain
# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
neverallow * *:{ blk_file chr_file } rename;
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
neverallow domain device:chr_file { open read write };
# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
# The test files and executables MUST not be accessible to any domain
neverallow { domain } nativetest_data_file:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } { append create link unlink relabelfrom rename setattr write };
neverallow domain nativetest_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
neverallow { domain } nativetest_data_file:file { execute execute_no_trans };
neverallow { domain -shell -init -adbd } shell_test_data_file:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } { append create link unlink relabelfrom rename setattr write };
neverallow { domain -shell -init -adbd } shell_test_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
neverallow { domain -shell -init -adbd -heapprofd -crash_dump } shell_test_data_file:file *;
neverallow heapprofd shell_test_data_file:file { { append create link unlink relabelfrom rename setattr write } { execute execute_no_trans } };
neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;
# Only the init property service should write to /data/property and /dev/__properties__
neverallow { domain -init } property_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
neverallow { domain -init } property_data_file:file { { append create link unlink relabelfrom rename setattr write } { execute execute_no_trans } };
neverallow { domain -init } property_type:file { { append create link unlink relabelfrom rename setattr write } { execute execute_no_trans } };
neverallow { domain -init } properties_device:file { { append create link unlink relabelfrom rename setattr write } { execute execute_no_trans } };
neverallow { domain -init } properties_serial:file { { append create link unlink relabelfrom rename setattr write } { execute execute_no_trans } };
# Nobody should be doing writes to /system & /vendor
# These partitions are intended to be read-only and must never be
# modified. Doing so would violate important Android security guarantees
# and invalidate dm-verity signatures.
# No exemptions at all: even init, recovery and update_engine are covered here
# (they write to the block device, not through the mounted filesystem).
neverallow {
domain
} {
system_file_type
vendor_file_type
exec_type
}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create write setattr relabelfrom append unlink link rename };
neverallow { domain -kernel } { system_file_type vendor_file_type exec_type }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;
# Don't allow mounting on top of /system files or directories
neverallow * exec_type:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } mounton;
# Nothing should be writing to files in the rootfs.
neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
neverallow * {fs_type -contextmount_type}:filesystem relabelto;
# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
# mount to another type.
neverallow * contextmount_type:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
{ create setattr relabelfrom relabelto append link rename };
neverallow { domain } contextmount_type:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { write unlink };
# Do not allow service_manager add for default service labels.
# Instead domains should use a more specific type such as
# system_app_service rather than the generic type.
# New service_types are defined in {,hw,vnd}service.te and new mappings
# from service name to service_type are defined in {,hw,vnd}service_contexts.
neverallow * default_android_service:service_manager *;
neverallow * default_android_vndservice:service_manager *;
neverallow * default_android_hwservice:hwservice_manager *;
# Looking up the base class/interface of all HwBinder services is a bad idea.
# hwservicemanager currently offer such lookups only to make it so that security
# decisions are expressed in SELinux policy. However, it's unclear whether this
# lookup has security implications. If it doesn't, hwservicemanager should be
# modified to not offer this lookup.
# This rule can be removed if hwservicemanager is modified to not permit these
# lookups.
neverallow * hidl_base_hwservice:hwservice_manager find;
# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
neverallow { domain -init -vendor_init } mmc_prop:property_service set;
neverallow { domain -init -vendor_init } vndk_prop:property_service set;
# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 544
#line 544
neverallow { domain -init } mmc_prop:property_service set;
#line 544
neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
#line 544
neverallow { domain -init } exported_secure_prop:property_service set;
#line 544
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
#line 544
neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
#line 544
neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set;
#line 544
#line 544
# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 551
# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 553
#line 553
neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
#line 553
neverallow { domain -coredomain -vendor_init } exported_pm_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 553
#line 553
# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 556
# New "pm.dexopt." sysprops should be explicitly listed as exported_pm_prop.
neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:property_service set;
neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# ART may introduce new sysprops. SELinux denials due to reading new sysprops on
# old platforms shouldn't be regarded as a problem.
dontaudit domain future_pm_prop:file read;
neverallow { domain -init } aac_drc_prop:property_service set;
neverallow { domain -init } build_prop:property_service set;
neverallow { domain -init } userdebug_or_eng_prop:property_service set;
# Do not allow reading device's serial number from system properties except from
# a few allowed domains.
# (The serial number is a persistent device identifier; any new exemption here
# widens who can fingerprint the device.)
neverallow {
domain
-adbd
-dumpstate
-fastbootd
-hal_camera_server
-hal_cas_server
-hal_drm_server
-hal_keymint_server
-init
-mediadrmserver
-mediaserver
-recovery
-shell
-system_server
-vendor_init
} serialno_prop:file { getattr open read ioctl lock map watch watch_reads };
# Factory reset protection: only the listed domains may touch the FRP partition.
neverallow {
domain
-init
-recovery
-system_server
-ueventd # Further restricted in ueventd.te
} frp_block_device:blk_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# The metadata block device is set aside for device encryption and
# verified boot metadata. It may be reset at will and should not
# be used by other domains.
neverallow {
domain
-init
-recovery
-vold
-e2fs
-fsck
-fastbootd
-hal_fastboot_server
} metadata_block_device:blk_file { append link rename write open read ioctl lock };
# No domain other than recovery, update_engine and fastbootd can write to system partition(s).
# (Together with the system_file_type neverallow above this means /system can
# only change through an OTA / flashing path, never from a running domain.)
neverallow {
domain
-fastbootd
-recovery
-update_engine
} system_block_device:blk_file { write append };
# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
# (the context manager is the root of service discovery; a rogue one could
# impersonate every service on that binder instance).
neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
# The service managers are only allowed to access their own device node
neverallow servicemanager hwbinder_device:chr_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow servicemanager vndbinder_device:chr_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow hwservicemanager binder_device:chr_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow hwservicemanager vndbinder_device:chr_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow vndservicemanager binder_device:chr_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow vndservicemanager hwbinder_device:chr_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 633
#line 633
# Vendor apps are permitted to use only stable public services. If they were to use arbitrary
#line 633
# services which can change any time framework/core is updated, breakage is likely.
#line 633
#
#line 633
# Note, this same logic applies to untrusted apps, but neverallows for these are separate.
#line 633
neverallow {
#line 633
appdomain
#line 633
-coredomain
#line 633
} {
#line 633
service_manager_type
#line 633
#line 633
-app_api_service
#line 633
-ephemeral_app_api_service
#line 633
#line 633
-hal_service_type # see app_neverallows.te
#line 633
#line 633
-apc_service
#line 633
-audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
#line 633
-cameraserver_service
#line 633
-drmserver_service
#line 633
-credstore_service
#line 633
-keystore_maintenance_service
#line 633
-keystore_service
#line 633
-legacykeystore_service
#line 633
-mediadrmserver_service
#line 633
-mediaextractor_service
#line 633
-mediametrics_service
#line 633
-mediaserver_service
#line 633
-nfc_service
#line 633
-radio_service
#line 633
-virtual_touchpad_service
#line 633
-vr_manager_service
#line 633
#line 633
}:service_manager find;
#line 633
#line 633
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 667
# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 670
#line 670
neverallow {
#line 670
coredomain
#line 670
-shell
#line 670
#line 670
-ueventd # uevent is granted create for this device, but we still neverallow I/O below
#line 670
} vndbinder_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 670
#line 670
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 677
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 678
#line 678
neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
#line 678
#line 678
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 680
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 681
#line 681
neverallow {
#line 681
coredomain
#line 681
-shell
#line 681
#line 681
} vndservice_manager_type:service_manager *;
#line 681
#line 681
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 687
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 688
#line 688
neverallow {
#line 688
coredomain
#line 688
-shell
#line 688
#line 688
} vndservicemanager:binder *;
#line 688
#line 688
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
# On full TREBLE devices, socket communications between core components and vendor components are
# not permitted.
# Most general rules first, more specific rules below.
# Core domains are not permitted to initiate communications to vendor domain sockets.
# We are not restricting the use of already established sockets because it is fine for a process
# to obtain an already established socket via some public/official/stable API and then exchange
# data with its peer over that socket. The wire format in this scenario is dicatated by the API
# and thus does not break the core-vendor separation.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 705
#line 705
#line 705
neverallow {
#line 705
coredomain
#line 705
-init
#line 705
-adbd
#line 705
} {
#line 705
domain
#line 705
-coredomain
#line 705
-socket_between_core_and_vendor_violators
#line 705
}:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } { connect sendto };
#line 705
neverallow {
#line 705
coredomain
#line 705
-init
#line 705
-adbd
#line 705
} {
#line 705
domain
#line 705
-coredomain
#line 705
-socket_between_core_and_vendor_violators
#line 705
}:unix_stream_socket connectto;
#line 705
;
#line 705
#line 705
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 715
# Vendor domains are not permitted to create/open sockets owned by core domains.
# Only the FD-style operations (append/getattr/ioctl/read/write on sock_file)
# remain. appdomain is handled by the next rule; vendor_init and the two
# violator attributes are exempt.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 718
#line 718
neverallow {
#line 718
domain
#line 718
-coredomain
#line 718
-appdomain # appdomain restrictions below
#line 718
-data_between_core_and_vendor_violators # b/70393317
#line 718
-socket_between_core_and_vendor_violators
#line 718
-vendor_init
#line 718
} {
#line 718
coredomain_socket
#line 718
core_data_file_type
#line 718
unlabeled # used only by core domains
#line 718
}:sock_file ~{ append getattr ioctl read write };
#line 718
#line 718
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 731
# appdomain counterpart of the rule above: apps outside coredomain may not
# create/open core-owned sock_files, except their own app/privapp data files
# and the pdx socket types used by the VR layer.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 732
#line 732
neverallow {
#line 732
appdomain
#line 732
-coredomain
#line 732
} {
#line 732
coredomain_socket
#line 732
unlabeled # used only by core domains
#line 732
core_data_file_type
#line 732
-app_data_file
#line 732
-privapp_data_file
#line 732
-pdx_endpoint_socket_type # used by VR layer
#line 732
-pdx_channel_socket_type # used by VR layer
#line 732
}:sock_file ~{ append getattr ioctl read write };
#line 732
#line 732
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 745
# Core domains are not permitted to create/open sockets owned by vendor domains
# "Owned by vendor" is expressed as the complement: any file_type/dev_type that
# is not coredomain_socket, core_data_file_type, app_data_file_type or
# unlabeled. init and ueventd are exempt.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 748
#line 748
neverallow {
#line 748
coredomain
#line 748
-init
#line 748
-ueventd
#line 748
-socket_between_core_and_vendor_violators
#line 748
} {
#line 748
file_type
#line 748
dev_type
#line 748
-coredomain_socket
#line 748
-core_data_file_type
#line 748
-app_data_file_type
#line 748
-unlabeled
#line 748
}:sock_file ~{ append getattr ioctl read write };
#line 748
#line 748
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 762
# On TREBLE devices, vendor and system components are only allowed to share
# files by passing open FDs over hwbinder. Ban all directory access and all file
# accesses other than what can be applied to an open FD such as
# ioctl/stat/read/write/append. This is enforced by segregating /data.
# Vendor domains may directly access file in /data/vendor by path, but may only
# access files outside of /data/vendor via an open FD passed over hwbinder.
# Likewise, core domains may only directly access files outside /data/vendor by
# path and files in /data/vendor by open FD.
# This block restricts the non-directory file classes; the next block restricts
# dir access with the same subject set.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 772
#line 772
# only coredomains may only access core_data_file_type, particularly not
#line 772
# /data/vendor
#line 772
neverallow {
#line 772
coredomain
#line 772
-appdomain # TODO(b/34980020) remove exemption for appdomain
#line 772
-data_between_core_and_vendor_violators
#line 772
-init
#line 772
-vold_prepare_subdirs
#line 772
} {
#line 772
data_file_type
#line 772
-core_data_file_type
#line 772
-app_data_file_type
#line 772
}:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } ~{ append getattr ioctl read write map };
#line 772
#line 772
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 786
# Directory counterpart of the rule above (same subject set). vendor_data_file
# is exempted here and restricted further below (b/72998741).
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 787
#line 787
neverallow {
#line 787
coredomain
#line 787
-appdomain # TODO(b/34980020) remove exemption for appdomain
#line 787
-data_between_core_and_vendor_violators
#line 787
-init
#line 787
-vold_prepare_subdirs
#line 787
} {
#line 787
data_file_type
#line 787
-core_data_file_type
#line 787
-app_data_file_type
#line 787
# TODO(b/72998741) Remove exemption. Further restricted in a subsequent
#line 787
# neverallow. Currently only getattr and search are allowed.
#line 787
-vendor_data_file
#line 787
}:dir *;
#line 787
#line 787
#line 787
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 803
# Vendor side of the /data split: vendor domains (first rule) and vendor_init
# (second rule) may not touch core_data_file_type non-directory objects beyond
# FD-style operations. The third rule keeps vendor_init to read-style access on
# unencrypted_data_file.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 804
#line 804
# vendor domains may only access files in /data/vendor, never core_data_file_types
#line 804
neverallow {
#line 804
domain
#line 804
-appdomain # TODO(b/34980020) remove exemption for appdomain
#line 804
-coredomain
#line 804
-data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
#line 804
-vendor_init
#line 804
} {
#line 804
core_data_file_type
#line 804
#line 804
}:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } ~{ append getattr ioctl read write map };
#line 804
neverallow {
#line 804
vendor_init
#line 804
-data_between_core_and_vendor_violators
#line 804
} {
#line 804
core_data_file_type
#line 804
-unencrypted_data_file
#line 804
#line 804
}:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } ~{ append getattr ioctl read write map };
#line 804
# vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
#line 804
# The vendor init binary lives on the system partition so there is not a concern with stability.
#line 804
neverallow vendor_init unencrypted_data_file:file ~{ getattr open read ioctl lock map watch watch_reads };
#line 804
#line 804
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 827
# Directory counterpart of the block above. system_data_file,
# system_data_root_file, vendor_userdir_file and vendor_data_file are exempted
# here; system_data_file is limited separately to getattr/search below.
# vendor_init additionally keeps search on unencrypted_data_file (third rule).
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 828
#line 828
# vendor domains may only access dirs in /data/vendor, never core_data_file_types
#line 828
neverallow {
#line 828
domain
#line 828
-appdomain # TODO(b/34980020) remove exemption for appdomain
#line 828
-coredomain
#line 828
-data_between_core_and_vendor_violators
#line 828
-vendor_init
#line 828
} {
#line 828
core_data_file_type
#line 828
-system_data_file # default label for files on /data. Covered below...
#line 828
-system_data_root_file
#line 828
-vendor_userdir_file
#line 828
-vendor_data_file
#line 828
#line 828
}:dir *;
#line 828
neverallow {
#line 828
vendor_init
#line 828
-data_between_core_and_vendor_violators
#line 828
} {
#line 828
core_data_file_type
#line 828
-unencrypted_data_file
#line 828
-system_data_file
#line 828
-system_data_root_file
#line 828
-vendor_userdir_file
#line 828
-vendor_data_file
#line 828
#line 828
}:dir *;
#line 828
# vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
#line 828
# The vendor init binary lives on the system partition so there is not a concern with stability.
#line 828
neverallow vendor_init unencrypted_data_file:dir ~search;
#line 828
#line 828
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 859
# system_data_file dirs: vendor domains are limited to getattr/search
# (enough to traverse /data to reach /data/vendor, nothing more).
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 860
#line 860
# vendor domains may only access dirs in /data/vendor, never core_data_file_types
#line 860
neverallow {
#line 860
domain
#line 860
-appdomain # TODO(b/34980020) remove exemption for appdomain
#line 860
-coredomain
#line 860
-data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
#line 860
} {
#line 860
system_data_file # default label for files on /data. Covered below
#line 860
}:dir ~{ getattr search };
#line 860
#line 860
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 870
# Mirror of the previous rule for core domains: vendor_data_file dirs are
# limited to getattr/search. vold and vold_prepare_subdirs are exempt in
# addition to init.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 872
#line 872
# coredomains may not access dirs in /data/vendor.
#line 872
neverallow {
#line 872
coredomain
#line 872
-data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
#line 872
-init
#line 872
-vold # vold creates per-user storage for both system and vendor
#line 872
-vold_prepare_subdirs
#line 872
} {
#line 872
vendor_data_file # default label for files on /data. Covered below
#line 872
}:dir ~{ getattr search };
#line 872
#line 872
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 883
# Non-directory vendor_data_file objects: core domains are limited to the
# FD-style operations (append/getattr/ioctl/read/write/map). Note the inner
# comment still says "dirs"; this rule covers the file-like classes.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 885
#line 885
# coredomains may not access dirs in /data/vendor.
#line 885
neverallow {
#line 885
coredomain
#line 885
-data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
#line 885
-init
#line 885
} {
#line 885
vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
#line 885
}:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } ~{ append getattr ioctl read write map };
#line 885
#line 885
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 894
# Among core domains, only init, shell and ueventd may execute the vendor
# shell (vendor_shell_exec).
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 896
#line 896
# Non-vendor domains are not allowed to file execute shell
#line 896
# from vendor
#line 896
neverallow {
#line 896
coredomain
#line 896
-init
#line 896
-shell
#line 896
-ueventd
#line 896
} vendor_shell_exec:file { execute execute_no_trans };
#line 896
#line 896
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 905
# Vendor -> system execution allowlist: only system libs, the linker,
# crash_dump, netutils_wrapper, /system/bin/sh and toolbox may be executed
# (entrypoint/execute/execute_no_trans) by non-core, non-app domains.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 907
#line 907
# Do not allow vendor components to execute files from system
#line 907
# except for the ones allowed here.
#line 907
neverallow {
#line 907
domain
#line 907
-coredomain
#line 907
-appdomain
#line 907
-vendor_executes_system_violators
#line 907
-vendor_init
#line 907
} {
#line 907
system_file_type
#line 907
-system_lib_file
#line 907
-system_linker_exec
#line 907
-crash_dump_exec
#line 907
-netutils_wrapper_exec
#line 907
#line 907
# Vendor components still can invoke shell commands via /system/bin/sh
#line 907
-shell_exec
#line 907
-toolbox_exec
#line 907
}:file { entrypoint execute execute_no_trans };
#line 907
#line 907
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 927
# Entrypoint partitioning: core domains may only be entered via
# system_file_type or postinstall_file; non-core domains only via
# vendor_file_type or init_exec.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 929
#line 929
# Do not allow coredomain to access entrypoint for files other
#line 929
# than system_file_type and postinstall_file
#line 929
neverallow coredomain {
#line 929
file_type
#line 929
-system_file_type
#line 929
-postinstall_file
#line 929
}:file entrypoint;
#line 929
# Do not allow domains other than coredomain to access entrypoint
#line 929
# for anything but vendor_file_type and init_exec for vendor_init.
#line 929
neverallow { domain -coredomain } {
#line 929
file_type
#line 929
-vendor_file_type
#line 929
-init_exec
#line 929
}:file entrypoint;
#line 929
#line 929
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 944
# System -> vendor execution allowlist (execute): same-process HAL files,
# vndk_sp, vendor apps and the vendor public framework/lib types are the only
# exempted targets; init, shell and ueventd are exempted subjects.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 946
#line 946
# Do not allow system components to execute files from vendor
#line 946
# except for the ones allowed here.
#line 946
neverallow {
#line 946
coredomain
#line 946
-init
#line 946
-shell
#line 946
-system_executes_vendor_violators
#line 946
-ueventd
#line 946
} {
#line 946
vendor_file_type
#line 946
-same_process_hal_file
#line 946
-vndk_sp_file
#line 946
-vendor_app_file
#line 946
-vendor_public_framework_file
#line 946
-vendor_public_lib_file
#line 946
}:file execute;
#line 946
#line 946
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 963
# execute_no_trans is tighter than the execute rule above: only
# same_process_hal_file is exempted, and init/ueventd are not.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 965
#line 965
neverallow {
#line 965
coredomain
#line 965
-shell
#line 965
-system_executes_vendor_violators
#line 965
} {
#line 965
vendor_file_type
#line 965
-same_process_hal_file
#line 965
}:file execute_no_trans;
#line 965
#line 965
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 974
# Broadest vendor -> /system rule (all file permissions). The exemptions are
# the executables already listed in the rule at #line 907 plus a fixed set of
# configuration files (contexts, passwd/group, seccomp policy, cacerts,
# zoneinfo, task_profiles, linker config, event log tags).
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 976
#line 976
# Do not allow vendor components access to /system files except for the
#line 976
# ones allowed here.
#line 976
neverallow {
#line 976
domain
#line 976
-appdomain
#line 976
-coredomain
#line 976
-vendor_executes_system_violators
#line 976
# vendor_init needs access to init_exec for domain transition. vendor_init
#line 976
# neverallows are covered in public/vendor_init.te
#line 976
-vendor_init
#line 976
} {
#line 976
system_file_type
#line 976
-crash_dump_exec
#line 976
-file_contexts_file
#line 976
-netutils_wrapper_exec
#line 976
-property_contexts_file
#line 976
-system_event_log_tags_file
#line 976
-system_group_file
#line 976
-system_lib_file
#line 976
#line 976
-system_linker_exec
#line 976
-system_linker_config_file
#line 976
-system_passwd_file
#line 976
-system_seccomp_policy_file
#line 976
-system_security_cacerts_file
#line 976
-system_zoneinfo_file
#line 976
-task_profiles_api_file
#line 976
-task_profiles_file
#line 976
#line 976
# Vendor components still can invoke shell commands via /system/bin/sh
#line 976
-shell_exec
#line 976
-toolbox_exec
#line 976
}:file *;
#line 976
#line 976
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 1010
# Only system_server should be able to send commands via the zygote socket
neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
neverallow { domain -system_server } zygote_socket:sock_file write;
# webview_zygote and app_zygote may also connect to webview_zygote; the
# sock_file write side stays system_server only.
neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto;
neverallow { domain -system_server } webview_zygote:sock_file write;
neverallow { domain -system_server } app_zygote:sock_file write;
# No domain at all may connectto the tombstoned crash socket.
neverallow domain tombstoned_crash_socket:unix_stream_socket connectto;
# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
# the tombstoned intercept socket.
neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
# Never allow anyone but system_server to read heapdumps in /data/system/heapdump.
# (init is exempted from the rule as well.)
neverallow { domain -init -system_server } heapdump_data_file:file read;
# Android does not support System V IPCs.
#
# The reason for this is due to the fact that, by design, they lead to global
# kernel resource leakage.
#
# For example, there is no way to automatically release a SysV semaphore
# allocated in the kernel when:
#
# - a buggy or malicious process exits
# - a non-buggy and non-malicious process crashes or is explicitly killed.
#
# Killing processes automatically to make room for new ones is an
# important part of Android's application lifecycle implementation. This means
# that, even assuming only non-buggy and non-malicious code, it is very likely
# that over time, the kernel global tables used to implement SysV IPCs will fill
# up.
neverallow * *:{ shm sem msg msgq } *;
# Do not mount on top of symlinks, fifos, or sockets.
# Feature parity with Chromium LSM.
neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
# Nobody should be able to execute su on user builds.
# On userdebug/eng builds, only dumpstate, shell, and
# su itself execute su.
# As generated here the subject set is `{ domain }` with no exemptions; the
# userdebug/eng exemptions mentioned above are not present in this artifact.
neverallow { domain } su_exec:file { execute execute_no_trans };
# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
# The only exceptions are for NDK text relocations associated with
# https://code.google.com/p/android/issues/detail?id=23203
# which, long term, need to go away.
neverallow * {
file_type
-apk_data_file
-app_data_file
-asec_public_file
}:file execmod;
# Do not allow making the stack or heap executable.
# We would also like to minimize execmem but it seems to be
# required by some device-specific service domains.
neverallow * self:process { execstack execheap };
# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
# Combined with the execmod rule above, execmod can only ever be granted to
# untrusted_app_25 / untrusted_app_27 on apk_data_file, app_data_file and
# asec_public_file.
neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
neverallow { domain -init } proc:{ file dir } mounton;
neverallow { domain -init -zygote } proc_type:{ file dir } mounton;
# Ensure that all types assigned to processes are included
# in the domain attribute, so that all allow and neverallow rules
# written on domain are applied to all processes.
# This is achieved by ensuring that it is impossible to transition
# from a domain to a non-domain type and vice versa.
# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
# Only the ~domain -> domain direction is active; the domain -> ~domain rule
# above is commented out, so "vice versa" is not currently enforced here.
neverallow ~domain domain:process { transition dyntransition };
#
# Only system_app and system_server should be creating or writing
# their files. The proper way to share files is to setup
# type transitions to a more specific type or assigning a type
# to its parent directory via a file_contexts entry.
# Example type transition:
# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
#
neverallow {
domain
-system_server
-system_app
-init
-toolbox # TODO(b/141108496) We want to remove toolbox
-installd # for relabelfrom and unlink, check for this in explicit neverallow
-vold_prepare_subdirs # For unlink
} system_data_file:file { append create link unlink relabelfrom rename setattr write };
# do not grant anything greater than r_file_perms and relabelfrom unlink
# to installd
# (the inner brace group is the expanded r_file_perms set)
neverallow installd system_data_file:file ~{ { getattr open read ioctl lock map watch watch_reads } relabelfrom unlink };
#
# Only these domains should transition to shell domain. This domain is
# permissible for the "shell user". If you need a process to exec a shell
# script with differing privilege, define a domain and set up a transition.
#
neverallow {
domain
-adbd
-init
-runas
-zygote
} shell:process { transition dyntransition };
# Only domains spawned from zygote, runas and simpleperf_app_runner may have
# the appdomain attribute. simpleperf is excluded as a domain transitioned to
# when running an app-scoped profiling session.
# shell is excluded from the target set because its transitions are governed
# by the rule above.
neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
appdomain -shell -simpleperf
}:process { transition dyntransition };
# Minimize read access to shell- or app-writable symlinks.
# This is to prevent malicious symlink attacks.
neverallow {
domain
-appdomain
-artd
-installd
} { app_data_file privapp_data_file }:lnk_file read;
neverallow {
domain
-shell
-installd
} shell_data_file:lnk_file read;
# servicemanager and vndservicemanager are the only processes which handle the
# service_manager list request
neverallow * ~{
servicemanager
vndservicemanager
}:service_manager list;
# hwservicemanager is the only process which handles hw list requests
neverallow * ~{
hwservicemanager
}:hwservice_manager list;
# only service_manager_types can be added to service_manager
# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
# Prevent assigning non property types to properties
# TODO - rework this: neverallow * ~property_type:property_service set;
# NOTE: the two rules above are commented out, so neither restriction is
# enforced by this policy as generated.
# Domain types should never be assigned to any files other
# than the /proc/pid files associated with a process. The
# executable file used to enter a domain should be labeled
# with its own _exec type, not with the domain type.
# Conventionally, this looks something like:
# $ cat mydaemon.te
# type mydaemon, domain;
# type mydaemon_exec, exec_type, file_type;
# init_daemon_domain(mydaemon)
# $ grep mydaemon file_contexts
# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
neverallow * domain:file { execute execute_no_trans entrypoint };
# Do not allow access to the generic debugfs label. This is too broad.
# Instead, if access to part of debugfs is desired, it should have a
# more specific label.
# TODO: fix dumpstate
# Denies the write-style permissions plus open/read/ioctl/lock/watch* on
# debugfs files and symlinks; init, vendor_init and dumpstate are exempt.
neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Do not allow executable files in debugfs.
neverallow domain debugfs_type:file { execute execute_no_trans };
# Don't allow access to the FUSE control filesystem, except to vold, init and vendor_init.
neverallow { domain -vold -init -vendor_init } fusectlfs:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Profiles contain untrusted data and profman parses that. We should only run
# it from installd and artd forked processes.
neverallow {
domain
-installd
-profman
-artd
} profman_exec:file { execute execute_no_trans };
# Enforce restrictions on kernel module origin.
# Do not allow kernel module loading except from system,
# vendor, boot, and system_dlkm partitions.
# TODO(b/218951883): Remove usage of system and rootfs as origin
neverallow * ~{ system_file_type vendor_file_type rootfs system_dlkm_file_type }:system module_load;
# Only allow filesystem caps to be set at build time. Runtime changes
# to filesystem capabilities are not permitted.
neverallow * self:{ capability cap_userns } setfcap;
# Enforce AT_SECURE for executing crash_dump.
neverallow domain crash_dump:process noatsecure;
# Do not permit non-core domains to register HwBinder services which are
# guaranteed to be provided by core domains only.
neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
# Do not permit the registration of HwBinder services which are guaranteed to
# be passthrough only (i.e., run in the process of their clients instead of a
# separate server process).
neverallow * same_process_hwservice:hwservice_manager add;
# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
# These filesystems don't allow files or directories to be created, so the permission
# to do so should never be granted.
neverallow domain {
proc_type
sysfs_type
}:dir { add_name create link remove_name rename reparent rmdir write };
# cgroupfs directories can be created, but not files within them.
neverallow domain cgroup:file create;
neverallow domain cgroup_v2:file create;
# The dontaudit rules below silence the spurious denials described above; the
# neverallow rules above guarantee no policy actually grants them.
dontaudit domain proc_type:dir write;
dontaudit domain sysfs_type:dir write;
dontaudit domain cgroup:file create;
dontaudit domain cgroup_v2:file create;
# These are only needed in permissive mode - in enforcing mode the
# directory write check fails and so these are never attempted.
#line 1248
# Platform must not have access to /mnt/vendor.
# All dir permissions (`*`) are denied; init, ueventd, vold and domains
# carrying system_writes_mnt_vendor_violators are exempt.
neverallow {
coredomain
-init
-ueventd
-vold
-system_writes_mnt_vendor_violators
} mnt_vendor_file:dir *;
# Only apps are allowed access to vendor public libraries.
# Core domains outside appdomain may not execute vendor_public_framework_file
# or vendor_public_lib_file; these two types are also exempted from the
# system-executes-vendor rule at #line 946.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 1260
#line 1260
neverallow {
#line 1260
coredomain
#line 1260
-appdomain
#line 1260
} {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans };
#line 1260
#line 1260
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 1265
# Vendor domain must not have access to /mnt/product.
# Unlike the /mnt/vendor rule there are no per-domain exemptions: every
# non-core domain is denied all dir permissions.
neverallow {
domain
-coredomain
} mnt_product_file:dir *;
# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL
# Only open/read on sysfs_batteryinfo files is banned here; most exemptions
# below carry their own justification inline.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 1274
#line 1274
neverallow {
#line 1274
coredomain
#line 1274
-shell
#line 1274
# For access to block device information under /sys/class/block.
#line 1274
-apexd
#line 1274
# Read sysfs block device information.
#line 1274
-init
#line 1274
# Generate uevents for health info
#line 1274
-ueventd
#line 1274
# Recovery uses health HAL passthrough implementation.
#line 1274
-recovery
#line 1274
# Charger uses health HAL passthrough implementation.
#line 1274
-charger
#line 1274
# TODO(b/110891300): remove this exception
#line 1274
-incidentd
#line 1274
} sysfs_batteryinfo:file { open read };
#line 1274
#line 1274
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 1291
# Only the codec2 and OMX HAL servers may register hal_codec2_hwservice.
neverallow {
domain
-hal_codec2_server
-hal_omx_server
} hal_codec2_hwservice:hwservice_manager add;
# Only apps targeting < Q are allowed to open /dev/ashmem directly.
# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
neverallow {
domain
-ephemeral_app # We don't distinguish ephemeral apps based on target API.
-untrusted_app_25
-untrusted_app_27
} ashmem_device:chr_file open;
# debugfs printk_formats: all file permissions are denied except for
# traced_probes, init and vendor_init.
neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
#line 1 "system/sepolicy/public/drmserver.te"
# drmserver - DRM service
# The `#line N` markers give the drmserver.te source line each expanded rule
# came from; the repeated binder call/transfer/fd-use triplets below appear to
# be macro expansions from those lines.
type drmserver, domain;
type drmserver_exec, system_file_type, exec_type, file_type;
typeattribute drmserver mlstrustedsubject;
#line 7
typeattribute drmserver netdomain;
#line 7
# Perform Binder IPC to system server.
#line 10
# Call the servicemanager and transfer references to it.
#line 10
allow drmserver servicemanager:binder { call transfer };
#line 10
# Allow servicemanager to send out callbacks
#line 10
allow servicemanager drmserver:binder { call transfer };
#line 10
# servicemanager performs getpidcon on clients.
#line 10
allow servicemanager drmserver:dir search;
#line 10
allow servicemanager drmserver:file { read open };
#line 10
allow servicemanager drmserver:process getattr;
#line 10
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 10
# all domains in domain.te.
#line 10
#line 11
# Call the server domain and optionally transfer references to it.
#line 11
allow drmserver system_server:binder { call transfer };
#line 11
# Allow the serverdomain to transfer references to the client on the reply.
#line 11
allow system_server drmserver:binder transfer;
#line 11
# Receive and use open files from the server.
#line 11
allow drmserver system_server:fd use;
#line 11
#line 12
# Call the server domain and optionally transfer references to it.
#line 12
allow drmserver appdomain:binder { call transfer };
#line 12
# Allow the serverdomain to transfer references to the client on the reply.
#line 12
allow appdomain drmserver:binder transfer;
#line 12
# Receive and use open files from the server.
#line 12
allow drmserver appdomain:fd use;
#line 12
#line 13
# Call the server domain and optionally transfer references to it.
#line 13
allow drmserver mediametrics:binder { call transfer };
#line 13
# Allow the serverdomain to transfer references to the client on the reply.
#line 13
allow mediametrics drmserver:binder transfer;
#line 13
# Receive and use open files from the server.
#line 13
allow drmserver mediametrics:fd use;
#line 13
#line 14
typeattribute drmserver binderservicedomain;
#line 14
# Inherit or receive open files from system_server.
allow drmserver system_server:fd use;
# Perform Binder IPC to mediaserver
#line 19
# Call the server domain and optionally transfer references to it.
#line 19
allow drmserver mediaserver:binder { call transfer };
#line 19
# Allow the serverdomain to transfer references to the client on the reply.
#line 19
allow mediaserver drmserver:binder transfer;
#line 19
# Receive and use open files from the server.
#line 19
allow drmserver mediaserver:fd use;
#line 19
# Data access: full create/rename/unlink on drm_data_file, read/write on
# app, privapp and sdcard/fuse files, read-only on efs_file.
allow drmserver { sdcard_type fuse }:dir search;
allow drmserver drm_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow drmserver drm_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
allow drmserver { sdcard_type fuse }:file { read write getattr map };
#line 26
allow drmserver efs_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 26
allow drmserver efs_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 26
# Socket file under apk_data_file. The auditallow rules keep every add_name/
# write on apk_data_file dirs and every drmserver_socket create visible in the
# audit log even though they are granted.
type drmserver_socket, file_type;
# /data/app/tlcd_sock socket file.
# Clearly, /data/app is the most logical place to create a socket. Not.
allow drmserver apk_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
auditallow drmserver apk_data_file:dir { add_name write };
allow drmserver drmserver_socket:sock_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
auditallow drmserver drmserver_socket:sock_file create;
# Delete old socket file if present.
allow drmserver apk_data_file:sock_file unlink;
# After taking a video, drmserver looks at the video file.
#line 40
allow drmserver media_rw_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 40
allow drmserver media_rw_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 40
# Read resources from open apk files passed over Binder.
allow drmserver apk_data_file:file { read getattr map };
allow drmserver asec_apk_file:file { read getattr map };
allow drmserver ringtone_file:file { read getattr map };
# Read /data/data/com.android.providers.telephony files passed over Binder.
allow drmserver radio_data_file:file { read getattr map };
# /oem access
allow drmserver oemfs:dir search;
allow drmserver oemfs:file { getattr open read ioctl lock map watch watch_reads };
# overlay package access
allow drmserver vendor_overlay_file:file { read map };
#line 57
# drmserver is the only domain allowed to register drmserver_service.
allow drmserver drmserver_service:service_manager { add find };
#line 57
neverallow { domain -drmserver } drmserver_service:service_manager add;
#line 57
#line 57
# On debug builds with root, allow binder services to use binder over TCP.
#line 57
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 57
# (No TCP rule is emitted here; presumably the build-conditional block that
# the comment refers to is empty in this artifact -- confirm.)
#line 57
allow drmserver permission_service:service_manager find;
allow drmserver mediametrics_service:service_manager find;
#line 61
#line 61
# selinuxfs read/write, kernel:security compute_av and the netlink_selinux
# socket: these let drmserver query the security server for access decisions.
allow drmserver selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 61
allow drmserver selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 61
#line 61
allow drmserver selinuxfs:file { open append write lock map };
#line 61
allow drmserver kernel:security compute_av;
#line 61
allow drmserver self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
#line 61
#line 63
allow drmserver cgroup:dir { open getattr read search ioctl lock watch watch_reads };
#line 63
allow drmserver cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 63
#line 64
allow drmserver cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
#line 64
allow drmserver cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 64
#line 65
allow drmserver system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 65
allow drmserver system_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 65
#line 1 "system/sepolicy/public/dumpstate.te"
# dumpstate
type dumpstate, domain, mlstrustedsubject;
type dumpstate_exec, system_file_type, exec_type, file_type;
#line 5
typeattribute dumpstate netdomain;
#line 5
#line 6
# Call the servicemanager and transfer references to it.
#line 6
allow dumpstate servicemanager:binder { call transfer };
#line 6
# Allow servicemanager to send out callbacks
#line 6
allow servicemanager dumpstate:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
#line 6
allow servicemanager dumpstate:dir search;
#line 6
allow servicemanager dumpstate:file { read open };
#line 6
allow servicemanager dumpstate:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6
#line 7
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 7
# deprecated.
#line 7
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 7
allow dumpstate sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 7
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 7
allow dumpstate self:{ capability2 cap2_userns } block_suspend;
#line 7
# system_suspend permissions
#line 7
#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow dumpstate system_suspend_server:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow system_suspend_server dumpstate:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow dumpstate system_suspend_server:fd use;
#line 7
#line 7
allow dumpstate system_suspend_hwservice:hwservice_manager find;
#line 7
# halclientdomain permissions
#line 7
#line 7
# Call the hwservicemanager and transfer references to it.
#line 7
allow dumpstate hwservicemanager:binder { call transfer };
#line 7
# Allow hwservicemanager to send out callbacks
#line 7
allow hwservicemanager dumpstate:binder { call transfer };
#line 7
# hwservicemanager performs getpidcon on clients.
#line 7
allow hwservicemanager dumpstate:dir search;
#line 7
allow hwservicemanager dumpstate:file { read open map };
#line 7
allow hwservicemanager dumpstate:process getattr;
#line 7
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 7
# all domains in domain.te.
#line 7
#line 7
#line 7
allow dumpstate hwservicemanager_prop:file { getattr open read map };
#line 7
#line 7
allow dumpstate hidl_manager_hwservice:hwservice_manager find;
#line 7
# AIDL suspend hal permissions
#line 7
allow dumpstate hal_system_suspend_service:service_manager find;
#line 7
#line 7
# Call the servicemanager and transfer references to it.
#line 7
allow dumpstate servicemanager:binder { call transfer };
#line 7
# Allow servicemanager to send out callbacks
#line 7
allow servicemanager dumpstate:binder { call transfer };
#line 7
# servicemanager performs getpidcon on clients.
#line 7
allow servicemanager dumpstate:dir search;
#line 7
allow servicemanager dumpstate:file { read open };
#line 7
allow servicemanager dumpstate:process getattr;
#line 7
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 7
# all domains in domain.te.
#line 7
#line 7
# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
allow dumpstate self:{ capability cap_userns } { setuid setgid sys_resource };
# Allow dumpstate to scan through /proc/pid for all processes
#line 14
allow dumpstate domain:dir { open getattr read search ioctl lock watch watch_reads };
#line 14
allow dumpstate domain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 14
allow dumpstate self:{ capability cap_userns } {
# Send signals to processes
kill
# Run iptables
net_raw
net_admin
};
# Allow executing files on system, such as:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
allow dumpstate system_file:file execute_no_trans;
allow dumpstate vendor_file:file execute_no_trans;
allow dumpstate toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# hidl searches for files in /system/lib(64)/hw/
allow dumpstate system_file:dir { open getattr read search ioctl lock watch watch_reads };
# Create and write into /data/anr/
allow dumpstate self:{ capability cap_userns } { dac_override dac_read_search chown fowner fsetid };
allow dumpstate anr_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow dumpstate anr_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow reading /data/system/uiderrors.txt
# TODO: scope this down.
allow dumpstate system_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow dumpstate to append into apps' private files.
allow dumpstate { privapp_data_file app_data_file }:file append;
# Read dmesg
allow dumpstate self:{ capability2 cap2_userns } syslog;
allow dumpstate kernel:system syslog_read;
# Read /sys/fs/pstore/console-ramoops
allow dumpstate pstorefs:dir { open getattr read search ioctl lock watch watch_reads };
allow dumpstate pstorefs:file { getattr open read ioctl lock map watch watch_reads };
# Get process attributes
allow dumpstate domain:process getattr;
# Signal java processes to dump their stack
allow dumpstate { appdomain system_server zygote app_zygote }:process signal;
# Signal native processes to dump their stack.
allow dumpstate {
# This list comes from native_processes_to_dump in dumputils/dump_utils.c
audioserver
cameraserver
drmserver
inputflinger
mediadrmserver
mediaextractor
mediametrics
mediaserver
mediaswcodec
sdcardd
surfaceflinger
vold
# This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
evsmanagerd
hal_audio_server
hal_audiocontrol_server
hal_bluetooth_server
hal_broadcastradio_server
hal_camera_server
hal_codec2_server
hal_drm_server
hal_evs_server
hal_face_server
hal_fingerprint_server
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
hal_input_processor_server
hal_neuralnetworks_server
hal_omx_server
hal_power_server
hal_power_stats_server
hal_sensors_server
hal_thermal_server
hal_vehicle_server
hal_vr_server
system_suspend_server
}:process signal;
# Connect to tombstoned to intercept dumps.
#line 105
allow dumpstate tombstoned_intercept_socket:sock_file write;
#line 105
allow dumpstate tombstoned:unix_stream_socket connectto;
#line 105
# Access to /sys
allow dumpstate sysfs_type:dir { open getattr read search ioctl lock watch watch_reads };
allow dumpstate {
sysfs_devices_block
sysfs_dm
sysfs_loop
sysfs_usb
sysfs_zram
}:file { getattr open read ioctl lock map watch watch_reads };
# Ignore other file access under /sys.
dontaudit dumpstate sysfs:file { getattr open read ioctl lock map watch watch_reads };
# Other random bits of data we want to collect
#line 122
allow dumpstate debugfs:file { getattr open read ioctl lock map watch watch_reads };
#line 122
auditallow dumpstate debugfs:file { getattr open read ioctl lock map watch watch_reads };
#line 122
#line 122
allow dumpstate debugfs_mmc:file { getattr open read ioctl lock map watch watch_reads };
#line 127
# df for
allow dumpstate {
block_device
cache_file
metadata_file
rootfs
selinuxfs
storage_file
tmpfs
}:dir { search getattr };
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
allow dumpstate { cache_file rootfs }:lnk_file { getattr read };
# Read /dev/cpuctl and /dev/cpuset
#line 144
allow dumpstate cgroup:dir { open getattr read search ioctl lock watch watch_reads };
#line 144
allow dumpstate cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 144
#line 145
allow dumpstate cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
#line 145
allow dumpstate cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 145
# Allow dumpstate to make binder calls to any binder service
#line 148
# Call the server domain and optionally transfer references to it.
#line 148
allow dumpstate binderservicedomain:binder { call transfer };
#line 148
# Allow the serverdomain to transfer references to the client on the reply.
#line 148
allow binderservicedomain dumpstate:binder transfer;
#line 148
# Receive and use open files from the server.
#line 148
allow dumpstate binderservicedomain:fd use;
#line 148
#line 149
# Call the server domain and optionally transfer references to it.
#line 149
allow dumpstate { appdomain artd netd wificond }:binder { call transfer };
#line 149
# Allow the serverdomain to transfer references to the client on the reply.
#line 149
allow { appdomain artd netd wificond } dumpstate:binder transfer;
#line 149
# Receive and use open files from the server.
#line 149
allow dumpstate { appdomain artd netd wificond }:fd use;
#line 149
# Allow dumpstate to call dump() on specific hals.
#line 152
#line 152
typeattribute dumpstate halclientdomain;
#line 152
typeattribute dumpstate hal_audio_client;
#line 152
#line 152
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 152
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 152
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 152
#line 152
typeattribute dumpstate hal_audio;
#line 152
# Find passthrough HAL implementations
#line 152
allow hal_audio system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 152
allow hal_audio vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 152
allow hal_audio vendor_file:file { read open getattr execute map };
#line 152
#line 152
;
#line 152
allow hal_audio_server dumpstate:fifo_file write;
#line 152
allow hal_audio_server dumpstate:fd use;
#line 152
#line 153
#line 153
typeattribute dumpstate halclientdomain;
#line 153
typeattribute dumpstate hal_audiocontrol_client;
#line 153
#line 153
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 153
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 153
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 153
#line 153
typeattribute dumpstate hal_audiocontrol;
#line 153
# Find passthrough HAL implementations
#line 153
allow hal_audiocontrol system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 153
allow hal_audiocontrol vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 153
allow hal_audiocontrol vendor_file:file { read open getattr execute map };
#line 153
#line 153
;
#line 153
allow hal_audiocontrol_server dumpstate:fifo_file write;
#line 153
allow hal_audiocontrol_server dumpstate:fd use;
#line 153
#line 154
#line 154
typeattribute dumpstate halclientdomain;
#line 154
typeattribute dumpstate hal_authgraph_client;
#line 154
#line 154
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 154
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 154
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 154
#line 154
typeattribute dumpstate hal_authgraph;
#line 154
# Find passthrough HAL implementations
#line 154
allow hal_authgraph system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 154
allow hal_authgraph vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 154
allow hal_authgraph vendor_file:file { read open getattr execute map };
#line 154
#line 154
;
#line 154
allow hal_authgraph_server dumpstate:fifo_file write;
#line 154
allow hal_authgraph_server dumpstate:fd use;
#line 154
#line 155
#line 155
typeattribute dumpstate halclientdomain;
#line 155
typeattribute dumpstate hal_authsecret_client;
#line 155
#line 155
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 155
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 155
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 155
#line 155
typeattribute dumpstate hal_authsecret;
#line 155
# Find passthrough HAL implementations
#line 155
allow hal_authsecret system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 155
allow hal_authsecret vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 155
allow hal_authsecret vendor_file:file { read open getattr execute map };
#line 155
#line 155
;
#line 155
allow hal_authsecret_server dumpstate:fifo_file write;
#line 155
allow hal_authsecret_server dumpstate:fd use;
#line 155
#line 156
#line 156
typeattribute dumpstate halclientdomain;
#line 156
typeattribute dumpstate hal_bluetooth_client;
#line 156
#line 156
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 156
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 156
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 156
#line 156
typeattribute dumpstate hal_bluetooth;
#line 156
# Find passthrough HAL implementations
#line 156
allow hal_bluetooth system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 156
allow hal_bluetooth vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 156
allow hal_bluetooth vendor_file:file { read open getattr execute map };
#line 156
#line 156
;
#line 156
allow hal_bluetooth_server dumpstate:fifo_file write;
#line 156
allow hal_bluetooth_server dumpstate:fd use;
#line 156
#line 157
#line 157
typeattribute dumpstate halclientdomain;
#line 157
typeattribute dumpstate hal_broadcastradio_client;
#line 157
#line 157
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 157
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 157
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 157
#line 157
typeattribute dumpstate hal_broadcastradio;
#line 157
# Find passthrough HAL implementations
#line 157
allow hal_broadcastradio system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 157
allow hal_broadcastradio vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 157
allow hal_broadcastradio vendor_file:file { read open getattr execute map };
#line 157
#line 157
;
#line 157
allow hal_broadcastradio_server dumpstate:fifo_file write;
#line 157
allow hal_broadcastradio_server dumpstate:fd use;
#line 157
#line 158
#line 158
typeattribute dumpstate halclientdomain;
#line 158
typeattribute dumpstate hal_camera_client;
#line 158
#line 158
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 158
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 158
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 158
#line 158
typeattribute dumpstate hal_camera;
#line 158
# Find passthrough HAL implementations
#line 158
allow hal_camera system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 158
allow hal_camera vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 158
allow hal_camera vendor_file:file { read open getattr execute map };
#line 158
#line 158
;
#line 158
allow hal_camera_server dumpstate:fifo_file write;
#line 158
allow hal_camera_server dumpstate:fd use;
#line 158
#line 159
#line 159
typeattribute dumpstate halclientdomain;
#line 159
typeattribute dumpstate hal_codec2_client;
#line 159
#line 159
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 159
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 159
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 159
#line 159
typeattribute dumpstate hal_codec2;
#line 159
# Find passthrough HAL implementations
#line 159
allow hal_codec2 system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 159
allow hal_codec2 vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 159
allow hal_codec2 vendor_file:file { read open getattr execute map };
#line 159
#line 159
;
#line 159
allow hal_codec2_server dumpstate:fifo_file write;
#line 159
allow hal_codec2_server dumpstate:fd use;
#line 159
#line 160
#line 160
typeattribute dumpstate halclientdomain;
#line 160
typeattribute dumpstate hal_contexthub_client;
#line 160
#line 160
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 160
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 160
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 160
#line 160
typeattribute dumpstate hal_contexthub;
#line 160
# Find passthrough HAL implementations
#line 160
allow hal_contexthub system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 160
allow hal_contexthub vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 160
allow hal_contexthub vendor_file:file { read open getattr execute map };
#line 160
#line 160
;
#line 160
allow hal_contexthub_server dumpstate:fifo_file write;
#line 160
allow hal_contexthub_server dumpstate:fd use;
#line 160
#line 161
#line 161
typeattribute dumpstate halclientdomain;
#line 161
typeattribute dumpstate hal_drm_client;
#line 161
#line 161
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 161
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 161
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 161
#line 161
typeattribute dumpstate hal_drm;
#line 161
# Find passthrough HAL implementations
#line 161
allow hal_drm system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 161
allow hal_drm vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 161
allow hal_drm vendor_file:file { read open getattr execute map };
#line 161
#line 161
;
#line 161
allow hal_drm_server dumpstate:fifo_file write;
#line 161
allow hal_drm_server dumpstate:fd use;
#line 161
#line 162
#line 162
typeattribute dumpstate halclientdomain;
#line 162
typeattribute dumpstate hal_dumpstate_client;
#line 162
#line 162
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 162
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 162
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 162
#line 162
typeattribute dumpstate hal_dumpstate;
#line 162
# Find passthrough HAL implementations
#line 162
allow hal_dumpstate system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 162
allow hal_dumpstate vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 162
allow hal_dumpstate vendor_file:file { read open getattr execute map };
#line 162
#line 162
;
#line 162
allow hal_dumpstate_server dumpstate:fifo_file write;
#line 162
allow hal_dumpstate_server dumpstate:fd use;
#line 162
#line 163
#line 163
typeattribute dumpstate halclientdomain;
#line 163
typeattribute dumpstate hal_evs_client;
#line 163
#line 163
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 163
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 163
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 163
#line 163
typeattribute dumpstate hal_evs;
#line 163
# Find passthrough HAL implementations
#line 163
allow hal_evs system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 163
allow hal_evs vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 163
allow hal_evs vendor_file:file { read open getattr execute map };
#line 163
#line 163
;
#line 163
allow hal_evs_server dumpstate:fifo_file write;
#line 163
allow hal_evs_server dumpstate:fd use;
#line 163
#line 164
#line 164
typeattribute dumpstate halclientdomain;
#line 164
typeattribute dumpstate hal_face_client;
#line 164
#line 164
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 164
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 164
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 164
#line 164
typeattribute dumpstate hal_face;
#line 164
# Find passthrough HAL implementations
#line 164
allow hal_face system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 164
allow hal_face vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 164
allow hal_face vendor_file:file { read open getattr execute map };
#line 164
#line 164
;
#line 164
allow hal_face_server dumpstate:fifo_file write;
#line 164
allow hal_face_server dumpstate:fd use;
#line 164
#line 165
#line 165
typeattribute dumpstate halclientdomain;
#line 165
typeattribute dumpstate hal_fingerprint_client;
#line 165
#line 165
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 165
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 165
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 165
#line 165
typeattribute dumpstate hal_fingerprint;
#line 165
# Find passthrough HAL implementations
#line 165
allow hal_fingerprint system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 165
allow hal_fingerprint vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 165
allow hal_fingerprint vendor_file:file { read open getattr execute map };
#line 165
#line 165
;
#line 165
allow hal_fingerprint_server dumpstate:fifo_file write;
#line 165
allow hal_fingerprint_server dumpstate:fd use;
#line 165
#line 166
#line 166
typeattribute dumpstate halclientdomain;
#line 166
typeattribute dumpstate hal_gnss_client;
#line 166
#line 166
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 166
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 166
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 166
#line 166
typeattribute dumpstate hal_gnss;
#line 166
# Find passthrough HAL implementations
#line 166
allow hal_gnss system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 166
allow hal_gnss vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 166
allow hal_gnss vendor_file:file { read open getattr execute map };
#line 166
#line 166
;
#line 166
allow hal_gnss_server dumpstate:fifo_file write;
#line 166
allow hal_gnss_server dumpstate:fd use;
#line 166
#line 167
#line 167
typeattribute dumpstate halclientdomain;
#line 167
typeattribute dumpstate hal_graphics_allocator_client;
#line 167
#line 167
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 167
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 167
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 167
#line 167
typeattribute dumpstate hal_graphics_allocator;
#line 167
# Find passthrough HAL implementations
#line 167
allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 167
allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 167
allow hal_graphics_allocator vendor_file:file { read open getattr execute map };
#line 167
#line 167
;
#line 167
allow hal_graphics_allocator_server dumpstate:fifo_file write;
#line 167
allow hal_graphics_allocator_server dumpstate:fd use;
#line 167
#line 168
#line 168
typeattribute dumpstate halclientdomain;
#line 168
typeattribute dumpstate hal_graphics_composer_client;
#line 168
#line 168
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 168
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 168
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 168
#line 168
typeattribute dumpstate hal_graphics_composer;
#line 168
# Find passthrough HAL implementations
#line 168
allow hal_graphics_composer system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 168
allow hal_graphics_composer vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 168
allow hal_graphics_composer vendor_file:file { read open getattr execute map };
#line 168
#line 168
;
#line 168
allow hal_graphics_composer_server dumpstate:fifo_file write;
#line 168
allow hal_graphics_composer_server dumpstate:fd use;
#line 168
#line 169
#line 169
typeattribute dumpstate halclientdomain;
#line 169
typeattribute dumpstate hal_health_client;
#line 169
#line 169
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 169
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 169
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 169
#line 169
typeattribute dumpstate hal_health;
#line 169
# Find passthrough HAL implementations
#line 169
allow hal_health system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 169
allow hal_health vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 169
allow hal_health vendor_file:file { read open getattr execute map };
#line 169
#line 169
;
#line 169
allow hal_health_server dumpstate:fifo_file write;
#line 169
allow hal_health_server dumpstate:fd use;
#line 169
#line 170
#line 170
typeattribute dumpstate halclientdomain;
#line 170
typeattribute dumpstate hal_identity_client;
#line 170
#line 170
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 170
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 170
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 170
#line 170
typeattribute dumpstate hal_identity;
#line 170
# Find passthrough HAL implementations
#line 170
allow hal_identity system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 170
allow hal_identity vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 170
allow hal_identity vendor_file:file { read open getattr execute map };
#line 170
#line 170
;
#line 170
allow hal_identity_server dumpstate:fifo_file write;
#line 170
allow hal_identity_server dumpstate:fd use;
#line 170
#line 171
#line 171
typeattribute dumpstate halclientdomain;
#line 171
typeattribute dumpstate hal_input_processor_client;
#line 171
#line 171
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 171
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 171
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 171
#line 171
typeattribute dumpstate hal_input_processor;
#line 171
# Find passthrough HAL implementations
#line 171
allow hal_input_processor system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 171
allow hal_input_processor vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 171
allow hal_input_processor vendor_file:file { read open getattr execute map };
#line 171
#line 171
;
#line 171
allow hal_input_processor_server dumpstate:fifo_file write;
#line 171
allow hal_input_processor_server dumpstate:fd use;
#line 171
#line 172
#line 172
typeattribute dumpstate halclientdomain;
#line 172
typeattribute dumpstate hal_keymint_client;
#line 172
#line 172
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 172
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 172
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 172
#line 172
typeattribute dumpstate hal_keymint;
#line 172
# Find passthrough HAL implementations
#line 172
allow hal_keymint system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 172
allow hal_keymint vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 172
allow hal_keymint vendor_file:file { read open getattr execute map };
#line 172
#line 172
;
#line 172
allow hal_keymint_server dumpstate:fifo_file write;
#line 172
allow hal_keymint_server dumpstate:fd use;
#line 172
#line 173
#line 173
typeattribute dumpstate halclientdomain;
#line 173
typeattribute dumpstate hal_light_client;
#line 173
#line 173
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 173
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 173
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 173
#line 173
typeattribute dumpstate hal_light;
#line 173
# Find passthrough HAL implementations
#line 173
allow hal_light system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 173
allow hal_light vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 173
allow hal_light vendor_file:file { read open getattr execute map };
#line 173
#line 173
;
#line 173
allow hal_light_server dumpstate:fifo_file write;
#line 173
allow hal_light_server dumpstate:fd use;
#line 173
#line 174
#line 174
typeattribute dumpstate halclientdomain;
#line 174
typeattribute dumpstate hal_memtrack_client;
#line 174
#line 174
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 174
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 174
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 174
#line 174
typeattribute dumpstate hal_memtrack;
#line 174
# Find passthrough HAL implementations
#line 174
allow hal_memtrack system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 174
allow hal_memtrack vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 174
allow hal_memtrack vendor_file:file { read open getattr execute map };
#line 174
#line 174
;
#line 174
allow hal_memtrack_server dumpstate:fifo_file write;
#line 174
allow hal_memtrack_server dumpstate:fd use;
#line 174
#line 175
#line 175
typeattribute dumpstate halclientdomain;
#line 175
typeattribute dumpstate hal_neuralnetworks_client;
#line 175
#line 175
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 175
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 175
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 175
#line 175
typeattribute dumpstate hal_neuralnetworks;
#line 175
# Find passthrough HAL implementations
#line 175
allow hal_neuralnetworks system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 175
allow hal_neuralnetworks vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 175
allow hal_neuralnetworks vendor_file:file { read open getattr execute map };
#line 175
#line 175
;
#line 175
allow hal_neuralnetworks_server dumpstate:fifo_file write;
#line 175
allow hal_neuralnetworks_server dumpstate:fd use;
#line 175
#line 176
#line 176
typeattribute dumpstate halclientdomain;
#line 176
typeattribute dumpstate hal_nfc_client;
#line 176
#line 176
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 176
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 176
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 176
#line 176
typeattribute dumpstate hal_nfc;
#line 176
# Find passthrough HAL implementations
#line 176
allow hal_nfc system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 176
allow hal_nfc vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 176
allow hal_nfc vendor_file:file { read open getattr execute map };
#line 176
#line 176
;
#line 176
allow hal_nfc_server dumpstate:fifo_file write;
#line 176
allow hal_nfc_server dumpstate:fd use;
#line 176
#line 177
#line 177
typeattribute dumpstate halclientdomain;
#line 177
typeattribute dumpstate hal_oemlock_client;
#line 177
#line 177
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 177
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 177
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 177
#line 177
typeattribute dumpstate hal_oemlock;
#line 177
# Find passthrough HAL implementations
#line 177
allow hal_oemlock system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 177
allow hal_oemlock vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 177
allow hal_oemlock vendor_file:file { read open getattr execute map };
#line 177
#line 177
;
#line 177
allow hal_oemlock_server dumpstate:fifo_file write;
#line 177
allow hal_oemlock_server dumpstate:fd use;
#line 177
#line 178
#line 178
typeattribute dumpstate halclientdomain;
#line 178
typeattribute dumpstate hal_power_client;
#line 178
#line 178
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 178
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 178
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 178
#line 178
typeattribute dumpstate hal_power;
#line 178
# Find passthrough HAL implementations
#line 178
allow hal_power system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 178
allow hal_power vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 178
allow hal_power vendor_file:file { read open getattr execute map };
#line 178
#line 178
;
#line 178
allow hal_power_server dumpstate:fifo_file write;
#line 178
allow hal_power_server dumpstate:fd use;
#line 178
#line 179
#line 179
typeattribute dumpstate halclientdomain;
#line 179
typeattribute dumpstate hal_power_stats_client;
#line 179
#line 179
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 179
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 179
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 179
#line 179
typeattribute dumpstate hal_power_stats;
#line 179
# Find passthrough HAL implementations
#line 179
allow hal_power_stats system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 179
allow hal_power_stats vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 179
allow hal_power_stats vendor_file:file { read open getattr execute map };
#line 179
#line 179
;
#line 179
allow hal_power_stats_server dumpstate:fifo_file write;
#line 179
allow hal_power_stats_server dumpstate:fd use;
#line 179
#line 180
#line 180
typeattribute dumpstate halclientdomain;
#line 180
typeattribute dumpstate hal_rebootescrow_client;
#line 180
#line 180
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 180
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 180
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 180
#line 180
typeattribute dumpstate hal_rebootescrow;
#line 180
# Find passthrough HAL implementations
#line 180
allow hal_rebootescrow system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 180
allow hal_rebootescrow vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 180
allow hal_rebootescrow vendor_file:file { read open getattr execute map };
#line 180
#line 180
;
#line 180
allow hal_rebootescrow_server dumpstate:fifo_file write;
#line 180
allow hal_rebootescrow_server dumpstate:fd use;
#line 180
#line 181
#line 181
typeattribute dumpstate halclientdomain;
#line 181
typeattribute dumpstate hal_secretkeeper_client;
#line 181
#line 181
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 181
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 181
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 181
#line 181
typeattribute dumpstate hal_secretkeeper;
#line 181
# Find passthrough HAL implementations
#line 181
allow hal_secretkeeper system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 181
allow hal_secretkeeper vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 181
allow hal_secretkeeper vendor_file:file { read open getattr execute map };
#line 181
#line 181
;
#line 181
allow hal_secretkeeper_server dumpstate:fifo_file write;
#line 181
allow hal_secretkeeper_server dumpstate:fd use;
#line 181
#line 182
#line 182
typeattribute dumpstate halclientdomain;
#line 182
typeattribute dumpstate hal_sensors_client;
#line 182
#line 182
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 182
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 182
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 182
#line 182
typeattribute dumpstate hal_sensors;
#line 182
# Find passthrough HAL implementations
#line 182
allow hal_sensors system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 182
allow hal_sensors vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 182
allow hal_sensors vendor_file:file { read open getattr execute map };
#line 182
#line 182
;
#line 182
allow hal_sensors_server dumpstate:fifo_file write;
#line 182
allow hal_sensors_server dumpstate:fd use;
#line 182
#line 183
#line 183
typeattribute dumpstate halclientdomain;
#line 183
typeattribute dumpstate hal_thermal_client;
#line 183
#line 183
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 183
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 183
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 183
#line 183
typeattribute dumpstate hal_thermal;
#line 183
# Find passthrough HAL implementations
#line 183
allow hal_thermal system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 183
allow hal_thermal vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 183
allow hal_thermal vendor_file:file { read open getattr execute map };
#line 183
#line 183
;
#line 183
allow hal_thermal_server dumpstate:fifo_file write;
#line 183
allow hal_thermal_server dumpstate:fd use;
#line 183
#line 184
#line 184
typeattribute dumpstate halclientdomain;
#line 184
typeattribute dumpstate hal_vehicle_client;
#line 184
#line 184
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 184
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 184
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 184
#line 184
typeattribute dumpstate hal_vehicle;
#line 184
# Find passthrough HAL implementations
#line 184
allow hal_vehicle system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 184
allow hal_vehicle vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 184
allow hal_vehicle vendor_file:file { read open getattr execute map };
#line 184
#line 184
;
#line 184
allow hal_vehicle_server dumpstate:fifo_file write;
#line 184
allow hal_vehicle_server dumpstate:fd use;
#line 184
#line 185
#line 185
typeattribute dumpstate halclientdomain;
#line 185
typeattribute dumpstate hal_weaver_client;
#line 185
#line 185
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 185
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 185
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 185
#line 185
typeattribute dumpstate hal_weaver;
#line 185
# Find passthrough HAL implementations
#line 185
allow hal_weaver system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 185
allow hal_weaver vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 185
allow hal_weaver vendor_file:file { read open getattr execute map };
#line 185
#line 185
;
#line 185
allow hal_weaver_server dumpstate:fifo_file write;
#line 185
allow hal_weaver_server dumpstate:fd use;
#line 185
#line 186
#line 186
typeattribute dumpstate halclientdomain;
#line 186
typeattribute dumpstate hal_wifi_client;
#line 186
#line 186
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 186
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 186
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 186
#line 186
typeattribute dumpstate hal_wifi;
#line 186
# Find passthrough HAL implementations
#line 186
allow hal_wifi system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 186
allow hal_wifi vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 186
allow hal_wifi vendor_file:file { read open getattr execute map };
#line 186
#line 186
;
#line 186
allow hal_wifi_server dumpstate:fifo_file write;
#line 186
allow hal_wifi_server dumpstate:fd use;
#line 186
# Vibrate the device after we are done collecting the bugreport
#line 189
typeattribute dumpstate halclientdomain;
#line 189
typeattribute dumpstate hal_vibrator_client;
#line 189
#line 189
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 189
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 189
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 189
#line 189
typeattribute dumpstate hal_vibrator;
#line 189
# Find passthrough HAL implementations
#line 189
allow hal_vibrator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 189
allow hal_vibrator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 189
allow hal_vibrator vendor_file:file { read open getattr execute map };
#line 189
#line 189
# Reading /proc/PID/maps of other processes
allow dumpstate self:{ capability cap_userns } sys_ptrace;
# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
allow dumpstate shell_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow dumpstate shell_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Run a shell.
allow dumpstate shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# For Bluetooth
allow dumpstate bluetooth_data_file:dir search;
allow dumpstate bluetooth_logs_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow dumpstate bluetooth_logs_data_file:file { getattr open read ioctl lock map watch watch_reads };
# For Nfc
allow dumpstate nfc_logs_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow dumpstate nfc_logs_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow dumpstate gpu_device:dir { open getattr read search ioctl lock watch watch_reads };
# logd access
#line 220
allow dumpstate logcat_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 220
#line 220
allow dumpstate logdr_socket:sock_file write;
#line 220
allow dumpstate logd:unix_stream_socket connectto;
#line 220
#line 220
#line 221
# Group AID_LOG checked by filesystem & logd
#line 221
# to permit control commands
#line 221
#line 221
allow dumpstate logd_socket:sock_file write;
#line 221
allow dumpstate logd:unix_stream_socket connectto;
#line 221
#line 221
#line 222
allow dumpstate runtime_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads };
#line 222
# Read files in /proc
allow dumpstate {
proc_bootconfig
proc_buddyinfo
proc_cmdline
proc_meminfo
proc_modules
proc_net_type
proc_pipe_conf
proc_pagetypeinfo
proc_qtaguid_ctrl
proc_qtaguid_stat
proc_slabinfo
proc_version
proc_vmallocinfo
proc_vmstat
}:file { getattr open read ioctl lock map watch watch_reads };
# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file { getattr open read ioctl lock map watch watch_reads };
# List sockets via ss.
allow dumpstate self:netlink_tcpdiag_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_read };
# Access /data/tombstones.
allow dumpstate tombstone_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow dumpstate tombstone_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Access /cache/recovery
allow dumpstate cache_recovery_file:dir { open getattr read search ioctl lock watch watch_reads };
allow dumpstate cache_recovery_file:file { getattr open read ioctl lock map watch watch_reads };
# Access /data/misc/recovery
allow dumpstate recovery_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow dumpstate recovery_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Access /data/misc/update_engine & /data/misc/update_engine_log
allow dumpstate { update_engine_data_file update_engine_log_data_file }:dir { open getattr read search ioctl lock watch watch_reads };
allow dumpstate { update_engine_data_file update_engine_log_data_file }:file { getattr open read ioctl lock map watch watch_reads };
# Access /data/misc/snapuserd_log
allow dumpstate snapuserd_log_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow dumpstate snapuserd_log_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Access /data/misc/profiles/{cur,ref}/
#line 272
# Access /data/misc/logd
allow dumpstate misc_logd_file:dir { open getattr read search ioctl lock watch watch_reads };
allow dumpstate misc_logd_file:file { getattr open read ioctl lock map watch watch_reads };
# Access /data/misc/prereboot
allow dumpstate prereboot_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow dumpstate prereboot_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow dumpstate app_fuse_file:dir { open getattr read search ioctl lock watch watch_reads };
allow dumpstate overlayfs_file:dir { open getattr read search ioctl lock watch watch_reads };
allow dumpstate {
service_manager_type
-apex_service
-dumpstate_service
-gatekeeper_service
-hal_service_type
-virtual_touchpad_service
-vold_service
-default_android_service
}:service_manager find;
# Suppress denial audits for services dumpstate should not be accessing.
dontaudit dumpstate {
apex_service
dumpstate_service
gatekeeper_service
hal_service_type
virtual_touchpad_service
vold_service
}:service_manager find;
# Most of these are neverallowed; the dontaudit only silences the expected denials and grants nothing.
dontaudit dumpstate hwservice_manager_type:hwservice_manager find;
allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;
allow dumpstate devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Read any system properties
#line 314
allow dumpstate property_type:file { getattr open read map };
#line 314
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow dumpstate media_rw_data_file:dir getattr;
allow dumpstate proc_interrupts:file { getattr open read ioctl lock map watch watch_reads };
allow dumpstate proc_zoneinfo:file { getattr open read ioctl lock map watch watch_reads };
# Create a service for talking back to system_server
#line 324
allow dumpstate dumpstate_service:service_manager { add find };
#line 324
neverallow { domain -dumpstate } dumpstate_service:service_manager add;
#line 324
#line 324
# On debug builds with root, allow binder services to use binder over TCP.
#line 324
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 324
#line 324
# use /dev/ion for screen capture
allow dumpstate ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# Allow dumpstate to run top
allow dumpstate proc_stat:file { getattr open read ioctl lock map watch watch_reads };
allow dumpstate proc_pressure_cpu:file { getattr open read ioctl lock map watch watch_reads };
allow dumpstate proc_pressure_mem:file { getattr open read ioctl lock map watch watch_reads };
allow dumpstate proc_pressure_io:file { getattr open read ioctl lock map watch watch_reads };
# Allow dumpstate to run ps
allow dumpstate proc_pid_max:file { getattr open read ioctl lock map watch watch_reads };
# Allow dumpstate to talk to installd over binder
#line 340
# Call the server domain and optionally transfer references to it.
#line 340
allow dumpstate installd:binder { call transfer };
#line 340
# Allow the serverdomain to transfer references to the client on the reply.
#line 340
allow installd dumpstate:binder transfer;
#line 340
# Receive and use open files from the server.
#line 340
allow dumpstate installd:fd use;
#line 340
;
# Allow dumpstate to run ip xfrm policy
allow dumpstate self:netlink_xfrm_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_read };
# Allow dumpstate to run iotop
allow dumpstate self:netlink_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# Newer kernels (e.g. 4.4) have a separate class for these sockets.
allow dumpstate self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# Allow dumpstate to run ss
allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } getattr;
# Allow dumpstate to read linkerconfig directory
allow dumpstate linkerconfig_file:dir { read open };
# For when dumpstate runs df
dontaudit dumpstate {
mnt_vendor_file
mirror_data_file
mnt_user_file
mnt_product_file
}:dir search;
dontaudit dumpstate {
apex_mnt_dir
linkerconfig_file
mirror_data_file
mnt_user_file
}:dir getattr;
# Allow dumpstate to talk to bufferhubd over binder
#line 371
# Call the server domain and optionally transfer references to it.
#line 371
allow dumpstate bufferhubd:binder { call transfer };
#line 371
# Allow the serverdomain to transfer references to the client on the reply.
#line 371
allow bufferhubd dumpstate:binder transfer;
#line 371
# Receive and use open files from the server.
#line 371
allow dumpstate bufferhubd:fd use;
#line 371
;
# Allow dumpstate to talk to mediaswcodec over binder
#line 374
# Call the server domain and optionally transfer references to it.
#line 374
allow dumpstate mediaswcodec:binder { call transfer };
#line 374
# Allow the serverdomain to transfer references to the client on the reply.
#line 374
allow mediaswcodec dumpstate:binder transfer;
#line 374
# Receive and use open files from the server.
#line 374
allow dumpstate mediaswcodec:fd use;
#line 374
;
# Access /data/misc/snapshotctl_log
allow dumpstate snapshotctl_log_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow dumpstate snapshotctl_log_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow access to /dev/binderfs/binder_logs
allow dumpstate binderfs_logs:dir { open getattr read search ioctl lock watch watch_reads };
allow dumpstate binderfs_logs:file { getattr open read ioctl lock map watch watch_reads };
allow dumpstate binderfs_logs_proc:file { getattr open read ioctl lock map watch watch_reads };
allow dumpstate binderfs_logs_stats:file { getattr open read ioctl lock map watch watch_reads };
#line 386
allow dumpstate apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads };
#line 386
allow dumpstate apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
#line 386
#line 386
allow dumpstate vendor_apex_metadata_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 386
allow dumpstate vendor_apex_metadata_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 386
#line 386
# Allow reading files under /data/system/shutdown-checkpoints/
allow dumpstate shutdown_checkpoints_system_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow dumpstate shutdown_checkpoints_system_data_file:file { getattr open read ioctl lock map watch watch_reads };
###
### neverallow rules
###
# dumpstate has the sys_ptrace capability, but must only use it for reading
# sensitive /proc/PID files, never for attaching to processes via ptrace.
neverallow dumpstate *:process ptrace;
# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
neverallow {
domain
-system_server
-shell
-traceur_app
-dumpstate
} dumpstate_service:service_manager find;
#line 1 "system/sepolicy/public/e2fs.te"
type e2fs, domain, coredomain;
type e2fs_exec, system_file_type, exec_type, file_type;
allow e2fs devpts:chr_file { read write getattr ioctl };
allow e2fs dev_type:blk_file getattr;
allow e2fs block_device:dir search;
allow e2fs userdata_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow e2fs metadata_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow e2fs dm_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow e2fs zoned_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Vold needs to capture mkfs.ext4's output
allow e2fs vold:fd use;
# Need to be able to format a partition
allow e2fs sysfs_dm:dir { open getattr read search ioctl lock watch watch_reads };
allow e2fs sysfs_dm:file { getattr open read ioctl lock map watch watch_reads };
allowxperm e2fs { userdata_block_device metadata_block_device dm_device zoned_block_device }:blk_file ioctl {
0x0000127d 0x00001277 0x0000127b 0x0000127c 0x0000125e 0xc0101282 0x40101283
};
allow e2fs {
proc_filesystems
proc_mounts
proc_swaps
}:file { getattr open read ioctl lock map watch watch_reads };
# access /sys/fs/ext4/features
allow e2fs sysfs_fs_ext4_features:dir search;
allow e2fs sysfs_fs_ext4_features:file { getattr open read ioctl lock map watch watch_reads };
# access SELinux context files
allow e2fs file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
#line 1 "system/sepolicy/public/ephemeral_app.te"
###
### Ephemeral apps.
###
### This file defines the security policy for apps with the ephemeral
### feature.
###
### The ephemeral_app domain is a reduced-permissions sandbox that allows
### ephemeral applications to be safely installed and run. Non-ephemeral
### applications may also opt in to the ephemeral domain to take advantage
### of its additional security restrictions.
###
### PackageManager flags an app as ephemeral at install time.
type ephemeral_app, domain;
#line 1 "system/sepolicy/public/evsmanagerd.te"
# evsmanager daemon
type evsmanagerd, domain;
#line 1 "system/sepolicy/public/extra_free_kbytes.te"
# The extra_free_kbytes.sh script run by init.
type extra_free_kbytes, domain;
type extra_free_kbytes_exec, system_file_type, exec_type, file_type;
# required permissions to run the script from init
allow extra_free_kbytes shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow extra_free_kbytes system_file:file { getattr execute execute_no_trans map };
allow extra_free_kbytes toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# files used by the script
allow extra_free_kbytes proc_extra_free_kbytes:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow extra_free_kbytes proc_watermark_scale_factor:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow extra_free_kbytes proc_zoneinfo:file { getattr open read ioctl lock map watch watch_reads };
#line 1 "system/sepolicy/public/fastbootd.te"
# fastbootd (used in recovery init.rc for /sbin/fastbootd)
# Declare the domain unconditionally so we can always reference it
# in neverallow rules.
type fastbootd, domain;
# But the allow rules are only included in the recovery policy.
# Otherwise fastbootd is only allowed the domain rules.
#line 119
###
### neverallow rules
###
# Write permission is required to wipe userdata
# until recovery supports vold.
neverallow fastbootd {
data_file_type
}:file { { execute execute_no_trans } };
#line 1 "system/sepolicy/public/file.te"
# Filesystem types
type labeledfs, fs_type;
type pipefs, fs_type;
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type, proc_type;
type binderfs, fs_type;
type binderfs_logs, fs_type;
type binderfs_logs_proc, fs_type;
type binderfs_logs_stats, fs_type;
type binderfs_features, fs_type;
# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type, proc_type;
type proc_drop_caches, fs_type, proc_type;
type proc_overcommit_memory, fs_type, proc_type;
type proc_min_free_order_shift, fs_type, proc_type;
type proc_kpageflags, fs_type, proc_type;
type proc_watermark_boost_factor, fs_type, proc_type;
type proc_percpu_pagelist_high_fraction, fs_type, proc_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type, proc_type;
type sysfs_usermodehelper, fs_type, sysfs_type;
type proc_qtaguid_ctrl, fs_type, mlstrustedobject, proc_type;
type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type;
type proc_bluetooth_writable, fs_type, proc_type;
type proc_abi, fs_type, proc_type;
type proc_asound, fs_type, proc_type;
type proc_bootconfig, fs_type, proc_type;
type proc_bpf, fs_type, proc_type;
type proc_buddyinfo, fs_type, proc_type;
type proc_cmdline, fs_type, proc_type;
type proc_cpu_alignment, fs_type, proc_type;
type proc_cpuinfo, fs_type, proc_type;
type proc_dirty, fs_type, proc_type;
type proc_diskstats, fs_type, proc_type;
type proc_extra_free_kbytes, fs_type, proc_type;
type proc_filesystems, fs_type, proc_type;
type proc_fs_verity, fs_type, proc_type;
type proc_hostname, fs_type, proc_type;
type proc_hung_task, fs_type, proc_type;
type proc_interrupts, fs_type, proc_type;
type proc_iomem, fs_type, proc_type;
type proc_kallsyms, fs_type, proc_type;
type proc_keys, fs_type, proc_type;
type proc_kmsg, fs_type, proc_type;
type proc_loadavg, fs_type, proc_type;
type proc_locks, fs_type, proc_type;
type proc_lowmemorykiller, fs_type, proc_type;
type proc_max_map_count, fs_type, proc_type;
type proc_meminfo, fs_type, proc_type;
type proc_misc, fs_type, proc_type;
type proc_modules, fs_type, proc_type;
type proc_mounts, fs_type, proc_type;
type proc_net, fs_type, proc_type, proc_net_type;
type proc_net_tcp_udp, fs_type, proc_type;
type proc_page_cluster, fs_type, proc_type;
type proc_pagetypeinfo, fs_type, proc_type;
type proc_panic, fs_type, proc_type;
type proc_perf, fs_type, proc_type;
type proc_pid_max, fs_type, proc_type;
type proc_pipe_conf, fs_type, proc_type;
type proc_pressure_cpu, fs_type, proc_type;
type proc_pressure_io, fs_type, proc_type;
type proc_pressure_mem, fs_type, proc_type;
type proc_random, fs_type, proc_type;
type proc_sched, fs_type, proc_type;
type proc_slabinfo, fs_type, proc_type;
type proc_stat, fs_type, proc_type;
type proc_swaps, fs_type, proc_type;
type proc_sysrq, fs_type, proc_type;
type proc_timer, fs_type, proc_type;
type proc_tty_drivers, fs_type, proc_type;
type proc_uid_cputime_showstat, fs_type, proc_type;
type proc_uid_cputime_removeuid, fs_type, proc_type;
type proc_uid_io_stats, fs_type, proc_type;
type proc_uid_procstat_set, fs_type, proc_type;
type proc_uid_time_in_state, fs_type, proc_type;
type proc_uid_concurrent_active_time, fs_type, proc_type;
type proc_uid_concurrent_policy_time, fs_type, proc_type;
type proc_uid_cpupower, fs_type, proc_type;
type proc_uptime, fs_type, proc_type;
type proc_version, fs_type, proc_type;
type proc_vmallocinfo, fs_type, proc_type;
type proc_vmstat, fs_type, proc_type;
type proc_watermark_scale_factor, fs_type, proc_type;
type proc_zoneinfo, fs_type, proc_type;
type proc_vendor_sched, proc_type, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type fusectlfs, fs_type;
type cgroup, fs_type, mlstrustedobject;
type cgroup_v2, fs_type;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_android_usb, fs_type, sysfs_type;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_devfreq_cur, fs_type, sysfs_type;
type sysfs_devfreq_dir, fs_type, sysfs_type;
type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dm_verity, fs_type, sysfs_type;
type sysfs_dma_heap, fs_type, sysfs_type;
type sysfs_dmabuf_stats, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
type sysfs_extcon, fs_type, sysfs_type;
type sysfs_ion, fs_type, sysfs_type;
type sysfs_ipv4, fs_type, sysfs_type;
type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
type sysfs_leds, fs_type, sysfs_type;
type sysfs_loop, fs_type, sysfs_type;
type sysfs_gpu, fs_type, sysfs_type;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_net, fs_type, sysfs_type;
type sysfs_power, fs_type, sysfs_type;
type sysfs_rtc, fs_type, sysfs_type;
type sysfs_suspend_stats, fs_type, sysfs_type;
type sysfs_switch, fs_type, sysfs_type;
type sysfs_sync_on_suspend, fs_type, sysfs_type;
type sysfs_transparent_hugepage, fs_type, sysfs_type;
type sysfs_lru_gen_enabled, fs_type, sysfs_type;
type sysfs_usb, fs_type, sysfs_type;
type sysfs_wakeup, fs_type, sysfs_type;
type sysfs_wakeup_reasons, fs_type, sysfs_type;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
type sysfs_fs_f2fs, sysfs_type, fs_type;
type sysfs_fs_fuse_bpf, sysfs_type, fs_type;
type sysfs_fs_fuse_features, sysfs_type, fs_type;
type sysfs_fs_incfs_features, sysfs_type, fs_type;
type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
type sysfs_vendor_sched, sysfs_type, fs_type;
#line 135
type fs_bpf, fs_type, bpffs_type;
# TODO: S+ fs_bpf_tethering (used by mainline) should be private
type fs_bpf_tethering, fs_type, bpffs_type;
type fs_bpf_vendor, fs_type, bpffs_type;
type configfs, fs_type;
# /sys/devices/cs_etm
type sysfs_devices_cs_etm, fs_type, sysfs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
# /sys/module/lowmemorykiller
type sysfs_lowmemorykiller, fs_type, sysfs_type;
# /sys/module/wlan/parameters/fwpath
type sysfs_wlan_fwpath, fs_type, sysfs_type;
type sysfs_vibrator, fs_type, sysfs_type;
type sysfs_uhid, fs_type, sysfs_type;
type sysfs_thermal, sysfs_type, fs_type;
type sysfs_zram, fs_type, sysfs_type;
type sysfs_zram_uevent, fs_type, sysfs_type;
type inotify, fs_type, mlstrustedobject;
type devpts, fs_type, mlstrustedobject;
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;
type fuse, fusefs_type, fs_type, mlstrustedobject;
type fuseblk, sdcard_type, fusefs_type, fs_type, mlstrustedobject;
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
type exfat, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type, debugfs_type;
type debugfs_kprobes, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
type debugfs_wakeup_sources, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
type securityfs, fs_type;
type pstorefs, fs_type;
type functionfs, fs_type, mlstrustedobject;
type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
type binfmt_miscfs, fs_type;
type app_fusefs, fs_type, fusefs_type, contextmount_type;
# File types
type unlabeled, file_type;
# Default type for anything under /system.
type system_file, system_file_type, file_type;
# Default type for /system/asan.options
type system_asan_options_file, system_file_type, file_type;
# Type for /system/etc/event-log-tags (liblog implementation detail)
type system_event_log_tags_file, system_file_type, file_type;
# Default type for anything under /system/lib[64].
type system_lib_file, system_file_type, file_type;
# system libraries that are available only to bootstrap processes
type system_bootstrap_lib_file, system_file_type, file_type;
# Default type for the group file /system/etc/group.
type system_group_file, system_file_type, file_type;
# Default type for linker executable /system/bin/linker[64].
type system_linker_exec, system_file_type, file_type;
# Default type for linker config /system/etc/ld.config.*.
type system_linker_config_file, system_file_type, file_type;
# Default type for the passwd file /system/etc/passwd.
type system_passwd_file, system_file_type, file_type;
# Default type for seccomp policy files /system/etc/seccomp_policy/*.
type system_seccomp_policy_file, system_file_type, file_type;
# Default type for cacerts in /system/etc/security/cacerts/*.
type system_security_cacerts_file, system_file_type, file_type;
# Default type for /system/bin/tcpdump.
type tcpdump_exec, system_file_type, exec_type, file_type;
# Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
type system_zoneinfo_file, system_file_type, file_type;
# Cgroups description file under /system/etc/cgroups.json
type cgroup_desc_file, system_file_type, file_type;
# Cgroups description file under /system/etc/task_profiles/cgroups_*.json
type cgroup_desc_api_file, system_file_type, file_type;
# Vendor cgroups description file under /vendor/etc/cgroups.json
type vendor_cgroup_desc_file, vendor_file_type, file_type;
# Task profiles file under /system/etc/task_profiles.json
type task_profiles_file, system_file_type, file_type;
# Task profiles file under /system/etc/task_profiles/task_profiles_*.json
type task_profiles_api_file, system_file_type, file_type;
# Vendor task profiles file under /vendor/etc/task_profiles.json
type vendor_task_profiles_file, vendor_file_type, file_type;
# Type for /system/apex/com.android.art
type art_apex_dir, system_file_type, file_type;
# /linkerconfig(/.*)?
type linkerconfig_file, file_type;
# Control files under /data/incremental
type incremental_control_file, file_type, data_file_type, core_data_file_type;
# /oem/media/bootanimation.zip|shutdownanimation.zip|userspace-reboot.zip
type bootanim_oem_file, file_type, system_file_type;
# Default type for directories searched for
# HAL implementations
type vendor_hal_file, vendor_file_type, file_type;
# Default type for anything under /vendor or /system/vendor
type vendor_file, vendor_file_type, file_type;
# Default type for everything in /vendor/app
type vendor_app_file, vendor_file_type, file_type;
# Default type for everything under /vendor/etc/
type vendor_configs_file, vendor_file_type, file_type;
# Default type for all *same process* HALs and their lib/bin dependencies.
# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
type same_process_hal_file, vendor_file_type, file_type;
# Default type for vndk-sp libs. /vendor/lib/vndk-sp
type vndk_sp_file, vendor_file_type, file_type;
# Default type for everything in /vendor/framework
type vendor_framework_file, vendor_file_type, file_type;
# Default type for everything in /vendor/overlay
type vendor_overlay_file, vendor_file_type, file_type;
# Type for all vendor public libraries. These libs should only be exposed to
# apps. ABI stability of these libs is vendor's responsibility.
type vendor_public_lib_file, vendor_file_type, file_type;
# Type for all vendor public libraries for system. These libs should only be exposed to
# system. ABI stability of these libs is vendor's responsibility.
type vendor_public_framework_file, vendor_file_type, file_type;
# Type for all microdroid related files in the vendor partition.
# Files having this type should be read-only.
type vendor_microdroid_file, vendor_file_type, file_type;
# Input configuration
type vendor_keylayout_file, vendor_file_type, file_type;
type vendor_keychars_file, vendor_file_type, file_type;
type vendor_idc_file, vendor_file_type, file_type;
# Type for vendor uuid mapping config file
type vendor_uuid_mapping_config_file, vendor_file_type, file_type;
# SoC-specific virtual machine disk files
type vendor_vm_file, vendor_file_type, file_type;
# SoC-specific virtual machine disk files that are mutable
type vendor_vm_data_file, vendor_file_type, file_type;
# /metadata partition itself
type metadata_file, file_type;
# Vold files within /metadata
type vold_metadata_file, file_type;
# GSI files within /metadata
type gsi_metadata_file, gsi_metadata_file_type, file_type;
# DSU (GSI) files within /metadata that are globally readable.
type gsi_public_metadata_file, gsi_metadata_file_type, file_type;
# system_server shares Weaver slot information in /metadata
type password_slot_metadata_file, file_type;
# APEX files within /metadata
type apex_metadata_file, file_type;
# libsnapshot files within /metadata
type ota_metadata_file, file_type;
# property files within /metadata/bootstat
type metadata_bootstat_file, file_type;
# userspace reboot files within /metadata/userspacereboot
type userspace_reboot_metadata_file, file_type;
# Staged install files within /metadata/staged-install
type staged_install_file, file_type;
# Metadata information within /metadata/watchdog
type watchdog_metadata_file, file_type;
# Repair mode files within /metadata/repair-mode
type repair_mode_metadata_file, file_type;
# Aconfig storage file
type aconfig_storage_metadata_file, file_type;
# Aconfig storage flag value persistent copy
type aconfig_storage_flags_metadata_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
# Speeds up access by trusted applications to the runtime event tags
type runtime_event_log_tags_file, file_type;
# Type for /system/bin/logcat.
type logcat_exec, system_file_type, exec_type, file_type;
# Speeds up access to the cgroup map file
type cgroup_rc_file, file_type;
# /cores for coredumps on userdebug / eng builds
type coredump_file, file_type;
# Type of /data itself
type system_data_root_file, file_type, data_file_type, core_data_file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type, core_data_file_type;
# Default type for directories containing per-user encrypted directories, such
# as /data/user and /data/user_de.
type system_userdir_file, file_type, data_file_type, core_data_file_type;
# Type for /data/system/packages.list.
# TODO(b/129332765): Narrow down permissions to this.
# Find out users of system_data_file that should be granted only this.
type packages_list_file, file_type, data_file_type, core_data_file_type;
type game_mode_intervention_list_file, file_type, data_file_type, core_data_file_type;
# Default type for anything inside /data/vendor_{ce,de}.
type vendor_data_file, file_type, data_file_type;
# Type for /data/vendor_{ce,de} themselves. This has core_data_file_type
# because these directories themselves are platform-managed; only the files
# *inside* them are vendor data. (Somewhat similar to system_data_root_file.)
type vendor_userdir_file, file_type, data_file_type, core_data_file_type;
# Unencrypted data
type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
# installd-create files in /data/misc/installd such as layout_version
type install_data_file, file_type, data_file_type, core_data_file_type;
# /data/drm - DRM plugin data
type drm_data_file, file_type, data_file_type, core_data_file_type;
# /data/adb - adb debugging files
type adb_data_file, file_type, data_file_type, core_data_file_type;
# /data/anr - ANR traces
type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/tombstones - core dumps
type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/vendor/tombstones/wifi - vendor wifi dumps
type tombstone_wifi_data_file, file_type, data_file_type;
# /data/apex - APEX data files
type apex_data_file, file_type, data_file_type, core_data_file_type;
# /data/app - user-installed apps
type apk_data_file, file_type, data_file_type, core_data_file_type;
type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/app-private - forward-locked apps
type apk_private_data_file, file_type, data_file_type, core_data_file_type;
type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
# /data/ota
type ota_data_file, file_type, data_file_type, core_data_file_type;
# /data/ota_package
type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profiles
type user_profile_root_file, file_type, data_file_type, core_data_file_type;
type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profman
type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/prereboot
type prereboot_data_file, file_type, data_file_type, core_data_file_type;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
# /data/local - writable by shell
type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
# /data/property
type property_data_file, file_type, data_file_type, core_data_file_type;
# /data/bootchart
type bootchart_data_file, file_type, data_file_type, core_data_file_type;
# /data/system/dropbox
type dropbox_data_file, file_type, data_file_type, core_data_file_type;
# /data/system/heapdump
type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/nativetest
type nativetest_data_file, file_type, data_file_type, core_data_file_type;
# /data/local/tests
type shell_test_data_file, file_type, data_file_type, core_data_file_type;
# /data/system_de/0/ringtones
type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/preloads
type preloads_data_file, file_type, data_file_type, core_data_file_type;
# /data/preloads/media
type preloads_media_file, file_type, data_file_type, core_data_file_type;
# /data/misc/dhcp and /data/misc/dhcp-6.8.2
type dhcp_data_file, file_type, data_file_type, core_data_file_type;
# /data/server_configurable_flags
type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
# /data/app-staging
type staging_data_file, file_type, data_file_type, core_data_file_type;
# /vendor/apex
type vendor_apex_file, vendor_file_type, file_type;
# apex_manifest.pb in vendor apex
type vendor_apex_metadata_file, vendor_file_type, file_type;
# /data/system/shutdown-checkpoints
type shutdown_checkpoints_system_data_file, file_type, data_file_type, core_data_file_type;
# Mount locations managed by vold
type mnt_media_rw_file, file_type;
type mnt_user_file, file_type;
type mnt_pass_through_file, file_type;
type mnt_expand_file, file_type;
type mnt_sdcard_file, file_type;
type storage_file, file_type;
# Label for storage dirs which are just mount stubs
type mnt_media_rw_stub_file, file_type;
type storage_stub_file, file_type;
# Mount location for read-write vendor partitions.
type mnt_vendor_file, file_type;
# Mount location for read-write product partitions.
type mnt_product_file, file_type;
# Mount point used for APEX images
type apex_mnt_dir, file_type;
# /apex/apex-info-list.xml created by apexd
type apex_info_file, file_type;
# /postinstall: Mount point used by update_engine to run postinstall.
type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
type postinstall_file, file_type;
# /postinstall/apex: Mount point used for APEX images within /postinstall.
type postinstall_apex_mnt_dir, file_type;
# /data_mirror: Contains mirror directory for storing all apps data.
type mirror_data_file, file_type, core_data_file_type;
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type;
type apex_system_server_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_module_data_file, file_type, data_file_type, core_data_file_type;
type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
type appcompat_data_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
type bootstat_data_file, file_type, data_file_type, core_data_file_type;
type boottrace_data_file, file_type, data_file_type, core_data_file_type;
type camera_data_file, file_type, data_file_type, core_data_file_type;
type credstore_data_file, file_type, data_file_type, core_data_file_type;
type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
type incident_data_file, file_type, data_file_type, core_data_file_type;
type keychain_data_file, file_type, data_file_type, core_data_file_type;
type keystore_data_file, file_type, data_file_type, core_data_file_type;
type media_data_file, file_type, data_file_type, core_data_file_type;
type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type media_userdir_file, file_type, data_file_type, core_data_file_type;
type misc_user_data_file, file_type, data_file_type, core_data_file_type;
type net_data_file, file_type, data_file_type, core_data_file_type;
type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
type nfc_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
type nfc_logs_data_file, file_type, data_file_type, core_data_file_type;
type radio_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
type recovery_data_file, file_type, data_file_type, core_data_file_type;
type shared_relro_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type;
type stats_config_data_file, file_type, data_file_type, core_data_file_type;
type stats_data_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type vpn_data_file, file_type, data_file_type, core_data_file_type;
type wifi_data_file, file_type, data_file_type, core_data_file_type;
type vold_data_file, file_type, data_file_type, core_data_file_type;
type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
type snapuserd_log_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type gsi_data_file, file_type, data_file_type, core_data_file_type;
type radio_core_data_file, file_type, data_file_type, core_data_file_type;
# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
# /data/data subdirectories - priv-app sandboxes
type privapp_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
# /data/data subdirectory for system UID apps.
type system_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4.
# Default type for anything under /cache
type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for /cache/overlay /mnt/scratch/overlay
type overlayfs_file, file_type, data_file_type, core_data_file_type;
# Type for /cache/backup_stage/* (fd interchange with apps)
type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for anything under /cache/backup (local transport storage)
type cache_private_backup_file, file_type, data_file_type, core_data_file_type;
# Type for anything under /cache/recovery
type cache_recovery_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Default type for anything under /efs
type efs_file, file_type;
# Type for wallpaper file.
type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for shortcut manager icon file.
type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for user icon file.
type icon_file, file_type, data_file_type, core_data_file_type;
# /mnt/asec
type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Elements of asec files (/mnt/asec) that are world readable
type asec_public_file, file_type, data_file_type, core_data_file_type;
# /data/app-asec
type asec_image_file, file_type, data_file_type, core_data_file_type;
# /data/backup and /data/secure/backup
type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# All devices have bluetooth efs files, but they
# vary per device, so this type is used in
# per-device policy
type bluetooth_efs_file, file_type;
# Type for fingerprint template file
type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
# Type for _new_ fingerprint template file
type fingerprint_vendor_data_file, file_type, data_file_type;
# Type for appfuse file.
type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for face template file
type face_vendor_data_file, file_type, data_file_type;
# Type for iris template file
type iris_vendor_data_file, file_type, data_file_type;
# Socket types
type adbd_socket, file_type, coredomain_socket;
type bluetooth_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
type dumpstate_socket, file_type, coredomain_socket;
type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
type lmkd_socket, file_type, coredomain_socket;
type logd_socket, file_type, coredomain_socket, mlstrustedobject;
type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
type mdns_socket, file_type, coredomain_socket;
type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
type mtpd_socket, file_type, coredomain_socket;
type ot_daemon_socket, file_type, coredomain_socket;
type property_socket, file_type, coredomain_socket, mlstrustedobject;
type racoon_socket, file_type, coredomain_socket;
type recovery_socket, file_type, coredomain_socket;
type rild_socket, file_type;
type rild_debug_socket, file_type;
type snapuserd_socket, file_type, coredomain_socket;
type snapuserd_proxy_socket, file_type, coredomain_socket;
type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
type system_unsolzygote_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
type tombstoned_intercept_socket, file_type, coredomain_socket;
type traced_consumer_socket, file_type, coredomain_socket, mlstrustedobject;
type traced_perf_socket, file_type, coredomain_socket, mlstrustedobject;
type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
type uncrypt_socket, file_type, coredomain_socket;
type wpa_socket, file_type, data_file_type, core_data_file_type;
type zygote_socket, file_type, coredomain_socket;
type heapprofd_socket, file_type, coredomain_socket, mlstrustedobject;
# UART (for GPS) control proc file
type gps_control, file_type;
# PDX endpoint types
type pdx_display_dir, pdx_endpoint_dir_type, file_type;
type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;
#line 577
typeattribute pdx_display_dir pdx_display_client_endpoint_dir_type;
#line 577
type pdx_display_client_endpoint_socket, pdx_display_client_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
#line 577
type pdx_display_client_channel_socket, pdx_display_client_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
#line 577
#line 577
#line 578
typeattribute pdx_display_dir pdx_display_manager_endpoint_dir_type;
#line 578
type pdx_display_manager_endpoint_socket, pdx_display_manager_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
#line 578
type pdx_display_manager_channel_socket, pdx_display_manager_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
#line 578
#line 578
#line 579
typeattribute pdx_display_dir pdx_display_screenshot_endpoint_dir_type;
#line 579
type pdx_display_screenshot_endpoint_socket, pdx_display_screenshot_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
#line 579
type pdx_display_screenshot_channel_socket, pdx_display_screenshot_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
#line 579
#line 579
#line 580
typeattribute pdx_display_dir pdx_display_vsync_endpoint_dir_type;
#line 580
type pdx_display_vsync_endpoint_socket, pdx_display_vsync_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
#line 580
type pdx_display_vsync_channel_socket, pdx_display_vsync_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
#line 580
#line 580
#line 581
typeattribute pdx_performance_dir pdx_performance_client_endpoint_dir_type;
#line 581
type pdx_performance_client_endpoint_socket, pdx_performance_client_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
#line 581
type pdx_performance_client_channel_socket, pdx_performance_client_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
#line 581
#line 581
#line 582
typeattribute pdx_bufferhub_dir pdx_bufferhub_client_endpoint_dir_type;
#line 582
type pdx_bufferhub_client_endpoint_socket, pdx_bufferhub_client_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
#line 582
type pdx_bufferhub_client_channel_socket, pdx_bufferhub_client_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
#line 582
#line 582
# file_contexts files
type file_contexts_file, system_file_type, file_type;
# mac_permissions file
type mac_perms_file, system_file_type, file_type;
# property_contexts file
type property_contexts_file, system_file_type, file_type;
# seapp_contexts file
type seapp_contexts_file, system_file_type, file_type;
# sepolicy files binary and others
type sepolicy_file, system_file_type, file_type;
# service_contexts file
type service_contexts_file, system_file_type, file_type;
# keystore2_key_contexts_file
type keystore2_key_contexts_file, system_file_type, file_type;
# vendor service_contexts file
type vendor_service_contexts_file, vendor_file_type, file_type;
# hwservice_contexts file
type hwservice_contexts_file, system_file_type, file_type;
# vndservice_contexts file
type vndservice_contexts_file, file_type;
# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
# kernel modules
type vendor_kernel_modules, vendor_file_type, file_type;
# system_dlkm
type system_dlkm_file, system_dlkm_file_type, file_type;
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
allow cgroup_v2 tmpfs:filesystem associate;
allow cgroup_rc_file tmpfs:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
allow postinstall_file self:filesystem associate;
allow proc_net proc:filesystem associate;
# asanwrapper (run a sanitized app_process, to be used with wrap properties)
# Deprecated in SDK version 28
type audiohal_data_file, file_type, data_file_type, core_data_file_type;
# It's a bug to assign the file_type attribute and fs_type attribute
# to any type. Do not allow it.
#
# For example, the following is a bug:
# type apk_data_file, file_type, data_file_type, fs_type;
# Should be:
# type apk_data_file, file_type, data_file_type;
neverallow fs_type file_type:filesystem associate;
#line 1 "system/sepolicy/public/fingerprintd.te"
# Legacy fingerprint daemon domain. Note it carries only the `domain`
# attribute here, not `coredomain`.
type fingerprintd, domain;
type fingerprintd_exec, system_file_type, exec_type, file_type;
# Binder plumbing with servicemanager (shape matches the binder_use macro):
# two-way call/transfer, plus the lookups servicemanager performs when it
# runs getpidcon on its clients.
#line 4
# Call the servicemanager and transfer references to it.
#line 4
allow fingerprintd servicemanager:binder { call transfer };
#line 4
# Allow servicemanager to send out callbacks
#line 4
allow servicemanager fingerprintd:binder { call transfer };
#line 4
# servicemanager performs getpidcon on clients.
#line 4
allow servicemanager fingerprintd:dir search;
#line 4
allow servicemanager fingerprintd:file { read open };
#line 4
allow servicemanager fingerprintd:process getattr;
#line 4
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 4
# all domains in domain.te.
#line 4
# Scan through /system/lib64/hw looking for installed HALs
# (read-only directory permissions on system_file; no write/add_name).
allow fingerprintd system_file:dir { open getattr read search ioctl lock watch watch_reads };
# need to find KeyStore and add self
# Register fingerprintd_service. The paired neverallow pins registration to
# this domain alone: no other domain may `add` fingerprintd_service.
#line 10
allow fingerprintd fingerprintd_service:service_manager { add find };
#line 10
neverallow { domain -fingerprintd } fingerprintd_service:service_manager add;
#line 10
#line 10
# On debug builds with root, allow binder services to use binder over TCP.
#line 10
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 10
#line 10
# allow HAL module to read dir contents
# Full create/rename/setattr/unlink plus read and append/write on template
# files. Within this section, fingerprintd_data_file is the only file type
# fingerprintd is allowed to write.
allow fingerprintd fingerprintd_data_file:file { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } };
# allow HAL module to read/write/unlink contents of this dir
allow fingerprintd fingerprintd_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
# Need to add auth tokens to KeyStore
# Keystore integration: keystore may run getpidcon on fingerprintd,
# fingerprintd may look up the apc/keystore/legacykeystore services, binder
# is granted in both directions, and keystore2 `add_auth` lets fingerprintd
# push auth tokens. The two transfer-only rules below are subsumed by the
# call/transfer rules from the other expansion; harmless duplicates.
#line 19
allow keystore fingerprintd:dir search;
#line 19
allow keystore fingerprintd:file { read open };
#line 19
allow keystore fingerprintd:process getattr;
#line 19
allow fingerprintd apc_service:service_manager find;
#line 19
allow fingerprintd keystore_service:service_manager find;
#line 19
allow fingerprintd legacykeystore_service:service_manager find;
#line 19
#line 19
# Call the server domain and optionally transfer references to it.
#line 19
allow fingerprintd keystore:binder { call transfer };
#line 19
# Allow the serverdomain to transfer references to the client on the reply.
#line 19
allow keystore fingerprintd:binder transfer;
#line 19
# Receive and use open files from the server.
#line 19
allow fingerprintd keystore:fd use;
#line 19
#line 19
#line 19
# Call the server domain and optionally transfer references to it.
#line 19
allow keystore fingerprintd:binder { call transfer };
#line 19
# Allow the serverdomain to transfer references to the client on the reply.
#line 19
allow fingerprintd keystore:binder transfer;
#line 19
# Receive and use open files from the server.
#line 19
allow keystore fingerprintd:fd use;
#line 19
#line 19
allow fingerprintd keystore:keystore2 { add_auth };
# For permissions checking
# One-way binder_call-style expansion toward system_server: fingerprintd
# calls, system_server may only transfer references back on the reply.
#line 23
# Call the server domain and optionally transfer references to it.
#line 23
allow fingerprintd system_server:binder { call transfer };
#line 23
# Allow the serverdomain to transfer references to the client on the reply.
#line 23
allow system_server fingerprintd:binder transfer;
#line 23
# Receive and use open files from the server.
#line 23
allow fingerprintd system_server:fd use;
#line 23
# NOTE(review): the bare ';' below is most likely a leftover trailing
# semicolon after a macro call in the source .te. The build accepts it, but
# it is dead text and could be dropped upstream.
;
allow fingerprintd permission_service:service_manager find;
# Read-only access to the ion device (no write permission granted).
allow fingerprintd ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
#line 1 "system/sepolicy/public/flags_health_check.te"
# The flags_health_check command run by init.
type flags_health_check, domain, coredomain;
type flags_health_check_exec, system_file_type, exec_type, file_type;
# Read/write access to the flag-reset bookkeeping directory and its files
# (search/add_name/remove_name on the dir; create/rename/setattr/unlink plus
# read and append/write on the files).
allow flags_health_check server_configurable_flags_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow flags_health_check server_configurable_flags_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# server_configurable_flags_data_file records whether server-configurable
# flags have been reset during the current boot. If an unrelated component
# modified it by mistake, bad server-configurable flag values could be
# synced back to the device.
# The neverallow therefore limits every file-modifying permission on this
# type to init and flags_health_check. It covers the `file` class only, and
# `relabelto` is not in the forbidden set, so relabeling some other file onto
# this type is not ruled out by this rule. NOTE(review): confirm that path
# is closed elsewhere in the policy.
neverallow { domain -init -flags_health_check } server_configurable_flags_data_file:file { append create link unlink relabelfrom rename setattr write };
#line 1 "system/sepolicy/public/fsck.te"
# Any fsck program run by init (or vold) on trusted, device-internal block
# devices. Compare fsck_untrusted, which is the domain for vold-managed
# removable media and is kept away from the internal partitions entirely.
type fsck, domain;
type fsck_exec, system_file_type, exec_type, file_type;
# /dev/__null__ created by init prior to policy load,
# open fd inherited by fsck.
allow fsck tmpfs:chr_file { read write ioctl };
# Inherit and use pty created by android_fork_execvp_ext().
allow fsck devpts:chr_file { read write ioctl getattr };
# Allow stdin/out back to vold
allow fsck vold:fd use;
allow fsck vold:fifo_file { read write getattr };
# Run fsck on certain block devices. This is the complete list of block
# device types fsck may open for read/write; everything listed in the
# neverallow at the bottom of this block is excluded on purpose.
allow fsck userdata_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow fsck cache_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow fsck dm_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow fsck zoned_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 23
# e2fsck performs a comprehensive search of /proc/mounts to check whether the
# checked filesystem is currently mounted.
allow fsck metadata_file:dir getattr;
allow fsck block_device:dir search;
allow fsck mirror_data_file:dir search;
# For the block devices where we have ioctl access,
# allow at a minimum the following common fsck ioctls.
# The whitelist is enforced with allowxperm, so even on the devices granted
# ioctl above only these three request numbers are permitted. They look like
# BLKDISCARDZEROES (0x127c), BLKROGET (0x125e) and BLKREPORTZONE
# (0xc0101282) — confirm against the kernel's linux/fs.h and blkzoned.h.
allowxperm fsck dev_type:blk_file ioctl {
0x0000127c
0x0000125e
0xc0101282
};
# To determine if it is safe to run fsck on a filesystem, e2fsck
# must first determine if the filesystem is mounted. To do that,
# e2fsck scans through /proc/mounts and collects all the mounted
# block devices. With that information, it runs stat() on each block
# device, comparing the major and minor numbers to the filesystem
# passed in on the command line. If there is a match, then the filesystem
# is currently mounted and running fsck is dangerous.
# Allow stat access to all block devices so that fsck can compare
# major/minor values. Note this is getattr only; open/read/write stay
# limited to the four device types granted above.
allow fsck dev_type:blk_file getattr;
allow fsck {
proc_mounts
proc_swaps
sysfs_dm
}:file { getattr open read ioctl lock map watch watch_reads };
allow fsck rootfs:dir { open getattr read search ioctl lock watch watch_reads };
allow fsck sysfs_dm:dir { open getattr read search ioctl lock watch watch_reads };
###
### neverallow rules
###
# fsck should never be run on these block devices. A fsck with write access
# to the boot, recovery, system or FRP partitions could alter verified or
# persistent state, so any future allow rule for these types fails the
# policy build.
neverallow fsck {
boot_block_device
frp_block_device
recovery_block_device
root_block_device
swap_block_device
system_block_device
vold_device
}:blk_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Only allow entry from init or vold via fsck binaries: no other domain may
# transition into fsck, no domain may dyntransition into it, and the only
# valid entrypoint file type is fsck_exec.
neverallow { domain -init -vold } fsck:process transition;
neverallow * fsck:process dyntransition;
neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
#line 1 "system/sepolicy/public/fsck_untrusted.te"
# Any fsck program run on untrusted block devices (vold-managed media).
# There is no separate fsck_untrusted_exec type: the same fsck binaries
# (fsck_exec) are used, and the only allowed entry path is from vold.
type fsck_untrusted, domain;
# Inherit and use pty created by android_fork_execvp_ext().
allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
# Allow stdin/out back to vold
allow fsck_untrusted vold:fd use;
allow fsck_untrusted vold:fifo_file { read write getattr };
# Run fsck on vold block devices. vold_device is the only block device type
# this domain may open; see the neverallow below for the types it must never
# touch.
allow fsck_untrusted block_device:dir search;
allow fsck_untrusted vold_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow fsck_untrusted proc_mounts:file { getattr open read ioctl lock map watch watch_reads };
# To determine if it is safe to run fsck on a filesystem, e2fsck
# must first determine if the filesystem is mounted. To do that,
# e2fsck scans through /proc/mounts and collects all the mounted
# block devices. With that information, it runs stat() on each block
# device, comparing the major and minor numbers to the filesystem
# passed in on the command line. If there is a match, then the filesystem
# is currently mounted and running fsck is dangerous.
# Allow stat access to all block devices so that fsck can compare
# major/minor values (getattr only; no open/read/write).
allow fsck_untrusted dev_type:blk_file getattr;
###
### neverallow rules
###
# Untrusted fsck should never be run on block devices holding sensitive data.
# The list is a superset of the one in fsck.te: it additionally covers
# metadata, userdata, cache and dm devices, which the trusted fsck may use.
# NOTE(review): zoned_block_device, which fsck.te allows, is not in this
# list; it is not granted to fsck_untrusted anywhere visible here, so it is
# denied by default, but adding it would make the guard explicit.
neverallow fsck_untrusted {
boot_block_device
frp_block_device
metadata_block_device
recovery_block_device
root_block_device
swap_block_device
system_block_device
userdata_block_device
cache_block_device
dm_device
}:blk_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Only allow entry from vold via fsck binaries
neverallow { domain -vold } fsck_untrusted:process transition;
neverallow * fsck_untrusted:process dyntransition;
neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
# fsck_untrusted should never have sys_admin permissions. If it requires sys_admin
# permissions, that is a code mistake that needs to be fixed, not a permission that
# should be granted. Same with setgid and setuid. The rule covers both the
# capability class and cap_userns so a user namespace cannot be used to
# regain them.
neverallow fsck_untrusted self:{ capability cap_userns } { setgid setuid sys_admin };
###
### dontaudit rules
###
# Ignores attempts to access sysfs. fsck binaries seem to like trying to go
# here, but nothing bad happens if they can't, and they shouldn't be allowed.
# dontaudit only silences the denial log; the access is still refused.
dontaudit fsck_untrusted sysfs:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
dontaudit fsck_untrusted sysfs_dm:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
dontaudit fsck_untrusted sysfs_dm:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
# Ignore attempts to access tmpfs. fsck doesn't need to do this.
dontaudit fsck_untrusted tmpfs:lnk_file read;
#line 1 "system/sepolicy/public/gatekeeperd.te"
# gatekeeperd: the system daemon that registers gatekeeper_service with
# servicemanager, talks to the Gatekeeper HAL (either in-process or as a
# hal_gatekeeper_client) and pushes auth tokens into keystore.
type gatekeeperd, domain;
type gatekeeperd_exec, system_file_type, exec_type, file_type;
# gatekeeperd
#line 5
typeattribute gatekeeperd binderservicedomain;
#line 5
#line 6
# Call the servicemanager and transfer references to it.
#line 6
allow gatekeeperd servicemanager:binder { call transfer };
#line 6
# Allow servicemanager to send out callbacks
#line 6
allow servicemanager gatekeeperd:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
#line 6
allow servicemanager gatekeeperd:dir search;
#line 6
allow servicemanager gatekeeperd:file { read open };
#line 6
allow servicemanager gatekeeperd:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6
### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
### These rules should eventually be granted only when needed.
allow gatekeeperd ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# Load HAL implementation
allow gatekeeperd system_file:dir { open getattr read search ioctl lock watch watch_reads };
###
### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
### These rules should eventually be granted only when needed.
#line 17
typeattribute gatekeeperd halclientdomain;
#line 17
typeattribute gatekeeperd hal_gatekeeper_client;
#line 17
#line 17
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 17
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 17
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 17
#line 17
# Because gatekeeperd also carries the hal_gatekeeper attribute, the
# passthrough rules below (including execute of vendor_file) apply to it.
typeattribute gatekeeperd hal_gatekeeper;
#line 17
# Find passthrough HAL implementations
#line 17
allow hal_gatekeeper system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 17
allow hal_gatekeeper vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 17
allow hal_gatekeeper vendor_file:file { read open getattr execute map };
#line 17
#line 17
###
# need to find KeyStore and add self
#line 21
# gatekeeperd registers gatekeeper_service; the neverallow makes it the
# only domain that may do so.
allow gatekeeperd gatekeeper_service:service_manager { add find };
#line 21
neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
#line 21
#line 21
# On debug builds with root, allow binder services to use binder over TCP.
#line 21
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 21
#line 21
# Need to add auth tokens to KeyStore
#line 24
allow keystore gatekeeperd:dir search;
#line 24
allow keystore gatekeeperd:file { read open };
#line 24
allow keystore gatekeeperd:process getattr;
#line 24
allow gatekeeperd apc_service:service_manager find;
#line 24
allow gatekeeperd keystore_service:service_manager find;
#line 24
allow gatekeeperd legacykeystore_service:service_manager find;
#line 24
#line 24
# Call the server domain and optionally transfer references to it.
#line 24
allow gatekeeperd keystore:binder { call transfer };
#line 24
# Allow the serverdomain to transfer references to the client on the reply.
#line 24
allow keystore gatekeeperd:binder transfer;
#line 24
# Receive and use open files from the server.
#line 24
allow gatekeeperd keystore:fd use;
#line 24
#line 24
#line 24
# Call the server domain and optionally transfer references to it.
#line 24
allow keystore gatekeeperd:binder { call transfer };
#line 24
# Allow the serverdomain to transfer references to the client on the reply.
#line 24
allow gatekeeperd keystore:binder transfer;
#line 24
# Receive and use open files from the server.
#line 24
allow keystore gatekeeperd:fd use;
#line 24
#line 24
# The only keystore2 operation gatekeeperd needs is adding auth tokens.
allow gatekeeperd keystore:keystore2 { add_auth };
allow gatekeeperd authorization_service:service_manager find;
# For permissions checking
allow gatekeeperd system_server:binder call;
allow gatekeeperd permission_service:service_manager find;
# for SID file access
allow gatekeeperd gatekeeper_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow gatekeeperd gatekeeper_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# For hardware properties retrieval
allow gatekeeperd hardware_properties_service:service_manager find;
# Read-only access to cgroup and cgroup_v2 hierarchies.
#line 40
allow gatekeeperd cgroup:dir { open getattr read search ioctl lock watch watch_reads };
#line 40
allow gatekeeperd cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 40
#line 41
allow gatekeeperd cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
#line 41
allow gatekeeperd cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 41
#line 1 "system/sepolicy/public/gmscore_app.te"
###
### A domain for further sandboxing the PrebuiltGMSCore app.
### Only the type declaration lives in the public policy; the rules that
### give this domain its access are not in this block.
###
type gmscore_app, domain;
#line 1 "system/sepolicy/public/gpuservice.te"
# gpuservice - server for gpu stats and other gpu related services.
# Only the type declaration is public; its access rules live elsewhere.
type gpuservice, domain;
#line 1 "system/sepolicy/public/hal_allocator.te"
# HwBinder IPC from client to server
# Domains get these rules through the hal_allocator_client /
# hal_allocator_server attributes; the client never receives binder
# calls from the server here (no callback rule).
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_allocator_client hal_allocator_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_allocator_server hal_allocator_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_allocator_client hal_allocator_server:fd use;
#line 2
#line 4
allow hal_allocator_client hidl_allocator_hwservice:hwservice_manager find;
#line 4
#line 4
# Only the allocator server may register hidl_allocator_hwservice.
allow hal_allocator_server hidl_allocator_hwservice:hwservice_manager { add find };
#line 4
allow hal_allocator_server hidl_base_hwservice:hwservice_manager add;
#line 4
neverallow { domain -hal_allocator_server } hidl_allocator_hwservice:hwservice_manager add;
#line 4
#line 4
#line 4
#line 4
# Clients also locate hidl_memory_hwservice and may load/execute
# same-process HAL libraries.
allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
allow hal_allocator_client same_process_hal_file:file { execute read open getattr map };
#line 1 "system/sepolicy/public/hal_atrace.te"
# HwBinder IPC from client to server (no server-to-client callbacks).
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_atrace_client hal_atrace_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_atrace_server hal_atrace_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_atrace_client hal_atrace_server:fd use;
#line 2
#line 4
allow hal_atrace_client hal_atrace_hwservice:hwservice_manager find;
#line 4
#line 4
# Registration of hal_atrace_hwservice is restricted to the server domain.
allow hal_atrace_server hal_atrace_hwservice:hwservice_manager { add find };
#line 4
allow hal_atrace_server hidl_base_hwservice:hwservice_manager add;
#line 4
neverallow { domain -hal_atrace_server } hal_atrace_hwservice:hwservice_manager add;
#line 4
#line 4
#line 4
#line 4
#line 1 "system/sepolicy/public/hal_audio.te"
# HwBinder IPC from client to server, and callbacks
# Rules are attached to the hal_audio_client / hal_audio_server attributes;
# rules on the plain hal_audio attribute apply to both sides.
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_audio_client hal_audio_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_audio_server hal_audio_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_audio_client hal_audio_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_audio_server hal_audio_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_audio_client hal_audio_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_audio_server hal_audio_client:fd use;
#line 3
#line 5
allow hal_audio_client hal_audio_hwservice:hwservice_manager find;
#line 5
#line 5
# HIDL and AIDL service registration is limited to the server domain.
allow hal_audio_server hal_audio_hwservice:hwservice_manager { add find };
#line 5
allow hal_audio_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_audio_server } hal_audio_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
allow hal_audio_client hal_audio_service:service_manager find;
#line 6
#line 6
allow hal_audio_server hal_audio_service:service_manager { add find };
#line 6
neverallow { domain -hal_audio_server } hal_audio_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
#line 6
#line 6
#line 6
#line 6
allow hal_audio ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
#line 10
# Call the server domain and optionally transfer references to it.
#line 10
allow hal_audio_server servicemanager:binder { call transfer };
#line 10
# Allow the serverdomain to transfer references to the client on the reply.
#line 10
allow servicemanager hal_audio_server:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow hal_audio_server servicemanager:fd use;
#line 10
# Read-only access to /proc and the ALSA proc tree.
#line 12
allow hal_audio proc:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow hal_audio proc:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 12
#line 13
allow hal_audio proc_asound:dir { open getattr read search ioctl lock watch watch_reads };
#line 13
allow hal_audio proc_asound:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 13
# Only the server side may open the audio device nodes (see the neverallow
# below, which keeps other HAL servers away from audio_device).
allow hal_audio_server audio_device:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_audio_server audio_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Needed to provide debug dump output via dumpsys' pipes.
allow hal_audio shell:fd use;
allow hal_audio shell:fifo_file write;
allow hal_audio dumpstate:fd use;
allow hal_audio dumpstate:fifo_file write;
# Needed to allow sound trigger hal to access shared memory from apps.
allow hal_audio_server appdomain:fd use;
# Allow sound trigger hal to access shared memory from system server.
allow hal_audio_server system_server_tmpfs:file { getattr map read };
# allow self to set scheduler (and allows Binder RT PI)
allow hal_audio_server self:{ capability cap_userns } sys_nice;
# allow hal audio to use vnbinder
#line 32
# Talk to the vndbinder device node
#line 32
allow hal_audio vndbinder_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 32
# Call the vndservicemanager and transfer references to it.
#line 32
allow hal_audio vndservicemanager:binder { call transfer };
#line 32
# vndservicemanager performs getpidcon on clients.
#line 32
allow vndservicemanager hal_audio:dir search;
#line 32
allow vndservicemanager hal_audio:file { read open map };
#line 32
allow vndservicemanager hal_audio:process getattr;
#line 32
###
### neverallow rules
###
# Should never execute any executable without a domain transition
neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;
# Only audio HAL may directly access the audio hardware. hal_omx_server is
# the one other HAL server exempted; any other halserverdomain touching
# audio_device is a build-time policy error.
neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *;
# Read-only access to the audio and Bluetooth audio properties.
#line 44
allow hal_audio audio_config_prop:file { getattr open read map };
#line 44
#line 45
allow hal_audio bluetooth_a2dp_offload_prop:file { getattr open read map };
#line 45
#line 46
allow hal_audio bluetooth_audio_hal_prop:file { getattr open read map };
#line 46
#line 1 "system/sepolicy/public/hal_audiocontrol.te"
# HwBinder IPC from client to server, and callbacks
# Both HIDL (hwservice_manager) and AIDL (service_manager) registration
# are covered; each is restricted to hal_audiocontrol_server by neverallow.
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_audiocontrol_client hal_audiocontrol_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_audiocontrol_server hal_audiocontrol_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_audiocontrol_client hal_audiocontrol_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_audiocontrol_server hal_audiocontrol_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_audiocontrol_client hal_audiocontrol_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_audiocontrol_server hal_audiocontrol_client:fd use;
#line 3
#line 5
allow hal_audiocontrol_client hal_audiocontrol_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_audiocontrol_server hal_audiocontrol_hwservice:hwservice_manager { add find };
#line 5
allow hal_audiocontrol_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_audiocontrol_server } hal_audiocontrol_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
allow hal_audiocontrol_client hal_audiocontrol_service:service_manager find;
#line 6
#line 6
allow hal_audiocontrol_server hal_audiocontrol_service:service_manager { add find };
#line 6
neverallow { domain -hal_audiocontrol_server } hal_audiocontrol_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
#line 6
#line 6
#line 6
#line 6
# The server talks to servicemanager as a plain binder client (no
# servicemanager-initiated callbacks are granted here).
#line 8
# Call the server domain and optionally transfer references to it.
#line 8
allow hal_audiocontrol_server servicemanager:binder { call transfer };
#line 8
# Allow the serverdomain to transfer references to the client on the reply.
#line 8
allow servicemanager hal_audiocontrol_server:binder transfer;
#line 8
# Receive and use open files from the server.
#line 8
allow hal_audiocontrol_server servicemanager:fd use;
#line 8
#line 1 "system/sepolicy/public/hal_authgraph.te"
# AIDL-only HAL: binder IPC from client to server, service registration
# restricted to the server, plus the device nodes the server needs.
#line 1
# Call the server domain and optionally transfer references to it.
#line 1
allow hal_authgraph_client hal_authgraph_server:binder { call transfer };
#line 1
# Allow the serverdomain to transfer references to the client on the reply.
#line 1
allow hal_authgraph_server hal_authgraph_client:binder transfer;
#line 1
# Receive and use open files from the server.
#line 1
allow hal_authgraph_client hal_authgraph_server:fd use;
#line 1
#line 3
allow hal_authgraph_client hal_authgraph_service:service_manager find;
#line 3
#line 3
allow hal_authgraph_server hal_authgraph_service:service_manager { add find };
#line 3
neverallow { domain -hal_authgraph_server } hal_authgraph_service:service_manager add;
#line 3
#line 3
# On debug builds with root, allow binder services to use binder over TCP.
#line 3
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 3
#line 3
#line 3
#line 3
#line 3
#line 4
# Call the server domain and optionally transfer references to it.
#line 4
allow hal_authgraph_server servicemanager:binder { call transfer };
#line 4
# Allow the serverdomain to transfer references to the client on the reply.
#line 4
allow servicemanager hal_authgraph_server:binder transfer;
#line 4
# Receive and use open files from the server.
#line 4
allow hal_authgraph_server servicemanager:fd use;
#line 4
# The server is granted read/write on the TEE device node and read-only
# access to ion; no client domain gets either.
allow hal_authgraph_server tee_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_authgraph_server ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
#line 1 "system/sepolicy/public/hal_authsecret.te"
# HwBinder IPC from client to server (no callbacks). Both the HIDL
# hwservice and the AIDL service may only be registered by the server.
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_authsecret_client hal_authsecret_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_authsecret_server hal_authsecret_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_authsecret_client hal_authsecret_server:fd use;
#line 2
#line 4
allow hal_authsecret_client hal_authsecret_hwservice:hwservice_manager find;
#line 4
#line 4
allow hal_authsecret_server hal_authsecret_hwservice:hwservice_manager { add find };
#line 4
allow hal_authsecret_server hidl_base_hwservice:hwservice_manager add;
#line 4
neverallow { domain -hal_authsecret_server } hal_authsecret_hwservice:hwservice_manager add;
#line 4
#line 4
#line 4
#line 4
#line 5
allow hal_authsecret_client hal_authsecret_service:service_manager find;
#line 5
#line 5
allow hal_authsecret_server hal_authsecret_service:service_manager { add find };
#line 5
neverallow { domain -hal_authsecret_server } hal_authsecret_service:service_manager add;
#line 5
#line 5
# On debug builds with root, allow binder services to use binder over TCP.
#line 5
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 5
#line 5
#line 5
#line 5
#line 5
#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow hal_authsecret_server servicemanager:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow servicemanager hal_authsecret_server:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow hal_authsecret_server servicemanager:fd use;
#line 7
#line 1 "system/sepolicy/public/hal_bluetooth.te"
# HwBinder IPC from clients into server, and callbacks
# Rules on hal_bluetooth (without _client/_server) apply to both sides and
# include wake-lock, rfkill (net_admin), sysfs and property access.
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_bluetooth_client hal_bluetooth_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_bluetooth_server hal_bluetooth_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_bluetooth_client hal_bluetooth_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_bluetooth_server hal_bluetooth_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_bluetooth_client hal_bluetooth_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_bluetooth_server hal_bluetooth_client:fd use;
#line 3
#line 4
# Call the server domain and optionally transfer references to it.
#line 4
allow hal_bluetooth_server servicemanager:binder { call transfer };
#line 4
# Allow the serverdomain to transfer references to the client on the reply.
#line 4
allow servicemanager hal_bluetooth_server:binder transfer;
#line 4
# Receive and use open files from the server.
#line 4
allow hal_bluetooth_server servicemanager:fd use;
#line 4
#line 6
allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
#line 6
#line 6
# HIDL and AIDL registration is limited to hal_bluetooth_server.
allow hal_bluetooth_server hal_bluetooth_hwservice:hwservice_manager { add find };
#line 6
allow hal_bluetooth_server hidl_base_hwservice:hwservice_manager add;
#line 6
neverallow { domain -hal_bluetooth_server } hal_bluetooth_hwservice:hwservice_manager add;
#line 6
#line 6
#line 6
#line 6
#line 7
allow hal_bluetooth_client hal_bluetooth_service:service_manager find;
#line 7
#line 7
allow hal_bluetooth_server hal_bluetooth_service:service_manager { add find };
#line 7
neverallow { domain -hal_bluetooth_server } hal_bluetooth_service:service_manager add;
#line 7
#line 7
# On debug builds with root, allow binder services to use binder over TCP.
#line 7
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 7
#line 7
#line 7
#line 7
#line 7
# Wake-lock handling: direct /sys/power access plus both the HIDL and AIDL
# system_suspend services, which requires the full client-side
# hwservicemanager/servicemanager rules below.
#line 9
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 9
# deprecated.
#line 9
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 9
allow hal_bluetooth sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 9
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 9
allow hal_bluetooth self:{ capability2 cap2_userns } block_suspend;
#line 9
# system_suspend permissions
#line 9
#line 9
# Call the server domain and optionally transfer references to it.
#line 9
allow hal_bluetooth system_suspend_server:binder { call transfer };
#line 9
# Allow the serverdomain to transfer references to the client on the reply.
#line 9
allow system_suspend_server hal_bluetooth:binder transfer;
#line 9
# Receive and use open files from the server.
#line 9
allow hal_bluetooth system_suspend_server:fd use;
#line 9
#line 9
allow hal_bluetooth system_suspend_hwservice:hwservice_manager find;
#line 9
# halclientdomain permissions
#line 9
#line 9
# Call the hwservicemanager and transfer references to it.
#line 9
allow hal_bluetooth hwservicemanager:binder { call transfer };
#line 9
# Allow hwservicemanager to send out callbacks
#line 9
allow hwservicemanager hal_bluetooth:binder { call transfer };
#line 9
# hwservicemanager performs getpidcon on clients.
#line 9
allow hwservicemanager hal_bluetooth:dir search;
#line 9
allow hwservicemanager hal_bluetooth:file { read open map };
#line 9
allow hwservicemanager hal_bluetooth:process getattr;
#line 9
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 9
# all domains in domain.te.
#line 9
#line 9
#line 9
allow hal_bluetooth hwservicemanager_prop:file { getattr open read map };
#line 9
#line 9
allow hal_bluetooth hidl_manager_hwservice:hwservice_manager find;
#line 9
# AIDL suspend hal permissions
#line 9
allow hal_bluetooth hal_system_suspend_service:service_manager find;
#line 9
#line 9
# Call the servicemanager and transfer references to it.
#line 9
allow hal_bluetooth servicemanager:binder { call transfer };
#line 9
# Allow servicemanager to send out callbacks
#line 9
allow servicemanager hal_bluetooth:binder { call transfer };
#line 9
# servicemanager performs getpidcon on clients.
#line 9
allow servicemanager hal_bluetooth:dir search;
#line 9
allow servicemanager hal_bluetooth:file { read open };
#line 9
allow servicemanager hal_bluetooth:process getattr;
#line 9
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 9
# all domains in domain.te.
#line 9
#line 9
;
# The HAL toggles rfkill to power the chip off/on.
allow hal_bluetooth self:{ capability cap_userns } net_admin;
# bluetooth factory file accesses.
#line 15
allow hal_bluetooth bluetooth_efs_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 15
allow hal_bluetooth bluetooth_efs_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 15
# Read/write on the uhid and HCI attach device nodes.
allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# sysfs access.
# Read-only over all of sysfs_type; write access is confined to the
# sysfs_bluetooth_writable type.
#line 20
allow hal_bluetooth sysfs_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 20
allow hal_bluetooth sysfs_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 20
allow hal_bluetooth sysfs_bluetooth_writable:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_bluetooth self:{ capability2 cap2_userns } wake_alarm;
# Allow write access to bluetooth-specific properties
# Each set_prop expansion below grants the property_service socket path
# (property_socket write + connectto init) and set/read on one property
# context; the socket rules are repeated per property by the macro.
#line 25
#line 25
allow hal_bluetooth property_socket:sock_file write;
#line 25
allow hal_bluetooth init:unix_stream_socket connectto;
#line 25
#line 25
allow hal_bluetooth bluetooth_a2dp_offload_prop:property_service set;
#line 25
#line 25
allow hal_bluetooth bluetooth_a2dp_offload_prop:file { getattr open read map };
#line 25
#line 25
#line 26
#line 26
allow hal_bluetooth property_socket:sock_file write;
#line 26
allow hal_bluetooth init:unix_stream_socket connectto;
#line 26
#line 26
allow hal_bluetooth bluetooth_audio_hal_prop:property_service set;
#line 26
#line 26
allow hal_bluetooth bluetooth_audio_hal_prop:file { getattr open read map };
#line 26
#line 26
#line 27
#line 27
allow hal_bluetooth property_socket:sock_file write;
#line 27
allow hal_bluetooth init:unix_stream_socket connectto;
#line 27
#line 27
allow hal_bluetooth bluetooth_prop:property_service set;
#line 27
#line 27
allow hal_bluetooth bluetooth_prop:file { getattr open read map };
#line 27
#line 27
#line 28
#line 28
allow hal_bluetooth property_socket:sock_file write;
#line 28
allow hal_bluetooth init:unix_stream_socket connectto;
#line 28
#line 28
allow hal_bluetooth exported_bluetooth_prop:property_service set;
#line 28
#line 28
allow hal_bluetooth exported_bluetooth_prop:file { getattr open read map };
#line 28
#line 28
# /proc access (bluesleep etc.).
allow hal_bluetooth proc_bluetooth_writable:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# allow to run with real-time scheduling policy
allow hal_bluetooth self:{ capability cap_userns } sys_nice;
#line 1 "system/sepolicy/public/hal_bootctl.te"
# HwBinder IPC from client to server, and callbacks
# The server is a full binderservice (servicemanager may call back into it
# and getpidcon it); HIDL and AIDL registration is limited to the server.
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_bootctl_client hal_bootctl_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_bootctl_server hal_bootctl_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_bootctl_client hal_bootctl_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_bootctl_server hal_bootctl_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_bootctl_client hal_bootctl_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_bootctl_server hal_bootctl_client:fd use;
#line 3
#line 4
# Call the servicemanager and transfer references to it.
#line 4
allow hal_bootctl_server servicemanager:binder { call transfer };
#line 4
# Allow servicemanager to send out callbacks
#line 4
allow servicemanager hal_bootctl_server:binder { call transfer };
#line 4
# servicemanager performs getpidcon on clients.
#line 4
allow servicemanager hal_bootctl_server:dir search;
#line 4
allow servicemanager hal_bootctl_server:file { read open };
#line 4
allow servicemanager hal_bootctl_server:process getattr;
#line 4
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 4
# all domains in domain.te.
#line 4
#line 6
allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
#line 6
#line 6
allow hal_bootctl_server hal_bootctl_hwservice:hwservice_manager { add find };
#line 6
allow hal_bootctl_server hidl_base_hwservice:hwservice_manager add;
#line 6
neverallow { domain -hal_bootctl_server } hal_bootctl_hwservice:hwservice_manager add;
#line 6
#line 6
#line 6
#line 6
# Read-only access to the kernel bootconfig exposed under /proc.
allow hal_bootctl_server proc_bootconfig:file { getattr open read ioctl lock map watch watch_reads };
# Needed to wait for AIDL hal services
#line 10
allow hal_bootctl_client hal_bootctl_service:service_manager find;
#line 10
#line 10
allow hal_bootctl_server hal_bootctl_service:service_manager { add find };
#line 10
neverallow { domain -hal_bootctl_server } hal_bootctl_service:service_manager add;
#line 10
#line 10
# On debug builds with root, allow binder services to use binder over TCP.
#line 10
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 10
#line 10
#line 10
#line 10
#line 10
;
#line 1 "system/sepolicy/public/hal_broadcastradio.te"
# hal_broadcastradio: broadcast-radio HAL. Bidirectional binder IPC between
# hal_broadcastradio_client and hal_broadcastradio_server, HIDL and AIDL
# service registration restricted to the server, and binder access to
# servicemanager. Note that servicemanager is granted only binder transfer
# and fd use toward this server here, not the dir/file/process lookups some
# other HAL files grant it.
#line 1
# Call the server domain and optionally transfer references to it.
#line 1
allow hal_broadcastradio_client hal_broadcastradio_server:binder { call transfer };
#line 1
# Allow the serverdomain to transfer references to the client on the reply.
#line 1
allow hal_broadcastradio_server hal_broadcastradio_client:binder transfer;
#line 1
# Receive and use open files from the server.
#line 1
allow hal_broadcastradio_client hal_broadcastradio_server:fd use;
#line 1
#line 2
# Reverse direction (server -> client) for callbacks.
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_broadcastradio_server hal_broadcastradio_client:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_broadcastradio_client hal_broadcastradio_server:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_broadcastradio_server hal_broadcastradio_client:fd use;
#line 2
#line 4
# HIDL registration: clients find, only the server may add (neverallow
# makes any other registrant a policy build failure).
allow hal_broadcastradio_client hal_broadcastradio_hwservice:hwservice_manager find;
#line 4
#line 4
allow hal_broadcastradio_server hal_broadcastradio_hwservice:hwservice_manager { add find };
#line 4
allow hal_broadcastradio_server hidl_base_hwservice:hwservice_manager add;
#line 4
neverallow { domain -hal_broadcastradio_server } hal_broadcastradio_hwservice:hwservice_manager add;
#line 4
#line 4
#line 4
#line 4
#line 5
# AIDL registration with the same find/add split on service_manager.
allow hal_broadcastradio_client hal_broadcastradio_service:service_manager find;
#line 5
#line 5
allow hal_broadcastradio_server hal_broadcastradio_service:service_manager { add find };
#line 5
neverallow { domain -hal_broadcastradio_server } hal_broadcastradio_service:service_manager add;
#line 5
#line 5
# On debug builds with root, allow binder services to use binder over TCP.
#line 5
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 5
#line 5
#line 5
#line 5
#line 5
# NOTE(review): the debug-only rules described by the two comments above
# appear to have been compiled out of this build; only the comments remain.
#line 7
# Server <-> servicemanager binder IPC (call/transfer outbound, transfer and
# fd use inbound).
# Call the server domain and optionally transfer references to it.
#line 7
allow hal_broadcastradio_server servicemanager:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow servicemanager hal_broadcastradio_server:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow hal_broadcastradio_server servicemanager:fd use;
#line 7
#line 1 "system/sepolicy/public/hal_camera.te"
# hal_camera: camera HAL. Binder IPC between hal_camera_client and
# hal_camera_server, HIDL/AIDL registration restricted to the server, raw
# access to the camera/video/ion device nodes, fd sharing with apps and
# graphics allocators, and three neverallows that pin the server's sandbox:
# no execute without a domain transition, no IP sockets, and no direct
# camera_device access from any other HAL server.
# HwBinder IPC from clients to server and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_camera_client hal_camera_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_camera_server hal_camera_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_camera_client hal_camera_server:fd use;
#line 2
#line 3
# Reverse direction (server -> client) for callbacks.
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_camera_server hal_camera_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_camera_client hal_camera_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_camera_server hal_camera_client:fd use;
#line 3
#binder IPC from client to service manager and callbacks
#line 6
# Call the servicemanager and transfer references to it.
#line 6
allow hal_camera_server servicemanager:binder { call transfer };
#line 6
# Allow servicemanager to send out callbacks
#line 6
allow servicemanager hal_camera_server:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
#line 6
allow servicemanager hal_camera_server:dir search;
#line 6
allow servicemanager hal_camera_server:file { read open };
#line 6
allow servicemanager hal_camera_server:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6
#line 8
# HIDL registration: clients find, only the server may add.
allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
#line 8
#line 8
allow hal_camera_server hal_camera_hwservice:hwservice_manager { add find };
#line 8
allow hal_camera_server hidl_base_hwservice:hwservice_manager add;
#line 8
neverallow { domain -hal_camera_server } hal_camera_hwservice:hwservice_manager add;
#line 8
#line 8
#line 8
#line 8
#line 9
# AIDL registration with the same find/add split on service_manager.
allow hal_camera_client hal_camera_service:service_manager find;
#line 9
#line 9
allow hal_camera_server hal_camera_service:service_manager { add find };
#line 9
neverallow { domain -hal_camera_server } hal_camera_service:service_manager add;
#line 9
#line 9
# On debug builds with root, allow binder services to use binder over TCP.
#line 9
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 9
#line 9
#line 9
#line 9
#line 9
# NOTE(review): the debug-only rules described by the two comments above
# appear to have been compiled out of this build; only the comments remain.
# Device-node access. Directory perms are read/search only; video_device,
# camera_device and ion_device character devices get read+write (the
# expanded r/w file permission sets), while dmabuf_system_heap_device is
# read-only.
allow hal_camera device:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_camera video_device:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_camera video_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_camera camera_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_camera ion_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_camera dmabuf_system_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# Both the client and the server need to use the graphics allocator
allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
# Allow hal_camera to use fd from app,gralloc,and ashmem HAL
# isolated_app is deliberately excluded from the fd-passing grant.
allow hal_camera { appdomain -isolated_app }:fd use;
allow hal_camera surfaceflinger:fd use;
allow hal_camera hal_allocator_server:fd use;
# Needed to provide debug dump output via dumpsys' pipes.
allow hal_camera shell:fd use;
allow hal_camera shell:fifo_file write;
###
### neverallow rules
###
# hal_camera should never execute any executable without a
# domain transition
neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
# hal_camera should never need network access. Disallow network sockets.
# Applies to every socket label ({ domain }), so no TCP, UDP or raw IP
# socket may be created or used by the server regardless of its origin.
neverallow hal_camera_server { domain }:{ tcp_socket udp_socket rawip_socket } *;
# Only camera HAL may directly access the camera hardware
# Every other HAL server attribute is denied all chr_file perms on
# camera_device; access must go through this HAL's binder interface.
neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
<!-- placeholder removed -->
#line 1 "system/sepolicy/public/hal_cas.te"
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_cas_client hal_cas_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_cas_server hal_cas_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_cas_client hal_cas_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_cas_server hal_cas_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_cas_client hal_cas_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_cas_server hal_cas_client:fd use;
#line 3
#line 5
allow hal_cas_client hal_cas_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_cas_server hal_cas_hwservice:hwservice_manager { add find };
#line 5
allow hal_cas_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_cas_server } hal_cas_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
#line 8
allow hal_cas_client hal_cas_service:service_manager find;
#line 8
#line 8
allow hal_cas_server hal_cas_service:service_manager { add find };
#line 8
neverallow { domain -hal_cas_server } hal_cas_service:service_manager add;
#line 8
#line 8
# On debug builds with root, allow binder services to use binder over TCP.
#line 8
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 8
#line 8
#line 8
#line 8
#line 8
#line 10
# Call the server domain and optionally transfer references to it.
#line 10
allow hal_cas_server servicemanager:binder { call transfer };
#line 10
# Allow the serverdomain to transfer references to the client on the reply.
#line 10
allow servicemanager hal_cas_server:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow hal_cas_server servicemanager:fd use;
#line 10
#line 11
# Call the server domain and optionally transfer references to it.
#line 11
allow hal_cas_client servicemanager:binder { call transfer };
#line 11
# Allow the serverdomain to transfer references to the client on the reply.
#line 11
allow servicemanager hal_cas_client:binder transfer;
#line 11
# Receive and use open files from the server.
#line 11
allow hal_cas_client servicemanager:fd use;
#line 11
# Permit reading device's serial number from system properties
#line 14
allow hal_cas_server serialno_prop:file { getattr open read map };
#line 14
# Read files already opened under /data
allow hal_cas system_data_file:file { getattr read };
# Read access to pseudo filesystems
#line 20
allow hal_cas cgroup:dir { open getattr read search ioctl lock watch watch_reads };
#line 20
allow hal_cas cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 20
allow hal_cas cgroup:dir { search write };
allow hal_cas cgroup:file { open append write lock map };
#line 24
allow hal_cas cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
#line 24
allow hal_cas cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 24
allow hal_cas cgroup_v2:dir { search write };
allow hal_cas cgroup_v2:file { open append write lock map };
# Allow access to ion memory allocation device
allow hal_cas ion_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_cas hal_graphics_allocator:fd use;
allow hal_cas tee_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
###
### neverallow rules
###
# hal_cas should never execute any executable without a
# domain transition
neverallow hal_cas_server { file_type fs_type }:file execute_no_trans;
# do not allow privileged socket ioctl commands
neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl
#line 43
{
#line 43
# qualcomm rmnet ioctls
#line 43
0x00006900 0x00006902
#line 43
# socket ioctls
#line 43
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 43
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 43
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 43
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 43
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 43
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 43
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 43
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 43
0x00008991 0x00008992 0x00008993 0x00008994
#line 43
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 43
# device and protocol specific ioctls
#line 43
0x000089f0-0x000089ff
#line 43
0x000089e0-0x000089ef
#line 43
# Wireless extension ioctls
#line 43
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 43
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 43
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 43
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 43
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 43
0x00008b34 0x00008b35 0x00008b36
#line 43
# Dev private ioctl i.e. hardware specific ioctls
#line 43
0x00008be0-0x00008bff
#line 43
};
#line 1 "system/sepolicy/public/hal_codec2.te"
#line 1
allow hal_codec2_client media_variant_prop:file { getattr open read map };
#line 1
#line 2
allow hal_codec2_server media_variant_prop:file { getattr open read map };
#line 2
#line 3
allow hal_codec2_client codec2_config_prop:file { getattr open read map };
#line 3
#line 4
allow hal_codec2_server codec2_config_prop:file { getattr open read map };
#line 4
#line 6
# Call the server domain and optionally transfer references to it.
#line 6
allow hal_codec2_client hal_codec2_server:binder { call transfer };
#line 6
# Allow the serverdomain to transfer references to the client on the reply.
#line 6
allow hal_codec2_server hal_codec2_client:binder transfer;
#line 6
# Receive and use open files from the server.
#line 6
allow hal_codec2_client hal_codec2_server:fd use;
#line 6
#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow hal_codec2_server hal_codec2_client:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow hal_codec2_client hal_codec2_server:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow hal_codec2_server hal_codec2_client:fd use;
#line 7
#line 9
allow hal_codec2_client hal_codec2_hwservice:hwservice_manager find;
#line 9
#line 9
allow hal_codec2_server hal_codec2_hwservice:hwservice_manager { add find };
#line 9
allow hal_codec2_server hidl_base_hwservice:hwservice_manager add;
#line 9
neverallow { domain -hal_codec2_server } hal_codec2_hwservice:hwservice_manager add;
#line 9
#line 9
#line 9
#line 9
#line 10
allow hal_codec2_client hal_codec2_service:service_manager find;
#line 10
#line 10
allow hal_codec2_server hal_codec2_service:service_manager { add find };
#line 10
neverallow { domain -hal_codec2_server } hal_codec2_service:service_manager add;
#line 10
#line 10
# On debug builds with root, allow binder services to use binder over TCP.
#line 10
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 10
#line 10
#line 10
#line 10
#line 10
# The following permissions are added to hal_codec2_server because vendor and
# vndk libraries provided for Codec2 implementation need them.
# Allow server access to composer sync fences
allow hal_codec2_server hal_graphics_composer:fd use;
# Allow both server and client access to ion
allow hal_codec2_server ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# Allow server access to camera HAL's fences
allow hal_codec2_server hal_camera:fd use;
# Receive gralloc buffer FDs from bufferhubd.
allow hal_codec2_server bufferhubd:fd use;
allow hal_codec2_client ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# codec2 aidl graphic buffer allocation waitable object
allow hal_codec2_server su:fifo_file read;
allow hal_codec2_server mediaserver:fifo_file read;
allow hal_codec2_server { appdomain -isolated_app_all }:fifo_file read;
#line 1 "system/sepolicy/public/hal_configstore.te"
# HwBinder IPC from client to server
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_configstore_client hal_configstore_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_configstore_server hal_configstore_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_configstore_client hal_configstore_server:fd use;
#line 2
#line 4
allow hal_configstore_client hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
#line 4
#line 4
allow hal_configstore_server hal_configstore_ISurfaceFlingerConfigs:hwservice_manager { add find };
#line 4
allow hal_configstore_server hidl_base_hwservice:hwservice_manager add;
#line 4
neverallow { domain -hal_configstore_server } hal_configstore_ISurfaceFlingerConfigs:hwservice_manager add;
#line 4
#line 4
#line 4
#line 4
# hal_configstore runs with a strict seccomp filter. Use crash_dump's
# fallback path to collect crash data.
#line 8
#line 8
allow hal_configstore_server anr_data_file:file append;
#line 8
allow hal_configstore_server dumpstate:fd use;
#line 8
allow hal_configstore_server incidentd:fd use;
#line 8
# TODO: Figure out why write is needed.
#line 8
allow hal_configstore_server dumpstate:fifo_file { append write };
#line 8
allow hal_configstore_server incidentd:fifo_file { append write };
#line 8
allow hal_configstore_server system_server:fifo_file { append write };
#line 8
allow hal_configstore_server tombstoned:unix_stream_socket connectto;
#line 8
allow hal_configstore_server tombstoned:fd use;
#line 8
allow hal_configstore_server tombstoned_crash_socket:sock_file write;
#line 8
allow hal_configstore_server tombstone_data_file:file append;
#line 8
###
### neverallow rules
###
# Should never execute an executable without a domain transition
neverallow hal_configstore_server { file_type fs_type }:file execute_no_trans;
# Should never need network access. Disallow sockets except for
# for unix stream/dgram sockets used for logging/debugging.
neverallow hal_configstore_server domain:{
rawip_socket tcp_socket udp_socket
netlink_route_socket netlink_selinux_socket
socket netlink_socket packet_socket key_socket appletalk_socket
netlink_tcpdiag_socket netlink_nflog_socket
netlink_xfrm_socket netlink_audit_socket
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
netlink_rdma_socket netlink_crypto_socket
} *;
neverallow hal_configstore_server {
domain
-hal_configstore_server
-logd
-prng_seeder
-tombstoned
}:{ unix_dgram_socket unix_stream_socket } *;
# Should never need access to anything on /data
neverallow hal_configstore_server {
data_file_type
-anr_data_file # for crash dump collection
-tombstone_data_file # for crash dump collection
}:{ file fifo_file sock_file } *;
# Should never need sdcard access
neverallow hal_configstore_server {
sdcard_type
fuse sdcardfs vfat exfat fuseblk # manual expansion for completeness
}:dir ~getattr;
neverallow hal_configstore_server {
sdcard_type
fuse sdcardfs vfat exfat fuseblk # manual expansion for completeness
}:file *;
# Do not permit access to service_manager and vndservice_manager
neverallow hal_configstore_server *:service_manager *;
# No privileged capabilities
neverallow hal_configstore_server self:{ capability capability2 cap_userns cap2_userns } *;
# No ptracing other processes
neverallow hal_configstore_server *:process ptrace;
# no relabeling
neverallow hal_configstore_server *:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { relabelfrom relabelto };
#line 1 "system/sepolicy/public/hal_confirmationui.te"
# HwBinder IPC from client to server
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_confirmationui_client hal_confirmationui_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_confirmationui_server hal_confirmationui_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_confirmationui_client hal_confirmationui_server:fd use;
#line 2
#line 4
allow hal_confirmationui_client hal_confirmationui_hwservice:hwservice_manager find;
#line 4
#line 4
allow hal_confirmationui_server hal_confirmationui_hwservice:hwservice_manager { add find };
#line 4
allow hal_confirmationui_server hidl_base_hwservice:hwservice_manager add;
#line 4
neverallow { domain -hal_confirmationui_server } hal_confirmationui_hwservice:hwservice_manager add;
#line 4
#line 4
#line 4
#line 4
#line 5
allow hal_confirmationui_client hal_confirmationui_service:service_manager find;
#line 5
#line 5
allow hal_confirmationui_server hal_confirmationui_service:service_manager { add find };
#line 5
neverallow { domain -hal_confirmationui_server } hal_confirmationui_service:service_manager add;
#line 5
#line 5
# On debug builds with root, allow binder services to use binder over TCP.
#line 5
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 5
#line 5
#line 5
#line 5
#line 5
#line 6
# Call the server domain and optionally transfer references to it.
#line 6
allow hal_confirmationui_server servicemanager:binder { call transfer };
#line 6
# Allow the serverdomain to transfer references to the client on the reply.
#line 6
allow servicemanager hal_confirmationui_server:binder transfer;
#line 6
# Receive and use open files from the server.
#line 6
allow hal_confirmationui_server servicemanager:fd use;
#line 6
#line 1 "system/sepolicy/public/hal_contexthub.te"
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_contexthub_client hal_contexthub_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_contexthub_server hal_contexthub_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_contexthub_client hal_contexthub_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_contexthub_server hal_contexthub_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_contexthub_client hal_contexthub_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_contexthub_server hal_contexthub_client:fd use;
#line 3
#line 5
allow hal_contexthub_server hal_contexthub_service:service_manager { add find };
#line 5
neverallow { domain -hal_contexthub_server } hal_contexthub_service:service_manager add;
#line 5
#line 5
# On debug builds with root, allow binder services to use binder over TCP.
#line 5
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 5
#line 5
#line 6
# Call the server domain and optionally transfer references to it.
#line 6
allow hal_contexthub_server servicemanager:binder { call transfer };
#line 6
# Allow the serverdomain to transfer references to the client on the reply.
#line 6
allow servicemanager hal_contexthub_server:binder transfer;
#line 6
# Receive and use open files from the server.
#line 6
allow hal_contexthub_server servicemanager:fd use;
#line 6
allow hal_contexthub_client hal_contexthub_service:service_manager find;
#line 10
allow hal_contexthub_client hal_contexthub_hwservice:hwservice_manager find;
#line 10
#line 10
allow hal_contexthub_server hal_contexthub_hwservice:hwservice_manager { add find };
#line 10
allow hal_contexthub_server hidl_base_hwservice:hwservice_manager add;
#line 10
neverallow { domain -hal_contexthub_server } hal_contexthub_hwservice:hwservice_manager add;
#line 10
#line 10
#line 10
#line 10
#line 1 "system/sepolicy/public/hal_drm.te"
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the servicemanager and transfer references to it.
#line 2
allow hal_drm_server servicemanager:binder { call transfer };
#line 2
# Allow servicemanager to send out callbacks
#line 2
allow servicemanager hal_drm_server:binder { call transfer };
#line 2
# servicemanager performs getpidcon on clients.
#line 2
allow servicemanager hal_drm_server:dir search;
#line 2
allow servicemanager hal_drm_server:file { read open };
#line 2
allow servicemanager hal_drm_server:process getattr;
#line 2
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 2
# all domains in domain.te.
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_drm_client hal_drm_server:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_drm_server hal_drm_client:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_drm_client hal_drm_server:fd use;
#line 3
#line 4
# Call the server domain and optionally transfer references to it.
#line 4
allow hal_drm_server hal_drm_client:binder { call transfer };
#line 4
# Allow the serverdomain to transfer references to the client on the reply.
#line 4
allow hal_drm_client hal_drm_server:binder transfer;
#line 4
# Receive and use open files from the server.
#line 4
allow hal_drm_server hal_drm_client:fd use;
#line 4
#line 6
allow hal_drm_client hal_drm_hwservice:hwservice_manager find;
#line 6
#line 6
allow hal_drm_server hal_drm_hwservice:hwservice_manager { add find };
#line 6
allow hal_drm_server hidl_base_hwservice:hwservice_manager add;
#line 6
neverallow { domain -hal_drm_server } hal_drm_hwservice:hwservice_manager add;
#line 6
#line 6
#line 6
#line 6
#line 7
allow hal_drm_client hal_drm_service:service_manager find;
#line 7
#line 7
allow hal_drm_server hal_drm_service:service_manager { add find };
#line 7
neverallow { domain -hal_drm_server } hal_drm_service:service_manager add;
#line 7
#line 7
# On debug builds with root, allow binder services to use binder over TCP.
#line 7
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 7
#line 7
#line 7
#line 7
#line 7
# hal_drm (the attribute, i.e. every DRM HAL domain) may look up the hidl_memory
# allocator's hwservice; the hal_allocator_server fd rule further down is the
# matching half of that path.
allow hal_drm hidl_memory_hwservice:hwservice_manager find;
# Required by Widevine DRM (b/22990512)
# NOTE(review): execmem (writable+executable anonymous memory) is granted on the
# whole hal_drm attribute rather than on hal_drm_server only, so every domain
# carrying the attribute inherits it.
allow hal_drm self:process execmem;
# Permit reading device's serial number from system properties
#line 15
allow hal_drm_server serialno_prop:file { getattr open read map };
#line 15
# Permit reading force L3 system property
#line 17
allow hal_drm_server drm_forcel3_prop:file { getattr open read map };
#line 17
# Read files already opened under /data
# (only getattr/read: no open and no dir search, so the fd has to arrive from
# another domain via one of the fd-use rules below)
allow hal_drm system_data_file:file { getattr read };
# Read access to pseudo filesystems
#line 23
allow hal_drm cgroup:dir { open getattr read search ioctl lock watch watch_reads };
#line 23
allow hal_drm cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 23
# Write access to cgroup v1 control files as well (v2 mirror below). The reason
# is not stated in this file — presumably task/cpuset placement; confirm.
allow hal_drm cgroup:dir { search write };
allow hal_drm cgroup:file { open append write lock map };
#line 27
allow hal_drm cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
#line 27
allow hal_drm cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 27
allow hal_drm cgroup_v2:dir { search write };
allow hal_drm cgroup_v2:file { open append write lock map };
# Allow dumpsys Widevine without root
# (no rule follows this comment in this artifact: whatever it guarded expanded
# to nothing here, which looks like a debug-build-only block)
#line 35
# Allow access to ion memory allocation device
# (read+write on the chr_file; fds from the graphics allocator pair with it)
allow hal_drm ion_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_drm hal_graphics_allocator:fd use;
# Allow access to hidl_memory allocation service
allow hal_drm hal_allocator_server:fd use;
# Allow access to fds allocated by mediaserver
allow hal_drm mediaserver:fd use;
# Read-only sysfs files; read+write on the TEE device.
allow hal_drm sysfs:file { getattr open read ioctl lock map watch watch_reads };
allow hal_drm tee_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# fds handed over by any app domain except isolated_app may be used by the server
allow hal_drm_server { appdomain -isolated_app }:fd use;
# only allow unprivileged socket ioctl commands
# Extended-permission allowlist on the HAL's own raw/tcp/udp sockets: the first
# group is the interface-query socket ioctls and wireless-extension "get"
# requests named in the inline comments, the second is a set from the 0x54xx
# (tty/fd) ioctl range. Any ioctl command not listed is denied at the xperm
# level; the neverallowxperm at the end of this file pins the privileged ones.
allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
ioctl {
#line 55
{
#line 55
# Socket ioctls for gathering information about the interface
#line 55
0x00008906 0x00008907
#line 55
0x00008910 0x00008912 0x00008913 0x00008915 0x00008917 0x00008919
#line 55
0x0000891b 0x00008921 0x00008933 0x00008938 0x00008942
#line 55
# Wireless extension ioctls. Primarily get functions.
#line 55
0x00008b01 0x00008b05 0x00008b07 0x00008b09 0x00008b0b 0x00008b0d
#line 55
0x00008b0f 0x00008b11 0x00008b12 0x00008b13 0x00008b21 0x00008b23
#line 55
0x00008b25 0x00008b27 0x00008b29 0x00008b2d
#line 55
} {
#line 55
0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414
#line 55
0x0000540e 0x0000540b 0x00005410 0x0000540f
#line 55
} };
###
### neverallow rules
###
# hal_drm should never execute any executable without a
# domain transition
# (execute_no_trans on every file_type/fs_type label: the server may only run
# code that lands it in a different domain)
neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;
# do not allow privileged socket ioctl commands
# The target is `domain`, i.e. sockets owned by any domain, not only self.
# As a neverallowxperm this is the build-time check vendor policy is held to:
# no rule anywhere may grant hal_drm_server the commands below (interface
# "set" socket ioctls, the device/protocol private ranges, wireless-extension
# set requests and the dev-private 0x8be0-0x8bff range, per the inline comments).
neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl
#line 66
{
#line 66
# qualcomm rmnet ioctls
#line 66
0x00006900 0x00006902
#line 66
# socket ioctls
#line 66
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 66
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 66
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 66
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 66
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 66
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 66
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 66
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 66
0x00008991 0x00008992 0x00008993 0x00008994
#line 66
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 66
# device and protocol specific ioctls
#line 66
0x000089f0-0x000089ff
#line 66
0x000089e0-0x000089ef
#line 66
# Wireless extension ioctls
#line 66
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 66
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 66
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 66
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 66
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 66
0x00008b34 0x00008b35 0x00008b36
#line 66
# Dev private ioctl i.e. hardware specific ioctls
#line 66
0x00008be0-0x00008bff
#line 66
};
#line 1 "system/sepolicy/public/hal_dumpstate.te"
# HwBinder IPC from client to server, and callbacks
# (the two expansions below grant call/transfer in each direction and let each
# side use fds received from its peer)
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_dumpstate_client hal_dumpstate_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_dumpstate_server hal_dumpstate_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_dumpstate_client hal_dumpstate_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_dumpstate_server hal_dumpstate_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_dumpstate_client hal_dumpstate_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_dumpstate_server hal_dumpstate_client:fd use;
#line 3
# Property write path for hal_dumpstate_config_prop: property sets go through
# init's property socket (sock_file write + connectto), the property_service
# rule names the one property the server may set, and the trailing file rule
# is the read side of the same property.
#line 5
#line 5
allow hal_dumpstate_server property_socket:sock_file write;
#line 5
allow hal_dumpstate_server init:unix_stream_socket connectto;
#line 5
#line 5
allow hal_dumpstate_server hal_dumpstate_config_prop:property_service set;
#line 5
#line 5
allow hal_dumpstate_server hal_dumpstate_config_prop:file { getattr open read map };
#line 5
#line 5
# HIDL registration: only hal_dumpstate_server may add hal_dumpstate_hwservice;
# the neverallow turns that into a build-time check on every other domain.
#line 7
allow hal_dumpstate_client hal_dumpstate_hwservice:hwservice_manager find;
#line 7
#line 7
allow hal_dumpstate_server hal_dumpstate_hwservice:hwservice_manager { add find };
#line 7
allow hal_dumpstate_server hidl_base_hwservice:hwservice_manager add;
#line 7
neverallow { domain -hal_dumpstate_server } hal_dumpstate_hwservice:hwservice_manager add;
#line 7
#line 7
#line 7
#line 7
# AIDL registration, same shape, for hal_dumpstate_service.
#line 8
allow hal_dumpstate_client hal_dumpstate_service:service_manager find;
#line 8
#line 8
allow hal_dumpstate_server hal_dumpstate_service:service_manager { add find };
#line 8
neverallow { domain -hal_dumpstate_server } hal_dumpstate_service:service_manager add;
#line 8
#line 8
# On debug builds with root, allow binder services to use binder over TCP.
#line 8
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# (no rule follows in this artifact: the debug-only block expanded to nothing)
#line 8
#line 8
#line 8
#line 8
#line 8
# Plain binder call/transfer from the server to servicemanager (one direction,
# plus use of fds servicemanager hands back).
#line 10
# Call the server domain and optionally transfer references to it.
#line 10
allow hal_dumpstate_server servicemanager:binder { call transfer };
#line 10
# Allow the serverdomain to transfer references to the client on the reply.
#line 10
allow servicemanager hal_dumpstate_server:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow hal_dumpstate_server servicemanager:fd use;
#line 10
# Full binder use with servicemanager: callbacks in both directions, and the
# dir search / file read / process getattr on the server's label that
# servicemanager's getpidcon needs.
#line 12
# Call the servicemanager and transfer references to it.
#line 12
allow hal_dumpstate_server servicemanager:binder { call transfer };
#line 12
# Allow servicemanager to send out callbacks
#line 12
allow servicemanager hal_dumpstate_server:binder { call transfer };
#line 12
# servicemanager performs getpidcon on clients.
#line 12
allow servicemanager hal_dumpstate_server:dir search;
#line 12
allow servicemanager hal_dumpstate_server:file { read open };
#line 12
allow servicemanager hal_dumpstate_server:process getattr;
#line 12
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 12
# all domains in domain.te.
#line 12
# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
# (write only: no open, create or dir search on shell_data_file is granted
# here, so the report file is presumably handed in as an fd by the client —
# confirm against the caller)
allow hal_dumpstate shell_data_file:file write;
# allow reading /proc/interrupts for all hal impls
allow hal_dumpstate proc_interrupts:file { getattr open read ioctl lock map watch watch_reads };
# Log fsck results
# (read-only on the fscklogs directory and the files/symlinks in it)
#line 20
allow hal_dumpstate fscklogs:dir { open getattr read search ioctl lock watch watch_reads };
#line 20
allow hal_dumpstate fscklogs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 20
#line 1 "system/sepolicy/public/hal_evs.te"
# Both the EVS client and server attributes get full hwbinder use with
# hwservicemanager: call/transfer each way plus the dir search / file read+map
# / process getattr on their labels that hwservicemanager's getpidcon needs.
#line 1
# Call the hwservicemanager and transfer references to it.
#line 1
allow hal_evs_client hwservicemanager:binder { call transfer };
#line 1
# Allow hwservicemanager to send out callbacks
#line 1
allow hwservicemanager hal_evs_client:binder { call transfer };
#line 1
# hwservicemanager performs getpidcon on clients.
#line 1
allow hwservicemanager hal_evs_client:dir search;
#line 1
allow hwservicemanager hal_evs_client:file { read open map };
#line 1
allow hwservicemanager hal_evs_client:process getattr;
#line 1
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 1
# all domains in domain.te.
#line 1
#line 2
# Call the hwservicemanager and transfer references to it.
#line 2
allow hal_evs_server hwservicemanager:binder { call transfer };
#line 2
# Allow hwservicemanager to send out callbacks
#line 2
allow hwservicemanager hal_evs_server:binder { call transfer };
#line 2
# hwservicemanager performs getpidcon on clients.
#line 2
allow hwservicemanager hal_evs_server:dir search;
#line 2
allow hwservicemanager hal_evs_server:file { read open map };
#line 2
allow hwservicemanager hal_evs_server:process getattr;
#line 2
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 2
# all domains in domain.te.
#line 2
# Client <-> server IPC in both directions, with fd use of whatever the peer
# passes over.
#line 4
# Call the server domain and optionally transfer references to it.
#line 4
allow hal_evs_client hal_evs_server:binder { call transfer };
#line 4
# Allow the serverdomain to transfer references to the client on the reply.
#line 4
allow hal_evs_server hal_evs_client:binder transfer;
#line 4
# Receive and use open files from the server.
#line 4
allow hal_evs_client hal_evs_server:fd use;
#line 4
#line 5
# Call the server domain and optionally transfer references to it.
#line 5
allow hal_evs_server hal_evs_client:binder { call transfer };
#line 5
# Allow the serverdomain to transfer references to the client on the reply.
#line 5
allow hal_evs_client hal_evs_server:binder transfer;
#line 5
# Receive and use open files from the server.
#line 5
allow hal_evs_server hal_evs_client:fd use;
#line 5
# Below lines are equivalent to hal_attribute_hwservice(hal_evs, hal_evs_hwservice)
# except it allows evsmanagerd to add hal_evs_hwservice.
# NOTE(review): the evsmanagerd carve-out in the neverallow means the
# registration lock for hal_evs_hwservice is weaker than the macro's; any
# further registrant would need an explicit exemption added here, and the
# hand-written block has to be kept in step with the macro if it changes.
allow hal_evs_client hal_evs_hwservice:hwservice_manager find;
allow hal_evs_server hal_evs_hwservice:hwservice_manager { add find };
allow hal_evs_server hidl_base_hwservice:hwservice_manager add;
neverallow { domain -hal_evs_server -evsmanagerd } hal_evs_hwservice:hwservice_manager add;
# Allows to add a service
# (AIDL registration for hal_evs_service; here only hal_evs_server may add it,
# with no evsmanagerd exemption)
#line 15
allow hal_evs_client hal_evs_service:service_manager find;
#line 15
#line 15
allow hal_evs_server hal_evs_service:service_manager { add find };
#line 15
neverallow { domain -hal_evs_server } hal_evs_service:service_manager add;
#line 15
#line 15
# On debug builds with root, allow binder services to use binder over TCP.
#line 15
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# (no rule follows in this artifact: the debug-only block expanded to nothing)
#line 15
#line 15
#line 15
#line 15
#line 15
#line 1 "system/sepolicy/public/hal_face.te"
# Allow HwBinder IPC from client to server, and vice versa for callbacks.
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_face_client hal_face_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_face_server hal_face_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_face_client hal_face_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_face_server hal_face_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_face_client hal_face_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_face_server hal_face_client:fd use;
#line 3
# HIDL registration: only hal_face_server may add hal_face_hwservice
# (neverallow-backed, so any other registrant fails at build time).
#line 5
allow hal_face_client hal_face_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_face_server hal_face_hwservice:hwservice_manager { add find };
#line 5
allow hal_face_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_face_server } hal_face_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
# AIDL registration, same shape, for hal_face_service.
#line 6
allow hal_face_client hal_face_service:service_manager find;
#line 6
#line 6
allow hal_face_server hal_face_service:service_manager { add find };
#line 6
neverallow { domain -hal_face_server } hal_face_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# (no rule follows in this artifact: the debug-only block expanded to nothing)
#line 6
#line 6
#line 6
#line 6
#line 6
# Binder use with servicemanager: callbacks both ways plus the accesses
# servicemanager needs for getpidcon on the server.
#line 8
# Call the servicemanager and transfer references to it.
#line 8
allow hal_face_server servicemanager:binder { call transfer };
#line 8
# Allow servicemanager to send out callbacks
#line 8
allow servicemanager hal_face_server:binder { call transfer };
#line 8
# servicemanager performs getpidcon on clients.
#line 8
allow servicemanager hal_face_server:dir search;
#line 8
allow servicemanager hal_face_server:file { read open };
#line 8
allow servicemanager hal_face_server:process getattr;
#line 8
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 8
# all domains in domain.te.
#line 8
# Allow access to the ion memory allocation device.
# (read-only set on the chr_file: no write, unlike the DRM HAL's ion rule)
allow hal_face ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# Allow read/write access to the face template directory.
# Files: create/rename/setattr/unlink plus read and write; no execute and no
# relabel permissions are included. Dir: read/search plus add/remove entries.
allow hal_face face_vendor_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow hal_face face_vendor_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
#line 1 "system/sepolicy/public/hal_fastboot.te"
# allow binder connection from client to server
# (one direction only: the server gets transfer back on the reply but no call
# permission towards the client, so there is no callback path in this file)
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_fastboot_client hal_fastboot_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_fastboot_server hal_fastboot_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_fastboot_client hal_fastboot_server:fd use;
#line 2
# allow client to find the service, allow server to register the service
# (AIDL only: this file has no hwservice_manager rules; the neverallow keeps
# every domain other than hal_fastboot_server from registering the service)
#line 4
allow hal_fastboot_client hal_fastboot_service:service_manager find;
#line 4
#line 4
allow hal_fastboot_server hal_fastboot_service:service_manager { add find };
#line 4
neverallow { domain -hal_fastboot_server } hal_fastboot_service:service_manager add;
#line 4
#line 4
# On debug builds with root, allow binder services to use binder over TCP.
#line 4
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# (no rule follows in this artifact: the debug-only block expanded to nothing)
#line 4
#line 4
#line 4
#line 4
#line 4
# allow binder communication from server to service_manager
#line 6
# Call the server domain and optionally transfer references to it.
#line 6
allow hal_fastboot_server servicemanager:binder { call transfer };
#line 6
# Allow the serverdomain to transfer references to the client on the reply.
#line 6
allow servicemanager hal_fastboot_server:binder transfer;
#line 6
# Receive and use open files from the server.
#line 6
allow hal_fastboot_server servicemanager:fd use;
#line 6
#line 1 "system/sepolicy/public/hal_fingerprint.te"
# HwBinder IPC from client to server, and callbacks
# (call/transfer in each direction plus fd use from the peer)
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_fingerprint_client hal_fingerprint_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_fingerprint_server hal_fingerprint_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_fingerprint_client hal_fingerprint_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_fingerprint_server hal_fingerprint_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_fingerprint_client hal_fingerprint_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_fingerprint_server hal_fingerprint_client:fd use;
#line 3
# HIDL registration: only hal_fingerprint_server may add the hwservice
# (neverallow-backed).
#line 5
allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_fingerprint_server hal_fingerprint_hwservice:hwservice_manager { add find };
#line 5
allow hal_fingerprint_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_fingerprint_server } hal_fingerprint_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
# AIDL registration, same shape, for hal_fingerprint_service.
#line 6
allow hal_fingerprint_client hal_fingerprint_service:service_manager find;
#line 6
#line 6
allow hal_fingerprint_server hal_fingerprint_service:service_manager { add find };
#line 6
neverallow { domain -hal_fingerprint_server } hal_fingerprint_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# (no rule follows in this artifact: the debug-only block expanded to nothing)
#line 6
#line 6
#line 6
#line 6
#line 6
# Binder use with servicemanager: callbacks both ways plus the accesses
# servicemanager needs for getpidcon on the server.
#line 8
# Call the servicemanager and transfer references to it.
#line 8
allow hal_fingerprint_server servicemanager:binder { call transfer };
#line 8
# Allow servicemanager to send out callbacks
#line 8
allow servicemanager hal_fingerprint_server:binder { call transfer };
#line 8
# servicemanager performs getpidcon on clients.
#line 8
allow servicemanager hal_fingerprint_server:dir search;
#line 8
allow servicemanager hal_fingerprint_server:file { read open };
#line 8
allow servicemanager hal_fingerprint_server:process getattr;
#line 8
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 8
# all domains in domain.te.
#line 8
# For memory allocation
# (read-only set on the ion chr_file, no write)
allow hal_fingerprint ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# Fingerprint template storage: create/rename/setattr/unlink plus read and
# write on files (no execute, no relabel); read/search plus add/remove entries
# on the directory.
allow hal_fingerprint fingerprint_vendor_data_file:file { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } };
allow hal_fingerprint fingerprint_vendor_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
# Read-only access to cgroup (v1 and v2) and sysfs directories and files.
# Unlike the DRM HAL, no cgroup write permission is granted here.
#line 16
allow hal_fingerprint cgroup:dir { open getattr read search ioctl lock watch watch_reads };
#line 16
allow hal_fingerprint cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 16
#line 17
allow hal_fingerprint cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
#line 17
allow hal_fingerprint cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 17
#line 18
allow hal_fingerprint sysfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 18
allow hal_fingerprint sysfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 18
#line 1 "system/sepolicy/public/hal_gatekeeper.te"
# Client -> server binder only: the server gets transfer back on the reply but
# no call permission towards the client, so no callback path is granted here.
#line 1
# Call the server domain and optionally transfer references to it.
#line 1
allow hal_gatekeeper_client hal_gatekeeper_server:binder { call transfer };
#line 1
# Allow the serverdomain to transfer references to the client on the reply.
#line 1
allow hal_gatekeeper_server hal_gatekeeper_client:binder transfer;
#line 1
# Receive and use open files from the server.
#line 1
allow hal_gatekeeper_client hal_gatekeeper_server:fd use;
#line 1
# HIDL registration: only hal_gatekeeper_server may add the hwservice
# (neverallow-backed).
#line 3
allow hal_gatekeeper_client hal_gatekeeper_hwservice:hwservice_manager find;
#line 3
#line 3
allow hal_gatekeeper_server hal_gatekeeper_hwservice:hwservice_manager { add find };
#line 3
allow hal_gatekeeper_server hidl_base_hwservice:hwservice_manager add;
#line 3
neverallow { domain -hal_gatekeeper_server } hal_gatekeeper_hwservice:hwservice_manager add;
#line 3
#line 3
#line 3
#line 3
# AIDL registration, same shape, for hal_gatekeeper_service.
#line 4
allow hal_gatekeeper_client hal_gatekeeper_service:service_manager find;
#line 4
#line 4
allow hal_gatekeeper_server hal_gatekeeper_service:service_manager { add find };
#line 4
neverallow { domain -hal_gatekeeper_server } hal_gatekeeper_service:service_manager add;
#line 4
#line 4
# On debug builds with root, allow binder services to use binder over TCP.
#line 4
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# (no rule follows in this artifact: the debug-only block expanded to nothing)
#line 4
#line 4
#line 4
#line 4
#line 4
# Plain binder call/transfer from the server to servicemanager.
#line 5
# Call the server domain and optionally transfer references to it.
#line 5
allow hal_gatekeeper_server servicemanager:binder { call transfer };
#line 5
# Allow the serverdomain to transfer references to the client on the reply.
#line 5
allow servicemanager hal_gatekeeper_server:binder transfer;
#line 5
# Receive and use open files from the server.
#line 5
allow hal_gatekeeper_server servicemanager:fd use;
#line 5
# TEE access.
# (read+write on tee_device; ion is read-only. Both are granted on the
# hal_gatekeeper attribute, i.e. to client and server domains alike.)
allow hal_gatekeeper tee_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_gatekeeper ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
#line 1 "system/sepolicy/public/hal_gnss.te"
# HwBinder IPC from client to server, and callbacks
# (call/transfer in each direction plus fd use from the peer)
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_gnss_client hal_gnss_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_gnss_server hal_gnss_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_gnss_client hal_gnss_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_gnss_server hal_gnss_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_gnss_client hal_gnss_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_gnss_server hal_gnss_client:fd use;
#line 3
# HIDL registration: only hal_gnss_server may add the hwservice (neverallow-backed).
#line 5
allow hal_gnss_client hal_gnss_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_gnss_server hal_gnss_hwservice:hwservice_manager { add find };
#line 5
allow hal_gnss_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_gnss_server } hal_gnss_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
# AIDL registration, same shape, for hal_gnss_service.
#line 6
allow hal_gnss_client hal_gnss_service:service_manager find;
#line 6
#line 6
allow hal_gnss_server hal_gnss_service:service_manager { add find };
#line 6
neverallow { domain -hal_gnss_server } hal_gnss_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# (no rule follows in this artifact: the debug-only block expanded to nothing)
#line 6
#line 6
#line 6
#line 6
#line 6
# Binder use with servicemanager for the server, then the same for the client
# below: callbacks both ways plus the dir search / file read / process getattr
# that servicemanager's getpidcon needs on each label.
#line 7
# Call the servicemanager and transfer references to it.
#line 7
allow hal_gnss_server servicemanager:binder { call transfer };
#line 7
# Allow servicemanager to send out callbacks
#line 7
allow servicemanager hal_gnss_server:binder { call transfer };
#line 7
# servicemanager performs getpidcon on clients.
#line 7
allow servicemanager hal_gnss_server:dir search;
#line 7
allow servicemanager hal_gnss_server:file { read open };
#line 7
allow servicemanager hal_gnss_server:process getattr;
#line 7
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 7
# all domains in domain.te.
#line 7
#line 8
# Call the servicemanager and transfer references to it.
#line 8
allow hal_gnss_client servicemanager:binder { call transfer };
#line 8
# Allow servicemanager to send out callbacks
#line 8
allow servicemanager hal_gnss_client:binder { call transfer };
#line 8
# servicemanager performs getpidcon on clients.
#line 8
allow servicemanager hal_gnss_client:dir search;
#line 8
allow servicemanager hal_gnss_client:file { read open };
#line 8
allow servicemanager hal_gnss_client:process getattr;
#line 8
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 8
# all domains in domain.te.
#line 8
#line 1 "system/sepolicy/public/hal_graphics_allocator.te"
# HwBinder IPC from client to server
# (one direction only in this file: the server may transfer back on the reply
# but has no call permission towards the client)
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_graphics_allocator_client hal_graphics_allocator_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_graphics_allocator_server hal_graphics_allocator_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_graphics_allocator_client hal_graphics_allocator_server:fd use;
#line 2
# HIDL registration: only hal_graphics_allocator_server may add the hwservice
# (neverallow-backed).
#line 4
allow hal_graphics_allocator_client hal_graphics_allocator_hwservice:hwservice_manager find;
#line 4
#line 4
allow hal_graphics_allocator_server hal_graphics_allocator_hwservice:hwservice_manager { add find };
#line 4
allow hal_graphics_allocator_server hidl_base_hwservice:hwservice_manager add;
#line 4
neverallow { domain -hal_graphics_allocator_server } hal_graphics_allocator_hwservice:hwservice_manager add;
#line 4
#line 4
#line 4
#line 4
# Clients may look up the mapper (HIDL and AIDL) and load/execute
# same_process_hal_file libraries — presumably the in-process mapper
# implementation; not stated here, confirm.
allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
allow hal_graphics_allocator_client hal_graphics_mapper_service:service_manager find;
allow hal_graphics_allocator_client same_process_hal_file:file { execute read open getattr map };
# GPU device access
# (read+write on gpu_device nodes; ion and the dmabuf system heap are read-only)
allow hal_graphics_allocator gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_graphics_allocator gpu_device:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_graphics_allocator ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow hal_graphics_allocator dmabuf_system_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# Access the secure heap
# (same read-only permission set as the system heap)
allow hal_graphics_allocator dmabuf_system_secure_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# allow to run with real-time scheduling policy
# (sys_nice on self, in the init namespace and in user namespaces)
allow hal_graphics_allocator self:{ capability cap_userns } sys_nice;
# IAllocator stable-aidl
# (AIDL registration, neverallow-backed like the HIDL one above)
#line 22
allow hal_graphics_allocator_client hal_graphics_allocator_service:service_manager find;
#line 22
#line 22
allow hal_graphics_allocator_server hal_graphics_allocator_service:service_manager { add find };
#line 22
neverallow { domain -hal_graphics_allocator_server } hal_graphics_allocator_service:service_manager add;
#line 22
#line 22
# On debug builds with root, allow binder services to use binder over TCP.
#line 22
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# (no rule follows in this artifact: the debug-only block expanded to nothing)
#line 22
#line 22
#line 22
#line 22
#line 22
# Plain binder call/transfer to servicemanager for the server and, below,
# for the client.
#line 23
# Call the server domain and optionally transfer references to it.
#line 23
allow hal_graphics_allocator_server servicemanager:binder { call transfer };
#line 23
# Allow the serverdomain to transfer references to the client on the reply.
#line 23
allow servicemanager hal_graphics_allocator_server:binder transfer;
#line 23
# Receive and use open files from the server.
#line 23
allow hal_graphics_allocator_server servicemanager:fd use;
#line 23
#line 24
# Call the server domain and optionally transfer references to it.
#line 24
allow hal_graphics_allocator_client servicemanager:binder { call transfer };
#line 24
# Allow the serverdomain to transfer references to the client on the reply.
#line 24
allow servicemanager hal_graphics_allocator_client:binder transfer;
#line 24
# Receive and use open files from the server.
#line 24
allow hal_graphics_allocator_client servicemanager:fd use;
#line 24
#line 1 "system/sepolicy/public/hal_graphics_composer.te"
# Labels for the shared tmpfs files each side exposes to the other (used by
# the two cross-domain tmpfs rules below). The client side is an attribute
# with expandattribute true, so its members are expanded in-line when the
# policy is compiled.
type hal_graphics_composer_server_tmpfs, file_type;
attribute hal_graphics_composer_client_tmpfs;
expandattribute hal_graphics_composer_client_tmpfs true;
# HwBinder IPC from client to server, and callbacks
# (call/transfer in each direction plus fd use from the peer)
#line 6
# Call the server domain and optionally transfer references to it.
#line 6
allow hal_graphics_composer_client hal_graphics_composer_server:binder { call transfer };
#line 6
# Allow the serverdomain to transfer references to the client on the reply.
#line 6
allow hal_graphics_composer_server hal_graphics_composer_client:binder transfer;
#line 6
# Receive and use open files from the server.
#line 6
allow hal_graphics_composer_client hal_graphics_composer_server:fd use;
#line 6
#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow hal_graphics_composer_server hal_graphics_composer_client:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow hal_graphics_composer_client hal_graphics_composer_server:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow hal_graphics_composer_server hal_graphics_composer_client:fd use;
#line 7
# Each side may map and read/write the other's tmpfs files (no open: the fd is
# expected to arrive over binder, covered by the fd use rules above).
allow hal_graphics_composer_client hal_graphics_composer_server_tmpfs:file { getattr map read write };
allow hal_graphics_composer_server hal_graphics_composer_client_tmpfs:file { getattr map read write };
# HIDL registration: only hal_graphics_composer_server may add the hwservice
# (neverallow-backed).
#line 11
allow hal_graphics_composer_client hal_graphics_composer_hwservice:hwservice_manager find;
#line 11
#line 11
allow hal_graphics_composer_server hal_graphics_composer_hwservice:hwservice_manager { add find };
#line 11
allow hal_graphics_composer_server hidl_base_hwservice:hwservice_manager add;
#line 11
neverallow { domain -hal_graphics_composer_server } hal_graphics_composer_hwservice:hwservice_manager add;
#line 11
#line 11
#line 11
#line 11
# Coordinate with hal_graphics_mapper
allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;
# GPU device access
# (read+write on gpu_device nodes; ion and the dmabuf system heap read-only;
# fds from the allocator may be used)
allow hal_graphics_composer gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_graphics_composer gpu_device:dir { open getattr read search ioctl lock watch watch_reads };
allow hal_graphics_composer ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow hal_graphics_composer dmabuf_system_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow hal_graphics_composer hal_graphics_allocator:fd use;
# Access /dev/graphics/fb0.
allow hal_graphics_composer graphics_device:dir search;
allow hal_graphics_composer graphics_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Fences
# (fd use only, on the whole hal_graphics_composer attribute, for fds coming
# from system_server, bootanim and any app domain — including isolated apps,
# since appdomain is not narrowed here)
allow hal_graphics_composer system_server:fd use;
allow hal_graphics_composer bootanim:fd use;
allow hal_graphics_composer appdomain:fd use;
# allow self to set SCHED_FIFO
allow hal_graphics_composer self:{ capability cap_userns } sys_nice;
# allow surfaceflinger to use a pipe for dumpsys output
# (server writes to a fifo labelled with the client domain)
allow hal_graphics_composer_server hal_graphics_composer_client:fifo_file write;
# Plain binder call/transfer to servicemanager for the client and the server.
#line 39
# Call the server domain and optionally transfer references to it.
#line 39
allow hal_graphics_composer_client servicemanager:binder { call transfer };
#line 39
# Allow the serverdomain to transfer references to the client on the reply.
#line 39
allow servicemanager hal_graphics_composer_client:binder transfer;
#line 39
# Receive and use open files from the server.
#line 39
allow hal_graphics_composer_client servicemanager:fd use;
#line 39
#line 40
# Call the server domain and optionally transfer references to it.
#line 40
allow hal_graphics_composer_server servicemanager:binder { call transfer };
#line 40
# Allow the serverdomain to transfer references to the client on the reply.
#line 40
allow servicemanager hal_graphics_composer_server:binder transfer;
#line 40
# Receive and use open files from the server.
#line 40
allow hal_graphics_composer_server servicemanager:fd use;
#line 40
# AIDL registration, neverallow-backed like the HIDL one above.
#line 42
allow hal_graphics_composer_client hal_graphics_composer_service:service_manager find;
#line 42
#line 42
allow hal_graphics_composer_server hal_graphics_composer_service:service_manager { add find };
#line 42
neverallow { domain -hal_graphics_composer_server } hal_graphics_composer_service:service_manager add;
#line 42
#line 42
# On debug builds with root, allow binder services to use binder over TCP.
#line 42
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# (no rule follows in this artifact: the debug-only block expanded to nothing)
#line 42
#line 42
#line 42
#line 42
#line 42
#line 1 "system/sepolicy/public/hal_health.te"
# --- hal_health.te (m4-expanded; rules left byte-identical, comments only) ---
# The `#line N` markers map each expanded rule back to its line in the public
# .te source for checkpolicy diagnostics; the `binder_call()` expansions below
# are emitted in both directions, so the health HAL may call back into its
# clients, not only answer them.
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_health_client hal_health_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_health_server hal_health_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_health_client hal_health_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_health_server hal_health_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_health_client hal_health_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_health_server hal_health_client:fd use;
#line 3
#line 5
# HIDL registration: only hal_health_server may `add` the health hwservice;
# the neverallow below is what the vendor-policy CTS test enforces.
allow hal_health_client hal_health_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_health_server hal_health_hwservice:hwservice_manager { add find };
#line 5
allow hal_health_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_health_server } hal_health_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
# AIDL registration, same shape: registration is restricted to the server.
allow hal_health_client hal_health_service:service_manager find;
#line 6
#line 6
allow hal_health_server hal_health_service:service_manager { add find };
#line 6
neverallow { domain -hal_health_server } hal_health_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
#line 6
#line 6
#line 6
#line 6
# Common rules for a health service.
# Allow to listen to uevents for updates
# Socket creation plus the full read/write/bind/setopt set, but only on a
# NETLINK_KOBJECT_UEVENT socket the HAL itself owns (target is `self`).
allow hal_health_server self:netlink_kobject_uevent_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# Allow to read /sys/class/power_supply directory
# NOTE(review): the target here is the generic `sysfs` type, so directory
# listing/search is granted on any sysfs directory carrying the default label,
# not just /sys/class/power_supply. File contents are only readable through the
# sysfs_batteryinfo rules below, which is why vendors must label those files.
allow hal_health_server sysfs:dir { open getattr read search ioctl lock watch watch_reads };
# Allow to read files under /sys/class/power_supply. Implementations typically have symlinks
# to vendor specific files. Vendors should mark sysfs_batteryinfo on all files read by health
# HAL service.
#line 19
allow hal_health_server sysfs_batteryinfo:dir { open getattr read search ioctl lock watch watch_reads };
#line 19
# Read-only (r_file_perms) on both files and symlinks labelled sysfs_batteryinfo.
allow hal_health_server sysfs_batteryinfo:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 19
# Allow to wake up to send periodic events
#line 22
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 22
# deprecated.
#line 22
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 22
# Read + write (no create/unlink) on the wake_lock/wake_unlock sysfs files.
allow hal_health_server sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 22
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 22
# Granted on capability2 and its user-namespace variant cap2_userns.
allow hal_health_server self:{ capability2 cap2_userns } block_suspend;
#line 22
# system_suspend permissions
#line 22
#line 22
# Call the server domain and optionally transfer references to it.
#line 22
allow hal_health_server system_suspend_server:binder { call transfer };
#line 22
# Allow the serverdomain to transfer references to the client on the reply.
#line 22
allow system_suspend_server hal_health_server:binder transfer;
#line 22
# Receive and use open files from the server.
#line 22
allow hal_health_server system_suspend_server:fd use;
#line 22
#line 22
allow hal_health_server system_suspend_hwservice:hwservice_manager find;
#line 22
# halclientdomain permissions
#line 22
#line 22
# Call the hwservicemanager and transfer references to it.
#line 22
allow hal_health_server hwservicemanager:binder { call transfer };
#line 22
# Allow hwservicemanager to send out callbacks
#line 22
allow hwservicemanager hal_health_server:binder { call transfer };
#line 22
# hwservicemanager performs getpidcon on clients.
#line 22
# These three rules let hwservicemanager read /proc/<pid> of the HAL to
# resolve its security context; they grant nothing to the HAL itself.
allow hwservicemanager hal_health_server:dir search;
#line 22
allow hwservicemanager hal_health_server:file { read open map };
#line 22
allow hwservicemanager hal_health_server:process getattr;
#line 22
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 22
# all domains in domain.te.
#line 22
#line 22
#line 22
allow hal_health_server hwservicemanager_prop:file { getattr open read map };
#line 22
#line 22
allow hal_health_server hidl_manager_hwservice:hwservice_manager find;
#line 22
# AIDL suspend hal permissions
#line 22
allow hal_health_server hal_system_suspend_service:service_manager find;
#line 22
#line 22
# Call the servicemanager and transfer references to it.
#line 22
allow hal_health_server servicemanager:binder { call transfer };
#line 22
# Allow servicemanager to send out callbacks
#line 22
allow servicemanager hal_health_server:binder { call transfer };
#line 22
# servicemanager performs getpidcon on clients.
#line 22
allow servicemanager hal_health_server:dir search;
#line 22
allow servicemanager hal_health_server:file { read open };
#line 22
allow servicemanager hal_health_server:process getattr;
#line 22
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 22
# all domains in domain.te.
#line 22
#line 22
# Write to /dev/kmsg
# Write-only: getattr/open/append/write, no `read` of the kernel log.
allow hal_health_server kmsg_device:chr_file { getattr { open append write lock map } };
# Allow to use timerfd to wake itself up periodically to send health info.
# CAP_WAKE_ALARM on the plain capability2 class only (no cap2_userns here).
allow hal_health_server self:capability2 wake_alarm;
# Use bpf programs
# The HAL may look up pinned objects under fs_bpf_vendor and run (prog_run)
# programs owned by bpfloader; no bpf map_read/map_write is granted here.
allow hal_health_server fs_bpf_vendor:dir search;
allow hal_health_server fs_bpf_vendor:file read;
allow hal_health_server bpfloader:bpf prog_run;
#line 1 "system/sepolicy/public/hal_health_storage.te"
# --- hal_health_storage.te (m4-expanded; rules left byte-identical) ---
# Symmetric binder_call() expansions: the storage-health HAL can both answer
# and call back into its clients.
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_health_storage_client hal_health_storage_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_health_storage_server hal_health_storage_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_health_storage_client hal_health_storage_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_health_storage_server hal_health_storage_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_health_storage_client hal_health_storage_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_health_storage_server hal_health_storage_client:fd use;
#line 3
#line 5
# binder_use() for the server: talk to servicemanager and let servicemanager
# resolve the server's context via /proc/<pid>.
# Call the servicemanager and transfer references to it.
#line 5
allow hal_health_storage_server servicemanager:binder { call transfer };
#line 5
# Allow servicemanager to send out callbacks
#line 5
allow servicemanager hal_health_storage_server:binder { call transfer };
#line 5
# servicemanager performs getpidcon on clients.
#line 5
allow servicemanager hal_health_storage_server:dir search;
#line 5
allow servicemanager hal_health_storage_server:file { read open };
#line 5
allow servicemanager hal_health_storage_server:process getattr;
#line 5
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 5
# all domains in domain.te.
#line 5
#line 7
# HIDL and AIDL registration; both are restricted to the server by neverallow.
allow hal_health_storage_client hal_health_storage_hwservice:hwservice_manager find;
#line 7
#line 7
allow hal_health_storage_server hal_health_storage_hwservice:hwservice_manager { add find };
#line 7
allow hal_health_storage_server hidl_base_hwservice:hwservice_manager add;
#line 7
neverallow { domain -hal_health_storage_server } hal_health_storage_hwservice:hwservice_manager add;
#line 7
#line 7
#line 7
#line 7
#line 8
allow hal_health_storage_client hal_health_storage_service:service_manager find;
#line 8
#line 8
allow hal_health_storage_server hal_health_storage_service:service_manager { add find };
#line 8
neverallow { domain -hal_health_storage_server } hal_health_storage_service:service_manager add;
#line 8
#line 8
# On debug builds with root, allow binder services to use binder over TCP.
#line 8
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 8
#line 8
#line 8
#line 8
#line 8
# Allow ReadDefaultFstab().
# Read-only access needed to locate the fstab: search of /metadata and GSI
# metadata dirs, r_file_perms on the public GSI metadata file and on
# /proc/bootconfig and /proc/cmdline. Nothing here is writable.
#line 11
allow hal_health_storage_server { metadata_file gsi_metadata_file_type }:dir search;
#line 11
allow hal_health_storage_server gsi_public_metadata_file:file { getattr open read ioctl lock map watch watch_reads };
#line 11
allow hal_health_storage_server { proc_bootconfig proc_cmdline }:file { getattr open read ioctl lock map watch watch_reads };
#line 11
#line 1 "system/sepolicy/public/hal_identity.te"
# --- hal_identity.te (m4-expanded; rules left byte-identical) ---
# One-way IPC only: clients may call the server, but no server->client
# `call` rule is emitted here (the server may only `transfer` on the reply),
# so the identity HAL cannot initiate callbacks into its clients.
# HwBinder IPC from client to server
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_identity_client hal_identity_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_identity_server hal_identity_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_identity_client hal_identity_server:fd use;
#line 2
#line 4
# AIDL registration, restricted to hal_identity_server by neverallow.
allow hal_identity_client hal_identity_service:service_manager find;
#line 4
#line 4
allow hal_identity_server hal_identity_service:service_manager { add find };
#line 4
neverallow { domain -hal_identity_server } hal_identity_service:service_manager add;
#line 4
#line 4
# On debug builds with root, allow binder services to use binder over TCP.
#line 4
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 4
#line 4
#line 4
#line 4
#line 4
#line 6
# binder_call(hal_identity_server, servicemanager) so the server can register.
# Call the server domain and optionally transfer references to it.
#line 6
allow hal_identity_server servicemanager:binder { call transfer };
#line 6
# Allow the serverdomain to transfer references to the client on the reply.
#line 6
allow servicemanager hal_identity_server:binder transfer;
#line 6
# Receive and use open files from the server.
#line 6
allow hal_identity_server servicemanager:fd use;
#line 6
#line 1 "system/sepolicy/public/hal_input_classifier.te"
# --- hal_input_classifier.te (m4-expanded; rules left byte-identical) ---
# HIDL-only HAL: one-way client->server binder_call() plus hwservice
# registration. No servicemanager (AIDL) rules are emitted for this HAL.
# HwBinder IPC from client to server
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_input_classifier_client hal_input_classifier_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_input_classifier_server hal_input_classifier_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_input_classifier_client hal_input_classifier_server:fd use;
#line 2
#line 4
# Only hal_input_classifier_server may register the hwservice.
allow hal_input_classifier_client hal_input_classifier_hwservice:hwservice_manager find;
#line 4
#line 4
allow hal_input_classifier_server hal_input_classifier_hwservice:hwservice_manager { add find };
#line 4
allow hal_input_classifier_server hidl_base_hwservice:hwservice_manager add;
#line 4
neverallow { domain -hal_input_classifier_server } hal_input_classifier_hwservice:hwservice_manager add;
#line 4
#line 4
#line 4
#line 4
#line 1 "system/sepolicy/public/hal_input_processor.te"
# --- hal_input_processor.te (m4-expanded; rules left byte-identical) ---
# AIDL successor of hal_input_classifier: one-way client->server IPC,
# servicemanager access for the server, and service registration.
# HwBinder IPC from client to server
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_input_processor_client hal_input_processor_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_input_processor_server hal_input_processor_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_input_processor_client hal_input_processor_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_input_processor_server servicemanager:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow servicemanager hal_input_processor_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_input_processor_server servicemanager:fd use;
#line 3
#line 5
# Registration restricted to hal_input_processor_server by neverallow.
allow hal_input_processor_client hal_input_processor_service:service_manager find;
#line 5
#line 5
allow hal_input_processor_server hal_input_processor_service:service_manager { add find };
#line 5
neverallow { domain -hal_input_processor_server } hal_input_processor_service:service_manager add;
#line 5
#line 5
# On debug builds with root, allow binder services to use binder over TCP.
#line 5
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 5
#line 5
#line 5
#line 5
#line 5
# Allow dumping of the HAL
# Write-only to a dumpstate-owned pipe (the fd arrives via binder); no read.
allow hal_input_processor_server dumpstate:fifo_file write;
#line 1 "system/sepolicy/public/hal_ir.te"
# --- hal_ir.te (m4-expanded; rules left byte-identical) ---
# Bidirectional binder_call() (server may call back into clients), AIDL and
# HIDL registration, both restricted to hal_ir_server by neverallow.
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_ir_client hal_ir_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_ir_server hal_ir_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_ir_client hal_ir_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_ir_server hal_ir_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_ir_client hal_ir_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_ir_server hal_ir_client:fd use;
#line 3
#line 5
allow hal_ir_client hal_ir_service:service_manager find;
#line 5
#line 5
allow hal_ir_server hal_ir_service:service_manager { add find };
#line 5
neverallow { domain -hal_ir_server } hal_ir_service:service_manager add;
#line 5
#line 5
# On debug builds with root, allow binder services to use binder over TCP.
#line 5
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 5
#line 5
#line 5
#line 5
#line 5
#line 6
# Call the server domain and optionally transfer references to it.
#line 6
allow hal_ir_server servicemanager:binder { call transfer };
#line 6
# Allow the serverdomain to transfer references to the client on the reply.
#line 6
allow servicemanager hal_ir_server:binder transfer;
#line 6
# Receive and use open files from the server.
#line 6
allow hal_ir_server servicemanager:fd use;
#line 6
#line 8
# Legacy HIDL registration kept alongside the AIDL one above.
allow hal_ir_client hal_ir_hwservice:hwservice_manager find;
#line 8
#line 8
allow hal_ir_server hal_ir_hwservice:hwservice_manager { add find };
#line 8
allow hal_ir_server hidl_base_hwservice:hwservice_manager add;
#line 8
neverallow { domain -hal_ir_server } hal_ir_hwservice:hwservice_manager add;
#line 8
#line 8
#line 8
#line 8
#line 1 "system/sepolicy/public/hal_ivn.te"
# --- hal_ivn.te (m4-expanded; rules left byte-identical) ---
# AIDL-only, one-way client->server IPC. NOTE(review): this section emits no
# hal_ivn_server -> servicemanager binder rules; the server's ability to reach
# servicemanager for `add` must be granted elsewhere (e.g. by the concrete
# server domain's policy) — confirm before relying on this file alone.
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_ivn_client hal_ivn_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_ivn_server hal_ivn_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_ivn_client hal_ivn_server:fd use;
#line 2
#line 4
# Registration restricted to hal_ivn_server by neverallow.
allow hal_ivn_client hal_ivn_service:service_manager find;
#line 4
#line 4
allow hal_ivn_server hal_ivn_service:service_manager { add find };
#line 4
neverallow { domain -hal_ivn_server } hal_ivn_service:service_manager add;
#line 4
#line 4
# On debug builds with root, allow binder services to use binder over TCP.
#line 4
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 4
#line 4
#line 4
#line 4
#line 1 "system/sepolicy/public/hal_keymaster.te"
# --- hal_keymaster.te (m4-expanded; rules left byte-identical) ---
# Legacy HIDL Keymaster: one-way client->server IPC plus hwservice registration.
# HwBinder IPC from client to server
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_keymaster_client hal_keymaster_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_keymaster_server hal_keymaster_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_keymaster_client hal_keymaster_server:fd use;
#line 2
#line 4
# Only hal_keymaster_server may register the Keymaster hwservice — this is the
# rule that stops another domain from impersonating the key store backend.
allow hal_keymaster_client hal_keymaster_hwservice:hwservice_manager find;
#line 4
#line 4
allow hal_keymaster_server hal_keymaster_hwservice:hwservice_manager { add find };
#line 4
allow hal_keymaster_server hidl_base_hwservice:hwservice_manager add;
#line 4
neverallow { domain -hal_keymaster_server } hal_keymaster_hwservice:hwservice_manager add;
#line 4
#line 4
#line 4
#line 4
# TEE access is granted to the `hal_keymaster` attribute (not only the server
# domain): read+write+ioctl on tee_device, read-only (incl. ioctl/map) on
# ion_device. Whichever domains carry that attribute get this device access.
allow hal_keymaster tee_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_keymaster ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
#line 1 "system/sepolicy/public/hal_keymint.te"
# --- hal_keymint.te (m4-expanded; rules left byte-identical) ---
# AIDL KeyMint: one-way client->server IPC. The server registers two AIDL
# services (KeyMint and RemotelyProvisionedComponent); each has its own
# neverallow so no other domain can publish either interface.
#line 1
# Call the server domain and optionally transfer references to it.
#line 1
allow hal_keymint_client hal_keymint_server:binder { call transfer };
#line 1
# Allow the serverdomain to transfer references to the client on the reply.
#line 1
allow hal_keymint_server hal_keymint_client:binder transfer;
#line 1
# Receive and use open files from the server.
#line 1
allow hal_keymint_client hal_keymint_server:fd use;
#line 1
#line 3
allow hal_keymint_client hal_keymint_service:service_manager find;
#line 3
#line 3
allow hal_keymint_server hal_keymint_service:service_manager { add find };
#line 3
neverallow { domain -hal_keymint_server } hal_keymint_service:service_manager add;
#line 3
#line 3
# On debug builds with root, allow binder services to use binder over TCP.
#line 3
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 3
#line 3
#line 3
#line 3
#line 3
#line 4
# RKP (remote key provisioning) component, published by the same server.
allow hal_keymint_client hal_remotelyprovisionedcomponent_service:service_manager find;
#line 4
#line 4
allow hal_keymint_server hal_remotelyprovisionedcomponent_service:service_manager { add find };
#line 4
neverallow { domain -hal_keymint_server } hal_remotelyprovisionedcomponent_service:service_manager add;
#line 4
#line 4
# On debug builds with root, allow binder services to use binder over TCP.
#line 4
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 4
#line 4
#line 4
#line 4
#line 4
#line 5
# Call the server domain and optionally transfer references to it.
#line 5
allow hal_keymint_server servicemanager:binder { call transfer };
#line 5
# Allow the serverdomain to transfer references to the client on the reply.
#line 5
allow servicemanager hal_keymint_server:binder transfer;
#line 5
# Receive and use open files from the server.
#line 5
allow hal_keymint_server servicemanager:fd use;
#line 5
# Unlike hal_keymaster, TEE/ION device access here is scoped to the server
# domain: read+write+ioctl on tee_device, read-only on ion_device.
allow hal_keymint_server tee_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_keymint_server ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
#line 1 "system/sepolicy/public/hal_light.te"
# --- hal_light.te (m4-expanded; rules left byte-identical) ---
# Bidirectional binder_call(), HIDL + AIDL registration, and binder_use() for
# BOTH server and client (the client also talks to servicemanager directly).
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_light_client hal_light_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_light_server hal_light_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_light_client hal_light_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_light_server hal_light_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_light_client hal_light_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_light_server hal_light_client:fd use;
#line 3
#line 5
allow hal_light_client hal_light_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_light_server hal_light_hwservice:hwservice_manager { add find };
#line 5
allow hal_light_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_light_server } hal_light_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
allow hal_light_client hal_light_service:service_manager find;
#line 6
#line 6
allow hal_light_server hal_light_service:service_manager { add find };
#line 6
neverallow { domain -hal_light_server } hal_light_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
#line 6
#line 6
#line 6
#line 6
#line 8
# Call the server domain and optionally transfer references to it.
#line 8
allow hal_light_server servicemanager:binder { call transfer };
#line 8
# Allow the serverdomain to transfer references to the client on the reply.
#line 8
allow servicemanager hal_light_server:binder transfer;
#line 8
# Receive and use open files from the server.
#line 8
allow hal_light_server servicemanager:fd use;
#line 8
#line 9
# binder_use() for the CLIENT side: servicemanager may call back into and
# getpidcon() any hal_light_client domain.
# Call the servicemanager and transfer references to it.
#line 9
allow hal_light_client servicemanager:binder { call transfer };
#line 9
# Allow servicemanager to send out callbacks
#line 9
allow servicemanager hal_light_client:binder { call transfer };
#line 9
# servicemanager performs getpidcon on clients.
#line 9
allow servicemanager hal_light_client:dir search;
#line 9
allow servicemanager hal_light_client:file { read open };
#line 9
allow servicemanager hal_light_client:process getattr;
#line 9
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 9
# all domains in domain.te.
#line 9
# Write-only to a dumpstate-owned pipe for `dumpsys`.
allow hal_light_server dumpstate:fifo_file write;
# LED sysfs access is granted to the `hal_light` attribute rather than to
# hal_light_server: symlink read, file read+write, directory listing. Any
# domain carrying the attribute can therefore drive sysfs_leds.
allow hal_light sysfs_leds:lnk_file read;
allow hal_light sysfs_leds:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_light sysfs_leds:dir { open getattr read search ioctl lock watch watch_reads };
#line 1 "system/sepolicy/public/hal_lowpan.te"
# --- hal_lowpan.te (m4-expanded; rules left byte-identical) ---
# HIDL-only LoWPAN HAL with bidirectional binder_call(), property-set rights
# on lowpan_prop, rw access to the LoWPAN device node, and a neverallow that
# reserves that node for the HAL.
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_lowpan_client hal_lowpan_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_lowpan_server hal_lowpan_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_lowpan_client hal_lowpan_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_lowpan_server hal_lowpan_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_lowpan_client hal_lowpan_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_lowpan_server hal_lowpan_client:fd use;
#line 3
# Allow hal_lowpan_client to be able to find the hal_lowpan_server
#line 7
allow hal_lowpan_client hal_lowpan_hwservice:hwservice_manager find;
#line 7
#line 7
allow hal_lowpan_server hal_lowpan_hwservice:hwservice_manager { add find };
#line 7
allow hal_lowpan_server hidl_base_hwservice:hwservice_manager add;
#line 7
neverallow { domain -hal_lowpan_server } hal_lowpan_hwservice:hwservice_manager add;
#line 7
#line 7
#line 7
#line 7
# hal_lowpan domain can write/read to/from lowpan_prop
# set_prop() expansion: the server writes to the property socket and connects
# to init's property service; the `property_service set` permission is what
# actually scopes which properties it may set (lowpan_prop only).
#line 10
#line 10
allow hal_lowpan_server property_socket:sock_file write;
#line 10
allow hal_lowpan_server init:unix_stream_socket connectto;
#line 10
#line 10
allow hal_lowpan_server lowpan_prop:property_service set;
#line 10
#line 10
allow hal_lowpan_server lowpan_prop:file { getattr open read map };
#line 10
#line 10
# Allow hal_lowpan_server to open lowpan_devices
# Read+write+ioctl on the character device.
allow hal_lowpan_server lowpan_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
###
### neverallow rules
###
# Only LoWPAN HAL may directly access LoWPAN hardware
# `~getattr` denies every chr_file permission except getattr to all domains
# other than the HAL server, init and ueventd (the latter two presumably need
# access to create/label the device node — confirm against their own policy).
neverallow { domain -hal_lowpan_server -init -ueventd } lowpan_device:chr_file ~getattr;
#line 1 "system/sepolicy/public/hal_macsec.te"
# --- hal_macsec.te (m4-expanded; rules left byte-identical) ---
# AIDL-only MACsec HAL: bidirectional binder_call(), registration restricted
# to the server, and binder_use() for the server.
# Binder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_macsec_client hal_macsec_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_macsec_server hal_macsec_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_macsec_client hal_macsec_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_macsec_server hal_macsec_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_macsec_client hal_macsec_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_macsec_server hal_macsec_client:fd use;
#line 3
#line 5
allow hal_macsec_client hal_macsec_service:service_manager find;
#line 5
#line 5
allow hal_macsec_server hal_macsec_service:service_manager { add find };
#line 5
neverallow { domain -hal_macsec_server } hal_macsec_service:service_manager add;
#line 5
#line 5
# On debug builds with root, allow binder services to use binder over TCP.
#line 5
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 5
#line 5
#line 5
#line 5
#line 5
#line 7
# Call the servicemanager and transfer references to it.
#line 7
allow hal_macsec_server servicemanager:binder { call transfer };
#line 7
# Allow servicemanager to send out callbacks
#line 7
allow servicemanager hal_macsec_server:binder { call transfer };
#line 7
# servicemanager performs getpidcon on clients.
#line 7
allow servicemanager hal_macsec_server:dir search;
#line 7
allow servicemanager hal_macsec_server:file { read open };
#line 7
allow servicemanager hal_macsec_server:process getattr;
#line 7
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 7
# all domains in domain.te.
#line 7
#line 1 "system/sepolicy/public/hal_memtrack.te"
# --- hal_memtrack.te (m4-expanded; rules left byte-identical) ---
# One-way client->server IPC; HIDL and AIDL registration both restricted to
# hal_memtrack_server.
# HwBinder IPC from client to server
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_memtrack_client hal_memtrack_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_memtrack_server hal_memtrack_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_memtrack_client hal_memtrack_server:fd use;
#line 2
#line 4
allow hal_memtrack_client hal_memtrack_hwservice:hwservice_manager find;
#line 4
#line 4
allow hal_memtrack_server hal_memtrack_hwservice:hwservice_manager { add find };
#line 4
allow hal_memtrack_server hidl_base_hwservice:hwservice_manager add;
#line 4
neverallow { domain -hal_memtrack_server } hal_memtrack_hwservice:hwservice_manager add;
#line 4
#line 4
#line 4
#line 4
#line 6
allow hal_memtrack_client hal_memtrack_service:service_manager find;
#line 6
#line 6
allow hal_memtrack_server hal_memtrack_service:service_manager { add find };
#line 6
neverallow { domain -hal_memtrack_server } hal_memtrack_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
#line 6
#line 6
#line 6
#line 6
#line 7
# binder_call(hal_memtrack_server, servicemanager) so the server can register.
# Call the server domain and optionally transfer references to it.
#line 7
allow hal_memtrack_server servicemanager:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow servicemanager hal_memtrack_server:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow hal_memtrack_server servicemanager:fd use;
#line 7
#line 1 "system/sepolicy/public/hal_neuralnetworks.te"
# --- hal_neuralnetworks.te (m4-expanded; rules left byte-identical) ---
# NN HAL: bidirectional binder_call(), HIDL + AIDL registration, GPU/ION
# device access, and read/write on several app-owned file types that are
# reachable only through client-supplied fds (see notes below).
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_neuralnetworks_client hal_neuralnetworks_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_neuralnetworks_server hal_neuralnetworks_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_neuralnetworks_client hal_neuralnetworks_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_neuralnetworks_server hal_neuralnetworks_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_neuralnetworks_client hal_neuralnetworks_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_neuralnetworks_server hal_neuralnetworks_client:fd use;
#line 3
#line 5
allow hal_neuralnetworks_client hal_neuralnetworks_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_neuralnetworks_server hal_neuralnetworks_hwservice:hwservice_manager { add find };
#line 5
allow hal_neuralnetworks_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_neuralnetworks_server } hal_neuralnetworks_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
# Shared-memory plumbing granted to the `hal_neuralnetworks` attribute: find
# the hidl memory / graphics mapper hwservices and use fds handed over by the
# allocator HALs. gpu_device gets read+write+ioctl; gpu_device dirs are
# listable.
allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find;
allow hal_neuralnetworks hal_allocator:fd use;
allow hal_neuralnetworks hal_graphics_mapper_hwservice:hwservice_manager find;
allow hal_neuralnetworks hal_graphics_allocator:fd use;
allow hal_neuralnetworks gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_neuralnetworks gpu_device:dir { open getattr read search ioctl lock watch watch_reads };
# Allow NN HAL service to use a client-provided fd residing in /data/data/.
# Security note: these permission sets deliberately omit `open`, so the HAL
# cannot open app/shell data files itself — it can only read/write/map an fd
# a client already opened and passed over binder. Keep `open` out of them.
allow hal_neuralnetworks_server app_data_file:file { read write getattr map };
allow hal_neuralnetworks_server privapp_data_file:file { read write getattr map };
# Allow NN HAL service to use a client-provided fd residing in /data/local/tmp/.
allow hal_neuralnetworks_server shell_data_file:file { read write getattr map };
# Allow NN HAL service to read a client-provided ION memory fd.
# Read-only (incl. ioctl/map) on ion_device; no write.
allow hal_neuralnetworks_server ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# Allow NN HAL service to use a client-provided fd residing in /storage
# Read-only on both storage_file and apk_data_file (no write, no open).
allow hal_neuralnetworks_server storage_file:file { getattr map read };
# Allow NN HAL service to read a client-provided fd residing in /data/app/.
allow hal_neuralnetworks_server apk_data_file:file { getattr map read };
# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
# property to determine whether to deny NNAPI extensions use for apps
# on product partition (apps in GSI are not allowed to use NNAPI extensions).
#line 32
allow hal_neuralnetworks_client nnapi_ext_deny_product_prop:file { getattr open read map };
#line 32
# NOTE(review): the bare `;` below is left over from a trailing semicolon after
# the get_prop() macro call in the .te source (the expansion already ends in
# `;`). It carries no policy; tidy it in the source rather than in this prebuilt.
;
# Allow NN HAL client to read device_config_nnapi_native_prop.
#line 35
allow hal_neuralnetworks_client device_config_nnapi_native_prop:file { getattr open read map };
#line 35
# This property is only expected to be found in /product/build.prop,
# allow to be set only by init.
neverallow { domain -init } nnapi_ext_deny_product_prop:property_service set;
# Define sepolicy for NN AIDL HAL service
#line 42
allow hal_neuralnetworks_client hal_neuralnetworks_service:service_manager find;
#line 42
#line 42
allow hal_neuralnetworks_server hal_neuralnetworks_service:service_manager { add find };
#line 42
neverallow { domain -hal_neuralnetworks_server } hal_neuralnetworks_service:service_manager add;
#line 42
#line 42
# On debug builds with root, allow binder services to use binder over TCP.
#line 42
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 42
#line 42
#line 42
#line 42
#line 42
#line 43
# Call the server domain and optionally transfer references to it.
#line 43
allow hal_neuralnetworks_server servicemanager:binder { call transfer };
#line 43
# Allow the serverdomain to transfer references to the client on the reply.
#line 43
allow servicemanager hal_neuralnetworks_server:binder transfer;
#line 43
# Receive and use open files from the server.
#line 43
allow hal_neuralnetworks_server servicemanager:fd use;
#line 43
#line 45
# binder_use() expansion; the first rule duplicates the binder_call() rule
# above (source lines 43 and 45) — harmless, SELinux unions duplicate allows.
# Call the servicemanager and transfer references to it.
#line 45
allow hal_neuralnetworks_server servicemanager:binder { call transfer };
#line 45
# Allow servicemanager to send out callbacks
#line 45
allow servicemanager hal_neuralnetworks_server:binder { call transfer };
#line 45
# servicemanager performs getpidcon on clients.
#line 45
allow servicemanager hal_neuralnetworks_server:dir search;
#line 45
allow servicemanager hal_neuralnetworks_server:file { read open };
#line 45
allow servicemanager hal_neuralnetworks_server:process getattr;
#line 45
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 45
# all domains in domain.te.
#line 45
# Write-only to a dumpstate-owned pipe for `dumpsys`.
allow hal_neuralnetworks_server dumpstate:fifo_file write;
#line 1 "system/sepolicy/public/hal_neverallows.te"
# Platform-wide restrictions on every domain carrying the halserverdomain
# attribute. Being neverallow rules, they fail the policy build (and the CTS
# checks this prebuilt backs) if any vendor rule contradicts them; a HAL that
# genuinely needs one of these permissions has to be carved out by name in the
# source set of the relevant rule.
# only HALs responsible for network hardware should have privileged
# network capabilities
# Both the plain capability class and cap_userns are named, so the ban also
# holds for capabilities acquired inside a user namespace.
neverallow {
halserverdomain
-hal_bluetooth_server
-hal_can_controller_server
-hal_wifi_server
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
-hal_uwb_server
# TODO(b/196225233): Remove hal_uwb_vendor_server
-hal_uwb_vendor_server
-hal_nlinterceptor_server
} self:{ capability cap_userns } { net_admin net_raw };
# Unless a HAL's job is to communicate over the network, or control network
# hardware, it should not be using network sockets.
# NOTE: HALs for automotive devices have an exemption from this rule because in
# a car it is common to have external modules and HALs need to communicate to
# those modules using network. Using this exemption for non-automotive builds
# will result in CTS failure.
neverallow {
halserverdomain
-hal_automotive_socket_exemption
-hal_can_controller_server
-hal_tetheroffload_server
-hal_wifi_server
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
-hal_uwb_server
# TODO(b/196225233): Remove hal_uwb_vendor_server
-hal_uwb_vendor_server
-hal_nlinterceptor_server
-hal_bluetooth_server
} domain:{ udp_socket rawip_socket } *;
# Same restriction for TCP. The exemption list deliberately differs from the
# udp/rawip rule above: hal_uwb_server and hal_uwb_vendor_server are not carved
# out here, so both remain barred from tcp_socket.
neverallow {
halserverdomain
-hal_automotive_socket_exemption
-hal_can_controller_server
-hal_tetheroffload_server
-hal_wifi_server
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
-hal_nlinterceptor_server
-hal_bluetooth_server
} {
domain
}:tcp_socket *;
# The UWB HAL is not actually a networking HAL but may need to bring up and down
# interfaces. Restrict it to only these networking operations.
# Net effect together with the capability rule above: hal_uwb_vendor_server is
# exempt from the net_admin/net_raw ban there, but net_raw is re-denied here,
# so only net_admin can actually be granted to it.
neverallow hal_uwb_vendor_server self:{ capability cap_userns } { net_raw };
# Subset of socket_class_set likely to be usable for communication or accessible through net_admin.
# udp_socket is required to use interface ioctls.
# Classes absent from this set (udp_socket as explained above, and e.g.
# netlink_generic_socket) are governed only by the halserverdomain rules above.
neverallow hal_uwb_vendor_server domain:{ socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *;
###
# HALs are defined as an attribute and so a given domain could hypothetically
# have multiple HALs in it (or even all of them) with the subsequent policy of
# the domain comprised of the union of all the HALs.
#
# This is a problem because
# 1) Security sensitive components should only be accessed by specific HALs.
# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
# the platform.
# 3) The platform cannot reason about defense in depth if there are
# monolithic domains etc.
#
# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
# it's OK for them to share a process it's not OK for them to share processes
# with other hals.
#
# The following neverallow rules, in conjunction with CTS tests, assert that
# these security principles are adhered to.
#
# Do not allow a hal to exec another process without a domain transition.
# TODO remove exemptions.
# Note that the shell_exec/toolbox_exec carve-out sits in the target set, so it
# applies to every HAL server domain, not only to the two exempted sources:
# any HAL may run the shell or toybox in its own domain without a transition.
neverallow {
halserverdomain
-hal_dumpstate_server
-hal_telephony_server
} {
file_type
fs_type
# May invoke shell commands via /system/bin/sh
-shell_exec
-toolbox_exec
}:file execute_no_trans;
# Do not allow a process other than init to transition into a HAL domain.
neverallow { domain -init } halserverdomain:process transition;
# Only allow transitioning to a domain by running its executable. Do not
# allow transitioning into a HAL domain by use of seclabel in an
# init.*.rc script.
# Together with the rule above, the only way into a HAL domain is an
# exec-based transition performed by init.
neverallow * halserverdomain:process dyntransition;
#line 1 "system/sepolicy/public/hal_nfc.te"
# Policy for the NFC HAL. The "#line N" markers and the repeated comment
# blocks below are artefacts of m4 macro expansion (presumably binder_call,
# the hal_attribute_* registration macros and set_prop); the allow/neverallow
# rules themselves are the policy.
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_nfc_client hal_nfc_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_nfc_server hal_nfc_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_nfc_client hal_nfc_server:fd use;
#line 2
# Reverse direction: the server may call back into the client.
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_nfc_server hal_nfc_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_nfc_client hal_nfc_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_nfc_server hal_nfc_client:fd use;
#line 3
#line 4
# Call the server domain and optionally transfer references to it.
#line 4
allow hal_nfc_server servicemanager:binder { call transfer };
#line 4
# Allow the serverdomain to transfer references to the client on the reply.
#line 4
allow servicemanager hal_nfc_server:binder transfer;
#line 4
# Receive and use open files from the server.
#line 4
allow hal_nfc_server servicemanager:fd use;
#line 4
# Service registration: only hal_nfc_server may publish the NFC HIDL
# hwservice and AIDL service (enforced by the neverallows); clients may only
# look them up.
#line 6
allow hal_nfc_client hal_nfc_hwservice:hwservice_manager find;
#line 6
#line 6
allow hal_nfc_server hal_nfc_hwservice:hwservice_manager { add find };
#line 6
allow hal_nfc_server hidl_base_hwservice:hwservice_manager add;
#line 6
neverallow { domain -hal_nfc_server } hal_nfc_hwservice:hwservice_manager add;
#line 6
#line 6
#line 6
#line 6
#line 7
allow hal_nfc_client hal_nfc_service:service_manager find;
#line 7
#line 7
allow hal_nfc_server hal_nfc_service:service_manager { add find };
#line 7
neverallow { domain -hal_nfc_server } hal_nfc_service:service_manager add;
#line 7
#line 7
# On debug builds with root, allow binder services to use binder over TCP.
#line 7
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 7
#line 7
#line 7
#line 7
#line 7
# Set NFC properties (used by bcm2079x HAL).
# Expanded property-set sequence: connect to init's property socket, set
# nfc_prop, and read the property file back. Note these rules are granted to
# hal_nfc, not to hal_nfc_server alone.
#line 10
#line 10
allow hal_nfc property_socket:sock_file write;
#line 10
allow hal_nfc init:unix_stream_socket connectto;
#line 10
#line 10
allow hal_nfc nfc_prop:property_service set;
#line 10
#line 10
allow hal_nfc nfc_prop:file { getattr open read map };
#line 10
#line 10
# NFC device access.
# Both the read set and the write set are granted (presumably the
# rw_file_perms expansion), so hal_nfc has full access to the device node.
allow hal_nfc nfc_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 1 "system/sepolicy/public/hal_nlinterceptor.te"
# Netlink interceptor HAL. This is one of the few HALs holding net_admin and
# privileged netlink write access (last three rules of this section), which is
# why hal_nlinterceptor_server is carved out of the halserverdomain neverallow
# rules in hal_neverallows.te.
#line 1
# Call the server domain and optionally transfer references to it.
#line 1
allow hal_nlinterceptor_client hal_nlinterceptor_server:binder { call transfer };
#line 1
# Allow the serverdomain to transfer references to the client on the reply.
#line 1
allow hal_nlinterceptor_server hal_nlinterceptor_client:binder transfer;
#line 1
# Receive and use open files from the server.
#line 1
allow hal_nlinterceptor_client hal_nlinterceptor_server:fd use;
#line 1
#line 3
allow hal_nlinterceptor_client hal_nlinterceptor_service:service_manager find;
#line 3
#line 3
allow hal_nlinterceptor_server hal_nlinterceptor_service:service_manager { add find };
#line 3
neverallow { domain -hal_nlinterceptor_server } hal_nlinterceptor_service:service_manager add;
#line 3
#line 3
# On debug builds with root, allow binder services to use binder over TCP.
#line 3
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 3
#line 3
#line 3
#line 3
#line 3
# The servicemanager rules below name hal_nlinterceptor (the attribute) rather
# than hal_nlinterceptor_server, so every domain carrying the attribute gets them.
#line 4
# Call the server domain and optionally transfer references to it.
#line 4
allow hal_nlinterceptor servicemanager:binder { call transfer };
#line 4
# Allow the serverdomain to transfer references to the client on the reply.
#line 4
allow servicemanager hal_nlinterceptor:binder transfer;
#line 4
# Receive and use open files from the server.
#line 4
allow hal_nlinterceptor servicemanager:fd use;
#line 4
# Network privileges, again granted to the hal_nlinterceptor attribute:
# net_admin, a generic netlink socket, and a route netlink socket including
# nlmsg_write (the state-changing link/route messages).
allow hal_nlinterceptor self:{ capability cap_userns } net_admin;
allow hal_nlinterceptor self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow hal_nlinterceptor self:netlink_route_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_readpriv nlmsg_write };
#line 1 "system/sepolicy/public/hal_oemlock.te"
# OEM lock HAL. Binder IPC is granted in one direction only (client to
# server); unlike e.g. hal_nfc there is no server-to-client callback rule.
# HwBinder IPC from client to server
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_oemlock_client hal_oemlock_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_oemlock_server hal_oemlock_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_oemlock_client hal_oemlock_server:fd use;
#line 2
# The server registers both the HIDL hwservice and the AIDL service; the
# neverallows keep any other domain from publishing under these names.
#line 4
allow hal_oemlock_client hal_oemlock_hwservice:hwservice_manager find;
#line 4
#line 4
allow hal_oemlock_server hal_oemlock_hwservice:hwservice_manager { add find };
#line 4
allow hal_oemlock_server hidl_base_hwservice:hwservice_manager add;
#line 4
neverallow { domain -hal_oemlock_server } hal_oemlock_hwservice:hwservice_manager add;
#line 4
#line 4
#line 4
#line 4
#line 5
allow hal_oemlock_client hal_oemlock_service:service_manager find;
#line 5
#line 5
allow hal_oemlock_server hal_oemlock_service:service_manager { add find };
#line 5
neverallow { domain -hal_oemlock_server } hal_oemlock_service:service_manager add;
#line 5
#line 5
# On debug builds with root, allow binder services to use binder over TCP.
#line 5
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 5
#line 5
#line 5
#line 5
#line 5
#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow hal_oemlock_server servicemanager:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow servicemanager hal_oemlock_server:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow hal_oemlock_server servicemanager:fd use;
#line 7
#line 1 "system/sepolicy/public/hal_omx.te"
# applies all permissions to hal_omx NOT hal_omx_server
# since OMX must always be in its own process.
#line 4
# Call the server domain and optionally transfer references to it.
#line 4
allow hal_omx_server binderservicedomain:binder { call transfer };
#line 4
# Allow the serverdomain to transfer references to the client on the reply.
#line 4
allow binderservicedomain hal_omx_server:binder transfer;
#line 4
# Receive and use open files from the server.
#line 4
allow hal_omx_server binderservicedomain:fd use;
#line 4
#line 5
# Call the server domain and optionally transfer references to it.
#line 5
allow hal_omx_server { appdomain -isolated_app }:binder { call transfer };
#line 5
# Allow the serverdomain to transfer references to the client on the reply.
#line 5
allow { appdomain -isolated_app } hal_omx_server:binder transfer;
#line 5
# Receive and use open files from the server.
#line 5
allow hal_omx_server { appdomain -isolated_app }:fd use;
#line 5
# Allow hal_omx_server access to composer sync fences
allow hal_omx_server hal_graphics_composer:fd use;
allow hal_omx_server ion_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_omx_server hal_camera:fd use;
#line 13
#line 13
allow hal_omx_server anr_data_file:file append;
#line 13
allow hal_omx_server dumpstate:fd use;
#line 13
allow hal_omx_server incidentd:fd use;
#line 13
# TODO: Figure out why write is needed.
#line 13
allow hal_omx_server dumpstate:fifo_file { append write };
#line 13
allow hal_omx_server incidentd:fifo_file { append write };
#line 13
allow hal_omx_server system_server:fifo_file { append write };
#line 13
allow hal_omx_server tombstoned:unix_stream_socket connectto;
#line 13
allow hal_omx_server tombstoned:fd use;
#line 13
allow hal_omx_server tombstoned_crash_socket:sock_file write;
#line 13
allow hal_omx_server tombstone_data_file:file append;
#line 13
# Recieve gralloc buffer FDs from bufferhubd. Note that hal_omx_server never
# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
# via PDX. Thus, there is no need to use pdx_client macro.
allow hal_omx_server bufferhubd:fd use;
#line 21
allow hal_omx_client hal_omx_hwservice:hwservice_manager find;
#line 21
#line 21
allow hal_omx_server hal_omx_hwservice:hwservice_manager { add find };
#line 21
allow hal_omx_server hidl_base_hwservice:hwservice_manager add;
#line 21
neverallow { domain -hal_omx_server } hal_omx_hwservice:hwservice_manager add;
#line 21
#line 21
#line 21
#line 21
allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
#line 25
allow hal_omx_client media_variant_prop:file { getattr open read map };
#line 25
#line 26
allow hal_omx_server media_variant_prop:file { getattr open read map };
#line 26
#line 28
# Call the server domain and optionally transfer references to it.
#line 28
allow hal_omx_client hal_omx_server:binder { call transfer };
#line 28
# Allow the serverdomain to transfer references to the client on the reply.
#line 28
allow hal_omx_server hal_omx_client:binder transfer;
#line 28
# Receive and use open files from the server.
#line 28
allow hal_omx_client hal_omx_server:fd use;
#line 28
#line 29
# Call the server domain and optionally transfer references to it.
#line 29
allow hal_omx_server hal_omx_client:binder { call transfer };
#line 29
# Allow the serverdomain to transfer references to the client on the reply.
#line 29
allow hal_omx_client hal_omx_server:binder transfer;
#line 29
# Receive and use open files from the server.
#line 29
allow hal_omx_server hal_omx_client:fd use;
#line 29
###
### neverallow rules
###
# hal_omx_server should never execute any executable without a
# domain transition
neverallow hal_omx_server { file_type fs_type }:file execute_no_trans;
# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow hal_omx_server domain:{ udp_socket rawip_socket } *;
neverallow hal_omx_server { domain }:tcp_socket *;
#line 1 "system/sepolicy/public/hal_power.te"
# Power HAL: bidirectional client/server binder IPC, HIDL and AIDL service
# registration restricted to the server, and servicemanager access for both
# client and server.
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_power_client hal_power_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_power_server hal_power_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_power_client hal_power_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_power_server hal_power_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_power_client hal_power_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_power_server hal_power_client:fd use;
#line 3
#line 5
allow hal_power_client hal_power_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_power_server hal_power_hwservice:hwservice_manager { add find };
#line 5
allow hal_power_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_power_server } hal_power_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
allow hal_power_client hal_power_service:service_manager find;
#line 6
#line 6
allow hal_power_server hal_power_service:service_manager { add find };
#line 6
neverallow { domain -hal_power_server } hal_power_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
#line 6
#line 6
#line 6
#line 6
# Both the server and the client may call servicemanager.
#line 8
# Call the server domain and optionally transfer references to it.
#line 8
allow hal_power_server servicemanager:binder { call transfer };
#line 8
# Allow the serverdomain to transfer references to the client on the reply.
#line 8
allow servicemanager hal_power_server:binder transfer;
#line 8
# Receive and use open files from the server.
#line 8
allow hal_power_server servicemanager:fd use;
#line 8
#line 9
# Call the server domain and optionally transfer references to it.
#line 9
allow hal_power_client servicemanager:binder { call transfer };
#line 9
# Allow the serverdomain to transfer references to the client on the reply.
#line 9
allow servicemanager hal_power_client:binder transfer;
#line 9
# Receive and use open files from the server.
#line 9
allow hal_power_client servicemanager:fd use;
#line 9
#line 1 "system/sepolicy/public/hal_power_stats.te"
# Power stats HAL: same shape as hal_power.te -- bidirectional client/server
# IPC, server-only HIDL/AIDL registration, servicemanager access for both.
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_power_stats_client hal_power_stats_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_power_stats_server hal_power_stats_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_power_stats_client hal_power_stats_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_power_stats_server hal_power_stats_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_power_stats_client hal_power_stats_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_power_stats_server hal_power_stats_client:fd use;
#line 3
#line 5
allow hal_power_stats_client hal_power_stats_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_power_stats_server hal_power_stats_hwservice:hwservice_manager { add find };
#line 5
allow hal_power_stats_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_power_stats_server } hal_power_stats_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
allow hal_power_stats_client hal_power_stats_service:service_manager find;
#line 6
#line 6
allow hal_power_stats_server hal_power_stats_service:service_manager { add find };
#line 6
neverallow { domain -hal_power_stats_server } hal_power_stats_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
#line 6
#line 6
#line 6
#line 6
# Both the server and the client may call servicemanager.
#line 8
# Call the server domain and optionally transfer references to it.
#line 8
allow hal_power_stats_server servicemanager:binder { call transfer };
#line 8
# Allow the serverdomain to transfer references to the client on the reply.
#line 8
allow servicemanager hal_power_stats_server:binder transfer;
#line 8
# Receive and use open files from the server.
#line 8
allow hal_power_stats_server servicemanager:fd use;
#line 8
#line 9
# Call the server domain and optionally transfer references to it.
#line 9
allow hal_power_stats_client servicemanager:binder { call transfer };
#line 9
# Allow the serverdomain to transfer references to the client on the reply.
#line 9
allow servicemanager hal_power_stats_client:binder transfer;
#line 9
# Receive and use open files from the server.
#line 9
allow hal_power_stats_client servicemanager:fd use;
#line 9
#line 1 "system/sepolicy/public/hal_rebootescrow.te"
# Reboot escrow HAL. AIDL only (no hwservice rules), client-to-server IPC
# only, and only the server side gets the servicemanager rules.
# HwBinder IPC from client to server
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_rebootescrow_client hal_rebootescrow_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_rebootescrow_server hal_rebootescrow_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_rebootescrow_client hal_rebootescrow_server:fd use;
#line 2
#line 4
allow hal_rebootescrow_client hal_rebootescrow_service:service_manager find;
#line 4
#line 4
allow hal_rebootescrow_server hal_rebootescrow_service:service_manager { add find };
#line 4
neverallow { domain -hal_rebootescrow_server } hal_rebootescrow_service:service_manager add;
#line 4
#line 4
# On debug builds with root, allow binder services to use binder over TCP.
#line 4
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 4
#line 4
#line 4
#line 4
#line 4
# Server-side servicemanager access. The dir/file/process rules in the other
# direction are what servicemanager needs to look up the server's label
# (getpidcon) when it registers.
#line 6
# Call the servicemanager and transfer references to it.
#line 6
allow hal_rebootescrow_server servicemanager:binder { call transfer };
#line 6
# Allow servicemanager to send out callbacks
#line 6
allow servicemanager hal_rebootescrow_server:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
#line 6
allow servicemanager hal_rebootescrow_server:dir search;
#line 6
allow servicemanager hal_rebootescrow_server:file { read open };
#line 6
allow servicemanager hal_rebootescrow_server:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6
#line 1 "system/sepolicy/public/hal_remoteaccess.te"
# Remote access HAL. NOTE(review): unlike the neighbouring HAL sections, no
# rule here lets hal_remoteaccess_server (or the client) talk to
# servicemanager; that access presumably comes from another attribute or
# file -- confirm before relying on this section alone.
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_remoteaccess_client hal_remoteaccess_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_remoteaccess_server hal_remoteaccess_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_remoteaccess_client hal_remoteaccess_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_remoteaccess_server hal_remoteaccess_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_remoteaccess_client hal_remoteaccess_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_remoteaccess_server hal_remoteaccess_client:fd use;
#line 3
# AIDL service registration is restricted to the server.
#line 5
allow hal_remoteaccess_client hal_remoteaccess_service:service_manager find;
#line 5
#line 5
allow hal_remoteaccess_server hal_remoteaccess_service:service_manager { add find };
#line 5
neverallow { domain -hal_remoteaccess_server } hal_remoteaccess_service:service_manager add;
#line 5
#line 5
# On debug builds with root, allow binder services to use binder over TCP.
#line 5
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 5
#line 5
#line 5
#line 5
#line 5
#line 1 "system/sepolicy/public/hal_remotelyprovisionedcomponent_avf.te"
# Remotely provisioned component HAL backed by AVF. One-directional IPC:
# client calls server, server registers with servicemanager; no callback
# rule from server to client is granted here.
# allow binder connection from client to server
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_remotelyprovisionedcomponent_avf_client hal_remotelyprovisionedcomponent_avf_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_remotelyprovisionedcomponent_avf_server hal_remotelyprovisionedcomponent_avf_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_remotelyprovisionedcomponent_avf_client hal_remotelyprovisionedcomponent_avf_server:fd use;
#line 2
# allow client to find the service, allow server to register the service
#line 5
allow hal_remotelyprovisionedcomponent_avf_client hal_remotelyprovisionedcomponent_avf_service:service_manager find;
#line 5
#line 5
allow hal_remotelyprovisionedcomponent_avf_server hal_remotelyprovisionedcomponent_avf_service:service_manager { add find };
#line 5
neverallow { domain -hal_remotelyprovisionedcomponent_avf_server } hal_remotelyprovisionedcomponent_avf_service:service_manager add;
#line 5
#line 5
# On debug builds with root, allow binder services to use binder over TCP.
#line 5
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 5
#line 5
#line 5
#line 5
#line 5
# allow binder communication from server to service_manager
# The dir/file/process rules let servicemanager read the server's label
# (getpidcon) at registration time; they do not grant the server anything.
#line 8
# Call the servicemanager and transfer references to it.
#line 8
allow hal_remotelyprovisionedcomponent_avf_server servicemanager:binder { call transfer };
#line 8
# Allow servicemanager to send out callbacks
#line 8
allow servicemanager hal_remotelyprovisionedcomponent_avf_server:binder { call transfer };
#line 8
# servicemanager performs getpidcon on clients.
#line 8
allow servicemanager hal_remotelyprovisionedcomponent_avf_server:dir search;
#line 8
allow servicemanager hal_remotelyprovisionedcomponent_avf_server:file { read open };
#line 8
allow servicemanager hal_remotelyprovisionedcomponent_avf_server:process getattr;
#line 8
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 8
# all domains in domain.te.
#line 8
#line 1 "system/sepolicy/public/hal_secretkeeper.te"
# Domains for the Secretkeeper HAL, which provides secure (tamper evident, rollback protected)
# storage of secrets guarded by DICE policies.
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_secretkeeper_client hal_secretkeeper_server:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_secretkeeper_server hal_secretkeeper_client:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_secretkeeper_client hal_secretkeeper_server:fd use;
#line 3
#line 5
allow hal_secretkeeper_client hal_secretkeeper_service:service_manager find;
#line 5
#line 5
allow hal_secretkeeper_server hal_secretkeeper_service:service_manager { add find };
#line 5
neverallow { domain -hal_secretkeeper_server } hal_secretkeeper_service:service_manager add;
#line 5
#line 5
# On debug builds with root, allow binder services to use binder over TCP.
#line 5
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 5
#line 5
#line 5
#line 5
#line 5
#line 7
# Call the servicemanager and transfer references to it.
#line 7
allow hal_secretkeeper_server servicemanager:binder { call transfer };
#line 7
# Allow servicemanager to send out callbacks
#line 7
allow servicemanager hal_secretkeeper_server:binder { call transfer };
#line 7
# servicemanager performs getpidcon on clients.
#line 7
allow servicemanager hal_secretkeeper_server:dir search;
#line 7
allow servicemanager hal_secretkeeper_server:file { read open };
#line 7
allow servicemanager hal_secretkeeper_server:process getattr;
#line 7
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 7
# all domains in domain.te.
#line 7
#line 8
# Call the servicemanager and transfer references to it.
#line 8
allow hal_secretkeeper_client servicemanager:binder { call transfer };
#line 8
# Allow servicemanager to send out callbacks
#line 8
allow servicemanager hal_secretkeeper_client:binder { call transfer };
#line 8
# servicemanager performs getpidcon on clients.
#line 8
allow servicemanager hal_secretkeeper_client:dir search;
#line 8
allow servicemanager hal_secretkeeper_client:file { read open };
#line 8
allow servicemanager hal_secretkeeper_client:process getattr;
#line 8
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 8
# all domains in domain.te.
#line 8
# The Secretkeeper HAL service needs to communicate with a trusted application running
# in the TEE, which is represented by the tee_device permission.
allow hal_secretkeeper_server tee_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 1 "system/sepolicy/public/hal_secure_element.te"
# Secure element HAL: bidirectional client/server IPC, server-only HIDL and
# AIDL registration, server-side servicemanager access.
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_secure_element_client hal_secure_element_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_secure_element_server hal_secure_element_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_secure_element_client hal_secure_element_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_secure_element_server hal_secure_element_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_secure_element_client hal_secure_element_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_secure_element_server hal_secure_element_client:fd use;
#line 3
#line 5
allow hal_secure_element_client hal_secure_element_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_secure_element_server hal_secure_element_hwservice:hwservice_manager { add find };
#line 5
allow hal_secure_element_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_secure_element_server } hal_secure_element_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
allow hal_secure_element_client hal_secure_element_service:service_manager find;
#line 6
#line 6
allow hal_secure_element_server hal_secure_element_service:service_manager { add find };
#line 6
neverallow { domain -hal_secure_element_server } hal_secure_element_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
#line 6
#line 6
#line 6
#line 6
#line 8
# Call the servicemanager and transfer references to it.
#line 8
allow hal_secure_element_server servicemanager:binder { call transfer };
#line 8
# Allow servicemanager to send out callbacks
#line 8
allow servicemanager hal_secure_element_server:binder { call transfer };
#line 8
# servicemanager performs getpidcon on clients.
#line 8
allow servicemanager hal_secure_element_server:dir search;
#line 8
allow servicemanager hal_secure_element_server:file { read open };
#line 8
allow servicemanager hal_secure_element_server:process getattr;
#line 8
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 8
# all domains in domain.te.
#line 8
# Duplicate of the service_manager find rule already granted after the
# "#line 6" marker above. Harmless, since allow rules are cumulative, but it
# could be dropped at the source.
allow hal_secure_element_client hal_secure_element_service:service_manager find;
#line 1 "system/sepolicy/public/hal_sensors.te"
# Expanded policy for hal_sensors.te. Each "#line N" marker names the line of
# that source file whose expansion follows; rules between markers are the
# expansion of that single line.
# HwBinder IPC from client to server
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_sensors_client hal_sensors_server:binder { call transfer };
#line 2
# Allow the server domain to transfer references to the client on the reply.
#line 2
allow hal_sensors_server hal_sensors_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_sensors_client hal_sensors_server:fd use;
#line 2
#line 4
# HIDL registration: clients may only look the hwservice up; only the server
# attribute may register it.
allow hal_sensors_client hal_sensors_hwservice:hwservice_manager find;
#line 4
#line 4
allow hal_sensors_server hal_sensors_hwservice:hwservice_manager { add find };
#line 4
allow hal_sensors_server hidl_base_hwservice:hwservice_manager add;
#line 4
# Any allow rule elsewhere (e.g. vendor policy) that grants "add" on this
# hwservice to a domain outside hal_sensors_server fails this neverallow at
# policy build time.
neverallow { domain -hal_sensors_server } hal_sensors_hwservice:hwservice_manager add;
#line 4
#line 4
#line 4
#line 4
# Allow sensor hals to access ashmem memory allocated by apps
# isolated_app is explicitly carved out of the fd-passing grant.
allow hal_sensors { appdomain -isolated_app }:fd use;
# Allow sensor hals to access ashmem memory allocated by android.hidl.allocator
# fd is passed in from framework sensorservice HAL.
allow hal_sensors hal_allocator:fd use;
# allow to run with real-time scheduling policy
# sys_nice is the only capability granted to hal_sensors in this section.
allow hal_sensors self:{ capability cap_userns } sys_nice;
#line 16
# AIDL registration for the server; the client's matching "find" is the last
# rule of this section.
allow hal_sensors_server hal_sensors_service:service_manager { add find };
#line 16
neverallow { domain -hal_sensors_server } hal_sensors_service:service_manager add;
#line 16
#line 16
# On debug builds with root, allow binder services to use binder over TCP.
#line 16
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 16
# No rule follows the two comment lines above in this expansion: the
# debug-only grant they describe expanded to nothing here (presumably a
# non-debug build).
#line 16
#line 17
# Call the server domain and optionally transfer references to it.
#line 17
allow hal_sensors_server servicemanager:binder { call transfer };
#line 17
# Allow the server domain to transfer references to the client on the reply.
#line 17
# Note: servicemanager gets only "transfer" (not "call") toward
# hal_sensors_server here, and no dir/file/process access for getpidcon,
# unlike the servicemanager rules in some other HAL sections of this file.
allow servicemanager hal_sensors_server:binder transfer;
#line 17
# Receive and use open files from the server.
#line 17
allow hal_sensors_server servicemanager:fd use;
#line 17
allow hal_sensors_client hal_sensors_service:service_manager find;
#line 1 "system/sepolicy/public/hal_telephony.te"
# Expanded policy for hal_telephony.te. "#line N" markers name the source
# line whose expansion follows. This is the widest-privileged section in this
# stretch of the file (capabilities, netlink, property sets, device nodes,
# an ioctl allowlist), so each grant is annotated below.
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_telephony_client hal_telephony_server:binder { call transfer };
#line 2
# Allow the server domain to transfer references to the client on the reply.
#line 2
allow hal_telephony_server hal_telephony_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_telephony_client hal_telephony_server:fd use;
#line 2
#line 3
# Reverse direction (callbacks): server may call into the client.
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_telephony_server hal_telephony_client:binder { call transfer };
#line 3
# Allow the server domain to transfer references to the client on the reply.
#line 3
allow hal_telephony_client hal_telephony_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_telephony_server hal_telephony_client:fd use;
#line 3
#line 5
# HIDL registration: only hal_telephony_server may register the hwservice.
allow hal_telephony_client hal_telephony_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_telephony_server hal_telephony_hwservice:hwservice_manager { add find };
#line 5
allow hal_telephony_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_telephony_server } hal_telephony_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
# AIDL registration: the service name is hal_radio_service (not
# hal_telephony_service); only hal_telephony_server may add it.
allow hal_telephony_client hal_radio_service:service_manager find;
#line 6
#line 6
allow hal_telephony_server hal_radio_service:service_manager { add find };
#line 6
neverallow { domain -hal_telephony_server } hal_radio_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
# (No rule follows the comment above in this expansion.)
#line 6
#line 6
#line 6
#line 6
# Extended-permission allowlist: restricts the udp_socket "ioctl" permission
# to the command numbers listed in the braces. An allowxperm only narrows an
# existing "allow ... self:udp_socket ioctl" grant (not in this section);
# without such a grant it permits nothing on its own.
allowxperm hal_telephony_server self:udp_socket ioctl
#line 8
{
#line 8
# qualcomm rmnet ioctls
#line 8
0x00006900 0x00006902
#line 8
# socket ioctls
#line 8
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 8
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 8
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 8
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 8
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 8
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 8
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 8
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 8
0x00008991 0x00008992 0x00008993 0x00008994
#line 8
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 8
# device and protocol specific ioctls
#line 8
# The two entries below are inclusive ranges, not single commands.
0x000089f0-0x000089ff
#line 8
0x000089e0-0x000089ef
#line 8
# Wireless extension ioctls
#line 8
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 8
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 8
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 8
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 8
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 8
0x00008b34 0x00008b35 0x00008b36
#line 8
# Dev private ioctl i.e. hardware specific ioctls
#line 8
# Whole private range opened; the specific commands depend on the device.
0x00008be0-0x00008bff
#line 8
};
# nlmsg_write permits sending modifying (write-type) messages on a
# NETLINK_ROUTE socket, e.g. route/interface changes.
allow hal_telephony_server self:netlink_route_socket nlmsg_write;
# Capability grant: network administration plus the ability to change its own
# uid/gid and capability set. This is the broadest grant in the section.
allow hal_telephony_server self:{ capability cap_userns } { setpcap setgid setuid net_admin net_raw };
# Create/modify cgroup directories (v1 and v2); files are read-only.
allow hal_telephony_server cgroup:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow hal_telephony_server cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
allow hal_telephony_server cgroup_v2:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow hal_telephony_server cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
# Radio device nodes: read/write (incl. ioctl) on char devices, read-only on
# block devices.
allow hal_telephony_server radio_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_telephony_server radio_device:blk_file { getattr open read ioctl lock map watch watch_reads };
# Full create/rename/unlink access under efs_file.
allow hal_telephony_server efs_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow hal_telephony_server efs_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# May execute the vendor shell; execute_no_trans means it runs in the
# hal_telephony_server domain itself, with no domain transition.
allow hal_telephony_server vendor_shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# bluetooth_efs_file is read-only, unlike efs_file above.
allow hal_telephony_server bluetooth_efs_file:file { getattr open read ioctl lock map watch watch_reads };
allow hal_telephony_server bluetooth_efs_file:dir { open getattr read search ioctl lock watch watch_reads };
# property service
#line 25
# Read-only on telephony_config_prop.
allow hal_telephony_server telephony_config_prop:file { getattr open read map };
#line 25
#line 26
#line 26
# Each property-set expansion below repeats the property_socket write and
# init connectto pair; the property-specific grant is the
# ":property_service set" line. Settable properties: radio_control_prop,
# radio_prop, telephony_status_prop.
allow hal_telephony_server property_socket:sock_file write;
#line 26
allow hal_telephony_server init:unix_stream_socket connectto;
#line 26
#line 26
allow hal_telephony_server radio_control_prop:property_service set;
#line 26
#line 26
allow hal_telephony_server radio_control_prop:file { getattr open read map };
#line 26
#line 26
#line 27
#line 27
allow hal_telephony_server property_socket:sock_file write;
#line 27
allow hal_telephony_server init:unix_stream_socket connectto;
#line 27
#line 27
allow hal_telephony_server radio_prop:property_service set;
#line 27
#line 27
allow hal_telephony_server radio_prop:file { getattr open read map };
#line 27
#line 27
#line 28
#line 28
allow hal_telephony_server property_socket:sock_file write;
#line 28
allow hal_telephony_server init:unix_stream_socket connectto;
#line 28
#line 28
allow hal_telephony_server telephony_status_prop:property_service set;
#line 28
#line 28
allow hal_telephony_server telephony_status_prop:file { getattr open read map };
#line 28
#line 28
# Read/write (incl. ioctl) on tty devices.
allow hal_telephony_server tty_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow hal_telephony_server to create and use netlink sockets.
# The permission set below deliberately omits ioctl on all three classes.
allow hal_telephony_server self:netlink_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow hal_telephony_server self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow hal_telephony_server self:netlink_kobject_uevent_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# Access to wake locks
#line 38
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 38
# deprecated.
#line 38
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 38
allow hal_telephony_server sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 38
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 38
allow hal_telephony_server self:{ capability2 cap2_userns } block_suspend;
#line 38
# system_suspend permissions
#line 38
#line 38
# Call the server domain and optionally transfer references to it.
#line 38
allow hal_telephony_server system_suspend_server:binder { call transfer };
#line 38
# Allow the server domain to transfer references to the client on the reply.
#line 38
allow system_suspend_server hal_telephony_server:binder transfer;
#line 38
# Receive and use open files from the server.
#line 38
allow hal_telephony_server system_suspend_server:fd use;
#line 38
#line 38
allow hal_telephony_server system_suspend_hwservice:hwservice_manager find;
#line 38
# halclientdomain permissions
#line 38
#line 38
# Call the hwservicemanager and transfer references to it.
#line 38
allow hal_telephony_server hwservicemanager:binder { call transfer };
#line 38
# Allow hwservicemanager to send out callbacks
#line 38
allow hwservicemanager hal_telephony_server:binder { call transfer };
#line 38
# hwservicemanager performs getpidcon on clients.
#line 38
allow hwservicemanager hal_telephony_server:dir search;
#line 38
allow hwservicemanager hal_telephony_server:file { read open map };
#line 38
allow hwservicemanager hal_telephony_server:process getattr;
#line 38
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 38
# all domains in domain.te.
#line 38
#line 38
#line 38
allow hal_telephony_server hwservicemanager_prop:file { getattr open read map };
#line 38
#line 38
allow hal_telephony_server hidl_manager_hwservice:hwservice_manager find;
#line 38
# AIDL suspend hal permissions
#line 38
allow hal_telephony_server hal_system_suspend_service:service_manager find;
#line 38
#line 38
# Call the servicemanager and transfer references to it.
#line 38
allow hal_telephony_server servicemanager:binder { call transfer };
#line 38
# Allow servicemanager to send out callbacks
#line 38
allow servicemanager hal_telephony_server:binder { call transfer };
#line 38
# servicemanager performs getpidcon on clients.
#line 38
allow servicemanager hal_telephony_server:dir search;
#line 38
allow servicemanager hal_telephony_server:file { read open };
#line 38
allow servicemanager hal_telephony_server:process getattr;
#line 38
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 38
# all domains in domain.te.
#line 38
#line 38
#line 40
# Read access across the whole proc_net_type and sysfs_type attributes, not a
# specific label.
allow hal_telephony_server proc_net_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 40
allow hal_telephony_server proc_net_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 40
#line 41
allow hal_telephony_server sysfs_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 41
allow hal_telephony_server sysfs_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 41
# granting the ioctl permission for hal_telephony_server should be device specific
# Accordingly the generic socket grant below has no "ioctl" in its set.
allow hal_telephony_server self:socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# Allow AIDL HAL shim to call HIDL HAL implementation
# Both ends of this binder expansion are hal_telephony_server itself (same
# domain, so no additional domain gains anything from it).
#line 47
# Call the server domain and optionally transfer references to it.
#line 47
allow hal_telephony_server hal_telephony_server:binder { call transfer };
#line 47
# Allow the server domain to transfer references to the client on the reply.
#line 47
# Already covered by the { call transfer } rule two lines above; harmless
# duplicate from the self-to-self expansion.
allow hal_telephony_server hal_telephony_server:binder transfer;
#line 47
# Receive and use open files from the server.
#line 47
allow hal_telephony_server hal_telephony_server:fd use;
#line 47
#line 1 "system/sepolicy/public/hal_tetheroffload.te"
# Expanded policy for hal_tetheroffload.te. "#line N" markers name the source
# line whose expansion follows.
## HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_tetheroffload_client hal_tetheroffload_server:binder { call transfer };
#line 2
# Allow the server domain to transfer references to the client on the reply.
#line 2
allow hal_tetheroffload_server hal_tetheroffload_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_tetheroffload_client hal_tetheroffload_server:fd use;
#line 2
#line 3
# Reverse direction (callbacks): server may call into the client.
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_tetheroffload_server hal_tetheroffload_client:binder { call transfer };
#line 3
# Allow the server domain to transfer references to the client on the reply.
#line 3
allow hal_tetheroffload_client hal_tetheroffload_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_tetheroffload_server hal_tetheroffload_client:fd use;
#line 3
#line 5
# HIDL registration: only hal_tetheroffload_server may register the hwservice.
allow hal_tetheroffload_client hal_tetheroffload_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_tetheroffload_server hal_tetheroffload_hwservice:hwservice_manager { add find };
#line 5
allow hal_tetheroffload_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_tetheroffload_server } hal_tetheroffload_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
# AIDL registration: only hal_tetheroffload_server may add the service.
allow hal_tetheroffload_client hal_tetheroffload_service:service_manager find;
#line 6
#line 6
allow hal_tetheroffload_server hal_tetheroffload_service:service_manager { add find };
#line 6
neverallow { domain -hal_tetheroffload_server } hal_tetheroffload_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
# (No rule follows the comment above in this expansion.)
#line 6
#line 6
#line 6
#line 6
#line 8
# Call the servicemanager and transfer references to it.
#line 8
allow hal_tetheroffload_server servicemanager:binder { call transfer };
#line 8
# Allow servicemanager to send out callbacks
#line 8
allow servicemanager hal_tetheroffload_server:binder { call transfer };
#line 8
# servicemanager performs getpidcon on clients.
#line 8
allow servicemanager hal_tetheroffload_server:dir search;
#line 8
allow servicemanager hal_tetheroffload_server:file { read open };
#line 8
allow servicemanager hal_tetheroffload_server:process getattr;
#line 8
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 8
# all domains in domain.te.
#line 8
# allow the client to pass the server already open netlink sockets
# The server gets no "create" or "bind" on this class, only use of sockets
# labelled with the client's domain, so it depends on the client handing
# them over.
allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };
#line 1 "system/sepolicy/public/hal_thermal.te"
# Expanded policy for hal_thermal.te. "#line N" markers name the source line
# whose expansion follows.
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_thermal_client hal_thermal_server:binder { call transfer };
#line 2
# Allow the server domain to transfer references to the client on the reply.
#line 2
allow hal_thermal_server hal_thermal_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_thermal_client hal_thermal_server:fd use;
#line 2
#line 3
# Reverse direction (callbacks): server may call into the client.
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_thermal_server hal_thermal_client:binder { call transfer };
#line 3
# Allow the server domain to transfer references to the client on the reply.
#line 3
allow hal_thermal_client hal_thermal_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_thermal_server hal_thermal_client:fd use;
#line 3
#line 5
# HIDL registration: only hal_thermal_server may register the hwservice.
allow hal_thermal_client hal_thermal_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_thermal_server hal_thermal_hwservice:hwservice_manager { add find };
#line 5
allow hal_thermal_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_thermal_server } hal_thermal_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
# AIDL registration: only hal_thermal_server may add the service.
allow hal_thermal_client hal_thermal_service:service_manager find;
#line 6
#line 6
allow hal_thermal_server hal_thermal_service:service_manager { add find };
#line 6
neverallow { domain -hal_thermal_server } hal_thermal_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
# (No rule follows the comment above in this expansion.)
#line 6
#line 6
#line 6
#line 6
#line 8
# Source line 8 repeats the "add find" grant and the neverallow already
# produced by line 6. Duplicate allow/neverallow rules are merged by the
# policy compiler, so this is redundant but harmless.
allow hal_thermal_server hal_thermal_service:service_manager { add find };
#line 8
neverallow { domain -hal_thermal_server } hal_thermal_service:service_manager add;
#line 8
#line 8
# On debug builds with root, allow binder services to use binder over TCP.
#line 8
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 8
#line 8
#line 9
# Call the server domain and optionally transfer references to it.
#line 9
allow hal_thermal_server servicemanager:binder { call transfer };
#line 9
# Allow the server domain to transfer references to the client on the reply.
#line 9
# servicemanager gets only "transfer" toward the server here (no "call", no
# getpidcon dir/file/process access), unlike some other HAL sections.
allow servicemanager hal_thermal_server:binder transfer;
#line 9
# Receive and use open files from the server.
#line 9
allow hal_thermal_server servicemanager:fd use;
#line 9
#line 10
# Same shape for the client side.
# Call the server domain and optionally transfer references to it.
#line 10
allow hal_thermal_client servicemanager:binder { call transfer };
#line 10
# Allow the server domain to transfer references to the client on the reply.
#line 10
allow servicemanager hal_thermal_client:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow hal_thermal_client servicemanager:fd use;
#line 10
#line 1 "system/sepolicy/public/hal_threadnetwork.te"
# Expanded policy for hal_threadnetwork.te. "#line N" markers name the
# source line whose expansion follows. AIDL-only: no hwservice rules here.
#line 1
# Call the server domain and optionally transfer references to it.
#line 1
allow hal_threadnetwork_client hal_threadnetwork_server:binder { call transfer };
#line 1
# Allow the server domain to transfer references to the client on the reply.
#line 1
allow hal_threadnetwork_server hal_threadnetwork_client:binder transfer;
#line 1
# Receive and use open files from the server.
#line 1
allow hal_threadnetwork_client hal_threadnetwork_server:fd use;
#line 1
#line 2
# Reverse direction (callbacks): server may call into the client.
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_threadnetwork_server hal_threadnetwork_client:binder { call transfer };
#line 2
# Allow the server domain to transfer references to the client on the reply.
#line 2
allow hal_threadnetwork_client hal_threadnetwork_server:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_threadnetwork_server hal_threadnetwork_client:fd use;
#line 2
#line 4
# AIDL registration: only hal_threadnetwork_server may add the service; any
# other domain granted "add" fails the neverallow at policy build time.
allow hal_threadnetwork_client hal_threadnetwork_service:service_manager find;
#line 4
#line 4
allow hal_threadnetwork_server hal_threadnetwork_service:service_manager { add find };
#line 4
neverallow { domain -hal_threadnetwork_server } hal_threadnetwork_service:service_manager add;
#line 4
#line 4
# On debug builds with root, allow binder services to use binder over TCP.
#line 4
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 4
# (No rule follows the comment above in this expansion.)
#line 4
#line 4
#line 4
#line 4
#line 6
# Call the server domain and optionally transfer references to it.
#line 6
allow hal_threadnetwork_server servicemanager:binder { call transfer };
#line 6
# Allow the server domain to transfer references to the client on the reply.
#line 6
# servicemanager gets only "transfer" toward server and client here (no
# "call", no getpidcon dir/file/process access).
allow servicemanager hal_threadnetwork_server:binder transfer;
#line 6
# Receive and use open files from the server.
#line 6
allow hal_threadnetwork_server servicemanager:fd use;
#line 6
#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow hal_threadnetwork_client servicemanager:binder { call transfer };
#line 7
# Allow the server domain to transfer references to the client on the reply.
#line 7
allow servicemanager hal_threadnetwork_client:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow hal_threadnetwork_client servicemanager:fd use;
#line 7
#line 1 "system/sepolicy/public/hal_tv_cec.te"
# Expanded policy for hal_tv_cec.te. "#line N" markers name the source line
# whose expansion follows. HIDL-only: this section carries no service_manager
# or servicemanager rules.
# HwBinder IPC from clients into server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_tv_cec_client hal_tv_cec_server:binder { call transfer };
#line 2
# Allow the server domain to transfer references to the client on the reply.
#line 2
allow hal_tv_cec_server hal_tv_cec_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_tv_cec_client hal_tv_cec_server:fd use;
#line 2
#line 3
# Reverse direction (callbacks): server may call into the client.
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_tv_cec_server hal_tv_cec_client:binder { call transfer };
#line 3
# Allow the server domain to transfer references to the client on the reply.
#line 3
allow hal_tv_cec_client hal_tv_cec_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_tv_cec_server hal_tv_cec_client:fd use;
#line 3
#line 5
# HIDL registration: clients may only look the hwservice up; only
# hal_tv_cec_server may register it (enforced by the neverallow).
allow hal_tv_cec_client hal_tv_cec_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_tv_cec_server hal_tv_cec_hwservice:hwservice_manager { add find };
#line 5
allow hal_tv_cec_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_tv_cec_server } hal_tv_cec_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 1 "system/sepolicy/public/hal_tv_hdmi_cec.te"
# Expanded policy for hal_tv_hdmi_cec.te. "#line N" markers name the source
# line whose expansion follows. AIDL-only: no hwservice rules here.
# Binder IPC from clients into server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_tv_hdmi_cec_client hal_tv_hdmi_cec_server:binder { call transfer };
#line 2
# Allow the server domain to transfer references to the client on the reply.
#line 2
allow hal_tv_hdmi_cec_server hal_tv_hdmi_cec_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_tv_hdmi_cec_client hal_tv_hdmi_cec_server:fd use;
#line 2
#line 3
# Reverse direction (callbacks): server may call into the client.
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_tv_hdmi_cec_server hal_tv_hdmi_cec_client:binder { call transfer };
#line 3
# Allow the server domain to transfer references to the client on the reply.
#line 3
allow hal_tv_hdmi_cec_client hal_tv_hdmi_cec_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_tv_hdmi_cec_server hal_tv_hdmi_cec_client:fd use;
#line 3
#line 4
# Client <-> servicemanager, including the dir/file/process access
# servicemanager needs to read the caller's context.
# Call the servicemanager and transfer references to it.
#line 4
allow hal_tv_hdmi_cec_client servicemanager:binder { call transfer };
#line 4
# Allow servicemanager to send out callbacks
#line 4
allow servicemanager hal_tv_hdmi_cec_client:binder { call transfer };
#line 4
# servicemanager performs getpidcon on clients.
#line 4
allow servicemanager hal_tv_hdmi_cec_client:dir search;
#line 4
allow servicemanager hal_tv_hdmi_cec_client:file { read open };
#line 4
allow servicemanager hal_tv_hdmi_cec_client:process getattr;
#line 4
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 4
# all domains in domain.te.
#line 4
#line 5
# Server <-> servicemanager, same shape as the client rules above.
# Call the servicemanager and transfer references to it.
#line 5
allow hal_tv_hdmi_cec_server servicemanager:binder { call transfer };
#line 5
# Allow servicemanager to send out callbacks
#line 5
allow servicemanager hal_tv_hdmi_cec_server:binder { call transfer };
#line 5
# servicemanager performs getpidcon on clients.
#line 5
allow servicemanager hal_tv_hdmi_cec_server:dir search;
#line 5
allow servicemanager hal_tv_hdmi_cec_server:file { read open };
#line 5
allow servicemanager hal_tv_hdmi_cec_server:process getattr;
#line 5
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 5
# all domains in domain.te.
#line 5
#line 7
# AIDL registration: only hal_tv_hdmi_cec_server may add the service; any
# other domain granted "add" fails the neverallow at policy build time.
allow hal_tv_hdmi_cec_client hal_tv_hdmi_cec_service:service_manager find;
#line 7
#line 7
allow hal_tv_hdmi_cec_server hal_tv_hdmi_cec_service:service_manager { add find };
#line 7
neverallow { domain -hal_tv_hdmi_cec_server } hal_tv_hdmi_cec_service:service_manager add;
#line 7
#line 7
# On debug builds with root, allow binder services to use binder over TCP.
#line 7
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 7
# (No rule follows the comment above in this expansion.)
#line 7
#line 7
#line 7
#line 7
#line 1 "system/sepolicy/public/hal_tv_hdmi_connection.te"
# Expanded policy for hal_tv_hdmi_connection.te. "#line N" markers name the
# source line whose expansion follows. AIDL-only: no hwservice rules here.
# Binder IPC from clients into server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_tv_hdmi_connection_client hal_tv_hdmi_connection_server:binder { call transfer };
#line 2
# Allow the server domain to transfer references to the client on the reply.
#line 2
allow hal_tv_hdmi_connection_server hal_tv_hdmi_connection_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_tv_hdmi_connection_client hal_tv_hdmi_connection_server:fd use;
#line 2
#line 3
# Reverse direction (callbacks): server may call into the client.
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_tv_hdmi_connection_server hal_tv_hdmi_connection_client:binder { call transfer };
#line 3
# Allow the server domain to transfer references to the client on the reply.
#line 3
allow hal_tv_hdmi_connection_client hal_tv_hdmi_connection_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_tv_hdmi_connection_server hal_tv_hdmi_connection_client:fd use;
#line 3
#line 4
# Client <-> servicemanager, including the dir/file/process access
# servicemanager needs to read the caller's context.
# Call the servicemanager and transfer references to it.
#line 4
allow hal_tv_hdmi_connection_client servicemanager:binder { call transfer };
#line 4
# Allow servicemanager to send out callbacks
#line 4
allow servicemanager hal_tv_hdmi_connection_client:binder { call transfer };
#line 4
# servicemanager performs getpidcon on clients.
#line 4
allow servicemanager hal_tv_hdmi_connection_client:dir search;
#line 4
allow servicemanager hal_tv_hdmi_connection_client:file { read open };
#line 4
allow servicemanager hal_tv_hdmi_connection_client:process getattr;
#line 4
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 4
# all domains in domain.te.
#line 4
#line 5
# Server <-> servicemanager, same shape as the client rules above.
# Call the servicemanager and transfer references to it.
#line 5
allow hal_tv_hdmi_connection_server servicemanager:binder { call transfer };
#line 5
# Allow servicemanager to send out callbacks
#line 5
allow servicemanager hal_tv_hdmi_connection_server:binder { call transfer };
#line 5
# servicemanager performs getpidcon on clients.
#line 5
allow servicemanager hal_tv_hdmi_connection_server:dir search;
#line 5
allow servicemanager hal_tv_hdmi_connection_server:file { read open };
#line 5
allow servicemanager hal_tv_hdmi_connection_server:process getattr;
#line 5
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 5
# all domains in domain.te.
#line 5
#line 7
# AIDL registration: only hal_tv_hdmi_connection_server may add the service;
# any other domain granted "add" fails the neverallow at policy build time.
allow hal_tv_hdmi_connection_client hal_tv_hdmi_connection_service:service_manager find;
#line 7
#line 7
allow hal_tv_hdmi_connection_server hal_tv_hdmi_connection_service:service_manager { add find };
#line 7
neverallow { domain -hal_tv_hdmi_connection_server } hal_tv_hdmi_connection_service:service_manager add;
#line 7
#line 7
# On debug builds with root, allow binder services to use binder over TCP.
#line 7
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 7
# (No rule follows the comment above in this expansion.)
#line 7
#line 7
#line 7
#line 7
#line 1 "system/sepolicy/public/hal_tv_hdmi_earc.te"
# Expanded policy for hal_tv_hdmi_earc.te. "#line N" markers name the source
# line whose expansion follows. AIDL-only: no hwservice rules here.
# Binder IPC from clients into server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_tv_hdmi_earc_client hal_tv_hdmi_earc_server:binder { call transfer };
#line 2
# Allow the server domain to transfer references to the client on the reply.
#line 2
allow hal_tv_hdmi_earc_server hal_tv_hdmi_earc_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_tv_hdmi_earc_client hal_tv_hdmi_earc_server:fd use;
#line 2
#line 3
# Reverse direction (callbacks): server may call into the client.
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_tv_hdmi_earc_server hal_tv_hdmi_earc_client:binder { call transfer };
#line 3
# Allow the server domain to transfer references to the client on the reply.
#line 3
allow hal_tv_hdmi_earc_client hal_tv_hdmi_earc_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_tv_hdmi_earc_server hal_tv_hdmi_earc_client:fd use;
#line 3
#line 4
# Client <-> servicemanager, including the dir/file/process access
# servicemanager needs to read the caller's context.
# Call the servicemanager and transfer references to it.
#line 4
allow hal_tv_hdmi_earc_client servicemanager:binder { call transfer };
#line 4
# Allow servicemanager to send out callbacks
#line 4
allow servicemanager hal_tv_hdmi_earc_client:binder { call transfer };
#line 4
# servicemanager performs getpidcon on clients.
#line 4
allow servicemanager hal_tv_hdmi_earc_client:dir search;
#line 4
allow servicemanager hal_tv_hdmi_earc_client:file { read open };
#line 4
allow servicemanager hal_tv_hdmi_earc_client:process getattr;
#line 4
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 4
# all domains in domain.te.
#line 4
#line 5
# Server <-> servicemanager, same shape as the client rules above.
# Call the servicemanager and transfer references to it.
#line 5
allow hal_tv_hdmi_earc_server servicemanager:binder { call transfer };
#line 5
# Allow servicemanager to send out callbacks
#line 5
allow servicemanager hal_tv_hdmi_earc_server:binder { call transfer };
#line 5
# servicemanager performs getpidcon on clients.
#line 5
allow servicemanager hal_tv_hdmi_earc_server:dir search;
#line 5
allow servicemanager hal_tv_hdmi_earc_server:file { read open };
#line 5
allow servicemanager hal_tv_hdmi_earc_server:process getattr;
#line 5
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 5
# all domains in domain.te.
#line 5
#line 7
# AIDL registration: only hal_tv_hdmi_earc_server may add the service; any
# other domain granted "add" fails the neverallow at policy build time.
allow hal_tv_hdmi_earc_client hal_tv_hdmi_earc_service:service_manager find;
#line 7
#line 7
allow hal_tv_hdmi_earc_server hal_tv_hdmi_earc_service:service_manager { add find };
#line 7
neverallow { domain -hal_tv_hdmi_earc_server } hal_tv_hdmi_earc_service:service_manager add;
#line 7
#line 7
# On debug builds with root, allow binder services to use binder over TCP.
#line 7
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 7
# (No rule follows the comment above in this expansion.)
#line 7
#line 7
#line 7
#line 7
#line 1 "system/sepolicy/public/hal_tv_input.te"
# HwBinder IPC from clients into server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_tv_input_client hal_tv_input_server:binder { call transfer };
#line 2
# Allow the serverdomain to transfer references to the client on the reply.
#line 2
allow hal_tv_input_server hal_tv_input_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_tv_input_client hal_tv_input_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_tv_input_server hal_tv_input_client:binder { call transfer };
#line 3
# Allow the serverdomain to transfer references to the client on the reply.
#line 3
allow hal_tv_input_client hal_tv_input_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_tv_input_server hal_tv_input_client:fd use;
#line 3
#line 5
allow hal_tv_input_client hal_tv_input_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_tv_input_server hal_tv_input_hwservice:hwservice_manager { add find };
#line 5
allow hal_tv_input_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_tv_input_server } hal_tv_input_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
allow hal_tv_input_client hal_tv_input_service:service_manager find;
#line 6
#line 6
allow hal_tv_input_server hal_tv_input_service:service_manager { add find };
#line 6
neverallow { domain -hal_tv_input_server } hal_tv_input_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
#line 6
#line 6
#line 6
#line 6
#line 8
# Call the server domain and optionally transfer references to it.
#line 8
allow hal_tv_input_server servicemanager:binder { call transfer };
#line 8
# Allow the server domain to transfer references to the client on the reply.
#line 8
allow servicemanager hal_tv_input_server:binder transfer;
#line 8
# Receive and use open files from the server.
#line 8
allow hal_tv_input_server servicemanager:fd use;
#line 8
#line 9
# Call the server domain and optionally transfer references to it.
#line 9
allow hal_tv_input_client servicemanager:binder { call transfer };
#line 9
# Allow the server domain to transfer references to the client on the reply.
#line 9
allow servicemanager hal_tv_input_client:binder transfer;
#line 9
# Receive and use open files from the server.
#line 9
allow hal_tv_input_client servicemanager:fd use;
#line 9
#line 1 "system/sepolicy/public/hal_tv_tuner.te"
#line 1
# Call the server domain and optionally transfer references to it.
#line 1
allow hal_tv_tuner_client hal_tv_tuner_server:binder { call transfer };
#line 1
# Allow the server domain to transfer references to the client on the reply.
#line 1
allow hal_tv_tuner_server hal_tv_tuner_client:binder transfer;
#line 1
# Receive and use open files from the server.
#line 1
allow hal_tv_tuner_client hal_tv_tuner_server:fd use;
#line 1
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_tv_tuner_server hal_tv_tuner_client:binder { call transfer };
#line 2
# Allow the server domain to transfer references to the client on the reply.
#line 2
allow hal_tv_tuner_client hal_tv_tuner_server:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_tv_tuner_server hal_tv_tuner_client:fd use;
#line 2
#line 4
allow hal_tv_tuner_client hal_tv_tuner_hwservice:hwservice_manager find;
#line 4
#line 4
allow hal_tv_tuner_server hal_tv_tuner_hwservice:hwservice_manager { add find };
#line 4
allow hal_tv_tuner_server hidl_base_hwservice:hwservice_manager add;
#line 4
neverallow { domain -hal_tv_tuner_server } hal_tv_tuner_hwservice:hwservice_manager add;
#line 4
#line 4
#line 4
#line 4
#line 5
allow hal_tv_tuner_client hal_tv_tuner_service:service_manager find;
#line 5
#line 5
allow hal_tv_tuner_server hal_tv_tuner_service:service_manager { add find };
#line 5
neverallow { domain -hal_tv_tuner_server } hal_tv_tuner_service:service_manager add;
#line 5
#line 5
# On debug builds with root, allow binder services to use binder over TCP.
#line 5
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 5
#line 5
#line 5
#line 5
#line 5
#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow hal_tv_tuner_server servicemanager:binder { call transfer };
#line 7
# Allow the server domain to transfer references to the client on the reply.
#line 7
allow servicemanager hal_tv_tuner_server:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow hal_tv_tuner_server servicemanager:fd use;
#line 7
#line 8
# Call the server domain and optionally transfer references to it.
#line 8
allow hal_tv_tuner_client servicemanager:binder { call transfer };
#line 8
# Allow the server domain to transfer references to the client on the reply.
#line 8
allow servicemanager hal_tv_tuner_client:binder transfer;
#line 8
# Receive and use open files from the server.
#line 8
allow hal_tv_tuner_client servicemanager:fd use;
#line 8
#line 1 "system/sepolicy/public/hal_usb.te"
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_usb_client hal_usb_server:binder { call transfer };
#line 2
# Allow the server domain to transfer references to the client on the reply.
#line 2
allow hal_usb_server hal_usb_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_usb_client hal_usb_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_usb_server hal_usb_client:binder { call transfer };
#line 3
# Allow the server domain to transfer references to the client on the reply.
#line 3
allow hal_usb_client hal_usb_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_usb_server hal_usb_client:fd use;
#line 3
#line 5
allow hal_usb_client hal_usb_service:service_manager find;
#line 5
#line 5
allow hal_usb_server hal_usb_service:service_manager { add find };
#line 5
neverallow { domain -hal_usb_server } hal_usb_service:service_manager add;
#line 5
#line 5
# On debug builds with root, allow binder services to use binder over TCP.
#line 5
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 5
#line 5
#line 5
#line 5
#line 5
#line 6
# Call the server domain and optionally transfer references to it.
#line 6
allow hal_usb_server servicemanager:binder { call transfer };
#line 6
# Allow the server domain to transfer references to the client on the reply.
#line 6
allow servicemanager hal_usb_server:binder transfer;
#line 6
# Receive and use open files from the server.
#line 6
allow hal_usb_server servicemanager:fd use;
#line 6
#line 8
allow hal_usb_client hal_usb_hwservice:hwservice_manager find;
#line 8
#line 8
allow hal_usb_server hal_usb_hwservice:hwservice_manager { add find };
#line 8
allow hal_usb_server hidl_base_hwservice:hwservice_manager add;
#line 8
neverallow { domain -hal_usb_server } hal_usb_hwservice:hwservice_manager add;
#line 8
#line 8
#line 8
#line 8
allow hal_usb self:netlink_kobject_uevent_socket create;
allow hal_usb self:netlink_kobject_uevent_socket setopt;
allow hal_usb self:netlink_kobject_uevent_socket getopt;
allow hal_usb self:netlink_kobject_uevent_socket bind;
allow hal_usb self:netlink_kobject_uevent_socket read;
allow hal_usb sysfs:dir open;
allow hal_usb sysfs:dir read;
allow hal_usb sysfs:file read;
allow hal_usb sysfs:file open;
allow hal_usb sysfs:file write;
allow hal_usb sysfs:file getattr;
#line 1 "system/sepolicy/public/hal_usb_gadget.te"
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_usb_gadget_client hal_usb_gadget_server:binder { call transfer };
#line 2
# Allow the server domain to transfer references to the client on the reply.
#line 2
allow hal_usb_gadget_server hal_usb_gadget_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_usb_gadget_client hal_usb_gadget_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_usb_gadget_server hal_usb_gadget_client:binder { call transfer };
#line 3
# Allow the server domain to transfer references to the client on the reply.
#line 3
allow hal_usb_gadget_client hal_usb_gadget_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_usb_gadget_server hal_usb_gadget_client:fd use;
#line 3
#line 5
allow hal_usb_gadget_client hal_usb_gadget_service:service_manager find;
#line 5
#line 5
allow hal_usb_gadget_server hal_usb_gadget_service:service_manager { add find };
#line 5
neverallow { domain -hal_usb_gadget_server } hal_usb_gadget_service:service_manager add;
#line 5
#line 5
# On debug builds with root, allow binder services to use binder over TCP.
#line 5
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 5
#line 5
#line 5
#line 5
#line 5
#line 6
# Call the server domain and optionally transfer references to it.
#line 6
allow hal_usb_gadget_server servicemanager:binder { call transfer };
#line 6
# Allow the server domain to transfer references to the client on the reply.
#line 6
allow servicemanager hal_usb_gadget_server:binder transfer;
#line 6
# Receive and use open files from the server.
#line 6
allow hal_usb_gadget_server servicemanager:fd use;
#line 6
#line 8
allow hal_usb_gadget_client hal_usb_gadget_hwservice:hwservice_manager find;
#line 8
#line 8
allow hal_usb_gadget_server hal_usb_gadget_hwservice:hwservice_manager { add find };
#line 8
allow hal_usb_gadget_server hidl_base_hwservice:hwservice_manager add;
#line 8
neverallow { domain -hal_usb_gadget_server } hal_usb_gadget_hwservice:hwservice_manager add;
#line 8
#line 8
#line 8
#line 8
# Configuring usb gadget functions
allow hal_usb_gadget_server configfs:lnk_file { read create unlink};
allow hal_usb_gadget_server configfs:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow hal_usb_gadget_server configfs:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow hal_usb_gadget_server functionfs:dir { read search };
allow hal_usb_gadget_server functionfs:file read;
allow hal_usb_gadget_server proc_interrupts:file { getattr open read ioctl lock map watch watch_reads };
# Read access to ro.usb.uvc.enabled
#line 19
allow hal_usb_gadget_server usb_uvc_enabled_prop:file { getattr open read map };
#line 19
#line 1 "system/sepolicy/public/hal_uwb.te"
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_uwb_client hal_uwb_server:binder { call transfer };
#line 2
# Allow the server domain to transfer references to the client on the reply.
#line 2
allow hal_uwb_server hal_uwb_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_uwb_client hal_uwb_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_uwb_server hal_uwb_client:binder { call transfer };
#line 3
# Allow the server domain to transfer references to the client on the reply.
#line 3
allow hal_uwb_client hal_uwb_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_uwb_server hal_uwb_client:fd use;
#line 3
#line 5
allow hal_uwb_client hal_uwb_service:service_manager find;
#line 5
#line 5
allow hal_uwb_server hal_uwb_service:service_manager { add find };
#line 5
neverallow { domain -hal_uwb_server } hal_uwb_service:service_manager add;
#line 5
#line 5
# On debug builds with root, allow binder services to use binder over TCP.
#line 5
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 5
#line 5
#line 5
#line 5
#line 5
#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow hal_uwb_server servicemanager:binder { call transfer };
#line 7
# Allow the server domain to transfer references to the client on the reply.
#line 7
allow servicemanager hal_uwb_server:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow hal_uwb_server servicemanager:fd use;
#line 7
#line 8
# Call the server domain and optionally transfer references to it.
#line 8
allow hal_uwb_client servicemanager:binder { call transfer };
#line 8
# Allow the server domain to transfer references to the client on the reply.
#line 8
allow servicemanager hal_uwb_client:binder transfer;
#line 8
# Receive and use open files from the server.
#line 8
allow hal_uwb_client servicemanager:fd use;
#line 8
#line 1 "system/sepolicy/public/hal_vehicle.te"
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_vehicle_client hal_vehicle_server:binder { call transfer };
#line 2
# Allow the server domain to transfer references to the client on the reply.
#line 2
allow hal_vehicle_server hal_vehicle_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_vehicle_client hal_vehicle_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_vehicle_server hal_vehicle_client:binder { call transfer };
#line 3
# Allow the server domain to transfer references to the client on the reply.
#line 3
allow hal_vehicle_client hal_vehicle_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_vehicle_server hal_vehicle_client:fd use;
#line 3
#line 6
allow hal_vehicle_client hal_vehicle_hwservice:hwservice_manager find;
#line 6
#line 6
allow hal_vehicle_server hal_vehicle_hwservice:hwservice_manager { add find };
#line 6
allow hal_vehicle_server hidl_base_hwservice:hwservice_manager add;
#line 6
neverallow { domain -hal_vehicle_server } hal_vehicle_hwservice:hwservice_manager add;
#line 6
#line 6
#line 6
#line 6
#line 7
allow hal_vehicle_client hal_vehicle_service:service_manager find;
#line 7
#line 7
allow hal_vehicle_server hal_vehicle_service:service_manager { add find };
#line 7
neverallow { domain -hal_vehicle_server } hal_vehicle_service:service_manager add;
#line 7
#line 7
# On debug builds with root, allow binder services to use binder over TCP.
#line 7
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 7
#line 7
#line 7
#line 7
#line 7
#line 1 "system/sepolicy/public/hal_vibrator.te"
# HwBinder IPC client/server
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_vibrator_client hal_vibrator_server:binder { call transfer };
#line 2
# Allow the server domain to transfer references to the client on the reply.
#line 2
allow hal_vibrator_server hal_vibrator_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_vibrator_client hal_vibrator_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_vibrator_server hal_vibrator_client:binder { call transfer };
#line 3
# Allow the server domain to transfer references to the client on the reply.
#line 3
allow hal_vibrator_client hal_vibrator_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_vibrator_server hal_vibrator_client:fd use;
#line 3
;
#line 5
allow hal_vibrator_client hal_vibrator_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_vibrator_server hal_vibrator_hwservice:hwservice_manager { add find };
#line 5
allow hal_vibrator_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_vibrator_server } hal_vibrator_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
allow hal_vibrator_client hal_vibrator_service:service_manager find;
#line 6
#line 6
allow hal_vibrator_server hal_vibrator_service:service_manager { add find };
#line 6
neverallow { domain -hal_vibrator_server } hal_vibrator_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
#line 6
#line 6
#line 6
#line 6
#line 8
# Call the server domain and optionally transfer references to it.
#line 8
allow hal_vibrator_server servicemanager:binder { call transfer };
#line 8
# Allow the server domain to transfer references to the client on the reply.
#line 8
allow servicemanager hal_vibrator_server:binder transfer;
#line 8
# Receive and use open files from the server.
#line 8
allow hal_vibrator_server servicemanager:fd use;
#line 8
allow hal_vibrator_server dumpstate:fifo_file write;
# vibrator sysfs rw access
allow hal_vibrator sysfs_vibrator:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow hal_vibrator sysfs_vibrator:dir search;
# Allow HAL vibrator to control some parameters of a vibration, such as scaling.
allow hal_vibrator fwk_vibrator_control_service:service_manager find;
#line 1 "system/sepolicy/public/hal_vr.te"
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_vr_client hal_vr_server:binder { call transfer };
#line 2
# Allow the server domain to transfer references to the client on the reply.
#line 2
allow hal_vr_server hal_vr_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_vr_client hal_vr_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_vr_server hal_vr_client:binder { call transfer };
#line 3
# Allow the server domain to transfer references to the client on the reply.
#line 3
allow hal_vr_client hal_vr_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_vr_server hal_vr_client:fd use;
#line 3
#line 5
allow hal_vr_client hal_vr_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_vr_server hal_vr_hwservice:hwservice_manager { add find };
#line 5
allow hal_vr_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_vr_server } hal_vr_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 1 "system/sepolicy/public/hal_weaver.te"
# HwBinder IPC from client to server
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_weaver_client hal_weaver_server:binder { call transfer };
#line 2
# Allow the server domain to transfer references to the client on the reply.
#line 2
allow hal_weaver_server hal_weaver_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_weaver_client hal_weaver_server:fd use;
#line 2
#line 4
allow hal_weaver_client hal_weaver_hwservice:hwservice_manager find;
#line 4
#line 4
allow hal_weaver_server hal_weaver_hwservice:hwservice_manager { add find };
#line 4
allow hal_weaver_server hidl_base_hwservice:hwservice_manager add;
#line 4
neverallow { domain -hal_weaver_server } hal_weaver_hwservice:hwservice_manager add;
#line 4
#line 4
#line 4
#line 4
#line 5
allow hal_weaver_client hal_weaver_service:service_manager find;
#line 5
#line 5
allow hal_weaver_server hal_weaver_service:service_manager { add find };
#line 5
neverallow { domain -hal_weaver_server } hal_weaver_service:service_manager add;
#line 5
#line 5
# On debug builds with root, allow binder services to use binder over TCP.
#line 5
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 5
#line 5
#line 5
#line 5
#line 5
#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow hal_weaver_server servicemanager:binder { call transfer };
#line 7
# Allow the server domain to transfer references to the client on the reply.
#line 7
allow servicemanager hal_weaver_server:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow hal_weaver_server servicemanager:fd use;
#line 7
#line 1 "system/sepolicy/public/hal_wifi.te"
# HwBinder IPC from client to server, and callbacks
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_wifi_client hal_wifi_server:binder { call transfer };
#line 2
# Allow the server domain to transfer references to the client on the reply.
#line 2
allow hal_wifi_server hal_wifi_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_wifi_client hal_wifi_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_wifi_server hal_wifi_client:binder { call transfer };
#line 3
# Allow the server domain to transfer references to the client on the reply.
#line 3
allow hal_wifi_client hal_wifi_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_wifi_server hal_wifi_client:fd use;
#line 3
#line 5
allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_wifi_server hal_wifi_hwservice:hwservice_manager { add find };
#line 5
allow hal_wifi_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_wifi_server } hal_wifi_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
allow hal_wifi_client hal_wifi_service:service_manager find;
#line 6
#line 6
allow hal_wifi_server hal_wifi_service:service_manager { add find };
#line 6
neverallow { domain -hal_wifi_server } hal_wifi_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
#line 6
#line 6
#line 6
#line 6
#line 8
# Call the servicemanager and transfer references to it.
#line 8
allow hal_wifi_server servicemanager:binder { call transfer };
#line 8
# Allow servicemanager to send out callbacks
#line 8
allow servicemanager hal_wifi_server:binder { call transfer };
#line 8
# servicemanager performs getpidcon on clients.
#line 8
allow servicemanager hal_wifi_server:dir search;
#line 8
allow servicemanager hal_wifi_server:file { read open };
#line 8
allow servicemanager hal_wifi_server:process getattr;
#line 8
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 8
# all domains in domain.te.
#line 8
#line 10
allow hal_wifi proc_net_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 10
allow hal_wifi proc_net_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 10
#line 11
allow hal_wifi sysfs_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 11
allow hal_wifi sysfs_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 11
#line 13
#line 13
allow hal_wifi_server property_socket:sock_file write;
#line 13
allow hal_wifi_server init:unix_stream_socket connectto;
#line 13
#line 13
allow hal_wifi_server wifi_hal_prop:property_service set;
#line 13
#line 13
allow hal_wifi_server wifi_hal_prop:file { getattr open read map };
#line 13
#line 13
#line 14
#line 14
allow hal_wifi property_socket:sock_file write;
#line 14
allow hal_wifi init:unix_stream_socket connectto;
#line 14
#line 14
allow hal_wifi wifi_prop:property_service set;
#line 14
#line 14
allow hal_wifi wifi_prop:file { getattr open read map };
#line 14
#line 14
# allow hal_wifi to set interfaces up and down and to get the factory MAC
allow hal_wifi self:udp_socket { create { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allowxperm hal_wifi self:udp_socket ioctl { 0x00008914 0x00008924 0x00008946 };
allow hal_wifi self:{ capability cap_userns } { net_admin net_raw };
# allow hal_wifi to speak to nl80211 in the kernel
allow hal_wifi self:netlink_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# newer kernels (e.g. 4.4 but not 4.1) have a separate class for these sockets (netlink_generic_socket)
allow hal_wifi self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# hal_wifi writes firmware paths to this file.
allow hal_wifi sysfs_wlan_fwpath:file { { open append write lock map } };
# allow hal_wifi to read /proc/modules to check whether the Wi-Fi driver is loaded
allow hal_wifi proc_modules:file { getattr open read };
# Allow hal_wifi to send dump info to dumpstate
allow hal_wifi dumpstate:fifo_file write;
# allow hal_wifi to write into /data/vendor/tombstones/wifi
allow hal_wifi_server tombstone_wifi_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow hal_wifi_server tombstone_wifi_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
#line 1 "system/sepolicy/public/hal_wifi_hostapd.te"
# HwBinder IPC from client to server
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_wifi_hostapd_client hal_wifi_hostapd_server:binder { call transfer };
#line 2
# Allow the server domain to transfer references to the client on the reply.
#line 2
allow hal_wifi_hostapd_server hal_wifi_hostapd_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_wifi_hostapd_client hal_wifi_hostapd_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_wifi_hostapd_server hal_wifi_hostapd_client:binder { call transfer };
#line 3
# Allow the server domain to transfer references to the client on the reply.
#line 3
allow hal_wifi_hostapd_client hal_wifi_hostapd_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_wifi_hostapd_server hal_wifi_hostapd_client:fd use;
#line 3
#line 5
allow hal_wifi_hostapd_client hal_wifi_hostapd_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_wifi_hostapd_server hal_wifi_hostapd_hwservice:hwservice_manager { add find };
#line 5
allow hal_wifi_hostapd_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_wifi_hostapd_server } hal_wifi_hostapd_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
allow hal_wifi_hostapd_client hal_wifi_hostapd_service:service_manager find;
#line 6
#line 6
allow hal_wifi_hostapd_server hal_wifi_hostapd_service:service_manager { add find };
#line 6
neverallow { domain -hal_wifi_hostapd_server } hal_wifi_hostapd_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
#line 6
#line 6
#line 6
#line 6
#line 8
# Call the servicemanager and transfer references to it.
#line 8
allow hal_wifi_hostapd_server servicemanager:binder { call transfer };
#line 8
# Allow servicemanager to send out callbacks
#line 8
allow servicemanager hal_wifi_hostapd_server:binder { call transfer };
#line 8
# servicemanager performs getpidcon on clients.
#line 8
allow servicemanager hal_wifi_hostapd_server:dir search;
#line 8
allow servicemanager hal_wifi_hostapd_server:file { read open };
#line 8
allow servicemanager hal_wifi_hostapd_server:process getattr;
#line 8
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 8
# all domains in domain.te.
#line 8
allow hal_wifi_hostapd_server dumpstate:fifo_file write;
allow hal_wifi_hostapd_server self:{ capability cap_userns } { net_admin net_raw };
allow hal_wifi_hostapd_server sysfs_net:dir search;
# Allow hal_wifi_hostapd to access /proc/net/psched
allow hal_wifi_hostapd_server proc_net_type:file { getattr open read };
# Various socket permissions.
allowxperm hal_wifi_hostapd_server self:udp_socket ioctl
#line 20
{
#line 20
# qualcomm rmnet ioctls
#line 20
0x00006900 0x00006902
#line 20
# socket ioctls
#line 20
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 20
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 20
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 20
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 20
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 20
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 20
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 20
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 20
0x00008991 0x00008992 0x00008993 0x00008994
#line 20
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 20
# device and protocol specific ioctls
#line 20
0x000089f0-0x000089ff
#line 20
0x000089e0-0x000089ef
#line 20
# Wireless extension ioctls
#line 20
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 20
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 20
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 20
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 20
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 20
0x00008b34 0x00008b35 0x00008b36
#line 20
# Dev private ioctl i.e. hardware specific ioctls
#line 20
0x00008be0-0x00008bff
#line 20
};
allow hal_wifi_hostapd_server self:netlink_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow hal_wifi_hostapd_server self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow hal_wifi_hostapd_server self:packet_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;
###
### neverallow rules
###
# hal_wifi_hostapd should not trust any data from sdcards
neverallow hal_wifi_hostapd_server { sdcard_type fuse }:dir ~getattr;
neverallow hal_wifi_hostapd_server { sdcard_type fuse }:file *;
#line 1 "system/sepolicy/public/hal_wifi_supplicant.te"
# HwBinder IPC from client to server
#line 2
# Call the server domain and optionally transfer references to it.
#line 2
allow hal_wifi_supplicant_client hal_wifi_supplicant_server:binder { call transfer };
#line 2
# Allow the server domain to transfer references to the client on the reply.
#line 2
allow hal_wifi_supplicant_server hal_wifi_supplicant_client:binder transfer;
#line 2
# Receive and use open files from the server.
#line 2
allow hal_wifi_supplicant_client hal_wifi_supplicant_server:fd use;
#line 2
#line 3
# Call the server domain and optionally transfer references to it.
#line 3
allow hal_wifi_supplicant_server hal_wifi_supplicant_client:binder { call transfer };
#line 3
# Allow the server domain to transfer references to the client on the reply.
#line 3
allow hal_wifi_supplicant_client hal_wifi_supplicant_server:binder transfer;
#line 3
# Receive and use open files from the server.
#line 3
allow hal_wifi_supplicant_server hal_wifi_supplicant_client:fd use;
#line 3
#line 5
allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
#line 5
#line 5
allow hal_wifi_supplicant_server hal_wifi_supplicant_hwservice:hwservice_manager { add find };
#line 5
allow hal_wifi_supplicant_server hidl_base_hwservice:hwservice_manager add;
#line 5
neverallow { domain -hal_wifi_supplicant_server } hal_wifi_supplicant_hwservice:hwservice_manager add;
#line 5
#line 5
#line 5
#line 5
#line 6
allow hal_wifi_supplicant_client hal_wifi_supplicant_service:service_manager find;
#line 6
#line 6
allow hal_wifi_supplicant_server hal_wifi_supplicant_service:service_manager { add find };
#line 6
neverallow { domain -hal_wifi_supplicant_server } hal_wifi_supplicant_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
#line 6
#line 6
#line 6
#line 6
# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl
#line 9
{
#line 9
# qualcomm rmnet ioctls
#line 9
0x00006900 0x00006902
#line 9
# socket ioctls
#line 9
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 9
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 9
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 9
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 9
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 9
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 9
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 9
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 9
0x00008991 0x00008992 0x00008993 0x00008994
#line 9
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 9
# device and protocol specific ioctls
#line 9
0x000089f0-0x000089ff
#line 9
0x000089e0-0x000089ef
#line 9
# Wireless extension ioctls
#line 9
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 9
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 9
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 9
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 9
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 9
0x00008b34 0x00008b35 0x00008b36
#line 9
# Dev private ioctl i.e. hardware specific ioctls
#line 9
0x00008be0-0x00008bff
#line 9
};
#line 11
allow hal_wifi_supplicant sysfs_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 11
allow hal_wifi_supplicant sysfs_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 11
#line 12
allow hal_wifi_supplicant proc_net_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow hal_wifi_supplicant proc_net_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 12
allow hal_wifi_supplicant self:{ capability cap_userns } { setuid net_admin setgid net_raw };
allow hal_wifi_supplicant cgroup:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow hal_wifi_supplicant cgroup_v2:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
allow hal_wifi_supplicant self:netlink_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow hal_wifi_supplicant self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow hal_wifi_supplicant self:packet_socket { create { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allowxperm hal_wifi_supplicant self:packet_socket ioctl {
#line 21
{
#line 21
# Socket ioctls for gathering information about the interface
#line 21
0x00008906 0x00008907
#line 21
0x00008910 0x00008912 0x00008913 0x00008915 0x00008917 0x00008919
#line 21
0x0000891b 0x00008921 0x00008933 0x00008938 0x00008942
#line 21
# Wireless extension ioctls. Primarily get functions.
#line 21
0x00008b01 0x00008b05 0x00008b07 0x00008b09 0x00008b0b 0x00008b0d
#line 21
0x00008b0f 0x00008b11 0x00008b12 0x00008b13 0x00008b21 0x00008b23
#line 21
0x00008b25 0x00008b27 0x00008b29 0x00008b2d
#line 21
}
#line 21
{
#line 21
# qualcomm rmnet ioctls
#line 21
0x00006900 0x00006902
#line 21
# socket ioctls
#line 21
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 21
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 21
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 21
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 21
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 21
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 21
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 21
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 21
0x00008991 0x00008992 0x00008993 0x00008994
#line 21
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 21
# device and protocol specific ioctls
#line 21
0x000089f0-0x000089ff
#line 21
0x000089e0-0x000089ef
#line 21
# Wireless extension ioctls
#line 21
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 21
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 21
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 21
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 21
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 21
0x00008b34 0x00008b35 0x00008b36
#line 21
# Dev private ioctl i.e. hardware specific ioctls
#line 21
0x00008be0-0x00008bff
#line 21
} {
#line 21
0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414
#line 21
0x0000540e 0x0000540b 0x00005410 0x0000540f
#line 21
} };
#line 23
allow keystore hal_wifi_supplicant:dir search;
#line 23
allow keystore hal_wifi_supplicant:file { read open };
#line 23
allow keystore hal_wifi_supplicant:process getattr;
#line 23
allow hal_wifi_supplicant apc_service:service_manager find;
#line 23
allow hal_wifi_supplicant keystore_service:service_manager find;
#line 23
allow hal_wifi_supplicant legacykeystore_service:service_manager find;
#line 23
#line 23
# Call the server domain and optionally transfer references to it.
#line 23
allow hal_wifi_supplicant keystore:binder { call transfer };
#line 23
# Allow the server domain to transfer references to the client on the reply.
#line 23
allow keystore hal_wifi_supplicant:binder transfer;
#line 23
# Receive and use open files from the server.
#line 23
allow hal_wifi_supplicant keystore:fd use;
#line 23
#line 23
#line 23
# Call the server domain and optionally transfer references to it.
#line 23
allow keystore hal_wifi_supplicant:binder { call transfer };
#line 23
# Allow the server domain to transfer references to the client on the reply.
#line 23
allow hal_wifi_supplicant keystore:binder transfer;
#line 23
# Receive and use open files from the server.
#line 23
allow keystore hal_wifi_supplicant:fd use;
#line 23
#line 23
#line 24
# Call the servicemanager and transfer references to it.
#line 24
allow hal_wifi_supplicant_server servicemanager:binder { call transfer };
#line 24
# Allow servicemanager to send out callbacks
#line 24
allow servicemanager hal_wifi_supplicant_server:binder { call transfer };
#line 24
# servicemanager performs getpidcon on clients.
#line 24
allow servicemanager hal_wifi_supplicant_server:dir search;
#line 24
allow servicemanager hal_wifi_supplicant_server:file { read open };
#line 24
allow servicemanager hal_wifi_supplicant_server:process getattr;
#line 24
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 24
# all domains in domain.te.
#line 24
# Allow the WI-FI HAL to use keys in the keystore namespace wifi_key.
allow hal_wifi_supplicant wifi_key:keystore2_key {
get_info
use
};
###
### neverallow rules
###
# wpa_supplicant should not trust any data from sdcards
neverallow hal_wifi_supplicant_server { sdcard_type fuse }:dir ~getattr;
neverallow hal_wifi_supplicant_server { sdcard_type fuse }:file *;
#line 1 "system/sepolicy/public/healthd.te"
# healthd - battery/charger monitoring service daemon
# healthd is removed. The type is kept for backwards compatibility.
# Only the type declaration remains; no allow rules for healthd appear in this section.
type healthd, domain;
#line 1 "system/sepolicy/public/heapprofd.te"
# heapprofd: declared with the domain and coredomain attributes.
# Its access rules are not in this section; only the type is public here.
type heapprofd, domain, coredomain;
#line 1 "system/sepolicy/public/hwservice.te"
# hwservice types. By default most of the HALs are protected_hwservice, which means
# access from untrusted apps is prohibited.
# Every type declared below carries hwservice_manager_type; the neverallow at the
# end of this file rejects add/find on any type that lacks that attribute.
type default_android_hwservice, hwservice_manager_type, protected_hwservice;
type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type fwk_automotive_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type hal_atrace_hwservice, hwservice_manager_type, protected_hwservice;
type hal_audio_hwservice, hwservice_manager_type, protected_hwservice;
type hal_audiocontrol_hwservice, hwservice_manager_type, protected_hwservice;
type hal_authsecret_hwservice, hwservice_manager_type, protected_hwservice;
type hal_bluetooth_hwservice, hwservice_manager_type, protected_hwservice;
type hal_bootctl_hwservice, hwservice_manager_type, protected_hwservice;
type hal_broadcastradio_hwservice, hwservice_manager_type, protected_hwservice;
type hal_camera_hwservice, hwservice_manager_type, protected_hwservice;
type hal_can_bus_hwservice, hwservice_manager_type, protected_hwservice;
type hal_can_controller_hwservice, hwservice_manager_type, protected_hwservice;
type hal_confirmationui_hwservice, hwservice_manager_type, protected_hwservice;
type hal_contexthub_hwservice, hwservice_manager_type, protected_hwservice;
type hal_dumpstate_hwservice, hwservice_manager_type, protected_hwservice;
type hal_evs_hwservice, hwservice_manager_type, protected_hwservice;
type hal_face_hwservice, hwservice_manager_type, protected_hwservice;
type hal_fingerprint_hwservice, hwservice_manager_type, protected_hwservice;
type hal_gatekeeper_hwservice, hwservice_manager_type, protected_hwservice;
type hal_gnss_hwservice, hwservice_manager_type, protected_hwservice;
type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice;
type hal_health_hwservice, hwservice_manager_type, protected_hwservice;
type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice;
type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice;
type hal_ir_hwservice, hwservice_manager_type, protected_hwservice;
type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
type hal_light_hwservice, hwservice_manager_type, protected_hwservice;
type hal_lowpan_hwservice, hwservice_manager_type, protected_hwservice;
type hal_memtrack_hwservice, hwservice_manager_type, protected_hwservice;
type hal_nfc_hwservice, hwservice_manager_type, protected_hwservice;
type hal_oemlock_hwservice, hwservice_manager_type, protected_hwservice;
type hal_power_hwservice, hwservice_manager_type, protected_hwservice;
type hal_power_stats_hwservice, hwservice_manager_type, protected_hwservice;
type hal_secure_element_hwservice, hwservice_manager_type, protected_hwservice;
type hal_sensors_hwservice, hwservice_manager_type, protected_hwservice;
type hal_telephony_hwservice, hwservice_manager_type, protected_hwservice;
type hal_tetheroffload_hwservice, hwservice_manager_type, protected_hwservice;
type hal_thermal_hwservice, hwservice_manager_type, protected_hwservice;
type hal_tv_cec_hwservice, hwservice_manager_type, protected_hwservice;
type hal_tv_input_hwservice, hwservice_manager_type, protected_hwservice;
type hal_tv_tuner_hwservice, hwservice_manager_type, protected_hwservice;
type hal_usb_gadget_hwservice, hwservice_manager_type, protected_hwservice;
type hal_usb_hwservice, hwservice_manager_type, protected_hwservice;
type hal_vehicle_hwservice, hwservice_manager_type, protected_hwservice;
type hal_vibrator_hwservice, hwservice_manager_type, protected_hwservice;
type hal_vr_hwservice, hwservice_manager_type, protected_hwservice;
type hal_weaver_hwservice, hwservice_manager_type, protected_hwservice;
type hal_wifi_hostapd_hwservice, hwservice_manager_type, protected_hwservice;
type hal_wifi_hwservice, hwservice_manager_type, protected_hwservice;
type hal_wifi_supplicant_hwservice, hwservice_manager_type, protected_hwservice;
type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
# Following are the hwservices that are explicitly not marked with protected_hwservice.
# These are directly accessible from untrusted apps.
# - same process services: because they by definition run in the process
# of the client and thus have the same access as the client domain in which
# the process runs
# - coredomain_hwservice: are considered safer than ordinary hwservices which
# are from vendor partition
# - hal_configstore_ISurfaceFlingerConfigs: because it has specifically been
# designed for use by any domain.
# - hal_graphics_allocator_hwservice: because these operations are also offered
# by surfaceflinger Binder service, which apps are permitted to access
# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
# Binder service which apps were permitted to access.
# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
# - hal_drm_hwservice: versions > API 29 are designed specifically with
# untrusted app access in mind.
# NOTE(review): hidl_base_hwservice is also in this unprotected group. Earlier in
# this file hal_wifi_supplicant_server is allowed to add to it alongside its own
# hwservice; presumably other HIDL servers register their base interface the same
# way, so it cannot be gated per-HAL — confirm before relying on protected_hwservice
# for base-interface lookups.
type fwk_bufferhub_hwservice, hwservice_manager_type, coredomain_hwservice;
type hal_cas_hwservice, hwservice_manager_type;
type hal_codec2_hwservice, hwservice_manager_type;
type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
type hal_drm_hwservice, hwservice_manager_type;
type hal_graphics_allocator_hwservice, hwservice_manager_type;
type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
type hal_neuralnetworks_hwservice, hwservice_manager_type;
type hal_omx_hwservice, hwservice_manager_type;
type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
type hidl_base_hwservice, hwservice_manager_type;
type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
###
### Neverallow rules
###
# hwservicemanager handles registering or looking up named services.
# It does not make sense to register or lookup something which is not a
# hwservice. Trigger a compile error if this occurs.
# "~hwservice_manager_type" is the complement set (every type without the
# attribute), so an undeclared or misspelled service type can never become
# registrable or findable through hwservicemanager.
neverallow domain ~hwservice_manager_type:hwservice_manager { add find };
#line 1 "system/sepolicy/public/hwservicemanager.te"
# hwservicemanager - the Binder context manager for HAL services
type hwservicemanager, domain, mlstrustedsubject;
type hwservicemanager_exec, system_file_type, exec_type, file_type;
# Note that we do not use the binder_* macros here.
# hwservicemanager provides name service (aka context manager)
# for hwbinder.
# Additionally, it initiates binder IPC calls to
# clients who request service notifications. The permission
# to do this is granted in the hwbinder_use macro.
# set_context_mgr on self:binder is what makes this domain the hwbinder
# context manager; it is granted to no other domain in this section.
allow hwservicemanager self:binder set_context_mgr;
# Scan through /system/lib64/hw looking for installed HALs
allow hwservicemanager system_file:dir { open getattr read search ioctl lock watch watch_reads };
# Read hwservice_contexts
# Read-only: no write permission on hwservice_contexts_file is granted here.
# Presumably this is the service-name to type mapping consulted on add/find — verify.
allow hwservicemanager hwservice_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# Check SELinux permissions.
# The rules between the "#line 20" markers are one macro expansion from source
# line 20. They grant: read of selinuxfs dirs and files, write to selinuxfs files,
# compute_av against the kernel, and a netlink_selinux_socket. Together these let
# hwservicemanager ask the kernel whether a caller may add/find a service; the
# netlink socket is presumably for policy-change notifications — confirm.
#line 20
#line 20
allow hwservicemanager selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 20
allow hwservicemanager selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 20
#line 20
allow hwservicemanager selinuxfs:file { open append write lock map };
#line 20
allow hwservicemanager kernel:security compute_av;
#line 20
allow hwservicemanager self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
#line 20
#line 1 "system/sepolicy/public/idmap.te"
# idmap, when executed by installd
# Only the domain and exec types are declared here; the transition from
# installd into this domain is not in this section.
type idmap, domain;
type idmap_exec, system_file_type, exec_type, file_type;
# Allow read + write access to /data/resource-cache
allow idmap resourcecache_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow idmap resourcecache_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
# Open and read from target and overlay apk files passed by argument.
# Read-only on the apk itself; only search on the containing dir.
allow idmap apk_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow idmap apk_data_file:dir search;
# Allow /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
allow idmap { apk_tmp_file apk_private_tmp_file }:file { getattr open read ioctl lock map watch watch_reads };
allow idmap { apk_tmp_file apk_private_tmp_file }:dir search;
# Allow apps access to /vendor/app
# (read-only dir/file/lnk_file access from the expansion at source line 18)
#line 18
allow idmap vendor_app_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 18
allow idmap vendor_app_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 18
# Allow apps access to /vendor/overlay
# (read-only dir/file/lnk_file access from the expansion at source line 21)
#line 21
allow idmap vendor_overlay_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 21
allow idmap vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 21
# Allow the idmap2d binary to register as a service and communicate via AIDL
#line 24
# Call the servicemanager and transfer references to it.
#line 24
allow idmap servicemanager:binder { call transfer };
#line 24
# Allow servicemanager to send out callbacks
#line 24
allow servicemanager idmap:binder { call transfer };
#line 24
# servicemanager performs getpidcon on clients.
#line 24
allow servicemanager idmap:dir search;
#line 24
allow servicemanager idmap:file { read open };
#line 24
allow servicemanager idmap:process getattr;
#line 24
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 24
# all domains in domain.te.
#line 24
#line 25
# Mark idmap as a binder service domain (attribute declared elsewhere).
typeattribute idmap binderservicedomain;
#line 25
#line 26
# idmap may both register and look up idmap_service; the neverallow below makes
# registration by any other domain a build-time error.
allow idmap idmap_service:service_manager { add find };
#line 26
neverallow { domain -idmap } idmap_service:service_manager add;
#line 26
#line 26
# On debug builds with root, allow binder services to use binder over TCP.
#line 26
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 26
# (No rule follows this comment in this expansion; the debug-only grant appears
# to have been compiled out of this build.)
#line 26
#line 1 "system/sepolicy/public/incident.te"
# The incident command is used to call into the incidentd service to
# take an incident report (binary, shared bugreport), download incident
# reports that have already been taken, and monitor for new ones.
# It doesn't do anything else.
# incident
# Only the type declaration lives here; the allow rules for the command
# are not in this section.
type incident, domain;
#line 1 "system/sepolicy/public/incident_helper.te"
# The incident_helper is called by incidentd and
# can only read/write data from/to incidentd
# incident_helper
# Type declaration only; the rules that restrict it to incidentd data are
# not in this section.
type incident_helper, domain;
#line 1 "system/sepolicy/public/incidentd.te"
# incidentd
# Type declaration only; incidentd's access rules are not in this section.
type incidentd, domain;
#line 1 "system/sepolicy/public/init.te"
# init is its own domain.
type init, domain, mlstrustedsubject;
type init_exec, system_file_type, exec_type, file_type;
type init_tmpfs, file_type;
# /dev/__null__ node created by init.
allow init tmpfs:chr_file { create setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
#
# init direct restorecon calls.
#
# /dev/kmsg
allow init tmpfs:chr_file relabelfrom;
allow init kmsg_device:chr_file { getattr write relabelto };
# /dev/kmsg_debug
#line 18
# allow init to mount and unmount debugfs in debug builds
#line 23
# /dev/__properties__
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
# /dev/__properties__/property_info and /dev/__properties/appcompat_override/property_info
allow init properties_device:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow init property_info:file relabelto;
# /dev/event-log-tags
allow init device:file relabelfrom;
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
# /dev/socket
allow init { device socket_device dm_user_device }:dir relabelto;
# allow init to establish connection and communicate with lmkd
#line 38
allow init lmkd_socket:sock_file write;
#line 38
allow init lmkd:unix_stream_socket connectto;
#line 38
# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
# and /dev/urandom
allow init { console_device null_device ptmx_device random_device } : chr_file relabelto;
# /dev/device-mapper, /dev/block(/.*)?
allow init tmpfs:{ chr_file blk_file } relabelfrom;
allow init tmpfs:blk_file getattr;
allow init block_device:{ dir blk_file lnk_file } relabelto;
allow init dm_device:{ chr_file blk_file } relabelto;
allow init dm_user_device:chr_file relabelto;
allow init kernel:fd use;
# restorecon for early mount device symlinks
allow init tmpfs:lnk_file { getattr read relabelfrom };
allow init {
metadata_block_device
misc_block_device
recovery_block_device
system_block_device
userdata_block_device
}:{ blk_file lnk_file } relabelto;
allow init dtbo_block_device:lnk_file relabelto;
allow init super_block_device:lnk_file relabelto;
# Create /mnt/sdcard -> /storage/self/primary symlink.
allow init mnt_sdcard_file:lnk_file create;
# setrlimit
allow init self:{ capability cap_userns } sys_resource;
# Remove /dev/.booting and load /debug_ramdisk/* files
allow init tmpfs:file { getattr unlink };
# Access pty created for fsck.
allow init devpts:chr_file { read write open };
# Create /dev/fscklogs files.
allow init fscklogs:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Access /dev/__null__ node created prior to initial policy load.
allow init tmpfs:chr_file write;
# Access /dev/console.
allow init console_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Access /dev/tty0.
allow init tty_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Call mount(2).
allow init self:{ capability cap_userns } sys_admin;
# Call setns(2).
allow init self:{ capability cap_userns } sys_chroot;
# Create and mount on directories in /.
allow init rootfs:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow init {
rootfs
cache_file
cgroup
linkerconfig_file
storage_file
mnt_user_file
system_data_file
system_data_root_file
system_dlkm_file
system_file
vendor_file
postinstall_mnt_dir
mirror_data_file
shell_data_file
}:dir mounton;
# Mount bpf fs on sys/fs/bpf
allow init fs_bpf:dir mounton;
# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;
# Mount tmpfs on /apex
allow init apex_mnt_dir:dir mounton;
# Bind-mount on /system/apex/com.android.art
allow init art_apex_dir:dir mounton;
# Create and remove symlinks in /.
allow init rootfs:lnk_file { create unlink };
# Mount debugfs on /sys/kernel/debug.
allow init sysfs:dir mounton;
# Create cgroups mount points in tmpfs and mount cgroups on them.
allow init tmpfs:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow init tmpfs:dir mounton;
allow init cgroup:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow init cgroup:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow init cgroup_rc_file:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow init cgroup_desc_file:file { getattr open read ioctl lock map watch watch_reads };
allow init cgroup_desc_api_file:file { getattr open read ioctl lock map watch watch_reads };
allow init vendor_cgroup_desc_file:file { getattr open read ioctl lock map watch watch_reads };
allow init cgroup_v2:dir { mounton { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } }};
allow init cgroup_v2:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# /config
allow init configfs:dir mounton;
allow init configfs:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow init configfs:{ file lnk_file } { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# /metadata
allow init metadata_file:dir mounton;
# Run restorecon on /dev
allow init tmpfs:dir relabelfrom;
# Create directories under /dev/cpuctl after chowning it to system.
allow init self:{ capability cap_userns } { dac_override dac_read_search };
# Set system clock.
allow init self:{ capability cap_userns } sys_time;
allow init self:{ capability cap_userns } { sys_rawio mknod };
# Mounting filesystems from block devices.
allow init dev_type:blk_file { getattr open read ioctl lock map watch watch_reads };
allowxperm init dev_type:blk_file ioctl 0x0000125d;
allowxperm init system_data_root_file:dir ioctl 0x587d;
# Mounting filesystems.
# Only allow relabelto for types used in context= mount options,
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
allow init {
fs_type
# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 172
-debugfs_type
#line 172
# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 172
}:filesystem ~relabelto;
# Allow init to mount/unmount debugfs in non-user builds.
# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 176
#line 176
#line 176
#line 176
# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 178
# Allow init to mount tracefs in /sys/kernel/tracing
allow init debugfs_tracing_debug:filesystem mount;
allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;
# Allow read-only access to context= mounted filesystems.
allow init contextmount_type:dir { open getattr read search ioctl lock watch watch_reads };
allow init contextmount_type:{ file lnk_file sock_file fifo_file } { getattr open read ioctl lock map watch watch_reads };
# restorecon /adb_keys or any other rootfs files and directories to a more
# specific type.
allow init rootfs:{ dir file } relabelfrom;
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow init self:{ capability cap_userns } { chown fowner fsetid };
allow init {
file_type
-app_data_file
-bpffs_type
-exec_type
-misc_logd_file
-nativetest_data_file
-privapp_data_file
-system_app_data_file
-system_dlkm_file_type
-system_file_type
-vendor_file_type
}:dir { create search getattr open read setattr ioctl };
allow init {
file_type
-app_data_file
-bpffs_type
-credstore_data_file
-exec_type
-keystore_data_file
-media_userdir_file
-misc_logd_file
-nativetest_data_file
-privapp_data_file
-shell_data_file
-system_app_data_file
-system_dlkm_file_type
-system_file_type
-system_userdir_file
-vendor_file_type
-vendor_userdir_file
-vold_data_file
}:dir { write add_name remove_name rmdir relabelfrom };
allow init {
file_type
-apex_info_file
-app_data_file
-bpffs_type
-exec_type
-gsi_data_file
-credstore_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
-privapp_data_file
-runtime_event_log_tags_file
-shell_data_file
-system_app_data_file
-system_dlkm_file_type
-system_file_type
-vendor_file_type
-vold_data_file
# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 255
-debugfs_type
#line 255
# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 255
}:file { create getattr open read write setattr relabelfrom unlink map };
allow init tracefs_type:file { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } relabelfrom };
# Allow init to read /apex/apex-info-list.xml for preinstalled paths of APEXes to determine
# subcontext for action/service defined in APEXes.
allow init apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
allow init {
file_type
-app_data_file
-bpffs_type
-exec_type
-gsi_data_file
-credstore_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
-privapp_data_file
-shell_data_file
-system_app_data_file
-system_dlkm_file_type
-system_file_type
-vendor_file_type
-vold_data_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow init {
file_type
-apex_mnt_dir
-app_data_file
-bpffs_type
-exec_type
-gsi_data_file
-credstore_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
-privapp_data_file
-shell_data_file
-system_app_data_file
-system_dlkm_file_type
-system_file_type
-vendor_file_type
-vold_data_file
}:lnk_file { create getattr setattr relabelfrom unlink };
allow init cache_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
allow init {
file_type
-bpffs_type
-system_dlkm_file_type
-system_file_type
-vendor_file_type
-exec_type
-app_data_file
-privapp_data_file
}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;
allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type debugfs_type tracefs_type }:{ dir file lnk_file } { relabelto getattr };
allow init dev_type:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow init dev_type:lnk_file create;
# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
allow init debugfs_tracing:file { open append write lock map };
# Setup and control wifi event tracing (see wifi-events.rc)
allow init debugfs_tracing_instances:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow init debugfs_tracing_instances:file { open append write lock map };
allow init debugfs_wifi_tracing:file { open append write lock map };
# chown/chmod on pseudo files.
allow init {
fs_type
-bpffs_type
-contextmount_type
-keychord_device
-proc_type
-sdcard_type
-fusefs_type
-sysfs_type
-rootfs
# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 340
-debugfs_type
#line 340
# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 340
}:file { open read setattr };
allow init {
fs_type
-bpffs_type
-contextmount_type
-sdcard_type
-fusefs_type
-rootfs
}:dir { open read setattr search };
allow init {
binder_device
console_device
devpts
dm_device
hwbinder_device
input_device
kmsg_device
null_device
owntty_device
pmsg_device
ptmx_device
random_device
tty_device
zero_device
}:chr_file { read open };
# Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelfrom };
allow init unlabeled:{ file lnk_file sock_file fifo_file } { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } relabelfrom };
# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
allow init kernel:system syslog_mod;
allow init self:{ capability2 cap2_userns } syslog;
# init access to /proc.
#line 378
allow init proc_net_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 378
allow init proc_net_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 378
allow init proc_filesystems:file { getattr open read ioctl lock map watch watch_reads };
#line 387
allow init {
proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
proc_bootconfig
proc_cmdline
proc_diskstats
proc_kmsg # Open /proc/kmsg for logd service.
proc_meminfo
proc_stat # Read /proc/stat for bootchart.
proc_uptime
proc_version
}:file { getattr open read ioctl lock map watch watch_reads };
allow init {
proc_abi
proc_cpu_alignment
proc_dirty
proc_hostname
proc_hung_task
proc_extra_free_kbytes
proc_net_type
proc_max_map_count
proc_min_free_order_shift
proc_overcommit_memory # /proc/sys/vm/overcommit_memory
proc_panic
proc_page_cluster
proc_perf
proc_sched
proc_sysrq
proc_watermark_boost_factor
}:file { open append write lock map };
allow init {
proc_security
}:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# init chmod/chown access to /proc files.
allow init {
proc_cmdline
proc_bootconfig
proc_kmsg
proc_net
proc_pagetypeinfo
proc_qtaguid_stat
proc_slabinfo
proc_sysrq
proc_qtaguid_ctrl
proc_vmallocinfo
}:file setattr;
# init access to /sys files.
allow init {
sysfs_android_usb
sysfs_dm_verity
sysfs_leds
sysfs_power
sysfs_fs_f2fs
sysfs_dm
sysfs_lru_gen_enabled
}:file { open append write lock map };
allow init {
sysfs_dt_firmware_android
sysfs_fs_ext4_features
}:file { getattr open read ioctl lock map watch watch_reads };
allow init {
sysfs_zram
}:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# allow init to create loop devices with /dev/loop-control
allow init loop_control_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow init loop_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allowxperm init loop_device:blk_file ioctl {
0x00004c00
0x00004c01
0x00004c82
0x00004c09
0x00004c08
0x00004c03
0x00004c04
};
# Allow init to write to vibrator/trigger
allow init sysfs_vibrator:file { open append write lock map };
# init chmod/chown access to /sys files.
allow init {
sysfs_android_usb
sysfs_devices_system_cpu
sysfs_ipv4
sysfs_leds
sysfs_lowmemorykiller
sysfs_power
sysfs_vibrator
sysfs_wake_lock
sysfs_zram
}:file setattr;
# Set usermodehelpers.
allow init { usermodehelper sysfs_usermodehelper }:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow init self:{ capability cap_userns } net_admin;
# Reboot.
allow init self:{ capability cap_userns } sys_boot;
# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
# Init will also walk through the directory as part of a recursive restorecon.
allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
allow init misc_logd_file:file { open create getattr setattr write };
# Support "adb shell stop"
allow init self:{ capability cap_userns } kill;
allow init domain:process { getpgid sigkill signal };
# Init creates credstore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init credstore_data_file:dir { open create read getattr setattr search };
allow init credstore_data_file:file { getattr };
# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };
# Init creates vold's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init vold_data_file:dir { open create read getattr setattr search };
allow init vold_data_file:file { getattr };
# Init creates /data/local/tmp at boot
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };
# Set UID, GID, and adjust capability bounding set for services.
allow init self:{ capability cap_userns } { setuid setgid setpcap };
# For bootchart to read the /proc/$pid/cmdline file of each process,
# we need to have the following rules to allow init to have access
# to different domains.
#line 529
allow init domain:dir { open getattr read search ioctl lock watch watch_reads };
#line 529
allow init domain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 529
# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };
# Get file context
allow init file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# sepolicy access
allow init sepolicy_file:file { getattr open read ioctl lock map watch watch_reads };
# Perform SELinux access checks on setting properties.
#line 544
#line 544
allow init selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 544
allow init selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 544
#line 544
allow init selinuxfs:file { open append write lock map };
#line 544
allow init kernel:security compute_av;
#line 544
allow init self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
#line 544
# Ask the kernel for the new context on services to label their sockets.
allow init kernel:security compute_create;
# Create sockets for the services.
allow init domain:unix_stream_socket { create bind setopt };
allow init domain:unix_dgram_socket { create bind setopt };
# Create /data/property and files within it.
allow init property_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow init property_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Set any property.
allow init property_type:property_service set;
# Send an SELinux userspace denial to the kernel audit subsystem,
# so it can be picked up and processed by logd. These denials are
# generated when an attempt to set a property is denied by policy.
allow init self:netlink_audit_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_relay };
allow init self:{ capability cap_userns } audit_write;
# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };
# in addition to unpriv ioctls granted to all domains, init also needs:
allowxperm init self:udp_socket ioctl 0x00008914;
allow init self:{ capability cap_userns } net_raw;
# Set scheduling info for psi monitor thread.
# TODO: delete or revise this line b/131761776
allow init kernel:process { getsched setsched };
# swapon() needs write access to swap device
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Create and access /dev files without a specific type,
# e.g. /dev/.coldboot_done, /dev/.booting
# TODO: Move these files into their own type unless they are
# only ever accessed by init.
allow init device:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# keychord retrieval from /dev/input/ devices
allow init input_device:dir { open getattr read search ioctl lock watch watch_reads };
allow init input_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Access device mapper for setting up dm-verity
allow init dm_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow init dm_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Access dm-user for OTA boot
allow init dm_user_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Access metadata block device for storing dm-verity state
allow init metadata_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Read /sys/fs/pstore/console-ramoops to detect restarts caused
# by dm-verity detecting corrupted blocks
allow init pstorefs:dir search;
allow init pstorefs:file { getattr open read ioctl lock map watch watch_reads };
allow init kernel:system syslog_read;
# linux keyring configuration
allow init init:key { write search setattr };
# Allow init to create /data/unencrypted
allow init unencrypted_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
# Set encryption policy on dirs in /data
allowxperm init { data_file_type unlabeled }:dir ioctl {
0x400c6615
0x800c6613
};
# Raw writes to misc block device
allow init misc_block_device:blk_file { open append write lock map };
#line 621
allow init system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 621
allow init system_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 621
#line 622
allow init system_dlkm_file_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 622
allow init system_dlkm_file_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 622
#line 623
allow init vendor_file_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 623
allow init vendor_file_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 623
allow init system_data_file:file { getattr read };
allow init system_data_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
# For init to be able to run shell scripts from vendor
allow init vendor_shell_exec:file execute;
# Metadata setup
allow init vold_metadata_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow init vold_metadata_file:file getattr;
allow init metadata_bootstat_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow init metadata_bootstat_file:file { open append write lock map };
allow init userspace_reboot_metadata_file:file { open append write lock map };
# Allow init to touch PSI monitors
allow init proc_pressure_mem:file { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } setattr };
# init is using bootstrap bionic
#line 642
allow init system_bootstrap_lib_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 642
allow init system_bootstrap_lib_file:file { execute read open getattr map };
#line 642
# stat the root dir of fuse filesystems (for the mount handler)
allow init fuse:dir { search getattr };
# allow filesystem tuning
allow init userdata_sysdev:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# allow disk tuning
allow init rootdisk_sysdev:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
###
### neverallow rules
###
# The init domain is only entered via an exec based transition from the
# kernel domain, never via setcon().
neverallow domain init:process dyntransition;
neverallow { domain -kernel } init:process transition;
neverallow init { file_type fs_type -init_exec }:file entrypoint;
# Never read/follow symlinks created by shell or untrusted apps.
neverallow init shell_data_file:lnk_file read;
neverallow init app_data_file_type:lnk_file read;
# init should never execute a program without changing to another domain.
neverallow init { file_type fs_type }:file execute_no_trans;
# The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
# when init is executing other binaries. The use of LD_PRELOAD for init spawned
# services is generally considered a no-no, as it injects libraries which the
# binary was not expecting. This is especially problematic for APEXes. The use
# of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
# code into a process which wasn't expecting that code, with potentially
# unexpected side effects. (b/140789528)
neverallow init *:process noatsecure;
# init can never add binder services
neverallow init service_manager_type:service_manager { add find };
# init can never list binder services
neverallow init servicemanager:service_manager list;
# Init should not be creating subdirectories in /data/local/tmp
neverallow init shell_data_file:dir { write add_name remove_name };
# Init should not access sysfs nodes that are not explicitly labeled.
neverallow init sysfs:file { open write };
# No domain should be allowed to ptrace init.
neverallow * init:process ptrace;
# init owns the root of /data
# TODO(b/140259336) We want to remove vendor_init
# TODO(b/141108496) We want to remove toolbox
neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };
#line 1 "system/sepolicy/public/inputflinger.te"
# inputflinger
#
# Domain of the inputflinger process. This section is the preprocessed form
# of inputflinger.te: the "#line N" markers record the source line each
# expanded rule came from and are plain comments to the policy compiler.
type inputflinger, domain;
type inputflinger_exec, system_file_type, exec_type, file_type;
# Source line 5 (presumably a binder-use macro): two-way binder traffic with
# servicemanager, plus the /proc lookups servicemanager does for getpidcon.
#line 5
# Call the servicemanager and transfer references to it.
#line 5
allow inputflinger servicemanager:binder { call transfer };
#line 5
# Allow servicemanager to send out callbacks
#line 5
allow servicemanager inputflinger:binder { call transfer };
#line 5
# servicemanager performs getpidcon on clients.
#line 5
allow servicemanager inputflinger:dir search;
#line 5
allow servicemanager inputflinger:file { read open };
#line 5
allow servicemanager inputflinger:process getattr;
#line 5
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 5
# all domains in domain.te.
#line 5
#line 6
# Attribute shared by binder-service domains; the rules attached to it are
# declared elsewhere in the policy.
typeattribute inputflinger binderservicedomain;
#line 6
#line 8
# Source line 8: inputflinger is a binder client of system_server.
#line 8
# Call the server domain and optionally transfer references to it.
#line 8
allow inputflinger system_server:binder { call transfer };
#line 8
# Allow the serverdomain to transfer references to the client on the reply.
#line 8
allow system_server inputflinger:binder transfer;
#line 8
# Receive and use open files from the server.
#line 8
allow inputflinger system_server:fd use;
#line 8
# Source line 10 (presumably a wakelock-use macro): read/write the
# /sys/power wake lock nodes, the capability that gates them, and binder/HIDL
# access to the system suspend service.
#line 10
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 10
# deprecated.
#line 10
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 10
allow inputflinger sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 10
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 10
allow inputflinger self:{ capability2 cap2_userns } block_suspend;
#line 10
# system_suspend permissions
#line 10
#line 10
# Call the server domain and optionally transfer references to it.
#line 10
allow inputflinger system_suspend_server:binder { call transfer };
#line 10
# Allow the serverdomain to transfer references to the client on the reply.
#line 10
allow system_suspend_server inputflinger:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow inputflinger system_suspend_server:fd use;
#line 10
#line 10
allow inputflinger system_suspend_hwservice:hwservice_manager find;
#line 10
# halclientdomain permissions
#line 10
#line 10
# Call the hwservicemanager and transfer references to it.
#line 10
allow inputflinger hwservicemanager:binder { call transfer };
#line 10
# Allow hwservicemanager to send out callbacks
#line 10
allow hwservicemanager inputflinger:binder { call transfer };
#line 10
# hwservicemanager performs getpidcon on clients.
#line 10
allow hwservicemanager inputflinger:dir search;
#line 10
allow hwservicemanager inputflinger:file { read open map };
#line 10
allow hwservicemanager inputflinger:process getattr;
#line 10
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 10
# all domains in domain.te.
#line 10
#line 10
#line 10
allow inputflinger hwservicemanager_prop:file { getattr open read map };
#line 10
#line 10
allow inputflinger hidl_manager_hwservice:hwservice_manager find;
#line 10
# AIDL suspend hal permissions
#line 10
allow inputflinger hal_system_suspend_service:service_manager find;
#line 10
#line 10
# NOTE(review): the servicemanager rules below repeat the source-line-5 block
# above verbatim; allow rules are additive, so the duplicate is harmless.
# Call the servicemanager and transfer references to it.
#line 10
allow inputflinger servicemanager:binder { call transfer };
#line 10
# Allow servicemanager to send out callbacks
#line 10
allow servicemanager inputflinger:binder { call transfer };
#line 10
# servicemanager performs getpidcon on clients.
#line 10
allow servicemanager inputflinger:dir search;
#line 10
allow servicemanager inputflinger:file { read open };
#line 10
allow servicemanager inputflinger:process getattr;
#line 10
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 10
# all domains in domain.te.
#line 10
#line 10
# Listing of the input device directory plus read/write access to the
# input_device character devices themselves.
allow inputflinger input_device:dir { open getattr read search ioctl lock watch watch_reads };
allow inputflinger input_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Read-only access to the cgroup v1 and v2 hierarchies (source lines 15-16).
#line 15
allow inputflinger cgroup:dir { open getattr read search ioctl lock watch watch_reads };
#line 15
allow inputflinger cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 15
#line 16
allow inputflinger cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
#line 16
allow inputflinger cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 16
#line 1 "system/sepolicy/public/installd.te"
# installer daemon
type installd, domain;
type installd_exec, system_file_type, exec_type, file_type;
typeattribute installd mlstrustedsubject;
allow installd self:{ capability cap_userns } { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin kill };
# Allow labeling of files under /data/app/com.example/oat/
allow installd dalvikcache_data_file:dir relabelto;
allow installd dalvikcache_data_file:file { relabelto link };
# Allow movement of APK files between volumes
allow installd apk_data_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelfrom };
allow installd apk_data_file:file { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } relabelfrom link };
allow installd apk_data_file:lnk_file { create { getattr open read ioctl lock map watch watch_reads } unlink };
allow installd asec_apk_file:file { getattr open read ioctl lock map watch watch_reads };
allow installd apk_tmp_file:file { { getattr open read ioctl lock map watch watch_reads } unlink };
allow installd apk_tmp_file:dir { relabelfrom { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } };
allow installd oemfs:dir { open getattr read search ioctl lock watch watch_reads };
allow installd oemfs:file { getattr open read ioctl lock map watch watch_reads };
allow installd cgroup:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow installd cgroup_v2:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow installd mnt_expand_file:dir { search getattr };
# Check validity of SELinux context before use.
#line 25
#line 25
allow installd selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 25
allow installd selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 25
#line 25
allow installd selinuxfs:file { open append write lock map };
#line 25
allow installd kernel:security check_context;
#line 25
#line 27
allow installd rootfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 27
allow installd rootfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 27
# Scan through APKs in /system/app and /system/priv-app
#line 29
allow installd system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 29
allow installd system_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 29
# Scan through APKs in /vendor/app
#line 31
allow installd vendor_app_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 31
allow installd vendor_app_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 31
# Scan through JARs in /vendor/framework
#line 33
allow installd vendor_framework_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 33
allow installd vendor_framework_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 33
# Scan through Runtime Resource Overlay APKs in /vendor/overlay
#line 35
allow installd vendor_overlay_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 35
allow installd vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 35
# Vendor overlay can be found in vendor apex
allow installd vendor_apex_metadata_file:dir { getattr search };
# Get file context
allow installd file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# Get seapp_context
allow installd seapp_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# Search /data/app-asec and stat files in it.
allow installd asec_image_file:dir search;
allow installd asec_image_file:file getattr;
# Required to initially create subdirectories of /data/user/$userId
# and lib symlinks before the setfilecon call. May want to
# move symlink creation after setfilecon in installd.
allow installd system_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
# Also, allow read for lnk_file so that we can process symlinks within
# /data/user/$userId when optimizing application code.
allow installd system_data_file:lnk_file { create getattr read setattr unlink };
# Manage lower filesystem via pass_through mounts
allow installd mnt_pass_through_file:dir { open getattr read search ioctl lock watch watch_reads };
# Upgrade /data/media for multi-user if necessary.
allow installd media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow installd media_rw_data_file:file { getattr unlink };
# restorecon new /data/media directory.
allow installd system_data_file:dir relabelfrom;
allow installd media_rw_data_file:dir relabelto;
# Delete /data/media files through sdcardfs, instead of going behind its back
allow installd media_userdir_file:dir { open getattr read search ioctl lock watch watch_reads };
allow installd tmpfs:dir { open getattr read search ioctl lock watch watch_reads };
allow installd storage_file:dir search;
allow installd { sdcard_type fuse }:dir { search open read write remove_name getattr rmdir };
allow installd { sdcard_type fuse }:file { getattr unlink };
# Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
allow installd mirror_data_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } mounton };
# Upgrade /data/misc/keychain for multi-user if necessary.
allow installd system_userdir_file:dir { open getattr read search ioctl lock watch watch_reads };
allow installd misc_user_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow installd misc_user_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow installd keychain_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow installd keychain_data_file:file {{ getattr open read ioctl lock map watch watch_reads } unlink};
# Create /data/misc/installd/layout_version.* file
allow installd install_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow installd install_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
# Create files under /data/dalvik-cache.
allow installd dalvikcache_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow installd dalvikcache_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow installd dalvikcache_data_file:lnk_file getattr;
# Create files under /data/resource-cache.
allow installd resourcecache_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow installd resourcecache_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Upgrade from unlabeled userdata.
# Just need enough to remove and/or relabel it.
allow installd unlabeled:dir { getattr search relabelfrom { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } rmdir };
allow installd unlabeled:{ file lnk_file sock_file fifo_file } { getattr relabelfrom rename unlink setattr };
# Read pkg.apk file for input during dexopt.
allow installd unlabeled:file { getattr open read ioctl lock map watch watch_reads };
# Upgrade from before system_app_data_file was used for system UID apps.
# Just need enough to relabel it and to unlink removed package files.
# Directory access covered by earlier rule above.
allow installd system_data_file:{ file lnk_file sock_file fifo_file } { getattr relabelfrom unlink };
# Manage /data/data subdirectories, including initially labeling them
# upon creation via setfilecon or running restorecon_recursive,
# setting owner/mode, creating symlinks within them, and deleting them
# upon package uninstall.
allow installd app_data_file_type:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelfrom relabelto };
allow installd app_data_file_type:{ file lnk_file sock_file fifo_file } { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } relabelfrom relabelto };
# Allow setting extended attributes (for project quota IDs) on dirs and files
# and to enable project ID inheritance through FS_IOC_SETFLAGS
# Added install_data_file to be able to create file under /data/misc/installd/ioctl_check
allowxperm installd { app_data_file_type system_data_file install_data_file}:{ dir file } ioctl {
0x801c581f
0x401c5820
0x80086601
0x40086602
};
# Similar for the files under /data/misc/profiles/
allow installd user_profile_root_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelfrom };
allow installd user_profile_data_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelto };
allow installd user_profile_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow installd user_profile_data_file:file unlink;
# Allow zygote to unmount mirror directories
allow installd labeledfs:filesystem unmount;
# Files created/updated by profman dumps.
allow installd profman_dump_data_file:dir { search add_name write };
allow installd profman_dump_data_file:file { create setattr open write };
# Create and use pty created by android_fork_execvp().
allow installd devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# execute toybox for app relocation
allow installd toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow installd to publish a binder service and make binder calls.
#line 144
# Call the servicemanager and transfer references to it.
#line 144
allow installd servicemanager:binder { call transfer };
#line 144
# Allow servicemanager to send out callbacks
#line 144
allow servicemanager installd:binder { call transfer };
#line 144
# servicemanager performs getpidcon on clients.
#line 144
allow servicemanager installd:dir search;
#line 144
allow servicemanager installd:file { read open };
#line 144
allow servicemanager installd:process getattr;
#line 144
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 144
# all domains in domain.te.
#line 144
#line 145
allow installd installd_service:service_manager { add find };
#line 145
neverallow { domain -installd } installd_service:service_manager add;
#line 145
#line 145
# On debug builds with root, allow binder services to use binder over TCP.
#line 145
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 145
#line 145
allow installd dumpstate:fifo_file { getattr write };
# Allow installd to call into the system server so it can check permissions.
#line 149
# Call the server domain and optionally transfer references to it.
#line 149
allow installd system_server:binder { call transfer };
#line 149
# Allow the serverdomain to transfer references to the client on the reply.
#line 149
allow system_server installd:binder transfer;
#line 149
# Receive and use open files from the server.
#line 149
allow installd system_server:fd use;
#line 149
allow installd permission_service:service_manager find;
# Allow installd to read and write quotas
allow installd block_device:dir { search };
allow installd labeledfs:filesystem { quotaget quotamod };
# Allow installd to delete from /data/preloads when trimming data caches
# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
allow installd preloads_data_file:file { { getattr open read ioctl lock map watch watch_reads } unlink };
allow installd preloads_data_file:dir { { open getattr read search ioctl lock watch watch_reads } write remove_name rmdir };
allow installd preloads_media_file:file { { getattr open read ioctl lock map watch watch_reads } unlink };
allow installd preloads_media_file:dir { { open getattr read search ioctl lock watch watch_reads } write remove_name rmdir };
# Allow installd to read /proc/filesystems
allow installd proc_filesystems:file { getattr open read ioctl lock map watch watch_reads };
# Added for moving apps to the SD card.
#line 167
allow installd storage_config_prop:file { getattr open read map };
#line 167
# Allow installd to access apps installed on the Incremental File System
# Accessing files on the Incremental File System uses fds opened in the context of vold.
allow installd vold:fd use;
###
### Neverallow rules
###
# only system_server, installd, dumpstate, and servicemanager may interact with installd over binder
# Looking up installd_service is limited to system_server, dumpstate and installd itself.
neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
# Inbound binder calls into installd are limited to system_server, dumpstate and servicemanager.
neverallow { domain -system_server -dumpstate -servicemanager } installd:binder call;
# Outbound binder calls from installd are limited to system_server and servicemanager,
# so installd cannot reach arbitrary binder services even if it misbehaves.
neverallow installd {
domain
-system_server
-servicemanager
}:binder call;
#line 1 "system/sepolicy/public/isolated_app.te"
###
### Services with isolatedProcess=true in their manifest.
###
### This file defines the rules for isolated apps. An "isolated
### app" is an APP with UID between AID_ISOLATED_START (99000)
### and AID_ISOLATED_END (99999).
###
# Only the type declaration is in the public policy; the access rules for
# isolated_app are presumably defined in the private policy elsewhere in this file.
type isolated_app, domain;
#line 1 "system/sepolicy/public/isolated_compute_app.te"
type isolated_compute_app, domain;
#line 1 "system/sepolicy/public/kernel.te"
# Life begins with the kernel.
type kernel, domain, mlstrustedsubject;
allow kernel self:{ capability cap_userns } sys_nice;
# Root fs.
#line 7
allow kernel rootfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 7
allow kernel rootfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 7
# Used to read androidboot.selinux property
allow kernel {
proc_bootconfig
proc_cmdline
}:file { getattr open read ioctl lock map watch watch_reads };
# Get SELinux enforcing status.
allow kernel selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
allow kernel selinuxfs:file { getattr open read ioctl lock map watch watch_reads };
# Get file contexts during first stage
allow kernel file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow init relabel itself.
allow kernel rootfs:file relabelfrom;
allow kernel init_exec:file relabelto;
# TODO: investigate why we need this.
allow kernel init:process share;
# cgroup filesystem initialization prior to setting the cgroup root directory label.
allow kernel unlabeled:dir search;
# Mount usbfs.
allow kernel usbfs:filesystem mount;
allow kernel usbfs:dir search;
# Initial setenforce by init prior to switching to init domain.
# We use dontaudit instead of allow to prevent a kernel spawned userspace
# process from turning off SELinux once enabled.
dontaudit kernel self:security setenforce;
# Write to /proc/1/oom_adj prior to switching to init domain.
allow kernel self:{ capability cap_userns } sys_resource;
# Init may reboot before switching SELinux domains under certain error
# conditions. Allow it.
# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
# remount filesystems read-only. /data is not mounted at this point,
# so we could ignore this. For now, we allow it.
allow kernel self:{ capability cap_userns } sys_boot;
allow kernel proc_sysrq:file { open append write lock map };
# Allow writing to /dev/kmsg which was created prior to loading policy.
allow kernel tmpfs:chr_file write;
# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel selinuxfs:file write;
allow kernel self:security setcheckreqprot;
# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
allow kernel { sdcard_type fuse }:file { read write };
# f_mtp driver accesses files from kernel context.
allow kernel mediaprovider:fd use;
# Allow the kernel to read OBB files from app directories. (b/17428116)
# Kernel thread "loop0" reads a vold supplied file descriptor.
# Fixes CTS tests:
# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
allow kernel vold:fd use;
allow kernel { app_data_file privapp_data_file }:file read;
allow kernel asec_image_file:file read;
# Allow mounting loop device in update_engine_unittests. (b/28319454)
# and for LTP kernel tests (b/73220071)
#line 78
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow kernel media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow kernel media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Access to /data/misc/vold/virtual_disk.
allow kernel vold_data_file:file { read write };
# Allow the kernel to read APEX file descriptors and (staged) data files;
# Needed because APEX uses the loopback driver, which issues requests from
# a kernel thread in earlier kernel version.
allow kernel apexd:fd use;
allow kernel {
apex_data_file
staging_data_file
vendor_apex_file
}:file read;
# Also allow the kernel to read/write /data/local/tmp files via loop device
# for ApexTestCases and fiemap_image_test.
#line 102
# Allow the first-stage init (which is running in the kernel domain) to execute the
# dynamic linker when it re-executes /init to switch into the second stage.
# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
# before the domain is switched to the target domain. So, we need to allow the kernel
# domain (the source domain) to execute the dynamic linker (system_file type).
# TODO(b/110147943) remove these allow rules when we no longer need to support Linux
# kernel older than 4.8.
allow kernel system_file:file execute;
# The label for the dynamic linker is rootfs in the recovery partition. This is because
# the recovery partition which is rootfs does not support xattr and thus labeling can't be
# done at build-time. All files are by default labeled as rootfs upon booting.
#line 117
# required by VTS libdm unit test
allow kernel appdomain_tmpfs:file { read write };
###
### neverallow rules
###
# The initial task starts in the kernel domain (assigned via
# initial_sid_contexts), but nothing ever transitions to it.
neverallow * kernel:process { transition dyntransition };
# The kernel domain is never entered via an exec, nor should it
# ever execute a program outside the rootfs without changing to another domain.
# If you encounter an execute_no_trans denial on the kernel domain, then
# possible causes include:
# - The program is a kernel usermodehelper. In this case, define a domain
# for the program and domain_auto_trans() to it.
# - You are running an exploit which switched to the init task credentials
# and is then trying to exec a shell or other program. You lose!
# Note: the `execute` grant on system_file above (for the dynamic linker during
# first-stage init's re-exec) does not conflict with this rule: only
# execute_no_trans and entrypoint are forbidden here.
neverallow kernel *:file { entrypoint execute_no_trans };
# the kernel should not be accessing files owned by other users.
# Instead of adding dac_{read_search,override}, fix the unix permissions
# on files being accessed.
neverallow kernel self:{ capability cap_userns } { dac_override dac_read_search };
# Nobody should be ptracing kernel threads
neverallow * kernel:process ptrace;
#line 1 "system/sepolicy/public/keystore.te"
type keystore, domain, keystore2_key_type;
type keystore_exec, system_file_type, exec_type, file_type;
# keystore daemon
typeattribute keystore mlstrustedsubject;
#line 6
# Call the servicemanager and transfer references to it.
#line 6
allow keystore servicemanager:binder { call transfer };
#line 6
# Allow servicemanager to send out callbacks
#line 6
allow servicemanager keystore:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
#line 6
allow servicemanager keystore:dir search;
#line 6
allow servicemanager keystore:file { read open };
#line 6
allow servicemanager keystore:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6
#line 7
typeattribute keystore binderservicedomain;
#line 7
#line 8
# Call the server domain and optionally transfer references to it.
#line 8
allow keystore remote_provisioning_service_server:binder { call transfer };
#line 8
# Allow the serverdomain to transfer references to the client on the reply.
#line 8
allow remote_provisioning_service_server keystore:binder transfer;
#line 8
# Receive and use open files from the server.
#line 8
allow keystore remote_provisioning_service_server:fd use;
#line 8
#line 9
# Call the server domain and optionally transfer references to it.
#line 9
allow keystore system_server:binder { call transfer };
#line 9
# Allow the server domain to transfer references to the client on the reply.
#line 9
allow system_server keystore:binder transfer;
#line 9
# Receive and use open files from the server.
#line 9
allow keystore system_server:fd use;
#line 9
#line 10
# Call the server domain and optionally transfer references to it.
#line 10
allow keystore wificond:binder { call transfer };
#line 10
# Allow the server domain to transfer references to the client on the reply.
#line 10
allow wificond keystore:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow keystore wificond:fd use;
#line 10
allow keystore keystore_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow keystore keystore_data_file:{ file lnk_file sock_file fifo_file } { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow keystore keystore_exec:file { getattr };
#line 16
allow keystore keystore_service:service_manager { add find };
#line 16
neverallow { domain -keystore } keystore_service:service_manager add;
#line 16
#line 16
# On debug builds with root, allow binder services to use binder over TCP.
#line 16
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 16
#line 16
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;
allow keystore remote_provisioning_service:service_manager find;
#line 20
allow keystore apc_service:service_manager { add find };
#line 20
neverallow { domain -keystore } apc_service:service_manager add;
#line 20
#line 20
# On debug builds with root, allow binder services to use binder over TCP.
#line 20
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 20
#line 20
#line 21
allow keystore keystore_compat_hal_service:service_manager { add find };
#line 21
neverallow { domain -keystore } keystore_compat_hal_service:service_manager add;
#line 21
#line 21
# On debug builds with root, allow binder services to use binder over TCP.
#line 21
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 21
#line 21
#line 22
allow keystore authorization_service:service_manager { add find };
#line 22
neverallow { domain -keystore } authorization_service:service_manager add;
#line 22
#line 22
# On debug builds with root, allow binder services to use binder over TCP.
#line 22
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 22
#line 22
#line 23
allow keystore keystore_maintenance_service:service_manager { add find };
#line 23
neverallow { domain -keystore } keystore_maintenance_service:service_manager add;
#line 23
#line 23
# On debug builds with root, allow binder services to use binder over TCP.
#line 23
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 23
#line 23
#line 24
allow keystore keystore_metrics_service:service_manager { add find };
#line 24
neverallow { domain -keystore } keystore_metrics_service:service_manager add;
#line 24
#line 24
# On debug builds with root, allow binder services to use binder over TCP.
#line 24
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 24
#line 24
#line 25
allow keystore legacykeystore_service:service_manager { add find };
#line 25
neverallow { domain -keystore } legacykeystore_service:service_manager add;
#line 25
#line 25
# On debug builds with root, allow binder services to use binder over TCP.
#line 25
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 25
#line 25
# Check SELinux permissions.
#line 28
#line 28
allow keystore selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 28
allow keystore selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 28
#line 28
allow keystore selinuxfs:file { open append write lock map };
#line 28
allow keystore kernel:security compute_av;
#line 28
allow keystore self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
#line 28
#line 30
allow keystore cgroup:dir { open getattr read search ioctl lock watch watch_reads };
#line 30
allow keystore cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 30
#line 31
allow keystore cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
#line 31
allow keystore cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 31
###
### Neverallow rules
###
### Protect ourselves from others
###
# Domains other than keystore are confined to the listed permissions on keystore's
# data (everything outside the ~{ ... } set is forbidden) ...
neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -keystore } keystore_data_file:{ file lnk_file sock_file fifo_file } ~{ relabelto getattr };
# ... and every domain except keystore and init gets no access at all, so the two
# rules above effectively only bound what init may do.
neverallow { domain -keystore -init } keystore_data_file:dir *;
neverallow { domain -keystore -init } keystore_data_file:{ file lnk_file sock_file fifo_file } *;
# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
# NOTE(review): as expanded here the source set is plain { domain } with no exclusion,
# so no crash-dump exception is present in this build; the TODO may be stale.
neverallow { domain } keystore:process ptrace;
# The software KeyMint implementation used in km_compat needs
# to read the vendor security patch level.
#line 50
allow keystore vendor_security_patch_level_prop:file { getattr open read map };
#line 50
;
# Allow keystore to read its vendor configuration
#line 53
allow keystore keystore_config_prop:file { getattr open read map };
#line 53
#line 1 "system/sepolicy/public/keystore_keys.te"
# A keystore2 namespace for WI-FI.
type wifi_key, keystore2_key_type;
#line 1 "system/sepolicy/public/llkd.te"
# llkd Live LocK Daemon
type llkd, domain, mlstrustedsubject;
type llkd_exec, system_file_type, exec_type, file_type;
#line 1 "system/sepolicy/public/lmkd.te"
# lmkd low memory killer daemon
type lmkd, domain, mlstrustedsubject;
type lmkd_exec, system_file_type, exec_type, file_type;
allow lmkd self:{ capability cap_userns } { dac_override dac_read_search sys_resource kill };
# lmkd locks itself in memory, to prevent it from being
# swapped out and unable to kill other memory hogs.
# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
# b/16236289
allow lmkd self:{ capability cap_userns } ipc_lock;
## Open and write to /proc/PID/oom_score_adj and /proc/PID/timerslack_ns
## TODO: maybe scope this down?
#line 15
allow lmkd domain:dir { open getattr read search ioctl lock watch watch_reads };
#line 15
allow lmkd domain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 15
allow lmkd domain:file write;
## Writes to /sys/module/lowmemorykiller/parameters/minfree
#line 19
allow lmkd sysfs_lowmemorykiller:dir { open getattr read search ioctl lock watch watch_reads };
#line 19
allow lmkd sysfs_lowmemorykiller:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 19
allow lmkd sysfs_lowmemorykiller:file { open append write lock map };
# setsched and send kill signals to any registered process
allow lmkd domain:process { setsched sigkill };
# TODO: delete this line b/131761776
allow lmkd kernel:process { setsched };
# Clean up old cgroups
allow lmkd cgroup:dir { remove_name rmdir };
allow lmkd cgroup_v2:dir { remove_name rmdir };
# Allow to read memcg stats
allow lmkd cgroup:file { getattr open read ioctl lock map watch watch_reads };
allow lmkd cgroup_v2:file { getattr open read ioctl lock map watch watch_reads };
# Set self to SCHED_FIFO
allow lmkd self:{ capability cap_userns } sys_nice;
allow lmkd proc_zoneinfo:file { getattr open read ioctl lock map watch watch_reads };
allow lmkd proc_vmstat:file { getattr open read ioctl lock map watch watch_reads };
# live lock watchdog process allowed to look through /proc/
allow lmkd domain:dir { search open read };
allow lmkd domain:file { open read };
# live lock watchdog process allowed to dump process trace and
# reboot because orderly shutdown may not be possible.
allow lmkd proc_sysrq:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Read /proc/lowmemorykiller
allow lmkd proc_lowmemorykiller:file { getattr open read ioctl lock map watch watch_reads };
# Read /proc/meminfo
allow lmkd proc_meminfo:file { getattr open read ioctl lock map watch watch_reads };
# Read /proc/pressure/cpu and /proc/pressure/io
allow lmkd proc_pressure_cpu:file { getattr open read ioctl lock map watch watch_reads };
allow lmkd proc_pressure_io:file { getattr open read ioctl lock map watch watch_reads };
# Read/Write /proc/pressure/memory
allow lmkd proc_pressure_mem:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow lmkd to connect during reinit.
allow lmkd lmkd_socket:sock_file write;
# Allow lmkd to write to statsd.
#line 66
allow lmkd statsdw_socket:sock_file write;
#line 66
allow lmkd statsd:unix_dgram_socket sendto;
#line 66
### neverallow rules
# never honor LD_PRELOAD
# No domain may enter lmkd with noatsecure, which would let loader environment
# such as LD_PRELOAD be honored.
neverallow * lmkd:process noatsecure;
# lmkd may reschedule and kill processes (domain:process above) but must never
# gain the ptrace capability over them.
neverallow lmkd self:{ capability cap_userns } sys_ptrace;
#line 1 "system/sepolicy/public/logd.te"
# android user-space log manager
type logd, domain, mlstrustedsubject;
type logd_exec, system_file_type, exec_type, file_type;
# Read access to pseudo filesystems.
#line 6
allow logd cgroup:dir { open getattr read search ioctl lock watch watch_reads };
#line 6
allow logd cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 6
#line 7
allow logd cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
#line 7
allow logd cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 7
#line 8
allow logd proc_kmsg:dir { open getattr read search ioctl lock watch watch_reads };
#line 8
allow logd proc_kmsg:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 8
#line 9
allow logd proc_meminfo:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow logd proc_meminfo:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 9
allow logd self:{ capability cap_userns } { setuid setgid setpcap sys_nice audit_control };
allow logd self:{ capability2 cap2_userns } syslog;
allow logd self:netlink_audit_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_write };
allow logd kernel:system syslog_read;
allow logd kmsg_device:chr_file { getattr { open append write lock map } };
allow logd system_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
allow logd packages_list_file:file { getattr open read ioctl lock map watch watch_reads };
allow logd pstorefs:dir search;
allow logd pstorefs:file { getattr open read ioctl lock map watch watch_reads };
#line 24
allow logd runtime_event_log_tags_file:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 27
allow logd domain:dir { open getattr read search ioctl lock watch watch_reads };
#line 27
allow logd domain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 27
allow logd kernel:system syslog_mod;
#line 31
# Group AID_LOG checked by filesystem & logd
#line 31
# to permit control commands
#line 31
#line 31
allow logd logd_socket:sock_file write;
#line 31
allow logd logd:unix_stream_socket connectto;
#line 31
#line 31
#line 32
allow logd runtime_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads };
#line 32
allow runtime_event_log_tags_file tmpfs:filesystem associate;
# Typically a harmless, blind attempt to access the liblog
# event tag mapping while in the untrusted_app domain.
# Access for that domain is controlled and gated via the
# event log tag service (albeit at a performance penalty,
# expected to be locally cached).
dontaudit domain runtime_event_log_tags_file:file { map open read };
# Logd sets defaults if certain properties are empty.
#line 43
#line 43
allow logd property_socket:sock_file write;
#line 43
allow logd init:unix_stream_socket connectto;
#line 43
#line 43
allow logd logd_prop:property_service set;
#line 43
#line 43
allow logd logd_prop:file { getattr open read map };
#line 43
#line 43
###
### Neverallow rules
###
### logd should NEVER do any of this
# Block device access.
neverallow logd dev_type:blk_file { read write };
# ptrace any other app
neverallow logd domain:process ptrace;
# ... and nobody may ptrace me (except on userdebug or eng builds)
# NOTE(review): in this expansion the source set is plain { domain }, so no
# debug-build exception is present here; it would presumably only appear in a
# userdebug/eng expansion of the same policy.
neverallow { domain } logd:process ptrace;
# Write to /system.
neverallow logd system_file_type:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
# Write to files in /data/data or system files on /data
neverallow logd {
app_data_file_type
system_data_file
packages_list_file
-shell_data_file # for bugreports
}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
# Only init is allowed to enter the logd domain via exec()
neverallow { domain -init } logd:process transition;
neverallow * logd:process dyntransition;
# protect the event-log-tags file
# Only init and logd may modify the tags file; all other domains are limited to
# what the allow/dontaudit rules above grant (read/open/map).
neverallow {
domain
-init
-logd
} runtime_event_log_tags_file:file { append create link unlink relabelfrom rename setattr write };
#line 1 "system/sepolicy/public/logpersist.te"
# android debug logging, logpersist domains
type logpersist, domain;
# logcatd is a shell script that execs logcat with various parameters.
# Both the shell and logcat run in-domain (execute_no_trans), i.e. no transition.
allow logpersist shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow logpersist logcat_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
###
### Neverallow rules
###
### logpersist should NEVER do any of this
# Block device access.
neverallow logpersist dev_type:blk_file { read write };
# ptrace any other app
neverallow logpersist domain:process ptrace;
# Write to files in /data/data or system files on /data except misc_logd_file
neverallow logpersist { app_data_file_type system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
# Only init should be allowed to enter the logpersist domain via exec()
# Following is a list of debug domains we know that transition to logpersist
# neverallow_with_undefined_domains {
# domain
# -init # goldfish, logcatd, raft
# -mmi # bat, mtp8996, msmcobalt
# -system_app # Smith.apk
# } logpersist:process transition;
# NOTE(review): the transition restriction above is only a comment, so this file
# enforces no limit on which domains may exec-transition into logpersist; only
# dyntransition is forbidden.
neverallow * logpersist:process dyntransition;
# Restricts ioctl on misc_logd_file to these two raw ioctl numbers; their
# symbolic names are not given here.
allowxperm logpersist misc_logd_file:file ioctl {
0xf512
0x40086602
};
#line 1 "system/sepolicy/public/mdnsd.te"
# mdns daemon
type mdnsd, domain;
#line 1 "system/sepolicy/public/mediadrmserver.te"
# mediadrmserver - mediadrm daemon
type mediadrmserver, domain;
type mediadrmserver_exec, system_file_type, exec_type, file_type;
typeattribute mediadrmserver mlstrustedsubject;
#line 7
typeattribute mediadrmserver netdomain;
#line 7
#line 8
# Call the servicemanager and transfer references to it.
#line 8
allow mediadrmserver servicemanager:binder { call transfer };
#line 8
# Allow servicemanager to send out callbacks
#line 8
allow servicemanager mediadrmserver:binder { call transfer };
#line 8
# servicemanager performs getpidcon on clients.
#line 8
allow servicemanager mediadrmserver:dir search;
#line 8
allow servicemanager mediadrmserver:file { read open };
#line 8
allow servicemanager mediadrmserver:process getattr;
#line 8
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 8
# all domains in domain.te.
#line 8
#line 9
# Call the server domain and optionally transfer references to it.
#line 9
allow mediadrmserver binderservicedomain:binder { call transfer };
#line 9
# Allow the server domain to transfer references to the client on the reply.
#line 9
allow binderservicedomain mediadrmserver:binder transfer;
#line 9
# Receive and use open files from the server.
#line 9
allow mediadrmserver binderservicedomain:fd use;
#line 9
#line 10
# Call the server domain and optionally transfer references to it.
#line 10
allow mediadrmserver appdomain:binder { call transfer };
#line 10
# Allow the server domain to transfer references to the client on the reply.
#line 10
allow appdomain mediadrmserver:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow mediadrmserver appdomain:fd use;
#line 10
#line 11
typeattribute mediadrmserver binderservicedomain;
#line 11
#line 12
typeattribute mediadrmserver halclientdomain;
#line 12
typeattribute mediadrmserver hal_drm_client;
#line 12
#line 12
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 12
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 12
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 12
#line 12
typeattribute mediadrmserver hal_drm;
#line 12
# Find passthrough HAL implementations
#line 12
allow hal_drm system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow hal_drm vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow hal_drm vendor_file:file { read open getattr execute map };
#line 12
#line 12
#line 14
allow mediadrmserver mediadrmserver_service:service_manager { add find };
#line 14
neverallow { domain -mediadrmserver } mediadrmserver_service:service_manager add;
#line 14
#line 14
# On debug builds with root, allow binder services to use binder over TCP.
#line 14
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 14
#line 14
allow mediadrmserver mediaserver_service:service_manager find;
allow mediadrmserver mediametrics_service:service_manager find;
allow mediadrmserver processinfo_service:service_manager find;
allow mediadrmserver surfaceflinger_service:service_manager find;
allow mediadrmserver system_file:dir { open getattr read search ioctl lock watch watch_reads };
# TODO(b/80317992): remove
#line 22
# Call the server domain and optionally transfer references to it.
#line 22
allow mediadrmserver hal_omx_server:binder { call transfer };
#line 22
# Allow the server domain to transfer references to the client on the reply.
#line 22
allow hal_omx_server mediadrmserver:binder transfer;
#line 22
# Receive and use open files from the server.
#line 22
allow mediadrmserver hal_omx_server:fd use;
#line 22
###
### neverallow rules
###
# mediadrmserver should never execute any executable without a
# domain transition
# This is consistent with the passthrough-HAL grant above (hal_drm gets
# `execute` on vendor_file) because execute_no_trans is not part of that grant.
neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
# do not allow privileged socket ioctl commands
neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl
#line 33
{
#line 33
# qualcomm rmnet ioctls
#line 33
0x00006900 0x00006902
#line 33
# socket ioctls
#line 33
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 33
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 33
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 33
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 33
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 33
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 33
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 33
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 33
0x00008991 0x00008992 0x00008993 0x00008994
#line 33
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 33
# device and protocol specific ioctls
#line 33
0x000089f0-0x000089ff
#line 33
0x000089e0-0x000089ef
#line 33
# Wireless extension ioctls
#line 33
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 33
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 33
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 33
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 33
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 33
0x00008b34 0x00008b35 0x00008b36
#line 33
# Dev private ioctl i.e. hardware specific ioctls
#line 33
0x00008be0-0x00008bff
#line 33
};
#line 1 "system/sepolicy/public/mediaextractor.te"
# mediaextractor - multimedia daemon
type mediaextractor, domain;
type mediaextractor_exec, system_file_type, exec_type, file_type;
type mediaextractor_tmpfs, file_type;
typeattribute mediaextractor mlstrustedsubject;
#line 8
# Call the servicemanager and transfer references to it.
#line 8
allow mediaextractor servicemanager:binder { call transfer };
#line 8
# Allow servicemanager to send out callbacks
#line 8
allow servicemanager mediaextractor:binder { call transfer };
#line 8
# servicemanager performs getpidcon on clients.
#line 8
allow servicemanager mediaextractor:dir search;
#line 8
allow servicemanager mediaextractor:file { read open };
#line 8
allow servicemanager mediaextractor:process getattr;
#line 8
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 8
# all domains in domain.te.
#line 8
#line 9
# Call the server domain and optionally transfer references to it.
#line 9
allow mediaextractor binderservicedomain:binder { call transfer };
#line 9
# Allow the server domain to transfer references to the client on the reply.
#line 9
allow binderservicedomain mediaextractor:binder transfer;
#line 9
# Receive and use open files from the server.
#line 9
allow mediaextractor binderservicedomain:fd use;
#line 9
#line 10
# Call the server domain and optionally transfer references to it.
#line 10
allow mediaextractor appdomain:binder { call transfer };
#line 10
# Allow the server domain to transfer references to the client on the reply.
#line 10
allow appdomain mediaextractor:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow mediaextractor appdomain:fd use;
#line 10
#line 11
typeattribute mediaextractor binderservicedomain;
#line 11
#line 13
allow mediaextractor mediaextractor_service:service_manager { add find };
#line 13
neverallow { domain -mediaextractor } mediaextractor_service:service_manager add;
#line 13
#line 13
# On debug builds with root, allow binder services to use binder over TCP.
#line 13
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 13
#line 13
allow mediaextractor mediametrics_service:service_manager find;
allow mediaextractor hidl_token_hwservice:hwservice_manager find;
allow mediaextractor system_server:fd use;
#line 19
typeattribute mediaextractor halclientdomain;
#line 19
typeattribute mediaextractor hal_cas_client;
#line 19
#line 19
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 19
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 19
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 19
#line 19
typeattribute mediaextractor hal_cas;
#line 19
# Find passthrough HAL implementations
#line 19
allow hal_cas system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 19
allow hal_cas vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 19
allow hal_cas vendor_file:file { read open getattr execute map };
#line 19
#line 19
#line 20
typeattribute mediaextractor halclientdomain;
#line 20
typeattribute mediaextractor hal_allocator_client;
#line 20
#line 20
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 20
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 20
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 20
#line 20
typeattribute mediaextractor hal_allocator;
#line 20
# Find passthrough HAL implementations
#line 20
allow hal_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 20
allow hal_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 20
allow hal_allocator vendor_file:file { read open getattr execute map };
#line 20
#line 20
#line 22
allow mediaextractor cgroup:dir { open getattr read search ioctl lock watch watch_reads };
#line 22
allow mediaextractor cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 22
#line 23
allow mediaextractor cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
#line 23
allow mediaextractor cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 23
allow mediaextractor proc_meminfo:file { getattr open read ioctl lock map watch watch_reads };
#line 26
#line 26
allow mediaextractor anr_data_file:file append;
#line 26
allow mediaextractor dumpstate:fd use;
#line 26
allow mediaextractor incidentd:fd use;
#line 26
# TODO: Figure out why write is needed.
#line 26
allow mediaextractor dumpstate:fifo_file { append write };
#line 26
allow mediaextractor incidentd:fifo_file { append write };
#line 26
allow mediaextractor system_server:fifo_file { append write };
#line 26
allow mediaextractor tombstoned:unix_stream_socket connectto;
#line 26
allow mediaextractor tombstoned:fd use;
#line 26
allow mediaextractor tombstoned_crash_socket:sock_file write;
#line 26
allow mediaextractor tombstone_data_file:file append;
#line 26
# allow mediaextractor read permissions for file sources
allow mediaextractor { sdcard_type fuse }:file { getattr read };
allow mediaextractor media_rw_data_file:file { getattr read };
allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
# Read resources from open apk files passed over Binder
allow mediaextractor apk_data_file:file { read getattr };
allow mediaextractor asec_apk_file:file { read getattr };
allow mediaextractor ringtone_file:file { read getattr };
# overlay package access
allow mediaextractor vendor_overlay_file:file { read map };
# scan extractor library directory to dynamically load extractors
allow mediaextractor system_file:dir { read open };
###
### neverallow rules
###
# mediaextractor should never execute any executable without a
# domain transition
neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediaextractor domain:{ udp_socket rawip_socket } *;
neverallow mediaextractor { domain }:tcp_socket *;
# mediaextractor should not be opening /data files directly. Any files
# it touches (with a few exceptions) need to be passed to it via a file
# descriptor opened outside the process.
neverallow mediaextractor {
data_file_type
# for loading media extractor plugins
}:file open;
#line 1 "system/sepolicy/public/mediametrics.te"
# mediametrics - daemon for collecting media.metrics data
#
# Trust-boundary summary, from the rules in this section only: mediametrics is
# a binder service that registers mediametrics_service, reads cgroup and
# proc_meminfo state, pushes events to statsd, and is fenced by neverallow
# rules (bottom of this section) that forbid execute_no_trans and any use of
# tcp/udp/rawip sockets. It is deliberately not given the netdomain attribute.
type mediametrics, domain;
type mediametrics_exec, system_file_type, exec_type, file_type;
#line 6
# Call the servicemanager and transfer references to it.
#line 6
allow mediametrics servicemanager:binder { call transfer };
#line 6
# Allow servicemanager to send out callbacks
#line 6
allow servicemanager mediametrics:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
#line 6
allow servicemanager mediametrics:dir search;
#line 6
allow servicemanager mediametrics:file { read open };
#line 6
allow servicemanager mediametrics:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6
#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow mediametrics binderservicedomain:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow binderservicedomain mediametrics:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow mediametrics binderservicedomain:fd use;
#line 7
#line 8
typeattribute mediametrics binderservicedomain;
#line 8
#line 10
# Only mediametrics may register (add) mediametrics_service. The neverallow
# that follows turns this from a local grant into a policy-wide invariant:
# any other domain being granted `add` on this service fails policy build,
# so the service cannot be impersonated by another process.
allow mediametrics mediametrics_service:service_manager { add find };
#line 10
neverallow { domain -mediametrics } mediametrics_service:service_manager add;
#line 10
#line 10
# On debug builds with root, allow binder services to use binder over TCP.
#line 10
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 10
# (The debug-only rule itself appears to have been compiled out of this build;
# only its comment survives.)
#line 10
allow mediametrics system_server:fd use;
#line 14
allow mediametrics cgroup:dir { open getattr read search ioctl lock watch watch_reads };
#line 14
allow mediametrics cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 14
#line 15
allow mediametrics cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
#line 15
allow mediametrics cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 15
allow mediametrics proc_meminfo:file { getattr open read ioctl lock map watch watch_reads };
# allows interactions with dumpsys to GMScore
# NOTE(review): only `write` is granted on these app data files -- no open,
# read or create -- so this covers descriptors handed to mediametrics by a
# caller (consistent with the dumpsys use described above); it does not let
# mediametrics open app data files on its own.
allow mediametrics { app_data_file privapp_data_file }:file write;
# allow access to package manager for uid->apk mapping
allow mediametrics package_native_service:service_manager find;
# Allow metrics service to send information to statsd socket.
# Send-only path: write on the socket file plus sendto on statsd's datagram
# socket. No receive permission is granted here.
#line 25
allow mediametrics statsdw_socket:sock_file write;
#line 25
allow mediametrics statsd:unix_dgram_socket sendto;
#line 25
###
### neverallow rules
###
# These are compile-time invariants for the whole policy: a rule anywhere else
# (including vendor policy) that grants one of these permissions to
# mediametrics makes the policy fail to build.
# mediametrics should never execute any executable without a
# domain transition
neverallow mediametrics { file_type fs_type }:file execute_no_trans;
# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
# Note the target is `domain` with `*`: no udp/rawip/tcp socket permission of
# any kind, on any domain's sockets, may ever be granted to mediametrics.
neverallow mediametrics domain:{ udp_socket rawip_socket } *;
neverallow mediametrics { domain }:tcp_socket *;
#line 1 "system/sepolicy/public/mediaprovider.te"
###
### A domain for android.process.media, which contains both
### MediaProvider and DownloadProvider and associated services.
###
# Only the domain type is declared in this section; the access rules for it
# are defined elsewhere in the policy.
type mediaprovider, domain;
#line 1 "system/sepolicy/public/mediaserver.te"
# mediaserver - multimedia daemon
#
# Unlike the other media domains in this policy (mediaextractor, mediametrics
# and mediaswcodec all carry neverallow rules against tcp/udp/rawip sockets),
# mediaserver is explicitly a netdomain and therefore receives the socket
# permissions granted to that attribute in net.te.
type mediaserver, domain;
type mediaserver_exec, system_file_type, exec_type, file_type;
type mediaserver_tmpfs, file_type;
# Exempts mediaserver from the MLS constraints that apply to ordinary subjects.
typeattribute mediaserver mlstrustedsubject;
#line 8
# This single line is what makes mediaserver network-capable.
typeattribute mediaserver netdomain;
#line 8
#line 10
# Read-only traversal and read of external storage (sdcard_type, fuse);
# `write` on these files is granted separately further down in this section.
allow mediaserver sdcard_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 10
allow mediaserver sdcard_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 10
#line 11
allow mediaserver fuse:dir { open getattr read search ioctl lock watch watch_reads };
#line 11
allow mediaserver fuse:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 11
#line 12
allow mediaserver cgroup:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow mediaserver cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 12
#line 13
allow mediaserver cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
#line 13
allow mediaserver cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 13
# stat /proc/self
allow mediaserver proc:lnk_file getattr;
# open /vendor/lib/mediadrm
# NOTE(review): this rule grants system_file:dir, not vendor_file; confirm the
# path named in the comment above is still what the rule is for.
allow mediaserver system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 24
#line 26
# Binder wiring. Within this section mediaserver initiates calls to
# servicemanager, to any binderservicedomain and to any appdomain. In the
# reverse direction only servicemanager is granted `call` into mediaserver;
# binderservicedomain and appdomain get `transfer` only, i.e. they may hand
# references back on a reply but cannot initiate a call here.
# Call the servicemanager and transfer references to it.
#line 26
allow mediaserver servicemanager:binder { call transfer };
#line 26
# Allow servicemanager to send out callbacks
#line 26
allow servicemanager mediaserver:binder { call transfer };
#line 26
# servicemanager performs getpidcon on clients.
#line 26
allow servicemanager mediaserver:dir search;
#line 26
allow servicemanager mediaserver:file { read open };
#line 26
allow servicemanager mediaserver:process getattr;
#line 26
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 26
# all domains in domain.te.
#line 26
#line 27
# Call the server domain and optionally transfer references to it.
#line 27
allow mediaserver binderservicedomain:binder { call transfer };
#line 27
# Allow the serverdomain to transfer references to the client on the reply.
#line 27
allow binderservicedomain mediaserver:binder transfer;
#line 27
# Receive and use open files from the server.
#line 27
allow mediaserver binderservicedomain:fd use;
#line 27
#line 28
# Call the server domain and optionally transfer references to it.
#line 28
allow mediaserver appdomain:binder { call transfer };
#line 28
# Allow the serverdomain to transfer references to the client on the reply.
#line 28
allow appdomain mediaserver:binder transfer;
#line 28
# Receive and use open files from the server.
#line 28
allow mediaserver appdomain:fd use;
#line 28
#line 29
typeattribute mediaserver binderservicedomain;
#line 29
# Full create/rename/unlink plus read/write on media_data_file directories
# and files: this is the one data location mediaserver manages itself.
allow mediaserver media_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow mediaserver media_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# No `open` or `create` here: app data files reach mediaserver only as
# already-open descriptors passed over binder (see the appdomain:fd use rule
# above), so mediaserver cannot go looking for app files on its own.
allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
# Write-only; read/open on these file types is granted in the r_dir_file rules
# near the top of this section.
allow mediaserver { sdcard_type fuse }:file write;
# Read/write access to the GPU and video device nodes (hardware codec paths).
allow mediaserver gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow mediaserver gpu_device:dir { open getattr read search ioctl lock watch watch_reads };
allow mediaserver video_device:dir { open getattr read search ioctl lock watch watch_reads };
allow mediaserver video_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Read resources from open apk files passed over Binder.
# Again read/getattr only, no open: the descriptor must come from the caller.
allow mediaserver apk_data_file:file { read getattr };
allow mediaserver asec_apk_file:file { read getattr };
allow mediaserver ringtone_file:file { read getattr };
# Read /data/data/com.android.providers.telephony files passed over Binder.
allow mediaserver radio_data_file:file { read getattr };
# Use pipes passed over Binder from app domains.
# getattr/read/write on an app-owned FIFO, without open.
allow mediaserver appdomain:fifo_file { getattr read write };
allow mediaserver rpmsg_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Inter System processes communicate over named pipe (FIFO)
# Read-only on system_server FIFOs (no write/append in this rule).
allow mediaserver system_server:fifo_file { getattr open read ioctl lock map watch watch_reads };
#line 56
allow mediaserver media_rw_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 56
allow mediaserver media_rw_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 56
# Grant access to read files on appfuse.
allow mediaserver app_fuse_file:file { read getattr };
# Needed on some devices for playing DRM protected content,
# but seems expected and appropriate for all devices.
# unix_socket_connect expansion: write on the socket file + connectto on the
# peer's stream socket. Client side only; drmserver's own permissions are not
# widened by this.
#line 63
allow mediaserver drmserver_socket:sock_file write;
#line 63
allow mediaserver drmserver:unix_stream_socket connectto;
#line 63
# Needed on some devices for playing audio on paired BT device,
# but seems appropriate for all devices.
#line 67
allow mediaserver bluetooth_socket:sock_file write;
#line 67
allow mediaserver bluetooth:unix_stream_socket connectto;
#line 67
# Needed for mediaserver to send information to statsd socket.
# Send-only (sendto) on statsd's datagram socket.
#line 70
allow mediaserver statsdw_socket:sock_file write;
#line 70
allow mediaserver statsd:unix_dgram_socket sendto;
#line 70
#line 72
# Only mediaserver may register mediaserver_service; the neverallow makes this
# a policy-wide invariant (any other domain granted `add` fails policy build).
allow mediaserver mediaserver_service:service_manager { add find };
#line 72
neverallow { domain -mediaserver } mediaserver_service:service_manager add;
#line 72
#line 72
# On debug builds with root, allow binder services to use binder over TCP.
#line 72
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 72
# (The debug-only rule itself appears to have been compiled out of this build;
# only its comment survives.)
#line 72
# `find` only: these rules let mediaserver locate the listed services via
# servicemanager. What it may then do over binder is governed by the
# binder rules above and by each service's own checks, not by this list.
allow mediaserver activity_service:service_manager find;
allow mediaserver appops_service:service_manager find;
allow mediaserver audio_service:service_manager find;
allow mediaserver audioserver_service:service_manager find;
allow mediaserver cameraserver_service:service_manager find;
allow mediaserver batterystats_service:service_manager find;
allow mediaserver drmserver_service:service_manager find;
allow mediaserver mediaextractor_service:service_manager find;
allow mediaserver mediametrics_service:service_manager find;
allow mediaserver media_session_service:service_manager find;
allow mediaserver package_native_service:service_manager find;
allow mediaserver permission_service:service_manager find;
allow mediaserver permission_checker_service:service_manager find;
allow mediaserver power_service:service_manager find;
allow mediaserver processinfo_service:service_manager find;
allow mediaserver scheduling_policy_service:service_manager find;
allow mediaserver surfaceflinger_service:service_manager find;
# for ModDrm/MediaPlayer
allow mediaserver mediadrmserver_service:service_manager find;
# For hybrid interfaces
allow mediaserver hidl_token_hwservice:hwservice_manager find;
# /oem access
allow mediaserver oemfs:dir search;
allow mediaserver oemfs:file { getattr open read ioctl lock map watch watch_reads };
# /oem boot animation file
allow mediaserver bootanim_oem_file:file { getattr open read ioctl lock map watch watch_reads };
# /vendor apk access
allow mediaserver vendor_app_file:file { read map getattr };
#line 107
# drmserver performs getpidcon on mediaserver when it is called (companion of
# the binder_call expansion).
allow drmserver mediaserver:dir search;
#line 107
allow drmserver mediaserver:file { read open };
#line 107
allow drmserver mediaserver:process getattr;
#line 107
# The specific drmservice operations mediaserver may invoke on drmserver.
# Anything not in this list is denied, so playback-related operations are
# allowed without handing mediaserver the whole DRM surface.
allow mediaserver drmserver:drmservice {
consumeRights
setPlaybackStatus
openDecryptSession
closeDecryptSession
initializeDecryptUnit
decrypt
finalizeDecryptUnit
pread
};
# only allow unprivileged socket ioctl commands
# Once an allowxperm rule exists for (source, target, class), `ioctl` on that
# triple is restricted to the listed commands. The target here is `self`, so
# this allowlist shapes only sockets mediaserver created itself; the
# neverallowxperm at the end of this section is what forbids privileged
# ioctls on sockets from any domain.
allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
ioctl {
#line 121
{
#line 121
# Socket ioctls for gathering information about the interface
#line 121
0x00008906 0x00008907
#line 121
0x00008910 0x00008912 0x00008913 0x00008915 0x00008917 0x00008919
#line 121
0x0000891b 0x00008921 0x00008933 0x00008938 0x00008942
#line 121
# Wireless extension ioctls. Primarily get functions.
#line 121
0x00008b01 0x00008b05 0x00008b07 0x00008b09 0x00008b0b 0x00008b0d
#line 121
0x00008b0f 0x00008b11 0x00008b12 0x00008b13 0x00008b21 0x00008b23
#line 121
0x00008b25 0x00008b27 0x00008b29 0x00008b2d
#line 121
} {
#line 121
# Presumably the generic tty/FIO-style ioctls (0x54xx range) rather than
# socket-specific ones -- confirm against the macro definition.
0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414
#line 121
0x0000540e 0x0000540b 0x00005410 0x0000540f
#line 121
} };
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
# NOTE(review): this is full create/rename/unlink + read/write on the
# underlying media_rw_data_file tree, broader than the r_dir_file grant on the
# same type earlier in this section.
allow mediaserver media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow mediaserver media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Access to media in /data/preloads
allow mediaserver preloads_media_file:file { getattr read ioctl };
# Read-side (r_file_perms) access to the ION and dmabuf heap device nodes;
# `ioctl` is included, which is how buffers are allocated on these nodes,
# but no write/append is granted.
allow mediaserver ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow mediaserver dmabuf_system_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow mediaserver dmabuf_system_secure_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# Use descriptors handed over by these HAL server and system domains.
allow mediaserver hal_graphics_allocator:fd use;
allow mediaserver hal_graphics_composer:fd use;
allow mediaserver hal_camera:fd use;
allow mediaserver system_server:fd use;
# b/120491318 allow mediaserver to access vold:fd
allow mediaserver vold:fd use;
# overlay package access
allow mediaserver vendor_overlay_file:file { read getattr map };
#line 147
typeattribute mediaserver halclientdomain;
#line 147
typeattribute mediaserver hal_allocator_client;
#line 147
#line 147
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 147
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 147
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 147
#line 147
# Passthrough mode: mediaserver itself joins the hal_allocator attribute, and
# the grants below target that attribute rather than mediaserver directly, so
# they apply to every domain carrying hal_allocator. The `execute map` on
# vendor_file is what lets the HAL library be loaded in-process.
typeattribute mediaserver hal_allocator;
#line 147
# Find passthrough HAL implementations
#line 147
allow hal_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 147
allow hal_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 147
allow hal_allocator vendor_file:file { read open getattr execute map };
#line 147
#line 147
###
### neverallow rules
###
# Compile-time invariants for the whole policy: a rule anywhere else
# (including vendor policy) that grants one of these to mediaserver makes the
# policy fail to build.
# mediaserver should never execute any executable without a
# domain transition
neverallow mediaserver { file_type fs_type }:file execute_no_trans;
# do not allow privileged socket ioctl commands
# Complements the allowxperm allowlist above. Note the target is `domain`
# (sockets of any domain, not just mediaserver's own), and that ranges such
# as 0x000089f0-0x000089ff are forbidden wholesale.
neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl
#line 158
{
#line 158
# qualcomm rmnet ioctls
#line 158
0x00006900 0x00006902
#line 158
# socket ioctls
#line 158
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 158
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 158
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 158
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 158
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 158
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 158
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 158
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 158
0x00008991 0x00008992 0x00008993 0x00008994
#line 158
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 158
# device and protocol specific ioctls
#line 158
0x000089f0-0x000089ff
#line 158
0x000089e0-0x000089ef
#line 158
# Wireless extension ioctls
#line 158
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 158
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 158
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 158
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 158
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 158
0x00008b34 0x00008b35 0x00008b36
#line 158
# Dev private ioctl i.e. hardware specific ioctls
#line 158
0x00008be0-0x00008bff
#line 158
};
#line 1 "system/sepolicy/public/mediaswcodec.te"
# mediaswcodec: software codec process. It is both a Codec2 HAL server
# (halserverdomain / hal_codec2_server) and a client of the Codec2, OMX,
# allocator and graphics-allocator HALs (the hal_*_client blocks below).
type mediaswcodec, domain;
type mediaswcodec_exec, system_file_type, exec_type, file_type;
#line 4
typeattribute mediaswcodec halserverdomain;
#line 4
typeattribute mediaswcodec hal_codec2_server;
#line 4
typeattribute mediaswcodec hal_codec2;
#line 4
# mediaswcodec may use an input surface from a different Codec2 service or an
# OMX service
#line 8
typeattribute mediaswcodec halclientdomain;
#line 8
typeattribute mediaswcodec hal_codec2_client;
#line 8
#line 8
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 8
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 8
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 8
#line 8
# hal_codec2 is added a second time here (server block above, client block
# here); repeating a typeattribute is a no-op.
typeattribute mediaswcodec hal_codec2;
#line 8
# Find passthrough HAL implementations
# These grants target the HAL attribute, not mediaswcodec, so they apply to
# every domain carrying it. `execute map` on vendor_file is what permits
# loading the HAL library in-process.
#line 8
allow hal_codec2 system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 8
allow hal_codec2 vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 8
allow hal_codec2 vendor_file:file { read open getattr execute map };
#line 8
#line 8
#line 9
typeattribute mediaswcodec halclientdomain;
#line 9
typeattribute mediaswcodec hal_omx_client;
#line 9
#line 9
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 9
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 9
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 9
#line 9
typeattribute mediaswcodec hal_omx;
#line 9
# Find passthrough HAL implementations
#line 9
allow hal_omx system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow hal_omx vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow hal_omx vendor_file:file { read open getattr execute map };
#line 9
#line 9
#line 11
typeattribute mediaswcodec halclientdomain;
#line 11
typeattribute mediaswcodec hal_allocator_client;
#line 11
#line 11
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 11
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 11
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 11
#line 11
typeattribute mediaswcodec hal_allocator;
#line 11
# Find passthrough HAL implementations
#line 11
allow hal_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 11
allow hal_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 11
allow hal_allocator vendor_file:file { read open getattr execute map };
#line 11
#line 11
#line 12
typeattribute mediaswcodec halclientdomain;
#line 12
typeattribute mediaswcodec hal_graphics_allocator_client;
#line 12
#line 12
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 12
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 12
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 12
#line 12
typeattribute mediaswcodec hal_graphics_allocator;
#line 12
# Find passthrough HAL implementations
#line 12
allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow hal_graphics_allocator vendor_file:file { read open getattr execute map };
#line 12
#line 12
# get aac_drc_* properties
# Read-only property access (getattr/open/read/map on the property file).
#line 15
allow mediaswcodec aac_drc_prop:file { getattr open read map };
#line 15
#line 17
# Crash-reporting fallback: append-only to ANR/tombstone data, descriptor use
# and FIFO write to dumpstate/incidentd/system_server, and connect to
# tombstoned. Nothing here grants read access to those files.
#line 17
allow mediaswcodec anr_data_file:file append;
#line 17
allow mediaswcodec dumpstate:fd use;
#line 17
allow mediaswcodec incidentd:fd use;
#line 17
# TODO: Figure out why write is needed.
#line 17
allow mediaswcodec dumpstate:fifo_file { append write };
#line 17
allow mediaswcodec incidentd:fifo_file { append write };
#line 17
allow mediaswcodec system_server:fifo_file { append write };
#line 17
allow mediaswcodec tombstoned:unix_stream_socket connectto;
#line 17
allow mediaswcodec tombstoned:fd use;
#line 17
allow mediaswcodec tombstoned_crash_socket:sock_file write;
#line 17
allow mediaswcodec tombstone_data_file:file append;
#line 17
# Compile-time invariants for the whole policy: a rule anywhere else
# (including vendor policy) granting one of these to mediaswcodec fails the
# policy build. Like mediaextractor and mediametrics, and unlike mediaserver,
# this domain is kept off the network entirely.
# mediaswcodec_server should never execute any executable without a
# domain transition
neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediaswcodec domain:{ udp_socket rawip_socket } *;
neverallow mediaswcodec { domain }:tcp_socket *;
# dmabuf heaps are read-side only (ioctl included, no write); the GPU device
# node is read/write.
allow mediaswcodec dmabuf_system_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow mediaswcodec dmabuf_system_secure_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow mediaswcodec gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow mediaswcodec gpu_device:dir { open getattr read search ioctl lock watch watch_reads };
#line 1 "system/sepolicy/public/mediatranscoding.te"
# Only the domain type is declared in this section; its access rules are
# defined elsewhere in the policy.
type mediatranscoding, domain;
#line 1 "system/sepolicy/public/modprobe.te"
# modprobe: kernel-module loader domain. The rules visible here cover reading
# module state, the capability that gates module loading, and the single file
# type from which modules may be loaded.
type modprobe, domain;
# Read the procfs module list (proc_modules) and the kernel command line.
allow modprobe proc_modules:file { getattr open read ioctl lock map watch watch_reads };
allow modprobe proc_cmdline:file { getattr open read ioctl lock map watch watch_reads };
# CAP_SYS_MODULE, in the initial and in user namespaces (cap_userns): the
# privilege required by the module-loading syscalls. This is the sensitive
# grant in this domain.
allow modprobe self:{ capability cap_userns } sys_module;
# `search` on the kernel keyring; presumably needed for module signature
# verification -- TODO confirm.
allow modprobe kernel:key search;
# Module files come only from system_dlkm_file. The system:module_load check
# is made against the label of the module file being loaded, so within this
# section modules with any other label cannot be loaded by modprobe.
allow modprobe system_dlkm_file:dir search;
allow modprobe system_dlkm_file:file { getattr open read ioctl lock map watch watch_reads };
allow modprobe system_dlkm_file:system module_load;
# (A conditional rule at source line 13 appears to have expanded to nothing in
# this build.)
#line 13
#line 1 "system/sepolicy/public/mtp.te"
# vpn tunneling protocol manager
# Only the domain type is declared in this section; its access rules are
# defined elsewhere in the policy.
type mtp, domain;
#line 1 "system/sepolicy/public/net.te"
## Network types
# Base types for the network object classes; concrete node/netif/port types
# carry the matching *_type attribute.
type node, node_type;
type netif, netif_type;
type port, port_type;
###
### Domain with network access
###
# Everything below is granted to the netdomain attribute, i.e. to every
# domain that declares `typeattribute X netdomain` (mediaserver and netd do so
# in this policy). Adding that attribute is what turns a domain into a
# network-capable one.
# Use network sockets.
# TCP: create, full read/write/bind/connect, and additionally listen/accept,
# so a netdomain may act as a TCP server, not only as a client.
allow netdomain self:tcp_socket { create { { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } listen accept } };
# ICMP, UDP and raw IP sockets: create plus read/write/bind/connect.
allow netdomain self:{ icmp_socket udp_socket rawip_socket } { create { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# Connect to ports.
# name_connect is granted for the whole port_type attribute, i.e. to any port
# labelled with a port_type type.
allow netdomain port_type:tcp_socket name_connect;
# See changes to the routing table.
# Read-side only on the routing netlink socket: nlmsg_read but no
# nlmsg_write, so an ordinary netdomain can observe routes but not change
# them (netd is granted nlmsg_write separately in netd.te).
allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
# Talks to netd via dnsproxyd socket.
# unix_socket_connect expansion: write on the socket file plus connectto on
# netd's stream socket. This is the DNS proxy path every netdomain gets.
#line 20
allow netdomain dnsproxyd_socket:sock_file write;
#line 20
allow netdomain netd:unix_stream_socket connectto;
#line 20
# Talks to netd via fwmarkd socket.
#line 23
allow netdomain fwmarkd_socket:sock_file write;
#line 23
allow netdomain netd:unix_stream_socket connectto;
#line 23
#line 1 "system/sepolicy/public/netd.te"
# network manager
type netd, domain, mlstrustedsubject;
type netd_exec, system_file_type, exec_type, file_type;
#line 5
typeattribute netd netdomain;
#line 5
# Connect to mdnsd via mdnsd socket.
#line 7
allow netd mdnsd_socket:sock_file write;
#line 7
allow netd mdnsd:unix_stream_socket connectto;
#line 7
# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl
#line 9
{
#line 9
# qualcomm rmnet ioctls
#line 9
0x00006900 0x00006902
#line 9
# socket ioctls
#line 9
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 9
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 9
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 9
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 9
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 9
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 9
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 9
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 9
0x00008991 0x00008992 0x00008993 0x00008994
#line 9
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 9
# device and protocol specific ioctls
#line 9
0x000089f0-0x000089ff
#line 9
0x000089e0-0x000089ef
#line 9
# Wireless extension ioctls
#line 9
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 9
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 9
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 9
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 9
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 9
0x00008b34 0x00008b35 0x00008b36
#line 9
# Dev private ioctl i.e. hardware specific ioctls
#line 9
0x00008be0-0x00008bff
#line 9
};
#line 11
allow netd cgroup:dir { open getattr read search ioctl lock watch watch_reads };
#line 11
allow netd cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 11
allow netd system_server:fd use;
allow netd self:{ capability cap_userns } { net_admin net_raw kill };
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set. We do not appear to truly need this capability
# for netd to operate.
dontaudit netd self:{ capability cap_userns } fsetid;
# Allow netd to open /dev/tun, set it up and pass it to clatd
allow netd tun_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allowxperm netd tun_device:chr_file ioctl { 0x800454d2 0x400454ca };
allow netd self:tun_socket create;
allow netd self:netlink_kobject_uevent_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow netd self:netlink_route_socket nlmsg_write;
allow netd self:netlink_nflog_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow netd self:netlink_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow netd self:netlink_tcpdiag_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_read nlmsg_write };
allow netd self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow netd self:netlink_netfilter_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow netd shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow netd system_file:file { getattr execute execute_no_trans map };
allow netd vendor_file:file { getattr execute execute_no_trans map };
allow netd devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Acquire advisory lock on /system/etc/xtables.lock. If this file doesn't
# exist, suppress the denial.
allow netd system_file:file lock;
dontaudit netd system_file:dir write;
# Allow netd to write to qtaguid ctrl file.
# TODO: Add proper rules to prevent other process to access qtaguid_proc file
# after migration complete
allow netd proc_qtaguid_ctrl:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
allow netd qtaguid_device:chr_file { getattr open read ioctl lock map watch watch_reads };
#line 53
allow netd proc_net_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 53
allow netd proc_net_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 53
# For /proc/sys/net/ipv[46]/route/flush.
allow netd proc_net_type:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Enables PppController and interface enumeration (among others)
allow netd sysfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 59
allow netd sysfs_net:dir { open getattr read search ioctl lock watch watch_reads };
#line 59
allow netd sysfs_net:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 59
# Allows setting interface MTU
allow netd sysfs_net:file { open append write lock map };
# TODO: added to match above sysfs rule. Remove me?
allow netd sysfs_usb:file write;
#line 67
allow netd cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
#line 67
allow netd cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 67
# TODO: netd previously thought it needed these permissions to do WiFi-related
# work. However, now that all the WiFi code is gone, we still need them.
# Why?
allow netd self:{ capability cap_userns } { dac_override dac_read_search chown };
# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow netd net_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow netd self:{ capability cap_userns } fowner;
# Needed to lock the iptables lock.
allow netd system_file:file lock;
# Allow netd to spawn dnsmasq in its own domain
allow netd dnsmasq:process { sigkill signal };
# Allow netd to publish a binder service and make binder calls.
#line 86
# Call the servicemanager and transfer references to it.
#line 86
allow netd servicemanager:binder { call transfer };
#line 86
# Allow servicemanager to send out callbacks
#line 86
allow servicemanager netd:binder { call transfer };
#line 86
# servicemanager performs getpidcon on clients.
#line 86
allow servicemanager netd:dir search;
#line 86
allow servicemanager netd:file { read open };
#line 86
allow servicemanager netd:process getattr;
#line 86
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 86
# all domains in domain.te.
#line 86
#line 87
allow netd netd_service:service_manager { add find };
#line 87
neverallow { domain -netd } netd_service:service_manager add;
#line 87
#line 87
# On debug builds with root, allow binder services to use binder over TCP.
#line 87
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 87
#line 87
#line 88
allow netd dnsresolver_service:service_manager { add find };
#line 88
neverallow { domain -netd } dnsresolver_service:service_manager add;
#line 88
#line 88
# On debug builds with root, allow binder services to use binder over TCP.
#line 88
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 88
#line 88
#line 89
allow netd mdns_service:service_manager { add find };
#line 89
neverallow { domain -netd } mdns_service:service_manager add;
#line 89
#line 89
# On debug builds with root, allow binder services to use binder over TCP.
#line 89
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 89
#line 89
allow netd dumpstate:fifo_file { getattr write };
# Allow netd to call into the system server so it can check permissions.
allow netd system_server:binder call;
allow netd permission_service:service_manager find;
# Allow netd to talk to the framework service which collects netd events.
allow netd netd_listener_service:service_manager find;
# Allow netd to operate on sockets that are passed to it.
allow netd netdomain:{
icmp_socket
tcp_socket
udp_socket
rawip_socket
tun_socket
} { read write getattr setattr getopt setopt };
allow netd netdomain:fd use;
# give netd permission to read and write netlink xfrm
allow netd self:netlink_xfrm_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_write nlmsg_read };
# Allow netd to register as hal server.
#line 113
allow netd system_net_netd_hwservice:hwservice_manager { add find };
#line 113
allow netd hidl_base_hwservice:hwservice_manager add;
#line 113
neverallow { domain -netd } system_net_netd_hwservice:hwservice_manager add;
#line 113
#line 114
# Call the hwservicemanager and transfer references to it.
#line 114
allow netd hwservicemanager:binder { call transfer };
#line 114
# Allow hwservicemanager to send out callbacks
#line 114
allow hwservicemanager netd:binder { call transfer };
#line 114
# hwservicemanager performs getpidcon on clients.
#line 114
allow hwservicemanager netd:dir search;
#line 114
allow hwservicemanager netd:file { read open map };
#line 114
allow hwservicemanager netd:process getattr;
#line 114
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 114
# all domains in domain.te.
#line 114
# AIDL hal server
#line 117
# Call the server domain and optionally transfer references to it.
#line 117
allow system_net_netd_service servicemanager:binder { call transfer };
#line 117
# Allow the serverdomain to transfer references to the client on the reply.
#line 117
allow servicemanager system_net_netd_service:binder transfer;
#line 117
# Receive and use open files from the server.
#line 117
allow system_net_netd_service servicemanager:fd use;
#line 117
#line 118
allow netd system_net_netd_service:service_manager { add find };
#line 118
neverallow { domain -netd } system_net_netd_service:service_manager add;
#line 118
#line 118
# On debug builds with root, allow binder services to use binder over TCP.
#line 118
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 118
#line 118
###
### Neverallow rules
###
### netd should NEVER do any of this
# Block device access.
neverallow netd dev_type:blk_file { read write };
# ptrace any other app
neverallow netd { domain }:process ptrace;
# Write to /system.
neverallow netd system_file_type:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
# Write to files in /data/data or system files on /data
neverallow netd { app_data_file_type system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
# only system_server, dumpstate and network stack app may find netd service
neverallow {
domain
-system_server
-dumpstate
-network_stack
-netd
-netutils_wrapper
} netd_service:service_manager find;
# only system_server, dumpstate and network stack app may find dnsresolver service
neverallow {
domain
-system_server
-dumpstate
-network_stack
-netd
-netutils_wrapper
} dnsresolver_service:service_manager find;
# only system_server, dumpstate and network stack app may find mdns service
neverallow {
domain
-system_server
-dumpstate
-network_stack
-netd
-netutils_wrapper
} mdns_service:service_manager find;
# apps may not interact with netd over binder.
neverallow { appdomain -network_stack } netd:binder call;
neverallow netd { appdomain -network_stack }:binder call;
# If an already existing file is opened with O_CREATE, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
neverallow netd proc_net:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
dontaudit netd proc_net:dir write;
neverallow netd sysfs_net:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
dontaudit netd sysfs_net:dir write;
# Netd should not have SYS_ADMIN privs.
neverallow netd self:capability sys_admin;
dontaudit netd self:capability sys_admin;
# Netd should not have SYS_MODULE privs, nor should it be requesting module loads
# (things it requires should be built directly into the kernel)
dontaudit netd self:capability sys_module;
dontaudit netd appdomain:unix_stream_socket { read write };
#line 1 "system/sepolicy/public/netutils_wrapper.te"
# Process domain for netutils_wrapper and the label of its executable.
type netutils_wrapper, domain;
type netutils_wrapper_exec, system_file_type, exec_type, file_type;
# No domain may execute the wrapper binary while staying in its own domain
# (execute_no_trans); running it always requires a domain transition, so a
# caller cannot inherit the wrapper's code under the caller's own label.
neverallow domain netutils_wrapper_exec:file execute_no_trans;
#line 1 "system/sepolicy/public/network_stack.te"
# Network stack service app
type network_stack, domain;
#line 1 "system/sepolicy/public/nfc.te"
# nfc subsystem
type nfc, domain;
#line 1 "system/sepolicy/public/otapreopt_chroot.te"
# otapreopt_chroot seclabel
# TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
type otapreopt_chroot, domain;
#line 1 "system/sepolicy/public/perfetto.te"
type perfetto, domain, coredomain;
#line 1 "system/sepolicy/public/performanced.te"
# performanced
type performanced, domain, mlstrustedsubject;
type performanced_exec, system_file_type, exec_type, file_type;
# Needed to check for app permissions.
#line 6
# Call the servicemanager and transfer references to it.
#line 6
allow performanced servicemanager:binder { call transfer };
#line 6
# Allow servicemanager to send out callbacks
#line 6
allow servicemanager performanced:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
#line 6
allow servicemanager performanced:dir search;
#line 6
allow servicemanager performanced:file { read open };
#line 6
allow servicemanager performanced:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6
#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow performanced system_server:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow system_server performanced:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow performanced system_server:fd use;
#line 7
allow performanced permission_service:service_manager find;
#line 10
# Mark the server domain as a PDX server.
#line 10
typeattribute performanced pdx_performance_client_server_type;
#line 10
# Allow the init process to create the initial endpoint socket.
#line 10
allow init pdx_performance_client_endpoint_socket_type:unix_stream_socket { create bind };
#line 10
# Allow the server domain to use the endpoint socket and accept connections on it.
#line 10
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 10
# than we need (e.g. we don't need "bind" or "connect").
#line 10
allow performanced pdx_performance_client_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
#line 10
# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
#line 10
allow performanced self:process setsockcreate;
#line 10
# Allow the server domain to create a client channel socket.
#line 10
allow performanced pdx_performance_client_channel_socket_type:unix_stream_socket { create { { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } listen accept } };
#line 10
# Prevent other processes from claiming to be a server for the same service.
#line 10
neverallow {domain -performanced} pdx_performance_client_endpoint_socket_type:unix_stream_socket { listen accept };
#line 10
# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
allow performanced self:{ capability cap_userns } { setuid setgid sys_nice };
# Access /proc to validate we're only affecting threads in the same thread group.
# Performanced also shields unbound kernel threads. It scans every task in the
# root cpu set, but only affects the kernel threads.
#line 18
allow performanced { appdomain bufferhubd kernel surfaceflinger }:dir { open getattr read search ioctl lock watch watch_reads };
#line 18
allow performanced { appdomain bufferhubd kernel surfaceflinger }:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 18
dontaudit performanced domain:dir read;
allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
# These /proc accesses only show up in permissive mode but they
# generate a lot of noise in the log.
#line 27
# Access /dev/cpuset/cpuset.cpus
#line 30
allow performanced cgroup:dir { open getattr read search ioctl lock watch watch_reads };
#line 30
allow performanced cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 30
#line 31
allow performanced cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
#line 31
allow performanced cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 31
#line 1 "system/sepolicy/public/platform_app.te"
###
### Apps signed with the platform key.
###
type platform_app, domain;
#line 1 "system/sepolicy/public/postinstall.te"
# Domain where the postinstall program runs during the update.
# Extend the permissions in this domain, in your device's sepolicy directory,
# to allow this program to access the other device-specific files it needs.
type postinstall, domain;
# Allow postinstall to write to its stdout/stderr when redirected via pipes to
# update_engine.
allow postinstall update_engine_common:fd use;
allow postinstall update_engine_common:fifo_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow postinstall to read and execute directories and files in the same
# mounted location.
allow postinstall postinstall_file:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow postinstall postinstall_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
allow postinstall postinstall_file:dir { open getattr read search ioctl lock watch watch_reads };
# Allow postinstall to execute the shell or other system executables.
allow postinstall shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow postinstall system_file:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow postinstall toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow postinstall to execute shell in recovery.
#line 25
#
# For OTA dexopt.
#
# Allow postinstall scripts to talk to the system server.
#line 32
# Call the servicemanager and transfer references to it.
#line 32
allow postinstall servicemanager:binder { call transfer };
#line 32
# Allow servicemanager to send out callbacks
#line 32
allow servicemanager postinstall:binder { call transfer };
#line 32
# servicemanager performs getpidcon on clients.
#line 32
allow servicemanager postinstall:dir search;
#line 32
allow servicemanager postinstall:file { read open };
#line 32
allow servicemanager postinstall:process getattr;
#line 32
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 32
# all domains in domain.te.
#line 32
#line 33
# Call the server domain and optionally transfer references to it.
#line 33
allow postinstall system_server:binder { call transfer };
#line 33
# Allow the serverdomain to transfer references to the client on the reply.
#line 33
allow system_server postinstall:binder transfer;
#line 33
# Receive and use open files from the server.
#line 33
allow postinstall system_server:fd use;
#line 33
# Need to talk to the otadexopt service.
allow postinstall otadexopt_service:service_manager find;
# Allow postinstall scripts to trigger f2fs garbage collection
allow postinstall sysfs_fs_f2fs:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow postinstall sysfs_fs_f2fs:dir { open getattr read search ioctl lock watch watch_reads };
# No domain other than update_engine and recovery (via update_engine_sideload)
# should transition to postinstall, as it is only meant to run during the
# update.
neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };
#line 1 "system/sepolicy/public/ppp.te"
# Point to Point Protocol daemon
type ppp, domain;
#line 1 "system/sepolicy/public/priv_app.te"
###
### A domain for further sandboxing privileged apps.
###
type priv_app, domain;
#line 1 "system/sepolicy/public/prng_seeder.te"
# PRNG seeder daemon
type prng_seeder, domain;
#line 1 "system/sepolicy/public/profman.te"
# profman
# Process domain for profman and the label of its executable.
type profman, domain;
type profman_exec, system_file_type, exec_type, file_type;
# Profile files: read/write/map but no `open` -- the descriptors are
# presumably passed in by the caller rather than opened by profman itself
# (NOTE(review): confirm against the caller).
allow profman user_profile_data_file:file { getattr read write lock map };
# Dumping profile info opens the application APK file for pretty printing.
# NOTE(review): the rules below grant read/map only (no `open`), so the APK
# must already be open when it reaches profman -- verify this comment's wording.
allow profman asec_apk_file:file { read map };
allow profman apk_data_file:file { getattr read map };
allow profman apk_data_file:dir { getattr read search };
allow profman oemfs:file { read map };
# Reading an APK opens a ZipArchive, which unpacks to tmpfs.
allow profman tmpfs:file { read map };
# Dump output is write-only; profman never reads back its own dump file.
allow profman profman_dump_data_file:file { write map };
# Allow profman to analyze profiles for the secondary dex files. These
# are application dex files reported back to the framework when using
# BaseDexClassLoader.
# Again no `open` on app data files: see the neverallow rule at the bottom.
allow profman { privapp_data_file app_data_file }:file { getattr read write lock map };
allow profman { privapp_data_file app_data_file }:dir { getattr read search };
# Allow query ART device config properties
#line 24
allow profman device_config_runtime_native_prop:file { getattr open read map };
#line 24
#line 25
allow profman device_config_runtime_native_boot_prop:file { getattr open read map };
#line 25
###
### neverallow rules
###
# profman must never open any app data file on its own. Combined with the
# open-less allow rules above, this confines it to descriptors handed to it,
# so a compromised profman cannot browse arbitrary app data by path.
neverallow profman app_data_file_type:{ file lnk_file sock_file fifo_file } open;
#line 1 "system/sepolicy/public/property.te"
# Properties used only in /system
#
# DO NOT ADD system_internal_prop here.
# Instead, add to private/property.te.
# TODO(b/150331497): move these to private/property.te
#line 6
#line 6
type apexd_prop, property_type, system_property_type, system_internal_property_type;
#line 6
#line 6
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 6
#line 6
neverallow { domain -coredomain } apexd_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 6
#line 6
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 6
#line 6
#line 7
#line 7
type bootloader_boot_reason_prop, property_type, system_property_type, system_internal_property_type;
#line 7
#line 7
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 7
#line 7
neverallow { domain -coredomain } bootloader_boot_reason_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 7
#line 7
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 7
#line 7
#line 8
#line 8
type device_config_activity_manager_native_boot_prop, property_type, system_property_type, system_internal_property_type;
#line 8
#line 8
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 8
#line 8
neverallow { domain -coredomain } device_config_activity_manager_native_boot_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 8
#line 8
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 8
#line 8
#line 9
#line 9
type device_config_boot_count_prop, property_type, system_property_type, system_internal_property_type;
#line 9
#line 9
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 9
#line 9
neverallow { domain -coredomain } device_config_boot_count_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 9
#line 9
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 9
#line 9
#line 10
#line 10
type device_config_input_native_boot_prop, property_type, system_property_type, system_internal_property_type;
#line 10
#line 10
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 10
#line 10
neverallow { domain -coredomain } device_config_input_native_boot_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 10
#line 10
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 10
#line 10
#line 11
#line 11
type device_config_netd_native_prop, property_type, system_property_type, system_internal_property_type;
#line 11
#line 11
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 11
#line 11
neverallow { domain -coredomain } device_config_netd_native_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 11
#line 11
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 11
#line 11
#line 12
#line 12
type device_config_reset_performed_prop, property_type, system_property_type, system_internal_property_type;
#line 12
#line 12
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 12
#line 12
neverallow { domain -coredomain } device_config_reset_performed_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 12
#line 12
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 12
#line 12
#line 13
#line 13
type firstboot_prop, property_type, system_property_type, system_internal_property_type;
#line 13
#line 13
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 13
#line 13
neverallow { domain -coredomain } firstboot_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
#line 13
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 13
#line 13
# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
# DO NOT ADD ANY PROPERTIES HERE
#line 15
#line 15
#line 15
type boottime_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } boottime_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type charger_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } charger_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type cold_boot_done_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } cold_boot_done_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type ctl_adbd_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } ctl_adbd_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type ctl_apexd_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } ctl_apexd_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type ctl_bootanim_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } ctl_bootanim_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type ctl_bugreport_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } ctl_bugreport_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type ctl_console_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } ctl_console_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type ctl_dumpstate_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } ctl_dumpstate_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type ctl_fuse_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } ctl_fuse_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type ctl_gsid_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } ctl_gsid_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type ctl_interface_restart_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } ctl_interface_restart_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type ctl_interface_stop_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } ctl_interface_stop_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type ctl_mdnsd_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } ctl_mdnsd_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type ctl_restart_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } ctl_restart_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type ctl_rildaemon_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } ctl_rildaemon_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type ctl_sigstop_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } ctl_sigstop_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type dynamic_system_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } dynamic_system_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type heapprofd_enabled_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } heapprofd_enabled_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type llkd_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } llkd_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type lpdumpd_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } lpdumpd_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type mmc_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } mmc_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type mock_ota_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } mock_ota_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type net_dns_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } net_dns_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type overlay_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } overlay_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type persistent_properties_ready_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } persistent_properties_ready_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type safemode_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } safemode_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type system_lmk_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } system_lmk_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type system_trace_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } system_trace_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type test_boot_reason_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } test_boot_reason_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type time_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } time_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type traced_enabled_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } traced_enabled_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
#line 15
type traced_lazy_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } traced_lazy_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 15
#line 15
# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 50
# Properties that cannot be written from outside the system (i.e. by non-coredomain domains)
#line 53
#line 53
type aac_drc_prop, property_type, system_property_type, system_restricted_property_type;
#line 53
#line 53
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 53
#line 53
neverallow { domain -coredomain } aac_drc_prop:property_service set;
#line 53
#line 53
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 53
#line 53
#line 54
#line 54
type adaptive_haptics_prop, property_type, system_property_type, system_restricted_property_type;
#line 54
#line 54
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 54
#line 54
neverallow { domain -coredomain } adaptive_haptics_prop:property_service set;
#line 54
#line 54
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 54
#line 54
#line 55
#line 55
type apex_ready_prop, property_type, system_property_type, system_restricted_property_type;
#line 55
#line 55
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 55
#line 55
neverallow { domain -coredomain } apex_ready_prop:property_service set;
#line 55
#line 55
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 55
#line 55
#line 56
#line 56
type arm64_memtag_prop, property_type, system_property_type, system_restricted_property_type;
#line 56
#line 56
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 56
#line 56
neverallow { domain -coredomain } arm64_memtag_prop:property_service set;
#line 56
#line 56
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 56
#line 56
#line 57
#line 57
type binder_cache_bluetooth_server_prop, property_type, system_property_type, system_restricted_property_type;
#line 57
#line 57
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 57
#line 57
neverallow { domain -coredomain } binder_cache_bluetooth_server_prop:property_service set;
#line 57
#line 57
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 57
#line 57
#line 58
#line 58
type binder_cache_system_server_prop, property_type, system_property_type, system_restricted_property_type;
#line 58
#line 58
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 58
#line 58
neverallow { domain -coredomain } binder_cache_system_server_prop:property_service set;
#line 58
#line 58
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 58
#line 58
#line 59
#line 59
type binder_cache_telephony_server_prop, property_type, system_property_type, system_restricted_property_type;
#line 59
#line 59
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 59
#line 59
neverallow { domain -coredomain } binder_cache_telephony_server_prop:property_service set;
#line 59
#line 59
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 59
#line 59
#line 60
#line 60
type boot_status_prop, property_type, system_property_type, system_restricted_property_type;
#line 60
#line 60
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 60
#line 60
neverallow { domain -coredomain } boot_status_prop:property_service set;
#line 60
#line 60
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 60
#line 60
#line 61
#line 61
type bootanim_system_prop, property_type, system_property_type, system_restricted_property_type;
#line 61
#line 61
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 61
#line 61
neverallow { domain -coredomain } bootanim_system_prop:property_service set;
#line 61
#line 61
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 61
#line 61
#line 62
#line 62
type bootloader_prop, property_type, system_property_type, system_restricted_property_type;
#line 62
#line 62
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 62
#line 62
neverallow { domain -coredomain } bootloader_prop:property_service set;
#line 62
#line 62
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 62
#line 62
#line 63
#line 63
type boottime_public_prop, property_type, system_property_type, system_restricted_property_type;
#line 63
#line 63
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 63
#line 63
neverallow { domain -coredomain } boottime_public_prop:property_service set;
#line 63
#line 63
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 63
#line 63
#line 64
#line 64
type bq_config_prop, property_type, system_property_type, system_restricted_property_type;
#line 64
#line 64
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 64
#line 64
neverallow { domain -coredomain } bq_config_prop:property_service set;
#line 64
#line 64
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 64
#line 64
#line 65
#line 65
type build_bootimage_prop, property_type, system_property_type, system_restricted_property_type;
#line 65
#line 65
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 65
#line 65
neverallow { domain -coredomain } build_bootimage_prop:property_service set;
#line 65
#line 65
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 65
#line 65
#line 66
#line 66
type build_prop, property_type, system_property_type, system_restricted_property_type;
#line 66
#line 66
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 66
#line 66
neverallow { domain -coredomain } build_prop:property_service set;
#line 66
#line 66
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 66
#line 66
#line 67
#line 67
type composd_vm_art_prop, property_type, system_property_type, system_restricted_property_type;
#line 67
#line 67
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 67
#line 67
neverallow { domain -coredomain } composd_vm_art_prop:property_service set;
#line 67
#line 67
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 67
#line 67
#line 68
#line 68
type device_config_aconfig_flags_prop, property_type, system_property_type, system_restricted_property_type;
#line 68
#line 68
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 68
#line 68
neverallow { domain -coredomain } device_config_aconfig_flags_prop:property_service set;
#line 68
#line 68
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 68
#line 68
#line 69
#line 69
type device_config_camera_native_prop, property_type, system_property_type, system_restricted_property_type;
#line 69
#line 69
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 69
#line 69
neverallow { domain -coredomain } device_config_camera_native_prop:property_service set;
#line 69
#line 69
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 69
#line 69
#line 70
#line 70
type device_config_edgetpu_native_prop, property_type, system_property_type, system_restricted_property_type;
#line 70
#line 70
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 70
#line 70
neverallow { domain -coredomain } device_config_edgetpu_native_prop:property_service set;
#line 70
#line 70
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 70
#line 70
#line 71
#line 71
type device_config_media_native_prop, property_type, system_property_type, system_restricted_property_type;
#line 71
#line 71
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 71
#line 71
neverallow { domain -coredomain } device_config_media_native_prop:property_service set;
#line 71
#line 71
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 71
#line 71
#line 72
#line 72
type device_config_nnapi_native_prop, property_type, system_property_type, system_restricted_property_type;
#line 72
#line 72
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 72
#line 72
neverallow { domain -coredomain } device_config_nnapi_native_prop:property_service set;
#line 72
#line 72
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 72
#line 72
#line 73
#line 73
type device_config_runtime_native_boot_prop, property_type, system_property_type, system_restricted_property_type;
#line 73
#line 73
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 73
#line 73
neverallow { domain -coredomain } device_config_runtime_native_boot_prop:property_service set;
#line 73
#line 73
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 73
#line 73
#line 74
#line 74
type device_config_runtime_native_prop, property_type, system_property_type, system_restricted_property_type;
#line 74
#line 74
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 74
#line 74
neverallow { domain -coredomain } device_config_runtime_native_prop:property_service set;
#line 74
#line 74
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 74
#line 74
#line 75
#line 75
type device_config_surface_flinger_native_boot_prop, property_type, system_property_type, system_restricted_property_type;
#line 75
#line 75
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 75
#line 75
neverallow { domain -coredomain } device_config_surface_flinger_native_boot_prop:property_service set;
#line 75
#line 75
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 75
#line 75
#line 76
#line 76
type device_config_vendor_system_native_prop, property_type, system_property_type, system_restricted_property_type;
#line 76
#line 76
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 76
#line 76
neverallow { domain -coredomain } device_config_vendor_system_native_prop:property_service set;
#line 76
#line 76
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 76
#line 76
#line 77
#line 77
type device_config_vendor_system_native_boot_prop, property_type, system_property_type, system_restricted_property_type;
#line 77
#line 77
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 77
#line 77
neverallow { domain -coredomain } device_config_vendor_system_native_boot_prop:property_service set;
#line 77
#line 77
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 77
#line 77
#line 78
#line 78
type drm_forcel3_prop, property_type, system_property_type, system_restricted_property_type;
#line 78
#line 78
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 78
#line 78
neverallow { domain -coredomain } drm_forcel3_prop:property_service set;
#line 78
#line 78
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 78
#line 78
#line 79
#line 79
type fingerprint_prop, property_type, system_property_type, system_restricted_property_type;
#line 79
#line 79
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 79
#line 79
neverallow { domain -coredomain } fingerprint_prop:property_service set;
#line 79
#line 79
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 79
#line 79
#line 80
#line 80
type gwp_asan_prop, property_type, system_property_type, system_restricted_property_type;
#line 80
#line 80
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 80
#line 80
neverallow { domain -coredomain } gwp_asan_prop:property_service set;
#line 80
#line 80
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 80
#line 80
#line 81
#line 81
type hal_instrumentation_prop, property_type, system_property_type, system_restricted_property_type;
#line 81
#line 81
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 81
#line 81
neverallow { domain -coredomain } hal_instrumentation_prop:property_service set;
#line 81
#line 81
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 81
#line 81
#line 82
#line 82
type userdebug_or_eng_prop, property_type, system_property_type, system_restricted_property_type;
#line 82
#line 82
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 82
#line 82
neverallow { domain -coredomain } userdebug_or_eng_prop:property_service set;
#line 82
#line 82
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 82
#line 82
#line 83
#line 83
type init_service_status_prop, property_type, system_property_type, system_restricted_property_type;
#line 83
#line 83
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 83
#line 83
neverallow { domain -coredomain } init_service_status_prop:property_service set;
#line 83
#line 83
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 83
#line 83
#line 84
#line 84
type libc_debug_prop, property_type, system_property_type, system_restricted_property_type;
#line 84
#line 84
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 84
#line 84
neverallow { domain -coredomain } libc_debug_prop:property_service set;
#line 84
#line 84
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 84
#line 84
#line 85
#line 85
type module_sdkextensions_prop, property_type, system_property_type, system_restricted_property_type;
#line 85
#line 85
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 85
#line 85
neverallow { domain -coredomain } module_sdkextensions_prop:property_service set;
#line 85
#line 85
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 85
#line 85
#line 86
#line 86
type nnapi_ext_deny_product_prop, property_type, system_property_type, system_restricted_property_type;
#line 86
#line 86
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 86
#line 86
neverallow { domain -coredomain } nnapi_ext_deny_product_prop:property_service set;
#line 86
#line 86
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 86
#line 86
#line 87
#line 87
type persist_wm_debug_prop, property_type, system_property_type, system_restricted_property_type;
#line 87
#line 87
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 87
#line 87
neverallow { domain -coredomain } persist_wm_debug_prop:property_service set;
#line 87
#line 87
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 87
#line 87
#line 88
#line 88
type power_debug_prop, property_type, system_property_type, system_restricted_property_type;
#line 88
#line 88
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 88
#line 88
neverallow { domain -coredomain } power_debug_prop:property_service set;
#line 88
#line 88
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 88
#line 88
#line 89
#line 89
type property_service_version_prop, property_type, system_property_type, system_restricted_property_type;
#line 89
#line 89
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 89
#line 89
neverallow { domain -coredomain } property_service_version_prop:property_service set;
#line 89
#line 89
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 89
#line 89
#line 90
#line 90
type provisioned_prop, property_type, system_property_type, system_restricted_property_type;
#line 90
#line 90
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 90
#line 90
neverallow { domain -coredomain } provisioned_prop:property_service set;
#line 90
#line 90
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 90
#line 90
#line 91
#line 91
type restorecon_prop, property_type, system_property_type, system_restricted_property_type;
#line 91
#line 91
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 91
#line 91
neverallow { domain -coredomain } restorecon_prop:property_service set;
#line 91
#line 91
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 91
#line 91
#line 92
#line 92
type retaildemo_prop, property_type, system_property_type, system_restricted_property_type;
#line 92
#line 92
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 92
#line 92
neverallow { domain -coredomain } retaildemo_prop:property_service set;
#line 92
#line 92
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 92
#line 92
#line 93
#line 93
type servicemanager_prop, property_type, system_property_type, system_restricted_property_type;
#line 93
#line 93
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 93
#line 93
neverallow { domain -coredomain } servicemanager_prop:property_service set;
#line 93
#line 93
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 93
#line 93
#line 94
#line 94
type smart_idle_maint_enabled_prop, property_type, system_property_type, system_restricted_property_type;
#line 94
#line 94
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 94
#line 94
neverallow { domain -coredomain } smart_idle_maint_enabled_prop:property_service set;
#line 94
#line 94
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 94
#line 94
#line 95
#line 95
type socket_hook_prop, property_type, system_property_type, system_restricted_property_type;
#line 95
#line 95
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 95
#line 95
neverallow { domain -coredomain } socket_hook_prop:property_service set;
#line 95
#line 95
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 95
#line 95
#line 96
#line 96
type sqlite_log_prop, property_type, system_property_type, system_restricted_property_type;
#line 96
#line 96
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 96
#line 96
neverallow { domain -coredomain } sqlite_log_prop:property_service set;
#line 96
#line 96
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 96
#line 96
#line 97
#line 97
type surfaceflinger_display_prop, property_type, system_property_type, system_restricted_property_type;
#line 97
#line 97
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 97
#line 97
neverallow { domain -coredomain } surfaceflinger_display_prop:property_service set;
#line 97
#line 97
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 97
#line 97
#line 98
#line 98
type system_boot_reason_prop, property_type, system_property_type, system_restricted_property_type;
#line 98
#line 98
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 98
#line 98
neverallow { domain -coredomain } system_boot_reason_prop:property_service set;
#line 98
#line 98
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 98
#line 98
#line 99
#line 99
type system_jvmti_agent_prop, property_type, system_property_type, system_restricted_property_type;
#line 99
#line 99
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 99
#line 99
neverallow { domain -coredomain } system_jvmti_agent_prop:property_service set;
#line 99
#line 99
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 99
#line 99
#line 100
#line 100
type traced_oome_heap_session_count_prop, property_type, system_property_type, system_restricted_property_type;
#line 100
#line 100
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 100
#line 100
neverallow { domain -coredomain } traced_oome_heap_session_count_prop:property_service set;
#line 100
#line 100
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 100
#line 100
#line 101
#line 101
type ab_update_gki_prop, property_type, system_property_type, system_restricted_property_type;
#line 101
#line 101
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 101
#line 101
neverallow { domain -coredomain } ab_update_gki_prop:property_service set;
#line 101
#line 101
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 101
#line 101
#line 102
#line 102
type usb_prop, property_type, system_property_type, system_restricted_property_type;
#line 102
#line 102
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 102
#line 102
neverallow { domain -coredomain } usb_prop:property_service set;
#line 102
#line 102
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 102
#line 102
#line 103
#line 103
type userspace_reboot_exported_prop, property_type, system_property_type, system_restricted_property_type;
#line 103
#line 103
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 103
#line 103
neverallow { domain -coredomain } userspace_reboot_exported_prop:property_service set;
#line 103
#line 103
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 103
#line 103
# Each block below declares one system_restricted_property_type and pairs it
# with a neverallow that forbids every domain outside coredomain from setting
# it through property_service; vendor-side domains therefore cannot write
# these properties, and CTS checks vendor policy against these neverallows.
# The BEGIN_*/END_* marker comments are matched by CTS to pick which neverallow
# rules apply to a device (launch-with-R-only and compatible-property-only
# gates); their text must stay byte-identical.
# The `#line N` directives are preprocessor markers mapping each expanded rule
# back to the source line of the macro invocation in the private policy.
#line 104
#line 104
type vold_status_prop, property_type, system_property_type, system_restricted_property_type;
#line 104
#line 104
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 104
#line 104
neverallow { domain -coredomain } vold_status_prop:property_service set;
#line 104
#line 104
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 104
#line 104
#line 105
#line 105
type vts_status_prop, property_type, system_property_type, system_restricted_property_type;
#line 105
#line 105
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 105
#line 105
neverallow { domain -coredomain } vts_status_prop:property_service set;
#line 105
#line 105
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 105
#line 105
# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
# DO NOT ADD ANY PROPERTIES HERE
#line 107
#line 107
#line 107
type config_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } config_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type cppreopt_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } cppreopt_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type dalvik_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } dalvik_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type debuggerd_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } debuggerd_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type device_logging_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } device_logging_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type dhcp_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } dhcp_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type dumpstate_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } dumpstate_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type exported3_system_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } exported3_system_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type exported_dumpstate_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } exported_dumpstate_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type exported_secure_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } exported_secure_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type heapprofd_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } heapprofd_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type net_radio_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } net_radio_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type pan_result_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } pan_result_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type persist_debug_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } persist_debug_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type shell_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } shell_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type test_harness_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } test_harness_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type theme_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } theme_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type use_memfd_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } use_memfd_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
#line 107
type vold_prop, property_type, system_property_type, system_restricted_property_type;
#line 107
#line 107
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
neverallow { domain -coredomain } vold_prop:property_service set;
#line 107
#line 107
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 107
#line 107
#line 107
#line 107
# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 128
# Properties which can be written only by vendor_init
# Every block below is one expansion of the same macro pattern:
#   - declare the property as a system_public_property_type;
#   - let vendor_init reach the property service (write to property_socket
#     and connectto init's unix_stream_socket); these two grants are repeated
#     in every expansion, which is harmless since duplicate allow rules merge;
#   - allow vendor_init to set the property and to getattr/open/read/map its
#     file (no write on the file object);
#   - neverallow property_service set from any domain except init and
#     vendor_init, so other vendor domains cannot write these properties and
#     CTS enforces that assertion against vendor policy. Note the neverallow
#     exempts init as well as vendor_init, not vendor_init alone.
# The `#line N` directives are preprocessor markers mapping each expanded rule
# back to the source line of the macro invocation in the private policy.
#line 131
#line 131
type apexd_config_prop, property_type, system_property_type, system_public_property_type;
#line 131
#line 131
#line 131
#line 131
allow vendor_init property_socket:sock_file write;
#line 131
allow vendor_init init:unix_stream_socket connectto;
#line 131
#line 131
allow vendor_init apexd_config_prop:property_service set;
#line 131
#line 131
allow vendor_init apexd_config_prop:file { getattr open read map };
#line 131
#line 131
#line 131
neverallow { domain -init -vendor_init } apexd_config_prop:property_service set;
#line 131
#line 132
#line 132
type apexd_select_prop, property_type, system_property_type, system_public_property_type;
#line 132
#line 132
#line 132
#line 132
allow vendor_init property_socket:sock_file write;
#line 132
allow vendor_init init:unix_stream_socket connectto;
#line 132
#line 132
allow vendor_init apexd_select_prop:property_service set;
#line 132
#line 132
allow vendor_init apexd_select_prop:file { getattr open read map };
#line 132
#line 132
#line 132
neverallow { domain -init -vendor_init } apexd_select_prop:property_service set;
#line 132
#line 133
#line 133
type aaudio_config_prop, property_type, system_property_type, system_public_property_type;
#line 133
#line 133
#line 133
#line 133
allow vendor_init property_socket:sock_file write;
#line 133
allow vendor_init init:unix_stream_socket connectto;
#line 133
#line 133
allow vendor_init aaudio_config_prop:property_service set;
#line 133
#line 133
allow vendor_init aaudio_config_prop:file { getattr open read map };
#line 133
#line 133
#line 133
neverallow { domain -init -vendor_init } aaudio_config_prop:property_service set;
#line 133
#line 134
#line 134
type apk_verity_prop, property_type, system_property_type, system_public_property_type;
#line 134
#line 134
#line 134
#line 134
allow vendor_init property_socket:sock_file write;
#line 134
allow vendor_init init:unix_stream_socket connectto;
#line 134
#line 134
allow vendor_init apk_verity_prop:property_service set;
#line 134
#line 134
allow vendor_init apk_verity_prop:file { getattr open read map };
#line 134
#line 134
#line 134
neverallow { domain -init -vendor_init } apk_verity_prop:property_service set;
#line 134
#line 135
#line 135
type audio_config_prop, property_type, system_property_type, system_public_property_type;
#line 135
#line 135
#line 135
#line 135
allow vendor_init property_socket:sock_file write;
#line 135
allow vendor_init init:unix_stream_socket connectto;
#line 135
#line 135
allow vendor_init audio_config_prop:property_service set;
#line 135
#line 135
allow vendor_init audio_config_prop:file { getattr open read map };
#line 135
#line 135
#line 135
neverallow { domain -init -vendor_init } audio_config_prop:property_service set;
#line 135
#line 136
#line 136
type bootanim_config_prop, property_type, system_property_type, system_public_property_type;
#line 136
#line 136
#line 136
#line 136
allow vendor_init property_socket:sock_file write;
#line 136
allow vendor_init init:unix_stream_socket connectto;
#line 136
#line 136
allow vendor_init bootanim_config_prop:property_service set;
#line 136
#line 136
allow vendor_init bootanim_config_prop:file { getattr open read map };
#line 136
#line 136
#line 136
neverallow { domain -init -vendor_init } bootanim_config_prop:property_service set;
#line 136
#line 137
#line 137
type bluetooth_config_prop, property_type, system_property_type, system_public_property_type;
#line 137
#line 137
#line 137
#line 137
allow vendor_init property_socket:sock_file write;
#line 137
allow vendor_init init:unix_stream_socket connectto;
#line 137
#line 137
allow vendor_init bluetooth_config_prop:property_service set;
#line 137
#line 137
allow vendor_init bluetooth_config_prop:file { getattr open read map };
#line 137
#line 137
#line 137
neverallow { domain -init -vendor_init } bluetooth_config_prop:property_service set;
#line 137
#line 138
#line 138
type build_attestation_prop, property_type, system_property_type, system_public_property_type;
#line 138
#line 138
#line 138
#line 138
allow vendor_init property_socket:sock_file write;
#line 138
allow vendor_init init:unix_stream_socket connectto;
#line 138
#line 138
allow vendor_init build_attestation_prop:property_service set;
#line 138
#line 138
allow vendor_init build_attestation_prop:file { getattr open read map };
#line 138
#line 138
#line 138
neverallow { domain -init -vendor_init } build_attestation_prop:property_service set;
#line 138
#line 139
#line 139
type build_config_prop, property_type, system_property_type, system_public_property_type;
#line 139
#line 139
#line 139
#line 139
allow vendor_init property_socket:sock_file write;
#line 139
allow vendor_init init:unix_stream_socket connectto;
#line 139
#line 139
allow vendor_init build_config_prop:property_service set;
#line 139
#line 139
allow vendor_init build_config_prop:file { getattr open read map };
#line 139
#line 139
#line 139
neverallow { domain -init -vendor_init } build_config_prop:property_service set;
#line 139
#line 140
#line 140
type build_odm_prop, property_type, system_property_type, system_public_property_type;
#line 140
#line 140
#line 140
#line 140
allow vendor_init property_socket:sock_file write;
#line 140
allow vendor_init init:unix_stream_socket connectto;
#line 140
#line 140
allow vendor_init build_odm_prop:property_service set;
#line 140
#line 140
allow vendor_init build_odm_prop:file { getattr open read map };
#line 140
#line 140
#line 140
neverallow { domain -init -vendor_init } build_odm_prop:property_service set;
#line 140
#line 141
#line 141
type build_vendor_prop, property_type, system_property_type, system_public_property_type;
#line 141
#line 141
#line 141
#line 141
allow vendor_init property_socket:sock_file write;
#line 141
allow vendor_init init:unix_stream_socket connectto;
#line 141
#line 141
allow vendor_init build_vendor_prop:property_service set;
#line 141
#line 141
allow vendor_init build_vendor_prop:file { getattr open read map };
#line 141
#line 141
#line 141
neverallow { domain -init -vendor_init } build_vendor_prop:property_service set;
#line 141
#line 142
#line 142
type camera_calibration_prop, property_type, system_property_type, system_public_property_type;
#line 142
#line 142
#line 142
#line 142
allow vendor_init property_socket:sock_file write;
#line 142
allow vendor_init init:unix_stream_socket connectto;
#line 142
#line 142
allow vendor_init camera_calibration_prop:property_service set;
#line 142
#line 142
allow vendor_init camera_calibration_prop:file { getattr open read map };
#line 142
#line 142
#line 142
neverallow { domain -init -vendor_init } camera_calibration_prop:property_service set;
#line 142
#line 143
#line 143
type camera_config_prop, property_type, system_property_type, system_public_property_type;
#line 143
#line 143
#line 143
#line 143
allow vendor_init property_socket:sock_file write;
#line 143
allow vendor_init init:unix_stream_socket connectto;
#line 143
#line 143
allow vendor_init camera_config_prop:property_service set;
#line 143
#line 143
allow vendor_init camera_config_prop:file { getattr open read map };
#line 143
#line 143
#line 143
neverallow { domain -init -vendor_init } camera_config_prop:property_service set;
#line 143
#line 144
#line 144
type camera2_extensions_prop, property_type, system_property_type, system_public_property_type;
#line 144
#line 144
#line 144
#line 144
allow vendor_init property_socket:sock_file write;
#line 144
allow vendor_init init:unix_stream_socket connectto;
#line 144
#line 144
allow vendor_init camera2_extensions_prop:property_service set;
#line 144
#line 144
allow vendor_init camera2_extensions_prop:file { getattr open read map };
#line 144
#line 144
#line 144
neverallow { domain -init -vendor_init } camera2_extensions_prop:property_service set;
#line 144
#line 145
#line 145
type camerax_extensions_prop, property_type, system_property_type, system_public_property_type;
#line 145
#line 145
#line 145
#line 145
allow vendor_init property_socket:sock_file write;
#line 145
allow vendor_init init:unix_stream_socket connectto;
#line 145
#line 145
allow vendor_init camerax_extensions_prop:property_service set;
#line 145
#line 145
allow vendor_init camerax_extensions_prop:file { getattr open read map };
#line 145
#line 145
#line 145
neverallow { domain -init -vendor_init } camerax_extensions_prop:property_service set;
#line 145
#line 146
#line 146
type charger_config_prop, property_type, system_property_type, system_public_property_type;
#line 146
#line 146
#line 146
#line 146
allow vendor_init property_socket:sock_file write;
#line 146
allow vendor_init init:unix_stream_socket connectto;
#line 146
#line 146
allow vendor_init charger_config_prop:property_service set;
#line 146
#line 146
allow vendor_init charger_config_prop:file { getattr open read map };
#line 146
#line 146
#line 146
neverallow { domain -init -vendor_init } charger_config_prop:property_service set;
#line 146
#line 147
#line 147
type codec2_config_prop, property_type, system_property_type, system_public_property_type;
#line 147
#line 147
#line 147
#line 147
allow vendor_init property_socket:sock_file write;
#line 147
allow vendor_init init:unix_stream_socket connectto;
#line 147
#line 147
allow vendor_init codec2_config_prop:property_service set;
#line 147
#line 147
allow vendor_init codec2_config_prop:file { getattr open read map };
#line 147
#line 147
#line 147
neverallow { domain -init -vendor_init } codec2_config_prop:property_service set;
#line 147
#line 148
#line 148
type composd_vm_vendor_prop, property_type, system_property_type, system_public_property_type;
#line 148
#line 148
#line 148
#line 148
allow vendor_init property_socket:sock_file write;
#line 148
allow vendor_init init:unix_stream_socket connectto;
#line 148
#line 148
allow vendor_init composd_vm_vendor_prop:property_service set;
#line 148
#line 148
allow vendor_init composd_vm_vendor_prop:file { getattr open read map };
#line 148
#line 148
#line 148
neverallow { domain -init -vendor_init } composd_vm_vendor_prop:property_service set;
#line 148
#line 149
#line 149
type cpu_variant_prop, property_type, system_property_type, system_public_property_type;
#line 149
#line 149
#line 149
#line 149
allow vendor_init property_socket:sock_file write;
#line 149
allow vendor_init init:unix_stream_socket connectto;
#line 149
#line 149
allow vendor_init cpu_variant_prop:property_service set;
#line 149
#line 149
allow vendor_init cpu_variant_prop:file { getattr open read map };
#line 149
#line 149
#line 149
neverallow { domain -init -vendor_init } cpu_variant_prop:property_service set;
#line 149
#line 150
#line 150
type debugfs_restriction_prop, property_type, system_property_type, system_public_property_type;
#line 150
#line 150
#line 150
#line 150
allow vendor_init property_socket:sock_file write;
#line 150
allow vendor_init init:unix_stream_socket connectto;
#line 150
#line 150
allow vendor_init debugfs_restriction_prop:property_service set;
#line 150
#line 150
allow vendor_init debugfs_restriction_prop:file { getattr open read map };
#line 150
#line 150
#line 150
neverallow { domain -init -vendor_init } debugfs_restriction_prop:property_service set;
#line 150
#line 151
#line 151
type drm_service_config_prop, property_type, system_property_type, system_public_property_type;
#line 151
#line 151
#line 151
#line 151
allow vendor_init property_socket:sock_file write;
#line 151
allow vendor_init init:unix_stream_socket connectto;
#line 151
#line 151
allow vendor_init drm_service_config_prop:property_service set;
#line 151
#line 151
allow vendor_init drm_service_config_prop:file { getattr open read map };
#line 151
#line 151
#line 151
neverallow { domain -init -vendor_init } drm_service_config_prop:property_service set;
#line 151
#line 152
#line 152
type exported_camera_prop, property_type, system_property_type, system_public_property_type;
#line 152
#line 152
#line 152
#line 152
allow vendor_init property_socket:sock_file write;
#line 152
allow vendor_init init:unix_stream_socket connectto;
#line 152
#line 152
allow vendor_init exported_camera_prop:property_service set;
#line 152
#line 152
allow vendor_init exported_camera_prop:file { getattr open read map };
#line 152
#line 152
#line 152
neverallow { domain -init -vendor_init } exported_camera_prop:property_service set;
#line 152
#line 153
#line 153
type exported_config_prop, property_type, system_property_type, system_public_property_type;
#line 153
#line 153
#line 153
#line 153
allow vendor_init property_socket:sock_file write;
#line 153
allow vendor_init init:unix_stream_socket connectto;
#line 153
#line 153
allow vendor_init exported_config_prop:property_service set;
#line 153
#line 153
allow vendor_init exported_config_prop:file { getattr open read map };
#line 153
#line 153
#line 153
neverallow { domain -init -vendor_init } exported_config_prop:property_service set;
#line 153
#line 154
#line 154
type exported_default_prop, property_type, system_property_type, system_public_property_type;
#line 154
#line 154
#line 154
#line 154
allow vendor_init property_socket:sock_file write;
#line 154
allow vendor_init init:unix_stream_socket connectto;
#line 154
#line 154
allow vendor_init exported_default_prop:property_service set;
#line 154
#line 154
allow vendor_init exported_default_prop:file { getattr open read map };
#line 154
#line 154
#line 154
neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
#line 154
#line 155
#line 155
type ffs_config_prop, property_type, system_property_type, system_public_property_type;
#line 155
#line 155
#line 155
#line 155
allow vendor_init property_socket:sock_file write;
#line 155
allow vendor_init init:unix_stream_socket connectto;
#line 155
#line 155
allow vendor_init ffs_config_prop:property_service set;
#line 155
#line 155
allow vendor_init ffs_config_prop:file { getattr open read map };
#line 155
#line 155
#line 155
neverallow { domain -init -vendor_init } ffs_config_prop:property_service set;
#line 155
#line 156
#line 156
type framework_watchdog_config_prop, property_type, system_property_type, system_public_property_type;
#line 156
#line 156
#line 156
#line 156
allow vendor_init property_socket:sock_file write;
#line 156
allow vendor_init init:unix_stream_socket connectto;
#line 156
#line 156
allow vendor_init framework_watchdog_config_prop:property_service set;
#line 156
#line 156
allow vendor_init framework_watchdog_config_prop:file { getattr open read map };
#line 156
#line 156
#line 156
neverallow { domain -init -vendor_init } framework_watchdog_config_prop:property_service set;
#line 156
#line 157
#line 157
type graphics_config_prop, property_type, system_property_type, system_public_property_type;
#line 157
#line 157
#line 157
#line 157
allow vendor_init property_socket:sock_file write;
#line 157
allow vendor_init init:unix_stream_socket connectto;
#line 157
#line 157
allow vendor_init graphics_config_prop:property_service set;
#line 157
#line 157
allow vendor_init graphics_config_prop:file { getattr open read map };
#line 157
#line 157
#line 157
neverallow { domain -init -vendor_init } graphics_config_prop:property_service set;
#line 157
#line 158
#line 158
type hdmi_config_prop, property_type, system_property_type, system_public_property_type;
#line 158
#line 158
#line 158
#line 158
allow vendor_init property_socket:sock_file write;
#line 158
allow vendor_init init:unix_stream_socket connectto;
#line 158
#line 158
allow vendor_init hdmi_config_prop:property_service set;
#line 158
#line 158
allow vendor_init hdmi_config_prop:file { getattr open read map };
#line 158
#line 158
#line 158
neverallow { domain -init -vendor_init } hdmi_config_prop:property_service set;
#line 158
#line 159
#line 159
type hw_timeout_multiplier_prop, property_type, system_property_type, system_public_property_type;
#line 159
#line 159
#line 159
#line 159
allow vendor_init property_socket:sock_file write;
#line 159
allow vendor_init init:unix_stream_socket connectto;
#line 159
#line 159
allow vendor_init hw_timeout_multiplier_prop:property_service set;
#line 159
#line 159
allow vendor_init hw_timeout_multiplier_prop:file { getattr open read map };
#line 159
#line 159
#line 159
neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set;
#line 159
#line 160
#line 160
type hypervisor_prop, property_type, system_property_type, system_public_property_type;
#line 160
#line 160
#line 160
#line 160
allow vendor_init property_socket:sock_file write;
#line 160
allow vendor_init init:unix_stream_socket connectto;
#line 160
#line 160
allow vendor_init hypervisor_prop:property_service set;
#line 160
#line 160
allow vendor_init hypervisor_prop:file { getattr open read map };
#line 160
#line 160
#line 160
neverallow { domain -init -vendor_init } hypervisor_prop:property_service set;
#line 160
#line 161
#line 161
type hypervisor_restricted_prop, property_type, system_property_type, system_public_property_type;
#line 161
#line 161
#line 161
#line 161
allow vendor_init property_socket:sock_file write;
#line 161
allow vendor_init init:unix_stream_socket connectto;
#line 161
#line 161
allow vendor_init hypervisor_restricted_prop:property_service set;
#line 161
#line 161
allow vendor_init hypervisor_restricted_prop:file { getattr open read map };
#line 161
#line 161
#line 161
neverallow { domain -init -vendor_init } hypervisor_restricted_prop:property_service set;
#line 161
#line 162
#line 162
type incremental_prop, property_type, system_property_type, system_public_property_type;
#line 162
#line 162
#line 162
#line 162
allow vendor_init property_socket:sock_file write;
#line 162
allow vendor_init init:unix_stream_socket connectto;
#line 162
#line 162
allow vendor_init incremental_prop:property_service set;
#line 162
#line 162
allow vendor_init incremental_prop:file { getattr open read map };
#line 162
#line 162
#line 162
neverallow { domain -init -vendor_init } incremental_prop:property_service set;
#line 162
#line 163
#line 163
type input_device_config_prop, property_type, system_property_type, system_public_property_type;
#line 163
#line 163
#line 163
#line 163
allow vendor_init property_socket:sock_file write;
#line 163
allow vendor_init init:unix_stream_socket connectto;
#line 163
#line 163
allow vendor_init input_device_config_prop:property_service set;
#line 163
#line 163
allow vendor_init input_device_config_prop:file { getattr open read map };
#line 163
#line 163
#line 163
neverallow { domain -init -vendor_init } input_device_config_prop:property_service set;
#line 163
#line 164
#line 164
type keyguard_config_prop, property_type, system_property_type, system_public_property_type;
#line 164
#line 164
#line 164
#line 164
allow vendor_init property_socket:sock_file write;
#line 164
allow vendor_init init:unix_stream_socket connectto;
#line 164
#line 164
allow vendor_init keyguard_config_prop:property_service set;
#line 164
#line 164
allow vendor_init keyguard_config_prop:file { getattr open read map };
#line 164
#line 164
#line 164
neverallow { domain -init -vendor_init } keyguard_config_prop:property_service set;
#line 164
#line 165
#line 165
type keystore_config_prop, property_type, system_property_type, system_public_property_type;
#line 165
#line 165
#line 165
#line 165
allow vendor_init property_socket:sock_file write;
#line 165
allow vendor_init init:unix_stream_socket connectto;
#line 165
#line 165
allow vendor_init keystore_config_prop:property_service set;
#line 165
#line 165
allow vendor_init keystore_config_prop:file { getattr open read map };
#line 165
#line 165
#line 165
neverallow { domain -init -vendor_init } keystore_config_prop:property_service set;
#line 165
#line 166
#line 166
type lmkd_config_prop, property_type, system_property_type, system_public_property_type;
#line 166
#line 166
#line 166
#line 166
allow vendor_init property_socket:sock_file write;
#line 166
allow vendor_init init:unix_stream_socket connectto;
#line 166
#line 166
allow vendor_init lmkd_config_prop:property_service set;
#line 166
#line 166
allow vendor_init lmkd_config_prop:file { getattr open read map };
#line 166
#line 166
#line 166
neverallow { domain -init -vendor_init } lmkd_config_prop:property_service set;
#line 166
#line 167
#line 167
type media_config_prop, property_type, system_property_type, system_public_property_type;
#line 167
#line 167
#line 167
#line 167
allow vendor_init property_socket:sock_file write;
#line 167
allow vendor_init init:unix_stream_socket connectto;
#line 167
#line 167
allow vendor_init media_config_prop:property_service set;
#line 167
#line 167
allow vendor_init media_config_prop:file { getattr open read map };
#line 167
#line 167
#line 167
neverallow { domain -init -vendor_init } media_config_prop:property_service set;
#line 167
#line 168
#line 168
type media_variant_prop, property_type, system_property_type, system_public_property_type;
#line 168
#line 168
#line 168
#line 168
allow vendor_init property_socket:sock_file write;
#line 168
allow vendor_init init:unix_stream_socket connectto;
#line 168
#line 168
allow vendor_init media_variant_prop:property_service set;
#line 168
#line 168
allow vendor_init media_variant_prop:file { getattr open read map };
#line 168
#line 168
#line 168
neverallow { domain -init -vendor_init } media_variant_prop:property_service set;
#line 168
#line 169
#line 169
type mediadrm_config_prop, property_type, system_property_type, system_public_property_type;
#line 169
#line 169
#line 169
#line 169
allow vendor_init property_socket:sock_file write;
#line 169
allow vendor_init init:unix_stream_socket connectto;
#line 169
#line 169
allow vendor_init mediadrm_config_prop:property_service set;
#line 169
#line 169
allow vendor_init mediadrm_config_prop:file { getattr open read map };
#line 169
#line 169
#line 169
neverallow { domain -init -vendor_init } mediadrm_config_prop:property_service set;
#line 169
#line 170
#line 170
type mm_events_config_prop, property_type, system_property_type, system_public_property_type;
#line 170
#line 170
#line 170
#line 170
allow vendor_init property_socket:sock_file write;
#line 170
allow vendor_init init:unix_stream_socket connectto;
#line 170
#line 170
allow vendor_init mm_events_config_prop:property_service set;
#line 170
#line 170
allow vendor_init mm_events_config_prop:file { getattr open read map };
#line 170
#line 170
#line 170
neverallow { domain -init -vendor_init } mm_events_config_prop:property_service set;
#line 170
#line 171
#line 171
type oem_unlock_prop, property_type, system_property_type, system_public_property_type;
#line 171
#line 171
#line 171
#line 171
allow vendor_init property_socket:sock_file write;
#line 171
allow vendor_init init:unix_stream_socket connectto;
#line 171
#line 171
allow vendor_init oem_unlock_prop:property_service set;
#line 171
#line 171
allow vendor_init oem_unlock_prop:file { getattr open read map };
#line 171
#line 171
#line 171
neverallow { domain -init -vendor_init } oem_unlock_prop:property_service set;
#line 171
#line 172
#line 172
type ota_build_prop, property_type, system_property_type, system_public_property_type;
#line 172
#line 172
#line 172
#line 172
allow vendor_init property_socket:sock_file write;
#line 172
allow vendor_init init:unix_stream_socket connectto;
#line 172
#line 172
allow vendor_init ota_build_prop:property_service set;
#line 172
#line 172
allow vendor_init ota_build_prop:file { getattr open read map };
#line 172
#line 172
#line 172
neverallow { domain -init -vendor_init } ota_build_prop:property_service set;
#line 172
#line 173
#line 173
type packagemanager_config_prop, property_type, system_property_type, system_public_property_type;
#line 173
#line 173
#line 173
#line 173
allow vendor_init property_socket:sock_file write;
#line 173
allow vendor_init init:unix_stream_socket connectto;
#line 173
#line 173
allow vendor_init packagemanager_config_prop:property_service set;
#line 173
#line 173
allow vendor_init packagemanager_config_prop:file { getattr open read map };
#line 173
#line 173
#line 173
neverallow { domain -init -vendor_init } packagemanager_config_prop:property_service set;
#line 173
#line 174
#line 174
type quick_start_prop, property_type, system_property_type, system_public_property_type;
#line 174
#line 174
#line 174
#line 174
allow vendor_init property_socket:sock_file write;
#line 174
allow vendor_init init:unix_stream_socket connectto;
#line 174
#line 174
allow vendor_init quick_start_prop:property_service set;
#line 174
#line 174
allow vendor_init quick_start_prop:file { getattr open read map };
#line 174
#line 174
#line 174
neverallow { domain -init -vendor_init } quick_start_prop:property_service set;
#line 174
#line 175
#line 175
type recovery_config_prop, property_type, system_property_type, system_public_property_type;
#line 175
#line 175
#line 175
#line 175
allow vendor_init property_socket:sock_file write;
#line 175
allow vendor_init init:unix_stream_socket connectto;
#line 175
#line 175
allow vendor_init recovery_config_prop:property_service set;
#line 175
#line 175
allow vendor_init recovery_config_prop:file { getattr open read map };
#line 175
#line 175
#line 175
neverallow { domain -init -vendor_init } recovery_config_prop:property_service set;
#line 175
#line 176
#line 176
type recovery_usb_config_prop, property_type, system_property_type, system_public_property_type;
#line 176
#line 176
#line 176
#line 176
allow vendor_init property_socket:sock_file write;
#line 176
allow vendor_init init:unix_stream_socket connectto;
#line 176
#line 176
allow vendor_init recovery_usb_config_prop:property_service set;
#line 176
#line 176
allow vendor_init recovery_usb_config_prop:file { getattr open read map };
#line 176
#line 176
#line 176
neverallow { domain -init -vendor_init } recovery_usb_config_prop:property_service set;
#line 176
#line 177
#line 177
type sendbug_config_prop, property_type, system_property_type, system_public_property_type;
#line 177
#line 177
#line 177
#line 177
allow vendor_init property_socket:sock_file write;
#line 177
allow vendor_init init:unix_stream_socket connectto;
#line 177
#line 177
allow vendor_init sendbug_config_prop:property_service set;
#line 177
#line 177
allow vendor_init sendbug_config_prop:file { getattr open read map };
#line 177
#line 177
#line 177
neverallow { domain -init -vendor_init } sendbug_config_prop:property_service set;
#line 177
#line 178
#line 178
type soc_prop, property_type, system_property_type, system_public_property_type;
#line 178
#line 178
#line 178
#line 178
allow vendor_init property_socket:sock_file write;
#line 178
allow vendor_init init:unix_stream_socket connectto;
#line 178
#line 178
allow vendor_init soc_prop:property_service set;
#line 178
#line 178
allow vendor_init soc_prop:file { getattr open read map };
#line 178
#line 178
#line 178
neverallow { domain -init -vendor_init } soc_prop:property_service set;
#line 178
#line 179
#line 179
type storage_config_prop, property_type, system_property_type, system_public_property_type;
#line 179
#line 179
#line 179
#line 179
allow vendor_init property_socket:sock_file write;
#line 179
allow vendor_init init:unix_stream_socket connectto;
#line 179
#line 179
allow vendor_init storage_config_prop:property_service set;
#line 179
#line 179
allow vendor_init storage_config_prop:file { getattr open read map };
#line 179
#line 179
#line 179
neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
#line 179
#line 180
#line 180
type storagemanager_config_prop, property_type, system_property_type, system_public_property_type;
#line 180
#line 180
#line 180
#line 180
allow vendor_init property_socket:sock_file write;
#line 180
allow vendor_init init:unix_stream_socket connectto;
#line 180
#line 180
allow vendor_init storagemanager_config_prop:property_service set;
#line 180
#line 180
allow vendor_init storagemanager_config_prop:file { getattr open read map };
#line 180
#line 180
#line 180
neverallow { domain -init -vendor_init } storagemanager_config_prop:property_service set;
#line 180
#line 181
#line 181
type surfaceflinger_prop, property_type, system_property_type, system_public_property_type;
#line 181
#line 181
#line 181
#line 181
allow vendor_init property_socket:sock_file write;
#line 181
allow vendor_init init:unix_stream_socket connectto;
#line 181
#line 181
allow vendor_init surfaceflinger_prop:property_service set;
#line 181
#line 181
allow vendor_init surfaceflinger_prop:file { getattr open read map };
#line 181
#line 181
#line 181
neverallow { domain -init -vendor_init } surfaceflinger_prop:property_service set;
#line 181
#line 182
#line 182
type suspend_prop, property_type, system_property_type, system_public_property_type;
#line 182
#line 182
#line 182
#line 182
allow vendor_init property_socket:sock_file write;
#line 182
allow vendor_init init:unix_stream_socket connectto;
#line 182
#line 182
allow vendor_init suspend_prop:property_service set;
#line 182
#line 182
allow vendor_init suspend_prop:file { getattr open read map };
#line 182
#line 182
#line 182
neverallow { domain -init -vendor_init } suspend_prop:property_service set;
#line 182
#line 183
#line 183
type systemsound_config_prop, property_type, system_property_type, system_public_property_type;
#line 183
#line 183
#line 183
#line 183
allow vendor_init property_socket:sock_file write;
#line 183
allow vendor_init init:unix_stream_socket connectto;
#line 183
#line 183
allow vendor_init systemsound_config_prop:property_service set;
#line 183
#line 183
allow vendor_init systemsound_config_prop:file { getattr open read map };
#line 183
#line 183
#line 183
neverallow { domain -init -vendor_init } systemsound_config_prop:property_service set;
#line 183
#line 184
#line 184
type telephony_config_prop, property_type, system_property_type, system_public_property_type;
#line 184
#line 184
#line 184
#line 184
allow vendor_init property_socket:sock_file write;
#line 184
allow vendor_init init:unix_stream_socket connectto;
#line 184
#line 184
allow vendor_init telephony_config_prop:property_service set;
#line 184
#line 184
allow vendor_init telephony_config_prop:file { getattr open read map };
#line 184
#line 184
#line 184
neverallow { domain -init -vendor_init } telephony_config_prop:property_service set;
#line 184
#line 185
#line 185
type threadnetwork_config_prop, property_type, system_property_type, system_public_property_type;
#line 185
#line 185
#line 185
#line 185
allow vendor_init property_socket:sock_file write;
#line 185
allow vendor_init init:unix_stream_socket connectto;
#line 185
#line 185
allow vendor_init threadnetwork_config_prop:property_service set;
#line 185
#line 185
allow vendor_init threadnetwork_config_prop:file { getattr open read map };
#line 185
#line 185
#line 185
neverallow { domain -init -vendor_init } threadnetwork_config_prop:property_service set;
#line 185
#line 186
#line 186
type tombstone_config_prop, property_type, system_property_type, system_public_property_type;
#line 186
#line 186
#line 186
#line 186
allow vendor_init property_socket:sock_file write;
#line 186
allow vendor_init init:unix_stream_socket connectto;
#line 186
#line 186
allow vendor_init tombstone_config_prop:property_service set;
#line 186
#line 186
allow vendor_init tombstone_config_prop:file { getattr open read map };
#line 186
#line 186
#line 186
neverallow { domain -init -vendor_init } tombstone_config_prop:property_service set;
#line 186
#line 187
#line 187
type usb_config_prop, property_type, system_property_type, system_public_property_type;
#line 187
#line 187
#line 187
#line 187
allow vendor_init property_socket:sock_file write;
#line 187
allow vendor_init init:unix_stream_socket connectto;
#line 187
#line 187
allow vendor_init usb_config_prop:property_service set;
#line 187
#line 187
allow vendor_init usb_config_prop:file { getattr open read map };
#line 187
#line 187
#line 187
neverallow { domain -init -vendor_init } usb_config_prop:property_service set;
#line 187
#line 188
#line 188
type userspace_reboot_config_prop, property_type, system_property_type, system_public_property_type;
#line 188
#line 188
#line 188
#line 188
allow vendor_init property_socket:sock_file write;
#line 188
allow vendor_init init:unix_stream_socket connectto;
#line 188
#line 188
allow vendor_init userspace_reboot_config_prop:property_service set;
#line 188
#line 188
allow vendor_init userspace_reboot_config_prop:file { getattr open read map };
#line 188
#line 188
#line 188
neverallow { domain -init -vendor_init } userspace_reboot_config_prop:property_service set;
#line 188
#line 189
#line 189
type vehicle_hal_prop, property_type, system_property_type, system_public_property_type;
#line 189
#line 189
#line 189
#line 189
allow vendor_init property_socket:sock_file write;
#line 189
allow vendor_init init:unix_stream_socket connectto;
#line 189
#line 189
allow vendor_init vehicle_hal_prop:property_service set;
#line 189
#line 189
allow vendor_init vehicle_hal_prop:file { getattr open read map };
#line 189
#line 189
#line 189
neverallow { domain -init -vendor_init } vehicle_hal_prop:property_service set;
#line 189
#line 190
#line 190
type vendor_security_patch_level_prop, property_type, system_property_type, system_public_property_type;
#line 190
#line 190
#line 190
#line 190
allow vendor_init property_socket:sock_file write;
#line 190
allow vendor_init init:unix_stream_socket connectto;
#line 190
#line 190
allow vendor_init vendor_security_patch_level_prop:property_service set;
#line 190
#line 190
allow vendor_init vendor_security_patch_level_prop:file { getattr open read map };
#line 190
#line 190
#line 190
neverallow { domain -init -vendor_init } vendor_security_patch_level_prop:property_service set;
#line 190
#line 191
#line 191
type vendor_socket_hook_prop, property_type, system_property_type, system_public_property_type;
#line 191
#line 191
#line 191
#line 191
allow vendor_init property_socket:sock_file write;
#line 191
allow vendor_init init:unix_stream_socket connectto;
#line 191
#line 191
allow vendor_init vendor_socket_hook_prop:property_service set;
#line 191
#line 191
allow vendor_init vendor_socket_hook_prop:file { getattr open read map };
#line 191
#line 191
#line 191
neverallow { domain -init -vendor_init } vendor_socket_hook_prop:property_service set;
#line 191
#line 192
#line 192
type virtual_ab_prop, property_type, system_property_type, system_public_property_type;
#line 192
#line 192
#line 192
#line 192
allow vendor_init property_socket:sock_file write;
#line 192
allow vendor_init init:unix_stream_socket connectto;
#line 192
#line 192
allow vendor_init virtual_ab_prop:property_service set;
#line 192
#line 192
allow vendor_init virtual_ab_prop:file { getattr open read map };
#line 192
#line 192
#line 192
neverallow { domain -init -vendor_init } virtual_ab_prop:property_service set;
#line 192
#line 193
#line 193
type vndk_prop, property_type, system_property_type, system_public_property_type;
#line 193
#line 193
#line 193
#line 193
allow vendor_init property_socket:sock_file write;
#line 193
allow vendor_init init:unix_stream_socket connectto;
#line 193
#line 193
allow vendor_init vndk_prop:property_service set;
#line 193
#line 193
allow vendor_init vndk_prop:file { getattr open read map };
#line 193
#line 193
#line 193
neverallow { domain -init -vendor_init } vndk_prop:property_service set;
#line 193
#line 194
#line 194
type vts_config_prop, property_type, system_property_type, system_public_property_type;
#line 194
#line 194
#line 194
#line 194
allow vendor_init property_socket:sock_file write;
#line 194
allow vendor_init init:unix_stream_socket connectto;
#line 194
#line 194
allow vendor_init vts_config_prop:property_service set;
#line 194
#line 194
allow vendor_init vts_config_prop:file { getattr open read map };
#line 194
#line 194
#line 194
neverallow { domain -init -vendor_init } vts_config_prop:property_service set;
#line 194
#line 195
#line 195
type vold_config_prop, property_type, system_property_type, system_public_property_type;
#line 195
#line 195
#line 195
#line 195
allow vendor_init property_socket:sock_file write;
#line 195
allow vendor_init init:unix_stream_socket connectto;
#line 195
#line 195
allow vendor_init vold_config_prop:property_service set;
#line 195
#line 195
allow vendor_init vold_config_prop:file { getattr open read map };
#line 195
#line 195
#line 195
neverallow { domain -init -vendor_init } vold_config_prop:property_service set;
#line 195
#line 196
#line 196
type wifi_config_prop, property_type, system_property_type, system_public_property_type;
#line 196
#line 196
#line 196
#line 196
allow vendor_init property_socket:sock_file write;
#line 196
allow vendor_init init:unix_stream_socket connectto;
#line 196
#line 196
allow vendor_init wifi_config_prop:property_service set;
#line 196
#line 196
allow vendor_init wifi_config_prop:file { getattr open read map };
#line 196
#line 196
#line 196
neverallow { domain -init -vendor_init } wifi_config_prop:property_service set;
#line 196
#line 197
#line 197
type zram_config_prop, property_type, system_property_type, system_public_property_type;
#line 197
#line 197
#line 197
#line 197
allow vendor_init property_socket:sock_file write;
#line 197
allow vendor_init init:unix_stream_socket connectto;
#line 197
#line 197
allow vendor_init zram_config_prop:property_service set;
#line 197
#line 197
allow vendor_init zram_config_prop:file { getattr open read map };
#line 197
#line 197
#line 197
neverallow { domain -init -vendor_init } zram_config_prop:property_service set;
#line 197
#line 198
#line 198
type zygote_config_prop, property_type, system_property_type, system_public_property_type;
#line 198
#line 198
#line 198
#line 198
allow vendor_init property_socket:sock_file write;
#line 198
allow vendor_init init:unix_stream_socket connectto;
#line 198
#line 198
allow vendor_init zygote_config_prop:property_service set;
#line 198
#line 198
allow vendor_init zygote_config_prop:file { getattr open read map };
#line 198
#line 198
#line 198
neverallow { domain -init -vendor_init } zygote_config_prop:property_service set;
#line 198
#line 199
#line 199
type dck_prop, property_type, system_property_type, system_public_property_type;
#line 199
#line 199
#line 199
#line 199
allow vendor_init property_socket:sock_file write;
#line 199
allow vendor_init init:unix_stream_socket connectto;
#line 199
#line 199
allow vendor_init dck_prop:property_service set;
#line 199
#line 199
allow vendor_init dck_prop:file { getattr open read map };
#line 199
#line 199
#line 199
neverallow { domain -init -vendor_init } dck_prop:property_service set;
#line 199
#line 200
#line 200
type tuner_config_prop, property_type, system_property_type, system_public_property_type;
#line 200
#line 200
#line 200
#line 200
allow vendor_init property_socket:sock_file write;
#line 200
allow vendor_init init:unix_stream_socket connectto;
#line 200
#line 200
allow vendor_init tuner_config_prop:property_service set;
#line 200
#line 200
allow vendor_init tuner_config_prop:file { getattr open read map };
#line 200
#line 200
#line 200
neverallow { domain -init -vendor_init } tuner_config_prop:property_service set;
#line 200
#line 201
#line 201
type usb_uvc_enabled_prop, property_type, system_property_type, system_public_property_type;
#line 201
#line 201
#line 201
#line 201
allow vendor_init property_socket:sock_file write;
#line 201
allow vendor_init init:unix_stream_socket connectto;
#line 201
#line 201
allow vendor_init usb_uvc_enabled_prop:property_service set;
#line 201
#line 201
allow vendor_init usb_uvc_enabled_prop:file { getattr open read map };
#line 201
#line 201
#line 201
neverallow { domain -init -vendor_init } usb_uvc_enabled_prop:property_service set;
#line 201
#line 202
#line 202
type setupwizard_mode_prop, property_type, system_property_type, system_public_property_type;
#line 202
#line 202
#line 202
#line 202
allow vendor_init property_socket:sock_file write;
#line 202
allow vendor_init init:unix_stream_socket connectto;
#line 202
#line 202
allow vendor_init setupwizard_mode_prop:property_service set;
#line 202
#line 202
allow vendor_init setupwizard_mode_prop:file { getattr open read map };
#line 202
#line 202
#line 202
neverallow { domain -init -vendor_init } setupwizard_mode_prop:property_service set;
#line 202
#line 203
#line 203
type pm_archiving_enabled_prop, property_type, system_property_type, system_public_property_type;
#line 203
#line 203
#line 203
#line 203
allow vendor_init property_socket:sock_file write;
#line 203
allow vendor_init init:unix_stream_socket connectto;
#line 203
#line 203
allow vendor_init pm_archiving_enabled_prop:property_service set;
#line 203
#line 203
allow vendor_init pm_archiving_enabled_prop:file { getattr open read map };
#line 203
#line 203
#line 203
neverallow { domain -init -vendor_init } pm_archiving_enabled_prop:property_service set;
#line 203
# Properties with no restrictions
# Each entry below is an expanded system_public_prop(): only the type is
# declared (system_public_property_type); unlike the system_vendor_config_prop()
# expansions above, no neverallow is attached at declaration time. "No
# restrictions" therefore means no declaration-time setter allowlist — which
# domains may get or set each property is decided by per-domain allow rules
# elsewhere in the policy (not visible here), so audit those rules rather than
# reading "public" as "harmless".
#line 206
type adbd_config_prop, property_type, system_property_type, system_public_property_type;
#line 206
#line 207
type audio_prop, property_type, system_property_type, system_public_property_type;
#line 207
#line 208
type bluetooth_a2dp_offload_prop, property_type, system_property_type, system_public_property_type;
#line 208
#line 209
type bluetooth_audio_hal_prop, property_type, system_property_type, system_public_property_type;
#line 209
#line 210
type bluetooth_prop, property_type, system_property_type, system_public_property_type;
#line 210
#line 211
type bpf_progs_loaded_prop, property_type, system_property_type, system_public_property_type;
#line 211
#line 212
type charger_status_prop, property_type, system_property_type, system_public_property_type;
#line 212
# ctl_*_prop: by name these are init's service-control properties
# (ctl.start / ctl.stop / ctl.interface_start ...). `set` on them is
# effectively the right to start or stop init services, so it should be
# granted narrowly — verify the property_contexts mapping and the per-domain
# set rules elsewhere when reviewing a domain that writes them.
#line 213
type ctl_default_prop, property_type, system_property_type, system_public_property_type;
#line 213
#line 214
type ctl_interface_start_prop, property_type, system_property_type, system_public_property_type;
#line 214
#line 215
type ctl_start_prop, property_type, system_property_type, system_public_property_type;
#line 215
#line 216
type ctl_stop_prop, property_type, system_property_type, system_public_property_type;
#line 216
#line 217
type dalvik_config_prop, property_type, system_property_type, system_public_property_type;
#line 217
#line 218
type dalvik_dynamic_config_prop, property_type, system_property_type, system_public_property_type;
#line 218
#line 219
type dalvik_runtime_prop, property_type, system_property_type, system_public_property_type;
#line 219
#line 220
type debug_prop, property_type, system_property_type, system_public_property_type;
#line 220
#line 221
type device_config_memory_safety_native_boot_prop, property_type, system_property_type, system_public_property_type;
#line 221
#line 222
type device_config_memory_safety_native_prop, property_type, system_property_type, system_public_property_type;
#line 222
#line 223
type dumpstate_options_prop, property_type, system_property_type, system_public_property_type;
#line 223
#line 224
type exported_system_prop, property_type, system_property_type, system_public_property_type;
#line 224
#line 225
type exported_bluetooth_prop, property_type, system_property_type, system_public_property_type;
#line 225
#line 226
type exported_overlay_prop, property_type, system_property_type, system_public_property_type;
#line 226
#line 227
type exported_pm_prop, property_type, system_property_type, system_public_property_type;
#line 227
#line 228
type future_pm_prop, property_type, system_property_type, system_public_property_type;
#line 228
#line 229
type ffs_control_prop, property_type, system_property_type, system_public_property_type;
#line 229
#line 230
type framework_status_prop, property_type, system_property_type, system_public_property_type;
#line 230
#line 231
type gesture_prop, property_type, system_property_type, system_public_property_type;
#line 231
#line 232
type graphics_config_writable_prop, property_type, system_property_type, system_public_property_type;
#line 232
#line 233
type hal_dumpstate_config_prop, property_type, system_property_type, system_public_property_type;
#line 233
#line 234
type sota_prop, property_type, system_property_type, system_public_property_type;
#line 234
#line 235
type hwservicemanager_prop, property_type, system_property_type, system_public_property_type;
#line 235
#line 236
type lmkd_prop, property_type, system_property_type, system_public_property_type;
#line 236
#line 237
type locale_prop, property_type, system_property_type, system_public_property_type;
#line 237
#line 238
type logd_prop, property_type, system_property_type, system_public_property_type;
#line 238
#line 239
type logpersistd_logging_prop, property_type, system_property_type, system_public_property_type;
#line 239
#line 240
type log_prop, property_type, system_property_type, system_public_property_type;
#line 240
#line 241
type log_tag_prop, property_type, system_property_type, system_public_property_type;
#line 241
#line 242
type lowpan_prop, property_type, system_property_type, system_public_property_type;
#line 242
#line 243
type nfc_prop, property_type, system_property_type, system_public_property_type;
#line 243
#line 244
type ota_prop, property_type, system_property_type, system_public_property_type;
#line 244
#line 245
type permissive_mte_prop, property_type, system_property_type, system_public_property_type;
#line 245
# powerctl_prop: by name the sys.powerctl reboot/shutdown request property;
# `set` on it is a privileged action (presumably acted on by init) — confirm
# the mapping in property_contexts before granting it to a new domain.
#line 246
type powerctl_prop, property_type, system_property_type, system_public_property_type;
#line 246
#line 247
type qemu_hw_prop, property_type, system_property_type, system_public_property_type;
#line 247
#line 248
type qemu_sf_lcd_density_prop, property_type, system_property_type, system_public_property_type;
#line 248
#line 249
type radio_control_prop, property_type, system_property_type, system_public_property_type;
#line 249
#line 250
type radio_prop, property_type, system_property_type, system_public_property_type;
#line 250
#line 251
type serialno_prop, property_type, system_property_type, system_public_property_type;
#line 251
#line 252
type surfaceflinger_color_prop, property_type, system_property_type, system_public_property_type;
#line 252
#line 253
type system_prop, property_type, system_property_type, system_public_property_type;
#line 253
#line 254
type system_user_mode_emulation_prop, property_type, system_property_type, system_public_property_type;
#line 254
#line 255
type telephony_status_prop, property_type, system_property_type, system_public_property_type;
#line 255
#line 256
type timezone_prop, property_type, system_property_type, system_public_property_type;
#line 256
#line 257
type usb_control_prop, property_type, system_property_type, system_public_property_type;
#line 257
#line 258
type vold_post_fs_data_prop, property_type, system_property_type, system_public_property_type;
#line 258
#line 259
type wifi_hal_prop, property_type, system_property_type, system_public_property_type;
#line 259
#line 260
type wifi_log_prop, property_type, system_property_type, system_public_property_type;
#line 260
#line 261
type wifi_prop, property_type, system_property_type, system_public_property_type;
#line 261
#line 262
type zram_control_prop, property_type, system_property_type, system_public_property_type;
#line 262
# Properties which don't have entries on property_contexts
#line 265
#line 265
# Fallback label for any property name that matches nothing in
# property_contexts. It is system_internal_property_type, and the neverallow
# below makes it completely inaccessible (no read, write, ioctl, lock or watch
# on the backing file) to every domain outside coredomain. Practical
# consequence for policy authors: a property that vendor/ODM code must read or
# set needs an explicit property_contexts entry; leaving it unlabelled is a
# hard denial for non-coredomain processes, not an accidental exposure.
type default_prop, property_type, system_property_type, system_internal_property_type;
#line 265
#line 265
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 265
#line 265
# The permission set is an expanded macro: all write-class file perms plus
# open/read/ioctl/lock and the watch* perms. The marker name suggests CTS
# applies this rule only to devices launching with R or later.
neverallow { domain -coredomain } default_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 265
#line 265
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 265
#line 265
# Properties used in default HAL implementations
#line 268
#line 268
# vendor_internal_property_type: the mirror image of the default_prop rule
# above. These are vendor-owned properties, and the neverallow in each section
# forbids every coredomain process — except init and dumpstate, which (per the
# comment below) must be able to read all props — from any file access to
# them. System code therefore cannot even read HAL-internal state, which keeps
# vendor implementation details out of the system/vendor interface.
type rebootescrow_hal_prop, property_type, vendor_property_type, vendor_internal_property_type;
#line 268
#line 268
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 268
#line 268
# init and dumpstate are in coredomain, but should be able to read all props.
#line 268
neverallow { coredomain -init -dumpstate } rebootescrow_hal_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 268
#line 268
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 268
#line 268
# Properties used in the default Face HAL implementations
# Same vendor_internal pattern as rebootescrow_hal_prop above.
#line 271
#line 271
type virtual_face_hal_prop, property_type, vendor_property_type, vendor_internal_property_type;
#line 271
#line 271
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 271
#line 271
# init and dumpstate are in coredomain, but should be able to read all props.
#line 271
neverallow { coredomain -init -dumpstate } virtual_face_hal_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 271
#line 271
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 271
#line 271
# Properties used in the default Fingerprint HAL implementations
# Same vendor_internal pattern as rebootescrow_hal_prop above.
#line 274
#line 274
type virtual_fingerprint_hal_prop, property_type, vendor_property_type, vendor_internal_property_type;
#line 274
#line 274
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 274
#line 274
# init and dumpstate are in coredomain, but should be able to read all props.
#line 274
neverallow { coredomain -init -dumpstate } virtual_fingerprint_hal_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 274
#line 274
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 274
#line 274
#line 276
# vendor_public_property_type with no neverallow attached at declaration:
# unlike the vendor_internal HAL properties above, coredomain processes are not
# categorically barred from this file; actual read/set access is governed by
# per-domain rules elsewhere (not visible here).
type persist_vendor_debug_wifi_prop, property_type, vendor_property_type, vendor_public_property_type;
#line 276
# Properties which are public for devices launching with Android O or earlier
# This should not be used for any new properties.
#line 280
# DO NOT ADD ANY PROPERTIES HERE
#line 280
#line 280
# Legacy pre-Treble public property types, all expanded from a single macro
# invocation (every #line below points at the same source line 280). Each is a
# bare declaration with no neverallow at declaration time. Several of them
# (the ctl_*_prop family, e.g. ctl_restart/ctl_sigstop/ctl_adbd) are by name
# init service-control properties whose `set` permission is privileged — audit
# their per-domain set rules rather than assuming "public" means harmless.
type boottime_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type charger_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type cold_boot_done_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_adbd_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_apexd_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_bootanim_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_bugreport_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_console_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_dumpstate_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_fuse_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_gsid_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_interface_restart_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_interface_stop_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_mdnsd_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_restart_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_rildaemon_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type ctl_sigstop_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type dynamic_system_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type heapprofd_enabled_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type llkd_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type lpdumpd_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type mmc_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type mock_ota_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type net_dns_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type overlay_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type persistent_properties_ready_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type safemode_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type system_lmk_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type system_trace_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type test_boot_reason_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type time_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type traced_enabled_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type traced_lazy_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
#line 280
type config_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type cppreopt_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type dalvik_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type debuggerd_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type device_logging_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type dhcp_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type dumpstate_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type exported3_system_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type exported_dumpstate_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type exported_secure_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type heapprofd_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type net_radio_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type pan_result_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type persist_debug_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type shell_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type test_harness_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type theme_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type use_memfd_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 280
#line 280
type vold_prop, property_type, system_property_type, system_public_property_type;
#line 280
#line 335
#line 337
#line 337
# vendor_default_prop is declared twice in this expanded prebuilt: here as
# vendor_public_property_type, and again below — between the
# COMPATIBLE_PROPERTY_ONLY markers — as vendor_internal_property_type with a
# coredomain neverallow. The CTS markers suggest the test harness keeps only
# the variant matching the device under test, so the duplicate is expected in
# this artifact rather than a policy bug; a plain checkpolicy build of this
# file as-is would presumably reject the duplicate declaration.
type vendor_default_prop, property_type, vendor_property_type, vendor_public_property_type;
#line 337
#line 339
# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 341
#line 341
#line 341
#line 341
type vendor_default_prop, property_type, vendor_property_type, vendor_internal_property_type;
#line 341
#line 341
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 341
#line 341
# init and dumpstate are in coredomain, but should be able to read all props.
#line 341
# Effect of the vendor_internal variant: whatever is labelled
# vendor_default_prop (by analogy with default_prop above, presumably vendor
# properties with no property_contexts entry) is unreadable to every
# coredomain process except init and dumpstate.
neverallow { coredomain -init -dumpstate } vendor_default_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 341
#line 341
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 341
#line 341
#line 341
#line 341
# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 343
typeattribute log_prop log_property_type;
typeattribute log_tag_prop log_property_type;
typeattribute wifi_log_prop log_property_type;
allow property_type tmpfs:filesystem associate;
# core_property_type should not be used for new properties or
# device specific properties. Properties with this attribute
# are readable to everyone, which is overly broad and should
# be avoided.
# New properties should have appropriate read / write access
# control rules written.
typeattribute audio_prop core_property_type;
typeattribute config_prop core_property_type;
typeattribute cppreopt_prop core_property_type;
typeattribute dalvik_prop core_property_type;
typeattribute debuggerd_prop core_property_type;
typeattribute debug_prop core_property_type;
typeattribute dhcp_prop core_property_type;
typeattribute dumpstate_prop core_property_type;
typeattribute logd_prop core_property_type;
typeattribute net_radio_prop core_property_type;
typeattribute nfc_prop core_property_type;
typeattribute ota_prop core_property_type;
typeattribute pan_result_prop core_property_type;
typeattribute persist_debug_prop core_property_type;
typeattribute powerctl_prop core_property_type;
typeattribute radio_prop core_property_type;
typeattribute restorecon_prop core_property_type;
typeattribute shell_prop core_property_type;
typeattribute system_prop core_property_type;
typeattribute usb_prop core_property_type;
typeattribute vold_prop core_property_type;
typeattribute dalvik_config_prop dalvik_config_prop_type;
typeattribute dalvik_dynamic_config_prop dalvik_config_prop_type;
#line 1 "system/sepolicy/public/radio.te"
# phone subsystem
type radio, domain, mlstrustedsubject;
#line 4
typeattribute radio netdomain;
#line 4
#line 5
typeattribute radio bluetoothdomain;
#line 5
#line 6
typeattribute radio binderservicedomain;
#line 6
# Talks to hal_telephony_server via the rild socket only for devices without full treble
#line 9
allow radio rild_socket:sock_file write;
#line 9
allow radio hal_telephony_server:unix_stream_socket connectto;
#line 9
# Data file accesses.
allow radio radio_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow radio radio_data_file:{ file lnk_file sock_file fifo_file } { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow radio radio_core_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow radio radio_core_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow radio net_data_file:dir search;
allow radio net_data_file:file { getattr open read ioctl lock map watch watch_reads };
#line 20
allow radio radio_service:service_manager { add find };
#line 20
neverallow { domain -radio } radio_service:service_manager add;
#line 20
#line 20
# On debug builds with root, allow binder services to use binder over TCP.
#line 20
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 20
#line 20
allow radio audioserver_service:service_manager find;
allow radio cameraserver_service:service_manager find;
allow radio drmserver_service:service_manager find;
allow radio mediaserver_service:service_manager find;
allow radio nfc_service:service_manager find;
allow radio app_api_service:service_manager find;
allow radio system_api_service:service_manager find;
allow radio timedetector_service:service_manager find;
allow radio timezonedetector_service:service_manager find;
# Perform HwBinder IPC.
#line 32
# Call the hwservicemanager and transfer references to it.
#line 32
allow radio hwservicemanager:binder { call transfer };
#line 32
# Allow hwservicemanager to send out callbacks
#line 32
allow hwservicemanager radio:binder { call transfer };
#line 32
# hwservicemanager performs getpidcon on clients.
#line 32
allow hwservicemanager radio:dir search;
#line 32
allow hwservicemanager radio:file { read open map };
#line 32
allow hwservicemanager radio:process getattr;
#line 32
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 32
# all domains in domain.te.
#line 32
#line 33
typeattribute radio halclientdomain;
#line 33
typeattribute radio hal_telephony_client;
#line 33
#line 33
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 33
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 33
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 33
#line 33
typeattribute radio hal_telephony;
#line 33
# Find passthrough HAL implementations
#line 33
allow hal_telephony system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 33
allow hal_telephony vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 33
allow hal_telephony vendor_file:file { read open getattr execute map };
#line 33
#line 33
# Used by TelephonyManager
allow radio proc_cmdline:file { getattr open read ioctl lock map watch watch_reads };
#line 1 "system/sepolicy/public/recovery.te"
# recovery console (used in recovery init.rc for /sbin/recovery)
# Declare the domain unconditionally so we can always reference it
# in neverallow rules.
type recovery, domain;
# But the allow rules are only included in the recovery policy.
# Otherwise recovery is only allowed the domain rules.
#line 144
###
### neverallow rules
###
# Recovery should never touch /data.
#
# In particular, if /data is encrypted, it is not accessible
# to recovery anyway.
#
# For now, we only enforce write/execute restrictions, as domain.te
# contains a number of read-only rules that apply to all
# domains, including recovery.
#
# TODO: tighten this up further.
neverallow recovery {
data_file_type
-cache_file
-cache_recovery_file
}:file { { append create link unlink relabelfrom rename setattr write } { execute execute_no_trans } };
neverallow recovery {
data_file_type
-cache_file
-cache_recovery_file
}:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
#line 1 "system/sepolicy/public/recovery_persist.te"
# android recovery persistent log manager
type recovery_persist, domain;
type recovery_persist_exec, system_file_type, exec_type, file_type;
allow recovery_persist pstorefs:dir search;
allow recovery_persist pstorefs:file { getattr open read ioctl lock map watch watch_reads };
allow recovery_persist recovery_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow recovery_persist recovery_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow recovery_persist cache_file:dir search;
allow recovery_persist cache_file:lnk_file read;
allow recovery_persist cache_recovery_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow recovery_persist cache_recovery_file:file { { getattr open read ioctl lock map watch watch_reads } unlink };
###
### Neverallow rules
###
### recovery_persist should NEVER do any of this
# Block device access.
neverallow recovery_persist dev_type:blk_file { read write };
# ptrace any other app
neverallow recovery_persist domain:process ptrace;
# Write to /system.
neverallow recovery_persist system_file_type:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
# Write to files in /data/data
neverallow recovery_persist { app_data_file_type system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
#line 1 "system/sepolicy/public/recovery_refresh.te"
# android recovery refresh log manager
type recovery_refresh, domain;
type recovery_refresh_exec, system_file_type, exec_type, file_type;
allow recovery_refresh pstorefs:dir search;
allow recovery_refresh pstorefs:file { getattr open read ioctl lock map watch watch_reads };
# NB: domain inherits write_logd which hands us write to pmsg_device
###
### Neverallow rules
###
### recovery_refresh should NEVER do any of this
# Block device access.
neverallow recovery_refresh dev_type:blk_file { read write };
# ptrace any other app
neverallow recovery_refresh domain:process ptrace;
# Write to /system.
neverallow recovery_refresh system_file_type:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
# Write to files in /data/data or system files on /data
neverallow recovery_refresh { app_data_file_type system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
#line 1 "system/sepolicy/public/remote_provisioning_service_server.te"
# This service is hosted by system server, and provides a stable aidl
# front-end for a mainline module that is loaded into system server.
#line 3
allow remote_provisioning_service_server remote_provisioning_service:service_manager { add find };
#line 3
neverallow { domain -remote_provisioning_service_server } remote_provisioning_service:service_manager add;
#line 3
#line 3
# On debug builds with root, allow binder services to use binder over TCP.
#line 3
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 3
#line 3
#line 5
# Call the servicemanager and transfer references to it.
#line 5
allow remote_provisioning_service_server servicemanager:binder { call transfer };
#line 5
# Allow servicemanager to send out callbacks
#line 5
allow servicemanager remote_provisioning_service_server:binder { call transfer };
#line 5
# servicemanager performs getpidcon on clients.
#line 5
allow servicemanager remote_provisioning_service_server:dir search;
#line 5
allow servicemanager remote_provisioning_service_server:file { read open };
#line 5
allow servicemanager remote_provisioning_service_server:process getattr;
#line 5
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 5
# all domains in domain.te.
#line 5
#line 1 "system/sepolicy/public/rkpd_app.te"
###
### A domain for sandboxing the remote key provisioning daemon
### app that is shipped via mainline.
###
type rkpdapp, domain;
#line 1 "system/sepolicy/public/rootdisk_sysdev.te"
allow rootdisk_sysdev sysfs:filesystem associate;
#line 1 "system/sepolicy/public/rs.te"
type rs, domain, coredomain;
type rs_exec, system_file_type, exec_type, file_type;
#line 1 "system/sepolicy/public/rss_hwm_reset.te"
# rss_hwm_reset resets RSS high-water mark counters for all procesess.
type rss_hwm_reset, domain, coredomain, mlstrustedsubject;
#line 1 "system/sepolicy/public/runas.te"
type runas, domain, mlstrustedsubject;
type runas_exec, system_file_type, exec_type, file_type;
allow runas adbd:fd use;
allow runas adbd:process sigchld;
allow runas adbd:unix_stream_socket { read write };
allow runas shell:fd use;
allow runas shell:fifo_file { read write };
allow runas shell:unix_stream_socket { read write };
allow runas devpts:chr_file { read write ioctl };
allow runas shell_data_file:file { read write };
# run-as reads package information.
allow runas system_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow runas system_data_file:lnk_file getattr;
allow runas packages_list_file:file { getattr open read ioctl lock map watch watch_reads };
# The app's data dir may be accessed through a symlink.
allow runas system_data_file:lnk_file read;
# run-as checks and changes to the app data dir.
dontaudit runas self:{ capability cap_userns } { dac_override dac_read_search };
allow runas app_data_file:dir { getattr search };
# run-as switches to the app UID/GID.
allow runas self:{ capability cap_userns } { setuid setgid };
# run-as switches to the app security context.
#line 29
#line 29
allow runas selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 29
allow runas selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 29
#line 29
allow runas selinuxfs:file { open append write lock map };
#line 29
allow runas kernel:security check_context;
#line 29
# validate context
allow runas self:process setcurrent;
allow runas { appdomain -system_app }:process dyntransition; # setcon
# runas/libselinux needs access to seapp_contexts_file to
# determine which domain to transition to.
allow runas seapp_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
###
### neverallow rules
###
# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
neverallow runas self:{ capability cap_userns } ~{ setuid setgid };
neverallow runas self:{ capability2 cap2_userns } *;
#line 1 "system/sepolicy/public/runas_app.te"
type runas_app, domain;
#line 1 "system/sepolicy/public/scheduler_service_server.te"
#line 1
allow scheduler_service_server fwk_scheduler_hwservice:hwservice_manager { add find };
#line 1
allow scheduler_service_server hidl_base_hwservice:hwservice_manager add;
#line 1
neverallow { domain -scheduler_service_server } fwk_scheduler_hwservice:hwservice_manager add;
#line 1
#line 1 "system/sepolicy/public/sdcardd.te"
type sdcardd, domain;
type sdcardd_exec, system_file_type, exec_type, file_type;
allow sdcardd cgroup:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow sdcardd cgroup_v2:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow sdcardd fuse_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
allow sdcardd sdcardfs:filesystem remount;
allow sdcardd tmpfs:dir { open getattr read search ioctl lock watch watch_reads };
allow sdcardd mnt_media_rw_file:dir { open getattr read search ioctl lock watch watch_reads };
allow sdcardd storage_file:dir search;
allow sdcardd storage_stub_file:dir { search mounton };
allow sdcardd { sdcard_type fuse }:filesystem { mount unmount };
allow sdcardd self:{ capability cap_userns } { setuid setgid dac_override dac_read_search sys_admin sys_resource };
allow sdcardd { sdcard_type fuse }:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow sdcardd { sdcard_type fuse }:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow sdcardd media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow sdcardd media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Read /data/system/packages.list.
allow sdcardd system_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow sdcardd packages_list_file:file { getattr open read ioctl lock map watch watch_reads };
# Read /data/misc/installd/layout_version
allow sdcardd install_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow sdcardd install_data_file:dir search;
# Allow stdin/out back to vold
allow sdcardd vold:fd use;
allow sdcardd vold:fifo_file { read write getattr };
# Allow running on top of expanded storage
allow sdcardd mnt_expand_file:dir search;
# access /proc/filesystems
allow sdcardd proc_filesystems:file { getattr open read ioctl lock map watch watch_reads };
###
### neverallow rules
###
# The sdcard daemon should no longer be started from init
neverallow init sdcardd_exec:file execute;
neverallow init sdcardd:process { transition dyntransition };
#line 1 "system/sepolicy/public/secure_element.te"
# secure_element subsystem
type secure_element, domain;
#line 1 "system/sepolicy/public/sensor_service_server.te"
#line 1
allow sensor_service_server fwk_sensor_hwservice:hwservice_manager { add find };
#line 1
allow sensor_service_server hidl_base_hwservice:hwservice_manager add;
#line 1
neverallow { domain -sensor_service_server } fwk_sensor_hwservice:hwservice_manager add;
#line 1
#line 1 "system/sepolicy/public/service.te"
type aidl_lazy_test_service, service_manager_type;
type apc_service, service_manager_type;
type apex_service, service_manager_type;
type artd_service, service_manager_type;
type artd_pre_reboot_service, service_manager_type;
type audioserver_service, service_manager_type, isolated_compute_allowed_service;
type authorization_service, service_manager_type;
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type bluetooth_service, service_manager_type;
type cameraserver_service, service_manager_type, isolated_compute_allowed_service;
type fwk_camera_service, service_manager_type;
type default_android_service, service_manager_type;
type device_config_updatable_service, system_api_service, system_server_service,service_manager_type;
type dexopt_chroot_setup_service, service_manager_type;
type dnsresolver_service, service_manager_type;
type drmserver_service, service_manager_type;
type dumpstate_service, service_manager_type;
type evsmanagerd_service, service_manager_type;
type fingerprintd_service, service_manager_type;
type fwk_automotive_display_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
type gpu_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type idmap_service, service_manager_type;
type incident_service, service_manager_type;
type installd_service, service_manager_type;
type credstore_service, app_api_service, service_manager_type;
type keystore_compat_hal_service, service_manager_type;
type keystore_maintenance_service, service_manager_type;
type keystore_metrics_service, service_manager_type;
type keystore_service, service_manager_type;
type legacykeystore_service, service_manager_type;
type lpdump_service, service_manager_type;
type mdns_service, service_manager_type;
type mediaserver_service, service_manager_type, isolated_compute_allowed_service;
type mediametrics_service, service_manager_type;
type mediaextractor_service, service_manager_type;
type mediadrmserver_service, service_manager_type;
type mediatranscoding_service, app_api_service, service_manager_type;
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type ondevicepersonalization_system_service, system_api_service, system_server_service, service_manager_type;
type ot_daemon_service, service_manager_type;
type profiling_service, app_api_service, system_server_service, service_manager_type;
type radio_service, service_manager_type;
type secure_element_service, service_manager_type;
type service_manager_service, service_manager_type;
type storaged_service, service_manager_type;
type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type system_app_service, service_manager_type;
type system_net_netd_service, service_manager_type;
type system_suspend_control_internal_service, service_manager_type;
type system_suspend_control_service, service_manager_type;
type update_engine_service, service_manager_type;
type update_engine_stable_service, service_manager_type;
type virtualization_service, service_manager_type;
type virtual_camera_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
type vr_hwc_service, service_manager_type;
type vrflinger_vsync_service, service_manager_type;
# system_server_services broken down
type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type account_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type activity_task_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type adb_service, system_api_service, system_server_service, service_manager_type;
type adservices_manager_service, system_api_service, system_server_service, service_manager_type;
type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type app_binding_service, system_server_service, service_manager_type;
type app_hibernation_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type app_integrity_service, system_api_service, system_server_service, service_manager_type;
type app_prediction_service, app_api_service, system_server_service, service_manager_type;
type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type archive_service, app_api_service, system_server_service, service_manager_type;
type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type attestation_verification_service, app_api_service, system_server_service, service_manager_type;
type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type auth_service, app_api_service, system_server_service, service_manager_type;
type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type battery_service, system_server_service, service_manager_type;
type binder_calls_stats_service, system_server_service, service_manager_type;
type blob_store_service, app_api_service, system_server_service, service_manager_type;
type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type broadcastradio_service, app_api_service, system_server_service, service_manager_type;
type cacheinfo_service, system_api_service, system_server_service, service_manager_type;
type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type cloudsearch_service, app_api_service, system_server_service, service_manager_type;
type contexthub_service, app_api_service, system_server_service, service_manager_type;
type contextual_search_service, app_api_service, system_server_service, service_manager_type;
type crossprofileapps_service, app_api_service, system_server_service, service_manager_type;
type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connectivity_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_service;
type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
# with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
type coverage_service, system_server_service, service_manager_type;
type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
type cpu_monitor_service, system_server_service, service_manager_type;
type credential_service, app_api_service, ephemeral_app_api_service, system_api_service, system_server_service, service_manager_type;
type dataloader_manager_service, system_server_service, service_manager_type;
type dbinfo_service, system_api_service, system_server_service, service_manager_type;
type device_config_service, system_server_service, service_manager_type;
type device_policy_service, app_api_service, system_server_service, service_manager_type;
type device_state_service, app_api_service, system_api_service, system_server_service, service_manager_type, isolated_compute_allowed_service;
type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type devicestoragemonitor_service, system_server_service, service_manager_type;
type diskstats_service, system_api_service, system_server_service, service_manager_type;
type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type domain_verification_service, app_api_service, system_server_service, service_manager_type;
type color_display_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type ecm_enhanced_confirmation_service, app_api_service, system_server_service, service_manager_type;
type external_vibrator_service, system_server_service, service_manager_type;
type file_integrity_service, app_api_service, system_server_service, service_manager_type;
type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netd_listener_service, system_server_service, service_manager_type;
type network_watchlist_service, system_server_service, service_manager_type;
type devicelock_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type DockObserver_service, system_server_service, service_manager_type;
type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type ethernet_service, app_api_service, system_server_service, service_manager_type;
type biometric_service, app_api_service, system_server_service, service_manager_type;
type bugreport_service, app_api_service, system_server_service, service_manager_type;
type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
type fwk_altitude_service, system_server_service, service_manager_type;
type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
type fwk_sensor_service, system_server_service, service_manager_type;
type fwk_vibrator_control_service, system_server_service, service_manager_type;
type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type gnss_time_update_service, system_server_service, service_manager_type;
type grammatical_inflection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hdmi_control_service, app_api_service, system_server_service, service_manager_type;
type healthconnect_service, app_api_service, system_server_service, service_manager_type;
type hint_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type incremental_service, system_server_service, service_manager_type;
type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
# Continuation of the Binder service types hosted by system_server (the
# section header precedes this chunk). The attribute list on each type is
# what the find/add rules elsewhere key on: app_api_service,
# ephemeral_app_api_service and system_api_service presumably widen or
# narrow which app domains may `find` the service. The attribute
# definitions are not in this chunk -- confirm against public/attributes
# before relying on that reading.
type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type iris_service, app_api_service, system_server_service, service_manager_type;
type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type legacy_permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type light_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type locale_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type location_time_zone_manager_service, system_server_service, service_manager_type;
type lock_settings_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type looper_stats_service, system_server_service, service_manager_type;
type media_communication_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_metrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type meminfo_service, system_api_service, system_server_service, service_manager_type;
type memtrackproxy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type music_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type nearby_service, app_api_service, system_server_service, service_manager_type;
type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type network_score_service, system_api_service, system_server_service, service_manager_type;
type network_stack_service, system_server_service, service_manager_type;
type network_time_update_service, system_server_service, service_manager_type;
type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type oem_lock_service, system_api_service, system_server_service, service_manager_type;
type otadexopt_service, system_server_service, service_manager_type;
type overlay_service, system_api_service, system_server_service, service_manager_type;
type pac_proxy_service, app_api_service, system_server_service, service_manager_type;
type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type package_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type people_service, app_api_service, system_server_service, service_manager_type;
type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type permission_checker_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
type pinner_service, system_server_service, service_manager_type;
type powerstats_service, app_api_service, system_server_service, service_manager_type;
type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type processinfo_service, system_server_service, service_manager_type;
type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
type recovery_service, system_server_service, service_manager_type;
type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type remote_auth_service, app_api_service, system_server_service, service_manager_type;
type remote_provisioning_service, system_server_service, service_manager_type;
type resources_manager_service, system_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type role_service, app_api_service, system_server_service, service_manager_type;
type rollback_service, app_api_service, system_server_service, service_manager_type;
type runtime_service, system_server_service, service_manager_type;
type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type samplingprofiler_service, system_server_service, service_manager_type;
type scheduling_policy_service, system_server_service, service_manager_type;
type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type search_ui_service, app_api_service, system_server_service, service_manager_type;
type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
type security_state_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type selection_toolbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensitive_content_protection_service, app_api_service, system_server_service, service_manager_type;
type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type serial_service, system_api_service, system_server_service, service_manager_type;
type servicediscovery_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type shortcut_service, app_api_service, system_server_service, service_manager_type;
type slice_service, app_api_service, system_server_service, service_manager_type;
type smartspace_service, app_api_service, system_server_service, service_manager_type;
type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sdk_sandbox_service, app_api_service, system_server_service, service_manager_type;
type system_config_service, system_api_service, system_server_service, service_manager_type;
type system_server_dumper_service, system_api_service, system_server_service, service_manager_type;
type system_update_service, system_server_service, service_manager_type;
type soundtrigger_middleware_service, system_server_service, service_manager_type;
# NOTE(review): speech_recognition_service is the only system_server service
# in this run that also carries isolated_compute_allowed_service; what that
# attribute grants is defined outside this chunk.
type speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_service;
type tare_service, app_api_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
type testharness_service, system_server_service, service_manager_type;
type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type texttospeech_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type threadnetwork_service, app_api_service, system_server_service, service_manager_type;
type timedetector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_ad_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_iapp_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type updatelock_service, system_api_service, system_server_service, service_manager_type;
type uri_grants_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type usb_service, app_api_service, system_server_service, service_manager_type;
type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type uwb_service, app_api_service, system_server_service, service_manager_type;
type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type virtual_device_service, app_api_service, system_server_service, service_manager_type;
type virtual_device_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vpn_management_service, app_api_service, system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type;
type wallpaper_service, app_api_service, system_server_service, service_manager_type;
type wallpaper_effects_generation_service, app_api_service, system_server_service, service_manager_type;
type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type wifip2p_service, app_api_service, system_server_service, service_manager_type;
type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
type wifi_service, app_api_service, system_server_service, service_manager_type;
# NOTE(review): unlike its neighbours this type is neither system_server_service
# nor any *_api_service, so it is presumably registered by a different domain
# and reachable only by explicitly allowed clients -- verify against the
# registering domain's policy.
type wifinl80211_service, service_manager_type;
type wifiaware_service, app_api_service, system_server_service, service_manager_type;
type window_service, system_api_service, system_server_service, service_manager_type;
type inputflinger_service, system_api_service, system_server_service, service_manager_type;
type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type emergency_affordance_service, system_server_service, service_manager_type;
###
### HAL Services
###
# Binder service types registered by HAL implementations (hal_service_type).
# Most also carry protected_service; the ones that do not (audiocontrol, cas,
# codec2, drm, graphics_allocator, graphics_mapper, neuralnetworks) are
# presumably the HALs that app domains are allowed to reach directly -- the
# rules that give protected_service its meaning are outside this chunk, so
# confirm against the app neverallows before treating that as a guarantee.
type hal_audio_service, protected_service, hal_service_type, service_manager_type;
type hal_audiocontrol_service, hal_service_type, service_manager_type;
type hal_authgraph_service, protected_service, hal_service_type, service_manager_type;
type hal_authsecret_service, protected_service, hal_service_type, service_manager_type;
type hal_bluetooth_service, protected_service, hal_service_type, service_manager_type;
type hal_bootctl_service, protected_service, hal_service_type, service_manager_type;
type hal_broadcastradio_service, protected_service, hal_service_type, service_manager_type;
type hal_camera_service, protected_service, hal_service_type, service_manager_type;
type hal_can_controller_service, protected_service, hal_service_type, service_manager_type;
type hal_cas_service, hal_service_type, service_manager_type;
# codec2 is the only HAL here that is also isolated_compute_allowed_service.
type hal_codec2_service, hal_service_type, service_manager_type, isolated_compute_allowed_service;
type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
type hal_drm_service, hal_service_type, service_manager_type;
type hal_dumpstate_service, protected_service, hal_service_type, service_manager_type;
type hal_evs_service, protected_service, hal_service_type, service_manager_type;
type hal_face_service, protected_service, hal_service_type, service_manager_type;
type hal_fastboot_service, protected_service, hal_service_type, service_manager_type;
type hal_fingerprint_service, protected_service, hal_service_type, service_manager_type;
type hal_gnss_service, protected_service, hal_service_type, service_manager_type;
type hal_graphics_allocator_service, hal_service_type, service_manager_type;
type hal_graphics_composer_service, protected_service, hal_service_type, service_manager_type;
type hal_graphics_mapper_service, hal_service_type, service_manager_type;
type hal_health_service, protected_service, hal_service_type, service_manager_type;
type hal_health_storage_service, protected_service, hal_service_type, service_manager_type;
type hal_identity_service, protected_service, hal_service_type, service_manager_type;
type hal_input_processor_service, protected_service, hal_service_type, service_manager_type;
type hal_ir_service, protected_service, hal_service_type, service_manager_type;
type hal_ivn_service, protected_service, hal_service_type, service_manager_type;
# keymint / secureclock / sharedsecret are additionally excluded from the
# shell domain by an explicit neverallow in shell.te (later in this file).
type hal_keymint_service, protected_service, hal_service_type, service_manager_type;
type hal_light_service, protected_service, hal_service_type, service_manager_type;
type hal_macsec_service, protected_service, hal_service_type, service_manager_type;
type hal_memtrack_service, protected_service, hal_service_type, service_manager_type;
type hal_neuralnetworks_service, hal_service_type, service_manager_type;
type hal_nfc_service, protected_service, hal_service_type, service_manager_type;
type hal_oemlock_service, protected_service, hal_service_type, service_manager_type;
type hal_power_service, protected_service, hal_service_type, service_manager_type;
type hal_power_stats_service, protected_service, hal_service_type, service_manager_type;
type hal_radio_service, protected_service, hal_service_type, service_manager_type;
type hal_rebootescrow_service, protected_service, hal_service_type, service_manager_type;
type hal_remoteaccess_service, protected_service, hal_service_type, service_manager_type;
type hal_remotelyprovisionedcomponent_avf_service, protected_service, hal_service_type, service_manager_type;
type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
type hal_sensors_service, protected_service, hal_service_type, service_manager_type;
type hal_secretkeeper_service, protected_service, hal_service_type, service_manager_type;
type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
type hal_secure_element_service, protected_service, hal_service_type, service_manager_type;
type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type;
type hal_system_suspend_service, protected_service, hal_service_type, service_manager_type;
type hal_tetheroffload_service, protected_service, hal_service_type, service_manager_type;
type hal_thermal_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_hdmi_cec_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_hdmi_connection_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_hdmi_earc_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_input_service, protected_service, hal_service_type, service_manager_type;
type hal_threadnetwork_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_tuner_service, protected_service, hal_service_type, service_manager_type;
type hal_usb_service, protected_service, hal_service_type, service_manager_type;
type hal_usb_gadget_service, protected_service, hal_service_type, service_manager_type;
type hal_uwb_service, protected_service, hal_service_type, service_manager_type;
type hal_vehicle_service, protected_service, hal_service_type, service_manager_type;
type hal_vibrator_service, protected_service, hal_service_type, service_manager_type;
type hal_weaver_service, protected_service, hal_service_type, service_manager_type;
type hal_nlinterceptor_service, protected_service, hal_service_type, service_manager_type;
type hal_wifi_service, protected_service, hal_service_type, service_manager_type;
type hal_wifi_hostapd_service, protected_service, hal_service_type, service_manager_type;
type hal_wifi_supplicant_service, protected_service, hal_service_type, service_manager_type;
type hal_gatekeeper_service, protected_service, hal_service_type, service_manager_type;
###
### Neverallow rules
###
# servicemanager handles registering or looking up named services.
# It does not make sense to register or lookup something which is not a service.
# Trigger a compile error if this occurs.
# Build-time assertion: an allow rule granting add/find on anything that is
# not a service_manager_type or vndservice_manager_type (typically a typo or
# a mislabelled type) fails the policy build instead of silently widening
# what can be registered or looked up.
neverallow domain ~{ service_manager_type vndservice_manager_type }:service_manager { add find };
#line 1 "system/sepolicy/public/servicemanager.te"
# servicemanager - the Binder context manager
type servicemanager, domain, mlstrustedsubject;
type servicemanager_exec, system_file_type, exec_type, file_type;
# Note that we do not use the binder_* macros here.
# servicemanager is unique in that it only provides
# name service (aka context manager) for Binder.
# As such, it only ever receives and transfers other references
# created by other domains. It never passes its own references
# or initiates a Binder IPC.
allow servicemanager self:binder set_context_mgr;
# transfer is granted towards every domain except the init domains and the
# other two context managers (hw/vnd servicemanager); no `call` is granted,
# consistent with the comment above.
allow servicemanager {
domain
-init
-vendor_init
-hwservicemanager
-vndservicemanager
}:binder transfer;
# service_contexts are the label table servicemanager consults when it checks
# add/find below.
allow servicemanager service_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
allow servicemanager vendor_service_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# nonplat_service_contexts only accessible on non full-treble devices
# NOTE(review): this rule is byte-for-byte identical to the one two lines
# above (the nonplat type presumably collapsed into vendor_service_contexts_file
# at some point). Harmless in the compiled policy, but the comment is stale.
allow servicemanager vendor_service_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
#line 27
allow servicemanager service_manager_service:service_manager { add find };
#line 27
# Only servicemanager itself may register the "manager" service; every other
# domain is forbidden at build time.
neverallow { domain -servicemanager } service_manager_service:service_manager add;
#line 27
#line 27
# On debug builds with root, allow binder services to use binder over TCP.
#line 27
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 27
# (No rule follows the comment above in this build: the TCP allow appears to
# have been conditionally compiled out, which is what you want in a
# user-build artefact.)
#line 27
allow servicemanager dumpstate:fd use;
allow servicemanager dumpstate:fifo_file write;
# Check SELinux permissions.
# servicemanager is a userspace object manager: it reads selinuxfs, asks the
# kernel for access decisions (compute_av) and writes the access-vector
# cache entries back, so that service_manager add/find is enforced per
# caller label. The netlink_selinux_socket is presumably for policy-reload /
# enforcing-mode notifications -- TODO confirm against the AVC code.
#line 32
#line 32
allow servicemanager selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 32
allow servicemanager selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 32
#line 32
allow servicemanager selinuxfs:file { open append write lock map };
#line 32
allow servicemanager kernel:security compute_av;
#line 32
allow servicemanager self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
#line 32
# Denials are logged to the kernel log.
allow servicemanager kmsg_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 39
#line 1 "system/sepolicy/public/sgdisk.te"
# sgdisk called from vold
# Partition-table tool, confined to a domain that only vold can enter.
type sgdisk, domain;
type sgdisk_exec, system_file_type, exec_type, file_type;
# Allowed to read/write low-level partition tables
allow sgdisk block_device:dir search;
allow sgdisk vold_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# HDIO_GETGEO needed to get the number of disk heads
# on vold_device. How quaint.
allowxperm sgdisk vold_device:blk_file ioctl { 0x00000301 };
# sgdisk also uses BLKGETSIZE and BLKGETSIZE64. BLKGETSIZE64
# is granted to all block device users in domain.te, so
# no need to mention it here. sgdisk should not be
# using the BLKGETSIZE ioctl as it is useless for devices over
# 2T in size, but we allow it for now and hope that sgdisk
# will fix their bug.
allowxperm sgdisk vold_device:blk_file ioctl { 0x00001260 };
# Force a re-read of the partition table.
# 0x125f is BLKRRPART.
allowxperm sgdisk vold_device:blk_file ioctl { 0x0000125f };
# Allow reading of the physical block size.
# 0x127b is BLKPBSZGET.
allowxperm sgdisk vold_device:blk_file ioctl { 0x0000127b };
# Inherit and use pty created by android_fork_execvp()
allow sgdisk devpts:chr_file { read write ioctl getattr };
# Allow stdin/out back to vold
allow sgdisk vold:fd use;
allow sgdisk vold:fifo_file { read write getattr };
# Used to probe kernel to reload partition tables
allow sgdisk self:{ capability cap_userns } sys_admin;
# Only allow entry from vold
# The three neverallows below pin the confinement: only vold may exec into
# this domain, nothing may dyntransition into it, and the only valid
# entrypoint is sgdisk_exec.
neverallow { domain -vold } sgdisk:process transition;
neverallow * sgdisk:process dyntransition;
neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
#line 1 "system/sepolicy/public/shared_relro.te"
# Process which creates/updates shared RELRO files to be used by other apps.
# Only the type declaration is public; the domain's allow rules are presumably
# in private policy and are not in this chunk.
type shared_relro, domain;
#line 1 "system/sepolicy/public/shell.te"
# Domain for shell processes spawned by ADB or console service.
# This is the developer-facing, non-root attack surface: every allow below is
# reachable from `adb shell`, so each grant should be read as "exposed to
# anyone with USB debugging".
type shell, domain, mlstrustedsubject;
type shell_exec, system_file_type, exec_type, file_type;
# Create and use network sockets.
#line 6
typeattribute shell netdomain;
#line 6
# logcat
#line 9
allow shell logcat_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 9
#line 9
allow shell logdr_socket:sock_file write;
#line 9
allow shell logd:unix_stream_socket connectto;
#line 9
#line 9
#line 10
# Group AID_LOG checked by filesystem & logd
#line 10
# to permit control commands
#line 10
#line 10
allow shell logd_socket:sock_file write;
#line 10
allow shell logd:unix_stream_socket connectto;
#line 10
#line 10
#line 11
allow shell logd_prop:file { getattr open read map };
#line 11
# logcat -L (directly, or via dumpstate)
allow shell pstorefs:dir search;
allow shell pstorefs:file { getattr open read ioctl lock map watch watch_reads };
# Root fs.
allow shell rootfs:dir { open getattr read search ioctl lock watch watch_reads };
# read files in /data/anr
allow shell anr_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow shell anr_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Access /data/local/tmp.
# Full create/rename/unlink plus execute: this is the directory from which
# adb-pushed binaries are run, so its contents must never be trusted by
# other domains.
allow shell shell_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow shell shell_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow shell shell_data_file:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow shell shell_data_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Access /data/local/tests.
# Same shape as /data/local/tmp, plus sock_file for test fixtures.
allow shell shell_test_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow shell shell_test_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow shell shell_test_data_file:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow shell shell_test_data_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow shell shell_test_data_file:sock_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Read and delete from /data/local/traces.
# Read + unlink only; shell cannot create or modify traces here.
allow shell trace_data_file:file { { getattr open read ioctl lock map watch watch_reads } unlink };
allow shell trace_data_file:dir { { open getattr read search ioctl lock watch watch_reads } remove_name write };
# Access /data/misc/profman.
allow shell profman_dump_data_file:dir { write remove_name { open getattr read search ioctl lock watch watch_reads } };
allow shell profman_dump_data_file:file { unlink { getattr open read ioctl lock map watch watch_reads } };
# Read/execute files in /data/nativetest
# (No rule follows in this build -- the /data/nativetest grant appears to be
# conditionally compiled out, leaving only the comment.)
#line 48
# adb bugreport
#line 51
allow shell dumpstate_socket:sock_file write;
#line 51
allow shell dumpstate:unix_stream_socket connectto;
#line 51
allow shell devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow shell tty_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow shell console_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Input devices are read-only for shell; the write side is presumably covered
# by the b/30861057 neverallow further down in this file.
allow shell input_device:dir { open getattr read search ioctl lock watch watch_reads };
allow shell input_device:chr_file { getattr open read ioctl lock map watch watch_reads };
#line 60
allow shell system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 60
allow shell system_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 60
allow shell system_file:file { getattr execute execute_no_trans map };
allow shell toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow shell shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow shell zygote_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 70
# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
# TODO: why is this so broad? Tightening candidate? It needs at least:
# - dumpstate_service (so it can receive dumpstate progress updates)
# Deny-list shape: `find` on every service_manager_type except the listed
# exclusions. Anything newly declared as service_manager_type elsewhere
# becomes reachable from adb shell by default unless it is added here; the
# three hal_* exclusions are additionally pinned by a neverallow at the end
# of this file.
allow shell {
service_manager_type
-apex_service
-dnsresolver_service
-gatekeeper_service
-hal_keymint_service
-hal_secureclock_service
-hal_sharedsecret_service
-incident_service
-installd_service
-mdns_service
-netd_service
-system_suspend_control_internal_service
-system_suspend_control_service
-virtual_touchpad_service
-vold_service
-default_android_service
}:service_manager find;
allow shell dumpstate:binder call;
# allow shell to get information from hwservicemanager
# for instance, listing hardware services with lshal
#line 99
# Call the hwservicemanager and transfer references to it.
#line 99
allow shell hwservicemanager:binder { call transfer };
#line 99
# Allow hwservicemanager to send out callbacks
#line 99
allow hwservicemanager shell:binder { call transfer };
#line 99
# hwservicemanager performs getpidcon on clients.
#line 99
allow hwservicemanager shell:dir search;
#line 99
allow hwservicemanager shell:file { read open map };
#line 99
allow hwservicemanager shell:process getattr;
#line 99
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 99
# all domains in domain.te.
#line 99
allow shell hwservicemanager:hwservice_manager list;
# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
#line 103
allow shell proc_net_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 103
allow shell proc_net_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 103
allow shell {
proc_asound
proc_filesystems
proc_interrupts
proc_loadavg # b/124024827
proc_meminfo
proc_modules
proc_pid_max
proc_slabinfo
proc_stat
proc_timer
proc_uptime
proc_version
proc_vmstat
proc_zoneinfo
}:file { getattr open read ioctl lock map watch watch_reads };
# allow listing network interfaces under /sys/class/net.
allow shell sysfs_net:dir { open getattr read search ioctl lock watch watch_reads };
#line 125
allow shell cgroup:dir { open getattr read search ioctl lock watch watch_reads };
#line 125
allow shell cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 125
allow shell cgroup_desc_file:file { getattr open read ioctl lock map watch watch_reads };
allow shell cgroup_desc_api_file:file { getattr open read ioctl lock map watch watch_reads };
allow shell vendor_cgroup_desc_file:file { getattr open read ioctl lock map watch watch_reads };
#line 129
allow shell cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
#line 129
allow shell cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 129
# Target `domain` here means the /proc/<pid> entries of every process (they
# are labelled with the process's domain); read-only, no write or ptrace.
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
# statvfs() of /proc and other labeled filesystems
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
allow shell { proc labeledfs }:filesystem getattr;
# stat() of /dev
allow shell device:dir getattr;
# allow shell to read /proc/pid/attr/current for ps -Z
allow shell domain:process getattr;
# Allow pulling the SELinux policy for CTS purposes
allow shell selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
allow shell selinuxfs:file { getattr open read ioctl lock map watch watch_reads };
# enable shell domain to read/write files/dirs for bootchart data
# The user creates the start and stop files via adb shell
# and reads other files created by the init process under /data/bootchart
allow shell bootchart_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow shell bootchart_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Make sure strace works for the non-privileged shell user
# `self` only: shell may trace other shell-domain processes, not arbitrary
# domains.
allow shell self:process ptrace;
# allow shell to get battery info
allow shell sysfs:dir { open getattr read search ioctl lock watch watch_reads };
allow shell sysfs_batteryinfo:dir { open getattr read search ioctl lock watch watch_reads };
allow shell sysfs_batteryinfo:file { getattr open read ioctl lock map watch watch_reads };
# Allow access to ion memory allocation device.
# NOTE(review): this is a full read/write grant on a kernel allocator device
# from the adb-reachable domain; worth re-checking whether it is still needed
# on devices that have moved to dmabuf heaps.
allow shell ion_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#
# filesystem test for insecure chr_file's is done
# via a host side test
#
# getattr only on the dev_type attribute: enough to stat() every device node
# for the host-side permission check, without opening any of them.
allow shell dev_type:dir { open getattr read search ioctl lock watch watch_reads };
allow shell dev_type:chr_file getattr;
# /dev/fd is a symlink
allow shell proc:lnk_file getattr;
#
# filesystem test for insecure blk_file's is done
# via hostside test
#
allow shell dev_type:blk_file getattr;
# read selinux policy files
allow shell file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
allow shell property_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
allow shell seapp_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
allow shell service_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
allow shell sepolicy_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow shell to start up vendor shell
allow shell vendor_shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Everything is labeled as rootfs in recovery mode. Allow shell to
# execute them.
# (No rule follows in this build: the recovery-only rootfs execute grant
# appears to be conditionally compiled out here.)
#line 194
###
### Neverallow rules
###
# Do not allow shell to talk directly to security HAL services other than
# hal_remotelyprovisionedcomponent_service
neverallow shell {
hal_keymint_service
hal_secureclock_service
hal_sharedsecret_service
}:service_manager find;
# Do not allow shell to hard link to any files.
# In particular, if shell hard links to app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure the shell user never has this
# capability.
neverallow shell file_type:file link;
# Do not allow privileged socket ioctl commands
neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl
#line 217
{
#line 217
# qualcomm rmnet ioctls
#line 217
0x00006900 0x00006902
#line 217
# socket ioctls
#line 217
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 217
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 217
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 217
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 217
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 217
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 217
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 217
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 217
0x00008991 0x00008992 0x00008993 0x00008994
#line 217
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 217
# device and protocol specific ioctls
#line 217
0x000089f0-0x000089ff
#line 217
0x000089e0-0x000089ef
#line 217
# Wireless extension ioctls
#line 217
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 217
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 217
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 217
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 217
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 217
0x00008b34 0x00008b35 0x00008b36
#line 217
# Dev private ioctl i.e. hardware specific ioctls
#line 217
0x00008be0-0x00008bff
#line 217
};
# Limit shell access to sensitive char drivers to only the
# getattr required for the host side test.
neverallow shell {
fuse_device
hw_random_device
port_device
}:chr_file ~getattr;
# Limit shell to only getattr on blk devices for host side tests.
neverallow shell dev_type:blk_file ~getattr;
# b/30861057: Shell access to existing input devices is an abuse
# vector. The shell user can inject events that look like they
# originate from the touchscreen etc.
# Everyone should have already moved to UiAutomation#injectInputEvent
# if they are running instrumentation tests (i.e. CTS), Monkey for
# their stress tests, and the input command (adb shell input ...) for
# injecting swipes and things.
neverallow shell input_device:chr_file { append create link unlink relabelfrom rename setattr write };
#line 1 "system/sepolicy/public/simpleperf.te"
type simpleperf, domain;
#line 1 "system/sepolicy/public/simpleperf_app_runner.te"
type simpleperf_app_runner, domain, mlstrustedsubject;
type simpleperf_app_runner_exec, system_file_type, exec_type, file_type;
#line 1 "system/sepolicy/public/slideshow.te"
# slideshow seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type slideshow, domain;
allow slideshow kmsg_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 6
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 6
# deprecated.
#line 6
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 6
allow slideshow sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 6
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 6
allow slideshow self:{ capability2 cap2_userns } block_suspend;
#line 6
# system_suspend permissions
#line 6
#line 6
# Call the server domain and optionally transfer references to it.
#line 6
allow slideshow system_suspend_server:binder { call transfer };
#line 6
# Allow the serverdomain to transfer references to the client on the reply.
#line 6
allow system_suspend_server slideshow:binder transfer;
#line 6
# Receive and use open files from the server.
#line 6
allow slideshow system_suspend_server:fd use;
#line 6
#line 6
allow slideshow system_suspend_hwservice:hwservice_manager find;
#line 6
# halclientdomain permissions
#line 6
#line 6
# Call the hwservicemanager and transfer references to it.
#line 6
allow slideshow hwservicemanager:binder { call transfer };
#line 6
# Allow hwservicemanager to send out callbacks
#line 6
allow hwservicemanager slideshow:binder { call transfer };
#line 6
# hwservicemanager performs getpidcon on clients.
#line 6
allow hwservicemanager slideshow:dir search;
#line 6
allow hwservicemanager slideshow:file { read open map };
#line 6
allow hwservicemanager slideshow:process getattr;
#line 6
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6
#line 6
#line 6
allow slideshow hwservicemanager_prop:file { getattr open read map };
#line 6
#line 6
allow slideshow hidl_manager_hwservice:hwservice_manager find;
#line 6
# AIDL suspend hal permissions
#line 6
allow slideshow hal_system_suspend_service:service_manager find;
#line 6
#line 6
# Call the servicemanager and transfer references to it.
#line 6
allow slideshow servicemanager:binder { call transfer };
#line 6
# Allow servicemanager to send out callbacks
#line 6
allow servicemanager slideshow:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
#line 6
allow servicemanager slideshow:dir search;
#line 6
allow servicemanager slideshow:file { read open };
#line 6
allow servicemanager slideshow:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6
#line 6
allow slideshow device:dir { open getattr read search ioctl lock watch watch_reads };
allow slideshow self:{ capability cap_userns } sys_tty_config;
allow slideshow graphics_device:dir { open getattr read search ioctl lock watch watch_reads };
allow slideshow graphics_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow slideshow input_device:dir { open getattr read search ioctl lock watch watch_reads };
allow slideshow input_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow slideshow tty_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 1 "system/sepolicy/public/stats_service_server.te"
#line 1
allow stats_service_server fwk_stats_hwservice:hwservice_manager { add find };
#line 1
allow stats_service_server hidl_base_hwservice:hwservice_manager add;
#line 1
neverallow { domain -stats_service_server } fwk_stats_hwservice:hwservice_manager add;
#line 1
#line 2
allow stats_service_server fwk_stats_service:service_manager { add find };
#line 2
neverallow { domain -stats_service_server } fwk_stats_service:service_manager add;
#line 2
#line 2
# On debug builds with root, allow binder services to use binder over TCP.
#line 2
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 2
#line 2
#line 4
# Call the servicemanager and transfer references to it.
#line 4
allow stats_service_server servicemanager:binder { call transfer };
#line 4
# Allow servicemanager to send out callbacks
#line 4
allow servicemanager stats_service_server:binder { call transfer };
#line 4
# servicemanager performs getpidcon on clients.
#line 4
allow servicemanager stats_service_server:dir search;
#line 4
allow servicemanager stats_service_server:file { read open };
#line 4
allow servicemanager stats_service_server:process getattr;
#line 4
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 4
# all domains in domain.te.
#line 4
#line 1 "system/sepolicy/public/statsd.te"
type statsd, domain, mlstrustedsubject;
type statsd_exec, system_file_type, exec_type, file_type;
#line 4
# Call the servicemanager and transfer references to it.
#line 4
allow statsd servicemanager:binder { call transfer };
#line 4
# Allow servicemanager to send out callbacks
#line 4
allow servicemanager statsd:binder { call transfer };
#line 4
# servicemanager performs getpidcon on clients.
#line 4
allow servicemanager statsd:dir search;
#line 4
allow servicemanager statsd:file { read open };
#line 4
allow servicemanager statsd:process getattr;
#line 4
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 4
# all domains in domain.te.
#line 4
# Allow statsd to scan through /proc/pid for all processes.
#line 7
allow statsd domain:dir { open getattr read search ioctl lock watch watch_reads };
#line 7
allow statsd domain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 7
# Allow executing files on system, such as running a shell or running:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
allow statsd devpts:chr_file { getattr ioctl read write };
allow statsd shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow statsd system_file:file execute_no_trans;
allow statsd toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 20
# Create, read, and write into
# /data/misc/stats-active-metric
# /data/misc/stats-data
# /data/misc/stats-metadata
# /data/misc/stats-service
# /data/misc/train-info
allow statsd stats_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow statsd stats_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow statsd stats_config_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow statsd stats_config_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow statsd to make binder calls to any binder service.
#line 34
# Call the server domain and optionally transfer references to it.
#line 34
allow statsd appdomain:binder { call transfer };
#line 34
# Allow the serverdomain to transfer references to the client on the reply.
#line 34
allow appdomain statsd:binder transfer;
#line 34
# Receive and use open files from the server.
#line 34
allow statsd appdomain:fd use;
#line 34
#line 35
# Call the server domain and optionally transfer references to it.
#line 35
allow statsd incidentd:binder { call transfer };
#line 35
# Allow the serverdomain to transfer references to the client on the reply.
#line 35
allow incidentd statsd:binder transfer;
#line 35
# Receive and use open files from the server.
#line 35
allow statsd incidentd:fd use;
#line 35
#line 36
# Call the server domain and optionally transfer references to it.
#line 36
allow statsd system_server:binder { call transfer };
#line 36
# Allow the serverdomain to transfer references to the client on the reply.
#line 36
allow system_server statsd:binder transfer;
#line 36
# Receive and use open files from the server.
#line 36
allow statsd system_server:fd use;
#line 36
#line 37
# Call the server domain and optionally transfer references to it.
#line 37
allow statsd traced_probes:binder { call transfer };
#line 37
# Allow the serverdomain to transfer references to the client on the reply.
#line 37
allow traced_probes statsd:binder transfer;
#line 37
# Receive and use open files from the server.
#line 37
allow statsd traced_probes:fd use;
#line 37
# Allow statsd to interact with gpuservice
allow statsd gpu_service:service_manager find;
#line 41
# Call the server domain and optionally transfer references to it.
#line 41
allow statsd gpuservice:binder { call transfer };
#line 41
# Allow the serverdomain to transfer references to the client on the reply.
#line 41
allow gpuservice statsd:binder transfer;
#line 41
# Receive and use open files from the server.
#line 41
allow statsd gpuservice:fd use;
#line 41
# Allow statsd to interact with keystore to pull atoms
allow statsd keystore_service:service_manager find;
#line 45
# Call the server domain and optionally transfer references to it.
#line 45
allow statsd keystore:binder { call transfer };
#line 45
# Allow the serverdomain to transfer references to the client on the reply.
#line 45
allow keystore statsd:binder transfer;
#line 45
# Receive and use open files from the server.
#line 45
allow statsd keystore:fd use;
#line 45
# Allow statsd to interact with mediametrics
allow statsd mediametrics_service:service_manager find;
#line 49
# Call the server domain and optionally transfer references to it.
#line 49
allow statsd mediametrics:binder { call transfer };
#line 49
# Allow the serverdomain to transfer references to the client on the reply.
#line 49
allow mediametrics statsd:binder transfer;
#line 49
# Receive and use open files from the server.
#line 49
allow statsd mediametrics:fd use;
#line 49
# Allow statsd to interact with mediaserver
allow statsd mediaserver_service:service_manager find;
#line 53
# Call the server domain and optionally transfer references to it.
#line 53
allow statsd mediaserver:binder { call transfer };
#line 53
# Allow the serverdomain to transfer references to the client on the reply.
#line 53
allow mediaserver statsd:binder transfer;
#line 53
# Receive and use open files from the server.
#line 53
allow statsd mediaserver:fd use;
#line 53
# Allow logd access.
#line 56
allow statsd logcat_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 56
#line 56
allow statsd logdr_socket:sock_file write;
#line 56
allow statsd logd:unix_stream_socket connectto;
#line 56
#line 56
#line 57
# Group AID_LOG checked by filesystem & logd
#line 57
# to permit control commands
#line 57
#line 57
allow statsd logd_socket:sock_file write;
#line 57
allow statsd logd:unix_stream_socket connectto;
#line 57
#line 57
# Grant statsd with permissions to register the services.
allow statsd {
app_api_service
incident_service
system_api_service
}:service_manager find;
# Grant statsd to access health hal to access battery metrics.
allow statsd hal_health_hwservice:hwservice_manager find;
# Allow statsd to send dump info to dumpstate
allow statsd dumpstate:fd use;
allow statsd dumpstate:fifo_file { getattr write };
# Allow access to hardware layer and process stats.
allow statsd proc_uid_cputime_showstat:file { getattr open read };
#line 75
typeattribute statsd halclientdomain;
#line 75
typeattribute statsd hal_health_client;
#line 75
#line 75
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 75
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 75
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 75
#line 75
typeattribute statsd hal_health;
#line 75
# Find passthrough HAL implementations
#line 75
allow hal_health system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 75
allow hal_health vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 75
allow hal_health vendor_file:file { read open getattr execute map };
#line 75
#line 75
#line 76
typeattribute statsd halclientdomain;
#line 76
typeattribute statsd hal_power_client;
#line 76
#line 76
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 76
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 76
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 76
#line 76
typeattribute statsd hal_power;
#line 76
# Find passthrough HAL implementations
#line 76
allow hal_power system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 76
allow hal_power vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 76
allow hal_power vendor_file:file { read open getattr execute map };
#line 76
#line 76
#line 77
typeattribute statsd halclientdomain;
#line 77
typeattribute statsd hal_power_stats_client;
#line 77
#line 77
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 77
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 77
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 77
#line 77
typeattribute statsd hal_power_stats;
#line 77
# Find passthrough HAL implementations
#line 77
allow hal_power_stats system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 77
allow hal_power_stats vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 77
allow hal_power_stats vendor_file:file { read open getattr execute map };
#line 77
#line 77
#line 78
typeattribute statsd halclientdomain;
#line 78
typeattribute statsd hal_thermal_client;
#line 78
#line 78
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 78
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 78
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 78
#line 78
typeattribute statsd hal_thermal;
#line 78
# Find passthrough HAL implementations
#line 78
allow hal_thermal system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 78
allow hal_thermal vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 78
allow hal_thermal vendor_file:file { read open getattr execute map };
#line 78
#line 78
# Allow 'adb shell cmd' to upload configs and download output.
allow statsd adbd:fd use;
allow statsd adbd:unix_stream_socket { getattr read write };
allow statsd shell:fifo_file { getattr read write };
#line 85
allow statsd statsdw_socket:sock_file write;
#line 85
allow statsd statsd:unix_dgram_socket sendto;
#line 85
###
### neverallow rules
###
# Only statsd, and other root services in limited circumstances,
# can get to the files in /data/misc/stats-data and /data/misc/stats-service.
# Other services are prohibited from accessing these files.
neverallow { domain -statsd -init -vold } stats_data_file:file *;
neverallow { domain -statsd -system_server -init -vold } stats_config_data_file:file *;
# Limited access to the directory itself.
neverallow { domain -statsd -init -vold } stats_data_file:dir *;
neverallow { domain -statsd -system_server -init -vold } stats_config_data_file:dir *;
#line 1 "system/sepolicy/public/su.te"
# Domain used for su processes, as well as for adbd and adb shell
# after performing an adb root command.
# All types must be defined regardless of build variant to ensure
# policy compilation succeeds with userdebug/user combination at boot
type su, domain;
# File types must be defined for file_contexts.
type su_exec, system_file_type, exec_type, file_type;
#line 112
#line 1 "system/sepolicy/public/surfaceflinger.te"
# surfaceflinger - display compositor service
type surfaceflinger, domain;
type surfaceflinger_tmpfs, file_type;
#line 1 "system/sepolicy/public/system_app.te"
###
### Apps that run with the system UID, e.g. com.android.system.ui,
### com.android.settings. These are not as privileged as the system
### server.
###
type system_app, domain;
#line 1 "system/sepolicy/public/system_server.te"
#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
type system_server, domain;
type system_server_tmpfs, file_type, mlstrustedobject;
# Power controls for debugging/diagnostics
#line 9
allow system_server power_debug_prop:file { getattr open read map };
#line 9
#line 10
#line 10
allow system_server property_socket:sock_file write;
#line 10
allow system_server init:unix_stream_socket connectto;
#line 10
#line 10
allow system_server power_debug_prop:property_service set;
#line 10
#line 10
allow system_server power_debug_prop:file { getattr open read map };
#line 10
#line 10
neverallow {
domain
-init
-vendor_init
-system_server
-shell
} power_debug_prop:property_service set;
#line 1 "system/sepolicy/public/system_suspend_internal_server.te"
# To serve ISuspendControlServiceInternal.
#line 2
allow system_suspend_internal_server system_suspend_control_internal_service:service_manager { add find };
#line 2
neverallow { domain -system_suspend_internal_server } system_suspend_control_internal_service:service_manager add;
#line 2
#line 2
# On debug builds with root, allow binder services to use binder over TCP.
#line 2
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 2
#line 2
neverallow {
domain
-atrace # tracing
-dumpstate # bug reports
-system_suspend_internal_server # implements system_suspend_control_internal_service
-system_server # configures system_suspend via ISuspendControlServiceInternal
-traceur_app # tracing
} system_suspend_control_internal_service:service_manager find;
#line 1 "system/sepolicy/public/system_suspend_server.te"
# Required to export a HIDL interface.
#line 2
# Call the hwservicemanager and transfer references to it.
#line 2
allow system_suspend_server hwservicemanager:binder { call transfer };
#line 2
# Allow hwservicemanager to send out callbacks
#line 2
allow hwservicemanager system_suspend_server:binder { call transfer };
#line 2
# hwservicemanager performs getpidcon on clients.
#line 2
allow hwservicemanager system_suspend_server:dir search;
#line 2
allow hwservicemanager system_suspend_server:file { read open map };
#line 2
allow hwservicemanager system_suspend_server:process getattr;
#line 2
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 2
# all domains in domain.te.
#line 2
#line 3
allow system_suspend_server hwservicemanager_prop:file { getattr open read map };
#line 3
# To serve ISystemSuspend.hal.
#line 6
allow system_suspend_server system_suspend_hwservice:hwservice_manager { add find };
#line 6
allow system_suspend_server hidl_base_hwservice:hwservice_manager add;
#line 6
neverallow { domain -system_suspend_server } system_suspend_hwservice:hwservice_manager add;
#line 6
#line 1 "system/sepolicy/public/tee.te"
##
# trusted execution environment (tee) daemon
#
type tee, domain;
# Device(s) for communicating with the TEE
type tee_device, dev_type;
allow tee fingerprint_vendor_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow tee fingerprint_vendor_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
#line 1 "system/sepolicy/public/tombstoned.te"
# debugger interface
type tombstoned, domain, mlstrustedsubject;
type tombstoned_exec, system_file_type, exec_type, file_type;
# Write to arbitrary pipes given to us.
allow tombstoned domain:fd use;
allow tombstoned domain:fifo_file write;
allow tombstoned domain:dir { open getattr read search ioctl lock watch watch_reads };
allow tombstoned domain:file { getattr open read ioctl lock map watch watch_reads };
allow tombstoned tombstone_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow tombstoned tombstone_data_file:file { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } link };
# Changes for the new stack dumping mechanism. Each trace goes into a
# separate file, and these files are managed by tombstoned.
allow tombstoned anr_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow tombstoned anr_data_file:file { append create getattr open link unlink };
#line 1 "system/sepolicy/public/toolbox.te"
# Any toolbox command run by init.
# Do NOT use this domain for toolbox when run by any other domain.
type toolbox, domain;
type toolbox_exec, system_file_type, exec_type, file_type;
# /dev/__null__ created by init prior to policy load,
# open fd inherited by fsck.
allow toolbox tmpfs:chr_file { read write ioctl };
# Inherit and use pty created by android_fork_execvp_ext().
allow toolbox devpts:chr_file { read write getattr ioctl };
# mkswap-specific.
# Read/write block devices used for swap partitions.
# Assign the swap_block_device type to any such partition in your
# device/<vendor>/<product>/sepolicy/file_contexts file.
allow toolbox block_device:dir search;
allow toolbox swap_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Only allow entry from init via the toolbox binary.
neverallow { domain -init } toolbox:process transition;
neverallow * toolbox:process dyntransition;
neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
# rm -rf /data/per_boot
allow toolbox system_data_root_file:dir { remove_name write };
allow toolbox system_data_file:dir { rmdir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow toolbox system_data_file:file { getattr unlink };
# chattr +F /data/media in init
allow toolbox media_userdir_file:dir { { open getattr read search ioctl lock watch watch_reads } setattr };
allowxperm toolbox media_userdir_file:dir ioctl { 0x40086602 0x80086601 };
#line 1 "system/sepolicy/public/traced.te"
type traced, domain, coredomain, mlstrustedsubject;
type traced_tmpfs, file_type;
#line 1 "system/sepolicy/public/traced_perf.te"
type traced_perf, domain;
#line 1 "system/sepolicy/public/traced_probes.te"
type traced_probes, domain, coredomain, mlstrustedsubject;
#line 1 "system/sepolicy/public/traceur_app.te"
type traceur_app, domain;
allow traceur_app servicemanager:service_manager list;
allow traceur_app hwservicemanager:hwservice_manager list;
allow traceur_app {
service_manager_type
-apex_service
-dnsresolver_service
-gatekeeper_service
-incident_service
-installd_service
-lpdump_service
-mdns_service
-netd_service
-virtual_touchpad_service
-vold_service
-default_android_service
}:service_manager find;
# Allow traceur_app to use atrace HAL
#line 22
typeattribute traceur_app halclientdomain;
#line 22
typeattribute traceur_app hal_atrace_client;
#line 22
#line 22
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 22
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 22
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 22
#line 22
typeattribute traceur_app hal_atrace;
#line 22
# Find passthrough HAL implementations
#line 22
allow hal_atrace system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 22
allow hal_atrace vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 22
allow hal_atrace vendor_file:file { read open getattr execute map };
#line 22
#line 22
dontaudit traceur_app service_manager_type:service_manager find;
dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
dontaudit traceur_app domain:binder call;
#line 1 "system/sepolicy/public/ueventd.te"
# ueventd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type ueventd, domain;
type ueventd_tmpfs, file_type;
# Write to /dev/kmsg.
allow ueventd kmsg_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow ueventd self:{ capability cap_userns } { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
allow ueventd device:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
#line 12
allow ueventd rootfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow ueventd rootfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 12
# ueventd needs write access to files in /sys to regenerate uevents
allow ueventd sysfs_type:file { open append write lock map };
#line 16
allow ueventd sysfs_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 16
allow ueventd sysfs_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 16
allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
allow ueventd tmpfs:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow ueventd dev_type:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow ueventd dev_type:lnk_file { create unlink };
allow ueventd dev_type:chr_file { getattr create setattr unlink };
allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
allow ueventd self:netlink_kobject_uevent_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow ueventd efs_file:dir search;
allow ueventd efs_file:file { getattr open read ioctl lock map watch watch_reads };
# Get SELinux enforcing status.
#line 29
allow ueventd selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 29
allow ueventd selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 29
# Access for /vendor/ueventd.rc and /vendor/firmware
#line 32
allow ueventd { vendor_file_type -vendor_app_file -vendor_overlay_file }:dir { open getattr read search ioctl lock watch watch_reads };
#line 32
allow ueventd { vendor_file_type -vendor_app_file -vendor_overlay_file }:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 32
# Access for /apex/*/firmware
allow ueventd apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads };
# Get file contexts for new device nodes
allow ueventd file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;
# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
allow ueventd proc_cmdline:file { getattr open read ioctl lock map watch watch_reads };
allow ueventd proc_bootconfig:file { getattr open read ioctl lock map watch watch_reads };
# Everything is labeled as rootfs in recovery mode. ueventd has to execute
# the dynamic linker and shared libraries.
#line 51
# Suppress denials for ueventd to getattr /postinstall. This occurs when the
# linker tries to resolve paths in ld.config.txt.
dontaudit ueventd postinstall_mnt_dir:dir getattr;
# ueventd loads modules in response to modalias events.
allow ueventd self:{ capability cap_userns } sys_module;
allow ueventd vendor_file:system module_load;
allow ueventd kernel:key search;
# ueventd is using bootstrap bionic
#line 63
allow ueventd system_bootstrap_lib_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 63
allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
#line 63
# Allow ueventd to run shell scripts from vendor
allow ueventd vendor_shell_exec:file execute;
# Query device-mapper to extract name/uuid in response to uevents.
allow ueventd dm_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow ueventd self:capability sys_admin;
# Allow ueventd to read apexd property
#line 73
allow ueventd apexd_prop:file { getattr open read map };
#line 73
#####
##### neverallow rules
#####
# Restrict ueventd access on block devices to maintenance operations.
neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
# Only relabelto as we would never want to relabelfrom port_device
neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };
# Nobody should be able to ptrace ueventd
neverallow * ueventd:process ptrace;
# ueventd should never execute a program without changing to another domain.
neverallow ueventd { file_type fs_type }:file execute_no_trans;
#line 1 "system/sepolicy/public/uncrypt.te"
# uncrypt
type uncrypt, domain, mlstrustedsubject;
type uncrypt_exec, system_file_type, exec_type, file_type;
allow uncrypt self:{ capability cap_userns } { dac_override dac_read_search };
#line 10
# Read /cache/recovery/command
# Read /cache/recovery/uncrypt_file
allow uncrypt cache_file:dir search;
allow uncrypt cache_recovery_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow uncrypt cache_recovery_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
allow uncrypt ota_package_file:dir { open getattr read search ioctl lock watch watch_reads };
allow uncrypt ota_package_file:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Write to /dev/socket/uncrypt
#line 23
allow uncrypt uncrypt_socket:sock_file write;
#line 23
allow uncrypt uncrypt:unix_stream_socket connectto;
#line 23
# Raw writes to block device
allow uncrypt self:{ capability cap_userns } sys_rawio;
allow uncrypt misc_block_device:blk_file { open append write lock map };
allow uncrypt block_device:dir { open getattr read search ioctl lock watch watch_reads };
# Access userdata block device.
allow uncrypt userdata_block_device:blk_file { open append write lock map };
#line 33
allow uncrypt rootfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 33
allow uncrypt rootfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 33
# Access to bootconfig is needed when calling ReadDefaultFstab.
allow uncrypt {
proc_bootconfig
proc_cmdline
}:file { getattr open read ioctl lock map watch watch_reads };
# Read files in /sys
#line 43
allow uncrypt sysfs_dt_firmware_android:dir { open getattr read search ioctl lock watch watch_reads };
#line 43
allow uncrypt sysfs_dt_firmware_android:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 43
# Allow ReadDefaultFstab().
#line 46
allow uncrypt { metadata_file gsi_metadata_file_type }:dir search;
#line 46
allow uncrypt gsi_public_metadata_file:file { getattr open read ioctl lock map watch watch_reads };
#line 46
allow uncrypt { proc_bootconfig proc_cmdline }:file { getattr open read ioctl lock map watch watch_reads };
#line 46
#line 1 "system/sepolicy/public/untrusted_app.te"
###
### Untrusted apps.
###
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
### directory). The untrusted_app domain is the default assignment in
### seapp_contexts for any app with UID between APP_AID (10000)
### and AID_ISOLATED_START (99000) if the app has no specific seinfo
### value as determined from mac_permissions.xml. In current AOSP, this
### domain is assigned to all non-system apps as well as to any system apps
### that are not signed by the platform key. To move
### a system app into a specific domain, add a signer entry for it to
### mac_permissions.xml and assign it one of the pre-existing seinfo values
### or define and use a new seinfo value in both mac_permissions.xml and
### seapp_contexts.
###
# This file defines the rules for untrusted apps running with
# targetSdkVersion >= 34.
type untrusted_app, domain;
# This file defines the rules for untrusted apps running with
# 31 < targetSdkVersion <= 33.
type untrusted_app_32, domain;
# This file defines the rules for untrusted apps running with
# 29 < targetSdkVersion <= 31.
type untrusted_app_30, domain;
# This file defines the rules for untrusted apps running with
# targetSdkVersion = 29.
type untrusted_app_29, domain;
# This file defines the rules for untrusted apps running with
# 25 < targetSdkVersion <= 28.
type untrusted_app_27, domain;
# This file defines the rules for untrusted apps running with
# targetSdkVersion <= 25.
type untrusted_app_25, domain;
#line 1 "system/sepolicy/public/update_engine.te"
# Domain for update_engine daemon.
type update_engine, domain, update_engine_common;
type update_engine_exec, system_file_type, exec_type, file_type;
#line 5
typeattribute update_engine netdomain;
#line 5
;
# Following permissions are needed for update_engine.
allow update_engine self:process { setsched };
allow update_engine self:{ capability cap_userns } { fowner sys_admin };
# Note: fsetid checks are triggered when creating a file in a directory with
# the setgid bit set to determine if the file should inherit setgid. In this
# case, setgid on the file is undesirable so we should just suppress the
# denial.
dontaudit update_engine self:{ capability cap_userns } fsetid;
allow update_engine kmsg_device:chr_file { getattr { open append write lock map } };
allow update_engine update_engine_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 18
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 18
# deprecated.
#line 18
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 18
allow update_engine sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 18
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 18
allow update_engine self:{ capability2 cap2_userns } block_suspend;
#line 18
# system_suspend permissions
#line 18
#line 18
# Call the server domain and optionally transfer references to it.
#line 18
allow update_engine system_suspend_server:binder { call transfer };
#line 18
# Allow the server domain to transfer references to the client on the reply.
#line 18
allow system_suspend_server update_engine:binder transfer;
#line 18
# Receive and use open files from the server.
#line 18
allow update_engine system_suspend_server:fd use;
#line 18
#line 18
allow update_engine system_suspend_hwservice:hwservice_manager find;
#line 18
# halclientdomain permissions
#line 18
#line 18
# Call the hwservicemanager and transfer references to it.
#line 18
allow update_engine hwservicemanager:binder { call transfer };
#line 18
# Allow hwservicemanager to send out callbacks
#line 18
allow hwservicemanager update_engine:binder { call transfer };
#line 18
# hwservicemanager performs getpidcon on clients.
#line 18
allow hwservicemanager update_engine:dir search;
#line 18
allow hwservicemanager update_engine:file { read open map };
#line 18
allow hwservicemanager update_engine:process getattr;
#line 18
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 18
# all domains in domain.te.
#line 18
#line 18
#line 18
allow update_engine hwservicemanager_prop:file { getattr open read map };
#line 18
#line 18
allow update_engine hidl_manager_hwservice:hwservice_manager find;
#line 18
# AIDL suspend hal permissions
#line 18
allow update_engine hal_system_suspend_service:service_manager find;
#line 18
#line 18
# Call the servicemanager and transfer references to it.
#line 18
allow update_engine servicemanager:binder { call transfer };
#line 18
# Allow servicemanager to send out callbacks
#line 18
allow servicemanager update_engine:binder { call transfer };
#line 18
# servicemanager performs getpidcon on clients.
#line 18
allow servicemanager update_engine:dir search;
#line 18
allow servicemanager update_engine:file { read open };
#line 18
allow servicemanager update_engine:process getattr;
#line 18
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 18
# all domains in domain.te.
#line 18
#line 18
;
# Ignore these denials.
dontaudit update_engine kernel:process setsched;
dontaudit update_engine self:{ capability cap_userns } sys_rawio;
# Allow using persistent storage in /data/misc/update_engine.
allow update_engine update_engine_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow update_engine update_engine_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow using persistent storage in /data/misc/update_engine_log.
allow update_engine update_engine_log_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow update_engine update_engine_log_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Register the service to perform Binder IPC.
#line 33
# Call the servicemanager and transfer references to it.
#line 33
allow update_engine servicemanager:binder { call transfer };
#line 33
# Allow servicemanager to send out callbacks
#line 33
allow servicemanager update_engine:binder { call transfer };
#line 33
# servicemanager performs getpidcon on clients.
#line 33
allow servicemanager update_engine:dir search;
#line 33
allow servicemanager update_engine:file { read open };
#line 33
allow servicemanager update_engine:process getattr;
#line 33
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 33
# all domains in domain.te.
#line 33
#line 34
allow update_engine update_engine_service:service_manager { add find };
#line 34
neverallow { domain -update_engine } update_engine_service:service_manager add;
#line 34
#line 34
# On debug builds with root, allow binder services to use binder over TCP.
#line 34
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 34
#line 34
#line 35
allow update_engine update_engine_stable_service:service_manager { add find };
#line 35
neverallow { domain -update_engine } update_engine_stable_service:service_manager add;
#line 35
#line 35
# On debug builds with root, allow binder services to use binder over TCP.
#line 35
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 35
#line 35
# Allow update_engine to call the callback function provided by priv_app/GMS core.
#line 38
# Call the server domain and optionally transfer references to it.
#line 38
allow update_engine priv_app:binder { call transfer };
#line 38
# Allow the server domain to transfer references to the client on the reply.
#line 38
allow priv_app update_engine:binder transfer;
#line 38
# Receive and use open files from the server.
#line 38
allow update_engine priv_app:fd use;
#line 38
# b/142672293: No other priv-app should need this rule now that GMS core runs in its own domain.
#line 44
#line 46
# Call the server domain and optionally transfer references to it.
#line 46
allow update_engine gmscore_app:binder { call transfer };
#line 46
# Allow the server domain to transfer references to the client on the reply.
#line 46
allow gmscore_app update_engine:binder transfer;
#line 46
# Receive and use open files from the server.
#line 46
allow update_engine gmscore_app:fd use;
#line 46
# Allow update_engine to call the callback function provided by system_server.
#line 49
# Call the server domain and optionally transfer references to it.
#line 49
allow update_engine system_server:binder { call transfer };
#line 49
# Allow the server domain to transfer references to the client on the reply.
#line 49
allow system_server update_engine:binder transfer;
#line 49
# Receive and use open files from the server.
#line 49
allow update_engine system_server:fd use;
#line 49
# Read OTA zip file at /data/ota_package/.
allow update_engine ota_package_file:file { getattr open read ioctl lock map watch watch_reads };
allow update_engine ota_package_file:dir { open getattr read search ioctl lock watch watch_reads };
# Use Boot Control HAL
#line 56
typeattribute update_engine halclientdomain;
#line 56
typeattribute update_engine hal_bootctl_client;
#line 56
#line 56
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 56
# non-Treble devices. For now, on non-Treble devices, always grant clients of a
#line 56
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 56
#line 56
typeattribute update_engine hal_bootctl;
#line 56
# Find passthrough HAL implementations
#line 56
allow hal_bootctl system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 56
allow hal_bootctl vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 56
allow hal_bootctl vendor_file:file { read open getattr execute map };
#line 56
#line 56
# access /proc/misc
allow update_engine proc_misc:file { getattr open read ioctl lock map watch watch_reads };
# read directories on /system and /vendor
allow update_engine system_file:dir { open getattr read search ioctl lock watch watch_reads };
# Allow ReadDefaultFstab().
# update_engine tries to determine the parent path for all devices (e.g.
# /dev/block/by-name) by reading the default fstab and looking for the misc
# device.
#line 68
allow update_engine { metadata_file gsi_metadata_file_type }:dir search;
#line 68
allow update_engine gsi_public_metadata_file:file { getattr open read ioctl lock map watch watch_reads };
#line 68
allow update_engine { proc_bootconfig proc_cmdline }:file { getattr open read ioctl lock map watch watch_reads };
#line 68
# Allow writing to snapshotctl_log logs.
# TODO(b/148818798) revert when parent bug is fixed.
#line 75
# Allow determining filesystems available on system.
# Needed for checking if overlayfs is enabled
allow update_engine proc_filesystems:file { getattr open read ioctl lock map watch watch_reads };
#line 1 "system/sepolicy/public/update_engine_common.te"
# update_engine payload application permissions. These are shared between the
# background daemon and the recovery tool to sideload an update.
# Allow update_engine to reach block devices in /dev/block.
allow update_engine_common block_device:dir search;
# Allow read/write on system and boot partitions.
allow update_engine_common boot_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow update_engine_common system_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Where ioctls are granted via standard allow rules to block devices,
# automatically allow common ioctls that are generally needed by
# update_engine.
allowxperm update_engine_common dev_type:blk_file ioctl {
0x00001277
0x0000127c
0x0000125e
0x0000125d
0x0000127d
0x0000127f
};
# Allow setting recovery options in the BCB. Used to trigger a factory reset when
# an update to an older version (channel change) or an incompatible version
# requires it.
allow update_engine_common misc_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# read fstab
allow update_engine_common rootfs:dir getattr;
allow update_engine_common rootfs:file { getattr open read ioctl lock map watch watch_reads };
# Allow update_engine_common to mount on the /postinstall directory and reset the
# labels on the mounted filesystem to postinstall_file.
allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
# Allow update_engine_common to read and execute postinstall_file.
allow update_engine_common postinstall_file:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow update_engine_common postinstall_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
allow update_engine_common postinstall_file:dir { open getattr read search ioctl lock watch watch_reads };
# install update.zip from cache
#line 44
allow update_engine_common cache_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 44
allow update_engine_common cache_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 44
# A postinstall program is typically a shell script (with a #!), so we allow
# executing those.
allow update_engine_common shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow update_engine_common to suspend, resume and kill the postinstall program.
allow update_engine_common postinstall:process { signal sigstop sigkill };
# access /proc/cmdline
allow update_engine_common proc_cmdline:file { getattr open read ioctl lock map watch watch_reads };
# Read files in /sys/firmware/devicetree/base/firmware/android/
#line 57
allow update_engine_common sysfs_dt_firmware_android:dir { open getattr read search ioctl lock watch watch_reads };
#line 57
allow update_engine_common sysfs_dt_firmware_android:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 57
# Needed because libdm reads sysfs to validate when a dm path is ready.
#line 60
allow update_engine_common sysfs_dm:dir { open getattr read search ioctl lock watch watch_reads };
#line 60
allow update_engine_common sysfs_dm:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 60
# Scan files in /sys/fs/ext4 and /sys/fs/f2fs for device-mapper diagnostics.
allow update_engine_common sysfs:dir { open getattr read search ioctl lock watch watch_reads };
allow update_engine_common sysfs_fs_f2fs:dir { open getattr read search ioctl lock watch watch_reads };
# read / write on /dev/device-mapper to map / unmap devices
allow update_engine_common dm_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# apply / verify updates on devices mapped via device mapper
allow update_engine_common dm_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# read /dev/dm-user so that we can wait via inotify for control devices to be
# created asynchronously by ueventd.
allow update_engine dm_user_device:dir { open getattr read search ioctl lock watch watch_reads };
allow update_engine dm_user_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# read / write metadata on super device to resize partitions
allow update_engine_common super_block_device_type:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# ioctl on super device to get block device alignment and alignment offset
allowxperm update_engine_common super_block_device_type:blk_file ioctl { 0x00001278 0x0000127a };
# get physical block device to map logical partitions on device mapper
allow update_engine_common block_device:dir { open getattr read search ioctl lock watch watch_reads };
# Allow update_engine_common to write to statsd socket.
#line 87
allow update_engine_common statsdw_socket:sock_file write;
#line 87
allow update_engine_common statsd:unix_dgram_socket sendto;
#line 87
# Allow reading Virtual A/B feature flags.
#line 90
allow update_engine_common virtual_ab_prop:file { getattr open read map };
#line 90
# Allow reading GKI-related flags.
#line 93
allow update_engine_common ab_update_gki_prop:file { getattr open read map };
#line 93
#line 94
allow update_engine_common build_bootimage_prop:file { getattr open read map };
#line 94
# Allow reading, writing and creating OTA metadata files for snapshot status and COW file status.
allow update_engine_common metadata_file:dir search;
allow update_engine_common ota_metadata_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow update_engine_common ota_metadata_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
#line 1 "system/sepolicy/public/update_verifier.te"
# update_verifier
type update_verifier, domain;
type update_verifier_exec, system_file_type, exec_type, file_type;
# Allow update_verifier to reach block devices in /dev/block.
allow update_verifier block_device:dir search;
# Read care map in /data/ota_package/.
allow update_verifier ota_package_file:dir { open getattr read search ioctl lock watch watch_reads };
allow update_verifier ota_package_file:file { getattr open read ioctl lock map watch watch_reads };
# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
allow update_verifier sysfs:dir { open getattr read search ioctl lock watch watch_reads };
# Read /sys/block/dm-X/dm/name (which is a symlink to
# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
# dm-X and system/vendor partitions.
allow update_verifier sysfs_dm:dir { open getattr read search ioctl lock watch watch_reads };
allow update_verifier sysfs_dm:file { getattr open read ioctl lock map watch watch_reads };
# Read all blocks in DM wrapped system partition.
allow update_verifier dm_device:blk_file { getattr open read ioctl lock map watch watch_reads };
# Write to kernel message.
allow update_verifier kmsg_device:chr_file { getattr { open append write lock map } };
# Use Boot Control HAL
#line 28
typeattribute update_verifier halclientdomain;
#line 28
typeattribute update_verifier hal_bootctl_client;
#line 28
#line 28
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 28
# non-Treble devices. For now, on non-Treble devices, always grant clients of a
#line 28
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 28
#line 28
typeattribute update_verifier hal_bootctl;
#line 28
# Find passthrough HAL implementations
#line 28
allow hal_bootctl system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 28
allow hal_bootctl vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 28
allow hal_bootctl vendor_file:file { read open getattr execute map };
#line 28
#line 28
# Access Checkpoint commands over binder
allow update_verifier vold_service:service_manager find;
#line 32
# Call the server domain and optionally transfer references to it.
#line 32
allow update_verifier servicemanager:binder { call transfer };
#line 32
# Allow the server domain to transfer references to the client on the reply.
#line 32
allow servicemanager update_verifier:binder transfer;
#line 32
# Receive and use open files from the server.
#line 32
allow update_verifier servicemanager:fd use;
#line 32
#line 33
# Call the server domain and optionally transfer references to it.
#line 33
allow update_verifier vold:binder { call transfer };
#line 33
# Allow the server domain to transfer references to the client on the reply.
#line 33
allow vold update_verifier:binder transfer;
#line 33
# Receive and use open files from the server.
#line 33
allow update_verifier vold:fd use;
#line 33
#line 1 "system/sepolicy/public/usbd.te"
type usbd, domain;
type usbd_exec, system_file_type, exec_type, file_type;
#line 4
# Call the server domain and optionally transfer references to it.
#line 4
allow usbd servicemanager:binder { call transfer };
#line 4
# Allow the serverdomain to transfer references to the client on the reply.
#line 4
allow servicemanager usbd:binder transfer;
#line 4
# Receive and use open files from the server.
#line 4
allow usbd servicemanager:fd use;
#line 4
#line 1 "system/sepolicy/public/userdata_sysdev.te"
allow userdata_sysdev sysfs:filesystem associate;
#line 1 "system/sepolicy/public/vdc.te"
# vdc is a helper program for making Binder calls to vold. It is spawned from
# init for various reasons, such as initializing file-based encryption and
# metadata encryption, and managing userdata checkpointing.
#
# We also transition into this domain from dumpstate, when
# collecting bug reports.
type vdc, domain;
type vdc_exec, system_file_type, exec_type, file_type;
# vdc can be invoked with logwrapper, so let it write to a pty
allow vdc devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# vdc writes directly to kmsg during the boot process
allow vdc kmsg_device:chr_file { getattr { open append write lock map } };
# vdc talks to vold over Binder
#line 18
# Call the servicemanager and transfer references to it.
#line 18
allow vdc servicemanager:binder { call transfer };
#line 18
# Allow servicemanager to send out callbacks
#line 18
allow servicemanager vdc:binder { call transfer };
#line 18
# servicemanager performs getpidcon on clients.
#line 18
allow servicemanager vdc:dir search;
#line 18
allow servicemanager vdc:file { read open };
#line 18
allow servicemanager vdc:process getattr;
#line 18
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 18
# all domains in domain.te.
#line 18
#line 19
# Call the server domain and optionally transfer references to it.
#line 19
allow vdc vold:binder { call transfer };
#line 19
# Allow the server domain to transfer references to the client on the reply.
#line 19
allow vold vdc:binder transfer;
#line 19
# Receive and use open files from the server.
#line 19
allow vdc vold:fd use;
#line 19
allow vdc vold_service:service_manager find;
#line 1 "system/sepolicy/public/vendor_init.te"
# vendor_init is its own domain.
type vendor_init, domain, mlstrustedsubject;
# Communication to the main init process
allow vendor_init init:unix_stream_socket { read write };
# Logging to kmsg
allow vendor_init kmsg_device:chr_file { open getattr write };
# Mount on /dev/usb-ffs/adb.
allow vendor_init device:dir mounton;
# Create and remove symlinks in /.
allow vendor_init rootfs:lnk_file { create unlink };
# Create cgroups mount points in tmpfs and mount cgroups on them.
allow vendor_init cgroup:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow vendor_init cgroup:file { open append write lock map };
allow vendor_init cgroup_v2:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow vendor_init cgroup_v2:file { open append write lock map };
# /config
allow vendor_init configfs:dir mounton;
allow vendor_init configfs:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow vendor_init configfs:{ file lnk_file } { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Create directories under /dev/cpuctl after chowning it to system.
allow vendor_init self:{ capability cap_userns } { dac_override dac_read_search };
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr, which are needed for open()+fchown()/fchmod().
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow vendor_init self:{ capability cap_userns } { chown fowner fsetid };
# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
allow vendor_init unencrypted_data_file:dir search;
allow vendor_init unencrypted_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Set encryption policy on dirs in /data
allowxperm vendor_init data_file_type:dir ioctl {
0x400c6615
0x800c6613
};
allow vendor_init system_data_file:dir getattr;
allow vendor_init {
file_type
-bpffs_type
-core_data_file_type
-exec_type
-system_dlkm_file_type
-system_file_type
-mnt_product_file
-password_slot_metadata_file
-ota_metadata_file
-unlabeled
-vendor_file_type
-vold_metadata_file
-gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
-aconfig_storage_metadata_file
-aconfig_storage_flags_metadata_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
allow vendor_init unlabeled:{ dir { file lnk_file sock_file fifo_file } } { getattr relabelfrom };
allow vendor_init {
file_type
-bpffs_type
-core_data_file_type
-exec_type
-password_slot_metadata_file
-ota_metadata_file
-runtime_event_log_tags_file
-system_dlkm_file_type
-system_file_type
-unlabeled
-vendor_file_type
-vold_metadata_file
-gsi_metadata_file_type
-apex_metadata_file
-apex_info_file
-userspace_reboot_metadata_file
-aconfig_storage_metadata_file
-aconfig_storage_flags_metadata_file
# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 90
-debugfs_type
#line 90
# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 90
}:file { create getattr open read write setattr relabelfrom unlink map };
allow vendor_init {
file_type
-bpffs_type
-core_data_file_type
-exec_type
-password_slot_metadata_file
-ota_metadata_file
-system_dlkm_file_type
-system_file_type
-unlabeled
-vendor_file_type
-vold_metadata_file
-gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
-aconfig_storage_metadata_file
-aconfig_storage_flags_metadata_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow vendor_init {
file_type
-apex_mnt_dir
-bpffs_type
-core_data_file_type
-exec_type
-password_slot_metadata_file
-ota_metadata_file
-system_dlkm_file_type
-system_file_type
-unlabeled
-vendor_file_type
-vold_metadata_file
-gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
-aconfig_storage_metadata_file
-aconfig_storage_flags_metadata_file
}:lnk_file { create getattr setattr relabelfrom unlink };
allow vendor_init {
file_type
-bpffs_type
-core_data_file_type
-exec_type
-mnt_product_file
-password_slot_metadata_file
-ota_metadata_file
-system_dlkm_file_type
-system_file_type
-vendor_file_type
-vold_metadata_file
-gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
-aconfig_storage_metadata_file
-aconfig_storage_flags_metadata_file
}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;
# Full directory management (create/rename/rmdir/setattr plus read and write
# perms) on dev_type-labeled directories; symlinks may only be created.
allow vendor_init dev_type:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow vendor_init dev_type:lnk_file create;
# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
allow vendor_init debugfs_tracing:file { open append write lock map };
# chown/chmod on pseudo files.
# setattr only (no write) on pseudo-filesystem files; the exclusion list removes
# types that carry data or are managed elsewhere. debugfs_type is excluded only
# for devices launching with S or later (the CTS-marked span below).
allow vendor_init {
fs_type
-bpffs_type
-contextmount_type
-keychord_device
-sdcard_type
-fusefs_type
-rootfs
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 169
-debugfs_type
#line 169
# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 169
}:file { open read setattr map };
allow vendor_init tracefs_type:file { open read setattr map };
# Same chown/chmod intent for directories. Note the exclusion list differs from
# the file rule above: keychord_device and debugfs_type are not excluded here.
allow vendor_init {
fs_type
-bpffs_type
-contextmount_type
-sdcard_type
-fusefs_type
-rootfs
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
}:dir { open read setattr search };
allow vendor_init dev_type:blk_file getattr;
# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
#line 189
allow vendor_init proc_net_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 189
allow vendor_init proc_net_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 189
allow vendor_init proc_net_type:file { open append write lock map };
# net_admin is needed for the /proc/sys/net writes above. It does not open up
# socket communication: connect/sendto/connectto to most domains is neverallowed
# at the end of this file.
allow vendor_init self:{ capability cap_userns } net_admin;
# Write to /proc/sys/vm/page-cluster
allow vendor_init proc_page_cluster:file { open append write lock map };
# Write to sysfs nodes.
allow vendor_init sysfs_type:dir { open getattr read search ioctl lock watch watch_reads };
allow vendor_init sysfs_type:lnk_file read;
# Read/write on every sysfs_type file except sysfs_usermodehelper, which is
# excluded from this rule entirely (neither read nor write).
allow vendor_init { sysfs_type -sysfs_usermodehelper }:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# setfscreatecon() for labeling directories and socket files.
allow vendor_init self:process { setfscreate };
# Read-only access to vendor_file_type dirs, files and symlinks (r_dir_file expansion).
#line 204
allow vendor_init vendor_file_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 204
allow vendor_init vendor_file_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 204
# Vendor init can read properties
allow vendor_init serialno_prop:file { getattr open read map };
# Vendor init can perform operations on trusted and security Extended Attributes
# sys_admin is a broad capability; the stated purpose is xattr handling only.
allow vendor_init self:{ capability cap_userns } sys_admin;
# Raw writes to misc block device
# Write-only: the permission set grants neither read nor ioctl on the device.
allow vendor_init misc_block_device:blk_file { open append write lock map };
# vendor_init is using bootstrap bionic
#line 216
allow vendor_init system_bootstrap_lib_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 216
allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
#line 216
# allow filesystem tuning
allow vendor_init userdata_sysdev:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Everything is labeled as rootfs in recovery mode. Vendor init has to execute
# the dynamic linker and shared libraries.
# NOTE(review): the recovery-only rules appear to have expanded to nothing in
# this (non-recovery) build -- the #line markers jump from 225 to 227. What
# follows is the set_prop/get_prop macro expansion: vendor_init may set and read
# any property_type except the system_internal and system_restricted ones.
#line 225
#line 227
#line 227
#line 227
allow vendor_init property_socket:sock_file write;
#line 227
allow vendor_init init:unix_stream_socket connectto;
#line 227
#line 227
allow vendor_init {
#line 227
property_type
#line 227
-system_internal_property_type
#line 227
-system_restricted_property_type
#line 227
}:property_service set;
#line 227
#line 227
allow vendor_init {
#line 227
property_type
#line 227
-system_internal_property_type
#line 227
-system_restricted_property_type
#line 227
}:file { getattr open read map };
#line 227
#line 227
#line 233
# Get file context
allow vendor_init file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow vendor_init to (re)set nice
allow vendor_init self:capability sys_nice;
#line 241
#line 241
allow vendor_init property_socket:sock_file write;
#line 241
allow vendor_init init:unix_stream_socket connectto;
#line 241
#line 241
allow vendor_init apk_verity_prop:property_service set;
#line 241
#line 241
allow vendor_init apk_verity_prop:file { getattr open read map };
#line 241
#line 241
#line 242
#line 242
allow vendor_init property_socket:sock_file write;
#line 242
allow vendor_init init:unix_stream_socket connectto;
#line 242
#line 242
allow vendor_init bluetooth_a2dp_offload_prop:property_service set;
#line 242
#line 242
allow vendor_init bluetooth_a2dp_offload_prop:file { getattr open read map };
#line 242
#line 242
#line 243
#line 243
allow vendor_init property_socket:sock_file write;
#line 243
allow vendor_init init:unix_stream_socket connectto;
#line 243
#line 243
allow vendor_init bluetooth_audio_hal_prop:property_service set;
#line 243
#line 243
allow vendor_init bluetooth_audio_hal_prop:file { getattr open read map };
#line 243
#line 243
#line 244
#line 244
allow vendor_init property_socket:sock_file write;
#line 244
allow vendor_init init:unix_stream_socket connectto;
#line 244
#line 244
allow vendor_init bluetooth_config_prop:property_service set;
#line 244
#line 244
allow vendor_init bluetooth_config_prop:file { getattr open read map };
#line 244
#line 244
#line 245
#line 245
allow vendor_init property_socket:sock_file write;
#line 245
allow vendor_init init:unix_stream_socket connectto;
#line 245
#line 245
allow vendor_init camera2_extensions_prop:property_service set;
#line 245
#line 245
allow vendor_init camera2_extensions_prop:file { getattr open read map };
#line 245
#line 245
#line 246
#line 246
allow vendor_init property_socket:sock_file write;
#line 246
allow vendor_init init:unix_stream_socket connectto;
#line 246
#line 246
allow vendor_init camerax_extensions_prop:property_service set;
#line 246
#line 246
allow vendor_init camerax_extensions_prop:file { getattr open read map };
#line 246
#line 246
#line 247
#line 247
allow vendor_init property_socket:sock_file write;
#line 247
allow vendor_init init:unix_stream_socket connectto;
#line 247
#line 247
allow vendor_init cpu_variant_prop:property_service set;
#line 247
#line 247
allow vendor_init cpu_variant_prop:file { getattr open read map };
#line 247
#line 247
#line 248
#line 248
allow vendor_init property_socket:sock_file write;
#line 248
allow vendor_init init:unix_stream_socket connectto;
#line 248
#line 248
allow vendor_init dalvik_config_prop:property_service set;
#line 248
#line 248
allow vendor_init dalvik_config_prop:file { getattr open read map };
#line 248
#line 248
#line 249
#line 249
allow vendor_init property_socket:sock_file write;
#line 249
allow vendor_init init:unix_stream_socket connectto;
#line 249
#line 249
allow vendor_init dalvik_dynamic_config_prop:property_service set;
#line 249
#line 249
allow vendor_init dalvik_dynamic_config_prop:file { getattr open read map };
#line 249
#line 249
#line 250
#line 250
allow vendor_init property_socket:sock_file write;
#line 250
allow vendor_init init:unix_stream_socket connectto;
#line 250
#line 250
allow vendor_init dalvik_runtime_prop:property_service set;
#line 250
#line 250
allow vendor_init dalvik_runtime_prop:file { getattr open read map };
#line 250
#line 250
#line 251
#line 251
allow vendor_init property_socket:sock_file write;
#line 251
allow vendor_init init:unix_stream_socket connectto;
#line 251
#line 251
allow vendor_init debug_prop:property_service set;
#line 251
#line 251
allow vendor_init debug_prop:file { getattr open read map };
#line 251
#line 251
#line 252
#line 252
allow vendor_init property_socket:sock_file write;
#line 252
allow vendor_init init:unix_stream_socket connectto;
#line 252
#line 252
allow vendor_init exported_bluetooth_prop:property_service set;
#line 252
#line 252
allow vendor_init exported_bluetooth_prop:file { getattr open read map };
#line 252
#line 252
#line 253
#line 253
allow vendor_init property_socket:sock_file write;
#line 253
allow vendor_init init:unix_stream_socket connectto;
#line 253
#line 253
allow vendor_init exported_camera_prop:property_service set;
#line 253
#line 253
allow vendor_init exported_camera_prop:file { getattr open read map };
#line 253
#line 253
#line 254
#line 254
allow vendor_init property_socket:sock_file write;
#line 254
allow vendor_init init:unix_stream_socket connectto;
#line 254
#line 254
allow vendor_init exported_config_prop:property_service set;
#line 254
#line 254
allow vendor_init exported_config_prop:file { getattr open read map };
#line 254
#line 254
#line 255
#line 255
allow vendor_init property_socket:sock_file write;
#line 255
allow vendor_init init:unix_stream_socket connectto;
#line 255
#line 255
allow vendor_init exported_default_prop:property_service set;
#line 255
#line 255
allow vendor_init exported_default_prop:file { getattr open read map };
#line 255
#line 255
#line 256
#line 256
allow vendor_init property_socket:sock_file write;
#line 256
allow vendor_init init:unix_stream_socket connectto;
#line 256
#line 256
allow vendor_init exported_overlay_prop:property_service set;
#line 256
#line 256
allow vendor_init exported_overlay_prop:file { getattr open read map };
#line 256
#line 256
#line 257
#line 257
allow vendor_init property_socket:sock_file write;
#line 257
allow vendor_init init:unix_stream_socket connectto;
#line 257
#line 257
allow vendor_init exported_pm_prop:property_service set;
#line 257
#line 257
allow vendor_init exported_pm_prop:file { getattr open read map };
#line 257
#line 257
#line 258
#line 258
allow vendor_init property_socket:sock_file write;
#line 258
allow vendor_init init:unix_stream_socket connectto;
#line 258
#line 258
allow vendor_init ffs_control_prop:property_service set;
#line 258
#line 258
allow vendor_init ffs_control_prop:file { getattr open read map };
#line 258
#line 258
#line 259
#line 259
allow vendor_init property_socket:sock_file write;
#line 259
allow vendor_init init:unix_stream_socket connectto;
#line 259
#line 259
allow vendor_init hw_timeout_multiplier_prop:property_service set;
#line 259
#line 259
allow vendor_init hw_timeout_multiplier_prop:file { getattr open read map };
#line 259
#line 259
#line 260
#line 260
allow vendor_init property_socket:sock_file write;
#line 260
allow vendor_init init:unix_stream_socket connectto;
#line 260
#line 260
allow vendor_init incremental_prop:property_service set;
#line 260
#line 260
allow vendor_init incremental_prop:file { getattr open read map };
#line 260
#line 260
#line 261
#line 261
allow vendor_init property_socket:sock_file write;
#line 261
allow vendor_init init:unix_stream_socket connectto;
#line 261
#line 261
allow vendor_init lmkd_prop:property_service set;
#line 261
#line 261
allow vendor_init lmkd_prop:file { getattr open read map };
#line 261
#line 261
#line 262
#line 262
allow vendor_init property_socket:sock_file write;
#line 262
allow vendor_init init:unix_stream_socket connectto;
#line 262
#line 262
allow vendor_init logd_prop:property_service set;
#line 262
#line 262
allow vendor_init logd_prop:file { getattr open read map };
#line 262
#line 262
#line 263
#line 263
allow vendor_init property_socket:sock_file write;
#line 263
allow vendor_init init:unix_stream_socket connectto;
#line 263
#line 263
allow vendor_init log_tag_prop:property_service set;
#line 263
#line 263
allow vendor_init log_tag_prop:file { getattr open read map };
#line 263
#line 263
#line 264
#line 264
allow vendor_init property_socket:sock_file write;
#line 264
allow vendor_init init:unix_stream_socket connectto;
#line 264
#line 264
allow vendor_init log_prop:property_service set;
#line 264
#line 264
allow vendor_init log_prop:file { getattr open read map };
#line 264
#line 264
#line 265
#line 265
allow vendor_init property_socket:sock_file write;
#line 265
allow vendor_init init:unix_stream_socket connectto;
#line 265
#line 265
allow vendor_init graphics_config_writable_prop:property_service set;
#line 265
#line 265
allow vendor_init graphics_config_writable_prop:file { getattr open read map };
#line 265
#line 265
#line 266
#line 266
allow vendor_init property_socket:sock_file write;
#line 266
allow vendor_init init:unix_stream_socket connectto;
#line 266
#line 266
allow vendor_init qemu_hw_prop:property_service set;
#line 266
#line 266
allow vendor_init qemu_hw_prop:file { getattr open read map };
#line 266
#line 266
#line 267
#line 267
allow vendor_init property_socket:sock_file write;
#line 267
allow vendor_init init:unix_stream_socket connectto;
#line 267
#line 267
allow vendor_init radio_control_prop:property_service set;
#line 267
#line 267
allow vendor_init radio_control_prop:file { getattr open read map };
#line 267
#line 267
#line 268
#line 268
allow vendor_init property_socket:sock_file write;
#line 268
allow vendor_init init:unix_stream_socket connectto;
#line 268
#line 268
allow vendor_init rebootescrow_hal_prop:property_service set;
#line 268
#line 268
allow vendor_init rebootescrow_hal_prop:file { getattr open read map };
#line 268
#line 268
#line 269
#line 269
allow vendor_init property_socket:sock_file write;
#line 269
allow vendor_init init:unix_stream_socket connectto;
#line 269
#line 269
allow vendor_init serialno_prop:property_service set;
#line 269
#line 269
allow vendor_init serialno_prop:file { getattr open read map };
#line 269
#line 269
#line 270
#line 270
allow vendor_init property_socket:sock_file write;
#line 270
allow vendor_init init:unix_stream_socket connectto;
#line 270
#line 270
allow vendor_init soc_prop:property_service set;
#line 270
#line 270
allow vendor_init soc_prop:file { getattr open read map };
#line 270
#line 270
#line 271
#line 271
allow vendor_init property_socket:sock_file write;
#line 271
allow vendor_init init:unix_stream_socket connectto;
#line 271
#line 271
allow vendor_init surfaceflinger_color_prop:property_service set;
#line 271
#line 271
allow vendor_init surfaceflinger_color_prop:file { getattr open read map };
#line 271
#line 271
#line 272
#line 272
allow vendor_init property_socket:sock_file write;
#line 272
allow vendor_init init:unix_stream_socket connectto;
#line 272
#line 272
allow vendor_init usb_control_prop:property_service set;
#line 272
#line 272
allow vendor_init usb_control_prop:file { getattr open read map };
#line 272
#line 272
#line 273
#line 273
allow vendor_init property_socket:sock_file write;
#line 273
allow vendor_init init:unix_stream_socket connectto;
#line 273
#line 273
allow vendor_init userspace_reboot_config_prop:property_service set;
#line 273
#line 273
allow vendor_init userspace_reboot_config_prop:file { getattr open read map };
#line 273
#line 273
#line 274
#line 274
allow vendor_init property_socket:sock_file write;
#line 274
allow vendor_init init:unix_stream_socket connectto;
#line 274
#line 274
allow vendor_init vehicle_hal_prop:property_service set;
#line 274
#line 274
allow vendor_init vehicle_hal_prop:file { getattr open read map };
#line 274
#line 274
#line 275
#line 275
allow vendor_init property_socket:sock_file write;
#line 275
allow vendor_init init:unix_stream_socket connectto;
#line 275
#line 275
allow vendor_init vendor_default_prop:property_service set;
#line 275
#line 275
allow vendor_init vendor_default_prop:file { getattr open read map };
#line 275
#line 275
#line 276
#line 276
allow vendor_init property_socket:sock_file write;
#line 276
allow vendor_init init:unix_stream_socket connectto;
#line 276
#line 276
allow vendor_init keystore_config_prop:property_service set;
#line 276
#line 276
allow vendor_init keystore_config_prop:file { getattr open read map };
#line 276
#line 276
#line 277
#line 277
allow vendor_init property_socket:sock_file write;
#line 277
allow vendor_init init:unix_stream_socket connectto;
#line 277
#line 277
allow vendor_init vendor_security_patch_level_prop:property_service set;
#line 277
#line 277
allow vendor_init vendor_security_patch_level_prop:file { getattr open read map };
#line 277
#line 277
#line 278
#line 278
allow vendor_init property_socket:sock_file write;
#line 278
allow vendor_init init:unix_stream_socket connectto;
#line 278
#line 278
allow vendor_init vndk_prop:property_service set;
#line 278
#line 278
allow vendor_init vndk_prop:file { getattr open read map };
#line 278
#line 278
#line 279
#line 279
allow vendor_init property_socket:sock_file write;
#line 279
allow vendor_init init:unix_stream_socket connectto;
#line 279
#line 279
allow vendor_init virtual_ab_prop:property_service set;
#line 279
#line 279
allow vendor_init virtual_ab_prop:file { getattr open read map };
#line 279
#line 279
#line 280
#line 280
allow vendor_init property_socket:sock_file write;
#line 280
allow vendor_init init:unix_stream_socket connectto;
#line 280
#line 280
allow vendor_init vold_post_fs_data_prop:property_service set;
#line 280
#line 280
allow vendor_init vold_post_fs_data_prop:file { getattr open read map };
#line 280
#line 280
#line 281
#line 281
allow vendor_init property_socket:sock_file write;
#line 281
allow vendor_init init:unix_stream_socket connectto;
#line 281
#line 281
allow vendor_init wifi_hal_prop:property_service set;
#line 281
#line 281
allow vendor_init wifi_hal_prop:file { getattr open read map };
#line 281
#line 281
#line 282
#line 282
allow vendor_init property_socket:sock_file write;
#line 282
allow vendor_init init:unix_stream_socket connectto;
#line 282
#line 282
allow vendor_init wifi_log_prop:property_service set;
#line 282
#line 282
allow vendor_init wifi_log_prop:file { getattr open read map };
#line 282
#line 282
#line 283
#line 283
allow vendor_init property_socket:sock_file write;
#line 283
allow vendor_init init:unix_stream_socket connectto;
#line 283
#line 283
allow vendor_init zram_control_prop:property_service set;
#line 283
#line 283
allow vendor_init zram_control_prop:file { getattr open read map };
#line 283
#line 283
#line 285
allow vendor_init boot_status_prop:file { getattr open read map };
#line 285
#line 286
allow vendor_init exported3_system_prop:file { getattr open read map };
#line 286
#line 287
allow vendor_init ota_prop:file { getattr open read map };
#line 287
#line 288
allow vendor_init power_debug_prop:file { getattr open read map };
#line 288
#line 289
allow vendor_init provisioned_prop:file { getattr open read map };
#line 289
#line 290
allow vendor_init retaildemo_prop:file { getattr open read map };
#line 290
#line 291
allow vendor_init surfaceflinger_display_prop:file { getattr open read map };
#line 291
#line 292
allow vendor_init test_harness_prop:file { getattr open read map };
#line 292
#line 293
allow vendor_init theme_prop:file { getattr open read map };
#line 293
#line 294
#line 294
allow vendor_init property_socket:sock_file write;
#line 294
allow vendor_init init:unix_stream_socket connectto;
#line 294
#line 294
allow vendor_init dck_prop:property_service set;
#line 294
#line 294
allow vendor_init dck_prop:file { getattr open read map };
#line 294
#line 294
# Allow vendor_init to read vendor_system_native device config changes
#line 297
allow vendor_init device_config_vendor_system_native_prop:file { getattr open read map };
#line 297
#line 298
allow vendor_init device_config_vendor_system_native_boot_prop:file { getattr open read map };
#line 298
###
### neverallow rules
###
# Vendor init shouldn't communicate with any vendor process, nor most system processes.
# Only init, logd, prng_seeder and su (and vendor_init itself) are exempt:
# connect/sendto over every socket class, and connectto over unix stream sockets,
# are forbidden towards every other domain.
#line 305
neverallow vendor_init {
#line 305
domain -init -logd -prng_seeder -su -vendor_init }:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } { connect sendto };
#line 305
neverallow vendor_init {
#line 305
domain -init -logd -prng_seeder -su -vendor_init }:unix_stream_socket connectto;
# The lone ';' below appears to be left over from the macro expansion above;
# the build accepts it as an empty statement.
;
# The vendor_init domain is only entered via an exec based transition from the
# init domain, never via setcon().
# Entry is pinned down from three sides: no dyntransition from any domain, a
# transition only from init, and init_exec as the sole permitted entrypoint.
neverallow domain vendor_init:process dyntransition;
neverallow { domain -init } vendor_init:process transition;
neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint;
# Never read/follow symlinks created by shell or untrusted apps.
neverallow vendor_init app_data_file_type:lnk_file read;
neverallow vendor_init shell_data_file:lnk_file read;
# vendor_init should not be creating subdirectories in /data/local/tmp
neverallow vendor_init shell_data_file:dir { write add_name remove_name };
# vendor_init should never execute a program without changing to another domain.
neverallow vendor_init { file_type fs_type }:file execute_no_trans;
# vendor_init never adds or uses services via service_manager.
neverallow vendor_init service_manager_type:service_manager { add find };
neverallow vendor_init servicemanager:service_manager list;
# vendor_init should never be ptraced
# '*' covers every type, not just domains.
neverallow * vendor_init:process ptrace;
#line 1 "system/sepolicy/public/vendor_misc_writer.te"
# vendor_misc_writer
# Only the domain and its exec type are declared in this public file; no domain
# transition rule is visible here.
type vendor_misc_writer, domain;
type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
# Raw writes to misc_block_device
# Write-only access: the permission set grants neither read nor ioctl on the
# device node. The block_device directory is read-only (for lookup).
allow vendor_misc_writer misc_block_device:blk_file { open append write lock map };
allow vendor_misc_writer block_device:dir { open getattr read search ioctl lock watch watch_reads };
# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
# load DT fstab.
# NOTE(review): the proc_cmdline and proc_bootconfig dontaudit rules are made
# redundant by the allow rule further down, which grants the same read perms.
dontaudit vendor_misc_writer proc_cmdline:file { getattr open read ioctl lock map watch watch_reads };
dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
dontaudit vendor_misc_writer proc_bootconfig:file { getattr open read ioctl lock map watch watch_reads };
# Allow ReadDefaultFstab().
#line 16
allow vendor_misc_writer { metadata_file gsi_metadata_file_type }:dir search;
#line 16
allow vendor_misc_writer gsi_public_metadata_file:file { getattr open read ioctl lock map watch watch_reads };
#line 16
allow vendor_misc_writer { proc_bootconfig proc_cmdline }:file { getattr open read ioctl lock map watch watch_reads };
#line 16
#line 1 "system/sepolicy/public/vendor_modprobe.te"
# Only the domain type is declared in this public file; its allow rules are not here.
type vendor_modprobe, domain;
#line 1 "system/sepolicy/public/vendor_shell.te"
type vendor_shell, domain;
type vendor_shell_exec, exec_type, vendor_file_type, file_type;
# Read and execute its own shell binary and the vendor toolbox in-domain
# (execute_no_trans): no domain change happens when these are run.
allow vendor_shell vendor_shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow vendor_shell vendor_toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Use fd from shell when vendor_shell is started from shell
allow vendor_shell shell:fd use;
# adbd: allow `adb shell /vendor/bin/sh` and `adb shell` then `/vendor/bin/sh`
# Inherited fds plus read/write on adbd's unix stream socket carry the session;
# sigchld lets adbd reap the shell.
allow vendor_shell adbd:fd use;
allow vendor_shell adbd:process sigchld;
allow vendor_shell adbd:unix_stream_socket { getattr ioctl read write };
# Terminal devices: read/write (including ioctl) on pty, tty and console nodes.
allow vendor_shell devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow vendor_shell tty_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow vendor_shell console_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Input devices: list the directory and read/write the character devices.
allow vendor_shell input_device:dir { open getattr read search ioctl lock watch watch_reads };
allow vendor_shell input_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 1 "system/sepolicy/public/vendor_toolbox.te"
# Toolbox installation for vendor binaries / scripts
# Non-vendor processes are not allowed to execute the binary,
# and it is always executed without a domain transition.
# Only the exec type is declared: there is no vendor_toolbox domain.
type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
# Do not allow domains to transition to vendor toolbox
# or read, execute the vendor_toolbox file.
# The restriction below is Treble-only and applies to coredomain: init and
# modprobe are the sole coredomain members allowed to enter or execute it.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 8
#line 8
# Do not allow non-vendor domains to transition
#line 8
# to vendor toolbox except for the allowlisted domains.
#line 8
neverallow {
#line 8
coredomain
#line 8
-init
#line 8
-modprobe
#line 8
} vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
#line 8
#line 8
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 16
#line 1 "system/sepolicy/public/virtual_touchpad.te"
type virtual_touchpad, domain;
type virtual_touchpad_exec, system_file_type, exec_type, file_type;
# binder_use expansion: two-way binder with servicemanager plus the lookups
# servicemanager needs for getpidcon on this client.
#line 4
# Call the servicemanager and transfer references to it.
#line 4
allow virtual_touchpad servicemanager:binder { call transfer };
#line 4
# Allow servicemanager to send out callbacks
#line 4
allow servicemanager virtual_touchpad:binder { call transfer };
#line 4
# servicemanager performs getpidcon on clients.
#line 4
allow servicemanager virtual_touchpad:dir search;
#line 4
allow servicemanager virtual_touchpad:file { read open };
#line 4
allow servicemanager virtual_touchpad:process getattr;
#line 4
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 4
# all domains in domain.te.
#line 4
#line 5
typeattribute virtual_touchpad binderservicedomain;
#line 5
# add_service expansion: this domain registers virtual_touchpad_service and the
# neverallow pins registration of that name to this domain alone.
#line 6
allow virtual_touchpad virtual_touchpad_service:service_manager { add find };
#line 6
neverallow { domain -virtual_touchpad } virtual_touchpad_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
# NOTE(review): the debug-only TCP rules appear to have expanded to nothing in
# this build; only the comments survived.
#line 6
# Needed to check app permissions.
# binder_call expansion towards system_server.
#line 9
# Call the server domain and optionally transfer references to it.
#line 9
allow virtual_touchpad system_server:binder { call transfer };
#line 9
# Allow the serverdomain to transfer references to the client on the reply.
#line 9
allow system_server virtual_touchpad:binder transfer;
#line 9
# Receive and use open files from the server.
#line 9
allow virtual_touchpad system_server:fd use;
#line 9
# Requires access to /dev/uinput to create and feed the virtual device.
# Write plus ioctl, no read, on the device node.
# NOTE(review): the comment names /dev/uinput while the rule targets the
# uhid_device type -- confirm which node carries that label.
allow virtual_touchpad uhid_device:chr_file { { open append write lock map } ioctl };
# Requires access to the permission service to validate that clients have the
# appropriate VR permissions.
allow virtual_touchpad permission_service:service_manager find;
#line 1 "system/sepolicy/public/vndservice.te"
# Service labels carrying the vndservice_manager_type attribute; presumably the
# set consulted by vndservicemanager (declared in the next file) -- verify there.
type service_manager_vndservice, vndservice_manager_type;
type default_android_vndservice, vndservice_manager_type;
#line 1 "system/sepolicy/public/vndservicemanager.te"
# vndservicemanager - the Binder context manager for vendor processes
# Only the domain type is declared in this public file; its allow rules are not here.
type vndservicemanager, domain;
#line 1 "system/sepolicy/public/vold.te"
# volume manager
type vold, domain;
type vold_exec, exec_type, file_type, system_file_type;
# Read already opened /cache files.
allow vold cache_file:dir { open getattr read search ioctl lock watch watch_reads };
allow vold cache_file:file { getattr read };
allow vold cache_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
#line 10
allow vold { sysfs_type -sysfs_batteryinfo }:dir { open getattr read search ioctl lock watch watch_reads };
#line 10
allow vold { sysfs_type -sysfs_batteryinfo }:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 10
# XXX Label sysfs files with a specific type?
allow vold {
sysfs # writing to /sys/*/uevent during coldboot.
sysfs_devices_block
sysfs_dm
sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
sysfs_usb
sysfs_zram_uevent
sysfs_fs_f2fs
}:file { open append write lock map };
#line 22
allow vold rootfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 22
allow vold rootfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 22
#line 23
allow vold metadata_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 23
allow vold metadata_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 23
allow vold {
proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
proc_bootconfig
proc_cmdline
proc_drop_caches
proc_filesystems
proc_meminfo
proc_mounts
}:file { getattr open read ioctl lock map watch watch_reads };
# Get file contexts
allow vold file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow us to jump into execution domains of above tools
allow vold self:process setexec;
# For formatting adoptable storage devices
allow vold e2fs_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Run fstrim on mounted partitions
# allowxperm still requires the ioctl permission for the individual type
allowxperm vold { fs_type file_type }:dir ioctl 0xc0185879;
# Get/set file-based encryption policies on dirs in /data and adoptable storage,
# and add/remove file-based encryption keys.
allowxperm vold data_file_type:dir ioctl {
0x400c6615
0x800c6613
0xc0506617
0xc0406618
0xc080661a
};
# Only vold and init should ever set file-based encryption policies.
neverallowxperm {
domain
-vold
-init
-vendor_init
} data_file_type:dir ioctl { 0x800c6613 };
# Only vold should ever add/remove file-based encryption keys.
neverallowxperm {
domain
-vold
} data_file_type:dir ioctl { 0xc0506617 0xc0406618 0xc080661a };
# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
# location of the file's blocks on the raw block device to erase.
allowxperm vold {
vold_data_file
vold_metadata_file
}:file ioctl {
0xf514
0xc020660b
};
typeattribute vold mlstrustedsubject;
allow vold self:process setfscreate;
allow vold system_file:file { getattr execute execute_no_trans map };
allow vold vendor_file:file { getattr execute execute_no_trans map };
allow vold block_device:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow vold device:dir write;
allow vold devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow vold rootfs:dir mounton;
allow vold { sdcard_type fuse }:dir mounton; # TODO: deprecated in M
allow vold { sdcard_type fuse }:filesystem { mount remount unmount }; # TODO: deprecated in M
# Manage locations where storage is mounted
allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Access to storage that backs emulated FUSE daemons for migration optimization
allow vold media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow vold media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow mounting (lower filesystem) on parts of media for performance
allow vold media_rw_data_file:dir mounton;
# Allow setting project quota IDs and enabling project ID inheritance on
# /data/media/$userId/* and /mnt/expand/$volume/media/$userId/*
allowxperm vold media_rw_data_file:{ dir file } ioctl {
0x801c581f
0x401c5820
0x80086601
0x40086602
};
# Allow mounting of storage devices
allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
# Manage per-user primary symlinks
allow vold mnt_user_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } mounton };
allow vold mnt_user_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow vold mnt_user_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Manage per-user pass_through primary symlinks
allow vold mnt_pass_through_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } mounton };
allow vold mnt_pass_through_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow to create and mount expanded storage
allow vold mnt_expand_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } mounton };
allow vold apk_data_file:dir { create getattr setattr };
allow vold shell_data_file:dir { create getattr setattr };
allow vold system_userdir_file:dir { create getattr setattr };
allow vold media_userdir_file:dir { create getattr setattr open read ioctl };
# Needed to set the casefold flag on /mnt/expand/$volume/media
allowxperm vold media_userdir_file:dir ioctl { 0x80086601 0x40086602 };
# Allow to mount incremental file system on /data/incremental and create files
allow vold apk_data_file:dir { mounton { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
# Allow vold to create and write files in /data/incremental
allow vold apk_data_file:file { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } unlink };
# Allow vold to bind-mount the incremental file system on /data/app/vmdl*.tmp and read its files
allow vold apk_tmp_file:dir { mounton { open getattr read search ioctl lock watch watch_reads } };
# Allow vold to read the incremental control file and run SELinux restorecon on it
allow vold incremental_control_file:file { { getattr open read ioctl lock map watch watch_reads } relabelto };
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow vold tmpfs:dir mounton;
allow vold self:{ capability cap_userns } { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
allow vold self:netlink_kobject_uevent_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow vold loop_control_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow vold loop_device:blk_file { create setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allowxperm vold loop_device:blk_file ioctl {
0x00004c01
0x00004c82
0x00004c05
0x00004c00
0x00004c04
};
allow vold vold_device:blk_file { create setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allowxperm vold vold_device:blk_file ioctl { 0x00001277 0x00001260 };
allow vold dm_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow vold dm_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allowxperm vold dm_device:blk_file ioctl { 0x00001277 0x0000127d 0xc0101282 0x40101283 };
# For vold's Process::killProcessesWithOpenFiles function.
allow vold domain:dir { open getattr read search ioctl lock watch watch_reads };
allow vold domain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
allow vold domain:process { signal sigkill };
allow vold self:{ capability cap_userns } { sys_ptrace kill };
allow vold kmsg_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Run fsck in the fsck domain.
allow vold fsck_exec:file { { getattr open read ioctl lock map watch watch_reads } execute };
# Log fsck results
allow vold fscklogs:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow vold fscklogs:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Mount and unmount filesystems.
allow vold labeledfs:filesystem { mount unmount remount };
# Create and mount on /data/tmp_mnt and management of expansion mounts
#
# Also rename per-user encrypted directories such as /data/user/10 from their
# temporary name ("10.new") to their final name ("10").
allow vold {
system_data_file
system_data_root_file
}:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } mounton };
allow vold system_data_file:lnk_file getattr;
# vold creates per-user directories in /data/vendor_{ce,de}/[0-9]+
allow vold vendor_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
# for secdiscard
allow vold system_data_file:file read;
# Set scheduling policy of kernel processes
allow vold kernel:process setsched;
# ASEC
allow vold asec_image_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow vold asec_image_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow vold asec_apk_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } mounton relabelfrom relabelto };
allow vold asec_public_file:dir { relabelto setattr };
allow vold asec_apk_file:file { { getattr open read ioctl lock map watch watch_reads } setattr relabelfrom relabelto };
allow vold asec_public_file:file { relabelto setattr };
# Relabel (restorecon) files in ASEC containers created on 4.2 or earlier.
allow vold unlabeled:dir { { open getattr read search ioctl lock watch watch_reads } setattr relabelfrom };
allow vold unlabeled:file { { getattr open read ioctl lock map watch watch_reads } setattr relabelfrom };
# Access to FUSE control filesystem to hard-abort FUSE mounts
allow vold fusectlfs:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow vold fusectlfs:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
# Allow vold to use wake locks. Needed for idle maintenance and moving storage.
#line 214
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 214
# deprecated.
#line 214
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 214
allow vold sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 214
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 214
allow vold self:{ capability2 cap2_userns } block_suspend;
#line 214
# system_suspend permissions
#line 214
#line 214
# Call the server domain and optionally transfer references to it.
#line 214
allow vold system_suspend_server:binder { call transfer };
#line 214
# Allow the server domain to transfer references to the client on the reply.
#line 214
allow system_suspend_server vold:binder transfer;
#line 214
# Receive and use open files from the server.
#line 214
allow vold system_suspend_server:fd use;
#line 214
#line 214
allow vold system_suspend_hwservice:hwservice_manager find;
#line 214
# halclientdomain permissions
#line 214
#line 214
# Call the hwservicemanager and transfer references to it.
#line 214
allow vold hwservicemanager:binder { call transfer };
#line 214
# Allow hwservicemanager to send out callbacks
#line 214
allow hwservicemanager vold:binder { call transfer };
#line 214
# hwservicemanager performs getpidcon on clients.
#line 214
allow hwservicemanager vold:dir search;
#line 214
allow hwservicemanager vold:file { read open map };
#line 214
allow hwservicemanager vold:process getattr;
#line 214
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 214
# all domains in domain.te.
#line 214
#line 214
#line 214
allow vold hwservicemanager_prop:file { getattr open read map };
#line 214
#line 214
allow vold hidl_manager_hwservice:hwservice_manager find;
#line 214
# AIDL suspend hal permissions
#line 214
allow vold hal_system_suspend_service:service_manager find;
#line 214
#line 214
# Call the servicemanager and transfer references to it.
#line 214
allow vold servicemanager:binder { call transfer };
#line 214
# Allow servicemanager to send out callbacks
#line 214
allow servicemanager vold:binder { call transfer };
#line 214
# servicemanager performs getpidcon on clients.
#line 214
allow servicemanager vold:dir search;
#line 214
allow servicemanager vold:file { read open };
#line 214
allow servicemanager vold:process getattr;
#line 214
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 214
# all domains in domain.te.
#line 214
#line 214
# Allow vold to publish a binder service and make binder calls.
#line 217
# Call the servicemanager and transfer references to it.
#line 217
allow vold servicemanager:binder { call transfer };
#line 217
# Allow servicemanager to send out callbacks
#line 217
allow servicemanager vold:binder { call transfer };
#line 217
# servicemanager performs getpidcon on clients.
#line 217
allow servicemanager vold:dir search;
#line 217
allow servicemanager vold:file { read open };
#line 217
allow servicemanager vold:process getattr;
#line 217
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 217
# all domains in domain.te.
#line 217
#line 218
allow vold vold_service:service_manager { add find };
#line 218
neverallow { domain -vold } vold_service:service_manager add;
#line 218
#line 218
# On debug builds with root, allow binder services to use binder over TCP.
#line 218
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 218
#line 218
# Allow vold to call into the system server so it can check permissions.
#line 221
# Call the server domain and optionally transfer references to it.
#line 221
allow vold system_server:binder { call transfer };
#line 221
# Allow the server domain to transfer references to the client on the reply.
#line 221
allow system_server vold:binder transfer;
#line 221
# Receive and use open files from the server.
#line 221
allow vold system_server:fd use;
#line 221
allow vold permission_service:service_manager find;
# talk to health storage HAL
#line 225
typeattribute vold halclientdomain;
#line 225
typeattribute vold hal_health_storage_client;
#line 225
#line 225
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 225
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 225
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 225
#line 225
typeattribute vold hal_health_storage;
#line 225
# Find passthrough HAL implementations
#line 225
allow hal_health_storage system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 225
allow hal_health_storage vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 225
allow hal_health_storage vendor_file:file { read open getattr execute map };
#line 225
#line 225
# talk to bootloader HAL
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 228
#line 228
typeattribute vold halclientdomain;
#line 228
typeattribute vold hal_bootctl_client;
#line 228
#line 228
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 228
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 228
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 228
#line 228
typeattribute vold hal_bootctl;
#line 228
# Find passthrough HAL implementations
#line 228
allow hal_bootctl system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 228
allow hal_bootctl vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 228
allow hal_bootctl vendor_file:file { read open getattr execute map };
#line 228
#line 228
#line 228
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 228
# Access userdata block device.
allow vold userdata_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allowxperm vold userdata_block_device:blk_file ioctl 0x0000127d;
# Access zoned block device.
allow vold zoned_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Access metadata block device used for encryption meta-data.
allow vold metadata_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allowxperm vold metadata_block_device:blk_file ioctl 0x0000127d;
# Allow vold to manipulate /data/unencrypted
allow vold unencrypted_data_file:{ file } { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow vold unencrypted_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
# Write to /proc/sys/vm/drop_caches
allow vold proc_drop_caches:file { open append write lock map };
# Give vold a place where only vold can store files; everyone else is off limits
allow vold vold_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow vold vold_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# And a similar place in the metadata partition
allow vold vold_metadata_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow vold vold_metadata_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# linux keyring configuration
allow vold init:key { write search setattr };
allow vold vold:key { write search setattr };
# vold temporarily changes its priority when running benchmarks
allow vold self:{ capability cap_userns } sys_nice;
# vold needs to chroot into app namespaces to remount when runtime permissions change
allow vold self:{ capability cap_userns } sys_chroot;
allow vold storage_file:dir mounton;
# For AppFuse.
allow vold fuse_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow vold fuse:filesystem { relabelfrom };
allow vold app_fusefs:filesystem { relabelfrom relabelto };
allow vold app_fusefs:filesystem { mount unmount };
allow vold app_fuse_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow vold app_fuse_file:file { read write open getattr append };
# MoveStorage.cpp executes cp and rm
allow vold toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Prepare profile dir for users.
allow vold { user_profile_data_file user_profile_root_file }:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
# Raw writes to misc block device
allow vold misc_block_device:blk_file { open append write lock map };
# vold might need to search or mount /mnt/vendor/*
allow vold mnt_vendor_file:dir search;
dontaudit vold self:{ capability cap_userns } sys_resource;
# Allow ReadDefaultFstab().
#line 290
allow vold { metadata_file gsi_metadata_file_type }:dir search;
#line 290
allow vold gsi_public_metadata_file:file { getattr open read ioctl lock map watch watch_reads };
#line 290
allow vold { proc_bootconfig proc_cmdline }:file { getattr open read ioctl lock map watch watch_reads };
#line 290
# vold might need to search loopback apex files
allow vold vendor_apex_file:file { getattr open read ioctl lock map watch watch_reads };
neverallow {
domain
-vold
-vold_prepare_subdirs
} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };
neverallow {
domain
-init
-vold
-vold_prepare_subdirs
} vold_data_file:dir *;
neverallow {
domain
-init
-vold
} vold_metadata_file:dir *;
neverallow {
domain
-kernel
-vold
-vold_prepare_subdirs
} vold_data_file:{ file lnk_file sock_file fifo_file } ~{ relabelto getattr };
neverallow {
domain
-init
-vold
-vold_prepare_subdirs
} vold_metadata_file:{ file lnk_file sock_file fifo_file } ~{ relabelto getattr };
neverallow {
domain
-init
-kernel
-vold
-vold_prepare_subdirs
} { vold_data_file vold_metadata_file }:{ file lnk_file sock_file fifo_file } *;
neverallow { domain -vold -init } restorecon_prop:property_service set;
neverallow vold {
domain
-hal_health_storage_server
-hal_keymaster_server
-system_suspend_server
-hal_bootctl_server
-hwservicemanager
-keystore
-servicemanager
-system_server
}:binder call;
neverallow vold fsck_exec:file execute_no_trans;
neverallow { domain -init } vold:process { transition dyntransition };
neverallow vold *:process ptrace;
neverallow vold *:rawip_socket *;
#line 1 "system/sepolicy/public/vold_prepare_subdirs.te"
# SELinux directory creation and labelling for vold-managed directories
type vold_prepare_subdirs, domain;
type vold_prepare_subdirs_exec, system_file_type, exec_type, file_type;
typeattribute vold_prepare_subdirs coredomain;
#line 1 "system/sepolicy/public/watchdogd.te"
# watchdogd seclabel is specified in init.<board>.rc
type watchdogd, domain;
type watchdogd_exec, system_file_type, exec_type, file_type;
allow watchdogd watchdog_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow watchdogd kmsg_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 1 "system/sepolicy/public/webview_zygote.te"
# webview_zygote is an auxiliary zygote process that is used to spawn
# isolated_app processes for rendering untrusted web content.
type webview_zygote, domain;
type webview_zygote_exec, exec_type, file_type;
type webview_zygote_tmpfs, file_type;
#line 1 "system/sepolicy/public/wificond.te"
# wificond
type wificond, domain;
type wificond_exec, system_file_type, exec_type, file_type;
#line 5
# Call the servicemanager and transfer references to it.
#line 5
allow wificond servicemanager:binder { call transfer };
#line 5
# Allow servicemanager to send out callbacks
#line 5
allow servicemanager wificond:binder { call transfer };
#line 5
# servicemanager performs getpidcon on clients.
#line 5
allow servicemanager wificond:dir search;
#line 5
allow servicemanager wificond:file { read open };
#line 5
allow servicemanager wificond:process getattr;
#line 5
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 5
# all domains in domain.te.
#line 5
#line 6
# Call the server domain and optionally transfer references to it.
#line 6
allow wificond system_server:binder { call transfer };
#line 6
# Allow the server domain to transfer references to the client on the reply.
#line 6
allow system_server wificond:binder transfer;
#line 6
# Receive and use open files from the server.
#line 6
allow wificond system_server:fd use;
#line 6
#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow wificond keystore:binder { call transfer };
#line 7
# Allow the server domain to transfer references to the client on the reply.
#line 7
allow keystore wificond:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow wificond keystore:fd use;
#line 7
#line 9
allow wificond wifinl80211_service:service_manager { add find };
#line 9
neverallow { domain -wificond } wifinl80211_service:service_manager add;
#line 9
#line 9
# On debug builds with root, allow binder services to use binder over TCP.
#line 9
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 9
#line 9
#line 10
typeattribute wificond halclientdomain;
#line 10
typeattribute wificond hal_nlinterceptor_client;
#line 10
#line 10
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 10
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 10
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 10
#line 10
typeattribute wificond hal_nlinterceptor;
#line 10
# Find passthrough HAL implementations
#line 10
allow hal_nlinterceptor system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 10
allow hal_nlinterceptor vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 10
allow hal_nlinterceptor vendor_file:file { read open getattr execute map };
#line 10
#line 10
# create sockets to set interfaces up and down
allow wificond self:udp_socket { create { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# setting interface state up/down is a privileged ioctl
allowxperm wificond self:udp_socket ioctl { 0x00008914 0x00008924 };
allow wificond self:{ capability cap_userns } { net_admin net_raw };
# allow wificond to speak to nl80211 in the kernel
allow wificond self:netlink_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
allow wificond self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
#line 22
allow wificond proc_net_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 22
allow wificond proc_net_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 22
# allow wificond to check permission for dumping logs
allow wificond permission_service:service_manager find;
# dumpstate support
allow wificond dumpstate:fd use;
allow wificond dumpstate:fifo_file write;
#### Offer the Wifi Keystore HwBinder service ###
#line 32
# Call the hwservicemanager and transfer references to it.
#line 32
allow wificond hwservicemanager:binder { call transfer };
#line 32
# Allow hwservicemanager to send out callbacks
#line 32
allow hwservicemanager wificond:binder { call transfer };
#line 32
# hwservicemanager performs getpidcon on clients.
#line 32
allow hwservicemanager wificond:dir search;
#line 32
allow hwservicemanager wificond:file { read open map };
#line 32
allow hwservicemanager wificond:process getattr;
#line 32
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 32
# all domains in domain.te.
#line 32
typeattribute wificond wifi_keystore_service_server;
#line 34
allow wificond system_wifi_keystore_hwservice:hwservice_manager { add find };
#line 34
allow wificond hidl_base_hwservice:hwservice_manager add;
#line 34
neverallow { domain -wificond } system_wifi_keystore_hwservice:hwservice_manager add;
#line 34
# Allow keystore2 binder access to serve the HwBinder service.
allow wificond keystore_service:service_manager find;
allow wificond wifi_key:keystore2_key {
get_info
use
};
#line 1 "system/sepolicy/public/zygote.te"
# zygote
type zygote, domain;
type zygote_tmpfs, file_type;
type zygote_exec, system_file_type, exec_type, file_type;
#line 1 "system/sepolicy/private/attributes"
#line 1
attribute hal_lazy_test;
#line 1
expandattribute hal_lazy_test true;
#line 1
attribute hal_lazy_test_client;
#line 1
expandattribute hal_lazy_test_client true;
#line 1
attribute hal_lazy_test_server;
#line 1
expandattribute hal_lazy_test_server false;
#line 1
#line 1
neverallow { hal_lazy_test_server -halserverdomain } domain:process fork;
#line 1
# hal_*_client and halclientdomain attributes are always expanded for
#line 1
# performance reasons. Neverallow rules targeting expanded attributes can not be
#line 1
# verified by CTS since these attributes are already expanded by that time.
#line 1
#line 1
;
# This is applied to apps on vendor images with SDK <=30 only,
# to exempt them from recent mls changes. It must not be applied
# to any domain on a newer system or vendor image.
attribute mlsvendorcompat;
# Attributes for property types having both system_property_type
# and vendor_property_type. Such types are ill-formed because
# property owner attributes must be exclusive.
attribute system_and_vendor_property_type;
expandattribute system_and_vendor_property_type false;
# All SDK sandbox domains
attribute sdk_sandbox_all;
# The SDK sandbox domains for the current SDK level.
attribute sdk_sandbox_current;
#line 1 "system/sepolicy/private/aconfigd.te"
# aconfigd -- manager for aconfig flags
type aconfigd, domain;
type aconfigd_exec, exec_type, file_type, system_file_type;
typeattribute aconfigd coredomain;
#line 7
#line 7
# Allow the necessary permissions.
#line 7
#line 7
# Old domain may exec the file and transition to the new domain.
#line 7
allow init aconfigd_exec:file { getattr open read execute map };
#line 7
allow init aconfigd:process transition;
#line 7
# New domain is entered by executing the file.
#line 7
allow aconfigd aconfigd_exec:file { entrypoint open read execute getattr map };
#line 7
# New domain can send SIGCHLD to its caller.
#line 7
#line 7
# Enable AT_SECURE, i.e. libc secure mode.
#line 7
dontaudit init aconfigd:process noatsecure;
#line 7
# XXX dontaudit candidate but requires further study.
#line 7
allow init aconfigd:process { siginh rlimitinh };
#line 7
#line 7
# Make the transition occur by default.
#line 7
type_transition init aconfigd_exec:process aconfigd;
#line 7
#line 7
# only init is allowed to enter the aconfigd domain
neverallow { domain -init } aconfigd:process transition;
neverallow * aconfigd:process dyntransition;
allow aconfigd metadata_file:dir search;
allow aconfigd {
aconfig_storage_metadata_file
aconfig_storage_flags_metadata_file
}:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow aconfigd {
aconfig_storage_metadata_file
aconfig_storage_flags_metadata_file
}:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow aconfigd aconfigd_socket:sock_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# allow aconfigd to log to the kernel.
allow aconfigd kmsg_device:chr_file { open append write lock map };
# allow aconfigd to read system/system_ext/product partition storage files
allow aconfigd system_aconfig_storage_file:file { getattr open read ioctl lock map watch watch_reads };
allow aconfigd system_aconfig_storage_file:dir { open getattr read search ioctl lock watch watch_reads };
# allow aconfigd to read vendor partition storage files
allow aconfigd vendor_aconfig_storage_file:file { getattr open read ioctl lock map watch watch_reads };
allow aconfigd vendor_aconfig_storage_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 1 "system/sepolicy/private/adbd.te"
### ADB daemon
typeattribute adbd coredomain;
typeattribute adbd mlstrustedsubject;
#line 6
#line 6
# Allow the necessary permissions.
#line 6
#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow init adbd_exec:file { getattr open read execute map };
#line 6
allow init adbd:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow adbd adbd_exec:file { entrypoint open read execute getattr map };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit init adbd:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow init adbd:process { siginh rlimitinh };
#line 6
#line 6
# Make the transition occur by default.
#line 6
type_transition init adbd_exec:process adbd;
#line 6
#line 6
#line 8
# Allow the necessary permissions.
#line 8
#line 8
# Old domain may exec the file and transition to the new domain.
#line 8
allow adbd shell_exec:file { getattr open read execute map };
#line 8
allow adbd shell:process transition;
#line 8
# New domain is entered by executing the file.
#line 8
allow shell shell_exec:file { entrypoint open read execute getattr map };
#line 8
# New domain can send SIGCHLD to its caller.
#line 8
allow shell adbd:process sigchld;
#line 8
# Enable AT_SECURE, i.e. libc secure mode.
#line 8
dontaudit adbd shell:process noatsecure;
#line 8
# XXX dontaudit candidate but requires further study.
#line 8
allow adbd shell:process { siginh rlimitinh };
#line 8
#line 8
# Make the transition occur by default.
#line 8
type_transition adbd shell_exec:process shell;
#line 8
#line 13
# When 'adb shell' is executed in recovery mode, adbd explicitly
# switches into the shell domain using setcon() because the shell executable
# is not labeled as shell but as rootfs.
#line 24
# Control Perfetto traced and obtain traces from it.
# Needed to allow port forwarding directly to traced.
#line 28
allow adbd traced_consumer_socket:sock_file write;
#line 28
allow adbd traced:unix_stream_socket connectto;
#line 28
# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
allow adbd shell:process { noatsecure signal };
# Set UID and GID to shell. Set supplementary groups.
allow adbd self:{ capability cap_userns } { setuid setgid };
# Drop capabilities from bounding set on user builds.
allow adbd self:{ capability cap_userns } setpcap;
# ignore spurious denials for adbd when disk space is low.
dontaudit adbd self:{ capability cap_userns } sys_resource;
# adbd probes for vsock support. Do not generate denials when
# this occurs. (b/123569840)
dontaudit adbd self:{ socket vsock_socket } create;
# Allow adbd inside vm to forward vm's vsock.
allow adbd self:vsock_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } listen accept };
# Create and use network sockets.
#line 51
typeattribute adbd netdomain;
#line 51
# Connect to mdnsd via mdnsd socket.
#line 53
allow adbd mdnsd_socket:sock_file write;
#line 53
allow adbd mdnsd:unix_stream_socket connectto;
#line 53
# Access /dev/usb-ffs/adb/ep0
allow adbd functionfs:dir search;
allow adbd functionfs:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allowxperm adbd functionfs:file ioctl {
0x80096782
0x00006703
};
# Use a pseudo tty.
allow adbd devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# adb push/pull /data/local/tmp.
allow adbd shell_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow adbd shell_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# adb pull /data/local/traces/*
allow adbd trace_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow adbd trace_data_file:file { getattr open read ioctl lock map watch watch_reads };
# adb pull /data/misc/profman.
allow adbd profman_dump_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow adbd profman_dump_data_file:file { getattr open read ioctl lock map watch watch_reads };
# adb push/pull sdcard.
allow adbd tmpfs:dir search;
allow adbd rootfs:lnk_file { getattr open read ioctl lock map watch watch_reads }; # /sdcard symlink
allow adbd tmpfs:lnk_file { getattr open read ioctl lock map watch watch_reads }; # /mnt/sdcard symlink
allow adbd { sdcard_type fuse }:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow adbd { sdcard_type fuse }:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# adb pull /data/anr/traces.txt
allow adbd anr_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow adbd anr_data_file:file { getattr open read ioctl lock map watch watch_reads };
# adb pull /vendor/framework/*
allow adbd vendor_framework_file:dir { open getattr read search ioctl lock watch watch_reads };
allow adbd vendor_framework_file:file { getattr open read ioctl lock map watch watch_reads };
# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
#line 94
#line 94
allow adbd property_socket:sock_file write;
#line 94
allow adbd init:unix_stream_socket connectto;
#line 94
#line 94
allow adbd shell_prop:property_service set;
#line 94
#line 94
allow adbd shell_prop:file { getattr open read map };
#line 94
#line 94
#line 95
#line 95
allow adbd property_socket:sock_file write;
#line 95
allow adbd init:unix_stream_socket connectto;
#line 95
#line 95
allow adbd powerctl_prop:property_service set;
#line 95
#line 95
allow adbd powerctl_prop:file { getattr open read map };
#line 95
#line 95
#line 96
allow adbd ffs_config_prop:file { getattr open read map };
#line 96
#line 97
#line 97
allow adbd property_socket:sock_file write;
#line 97
allow adbd init:unix_stream_socket connectto;
#line 97
#line 97
allow adbd ffs_control_prop:property_service set;
#line 97
#line 97
allow adbd ffs_control_prop:file { getattr open read map };
#line 97
#line 97
# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
#line 100
#line 100
allow adbd property_socket:sock_file write;
#line 100
allow adbd init:unix_stream_socket connectto;
#line 100
#line 100
allow adbd adbd_prop:property_service set;
#line 100
#line 100
allow adbd adbd_prop:file { getattr open read map };
#line 100
#line 100
#line 101
#line 101
allow adbd property_socket:sock_file write;
#line 101
allow adbd init:unix_stream_socket connectto;
#line 101
#line 101
allow adbd adbd_config_prop:property_service set;
#line 101
#line 101
allow adbd adbd_config_prop:file { getattr open read map };
#line 101
#line 101
# Allow adbd start/stop mdnsd via ctl.start
#line 104
#line 104
allow adbd property_socket:sock_file write;
#line 104
allow adbd init:unix_stream_socket connectto;
#line 104
#line 104
allow adbd ctl_mdnsd_prop:property_service set;
#line 104
#line 104
allow adbd ctl_mdnsd_prop:file { getattr open read map };
#line 104
#line 104
# Access device logging gating property
#line 107
allow adbd device_logging_prop:file { getattr open read map };
#line 107
# Read device's serial number from system properties
#line 110
allow adbd serialno_prop:file { getattr open read map };
#line 110
# Read whether or not Test Harness Mode is enabled
#line 113
allow adbd test_harness_prop:file { getattr open read map };
#line 113
# Read persist.adb.tls_server.enable property
#line 116
allow adbd system_adbd_prop:file { getattr open read map };
#line 116
# Read device's overlayfs related properties and files
#line 122
# Run /system/bin/bu
allow adbd system_file:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Perform binder IPC to surfaceflinger (screencap)
# XXX Run screencap in a separate domain?
#line 129
# Call the servicemanager and transfer references to it.
#line 129
allow adbd servicemanager:binder { call transfer };
#line 129
# Allow servicemanager to send out callbacks
#line 129
allow servicemanager adbd:binder { call transfer };
#line 129
# servicemanager performs getpidcon on clients.
#line 129
allow servicemanager adbd:dir search;
#line 129
allow servicemanager adbd:file { read open };
#line 129
allow servicemanager adbd:process getattr;
#line 129
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 129
# all domains in domain.te.
#line 129
#line 130
# Call the server domain and optionally transfer references to it.
#line 130
allow adbd surfaceflinger:binder { call transfer };
#line 130
# Allow the serverdomain to transfer references to the client on the reply.
#line 130
allow surfaceflinger adbd:binder transfer;
#line 130
# Receive and use open files from the server.
#line 130
allow adbd surfaceflinger:fd use;
#line 130
#line 131
# Call the server domain and optionally transfer references to it.
#line 131
allow adbd gpuservice:binder { call transfer };
#line 131
# Allow the serverdomain to transfer references to the client on the reply.
#line 131
allow gpuservice adbd:binder transfer;
#line 131
# Receive and use open files from the server.
#line 131
allow adbd gpuservice:fd use;
#line 131
# b/13188914
allow adbd gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow adbd gpu_device:dir { open getattr read search ioctl lock watch watch_reads };
allow adbd ion_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 136
allow adbd system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 136
allow adbd system_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 136
# Needed for various screenshots
#line 139
typeattribute adbd halclientdomain;
#line 139
typeattribute adbd hal_graphics_allocator_client;
#line 139
#line 139
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 139
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 139
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 139
#line 139
typeattribute adbd hal_graphics_allocator;
#line 139
# Find passthrough HAL implementations
#line 139
allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 139
allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 139
allow hal_graphics_allocator vendor_file:file { read open getattr execute map };
#line 139
#line 139
# Read /data/misc/adb/adb_keys.
allow adbd adb_keys_file:dir search;
allow adbd adb_keys_file:file { getattr open read ioctl lock map watch watch_reads };
#line 151
# ndk-gdb invokes adb forward to forward the gdbserver socket.
allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto;
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file { getattr open read ioctl lock map watch watch_reads };
allow adbd system_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow pulling the SELinux policy for CTS purposes
allow adbd selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
allow adbd selinuxfs:file { getattr open read ioctl lock map watch watch_reads };
allow adbd kernel:security read_policy;
allow adbd service_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
allow adbd file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
allow adbd seapp_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
allow adbd property_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
allow adbd sepolicy_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow pulling config.gz for CTS purposes
allow adbd config_gz:file { getattr open read ioctl lock map watch watch_reads };
# For CTS listening ports test.
allow adbd proc_net_tcp_udp:file { getattr open read ioctl lock map watch watch_reads };
allow adbd gpu_service:service_manager find;
allow adbd surfaceflinger_service:service_manager find;
allow adbd bootchart_data_file:dir search;
allow adbd bootchart_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow adbd storage_file:dir { open getattr read search ioctl lock watch watch_reads };
allow adbd storage_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
allow adbd mnt_user_file:dir { open getattr read search ioctl lock watch watch_reads };
allow adbd mnt_user_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow adbd media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow adbd media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
#line 196
allow adbd apk_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 196
allow adbd apk_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 196
allow adbd rootfs:dir { open getattr read search ioctl lock watch watch_reads };
# Allow killing child "perfetto" binary processes, which auto-transition to
# their own domain. Allows propagating termination of "adb shell perfetto ..."
# invocations.
allow adbd perfetto:process signal;
# Allow to pull Perfetto traces.
allow adbd perfetto_traces_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow adbd perfetto_traces_data_file:dir { open getattr read search ioctl lock watch watch_reads };
# Allow to push and manage configs in /data/misc/perfetto-configs.
allow adbd perfetto_configs_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow adbd perfetto_configs_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Connect to shell and use a socket transferred from it.
# Used for e.g. abb.
allow adbd shell:unix_stream_socket { read write shutdown };
allow adbd shell:fd use;
# Allow pull /vendor/apex files for CTS tests
allow adbd vendor_apex_file:dir search;
allow adbd vendor_apex_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow adb pull of updated apex files in /data/apex/active.
allow adbd apex_data_file:dir search;
allow adbd staging_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow adbd to pull /apex/apex-info-list.xml for CTS tests.
allow adbd apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow reading tombstones. Users can already use bugreports to get those.
allow adbd tombstone_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow adbd tombstone_data_file:file { getattr open read ioctl lock map watch watch_reads };
###
### Neverallow rules
###
# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
# transitions to the shell domain (except when it crashes). In particular, we
# never want to see a transition from adbd to su (aka "adb root")
neverallow adbd { domain -crash_dump -shell }:process transition;
# Unlike the exec-based transition above, dyntransition is denied towards every
# domain with no exclusions: adbd must never be able to relabel itself in place.
neverallow adbd { domain }:process dyntransition;
#line 5 "system/sepolicy/private/aidl_lazy_test_server.te"
#line 1 "system/sepolicy/private/apex_test_prepostinstall.te"
# APEX pre- & post-install test.
#
# Allow to run pre- and post-install hooks for APEX test modules
# in debuggable builds.
type apex_test_prepostinstall, domain, coredomain;
type apex_test_prepostinstall_exec, system_file_type, exec_type, file_type;
#line 20
#line 1 "system/sepolicy/private/apexd.te"
typeattribute apexd coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init apexd_exec:file { getattr open read execute map };
#line 3
allow init apexd:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow apexd apexd_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init apexd:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init apexd:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init apexd_exec:process apexd;
#line 3
#line 3
# Allow creating, reading and writing of APEX files/dirs in the APEX data dir
allow apexd apex_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow apexd apex_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow relabeling file created in /data/apex/decompressed
allow apexd apex_data_file:file relabelfrom;
# Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir
allow apexd metadata_file:dir search;
allow apexd apex_metadata_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow apexd apex_metadata_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow reserving space on /data/apex/ota_reserved for apex decompression
allow apexd apex_ota_reserved_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow apexd apex_ota_reserved_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow apexd to create files and directories for snapshots of apex data
allow apexd apex_data_file_type:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelto };
allow apexd apex_data_file_type:file { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } relabelto };
allow apexd apex_module_data_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelfrom };
allow apexd apex_module_data_file:file { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } relabelfrom };
allow apexd apex_rollback_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow apexd apex_rollback_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow apexd to read /data/misc_de and the directories under it, in order to
# snapshot and restore apex data for all users.
allow apexd {
system_userdir_file
system_data_file
}:dir { open getattr read search ioctl lock watch watch_reads };
# allow apexd to create loop devices with /dev/loop-control
allow apexd loop_control_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# allow apexd to access loop devices
allow apexd loop_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Loop-device ioctls are restricted to an explicit list rather than granted
# wholesale via the ioctl permission above. The names are the linux/loop.h
# (and linux/fs.h for BLKFLSBUF) constants that carry these values.
allowxperm apexd loop_device:blk_file ioctl {
0x00004c05 # LOOP_GET_STATUS64
0x00004c04 # LOOP_SET_STATUS64
0x00004c00 # LOOP_SET_FD
0x00004c09 # LOOP_SET_BLOCK_SIZE
0x00004c08 # LOOP_SET_DIRECT_IO
0x00004c01 # LOOP_CLR_FD
0x00001261 # BLKFLSBUF
0x00004c0a # LOOP_CONFIGURE
};
# Allow apexd to access /dev/block
allow apexd dev_type:dir { open getattr read search ioctl lock watch watch_reads };
allow apexd dev_type:blk_file getattr;
# allow apexd to access virtual disks
allow apexd vd_device:blk_file { getattr open read ioctl lock map watch watch_reads };
# allow apexd to access /dev/block/dm-* (device-mapper entries)
allow apexd dm_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow apexd dm_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# sys_admin is required to access the device-mapper and mount
# dac_override, chown, and fowner are needed for snapshot and restore
allow apexd self:{ capability cap_userns } { sys_admin chown dac_override dac_read_search fowner };
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set. We do not appear to truly need this capability
# for apexd to operate.
dontaudit apexd self:{ capability cap_userns } fsetid;
# allow apexd to create a mount point in /apex
allow apexd apex_mnt_dir:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
# allow apexd to mount in /apex
allow apexd apex_mnt_dir:filesystem { mount unmount };
allow apexd apex_mnt_dir:dir mounton;
# allow apexd to create symlinks in /apex
allow apexd apex_mnt_dir:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
allow apexd apex_mnt_dir:file { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } relabelfrom mounton };
allow apexd apex_info_file:file relabelto;
# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
allow apexd apex_info_file:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# allow apexd to unlink apex files in /data/apex/active
# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
# because it doesn't have write permission for staging_data_file object.
allow apexd staging_data_file:file unlink;
# allow apexd to read files from /data/app-staging and hardlink them to /data/apex.
allow apexd staging_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow apexd staging_data_file:file { { getattr open read ioctl lock map watch watch_reads } link };
# Allow relabeling file created in /data/apex/decompressed
allow apexd staging_data_file:file relabelto;
# allow apexd to read files from /vendor/apex
#line 97
allow apexd vendor_apex_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 97
allow apexd vendor_apex_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 97
#line 98
allow apexd vendor_apex_metadata_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 98
allow apexd vendor_apex_metadata_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 98
# Unmount and mount filesystems
allow apexd labeledfs:filesystem { mount unmount };
# /sys directory tree traversal
allow apexd sysfs_type:dir search;
# Access to /sys/class/block
allow apexd sysfs_type:dir { open getattr read search ioctl lock watch watch_reads };
allow apexd sysfs_type:file { getattr open read ioctl lock map watch watch_reads };
# Configure read-ahead of dm-verity and loop devices
# for dm-X
allow apexd sysfs_dm:dir { open getattr read search ioctl lock watch watch_reads };
allow apexd sysfs_dm:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# for loopX
allow apexd sysfs_loop:dir { open getattr read search ioctl lock watch watch_reads };
allow apexd sysfs_loop:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow apexd to log to the kernel.
allow apexd kmsg_device:chr_file { open append write lock map };
# Allow apexd to reboot device. Required for rollbacks of apexes that are
# not covered by rollback manager.
#line 121
#line 121
allow apexd property_socket:sock_file write;
#line 121
allow apexd init:unix_stream_socket connectto;
#line 121
#line 121
allow apexd powerctl_prop:property_service set;
#line 121
#line 121
allow apexd powerctl_prop:file { getattr open read map };
#line 121
#line 121
# Allow apexd to stop itself
#line 124
#line 124
allow apexd property_socket:sock_file write;
#line 124
allow apexd init:unix_stream_socket connectto;
#line 124
#line 124
allow apexd ctl_apexd_prop:property_service set;
#line 124
#line 124
allow apexd ctl_apexd_prop:file { getattr open read map };
#line 124
#line 124
# Allow apexd to send control messages to load/unload apex from init
#line 127
#line 127
allow apexd property_socket:sock_file write;
#line 127
allow apexd init:unix_stream_socket connectto;
#line 127
#line 127
allow apexd ctl_apex_load_prop:property_service set;
#line 127
#line 127
allow apexd ctl_apex_load_prop:file { getattr open read map };
#line 127
#line 127
# Find the vold service, and call into vold to manage FS checkpoints
allow apexd vold_service:service_manager find;
#line 131
# Call the server domain and optionally transfer references to it.
#line 131
allow apexd vold:binder { call transfer };
#line 131
# Allow the serverdomain to transfer references to the client on the reply.
#line 131
allow vold apexd:binder transfer;
#line 131
# Receive and use open files from the server.
#line 131
allow apexd vold:fd use;
#line 131
# apexd is using bootstrap bionic
#line 134
allow apexd system_bootstrap_lib_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 134
allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
#line 134
# Allow apexd to be invoked with logwrapper from init during userspace reboot.
allow apexd devpts:chr_file { read write };
# Allow apexd to create pts files via logwrap_fork_exec for its own use, to pass to
# other processes
#line 141
# Each domain gets a unique devpts type.
#line 141
type apexd_devpts, fs_type;
#line 141
# Label the pty with the unique type when created.
#line 141
type_transition apexd devpts:chr_file apexd_devpts;
#line 141
# Allow use of the pty after creation.
#line 141
allow apexd apexd_devpts:chr_file { open getattr read write ioctl };
#line 141
# Only the terminal ioctls below are permitted on apexd's own pty. In order,
# the values are TIOCOUTQ, FIOCLEX, FIONCLEX, TCGETS, TCSETS, TCSETSW, TCSETSF,
# TIOCGWINSZ, TIOCSWINSZ, then TIOCSCTTY, TCFLSH, TIOCSPGRP and TIOCGPGRP.
allowxperm apexd apexd_devpts:chr_file ioctl {
#line 141
0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414
#line 141
0x0000540e 0x0000540b 0x00005410 0x0000540f
#line 141
};
#line 141
# TIOCSTI is only ever used for exploits. Block it.
#line 141
# b/33073072, b/7530569
#line 141
# http://www.openwall.com/lists/oss-security/2016/09/26/14
#line 141
# 0x5412 is TIOCSTI; the rule applies to every domain, not just apexd.
neverallowxperm * apexd_devpts:chr_file ioctl 0x00005412;
#line 141
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
#line 141
# allowed to everyone via domain.te.
#line 141
# Allow apexd to read file contexts when performing restorecon of snapshots.
allow apexd file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow apexd to execute toybox for snapshot & restore
allow apexd toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow apexd to release compressed blocks in case /data is f2fs-compressed fs.
# NOTE(review): 0x80086601 looks like FS_IOC_GETFLAGS and 0xf512 like the low
# 16 bits of F2FS_IOC_RELEASE_COMPRESS_BLOCKS (ioctl xperms key only on the low
# 16 bits of the command) — confirm against the kernel headers in use.
allowxperm apexd staging_data_file:file ioctl {
0x80086601
0xf512
};
# Allow apexd to read ro.cold_boot_done prop.
# apexd uses it to decide whether it needs to keep retrying polling for loop device.
#line 157
allow apexd cold_boot_done_prop:file { getattr open read map };
#line 157
# Allow apexd to read per-device configuration properties.
#line 160
allow apexd apexd_config_prop:file { getattr open read map };
#line 160
# Allow apexd to read apex selection properties.
# These are used to choose between multi-installed APEXes at activation time.
#line 164
allow apexd apexd_select_prop:file { getattr open read map };
#line 164
#
# Allow apexd to read apexd_payload_metadata_prop
#line 167
allow apexd apexd_payload_metadata_prop:file { getattr open read map };
#line 167
# Integrity of the APEX data trees: only apexd and init may create, link,
# rename, relabel or write into apex_data_file and apex_metadata_file (the
# kernel is additionally exempted at file level), and vold_prepare_subdirs is
# further exempted for the per-module and rollback data trees. Every exclusion
# here is a writer that bypasses apexd, so additions to these lists deserve a
# careful review.
neverallow { domain -apexd -init } apex_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
neverallow { domain -apexd -init } apex_metadata_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
neverallow { domain -apexd -init -kernel } apex_data_file:file { append create link unlink relabelfrom rename setattr write };
neverallow { domain -apexd -init -kernel } apex_metadata_file:file { append create link unlink relabelfrom rename setattr write };
# Symlinks under /apex are apexd's alone; not even init is exempted here.
neverallow { domain -apexd } apex_mnt_dir:lnk_file { append create link unlink relabelfrom rename setattr write };
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:file { append create link unlink relabelfrom rename setattr write };
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file { append create link unlink relabelfrom rename setattr write };
# only apexd can set apexd sysprop
#line 182
#line 182
allow apexd property_socket:sock_file write;
#line 182
allow apexd init:unix_stream_socket connectto;
#line 182
#line 182
allow apexd apexd_prop:property_service set;
#line 182
#line 182
allow apexd apexd_prop:file { getattr open read map };
#line 182
#line 182
neverallow { domain -apexd -init } apexd_prop:property_service set;
# only apexd can write apex-info-list.xml
neverallow { domain -apexd } apex_info_file:file { append create link unlink relabelfrom rename setattr write };
# Only apexd and init should be allowed to manage /apex mounts
# A note on otapreopt_chroot. It used to mount APEXes during the postinstall stage of A/B OTAs,
# but starting from S it just calls into apexd to prepare /apex for otapreopt. Once the sepolicies
# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below.
neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:dir { mounton };
# Allow for use in postinstall
allow apexd otapreopt_chroot:fd use;
allow apexd postinstall_apex_mnt_dir:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } mounton };
allow apexd postinstall_apex_mnt_dir:file { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } relabelfrom };
allow apexd postinstall_apex_mnt_dir:lnk_file create;
allow apexd proc_filesystems:file { getattr open read ioctl lock map watch watch_reads };
# Allow calling derive_classpath to gather BCP information for staged sessions
#line 203
# Allow the necessary permissions.
#line 203
#line 203
# Old domain may exec the file and transition to the new domain.
#line 203
allow apexd derive_classpath_exec:file { getattr open read execute map };
#line 203
allow apexd apexd_derive_classpath:process transition;
#line 203
# New domain is entered by executing the file.
#line 203
allow apexd_derive_classpath derive_classpath_exec:file { entrypoint open read execute getattr map };
#line 203
# New domain can send SIGCHLD to its caller.
#line 203
allow apexd_derive_classpath apexd:process sigchld;
#line 203
# Enable AT_SECURE, i.e. libc secure mode.
#line 203
dontaudit apexd apexd_derive_classpath:process noatsecure;
#line 203
# XXX dontaudit candidate but requires further study.
#line 203
allow apexd apexd_derive_classpath:process { siginh rlimitinh };
#line 203
#line 203
# Make the transition occur by default.
#line 203
type_transition apexd derive_classpath_exec:process apexd_derive_classpath;
#line 203
;
# Allow set apex ready property
#line 206
#line 206
allow apexd property_socket:sock_file write;
#line 206
allow apexd init:unix_stream_socket connectto;
#line 206
#line 206
allow apexd apex_ready_prop:property_service set;
#line 206
#line 206
allow apexd apex_ready_prop:file { getattr open read map };
#line 206
#line 206
#line 1 "system/sepolicy/private/apexd_derive_classpath.te"
# Exclusive domain for apexd calling into derive_classpath binary
type apexd_derive_classpath, domain, coredomain;
# Allow the binary to write into output file at location /apex/derive_classpath_temp
allow apexd_derive_classpath apexd:fd use;
allow apexd_derive_classpath apex_mnt_dir:file { write open };
# Allow the binary to log using logwrap
allow apexd_derive_classpath apexd_devpts:chr_file { read write };
#line 1 "system/sepolicy/private/app.te"
# /proc/net access.
# TODO(b/9496886) Audit access for removal.
# proc_net access for the negated domains below is granted (or not) in their
# individual .te files.
#line 5
allow {
#line 5
appdomain
#line 5
-ephemeral_app
#line 5
-isolated_app_all
#line 5
-platform_app
#line 5
-priv_app
#line 5
-shell
#line 5
-sdk_sandbox_all
#line 5
-system_app
#line 5
-untrusted_app_all
#line 5
} proc_net_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 5
allow {
#line 5
appdomain
#line 5
-ephemeral_app
#line 5
-isolated_app_all
#line 5
-platform_app
#line 5
-priv_app
#line 5
-shell
#line 5
-sdk_sandbox_all
#line 5
-system_app
#line 5
-untrusted_app_all
#line 5
} proc_net_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 15
# audit access for all these non-core app domains.
#line 30
# Allow apps to read the Test Harness Mode property. This property is used in
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
#line 34
allow appdomain test_harness_prop:file { getattr open read map };
#line 34
#line 36
allow appdomain boot_status_prop:file { getattr open read map };
#line 36
#line 37
allow appdomain dalvik_config_prop_type:file { getattr open read map };
#line 37
#line 38
allow appdomain media_config_prop:file { getattr open read map };
#line 38
#line 39
allow appdomain packagemanager_config_prop:file { getattr open read map };
#line 39
#line 40
allow appdomain radio_control_prop:file { getattr open read map };
#line 40
#line 41
allow appdomain surfaceflinger_color_prop:file { getattr open read map };
#line 41
#line 42
allow appdomain systemsound_config_prop:file { getattr open read map };
#line 42
#line 43
allow appdomain telephony_config_prop:file { getattr open read map };
#line 43
#line 44
allow appdomain userspace_reboot_config_prop:file { getattr open read map };
#line 44
#line 45
allow appdomain vold_config_prop:file { getattr open read map };
#line 45
#line 46
allow appdomain adbd_config_prop:file { getattr open read map };
#line 46
#line 47
allow appdomain dck_prop:file { getattr open read map };
#line 47
#line 48
allow appdomain persist_wm_debug_prop:file { getattr open read map };
#line 48
#line 49
allow appdomain persist_sysui_builder_extras_prop:file { getattr open read map };
#line 49
#line 50
allow appdomain persist_sysui_ranking_update_prop:file { getattr open read map };
#line 50
# Allow the heap dump ART plugin to read the count of sessions waiting for OOME
#line 53
allow appdomain traced_oome_heap_session_count_prop:file { getattr open read map };
#line 53
# Allow to read ro.vendor.camera.extensions.enabled
#line 56
allow appdomain camera2_extensions_prop:file { getattr open read map };
#line 56
# Allow reading ro.camerax.extensions.enabled
#line 59
allow appdomain camerax_extensions_prop:file { getattr open read map };
#line 59
# Prevent apps from causing presubmit failures.
# Apps can cause selinux denials by accessing CE storage
# and/or external storage. In either case, the selinux denial is
# not the cause of the failure, but just a symptom that
# storage isn't ready. Many apps handle the failure appropriately.
#
# Apps cannot access external storage before it becomes available.
dontaudit appdomain storage_stub_file:dir getattr;
# Attempts to write to system_data_file are generally a sign
# that apps are attempting to access encrypted storage before
# the ACTION_USER_UNLOCKED intent is delivered. Apps are not
# allowed to write to CE storage before it's available.
# Attempting to do so will be blocked by both selinux and unix
# permissions.
dontaudit appdomain system_data_file:dir write;
# Apps should not be reading vendor-defined properties.
dontaudit appdomain vendor_default_prop:file read;
# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
allow { appdomain -sdk_sandbox_all } mnt_media_rw_file:dir search;
# allow apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow appdomain system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
# Transition to a non-app domain.
# Exception for the shell and su domains, can transition to runas, etc.
# Exception for crash_dump to allow for app crash reporting.
# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
# to allow renderscript to create privileged executable files.
# Exception for virtualizationmanager to allow running VMs as child processes.
neverallow { appdomain -shell }
{ domain -appdomain -crash_dump -rs -virtualizationmanager }:process { transition };
neverallow { appdomain -shell }
{ domain -appdomain }:process { dyntransition };
# Don't allow regular apps access to storage configuration properties.
neverallow { appdomain -mediaprovider_app } storage_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Don't allow apps to read /system/etc/font_fallback.xml
dontaudit appdomain system_font_fallback_file:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow appdomain system_font_fallback_file:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Allow to read sendbug.preferred.domain
#line 110
allow appdomain sendbug_config_prop:file { getattr open read map };
#line 110
# Allow to read graphics related properties.
#line 113
allow appdomain graphics_config_prop:file { getattr open read map };
#line 113
# Allow to read persist.config.calibration_fac
#line 116
allow appdomain camera_calibration_prop:file { getattr open read map };
#line 116
# Allow to read db.log.detailed, db.log.slow_query_threshold*
#line 119
allow appdomain sqlite_log_prop:file { getattr open read map };
#line 119
# Allow to read system_user_mode_emulation_prop, which is used by UserManager.java
# Allow font file read by apps.
allow appdomain font_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow appdomain font_data_file:dir { open getattr read search ioctl lock watch watch_reads };
# Enter /data/misc/apexdata/
allow appdomain apex_module_data_file:dir search;
# Read /data/misc/apexdata/com.android.art, execute signed AOT artifacts.
allow appdomain apex_art_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow appdomain apex_art_data_file:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow access to tombstones if an fd to one is given to you.
# An app cannot open the tombstone itself because it lacks `open`.
allow appdomain tombstone_data_file:file { getattr read };
neverallow { appdomain -shell } tombstone_data_file:file ~{ getattr read };
# Execute the shell or other system executables.
allow { appdomain -ephemeral_app -sdk_sandbox_all } shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow { appdomain -ephemeral_app -sdk_sandbox_all } toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow { appdomain -ephemeral_app -sdk_sandbox_all } vendor_file:file { getattr execute execute_no_trans map };
# Allow apps access to /vendor/app except for privileged
# apps which cannot be in /vendor.
#line 146
allow { appdomain -ephemeral_app -sdk_sandbox_all } vendor_app_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 146
allow { appdomain -ephemeral_app -sdk_sandbox_all } vendor_app_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 146
allow { appdomain -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;
# Allow apps to read microdroid-related files in the vendor partition for CTS purposes.
#line 150
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_microdroid_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 150
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_microdroid_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 150
# Perform binder IPC to sdk sandbox.
#line 153
# Call the server domain and optionally transfer references to it.
#line 153
allow appdomain sdk_sandbox_all:binder { call transfer };
#line 153
# Allow the serverdomain to transfer references to the client on the reply.
#line 153
allow sdk_sandbox_all appdomain:binder transfer;
#line 153
# Receive and use open files from the server.
#line 153
allow appdomain sdk_sandbox_all:fd use;
#line 153
# Allow apps to communicate via binder with virtual camera service.
#line 156
# Call the server domain and optionally transfer references to it.
#line 156
allow appdomain virtual_camera:binder { call transfer };
#line 156
# Allow the serverdomain to transfer references to the client on the reply.
#line 156
allow virtual_camera appdomain:binder transfer;
#line 156
# Receive and use open files from the server.
#line 156
allow appdomain virtual_camera:fd use;
#line 156
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:dir { open getattr read search ioctl lock watch watch_reads };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:dir { open getattr read search ioctl lock watch watch_reads };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
# Read/write visible storage
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usb_device:chr_file { read write getattr ioctl };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usbaccessory_device:chr_file { read write getattr };
# logd access
#line 182
# Group AID_LOG checked by filesystem & logd
#line 182
# to permit control commands
#line 182
#line 182
allow { appdomain -ephemeral_app -sdk_sandbox_all } logd_socket:sock_file write;
#line 182
allow { appdomain -ephemeral_app -sdk_sandbox_all } logd:unix_stream_socket connectto;
#line 182
#line 182
# Applications inherit the logd write socket (the intent is to deprecate this long term).
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_maintenance_service:service_manager find;
#line 189
allow keystore { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:dir search;
#line 189
allow keystore { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:file { read open };
#line 189
allow keystore { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:process getattr;
#line 189
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } apc_service:service_manager find;
#line 189
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_service:service_manager find;
#line 189
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } legacykeystore_service:service_manager find;
#line 189
#line 189
# Call the server domain and optionally transfer references to it.
#line 189
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:binder { call transfer };
#line 189
# Allow the serverdomain to transfer references to the client on the reply.
#line 189
allow keystore { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:binder transfer;
#line 189
# Receive and use open files from the server.
#line 189
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:fd use;
#line 189
#line 189
#line 189
# Call the server domain and optionally transfer references to it.
#line 189
allow keystore { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:binder { call transfer };
#line 189
# Allow the serverdomain to transfer references to the client on the reply.
#line 189
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:binder transfer;
#line 189
# Receive and use open files from the server.
#line 189
allow keystore { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:fd use;
#line 189
#line 189
#line 191
allow credstore { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:dir search;
#line 191
allow credstore { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:file { read open };
#line 191
allow credstore { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:process getattr;
#line 191
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } credstore_service:service_manager find;
#line 191
#line 191
# Call the server domain and optionally transfer references to it.
#line 191
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } credstore:binder { call transfer };
#line 191
# Allow the serverdomain to transfer references to the client on the reply.
#line 191
allow credstore { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:binder transfer;
#line 191
# Receive and use open files from the server.
#line 191
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } credstore:fd use;
#line 191
#line 191
#line 191
# Call the server domain and optionally transfer references to it.
#line 191
allow credstore { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:binder { call transfer };
#line 191
# Allow the serverdomain to transfer references to the client on the reply.
#line 191
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } credstore:binder transfer;
#line 191
# Receive and use open files from the server.
#line 191
allow credstore { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:fd use;
#line 191
#line 191
# For app fuse.
#line 194
#line 194
# Allow client to open the service endpoint file.
#line 194
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_client_endpoint_dir_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 194
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_client_endpoint_socket_type:sock_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 194
# Allow the client to connect to endpoint socket.
#line 194
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_client_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
#line 194
#line 194
#line 194
# Allow the client to use the PDX channel socket.
#line 194
# Not using a macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 194
# than we need (e.g. we don't need "bind" or "connect").
#line 194
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_client_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
#line 194
# Client needs to use a channel event fd from the server.
#line 194
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_client_server_type:fd use;
#line 194
# Servers may receive sync fences, gralloc buffers, etc, from clients.
#line 194
# This could be tightened on a per-server basis, but keeping track of service
#line 194
# clients is error prone.
#line 194
allow pdx_display_client_server_type { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:fd use;
#line 194
#line 194
#line 195
#line 195
# Allow client to open the service endpoint file.
#line 195
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_manager_endpoint_dir_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 195
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_manager_endpoint_socket_type:sock_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 195
# Allow the client to connect to endpoint socket.
#line 195
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_manager_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
#line 195
#line 195
#line 195
# Allow the client to use the PDX channel socket.
#line 195
# Not using a macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 195
# than we need (e.g. we don't need "bind" or "connect").
#line 195
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_manager_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
#line 195
# Client needs to use a channel event fd from the server.
#line 195
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_manager_server_type:fd use;
#line 195
# Servers may receive sync fences, gralloc buffers, etc, from clients.
#line 195
# This could be tightened on a per-server basis, but keeping track of service
#line 195
# clients is error prone.
#line 195
allow pdx_display_manager_server_type { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:fd use;
#line 195
#line 195
#line 196
#line 196
# Allow client to open the service endpoint file.
#line 196
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_vsync_endpoint_dir_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 196
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_vsync_endpoint_socket_type:sock_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 196
# Allow the client to connect to endpoint socket.
#line 196
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_vsync_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
#line 196
#line 196
#line 196
# Allow the client to use the PDX channel socket.
#line 196
# Not using a macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 196
# than we need (e.g. we don't need "bind" or "connect").
#line 196
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_vsync_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
#line 196
# Client needs to use a channel event fd from the server.
#line 196
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_display_vsync_server_type:fd use;
#line 196
# Servers may receive sync fences, gralloc buffers, etc, from clients.
#line 196
# This could be tightened on a per-server basis, but keeping track of service
#line 196
# clients is error prone.
#line 196
allow pdx_display_vsync_server_type { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:fd use;
#line 196
#line 196
#line 197
#line 197
# Allow client to open the service endpoint file.
#line 197
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_performance_client_endpoint_dir_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 197
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_performance_client_endpoint_socket_type:sock_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 197
# Allow the client to connect to endpoint socket.
#line 197
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_performance_client_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
#line 197
#line 197
#line 197
# Allow the client to use the PDX channel socket.
#line 197
# Not using a macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 197
# than we need (e.g. we don't need "bind" or "connect").
#line 197
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_performance_client_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
#line 197
# Client needs to use a channel event fd from the server.
#line 197
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_performance_client_server_type:fd use;
#line 197
# Servers may receive sync fences, gralloc buffers, etc, from clients.
#line 197
# This could be tightened on a per-server basis, but keeping track of service
#line 197
# clients is error prone.
#line 197
allow pdx_performance_client_server_type { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:fd use;
#line 197
#line 197
# Apps do not directly open the IPC socket for bufferhubd.
#line 199
# Allow the client to use the PDX channel socket.
#line 199
# Not using a macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 199
# than we need (e.g. we don't need "bind" or "connect").
#line 199
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_bufferhub_client_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
#line 199
# Client needs to use a channel event fd from the server.
#line 199
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } pdx_bufferhub_client_server_type:fd use;
#line 199
# Servers may receive sync fences, gralloc buffers, etc, from clients.
#line 199
# This could be tightened on a per-server basis, but keeping track of service
#line 199
# clients is error prone.
#line 199
allow pdx_bufferhub_client_server_type { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:fd use;
#line 199
# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted apps to directly open tun_device.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file { read write getattr append ioctl };
allowxperm { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file ioctl 0x800454d2;
# WebView and other application-specific JIT compilers
allow appdomain self:process execmem;
allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;
# Receive and use open file descriptors inherited from app zygote.
allow appdomain app_zygote:fd use;
# gdbserver for ndk-gdb reads the zygote.
# valgrind needs mmap exec for zygote
allow appdomain zygote_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Notify zygote of death;
allow appdomain zygote:process sigchld;
# Read /data/dalvik-cache.
allow appdomain dalvikcache_data_file:dir { search getattr };
allow appdomain dalvikcache_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Read the /sdcard and /mnt/sdcard symlinks
allow { appdomain -isolated_app_all -sdk_sandbox_all } rootfs:lnk_file { getattr open read ioctl lock map watch watch_reads };
allow { appdomain -isolated_app_all -sdk_sandbox_all } tmpfs:lnk_file { getattr open read ioctl lock map watch watch_reads };
# Search /storage/emulated tmpfs mount.
allow { appdomain -sdk_sandbox_all } tmpfs:dir { open getattr read search ioctl lock watch watch_reads };
# Notify zygote of the wrapped process PID when using --invoke-with.
allow appdomain zygote:fifo_file write;
#line 243
# Notify shell and adbd of death when spawned via runas for ndk-gdb.
allow appdomain shell:process sigchld;
allow appdomain adbd:process sigchld;
# child shell or gdbserver pty access for runas.
allow appdomain devpts:chr_file { getattr read write ioctl };
# Use pipes and sockets provided by system_server via binder or local socket.
allow appdomain system_server:fd use;
allow appdomain system_server:fifo_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
# For AppFuse.
allow appdomain vold:fd use;
# Communication with other apps via fifos
allow appdomain appdomain:fifo_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# App sandbox file accesses.
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allowxperm { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file ioctl 0x6686;
# Access via already open fds is ok even for mlstrustedsubject.
allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
# Access open fds from SDK sandbox
allow appdomain sdk_sandbox_data_file:file { getattr read };
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir { open getattr read search ioctl lock watch watch_reads };
# Keychain and user-trusted credentials
#line 282
allow appdomain keychain_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 282
allow appdomain keychain_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 282
allow appdomain misc_user_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow appdomain misc_user_data_file:file { getattr open read ioctl lock map watch watch_reads };
# TextClassifier
#line 287
allow { appdomain -isolated_app_all } textclassifier_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 287
allow { appdomain -isolated_app_all } textclassifier_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 287
# Access to OEM provided data and apps
allow appdomain oemfs:dir { open getattr read search ioctl lock watch watch_reads };
allow appdomain oemfs:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow appdomain system_file:file { getattr execute execute_no_trans map };
# Renderscript needs the ability to read directories on /system
allow appdomain system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow appdomain system_file:lnk_file { getattr open read };
# Renderscript specific permissions to open /system/vendor/lib64.
#line 299
allow appdomain vendor_file_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 299
allow appdomain vendor_file_type:lnk_file { getattr open read };
#line 302
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 304
#line 304
# For looking up Renderscript vendor drivers
#line 304
allow { appdomain -isolated_app_all } vendor_file:dir { open read };
#line 304
#line 304
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 307
# Allow apps access to /vendor/overlay
#line 310
allow appdomain vendor_overlay_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 310
allow appdomain vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 310
# Allow apps access to /vendor/framework
# for vendor provided libraries.
#line 314
allow appdomain vendor_framework_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 314
allow appdomain vendor_framework_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 314
# Allow apps read / execute access to vendor public libraries.
allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir { open getattr read search ioctl lock watch watch_reads };
allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { getattr read write map };
# Read/write cached ringtones (opened by system).
allow appdomain ringtone_file:file { getattr read write map };
# Read ShortcutManager icon files (opened by system).
allow appdomain shortcut_manager_icons:file { getattr read map };
# Read icon file (opened by system).
allow appdomain icon_file:file { getattr read map };
# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
#
# TODO: All of these permissions except for anr_data_file:file append can be
# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
# and the rules below.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };
# New stack dumping scheme : request an output FD from tombstoned via a unix
# domain socket.
#
# Allow apps to connect and write to the tombstoned java trace socket in
# order to dump their traces. Also allow them to append traces to pipes
# created by dumptrace. (Also see the rules below where they are given
# additional permissions to dumpstate pipes for other aspects of bug report
# creation).
#line 348
allow appdomain tombstoned_java_trace_socket:sock_file write;
#line 348
allow appdomain tombstoned:unix_stream_socket connectto;
#line 348
allow appdomain tombstoned:fd use;
allow appdomain dumpstate:fifo_file append;
allow appdomain incidentd:fifo_file append;
# Allow apps to send dump information to dumpstate
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
allow appdomain dumpstate:fifo_file { write getattr };
allow appdomain shell_data_file:file { write getattr };
# Allow apps to send dump information to incidentd
allow appdomain incidentd:fd use;
allow appdomain incidentd:fifo_file { write getattr };
# Allow apps to send information to statsd socket.
#line 364
allow appdomain statsdw_socket:sock_file write;
#line 364
allow appdomain statsd:unix_dgram_socket sendto;
#line 364
# Write profiles /data/misc/profiles
allow appdomain user_profile_root_file:dir search;
allow appdomain user_profile_data_file:dir { open search write add_name remove_name lock };
allow appdomain user_profile_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow writing performance tracing data into the perfetto traced daemon.
# Needed for java heap graph ART plugin (perfetto_hprof).
# The perfetto profiling daemon will check for the specific application's
# opt-in/opt-out.
#line 375
allow appdomain traced:fd use;
#line 375
allow appdomain traced_tmpfs:file { read write getattr map };
#line 375
#line 375
allow appdomain traced_producer_socket:sock_file write;
#line 375
allow appdomain traced:unix_stream_socket connectto;
#line 375
#line 375
#line 375
# Also allow the service to use the producer file descriptors. This is
#line 375
# necessary when the producer is creating the shared memory, as it will be
#line 375
# passed to the service as a file descriptor (obtained from memfd_create).
#line 375
allow traced appdomain:fd use;
#line 375
# Send heap dumps to system_server via an already open file descriptor
# % adb shell am set-watch-heap com.android.systemui 1048576
# % adb shell dumpsys procstats --start-testing
# debuggable builds only.
#line 383
# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
allow { appdomain -isolated_app_all } gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow { appdomain -isolated_app_all } gpu_device:dir { open getattr read search ioctl lock watch watch_reads };
allow { appdomain -isolated_app_all } sysfs_gpu:file { getattr open read ioctl lock map watch watch_reads };
# Use the Binder.
#line 393
# Call the servicemanager and transfer references to it.
#line 393
allow appdomain servicemanager:binder { call transfer };
#line 393
# Allow servicemanager to send out callbacks
#line 393
allow servicemanager appdomain:binder { call transfer };
#line 393
# servicemanager performs getpidcon on clients.
#line 393
allow servicemanager appdomain:dir search;
#line 393
allow servicemanager appdomain:file { read open };
#line 393
allow servicemanager appdomain:process getattr;
#line 393
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 393
# all domains in domain.te.
#line 393
# Perform binder IPC to binder services.
#line 395
# Call the server domain and optionally transfer references to it.
#line 395
allow appdomain binderservicedomain:binder { call transfer };
#line 395
# Allow the serverdomain to transfer references to the client on the reply.
#line 395
allow binderservicedomain appdomain:binder transfer;
#line 395
# Receive and use open files from the server.
#line 395
allow appdomain binderservicedomain:fd use;
#line 395
# Perform binder IPC to other apps.
#line 397
# Call the server domain and optionally transfer references to it.
#line 397
allow appdomain appdomain:binder { call transfer };
#line 397
# Allow the serverdomain to transfer references to the client on the reply.
#line 397
allow appdomain appdomain:binder transfer;
#line 397
# Receive and use open files from the server.
#line 397
allow appdomain appdomain:fd use;
#line 397
# Perform binder IPC to ephemeral apps.
#line 399
# Call the server domain and optionally transfer references to it.
#line 399
allow appdomain ephemeral_app:binder { call transfer };
#line 399
# Allow the serverdomain to transfer references to the client on the reply.
#line 399
allow ephemeral_app appdomain:binder transfer;
#line 399
# Receive and use open files from the server.
#line 399
allow appdomain ephemeral_app:fd use;
#line 399
# Perform binder IPC to gpuservice.
#line 401
# Call the server domain and optionally transfer references to it.
#line 401
allow { appdomain -isolated_app_all } gpuservice:binder { call transfer };
#line 401
# Allow the serverdomain to transfer references to the client on the reply.
#line 401
allow gpuservice { appdomain -isolated_app_all }:binder transfer;
#line 401
# Receive and use open files from the server.
#line 401
allow { appdomain -isolated_app_all } gpuservice:fd use;
#line 401
# Talk with graphics composer fences
allow appdomain hal_graphics_composer:fd use;
# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow appdomain backup_data_file:file { read write getattr map };
allow appdomain cache_backup_file:file { read write getattr map };
allow appdomain cache_backup_file:dir getattr;
# Backup ability using 'adb backup'
allow appdomain system_data_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
allow appdomain system_data_file:file { getattr read map };
# Allow read/stat of /data/media files passed by Binder or local socket IPC.
allow { appdomain -isolated_app_all -sdk_sandbox_all } media_rw_data_file:file { read getattr };
# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow { appdomain -isolated_app_all } radio_data_file:file { read write getattr };
# For art.
allow appdomain dalvikcache_data_file:file execute;
allow appdomain dalvikcache_data_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
# Allow any app to read shared RELRO files.
allow appdomain shared_relro_file:dir search;
allow appdomain shared_relro_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow apps to read/execute installed binaries
allow appdomain apk_data_file:dir { open getattr read search ioctl lock };
allow appdomain apk_data_file:file { getattr open read ioctl lock map { getattr execute execute_no_trans map } };
# /data/resource-cache
allow appdomain resourcecache_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow appdomain resourcecache_data_file:dir { open getattr read search ioctl lock watch watch_reads };
# logd access
#line 444
allow appdomain logcat_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 444
#line 444
allow appdomain logdr_socket:sock_file write;
#line 444
allow appdomain logd:unix_stream_socket connectto;
#line 444
#line 444
allow appdomain zygote:unix_dgram_socket write;
allow appdomain console_device:chr_file { read write };
# only allow unprivileged socket ioctl commands
# This is an explicit allowlist: with allowxperm in place, any ioctl request
# number NOT listed below is denied on these three socket classes even though
# the generic ioctl permission is granted elsewhere. bluetooth is carved out
# of the source set and is not covered by this list.
allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
ioctl {
#line 452
{
#line 452
# Socket ioctls for gathering information about the interface
# (0x8906/0x8907 are the SIOCGSTAMP timestamp queries; 0x8910-0x8942 are
# SIOCGIF* "get" requests. The privileged SIOCSIF* setters and the MAC
# address query are listed in the neverallowxperm in app_neverallows.te.)
#line 452
0x00008906 0x00008907
#line 452
0x00008910 0x00008912 0x00008913 0x00008915 0x00008917 0x00008919
#line 452
0x0000891b 0x00008921 0x00008933 0x00008938 0x00008942
#line 452
# Wireless extension ioctls. Primarily get functions.
# (Mostly the odd-numbered SIOCGIW* requests; the even-numbered SIOCSIW*
# setters appear in the untrusted-app neverallowxperm list instead.)
#line 452
0x00008b01 0x00008b05 0x00008b07 0x00008b09 0x00008b0b 0x00008b0d
#line 452
0x00008b0f 0x00008b11 0x00008b12 0x00008b13 0x00008b21 0x00008b23
#line 452
0x00008b25 0x00008b27 0x00008b29 0x00008b2d
#line 452
} {
#line 452
# tty/termios-style requests (0x54xx range) that are also treated as
# unprivileged, e.g. FIONCLEX/FIOCLEX (0x5450/0x5451).
0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414
#line 452
0x0000540e 0x0000540b 0x00005410 0x0000540f
#line 452
} };
allow { appdomain -isolated_app_all } ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow { appdomain -isolated_app_all } dmabuf_system_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow { appdomain -isolated_app_all } dmabuf_system_secure_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# Allow AAudio apps to use shared memory file descriptors from the HAL
allow { appdomain -isolated_app_all } hal_audio:fd use;
# Allow app to access shared memory created by camera HAL1
allow { appdomain -isolated_app_all } hal_camera:fd use;
# Allow apps to access shared memory file descriptor from the tuner HAL
allow {appdomain -isolated_app_all} hal_tv_tuner_server:fd use;
# RenderScript always-passthrough HAL
allow { appdomain -isolated_app_all } hal_renderscript_hwservice:hwservice_manager find;
allow appdomain same_process_hal_file:file { execute read open getattr map };
# TODO: switch to meminfo service
allow appdomain proc_meminfo:file { getattr open read ioctl lock map watch watch_reads };
# For app fuse.
allow appdomain app_fuse_file:file { getattr read append write map };
###
### CTS-specific rules
###
# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow appdomain adbd:unix_stream_socket connectto;
allow appdomain adbd:fd use;
allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
allow appdomain cache_file:dir getattr;
# Allow apps to run with asanwrapper.
# Read access to FDs from the DropboxManagerService.
allow appdomain dropbox_data_file:file { getattr read };
# Read tmpfs types from these processes.
allow appdomain audioserver_tmpfs:file { getattr map read write };
allow appdomain system_server_tmpfs:file { getattr map read write };
allow appdomain zygote_tmpfs:file { map read };
# Sensitive app domains are not allowed to execute from /data
# to prevent persistence attacks and ensure all code is executed
# from read-only locations.
neverallow {
bluetooth
isolated_app_all
nfc
radio
shared_relro
sdk_sandbox_all
system_app
} {
data_file_type
-apex_art_data_file
-dalvikcache_data_file
-system_data_file # shared libs in apks
-apk_data_file
}:file { execute execute_no_trans };
# Don't allow apps access to any of the following character devices.
neverallow appdomain {
audio_device
camera_device
dm_device
radio_device
rpmsg_device
}:chr_file { read write };
# Block video device access for all apps except the DeviceAsWebcam Service which
# needs access to /dev/video* for interfacing with the host
neverallow {
appdomain
-device_as_webcam
} video_device:chr_file { read write };
# Prevent calling inotify on APKs. This can be used as a side channel
# to observe app launches, so it must be disallowed. b/231587164
# Gate by targetSdkVersion to avoid breaking existing apps.
neverallow {
appdomain
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
-untrusted_app_30
-untrusted_app_32
} apk_data_file:dir { watch watch_reads };
neverallow {
appdomain
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
-untrusted_app_30
-untrusted_app_32
} apk_data_file:file { watch watch_reads };
#line 1 "system/sepolicy/private/app_neverallows.te"
###
### neverallow rules for untrusted app domains
###
#line 18
# Receive or send uevent messages.
neverallow {
#line 20
ephemeral_app
#line 20
isolated_app
#line 20
isolated_app_all
#line 20
isolated_compute_app
#line 20
mediaprovider
#line 20
mediaprovider_app
#line 20
untrusted_app
#line 20
untrusted_app_25
#line 20
untrusted_app_27
#line 20
untrusted_app_29
#line 20
untrusted_app_30
#line 20
untrusted_app_all
#line 20
} domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow {
#line 23
ephemeral_app
#line 23
isolated_app
#line 23
isolated_app_all
#line 23
isolated_compute_app
#line 23
mediaprovider
#line 23
mediaprovider_app
#line 23
untrusted_app
#line 23
untrusted_app_25
#line 23
untrusted_app_27
#line 23
untrusted_app_29
#line 23
untrusted_app_30
#line 23
untrusted_app_all
#line 23
} domain:netlink_socket *;
# Read or write kernel printk buffer
neverallow {
#line 26
ephemeral_app
#line 26
isolated_app
#line 26
isolated_app_all
#line 26
isolated_compute_app
#line 26
mediaprovider
#line 26
mediaprovider_app
#line 26
untrusted_app
#line 26
untrusted_app_25
#line 26
untrusted_app_27
#line 26
untrusted_app_29
#line 26
untrusted_app_30
#line 26
untrusted_app_all
#line 26
} kmsg_device:chr_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow {
#line 30
ephemeral_app
#line 30
isolated_app
#line 30
isolated_app_all
#line 30
isolated_compute_app
#line 30
mediaprovider
#line 30
mediaprovider_app
#line 30
untrusted_app
#line 30
untrusted_app_25
#line 30
untrusted_app_27
#line 30
untrusted_app_29
#line 30
untrusted_app_30
#line 30
untrusted_app_all
#line 30
} { debugfs_type -debugfs_kcov }:file read;
neverallow {{
#line 31
ephemeral_app
#line 31
isolated_app
#line 31
isolated_app_all
#line 31
isolated_compute_app
#line 31
mediaprovider
#line 31
mediaprovider_app
#line 31
untrusted_app
#line 31
untrusted_app_25
#line 31
untrusted_app_27
#line 31
untrusted_app_29
#line 31
untrusted_app_30
#line 31
untrusted_app_all
#line 31
} } debugfs_type:{ file lnk_file } read;
# Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering
# services.
neverallow {
#line 36
ephemeral_app
#line 36
isolated_app
#line 36
isolated_app_all
#line 36
isolated_compute_app
#line 36
mediaprovider
#line 36
mediaprovider_app
#line 36
untrusted_app
#line 36
untrusted_app_25
#line 36
untrusted_app_27
#line 36
untrusted_app_29
#line 36
untrusted_app_30
#line 36
untrusted_app_all
#line 36
} service_manager_type:service_manager add;
# Do not allow untrusted apps to use VendorBinder
neverallow {
#line 39
ephemeral_app
#line 39
isolated_app
#line 39
isolated_app_all
#line 39
isolated_compute_app
#line 39
mediaprovider
#line 39
mediaprovider_app
#line 39
untrusted_app
#line 39
untrusted_app_25
#line 39
untrusted_app_27
#line 39
untrusted_app_29
#line 39
untrusted_app_30
#line 39
untrusted_app_all
#line 39
} vndbinder_device:chr_file *;
neverallow {
#line 40
ephemeral_app
#line 40
isolated_app
#line 40
isolated_app_all
#line 40
isolated_compute_app
#line 40
mediaprovider
#line 40
mediaprovider_app
#line 40
untrusted_app
#line 40
untrusted_app_25
#line 40
untrusted_app_27
#line 40
untrusted_app_29
#line 40
untrusted_app_30
#line 40
untrusted_app_all
#line 40
} vndservice_manager_type:service_manager *;
# Do not allow untrusted apps to connect to the property service
# or set properties. b/10243159
neverallow { {
#line 44
ephemeral_app
#line 44
isolated_app
#line 44
isolated_app_all
#line 44
isolated_compute_app
#line 44
mediaprovider
#line 44
mediaprovider_app
#line 44
untrusted_app
#line 44
untrusted_app_25
#line 44
untrusted_app_27
#line 44
untrusted_app_29
#line 44
untrusted_app_30
#line 44
untrusted_app_all
#line 44
} -mediaprovider } property_socket:sock_file write;
neverallow { {
#line 45
ephemeral_app
#line 45
isolated_app
#line 45
isolated_app_all
#line 45
isolated_compute_app
#line 45
mediaprovider
#line 45
mediaprovider_app
#line 45
untrusted_app
#line 45
untrusted_app_25
#line 45
untrusted_app_27
#line 45
untrusted_app_29
#line 45
untrusted_app_30
#line 45
untrusted_app_all
#line 45
} -mediaprovider } init:unix_stream_socket connectto;
neverallow { {
#line 46
ephemeral_app
#line 46
isolated_app
#line 46
isolated_app_all
#line 46
isolated_compute_app
#line 46
mediaprovider
#line 46
mediaprovider_app
#line 46
untrusted_app
#line 46
untrusted_app_25
#line 46
untrusted_app_27
#line 46
untrusted_app_29
#line 46
untrusted_app_30
#line 46
untrusted_app_all
#line 46
} -mediaprovider } property_type:property_service set;
# net.dns properties are not a public API. Disallow untrusted apps from reading this property.
neverallow { {
#line 49
ephemeral_app
#line 49
isolated_app
#line 49
isolated_app_all
#line 49
isolated_compute_app
#line 49
mediaprovider
#line 49
mediaprovider_app
#line 49
untrusted_app
#line 49
untrusted_app_25
#line 49
untrusted_app_27
#line 49
untrusted_app_29
#line 49
untrusted_app_30
#line 49
untrusted_app_all
#line 49
} } net_dns_prop:file read;
# radio_cdma_ecm_prop properties are not a public API. Disallow untrusted apps from reading this property.
neverallow { {
#line 52
ephemeral_app
#line 52
isolated_app
#line 52
isolated_app_all
#line 52
isolated_compute_app
#line 52
mediaprovider
#line 52
mediaprovider_app
#line 52
untrusted_app
#line 52
untrusted_app_25
#line 52
untrusted_app_27
#line 52
untrusted_app_29
#line 52
untrusted_app_30
#line 52
untrusted_app_all
#line 52
} } radio_cdma_ecm_prop:file read;
# Shared libraries created by trusted components within an app home
# directory can be dlopen()ed. To maintain the W^X property, these files
# must never be writable to the app.
neverallow {
#line 57
ephemeral_app
#line 57
isolated_app
#line 57
isolated_app_all
#line 57
isolated_compute_app
#line 57
mediaprovider
#line 57
mediaprovider_app
#line 57
untrusted_app
#line 57
untrusted_app_25
#line 57
untrusted_app_27
#line 57
untrusted_app_29
#line 57
untrusted_app_30
#line 57
untrusted_app_all
#line 57
} app_exec_data_file:file
{ append create link relabelfrom relabelto rename setattr write };
# Block calling execve() on files in an apps home directory.
# This is a W^X violation (loading executable code from a writable
# home directory). For compatibility, allow for targetApi <= 28.
# b/112357170
neverallow {
{
#line 65
ephemeral_app
#line 65
isolated_app
#line 65
isolated_app_all
#line 65
isolated_compute_app
#line 65
mediaprovider
#line 65
mediaprovider_app
#line 65
untrusted_app
#line 65
untrusted_app_25
#line 65
untrusted_app_27
#line 65
untrusted_app_29
#line 65
untrusted_app_30
#line 65
untrusted_app_all
#line 65
}
-untrusted_app_25
-untrusted_app_27
-runas_app
} { app_data_file privapp_data_file }:file execute_no_trans;
# Do not allow untrusted apps to invoke dex2oat. This was historically required
# by ART for compiling secondary dex files but has been removed in Q.
# Exempt legacy apps (targetApi<=28) for compatibility.
neverallow {
{
#line 75
ephemeral_app
#line 75
isolated_app
#line 75
isolated_app_all
#line 75
isolated_compute_app
#line 75
mediaprovider
#line 75
mediaprovider_app
#line 75
untrusted_app
#line 75
untrusted_app_25
#line 75
untrusted_app_27
#line 75
untrusted_app_29
#line 75
untrusted_app_30
#line 75
untrusted_app_all
#line 75
}
-untrusted_app_25
-untrusted_app_27
} dex2oat_exec:file { execute execute_no_trans };
# Do not allow untrusted apps to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints. As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and an untrusted app is allowed fork permission to itself.
neverallow {
#line 88
ephemeral_app
#line 88
isolated_app
#line 88
isolated_app_all
#line 88
isolated_compute_app
#line 88
mediaprovider
#line 88
mediaprovider_app
#line 88
untrusted_app
#line 88
untrusted_app_25
#line 88
untrusted_app_27
#line 88
untrusted_app_29
#line 88
untrusted_app_30
#line 88
untrusted_app_all
#line 88
} mlstrustedsubject:process fork;
# Do not allow untrusted apps to hard link to any files.
# In particular, if an untrusted app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure untrusted apps never have this
# capability.
neverallow {
#line 96
ephemeral_app
#line 96
isolated_app
#line 96
isolated_app_all
#line 96
isolated_compute_app
#line 96
mediaprovider
#line 96
mediaprovider_app
#line 96
untrusted_app
#line 96
untrusted_app_25
#line 96
untrusted_app_27
#line 96
untrusted_app_29
#line 96
untrusted_app_30
#line 96
untrusted_app_all
#line 96
} file_type:file link;
# Do not allow untrusted apps to access network MAC address file
neverallow {
#line 99
ephemeral_app
#line 99
isolated_app
#line 99
isolated_app_all
#line 99
isolated_compute_app
#line 99
mediaprovider
#line 99
mediaprovider_app
#line 99
untrusted_app
#line 99
untrusted_app_25
#line 99
untrusted_app_27
#line 99
untrusted_app_29
#line 99
untrusted_app_30
#line 99
untrusted_app_all
#line 99
} sysfs_net:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Do not allow any write access to files in /sys
neverallow {
#line 102
ephemeral_app
#line 102
isolated_app
#line 102
isolated_app_all
#line 102
isolated_compute_app
#line 102
mediaprovider
#line 102
mediaprovider_app
#line 102
untrusted_app
#line 102
untrusted_app_25
#line 102
untrusted_app_27
#line 102
untrusted_app_29
#line 102
untrusted_app_30
#line 102
untrusted_app_all
#line 102
} sysfs_type:file { { append create link unlink relabelfrom rename setattr write } { execute execute_no_trans } };
# Apps may never access the default sysfs label.
neverallow {
#line 105
ephemeral_app
#line 105
isolated_app
#line 105
isolated_app_all
#line 105
isolated_compute_app
#line 105
mediaprovider
#line 105
mediaprovider_app
#line 105
untrusted_app
#line 105
untrusted_app_25
#line 105
untrusted_app_27
#line 105
untrusted_app_29
#line 105
untrusted_app_30
#line 105
untrusted_app_all
#line 105
} sysfs:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
neverallowxperm {
#line 109
ephemeral_app
#line 109
isolated_app
#line 109
isolated_app_all
#line 109
isolated_compute_app
#line 109
mediaprovider
#line 109
mediaprovider_app
#line 109
untrusted_app
#line 109
untrusted_app_25
#line 109
untrusted_app_27
#line 109
untrusted_app_29
#line 109
untrusted_app_30
#line 109
untrusted_app_all
#line 109
} domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl
#line 109
{
#line 109
# qualcomm rmnet ioctls
#line 109
0x00006900 0x00006902
#line 109
# socket ioctls
#line 109
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 109
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 109
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 109
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 109
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 109
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 109
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 109
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 109
0x00008991 0x00008992 0x00008993 0x00008994
#line 109
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 109
# device and protocol specific ioctls
#line 109
0x000089f0-0x000089ff
#line 109
0x000089e0-0x000089ef
#line 109
# Wireless extension ioctls
#line 109
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 109
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 109
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 109
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 109
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 109
0x00008b34 0x00008b35 0x00008b36
#line 109
# Dev private ioctl i.e. hardware specific ioctls
#line 109
0x00008be0-0x00008bff
#line 109
};
neverallow {
#line 110
ephemeral_app
#line 110
isolated_app
#line 110
isolated_app_all
#line 110
isolated_compute_app
#line 110
mediaprovider
#line 110
mediaprovider_app
#line 110
untrusted_app
#line 110
untrusted_app_25
#line 110
untrusted_app_27
#line 110
untrusted_app_29
#line 110
untrusted_app_30
#line 110
untrusted_app_all
#line 110
} *:{ netlink_route_socket netlink_selinux_socket } ioctl;
neverallow {
#line 111
ephemeral_app
#line 111
isolated_app
#line 111
isolated_app_all
#line 111
isolated_compute_app
#line 111
mediaprovider
#line 111
mediaprovider_app
#line 111
untrusted_app
#line 111
untrusted_app_25
#line 111
untrusted_app_27
#line 111
untrusted_app_29
#line 111
untrusted_app_30
#line 111
untrusted_app_all
#line 111
} *:{
socket netlink_socket packet_socket key_socket appletalk_socket
netlink_tcpdiag_socket netlink_nflog_socket
netlink_xfrm_socket netlink_audit_socket
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
netlink_rdma_socket netlink_crypto_socket sctp_socket
ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
} *;
# Apps can read/write an already open vsock (e.g. created by
# virtualizationservice) but nothing more than that (e.g. creating a
# new vsock, etc.)
neverallow {
#line 128
ephemeral_app
#line 128
isolated_app
#line 128
isolated_app_all
#line 128
isolated_compute_app
#line 128
mediaprovider
#line 128
mediaprovider_app
#line 128
untrusted_app
#line 128
untrusted_app_25
#line 128
untrusted_app_27
#line 128
untrusted_app_29
#line 128
untrusted_app_30
#line 128
untrusted_app_all
#line 128
} *:vsock_socket ~{ getattr getopt read write };
# Disallow sending RTM_GETLINK messages on netlink sockets.
neverallow {
#line 131
ephemeral_app
#line 131
isolated_app
#line 131
isolated_app_all
#line 131
isolated_compute_app
#line 131
mediaprovider
#line 131
mediaprovider_app
#line 131
untrusted_app
#line 131
untrusted_app_25
#line 131
untrusted_app_27
#line 131
untrusted_app_29
#line 131
untrusted_app_30
#line 131
untrusted_app_all
#line 131
} domain:netlink_route_socket { bind nlmsg_readpriv };
neverallow priv_app domain:netlink_route_socket { bind nlmsg_readpriv };
# Disallow sending RTM_GETNEIGH{TBL} messages on netlink sockets.
neverallow {
{
#line 136
ephemeral_app
#line 136
isolated_app
#line 136
isolated_app_all
#line 136
isolated_compute_app
#line 136
mediaprovider
#line 136
mediaprovider_app
#line 136
untrusted_app
#line 136
untrusted_app_25
#line 136
untrusted_app_27
#line 136
untrusted_app_29
#line 136
untrusted_app_30
#line 136
untrusted_app_all
#line 136
}
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
-untrusted_app_30
} domain:netlink_route_socket nlmsg_getneigh;
# Do not allow untrusted apps access to /cache
neverallow { {
#line 144
ephemeral_app
#line 144
isolated_app
#line 144
isolated_app_all
#line 144
isolated_compute_app
#line 144
mediaprovider
#line 144
mediaprovider_app
#line 144
untrusted_app
#line 144
untrusted_app_25
#line 144
untrusted_app_27
#line 144
untrusted_app_29
#line 144
untrusted_app_30
#line 144
untrusted_app_all
#line 144
} -mediaprovider } { cache_file cache_recovery_file }:dir ~{ { open getattr read search ioctl lock watch watch_reads } };
neverallow { {
#line 145
ephemeral_app
#line 145
isolated_app
#line 145
isolated_app_all
#line 145
isolated_compute_app
#line 145
mediaprovider
#line 145
mediaprovider_app
#line 145
untrusted_app
#line 145
untrusted_app_25
#line 145
untrusted_app_27
#line 145
untrusted_app_29
#line 145
untrusted_app_30
#line 145
untrusted_app_all
#line 145
} -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
# Do not allow untrusted apps to create/unlink files outside of its sandbox,
# internal storage or sdcard.
# World accessible data locations allow application to fill the device
# with unaccounted for data. This data will not get removed during
# application un-installation.
neverallow { {
#line 152
ephemeral_app
#line 152
isolated_app
#line 152
isolated_app_all
#line 152
isolated_compute_app
#line 152
mediaprovider
#line 152
mediaprovider_app
#line 152
untrusted_app
#line 152
untrusted_app_25
#line 152
untrusted_app_27
#line 152
untrusted_app_29
#line 152
untrusted_app_30
#line 152
untrusted_app_all
#line 152
} -mediaprovider } {
fs_type
-sdcard_type
-fuse
file_type
-app_data_file # The apps sandbox itself
-privapp_data_file
-app_exec_data_file # stored within the app sandbox directory
-media_rw_data_file # Internal storage. Known that apps can
# leave artifacts here after uninstall.
-user_profile_data_file # Access to profile files
#line 167
}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create unlink };
# No untrusted component except mediaprovider_app should be touching /dev/fuse
neverallow { {
#line 170
ephemeral_app
#line 170
isolated_app
#line 170
isolated_app_all
#line 170
isolated_compute_app
#line 170
mediaprovider
#line 170
mediaprovider_app
#line 170
untrusted_app
#line 170
untrusted_app_25
#line 170
untrusted_app_27
#line 170
untrusted_app_29
#line 170
untrusted_app_30
#line 170
untrusted_app_all
#line 170
} -mediaprovider_app } fuse_device:chr_file *;
# Do not allow untrusted apps to directly open the tun_device
neverallow {
#line 173
ephemeral_app
#line 173
isolated_app
#line 173
isolated_app_all
#line 173
isolated_compute_app
#line 173
mediaprovider
#line 173
mediaprovider_app
#line 173
untrusted_app
#line 173
untrusted_app_25
#line 173
untrusted_app_27
#line 173
untrusted_app_29
#line 173
untrusted_app_30
#line 173
untrusted_app_all
#line 173
} tun_device:chr_file open;
# The tun_device ioctls below are not allowed, to prove equivalence
# to the kernel patch at
# https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
#
# Complement form: every ioctl request EXCEPT the three listed is forbidden
# on a tun fd. 0x5451/0x5450 are FIOCLEX/FIONCLEX (close-on-exec flag
# handling) and 0x800454d2 is TUNGETIFF (query interface name/flags), so an
# untrusted app cannot reconfigure the device (TUNSETIFF and friends).
# Together with the `tun_device:chr_file open` neverallow directly above,
# an untrusted app can only use a tun fd it has been handed over IPC, and
# only for read/write and these three requests.
neverallowxperm {
#line 177
ephemeral_app
#line 177
isolated_app
#line 177
isolated_app_all
#line 177
isolated_compute_app
#line 177
mediaprovider
#line 177
mediaprovider_app
#line 177
untrusted_app
#line 177
untrusted_app_25
#line 177
untrusted_app_27
#line 177
untrusted_app_29
#line 177
untrusted_app_30
#line 177
untrusted_app_all
#line 177
} tun_device:chr_file ioctl ~{ 0x00005451 0x00005450 0x800454d2 };
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
neverallow {
#line 180
ephemeral_app
#line 180
isolated_app
#line 180
isolated_app_all
#line 180
isolated_compute_app
#line 180
mediaprovider
#line 180
mediaprovider_app
#line 180
untrusted_app
#line 180
untrusted_app_25
#line 180
untrusted_app_27
#line 180
untrusted_app_29
#line 180
untrusted_app_30
#line 180
untrusted_app_all
#line 180
} anr_data_file:file ~{ open append };
neverallow {
#line 181
ephemeral_app
#line 181
isolated_app
#line 181
isolated_app_all
#line 181
isolated_compute_app
#line 181
mediaprovider
#line 181
mediaprovider_app
#line 181
untrusted_app
#line 181
untrusted_app_25
#line 181
untrusted_app_27
#line 181
untrusted_app_29
#line 181
untrusted_app_30
#line 181
untrusted_app_all
#line 181
} anr_data_file:dir ~search;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow {
#line 185
ephemeral_app
#line 185
isolated_app
#line 185
isolated_app_all
#line 185
isolated_compute_app
#line 185
mediaprovider
#line 185
mediaprovider_app
#line 185
untrusted_app
#line 185
untrusted_app_25
#line 185
untrusted_app_27
#line 185
untrusted_app_29
#line 185
untrusted_app_30
#line 185
untrusted_app_all
#line 185
} {
proc
proc_asound
proc_kmsg
proc_loadavg
proc_mounts
proc_pagetypeinfo
proc_slabinfo
proc_stat
proc_swaps
proc_uptime
proc_version
proc_vmallocinfo
proc_vmstat
}:file { { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads } { execute execute_no_trans } };
# /proc/filesystems is accessible to mediaprovider_app only since it handles
# external storage
neverallow { {
#line 203
ephemeral_app
#line 203
isolated_app
#line 203
isolated_app_all
#line 203
isolated_compute_app
#line 203
mediaprovider
#line 203
mediaprovider_app
#line 203
untrusted_app
#line 203
untrusted_app_25
#line 203
untrusted_app_27
#line 203
untrusted_app_29
#line 203
untrusted_app_30
#line 203
untrusted_app_all
#line 203
} - mediaprovider_app } proc_filesystems:file { { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads } { execute execute_no_trans } };
# The neverallow rules below bound what the untrusted-app domains may ever be
# granted. Each `{ ... }` source set is the preprocessor-expanded list of
# untrusted app domains; the `#line N` markers are expansion bookkeeping, not
# policy. A `-type` inside the outer braces subtracts that domain from the set
# (used for legacy targetSdk domains that keep a compatibility carve-out).
# neverallow rules grant nothing themselves: they make policy compilation fail
# if any allow rule (for example in vendor policy) intersects them, which is
# how this prebuilt is used as a compatibility check.
# Avoid all access to kernel configuration
neverallow {
#line 206
ephemeral_app
#line 206
isolated_app
#line 206
isolated_app_all
#line 206
isolated_compute_app
#line 206
mediaprovider
#line 206
mediaprovider_app
#line 206
untrusted_app
#line 206
untrusted_app_25
#line 206
untrusted_app_27
#line 206
untrusted_app_29
#line 206
untrusted_app_30
#line 206
untrusted_app_all
#line 206
} config_gz:file { { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads } { execute execute_no_trans } };
# Do not allow untrusted apps access to preloads data files
# (write-type and read-type file permissions; execute is not listed here.)
neverallow {
#line 209
ephemeral_app
#line 209
isolated_app
#line 209
isolated_app_all
#line 209
isolated_compute_app
#line 209
mediaprovider
#line 209
mediaprovider_app
#line 209
untrusted_app
#line 209
untrusted_app_25
#line 209
untrusted_app_27
#line 209
untrusted_app_29
#line 209
untrusted_app_30
#line 209
untrusted_app_all
#line 209
} preloads_data_file:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Locking of files on /system could lead to denial of service attacks
# against privileged system components
neverallow {
#line 213
ephemeral_app
#line 213
isolated_app
#line 213
isolated_app_all
#line 213
isolated_compute_app
#line 213
mediaprovider
#line 213
mediaprovider_app
#line 213
untrusted_app
#line 213
untrusted_app_25
#line 213
untrusted_app_27
#line 213
untrusted_app_29
#line 213
untrusted_app_30
#line 213
untrusted_app_all
#line 213
} system_file:file lock;
# Do not permit untrusted apps to perform actions on HwBinder service_manager
# other than find actions for services listed below
# (`*` is every hwservice_manager type; `~find` is every permission except find.)
neverallow {
#line 217
ephemeral_app
#line 217
isolated_app
#line 217
isolated_app_all
#line 217
isolated_compute_app
#line 217
mediaprovider
#line 217
mediaprovider_app
#line 217
untrusted_app
#line 217
untrusted_app_25
#line 217
untrusted_app_27
#line 217
untrusted_app_29
#line 217
untrusted_app_30
#line 217
untrusted_app_all
#line 217
} *:hwservice_manager ~find;
# Do not permit access from apps which host arbitrary code to the protected services
# The two main reasons for this are:
# 1. Protected HwBinder servers do not perform client authentication because
# vendor code does not have a way to understand apps or their relation to
# caller UID information and, even if it did, those services either operate
# at a level below that of apps (e.g., HALs) or must not rely on app identity
# for authorization. Thus, to be safe, the default assumption for all added
# vendor services is that they treat all their clients as equally authorized
# to perform operations offered by the service.
# 2. HAL servers contain code with higher incidence rate of security issues
# than system/core components and have access to lower layers of the stack
# (all the way down to hardware) thus increasing opportunities for bypassing
# the Android security model.
# Two rules: one for HwBinder (protected_hwservice) and one for the
# framework service manager (protected_service). Denying `find` is enough,
# since a client that cannot look a service up cannot obtain its binder.
neverallow {
#line 232
ephemeral_app
#line 232
isolated_app
#line 232
isolated_app_all
#line 232
isolated_compute_app
#line 232
mediaprovider
#line 232
mediaprovider_app
#line 232
untrusted_app
#line 232
untrusted_app_25
#line 232
untrusted_app_27
#line 232
untrusted_app_29
#line 232
untrusted_app_30
#line 232
untrusted_app_all
#line 232
} protected_hwservice:hwservice_manager find;
neverallow {
#line 233
ephemeral_app
#line 233
isolated_app
#line 233
isolated_app_all
#line 233
isolated_compute_app
#line 233
mediaprovider
#line 233
mediaprovider_app
#line 233
untrusted_app
#line 233
untrusted_app_25
#line 233
untrusted_app_27
#line 233
untrusted_app_29
#line 233
untrusted_app_30
#line 233
untrusted_app_all
#line 233
} protected_service:service_manager find;
# SELinux is not an API for untrusted apps to use
# (no read or write access to selinuxfs files; apps must not query or
# influence the policy engine directly.)
neverallow {
#line 236
ephemeral_app
#line 236
isolated_app
#line 236
isolated_app_all
#line 236
isolated_compute_app
#line 236
mediaprovider
#line 236
mediaprovider_app
#line 236
untrusted_app
#line 236
untrusted_app_25
#line 236
untrusted_app_27
#line 236
untrusted_app_29
#line 236
untrusted_app_30
#line 236
untrusted_app_all
#line 236
} selinuxfs:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Access to /proc/tty/drivers, to allow apps to determine if they
# are running in an emulated environment.
# b/33214085 b/33814662 b/33791054 b/33211769
# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
# This will go away in a future Android release
# The next two rules work as a pair: the first denies read-type access to
# every untrusted domain except untrusted_app_25; the second denies every
# other permission to all of them. Net effect: only untrusted_app_25 may
# read proc_tty_drivers, and nobody may do anything else with it.
neverallow { {
#line 243
ephemeral_app
#line 243
isolated_app
#line 243
isolated_app_all
#line 243
isolated_compute_app
#line 243
mediaprovider
#line 243
mediaprovider_app
#line 243
untrusted_app
#line 243
untrusted_app_25
#line 243
untrusted_app_27
#line 243
untrusted_app_29
#line 243
untrusted_app_30
#line 243
untrusted_app_all
#line 243
} -untrusted_app_25 } proc_tty_drivers:file { getattr open read ioctl lock map watch watch_reads };
neverallow {
#line 244
ephemeral_app
#line 244
isolated_app
#line 244
isolated_app_all
#line 244
isolated_compute_app
#line 244
mediaprovider
#line 244
mediaprovider_app
#line 244
untrusted_app
#line 244
untrusted_app_25
#line 244
untrusted_app_27
#line 244
untrusted_app_29
#line 244
untrusted_app_30
#line 244
untrusted_app_all
#line 244
} proc_tty_drivers:file ~{ getattr open read ioctl lock map watch watch_reads };
# Untrusted apps are not allowed to use cgroups.
# (`*` denies every file permission, on both the v1 and v2 cgroup labels.)
neverallow {
#line 247
ephemeral_app
#line 247
isolated_app
#line 247
isolated_app_all
#line 247
isolated_compute_app
#line 247
mediaprovider
#line 247
mediaprovider_app
#line 247
untrusted_app
#line 247
untrusted_app_25
#line 247
untrusted_app_27
#line 247
untrusted_app_29
#line 247
untrusted_app_30
#line 247
untrusted_app_all
#line 247
} cgroup:file *;
neverallow {
#line 248
ephemeral_app
#line 248
isolated_app
#line 248
isolated_app_all
#line 248
isolated_compute_app
#line 248
mediaprovider
#line 248
mediaprovider_app
#line 248
untrusted_app
#line 248
untrusted_app_25
#line 248
untrusted_app_27
#line 248
untrusted_app_29
#line 248
untrusted_app_30
#line 248
untrusted_app_all
#line 248
} cgroup_v2:file *;
# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
# must not use it.
# untrusted_app_25 and untrusted_app_27 are subtracted below, so those two
# legacy domains are not covered by this rule.
neverallow {
{
#line 253
ephemeral_app
#line 253
isolated_app
#line 253
isolated_app_all
#line 253
isolated_compute_app
#line 253
mediaprovider
#line 253
mediaprovider_app
#line 253
untrusted_app
#line 253
untrusted_app_25
#line 253
untrusted_app_27
#line 253
untrusted_app_29
#line 253
untrusted_app_30
#line 253
untrusted_app_all
#line 253
}
-untrusted_app_25
-untrusted_app_27
} mnt_sdcard_file:lnk_file *;
# Only privileged apps may find the incident service
neverallow {
#line 259
ephemeral_app
#line 259
isolated_app
#line 259
isolated_app_all
#line 259
isolated_compute_app
#line 259
mediaprovider
#line 259
mediaprovider_app
#line 259
untrusted_app
#line 259
untrusted_app_25
#line 259
untrusted_app_27
#line 259
untrusted_app_29
#line 259
untrusted_app_30
#line 259
untrusted_app_all
#line 259
} incident_service:service_manager find;
# Only privileged apps may find stats service
neverallow {
#line 262
ephemeral_app
#line 262
isolated_app
#line 262
isolated_app_all
#line 262
isolated_compute_app
#line 262
mediaprovider
#line 262
mediaprovider_app
#line 262
untrusted_app
#line 262
untrusted_app_25
#line 262
untrusted_app_27
#line 262
untrusted_app_29
#line 262
untrusted_app_30
#line 262
untrusted_app_all
#line 262
} stats_service:service_manager find;
# Do not allow untrusted app to read hidden system properties.
# We do not include in the exclusions other normally untrusted applications such as mediaprovider
# due to the specific logging use cases.
# Context: b/193912100
# (As written, mediaprovider and mediaprovider_app are subtracted from the
# source set below, so this rule does not apply to them.)
neverallow {
{
#line 269
ephemeral_app
#line 269
isolated_app
#line 269
isolated_app_all
#line 269
isolated_compute_app
#line 269
mediaprovider
#line 269
mediaprovider_app
#line 269
untrusted_app
#line 269
untrusted_app_25
#line 269
untrusted_app_27
#line 269
untrusted_app_29
#line 269
untrusted_app_30
#line 269
untrusted_app_all
#line 269
}
-mediaprovider
-mediaprovider_app
} { userdebug_or_eng_prop }:file read;
# Do not allow untrusted app to access /dev/socket/mdnsd since U. The socket is
# used to communicate to the mdnsd responder. The mdnsd responder will be
# replaced by a java implementation which is integrated into the system server.
# For untrusted apps running with API level 33-, they still have access to
# /dev/socket/mdnsd for backward compatibility.
# NOTE(review): untrusted_app_32 is subtracted below but is not listed
# individually in the expanded set; the subtraction only takes effect if
# untrusted_app_32 is a member of the untrusted_app_all attribute. Confirm
# against the type declarations.
neverallow {
{
#line 280
ephemeral_app
#line 280
isolated_app
#line 280
isolated_app_all
#line 280
isolated_compute_app
#line 280
mediaprovider
#line 280
mediaprovider_app
#line 280
untrusted_app
#line 280
untrusted_app_25
#line 280
untrusted_app_27
#line 280
untrusted_app_29
#line 280
untrusted_app_30
#line 280
untrusted_app_all
#line 280
}
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
-untrusted_app_30
-untrusted_app_32
} mdnsd_socket:sock_file write;
# Same carve-outs as the sock_file rule above, for the connect itself.
neverallow {
{
#line 288
ephemeral_app
#line 288
isolated_app
#line 288
isolated_app_all
#line 288
isolated_compute_app
#line 288
mediaprovider
#line 288
mediaprovider_app
#line 288
untrusted_app
#line 288
untrusted_app_25
#line 288
untrusted_app_27
#line 288
untrusted_app_29
#line 288
untrusted_app_30
#line 288
untrusted_app_all
#line 288
}
-untrusted_app_25
-untrusted_app_27
-untrusted_app_29
-untrusted_app_30
-untrusted_app_32
} mdnsd:unix_stream_socket connectto;
# Do not allow untrusted apps to use anonymous inodes. At the moment,
# type transitions are the only way to distinguish between different
# anon_inode usages like userfaultfd and io_uring. This prevents us from
# creating a more fine-grained neverallow policy for each anon_inode usage.
# `domain:anon_inode *` covers anon_inodes labelled with any domain type;
# per-domain userfaultfd types created via type_transition elsewhere in
# this policy are separate types and are not what `domain` matches here.
neverallow {
#line 300
ephemeral_app
#line 300
isolated_app
#line 300
isolated_app_all
#line 300
isolated_compute_app
#line 300
mediaprovider
#line 300
mediaprovider_app
#line 300
untrusted_app
#line 300
untrusted_app_25
#line 300
untrusted_app_27
#line 300
untrusted_app_29
#line 300
untrusted_app_30
#line 300
untrusted_app_all
#line 300
} domain:anon_inode *;
# Do not allow untrusted app access to hidraw devices.
neverallow {
#line 303
ephemeral_app
#line 303
isolated_app
#line 303
isolated_app_all
#line 303
isolated_compute_app
#line 303
mediaprovider
#line 303
mediaprovider_app
#line 303
untrusted_app
#line 303
untrusted_app_25
#line 303
untrusted_app_27
#line 303
untrusted_app_29
#line 303
untrusted_app_30
#line 303
untrusted_app_all
#line 303
} hidraw_device:chr_file *;
#line 1 "system/sepolicy/private/app_zygote.te"
# app_zygote: a per-application zygote that forks isolated_app children.
# The allow rules grant only what forking and setting up those children
# needs; the neverallow block at the end pins down the transition paths and
# the socket classes this domain may touch.
typeattribute app_zygote coredomain;
######
###### Policy below is different from regular zygote-spawned apps
######
# Allow access to temporary files, which is normally permitted through
# a domain macro.
# (Expanded macro: tmpfs files created by app_zygote get their own label,
# app_zygote_tmpfs, and may be read, written, stat'ed and mapped.)
#line 9
type_transition app_zygote tmpfs:file app_zygote_tmpfs;
#line 9
allow app_zygote app_zygote_tmpfs:file { read write getattr map };
#line 9
;
# Set the UID/GID of the process.
# This will be further limited to a range of isolated UIDs with seccomp.
# These two capabilities are why the unix_dgram_socket / unix_stream_socket
# neverallows further down matter: a setuid/setgid-capable process can forge
# SCM_CREDENTIALS (see the comment on those rules).
allow app_zygote self:{ capability cap_userns } { setgid setuid };
# Drop capabilities from bounding set.
allow app_zygote self:{ capability cap_userns } setpcap;
# Switch SELinux context to isolated app domain.
# setcurrent + dyntransition is the setcon()-style transition; the
# neverallow below restricts the dyntransition target to isolated_app only.
allow app_zygote self:process setcurrent;
allow app_zygote isolated_app:process dyntransition;
# For JIT
allow app_zygote self:process execmem;
# Allow exec mapping from tmpfs (memfds) for binary translation
allow app_zygote app_zygote_tmpfs:file execute;
# Allow app_zygote to stat the files that it opens. It must
# be able to inspect them so that it can reopen them on fork
# if necessary: b/30963384.
allow app_zygote debugfs_trace_marker:file getattr;
# get system_server process group
allow app_zygote system_server:process getpgid;
# Interaction between the app_zygote and its children.
allow app_zygote isolated_app:process setpgid;
# TODO (b/63631799) fix this access
dontaudit app_zygote mnt_expand_file:dir getattr;
# Get seapp_contexts
allow app_zygote seapp_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# Check validity of SELinux context before use.
# (Expanded macro: read and write selinuxfs, then ask the kernel's security
# server to validate a context string.)
#line 43
#line 43
allow app_zygote selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 43
allow app_zygote selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 43
#line 43
allow app_zygote selinuxfs:file { open append write lock map };
#line 43
allow app_zygote kernel:security check_context;
#line 43
# Check SELinux permissions.
# (Expanded macro: same selinuxfs access as above plus compute_av, and a
# netlink_selinux_socket so the process can be told about policy changes —
# presumably for the userspace AVC; confirm against the macro definition.)
#line 45
#line 45
allow app_zygote selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 45
allow app_zygote selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 45
#line 45
allow app_zygote selinuxfs:file { open append write lock map };
#line 45
allow app_zygote kernel:security compute_av;
#line 45
allow app_zygote self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
#line 45
# Read and inspect temporary files managed by zygote.
allow app_zygote zygote_tmpfs:file { read getattr };
######
###### Policy below is shared with regular zygote-spawned apps
######
# Child of zygote.
allow app_zygote zygote:fd use;
allow app_zygote zygote:process sigchld;
# For ART (read /data/dalvik-cache).
#line 59
allow app_zygote dalvikcache_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 59
allow app_zygote dalvikcache_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 59
;
allow app_zygote dalvikcache_data_file:file execute;
# For ART (allow userfaultfd and related ioctls)
# (Expanded macro: a dedicated anon_inode type so that only app_zygote can
# use its own userfaultfd objects; enforced by the neverallow at the end of
# the expansion.)
#line 63
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 63
type app_zygote_userfaultfd;
#line 63
type_transition app_zygote app_zygote:anon_inode app_zygote_userfaultfd "[userfaultfd]";
#line 63
# Allow domain to create/use userfaultfd anon_inode.
#line 63
allow app_zygote app_zygote_userfaultfd:anon_inode { create ioctl read };
#line 63
# Suppress errors generated during bugreport
#line 63
dontaudit su app_zygote_userfaultfd:anon_inode *;
#line 63
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 63
neverallow { domain -app_zygote } app_zygote_userfaultfd:anon_inode *;
#line 63
# Read /data/misc/apexdata/ to (get to com.android.art/dalvik-cache).
allow app_zygote apex_module_data_file:dir search;
# For ART APEX (read /data/misc/apexdata/com.android.art/dalvik-cache).
#line 68
allow app_zygote apex_art_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 68
allow app_zygote apex_art_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 68
# Allow reading/executing installed binaries to enable preloading
# application data
allow app_zygote apk_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow app_zygote apk_data_file:file { { getattr open read ioctl lock map watch watch_reads } execute };
# /oem accesses.
allow app_zygote oemfs:dir search;
# Allow app_zygote access to /vendor/overlay
#line 79
allow app_zygote vendor_overlay_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 79
allow app_zygote vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 79
# Allow app_zygote to read vendor_overlay_file from vendor apex as well
allow app_zygote vendor_apex_metadata_file:dir { getattr search };
allow app_zygote system_data_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
allow app_zygote system_data_file:file { getattr read map };
# Send unsolicited message to system_server
# (This is the system_server exclusion relied upon by the unix_dgram_socket
# neverallow below.)
#line 87
allow app_zygote system_unsolzygote_socket:sock_file write;
#line 87
allow app_zygote system_server:unix_dgram_socket sendto;
#line 87
# Allow the app_zygote to access the runtime feature flag properties.
#line 90
allow app_zygote device_config_runtime_native_prop:file { getattr open read map };
#line 90
#line 91
allow app_zygote device_config_runtime_native_boot_prop:file { getattr open read map };
#line 91
# Allow app_zygote to access odsign verification status
#line 94
allow app_zygote odsign_prop:file { getattr open read map };
#line 94
# /data/resource-cache
allow app_zygote resourcecache_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow app_zygote resourcecache_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#####
##### Neverallow
#####
# Only permit transition to isolated_app.
neverallow app_zygote { domain -isolated_app }:process dyntransition;
# Only setcon() transitions, no exec() based transitions, except for crash_dump.
neverallow app_zygote { domain -crash_dump }:process transition;
# Must not exec() a program without changing domains.
# Having said that, exec() above is not allowed.
neverallow app_zygote *:file execute_no_trans;
# The only way to enter this domain is for the zygote to fork a new
# app_zygote child.
neverallow { domain -zygote } app_zygote:process dyntransition;
# Disallow write access to properties.
neverallow app_zygote property_socket:sock_file write;
neverallow app_zygote property_type:property_service set;
# Should not have any access to data files.
# (Expanded r/w/x file permission sets over every app_data_file_type label.)
neverallow app_zygote app_data_file_type:file { { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } { getattr execute execute_no_trans map } } };
neverallow app_zygote {
service_manager_type
-activity_service
-webviewupdate_service
}:service_manager find;
# Isolated apps should not be able to access the driver directly.
neverallow app_zygote gpu_device:chr_file { { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } { getattr execute execute_no_trans map } } };
# Do not allow app_zygote access to /cache.
neverallow app_zygote cache_file:dir ~{ { open getattr read search ioctl lock watch watch_reads } };
neverallow app_zygote cache_file:file ~{ read getattr };
# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
# unix_stream_socket, and netlink_selinux_socket.
neverallow app_zygote domain:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
appletalk_socket netlink_route_socket netlink_tcpdiag_socket
netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
} *;
# Only allow app_zygote to talk to the logd socket, and su on eng/userdebug.
# This is because cap_setuid/cap_setgid allow to forge uid/gid in
# SCM_CREDENTIALS. Think twice before changing.
# NOTE(review): the exclusions actually present in this expansion are logd
# and system_server (the latter for the unsolicited-message socket above);
# no su exclusion is emitted here, so the "su on eng/userdebug" wording
# presumably refers to a build-conditional exclusion not active in this
# build. Worth confirming in the source macro.
neverallow app_zygote {
domain
-app_zygote
-logd
-system_server
}:unix_dgram_socket *;
neverallow app_zygote {
domain
-app_zygote
-prng_seeder
}:unix_stream_socket *;
# Never allow ptrace
neverallow app_zygote *:process ptrace;
# Do not allow access to Bluetooth-related system properties.
# neverallow rules for Bluetooth-related data files are listed above.
neverallow app_zygote {
bluetooth_a2dp_offload_prop
bluetooth_audio_hal_prop
bluetooth_prop
exported_bluetooth_prop
}:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
#line 1 "system/sepolicy/private/art_boot.te"
# ART boot oneshot service
# art_boot is entered only via init executing art_boot_exec; its job is to
# read ART device-config flags and publish them as dalvik config properties.
type art_boot, domain, coredomain;
type art_boot_exec, exec_type, file_type, system_file_type;
# Expanded init-daemon domain-transition macro: init may exec the binary and
# transition into art_boot; art_boot may be entered only through that binary.
#line 5
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init art_boot_exec:file { getattr open read execute map };
#line 5
allow init art_boot:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow art_boot art_boot_exec:file { entrypoint open read execute getattr map };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
#line 5
# (No sigchld rule is emitted here for init; presumably it is granted
# domain-wide elsewhere in the policy — confirm before relying on it.)
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init art_boot:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init art_boot:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition init art_boot_exec:process art_boot;
#line 5
#line 5
# Allow query of device config properties, typically experiment flags.
#line 8
allow art_boot device_config_runtime_native_boot_prop:file { getattr open read map };
#line 8
#line 9
allow art_boot device_config_runtime_native_prop:file { getattr open read map };
#line 9
# Allow ART to set its config properties at boot, mainly to be able to propagate
# experiment flags to properties that only may change at boot.
# (Expanded set_prop macro: write to the property socket, connect to init's
# property service, and `set` only the dalvik_config_prop_type properties;
# read access to the same properties comes with it.)
#line 13
#line 13
allow art_boot property_socket:sock_file write;
#line 13
allow art_boot init:unix_stream_socket connectto;
#line 13
#line 13
allow art_boot dalvik_config_prop_type:property_service set;
#line 13
#line 13
allow art_boot dalvik_config_prop_type:file { getattr open read map };
#line 13
#line 13
#line 1 "system/sepolicy/private/artd.te"
# ART service daemon.
# artd compiles and manages dex artifacts on behalf of the system. It is a
# privileged domain (DAC-override capabilities, read/write over all app data
# labels), so the neverallow on execute_no_trans and the dedicated
# subprocess domains (profman, dex2oat) below are what keep that privilege
# from leaking into the tools it runs.
typeattribute artd coredomain;
typeattribute artd mlstrustedsubject;
type artd_exec, system_file_type, exec_type, file_type;
type artd_tmpfs, file_type;
# Allow artd to publish a binder service and make binder calls.
#line 8
# Call the servicemanager and transfer references to it.
#line 8
allow artd servicemanager:binder { call transfer };
#line 8
# Allow servicemanager to send out callbacks
#line 8
allow servicemanager artd:binder { call transfer };
#line 8
# servicemanager performs getpidcon on clients.
#line 8
allow servicemanager artd:dir search;
#line 8
allow servicemanager artd:file { read open };
#line 8
allow servicemanager artd:process getattr;
#line 8
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 8
# all domains in domain.te.
#line 8
# Only artd may register the two artd services; the neverallows in the
# expansion enforce this against every other domain.
#line 9
allow artd artd_service:service_manager { add find };
#line 9
neverallow { domain -artd } artd_service:service_manager add;
#line 9
#line 9
# On debug builds with root, allow binder services to use binder over TCP.
#line 9
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 9
#line 9
#line 10
allow artd artd_pre_reboot_service:service_manager { add find };
#line 10
neverallow { domain -artd } artd_pre_reboot_service:service_manager add;
#line 10
#line 10
# On debug builds with root, allow binder services to use binder over TCP.
#line 10
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 10
#line 10
# dumpstate hands artd a fifo to write its dump output into.
allow artd dumpstate:fifo_file { getattr write };
allow artd dumpstate:fd use;
# Expanded init-daemon domain-transition macro (init -> artd via artd_exec).
#line 14
#line 14
# Allow the necessary permissions.
#line 14
#line 14
# Old domain may exec the file and transition to the new domain.
#line 14
allow init artd_exec:file { getattr open read execute map };
#line 14
allow init artd:process transition;
#line 14
# New domain is entered by executing the file.
#line 14
allow artd artd_exec:file { entrypoint open read execute getattr map };
#line 14
# New domain can send SIGCHLD to its caller.
#line 14
#line 14
# Enable AT_SECURE, i.e. libc secure mode.
#line 14
dontaudit init artd:process noatsecure;
#line 14
# XXX dontaudit candidate but requires further study.
#line 14
allow init artd:process { siginh rlimitinh };
#line 14
#line 14
# Make the transition occur by default.
#line 14
type_transition init artd_exec:process artd;
#line 14
#line 14
# Allow query ART device config properties
#line 17
allow artd device_config_runtime_native_prop:file { getattr open read map };
#line 17
#line 18
allow artd device_config_runtime_native_boot_prop:file { getattr open read map };
#line 18
# Access to "odsign.verification.success" for deciding whether to deny files in
# the ART APEX data directory.
#line 22
allow artd odsign_prop:file { getattr open read map };
#line 22
# Reading an APK opens a ZipArchive, which unpacks to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by artd their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by artd vs other
# processes.
#line 29
type_transition artd tmpfs:file artd_tmpfs;
#line 29
allow artd artd_tmpfs:file { read write getattr map };
#line 29
# Allow testing userfaultfd support.
#line 32
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 32
type artd_userfaultfd;
#line 32
type_transition artd artd:anon_inode artd_userfaultfd "[userfaultfd]";
#line 32
# Allow domain to create/use userfaultfd anon_inode.
#line 32
allow artd artd_userfaultfd:anon_inode { create ioctl read };
#line 32
# Suppress errors generated during bugreport
#line 32
dontaudit su artd_userfaultfd:anon_inode *;
#line 32
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 32
neverallow { domain -artd } artd_userfaultfd:anon_inode *;
#line 32
# Read access to primary dex'es on writable partitions
# ({/data,/mnt/expand/<volume-uuid>}/app/...).
# Also allow creating the "oat" directory before restorecon.
# (relabelfrom on apk_data_file dirs is what lets the freshly created "oat"
# directory be relabeled afterwards.)
allow artd mnt_expand_file:dir { getattr search };
allow artd apk_data_file:dir { { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } create setattr relabelfrom };
allow artd apk_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
#line 42
allow artd vendor_app_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 42
allow artd vendor_app_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 42
# Read access to vendor overlay APKs ({/vendor,/odm,/oem,/apex/*}/overlay/...).
allow artd oemfs:dir { getattr search };
#line 46
allow artd vendor_overlay_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 46
allow artd vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 46
# Vendor overlay can be found in vendor apex
allow artd vendor_apex_metadata_file:dir { getattr search };
# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
#line 51
allow artd vendor_framework_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 51
allow artd vendor_framework_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 51
# Read/write access to all compilation artifacts generated on device for apps'
# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
# (create/delete/rename plus relabelto, so artd can restorecon what it makes.)
allow artd dalvikcache_data_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelto };
allow artd dalvikcache_data_file:file { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } relabelto };
# Read access to the ART APEX data directory.
# Needed for reading the boot image generated on device.
allow artd apex_module_data_file:dir { getattr search };
#line 61
allow artd apex_art_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 61
allow artd apex_art_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 61
# Read access to /apex/apex-info-list.xml
# Needed for getting APEX versions.
allow artd apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow getting root capabilities to bypass permission checks.
# - "dac_override" and "dac_read_search" are for
# - reading secondary dex'es in app data directories (reading primary dex'es
# doesn't need root capabilities)
# - managing (CRUD) compilation artifacts in both APK directories for primary
# dex'es and in app data directories for secondary dex'es
# - managing (CRUD) profile files for both primary dex'es and secondary dex'es
# - "fowner" is for adjusting the file permissions of compilation artifacts and
# profile files based on whether they include user data or not.
# - "chown" is for transferring the ownership of compilation artifacts and
# profile files to the system or apps.
# These bypass DAC only; the MAC rules in this file still bound which labels
# artd can reach.
allow artd self:{ capability cap_userns } { dac_override dac_read_search fowner chown };
# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...). Also allow
# scanning /data/misc/profiles/cur, for cleaning up obsolete managed files.
allow artd user_profile_root_file:dir { open getattr read search ioctl lock watch watch_reads };
allow artd user_profile_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow artd user_profile_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Read/write access to secondary dex files, their profiles, and their
# compilation artifacts
# ({/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id>/<package-name>/...).
# app_data_file_type is an attribute spanning every app's private data label,
# so these two rules (including relabelfrom/relabelto) are the broadest grant
# in this domain; note that lnk_file is deliberately not included here.
allow artd app_data_file_type:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelfrom relabelto };
allow artd app_data_file_type:file { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } relabelfrom relabelto };
# Allow symlinks for secondary dex files. This has to be restricted because
# symlinks can cause various security issues. We allow "privapp_data_file" just
# for GMS because so far we only see GMS using symlinks.
allow artd privapp_data_file:lnk_file { getattr read };
# Read access to SELinux context files, for restorecon.
allow artd file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
allow artd seapp_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# Check validity of SELinux context, for restorecon.
#line 102
#line 102
allow artd selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 102
allow artd selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 102
#line 102
allow artd selinuxfs:file { open append write lock map };
#line 102
allow artd kernel:security check_context;
#line 102
# Allow scanning /, for cleaning up obsolete managed files.
allow artd rootfs:dir { open getattr read search ioctl lock watch watch_reads };
# Allow scanning /data, for cleaning up obsolete managed files.
allow artd system_data_root_file:dir { open getattr read search ioctl lock watch watch_reads };
# Allow scanning /mnt, for cleaning up obsolete managed files.
allow artd tmpfs:dir { open getattr read search ioctl lock watch watch_reads };
# Allow scanning /mnt/expand, for cleaning up obsolete managed files.
allow artd mnt_expand_file:dir { open getattr read search ioctl lock watch watch_reads };
# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}, for cleaning
# up obsolete managed files.
allow artd system_userdir_file:dir { open getattr read search ioctl lock watch watch_reads };
# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id> and
# /mnt/expand/<volume-uuid>, for cleaning up obsolete managed files.
allow artd system_data_file:dir { open getattr read search ioctl lock watch watch_reads };
# Never allow running other binaries without a domain transition.
# The only exception is art_exec. It is allowed to use the artd domain because
# it is a thin wrapper that executes other binaries on behalf of artd.
neverallow artd ~{art_exec_exec}:file execute_no_trans;
allow artd art_exec_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow running other binaries in their own domains.
# (Two expanded domain_auto_trans macros: artd -> profman and artd -> dex2oat.
# Running the compilers in their own domains means a compromise of the
# compiler does not inherit artd's capabilities and data access.)
#line 131
# Allow the necessary permissions.
#line 131
#line 131
# Old domain may exec the file and transition to the new domain.
#line 131
allow artd profman_exec:file { getattr open read execute map };
#line 131
allow artd profman:process transition;
#line 131
# New domain is entered by executing the file.
#line 131
allow profman profman_exec:file { entrypoint open read execute getattr map };
#line 131
# New domain can send SIGCHLD to its caller.
#line 131
allow profman artd:process sigchld;
#line 131
# Enable AT_SECURE, i.e. libc secure mode.
#line 131
dontaudit artd profman:process noatsecure;
#line 131
# XXX dontaudit candidate but requires further study.
#line 131
allow artd profman:process { siginh rlimitinh };
#line 131
#line 131
# Make the transition occur by default.
#line 131
type_transition artd profman_exec:process profman;
#line 131
#line 132
# Allow the necessary permissions.
#line 132
#line 132
# Old domain may exec the file and transition to the new domain.
#line 132
allow artd dex2oat_exec:file { getattr open read execute map };
#line 132
allow artd dex2oat:process transition;
#line 132
# New domain is entered by executing the file.
#line 132
allow dex2oat dex2oat_exec:file { entrypoint open read execute getattr map };
#line 132
# New domain can send SIGCHLD to its caller.
#line 132
allow dex2oat artd:process sigchld;
#line 132
# Enable AT_SECURE, i.e. libc secure mode.
#line 132
dontaudit artd dex2oat:process noatsecure;
#line 132
# XXX dontaudit candidate but requires further study.
#line 132
allow artd dex2oat:process { siginh rlimitinh };
#line 132
#line 132
# Make the transition occur by default.
#line 132
type_transition artd dex2oat_exec:process dex2oat;
#line 132
# Allow sending sigkill to subprocesses.
allow artd { profman dex2oat }:process sigkill;
# Allow reading process info (/proc/<pid>/...).
# This is needed for getting CPU time and wall time spent on subprocesses.
#line 139
allow artd profman:dir { open getattr read search ioctl lock watch watch_reads };
#line 139
allow artd profman:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 139
;
#line 140
allow artd dex2oat:dir { open getattr read search ioctl lock watch watch_reads };
#line 140
allow artd dex2oat:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 140
;
# Allow artd to reopen its own memfd.
# artd needs to reopen a memfd with readonly in order to pass it to subprocesses
# that don't have write permissions on memfds.
allow artd artd_tmpfs:file open;
#line 1 "system/sepolicy/private/asan_extract.te"
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
# Technically not a daemon but we do want the transition from init domain to
# asan_extract to occur.
#line 11
#line 1 "system/sepolicy/private/atrace.te"
# Domain for atrace process.
# It is spawned either by traced_probes or by init for the boottrace service.
type atrace_exec, exec_type, file_type, system_file_type;
# boottrace services uses /data/misc/boottrace/categories
allow atrace boottrace_data_file:dir search;
allow atrace boottrace_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow atrace to access tracefs.
allow atrace debugfs_tracing:dir { open getattr read search ioctl lock watch watch_reads };
allow atrace debugfs_tracing:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow atrace debugfs_trace_marker:file getattr;
# Allow atrace to write data when a pipe is used for stdout/stderr.
# This is used by Perfetto to capture atrace stdout/stderr.
allow atrace traced_probes:fd use;
allow atrace traced_probes:fifo_file { getattr write };
# atrace sets debug.atrace.* properties
#line 21
#line 21
allow atrace property_socket:sock_file write;
#line 21
allow atrace init:unix_stream_socket connectto;
#line 21
#line 21
allow atrace debug_prop:property_service set;
#line 21
#line 21
allow atrace debug_prop:file { getattr open read map };
#line 21
#line 21
# atrace pokes all the binder-enabled processes at startup with a
# SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
# Allow discovery of binder services.
allow atrace {
service_manager_type
-apex_service
-dnsresolver_service
-dumpstate_service
-incident_service
-installd_service
-lpdump_service
-mdns_service
-netd_service
-stats_service
-tracingproxy_service
-vold_service
-default_android_service
}:service_manager { find };
allow atrace servicemanager:service_manager list;
# Allow notifying the processes hosting specific binder services that
# trace-related system properties have changed.
#line 46
# Call the servicemanager and transfer references to it.
#line 46
allow atrace servicemanager:binder { call transfer };
#line 46
# Allow servicemanager to send out callbacks
#line 46
allow servicemanager atrace:binder { call transfer };
#line 46
# servicemanager performs getpidcon on clients.
#line 46
allow servicemanager atrace:dir search;
#line 46
allow servicemanager atrace:file { read open };
#line 46
allow servicemanager atrace:process getattr;
#line 46
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 46
# all domains in domain.te.
#line 46
allow atrace surfaceflinger:binder call;
allow atrace system_server:binder call;
allow atrace cameraserver:binder call;
# Similarly, on debug builds, allow specific HALs to be notified that
# trace-related system properties have changed.
#line 59
# Remove logspam from notification attempts to non-allowlisted services.
dontaudit atrace hwservice_manager_type:hwservice_manager find;
dontaudit atrace service_manager_type:service_manager find;
dontaudit atrace domain:binder call;
# atrace can call atrace HAL
#line 67
typeattribute atrace halclientdomain;
#line 67
typeattribute atrace hal_atrace_client;
#line 67
#line 67
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 67
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 67
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 67
#line 67
typeattribute atrace hal_atrace;
#line 67
# Find passthrough HAL implementations
#line 67
allow hal_atrace system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 67
allow hal_atrace vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 67
allow hal_atrace vendor_file:file { read open getattr execute map };
#line 67
#line 67
#line 69
allow atrace hwservicemanager_prop:file { getattr open read map };
#line 69
#line 79
dontaudit atrace debugfs_tracing_debug:file audit_access;
#line 1 "system/sepolicy/private/audioserver.te"
# audioserver - audio services daemon
typeattribute audioserver coredomain;
type audioserver_exec, exec_type, file_type, system_file_type;
#line 6
#line 6
# Allow the necessary permissions.
#line 6
#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow init audioserver_exec:file { getattr open read execute map };
#line 6
allow init audioserver:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow audioserver audioserver_exec:file { entrypoint open read execute getattr map };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit init audioserver:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow init audioserver:process { siginh rlimitinh };
#line 6
#line 6
# Make the transition occur by default.
#line 6
type_transition init audioserver_exec:process audioserver;
#line 6
#line 6
#line 7
type_transition audioserver tmpfs:file audioserver_tmpfs;
#line 7
allow audioserver audioserver_tmpfs:file { read write getattr map };
#line 7
#line 9
allow audioserver sdcard_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow audioserver sdcard_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 9
#line 10
allow audioserver fuse:dir { open getattr read search ioctl lock watch watch_reads };
#line 10
allow audioserver fuse:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 10
#line 12
# Call the servicemanager and transfer references to it.
#line 12
allow audioserver servicemanager:binder { call transfer };
#line 12
# Allow servicemanager to send out callbacks
#line 12
allow servicemanager audioserver:binder { call transfer };
#line 12
# servicemanager performs getpidcon on clients.
#line 12
allow servicemanager audioserver:dir search;
#line 12
allow servicemanager audioserver:file { read open };
#line 12
allow servicemanager audioserver:process getattr;
#line 12
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 12
# all domains in domain.te.
#line 12
#line 13
# Call the server domain and optionally transfer references to it.
#line 13
allow audioserver binderservicedomain:binder { call transfer };
#line 13
# Allow the serverdomain to transfer references to the client on the reply.
#line 13
allow binderservicedomain audioserver:binder transfer;
#line 13
# Receive and use open files from the server.
#line 13
allow audioserver binderservicedomain:fd use;
#line 13
#line 14
# Call the server domain and optionally transfer references to it.
#line 14
allow audioserver appdomain:binder { call transfer };
#line 14
# Allow the serverdomain to transfer references to the client on the reply.
#line 14
allow appdomain audioserver:binder transfer;
#line 14
# Receive and use open files from the server.
#line 14
allow audioserver appdomain:fd use;
#line 14
#line 15
typeattribute audioserver binderservicedomain;
#line 15
#line 17
typeattribute audioserver halclientdomain;
#line 17
typeattribute audioserver hal_allocator_client;
#line 17
#line 17
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 17
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 17
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 17
#line 17
typeattribute audioserver hal_allocator;
#line 17
# Find passthrough HAL implementations
#line 17
allow hal_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 17
allow hal_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 17
allow hal_allocator vendor_file:file { read open getattr execute map };
#line 17
#line 17
# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
#line 19
allow audioserver system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 19
allow audioserver system_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 19
#line 21
typeattribute audioserver halclientdomain;
#line 21
typeattribute audioserver hal_audio_client;
#line 21
#line 21
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 21
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 21
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 21
#line 21
typeattribute audioserver hal_audio;
#line 21
# Find passthrough HAL implementations
#line 21
allow hal_audio system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 21
allow hal_audio vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 21
allow hal_audio vendor_file:file { read open getattr execute map };
#line 21
#line 21
#line 31
#line 33
allow audioserver audioserver_service:service_manager { add find };
#line 33
neverallow { domain -audioserver } audioserver_service:service_manager add;
#line 33
#line 33
# On debug builds with root, allow binder services to use binder over TCP.
#line 33
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 33
#line 33
allow audioserver activity_service:service_manager find;
allow audioserver appops_service:service_manager find;
allow audioserver batterystats_service:service_manager find;
allow audioserver external_vibrator_service:service_manager find;
allow audioserver package_native_service:service_manager find;
allow audioserver permission_service:service_manager find;
allow audioserver permission_checker_service:service_manager find;
allow audioserver power_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;
allow audioserver mediametrics_service:service_manager find;
allow audioserver sensor_privacy_service:service_manager find;
allow audioserver soundtrigger_middleware_service:service_manager find;
allow audioserver audio_service:service_manager find;
# Allow read/write access to bluetooth-specific properties
#line 49
#line 49
allow audioserver property_socket:sock_file write;
#line 49
allow audioserver init:unix_stream_socket connectto;
#line 49
#line 49
allow audioserver bluetooth_a2dp_offload_prop:property_service set;
#line 49
#line 49
allow audioserver bluetooth_a2dp_offload_prop:file { getattr open read map };
#line 49
#line 49
#line 50
#line 50
allow audioserver property_socket:sock_file write;
#line 50
allow audioserver init:unix_stream_socket connectto;
#line 50
#line 50
allow audioserver bluetooth_audio_hal_prop:property_service set;
#line 50
#line 50
allow audioserver bluetooth_audio_hal_prop:file { getattr open read map };
#line 50
#line 50
#line 51
#line 51
allow audioserver property_socket:sock_file write;
#line 51
allow audioserver init:unix_stream_socket connectto;
#line 51
#line 51
allow audioserver bluetooth_prop:property_service set;
#line 51
#line 51
allow audioserver bluetooth_prop:file { getattr open read map };
#line 51
#line 51
#line 52
#line 52
allow audioserver property_socket:sock_file write;
#line 52
allow audioserver init:unix_stream_socket connectto;
#line 52
#line 52
allow audioserver exported_bluetooth_prop:property_service set;
#line 52
#line 52
allow audioserver exported_bluetooth_prop:file { getattr open read map };
#line 52
#line 52
# Grant access to audio files to audioserver
allow audioserver audio_data_file:dir { { open getattr read search ioctl lock watch watch_reads } add_name write };
allow audioserver audio_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# allow access to ALSA MMAP FDs for AAudio API
allow audioserver audio_device:chr_file { read write };
allow audioserver audio_device:dir { open getattr read search ioctl lock watch watch_reads };
allow audioserver audio_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# For A2DP bridge which is loaded directly into audioserver
#line 65
allow audioserver bluetooth_socket:sock_file write;
#line 65
allow audioserver bluetooth:unix_stream_socket connectto;
#line 65
# Allow shell commands from ADB and shell for CTS testing/dumping
allow audioserver adbd:fd use;
allow audioserver adbd:unix_stream_socket { read write };
allow audioserver shell:fifo_file { read write };
# Allow shell commands from ADB for CTS testing/dumping
#line 77
# Allow write access to log tag property
#line 80
#line 80
allow audioserver property_socket:sock_file write;
#line 80
allow audioserver init:unix_stream_socket connectto;
#line 80
#line 80
allow audioserver log_tag_prop:property_service set;
#line 80
#line 80
allow audioserver log_tag_prop:file { getattr open read map };
#line 80
#line 80
;
###
### neverallow rules
###
# audioserver should never execute any executable without a
# domain transition
neverallow audioserver { file_type fs_type }:file execute_no_trans;
# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow audioserver domain:{ udp_socket rawip_socket } *;
neverallow audioserver { domain }:tcp_socket *;
# Allow using wake locks
#line 104
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 104
# deprecated.
#line 104
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 104
allow audioserver sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 104
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 104
allow audioserver self:{ capability2 cap2_userns } block_suspend;
#line 104
# system_suspend permissions
#line 104
#line 104
# Call the server domain and optionally transfer references to it.
#line 104
allow audioserver system_suspend_server:binder { call transfer };
#line 104
# Allow the serverdomain to transfer references to the client on the reply.
#line 104
allow system_suspend_server audioserver:binder transfer;
#line 104
# Receive and use open files from the server.
#line 104
allow audioserver system_suspend_server:fd use;
#line 104
#line 104
allow audioserver system_suspend_hwservice:hwservice_manager find;
#line 104
# halclientdomain permissions
#line 104
#line 104
# Call the hwservicemanager and transfer references to it.
#line 104
allow audioserver hwservicemanager:binder { call transfer };
#line 104
# Allow hwservicemanager to send out callbacks
#line 104
allow hwservicemanager audioserver:binder { call transfer };
#line 104
# hwservicemanager performs getpidcon on clients.
#line 104
allow hwservicemanager audioserver:dir search;
#line 104
allow hwservicemanager audioserver:file { read open map };
#line 104
allow hwservicemanager audioserver:process getattr;
#line 104
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 104
# all domains in domain.te.
#line 104
#line 104
#line 104
allow audioserver hwservicemanager_prop:file { getattr open read map };
#line 104
#line 104
allow audioserver hidl_manager_hwservice:hwservice_manager find;
#line 104
# AIDL suspend hal permissions
#line 104
allow audioserver hal_system_suspend_service:service_manager find;
#line 104
#line 104
# Call the servicemanager and transfer references to it.
#line 104
allow audioserver servicemanager:binder { call transfer };
#line 104
# Allow servicemanager to send out callbacks
#line 104
allow servicemanager audioserver:binder { call transfer };
#line 104
# servicemanager performs getpidcon on clients.
#line 104
allow servicemanager audioserver:dir search;
#line 104
allow servicemanager audioserver:file { read open };
#line 104
allow servicemanager audioserver:process getattr;
#line 104
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 104
# all domains in domain.te.
#line 104
#line 104
# Allow reading audio config props, e.g. af.fast_track_multiplier
#line 107
allow audioserver audio_config_prop:file { getattr open read map };
#line 107
#line 108
allow audioserver system_audio_config_prop:file { getattr open read map };
#line 108
#line 1 "system/sepolicy/private/auditctl.te"
#
# /system/bin/auditctl executed for logd
#
# Performs maintenance of the kernel auditing system, including
# setting rate limits on SELinux denials.
#
type auditctl, domain, coredomain;
type auditctl_exec, file_type, system_file_type, exec_type;
# Uncomment the line below to put this domain into permissive
# mode. This helps speed SELinux policy development.
# userdebug_or_eng(`permissive auditctl;')
#line 15
#line 15
# Allow the necessary permissions.
#line 15
#line 15
# Old domain may exec the file and transition to the new domain.
#line 15
allow init auditctl_exec:file { getattr open read execute map };
#line 15
allow init auditctl:process transition;
#line 15
# New domain is entered by executing the file.
#line 15
allow auditctl auditctl_exec:file { entrypoint open read execute getattr map };
#line 15
# New domain can send SIGCHLD to its caller.
#line 15
#line 15
# Enable AT_SECURE, i.e. libc secure mode.
#line 15
dontaudit init auditctl:process noatsecure;
#line 15
# XXX dontaudit candidate but requires further study.
#line 15
allow init auditctl:process { siginh rlimitinh };
#line 15
#line 15
# Make the transition occur by default.
#line 15
type_transition init auditctl_exec:process auditctl;
#line 15
#line 15
allow auditctl self:{ capability cap_userns } audit_control;
allow auditctl self:netlink_audit_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_write };
#line 1 "system/sepolicy/private/automotive_display_service.te"
# Display proxy service for Automotive
type automotive_display_service, domain, coredomain;
type automotive_display_service_exec, system_file_type, exec_type, file_type;
typeattribute automotive_display_service automotive_display_service_server;
# Allow to add a display service to the hwservicemanager
#line 8
allow automotive_display_service fwk_automotive_display_hwservice:hwservice_manager { add find };
#line 8
allow automotive_display_service hidl_base_hwservice:hwservice_manager add;
#line 8
neverallow { domain -automotive_display_service } fwk_automotive_display_hwservice:hwservice_manager add;
#line 8
;
# Allow init to launch automotive display service
#line 11
#line 11
# Allow the necessary permissions.
#line 11
#line 11
# Old domain may exec the file and transition to the new domain.
#line 11
allow init automotive_display_service_exec:file { getattr open read execute map };
#line 11
allow init automotive_display_service:process transition;
#line 11
# New domain is entered by executing the file.
#line 11
allow automotive_display_service automotive_display_service_exec:file { entrypoint open read execute getattr map };
#line 11
# New domain can send SIGCHLD to its caller.
#line 11
#line 11
# Enable AT_SECURE, i.e. libc secure mode.
#line 11
dontaudit init automotive_display_service:process noatsecure;
#line 11
# XXX dontaudit candidate but requires further study.
#line 11
allow init automotive_display_service:process { siginh rlimitinh };
#line 11
#line 11
# Make the transition occur by default.
#line 11
type_transition init automotive_display_service_exec:process automotive_display_service;
#line 11
#line 11
# Allow to use Binder IPC for SurfaceFlinger.
#line 14
# Call the servicemanager and transfer references to it.
#line 14
allow automotive_display_service servicemanager:binder { call transfer };
#line 14
# Allow servicemanager to send out callbacks
#line 14
allow servicemanager automotive_display_service:binder { call transfer };
#line 14
# servicemanager performs getpidcon on clients.
#line 14
allow servicemanager automotive_display_service:dir search;
#line 14
allow servicemanager automotive_display_service:file { read open };
#line 14
allow servicemanager automotive_display_service:process getattr;
#line 14
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 14
# all domains in domain.te.
#line 14
# Allow to use HwBinder IPC for HAL implementations.
#line 17
# Call the hwservicemanager and transfer references to it.
#line 17
allow automotive_display_service hwservicemanager:binder { call transfer };
#line 17
# Allow hwservicemanager to send out callbacks
#line 17
allow hwservicemanager automotive_display_service:binder { call transfer };
#line 17
# hwservicemanager performs getpidcon on clients.
#line 17
allow hwservicemanager automotive_display_service:dir search;
#line 17
allow hwservicemanager automotive_display_service:file { read open map };
#line 17
allow hwservicemanager automotive_display_service:process getattr;
#line 17
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 17
# all domains in domain.te.
#line 17
#line 18
typeattribute automotive_display_service halclientdomain;
#line 18
typeattribute automotive_display_service hal_graphics_composer_client;
#line 18
#line 18
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 18
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 18
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 18
#line 18
typeattribute automotive_display_service hal_graphics_composer;
#line 18
# Find passthrough HAL implementations
#line 18
allow hal_graphics_composer system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 18
allow hal_graphics_composer vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 18
allow hal_graphics_composer vendor_file:file { read open getattr execute map };
#line 18
#line 18
#line 19
typeattribute automotive_display_service halclientdomain;
#line 19
typeattribute automotive_display_service hal_graphics_allocator_client;
#line 19
#line 19
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 19
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 19
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 19
#line 19
typeattribute automotive_display_service hal_graphics_allocator;
#line 19
# Find passthrough HAL implementations
#line 19
allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 19
allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 19
allow hal_graphics_allocator vendor_file:file { read open getattr execute map };
#line 19
#line 19
# Allow to read the target property.
#line 22
allow automotive_display_service hwservicemanager_prop:file { getattr open read map };
#line 22
# Allow to find SurfaceFlinger.
allow automotive_display_service surfaceflinger_service:service_manager find;
# Allow client domain to do binder IPC to serverdomain.
#line 28
# Call the server domain and optionally transfer references to it.
#line 28
allow automotive_display_service surfaceflinger:binder { call transfer };
#line 28
# Allow the serverdomain to transfer references to the client on the reply.
#line 28
allow surfaceflinger automotive_display_service:binder transfer;
#line 28
# Receive and use open files from the server.
#line 28
allow automotive_display_service surfaceflinger:fd use;
#line 28
# Allow to use a graphics mapper
allow automotive_display_service hal_graphics_mapper_hwservice:hwservice_manager find;
# Allow to use hidl token service
allow automotive_display_service hidl_token_hwservice:hwservice_manager find;
# Allow to access EGL files
allow automotive_display_service gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow automotive_display_service gpu_device:dir search;
# Allow to add a service to the servicemanager
#line 41
allow automotive_display_service fwk_automotive_display_service:service_manager { add find };
#line 41
neverallow { domain -automotive_display_service } fwk_automotive_display_service:service_manager add;
#line 41
#line 41
# On debug builds with root, allow binder services to use binder over TCP.
#line 41
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 41
#line 41
;
# Allow to communicate with EVS services
#line 44
# Call the server domain and optionally transfer references to it.
#line 44
allow automotive_display_service hal_evs:binder { call transfer };
#line 44
# Allow the serverdomain to transfer references to the client on the reply.
#line 44
allow hal_evs automotive_display_service:binder transfer;
#line 44
# Receive and use open files from the server.
#line 44
allow automotive_display_service hal_evs:fd use;
#line 44
#line 1 "system/sepolicy/private/binderservicedomain.te"
# Rules common to some specific binder service domains.
# Deprecated. Consider granting the exact permissions required by your service.
# Allow dumpstate and incidentd to collect information from binder services
allow binderservicedomain { dumpstate incidentd }:fd use;
allow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr };
allow binderservicedomain { dumpstate incidentd }:fifo_file { getattr write };
allow binderservicedomain shell_data_file:file { getattr write };
# Allow dumpsys to work from adb shell or the serial console
allow binderservicedomain devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow binderservicedomain console_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Receive and write to a pipe received over Binder from an app.
allow binderservicedomain appdomain:fd use;
allow binderservicedomain appdomain:fifo_file write;
# allow all services to run permission checks
allow binderservicedomain permission_service:service_manager find;
allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
#line 23
allow keystore binderservicedomain:dir search;
#line 23
allow keystore binderservicedomain:file { read open };
#line 23
allow keystore binderservicedomain:process getattr;
#line 23
allow binderservicedomain apc_service:service_manager find;
#line 23
allow binderservicedomain keystore_service:service_manager find;
#line 23
allow binderservicedomain legacykeystore_service:service_manager find;
#line 23
#line 23
# Call the server domain and optionally transfer references to it.
#line 23
allow binderservicedomain keystore:binder { call transfer };
#line 23
# Allow the serverdomain to transfer references to the client on the reply.
#line 23
allow keystore binderservicedomain:binder transfer;
#line 23
# Receive and use open files from the server.
#line 23
allow binderservicedomain keystore:fd use;
#line 23
#line 23
#line 23
# Call the server domain and optionally transfer references to it.
#line 23
allow keystore binderservicedomain:binder { call transfer };
#line 23
# Allow the serverdomain to transfer references to the client on the reply.
#line 23
allow binderservicedomain keystore:binder transfer;
#line 23
# Receive and use open files from the server.
#line 23
allow keystore binderservicedomain:fd use;
#line 23
#line 23
# binderservicedomain is using apex_info via libvintf
#line 25
allow binderservicedomain apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads };
#line 25
allow binderservicedomain apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
#line 25
#line 25
allow binderservicedomain vendor_apex_metadata_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 25
allow binderservicedomain vendor_apex_metadata_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 25
#line 25
#line 1 "system/sepolicy/private/blank_screen.te"
type blank_screen, domain, coredomain;
type blank_screen_exec, exec_type, file_type, system_file_type;
#line 4
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init blank_screen_exec:file { getattr open read execute map };
#line 4
allow init blank_screen:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow blank_screen blank_screen_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init blank_screen:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init blank_screen:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition init blank_screen_exec:process blank_screen;
#line 4
#line 4
# hal_light_client has access to hal_light_server
#line 7
typeattribute blank_screen halclientdomain;
#line 7
typeattribute blank_screen hal_light_client;
#line 7
#line 7
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 7
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 7
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 7
#line 7
typeattribute blank_screen hal_light;
#line 7
# Find passthrough HAL implementations
#line 7
allow hal_light system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 7
allow hal_light vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 7
allow hal_light vendor_file:file { read open getattr execute map };
#line 7
#line 7
#line 1 "system/sepolicy/private/blkid.te"
# blkid called from vold
# This domain probes the device's own (trusted) block devices; a separate
# blkid_untrusted domain handles removable / vold-managed media.
typeattribute blkid coredomain;
type blkid_exec, system_file_type, exec_type, file_type;
# Allowed read-only access to encrypted devices to extract UUID/label
# Only the read-side set (getattr open read ioctl lock map watch*) is granted;
# no write/append, so blkid cannot modify device contents. ioctl is granted
# without an allowxperm filter in this section, so all ioctls on these
# devices are reachable from blkid unless restricted elsewhere in the policy.
allow blkid block_device:dir search;
allow blkid userdata_block_device:blk_file { getattr open read ioctl lock map watch watch_reads };
allow blkid dm_device:blk_file { getattr open read ioctl lock map watch watch_reads };
# Allow stdin/out back to vold
allow blkid vold:fd use;
allow blkid vold:fifo_file { read write getattr };
# For blkid launched through popen()
# execute_no_trans: the blkid domain may re-exec blkid_exec (e.g. from the
# shell that popen() spawns) without a further domain transition.
allow blkid blkid_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Only allow entry from vold
# Defence in depth: no domain other than vold may transition into blkid,
# dynamic transitions are forbidden outright, and the only permitted
# entrypoints are blkid_exec and shell_exec.
neverallow { domain -vold } blkid:process transition;
neverallow * blkid:process dyntransition;
neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
#line 1 "system/sepolicy/private/blkid_untrusted.te"
# blkid for untrusted block devices
# Same shape as blkid.te, but the only block device type it may read is
# vold_device (attacker-controlled media); internal devices are denied below.
typeattribute blkid_untrusted coredomain;
# Allowed read-only access to vold block devices to extract UUID/label
allow blkid_untrusted block_device:dir search;
allow blkid_untrusted vold_device:blk_file { getattr open read ioctl lock map watch watch_reads };
# Allow stdin/out back to vold
allow blkid_untrusted vold:fd use;
allow blkid_untrusted vold:fifo_file { read write getattr };
# For blkid launched through popen()
allow blkid_untrusted blkid_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
###
### neverallow rules
###
# Untrusted blkid should never be run on block devices holding sensitive data
# The denied set covers read, write, open, ioctl, lock and the watch
# permissions on every internal device type listed. Note that getattr is not
# in the denied set; no rule in this section grants it either, so this is a
# gap in the neverallow's coverage rather than a grant.
neverallow blkid_untrusted {
boot_block_device
frp_block_device
metadata_block_device
recovery_block_device
root_block_device
swap_block_device
system_block_device
userdata_block_device
cache_block_device
dm_device
}:blk_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Only allow entry from vold via blkid binary
neverallow { domain -vold } blkid_untrusted:process transition;
neverallow * blkid_untrusted:process dyntransition;
neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
#line 1 "system/sepolicy/private/bluetooth.te"
# bluetooth app
# The Bluetooth stack runs as an app domain (appdomain + netdomain) but is an
# MLS trusted subject and is granted several capabilities below that ordinary
# apps do not get; the neverallow rules at the end of this file bound them.
typeattribute bluetooth coredomain, mlstrustedsubject;
#line 5
typeattribute bluetooth appdomain;
#line 5
# Label tmpfs objects for all apps.
#line 5
type_transition bluetooth tmpfs:file appdomain_tmpfs;
#line 5
#line 5
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 5
type bluetooth_userfaultfd;
#line 5
type_transition bluetooth bluetooth:anon_inode bluetooth_userfaultfd "[userfaultfd]";
#line 5
# Allow domain to create/use userfaultfd anon_inode.
#line 5
allow bluetooth bluetooth_userfaultfd:anon_inode { create ioctl read };
#line 5
# Suppress errors generated during bugreport
#line 5
# (dontaudit only silences the denial; su is still denied by the neverallow
# that follows.)
#line 5
dontaudit su bluetooth_userfaultfd:anon_inode *;
#line 5
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 5
neverallow { domain -bluetooth } bluetooth_userfaultfd:anon_inode *;
#line 5
#line 5
# execute on the app's own tmpfs files: anonymous memory may be made
# executable (needed by the runtime), so this domain is not W^X-enforced.
#line 5
allow bluetooth appdomain_tmpfs:file { execute getattr map read write };
#line 5
neverallow { bluetooth -runas_app -shell -simpleperf } { domain -bluetooth }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 5
neverallow { appdomain -runas_app -shell -simpleperf -bluetooth } bluetooth:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 5
# The Android security model guarantees the confidentiality and integrity
#line 5
# of application data and execution state. Ptrace bypasses those
#line 5
# confidentiality guarantees. Disallow ptrace access from system components to
#line 5
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 5
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 5
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 5
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 5
# live lock conditions.
#line 5
# NOTE(review): the macro comment above mentions llkd, but this expansion
# excludes only crash_dump, runas_app and simpleperf, so llkd may NOT ptrace
# bluetooth under this policy. The rule, not the comment, is authoritative.
#line 5
neverallow { domain -bluetooth -crash_dump -runas_app -simpleperf } bluetooth:process ptrace;
#line 5
#line 6
typeattribute bluetooth netdomain;
#line 6
# Socket creation under /data/misc/bluedroid.
type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
# Allow access to net_admin ioctls
# ioctl allowlist for bluetooth's own UDP sockets (allowxperm narrows the
# generic ioctl permission to these command numbers). Reviewer note: the
# "device and protocol specific" (0x89e0-0x89ff) and "dev private"
# (0x8be0-0x8bff) entries are whole ranges, so any driver-registered ioctl in
# those ranges is reachable from the Bluetooth app; narrow them if the stack
# does not need the full range on a given device.
allowxperm bluetooth self:udp_socket ioctl
#line 12
{
#line 12
# qualcomm rmnet ioctls
#line 12
0x00006900 0x00006902
#line 12
# socket ioctls
#line 12
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 12
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 12
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 12
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 12
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 12
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 12
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 12
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 12
0x00008991 0x00008992 0x00008993 0x00008994
#line 12
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 12
# device and protocol specific ioctls
#line 12
0x000089f0-0x000089ff
#line 12
0x000089e0-0x000089ef
#line 12
# Wireless extension ioctls
#line 12
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 12
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 12
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 12
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 12
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 12
0x00008b34 0x00008b35 0x00008b36
#line 12
# Dev private ioctl i.e. hardware specific ioctls
#line 12
0x00008be0-0x00008bff
#line 12
};
#line 14
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 14
# deprecated.
#line 14
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 14
allow bluetooth sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 14
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 14
# block_suspend lets the app keep the device awake; together with wake_alarm
# it is one of the only two capability2 bits this domain is permitted to hold
# (see the capability2 neverallow at the end of this file).
#line 14
allow bluetooth self:{ capability2 cap2_userns } block_suspend;
#line 14
# system_suspend permissions
#line 14
#line 14
# Call the server domain and optionally transfer references to it.
#line 14
allow bluetooth system_suspend_server:binder { call transfer };
#line 14
# Allow the serverdomain to transfer references to the client on the reply.
#line 14
allow system_suspend_server bluetooth:binder transfer;
#line 14
# Receive and use open files from the server.
#line 14
allow bluetooth system_suspend_server:fd use;
#line 14
#line 14
allow bluetooth system_suspend_hwservice:hwservice_manager find;
#line 14
# halclientdomain permissions
#line 14
#line 14
# Call the hwservicemanager and transfer references to it.
#line 14
allow bluetooth hwservicemanager:binder { call transfer };
#line 14
# Allow hwservicemanager to send out callbacks
#line 14
allow hwservicemanager bluetooth:binder { call transfer };
#line 14
# hwservicemanager performs getpidcon on clients.
#line 14
# (bluetooth:dir / bluetooth:file here are the process's /proc/<pid> entries,
# needed to read the caller's security context; this is read-only.)
#line 14
allow hwservicemanager bluetooth:dir search;
#line 14
allow hwservicemanager bluetooth:file { read open map };
#line 14
allow hwservicemanager bluetooth:process getattr;
#line 14
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 14
# all domains in domain.te.
#line 14
#line 14
#line 14
allow bluetooth hwservicemanager_prop:file { getattr open read map };
#line 14
#line 14
allow bluetooth hidl_manager_hwservice:hwservice_manager find;
#line 14
# AIDL suspend hal permissions
#line 14
allow bluetooth hal_system_suspend_service:service_manager find;
#line 14
#line 14
# Call the servicemanager and transfer references to it.
#line 14
allow bluetooth servicemanager:binder { call transfer };
#line 14
# Allow servicemanager to send out callbacks
#line 14
allow servicemanager bluetooth:binder { call transfer };
#line 14
# servicemanager performs getpidcon on clients.
#line 14
allow servicemanager bluetooth:dir search;
#line 14
allow servicemanager bluetooth:file { read open };
#line 14
allow servicemanager bluetooth:process getattr;
#line 14
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 14
# all domains in domain.te.
#line 14
#line 14
;
# Data file accesses.
allow bluetooth bluetooth_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow bluetooth bluetooth_data_file:{ file lnk_file sock_file fifo_file } { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } link };
allow bluetooth bluetooth_logs_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow bluetooth bluetooth_logs_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Socket creation under /data/misc/bluedroid.
allow bluetooth bluetooth_socket:sock_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# net_admin is granted again (with net_raw and net_bind_service) in the
# tethering block below; the two rules are redundant but harmless.
allow bluetooth self:{ capability cap_userns } net_admin;
allow bluetooth self:{ capability2 cap2_userns } wake_alarm;
# tethering
# net_raw plus a packet_socket lets the app send/receive raw link-layer
# frames; net_admin plus tun_socket / tun_device lets it create and drive a
# tun interface. These are the capabilities that make this app domain more
# privileged than an ordinary app.
allow bluetooth self:packet_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow bluetooth self:{ capability cap_userns } { net_admin net_raw net_bind_service };
allow bluetooth self:tun_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow bluetooth tun_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Only two ioctls are permitted on /dev/tun (presumably TUNGETIFF and
# TUNSETIFF -- verify the numbers against <linux/if_tun.h> on the target
# kernel).
allowxperm bluetooth tun_device:chr_file ioctl { 0x800454d2 0x400454ca };
allow bluetooth efs_file:dir search;
# allow Bluetooth to access uhid device for HID profile
# Full read/write on uhid_device: no allowxperm filter is applied to its
# ioctls in this section.
allow bluetooth uhid_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow bluetooth gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow bluetooth gpu_device:dir { open getattr read search ioctl lock watch watch_reads };
# proc access.
allow bluetooth proc_bluetooth_writable:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# For Bluetooth to check which profiles are available
allow bluetooth proc_filesystems:file { getattr open read ioctl lock map watch watch_reads };
#line 47
allow bluetooth incremental_prop:file { getattr open read map };
#line 47
# For Bluetooth to check security logging state
#line 50
allow bluetooth device_logging_prop:file { getattr open read map };
#line 50
# Allow write access to bluetooth specific properties
# Each set_prop expansion below grants: connect to init's property socket,
# "set" on the property_service type, and read of the backing property file.
#line 53
#line 53
allow bluetooth property_socket:sock_file write;
#line 53
allow bluetooth init:unix_stream_socket connectto;
#line 53
#line 53
allow bluetooth binder_cache_bluetooth_server_prop:property_service set;
#line 53
#line 53
allow bluetooth binder_cache_bluetooth_server_prop:file { getattr open read map };
#line 53
#line 53
;
# Only bluetooth itself and init may set the binder cache property; any other
# writer would be able to poison values cached by binder clients.
neverallow { domain -bluetooth -init }
binder_cache_bluetooth_server_prop:property_service set;
#line 56
#line 56
allow bluetooth property_socket:sock_file write;
#line 56
allow bluetooth init:unix_stream_socket connectto;
#line 56
#line 56
allow bluetooth bluetooth_a2dp_offload_prop:property_service set;
#line 56
#line 56
allow bluetooth bluetooth_a2dp_offload_prop:file { getattr open read map };
#line 56
#line 56
#line 57
#line 57
allow bluetooth property_socket:sock_file write;
#line 57
allow bluetooth init:unix_stream_socket connectto;
#line 57
#line 57
allow bluetooth bluetooth_audio_hal_prop:property_service set;
#line 57
#line 57
allow bluetooth bluetooth_audio_hal_prop:file { getattr open read map };
#line 57
#line 57
#line 58
#line 58
allow bluetooth property_socket:sock_file write;
#line 58
allow bluetooth init:unix_stream_socket connectto;
#line 58
#line 58
allow bluetooth bluetooth_prop:property_service set;
#line 58
#line 58
allow bluetooth bluetooth_prop:file { getattr open read map };
#line 58
#line 58
#line 59
#line 59
allow bluetooth property_socket:sock_file write;
#line 59
allow bluetooth init:unix_stream_socket connectto;
#line 59
#line 59
allow bluetooth exported_bluetooth_prop:property_service set;
#line 59
#line 59
allow bluetooth exported_bluetooth_prop:file { getattr open read map };
#line 59
#line 59
#line 60
#line 60
allow bluetooth property_socket:sock_file write;
#line 60
allow bluetooth init:unix_stream_socket connectto;
#line 60
#line 60
allow bluetooth pan_result_prop:property_service set;
#line 60
#line 60
allow bluetooth pan_result_prop:file { getattr open read map };
#line 60
#line 60
# Binder services the Bluetooth app may look up. "find" only controls
# discovery; what it can do once connected is governed by the service's own
# permission checks.
allow bluetooth audioserver_service:service_manager find;
allow bluetooth bluetooth_service:service_manager find;
allow bluetooth drmserver_service:service_manager find;
allow bluetooth mediaserver_service:service_manager find;
allow bluetooth radio_service:service_manager find;
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
allow bluetooth network_stack_service:service_manager find;
allow bluetooth system_suspend_control_service:service_manager find;
allow bluetooth hal_audio_service:service_manager find;
# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*.
# Only "read" is granted (no "open"), so bluetooth can consume a descriptor
# handed to it but cannot open shell_data_file on its own.
allow bluetooth shell_data_file:file read;
# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
allow bluetooth self:{ capability cap_userns } sys_nice;
#line 81
# hal_client_domain expansions for the bluetooth, telephony and audio HALs.
# Reviewer note: each expansion also tags the bluetooth app with the HAL
# *server* attribute (hal_bluetooth, hal_telephony, hal_audio) for passthrough
# mode, so any rule written against those attributes elsewhere in the policy
# applies to this app domain as well.
#line 81
typeattribute bluetooth halclientdomain;
#line 81
typeattribute bluetooth hal_bluetooth_client;
#line 81
#line 81
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 81
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 81
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 81
#line 81
typeattribute bluetooth hal_bluetooth;
#line 81
# Find passthrough HAL implementations
#line 81
allow hal_bluetooth system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 81
allow hal_bluetooth vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 81
allow hal_bluetooth vendor_file:file { read open getattr execute map };
#line 81
#line 81
#line 82
typeattribute bluetooth halclientdomain;
#line 82
typeattribute bluetooth hal_telephony_client;
#line 82
#line 82
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 82
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 82
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 82
#line 82
typeattribute bluetooth hal_telephony;
#line 82
# Find passthrough HAL implementations
#line 82
allow hal_telephony system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 82
allow hal_telephony vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 82
allow hal_telephony vendor_file:file { read open getattr execute map };
#line 82
#line 82
# Bluetooth A2DP offload requires binding with audio HAL
#line 85
typeattribute bluetooth halclientdomain;
#line 85
typeattribute bluetooth hal_audio_client;
#line 85
#line 85
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 85
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 85
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 85
#line 85
typeattribute bluetooth hal_audio;
#line 85
# Find passthrough HAL implementations
#line 85
allow hal_audio system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 85
allow hal_audio vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 85
allow hal_audio vendor_file:file { read open getattr execute map };
#line 85
#line 85
#line 87
# Read-only access to the runtime event-log tag table.
allow bluetooth runtime_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads };
#line 87
###
### Neverallow rules
###
### These are things that the bluetooth app should NEVER be able to do
###
# Superuser capabilities.
# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
# Written with the complement operator (~), so every capability bit not
# listed -- e.g. sys_admin, dac_override, setuid -- is forbidden. Any new
# capability grant to this domain must extend these lists, which is the
# intended review gate.
neverallow bluetooth self:{ capability cap_userns } ~{ net_admin net_raw net_bind_service sys_nice};
neverallow bluetooth self:{ capability2 cap2_userns } ~{ wake_alarm block_suspend };
#line 1 "system/sepolicy/private/bluetoothdomain.te"
# Allow clients to use a socket provided by the bluetooth app.
# This covers an already-connected unix stream socket handed over by
# bluetooth; no "create", "bind" or "connectto" is granted, so a client cannot
# initiate such a socket itself.
allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
#line 1 "system/sepolicy/private/bootanim.te"
# bootanim: boot animation daemon, started by init; runs early and needs only
# read access to its configuration plus the ability to publish its status
# property.
typeattribute bootanim coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init bootanim_exec:file { getattr open read execute map };
#line 3
allow init bootanim:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow bootanim bootanim_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init bootanim:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init bootanim:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init bootanim_exec:process bootanim;
#line 3
#line 3
# b/68864350
# dontaudit only suppresses the log entry; the access is still denied.
dontaudit bootanim unlabeled:dir search;
# Bootanim should not be reading default vendor-defined properties.
dontaudit bootanim vendor_default_prop:file read;
# Read ro.boot.bootreason b/30654343
# (bootanim is exempted by name from the read neverallow in bootstat.te.)
#line 12
allow bootanim bootloader_boot_reason_prop:file { getattr open read map };
#line 12
#line 14
allow bootanim bootanim_config_prop:file { getattr open read map };
#line 14
# Allow updating boot animation status.
#line 17
#line 17
allow bootanim property_socket:sock_file write;
#line 17
allow bootanim init:unix_stream_socket connectto;
#line 17
#line 17
allow bootanim bootanim_system_prop:property_service set;
#line 17
#line 17
allow bootanim bootanim_system_prop:file { getattr open read map };
#line 17
#line 17
# Allow accessing /data/misc/bootanim
# Read-only: no write/create permissions are granted on bootanim_data_file.
#line 20
allow bootanim bootanim_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 20
allow bootanim bootanim_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 20
# Allow accessing vendor apex for EGL/GLES
allow bootanim vendor_apex_metadata_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 1 "system/sepolicy/private/bootstat.te"
# bootstat: records boot-time metrics and boot reasons. The boot reason
# properties are sensitive enough that read and write access is locked down
# with explicit neverallow rules at the end of this file.
typeattribute bootstat coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init bootstat_exec:file { getattr open read execute map };
#line 3
allow init bootstat:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow bootstat bootstat_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init bootstat:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init bootstat:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init bootstat_exec:process bootstat;
#line 3
#line 3
# Collect metrics on boot time created by init
#line 6
allow bootstat boottime_prop:file { getattr open read map };
#line 6
# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)
#line 9
#line 9
allow bootstat property_socket:sock_file write;
#line 9
allow bootstat init:unix_stream_socket connectto;
#line 9
#line 9
allow bootstat bootloader_boot_reason_prop:property_service set;
#line 9
#line 9
allow bootstat bootloader_boot_reason_prop:file { getattr open read map };
#line 9
#line 9
#line 10
#line 10
allow bootstat property_socket:sock_file write;
#line 10
allow bootstat init:unix_stream_socket connectto;
#line 10
#line 10
allow bootstat system_boot_reason_prop:property_service set;
#line 10
#line 10
allow bootstat system_boot_reason_prop:file { getattr open read map };
#line 10
#line 10
#line 11
#line 11
allow bootstat property_socket:sock_file write;
#line 11
allow bootstat init:unix_stream_socket connectto;
#line 11
#line 11
allow bootstat last_boot_reason_prop:property_service set;
#line 11
#line 11
allow bootstat last_boot_reason_prop:file { getattr open read map };
#line 11
#line 11
# Readers of the bootloader / last boot reason properties are enumerated
# explicitly; note that platform_app and shell are on the allow-list, so the
# values are not confidential from the shell user.
neverallow {
domain
-bootanim
-bootstat
-dumpstate
-init
-platform_app
-recovery
-shell
-system_server
} { bootloader_boot_reason_prop last_boot_reason_prop }:file { getattr open read ioctl lock map watch watch_reads };
# ... and refine, as these components should not set the last boot reason
neverallow { bootanim recovery } last_boot_reason_prop:file { getattr open read ioctl lock map watch watch_reads };
# Writers are limited to bootstat, init and system_server ...
neverallow {
domain
-bootstat
-init
-system_server
} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
# ... and refine ... for a ro property no less ... keep this _tight_
# (system_server may set last_boot_reason_prop but never the bootloader one.)
neverallow system_server bootloader_boot_reason_prop:property_service set;
#line 1 "system/sepolicy/private/boringssl_self_test.te"
# System and vendor domains for BoringSSL self test binaries.
#
# For FIPS compliance, all processes linked against libcrypto perform a startup
# self test which computes a hash of the BoringSSL Crypto Module (BCM) and, at least once
# per device boot, also run a series of Known Answer Tests (KAT) to verify functionality.
#
# The KATs are expensive, and to ensure they are run as few times as possible, they
# are skipped if a marker file exists in /dev/boringssl/selftest whose name is
# the hash of the BCM that was computed earlier. The files are zero length and their contents
# should never be read or written. To avoid giving arbitrary processes access to /dev/boringssl
# to create these marker files, there are dedicated self test binaries which this policy
# gives access to and which are run during early-init.
#
# Due to build skew, the version of libcrypto in /vendor may have a different hash than
# the system one. To cater for this there are vendor variants of the self test binaries
# which also have permission to write to the same files in /dev/boringssl. In the case where
# vendor and system libcrypto have the same hash, there will be a race to create the file,
# but this is harmless.
#
# If the self tests fail, then the device should reboot into firmware and for this reason
# the system boringssl_self_test domain needs to be in coredomain. As vendor domains
# are not allowed in coredomain, this means that the vendor self tests cannot trigger a
# reboot. However every binary linked against the vendor libcrypto will abort on startup,
# so in practice the device will crash anyway in this unlikely scenario.
# System boringssl_self_test domain
type boringssl_self_test, domain, coredomain;
type boringssl_self_test_exec, system_file_type, exec_type, file_type;
# Vendor boringssl_self_test domain
type vendor_boringssl_self_test, domain;
type vendor_boringssl_self_test_exec, vendor_file_type, exec_type, file_type;
# Switch to boringssl_self_test security domain when running boringssl_self_test_exec
#line 35
#line 35
# Allow the necessary permissions.
#line 35
#line 35
# Old domain may exec the file and transition to the new domain.
#line 35
allow init boringssl_self_test_exec:file { getattr open read execute map };
#line 35
allow init boringssl_self_test:process transition;
#line 35
# New domain is entered by executing the file.
#line 35
allow boringssl_self_test boringssl_self_test_exec:file { entrypoint open read execute getattr map };
#line 35
# New domain can send SIGCHLD to its caller.
#line 35
#line 35
# Enable AT_SECURE, i.e. libc secure mode.
#line 35
dontaudit init boringssl_self_test:process noatsecure;
#line 35
# XXX dontaudit candidate but requires further study.
#line 35
allow init boringssl_self_test:process { siginh rlimitinh };
#line 35
#line 35
# Make the transition occur by default.
#line 35
type_transition init boringssl_self_test_exec:process boringssl_self_test;
#line 35
#line 35
# Switch to vendor_boringssl_self_test security domain when running vendor_boringssl_self_test_exec
#line 38
#line 38
# Allow the necessary permissions.
#line 38
#line 38
# Old domain may exec the file and transition to the new domain.
#line 38
allow init vendor_boringssl_self_test_exec:file { getattr open read execute map };
#line 38
allow init vendor_boringssl_self_test:process transition;
#line 38
# New domain is entered by executing the file.
#line 38
allow vendor_boringssl_self_test vendor_boringssl_self_test_exec:file { entrypoint open read execute getattr map };
#line 38
# New domain can send SIGCHLD to its caller.
#line 38
#line 38
# Enable AT_SECURE, i.e. libc secure mode.
#line 38
dontaudit init vendor_boringssl_self_test:process noatsecure;
#line 38
# XXX dontaudit candidate but requires further study.
#line 38
allow init vendor_boringssl_self_test:process { siginh rlimitinh };
#line 38
#line 38
# Make the transition occur by default.
#line 38
type_transition init vendor_boringssl_self_test_exec:process vendor_boringssl_self_test;
#line 38
#line 38
# Marker files, common to both domains, indicating KAT have been performed on a particular libcrypto
#
# The files are zero length so there is no issue if both vendor and system code
# try to create the same file simultaneously. One will succeed and the other will fail
# silently, i.e. still indicate success. Similar harmless naming collisions will happen in the
# system domain e.g. when system and APEX copies of libcrypto are identical.
type boringssl_self_test_marker, file_type;
# Allow self test binaries to create/check for the existence of boringssl_self_test_marker files
# NOTE(review): the file rule includes unlink/rename, but the directory rule
# grants only add_name and write (no remove_name), so in practice the self
# test domains can create markers yet cannot remove or rename them. That is
# the safe direction: a marker can only ever be added by a successful run.
allow { boringssl_self_test vendor_boringssl_self_test }
boringssl_self_test_marker:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow { boringssl_self_test vendor_boringssl_self_test }
boringssl_self_test_marker:dir { { open getattr read search ioctl lock watch watch_reads } add_name write };
# Allow self test binaries to write their stdout/stderr messages to kmsg_debug
allow { boringssl_self_test vendor_boringssl_self_test }
kmsg_debug_device:chr_file { { open append write lock map } getattr ioctl };
# No other process should be able to create marker files because their existence causes the
# boringssl KAT to be skipped.
# init and vendor_init are exempted from both rules below, so the marker
# integrity guarantee rests on those two domains not creating marker files
# themselves (e.g. through an init.rc "write" or "mkdir" action).
neverallow {
domain
-vendor_boringssl_self_test
-boringssl_self_test
-init
-vendor_init
} boringssl_self_test_marker:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow {
domain
-vendor_boringssl_self_test
-boringssl_self_test
-init
-vendor_init
} boringssl_self_test_marker:dir write;
#line 1 "system/sepolicy/private/bpfdomain.te"
# platform should have ownership of network attachpoints for BPF
# Among domains that use BPF, only the listed platform domains may hold
# net_admin / net_raw (the capabilities needed to attach programs to network
# hooks). This restricts bpfdomain members only; non-BPF domains are
# governed elsewhere.
neverallow {
bpfdomain
-bpfloader
-netd
-netutils_wrapper
-network_stack
-system_server
} self:{ capability cap_userns } { net_admin net_raw };
# any domain which uses bpf is a bpfdomain
# Enforced as a neverallow over the whole bpf class, so a domain cannot be
# granted bpf permissions without also being tagged bpfdomain.
neverallow { domain -bpfdomain } *:bpf *;
allow bpfdomain fs_bpf:dir search;
# genfscon doesn't seem to trigger during symlink creation,
# and thus any created symlinks end up as 'fs_bpf:lnk_type',
# however this feels like a kernel bug / missing feature,
# so let's allow all bpffs_type's instead,
# this will keep things working even if this is fixed.
allow bpfdomain bpffs_type:lnk_file read;
# Needed for //frameworks/libs/net:
# common/native/bpf_headers/include/bpf/WaitForProgsLoaded.h
#line 25
allow bpfdomain bpf_progs_loaded_prop:file { getattr open read map };
#line 25
#line 1 "system/sepolicy/private/bpfloader.te"
# bpfloader: one-shot early-boot process that loads and pins the platform's
# eBPF maps and programs. It is the only domain allowed to create maps, load
# programs or create/open/map files under bpffs (see the neverallow section).
type bpfloader_exec, system_file_type, exec_type, file_type;
typeattribute bpfloader bpfdomain;
# allow bpfloader to write to the kernel log (starts early)
allow bpfloader kmsg_device:chr_file { open append write lock map };
# These permissions are required to pin ebpf maps & programs.
allow bpfloader bpffs_type:dir { add_name create remove_name search write };
allow bpfloader bpffs_type:file { create getattr read rename setattr };
allow bpfloader bpffs_type:lnk_file { create getattr read };
allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;
# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
# sys_admin is a broad capability; the compensating controls are the
# neverallow rules below: no TCP/UDP/raw sockets, no ptrace into bpfloader,
# and only init may execute bpfloader_exec.
allow bpfloader self:capability { chown sys_admin net_admin };
allow bpfloader sysfs_fs_fuse_bpf:file { getattr open read ioctl lock map watch watch_reads };
allow bpfloader proc_bpf:file { open append write lock map };
#line 23
#line 23
allow bpfloader property_socket:sock_file write;
#line 23
allow bpfloader init:unix_stream_socket connectto;
#line 23
#line 23
allow bpfloader bpf_progs_loaded_prop:property_service set;
#line 23
#line 23
allow bpfloader bpf_progs_loaded_prop:file { getattr open read map };
#line 23
#line 23
allow bpfloader bpfloader_exec:file execute_no_trans;
###
### Neverallow rules
###
# Note: we don't care about getattr/mounton/search
# Consumers of pinned objects may only getattr/read (and, for the listed
# domains, write) them; create/open/map/rename/setattr stay with bpfloader.
neverallow { domain } bpffs_type:dir ~{ add_name create getattr mounton remove_name search write };
neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
neverallow { domain } bpffs_type:file ~{ create getattr map open read rename setattr write };
neverallow { domain -bpfloader } bpffs_type:file { create map open rename setattr };
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server } fs_bpf:file { getattr read };
neverallow { domain -bpfloader } fs_bpf_loader:file { getattr read };
neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file { getattr read };
neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file { getattr read };
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file { getattr read };
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file { getattr read };
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file { getattr read };
neverallow { domain -bpfloader -uprobestats } fs_bpf_uprobestats:file { getattr read };
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server -uprobestats } { bpffs_type -fs_bpf_vendor }:file write;
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
# Map creation and program loading are reserved for bpfloader system-wide.
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
# 'fs_bpf_loader' is for internal use of the BpfLoader oneshot boot time process.
neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
neverallow { domain -bpfloader } fs_bpf_loader:file *;
neverallow {
domain
-bpfloader
-gpuservice
-hal_health_server
-mediaprovider_app
-netd
-netutils_wrapper
-network_stack
-system_server
-uprobestats
} *:bpf prog_run;
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server -uprobestats } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow { coredomain -bpfloader -netd -netutils_wrapper } fs_bpf_vendor:file *;
# bpfloader has no business on the network; deny every socket permission.
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
# No domain should be allowed to ptrace bpfloader
neverallow { domain } bpfloader:process ptrace;
neverallow { domain -bpfloader } proc_bpf:file write;
#line 1 "system/sepolicy/private/bufferhubd.te"
# bufferhubd is a system-image (coredomain) daemon; the bufferhubd and
# bufferhubd_exec types themselves are not declared in this section.
typeattribute bufferhubd coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# The rules below are a macro expansion (every `#line 3` marker maps them back
# to line 3 of bufferhubd.te): init execs bufferhubd_exec and lands in bufferhubd.
# Old domain may exec the file and transition to the new domain.
#line 3
allow init bufferhubd_exec:file { getattr open read execute map };
#line 3
allow init bufferhubd:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow bufferhubd bufferhubd_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
# (No sigchld rule is emitted in this expansion; presumably granted toward init elsewhere.)
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init bufferhubd:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init bufferhubd:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init bufferhubd_exec:process bufferhubd;
#line 3
#line 3
#line 1 "system/sepolicy/private/cameraserver.te"
# cameraserver: a coredomain daemon that also carries the
# camera_service_server attribute.
typeattribute cameraserver coredomain;
typeattribute cameraserver camera_service_server;
#line 5
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Macro expansion mapped to line 5 of cameraserver.te: init execs
# cameraserver_exec and transitions into cameraserver.
# Old domain may exec the file and transition to the new domain.
#line 5
allow init cameraserver_exec:file { getattr open read execute map };
#line 5
allow init cameraserver:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow cameraserver cameraserver_exec:file { entrypoint open read execute getattr map };
#line 5
# New domain can send SIGCHLD to its caller.
# (No sigchld rule is emitted in this expansion.)
#line 5
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init cameraserver:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init cameraserver:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition init cameraserver_exec:process cameraserver;
#line 5
#line 5
#line 6
# Files cameraserver creates on tmpfs are labelled cameraserver_tmpfs, and only
# read/write/getattr/map are granted on them (no open), keeping them private
# to already-open descriptors.
type_transition cameraserver tmpfs:file cameraserver_tmpfs;
#line 6
allow cameraserver cameraserver_tmpfs:file { read write getattr map };
#line 6
# Direct GPU device access: read/write on the char device, read-only on its directory.
allow cameraserver gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow cameraserver gpu_device:dir { open getattr read search ioctl lock watch watch_reads };
# Binder call into virtual_camera; no transfer permission is granted here.
allow cameraserver virtual_camera:binder call;
#line 1 "system/sepolicy/private/canhalconfigurator.te"
# System-image tool that configures the CAN HAL controller; its domain and
# executable type are declared here.
type canhalconfigurator, domain, coredomain;
type canhalconfigurator_exec, exec_type, system_file_type, file_type;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Macro expansion mapped to line 3 of canhalconfigurator.te: init execs
# canhalconfigurator_exec and transitions into canhalconfigurator.
# Old domain may exec the file and transition to the new domain.
#line 3
allow init canhalconfigurator_exec:file { getattr open read execute map };
#line 3
allow init canhalconfigurator:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow canhalconfigurator canhalconfigurator_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
# (No sigchld rule is emitted in this expansion.)
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init canhalconfigurator:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init canhalconfigurator:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init canhalconfigurator_exec:process canhalconfigurator;
#line 3
#line 3
# This allows the configurator to look up the CAN HAL controller via
# hwservice_manager and communicate with it.
#line 7
# HAL-client expansion mapped to line 7: the domain becomes a generic HAL client
# and a client of the CAN controller HAL specifically.
typeattribute canhalconfigurator halclientdomain;
#line 7
typeattribute canhalconfigurator hal_can_controller_client;
#line 7
#line 7
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 7
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 7
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 7
#line 7
# Passthrough support: the client is also given the *server* attribute, so every
# hal_can_controller rule (including the three below) applies to
# canhalconfigurator as well.
typeattribute canhalconfigurator hal_can_controller;
#line 7
# Find passthrough HAL implementations
#line 7
allow hal_can_controller system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 7
allow hal_can_controller vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 7
allow hal_can_controller vendor_file:file { read open getattr execute map };
#line 7
#line 7
#line 9
# Binder plumbing with servicemanager in both directions, plus the getpidcon
# lookups servicemanager performs on its clients.
# Call the servicemanager and transfer references to it.
#line 9
allow canhalconfigurator servicemanager:binder { call transfer };
#line 9
# Allow servicemanager to send out callbacks
#line 9
allow servicemanager canhalconfigurator:binder { call transfer };
#line 9
# servicemanager performs getpidcon on clients.
#line 9
allow servicemanager canhalconfigurator:dir search;
#line 9
allow servicemanager canhalconfigurator:file { read open };
#line 9
allow servicemanager canhalconfigurator:process getattr;
#line 9
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 9
# all domains in domain.te.
#line 9
#line 10
# Binder expansion mapped to line 10. As written, hal_can_controller is the
# caller and canhalconfigurator the callee: the controller may call/transfer to
# the configurator and use its fds, and the configurator may transfer back on
# the reply. Because canhalconfigurator also carries the hal_can_controller
# attribute (above), these rules apply with it as the source too.
# Call the server domain and optionally transfer references to it.
#line 10
allow hal_can_controller canhalconfigurator:binder { call transfer };
#line 10
# Allow the serverdomain to transfer references to the client on the reply.
#line 10
allow canhalconfigurator hal_can_controller:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow hal_can_controller canhalconfigurator:fd use;
#line 10
#line 1 "system/sepolicy/private/charger.te"
# The system-image charger domain. Rules keyed on the charger_type attribute
# (shared with the vendor charger) live in charger_type.te, the next section.
typeattribute charger coredomain;
# charger needs to tell init to continue the boot
# process when running in charger mode.
# The system charger needs to be allowed to set these properties on legacy devices.
#line 6
#line 6
# Three property-set expansions follow (lines 6-8 of charger.te), one per
# property type. Each repeats the property_socket write and the connect to
# init's socket; the duplicates are harmless.
allow charger property_socket:sock_file write;
#line 6
allow charger init:unix_stream_socket connectto;
#line 6
#line 6
allow charger system_prop:property_service set;
#line 6
#line 6
allow charger system_prop:file { getattr open read map };
#line 6
#line 6
#line 7
#line 7
allow charger property_socket:sock_file write;
#line 7
allow charger init:unix_stream_socket connectto;
#line 7
#line 7
allow charger exported_system_prop:property_service set;
#line 7
#line 7
allow charger exported_system_prop:file { getattr open read map };
#line 7
#line 7
#line 8
#line 8
allow charger property_socket:sock_file write;
#line 8
allow charger init:unix_stream_socket connectto;
#line 8
#line 8
allow charger exported3_system_prop:property_service set;
#line 8
#line 8
allow charger exported3_system_prop:file { getattr open read map };
#line 8
#line 8
# The system charger can read ro.charger.*
#line 11
allow charger charger_prop:file { getattr open read map };
#line 11
# The marked block below is extracted by CTS and checked against vendor policy:
# no domain other than init, dumpstate and charger may access charger_prop
# files in any way (the permission set covers write-class and read-class
# permissions alike).
# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 13
#line 13
neverallow {
#line 13
domain
#line 13
-init
#line 13
-dumpstate
#line 13
-charger
#line 13
} charger_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
#line 13
# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 20
#line 1 "system/sepolicy/private/charger_type.te"
# Rules keyed on the charger_type attribute, i.e. shared by every charger
# implementation that carries it.
# charger needs to tell init to continue the boot
# process when running in charger mode.
#line 3
#line 3
# Property-set expansion (line 3): charger_type may set charger_status_prop.
allow charger_type property_socket:sock_file write;
#line 3
allow charger_type init:unix_stream_socket connectto;
#line 3
#line 3
allow charger_type charger_status_prop:property_service set;
#line 3
#line 3
allow charger_type charger_status_prop:file { getattr open read map };
#line 3
#line 3
#line 4
# charger_config_prop is read-only for charger_type (see the neverallow below).
allow charger_type charger_config_prop:file { getattr open read map };
#line 4
# get minui properties
#line 7
allow charger_type recovery_config_prop:file { getattr open read map };
#line 7
### Neverallow rules for charger properties
# charger_config_prop: only init and vendor_init are allowed to set it; every
# other domain, the charger domains included, is barred.
neverallow {
domain
-init
-vendor_init
} charger_config_prop:property_service set;
# charger_status_prop: only init, vendor_init, charger, and charger_vendor
# are allowed to set it
neverallow {
domain
-init
-vendor_init
-charger
-charger_vendor
} charger_status_prop:property_service set;
# Both charger_config_prop and charger_status_prop:
# only init, vendor_init, dumpstate, charger, and charger_vendor
# are allowed to read them (the permission set below covers all file
# access, write-class and read-class).
neverallow {
domain
-init
-dumpstate
-vendor_init
-charger
-charger_vendor
} { charger_config_prop charger_status_prop }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 1 "system/sepolicy/private/clatd.te"
# 464xlat daemon
type clatd, domain, coredomain;
type clatd_exec, system_file_type, exec_type, file_type;
#line 5
# Expansion of line 5: clatd gets the network-domain attribute.
typeattribute clatd netdomain;
#line 5
# Access objects inherited from system_server.
# No socket-creation rule appears in this section: clatd only reads and writes
# the packet and raw IP sockets that system_server hands it over inherited fds.
allow clatd system_server:fd use;
allow clatd system_server:packet_socket { read write };
allow clatd system_server:rawip_socket { read write };
# Read/write access to the tun character device.
allow clatd tun_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 1 "system/sepolicy/private/compos_fd_server.te"
# Make ART inputs and outputs available to the CompOS VM
# The domain is entered only from composd (neverallow rules at the end); the
# exec type (fd_server_exec) and the transition rules are set up in composd.te.
type compos_fd_server, domain, coredomain;
# Allow access to open fds inherited from composd
allow compos_fd_server composd:fd use;
# Allow creating new files and directories in the staging directory.
# Full create/rename/unlink plus read-write access on the staging tree.
allow compos_fd_server apex_art_staging_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow compos_fd_server apex_art_staging_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow creating new files and directories in the artifacts directory.
# Note this domain, not composd, is the one permitted to create artifact files.
allow compos_fd_server apex_art_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow compos_fd_server apex_art_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Use a pipe to signal readiness
allow compos_fd_server composd:fifo_file write;
# TODO(b/196109647) - remove this when no longer needed by minijail
allow compos_fd_server composd:fifo_file read;
# Create a listening vsock for the VM to connect back to
allow compos_fd_server self:vsock_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } listen accept };
# Only composd can enter the domain via exec
# Entry lock-down: exec transition only from composd, and no dyntransition
# (setcon) into the domain from anywhere.
neverallow { domain -composd } compos_fd_server:process transition;
neverallow * compos_fd_server:process dyntransition;
#line 1 "system/sepolicy/private/compos_verify.te"
# Run by odsign to verify a CompOS signature
type compos_verify, domain, coredomain;
type compos_verify_exec, exec_type, file_type, system_file_type;
# Start a VM
#line 6
# Binder plumbing with servicemanager (expansion mapped to line 6 of compos_verify.te).
# Call the servicemanager and transfer references to it.
#line 6
allow compos_verify servicemanager:binder { call transfer };
#line 6
# Allow servicemanager to send out callbacks
#line 6
allow servicemanager compos_verify:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
#line 6
allow servicemanager compos_verify:dir search;
#line 6
allow servicemanager compos_verify:file { read open };
#line 6
allow servicemanager compos_verify:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6
# The bare `;` below carries no rule; presumably a trailing semicolon after a
# macro invocation in the source .te (the next expansion ends the same way).
;
#line 7
# Transition to virtualizationmanager when the client executes it.
#line 7
#line 7
# Allow the necessary permissions.
#line 7
#line 7
# Old domain may exec the file and transition to the new domain.
#line 7
allow compos_verify virtualizationmanager_exec:file { getattr open read execute map };
#line 7
allow compos_verify virtualizationmanager:process transition;
#line 7
# New domain is entered by executing the file.
#line 7
allow virtualizationmanager virtualizationmanager_exec:file { entrypoint open read execute getattr map };
#line 7
# New domain can send SIGCHLD to its caller.
#line 7
allow virtualizationmanager compos_verify:process sigchld;
#line 7
# Enable AT_SECURE, i.e. libc secure mode.
#line 7
dontaudit compos_verify virtualizationmanager:process noatsecure;
#line 7
# XXX dontaudit candidate but requires further study.
#line 7
allow compos_verify virtualizationmanager:process { siginh rlimitinh };
#line 7
#line 7
# Make the transition occur by default.
#line 7
type_transition compos_verify virtualizationmanager_exec:process virtualizationmanager;
#line 7
#line 7
# Allow virtualizationmanager to communicate over UDS with the client.
#line 7
allow { virtualizationmanager crosvm } compos_verify:unix_stream_socket { ioctl getattr read write };
#line 7
# Let the client pass file descriptors to virtualizationmanager and on to crosvm.
#line 7
allow { virtualizationmanager crosvm } compos_verify:fd use;
#line 7
# Let the client use file descriptors created by virtualizationmanager.
#line 7
allow compos_verify virtualizationmanager:fd use;
#line 7
# Allow piping console log to the client
#line 7
allow { virtualizationmanager crosvm } compos_verify:fifo_file { ioctl getattr read write };
#line 7
# Allow client to read/write vsock created by virtualizationmanager to communicate with the VM
#line 7
# that it created. Notice that we do not grant permission to create a vsock;
#line 7
# the client can only connect to VMs that it owns.
#line 7
allow compos_verify virtualizationmanager:vsock_socket { getattr getopt read write };
#line 7
# Allow client to inspect hypervisor capabilities
#line 7
#line 7
allow compos_verify hypervisor_prop:file { getattr open read map };
#line 7
#line 7
# Allow client to read (but not open) the crashdump provided by virtualizationmanager
#line 7
allow compos_verify virtualizationservice_data_file:file { getattr read };
#line 7
;
# Read instance image & write VM logs
# apex_module_data_file: search only (path traversal); the CompOS data
# directory and its files get read-write plus file creation.
allow compos_verify apex_module_data_file:dir search;
allow compos_verify apex_compos_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow compos_verify apex_compos_data_file:file { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } create };
# Read CompOS info & signature files
# Read-only on ART artifacts: the verifier never modifies what it checks.
allow compos_verify apex_art_data_file:dir search;
allow compos_verify apex_art_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow odsign to redirect our stdout/stderr to log
allow compos_verify odsign:fd use;
allow compos_verify odsign_devpts:chr_file { read write };
# Only odsign can enter the domain via exec
# Entry lock-down: exec transition only from odsign, and no dyntransition
# (setcon) into the domain from anywhere.
neverallow { domain -odsign } compos_verify:process transition;
neverallow * compos_verify:process dyntransition;
#line 1 "system/sepolicy/private/composd.te"
# composd: system-image daemon that drives CompOS compilation. It hosts the
# compos_service binder service, starts the VM via virtualizationmanager and
# spawns compos_fd_server to expose files to the VM.
type composd, domain, coredomain;
type composd_exec, system_file_type, exec_type, file_type;
# Host dynamic AIDL services
#line 5
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Macro expansion mapped to line 5 of composd.te: init execs composd_exec and
# transitions into composd.
# Old domain may exec the file and transition to the new domain.
#line 5
allow init composd_exec:file { getattr open read execute map };
#line 5
allow init composd:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow composd composd_exec:file { entrypoint open read execute getattr map };
#line 5
# New domain can send SIGCHLD to its caller.
# (No sigchld rule is emitted in this expansion.)
#line 5
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init composd:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init composd:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition init composd_exec:process composd;
#line 5
#line 5
#line 6
# Binder plumbing with servicemanager (expansion mapped to line 6).
# Call the servicemanager and transfer references to it.
#line 6
allow composd servicemanager:binder { call transfer };
#line 6
# Allow servicemanager to send out callbacks
#line 6
allow servicemanager composd:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
#line 6
allow servicemanager composd:dir search;
#line 6
allow servicemanager composd:file { read open };
#line 6
allow servicemanager composd:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6
#line 7
# composd registers compos_service and is the only domain allowed to do so.
allow composd compos_service:service_manager { add find };
#line 7
neverallow { domain -composd } compos_service:service_manager add;
#line 7
#line 7
# On debug builds with root, allow binder services to use binder over TCP.
#line 7
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 7
# (No rule follows in this configuration; the debug-only grant is presumably
# compiled out of this build.)
#line 7
# Call back into system server
#line 10
# Binder expansion mapped to line 10: composd calls system_server and may
# transfer to it; system_server may transfer back on the reply; composd may use
# fds received from system_server.
# Call the server domain and optionally transfer references to it.
#line 10
allow composd system_server:binder { call transfer };
#line 10
# Allow the serverdomain to transfer references to the client on the reply.
#line 10
allow system_server composd:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow composd system_server:fd use;
#line 10
# Start a VM
#line 13
# VM-client expansion mapped to line 13 (same shape as in compos_verify.te).
# Transition to virtualizationmanager when the client executes it.
#line 13
#line 13
# Allow the necessary permissions.
#line 13
#line 13
# Old domain may exec the file and transition to the new domain.
#line 13
allow composd virtualizationmanager_exec:file { getattr open read execute map };
#line 13
allow composd virtualizationmanager:process transition;
#line 13
# New domain is entered by executing the file.
#line 13
allow virtualizationmanager virtualizationmanager_exec:file { entrypoint open read execute getattr map };
#line 13
# New domain can send SIGCHLD to its caller.
#line 13
allow virtualizationmanager composd:process sigchld;
#line 13
# Enable AT_SECURE, i.e. libc secure mode.
#line 13
dontaudit composd virtualizationmanager:process noatsecure;
#line 13
# XXX dontaudit candidate but requires further study.
#line 13
allow composd virtualizationmanager:process { siginh rlimitinh };
#line 13
#line 13
# Make the transition occur by default.
#line 13
type_transition composd virtualizationmanager_exec:process virtualizationmanager;
#line 13
#line 13
# Allow virtualizationmanager to communicate over UDS with the client.
#line 13
allow { virtualizationmanager crosvm } composd:unix_stream_socket { ioctl getattr read write };
#line 13
# Let the client pass file descriptors to virtualizationmanager and on to crosvm.
#line 13
allow { virtualizationmanager crosvm } composd:fd use;
#line 13
# Let the client use file descriptors created by virtualizationmanager.
#line 13
allow composd virtualizationmanager:fd use;
#line 13
# Allow piping console log to the client
#line 13
allow { virtualizationmanager crosvm } composd:fifo_file { ioctl getattr read write };
#line 13
# Allow client to read/write vsock created by virtualizationmanager to communicate with the VM
#line 13
# that it created. Notice that we do not grant permission to create a vsock;
#line 13
# the client can only connect to VMs that it owns.
#line 13
allow composd virtualizationmanager:vsock_socket { getattr getopt read write };
#line 13
# Allow client to inspect hypervisor capabilities
#line 13
#line 13
allow composd hypervisor_prop:file { getattr open read map };
#line 13
#line 13
# Allow client to read (but not open) the crashdump provided by virtualizationmanager
#line 13
allow composd virtualizationservice_data_file:file { getattr read };
#line 13
# Prepare staging directory for odrefresh
# Directory-level relabel: artifacts dir may be relabelled away from
# (relabelfrom), staging dir may be relabelled into (relabelto). On staging
# files composd may only stat and delete.
allow composd apex_art_data_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelfrom };
allow composd apex_art_staging_data_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelto };
allow composd apex_art_staging_data_file:file { getattr unlink };
# Delete files or enable fs-verity in the odrefresh target directory
# Existing artifact files: open/read/write/unlink plus a single ioctl; creation
# is deliberately withheld (neverallow at the end of this section).
allow composd apex_art_data_file:file { open ioctl read unlink write };
# 0x6685 is the low 16 bits of FS_IOC_ENABLE_VERITY, matching the fs-verity
# intent stated above; no other ioctl is permitted on these files.
allowxperm composd apex_art_data_file:file ioctl 0x6685;
# Access our APEX data files
allow composd apex_module_data_file:dir search;
allow composd apex_compos_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow composd apex_compos_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Run fd_server in its own domain, and send SIGTERM when finished.
#line 30
# Transition expansion mapped to line 30: composd execs fd_server_exec and the
# child lands in compos_fd_server (the only entry path that domain permits).
# Allow the necessary permissions.
#line 30
#line 30
# Old domain may exec the file and transition to the new domain.
#line 30
allow composd fd_server_exec:file { getattr open read execute map };
#line 30
allow composd compos_fd_server:process transition;
#line 30
# New domain is entered by executing the file.
#line 30
allow compos_fd_server fd_server_exec:file { entrypoint open read execute getattr map };
#line 30
# New domain can send SIGCHLD to its caller.
#line 30
allow compos_fd_server composd:process sigchld;
#line 30
# Enable AT_SECURE, i.e. libc secure mode.
#line 30
dontaudit composd compos_fd_server:process noatsecure;
#line 30
# XXX dontaudit candidate but requires further study.
#line 30
allow composd compos_fd_server:process { siginh rlimitinh };
#line 30
#line 30
# Make the transition occur by default.
#line 30
type_transition composd fd_server_exec:process compos_fd_server;
#line 30
# `signal` (not `kill`/`sigkill`) is what the SIGTERM above needs.
allow composd compos_fd_server:process signal;
# Read properties used to configure the CompOS VM
#line 34
allow composd composd_vm_art_prop:file { getattr open read map };
#line 34
#line 35
allow composd composd_vm_vendor_prop:file { getattr open read map };
#line 35
# Read ART's properties
#line 38
allow composd dalvik_config_prop_type:file { getattr open read map };
#line 38
#line 39
allow composd device_config_runtime_native_boot_prop:file { getattr open read map };
#line 39
# We never create any artifact files directly
# Complements the `write`-but-not-`create` grant above; artifact creation is
# left to compos_fd_server.
neverallow composd apex_art_data_file:file create;
# ART sets these properties via init script, nothing else should
neverallow { domain -init } composd_vm_art_prop:property_service set;
#line 1 "system/sepolicy/private/coredomain.te"
# Rules applied to every coredomain (system-image) process. The first part is a
# list of read-only property grants (one expansion per line 1-30 of
# coredomain.te); the rest are neverallow rules that enforce system/vendor
# separation. Blocks bracketed by BEGIN_/END_TREBLE_ONLY are extracted by CTS
# and checked against vendor policy, so the marker lines must stay as they are.
#line 1
allow coredomain apex_ready_prop:file { getattr open read map };
#line 1
#line 2
allow coredomain boot_status_prop:file { getattr open read map };
#line 2
#line 3
allow coredomain camera_config_prop:file { getattr open read map };
#line 3
#line 4
allow coredomain dalvik_config_prop_type:file { getattr open read map };
#line 4
#line 5
allow coredomain dalvik_runtime_prop:file { getattr open read map };
#line 5
#line 6
allow coredomain exported_pm_prop:file { getattr open read map };
#line 6
#line 7
allow coredomain ffs_config_prop:file { getattr open read map };
#line 7
#line 8
allow coredomain graphics_config_prop:file { getattr open read map };
#line 8
#line 9
allow coredomain graphics_config_writable_prop:file { getattr open read map };
#line 9
#line 10
allow coredomain hdmi_config_prop:file { getattr open read map };
#line 10
#line 11
allow coredomain init_service_status_private_prop:file { getattr open read map };
#line 11
#line 12
allow coredomain lmkd_config_prop:file { getattr open read map };
#line 12
#line 13
allow coredomain localization_prop:file { getattr open read map };
#line 13
#line 14
allow coredomain pm_prop:file { getattr open read map };
#line 14
#line 15
allow coredomain radio_control_prop:file { getattr open read map };
#line 15
#line 16
allow coredomain rollback_test_prop:file { getattr open read map };
#line 16
#line 17
allow coredomain setupwizard_prop:file { getattr open read map };
#line 17
#line 18
allow coredomain setupwizard_mode_prop:file { getattr open read map };
#line 18
#line 19
allow coredomain sqlite_log_prop:file { getattr open read map };
#line 19
#line 20
allow coredomain storagemanager_config_prop:file { getattr open read map };
#line 20
#line 21
allow coredomain surfaceflinger_color_prop:file { getattr open read map };
#line 21
#line 22
allow coredomain systemsound_config_prop:file { getattr open read map };
#line 22
#line 23
allow coredomain telephony_config_prop:file { getattr open read map };
#line 23
#line 24
allow coredomain usb_config_prop:file { getattr open read map };
#line 24
#line 25
allow coredomain usb_control_prop:file { getattr open read map };
#line 25
#line 26
allow coredomain userspace_reboot_config_prop:file { getattr open read map };
#line 26
#line 27
allow coredomain vold_config_prop:file { getattr open read map };
#line 27
#line 28
allow coredomain vts_status_prop:file { getattr open read map };
#line 28
#line 29
allow coredomain zygote_config_prop:file { getattr open read map };
#line 29
#line 30
allow coredomain zygote_wrap_prop:file { getattr open read map };
#line 30
# TODO(b/170590987): remove this after cleaning up default_prop
#line 33
allow coredomain default_prop:file { getattr open read map };
#line 33
# sysfs_leds: no coredomain may touch these files except the four listed.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 35
#line 35
neverallow {
#line 35
coredomain
#line 35
#line 35
# for chowning
#line 35
-init
#line 35
#line 35
# generic access to sysfs_type
#line 35
-apexd
#line 35
-ueventd
#line 35
-vold
#line 35
} sysfs_leds:file *;
#line 35
#line 35
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 47
# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few allowlisted coredomains to keep system/vendor separation.
# Four marked blocks follow: /vendor/app (dir, then file) and /vendor/overlay
# (dir, then file). The exception lists are similar but not identical
# (e.g. profman and mediaserver appear only in the /vendor/app file rule), so
# compare them carefully before editing the source .te.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 51
#line 51
# Limit access to /vendor/app
#line 51
neverallow {
#line 51
coredomain
#line 51
-appdomain
#line 51
-artd
#line 51
-dex2oat
#line 51
-dexoptanalyzer
#line 51
-idmap
#line 51
-init
#line 51
-installd
#line 51
-heapprofd
#line 51
-postinstall_dexopt
#line 51
-rs # spawned by appdomain, so carryover the exception above
#line 51
-system_server
#line 51
-traced_perf
#line 51
} vendor_app_file:dir { open read getattr search };
#line 51
#line 51
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 68
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 70
#line 70
neverallow {
#line 70
coredomain
#line 70
-appdomain
#line 70
-artd
#line 70
-dex2oat
#line 70
-dexoptanalyzer
#line 70
-idmap
#line 70
-init
#line 70
-installd
#line 70
-heapprofd
#line 70
#line 70
-postinstall_dexopt
#line 70
-profman
#line 70
-rs # spawned by appdomain, so carryover the exception above
#line 70
#line 70
-system_server
#line 70
-traced_perf
#line 70
-mediaserver
#line 70
} vendor_app_file:file { getattr open read ioctl lock map watch watch_reads };
#line 70
#line 70
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 90
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 92
#line 92
# Limit access to /vendor/overlay
#line 92
neverallow {
#line 92
coredomain
#line 92
-appdomain
#line 92
-artd
#line 92
-dex2oat
#line 92
-dexoptanalyzer
#line 92
-idmap
#line 92
-init
#line 92
-installd
#line 92
-postinstall_dexopt
#line 92
-rs # spawned by appdomain, so carryover the exception above
#line 92
-system_server
#line 92
-traced_perf
#line 92
-app_zygote
#line 92
-webview_zygote
#line 92
-zygote
#line 92
-heapprofd
#line 92
} vendor_overlay_file:dir { getattr open read search };
#line 92
#line 92
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 112
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 114
#line 114
neverallow {
#line 114
coredomain
#line 114
-appdomain
#line 114
-artd
#line 114
-dex2oat
#line 114
-dexoptanalyzer
#line 114
-idmap
#line 114
-init
#line 114
-installd
#line 114
-postinstall_dexopt
#line 114
-rs # spawned by appdomain, so carryover the exception above
#line 114
-system_server
#line 114
-traced_perf
#line 114
-app_zygote
#line 114
-webview_zygote
#line 114
-zygote
#line 114
-heapprofd
#line 114
#line 114
#line 114
} vendor_overlay_file:file open;
#line 114
#line 114
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 135
# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
# The block below bars coredomain from files carrying the generic label of each
# kernel filesystem (proc, sysfs, device, debugfs, tracefs, inotify, pstore,
# configfs, functionfs, usbfs/binfmt_misc) and from dmabuf heap devices other
# than the two system heaps. The permission set is the full write-class set
# plus open/read/ioctl/lock/watch*. Runs of consecutive `#line 140` markers
# with no rule between them presumably mark build-conditional exceptions that
# are compiled out of this configuration.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 140
#line 140
# /proc
#line 140
neverallow {
#line 140
coredomain
#line 140
-init
#line 140
-vold
#line 140
} proc:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 140
#line 140
# /sys
#line 140
neverallow {
#line 140
coredomain
#line 140
-apexd
#line 140
-init
#line 140
-ueventd
#line 140
#line 140
-vold
#line 140
} sysfs:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 140
#line 140
# /dev
#line 140
neverallow {
#line 140
coredomain
#line 140
-apexd
#line 140
-fsck
#line 140
-init
#line 140
-ueventd
#line 140
} device:{ blk_file file } { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 140
#line 140
# debugfs
#line 140
neverallow {
#line 140
coredomain
#line 140
#line 140
-dumpstate
#line 140
-init
#line 140
-system_server
#line 140
#line 140
} debugfs:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 140
#line 140
# tracefs
#line 140
neverallow {
#line 140
coredomain
#line 140
-atrace
#line 140
-dumpstate
#line 140
-gpuservice
#line 140
-init
#line 140
-traced_perf
#line 140
-traced_probes
#line 140
-shell
#line 140
-system_server
#line 140
-traceur_app
#line 140
#line 140
#line 140
} debugfs_tracing:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 140
#line 140
# inotifyfs
#line 140
neverallow {
#line 140
coredomain
#line 140
-init
#line 140
} inotify:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 140
#line 140
# pstorefs
#line 140
neverallow {
#line 140
coredomain
#line 140
-bootstat
#line 140
-charger
#line 140
-dumpstate
#line 140
#line 140
-init
#line 140
-logd
#line 140
-logpersist
#line 140
-recovery_persist
#line 140
-recovery_refresh
#line 140
-shell
#line 140
-system_server
#line 140
} pstorefs:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 140
#line 140
# configfs
#line 140
neverallow {
#line 140
coredomain
#line 140
-init
#line 140
-system_server
#line 140
} configfs:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 140
#line 140
# functionfs
#line 140
neverallow {
#line 140
coredomain
#line 140
-adbd
#line 140
-init
#line 140
-mediaprovider
#line 140
-system_server
#line 140
} functionfs:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 140
#line 140
# usbfs and binfmt_miscfs
#line 140
neverallow {
#line 140
coredomain
#line 140
-init
#line 140
}{ usbfs binfmt_miscfs }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 140
#line 140
# dmabuf heaps
#line 140
neverallow {
#line 140
coredomain
#line 140
-init
#line 140
-ueventd
#line 140
}{
#line 140
dmabuf_heap_device_type
#line 140
-dmabuf_system_heap_device
#line 140
-dmabuf_system_secure_heap_device
#line 140
}:chr_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 140
#line 140
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 247
# Following /dev nodes must not be directly accessed by coredomain, but should
# instead be wrapped by HALs.
# Unlike the blocks above this rule is unconditional (not Treble-only) and has
# no exceptions at all.
neverallow coredomain {
iio_device
radio_device
}:chr_file { open read append write ioctl };
# TODO(b/120243891): HAL permission to tee_device is included into coredomain
# on non-Treble devices.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 258
#line 258
neverallow coredomain tee_device:chr_file { open read append write ioctl };
#line 258
#line 258
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 260
#line 1 "system/sepolicy/private/cppreopts.te"
# cppreopts
#
# This command copies preopted files from the system_b partition to the data
# partition. This domain ensures that we are only copying into specific
# directories.
type cppreopts, domain, mlstrustedsubject, coredomain;
type cppreopts_exec, system_file_type, exec_type, file_type;
# Technically not a daemon but we do want the transition from init domain to
# cppreopts to occur.
# The expanded block below is the init -> cppreopts exec transition: init may
# execute cppreopts_exec, cppreopts may only be entered through that binary
# (entrypoint), AT_SECURE is enabled for the child, and the transition happens
# automatically via type_transition.
#line 12
#line 12
# Allow the necessary permissions.
#line 12
#line 12
# Old domain may exec the file and transition to the new domain.
#line 12
allow init cppreopts_exec:file { getattr open read execute map };
#line 12
allow init cppreopts:process transition;
#line 12
# New domain is entered by executing the file.
#line 12
allow cppreopts cppreopts_exec:file { entrypoint open read execute getattr map };
#line 12
# New domain can send SIGCHLD to its caller.
#line 12
#line 12
# Enable AT_SECURE, i.e. libc secure mode.
#line 12
dontaudit init cppreopts:process noatsecure;
#line 12
# XXX dontaudit candidate but requires further study.
#line 12
allow init cppreopts:process { siginh rlimitinh };
#line 12
#line 12
# Make the transition occur by default.
#line 12
type_transition init cppreopts_exec:process cppreopts;
#line 12
#line 12
# Second transition: cppreopts -> preopt2cachename via preopt2cachename_exec.
# Same shape as above, except the child is additionally allowed to send
# SIGCHLD back to cppreopts.
#line 13
# Allow the necessary permissions.
#line 13
#line 13
# Old domain may exec the file and transition to the new domain.
#line 13
allow cppreopts preopt2cachename_exec:file { getattr open read execute map };
#line 13
allow cppreopts preopt2cachename:process transition;
#line 13
# New domain is entered by executing the file.
#line 13
allow preopt2cachename preopt2cachename_exec:file { entrypoint open read execute getattr map };
#line 13
# New domain can send SIGCHLD to its caller.
#line 13
allow preopt2cachename cppreopts:process sigchld;
#line 13
# Enable AT_SECURE, i.e. libc secure mode.
#line 13
dontaudit cppreopts preopt2cachename:process noatsecure;
#line 13
# XXX dontaudit candidate but requires further study.
#line 13
allow cppreopts preopt2cachename:process { siginh rlimitinh };
#line 13
#line 13
# Make the transition occur by default.
#line 13
type_transition cppreopts preopt2cachename_exec:process preopt2cachename;
#line 13
#line 13
# Stray ';' left behind by macro expansion; appears to be a harmless empty
# statement.
;
# Allow cppreopts copy files into the dalvik-cache
# Write access is limited to dalvikcache_data_file; this is the "specific
# directories" guarantee mentioned in the header.
allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
allow cppreopts dalvikcache_data_file:file { create getattr open read rename write unlink };
# Allow cppreopts to execute itself using #!/system/bin/sh
# (expanded rx_file_perms, presumably: read perms plus execute_no_trans, so
# sh and toolbox run inside the cppreopts domain rather than transitioning).
allow cppreopts shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow us to run find on /postinstall
allow cppreopts system_file:dir { open read };
# Allow running the cp command using cppreopts permissions. Needed so we can
# write into dalvik-cache
allow cppreopts toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Silence the denial when /postinstall cannot be mounted, e.g., system_other
# is wiped, but cppreopts.sh still runs.
dontaudit cppreopts postinstall_mnt_dir:dir search;
#line 1 "system/sepolicy/private/crash_dump.te"
# crash_dump attaches to crashing processes to produce stack traces, so it is
# granted ptrace/signal rights over almost every domain. The exclusion list
# below is what keeps it from being a universal debugging hook into the
# security-critical daemons.
typeattribute crash_dump coredomain;
# Crash dump does not need to access devices passed across exec().
dontaudit crash_dump { devpts dev_type }:chr_file { read write };
# Keep this exclusion list in lock-step with the neverallow list at the end of
# this file: a domain removed here but not there still fails the neverallow
# check, while a domain removed there but not here silently widens ptrace
# reach without any CTS assertion catching it.
allow crash_dump {
domain
-apexd
-bpfloader
-crash_dump
-init
-kernel
-keystore
-llkd
-logd
-ueventd
-vendor_init
-vold
}:process { ptrace signal sigchld sigstop sigkill };
# (a conditional block appears to have expanded to nothing here)
#line 29
# Read ART APEX data directory
allow crash_dump apex_art_data_file:dir { getattr search };
allow crash_dump apex_art_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow crash dump to read bootstrap libraries
allow crash_dump system_bootstrap_lib_file:dir { getattr search };
allow crash_dump system_bootstrap_lib_file:file { getattr open read ioctl lock map watch watch_reads };
# Read Vendor APEX directories
allow crash_dump vendor_apex_metadata_file:dir { getattr search };
###
### neverallow assertions
###
# sigchld not explicitly forbidden since it's part of the
# domain-transition-on-exec macros, and is by itself not sensitive
# Mirror of the exclusions in the allow rule above (minus sigchld).
neverallow crash_dump {
apexd
bpfloader
init
kernel
keystore
llkd
logd
ueventd
vendor_init
vold
}:process { ptrace signal sigstop sigkill };
# crash_dump must never trace itself.
neverallow crash_dump self:process ptrace;
# No access of any kind to the GPU device node.
neverallow crash_dump gpu_device:chr_file *;
#line 1 "system/sepolicy/private/credstore.te"
# credstore: system daemon started by init; a client of the Identity
# Credential and KeyMint HALs and of the remote provisioning service.
typeattribute credstore coredomain;
# init -> credstore exec transition (expanded macro): init may execute
# credstore_exec, credstore is entered only through that entrypoint, AT_SECURE
# is enabled and the transition is automatic.
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init credstore_exec:file { getattr open read execute map };
#line 3
allow init credstore:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow credstore credstore_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init credstore:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init credstore:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init credstore_exec:process credstore;
#line 3
#line 3
# talk to Identity Credential
# NOTE(review): the passthrough (in-process HAL) grants below — credstore
# gaining the hal_identity attribute and hal_identity being allowed to read
# and execute vendor_file — are expanded unconditionally in this prebuilt.
# Confirm this matches the intended Treble configuration for the CTS artifact.
#line 6
typeattribute credstore halclientdomain;
#line 6
typeattribute credstore hal_identity_client;
#line 6
#line 6
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 6
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 6
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 6
#line 6
typeattribute credstore hal_identity;
#line 6
# Find passthrough HAL implementations
#line 6
allow hal_identity system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 6
allow hal_identity vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 6
allow hal_identity vendor_file:file { read open getattr execute map };
#line 6
#line 6
# talk to keymint, specifically for IRemotelyProvisionedComponent/default
# Same shape as the hal_identity block above, for hal_keymint.
#line 9
typeattribute credstore halclientdomain;
#line 9
typeattribute credstore hal_keymint_client;
#line 9
#line 9
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 9
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 9
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 9
#line 9
typeattribute credstore hal_keymint;
#line 9
# Find passthrough HAL implementations
#line 9
allow hal_keymint system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow hal_keymint vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow hal_keymint vendor_file:file { read open getattr execute map };
#line 9
#line 9
# credstore needs to get keys from the RKPD
# Read-only access to the remote provisioning property and lookup (find, not
# add) of the remote provisioning binder service.
#line 12
allow credstore remote_prov_prop:file { getattr open read map };
#line 12
allow credstore remote_provisioning_service:service_manager find;
#line 1 "system/sepolicy/private/crosvm.te"
# crosvm: the VM monitor used by AVF. It is the only domain that may use
# /dev/kvm, and it is deliberately prevented from opening most files by path
# (see the neverallow near the end) so that a caller cannot use it as a
# confused deputy to read files it could not open itself.
type crosvm, domain, coredomain;
type crosvm_exec, system_file_type, exec_type, file_type;
type crosvm_tmpfs, file_type;
# Let crosvm open VM manager devices such as /dev/kvm.
allow crosvm vm_manager_device_type:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Most other domains shouldn't access /dev/kvm.
# getattr (stat) is additionally allowed for shell; everything else is
# crosvm/ueventd only.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
# The single ioctl left unrestricted for other domains is 0x0000ae03
# (presumably KVM_CHECK_EXTENSION, a read-only capability query — confirm
# against the kernel's kvm ioctl numbering).
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ 0x0000ae03 };
# Most other domains shouldn't access other vm managers either.
# These restrictions need to be slightly looser than for kvm_device to allow
# for different implementations.
neverallow { coredomain appdomain -crosvm -ueventd -shell } vm_manager_device_type:chr_file getattr;
neverallow { coredomain appdomain -crosvm -ueventd } vm_manager_device_type:chr_file ~getattr;
# Let crosvm create temporary files.
#line 20
type_transition crosvm tmpfs:file crosvm_tmpfs;
#line 20
allow crosvm crosvm_tmpfs:file { read write getattr map };
#line 20
# Let crosvm receive file descriptors from VirtualizationService.
allow crosvm virtualizationmanager:fd use;
# Allow sending VirtualizationService the failure reason and console/log from the VM via pipe.
allow crosvm virtualizationmanager:fifo_file write;
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
# /data/local/tmp), instance.img (app_data_file), and microdroid vendor image (vendor_microdroid_file).
# Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
# Note that the open permission is not given as the files are passed as file descriptors.
allow crosvm {
virtualizationservice_data_file
staging_data_file
apk_data_file
app_data_file
privapp_data_file
apex_compos_data_file
apex_virt_data_file
shell_data_file
vendor_microdroid_file
}:file { getattr read ioctl lock };
# Allow searching the directory where the composite disk images are.
allow crosvm virtualizationservice_data_file:dir search;
# When running a VM as root we get spurious capability denials.
# Suppress them.
# (the dontaudit that this comment refers to appears to have been expanded
# away in this build)
#line 52
# Allow crosvm to tune for performance.
allow crosvm self:{ capability cap_userns } sys_nice;
# Let crosvm access its control socket as created by VS.
# read, write, getattr: listener socket polling
# accept: listener socket accepting new connection
# Note that the open permission is not given as the socket is passed by FD.
allow crosvm virtualizationmanager:unix_stream_socket { accept read write getattr getopt };
# Let crosvm open test artifacts under /data/local/tmp with file path. (e.g. custom pvmfw.img)
# (conditional block; expanded to nothing in this build)
#line 67
# The instance image and the composite image should be writable as well because they could represent
# mutable disks.
allow crosvm {
virtualizationservice_data_file
app_data_file
privapp_data_file
apex_compos_data_file
apex_virt_data_file
}:file write;
# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
allow crosvm adbd:fd use;
allow crosvm adbd:unix_stream_socket { read write };
allow crosvm devpts:chr_file { read write getattr ioctl };
# crosvm tries to use netlink sockets as part its APCI implementation, but we don't need it for AVF (b/228077254)
dontaudit crosvm self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# crosvm can write files in /data/local/tmp which are usually used for instance.img and logging by
# compliance tests and demo apps. Write access to instance.img is particularily important because
# the VM has to initialize the disk image on its first boot. Note that open access is still not
# granted because the files are expected to be opened by the owner of the VM (apps or shell in case
# when the vm is created by the `vm` tool) and handed over to crosvm as FD.
allow crosvm shell_data_file:file write;
# crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
# forward console/log to the host logcat).
# crosvm only needs write permission, so dontaudit read
dontaudit crosvm virtualizationmanager:fifo_file { read getattr };
# Required for crosvm to start gdb-server to enable debugging of guest kernel.
# NOTE(review): this TCP listener grant (create/bind/listen/accept on a
# port type) is unconditional in this expansion; confirm crosvm only opens the
# gdb listener when explicitly requested, as it is a network-reachable surface.
allow crosvm self:tcp_socket { bind create read setopt write accept listen };
allow crosvm port:tcp_socket name_bind;
allow crosvm adbd:unix_stream_socket ioctl;
allow crosvm node:tcp_socket node_bind;
# Allow crosvm to interact to VFIO device
allow crosvm vfio_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow crosvm vfio_device:dir { open getattr read search ioctl lock watch watch_reads };
# Allow crosvm to access VM DTBO via a file created by virtualizationmanager.
# (fd use is already granted earlier in this file; the repeat is harmless)
allow crosvm virtualizationmanager:fd use;
allow crosvm virtualizationservice_data_file:file read;
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
# open them on its behalf. By preventing crosvm from opening any other files we prevent this
# potential privilege escalation. See http://b/192453819 for more discussion.
# NOTE(review): apex_compos_data_file, apex_virt_data_file, shell_data_file
# and vendor_microdroid_file receive read above but are not listed here;
# presumably deliberate because they are not app-controlled paths — confirm
# when adding new readable types that they also land in this list.
neverallow crosvm {
virtualizationservice_data_file
staging_data_file
apk_data_file
app_data_file
privapp_data_file
}:file open;
# Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 128
#line 128
neverallow crosvm {
#line 128
vendor_file_type
#line 128
-vendor_vm_file
#line 128
-vendor_vm_data_file
#line 128
# These types are not required for crosvm, but the access is granted to globally in domain.te
#line 128
# thus should be exempted here.
#line 128
-vendor_configs_file
#line 128
-vendor_microdroid_file
#line 128
-vndk_sp_file
#line 128
-vendor_task_profiles_file
#line 128
}:file *;
#line 128
#line 128
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 140
# Only allow crosvm to read app data files for clients that can start
# VMs. Note that the use of app data files is further restricted
# inside the virtualizationservice by checking the label of all disk
# image files.
neverallow crosvm {
app_data_file_type
-app_data_file
-privapp_data_file
-shell_data_file
}:file read;
# Only virtualizationmanager can run crosvm
# (and crosvm itself, e.g. for re-exec); every other domain is denied both
# execute and execute_no_trans on crosvm_exec.
neverallow {
domain
-crosvm
-virtualizationmanager
} crosvm_exec:file { execute execute_no_trans };
#line 1 "system/sepolicy/private/derive_classpath.te"
# Domain for derive_classpath
# Started by init; reads APEX metadata and writes the classpath file under
# environ_system_data_file. It also serves OTA dexopt (postinstall_dexopt).
type derive_classpath, domain, coredomain;
type derive_classpath_exec, system_file_type, exec_type, file_type;
# init -> derive_classpath exec transition (expanded macro).
#line 5
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init derive_classpath_exec:file { getattr open read execute map };
#line 5
allow init derive_classpath:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow derive_classpath derive_classpath_exec:file { entrypoint open read execute getattr map };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init derive_classpath:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init derive_classpath:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition init derive_classpath_exec:process derive_classpath;
#line 5
#line 5
# Read /apex
allow derive_classpath apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads };
allow derive_classpath vendor_apex_metadata_file:dir { open getattr read search ioctl lock watch watch_reads };
# Create /data/system/environ/classpath file
# Full create/rename/unlink/read/write on environ_system_data_file; this is
# the only data type this domain may write to by path.
allow derive_classpath environ_system_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow derive_classpath environ_system_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# b/183079517 fails on gphone targets otherwise
# search only, no read — unlabeled directories can still be traversed.
allow derive_classpath unlabeled:dir search;
# Allow derive_classpath to write the classpath into ota dexopt
# - Read the ota's apex dir
allow derive_classpath postinstall_apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads };
# - Report the BCP to the ota's dexopt
# Output goes through fds inherited from postinstall_dexopt and its tmpfs
# files, not by opening new paths.
allow derive_classpath postinstall_dexopt:dir search;
allow derive_classpath postinstall_dexopt:fd use;
allow derive_classpath postinstall_dexopt:file read;
allow derive_classpath postinstall_dexopt:lnk_file read;
allow derive_classpath postinstall_dexopt_tmpfs:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 1 "system/sepolicy/private/derive_sdk.te"
# Domain for derive_sdk
# Started by init; reads APEX metadata and is the sole writer (besides init)
# of the module_sdkextensions_prop system properties.
type derive_sdk, domain, coredomain;
type derive_sdk_exec, system_file_type, exec_type, file_type;
# init -> derive_sdk exec transition (expanded macro).
#line 5
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init derive_sdk_exec:file { getattr open read execute map };
#line 5
allow init derive_sdk:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow derive_sdk derive_sdk_exec:file { entrypoint open read execute getattr map };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init derive_sdk:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init derive_sdk:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition init derive_sdk_exec:process derive_sdk;
#line 5
#line 5
# Read /apex
allow derive_sdk apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads };
allow derive_sdk vendor_apex_metadata_file:dir { open getattr read search ioctl lock watch watch_reads };
# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
# Expanded set_prop: property writes go through the property socket to init,
# which enforces the property_service "set" permission below. The trailing
# neverallow pins derive_sdk (and init) as the only setters of these props.
#line 12
#line 12
allow derive_sdk property_socket:sock_file write;
#line 12
allow derive_sdk init:unix_stream_socket connectto;
#line 12
#line 12
allow derive_sdk module_sdkextensions_prop:property_service set;
#line 12
#line 12
allow derive_sdk module_sdkextensions_prop:file { getattr open read map };
#line 12
#line 12
neverallow { domain -init -derive_sdk } module_sdkextensions_prop:property_service set;
# Allow derive_sdk to write data back to dumpstate when forked from dumpstate.
# The shell_data_file permissions are needed when a bugreport is taken:
# dumpstate will redirect its stdout to a temporary shell_data_file:file, and
# this makes derive_sdk append to that file.
# No open on shell_data_file: the file must arrive as an inherited fd.
allow derive_sdk dumpstate:fd use;
allow derive_sdk dumpstate:unix_stream_socket { read write };
allow derive_sdk shell_data_file:file { getattr append read write };
#line 1 "system/sepolicy/private/device_as_webcam.te"
# Domain for DeviceAsWebcam Service
# An app domain (see the expanded app_domain block) that additionally gets
# read/write access to V4L2 video device nodes.
type device_as_webcam, domain, coredomain, mlstrustedsubject;
# Expanded app_domain macro: appdomain attribute, app tmpfs labelling, a
# private userfaultfd anon_inode type, and the standard app isolation
# neverallows (no cross-domain file access except runas_app/shell/simpleperf,
# no ptrace except crash_dump/runas_app/simpleperf).
#line 4
typeattribute device_as_webcam appdomain;
#line 4
# Label tmpfs objects for all apps.
#line 4
type_transition device_as_webcam tmpfs:file appdomain_tmpfs;
#line 4
#line 4
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 4
type device_as_webcam_userfaultfd;
#line 4
type_transition device_as_webcam device_as_webcam:anon_inode device_as_webcam_userfaultfd "[userfaultfd]";
#line 4
# Allow domain to create/use userfaultfd anon_inode.
#line 4
allow device_as_webcam device_as_webcam_userfaultfd:anon_inode { create ioctl read };
#line 4
# Suppress errors generate during bugreport
#line 4
dontaudit su device_as_webcam_userfaultfd:anon_inode *;
#line 4
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 4
neverallow { domain -device_as_webcam } device_as_webcam_userfaultfd:anon_inode *;
#line 4
#line 4
allow device_as_webcam appdomain_tmpfs:file { execute getattr map read write };
#line 4
neverallow { device_as_webcam -runas_app -shell -simpleperf } { domain -device_as_webcam }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 4
neverallow { appdomain -runas_app -shell -simpleperf -device_as_webcam } device_as_webcam:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 4
# The Android security model guarantees the confidentiality and integrity
#line 4
# of application data and execution state. Ptrace bypasses those
#line 4
# confidentiality guarantees. Disallow ptrace access from system components to
#line 4
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 4
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 4
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 4
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 4
# live lock conditions.
#line 4
neverallow { domain -device_as_webcam -crash_dump -runas_app -simpleperf } device_as_webcam:process ptrace;
#line 4
# Full create/rename/rmdir/read/write on system_app_data_file.
allow device_as_webcam system_app_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow device_as_webcam system_app_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow device_as_webcam { app_api_service cameraserver_service }:service_manager find;
# Allow DeviceAsWebcam Service needs to access ro.usb.uvc.enabled property to
# enale/disable itself
#line 13
allow device_as_webcam usb_uvc_enabled_prop:file { getattr open read map };
#line 13
# need to access /dev to list all devices
allow device_as_webcam device:dir { open getattr read search ioctl lock watch watch_reads };
# UVC nodes are mounted as V4L2 nodes (/dev/video*) on the device. These need to
# be accessed by the DeviceAsWebcam Service.
# This is the unusual grant for an app domain: read/write/ioctl on every
# video_device chr_file, not just the UVC gadget node.
allow device_as_webcam video_device:dir { open getattr read search ioctl lock watch watch_reads };
allow device_as_webcam video_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 1 "system/sepolicy/private/dex2oat.te"
# dex2oat
# The AOT compiler. It processes attacker-influenced input (APKs, secondary
# dex files), so it is kept from opening app data by path: app files arrive
# only as inherited fds (see the fd use rules and the final neverallow).
type dex2oat, domain, coredomain;
type dex2oat_exec, system_file_type, exec_type, file_type;
# Private userfaultfd anon_inode type (expanded macro); no other domain may
# use it.
#line 5
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 5
type dex2oat_userfaultfd;
#line 5
type_transition dex2oat dex2oat:anon_inode dex2oat_userfaultfd "[userfaultfd]";
#line 5
# Allow domain to create/use userfaultfd anon_inode.
#line 5
allow dex2oat dex2oat_userfaultfd:anon_inode { create ioctl read };
#line 5
# Suppress errors generate during bugreport
#line 5
dontaudit su dex2oat_userfaultfd:anon_inode *;
#line 5
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 5
neverallow { domain -dex2oat } dex2oat_userfaultfd:anon_inode *;
#line 5
# Read-only access to installed APKs (expanded r_dir_file, presumably).
#line 7
allow dex2oat apk_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 7
allow dex2oat apk_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 7
# Access to /vendor/app
#line 9
allow dex2oat vendor_app_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow dex2oat vendor_app_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 9
# Access /vendor/framework
allow dex2oat vendor_framework_file:dir { getattr search };
allow dex2oat vendor_framework_file:file { getattr open read map };
# Access /vendor/overlay
#line 14
allow dex2oat vendor_overlay_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 14
allow dex2oat vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 14
# Stray ';' left behind by macro expansion; appears to be a harmless empty
# statement.
;
# Vendor overlay can be found in vendor apex
allow dex2oat vendor_apex_metadata_file:dir { getattr search };
allow dex2oat tmpfs:file { read getattr map };
# dalvik-cache: read everything, write files (no create/unlink here).
#line 20
allow dex2oat dalvikcache_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 20
allow dex2oat dalvikcache_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 20
allow dex2oat dalvikcache_data_file:file write;
# Acquire advisory lock on /system/framework/arm/*
allow dex2oat system_file:file lock;
allow dex2oat postinstall_file:file lock;
# Read already open asec_apk_file file descriptors passed by installd.
# Also allow reading unlabeled files, to allow for upgrading forward
# locked APKs.
# read/map only — no open — so these must be inherited fds.
allow dex2oat asec_apk_file:file { read map };
allow dex2oat unlabeled:file { read map };
allow dex2oat oemfs:file { read map };
allow dex2oat apk_tmp_file:dir search;
allow dex2oat apk_tmp_file:file { getattr open read ioctl lock map watch watch_reads };
allow dex2oat user_profile_data_file:file { getattr read lock map };
# Allow dex2oat to compile app's secondary dex files which were reported back to
# the framework.
# Deliberately no open: consistent with the neverallow on app_data_file_type
# at the end of this file. The fds come from installd/artd.
allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
# Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
allow dex2oat apex_module_data_file:dir search;
# Allow dex2oat to use devpts passed from odsign.
allow dex2oat odsign_devpts:chr_file { read write };
# Allow dex2oat to write to file descriptors from odrefresh for files
# in the staging area.
allow dex2oat apex_art_staging_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow dex2oat apex_art_staging_data_file:file { getattr map read write unlink };
# Allow dex2oat to read artifacts from odrefresh.
allow dex2oat apex_art_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow dex2oat apex_art_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow dex2oat to read runtime native flag properties.
#line 57
allow dex2oat device_config_runtime_native_prop:file { getattr open read map };
#line 57
#line 58
allow dex2oat device_config_runtime_native_boot_prop:file { getattr open read map };
#line 58
# Allow dex2oat to read /apex/apex-info-list.xml
allow dex2oat apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow dex2oat to use file descriptors passed from privileged programs.
# This is the channel through which app data and APK fds reach dex2oat.
allow dex2oat { artd installd odrefresh odsign }:fd use;
# Allow dex2oat to read the /proc filesystem for CPU features, etc.
allow dex2oat proc_filesystems:file { getattr open read ioctl lock map watch watch_reads };
##################
# A/B OTA Dexopt #
##################
# Allow dex2oat to use file descriptors from otapreopt.
allow dex2oat postinstall_dexopt:fd use;
# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
allow dex2oat postinstall_file:dir { open getattr read search ioctl lock watch watch_reads };
allow dex2oat postinstall_file:filesystem getattr;
allow dex2oat postinstall_file:lnk_file { getattr read };
allow dex2oat postinstall_file:file read;
# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
allow dex2oat postinstall_file:file { execute getattr open };
# Allow dex2oat access to /postinstall/apex.
allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
allow dex2oat postinstall_apex_mnt_dir:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir { { open getattr read search ioctl lock watch watch_reads } add_name write };
allow dex2oat ota_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
# where the oat file is symlinked to the original file in /system.
allow dex2oat ota_data_file:lnk_file { create read };
# It would be nice to tie this down, but currently, because of how images are written, we can't
# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
# create them itself (and make them world-readable).
# ota_data_file is therefore the one data type dex2oat may create by path.
allow dex2oat ota_data_file:file { create { open append write lock map } setattr };
###############
# APEX Update #
###############
# /dev/zero is inherited.
allow dex2oat apexd:fd use;
# Allow dex2oat to use file descriptors from preinstall.
# (the rule this comment refers to appears to have been expanded away)
##############
# Neverallow #
##############
# dex2oat may never open any app-controlled file itself; it must be handed an
# already-open fd by a privileged caller.
neverallow dex2oat app_data_file_type:{ file lnk_file sock_file fifo_file } open;
#line 1 "system/sepolicy/private/dexopt_chroot_setup.te"
# dexopt_chroot_setup: init-started binder service that prepares the dexopt
# chroot. It is the only domain allowed to register
# dexopt_chroot_setup_service with servicemanager.
type dexopt_chroot_setup, domain, coredomain;
type dexopt_chroot_setup_exec, system_file_type, exec_type, file_type;
type dexopt_chroot_setup_tmpfs, file_type;
# Allow dexopt_chroot_setup to publish a binder service and make binder calls.
# Expanded binder_use: bidirectional call/transfer with servicemanager, plus
# the /proc reads servicemanager needs to getpidcon its clients.
#line 6
# Call the servicemanager and transfer references to it.
#line 6
allow dexopt_chroot_setup servicemanager:binder { call transfer };
#line 6
# Allow servicemanager to send out callbacks
#line 6
allow servicemanager dexopt_chroot_setup:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
#line 6
allow servicemanager dexopt_chroot_setup:dir search;
#line 6
allow servicemanager dexopt_chroot_setup:file { read open };
#line 6
allow servicemanager dexopt_chroot_setup:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6
# Expanded add_service: add+find for this domain, and a neverallow so no other
# domain can impersonate the service by registering the same name.
#line 7
allow dexopt_chroot_setup dexopt_chroot_setup_service:service_manager { add find };
#line 7
neverallow { domain -dexopt_chroot_setup } dexopt_chroot_setup_service:service_manager add;
#line 7
#line 7
# On debug builds with root, allow binder services to use binder over TCP.
#line 7
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 7
#line 7
# Bug-report output: write to dumpstate's pipe via an inherited fd.
allow dexopt_chroot_setup dumpstate:fifo_file { getattr write };
allow dexopt_chroot_setup dumpstate:fd use;
# init -> dexopt_chroot_setup exec transition (expanded macro).
#line 11
#line 11
# Allow the necessary permissions.
#line 11
#line 11
# Old domain may exec the file and transition to the new domain.
#line 11
allow init dexopt_chroot_setup_exec:file { getattr open read execute map };
#line 11
allow init dexopt_chroot_setup:process transition;
#line 11
# New domain is entered by executing the file.
#line 11
allow dexopt_chroot_setup dexopt_chroot_setup_exec:file { entrypoint open read execute getattr map };
#line 11
# New domain can send SIGCHLD to its caller.
#line 11
#line 11
# Enable AT_SECURE, i.e. libc secure mode.
#line 11
dontaudit init dexopt_chroot_setup:process noatsecure;
#line 11
# XXX dontaudit candidate but requires further study.
#line 11
allow init dexopt_chroot_setup:process { siginh rlimitinh };
#line 11
#line 11
# Make the transition occur by default.
#line 11
type_transition init dexopt_chroot_setup_exec:process dexopt_chroot_setup;
#line 11
#line 11
# Use tmpfs_domain() which will give tmpfs files created by dexopt_chroot_setup their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by dexopt_chroot_setup vs other
# processes.
#line 17
type_transition dexopt_chroot_setup tmpfs:file dexopt_chroot_setup_tmpfs;
#line 17
allow dexopt_chroot_setup dexopt_chroot_setup_tmpfs:file { read write getattr map };
#line 17
# libart (mark_compact.cc) has some intialization code that touches the cache
# info file and userfaultfd.
allow dexopt_chroot_setup apex_module_data_file:dir { getattr search };
#line 22
allow dexopt_chroot_setup apex_art_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 22
allow dexopt_chroot_setup apex_art_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 22
# Private userfaultfd anon_inode type (expanded macro); no other domain may
# use it.
#line 23
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 23
type dexopt_chroot_setup_userfaultfd;
#line 23
type_transition dexopt_chroot_setup dexopt_chroot_setup:anon_inode dexopt_chroot_setup_userfaultfd "[userfaultfd]";
#line 23
# Allow domain to create/use userfaultfd anon_inode.
#line 23
allow dexopt_chroot_setup dexopt_chroot_setup_userfaultfd:anon_inode { create ioctl read };
#line 23
# Suppress errors generate during bugreport
#line 23
dontaudit su dexopt_chroot_setup_userfaultfd:anon_inode *;
#line 23
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 23
neverallow { domain -dexopt_chroot_setup } dexopt_chroot_setup_userfaultfd:anon_inode *;
#line 23
#line 1 "system/sepolicy/private/dexoptanalyzer.te"
# dexoptanalyzer
#
# ART helper that inspects dex/oat/vdex/dm files to decide whether a
# (re)compilation is needed. Everything granted below is read-only: no rule
# in this file gives write access to app data, the dalvik cache or the ART
# APEX data directory, and the domain.te neverallows keep it out of the
# writer sets for those types. mlstrustedsubject exempts it from MLS
# constraints (presumably to read per-user app data); the type rules below
# still apply.
type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
type dexoptanalyzer_tmpfs, file_type;
# r_dir_file() expansion: read-only access to installed APKs.
#line 6
allow dexoptanalyzer apk_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 6
allow dexoptanalyzer apk_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 6
# Access to /vendor/app
#line 8
allow dexoptanalyzer vendor_app_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 8
allow dexoptanalyzer vendor_app_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 8
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by dexoptanalyzer vs other
# processes.
#line 15
type_transition dexoptanalyzer tmpfs:file dexoptanalyzer_tmpfs;
#line 15
allow dexoptanalyzer dexoptanalyzer_tmpfs:file { read write getattr map };
#line 15
#line 17
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 17
type dexoptanalyzer_userfaultfd;
#line 17
type_transition dexoptanalyzer dexoptanalyzer:anon_inode dexoptanalyzer_userfaultfd "[userfaultfd]";
#line 17
# Allow domain to create/use userfaultfd anon_inode.
#line 17
allow dexoptanalyzer dexoptanalyzer_userfaultfd:anon_inode { create ioctl read };
#line 17
# Suppress errors generate during bugreport
#line 17
dontaudit su dexoptanalyzer_userfaultfd:anon_inode *;
#line 17
# Other domains may not use userfaultfd anon_inodes created by this domain.
# A userfaultfd handle gives its holder control over page faults in the
# owner's address space, so the handle must stay private to the creator.
#line 17
neverallow { domain -dexoptanalyzer } dexoptanalyzer_userfaultfd:anon_inode *;
#line 17
# Allow dexoptanalyzer to read files in the dalvik cache.
allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
allow dexoptanalyzer dalvikcache_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
# images, where the oat file is symlinked to the original file in /system.
allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
# Allow dexoptanalyzer to read files in the ART APEX data directory.
allow dexoptanalyzer { apex_art_data_file apex_module_data_file }:dir { getattr search };
allow dexoptanalyzer apex_art_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow dexoptanalyzer to use file descriptors from odrefresh.
allow dexoptanalyzer odrefresh:fd use;
# Use devpts and fd from odsign (which exec()'s odrefresh)
allow dexoptanalyzer odsign:fd use;
allow dexoptanalyzer odsign_devpts:chr_file { read write };
# installd invokes dexoptanalyzer and collects its output through a pipe.
allow dexoptanalyzer installd:fd use;
allow dexoptanalyzer installd:fifo_file { getattr write };
# Acquire advisory lock on /system/framework/arm/*
allow dexoptanalyzer system_file:file lock;
# Allow reading secondary dex files that were reported by the app to the
# package manager.
# Deliberately no "open" on the directory and no "search": the files are
# expected to arrive as already-open fds (see the installd fd rule above),
# so this domain never walks an app's private directory itself.
allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
# dexoptanalyzer checks the DM files next to dex files. We don't need this check
# for secondary dex files, but it's not harmful. Just deny it and ignore it.
dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir search;
# Allow testing /data/user/0 which symlinks to /data/data
allow dexoptanalyzer system_data_file:lnk_file { getattr };
# Allow query ART device config properties
#line 56
allow dexoptanalyzer device_config_runtime_native_prop:file { getattr open read map };
#line 56
#line 57
allow dexoptanalyzer device_config_runtime_native_boot_prop:file { getattr open read map };
#line 57
# Allow dexoptanalyzer to read /apex/apex-info-list.xml
allow dexoptanalyzer apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
#line 1 "system/sepolicy/private/dhcp.te"
# dhcp: the dhcp type itself is declared elsewhere; here it is only marked as a
# core (system-image) domain and given its init transition and property access.
typeattribute dhcp coredomain;
# init_daemon_domain(dhcp) expansion: init execs dhcp_exec and transitions
# into the dhcp domain.
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init dhcp_exec:file { getattr open read execute map };
#line 3
allow init dhcp:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow dhcp dhcp_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init dhcp:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init dhcp:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init dhcp_exec:process dhcp;
#line 3
#line 3
# Anything dhcp creates inside a system_data_file directory gets its own
# dhcp_data_file label, so its state can be policed separately from generic
# system data (the access rules for dhcp_data_file are defined elsewhere).
type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
# set_prop(dhcp, dhcp_prop) expansion: connect to init's property socket and
# set properties of type dhcp_prop; the file rule is the matching get_prop.
#line 6
#line 6
allow dhcp property_socket:sock_file write;
#line 6
allow dhcp init:unix_stream_socket connectto;
#line 6
#line 6
allow dhcp dhcp_prop:property_service set;
#line 6
#line 6
allow dhcp dhcp_prop:file { getattr open read map };
#line 6
#line 6
#line 7
# set_prop(dhcp, pan_result_prop) expansion. The property_socket/connectto
# rules are repeated once per macro call; the duplicates are harmless.
#line 7
allow dhcp property_socket:sock_file write;
#line 7
allow dhcp init:unix_stream_socket connectto;
#line 7
#line 7
allow dhcp pan_result_prop:property_service set;
#line 7
#line 7
allow dhcp pan_result_prop:file { getattr open read map };
#line 7
#line 7
#line 1 "system/sepolicy/private/dmesgd.te"
# dmesgd: a core daemon started by init that reads the kernel log, keeps its
# own state under dmesgd_data_file and reports to system_server's dropbox
# service over binder.
type dmesgd, domain, coredomain;
type dmesgd_exec, system_file_type, exec_type, file_type;
# init_daemon_domain(dmesgd) expansion.
#line 4
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init dmesgd_exec:file { getattr open read execute map };
#line 4
allow init dmesgd:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow dmesgd dmesgd_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init dmesgd:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init dmesgd:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition init dmesgd_exec:process dmesgd;
#line 4
#line 4
# Full create/rename/delete/read/write access to its own data directory.
allow dmesgd dmesgd_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow dmesgd dmesgd_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Read the kernel ring buffer (what dmesg(1) needs).
allow dmesgd kernel:system syslog_read;
# Run shell/toolbox helpers. This is execute_no_trans: the helpers stay in the
# dmesgd domain and therefore run with exactly the permissions listed in this
# file, including syslog_read above.
allow dmesgd shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow dmesgd toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# binder_use(dmesgd) expansion.
#line 12
# Call the servicemanager and transfer references to it.
#line 12
allow dmesgd servicemanager:binder { call transfer };
#line 12
# Allow servicemanager to send out callbacks
#line 12
allow servicemanager dmesgd:binder { call transfer };
#line 12
# servicemanager performs getpidcon on clients.
#line 12
allow servicemanager dmesgd:dir search;
#line 12
allow servicemanager dmesgd:file { read open };
#line 12
allow servicemanager dmesgd:process getattr;
#line 12
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 12
# all domains in domain.te.
#line 12
# binder_call(dmesgd, system_server) expansion: dmesgd is the client.
#line 13
# Call the server domain and optionally transfer references to it.
#line 13
allow dmesgd system_server:binder { call transfer };
#line 13
# Allow the serverdomain to transfer references to the client on the reply.
#line 13
allow system_server dmesgd:binder transfer;
#line 13
# Receive and use open files from the server.
#line 13
allow dmesgd system_server:fd use;
#line 13
# Look up the dropbox service (hosted by system_server) to deliver reports.
allow dmesgd dropbox_service:service_manager find;
# Read /proc/version (kernel version string).
allow dmesgd proc_version:file { getattr open read ioctl lock map watch watch_reads };
#line 1 "system/sepolicy/private/dnsmasq.te"
# dnsmasq: only the coredomain marking lives here; the type and its access
# rules are declared elsewhere (it is also one of the dac_override-exempt
# domains listed in domain.te below).
typeattribute dnsmasq coredomain;
#line 1 "system/sepolicy/private/domain.te"
# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122)
# Note: in this expansion the source set is plain { domain } with no -su;
# the su exclusion presumably only exists on userdebug/eng builds.
# domain_auto_trans({ domain }, crash_dump_exec, crash_dump) expansion:
# every domain may exec crash_dump_exec and lands in crash_dump, which may
# then SIGCHLD the crashing caller.
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow { domain } crash_dump_exec:file { getattr open read execute map };
#line 5
allow { domain } crash_dump:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow crash_dump crash_dump_exec:file { entrypoint open read execute getattr map };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
allow crash_dump { domain }:process sigchld;
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit { domain } crash_dump:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow { domain } crash_dump:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition { domain } crash_dump_exec:process crash_dump;
#line 5
# Stray ';' left over from the macro invocation; harmless to the compiler.
;
allow domain crash_dump:process sigchld;
# Allow every process to check the heapprofd.enable properties to determine
# whether to load the heap profiling library. This does not necessarily enable
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions.
# get_prop(domain, heapprofd_prop) expansion: read-only.
#line 12
allow domain heapprofd_prop:file { getattr open read map };
#line 12
# Stray ';' from the macro invocation; harmless.
;
# See private/crash_dump.te
#line 29
# Allow heap profiling by heapprofd.
# Zygotes are excluded due to potential issues with holding open file
# descriptors or other state across forks. Other exclusions conflict with
# neverallows, and are not considered important to profile.
#
# can_profile_heap() expansion. The same "profilable" set is spelled out
# verbatim in every rule below: { domain minus apexd, bpfloader, crash_dump,
# crosvm, init, kernel, keystore, llkd, logd, ueventd, vendor_init, vold }
# minus app_zygote, hal_configstore_server, logpersist, recovery,
# recovery_persist, recovery_refresh, webview_zygote and zygote.
# Rights granted, in order:
#  - heapprofd may signal a client and use fds the client passes;
#  - a client may connect to heapprofd's socket, map heapprofd_tmpfs
#    (the shared-memory buffer) and use fds received from heapprofd;
#  - heapprofd gets read/write on the client's /proc/[pid] files (which carry
#    the client's domain label) and read/search on its /proc/[pid] directory.
# heapprofd is not in the sys_ptrace allowlist further down (only vold,
# dumpstate, storaged and system_server are), so /proc/[pid]/mem is expected
# to arrive as a client-passed fd rather than being opened by heapprofd.
#line 35
# Allow central daemon to send signal for client initialization.
#line 35
allow heapprofd {
#line 35
{
#line 35
domain
#line 35
-apexd
#line 35
-bpfloader
#line 35
-crash_dump
#line 35
-crosvm # TODO(b/236672526): Remove exception for crosvm
#line 35
-init
#line 35
-kernel
#line 35
-keystore
#line 35
-llkd
#line 35
-logd
#line 35
-ueventd
#line 35
-vendor_init
#line 35
-vold
#line 35
}
#line 35
-app_zygote
#line 35
-hal_configstore_server
#line 35
-logpersist
#line 35
-recovery
#line 35
-recovery_persist
#line 35
-recovery_refresh
#line 35
-webview_zygote
#line 35
-zygote
#line 35
}:process signal;
#line 35
# Allow connecting to the daemon.
#line 35
#line 35
allow {
#line 35
{
#line 35
domain
#line 35
-apexd
#line 35
-bpfloader
#line 35
-crash_dump
#line 35
-crosvm # TODO(b/236672526): Remove exception for crosvm
#line 35
-init
#line 35
-kernel
#line 35
-keystore
#line 35
-llkd
#line 35
-logd
#line 35
-ueventd
#line 35
-vendor_init
#line 35
-vold
#line 35
}
#line 35
-app_zygote
#line 35
-hal_configstore_server
#line 35
-logpersist
#line 35
-recovery
#line 35
-recovery_persist
#line 35
-recovery_refresh
#line 35
-webview_zygote
#line 35
-zygote
#line 35
} heapprofd_socket:sock_file write;
#line 35
allow {
#line 35
{
#line 35
domain
#line 35
-apexd
#line 35
-bpfloader
#line 35
-crash_dump
#line 35
-crosvm # TODO(b/236672526): Remove exception for crosvm
#line 35
-init
#line 35
-kernel
#line 35
-keystore
#line 35
-llkd
#line 35
-logd
#line 35
-ueventd
#line 35
-vendor_init
#line 35
-vold
#line 35
}
#line 35
-app_zygote
#line 35
-hal_configstore_server
#line 35
-logpersist
#line 35
-recovery
#line 35
-recovery_persist
#line 35
-recovery_refresh
#line 35
-webview_zygote
#line 35
-zygote
#line 35
} heapprofd:unix_stream_socket connectto;
#line 35
#line 35
# Allow daemon to use the passed fds.
#line 35
allow heapprofd {
#line 35
{
#line 35
domain
#line 35
-apexd
#line 35
-bpfloader
#line 35
-crash_dump
#line 35
-crosvm # TODO(b/236672526): Remove exception for crosvm
#line 35
-init
#line 35
-kernel
#line 35
-keystore
#line 35
-llkd
#line 35
-logd
#line 35
-ueventd
#line 35
-vendor_init
#line 35
-vold
#line 35
}
#line 35
-app_zygote
#line 35
-hal_configstore_server
#line 35
-logpersist
#line 35
-recovery
#line 35
-recovery_persist
#line 35
-recovery_refresh
#line 35
-webview_zygote
#line 35
-zygote
#line 35
}:fd use;
#line 35
# Allow to read and write to heapprofd shmem.
#line 35
# The client needs to read the read and write pointers in order to write.
#line 35
allow {
#line 35
{
#line 35
domain
#line 35
-apexd
#line 35
-bpfloader
#line 35
-crash_dump
#line 35
-crosvm # TODO(b/236672526): Remove exception for crosvm
#line 35
-init
#line 35
-kernel
#line 35
-keystore
#line 35
-llkd
#line 35
-logd
#line 35
-ueventd
#line 35
-vendor_init
#line 35
-vold
#line 35
}
#line 35
-app_zygote
#line 35
-hal_configstore_server
#line 35
-logpersist
#line 35
-recovery
#line 35
-recovery_persist
#line 35
-recovery_refresh
#line 35
-webview_zygote
#line 35
-zygote
#line 35
} heapprofd_tmpfs:file { read write getattr map };
#line 35
# Use shared memory received over the unix socket.
#line 35
allow {
#line 35
{
#line 35
domain
#line 35
-apexd
#line 35
-bpfloader
#line 35
-crash_dump
#line 35
-crosvm # TODO(b/236672526): Remove exception for crosvm
#line 35
-init
#line 35
-kernel
#line 35
-keystore
#line 35
-llkd
#line 35
-logd
#line 35
-ueventd
#line 35
-vendor_init
#line 35
-vold
#line 35
}
#line 35
-app_zygote
#line 35
-hal_configstore_server
#line 35
-logpersist
#line 35
-recovery
#line 35
-recovery_persist
#line 35
-recovery_refresh
#line 35
-webview_zygote
#line 35
-zygote
#line 35
} heapprofd:fd use;
#line 35
#line 35
# To read and write from the received file descriptors.
#line 35
# /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
#line 35
# process they relate to.
#line 35
# We need to write to /proc/$PID/page_idle to find idle allocations.
#line 35
# The client only opens /proc/self/page_idle with RDWR, everything else
#line 35
# with RDONLY.
#line 35
# heapprofd cannot open /proc/$PID/mem itself, as it does not have
#line 35
# sys_ptrace.
#line 35
# Note: this is r_file_perms + w_file_perms on every file labelled with a
# profilable domain's type, i.e. that domain's whole /proc/[pid] tree; the
# comment above documents which entries are actually used.
allow heapprofd {
#line 35
{
#line 35
domain
#line 35
-apexd
#line 35
-bpfloader
#line 35
-crash_dump
#line 35
-crosvm # TODO(b/236672526): Remove exception for crosvm
#line 35
-init
#line 35
-kernel
#line 35
-keystore
#line 35
-llkd
#line 35
-logd
#line 35
-ueventd
#line 35
-vendor_init
#line 35
-vold
#line 35
}
#line 35
-app_zygote
#line 35
-hal_configstore_server
#line 35
-logpersist
#line 35
-recovery
#line 35
-recovery_persist
#line 35
-recovery_refresh
#line 35
-webview_zygote
#line 35
-zygote
#line 35
}:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 35
# Allow searching the /proc/[pid] directory for cmdline.
#line 35
allow heapprofd {
#line 35
{
#line 35
domain
#line 35
-apexd
#line 35
-bpfloader
#line 35
-crash_dump
#line 35
-crosvm # TODO(b/236672526): Remove exception for crosvm
#line 35
-init
#line 35
-kernel
#line 35
-keystore
#line 35
-llkd
#line 35
-logd
#line 35
-ueventd
#line 35
-vendor_init
#line 35
-vold
#line 35
}
#line 35
-app_zygote
#line 35
-hal_configstore_server
#line 35
-logpersist
#line 35
-recovery
#line 35
-recovery_persist
#line 35
-recovery_refresh
#line 35
-webview_zygote
#line 35
-zygote
#line 35
}:dir { open getattr read search ioctl lock watch watch_reads };
#line 45
# Allow profiling using perf_event_open by traced_perf.
# can_profile_perf() expansion. Compared with the heapprofd set above, this
# exclusion list is smaller: logpersist and the recovery* domains are NOT
# excluded, so they are perf-profilable. traced_perf also gets only read
# (never write) on the target's /proc/[pid] files.
#line 48
# Allow directory & file read to traced_perf, as it stat(2)s /proc/[pid], and
#line 48
# reads /proc/[pid]/cmdline.
#line 48
allow traced_perf {
#line 48
{
#line 48
domain
#line 48
-apexd
#line 48
-bpfloader
#line 48
-crash_dump
#line 48
-crosvm # TODO(b/236672526): Remove exception for crosvm
#line 48
-init
#line 48
-kernel
#line 48
-keystore
#line 48
-llkd
#line 48
-logd
#line 48
-ueventd
#line 48
-vendor_init
#line 48
-vold
#line 48
}
#line 48
-app_zygote
#line 48
-hal_configstore_server
#line 48
-webview_zygote
#line 48
-zygote
#line 48
}:file { getattr open read ioctl lock map watch watch_reads };
#line 48
allow traced_perf {
#line 48
{
#line 48
domain
#line 48
-apexd
#line 48
-bpfloader
#line 48
-crash_dump
#line 48
-crosvm # TODO(b/236672526): Remove exception for crosvm
#line 48
-init
#line 48
-kernel
#line 48
-keystore
#line 48
-llkd
#line 48
-logd
#line 48
-ueventd
#line 48
-vendor_init
#line 48
-vold
#line 48
}
#line 48
-app_zygote
#line 48
-hal_configstore_server
#line 48
-webview_zygote
#line 48
-zygote
#line 48
}:dir { open getattr read search ioctl lock watch watch_reads };
#line 48
#line 48
# Allow central daemon to send signal to request /proc/[pid]/maps and
#line 48
# /proc/[pid]/mem fds from this process.
#line 48
allow traced_perf {
#line 48
{
#line 48
domain
#line 48
-apexd
#line 48
-bpfloader
#line 48
-crash_dump
#line 48
-crosvm # TODO(b/236672526): Remove exception for crosvm
#line 48
-init
#line 48
-kernel
#line 48
-keystore
#line 48
-llkd
#line 48
-logd
#line 48
-ueventd
#line 48
-vendor_init
#line 48
-vold
#line 48
}
#line 48
-app_zygote
#line 48
-hal_configstore_server
#line 48
-webview_zygote
#line 48
-zygote
#line 48
}:process signal;
#line 48
#line 48
# Allow connecting to the daemon.
#line 48
#line 48
allow {
#line 48
{
#line 48
domain
#line 48
-apexd
#line 48
-bpfloader
#line 48
-crash_dump
#line 48
-crosvm # TODO(b/236672526): Remove exception for crosvm
#line 48
-init
#line 48
-kernel
#line 48
-keystore
#line 48
-llkd
#line 48
-logd
#line 48
-ueventd
#line 48
-vendor_init
#line 48
-vold
#line 48
}
#line 48
-app_zygote
#line 48
-hal_configstore_server
#line 48
-webview_zygote
#line 48
-zygote
#line 48
} traced_perf_socket:sock_file write;
#line 48
allow {
#line 48
{
#line 48
domain
#line 48
-apexd
#line 48
-bpfloader
#line 48
-crash_dump
#line 48
-crosvm # TODO(b/236672526): Remove exception for crosvm
#line 48
-init
#line 48
-kernel
#line 48
-keystore
#line 48
-llkd
#line 48
-logd
#line 48
-ueventd
#line 48
-vendor_init
#line 48
-vold
#line 48
}
#line 48
-app_zygote
#line 48
-hal_configstore_server
#line 48
-webview_zygote
#line 48
-zygote
#line 48
} traced_perf:unix_stream_socket connectto;
#line 48
#line 48
# Allow daemon to use the passed fds.
#line 48
allow traced_perf {
#line 48
{
#line 48
domain
#line 48
-apexd
#line 48
-bpfloader
#line 48
-crash_dump
#line 48
-crosvm # TODO(b/236672526): Remove exception for crosvm
#line 48
-init
#line 48
-kernel
#line 48
-keystore
#line 48
-llkd
#line 48
-logd
#line 48
-ueventd
#line 48
-vendor_init
#line 48
-vold
#line 48
}
#line 48
-app_zygote
#line 48
-hal_configstore_server
#line 48
-webview_zygote
#line 48
-zygote
#line 48
}:fd use;
#line 54
# Everyone can access the IncFS list of features.
# r_dir_file(domain, sysfs_fs_incfs_features) expansion: read-only sysfs
# feature listing, world-readable by design.
#line 57
allow domain sysfs_fs_incfs_features:dir { open getattr read search ioctl lock watch watch_reads };
#line 57
allow domain sysfs_fs_incfs_features:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 57
;
# Everyone can access the fuse list of features.
#line 60
allow domain sysfs_fs_fuse_features:dir { open getattr read search ioctl lock watch watch_reads };
#line 60
allow domain sysfs_fs_fuse_features:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 60
# Stray ';' lines above/below are macro-expansion leftovers; harmless.
;
# Path resolution access in cgroups.
# Every domain may traverse cgroup hierarchies; write access (moving tasks,
# creating groups) is withheld from apps (appdomain) and RenderScript (rs).
allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir { open search write add_name remove_name lock };
allow { domain -appdomain -rs } cgroup:file { open append write lock map };
allow domain cgroup_v2:dir search;
allow { domain -appdomain -rs } cgroup_v2:dir { open search write add_name remove_name lock };
allow { domain -appdomain -rs } cgroup_v2:file { open append write lock map };
# cgroup.rc and task-profile descriptions are read-only for everyone
# (writers of cgroup.rc are restricted by a neverallow further down).
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file { getattr open read ioctl lock map watch watch_reads };
allow domain task_profiles_file:file { getattr open read ioctl lock map watch watch_reads };
allow domain task_profiles_api_file:file { getattr open read ioctl lock map watch watch_reads };
allow domain vendor_task_profiles_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow all domains to read sys.use_memfd to determine
# if memfd support can be used if device supports it
# All rules in this run are get_prop() expansions: read-only property access
# for every domain. Trailing ';' lines are macro leftovers.
#line 79
allow domain use_memfd_prop:file { getattr open read map };
#line 79
;
# Read access to sdkextensions props
#line 82
allow domain module_sdkextensions_prop:file { getattr open read map };
#line 82
# Read access to bq configuration values
#line 85
allow domain bq_config_prop:file { getattr open read map };
#line 85
;
# Allow all domains to check whether MTE is set to permissive mode.
#line 88
allow domain permissive_mte_prop:file { getattr open read map };
#line 88
;
# Allow ART to be configurable via device_config properties
# (ART "runs" inside the app process), and MTE bootloader override to be
# observed by everything
#line 93
allow domain device_config_memory_safety_native_boot_prop:file { getattr open read map };
#line 93
;
#line 94
allow domain device_config_memory_safety_native_prop:file { getattr open read map };
#line 94
;
#line 95
allow domain device_config_runtime_native_boot_prop:file { getattr open read map };
#line 95
;
#line 96
allow domain device_config_runtime_native_prop:file { getattr open read map };
#line 96
;
# For now, everyone can access core property files
# Device specific properties are not granted by default
#line 100
# DO NOT ADD ANY PROPERTIES HERE
#line 100
#line 100
allow domain core_property_type:file { getattr open read map };
#line 100
#line 100
#line 100
allow domain exported3_system_prop:file { getattr open read map };
#line 100
#line 100
#line 100
allow domain vendor_default_prop:file { getattr open read map };
#line 100
#line 105
# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
# The rules between the two markers are the compatible-property subset that
# CTS checks; they narrow the world-readable grants above to coredomain /
# appdomain / shell (and vendor_default_prop to non-core, non-app domains).
#line 106
#line 106
# DO NOT ADD ANY PROPERTIES HERE
#line 106
#line 106
allow {coredomain appdomain shell} core_property_type:file { getattr open read map };
#line 106
#line 106
#line 106
allow {coredomain appdomain shell} exported3_system_prop:file { getattr open read map };
#line 106
#line 106
#line 106
allow {coredomain appdomain shell} exported_camera_prop:file { getattr open read map };
#line 106
#line 106
#line 106
allow {coredomain shell} userspace_reboot_exported_prop:file { getattr open read map };
#line 106
#line 106
#line 106
allow {coredomain shell} userspace_reboot_log_prop:file { getattr open read map };
#line 106
#line 106
#line 106
allow {coredomain shell} userspace_reboot_test_prop:file { getattr open read map };
#line 106
#line 106
#line 106
allow {domain -coredomain -appdomain} vendor_default_prop:file { getattr open read map };
#line 106
#line 106
#line 106
# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 115
# Public readable properties
# get_prop(domain, ...) expansions: every property type listed here is
# readable by all domains. The one exception is userdebug_or_eng_prop, which
# is withheld from untrusted, isolated and ephemeral apps.
#line 118
allow domain aaudio_config_prop:file { getattr open read map };
#line 118
#line 119
allow domain apexd_select_prop:file { getattr open read map };
#line 119
#line 120
allow domain arm64_memtag_prop:file { getattr open read map };
#line 120
#line 121
allow domain bluetooth_config_prop:file { getattr open read map };
#line 121
#line 122
allow domain bootloader_prop:file { getattr open read map };
#line 122
#line 123
allow domain build_odm_prop:file { getattr open read map };
#line 123
#line 124
allow domain build_prop:file { getattr open read map };
#line 124
#line 125
allow domain build_vendor_prop:file { getattr open read map };
#line 125
#line 126
allow domain debug_prop:file { getattr open read map };
#line 126
#line 127
allow domain exported_config_prop:file { getattr open read map };
#line 127
#line 128
allow domain exported_default_prop:file { getattr open read map };
#line 128
#line 129
allow domain exported_dumpstate_prop:file { getattr open read map };
#line 129
#line 130
allow domain exported_secure_prop:file { getattr open read map };
#line 130
#line 131
allow domain exported_system_prop:file { getattr open read map };
#line 131
#line 132
allow domain fingerprint_prop:file { getattr open read map };
#line 132
#line 133
allow domain framework_status_prop:file { getattr open read map };
#line 133
#line 134
allow domain gwp_asan_prop:file { getattr open read map };
#line 134
#line 135
allow domain hal_instrumentation_prop:file { getattr open read map };
#line 135
#line 136
allow domain hw_timeout_multiplier_prop:file { getattr open read map };
#line 136
#line 137
allow domain init_service_status_prop:file { getattr open read map };
#line 137
#line 138
allow domain libc_debug_prop:file { getattr open read map };
#line 138
#line 139
allow domain locale_prop:file { getattr open read map };
#line 139
#line 140
allow domain logd_prop:file { getattr open read map };
#line 140
#line 141
allow domain mediadrm_config_prop:file { getattr open read map };
#line 141
#line 142
allow domain property_service_version_prop:file { getattr open read map };
#line 142
#line 143
allow domain soc_prop:file { getattr open read map };
#line 143
#line 144
allow domain socket_hook_prop:file { getattr open read map };
#line 144
#line 145
allow domain surfaceflinger_prop:file { getattr open read map };
#line 145
#line 146
allow domain telephony_status_prop:file { getattr open read map };
#line 146
#line 147
allow domain timezone_prop:file { getattr open read map };
#line 147
#line 148
# Not exposed to untrusted / isolated / ephemeral apps.
allow {domain -untrusted_app_all -isolated_app_all -ephemeral_app } userdebug_or_eng_prop:file { getattr open read map };
#line 148
#line 149
allow domain vendor_socket_hook_prop:file { getattr open read map };
#line 149
#line 150
allow domain vndk_prop:file { getattr open read map };
#line 150
#line 151
allow domain vold_status_prop:file { getattr open read map };
#line 151
#line 152
allow domain vts_config_prop:file { getattr open read map };
#line 152
# Binder cache properties are world-readable
#line 155
allow domain binder_cache_bluetooth_server_prop:file { getattr open read map };
#line 155
#line 156
allow domain binder_cache_system_server_prop:file { getattr open read map };
#line 156
#line 157
allow domain binder_cache_telephony_server_prop:file { getattr open read map };
#line 157
# Allow access to fsverity keyring.
# "search" only: domains may look keys up to verify signatures, not read or
# modify the keyring.
allow domain kernel:key search;
# Allow access to keys in the fsverity keyring that were installed at boot.
allow domain fsverity_init:key search;
# For testing purposes, allow access to keys installed with su.
# (No rule follows in this expansion: that grant is userdebug/eng-only and is
# absent from this user-build policy.)
#line 166
# Allow access to linkerconfig file
allow domain linkerconfig_file:dir search;
allow domain linkerconfig_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow all processes to check for the existence of the boringssl_self_test_marker files.
# "search" on the directory is enough for an existence check via stat(); the
# marker files themselves are not readable through this rule.
allow domain boringssl_self_test_marker:dir search;
# Allow all processes to read the file_logger property that liblog uses to check if file_logger
# should be used.
#line 177
allow domain log_file_logger_prop:file { getattr open read map };
#line 177
# Allow all processes to connect to PRNG seeder daemon.
# unix_socket_connect(domain, prng_seeder_socket, prng_seeder) expansion:
# every domain may reach the seeder socket; the seeder only hands out
# randomness, so this is intentionally unrestricted.
#line 180
allow domain prng_seeder_socket:sock_file write;
#line 180
allow domain prng_seeder:unix_stream_socket connectto;
#line 180
# Allow calls to system(3), popen(3), ...
# This grants execute_no_trans on shell_exec/toolbox_exec, so the spawned
# shell or toolbox runs in the *caller's* domain with the caller's
# permissions. The listed domains are excluded because each carries a
# neverallow on executing shell/toolbox (media servers, HALs, zygotes, init,
# system_server, ...).
allow {
domain
# Except domains that explicitly neverallow it.
-kernel
-init
-vendor_init
-app_zygote
-webview_zygote
-system_server
-artd
-audioserver
-cameraserver
-mediadrmserver
-mediaextractor
-mediametrics
-mediaserver
-mediatuner
-mediatranscoding
-ueventd
-hal_audio_server
-hal_camera_server
-hal_cas_server
-hal_codec2_server
-hal_configstore_server
-hal_drm_server
-hal_omx_server
} {shell_exec toolbox_exec}:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
# this partition for testing purposes.
# Only the listed OTA/boot-control/recovery domains may read or write the raw
# misc partition (bootloader messages, boot slot control). The
# "exclude debuggable builds" entry below has no exclusion after it in this
# expansion: the userdebug/eng exemption is compiled out here.
neverallow {
domain
# exclude debuggable builds
-fastbootd
-hal_bootctl_server
-init
-uncrypt
-update_engine
-vendor_init
-vendor_misc_writer
-vold
-recovery
-ueventd
-mtectrl
-misctrl
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these allowlisted domains.
# CAP_SYS_PTRACE is checked both for ptrace(2) and for /proc/[pid]/mem-style
# access across UIDs; keeping the holder set to four domains is what makes
# the profiler (heapprofd/traced_perf) fd-passing design above necessary.
neverallow {
domain
-vold
-dumpstate
-storaged
-system_server
} self:{ capability cap_userns } sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to priv_apps
# Unique-ID attestation is a tracking-capable identifier, so only privileged
# apps and GMS Core may request it.
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
# Device-ID attestation (IMEI/serial in the attestation record) and
# namespace-wide key operations (clear/lock/reset/unlock) are reserved for
# system_server.
neverallow { domain -system_server } *:keystore2_key use_dev_id;
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
# Only init and vendor_init may touch debugfs_tracing_debug files at all (the
# permission set is every file access, read included).
neverallow {
domain
-init
-vendor_init
} debugfs_tracing_debug:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# System_server owns dropbox data, and init creates/restorecons the directory
# Disallow direct access by other processes.
# Other domains may at most getattr/read an existing dropbox file (e.g. one
# handed to them by system_server); directory access is fully denied.
neverallow {
domain
-init
-system_server
} dropbox_data_file:dir *;
neverallow {
domain
-init
-system_server
} dropbox_data_file:file ~{ getattr read };
###
# Services should respect app sandboxes
# Read these together: only apps themselves, installd (sandbox lifecycle) and
# artd (secondary dex compilation) may create/unlink inside app data; a
# slightly wider set may traverse the directories; relabelling is installd
# and artd only. dexoptanalyzer is in the "dir *" exemption list below but
# in none of the write lists, matching its read-only rules earlier in the file.
neverallow {
domain
-appdomain
-artd # compile secondary dex files
-installd # creation of sandbox
} { privapp_data_file app_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create unlink };
# Only the following processes should be directly accessing private app
# directories.
neverallow {
domain
-adbd
-appdomain
-app_zygote
-artd # compile secondary dex files
-dexoptanalyzer
-installd
-profman
-rs # spawned by appdomain, so carryover the exception above
-runas
-system_server
-viewcompiler
-zygote
} { privapp_data_file app_data_file }:dir *;
# Only apps should be modifying app data. installd is exempted for
# restorecon and package install/uninstall.
neverallow {
domain
-appdomain
-artd # compile secondary dex files
-installd
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:dir ~{ open getattr read search ioctl lock watch watch_reads };
neverallow {
domain
-appdomain
-app_zygote
-artd # compile secondary dex files
-installd
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } open;
# Identical to the first { create unlink } neverallow at the top of this run;
# the duplicate is harmless.
neverallow {
domain
-appdomain
-artd # compile secondary dex files
-installd # creation of sandbox
} { privapp_data_file app_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create unlink };
neverallow {
domain
-artd # compile secondary dex files
-installd
} { privapp_data_file app_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { relabelfrom relabelto };
# The staging directory contains APEX and APK files. It is important to ensure
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
# This is a TOCTOU guard: the rules below keep the writer set (init and
# system_server; installd additionally for directories) much smaller than the
# reader set, so a staged artifact cannot be swapped after it was verified.
neverallow {
domain
-init
-system_server
-apexd
-installd
-priv_app
-virtualizationmanager
} staging_data_file:dir *;
# Readers of staged files. virtualizationmanager/crosvm are here for
# staged APEXes consumed by protected VMs; adbd/shell/kernel for debugging
# and install paths. None of these may write (see the last rule of this run).
neverallow {
domain
-init
-system_app
-system_server
-apexd
-adbd
-kernel
-installd
-priv_app
-shell
-virtualizationmanager
-crosvm
} staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
# Executing staged files directly is also denied for everyone but init and
# system_server.
neverallow { domain -init -system_server } staging_data_file:file
{ append create relabelfrom rename setattr write { execute execute_no_trans } };
# No executing files that still carry a filesystem-level label (fs_type),
# i.e. content on unlabelled/pseudo filesystems; rootfs is the exception,
# plus oemfs for apps and the boot animation, and recovery's tmpfs updater.
neverallow {
domain
-appdomain # for oemfs
-bootanim # for oemfs
-recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;
#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few allowlisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
#
# Note the target is every file_type minus system/vendor/exec/linker types
# and postinstall_file; the exempt subjects are apps, shell, the zygotes and
# system_server_startup (memfd-backed code).
neverallow {
domain
-appdomain
-shell
-system_server_startup # for memfd backed executable regions
-app_zygote
-webview_zygote
-zygote
} {
file_type
-system_file_type
-system_lib_file
-system_linker_exec
-vendor_file_type
-exec_type
-postinstall_file
}:file execute;
# Only init is allowed to write cgroup.rc file
# (vendor_init is also exempt; everyone else has read-only access per the
# allow rule earlier in this file.)
neverallow {
domain
-init
-vendor_init
} cgroup_rc_file:file { append create link unlink relabelfrom rename setattr write };
# Only authorized processes should be writing to files in /data/dalvik-cache
# The dalvik cache is executable content (it is exempted from the
# "no execute from /data" neverallow below), so its writer set is the
# compilation pipeline only: installd, dex2oat, artd, the postinstall/OTA
# dexopt tools, zygote, and init for relabelling.
neverallow {
domain
-init # TODO: limit init to relabelfrom for files
-zygote
-installd
-postinstall_dexopt
-cppreopts
-dex2oat
-otapreopt_slot
-artd
} dalvikcache_data_file:file { append create link unlink relabelfrom rename setattr write };
neverallow {
domain
-init
-installd
-postinstall_dexopt
-cppreopts
-dex2oat
-zygote
-otapreopt_slot
-artd
} dalvikcache_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
# Like the dalvik cache, this content is executable (exempted from the
# /data execute neverallow below) and is signed by odsign after odrefresh /
# compos produce it; readers such as dexoptanalyzer and dexopt_chroot_setup
# are deliberately not in these lists.
neverallow {
domain
# art-related processes
-composd
-compos_fd_server
-odrefresh
-odsign
# others
-apexd
-init
-vold_prepare_subdirs
} apex_art_data_file:file { append create link unlink relabelfrom rename setattr write };
neverallow {
domain
# art-related processes
-composd
-compos_fd_server
-odrefresh
-odsign
# others
-apexd
-init
-vold_prepare_subdirs
} apex_art_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
# Protect most domains from executing arbitrary content from /data.
# The four exempted data types are exactly the ones whose writers are pinned
# down by the neverallows above (dalvik cache, ART APEX artifacts) or that
# hold installed packages (apk_data_file, shared libs under system_data_file).
neverallow {
domain
-appdomain
} {
data_file_type
-apex_art_data_file
-dalvikcache_data_file
-system_data_file # shared libs in apks
-apk_data_file
}:file { execute execute_no_trans };
# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
# Syntax note: "neverallow ~{ ... }" means every type NOT in the braces, so
# the listed domains are the only possible holders of CAP_DAC_OVERRIDE.
#line 498
neverallow ~{
#line 499
apexd
#line 499
artd
#line 499
dnsmasq
#line 499
dumpstate
#line 499
init
#line 499
installd
#line 499
#line 499
lmkd
#line 499
migrate_legacy_obb_data
#line 499
netd
#line 499
postinstall_dexopt
#line 499
recovery
#line 499
rss_hwm_reset
#line 499
sdcardd
#line 499
tee
#line 499
ueventd
#line 499
uncrypt
#line 499
vendor_init
#line 499
vold
#line 499
vold_prepare_subdirs
#line 499
zygote
#line 499
} self:{ capability cap_userns } dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
# have dac_override should also have dac_read_search to eliminate spurious
# denials. Some domains have dac_read_search without having dac_override, so
# this list should be a superset of the one above.
# The superset adds the three profilers (traced_perf, traced_probes,
# heapprofd), which need to traverse other UIDs' /proc trees but never
# need to override write permissions.
neverallow ~{
{
#line 505
apexd
#line 505
artd
#line 505
dnsmasq
#line 505
dumpstate
#line 505
init
#line 505
installd
#line 505
#line 505
lmkd
#line 505
migrate_legacy_obb_data
#line 505
netd
#line 505
postinstall_dexopt
#line 505
recovery
#line 505
rss_hwm_reset
#line 505
sdcardd
#line 505
tee
#line 505
ueventd
#line 505
uncrypt
#line 505
vendor_init
#line 505
vold
#line 505
vold_prepare_subdirs
#line 505
zygote
#line 505
}
traced_perf
traced_probes
heapprofd
} self:{ capability cap_userns } dac_read_search;
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type (including vfat and exfat) and fusefs_type are exempt as a larger
# set of domains need this capability, including device-specific domains.
neverallow {
domain
-apexd
-init
-kernel
-otapreopt_chroot
-recovery
-update_engine
-vold
-zygote
} { fs_type
-sdcard_type
-fusefs_type
}:filesystem { mount remount relabelfrom relabelto };
# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 530
#line 530
neverallow {
#line 530
domain
#line 530
} { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
#line 530
#line 530
# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 534
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
domain
-kernel
-gsid
-init
-recovery
-ueventd
-uncrypt
-tee
-hal_bootctl_server
-fastbootd
} self:{ capability cap_userns } sys_rawio;
# Limit directory operations for domains that don't need to do app data isolation.
neverallow {
domain
-fsck
-init
-installd
-zygote
} mirror_data_file:dir *;
# This property is being removed. Remove remaining access.
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
# Only core domains are allowed to access package_manager properties
neverallow { domain -init -system_server } pm_prop:property_service set;
neverallow { domain -coredomain } pm_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Do not allow reading the last boot timestamp from system properties
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file { getattr open read ioctl lock map watch watch_reads };
# Allow ART to set its config properties in its oneshot boot service, in
# addition to the common init and vendor_init access.
neverallow { domain -art_boot -init -vendor_init } dalvik_config_prop:property_service set;
# Kprobes should only be used by adb root
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
# On TREBLE devices, most coredomains should not access vendor_files.
# TODO(b/71553434): Remove exceptions here.
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 580
#line 580
neverallow {
#line 580
coredomain
#line 580
-appdomain
#line 580
-bootanim
#line 580
-crash_dump
#line 580
-heapprofd
#line 580
#line 580
-init
#line 580
-kernel
#line 580
#line 580
-traced_perf
#line 580
-ueventd
#line 580
} vendor_file:file { { append create link unlink relabelfrom rename setattr write } { execute execute_no_trans } open };
#line 580
#line 580
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 594
# Vendor domains are not permitted to initiate communications to core domain sockets
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 597
#line 597
#line 597
neverallow {
#line 597
domain
#line 597
-coredomain
#line 597
-appdomain
#line 597
-socket_between_core_and_vendor_violators
#line 597
} {
#line 597
coredomain
#line 597
-logd # Logging by writing to logd Unix domain socket is public API
#line 597
-netd # netdomain needs this
#line 597
-mdnsd # netdomain needs this
#line 597
-prng_seeder # Any process using libcrypto needs this
#line 597
# communications with su are permitted only on userdebug or eng builds
#line 597
-init
#line 597
-tombstoned # linker to tombstoned
#line 597
-heapprofd
#line 597
-traced
#line 597
-traced_perf
#line 597
}:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } { connect sendto };
#line 597
neverallow {
#line 597
domain
#line 597
-coredomain
#line 597
-appdomain
#line 597
-socket_between_core_and_vendor_violators
#line 597
} {
#line 597
coredomain
#line 597
-logd # Logging by writing to logd Unix domain socket is public API
#line 597
-netd # netdomain needs this
#line 597
-mdnsd # netdomain needs this
#line 597
-prng_seeder # Any process using libcrypto needs this
#line 597
# communications with su are permitted only on userdebug or eng builds
#line 597
-init
#line 597
-tombstoned # linker to tombstoned
#line 597
-heapprofd
#line 597
-traced
#line 597
-traced_perf
#line 597
}:unix_stream_socket connectto;
#line 597
;
#line 597
#line 597
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 616
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 618
#line 618
# Do not allow system components access to /vendor files except for the
#line 618
# ones allowed here.
#line 618
neverallow {
#line 618
coredomain
#line 618
# TODO(b/37168747): clean up fwk access to /vendor
#line 618
-crash_dump
#line 618
-crosvm # loads vendor-specific disk images
#line 618
-init # starts vendor executables
#line 618
-kernel # loads /vendor/firmware
#line 618
-heapprofd
#line 618
#line 618
-shell
#line 618
#line 618
-system_executes_vendor_violators
#line 618
-traced_perf # library/binary access for symbolization
#line 618
-ueventd # reads /vendor/ueventd.rc
#line 618
-vold # loads incremental fs driver
#line 618
} {
#line 618
vendor_file_type
#line 618
-same_process_hal_file
#line 618
-vendor_app_file
#line 618
-vendor_apex_file
#line 618
-vendor_apex_metadata_file
#line 618
-vendor_configs_file
#line 618
-vendor_microdroid_file
#line 618
-vendor_service_contexts_file
#line 618
-vendor_framework_file
#line 618
-vendor_idc_file
#line 618
-vendor_keychars_file
#line 618
-vendor_keylayout_file
#line 618
-vendor_overlay_file
#line 618
-vendor_public_framework_file
#line 618
-vendor_public_lib_file
#line 618
-vendor_task_profiles_file
#line 618
-vendor_uuid_mapping_config_file
#line 618
-vndk_sp_file
#line 618
-vendor_aconfig_storage_file
#line 618
}:file *;
#line 618
#line 618
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 657
# mlsvendorcompat is only for compatibility support for older vendor
# images, and should not be granted to any domain in current policy.
# (Every domain is allowed self:fork, so this will trigger if the
# intersection of domain & mlsvendorcompat is not empty.)
neverallow domain mlsvendorcompat:process fork;
# Only init and otapreopt_chroot should be mounting filesystems on locations
# labeled system or vendor (/product and /vendor respectively).
neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } mounton;
# Only allow init and vendor_init to read/write mm_events properties
# NOTE: dumpstate is allowed to read any system property
neverallow {
domain
-init
-vendor_init
-dumpstate
} mm_events_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
# kernel traces. Addresses are not disclosed; they are replaced with symbol
# names (if available). Traces don't disclose KASLR.
neverallow {
domain
-init
-vendor_init
-traced_probes
-traced_perf
} proc_kallsyms:file { open read };
# debugfs_kcov type is not included in this neverallow statement since the KCOV
# tool uses it for kernel fuzzing.
# vendor_modprobe is also exempted since the kernel modules it loads may create
# debugfs files in its context.
# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 695
#line 695
neverallow {
#line 695
domain
#line 695
-vendor_modprobe
#line 695
#line 695
} { debugfs_type
#line 695
#line 695
-tracefs_type
#line 695
}:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 695
#line 695
# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 708
# Restrict write access to etm sysfs interface.
neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file { append create link unlink relabelfrom rename setattr write };
# Restrict CAP_PERFMON.
neverallow {
domain
-init
-vendor_modprobe
-kernel
-uprobestats
} self:capability2 perfmon;
# Restrict direct access to shell owned files. The /data/local/tmp directory is
# untrustworthy, and non-allowed domains should not be trusting any content in
# those directories. We allow shell files to be passed around by file
# descriptor, but not directly opened.
# artd doesn't need to access /data/local/tmp, but it needs to access
# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
# dex files.
neverallow {
domain
-adbd
-appdomain
-artd
-dumpstate
-installd
} shell_data_file:file open;
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
# directory is untrustworthy, and non-allowed domains should
# not be trusting any content in those directories.
# artd doesn't need to access /data/local/tmp, but it needs to access
# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
# dex files.
neverallow {
domain
-adbd
-artd
-dumpstate
-installd
-init
-shell
-vold
} shell_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
neverallow {
domain
-adbd
-appdomain
-artd
-dumpstate
-init
-installd
-simpleperf_app_runner
-system_server # why?
} shell_data_file:dir open;
neverallow {
domain
-adbd
-appdomain
-artd
-dumpstate
-init
-installd
-simpleperf_app_runner
-system_server # why?
} shell_data_file:dir search;
# respect system_app sandboxes
neverallow {
domain
-appdomain
-artd # compile secondary dex files
-system_server #populate com.android.providers.settings/databases/settings.db.
-installd # creation of app sandbox
-traced_probes # resolve inodes for i/o tracing.
# only needs open and read; the rest is neverallowed in
# traced_probes.te.
} system_app_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create unlink open };
neverallow {
isolated_app_all
ephemeral_app
priv_app
sdk_sandbox_all
untrusted_app_all
} system_app_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create unlink open };
neverallow { domain -init } mtectrl:process { dyntransition transition };
# For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
# Do not allow write access to aconfig flag value files except init and aconfigd
neverallow { domain -init -aconfigd } aconfig_storage_metadata_file:dir *;
neverallow { domain -init -aconfigd } aconfig_storage_metadata_file:file { append create link unlink relabelfrom rename setattr write };
#line 1 "system/sepolicy/private/drmserver.te"
typeattribute drmserver coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init drmserver_exec:file { getattr open read execute map };
#line 3
allow init drmserver:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow drmserver drmserver_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init drmserver:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init drmserver:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init drmserver_exec:process drmserver;
#line 3
#line 3
type_transition drmserver apk_data_file:sock_file drmserver_socket;
typeattribute drmserver_socket coredomain_socket;
#line 9
allow drmserver drm_service_config_prop:file { getattr open read map };
#line 9
#line 1 "system/sepolicy/private/dumpstate.te"
typeattribute dumpstate coredomain;
type dumpstate_tmpfs, file_type;
#line 4
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init dumpstate_exec:file { getattr open read execute map };
#line 4
allow init dumpstate:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow dumpstate dumpstate_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init dumpstate:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init dumpstate:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition init dumpstate_exec:process dumpstate;
#line 4
#line 4
# Execute and transition to the vdc domain
#line 7
# Allow the necessary permissions.
#line 7
#line 7
# Old domain may exec the file and transition to the new domain.
#line 7
allow dumpstate vdc_exec:file { getattr open read execute map };
#line 7
allow dumpstate vdc:process transition;
#line 7
# New domain is entered by executing the file.
#line 7
allow vdc vdc_exec:file { entrypoint open read execute getattr map };
#line 7
# New domain can send SIGCHLD to its caller.
#line 7
allow vdc dumpstate:process sigchld;
#line 7
# Enable AT_SECURE, i.e. libc secure mode.
#line 7
dontaudit dumpstate vdc:process noatsecure;
#line 7
# XXX dontaudit candidate but requires further study.
#line 7
allow dumpstate vdc:process { siginh rlimitinh };
#line 7
#line 7
# Make the transition occur by default.
#line 7
type_transition dumpstate vdc_exec:process vdc;
#line 7
# Create tmpfs files for using memfd descriptors to get output from child
# processes.
#line 11
type_transition dumpstate tmpfs:file dumpstate_tmpfs;
#line 11
allow dumpstate dumpstate_tmpfs:file { read write getattr map };
#line 11
# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
allow dumpstate system_file:file lock;
allow dumpstate storaged_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# /data/misc/a11ytrace for accessibility traces
#line 22
# /data/misc/wmtrace for wm traces
#line 28
# /data/system/dropbox for dropbox entries
#line 34
# Allow dumpstate to make binder calls to incidentd
#line 37
# Call the server domain and optionally transfer references to it.
#line 37
allow dumpstate incidentd:binder { call transfer };
#line 37
# Allow the serverdomain to transfer references to the client on the reply.
#line 37
allow incidentd dumpstate:binder transfer;
#line 37
# Receive and use open files from the server.
#line 37
allow dumpstate incidentd:fd use;
#line 37
# Kill incident in case of a timeout
allow dumpstate incident:process { signal sigkill };
# Allow dumpstate to make binder calls to storaged service
#line 43
# Call the server domain and optionally transfer references to it.
#line 43
allow dumpstate storaged:binder { call transfer };
#line 43
# Allow the serverdomain to transfer references to the client on the reply.
#line 43
allow storaged dumpstate:binder transfer;
#line 43
# Receive and use open files from the server.
#line 43
allow dumpstate storaged:fd use;
#line 43
# Allow dumpstate to make binder calls to statsd
#line 46
# Call the server domain and optionally transfer references to it.
#line 46
allow dumpstate statsd:binder { call transfer };
#line 46
# Allow the serverdomain to transfer references to the client on the reply.
#line 46
allow statsd dumpstate:binder transfer;
#line 46
# Receive and use open files from the server.
#line 46
allow dumpstate statsd:fd use;
#line 46
# Allow dumpstate to talk to gpuservice over binder
#line 49
# Call the server domain and optionally transfer references to it.
#line 49
allow dumpstate gpuservice:binder { call transfer };
#line 49
# Allow the serverdomain to transfer references to the client on the reply.
#line 49
allow gpuservice dumpstate:binder transfer;
#line 49
# Receive and use open files from the server.
#line 49
allow dumpstate gpuservice:fd use;
#line 49
;
# Allow dumpstate to talk to idmap over binder
#line 52
# Call the server domain and optionally transfer references to it.
#line 52
allow dumpstate idmap:binder { call transfer };
#line 52
# Allow the serverdomain to transfer references to the client on the reply.
#line 52
allow idmap dumpstate:binder transfer;
#line 52
# Receive and use open files from the server.
#line 52
allow dumpstate idmap:fd use;
#line 52
;
# Allow dumpstate to talk to profcollectd over binder
#line 57
# Allow dumpstate to talk to automotive_display_service over binder
#line 60
# Call the server domain and optionally transfer references to it.
#line 60
allow dumpstate automotive_display_service:binder { call transfer };
#line 60
# Allow the serverdomain to transfer references to the client on the reply.
#line 60
allow automotive_display_service dumpstate:binder transfer;
#line 60
# Receive and use open files from the server.
#line 60
allow dumpstate automotive_display_service:fd use;
#line 60
# Allow dumpstate to talk to virtual_camera service over binder
#line 63
# Call the server domain and optionally transfer references to it.
#line 63
allow dumpstate virtual_camera:binder { call transfer };
#line 63
# Allow the serverdomain to transfer references to the client on the reply.
#line 63
allow virtual_camera dumpstate:binder transfer;
#line 63
# Receive and use open files from the server.
#line 63
allow dumpstate virtual_camera:fd use;
#line 63
# Allow dumpstate to talk to ot_daemon service over binder
#line 66
# Call the server domain and optionally transfer references to it.
#line 66
allow dumpstate ot_daemon:binder { call transfer };
#line 66
# Allow the serverdomain to transfer references to the client on the reply.
#line 66
allow ot_daemon dumpstate:binder transfer;
#line 66
# Receive and use open files from the server.
#line 66
allow dumpstate ot_daemon:fd use;
#line 66
# Collect metrics on boot time created by init
#line 69
allow dumpstate boottime_prop:file { getattr open read map };
#line 69
#line 71
allow dumpstate misctrl_prop:file { getattr open read map };
#line 71
# Signal native processes to dump their stack.
allow dumpstate {
mediatranscoding
statsd
netd
virtual_camera
ot_daemon
}:process signal;
# Only allow dumpstate to dump Keystore on debuggable builds.
#line 85
dontaudit dumpstate keystore:process { signal };
# For collecting bugreports.
#line 89
allow dumpstate debugfs_wakeup_sources:file { getattr open read ioctl lock map watch watch_reads };
#line 91
allow dumpstate dev_type:blk_file getattr;
allow dumpstate webview_zygote:process signal;
allow dumpstate sysfs_dmabuf_stats:file { getattr open read ioctl lock map watch watch_reads };
dontaudit dumpstate update_engine:binder call;
# Read files in /proc
allow dumpstate {
config_gz
proc_net_tcp_udp
proc_pid_max
}:file { getattr open read ioctl lock map watch watch_reads };
# For communicating with the system process to do the confirmation UI.
#line 106
# Call the server domain and optionally transfer references to it.
#line 106
allow dumpstate incidentcompanion_service:binder { call transfer };
#line 106
# Allow the serverdomain to transfer references to the client on the reply.
#line 106
allow incidentcompanion_service dumpstate:binder transfer;
#line 106
# Receive and use open files from the server.
#line 106
allow dumpstate incidentcompanion_service:fd use;
#line 106
# Set properties.
# dumpstate_prop is used to share state with the Shell app.
#line 110
#line 110
allow dumpstate property_socket:sock_file write;
#line 110
allow dumpstate init:unix_stream_socket connectto;
#line 110
#line 110
allow dumpstate dumpstate_prop:property_service set;
#line 110
#line 110
allow dumpstate dumpstate_prop:file { getattr open read map };
#line 110
#line 110
#line 111
#line 111
allow dumpstate property_socket:sock_file write;
#line 111
allow dumpstate init:unix_stream_socket connectto;
#line 111
#line 111
allow dumpstate exported_dumpstate_prop:property_service set;
#line 111
#line 111
allow dumpstate exported_dumpstate_prop:file { getattr open read map };
#line 111
#line 111
# dumpstate_options_prop is used to pass extra command-line args.
#line 114
#line 114
allow dumpstate property_socket:sock_file write;
#line 114
allow dumpstate init:unix_stream_socket connectto;
#line 114
#line 114
allow dumpstate dumpstate_options_prop:property_service set;
#line 114
#line 114
allow dumpstate dumpstate_options_prop:file { getattr open read map };
#line 114
#line 114
# Allow dumpstate to kill vendor dumpstate service by init
#line 117
#line 117
allow dumpstate property_socket:sock_file write;
#line 117
allow dumpstate init:unix_stream_socket connectto;
#line 117
#line 117
allow dumpstate ctl_dumpstate_prop:property_service set;
#line 117
#line 117
allow dumpstate ctl_dumpstate_prop:file { getattr open read map };
#line 117
#line 117
# For dumping dynamic partition information.
#line 120
#line 120
allow dumpstate property_socket:sock_file write;
#line 120
allow dumpstate init:unix_stream_socket connectto;
#line 120
#line 120
allow dumpstate lpdumpd_prop:property_service set;
#line 120
#line 120
allow dumpstate lpdumpd_prop:file { getattr open read map };
#line 120
#line 120
#line 121
# Call the server domain and optionally transfer references to it.
#line 121
allow dumpstate lpdumpd:binder { call transfer };
#line 121
# Allow the serverdomain to transfer references to the client on the reply.
#line 121
allow lpdumpd dumpstate:binder transfer;
#line 121
# Receive and use open files from the server.
#line 121
allow dumpstate lpdumpd:fd use;
#line 121
# For dumping hypervisor information.
#line 124
allow dumpstate hypervisor_prop:file { getattr open read map };
#line 124
# For dumping device-mapper and snapshot information.
allow dumpstate gsid_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 128
#line 128
allow dumpstate property_socket:sock_file write;
#line 128
allow dumpstate init:unix_stream_socket connectto;
#line 128
#line 128
allow dumpstate ctl_gsid_prop:property_service set;
#line 128
#line 128
allow dumpstate ctl_gsid_prop:file { getattr open read map };
#line 128
#line 128
#line 129
# Call the server domain and optionally transfer references to it.
#line 129
allow dumpstate gsid:binder { call transfer };
#line 129
# Allow the serverdomain to transfer references to the client on the reply.
#line 129
allow gsid dumpstate:binder transfer;
#line 129
# Receive and use open files from the server.
#line 129
allow dumpstate gsid:fd use;
#line 129
#line 131
allow dumpstate ota_metadata_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 131
allow dumpstate ota_metadata_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 131
# For starting (and killing) perfetto --save-for-bugreport. If a labelled trace
# is being recorded, the command above will serialize it into
# /data/misc/perfetto-traces/bugreport/*.pftrace .
#line 136
# Allow the necessary permissions.
#line 136
#line 136
# Old domain may exec the file and transition to the new domain.
#line 136
allow dumpstate perfetto_exec:file { getattr open read execute map };
#line 136
allow dumpstate perfetto:process transition;
#line 136
# New domain is entered by executing the file.
#line 136
allow perfetto perfetto_exec:file { entrypoint open read execute getattr map };
#line 136
# New domain can send SIGCHLD to its caller.
#line 136
allow perfetto dumpstate:process sigchld;
#line 136
# Enable AT_SECURE, i.e. libc secure mode.
#line 136
dontaudit dumpstate perfetto:process noatsecure;
#line 136
# XXX dontaudit candidate but requires further study.
#line 136
allow dumpstate perfetto:process { siginh rlimitinh };
#line 136
#line 136
# Make the transition occur by default.
#line 136
type_transition dumpstate perfetto_exec:process perfetto;
#line 136
allow dumpstate perfetto:process signal;
allow dumpstate perfetto_traces_data_file:dir { search };
allow dumpstate perfetto_traces_bugreport_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow dumpstate perfetto_traces_bugreport_data_file:file { { getattr open read ioctl lock map watch watch_reads } unlink };
# When exec-ing /system/bin/perfetto, dumpstate redirects stdio to /dev/null
# (which is labelled as dumpstate_tmpfs) to avoid leaking an FD to the bugreport
# zip file. These rules allow perfetto.te to inherit dumpstate's
# /dev/null.
allow perfetto dumpstate_tmpfs:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow perfetto dumpstate:fd use;
# system_dlkm_file for /system_dlkm partition
allow dumpstate system_dlkm_file:dir getattr;
# Allow dumpstate to execute derive_sdk in its own domain
#line 153
# Allow the necessary permissions.
#line 153
#line 153
# Old domain may exec the file and transition to the new domain.
#line 153
allow dumpstate derive_sdk_exec:file { getattr open read execute map };
#line 153
allow dumpstate derive_sdk:process transition;
#line 153
# New domain is entered by executing the file.
#line 153
allow derive_sdk derive_sdk_exec:file { entrypoint open read execute getattr map };
#line 153
# New domain can send SIGCHLD to its caller.
#line 153
allow derive_sdk dumpstate:process sigchld;
#line 153
# Enable AT_SECURE, i.e. libc secure mode.
#line 153
dontaudit dumpstate derive_sdk:process noatsecure;
#line 153
# XXX dontaudit candidate but requires further study.
#line 153
allow dumpstate derive_sdk:process { siginh rlimitinh };
#line 153
#line 153
# Make the transition occur by default.
#line 153
type_transition dumpstate derive_sdk_exec:process derive_sdk;
#line 153
#line 1 "system/sepolicy/private/ephemeral_app.te"
###
### Ephemeral apps.
###
### This file defines the security policy for apps with the ephemeral
### feature.
###
### The ephemeral_app domain is a reduced permissions sandbox allowing
### ephemeral applications to be safely installed and run. Non ephemeral
### applications may also opt-in to ephemeral to take advantage of the
### additional security features.
###
### PackageManager flags an app as ephemeral at install time.
typeattribute ephemeral_app coredomain;
#line 16
typeattribute ephemeral_app netdomain;
#line 16
#line 17
typeattribute ephemeral_app appdomain;
#line 17
# Label tmpfs objects for all apps.
#line 17
type_transition ephemeral_app tmpfs:file appdomain_tmpfs;
#line 17
#line 17
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 17
type ephemeral_app_userfaultfd;
#line 17
type_transition ephemeral_app ephemeral_app:anon_inode ephemeral_app_userfaultfd "[userfaultfd]";
#line 17
# Allow domain to create/use userfaultfd anon_inode.
#line 17
allow ephemeral_app ephemeral_app_userfaultfd:anon_inode { create ioctl read };
#line 17
# Suppress errors generated during bugreport
#line 17
dontaudit su ephemeral_app_userfaultfd:anon_inode *;
#line 17
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 17
neverallow { domain -ephemeral_app } ephemeral_app_userfaultfd:anon_inode *;
#line 17
#line 17
allow ephemeral_app appdomain_tmpfs:file { execute getattr map read write };
#line 17
neverallow { ephemeral_app -runas_app -shell -simpleperf } { domain -ephemeral_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 17
# Other app domains may not touch files labeled ephemeral_app at all: the
# expanded set below covers create/write/read/open/ioctl/lock and the watch
# permissions. Only runas_app, shell and simpleperf are exempt.
neverallow { appdomain -runas_app -shell -simpleperf -ephemeral_app } ephemeral_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 17
# The Android security model guarantees the confidentiality and integrity
#line 17
# of application data and execution state. Ptrace bypasses those
#line 17
# confidentiality guarantees. Disallow ptrace access from system components to
#line 17
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 17
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 17
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 17
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 17
# live lock conditions.
#line 17
# NOTE(review): the comment above says llkd is excluded, but the rule below
# does not exempt llkd (only crash_dump, runas_app and simpleperf). The text
# looks copied from a broader ptrace rule; confirm which behavior is intended.
neverallow { domain -ephemeral_app -crash_dump -runas_app -simpleperf } ephemeral_app:process ptrace;
#line 17
# Allow ephemeral apps to read/write files in visible storage if provided fds
# Only already-open descriptors are usable: the neverallow rules at the end of
# this file deny open/create on these file types and search on their dirs.
allow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {read write getattr ioctl lock append};
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
# `execute` permits mapping the file as executable (e.g. a shared library).
# exec() without a domain transition additionally needs execute_no_trans,
# which the neverallow on app_data_file_type further down withholds.
allow ephemeral_app privapp_data_file:file { { getattr open read ioctl lock map watch watch_reads } execute };
allow ephemeral_app app_data_file:file { { getattr open read ioctl lock map watch watch_reads } execute };
# Follow priv-app symlinks. This is used for dynamite functionality.
allow ephemeral_app privapp_data_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
# Allow the renderscript compiler to be run.
# Expanded domain-transition macro: ephemeral_app may exec rs_exec and is
# moved into the rs domain by default (see the type_transition at the end).
#line 31
# Allow the necessary permissions.
#line 31
#line 31
# Old domain may exec the file and transition to the new domain.
#line 31
allow ephemeral_app rs_exec:file { getattr open read execute map };
#line 31
allow ephemeral_app rs:process transition;
#line 31
# New domain is entered by executing the file.
#line 31
allow rs rs_exec:file { entrypoint open read execute getattr map };
#line 31
# New domain can send SIGCHLD to its caller.
#line 31
allow rs ephemeral_app:process sigchld;
#line 31
# Enable AT_SECURE, i.e. libc secure mode.
#line 31
dontaudit ephemeral_app rs:process noatsecure;
#line 31
# XXX dontaudit candidate but requires further study.
#line 31
allow ephemeral_app rs:process { siginh rlimitinh };
#line 31
#line 31
# Make the transition occur by default.
#line 31
type_transition ephemeral_app rs_exec:process rs;
#line 31
# Allow loading and deleting shared libraries created by trusted system
# components within an application home directory.
# Note the extra `unlink`: the app may delete these files but, as above,
# gets no execute_no_trans on them.
allow ephemeral_app app_exec_data_file:file { { getattr open read ioctl lock map watch watch_reads } execute unlink };
# services
# `find` only: ephemeral apps can look up these services but not register any.
allow ephemeral_app audioserver_service:service_manager find;
allow ephemeral_app cameraserver_service:service_manager find;
allow ephemeral_app mediaserver_service:service_manager find;
allow ephemeral_app mediaextractor_service:service_manager find;
allow ephemeral_app mediametrics_service:service_manager find;
allow ephemeral_app mediadrmserver_service:service_manager find;
allow ephemeral_app drmserver_service:service_manager find;
allow ephemeral_app radio_service:service_manager find;
allow ephemeral_app ephemeral_app_api_service:service_manager find;
# allow ephemeral apps to use UDP sockets provided by the system server but not
# modify them other than to connect
# The set deliberately lacks create/bind/listen/accept; only sockets labeled
# system_server that were handed over can be used.
allow ephemeral_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
allow ephemeral_app ashmem_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
###
### neverallow rules
###
# No direct exec() of app-writable files from this domain.
neverallow ephemeral_app app_data_file_type:file execute_no_trans;
# Receive or send uevent messages.
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow ephemeral_app domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow ephemeral_app debugfs_type:file read;
# execute gpu_device
neverallow ephemeral_app gpu_device:chr_file execute;
# access files in /sys with the default sysfs label
neverallow ephemeral_app sysfs:file *;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
# The expanded set is the full file permission set, execute and
# execute_no_trans included.
neverallow ephemeral_app proc:file { { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads } { execute execute_no_trans } };
# Directly access external storage
# Complements the fd-based allow rule above: open/create and directory search
# are denied, so storage is reachable only through descriptors passed in.
neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {open create};
neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:dir search;
# Avoid reads to proc_net, it contains too much device wide information about
# ongoing connections.
neverallow ephemeral_app proc_net:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 1 "system/sepolicy/private/evsmanagerd.te"
# evsmanager
# The evsmanagerd type itself is not declared in this file; these statements
# only attach attributes to it. Only the exec type is declared here.
typeattribute evsmanagerd coredomain;
typeattribute evsmanagerd evsmanager_service_server;
type evsmanagerd_exec, system_file_type, exec_type, file_type;
# Expanded init-daemon transition: init execs evsmanagerd_exec and the child
# lands in the evsmanagerd domain by default.
#line 7
#line 7
# Allow the necessary permissions.
#line 7
#line 7
# Old domain may exec the file and transition to the new domain.
#line 7
allow init evsmanagerd_exec:file { getattr open read execute map };
#line 7
allow init evsmanagerd:process transition;
#line 7
# New domain is entered by executing the file.
#line 7
allow evsmanagerd evsmanagerd_exec:file { entrypoint open read execute getattr map };
#line 7
# New domain can send SIGCHLD to its caller.
#line 7
# No sigchld rule follows here, unlike the ephemeral_app -> rs expansion;
# the macro apparently omits it when the caller is init.
#line 7
# Enable AT_SECURE, i.e. libc secure mode.
#line 7
dontaudit init evsmanagerd:process noatsecure;
#line 7
# XXX dontaudit candidate but requires further study.
#line 7
allow init evsmanagerd:process { siginh rlimitinh };
#line 7
#line 7
# Make the transition occur by default.
#line 7
type_transition init evsmanagerd_exec:process evsmanagerd;
#line 7
#line 7
# Stray empty statement left by a trailing `;` after the macro call in the
# source file. The build accepted it, so it is harmless, but it is noise.
;
# Declares as a binder service
#line 10
typeattribute evsmanagerd binderservicedomain;
#line 10
# Allows to add a service to service_manager
#line 13
allow evsmanagerd evsmanagerd_service:service_manager { add find };
#line 13
# Only evsmanagerd may register its own service name; this guards against
# another domain impersonating the service.
neverallow { domain -evsmanagerd } evsmanagerd_service:service_manager add;
#line 13
#line 13
# On debug builds with root, allow binder services to use binder over TCP.
#line 13
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 13
# No rule follows the two comments above in this expansion, presumably
# because the debug-only conditional was not taken for this build.
#line 13
# Allows to use the binder IPC
#line 16
# Call the servicemanager and transfer references to it.
#line 16
allow evsmanagerd servicemanager:binder { call transfer };
#line 16
# Allow servicemanager to send out callbacks
#line 16
allow servicemanager evsmanagerd:binder { call transfer };
#line 16
# servicemanager performs getpidcon on clients.
#line 16
allow servicemanager evsmanagerd:dir search;
#line 16
allow servicemanager evsmanagerd:file { read open };
#line 16
allow servicemanager evsmanagerd:process getattr;
#line 16
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 16
# all domains in domain.te.
#line 16
# Allows binder IPCs to the various system services
#line 19
# Call the server domain and optionally transfer references to it.
#line 19
allow evsmanagerd system_server:binder { call transfer };
#line 19
# Allow the serverdomain to transfer references to the client on the reply.
#line 19
allow system_server evsmanagerd:binder transfer;
#line 19
# Receive and use open files from the server.
#line 19
allow evsmanagerd system_server:fd use;
#line 19
# Allows to use EVS HAL implementations
#line 22
typeattribute evsmanagerd halclientdomain;
#line 22
typeattribute evsmanagerd hal_evs_client;
#line 22
#line 22
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 22
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 22
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 22
#line 22
# Passthrough support: evsmanagerd also carries the hal_evs (server-side)
# attribute, so every rule granted to hal_evs below applies to it as well.
typeattribute evsmanagerd hal_evs;
#line 22
# Find passthrough HAL implementations
#line 22
allow hal_evs system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 22
allow hal_evs vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 22
# Includes execute/map on vendor files, i.e. loading vendor HAL code in-process.
allow hal_evs vendor_file:file { read open getattr execute map };
#line 22
#line 22
# Allows to write messages to the shell
allow evsmanagerd shell:fd use;
allow evsmanagerd shell:fifo_file write;
# Allows to use the graphics allocator
allow evsmanagerd hal_graphics_allocator:fd use;
# Allows to use a bootstrap statsd
allow evsmanagerd statsbootstrap_service:service_manager find;
# Allows binder IPCs to the CarService
# NOTE(review): the target here is the appdomain attribute, which is wider
# than the CarService named above (elsewhere in this policy it also covers
# ephemeral_app, shell, runas_app and simpleperf). Any app domain may thus
# receive calls and fds from evsmanagerd and transfer references back.
#line 35
# Call the server domain and optionally transfer references to it.
#line 35
allow evsmanagerd appdomain:binder { call transfer };
#line 35
# Allow the serverdomain to transfer references to the client on the reply.
#line 35
allow appdomain evsmanagerd:binder transfer;
#line 35
# Receive and use open files from the server.
#line 35
allow evsmanagerd appdomain:fd use;
#line 35
# For HIDL evs manager implementation
# hwservice `add` only; no neverallow guarding these names appears here.
allow evsmanagerd hal_evs_hwservice:hwservice_manager add;
allow evsmanagerd hidl_base_hwservice:hwservice_manager add;
#line 1 "system/sepolicy/private/extra_free_kbytes.te"
typeattribute extra_free_kbytes coredomain;
# Expanded init-daemon transition into the extra_free_kbytes domain.
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init extra_free_kbytes_exec:file { getattr open read execute map };
#line 3
allow init extra_free_kbytes:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow extra_free_kbytes extra_free_kbytes_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init extra_free_kbytes:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init extra_free_kbytes:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init extra_free_kbytes_exec:process extra_free_kbytes;
#line 3
#line 3
# Only extra_free_kbytes script is allowed to store these properties
# NOTE(review): the statement above is not enforced by anything in this file;
# only allow rules follow (property socket write, connect to init, set the
# property). Any exclusivity would have to come from a neverallow elsewhere.
#line 6
#line 6
allow extra_free_kbytes property_socket:sock_file write;
#line 6
allow extra_free_kbytes init:unix_stream_socket connectto;
#line 6
#line 6
allow extra_free_kbytes init_storage_prop:property_service set;
#line 6
#line 6
allow extra_free_kbytes init_storage_prop:file { getattr open read map };
#line 6
#line 6
#line 1 "system/sepolicy/private/fastbootd.te"
typeattribute fastbootd coredomain;
# The allow rules are only included in the recovery policy.
# Otherwise fastbootd is only allowed the domain rules.
# Source lines 3-51 are absent from this expansion, consistent with the
# recovery-only conditional described above not being taken here.
#line 52
# This capability allows fastbootd to circumvent memlock rlimits while using
# io_uring. An Alternative would be to up the memlock rlimit for the fastbootd service.
# NOTE(review): this grant is exactly what the io_uring macro comment further
# down warns against; it is deliberate per the justification above, but the
# rlimit alternative mentioned there would avoid handing out CAP_IPC_LOCK.
allow fastbootd self:capability ipc_lock;
#line 57
# Set up a type_transition to "io_uring" named anonymous inode object.
#line 57
type fastbootd_iouring;
#line 57
type_transition fastbootd fastbootd:anon_inode fastbootd_iouring "[io_uring]";
#line 57
# Allow domain to create/use io_uring anon_inode.
#line 57
allow fastbootd fastbootd_iouring:anon_inode { create map read write };
#line 57
allow fastbootd self:io_uring sqpoll;
#line 57
# Other domains may not use iouring anon_inodes created by this domain.
#line 57
neverallow { domain -fastbootd } fastbootd_iouring:anon_inode *;
#line 57
# io_uring checks for CAP_IPC_LOCK to determine whether or not to track
#line 57
# memory usage per uid against RLIMIT_MEMLOCK. This can lead folks to
#line 57
# grant CAP_IPC_LOCK to silence avc denials, which is undesirable.
#line 57
# This dontaudit is moot for fastbootd because ipc_lock is allowed above;
# it remains only because the macro emits it unconditionally.
dontaudit fastbootd self:{ capability cap_userns } ipc_lock;
#line 57
#line 1 "system/sepolicy/private/file.te"
# Type declarations only; no access rules live in this file. Each type lists
# the attributes (file_type, data_file_type, ...) that other rules key on.
# /proc/config.gz
type config_gz, fs_type, proc_type;
# /sys/fs/bpf/<dir> for mainline tethering use
# TODO: move S+ fs_bpf_tethering here from public/file.te
type fs_bpf_net_private, fs_type, bpffs_type;
type fs_bpf_net_shared, fs_type, bpffs_type;
type fs_bpf_netd_readonly, fs_type, bpffs_type;
type fs_bpf_netd_shared, fs_type, bpffs_type;
type fs_bpf_loader, fs_type, bpffs_type;
type fs_bpf_uprobestats, fs_type, bpffs_type;
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/wmtrace for wm traces
# mlstrustedobject: exempt from MLS constraints (see the rationale given for
# virtualizationservice_data_file and kvm_device below).
type wm_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/a11ytrace for accessibility traces
type accessibility_trace_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/perfetto-traces for perfetto traces
type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/perfetto-traces/bugreport for perfetto traces for bugreports.
type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/perfetto-traces/profiling for perfetto traces from profiling apis.
type perfetto_traces_profiling_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/uprobestats-configs for uprobestats configs
type uprobestats_configs_data_file, file_type, data_file_type, core_data_file_type;
# /apex/com.android.art/bin/oatdump
type oatdump_exec, system_file_type, exec_type, file_type;
# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
# Carries app_data_file_type, so app-wide rules (e.g. neverallows on
# app_data_file_type) apply to sandbox data as well.
type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
type debugfs_kcov, fs_type, debugfs_type;
# App executable files in /data/data directories
type app_exec_data_file, file_type, data_file_type, core_data_file_type;
# Legacy name kept as an alias of the same type.
typealias app_exec_data_file alias rs_data_file;
# /data/misc_[ce|de]/rollback : Used by installd to store snapshots
# of application data.
type rollback_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc_ce/checkin for checkin apps.
type checkin_data_file, file_type, data_file_type, core_data_file_type;
# /data/gsi/ota
type ota_image_data_file, file_type, data_file_type, core_data_file_type;
# /data/gsi_persistent_data
type gsi_persistent_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/emergencynumberdb
type emergency_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/profcollectd
type profcollectd_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/apexdata/com.android.art
type apex_art_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
# /data/misc/apexdata/com.android.art/staging
# Unlike its sibling above, the staging type does not carry apex_data_file_type.
type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/apexdata/com.android.compos
type apex_compos_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
# /data/misc/apexdata/com.android.virt
type apex_virt_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
# /data/misc/apexdata/com.android.tethering
type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
# legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
# for backward compatibility b/217581286
type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_permission_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
# /data/font/files
type font_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/dmesgd
type dmesgd_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/odrefresh
type odrefresh_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/odsign
type odsign_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/odsign_metrics
type odsign_metrics_file, file_type, data_file_type, core_data_file_type;
# /data/misc/virtualizationservice
# The type needs to be mlstrustedobject to allow for being accessed from
# virtualizationmanager, which runs at a more constrained MLS level.
type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/system/environ
type environ_system_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/bootanim
type bootanim_data_file, file_type, data_file_type, core_data_file_type;
# /dev/kvm
# The type needs to be mlstrustedobject to allow for being accessed from
# crosvm, which runs at a more constrained MLS level.
type kvm_device, dev_type, mlstrustedobject, vm_manager_device_type;
# /apex/com.android.virt/bin/fd_server
type fd_server_exec, system_file_type, exec_type, file_type;
# /apex/com.android.compos/bin/compsvc
type compos_exec, exec_type, file_type, system_file_type;
# /apex/com.android.compos/bin/compos_key_helper
type compos_key_helper_exec, exec_type, file_type, system_file_type;
# /apex/com.android.art/bin/art_exec
# This executable does not have its own domain because it is executed in the caller's domain. For
# example, it is executed in the `artd` domain when artd calls it.
# Consequence: whatever the caller may do, this binary may do; there is no
# confinement boundary at exec time.
type art_exec_exec, system_file_type, exec_type, file_type;
# Filesystem entry for PRNG seeder socket. Processes require
# write permission on this to connect, and needs to be mlstrustedobject
# in to satisfy MLS constraints for trusted domains.
type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
# /proc/device-tree/avf and /sys/firmware/devicetree/base/avf
type sysfs_dt_avf, fs_type, sysfs_type;
type proc_dt_avf, fs_type, proc_type;
# Type for /system/fonts/font_fallback.xml
type system_font_fallback_file, system_file_type, file_type;
# Type for /sys/devices/uprobe.
type sysfs_uprobe, fs_type, sysfs_type;
# Type for aconfig daemon socket
type aconfigd_socket, file_type, coredomain_socket;
# Type for /(system|system_ext|product)/etc/aconfig
type system_aconfig_storage_file, system_file_type, file_type;
# Type for /vendor/etc/aconfig
type vendor_aconfig_storage_file, vendor_file_type, file_type;
#line 1 "system/sepolicy/private/fingerprintd.te"
typeattribute fingerprintd coredomain;
# Expanded init-daemon transition into the fingerprintd domain. This is the
# only content of the private policy for fingerprintd in this build.
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init fingerprintd_exec:file { getattr open read execute map };
#line 3
allow init fingerprintd:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow fingerprintd fingerprintd_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init fingerprintd:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init fingerprintd:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init fingerprintd_exec:process fingerprintd;
#line 3
#line 3
#line 1 "system/sepolicy/private/flags_health_check.te"
typeattribute flags_health_check coredomain;
# Expanded init-daemon transition into the flags_health_check domain.
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init flags_health_check_exec:file { getattr open read execute map };
#line 3
allow init flags_health_check:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow flags_health_check flags_health_check_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init flags_health_check:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init flags_health_check:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init flags_health_check_exec:process flags_health_check;
#line 3
#line 3
# What follows is one expanded set-property macro per source line 5..37.
# Each grants the same four things: write on the property socket, connectto
# init, `set` on the named property type, and read/map of its property file.
# Only the repeated property-socket/connectto rules differ nothing between
# expansions; the property type is what changes.
#line 5
#line 5
allow flags_health_check property_socket:sock_file write;
#line 5
allow flags_health_check init:unix_stream_socket connectto;
#line 5
#line 5
allow flags_health_check device_config_boot_count_prop:property_service set;
#line 5
#line 5
allow flags_health_check device_config_boot_count_prop:file { getattr open read map };
#line 5
#line 5
#line 6
#line 6
allow flags_health_check property_socket:sock_file write;
#line 6
allow flags_health_check init:unix_stream_socket connectto;
#line 6
#line 6
allow flags_health_check device_config_core_experiments_team_internal_prop:property_service set;
#line 6
#line 6
allow flags_health_check device_config_core_experiments_team_internal_prop:file { getattr open read map };
#line 6
#line 6
#line 7
#line 7
allow flags_health_check property_socket:sock_file write;
#line 7
allow flags_health_check init:unix_stream_socket connectto;
#line 7
#line 7
allow flags_health_check device_config_edgetpu_native_prop:property_service set;
#line 7
#line 7
allow flags_health_check device_config_edgetpu_native_prop:file { getattr open read map };
#line 7
#line 7
#line 8
#line 8
allow flags_health_check property_socket:sock_file write;
#line 8
allow flags_health_check init:unix_stream_socket connectto;
#line 8
#line 8
allow flags_health_check device_config_reset_performed_prop:property_service set;
#line 8
#line 8
allow flags_health_check device_config_reset_performed_prop:file { getattr open read map };
#line 8
#line 8
#line 9
#line 9
allow flags_health_check property_socket:sock_file write;
#line 9
allow flags_health_check init:unix_stream_socket connectto;
#line 9
#line 9
allow flags_health_check device_config_runtime_native_boot_prop:property_service set;
#line 9
#line 9
allow flags_health_check device_config_runtime_native_boot_prop:file { getattr open read map };
#line 9
#line 9
#line 10
#line 10
allow flags_health_check property_socket:sock_file write;
#line 10
allow flags_health_check init:unix_stream_socket connectto;
#line 10
#line 10
allow flags_health_check device_config_runtime_native_prop:property_service set;
#line 10
#line 10
allow flags_health_check device_config_runtime_native_prop:file { getattr open read map };
#line 10
#line 10
#line 11
#line 11
allow flags_health_check property_socket:sock_file write;
#line 11
allow flags_health_check init:unix_stream_socket connectto;
#line 11
#line 11
allow flags_health_check device_config_input_native_boot_prop:property_service set;
#line 11
#line 11
allow flags_health_check device_config_input_native_boot_prop:file { getattr open read map };
#line 11
#line 11
#line 12
#line 12
allow flags_health_check property_socket:sock_file write;
#line 12
allow flags_health_check init:unix_stream_socket connectto;
#line 12
#line 12
allow flags_health_check device_config_lmkd_native_prop:property_service set;
#line 12
#line 12
allow flags_health_check device_config_lmkd_native_prop:file { getattr open read map };
#line 12
#line 12
#line 13
#line 13
allow flags_health_check property_socket:sock_file write;
#line 13
allow flags_health_check init:unix_stream_socket connectto;
#line 13
#line 13
allow flags_health_check device_config_netd_native_prop:property_service set;
#line 13
#line 13
allow flags_health_check device_config_netd_native_prop:file { getattr open read map };
#line 13
#line 13
#line 14
#line 14
allow flags_health_check property_socket:sock_file write;
#line 14
allow flags_health_check init:unix_stream_socket connectto;
#line 14
#line 14
allow flags_health_check device_config_nnapi_native_prop:property_service set;
#line 14
#line 14
allow flags_health_check device_config_nnapi_native_prop:file { getattr open read map };
#line 14
#line 14
#line 15
#line 15
allow flags_health_check property_socket:sock_file write;
#line 15
allow flags_health_check init:unix_stream_socket connectto;
#line 15
#line 15
allow flags_health_check device_config_activity_manager_native_boot_prop:property_service set;
#line 15
#line 15
allow flags_health_check device_config_activity_manager_native_boot_prop:file { getattr open read map };
#line 15
#line 15
#line 16
#line 16
allow flags_health_check property_socket:sock_file write;
#line 16
allow flags_health_check init:unix_stream_socket connectto;
#line 16
#line 16
allow flags_health_check device_config_media_native_prop:property_service set;
#line 16
#line 16
allow flags_health_check device_config_media_native_prop:file { getattr open read map };
#line 16
#line 16
#line 17
#line 17
allow flags_health_check property_socket:sock_file write;
#line 17
allow flags_health_check init:unix_stream_socket connectto;
#line 17
#line 17
allow flags_health_check device_config_mglru_native_prop:property_service set;
#line 17
#line 17
allow flags_health_check device_config_mglru_native_prop:file { getattr open read map };
#line 17
#line 17
#line 18
#line 18
allow flags_health_check property_socket:sock_file write;
#line 18
allow flags_health_check init:unix_stream_socket connectto;
#line 18
#line 18
allow flags_health_check device_config_profcollect_native_boot_prop:property_service set;
#line 18
#line 18
allow flags_health_check device_config_profcollect_native_boot_prop:file { getattr open read map };
#line 18
#line 18
#line 19
#line 19
allow flags_health_check property_socket:sock_file write;
#line 19
allow flags_health_check init:unix_stream_socket connectto;
#line 19
#line 19
allow flags_health_check device_config_statsd_native_prop:property_service set;
#line 19
#line 19
allow flags_health_check device_config_statsd_native_prop:file { getattr open read map };
#line 19
#line 19
#line 20
#line 20
allow flags_health_check property_socket:sock_file write;
#line 20
allow flags_health_check init:unix_stream_socket connectto;
#line 20
#line 20
allow flags_health_check device_config_statsd_native_boot_prop:property_service set;
#line 20
#line 20
allow flags_health_check device_config_statsd_native_boot_prop:file { getattr open read map };
#line 20
#line 20
#line 21
#line 21
allow flags_health_check property_socket:sock_file write;
#line 21
allow flags_health_check init:unix_stream_socket connectto;
#line 21
#line 21
allow flags_health_check device_config_storage_native_boot_prop:property_service set;
#line 21
#line 21
allow flags_health_check device_config_storage_native_boot_prop:file { getattr open read map };
#line 21
#line 21
#line 22
#line 22
allow flags_health_check property_socket:sock_file write;
#line 22
allow flags_health_check init:unix_stream_socket connectto;
#line 22
#line 22
allow flags_health_check device_config_swcodec_native_prop:property_service set;
#line 22
#line 22
allow flags_health_check device_config_swcodec_native_prop:file { getattr open read map };
#line 22
#line 22
#line 23
#line 23
allow flags_health_check property_socket:sock_file write;
#line 23
allow flags_health_check init:unix_stream_socket connectto;
#line 23
#line 23
allow flags_health_check device_config_sys_traced_prop:property_service set;
#line 23
#line 23
allow flags_health_check device_config_sys_traced_prop:file { getattr open read map };
#line 23
#line 23
#line 24
#line 24
allow flags_health_check property_socket:sock_file write;
#line 24
allow flags_health_check init:unix_stream_socket connectto;
#line 24
#line 24
allow flags_health_check device_config_window_manager_native_boot_prop:property_service set;
#line 24
#line 24
allow flags_health_check device_config_window_manager_native_boot_prop:file { getattr open read map };
#line 24
#line 24
#line 25
#line 25
allow flags_health_check property_socket:sock_file write;
#line 25
allow flags_health_check init:unix_stream_socket connectto;
#line 25
#line 25
allow flags_health_check device_config_configuration_prop:property_service set;
#line 25
#line 25
allow flags_health_check device_config_configuration_prop:file { getattr open read map };
#line 25
#line 25
#line 26
#line 26
allow flags_health_check property_socket:sock_file write;
#line 26
allow flags_health_check init:unix_stream_socket connectto;
#line 26
#line 26
allow flags_health_check device_config_connectivity_prop:property_service set;
#line 26
#line 26
allow flags_health_check device_config_connectivity_prop:file { getattr open read map };
#line 26
#line 26
#line 27
#line 27
allow flags_health_check property_socket:sock_file write;
#line 27
allow flags_health_check init:unix_stream_socket connectto;
#line 27
#line 27
allow flags_health_check device_config_surface_flinger_native_boot_prop:property_service set;
#line 27
#line 27
allow flags_health_check device_config_surface_flinger_native_boot_prop:file { getattr open read map };
#line 27
#line 27
#line 28
#line 28
allow flags_health_check property_socket:sock_file write;
#line 28
allow flags_health_check init:unix_stream_socket connectto;
#line 28
#line 28
allow flags_health_check device_config_aconfig_flags_prop:property_service set;
#line 28
#line 28
allow flags_health_check device_config_aconfig_flags_prop:file { getattr open read map };
#line 28
#line 28
#line 29
#line 29
allow flags_health_check property_socket:sock_file write;
#line 29
allow flags_health_check init:unix_stream_socket connectto;
#line 29
#line 29
allow flags_health_check device_config_vendor_system_native_prop:property_service set;
#line 29
#line 29
allow flags_health_check device_config_vendor_system_native_prop:file { getattr open read map };
#line 29
#line 29
#line 30
#line 30
allow flags_health_check property_socket:sock_file write;
#line 30
allow flags_health_check init:unix_stream_socket connectto;
#line 30
#line 30
allow flags_health_check device_config_vendor_system_native_boot_prop:property_service set;
#line 30
#line 30
allow flags_health_check device_config_vendor_system_native_boot_prop:file { getattr open read map };
#line 30
#line 30
#line 31
#line 31
allow flags_health_check property_socket:sock_file write;
#line 31
allow flags_health_check init:unix_stream_socket connectto;
#line 31
#line 31
allow flags_health_check device_config_virtualization_framework_native_prop:property_service set;
#line 31
#line 31
allow flags_health_check device_config_virtualization_framework_native_prop:file { getattr open read map };
#line 31
#line 31
#line 32
#line 32
allow flags_health_check property_socket:sock_file write;
#line 32
allow flags_health_check init:unix_stream_socket connectto;
#line 32
#line 32
allow flags_health_check device_config_memory_safety_native_boot_prop:property_service set;
#line 32
#line 32
allow flags_health_check device_config_memory_safety_native_boot_prop:file { getattr open read map };
#line 32
#line 32
#line 33
#line 33
allow flags_health_check property_socket:sock_file write;
#line 33
allow flags_health_check init:unix_stream_socket connectto;
#line 33
#line 33
allow flags_health_check device_config_memory_safety_native_prop:property_service set;
#line 33
#line 33
allow flags_health_check device_config_memory_safety_native_prop:file { getattr open read map };
#line 33
#line 33
#line 34
#line 34
allow flags_health_check property_socket:sock_file write;
#line 34
allow flags_health_check init:unix_stream_socket connectto;
#line 34
#line 34
allow flags_health_check device_config_remote_key_provisioning_native_prop:property_service set;
#line 34
#line 34
allow flags_health_check device_config_remote_key_provisioning_native_prop:file { getattr open read map };
#line 34
#line 34
#line 35
#line 35
allow flags_health_check property_socket:sock_file write;
#line 35
allow flags_health_check init:unix_stream_socket connectto;
#line 35
#line 35
allow flags_health_check device_config_camera_native_prop:property_service set;
#line 35
#line 35
allow flags_health_check device_config_camera_native_prop:file { getattr open read map };
#line 35
#line 35
#line 36
#line 36
allow flags_health_check property_socket:sock_file write;
#line 36
allow flags_health_check init:unix_stream_socket connectto;
#line 36
#line 36
allow flags_health_check device_config_tethering_u_or_later_native_prop:property_service set;
#line 36
#line 36
allow flags_health_check device_config_tethering_u_or_later_native_prop:file { getattr open read map };
#line 36
#line 36
#line 37
#line 37
allow flags_health_check property_socket:sock_file write;
#line 37
allow flags_health_check init:unix_stream_socket connectto;
#line 37
#line 37
allow flags_health_check next_boot_prop:property_service set;
#line 37
#line 37
allow flags_health_check next_boot_prop:file { getattr open read map };
#line 37
#line 37
# Exclusivity is enforced only for the two properties below. The remaining
# device_config_*_prop types granted above carry no neverallow in this file,
# so other domains may still be allowed to set them elsewhere in the policy.
# system property device_config_boot_count_prop is used for deciding when to perform server
# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
# wrong timing, trigger server configurable flag related disaster recovery, which will override
# server configured values of all flags with default values.
neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;
# system property device_config_reset_performed_prop is used for indicating whether server
# configurable flags have been reset during booting. Mistakenly modified by unrelated components can
# cause bad server configurable flags synced back to device.
neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set;
#line 1 "system/sepolicy/private/fsck.te"
typeattribute fsck coredomain;
# Expanded init-daemon transition into the fsck domain.
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init fsck_exec:file { getattr open read execute map };
#line 3
allow init fsck:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow fsck fsck_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init fsck:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init fsck:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init fsck_exec:process fsck;
#line 3
#line 3
# Raw read/write access to the metadata block device (the expanded set is
# the read perms plus open/append/write/lock/map). fsck needs to repair the
# filesystem in place; there is no read-only variant of this grant.
allow fsck metadata_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 1 "system/sepolicy/private/fsck_untrusted.te"
typeattribute fsck_untrusted coredomain;
#line 1 "system/sepolicy/private/fsverity_init.te"
type fsverity_init, domain, coredomain;
type fsverity_init_exec, exec_type, file_type, system_file_type;
#line 4
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init fsverity_init_exec:file { getattr open read execute map };
#line 4
allow init fsverity_init:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow fsverity_init fsverity_init_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init fsverity_init:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init fsverity_init:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition init fsverity_init_exec:process fsverity_init;
#line 4
#line 4
# Allow to read /proc/keys for searching key id.
allow fsverity_init proc_keys:file { getattr open read ioctl lock map watch watch_reads };
# Ignore denials to access irrelevant keys, as a side effect of accessing /proc/keys.
dontaudit fsverity_init domain:key view;
allow fsverity_init kernel:key { view search write setattr };
allow fsverity_init fsverity_init:key { view search write };
# Read the on-device signing certificate, to be able to add it to the keyring
allow fsverity_init odsign:fd use;
allow fsverity_init odsign_data_file:file { getattr read };
#line 1 "system/sepolicy/private/fuseblkd.te"
# Compartmentalized domain specifically for mounting fuseblk filesystems.
# It exists so that fuseblkd_untrusted does not have to be granted sys_admin.
type fuseblkd_exec, system_file_type, exec_type, file_type;
type fuseblkd, domain;
typeattribute fuseblkd coredomain;
# Required for mounting and unmounting. We can't minimize this permission,
# even though we only allow mount/unmount.
allow fuseblkd self:{ capability cap_userns } sys_admin;
# Permissions for the fuseblk filesystem.
allow fuseblkd fuse_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow fuseblkd fuseblk:filesystem { mount unmount };
allow fuseblkd fuseblkd_untrusted:fd use;
# Look through block devices to find the correct one.
allow fuseblkd block_device:dir search;
# Permissions to mount on the media_rw directory for USB drives.
allow fuseblkd mnt_media_rw_file:dir search;
allow fuseblkd mnt_media_rw_stub_file:dir mounton;
###
### neverallow rules
###
# Only allow entry from fuseblkd_untrusted, and only through fuseblkd_exec binary.
neverallow { domain -fuseblkd_untrusted } fuseblkd:process transition;
neverallow * fuseblkd:process dyntransition;
neverallow fuseblkd { file_type fs_type -fuseblkd_exec }:file entrypoint;
#line 1 "system/sepolicy/private/fuseblkd_untrusted.te"
# Fuseblk is a Filesystem in USErspace for block devices. It should only be used
# to mount untrusted block devices like USB drives.
type fuseblkd_untrusted_exec, system_file_type, exec_type, file_type;
type fuseblkd_untrusted, domain;
typeattribute fuseblkd_untrusted coredomain;
#line 8
# Allow the necessary permissions.
#line 8
#line 8
# Old domain may exec the file and transition to the new domain.
#line 8
allow fuseblkd_untrusted fuseblkd_exec:file { getattr open read execute map };
#line 8
allow fuseblkd_untrusted fuseblkd:process transition;
#line 8
# New domain is entered by executing the file.
#line 8
allow fuseblkd fuseblkd_exec:file { entrypoint open read execute getattr map };
#line 8
# New domain can send SIGCHLD to its caller.
#line 8
allow fuseblkd fuseblkd_untrusted:process sigchld;
#line 8
# Enable AT_SECURE, i.e. libc secure mode.
#line 8
dontaudit fuseblkd_untrusted fuseblkd:process noatsecure;
#line 8
# XXX dontaudit candidate but requires further study.
#line 8
allow fuseblkd_untrusted fuseblkd:process { siginh rlimitinh };
#line 8
#line 8
# Make the transition occur by default.
#line 8
type_transition fuseblkd_untrusted fuseblkd_exec:process fuseblkd;
#line 8
;
# Allow stdin/out back to vold.
allow fuseblkd_untrusted vold:fd use;
# Allows fuseblk to read block devices.
allow fuseblkd_untrusted block_device:dir search;
# Permissions to read dynamic partitions blocks.
allow fuseblkd_untrusted super_block_device:blk_file getattr;
# Permissions to access FUSE character devices.
allow fuseblkd_untrusted fuse_device:chr_file { getattr open read write };
# Permissions to access /mnt/media_rw/.
allow fuseblkd_untrusted mnt_media_rw_file:dir { getattr search };
allow fuseblkd_untrusted mnt_media_rw_stub_file:dir getattr;
# Permissions to read device mappers.
allow fuseblkd_untrusted sysfs_dm:dir search;
allow fuseblkd_untrusted sysfs_dm:file { getattr open read };
allow fuseblkd_untrusted dm_device:blk_file getattr;
# Permissions to read links in tmpfs.
allow fuseblkd_untrusted tmpfs:lnk_file read;
# Permissions to read loop device blocks.
allow fuseblkd_untrusted loop_device:blk_file getattr;
# Permissions to access the /proc/filesystems file.
allow fuseblkd_untrusted proc_filesystems:file { open read getattr };
###
### dontaudit rules
###
# ntfs-3g wants this permission to read a fork return code, for some reason.
# It's unclear why, because it still reads the fork return code correctly,
# and nothing breaks. If enforce is set to permissive, the audit goes away.
dontaudit fuseblkd_untrusted self:capability sys_admin;
###
### neverallow rules
###
# Fuseblk should never be run on block devices holding sensitive data.
neverallow fuseblkd_untrusted {
boot_block_device
frp_block_device
metadata_block_device
recovery_block_device
root_block_device
swap_block_device
system_block_device
userdata_block_device
cache_block_device
dm_device
}:blk_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Only allow entry from vold, and only through fuseblkd_untrusted_exec binaries.
neverallow { domain -vold } fuseblkd_untrusted:process transition;
neverallow * fuseblkd_untrusted:process dyntransition;
neverallow fuseblkd_untrusted { file_type fs_type -fuseblkd_untrusted_exec }:file entrypoint;
# Under no circumstances should fuseblkd_untrusted or any other fuseblk filesystem be
# given sys_admin access. They are fundamentally untrusted, insecure filesystems.
# The correct solution here is to compartmentalize permissions correctly so that
# a smaller binary can get the required permissions. See fuseblkd.te.
# Similar to above, we don't need setgid or setuid permissions.
neverallow fuseblkd_untrusted self:capability { setgid setuid sys_admin };
neverallow fuseblkd_untrusted self:{ capability cap_userns } { setgid setuid sys_admin };
# Since we can't have sys_admin permissions, we definitely can't have mount/unmount
# permissions, since we won't be able to use them. Same with relabel permissions.
neverallow fuseblkd_untrusted fuseblk:filesystem { mount unmount relabelto relabelfrom};
#line 1 "system/sepolicy/private/fwk_bufferhub.te"
type fwk_bufferhub, domain, coredomain;
type fwk_bufferhub_exec, system_file_type, exec_type, file_type;
#line 4
typeattribute fwk_bufferhub halclientdomain;
#line 4
typeattribute fwk_bufferhub hal_graphics_allocator_client;
#line 4
#line 4
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 4
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 4
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 4
#line 4
typeattribute fwk_bufferhub hal_graphics_allocator;
#line 4
# Find passthrough HAL implementations
#line 4
allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 4
allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 4
allow hal_graphics_allocator vendor_file:file { read open getattr execute map };
#line 4
#line 4
allow fwk_bufferhub ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
#line 7
#line 7
# Allow the necessary permissions.
#line 7
#line 7
# Old domain may exec the file and transition to the new domain.
#line 7
allow init fwk_bufferhub_exec:file { getattr open read execute map };
#line 7
allow init fwk_bufferhub:process transition;
#line 7
# New domain is entered by executing the file.
#line 7
allow fwk_bufferhub fwk_bufferhub_exec:file { entrypoint open read execute getattr map };
#line 7
# New domain can send SIGCHLD to its caller.
#line 7
#line 7
# Enable AT_SECURE, i.e. libc secure mode.
#line 7
dontaudit init fwk_bufferhub:process noatsecure;
#line 7
# XXX dontaudit candidate but requires further study.
#line 7
allow init fwk_bufferhub:process { siginh rlimitinh };
#line 7
#line 7
# Make the transition occur by default.
#line 7
type_transition init fwk_bufferhub_exec:process fwk_bufferhub;
#line 7
#line 7
#line 1 "system/sepolicy/private/gatekeeperd.te"
typeattribute gatekeeperd coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init gatekeeperd_exec:file { getattr open read execute map };
#line 3
allow init gatekeeperd:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow gatekeeperd gatekeeperd_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init gatekeeperd:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init gatekeeperd:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init gatekeeperd_exec:process gatekeeperd;
#line 3
#line 3
# For checking whether GSI is running
#line 6
allow gatekeeperd gsid_prop:file { getattr open read map };
#line 6
#line 1 "system/sepolicy/private/gki_apex_prepostinstall.te"
# GKI pre- & post-install hooks.
#
# Allow to run pre- and post-install hooks for GKI APEXes
type gki_apex_prepostinstall, domain, coredomain;
type gki_apex_prepostinstall_exec, system_file_type, exec_type, file_type;
# Execute /system/bin/sh.
allow gki_apex_prepostinstall shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Execute various toolbox utilities.
allow gki_apex_prepostinstall toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow preinstall.sh to execute update_engine_stable_client binary.
allow gki_apex_prepostinstall gki_apex_prepostinstall_exec:file execute_no_trans;
# Allow preinstall hook to communicate with update_engine to execute update.
#line 18
# Call the servicemanager and transfer references to it.
#line 18
allow gki_apex_prepostinstall servicemanager:binder { call transfer };
#line 18
# Allow servicemanager to send out callbacks
#line 18
allow servicemanager gki_apex_prepostinstall:binder { call transfer };
#line 18
# servicemanager performs getpidcon on clients.
#line 18
allow servicemanager gki_apex_prepostinstall:dir search;
#line 18
allow servicemanager gki_apex_prepostinstall:file { read open };
#line 18
allow servicemanager gki_apex_prepostinstall:process getattr;
#line 18
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 18
# all domains in domain.te.
#line 18
allow gki_apex_prepostinstall update_engine_stable_service:service_manager find;
#line 20
# Call the server domain and optionally transfer references to it.
#line 20
allow gki_apex_prepostinstall update_engine:binder { call transfer };
#line 20
# Allow the serverdomain to transfer references to the client on the reply.
#line 20
allow update_engine gki_apex_prepostinstall:binder transfer;
#line 20
# Receive and use open files from the server.
#line 20
allow gki_apex_prepostinstall update_engine:fd use;
#line 20
# /dev/zero is inherited although it is not used. See b/126787589.
allow gki_apex_prepostinstall apexd:fd use;
#line 1 "system/sepolicy/private/gmscore_app.te"
###
### A domain for further sandboxing the PrebuiltGMSCore app.
###
typeattribute gmscore_app coredomain;
#line 6
typeattribute gmscore_app appdomain;
#line 6
# Label tmpfs objects for all apps.
#line 6
type_transition gmscore_app tmpfs:file appdomain_tmpfs;
#line 6
#line 6
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 6
type gmscore_app_userfaultfd;
#line 6
type_transition gmscore_app gmscore_app:anon_inode gmscore_app_userfaultfd "[userfaultfd]";
#line 6
# Allow domain to create/use userfaultfd anon_inode.
#line 6
allow gmscore_app gmscore_app_userfaultfd:anon_inode { create ioctl read };
#line 6
# Suppress errors generated during bugreport
#line 6
dontaudit su gmscore_app_userfaultfd:anon_inode *;
#line 6
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 6
neverallow { domain -gmscore_app } gmscore_app_userfaultfd:anon_inode *;
#line 6
#line 6
allow gmscore_app appdomain_tmpfs:file { execute getattr map read write };
#line 6
neverallow { gmscore_app -runas_app -shell -simpleperf } { domain -gmscore_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 6
neverallow { appdomain -runas_app -shell -simpleperf -gmscore_app } gmscore_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 6
# The Android security model guarantees the confidentiality and integrity
#line 6
# of application data and execution state. Ptrace bypasses those
#line 6
# confidentiality guarantees. Disallow ptrace access from system components to
#line 6
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 6
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 6
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 6
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 6
# live lock conditions.
#line 6
neverallow { domain -gmscore_app -crash_dump -runas_app -simpleperf } gmscore_app:process ptrace;
#line 6
allow gmscore_app sysfs_type:dir search;
# Read access to /sys/block/zram*/mm_stat
#line 10
allow gmscore_app sysfs_zram:dir { open getattr read search ioctl lock watch watch_reads };
#line 10
allow gmscore_app sysfs_zram:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 10
#line 12
allow gmscore_app rootfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow gmscore_app rootfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 12
# Allow GMS core to open kernel config for OTA matching through libvintf
allow gmscore_app config_gz:file { open read getattr };
# Allow GMS core to communicate with update_engine for A/B update.
#line 18
# Call the server domain and optionally transfer references to it.
#line 18
allow gmscore_app update_engine:binder { call transfer };
#line 18
# Allow the serverdomain to transfer references to the client on the reply.
#line 18
allow update_engine gmscore_app:binder transfer;
#line 18
# Receive and use open files from the server.
#line 18
allow gmscore_app update_engine:fd use;
#line 18
allow gmscore_app update_engine_service:service_manager find;
# Allow GMS core to communicate with dumpsys storaged.
#line 22
# Call the server domain and optionally transfer references to it.
#line 22
allow gmscore_app storaged:binder { call transfer };
#line 22
# Allow the serverdomain to transfer references to the client on the reply.
#line 22
allow storaged gmscore_app:binder transfer;
#line 22
# Receive and use open files from the server.
#line 22
allow gmscore_app storaged:fd use;
#line 22
allow gmscore_app storaged_service:service_manager find;
# Allow GMS core to access system_update_service (e.g. to publish pending
# system update info).
allow gmscore_app system_update_service:service_manager find;
# Allow GMS core to communicate with statsd.
#line 30
# Call the server domain and optionally transfer references to it.
#line 30
allow gmscore_app statsd:binder { call transfer };
#line 30
# Allow the serverdomain to transfer references to the client on the reply.
#line 30
allow statsd gmscore_app:binder transfer;
#line 30
# Receive and use open files from the server.
#line 30
allow gmscore_app statsd:fd use;
#line 30
# Allow GMS core to receive Perfetto traces through the framework
# (i.e. TracingServiceProxy) and sendfile them into its private directory
# for reporting when network and battery conditions are appropriate.
allow gmscore_app perfetto:fd use;
allow gmscore_app perfetto_traces_data_file:file { read getattr };
# Allow GMS core to generate unique hardware IDs
allow gmscore_app keystore:keystore2_key gen_unique_id;
# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
allow gmscore_app selinuxfs:file { getattr open read ioctl lock map watch watch_reads };
# suppress denials for non-API accesses.
dontaudit gmscore_app exec_type:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app device:dir { open getattr read search ioctl lock watch watch_reads };
dontaudit gmscore_app fs_bpf:dir { open getattr read search ioctl lock watch watch_reads };
dontaudit gmscore_app kernel:security *;
dontaudit gmscore_app net_dns_prop:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app proc:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app proc_interrupts:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app proc_modules:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app proc_net:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app proc_stat:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app proc_version:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app sysfs:dir { open getattr read search ioctl lock watch watch_reads };
dontaudit gmscore_app sysfs:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app sysfs_android_usb:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app sysfs_dm:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app sysfs_loop:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app sysfs_net:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app sysfs_net:dir { open getattr read search ioctl lock watch watch_reads };
dontaudit gmscore_app { wifi_prop wifi_hal_prop }:file { getattr open read ioctl lock map watch watch_reads };
dontaudit gmscore_app mirror_data_file:dir search;
dontaudit gmscore_app mnt_vendor_file:dir search;
# Access the network
#line 68
typeattribute gmscore_app netdomain;
#line 68
# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
allow gmscore_app self:process ptrace;
# Allow loading executable code from writable priv-app home
# directories. This is a W^X violation; however, it needs
# to be supported for now for the following reasons.
# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
# 1) com.android.opengl.shaders_cache
# 2) com.android.skia.shaders_cache
# 3) com.android.renderscript.cache
# * /data/user_de/0/com.google.android.gms/app_chimera
# TODO: Tighten (b/112357170)
allow gmscore_app privapp_data_file:file execute;
# Chrome Crashpad uses the dynamic linker to load native executables
# from an APK (b/112050209, crbug.com/928422)
allow gmscore_app system_linker_exec:file execute_no_trans;
allow gmscore_app privapp_data_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# /proc access
allow gmscore_app proc_vmstat:file { getattr open read ioctl lock map watch watch_reads };
# Allow interaction with gpuservice
#line 94
# Call the server domain and optionally transfer references to it.
#line 94
allow gmscore_app gpuservice:binder { call transfer };
#line 94
# Allow the serverdomain to transfer references to the client on the reply.
#line 94
allow gpuservice gmscore_app:binder transfer;
#line 94
# Receive and use open files from the server.
#line 94
allow gmscore_app gpuservice:fd use;
#line 94
allow gmscore_app gpu_service:service_manager find;
# find services that expose both @SystemAPI and normal APIs.
allow gmscore_app app_api_service:service_manager find;
allow gmscore_app system_api_service:service_manager find;
allow gmscore_app audioserver_service:service_manager find;
allow gmscore_app cameraserver_service:service_manager find;
allow gmscore_app drmserver_service:service_manager find;
allow gmscore_app mediadrmserver_service:service_manager find;
allow gmscore_app mediaextractor_service:service_manager find;
allow gmscore_app mediametrics_service:service_manager find;
allow gmscore_app mediaserver_service:service_manager find;
allow gmscore_app network_watchlist_service:service_manager find;
allow gmscore_app nfc_service:service_manager find;
allow gmscore_app oem_lock_service:service_manager find;
allow gmscore_app persistent_data_block_service:service_manager find;
allow gmscore_app radio_service:service_manager find;
allow gmscore_app recovery_service:service_manager find;
allow gmscore_app stats_service:service_manager find;
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow gmscore_app shell_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow gmscore_app shell_data_file:dir { open getattr read search ioctl lock watch watch_reads };
# Write to /cache.
allow gmscore_app { cache_file cache_recovery_file }:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow gmscore_app { cache_file cache_recovery_file }:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# /cache is a symlink to /data/cache on some devices. Allow reading the link.
allow gmscore_app cache_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
# Write to /data/ota_package for OTA packages.
allow gmscore_app ota_package_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow gmscore_app ota_package_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Write the checkin metadata to /data/misc_ce/<userid>/checkin
allow gmscore_app checkin_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow gmscore_app checkin_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow gmscore_app shell_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow gmscore_app shell_data_file:dir { open getattr read search ioctl lock watch watch_reads };
# b/18504118: Allow reads from /data/anr/traces.txt
allow gmscore_app anr_data_file:file { getattr open read ioctl lock map watch watch_reads };
# b/148974132: com.android.vending needs this
allow gmscore_app priv_app:tcp_socket { read write };
# b/168059475 Allow GMSCore to read Virtual AB properties to determine
# if device supports VAB.
#line 147
allow gmscore_app virtual_ab_prop:file { getattr open read map };
#line 147
# b/186488185: Allow GMSCore to read dck properties
#line 150
allow gmscore_app dck_prop:file { getattr open read map };
#line 150
# Allow GMSCore to read RKP properties for the purpose of GTS testing.
#line 153
allow gmscore_app remote_prov_prop:file { getattr open read map };
#line 153
# Allow GmsCore to read Quick Start properties and prevent access from other
# domains.
#line 157
allow gmscore_app quick_start_prop:file { getattr open read map };
#line 157
neverallow { domain -init -dumpstate -vendor_init -gmscore_app } quick_start_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Do not allow getting permission-protected network information from sysfs.
neverallow gmscore_app sysfs_net:file *;
# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
neverallowxperm gmscore_app domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl
#line 165
{
#line 165
# qualcomm rmnet ioctls
#line 165
0x00006900 0x00006902
#line 165
# socket ioctls
#line 165
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 165
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 165
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 165
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 165
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 165
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 165
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 165
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 165
0x00008991 0x00008992 0x00008993 0x00008994
#line 165
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 165
# device and protocol specific ioctls
#line 165
0x000089f0-0x000089ff
#line 165
0x000089e0-0x000089ef
#line 165
# Wireless extension ioctls
#line 165
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 165
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 165
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 165
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 165
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 165
0x00008b34 0x00008b35 0x00008b36
#line 165
# Dev private ioctl i.e. hardware specific ioctls
#line 165
0x00008be0-0x00008bff
#line 165
};
neverallow gmscore_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
neverallow gmscore_app *:{
socket netlink_socket packet_socket key_socket appletalk_socket
netlink_tcpdiag_socket netlink_nflog_socket
netlink_xfrm_socket netlink_audit_socket
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
netlink_rdma_socket netlink_crypto_socket sctp_socket
ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
} *;
#line 1 "system/sepolicy/private/gpuservice.te"
# gpuservice - server for gpu stats and other gpu related services
typeattribute gpuservice coredomain;
typeattribute gpuservice bpfdomain;
type gpuservice_exec, system_file_type, exec_type, file_type;
#line 7
#line 7
# Allow the necessary permissions.
#line 7
#line 7
# Old domain may exec the file and transition to the new domain.
#line 7
allow init gpuservice_exec:file { getattr open read execute map };
#line 7
allow init gpuservice:process transition;
#line 7
# New domain is entered by executing the file.
#line 7
allow gpuservice gpuservice_exec:file { entrypoint open read execute getattr map };
#line 7
# New domain can send SIGCHLD to its caller.
#line 7
#line 7
# Enable AT_SECURE, i.e. libc secure mode.
#line 7
dontaudit init gpuservice:process noatsecure;
#line 7
# XXX dontaudit candidate but requires further study.
#line 7
allow init gpuservice:process { siginh rlimitinh };
#line 7
#line 7
# Make the transition occur by default.
#line 7
type_transition init gpuservice_exec:process gpuservice;
#line 7
#line 7
#line 9
# Call the server domain and optionally transfer references to it.
#line 9
allow gpuservice adbd:binder { call transfer };
#line 9
# Allow the serverdomain to transfer references to the client on the reply.
#line 9
allow adbd gpuservice:binder transfer;
#line 9
# Receive and use open files from the server.
#line 9
allow gpuservice adbd:fd use;
#line 9
#line 10
# Call the server domain and optionally transfer references to it.
#line 10
allow gpuservice shell:binder { call transfer };
#line 10
# Allow the serverdomain to transfer references to the client on the reply.
#line 10
allow shell gpuservice:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow gpuservice shell:fd use;
#line 10
#line 11
# Call the server domain and optionally transfer references to it.
#line 11
allow gpuservice system_server:binder { call transfer };
#line 11
# Allow the serverdomain to transfer references to the client on the reply.
#line 11
allow system_server gpuservice:binder transfer;
#line 11
# Receive and use open files from the server.
#line 11
allow gpuservice system_server:fd use;
#line 11
#line 12
# Call the servicemanager and transfer references to it.
#line 12
allow gpuservice servicemanager:binder { call transfer };
#line 12
# Allow servicemanager to send out callbacks
#line 12
allow servicemanager gpuservice:binder { call transfer };
#line 12
# servicemanager performs getpidcon on clients.
#line 12
allow servicemanager gpuservice:dir search;
#line 12
allow servicemanager gpuservice:file { read open };
#line 12
allow servicemanager gpuservice:process getattr;
#line 12
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 12
# all domains in domain.te.
#line 12
# Access the GPU.
allow gpuservice gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# GPU service will need to load GPU driver, for example Vulkan driver in order
# to get the capability of the driver.
allow gpuservice same_process_hal_file:file { open read getattr execute map };
allow gpuservice ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
#line 21
allow gpuservice hwservicemanager_prop:file { getattr open read map };
#line 21
#line 22
# Call the hwservicemanager and transfer references to it.
#line 22
allow gpuservice hwservicemanager:binder { call transfer };
#line 22
# Allow hwservicemanager to send out callbacks
#line 22
allow hwservicemanager gpuservice:binder { call transfer };
#line 22
# hwservicemanager performs getpidcon on clients.
#line 22
allow hwservicemanager gpuservice:dir search;
#line 22
allow hwservicemanager gpuservice:file { read open map };
#line 22
allow hwservicemanager gpuservice:process getattr;
#line 22
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 22
# all domains in domain.te.
#line 22
# Access /dev/graphics/fb0.
allow gpuservice graphics_device:dir search;
allow gpuservice graphics_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow shell access
allow gpuservice adbd:fd use;
allow gpuservice adbd:unix_stream_socket { getattr read write };
allow gpuservice shell:fifo_file { getattr read write };
# Needed for perfetto producer.
#line 34
allow gpuservice traced:fd use;
#line 34
allow gpuservice traced_tmpfs:file { read write getattr map };
#line 34
#line 34
allow gpuservice traced_producer_socket:sock_file write;
#line 34
allow gpuservice traced:unix_stream_socket connectto;
#line 34
#line 34
#line 34
# Also allow the service to use the producer file descriptors. This is
#line 34
# necessary when the producer is creating the shared memory, as it will be
#line 34
# passed to the service as a file descriptor (obtained from memfd_create).
#line 34
allow traced gpuservice:fd use;
#line 34
# Needed for interactive shell
allow gpuservice devpts:chr_file { read write getattr };
# Needed for dumpstate to dumpsys gpu.
allow gpuservice dumpstate:fd use;
allow gpuservice dumpstate:fifo_file write;
# Needed for stats callback registration to statsd.
allow gpuservice stats_service:service_manager find;
allow gpuservice statsmanager_service:service_manager find;
# TODO(b/146461633): remove this once native pullers talk to StatsManagerService
#line 47
# Call the server domain and optionally transfer references to it.
#line 47
allow gpuservice statsd:binder { call transfer };
#line 47
# Allow the server domain to transfer references to the client on the reply.
#line 47
allow statsd gpuservice:binder transfer;
#line 47
# Receive and use open files from the server.
#line 47
allow gpuservice statsd:fd use;
#line 47
# NOTE(review): stray ';' left behind by the macro invocation above. It appears
# to be tolerated by the policy compiler and carries no rule.
;
# Needed for reading tracepoint ids in order to attach bpf programs.
allow gpuservice debugfs_tracing:file { getattr open read ioctl lock map watch watch_reads };
# perf_event is granted only on gpuservice's own events (target is self), and
# the neverallow that follows pins the set to exactly { cpu kernel open write }:
# any future widening must be made on both lines together. The neverallow
# constrains self only; it says nothing about perf_event on other targets.
allow gpuservice self:perf_event { cpu kernel open write };
neverallow gpuservice self:perf_event ~{ cpu kernel open write };
# Needed to interact with the bpf filesystem.
# Write is needed to open read/write bpf maps.
allow gpuservice fs_bpf:file { read write };
# Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
# map_write lets gpuservice mutate maps created by bpfloader; nothing in this
# section narrows which bpfloader-owned maps or programs are in scope.
allow gpuservice bpfloader:bpf { map_read map_write prog_run };
#line 61
allow gpuservice gpu_service:service_manager { add find };
#line 61
# Only gpuservice may register the gpu_service name with servicemanager.
neverallow { domain -gpuservice } gpu_service:service_manager add;
#line 61
#line 61
# On debug builds with root, allow binder services to use binder over TCP.
#line 61
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 61
# NOTE(review): no rule follows the two comment lines above in this expansion,
# so the debug-only TCP socket permissions they describe are not granted here
# (presumably a userdebug_or_eng block that expanded to nothing for this build).
#line 61
# Needed for enabling write access to persist.graphics.egl from developer option switch UI, through gpuservice.
#line 64
#line 64
# Property sets are sent to init over the property socket; the 'set' permission
# on the property type itself is checked separately below.
allow gpuservice property_socket:sock_file write;
#line 64
allow gpuservice init:unix_stream_socket connectto;
#line 64
#line 64
allow gpuservice graphics_config_writable_prop:property_service set;
#line 64
#line 64
allow gpuservice graphics_config_writable_prop:file { getattr open read map };
#line 64
#line 64
# Writers of this property are limited to init, vendor_init and gpuservice.
neverallow { domain -init -vendor_init -gpuservice } graphics_config_writable_prop:property_service set;
# Needed to find the permission service (presumably for checking callers'
# permissions).
allow gpuservice permission_service:service_manager find;
# Only uncomment below line when in development
# userdebug_or_eng(`permissive gpuservice;')
#line 1 "system/sepolicy/private/gsid.te"
# gsid - Manager for GSI Installation
type gsid, domain;
type gsid_exec, exec_type, file_type, system_file_type;
typeattribute gsid coredomain;
#line 7
#line 7
# Allow the necessary permissions.
#line 7
#line 7
# Old domain may exec the file and transition to the new domain.
#line 7
allow init gsid_exec:file { getattr open read execute map };
#line 7
allow init gsid:process transition;
#line 7
# New domain is entered by executing the file.
#line 7
allow gsid gsid_exec:file { entrypoint open read execute getattr map };
#line 7
# New domain can send SIGCHLD to its caller.
#line 7
#line 7
# Enable AT_SECURE, i.e. libc secure mode.
#line 7
dontaudit init gsid:process noatsecure;
#line 7
# XXX dontaudit candidate but requires further study.
#line 7
allow init gsid:process { siginh rlimitinh };
#line 7
#line 7
# Make the transition occur by default.
#line 7
type_transition init gsid_exec:process gsid;
#line 7
#line 7
#line 9
# Call the servicemanager and transfer references to it.
#line 9
allow gsid servicemanager:binder { call transfer };
#line 9
# Allow servicemanager to send out callbacks
#line 9
allow servicemanager gsid:binder { call transfer };
#line 9
# servicemanager performs getpidcon on clients.
#line 9
allow servicemanager gsid:dir search;
#line 9
allow servicemanager gsid:file { read open };
#line 9
allow servicemanager gsid:process getattr;
#line 9
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 9
# all domains in domain.te.
#line 9
#line 10
typeattribute gsid binderservicedomain;
#line 10
#line 11
allow gsid gsi_service:service_manager { add find };
#line 11
neverallow { domain -gsid } gsi_service:service_manager add;
#line 11
#line 11
# On debug builds with root, allow binder services to use binder over TCP.
#line 11
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 11
#line 11
# Manage DSU metadata encryption key through vold.
allow gsid vold_service:service_manager find;
#line 15
# Call the server domain and optionally transfer references to it.
#line 15
allow gsid vold:binder { call transfer };
#line 15
# Allow the server domain to transfer references to the client on the reply.
#line 15
allow vold gsid:binder transfer;
#line 15
# Receive and use open files from the server.
#line 15
allow gsid vold:fd use;
#line 15
#line 17
#line 17
allow gsid property_socket:sock_file write;
#line 17
allow gsid init:unix_stream_socket connectto;
#line 17
#line 17
allow gsid gsid_prop:property_service set;
#line 17
#line 17
allow gsid gsid_prop:file { getattr open read map };
#line 17
#line 17
# Needed to create/delete device-mapper nodes, and read/write to them.
# NOTE(review): no allowxperm for dm_device is visible in this section, so the
# 'ioctl' permission below is not narrowed to specific device-mapper ioctls the
# way the loop_device ioctls are just below.
allow gsid dm_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow gsid dm_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# CAP_SYS_ADMIN is a very broad capability (presumably needed for device-mapper
# control); what gsid can actually reach is bounded by the type-based rules in
# this section, not by the capability. dac_override is deliberately not
# granted, only silenced.
allow gsid self:{ capability cap_userns } sys_admin;
dontaudit gsid self:{ capability cap_userns } dac_override;
# On FBE devices (not using dm-default-key), gsid will use loop devices to map
# images rather than device-mapper.
allow gsid loop_control_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow gsid loop_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Loop-device ioctls are allowlisted by number. The 0x4cNN values appear to be
# the LOOP_* control ioctls and 0x1261 appears to be BLKFLSBUF -- confirm
# against <linux/loop.h> and <linux/fs.h> before adding or removing entries.
allowxperm gsid loop_device:blk_file ioctl {
0x00004c05
0x00004c04
0x00004c00
0x00004c09
0x00004c08
0x00004c01
0x00001261
};
# libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
# This requires traversing /sys/block/dm-N/slaves/* and reading the list of
# file names.
#line 42
allow gsid sysfs_dm:dir { open getattr read search ioctl lock watch watch_reads };
#line 42
allow gsid sysfs_dm:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 42
# libfiemap_writer needs to read /sys/fs/f2fs/<dev>/features to determine
# whether pin_file support is enabled.
#line 46
allow gsid sysfs_fs_f2fs:dir { open getattr read search ioctl lock watch watch_reads };
#line 46
allow gsid sysfs_fs_f2fs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 46
# Needed to read fstab, which is used to validate that system verity does not
# use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
# to get the A/B slot suffix).
#line 51
allow gsid { metadata_file gsi_metadata_file_type }:dir search;
#line 51
allow gsid gsi_public_metadata_file:file { getattr open read ioctl lock map watch watch_reads };
#line 51
allow gsid { proc_bootconfig proc_cmdline }:file { getattr open read ioctl lock map watch watch_reads };
#line 51
allow gsid sysfs_dt_firmware_android:dir { open getattr read search ioctl lock watch watch_reads };
allow gsid sysfs_dt_firmware_android:file { getattr open read ioctl lock map watch watch_reads };
# Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
allow gsid block_device:dir { open getattr read search ioctl lock watch watch_reads };
# Allow querying the size of super_block_device_type.
allow gsid super_block_device_type:blk_file { getattr open read ioctl lock map watch watch_reads };
# liblp queries these block alignment properties.
allowxperm gsid {
userdata_block_device
sdcard_block_device
super_block_device_type
}:blk_file ioctl {
0x00001278
0x0000127a
};
# When installing images to an sdcard, gsid needs to be able to stat() the
# block device. gsid also calls realpath() to remove symlinks.
allow gsid mnt_media_rw_file:dir { open getattr read search ioctl lock watch watch_reads };
allow gsid mnt_media_rw_stub_file:dir { open getattr read search ioctl lock watch watch_reads };
# When installing images to an sdcard, gsid must bypass sdcardfs and install
# directly to vfat, which supports the FIBMAP ioctl.
# NOTE(review): the vfat rules grant 'ioctl' with no allowxperm in this
# section, so, unlike the loop_device and gsi_data_file ioctls, the FIBMAP
# ioctl on vfat is not pinned to a specific ioctl number here.
allow gsid vfat:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow gsid vfat:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow gsid sdcard_block_device:blk_file { getattr open read ioctl lock map watch watch_reads };
# This is needed for FIBMAP unfortunately. Oddly FIEMAP does not carry this
# requirement, but the kernel does not implement FIEMAP support for VFAT.
# CAP_SYS_RAWIO is a second broad capability on top of sys_admin above; the
# FIBMAP path described here is its only justification.
allow gsid self:{ capability cap_userns } sys_rawio;
# Allow rules for gsi_tool.
# NOTE(review): no allow rules follow this comment in this expansion; the
# gsi_tool rules are presumably in a userdebug_or_eng block that expanded to
# nothing for this build. Only the neverallow below remains.
#line 95
# gsid_prop may only be set by gsid, init, update_engine_common, recovery and
# fastbootd.
neverallow {
domain
-gsid
-init
-update_engine_common
-recovery
-fastbootd
} gsid_prop:property_service set;
# gsid needs to store images on /data, but cannot use file I/O. If it did, the
# underlying blocks would be encrypted, and we couldn't mount the GSI image in
# first-stage init. So instead of directly writing to /data, we:
#
# 1. fallocate a file large enough to hold the signed GSI
# 2. extract its block layout with FIEMAP
# 3. create a dm-linear device using the FIEMAP, targeting /dev/block/by-name/userdata
# 4. write system_gsi into that dm device
#
# To make this process work, we need to unwrap the device-mapper stacking for
# userdata to reach the underlying block device. To verify the result we use
# stat(), which requires read access.
allow gsid userdata_block_device:blk_file { getattr open read ioctl lock map watch watch_reads };
# gsid uses /metadata/gsi to communicate GSI boot information to first-stage
# init. It cannot use userdata since data cannot be decrypted during this
# stage.
#
# gsid uses /metadata/gsi to store three files:
# install_status - A short string indicating whether a GSI image is bootable.
# lp_metadata - LpMetadata blob describing the block ranges on userdata
# where system_gsi resides.
# booted - An empty file that, if exists, indicates that a GSI is
# currently running.
#
allow gsid metadata_file:dir { search getattr };
allow gsid {
gsi_metadata_file_type
}:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow gsid {
ota_metadata_file
}:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow gsid {
gsi_metadata_file_type
ota_metadata_file
}:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow restorecon to fix context of gsi_public_metadata_file.
allow gsid file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
allow gsid gsi_metadata_file:file relabelfrom;
allow gsid gsi_public_metadata_file:file relabelto;
allow gsid {
gsi_data_file
ota_image_data_file
}:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow gsid {
gsi_data_file
ota_image_data_file
}:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Narrow the file ioctls gsid may issue on its image files. The two values
# appear to be FS_IOC_FIEMAP (0xc020660b) and FS_IOC_GETFLAGS (0x80086601) --
# confirm against <linux/fs.h> before changing. FIEMAP is what step 2 of the
# install sequence described above relies on.
allowxperm gsid {
gsi_data_file
ota_image_data_file
}:file ioctl {
0xc020660b
0x80086601
};
# Plain binder 'call' to system_server without the binder_call macro: as far as
# this section shows there is no 'transfer' from gsid to system_server and no
# fd use, so gsid cannot hand binder objects or file descriptors to
# system_server through this path.
allow gsid system_server:binder call;
# Prevent most processes from writing to gsi_metadata_file_type, but allow
# adding rules for path resolution of gsi_public_metadata_file and reading
# gsi_public_metadata_file.
# The dir neverallow lists mutating permissions explicitly; 'relabelto' is not
# among them, so it does not by itself forbid another domain from relabelling a
# directory into gsi_metadata_file_type (whether that is intended is not
# visible here).
neverallow {
domain
-init
-gsid
-fastbootd
} gsi_metadata_file_type:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
# Everything under gsi_metadata_file_type except the public file is fully
# off-limits (*) to all but init, gsid and fastbootd.
neverallow {
domain
-init
-gsid
-fastbootd
} { gsi_metadata_file_type -gsi_public_metadata_file }:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } *;
# The public metadata file may be read by other domains, but nothing more.
neverallow {
domain
-init
-gsid
-fastbootd
} gsi_public_metadata_file:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } ~{ { getattr open read ioctl lock map watch watch_reads } };
# Prevent apps from accessing gsi_metadata_file_type.
# shell is carved out of this app-level rule, so for shell only the
# domain-wide neverallows above apply (they leave reading the public file
# possible).
neverallow {
appdomain
-shell
} gsi_metadata_file_type:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } *;
# Image data under gsi_data_file: init and gsid are the only domains allowed
# anything at all on it ...
neverallow {
domain
-init
-gsid
} gsi_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } *;
# ... and for non-directory objects even init is limited to relabelto/getattr,
# i.e. only gsid may read or write the image contents.
neverallow {
domain
-gsid
} gsi_data_file:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } ~{ relabelto getattr };
#line 1 "system/sepolicy/private/hal_allocator_default.te"
type hal_allocator_default, domain, coredomain;
#line 2
typeattribute hal_allocator_default halserverdomain;
#line 2
typeattribute hal_allocator_default hal_allocator_server;
#line 2
typeattribute hal_allocator_default hal_allocator;
#line 2
type hal_allocator_default_exec, system_file_type, exec_type, file_type;
#line 5
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init hal_allocator_default_exec:file { getattr open read execute map };
#line 5
allow init hal_allocator_default:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow hal_allocator_default hal_allocator_default_exec:file { entrypoint open read execute getattr map };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init hal_allocator_default:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init hal_allocator_default:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition init hal_allocator_default_exec:process hal_allocator_default;
#line 5
#line 5
# Needed to set hidl_memory_prop, which is used to force-stop the service when it is not supported.
#line 8
#line 8
allow hal_allocator_default property_socket:sock_file write;
#line 8
allow hal_allocator_default init:unix_stream_socket connectto;
#line 8
#line 8
allow hal_allocator_default hidl_memory_prop:property_service set;
#line 8
#line 8
allow hal_allocator_default hidl_memory_prop:file { getattr open read map };
#line 8
#line 8
#line 3 "system/sepolicy/private/hal_lazy_test.te"
#line 1 "system/sepolicy/private/halclientdomain.te"
###
### Rules for all domains which are clients of a HAL
###
# Find out whether a HAL in passthrough/in-process mode or
# binderized/out-of-process mode
#line 7
# Call the hwservicemanager and transfer references to it.
#line 7
allow halclientdomain hwservicemanager:binder { call transfer };
#line 7
# Allow hwservicemanager to send out callbacks
#line 7
allow hwservicemanager halclientdomain:binder { call transfer };
#line 7
# hwservicemanager performs getpidcon on clients.
#line 7
allow hwservicemanager halclientdomain:dir search;
#line 7
allow hwservicemanager halclientdomain:file { read open map };
#line 7
allow hwservicemanager halclientdomain:process getattr;
#line 7
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 7
# all domains in domain.te.
#line 7
# Used to wait for hwservicemanager
#line 10
allow halclientdomain hwservicemanager_prop:file { getattr open read map };
#line 10
# Wait for HAL server to be up (used by getService)
allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
#line 1 "system/sepolicy/private/halserverdomain.te"
###
### Rules for all domains which offer a HAL service over HwBinder
###
# Register the HAL service with hwservicemanager
#line 6
# Call the hwservicemanager and transfer references to it.
#line 6
allow halserverdomain hwservicemanager:binder { call transfer };
#line 6
# Allow hwservicemanager to send out callbacks
#line 6
allow hwservicemanager halserverdomain:binder { call transfer };
#line 6
# hwservicemanager performs getpidcon on clients.
#line 6
allow hwservicemanager halserverdomain:dir search;
#line 6
allow hwservicemanager halserverdomain:file { read open map };
#line 6
allow hwservicemanager halserverdomain:process getattr;
#line 6
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6
# Find HAL implementations
allow halserverdomain system_file:dir { open getattr read search ioctl lock watch watch_reads };
# Used to wait for hwservicemanager
#line 12
allow halserverdomain hwservicemanager_prop:file { getattr open read map };
#line 12
#line 1 "system/sepolicy/private/healthd.te"
typeattribute healthd coredomain;
#line 1 "system/sepolicy/private/heapprofd.te"
# Android heap profiling daemon. go/heapprofd.
type heapprofd_exec, exec_type, file_type, system_file_type;
type heapprofd_tmpfs, file_type;
#line 5
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init heapprofd_exec:file { getattr open read execute map };
#line 5
allow init heapprofd:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow heapprofd heapprofd_exec:file { entrypoint open read execute getattr map };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init heapprofd:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init heapprofd:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition init heapprofd_exec:process heapprofd;
#line 5
#line 5
#line 6
type_transition heapprofd tmpfs:file heapprofd_tmpfs;
#line 6
allow heapprofd heapprofd_tmpfs:file { read write getattr map };
#line 6
# Allow apps in other MLS contexts (for multi-user) to access
# shared memory buffers created by heapprofd.
typeattribute heapprofd_tmpfs mlstrustedobject;
#line 12
#line 12
allow heapprofd property_socket:sock_file write;
#line 12
allow heapprofd init:unix_stream_socket connectto;
#line 12
#line 12
allow heapprofd heapprofd_prop:property_service set;
#line 12
#line 12
allow heapprofd heapprofd_prop:file { getattr open read map };
#line 12
#line 12
;
# Necessary for /proc/[pid]/cmdline access & sending signals.
# mlstrustedsubject lifts the MLS (multi-user) constraints only, not type
# enforcement; which domains heapprofd may read or signal is still bounded by
# the neverallow list later in this section and the matching allow in domain.te.
typeattribute heapprofd mlstrustedsubject;
# Allow sending signals to processes. This excludes SIGKILL, SIGSTOP and
# SIGCHLD, which are controlled by separate permissions.
# Note this is CAP_KILL (the DAC check for signalling processes owned by other
# UIDs); the per-signal SELinux permissions on the process class (signal,
# sigkill, sigstop, sigchld) are not granted by this line.
allow heapprofd self:capability kill;
# When scanning /proc/[pid]/cmdline to find matching processes for by-name
# profiling, only allowlisted domains will be allowed by SELinux. Avoid
# spamming logs with denials for entries that we can not access.
# dontaudit grants nothing: it only suppresses the audit records for the
# search/open denials on every domain's /proc/[pid] directory.
dontaudit heapprofd domain:dir { search open };
# Write trace data to the Perfetto traced daemon. This requires connecting to
# its producer socket and obtaining a (per-process) tmpfs fd.
#line 28
allow heapprofd traced:fd use;
#line 28
allow heapprofd traced_tmpfs:file { read write getattr map };
#line 28
#line 28
allow heapprofd traced_producer_socket:sock_file write;
#line 28
allow heapprofd traced:unix_stream_socket connectto;
#line 28
#line 28
#line 28
# Also allow the service to use the producer file descriptors. This is
#line 28
# necessary when the producer is creating the shared memory, as it will be
#line 28
# passed to the service as a file descriptor (obtained from memfd_create).
#line 28
allow traced heapprofd:fd use;
#line 28
# When handling profiling for all processes, heapprofd needs to read
# executables/libraries/etc to do stack unwinding.
#line 32
allow heapprofd nativetest_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 32
allow heapprofd nativetest_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 32
#line 33
allow heapprofd system_file_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 33
allow heapprofd system_file_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 33
#line 34
allow heapprofd apk_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 34
allow heapprofd apk_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 34
#line 35
allow heapprofd dalvikcache_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 35
allow heapprofd dalvikcache_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 35
#line 36
allow heapprofd vendor_file_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 36
allow heapprofd vendor_file_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 36
#line 37
allow heapprofd shell_test_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 37
allow heapprofd shell_test_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 37
# ART apex files and directory access to the containing /data/misc/apexdata.
#line 39
allow heapprofd apex_art_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 39
allow heapprofd apex_art_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 39
allow heapprofd apex_module_data_file:dir { getattr search };
# Some dex files are not world-readable.
# We are still constrained by the SELinux rules above.
# CAP_DAC_READ_SEARCH bypasses DAC read/search checks only; which labels
# heapprofd may read remains bounded by the read-only dir/file rules above, and
# the neverallow below keeps the privileged domains out of reach.
allow heapprofd self:{ capability cap_userns } dac_read_search;
# For checking profileability.
# Read-only access to the packages list (no write).
allow heapprofd packages_list_file:file { getattr open read ioctl lock map watch watch_reads };
# Never allow profiling privileged or otherwise incompatible domains.
# Corresponding allow-rule is in private/domain.te.
#line 51
neverallow heapprofd {
#line 51
apexd
#line 51
app_zygote
#line 51
bpfloader
#line 51
hal_configstore_server
#line 51
init
#line 51
kernel
#line 51
keystore
#line 51
llkd
#line 51
logd
#line 51
logpersist
#line 51
recovery
#line 51
recovery_persist
#line 51
recovery_refresh
#line 51
ueventd
#line 51
vendor_init
#line 51
vold
#line 51
webview_zygote
#line 51
zygote
#line 51
}:file read;
#line 51
neverallow heapprofd {
#line 51
apexd
#line 51
app_zygote
#line 51
bpfloader
#line 51
hal_configstore_server
#line 51
init
#line 51
kernel
#line 51
keystore
#line 51
llkd
#line 51
logd
#line 51
logpersist
#line 51
recovery
#line 51
recovery_persist
#line 51
recovery_refresh
#line 51
ueventd
#line 51
vendor_init
#line 51
vold
#line 51
webview_zygote
#line 51
zygote
#line 51
}:process signal;
#line 70
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 72
#line 72
neverallow heapprofd vendor_file_type:file { append create link unlink relabelfrom rename setattr write };
#line 72
neverallow heapprofd { vendor_file_type -vndk_sp_file }:file { execute execute_no_trans };
#line 72
#line 72
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
#line 75
#line 1 "system/sepolicy/private/hidl_lazy_test_server.te"
type hidl_lazy_test_server, domain;
type hidl_lazy_test_server_exec, exec_type, file_type, system_file_type;
#line 8
#line 1 "system/sepolicy/private/hwservice.te"
type hal_lazy_test_hwservice, hwservice_manager_type, protected_hwservice;
#line 1 "system/sepolicy/private/hwservicemanager.te"
typeattribute hwservicemanager coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init hwservicemanager_exec:file { getattr open read execute map };
#line 3
allow init hwservicemanager:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow hwservicemanager hwservicemanager_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init hwservicemanager:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init hwservicemanager:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init hwservicemanager_exec:process hwservicemanager;
#line 3
#line 3
#line 5
allow hwservicemanager hidl_manager_hwservice:hwservice_manager { add find };
#line 5
# NOTE(review): this hidl_base_hwservice add is emitted once per macro
# expansion and so appears twice in this section; the duplicate is harmless.
allow hwservicemanager hidl_base_hwservice:hwservice_manager add;
#line 5
# Only hwservicemanager may register the hidl_manager_hwservice name.
neverallow { domain -hwservicemanager } hidl_manager_hwservice:hwservice_manager add;
#line 5
#line 6
allow hwservicemanager hidl_token_hwservice:hwservice_manager { add find };
#line 6
allow hwservicemanager hidl_base_hwservice:hwservice_manager add;
#line 6
# Only hwservicemanager may register the hidl_token_hwservice name. No
# neverallow covering 'add' on hidl_base_hwservice is visible in this section.
neverallow { domain -hwservicemanager } hidl_token_hwservice:hwservice_manager add;
#line 6
#line 8
#line 8
allow hwservicemanager property_socket:sock_file write;
#line 8
allow hwservicemanager init:unix_stream_socket connectto;
#line 8
#line 8
allow hwservicemanager ctl_interface_start_prop:property_service set;
#line 8
#line 8
allow hwservicemanager ctl_interface_start_prop:file { getattr open read map };
#line 8
#line 8
#line 9
#line 9
allow hwservicemanager property_socket:sock_file write;
#line 9
allow hwservicemanager init:unix_stream_socket connectto;
#line 9
#line 9
allow hwservicemanager hwservicemanager_prop:property_service set;
#line 9
#line 9
allow hwservicemanager hwservicemanager_prop:file { getattr open read map };
#line 9
#line 9
# hwservicemanager is using bootstrap bionic
#line 12
allow hwservicemanager system_bootstrap_lib_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow hwservicemanager system_bootstrap_lib_file:file { execute read open getattr map };
#line 12
# hwservicemanager is using apex_info via libvintf
#line 15
allow hwservicemanager apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads };
#line 15
allow hwservicemanager apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
#line 15
#line 15
allow hwservicemanager vendor_apex_metadata_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 15
allow hwservicemanager vendor_apex_metadata_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 15
#line 15
#line 1 "system/sepolicy/private/idmap.te"
typeattribute idmap coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init idmap_exec:file { getattr open read execute map };
#line 3
allow init idmap:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow idmap idmap_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init idmap:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init idmap:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init idmap_exec:process idmap;
#line 3
#line 3
#line 1 "system/sepolicy/private/incident.te"
typeattribute incident coredomain;
type incident_exec, system_file_type, exec_type, file_type;
# switch to incident domain for incident command
#line 6
# Allow the necessary permissions.
#line 6
#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow shell incident_exec:file { getattr open read execute map };
#line 6
allow shell incident:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow incident incident_exec:file { entrypoint open read execute getattr map };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
allow incident shell:process sigchld;
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit shell incident:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow shell incident:process { siginh rlimitinh };
#line 6
#line 6
# Make the transition occur by default.
#line 6
type_transition shell incident_exec:process incident;
#line 6
#line 7
# Allow the necessary permissions.
#line 7
#line 7
# Old domain may exec the file and transition to the new domain.
#line 7
allow dumpstate incident_exec:file { getattr open read execute map };
#line 7
allow dumpstate incident:process transition;
#line 7
# New domain is entered by executing the file.
#line 7
allow incident incident_exec:file { entrypoint open read execute getattr map };
#line 7
# New domain can send SIGCHLD to its caller.
#line 7
allow incident dumpstate:process sigchld;
#line 7
# Enable AT_SECURE, i.e. libc secure mode.
#line 7
dontaudit dumpstate incident:process noatsecure;
#line 7
# XXX dontaudit candidate but requires further study.
#line 7
allow dumpstate incident:process { siginh rlimitinh };
#line 7
#line 7
# Make the transition occur by default.
#line 7
type_transition dumpstate incident_exec:process incident;
#line 7
# allow incident access to stdout from its parent shell.
allow incident shell:fd use;
# allow incident to communicate with dumpstate, and write incident report to
# /data/data/com.android.shell/files/bugreports/tmp_incident_report
allow incident dumpstate:fd use;
allow incident dumpstate:unix_stream_socket { read write };
# Only 'write' is granted on shell_data_file (no open/create/getattr): incident
# can write to a descriptor handed to it by shell or dumpstate via the fd rules
# above, but it cannot open or create files in shell's data directory itself.
allow incident shell_data_file:file write;
# Allow incident to write its output to the terminal so CTS can fetch it.
allow incident devpts:chr_file { read write };
# Allow incident to use, read and write the descriptors of the adb connection.
allow incident adbd:fd use;
allow incident adbd:unix_stream_socket { read write };
# allow adbd to reap incident
allow incident adbd:process { sigchld };
# Allow the incident command to talk to the incidentd over the binder, and get
# back the incident report data from a ParcelFileDescriptor.
#line 31
# Call the servicemanager and transfer references to it.
#line 31
allow incident servicemanager:binder { call transfer };
#line 31
# Allow servicemanager to send out callbacks
#line 31
allow servicemanager incident:binder { call transfer };
#line 31
# servicemanager performs getpidcon on clients.
#line 31
allow servicemanager incident:dir search;
#line 31
allow servicemanager incident:file { read open };
#line 31
allow servicemanager incident:process getattr;
#line 31
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 31
# all domains in domain.te.
#line 31
allow incident incident_service:service_manager find;
#line 33
# Call the server domain and optionally transfer references to it.
#line 33
allow incident incidentd:binder { call transfer };
#line 33
# Allow the serverdomain to transfer references to the client on the reply.
#line 33
allow incidentd incident:binder transfer;
#line 33
# Receive and use open files from the server.
#line 33
allow incident incidentd:fd use;
#line 33
allow incident incidentd:fifo_file write;
# only shell, dumpstate and su may exec incident; incident itself is exempted
# because its entrypoint rule above needs `execute` on incident_exec.
neverallow { domain -su -shell -incident -dumpstate} incident_exec:file { execute execute_no_trans };
#line 1 "system/sepolicy/private/incident_helper.te"
# incident_helper: the helper that incidentd spawns to parse command output into
# report sections. It gets its own domain via the domain_auto_trans expansion
# below - presumably so that the parsing step does not run with incidentd's
# wider permissions (verify against incidentd.te).
typeattribute incident_helper coredomain;
type incident_helper_exec, system_file_type, exec_type, file_type;
# switch to incident_helper domain for incident_helper command
#line 6
# Allow the necessary permissions.
#line 6
#line 6
# Old domain may exec the file and transition to the new domain.
# (No execute_no_trans on incident_helper_exec is granted to incidentd here,
# so the only visible way for incidentd to run the helper is this transition.)
#line 6
allow incidentd incident_helper_exec:file { getattr open read execute map };
#line 6
allow incidentd incident_helper:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow incident_helper incident_helper_exec:file { entrypoint open read execute getattr map };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
allow incident_helper incidentd:process sigchld;
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit incidentd incident_helper:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow incidentd incident_helper:process { siginh rlimitinh };
#line 6
#line 6
# Make the transition occur by default.
#line 6
type_transition incidentd incident_helper_exec:process incident_helper;
#line 6
# Data to parse arrives over pipes: incident_helper may use fds handed to it by
# shell, incident, incidentd or dumpstate and read/write their fifos; only
# incidentd's unix stream socket is additionally usable.
allow incident_helper { shell incident incidentd dumpstate }:fd use;
allow incident_helper { shell incident incidentd dumpstate }:fifo_file { getattr read write };
allow incident_helper incidentd:unix_stream_socket { read write };
# Only incidentd and shell may exec incident_helper. incident_helper itself is
# exempted because its entrypoint rule above needs `execute`; shell is also
# exempted from execute_no_trans, so nothing here forbids a shell running the
# binary without a domain transition.
neverallow { domain -incidentd -incident_helper -shell } incident_helper_exec:file { execute execute_no_trans };
#line 1 "system/sepolicy/private/incidentd.te"
typeattribute incidentd coredomain;
typeattribute incidentd mlstrustedsubject;
#line 4
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init incidentd_exec:file { getattr open read execute map };
#line 4
allow init incidentd:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow incidentd incidentd_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init incidentd:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init incidentd:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition init incidentd_exec:process incidentd;
#line 4
#line 4
type incidentd_exec, system_file_type, exec_type, file_type;
#line 6
# Call the servicemanager and transfer references to it.
#line 6
allow incidentd servicemanager:binder { call transfer };
#line 6
# Allow servicemanager to send out callbacks
#line 6
allow servicemanager incidentd:binder { call transfer };
#line 6
# servicemanager performs getpidcon on clients.
#line 6
allow servicemanager incidentd:dir search;
#line 6
allow servicemanager incidentd:file { read open };
#line 6
allow servicemanager incidentd:process getattr;
#line 6
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 6
# all domains in domain.te.
#line 6
#line 7
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 7
# deprecated.
#line 7
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 7
allow incidentd sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 7
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 7
allow incidentd self:{ capability2 cap2_userns } block_suspend;
#line 7
# system_suspend permissions
#line 7
#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow incidentd system_suspend_server:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow system_suspend_server incidentd:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow incidentd system_suspend_server:fd use;
#line 7
#line 7
allow incidentd system_suspend_hwservice:hwservice_manager find;
#line 7
# halclientdomain permissions
#line 7
#line 7
# Call the hwservicemanager and transfer references to it.
#line 7
allow incidentd hwservicemanager:binder { call transfer };
#line 7
# Allow hwservicemanager to send out callbacks
#line 7
allow hwservicemanager incidentd:binder { call transfer };
#line 7
# hwservicemanager performs getpidcon on clients.
#line 7
allow hwservicemanager incidentd:dir search;
#line 7
allow hwservicemanager incidentd:file { read open map };
#line 7
allow hwservicemanager incidentd:process getattr;
#line 7
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 7
# all domains in domain.te.
#line 7
#line 7
#line 7
allow incidentd hwservicemanager_prop:file { getattr open read map };
#line 7
#line 7
allow incidentd hidl_manager_hwservice:hwservice_manager find;
#line 7
# AIDL suspend hal permissions
#line 7
allow incidentd hal_system_suspend_service:service_manager find;
#line 7
#line 7
# Call the servicemanager and transfer references to it.
#line 7
allow incidentd servicemanager:binder { call transfer };
#line 7
# Allow servicemanager to send out callbacks
#line 7
allow servicemanager incidentd:binder { call transfer };
#line 7
# servicemanager performs getpidcon on clients.
#line 7
allow servicemanager incidentd:dir search;
#line 7
allow servicemanager incidentd:file { read open };
#line 7
allow servicemanager incidentd:process getattr;
#line 7
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 7
# all domains in domain.te.
#line 7
#line 7
# Allow incidentd to scan /proc/<pid> for every process. This is r_dir_file over
# the `domain` attribute, i.e. read access to the /proc/<pid> dirs, files and
# symlinks of all domains - a broad grant; the `neverallow incidentd *:process
# ptrace` further down is what keeps it from becoming process control.
#line 10
allow incidentd domain:dir { open getattr read search ioctl lock watch watch_reads };
#line 10
allow incidentd domain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 10
# Allow incidentd to kill incident_helper when timeout
allow incidentd incident_helper:process sigkill;
# Allow executing files on system, such as:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
# Note this is execute_no_trans on the whole system_file type, not just the
# examples: any such binary runs inside the incidentd domain with all of
# incidentd's permissions.
allow incidentd system_file:file execute_no_trans;
allow incidentd toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# section id 1002, allow reading kernel version /proc/version
allow incidentd proc_version:file { getattr open read ioctl lock map watch watch_reads };
# section id 1116, allow accessing statsd socket
#line 26
allow incidentd statsdw_socket:sock_file write;
#line 26
allow incidentd statsd:unix_dgram_socket sendto;
#line 26
# section id 2001, allow reading /proc/pagetypeinfo
allow incidentd proc_pagetypeinfo:file { getattr open read ioctl lock map watch watch_reads };
# section id 2002, allow reading /d/wakeup_sources. The rule that was here
# expanded to nothing in this policy (the bare ';' below is the empty macro
# expansion), presumably a debug-build-only grant; no access is present here.
;
# section id 2003 (top): allow reading /proc/meminfo
allow incidentd proc_meminfo:file { open read };
# section id 2004, allow reading /sys/devices/system/cpu/cpufreq/all_time_in_state
allow incidentd sysfs_devices_system_cpu:file { getattr open read ioctl lock map watch watch_reads };
# section id 2005, allow reading ps dump in full
allow incidentd domain:process getattr;
# section id 2006, allow reading /sys/class/power_supply/bms/battery_type
allow incidentd sysfs_batteryinfo:dir { search };
allow incidentd sysfs_batteryinfo:file { getattr open read ioctl lock map watch watch_reads };
# section id 2007, allow reading LAST_KMSG /sys/fs/pstore/console-ramoops. The
# rules that were here expanded to nothing in this policy (the bare ';' lines
# below), presumably debug-build-only grants; no access is present here.
;
;
# section id 3023, allow obtaining stats report
allow incidentd stats_service:service_manager find;
#line 53
# Call the server domain and optionally transfer references to it.
#line 53
allow incidentd statsd:binder { call transfer };
#line 53
# Allow the serverdomain to transfer references to the client on the reply.
#line 53
allow statsd incidentd:binder transfer;
#line 53
# Receive and use open files from the server.
#line 53
allow incidentd statsd:fd use;
#line 53
# section id 3026, allow reading /data/misc/perfetto-traces.
allow incidentd perfetto_traces_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow incidentd perfetto_traces_data_file:file { getattr open read ioctl lock map watch watch_reads };
# section id 3052, allow accessing nfc_service
allow incidentd nfc_service:service_manager find;
# Create and write into /data/misc/incidents
allow incidentd incident_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow incidentd incident_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Enable incidentd to get stack traces.
#line 67
# Call the servicemanager and transfer references to it.
#line 67
allow incidentd servicemanager:binder { call transfer };
#line 67
# Allow servicemanager to send out callbacks
#line 67
allow servicemanager incidentd:binder { call transfer };
#line 67
# servicemanager performs getpidcon on clients.
#line 67
allow servicemanager incidentd:dir search;
#line 67
allow servicemanager incidentd:file { read open };
#line 67
allow servicemanager incidentd:process getattr;
#line 67
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 67
# all domains in domain.te.
#line 67
#line 68
# Call the hwservicemanager and transfer references to it.
#line 68
allow incidentd hwservicemanager:binder { call transfer };
#line 68
# Allow hwservicemanager to send out callbacks
#line 68
allow hwservicemanager incidentd:binder { call transfer };
#line 68
# hwservicemanager performs getpidcon on clients.
#line 68
allow hwservicemanager incidentd:dir search;
#line 68
allow hwservicemanager incidentd:file { read open map };
#line 68
allow hwservicemanager incidentd:process getattr;
#line 68
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 68
# all domains in domain.te.
#line 68
allow incidentd hwservicemanager:hwservice_manager { list };
#line 70
allow incidentd hwservicemanager_prop:file { getattr open read map };
#line 70
allow incidentd hidl_manager_hwservice:hwservice_manager { find };
# Read files in /proc
allow incidentd {
proc_cmdline
proc_pid_max
proc_pipe_conf
proc_stat
}:file { getattr open read ioctl lock map watch watch_reads };
# Signal java processes to dump their stack and get the results. The `signal`
# permission covers every signal except SIGKILL, SIGSTOP and SIGCHLD (those
# have their own permissions), so this is wider than just the dump signal.
allow incidentd { appdomain ephemeral_app system_server }:process signal;
# Signal native processes to dump their stack (`signal` = any signal other than
# SIGKILL, SIGSTOP and SIGCHLD).
# This list should match native_processes_to_dump; it is cited as
# incidentd/utils.c here and as dumputils/dump_utils.cpp inline below - verify
# which location is current and keep the policy in sync with it.
allow incidentd {
# This list comes from native_processes_to_dump in dumputils/dump_utils.cpp
audioserver
cameraserver
drmserver
inputflinger
mediadrmserver
mediaextractor
mediametrics
mediaserver
sdcardd
statsd
surfaceflinger
# This list comes from hal_interfaces_to_dump in dumputils/dump_utils.cpp
hal_audio_server
hal_bluetooth_server
hal_camera_server
hal_codec2_server
hal_face_server
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
hal_omx_server
hal_sensors_server
hal_vr_server
}:process signal;
# Allow incidentd to make binder calls into system_server and any appdomain.
# (Only those two binder_call expansions follow; this is not "any binder
# service".)
#line 115
# Call the server domain and optionally transfer references to it.
#line 115
allow incidentd system_server:binder { call transfer };
#line 115
# Allow the serverdomain to transfer references to the client on the reply.
#line 115
allow system_server incidentd:binder transfer;
#line 115
# Receive and use open files from the server.
#line 115
allow incidentd system_server:fd use;
#line 115
#line 116
# Call the server domain and optionally transfer references to it.
#line 116
allow incidentd appdomain:binder { call transfer };
#line 116
# Allow the serverdomain to transfer references to the client on the reply.
#line 116
allow appdomain incidentd:binder transfer;
#line 116
# Receive and use open files from the server.
#line 116
allow incidentd appdomain:fd use;
#line 116
# Reading /proc/PID/maps of other processes: the rule that was here expanded
# to nothing in this policy (the bare ';' below), presumably a debug-only grant.
;
# Where incidentd holds CAP_SYS_PTRACE (not granted in this expansion, see
# above) it must only use it to read sensitive /proc/PID files, never to
# ptrace-attach; the neverallow makes that a compile-time guarantee.
neverallow incidentd *:process ptrace;
allow incidentd self:{ capability cap_userns } {
# CAP_KILL: signal processes of other UIDs. The set of targets is still
# bounded by the :process signal rules above.
kill
};
# Connect to tombstoned to intercept dumps.
#line 130
allow incidentd tombstoned_intercept_socket:sock_file write;
#line 130
allow incidentd tombstoned:unix_stream_socket connectto;
#line 130
# Run a shell (execute_no_trans: the shell runs in the incidentd domain).
allow incidentd shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# For running am, incident-helper-cmd and similar framework commands.
# Run /system/bin/app_process. This is execute_no_trans as well, so app_process
# and whatever it loads execute inside the incidentd domain.
allow incidentd zygote_exec:file { { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } } };
# Access the runtime feature flag properties.
#line 139
allow incidentd device_config_runtime_native_prop:file { getattr open read map };
#line 139
#line 140
allow incidentd device_config_runtime_native_boot_prop:file { getattr open read map };
#line 140
# Access odsign verification status.
#line 142
allow incidentd odsign_prop:file { getattr open read map };
#line 142
# ART locks profile files.
allow incidentd system_file:file lock;
# incidentd must never execute code from memory (e.g. the JIT/dalvik cache).
# The dontaudit rules below only silence those expected denials; they grant
# nothing.
dontaudit incidentd dalvikcache_data_file:dir { open getattr read search ioctl lock watch watch_reads };
dontaudit incidentd apex_module_data_file:dir { open getattr read search ioctl lock watch watch_reads };
dontaudit incidentd apex_art_data_file:dir { open getattr read search ioctl lock watch watch_reads };
dontaudit incidentd tmpfs:file { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } { getattr execute execute_no_trans map } };
# Allow incidentd to read /apex/apex-info-list.xml
allow incidentd apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
# logd access - work to be done is a PII safe log (possibly an event log?)
# TODO control_logd(incidentd)
# Access /data/misc/logd
#line 159
allow incidentd misc_logd_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 159
allow incidentd misc_logd_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 159
# Allow incidentd to find these standard groups of services.
# Others can be allowlisted individually.
allow incidentd {
system_server_service
app_api_service
system_api_service
-tracingproxy_service
}:service_manager find;
# Only incidentd can publish the binder service
#line 171
allow incidentd incident_service:service_manager { add find };
#line 171
neverallow { domain -incidentd } incident_service:service_manager add;
#line 171
#line 171
# On debug builds with root, allow binder services to use binder over TCP.
#line 171
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
# (That debug-only rule expanded to nothing in this policy.)
#line 171
#line 171
# Allow pipes only from dumpstate and incident
allow incidentd { dumpstate incident }:fd use;
allow incidentd { dumpstate incident }:fifo_file write;
# Allow incidentd to call back into the incident command with status updates
# (binder_call(incidentd, incident); incident only gets `transfer` back, i.e.
# the reply path).
#line 178
# Call the server domain and optionally transfer references to it.
#line 178
allow incidentd incident:binder { call transfer };
#line 178
# Allow the serverdomain to transfer references to the client on the reply.
#line 178
allow incident incidentd:binder transfer;
#line 178
# Receive and use open files from the server.
#line 178
allow incidentd incident:fd use;
#line 178
# Read device serial number from system properties
# This is used to track reports from lab testing devices
# (the get_prop rule expanded to nothing in this policy; no access is present here)
#line 184
# Read ro.boot.bootreason, persist.sys.boot.bootreason
# This is used to track reports from lab testing devices
# (the get_prop rule expanded to nothing in this policy; no access is present here)
#line 192
# Allow incident to read the build properties for attestation feature
#line 195
allow incidentd build_attestation_prop:file { getattr open read map };
#line 195
;
###
### neverallow rules
###
# Only incidentd, init and vold are exempted from the neverallow on creating,
# modifying or executing files in /data/misc/incidents; system_server is
# additionally exempted for read (second neverallow). Everyone else is
# forbidden at compile time.
#
# write, execute, append are forbidden almost everywhere (`append` appears
# twice in the set below, once via w_file_perms; harmless but redundant)
neverallow { domain -incidentd -init -vold } incident_data_file:file {
{ open append write lock map }
{ getattr execute execute_no_trans map }
create
rename
setattr
unlink
append
};
# read is also allowed by system_server, for when the file is handed to dropbox
neverallow { domain -incidentd -init -vold -system_server } incident_data_file:file { getattr open read ioctl lock map watch watch_reads };
# limited access to the directory itself
neverallow { domain -incidentd -init -vold } incident_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
#line 1 "system/sepolicy/private/init.te"
typeattribute init coredomain;
#line 3
type_transition init tmpfs:file init_tmpfs;
#line 3
allow init init_tmpfs:file { read write getattr map };
#line 3
# Transitions to processes whose domain is set explicitly by `seclabel` in
# init.rc: these domain_trans expansions grant the transition but define no
# type_transition default.
#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow init rootfs:file { getattr open read execute map };
#line 6
allow init slideshow:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow slideshow rootfs:file { entrypoint open read execute getattr map };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit init slideshow:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow init slideshow:process { siginh rlimitinh };
#line 6
#line 7
# Allow the necessary permissions.
#line 7
#line 7
# Old domain may exec the file and transition to the new domain.
#line 7
allow init charger_exec:file { getattr open read execute map };
#line 7
allow init charger:process transition;
#line 7
# New domain is entered by executing the file.
#line 7
allow charger charger_exec:file { entrypoint open read execute getattr map };
#line 7
# New domain can send SIGCHLD to its caller.
#line 7
#line 7
# Enable AT_SECURE, i.e. libc secure mode.
#line 7
dontaudit init charger:process noatsecure;
#line 7
# XXX dontaudit candidate but requires further study.
#line 7
allow init charger:process { siginh rlimitinh };
#line 7
#line 7
# Make the transition occur by default.
#line 7
type_transition init charger_exec:process charger;
#line 7
#line 8
# Allow the necessary permissions.
#line 8
#line 8
# Old domain may exec the file and transition to the new domain.
#line 8
allow init e2fs_exec:file { getattr open read execute map };
#line 8
allow init e2fs:process transition;
#line 8
# New domain is entered by executing the file.
#line 8
allow e2fs e2fs_exec:file { entrypoint open read execute getattr map };
#line 8
# New domain can send SIGCHLD to its caller.
#line 8
#line 8
# Enable AT_SECURE, i.e. libc secure mode.
#line 8
dontaudit init e2fs:process noatsecure;
#line 8
# XXX dontaudit candidate but requires further study.
#line 8
allow init e2fs:process { siginh rlimitinh };
#line 8
#line 8
# Make the transition occur by default.
#line 8
type_transition init e2fs_exec:process e2fs;
#line 8
#line 9
# Allow the necessary permissions.
#line 9
#line 9
# Old domain may exec the file and transition to the new domain.
#line 9
allow init bpfloader_exec:file { getattr open read execute map };
#line 9
allow init bpfloader:process transition;
#line 9
# New domain is entered by executing the file.
#line 9
allow bpfloader bpfloader_exec:file { entrypoint open read execute getattr map };
#line 9
# New domain can send SIGCHLD to its caller.
#line 9
#line 9
# Enable AT_SECURE, i.e. libc secure mode.
#line 9
dontaudit init bpfloader:process noatsecure;
#line 9
# XXX dontaudit candidate but requires further study.
#line 9
allow init bpfloader:process { siginh rlimitinh };
#line 9
#line 9
# Make the transition occur by default.
#line 9
type_transition init bpfloader_exec:process bpfloader;
#line 9
#line 23
#line 24
# Old domain may exec the file and transition to the new domain.
#line 24
allow init shell_exec:file { getattr open read execute map };
#line 24
allow init shell:process transition;
#line 24
# New domain is entered by executing the file.
#line 24
allow shell shell_exec:file { entrypoint open read execute getattr map };
#line 24
# New domain can send SIGCHLD to its caller.
#line 24
#line 24
# Enable AT_SECURE, i.e. libc secure mode.
#line 24
dontaudit init shell:process noatsecure;
#line 24
# XXX dontaudit candidate but requires further study.
#line 24
allow init shell:process { siginh rlimitinh };
#line 24
#line 25
# Old domain may exec the file and transition to the new domain.
#line 25
allow init init_exec:file { getattr open read execute map };
#line 25
allow init ueventd:process transition;
#line 25
# New domain is entered by executing the file.
#line 25
allow ueventd init_exec:file { entrypoint open read execute getattr map };
#line 25
# New domain can send SIGCHLD to its caller.
#line 25
#line 25
# Enable AT_SECURE, i.e. libc secure mode.
#line 25
dontaudit init ueventd:process noatsecure;
#line 25
# XXX dontaudit candidate but requires further study.
#line 25
allow init ueventd:process { siginh rlimitinh };
#line 25
#line 26
# Old domain may exec the file and transition to the new domain.
#line 26
allow init init_exec:file { getattr open read execute map };
#line 26
allow init vendor_init:process transition;
#line 26
# New domain is entered by executing the file.
#line 26
allow vendor_init init_exec:file { entrypoint open read execute getattr map };
#line 26
# New domain can send SIGCHLD to its caller.
#line 26
#line 26
# Enable AT_SECURE, i.e. libc secure mode.
#line 26
dontaudit init vendor_init:process noatsecure;
#line 26
# XXX dontaudit candidate but requires further study.
#line 26
allow init vendor_init:process { siginh rlimitinh };
#line 26
#line 27
# Old domain may exec the file and transition to the new domain.
#line 27
allow init { rootfs toolbox_exec }:file { getattr open read execute map };
#line 27
allow init modprobe:process transition;
#line 27
# New domain is entered by executing the file.
#line 27
allow modprobe { rootfs toolbox_exec }:file { entrypoint open read execute getattr map };
#line 27
# New domain can send SIGCHLD to its caller.
#line 27
#line 27
# Enable AT_SECURE, i.e. libc secure mode.
#line 27
dontaudit init modprobe:process noatsecure;
#line 27
# XXX dontaudit candidate but requires further study.
#line 27
allow init modprobe:process { siginh rlimitinh };
#line 27
#line 36
# Allow init to figure out the name of a dm-device from its /dev/block/dm-XX path.
# This is useful in case of remounting ext4 userdata into checkpointing mode,
# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypt)
# that userdata is mounted onto.
allow init sysfs_dm:file read;
# Allow init to modify the properties of loop devices.
allow init sysfs_loop:dir { open getattr read search ioctl lock watch watch_reads };
allow init sysfs_loop:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow init to examine the properties of block devices.
allow init sysfs_type:file { getattr read };
# Allow init to get the attributes of block devices in /dev/block.
allow init dev_type:dir { open getattr read search ioctl lock watch watch_reads };
allow init dev_type:blk_file getattr;
# Allow init to write to the drop_caches file.
allow init proc_drop_caches:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow the BoringSSL self test to request a reboot upon failure
#line 58
#line 58
allow init property_socket:sock_file write;
#line 58
allow init init:unix_stream_socket connectto;
#line 58
#line 58
allow init powerctl_prop:property_service set;
#line 58
#line 58
allow init powerctl_prop:file { getattr open read map };
#line 58
#line 58
# Only init is allowed to set userspace reboot related properties.
#line 61
#line 61
allow init property_socket:sock_file write;
#line 61
allow init init:unix_stream_socket connectto;
#line 61
#line 61
allow init userspace_reboot_exported_prop:property_service set;
#line 61
#line 61
allow init userspace_reboot_exported_prop:file { getattr open read map };
#line 61
#line 61
neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
# Second-stage init performs a test for whether the kernel has SELinux hooks
# for the perf_event_open() syscall. This is done by testing for the syscall
# outcomes corresponding to this policy.
# TODO(b/137092007): this can be removed once the platform stops supporting
# kernels that precede the perf_event_open hooks (Android common kernels 4.4
# and 4.9).
allow init self:perf_event { open cpu };
allow init self:{ capability2 cap2_userns } perfmon;
neverallow init self:perf_event { kernel tracepoint read write };
dontaudit init self:perf_event { kernel tracepoint read write };
# Allow init to communicate with snapuserd to transition Virtual A/B devices
# from the first-stage daemon to the second-stage.
allow init snapuserd_socket:sock_file write;
allow init snapuserd:unix_stream_socket connectto;
# Allow for libsnapshot's use of flock() on /metadata/ota.
allow init ota_metadata_file:dir lock;
# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
# /dev/block.
allow init vd_device:blk_file relabelto;
# Only init is allowed to set the sysprop indicating whether perf_event_open()
# SELinux hooks were detected.
#line 88
#line 88
allow init property_socket:sock_file write;
#line 88
allow init init:unix_stream_socket connectto;
#line 88
#line 88
allow init init_perf_lsm_hooks_prop:property_service set;
#line 88
#line 88
allow init init_perf_lsm_hooks_prop:file { getattr open read map };
#line 88
#line 88
neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
# Only init can write vts.native_server.on
#line 92
#line 92
allow init property_socket:sock_file write;
#line 92
allow init init:unix_stream_socket connectto;
#line 92
#line 92
allow init vts_status_prop:property_service set;
#line 92
#line 92
allow init vts_status_prop:file { getattr open read map };
#line 92
#line 92
neverallow { domain -init } vts_status_prop:property_service set;
# Only init can write normal ro.boot. properties
neverallow { domain -init } bootloader_prop:property_service set;
# Only init can write hal.instrumentation.enable
neverallow { domain -init } hal_instrumentation_prop:property_service set;
# Only init can write ro.property_service.version
neverallow { domain -init } property_service_version_prop:property_service set;
# Only init can set keystore.boot_level
neverallow { domain -init } keystore_listen_prop:property_service set;
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file { open append write lock map };
# PRNG seeder daemon socket is created and listened on by init before forking.
allow init prng_seeder:unix_stream_socket { create bind listen };
# Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will
# attempt to write a non-existing 'synthetic_events' file when setting
# up synthetic events. This is a no-op in tracefs, so the denial is only
# silenced (dontaudit), not allowed.
dontaudit init debugfs_tracing_debug:dir { write add_name };
# chown/chmod (chr_file setattr) on device nodes. This is granted on the whole
# dev_type attribute minus the exclusions below, so any newly added device type
# is covered unless it is added to the exclusion list.
allow init {
dev_type
-hw_random_device
-keychord_device
-vm_manager_device_type
-port_device
}:chr_file setattr;
#line 1 "system/sepolicy/private/inputflinger.te"
# inputflinger: coredomain daemon started by init. Everything below is the
# expansion of the init daemon transition macro: init may exec
# inputflinger_exec and transition into inputflinger, and the type_transition
# makes that the default label for the process.
typeattribute inputflinger coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init inputflinger_exec:file { getattr open read execute map };
#line 3
allow init inputflinger:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow inputflinger inputflinger_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
# (No sigchld rule is emitted in this expansion for init-started daemons;
# presumably it is granted domain-wide elsewhere - verify in domain.te.)
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init inputflinger:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init inputflinger:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init inputflinger_exec:process inputflinger;
#line 3
#line 3
#line 1 "system/sepolicy/private/installd.te"
typeattribute installd coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init installd_exec:file { getattr open read execute map };
#line 3
allow init installd:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow installd installd_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init installd:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init installd:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init installd_exec:process installd;
#line 3
#line 3
# Run migrate_legacy_obb_data.sh in its own sandbox.
#line 6
# Allow the necessary permissions.
#line 6
#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow installd migrate_legacy_obb_data_exec:file { getattr open read execute map };
#line 6
allow installd migrate_legacy_obb_data:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow migrate_legacy_obb_data migrate_legacy_obb_data_exec:file { entrypoint open read execute getattr map };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
allow migrate_legacy_obb_data installd:process sigchld;
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit installd migrate_legacy_obb_data:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow installd migrate_legacy_obb_data:process { siginh rlimitinh };
#line 6
#line 6
# Make the transition occur by default.
#line 6
type_transition installd migrate_legacy_obb_data_exec:process migrate_legacy_obb_data;
#line 6
allow installd shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Run dex2oat in its own sandbox.
#line 10
# Allow the necessary permissions.
#line 10
#line 10
# Old domain may exec the file and transition to the new domain.
#line 10
allow installd dex2oat_exec:file { getattr open read execute map };
#line 10
allow installd dex2oat:process transition;
#line 10
# New domain is entered by executing the file.
#line 10
allow dex2oat dex2oat_exec:file { entrypoint open read execute getattr map };
#line 10
# New domain can send SIGCHLD to its caller.
#line 10
allow dex2oat installd:process sigchld;
#line 10
# Enable AT_SECURE, i.e. libc secure mode.
#line 10
dontaudit installd dex2oat:process noatsecure;
#line 10
# XXX dontaudit candidate but requires further study.
#line 10
allow installd dex2oat:process { siginh rlimitinh };
#line 10
#line 10
# Make the transition occur by default.
#line 10
type_transition installd dex2oat_exec:process dex2oat;
#line 10
# Run dexoptanalyzer in its own sandbox.
#line 13
# Allow the necessary permissions.
#line 13
#line 13
# Old domain may exec the file and transition to the new domain.
#line 13
allow installd dexoptanalyzer_exec:file { getattr open read execute map };
#line 13
allow installd dexoptanalyzer:process transition;
#line 13
# New domain is entered by executing the file.
#line 13
allow dexoptanalyzer dexoptanalyzer_exec:file { entrypoint open read execute getattr map };
#line 13
# New domain can send SIGCHLD to its caller.
#line 13
allow dexoptanalyzer installd:process sigchld;
#line 13
# Enable AT_SECURE, i.e. libc secure mode.
#line 13
dontaudit installd dexoptanalyzer:process noatsecure;
#line 13
# XXX dontaudit candidate but requires further study.
#line 13
allow installd dexoptanalyzer:process { siginh rlimitinh };
#line 13
#line 13
# Make the transition occur by default.
#line 13
type_transition installd dexoptanalyzer_exec:process dexoptanalyzer;
#line 13
# Run viewcompiler in its own sandbox.
#line 16
# Allow the necessary permissions.
#line 16
#line 16
# Old domain may exec the file and transition to the new domain.
#line 16
allow installd viewcompiler_exec:file { getattr open read execute map };
#line 16
allow installd viewcompiler:process transition;
#line 16
# New domain is entered by executing the file.
#line 16
allow viewcompiler viewcompiler_exec:file { entrypoint open read execute getattr map };
#line 16
# New domain can send SIGCHLD to its caller.
#line 16
allow viewcompiler installd:process sigchld;
#line 16
# Enable AT_SECURE, i.e. libc secure mode.
#line 16
dontaudit installd viewcompiler:process noatsecure;
#line 16
# XXX dontaudit candidate but requires further study.
#line 16
allow installd viewcompiler:process { siginh rlimitinh };
#line 16
#line 16
# Make the transition occur by default.
#line 16
type_transition installd viewcompiler_exec:process viewcompiler;
#line 16
# Run profman in its own sandbox.
#line 19
# Allow the necessary permissions.
#line 19
#line 19
# Old domain may exec the file and transition to the new domain.
#line 19
allow installd profman_exec:file { getattr open read execute map };
#line 19
allow installd profman:process transition;
#line 19
# New domain is entered by executing the file.
#line 19
allow profman profman_exec:file { entrypoint open read execute getattr map };
#line 19
# New domain can send SIGCHLD to its caller.
#line 19
allow profman installd:process sigchld;
#line 19
# Enable AT_SECURE, i.e. libc secure mode.
#line 19
dontaudit installd profman:process noatsecure;
#line 19
# XXX dontaudit candidate but requires further study.
#line 19
allow installd profman:process { siginh rlimitinh };
#line 19
#line 19
# Make the transition occur by default.
#line 19
type_transition installd profman_exec:process profman;
#line 19
# Run idmap in its own sandbox.
#line 22
# Allow the necessary permissions.
#line 22
#line 22
# Old domain may exec the file and transition to the new domain.
#line 22
allow installd idmap_exec:file { getattr open read execute map };
#line 22
allow installd idmap:process transition;
#line 22
# New domain is entered by executing the file.
#line 22
allow idmap idmap_exec:file { entrypoint open read execute getattr map };
#line 22
# New domain can send SIGCHLD to its caller.
#line 22
allow idmap installd:process sigchld;
#line 22
# Enable AT_SECURE, i.e. libc secure mode.
#line 22
dontaudit installd idmap:process noatsecure;
#line 22
# XXX dontaudit candidate but requires further study.
#line 22
allow installd idmap:process { siginh rlimitinh };
#line 22
#line 22
# Make the transition occur by default.
#line 22
type_transition installd idmap_exec:process idmap;
#line 22
# For collecting bugreports.
allow installd dumpstate:fd use;
allow installd dumpstate:fifo_file { getattr open read ioctl lock map watch watch_reads };
# Delete artifacts generated by /system/bin/bcc.
allow installd app_exec_data_file:file unlink;
# Capture userdata snapshots to /data/misc_[ce|de]/rollback and
# subsequently restore them.
allow installd rollback_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow installd rollback_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow installd to access the runtime feature flag properties.
#line 37
allow installd device_config_runtime_native_prop:file { getattr open read map };
#line 37
#line 38
allow installd device_config_runtime_native_boot_prop:file { getattr open read map };
#line 38
# Allow installd to read the apk verity feature flag (legacy case).
#line 41
allow installd apk_verity_prop:file { getattr open read map };
#line 41
# Allow installd to access odsign verification status
#line 44
allow installd odsign_prop:file { getattr open read map };
#line 44
# Allow installd to delete files in /data/staging
allow installd staging_data_file:file unlink;
allow installd staging_data_file:dir { open read remove_name rmdir search write getattr };
allow installd { dex2oat dexoptanalyzer }:process signal;
# installd kills subprocesses if they time out.
allow installd { dex2oat dexoptanalyzer profman }:process sigkill;
# Allow installd to manage dirs in /data/misc_ce/0/sdksandbox.
allow installd sdk_sandbox_system_data_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelfrom };
# Allow installd to enable fs-verity on an app file passed as an FD (ioctl 0x6685 is FS_IOC_ENABLE_VERITY).
allow installd { untrusted_app_all priv_app gmscore_app }:fd use;
allowxperm installd app_data_file_type:file ioctl 0x6685;
#line 1 "system/sepolicy/private/isolated_app.te"
###
### isolated_apps.
###
### This file defines the rules for isolated apps that do not wish to use
### service managers and do not require extra computational resources.
###
typeattribute isolated_app coredomain;
#line 10
typeattribute isolated_app appdomain;
#line 10
# Label tmpfs objects for all apps.
#line 10
type_transition isolated_app tmpfs:file appdomain_tmpfs;
#line 10
#line 10
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 10
type isolated_app_userfaultfd;
#line 10
type_transition isolated_app isolated_app:anon_inode isolated_app_userfaultfd "[userfaultfd]";
#line 10
# Allow domain to create/use userfaultfd anon_inode.
#line 10
allow isolated_app isolated_app_userfaultfd:anon_inode { create ioctl read };
#line 10
# Suppress denials generated during bugreport.
#line 10
dontaudit su isolated_app_userfaultfd:anon_inode *;
#line 10
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 10
neverallow { domain -isolated_app } isolated_app_userfaultfd:anon_inode *;
#line 10
#line 10
allow isolated_app appdomain_tmpfs:file { execute getattr map read write };
#line 10
neverallow { isolated_app -runas_app -shell -simpleperf } { domain -isolated_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 10
neverallow { appdomain -runas_app -shell -simpleperf -isolated_app } isolated_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 10
# The Android security model guarantees the confidentiality and integrity
#line 10
# of application data and execution state. Ptrace bypasses those
#line 10
# confidentiality guarantees. Disallow ptrace access from system components to
#line 10
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 10
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 10
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 10
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 10
# live lock conditions.
#line 10
neverallow { domain -isolated_app -crash_dump -runas_app -simpleperf } isolated_app:process ptrace;
#line 10
#line 11
typeattribute isolated_app isolated_app_all;
#line 11
allow isolated_app webviewupdate_service:service_manager find;
# Allow access to network sockets received over IPC. New socket creation is not
# permitted.
allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
# by other processes. Open should never be allowed, and is blocked by
# neverallow rules on the isolated_app_all attribute.
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
# is modified to change the secontext when accessing the lower filesystem.
allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map };
# For webviews, isolated_app processes can be forked from the webview_zygote
# in addition to the zygote. Allow access to resources inherited from the
# webview_zygote process. These rules are specialized copies of the ones in app.te.
# Inherit FDs from the webview_zygote.
allow isolated_app webview_zygote:fd use;
# Notify webview_zygote of child death.
allow isolated_app webview_zygote:process sigchld;
# Inherit logd write socket.
allow isolated_app webview_zygote:unix_dgram_socket write;
# Read system properties managed by webview_zygote.
allow isolated_app webview_zygote_tmpfs:file read;
#line 1 "system/sepolicy/private/isolated_app_all.te"
###
### isolated_app_all.
###
### Services with isolatedProcess=true in their manifest.
###
### This file defines the rules shared by all isolated apps. An "isolated
### app" is an APP with UID between AID_ISOLATED_START (99000)
### and AID_ISOLATED_END (99999).
###
# Access already open app data files received over Binder or local socket IPC.
allow isolated_app_all { app_data_file privapp_data_file sdk_sandbox_data_file}:file { append read write getattr lock map };
allow isolated_app_all activity_service:service_manager find;
allow isolated_app_all display_service:service_manager find;
# Google Breakpad (crash reporter for Chrome) relies on ptrace
# functionality. Without the ability to ptrace, the crash reporter
# tool is broken.
# b/20150694
# https://code.google.com/p/chromium/issues/detail?id=475270
allow isolated_app_all self:process ptrace;
# Inherit FDs from the app_zygote.
allow isolated_app_all app_zygote:fd use;
# Notify app_zygote of child death.
allow isolated_app_all app_zygote:process sigchld;
# Inherit logd write socket.
allow isolated_app_all app_zygote:unix_dgram_socket write;
# TODO (b/63631799) fix this access
# suppress denials to /data/local/tmp
dontaudit isolated_app_all shell_data_file:dir search;
# Allow reading (but not opening) staged apks.
allow isolated_app_all { apk_tmp_file apk_private_tmp_file }:file { read getattr };
#####
##### Neverallow
#####
# Isolated apps should not directly open app data files themselves.
neverallow isolated_app_all app_data_file_type:file open;
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
# TODO: should we tighten these restrictions further?
neverallow isolated_app_all anr_data_file:file ~{ open append };
neverallow isolated_app_all anr_data_file:dir ~search;
# Isolated apps must not be permitted to use HwBinder
neverallow { isolated_app_all -isolated_compute_app } hwbinder_device:chr_file *;
neverallow { isolated_app_all -isolated_compute_app } *:hwservice_manager *;
# Isolated apps must not be permitted to use VndBinder
neverallow isolated_app_all vndbinder_device:chr_file *;
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
# except the find actions for services allowlisted below.
neverallow { isolated_app_all -isolated_compute_app } *:service_manager ~find;
# b/17487348
# Isolated apps can only access three services,
# activity_service, display_service, webviewupdate_service.
neverallow { isolated_app_all -isolated_compute_app } {
service_manager_type
-activity_service
-display_service
-webviewupdate_service
}:service_manager find;
# Isolated apps shouldn't be able to access the GPU driver directly.
neverallow isolated_app_all gpu_device:chr_file { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } execute };
# Do not allow isolated_apps access to /cache
neverallow isolated_app_all cache_file:dir ~{ { open getattr read search ioctl lock watch watch_reads } };
neverallow isolated_app_all cache_file:file ~{ read getattr };
# Do not allow isolated_app_all to access external storage, except for files passed
# via file descriptors (b/32896414).
neverallow isolated_app_all { storage_file mnt_user_file sdcard_type fuse }:dir ~getattr;
neverallow isolated_app_all { storage_file mnt_user_file }:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } *;
neverallow isolated_app_all { sdcard_type fuse }:{ { chr_file blk_file } lnk_file sock_file fifo_file } *;
neverallow isolated_app_all { sdcard_type fuse }:file ~{ read write append getattr lock map };
# Do not allow USB access
neverallow isolated_app_all { usb_device usbaccessory_device }:chr_file *;
# Restrict the webview_zygote control socket.
neverallow isolated_app_all webview_zygote:sock_file write;
# Limit the /sys files which isolated_app_all can access. This is important
# for controlling isolated_app_all attack surface.
# TODO (b/266555480): The permission should be guarded by compliance test.
# Remove the negation for member domains when the refactoring is done.
neverallow { isolated_app_all -isolated_compute_app } {
sysfs_type
-sysfs_devices_system_cpu
-sysfs_transparent_hugepage
-sysfs_usb # TODO: check with audio team if needed for isolated_apps (b/28417852)
-sysfs_fs_fuse_features
-sysfs_fs_incfs_features
}:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# No creation of socket families other than AF_UNIX sockets.
# List taken from system/sepolicy/public/global_macros - socket_class_set
# excluding unix_stream_socket and unix_dgram_socket.
# Many of these are socket families which have never and will never
# be compiled into the Android kernel.
neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox_all untrusted_app_all }:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
key_socket appletalk_socket netlink_route_socket
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket
netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket
netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket
netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket
rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket
ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
qipcrtr_socket smc_socket xdp_socket
} create;
#line 1 "system/sepolicy/private/isolated_compute_app.te"
###
### isolated_compute_apps.
###
### This file defines the rules for isolated apps that require permission
### to gather data via service manager and require computational resources
### to process data efficiently under a sandbox. This
### isolated_compute_app restricts data egress to protect privacy.
###
### TODO(b/266923392): Clean rules for isolated_compute_app characteristics
###
typeattribute isolated_compute_app coredomain;
#line 14
typeattribute isolated_compute_app appdomain;
#line 14
# Label tmpfs objects for all apps.
#line 14
type_transition isolated_compute_app tmpfs:file appdomain_tmpfs;
#line 14
#line 14
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 14
type isolated_compute_app_userfaultfd;
#line 14
type_transition isolated_compute_app isolated_compute_app:anon_inode isolated_compute_app_userfaultfd "[userfaultfd]";
#line 14
# Allow domain to create/use userfaultfd anon_inode.
#line 14
allow isolated_compute_app isolated_compute_app_userfaultfd:anon_inode { create ioctl read };
#line 14
# Suppress denials generated during bugreport.
#line 14
dontaudit su isolated_compute_app_userfaultfd:anon_inode *;
#line 14
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 14
neverallow { domain -isolated_compute_app } isolated_compute_app_userfaultfd:anon_inode *;
#line 14
#line 14
allow isolated_compute_app appdomain_tmpfs:file { execute getattr map read write };
#line 14
neverallow { isolated_compute_app -runas_app -shell -simpleperf } { domain -isolated_compute_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 14
neverallow { appdomain -runas_app -shell -simpleperf -isolated_compute_app } isolated_compute_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 14
# The Android security model guarantees the confidentiality and integrity
#line 14
# of application data and execution state. Ptrace bypasses those
#line 14
# confidentiality guarantees. Disallow ptrace access from system components to
#line 14
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 14
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 14
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 14
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 14
# live lock conditions.
#line 14
neverallow { domain -isolated_compute_app -crash_dump -runas_app -simpleperf } isolated_compute_app:process ptrace;
#line 14
#line 15
typeattribute isolated_compute_app isolated_app_all;
#line 15
allow isolated_compute_app isolated_compute_allowed_service:service_manager find;
allow isolated_compute_app isolated_compute_allowed_device:chr_file { read write ioctl map };
# Enable access to hardware services for camera functionalities.
#line 21
typeattribute isolated_compute_app halclientdomain;
#line 21
typeattribute isolated_compute_app hal_allocator_client;
#line 21
#line 21
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 21
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 21
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 21
#line 21
typeattribute isolated_compute_app hal_allocator;
#line 21
# Find passthrough HAL implementations
#line 21
allow hal_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 21
allow hal_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 21
allow hal_allocator vendor_file:file { read open getattr execute map };
#line 21
#line 21
#line 22
# Call the hwservicemanager and transfer references to it.
#line 22
allow isolated_compute_app hwservicemanager:binder { call transfer };
#line 22
# Allow hwservicemanager to send out callbacks
#line 22
allow hwservicemanager isolated_compute_app:binder { call transfer };
#line 22
# hwservicemanager performs getpidcon on clients.
#line 22
allow hwservicemanager isolated_compute_app:dir search;
#line 22
allow hwservicemanager isolated_compute_app:file { read open map };
#line 22
allow hwservicemanager isolated_compute_app:process getattr;
#line 22
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 22
# all domains in domain.te.
#line 22
#line 24
typeattribute isolated_compute_app halclientdomain;
#line 24
typeattribute isolated_compute_app hal_codec2_client;
#line 24
#line 24
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 24
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 24
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 24
#line 24
typeattribute isolated_compute_app hal_codec2;
#line 24
# Find passthrough HAL implementations
#line 24
allow hal_codec2 system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 24
allow hal_codec2 vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 24
allow hal_codec2 vendor_file:file { read open getattr execute map };
#line 24
#line 24
allow isolated_compute_app dmabuf_system_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# Allow access to network sockets received over IPC. New socket creation is not
# permitted.
allow isolated_compute_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# Allow access to the toybox: b/275024392
allow isolated_compute_app toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#####
##### Neverallow
#####
# Do not allow isolated_compute_app to access hardware service except for the
# ones necessary for camera service.
# TODO (b/266555480): The permission should be guarded by compliance test.
# Remove the negation for member domains when the refactoring is done.
# neverallow isolated_compute_app {
# hwservice_manager_type
# -hal_graphics_allocator_hwservice
# -hal_graphics_mapper_hwservice
# -hidl_allocator_hwservice
# -hidl_manager_hwservice
# -hidl_memory_hwservice
# }:hwservice_manager *;
#line 1 "system/sepolicy/private/iw.te"
type iw, domain, coredomain;
type iw_exec, system_file_type, exec_type, file_type;
#line 4
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init iw_exec:file { getattr open read execute map };
#line 4
allow init iw:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow iw iw_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init iw:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init iw:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition init iw_exec:process iw;
#line 4
#line 4
#line 1 "system/sepolicy/private/kernel.te"
typeattribute kernel coredomain;
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow kernel init_exec:file { getattr open read execute map };
#line 3
allow kernel init:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow init init_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
allow init kernel:process sigchld;
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit kernel init:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow kernel init:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition kernel init_exec:process init;
#line 3
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow kernel snapuserd_exec:file { getattr open read execute map };
#line 4
allow kernel snapuserd:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow snapuserd snapuserd_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
allow snapuserd kernel:process sigchld;
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit kernel snapuserd:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow kernel snapuserd:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition kernel snapuserd_exec:process snapuserd;
#line 4
# Allow the kernel to read otapreopt_chroot's file descriptors and files under
# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
allow kernel otapreopt_chroot:fd use;
allow kernel postinstall_file:file read;
# The following sections are for the transition period during a Virtual A/B
# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
# context, and with properly labelled devices. This must be done before
# enabling enforcement, e.g., in permissive mode while still in the kernel
# context.
allow kernel tmpfs:blk_file { getattr relabelfrom };
allow kernel tmpfs:chr_file { getattr relabelfrom };
allow kernel tmpfs:lnk_file { getattr relabelfrom };
allow kernel tmpfs:dir { open read relabelfrom };
allow kernel block_device:blk_file relabelto;
allow kernel block_device:lnk_file relabelto;
allow kernel dm_device:chr_file relabelto;
allow kernel dm_device:blk_file relabelto;
allow kernel dm_user_device:dir { read open search relabelto };
allow kernel dm_user_device:chr_file relabelto;
allow kernel kmsg_device:chr_file relabelto;
allow kernel null_device:chr_file relabelto;
allow kernel random_device:chr_file relabelto;
allow kernel snapuserd_exec:file relabelto;
allow kernel kmsg_device:chr_file write;
allow kernel gsid:fd use;
dontaudit kernel metadata_file:dir search;
dontaudit kernel ota_metadata_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
dontaudit kernel sysfs:dir { open getattr read search ioctl lock watch watch_reads };
dontaudit kernel sysfs:file { open read write };
dontaudit kernel sysfs:chr_file { open read write };
dontaudit kernel dm_device:chr_file ioctl;
dontaudit kernel self:capability { sys_admin setgid mknod };
dontaudit kernel dm_user_device:dir { write add_name };
dontaudit kernel dm_user_device:chr_file { create setattr };
dontaudit kernel tmpfs:lnk_file read;
dontaudit kernel tmpfs:blk_file { open read };
#line 1 "system/sepolicy/private/keystore.te"
typeattribute keystore coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init keystore_exec:file { getattr open read execute map };
#line 3
allow init keystore:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow keystore keystore_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init keystore:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init keystore:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init keystore_exec:process keystore;
#line 3
#line 3
# talk to keymaster
#line 6
typeattribute keystore halclientdomain;
#line 6
typeattribute keystore hal_keymaster_client;
#line 6
#line 6
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 6
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 6
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 6
#line 6
typeattribute keystore hal_keymaster;
#line 6
# Find passthrough HAL implementations
#line 6
allow hal_keymaster system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 6
allow hal_keymaster vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 6
allow hal_keymaster vendor_file:file { read open getattr execute map };
#line 6
#line 6
# talk to confirmationui
#line 9
typeattribute keystore halclientdomain;
#line 9
typeattribute keystore hal_confirmationui_client;
#line 9
#line 9
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 9
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 9
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 9
#line 9
typeattribute keystore hal_confirmationui;
#line 9
# Find passthrough HAL implementations
#line 9
allow hal_confirmationui system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow hal_confirmationui vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow hal_confirmationui vendor_file:file { read open getattr execute map };
#line 9
#line 9
# talk to keymint
#line 12
typeattribute keystore halclientdomain;
#line 12
typeattribute keystore hal_keymint_client;
#line 12
#line 12
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 12
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 12
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 12
#line 12
typeattribute keystore hal_keymint;
#line 12
# Find passthrough HAL implementations
#line 12
allow hal_keymint system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow hal_keymint vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow hal_keymint vendor_file:file { read open getattr execute map };
#line 12
#line 12
# Ignore keystore's attempts to access the AVF RKP HAL; keystore is not supposed to
# access it.
# TODO(b/312427637): Investigate the reason and fix the denial.
dontaudit keystore hal_remotelyprovisionedcomponent_avf_service:service_manager { find };
# This is used for the ConfirmationUI async callback.
allow keystore platform_app:binder call;
# Allow to check whether security logging is enabled.
#line 23
allow keystore device_logging_prop:file { getattr open read map };
#line 23
# Allow keystore to check if the system is rkp only.
#line 26
allow keystore remote_prov_prop:file { getattr open read map };
#line 26
# Allow keystore to check rkpd feature flags
#line 29
allow keystore device_config_remote_key_provisioning_native_prop:file { getattr open read map };
#line 29
# Allow keystore to write to statsd.
#line 32
allow keystore statsdw_socket:sock_file write;
#line 32
allow keystore statsd:unix_dgram_socket sendto;
#line 32
# Keystore needs access to the keystore2_key_contexts file to load the keystore key backend.
allow keystore keystore2_key_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow keystore to listen to changing boot levels
#line 38
allow keystore keystore_listen_prop:file { getattr open read map };
#line 38
# Keystore needs to transfer binder references to vold so that it
# can call keystore methods on those references.
allow keystore vold:binder transfer;
# Only keystore can set keystore.crash_count system property. Since init is allowed to set any
# system property, an exception is added for init as well.
#line 46
#line 46
allow keystore property_socket:sock_file write;
#line 46
allow keystore init:unix_stream_socket connectto;
#line 46
#line 46
allow keystore keystore_crash_prop:property_service set;
#line 46
#line 46
allow keystore keystore_crash_prop:file { getattr open read map };
#line 46
#line 46
neverallow { domain -keystore -init } keystore_crash_prop:property_service set;
# keystore uses apex_info via libvintf.
#line 50
allow keystore apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads };
#line 50
allow keystore apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
#line 50
#line 50
allow keystore vendor_apex_metadata_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 50
allow keystore vendor_apex_metadata_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 50
#line 50
#line 1 "system/sepolicy/private/keystore_keys.te"
# Specify keystore2_key namespaces in this file.
# Please keep the names in alphabetical order and comment each new entry.
# A keystore2_key namespace for the shell domain. Mainly used for native tests.
type shell_key, keystore2_key_type;
# A keystore2 namespace for the su domain. Mainly used for native tests.
type su_key, keystore2_key_type;
# A keystore2 namespace for vold. Vold needs special permission to handle
# its own KeyMint blobs.
type vold_key, keystore2_key_type;
# A keystore2 namespace for the on-device signing daemon.
type odsign_key, keystore2_key_type;
# A keystore2 namespace for LockSettingsService.
type locksettings_key, keystore2_key_type;
# A keystore2 namespace for resume on reboot.
type resume_on_reboot_key, keystore2_key_type;
#line 1 "system/sepolicy/private/linkerconfig.te"
type linkerconfig, domain, coredomain;
type linkerconfig_exec, exec_type, file_type, system_file_type;
#line 4
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init linkerconfig_exec:file { getattr open read execute map };
#line 4
allow init linkerconfig:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow linkerconfig linkerconfig_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init linkerconfig:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init linkerconfig:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition init linkerconfig_exec:process linkerconfig;
#line 4
#line 4
## Read and write linkerconfig subdirectory.
allow linkerconfig linkerconfig_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow linkerconfig linkerconfig_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow linkerconfig to log to the kernel.
allow linkerconfig kmsg_device:chr_file { open append write lock map };
# Allow linkerconfig to be invoked with logwrapper from init.
allow linkerconfig devpts:chr_file { getattr ioctl read write };
# Allow linkerconfig to scan for apex modules
allow linkerconfig apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads };
# Allow linkerconfig to read apex-info-list.xml
allow linkerconfig apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow linkerconfig to read apex_manifest.pb file from vendor apex
#line 23
allow linkerconfig vendor_apex_metadata_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 23
allow linkerconfig vendor_apex_metadata_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 23
# Allow linkerconfig to be called in the otapreopt_chroot
allow linkerconfig otapreopt_chroot:fd use;
allow linkerconfig postinstall_apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads };
allow linkerconfig postinstall_apex_mnt_dir:file { getattr open read ioctl lock map watch watch_reads };
neverallow { domain -init -linkerconfig -otapreopt_chroot } linkerconfig_exec:file { execute execute_no_trans };
#line 1 "system/sepolicy/private/llkd.te"
# llkd Live LocK Daemon
typeattribute llkd coredomain;
#line 4
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init llkd_exec:file { getattr open read execute map };
#line 4
allow init llkd:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow llkd llkd_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init llkd:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init llkd:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition init llkd_exec:process llkd;
#line 4
#line 4
#line 6
allow llkd llkd_prop:file { getattr open read map };
#line 6
allow llkd self:{ capability cap_userns } kill;
#line 12
# llkd optionally locks itself in memory, to prevent it from being
# swapped out and unable to discover a kernel in live-lock state.
allow llkd self:{ capability cap_userns } ipc_lock;
# Send kill signals to _anyone_ suffering from Live Lock
allow llkd domain:process sigkill;
# read stack to check for Live Lock
#line 33
# live lock watchdog process allowed to look through /proc/
allow llkd domain:dir { open getattr read search ioctl lock watch watch_reads };
allow llkd domain:file { getattr open read ioctl lock map watch watch_reads };
allow llkd domain:lnk_file read;
# Set /proc/sys/kernel/hung_task_*
allow llkd proc_hung_task:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# live lock watchdog process allowed to dump process trace and
# reboot because orderly shutdown may not be possible.
allow llkd proc_sysrq:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow llkd kmsg_device:chr_file { open append write lock map };
### neverallow rules
neverallow { domain -init } llkd:process { dyntransition transition };
neverallow { domain } llkd:process ptrace;
# never honor LD_PRELOAD
neverallow * llkd:process noatsecure;
#line 1 "system/sepolicy/private/lmkd.te"
typeattribute lmkd coredomain;
typeattribute lmkd bpfdomain;
#line 4
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init lmkd_exec:file { getattr open read execute map };
#line 4
allow init lmkd:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow lmkd lmkd_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init lmkd:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init lmkd:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition init lmkd_exec:process lmkd;
#line 4
#line 4
# Set sys.lmk.* properties.
#line 7
#line 7
allow lmkd property_socket:sock_file write;
#line 7
allow lmkd init:unix_stream_socket connectto;
#line 7
#line 7
allow lmkd system_lmk_prop:property_service set;
#line 7
#line 7
allow lmkd system_lmk_prop:file { getattr open read map };
#line 7
#line 7
# Set lmkd.* properties.
#line 10
#line 10
allow lmkd property_socket:sock_file write;
#line 10
allow lmkd init:unix_stream_socket connectto;
#line 10
#line 10
allow lmkd lmkd_prop:property_service set;
#line 10
#line 10
allow lmkd lmkd_prop:file { getattr open read map };
#line 10
#line 10
# Get persist.device_config.lmk_native.* properties.
#line 13
allow lmkd device_config_lmkd_native_prop:file { getattr open read map };
#line 13
allow lmkd fs_bpf:file read;
allow lmkd bpfloader:bpf map_read;
neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set;
#line 1 "system/sepolicy/private/logd.te"
typeattribute logd coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init logd_exec:file { getattr open read execute map };
#line 3
allow init logd:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow logd logd_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init logd:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init logd:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init logd_exec:process logd;
#line 3
#line 3
# Access device logging gating property
#line 6
allow logd device_logging_prop:file { getattr open read map };
#line 6
# logd is not allowed to write anywhere other than /data/misc/logd, and then
# only on userdebug or eng builds
neverallow logd {
file_type
-runtime_event_log_tags_file
# shell_data_file access is needed to dump bugreports
-shell_data_file
}:file { create write append };
# protect the event-log-tags file
neverallow {
domain
-appdomain # covered below
-bootstat
-dumpstate
-init
-logd
-servicemanager
-system_server
-surfaceflinger
-zygote
} runtime_event_log_tags_file:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow {
appdomain
-bluetooth
-platform_app
-priv_app
-radio
-shell
-system_app
} runtime_event_log_tags_file:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Only binder communication between logd and system_server is allowed
#line 46
# Call the servicemanager and transfer references to it.
#line 46
allow logd servicemanager:binder { call transfer };
#line 46
# Allow servicemanager to send out callbacks
#line 46
allow servicemanager logd:binder { call transfer };
#line 46
# servicemanager performs getpidcon on clients.
#line 46
allow servicemanager logd:dir search;
#line 46
allow servicemanager logd:file { read open };
#line 46
allow servicemanager logd:process getattr;
#line 46
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 46
# all domains in domain.te.
#line 46
#line 47
typeattribute logd binderservicedomain;
#line 47
#line 48
# Call the server domain and optionally transfer references to it.
#line 48
allow logd system_server:binder { call transfer };
#line 48
# Allow the serverdomain to transfer references to the client on the reply.
#line 48
allow system_server logd:binder transfer;
#line 48
# Receive and use open files from the server.
#line 48
allow logd system_server:fd use;
#line 48
#line 50
allow logd logd_service:service_manager { add find };
#line 50
neverallow { domain -logd } logd_service:service_manager add;
#line 50
#line 50
# On debug builds with root, allow binder services to use binder over TCP.
#line 50
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 50
#line 50
allow logd logcat_service:service_manager find;
#line 1 "system/sepolicy/private/logpersist.te"
typeattribute logpersist coredomain;
# android debug log storage in logpersist domains (eng and userdebug only)
#line 21
# logpersist is allowed to write to /data/misc/log for userdebug and eng builds
neverallow logpersist {
file_type
}:file { create write append };
neverallow { domain -init -dumpstate -incidentd } misc_logd_file:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow { domain -init } misc_logd_file:file { append create link unlink relabelfrom rename setattr write };
neverallow { domain -init } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
#line 1 "system/sepolicy/private/lpdumpd.te"
type lpdumpd, domain, coredomain;
type lpdumpd_exec, system_file_type, exec_type, file_type;
#line 4
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init lpdumpd_exec:file { getattr open read execute map };
#line 4
allow init lpdumpd:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow lpdumpd lpdumpd_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init lpdumpd:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init lpdumpd:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition init lpdumpd_exec:process lpdumpd;
#line 4
#line 4
# Allow lpdumpd to register itself as a service.
#line 7
# Call the servicemanager and transfer references to it.
#line 7
allow lpdumpd servicemanager:binder { call transfer };
#line 7
# Allow servicemanager to send out callbacks
#line 7
allow servicemanager lpdumpd:binder { call transfer };
#line 7
# servicemanager performs getpidcon on clients.
#line 7
allow servicemanager lpdumpd:dir search;
#line 7
allow servicemanager lpdumpd:file { read open };
#line 7
allow servicemanager lpdumpd:process getattr;
#line 7
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 7
# all domains in domain.te.
#line 7
#line 8
allow lpdumpd lpdump_service:service_manager { add find };
#line 8
neverallow { domain -lpdumpd } lpdump_service:service_manager add;
#line 8
#line 8
# On debug builds with root, allow binder services to use binder over TCP.
#line 8
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 8
#line 8
# Allow lpdumpd to find the super partition block device.
allow lpdumpd block_device:dir { open getattr read search ioctl lock watch watch_reads };
# Allow lpdumpd to read super partition metadata.
allow lpdumpd super_block_device_type:blk_file { getattr open read ioctl lock map watch watch_reads };
# Allow lpdumpd to read fstab.
allow lpdumpd sysfs_dt_firmware_android:dir { open getattr read search ioctl lock watch watch_reads };
allow lpdumpd sysfs_dt_firmware_android:file { getattr open read ioctl lock map watch watch_reads };
#line 19
allow lpdumpd { metadata_file gsi_metadata_file_type }:dir search;
#line 19
allow lpdumpd gsi_public_metadata_file:file { getattr open read ioctl lock map watch watch_reads };
#line 19
allow lpdumpd { proc_bootconfig proc_cmdline }:file { getattr open read ioctl lock map watch watch_reads };
#line 19
# Allow to get A/B slot suffix from device tree or kernel cmdline.
#line 22
allow lpdumpd sysfs_dt_firmware_android:dir { open getattr read search ioctl lock watch watch_reads };
#line 22
allow lpdumpd sysfs_dt_firmware_android:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 22
;
allow lpdumpd proc_cmdline:file { getattr open read ioctl lock map watch watch_reads };
# Allow reading Virtual A/B status information.
#line 26
allow lpdumpd virtual_ab_prop:file { getattr open read map };
#line 26
allow lpdumpd metadata_file:dir search;
allow lpdumpd ota_metadata_file:dir { { open getattr read search ioctl lock watch watch_reads } lock };
allow lpdumpd ota_metadata_file:file { getattr open read ioctl lock map watch watch_reads };
### Neverallow rules
# Disallow other domains from finding lpdump_service and calling lpdumpd.
neverallow {
domain
-dumpstate
-lpdumpd
-shell
} lpdump_service:service_manager find;
neverallow {
domain
-dumpstate
-lpdumpd
-shell
-servicemanager
} lpdumpd:binder call;
#line 1 "system/sepolicy/private/mdnsd.te"
# mdns daemon
typeattribute mdnsd coredomain;
typeattribute mdnsd mlstrustedsubject;
type mdnsd_exec, system_file_type, exec_type, file_type;
#line 7
#line 7
# Allow the necessary permissions.
#line 7
#line 7
# Old domain may exec the file and transition to the new domain.
#line 7
allow init mdnsd_exec:file { getattr open read execute map };
#line 7
allow init mdnsd:process transition;
#line 7
# New domain is entered by executing the file.
#line 7
allow mdnsd mdnsd_exec:file { entrypoint open read execute getattr map };
#line 7
# New domain can send SIGCHLD to its caller.
#line 7
#line 7
# Enable AT_SECURE, i.e. libc secure mode.
#line 7
dontaudit init mdnsd:process noatsecure;
#line 7
# XXX dontaudit candidate but requires further study.
#line 7
allow init mdnsd:process { siginh rlimitinh };
#line 7
#line 7
# Make the transition occur by default.
#line 7
type_transition init mdnsd_exec:process mdnsd;
#line 7
#line 7
#line 9
typeattribute mdnsd netdomain;
#line 9
# Read from /proc/net
#line 12
allow mdnsd proc_net_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow mdnsd proc_net_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 12
#line 1 "system/sepolicy/private/mediadrmserver.te"
typeattribute mediadrmserver coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init mediadrmserver_exec:file { getattr open read execute map };
#line 3
allow init mediadrmserver:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow mediadrmserver mediadrmserver_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init mediadrmserver:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init mediadrmserver:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init mediadrmserver_exec:process mediadrmserver;
#line 3
#line 3
# allocate and use graphic buffers
#line 6
typeattribute mediadrmserver halclientdomain;
#line 6
typeattribute mediadrmserver hal_graphics_allocator_client;
#line 6
#line 6
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 6
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 6
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 6
#line 6
typeattribute mediadrmserver hal_graphics_allocator;
#line 6
# Find passthrough HAL implementations
#line 6
allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 6
allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 6
allow hal_graphics_allocator vendor_file:file { read open getattr execute map };
#line 6
#line 6
auditallow mediadrmserver hal_graphics_allocator_server:binder call;
#line 1 "system/sepolicy/private/mediaextractor.te"
typeattribute mediaextractor coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init mediaextractor_exec:file { getattr open read execute map };
#line 3
allow init mediaextractor:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow mediaextractor mediaextractor_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init mediaextractor:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init mediaextractor:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init mediaextractor_exec:process mediaextractor;
#line 3
#line 3
#line 4
type_transition mediaextractor tmpfs:file mediaextractor_tmpfs;
#line 4
allow mediaextractor mediaextractor_tmpfs:file { read write getattr map };
#line 4
allow mediaextractor appdomain_tmpfs:file { getattr map read write };
allow mediaextractor mediaserver_tmpfs:file { getattr map read write };
allow mediaextractor system_server_tmpfs:file { getattr map read write };
#line 9
allow mediaextractor device_config_media_native_prop:file { getattr open read map };
#line 9
#line 10
allow mediaextractor device_config_swcodec_native_prop:file { getattr open read map };
#line 10
#line 1 "system/sepolicy/private/mediametrics.te"
typeattribute mediametrics coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init mediametrics_exec:file { getattr open read execute map };
#line 3
allow init mediametrics:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow mediametrics mediametrics_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init mediametrics:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init mediametrics:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init mediametrics_exec:process mediametrics;
#line 3
#line 3
# Needed for stats callback registration to statsd.
allow mediametrics stats_service:service_manager find;
allow mediametrics statsmanager_service:service_manager find;
#line 8
# Call the server domain and optionally transfer references to it.
#line 8
allow mediametrics statsd:binder { call transfer };
#line 8
# Allow the serverdomain to transfer references to the client on the reply.
#line 8
allow statsd mediametrics:binder transfer;
#line 8
# Receive and use open files from the server.
#line 8
allow mediametrics statsd:fd use;
#line 8
#line 1 "system/sepolicy/private/mediaprovider.te"
###
### A domain for android.process.media, which contains both
### MediaProvider and DownloadProvider and associated services.
###
typeattribute mediaprovider coredomain;
#line 7
typeattribute mediaprovider appdomain;
#line 7
# Label tmpfs objects for all apps.
#line 7
type_transition mediaprovider tmpfs:file appdomain_tmpfs;
#line 7
#line 7
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 7
type mediaprovider_userfaultfd;
#line 7
type_transition mediaprovider mediaprovider:anon_inode mediaprovider_userfaultfd "[userfaultfd]";
#line 7
# Allow domain to create/use userfaultfd anon_inode.
#line 7
allow mediaprovider mediaprovider_userfaultfd:anon_inode { create ioctl read };
#line 7
# Suppress errors generated during bugreport.
#line 7
dontaudit su mediaprovider_userfaultfd:anon_inode *;
#line 7
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 7
neverallow { domain -mediaprovider } mediaprovider_userfaultfd:anon_inode *;
#line 7
#line 7
allow mediaprovider appdomain_tmpfs:file { execute getattr map read write };
#line 7
neverallow { mediaprovider -runas_app -shell -simpleperf } { domain -mediaprovider }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 7
neverallow { appdomain -runas_app -shell -simpleperf -mediaprovider } mediaprovider:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 7
# The Android security model guarantees the confidentiality and integrity
#line 7
# of application data and execution state. Ptrace bypasses those
#line 7
# confidentiality guarantees. Disallow ptrace access from system components to
#line 7
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 7
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 7
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 7
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 7
# live lock conditions.
#line 7
neverallow { domain -mediaprovider -crash_dump -runas_app -simpleperf } mediaprovider:process ptrace;
#line 7
# DownloadProvider accesses the network.
#line 10
typeattribute mediaprovider netdomain;
#line 10
# DownloadProvider uses /cache.
allow mediaprovider cache_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow mediaprovider cache_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# /cache is a symlink to /data/cache on some devices. Allow reading the link.
allow mediaprovider cache_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
# mediaprovider searches through /cache looking for orphans
# Ignore denials to /cache/recovery and /cache/backup.
dontaudit mediaprovider cache_private_backup_file:dir getattr;
dontaudit mediaprovider cache_recovery_file:dir getattr;
# Access external sdcards through /mnt/media_rw
allow mediaprovider { mnt_media_rw_file }:dir search;
allow mediaprovider app_api_service:service_manager find;
allow mediaprovider audioserver_service:service_manager find;
allow mediaprovider cameraserver_service:service_manager find;
allow mediaprovider drmserver_service:service_manager find;
allow mediaprovider mediaextractor_service:service_manager find;
allow mediaprovider mediaserver_service:service_manager find;
# Allow MediaProvider to read/write cached ringtones (opened by system).
allow mediaprovider ringtone_file:file { getattr read write };
# MtpServer uses /dev/mtp_usb
allow mediaprovider mtp_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# MtpServer uses /dev/usb-ffs/mtp
allow mediaprovider functionfs:dir search;
allow mediaprovider functionfs:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allowxperm mediaprovider functionfs:file ioctl 0x80096782;
allowxperm mediaprovider functionfs:file ioctl 0x000067e7;
# MtpServer sets sys.usb.ffs.mtp.ready
#line 45
allow mediaprovider ffs_config_prop:file { getattr open read map };
#line 45
#line 46
#line 46
allow mediaprovider property_socket:sock_file write;
#line 46
allow mediaprovider init:unix_stream_socket connectto;
#line 46
#line 46
allow mediaprovider ffs_control_prop:property_service set;
#line 46
#line 46
allow mediaprovider ffs_control_prop:file { getattr open read map };
#line 46
#line 46
# DownloadManager may retrieve DRM status
#line 49
allow mediaprovider drm_service_config_prop:file { getattr open read map };
#line 49
#line 1 "system/sepolicy/private/mediaprovider_app.te"
###
### A domain for further sandboxing the MediaProvider mainline module.
###
type mediaprovider_app, domain, coredomain, bpfdomain;
#line 6
typeattribute mediaprovider_app appdomain;
#line 6
# Label tmpfs objects for all apps.
#line 6
type_transition mediaprovider_app tmpfs:file appdomain_tmpfs;
#line 6
#line 6
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 6
type mediaprovider_app_userfaultfd;
#line 6
type_transition mediaprovider_app mediaprovider_app:anon_inode mediaprovider_app_userfaultfd "[userfaultfd]";
#line 6
# Allow domain to create/use userfaultfd anon_inode.
#line 6
allow mediaprovider_app mediaprovider_app_userfaultfd:anon_inode { create ioctl read };
#line 6
# Suppress errors generated during bugreport.
#line 6
dontaudit su mediaprovider_app_userfaultfd:anon_inode *;
#line 6
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 6
neverallow { domain -mediaprovider_app } mediaprovider_app_userfaultfd:anon_inode *;
#line 6
#line 6
allow mediaprovider_app appdomain_tmpfs:file { execute getattr map read write };
#line 6
neverallow { mediaprovider_app -runas_app -shell -simpleperf } { domain -mediaprovider_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 6
neverallow { appdomain -runas_app -shell -simpleperf -mediaprovider_app } mediaprovider_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 6
# The Android security model guarantees the confidentiality and integrity
#line 6
# of application data and execution state. Ptrace bypasses those
#line 6
# confidentiality guarantees. Disallow ptrace access from system components to
#line 6
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 6
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 6
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 6
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 6
# live lock conditions.
#line 6
neverallow { domain -mediaprovider_app -crash_dump -runas_app -simpleperf } mediaprovider_app:process ptrace;
#line 6
# Access to /mnt/pass_through.
#line 9
allow mediaprovider_app mnt_pass_through_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow mediaprovider_app mnt_pass_through_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 9
# Allow MediaProvider to host a FUSE daemon for external storage
allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };
# Allow MediaProvider to access fuseblk devices for external storage.
allow mediaprovider_app fuseblk:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow mediaprovider_app fuseblk:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow MediaProvider to read/write media_rw_data_file files and dirs
allow mediaprovider_app media_userdir_file:dir { open getattr read search ioctl lock watch watch_reads };
allow mediaprovider_app media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow mediaprovider_app media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
# Talk to the DRM service
allow mediaprovider_app drmserver_service:service_manager find;
# Talk to the MediaServer service
allow mediaprovider_app mediaserver_service:service_manager find;
# Talk to the AudioServer service
allow mediaprovider_app audioserver_service:service_manager find;
# Talk to the MediaCodec APIs that log media metrics
allow mediaprovider_app mediametrics_service:service_manager find;
# Talk to regular app services
allow mediaprovider_app app_api_service:service_manager find;
# Talk to the GPU service
#line 39
# Call the server domain and optionally transfer references to it.
#line 39
allow mediaprovider_app gpuservice:binder { call transfer };
#line 39
# Allow the serverdomain to transfer references to the client on the reply.
#line 39
allow gpuservice mediaprovider_app:binder transfer;
#line 39
# Receive and use open files from the server.
#line 39
allow mediaprovider_app gpuservice:fd use;
#line 39
# Talk to statsd
allow mediaprovider_app statsmanager_service:service_manager find;
#line 43
# Call the server domain and optionally transfer references to it.
#line 43
allow mediaprovider_app statsd:binder { call transfer };
#line 43
# Allow the serverdomain to transfer references to the client on the reply.
#line 43
allow statsd mediaprovider_app:binder transfer;
#line 43
# Receive and use open files from the server.
#line 43
allow mediaprovider_app statsd:fd use;
#line 43
# read pipe-max-size configuration
allow mediaprovider_app proc_pipe_conf:file { getattr open read ioctl lock map watch watch_reads };
# Allow MediaProvider to set extended attributes (such as quota project ID)
# on media files.
allowxperm mediaprovider_app media_rw_data_file:{ dir file } ioctl {
0x801c581f
0x401c5820
0x80086601
0x40086602
};
# Access external sdcards through /mnt/media_rw
allow mediaprovider_app { mnt_media_rw_file }:dir search;
allow mediaprovider_app proc_filesystems:file { getattr open read ioctl lock map watch watch_reads };
# Allow MediaProvider to see if sdcardfs is in use
#line 63
allow mediaprovider_app storage_config_prop:file { getattr open read map };
#line 63
#line 65
allow mediaprovider_app drm_service_config_prop:file { getattr open read map };
#line 65
allow mediaprovider_app gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow mediaprovider_app gpu_device:dir { open getattr read search ioctl lock watch watch_reads };
dontaudit mediaprovider_app sysfs_vendor_sched:dir search;
dontaudit mediaprovider_app sysfs_vendor_sched:file { open append write lock map };
# bpfprog access for FUSE BPF
allow mediaprovider_app fs_bpf:file read;
allow mediaprovider_app bpfloader:bpf { map_read map_write prog_run };
# boot animations on oem are stored with specific label
allow mediaprovider_app bootanim_oem_file:file { getattr open read ioctl lock map watch watch_reads };
#line 1 "system/sepolicy/private/mediaserver.te"
typeattribute mediaserver coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init mediaserver_exec:file { getattr open read execute map };
#line 3
allow init mediaserver:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow mediaserver mediaserver_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init mediaserver:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init mediaserver:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init mediaserver_exec:process mediaserver;
#line 3
#line 3
#line 4
type_transition mediaserver tmpfs:file mediaserver_tmpfs;
#line 4
allow mediaserver mediaserver_tmpfs:file { read write getattr map };
#line 4
allow mediaserver appdomain_tmpfs:file { getattr map read write };
# allocate and use graphic buffers
#line 8
typeattribute mediaserver halclientdomain;
#line 8
typeattribute mediaserver hal_graphics_allocator_client;
#line 8
#line 8
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 8
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 8
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 8
#line 8
typeattribute mediaserver hal_graphics_allocator;
#line 8
# Find passthrough HAL implementations
#line 8
allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 8
allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 8
allow hal_graphics_allocator vendor_file:file { read open getattr execute map };
#line 8
#line 8
#line 9
typeattribute mediaserver halclientdomain;
#line 9
typeattribute mediaserver hal_configstore_client;
#line 9
#line 9
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 9
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 9
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 9
#line 9
typeattribute mediaserver hal_configstore;
#line 9
# Find passthrough HAL implementations
#line 9
allow hal_configstore system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow hal_configstore vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow hal_configstore vendor_file:file { read open getattr execute map };
#line 9
#line 9
#line 10
typeattribute mediaserver halclientdomain;
#line 10
typeattribute mediaserver hal_drm_client;
#line 10
#line 10
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 10
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 10
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 10
#line 10
typeattribute mediaserver hal_drm;
#line 10
# Find passthrough HAL implementations
#line 10
allow hal_drm system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 10
allow hal_drm vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 10
allow hal_drm vendor_file:file { read open getattr execute map };
#line 10
#line 10
#line 11
typeattribute mediaserver halclientdomain;
#line 11
typeattribute mediaserver hal_omx_client;
#line 11
#line 11
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 11
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 11
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 11
#line 11
typeattribute mediaserver hal_omx;
#line 11
# Find passthrough HAL implementations
#line 11
allow hal_omx system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 11
allow hal_omx vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 11
allow hal_omx vendor_file:file { read open getattr execute map };
#line 11
#line 11
#line 12
typeattribute mediaserver halclientdomain;
#line 12
typeattribute mediaserver hal_codec2_client;
#line 12
#line 12
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 12
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 12
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 12
#line 12
typeattribute mediaserver hal_codec2;
#line 12
# Find passthrough HAL implementations
#line 12
allow hal_codec2 system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow hal_codec2 vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow hal_codec2 vendor_file:file { read open getattr execute map };
#line 12
#line 12
#line 14
#line 14
allow mediaserver property_socket:sock_file write;
#line 14
allow mediaserver init:unix_stream_socket connectto;
#line 14
#line 14
allow mediaserver audio_prop:property_service set;
#line 14
#line 14
allow mediaserver audio_prop:file { getattr open read map };
#line 14
#line 14
#line 16
allow mediaserver drm_service_config_prop:file { getattr open read map };
#line 16
#line 17
allow mediaserver media_config_prop:file { getattr open read map };
#line 17
# Allow MediaCodec running on mediaserver to read media_native flags
#line 20
allow mediaserver device_config_media_native_prop:file { getattr open read map };
#line 20
# Allow mediaserver to start media.transcoding service via ctl.start.
#line 23
#line 23
allow mediaserver property_socket:sock_file write;
#line 23
allow mediaserver init:unix_stream_socket connectto;
#line 23
#line 23
allow mediaserver ctl_mediatranscoding_prop:property_service set;
#line 23
#line 23
allow mediaserver ctl_mediatranscoding_prop:file { getattr open read map };
#line 23
#line 23
;
# Allow mediaserver to read SDK sandbox data files
allow mediaserver sdk_sandbox_data_file:file { getattr read };
# Needed for stats callback registration to statsd.
allow mediaserver stats_service:service_manager find;
allow mediaserver statsmanager_service:service_manager find;
#line 31
# Call the server domain and optionally transfer references to it.
#line 31
allow mediaserver statsd:binder { call transfer };
#line 31
# Allow the server domain to transfer references to the client on the reply.
#line 31
allow statsd mediaserver:binder transfer;
#line 31
# Receive and use open files from the server.
#line 31
allow mediaserver statsd:fd use;
#line 31
# Allow mediaserver to communicate with Surface provided
# by virtual camera.
#line 35
# Call the server domain and optionally transfer references to it.
#line 35
allow mediaserver virtual_camera:binder { call transfer };
#line 35
# Allow the server domain to transfer references to the client on the reply.
#line 35
allow virtual_camera mediaserver:binder transfer;
#line 35
# Receive and use open files from the server.
#line 35
allow mediaserver virtual_camera:fd use;
#line 35
#line 1 "system/sepolicy/private/mediaswcodec.te"
typeattribute mediaswcodec coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init mediaswcodec_exec:file { getattr open read execute map };
#line 3
allow init mediaswcodec:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow mediaswcodec mediaswcodec_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init mediaswcodec:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init mediaswcodec:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init mediaswcodec_exec:process mediaswcodec;
#line 3
#line 3
#line 5
allow mediaswcodec device_config_media_native_prop:file { getattr open read map };
#line 5
#line 6
allow mediaswcodec device_config_swcodec_native_prop:file { getattr open read map };
#line 6
#line 1 "system/sepolicy/private/mediatranscoding.te"
# mediatranscoding - daemon for transcoding video and images.
type mediatranscoding_exec, system_file_type, exec_type, file_type;
type mediatranscoding_tmpfs, file_type;
typeattribute mediatranscoding coredomain;
#line 6
#line 6
# Allow the necessary permissions.
#line 6
#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow init mediatranscoding_exec:file { getattr open read execute map };
#line 6
allow init mediatranscoding:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow mediatranscoding mediatranscoding_exec:file { entrypoint open read execute getattr map };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit init mediatranscoding:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow init mediatranscoding:process { siginh rlimitinh };
#line 6
#line 6
# Make the transition occur by default.
#line 6
type_transition init mediatranscoding_exec:process mediatranscoding;
#line 6
#line 6
#line 7
type_transition mediatranscoding tmpfs:file mediatranscoding_tmpfs;
#line 7
allow mediatranscoding mediatranscoding_tmpfs:file { read write getattr map };
#line 7
allow mediatranscoding appdomain_tmpfs:file { getattr map read write };
#line 10
# Call the servicemanager and transfer references to it.
#line 10
allow mediatranscoding servicemanager:binder { call transfer };
#line 10
# Allow servicemanager to send out callbacks
#line 10
allow servicemanager mediatranscoding:binder { call transfer };
#line 10
# servicemanager performs getpidcon on clients.
#line 10
allow servicemanager mediatranscoding:dir search;
#line 10
allow servicemanager mediatranscoding:file { read open };
#line 10
allow servicemanager mediatranscoding:process getattr;
#line 10
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 10
# all domains in domain.te.
#line 10
#line 11
# Call the server domain and optionally transfer references to it.
#line 11
allow mediatranscoding binderservicedomain:binder { call transfer };
#line 11
# Allow the server domain to transfer references to the client on the reply.
#line 11
allow binderservicedomain mediatranscoding:binder transfer;
#line 11
# Receive and use open files from the server.
#line 11
allow mediatranscoding binderservicedomain:fd use;
#line 11
#line 12
# Call the server domain and optionally transfer references to it.
#line 12
allow mediatranscoding appdomain:binder { call transfer };
#line 12
# Allow the server domain to transfer references to the client on the reply.
#line 12
allow appdomain mediatranscoding:binder transfer;
#line 12
# Receive and use open files from the server.
#line 12
allow mediatranscoding appdomain:fd use;
#line 12
#line 13
typeattribute mediatranscoding binderservicedomain;
#line 13
#line 15
allow mediatranscoding mediatranscoding_service:service_manager { add find };
#line 15
neverallow { domain -mediatranscoding } mediatranscoding_service:service_manager add;
#line 15
#line 15
# On debug builds with root, allow binder services to use binder over TCP.
#line 15
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 15
#line 15
#line 17
typeattribute mediatranscoding halclientdomain;
#line 17
typeattribute mediatranscoding hal_graphics_allocator_client;
#line 17
#line 17
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 17
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 17
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 17
#line 17
typeattribute mediatranscoding hal_graphics_allocator;
#line 17
# Find passthrough HAL implementations
#line 17
allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 17
allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 17
allow hal_graphics_allocator vendor_file:file { read open getattr execute map };
#line 17
#line 17
#line 18
typeattribute mediatranscoding halclientdomain;
#line 18
typeattribute mediatranscoding hal_configstore_client;
#line 18
#line 18
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 18
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 18
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 18
#line 18
typeattribute mediatranscoding hal_configstore;
#line 18
# Find passthrough HAL implementations
#line 18
allow hal_configstore system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 18
allow hal_configstore vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 18
allow hal_configstore vendor_file:file { read open getattr execute map };
#line 18
#line 18
#line 19
typeattribute mediatranscoding halclientdomain;
#line 19
typeattribute mediatranscoding hal_omx_client;
#line 19
#line 19
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 19
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 19
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 19
#line 19
typeattribute mediatranscoding hal_omx;
#line 19
# Find passthrough HAL implementations
#line 19
allow hal_omx system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 19
allow hal_omx vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 19
allow hal_omx vendor_file:file { read open getattr execute map };
#line 19
#line 19
#line 20
typeattribute mediatranscoding halclientdomain;
#line 20
typeattribute mediatranscoding hal_codec2_client;
#line 20
#line 20
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 20
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 20
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 20
#line 20
typeattribute mediatranscoding hal_codec2;
#line 20
# Find passthrough HAL implementations
#line 20
allow hal_codec2 system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 20
allow hal_codec2 vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 20
allow hal_codec2 vendor_file:file { read open getattr execute map };
#line 20
#line 20
#line 21
typeattribute mediatranscoding halclientdomain;
#line 21
typeattribute mediatranscoding hal_allocator_client;
#line 21
#line 21
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 21
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 21
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 21
#line 21
typeattribute mediatranscoding hal_allocator;
#line 21
# Find passthrough HAL implementations
#line 21
allow hal_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 21
allow hal_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 21
allow hal_allocator vendor_file:file { read open getattr execute map };
#line 21
#line 21
allow mediatranscoding mediaserver_service:service_manager find;
allow mediatranscoding mediametrics_service:service_manager find;
allow mediatranscoding mediaextractor_service:service_manager find;
allow mediatranscoding package_native_service:service_manager find;
allow mediatranscoding thermal_service:service_manager find;
allow mediatranscoding system_server:fd use;
allow mediatranscoding activity_service:service_manager find;
# allow mediatranscoding service read/write permissions for file sources
allow mediatranscoding sdcardfs:file { getattr read write };
allow mediatranscoding media_rw_data_file:file { getattr read write };
allow mediatranscoding apk_data_file:file { getattr read };
allow mediatranscoding app_data_file:file { getattr read write };
allow mediatranscoding shell_data_file:file { getattr read write };
# allow mediatranscoding service write permission to statsd socket
#line 40
allow mediatranscoding statsdw_socket:sock_file write;
#line 40
allow mediatranscoding statsd:unix_dgram_socket sendto;
#line 40
# Allow mediatranscoding to access the DMA-BUF system heap
allow mediatranscoding dmabuf_system_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow mediatranscoding gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow mediatranscoding gpu_device:dir { open getattr read search ioctl lock watch watch_reads };
# Allow mediatranscoding service to access media-related system properties
#line 49
allow mediatranscoding media_config_prop:file { getattr open read map };
#line 49
# mediatranscoding should never execute any executable without a
# domain transition
neverallow mediatranscoding { file_type fs_type }:file execute_no_trans;
# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediatranscoding domain:{ udp_socket rawip_socket } *;
neverallow mediatranscoding { domain }:tcp_socket *;
#line 1 "system/sepolicy/private/mediatuner.te"
# mediatuner - mediatuner daemon
type mediatuner, domain;
type mediatuner_exec, system_file_type, exec_type, file_type;
typeattribute mediatuner coredomain;
#line 7
#line 7
# Allow the necessary permissions.
#line 7
#line 7
# Old domain may exec the file and transition to the new domain.
#line 7
allow init mediatuner_exec:file { getattr open read execute map };
#line 7
allow init mediatuner:process transition;
#line 7
# New domain is entered by executing the file.
#line 7
allow mediatuner mediatuner_exec:file { entrypoint open read execute getattr map };
#line 7
# New domain can send SIGCHLD to its caller.
#line 7
#line 7
# Enable AT_SECURE, i.e. libc secure mode.
#line 7
dontaudit init mediatuner:process noatsecure;
#line 7
# XXX dontaudit candidate but requires further study.
#line 7
allow init mediatuner:process { siginh rlimitinh };
#line 7
#line 7
# Make the transition occur by default.
#line 7
type_transition init mediatuner_exec:process mediatuner;
#line 7
#line 7
#line 8
typeattribute mediatuner halclientdomain;
#line 8
typeattribute mediatuner hal_tv_tuner_client;
#line 8
#line 8
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 8
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 8
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 8
#line 8
typeattribute mediatuner hal_tv_tuner;
#line 8
# Find passthrough HAL implementations
#line 8
allow hal_tv_tuner system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 8
allow hal_tv_tuner vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 8
allow hal_tv_tuner vendor_file:file { read open getattr execute map };
#line 8
#line 8
#line 10
# Call the servicemanager and transfer references to it.
#line 10
allow mediatuner servicemanager:binder { call transfer };
#line 10
# Allow servicemanager to send out callbacks
#line 10
allow servicemanager mediatuner:binder { call transfer };
#line 10
# servicemanager performs getpidcon on clients.
#line 10
allow servicemanager mediatuner:dir search;
#line 10
allow servicemanager mediatuner:file { read open };
#line 10
allow servicemanager mediatuner:process getattr;
#line 10
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 10
# all domains in domain.te.
#line 10
#line 11
# Call the server domain and optionally transfer references to it.
#line 11
allow mediatuner appdomain:binder { call transfer };
#line 11
# Allow the server domain to transfer references to the client on the reply.
#line 11
allow appdomain mediatuner:binder transfer;
#line 11
# Receive and use open files from the server.
#line 11
allow mediatuner appdomain:fd use;
#line 11
#line 12
typeattribute mediatuner binderservicedomain;
#line 12
#line 14
allow mediatuner mediatuner_service:service_manager { add find };
#line 14
neverallow { domain -mediatuner } mediatuner_service:service_manager add;
#line 14
#line 14
# On debug builds with root, allow binder services to use binder over TCP.
#line 14
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 14
#line 14
allow mediatuner system_server:fd use;
allow mediatuner tv_tuner_resource_mgr_service:service_manager find;
allow mediatuner package_native_service:service_manager find;
#line 18
# Call the server domain and optionally transfer references to it.
#line 18
allow mediatuner system_server:binder { call transfer };
#line 18
# Allow the server domain to transfer references to the client on the reply.
#line 18
allow system_server mediatuner:binder transfer;
#line 18
# Receive and use open files from the server.
#line 18
allow mediatuner system_server:fd use;
#line 18
# Read ro.tuner.lazyhal
#line 21
allow mediatuner tuner_config_prop:file { getattr open read map };
#line 21
# Read tuner.server.enable
#line 24
allow mediatuner tuner_server_ctl_prop:file { getattr open read map };
#line 24
###
### neverallow rules
###
# mediatuner should never execute any executable without a
# domain transition
neverallow mediatuner { file_type fs_type }:file execute_no_trans;
# do not allow privileged socket ioctl commands
neverallowxperm mediatuner domain:{ rawip_socket tcp_socket udp_socket } ioctl
#line 35
{
#line 35
# qualcomm rmnet ioctls
#line 35
0x00006900 0x00006902
#line 35
# socket ioctls
#line 35
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 35
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 35
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 35
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 35
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 35
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 35
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 35
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 35
0x00008991 0x00008992 0x00008993 0x00008994
#line 35
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 35
# device and protocol specific ioctls
#line 35
0x000089f0-0x000089ff
#line 35
0x000089e0-0x000089ef
#line 35
# Wireless extension ioctls
#line 35
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 35
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 35
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 35
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 35
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 35
0x00008b34 0x00008b35 0x00008b36
#line 35
# Dev private ioctl i.e. hardware specific ioctls
#line 35
0x00008be0-0x00008bff
#line 35
};
#line 1 "system/sepolicy/private/migrate_legacy_obb_data.te"
type migrate_legacy_obb_data, domain, coredomain;
type migrate_legacy_obb_data_exec, system_file_type, exec_type, file_type;
allow migrate_legacy_obb_data media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow migrate_legacy_obb_data media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow migrate_legacy_obb_data shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow migrate_legacy_obb_data toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };
allow migrate_legacy_obb_data mnt_user_file:dir search;
allow migrate_legacy_obb_data mnt_user_file:lnk_file read;
allow migrate_legacy_obb_data storage_file:dir search;
allow migrate_legacy_obb_data storage_file:lnk_file read;
allow migrate_legacy_obb_data sdcard_type:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow migrate_legacy_obb_data sdcard_type:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# TODO: This should not be necessary. We don't deliberately hand over
# any open file descriptors to this domain, so anything that triggers this
# should be a candidate for O_CLOEXEC.
allow migrate_legacy_obb_data installd:fd use;
# This rule is required to let this process read /proc/{parent_pid}/mount.
# TODO: Why is this required?
allow migrate_legacy_obb_data installd:file read;
#line 1 "system/sepolicy/private/misctrl.te"
# binary for generic misc partition management
type misctrl, domain, coredomain;
type misctrl_exec, system_file_type, exec_type, file_type;
#line 5
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init misctrl_exec:file { getattr open read execute map };
#line 5
allow init misctrl:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow misctrl misctrl_exec:file { entrypoint open read execute getattr map };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init misctrl:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init misctrl:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition init misctrl_exec:process misctrl;
#line 5
#line 5
allow misctrl misc_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow misctrl block_device:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow misctrl { metadata_file gsi_metadata_file_type }:dir search;
#line 9
allow misctrl gsi_public_metadata_file:file { getattr open read ioctl lock map watch watch_reads };
#line 9
allow misctrl { proc_bootconfig proc_cmdline }:file { getattr open read ioctl lock map watch watch_reads };
#line 9
#line 11
#line 11
allow misctrl property_socket:sock_file write;
#line 11
allow misctrl init:unix_stream_socket connectto;
#line 11
#line 11
allow misctrl misctrl_prop:property_service set;
#line 11
#line 11
allow misctrl misctrl_prop:file { getattr open read map };
#line 11
#line 11
# bootloader_message tries to find the fstab in the device config path first,
# but because we've already booted up we can use the ro.boot properties instead,
# so we can just ignore the SELinux denial.
dontaudit misctrl sysfs_dt_firmware_android:dir search;
dontaudit misctrl vendor_property_type:file read;
#line 1 "system/sepolicy/private/mlstrustedsubject.te"
# MLS override can't be used to access private app data.
# Apps should not normally be mlstrustedsubject, but if they must be
# they cannot use this to access app private data files; their own app
# data files must use a different label.
# Files: `~{ ... }` is the complement, so every file permission other than the
# listed read/write-style ones (create, unlink, rename, execute, ...) is denied
# to all mlstrustedsubject domains except artd and installd.
neverallow {
mlstrustedsubject
-artd # compile secondary dex files
-installd
} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
# Directories: same complement form; only read, getattr and search are left
# out of this denial (they are handled by the next rule).
neverallow {
mlstrustedsubject
-artd # compile secondary dex files
-installd
} { app_data_file privapp_data_file }:dir ~{ read getattr search };
# Even read/getattr/search on app data directories is denied to every
# mlstrustedsubject domain except the explicit allowlist below.
neverallow {
mlstrustedsubject
-artd # compile secondary dex files
-installd
-system_server
-adbd
-runas
-zygote
} { app_data_file privapp_data_file }:dir { read getattr search };
#line 1 "system/sepolicy/private/mm_events.te"
type mm_events, domain, coredomain;
type mm_events_exec, system_file_type, exec_type, file_type;
#line 4
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init mm_events_exec:file { getattr open read execute map };
#line 4
allow init mm_events:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow mm_events mm_events_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init mm_events:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init mm_events:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition init mm_events_exec:process mm_events;
#line 4
#line 4
allow mm_events shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow running the sleep command to rate limit attempts
# to arm mm_events on failure.
allow mm_events toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow mm_events perfetto_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 14
# Allow the necessary permissions.
#line 14
#line 14
# Old domain may exec the file and transition to the new domain.
#line 14
allow mm_events perfetto_exec:file { getattr open read execute map };
#line 14
allow mm_events perfetto:process transition;
#line 14
# New domain is entered by executing the file.
#line 14
allow perfetto perfetto_exec:file { entrypoint open read execute getattr map };
#line 14
# New domain can send SIGCHLD to its caller.
#line 14
allow perfetto mm_events:process sigchld;
#line 14
# Enable AT_SECURE, i.e. libc secure mode.
#line 14
dontaudit mm_events perfetto:process noatsecure;
#line 14
# XXX dontaudit candidate but requires further study.
#line 14
allow mm_events perfetto:process { siginh rlimitinh };
#line 14
#line 14
# Make the transition occur by default.
#line 14
type_transition mm_events perfetto_exec:process perfetto;
#line 14
#line 1 "system/sepolicy/private/modprobe.te"
typeattribute modprobe coredomain;
#line 1 "system/sepolicy/private/mtectrl.te"
# mtectrl is a tool to request MTE (Memory Tagging Extensions) from the bootloader.
type mtectrl, domain, coredomain;
type mtectrl_exec, system_file_type, exec_type, file_type;
#line 5
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init mtectrl_exec:file { getattr open read execute map };
#line 5
allow init mtectrl:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow mtectrl mtectrl_exec:file { entrypoint open read execute getattr map };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init mtectrl:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init mtectrl:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition init mtectrl_exec:process mtectrl;
#line 5
#line 5
# Set the sys prop to match the bootloader message state.
#line 8
#line 8
allow mtectrl property_socket:sock_file write;
#line 8
allow mtectrl init:unix_stream_socket connectto;
#line 8
#line 8
allow mtectrl arm64_memtag_prop:property_service set;
#line 8
#line 8
allow mtectrl arm64_memtag_prop:file { getattr open read map };
#line 8
#line 8
# mtectrl communicates the request to the bootloader via the misc partition.
# It needs write access to update the request in the misc partition, and read
# access to sync the state back to the property.
allow mtectrl misc_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow mtectrl block_device:dir { open getattr read search ioctl lock watch watch_reads };
#line 15
allow mtectrl { metadata_file gsi_metadata_file_type }:dir search;
#line 15
allow mtectrl gsi_public_metadata_file:file { getattr open read ioctl lock map watch watch_reads };
#line 15
allow mtectrl { proc_bootconfig proc_cmdline }:file { getattr open read ioctl lock map watch watch_reads };
#line 15
# bootloader_message tries to find the fstab in the device config path first,
# but because we've already booted up we can use the ro.boot properties instead,
# so we can just ignore the SELinux denial.
dontaudit mtectrl sysfs_dt_firmware_android:dir search;
dontaudit mtectrl vendor_property_type:file read;
#line 1 "system/sepolicy/private/net.te"
# Bind to ports.
allow {netdomain -ephemeral_app -sdk_sandbox_all} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:udp_socket name_bind;
allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:tcp_socket name_bind;
# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
# untrusted_apps.
# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
# to avoid app-compat breakage.
allow {
netdomain
-ephemeral_app
-mediaprovider
-priv_app
-sdk_sandbox_all
-untrusted_app_all
} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
#line 1 "system/sepolicy/private/netd.te"
typeattribute netd coredomain;
typeattribute netd bpfdomain;
#line 4
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init netd_exec:file { getattr open read execute map };
#line 4
allow init netd:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow netd netd_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init netd:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init netd:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition init netd_exec:process netd;
#line 4
#line 4
# Allow netd to spawn dnsmasq in its own domain
#line 7
# Allow the necessary permissions.
#line 7
#line 7
# Old domain may exec the file and transition to the new domain.
#line 7
allow netd dnsmasq_exec:file { getattr open read execute map };
#line 7
allow netd dnsmasq:process transition;
#line 7
# New domain is entered by executing the file.
#line 7
allow dnsmasq dnsmasq_exec:file { entrypoint open read execute getattr map };
#line 7
# New domain can send SIGCHLD to its caller.
#line 7
allow dnsmasq netd:process sigchld;
#line 7
# Enable AT_SECURE, i.e. libc secure mode.
#line 7
dontaudit netd dnsmasq:process noatsecure;
#line 7
# XXX dontaudit candidate but requires further study.
#line 7
allow netd dnsmasq:process { siginh rlimitinh };
#line 7
#line 7
# Make the transition occur by default.
#line 7
type_transition netd dnsmasq_exec:process dnsmasq;
#line 7
allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:dir search;
allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
allow netd { fs_bpf fs_bpf_netd_shared }:file write;
# Give netd permission to set up iptables rules with xt_bpf, attach programs to cgroups, and read/write
# the maps created by bpfloader
allow netd bpfloader:bpf { prog_run map_read map_write };
# Needed in order to invoke the side effect of close() on such a socket, which calls synchronize_rcu()
# TODO: Remove this permission when 4.9 kernel is deprecated.
# TODO: Remove this after we remove all bpf interactions from netd.
allow netd self:key_socket create;
#line 22
#line 22
allow netd property_socket:sock_file write;
#line 22
allow netd init:unix_stream_socket connectto;
#line 22
#line 22
allow netd ctl_mdnsd_prop:property_service set;
#line 22
#line 22
allow netd ctl_mdnsd_prop:file { getattr open read map };
#line 22
#line 22
#line 23
#line 23
allow netd property_socket:sock_file write;
#line 23
allow netd init:unix_stream_socket connectto;
#line 23
#line 23
allow netd netd_stable_secret_prop:property_service set;
#line 23
#line 23
allow netd netd_stable_secret_prop:file { getattr open read map };
#line 23
#line 23
#line 25
allow netd adbd_config_prop:file { getattr open read map };
#line 25
#line 26
allow netd hwservicemanager_prop:file { getattr open read map };
#line 26
#line 27
allow netd device_config_netd_native_prop:file { getattr open read map };
#line 27
# Allow netd to write to statsd.
#line 30
allow netd statsdw_socket:sock_file write;
#line 30
allow netd statsd:unix_dgram_socket sendto;
#line 30
# Allow netd to send callbacks to network_stack
#line 33
# Call the server domain and optionally transfer references to it.
#line 33
allow netd network_stack:binder { call transfer };
#line 33
# Allow the serverdomain to transfer references to the client on the reply.
#line 33
allow network_stack netd:binder transfer;
#line 33
# Receive and use open files from the server.
#line 33
allow netd network_stack:fd use;
#line 33
# Allow netd to send dump info to dumpstate
allow netd dumpstate:fd use;
allow netd dumpstate:fifo_file { getattr write };
# persist.netd.stable_secret contains the RFC 7217 secret key, which should never be
# leaked to other processes. Make sure it never leaks.
neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file { getattr open read ioctl lock map watch watch_reads };
# We want to ensure that no other process can ever tamper with persist.netd.stable_secret,
# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
#line 1 "system/sepolicy/private/netutils_wrapper.te"
typeattribute netutils_wrapper coredomain;
typeattribute netutils_wrapper bpfdomain;
#line 4
allow netutils_wrapper system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 4
allow netutils_wrapper system_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 4
;
# For netutils (ip, iptables, tc)
allow netutils_wrapper self:{ capability cap_userns } net_raw;
allow netutils_wrapper system_file:file { execute execute_no_trans };
allow netutils_wrapper proc_net_type:file { open read getattr };
allow netutils_wrapper self:rawip_socket { create { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow netutils_wrapper self:udp_socket { create { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow netutils_wrapper self:{ capability cap_userns } net_admin;
# ip utils need everything but ioctl
allow netutils_wrapper self:netlink_route_socket ~ioctl;
allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
# For netutils (ndc) to be able to talk to netd
allow netutils_wrapper netd_service:service_manager find;
allow netutils_wrapper dnsresolver_service:service_manager find;
allow netutils_wrapper mdns_service:service_manager find;
#line 22
# Call the servicemanager and transfer references to it.
#line 22
allow netutils_wrapper servicemanager:binder { call transfer };
#line 22
# Allow servicemanager to send out callbacks
#line 22
allow servicemanager netutils_wrapper:binder { call transfer };
#line 22
# servicemanager performs getpidcon on clients.
#line 22
allow servicemanager netutils_wrapper:dir search;
#line 22
allow servicemanager netutils_wrapper:file { read open };
#line 22
allow servicemanager netutils_wrapper:process getattr;
#line 22
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 22
# all domains in domain.te.
#line 22
;
#line 23
# Call the server domain and optionally transfer references to it.
#line 23
allow netutils_wrapper netd:binder { call transfer };
#line 23
# Allow the serverdomain to transfer references to the client on the reply.
#line 23
allow netd netutils_wrapper:binder transfer;
#line 23
# Receive and use open files from the server.
#line 23
allow netutils_wrapper netd:fd use;
#line 23
;
# For vendor code that updates the iptables rules at runtime. It needs to reload
# the whole chain, including the xt_bpf rules, and so needs access to the pinned
# program when reloading the rules.
allow netutils_wrapper { fs_bpf fs_bpf_netd_shared fs_bpf_vendor }:dir search;
allow netutils_wrapper { fs_bpf fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
allow netutils_wrapper { fs_bpf }:file write;
allow netutils_wrapper bpfloader:bpf prog_run;
# For ndc and ip access to /data/misc/net
#line 34
allow netutils_wrapper net_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 34
allow netutils_wrapper net_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 34
#line 36
# Allow the necessary permissions.
#line 36
#line 36
# Old domain may exec the file and transition to the new domain.
#line 36
allow {
#line 36
domain
#line 36
-coredomain
#line 36
-appdomain
#line 36
} netutils_wrapper_exec:file { getattr open read execute map };
#line 36
allow {
#line 36
domain
#line 36
-coredomain
#line 36
-appdomain
#line 36
} netutils_wrapper:process transition;
#line 36
# New domain is entered by executing the file.
#line 36
allow netutils_wrapper netutils_wrapper_exec:file { entrypoint open read execute getattr map };
#line 36
# New domain can send SIGCHLD to its caller.
#line 36
allow netutils_wrapper {
#line 36
domain
#line 36
-coredomain
#line 36
-appdomain
#line 36
}:process sigchld;
#line 36
# Enable AT_SECURE, i.e. libc secure mode.
#line 36
dontaudit {
#line 36
domain
#line 36
-coredomain
#line 36
-appdomain
#line 36
} netutils_wrapper:process noatsecure;
#line 36
# XXX dontaudit candidate but requires further study.
#line 36
allow {
#line 36
domain
#line 36
-coredomain
#line 36
-appdomain
#line 36
} netutils_wrapper:process { siginh rlimitinh };
#line 36
#line 36
# Make the transition occur by default.
#line 36
type_transition {
#line 36
domain
#line 36
-coredomain
#line 36
-appdomain
#line 36
} netutils_wrapper_exec:process netutils_wrapper;
#line 40
# suppress spurious denials
dontaudit netutils_wrapper self:{ capability cap_userns } sys_resource;
dontaudit netutils_wrapper sysfs_type:file read;
# netutils wrapper may only use the following capabilities.
neverallow netutils_wrapper self:{ capability cap_userns } ~{ net_admin net_raw };
#line 1 "system/sepolicy/private/network_stack.te"
# Networking service app
typeattribute network_stack coredomain;
typeattribute network_stack mlstrustedsubject;
typeattribute network_stack bpfdomain;
#line 6
typeattribute network_stack appdomain;
#line 6
# Label tmpfs objects for all apps.
#line 6
type_transition network_stack tmpfs:file appdomain_tmpfs;
#line 6
#line 6
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 6
type network_stack_userfaultfd;
#line 6
type_transition network_stack network_stack:anon_inode network_stack_userfaultfd "[userfaultfd]";
#line 6
# Allow domain to create/use userfaultfd anon_inode.
#line 6
allow network_stack network_stack_userfaultfd:anon_inode { create ioctl read };
#line 6
# Suppress errors generated during bugreport
#line 6
dontaudit su network_stack_userfaultfd:anon_inode *;
#line 6
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 6
neverallow { domain -network_stack } network_stack_userfaultfd:anon_inode *;
#line 6
#line 6
allow network_stack appdomain_tmpfs:file { execute getattr map read write };
#line 6
neverallow { network_stack -runas_app -shell -simpleperf } { domain -network_stack }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 6
neverallow { appdomain -runas_app -shell -simpleperf -network_stack } network_stack:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 6
# The Android security model guarantees the confidentiality and integrity
#line 6
# of application data and execution state. Ptrace bypasses those
#line 6
# confidentiality guarantees. Disallow ptrace access from system components to
#line 6
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 6
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 6
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 6
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 6
# live lock conditions.
#line 6
neverallow { domain -network_stack -crash_dump -runas_app -simpleperf } network_stack:process ptrace;
#line 6
;
#line 7
typeattribute network_stack netdomain;
#line 7
;
allow network_stack self:{ capability cap_userns } {
net_admin
net_bind_service
net_broadcast
net_raw
};
allow network_stack self:{ capability2 cap2_userns } wake_alarm;
# Allow access to net_admin ioctls; the DHCP server uses SIOCSARP
allowxperm network_stack self:udp_socket ioctl
#line 19
{
#line 19
# qualcomm rmnet ioctls
#line 19
0x00006900 0x00006902
#line 19
# socket ioctls
#line 19
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 19
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 19
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 19
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 19
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 19
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 19
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 19
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 19
0x00008991 0x00008992 0x00008993 0x00008994
#line 19
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 19
# device and protocol specific ioctls
#line 19
0x000089f0-0x000089ff
#line 19
0x000089e0-0x000089ef
#line 19
# Wireless extension ioctls
#line 19
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 19
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 19
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 19
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 19
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 19
0x00008b34 0x00008b35 0x00008b36
#line 19
# Dev private ioctl i.e. hardware specific ioctls
#line 19
0x00008be0-0x00008bff
#line 19
};
# The DhcpClient uses packet sockets
allow network_stack self:packet_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# Monitor neighbors via netlink.
allow network_stack self:netlink_route_socket nlmsg_write;
# Use netlink uevent sockets.
allow network_stack self:netlink_kobject_uevent_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# give network_stack the same netlink permissions as netd
allow network_stack self:netlink_nflog_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow network_stack self:netlink_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow network_stack self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow network_stack app_api_service:service_manager find;
allow network_stack dnsresolver_service:service_manager find;
allow network_stack mdns_service:service_manager find;
allow network_stack netd_service:service_manager find;
allow network_stack network_watchlist_service:service_manager find;
allow network_stack radio_service:service_manager find;
allow network_stack system_config_service:service_manager find;
allow network_stack radio_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow network_stack radio_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
#line 45
# Call the server domain and optionally transfer references to it.
#line 45
allow network_stack netd:binder { call transfer };
#line 45
# Allow the serverdomain to transfer references to the client on the reply.
#line 45
allow netd network_stack:binder transfer;
#line 45
# Receive and use open files from the server.
#line 45
allow network_stack netd:fd use;
#line 45
;
# Needed in order to invoke the side effect of close() on such a socket, which calls synchronize_rcu()
allow network_stack self:key_socket create;
# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
dontaudit network_stack self:key_socket getopt;
# Grant read permission of connectivity namespace system property prefix.
#line 54
allow network_stack device_config_connectivity_prop:file { getattr open read map };
#line 54
# Create/use netlink_tcpdiag_socket to get tcp info
allow network_stack self:netlink_tcpdiag_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_read nlmsg_write };
############### Tethering Service app - Tethering.apk ##############
#line 59
typeattribute network_stack halclientdomain;
#line 59
typeattribute network_stack hal_tetheroffload_client;
#line 59
#line 59
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 59
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 59
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 59
#line 59
typeattribute network_stack hal_tetheroffload;
#line 59
# Find passthrough HAL implementations
#line 59
allow hal_tetheroffload system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 59
allow hal_tetheroffload vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 59
allow hal_tetheroffload vendor_file:file { read open getattr execute map };
#line 59
#line 59
# Create and share netlink_netfilter_sockets for tetheroffload.
allow network_stack self:netlink_netfilter_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow network_stack network_stack_service:service_manager find;
# Allow Tethering (the network_stack process) to run, update and read the eBPF programs/maps that offload tethering traffic.
allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:dir search;
allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { getattr read write };
allow network_stack bpfloader:bpf { map_read map_write prog_run };
# Allow Tethering (the network_stack process) to read flag values in the tethering_u_or_later_native namespace
#line 68
allow network_stack device_config_tethering_u_or_later_native_prop:file { getattr open read map };
#line 68
# Use XFRM (IPsec) netlink sockets
allow network_stack self:netlink_xfrm_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_write nlmsg_read };
# tun device used for 3rd party vpn apps and test network manager
allow network_stack tun_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allowxperm network_stack tun_device:chr_file ioctl { 0x800454d2 0x400454ca 0x400454cd 0x400454e2 };
############### NEVER ALLOW RULES
# This place is as good as any for these rules,
# and it is probably the most appropriate because
# network_stack itself is entirely mainline code.
# T+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_net_private' programs/maps.
neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:dir ~getattr;
neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file *;
# T+: Only the bpfloader, network_stack and system_server should ever touch 'fs_bpf_net_shared' programs/maps.
neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:dir ~getattr;
neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file *;
# T+: Only the bpfloader, netd, network_stack and system_server should ever touch 'fs_bpf_netd_readonly' programs/maps.
# netd's access should be read-only
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:dir ~getattr;
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file *;
neverallow netd fs_bpf_netd_readonly:file write;
# T+: Only the bpfloader, netd, netutils_wrapper, network_stack and system_server should ever touch 'fs_bpf_netd_shared' programs/maps.
# netutils_wrapper requires access to be able to run iptables and only needs read-only access
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:dir ~getattr;
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file *;
neverallow netutils_wrapper fs_bpf_netd_shared:file write;
# S+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~getattr;
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file *;
#line 1 "system/sepolicy/private/nfc.te"
# nfc subsystem
typeattribute nfc coredomain, mlstrustedsubject;
#line 3
typeattribute nfc appdomain;
#line 3
# Label tmpfs objects for all apps.
#line 3
type_transition nfc tmpfs:file appdomain_tmpfs;
#line 3
#line 3
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 3
type nfc_userfaultfd;
#line 3
type_transition nfc nfc:anon_inode nfc_userfaultfd "[userfaultfd]";
#line 3
# Allow domain to create/use userfaultfd anon_inode.
#line 3
allow nfc nfc_userfaultfd:anon_inode { create ioctl read };
#line 3
# Suppress errors generated during bugreport
#line 3
dontaudit su nfc_userfaultfd:anon_inode *;
#line 3
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 3
neverallow { domain -nfc } nfc_userfaultfd:anon_inode *;
#line 3
#line 3
allow nfc appdomain_tmpfs:file { execute getattr map read write };
#line 3
neverallow { nfc -runas_app -shell -simpleperf } { domain -nfc }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 3
neverallow { appdomain -runas_app -shell -simpleperf -nfc } nfc:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 3
# The Android security model guarantees the confidentiality and integrity
#line 3
# of application data and execution state. Ptrace bypasses those
#line 3
# confidentiality guarantees. Disallow ptrace access from system components to
#line 3
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 3
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 3
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 3
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 3
# live lock conditions.
#line 3
neverallow { domain -nfc -crash_dump -runas_app -simpleperf } nfc:process ptrace;
#line 3
#line 4
typeattribute nfc netdomain;
#line 4
#line 6
typeattribute nfc binderservicedomain;
#line 6
#line 7
allow nfc nfc_service:service_manager { add find };
#line 7
neverallow { domain -nfc } nfc_service:service_manager add;
#line 7
#line 7
# On debug builds with root, allow binder services to use binder over TCP.
#line 7
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 7
#line 7
#line 9
typeattribute nfc halclientdomain;
#line 9
typeattribute nfc hal_nfc_client;
#line 9
#line 9
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 9
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 9
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 9
#line 9
typeattribute nfc hal_nfc;
#line 9
# Find passthrough HAL implementations
#line 9
allow hal_nfc system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow hal_nfc vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow hal_nfc vendor_file:file { read open getattr execute map };
#line 9
#line 9
# Data file accesses.
allow nfc nfc_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow nfc nfc_data_file:{ file lnk_file sock_file fifo_file } { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow nfc nfc_logs_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow nfc nfc_logs_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# SoundPool loading and playback
allow nfc audioserver_service:service_manager find;
allow nfc drmserver_service:service_manager find;
allow nfc mediametrics_service:service_manager find;
allow nfc mediaextractor_service:service_manager find;
allow nfc mediaserver_service:service_manager find;
allow nfc radio_service:service_manager find;
allow nfc app_api_service:service_manager find;
allow nfc system_api_service:service_manager find;
allow nfc vr_manager_service:service_manager find;
allow nfc secure_element_service:service_manager find;
#line 30
#line 30
allow nfc property_socket:sock_file write;
#line 30
allow nfc init:unix_stream_socket connectto;
#line 30
#line 30
allow nfc nfc_prop:property_service set;
#line 30
#line 30
allow nfc nfc_prop:file { getattr open read map };
#line 30
#line 30
;
# already open bugreport file descriptors may be shared with
# the nfc process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*.
allow nfc shell_data_file:file read;
#line 1 "system/sepolicy/private/odrefresh.te"
# odrefresh
type odrefresh, domain, coredomain;
type odrefresh_exec, system_file_type, exec_type, file_type;
# Allow odrefresh to create files and directories for on device signing.
allow odrefresh apex_module_data_file:dir { getattr search };
allow odrefresh apex_art_data_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelfrom };
allow odrefresh apex_art_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow odrefresh to create data files (typically for metrics before statsd starts).
allow odrefresh odrefresh_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow odrefresh odrefresh_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
#line 14
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 14
type odrefresh_userfaultfd;
#line 14
type_transition odrefresh odrefresh:anon_inode odrefresh_userfaultfd "[userfaultfd]";
#line 14
# Allow domain to create/use userfaultfd anon_inode.
#line 14
allow odrefresh odrefresh_userfaultfd:anon_inode { create ioctl read };
#line 14
# Suppress errors generated during bugreport
#line 14
dontaudit su odrefresh_userfaultfd:anon_inode *;
#line 14
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 14
neverallow { domain -odrefresh } odrefresh_userfaultfd:anon_inode *;
#line 14
# Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
# sets up files here and passes file descriptors for dex2oat to write to.
allow odrefresh apex_art_staging_data_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelto };
allow odrefresh apex_art_staging_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Run dex2oat in its own sandbox.
#line 22
# Allow the necessary permissions.
#line 22
#line 22
# Old domain may exec the file and transition to the new domain.
#line 22
allow odrefresh dex2oat_exec:file { getattr open read execute map };
#line 22
allow odrefresh dex2oat:process transition;
#line 22
# New domain is entered by executing the file.
#line 22
allow dex2oat dex2oat_exec:file { entrypoint open read execute getattr map };
#line 22
# New domain can send SIGCHLD to its caller.
#line 22
allow dex2oat odrefresh:process sigchld;
#line 22
# Enable AT_SECURE, i.e. libc secure mode.
#line 22
dontaudit odrefresh dex2oat:process noatsecure;
#line 22
# XXX dontaudit candidate but requires further study.
#line 22
allow odrefresh dex2oat:process { siginh rlimitinh };
#line 22
#line 22
# Make the transition occur by default.
#line 22
type_transition odrefresh dex2oat_exec:process dex2oat;
#line 22
# Allow odrefresh to kill dex2oat if compilation times out.
allow odrefresh dex2oat:process sigkill;
# Run dexoptanalyzer in its own sandbox.
#line 28
# Allow the necessary permissions.
#line 28
#line 28
# Old domain may exec the file and transition to the new domain.
#line 28
allow odrefresh dexoptanalyzer_exec:file { getattr open read execute map };
#line 28
allow odrefresh dexoptanalyzer:process transition;
#line 28
# New domain is entered by executing the file.
#line 28
allow dexoptanalyzer dexoptanalyzer_exec:file { entrypoint open read execute getattr map };
#line 28
# New domain can send SIGCHLD to its caller.
#line 28
allow dexoptanalyzer odrefresh:process sigchld;
#line 28
# Enable AT_SECURE, i.e. libc secure mode.
#line 28
dontaudit odrefresh dexoptanalyzer:process noatsecure;
#line 28
# XXX dontaudit candidate but requires further study.
#line 28
allow odrefresh dexoptanalyzer:process { siginh rlimitinh };
#line 28
#line 28
# Make the transition occur by default.
#line 28
type_transition odrefresh dexoptanalyzer_exec:process dexoptanalyzer;
#line 28
# Allow odrefresh to kill dexoptanalyzer if analysis times out.
allow odrefresh dexoptanalyzer:process sigkill;
# Use devpts and fd from odsign (which exec()'s odrefresh)
allow odrefresh odsign_devpts:chr_file { read write };
allow odrefresh odsign:fd use;
# Allow odrefresh to read /apex/apex-info-list.xml to determine
# whether current apex is in /system or /data.
allow odrefresh apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow updating boot animation status.
#line 42
#line 42
allow odrefresh property_socket:sock_file write;
#line 42
allow odrefresh init:unix_stream_socket connectto;
#line 42
#line 42
allow odrefresh bootanim_system_prop:property_service set;
#line 42
#line 42
allow odrefresh bootanim_system_prop:file { getattr open read map };
#line 42
#line 42
# Allow querying ART device config properties
#line 45
allow odrefresh device_config_runtime_native_prop:file { getattr open read map };
#line 45
#line 46
allow odrefresh device_config_runtime_native_boot_prop:file { getattr open read map };
#line 46
# Do not audit unused resources from parent processes (adb, shell, su).
# These appear to be unnecessary for odrefresh.
dontaudit odrefresh { adbd shell }:fd use;
dontaudit odrefresh devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
dontaudit odrefresh adbd:unix_stream_socket { getattr read write };
# No other processes should be creating files in the staging area.
neverallow { domain -init -odrefresh -compos_fd_server } apex_art_staging_data_file:file open;
# No processes other than init, odrefresh and system_server may access
# odrefresh_data_file.
neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
#line 1 "system/sepolicy/private/odsign.te"
# odsign - on-device signing.
# Domain for the service that signs the ART artifacts produced by odrefresh
# and enables fs-verity on them. It is started by init and in turn execs
# odrefresh, fsverity_init and compos_verify (see the transitions below).
type odsign, domain;
# odsign - Binary for signing ART artifacts.
typeattribute odsign coredomain;
type odsign_exec, exec_type, file_type, system_file_type;
# Allow init to start odsign
#line 10
#line 10
# Allow the necessary permissions.
#line 10
#line 10
# Old domain may exec the file and transition to the new domain.
#line 10
allow init odsign_exec:file { getattr open read execute map };
#line 10
allow init odsign:process transition;
#line 10
# New domain is entered by executing the file.
#line 10
allow odsign odsign_exec:file { entrypoint open read execute getattr map };
#line 10
# New domain can send SIGCHLD to its caller.
#line 10
#line 10
# Enable AT_SECURE, i.e. libc secure mode.
#line 10
dontaudit init odsign:process noatsecure;
#line 10
# XXX dontaudit candidate but requires further study.
#line 10
allow init odsign:process { siginh rlimitinh };
#line 10
#line 10
# Make the transition occur by default.
#line 10
type_transition init odsign_exec:process odsign;
#line 10
#line 10
# Allow using persistent storage in /data/odsign
allow odsign odsign_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow odsign odsign_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow using persistent storage in /data/odsign/metrics - to add metrics related files
allow odsign odsign_metrics_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow odsign odsign_metrics_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Create and use pty created by android_fork_execvp().
#line 21
# Each domain gets a unique devpts type.
#line 21
type odsign_devpts, fs_type;
#line 21
# Label the pty with the unique type when created.
#line 21
type_transition odsign devpts:chr_file odsign_devpts;
#line 21
# Allow use of the pty after creation.
#line 21
allow odsign odsign_devpts:chr_file { open getattr read write ioctl };
#line 21
allowxperm odsign odsign_devpts:chr_file ioctl {
#line 21
0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414
#line 21
0x0000540e 0x0000540b 0x00005410 0x0000540f
#line 21
};
#line 21
# TIOCSTI is only ever used for exploits. Block it.
#line 21
# b/33073072, b/7530569
#line 21
# http://www.openwall.com/lists/oss-security/2016/09/26/14
#line 21
neverallowxperm * odsign_devpts:chr_file ioctl 0x00005412;
#line 21
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms are
#line 21
# allowed to everyone via domain.te.
#line 21
# FS_IOC_ENABLE_VERITY (0x6685), FS_IOC_MEASURE_VERITY (0x6686) and
# FS_IOC_GETFLAGS (0x80086601) on ART data files. Only these three ioctls are
# granted; the generic rw_file_perms on apex_art_data_file below carry ioctl,
# so this allowxperm is what narrows it.
allowxperm odsign apex_art_data_file:file ioctl {
0x6685 0x6686 0x80086601
};
# talk to binder services (for keystore)
#line 29
# Call the servicemanager and transfer references to it.
#line 29
allow odsign servicemanager:binder { call transfer };
#line 29
# Allow servicemanager to send out callbacks
#line 29
allow servicemanager odsign:binder { call transfer };
#line 29
# servicemanager performs getpidcon on clients.
#line 29
allow servicemanager odsign:dir search;
#line 29
allow servicemanager odsign:file { read open };
#line 29
allow servicemanager odsign:process getattr;
#line 29
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 29
# all domains in domain.te.
#line 29
;
# talk to keystore specifically
#line 32
allow keystore odsign:dir search;
#line 32
allow keystore odsign:file { read open };
#line 32
allow keystore odsign:process getattr;
#line 32
allow odsign apc_service:service_manager find;
#line 32
allow odsign keystore_service:service_manager find;
#line 32
allow odsign legacykeystore_service:service_manager find;
#line 32
#line 32
# Call the server domain and optionally transfer references to it.
#line 32
allow odsign keystore:binder { call transfer };
#line 32
# Allow the serverdomain to transfer references to the client on the reply.
#line 32
allow keystore odsign:binder transfer;
#line 32
# Receive and use open files from the server.
#line 32
allow odsign keystore:fd use;
#line 32
#line 32
#line 32
# Call the server domain and optionally transfer references to it.
#line 32
allow keystore odsign:binder { call transfer };
#line 32
# Allow the serverdomain to transfer references to the client on the reply.
#line 32
allow odsign keystore:binder transfer;
#line 32
# Receive and use open files from the server.
#line 32
allow keystore odsign:fd use;
#line 32
#line 32
;
# Use our dedicated keystore key. Note the permission set deliberately
# excludes e.g. manage_blob / grant: odsign only needs to use, inspect, rebind
# and delete its own signing key.
allow odsign odsign_key:keystore2_key {
delete
get_info
rebind
use
};
# talk to keymaster
#line 43
typeattribute odsign halclientdomain;
#line 43
typeattribute odsign hal_keymaster_client;
#line 43
#line 43
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 43
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 43
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 43
#line 43
typeattribute odsign hal_keymaster;
#line 43
# Find passthrough HAL implementations
#line 43
allow hal_keymaster system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 43
allow hal_keymaster vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 43
allow hal_keymaster vendor_file:file { read open getattr execute map };
#line 43
#line 43
# For ART apex data dir access
allow odsign apex_module_data_file:dir { getattr search };
allow odsign apex_art_data_file:dir { { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } rmdir rename };
allow odsign apex_art_data_file:file { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } unlink };
# Run odrefresh to refresh ART artifacts
#line 52
# Allow the necessary permissions.
#line 52
#line 52
# Old domain may exec the file and transition to the new domain.
#line 52
allow odsign odrefresh_exec:file { getattr open read execute map };
#line 52
allow odsign odrefresh:process transition;
#line 52
# New domain is entered by executing the file.
#line 52
allow odrefresh odrefresh_exec:file { entrypoint open read execute getattr map };
#line 52
# New domain can send SIGCHLD to its caller.
#line 52
allow odrefresh odsign:process sigchld;
#line 52
# Enable AT_SECURE, i.e. libc secure mode.
#line 52
dontaudit odsign odrefresh:process noatsecure;
#line 52
# XXX dontaudit candidate but requires further study.
#line 52
allow odsign odrefresh:process { siginh rlimitinh };
#line 52
#line 52
# Make the transition occur by default.
#line 52
type_transition odsign odrefresh_exec:process odrefresh;
#line 52
# Run fsverity_init to add key to fsverity keyring
#line 55
# Allow the necessary permissions.
#line 55
#line 55
# Old domain may exec the file and transition to the new domain.
#line 55
allow odsign fsverity_init_exec:file { getattr open read execute map };
#line 55
allow odsign fsverity_init:process transition;
#line 55
# New domain is entered by executing the file.
#line 55
allow fsverity_init fsverity_init_exec:file { entrypoint open read execute getattr map };
#line 55
# New domain can send SIGCHLD to its caller.
#line 55
allow fsverity_init odsign:process sigchld;
#line 55
# Enable AT_SECURE, i.e. libc secure mode.
#line 55
dontaudit odsign fsverity_init:process noatsecure;
#line 55
# XXX dontaudit candidate but requires further study.
#line 55
allow odsign fsverity_init:process { siginh rlimitinh };
#line 55
#line 55
# Make the transition occur by default.
#line 55
type_transition odsign fsverity_init_exec:process fsverity_init;
#line 55
# Run compos_verify to verify CompOs signatures
#line 58
# Allow the necessary permissions.
#line 58
#line 58
# Old domain may exec the file and transition to the new domain.
#line 58
allow odsign compos_verify_exec:file { getattr open read execute map };
#line 58
allow odsign compos_verify:process transition;
#line 58
# New domain is entered by executing the file.
#line 58
allow compos_verify compos_verify_exec:file { entrypoint open read execute getattr map };
#line 58
# New domain can send SIGCHLD to its caller.
#line 58
allow compos_verify odsign:process sigchld;
#line 58
# Enable AT_SECURE, i.e. libc secure mode.
#line 58
dontaudit odsign compos_verify:process noatsecure;
#line 58
# XXX dontaudit candidate but requires further study.
#line 58
allow odsign compos_verify:process { siginh rlimitinh };
#line 58
#line 58
# Make the transition occur by default.
#line 58
type_transition odsign compos_verify_exec:process compos_verify;
#line 58
# only odsign (and init) can set odsign sysprop; enforced by the neverallow
# after the set_prop expansion below.
#line 61
#line 61
allow odsign property_socket:sock_file write;
#line 61
allow odsign init:unix_stream_socket connectto;
#line 61
#line 61
allow odsign odsign_prop:property_service set;
#line 61
#line 61
allow odsign odsign_prop:file { getattr open read map };
#line 61
#line 61
neverallow { domain -odsign -init } odsign_prop:property_service set;
# Allow odsign to stop itself
#line 65
#line 65
allow odsign property_socket:sock_file write;
#line 65
allow odsign init:unix_stream_socket connectto;
#line 65
#line 65
allow odsign ctl_odsign_prop:property_service set;
#line 65
#line 65
allow odsign ctl_odsign_prop:file { getattr open read map };
#line 65
#line 65
# Neverallows: odsign's persistent state under /data/odsign is private to
# odsign, init and fsverity_init. Other domains may at most `search` the
# directory (hence ~search) and get no file access at all.
neverallow { domain -odsign -init -fsverity_init} odsign_data_file:dir ~search;
neverallow { domain -odsign -init -fsverity_init} odsign_data_file:file *;
#line 1 "system/sepolicy/private/ot_daemon.te"
#
# ot_daemon is the native Thread network stack on the host (Android) side.
# Refer to https://www.threadgroup.org for Thread network knowledge.
#
# It is started by init, talks to the threadnetwork HAL, publishes its own
# binder service and uses a raw IP socket and tunnel device provided by
# system_server (see the rules below).
# ot_daemon
type ot_daemon, domain, coredomain;
type ot_daemon_exec, exec_type, file_type, system_file_type;
# Allow init to start ot_daemon
#line 11
#line 11
# Allow the necessary permissions.
#line 11
#line 11
# Old domain may exec the file and transition to the new domain.
#line 11
allow init ot_daemon_exec:file { getattr open read execute map };
#line 11
allow init ot_daemon:process transition;
#line 11
# New domain is entered by executing the file.
#line 11
allow ot_daemon ot_daemon_exec:file { entrypoint open read execute getattr map };
#line 11
# New domain can send SIGCHLD to its caller.
#line 11
#line 11
# Enable AT_SECURE, i.e. libc secure mode.
#line 11
dontaudit init ot_daemon:process noatsecure;
#line 11
# XXX dontaudit candidate but requires further study.
#line 11
allow init ot_daemon:process { siginh rlimitinh };
#line 11
#line 11
# Make the transition occur by default.
#line 11
type_transition init ot_daemon_exec:process ot_daemon;
#line 11
#line 11
# Allow the ot_daemon to use the net domain.
#line 13
typeattribute ot_daemon netdomain;
#line 13
# Allow ot_daemon to find /data/misc/apexdata/com.android.tethering
allow ot_daemon apex_module_data_file:dir search;
# Allow the ot_daemon to access files and subdirectories under
# /data/misc/apexdata/com\.android\.tethering
allow ot_daemon apex_tethering_data_file:dir {create { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } }};
allow ot_daemon apex_tethering_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow OT daemon to read/write the Thread tunnel interface
allow ot_daemon tun_device:chr_file {read write};
# Allow OT daemon to read/write on the socket created by System Server.
# Note the permission set has no `create`: the raw socket is created by
# system_server (presumably passed over binder, see the fd use rule below),
# so ot_daemon itself cannot open new raw sockets.
allow ot_daemon system_server:rawip_socket { read getattr write setattr lock append bind connect getopt setopt shutdown map };
#line 29
typeattribute ot_daemon halclientdomain;
#line 29
typeattribute ot_daemon hal_threadnetwork_client;
#line 29
#line 29
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 29
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 29
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 29
#line 29
typeattribute ot_daemon hal_threadnetwork;
#line 29
# Find passthrough HAL implementations
#line 29
allow hal_threadnetwork system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 29
allow hal_threadnetwork vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 29
allow hal_threadnetwork vendor_file:file { read open getattr execute map };
#line 29
#line 29
# Only ot_daemon can publish the binder service
#line 32
# Call the servicemanager and transfer references to it.
#line 32
allow ot_daemon servicemanager:binder { call transfer };
#line 32
# Allow servicemanager to send out callbacks
#line 32
allow servicemanager ot_daemon:binder { call transfer };
#line 32
# servicemanager performs getpidcon on clients.
#line 32
allow servicemanager ot_daemon:dir search;
#line 32
allow servicemanager ot_daemon:file { read open };
#line 32
allow servicemanager ot_daemon:process getattr;
#line 32
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 32
# all domains in domain.te.
#line 32
#line 33
allow ot_daemon ot_daemon_service:service_manager { add find };
#line 33
neverallow { domain -ot_daemon } ot_daemon_service:service_manager add;
#line 33
#line 33
# On debug builds with root, allow binder services to use binder over TCP.
#line 33
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 33
#line 33
#line 34
# Call the server domain and optionally transfer references to it.
#line 34
allow ot_daemon system_server:binder { call transfer };
#line 34
# Allow the serverdomain to transfer references to the client on the reply.
#line 34
allow system_server ot_daemon:binder transfer;
#line 34
# Receive and use open files from the server.
#line 34
allow ot_daemon system_server:fd use;
#line 34
# Allow OT daemon to write to statsd
#line 37
allow ot_daemon statsdw_socket:sock_file write;
#line 37
allow ot_daemon statsd:unix_dgram_socket sendto;
#line 37
# For collecting bugreports.
allow ot_daemon dumpstate:fd use;
allow ot_daemon dumpstate:fifo_file write;
#line 1 "system/sepolicy/private/otapreopt_chroot.te"
# otapreopt_chroot executable
# Prepares a chroot for OTA dexopt: an unshared mount namespace with the
# relevant directories bind-mounted under /postinstall and APEX images set up
# on loop devices, then transitions into postinstall_dexopt (and linkerconfig /
# apexd) inside it. Most of the rules below exist only for that setup.
typeattribute otapreopt_chroot coredomain;
type otapreopt_chroot_exec, exec_type, file_type, system_file_type;
# Chroot preparation and execution.
# We need to create an unshared mount namespace, and then mount /data.
allow otapreopt_chroot postinstall_file:dir { search mounton };
allow otapreopt_chroot apex_mnt_dir:dir mounton;
allow otapreopt_chroot device:dir mounton;
allow otapreopt_chroot linkerconfig_file:dir mounton;
allow otapreopt_chroot rootfs:dir mounton;
allow otapreopt_chroot sysfs:dir mounton;
allow otapreopt_chroot system_data_root_file:dir mounton;
allow otapreopt_chroot system_file:dir mounton;
allow otapreopt_chroot vendor_file:dir mounton;
# CAP_SYS_ADMIN covers the mount namespace and the mounts above;
# CAP_SYS_CHROOT covers the chroot() itself.
allow otapreopt_chroot self:{ capability cap_userns } { sys_admin sys_chroot };
# This is required to mount /vendor and mount/unmount ext4 images from
# APEX packages in /postinstall/apex.
allow otapreopt_chroot block_device:dir search;
allow otapreopt_chroot labeledfs:filesystem { mount unmount };
# This is required for dynamic partitions.
allow otapreopt_chroot dm_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# This is required to unmount flattened APEX packages under
# /postinstall/system/apex (which are bind-mounted in /postinstall/apex).
allow otapreopt_chroot postinstall_file:filesystem unmount;
# Mounting /vendor can have this side-effect. Ignore denial.
dontaudit otapreopt_chroot kernel:process setsched;
# Allow otapreopt_chroot to read SELinux policy files.
allow otapreopt_chroot file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
allow otapreopt_chroot postinstall_file:dir { open getattr read search ioctl lock watch watch_reads };
# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
#line 37
allow otapreopt_chroot apexd_prop:file { getattr open read map };
#line 37
# Allow otapreopt to use file descriptors from update-engine and the postinstall
# script. It will read dexopt commands from stdin and write progress to stdout.
allow otapreopt_chroot postinstall:fd use;
allow otapreopt_chroot postinstall:fifo_file { read write getattr };
allow otapreopt_chroot update_engine:fd use;
allow otapreopt_chroot update_engine:fifo_file write;
# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
#line 47
# Allow the necessary permissions.
#line 47
#line 47
# Old domain may exec the file and transition to the new domain.
#line 47
allow otapreopt_chroot postinstall_dexopt_exec:file { getattr open read execute map };
#line 47
allow otapreopt_chroot postinstall_dexopt:process transition;
#line 47
# New domain is entered by executing the file.
#line 47
allow postinstall_dexopt postinstall_dexopt_exec:file { entrypoint open read execute getattr map };
#line 47
# New domain can send SIGCHLD to its caller.
#line 47
allow postinstall_dexopt otapreopt_chroot:process sigchld;
#line 47
# Enable AT_SECURE, i.e. libc secure mode.
#line 47
dontaudit otapreopt_chroot postinstall_dexopt:process noatsecure;
#line 47
# XXX dontaudit candidate but requires further study.
#line 47
allow otapreopt_chroot postinstall_dexopt:process { siginh rlimitinh };
#line 47
#line 47
# Make the transition occur by default.
#line 47
type_transition otapreopt_chroot postinstall_dexopt_exec:process postinstall_dexopt;
#line 47
#line 48
# Allow the necessary permissions.
#line 48
#line 48
# Old domain may exec the file and transition to the new domain.
#line 48
allow otapreopt_chroot linkerconfig_exec:file { getattr open read execute map };
#line 48
allow otapreopt_chroot linkerconfig:process transition;
#line 48
# New domain is entered by executing the file.
#line 48
allow linkerconfig linkerconfig_exec:file { entrypoint open read execute getattr map };
#line 48
# New domain can send SIGCHLD to its caller.
#line 48
allow linkerconfig otapreopt_chroot:process sigchld;
#line 48
# Enable AT_SECURE, i.e. libc secure mode.
#line 48
dontaudit otapreopt_chroot linkerconfig:process noatsecure;
#line 48
# XXX dontaudit candidate but requires further study.
#line 48
allow otapreopt_chroot linkerconfig:process { siginh rlimitinh };
#line 48
#line 48
# Make the transition occur by default.
#line 48
type_transition otapreopt_chroot linkerconfig_exec:process linkerconfig;
#line 48
#line 49
# Allow the necessary permissions.
#line 49
#line 49
# Old domain may exec the file and transition to the new domain.
#line 49
allow otapreopt_chroot apexd_exec:file { getattr open read execute map };
#line 49
allow otapreopt_chroot apexd:process transition;
#line 49
# New domain is entered by executing the file.
#line 49
allow apexd apexd_exec:file { entrypoint open read execute getattr map };
#line 49
# New domain can send SIGCHLD to its caller.
#line 49
allow apexd otapreopt_chroot:process sigchld;
#line 49
# Enable AT_SECURE, i.e. libc secure mode.
#line 49
dontaudit otapreopt_chroot apexd:process noatsecure;
#line 49
# XXX dontaudit candidate but requires further study.
#line 49
allow otapreopt_chroot apexd:process { siginh rlimitinh };
#line 49
#line 49
# Make the transition occur by default.
#line 49
type_transition otapreopt_chroot apexd_exec:process apexd;
#line 49
# Allow otapreopt_chroot to control linkerconfig
allow otapreopt_chroot linkerconfig_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelto };
allow otapreopt_chroot linkerconfig_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow otapreopt_chroot to create loop devices with /dev/loop-control.
allow otapreopt_chroot loop_control_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow otapreopt_chroot to access loop devices.
allow otapreopt_chroot loop_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Loop ioctls, in list order: LOOP_CONFIGURE (0x4c0a), LOOP_GET_STATUS64
# (0x4c05), LOOP_SET_STATUS64 (0x4c04), LOOP_SET_FD (0x4c00),
# LOOP_SET_BLOCK_SIZE (0x4c09), LOOP_SET_DIRECT_IO (0x4c08), LOOP_CLR_FD
# (0x4c01) and BLKFLSBUF (0x1261). The generic rw_file_perms above carry
# `ioctl`; this allowxperm is what restricts it to these commands.
allowxperm otapreopt_chroot loop_device:blk_file ioctl {
0x00004c0a
0x00004c05
0x00004c04
0x00004c00
0x00004c09
0x00004c08
0x00004c01
0x00001261
};
# Allow otapreopt_chroot to configure read-ahead of loop devices.
allow otapreopt_chroot sysfs_loop:dir { open getattr read search ioctl lock watch watch_reads };
allow otapreopt_chroot sysfs_loop:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow otapreopt_chroot to mount a tmpfs filesystem in /postinstall/apex.
allow otapreopt_chroot tmpfs:filesystem mount;
# Allow otapreopt_chroot to restore the security context of /postinstall/apex.
allow otapreopt_chroot tmpfs:dir relabelfrom;
allow otapreopt_chroot postinstall_apex_mnt_dir:dir relabelto;
# Allow otapreopt_chroot to manipulate directory /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow otapreopt_chroot postinstall_apex_mnt_dir:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
# Allow otapreopt_chroot to access /dev/block (needed to detach loop
# devices used by ext4 images from APEX packages).
allow otapreopt_chroot block_device:dir { open getattr read search ioctl lock watch watch_reads };
# Allow to access the linker through the symlink.
allow otapreopt_chroot postinstall_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
# Allow otapreopt_chroot to read ro.cold_boot_done prop.
# This is a temporary solution to make sure that otapreopt_chroot doesn't block indefinitely.
# TODO(b/165948777): remove this once otapreopt_chroot is migrated to libapexmount.
#line 96
allow otapreopt_chroot cold_boot_done_prop:file { getattr open read map };
#line 96
# allow otapreopt_chroot to run the linkerconfig from the new image.
# (execute_no_trans: this exec stays in the otapreopt_chroot domain, unlike
# the linkerconfig domain transition granted above.)
allow otapreopt_chroot linkerconfig_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 1 "system/sepolicy/private/otapreopt_slot.te"
# This command set moves the artifact corresponding to the current slot
# from /data/ota to /data/dalvik-cache.
# NOTE(review): the comments below refer to "cppreopts"; this appears to be a
# historical name for the otapreopt_slot helper defined here.
type otapreopt_slot, domain, mlstrustedsubject, coredomain;
type otapreopt_slot_exec, system_file_type, exec_type, file_type;
# Technically not a daemon but we do want the transition from init domain to
# cppreopts to occur.
#line 9
#line 9
# Allow the necessary permissions.
#line 9
#line 9
# Old domain may exec the file and transition to the new domain.
#line 9
allow init otapreopt_slot_exec:file { getattr open read execute map };
#line 9
allow init otapreopt_slot:process transition;
#line 9
# New domain is entered by executing the file.
#line 9
allow otapreopt_slot otapreopt_slot_exec:file { entrypoint open read execute getattr map };
#line 9
# New domain can send SIGCHLD to its caller.
#line 9
#line 9
# Enable AT_SECURE, i.e. libc secure mode.
#line 9
dontaudit init otapreopt_slot:process noatsecure;
#line 9
# XXX dontaudit candidate but requires further study.
#line 9
allow init otapreopt_slot:process { siginh rlimitinh };
#line 9
#line 9
# Make the transition occur by default.
#line 9
type_transition init otapreopt_slot_exec:process otapreopt_slot;
#line 9
#line 9
# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
# the directory afterwards. For logging of aggregate size, we need getattr.
allow otapreopt_slot ota_data_file:dir { { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } rename reparent rmdir };
allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
# (du follows symlinks)
allow otapreopt_slot ota_data_file:lnk_file read;
# Delete old content of the dalvik-cache. Note this is deliberately narrower
# than rw_dir_perms: no create or setattr on the directory, and files may only
# be stat'ed and unlinked, not read or written.
allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
allow otapreopt_slot dalvikcache_data_file:file { getattr unlink };
allow otapreopt_slot dalvikcache_data_file:lnk_file { getattr read unlink };
# Allow cppreopts to execute itself using #!/system/bin/sh
allow otapreopt_slot shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow running the mv and rm/rmdir commands using otapreopt_slot permissions.
# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.
allow otapreopt_slot toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 1 "system/sepolicy/private/perfetto.te"
# Perfetto command-line client. Can be used only from the domains that are
# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
# This command line client accesses the privileged socket of the traced
# daemon.
type perfetto_exec, system_file_type, exec_type, file_type;
type perfetto_tmpfs, file_type;
#line 9
type_transition perfetto tmpfs:file perfetto_tmpfs;
#line 9
allow perfetto perfetto_tmpfs:file { read write getattr map };
#line 9
;
# Allow init to start a trace (for perfetto_boottrace).
#line 12
#line 12
# Allow the necessary permissions.
#line 12
#line 12
# Old domain may exec the file and transition to the new domain.
#line 12
allow init perfetto_exec:file { getattr open read execute map };
#line 12
allow init perfetto:process transition;
#line 12
# New domain is entered by executing the file.
#line 12
allow perfetto perfetto_exec:file { entrypoint open read execute getattr map };
#line 12
# New domain can send SIGCHLD to its caller.
#line 12
#line 12
# Enable AT_SECURE, i.e. libc secure mode.
#line 12
dontaudit init perfetto:process noatsecure;
#line 12
# XXX dontaudit candidate but requires further study.
#line 12
allow init perfetto:process { siginh rlimitinh };
#line 12
#line 12
# Make the transition occur by default.
#line 12
type_transition init perfetto_exec:process perfetto;
#line 12
#line 12
# Allow to access traced's privileged consumer socket.
#line 15
allow perfetto traced_consumer_socket:sock_file write;
#line 15
allow perfetto traced:unix_stream_socket connectto;
#line 15
# Connect to the Perfetto traced daemon as a producer. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
#line 19
allow perfetto traced:fd use;
#line 19
allow perfetto traced_tmpfs:file { read write getattr map };
#line 19
#line 19
allow perfetto traced_producer_socket:sock_file write;
#line 19
allow perfetto traced:unix_stream_socket connectto;
#line 19
#line 19
#line 19
# Also allow the service to use the producer file descriptors. This is
#line 19
# necessary when the producer is creating the shared memory, as it will be
#line 19
# passed to the service as a file descriptor (obtained from memfd_create).
#line 19
allow traced perfetto:fd use;
#line 19
# Allow to write and unlink traces into /data/misc/perfetto-traces.
allow perfetto perfetto_traces_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow perfetto perfetto_traces_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow to write and unlink trace into /data/misc/perfetto-traces/bugreport*
allow perfetto perfetto_traces_bugreport_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow perfetto perfetto_traces_bugreport_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
# Allow to write and unlink traces into /data/misc/perfetto-traces/profiling.
allow perfetto perfetto_traces_profiling_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow perfetto perfetto_traces_profiling_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow perfetto to access the proxy service for reporting traces.
allow perfetto tracingproxy_service:service_manager find;
#line 35
# Call the servicemanager and transfer references to it.
#line 35
allow perfetto servicemanager:binder { call transfer };
#line 35
# Allow servicemanager to send out callbacks
#line 35
allow servicemanager perfetto:binder { call transfer };
#line 35
# servicemanager performs getpidcon on clients.
#line 35
allow servicemanager perfetto:dir search;
#line 35
allow servicemanager perfetto:file { read open };
#line 35
allow servicemanager perfetto:process getattr;
#line 35
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 35
# all domains in domain.te.
#line 35
#line 36
# Call the server domain and optionally transfer references to it.
#line 36
allow perfetto system_server:binder { call transfer };
#line 36
# Allow the serverdomain to transfer references to the client on the reply.
#line 36
allow system_server perfetto:binder transfer;
#line 36
# Receive and use open files from the server.
#line 36
allow perfetto system_server:fd use;
#line 36
# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
# shell and adb can write files into that directory.
allow perfetto perfetto_configs_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow perfetto perfetto_configs_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow perfetto to read the trace config from statsd, mm_events and shell
# (both root and non-root) on stdin and also to write the resulting trace to
# stdout.
allow perfetto { statsd mm_events shell su }:fd use;
allow perfetto { statsd mm_events shell su system_server }:fifo_file { getattr read write ioctl };
# Allow perfetto to use, read and write over the adb connection.
allow perfetto adbd:fd use;
allow perfetto adbd:unix_stream_socket { read write };
# Allow adbd to reap perfetto.
allow perfetto adbd:process { sigchld };
# Allow perfetto to write to statsd.
#line 57
allow perfetto statsdw_socket:sock_file write;
#line 57
allow perfetto statsd:unix_dgram_socket sendto;
#line 57
# Allow access to /dev/pts when launched from an adb shell.
allow perfetto devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow perfetto to ask incidentd to start a report.
# TODO(lalitm): remove all incidentd rules when proxy service is stable.
allow perfetto incident_service:service_manager find;
#line 65
# Call the server domain and optionally transfer references to it.
#line 65
allow perfetto incidentd:binder { call transfer };
#line 65
# Allow the serverdomain to transfer references to the client on the reply.
#line 65
allow incidentd perfetto:binder transfer;
#line 65
# Receive and use open files from the server.
#line 65
allow perfetto incidentd:fd use;
#line 65
# perfetto log formatter calls isatty() on its stderr. Denial when running
# under adbd is harmless. Avoid generating denial logs.
dontaudit perfetto adbd:unix_stream_socket getattr;
dontauditxperm perfetto adbd:unix_stream_socket ioctl {
#line 70
0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414
#line 70
0x0000540e 0x0000540b 0x00005410 0x0000540f
#line 70
};
# As above, when adbd is running in "su" domain (only the ioctl is denied in
# practice).
dontauditxperm perfetto su:unix_stream_socket ioctl {
#line 73
0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414
#line 73
0x0000540e 0x0000540b 0x00005410 0x0000540f
#line 73
};
# Similarly, CTS tests end up hitting a denial on shell pipes.
dontauditxperm perfetto shell:fifo_file ioctl {
#line 75
0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414
#line 75
0x0000540e 0x0000540b 0x00005410 0x0000540f
#line 75
};
###
### Neverallow rules
###
# Disallow any domain other than the selected system components listed below
# from handling traces.
neverallow {
domain
-init # The creator of the folder.
-perfetto # The owner of the folder.
-adbd # For pulling traces.
-shell # For development purposes.
-traced # For write_into_file traces.
-dumpstate # For attaching traces to bugreports.
-incidentd # For receiving reported traces. TODO(lalitm): remove this.
-priv_app # For starting traces for the bug-report UI.
-system_server # For accessing traces started by profiling apis.
} perfetto_traces_data_file:dir *;
neverallow {
domain
-init # The creator of the folder.
-perfetto # The owner of the folder.
-adbd # For pulling traces.
-shell # For development purposes.
-traced # For write_into_file traces.
-incidentd # For receiving reported traces. TODO(lalitm): remove this.
} perfetto_traces_data_file:file ~{ getattr read };
### perfetto should NEVER do any of the following
# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
neverallow perfetto self:process execmem;
# Block device access.
neverallow perfetto dev_type:blk_file { read write };
# ptrace any other process
neverallow perfetto domain:process ptrace;
# Disallow access to other /data files.
neverallow perfetto {
data_file_type
-system_data_file
-system_data_root_file
-media_userdir_file
-system_userdir_file
-vendor_userdir_file
# TODO(b/72998741) Remove exemption. Further restricted in a subsequent
# neverallow. Currently only getattr and search are allowed.
-vendor_data_file
-perfetto_traces_data_file
-perfetto_traces_bugreport_data_file
-perfetto_traces_profiling_data_file
-perfetto_configs_data_file
}:dir *;
neverallow perfetto {
system_data_file
-perfetto_traces_data_file
-perfetto_traces_profiling_data_file
}:dir ~{ getattr search };
neverallow perfetto {
data_file_type
-perfetto_traces_data_file
-perfetto_traces_bugreport_data_file
-perfetto_traces_profiling_data_file
-perfetto_configs_data_file
}:file ~write;
#line 1 "system/sepolicy/private/performanced.te"
typeattribute performanced coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init performanced_exec:file { getattr open read execute map };
#line 3
allow init performanced:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow performanced performanced_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init performanced:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init performanced:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init performanced_exec:process performanced;
#line 3
#line 3
#line 1 "system/sepolicy/private/permissioncontroller_app.te"
###
### A domain for further sandboxing the GooglePermissionController app.
###
type permissioncontroller_app, domain, coredomain;
#line 6
typeattribute permissioncontroller_app appdomain;
#line 6
# Label tmpfs objects for all apps.
#line 6
type_transition permissioncontroller_app tmpfs:file appdomain_tmpfs;
#line 6
#line 6
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 6
type permissioncontroller_app_userfaultfd;
#line 6
type_transition permissioncontroller_app permissioncontroller_app:anon_inode permissioncontroller_app_userfaultfd "[userfaultfd]";
#line 6
# Allow domain to create/use userfaultfd anon_inode.
#line 6
allow permissioncontroller_app permissioncontroller_app_userfaultfd:anon_inode { create ioctl read };
#line 6
# Suppress errors generated during bugreport
#line 6
dontaudit su permissioncontroller_app_userfaultfd:anon_inode *;
#line 6
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 6
neverallow { domain -permissioncontroller_app } permissioncontroller_app_userfaultfd:anon_inode *;
#line 6
#line 6
allow permissioncontroller_app appdomain_tmpfs:file { execute getattr map read write };
#line 6
neverallow { permissioncontroller_app -runas_app -shell -simpleperf } { domain -permissioncontroller_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 6
neverallow { appdomain -runas_app -shell -simpleperf -permissioncontroller_app } permissioncontroller_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 6
# The Android security model guarantees the confidentiality and integrity
#line 6
# of application data and execution state. Ptrace bypasses those
#line 6
# confidentiality guarantees. Disallow ptrace access from system components to
#line 6
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 6
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 6
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 6
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 6
# live lock conditions.
#line 6
neverallow { domain -permissioncontroller_app -crash_dump -runas_app -simpleperf } permissioncontroller_app:process ptrace;
#line 6
allow permissioncontroller_app app_api_service:service_manager find;
allow permissioncontroller_app system_api_service:service_manager find;
# Allow interaction with gpuservice
#line 12
# Call the server domain and optionally transfer references to it.
#line 12
allow permissioncontroller_app gpuservice:binder { call transfer };
#line 12
# Allow the serverdomain to transfer references to the client on the reply.
#line 12
allow gpuservice permissioncontroller_app:binder transfer;
#line 12
# Receive and use open files from the server.
#line 12
allow permissioncontroller_app gpuservice:fd use;
#line 12
allow permissioncontroller_app radio_service:service_manager find;
# Allow the app to request and collect incident reports.
# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
allow permissioncontroller_app incident_service:service_manager find;
#line 19
# Call the server domain and optionally transfer references to it.
#line 19
allow permissioncontroller_app incidentd:binder { call transfer };
#line 19
# Allow the serverdomain to transfer references to the client on the reply.
#line 19
allow incidentd permissioncontroller_app:binder transfer;
#line 19
# Receive and use open files from the server.
#line 19
allow permissioncontroller_app incidentd:fd use;
#line 19
allow permissioncontroller_app incidentd:fifo_file { read write };
allow permissioncontroller_app gpu_device:dir search;
#line 1 "system/sepolicy/private/platform_app.te"
###
### Apps signed with the platform key.
###
typeattribute platform_app coredomain;
#line 7
typeattribute platform_app appdomain;
#line 7
# Label tmpfs objects for all apps.
#line 7
type_transition platform_app tmpfs:file appdomain_tmpfs;
#line 7
#line 7
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 7
type platform_app_userfaultfd;
#line 7
type_transition platform_app platform_app:anon_inode platform_app_userfaultfd "[userfaultfd]";
#line 7
# Allow domain to create/use userfaultfd anon_inode.
#line 7
allow platform_app platform_app_userfaultfd:anon_inode { create ioctl read };
#line 7
# Suppress errors generated during bugreport
#line 7
dontaudit su platform_app_userfaultfd:anon_inode *;
#line 7
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 7
neverallow { domain -platform_app } platform_app_userfaultfd:anon_inode *;
#line 7
#line 7
allow platform_app appdomain_tmpfs:file { execute getattr map read write };
#line 7
neverallow { platform_app -runas_app -shell -simpleperf } { domain -platform_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 7
neverallow { appdomain -runas_app -shell -simpleperf -platform_app } platform_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 7
# The Android security model guarantees the confidentiality and integrity
#line 7
# of application data and execution state. Ptrace bypasses those
#line 7
# confidentiality guarantees. Disallow ptrace access from system components to
#line 7
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 7
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 7
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 7
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 7
# live lock conditions.
#line 7
neverallow { domain -platform_app -crash_dump -runas_app -simpleperf } platform_app:process ptrace;
#line 7
# Access the network.
#line 10
typeattribute platform_app netdomain;
#line 10
# Access bluetooth.
#line 12
typeattribute platform_app bluetoothdomain;
#line 12
# Read from /data/local/tmp or /data/data/com.android.shell.
allow platform_app shell_data_file:dir search;
allow platform_app shell_data_file:file { open getattr read };
allow platform_app icon_file:file { open getattr read };
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
# created by system server.
allow platform_app { apk_tmp_file apk_private_tmp_file }:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow platform_app { apk_tmp_file apk_private_tmp_file }:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow platform_app apk_private_data_file:dir search;
# ASEC
allow platform_app asec_apk_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow platform_app asec_apk_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Access to /data/media.
allow platform_app media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow platform_app media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Write to /cache.
allow platform_app cache_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow platform_app cache_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Direct access to vold-mounted storage under /mnt/media_rw
# This is a performance optimization that allows platform apps to bypass the FUSE layer
allow platform_app mnt_media_rw_file:dir { open getattr read search ioctl lock watch watch_reads };
allow platform_app sdcard_type:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow platform_app sdcard_type:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# com.android.systemui
allow platform_app rootfs:dir getattr;
#line 42
allow platform_app radio_cdma_ecm_prop:file { getattr open read map };
#line 42
#line 45
neverallow { domain -init -dumpstate } persist_wm_debug_prop:property_service set;
#line 50
#line 53
# com.android.captiveportallogin reads /proc/vmstat
allow platform_app {
proc_vmstat
}:file { getattr open read ioctl lock map watch watch_reads };
# /proc/net access.
# TODO(b/9496886) Audit access for removal.
#line 62
allow platform_app proc_net_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 62
allow platform_app proc_net_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 62
#line 65
# Allow writing and removing wmshell protolog in /data/misc/wmtrace.
#line 71
allow platform_app audioserver_service:service_manager find;
allow platform_app cameraserver_service:service_manager find;
allow platform_app drmserver_service:service_manager find;
allow platform_app mediaserver_service:service_manager find;
allow platform_app mediametrics_service:service_manager find;
allow platform_app mediaextractor_service:service_manager find;
allow platform_app mediadrmserver_service:service_manager find;
allow platform_app persistent_data_block_service:service_manager find;
allow platform_app radio_service:service_manager find;
allow platform_app thermal_service:service_manager find;
allow platform_app app_api_service:service_manager find;
allow platform_app system_api_service:service_manager find;
allow platform_app vr_manager_service:service_manager find;
allow platform_app stats_service:service_manager find;
# Allow platform apps to log via statsd.
#line 89
# Call the server domain and optionally transfer references to it.
#line 89
allow platform_app statsd:binder { call transfer };
#line 89
# Allow the serverdomain to transfer references to the client on the reply.
#line 89
allow statsd platform_app:binder transfer;
#line 89
# Receive and use open files from the server.
#line 89
allow platform_app statsd:fd use;
#line 89
# Allow platform applications to find and call artd for testing
#line 95
# Access to /data/preloads
allow platform_app preloads_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow platform_app preloads_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow platform_app preloads_media_file:file { getattr open read ioctl lock map watch watch_reads };
allow platform_app preloads_media_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 103
allow platform_app runtime_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads };
#line 103
# allow platform apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow platform_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
# allow platform apps to connect to the property service
#line 111
#line 111
allow platform_app property_socket:sock_file write;
#line 111
allow platform_app init:unix_stream_socket connectto;
#line 111
#line 111
allow platform_app test_boot_reason_prop:property_service set;
#line 111
#line 111
allow platform_app test_boot_reason_prop:file { getattr open read map };
#line 111
#line 111
# allow platform apps to read keyguard.no_require_sim
#line 114
allow platform_app keyguard_config_prop:file { getattr open read map };
#line 114
# allow platform apps to read qemu.hw.mainkeys
#line 117
allow platform_app qemu_hw_prop:file { getattr open read map };
#line 117
# allow platform apps to read sys.boot.reason.last
#line 120
allow platform_app last_boot_reason_prop:file { getattr open read map };
#line 120
# allow platform apps to create symbolic link
allow platform_app app_data_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# suppress denials caused by debugfs_tracing
dontaudit platform_app debugfs_tracing:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow platform apps to create VMs
#line 129
# Transition to virtualizationmanager when the client executes it.
#line 129
#line 129
# Allow the necessary permissions.
#line 129
#line 129
# Old domain may exec the file and transition to the new domain.
#line 129
allow platform_app virtualizationmanager_exec:file { getattr open read execute map };
#line 129
allow platform_app virtualizationmanager:process transition;
#line 129
# New domain is entered by executing the file.
#line 129
allow virtualizationmanager virtualizationmanager_exec:file { entrypoint open read execute getattr map };
#line 129
# New domain can send SIGCHLD to its caller.
#line 129
allow virtualizationmanager platform_app:process sigchld;
#line 129
# Enable AT_SECURE, i.e. libc secure mode.
#line 129
dontaudit platform_app virtualizationmanager:process noatsecure;
#line 129
# XXX dontaudit candidate but requires further study.
#line 129
allow platform_app virtualizationmanager:process { siginh rlimitinh };
#line 129
#line 129
# Make the transition occur by default.
#line 129
type_transition platform_app virtualizationmanager_exec:process virtualizationmanager;
#line 129
#line 129
# Allow virtualizationmanager to communicate over UDS with the client.
#line 129
allow { virtualizationmanager crosvm } platform_app:unix_stream_socket { ioctl getattr read write };
#line 129
# Let the client pass file descriptors to virtualizationmanager and on to crosvm.
#line 129
allow { virtualizationmanager crosvm } platform_app:fd use;
#line 129
# Let the client use file descriptors created by virtualizationmanager.
#line 129
allow platform_app virtualizationmanager:fd use;
#line 129
# Allow piping console log to the client
#line 129
allow { virtualizationmanager crosvm } platform_app:fifo_file { ioctl getattr read write };
#line 129
# Allow client to read/write vsock created by virtualizationmanager to communicate with the VM
#line 129
# that it created. Notice that we do not grant permission to create a vsock;
#line 129
# the client can only connect to VMs that it owns.
#line 129
allow platform_app virtualizationmanager:vsock_socket { getattr getopt read write };
#line 129
# Allow client to inspect hypervisor capabilities
#line 129
#line 129
allow platform_app hypervisor_prop:file { getattr open read map };
#line 129
#line 129
# Allow client to read (but not open) the crashdump provided by virtualizationmanager
#line 129
allow platform_app virtualizationservice_data_file:file { getattr read };
#line 129
###
### Neverallow rules
###
neverallow { domain -init } persist_sysui_builder_extras_prop:property_service set;
# app domains which access /dev/fuse should not run as platform_app
neverallow platform_app fuse_device:chr_file *;
#line 1 "system/sepolicy/private/postinstall.te"
typeattribute postinstall coredomain;
type postinstall_exec, system_file_type, exec_type, file_type;
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow postinstall otapreopt_chroot_exec:file { getattr open read execute map };
#line 3
allow postinstall otapreopt_chroot:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow otapreopt_chroot otapreopt_chroot_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
allow otapreopt_chroot postinstall:process sigchld;
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit postinstall otapreopt_chroot:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow postinstall otapreopt_chroot:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition postinstall otapreopt_chroot_exec:process otapreopt_chroot;
#line 3
allow postinstall rootfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 1 "system/sepolicy/private/postinstall_dexopt.te"
# Domain for the otapreopt executable, running under postinstall_dexopt
#
# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
# this is derived and adapted from installd.te.
type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
type postinstall_dexopt_exec, system_file_type, exec_type, file_type;
type postinstall_dexopt_tmpfs, file_type;
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
# - Case where dex2oat is in a non-flattened APEX, which has retained
# the correct type (`dex2oat_exec`).
#line 14
# Allow the necessary permissions.
#line 14
#line 14
# Old domain may exec the file and transition to the new domain.
#line 14
allow postinstall_dexopt dex2oat_exec:file { getattr open read execute map };
#line 14
allow postinstall_dexopt dex2oat:process transition;
#line 14
# New domain is entered by executing the file.
#line 14
allow dex2oat dex2oat_exec:file { entrypoint open read execute getattr map };
#line 14
# New domain can send SIGCHLD to its caller.
#line 14
allow dex2oat postinstall_dexopt:process sigchld;
#line 14
# Enable AT_SECURE, i.e. libc secure mode.
#line 14
dontaudit postinstall_dexopt dex2oat:process noatsecure;
#line 14
# XXX dontaudit candidate but requires further study.
#line 14
allow postinstall_dexopt dex2oat:process { siginh rlimitinh };
#line 14
#line 14
# Make the transition occur by default.
#line 14
type_transition postinstall_dexopt dex2oat_exec:process dex2oat;
#line 14
# - Case where dex2oat is in a flattened APEX, which has been tagged
# with the `postinstall_file` type by update_engine.
#line 17
# Allow the necessary permissions.
#line 17
#line 17
# Old domain may exec the file and transition to the new domain.
#line 17
allow postinstall_dexopt postinstall_file:file { getattr open read execute map };
#line 17
allow postinstall_dexopt dex2oat:process transition;
#line 17
# New domain is entered by executing the file.
#line 17
allow dex2oat postinstall_file:file { entrypoint open read execute getattr map };
#line 17
# New domain can send SIGCHLD to its caller.
#line 17
allow dex2oat postinstall_dexopt:process sigchld;
#line 17
# Enable AT_SECURE, i.e. libc secure mode.
#line 17
dontaudit postinstall_dexopt dex2oat:process noatsecure;
#line 17
# XXX dontaudit candidate but requires further study.
#line 17
allow postinstall_dexopt dex2oat:process { siginh rlimitinh };
#line 17
#line 17
# Make the transition occur by default.
#line 17
type_transition postinstall_dexopt postinstall_file:process dex2oat;
#line 17
# Run derive_classpath to get the current BCP.
#line 20
# Allow the necessary permissions.
#line 20
#line 20
# Old domain may exec the file and transition to the new domain.
#line 20
allow postinstall_dexopt derive_classpath_exec:file { getattr open read execute map };
#line 20
allow postinstall_dexopt derive_classpath:process transition;
#line 20
# New domain is entered by executing the file.
#line 20
allow derive_classpath derive_classpath_exec:file { entrypoint open read execute getattr map };
#line 20
# New domain can send SIGCHLD to its caller.
#line 20
allow derive_classpath postinstall_dexopt:process sigchld;
#line 20
# Enable AT_SECURE, i.e. libc secure mode.
#line 20
dontaudit postinstall_dexopt derive_classpath:process noatsecure;
#line 20
# XXX dontaudit candidate but requires further study.
#line 20
allow postinstall_dexopt derive_classpath:process { siginh rlimitinh };
#line 20
#line 20
# Make the transition occur by default.
#line 20
type_transition postinstall_dexopt derive_classpath_exec:process derive_classpath;
#line 20
# Allow postinstall_dexopt to make a tempfile for derive_classpath to write into
#line 22
type_transition postinstall_dexopt tmpfs:file postinstall_dexopt_tmpfs;
#line 22
allow postinstall_dexopt postinstall_dexopt_tmpfs:file { read write getattr map };
#line 22
;
allow postinstall_dexopt postinstall_dexopt_tmpfs:file open;
allow postinstall_dexopt self:{ capability cap_userns } { chown dac_override dac_read_search fowner fsetid setgid setuid };
allow postinstall_dexopt postinstall_file:filesystem getattr;
allow postinstall_dexopt postinstall_file:dir { getattr read search };
allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
allow postinstall_dexopt proc_filesystems:file { getattr open read };
allow postinstall_dexopt rootfs:file { getattr open read ioctl lock map watch watch_reads };
allow postinstall_dexopt tmpfs:file read;
# Allow access to the odsign verification status.
#line 36
allow postinstall_dexopt odsign_prop:file { getattr open read map };
#line 36
# Allow access to /postinstall/apex.
allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search };
# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
# here and having to relabel the directory.
# Read app data (APKs) as input to dex2oat.
#line 45
allow postinstall_dexopt apk_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 45
allow postinstall_dexopt apk_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 45
# Read vendor app data (APKs) as input to dex2oat.
#line 47
allow postinstall_dexopt vendor_app_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 47
allow postinstall_dexopt vendor_app_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 47
# Read vendor overlay files (APKs) as input to dex2oat.
#line 49
allow postinstall_dexopt vendor_overlay_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 49
allow postinstall_dexopt vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 49
# Vendor overlay can be found in vendor apex
allow postinstall_dexopt vendor_apex_metadata_file:dir { getattr search };
# Access to app oat directory.
#line 53
allow postinstall_dexopt dalvikcache_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 53
allow postinstall_dexopt dalvikcache_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 53
# Read profile data.
allow postinstall_dexopt { user_profile_root_file user_profile_data_file }:dir { getattr search };
allow postinstall_dexopt user_profile_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Suppress deletion denial (we do not want to update the profile).
dontaudit postinstall_dexopt user_profile_data_file:file { write };
# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
allow postinstall_dexopt ota_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow postinstall_dexopt ota_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow postinstall_dexopt ota_data_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
# TODO: See whether we can apply ota_data_file?
allow postinstall_dexopt dalvikcache_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow postinstall_dexopt dalvikcache_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow labeling of files under /data/app/com.example/oat/
# TODO: Restrict to .b suffix?
allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
# Check validity of SELinux context before use.
#line 77
#line 77
allow postinstall_dexopt selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 77
allow postinstall_dexopt selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 77
#line 77
allow postinstall_dexopt selinuxfs:file { open append write lock map };
#line 77
allow postinstall_dexopt kernel:security check_context;
#line 77
#line 78
#line 78
allow postinstall_dexopt selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 78
allow postinstall_dexopt selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 78
#line 78
allow postinstall_dexopt selinuxfs:file { open append write lock map };
#line 78
allow postinstall_dexopt kernel:security compute_av;
#line 78
allow postinstall_dexopt self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
#line 78
# Postinstall wants to know about our child.
allow postinstall_dexopt postinstall:process sigchld;
# Allow otapreopt to use file descriptors from otapreopt_chroot.
# TODO: Probably we can actually close file descriptors...
allow postinstall_dexopt otapreopt_chroot:fd use;
# Allow postinstall_dexopt to access the runtime feature flag properties.
#line 89
allow postinstall_dexopt device_config_runtime_native_prop:file { getattr open read map };
#line 89
#line 90
allow postinstall_dexopt device_config_runtime_native_boot_prop:file { getattr open read map };
#line 90
#line 1 "system/sepolicy/private/preloads_copy.te"
# preloads_copy: a domain started by init that populates the preloads data
# (preloads_data_file / preloads_media_file, i.e. /data/preloads). The
# shell_exec/toolbox_exec rules below show it is a shell script; those
# binaries run inside this domain (execute_no_trans), no further transition.
type preloads_copy, domain, coredomain;
type preloads_copy_exec, system_file_type, exec_type, file_type;
#line 4
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init preloads_copy_exec:file { getattr open read execute map };
#line 4
allow init preloads_copy:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow preloads_copy preloads_copy_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
# (no rule is emitted in this expansion for the init caller)
#line 4
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init preloads_copy:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init preloads_copy:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition init preloads_copy_exec:process preloads_copy;
#line 4
#line 4
# The shell and toolbox binaries execute without a domain transition, so
# everything they do is confined by this domain's rules.
allow preloads_copy shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow preloads_copy toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Create/write access is limited to the two preloads types; the system_file
# access further down is read-only (the copy source).
allow preloads_copy preloads_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow preloads_copy preloads_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow preloads_copy preloads_media_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow preloads_copy preloads_media_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow to copy from /postinstall
allow preloads_copy system_file:dir { open getattr read search ioctl lock watch watch_reads };
# Silence the denial when /postinstall cannot be mounted, e.g., system_other
# is wiped, but preloads_copy.sh still runs.
dontaudit preloads_copy postinstall_mnt_dir:dir search;
#line 1 "system/sepolicy/private/preopt2cachename.te"
# preopt2cachename executable
#
# This executable translates names from the preopted versions the build system
# creates to the names the runtime expects in the data directory.
# No init transition is declared here; the only peer visible in this
# expansion is cppreopts (fd/fifo rules below).
type preopt2cachename, domain, coredomain;
type preopt2cachename_exec, system_file_type, exec_type, file_type;
# Allow write to stdout.
# stdout is a pipe inherited from cppreopts; only that fd may be used.
allow preopt2cachename cppreopts:fd use;
allow preopt2cachename cppreopts:fifo_file { getattr read write };
# Allow write to logcat.
# NOTE(review): the rule below grants read access to proc_net_type files;
# how that relates to logcat is not evident from this expansion — confirm
# against the source .te.
allow preopt2cachename proc_net_type:file { getattr open read ioctl lock map watch watch_reads };
#line 17
#line 1 "system/sepolicy/private/priv_app.te"
###
### A domain for further sandboxing privileged apps.
###
# priv_app is a coredomain app domain (appdomain, netdomain and
# bluetoothdomain are assigned below). Several grants here are broader than
# what untrusted apps get; the neverallow section at the end of this file
# fixes the ceiling that vendor policy may not exceed.
typeattribute priv_app coredomain;
#line 6
typeattribute priv_app appdomain;
#line 6
# Label tmpfs objects for all apps.
#line 6
type_transition priv_app tmpfs:file appdomain_tmpfs;
#line 6
#line 6
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 6
type priv_app_userfaultfd;
#line 6
type_transition priv_app priv_app:anon_inode priv_app_userfaultfd "[userfaultfd]";
#line 6
# Allow domain to create/use userfaultfd anon_inode.
#line 6
allow priv_app priv_app_userfaultfd:anon_inode { create ioctl read };
#line 6
# Suppress errors generated during bugreport
#line 6
dontaudit su priv_app_userfaultfd:anon_inode *;
#line 6
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 6
neverallow { domain -priv_app } priv_app_userfaultfd:anon_inode *;
#line 6
#line 6
allow priv_app appdomain_tmpfs:file { execute getattr map read write };
#line 6
# Cross-domain file isolation: priv_app may not open/write files of any
# other domain, and other app domains may not touch priv_app's files.
# runas_app, shell and simpleperf are the only exceptions.
neverallow { priv_app -runas_app -shell -simpleperf } { domain -priv_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 6
neverallow { appdomain -runas_app -shell -simpleperf -priv_app } priv_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 6
# The Android security model guarantees the confidentiality and integrity
#line 6
# of application data and execution state. Ptrace bypasses those
#line 6
# confidentiality guarantees. Disallow ptrace access from system components to
#line 6
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 6
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 6
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 6
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 6
# live lock conditions.
#line 6
neverallow { domain -priv_app -crash_dump -runas_app -simpleperf } priv_app:process ptrace;
#line 6
# Access the network.
#line 9
typeattribute priv_app netdomain;
#line 9
# Access bluetooth.
#line 11
typeattribute priv_app bluetoothdomain;
#line 11
# Allow the allocation and use of ptys
# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
#line 15
# Each domain gets a unique devpts type.
#line 15
type priv_app_devpts, fs_type;
#line 15
# Label the pty with the unique type when created.
#line 15
type_transition priv_app devpts:chr_file priv_app_devpts;
#line 15
# Allow use of the pty after creation.
#line 15
allow priv_app priv_app_devpts:chr_file { open getattr read write ioctl };
#line 15
# tty ioctl allowlist; with an allowxperm rule present, any ioctl command
# not listed here is denied. TIOCSTI is additionally neverallowed below.
allowxperm priv_app priv_app_devpts:chr_file ioctl {
#line 15
0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414
#line 15
0x0000540e 0x0000540b 0x00005410 0x0000540f
#line 15
};
#line 15
# TIOCSTI is only ever used for exploits. Block it.
#line 15
# b/33073072, b/7530569
#line 15
# http://www.openwall.com/lists/oss-security/2016/09/26/14
#line 15
neverallowxperm * priv_app_devpts:chr_file ioctl 0x00005412;
#line 15
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
#line 15
# allowed to everyone via domain.te.
#line 15
# Allow loading executable code from writable priv-app home
# directories. This is a W^X violation, however, it needs
# to be supported for now for the following reasons.
# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
# 1) com.android.opengl.shaders_cache
# 2) com.android.skia.shaders_cache
# 3) com.android.renderscript.cache
# * /data/user_de/0/com.google.android.gms/app_chimera
# TODO: Tighten (b/112357170)
# Scope of this exception: privapp_data_file only. The neverallow in the
# neverallow section keeps every other app_data_file_type non-executable.
allow priv_app privapp_data_file:file execute;
# Chrome Crashpad uses the dynamic linker to load native executables
# from an APK (b/112050209, crbug.com/928422)
allow priv_app system_linker_exec:file execute_no_trans;
allow priv_app privapp_data_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Priv apps can find services that expose both @SystemAPI and normal APIs.
# Only "find" is granted; registering services is neverallowed below.
allow priv_app app_api_service:service_manager find;
allow priv_app system_api_service:service_manager find;
allow priv_app audioserver_service:service_manager find;
allow priv_app cameraserver_service:service_manager find;
allow priv_app drmserver_service:service_manager find;
allow priv_app mediadrmserver_service:service_manager find;
allow priv_app mediaextractor_service:service_manager find;
allow priv_app mediametrics_service:service_manager find;
allow priv_app mediaserver_service:service_manager find;
allow priv_app music_recognition_service:service_manager find;
allow priv_app network_watchlist_service:service_manager find;
allow priv_app nfc_service:service_manager find;
allow priv_app oem_lock_service:service_manager find;
allow priv_app persistent_data_block_service:service_manager find;
allow priv_app radio_service:service_manager find;
allow priv_app recovery_service:service_manager find;
allow priv_app stats_service:service_manager find;
# Write to /cache.
allow priv_app { cache_file cache_recovery_file }:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow priv_app { cache_file cache_recovery_file }:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# /cache is a symlink to /data/cache on some devices. Allow reading the link.
allow priv_app cache_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
# Access to /data/media.
allow priv_app media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow priv_app media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow priv_app shell_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow priv_app shell_data_file:dir { open getattr read search ioctl lock watch watch_reads };
# Allow traceur to pass file descriptors through a content provider to betterbug
# Deliberately no "open": trace files are only reachable via a passed fd
# (see the trace_data_file neverallow rules at the end of this file).
allow priv_app trace_data_file:file { getattr read };
# Allow betterbug to read profile reports generated by profcollect.
#line 75
# NOTE(review): nothing is emitted at this point in this expansion; the rule
# is presumably build-variant gated — confirm against the source .te.
# Allow the bug reporting frontend to read the presence and timestamp of the
# trace attached to the bugreport (but not its contents, which will go in the
# usual bugreport .zip file). This is used by the bug reporting UI to tell if
# the bugreport will contain a system trace or not while the bugreport is still
# in progress.
allow priv_app wm_trace_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow priv_app wm_trace_data_file:file getattr;
allow priv_app perfetto_traces_bugreport_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow priv_app perfetto_traces_bugreport_data_file:file { getattr };
# Required to traverse the parent dir (/data/misc/perfetto-traces).
allow priv_app perfetto_traces_data_file:dir { search };
# Allow priv apps (e.g. BetterBug) to receive Perfetto traces through
# the framework (i.e. TracingServiceProxy) and sendfile them into their private
# directories for reporting when network and battery conditions are
# appropriate.
allow priv_app perfetto:fd use;
allow priv_app perfetto_traces_data_file:file { read getattr };
# Allow verifier to access staged apks.
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir { open getattr read search ioctl lock watch watch_reads };
allow priv_app { apk_tmp_file apk_private_tmp_file }:file { getattr open read ioctl lock map watch watch_reads };
# For AppFuse.
# read/write only on an fd handed over by vold; no open on fuse_device.
allow priv_app vold:fd use;
allow priv_app fuse_device:chr_file { read write };
# /proc access
allow priv_app {
proc_vmstat
}:file { getattr open read ioctl lock map watch watch_reads };
allow priv_app sysfs_type:dir search;
# Read access to /sys/block/zram*/mm_stat
#line 111
allow priv_app sysfs_zram:dir { open getattr read search ioctl lock watch watch_reads };
#line 111
allow priv_app sysfs_zram:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 111
#line 113
allow priv_app rootfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 113
allow priv_app rootfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 113
# Allow com.android.vending to communicate with statsd.
#line 116
# Call the server domain and optionally transfer references to it.
#line 116
allow priv_app statsd:binder { call transfer };
#line 116
# Allow the serverdomain to transfer references to the client on the reply.
#line 116
allow statsd priv_app:binder transfer;
#line 116
# Receive and use open files from the server.
#line 116
allow priv_app statsd:fd use;
#line 116
# Allow Phone to read/write cached ringtones (opened by system).
allow priv_app ringtone_file:file { getattr read write };
# Access to /data/preloads
allow priv_app preloads_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow priv_app preloads_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow priv_app preloads_media_file:file { getattr open read ioctl lock map watch watch_reads };
allow priv_app preloads_media_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 127
allow priv_app runtime_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads };
#line 127
# Allow priv_apps to request and collect incident reports.
# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
allow priv_app incident_service:service_manager find;
#line 132
# Call the server domain and optionally transfer references to it.
#line 132
allow priv_app incidentd:binder { call transfer };
#line 132
# Allow the serverdomain to transfer references to the client on the reply.
#line 132
allow incidentd priv_app:binder transfer;
#line 132
# Receive and use open files from the server.
#line 132
allow priv_app incidentd:fd use;
#line 132
allow priv_app incidentd:fifo_file { read write };
# Allow priv_apps to check whether Dynamic System Update is enabled
#line 136
allow priv_app dynamic_system_prop:file { getattr open read map };
#line 136
# suppress denials for non-API accesses.
# These are dontaudit, not allow: the accesses stay denied, only the
# audit noise is removed.
dontaudit priv_app exec_type:file getattr;
dontaudit priv_app device:dir read;
dontaudit priv_app fs_bpf:dir search;
dontaudit priv_app net_dns_prop:file read;
dontaudit priv_app proc:file read;
dontaudit priv_app proc_interrupts:file read;
dontaudit priv_app proc_modules:file read;
dontaudit priv_app proc_net:file read;
dontaudit priv_app proc_stat:file read;
dontaudit priv_app proc_version:file read;
dontaudit priv_app sysfs:dir read;
dontaudit priv_app sysfs:file read;
dontaudit priv_app sysfs_android_usb:file read;
dontaudit priv_app sysfs_dm:file { getattr open read ioctl lock map watch watch_reads };
dontaudit priv_app { wifi_prop wifi_config_prop wifi_hal_prop }:file read;
# allow privileged apps to use UDP sockets provided by the system server but not
# modify them other than to connect
# No create/bind/listen/accept: the socket must have been created (and is
# labeled) by system_server and handed over.
allow priv_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
# allow apps like Phonesky to check the file signature of an apk installed on
# the Incremental File System, fill missing blocks and get the app status and loading progress
# ioctl allowlist on apk_data_file: with this rule present, every ioctl
# command not listed is denied for priv_app on these files.
allowxperm priv_app apk_data_file:file ioctl {
0x0000671f
0x00006720
0x00006724
0x00006722
};
# allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
allow priv_app incremental_control_file:file { read getattr ioctl };
# allow apps like Phonesky to request permission to fill blocks of an apk file
# on the Incremental File System.
allowxperm priv_app incremental_control_file:file ioctl 0x00006721;
# allow privileged apps to read the vendor property that indicates if Incremental File System is enabled
#line 177
allow priv_app incremental_prop:file { getattr open read map };
#line 177
# allow privileged apps to read the device config flags.
#line 180
allow priv_app device_config_aconfig_flags_prop:file { getattr open read map };
#line 180
# allow privileged apps to read boot reason property
#line 183
allow priv_app system_boot_reason_prop:file { getattr open read map };
#line 183
# Required for Phonesky to be able to read APEX files under /data/apex/active/.
allow priv_app apex_data_file:dir search;
allow priv_app staging_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Required for Phonesky to be able to read staged files under /data/app-staging.
allow priv_app staging_data_file:dir { open getattr read search ioctl lock watch watch_reads };
# Allow com.android.vending to access files under vendor/apex as well as system apex files.
# This is required for com.android.vending to handle APEXes for e.g. delta patch optimization.
allow priv_app vendor_apex_file:dir { open getattr read search ioctl lock watch watch_reads };
allow priv_app vendor_apex_file:file { getattr open read ioctl lock map watch watch_reads };
# allow priv app to access the system app data files for ContentProvider case.
allow priv_app system_app_data_file:file { read getattr };
# Allow the renderscript compiler to be run.
#line 200
# Domain transition priv_app -> rs on executing rs_exec.
# Allow the necessary permissions.
#line 200
#line 200
# Old domain may exec the file and transition to the new domain.
#line 200
allow priv_app rs_exec:file { getattr open read execute map };
#line 200
allow priv_app rs:process transition;
#line 200
# New domain is entered by executing the file.
#line 200
allow rs rs_exec:file { entrypoint open read execute getattr map };
#line 200
# New domain can send SIGCHLD to its caller.
#line 200
allow rs priv_app:process sigchld;
#line 200
# Enable AT_SECURE, i.e. libc secure mode.
#line 200
dontaudit priv_app rs:process noatsecure;
#line 200
# XXX dontaudit candidate but requires further study.
#line 200
allow priv_app rs:process { siginh rlimitinh };
#line 200
#line 200
# Make the transition occur by default.
#line 200
type_transition priv_app rs_exec:process rs;
#line 200
# Allow loading and deleting executable shared libraries
# within an application home directory. Such shared libraries would be
# created by things like renderscript or via other mechanisms.
allow priv_app app_exec_data_file:file { { getattr open read ioctl lock map watch watch_reads } execute unlink };
# Allow privileged apps to create a VM. Note that access is still
# guarded with the `android.permission.MANAGE_VIRTUAL_MACHINE`
# permission.
#line 210
# Transition to virtualizationmanager when the client executes it.
#line 210
#line 210
# Allow the necessary permissions.
#line 210
#line 210
# Old domain may exec the file and transition to the new domain.
#line 210
allow priv_app virtualizationmanager_exec:file { getattr open read execute map };
#line 210
allow priv_app virtualizationmanager:process transition;
#line 210
# New domain is entered by executing the file.
#line 210
allow virtualizationmanager virtualizationmanager_exec:file { entrypoint open read execute getattr map };
#line 210
# New domain can send SIGCHLD to its caller.
#line 210
allow virtualizationmanager priv_app:process sigchld;
#line 210
# Enable AT_SECURE, i.e. libc secure mode.
#line 210
dontaudit priv_app virtualizationmanager:process noatsecure;
#line 210
# XXX dontaudit candidate but requires further study.
#line 210
allow priv_app virtualizationmanager:process { siginh rlimitinh };
#line 210
#line 210
# Make the transition occur by default.
#line 210
type_transition priv_app virtualizationmanager_exec:process virtualizationmanager;
#line 210
#line 210
# Allow virtualizationmanager to communicate over UDS with the client.
#line 210
allow { virtualizationmanager crosvm } priv_app:unix_stream_socket { ioctl getattr read write };
#line 210
# Let the client pass file descriptors to virtualizationmanager and on to crosvm.
#line 210
allow { virtualizationmanager crosvm } priv_app:fd use;
#line 210
# Let the client use file descriptors created by virtualizationmanager.
#line 210
allow priv_app virtualizationmanager:fd use;
#line 210
# Allow piping console log to the client
#line 210
allow { virtualizationmanager crosvm } priv_app:fifo_file { ioctl getattr read write };
#line 210
# Allow client to read/write vsock created by virtualizationmanager to communicate with the VM
#line 210
# that it created. Notice that we do not grant permission to create a vsock;
#line 210
# the client can only connect to VMs that it owns.
#line 210
allow priv_app virtualizationmanager:vsock_socket { getattr getopt read write };
#line 210
# Allow client to inspect hypervisor capabilities
#line 210
#line 210
allow priv_app hypervisor_prop:file { getattr open read map };
#line 210
#line 210
# Allow client to read (but not open) the crashdump provided by virtualizationmanager
#line 210
allow priv_app virtualizationservice_data_file:file { getattr read };
#line 210
###
### neverallow rules
###
# These rules are the ceiling for priv_app: a vendor policy that tries to
# grant any of them fails to build (and the CTS neverallow checks fail).
# Receive or send uevent messages.
neverallow priv_app domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow priv_app domain:netlink_socket *;
# Read or write kernel printk buffer
neverallow priv_app kmsg_device:chr_file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow priv_app debugfs_type:file read;
# Do not allow privileged apps to register services.
# Only trusted components of Android should be registering
# services.
neverallow priv_app service_manager_type:service_manager add;
# Do not allow privileged apps to connect to the property service
# or set properties. b/10243159
neverallow priv_app property_socket:sock_file write;
neverallow priv_app init:unix_stream_socket connectto;
neverallow priv_app property_type:property_service set;
# Do not allow priv_app to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints. As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and priv_app is allowed fork permission to itself.
neverallow priv_app mlstrustedsubject:process fork;
# Do not allow priv_app to hard link to any files.
# In particular, if priv_app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure priv_app never has this
# capability.
neverallow priv_app file_type:file link;
# priv apps should not be able to open trace data files, they should depend
# upon traceur to pass a file descriptor which they can then read
neverallow priv_app trace_data_file:dir *;
neverallow priv_app trace_data_file:file { { append create link unlink relabelfrom rename setattr write } open };
# Do not allow priv_app access to cgroups.
neverallow priv_app cgroup:file *;
neverallow priv_app cgroup_v2:file *;
# Do not allow loading executable code from non-privileged
# application home directories. Code loading across a security boundary
# is dangerous and allows a full compromise of a privileged process
# by an unprivileged process. b/112357170
neverallow priv_app { app_data_file_type -privapp_data_file }:file { execute execute_no_trans };
# Do not follow any app provided symlinks
neverallow priv_app { app_data_file_type -privapp_data_file }:lnk_file { open read getattr };
# Do not allow getting permission-protected network information from sysfs.
neverallow priv_app sysfs_net:file *;
# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
# Unlike the allowxperm allowlists above, this is a deny list: only the
# listed commands are forbidden, anything else remains subject to the
# ordinary allow rules.
neverallowxperm priv_app domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl
#line 281
{
#line 281
# qualcomm rmnet ioctls
#line 281
0x00006900 0x00006902
#line 281
# socket ioctls
#line 281
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 281
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 281
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 281
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 281
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 281
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 281
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 281
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 281
0x00008991 0x00008992 0x00008993 0x00008994
#line 281
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 281
# device and protocol specific ioctls
#line 281
0x000089f0-0x000089ff
#line 281
0x000089e0-0x000089ef
#line 281
# Wireless extension ioctls
#line 281
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 281
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 281
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 281
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 281
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 281
0x00008b34 0x00008b35 0x00008b36
#line 281
# Dev private ioctl i.e. hardware specific ioctls
#line 281
0x00008be0-0x00008bff
#line 281
};
# Route/selinux netlink: the socket classes themselves stay usable, only
# ioctl on them is forbidden.
neverallow priv_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
# Every socket class listed here is off limits to priv_app entirely.
neverallow priv_app *:{
socket netlink_socket packet_socket key_socket appletalk_socket
netlink_tcpdiag_socket netlink_nflog_socket
netlink_xfrm_socket netlink_audit_socket
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
netlink_rdma_socket netlink_crypto_socket sctp_socket
ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
} *;
# Allow priv apps to report off body events to keystore2.
allow priv_app keystore:keystore2 report_off_body;
# Allow priv_apps to check if archiving is enabled
#line 301
allow priv_app pm_archiving_enabled_prop:file { getattr open read map };
#line 301
<doc_update>
#line 1 "system/sepolicy/private/prng_seeder.te"
# PRNG seeder daemon
# Started from early init, maintains a FIPS approved DRBG which it periodically reseeds from
# /dev/hw_random. When BoringSSL (libcrypto) in other processes needs seeding data for its
# internal DRBGs it will connect to /dev/socket/prng_seeder and the daemon will write a
# fixed size block of entropy then disconnect. No other IO is performed.
#
# Least-privilege summary of the rules below: the daemon reads
# hw_random_device, serves its init-created listening socket (no create,
# bind or listen granted here) and writes to kmsg_debug_device. Nothing else.
typeattribute prng_seeder coredomain;
# mlstrustedsubject required in order to allow connections from trusted app domains.
typeattribute prng_seeder mlstrustedsubject;
type prng_seeder_exec, system_file_type, exec_type, file_type;
#line 12
#line 12
# Allow the necessary permissions.
#line 12
#line 12
# Old domain may exec the file and transition to the new domain.
#line 12
allow init prng_seeder_exec:file { getattr open read execute map };
#line 12
allow init prng_seeder:process transition;
#line 12
# New domain is entered by executing the file.
#line 12
allow prng_seeder prng_seeder_exec:file { entrypoint open read execute getattr map };
#line 12
# New domain can send SIGCHLD to its caller.
# (no rule is emitted in this expansion for the init caller)
#line 12
#line 12
# Enable AT_SECURE, i.e. libc secure mode.
#line 12
dontaudit init prng_seeder:process noatsecure;
#line 12
# XXX dontaudit candidate but requires further study.
#line 12
allow init prng_seeder:process { siginh rlimitinh };
#line 12
#line 12
# Make the transition occur by default.
#line 12
type_transition init prng_seeder_exec:process prng_seeder;
#line 12
#line 12
# Socket open and listen are performed by init.
# Hence only accept and data transfer on the inherited socket are needed.
allow prng_seeder prng_seeder:unix_stream_socket { read write getattr accept };
# Entropy source, read-only.
allow prng_seeder hw_random_device:chr_file { read open };
# Logging to the kernel log device; no read permission.
allow prng_seeder kmsg_debug_device:chr_file { { open append write lock map } getattr ioctl };
#line 1 "system/sepolicy/private/profcollectd.te"
# profcollectd - hardware profile collection daemon
# NOTE(review): only the type declarations survive in this expansion; the
# rest of the source .te (up to its line 66) expands to nothing here,
# presumably because it is build-variant gated — confirm before relying on
# this domain having no rules.
type profcollectd, domain, coredomain, mlstrustedsubject;
type profcollectd_exec, system_file_type, exec_type, file_type;
#line 66
#line 1 "system/sepolicy/private/profman.te"
# profman: profile tooling domain. Note that no "open" permission is
# granted on any file type here; every file it touches must arrive as a
# descriptor from artd or installd (fd use rule below).
typeattribute profman coredomain;
# Allow profman to read APKs and profile files next to them by FDs passed from
# other programs. In addition, allow profman to acquire flocks on those files.
allow profman {
system_file
apk_data_file
vendor_app_file
}:file { getattr read map lock };
# Allow profman to use file descriptors passed from privileged programs.
allow profman { artd installd }:fd use;
# Allow profman to read from memfd created by artd.
# profman needs to read the embedded profile that artd extracts from an APK,
# which is passed by a memfd.
allow profman artd_tmpfs:file { getattr read map lock };
#line 1 "system/sepolicy/private/property.te"
# Properties used only in /system
#line 2
#line 2
type adbd_prop, property_type, system_property_type, system_internal_property_type;
#line 2
#line 2
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 2
#line 2
neverallow { domain -coredomain } adbd_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 2
#line 2
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 2
#line 2
#
# NOTE(review): this is the m4-expanded policy prebuilt, not hand-written
# policy. The "#line N" lines are m4 synclines; checkpolicy uses them only to
# report source locations in errors and they carry no policy meaning.
#
# Each 14-line group below is, presumably, the expansion of one
# system_internal_prop(<name>) call (the macro body is not in this span):
#   - a property type carrying property_type, system_property_type and
#     system_internal_property_type;
#   - a neverallow that forbids every domain outside coredomain from reading
#     or writing the property's backing file (the :file class).
# The permission set matches no_rw_file_perms from global_macros.
#
# neverallow is a build-time assertion, not a runtime denial: it fails
# policy compilation, and the CTS check that compiles this file together
# with a device's vendor policy, if any non-coredomain domain is granted
# these accesses. Setting a property goes through property_service:set
# rules, which are governed elsewhere and are not covered by these rules.
#
# The BEGIN/END_LAUNCHING_WITH_R_ONLY marker comments are parsed by CTS to
# scope these rules to devices launching with R or later; keep them paired
# and byte-identical.
#
#line 3
#line 3
type apexd_payload_metadata_prop, property_type, system_property_type, system_internal_property_type;
#line 3
#line 3
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 3
#line 3
neverallow { domain -coredomain } apexd_payload_metadata_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 3
#line 3
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 3
#line 3
#line 4
#line 4
type ctl_snapuserd_prop, property_type, system_property_type, system_internal_property_type;
#line 4
#line 4
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 4
#line 4
neverallow { domain -coredomain } ctl_snapuserd_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 4
#line 4
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 4
#line 4
#line 5
#line 5
type crashrecovery_prop, property_type, system_property_type, system_internal_property_type;
#line 5
#line 5
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 5
#line 5
neverallow { domain -coredomain } crashrecovery_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 5
#line 5
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 5
#line 5
#line 6
#line 6
type device_config_core_experiments_team_internal_prop, property_type, system_property_type, system_internal_property_type;
#line 6
#line 6
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 6
#line 6
neverallow { domain -coredomain } device_config_core_experiments_team_internal_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 6
#line 6
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 6
#line 6
#line 7
#line 7
type device_config_lmkd_native_prop, property_type, system_property_type, system_internal_property_type;
#line 7
#line 7
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 7
#line 7
neverallow { domain -coredomain } device_config_lmkd_native_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 7
#line 7
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 7
#line 7
#line 8
#line 8
type device_config_mglru_native_prop, property_type, system_property_type, system_internal_property_type;
#line 8
#line 8
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 8
#line 8
neverallow { domain -coredomain } device_config_mglru_native_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 8
#line 8
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 8
#line 8
#line 9
#line 9
type device_config_profcollect_native_boot_prop, property_type, system_property_type, system_internal_property_type;
#line 9
#line 9
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 9
#line 9
neverallow { domain -coredomain } device_config_profcollect_native_boot_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 9
#line 9
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 9
#line 9
#line 10
#line 10
type device_config_remote_key_provisioning_native_prop, property_type, system_property_type, system_internal_property_type;
#line 10
#line 10
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 10
#line 10
neverallow { domain -coredomain } device_config_remote_key_provisioning_native_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 10
#line 10
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 10
#line 10
#line 11
#line 11
type device_config_statsd_native_prop, property_type, system_property_type, system_internal_property_type;
#line 11
#line 11
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 11
#line 11
neverallow { domain -coredomain } device_config_statsd_native_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 11
#line 11
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 11
#line 11
#line 12
#line 12
type device_config_statsd_native_boot_prop, property_type, system_property_type, system_internal_property_type;
#line 12
#line 12
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 12
#line 12
neverallow { domain -coredomain } device_config_statsd_native_boot_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 12
#line 12
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 12
#line 12
#line 13
#line 13
type device_config_storage_native_boot_prop, property_type, system_property_type, system_internal_property_type;
#line 13
#line 13
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 13
#line 13
neverallow { domain -coredomain } device_config_storage_native_boot_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
#line 13
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 13
#line 13
#line 14
#line 14
type device_config_sys_traced_prop, property_type, system_property_type, system_internal_property_type;
#line 14
#line 14
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 14
#line 14
neverallow { domain -coredomain } device_config_sys_traced_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 14
#line 14
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 14
#line 14
#line 15
#line 15
type device_config_window_manager_native_boot_prop, property_type, system_property_type, system_internal_property_type;
#line 15
#line 15
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
neverallow { domain -coredomain } device_config_window_manager_native_boot_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
#line 15
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 15
#line 15
#line 16
#line 16
type device_config_configuration_prop, property_type, system_property_type, system_internal_property_type;
#line 16
#line 16
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 16
#line 16
neverallow { domain -coredomain } device_config_configuration_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 16
#line 16
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 16
#line 16
#line 17
#line 17
type device_config_connectivity_prop, property_type, system_property_type, system_internal_property_type;
#line 17
#line 17
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 17
#line 17
neverallow { domain -coredomain } device_config_connectivity_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 17
#line 17
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 17
#line 17
#line 18
#line 18
type device_config_swcodec_native_prop, property_type, system_property_type, system_internal_property_type;
#line 18
#line 18
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 18
#line 18
neverallow { domain -coredomain } device_config_swcodec_native_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 18
#line 18
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 18
#line 18
#line 19
#line 19
type device_config_tethering_u_or_later_native_prop, property_type, system_property_type, system_internal_property_type;
#line 19
#line 19
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 19
#line 19
neverallow { domain -coredomain } device_config_tethering_u_or_later_native_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 19
#line 19
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 19
#line 19
#line 20
#line 20
type dmesgd_start_prop, property_type, system_property_type, system_internal_property_type;
#line 20
#line 20
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 20
#line 20
neverallow { domain -coredomain } dmesgd_start_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 20
#line 20
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 20
#line 20
#line 21
#line 21
type fastbootd_protocol_prop, property_type, system_property_type, system_internal_property_type;
#line 21
#line 21
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 21
#line 21
neverallow { domain -coredomain } fastbootd_protocol_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 21
#line 21
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 21
#line 21
#line 22
#line 22
type gsid_prop, property_type, system_property_type, system_internal_property_type;
#line 22
#line 22
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 22
#line 22
neverallow { domain -coredomain } gsid_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 22
#line 22
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 22
#line 22
#line 23
#line 23
type init_perf_lsm_hooks_prop, property_type, system_property_type, system_internal_property_type;
#line 23
#line 23
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 23
#line 23
neverallow { domain -coredomain } init_perf_lsm_hooks_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 23
#line 23
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 23
#line 23
#line 24
#line 24
type init_service_status_private_prop, property_type, system_property_type, system_internal_property_type;
#line 24
#line 24
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 24
#line 24
neverallow { domain -coredomain } init_service_status_private_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 24
#line 24
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 24
#line 24
#line 25
#line 25
type init_storage_prop, property_type, system_property_type, system_internal_property_type;
#line 25
#line 25
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 25
#line 25
neverallow { domain -coredomain } init_storage_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 25
#line 25
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 25
#line 25
#line 26
#line 26
type init_svc_debug_prop, property_type, system_property_type, system_internal_property_type;
#line 26
#line 26
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 26
#line 26
neverallow { domain -coredomain } init_svc_debug_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 26
#line 26
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 26
#line 26
#line 27
#line 27
type keystore_crash_prop, property_type, system_property_type, system_internal_property_type;
#line 27
#line 27
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 27
#line 27
neverallow { domain -coredomain } keystore_crash_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 27
#line 27
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 27
#line 27
#line 28
#line 28
type keystore_listen_prop, property_type, system_property_type, system_internal_property_type;
#line 28
#line 28
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 28
#line 28
neverallow { domain -coredomain } keystore_listen_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 28
#line 28
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 28
#line 28
#line 29
#line 29
type last_boot_reason_prop, property_type, system_property_type, system_internal_property_type;
#line 29
#line 29
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 29
#line 29
neverallow { domain -coredomain } last_boot_reason_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 29
#line 29
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 29
#line 29
#line 30
#line 30
type localization_prop, property_type, system_property_type, system_internal_property_type;
#line 30
#line 30
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 30
#line 30
neverallow { domain -coredomain } localization_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 30
#line 30
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 30
#line 30
#line 31
#line 31
type logd_auditrate_prop, property_type, system_property_type, system_internal_property_type;
#line 31
#line 31
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 31
#line 31
neverallow { domain -coredomain } logd_auditrate_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 31
#line 31
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 31
#line 31
#line 32
#line 32
type lower_kptr_restrict_prop, property_type, system_property_type, system_internal_property_type;
#line 32
#line 32
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 32
#line 32
neverallow { domain -coredomain } lower_kptr_restrict_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 32
#line 32
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 32
#line 32
#line 33
#line 33
type net_464xlat_fromvendor_prop, property_type, system_property_type, system_internal_property_type;
#line 33
#line 33
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 33
#line 33
neverallow { domain -coredomain } net_464xlat_fromvendor_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 33
#line 33
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 33
#line 33
#line 34
#line 34
type net_connectivity_prop, property_type, system_property_type, system_internal_property_type;
#line 34
#line 34
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 34
#line 34
neverallow { domain -coredomain } net_connectivity_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 34
#line 34
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 34
#line 34
#line 35
#line 35
type netd_stable_secret_prop, property_type, system_property_type, system_internal_property_type;
#line 35
#line 35
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 35
#line 35
neverallow { domain -coredomain } netd_stable_secret_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 35
#line 35
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 35
#line 35
#line 36
#line 36
type next_boot_prop, property_type, system_property_type, system_internal_property_type;
#line 36
#line 36
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 36
#line 36
neverallow { domain -coredomain } next_boot_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 36
#line 36
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 36
#line 36
#line 37
#line 37
type odsign_prop, property_type, system_property_type, system_internal_property_type;
#line 37
#line 37
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 37
#line 37
neverallow { domain -coredomain } odsign_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 37
#line 37
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 37
#line 37
#line 38
#line 38
type misctrl_prop, property_type, system_property_type, system_internal_property_type;
#line 38
#line 38
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 38
#line 38
neverallow { domain -coredomain } misctrl_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 38
#line 38
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 38
#line 38
#line 39
#line 39
type perf_drop_caches_prop, property_type, system_property_type, system_internal_property_type;
#line 39
#line 39
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 39
#line 39
neverallow { domain -coredomain } perf_drop_caches_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 39
#line 39
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 39
#line 39
#line 40
#line 40
type pm_prop, property_type, system_property_type, system_internal_property_type;
#line 40
#line 40
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 40
#line 40
neverallow { domain -coredomain } pm_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 40
#line 40
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 40
#line 40
#line 41
#line 41
type profcollectd_node_id_prop, property_type, system_property_type, system_internal_property_type;
#line 41
#line 41
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 41
#line 41
neverallow { domain -coredomain } profcollectd_node_id_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 41
#line 41
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 41
#line 41
#line 42
#line 42
type radio_cdma_ecm_prop, property_type, system_property_type, system_internal_property_type;
#line 42
#line 42
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 42
#line 42
neverallow { domain -coredomain } radio_cdma_ecm_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 42
#line 42
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 42
#line 42
#line 43
#line 43
type remote_prov_prop, property_type, system_property_type, system_internal_property_type;
#line 43
#line 43
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 43
#line 43
neverallow { domain -coredomain } remote_prov_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 43
#line 43
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 43
#line 43
#line 44
#line 44
type rollback_test_prop, property_type, system_property_type, system_internal_property_type;
#line 44
#line 44
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 44
#line 44
neverallow { domain -coredomain } rollback_test_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 44
#line 44
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 44
#line 44
#line 45
#line 45
type setupwizard_prop, property_type, system_property_type, system_internal_property_type;
#line 45
#line 45
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 45
#line 45
neverallow { domain -coredomain } setupwizard_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 45
#line 45
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 45
#line 45
#line 46
#line 46
type snapuserd_prop, property_type, system_property_type, system_internal_property_type;
#line 46
#line 46
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 46
#line 46
neverallow { domain -coredomain } snapuserd_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 46
#line 46
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 46
#line 46
#line 47
#line 47
type system_adbd_prop, property_type, system_property_type, system_internal_property_type;
#line 47
#line 47
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 47
#line 47
neverallow { domain -coredomain } system_adbd_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 47
#line 47
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 47
#line 47
#line 48
#line 48
type system_audio_config_prop, property_type, system_property_type, system_internal_property_type;
#line 48
#line 48
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 48
#line 48
neverallow { domain -coredomain } system_audio_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 48
#line 48
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 48
#line 48
#line 49
#line 49
type timezone_metadata_prop, property_type, system_property_type, system_internal_property_type;
#line 49
#line 49
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 49
#line 49
neverallow { domain -coredomain } timezone_metadata_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 49
#line 49
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 49
#line 49
#line 50
#line 50
type traced_perf_enabled_prop, property_type, system_property_type, system_internal_property_type;
#line 50
#line 50
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 50
#line 50
neverallow { domain -coredomain } traced_perf_enabled_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 50
#line 50
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 50
#line 50
#line 51
#line 51
type uprobestats_start_with_config_prop, property_type, system_property_type, system_internal_property_type;
#line 51
#line 51
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 51
#line 51
neverallow { domain -coredomain } uprobestats_start_with_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 51
#line 51
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 51
#line 51
#line 52
#line 52
type tuner_server_ctl_prop, property_type, system_property_type, system_internal_property_type;
#line 52
#line 52
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 52
#line 52
neverallow { domain -coredomain } tuner_server_ctl_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 52
#line 52
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 52
#line 52
#line 53
#line 53
type userspace_reboot_log_prop, property_type, system_property_type, system_internal_property_type;
#line 53
#line 53
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 53
#line 53
neverallow { domain -coredomain } userspace_reboot_log_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 53
#line 53
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 53
#line 53
#line 54
#line 54
type userspace_reboot_test_prop, property_type, system_property_type, system_internal_property_type;
#line 54
#line 54
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 54
#line 54
neverallow { domain -coredomain } userspace_reboot_test_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 54
#line 54
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 54
#line 54
#line 55
#line 55
type verity_status_prop, property_type, system_property_type, system_internal_property_type;
#line 55
#line 55
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 55
#line 55
neverallow { domain -coredomain } verity_status_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 55
#line 55
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 55
#line 55
#line 56
#line 56
type zygote_wrap_prop, property_type, system_property_type, system_internal_property_type;
#line 56
#line 56
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 56
#line 56
neverallow { domain -coredomain } zygote_wrap_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 56
#line 56
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 56
#line 56
#line 57
#line 57
type ctl_mediatranscoding_prop, property_type, system_property_type, system_internal_property_type;
#line 57
#line 57
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 57
#line 57
neverallow { domain -coredomain } ctl_mediatranscoding_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 57
#line 57
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 57
#line 57
#line 58
#line 58
type ctl_odsign_prop, property_type, system_property_type, system_internal_property_type;
#line 58
#line 58
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 58
#line 58
neverallow { domain -coredomain } ctl_odsign_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 58
#line 58
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 58
#line 58
#line 59
#line 59
type virtualizationservice_prop, property_type, system_property_type, system_internal_property_type;
#line 59
#line 59
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 59
#line 59
neverallow { domain -coredomain } virtualizationservice_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 59
#line 59
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 59
#line 59
#line 60
#line 60
type ctl_apex_load_prop, property_type, system_property_type, system_internal_property_type;
#line 60
#line 60
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 60
#line 60
neverallow { domain -coredomain } ctl_apex_load_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 60
#line 60
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 60
#line 60
#line 61
#line 61
type enable_16k_pages_prop, property_type, system_property_type, system_internal_property_type;
#line 61
#line 61
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 61
#line 61
neverallow { domain -coredomain } enable_16k_pages_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 61
#line 61
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 61
#line 61
#line 62
#line 62
type sensors_config_prop, property_type, system_property_type, system_internal_property_type;
#line 62
#line 62
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 62
#line 62
neverallow { domain -coredomain } sensors_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 62
#line 62
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 62
#line 62
#line 63
#line 63
type hypervisor_pvmfw_prop, property_type, system_property_type, system_internal_property_type;
#line 63
#line 63
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 63
#line 63
neverallow { domain -coredomain } hypervisor_pvmfw_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 63
#line 63
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 63
#line 63
#line 64
#line 64
type hypervisor_virtualizationmanager_prop, property_type, system_property_type, system_internal_property_type;
#line 64
#line 64
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 64
#line 64
neverallow { domain -coredomain } hypervisor_virtualizationmanager_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 64
#line 64
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 64
#line 64
#line 65
#line 65
type game_manager_config_prop, property_type, system_property_type, system_internal_property_type;
#line 65
#line 65
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 65
#line 65
neverallow { domain -coredomain } game_manager_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 65
#line 65
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 65
#line 65
#line 66
#line 66
type hidl_memory_prop, property_type, system_property_type, system_internal_property_type;
#line 66
#line 66
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 66
#line 66
neverallow { domain -coredomain } hidl_memory_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 66
#line 66
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 66
#line 66
#line 67
#line 67
type suspend_debug_prop, property_type, system_property_type, system_internal_property_type;
#line 67
#line 67
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 67
#line 67
neverallow { domain -coredomain } suspend_debug_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 67
#line 67
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 67
#line 67
# Properties which can't be written outside system
#
# NOTE(review): from here on the types carry system_restricted_property_type
# instead of system_internal_property_type, i.e. a weaker restriction than
# the groups above. The neverallow that accompanies each of these types is
# outside this span, so its exact permission set is not documented here.
#
#line 70
#line 70
type device_config_virtualization_framework_native_prop, property_type, system_property_type, system_restricted_property_type;
#line 70
#line 70
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 70
#line 70
neverallow { domain -coredomain } device_config_virtualization_framework_native_prop:property_service set;
#line 70
#line 70
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 70
#line 70
#line 71
#line 71
type log_file_logger_prop, property_type, system_property_type, system_restricted_property_type;
#line 71
#line 71
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 71
#line 71
neverallow { domain -coredomain } log_file_logger_prop:property_service set;
#line 71
#line 71
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 71
#line 71
#line 72
#line 72
type persist_sysui_builder_extras_prop, property_type, system_property_type, system_restricted_property_type;
#line 72
#line 72
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 72
#line 72
neverallow { domain -coredomain } persist_sysui_builder_extras_prop:property_service set;
#line 72
#line 72
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 72
#line 72
#line 73
#line 73
type persist_sysui_ranking_update_prop, property_type, system_property_type, system_restricted_property_type;
#line 73
#line 73
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 73
#line 73
neverallow { domain -coredomain } persist_sysui_ranking_update_prop:property_service set;
#line 73
#line 73
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 73
#line 73
###
### Neverallow rules
###
# Reviewer notes (comments only; the rules between the CTS markers below are
# reproduced unchanged):
# - First rule (inside the LAUNCHING_WITH_S marker): no domain may access the
#   file of a property type that carries neither system_property_type nor
#   vendor_property_type, so an unclassified property type is unreadable by
#   everyone. The repeated "-system_property_type" exclusion is redundant and
#   has no effect on the resulting set.
# - Non-coredomain (vendor) domains may not access system properties that are
#   neither system_restricted nor system_public (i.e. system_internal), and
#   may only set system_public properties.
# - Conversely, coredomain may not access vendor properties that are neither
#   vendor_restricted nor vendor_public (init and dumpstate excepted), and may
#   only set vendor_public properties (init excepted).
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 79
#line 79
#line 79
# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 79
#line 79
neverallow domain {
#line 79
property_type
#line 79
-system_property_type
#line 79
-system_property_type
#line 79
-vendor_property_type
#line 79
}:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 79
#line 79
# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
#line 79
#line 79
#line 79
neverallow { domain -coredomain } {
#line 79
system_property_type
#line 79
system_internal_property_type
#line 79
-system_restricted_property_type
#line 79
-system_public_property_type
#line 79
}:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 79
#line 79
neverallow { domain -coredomain } {
#line 79
system_property_type
#line 79
-system_public_property_type
#line 79
}:property_service set;
#line 79
#line 79
# init is in coredomain, but should be able to read/write all props.
#line 79
# dumpstate is also in coredomain, but should be able to read all props.
#line 79
neverallow { coredomain -init -dumpstate } {
#line 79
vendor_property_type
#line 79
vendor_internal_property_type
#line 79
-vendor_restricted_property_type
#line 79
-vendor_public_property_type
#line 79
}:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 79
#line 79
neverallow { coredomain -init } {
#line 79
vendor_property_type
#line 79
-vendor_public_property_type
#line 79
}:property_service set;
#line 79
#line 79
#line 79
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
#line 116
# There is no need to perform ioctl or advisory locking operations on
# property files. If this neverallow is being triggered, it is
# likely that the policy is using r_file_perms directly instead of
# the get_prop() macro.
neverallow domain property_type:file { ioctl lock };
# Legacy core_property_type: every member of the attribute that is not in the
# explicit exclusion list below is inaccessible to any domain ("*"). This
# effectively freezes the attribute's membership; the newer properties in this
# file use a dedicated type with one of the system_*_property_type attributes
# instead (see the type declarations above).
neverallow * {
core_property_type
-audio_prop
-config_prop
-cppreopt_prop
-dalvik_prop
-debuggerd_prop
-debug_prop
-dhcp_prop
-dumpstate_prop
-fingerprint_prop
-logd_prop
-net_radio_prop
-nfc_prop
-ota_prop
-pan_result_prop
-persist_debug_prop
-powerctl_prop
-radio_prop
-restorecon_prop
-shell_prop
-system_prop
-usb_prop
-vold_prop
}:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# sigstop property is only used for debugging; should only be set by su which is permissive
# for userdebug/eng
neverallow {
domain
-init
-vendor_init
} ctl_sigstop_prop:property_service set;
# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
# in the audit log
dontaudit domain {
ctl_bootanim_prop
ctl_bugreport_prop
ctl_console_prop
ctl_default_prop
ctl_dumpstate_prop
ctl_fuse_prop
ctl_mdnsd_prop
ctl_rildaemon_prop
}:property_service set;
# init_storage_prop: only init and extra_free_kbytes may set it.
neverallow {
domain
-init
-extra_free_kbytes
} init_storage_prop:property_service set;
# init_svc_debug_prop: settable only by init; readable only by init and dumpstate.
neverallow {
domain
-init
} init_svc_debug_prop:property_service set;
neverallow {
domain
-init
-dumpstate
} init_svc_debug_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# DO NOT ADD: compat risk
# misctrl_prop: readable only by init, dumpstate and misctrl; settable only by
# init and misctrl. The "DO NOT ADD" note above asks that no further domains
# be exempted from these two rules.
neverallow {
domain
-init
-dumpstate
-misctrl
} misctrl_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow {
domain
-init
-misctrl
} misctrl_prop:property_service set;
# Reviewer notes on the COMPATIBLE_PROPERTY block below (comments only; the
# rules between the CTS markers are reproduced unchanged):
# - Vendor domains (anything outside coredomain, appdomain and vendor_init)
#   may neither set nor access the legacy core / extended_core / exported
#   property types.
# - The exceptions are delegated to specific HALs and daemons: nfc_prop to
#   hal_nfc_server; radio_prop and radio_control_prop to hal_telephony_server
#   (vendor_init may additionally set radio_control_prop); bluetooth_prop and
#   exported_bluetooth_prop to bluetooth / hal_bluetooth_server (vendor_init
#   may additionally set exported_bluetooth_prop); exported_camera_prop to
#   hal_camera_server / cameraserver / vendor_init; wifi_prop to
#   hal_wifi_server / wificond; wifi_hal_prop is settable only by init,
#   dumpstate, hal_wifi_server, wificond and vendor_init.
# - The read ("Prevent properties from being read") rule covers a slightly
#   different type list than the set rule: it adds dalvik_config_prop_type and
#   systemsound_config_prop, drops the exported_* types except
#   exported3_system_prop, and additionally exempts debug_prop and logd_prop.
# - suspend_prop may be set only from coredomain and vendor_init;
#   suspend_debug_prop may be set only by init and read only by init and
#   dumpstate.
# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 204
#line 204
# Prevent properties from being set
#line 204
neverallow {
#line 204
domain
#line 204
-coredomain
#line 204
-appdomain
#line 204
-vendor_init
#line 204
} {
#line 204
core_property_type
#line 204
extended_core_property_type
#line 204
exported_config_prop
#line 204
exported_default_prop
#line 204
exported_dumpstate_prop
#line 204
exported_system_prop
#line 204
exported3_system_prop
#line 204
usb_control_prop
#line 204
-nfc_prop
#line 204
-powerctl_prop
#line 204
-radio_prop
#line 204
}:property_service set;
#line 204
#line 204
neverallow {
#line 204
domain
#line 204
-coredomain
#line 204
-appdomain
#line 204
-hal_nfc_server
#line 204
} {
#line 204
nfc_prop
#line 204
}:property_service set;
#line 204
#line 204
neverallow {
#line 204
domain
#line 204
-coredomain
#line 204
-appdomain
#line 204
-hal_telephony_server
#line 204
-vendor_init
#line 204
} {
#line 204
radio_control_prop
#line 204
}:property_service set;
#line 204
#line 204
neverallow {
#line 204
domain
#line 204
-coredomain
#line 204
-appdomain
#line 204
-hal_telephony_server
#line 204
} {
#line 204
radio_prop
#line 204
}:property_service set;
#line 204
#line 204
neverallow {
#line 204
domain
#line 204
-coredomain
#line 204
-bluetooth
#line 204
-hal_bluetooth_server
#line 204
} {
#line 204
bluetooth_prop
#line 204
}:property_service set;
#line 204
#line 204
neverallow {
#line 204
domain
#line 204
-coredomain
#line 204
-bluetooth
#line 204
-hal_bluetooth_server
#line 204
-vendor_init
#line 204
} {
#line 204
exported_bluetooth_prop
#line 204
}:property_service set;
#line 204
#line 204
neverallow {
#line 204
domain
#line 204
-coredomain
#line 204
-hal_camera_server
#line 204
-cameraserver
#line 204
-vendor_init
#line 204
} {
#line 204
exported_camera_prop
#line 204
}:property_service set;
#line 204
#line 204
neverallow {
#line 204
domain
#line 204
-coredomain
#line 204
-hal_wifi_server
#line 204
-wificond
#line 204
} {
#line 204
wifi_prop
#line 204
}:property_service set;
#line 204
#line 204
neverallow {
#line 204
domain
#line 204
-init
#line 204
-dumpstate
#line 204
-hal_wifi_server
#line 204
-wificond
#line 204
-vendor_init
#line 204
} {
#line 204
wifi_hal_prop
#line 204
}:property_service set;
#line 204
#line 204
# Prevent properties from being read
#line 204
neverallow {
#line 204
domain
#line 204
-coredomain
#line 204
-appdomain
#line 204
-vendor_init
#line 204
} {
#line 204
core_property_type
#line 204
dalvik_config_prop_type
#line 204
extended_core_property_type
#line 204
exported3_system_prop
#line 204
systemsound_config_prop
#line 204
-debug_prop
#line 204
-logd_prop
#line 204
-nfc_prop
#line 204
-powerctl_prop
#line 204
-radio_prop
#line 204
}:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 204
#line 204
neverallow {
#line 204
domain
#line 204
-coredomain
#line 204
-appdomain
#line 204
-hal_nfc_server
#line 204
} {
#line 204
nfc_prop
#line 204
}:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 204
#line 204
neverallow {
#line 204
domain
#line 204
-coredomain
#line 204
-appdomain
#line 204
-hal_telephony_server
#line 204
} {
#line 204
radio_prop
#line 204
}:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 204
#line 204
neverallow {
#line 204
domain
#line 204
-coredomain
#line 204
-bluetooth
#line 204
-hal_bluetooth_server
#line 204
} {
#line 204
bluetooth_prop
#line 204
}:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 204
#line 204
neverallow {
#line 204
domain
#line 204
-coredomain
#line 204
-hal_wifi_server
#line 204
-wificond
#line 204
} {
#line 204
wifi_prop
#line 204
}:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 204
#line 204
neverallow {
#line 204
domain
#line 204
-coredomain
#line 204
-vendor_init
#line 204
} {
#line 204
suspend_prop
#line 204
}:property_service set;
#line 204
#line 204
neverallow {
#line 204
domain
#line 204
-init
#line 204
} {
#line 204
suspend_debug_prop
#line 204
}:property_service set;
#line 204
#line 204
neverallow {
#line 204
domain
#line 204
-init
#line 204
-dumpstate
#line 204
#line 204
} {
#line 204
suspend_debug_prop
#line 204
}:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 204
#line 204
# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 380
# system_suspend is not among the domains allowed to read suspend_debug_prop
# (only init and dumpstate are exempted from the neverallow above), so this
# dontaudit only keeps the resulting denials out of the audit log; it grants
# nothing.
dontaudit system_suspend suspend_debug_prop:file { getattr open read ioctl lock map watch watch_reads };
# Reviewer note (comment only; the rules between the CTS markers are
# unchanged): coredomain may not set any property type that is neither
# system_property_type nor extended_core_property_type, i.e. vendor-owned
# properties. init and the members of
# system_writes_vendor_properties_violators are exempt; judging by its name,
# that attribute is the escape hatch for known violations, so every addition
# to it widens the system/vendor property boundary.
# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 384
#line 384
# Neverallow coredomain to set vendor properties
#line 384
neverallow {
#line 384
coredomain
#line 384
-init
#line 384
-system_writes_vendor_properties_violators
#line 384
} {
#line 384
property_type
#line 384
-system_property_type
#line 384
-extended_core_property_type
#line 384
}:property_service set;
#line 384
#line 384
# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
#line 395
# Per-property owner restrictions. Each rule names the only domains allowed to
# set (property_service set) or access (file) a given property type; every
# other domain is denied.
# ffs_config_prop / ffs_control_prop: accessible only from coredomain and
# vendor_init.
neverallow {
domain
-coredomain
-vendor_init
} {
ffs_config_prop
ffs_control_prop
}:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow {
domain
-init
-system_server
} {
userspace_reboot_log_prop
}:property_service set;
neverallow {
# Only allow init and system_server to set system_adbd_prop
domain
-init
-system_server
} {
system_adbd_prop
}:property_service set;
# Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
neverallow {
domain
-init
-vendor_init
-adbd
-system_server
} {
adbd_config_prop
}:property_service set;
neverallow {
# Only allow init and adbd to set adbd_prop
domain
-init
-adbd
} {
adbd_prop
}:property_service set;
neverallow {
# Only allow init to set apexd_payload_metadata_prop
domain
-init
} {
apexd_payload_metadata_prop
}:property_service set;
neverallow {
# Only allow init and shell to set userspace_reboot_test_prop
domain
-init
-shell
} {
userspace_reboot_test_prop
}:property_service set;
neverallow {
domain
-init
-system_server
-vendor_init
} {
surfaceflinger_color_prop
}:property_service set;
neverallow {
domain
-init
} {
libc_debug_prop
}:property_service set;
# Allow the shell to set MTE & GWP-ASan props, so that non-root users with adb
# shell access can control the settings on their device. Allow system apps to
# set MTE props, so Developer Options can set them.
neverallow {
domain
-init
-shell
-system_app
-system_server
-mtectrl
} {
arm64_memtag_prop
gwp_asan_prop
}:property_service set;
neverallow {
domain
-init
-system_server
-vendor_init
} zram_control_prop:property_service set;
neverallow {
domain
-init
-system_server
-vendor_init
} dalvik_runtime_prop:property_service set;
neverallow {
domain
-coredomain
-vendor_init
} {
usb_config_prop
usb_control_prop
}:property_service set;
# provisioned_prop / retaildemo_prop: set only by init and system_server;
# readable only from coredomain and vendor_init.
neverallow {
domain
-init
-system_server
} {
provisioned_prop
retaildemo_prop
}:property_service set;
neverallow {
domain
-coredomain
-vendor_init
} {
provisioned_prop
retaildemo_prop
}:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow {
domain
-init
} {
init_service_status_private_prop
init_service_status_prop
}:property_service set;
neverallow {
domain
-init
-radio
-appdomain
-hal_telephony_server
-vendor_init
} telephony_status_prop:property_service set;
neverallow {
domain
-init
-vendor_init
} {
graphics_config_prop
}:property_service set;
neverallow {
domain
-init
-surfaceflinger
} {
surfaceflinger_display_prop
}:property_service set;
neverallow {
domain
-coredomain
-appdomain
-vendor_init
} packagemanager_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow {
domain
-coredomain
-vendor_init
} keyguard_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow {
domain
-init
} {
localization_prop
}:property_service set;
# oem_unlock_prop: accessible only to init, vendor_init, dumpstate and
# system_app.
neverallow {
domain
-init
-vendor_init
-dumpstate
-system_app
} oem_unlock_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow {
domain
-coredomain
-vendor_init
} storagemanager_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow {
domain
-init
-vendor_init
-dumpstate
-appdomain
} sendbug_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow {
domain
-init
-vendor_init
-dumpstate
-appdomain
} camera_calibration_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow {
domain
-init
-dumpstate
-hal_dumpstate_server
-vendor_init
} hal_dumpstate_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow {
domain
-init
} {
lower_kptr_restrict_prop
}:property_service set;
neverallow {
domain
-init
} zygote_wrap_prop:property_service set;
neverallow {
domain
-init
} verity_status_prop:property_service set;
neverallow {
domain
-init
-vendor_init
} setupwizard_mode_prop:property_service set;
neverallow {
domain
-init
} setupwizard_prop:property_service set;
# ro.product.property_source_order is useless after initialization of ro.product.* props.
# So making it accessible only from init and vendor_init.
neverallow {
domain
-init
-dumpstate
-vendor_init
} build_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow {
domain
-init
-shell
} sqlite_log_prop:property_service set;
neverallow {
domain
-coredomain
-appdomain
} sqlite_log_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow {
domain
-init
} default_prop:property_service set;
# Only one of system_property_type and vendor_property_type can be assigned.
# Property types having both attributes won't be accessible from anywhere.
# Note the wildcard permission set: every file and property_service permission
# is denied, not only the read/write subsets used by the other rules here.
neverallow domain system_and_vendor_property_type:{file property_service} *;
neverallow {
domain
-init
-shell
-rkpdapp
} remote_prov_prop:property_service set;
neverallow {
# Only allow init and shell to set rollback_test_prop
domain
-init
-shell
} rollback_test_prop:property_service set;
neverallow {
domain
-init
-apexd
} ctl_apex_load_prop:property_service set;
# NOTE(review): init, dumpstate and apexd are presumably already members of
# coredomain, which would make the three extra exclusions redundant (but
# harmless) — confirm against the domain declarations.
neverallow {
domain
-coredomain
-init
-dumpstate
-apexd
} ctl_apex_load_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow {
domain
-init
-apexd
} apex_ready_prop:property_service set;
neverallow {
domain
-coredomain
-dumpstate
-apexd
-vendor_init
} apex_ready_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Unlike the other access rules in this section, this one uses the
# read-permission set (getattr ... map), so it additionally denies getattr and
# map but does not cover the write-class permissions.
neverallow {
# Only allow init and profcollectd to access profcollectd_node_id_prop
domain
-init
-dumpstate
-profcollectd
} profcollectd_node_id_prop:file { getattr open read ioctl lock map watch watch_reads };
neverallow {
domain
-init
} log_file_logger_prop:property_service set;
neverallow {
domain
-init
-vendor_init
} usb_uvc_enabled_prop:property_service set;
# Disallow non system apps from reading ro.usb.uvc.enabled
# Scoped to appdomain rather than domain: non-app domains are not restricted by
# this rule.
neverallow {
appdomain
-system_app
-device_as_webcam
} usb_uvc_enabled_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow {
domain
-init
-vendor_init
} pm_archiving_enabled_prop:property_service set;
#line 1 "system/sepolicy/private/radio.te"
# radio: a coredomain app domain. The "#line 3" run below is a macro
# expansion that performs the standard app-domain setup (tmpfs labeling,
# userfaultfd anon_inode, app isolation and ptrace restrictions).
typeattribute radio coredomain, mlstrustedsubject;
#line 3
typeattribute radio appdomain;
#line 3
# Label tmpfs objects for all apps.
#line 3
type_transition radio tmpfs:file appdomain_tmpfs;
#line 3
#line 3
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 3
type radio_userfaultfd;
#line 3
type_transition radio radio:anon_inode radio_userfaultfd "[userfaultfd]";
#line 3
# Allow domain to create/use userfaultfd anon_inode.
#line 3
allow radio radio_userfaultfd:anon_inode { create ioctl read };
#line 3
# Suppress errors generated during bugreport
#line 3
dontaudit su radio_userfaultfd:anon_inode *;
#line 3
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 3
neverallow { domain -radio } radio_userfaultfd:anon_inode *;
#line 3
#line 3
allow radio appdomain_tmpfs:file { execute getattr map read write };
#line 3
# App isolation: radio may not access files labelled with another domain's
# type (presumably the per-process /proc entries), and other app domains may
# not access radio's; runas_app, shell and simpleperf are exempted.
#line 3
neverallow { radio -runas_app -shell -simpleperf } { domain -radio }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 3
neverallow { appdomain -runas_app -shell -simpleperf -radio } radio:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 3
# The Android security model guarantees the confidentiality and integrity
#line 3
# of application data and execution state. Ptrace bypasses those
#line 3
# confidentiality guarantees. Disallow ptrace access from system components to
#line 3
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 3
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 3
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 3
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 3
# live lock conditions.
#line 3
neverallow { domain -radio -crash_dump -runas_app -simpleperf } radio:process ptrace;
#line 3
#line 5
allow radio runtime_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads };
#line 5
# Property service
# Each "#line N" group below appears to be one expanded set_prop() call: the
# repeated property_socket / init connectto allows are the plumbing needed to
# talk to init's property service, followed by the set and read rules for the
# named property type.
#line 8
#line 8
allow radio property_socket:sock_file write;
#line 8
allow radio init:unix_stream_socket connectto;
#line 8
#line 8
allow radio radio_control_prop:property_service set;
#line 8
#line 8
allow radio radio_control_prop:file { getattr open read map };
#line 8
#line 8
#line 9
#line 9
allow radio property_socket:sock_file write;
#line 9
allow radio init:unix_stream_socket connectto;
#line 9
#line 9
allow radio radio_prop:property_service set;
#line 9
#line 9
allow radio radio_prop:file { getattr open read map };
#line 9
#line 9
#line 10
#line 10
allow radio property_socket:sock_file write;
#line 10
allow radio init:unix_stream_socket connectto;
#line 10
#line 10
allow radio net_radio_prop:property_service set;
#line 10
#line 10
allow radio net_radio_prop:file { getattr open read map };
#line 10
#line 10
#line 11
#line 11
allow radio property_socket:sock_file write;
#line 11
allow radio init:unix_stream_socket connectto;
#line 11
#line 11
allow radio telephony_status_prop:property_service set;
#line 11
#line 11
allow radio telephony_status_prop:file { getattr open read map };
#line 11
#line 11
#line 12
#line 12
allow radio property_socket:sock_file write;
#line 12
allow radio init:unix_stream_socket connectto;
#line 12
#line 12
allow radio radio_cdma_ecm_prop:property_service set;
#line 12
#line 12
allow radio radio_cdma_ecm_prop:file { getattr open read map };
#line 12
#line 12
# ctl interface
#line 15
#line 15
allow radio property_socket:sock_file write;
#line 15
allow radio init:unix_stream_socket connectto;
#line 15
#line 15
allow radio ctl_rildaemon_prop:property_service set;
#line 15
#line 15
allow radio ctl_rildaemon_prop:file { getattr open read map };
#line 15
#line 15
# Telephony code contains time / time zone detection logic so it reads the associated properties.
#line 18
allow radio time_prop:file { getattr open read map };
#line 18
# allow telephony to access platform compat to log permission denials
allow radio platform_compat_service:service_manager find;
allow radio uce_service:service_manager find;
# Manage /data/misc/emergencynumberdb
allow radio emergency_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow radio emergency_data_file:file { getattr open read ioctl lock map watch watch_reads };
# allow telephony to access related cache properties
#line 30
#line 30
allow radio property_socket:sock_file write;
#line 30
allow radio init:unix_stream_socket connectto;
#line 30
#line 30
allow radio binder_cache_telephony_server_prop:property_service set;
#line 30
#line 30
allow radio binder_cache_telephony_server_prop:file { getattr open read map };
#line 30
#line 30
# NOTE(review): the lone ';' below is carried over from the source file; the
# build accepted it, so it appears to be inert.
;
# Only radio and init may set the telephony binder cache property.
neverallow { domain -radio -init }
binder_cache_telephony_server_prop:property_service set;
# allow sending pulled atoms to statsd
#line 35
# Call the server domain and optionally transfer references to it.
#line 35
allow radio statsd:binder { call transfer };
#line 35
# Allow the serverdomain to transfer references to the client on the reply.
#line 35
allow statsd radio:binder transfer;
#line 35
# Receive and use open files from the server.
#line 35
allow radio statsd:fd use;
#line 35
#line 1 "system/sepolicy/private/recovery.te"
typeattribute recovery coredomain;
# The allow rules are only included in the recovery policy.
# Otherwise recovery is only allowed the domain rules.
# The jump from line 3 to "#line 50" indicates that, in this (non-recovery)
# build, the recovery-only rules were compiled out.
#line 50
#line 1 "system/sepolicy/private/recovery_persist.te"
# recovery_persist: a coredomain service started by init through the domain
# transition expanded below; the closing neverallow confines its writes to
# recovery_data_file.
typeattribute recovery_persist coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init recovery_persist_exec:file { getattr open read execute map };
#line 3
allow init recovery_persist:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow recovery_persist recovery_persist_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# NOTE(review): no rule follows the SIGCHLD comment in this expansion;
# presumably the sigchld permission is granted elsewhere (e.g. domain-wide) —
# confirm.
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init recovery_persist:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init recovery_persist:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init recovery_persist_exec:process recovery_persist;
#line 3
#line 3
# recovery_persist is not allowed to write anywhere other than recovery_data_file
neverallow recovery_persist {
file_type
-recovery_data_file
}:file write;
#line 1 "system/sepolicy/private/recovery_refresh.te"
# recovery_refresh: a coredomain service started by init through the domain
# transition expanded below; the closing neverallow denies it write access to
# every file_type, i.e. it may not write any file at all.
typeattribute recovery_refresh coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init recovery_refresh_exec:file { getattr open read execute map };
#line 3
allow init recovery_refresh:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow recovery_refresh recovery_refresh_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# NOTE(review): no rule follows the SIGCHLD comment in this expansion;
# presumably the sigchld permission is granted elsewhere (e.g. domain-wide) —
# confirm.
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init recovery_refresh:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init recovery_refresh:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init recovery_refresh_exec:process recovery_refresh;
#line 3
#line 3
# recovery_refresh is not allowed to write anywhere
neverallow recovery_refresh {
file_type
}:file write;
#line 1 "system/sepolicy/private/remount.te"
# remount: only the type declarations survive in this build; the jump to
# "#line 25" indicates that the remaining rules of the source file were
# compiled out (presumably build-variant conditional — confirm).
type remount, domain, coredomain;
type remount_exec, system_file_type, exec_type, file_type;
#line 25
#line 1 "system/sepolicy/private/rkpd.te"
# Policies for Remote Key Provisioning Daemon (rkpd)
# rkpd is a coredomain binder service started by init. It publishes
# rkpd_registrar_service and rkpd_refresh_service, and the neverallows below
# make it the only domain that may register them. It reads the
# device_config_remote_key_provisioning_native_prop property.
type rkpd, domain;
type rkpd_exec, system_file_type, exec_type, file_type;
typeattribute rkpd coredomain;
#line 7
# Call the servicemanager and transfer references to it.
#line 7
allow rkpd servicemanager:binder { call transfer };
#line 7
# Allow servicemanager to send out callbacks
#line 7
allow servicemanager rkpd:binder { call transfer };
#line 7
# servicemanager performs getpidcon on clients.
#line 7
allow servicemanager rkpd:dir search;
#line 7
allow servicemanager rkpd:file { read open };
#line 7
allow servicemanager rkpd:process getattr;
#line 7
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 7
# all domains in domain.te.
#line 7
#line 8
typeattribute rkpd binderservicedomain;
#line 8
#line 10
#line 10
# Allow the necessary permissions.
#line 10
#line 10
# Old domain may exec the file and transition to the new domain.
#line 10
allow init rkpd_exec:file { getattr open read execute map };
#line 10
allow init rkpd:process transition;
#line 10
# New domain is entered by executing the file.
#line 10
allow rkpd rkpd_exec:file { entrypoint open read execute getattr map };
#line 10
# New domain can send SIGCHLD to its caller.
#line 10
#line 10
# NOTE(review): no rule follows the SIGCHLD comment in this expansion;
# presumably the sigchld permission is granted elsewhere (e.g. domain-wide) —
# confirm.
# Enable AT_SECURE, i.e. libc secure mode.
#line 10
dontaudit init rkpd:process noatsecure;
#line 10
# XXX dontaudit candidate but requires further study.
#line 10
allow init rkpd:process { siginh rlimitinh };
#line 10
#line 10
# Make the transition occur by default.
#line 10
type_transition init rkpd_exec:process rkpd;
#line 10
#line 10
#line 12
allow rkpd rkpd_registrar_service:service_manager { add find };
#line 12
neverallow { domain -rkpd } rkpd_registrar_service:service_manager add;
#line 12
#line 12
# On debug builds with root, allow binder services to use binder over TCP.
#line 12
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 12
# NOTE(review): no rule follows the binder-over-TCP comment in this build;
# presumably the debug-only rule was compiled out — confirm.
#line 12
#line 13
allow rkpd rkpd_refresh_service:service_manager { add find };
#line 13
neverallow { domain -rkpd } rkpd_refresh_service:service_manager add;
#line 13
#line 13
# On debug builds with root, allow binder services to use binder over TCP.
#line 13
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 13
#line 13
#line 15
allow rkpd device_config_remote_key_provisioning_native_prop:file { getattr open read map };
#line 15
#line 1 "system/sepolicy/private/rkpd_app.te"
###
### A domain for sandboxing the remote key provisioning daemon
### app that is shipped via mainline.
###
# rkpdapp is a platform (coredomain) app domain. The rules between here and
# the ptrace neverallow are the same per-app boilerplate that every app
# domain in this file carries (tmpfs labelling, userfaultfd isolation,
# cross-domain file confidentiality, ptrace restriction).
typeattribute rkpdapp coredomain;
#line 7
typeattribute rkpdapp appdomain;
#line 7
# Label tmpfs objects for all apps.
#line 7
type_transition rkpdapp tmpfs:file appdomain_tmpfs;
#line 7
#line 7
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 7
type rkpdapp_userfaultfd;
#line 7
type_transition rkpdapp rkpdapp:anon_inode rkpdapp_userfaultfd "[userfaultfd]";
#line 7
# Allow domain to create/use userfaultfd anon_inode.
#line 7
allow rkpdapp rkpdapp_userfaultfd:anon_inode { create ioctl read };
#line 7
# Suppress errors generated during bugreport
#line 7
dontaudit su rkpdapp_userfaultfd:anon_inode *;
#line 7
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 7
neverallow { domain -rkpdapp } rkpdapp_userfaultfd:anon_inode *;
#line 7
#line 7
allow rkpdapp appdomain_tmpfs:file { execute getattr map read write };
#line 7
# Confidentiality in both directions: rkpdapp may not open, read or write
# files labelled with any other domain's type, and no other app domain
# (other than the debugging helpers excluded here) may touch rkpdapp-labelled
# files. The exclusions for runas_app, shell and simpleperf are the standard
# debugging carve-outs used by every app domain in this file.
#line 7
neverallow { rkpdapp -runas_app -shell -simpleperf } { domain -rkpdapp }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 7
neverallow { appdomain -runas_app -shell -simpleperf -rkpdapp } rkpdapp:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 7
# The Android security model guarantees the confidentiality and integrity
#line 7
# of application data and execution state. Ptrace bypasses those
#line 7
# confidentiality guarantees. Disallow ptrace access from system components to
#line 7
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 7
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 7
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 7
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 7
# live lock conditions.
#line 7
neverallow { domain -rkpdapp -crash_dump -runas_app -simpleperf } rkpdapp:process ptrace;
#line 7
#line 8
# Network access; presumably for reaching the remote provisioning backend.
typeattribute rkpdapp netdomain;
#line 8
# RKPD needs to be able to call the remote provisioning HALs
#line 11
typeattribute rkpdapp halclientdomain;
#line 11
typeattribute rkpdapp hal_keymint_client;
#line 11
#line 11
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 11
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 11
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 11
#line 11
# Passthrough support: rkpdapp carries the server-side hal_keymint attribute
# itself, so every rule written for hal_keymint (including the system_file /
# vendor_file lookups just below) also applies to this app domain. This is
# broader than a pure binder client and is the reason for the TODO above.
typeattribute rkpdapp hal_keymint;
#line 11
# Find passthrough HAL implementations
#line 11
allow hal_keymint system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 11
allow hal_keymint vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 11
allow hal_keymint vendor_file:file { read open getattr execute map };
#line 11
#line 11
#line 12
typeattribute rkpdapp halclientdomain;
#line 12
typeattribute rkpdapp hal_remotelyprovisionedcomponent_avf_client;
#line 12
#line 12
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 12
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 12
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 12
#line 12
# Same passthrough pattern as for hal_keymint above: the client domain also
# gets the server attribute, and with it the vendor_file execute/map access.
typeattribute rkpdapp hal_remotelyprovisionedcomponent_avf;
#line 12
# Find passthrough HAL implementations
#line 12
allow hal_remotelyprovisionedcomponent_avf system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow hal_remotelyprovisionedcomponent_avf vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 12
allow hal_remotelyprovisionedcomponent_avf vendor_file:file { read open getattr execute map };
#line 12
#line 12
# Grant access to certain system properties related to RKP
#line 15
# Read-only: the device_config property is only getattr/open/read/map, not set.
allow rkpdapp device_config_remote_key_provisioning_native_prop:file { getattr open read map };
#line 15
#line 16
#line 16
# Property-set path: writing to the property socket and connecting to init's
# stream socket is how a process asks init to set a property. The set
# permission itself is limited to remote_prov_prop below, so this does not
# let rkpdapp set arbitrary properties.
allow rkpdapp property_socket:sock_file write;
#line 16
allow rkpdapp init:unix_stream_socket connectto;
#line 16
#line 16
allow rkpdapp remote_prov_prop:property_service set;
#line 16
#line 16
allow rkpdapp remote_prov_prop:file { getattr open read map };
#line 16
#line 16
# Grant access to the normal services that are available to all apps
allow rkpdapp app_api_service:service_manager find;
# Grant access to media.metrics service, needed for widevine. This
# access is granted to all other apps already (e.g. untrusted_app_all).
allow rkpdapp mediametrics_service:service_manager find;
# Grant access to statsd
allow rkpdapp statsmanager_service:service_manager find;
#line 27
# Call the server domain and optionally transfer references to it.
#line 27
allow rkpdapp statsd:binder { call transfer };
#line 27
# Allow the serverdomain to transfer references to the client on the reply.
#line 27
allow statsd rkpdapp:binder transfer;
#line 27
# Receive and use open files from the server.
#line 27
allow rkpdapp statsd:fd use;
#line 27
#line 1 "system/sepolicy/private/rs.te"
# renderscript (rs) domain. It works on app data on behalf of an app, so the
# allow rules below are scoped to app data and vendor/apk read access, and
# the neverallow rules at the bottom pin down how the domain can be entered,
# that it holds no capabilities, and that it cannot modify app data or use
# the network.
# Any files which would have been created as app_data_file and
# privapp_data_file will be created as app_exec_data_file instead.
allow rs { app_data_file privapp_data_file }:dir { { open getattr read search ioctl lock watch watch_reads } add_name write };
allow rs app_exec_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# The type_transitions keep rs-created files distinguishable from ordinary
# app data: rs gets create/write on app_exec_data_file only, never on
# app_data_file / privapp_data_file themselves (see the neverallow below).
type_transition rs app_data_file:file app_exec_data_file;
type_transition rs privapp_data_file:file app_exec_data_file;
# Follow /data/user/0 symlink
allow rs system_data_file:lnk_file read;
# Read files from the app home directory.
allow rs { app_data_file privapp_data_file }:file { getattr open read ioctl lock map watch watch_reads };
allow rs { app_data_file privapp_data_file }:dir { open getattr read search ioctl lock watch watch_reads };
# Cleanup app_exec_data_file files in the app home directory.
allow rs { app_data_file privapp_data_file }:dir remove_name;
# Use vendor resources
allow rs vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 20
allow rs vendor_overlay_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 20
allow rs vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 20
#line 21
allow rs vendor_app_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 21
allow rs vendor_app_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 21
# Vendor overlay can be found in vendor apex
allow rs vendor_apex_metadata_file:dir { getattr search };
# Read contents of app apks
#line 26
allow rs apk_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 26
allow rs apk_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 26
# Device access: gpu_device is read/write, ion_device read-only. Note that
# sdk_sandbox_all (later in this file) explicitly neverallows execute on
# gpu_device; rs is not granted execute here either.
allow rs gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow rs ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow rs same_process_hal_file:file { { getattr open read ioctl lock map watch watch_reads } execute };
# File descriptors passed from app to renderscript
allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
# See b/291211299. Since rs is deprecated, this shouldn't be too dangerous, since new
# renderscript usages shouldn't be popping up.
# dontaudit only silences the denial; these fd uses stay denied.
dontaudit rs { zygote surfaceflinger hal_graphics_allocator }:fd use;
# rs can access app data, so ensure it can only be entered via an app domain and cannot have
# CAP_DAC_OVERRIDE.
# The first rule is wider than the comment: it forbids every capability in
# all four capability classes, not just CAP_DAC_OVERRIDE.
neverallow rs rs:{ capability capability2 cap_userns cap2_userns } *;
# Only app domains may transition into rs, and rs may only transition out to
# crash_dump (needed for crash handling).
neverallow { domain -appdomain } rs:process { dyntransition transition };
neverallow rs { domain -crash_dump }:process { dyntransition transition };
# Read-only on all app data types: everything beyond the read-style
# permission set is forbidden for device nodes, regular files, symlinks,
# sockets and fifos labelled with any app_data_file_type.
neverallow rs app_data_file_type:{ { chr_file blk_file } { file lnk_file sock_file fifo_file } } ~{ getattr open read ioctl lock map watch watch_reads };
# rs should never use network sockets
neverallow rs *:{ icmp_socket rawip_socket tcp_socket udp_socket } *;
#line 1 "system/sepolicy/private/rss_hwm_reset.te"
# rss_hwm_reset: a short-lived daemon started by init that resets the RSS
# high-water mark of other processes by writing to their /proc/<pid>/clear_refs.
type rss_hwm_reset_exec, system_file_type, exec_type, file_type;
# Start rss_hwm_reset from init.
#line 4
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init rss_hwm_reset_exec:file { getattr open read execute map };
#line 4
allow init rss_hwm_reset:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow rss_hwm_reset rss_hwm_reset_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init rss_hwm_reset:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init rss_hwm_reset:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition init rss_hwm_reset_exec:process rss_hwm_reset;
#line 4
#line 4
# Search /proc/pid directories.
allow rss_hwm_reset domain:dir search;
# Write to /proc/pid/clear_refs of other processes.
# /proc/pid/clear_refs is S_IWUSER, see: fs/proc/base.c
# Capability grant: CAP_DAC_OVERRIDE is needed because clear_refs is
# owner-writable only. It is the single capability granted to this domain.
allow rss_hwm_reset self:{ capability cap_userns } { dac_override };
# Write to /proc/pid/clear_refs.
# Because /proc/<pid> entries are labelled with the owning process's domain,
# "domain:file" here reaches every process. Only write-side permissions are
# granted (open append write lock map); there is no read, so this cannot be
# used to read other processes' /proc files.
allow rss_hwm_reset domain:file { open append write lock map };
#line 1 "system/sepolicy/private/runas.te"
# runas: the run-as helper. This section only wires the exec transition
# shell -> runas; the per-app debugging rules live in runas_app.te below.
typeattribute runas coredomain;
# ndk-gdb invokes adb shell run-as.
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow shell runas_exec:file { getattr open read execute map };
#line 4
allow shell runas:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow runas runas_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
allow runas shell:process sigchld;
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit shell runas:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow shell runas:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition shell runas_exec:process runas;
#line 4
#line 1 "system/sepolicy/private/runas_app.te"
# runas_app: the domain a debuggable app's process runs in under "run-as".
# It is an untrusted app domain (see untrusted_app_all below) plus the
# debugging access needed by lldb/ndk-gdb/simpleperf.
typeattribute runas_app coredomain;
#line 3
typeattribute runas_app appdomain;
#line 3
# Label tmpfs objects for all apps.
#line 3
type_transition runas_app tmpfs:file appdomain_tmpfs;
#line 3
#line 3
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 3
type runas_app_userfaultfd;
#line 3
type_transition runas_app runas_app:anon_inode runas_app_userfaultfd "[userfaultfd]";
#line 3
# Allow domain to create/use userfaultfd anon_inode.
#line 3
allow runas_app runas_app_userfaultfd:anon_inode { create ioctl read };
#line 3
# Suppress errors generated during bugreport
#line 3
dontaudit su runas_app_userfaultfd:anon_inode *;
#line 3
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 3
neverallow { domain -runas_app } runas_app_userfaultfd:anon_inode *;
#line 3
#line 3
allow runas_app appdomain_tmpfs:file { execute getattr map read write };
#line 3
# NOTE: the source set "{ runas_app -runas_app ... }" is empty, so this
# cross-domain file neverallow imposes nothing on runas_app. That is what
# makes the read access to untrusted_app_all files further down possible;
# the same self-exclusion appears in the ptrace rule below.
#line 3
neverallow { runas_app -runas_app -shell -simpleperf } { domain -runas_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 3
neverallow { appdomain -runas_app -shell -simpleperf -runas_app } runas_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 3
# The Android security model guarantees the confidentiality and integrity
#line 3
# of application data and execution state. Ptrace bypasses those
#line 3
# confidentiality guarantees. Disallow ptrace access from system components to
#line 3
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 3
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 3
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 3
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 3
# live lock conditions.
#line 3
neverallow { domain -runas_app -crash_dump -runas_app -simpleperf } runas_app:process ptrace;
#line 3
#line 4
# Inherits every rule written for untrusted_app_all, i.e. the target app's
# own policy, so run-as does not widen what the app itself could do.
typeattribute runas_app untrusted_app_all;
#line 4
#line 5
typeattribute runas_app netdomain;
#line 5
#line 6
typeattribute runas_app bluetoothdomain;
#line 6
# The ability to call exec() on files in the apps home directories
# when using run-as on a debuggable app. Used to run lldb/ndk-gdb/simpleperf,
# which are copied to the apps home directories.
# execute_no_trans: the tool runs inside runas_app, no domain change.
allow runas_app app_data_file:file execute_no_trans;
# Allow lldb/ndk-gdb/simpleperf to read maps of debuggable app processes.
#line 14
allow runas_app untrusted_app_all:dir { open getattr read search ioctl lock watch watch_reads };
#line 14
allow runas_app untrusted_app_all:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 14
# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
# Note the target is the whole untrusted_app_all attribute; the restriction
# to debuggable apps is enforced by run-as itself, not by this rule.
allow runas_app untrusted_app_all:process { ptrace sigkill signal sigstop };
allow runas_app untrusted_app_all:unix_stream_socket connectto;
# Allow executing system image simpleperf without a domain transition.
allow runas_app simpleperf_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Suppress denial logspam when simpleperf is trying to find a matching process
# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
# the same domain as their respective process, most of which this domain is not
# allowed to see.
dontaudit runas_app domain:dir search;
# Allow runas_app to call perf_event_open for profiling debuggable app
# processes, but not the whole system.
# The allow/neverallow pair pins perf_event to exactly these four
# permissions on self; in particular "cpu" (system-wide profiling) is excluded.
allow runas_app self:perf_event { open read write kernel };
neverallow runas_app self:perf_event ~{ open read write kernel };
# Suppress bionic loader denial /data/local/tests directories.
dontaudit runas_app shell_test_data_file:dir search;
#line 1 "system/sepolicy/private/sdcardd.te"
typeattribute sdcardd coredomain;
# Files and directories sdcardd creates under system_data_file get the
# media_rw_data_file label instead of inheriting system_data_file.
type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
#line 1 "system/sepolicy/private/sdk_sandbox_34.te"
###
### SDK Sandbox process.
###
### This file defines the security policy for the sdk sandbox processes
### for targetSdkVersion=34.
# Besides the per-app boilerplate below, this domain gets its rules through
# the sdk_sandbox_all attribute (sdk_sandbox_all.te) and the
# sdk_sandbox_current attribute (sdk_sandbox_current.te) declared here.
type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
#line 8
typeattribute sdk_sandbox_34 netdomain;
#line 8
#line 9
typeattribute sdk_sandbox_34 appdomain;
#line 9
# Label tmpfs objects for all apps.
#line 9
type_transition sdk_sandbox_34 tmpfs:file appdomain_tmpfs;
#line 9
#line 9
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 9
type sdk_sandbox_34_userfaultfd;
#line 9
type_transition sdk_sandbox_34 sdk_sandbox_34:anon_inode sdk_sandbox_34_userfaultfd "[userfaultfd]";
#line 9
# Allow domain to create/use userfaultfd anon_inode.
#line 9
allow sdk_sandbox_34 sdk_sandbox_34_userfaultfd:anon_inode { create ioctl read };
#line 9
# Suppress errors generated during bugreport
#line 9
dontaudit su sdk_sandbox_34_userfaultfd:anon_inode *;
#line 9
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 9
neverallow { domain -sdk_sandbox_34 } sdk_sandbox_34_userfaultfd:anon_inode *;
#line 9
#line 9
allow sdk_sandbox_34 appdomain_tmpfs:file { execute getattr map read write };
#line 9
# Cross-domain file confidentiality, in both directions (same pattern as the
# other app domains in this file).
#line 9
neverallow { sdk_sandbox_34 -runas_app -shell -simpleperf } { domain -sdk_sandbox_34 }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 9
neverallow { appdomain -runas_app -shell -simpleperf -sdk_sandbox_34 } sdk_sandbox_34:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 9
# The Android security model guarantees the confidentiality and integrity
#line 9
# of application data and execution state. Ptrace bypasses those
#line 9
# confidentiality guarantees. Disallow ptrace access from system components to
#line 9
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 9
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 9
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 9
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 9
# live lock conditions.
#line 9
neverallow { domain -sdk_sandbox_34 -crash_dump -runas_app -simpleperf } sdk_sandbox_34:process ptrace;
#line 9
#line 1 "system/sepolicy/private/sdk_sandbox_all.te"
###
### sdk_sandbox_all
###
### This file defines the rules shared by all sdk_sandbox_all domains.
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
### directory). The sdk_sandbox_all attribute is assigned to all default
### seapp_contexts for any app with UID between FIRST_SDK_SANDBOX_UID (20000)
### and LAST_SDK_SANDBOX_UID (29999) if the app has no specific seinfo
### value as determined from mac_permissions.xml.
# Run the system linker without a domain transition.
allow sdk_sandbox_all system_linker_exec:file execute_no_trans;
# Required to read CTS tests data from the shell_data_file location.
allow sdk_sandbox_all shell_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow sdk_sandbox_all shell_data_file:dir { open getattr read search ioctl lock watch watch_reads };
# allow sdk sandbox to use UDP sockets provided by the system server but not
# modify them other than to connect
# Deliberately no create/bind/listen: the sandbox can only use sockets it
# has been handed.
allow sdk_sandbox_all system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
# allow sandbox to search in sdk system server directory
# additionally, for webview to work, getattr has been permitted
allow sdk_sandbox_all sdk_sandbox_system_data_file:dir { getattr search };
# allow sandbox to create files and dirs in sdk data directory
allow sdk_sandbox_all sdk_sandbox_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow sdk_sandbox_all sdk_sandbox_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# allow apps to pass open fds to the sdk sandbox
# Only getattr/read on an already-open fd; there is no "open" here, so the
# sandbox cannot open app data files by path (enforced by the neverallow on
# app_data_file_type below).
allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read };
###
### neverallow rules
###
# No code execution from any app data type.
neverallow sdk_sandbox_all app_data_file_type:file { execute execute_no_trans };
# Receive or send uevent messages.
neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow sdk_sandbox_all domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow sdk_sandbox_all debugfs_type:file read;
# execute gpu_device
neverallow sdk_sandbox_all gpu_device:chr_file execute;
# access files in /sys with the default sysfs label
neverallow sdk_sandbox_all sysfs:file *;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow sdk_sandbox_all proc:file { { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads } { execute execute_no_trans } };
# Directly access external storage
neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:file {open create};
neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:dir search;
# Avoid reads to proc_net, it contains too much device wide information about
# ongoing connections.
neverallow sdk_sandbox_all proc_net:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
# TODO(b/280514080): shell_data_file shouldn't be allowed here
# The file rule leaves exactly { getattr read } open, matching the fd
# pass-through allow rule above.
neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:dir { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:file ~{ getattr read };
# SDK sandbox processes don't have any access to external storage
neverallow sdk_sandbox_all { media_rw_data_file }:dir { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow sdk_sandbox_all { media_rw_data_file }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow { sdk_sandbox_all } tmpfs:dir { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
neverallow sdk_sandbox_all hal_drm_service:service_manager find;
# Only certain system components should have access to sdk_sandbox_system_data_file
# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
neverallow {
domain
-init
-installd
-system_server
-vold_prepare_subdirs
} sdk_sandbox_system_data_file:dir { relabelfrom };
neverallow {
domain
-init
-installd
-sdk_sandbox_all
-system_server
-vold_prepare_subdirs
-zygote
} sdk_sandbox_system_data_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelto };
# Only certain system components should have access to sdk_sandbox_system_data_file
# sdk_sandbox_all only needs search. Restricted in follow up neverallow rule.
# NOTE: the two rules below repeat the two rules immediately above verbatim.
# Redundant but harmless, since neverallow rules only add constraints.
neverallow {
domain
-init
-installd
-system_server
-vold_prepare_subdirs
} sdk_sandbox_system_data_file:dir { relabelfrom };
neverallow {
domain
-init
-installd
-sdk_sandbox_all
-system_server
-vold_prepare_subdirs
-zygote
} sdk_sandbox_system_data_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelto };
# sdk_sandbox_all only needs to traverse through the sdk_sandbox_system_data_file
# (this matches the { getattr search } allow rule above exactly)
neverallow sdk_sandbox_all sdk_sandbox_system_data_file:dir ~{ getattr search };
# Only dirs should be created at sdk_sandbox_system_data_file level
neverallow { domain -init } sdk_sandbox_system_data_file:file *;
#line 1 "system/sepolicy/private/sdk_sandbox_audit.te"
###
### SDK Sandbox process.
###
### This file defines the audit sdk sandbox security policy for
### the set of restrictions proposed for the next SDK level.
###
### The sdk_sandbox_audit domain has the same rules as the
### sdk_sandbox_current domain and additional auditing rules
### for the accesses we are considering forbidding in the upcoming
### sdk_sandbox_next domain.
# Same attribute set as sdk_sandbox_34 (sdk_sandbox_all + sdk_sandbox_current),
# so it is allowed exactly what the current sandbox is; the auditallow rules
# at the bottom only add logging.
type sdk_sandbox_audit, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
#line 13
typeattribute sdk_sandbox_audit netdomain;
#line 13
#line 14
typeattribute sdk_sandbox_audit appdomain;
#line 14
# Label tmpfs objects for all apps.
#line 14
type_transition sdk_sandbox_audit tmpfs:file appdomain_tmpfs;
#line 14
#line 14
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 14
type sdk_sandbox_audit_userfaultfd;
#line 14
type_transition sdk_sandbox_audit sdk_sandbox_audit:anon_inode sdk_sandbox_audit_userfaultfd "[userfaultfd]";
#line 14
# Allow domain to create/use userfaultfd anon_inode.
#line 14
allow sdk_sandbox_audit sdk_sandbox_audit_userfaultfd:anon_inode { create ioctl read };
#line 14
# Suppress errors generated during bugreport
#line 14
dontaudit su sdk_sandbox_audit_userfaultfd:anon_inode *;
#line 14
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 14
neverallow { domain -sdk_sandbox_audit } sdk_sandbox_audit_userfaultfd:anon_inode *;
#line 14
#line 14
allow sdk_sandbox_audit appdomain_tmpfs:file { execute getattr map read write };
#line 14
# Cross-domain file confidentiality, in both directions (same pattern as the
# other app domains in this file).
#line 14
neverallow { sdk_sandbox_audit -runas_app -shell -simpleperf } { domain -sdk_sandbox_audit }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 14
neverallow { appdomain -runas_app -shell -simpleperf -sdk_sandbox_audit } sdk_sandbox_audit:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 14
# The Android security model guarantees the confidentiality and integrity
#line 14
# of application data and execution state. Ptrace bypasses those
#line 14
# confidentiality guarantees. Disallow ptrace access from system components to
#line 14
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 14
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 14
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 14
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 14
# live lock conditions.
#line 14
neverallow { domain -sdk_sandbox_audit -crash_dump -runas_app -simpleperf } sdk_sandbox_audit:process ptrace;
#line 14
# Auditallow rules for accesses that are currently allowed but we
# might remove in the future.
# These four services are exactly the ones present in the
# sdk_sandbox_current.te service list but absent from sdk_sandbox_next.te,
# so the audit log shows whether dropping them in "next" would break anything.
auditallow sdk_sandbox_audit {
cameraserver_service
ephemeral_app_api_service
mediadrmserver_service
radio_service
}:service_manager find;
# Log any access to properties outside the system_property_type set
# (i.e. non-platform properties) so that use of them can be reviewed.
auditallow sdk_sandbox_audit {
property_type
-system_property_type
}:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
auditallow sdk_sandbox_audit {
property_type
-system_property_type
}:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
#line 1 "system/sepolicy/private/sdk_sandbox_current.te"
###
### SDK Sandbox process.
###
### This file defines the security policy for the sdk sandbox processes
### for the current SDK level.
# sdk_sandbox_current is the attribute carried by sdk_sandbox_34 and
# sdk_sandbox_audit (see their type declarations in this file); the allowlist
# below is the only rule attached to it in this section.
# Allow finding services. This is different from ephemeral_app policy.
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
# Only "find" is granted; the sandbox cannot register (add) services.
# The four entries cameraserver_service, ephemeral_app_api_service,
# mediadrmserver_service and radio_service are the ones not present in the
# sdk_sandbox_next.te list and are audited in sdk_sandbox_audit.te.
allow sdk_sandbox_current {
activity_service
activity_task_service
appops_service
audio_service
audioserver_service
batteryproperties_service
batterystats_service
cameraserver_service
connectivity_service
connmetrics_service
deviceidle_service
display_service
dropbox_service
ephemeral_app_api_service
font_service
game_service
gpu_service
graphicsstats_service
hardware_properties_service
hint_service
imms_service
input_method_service
input_service
IProxyService_service
ipsec_service
launcherapps_service
legacy_permission_service
light_service
locale_service
media_communication_service
mediadrmserver_service
mediaextractor_service
mediametrics_service
media_projection_service
media_router_service
mediaserver_service
media_session_service
memtrackproxy_service
midi_service
netpolicy_service
netstats_service
network_management_service
notification_service
package_service
permission_checker_service
permission_service
permissionmgr_service
platform_compat_service
power_service
procstats_service
radio_service
registry_service
restrictions_service
rttmanager_service
search_service
selection_toolbar_service
sensor_privacy_service
sensorservice_service
servicediscovery_service
settings_service
speech_recognition_service
statusbar_service
storagestats_service
surfaceflinger_service
telecom_service
tethering_service
textclassification_service
textservices_service
texttospeech_service
thermal_service
translation_service
tv_iapp_service
tv_input_service
uimode_service
vcn_management_service
webviewupdate_service
}:service_manager find;
#line 1 "system/sepolicy/private/sdk_sandbox_next.te"
###
### SDK Sandbox process.
###
### This file defines the security policy for the sdk sandbox processes
### for a test set of restrictions. These restrictions will be adapted
### with modifications, into the set of restrictions for the next SDK
### level.
# Unlike sdk_sandbox_34 / sdk_sandbox_audit this type does NOT carry
# sdk_sandbox_current, so it only gets sdk_sandbox_all plus the rules in
# this section (its own, narrower service allowlist).
type sdk_sandbox_next, domain, coredomain, sdk_sandbox_all;
#line 10
typeattribute sdk_sandbox_next netdomain;
#line 10
#line 11
typeattribute sdk_sandbox_next appdomain;
#line 11
# Label tmpfs objects for all apps.
#line 11
type_transition sdk_sandbox_next tmpfs:file appdomain_tmpfs;
#line 11
#line 11
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 11
type sdk_sandbox_next_userfaultfd;
#line 11
type_transition sdk_sandbox_next sdk_sandbox_next:anon_inode sdk_sandbox_next_userfaultfd "[userfaultfd]";
#line 11
# Allow domain to create/use userfaultfd anon_inode.
#line 11
allow sdk_sandbox_next sdk_sandbox_next_userfaultfd:anon_inode { create ioctl read };
#line 11
# Suppress errors generated during bugreport
#line 11
dontaudit su sdk_sandbox_next_userfaultfd:anon_inode *;
#line 11
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 11
neverallow { domain -sdk_sandbox_next } sdk_sandbox_next_userfaultfd:anon_inode *;
#line 11
#line 11
allow sdk_sandbox_next appdomain_tmpfs:file { execute getattr map read write };
#line 11
# Cross-domain file confidentiality, in both directions (same pattern as the
# other app domains in this file).
#line 11
neverallow { sdk_sandbox_next -runas_app -shell -simpleperf } { domain -sdk_sandbox_next }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 11
neverallow { appdomain -runas_app -shell -simpleperf -sdk_sandbox_next } sdk_sandbox_next:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 11
# The Android security model guarantees the confidentiality and integrity
#line 11
# of application data and execution state. Ptrace bypasses those
#line 11
# confidentiality guarantees. Disallow ptrace access from system components to
#line 11
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 11
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 11
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 11
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 11
# live lock conditions.
#line 11
neverallow { domain -sdk_sandbox_next -crash_dump -runas_app -simpleperf } sdk_sandbox_next:process ptrace;
#line 11
# Allow finding services. This is different from ephemeral_app policy.
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
# This list is the sdk_sandbox_current.te list minus cameraserver_service,
# ephemeral_app_api_service, mediadrmserver_service and radio_service (the
# four services that sdk_sandbox_audit.te audits). Keep the two lists in
# step when adding services.
allow sdk_sandbox_next {
activity_service
activity_task_service
appops_service
audio_service
audioserver_service
batteryproperties_service
batterystats_service
connectivity_service
connmetrics_service
deviceidle_service
display_service
dropbox_service
font_service
game_service
gpu_service
graphicsstats_service
hardware_properties_service
hint_service
imms_service
input_method_service
input_service
IProxyService_service
ipsec_service
launcherapps_service
legacy_permission_service
light_service
locale_service
media_communication_service
mediaextractor_service
mediametrics_service
media_projection_service
media_router_service
mediaserver_service
media_session_service
memtrackproxy_service
midi_service
netpolicy_service
netstats_service
network_management_service
notification_service
package_service
permission_checker_service
permission_service
permissionmgr_service
platform_compat_service
power_service
procstats_service
registry_service
restrictions_service
rttmanager_service
search_service
selection_toolbar_service
sensor_privacy_service
sensorservice_service
servicediscovery_service
settings_service
speech_recognition_service
statusbar_service
storagestats_service
surfaceflinger_service
telecom_service
tethering_service
textclassification_service
textservices_service
texttospeech_service
thermal_service
translation_service
tv_iapp_service
tv_input_service
uimode_service
vcn_management_service
webviewupdate_service
}:service_manager find;
#line 1 "system/sepolicy/private/secure_element.te"
# secure element subsystem
#
# Rules for the secure_element domain, expanded from
# private/secure_element.te. The "#line N" lines below are preprocessor
# markers recording which line of that source file each expanded rule came
# from; they carry no policy meaning.
typeattribute secure_element coredomain;
#line 3
# Everything from here to the ptrace neverallow is the per-app-domain
# boilerplate that shared_relro and shell below also receive.
typeattribute secure_element appdomain;
#line 3
# Label tmpfs objects for all apps.
#line 3
type_transition secure_element tmpfs:file appdomain_tmpfs;
#line 3
#line 3
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 3
type secure_element_userfaultfd;
#line 3
type_transition secure_element secure_element:anon_inode secure_element_userfaultfd "[userfaultfd]";
#line 3
# Allow domain to create/use userfaultfd anon_inode.
#line 3
allow secure_element secure_element_userfaultfd:anon_inode { create ioctl read };
#line 3
# Suppress errors generated during bugreport
#line 3
dontaudit su secure_element_userfaultfd:anon_inode *;
#line 3
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 3
neverallow { domain -secure_element } secure_element_userfaultfd:anon_inode *;
#line 3
#line 3
allow secure_element appdomain_tmpfs:file { execute getattr map read write };
#line 3
# App-isolation invariants (enforced at policy build time): this domain may not
# open/read/write files owned by any other domain, and no other app domain may
# touch this domain's files. runas_app, shell and simpleperf are exempted on
# both sides.
neverallow { secure_element -runas_app -shell -simpleperf } { domain -secure_element }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 3
neverallow { appdomain -runas_app -shell -simpleperf -secure_element } secure_element:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 3
# The Android security model guarantees the confidentiality and integrity
#line 3
# of application data and execution state. Ptrace bypasses those
#line 3
# confidentiality guarantees. Disallow ptrace access from system components to
#line 3
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 3
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 3
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 3
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 3
# live lock conditions.
#line 3
# NOTE(review): the comment above lists llkd as excluded, but the rule below
# does not exclude llkd; the rule is stricter than the comment describes.
neverallow { domain -secure_element -crash_dump -runas_app -simpleperf } secure_element:process ptrace;
#line 3
#line 5
typeattribute secure_element binderservicedomain;
#line 5
#line 6
# Only secure_element itself may register secure_element_service; the
# neverallow makes that a build-time invariant rather than a default.
allow secure_element secure_element_service:service_manager { add find };
#line 6
neverallow { domain -secure_element } secure_element_service:service_manager add;
#line 6
#line 6
# On debug builds with root, allow binder services to use binder over TCP.
#line 6
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 6
# (No rule follows the two comment lines above in this build; the binder-over-TCP
# grant is presumably debug-only and not part of this policy variant.)
#line 6
allow secure_element app_api_service:service_manager find;
#line 9
# HAL client side: secure_element talks to the secure element HAL.
typeattribute secure_element halclientdomain;
#line 9
typeattribute secure_element hal_secure_element_client;
#line 9
#line 9
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 9
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 9
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 9
#line 9
# Because secure_element also carries the hal_secure_element attribute, the
# three hal_secure_element rules below (including execute/map on vendor_file)
# apply to the secure_element domain itself.
typeattribute secure_element hal_secure_element;
#line 9
# Find passthrough HAL implementations
#line 9
allow hal_secure_element system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow hal_secure_element vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
allow hal_secure_element vendor_file:file { read open getattr execute map };
#line 9
#line 9
# already open bugreport file descriptors may be shared with
# the secure element process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*.
# Only `read` is granted (no open/getattr), so this covers inherited
# descriptors, not opening shell_data_file paths directly.
allow secure_element shell_data_file:file read;
# Read-only access to the vendor UUID mapping configuration file.
allow secure_element vendor_uuid_mapping_config_file:file { getattr open read ioctl lock map watch watch_reads };
#line 1 "system/sepolicy/private/service.te"
# Type declarations for platform-private service_manager names.
#
# Every type carries service_manager_type; the additional attributes
# (app_api_service, system_api_service, system_server_service) group the
# services so that blanket rules elsewhere in the policy can address them
# as a set - see, for example, the `app_api_service:service_manager find`
# grant in the secure_element section above.
type adaptive_auth_service, system_server_service, service_manager_type;
type ambient_context_service, app_api_service, system_server_service, service_manager_type;
type attention_service, system_server_service, service_manager_type;
type bg_install_control_service, system_api_service, system_server_service, service_manager_type;
type compos_service, service_manager_type;
type communal_service, app_api_service, system_server_service, service_manager_type;
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
type feature_flags_service, app_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type logcat_service, system_server_service, service_manager_type;
type logd_service, service_manager_type;
type mediatuner_service, app_api_service, service_manager_type;
type profcollectd_service, service_manager_type;
type resolver_service, system_server_service, service_manager_type;
type rkpd_registrar_service, service_manager_type;
type rkpd_refresh_service, service_manager_type;
type safety_center_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type stats_service, service_manager_type;
type statsbootstrap_service, system_server_service, service_manager_type;
type statscompanion_service, system_server_service, service_manager_type;
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
type tracingproxy_service, system_server_service, service_manager_type;
type transparency_service, system_server_service, service_manager_type;
#line 28
# Source lines 28-30 produced no output in this build (presumably a
# build-variant conditional).
#line 31
type uce_service, service_manager_type;
type wearable_sensing_service, app_api_service, system_server_service, service_manager_type;
#line 1 "system/sepolicy/private/servicemanager.te"
# Rules for the servicemanager domain. init executes servicemanager_exec and
# transitions into this domain (rules under #line 3).
typeattribute servicemanager coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init servicemanager_exec:file { getattr open read execute map };
#line 3
allow init servicemanager:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow servicemanager servicemanager_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
# NOTE(review): no sigchld rule is emitted after the comment above (compare the
# vendor_shell and perfetto transitions in shell.te below, which do emit one);
# presumably the grant towards init is covered by a domain-wide rule elsewhere.
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init servicemanager:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init servicemanager:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init servicemanager_exec:process servicemanager;
#line 3
#line 3
#line 5
# Read-only access to the runtime event log tags file.
allow servicemanager runtime_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads };
#line 5
#line 7
#line 7
# Property-set grants for two property types. Each group is: write the property
# socket, connect to init's property socket, `set` on the property type, and
# read the backing property file.
allow servicemanager property_socket:sock_file write;
#line 7
allow servicemanager init:unix_stream_socket connectto;
#line 7
#line 7
allow servicemanager ctl_interface_start_prop:property_service set;
#line 7
#line 7
allow servicemanager ctl_interface_start_prop:file { getattr open read map };
#line 7
#line 7
#line 8
#line 8
allow servicemanager property_socket:sock_file write;
#line 8
allow servicemanager init:unix_stream_socket connectto;
#line 8
#line 8
allow servicemanager servicemanager_prop:property_service set;
#line 8
#line 8
allow servicemanager servicemanager_prop:file { getattr open read map };
#line 8
#line 8
# servicemanager is using bootstrap bionic
#line 11
allow servicemanager system_bootstrap_lib_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 11
allow servicemanager system_bootstrap_lib_file:file { execute read open getattr map };
#line 11
# servicemanager is using apex_info via libvintf
#line 14
# Read-only access to the mounted APEX metadata: the apex info file and the
# vendor APEX metadata directory (files and symlinks).
allow servicemanager apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads };
#line 14
allow servicemanager apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
#line 14
#line 14
allow servicemanager vendor_apex_metadata_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 14
allow servicemanager vendor_apex_metadata_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 14
#line 14
#line 1 "system/sepolicy/private/sgdisk.te"
# Only the coredomain attribute is declared for sgdisk here; any further rules
# for the domain come from elsewhere in the policy.
typeattribute sgdisk coredomain;
#line 1 "system/sepolicy/private/shared_relro.te"
# Rules for the shared_relro domain.
typeattribute shared_relro coredomain;
# The shared relro process is a Java program forked from the zygote, so it
# inherits from app to get basic permissions it needs to run.
#line 5
# Per-app-domain boilerplate (same block as secure_element above and shell
# below): tmpfs labelling, a private userfaultfd anon_inode type, file
# isolation invariants and the ptrace restriction.
typeattribute shared_relro appdomain;
#line 5
# Label tmpfs objects for all apps.
#line 5
type_transition shared_relro tmpfs:file appdomain_tmpfs;
#line 5
#line 5
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 5
type shared_relro_userfaultfd;
#line 5
type_transition shared_relro shared_relro:anon_inode shared_relro_userfaultfd "[userfaultfd]";
#line 5
# Allow domain to create/use userfaultfd anon_inode.
#line 5
allow shared_relro shared_relro_userfaultfd:anon_inode { create ioctl read };
#line 5
# Suppress errors generated during bugreport
#line 5
dontaudit su shared_relro_userfaultfd:anon_inode *;
#line 5
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 5
neverallow { domain -shared_relro } shared_relro_userfaultfd:anon_inode *;
#line 5
#line 5
allow shared_relro appdomain_tmpfs:file { execute getattr map read write };
#line 5
neverallow { shared_relro -runas_app -shell -simpleperf } { domain -shared_relro }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 5
neverallow { appdomain -runas_app -shell -simpleperf -shared_relro } shared_relro:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 5
# The Android security model guarantees the confidentiality and integrity
#line 5
# of application data and execution state. Ptrace bypasses those
#line 5
# confidentiality guarantees. Disallow ptrace access from system components to
#line 5
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 5
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 5
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 5
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 5
# live lock conditions.
#line 5
# NOTE(review): llkd is named as excluded in the comment above but is not
# excluded by the rule below.
neverallow { domain -shared_relro -crash_dump -runas_app -simpleperf } shared_relro:process ptrace;
#line 5
# Full read/write, including create/rename/unlink, on the shared relro
# directory and the files inside it.
allow shared_relro shared_relro_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow shared_relro shared_relro_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Service lookups this domain is allowed to perform.
allow shared_relro activity_service:service_manager find;
allow shared_relro webviewupdate_service:service_manager find;
allow shared_relro package_service:service_manager find;
# StrictMode may attempt to find this service, failure is harmless.
dontaudit shared_relro network_management_service:service_manager find;
#line 1 "system/sepolicy/private/shell.te"
# Rules for the shell domain. mlstrustedsubject exempts the domain from MLS
# constraints, so these rules are the effective boundary of what shell can do.
typeattribute shell coredomain, mlstrustedsubject;
# allow shell input injection
# (read/write on the uhid device node lets shell synthesize HID input events)
allow shell uhid_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# systrace support - allow atrace to run
# Read/write on the tracing debugfs files; only getattr on the trace marker.
allow shell debugfs_tracing_debug:dir { open getattr read search ioctl lock watch watch_reads };
allow shell debugfs_tracing:dir { open getattr read search ioctl lock watch watch_reads };
allow shell debugfs_tracing:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow shell debugfs_trace_marker:file getattr;
allow shell atrace_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 15
# read config.gz for CTS purposes
allow shell config_gz:file { getattr open read ioctl lock map watch watch_reads };
# allow reading tombstones. users can already use bugreports to get those.
allow shell tombstone_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow shell tombstone_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Run app_process.
# XXX Transition into its own domain?
#line 26
# Per-app-domain boilerplate, here instantiated for shell itself.
typeattribute shell appdomain;
#line 26
# Label tmpfs objects for all apps.
#line 26
type_transition shell tmpfs:file appdomain_tmpfs;
#line 26
#line 26
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 26
type shell_userfaultfd;
#line 26
type_transition shell shell:anon_inode shell_userfaultfd "[userfaultfd]";
#line 26
# Allow domain to create/use userfaultfd anon_inode.
#line 26
allow shell shell_userfaultfd:anon_inode { create ioctl read };
#line 26
# Suppress errors generated during bugreport
#line 26
dontaudit su shell_userfaultfd:anon_inode *;
#line 26
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 26
neverallow { domain -shell } shell_userfaultfd:anon_inode *;
#line 26
#line 26
allow shell appdomain_tmpfs:file { execute getattr map read write };
#line 26
# NOTE(review): the subject set `{ shell -runas_app -shell -simpleperf }` is
# empty, so this neverallow is vacuous for shell - it is the generic app
# isolation invariant with the domain substituted for itself (shell is one of
# the exempted domains). The following rule likewise lists -shell twice.
neverallow { shell -runas_app -shell -simpleperf } { domain -shell }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 26
neverallow { appdomain -runas_app -shell -simpleperf -shell } shell:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 26
# The Android security model guarantees the confidentiality and integrity
#line 26
# of application data and execution state. Ptrace bypasses those
#line 26
# confidentiality guarantees. Disallow ptrace access from system components to
#line 26
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 26
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 26
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 26
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 26
# live lock conditions.
#line 26
# NOTE(review): llkd is named as excluded in the comment above but is not
# excluded by the rule below.
neverallow { domain -shell -crash_dump -runas_app -simpleperf } shell:process ptrace;
#line 26
# allow shell to call dumpsys storaged
#line 29
# Binder call expansion: shell -> storaged, with fd/reference passing both ways.
# Call the server domain and optionally transfer references to it.
#line 29
allow shell storaged:binder { call transfer };
#line 29
# Allow the serverdomain to transfer references to the client on the reply.
#line 29
allow storaged shell:binder transfer;
#line 29
# Receive and use open files from the server.
#line 29
allow shell storaged:fd use;
#line 29
# Perform SELinux access checks, needed for CTS
#line 32
#line 32
# selinuxfs read/write plus compute_av and check_context on kernel:security.
# This lets shell query the loaded policy (access-vector computation, context
# validation); no other kernel:security permission is granted in this file.
allow shell selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 32
allow shell selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 32
#line 32
allow shell selinuxfs:file { open append write lock map };
#line 32
allow shell kernel:security compute_av;
#line 32
allow shell self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
#line 32
#line 33
#line 33
allow shell selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 33
allow shell selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 33
#line 33
allow shell selinuxfs:file { open append write lock map };
#line 33
allow shell kernel:security check_context;
#line 33
# Control Perfetto traced and obtain traces from it.
# Needed for Studio and debugging.
#line 37
# Consumer side: connect to traced's consumer socket.
allow shell traced_consumer_socket:sock_file write;
#line 37
allow shell traced:unix_stream_socket connectto;
#line 37
# Allow shell binaries to write trace data to Perfetto. Used for testing and
# cmdline utils.
#line 41
# Producer side: share fds and traced's tmpfs mappings, connect to the
# producer socket, and let traced use fds handed over by shell.
allow shell traced:fd use;
#line 41
allow shell traced_tmpfs:file { read write getattr map };
#line 41
#line 41
allow shell traced_producer_socket:sock_file write;
#line 41
allow shell traced:unix_stream_socket connectto;
#line 41
#line 41
#line 41
# Also allow the service to use the producer file descriptors. This is
#line 41
# necessary when the producer is creating the shared memory, as it will be
#line 41
# passed to the service as a file descriptor (obtained from memfd_create).
#line 41
allow traced shell:fd use;
#line 41
#line 43
# Domain transition shell -> vendor_shell on exec of vendor_shell_exec.
# Allow the necessary permissions.
#line 43
#line 43
# Old domain may exec the file and transition to the new domain.
#line 43
allow shell vendor_shell_exec:file { getattr open read execute map };
#line 43
allow shell vendor_shell:process transition;
#line 43
# New domain is entered by executing the file.
#line 43
allow vendor_shell vendor_shell_exec:file { entrypoint open read execute getattr map };
#line 43
# New domain can send SIGCHLD to its caller.
#line 43
allow vendor_shell shell:process sigchld;
#line 43
# Enable AT_SECURE, i.e. libc secure mode.
#line 43
dontaudit shell vendor_shell:process noatsecure;
#line 43
# XXX dontaudit candidate but requires further study.
#line 43
allow shell vendor_shell:process { siginh rlimitinh };
#line 43
#line 43
# Make the transition occur by default.
#line 43
type_transition shell vendor_shell_exec:process vendor_shell;
#line 43
# Allow shell binaries to exec the perfetto cmdline util and have that
# transition into its own domain, so that it behaves consistently to
# when exec()-d by statsd.
#line 48
# Domain transition shell -> perfetto on exec of perfetto_exec.
# Allow the necessary permissions.
#line 48
#line 48
# Old domain may exec the file and transition to the new domain.
#line 48
allow shell perfetto_exec:file { getattr open read execute map };
#line 48
allow shell perfetto:process transition;
#line 48
# New domain is entered by executing the file.
#line 48
allow perfetto perfetto_exec:file { entrypoint open read execute getattr map };
#line 48
# New domain can send SIGCHLD to its caller.
#line 48
allow perfetto shell:process sigchld;
#line 48
# Enable AT_SECURE, i.e. libc secure mode.
#line 48
dontaudit shell perfetto:process noatsecure;
#line 48
# XXX dontaudit candidate but requires further study.
#line 48
allow shell perfetto:process { siginh rlimitinh };
#line 48
#line 48
# Make the transition occur by default.
#line 48
type_transition shell perfetto_exec:process perfetto;
#line 48
# Allow to send SIGINT to perfetto when daemonized.
allow shell perfetto:process signal;
# Allow shell to run adb shell cmd stats commands. Needed for CTS.
#line 53
# Binder call expansion: shell -> statsd.
# Call the server domain and optionally transfer references to it.
#line 53
allow shell statsd:binder { call transfer };
#line 53
# Allow the serverdomain to transfer references to the client on the reply.
#line 53
allow statsd shell:binder transfer;
#line 53
# Receive and use open files from the server.
#line 53
allow shell statsd:fd use;
#line 53
# (stray `;` left behind by the macro invocation above; presumably tolerated by
# the policy compiler, as this file builds)
;
# Allow shell to read and unlink traces stored in /data/misc/a11ytraces.
#line 59
# (No rule follows the a11ytraces comment above in this build.)
# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
# Directory: read plus write/add_name/remove_name; files: read-only plus unlink.
allow shell perfetto_traces_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow shell perfetto_traces_data_file:file { { getattr open read ioctl lock map watch watch_reads } unlink };
# ... and /data/misc/perfetto-traces/bugreport/ .
allow shell perfetto_traces_bugreport_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow shell perfetto_traces_bugreport_data_file:file { { getattr open read ioctl lock map watch watch_reads } unlink };
# Allow shell to create/remove configs stored in /data/misc/perfetto-configs.
# Unlike the trace directories, config files are fully writable here.
allow shell perfetto_configs_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow shell perfetto_configs_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow shell to run adb shell cmd gpu commands.
#line 73
# Binder call expansion: shell -> gpuservice.
# Call the server domain and optionally transfer references to it.
#line 73
allow shell gpuservice:binder { call transfer };
#line 73
# Allow the serverdomain to transfer references to the client on the reply.
#line 73
allow gpuservice shell:binder transfer;
#line 73
# Receive and use open files from the server.
#line 73
allow shell gpuservice:fd use;
#line 73
# (stray `;` left behind by the macro invocation above)
;
# Allow shell to use atrace HAL
#line 76
typeattribute shell halclientdomain;
#line 76
typeattribute shell hal_atrace_client;
#line 76
#line 76
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 76
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 76
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 76
#line 76
# shell also carries hal_atrace, so the hal_atrace rules below (including
# execute/map on vendor_file) apply to shell itself.
typeattribute shell hal_atrace;
#line 76
# Find passthrough HAL implementations
#line 76
allow hal_atrace system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 76
allow hal_atrace vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 76
allow hal_atrace vendor_file:file { read open getattr execute map };
#line 76
#line 76
# For hostside tests such as CTS listening ports test.
allow shell proc_net_tcp_udp:file { getattr open read ioctl lock map watch watch_reads };
# The dl.exec_linker* tests need to execute /system/bin/linker
# b/124789393
# The next three executables are run without a domain transition
# (execute_no_trans), i.e. they stay in the shell domain.
allow shell system_linker_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Renderscript host side tests depend on being able to execute
# /system/bin/bcc (b/126388046)
allow shell rs_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow (host-driven) ART run-tests to execute dex2oat, in order to
# check ART's compiler.
allow shell dex2oat_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow shell dex2oat_exec:lnk_file read;
# Allow shell to start and communicate with lpdumpd.
#line 95
#line 95
# Property-set expansion for lpdumpd_prop (the same four-rule shape recurs for
# every settable property below): write the property socket, connect to init,
# `set` on the property type, read the backing property file.
allow shell property_socket:sock_file write;
#line 95
allow shell init:unix_stream_socket connectto;
#line 95
#line 95
allow shell lpdumpd_prop:property_service set;
#line 95
#line 95
allow shell lpdumpd_prop:file { getattr open read map };
#line 95
#line 95
# (stray `;` left behind by the macro invocation above)
;
#line 96
# Binder call expansion: shell -> lpdumpd.
# Call the server domain and optionally transfer references to it.
#line 96
allow shell lpdumpd:binder { call transfer };
#line 96
# Allow the serverdomain to transfer references to the client on the reply.
#line 96
allow lpdumpd shell:binder transfer;
#line 96
# Receive and use open files from the server.
#line 96
allow shell lpdumpd:fd use;
#line 96
# Allow shell to set and read value of properties used for CTS tests of
# userspace reboot
#line 100
#line 100
allow shell property_socket:sock_file write;
#line 100
allow shell init:unix_stream_socket connectto;
#line 100
#line 100
allow shell userspace_reboot_test_prop:property_service set;
#line 100
#line 100
allow shell userspace_reboot_test_prop:file { getattr open read map };
#line 100
#line 100
# Allow shell to set this property to disable charging.
#line 103
#line 103
allow shell property_socket:sock_file write;
#line 103
allow shell init:unix_stream_socket connectto;
#line 103
#line 103
allow shell power_debug_prop:property_service set;
#line 103
#line 103
allow shell power_debug_prop:file { getattr open read map };
#line 103
#line 103
# Allow shell to set this property used for rollback tests
#line 106
#line 106
allow shell property_socket:sock_file write;
#line 106
allow shell init:unix_stream_socket connectto;
#line 106
#line 106
allow shell rollback_test_prop:property_service set;
#line 106
#line 106
allow shell rollback_test_prop:file { getattr open read map };
#line 106
#line 106
# Allow shell to set RKP properties for testing purposes
#line 109
#line 109
allow shell property_socket:sock_file write;
#line 109
allow shell init:unix_stream_socket connectto;
#line 109
#line 109
allow shell remote_prov_prop:property_service set;
#line 109
#line 109
allow shell remote_prov_prop:file { getattr open read map };
#line 109
#line 109
# Allow shell to get encryption policy of /data/local/tmp/, for CTS
# Extended-permission filter: only these two ioctl numbers are permitted on
# shell_data_file directories (presumably FS_IOC_GET_ENCRYPTION_POLICY and
# FS_IOC_GET_ENCRYPTION_POLICY_EX - confirm against the kernel headers).
allowxperm shell shell_data_file:dir ioctl {
0x400c6615
0xc0096616
};
# Allow shell to execute simpleperf without a domain transition.
allow shell simpleperf_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 129
# (Source lines between the simpleperf rule and here produced no output in
# this build - presumably a debug-only conditional.)
# Allow shell to run remount command.
allow shell remount_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow shell to call perf_event_open for profiling other shell processes, but
# not the whole system.
# The neverallow pins this at build time: any perf_event permission outside
# { open read write kernel } (e.g. `cpu` or `tracepoint`) on self is rejected
# for shell.
allow shell self:perf_event { open read write kernel };
neverallow shell self:perf_event ~{ open read write kernel };
# Allow shell to read microdroid vendor image
#line 140
allow shell vendor_microdroid_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 140
allow shell vendor_microdroid_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 140
# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
allow shell apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
allow shell vendor_apex_file:file { getattr open read ioctl lock map watch watch_reads };
allow shell vendor_apex_file:dir { open getattr read search ioctl lock watch watch_reads };
allow shell vendor_apex_metadata_file:dir { open getattr read search ioctl lock watch watch_reads };
# Allow shell to read updated APEXes under /data/apex
# Only `search` on the directory; the staged files themselves are read-only.
allow shell apex_data_file:dir search;
allow shell staging_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Set properties.
#line 153
#line 153
allow shell property_socket:sock_file write;
#line 153
allow shell init:unix_stream_socket connectto;
#line 153
#line 153
allow shell shell_prop:property_service set;
#line 153
#line 153
allow shell shell_prop:file { getattr open read map };
#line 153
#line 153
#line 154
#line 154
allow shell property_socket:sock_file write;
#line 154
allow shell init:unix_stream_socket connectto;
#line 154
#line 154
allow shell ctl_bugreport_prop:property_service set;
#line 154
#line 154
allow shell ctl_bugreport_prop:file { getattr open read map };
#line 154
#line 154
#line 155
#line 155
allow shell property_socket:sock_file write;
#line 155
allow shell init:unix_stream_socket connectto;
#line 155
#line 155
allow shell ctl_dumpstate_prop:property_service set;
#line 155
#line 155
allow shell ctl_dumpstate_prop:file { getattr open read map };
#line 155
#line 155
#line 156
#line 156
allow shell property_socket:sock_file write;
#line 156
allow shell init:unix_stream_socket connectto;
#line 156
#line 156
allow shell dumpstate_prop:property_service set;
#line 156
#line 156
allow shell dumpstate_prop:file { getattr open read map };
#line 156
#line 156
#line 157
#line 157
allow shell property_socket:sock_file write;
#line 157
allow shell init:unix_stream_socket connectto;
#line 157
#line 157
allow shell exported_dumpstate_prop:property_service set;
#line 157
#line 157
allow shell exported_dumpstate_prop:file { getattr open read map };
#line 157
#line 157
#line 158
#line 158
allow shell property_socket:sock_file write;
#line 158
allow shell init:unix_stream_socket connectto;
#line 158
#line 158
allow shell debug_prop:property_service set;
#line 158
#line 158
allow shell debug_prop:file { getattr open read map };
#line 158
#line 158
#line 159
#line 159
allow shell property_socket:sock_file write;
#line 159
allow shell init:unix_stream_socket connectto;
#line 159
#line 159
allow shell perf_drop_caches_prop:property_service set;
#line 159
#line 159
allow shell perf_drop_caches_prop:file { getattr open read map };
#line 159
#line 159
#line 160
#line 160
allow shell property_socket:sock_file write;
#line 160
allow shell init:unix_stream_socket connectto;
#line 160
#line 160
allow shell powerctl_prop:property_service set;
#line 160
#line 160
allow shell powerctl_prop:file { getattr open read map };
#line 160
#line 160
#line 161
#line 161
allow shell property_socket:sock_file write;
#line 161
allow shell init:unix_stream_socket connectto;
#line 161
#line 161
allow shell log_tag_prop:property_service set;
#line 161
#line 161
allow shell log_tag_prop:file { getattr open read map };
#line 161
#line 161
#line 162
#line 162
allow shell property_socket:sock_file write;
#line 162
allow shell init:unix_stream_socket connectto;
#line 162
#line 162
allow shell wifi_log_prop:property_service set;
#line 162
#line 162
allow shell wifi_log_prop:file { getattr open read map };
#line 162
#line 162
# Allow shell to start/stop traced via the persist.traced.enable
# property (which also takes care of /data/misc initialization).
#line 165
#line 165
allow shell property_socket:sock_file write;
#line 165
allow shell init:unix_stream_socket connectto;
#line 165
#line 165
allow shell traced_enabled_prop:property_service set;
#line 165
#line 165
allow shell traced_enabled_prop:file { getattr open read map };
#line 165
#line 165
# adjust SELinux audit rates
#line 167
#line 167
allow shell property_socket:sock_file write;
#line 167
allow shell init:unix_stream_socket connectto;
#line 167
#line 167
allow shell logd_auditrate_prop:property_service set;
#line 167
#line 167
allow shell logd_auditrate_prop:file { getattr open read map };
#line 167
#line 167
# adjust is_loggable properties
# logpersist script
# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
# property.
#line 174
#line 174
allow shell property_socket:sock_file write;
#line 174
allow shell init:unix_stream_socket connectto;
#line 174
#line 174
allow shell heapprofd_enabled_prop:property_service set;
#line 174
#line 174
allow shell heapprofd_enabled_prop:file { getattr open read map };
#line 174
#line 174
# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
# property.
#line 177
#line 177
allow shell property_socket:sock_file write;
#line 177
allow shell init:unix_stream_socket connectto;
#line 177
#line 177
allow shell traced_perf_enabled_prop:property_service set;
#line 177
#line 177
allow shell traced_perf_enabled_prop:file { getattr open read map };
#line 177
#line 177
# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
#line 179
#line 179
allow shell property_socket:sock_file write;
#line 179
allow shell init:unix_stream_socket connectto;
#line 179
#line 179
allow shell ctl_gsid_prop:property_service set;
#line 179
#line 179
allow shell ctl_gsid_prop:file { getattr open read map };
#line 179
#line 179
#line 180
#line 180
allow shell property_socket:sock_file write;
#line 180
allow shell init:unix_stream_socket connectto;
#line 180
#line 180
allow shell ctl_snapuserd_prop:property_service set;
#line 180
#line 180
allow shell ctl_snapuserd_prop:file { getattr open read map };
#line 180
#line 180
# Allow shell to enable Dynamic System Update
#line 182
#line 182
allow shell property_socket:sock_file write;
#line 182
allow shell init:unix_stream_socket connectto;
#line 182
#line 182
allow shell dynamic_system_prop:property_service set;
#line 182
#line 182
allow shell dynamic_system_prop:file { getattr open read map };
#line 182
#line 182
# Allow shell to mock an OTA using persist.pm.mock-upgrade
#line 184
#line 184
allow shell property_socket:sock_file write;
#line 184
allow shell init:unix_stream_socket connectto;
#line 184
#line 184
allow shell mock_ota_prop:property_service set;
#line 184
#line 184
allow shell mock_ota_prop:file { getattr open read map };
#line 184
#line 184
# Read device's serial number from system properties
#line 187
allow shell serialno_prop:file { getattr open read map };
#line 187
# Allow shell to read the vendor security patch level for CTS
#line 190
allow shell vendor_security_patch_level_prop:file { getattr open read map };
#line 190
# Read state of logging-related properties
#line 193
allow shell device_logging_prop:file { getattr open read map };
#line 193
# Read state of boot reason properties
#line 196
allow shell bootloader_boot_reason_prop:file { getattr open read map };
#line 196
#line 197
allow shell last_boot_reason_prop:file { getattr open read map };
#line 197
#line 198
allow shell system_boot_reason_prop:file { getattr open read map };
#line 198
# Allow shell to execute the remote key provisioning factory tool
#line 201
# Call the server domain and optionally transfer references to it.
#line 201
allow shell hal_keymint:binder { call transfer };
#line 201
# Allow the server domain to transfer references to the client on the reply.
#line 201
allow hal_keymint shell:binder transfer;
#line 201
# Receive and use open files from the server.
#line 201
allow shell hal_keymint:fd use;
#line 201
# Allow reading the outcome of perf_event_open LSM support test for CTS.
#line 204
allow shell init_perf_lsm_hooks_prop:file { getattr open read map };
#line 204
# Allow shell to read boot image timestamps and fingerprints.
#line 207
allow shell build_bootimage_prop:file { getattr open read map };
#line 207
# Allow shell to read odsign verification properties
#line 210
allow shell odsign_prop:file { getattr open read map };
#line 210
# Allow shell to read the keystore key contexts files. Used by native tests to test label lookup.
allow shell keystore2_key_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow shell to access the keystore2_key namespace shell_key. Mainly used for native tests.
allow shell shell_key:keystore2_key { delete rebind use get_info update };
# Allow shell to open and execute memfd files for minijail unit tests.
#line 223
# Allow shell to write db.log.detailed, db.log.slow_query_threshold*
#line 226
#line 226
allow shell property_socket:sock_file write;
#line 226
allow shell init:unix_stream_socket connectto;
#line 226
#line 226
allow shell sqlite_log_prop:property_service set;
#line 226
#line 226
allow shell sqlite_log_prop:file { getattr open read map };
#line 226
#line 226
# Allow shell to write MTE properties even on user builds.
#line 229
#line 229
allow shell property_socket:sock_file write;
#line 229
allow shell init:unix_stream_socket connectto;
#line 229
#line 229
allow shell arm64_memtag_prop:property_service set;
#line 229
#line 229
allow shell arm64_memtag_prop:file { getattr open read map };
#line 229
#line 229
# Allow shell to read the dm-verity props on user builds.
#line 232
allow shell verity_status_prop:file { getattr open read map };
#line 232
# Allow shell to read Virtual A/B related properties
#line 235
allow shell virtual_ab_prop:file { getattr open read map };
#line 235
# Never allow others to set or get the perf.drop_caches property.
neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
# Allow ReadDefaultFstab() for CTS.
#line 242
allow shell { metadata_file gsi_metadata_file_type }:dir search;
#line 242
allow shell gsi_public_metadata_file:file { getattr open read ioctl lock map watch watch_reads };
#line 242
allow shell { proc_bootconfig proc_cmdline }:file { getattr open read ioctl lock map watch watch_reads };
#line 242
# Allow shell read access to /apex/apex-info-list.xml for CTS.
allow shell apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
# Let the shell user call virtualizationservice (and
# virtualizationservice call back to shell) for debugging.
#line 249
# Transition to virtualizationmanager when the client executes it.
#line 249
#line 249
# Allow the necessary permissions.
#line 249
#line 249
# Old domain may exec the file and transition to the new domain.
#line 249
allow shell virtualizationmanager_exec:file { getattr open read execute map };
#line 249
allow shell virtualizationmanager:process transition;
#line 249
# New domain is entered by executing the file.
#line 249
allow virtualizationmanager virtualizationmanager_exec:file { entrypoint open read execute getattr map };
#line 249
# New domain can send SIGCHLD to its caller.
#line 249
allow virtualizationmanager shell:process sigchld;
#line 249
# Enable AT_SECURE, i.e. libc secure mode.
#line 249
dontaudit shell virtualizationmanager:process noatsecure;
#line 249
# XXX dontaudit candidate but requires further study.
#line 249
allow shell virtualizationmanager:process { siginh rlimitinh };
#line 249
#line 249
# Make the transition occur by default.
#line 249
type_transition shell virtualizationmanager_exec:process virtualizationmanager;
#line 249
#line 249
# Allow virtualizationmanager to communicate over UDS with the client.
#line 249
allow { virtualizationmanager crosvm } shell:unix_stream_socket { ioctl getattr read write };
#line 249
# Let the client pass file descriptors to virtualizationmanager and on to crosvm.
#line 249
allow { virtualizationmanager crosvm } shell:fd use;
#line 249
# Let the client use file descriptors created by virtualizationmanager.
#line 249
allow shell virtualizationmanager:fd use;
#line 249
# Allow piping console log to the client
#line 249
allow { virtualizationmanager crosvm } shell:fifo_file { ioctl getattr read write };
#line 249
# Allow client to read/write vsock created by virtualizationmanager to communicate with the VM
#line 249
# that it created. Notice that we do not grant permission to create a vsock;
#line 249
# the client can only connect to VMs that it owns.
#line 249
allow shell virtualizationmanager:vsock_socket { getattr getopt read write };
#line 249
# Allow client to inspect hypervisor capabilities
#line 249
#line 249
allow shell hypervisor_prop:file { getattr open read map };
#line 249
#line 249
# Allow client to read (but not open) the crashdump provided by virtualizationmanager
#line 249
allow shell virtualizationservice_data_file:file { getattr read };
#line 249
# Allow shell to set persist.wm.debug properties
# Allow shell to write GWP-ASan properties even on user builds.
#line 255
#line 255
allow shell property_socket:sock_file write;
#line 255
allow shell init:unix_stream_socket connectto;
#line 255
#line 255
allow shell gwp_asan_prop:property_service set;
#line 255
#line 255
allow shell gwp_asan_prop:file { getattr open read map };
#line 255
#line 255
# Allow shell to set persist.sysui.notification.builder_extras_override property
# Allow shell to set persist.sysui.notification.ranking_update_ashmem property
# Allow shell to read the build properties for attestation feature
#line 263
allow shell build_attestation_prop:file { getattr open read map };
#line 263
# Allow shell to execute oatdump.
allow shell oatdump_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 1 "system/sepolicy/private/simpleperf.te"
# Domain used when running /system/bin/simpleperf to profile a specific app.
# Entered either by the app itself exec-ing the binary, or through
# simpleperf_app_runner (with shell as its origin). Certain other domains
# (runas_app, shell) can also exec this binary without a domain transition.
typeattribute simpleperf coredomain;
type simpleperf_exec, system_file_type, exec_type, file_type;
# Define apps that can be marked debuggable/profileable and be profiled by simpleperf.
#line 15
# NOTE(review): source lines 15-16 emit nothing in this expansion; presumably
# the m4 definition of the profileable-app list that is spelled out inside the
# braces of every rule below -- confirm against the source .te.
#line 17
# Allow the necessary permissions.
#line 17
#line 17
# Old domain may exec the file and transition to the new domain.
#line 17
allow { {
#line 17
ephemeral_app
#line 17
isolated_app
#line 17
platform_app
#line 17
priv_app
#line 17
untrusted_app_all
#line 17
} -runas_app } simpleperf_exec:file { getattr open read execute map };
#line 17
allow { {
#line 17
ephemeral_app
#line 17
isolated_app
#line 17
platform_app
#line 17
priv_app
#line 17
untrusted_app_all
#line 17
} -runas_app } simpleperf:process transition;
#line 17
# New domain is entered by executing the file.
#line 17
allow simpleperf simpleperf_exec:file { entrypoint open read execute getattr map };
#line 17
# New domain can send SIGCHLD to its caller.
#line 17
allow simpleperf { {
#line 17
ephemeral_app
#line 17
isolated_app
#line 17
platform_app
#line 17
priv_app
#line 17
untrusted_app_all
#line 17
} -runas_app }:process sigchld;
#line 17
# Enable AT_SECURE, i.e. libc secure mode.
#line 17
dontaudit { {
#line 17
ephemeral_app
#line 17
isolated_app
#line 17
platform_app
#line 17
priv_app
#line 17
untrusted_app_all
#line 17
} -runas_app } simpleperf:process noatsecure;
#line 17
# XXX dontaudit candidate but requires further study.
#line 17
allow { {
#line 17
ephemeral_app
#line 17
isolated_app
#line 17
platform_app
#line 17
priv_app
#line 17
untrusted_app_all
#line 17
} -runas_app } simpleperf:process { siginh rlimitinh };
#line 17
#line 17
# Make the transition occur by default.
#line 17
type_transition { {
#line 17
ephemeral_app
#line 17
isolated_app
#line 17
platform_app
#line 17
priv_app
#line 17
untrusted_app_all
#line 17
} -runas_app } simpleperf_exec:process simpleperf;
#line 17
# When running in this domain, simpleperf is scoped to profiling an individual
# app. The necessary MAC permissions for profiling are more maintainable and
# consistent if simpleperf is marked as an app domain as well (as, for example,
# it will then see the same set of system libraries as the app).
#line 23
typeattribute simpleperf appdomain;
#line 23
# Label tmpfs objects for all apps.
#line 23
type_transition simpleperf tmpfs:file appdomain_tmpfs;
#line 23
#line 23
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 23
type simpleperf_userfaultfd;
#line 23
type_transition simpleperf simpleperf:anon_inode simpleperf_userfaultfd "[userfaultfd]";
#line 23
# Allow domain to create/use userfaultfd anon_inode.
#line 23
allow simpleperf simpleperf_userfaultfd:anon_inode { create ioctl read };
#line 23
# Suppress errors generated during bugreport
#line 23
dontaudit su simpleperf_userfaultfd:anon_inode *;
#line 23
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 23
neverallow { domain -simpleperf } simpleperf_userfaultfd:anon_inode *;
#line 23
#line 23
allow simpleperf appdomain_tmpfs:file { execute getattr map read write };
#line 23
# NOTE(review): the subject set below subtracts simpleperf from itself
# ({ simpleperf ... -simpleperf }), so as expanded here this neverallow
# constrains no domain. It looks like a generic app-domain template
# instantiated with simpleperf as both the domain and an exclusion -- confirm
# that the empty subject set is intended.
neverallow { simpleperf -runas_app -shell -simpleperf } { domain -simpleperf }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 23
# App domains other than runas_app, shell and simpleperf itself may not read or
# write files labelled with the simpleperf domain type (e.g. its /proc entries).
neverallow { appdomain -runas_app -shell -simpleperf -simpleperf } simpleperf:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 23
# The Android security model guarantees the confidentiality and integrity
#line 23
# of application data and execution state. Ptrace bypasses those
#line 23
# confidentiality guarantees. Disallow ptrace access from system components to
#line 23
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 23
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 23
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 23
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 23
# live lock conditions.
#line 23
# As expanded for this domain: only simpleperf, crash_dump and runas_app may
# ptrace a simpleperf process (llkd is named in the comment above but not in
# the exclusion list of this instance).
neverallow { domain -simpleperf -crash_dump -runas_app -simpleperf } simpleperf:process ptrace;
#line 23
#line 24
# simpleperf is itself a member of untrusted_app_all; since that attribute is
# part of every app set used in this file, those sets include simpleperf too.
typeattribute simpleperf untrusted_app_all;
#line 24
# Allow ptrace attach to the target app, for reading JIT debug info (using
# process_vm_readv) during unwinding and symbolization.
allow simpleperf {
#line 28
ephemeral_app
#line 28
isolated_app
#line 28
platform_app
#line 28
priv_app
#line 28
untrusted_app_all
#line 28
}:process ptrace;
# Allow using perf_event_open syscall for profiling the target app.
allow simpleperf self:perf_event { open read write kernel };
# Allow /proc/<pid> access for the target app (for example, when trying to
# discover it by cmdline).
#line 35
allow simpleperf {
#line 35
ephemeral_app
#line 35
isolated_app
#line 35
platform_app
#line 35
priv_app
#line 35
untrusted_app_all
#line 35
}:dir { open getattr read search ioctl lock watch watch_reads };
#line 35
allow simpleperf {
#line 35
ephemeral_app
#line 35
isolated_app
#line 35
platform_app
#line 35
priv_app
#line 35
untrusted_app_all
#line 35
}:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 35
# Allow apps signalling simpleperf domain, which is the domain that the simpleperf
# profiler runs as when executed by the app. The signals are used to control
# the profiler (which would be profiling the app that is sending the signal).
allow {
#line 40
ephemeral_app
#line 40
isolated_app
#line 40
platform_app
#line 40
priv_app
#line 40
untrusted_app_all
#line 40
} simpleperf:process signal;
# Suppress denial logspam when simpleperf is trying to find a matching process
# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
# the same domain as their respective processes, most of which this domain is
# not allowed to see.
dontaudit simpleperf domain:dir search;
# Neverallows:
# Profiling must be confined to the scope of an individual app.
# Pins self:perf_event to exactly the four permissions granted above; any
# broader perf_event permission (e.g. cpu or tracepoint) added later for this
# domain fails the policy build rather than silently widening profiling scope.
neverallow simpleperf self:perf_event ~{ open read write kernel };
#line 1 "system/sepolicy/private/simpleperf_app_runner.te"
# simpleperf_app_runner: helper launched from shell that drops to an app's
# UID/GID and switches into that app's SELinux domain (setcon) so simpleperf
# runs with the app's privileges. The type declaration itself is not in this
# section; only the coredomain attribute and access rules are.
typeattribute simpleperf_app_runner coredomain;
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow shell simpleperf_app_runner_exec:file { getattr open read execute map };
#line 3
allow shell simpleperf_app_runner:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow simpleperf_app_runner simpleperf_app_runner_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
allow simpleperf_app_runner shell:process sigchld;
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit shell simpleperf_app_runner:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow shell simpleperf_app_runner:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition shell simpleperf_app_runner_exec:process simpleperf_app_runner;
#line 3
# run simpleperf_app_runner in adb shell.
allow simpleperf_app_runner adbd:fd use;
allow simpleperf_app_runner shell:fd use;
allow simpleperf_app_runner devpts:chr_file { read write ioctl };
# simpleperf_app_runner reads package information.
allow simpleperf_app_runner system_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow simpleperf_app_runner system_data_file:lnk_file getattr;
allow simpleperf_app_runner packages_list_file:file { getattr open read ioctl lock map watch watch_reads };
# The app's data dir may be accessed through a symlink.
allow simpleperf_app_runner system_data_file:lnk_file read;
# simpleperf_app_runner switches to the app UID/GID.
allow simpleperf_app_runner self:{ capability cap_userns } { setuid setgid };
# simpleperf_app_runner switches to the app security context.
#line 22
#line 22
allow simpleperf_app_runner selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 22
allow simpleperf_app_runner selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 22
#line 22
# Write access to selinuxfs plus kernel:security check_context lets the runner
# ask the kernel whether the computed app context is valid before switching.
allow simpleperf_app_runner selinuxfs:file { open append write lock map };
#line 22
allow simpleperf_app_runner kernel:security check_context;
#line 22
# validate context
allow simpleperf_app_runner self:process setcurrent;
# Exec-less (dyntransition) switch is limited to exactly the app domains
# listed here -- the same set simpleperf.te allows to be profiled -- so the
# runner cannot setcon into any other domain.
allow simpleperf_app_runner { ephemeral_app isolated_app platform_app priv_app untrusted_app_all }:process dyntransition; # setcon
# simpleperf_app_runner/libselinux needs access to seapp_contexts_file to
# determine which domain to transition to.
allow simpleperf_app_runner seapp_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# simpleperf_app_runner passes pipe fds.
# simpleperf_app_runner writes app type (debuggable or profileable) to pipe fds.
allow simpleperf_app_runner shell:fifo_file { read write };
# simpleperf_app_runner checks shell data paths.
# simpleperf_app_runner passes shell data fds.
allow simpleperf_app_runner shell_data_file:dir { getattr search };
allow simpleperf_app_runner shell_data_file:file { getattr write };
###
### neverallow rules
###
# simpleperf_app_runner cannot have capabilities other than CAP_SETUID and CAP_SETGID
# These neverallows bound capabilities only; the setcurrent/dyntransition
# rights above are bounded by the explicit target list, not by a neverallow
# in this section.
neverallow simpleperf_app_runner self:{ capability cap_userns } ~{ setuid setgid };
neverallow simpleperf_app_runner self:{ capability2 cap2_userns } *;
#line 1 "system/sepolicy/private/simpleperf_boot.te"
# Domain used when running /system/bin/simpleperf to record boot-time profiles.
# It is started by init process. It's only available on userdebug/eng build.
type simpleperf_boot, domain, coredomain, mlstrustedsubject;
# /data/simpleperf_boot_data, used to store boot-time profiles.
type simpleperf_boot_data_file, file_type;
# NOTE(review): source lines 7-58 of simpleperf_boot.te produce nothing in this
# expansion, consistent with the userdebug/eng-only note above: on this build
# the domain and file type are declared but no access rules are granted here.
#line 59
#line 1 "system/sepolicy/private/slideshow.te"
# slideshow is a core (system-image) domain; this section only attaches the
# coredomain attribute -- the type and its access rules are not declared here.
typeattribute slideshow coredomain;
#line 1 "system/sepolicy/private/snapshotctl.te"
# snapshotctl: init-launched tool for Virtual A/B snapshot management (merging
# snapshots via device-mapper, OTA metadata, boot-control merge status).
type snapshotctl, domain, coredomain;
type snapshotctl_exec, system_file_type, exec_type, file_type;
# Allow init to run snapshotctl and do auto domain transfer.
#line 5
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init snapshotctl_exec:file { getattr open read execute map };
#line 5
allow init snapshotctl:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow snapshotctl snapshotctl_exec:file { entrypoint open read execute getattr map };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init snapshotctl:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init snapshotctl:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition init snapshotctl_exec:process snapshotctl;
#line 5
#line 5
# Stray ';' -- presumably left by a macro invocation written with a trailing
# semicolon in the source .te; it carries no rule.
;
# Allow snapshotctl to start the gsid service.
#line 8
#line 8
allow snapshotctl property_socket:sock_file write;
#line 8
allow snapshotctl init:unix_stream_socket connectto;
#line 8
#line 8
allow snapshotctl ctl_gsid_prop:property_service set;
#line 8
#line 8
allow snapshotctl ctl_gsid_prop:file { getattr open read map };
#line 8
#line 8
# Allow snapshotctl to talk to gsid.
#line 11
# Call the servicemanager and transfer references to it.
#line 11
allow snapshotctl servicemanager:binder { call transfer };
#line 11
# Allow servicemanager to send out callbacks
#line 11
allow servicemanager snapshotctl:binder { call transfer };
#line 11
# servicemanager performs getpidcon on clients.
#line 11
allow servicemanager snapshotctl:dir search;
#line 11
allow servicemanager snapshotctl:file { read open };
#line 11
allow servicemanager snapshotctl:process getattr;
#line 11
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 11
# all domains in domain.te.
#line 11
allow snapshotctl gsi_service:service_manager find;
#line 13
# Call the server domain and optionally transfer references to it.
#line 13
allow snapshotctl gsid:binder { call transfer };
#line 13
# Allow the server domain to transfer references to the client on the reply.
#line 13
allow gsid snapshotctl:binder transfer;
#line 13
# Receive and use open files from the server.
#line 13
allow snapshotctl gsid:fd use;
#line 13
# Allow snapshotctl to create/read/write/delete OTA metadata files for snapshot status and COW file status.
allow snapshotctl metadata_file:dir search;
allow snapshotctl ota_metadata_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow snapshotctl ota_metadata_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow snapshotctl to get the A/B slot suffix from device tree or kernel cmdline.
#line 21
allow snapshotctl sysfs_dt_firmware_android:dir { open getattr read search ioctl lock watch watch_reads };
#line 21
allow snapshotctl sysfs_dt_firmware_android:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 21
# Stray ';' as above; not a rule.
;
allow snapshotctl proc_cmdline:file { getattr open read ioctl lock map watch watch_reads };
# Needed to (re-)map logical partitions.
allow snapshotctl block_device:dir { open getattr read search ioctl lock watch watch_reads };
allow snapshotctl super_block_device:blk_file { getattr open read ioctl lock map watch watch_reads };
# Interact with device-mapper to collapse snapshots.
allow snapshotctl dm_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Needed to mutate device-mapper nodes.
# NOTE(review): CAP_SYS_ADMIN is a broad capability and no neverallow in this
# section bounds snapshotctl's capability set; device-mapper control is the
# stated reason for the grant.
allow snapshotctl self:{ capability cap_userns } sys_admin;
# Snapshotctl talks to the boot control HAL to set merge status.
#line 35
# Call the hwservicemanager and transfer references to it.
#line 35
allow snapshotctl hwservicemanager:binder { call transfer };
#line 35
# Allow hwservicemanager to send out callbacks
#line 35
allow hwservicemanager snapshotctl:binder { call transfer };
#line 35
# hwservicemanager performs getpidcon on clients.
#line 35
allow hwservicemanager snapshotctl:dir search;
#line 35
allow hwservicemanager snapshotctl:file { read open map };
#line 35
allow hwservicemanager snapshotctl:process getattr;
#line 35
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 35
# all domains in domain.te.
#line 35
#line 36
typeattribute snapshotctl halclientdomain;
#line 36
typeattribute snapshotctl hal_bootctl_client;
#line 36
#line 36
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 36
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 36
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 36
#line 36
# Passthrough mode: snapshotctl also carries the hal_bootctl (server-side)
# attribute, so every allow on hal_bootctl below applies to this process too.
typeattribute snapshotctl hal_bootctl;
#line 36
# Find passthrough HAL implementations
#line 36
allow hal_bootctl system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 36
allow hal_bootctl vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 36
allow hal_bootctl vendor_file:file { read open getattr execute map };
#line 36
#line 36
# Allow snapshotctl to write to statsd socket.
#line 39
allow snapshotctl statsdw_socket:sock_file write;
#line 39
allow snapshotctl statsd:unix_dgram_socket sendto;
#line 39
# Logging
# NOTE(review): source lines 40-44 emit no rules in this expansion; presumably
# a build-variant-conditional logging block not enabled here -- confirm.
#line 45
#line 1 "system/sepolicy/private/snapuserd.te"
# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
type snapuserd, domain;
type snapuserd_exec, exec_type, file_type, system_file_type;
typeattribute snapuserd coredomain;
#line 7
#line 7
# Allow the necessary permissions.
#line 7
#line 7
# Old domain may exec the file and transition to the new domain.
#line 7
allow init snapuserd_exec:file { getattr open read execute map };
#line 7
allow init snapuserd:process transition;
#line 7
# New domain is entered by executing the file.
#line 7
allow snapuserd snapuserd_exec:file { entrypoint open read execute getattr map };
#line 7
# New domain can send SIGCHLD to its caller.
#line 7
#line 7
# Enable AT_SECURE, i.e. libc secure mode.
#line 7
dontaudit init snapuserd:process noatsecure;
#line 7
# XXX dontaudit candidate but requires further study.
#line 7
allow init snapuserd:process { siginh rlimitinh };
#line 7
#line 7
# Make the transition occur by default.
#line 7
type_transition init snapuserd_exec:process snapuserd;
#line 7
#line 7
# Read/write access to /dev/kmsg for the daemon's own logging.
allow snapuserd kmsg_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow snapuserd to reach block devices in /dev/block.
allow snapuserd block_device:dir search;
# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
allow snapuserd sysfs:dir { open read };
# Read /sys/block/dm-X/dm/name (which is a symlink to
# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
# dm-X and dynamic partitions.
allow snapuserd sysfs_dm:dir { open read search };
allow snapuserd sysfs_dm:file { getattr open read ioctl lock map watch watch_reads };
# Reading and writing to /dev/block/dm-* (device-mapper) nodes.
allow snapuserd block_device:dir { open getattr read search ioctl lock watch watch_reads };
allow snapuserd dm_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow snapuserd dm_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Reading and writing to dm-user control nodes.
allow snapuserd dm_user_device:dir { open getattr read search ioctl lock watch watch_reads };
allow snapuserd dm_user_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Reading and writing to /dev/socket/snapuserd and snapuserd_proxy.
allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
allow snapuserd snapuserd_proxy_socket:sock_file write;
# Required for setting GID to system while calling SetTaskProfile() API
allow snapuserd self:{ capability cap_userns } { setgid };
# This arises due to first-stage init opening /dev/null without F_CLOEXEC
# (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
# again, the descriptor leaks into the new process.
allow snapuserd kernel:fd use;
# snapuserd.* properties
#line 45
#line 45
allow snapuserd property_socket:sock_file write;
#line 45
allow snapuserd init:unix_stream_socket connectto;
#line 45
#line 45
allow snapuserd snapuserd_prop:property_service set;
#line 45
#line 45
allow snapuserd snapuserd_prop:file { getattr open read map };
#line 45
#line 45
#line 46
allow snapuserd virtual_ab_prop:file { getattr open read map };
#line 46
# For inotify watching for /dev/socket/snapuserd_proxy to appear.
allow snapuserd tmpfs:dir { read watch };
# Forbid anything other than snapuserd and init setting snapuserd properties.
# (Build-time guarantee: a grant to any other domain fails policy compilation.)
neverallow {
domain
-snapuserd
-init
} snapuserd_prop:property_service set;
# Allow snapuserd to read/write/create OTA metadata files
allow snapuserd metadata_file:dir search;
allow snapuserd ota_metadata_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow snapuserd ota_metadata_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# write to /data/misc/snapuserd_log
allow snapuserd snapuserd_log_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow snapuserd snapuserd_log_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Read /proc/stat to determine boot time
allow snapuserd proc_stat:file { getattr open read ioctl lock map watch watch_reads };
# This capability allows snapuserd to circumvent memlock rlimits while using
# io_uring. An alternative would be to up the memlock rlimit for the snapuserd service.
allow snapuserd self:capability ipc_lock;
#line 73
# Set up a type_transition to "io_uring" named anonymous inode object.
#line 73
type snapuserd_iouring;
#line 73
type_transition snapuserd snapuserd:anon_inode snapuserd_iouring "[io_uring]";
#line 73
# Allow domain to create/use io_uring anon_inode.
#line 73
allow snapuserd snapuserd_iouring:anon_inode { create map read write };
#line 73
allow snapuserd self:io_uring sqpoll;
#line 73
# Other domains may not use iouring anon_inodes created by this domain.
#line 73
neverallow { domain -snapuserd } snapuserd_iouring:anon_inode *;
#line 73
# io_uring checks for CAP_IPC_LOCK to determine whether or not to track
#line 73
# memory usage per uid against RLIMIT_MEMLOCK. This can lead folks to
#line 73
# grant CAP_IPC_LOCK to silence avc denials, which is undesirable.
#line 73
# NOTE(review): this dontaudit is moot for the capability class because
# self:capability ipc_lock is explicitly allowed above; the grant and the
# rationale in this comment pull in opposite directions -- confirm which is
# intended (the comment above the allow cites memlock limits as the reason).
dontaudit snapuserd self:{ capability cap_userns } ipc_lock;
#line 73
#line 1 "system/sepolicy/private/stats.te"
# stats: shell-launched command-line client of statsd (retrieves stats
# reports over binder and a ParcelFileDescriptor).
type stats, domain;
typeattribute stats coredomain;
type stats_exec, system_file_type, exec_type, file_type;
# switch to stats domain for stats command
#line 6
# Allow the necessary permissions.
#line 6
#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow shell stats_exec:file { getattr open read execute map };
#line 6
allow shell stats:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow stats stats_exec:file { entrypoint open read execute getattr map };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
allow stats shell:process sigchld;
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit shell stats:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow shell stats:process { siginh rlimitinh };
#line 6
#line 6
# Make the transition occur by default.
#line 6
type_transition shell stats_exec:process stats;
#line 6
# allow stats access to stdout from its parent shell.
allow stats shell:fd use;
# allow stats to use the adb connection's fd and to read from and write to
# that connection.
allow stats adbd:fd use;
allow stats adbd:unix_stream_socket { read write };
# allow adbd to reap stats
allow stats adbd:process { sigchld };
# Allow the stats command to talk to the statsd over the binder, and get
# back the stats report data from a ParcelFileDescriptor.
#line 21
# Call the servicemanager and transfer references to it.
#line 21
allow stats servicemanager:binder { call transfer };
#line 21
# Allow servicemanager to send out callbacks
#line 21
allow servicemanager stats:binder { call transfer };
#line 21
# servicemanager performs getpidcon on clients.
#line 21
allow servicemanager stats:dir search;
#line 21
allow servicemanager stats:file { read open };
#line 21
allow servicemanager stats:process getattr;
#line 21
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 21
# all domains in domain.te.
#line 21
allow stats stats_service:service_manager find;
#line 23
# Call the server domain and optionally transfer references to it.
#line 23
allow stats statsd:binder { call transfer };
#line 23
# Allow the server domain to transfer references to the client on the reply.
#line 23
allow stats statsd:binder transfer;
#line 23
# Receive and use open files from the server.
#line 23
allow stats statsd:fd use;
#line 23
allow stats statsd:fifo_file write;
# Only statsd can publish the binder service.
#line 27
allow statsd stats_service:service_manager { add find };
#line 27
# Build-time guarantee: an 'add' grant on stats_service to any domain other
# than statsd fails policy compilation.
neverallow { domain -statsd } stats_service:service_manager add;
#line 27
#line 27
# On debug builds with root, allow binder services to use binder over TCP.
#line 27
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 27
# NOTE(review): the TCP-binder rules the two comments above refer to are
# absent from this expansion -- presumably a debug-build-only block not
# enabled for this build; confirm.
#line 27
# Allow pipes from (and only from) stats.
allow statsd stats:fd use;
allow statsd stats:fifo_file write;
# Allow statsd to call back to stats with status updates.
#line 34
# Call the server domain and optionally transfer references to it.
#line 34
allow statsd stats:binder { call transfer };
#line 34
# Allow the server domain to transfer references to the client on the reply.
#line 34
# Duplicate of the 'allow stats statsd:binder transfer' rule above (two macro
# expansions overlap); the policy compiler merges identical allow rules, so
# this is harmless.
allow stats statsd:binder transfer;
#line 34
# Receive and use open files from the server.
#line 34
# Likewise duplicates 'allow statsd stats:fd use' from the pipe rules above.
allow statsd stats:fd use;
#line 34
#line 1 "system/sepolicy/private/statsd.te"
# statsd - the statistics daemon. This is the macro-expanded form of
# system/sepolicy/private/statsd.te; each "#line N" marker maps the rule that
# follows it back to line N of that source file (the markers are not comments
# for checkpolicy's purposes and must be kept as-is).
typeattribute statsd coredomain;
# Domain transition from init: init may exec statsd_exec and land in the statsd
# domain, and statsd_exec is the only entrypoint into statsd (looks like the
# standard init_daemon_domain() expansion).
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init statsd_exec:file { getattr open read execute map };
#line 3
allow init statsd:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow statsd statsd_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
# (No rule is emitted here for init; presumably granted elsewhere - confirm.)
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode: the noatsecure denial is silenced
# rather than allowed, so the kernel keeps AT_SECURE set for the new process.
#line 3
dontaudit init statsd:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init statsd:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init statsd_exec:process statsd;
#line 3
#line 3
# Allow to exec the perfetto cmdline client and pass it the trace config on
# stdin through a pipe. It allows statsd to capture traces and hand them
# to Android dropbox.
# Note the grant includes execute_no_trans as well as execute: statsd may run
# the perfetto binary in its own domain, although the type_transition below
# makes the transition into the perfetto domain the default.
allow statsd perfetto_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 9
# Allow the necessary permissions.
#line 9
#line 9
# Old domain may exec the file and transition to the new domain.
#line 9
allow statsd perfetto_exec:file { getattr open read execute map };
#line 9
allow statsd perfetto:process transition;
#line 9
# New domain is entered by executing the file.
#line 9
allow perfetto perfetto_exec:file { entrypoint open read execute getattr map };
#line 9
# New domain can send SIGCHLD to its caller.
#line 9
allow perfetto statsd:process sigchld;
#line 9
# Enable AT_SECURE, i.e. libc secure mode (denial silenced, not allowed, so
# the spawned perfetto process runs with AT_SECURE set).
#line 9
dontaudit statsd perfetto:process noatsecure;
#line 9
# XXX dontaudit candidate but requires further study.
#line 9
allow statsd perfetto:process { siginh rlimitinh };
#line 9
#line 9
# Make the transition occur by default.
#line 9
type_transition statsd perfetto_exec:process perfetto;
#line 9
# Grant statsd permission to look up (find) the services it talks to.
# Only "find" is granted here; registering (add) is not.
allow statsd {
statscompanion_service
}:service_manager find;
# Allow incidentd to obtain the statsd incident section.
# No "open" on any of the fifo_file rules below: they only apply to pipes that
# the peer has already opened and handed to statsd over a descriptor.
allow statsd incidentd:fifo_file write;
# Allow StatsCompanionService to pipe data to statsd.
allow statsd system_server:fifo_file { read write getattr };
# Allow Statsd to pipe data to privileged apps.
allow statsd priv_app:fifo_file { read write getattr };
# Allow statsd to retrieve SF statistics over binder
#line 26
# Call the server domain and optionally transfer references to it.
#line 26
allow statsd surfaceflinger:binder { call transfer };
#line 26
# Allow the server domain to transfer references to the client on the reply.
#line 26
allow surfaceflinger statsd:binder transfer;
#line 26
# Receive and use open files from the server.
#line 26
allow statsd surfaceflinger:fd use;
#line 26
# NOTE(review): the lone ';' below looks like leftover from macro expansion;
# it contributes no rule.
;
# Allow statsd to read its system properties
#line 29
allow statsd device_config_statsd_native_prop:file { getattr open read map };
#line 29
#line 30
allow statsd device_config_statsd_native_boot_prop:file { getattr open read map };
#line 30
# Allow statsd to write uprobestats configs.
# Full create/rename/unlink/write on the configs directory and its files, so
# statsd controls the entire contents of that directory.
allow statsd uprobestats_configs_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow statsd uprobestats_configs_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow statsd to trigger uprobestats via property.
# Setting a property goes through init's property service socket (the
# property_socket write + connectto pair), then "set" on the property type.
# Taken together with the config-directory rules above, statsd both supplies
# the config and fires the trigger; presumably uprobestats validates what it
# reads from that directory - confirm on the uprobestats side.
#line 37
#line 37
allow statsd property_socket:sock_file write;
#line 37
allow statsd init:unix_stream_socket connectto;
#line 37
#line 37
allow statsd uprobestats_start_with_config_prop:property_service set;
#line 37
#line 37
allow statsd uprobestats_start_with_config_prop:file { getattr open read map };
#line 37
#line 37
# NOTE(review): stray ';' from macro expansion; no rule.
;
#line 1 "system/sepolicy/private/storaged.te"
# storaged daemon
# Macro-expanded form of system/sepolicy/private/storaged.te; each "#line N"
# marker maps the rule following it back to line N of that source file.
# storaged is a coredomain and an mlstrustedsubject (it may cross MLS levels).
type storaged, domain, coredomain, mlstrustedsubject;
type storaged_exec, system_file_type, exec_type, file_type;
# Domain transition from init: init execs storaged_exec and lands in the
# storaged domain; storaged_exec is the only entrypoint.
#line 5
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init storaged_exec:file { getattr open read execute map };
#line 5
allow init storaged:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow storaged storaged_exec:file { entrypoint open read execute getattr map };
#line 5
# New domain can send SIGCHLD to its caller.
# (No rule emitted here for init; presumably granted elsewhere - confirm.)
#line 5
#line 5
# Enable AT_SECURE, i.e. libc secure mode: the denial is silenced, not
# allowed, so the new process keeps AT_SECURE set.
#line 5
dontaudit init storaged:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init storaged:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition init storaged_exec:process storaged;
#line 5
#line 5
# Read access to pseudo filesystems
# The target is the "domain" attribute, i.e. the /proc/<pid> entries of every
# process domain: storaged can read any process's procfs files and symlinks.
# This is a broad grant; anything sensitive under /proc/<pid> is readable here.
#line 8
allow storaged domain:dir { open getattr read search ioctl lock watch watch_reads };
#line 8
allow storaged domain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 8
# Read /proc/uid_io/stats
allow storaged proc_uid_io_stats:file { getattr open read ioctl lock map watch watch_reads };
# Read /data/system/packages.list
allow storaged system_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow storaged packages_list_file:file { getattr open read ioctl lock map watch watch_reads };
# Store storaged proto file
# Full create/rename/unlink/write on storaged's own data directory and files.
allow storaged storaged_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow storaged storaged_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Nothing is emitted for source lines 21-26; presumably a conditional block
# that expands to nothing in this build configuration.
#line 21
#line 27
# Needed to provide debug dump output via dumpsys pipes.
allow storaged shell:fd use;
allow storaged shell:fifo_file write;
# Needed for GMScore to call dumpsys storaged
allow storaged priv_app:fd use;
# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
# Remove after no logs are seen for this rule.
#line 39
allow storaged gmscore_app:fd use;
# "write" without "open": storaged can only write into app-owned files through
# descriptors the app itself hands over (the fd "use" rules above), not open
# arbitrary app data files.
allow storaged { privapp_data_file app_data_file }:file write;
allow storaged permission_service:service_manager find;
# Binder permissions
# Publishes storaged_service; the neverallow pins storaged as the only domain
# that may register it.
#line 45
allow storaged storaged_service:service_manager { add find };
#line 45
neverallow { domain -storaged } storaged_service:service_manager add;
#line 45
#line 45
# On debug builds with root, allow binder services to use binder over TCP.
# (No rule is emitted here; presumably that debug-only rule is excluded in
# this build configuration.)
#line 45
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 45
#line 45
#line 47
# Call the servicemanager and transfer references to it.
#line 47
allow storaged servicemanager:binder { call transfer };
#line 47
# Allow servicemanager to send out callbacks
#line 47
allow servicemanager storaged:binder { call transfer };
#line 47
# servicemanager performs getpidcon on clients.
#line 47
allow servicemanager storaged:dir search;
#line 47
allow servicemanager storaged:file { read open };
#line 47
allow servicemanager storaged:process getattr;
#line 47
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 47
# all domains in domain.te.
#line 47
#line 48
# Call the server domain and optionally transfer references to it.
#line 48
allow storaged system_server:binder { call transfer };
#line 48
# Allow the server domain to transfer references to the client on the reply.
#line 48
allow system_server storaged:binder transfer;
#line 48
# Receive and use open files from the server.
#line 48
allow storaged system_server:fd use;
#line 48
# HAL client setup for the health HAL. Because storaged also receives the
# hal_health attribute below, the passthrough rules on hal_health apply to
# storaged itself: it may search /system and /vendor and read/map/execute
# vendor_file (i.e. load a passthrough HAL in-process).
#line 50
typeattribute storaged halclientdomain;
#line 50
typeattribute storaged hal_health_client;
#line 50
#line 50
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 50
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 50
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 50
#line 50
typeattribute storaged hal_health;
#line 50
# Find passthrough HAL implementations
#line 50
allow hal_health system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 50
allow hal_health vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 50
allow hal_health vendor_file:file { read open getattr execute map };
#line 50
#line 50
# Implements a dumpsys interface.
allow storaged dumpstate:fd use;
# use a subset of the package manager service
allow storaged package_native_service:service_manager find;
# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
# running as root. See b/35323867 #3.
# Silences the audit noise only; the capability is still denied (and is
# neverallowed below).
dontaudit storaged self:{ capability cap_userns } { dac_override dac_read_search };
# For collecting bugreports.
allow storaged dumpstate:fifo_file write;
###
### neverallow
###
# storaged must never ptrace any process and must never hold any capability;
# these are enforced at policy compile time against every rule in the build.
neverallow storaged domain:process ptrace;
neverallow storaged self:{ capability capability2 cap_userns cap2_userns } *;
#line 36 "system/sepolicy/private/su.te"
#line 1 "system/sepolicy/private/surfaceflinger.te"
# surfaceflinger - display compositor service
typeattribute surfaceflinger coredomain;
type surfaceflinger_exec, system_file_type, exec_type, file_type;
#line 6
#line 6
# Allow the necessary permissions.
#line 6
#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow init surfaceflinger_exec:file { getattr open read execute map };
#line 6
allow init surfaceflinger:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow surfaceflinger surfaceflinger_exec:file { entrypoint open read execute getattr map };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit init surfaceflinger:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow init surfaceflinger:process { siginh rlimitinh };
#line 6
#line 6
# Make the transition occur by default.
#line 6
type_transition init surfaceflinger_exec:process surfaceflinger;
#line 6
#line 6
#line 7
type_transition surfaceflinger tmpfs:file surfaceflinger_tmpfs;
#line 7
allow surfaceflinger surfaceflinger_tmpfs:file { read write getattr map };
#line 7
typeattribute surfaceflinger mlstrustedsubject;
typeattribute surfaceflinger display_service_server;
#line 12
allow surfaceflinger runtime_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads };
#line 12
# Perform HwBinder IPC.
#line 15
typeattribute surfaceflinger halclientdomain;
#line 15
typeattribute surfaceflinger hal_graphics_allocator_client;
#line 15
#line 15
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 15
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 15
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 15
#line 15
typeattribute surfaceflinger hal_graphics_allocator;
#line 15
# Find passthrough HAL implementations
#line 15
allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 15
allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 15
allow hal_graphics_allocator vendor_file:file { read open getattr execute map };
#line 15
#line 15
#line 16
typeattribute surfaceflinger halclientdomain;
#line 16
typeattribute surfaceflinger hal_graphics_composer_client;
#line 16
#line 16
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 16
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 16
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 16
#line 16
typeattribute surfaceflinger hal_graphics_composer;
#line 16
# Find passthrough HAL implementations
#line 16
allow hal_graphics_composer system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 16
allow hal_graphics_composer vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 16
allow hal_graphics_composer vendor_file:file { read open getattr execute map };
#line 16
#line 16
typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
#line 18
typeattribute surfaceflinger halclientdomain;
#line 18
typeattribute surfaceflinger hal_codec2_client;
#line 18
#line 18
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 18
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 18
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 18
#line 18
typeattribute surfaceflinger hal_codec2;
#line 18
# Find passthrough HAL implementations
#line 18
allow hal_codec2 system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 18
allow hal_codec2 vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 18
allow hal_codec2 vendor_file:file { read open getattr execute map };
#line 18
#line 18
#line 19
typeattribute surfaceflinger halclientdomain;
#line 19
typeattribute surfaceflinger hal_omx_client;
#line 19
#line 19
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 19
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 19
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 19
#line 19
typeattribute surfaceflinger hal_omx;
#line 19
# Find passthrough HAL implementations
#line 19
allow hal_omx system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 19
allow hal_omx vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 19
allow hal_omx vendor_file:file { read open getattr execute map };
#line 19
#line 19
#line 20
typeattribute surfaceflinger halclientdomain;
#line 20
typeattribute surfaceflinger hal_configstore_client;
#line 20
#line 20
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 20
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 20
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 20
#line 20
typeattribute surfaceflinger hal_configstore;
#line 20
# Find passthrough HAL implementations
#line 20
allow hal_configstore system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 20
allow hal_configstore vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 20
allow hal_configstore vendor_file:file { read open getattr execute map };
#line 20
#line 20
#line 21
typeattribute surfaceflinger halclientdomain;
#line 21
typeattribute surfaceflinger hal_power_client;
#line 21
#line 21
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 21
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 21
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 21
#line 21
typeattribute surfaceflinger hal_power;
#line 21
# Find passthrough HAL implementations
#line 21
allow hal_power system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 21
allow hal_power vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 21
allow hal_power vendor_file:file { read open getattr execute map };
#line 21
#line 21
allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
# Perform Binder IPC.
#line 25
# Call the servicemanager and transfer references to it.
#line 25
allow surfaceflinger servicemanager:binder { call transfer };
#line 25
# Allow servicemanager to send out callbacks
#line 25
allow servicemanager surfaceflinger:binder { call transfer };
#line 25
# servicemanager performs getpidcon on clients.
#line 25
allow servicemanager surfaceflinger:dir search;
#line 25
allow servicemanager surfaceflinger:file { read open };
#line 25
allow servicemanager surfaceflinger:process getattr;
#line 25
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 25
# all domains in domain.te.
#line 25
#line 26
# Call the server domain and optionally transfer references to it.
#line 26
allow surfaceflinger binderservicedomain:binder { call transfer };
#line 26
# Allow the serverdomain to transfer references to the client on the reply.
#line 26
allow binderservicedomain surfaceflinger:binder transfer;
#line 26
# Receive and use open files from the server.
#line 26
allow surfaceflinger binderservicedomain:fd use;
#line 26
#line 27
# Call the server domain and optionally transfer references to it.
#line 27
allow surfaceflinger appdomain:binder { call transfer };
#line 27
# Allow the serverdomain to transfer references to the client on the reply.
#line 27
allow appdomain surfaceflinger:binder transfer;
#line 27
# Receive and use open files from the server.
#line 27
allow surfaceflinger appdomain:fd use;
#line 27
#line 28
# Call the server domain and optionally transfer references to it.
#line 28
allow surfaceflinger bootanim:binder { call transfer };
#line 28
# Allow the serverdomain to transfer references to the client on the reply.
#line 28
allow bootanim surfaceflinger:binder transfer;
#line 28
# Receive and use open files from the server.
#line 28
allow surfaceflinger bootanim:fd use;
#line 28
#line 29
# Call the server domain and optionally transfer references to it.
#line 29
allow surfaceflinger system_server:binder { call transfer };
#line 29
# Allow the serverdomain to transfer references to the client on the reply.
#line 29
allow system_server surfaceflinger:binder transfer;
#line 29
# Receive and use open files from the server.
#line 29
allow surfaceflinger system_server:fd use;
#line 29
;
#line 30
typeattribute surfaceflinger binderservicedomain;
#line 30
# Binder IPC to bu, presently runs in adbd domain.
#line 33
# Call the server domain and optionally transfer references to it.
#line 33
allow surfaceflinger adbd:binder { call transfer };
#line 33
# Allow the serverdomain to transfer references to the client on the reply.
#line 33
allow adbd surfaceflinger:binder transfer;
#line 33
# Receive and use open files from the server.
#line 33
allow surfaceflinger adbd:fd use;
#line 33
# Read /proc/pid files for Binder clients.
#line 36
allow surfaceflinger binderservicedomain:dir { open getattr read search ioctl lock watch watch_reads };
#line 36
allow surfaceflinger binderservicedomain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 36
#line 37
allow surfaceflinger appdomain:dir { open getattr read search ioctl lock watch watch_reads };
#line 37
allow surfaceflinger appdomain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 37
# Access the GPU.
allow surfaceflinger gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow surfaceflinger gpu_device:dir { open getattr read search ioctl lock watch watch_reads };
allow surfaceflinger sysfs_gpu:file { getattr open read ioctl lock map watch watch_reads };
# Access /dev/graphics/fb0.
allow surfaceflinger graphics_device:dir search;
allow surfaceflinger graphics_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Access /dev/video1.
allow surfaceflinger video_device:dir { open getattr read search ioctl lock watch watch_reads };
allow surfaceflinger video_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Access the secure heap.
allow surfaceflinger dmabuf_system_secure_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# Create and use netlink kobject uevent sockets.
allow surfaceflinger self:netlink_kobject_uevent_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# Set properties.
#line 59
#line 59
allow surfaceflinger property_socket:sock_file write;
#line 59
allow surfaceflinger init:unix_stream_socket connectto;
#line 59
#line 59
allow surfaceflinger system_prop:property_service set;
#line 59
#line 59
allow surfaceflinger system_prop:file { getattr open read map };
#line 59
#line 59
#line 60
#line 60
allow surfaceflinger property_socket:sock_file write;
#line 60
allow surfaceflinger init:unix_stream_socket connectto;
#line 60
#line 60
allow surfaceflinger bootanim_system_prop:property_service set;
#line 60
#line 60
allow surfaceflinger bootanim_system_prop:file { getattr open read map };
#line 60
#line 60
#line 61
#line 61
allow surfaceflinger property_socket:sock_file write;
#line 61
allow surfaceflinger init:unix_stream_socket connectto;
#line 61
#line 61
allow surfaceflinger exported_system_prop:property_service set;
#line 61
#line 61
allow surfaceflinger exported_system_prop:file { getattr open read map };
#line 61
#line 61
#line 62
#line 62
allow surfaceflinger property_socket:sock_file write;
#line 62
allow surfaceflinger init:unix_stream_socket connectto;
#line 62
#line 62
allow surfaceflinger exported3_system_prop:property_service set;
#line 62
#line 62
allow surfaceflinger exported3_system_prop:file { getattr open read map };
#line 62
#line 62
#line 63
#line 63
allow surfaceflinger property_socket:sock_file write;
#line 63
allow surfaceflinger init:unix_stream_socket connectto;
#line 63
#line 63
allow surfaceflinger ctl_bootanim_prop:property_service set;
#line 63
#line 63
allow surfaceflinger ctl_bootanim_prop:file { getattr open read map };
#line 63
#line 63
#line 64
#line 64
allow surfaceflinger property_socket:sock_file write;
#line 64
allow surfaceflinger init:unix_stream_socket connectto;
#line 64
#line 64
allow surfaceflinger locale_prop:property_service set;
#line 64
#line 64
allow surfaceflinger locale_prop:file { getattr open read map };
#line 64
#line 64
#line 65
#line 65
allow surfaceflinger property_socket:sock_file write;
#line 65
allow surfaceflinger init:unix_stream_socket connectto;
#line 65
#line 65
allow surfaceflinger surfaceflinger_display_prop:property_service set;
#line 65
#line 65
allow surfaceflinger surfaceflinger_display_prop:file { getattr open read map };
#line 65
#line 65
#line 66
#line 66
allow surfaceflinger property_socket:sock_file write;
#line 66
allow surfaceflinger init:unix_stream_socket connectto;
#line 66
#line 66
allow surfaceflinger timezone_prop:property_service set;
#line 66
#line 66
allow surfaceflinger timezone_prop:file { getattr open read map };
#line 66
#line 66
# Get properties.
#line 69
allow surfaceflinger qemu_sf_lcd_density_prop:file { getattr open read map };
#line 69
#line 70
allow surfaceflinger device_config_surface_flinger_native_boot_prop:file { getattr open read map };
#line 70
# Use open files supplied by an app.
allow surfaceflinger appdomain:fd use;
allow surfaceflinger { app_data_file privapp_data_file }:file { read write };
# Allow writing surface traces to /data/misc/wmtrace.
#line 80
# Needed to register as a Perfetto producer.
#line 83
allow surfaceflinger traced:fd use;
#line 83
allow surfaceflinger traced_tmpfs:file { read write getattr map };
#line 83
#line 83
allow surfaceflinger traced_producer_socket:sock_file write;
#line 83
allow surfaceflinger traced:unix_stream_socket connectto;
#line 83
#line 83
#line 83
# Also allow the service to use the producer file descriptors. This is
#line 83
# necessary when the producer is creating the shared memory, as it will be
#line 83
# passed to the service as a file descriptor (obtained from memfd_create).
#line 83
allow traced surfaceflinger:fd use;
#line 83
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow surfaceflinger adbd:unix_stream_socket { read write getattr };
# Allow a dumpstate triggered screenshot
#line 89
# Call the server domain and optionally transfer references to it.
#line 89
allow surfaceflinger dumpstate:binder { call transfer };
#line 89
# Allow the serverdomain to transfer references to the client on the reply.
#line 89
allow dumpstate surfaceflinger:binder transfer;
#line 89
# Receive and use open files from the server.
#line 89
allow surfaceflinger dumpstate:fd use;
#line 89
#line 90
# Call the server domain and optionally transfer references to it.
#line 90
allow surfaceflinger shell:binder { call transfer };
#line 90
# Allow the serverdomain to transfer references to the client on the reply.
#line 90
allow shell surfaceflinger:binder transfer;
#line 90
# Receive and use open files from the server.
#line 90
allow surfaceflinger shell:fd use;
#line 90
#line 91
allow surfaceflinger dumpstate:dir { open getattr read search ioctl lock watch watch_reads };
#line 91
allow surfaceflinger dumpstate:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 91
# media.player service
# do not use add_service() as hal_graphics_composer_default may be the
# provider as well
#add_service(surfaceflinger, surfaceflinger_service)
allow surfaceflinger surfaceflinger_service:service_manager { add find };
allow surfaceflinger mediaserver_service:service_manager find;
allow surfaceflinger permission_service:service_manager find;
allow surfaceflinger power_service:service_manager find;
allow surfaceflinger vr_manager_service:service_manager find;
allow surfaceflinger window_service:service_manager find;
allow surfaceflinger inputflinger_service:service_manager find;
# allow self to set SCHED_FIFO
allow surfaceflinger self:{ capability cap_userns } sys_nice;
allow surfaceflinger proc_meminfo:file { getattr open read ioctl lock map watch watch_reads };
#line 111
allow surfaceflinger cgroup:dir { open getattr read search ioctl lock watch watch_reads };
#line 111
allow surfaceflinger cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 111
#line 112
allow surfaceflinger cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
#line 112
allow surfaceflinger cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 112
#line 113
allow surfaceflinger system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 113
allow surfaceflinger system_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 113
allow surfaceflinger tmpfs:dir { open getattr read search ioctl lock watch watch_reads };
allow surfaceflinger system_server:fd use;
allow surfaceflinger system_server:unix_stream_socket { read write };
allow surfaceflinger ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow surfaceflinger dmabuf_system_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# pdx IPC
#line 121
# Mark the server domain as a PDX server.
#line 121
typeattribute surfaceflinger pdx_display_client_server_type;
#line 121
# Allow the init process to create the initial endpoint socket.
#line 121
allow init pdx_display_client_endpoint_socket_type:unix_stream_socket { create bind };
#line 121
# Allow the server domain to use the endpoint socket and accept connections on it.
#line 121
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 121
# than we need (e.g. we don"t need "bind" or "connect").
#line 121
allow surfaceflinger pdx_display_client_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
#line 121
# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
#line 121
allow surfaceflinger self:process setsockcreate;
#line 121
# Allow the server domain to create a client channel socket.
#line 121
allow surfaceflinger pdx_display_client_channel_socket_type:unix_stream_socket { create { { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } listen accept } };
#line 121
# Prevent other processes from claiming to be a server for the same service.
#line 121
neverallow {domain -surfaceflinger} pdx_display_client_endpoint_socket_type:unix_stream_socket { listen accept };
#line 121
#line 122
# Mark the server domain as a PDX server.
#line 122
typeattribute surfaceflinger pdx_display_manager_server_type;
#line 122
# Allow the init process to create the initial endpoint socket.
#line 122
allow init pdx_display_manager_endpoint_socket_type:unix_stream_socket { create bind };
#line 122
# Allow the server domain to use the endpoint socket and accept connections on it.
#line 122
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 122
# than we need (e.g. we don"t need "bind" or "connect").
#line 122
allow surfaceflinger pdx_display_manager_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
#line 122
# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
#line 122
allow surfaceflinger self:process setsockcreate;
#line 122
# Allow the server domain to create a client channel socket.
#line 122
allow surfaceflinger pdx_display_manager_channel_socket_type:unix_stream_socket { create { { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } listen accept } };
#line 122
# Prevent other processes from claiming to be a server for the same service.
#line 122
neverallow {domain -surfaceflinger} pdx_display_manager_endpoint_socket_type:unix_stream_socket { listen accept };
#line 122
#line 123
# Mark the server domain as a PDX server.
#line 123
typeattribute surfaceflinger pdx_display_screenshot_server_type;
#line 123
# Allow the init process to create the initial endpoint socket.
#line 123
allow init pdx_display_screenshot_endpoint_socket_type:unix_stream_socket { create bind };
#line 123
# Allow the server domain to use the endpoint socket and accept connections on it.
#line 123
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 123
# than we need (e.g. we don"t need "bind" or "connect").
#line 123
allow surfaceflinger pdx_display_screenshot_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
#line 123
# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
#line 123
allow surfaceflinger self:process setsockcreate;
#line 123
# Allow the server domain to create a client channel socket.
#line 123
allow surfaceflinger pdx_display_screenshot_channel_socket_type:unix_stream_socket { create { { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } listen accept } };
#line 123
# Prevent other processes from claiming to be a server for the same service.
#line 123
neverallow {domain -surfaceflinger} pdx_display_screenshot_endpoint_socket_type:unix_stream_socket { listen accept };
#line 123
#line 124
# Mark the server domain as a PDX server.
#line 124
typeattribute surfaceflinger pdx_display_vsync_server_type;
#line 124
# Allow the init process to create the initial endpoint socket.
#line 124
allow init pdx_display_vsync_endpoint_socket_type:unix_stream_socket { create bind };
#line 124
# Allow the server domain to use the endpoint socket and accept connections on it.
#line 124
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 124
# than we need (e.g. we don"t need "bind" or "connect").
#line 124
allow surfaceflinger pdx_display_vsync_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
#line 124
# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
#line 124
allow surfaceflinger self:process setsockcreate;
#line 124
# Allow the server domain to create a client channel socket.
#line 124
allow surfaceflinger pdx_display_vsync_channel_socket_type:unix_stream_socket { create { { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map } listen accept } };
#line 124
# Prevent other processes from claiming to be a server for the same service.
#line 124
neverallow {domain -surfaceflinger} pdx_display_vsync_endpoint_socket_type:unix_stream_socket { listen accept };
#line 124
#line 126
#line 126
# Allow client to open the service endpoint file.
#line 126
allow surfaceflinger pdx_bufferhub_client_endpoint_dir_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 126
allow surfaceflinger pdx_bufferhub_client_endpoint_socket_type:sock_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 126
# Allow the client to connect to endpoint socket.
#line 126
allow surfaceflinger pdx_bufferhub_client_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
#line 126
#line 126
#line 126
# Allow the client to use the PDX channel socket.
#line 126
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 126
# than we need (e.g. we don't need "bind" or "connect").
#line 126
allow surfaceflinger pdx_bufferhub_client_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
#line 126
# Client needs to use a channel event fd from the server.
#line 126
allow surfaceflinger pdx_bufferhub_client_server_type:fd use;
#line 126
# Servers may receive sync fences, gralloc buffers, etc, from clients.
#line 126
# This could be tightened on a per-server basis, but keeping track of service
#line 126
# clients is error prone.
#line 126
allow pdx_bufferhub_client_server_type surfaceflinger:fd use;
#line 126
#line 126
#line 127
#line 127
# Allow client to open the service endpoint file.
#line 127
allow surfaceflinger pdx_performance_client_endpoint_dir_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 127
allow surfaceflinger pdx_performance_client_endpoint_socket_type:sock_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 127
# Allow the client to connect to endpoint socket.
#line 127
allow surfaceflinger pdx_performance_client_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
#line 127
#line 127
#line 127
# Allow the client to use the PDX channel socket.
#line 127
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
#line 127
# than we need (e.g. we don't need "bind" or "connect").
#line 127
allow surfaceflinger pdx_performance_client_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
#line 127
# Client needs to use a channel event fd from the server.
#line 127
allow surfaceflinger pdx_performance_client_server_type:fd use;
#line 127
# Servers may receive sync fences, gralloc buffers, etc, from clients.
#line 127
# This could be tightened on a per-server basis, but keeping track of service
#line 127
# clients is error prone.
#line 127
allow pdx_performance_client_server_type surfaceflinger:fd use;
#line 127
#line 127
# Allow supplying timestats statistics to statsd
allow surfaceflinger stats_service:service_manager find;
allow surfaceflinger statsmanager_service:service_manager find;
# TODO(146461633): remove this once native pullers talk to StatsManagerService
#line 133
# Call the server domain and optionally transfer references to it.
#line 133
allow surfaceflinger statsd:binder { call transfer };
#line 133
# Allow the server domain to transfer references to the client on the reply.
#line 133
allow statsd surfaceflinger:binder transfer;
#line 133
# Receive and use open files from the server.
#line 133
allow surfaceflinger statsd:fd use;
#line 133
;
# Allow to use files supplied by hal_evs
allow surfaceflinger hal_evs:fd use;
# Allow to use release fence fds supplied by hal_camera
allow surfaceflinger hal_camera:fd use;
# Allow pushing jank event atoms to statsd
#line 144
# Surfaceflinger should not be reading default vendor-defined properties.
dontaudit surfaceflinger vendor_default_prop:file read;
###
### Neverallow rules
###
### surfaceflinger should NEVER do any of this
# Do not allow accessing SDcard files as unsafe ejection could
# cause the kernel to kill the process.
neverallow surfaceflinger { sdcard_type fuse }:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# b/68864350
dontaudit surfaceflinger unlabeled:dir search;
#line 1 "system/sepolicy/private/system_app.te"
###
### Apps that run with the system UID, e.g. com.android.system.ui,
### com.android.settings. These are not as privileged as the system
### server.
###
typeattribute system_app coredomain, mlstrustedsubject;
# The "#line 9" group below is one expanded macro: tmpfs labelling, a
# domain-private userfaultfd anon_inode type, and the file-access and
# ptrace neverallows that apply to this app domain.
#line 9
typeattribute system_app appdomain;
#line 9
# Label tmpfs objects for all apps.
#line 9
type_transition system_app tmpfs:file appdomain_tmpfs;
#line 9
#line 9
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 9
type system_app_userfaultfd;
#line 9
type_transition system_app system_app:anon_inode system_app_userfaultfd "[userfaultfd]";
#line 9
# Allow domain to create/use userfaultfd anon_inode.
#line 9
allow system_app system_app_userfaultfd:anon_inode { create ioctl read };
#line 9
# Suppress errors generated during bugreport
#line 9
dontaudit su system_app_userfaultfd:anon_inode *;
#line 9
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 9
neverallow { domain -system_app } system_app_userfaultfd:anon_inode *;
#line 9
#line 9
allow system_app appdomain_tmpfs:file { execute getattr map read write };
#line 9
# Process-labelled files (e.g. the /proc/<pid> entries of other domains) are
# off limits to system_app, and other app domains are kept out of
# system_app's; runas_app, shell and simpleperf are the only exceptions.
#line 9
neverallow { system_app -runas_app -shell -simpleperf } { domain -system_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 9
neverallow { appdomain -runas_app -shell -simpleperf -system_app } system_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 9
# The Android security model guarantees the confidentiality and integrity
#line 9
# of application data and execution state. Ptrace bypasses those
#line 9
# confidentiality guarantees. Disallow ptrace access from system components to
#line 9
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 9
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 9
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 9
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 9
# live lock conditions.
#line 9
# NOTE(review): llkd is named in the comment above but is not in the
# exclusion list of this rule as expanded here.
neverallow { domain -system_app -crash_dump -runas_app -simpleperf } system_app:process ptrace;
#line 9
#line 10
typeattribute system_app netdomain;
#line 10
#line 11
typeattribute system_app binderservicedomain;
#line 11
# android.ui and system.ui
allow system_app rootfs:dir getattr;
# Read and write /data/data subdirectory.
allow system_app system_app_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_app system_app_data_file:{ file lnk_file } { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Read and write to /data/misc/user.
allow system_app misc_user_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_app misc_user_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Access to apex files stored on /data (b/136063500)
# Needed so that Settings can access NOTICE files inside apex
# files located in the assets/ directory.
allow system_app apex_data_file:dir search;
allow system_app staging_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Read wallpaper file.
allow system_app wallpaper_file:file { getattr open read ioctl lock map watch watch_reads };
# Read icon file.
allow system_app icon_file:file { getattr open read ioctl lock map watch watch_reads };
# Write to properties
# Each "#line NN" group from here down to the auditallow lines is one
# expanded property-setter grant: write on the property socket, connect to
# init, "set" on the named property type, and read/map of its backing file.
#line 37
#line 37
allow system_app property_socket:sock_file write;
#line 37
allow system_app init:unix_stream_socket connectto;
#line 37
#line 37
allow system_app adaptive_haptics_prop:property_service set;
#line 37
#line 37
allow system_app adaptive_haptics_prop:file { getattr open read map };
#line 37
#line 37
#line 38
#line 38
allow system_app property_socket:sock_file write;
#line 38
allow system_app init:unix_stream_socket connectto;
#line 38
#line 38
allow system_app arm64_memtag_prop:property_service set;
#line 38
#line 38
allow system_app arm64_memtag_prop:file { getattr open read map };
#line 38
#line 38
#line 39
#line 39
allow system_app property_socket:sock_file write;
#line 39
allow system_app init:unix_stream_socket connectto;
#line 39
#line 39
allow system_app bluetooth_a2dp_offload_prop:property_service set;
#line 39
#line 39
allow system_app bluetooth_a2dp_offload_prop:file { getattr open read map };
#line 39
#line 39
#line 40
#line 40
allow system_app property_socket:sock_file write;
#line 40
allow system_app init:unix_stream_socket connectto;
#line 40
#line 40
allow system_app bluetooth_audio_hal_prop:property_service set;
#line 40
#line 40
allow system_app bluetooth_audio_hal_prop:file { getattr open read map };
#line 40
#line 40
#line 41
#line 41
allow system_app property_socket:sock_file write;
#line 41
allow system_app init:unix_stream_socket connectto;
#line 41
#line 41
allow system_app bluetooth_prop:property_service set;
#line 41
#line 41
allow system_app bluetooth_prop:file { getattr open read map };
#line 41
#line 41
#line 42
#line 42
allow system_app property_socket:sock_file write;
#line 42
allow system_app init:unix_stream_socket connectto;
#line 42
#line 42
allow system_app debug_prop:property_service set;
#line 42
#line 42
allow system_app debug_prop:file { getattr open read map };
#line 42
#line 42
#line 43
#line 43
allow system_app property_socket:sock_file write;
#line 43
allow system_app init:unix_stream_socket connectto;
#line 43
#line 43
allow system_app system_prop:property_service set;
#line 43
#line 43
allow system_app system_prop:file { getattr open read map };
#line 43
#line 43
#line 44
#line 44
allow system_app property_socket:sock_file write;
#line 44
allow system_app init:unix_stream_socket connectto;
#line 44
#line 44
allow system_app exported_bluetooth_prop:property_service set;
#line 44
#line 44
allow system_app exported_bluetooth_prop:file { getattr open read map };
#line 44
#line 44
#line 45
#line 45
allow system_app property_socket:sock_file write;
#line 45
allow system_app init:unix_stream_socket connectto;
#line 45
#line 45
allow system_app exported_system_prop:property_service set;
#line 45
#line 45
allow system_app exported_system_prop:file { getattr open read map };
#line 45
#line 45
#line 46
#line 46
allow system_app property_socket:sock_file write;
#line 46
allow system_app init:unix_stream_socket connectto;
#line 46
#line 46
allow system_app exported3_system_prop:property_service set;
#line 46
#line 46
allow system_app exported3_system_prop:file { getattr open read map };
#line 46
#line 46
#line 47
#line 47
allow system_app property_socket:sock_file write;
#line 47
allow system_app init:unix_stream_socket connectto;
#line 47
#line 47
allow system_app gesture_prop:property_service set;
#line 47
#line 47
allow system_app gesture_prop:file { getattr open read map };
#line 47
#line 47
#line 48
#line 48
allow system_app property_socket:sock_file write;
#line 48
allow system_app init:unix_stream_socket connectto;
#line 48
#line 48
allow system_app locale_prop:property_service set;
#line 48
#line 48
allow system_app locale_prop:file { getattr open read map };
#line 48
#line 48
#line 49
#line 49
allow system_app property_socket:sock_file write;
#line 49
allow system_app init:unix_stream_socket connectto;
#line 49
#line 49
allow system_app logd_prop:property_service set;
#line 49
#line 49
allow system_app logd_prop:file { getattr open read map };
#line 49
#line 49
#line 50
#line 50
allow system_app property_socket:sock_file write;
#line 50
allow system_app init:unix_stream_socket connectto;
#line 50
#line 50
allow system_app net_radio_prop:property_service set;
#line 50
#line 50
allow system_app net_radio_prop:file { getattr open read map };
#line 50
#line 50
#line 51
#line 51
allow system_app property_socket:sock_file write;
#line 51
allow system_app init:unix_stream_socket connectto;
#line 51
#line 51
allow system_app timezone_prop:property_service set;
#line 51
#line 51
allow system_app timezone_prop:file { getattr open read map };
#line 51
#line 51
#line 52
#line 52
allow system_app property_socket:sock_file write;
#line 52
allow system_app init:unix_stream_socket connectto;
#line 52
#line 52
allow system_app usb_control_prop:property_service set;
#line 52
#line 52
allow system_app usb_control_prop:file { getattr open read map };
#line 52
#line 52
#line 53
#line 53
allow system_app property_socket:sock_file write;
#line 53
allow system_app init:unix_stream_socket connectto;
#line 53
#line 53
allow system_app usb_prop:property_service set;
#line 53
#line 53
allow system_app usb_prop:file { getattr open read map };
#line 53
#line 53
#line 54
#line 54
allow system_app property_socket:sock_file write;
#line 54
allow system_app init:unix_stream_socket connectto;
#line 54
#line 54
allow system_app log_tag_prop:property_service set;
#line 54
#line 54
allow system_app log_tag_prop:file { getattr open read map };
#line 54
#line 54
#line 55
#line 55
allow system_app property_socket:sock_file write;
#line 55
allow system_app init:unix_stream_socket connectto;
#line 55
#line 55
allow system_app drm_forcel3_prop:property_service set;
#line 55
#line 55
allow system_app drm_forcel3_prop:file { getattr open read map };
#line 55
#line 55
# Successful sets of these three properties are audit-logged (auditallow),
# not denied; the grants themselves are in the #line 50/52/53 groups above.
auditallow system_app net_radio_prop:property_service set;
auditallow system_app usb_control_prop:property_service set;
auditallow system_app usb_prop:property_service set;
# Allow Settings to enable Dynamic System Update
#line 61
#line 61
allow system_app property_socket:sock_file write;
#line 61
allow system_app init:unix_stream_socket connectto;
#line 61
#line 61
allow system_app dynamic_system_prop:property_service set;
#line 61
#line 61
allow system_app dynamic_system_prop:file { getattr open read map };
#line 61
#line 61
# ctl interface
#line 64
#line 64
allow system_app property_socket:sock_file write;
#line 64
allow system_app init:unix_stream_socket connectto;
#line 64
#line 64
allow system_app ctl_default_prop:property_service set;
#line 64
#line 64
allow system_app ctl_default_prop:file { getattr open read map };
#line 64
#line 64
#line 65
#line 65
allow system_app property_socket:sock_file write;
#line 65
allow system_app init:unix_stream_socket connectto;
#line 65
#line 65
allow system_app ctl_bugreport_prop:property_service set;
#line 65
#line 65
allow system_app ctl_bugreport_prop:file { getattr open read map };
#line 65
#line 65
# Allow developer settings to query gsid status
#line 68
allow system_app gsid_prop:file { getattr open read map };
#line 68
# Allow developer settings to check 16k pages boot option status
#line 71
allow system_app enable_16k_pages_prop:file { getattr open read map };
#line 71
# Create /data/anr/traces.txt.
allow system_app anr_data_file:dir { { open getattr read search ioctl lock watch watch_reads } add_name write };
allow system_app anr_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow system apps (like Settings) to interact with statsd
# Binder call pattern used for statsd, incidentd and update_engine below:
# client calls and transfers to the server, the server may transfer back,
# and the client may use fds the server hands it.
#line 81
# Call the server domain and optionally transfer references to it.
#line 81
allow system_app statsd:binder { call transfer };
#line 81
# Allow the server domain to transfer references to the client on the reply.
#line 81
allow statsd system_app:binder transfer;
#line 81
# Receive and use open files from the server.
#line 81
allow system_app statsd:fd use;
#line 81
# Allow system apps to interact with incidentd
#line 84
# Call the server domain and optionally transfer references to it.
#line 84
allow system_app incidentd:binder { call transfer };
#line 84
# Allow the server domain to transfer references to the client on the reply.
#line 84
allow incidentd system_app:binder transfer;
#line 84
# Receive and use open files from the server.
#line 84
allow system_app incidentd:fd use;
#line 84
# Allow system apps (Settings) to call into update_engine
# in order to apply update to switch from 4k kernel to 16K and vice-versa
#line 88
# Call the servicemanager and transfer references to it.
#line 88
allow system_app servicemanager:binder { call transfer };
#line 88
# Allow servicemanager to send out callbacks
#line 88
allow servicemanager system_app:binder { call transfer };
#line 88
# servicemanager performs getpidcon on clients.
#line 88
allow servicemanager system_app:dir search;
#line 88
allow servicemanager system_app:file { read open };
#line 88
allow servicemanager system_app:process getattr;
#line 88
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 88
# all domains in domain.te.
#line 88
allow system_app update_engine_stable_service:service_manager find;
#line 90
# Call the server domain and optionally transfer references to it.
#line 90
allow system_app update_engine:binder { call transfer };
#line 90
# Allow the server domain to transfer references to the client on the reply.
#line 90
allow update_engine system_app:binder transfer;
#line 90
# Receive and use open files from the server.
#line 90
allow system_app update_engine:fd use;
#line 90
# Allow system app to interact with Dumpstate HAL
#line 93
typeattribute system_app halclientdomain;
#line 93
typeattribute system_app hal_dumpstate_client;
#line 93
#line 93
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 93
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 93
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 93
#line 93
# Passthrough mode: system_app itself carries the hal_dumpstate attribute, so
# the vendor_file grants below apply to it as well.
typeattribute system_app hal_dumpstate;
#line 93
# Find passthrough HAL implementations
#line 93
allow hal_dumpstate system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 93
allow hal_dumpstate vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 93
allow hal_dumpstate vendor_file:file { read open getattr execute map };
#line 93
#line 93
allow system_app servicemanager:service_manager list;
# TODO: scope this down? Too broad?
# The exclusion list here is the dontaudit list below plus apex, lpdump,
# both system_suspend_control services, tracingproxy and
# default_android_service.
allow system_app {
service_manager_type
-apex_service
-dnsresolver_service
-dumpstate_service
-installd_service
-lpdump_service
-mdns_service
-netd_service
-system_suspend_control_internal_service
-system_suspend_control_service
-tracingproxy_service
-virtual_touchpad_service
-vold_service
-default_android_service
}:service_manager find;
# suppress denials for services system_app should not be accessing.
dontaudit system_app {
dnsresolver_service
dumpstate_service
installd_service
mdns_service
netd_service
virtual_touchpad_service
vold_service
}:service_manager find;
# suppress denials caused by debugfs_tracing
dontaudit system_app debugfs_tracing:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Ignore access to memory properties for Settings.
dontaudit system_app proc_pagetypeinfo:file { getattr open read ioctl lock map watch watch_reads };
dontaudit system_app sysfs_zram:dir search;
# Keystore 2.0 key permissions. "grant" is included here but deliberately
# absent from the wifi_key set that follows.
allow system_app keystore:keystore2_key {
delete
get_info
grant
rebind
update
use
};
# Allow Settings to manage WI-FI keys.
allow system_app wifi_key:keystore2_key {
delete
get_info
rebind
update
use
};
# settings app reads /proc/version
allow system_app {
proc_version
}:file { getattr open read ioctl lock map watch watch_reads };
# Settings app writes to /dev/stune/foreground/tasks.
allow system_app cgroup:file { open append write lock map };
allow system_app cgroup_v2:file { open append write lock map };
allow system_app cgroup_v2:dir { open search write add_name remove_name lock };
#line 159
# Group AID_LOG checked by filesystem & logd
#line 159
# to permit control commands
#line 159
#line 159
allow system_app logd_socket:sock_file write;
#line 159
allow system_app logd:unix_stream_socket connectto;
#line 159
#line 159
#line 160
allow system_app runtime_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads };
#line 160
#line 161
allow system_app device_logging_prop:file { getattr open read map };
#line 161
# allow system apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow system_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
# allow system apps to read game manager related sysprops
#line 169
allow system_app game_manager_config_prop:file { getattr open read map };
#line 169
# Settings app reads ro.oem_unlock_supported
#line 172
allow system_app oem_unlock_prop:file { getattr open read map };
#line 172
# Settings app reads ro.usb.uvc.enabled
#line 175
allow system_app usb_uvc_enabled_prop:file { getattr open read map };
#line 175
# Settings and Launcher apps read pm.archiving.enabled
#line 178
allow system_app pm_archiving_enabled_prop:file { getattr open read map };
#line 178
###
### Neverallow rules
###
# app domains which access /dev/fuse should not run as system_app
neverallow system_app fuse_device:chr_file *;
# Apps which run as UID=system should not rely on any attacker controlled
# filesystem locations, such as /data/local/tmp. For /data/local/tmp, we
# allow writes to files passed by file descriptor to support dumpstate and
# bug reports, but not reads.
neverallow system_app shell_data_file:dir { { add_name create link relabelfrom remove_name rename reparent rmdir setattr write } open search read };
neverallow system_app shell_data_file:file { open read ioctl lock };
# system_app should be the only domain writing the adaptive haptics prop
neverallow { domain -init -system_app } adaptive_haptics_prop:property_service set;
# system_app should be the only domain writing the force l3 prop
neverallow { domain -init -system_app } drm_forcel3_prop:property_service set;
#line 1 "system/sepolicy/private/system_server.te"
#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
typeattribute system_server coredomain;
typeattribute system_server mlstrustedsubject;
typeattribute system_server remote_provisioning_service_server;
typeattribute system_server scheduler_service_server;
typeattribute system_server sensor_service_server;
typeattribute system_server stats_service_server;
typeattribute system_server bpfdomain;
# Define a type for tmpfs-backed ashmem regions.
#line 15
type_transition system_server tmpfs:file system_server_tmpfs;
#line 15
allow system_server system_server_tmpfs:file { read write getattr map };
#line 15
#line 17
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 17
type system_server_userfaultfd;
#line 17
type_transition system_server system_server:anon_inode system_server_userfaultfd "[userfaultfd]";
#line 17
# Allow domain to create/use userfaultfd anon_inode.
#line 17
allow system_server system_server_userfaultfd:anon_inode { create ioctl read };
#line 17
# Suppress errors generated during bugreport
#line 17
dontaudit su system_server_userfaultfd:anon_inode *;
#line 17
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 17
neverallow { domain -system_server } system_server_userfaultfd:anon_inode *;
#line 17
# Create a socket for connections from crash_dump.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
# Create a socket for connections from zygotes.
type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";
allow system_server zygote_tmpfs:file { map read };
allow system_server appdomain_tmpfs:file { getattr map read write };
# For Incremental Service to check if incfs is available
allow system_server proc_filesystems:file { getattr open read ioctl lock map watch watch_reads };
# To create files, get permission to fill blocks, and configure Incremental File System
allow system_server incremental_control_file:file { ioctl { getattr open read ioctl lock map watch watch_reads } };
allowxperm system_server incremental_control_file:file ioctl {
0x0000671e
0x00006723
0x00006721
0x00006725
0x00006726
0x00006727
};
# To get signature of an APK installed on Incremental File System, and fill in data
# blocks and get the filesystem state
allowxperm system_server apk_data_file:file ioctl {
0x0000671f
0x00006720
0x00006722
0x00006724
0xf50c
0xf511
0xf518
0xf517
0xf512
0xf513
0x40086602
0x80086601
};
allowxperm system_server apk_tmp_file:file ioctl {
0xf512
0x80086601
};
# For Incremental Service to check incfs metrics
allow system_server sysfs_fs_incfs_metrics:file { getattr open read ioctl lock map watch watch_reads };
# For f2fs-compression support
allow system_server sysfs_fs_f2fs:dir { open getattr read search ioctl lock watch watch_reads };
allow system_server sysfs_fs_f2fs:file { getattr open read ioctl lock map watch watch_reads };
# For SdkSandboxManagerService
allow system_server sdk_sandbox_system_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
# For art.
allow system_server { apex_art_data_file dalvikcache_data_file }:dir { open getattr read search ioctl lock watch watch_reads };
allow system_server { apex_art_data_file dalvikcache_data_file }:file { getattr open read ioctl lock map watch watch_reads };
# Ignore the denial on `system@framework@com.android.location.provider.jar@classes.odex`.
# `com.android.location.provider.jar` happens to be both a jar on system server classpath and a
# shared library used by a system server app. The odex file is loaded fine by Zygote when it forks
# system_server. It fails to be loaded when the jar is used as a shared library, which is expected.
dontaudit system_server apex_art_data_file:file execute;
# For release odex/vdex compress blocks
allowxperm system_server dalvikcache_data_file:file ioctl {
0xf512
0x80086601
};
# When running system server under --invoke-with, we'll try to load the boot image under the
# system server domain, following links to the system partition.
# /data/resource-cache
allow system_server resourcecache_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow system_server resourcecache_data_file:dir { open getattr read search ioctl lock watch watch_reads };
# ptrace to processes in the same domain for debugging crashes.
allow system_server self:process ptrace;
# Child of the zygote.
allow system_server zygote:fd use;
allow system_server zygote:process sigchld;
# May kill zygote (or its child processes) on crashes.
allow system_server {
app_zygote
crash_dump
crosvm
virtualizationmanager
webview_zygote
zygote
}:process { getpgid sigkill signull };
# Read /system/bin/app_process.
allow system_server zygote_exec:file { getattr open read ioctl lock map watch watch_reads };
# Needed to close the zygote socket, which involves getopt / getattr
allow system_server zygote:unix_stream_socket { getopt getattr };
# system server gets network and bluetooth permissions.
#line 122
typeattribute system_server netdomain;
#line 122
# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctl commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl
#line 125
{
#line 125
# qualcomm rmnet ioctls
#line 125
0x00006900 0x00006902
#line 125
# socket ioctls
#line 125
0x0000890b 0x0000890c 0x0000890d 0x00008911 0x00008914 0x00008916
#line 125
0x00008918 0x0000891a 0x0000891c 0x0000891d 0x0000891e 0x0000891f
#line 125
0x00008920 0x00008922 0x00008923 0x00008924 0x00008925 0x00008926
#line 125
0x00008927 0x00008929 0x00008930 0x00008931 0x00008932
#line 125
0x00008934 0x00008935 0x00008936 0x00008937 0x00008939 0x00008940 0x00008941
#line 125
0x00008943 0x00008946 0x00008947 0x00008948 0x00008949 0x0000894a
#line 125
0x0000894b 0x00008953 0x00008954 0x00008955 0x00008960 0x00008961 0x00008962 0x00008970
#line 125
0x00008971 0x00008980 0x00008981 0x00008982 0x00008983 0x00008990
#line 125
0x00008991 0x00008992 0x00008993 0x00008994
#line 125
0x00008995 0x000089a0 0x000089a1 0x000089a2 0x000089a3 0x000089b0
#line 125
# device and protocol specific ioctls
#line 125
0x000089f0-0x000089ff
#line 125
0x000089e0-0x000089ef
#line 125
# Wireless extension ioctls
#line 125
0x00008b00 0x00008b02 0x00008b04 0x00008b06 0x00008b08 0x00008b0a
#line 125
0x00008b0c 0x00008b0e 0x00008b10 0x00008b14 0x00008b15 0x00008b16 0x00008b17
#line 125
0x00008b18 0x00008b19 0x00008b1a 0x00008b1b 0x00008b1c 0x00008b1d
#line 125
0x00008b20 0x00008b22 0x00008b24 0x00008b26 0x00008b28 0x00008b2a
#line 125
0x00008b2b 0x00008b2c 0x00008b30 0x00008b31 0x00008b32 0x00008b33
#line 125
0x00008b34 0x00008b35 0x00008b36
#line 125
# Dev private ioctl i.e. hardware specific ioctls
#line 125
0x00008be0-0x00008bff
#line 125
};
#line 126
typeattribute system_server bluetoothdomain;
#line 126
# Allow setup of tcp keepalive offload. This gives system_server the permission to
# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
# be granted individually, except for a small set of safe values allowlisted in
# public/domain.te.
allow system_server appdomain:tcp_socket ioctl;
# These are the capabilities assigned by the zygote to the
# system server.
allow system_server self:{ capability cap_userns } {
ipc_lock
kill
net_admin
net_bind_service
net_broadcast
net_raw
sys_boot
sys_nice
sys_ptrace
sys_time
sys_tty_config
};
# Allow alarmtimers to be set
allow system_server self:{ capability2 cap2_userns } wake_alarm;
# Create and share netlink_netfilter_sockets for tetheroffload.
allow system_server self:netlink_netfilter_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
allow system_server self:netlink_tcpdiag_socket
{ { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_read nlmsg_write };
# Use netlink uevent sockets.
allow system_server self:netlink_kobject_uevent_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow system_server self:netlink_nflog_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# Use generic netlink sockets.
allow system_server self:netlink_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
allow system_server self:netlink_generic_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# libvintf reads the kernel config to verify vendor interface compatibility.
allow system_server config_gz:file { read open };
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
# allowlisted.
allow system_server self:socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# Set and get routes directly via netlink.
# Only nlmsg_write is granted by this rule; the create/use permissions for the
# route socket itself are not part of it.
allow system_server self:netlink_route_socket nlmsg_write;
# Use XFRM (IPsec) netlink sockets: create and use the socket, plus both
# nlmsg_read and nlmsg_write, so system_server can query and modify IPsec
# kernel state.
allow system_server self:netlink_xfrm_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } nlmsg_write nlmsg_read };
# Kill apps.
allow system_server appdomain:process { getpgid sigkill signal };
# signull allowed for kill(pid, 0) existence test.
allow system_server appdomain:process { signull };
# Set scheduling info for apps.
allow system_server appdomain:process { getsched setsched };
# Set scheduling info for the audio/media/camera/animation daemons and HALs
# listed below. Only getsched/setsched is granted to these domains here --
# no signal or kill permission.
allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched };
allow system_server hal_bluetooth:process { getsched setsched };
allow system_server hal_codec2_server:process { getsched setsched };
allow system_server hal_omx_server:process { getsched setsched };
allow system_server mediaswcodec:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
allow system_server hal_camera:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
allow system_server bootanim:process { getsched setsched };
# Set scheduling info for psi monitor thread.
# TODO: delete this line b/131761776
# NOTE(review): this is the only rule in this section targeting the kernel
# domain; it grants scheduling control only.
allow system_server kernel:process { getsched setsched };
# Allow system_server to write to /proc/<pid>/*
# The "domain" attribute here matches files carrying a process label, which is
# how the per-process /proc entries are labelled; this is therefore a write
# grant over every process's /proc entries. Combined with the read rules below
# this amounts to full read/write access to those entries.
allow system_server domain:file { open append write lock map };
# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
# within system_server to keep track of memory and CPU usage for
# all processes on the device. In addition, /proc/pid files access is needed
# for dumping stack traces of native processes.
#line 213
allow system_server domain:dir { open getattr read search ioctl lock watch watch_reads };
#line 213
allow system_server domain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 213
# Write /proc/uid_cputime/remove_uid_range.
allow system_server proc_uid_cputime_removeuid:file { { open append write lock map } getattr };
# Write /proc/uid_procstat/set.
allow system_server proc_uid_procstat_set:file { { open append write lock map } getattr };
# Write to /proc/sysrq-trigger.
# Writes to this node invoke kernel sysrq actions (e.g. crash dump, reboot),
# so this is a sensitive grant; the read permission set is included as well.
allow system_server proc_sysrq:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Delete /data/misc/stats-service/ directories.
# Entries can be removed (remove_name / unlink) but not added: there is no
# add_name on the dir and no create/write on the files.
allow system_server stats_config_data_file:dir { open read remove_name search write };
allow system_server stats_config_data_file:file unlink;
# Read metric file & upload to statsd
# The metrics files may also be deleted (remove_name / unlink), presumably
# once they have been consumed.
allow system_server odsign_data_file:dir search;
allow system_server odsign_metrics_file:dir { { open getattr read search ioctl lock watch watch_reads } write remove_name };
allow system_server odsign_metrics_file:file { { getattr open read ioctl lock map watch watch_reads } unlink };
# Read /sys/kernel/debug/wakeup_sources.
#line 234
allow system_server debugfs_wakeup_sources:file { getattr open read ioctl lock map watch watch_reads };
#line 236
# Read /sys/kernel/ion/*.
allow system_server sysfs_ion:file { getattr open read ioctl lock map watch watch_reads };
# Read /sys/kernel/dma_heap/*.
allow system_server sysfs_dma_heap:file { getattr open read ioctl lock map watch watch_reads };
# Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf.
allow system_server sysfs_dmabuf_stats:dir { open getattr read search ioctl lock watch watch_reads };
allow system_server sysfs_dmabuf_stats:file { getattr open read ioctl lock map watch watch_reads };
# Allow ActivityManager to look at the list of DMA-BUF heaps from /dev/dma_heap
# for dumpsys meminfo
allow system_server dmabuf_heap_device:dir { open getattr read search ioctl lock watch watch_reads };
# Allow reading /proc/vmstat for the oom kill count
allow system_server proc_vmstat:file { getattr open read ioctl lock map watch watch_reads };
# The DhcpClient and WifiWatchdog use packet_sockets
# As with self:socket above, ioctl is deliberately absent from this set.
allow system_server self:packet_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# 3rd party VPN clients require a tun_socket to be created
# Same permission set as packet_socket: create plus use, no ioctl.
allow system_server self:tun_socket { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } };
# Talk to init and various daemons via sockets.
# Each pair below grants write on the daemon's socket file plus connectto on
# the daemon's listening stream socket (lmkd, zygote, uncrypt).
#line 262
allow system_server lmkd_socket:sock_file write;
#line 262
allow system_server lmkd:unix_stream_socket connectto;
#line 262
#line 263
allow system_server zygote_socket:sock_file write;
#line 263
allow system_server zygote:unix_stream_socket connectto;
#line 263
#line 264
allow system_server uncrypt_socket:sock_file write;
#line 264
allow system_server uncrypt:unix_stream_socket connectto;
#line 264
# Allow system_server to write to statsd.
# statsd is reached over a datagram socket (sendto), not a stream connect.
#line 267
allow system_server statsdw_socket:sock_file write;
#line 267
allow system_server statsd:unix_dgram_socket sendto;
#line 267
# Communicate over a socket created by surfaceflinger.
# These are sockets handed to system_server already connected: read, write
# and setopt only, no connectto. The same applies to gpuservice below.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };
allow system_server gpuservice:unix_stream_socket { read write setopt };
# Communicate over a socket created by webview_zygote.
# Unlike the surfaceflinger/gpuservice rules, connectto is included here and
# for app_zygote.
allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
# Communicate over a socket created by app_zygote.
allow system_server app_zygote:unix_stream_socket { read write connectto setopt };
# Perform Binder IPC.
# Each expansion below pairs a call/transfer grant from system_server to the
# named server domain with a transfer grant back (so the server can return
# references on the reply) and lets system_server use fds received from that
# server; servicemanager additionally gets search/read/getattr on
# system_server's process entries for its getpidcon checks.
#line 281
# Call the servicemanager and transfer references to it.
#line 281
allow system_server servicemanager:binder { call transfer };
#line 281
# Allow servicemanager to send out callbacks
#line 281
allow servicemanager system_server:binder { call transfer };
#line 281
# servicemanager performs getpidcon on clients.
#line 281
allow servicemanager system_server:dir search;
#line 281
allow servicemanager system_server:file { read open };
#line 281
allow servicemanager system_server:process getattr;
#line 281
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 281
# all domains in domain.te.
#line 281
#line 282
# Call the server domain and optionally transfer references to it.
#line 282
allow system_server appdomain:binder { call transfer };
#line 282
# Allow the serverdomain to transfer references to the client on the reply.
#line 282
allow appdomain system_server:binder transfer;
#line 282
# Receive and use open files from the server.
#line 282
allow system_server appdomain:fd use;
#line 282
#line 283
# Call the server domain and optionally transfer references to it.
#line 283
allow system_server artd:binder { call transfer };
#line 283
# Allow the serverdomain to transfer references to the client on the reply.
#line 283
allow artd system_server:binder transfer;
#line 283
# Receive and use open files from the server.
#line 283
allow system_server artd:fd use;
#line 283
#line 284
# Call the server domain and optionally transfer references to it.
#line 284
allow system_server binderservicedomain:binder { call transfer };
#line 284
# Allow the serverdomain to transfer references to the client on the reply.
#line 284
allow binderservicedomain system_server:binder transfer;
#line 284
# Receive and use open files from the server.
#line 284
allow system_server binderservicedomain:fd use;
#line 284
#line 285
# Call the server domain and optionally transfer references to it.
#line 285
allow system_server composd:binder { call transfer };
#line 285
# Allow the serverdomain to transfer references to the client on the reply.
#line 285
allow composd system_server:binder transfer;
#line 285
# Receive and use open files from the server.
#line 285
allow system_server composd:fd use;
#line 285
#line 286
# Call the server domain and optionally transfer references to it.
#line 286
allow system_server dexopt_chroot_setup:binder { call transfer };
#line 286
# Allow the serverdomain to transfer references to the client on the reply.
#line 286
allow dexopt_chroot_setup system_server:binder transfer;
#line 286
# Receive and use open files from the server.
#line 286
allow system_server dexopt_chroot_setup:fd use;
#line 286
#line 287
# Call the server domain and optionally transfer references to it.
#line 287
allow system_server dumpstate:binder { call transfer };
#line 287
# Allow the serverdomain to transfer references to the client on the reply.
#line 287
allow dumpstate system_server:binder transfer;
#line 287
# Receive and use open files from the server.
#line 287
allow system_server dumpstate:fd use;
#line 287
#line 288
# Call the server domain and optionally transfer references to it.
#line 288
allow system_server fingerprintd:binder { call transfer };
#line 288
# Allow the serverdomain to transfer references to the client on the reply.
#line 288
allow fingerprintd system_server:binder transfer;
#line 288
# Receive and use open files from the server.
#line 288
allow system_server fingerprintd:fd use;
#line 288
#line 289
# Call the server domain and optionally transfer references to it.
#line 289
allow system_server gatekeeperd:binder { call transfer };
#line 289
# Allow the serverdomain to transfer references to the client on the reply.
#line 289
allow gatekeeperd system_server:binder transfer;
#line 289
# Receive and use open files from the server.
#line 289
allow system_server gatekeeperd:fd use;
#line 289
#line 290
# Call the server domain and optionally transfer references to it.
#line 290
allow system_server gpuservice:binder { call transfer };
#line 290
# Allow the serverdomain to transfer references to the client on the reply.
#line 290
allow gpuservice system_server:binder transfer;
#line 290
# Receive and use open files from the server.
#line 290
allow system_server gpuservice:fd use;
#line 290
#line 291
# Call the server domain and optionally transfer references to it.
#line 291
allow system_server idmap:binder { call transfer };
#line 291
# Allow the serverdomain to transfer references to the client on the reply.
#line 291
allow idmap system_server:binder transfer;
#line 291
# Receive and use open files from the server.
#line 291
allow system_server idmap:fd use;
#line 291
#line 292
# Call the server domain and optionally transfer references to it.
#line 292
allow system_server installd:binder { call transfer };
#line 292
# Allow the serverdomain to transfer references to the client on the reply.
#line 292
allow installd system_server:binder transfer;
#line 292
# Receive and use open files from the server.
#line 292
allow system_server installd:fd use;
#line 292
#line 293
# Call the server domain and optionally transfer references to it.
#line 293
allow system_server incidentd:binder { call transfer };
#line 293
# Allow the serverdomain to transfer references to the client on the reply.
#line 293
allow incidentd system_server:binder transfer;
#line 293
# Receive and use open files from the server.
#line 293
allow system_server incidentd:fd use;
#line 293
#line 294
# Call the server domain and optionally transfer references to it.
#line 294
allow system_server netd:binder { call transfer };
#line 294
# Allow the serverdomain to transfer references to the client on the reply.
#line 294
allow netd system_server:binder transfer;
#line 294
# Receive and use open files from the server.
#line 294
allow system_server netd:fd use;
#line 294
#line 295
# Call the server domain and optionally transfer references to it.
#line 295
allow system_server ot_daemon:binder { call transfer };
#line 295
# Allow the serverdomain to transfer references to the client on the reply.
#line 295
allow ot_daemon system_server:binder transfer;
#line 295
# Receive and use open files from the server.
#line 295
allow system_server ot_daemon:fd use;
#line 295
#line 297
# Call the server domain and optionally transfer references to it.
#line 297
allow system_server statsd:binder { call transfer };
#line 297
# Allow the serverdomain to transfer references to the client on the reply.
#line 297
allow statsd system_server:binder transfer;
#line 297
# Receive and use open files from the server.
#line 297
allow system_server statsd:fd use;
#line 297
#line 298
# Call the server domain and optionally transfer references to it.
#line 298
allow system_server storaged:binder { call transfer };
#line 298
# Allow the serverdomain to transfer references to the client on the reply.
#line 298
allow storaged system_server:binder transfer;
#line 298
# Receive and use open files from the server.
#line 298
allow system_server storaged:fd use;
#line 298
#line 299
# Call the server domain and optionally transfer references to it.
#line 299
allow system_server update_engine:binder { call transfer };
#line 299
# Allow the serverdomain to transfer references to the client on the reply.
#line 299
allow update_engine system_server:binder transfer;
#line 299
# Receive and use open files from the server.
#line 299
allow system_server update_engine:fd use;
#line 299
#line 300
# Call the server domain and optionally transfer references to it.
#line 300
allow system_server virtual_camera:binder { call transfer };
#line 300
# Allow the serverdomain to transfer references to the client on the reply.
#line 300
allow virtual_camera system_server:binder transfer;
#line 300
# Receive and use open files from the server.
#line 300
allow system_server virtual_camera:fd use;
#line 300
#line 301
# Call the server domain and optionally transfer references to it.
#line 301
allow system_server vold:binder { call transfer };
#line 301
# Allow the serverdomain to transfer references to the client on the reply.
#line 301
allow vold system_server:binder transfer;
#line 301
# Receive and use open files from the server.
#line 301
allow system_server vold:fd use;
#line 301
#line 302
# Call the server domain and optionally transfer references to it.
#line 302
allow system_server logd:binder { call transfer };
#line 302
# Allow the serverdomain to transfer references to the client on the reply.
#line 302
allow logd system_server:binder transfer;
#line 302
# Receive and use open files from the server.
#line 302
allow system_server logd:fd use;
#line 302
#line 303
# Call the server domain and optionally transfer references to it.
#line 303
allow system_server wificond:binder { call transfer };
#line 303
# Allow the serverdomain to transfer references to the client on the reply.
#line 303
allow wificond system_server:binder transfer;
#line 303
# Receive and use open files from the server.
#line 303
allow system_server wificond:fd use;
#line 303
#line 304
# Call the server domain and optionally transfer references to it.
#line 304
allow system_server uprobestats:binder { call transfer };
#line 304
# Allow the serverdomain to transfer references to the client on the reply.
#line 304
allow uprobestats system_server:binder transfer;
#line 304
# Receive and use open files from the server.
#line 304
allow system_server uprobestats:fd use;
#line 304
#line 305
typeattribute system_server binderservicedomain;
#line 305
# Use HALs
# Each expansion below marks system_server as a client of one HAL. Because the
# passthrough rules are still unconditional (see the TODO in each expansion),
# system_server also receives the HAL's own attribute and may read, execute
# and map HAL implementation files under vendor_file.
#line 308
typeattribute system_server halclientdomain;
#line 308
typeattribute system_server hal_allocator_client;
#line 308
#line 308
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 308
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 308
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 308
#line 308
typeattribute system_server hal_allocator;
#line 308
# Find passthrough HAL implementations
#line 308
allow hal_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 308
allow hal_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 308
allow hal_allocator vendor_file:file { read open getattr execute map };
#line 308
#line 308
#line 309
typeattribute system_server halclientdomain;
#line 309
typeattribute system_server hal_audio_client;
#line 309
#line 309
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 309
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 309
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 309
#line 309
typeattribute system_server hal_audio;
#line 309
# Find passthrough HAL implementations
#line 309
allow hal_audio system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 309
allow hal_audio vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 309
allow hal_audio vendor_file:file { read open getattr execute map };
#line 309
#line 309
#line 310
typeattribute system_server halclientdomain;
#line 310
typeattribute system_server hal_authgraph_client;
#line 310
#line 310
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 310
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 310
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 310
#line 310
typeattribute system_server hal_authgraph;
#line 310
# Find passthrough HAL implementations
#line 310
allow hal_authgraph system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 310
allow hal_authgraph vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 310
allow hal_authgraph vendor_file:file { read open getattr execute map };
#line 310
#line 310
#line 311
typeattribute system_server halclientdomain;
#line 311
typeattribute system_server hal_authsecret_client;
#line 311
#line 311
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 311
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 311
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 311
#line 311
typeattribute system_server hal_authsecret;
#line 311
# Find passthrough HAL implementations
#line 311
allow hal_authsecret system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 311
allow hal_authsecret vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 311
allow hal_authsecret vendor_file:file { read open getattr execute map };
#line 311
#line 311
#line 312
typeattribute system_server halclientdomain;
#line 312
typeattribute system_server hal_bluetooth_client;
#line 312
#line 312
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 312
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 312
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 312
#line 312
typeattribute system_server hal_bluetooth;
#line 312
# Find passthrough HAL implementations
#line 312
allow hal_bluetooth system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 312
allow hal_bluetooth vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 312
allow hal_bluetooth vendor_file:file { read open getattr execute map };
#line 312
#line 312
#line 313
typeattribute system_server halclientdomain;
#line 313
typeattribute system_server hal_broadcastradio_client;
#line 313
#line 313
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 313
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 313
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 313
#line 313
typeattribute system_server hal_broadcastradio;
#line 313
# Find passthrough HAL implementations
#line 313
allow hal_broadcastradio system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 313
allow hal_broadcastradio vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 313
allow hal_broadcastradio vendor_file:file { read open getattr execute map };
#line 313
#line 313
#line 314
typeattribute system_server halclientdomain;
#line 314
typeattribute system_server hal_codec2_client;
#line 314
#line 314
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 314
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 314
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 314
#line 314
typeattribute system_server hal_codec2;
#line 314
# Find passthrough HAL implementations
#line 314
allow hal_codec2 system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 314
allow hal_codec2 vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 314
allow hal_codec2 vendor_file:file { read open getattr execute map };
#line 314
#line 314
#line 315
typeattribute system_server halclientdomain;
#line 315
typeattribute system_server hal_configstore_client;
#line 315
#line 315
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 315
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 315
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 315
#line 315
typeattribute system_server hal_configstore;
#line 315
# Find passthrough HAL implementations
#line 315
allow hal_configstore system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 315
allow hal_configstore vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 315
allow hal_configstore vendor_file:file { read open getattr execute map };
#line 315
#line 315
#line 316
typeattribute system_server halclientdomain;
#line 316
typeattribute system_server hal_contexthub_client;
#line 316
#line 316
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 316
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 316
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 316
#line 316
typeattribute system_server hal_contexthub;
#line 316
# Find passthrough HAL implementations
#line 316
allow hal_contexthub system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 316
allow hal_contexthub vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 316
allow hal_contexthub vendor_file:file { read open getattr execute map };
#line 316
#line 316
#line 317
typeattribute system_server halclientdomain;
#line 317
typeattribute system_server hal_face_client;
#line 317
#line 317
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 317
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 317
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 317
#line 317
typeattribute system_server hal_face;
#line 317
# Find passthrough HAL implementations
#line 317
allow hal_face system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 317
allow hal_face vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 317
allow hal_face vendor_file:file { read open getattr execute map };
#line 317
#line 317
#line 318
typeattribute system_server halclientdomain;
#line 318
typeattribute system_server hal_fingerprint_client;
#line 318
#line 318
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 318
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 318
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 318
#line 318
typeattribute system_server hal_fingerprint;
#line 318
# Find passthrough HAL implementations
#line 318
allow hal_fingerprint system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 318
allow hal_fingerprint vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 318
allow hal_fingerprint vendor_file:file { read open getattr execute map };
#line 318
#line 318
#line 319
typeattribute system_server halclientdomain;
#line 319
typeattribute system_server hal_gnss_client;
#line 319
#line 319
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 319
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 319
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 319
#line 319
typeattribute system_server hal_gnss;
#line 319
# Find passthrough HAL implementations
#line 319
allow hal_gnss system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 319
allow hal_gnss vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 319
allow hal_gnss vendor_file:file { read open getattr execute map };
#line 319
#line 319
#line 320
typeattribute system_server halclientdomain;
#line 320
typeattribute system_server hal_graphics_allocator_client;
#line 320
#line 320
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 320
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 320
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 320
#line 320
typeattribute system_server hal_graphics_allocator;
#line 320
# Find passthrough HAL implementations
#line 320
allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 320
allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 320
allow hal_graphics_allocator vendor_file:file { read open getattr execute map };
#line 320
#line 320
#line 321
typeattribute system_server halclientdomain;
#line 321
typeattribute system_server hal_health_client;
#line 321
#line 321
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 321
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 321
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 321
#line 321
typeattribute system_server hal_health;
#line 321
# Find passthrough HAL implementations
#line 321
allow hal_health system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 321
allow hal_health vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 321
allow hal_health vendor_file:file { read open getattr execute map };
#line 321
#line 321
#line 322
typeattribute system_server halclientdomain;
#line 322
typeattribute system_server hal_input_classifier_client;
#line 322
#line 322
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 322
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 322
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 322
#line 322
typeattribute system_server hal_input_classifier;
#line 322
# Find passthrough HAL implementations
#line 322
allow hal_input_classifier system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 322
allow hal_input_classifier vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 322
allow hal_input_classifier vendor_file:file { read open getattr execute map };
#line 322
#line 322
#line 323
typeattribute system_server halclientdomain;
#line 323
typeattribute system_server hal_input_processor_client;
#line 323
#line 323
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 323
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 323
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 323
#line 323
typeattribute system_server hal_input_processor;
#line 323
# Find passthrough HAL implementations
#line 323
allow hal_input_processor system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 323
allow hal_input_processor vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 323
allow hal_input_processor vendor_file:file { read open getattr execute map };
#line 323
#line 323
#line 324
typeattribute system_server halclientdomain;
#line 324
typeattribute system_server hal_ir_client;
#line 324
#line 324
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 324
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 324
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 324
#line 324
typeattribute system_server hal_ir;
#line 324
# Find passthrough HAL implementations
#line 324
allow hal_ir system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 324
allow hal_ir vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 324
allow hal_ir vendor_file:file { read open getattr execute map };
#line 324
#line 324
#line 325
typeattribute system_server halclientdomain;
#line 325
typeattribute system_server hal_keymint_client;
#line 325
#line 325
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 325
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 325
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 325
#line 325
typeattribute system_server hal_keymint;
#line 325
# Find passthrough HAL implementations
#line 325
allow hal_keymint system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 325
allow hal_keymint vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 325
allow hal_keymint vendor_file:file { read open getattr execute map };
#line 325
#line 325
#line 326
typeattribute system_server halclientdomain;
#line 326
typeattribute system_server hal_light_client;
#line 326
#line 326
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 326
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 326
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 326
#line 326
typeattribute system_server hal_light;
#line 326
# Find passthrough HAL implementations
#line 326
allow hal_light system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 326
allow hal_light vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 326
allow hal_light vendor_file:file { read open getattr execute map };
#line 326
#line 326
#line 327
typeattribute system_server halclientdomain;
#line 327
typeattribute system_server hal_memtrack_client;
#line 327
#line 327
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 327
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 327
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 327
#line 327
typeattribute system_server hal_memtrack;
#line 327
# Find passthrough HAL implementations
#line 327
allow hal_memtrack system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 327
allow hal_memtrack vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 327
allow hal_memtrack vendor_file:file { read open getattr execute map };
#line 327
#line 327
#line 328
typeattribute system_server halclientdomain;
#line 328
typeattribute system_server hal_neuralnetworks_client;
#line 328
#line 328
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 328
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 328
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 328
#line 328
typeattribute system_server hal_neuralnetworks;
#line 328
# Find passthrough HAL implementations
#line 328
allow hal_neuralnetworks system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 328
allow hal_neuralnetworks vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 328
allow hal_neuralnetworks vendor_file:file { read open getattr execute map };
#line 328
#line 328
#line 329
typeattribute system_server halclientdomain;
#line 329
typeattribute system_server hal_oemlock_client;
#line 329
#line 329
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 329
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 329
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 329
#line 329
typeattribute system_server hal_oemlock;
#line 329
# Find passthrough HAL implementations
#line 329
allow hal_oemlock system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 329
allow hal_oemlock vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 329
allow hal_oemlock vendor_file:file { read open getattr execute map };
#line 329
#line 329
#line 330
typeattribute system_server halclientdomain;
#line 330
typeattribute system_server hal_omx_client;
#line 330
#line 330
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 330
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 330
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 330
#line 330
typeattribute system_server hal_omx;
#line 330
# Find passthrough HAL implementations
#line 330
allow hal_omx system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 330
allow hal_omx vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 330
allow hal_omx vendor_file:file { read open getattr execute map };
#line 330
#line 330
#line 331
typeattribute system_server halclientdomain;
#line 331
typeattribute system_server hal_power_client;
#line 331
#line 331
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 331
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 331
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 331
#line 331
typeattribute system_server hal_power;
#line 331
# Find passthrough HAL implementations
#line 331
allow hal_power system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 331
allow hal_power vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 331
allow hal_power vendor_file:file { read open getattr execute map };
#line 331
#line 331
#line 332
typeattribute system_server halclientdomain;
#line 332
typeattribute system_server hal_power_stats_client;
#line 332
#line 332
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 332
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 332
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 332
#line 332
typeattribute system_server hal_power_stats;
#line 332
# Find passthrough HAL implementations
#line 332
allow hal_power_stats system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 332
allow hal_power_stats vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 332
allow hal_power_stats vendor_file:file { read open getattr execute map };
#line 332
#line 332
#line 333
typeattribute system_server halclientdomain;
#line 333
typeattribute system_server hal_rebootescrow_client;
#line 333
#line 333
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 333
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 333
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 333
#line 333
typeattribute system_server hal_rebootescrow;
#line 333
# Find passthrough HAL implementations
#line 333
allow hal_rebootescrow system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 333
allow hal_rebootescrow vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 333
allow hal_rebootescrow vendor_file:file { read open getattr execute map };
#line 333
#line 333
#line 334
typeattribute system_server halclientdomain;
#line 334
typeattribute system_server hal_remotelyprovisionedcomponent_avf_client;
#line 334
#line 334
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 334
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 334
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 334
#line 334
typeattribute system_server hal_remotelyprovisionedcomponent_avf;
#line 334
# Find passthrough HAL implementations
#line 334
allow hal_remotelyprovisionedcomponent_avf system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 334
allow hal_remotelyprovisionedcomponent_avf vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 334
allow hal_remotelyprovisionedcomponent_avf vendor_file:file { read open getattr execute map };
#line 334
#line 334
#line 335
typeattribute system_server halclientdomain;
#line 335
typeattribute system_server hal_sensors_client;
#line 335
#line 335
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 335
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 335
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 335
#line 335
typeattribute system_server hal_sensors;
#line 335
# Find passthrough HAL implementations
#line 335
allow hal_sensors system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 335
allow hal_sensors vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 335
allow hal_sensors vendor_file:file { read open getattr execute map };
#line 335
#line 335
#line 336
typeattribute system_server halclientdomain;
#line 336
typeattribute system_server hal_tetheroffload_client;
#line 336
#line 336
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 336
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 336
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 336
#line 336
typeattribute system_server hal_tetheroffload;
#line 336
# Find passthrough HAL implementations
#line 336
allow hal_tetheroffload system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 336
allow hal_tetheroffload vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 336
allow hal_tetheroffload vendor_file:file { read open getattr execute map };
#line 336
#line 336
#line 337
typeattribute system_server halclientdomain;
#line 337
typeattribute system_server hal_thermal_client;
#line 337
#line 337
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 337
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 337
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 337
#line 337
typeattribute system_server hal_thermal;
#line 337
# Find passthrough HAL implementations
#line 337
allow hal_thermal system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 337
allow hal_thermal vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 337
allow hal_thermal vendor_file:file { read open getattr execute map };
#line 337
#line 337
#line 338
typeattribute system_server halclientdomain;
#line 338
typeattribute system_server hal_threadnetwork_client;
#line 338
#line 338
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 338
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 338
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 338
#line 338
typeattribute system_server hal_threadnetwork;
#line 338
# Find passthrough HAL implementations
#line 338
allow hal_threadnetwork system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 338
allow hal_threadnetwork vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 338
allow hal_threadnetwork vendor_file:file { read open getattr execute map };
#line 338
#line 338
#line 339
typeattribute system_server halclientdomain;
#line 339
typeattribute system_server hal_tv_cec_client;
#line 339
#line 339
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 339
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 339
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 339
#line 339
typeattribute system_server hal_tv_cec;
#line 339
# Find passthrough HAL implementations
#line 339
allow hal_tv_cec system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 339
allow hal_tv_cec vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 339
allow hal_tv_cec vendor_file:file { read open getattr execute map };
#line 339
#line 339
#line 340
typeattribute system_server halclientdomain;
#line 340
typeattribute system_server hal_tv_hdmi_cec_client;
#line 340
#line 340
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 340
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 340
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 340
#line 340
typeattribute system_server hal_tv_hdmi_cec;
#line 340
# Find passthrough HAL implementations
#line 340
allow hal_tv_hdmi_cec system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 340
allow hal_tv_hdmi_cec vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 340
allow hal_tv_hdmi_cec vendor_file:file { read open getattr execute map };
#line 340
#line 340
#line 341
typeattribute system_server halclientdomain;
#line 341
typeattribute system_server hal_tv_hdmi_connection_client;
#line 341
#line 341
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 341
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 341
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 341
#line 341
typeattribute system_server hal_tv_hdmi_connection;
#line 341
# Find passthrough HAL implementations
#line 341
allow hal_tv_hdmi_connection system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 341
allow hal_tv_hdmi_connection vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 341
allow hal_tv_hdmi_connection vendor_file:file { read open getattr execute map };
#line 341
#line 341
#line 342
typeattribute system_server halclientdomain;
#line 342
typeattribute system_server hal_tv_hdmi_earc_client;
#line 342
#line 342
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 342
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 342
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 342
#line 342
typeattribute system_server hal_tv_hdmi_earc;
#line 342
# Find passthrough HAL implementations
#line 342
allow hal_tv_hdmi_earc system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 342
allow hal_tv_hdmi_earc vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 342
allow hal_tv_hdmi_earc vendor_file:file { read open getattr execute map };
#line 342
#line 342
#line 343
typeattribute system_server halclientdomain;
#line 343
typeattribute system_server hal_tv_input_client;
#line 343
#line 343
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 343
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 343
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 343
#line 343
typeattribute system_server hal_tv_input;
#line 343
# Find passthrough HAL implementations
#line 343
allow hal_tv_input system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 343
allow hal_tv_input vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 343
allow hal_tv_input vendor_file:file { read open getattr execute map };
#line 343
#line 343
#line 344
typeattribute system_server halclientdomain;
#line 344
typeattribute system_server hal_usb_client;
#line 344
#line 344
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 344
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 344
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 344
#line 344
typeattribute system_server hal_usb;
#line 344
# Find passthrough HAL implementations
#line 344
allow hal_usb system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 344
allow hal_usb vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 344
allow hal_usb vendor_file:file { read open getattr execute map };
#line 344
#line 344
#line 345
typeattribute system_server halclientdomain;
#line 345
typeattribute system_server hal_usb_gadget_client;
#line 345
#line 345
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 345
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 345
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 345
#line 345
typeattribute system_server hal_usb_gadget;
#line 345
# Find passthrough HAL implementations
#line 345
allow hal_usb_gadget system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 345
allow hal_usb_gadget vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 345
allow hal_usb_gadget vendor_file:file { read open getattr execute map };
#line 345
#line 345
#line 346
typeattribute system_server halclientdomain;
#line 346
typeattribute system_server hal_uwb_client;
#line 346
#line 346
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 346
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 346
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 346
#line 346
typeattribute system_server hal_uwb;
#line 346
# Find passthrough HAL implementations
#line 346
allow hal_uwb system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 346
allow hal_uwb vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 346
allow hal_uwb vendor_file:file { read open getattr execute map };
#line 346
#line 346
#line 347
typeattribute system_server halclientdomain;
#line 347
typeattribute system_server hal_vibrator_client;
#line 347
#line 347
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 347
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 347
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 347
#line 347
typeattribute system_server hal_vibrator;
#line 347
# Find passthrough HAL implementations
#line 347
allow hal_vibrator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 347
allow hal_vibrator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 347
allow hal_vibrator vendor_file:file { read open getattr execute map };
#line 347
#line 347
#line 348
typeattribute system_server halclientdomain;
#line 348
typeattribute system_server hal_vr_client;
#line 348
#line 348
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 348
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 348
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 348
#line 348
typeattribute system_server hal_vr;
#line 348
# Find passthrough HAL implementations
#line 348
allow hal_vr system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 348
allow hal_vr vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 348
allow hal_vr vendor_file:file { read open getattr execute map };
#line 348
#line 348
#line 349
typeattribute system_server halclientdomain;
#line 349
typeattribute system_server hal_weaver_client;
#line 349
#line 349
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 349
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 349
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 349
#line 349
typeattribute system_server hal_weaver;
#line 349
# Find passthrough HAL implementations
#line 349
allow hal_weaver system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 349
allow hal_weaver vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 349
allow hal_weaver vendor_file:file { read open getattr execute map };
#line 349
#line 349
#line 350
typeattribute system_server halclientdomain;
#line 350
typeattribute system_server hal_wifi_client;
#line 350
#line 350
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 350
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 350
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 350
#line 350
typeattribute system_server hal_wifi;
#line 350
# Find passthrough HAL implementations
#line 350
allow hal_wifi system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 350
allow hal_wifi vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 350
allow hal_wifi vendor_file:file { read open getattr execute map };
#line 350
#line 350
#line 351
typeattribute system_server halclientdomain;
#line 351
typeattribute system_server hal_wifi_hostapd_client;
#line 351
#line 351
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 351
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 351
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 351
#line 351
typeattribute system_server hal_wifi_hostapd;
#line 351
# Find passthrough HAL implementations
#line 351
allow hal_wifi_hostapd system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 351
allow hal_wifi_hostapd vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 351
allow hal_wifi_hostapd vendor_file:file { read open getattr execute map };
#line 351
#line 351
#line 352
typeattribute system_server halclientdomain;
#line 352
typeattribute system_server hal_wifi_supplicant_client;
#line 352
#line 352
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 352
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 352
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 352
#line 352
typeattribute system_server hal_wifi_supplicant;
#line 352
# Find passthrough HAL implementations
#line 352
allow hal_wifi_supplicant system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 352
allow hal_wifi_supplicant vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 352
allow hal_wifi_supplicant vendor_file:file { read open getattr execute map };
#line 352
#line 352
# The bootctl HAL runs in passthrough mode under recovery. So we skip the
# permission for recovery in order not to give system_server access to
# the low-level block devices.
#line 356
typeattribute system_server halclientdomain;
#line 356
typeattribute system_server hal_bootctl_client;
#line 356
#line 356
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 356
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 356
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 356
#line 356
typeattribute system_server hal_bootctl;
#line 356
# Find passthrough HAL implementations
#line 356
allow hal_bootctl system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 356
allow hal_bootctl vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 356
allow hal_bootctl vendor_file:file { read open getattr execute map };
#line 356
#line 356
# Talk with graphics composer fences
allow system_server hal_graphics_composer:fd use;
# Use RenderScript always-passthrough HAL
allow system_server hal_renderscript_hwservice:hwservice_manager find;
allow system_server same_process_hal_file:file { execute read open getattr map };
# Talk to tombstoned to get ANR traces.
#line 366
allow system_server tombstoned_intercept_socket:sock_file write;
#line 366
allow system_server tombstoned:unix_stream_socket connectto;
#line 366
# List HAL interfaces to get ANR traces.
allow system_server hwservicemanager:hwservice_manager list;
allow system_server servicemanager:service_manager list;
# Send signals to trigger ANR traces.
allow system_server {
# This is derived from the list that system server defines as interesting native processes
# to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
# frameworks/base/services/core/java/com/android/server/Watchdog.java.
artd
audioserver
cameraserver
drmserver
gpuservice
inputflinger
keystore
mediadrmserver
mediaextractor
mediametrics
mediaserver
mediaswcodec
mediatranscoding
mediatuner
netd
sdcardd
servicemanager
statsd
surfaceflinger
vold
# This list comes from HAL_INTERFACES_OF_INTEREST in
# frameworks/base/services/core/java/com/android/server/Watchdog.java.
hal_audio_server
hal_bluetooth_server
hal_camera_server
hal_codec2_server
hal_face_server
hal_fingerprint_server
hal_gnss_server
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
hal_input_processor_server
hal_light_server
hal_neuralnetworks_server
hal_omx_server
hal_power_server
hal_power_stats_server
hal_sensors_server
hal_vibrator_server
hal_vr_server
system_suspend_server
}:process { signal };
# Use sockets received over binder from various services.
allow system_server audioserver:tcp_socket { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map };
allow system_server audioserver:udp_socket { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map };
allow system_server mediaserver:tcp_socket { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map };
allow system_server mediaserver:udp_socket { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map };
# Use sockets received over binder from various services.
allow system_server mediadrmserver:tcp_socket { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map };
allow system_server mediadrmserver:udp_socket { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map };
# Write trace data to the Perfetto traced daemon. This requires connecting to
# its producer socket and obtaining a (per-process) tmpfs fd.
#line 434
allow system_server traced:fd use;
#line 434
allow system_server traced_tmpfs:file { read write getattr map };
#line 434
#line 434
allow system_server traced_producer_socket:sock_file write;
#line 434
allow system_server traced:unix_stream_socket connectto;
#line 434
#line 434
#line 434
# Also allow the service to use the producer file descriptors. This is
#line 434
# necessary when the producer is creating the shared memory, as it will be
#line 434
# passed to the service as a file descriptor (obtained from memfd_create).
#line 434
allow traced system_server:fd use;
#line 434
# Get file context. Only read-class permissions are granted here, so
# file_contexts cannot be modified through this rule.
allow system_server file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# Read access for mac_permissions (no write set is granted).
allow system_server mac_perms_file: file { getattr open read ioctl lock map watch watch_reads };
# Check SELinux permissions.
#line 441
#line 441
allow system_server selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 441
allow system_server selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 441
#line 441
# Write access to selinuxfs files; presumably used to submit access queries.
# Note this applies to every file labeled selinuxfs, not to a single node.
allow system_server selinuxfs:file { open append write lock map };
#line 441
# Ask the kernel for an access decision. compute_av is the only permission
# on the security class granted in this run.
allow system_server kernel:security compute_av;
#line 441
# NOTE(review): the full netlink_selinux_socket permission set is granted on
# self here; presumably for policy-change notifications - confirm with the
# caller before trimming this set.
allow system_server self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
#line 441
# Directory-level read/search on every sysfs_type; per-type file access is
# granted separately below.
allow system_server sysfs_type:dir { open getattr read search ioctl lock watch watch_reads };
# sysfs access. In this run a write set is expanded only for android_usb,
# ipv4, nfc_power_writable, power, uhid, vibrator and usb; extcon, rtc,
# switch and thermal get read-class permissions only.
#line 445
allow system_server sysfs_android_usb:dir { open getattr read search ioctl lock watch watch_reads };
#line 445
allow system_server sysfs_android_usb:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 445
allow system_server sysfs_android_usb:file { open append write lock map };
#line 448
allow system_server sysfs_extcon:dir { open getattr read search ioctl lock watch watch_reads };
#line 448
allow system_server sysfs_extcon:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 448
#line 450
allow system_server sysfs_ipv4:dir { open getattr read search ioctl lock watch watch_reads };
#line 450
allow system_server sysfs_ipv4:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 450
allow system_server sysfs_ipv4:file { open append write lock map };
#line 453
allow system_server sysfs_rtc:dir { open getattr read search ioctl lock watch watch_reads };
#line 453
allow system_server sysfs_rtc:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 453
#line 454
allow system_server sysfs_switch:dir { open getattr read search ioctl lock watch watch_reads };
#line 454
allow system_server sysfs_switch:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 454
allow system_server sysfs_nfc_power_writable:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow system_server sysfs_power:dir search;
allow system_server sysfs_power:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow system_server sysfs_thermal:dir search;
# thermal is read-only: no write set is granted on sysfs_thermal:file.
allow system_server sysfs_thermal:file { getattr open read ioctl lock map watch watch_reads };
allow system_server sysfs_uhid:dir { open getattr read search ioctl lock watch watch_reads };
allow system_server sysfs_uhid:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# TODO: Remove when HALs are forced into separate processes
allow system_server sysfs_vibrator:file { write append };
# TODO: added to match above sysfs rule. Remove me?
allow system_server sysfs_usb:file { open append write lock map };
# Access devices.
allow system_server device:dir { open getattr read search ioctl lock watch watch_reads };
allow system_server mdns_socket:sock_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow system_server gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow system_server gpu_device:dir { open getattr read search ioctl lock watch watch_reads };
allow system_server sysfs_gpu:file { getattr open read ioctl lock map watch watch_reads };
allow system_server input_device:dir { open getattr read search ioctl lock watch watch_reads };
allow system_server input_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow system_server tty_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow system_server usbaccessory_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow system_server video_device:dir { open getattr read search ioctl lock watch watch_reads };
allow system_server video_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow system_server adbd_socket:sock_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow system_server rtc_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow system_server audio_device:dir { open getattr read search ioctl lock watch watch_reads };
allow system_server uhid_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow system_server hidraw_device:dir { open getattr read search ioctl lock watch watch_reads };
allow system_server hidraw_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
allow system_server audio_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# tun device used for third-party VPN apps and the test network manager
allow system_server tun_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# The ioctl permission granted above is narrowed by this extended-permission
# rule: once an allowxperm rule exists for this source/target/class, only the
# listed request codes are permitted and every other tun ioctl is denied.
# These values correspond to TUNGETIFF, TUNSETIFF, TUNSETLINK and TUNSETCARRIER
# in the kernel's if_tun.h - verify against the target kernel headers.
allowxperm system_server tun_device:chr_file ioctl { 0x800454d2 0x400454ca 0x400454cd 0x400454e2 };
# Manage data/ota_package
allow system_server ota_package_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow system_server ota_package_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Manage system data files.
allow system_server system_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server system_data_file:{ file lnk_file sock_file fifo_file } { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow system_server packages_list_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow system_server game_mode_intervention_list_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow system_server keychain_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server keychain_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow system_server keychain_data_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Read the user parent directories like /data/user. Don't allow write access,
# as vold is responsible for creating and deleting the subdirectories.
allow system_server system_userdir_file:dir { open getattr read search ioctl lock watch watch_reads };
# Manage /data/app.
allow system_server apk_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server apk_data_file:{ file lnk_file } { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } link };
allow system_server apk_tmp_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server apk_tmp_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Access input configuration files in the /vendor directory
#line 520
allow system_server vendor_keylayout_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 520
allow system_server vendor_keylayout_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 520
#line 521
allow system_server vendor_keychars_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 521
allow system_server vendor_keychars_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 521
#line 522
allow system_server vendor_idc_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 522
allow system_server vendor_idc_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 522
#line 523
allow system_server input_device_config_prop:file { getattr open read map };
#line 523
# Access /vendor/{app,framework,overlay}
#line 526
allow system_server vendor_app_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 526
allow system_server vendor_app_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 526
#line 527
allow system_server vendor_framework_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 527
allow system_server vendor_framework_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 527
#line 528
allow system_server vendor_overlay_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 528
allow system_server vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 528
# Manage /data/app-private.
allow system_server apk_private_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server apk_private_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow system_server apk_private_tmp_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server apk_private_tmp_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Manage files within asec containers.
allow system_server asec_apk_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server asec_apk_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow system_server asec_public_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Manage /data/anr.
#
# TODO: Some of these permissions can be withdrawn once we've switched to the
# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
# the system_server should never need to create a new anr_data_file:file or write
# to one, but it will still need to read and append to existing files.
allow system_server anr_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server anr_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# New stack dumping scheme : request an output FD from tombstoned via a unix
# domain socket.
#
# Allow system_server to connect and write to the tombstoned java trace socket in
# order to dump its traces. Also allow the system server to write its traces to
# dumpstate during bugreport capture and incidentd during incident collection.
#line 556
allow system_server tombstoned_java_trace_socket:sock_file write;
#line 556
allow system_server tombstoned:unix_stream_socket connectto;
#line 556
allow system_server tombstoned:fd use;
allow system_server dumpstate:fifo_file append;
allow system_server incidentd:fifo_file append;
# Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`)
#line 563
# Allow system_server to read pipes from incidentd (used to deliver incident reports
# to dropbox)
allow system_server incidentd:fifo_file read;
# Read /data/misc/incidents - only read. The fd will be sent over binder,
# with no DAC access to it, for dropbox to read.
allow system_server incident_data_file:file read;
# Manage /data/misc/prereboot.
allow system_server prereboot_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow system_server prereboot_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow tracing proxy service to read traces. Only the fd is sent over
# binder.
allow system_server perfetto_traces_data_file:file { read getattr };
allow system_server perfetto:fd use;
# Allow system_server to exec the perfetto cmdline client and pass it a trace config
#line 583
# Allow the necessary permissions.
#line 583
#line 583
# Old domain may exec the file and transition to the new domain.
#line 583
allow system_server perfetto_exec:file { getattr open read execute map };
#line 583
allow system_server perfetto:process transition;
#line 583
# New domain is entered by executing the file.
#line 583
allow perfetto perfetto_exec:file { entrypoint open read execute getattr map };
#line 583
# New domain can send SIGCHLD to its caller.
#line 583
allow perfetto system_server:process sigchld;
#line 583
# Enable AT_SECURE, i.e. libc secure mode.
#line 583
dontaudit system_server perfetto:process noatsecure;
#line 583
# XXX dontaudit candidate but requires further study.
#line 583
allow system_server perfetto:process { siginh rlimitinh };
#line 583
#line 583
# Make the transition occur by default.
#line 583
type_transition system_server perfetto_exec:process perfetto;
#line 583
;
allow system_server perfetto:fifo_file { read write };
# Allow system server to manage perfetto traces for ProfilingService.
allow system_server perfetto_traces_profiling_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow system_server perfetto_traces_profiling_data_file:file { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } unlink };
allow system_server perfetto_traces_data_file:dir search;
# Manage /data/backup.
allow system_server backup_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server backup_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Write to /data/system/dropbox
allow system_server dropbox_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server dropbox_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Write to /data/system/heapdump
allow system_server heapdump_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow system_server heapdump_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Manage /data/misc/adb.
allow system_server adb_keys_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server adb_keys_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Manage /data/misc/appcompat.
allow system_server appcompat_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow system_server appcompat_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Manage /data/misc/emergencynumberdb
allow system_server emergency_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server emergency_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Manage /data/misc/network_watchlist
allow system_server network_watchlist_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server network_watchlist_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Manage /data/misc/sms.
# TODO: Split into a separate type?
allow system_server radio_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server radio_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Manage /data/misc/systemkeys.
allow system_server systemkeys_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server systemkeys_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Manage /data/misc/textclassifier.
allow system_server textclassifier_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server textclassifier_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Manage /data/tombstones.
allow system_server tombstone_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow system_server tombstone_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Manage /data/misc/vpn.
allow system_server vpn_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server vpn_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Manage /data/misc/wifi.
allow system_server wifi_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server wifi_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Manage /data/app-staging.
allow system_server staging_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server staging_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Manage /data/rollback.
allow system_server staging_data_file:{ file lnk_file } { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } link };
# Walk /data/data subdirectories.
allow system_server app_data_file_type:dir { getattr read search };
# Also permit for unlabeled /data/data subdirectories and
# for unlabeled asec containers on upgrades from 4.2.
allow system_server unlabeled:dir { open getattr read search ioctl lock watch watch_reads };
# Read pkg.apk file before it has been relabeled by vold.
allow system_server unlabeled:file { getattr open read ioctl lock map watch watch_reads };
# Populate com.android.providers.settings/databases/settings.db.
allow system_server system_app_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server system_app_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Receive and use open app data files passed over binder IPC.
allow system_server app_data_file_type:file { getattr read write append map };
# Access to /data/media for measuring disk usage.
allow system_server media_rw_data_file:dir { search getattr open read };
# Receive and use open /data/media files passed over binder IPC.
# Also used for measuring disk usage.
allow system_server media_rw_data_file:file { getattr read write append };
# System server needs to setfscreate to packages_list_file when writing
# /data/system/packages.list
allow system_server system_server:process setfscreate;
# Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
# Allow PackageManager to:
# 1. rename file from /data/app-staging folder to /data/app
# 2. relabel files (linked to /data/rollback) under /data/app-staging
# during staged apk/apex install.
allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto };
# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
allow system_server wallpaper_file:file relabelto;
allow system_server wallpaper_file:file { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } rename unlink };
# Backup of wallpaper imagery uses temporary hard links to avoid data churn
allow system_server { system_data_file wallpaper_file }:file link;
# ShortcutManager icons
allow system_server system_data_file:dir relabelfrom;
allow system_server shortcut_manager_icons:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelto };
allow system_server shortcut_manager_icons:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Manage ringtones.
allow system_server ringtone_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelto };
allow system_server ringtone_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Relabel icon file.
allow system_server icon_file:file relabelto;
allow system_server icon_file:file { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } unlink };
# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
allow system_server system_data_file:dir relabelfrom;
# server_configurable_flags_data_file is used for storing server configurable flags which
# have been reset during current booting. system_server needs to read the data to perform related
# disaster recovery actions.
allow system_server server_configurable_flags_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow system_server server_configurable_flags_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Property Service write
#line 718
#line 718
allow system_server property_socket:sock_file write;
#line 718
allow system_server init:unix_stream_socket connectto;
#line 718
#line 718
allow system_server system_prop:property_service set;
#line 718
#line 718
allow system_server system_prop:file { getattr open read map };
#line 718
#line 718
#line 719
#line 719
allow system_server property_socket:sock_file write;
#line 719
allow system_server init:unix_stream_socket connectto;
#line 719
#line 719
allow system_server bootanim_system_prop:property_service set;
#line 719
#line 719
allow system_server bootanim_system_prop:file { getattr open read map };
#line 719
#line 719
#line 720
#line 720
allow system_server property_socket:sock_file write;
#line 720
allow system_server init:unix_stream_socket connectto;
#line 720
#line 720
allow system_server bluetooth_prop:property_service set;
#line 720
#line 720
allow system_server bluetooth_prop:file { getattr open read map };
#line 720
#line 720
#line 721
#line 721
allow system_server property_socket:sock_file write;
#line 721
allow system_server init:unix_stream_socket connectto;
#line 721
#line 721
allow system_server exported_system_prop:property_service set;
#line 721
#line 721
allow system_server exported_system_prop:file { getattr open read map };
#line 721
#line 721
#line 722
#line 722
allow system_server property_socket:sock_file write;
#line 722
allow system_server init:unix_stream_socket connectto;
#line 722
#line 722
allow system_server exported3_system_prop:property_service set;
#line 722
#line 722
allow system_server exported3_system_prop:file { getattr open read map };
#line 722
#line 722
#line 723
#line 723
allow system_server property_socket:sock_file write;
#line 723
allow system_server init:unix_stream_socket connectto;
#line 723
#line 723
allow system_server safemode_prop:property_service set;
#line 723
#line 723
allow system_server safemode_prop:file { getattr open read map };
#line 723
#line 723
#line 724
#line 724
allow system_server property_socket:sock_file write;
#line 724
allow system_server init:unix_stream_socket connectto;
#line 724
#line 724
allow system_server theme_prop:property_service set;
#line 724
#line 724
allow system_server theme_prop:file { getattr open read map };
#line 724
#line 724
#line 725
#line 725
allow system_server property_socket:sock_file write;
#line 725
allow system_server init:unix_stream_socket connectto;
#line 725
#line 725
allow system_server dhcp_prop:property_service set;
#line 725
#line 725
allow system_server dhcp_prop:file { getattr open read map };
#line 725
#line 725
#line 726
#line 726
allow system_server property_socket:sock_file write;
#line 726
allow system_server init:unix_stream_socket connectto;
#line 726
#line 726
allow system_server net_connectivity_prop:property_service set;
#line 726
#line 726
allow system_server net_connectivity_prop:file { getattr open read map };
#line 726
#line 726
#line 727
#line 727
allow system_server property_socket:sock_file write;
#line 727
allow system_server init:unix_stream_socket connectto;
#line 727
#line 727
allow system_server net_radio_prop:property_service set;
#line 727
#line 727
allow system_server net_radio_prop:file { getattr open read map };
#line 727
#line 727
#line 728
#line 728
allow system_server property_socket:sock_file write;
#line 728
allow system_server init:unix_stream_socket connectto;
#line 728
#line 728
allow system_server net_dns_prop:property_service set;
#line 728
#line 728
allow system_server net_dns_prop:file { getattr open read map };
#line 728
#line 728
#line 729
#line 729
allow system_server property_socket:sock_file write;
#line 729
allow system_server init:unix_stream_socket connectto;
#line 729
#line 729
allow system_server usb_control_prop:property_service set;
#line 729
#line 729
allow system_server usb_control_prop:file { getattr open read map };
#line 729
#line 729
#line 730
#line 730
allow system_server property_socket:sock_file write;
#line 730
allow system_server init:unix_stream_socket connectto;
#line 730
#line 730
allow system_server usb_prop:property_service set;
#line 730
#line 730
allow system_server usb_prop:file { getattr open read map };
#line 730
#line 730
#line 731
#line 731
allow system_server property_socket:sock_file write;
#line 731
allow system_server init:unix_stream_socket connectto;
#line 731
#line 731
allow system_server debug_prop:property_service set;
#line 731
#line 731
allow system_server debug_prop:file { getattr open read map };
#line 731
#line 731
#line 732
#line 732
allow system_server property_socket:sock_file write;
#line 732
allow system_server init:unix_stream_socket connectto;
#line 732
#line 732
allow system_server powerctl_prop:property_service set;
#line 732
#line 732
allow system_server powerctl_prop:file { getattr open read map };
#line 732
#line 732
#line 733
#line 733
allow system_server property_socket:sock_file write;
#line 733
allow system_server init:unix_stream_socket connectto;
#line 733
#line 733
allow system_server fingerprint_prop:property_service set;
#line 733
#line 733
allow system_server fingerprint_prop:file { getattr open read map };
#line 733
#line 733
#line 734
#line 734
allow system_server property_socket:sock_file write;
#line 734
allow system_server init:unix_stream_socket connectto;
#line 734
#line 734
allow system_server device_logging_prop:property_service set;
#line 734
#line 734
allow system_server device_logging_prop:file { getattr open read map };
#line 734
#line 734
#line 735
#line 735
allow system_server property_socket:sock_file write;
#line 735
allow system_server init:unix_stream_socket connectto;
#line 735
#line 735
allow system_server dumpstate_options_prop:property_service set;
#line 735
#line 735
allow system_server dumpstate_options_prop:file { getattr open read map };
#line 735
#line 735
#line 736
#line 736
allow system_server property_socket:sock_file write;
#line 736
allow system_server init:unix_stream_socket connectto;
#line 736
#line 736
allow system_server overlay_prop:property_service set;
#line 736
#line 736
allow system_server overlay_prop:file { getattr open read map };
#line 736
#line 736
#line 737
#line 737
allow system_server property_socket:sock_file write;
#line 737
allow system_server init:unix_stream_socket connectto;
#line 737
#line 737
allow system_server exported_overlay_prop:property_service set;
#line 737
#line 737
allow system_server exported_overlay_prop:file { getattr open read map };
#line 737
#line 737
#line 738
#line 738
allow system_server property_socket:sock_file write;
#line 738
allow system_server init:unix_stream_socket connectto;
#line 738
#line 738
allow system_server pm_prop:property_service set;
#line 738
#line 738
allow system_server pm_prop:file { getattr open read map };
#line 738
#line 738
#line 739
#line 739
allow system_server property_socket:sock_file write;
#line 739
allow system_server init:unix_stream_socket connectto;
#line 739
#line 739
allow system_server exported_pm_prop:property_service set;
#line 739
#line 739
allow system_server exported_pm_prop:file { getattr open read map };
#line 739
#line 739
#line 740
#line 740
allow system_server property_socket:sock_file write;
#line 740
allow system_server init:unix_stream_socket connectto;
#line 740
#line 740
allow system_server socket_hook_prop:property_service set;
#line 740
#line 740
allow system_server socket_hook_prop:file { getattr open read map };
#line 740
#line 740
#line 741
#line 741
allow system_server property_socket:sock_file write;
#line 741
allow system_server init:unix_stream_socket connectto;
#line 741
#line 741
allow system_server audio_prop:property_service set;
#line 741
#line 741
allow system_server audio_prop:file { getattr open read map };
#line 741
#line 741
#line 742
#line 742
allow system_server property_socket:sock_file write;
#line 742
allow system_server init:unix_stream_socket connectto;
#line 742
#line 742
allow system_server boot_status_prop:property_service set;
#line 742
#line 742
allow system_server boot_status_prop:file { getattr open read map };
#line 742
#line 742
#line 743
#line 743
allow system_server property_socket:sock_file write;
#line 743
allow system_server init:unix_stream_socket connectto;
#line 743
#line 743
allow system_server surfaceflinger_color_prop:property_service set;
#line 743
#line 743
allow system_server surfaceflinger_color_prop:file { getattr open read map };
#line 743
#line 743
#line 744
#line 744
allow system_server property_socket:sock_file write;
#line 744
allow system_server init:unix_stream_socket connectto;
#line 744
#line 744
allow system_server provisioned_prop:property_service set;
#line 744
#line 744
allow system_server provisioned_prop:file { getattr open read map };
#line 744
#line 744
#line 745
#line 745
allow system_server property_socket:sock_file write;
#line 745
allow system_server init:unix_stream_socket connectto;
#line 745
#line 745
allow system_server retaildemo_prop:property_service set;
#line 745
#line 745
allow system_server retaildemo_prop:file { getattr open read map };
#line 745
#line 745
#line 746
#line 746
allow system_server property_socket:sock_file write;
#line 746
allow system_server init:unix_stream_socket connectto;
#line 746
#line 746
allow system_server dmesgd_start_prop:property_service set;
#line 746
#line 746
allow system_server dmesgd_start_prop:file { getattr open read map };
#line 746
#line 746
#line 747
#line 747
allow system_server property_socket:sock_file write;
#line 747
allow system_server init:unix_stream_socket connectto;
#line 747
#line 747
allow system_server locale_prop:property_service set;
#line 747
#line 747
allow system_server locale_prop:file { getattr open read map };
#line 747
#line 747
#line 748
#line 748
allow system_server property_socket:sock_file write;
#line 748
allow system_server init:unix_stream_socket connectto;
#line 748
#line 748
allow system_server timezone_metadata_prop:property_service set;
#line 748
#line 748
allow system_server timezone_metadata_prop:file { getattr open read map };
#line 748
#line 748
#line 749
#line 749
allow system_server property_socket:sock_file write;
#line 749
allow system_server init:unix_stream_socket connectto;
#line 749
#line 749
allow system_server timezone_prop:property_service set;
#line 749
#line 749
allow system_server timezone_prop:file { getattr open read map };
#line 749
#line 749
#line 750
#line 750
allow system_server property_socket:sock_file write;
#line 750
allow system_server init:unix_stream_socket connectto;
#line 750
#line 750
allow system_server crashrecovery_prop:property_service set;
#line 750
#line 750
allow system_server crashrecovery_prop:file { getattr open read map };
#line 750
#line 750
# ctl interface
#line 755
#line 755
allow system_server property_socket:sock_file write;
#line 755
allow system_server init:unix_stream_socket connectto;
#line 755
#line 755
allow system_server ctl_default_prop:property_service set;
#line 755
#line 755
allow system_server ctl_default_prop:file { getattr open read map };
#line 755
#line 755
#line 756
#line 756
allow system_server property_socket:sock_file write;
#line 756
allow system_server init:unix_stream_socket connectto;
#line 756
#line 756
allow system_server ctl_bugreport_prop:property_service set;
#line 756
#line 756
allow system_server ctl_bugreport_prop:file { getattr open read map };
#line 756
#line 756
#line 757
#line 757
allow system_server property_socket:sock_file write;
#line 757
allow system_server init:unix_stream_socket connectto;
#line 757
#line 757
allow system_server ctl_gsid_prop:property_service set;
#line 757
#line 757
allow system_server ctl_gsid_prop:file { getattr open read map };
#line 757
#line 757
# cppreopt property
#line 760
#line 760
allow system_server property_socket:sock_file write;
#line 760
allow system_server init:unix_stream_socket connectto;
#line 760
#line 760
allow system_server cppreopt_prop:property_service set;
#line 760
#line 760
allow system_server cppreopt_prop:file { getattr open read map };
#line 760
#line 760
# server configurable flags properties
#line 763
#line 763
allow system_server property_socket:sock_file write;
#line 763
allow system_server init:unix_stream_socket connectto;
#line 763
#line 763
allow system_server device_config_core_experiments_team_internal_prop:property_service set;
#line 763
#line 763
allow system_server device_config_core_experiments_team_internal_prop:file { getattr open read map };
#line 763
#line 763
#line 764
#line 764
allow system_server property_socket:sock_file write;
#line 764
allow system_server init:unix_stream_socket connectto;
#line 764
#line 764
allow system_server device_config_edgetpu_native_prop:property_service set;
#line 764
#line 764
allow system_server device_config_edgetpu_native_prop:file { getattr open read map };
#line 764
#line 764
#line 765
#line 765
allow system_server property_socket:sock_file write;
#line 765
allow system_server init:unix_stream_socket connectto;
#line 765
#line 765
allow system_server device_config_input_native_boot_prop:property_service set;
#line 765
#line 765
allow system_server device_config_input_native_boot_prop:file { getattr open read map };
#line 765
#line 765
#line 766
#line 766
allow system_server property_socket:sock_file write;
#line 766
allow system_server init:unix_stream_socket connectto;
#line 766
#line 766
allow system_server device_config_netd_native_prop:property_service set;
#line 766
#line 766
allow system_server device_config_netd_native_prop:file { getattr open read map };
#line 766
#line 766
#line 767
#line 767
allow system_server property_socket:sock_file write;
#line 767
allow system_server init:unix_stream_socket connectto;
#line 767
#line 767
allow system_server device_config_nnapi_native_prop:property_service set;
#line 767
#line 767
allow system_server device_config_nnapi_native_prop:file { getattr open read map };
#line 767
#line 767
#line 768
#line 768
allow system_server property_socket:sock_file write;
#line 768
allow system_server init:unix_stream_socket connectto;
#line 768
#line 768
allow system_server device_config_activity_manager_native_boot_prop:property_service set;
#line 768
#line 768
allow system_server device_config_activity_manager_native_boot_prop:file { getattr open read map };
#line 768
#line 768
#line 769
#line 769
allow system_server property_socket:sock_file write;
#line 769
allow system_server init:unix_stream_socket connectto;
#line 769
#line 769
allow system_server device_config_runtime_native_boot_prop:property_service set;
#line 769
#line 769
allow system_server device_config_runtime_native_boot_prop:file { getattr open read map };
#line 769
#line 769
#line 770
#line 770
allow system_server property_socket:sock_file write;
#line 770
allow system_server init:unix_stream_socket connectto;
#line 770
#line 770
allow system_server device_config_runtime_native_prop:property_service set;
#line 770
#line 770
allow system_server device_config_runtime_native_prop:file { getattr open read map };
#line 770
#line 770
#line 771
#line 771
allow system_server property_socket:sock_file write;
#line 771
allow system_server init:unix_stream_socket connectto;
#line 771
#line 771
allow system_server device_config_lmkd_native_prop:property_service set;
#line 771
#line 771
allow system_server device_config_lmkd_native_prop:file { getattr open read map };
#line 771
#line 771
#line 772
#line 772
allow system_server property_socket:sock_file write;
#line 772
allow system_server init:unix_stream_socket connectto;
#line 772
#line 772
allow system_server device_config_media_native_prop:property_service set;
#line 772
#line 772
allow system_server device_config_media_native_prop:file { getattr open read map };
#line 772
#line 772
#line 773
#line 773
allow system_server property_socket:sock_file write;
#line 773
allow system_server init:unix_stream_socket connectto;
#line 773
#line 773
allow system_server device_config_camera_native_prop:property_service set;
#line 773
#line 773
allow system_server device_config_camera_native_prop:file { getattr open read map };
#line 773
#line 773
#line 774
#line 774
allow system_server property_socket:sock_file write;
#line 774
allow system_server init:unix_stream_socket connectto;
#line 774
#line 774
allow system_server device_config_mglru_native_prop:property_service set;
#line 774
#line 774
allow system_server device_config_mglru_native_prop:file { getattr open read map };
#line 774
#line 774
#line 775
#line 775
allow system_server property_socket:sock_file write;
#line 775
allow system_server init:unix_stream_socket connectto;
#line 775
#line 775
allow system_server device_config_profcollect_native_boot_prop:property_service set;
#line 775
#line 775
allow system_server device_config_profcollect_native_boot_prop:file { getattr open read map };
#line 775
#line 775
#line 776
#line 776
allow system_server property_socket:sock_file write;
#line 776
allow system_server init:unix_stream_socket connectto;
#line 776
#line 776
allow system_server device_config_statsd_native_prop:property_service set;
#line 776
#line 776
allow system_server device_config_statsd_native_prop:file { getattr open read map };
#line 776
#line 776
#line 777
#line 777
allow system_server property_socket:sock_file write;
#line 777
allow system_server init:unix_stream_socket connectto;
#line 777
#line 777
allow system_server device_config_statsd_native_boot_prop:property_service set;
#line 777
#line 777
allow system_server device_config_statsd_native_boot_prop:file { getattr open read map };
#line 777
#line 777
#line 778
#line 778
allow system_server property_socket:sock_file write;
#line 778
allow system_server init:unix_stream_socket connectto;
#line 778
#line 778
allow system_server device_config_storage_native_boot_prop:property_service set;
#line 778
#line 778
allow system_server device_config_storage_native_boot_prop:file { getattr open read map };
#line 778
#line 778
#line 779
#line 779
allow system_server property_socket:sock_file write;
#line 779
allow system_server init:unix_stream_socket connectto;
#line 779
#line 779
allow system_server device_config_swcodec_native_prop:property_service set;
#line 779
#line 779
allow system_server device_config_swcodec_native_prop:file { getattr open read map };
#line 779
#line 779
#line 780
#line 780
allow system_server property_socket:sock_file write;
#line 780
allow system_server init:unix_stream_socket connectto;
#line 780
#line 780
allow system_server device_config_sys_traced_prop:property_service set;
#line 780
#line 780
allow system_server device_config_sys_traced_prop:file { getattr open read map };
#line 780
#line 780
#line 781
#line 781
allow system_server property_socket:sock_file write;
#line 781
allow system_server init:unix_stream_socket connectto;
#line 781
#line 781
allow system_server device_config_window_manager_native_boot_prop:property_service set;
#line 781
#line 781
allow system_server device_config_window_manager_native_boot_prop:file { getattr open read map };
#line 781
#line 781
#line 782
#line 782
allow system_server property_socket:sock_file write;
#line 782
allow system_server init:unix_stream_socket connectto;
#line 782
#line 782
allow system_server device_config_configuration_prop:property_service set;
#line 782
#line 782
allow system_server device_config_configuration_prop:file { getattr open read map };
#line 782
#line 782
#line 783
#line 783
allow system_server property_socket:sock_file write;
#line 783
allow system_server init:unix_stream_socket connectto;
#line 783
#line 783
allow system_server device_config_connectivity_prop:property_service set;
#line 783
#line 783
allow system_server device_config_connectivity_prop:file { getattr open read map };
#line 783
#line 783
#line 784
#line 784
allow system_server property_socket:sock_file write;
#line 784
allow system_server init:unix_stream_socket connectto;
#line 784
#line 784
allow system_server device_config_surface_flinger_native_boot_prop:property_service set;
#line 784
#line 784
allow system_server device_config_surface_flinger_native_boot_prop:file { getattr open read map };
#line 784
#line 784
#line 785
#line 785
allow system_server property_socket:sock_file write;
#line 785
allow system_server init:unix_stream_socket connectto;
#line 785
#line 785
allow system_server device_config_aconfig_flags_prop:property_service set;
#line 785
#line 785
allow system_server device_config_aconfig_flags_prop:file { getattr open read map };
#line 785
#line 785
#line 786
#line 786
allow system_server property_socket:sock_file write;
#line 786
allow system_server init:unix_stream_socket connectto;
#line 786
#line 786
allow system_server device_config_vendor_system_native_prop:property_service set;
#line 786
#line 786
allow system_server device_config_vendor_system_native_prop:file { getattr open read map };
#line 786
#line 786
#line 787
#line 787
allow system_server property_socket:sock_file write;
#line 787
allow system_server init:unix_stream_socket connectto;
#line 787
#line 787
allow system_server device_config_vendor_system_native_boot_prop:property_service set;
#line 787
#line 787
allow system_server device_config_vendor_system_native_boot_prop:file { getattr open read map };
#line 787
#line 787
#line 788
#line 788
allow system_server property_socket:sock_file write;
#line 788
allow system_server init:unix_stream_socket connectto;
#line 788
#line 788
allow system_server device_config_virtualization_framework_native_prop:property_service set;
#line 788
#line 788
allow system_server device_config_virtualization_framework_native_prop:file { getattr open read map };
#line 788
#line 788
#line 789
#line 789
allow system_server property_socket:sock_file write;
#line 789
allow system_server init:unix_stream_socket connectto;
#line 789
#line 789
allow system_server device_config_memory_safety_native_boot_prop:property_service set;
#line 789
#line 789
allow system_server device_config_memory_safety_native_boot_prop:file { getattr open read map };
#line 789
#line 789
#line 790
#line 790
allow system_server property_socket:sock_file write;
#line 790
allow system_server init:unix_stream_socket connectto;
#line 790
#line 790
allow system_server device_config_memory_safety_native_prop:property_service set;
#line 790
#line 790
allow system_server device_config_memory_safety_native_prop:file { getattr open read map };
#line 790
#line 790
#line 791
#line 791
allow system_server property_socket:sock_file write;
#line 791
allow system_server init:unix_stream_socket connectto;
#line 791
#line 791
allow system_server device_config_remote_key_provisioning_native_prop:property_service set;
#line 791
#line 791
allow system_server device_config_remote_key_provisioning_native_prop:file { getattr open read map };
#line 791
#line 791
#line 792
#line 792
allow system_server property_socket:sock_file write;
#line 792
allow system_server init:unix_stream_socket connectto;
#line 792
#line 792
allow system_server device_config_tethering_u_or_later_native_prop:property_service set;
#line 792
#line 792
allow system_server device_config_tethering_u_or_later_native_prop:file { getattr open read map };
#line 792
#line 792
#line 793
#line 793
allow system_server property_socket:sock_file write;
#line 793
allow system_server init:unix_stream_socket connectto;
#line 793
#line 793
allow system_server smart_idle_maint_enabled_prop:property_service set;
#line 793
#line 793
allow system_server smart_idle_maint_enabled_prop:file { getattr open read map };
#line 793
#line 793
#line 794
#line 794
allow system_server property_socket:sock_file write;
#line 794
allow system_server init:unix_stream_socket connectto;
#line 794
#line 794
allow system_server arm64_memtag_prop:property_service set;
#line 794
#line 794
allow system_server arm64_memtag_prop:file { getattr open read map };
#line 794
#line 794
# staged flag properties
#line 797
#line 797
allow system_server property_socket:sock_file write;
#line 797
allow system_server init:unix_stream_socket connectto;
#line 797
#line 797
allow system_server next_boot_prop:property_service set;
#line 797
#line 797
allow system_server next_boot_prop:file { getattr open read map };
#line 797
#line 797
# Allow query ART device config properties
#line 800
allow system_server device_config_runtime_native_boot_prop:file { getattr open read map };
#line 800
#line 801
allow system_server device_config_runtime_native_prop:file { getattr open read map };
#line 801
# BootReceiver to read ro.boot.bootreason
#line 804
allow system_server bootloader_boot_reason_prop:file { getattr open read map };
#line 804
# PowerManager to read sys.boot.reason
#line 806
allow system_server system_boot_reason_prop:file { getattr open read map };
#line 806
# Collect metrics on boot time created by init
#line 809
allow system_server boottime_prop:file { getattr open read map };
#line 809
# Read device's serial number from system properties
#line 812
allow system_server serialno_prop:file { getattr open read map };
#line 812
# Read/write the property which keeps track of whether this is the first start of system_server
#line 815
#line 815
allow system_server property_socket:sock_file write;
#line 815
allow system_server init:unix_stream_socket connectto;
#line 815
#line 815
allow system_server firstboot_prop:property_service set;
#line 815
#line 815
allow system_server firstboot_prop:file { getattr open read map };
#line 815
#line 815
# Audio service in system server can read audio config properties,
# such as camera shutter enforcement
#line 819
allow system_server audio_config_prop:file { getattr open read map };
#line 819
# StorageManager service reads media config while checking if transcoding is supported.
#line 822
allow system_server media_config_prop:file { getattr open read map };
#line 822
# system server reads this property to keep track of whether server configurable flags have been
# reset during current boot.
#line 826
allow system_server device_config_reset_performed_prop:file { getattr open read map };
#line 826
# Read/write the property that enables Test Harness Mode
#line 829
#line 829
allow system_server property_socket:sock_file write;
#line 829
allow system_server init:unix_stream_socket connectto;
#line 829
#line 829
allow system_server test_harness_prop:property_service set;
#line 829
#line 829
allow system_server test_harness_prop:file { getattr open read map };
#line 829
#line 829
# Read gsid.image_running.
#line 832
allow system_server gsid_prop:file { getattr open read map };
#line 832
# Read the property that mocks an OTA
#line 835
allow system_server mock_ota_prop:file { getattr open read map };
#line 835
# Read the property as feature flag for protecting apks with fs-verity.
#line 838
allow system_server apk_verity_prop:file { getattr open read map };
#line 838
# Read wifi.interface
#line 841
allow system_server wifi_prop:file { getattr open read map };
#line 841
# Read the vendor property that indicates if Incremental features are enabled
#line 844
allow system_server incremental_prop:file { getattr open read map };
#line 844
# Read ro.zram. properties
#line 847
allow system_server zram_config_prop:file { getattr open read map };
#line 847
# Read/write persist.sys.zram_enabled
#line 850
#line 850
allow system_server property_socket:sock_file write;
#line 850
allow system_server init:unix_stream_socket connectto;
#line 850
#line 850
allow system_server zram_control_prop:property_service set;
#line 850
#line 850
allow system_server zram_control_prop:file { getattr open read map };
#line 850
#line 850
# Read/write persist.sys.dalvik.vm.lib.2
#line 853
#line 853
allow system_server property_socket:sock_file write;
#line 853
allow system_server init:unix_stream_socket connectto;
#line 853
#line 853
allow system_server dalvik_runtime_prop:property_service set;
#line 853
#line 853
allow system_server dalvik_runtime_prop:file { getattr open read map };
#line 853
#line 853
# Read ro.control_privapp_permissions and ro.cp_system_other_odex
#line 856
allow system_server packagemanager_config_prop:file { getattr open read map };
#line 856
# Read the net.464xlat.cellular.enabled property (written by init).
#line 859
allow system_server net_464xlat_fromvendor_prop:file { getattr open read map };
#line 859
# Read hypervisor capabilities ro.boot.hypervisor.*
#line 862
allow system_server hypervisor_prop:file { getattr open read map };
#line 862
# Read persist.wm.debug. properties
#line 865
allow system_server persist_wm_debug_prop:file { getattr open read map };
#line 865
# Read persist.sysui.notification.builder_extras_override property
#line 868
allow system_server persist_sysui_builder_extras_prop:file { getattr open read map };
#line 868
# Read persist.sysui.notification.ranking_update_ashmem property
#line 870
allow system_server persist_sysui_ranking_update_prop:file { getattr open read map };
#line 870
# Read ro.tuner.lazyhal
#line 873
allow system_server tuner_config_prop:file { getattr open read map };
#line 873
# Write tuner.server.enable
#line 875
#line 875
allow system_server property_socket:sock_file write;
#line 875
allow system_server init:unix_stream_socket connectto;
#line 875
#line 875
allow system_server tuner_server_ctl_prop:property_service set;
#line 875
#line 875
allow system_server tuner_server_ctl_prop:file { getattr open read map };
#line 875
#line 875
# Allow the heap dump ART plugin to read the count of sessions waiting for OOME
#line 878
allow system_server traced_oome_heap_session_count_prop:file { getattr open read map };
#line 878
# Allow the sensor service (running in system_server) to read sensor
# configuration properties
#line 882
allow system_server sensors_config_prop:file { getattr open read map };
#line 882
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Create a socket for connections from zygotes.
allow system_server system_unsolzygote_socket:sock_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Manage cache files.
allow system_server cache_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
allow system_server { cache_file cache_recovery_file }:dir { relabelfrom { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } };
allow system_server { cache_file cache_recovery_file }:file { relabelfrom { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } };
allow system_server { cache_file cache_recovery_file }:fifo_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow system_server system_file:dir { open getattr read search ioctl lock watch watch_reads };
allow system_server system_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
# ART locks profile files.
allow system_server system_file:file lock;
# LocationManager (e.g. GPS) needs to read and write
# to the uart driver and ctrl proc entry
allow system_server gps_control:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow system_server to use app-created sockets and pipes.
allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
# BackupManagerService needs to manipulate backup data files
allow system_server cache_backup_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow system_server cache_backup_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# LocalTransport works inside /cache/backup
allow system_server cache_private_backup_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server cache_private_backup_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow system to talk to usb device
allow system_server usb_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow system_server usb_device:dir { open getattr read search ioctl lock watch watch_reads };
# Read and delete files under /dev/fscklogs.
#line 922
allow system_server fscklogs:dir { open getattr read search ioctl lock watch watch_reads };
#line 922
allow system_server fscklogs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 922
allow system_server fscklogs:dir { write remove_name add_name };
allow system_server fscklogs:file rename;
# logd access: system_server inherits the logd write socket
# (the urge is to deprecate this long term)
allow system_server zygote:unix_dgram_socket write;
# Read from log daemon.
#line 931
allow system_server logcat_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
#line 931
#line 931
allow system_server logdr_socket:sock_file write;
#line 931
allow system_server logd:unix_stream_socket connectto;
#line 931
#line 931
#line 932
allow system_server runtime_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads };
#line 932
# Be consistent with DAC permissions. Allow system_server to write to
# /sys/module/lowmemorykiller/parameters/adj
# /sys/module/lowmemorykiller/parameters/minfree
allow system_server sysfs_lowmemorykiller:file { getattr { open append write lock map } };
# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
allow system_server pstorefs:dir { open getattr read search ioctl lock watch watch_reads };
allow system_server pstorefs:file { getattr open read ioctl lock map watch watch_reads };
# /sys access
allow system_server sysfs_zram:dir search;
allow system_server sysfs_zram:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Read /sys/fs/selinux/policy
allow system_server kernel:security read_policy;
#line 952
allow system_server system_server_service:service_manager { add find };
#line 952
neverallow { domain -system_server } system_server_service:service_manager add;
#line 952
#line 952
# On debug builds with root, allow binder services to use binder over TCP.
#line 952
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 952
#line 952
;
allow system_server artd_service:service_manager find;
allow system_server artd_pre_reboot_service:service_manager find;
allow system_server audioserver_service:service_manager find;
allow system_server authorization_service:service_manager find;
allow system_server batteryproperties_service:service_manager find;
allow system_server cameraserver_service:service_manager find;
allow system_server compos_service:service_manager find;
allow system_server dataloader_manager_service:service_manager find;
allow system_server dexopt_chroot_setup_service:service_manager find;
allow system_server dnsresolver_service:service_manager find;
allow system_server drmserver_service:service_manager find;
allow system_server dumpstate_service:service_manager find;
allow system_server fingerprintd_service:service_manager find;
allow system_server gatekeeper_service:service_manager find;
allow system_server gpu_service:service_manager find;
allow system_server gsi_service:service_manager find;
allow system_server idmap_service:service_manager find;
allow system_server incident_service:service_manager find;
allow system_server incremental_service:service_manager find;
allow system_server installd_service:service_manager find;
allow system_server keystore_maintenance_service:service_manager find;
allow system_server keystore_metrics_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server mdns_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
allow system_server mediaextractor_service:service_manager find;
allow system_server mediadrmserver_service:service_manager find;
allow system_server mediatuner_service:service_manager find;
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server ot_daemon_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server stats_service:service_manager find;
allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
allow system_server update_engine_service:service_manager find;
allow system_server virtual_camera_service:service_manager find;
#line 993
allow system_server vold_service:service_manager find;
allow system_server wifinl80211_service:service_manager find;
allow system_server logd_service:service_manager find;
#line 999
#line 1001
allow system_server batteryproperties_service:service_manager { add find };
#line 1001
neverallow { domain -system_server } batteryproperties_service:service_manager add;
#line 1001
#line 1001
# On debug builds with root, allow binder services to use binder over TCP.
#line 1001
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 1001
#line 1001
allow system_server keystore:keystore2 {
add_auth
change_password
change_user
clear_ns
clear_uid
get_last_auth_time
lock
pull_metrics
reset
unlock
};
allow system_server keystore:keystore2_key {
delete
use_dev_id
grant
get_info
rebind
update
use
};
# Allow Wifi module to manage Wi-Fi keys.
allow system_server wifi_key:keystore2_key {
delete
get_info
rebind
update
use
};
# Allow lock_settings service to manage RoR keys.
allow system_server resume_on_reboot_key:keystore2_key {
delete
get_info
rebind
update
use
};
# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key).
allow system_server locksettings_key:keystore2_key {
delete
get_info
rebind
update
use
};
# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search;
allow system_server frp_block_device:blk_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allowxperm system_server frp_block_device:blk_file ioctl { 0x0000127d 0x00001277 };
# Create new process groups and clean up old cgroups
allow system_server cgroup:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server cgroup:file setattr;
allow system_server cgroup_v2:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server cgroup_v2:file { { getattr open read ioctl lock map watch watch_reads } setattr };
# /oem access
#line 1067
allow system_server oemfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 1067
allow system_server oemfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 1067
# Allow resolving per-user storage symlinks
allow system_server { mnt_user_file storage_file }:dir { getattr search };
allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
# Allow statfs() on storage devices, which happens fast enough that
# we shouldn't be killed during unsafe removal
allow system_server { sdcard_type fuse }:dir { getattr search };
# Traverse into expanded storage
allow system_server mnt_expand_file:dir { open getattr read search ioctl lock watch watch_reads };
# Allow system process to relabel the fingerprint directory after mkdir
# and delete the directory and files when no longer needed
allow system_server fingerprintd_data_file:dir { { open getattr read search ioctl lock watch watch_reads } remove_name rmdir relabelto write };
allow system_server fingerprintd_data_file:file { getattr unlink };
#line 1100
# For AppFuse.
allow system_server vold:fd use;
allow system_server fuse_device:chr_file { read write ioctl getattr };
allow system_server app_fuse_file:file { read write getattr };
# For configuring sdcardfs
allow system_server configfs:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } };
allow system_server configfs:file { getattr open create unlink write };
# Connect to adbd and use a socket transferred from it.
# Used for e.g. jdwp.
allow system_server adbd:unix_stream_socket connectto;
allow system_server adbd:fd use;
allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
# Read service.adb.tls.port, persist.adb.wifi. properties
#line 1118
allow system_server adbd_prop:file { getattr open read map };
#line 1118
# Set persist.adb.tls_server.enable property
#line 1121
#line 1121
allow system_server property_socket:sock_file write;
#line 1121
allow system_server init:unix_stream_socket connectto;
#line 1121
#line 1121
allow system_server system_adbd_prop:property_service set;
#line 1121
#line 1121
allow system_server system_adbd_prop:file { getattr open read map };
#line 1121
#line 1121
# Allow invoking tools like "timeout"
allow system_server toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow system process to setup fs-verity
allowxperm system_server { apk_data_file apk_tmp_file system_data_file apex_system_server_data_file }:file ioctl 0x6685;
# Allow system process to measure fs-verity for apps, including those being installed
allowxperm system_server { apk_data_file apk_tmp_file }:file ioctl 0x6686;
allowxperm system_server apk_tmp_file:file ioctl 0x40086602;
# Postinstall
#
# For OTA dexopt, allow calls coming from postinstall.
#line 1136
# Call the server domain and optionally transfer references to it.
#line 1136
allow system_server postinstall:binder { call transfer };
#line 1136
# Allow the serverdomain to transfer references to the client on the reply.
#line 1136
allow postinstall system_server:binder transfer;
#line 1136
# Receive and use open files from the server.
#line 1136
allow system_server postinstall:fd use;
#line 1136
allow system_server postinstall:fifo_file write;
allow system_server update_engine:fd use;
allow system_server update_engine:fifo_file write;
# Access to /data/preloads
allow system_server preloads_data_file:file { { getattr open read ioctl lock map watch watch_reads } unlink };
allow system_server preloads_data_file:dir { { open getattr read search ioctl lock watch watch_reads } write remove_name rmdir };
allow system_server preloads_media_file:file { { getattr open read ioctl lock map watch watch_reads } unlink };
allow system_server preloads_media_file:dir { { open getattr read search ioctl lock watch watch_reads } write remove_name rmdir };
#line 1148
allow system_server cgroup:dir { open getattr read search ioctl lock watch watch_reads };
#line 1148
allow system_server cgroup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 1148
#line 1149
allow system_server cgroup_v2:dir { open getattr read search ioctl lock watch watch_reads };
#line 1149
allow system_server cgroup_v2:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 1149
allow system_server ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# Access to /dev/dma_heap/system
allow system_server dmabuf_system_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
# Access to /dev/dma_heap/system-secure
allow system_server dmabuf_system_secure_heap_device:chr_file { getattr open read ioctl lock map watch watch_reads };
#line 1157
allow system_server proc_asound:dir { open getattr read search ioctl lock watch watch_reads };
#line 1157
allow system_server proc_asound:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 1157
#line 1158
allow system_server proc_net_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 1158
allow system_server proc_net_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 1158
#line 1159
allow system_server proc_qtaguid_stat:dir { open getattr read search ioctl lock watch watch_reads };
#line 1159
allow system_server proc_qtaguid_stat:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 1159
allow system_server {
proc_cmdline
proc_loadavg
proc_locks
proc_meminfo
proc_pagetypeinfo
proc_pipe_conf
proc_stat
proc_uid_cputime_showstat
proc_uid_io_stats
proc_uid_time_in_state
proc_uid_concurrent_active_time
proc_uid_concurrent_policy_time
proc_version
proc_vmallocinfo
}:file { getattr open read ioctl lock map watch watch_reads };
allow system_server proc_uid_time_in_state:dir { open getattr read search ioctl lock watch watch_reads };
allow system_server proc_uid_cpupower:file { getattr open read ioctl lock map watch watch_reads };
#line 1180
allow system_server rootfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 1180
allow system_server rootfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 1180
# Allow WifiService to start, stop, and read wifi-specific trace events.
allow system_server debugfs_tracing_instances:dir search;
allow system_server debugfs_wifi_tracing:dir search;
allow system_server debugfs_wifi_tracing:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Allow BootReceiver to watch trace error_report events.
allow system_server debugfs_bootreceiver_tracing:dir search;
allow system_server debugfs_bootreceiver_tracing:file { getattr open read ioctl lock map watch watch_reads };
# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
allow system_server debugfs_tracing:file { getattr open read ioctl lock map watch watch_reads };
# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
# asanwrapper.
#line 1200
# allow system_server to read the eBPF maps that store the traffic stats information and update
# the map after a snapshot is recorded, and to read, update and run the maps and programs used for
# time in state accounting
allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read write };
allow system_server bpfloader:bpf { map_read map_write prog_run };
# in order to invoke the side effect of close() on such a socket, which calls synchronize_rcu()
allow system_server self:key_socket create;
# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
dontaudit system_server self:key_socket getopt;
# Allow system_server to start clatd in its own domain and kill it.
#line 1215
# Allow the necessary permissions.
#line 1215
#line 1215
# Old domain may exec the file and transition to the new domain.
#line 1215
allow system_server clatd_exec:file { getattr open read execute map };
#line 1215
allow system_server clatd:process transition;
#line 1215
# New domain is entered by executing the file.
#line 1215
allow clatd clatd_exec:file { entrypoint open read execute getattr map };
#line 1215
# New domain can send SIGCHLD to its caller.
#line 1215
allow clatd system_server:process sigchld;
#line 1215
# Enable AT_SECURE, i.e. libc secure mode.
#line 1215
dontaudit system_server clatd:process noatsecure;
#line 1215
# XXX dontaudit candidate but requires further study.
#line 1215
allow system_server clatd:process { siginh rlimitinh };
#line 1215
#line 1215
# Make the transition occur by default.
#line 1215
type_transition system_server clatd_exec:process clatd;
#line 1215
allow system_server clatd:process { sigkill signal };
# ART Profiles.
# Allow system_server to open profile snapshots for read.
# System server never reads the actual content. It passes the descriptor
# to privileged apps which acquire the permissions to inspect the profiles.
allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
allow system_server user_profile_data_file:file { getattr open read };
# System server may dump profile data for debuggable apps in /data/misc/profman.
# As such it needs to be able to create files but it should never read from them.
# It also needs to stat the directory to check if it has the right permissions.
allow system_server profman_dump_data_file:file { create getattr setattr { open append write lock map }};
allow system_server profman_dump_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
# On userdebug build we may profile system server. Allow it to write and create its own profile.
#line 1235
# Allow system server to load JVMTI agents under control of a property.
#line 1237
allow system_server system_jvmti_agent_prop:file { getattr open read map };
#line 1237
# UsbDeviceManager uses /dev/usb-ffs
allow system_server functionfs:dir search;
allow system_server functionfs:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# system_server contains time / time zone detection logic so reads the associated properties.
#line 1244
allow system_server time_prop:file { getattr open read map };
#line 1244
# system_server reads this property to know whether it should expect lmkd to send it
# notifications on low memory kills.
#line 1248
allow system_server system_lmk_prop:file { getattr open read map };
#line 1248
#line 1250
allow system_server wifi_config_prop:file { getattr open read map };
#line 1250
# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
allowxperm system_server binder_device:chr_file ioctl { 0x400c620e 0xc00c620f };
# Watchdog prints debugging log to /dev/kmsg_debug.
#line 1258
# Watchdog reads sysprops framework_watchdog.fatal_* to handle watchdog timeout loop.
#line 1260
allow system_server framework_watchdog_config_prop:file { getattr open read map };
#line 1260
# Font files are written by system server
allow system_server font_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow system_server font_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
# Allow system process to setup and measure fs-verity for font files
allowxperm system_server font_data_file:file ioctl { 0x6685 0x6686 };
# Read qemu.hw.mainkeys property
#line 1270
allow system_server qemu_hw_prop:file { getattr open read map };
#line 1270
# Allow system server to read profcollectd reports for upload.
###
### Neverallow rules
###
### system_server should NEVER do any of this
# Do not allow opening files from external storage as unsafe ejection
# could cause the kernel to kill the system_server.
neverallow system_server { sdcard_type fuse }:dir { open read write };
neverallow system_server { sdcard_type fuse }:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# system server should never be operating on zygote spawned app data
# files directly. Rather, they should always be passed via a
# file descriptor.
# Exclude those types that system_server needs to open directly.
neverallow system_server {
app_data_file_type
-system_app_data_file
-radio_data_file
}:file { open create unlink link };
# Forking and execing is inherently dangerous and racy. See, for
# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
# Prevent the addition of new file execs to stop the problem from
# getting worse. b/28035297
neverallow system_server {
file_type
-toolbox_exec
-logcat_exec
}:file execute_no_trans;
# Ensure that system_server doesn't perform any domain transitions other than
# to crash_dump (when a crash occurs), clatd (which it forks) or perfetto.
neverallow system_server { domain -clatd -crash_dump -perfetto }:process transition;
neverallow system_server *:process dyntransition;
# Ensure that system_server doesn't access anything but search in perfetto_traces_data_file:dir.
neverallow system_server perfetto_traces_data_file:dir ~search;
# Only allow crash_dump to connect to system_ndebug_socket.
neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
# Only allow zygotes to connect to system_unsolzygote_socket.
neverallow {
domain
-init
-system_server
-zygote
-app_zygote
-webview_zygote
} system_unsolzygote_socket:sock_file { open write };
# Only allow init, system_server, flags_health_check to set properties for server configurable flags
neverallow {
domain
-init
-system_server
-flags_health_check
} {
device_config_core_experiments_team_internal_prop
device_config_activity_manager_native_boot_prop
device_config_connectivity_prop
device_config_input_native_boot_prop
device_config_lmkd_native_prop
device_config_netd_native_prop
device_config_nnapi_native_prop
device_config_edgetpu_native_prop
device_config_runtime_native_boot_prop
device_config_runtime_native_prop
device_config_media_native_prop
device_config_mglru_native_prop
device_config_remote_key_provisioning_native_prop
device_config_storage_native_boot_prop
device_config_surface_flinger_native_boot_prop
device_config_sys_traced_prop
device_config_swcodec_native_prop
device_config_aconfig_flags_prop
device_config_window_manager_native_boot_prop
device_config_tethering_u_or_later_native_prop
next_boot_prop
}:property_service set;
# Only allow system_server and init to set tuner_server_ctl_prop
neverallow {
domain
-system_server
-init
} tuner_server_ctl_prop:property_service set;
# system_server should never be executing dex2oat. This is either
# a bug (for example, bug 16317188), or represents an attempt by
# system server to dynamically load a dex file, something we do not
# want to allow.
neverallow system_server dex2oat_exec:file { execute execute_no_trans };
# system_server should never execute or load executable shared libraries
# in /data. Executable files in /data are a persistence vector.
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
neverallow system_server data_file_type:file { execute execute_no_trans };
# The only block device system_server should be writing to is
# the frp_block_device. This helps avoid a system_server to root
# escalation by writing to raw block devices.
# The system_server may need to read from vd_device if it uses
# block apexes.
neverallow system_server { dev_type -frp_block_device }:blk_file { append create link unlink relabelfrom rename setattr write };
neverallow system_server { dev_type -frp_block_device -vd_device }:blk_file { getattr open read ioctl lock map watch watch_reads };
# system_server should never use JIT functionality
# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
# in the section titled "A Short ROP Chain" for why.
# However, in emulator builds without OpenGL passthrough, we use software
# rendering via SwiftShader, which requires JIT support. These builds are
# never shipped to users.
neverallow system_server self:process execmem;
#line 1392
neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;
# TODO: deal with tmpfs_domain pub/priv split properly
neverallow system_server system_server_tmpfs:file execute;
# Resources handed off by system_server_startup
allow system_server system_server_startup:fd use;
allow system_server system_server_startup_tmpfs:file { read write map };
allow system_server system_server_startup:unix_dgram_socket write;
# Allow system server to communicate to apexd
allow system_server apex_service:service_manager find;
allow system_server apexd:binder call;
# Allow system server to scan /apex for flattened APEXes
allow system_server apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads };
# Allow system server to read /apex/apex-info-list.xml
allow system_server apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow system server to communicate to system-suspend's control interface
allow system_server system_suspend_control_internal_service:service_manager find;
allow system_server system_suspend_control_service:service_manager find;
#line 1415
# Call the server domain and optionally transfer references to it.
#line 1415
allow system_server system_suspend:binder { call transfer };
#line 1415
# Allow the server domain to transfer references to the client on the reply.
#line 1415
allow system_suspend system_server:binder transfer;
#line 1415
# Receive and use open files from the server.
#line 1415
allow system_server system_suspend:fd use;
#line 1415
#line 1416
# Call the server domain and optionally transfer references to it.
#line 1416
allow system_suspend system_server:binder { call transfer };
#line 1416
# Allow the server domain to transfer references to the client on the reply.
#line 1416
allow system_server system_suspend:binder transfer;
#line 1416
# Receive and use open files from the server.
#line 1416
allow system_suspend system_server:fd use;
#line 1416
# Allow system server to communicate to system-suspend's wakelock interface
#line 1419
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
#line 1419
# deprecated.
#line 1419
# Access /sys/power/wake_lock and /sys/power/wake_unlock
#line 1419
allow system_server sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 1419
# Accessing these files requires CAP_BLOCK_SUSPEND
#line 1419
allow system_server self:{ capability2 cap2_userns } block_suspend;
#line 1419
# system_suspend permissions
#line 1419
#line 1419
# Call the server domain and optionally transfer references to it.
#line 1419
allow system_server system_suspend_server:binder { call transfer };
#line 1419
# Allow the server domain to transfer references to the client on the reply.
#line 1419
allow system_suspend_server system_server:binder transfer;
#line 1419
# Receive and use open files from the server.
#line 1419
allow system_server system_suspend_server:fd use;
#line 1419
#line 1419
allow system_server system_suspend_hwservice:hwservice_manager find;
#line 1419
# halclientdomain permissions
#line 1419
#line 1419
# Call the hwservicemanager and transfer references to it.
#line 1419
allow system_server hwservicemanager:binder { call transfer };
#line 1419
# Allow hwservicemanager to send out callbacks
#line 1419
allow hwservicemanager system_server:binder { call transfer };
#line 1419
# hwservicemanager performs getpidcon on clients.
#line 1419
allow hwservicemanager system_server:dir search;
#line 1419
allow hwservicemanager system_server:file { read open map };
#line 1419
allow hwservicemanager system_server:process getattr;
#line 1419
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 1419
# all domains in domain.te.
#line 1419
#line 1419
#line 1419
allow system_server hwservicemanager_prop:file { getattr open read map };
#line 1419
#line 1419
allow system_server hidl_manager_hwservice:hwservice_manager find;
#line 1419
# AIDL suspend hal permissions
#line 1419
allow system_server hal_system_suspend_service:service_manager find;
#line 1419
#line 1419
# Call the servicemanager and transfer references to it.
#line 1419
allow system_server servicemanager:binder { call transfer };
#line 1419
# Allow servicemanager to send out callbacks
#line 1419
allow servicemanager system_server:binder { call transfer };
#line 1419
# servicemanager performs getpidcon on clients.
#line 1419
allow servicemanager system_server:dir search;
#line 1419
allow servicemanager system_server:file { read open };
#line 1419
allow servicemanager system_server:process getattr;
#line 1419
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 1419
# all domains in domain.te.
#line 1419
#line 1419
# Allow the system server to read files under /data/apex. The system_server
# needs these privileges to compare file signatures while processing installs.
#
# Only apexd is allowed to create new entries or write to any file under /data/apex.
allow system_server apex_data_file:dir { getattr search };
allow system_server apex_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow the system server to read files under /vendor/apex. This is where
# vendor APEX packages might be installed and system_server needs to parse
# these packages to inspect the signatures and other metadata.
allow system_server vendor_apex_file:dir { getattr search };
allow system_server vendor_apex_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow the system server to manage relevant apex module data files.
allow system_server apex_module_data_file:dir { getattr search };
# These are modules where the code runs in system_server, so we need full access.
allow system_server apex_system_server_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server apex_system_server_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow system_server apex_tethering_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server apex_tethering_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Legacy labels that we still need to support (b/217581286)
allow system_server {
apex_appsearch_data_file
apex_permission_data_file
apex_scheduling_data_file
apex_wifi_data_file
}:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server {
apex_appsearch_data_file
apex_permission_data_file
apex_scheduling_data_file
apex_wifi_data_file
}:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
# communicate which slots are available for use.
allow system_server metadata_file:dir search;
allow system_server password_slot_metadata_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow system_server password_slot_metadata_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow system_server userspace_reboot_metadata_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server userspace_reboot_metadata_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow system server rw access to files in /metadata/staged-install folder
allow system_server staged_install_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow system_server staged_install_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow system_server watchdog_metadata_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow system_server watchdog_metadata_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow system_server aconfig_storage_flags_metadata_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow system_server aconfig_storage_flags_metadata_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow system_server repair_mode_metadata_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow system_server repair_mode_metadata_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow system_server gsi_persistent_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow system_server gsi_persistent_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow system server read and remove files under /data/misc/odrefresh
allow system_server odrefresh_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow system_server odrefresh_data_file:file { { getattr open read ioctl lock map watch watch_reads } unlink };
# Allow system server read access to /system/bin/surfaceflinger for PinnerService.
allow system_server surfaceflinger_exec:file { getattr open read ioctl lock map watch watch_reads };
# Allow init to set sysprop used to compute stats about userspace reboot.
#line 1488
#line 1488
allow system_server property_socket:sock_file write;
#line 1488
allow system_server init:unix_stream_socket connectto;
#line 1488
#line 1488
allow system_server userspace_reboot_log_prop:property_service set;
#line 1488
#line 1488
allow system_server userspace_reboot_log_prop:file { getattr open read map };
#line 1488
#line 1488
# JVMTI agent settings are only readable from the system server.
neverallow {
domain
-system_server
-dumpstate
-init
-vendor_init
} {
system_jvmti_agent_prop
}:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Read/Write /proc/pressure/memory
allow system_server proc_pressure_mem:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Read /proc/pressure/cpu and /proc/pressure/io
allow system_server { proc_pressure_cpu proc_pressure_io }:file { getattr open read ioctl lock map watch watch_reads };
# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file { execute execute_no_trans };
# No ptracing others
neverallow system_server { domain -system_server }:process ptrace;
# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
# file read access. However, that is now unnecessary (b/34951864)
neverallow system_server system_server:{ capability cap_userns } sys_resource;
# Only system_server/init should access /metadata/password_slots.
neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
neverallow {
domain
-init
-system_server
} password_slot_metadata_file:{ file lnk_file sock_file fifo_file } ~{ relabelto getattr };
neverallow { domain -init -system_server } password_slot_metadata_file:{ file lnk_file sock_file fifo_file } *;
# Only system_server/init should access /metadata/userspacereboot.
neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
neverallow { domain -init -system_server } userspace_reboot_metadata_file:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Only init, system_server and aconfigd should access /metadata/aconfig
neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:dir *;
neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Allow system_server to read/write the invalidation property
#line 1535
#line 1535
allow system_server property_socket:sock_file write;
#line 1535
allow system_server init:unix_stream_socket connectto;
#line 1535
#line 1535
allow system_server binder_cache_system_server_prop:property_service set;
#line 1535
#line 1535
allow system_server binder_cache_system_server_prop:file { getattr open read map };
#line 1535
#line 1535
neverallow { domain -system_server -init }
binder_cache_system_server_prop:property_service set;
# Allow system server to attach BPF programs to tracepoints. Deny read permission so that
# system_server cannot use this access to read perf event data like process stacks.
allow system_server self:perf_event { open write cpu kernel };
neverallow system_server self:perf_event ~{ open write cpu kernel };
# Allow writing files under /data/system/shutdown-checkpoints/
allow system_server shutdown_checkpoints_system_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow system_server shutdown_checkpoints_system_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Do not allow any domain other than init or system server to set the property
neverallow { domain -init -system_server } socket_hook_prop:property_service set;
neverallow { domain -init -system_server } boot_status_prop:property_service set;
neverallow {
domain
-init
-vendor_init
-dumpstate
-system_server
} wifi_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Only allow system server to write uhid sysfs files
neverallow {
domain
-init
-system_server
-ueventd
-vendor_init
} sysfs_uhid:file { append create link unlink relabelfrom rename setattr write };
# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
# can be accessed by system_server only (b/143717177)
# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
# interface
neverallowxperm { domain -system_server } binder_device:chr_file ioctl { 0x400c620e 0xc00c620f };
# Only system server can write the font files.
neverallow { domain -init -system_server } font_data_file:file { append create link unlink relabelfrom rename setattr write };
neverallow { domain -init -system_server } font_data_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
# Allow reading /system/etc/font_fallback.xml
allow system_server system_font_fallback_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow system server to set dynamic ART properties.
#line 1584
#line 1584
allow system_server property_socket:sock_file write;
#line 1584
allow system_server init:unix_stream_socket connectto;
#line 1584
#line 1584
allow system_server dalvik_dynamic_config_prop:property_service set;
#line 1584
#line 1584
allow system_server dalvik_dynamic_config_prop:file { getattr open read map };
#line 1584
#line 1584
# Allow system server to read binderfs
allow system_server binderfs_logs:dir { open getattr read search ioctl lock watch watch_reads };
allow system_server binderfs_logs_stats:file { getattr open read ioctl lock map watch watch_reads };
# Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled
#line 1591
#line 1591
allow system_server property_socket:sock_file write;
#line 1591
allow system_server init:unix_stream_socket connectto;
#line 1591
#line 1591
allow system_server game_manager_config_prop:property_service set;
#line 1591
#line 1591
allow system_server game_manager_config_prop:file { getattr open read map };
#line 1591
#line 1591
# ThreadNetworkService reads Thread Network properties
#line 1594
allow system_server threadnetwork_config_prop:file { getattr open read map };
#line 1594
# Do not allow any domain other than init and system server to set the property
neverallow {
domain
-init
-vendor_init
-dumpstate
-system_server
} threadnetwork_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Allow system server to read pm.archiving.enabled prop
# TODO(azilio): Remove system property after archiving testing is completed.
#line 1607
allow system_server pm_archiving_enabled_prop:file { getattr open read map };
#line 1607
# Do not allow any domain other than init or system server to get or set the property
neverallow { domain -init -system_server } crashrecovery_prop:property_service set;
neverallow { domain -init -dumpstate -system_server } crashrecovery_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 1 "system/sepolicy/private/system_server_startup.te"
type system_server_startup, domain, coredomain;
type system_server_startup_tmpfs, file_type;
#line 4
type_transition system_server_startup tmpfs:file system_server_startup_tmpfs;
#line 4
allow system_server_startup system_server_startup_tmpfs:file { read write getattr map };
#line 4
# Create JIT memory
allow system_server_startup self:process execmem;
allow system_server_startup system_server_startup_tmpfs:file { execute read write open map };
# Allow picking up integrity-checked artifacts from the ART APEX dalvik cache.
allow system_server_startup apex_art_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow system_server_startup apex_art_data_file:file { { getattr open read ioctl lock map watch watch_reads } execute };
# Allow system_server_startup to run setcon() and enter the
# system_server domain
allow system_server_startup self:process setcurrent;
allow system_server_startup system_server:process dyntransition;
# Child of the zygote.
allow system_server_startup zygote:process sigchld;
# Allow query ART device config properties
#line 23
allow system_server_startup device_config_runtime_native_boot_prop:file { getattr open read map };
#line 23
#line 24
allow system_server_startup device_config_runtime_native_prop:file { getattr open read map };
#line 24
#line 1 "system/sepolicy/private/system_suspend.te"
type system_suspend, domain, coredomain, system_suspend_server, system_suspend_internal_server;
type system_suspend_exec, system_file_type, exec_type, file_type;
#line 4
#line 4
# Allow the necessary permissions.
#line 4
#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init system_suspend_exec:file { getattr open read execute map };
#line 4
allow init system_suspend:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow system_suspend system_suspend_exec:file { entrypoint open read execute getattr map };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init system_suspend:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init system_suspend:process { siginh rlimitinh };
#line 4
#line 4
# Make the transition occur by default.
#line 4
type_transition init system_suspend_exec:process system_suspend;
#line 4
#line 4
# To serve ISuspendControlService.
#line 7
# Call the servicemanager and transfer references to it.
#line 7
allow system_suspend servicemanager:binder { call transfer };
#line 7
# Allow servicemanager to send out callbacks
#line 7
allow servicemanager system_suspend:binder { call transfer };
#line 7
# servicemanager performs getpidcon on clients.
#line 7
allow servicemanager system_suspend:dir search;
#line 7
allow servicemanager system_suspend:file { read open };
#line 7
allow servicemanager system_suspend:process getattr;
#line 7
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 7
# all domains in domain.te.
#line 7
#line 8
allow system_suspend system_suspend_control_service:service_manager { add find };
#line 8
neverallow { domain -system_suspend } system_suspend_control_service:service_manager add;
#line 8
#line 8
# On debug builds with root, allow binder services to use binder over TCP.
#line 8
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 8
#line 8
#line 10
allow system_suspend hal_system_suspend_service:service_manager { add find };
#line 10
neverallow { domain -system_suspend } hal_system_suspend_service:service_manager add;
#line 10
#line 10
# On debug builds with root, allow binder services to use binder over TCP.
#line 10
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 10
#line 10
# Access to /sys/power/{ wakeup_count, state } suspend interface.
allow system_suspend sysfs_power:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Access to wakeup, suspend stats, and wakeup reasons.
#line 16
allow system_suspend sysfs_suspend_stats:dir { open getattr read search ioctl lock watch watch_reads };
#line 16
allow system_suspend sysfs_suspend_stats:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 16
#line 17
allow system_suspend sysfs_wakeup:dir { open getattr read search ioctl lock watch watch_reads };
#line 17
allow system_suspend sysfs_wakeup:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 17
#line 18
allow system_suspend sysfs_wakeup_reasons:dir { open getattr read search ioctl lock watch watch_reads };
#line 18
allow system_suspend sysfs_wakeup_reasons:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 18
# To resolve arbitrary sysfs paths from /sys/class/wakeup/* symlinks.
allow system_suspend sysfs_type:dir search;
# Access to suspend_hal system properties
#line 23
allow system_suspend suspend_prop:file { getattr open read map };
#line 23
# Access to system_suspend debug system properties
#line 28
# To call BTAA registered callbacks
allow system_suspend bluetooth:binder call;
# For adding `dumpsys suspend_control` output to the bugreport
allow system_suspend dumpstate:fd use;
allow system_suspend dumpstate:fifo_file write;
# Allow init to take kernel wakelocks and system_suspend to
# remove kernel wakelocks, along with the capability needed to
# access these files
allow init sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow init self:{ capability2 cap2_userns } block_suspend;
allow system_suspend sysfs_wake_lock:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow system_suspend self:{ capability2 cap2_userns } block_suspend;
# Allow init to set /sys/power/sync_on_suspend.
allow init sysfs_sync_on_suspend:file { open append write lock map };
neverallow {
domain
-atrace # tracing
-bluetooth # support Bluetooth activity attribution (BTAA)
-dumpstate # bug reports
-system_suspend # implements system_suspend_control_service
-system_server # configures system_suspend via ISuspendControlService
-traceur_app # tracing
} system_suspend_control_service:service_manager find;
#line 1 "system/sepolicy/private/tombstoned.te"
typeattribute tombstoned coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init tombstoned_exec:file { getattr open read execute map };
#line 3
allow init tombstoned:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow tombstoned tombstoned_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init tombstoned:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init tombstoned:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init tombstoned_exec:process tombstoned;
#line 3
#line 3
#line 5
allow tombstoned tombstone_config_prop:file { getattr open read map };
#line 5
neverallow {
domain
-init
-vendor_init
-dumpstate
-tombstoned
} tombstone_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 1 "system/sepolicy/private/toolbox.te"
typeattribute toolbox coredomain;
# Expanded domain transition: init execs toolbox_exec and the child runs in
# the toolbox domain.
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init toolbox_exec:file { getattr open read execute map };
#line 3
allow init toolbox:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow toolbox toolbox_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init toolbox:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init toolbox:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init toolbox_exec:process toolbox;
#line 3
#line 3
# rm -rf in /data/misc/virtualizationservice
# Directory access is list/search plus write/add_name/remove_name and rmdir;
# on files only getattr and unlink are granted, so toolbox can delete but not
# read the contents.
allow toolbox virtualizationservice_data_file:dir { rmdir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow toolbox virtualizationservice_data_file:file { getattr unlink };
# If we can't remove these directories we try to chmod them. That
# doesn't work, but it doesn't matter as virtualizationservice itself
# will delete them when it starts. See b/235338094#comment39
# dontaudit only silences the denial; setattr stays denied.
dontaudit toolbox virtualizationservice_data_file:dir setattr;
#line 1 "system/sepolicy/private/traced.te"
# Perfetto user-space tracing daemon (unprivileged)
type traced_exec, system_file_type, exec_type, file_type;
# Allow init to exec the daemon.
# Expanded domain transition: init execs traced_exec and the child runs in
# the traced domain. "#line N" markers are preprocessor output pointing back
# to the source .te line.
#line 5
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init traced_exec:file { getattr open read execute map };
#line 5
allow init traced:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow traced traced_exec:file { entrypoint open read execute getattr map };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init traced:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init traced:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition init traced_exec:process traced;
#line 5
#line 5
#line 6
# Per-domain tmpfs label: files traced creates on tmpfs get the traced_tmpfs
# type instead of the generic one, so the rules below can target them.
type_transition traced tmpfs:file traced_tmpfs;
#line 6
allow traced traced_tmpfs:file { read write getattr map };
#line 6
# Allow apps in other MLS contexts (for multi-user) to access
# share memory buffers created by traced.
typeattribute traced_tmpfs mlstrustedobject;
# Allow traced to start with a lower scheduling class and change
# class accordingly to what defined in the config provided by
# the privileged process that controls it.
allow traced self:{ capability cap_userns } { sys_nice };
# Allow to pass a file descriptor for the output trace from "perfetto" (the
# cmdline client) and other shell binaries to traced and let traced write
# directly into that (rather than returning the trace contents over the socket).
# fd:use alone does not grant file access; the file type still needs its own
# rule (see trace_data_file and shell:fifo_file below).
allow traced perfetto:fd use;
allow traced shell:fd use;
allow traced shell:fifo_file { read write };
# Allow the service to create new files within /data/misc/perfetto-traces.
allow traced perfetto_traces_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow traced perfetto_traces_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
# Allow traceur to pass open file descriptors to traced, so traced can directly
# write into the output file without doing roundtrips over IPC.
allow traced traceur_app:fd use;
allow traced trace_data_file:file { read write };
# Allow perfetto to access the proxy service for notifying Traceur.
allow traced tracingproxy_service:service_manager find;
# binder_use() expansion: two-way binder with servicemanager, which also reads
# traced's /proc entries to perform getpidcon on it.
#line 35
# Call the servicemanager and transfer references to it.
#line 35
allow traced servicemanager:binder { call transfer };
#line 35
# Allow servicemanager to send out callbacks
#line 35
allow servicemanager traced:binder { call transfer };
#line 35
# servicemanager performs getpidcon on clients.
#line 35
allow servicemanager traced:dir search;
#line 35
allow servicemanager traced:file { read open };
#line 35
allow servicemanager traced:process getattr;
#line 35
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 35
# all domains in domain.te.
#line 35
# Stray ';' left over from the macro expansion; harmless.
;
#line 36
# binder_call() expansion: traced is a binder client of system_server.
# Call the server domain and optionally transfer references to it.
#line 36
allow traced system_server:binder { call transfer };
#line 36
# Allow the serverdomain to transfer references to the client on the reply.
#line 36
allow system_server traced:binder transfer;
#line 36
# Receive and use open files from the server.
#line 36
allow traced system_server:fd use;
#line 36
;
# Allow traced to use shared memory supplied by producers. Typically, traced
# (i.e. the tracing service) creates the shared memory used for data transfer
# from the producer. This rule allows an alternative scheme, where the producer
# creates the shared memory, that is then adopted by traced (after validating
# that it is appropriately sealed).
# This list has to replicate the tmpfs domains of all applicable domains that
# have perfetto_producer() macro applied to them.
# perfetto_tmpfs excluded as it should never need to use the producer-supplied
# shared memory scheme.
allow traced {
appdomain_tmpfs
heapprofd_tmpfs
surfaceflinger_tmpfs
traced_probes_tmpfs
}:file { getattr map read write };
# Allow setting debug properties which guard initialization of the Perfetto SDK
# in SurfaceFlinger and HWUI's copy of Skia.
# Required for the android.sdk_sysprop_guard data source.
# TODO(b/281329340): remove this when no longer needed.
# set_prop() expansion: connect to init's property socket and set debug_prop.
# The same socket/connectto pair is repeated for every property type below.
#line 59
#line 59
allow traced property_socket:sock_file write;
#line 59
allow traced init:unix_stream_socket connectto;
#line 59
#line 59
allow traced debug_prop:property_service set;
#line 59
#line 59
allow traced debug_prop:file { getattr open read map };
#line 59
#line 59
# Allow traced to notify Traceur when a trace ends by setting the
# sys.trace.trace_end_signal property.
#line 62
#line 62
allow traced property_socket:sock_file write;
#line 62
allow traced init:unix_stream_socket connectto;
#line 62
#line 62
allow traced system_trace_prop:property_service set;
#line 62
#line 62
allow traced system_trace_prop:file { getattr open read map };
#line 62
#line 62
# Allow to lazily start producers.
#line 64
#line 64
allow traced property_socket:sock_file write;
#line 64
allow traced init:unix_stream_socket connectto;
#line 64
#line 64
allow traced traced_lazy_prop:property_service set;
#line 64
#line 64
allow traced traced_lazy_prop:file { getattr open read map };
#line 64
#line 64
# Allow tracking the count of sessions intercepting Java OutOfMemoryError
# If there are such tracing sessions and an OutOfMemoryError is thrown by ART,
# the hprof plugin intercepts the error, lazily registers a data source to
# traced and collects a heap dump.
#line 69
#line 69
allow traced property_socket:sock_file write;
#line 69
allow traced init:unix_stream_socket connectto;
#line 69
#line 69
allow traced traced_oome_heap_session_count_prop:property_service set;
#line 69
#line 69
allow traced traced_oome_heap_session_count_prop:file { getattr open read map };
#line 69
#line 69
# Allow traced to talk to statsd for logging metrics.
#line 72
allow traced statsdw_socket:sock_file write;
#line 72
allow traced statsd:unix_dgram_socket sendto;
#line 72
###
### Neverallow rules
###
### traced should NEVER do any of this
# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
neverallow traced self:process execmem;
# Block device access.
neverallow traced dev_type:blk_file { read write };
# ptrace any other process
neverallow traced domain:process ptrace;
# Disallows access to /data files, still allowing to write to file descriptors
# passed through the socket.
# '*' denies every dir permission on the remaining data_file_type types, so
# any new /data location traced needs has to be added to this exemption list.
neverallow traced {
data_file_type
-perfetto_traces_data_file
-system_data_file
-system_data_root_file
-media_userdir_file
-system_userdir_file
-vendor_userdir_file
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
# subsequent neverallow. Currently only getattr and search are allowed.
-vendor_data_file
}:dir *;
neverallow traced { system_data_file }:dir ~{ getattr search };
# Every file permission except write is denied on data files outside the two
# trace output types; write is what the fd-passing scheme above relies on.
neverallow traced {
data_file_type
-perfetto_traces_data_file
-trace_data_file
}:file ~write;
# Only init is allowed to enter the traced domain via exec()
neverallow { domain -init } traced:process transition;
# No domain may setcon() into traced either.
neverallow * traced:process dyntransition;
# Limit the processes that can access tracingproxy_service.
neverallow {
domain
-traced
-dumpstate
-traceur_app
-shell
-system_server
-perfetto
} tracingproxy_service:service_manager find;
#line 1 "system/sepolicy/private/traced_perf.te"
# Performance profiler, backed by perf_event_open(2).
# See go/perfetto-perf-android.
typeattribute traced_perf coredomain;
# mlstrustedsubject lets the profiler read across MLS (multi-user) boundaries.
typeattribute traced_perf mlstrustedsubject;
type traced_perf_exec, system_file_type, exec_type, file_type;
# Expanded domain transition: init execs traced_perf_exec and the child runs
# in the traced_perf domain.
#line 8
#line 8
# Allow the necessary permissions.
#line 8
#line 8
# Old domain may exec the file and transition to the new domain.
#line 8
allow init traced_perf_exec:file { getattr open read execute map };
#line 8
allow init traced_perf:process transition;
#line 8
# New domain is entered by executing the file.
#line 8
allow traced_perf traced_perf_exec:file { entrypoint open read execute getattr map };
#line 8
# New domain can send SIGCHLD to its caller.
#line 8
#line 8
# Enable AT_SECURE, i.e. libc secure mode.
#line 8
dontaudit init traced_perf:process noatsecure;
#line 8
# XXX dontaudit candidate but requires further study.
#line 8
allow init traced_perf:process { siginh rlimitinh };
#line 8
#line 8
# Make the transition occur by default.
#line 8
type_transition init traced_perf_exec:process traced_perf;
#line 8
#line 8
#line 9
# perfetto_producer() expansion: connect to traced's producer socket and share
# traced's tmpfs buffers in both directions.
allow traced_perf traced:fd use;
#line 9
allow traced_perf traced_tmpfs:file { read write getattr map };
#line 9
#line 9
allow traced_perf traced_producer_socket:sock_file write;
#line 9
allow traced_perf traced:unix_stream_socket connectto;
#line 9
#line 9
#line 9
# Also allow the service to use the producer file descriptors. This is
#line 9
# necessary when the producer is creating the shared memory, as it will be
#line 9
# passed to the service as a file descriptor (obtained from memfd_create).
#line 9
allow traced traced_perf:fd use;
#line 9
# Allow traced_perf full use of perf_event_open(2). It will perform cpu-wide
# profiling, but retain samples only for profileable processes.
# Thread-specific profiling is still disallowed due to a PTRACE_MODE_ATTACH
# check (which would require a process:attach SELinux allow-rule).
allow traced_perf self:perf_event { open cpu kernel read write tracepoint };
# Allow CAP_KILL for delivery of dedicated signal to obtain proc-fds from a
# process. Allow CAP_DAC_READ_SEARCH for stack unwinding and symbolization of
# sampled stacks, which requires opening the backing libraries/executables (as
# symbols are usually not mapped into the process space). Not all such files
# are world-readable, e.g. odex files that included user profiles during
# profile-guided optimization.
# Note dac_read_search bypasses DAC only; the SELinux file rules below still
# bound what can actually be opened.
allow traced_perf self:capability { kill dac_read_search };
# Allow reading /system/data/packages.list.
allow traced_perf packages_list_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow reading files for stack unwinding and symbolization.
# r_dir_file() expansions: read-only dir/file/lnk_file access, no write perms.
#line 29
allow traced_perf nativetest_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 29
allow traced_perf nativetest_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 29
#line 30
allow traced_perf system_file_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 30
allow traced_perf system_file_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 30
#line 31
allow traced_perf apk_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 31
allow traced_perf apk_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 31
#line 32
allow traced_perf dalvikcache_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 32
allow traced_perf dalvikcache_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 32
#line 33
allow traced_perf vendor_file_type:dir { open getattr read search ioctl lock watch watch_reads };
#line 33
allow traced_perf vendor_file_type:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 33
# ART apex files and directory access to the containing /data/misc/apexdata.
#line 35
allow traced_perf apex_art_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 35
allow traced_perf apex_art_data_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 35
allow traced_perf apex_module_data_file:dir { getattr search };
# Allow to temporarily lift the kptr_restrict setting and build a symbolization
# map reading /proc/kallsyms.
allow traced_perf proc_kallsyms:file { getattr open read ioctl lock map watch watch_reads };
# Allow reading tracefs files to get the format and numeric ids of tracepoints.
allow traced_perf debugfs_tracing:dir { open getattr read search ioctl lock watch watch_reads };
allow traced_perf debugfs_tracing:file { getattr open read ioctl lock map watch watch_reads };
#line 49
# Do not audit the cases where traced_perf attempts to access /proc/[pid] for
# domains that it cannot read.
dontaudit traced_perf domain:dir { search getattr open };
# Do not audit failures to signal a process, as there are cases when this is
# expected (native processes on debug builds use the policy for enforcing which
# processes are profileable).
dontaudit traced_perf domain:process signal;
# Never allow access to app data files
neverallow traced_perf app_data_file_type:file *;
# Never allow profiling privileged or otherwise incompatible domains.
# Corresponding allow-rule is in private/domain.te.
# The same domain list is expanded twice: once denying :file read (their
# /proc entries) and once denying :process signal. Keep both lists in sync.
#line 65
neverallow traced_perf {
#line 65
apexd
#line 65
app_zygote
#line 65
bpfloader
#line 65
hal_configstore_server
#line 65
init
#line 65
kernel
#line 65
keystore
#line 65
llkd
#line 65
logd
#line 65
ueventd
#line 65
vendor_init
#line 65
vold
#line 65
webview_zygote
#line 65
zygote
#line 65
}:file read;
#line 65
neverallow traced_perf {
#line 65
apexd
#line 65
app_zygote
#line 65
bpfloader
#line 65
hal_configstore_server
#line 65
init
#line 65
kernel
#line 65
keystore
#line 65
llkd
#line 65
logd
#line 65
ueventd
#line 65
vendor_init
#line 65
vold
#line 65
webview_zygote
#line 65
zygote
#line 65
}:process signal;
#line 80
#line 1 "system/sepolicy/private/traced_probes.te"
# Perfetto tracing probes, has tracefs access.
type traced_probes_exec, system_file_type, exec_type, file_type;
type traced_probes_tmpfs, file_type;
# Allow init to exec the daemon.
# Expanded domain transition: init execs traced_probes_exec and the child
# runs in the traced_probes domain.
#line 6
#line 6
# Allow the necessary permissions.
#line 6
#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow init traced_probes_exec:file { getattr open read execute map };
#line 6
allow init traced_probes:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow traced_probes traced_probes_exec:file { entrypoint open read execute getattr map };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit init traced_probes:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow init traced_probes:process { siginh rlimitinh };
#line 6
#line 6
# Make the transition occur by default.
#line 6
type_transition init traced_probes_exec:process traced_probes;
#line 6
#line 6
#line 7
# Per-domain tmpfs label for traced_probes' own shared-memory files.
type_transition traced_probes tmpfs:file traced_probes_tmpfs;
#line 7
allow traced_probes traced_probes_tmpfs:file { read write getattr map };
#line 7
# Write trace data to the Perfetto traced daemon. This requires connecting to its
# producer socket and obtaining a (per-process) tmpfs fd.
#line 11
allow traced_probes traced:fd use;
#line 11
allow traced_probes traced_tmpfs:file { read write getattr map };
#line 11
#line 11
allow traced_probes traced_producer_socket:sock_file write;
#line 11
allow traced_probes traced:unix_stream_socket connectto;
#line 11
#line 11
#line 11
# Also allow the service to use the producer file descriptors. This is
#line 11
# necessary when the producer is creating the shared memory, as it will be
#line 11
# passed to the service as a file descriptor (obtained from memfd_create).
#line 11
allow traced traced_probes:fd use;
#line 11
# Allow traced_probes to access tracefs.
# Read/write on tracefs files: this is what enables/disables ftrace events.
allow traced_probes debugfs_tracing:dir { open getattr read search ioctl lock watch watch_reads };
allow traced_probes debugfs_tracing:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow traced_probes debugfs_trace_marker:file getattr;
allow traced_probes debugfs_tracing_printk_formats:file { getattr open read ioctl lock map watch watch_reads };
# Allow traced_probes to access mm_events trace instance
allow traced_probes debugfs_tracing_instances:dir search;
allow traced_probes debugfs_mm_events_tracing:dir search;
allow traced_probes debugfs_mm_events_tracing:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# TODO(primiano): temporarily I/O tracing categories are still
# userdebug only until we nail down the denylist/allowlist.
#line 29
# Allow traced_probes to start with a higher scheduling class and then downgrade
# itself.
allow traced_probes self:{ capability cap_userns } { sys_nice };
# Allow procfs access
# r_dir_file(traced_probes, domain) expansion: read-only access to the
# /proc/<pid> entries of every domain on the device. This is broad; the
# neverallows at the end of the file are what keep it from reaching /data.
#line 36
allow traced_probes domain:dir { open getattr read search ioctl lock watch watch_reads };
#line 36
allow traced_probes domain:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 36
# Allow to temporarily lift the kptr_restrict setting and build a symbolization
# map reading /proc/kallsyms.
allow traced_probes proc_kallsyms:file { getattr open read ioctl lock map watch watch_reads };
# Allow to read packages.list file.
allow traced_probes packages_list_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow to read game_mode_intervention.list file.
allow traced_probes game_mode_intervention_list_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow to log to kernel dmesg when starting / stopping ftrace.
allow traced_probes kmsg_device:chr_file write;
# Allow traced_probes to list the system partition.
allow traced_probes system_file:dir { open read };
# Allow traced_probes to list some of the data partition.
# dac_read_search bypasses DAC checks; the dir rules below are deliberately
# limited to listing (getattr/open/read/search) with no file access.
allow traced_probes self:{ capability cap_userns } dac_read_search;
allow traced_probes apk_data_file:dir { getattr open read search };
allow traced_probes { apex_art_data_file apex_module_data_file }:dir { getattr open read search };
allow traced_probes dalvikcache_data_file:dir { getattr open read search };
#line 64
allow traced_probes system_app_data_file:dir { getattr open read search };
allow traced_probes backup_data_file:dir { getattr open read search };
allow traced_probes bootstat_data_file:dir { getattr open read search };
allow traced_probes update_engine_data_file:dir { getattr open read search };
allow traced_probes update_engine_log_data_file:dir { getattr open read search };
allow traced_probes { user_profile_root_file user_profile_data_file}:dir { getattr open read search };
# Allow traced_probes to run atrace. atrace pokes at system services to enable
# their userspace TRACE macros.
# Expanded domain transition traced_probes -> atrace; unlike the init-parented
# expansions above this one does emit the sigchld rule.
#line 74
# Allow the necessary permissions.
#line 74
#line 74
# Old domain may exec the file and transition to the new domain.
#line 74
allow traced_probes atrace_exec:file { getattr open read execute map };
#line 74
allow traced_probes atrace:process transition;
#line 74
# New domain is entered by executing the file.
#line 74
allow atrace atrace_exec:file { entrypoint open read execute getattr map };
#line 74
# New domain can send SIGCHLD to its caller.
#line 74
allow atrace traced_probes:process sigchld;
#line 74
# Enable AT_SECURE, i.e. libc secure mode.
#line 74
dontaudit traced_probes atrace:process noatsecure;
#line 74
# XXX dontaudit candidate but requires further study.
#line 74
allow traced_probes atrace:process { siginh rlimitinh };
#line 74
#line 74
# Make the transition occur by default.
#line 74
type_transition traced_probes atrace_exec:process atrace;
#line 74
# Stray ';' left over from the macro expansion; harmless.
;
# Allow traced_probes to kill atrace on timeout.
allow traced_probes atrace:process sigkill;
# Allow traced_probes to access /proc files for system stats.
# Note: trace data is NOT exposed to anything other than shell and privileged
# system apps that have access to the traced consumer socket.
allow traced_probes {
proc_meminfo
proc_vmstat
proc_stat
proc_buddyinfo
proc_pressure_cpu
proc_pressure_io
proc_pressure_mem
}:file { getattr open read ioctl lock map watch watch_reads };
# Allow access to read /sys/class/devfreq/ and /$DEVICE/cur_freq files
allow traced_probes sysfs_devfreq_dir:dir { open getattr read search ioctl lock watch watch_reads };
allow traced_probes sysfs_devfreq_cur:file { getattr open read ioctl lock map watch watch_reads };
# Allow access to read /proc/diskstats for I/O profiling.
allow traced_probes proc_diskstats:file { getattr open read ioctl lock map watch watch_reads };
# Allow access to the IHealth and IPowerStats HAL service for tracing battery counters.
# hal_client_domain() expansions. Each one also makes traced_probes a member of
# the HAL server attribute (hal_health etc.) so that in passthrough mode the
# HAL library can be loaded and executed in-process; the vendor_file execute
# grant is the consequence of that.
#line 100
typeattribute traced_probes halclientdomain;
#line 100
typeattribute traced_probes hal_health_client;
#line 100
#line 100
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 100
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 100
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 100
#line 100
typeattribute traced_probes hal_health;
#line 100
# Find passthrough HAL implementations
#line 100
allow hal_health system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 100
allow hal_health vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 100
allow hal_health vendor_file:file { read open getattr execute map };
#line 100
#line 100
#line 101
typeattribute traced_probes halclientdomain;
#line 101
typeattribute traced_probes hal_power_stats_client;
#line 101
#line 101
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 101
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 101
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 101
#line 101
typeattribute traced_probes hal_power_stats;
#line 101
# Find passthrough HAL implementations
#line 101
allow hal_power_stats system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 101
allow hal_power_stats vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 101
allow hal_power_stats vendor_file:file { read open getattr execute map };
#line 101
#line 101
# Allow access to Atrace HAL for enabling vendor/device specific tracing categories.
#line 104
typeattribute traced_probes halclientdomain;
#line 104
typeattribute traced_probes hal_atrace_client;
#line 104
#line 104
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 104
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 104
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 104
#line 104
typeattribute traced_probes hal_atrace;
#line 104
# Find passthrough HAL implementations
#line 104
allow hal_atrace system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 104
allow hal_atrace vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 104
allow hal_atrace vendor_file:file { read open getattr execute map };
#line 104
#line 104
# On debug builds allow to ingest system logs into the trace.
# (No rule is emitted here in this build; the debug-only block was presumably
# compiled out.)
# Allow traced_probes to talk to statsd for logging metrics and recording atoms.
#line 110
allow traced_probes statsdw_socket:sock_file write;
#line 110
allow traced_probes statsd:unix_dgram_socket sendto;
#line 110
#line 111
# binder_call() expansion: traced_probes is a binder client of statsd.
# Call the server domain and optionally transfer references to it.
#line 111
allow traced_probes statsd:binder { call transfer };
#line 111
# Allow the serverdomain to transfer references to the client on the reply.
#line 111
allow statsd traced_probes:binder transfer;
#line 111
# Receive and use open files from the server.
#line 111
allow traced_probes statsd:fd use;
#line 111
allow traced_probes stats_service:service_manager find;
###
### Neverallow rules
###
### traced_probes should NEVER do any of this
# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
neverallow traced_probes self:process execmem;
# Block device access.
neverallow traced_probes dev_type:blk_file { read write };
# ptrace any other app
neverallow traced_probes domain:process ptrace;
# Disallows access to /data files.
# The exemption list mirrors the listing-only dir grants above; '*' denies
# every dir permission on all other data_file_type types.
neverallow traced_probes {
data_file_type
-apex_module_data_file
-apex_art_data_file
-apk_data_file
-dalvikcache_data_file
-system_data_file
-system_data_root_file
-media_userdir_file
-system_userdir_file
-vendor_userdir_file
-system_app_data_file
-backup_data_file
-bootstat_data_file
-update_engine_data_file
-update_engine_log_data_file
-user_profile_root_file
-user_profile_data_file
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
# subsequent neverallow. Currently only getattr and search are allowed.
-vendor_data_file
}:dir *;
neverallow traced_probes system_data_file:dir ~{ getattr search };
# No file access at all under /data except the two list files read above.
neverallow traced_probes {
data_file_type
-packages_list_file
-game_mode_intervention_list_file
}:file *;
# Only init is allowed to enter the traced_probes domain via exec()
neverallow { domain -init } traced_probes:process transition;
# No domain may setcon() into traced_probes either.
neverallow * traced_probes:process dyntransition;
#line 1 "system/sepolicy/private/traceur_app.te"
typeattribute traceur_app coredomain;
# app_domain() expansion: appdomain membership, tmpfs labelling, the
# per-domain userfaultfd anon_inode type and the /proc isolation neverallows.
#line 3
typeattribute traceur_app appdomain;
#line 3
# Label tmpfs objects for all apps.
#line 3
type_transition traceur_app tmpfs:file appdomain_tmpfs;
#line 3
#line 3
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 3
type traceur_app_userfaultfd;
#line 3
type_transition traceur_app traceur_app:anon_inode traceur_app_userfaultfd "[userfaultfd]";
#line 3
# Allow domain to create/use userfaultfd anon_inode.
#line 3
allow traceur_app traceur_app_userfaultfd:anon_inode { create ioctl read };
#line 3
# Suppress errors generated during bugreport
#line 3
dontaudit su traceur_app_userfaultfd:anon_inode *;
#line 3
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 3
neverallow { domain -traceur_app } traceur_app_userfaultfd:anon_inode *;
#line 3
#line 3
allow traceur_app appdomain_tmpfs:file { execute getattr map read write };
#line 3
# /proc/<pid> isolation in both directions: traceur_app may not open other
# domains' proc files, and other apps may not open traceur_app's. The listed
# debugging domains (runas_app, shell, simpleperf) are the only exemptions.
neverallow { traceur_app -runas_app -shell -simpleperf } { domain -traceur_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 3
neverallow { appdomain -runas_app -shell -simpleperf -traceur_app } traceur_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 3
# The Android security model guarantees the confidentiality and integrity
#line 3
# of application data and execution state. Ptrace bypasses those
#line 3
# confidentiality guarantees. Disallow ptrace access from system components to
#line 3
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 3
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 3
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 3
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 3
# live lock conditions.
#line 3
neverallow { domain -traceur_app -crash_dump -runas_app -simpleperf } traceur_app:process ptrace;
#line 3
# Stray ';' left over from the macro expansion; harmless.
;
# Read/write on tracefs files (enable/disable trace events) and listing of the
# debug tracefs directory.
allow traceur_app debugfs_tracing:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow traceur_app debugfs_tracing_debug:dir { open getattr read search ioctl lock watch watch_reads };
#line 9
# Trace output: full create/rename/delete/rw on trace_data_file; read plus
# unlink only on wm_trace_data_file.
allow traceur_app trace_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow traceur_app trace_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow traceur_app wm_trace_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow traceur_app wm_trace_data_file:file { getattr { getattr open read ioctl lock map watch watch_reads } unlink };
# execute_no_trans: atrace runs inside the traceur_app domain, not in atrace.
allow traceur_app atrace_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# To exec the perfetto cmdline client and pass it the trace config on
# stdin through a pipe.
# Likewise execute_no_trans: the perfetto client runs as traceur_app.
allow traceur_app perfetto_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow to access traced's privileged consumer socket.
# The consumer socket is the trace read-out side; traced.te limits this to a
# few domains, and the neverallow there must stay in sync with this grant.
#line 22
allow traceur_app traced_consumer_socket:sock_file write;
#line 22
allow traceur_app traced:unix_stream_socket connectto;
#line 22
dontaudit traceur_app debugfs_tracing_debug:file audit_access;
# set_prop() expansion: connect to init's property socket and set debug_prop.
#line 26
#line 26
allow traceur_app property_socket:sock_file write;
#line 26
allow traceur_app init:unix_stream_socket connectto;
#line 26
#line 26
allow traceur_app debug_prop:property_service set;
#line 26
#line 26
allow traceur_app debug_prop:file { getattr open read map };
#line 26
#line 26
#line 1 "system/sepolicy/private/ueventd.te"
typeattribute ueventd coredomain;
# Per-domain tmpfs label for ueventd's own tmpfs files.
#line 3
type_transition ueventd tmpfs:file ueventd_tmpfs;
#line 3
allow ueventd ueventd_tmpfs:file { read write getattr map };
#line 3
# ueventd can set properties, particularly it sets ro.cold_boot_done to signal
# to init that cold boot has completed.
# set_prop() expansion: only cold_boot_done_prop is settable from ueventd;
# the property socket/connectto pair is shared plumbing, not a broad grant.
#line 7
#line 7
allow ueventd property_socket:sock_file write;
#line 7
allow ueventd init:unix_stream_socket connectto;
#line 7
#line 7
allow ueventd cold_boot_done_prop:property_service set;
#line 7
#line 7
allow ueventd cold_boot_done_prop:file { getattr open read map };
#line 7
#line 7
#line 1 "system/sepolicy/private/uncrypt.te"
typeattribute uncrypt coredomain;
# Expanded domain transition: init execs uncrypt_exec and the child runs in
# the uncrypt domain.
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init uncrypt_exec:file { getattr open read execute map };
#line 3
allow init uncrypt:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow uncrypt uncrypt_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init uncrypt:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init uncrypt:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init uncrypt_exec:process uncrypt;
#line 3
#line 3
# Set a property to reboot the device.
# set_prop() expansion for powerctl_prop: setting it asks init to reboot, so
# this is effectively a reboot privilege for uncrypt.
#line 6
#line 6
allow uncrypt property_socket:sock_file write;
#line 6
allow uncrypt init:unix_stream_socket connectto;
#line 6
#line 6
allow uncrypt powerctl_prop:property_service set;
#line 6
#line 6
allow uncrypt powerctl_prop:file { getattr open read map };
#line 6
#line 6
#line 1 "system/sepolicy/private/untrusted_app.te"
###
### Untrusted apps.
###
### This file defines the rules for untrusted apps running with
### targetSdkVersion >= 34.
###
### See public/untrusted_app.te for more information about which apps are
### placed in this selinux domain.
###
typeattribute untrusted_app coredomain;
#line 13
typeattribute untrusted_app appdomain;
#line 13
# Label tmpfs objects for all apps.
#line 13
type_transition untrusted_app tmpfs:file appdomain_tmpfs;
#line 13
#line 13
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 13
type untrusted_app_userfaultfd;
#line 13
type_transition untrusted_app untrusted_app:anon_inode untrusted_app_userfaultfd "[userfaultfd]";
#line 13
# Allow domain to create/use userfaultfd anon_inode.
#line 13
allow untrusted_app untrusted_app_userfaultfd:anon_inode { create ioctl read };
#line 13
# Suppress errors generated during bugreport
#line 13
dontaudit su untrusted_app_userfaultfd:anon_inode *;
#line 13
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 13
neverallow { domain -untrusted_app } untrusted_app_userfaultfd:anon_inode *;
#line 13
#line 13
allow untrusted_app appdomain_tmpfs:file { execute getattr map read write };
#line 13
neverallow { untrusted_app -runas_app -shell -simpleperf } { domain -untrusted_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
neverallow { appdomain -runas_app -shell -simpleperf -untrusted_app } untrusted_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
# The Android security model guarantees the confidentiality and integrity
#line 13
# of application data and execution state. Ptrace bypasses those
#line 13
# confidentiality guarantees. Disallow ptrace access from system components to
#line 13
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 13
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 13
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 13
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 13
# live lock conditions.
#line 13
neverallow { domain -untrusted_app -crash_dump -runas_app -simpleperf } untrusted_app:process ptrace;
#line 13
#line 14
typeattribute untrusted_app untrusted_app_all;
#line 14
#line 15
typeattribute untrusted_app netdomain;
#line 15
#line 16
typeattribute untrusted_app bluetoothdomain;
#line 16
# Allow webview to access fd shared by sdksandbox for experiments data
# TODO(b/229249719): Will not be supported in Android U
allow untrusted_app sdk_sandbox_data_file:fd use;
allow untrusted_app sdk_sandbox_data_file:file write;
neverallow untrusted_app sdk_sandbox_data_file:file { open create };
#line 1 "system/sepolicy/private/untrusted_app_25.te"
###
### Untrusted_app_25
###
### This file defines the rules for untrusted apps running with
### targetSdkVersion <= 25.
###
### See public/untrusted_app.te for more information about which apps are
### placed in this selinux domain.
###
typeattribute untrusted_app_25 coredomain;
#line 13
typeattribute untrusted_app_25 appdomain;
#line 13
# Label tmpfs objects for all apps.
#line 13
type_transition untrusted_app_25 tmpfs:file appdomain_tmpfs;
#line 13
#line 13
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 13
type untrusted_app_25_userfaultfd;
#line 13
type_transition untrusted_app_25 untrusted_app_25:anon_inode untrusted_app_25_userfaultfd "[userfaultfd]";
#line 13
# Allow domain to create/use userfaultfd anon_inode.
#line 13
allow untrusted_app_25 untrusted_app_25_userfaultfd:anon_inode { create ioctl read };
#line 13
# Suppress errors generated during bugreport
#line 13
dontaudit su untrusted_app_25_userfaultfd:anon_inode *;
#line 13
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 13
neverallow { domain -untrusted_app_25 } untrusted_app_25_userfaultfd:anon_inode *;
#line 13
#line 13
allow untrusted_app_25 appdomain_tmpfs:file { execute getattr map read write };
#line 13
neverallow { untrusted_app_25 -runas_app -shell -simpleperf } { domain -untrusted_app_25 }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
neverallow { appdomain -runas_app -shell -simpleperf -untrusted_app_25 } untrusted_app_25:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
# The Android security model guarantees the confidentiality and integrity
#line 13
# of application data and execution state. Ptrace bypasses those
#line 13
# confidentiality guarantees. Disallow ptrace access from system components to
#line 13
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 13
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 13
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 13
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 13
# live lock conditions.
#line 13
neverallow { domain -untrusted_app_25 -crash_dump -runas_app -simpleperf } untrusted_app_25:process ptrace;
#line 13
#line 14
typeattribute untrusted_app_25 untrusted_app_all;
#line 14
#line 15
typeattribute untrusted_app_25 netdomain;
#line 15
#line 16
typeattribute untrusted_app_25 bluetoothdomain;
#line 16
# b/35917228 - /proc/misc access
# This will go away in a future Android release
allow untrusted_app_25 proc_misc:file { getattr open read ioctl lock map watch watch_reads };
# Access to /proc/tty/drivers, to allow apps to determine if they
# are running in an emulated environment.
# b/33214085 b/33814662 b/33791054 b/33211769
# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
# This will go away in a future Android release
allow untrusted_app_25 proc_tty_drivers:file { getattr open read ioctl lock map watch watch_reads };
# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
# The ability to call exec() on files in the apps' home directories
# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
# and 28 in untrusted_app_27.te.
allow untrusted_app_25 app_data_file:file execute_no_trans;
auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };
# The ability to invoke dex2oat. Historically required by ART, now only
# allowed for targetApi<=28 for compat reasons.
allow untrusted_app_25 dex2oat_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
# ASharedMemory instead.
allow untrusted_app_25 ashmem_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
auditallow untrusted_app_25 ashmem_device:chr_file open;
# Read /mnt/sdcard symlink.
allow untrusted_app_25 mnt_sdcard_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
# Connect to mdnsd via mdnsd socket.
#line 57
allow untrusted_app_25 mdnsd_socket:sock_file write;
#line 57
allow untrusted_app_25 mdnsd:unix_stream_socket connectto;
#line 57
#line 61
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
# for targetSdkVersion>=34 to remove a sidechannel.
allow untrusted_app_25 apk_data_file:dir { watch watch_reads };
allow untrusted_app_25 apk_data_file:file { watch watch_reads };
#line 70
#line 1 "system/sepolicy/private/untrusted_app_27.te"
###
### Untrusted_27.
###
### This file defines the rules for untrusted apps running with
### 25 < targetSdkVersion <= 28.
###
### See public/untrusted_app.te for more information about which apps are
### placed in this selinux domain.
###
typeattribute untrusted_app_27 coredomain;
#line 13
typeattribute untrusted_app_27 appdomain;
#line 13
# Label tmpfs objects for all apps.
#line 13
type_transition untrusted_app_27 tmpfs:file appdomain_tmpfs;
#line 13
#line 13
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 13
type untrusted_app_27_userfaultfd;
#line 13
type_transition untrusted_app_27 untrusted_app_27:anon_inode untrusted_app_27_userfaultfd "[userfaultfd]";
#line 13
# Allow domain to create/use userfaultfd anon_inode.
#line 13
allow untrusted_app_27 untrusted_app_27_userfaultfd:anon_inode { create ioctl read };
#line 13
# Suppress errors generated during bugreport
#line 13
dontaudit su untrusted_app_27_userfaultfd:anon_inode *;
#line 13
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 13
neverallow { domain -untrusted_app_27 } untrusted_app_27_userfaultfd:anon_inode *;
#line 13
#line 13
allow untrusted_app_27 appdomain_tmpfs:file { execute getattr map read write };
#line 13
neverallow { untrusted_app_27 -runas_app -shell -simpleperf } { domain -untrusted_app_27 }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
neverallow { appdomain -runas_app -shell -simpleperf -untrusted_app_27 } untrusted_app_27:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
# The Android security model guarantees the confidentiality and integrity
#line 13
# of application data and execution state. Ptrace bypasses those
#line 13
# confidentiality guarantees. Disallow ptrace access from system components to
#line 13
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 13
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 13
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 13
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 13
# live lock conditions.
#line 13
neverallow { domain -untrusted_app_27 -crash_dump -runas_app -simpleperf } untrusted_app_27:process ptrace;
#line 13
#line 14
typeattribute untrusted_app_27 untrusted_app_all;
#line 14
#line 15
typeattribute untrusted_app_27 netdomain;
#line 15
#line 16
typeattribute untrusted_app_27 bluetoothdomain;
#line 16
# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
allow untrusted_app_27 { apk_data_file app_data_file asec_public_file }:file execmod;
# The ability to call exec() on files in the apps' home directories
# for targetApi 26, 27, and 28.
allow untrusted_app_27 app_data_file:file execute_no_trans;
auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };
# The ability to invoke dex2oat. Historically required by ART, now only
# allowed for targetApi<=28 for compat reasons.
allow untrusted_app_27 dex2oat_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
# ASharedMemory instead.
allow untrusted_app_27 ashmem_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
auditallow untrusted_app_27 ashmem_device:chr_file open;
# Read /mnt/sdcard symlink.
allow untrusted_app_27 mnt_sdcard_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
# Connect to mdnsd via mdnsd socket.
#line 45
allow untrusted_app_27 mdnsd_socket:sock_file write;
#line 45
allow untrusted_app_27 mdnsd:unix_stream_socket connectto;
#line 45
#line 49
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
# for targetSdkVersion>=34 to remove a sidechannel.
allow untrusted_app_27 apk_data_file:dir { watch watch_reads };
allow untrusted_app_27 apk_data_file:file { watch watch_reads };
#line 58
#line 1 "system/sepolicy/private/untrusted_app_29.te"
###
### Untrusted_29.
###
### This file defines the rules for untrusted apps running with
### targetSdkVersion = 29.
###
### See public/untrusted_app.te for more information about which apps are
### placed in this selinux domain.
###
typeattribute untrusted_app_29 coredomain;
#line 13
typeattribute untrusted_app_29 appdomain;
#line 13
# Label tmpfs objects for all apps.
#line 13
type_transition untrusted_app_29 tmpfs:file appdomain_tmpfs;
#line 13
#line 13
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 13
type untrusted_app_29_userfaultfd;
#line 13
type_transition untrusted_app_29 untrusted_app_29:anon_inode untrusted_app_29_userfaultfd "[userfaultfd]";
#line 13
# Allow domain to create/use userfaultfd anon_inode.
#line 13
allow untrusted_app_29 untrusted_app_29_userfaultfd:anon_inode { create ioctl read };
#line 13
# Suppress errors generated during bugreport
#line 13
dontaudit su untrusted_app_29_userfaultfd:anon_inode *;
#line 13
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 13
neverallow { domain -untrusted_app_29 } untrusted_app_29_userfaultfd:anon_inode *;
#line 13
#line 13
allow untrusted_app_29 appdomain_tmpfs:file { execute getattr map read write };
#line 13
neverallow { untrusted_app_29 -runas_app -shell -simpleperf } { domain -untrusted_app_29 }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
neverallow { appdomain -runas_app -shell -simpleperf -untrusted_app_29 } untrusted_app_29:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
# The Android security model guarantees the confidentiality and integrity
#line 13
# of application data and execution state. Ptrace bypasses those
#line 13
# confidentiality guarantees. Disallow ptrace access from system components to
#line 13
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 13
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 13
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 13
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 13
# live lock conditions.
#line 13
neverallow { domain -untrusted_app_29 -crash_dump -runas_app -simpleperf } untrusted_app_29:process ptrace;
#line 13
#line 14
typeattribute untrusted_app_29 untrusted_app_all;
#line 14
#line 15
typeattribute untrusted_app_29 netdomain;
#line 15
#line 16
typeattribute untrusted_app_29 bluetoothdomain;
#line 16
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
# Connect to mdnsd via mdnsd socket.
#line 23
allow untrusted_app_29 mdnsd_socket:sock_file write;
#line 23
allow untrusted_app_29 mdnsd:unix_stream_socket connectto;
#line 23
#line 27
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
# for targetSdkVersion>=34 to remove a sidechannel.
allow untrusted_app_29 apk_data_file:dir { watch watch_reads };
allow untrusted_app_29 apk_data_file:file { watch watch_reads };
#line 36
#line 1 "system/sepolicy/private/untrusted_app_30.te"
###
### Untrusted apps.
###
### This file defines the rules for untrusted apps running with
### 29 < targetSdkVersion <= 31.
###
### See public/untrusted_app.te for more information about which apps are
### placed in this selinux domain.
###
### TODO(b/192334803): Merge this policy into untrusted_app_29 when possible
###
typeattribute untrusted_app_30 coredomain;
#line 15
typeattribute untrusted_app_30 appdomain;
#line 15
# Label tmpfs objects for all apps.
#line 15
type_transition untrusted_app_30 tmpfs:file appdomain_tmpfs;
#line 15
#line 15
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 15
type untrusted_app_30_userfaultfd;
#line 15
type_transition untrusted_app_30 untrusted_app_30:anon_inode untrusted_app_30_userfaultfd "[userfaultfd]";
#line 15
# Allow domain to create/use userfaultfd anon_inode.
#line 15
allow untrusted_app_30 untrusted_app_30_userfaultfd:anon_inode { create ioctl read };
#line 15
# Suppress errors generated during bugreport
#line 15
dontaudit su untrusted_app_30_userfaultfd:anon_inode *;
#line 15
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 15
neverallow { domain -untrusted_app_30 } untrusted_app_30_userfaultfd:anon_inode *;
#line 15
#line 15
allow untrusted_app_30 appdomain_tmpfs:file { execute getattr map read write };
#line 15
neverallow { untrusted_app_30 -runas_app -shell -simpleperf } { domain -untrusted_app_30 }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
neverallow { appdomain -runas_app -shell -simpleperf -untrusted_app_30 } untrusted_app_30:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 15
# The Android security model guarantees the confidentiality and integrity
#line 15
# of application data and execution state. Ptrace bypasses those
#line 15
# confidentiality guarantees. Disallow ptrace access from system components to
#line 15
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 15
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 15
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 15
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 15
# live lock conditions.
#line 15
neverallow { domain -untrusted_app_30 -crash_dump -runas_app -simpleperf } untrusted_app_30:process ptrace;
#line 15
#line 16
typeattribute untrusted_app_30 untrusted_app_all;
#line 16
#line 17
typeattribute untrusted_app_30 netdomain;
#line 17
#line 18
typeattribute untrusted_app_30 bluetoothdomain;
#line 18
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
# Connect to mdnsd via mdnsd socket.
#line 25
allow untrusted_app_30 mdnsd_socket:sock_file write;
#line 25
allow untrusted_app_30 mdnsd:unix_stream_socket connectto;
#line 25
#line 29
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
# for targetSdkVersion>=34 to remove a sidechannel.
allow untrusted_app_30 apk_data_file:dir { watch watch_reads };
allow untrusted_app_30 apk_data_file:file { watch watch_reads };
#line 38
#line 1 "system/sepolicy/private/untrusted_app_32.te"
###
### Untrusted apps.
###
### This file defines the rules for untrusted apps running with
### 31 < targetSdkVersion <= 33.
###
### See public/untrusted_app.te for more information about which apps are
### placed in this selinux domain.
###
typeattribute untrusted_app_32 coredomain;
#line 13
typeattribute untrusted_app_32 appdomain;
#line 13
# Label tmpfs objects for all apps.
#line 13
type_transition untrusted_app_32 tmpfs:file appdomain_tmpfs;
#line 13
#line 13
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 13
type untrusted_app_32_userfaultfd;
#line 13
type_transition untrusted_app_32 untrusted_app_32:anon_inode untrusted_app_32_userfaultfd "[userfaultfd]";
#line 13
# Allow domain to create/use userfaultfd anon_inode.
#line 13
allow untrusted_app_32 untrusted_app_32_userfaultfd:anon_inode { create ioctl read };
#line 13
# Suppress errors generated during bugreport
#line 13
dontaudit su untrusted_app_32_userfaultfd:anon_inode *;
#line 13
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 13
neverallow { domain -untrusted_app_32 } untrusted_app_32_userfaultfd:anon_inode *;
#line 13
#line 13
allow untrusted_app_32 appdomain_tmpfs:file { execute getattr map read write };
#line 13
neverallow { untrusted_app_32 -runas_app -shell -simpleperf } { domain -untrusted_app_32 }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
neverallow { appdomain -runas_app -shell -simpleperf -untrusted_app_32 } untrusted_app_32:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 13
# The Android security model guarantees the confidentiality and integrity
#line 13
# of application data and execution state. Ptrace bypasses those
#line 13
# confidentiality guarantees. Disallow ptrace access from system components to
#line 13
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 13
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 13
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 13
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 13
# live lock conditions.
#line 13
neverallow { domain -untrusted_app_32 -crash_dump -runas_app -simpleperf } untrusted_app_32:process ptrace;
#line 13
#line 14
typeattribute untrusted_app_32 untrusted_app_all;
#line 14
#line 15
typeattribute untrusted_app_32 netdomain;
#line 15
#line 16
typeattribute untrusted_app_32 bluetoothdomain;
#line 16
# Allow webview to access fd shared by sdksandbox for experiments data
# TODO(b/229249719): Will not be supported in Android U
allow untrusted_app_32 sdk_sandbox_data_file:fd use;
allow untrusted_app_32 sdk_sandbox_data_file:file write;
neverallow untrusted_app_32 sdk_sandbox_data_file:file { open create };
# Connect to mdnsd via mdnsd socket.
#line 26
allow untrusted_app_32 mdnsd_socket:sock_file write;
#line 26
allow untrusted_app_32 mdnsd:unix_stream_socket connectto;
#line 26
#line 30
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
# for targetSdkVersion>=34 to remove a sidechannel.
allow untrusted_app_32 apk_data_file:dir { watch watch_reads };
allow untrusted_app_32 apk_data_file:file { watch watch_reads };
#line 39
#line 1 "system/sepolicy/private/untrusted_app_all.te"
###
### Untrusted_app_all.
###
### This file defines the rules shared by all untrusted app domains except
### ephemeral_app for instant apps and isolated_app (which has a reduced
### permission set).
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
### directory). The untrusted_app_all attribute is assigned to all default
### seapp_contexts for any app with UID between APP_AID (10000)
### and AID_ISOLATED_START (99000) if the app has no specific seinfo
### value as determined from mac_permissions.xml. In current AOSP, this
### attribute is assigned to all non-system apps as well as to any system apps
### that are not signed by the platform key. To move
### a system app into a specific domain, add a signer entry for it to
### mac_permissions.xml and assign it one of the pre-existing seinfo values
### or define and use a new seinfo value in both mac_permissions.xml and
### seapp_contexts.
###
### Note that rules that should apply to all untrusted apps must be in app.te or also
### added to ephemeral_app.te.
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
allow untrusted_app_all privapp_data_file:file { { getattr open read ioctl lock map watch watch_reads } execute };
allow untrusted_app_all app_data_file:file { { getattr open read ioctl lock map watch watch_reads } execute };
auditallow untrusted_app_all app_data_file:file execute;
# Chrome Crashpad uses the dynamic linker to load native executables
# from an APK (b/112050209, crbug.com/928422)
allow untrusted_app_all system_linker_exec:file execute_no_trans;
# Follow priv-app symlinks. This is used for dynamite functionality.
allow untrusted_app_all privapp_data_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
# Allow handling of less common filesystem objects
allow untrusted_app_all app_data_file:{ lnk_file sock_file fifo_file } { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow loading and deleting executable shared libraries
# within an application home directory. Such shared libraries would be
# created by things like renderscript or via other mechanisms.
allow untrusted_app_all app_exec_data_file:file { { getattr open read ioctl lock map watch watch_reads } execute unlink };
# ASEC
allow untrusted_app_all asec_apk_file:file { getattr open read ioctl lock map watch watch_reads };
allow untrusted_app_all asec_apk_file:dir { open getattr read search ioctl lock watch watch_reads };
# Execute libs in asec containers.
allow untrusted_app_all asec_public_file:file { execute };
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
# TODO: Long term, we don't want apps probing into shell data files.
# Figure out a way to remove these rules.
allow untrusted_app_all shell_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow untrusted_app_all shell_data_file:dir { open getattr read search ioctl lock watch watch_reads };
# Allow traceur to pass file descriptors through a content provider to untrusted apps
# for the purpose of sharing files through e.g. gmail
allow untrusted_app_all trace_data_file:file { getattr read };
# Untrusted apps should not be able to open trace data files; they should depend
# upon traceur to pass them a file descriptor.
neverallow untrusted_app_all trace_data_file:dir *;
neverallow untrusted_app_all trace_data_file:file { { append create link unlink relabelfrom rename setattr write } open };
# neverallow untrusted apps any access to debugfs_tracing
neverallow untrusted_app_all debugfs_tracing:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Allow to read staged apks.
allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
# Read and write system app data files passed over Binder.
# Motivating case was /data/data/com.android.settings/cache/*.jpg for
# cropping or taking user photos.
allow untrusted_app_all system_app_data_file:file { read write getattr };
#
# Rules migrated from old app domains coalesced into untrusted_app.
# This includes what used to be media_app, shared_app, and release_app.
#
# Access to /data/media.
allow untrusted_app_all media_rw_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow untrusted_app_all media_rw_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow CTS to query all services.
allow untrusted_app_all servicemanager:service_manager list;
allow untrusted_app_all audioserver_service:service_manager find;
allow untrusted_app_all cameraserver_service:service_manager find;
allow untrusted_app_all drmserver_service:service_manager find;
allow untrusted_app_all mediaserver_service:service_manager find;
allow untrusted_app_all mediaextractor_service:service_manager find;
allow untrusted_app_all mediametrics_service:service_manager find;
allow untrusted_app_all mediadrmserver_service:service_manager find;
allow untrusted_app_all nfc_service:service_manager find;
allow untrusted_app_all radio_service:service_manager find;
allow untrusted_app_all app_api_service:service_manager find;
allow untrusted_app_all vr_manager_service:service_manager find;
# gdbserver for ndk-gdb ptrace attaches to app process.
allow untrusted_app_all self:process ptrace;
# Android Studio Instant Run has the application connect to a
# runas_app socket listening in the abstract namespace.
# https://developer.android.com/studio/run/
# b/123297648
allow untrusted_app_all runas_app:unix_stream_socket connectto;
# Untrusted apps need to be able to send a SIGCHLD to runas_app
# when running under a debugger (b/123612207)
allow untrusted_app_all runas_app:process sigchld;
# Cts: HwRngTest
allow untrusted_app_all sysfs_hwrandom:dir search;
allow untrusted_app_all sysfs_hwrandom:file { getattr open read ioctl lock map watch watch_reads };
# Allow apps to view preloaded media content
allow untrusted_app_all preloads_media_file:dir { open getattr read search ioctl lock watch watch_reads };
allow untrusted_app_all preloads_media_file:file { getattr open read ioctl lock map watch watch_reads };
allow untrusted_app_all preloads_data_file:dir search;
# Allow untrusted apps read / execute access to /vendor/app because there can
# be pre-installed vendor apps that package a library within themselves.
# TODO (b/37784178) Consider creating a special type for /vendor/app installed
# apps.
allow untrusted_app_all vendor_app_file:dir { open getattr read search };
allow untrusted_app_all vendor_app_file:file { { getattr open read ioctl lock map watch watch_reads } execute };
allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
# Allow untrusted apps to use UDP sockets provided by the system server, but not
# to modify them other than to connect.
allow untrusted_app_all system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
# Allow the renderscript compiler to be run.
#line 138
# Allow the necessary permissions.
#line 138
#line 138
# Old domain may exec the file and transition to the new domain.
#line 138
allow untrusted_app_all rs_exec:file { getattr open read execute map };
#line 138
allow untrusted_app_all rs:process transition;
#line 138
# New domain is entered by executing the file.
#line 138
allow rs rs_exec:file { entrypoint open read execute getattr map };
#line 138
# New domain can send SIGCHLD to its caller.
#line 138
allow rs untrusted_app_all:process sigchld;
#line 138
# Enable AT_SECURE, i.e. libc secure mode.
#line 138
dontaudit untrusted_app_all rs:process noatsecure;
#line 138
# XXX dontaudit candidate but requires further study.
#line 138
allow untrusted_app_all rs:process { siginh rlimitinh };
#line 138
#line 138
# Make the transition occur by default.
#line 138
type_transition untrusted_app_all rs_exec:process rs;
#line 138
# Suppress denials caused by apps probing debugfs_tracing. This is dontaudit,
# not allow: the access still fails, only the audit log noise is removed.
dontaudit untrusted_app_all debugfs_tracing:file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
dontaudit untrusted_app_all net_dns_prop:file read;
# These have been disallowed since Android O.
# For P, we assume that apps are safely handling the denial; the dontaudit
# below only silences the audit log, the read itself is still refused.
dontaudit untrusted_app_all {
proc_stat
proc_uptime
proc_vmstat
proc_zoneinfo
}:file read;
# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
#line 157
# Each domain gets a unique devpts type.
#line 157
type untrusted_app_all_devpts, fs_type;
#line 157
# Label the pty with the unique type when created.
#line 157
type_transition untrusted_app_all devpts:chr_file untrusted_app_all_devpts;
#line 157
# Allow use of the pty after creation. The allowxperm list that follows is an
# allowlist: only the enumerated termios/window-size ioctls are permitted on
# the app's own pty, every other ioctl request code is denied.
#line 157
allow untrusted_app_all untrusted_app_all_devpts:chr_file { open getattr read write ioctl };
#line 157
allowxperm untrusted_app_all untrusted_app_all_devpts:chr_file ioctl {
#line 157
0x00005411 0x00005451 0x00005450 0x00005401 0x00005402 0x00005403 0x00005404 0x00005413 0x00005414
#line 157
0x0000540e 0x0000540b 0x00005410 0x0000540f
#line 157
};
#line 157
# TIOCSTI (0x5412) injects input into the terminal and is only ever used for
# exploits. It is deliberately absent from the allowxperm list above, and the
# neverallowxperm below additionally forbids any domain from ever being granted
# it on an app pty, so a vendor policy cannot re-enable it. Block it.
#line 157
# b/33073072, b/7530569
#line 157
# http://www.openwall.com/lists/oss-security/2016/09/26/14
#line 157
neverallowxperm * untrusted_app_all_devpts:chr_file ioctl 0x00005412;
#line 157
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
#line 157
# allowed to everyone via domain.te.
#line 157
# Allow access to kcov via its ioctl interface for coverage
# guided kernel fuzzing.
#line 164
# Allow running a VM for test/demo purposes. Note that the SELinux rules
# below unconditionally let every untrusted app exec virtualizationmanager
# and transition into its domain; the actual access gate is the
# `android.permission.MANAGE_VIRTUAL_MACHINE` check performed by the
# service itself, not by this policy. The protection level of the permission
# is `signature|privileged|development` so that it can only be granted to
# either platform-key signed apps, privileged apps, or test-only apps
# having `android:testOnly="true"` in their manifest.
#line 173
# Transition to virtualizationmanager when the client executes it.
#line 173
#line 173
# Allow the necessary permissions.
#line 173
#line 173
# Old domain may exec the file and transition to the new domain.
#line 173
allow untrusted_app_all virtualizationmanager_exec:file { getattr open read execute map };
#line 173
allow untrusted_app_all virtualizationmanager:process transition;
#line 173
# New domain is entered by executing the file.
#line 173
allow virtualizationmanager virtualizationmanager_exec:file { entrypoint open read execute getattr map };
#line 173
# New domain can send SIGCHLD to its caller.
#line 173
allow virtualizationmanager untrusted_app_all:process sigchld;
#line 173
# Enable AT_SECURE, i.e. libc secure mode.
#line 173
dontaudit untrusted_app_all virtualizationmanager:process noatsecure;
#line 173
# XXX dontaudit candidate but requires further study.
#line 173
allow untrusted_app_all virtualizationmanager:process { siginh rlimitinh };
#line 173
#line 173
# Make the transition occur by default.
#line 173
type_transition untrusted_app_all virtualizationmanager_exec:process virtualizationmanager;
#line 173
#line 173
# Allow virtualizationmanager to communicate over UDS with the client.
#line 173
allow { virtualizationmanager crosvm } untrusted_app_all:unix_stream_socket { ioctl getattr read write };
#line 173
# Let the client pass file descriptors to virtualizationmanager and on to crosvm.
#line 173
allow { virtualizationmanager crosvm } untrusted_app_all:fd use;
#line 173
# Let the client use file descriptors created by virtualizationmanager.
#line 173
allow untrusted_app_all virtualizationmanager:fd use;
#line 173
# Allow piping console log to the client
#line 173
allow { virtualizationmanager crosvm } untrusted_app_all:fifo_file { ioctl getattr read write };
#line 173
# Allow client to read/write vsock created by virtualizationmanager to communicate with the VM
#line 173
# that it created. Notice that we do not grant permission to create a vsock;
#line 173
# the client can only connect to VMs that it owns.
#line 173
allow untrusted_app_all virtualizationmanager:vsock_socket { getattr getopt read write };
#line 173
# Allow client to inspect hypervisor capabilities
#line 173
#line 173
allow untrusted_app_all hypervisor_prop:file { getattr open read map };
#line 173
#line 173
# Allow client to read (but not open) the crashdump provided by
# virtualizationmanager: with no open permission on the type, the app can only
# consume a crashdump through a descriptor that virtualizationmanager opened and
# handed over, and cannot pick files under virtualizationservice_data_file itself.
#line 173
allow untrusted_app_all virtualizationservice_data_file:file { getattr read };
#line 173
#line 179
#line 1 "system/sepolicy/private/update_engine.te"
typeattribute update_engine coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init update_engine_exec:file { getattr open read execute map };
#line 3
allow init update_engine:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow update_engine update_engine_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init update_engine:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init update_engine:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init update_engine_exec:process update_engine;
#line 3
#line 3
;
# Allow to talk to gsid.
allow update_engine gsi_service:service_manager find;
#line 7
# Call the server domain and optionally transfer references to it.
#line 7
allow update_engine gsid:binder { call transfer };
#line 7
# Allow the serverdomain to transfer references to the client on the reply.
#line 7
allow gsid update_engine:binder transfer;
#line 7
# Receive and use open files from the server.
#line 7
allow update_engine gsid:fd use;
#line 7
# Allow to start gsid service.
#line 10
#line 10
allow update_engine property_socket:sock_file write;
#line 10
allow update_engine init:unix_stream_socket connectto;
#line 10
#line 10
allow update_engine ctl_gsid_prop:property_service set;
#line 10
#line 10
allow update_engine ctl_gsid_prop:file { getattr open read map };
#line 10
#line 10
# Allow to start snapuserd for dm-user communication.
#line 13
#line 13
allow update_engine property_socket:sock_file write;
#line 13
allow update_engine init:unix_stream_socket connectto;
#line 13
#line 13
allow update_engine ctl_snapuserd_prop:property_service set;
#line 13
#line 13
allow update_engine ctl_snapuserd_prop:file { getattr open read map };
#line 13
#line 13
# Allow to set the OTA related properties, e.g. ota.warm_reset.
#line 16
#line 16
allow update_engine property_socket:sock_file write;
#line 16
allow update_engine init:unix_stream_socket connectto;
#line 16
#line 16
allow update_engine ota_prop:property_service set;
#line 16
#line 16
allow update_engine ota_prop:file { getattr open read map };
#line 16
#line 16
#line 17
allow update_engine ota_build_prop:file { getattr open read map };
#line 17
# Allow to get the DSU status
#line 20
allow update_engine gsid_prop:file { getattr open read map };
#line 20
# Allow update_engine to call the callback function provided by GKI update hook.
#line 23
# Call the server domain and optionally transfer references to it.
#line 23
allow update_engine gki_apex_prepostinstall:binder { call transfer };
#line 23
# Allow the serverdomain to transfer references to the client on the reply.
#line 23
allow gki_apex_prepostinstall update_engine:binder transfer;
#line 23
# Receive and use open files from the server.
#line 23
allow update_engine gki_apex_prepostinstall:fd use;
#line 23
# Allow update_engine to call the callback provided by the Settings app for the
# kernel update triggered through the 16k-page developer option. Note that
# system_app is the domain shared by every app running in it, not Settings
# alone, so this binder call/transfer grant is broader than its intended peer.
#line 27
# Call the server domain and optionally transfer references to it.
#line 27
allow update_engine system_app:binder { call transfer };
#line 27
# Allow the serverdomain to transfer references to the client on the reply.
#line 27
allow system_app update_engine:binder transfer;
#line 27
# Receive and use open files from the server.
#line 27
allow update_engine system_app:fd use;
#line 27
# Allow to communicate with the snapuserd service, for dm-user snapshots.
allow update_engine snapuserd:unix_stream_socket connectto;
allow update_engine snapuserd_socket:sock_file write;
#line 32
allow update_engine snapuserd_prop:file { getattr open read map };
#line 32
# Allow to communicate with apexd for calculating and reserving space for
# capex decompression
allow update_engine apex_service:service_manager find;
#line 37
# Call the server domain and optionally transfer references to it.
#line 37
allow update_engine apexd:binder { call transfer };
#line 37
# Allow the serverdomain to transfer references to the client on the reply.
#line 37
allow apexd update_engine:binder transfer;
#line 37
# Receive and use open files from the server.
#line 37
allow update_engine apexd:fd use;
#line 37
# let this domain use the hal service
#line 40
# Call the servicemanager and transfer references to it.
#line 40
allow update_engine servicemanager:binder { call transfer };
#line 40
# Allow servicemanager to send out callbacks
#line 40
allow servicemanager update_engine:binder { call transfer };
#line 40
# servicemanager performs getpidcon on clients.
#line 40
allow servicemanager update_engine:dir search;
#line 40
allow servicemanager update_engine:file { read open };
#line 40
allow servicemanager update_engine:process getattr;
#line 40
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 40
# all domains in domain.te.
#line 40
#line 41
typeattribute update_engine halclientdomain;
#line 41
typeattribute update_engine hal_bootctl_client;
#line 41
#line 41
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 41
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 41
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 41
#line 41
typeattribute update_engine hal_bootctl;
#line 41
# Find passthrough HAL implementations
#line 41
allow hal_bootctl system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 41
allow hal_bootctl vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 41
allow hal_bootctl vendor_file:file { read open getattr execute map };
#line 41
#line 41
#line 1 "system/sepolicy/private/update_engine_common.te"
# type_transition rules must live in private policy; the domain_trans rules
# could stay public, but conceptually they belong together here.
# The postinstall program is run by update_engine_common and must be labeled
# postinstall_exec in the new filesystem.
# TODO Have build system attempt to verify this
#line 6
# Allow the necessary permissions.
#line 6
#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow update_engine_common postinstall_exec:file { getattr open read execute map };
#line 6
allow update_engine_common postinstall:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow postinstall postinstall_exec:file { entrypoint open read execute getattr map };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
allow postinstall update_engine_common:process sigchld;
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit update_engine_common postinstall:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow update_engine_common postinstall:process { siginh rlimitinh };
#line 6
#line 6
# Make the transition occur by default.
#line 6
type_transition update_engine_common postinstall_exec:process postinstall;
#line 6
# Vendor directories can have the transition as well during OTA. This is caused
# by update_engine execing scripts in vendor to perform any update tasks needed
# there. Note that this runs vendor-supplied code (postinstall_file) in the
# same postinstall domain as the platform postinstall program, so the
# postinstall domain's permissions must be written on the assumption that the
# executable is not platform-controlled.
#line 11
# Allow the necessary permissions.
#line 11
#line 11
# Old domain may exec the file and transition to the new domain.
#line 11
allow update_engine_common postinstall_file:file { getattr open read execute map };
#line 11
allow update_engine_common postinstall:process transition;
#line 11
# New domain is entered by executing the file.
#line 11
allow postinstall postinstall_file:file { entrypoint open read execute getattr map };
#line 11
# New domain can send SIGCHLD to its caller.
#line 11
allow postinstall update_engine_common:process sigchld;
#line 11
# Enable AT_SECURE, i.e. libc secure mode.
#line 11
dontaudit update_engine_common postinstall:process noatsecure;
#line 11
# XXX dontaudit candidate but requires further study.
#line 11
allow update_engine_common postinstall:process { siginh rlimitinh };
#line 11
#line 11
# Make the transition occur by default.
#line 11
type_transition update_engine_common postinstall_file:process postinstall;
#line 11
allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
#line 1 "system/sepolicy/private/update_verifier.te"
typeattribute update_verifier coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init update_verifier_exec:file { getattr open read execute map };
#line 3
allow init update_verifier:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow update_verifier update_verifier_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init update_verifier:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init update_verifier:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init update_verifier_exec:process update_verifier;
#line 3
#line 3
# Allow update_verifier to reboot the device. It does so by setting a
# powerctl_prop property through init's property service socket, which is why
# the property_socket / init connectto rules accompany the set rule below.
#line 6
#line 6
allow update_verifier property_socket:sock_file write;
#line 6
allow update_verifier init:unix_stream_socket connectto;
#line 6
#line 6
allow update_verifier powerctl_prop:property_service set;
#line 6
#line 6
allow update_verifier powerctl_prop:file { getattr open read map };
#line 6
#line 6
# Allow to set the OTA related properties e.g. ota.warm_reset.
#line 9
#line 9
allow update_verifier property_socket:sock_file write;
#line 9
allow update_verifier init:unix_stream_socket connectto;
#line 9
#line 9
allow update_verifier ota_prop:property_service set;
#line 9
#line 9
allow update_verifier ota_prop:file { getattr open read map };
#line 9
#line 9
# allow update_verifier to connect to snapuserd daemon
allow update_verifier snapuserd_socket:sock_file write;
allow update_verifier snapuserd:unix_stream_socket connectto;
# virtual a/b properties
#line 16
allow update_verifier virtual_ab_prop:file { getattr open read map };
#line 16
#line 1 "system/sepolicy/private/uprobestats.te"
type uprobestats, domain, coredomain;
typeattribute uprobestats bpfdomain;
type uprobestats_exec, system_file_type, exec_type, file_type;
# Allow init to start uprobestats.
#line 8
#line 8
# Allow the necessary permissions.
#line 8
#line 8
# Old domain may exec the file and transition to the new domain.
#line 8
allow init uprobestats_exec:file { getattr open read execute map };
#line 8
allow init uprobestats:process transition;
#line 8
# New domain is entered by executing the file.
#line 8
allow uprobestats uprobestats_exec:file { entrypoint open read execute getattr map };
#line 8
# New domain can send SIGCHLD to its caller.
#line 8
#line 8
# Enable AT_SECURE, i.e. libc secure mode.
#line 8
dontaudit init uprobestats:process noatsecure;
#line 8
# XXX dontaudit candidate but requires further study.
#line 8
allow init uprobestats:process { siginh rlimitinh };
#line 8
#line 8
# Make the transition occur by default.
#line 8
type_transition init uprobestats_exec:process uprobestats;
#line 8
#line 8
allow uprobestats fs_bpf_uprobestats:file { read write };
allow uprobestats fs_bpf_uprobestats:dir search;
allow uprobestats bpfloader:bpf { map_read map_write prog_run };
allow uprobestats self:capability2 perfmon;
allow uprobestats self:perf_event { cpu open write };
allow uprobestats sysfs_uprobe:file { open read };
allow uprobestats sysfs_uprobe:dir { search };
# Allow uprobestats to popen oatdump. execute_no_trans means oatdump runs
# inside the uprobestats domain itself rather than transitioning, so it
# inherits uprobestats' perfmon and bpf privileges while it runs.
allow uprobestats oatdump_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow uprobestats to write atoms to statsd
#line 22
allow uprobestats statsdw_socket:sock_file write;
#line 22
allow uprobestats statsd:unix_dgram_socket sendto;
#line 22
# For registration with system server as a process observer.
#line 25
# Call the servicemanager and transfer references to it.
#line 25
allow uprobestats servicemanager:binder { call transfer };
#line 25
# Allow servicemanager to send out callbacks
#line 25
allow servicemanager uprobestats:binder { call transfer };
#line 25
# servicemanager performs getpidcon on clients.
#line 25
allow servicemanager uprobestats:dir search;
#line 25
allow servicemanager uprobestats:file { read open };
#line 25
allow servicemanager uprobestats:process getattr;
#line 25
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 25
# all domains in domain.te.
#line 25
allow uprobestats activity_service:service_manager find;
#line 27
# Call the server domain and optionally transfer references to it.
#line 27
allow uprobestats system_server:binder { call transfer };
#line 27
# Allow the serverdomain to transfer references to the client on the reply.
#line 27
allow system_server uprobestats:binder transfer;
#line 27
# Receive and use open files from the server.
#line 27
allow uprobestats system_server:fd use;
#line 27
;
# Allow uprobestats to talk to native package manager
allow uprobestats package_native_service:service_manager find;
# Allow uprobestats to scan /proc/<pid>/cmdline.
# Security note: the rules below grant dir search and file/lnk_file read on
# every /proc/<pid> entry of every non-app domain, not just cmdline (procfs
# labels a process's /proc entries with that process's own domain, which is
# why the target is `domain`). App processes are explicitly excluded. Sensitive
# entries such as environ and mem remain additionally gated by the kernel's
# ptrace_may_access() check, which these rules do not satisfy on their own.
#line 33
allow uprobestats { domain -appdomain }:dir { open getattr read search ioctl lock watch watch_reads };
#line 33
allow uprobestats { domain -appdomain }:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 33
# Allow uprobestats to manage its own config files.
allow uprobestats uprobestats_configs_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow uprobestats uprobestats_configs_data_file:file { { getattr open read ioctl lock map watch watch_reads } unlink };
#line 1 "system/sepolicy/private/usbd.te"
typeattribute usbd coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init usbd_exec:file { getattr open read execute map };
#line 3
allow init usbd:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow usbd usbd_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init usbd:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init usbd:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init usbd_exec:process usbd;
#line 3
#line 3
# Access usb gadget hal
#line 6
typeattribute usbd halclientdomain;
#line 6
typeattribute usbd hal_usb_gadget_client;
#line 6
#line 6
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 6
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 6
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 6
#line 6
typeattribute usbd hal_usb_gadget;
#line 6
# Find passthrough HAL implementations
#line 6
allow hal_usb_gadget system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 6
allow hal_usb_gadget vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 6
allow hal_usb_gadget vendor_file:file { read open getattr execute map };
#line 6
#line 6
# Access persist.sys.usb.config
#line 9
allow usbd system_prop:file { getattr open read map };
#line 9
# Start adbd during boot if adb is enabled.
# Note: ctl_default_prop is the default label for ctl.* properties that have
# no dedicated type, so this set permission reaches more than adbd; the
# ctl_adbd_prop rule below is the narrowly-scoped one.
#line 12
#line 12
allow usbd property_socket:sock_file write;
#line 12
allow usbd init:unix_stream_socket connectto;
#line 12
#line 12
allow usbd ctl_default_prop:property_service set;
#line 12
#line 12
allow usbd ctl_default_prop:file { getattr open read map };
#line 12
#line 12
# Start/stop adbd via ctl.start adbd
#line 15
#line 15
allow usbd property_socket:sock_file write;
#line 15
allow usbd init:unix_stream_socket connectto;
#line 15
#line 15
allow usbd ctl_adbd_prop:property_service set;
#line 15
#line 15
allow usbd ctl_adbd_prop:file { getattr open read map };
#line 15
#line 15
#line 1 "system/sepolicy/private/vdc.te"
typeattribute vdc coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init vdc_exec:file { getattr open read execute map };
#line 3
allow init vdc:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow vdc vdc_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init vdc:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init vdc:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init vdc_exec:process vdc;
#line 3
#line 3
# Allow stdin/out back to vehicle_binding_util
allow vdc vehicle_binding_util:fd use;
#line 1 "system/sepolicy/private/vehicle_binding_util.te"
# vehicle binding util startup application
type vehicle_binding_util, domain, coredomain;
# allow init to start vehicle_binding_util
type vehicle_binding_util_exec, exec_type, file_type, system_file_type;
#line 6
#line 6
# Allow the necessary permissions.
#line 6
#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow init vehicle_binding_util_exec:file { getattr open read execute map };
#line 6
allow init vehicle_binding_util:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow vehicle_binding_util vehicle_binding_util_exec:file { entrypoint open read execute getattr map };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit init vehicle_binding_util:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow init vehicle_binding_util:process { siginh rlimitinh };
#line 6
#line 6
# Make the transition occur by default.
#line 6
type_transition init vehicle_binding_util_exec:process vehicle_binding_util;
#line 6
#line 6
# allow writing to kmsg during boot
allow vehicle_binding_util kmsg_device:chr_file { getattr { open append write lock map } };
# allow reading the binding property from HIDL VHAL.
#line 12
# Call the hwservicemanager and transfer references to it.
#line 12
allow vehicle_binding_util hwservicemanager:binder { call transfer };
#line 12
# Allow hwservicemanager to send out callbacks
#line 12
allow hwservicemanager vehicle_binding_util:binder { call transfer };
#line 12
# hwservicemanager performs getpidcon on clients.
#line 12
allow hwservicemanager vehicle_binding_util:dir search;
#line 12
allow hwservicemanager vehicle_binding_util:file { read open map };
#line 12
allow hwservicemanager vehicle_binding_util:process getattr;
#line 12
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
#line 12
# all domains in domain.te.
#line 12
# allow reading the binding property from AIDL VHAL.
#line 14
# Call the servicemanager and transfer references to it.
#line 14
allow vehicle_binding_util servicemanager:binder { call transfer };
#line 14
# Allow servicemanager to send out callbacks
#line 14
allow servicemanager vehicle_binding_util:binder { call transfer };
#line 14
# servicemanager performs getpidcon on clients.
#line 14
allow servicemanager vehicle_binding_util:dir search;
#line 14
allow servicemanager vehicle_binding_util:file { read open };
#line 14
allow servicemanager vehicle_binding_util:process getattr;
#line 14
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 14
# all domains in domain.te.
#line 14
#line 15
typeattribute vehicle_binding_util halclientdomain;
#line 15
typeattribute vehicle_binding_util hal_vehicle_client;
#line 15
#line 15
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 15
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 15
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 15
#line 15
typeattribute vehicle_binding_util hal_vehicle;
#line 15
# Find passthrough HAL implementations
#line 15
allow hal_vehicle system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 15
allow hal_vehicle vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 15
allow hal_vehicle vendor_file:file { read open getattr execute map };
#line 15
#line 15
# allow executing vdc
#line 18
# Allow the necessary permissions.
#line 18
#line 18
# Old domain may exec the file and transition to the new domain.
#line 18
allow vehicle_binding_util vdc_exec:file { getattr open read execute map };
#line 18
allow vehicle_binding_util vdc:process transition;
#line 18
# New domain is entered by executing the file.
#line 18
allow vdc vdc_exec:file { entrypoint open read execute getattr map };
#line 18
# New domain can send SIGCHLD to its caller.
#line 18
allow vdc vehicle_binding_util:process sigchld;
#line 18
# Enable AT_SECURE, i.e. libc secure mode.
#line 18
dontaudit vehicle_binding_util vdc:process noatsecure;
#line 18
# XXX dontaudit candidate but requires further study.
#line 18
allow vehicle_binding_util vdc:process { siginh rlimitinh };
#line 18
#line 18
# Make the transition occur by default.
#line 18
type_transition vehicle_binding_util vdc_exec:process vdc;
#line 18
# Read/write on devpts is needed so vdc's output can be redirected to a pty.
# This is the generic devpts type rather than a per-domain pty type (compare the
# untrusted_app_all_devpts transition above), so it covers any pty still
# labeled devpts.
allow vehicle_binding_util devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
#line 1 "system/sepolicy/private/vendor_init.te"
# Creating files on sysfs is impossible so this isn't a threat
# Sometimes we have to write to non-existent files to avoid conditional
# init behavior. See b/35303861 for an example.
dontaudit vendor_init sysfs:dir write;
# TODO(b/140259336): vendor_init should eventually lose this access; for now it
# may create and remove entries in the /data root (system_data_root_file),
# which is a broad grant for a vendor-controlled domain.
allow vendor_init system_data_root_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
# Let vendor_init set service.adb.tcp.port.
#line 10
#line 10
allow vendor_init property_socket:sock_file write;
#line 10
allow vendor_init init:unix_stream_socket connectto;
#line 10
#line 10
allow vendor_init adbd_config_prop:property_service set;
#line 10
#line 10
allow vendor_init adbd_config_prop:file { getattr open read map };
#line 10
#line 10
# Let vendor_init react to AVF device config changes
#line 13
allow vendor_init device_config_virtualization_framework_native_prop:file { getattr open read map };
#line 13
# Let vendor_init use apex.<name>.ready to start services from vendor APEX
#line 16
allow vendor_init apex_ready_prop:file { getattr open read map };
#line 16
# chown/chmod on device nodes, e.g. /dev/ttyHS0. The exclusions below keep
# vendor_init from changing ownership or mode of security-sensitive nodes such
# as the hardware RNG, the VM manager devices and the keychord device.
allow vendor_init {
dev_type
-keychord_device
-vm_manager_device_type
-port_device
-lowpan_device
-hw_random_device
}:chr_file setattr;
#line 34 "system/sepolicy/private/vfio_handler.te"
# is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT): the vfio_handler rules
# appear to have been compiled out because the flag is off in this build, so
# this prebuilt carries no vfio_handler policy.
#line 1 "system/sepolicy/private/viewcompiler.te"
# viewcompiler
type viewcompiler, domain, coredomain, mlstrustedsubject;
type viewcompiler_exec, system_file_type, exec_type, file_type;
type viewcompiler_tmpfs, file_type;
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by viewcompiler their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by viewcompiler vs other
# processes.
#line 11
type_transition viewcompiler tmpfs:file viewcompiler_tmpfs;
#line 11
allow viewcompiler viewcompiler_tmpfs:file { read write getattr map };
#line 11
allow viewcompiler installd:fd use;
# Include write permission for app data files so viewcompiler can generate
# compiled layout dex files. Only getattr/write are granted (no open, create
# or search), so viewcompiler can write solely through a descriptor that
# installd opened and passed to it (see the installd:fd use rule above).
allow viewcompiler app_data_file:file { getattr write };
# Allow the view compiler to read resources from the apps APK.
allow viewcompiler apk_data_file:file { read map };
# priv-apps are moving to a world where they can only execute signed code.
# Make sure viewcompiler can never write to privapp directories, to avoid
# introducing unsigned executable code; the neverallow below turns that into a
# compile-time guarantee for any policy built on top of this one.
neverallow viewcompiler privapp_data_file:file { append create link unlink relabelfrom rename setattr write };
#line 1 "system/sepolicy/private/virtual_camera.te"
# virtual_camera - virtual camera daemon
type virtual_camera, domain, coredomain;
type virtual_camera_exec, system_file_type, exec_type, file_type;
#line 6
#line 6
# Allow the necessary permissions.
#line 6
#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow init virtual_camera_exec:file { getattr open read execute map };
#line 6
allow init virtual_camera:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow virtual_camera virtual_camera_exec:file { entrypoint open read execute getattr map };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit init virtual_camera:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow init virtual_camera:process { siginh rlimitinh };
#line 6
#line 6
# Make the transition occur by default.
#line 6
type_transition init virtual_camera_exec:process virtual_camera;
#line 6
#line 6
# Since virtual_camera is not a real HAL we don't set the
# hal_server_domain(virtual_camera, hal_camera) macro but only the rules that
# we actually need from halserverdomain and hal_camera_server:
#
# Binder client of servicemanager (binder_use expansion). servicemanager gets
# read access to this domain's /proc/<pid> entries to perform getpidcon.
#line 11
# Call the servicemanager and transfer references to it.
#line 11
allow virtual_camera servicemanager:binder { call transfer };
#line 11
# Allow servicemanager to send out callbacks
#line 11
allow servicemanager virtual_camera:binder { call transfer };
#line 11
# servicemanager performs getpidcon on clients.
#line 11
allow servicemanager virtual_camera:dir search;
#line 11
allow servicemanager virtual_camera:file { read open };
#line 11
allow servicemanager virtual_camera:process getattr;
#line 11
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 11
# all domains in domain.te.
#line 11
# binder_call(virtual_camera, cameraserver): cameraserver may only hand back
# references (transfer) on the reply; it is not given `call` into this domain.
#line 12
# Call the server domain and optionally transfer references to it.
#line 12
allow virtual_camera cameraserver:binder { call transfer };
#line 12
# Allow the serverdomain to transfer references to the client on the reply.
#line 12
allow cameraserver virtual_camera:binder transfer;
#line 12
# Receive and use open files from the server.
#line 12
allow virtual_camera cameraserver:fd use;
#line 12
# binder_call(virtual_camera, system_server): same one-directional shape.
#line 13
# Call the server domain and optionally transfer references to it.
#line 13
allow virtual_camera system_server:binder { call transfer };
#line 13
# Allow the serverdomain to transfer references to the client on the reply.
#line 13
allow system_server virtual_camera:binder transfer;
#line 13
# Receive and use open files from the server.
#line 13
allow virtual_camera system_server:fd use;
#line 13
# Allow virtual_camera to communicate with
# mediaserver (required for using Surface originating
# from virtual camera in mediaserver).
#line 18
# Call the server domain and optionally transfer references to it.
#line 18
allow virtual_camera mediaserver:binder { call transfer };
#line 18
# Allow the serverdomain to transfer references to the client on the reply.
#line 18
allow mediaserver virtual_camera:binder transfer;
#line 18
# Receive and use open files from the server.
#line 18
allow virtual_camera mediaserver:fd use;
#line 18
# Required for the codecs to be able to decode
# video into surface provided by virtual camera.
#
# hal_client_domain(virtual_camera, hal_codec2) expansion. Note the
# passthrough fallback below: the client domain is ALSO given the hal_codec2
# server attribute, so every rule written against hal_codec2 (including the
# vendor_file execute/map grant) applies to virtual_camera on this expansion.
#line 22
typeattribute virtual_camera halclientdomain;
#line 22
typeattribute virtual_camera hal_codec2_client;
#line 22
#line 22
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 22
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 22
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 22
#line 22
typeattribute virtual_camera hal_codec2;
#line 22
# Find passthrough HAL implementations
#line 22
allow hal_codec2 system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 22
allow hal_codec2 vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 22
allow hal_codec2 vendor_file:file { read open getattr execute map };
#line 22
#line 22
# hal_client_domain(virtual_camera, hal_omx) expansion; same passthrough
# fallback as above (virtual_camera also carries the hal_omx attribute).
#line 23
typeattribute virtual_camera halclientdomain;
#line 23
typeattribute virtual_camera hal_omx_client;
#line 23
#line 23
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 23
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 23
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 23
#line 23
typeattribute virtual_camera hal_omx;
#line 23
# Find passthrough HAL implementations
#line 23
allow hal_omx system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 23
allow hal_omx vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 23
allow hal_omx vendor_file:file { read open getattr execute map };
#line 23
#line 23
# Allow virtualCamera to call apps via binder.
#
# NOTE(review): binder_call(virtual_camera, appdomain) expands to
# `allow virtual_camera appdomain:fd use;` below, i.e. fd use from EVERY app
# domain, isolated_app included. The narrower
# `allow virtual_camera { appdomain -isolated_app }:fd use;` that follows is
# therefore already subsumed and does not actually exclude isolated apps. If
# excluding isolated_app from fd passing is the intent, the fd-use grant in
# this macro expansion would have to be narrowed as well — confirm intent.
#line 26
# Call the server domain and optionally transfer references to it.
#line 26
allow virtual_camera appdomain:binder { call transfer };
#line 26
# Allow the serverdomain to transfer references to the client on the reply.
#line 26
allow appdomain virtual_camera:binder transfer;
#line 26
# Receive and use open files from the server.
#line 26
allow virtual_camera appdomain:fd use;
#line 26
# Allow virtual_camera to use fd from apps
# (see NOTE(review) above: this is a subset of the appdomain:fd grant.)
allow virtual_camera { appdomain -isolated_app }:fd use;
# Only allow virtual_camera to add a virtual_camera_service and no one else.
#
# add_service expansion. The neverallow is enforced at policy build time:
# any domain (vendor policy included) that tries to register this service
# name fails compilation. Only virtual_camera itself is granted `find` here;
# other clients need their own find rule.
#line 32
allow virtual_camera virtual_camera_service:service_manager { add find };
#line 32
neverallow { domain -virtual_camera } virtual_camera_service:service_manager add;
#line 32
#line 32
# On debug builds with root, allow binder services to use binder over TCP.
#line 32
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 32
#line 32
# On this (non-debug) expansion the TCP-binder rules are empty; the lone `;`
# below is the leftover of that empty expansion and is a no-op.
;
# Allow virtual_camera to map graphic buffers
#
# hal_client_domain(virtual_camera, hal_graphics_allocator) expansion; same
# passthrough fallback (virtual_camera also carries hal_graphics_allocator).
#line 35
typeattribute virtual_camera halclientdomain;
#line 35
typeattribute virtual_camera hal_graphics_allocator_client;
#line 35
#line 35
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 35
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 35
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 35
#line 35
typeattribute virtual_camera hal_graphics_allocator;
#line 35
# Find passthrough HAL implementations
#line 35
allow hal_graphics_allocator system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 35
allow hal_graphics_allocator vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 35
allow hal_graphics_allocator vendor_file:file { read open getattr execute map };
#line 35
#line 35
# Allow virtual_camera to use GPU
# rw_file_perms on the GPU device node, which includes an unrestricted
# `ioctl`; no allowxperm ioctl allowlist is visible in this block.
allow virtual_camera gpu_device:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
allow virtual_camera gpu_device:dir { open getattr read search ioctl lock watch watch_reads };
# Allow virtual camera to use graphics composer fd-s (fences).
allow virtual_camera hal_graphics_composer:fd use;
# For collecting bugreports.
# Only the inherited fd and a write to the dumpstate pipe are granted; this
# domain cannot open the pipe by path itself.
allow virtual_camera dumpstate:fd use;
allow virtual_camera dumpstate:fifo_file write;
# Needed for permission checks.
allow virtual_camera permission_service:service_manager find;
#line 1 "system/sepolicy/private/virtual_touchpad.te"
# virtual_touchpad: a core (system-image) daemon started by init.
typeattribute virtual_touchpad coredomain;
# init_daemon_domain(virtual_touchpad) expansion: init may exec
# virtual_touchpad_exec and is automatically transitioned into the
# virtual_touchpad domain; the new domain may only enter through that
# executable (entrypoint).
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init virtual_touchpad_exec:file { getattr open read execute map };
#line 3
allow init virtual_touchpad:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow virtual_touchpad virtual_touchpad_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
# (No sigchld rule is emitted here for an init caller — compare the
# vold -> sgdisk transition further down, where one is. Presumably granted
# generically to all domains elsewhere in the policy — confirm.)
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init virtual_touchpad:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
# The new process inherits init's signal state and rlimits.
allow init virtual_touchpad:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init virtual_touchpad_exec:process virtual_touchpad;
#line 3
#line 3
#line 1 "system/sepolicy/private/virtualizationmanager.te"
# Domain for a child process that manages virtual machines on behalf of its parent.
# Note: no init_daemon_domain here — this domain is entered by transition from
# its client (see the virtualizationservice -> virtualizationmanager
# transition further down in this file), not started by init.
type virtualizationmanager, domain, coredomain;
type virtualizationmanager_exec, system_file_type, exec_type, file_type;
# Allow virtualizationmanager to use, read and write over an inherited adb connection.
# Only inherited fds are usable: there is no `open`/`connectto` on adbd's
# socket, so new connections cannot be created from this domain.
allow virtualizationmanager adbd:fd use;
allow virtualizationmanager adbd:unix_stream_socket { getattr read write };
# Allow writing VM logs to the shell console
allow virtualizationmanager devpts:chr_file { read write getattr ioctl };
# Let the virtualizationmanager domain use Binder.
# binder_use expansion; servicemanager reads /proc/<pid> for getpidcon.
#line 14
# Call the servicemanager and transfer references to it.
#line 14
allow virtualizationmanager servicemanager:binder { call transfer };
#line 14
# Allow servicemanager to send out callbacks
#line 14
allow servicemanager virtualizationmanager:binder { call transfer };
#line 14
# servicemanager performs getpidcon on clients.
#line 14
allow servicemanager virtualizationmanager:dir search;
#line 14
allow servicemanager virtualizationmanager:file { read open };
#line 14
allow servicemanager virtualizationmanager:process getattr;
#line 14
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 14
# all domains in domain.te.
#line 14
# Let virtualizationmanager find and communicate with virtualizationservice.
allow virtualizationmanager virtualization_service:service_manager find;
#line 18
# Call the server domain and optionally transfer references to it.
#line 18
allow virtualizationmanager virtualizationservice:binder { call transfer };
#line 18
# Allow the serverdomain to transfer references to the client on the reply.
#line 18
allow virtualizationservice virtualizationmanager:binder transfer;
#line 18
# Receive and use open files from the server.
#line 18
allow virtualizationmanager virtualizationservice:fd use;
#line 18
# Allow calling into the system server to find native services. "permission_service" to check
# permissions, and "package_native" for staged apex info.
#line 22
# Call the server domain and optionally transfer references to it.
#line 22
allow virtualizationmanager system_server:binder { call transfer };
#line 22
# Allow the serverdomain to transfer references to the client on the reply.
#line 22
allow system_server virtualizationmanager:binder transfer;
#line 22
# Receive and use open files from the server.
#line 22
allow virtualizationmanager system_server:fd use;
#line 22
allow virtualizationmanager { package_native_service permission_service }:service_manager find;
# When virtualizationmanager execs a file with the crosvm_exec label, run it in the crosvm domain.
# domain_auto_trans(virtualizationmanager, crosvm_exec, crosvm) expansion:
# the VMM runs in its own, separate crosvm domain rather than inheriting
# this one.
#line 26
# Allow the necessary permissions.
#line 26
#line 26
# Old domain may exec the file and transition to the new domain.
#line 26
allow virtualizationmanager crosvm_exec:file { getattr open read execute map };
#line 26
allow virtualizationmanager crosvm:process transition;
#line 26
# New domain is entered by executing the file.
#line 26
allow crosvm crosvm_exec:file { entrypoint open read execute getattr map };
#line 26
# New domain can send SIGCHLD to its caller.
#line 26
allow crosvm virtualizationmanager:process sigchld;
#line 26
# Enable AT_SECURE, i.e. libc secure mode.
#line 26
dontaudit virtualizationmanager crosvm:process noatsecure;
#line 26
# XXX dontaudit candidate but requires further study.
#line 26
allow virtualizationmanager crosvm:process { siginh rlimitinh };
#line 26
#line 26
# Make the transition occur by default.
#line 26
type_transition virtualizationmanager crosvm_exec:process crosvm;
#line 26
# Let virtualizationmanager kill crosvm.
allow virtualizationmanager crosvm:process sigkill;
# Let virtualizationmanager create files inside virtualizationservice's temporary directories.
allow virtualizationmanager virtualizationservice_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow virtualizationmanager virtualizationservice_data_file:{ file sock_file } { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Let virtualizationmanager read and write files from its various clients, but not open them
# directly as they must be passed over Binder by the client.
# None of the client-file rules below carry `open`; the fd must arrive over
# Binder from a client that could open the file itself.
allow virtualizationmanager apk_data_file:file { getattr read };
# Write access is needed for mutable partitions like instance.img
allow virtualizationmanager {
    app_data_file
    apex_compos_data_file
    apex_virt_data_file
    privapp_data_file
}:file { getattr read write };
# shell_data_file is used for automated tests and manual debugging.
allow virtualizationmanager shell_data_file:file { getattr read write };
# Allow virtualizationmanager to read apex-info-list.xml and access the APEX files listed there.
# Unlike the client files above these ARE path-openable (r_file_perms).
allow virtualizationmanager apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
allow virtualizationmanager apex_data_file:dir search;
allow virtualizationmanager staging_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow virtualizationmanager staging_data_file:dir search;
# Run derive_classpath in our domain
# execute_no_trans: no domain transition; the tool runs with this domain's
# permissions.
allow virtualizationmanager derive_classpath_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow virtualizationmanager apex_mnt_dir:dir { open getattr read search ioctl lock watch watch_reads };
# Ignore harmless denials on /proc/self/fd
dontaudit virtualizationmanager self:dir write;
# Let virtualizationmanager accept vsock connections from the guest VMs
# (create/bind/listen/accept are granted on its own sockets only).
allow virtualizationmanager self:vsock_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } listen accept };
# Allow virtualizationmanager to inspect all hypervisor capabilities.
#line 66
allow virtualizationmanager hypervisor_prop:file { getattr open read map };
#line 66
#line 67
allow virtualizationmanager hypervisor_restricted_prop:file { getattr open read map };
#line 67
# Allow virtualizationmanager to read the custom pvmfw.img configuration.
# In this (non-debug) expansion no read grant is present: the neverallow
# below leaves only init and dumpstate with access, and the dontaudit just
# silences the expected read denial from this domain.
dontaudit virtualizationmanager hypervisor_pvmfw_prop:file read;
neverallow { domain -init -dumpstate } hypervisor_pvmfw_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Allow virtualizationmanager to read the custom virtualizationmanager configuration.
# Same shape as the pvmfw property above: no grant on this expansion, only a
# dontaudit plus a build-time neverallow for everyone except init/dumpstate.
dontaudit virtualizationmanager hypervisor_virtualizationmanager_prop:file read;
neverallow { domain -init -dumpstate } hypervisor_virtualizationmanager_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
# Allow virtualizationmanager service to talk to tombstoned to push guest ramdumps
#line 80
allow virtualizationmanager tombstoned_crash_socket:sock_file write;
#line 80
allow virtualizationmanager tombstoned:unix_stream_socket connectto;
#line 80
# Append ramdumps to tombstone files passed as fds from tombstoned
# append-only, and without `open`: the fd comes from tombstoned.
allow virtualizationmanager tombstone_data_file:file { append getattr };
allow virtualizationmanager tombstoned:fd use;
# Allow virtualizationmanager to read file system DT for VM reference DT and AVF debug policy
#line 87
allow virtualizationmanager proc_dt_avf:dir { open getattr read search ioctl lock watch watch_reads };
#line 87
allow virtualizationmanager proc_dt_avf:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 87
#line 88
allow virtualizationmanager sysfs_dt_avf:dir { open getattr read search ioctl lock watch watch_reads };
#line 88
allow virtualizationmanager sysfs_dt_avf:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 88
# virtualizationmanager to be client of secretkeeper HAL. It ferries SecretManagement messages
# from pVM to HAL.
# hal_client_domain(virtualizationmanager, hal_secretkeeper) expansion; the
# passthrough fallback also gives this domain the hal_secretkeeper server
# attribute (and with it the vendor_file execute/map grant below).
#line 92
typeattribute virtualizationmanager halclientdomain;
#line 92
typeattribute virtualizationmanager hal_secretkeeper_client;
#line 92
#line 92
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 92
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 92
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 92
#line 92
typeattribute virtualizationmanager hal_secretkeeper;
#line 92
# Find passthrough HAL implementations
#line 92
allow hal_secretkeeper system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 92
allow hal_secretkeeper vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 92
allow hal_secretkeeper vendor_file:file { read open getattr execute map };
#line 92
#line 92
# Leftover `;` of an empty conditional expansion; a no-op.
;
# Let virtualizationmanager open test artifacts under /data/local/tmp with file path.
# (e.g. custom debug policy)
# (Those rules are absent from this expansion — only the #line marker remains.)
#line 99
# Allow virtualizationmanager to read microdroid related files in vendor partition
#line 102
allow virtualizationmanager vendor_microdroid_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 102
allow virtualizationmanager vendor_microdroid_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 102
# Do not allow writing vendor_microdroid_file from any process.
# Build-time guarantee with no exceptions (not even init), so vendor policy
# cannot add a writer either.
neverallow { domain } vendor_microdroid_file:dir { add_name create link relabelfrom remove_name rename reparent rmdir setattr write };
neverallow { domain } vendor_microdroid_file:file { append create link unlink relabelfrom rename setattr write };
# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
#line 109
allow virtualizationmanager crosvm:dir { open getattr read search ioctl lock watch watch_reads };
#line 109
allow virtualizationmanager crosvm:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 109
# Leftover `;` of an empty conditional expansion; a no-op.
;
# For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers
# a harmless denial for CompOS log files, so ignore that.
dontaudit virtualizationmanager apex_module_data_file:dir search;
#line 118
#line 1 "system/sepolicy/private/virtualizationservice.te"
# virtualizationservice: the system-wide AVF service started by init. It
# owns the VM temp directories and spawns per-client virtualizationmanager
# processes; the VMM itself (crosvm) is never run in this domain.
type virtualizationservice, domain, coredomain;
type virtualizationservice_exec, system_file_type, exec_type, file_type;
# The domain needs to be a 'mlstrustedsubject' to change the memlock rlimit of
# the virtualizationmanager domain running at a more constrained MLS level.
# (mlstrustedsubject bypasses MLS constraints only; type-enforcement rules
# still apply, and the setrlimit reach is pinned by the neverallow at the
# end of this file.)
typeattribute virtualizationservice mlstrustedsubject;
# When init runs a file labelled with virtualizationservice_exec, run it in the
# virtualizationservice domain.
#line 10
#line 10
# Allow the necessary permissions.
#line 10
#line 10
# Old domain may exec the file and transition to the new domain.
#line 10
allow init virtualizationservice_exec:file { getattr open read execute map };
#line 10
allow init virtualizationservice:process transition;
#line 10
# New domain is entered by executing the file.
#line 10
allow virtualizationservice virtualizationservice_exec:file { entrypoint open read execute getattr map };
#line 10
# New domain can send SIGCHLD to its caller.
#line 10
#line 10
# Enable AT_SECURE, i.e. libc secure mode.
#line 10
dontaudit init virtualizationservice:process noatsecure;
#line 10
# XXX dontaudit candidate but requires further study.
#line 10
allow init virtualizationservice:process { siginh rlimitinh };
#line 10
#line 10
# Make the transition occur by default.
#line 10
type_transition init virtualizationservice_exec:process virtualizationservice;
#line 10
#line 10
# Let the virtualizationservice domain use Binder.
#line 13
# Call the servicemanager and transfer references to it.
#line 13
allow virtualizationservice servicemanager:binder { call transfer };
#line 13
# Allow servicemanager to send out callbacks
#line 13
allow servicemanager virtualizationservice:binder { call transfer };
#line 13
# servicemanager performs getpidcon on clients.
#line 13
allow servicemanager virtualizationservice:dir search;
#line 13
allow servicemanager virtualizationservice:file { read open };
#line 13
allow servicemanager virtualizationservice:process getattr;
#line 13
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 13
# all domains in domain.te.
#line 13
# Register our services with ServiceManager.
# add_service expansion: the neverallow makes virtualizationservice the only
# domain in the whole policy (vendor included) that can register
# virtualization_service; checked at policy build time.
#line 16
allow virtualizationservice virtualization_service:service_manager { add find };
#line 16
neverallow { domain -virtualizationservice } virtualization_service:service_manager add;
#line 16
#line 16
# On debug builds with root, allow binder services to use binder over TCP.
#line 16
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
#line 16
#line 16
# Conditional rules from lines 19-25 of the source .te are absent from this
# (non-debug) expansion; only the #line markers remain.
#line 19
#line 25
# Allow the virtualizationservice domain to serve a remotely provisioned component for
# pVM remote attestation.
# hal_server_domain expansion: this domain is a HAL server (halserverdomain)
# for the AVF IRemotelyProvisionedComponent.
#line 29
typeattribute virtualizationservice halserverdomain;
#line 29
typeattribute virtualizationservice hal_remotelyprovisionedcomponent_avf_server;
#line 29
typeattribute virtualizationservice hal_remotelyprovisionedcomponent_avf;
#line 29
# Allow calling into the system server to find "permission_service".
#line 32
# Call the server domain and optionally transfer references to it.
#line 32
allow virtualizationservice system_server:binder { call transfer };
#line 32
# Allow the serverdomain to transfer references to the client on the reply.
#line 32
allow system_server virtualizationservice:binder transfer;
#line 32
# Receive and use open files from the server.
#line 32
allow virtualizationservice system_server:fd use;
#line 32
allow virtualizationservice permission_service:service_manager find;
# Allow virtualizationservice to retrieve the remotely provisioned keys from rkpd.
#line 36
# Call the server domain and optionally transfer references to it.
#line 36
allow virtualizationservice remote_provisioning_service:binder { call transfer };
#line 36
# Allow the serverdomain to transfer references to the client on the reply.
#line 36
allow remote_provisioning_service virtualizationservice:binder transfer;
#line 36
# Receive and use open files from the server.
#line 36
allow virtualizationservice remote_provisioning_service:fd use;
#line 36
allow virtualizationservice remote_provisioning_service:service_manager find;
# Allow virtualizationservice to manage VM secrets via Secretkeeper.
# hal_client_domain(virtualizationservice, hal_secretkeeper) expansion; the
# passthrough fallback also gives this domain the hal_secretkeeper server
# attribute and therefore the vendor_file execute/map grant below.
#line 40
typeattribute virtualizationservice halclientdomain;
#line 40
typeattribute virtualizationservice hal_secretkeeper_client;
#line 40
#line 40
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
#line 40
# non-Treble devices. For now, on non-Treble device, always grant clients of a
#line 40
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
#line 40
#line 40
typeattribute virtualizationservice hal_secretkeeper;
#line 40
# Find passthrough HAL implementations
#line 40
allow hal_secretkeeper system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 40
allow hal_secretkeeper vendor_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 40
allow hal_secretkeeper vendor_file:file { read open getattr execute map };
#line 40
#line 40
# Let virtualizationservice remove memlock rlimit of virtualizationmanager. This is necessary
# to mlock VM memory and page tables.
# CAP_SYS_RESOURCE is broad; the process-level target of `setrlimit` is
# limited to virtualizationmanager (and self) by the neverallow at the end
# of this file.
allow virtualizationservice self:capability sys_resource;
allow virtualizationservice virtualizationmanager:process setrlimit;
# Let virtualizationservice set the owner of a VM's temporary directory.
# CAP_CHOWN is not path-scoped by itself; its practical reach is bounded by
# the file/dir types this domain can write (virtualizationservice_data_file
# and apex_virt_data_file below).
allow virtualizationservice self:capability chown;
# Let virtualizationservice create and delete temporary directories of VMs. To remove old
# directories, it needs the permission to unlink the files created by virtualizationmanager.
allow virtualizationservice virtualizationservice_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow virtualizationservice virtualizationservice_data_file:sock_file unlink;
allow virtualizationservice virtualizationservice_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
# crosvm to the console
allow virtualizationservice adbd:fd use;
allow virtualizationservice adbd:unix_stream_socket { read write };
# Allow to connect to and run VirtMgr to start the service VM for remote attestation.
#
# virtualizationservice_use(virtualizationservice) expansion: the generic
# "client of VirtMgr" macro instantiated with this domain as the client, so
# virtualizationservice can spawn its own virtualizationmanager child.
#line 62
# Transition to virtualizationmanager when the client executes it.
#line 62
#line 62
# Allow the necessary permissions.
#line 62
#line 62
# Old domain may exec the file and transition to the new domain.
#line 62
allow virtualizationservice virtualizationmanager_exec:file { getattr open read execute map };
#line 62
allow virtualizationservice virtualizationmanager:process transition;
#line 62
# New domain is entered by executing the file.
#line 62
allow virtualizationmanager virtualizationmanager_exec:file { entrypoint open read execute getattr map };
#line 62
# New domain can send SIGCHLD to its caller.
#line 62
allow virtualizationmanager virtualizationservice:process sigchld;
#line 62
# Enable AT_SECURE, i.e. libc secure mode.
#line 62
dontaudit virtualizationservice virtualizationmanager:process noatsecure;
#line 62
# XXX dontaudit candidate but requires further study.
#line 62
allow virtualizationservice virtualizationmanager:process { siginh rlimitinh };
#line 62
#line 62
# Make the transition occur by default.
#line 62
type_transition virtualizationservice virtualizationmanager_exec:process virtualizationmanager;
#line 62
#line 62
# Allow virtualizationmanager to communicate over UDS with the client.
#line 62
allow { virtualizationmanager crosvm } virtualizationservice:unix_stream_socket { ioctl getattr read write };
#line 62
# Let the client pass file descriptors to virtualizationmanager and on to crosvm.
#line 62
allow { virtualizationmanager crosvm } virtualizationservice:fd use;
#line 62
# Let the client use file descriptors created by virtualizationmanager.
#line 62
allow virtualizationservice virtualizationmanager:fd use;
#line 62
# Allow piping console log to the client
#line 62
allow { virtualizationmanager crosvm } virtualizationservice:fifo_file { ioctl getattr read write };
#line 62
# Allow client to read/write vsock created by virtualizationmanager to communicate with the VM
#line 62
# that it created. Notice that we do not grant permission to create a vsock;
#line 62
# the client can only connect to VMs that it owns.
#line 62
allow virtualizationservice virtualizationmanager:vsock_socket { getattr getopt read write };
#line 62
# Allow client to inspect hypervisor capabilities
#line 62
#line 62
allow virtualizationservice hypervisor_prop:file { getattr open read map };
#line 62
#line 62
# Allow client to read (but not open) the crashdump provided by virtualizationmanager
# (For this particular client the restriction is moot: the rw_file_perms
# grant on virtualizationservice_data_file above already includes open.)
#line 62
allow virtualizationservice virtualizationservice_data_file:file { getattr read };
#line 62
# Allow virtualizationservice to read and write in the apex data directory
# /data/misc/apexdata/com.android.virt. Also allow checking of the parent directory
# (needed for SQLite database creation).
allow virtualizationservice apex_module_data_file:dir { search getattr };
allow virtualizationservice apex_virt_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow virtualizationservice apex_virt_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Let virtualizationservice accept vsock connections from the guest VMs to singleton services
# such as the guest tombstone server.
allow virtualizationservice self:vsock_socket { { create { read getattr write setattr lock append bind connect getopt setopt shutdown map } } listen accept };
# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
# set_prop expansion (write goes through init's property socket) plus
# get_prop; exclusivity is enforced by the neverallow at the end of this file.
#line 76
#line 76
allow virtualizationservice property_socket:sock_file write;
#line 76
allow virtualizationservice init:unix_stream_socket connectto;
#line 76
#line 76
allow virtualizationservice virtualizationservice_prop:property_service set;
#line 76
#line 76
allow virtualizationservice virtualizationservice_prop:file { getattr open read map };
#line 76
#line 76
# Allow writing stats to statsd
#line 79
allow virtualizationservice statsdw_socket:sock_file write;
#line 79
allow virtualizationservice statsd:unix_dgram_socket sendto;
#line 79
# Allow virtualization service to talk to tombstoned to push guest tombstones
#line 82
allow virtualizationservice tombstoned_crash_socket:sock_file write;
#line 82
allow virtualizationservice tombstoned:unix_stream_socket connectto;
#line 82
# Append to tombstone files passed as fds from tombstoned
# append-only and without `open`; the fd comes from tombstoned.
allow virtualizationservice tombstone_data_file:file { append getattr };
allow virtualizationservice tombstoned:fd use;
# Allow virtualizationservice to check if VFIO is supported
# getattr only on the device node — this domain cannot open /dev/vfio/*.
allow virtualizationservice vfio_device:chr_file getattr;
allow virtualizationservice vfio_device:dir { open getattr read search ioctl lock watch watch_reads };
# Allow virtualizationservice to access VM DTBO via a file created by virtualizationmanager.
# (Duplicate of the fd-use rule inside the virtualizationservice_use
# expansion above; harmless.)
allow virtualizationservice virtualizationmanager:fd use;
# Allow virtualizationservice to access vendor_configs_file to get the list of assignable devices.
#line 96
allow virtualizationservice vendor_configs_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 96
allow virtualizationservice vendor_configs_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 96
# Build-time invariants (also enforced against vendor policy):
# - only init and virtualizationservice may set virtualizationservice_prop;
neverallow {
  domain
  -init
  -virtualizationservice
} virtualizationservice_prop:property_service set;
# - only init, virtualizationmanager and virtualizationservice may open or
#   create files in the VM temp directories (other clients get fds only);
neverallow {
  domain
  -init
  -virtualizationmanager
  -virtualizationservice
} virtualizationservice_data_file:file { open create };
# - virtualizationservice's setrlimit (backed by CAP_SYS_RESOURCE above)
#   can only target virtualizationmanager or itself.
neverallow virtualizationservice {
  domain
  -virtualizationmanager
  -virtualizationservice
}:process setrlimit;
#line 120
#line 1 "system/sepolicy/private/vold.te"
typeattribute vold coredomain;
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init vold_exec:file { getattr open read execute map };
#line 3
allow init vold:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow vold vold_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init vold:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init vold:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init vold_exec:process vold;
#line 3
#line 3
# Switch to more restrictive domains when executing common tools
#line 6
# Allow the necessary permissions.
#line 6
#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow vold sgdisk_exec:file { getattr open read execute map };
#line 6
allow vold sgdisk:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow sgdisk sgdisk_exec:file { entrypoint open read execute getattr map };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
allow sgdisk vold:process sigchld;
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit vold sgdisk:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow vold sgdisk:process { siginh rlimitinh };
#line 6
#line 6
# Make the transition occur by default.
#line 6
type_transition vold sgdisk_exec:process sgdisk;
#line 6
;
#line 7
# Allow the necessary permissions.
#line 7
#line 7
# Old domain may exec the file and transition to the new domain.
#line 7
allow vold sdcardd_exec:file { getattr open read execute map };
#line 7
allow vold sdcardd:process transition;
#line 7
# New domain is entered by executing the file.
#line 7
allow sdcardd sdcardd_exec:file { entrypoint open read execute getattr map };
#line 7
# New domain can send SIGCHLD to its caller.
#line 7
allow sdcardd vold:process sigchld;
#line 7
# Enable AT_SECURE, i.e. libc secure mode.
#line 7
dontaudit vold sdcardd:process noatsecure;
#line 7
# XXX dontaudit candidate but requires further study.
#line 7
allow vold sdcardd:process { siginh rlimitinh };
#line 7
#line 7
# Make the transition occur by default.
#line 7
type_transition vold sdcardd_exec:process sdcardd;
#line 7
;
#line 8
# Allow the necessary permissions.
#line 8
#line 8
# Old domain may exec the file and transition to the new domain.
#line 8
allow vold fuseblkd_untrusted_exec:file { getattr open read execute map };
#line 8
allow vold fuseblkd_untrusted:process transition;
#line 8
# New domain is entered by executing the file.
#line 8
allow fuseblkd_untrusted fuseblkd_untrusted_exec:file { entrypoint open read execute getattr map };
#line 8
# New domain can send SIGCHLD to its caller.
#line 8
allow fuseblkd_untrusted vold:process sigchld;
#line 8
# Enable AT_SECURE, i.e. libc secure mode.
#line 8
dontaudit vold fuseblkd_untrusted:process noatsecure;
#line 8
# XXX dontaudit candidate but requires further study.
#line 8
allow vold fuseblkd_untrusted:process { siginh rlimitinh };
#line 8
#line 8
# Make the transition occur by default.
#line 8
type_transition vold fuseblkd_untrusted_exec:process fuseblkd_untrusted;
#line 8
;
# Switch to e2fs domain when running mkfs.ext4 to format a partition
# domain_auto_trans() expansion: vold -> e2fs via e2fs_exec. The formatting
# tool runs in its own domain rather than inheriting vold's broad privileges;
# the type_transition makes this the default on exec() so vold does not have
# to request the context explicitly.
#line 11
# Allow the necessary permissions.
#line 11
#line 11
# Old domain may exec the file and transition to the new domain.
#line 11
allow vold e2fs_exec:file { getattr open read execute map };
#line 11
allow vold e2fs:process transition;
#line 11
# New domain is entered by executing the file.
#line 11
allow e2fs e2fs_exec:file { entrypoint open read execute getattr map };
#line 11
# New domain can send SIGCHLD to its caller.
#line 11
allow e2fs vold:process sigchld;
#line 11
# Enable AT_SECURE, i.e. libc secure mode.
#line 11
dontaudit vold e2fs:process noatsecure;
#line 11
# XXX dontaudit candidate but requires further study.
#line 11
allow vold e2fs:process { siginh rlimitinh };
#line 11
#line 11
# Make the transition occur by default.
#line 11
type_transition vold e2fs_exec:process e2fs;
#line 11
;
# For a handful of probing tools, we choose an even more restrictive
# domain when working with untrusted block devices
# Two domain_trans() expansions (no type_transition, unlike the blocks above):
# the same binary type blkid_exec may enter either blkid or blkid_untrusted,
# so the exec type alone does not pick the domain -- vold must request the
# target context for each exec (presumably via setexeccon(3); confirm in vold).
#line 16
# Old domain may exec the file and transition to the new domain.
#line 16
allow vold blkid_exec:file { getattr open read execute map };
#line 16
allow vold blkid:process transition;
#line 16
# New domain is entered by executing the file.
#line 16
allow blkid blkid_exec:file { entrypoint open read execute getattr map };
#line 16
# New domain can send SIGCHLD to its caller.
#line 16
allow blkid vold:process sigchld;
#line 16
# Enable AT_SECURE, i.e. libc secure mode.
#line 16
dontaudit vold blkid:process noatsecure;
#line 16
# XXX dontaudit candidate but requires further study.
#line 16
allow vold blkid:process { siginh rlimitinh };
#line 16
;
# Same binary, more restrictive domain for untrusted devices.
#line 17
# Old domain may exec the file and transition to the new domain.
#line 17
allow vold blkid_exec:file { getattr open read execute map };
#line 17
allow vold blkid_untrusted:process transition;
#line 17
# New domain is entered by executing the file.
#line 17
allow blkid_untrusted blkid_exec:file { entrypoint open read execute getattr map };
#line 17
# New domain can send SIGCHLD to its caller.
#line 17
allow blkid_untrusted vold:process sigchld;
#line 17
# Enable AT_SECURE, i.e. libc secure mode.
#line 17
dontaudit vold blkid_untrusted:process noatsecure;
#line 17
# XXX dontaudit candidate but requires further study.
#line 17
allow vold blkid_untrusted:process { siginh rlimitinh };
#line 17
;
# fsck / fsck_untrusted: same pattern as blkid above. One exec type
# (fsck_exec), two possible target domains, no type_transition, so the
# caller decides which domain is entered for a given device.
#line 18
# Old domain may exec the file and transition to the new domain.
#line 18
allow vold fsck_exec:file { getattr open read execute map };
#line 18
allow vold fsck:process transition;
#line 18
# New domain is entered by executing the file.
#line 18
allow fsck fsck_exec:file { entrypoint open read execute getattr map };
#line 18
# New domain can send SIGCHLD to its caller.
#line 18
allow fsck vold:process sigchld;
#line 18
# Enable AT_SECURE, i.e. libc secure mode.
#line 18
dontaudit vold fsck:process noatsecure;
#line 18
# XXX dontaudit candidate but requires further study.
#line 18
allow vold fsck:process { siginh rlimitinh };
#line 18
;
# Restrictive variant for untrusted block devices.
#line 19
# Old domain may exec the file and transition to the new domain.
#line 19
allow vold fsck_exec:file { getattr open read execute map };
#line 19
allow vold fsck_untrusted:process transition;
#line 19
# New domain is entered by executing the file.
#line 19
allow fsck_untrusted fsck_exec:file { entrypoint open read execute getattr map };
#line 19
# New domain can send SIGCHLD to its caller.
#line 19
allow fsck_untrusted vold:process sigchld;
#line 19
# Enable AT_SECURE, i.e. libc secure mode.
#line 19
dontaudit vold fsck_untrusted:process noatsecure;
#line 19
# XXX dontaudit candidate but requires further study.
#line 19
allow vold fsck_untrusted:process { siginh rlimitinh };
#line 19
;
# Newly created storage dirs are always treated as mount stubs to prevent us
# from accidentally writing when the mount point isn't present.
# These are object (dir-creation) type_transitions: a directory vold creates
# inside a storage_file / mnt_media_rw_file parent is labeled with the
# corresponding *_stub_file type instead of inheriting the parent's type.
type_transition vold storage_file:dir storage_stub_file;
type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
# Property Service
# get_prop() expansions: read-only access (file read/map on the property
# context type). No property_service:set is granted here, so vold can read
# but not write vold_config_prop, storage_config_prop, incremental_prop and
# gsid_prop.
#line 27
allow vold vold_config_prop:file { getattr open read map };
#line 27
#line 28
allow vold storage_config_prop:file { getattr open read map };
#line 28
;
#line 29
allow vold incremental_prop:file { getattr open read map };
#line 29
;
#line 30
allow vold gsid_prop:file { getattr open read map };
#line 30
;
# set_prop() expansions. Each one grants the three pieces a property write
# needs: write on the property socket, connectto init's unix_stream_socket
# (init is the property service), and property_service:set on the specific
# property type, plus read/map of that type. Writable from vold as a result:
# vold_prop, vold_status_prop, powerctl_prop, ctl_fuse_prop, restorecon_prop,
# ota_prop, boottime_prop, boottime_public_prop. powerctl_prop and
# ctl_fuse_prop are control-style properties; setting them presumably makes
# init act (reboot/shutdown, fuse service control) -- confirm in init.rc.
#line 32
#line 32
allow vold property_socket:sock_file write;
#line 32
allow vold init:unix_stream_socket connectto;
#line 32
#line 32
allow vold vold_prop:property_service set;
#line 32
#line 32
allow vold vold_prop:file { getattr open read map };
#line 32
#line 32
#line 33
#line 33
allow vold property_socket:sock_file write;
#line 33
allow vold init:unix_stream_socket connectto;
#line 33
#line 33
allow vold vold_status_prop:property_service set;
#line 33
#line 33
allow vold vold_status_prop:file { getattr open read map };
#line 33
#line 33
#line 34
#line 34
allow vold property_socket:sock_file write;
#line 34
allow vold init:unix_stream_socket connectto;
#line 34
#line 34
allow vold powerctl_prop:property_service set;
#line 34
#line 34
allow vold powerctl_prop:file { getattr open read map };
#line 34
#line 34
#line 35
#line 35
allow vold property_socket:sock_file write;
#line 35
allow vold init:unix_stream_socket connectto;
#line 35
#line 35
allow vold ctl_fuse_prop:property_service set;
#line 35
#line 35
allow vold ctl_fuse_prop:file { getattr open read map };
#line 35
#line 35
#line 36
#line 36
allow vold property_socket:sock_file write;
#line 36
allow vold init:unix_stream_socket connectto;
#line 36
#line 36
allow vold restorecon_prop:property_service set;
#line 36
#line 36
allow vold restorecon_prop:file { getattr open read map };
#line 36
#line 36
#line 37
#line 37
allow vold property_socket:sock_file write;
#line 37
allow vold init:unix_stream_socket connectto;
#line 37
#line 37
allow vold ota_prop:property_service set;
#line 37
#line 37
allow vold ota_prop:file { getattr open read map };
#line 37
#line 37
#line 38
#line 38
allow vold property_socket:sock_file write;
#line 38
allow vold init:unix_stream_socket connectto;
#line 38
#line 38
allow vold boottime_prop:property_service set;
#line 38
#line 38
allow vold boottime_prop:file { getattr open read map };
#line 38
#line 38
#line 39
#line 39
allow vold property_socket:sock_file write;
#line 39
allow vold init:unix_stream_socket connectto;
#line 39
#line 39
allow vold boottime_public_prop:property_service set;
#line 39
#line 39
allow vold boottime_public_prop:file { getattr open read map };
#line 39
#line 39
# Vold will use Keystore instead of using Keymint directly. But it still needs
# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
# Scope note: these keystore2_key permissions apply only to keys of type
# vold_key, i.e. vold's own namespace, not to other domains' keys.
allow vold vold_key:keystore2_key {
convert_storage_key_to_ephemeral
delete
get_info
manage_blob
rebind
req_forced_op
update
use
};
# vold needs to call keystore methods
allow vold keystore:binder call;
# vold needs to find keystore2 services
allow vold keystore_service:service_manager find;
allow vold keystore_maintenance_service:service_manager find;
# vold needs to be able to call earlyBootEnded() and deleteAllKeys()
# These are keystore2-class permissions checked by keystore itself; both are
# privileged lifecycle operations (delete_all_keys wipes keys), hence granted
# only to vold here.
allow vold keystore:keystore2 early_boot_ended;
allow vold keystore:keystore2 delete_all_keys;
# Compile-time guard: only the listed domains may look up vold's binder
# service. Any other domain (including vendor policy) that tries to add
# vold_service:service_manager find fails the policy build.
neverallow {
domain
-system_server
-vdc
-vold
-update_verifier
-apexd
-gsid
} vold_service:service_manager find;
# Allow vold to create and delete per-user directories like /data/user/$userId.
# Note: add_name/remove_name/write on the parent dir, not on the created
# entries themselves; vold_prepare_subdirs (next section) handles the subtree.
allow vold {
media_userdir_file
system_userdir_file
vendor_userdir_file
}:dir {
add_name
remove_name
write
};
# Only vold should create (and delete) per-user directories like
# /data/user/$userId. This is very important, as these directories need to be
# encrypted with per-user keys, which only vold can do. Encryption can only be
# set up on empty directories, so creation and encryption must happen together.
# The neverallow is the enforcement half of the rule above: it is the exact
# complement (same types, same permissions, every domain except vold).
neverallow {
domain
-vold
} {
media_userdir_file
system_userdir_file
vendor_userdir_file
}:dir {
add_name
remove_name
write
};
#line 1 "system/sepolicy/private/vold_prepare_subdirs.te"
# vold_prepare_subdirs: helper vold execs to set up and relabel per-user /data
# subdirectories. It is a privileged helper (DAC override, chown, relabelto on
# many /data types), so the rules below are what bounds it.
#line 1
# Allow the necessary permissions.
#line 1
#line 1
# Old domain may exec the file and transition to the new domain.
#line 1
allow vold vold_prepare_subdirs_exec:file { getattr open read execute map };
#line 1
allow vold vold_prepare_subdirs:process transition;
#line 1
# New domain is entered by executing the file.
#line 1
allow vold_prepare_subdirs vold_prepare_subdirs_exec:file { entrypoint open read execute getattr map };
#line 1
# New domain can send SIGCHLD to its caller.
#line 1
allow vold_prepare_subdirs vold:process sigchld;
#line 1
# Enable AT_SECURE, i.e. libc secure mode.
#line 1
dontaudit vold vold_prepare_subdirs:process noatsecure;
#line 1
# XXX dontaudit candidate but requires further study.
#line 1
allow vold vold_prepare_subdirs:process { siginh rlimitinh };
#line 1
#line 1
# Make the transition occur by default.
#line 1
type_transition vold vold_prepare_subdirs_exec:process vold_prepare_subdirs;
#line 1
# MLS: trusted subject, so per-user MLS level checks do not block it when it
# works across user directories.
typeattribute vold_prepare_subdirs mlstrustedsubject;
# Runs system binaries (shell, toolbox) in its own domain rather than
# transitioning -- execute_no_trans.
allow vold_prepare_subdirs system_file:file execute_no_trans;
allow vold_prepare_subdirs shell_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow vold_prepare_subdirs toolbox_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow vold_prepare_subdirs devpts:chr_file { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } };
# Inherits fds and talks back to vold over a pipe.
allow vold_prepare_subdirs vold:fd use;
allow vold_prepare_subdirs vold:fifo_file { read write };
# Reads file_contexts so it can compute the correct labels for the dirs it
# creates/relabels.
allow vold_prepare_subdirs file_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# Powerful capabilities: bypass DAC, change owners, override owner checks.
# Needed to create dirs owned by arbitrary app uids; bounded only by the
# file types listed below.
allow vold_prepare_subdirs self:{ capability cap_userns } { chown dac_override dac_read_search fowner };
# setfscreate: set the label new files are created with (instead of relying
# on type_transition rules).
allow vold_prepare_subdirs self:process setfscreate;
allow vold_prepare_subdirs {
sdk_sandbox_system_data_file
system_data_file
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
# Full dir management plus relabelto on these types. relabelto is the
# sensitive part: together with setfscreate and file_contexts it lets this
# domain assign any of these labels under /data. apex_data_file_type is an
# attribute, so it covers every type carrying it.
allow vold_prepare_subdirs {
apex_data_file_type
apex_module_data_file
apex_rollback_data_file
backup_data_file
checkin_data_file
face_vendor_data_file
fingerprint_vendor_data_file
iris_vendor_data_file
rollback_data_file
storaged_data_file
sdk_sandbox_data_file
sdk_sandbox_system_data_file
system_data_file
vold_data_file
}:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } relabelto };
# Files under those dirs: only getattr + unlink (cleanup), not read/write.
allow vold_prepare_subdirs {
apex_data_file_type
apex_art_staging_data_file
apex_module_data_file
apex_rollback_data_file
backup_data_file
checkin_data_file
face_vendor_data_file
fingerprint_vendor_data_file
iris_vendor_data_file
rollback_data_file
storaged_data_file
sdk_sandbox_data_file
system_data_file
vold_data_file
}:file { getattr unlink };
allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
allow vold_prepare_subdirs mnt_expand_file:dir search;
allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
# Migrate legacy labels to apex_system_server_data_file (b/217581286)
# relabelfrom only: these legacy types can be moved away from but not assigned.
allow vold_prepare_subdirs {
apex_appsearch_data_file
apex_permission_data_file
apex_scheduling_data_file
apex_tethering_data_file
apex_wifi_data_file
}:dir relabelfrom;
# /data/misc is unlabeled during early boot.
allow vold_prepare_subdirs unlabeled:dir search;
dontaudit vold_prepare_subdirs { proc unlabeled }:file { getattr open read ioctl lock map watch watch_reads };
#line 1 "system/sepolicy/private/vzwomatrigger_app.te"
###
### A domain for further sandboxing the VzwOmaTrigger app.
###
type vzwomatrigger_app, domain;
# app_domain() expansion: appdomain attribute, private tmpfs label, a
# per-domain userfaultfd anon_inode type, and the standard app-isolation
# neverallows. No extra allow rules are declared for this app beyond the
# generic appdomain ones, so the sandboxing is the default app sandbox.
#line 6
typeattribute vzwomatrigger_app appdomain;
#line 6
# Label tmpfs objects for all apps.
#line 6
type_transition vzwomatrigger_app tmpfs:file appdomain_tmpfs;
#line 6
#line 6
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 6
type vzwomatrigger_app_userfaultfd;
#line 6
type_transition vzwomatrigger_app vzwomatrigger_app:anon_inode vzwomatrigger_app_userfaultfd "[userfaultfd]";
#line 6
# Allow domain to create/use userfaultfd anon_inode.
#line 6
allow vzwomatrigger_app vzwomatrigger_app_userfaultfd:anon_inode { create ioctl read };
#line 6
# Suppress errors generate during bugreport
#line 6
dontaudit su vzwomatrigger_app_userfaultfd:anon_inode *;
#line 6
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 6
neverallow { domain -vzwomatrigger_app } vzwomatrigger_app_userfaultfd:anon_inode *;
#line 6
#line 6
allow vzwomatrigger_app appdomain_tmpfs:file { execute getattr map read write };
# Process-file isolation, both directions: this app may not read/write
# /proc/<pid> files of other domains, and other apps may not touch this
# app's; runas_app, shell and simpleperf are the carved-out debugging tools.
#line 6
neverallow { vzwomatrigger_app -runas_app -shell -simpleperf } { domain -vzwomatrigger_app }:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 6
neverallow { appdomain -runas_app -shell -simpleperf -vzwomatrigger_app } vzwomatrigger_app:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
#line 6
# The Android security model guarantees the confidentiality and integrity
#line 6
# of application data and execution state. Ptrace bypasses those
#line 6
# confidentiality guarantees. Disallow ptrace access from system components to
#line 6
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
#line 6
# traces. runas_app is excluded, as it operates only on debuggable apps.
#line 6
# simpleperf is excluded, as it operates only on debuggable or profileable
#line 6
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
#line 6
# live lock conditions.
# NOTE(review): the comment above lists llkd as excluded, but the rule below
# exempts only crash_dump, runas_app and simpleperf; llkd is not in the list.
#line 6
neverallow { domain -vzwomatrigger_app -crash_dump -runas_app -simpleperf } vzwomatrigger_app:process ptrace;
#line 6
#line 1 "system/sepolicy/private/wait_for_keymaster.te"
# wait_for_keymaster service. No longer used;
# here only so that downstream code compiles.
# Only the type declarations remain: no allow, transition or
# init_daemon_domain rules for this domain appear in this section, so nothing
# here grants it any access.
type wait_for_keymaster, domain, coredomain;
type wait_for_keymaster_exec, system_file_type, exec_type, file_type;
#line 1 "system/sepolicy/private/watchdogd.te"
typeattribute watchdogd coredomain;
# init_daemon_domain() expansion: init execs watchdogd_exec and the process
# lands in watchdogd by default (type_transition). Note there is no
# "watchdogd init:process sigchld" rule under the SIGCHLD comment, presumably
# because init already receives sigchld from every domain elsewhere in policy.
#line 3
#line 3
# Allow the necessary permissions.
#line 3
#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init watchdogd_exec:file { getattr open read execute map };
#line 3
allow init watchdogd:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow watchdogd watchdogd_exec:file { entrypoint open read execute getattr map };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init watchdogd:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init watchdogd:process { siginh rlimitinh };
#line 3
#line 3
# Make the transition occur by default.
#line 3
type_transition init watchdogd_exec:process watchdogd;
#line 3
#line 3
#line 1 "system/sepolicy/private/webview_zygote.te"
# webview_zygote is an auxiliary zygote process that is used to spawn
# isolated_app processes for rendering untrusted web content.
typeattribute webview_zygote coredomain;
# The webview_zygote needs to be able to transition domains.
typeattribute webview_zygote mlstrustedsubject;
# Allow access to temporary files, which is normally permitted through
# a domain macro.
#line 11
type_transition webview_zygote tmpfs:file webview_zygote_tmpfs;
#line 11
allow webview_zygote webview_zygote_tmpfs:file { read write getattr map };
#line 11
;
# Per-domain userfaultfd anon_inode type; other domains are neverallow'd from
# using it.
#line 13
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 13
type webview_zygote_userfaultfd;
#line 13
type_transition webview_zygote webview_zygote:anon_inode webview_zygote_userfaultfd "[userfaultfd]";
#line 13
# Allow domain to create/use userfaultfd anon_inode.
#line 13
allow webview_zygote webview_zygote_userfaultfd:anon_inode { create ioctl read };
#line 13
# Suppress errors generate during bugreport
#line 13
dontaudit su webview_zygote_userfaultfd:anon_inode *;
#line 13
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 13
neverallow { domain -webview_zygote } webview_zygote_userfaultfd:anon_inode *;
#line 13
# Allow reading/executing installed binaries to enable preloading the
# installed WebView implementation.
# "execute" here permits mapping the APK's code executable (library loading);
# it is not execute_no_trans, which the neverallow section forbids, so the
# zygote cannot exec() an installed APK as a program.
allow webview_zygote apk_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow webview_zygote apk_data_file:file { { getattr open read ioctl lock map watch watch_reads } execute };
# Access to the WebView relro file.
allow webview_zygote shared_relro_file:dir search;
allow webview_zygote shared_relro_file:file { getattr open read ioctl lock map watch watch_reads };
# Set the UID/GID of the process.
allow webview_zygote self:{ capability cap_userns } { setgid setuid };
# Drop capabilities from bounding set.
allow webview_zygote self:{ capability cap_userns } setpcap;
# Switch SELinux context to app domains.
# setcurrent + dyntransition: the forked child changes its own context
# without an exec. The neverallow below restricts the target to isolated_app.
allow webview_zygote self:process setcurrent;
allow webview_zygote isolated_app:process dyntransition;
# For art.
allow webview_zygote { apex_art_data_file dalvikcache_data_file }:dir { open getattr read search ioctl lock watch watch_reads };
allow webview_zygote dalvikcache_data_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
allow webview_zygote { apex_art_data_file dalvikcache_data_file }:file { { getattr open read ioctl lock map watch watch_reads } execute };
allow webview_zygote apex_module_data_file:dir search;
# To load overlay from /apex (vendor APEXes)
allow webview_zygote vendor_apex_metadata_file:dir search;
# Allow webview_zygote to create JIT memory.
allow webview_zygote self:process execmem;
# Allow webview_zygote to stat the files that it opens. It must
# be able to inspect them so that it can reopen them on fork
# if necessary: b/30963384.
allow webview_zygote debugfs_trace_marker:file getattr;
# Allow webview_zygote to manage the pgroup of its children.
allow webview_zygote system_server:process getpgid;
# Interaction between the webview_zygote and its children.
allow webview_zygote isolated_app:process setpgid;
# TODO (b/63631799) fix this access
# Suppress denials to storage. Webview zygote should not be accessing.
dontaudit webview_zygote mnt_expand_file:dir getattr;
# TODO (b/72957399) remove this when webview_zygote is reparented to
# app_process zygote
dontaudit webview_zygote dex2oat_exec:file execute;
# Get seapp_contexts
allow webview_zygote seapp_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# Check validity of SELinux context before use.
# selinux_check_context() expansion: selinuxfs access plus kernel:security
# check_context, so the computed app context can be validated before setcon.
#line 66
#line 66
allow webview_zygote selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 66
allow webview_zygote selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 66
#line 66
allow webview_zygote selinuxfs:file { open append write lock map };
#line 66
allow webview_zygote kernel:security check_context;
#line 66
# Check SELinux permissions.
# selinux_check_access() expansion: compute_av plus a netlink_selinux_socket
# (the AVC cache-invalidation notifications), the one netlink class that the
# socket neverallow further down deliberately leaves out.
#line 68
#line 68
allow webview_zygote selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 68
allow webview_zygote selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 68
#line 68
allow webview_zygote selinuxfs:file { open append write lock map };
#line 68
allow webview_zygote kernel:security compute_av;
#line 68
allow webview_zygote self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
#line 68
# Directory listing in /system.
allow webview_zygote system_file:dir { open getattr read search ioctl lock watch watch_reads };
# Read and inspect temporary files (like system properties) managed by zygote.
allow webview_zygote zygote_tmpfs:file { read getattr };
# Child of zygote.
allow webview_zygote zygote:fd use;
allow webview_zygote zygote:process sigchld;
# Allow apps access to /vendor/overlay
#line 80
allow webview_zygote vendor_overlay_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 80
allow webview_zygote vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 80
allow webview_zygote same_process_hal_file:file { execute read open getattr map };
allow webview_zygote system_data_file:lnk_file { getattr open read ioctl lock map watch watch_reads };
# Send unsolicited message to system_server
#line 87
allow webview_zygote system_unsolzygote_socket:sock_file write;
#line 87
allow webview_zygote system_server:unix_dgram_socket sendto;
#line 87
# Allow the webview_zygote to access the runtime feature flag properties.
#line 90
allow webview_zygote device_config_runtime_native_prop:file { getattr open read map };
#line 90
#line 91
allow webview_zygote device_config_runtime_native_boot_prop:file { getattr open read map };
#line 91
# Allow webview_zygote to access odsign verification status
# NOTE(review): the comment says webview_zygote, but the rule below grants
# "zygote", not "webview_zygote". Nothing in this section gives
# webview_zygote read access to odsign_prop; confirm in the .te source whether
# the subject was meant to be webview_zygote.
#line 94
allow zygote odsign_prop:file { getattr open read map };
#line 94
# /data/resource-cache
allow webview_zygote resourcecache_data_file:file { getattr open read ioctl lock map watch watch_reads };
allow webview_zygote resourcecache_data_file:dir { open getattr read search ioctl lock watch watch_reads };
#####
##### Neverallow
#####
# These are build-time assertions that pin the zygote's confinement: no
# vendor or later policy can widen the allow rules above past these bounds.
# Only permit transition to isolated_app.
neverallow webview_zygote { domain -isolated_app }:process dyntransition;
# Only setcon() transitions, no exec() based transitions, except for crash_dump.
neverallow webview_zygote { domain -crash_dump }:process transition;
# Must not exec() a program without changing domains.
# Having said that, exec() above is not allowed.
neverallow webview_zygote *:file execute_no_trans;
# The only way to enter this domain is for the zygote to fork a new
# webview_zygote child.
neverallow { domain -zygote } webview_zygote:process dyntransition;
# Disallow write access to properties.
neverallow webview_zygote property_socket:sock_file write;
neverallow webview_zygote property_type:property_service set;
# Should not have any access to app data files.
# app_data_file_type is an attribute: this covers every per-app data label.
neverallow webview_zygote app_data_file_type:file { { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } { getattr execute execute_no_trans map } } };
# Only two binder services may even be looked up.
neverallow webview_zygote {
service_manager_type
-activity_service
-webviewupdate_service
}:service_manager find;
# Isolated apps shouldn't be able to access the driver directly.
neverallow webview_zygote gpu_device:chr_file { { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } { getattr execute execute_no_trans map } } };
# Do not allow webview_zygote access to /cache.
# "~{ ... }" = every permission except the listed read-only set.
neverallow webview_zygote cache_file:dir ~{ { open getattr read search ioctl lock watch watch_reads } };
neverallow webview_zygote cache_file:file ~{ read getattr };
# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
# unix_stream_socket, and netlink_selinux_socket.
neverallow webview_zygote domain:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
appletalk_socket netlink_route_socket netlink_tcpdiag_socket
netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
xdp_socket
} *;
# Do not allow access to Bluetooth-related system properties.
# neverallow rules for Bluetooth-related data files are listed above.
neverallow webview_zygote {
bluetooth_a2dp_offload_prop
bluetooth_audio_hal_prop
bluetooth_prop
exported_bluetooth_prop
}:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
#line 1 "system/sepolicy/private/wificond.te"
typeattribute wificond coredomain;
# set_prop() expansions: wificond may write wifi_hal_prop, wifi_prop and
# ctl_default_prop. ctl_default_prop is the type behind ctl.* properties,
# so the last one presumably lets wificond ask init to start/stop services
# -- confirm which ctl.* properties wificond actually sets.
#line 3
#line 3
allow wificond property_socket:sock_file write;
#line 3
allow wificond init:unix_stream_socket connectto;
#line 3
#line 3
allow wificond wifi_hal_prop:property_service set;
#line 3
#line 3
allow wificond wifi_hal_prop:file { getattr open read map };
#line 3
#line 3
#line 4
#line 4
allow wificond property_socket:sock_file write;
#line 4
allow wificond init:unix_stream_socket connectto;
#line 4
#line 4
allow wificond wifi_prop:property_service set;
#line 4
#line 4
allow wificond wifi_prop:file { getattr open read map };
#line 4
#line 4
#line 5
#line 5
allow wificond property_socket:sock_file write;
#line 5
allow wificond init:unix_stream_socket connectto;
#line 5
#line 5
allow wificond ctl_default_prop:property_service set;
#line 5
#line 5
allow wificond ctl_default_prop:file { getattr open read map };
#line 5
#line 5
# get_prop(): read-only.
#line 7
allow wificond hwservicemanager_prop:file { getattr open read map };
#line 7
allow wificond legacykeystore_service:service_manager find;
# init_daemon_domain() expansion: init -> wificond via wificond_exec, default
# on exec(). No sigchld rule under the SIGCHLD comment, presumably because
# init receives it from all domains elsewhere in policy.
#line 11
#line 11
# Allow the necessary permissions.
#line 11
#line 11
# Old domain may exec the file and transition to the new domain.
#line 11
allow init wificond_exec:file { getattr open read execute map };
#line 11
allow init wificond:process transition;
#line 11
# New domain is entered by executing the file.
#line 11
allow wificond wificond_exec:file { entrypoint open read execute getattr map };
#line 11
# New domain can send SIGCHLD to its caller.
#line 11
#line 11
# Enable AT_SECURE, i.e. libc secure mode.
#line 11
dontaudit init wificond:process noatsecure;
#line 11
# XXX dontaudit candidate but requires further study.
#line 11
allow init wificond:process { siginh rlimitinh };
#line 11
#line 11
# Make the transition occur by default.
#line 11
type_transition init wificond_exec:process wificond;
#line 11
#line 11
#line 1 "system/sepolicy/private/zygote.te"
# zygote
# zygote: the process all app, system_server, webview_zygote and app_zygote
# processes are forked from. It is a coredomain and an MLS trusted subject
# (it forks children at every user's MLS level). The rules in this section
# continue past the end of this excerpt.
typeattribute zygote coredomain;
typeattribute zygote mlstrustedsubject;
# init_daemon_domain() expansion: init -> zygote via zygote_exec.
#line 5
#line 5
# Allow the necessary permissions.
#line 5
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init zygote_exec:file { getattr open read execute map };
#line 5
allow init zygote:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow zygote zygote_exec:file { entrypoint open read execute getattr map };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init zygote:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init zygote:process { siginh rlimitinh };
#line 5
#line 5
# Make the transition occur by default.
#line 5
type_transition init zygote_exec:process zygote;
#line 5
#line 5
# tmpfs_domain(): zygote's own tmpfs label; webview_zygote reads these files
# (read/getattr only) in its own section.
#line 6
type_transition zygote tmpfs:file zygote_tmpfs;
#line 6
allow zygote zygote_tmpfs:file { read write getattr map };
#line 6
#line 8
allow zygote runtime_event_log_tags_file:file { getattr open read ioctl lock map watch watch_reads };
#line 8
# Override DAC on files and switch uid/gid.
# These capabilities are what make the zygote a high-value domain: it can
# bypass DAC on /data and become any app uid. The neverallows elsewhere on
# who may dyntransition into zygote are what keep this contained.
allow zygote self:{ capability cap_userns } { dac_override dac_read_search setgid setuid fowner chown };
# Drop capabilities from bounding set.
allow zygote self:{ capability cap_userns } setpcap;
# Switch SELinux context to app domains.
# setcurrent + dyntransition to the four child domain sets: the forked child
# changes context with setcon() rather than exec().
allow zygote self:process setcurrent;
allow zygote system_server_startup:process dyntransition;
allow zygote appdomain:process dyntransition;
allow zygote webview_zygote:process dyntransition;
allow zygote app_zygote:process dyntransition;
# Allow zygote to read app /proc/pid dirs (b/10455872).
allow zygote appdomain:dir { getattr search };
allow zygote appdomain:file { { getattr open read ioctl lock map watch watch_reads } };
# Per-domain userfaultfd anon_inode type (same pattern as the app domains):
# only zygote may use inodes of this type; su denials are silenced.
#line 27
# Set up a type_transition to "userfaultfd" named anonymous inode object.
#line 27
type zygote_userfaultfd;
#line 27
type_transition zygote zygote:anon_inode zygote_userfaultfd "[userfaultfd]";
#line 27
# Allow domain to create/use userfaultfd anon_inode.
#line 27
allow zygote zygote_userfaultfd:anon_inode { create ioctl read };
#line 27
# Suppress errors generate during bugreport
#line 27
dontaudit su zygote_userfaultfd:anon_inode *;
#line 27
# Other domains may not use userfaultfd anon_inodes created by this domain.
#line 27
neverallow { domain -zygote } zygote_userfaultfd:anon_inode *;
#line 27
# Move children into the peer process group.
allow zygote system_server:process { getpgid setpgid };
allow zygote appdomain:process { getpgid setpgid };
allow zygote webview_zygote:process { getpgid setpgid };
allow zygote app_zygote:process { getpgid setpgid };
# Read system data.
allow zygote system_data_file:dir { open getattr read search ioctl lock watch watch_reads };
allow zygote system_data_file:file { getattr open read ioctl lock map watch watch_reads };
# Get attributes of /mnt/expand, needed by cacheNonBootClasspathClassLoaders.
allow zygote mnt_expand_file:dir getattr;
# Write to /data/dalvik-cache.
# Full create/delete/write on dalvik-cache dirs, files and symlinks. Combined
# with the execute grant below, integrity of what gets executed from here
# rests on the fsverity check noted in the comment, not on this policy.
allow zygote dalvikcache_data_file:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow zygote dalvikcache_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Create symlinks in /data/dalvik-cache.
allow zygote dalvikcache_data_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Write to /data/resource-cache.
allow zygote resourcecache_data_file:dir { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } };
allow zygote resourcecache_data_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# For updateability, the zygote may fetch the current boot
# classpath from the dalvik cache. Integrity of the files
# is ensured by fsverity protection (checked in art_apex_boot_integrity).
allow zygote dalvikcache_data_file:file execute;
# Allow zygote to find files in APEX data directories.
allow zygote apex_module_data_file:dir search;
# Allow zygote to find and map files created by on device signing.
allow zygote apex_art_data_file:dir { getattr search };
allow zygote apex_art_data_file:file { { getattr open read ioctl lock map watch watch_reads } execute };
# Mount tmpfs over various directories containing per-app directories, to hide
# them for app data isolation. Also traverse these directories (via
# /data_mirror) to find the allowlisted per-app directories to bind-mount in.
# App data isolation block: mounton + search on the listed types, search on
# the /data_mirror tree, tmpfs dir/symlink management and relabel rights so
# the stand-in tmpfs entries carry the same labels as the real paths.
allow zygote {
# /data/user{,_de}, /mnt/expand/$volume/user{,_de}
system_userdir_file
# /data/data
system_data_file
# /data/misc/profiles/cur
user_profile_root_file
# /data/misc/profiles/ref
user_profile_data_file
# /storage/emulated/$userId/Android/{data,obb}
media_rw_data_file
# /dev/__properties__
properties_device
}:dir { mounton search };
# Traverse /data_mirror to get to the above directories while their normal paths
# are hidden, in order to bind-mount allowlisted per-app directories.
allow zygote mirror_data_file:dir search;
# List /mnt/expand to find all /mnt/expand/$volume/user{,_de} directories that
# need to be hidden by app data isolation, and traverse /mnt/expand to get to
# any allowlisted per-app directories within these directories.
allow zygote mnt_expand_file:dir { open read search };
# Get the inode number of app CE data directories to find them by inode number
# when CE storage is locked. Needed for app data isolation.
# getattr only on app_data_file_type (an attribute covering all app data
# labels) -- no read/search, so this does not open app data to the zygote.
allow zygote app_data_file_type:dir getattr;
# Create dirs in the app data isolation tmpfs mounts and bind mount on them.
allow zygote tmpfs:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } mounton };
# Create the '/data/user/0 => /data/data' symlink in the /data/user tmpfs mount
# when setting up app data isolation.
allow zygote tmpfs:lnk_file create;
# Relabel dirs and symlinks in the app and sdk sandbox data isolation tmpfs mounts to their
# standard labels. Note: it seems that not all dirs are actually relabeled yet,
# but it works anyway since all domains can search tmpfs:dir.
# relabelto is limited to the three target types below; zygote cannot assign
# arbitrary labels.
allow zygote tmpfs:{ dir lnk_file } relabelfrom;
allow zygote system_userdir_file:dir relabelto;
allow zygote system_data_file:{ dir lnk_file } relabelto;
allow zygote sdk_sandbox_system_data_file:dir { getattr relabelto search };
# Read if sdcardfs is supported
allow zygote proc_filesystems:file { getattr open read ioctl lock map watch watch_reads };
# Allow zygote to create JIT memory.
# execmem (anonymous RWX/W^X-violating mappings) plus execute on its own tmpfs
# files and the libcutils ashmem device: all three are ways of running
# generated code, needed for the JIT.
allow zygote self:process execmem;
allow zygote zygote_tmpfs:file execute;
allow zygote ashmem_libcutils_device:chr_file execute;
# Execute idmap and dex2oat within zygote's own domain.
# TODO: Should either of these be transitioned to the same domain
# used by installd or stay in-domain for zygote?
# execute_no_trans: these tools inherit the zygote's full privilege set
# (including the DAC-override capabilities above) instead of a narrower
# domain; that is the trade-off the TODO refers to.
allow zygote idmap_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
allow zygote dex2oat_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow apps access to /vendor/overlay
# Read-only (no write/create) on vendor_overlay_file dirs, files and symlinks.
#line 126
allow zygote vendor_overlay_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 126
allow zygote vendor_overlay_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 126
# Control cgroups.
# Full create/write access to both cgroup v1 and v2 hierarchies; the file rules
# below grant read plus setattr only (no write) on cgroup files.
allow zygote cgroup:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow zygote cgroup:{ file lnk_file } { { getattr open read ioctl lock map watch watch_reads } setattr };
allow zygote cgroup_v2:dir { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } };
allow zygote cgroup_v2:{ file lnk_file } { { getattr open read ioctl lock map watch watch_reads } setattr };
# CAP_SYS_ADMIN, both in the init user namespace and in user namespaces.
# Presumably required by the mount/umount and cgroup operations in this
# domain; it is a broad capability, so new uses should be justified.
allow zygote self:{ capability cap_userns } sys_admin;
# Allow zygote to stat the files that it opens. The zygote must
# be able to inspect them so that it can reopen them on fork
# if necessary: b/30963384.
allow zygote pmsg_device:chr_file getattr;
allow zygote debugfs_trace_marker:file getattr;
# Get seapp_contexts
# Read-only: zygote consumes the app labeling configuration but cannot alter it.
allow zygote seapp_contexts_file:file { getattr open read ioctl lock map watch watch_reads };
# Check validity of SELinux context before use.
# The #line 144 / #line 146 groups below are macro expansions. The selinuxfs
# write access is the query interface used for context validation and
# access-vector computation, paired with the matching kernel:security
# permission (check_context / compute_av). Neither group grants load_policy
# or setenforce, so zygote cannot change policy or enforcement state here.
#line 144
#line 144
allow zygote selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 144
allow zygote selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 144
#line 144
allow zygote selinuxfs:file { open append write lock map };
#line 144
allow zygote kernel:security check_context;
#line 144
# Check SELinux permissions.
#line 146
#line 146
allow zygote selinuxfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 146
allow zygote selinuxfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 146
#line 146
allow zygote selinuxfs:file { open append write lock map };
#line 146
allow zygote kernel:security compute_av;
#line 146
# Full access to a NETLINK_SELINUX socket, presumably so the userspace AVC
# can receive policy/enforcing-mode change notifications.
allow zygote self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
#line 146
# Native bridge functionality requires that zygote replaces
# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
allow zygote proc_cpuinfo:file mounton;
# Allow remounting rootfs as MS_SLAVE.
allow zygote rootfs:dir mounton;
# Per-filesystem mount rights: zygote may unmount fuse, sdcardfs and labeledfs
# instances, but the only filesystem type it may mount is tmpfs.
allow zygote tmpfs:filesystem { mount unmount };
allow zygote fuse:filesystem { unmount };
allow zygote sdcardfs:filesystem { unmount };
allow zygote labeledfs:filesystem { unmount };
# Allow creating user-specific storage source if started before vold.
# Full create/rename/unlink/read/write on mnt_user_file dirs, symlinks and files.
allow zygote mnt_user_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } mounton };
allow zygote mnt_user_file:lnk_file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
allow zygote mnt_user_file:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Allow mounting user-specific storage source if started before vold.
allow zygote mnt_pass_through_file:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } mounton };
# Allowed to mount user-specific storage into place
allow zygote storage_file:dir { search mounton };
# Allow mounting and creating files, dirs on sdcardfs.
# Applies to every type in the sdcard_type attribute as well as fuse.
allow zygote { sdcard_type fuse }:dir { { create reparent rename rmdir setattr { { open getattr read search ioctl lock watch watch_reads } { open search write add_name remove_name lock } } } mounton };
allow zygote { sdcard_type fuse }:file { { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } } };
# Handle --invoke-with command when launching Zygote with a wrapper command.
# execute_no_trans: re-executing the zygote binary stays in the zygote domain.
allow zygote zygote_exec:file { { getattr open read ioctl lock map watch watch_reads } { getattr execute execute_no_trans map } };
# Allow zygote to write to statsd.
# Datagram send only; zygote cannot read from or connect a stream to statsd.
#line 178
allow zygote statsdw_socket:sock_file write;
#line 178
allow zygote statsd:unix_dgram_socket sendto;
#line 178
# Root fs.
# Read-only on rootfs (contrast with the mounton rule above).
#line 181
allow zygote rootfs:dir { open getattr read search ioctl lock watch watch_reads };
#line 181
allow zygote rootfs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 181
# System file accesses.
# Read-only; no execute is granted on system_file here.
#line 184
allow zygote system_file:dir { open getattr read search ioctl lock watch watch_reads };
#line 184
allow zygote system_file:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 184
# /oem accesses.
allow zygote oemfs:dir search;
#line 193
# Read plus ioctl on the ION device; no explicit ioctl allowlist is applied here.
allow zygote ion_device:chr_file { getattr open read ioctl lock map watch watch_reads };
allow zygote tmpfs:dir { open getattr read search ioctl lock watch watch_reads };
# Same-process HALs are mapped executable into zygote's address space, so any
# code in them runs with zygote's privileges (no domain transition).
allow zygote same_process_hal_file:file { execute read open getattr map };
# Property reads (get_prop macro expansions). Each rule is read-only on one
# property context type; no property write (set_prop) appears in this group.
# Allow zygote to read build properties for attestation feature
#line 201
allow zygote build_attestation_prop:file { getattr open read map };
#line 201
# Allow the zygote to access storage properties to check if sdcardfs is enabled.
#line 204
allow zygote storage_config_prop:file { getattr open read map };
#line 204
# Stray ';' below appears to be left over from macro expansion of the source
# .te file; it is an empty statement and can be ignored.
;
# Let the zygote access overlays so it can initialize the AssetManager.
#line 207
allow zygote overlay_prop:file { getattr open read map };
#line 207
#line 208
allow zygote exported_overlay_prop:file { getattr open read map };
#line 208
# Allow the zygote to access the runtime feature flag properties.
#line 211
allow zygote device_config_runtime_native_prop:file { getattr open read map };
#line 211
#line 212
allow zygote device_config_runtime_native_boot_prop:file { getattr open read map };
#line 212
# Allow the zygote to access window manager native boot feature flags
# to initialize WindowManager static properties.
#line 216
allow zygote device_config_window_manager_native_boot_prop:file { getattr open read map };
#line 216
# Ignore spurious denials
# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
# done to determine if the file should inherit setgid. In this case, setgid on the file is
# undesirable, so suppress the denial.
# dontaudit only silences the audit log; the permission is still denied.
dontaudit zygote self:{ capability cap_userns } { sys_resource fsetid };
# Ignore spurious denials calling access() on fuse.
# Also ignore read and open as sdcardfs may read and open dir when app tries to access a dir that
# doesn't exist.
# TODO(b/151316657): avoid the denials
dontaudit zygote media_rw_data_file:dir { read open setattr };
# Allow zygote to use ashmem fds from system_server.
allow zygote system_server:fd use;
# Send unsolicited message to system_server
# Datagram send only over the unsolzygote socket.
#line 234
allow zygote system_unsolzygote_socket:sock_file write;
#line 234
allow zygote system_server:unix_dgram_socket sendto;
#line 234
# Allow zygote to access media_variant_prop for static initialization
#line 237
allow zygote media_variant_prop:file { getattr open read map };
#line 237
# Allow zygote to access odsign verification status
#line 240
allow zygote odsign_prop:file { getattr open read map };
#line 240
# Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex
#line 243
allow zygote packagemanager_config_prop:file { getattr open read map };
#line 243
# Allow zygote to read qemu.sf.lcd_density
#line 246
allow zygote qemu_sf_lcd_density_prop:file { getattr open read map };
#line 246
# Allow zygote to read persist.wm.debug.* to toggle experimental window manager features in
# preloaded classes
#line 250
allow zygote persist_wm_debug_prop:file { getattr open read map };
#line 250
# Allow zygote to read persist_sysui_builder_extras_prop
# and persist_sysui_ranking_update_prop
# to toggle experimental features in core preloaded classes
#line 255
allow zygote persist_sysui_builder_extras_prop:file { getattr open read map };
#line 255
#line 256
allow zygote persist_sysui_ranking_update_prop:file { getattr open read map };
#line 256
# Allow zygote to read /apex/apex-info-list.xml
allow zygote apex_info_file:file { getattr open read ioctl lock map watch watch_reads };
# Allow zygote to canonicalize vendor APEX paths. This is used when zygote is checking the
# preinstalled path of APEXes that contain runtime resource overlays for the 'android' package.
# Metadata-only: getattr/search on vendor APEX paths, no file read.
allow zygote vendor_apex_file:dir { getattr search };
allow zygote vendor_apex_file:file { getattr };
allow zygote vendor_apex_metadata_file:dir { search };
# Allow zygote to query for compression/features.
# Read-only on the f2fs sysfs tree.
#line 268
allow zygote sysfs_fs_f2fs:dir { open getattr read search ioctl lock watch watch_reads };
#line 268
allow zygote sysfs_fs_f2fs:{ file lnk_file } { getattr open read ioctl lock map watch watch_reads };
#line 268
# Allow zygote to read fonts_customization.xml for preloading font files that matches device locale.
allow zygote system_font_fallback_file:file { getattr open read ioctl lock map watch watch_reads };
###
### neverallow rules
###
# These are compile-time assertions: policy that violates them fails to build,
# and this prebuilt is used to check vendor policy against them.
# Ensure that all types assigned to app processes are included
# in the appdomain attribute, so that all allow and neverallow rules
# written on appdomain are applied to all app processes.
# This is achieved by ensuring that it is impossible for zygote to
# setcon (dyntransition) to any types other than those associated
# with appdomain plus system_server_startup, webview_zygote and
# app_zygote.
neverallow zygote ~{
appdomain
system_server_startup
webview_zygote
app_zygote
}:process dyntransition;
# Zygote should never execute anything from /data except for
# /data/dalvik-cache files or files generated during on-device
# signing under /data/misc/apexdata/com.android.art/.
# Only execute/execute_no_trans are asserted here; the two carve-outs exist
# because those types are mapped PROT_EXEC.
neverallow zygote {
data_file_type
-apex_art_data_file # map PROT_EXEC
-dalvikcache_data_file # map PROT_EXEC
}:file { execute execute_no_trans };
# Do not allow access to Bluetooth-related system properties and files
# Asserts neither read nor write on any of the four Bluetooth property types.
neverallow zygote {
bluetooth_a2dp_offload_prop
bluetooth_audio_hal_prop
bluetooth_prop
exported_bluetooth_prop
}:file { create rename setattr unlink { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } };
# Zygote should not be able to access app private data.
# Complements the single `allow zygote app_data_file_type:dir getattr` above:
# the inode lookup needed for app data isolation is the only permitted access.
neverallow zygote app_data_file_type:dir ~getattr;
#line 1 "system/sepolicy/private/roles_decl"
# Single RBAC role; roles are not used for separation in this policy.
role r;
#line 1 "system/sepolicy/public/roles"
# Every type in the domain attribute is authorized for role r.
role r types domain;
#line 1 "system/sepolicy/private/users"
# Single SELinux user at level s0. The category range c0.c1023 is the pool
# presumably used for per-app/per-user MCS categories -- confirm against
# seapp_contexts, which is not in this section.
user u roles { r } level s0 range s0 - s0:c0.c1023;
#line 1 "system/sepolicy/private/initial_sid_contexts"
# Contexts for the kernel's initial SIDs. Most map to `unlabeled`; only the
# SIDs this policy relies on (kernel, security, fs, port, netif, node, sysctl,
# devnull) get a dedicated type.
sid kernel u:r:kernel:s0
sid security u:object_r:kernel:s0
sid unlabeled u:object_r:unlabeled:s0
sid fs u:object_r:labeledfs:s0
sid file u:object_r:unlabeled:s0
sid file_labels u:object_r:unlabeled:s0
sid init u:object_r:unlabeled:s0
sid any_socket u:object_r:unlabeled:s0
sid port u:object_r:port:s0
sid netif u:object_r:netif:s0
sid netmsg u:object_r:unlabeled:s0
sid node u:object_r:node:s0
sid igmp_packet u:object_r:unlabeled:s0
sid icmp_socket u:object_r:unlabeled:s0
sid tcp_socket u:object_r:unlabeled:s0
sid sysctl_modprobe u:object_r:unlabeled:s0
sid sysctl u:object_r:proc:s0
sid sysctl_fs u:object_r:unlabeled:s0
sid sysctl_kernel u:object_r:unlabeled:s0
sid sysctl_net u:object_r:unlabeled:s0
sid sysctl_net_unix u:object_r:unlabeled:s0
sid sysctl_vm u:object_r:unlabeled:s0
sid sysctl_dev u:object_r:unlabeled:s0
sid kmod u:object_r:unlabeled:s0
sid policy u:object_r:unlabeled:s0
sid scmp_packet u:object_r:unlabeled:s0
sid devnull u:object_r:null_device:s0
#line 1 "system/sepolicy/private/fs_use"
# Label inodes via getxattr.
# These filesystems carry per-inode security xattrs, so labels are persisted on
# disk and can be set by restorecon/file_contexts; all are typed labeledfs,
# which zygote above is allowed to unmount.
fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
fs_use_xattr jffs2 u:object_r:labeledfs:s0;
fs_use_xattr ext2 u:object_r:labeledfs:s0;
fs_use_xattr ext3 u:object_r:labeledfs:s0;
fs_use_xattr ext4 u:object_r:labeledfs:s0;
fs_use_xattr xfs u:object_r:labeledfs:s0;
fs_use_xattr btrfs u:object_r:labeledfs:s0;
fs_use_xattr f2fs u:object_r:labeledfs:s0;
fs_use_xattr squashfs u:object_r:labeledfs:s0;
fs_use_xattr overlay u:object_r:labeledfs:s0;
fs_use_xattr erofs u:object_r:labeledfs:s0;
fs_use_xattr incremental-fs u:object_r:labeledfs:s0;
fs_use_xattr virtiofs u:object_r:labeledfs:s0;
# Label inodes from task label.
# Pipes and sockets take the creating process's label.
fs_use_task pipefs u:object_r:pipefs:s0;
fs_use_task sockfs u:object_r:sockfs:s0;
# Label inodes from combination of task label and fs label.
# Define type_transition rules if you want per-domain types.
# Without a type_transition, objects created here get the filesystem type
# listed (e.g. plain tmpfs) regardless of the creating domain.
fs_use_trans devpts u:object_r:devpts:s0;
fs_use_trans tmpfs u:object_r:tmpfs:s0;
fs_use_trans devtmpfs u:object_r:device:s0;
fs_use_trans shm u:object_r:shm:s0;
fs_use_trans mqueue u:object_r:mqueue:s0;
#line 1 "system/sepolicy/private/genfs_contexts"
# Label inodes with the fs label.
genfscon rootfs / u:object_r:rootfs:s0
# proc labeling can be further refined (longest matching prefix).
# Paths are prefixes: an entry ending in '_' or '/' matches every node whose
# path starts with it, and the longest prefix wins over the '/' default.
genfscon proc / u:object_r:proc:s0
genfscon proc /asound u:object_r:proc_asound:s0
genfscon proc /bootconfig u:object_r:proc_bootconfig:s0
genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
genfscon proc /cmdline u:object_r:proc_cmdline:s0
genfscon proc /config.gz u:object_r:config_gz:s0
genfscon proc /cpu/alignment u:object_r:proc_cpu_alignment:s0
genfscon proc /device-tree/avf u:object_r:proc_dt_avf:s0
genfscon proc /diskstats u:object_r:proc_diskstats:s0
genfscon proc /filesystems u:object_r:proc_filesystems:s0
genfscon proc /interrupts u:object_r:proc_interrupts:s0
genfscon proc /iomem u:object_r:proc_iomem:s0
# Kernel symbol addresses; own type so reads can be restricted (KASLR).
genfscon proc /kallsyms u:object_r:proc_kallsyms:s0
genfscon proc /keys u:object_r:proc_keys:s0
genfscon proc /kmsg u:object_r:proc_kmsg:s0
genfscon proc /loadavg u:object_r:proc_loadavg:s0
genfscon proc /locks u:object_r:proc_locks:s0
genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0
genfscon proc /meminfo u:object_r:proc_meminfo:s0
genfscon proc /misc u:object_r:proc_misc:s0
genfscon proc /modules u:object_r:proc_modules:s0
genfscon proc /mounts u:object_r:proc_mounts:s0
genfscon proc /net u:object_r:proc_net:s0
genfscon proc /net/tcp u:object_r:proc_net_tcp_udp:s0
genfscon proc /net/udp u:object_r:proc_net_tcp_udp:s0
# /net/xt_qtaguid/ctrl is listed first and is the longer prefix, so it wins
# over the directory-wide stat label on the next line.
genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
genfscon proc /pressure/cpu u:object_r:proc_pressure_cpu:s0
genfscon proc /pressure/io u:object_r:proc_pressure_io:s0
genfscon proc /pressure/memory u:object_r:proc_pressure_mem:s0
genfscon proc /slabinfo u:object_r:proc_slabinfo:s0
genfscon proc /softirqs u:object_r:proc_timer:s0
genfscon proc /stat u:object_r:proc_stat:s0
genfscon proc /swaps u:object_r:proc_swaps:s0
# Writes here trigger SysRq actions; shares proc_sysrq with /sys/kernel/sysrq.
genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
genfscon proc /kpageflags u:object_r:proc_kpageflags:s0
genfscon proc /sys/abi/swp u:object_r:proc_abi:s0
genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0
# proc_security groups the kernel hardening knobs (protected_*links,
# suid_dumpable, dmesg/kptr_restrict, modules_disabled, randomize_va_space,
# mmap_min_addr, mmap_rnd_*) so write access can be denied as a unit.
genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
genfscon proc /sys/kernel/bpf_ u:object_r:proc_bpf:s0
# usermodehelper: files naming a program the kernel itself executes (as root)
# on core dump, hotplug, module load, poweroff, etc. A write here is code
# execution in kernel context, hence the dedicated type.
genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0
genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/hung_task_ u:object_r:proc_hung_task:s0
genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
genfscon proc /sys/kernel/panic_on_oops u:object_r:proc_panic:s0
genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
genfscon proc /sys/kernel/perf_event_paranoid u:object_r:proc_perf:s0
genfscon proc /sys/kernel/perf_cpu_time_max_percent u:object_r:proc_perf:s0
genfscon proc /sys/kernel/perf_event_mlock_kb u:object_r:proc_perf:s0
genfscon proc /sys/kernel/pid_max u:object_r:proc_pid_max:s0
genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/random u:object_r:proc_random:s0
genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
genfscon proc /sys/kernel/sched_child_runs_first u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_latency_ns u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_rt_period_us u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_schedstats u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_util_clamp_max u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_util_clamp_min u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_util_clamp_min_rt_default u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
genfscon proc /sys/kernel/unprivileged_bpf_ u:object_r:proc_bpf:s0
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
genfscon proc /sys/net u:object_r:proc_net:s0
genfscon proc /sys/net/core/bpf_ u:object_r:proc_bpf:s0
genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
genfscon proc /sys/vm/extra_free_kbytes u:object_r:proc_extra_free_kbytes:s0
genfscon proc /sys/vm/max_map_count u:object_r:proc_max_map_count:s0
genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
genfscon proc /sys/vm/page-cluster u:object_r:proc_page_cluster:s0
genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
genfscon proc /sys/vm/watermark_boost_factor u:object_r:proc_watermark_boost_factor:s0
genfscon proc /sys/vm/watermark_scale_factor u:object_r:proc_watermark_scale_factor:s0
genfscon proc /sys/vm/percpu_pagelist_high_fraction u:object_r:proc_percpu_pagelist_high_fraction:s0
genfscon proc /timer_list u:object_r:proc_timer:s0
genfscon proc /timer_stats u:object_r:proc_timer:s0
genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
genfscon proc /uid/ u:object_r:proc_uid_time_in_state:s0
genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0
genfscon proc /uptime u:object_r:proc_uptime:s0
genfscon proc /version u:object_r:proc_version:s0
genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
genfscon proc /vmstat u:object_r:proc_vmstat:s0
genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
genfscon proc /vendor_sched u:object_r:proc_vendor_sched:s0
genfscon fusectl / u:object_r:fusectlfs:s0
# selinuxfs booleans can be individually labeled.
genfscon selinuxfs / u:object_r:selinuxfs:s0
# cgroup v1 and v2 mounts get distinct types (see the zygote cgroup rules above).
genfscon cgroup / u:object_r:cgroup:s0
genfscon cgroup2 / u:object_r:cgroup_v2:s0
# sysfs labels can be set by userspace.
# Everything under sysfs not matched by a longer prefix below is plain `sysfs`.
genfscon sysfs / u:object_r:sysfs:s0
genfscon sysfs /devices/cs_etm u:object_r:sysfs_devices_cs_etm:s0
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
genfscon sysfs /class/gpu u:object_r:sysfs_gpu:s0
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
genfscon sysfs /class/net u:object_r:sysfs_net:s0
# Only rfkill0..rfkill3 get the writable Bluetooth label; a device whose
# Bluetooth rfkill index is higher falls back to the generic `sysfs` type and
# must relabel it via file_contexts or its own genfscon entries.
genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
genfscon sysfs /class/rfkill/rfkill1/state u:object_r:sysfs_bluetooth_writable:s0
genfscon sysfs /class/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0
genfscon sysfs /class/rfkill/rfkill3/state u:object_r:sysfs_bluetooth_writable:s0
genfscon sysfs /class/rtc u:object_r:sysfs_rtc:s0
genfscon sysfs /class/switch u:object_r:sysfs_switch:s0
genfscon sysfs /class/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0
# Block-device tree: the generic prefix first, then longer prefixes for
# device-mapper, loop and zram nodes (and the zram uevent files).
genfscon sysfs /devices/virtual/block/ u:object_r:sysfs_devices_block:s0
genfscon sysfs /devices/virtual/block/dm- u:object_r:sysfs_dm:s0
genfscon sysfs /devices/virtual/block/loop u:object_r:sysfs_loop:s0
genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_zram:s0
genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_uevent:s0
genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
genfscon sysfs /devices/virtual/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /firmware/devicetree/base/avf u:object_r:sysfs_dt_avf:s0
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
genfscon sysfs /fs/fuse/bpf_prog_type_fuse u:object_r:sysfs_fs_fuse_bpf:s0
genfscon sysfs /fs/fuse/features u:object_r:sysfs_fs_fuse_features:s0
genfscon sysfs /fs/incremental-fs/features u:object_r:sysfs_fs_incfs_features:s0
genfscon sysfs /fs/incremental-fs/instances u:object_r:sysfs_fs_incfs_metrics:s0
genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
genfscon sysfs /power/state u:object_r:sysfs_power:s0
genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0
genfscon sysfs /power/sync_on_suspend u:object_r:sysfs_sync_on_suspend:s0
genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0
genfscon sysfs /kernel/dma_heap u:object_r:sysfs_dma_heap:s0
genfscon sysfs /kernel/ion u:object_r:sysfs_ion:s0
genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
genfscon sysfs /kernel/mm/lru_gen/enabled u:object_r:sysfs_lru_gen_enabled:s0
# Kernel ELF notes; separated so reads can be restricted (may reveal kernel
# layout details).
genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
# sysfs counterpart of the proc usermodehelper paths: names a program the
# kernel executes on uevents, so writes are code execution as root.
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
genfscon sysfs /kernel/dmabuf/buffers u:object_r:sysfs_dmabuf_stats:s0
genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0
genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0
genfscon sysfs /devices/uprobe u:object_r:sysfs_uprobe:s0
genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
genfscon debugfs /tracing u:object_r:debugfs_tracing_debug:s0
genfscon tracefs / u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/tracing_on u:object_r:debugfs_tracing:s0
genfscon tracefs /tracing_on u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace u:object_r:debugfs_tracing:s0
genfscon tracefs /trace u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/per_cpu/cpu u:object_r:debugfs_tracing:s0
genfscon tracefs /per_cpu/cpu u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/hyp u:object_r:debugfs_tracing:s0
genfscon tracefs /hyp u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
genfscon debugfs /tracing/instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
genfscon tracefs /instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
genfscon debugfs /tracing/instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
genfscon tracefs /instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0
genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
genfscon debugfs /tracing/printk_formats u:object_r:debugfs_tracing_printk_formats:s0
genfscon tracefs /printk_formats u:object_r:debugfs_tracing_printk_formats:s0
genfscon debugfs /tracing/events/header_page u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/header_page u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
genfscon tracefs /synthetic_events u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/synthetic_events u:object_r:debugfs_tracing:s0
genfscon tracefs /events/synthetic/rss_stat_throttled u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/synthetic/rss_stat_throttled u:object_r:debugfs_tracing:s0
genfscon tracefs /events/synthetic/suspend_resume_minimal u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/synthetic/suspend_resume_minimal u:object_r:debugfs_tracing:s0
genfscon tracefs /trace_clock u:object_r:debugfs_tracing:s0
genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0
genfscon tracefs /options/overwrite u:object_r:debugfs_tracing:s0
genfscon tracefs /options/print-tgid u:object_r:debugfs_tracing:s0
genfscon tracefs /options/record-tgid u:object_r:debugfs_tracing:s0
genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
# tracefs event nodes (continued from the entries above this span).
# Each listed event directory is given the debugfs_tracing type rather than
# the filesystem's default, so policy can grant these specific trace points
# separately from the rest of tracefs. The label for the tracefs root itself
# is not set in this span.
genfscon tracefs /events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cgroup/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/clock_enable/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/clock_disable/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/gpu_work_period/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_command/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_return/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/dma_fence/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ftrace/print/ u:object_r:debugfs_tracing:s0
# NOTE(review): unlike its siblings this path has no trailing slash. genfscon
# matching is a string-prefix comparison, so as written it also covers any
# sibling node whose name begins with "gpu_mem_total" — confirm intentional.
genfscon tracefs /events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
genfscon tracefs /events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpuhp/cpuhp_pause/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ipi/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/irq/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
# debugfs /tracing entries: the same tracing control files and event nodes as
# the tracefs list, reached through the debugfs mount instead. Presumably kept
# for kernels/configurations that expose tracing under debugfs — confirm. The
# two lists are expected to stay in step with each other.
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/overwrite u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/print-tgid u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/record-tgid u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cgroup/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/clock_enable/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/clock_disable/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/gpu_work_period/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_command/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_return/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/dma_fence/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
# NOTE(review): no trailing slash here, matching the tracefs entry for the
# same event; as a prefix match this also covers any sibling whose name begins
# with "gpu_mem_total" — confirm intentional.
genfscon debugfs /tracing/events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
# The kernel coverage interface gets its own type (debugfs_kcov) rather than
# the generic debugfs or debugfs_tracing label, so access to it can be granted
# and denied independently of ordinary debugfs nodes.
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
# Filesystem root and per-node labels for pseudo- and storage filesystems.
# Ordering within genfscon is not significant: the kernel picks the entry with
# the longest matching path prefix, so the specific binder and debugfs nodes
# listed here win over the "/" catch-all entries for the same filesystem.
genfscon securityfs / u:object_r:securityfs:s0
# binderfs: each device node and the logs/features directories get distinct
# types so they can be exposed to different domains; the binderfs root is
# labeled separately below.
genfscon binder /binder u:object_r:binder_device:s0
genfscon binder /hwbinder u:object_r:hwbinder_device:s0
genfscon binder /vndbinder u:object_r:vndbinder_device:s0
genfscon binder /binder_logs u:object_r:binderfs_logs:s0
genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
genfscon binder /binder_logs/stats u:object_r:binderfs_logs_stats:s0
genfscon binder /features u:object_r:binderfs_features:s0
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0
genfscon binder / u:object_r:binderfs:s0
genfscon exfat / u:object_r:exfat:s0
# Catch-all for debugfs; anything not matched by a more specific
# /tracing/... or /kcov entry falls back to the plain debugfs type.
genfscon debugfs / u:object_r:debugfs:s0
genfscon fuse / u:object_r:fuse:s0
genfscon fuseblk / u:object_r:fuseblk:s0
genfscon configfs / u:object_r:configfs:s0
# esdfs is given the same type as sdcardfs, so policy treats both alike.
genfscon sdcardfs / u:object_r:sdcardfs:s0
genfscon esdfs / u:object_r:sdcardfs:s0
genfscon pstore / u:object_r:pstorefs:s0
genfscon functionfs / u:object_r:functionfs:s0
genfscon usbfs / u:object_r:usbfs:s0
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
# bpf filesystem: the root is fs_bpf and each pinning subdirectory has its own
# fs_bpf_* type. The separate types allow the objects pinned under each
# directory to be granted to different consumers (the names suggest a
# loader / netd / tethering / vendor split — verify against the allow rules)
# instead of through a single fs_bpf label. Longest-prefix matching means
# these subdirectory entries take precedence over the "/" root entry.
genfscon bpf / u:object_r:fs_bpf:s0
genfscon bpf /loader u:object_r:fs_bpf_loader:s0
genfscon bpf /net_private u:object_r:fs_bpf_net_private:s0
genfscon bpf /net_shared u:object_r:fs_bpf_net_shared:s0
genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0
genfscon bpf /netd_shared u:object_r:fs_bpf_netd_shared:s0
genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
genfscon bpf /uprobestats u:object_r:fs_bpf_uprobestats:s0
#line 1 "system/sepolicy/private/port_contexts"
# portcon statements go here, e.g.
# portcon tcp 80 u:object_r:http_port:s0