platform_system_sepolicy/private/coredomain.te
Tri Vo a289d523ea Move coredomains rules from private/domain.te to private/coredomain.te
We lose git history with this, but imo the rules being moved don't have
much reference material. Also, as we write more neverallow rules for
CKI, I'd like to consolidate them in private/coredomain.te

Test: m selinux_policy
Change-Id: I6d0c3d2af0c4dfe7dd3cb1d8836b4b5e00db37a4
2018-11-15 15:15:53 -08:00


# Every core domain may read the package-manager properties (pm_prop) and their
# exported counterparts (exported_pm_prop). get_prop is a read-only grant; the
# exact permissions it expands to come from the shared macro definitions, not
# from this file.
get_prop(coredomain, pm_prop)
get_prop(coredomain, exported_pm_prop)
# sysfs_leds: on full-Treble builds no core domain gets any file access to the
# LED sysfs nodes. The three exclusions below are the domains that still may
# be granted such access elsewhere in the policy; anything else fails the
# build (neverallow rules are compile-time assertions, checked by
# `m selinux_policy`).
full_treble_only(`
  neverallow {
    coredomain
    # init chowns the nodes
    -init
    # ueventd/vold hold generic sysfs_type access
    -ueventd
    -vold
  } sysfs_leds:file *;
')
# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
#
# Each rule below forbids open/read/write style access (no_rw_file_perms) to
# the generic label of one pseudo-filesystem for all of coredomain, minus an
# explicit exclusion list. Every name in an exclusion list is a core domain
# that may still be granted that access by other rules, so each exclusion
# widens the core/vendor boundary and should be kept to the minimum. Since
# these are neverallow rules, a violating allow anywhere in the policy breaks
# the build rather than the device.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
full_treble_only(`
  # /proc -- only vold may use the generic proc label.
  neverallow { coredomain -vold } proc:file no_rw_file_perms;

  # /sys -- generic sysfs label.
  neverallow {
    coredomain
    -init
    -ueventd
    -vold
  } sysfs:file no_rw_file_perms;

  # /dev -- generic device label, for both block and regular files.
  neverallow {
    coredomain
    -fsck
    -init
    -ueventd
  } device:{ blk_file file } no_rw_file_perms;

  # debugfs
  neverallow {
    coredomain
    -dumpstate
    -init
    -system_server
  } debugfs:file no_rw_file_perms;

  # tracefs -- perfprofd is excluded only on userdebug/eng builds.
  neverallow {
    coredomain
    -atrace
    -dumpstate
    -init
    userdebug_or_eng(`-perfprofd')
    -traced_probes
    -shell
    -traceur_app
  } debugfs_tracing:file no_rw_file_perms;

  # inotifyfs -- only init.
  neverallow { coredomain -init } inotify:file no_rw_file_perms;

  # pstorefs -- incidentd is excluded only on userdebug/eng builds.
  neverallow {
    coredomain
    -bootstat
    -charger
    -dumpstate
    -healthd
    userdebug_or_eng(`-incidentd')
    -init
    -logd
    -logpersist
    -recovery_persist
    -recovery_refresh
    -shell
    -system_server
  } pstorefs:file no_rw_file_perms;

  # configfs
  neverallow {
    coredomain
    -init
    -system_server
  } configfs:file no_rw_file_perms;

  # functionfs
  neverallow {
    coredomain
    -adbd
    -init
    -mediaprovider
    -system_server
  } functionfs:file no_rw_file_perms;

  # usbfs and binfmt_miscfs -- only init.
  neverallow { coredomain -init } { usbfs binfmt_miscfs }:file no_rw_file_perms;
')