fb889f23d2
Cutting down on the number of attributes associated with each type speeds up policy lookup times when there is an access vector cache miss. This change cuts down on the number of attributes associate with system_server from 19 to 8. The total number of attributes is reduced from 159 to 64. Bug: 36508258 Test: build and boot Marlin Change-Id: I8cdb6fb783ded869e88c5a9868fd7c8f838190f9
391 lines
12 KiB
Text
391 lines
12 KiB
Text
######################################
|
|
# Attribute declarations
|
|
#
|
|
|
|
# All types used for devices.
|
|
# On change, update CHECK_FC_ASSERT_ATTRS
|
|
# in tools/checkfc.c
|
|
attribute dev_type;
|
|
|
|
# All types used for processes.
|
|
attribute domain;
|
|
|
|
# All types used for filesystems.
|
|
# On change, update CHECK_FC_ASSERT_ATTRS
|
|
# definition in tools/checkfc.c.
|
|
attribute fs_type;
|
|
|
|
# All types used for context= mounts.
|
|
attribute contextmount_type;
|
|
|
|
# All types used for files that can exist on a labeled fs.
|
|
# Do not use for pseudo file types.
|
|
# On change, update CHECK_FC_ASSERT_ATTRS
|
|
# definition in tools/checkfc.c.
|
|
attribute file_type;
|
|
|
|
# All types used for domain entry points.
|
|
attribute exec_type;
|
|
|
|
# All types used for /data files.
|
|
attribute data_file_type;
|
|
# All types in /data, not in /data/vendor
|
|
attribute core_data_file_type;
|
|
# All types in /vendor
|
|
attribute vendor_file_type;
|
|
|
|
# All types use for sysfs files.
|
|
attribute sysfs_type;
|
|
|
|
# All types use for debugfs files.
|
|
attribute debugfs_type;
|
|
|
|
# Attribute used for all sdcards
|
|
attribute sdcard_type;
|
|
|
|
# All types used for nodes/hosts.
|
|
attribute node_type;
|
|
|
|
# All types used for network interfaces.
|
|
attribute netif_type;
|
|
|
|
# All types used for network ports.
|
|
attribute port_type;
|
|
|
|
# All types used for property service
|
|
# On change, update CHECK_PC_ASSERT_ATTRS
|
|
# definition in tools/checkfc.c.
|
|
attribute property_type;
|
|
|
|
# All properties defined in core SELinux policy. Should not be
|
|
# used by device specific properties
|
|
attribute core_property_type;
|
|
|
|
# All properties used to configure log filtering.
|
|
attribute log_property_type;
|
|
|
|
# All service_manager types created by system_server
|
|
attribute system_server_service;
|
|
|
|
# services which should be available to all but isolated apps
|
|
attribute app_api_service;
|
|
|
|
# services which should be available to all ephemeral apps
|
|
attribute ephemeral_app_api_service;
|
|
|
|
# services which export only system_api
|
|
attribute system_api_service;
|
|
|
|
# All types used for services managed by servicemanager.
|
|
# On change, update CHECK_SC_ASSERT_ATTRS
|
|
# definition in tools/checkfc.c.
|
|
attribute service_manager_type;
|
|
|
|
# All types used for services managed by hwservicemanager
|
|
attribute hwservice_manager_type;
|
|
|
|
# All HwBinder services guaranteed to be passthrough. These services always run
|
|
# in the process of their clients, and thus operate with the same access as
|
|
# their clients.
|
|
attribute same_process_hwservice;
|
|
|
|
# All HwBinder services guaranteed to be offered only by core domain components
|
|
attribute coredomain_hwservice;
|
|
|
|
# All types used for services managed by vndservicemanager
|
|
attribute vndservice_manager_type;
|
|
|
|
|
|
# All domains that can override MLS restrictions.
|
|
# i.e. processes that can read up and write down.
|
|
attribute mlstrustedsubject;
|
|
|
|
# All types that can override MLS restrictions.
|
|
# i.e. files that can be read by lower and written by higher
|
|
attribute mlstrustedobject;
|
|
|
|
# All domains used for apps.
|
|
attribute appdomain;
|
|
|
|
# All third party apps.
|
|
attribute untrusted_app_all;
|
|
|
|
# All domains used for apps with network access.
|
|
attribute netdomain;
|
|
|
|
# All domains used for apps with bluetooth access.
|
|
attribute bluetoothdomain;
|
|
|
|
# All domains used for binder service domains.
|
|
attribute binderservicedomain;
|
|
|
|
# update_engine related domains that need to apply an update and run
|
|
# postinstall. This includes the background daemon and the sideload tool from
|
|
# recovery for A/B devices.
|
|
attribute update_engine_common;
|
|
|
|
# All core domains (as opposed to vendor/device-specific domains)
|
|
attribute coredomain;
|
|
|
|
# All socket devices owned by core domain components
|
|
attribute coredomain_socket;
|
|
|
|
# All vendor domains which violate the requirement of not using Binder
|
|
# TODO(b/35870313): Remove this once there are no violations
|
|
attribute binder_in_vendor_violators;
|
|
|
|
# All vendor domains which violate the requirement of not using sockets for
|
|
# communicating with core components
|
|
# TODO(b/36577153): Remove this once there are no violations
|
|
attribute socket_between_core_and_vendor_violators;
|
|
|
|
# All vendor domains which violate the requirement of not executing
|
|
# system processes
|
|
# TODO(b/36463595)
|
|
attribute vendor_executes_system_violators;
|
|
|
|
# PDX services
|
|
attribute pdx_endpoint_dir_type;
|
|
attribute pdx_endpoint_socket_type;
|
|
attribute pdx_channel_socket_type;
|
|
|
|
pdx_service_attributes(display_client)
|
|
pdx_service_attributes(display_manager)
|
|
pdx_service_attributes(display_screenshot)
|
|
pdx_service_attributes(display_vsync)
|
|
pdx_service_attributes(performance_client)
|
|
pdx_service_attributes(bufferhub_client)
|
|
|
|
# All HAL servers
|
|
attribute halserverdomain;
|
|
# All HAL clients
|
|
attribute halclientdomain;
|
|
expandattribute halclientdomain true;
|
|
|
|
# HALs
|
|
attribute hal_allocator;
|
|
expandattribute hal_allocator true;
|
|
attribute hal_allocator_client;
|
|
expandattribute hal_allocator_client true;
|
|
attribute hal_allocator_server;
|
|
expandattribute hal_allocator_server true;
|
|
attribute hal_audio;
|
|
expandattribute hal_audio true;
|
|
attribute hal_audio_client;
|
|
expandattribute hal_audio_client true;
|
|
attribute hal_audio_server;
|
|
expandattribute hal_audio_server true;
|
|
attribute hal_bluetooth;
|
|
expandattribute hal_bluetooth true;
|
|
attribute hal_bluetooth_client;
|
|
expandattribute hal_bluetooth_client true;
|
|
attribute hal_bluetooth_server;
|
|
expandattribute hal_bluetooth_server true;
|
|
attribute hal_bootctl;
|
|
expandattribute hal_bootctl true;
|
|
attribute hal_bootctl_client;
|
|
expandattribute hal_bootctl_client true;
|
|
attribute hal_bootctl_server;
|
|
expandattribute hal_bootctl_server true;
|
|
attribute hal_camera;
|
|
expandattribute hal_camera true;
|
|
attribute hal_camera_client;
|
|
expandattribute hal_camera_client true;
|
|
attribute hal_camera_server;
|
|
expandattribute hal_camera_server true;
|
|
attribute hal_configstore;
|
|
expandattribute hal_configstore true;
|
|
attribute hal_configstore_client;
|
|
expandattribute hal_configstore_client true;
|
|
attribute hal_configstore_server;
|
|
expandattribute hal_configstore_server true;
|
|
attribute hal_contexthub;
|
|
expandattribute hal_contexthub true;
|
|
attribute hal_contexthub_client;
|
|
expandattribute hal_contexthub_client true;
|
|
attribute hal_contexthub_server;
|
|
expandattribute hal_contexthub_server true;
|
|
attribute hal_drm;
|
|
expandattribute hal_drm true;
|
|
attribute hal_drm_client;
|
|
expandattribute hal_drm_client true;
|
|
attribute hal_drm_server;
|
|
expandattribute hal_drm_server true;
|
|
attribute hal_dumpstate;
|
|
expandattribute hal_dumpstate true;
|
|
attribute hal_dumpstate_client;
|
|
expandattribute hal_dumpstate_client true;
|
|
attribute hal_dumpstate_server;
|
|
expandattribute hal_dumpstate_server true;
|
|
attribute hal_fingerprint;
|
|
expandattribute hal_fingerprint true;
|
|
attribute hal_fingerprint_client;
|
|
expandattribute hal_fingerprint_client true;
|
|
attribute hal_fingerprint_server;
|
|
expandattribute hal_fingerprint_server true;
|
|
attribute hal_gatekeeper;
|
|
expandattribute hal_gatekeeper true;
|
|
attribute hal_gatekeeper_client;
|
|
expandattribute hal_gatekeeper_client true;
|
|
attribute hal_gatekeeper_server;
|
|
expandattribute hal_gatekeeper_server true;
|
|
attribute hal_gnss;
|
|
expandattribute hal_gnss true;
|
|
attribute hal_gnss_client;
|
|
expandattribute hal_gnss_client true;
|
|
attribute hal_gnss_server;
|
|
expandattribute hal_gnss_server true;
|
|
attribute hal_graphics_allocator;
|
|
expandattribute hal_graphics_allocator true;
|
|
attribute hal_graphics_allocator_client;
|
|
expandattribute hal_graphics_allocator_client true;
|
|
attribute hal_graphics_allocator_server;
|
|
expandattribute hal_graphics_allocator_server true;
|
|
attribute hal_graphics_composer;
|
|
expandattribute hal_graphics_composer true;
|
|
attribute hal_graphics_composer_client;
|
|
expandattribute hal_graphics_composer_client true;
|
|
attribute hal_graphics_composer_server;
|
|
expandattribute hal_graphics_composer_server true;
|
|
attribute hal_health;
|
|
expandattribute hal_health true;
|
|
attribute hal_health_client;
|
|
expandattribute hal_health_client true;
|
|
attribute hal_health_server;
|
|
expandattribute hal_health_server true;
|
|
attribute hal_ir;
|
|
expandattribute hal_ir true;
|
|
attribute hal_ir_client;
|
|
expandattribute hal_ir_client true;
|
|
attribute hal_ir_server;
|
|
expandattribute hal_ir_server true;
|
|
attribute hal_keymaster;
|
|
expandattribute hal_keymaster true;
|
|
attribute hal_keymaster_client;
|
|
expandattribute hal_keymaster_client true;
|
|
attribute hal_keymaster_server;
|
|
expandattribute hal_keymaster_server true;
|
|
attribute hal_light;
|
|
expandattribute hal_light true;
|
|
attribute hal_light_client;
|
|
expandattribute hal_light_client true;
|
|
attribute hal_light_server;
|
|
expandattribute hal_light_server true;
|
|
attribute hal_memtrack;
|
|
expandattribute hal_memtrack true;
|
|
attribute hal_memtrack_client;
|
|
expandattribute hal_memtrack_client true;
|
|
attribute hal_memtrack_server;
|
|
expandattribute hal_memtrack_server true;
|
|
attribute hal_nfc;
|
|
expandattribute hal_nfc true;
|
|
attribute hal_nfc_client;
|
|
expandattribute hal_nfc_client true;
|
|
attribute hal_nfc_server;
|
|
expandattribute hal_nfc_server true;
|
|
attribute hal_oemlock;
|
|
expandattribute hal_oemlock true;
|
|
attribute hal_oemlock_client;
|
|
expandattribute hal_oemlock_client true;
|
|
attribute hal_oemlock_server;
|
|
expandattribute hal_oemlock_server true;
|
|
attribute hal_power;
|
|
expandattribute hal_power true;
|
|
attribute hal_power_client;
|
|
expandattribute hal_power_client true;
|
|
attribute hal_power_server;
|
|
expandattribute hal_power_server true;
|
|
attribute hal_sensors;
|
|
expandattribute hal_sensors true;
|
|
attribute hal_sensors_client;
|
|
expandattribute hal_sensors_client true;
|
|
attribute hal_sensors_server;
|
|
expandattribute hal_sensors_server true;
|
|
attribute hal_telephony;
|
|
expandattribute hal_telephony true;
|
|
attribute hal_telephony_client;
|
|
expandattribute hal_telephony_client true;
|
|
attribute hal_telephony_server;
|
|
expandattribute hal_telephony_server true;
|
|
attribute hal_tetheroffload;
|
|
expandattribute hal_tetheroffload true;
|
|
attribute hal_tetheroffload_client;
|
|
expandattribute hal_tetheroffload_client true;
|
|
attribute hal_tetheroffload_server;
|
|
expandattribute hal_tetheroffload_server true;
|
|
attribute hal_thermal;
|
|
expandattribute hal_thermal true;
|
|
attribute hal_thermal_client;
|
|
expandattribute hal_thermal_client true;
|
|
attribute hal_thermal_server;
|
|
expandattribute hal_thermal_server true;
|
|
attribute hal_tv_cec;
|
|
expandattribute hal_tv_cec true;
|
|
attribute hal_tv_cec_client;
|
|
expandattribute hal_tv_cec_client true;
|
|
attribute hal_tv_cec_server;
|
|
expandattribute hal_tv_cec_server true;
|
|
attribute hal_tv_input;
|
|
expandattribute hal_tv_input true;
|
|
attribute hal_tv_input_client;
|
|
expandattribute hal_tv_input_client true;
|
|
attribute hal_tv_input_server;
|
|
expandattribute hal_tv_input_server true;
|
|
attribute hal_usb;
|
|
expandattribute hal_usb true;
|
|
attribute hal_usb_client;
|
|
expandattribute hal_usb_client true;
|
|
attribute hal_usb_server;
|
|
expandattribute hal_usb_server true;
|
|
attribute hal_vibrator;
|
|
expandattribute hal_vibrator true;
|
|
attribute hal_vibrator_client;
|
|
expandattribute hal_vibrator_client true;
|
|
attribute hal_vibrator_server;
|
|
expandattribute hal_vibrator_server true;
|
|
attribute hal_vr;
|
|
expandattribute hal_vr true;
|
|
attribute hal_vr_client;
|
|
expandattribute hal_vr_client true;
|
|
attribute hal_vr_server;
|
|
expandattribute hal_vr_server true;
|
|
attribute hal_weaver;
|
|
expandattribute hal_weaver true;
|
|
attribute hal_weaver_client;
|
|
expandattribute hal_weaver_client true;
|
|
attribute hal_weaver_server;
|
|
expandattribute hal_weaver_server true;
|
|
attribute hal_wifi;
|
|
expandattribute hal_wifi true;
|
|
attribute hal_wifi_client;
|
|
expandattribute hal_wifi_client true;
|
|
attribute hal_wifi_server;
|
|
expandattribute hal_wifi_server true;
|
|
attribute hal_wifi_keystore;
|
|
expandattribute hal_wifi_keystore true;
|
|
attribute hal_wifi_keystore_client;
|
|
expandattribute hal_wifi_keystore_client true;
|
|
attribute hal_wifi_keystore_server;
|
|
expandattribute hal_wifi_keystore_server true;
|
|
attribute hal_wifi_offload;
|
|
expandattribute hal_wifi_offload true;
|
|
attribute hal_wifi_offload_client;
|
|
expandattribute hal_wifi_offload_client true;
|
|
attribute hal_wifi_offload_server;
|
|
expandattribute hal_wifi_offload_server true;
|
|
attribute hal_wifi_supplicant;
|
|
expandattribute hal_wifi_supplicant true;
|
|
attribute hal_wifi_supplicant_client;
|
|
expandattribute hal_wifi_supplicant_client true;
|
|
attribute hal_wifi_supplicant_server;
|
|
expandattribute hal_wifi_supplicant_server true;
|
|
|
|
# HwBinder services offered across the core-vendor boundary
|
|
#
|
|
# We annotate server domains with x_server to loosen the coupling between
|
|
# system and vendor images. For example, it should be possible to move a service
|
|
# from one core domain to another, without having to update the vendor image
|
|
# which contains clients of this service.
|
|
|
|
attribute display_service_server;
|
|
attribute wifi_keystore_service_server;
|