254ad0da3a
Some necessary sepolicy rule changes for the init process to create a directory, mount the cgroupv2 module and mount the bpf filesystem. Also allow netd to create and pin bpf objects as files and read them back from files under the directory where the bpf filesystem is mounted. Test: bpf maps show up under /sys/fs/bpf/ Change-Id: I579d04f60d7e20bd800d970cd28cd39fda9d20a0
# Label inodes with the fs label.
|
|
genfscon rootfs / u:object_r:rootfs:s0
|
|
# proc labeling can be further refined (longest matching prefix).
|
|
genfscon proc / u:object_r:proc:s0
|
|
genfscon proc /asound u:object_r:proc_asound:s0
|
|
genfscon proc /cmdline u:object_r:proc_cmdline:s0
|
|
genfscon proc /config.gz u:object_r:config_gz:s0
|
|
genfscon proc /diskstats u:object_r:proc_diskstats:s0
|
|
genfscon proc /filesystems u:object_r:proc_filesystems:s0
|
|
genfscon proc /interrupts u:object_r:proc_interrupts:s0
|
|
genfscon proc /iomem u:object_r:proc_iomem:s0
|
|
genfscon proc /kmsg u:object_r:proc_kmsg:s0
|
|
genfscon proc /loadavg u:object_r:proc_loadavg:s0
|
|
genfscon proc /meminfo u:object_r:proc_meminfo:s0
|
|
genfscon proc /misc u:object_r:proc_misc:s0
|
|
genfscon proc /modules u:object_r:proc_modules:s0
|
|
genfscon proc /mounts u:object_r:proc_mounts:s0
|
|
genfscon proc /net u:object_r:proc_net:s0
|
|
genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
|
|
genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
|
|
genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
|
|
genfscon proc /softirqs u:object_r:proc_timer:s0
|
|
genfscon proc /stat u:object_r:proc_stat:s0
|
|
genfscon proc /swaps u:object_r:proc_swaps:s0
|
|
genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
|
|
genfscon proc /sys/abi/swp u:object_r:proc_abi:s0
|
|
genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0
|
|
genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
|
|
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
|
|
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
|
|
genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
|
|
genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
|
|
genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
|
|
genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
|
|
genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0
|
|
genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
|
|
genfscon proc /sys/kernel/hung_task_timeout_secs u:object_r:proc_hung_task:s0
|
|
genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
|
|
genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
|
|
genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
|
|
genfscon proc /sys/kernel/overflowuid u:object_r:proc_overflowuid:s0
|
|
genfscon proc /sys/kernel/panic_on_oops u:object_r:proc_panic:s0
|
|
genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
|
|
genfscon proc /sys/kernel/perf_event_paranoid u:object_r:proc_perf:s0
|
|
genfscon proc /sys/kernel/pid_max u:object_r:proc_pid_max:s0
|
|
genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
|
|
genfscon proc /sys/kernel/random u:object_r:proc_random:s0
|
|
genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
|
|
genfscon proc /sys/kernel/sched_child_runs_first u:object_r:proc_sched:s0
|
|
genfscon proc /sys/kernel/sched_latency_ns u:object_r:proc_sched:s0
|
|
genfscon proc /sys/kernel/sched_rt_period_us u:object_r:proc_sched:s0
|
|
genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0
|
|
genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
|
|
genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
|
|
genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
|
|
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
|
|
genfscon proc /sys/net u:object_r:proc_net:s0
|
|
genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
|
|
genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
|
|
genfscon proc /sys/vm/extra_free_kbytes u:object_r:proc_extra_free_kbytes:s0
|
|
genfscon proc /sys/vm/max_map_count u:object_r:proc_max_map_count:s0
|
|
genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
|
|
genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
|
|
genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
|
|
genfscon proc /sys/vm/page-cluster u:object_r:proc_page_cluster:s0
|
|
genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
|
|
genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
|
|
genfscon proc /timer_list u:object_r:proc_timer:s0
|
|
genfscon proc /timer_stats u:object_r:proc_timer:s0
|
|
genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
|
|
genfscon proc /uid/ u:object_r:proc_uid_time_in_state:s0
|
|
genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
|
|
genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
|
|
genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
|
|
genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
|
|
genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
|
|
genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
|
|
genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
|
|
genfscon proc /uptime u:object_r:proc_uptime:s0
|
|
genfscon proc /version u:object_r:proc_version:s0
|
|
genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
|
|
genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
|
|
|
|
# selinuxfs booleans can be individually labeled.
|
|
genfscon selinuxfs / u:object_r:selinuxfs:s0
|
|
genfscon cgroup / u:object_r:cgroup:s0
|
|
genfscon cgroup2 / u:object_r:cgroup_bpf:s0
|
|
# sysfs labels can be set by userspace.
|
|
genfscon sysfs / u:object_r:sysfs:s0
|
|
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
|
|
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
|
|
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
|
|
genfscon sysfs /class/net u:object_r:sysfs_net:s0
|
|
genfscon sysfs /class/rtc u:object_r:sysfs_rtc:s0
|
|
genfscon sysfs /class/switch u:object_r:sysfs_switch:s0
|
|
genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
|
|
genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0
|
|
genfscon sysfs /devices/virtual/block/dm- u:object_r:sysfs_dm:s0
|
|
genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
|
|
genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_zram:s0
|
|
genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
|
|
genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_uevent:s0
|
|
genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
|
|
genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
|
|
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
|
|
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
|
|
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
|
|
genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
|
|
genfscon sysfs /power/state u:object_r:sysfs_power:s0
|
|
genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
|
|
genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
|
|
genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
|
|
genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
|
|
genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
|
|
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
|
|
genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
|
|
genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
|
|
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
|
|
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
|
|
|
|
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
|
|
genfscon debugfs /tracing u:object_r:debugfs_tracing:s0
|
|
genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
|
|
genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
|
|
genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
|
|
genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0
|
|
genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
|
|
genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
|
|
|
|
genfscon debugfs /tracing/events/sync/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon debugfs /tracing/events/workqueue/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon debugfs /tracing/events/regulator/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon debugfs /tracing/events/pagecache/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon debugfs /tracing/events/irq/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon debugfs /tracing/events/ipi/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon debugfs /tracing/events/f2fs/f2fs_write_end/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon debugfs /tracing/events/ext4/ext4_da_write_end/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon debugfs /tracing/events/block/block_rq_issue/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon debugfs /tracing/events/block/block_rq_complete/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing_debug:s0
|
|
|
|
genfscon tracefs /events/sync/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon tracefs /events/workqueue/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon tracefs /events/regulator/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon tracefs /events/pagecache/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon tracefs /events/irq/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon tracefs /events/ipi/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon tracefs /events/f2fs/f2fs_sync_file_enter/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon tracefs /events/f2fs/f2fs_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon tracefs /events/f2fs/f2fs_write_begin/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon tracefs /events/f2fs/f2fs_write_end/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon tracefs /events/ext4/ext4_da_write_begin/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon tracefs /events/ext4/ext4_da_write_end/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon tracefs /events/ext4/ext4_sync_file_enter/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon tracefs /events/ext4/ext4_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon tracefs /events/block/block_rq_issue/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon tracefs /events/block/block_rq_complete/enable u:object_r:debugfs_tracing_debug:s0
|
|
genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing_debug:s0
|
|
|
|
genfscon inotifyfs / u:object_r:inotify:s0
|
|
genfscon vfat / u:object_r:vfat:s0
|
|
genfscon debugfs / u:object_r:debugfs:s0
|
|
genfscon tracefs / u:object_r:debugfs_tracing:s0
|
|
genfscon fuse / u:object_r:fuse:s0
|
|
genfscon configfs / u:object_r:configfs:s0
|
|
genfscon sdcardfs / u:object_r:sdcardfs:s0
|
|
genfscon pstore / u:object_r:pstorefs:s0
|
|
genfscon functionfs / u:object_r:functionfs:s0
|
|
genfscon usbfs / u:object_r:usbfs:s0
|
|
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
|
|
genfscon bpf / u:object_r:fs_bpf:s0
|
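Review bot: The single-root entry `genfscon bpf / u:object_r:fs_bpf:s0` at the end of the file labels every map and program netd pins under /sys/fs/bpf with the same fs_bpf type, so any domain later granted fs_bpf access reaches all pinned objects rather than only the ones it needs; the proc and sysfs sections above show the per-path pattern that would allow finer separation, and it is worth noting in a comment whether that is intended, e.g. `# bpffs root; all pinned objects currently share fs_bpf, refine per path if more domains need access`. The new `genfscon cgroup2 / u:object_r:cgroup_bpf:s0` line also deserves a one-line comment explaining why the v2 hierarchy is typed differently from the v1 `cgroup` entry directly above it, since nothing in the file says so, e.g. `# cgroup v2 is mounted by init alongside the bpf filesystem; kept distinct from the v1 cgroup type`. Whether the kernel honours per-path genfscon entries on bpffs should be confirmed before relying on that refinement. This page shows the whole file rather than a hunk, so the two new lines are identified from the commit message.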