| # Filesystem types |
| type labeledfs, fs_type; |
| type pipefs, fs_type; |
| type sockfs, fs_type; |
| type rootfs, fs_type; |
| type proc, fs_type; |
| # Security-sensitive proc nodes that should not be writable to most. |
| type proc_security, fs_type; |
| type proc_drop_caches, fs_type; |
| type proc_overcommit_memory, fs_type; |
| # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers. |
| type usermodehelper, fs_type, sysfs_type; |
| type qtaguid_proc, fs_type, mlstrustedobject; |
| type proc_bluetooth_writable, fs_type; |
| type proc_cpuinfo, fs_type; |
| type proc_interrupts, fs_type; |
| type proc_iomem, fs_type; |
| type proc_meminfo, fs_type; |
| type proc_misc, fs_type; |
| type proc_modules, fs_type; |
| type proc_net, fs_type; |
| type proc_perf, fs_type; |
| type proc_stat, fs_type; |
| type proc_sysrq, fs_type; |
| type proc_timer, fs_type; |
| type proc_tty_drivers, fs_type; |
| type proc_uid_cputime_showstat, fs_type; |
| type proc_uid_cputime_removeuid, fs_type; |
| type proc_uid_io_stats, fs_type; |
| type proc_uid_procstat_set, fs_type; |
| type proc_uid_time_in_state, fs_type; |
| type proc_zoneinfo, fs_type; |
| type selinuxfs, fs_type, mlstrustedobject; |
| type cgroup, fs_type, mlstrustedobject; |
| type sysfs, fs_type, sysfs_type, mlstrustedobject; |
| type sysfs_uio, sysfs_type, fs_type; |
| type sysfs_batteryinfo, fs_type, sysfs_type; |
| type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject; |
| type sysfs_leds, fs_type, sysfs_type; |
| type sysfs_hwrandom, fs_type, sysfs_type; |
| type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject; |
| type sysfs_wake_lock, fs_type, sysfs_type; |
| type sysfs_mac_address, fs_type, sysfs_type; |
| type sysfs_usb, sysfs_type, file_type, mlstrustedobject; |
| type configfs, fs_type; |
| # /sys/devices/system/cpu |
| type sysfs_devices_system_cpu, fs_type, sysfs_type; |
| # /sys/module/lowmemorykiller |
| type sysfs_lowmemorykiller, fs_type, sysfs_type; |
| # /sys/module/wlan/parameters/fwpath |
| type sysfs_wlan_fwpath, fs_type, sysfs_type; |
| type sysfs_vibrator, fs_type, sysfs_type; |
| |
| type sysfs_thermal, sysfs_type, fs_type; |
| |
| type sysfs_zram, fs_type, sysfs_type; |
| type sysfs_zram_uevent, fs_type, sysfs_type; |
| type inotify, fs_type, mlstrustedobject; |
| type devpts, fs_type, mlstrustedobject; |
| type tmpfs, fs_type; |
| type shm, fs_type; |
| type mqueue, fs_type; |
| type fuse, sdcard_type, fs_type, mlstrustedobject; |
| type sdcardfs, sdcard_type, fs_type, mlstrustedobject; |
| type vfat, sdcard_type, fs_type, mlstrustedobject; |
| type debugfs, fs_type; |
| type debugfs_mmc, fs_type, debugfs_type; |
| type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject; |
| type debugfs_tracing, fs_type, debugfs_type; |
| type debugfs_tracing_instances, fs_type, debugfs_type; |
| type debugfs_wifi_tracing, fs_type, debugfs_type; |
| type tracing_shell_writable, fs_type, debugfs_type; |
| type pstorefs, fs_type; |
| type functionfs, fs_type, mlstrustedobject; |
| type oemfs, fs_type, contextmount_type; |
| type usbfs, fs_type; |
| type binfmt_miscfs, fs_type; |
| type app_fusefs, fs_type, contextmount_type; |
| |
| # File types |
| type unlabeled, file_type; |
| # Default type for anything under /system. |
| type system_file, file_type; |
| # Speedup access for trusted applications to the runtime event tags |
| type runtime_event_log_tags_file, file_type; |
| # Type for /system/bin/logcat. |
| type logcat_exec, exec_type, file_type; |
| # /cores for coredumps on userdebug / eng builds |
| type coredump_file, file_type; |
| # Default type for anything under /data. |
| type system_data_file, file_type, data_file_type; |
| # Unencrypted data |
| type unencrypted_data_file, file_type, data_file_type; |
| # /data/.layout_version or other installd-created files that |
| # are created in a system_data_file directory. |
| type install_data_file, file_type, data_file_type; |
| # /data/drm - DRM plugin data |
| type drm_data_file, file_type, data_file_type; |
| # /data/adb - adb debugging files |
| type adb_data_file, file_type, data_file_type; |
| # /data/anr - ANR traces |
| type anr_data_file, file_type, data_file_type, mlstrustedobject; |
| # /data/tombstones - core dumps |
| type tombstone_data_file, file_type, data_file_type, mlstrustedobject; |
| # /data/app - user-installed apps |
| type apk_data_file, file_type, data_file_type; |
| type apk_tmp_file, file_type, data_file_type, mlstrustedobject; |
| # /data/app-private - forward-locked apps |
| type apk_private_data_file, file_type, data_file_type; |
| type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject; |
| # /data/dalvik-cache |
| type dalvikcache_data_file, file_type, data_file_type; |
| # /data/ota |
| type ota_data_file, file_type, data_file_type; |
| # /data/ota_package |
| type ota_package_file, file_type, data_file_type, mlstrustedobject; |
| # /data/misc/profiles |
| type user_profile_data_file, file_type, data_file_type, mlstrustedobject; |
| # /data/misc/profman |
| type profman_dump_data_file, file_type, data_file_type; |
| # /data/resource-cache |
| type resourcecache_data_file, file_type, data_file_type; |
| # /data/local - writable by shell |
| type shell_data_file, file_type, data_file_type, mlstrustedobject; |
| # /data/property |
| type property_data_file, file_type, data_file_type; |
| # /data/bootchart |
| type bootchart_data_file, file_type, data_file_type; |
| # /data/system/heapdump |
| type heapdump_data_file, file_type, data_file_type, mlstrustedobject; |
| # /data/nativetest |
| type nativetest_data_file, file_type, data_file_type; |
| # /data/system_de/0/ringtones |
| type ringtone_file, file_type, data_file_type, mlstrustedobject; |
| # /data/preloads |
| type preloads_data_file, file_type, data_file_type; |
| # /data/preloads/media |
| type preloads_media_file, file_type, data_file_type; |
| |
| # Mount locations managed by vold |
| type mnt_media_rw_file, file_type; |
| type mnt_user_file, file_type; |
| type mnt_expand_file, file_type; |
| type storage_file, file_type; |
| |
| # Label for storage dirs which are just mount stubs |
| type mnt_media_rw_stub_file, file_type; |
| type storage_stub_file, file_type; |
| |
| # /postinstall: Mount point used by update_engine to run postinstall. |
| type postinstall_mnt_dir, file_type; |
| # Files inside the /postinstall mountpoint are all labeled as postinstall_file. |
| type postinstall_file, file_type; |
| |
| # /data/misc subdirectories |
| type adb_keys_file, file_type, data_file_type; |
| type audio_data_file, file_type, data_file_type; |
| type audiohal_data_file, file_type, data_file_type; |
| type audioserver_data_file, file_type, data_file_type; |
| type bluetooth_data_file, file_type, data_file_type; |
| type bluetooth_logs_data_file, file_type, data_file_type; |
| type bootstat_data_file, file_type, data_file_type; |
| type boottrace_data_file, file_type, data_file_type; |
| type camera_data_file, file_type, data_file_type; |
| type gatekeeper_data_file, file_type, data_file_type; |
| type incident_data_file, file_type, data_file_type; |
| type keychain_data_file, file_type, data_file_type; |
| type keystore_data_file, file_type, data_file_type; |
| type media_data_file, file_type, data_file_type; |
| type media_rw_data_file, file_type, data_file_type, mlstrustedobject; |
| type misc_user_data_file, file_type, data_file_type; |
| type net_data_file, file_type, data_file_type; |
| type nfc_data_file, file_type, data_file_type; |
| type radio_data_file, file_type, data_file_type, mlstrustedobject; |
| type reboot_data_file, file_type, data_file_type; |
| type recovery_data_file, file_type, data_file_type; |
| type shared_relro_file, file_type, data_file_type; |
| type systemkeys_data_file, file_type, data_file_type; |
| type vpn_data_file, file_type, data_file_type; |
| type wifi_data_file, file_type, data_file_type; |
| type zoneinfo_data_file, file_type, data_file_type; |
| type vold_data_file, file_type, data_file_type; |
| type perfprofd_data_file, file_type, data_file_type, mlstrustedobject; |
| # /data/misc/trace for method traces on userdebug / eng builds |
| type method_trace_data_file, file_type, data_file_type, mlstrustedobject; |
| |
| # /data/data subdirectories - app sandboxes |
| type app_data_file, file_type, data_file_type; |
| # /data/data subdirectory for system UID apps. |
| type system_app_data_file, file_type, data_file_type, mlstrustedobject; |
| # Compatibility with type name used in Android 4.3 and 4.4. |
| # Default type for anything under /cache |
| type cache_file, file_type, mlstrustedobject; |
| # Type for /cache/backup_stage/* (fd interchange with apps) |
| type cache_backup_file, file_type, mlstrustedobject; |
| # type for anything under /cache/backup (local transport storage) |
| type cache_private_backup_file, file_type; |
| # Type for anything under /cache/recovery |
| type cache_recovery_file, file_type, mlstrustedobject; |
| # Default type for anything under /efs |
| type efs_file, file_type; |
| # Type for wallpaper file. |
| type wallpaper_file, file_type, data_file_type, mlstrustedobject; |
| # Type for shortcut manager icon file. |
| type shortcut_manager_icons, file_type, data_file_type, mlstrustedobject; |
| # Type for user icon file. |
| type icon_file, file_type, data_file_type; |
| # /mnt/asec |
| type asec_apk_file, file_type, data_file_type, mlstrustedobject; |
| # Elements of asec files (/mnt/asec) that are world readable |
| type asec_public_file, file_type, data_file_type; |
| # /data/app-asec |
| type asec_image_file, file_type, data_file_type; |
| # /data/backup and /data/secure/backup |
| type backup_data_file, file_type, data_file_type, mlstrustedobject; |
| # All devices have bluetooth efs files. But they |
| # vary per device, so this type is used in per |
| # device policy |
| type bluetooth_efs_file, file_type; |
| # Type for fingerprint template file |
| type fingerprintd_data_file, file_type, data_file_type; |
| # Type for appfuse file. |
| type app_fuse_file, file_type, data_file_type, mlstrustedobject; |
| |
| # Socket types |
| type adbd_socket, file_type; |
| type bluetooth_socket, file_type; |
| type dnsproxyd_socket, file_type, mlstrustedobject; |
| type dumpstate_socket, file_type; |
| type fwmarkd_socket, file_type, mlstrustedobject; |
| type lmkd_socket, file_type; |
| type logd_socket, file_type, mlstrustedobject; |
| type logdr_socket, file_type, mlstrustedobject; |
| type logdw_socket, file_type, mlstrustedobject; |
| type mdns_socket, file_type; |
| type mdnsd_socket, file_type, mlstrustedobject; |
| type misc_logd_file, file_type; |
| type mtpd_socket, file_type; |
| type netd_socket, file_type; |
| type property_socket, file_type, mlstrustedobject; |
| type racoon_socket, file_type; |
| type rild_socket, file_type; |
| type rild_debug_socket, file_type; |
| type system_wpa_socket, file_type; |
| type system_ndebug_socket, file_type, mlstrustedobject; |
| type tombstoned_crash_socket, file_type, mlstrustedobject; |
| type tombstoned_java_trace_socket, file_type, mlstrustedobject; |
| type tombstoned_intercept_socket, file_type; |
| type uncrypt_socket, file_type; |
| type vold_socket, file_type; |
| type webview_zygote_socket, file_type; |
| type wpa_socket, file_type; |
| # hostapd control interface. |
| type hostapd_socket, file_type; |
| type zygote_socket, file_type; |
| type sap_uim_socket, file_type; |
| # UART (for GPS) control proc file |
| type gps_control, file_type; |
| |
| # PDX endpoint types |
| type pdx_display_dir, pdx_endpoint_dir_type, file_type; |
| type pdx_performance_dir, pdx_endpoint_dir_type, file_type; |
| type pdx_sensors_dir, pdx_endpoint_dir_type, file_type; |
| type pdx_pose_dir, pdx_endpoint_dir_type, file_type; |
| type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type; |
| |
| pdx_service_socket_types(display_client, pdx_display_dir) |
| pdx_service_socket_types(display_manager, pdx_display_dir) |
| pdx_service_socket_types(display_screenshot, pdx_display_dir) |
| pdx_service_socket_types(display_vsync, pdx_display_dir) |
| pdx_service_socket_types(performance_client, pdx_performance_dir) |
| pdx_service_socket_types(sensors_client, pdx_sensors_dir) |
| pdx_service_socket_types(pose_client, pdx_pose_dir) |
| pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir) |
| |
| # property_contexts file |
| type property_contexts, file_type; |
| |
| # Allow files to be created in their appropriate filesystems. |
| allow fs_type self:filesystem associate; |
| allow sysfs_type sysfs:filesystem associate; |
| allow debugfs_type { debugfs debugfs_tracing }:filesystem associate; |
| allow file_type labeledfs:filesystem associate; |
| allow file_type tmpfs:filesystem associate; |
| allow file_type rootfs:filesystem associate; |
| allow dev_type tmpfs:filesystem associate; |
| allow app_fuse_file app_fusefs:filesystem associate; |
| allow postinstall_file self:filesystem associate; |
| |
| # It's a bug to assign the file_type attribute and fs_type attribute |
| # to any type. Do not allow it. |
| # |
| # For example, the following is a bug: |
| # type apk_data_file, file_type, data_file_type, fs_type; |
| # Should be: |
| # type apk_data_file, file_type, data_file_type; |
| neverallow fs_type file_type:filesystem associate; |