      1 # This file contains autogenerated policy based on
      2 # denials seen in the wild.
      3 #
      4 # As a general rule, you should not add policy to
      5 # this file. You SHOULD treat this policy very
      6 # skeptically- while it does preserve compatibility,
      7 # it is also extremely overbroad.
      8 #
      9 # Over time this list should trend to size 0. Your
     10 # assistance in bringing it to 0 is highly appreciated.
        #
        # NOTE(review): the comments under each section below are reviewer
        # annotations on why a rule is broader than it looks and what the
        # usual replacement is. They describe the rules as written here;
        # the concrete path or socket behind each original denial is not
        # recoverable from this file, so treat those as assumptions to
        # confirm against the denial logs before narrowing a rule.
        # Rules prefixed with '#' are disabled and kept only as history.
     11 
     12 #============= adbd ==============
        # Write/create into app private data and open on system data from
        # the debug bridge. 'proc' is the generic label for procfs entries,
        # so a write rule on proc:file reaches far more than the one file
        # that was denied — the narrower fix is a dedicated label for that
        # file (which file it was is not visible here).
     13 allow adbd app_data_file:dir { write add_name };
     14 allow adbd app_data_file:file { write create open setattr };
     15 allow adbd proc:file write;
     16 allow adbd system_data_file:file open;
     17 
     18 #============= drmserver ==============
        # The init:unix_stream_socket { read write } rule here recurs in
        # most sections below (keystore, mediaserver, platform_app, radio,
        # release_app, shared_app, surfaceflinger, system, untrusted_app).
        # Presumably these are socket fds inherited from init across exec
        # — TODO confirm; if so the fix is to label or close the socket
        # before exec rather than granting each domain read/write on
        # init's own sockets.
     19 allow drmserver init:unix_stream_socket { read write };
     20 
     21 #============= init ==============
        # node_bind on a raw IP socket lets init bind to any 'node'
        # (the generic host-address type); looks like it comes from a
        # network setup step — verify.
     22 allow init node:rawip_socket node_bind;
     23 
     24 #============= keystore ==============
        # See the drmserver note on inherited init sockets.
     25 allow keystore init:unix_stream_socket { read write };
     26 
     27 #============= media_app ==============
        # Append to any file labeled system_data_file; system_data_file
        # is a broad label, so a per-file label is the usual replacement.
     28 allow media_app system_data_file:file append;
     29 
     30 #============= mediaserver ==============
        # See the drmserver note; the system_data_file:file open rule
        # has the same breadth concern as in the media_app section.
     31 allow mediaserver init:unix_stream_socket { read write };
     32 allow mediaserver system_data_file:file open;
     33 
     34 #============= nfc ==============
        # Same breadth concern as the media_app append rule.
     35 allow nfc system_data_file:file append;
     36 
     37 #============= ping ==============
        # sigchld is what a child delivers to its parent on exit, so this
        # reads as ping having been spawned from adbd — presumably via the
        # adb shell; confirm. Low risk, but still only here due to a
        # denial.
     38 allow ping adbd:process sigchld;
     39 
     40 #============= platform_app ==============
        # 'unlabeled' is the type of a file carrying no SELinux label at
        # all, so read on unlabeled:file is effectively read on any file
        # that was never labeled. The expected fix is to label the files
        # (file_contexts plus a relabel), not to keep this rule; the
        # paths involved are not recoverable from this file. The same
        # rule appears for shared_app, system, system_app and
        # untrusted_app below.
     41 allow platform_app init:unix_stream_socket { read write };
     42 #allow platform_app system_data_file:file append;
     43 allow platform_app unlabeled:file { read getattr open };
     44 
     45 #============= radio ==============
        # See the drmserver note (init socket) and the media_app note
        # (system_data_file append).
     46 allow radio init:unix_stream_socket { read write };
     47 allow radio system_data_file:file append;
     48 
     49 #============= release_app ==============
        # Same two concerns as the radio section.
     50 allow release_app init:unix_stream_socket { read write };
     51 allow release_app system_data_file:file append;
     52 
     53 #============= shared_app ==============
        # See the platform_app note on unlabeled files.
     54 allow shared_app init:unix_stream_socket { read write };
     55 #allow shared_app system_data_file:file append;
     56 allow shared_app unlabeled:file { read getattr open };
     57 
     58 #============= shell ==============
        # dir getattr on the various data directories exposes metadata
        # only. The items worth a second look are create/rmdir on
        # sdcard_internal, write on device:sock_file ('device' is the
        # generic /dev label, so this is any unlabeled socket under it),
        # and connectto on vold's stream socket plus write on its socket
        # file, which together give the debug shell a channel to vold —
        # check whether that is intended for the shell user.
        # The disabled capability/capability2 and system_data_file rules
        # below are kept as history; do not re-enable them here.
     59 allow shell apk_private_data_file:dir getattr;
     60 allow shell asec_image_file:dir getattr;
     61 allow shell backup_data_file:dir getattr;
     62 allow shell device:sock_file write;
     63 allow shell drm_data_file:dir getattr;
     64 allow shell gps_data_file:dir getattr;
     65 allow shell rootfs:file getattr;
     66 allow shell sdcard_internal:dir { create rmdir };
     67 #allow shell self:capability { fowner fsetid dac_override };
     68 #allow shell self:capability2 syslog;
     69 #allow shell system_data_file:dir { write add_name };
     70 #allow shell system_data_file:file { write create setattr };
     71 allow shell vold:unix_stream_socket connectto;
     72 allow shell vold_socket:sock_file write;
     73 
     74 #============= surfaceflinger ==============
        # binder call to adbd and nfc is an unusual direction for a display
        # service; presumably a reply path on an existing transaction —
        # confirm. 'sysfs' is the generic label for sysfs nodes, so
        # sysfs:file write should be narrowed to a dedicated sysfs_*
        # label for the one node that was written.
     75 allow surfaceflinger adbd:binder call;
     76 allow surfaceflinger init:unix_stream_socket { read write };
     77 allow surfaceflinger nfc:binder call;
     78 allow surfaceflinger sysfs:file write;
     79 
     80 #============= system ==============
        # proc:file write has the same breadth concern as in the adbd
        # section; unlabeled:file read the same as in platform_app.
        # security_file:lnk_file read is a symlink read only — presumably
        # a symlink under the security policy directory; verify.
     81 allow system adbd_socket:sock_file write;
     82 allow system init:unix_stream_socket { read write };
     83 allow system proc:file write;
     84 allow system security_file:lnk_file read;
     85 allow system unlabeled:file { read getattr open };
     86 
     87 #============= system_app ==============
        # See the platform_app note on unlabeled files.
     88 allow system_app unlabeled:file { read getattr open };
     89 
     90 #============= untrusted_app ==============
        # This is the broadest section: third-party apps get read on dir
        # and file objects labeled with the init, kernel and servicemanager
        # process domains (looks like /proc/<pid> entries of those
        # processes, which take the process's label — confirm), write on
        # shared_app pipes, and read on unlabeled files/dirs (see the
        # platform_app note). Each of these should be traced back to the
        # specific path in the denial and replaced by a proper label.
     91 allow untrusted_app init:dir { getattr search };
     92 allow untrusted_app init:file { read getattr open };
     93 allow untrusted_app init:unix_stream_socket { read write };
     94 allow untrusted_app kernel:dir { search getattr };
     95 allow untrusted_app kernel:file { read getattr open };
     96 allow untrusted_app servicemanager:dir { search getattr };
     97 allow untrusted_app servicemanager:file { read getattr open };
     98 allow untrusted_app shared_app:fifo_file write;
     99 #allow untrusted_app system_data_file:file append;
    100 allow untrusted_app unlabeled:dir getattr;
    101 allow untrusted_app unlabeled:file { read getattr open };
    102 
    103 #============= vold ==============
        # Listing unlabeled directories from the volume daemon; presumably
        # a mount point that was never labeled — confirm and label it.
    104 allow vold unlabeled:dir { read getattr open };
    105 
    106 #============= wpa ==============
        # sendto on an init datagram socket and write on the wifi data
        # socket file; presumably the supplicant control socket path —
        # confirm against the denial.
    107 allow wpa init:unix_dgram_socket sendto;
    108 allow wpa wifi_data_file:sock_file write;
    109 
    110 #============= zygote ==============
        # Same symlink-read note as the system section.
    111 allow zygote security_file:lnk_file read;
    112
    112