# This file contains autogenerated policy based on
# denials seen in the wild.
#
# As a general rule, you should not add policy to
# this file. You SHOULD treat this policy very
# skeptically: while it does preserve compatibility,
# it is also extremely overbroad.
#
# Over time this list should trend to size 0. Your
# assistance in bringing it to 0 is highly appreciated.
#
# Reading guide: every rule below exists because an audit denial was
# observed, not because the access was designed. Rules on the
# "unlabeled" type deserve the most attention: "unlabeled" is the type
# an object carries when no file_contexts entry or stored xattr label
# applies to it, so a rule on it grants access to every mislabeled
# object at once. The fix for those is to label the object and drop
# the rule, not to keep the rule.

#============= adbd ==============
# Lets adbd create and modify files inside app private data
# directories (app_data_file). adbd serves the host-side debugger, so
# this is a direct path from the debug interface into app data.
allow adbd app_data_file:dir { write add_name };
allow adbd app_data_file:file { write create open setattr };
# "proc" is the generic label for /proc entries; a write rule on it
# covers every proc file that has no more specific genfscon label.
# Giving the one proc file adbd actually writes (not identified here)
# its own type would let this be narrowed to that file.
allow adbd proc:file write;

#============= debuggerd ==============
# debuggerd connects to a unix stream socket owned by a process in the
# system domain and writes the matching socket node, which sits under
# the generic system_data_file label. A dedicated socket type would
# tighten this to that one socket.
allow debuggerd system:unix_stream_socket connectto;
allow debuggerd system_data_file:sock_file write;

#============= dhcp ==============
# dhcp creates files that come out unlabeled, most likely because the
# parent directory is itself unlabeled (confirm). Labeling that
# directory is the fix.
allow dhcp unlabeled:file create;

#============= gpsd ==============
# gpsd opens a FIFO under system_data_file for read/write and also
# changes its attributes (setattr).
allow gpsd system_data_file:fifo_file { read write open setattr };
# execute_no_trans: gpsd runs the shell and other system binaries in
# its OWN domain rather than transitioning to a confined one, so
# whatever it executes inherits every rule granted to gpsd. Giving the
# executed helper its own domain (domain_auto_trans) would bound it.
allow gpsd shell_exec:file { read execute open execute_no_trans };
allow gpsd system_file:file execute_no_trans;

#============= media_app ==============
# Read of tmpfs-backed files created by init (init_tmpfs).
allow media_app init_tmpfs:file read;

#============= nfc ==============
allow nfc init_tmpfs:file read;
# Read/write on arbitrary unlabeled files; see the note at the top.
allow nfc unlabeled:file { read write open };

#============= ping ==============
# sigchld towards adbd means a ping process is exiting with adbd as
# its parent, i.e. ping is apparently being launched directly from
# the adbd domain rather than via shell (worth confirming).
allow ping adbd:process sigchld;

#============= platform_app ==============
# Read-only access to unlabeled files; see the note at the top.
allow platform_app unlabeled:file { read getattr open };

#============= release_app ==============
# Symlink resolution on unlabeled links; see the note at the top.
allow release_app unlabeled:lnk_file read;

#============= sdcardd ==============
# Directory listing of unlabeled directories; see the note at the top.
allow sdcardd unlabeled:dir { read open };

#============= shared_app ==============
allow shared_app init_tmpfs:file read;
# Broad read/write/setattr on unlabeled files for the shared-UID app
# domain; see the note at the top.
allow shared_app unlabeled:file { write getattr setattr read lock open };
allow shared_app unlabeled:lnk_file read;

#============= shell ==============
# getattr on a directory is what a plain stat / "ls -ld" needs; these
# rules let the shell stat the listed data directories without
# reading their contents.
allow shell apk_private_data_file:dir getattr;
allow shell asec_image_file:dir getattr;
allow shell backup_data_file:dir getattr;
allow shell drm_data_file:dir getattr;
allow shell efs_file:dir getattr;
allow shell gps_data_file:dir getattr;
allow shell nfc_data_file:dir getattr;
allow shell rootfs:file getattr;
allow shell sdcard_internal:dir { create rmdir };
# The four rules below are commented out and grant nothing (presumably
# kept for reference). Each would be a significant escalation for
# shell: file-ownership/DAC-override capabilities, syslog access, and
# writes under system_data_file. Do not re-enable them without a
# specific justification.
#allow shell self:capability { fowner fsetid dac_override };
#allow shell self:capability2 syslog;
#allow shell system_data_file:dir { write add_name };
#allow shell system_data_file:file { write create setattr };
# shell can connect to vold's control socket and write to the socket
# node. vold is the privileged storage daemon, so this is a boundary
# crossing from shell into a privileged service; any validation of
# what shell sends has to live inside vold.
allow shell vold:unix_stream_socket connectto;
allow shell vold_socket:sock_file write;

#============= surfaceflinger ==============
# Binder calls from surfaceflinger INTO app domains (nfc,
# platform_app). The usual direction is apps calling surfaceflinger;
# these are likely surfaceflinger invoking a callback the app
# registered (confirm).
allow surfaceflinger nfc:binder call;
allow surfaceflinger platform_app:binder call;

#============= system ==============
# Generic proc write; same remark as for adbd above: label the
# specific proc file instead.
allow system proc:file write;
# Near-complete file management (create/rename/unlink/ioctl) over
# unlabeled directories and files.
allow system unlabeled:dir { read remove_name write open add_name };
allow system unlabeled:file { rename read create ioctl getattr unlink open append };

#============= system_app ==============
# Read-only access to unlabeled files; see the note at the top.
allow system_app unlabeled:file { read getattr open };

#============= untrusted_app ==============
# "init" and "kernel" here are process domains; files carrying a
# domain type are the /proc/<pid> entries of processes in that domain.
# These rules let any untrusted app read init's and the kernel
# threads' /proc entries.
allow untrusted_app init:dir { getattr search };
allow untrusted_app init:file { read getattr open };
allow untrusted_app kernel:dir { search getattr };
allow untrusted_app kernel:file { read getattr open };
# Write into a FIFO owned by a shared_app process: a pipe crossing
# the app-domain boundary.
allow untrusted_app shared_app:fifo_file write;
# Highest-impact rules in this file: untrusted_app, the domain for
# third-party apps, gets create/write/delete over every unlabeled
# directory and read/create over every unlabeled file. Any object that
# loses or never receives its label becomes reachable from any app.
allow untrusted_app unlabeled:dir { write getattr setattr read remove_name open add_name };
allow untrusted_app unlabeled:file { read lock getattr open create };

#============= vold ==============
# Directory listing of unlabeled directories, possibly a freshly
# mounted volume with no labels yet (confirm); see the note at the top.
allow vold unlabeled:dir { read getattr open };
     92 allow vold unlabeled:dir { read getattr open };
     93