      1 # This file contains autogenerated policy based on
      2 # denials seen in the wild.
      3 #
      4 # As a general rule, you should not add policy to
      5 # this file. You SHOULD treat this policy very
      6 # skeptically: it was generated from observed denials,
      7 # not from what each domain needs, so while it does
      8 # preserve compatibility, it is also extremely overbroad.
      9 # Over time this list should trend to size 0. Your
     10 # assistance in bringing it to 0 is highly appreciated.
     11 
#============= adbd ==============
# adbd may create and write files in app private data. The rule is
# type-wide: every directory/file labeled app_data_file, not just the
# app being debugged, so it undercuts per-app data isolation.
# NOTE(review): presumably an `adb push`/backup path - confirm, and
# prefer a dedicated type for the path adbd actually needs.
allow adbd app_data_file:dir { write add_name };
allow adbd app_data_file:file { write create open setattr };
# Lets adbd change scheduling parameters of kernel-domain threads;
# unusual for a debug bridge - confirm which code path does this.
allow adbd kernel:process setsched;
# `proc` is the fallback type for /proc entries without a finer label,
# so this is a write to arbitrary procfs files (sysctls). Give the
# specific /proc path its own type and narrow this.
allow adbd proc:file write;
# setpcap lets adbd alter its own capability sets. Legitimate if adbd
# uses it to drop privileges (confirm), but audit that it only ever
# sheds capabilities and never re-acquires them.
allow adbd self:capability setpcap;
     18 
#============= debuggerd ==============
# debuggerd connects to a unix stream socket owned by the `system`
# domain, via a socket file that only carries the generic
# system_data_file type. NOTE(review): the socket file should get its
# own type so that reaching it is limited to debuggerd rather than to
# everything allowed to write system_data_file - confirm which socket.
allow debuggerd system:unix_stream_socket connectto;
allow debuggerd system_data_file:sock_file write;
     22 
#============= dhcp ==============
allow dhcp system_data_file:file open;
# `unlabeled` is the type SELinux gives objects with no valid label.
# Files dhcp creates here end up with that type, so no domain-specific
# policy will ever govern them. Label the target path (lease/state
# files, presumably - confirm) in file_contexts and drop this rule.
allow dhcp unlabeled:file create;
     26 
#============= drmserver ==============
# read/write on a stream socket labeled `init`, i.e. a socket init
# created that drmserver ends up holding. NOTE(review): this usually
# means a descriptor leaked across exec (e.g. a console fd) - confirm,
# and fix the leak at launch rather than allowing it here.
allow drmserver init:unix_stream_socket { read write };
     29 
#============= init ==============
# init binding a raw IP socket to a node address (the generic `node`
# type, i.e. any address). NOTE(review): raw sockets in the init
# domain are surprising; find which init-run helper needs this and
# move it into that helper's own domain.
allow init node:rawip_socket node_bind;
     32 
#============= init_shell ==============
# init_shell (going by the name, shell commands init itself runs)
# writing to an init fifo and reading/writing init-created netlink and
# unix stream sockets - objects init created, most likely descriptors
# inherited by the shell rather than opened by it.
# NOTE(review): inherited fds are generally a leak; confirm which rc
# command triggers these denials.
allow init_shell init:fifo_file write;
allow init_shell init:netlink_route_socket { read write };
allow init_shell init:netlink_socket { read write };
allow init_shell init:unix_stream_socket { read write };
# init_shell opening its own routing netlink socket. Only nlmsg_read
# is granted (no nlmsg_write), so it can query routes/links but not
# change them through this socket.
allow init_shell self:netlink_route_socket { write getattr setopt bind create nlmsg_read };
     39 
#============= installd ==============
# Read-only traversal (list, search, stat) of download_file
# directories; no write permission, so low risk. Still worth
# confirming why the installer looks under downloads at all.
allow installd download_file:dir { read search open getattr };
     42 
#============= keystore ==============
# read/write on a stream socket init created, i.e. an fd keystore
# holds without having opened it. NOTE(review): for the key-storage
# daemon an unexpected inherited socket should be closed at launch,
# not allowed - confirm which descriptor this is.
allow keystore init:unix_stream_socket { read write };
     45 
#============= media_app ==============
# Append to any file under the generic system_data_file type (most of
# /data without a more specific label). Append is narrower than write,
# but the rule is type-wide; label the file media_app actually appends
# to (a log, presumably - confirm) with its own type.
allow media_app system_data_file:file append;
     48 
#============= mediaserver ==============
# `device` is the catch-all type for /dev nodes with no specific
# label, so this is read/write/ioctl on any such node. Give the
# hardware node(s) mediaserver uses (confirm which) a dedicated type
# and drop this rule.
allow mediaserver device:chr_file { read write ioctl open };
# Sockets labeled `init`: objects init created that mediaserver holds.
# NOTE(review): likely inherited descriptors - confirm.
allow mediaserver init:unix_dgram_socket sendto;
allow mediaserver init:unix_stream_socket { read write };
# Write into arbitrary files and socket files under the generic /data
# type; whatever it writes needs its own type so this can be narrowed.
allow mediaserver system_data_file:file { write open };
allow mediaserver system_data_file:sock_file write;
     55 
#============= nfc ==============
# Any /dev node carrying the generic `device` label is readable and
# writable by the nfc domain; label the NFC controller node with its
# own type instead.
allow nfc device:chr_file { read write open };
# init-created stream socket held by nfc (inherited fd, presumably -
# confirm).
allow nfc init:unix_stream_socket { read write };
# Left commented out in the original; keep it that way: write/create/
# unlink on the generic /data type would let nfc alter other
# services' data.
#allow nfc system_data_file:dir { write remove_name add_name };
#allow nfc system_data_file:file { write create unlink append };
# Read/write of files that carry no valid label; label them in
# file_contexts rather than granting access to `unlabeled`.
allow nfc unlabeled:file { read write open };
     62 
#============= ping ==============
# ping delivering SIGCHLD to adbd, i.e. a ping process whose parent is
# in the adbd domain. Harmless by itself; it just records that adbd
# (not the shell domain) is the parent here - confirm that is intended.
allow ping adbd:process sigchld;
     65 
#============= platform_app ==============
# read/write/ioctl on any /dev node carrying the generic `device`
# type (nodes with no specific label). An app domain should never
# need the fallback type; label the node the app uses.
allow platform_app device:chr_file { read write ioctl };
# binder calls into a process still running in the `init` domain.
# NOTE(review): this implies a binder service that never transitioned
# out of init's domain; the fix is a domain (and transition) for that
# service, not this rule.
allow platform_app init:binder { transfer call };
# init-created stream socket held by the app (inherited fd, presumably).
allow platform_app init:unix_stream_socket { read write };
# Left commented out in the original; keep it that way - appending to
# the generic /data type from an app is not wanted.
#allow platform_app system_data_file:file append;
# Read-only access to files with no valid label; label them instead.
allow platform_app unlabeled:file { read getattr open };
     72 
#============= radio ==============
# binder call into a process in the `init` domain (a service that
# never got its own domain, presumably - confirm), plus an
# init-created stream socket the radio domain holds.
allow radio init:binder call;
allow radio init:unix_stream_socket { read write };
# Append to any system_data_file file (the generic /data type); the
# target file should get its own type so this can be narrowed.
allow radio system_data_file:file append;
     77 
#============= release_app ==============
# Append to arbitrary files under the generic /data type; scope this
# to a dedicated type for whatever release_app writes.
allow release_app system_data_file:file append;
# Reading a symlink that has no valid label; label it instead.
allow release_app unlabeled:lnk_file read;
     81 
#============= sdcardd ==============
# Listing directories that carry no valid label. NOTE(review): for
# the sdcard daemon this is plausibly an unlabeled backing directory -
# confirm and label it rather than allowing `unlabeled`.
allow sdcardd unlabeled:dir { read open };
     84 
#============= shared_app ==============
# shared_app reading/writing any /dev node that carries the generic
# `device` label; label the node instead.
allow shared_app device:chr_file { read write };
# binder into an `init`-domain process (a service that should have
# its own domain - confirm) and an init-created stream socket.
allow shared_app init:binder call;
allow shared_app init:unix_stream_socket { read write };
# Read of a tmpfs file labeled init_tmpfs, i.e. tmpfs/shared memory
# init owns. NOTE(review): confirm what init is sharing with apps.
allow shared_app init_tmpfs:file read;
# Left commented out in the original; keep it that way.
#allow shared_app system_data_file:file append;
# Read/write/lock of files with no valid label. Broad for an app
# domain; label the files so this can be removed.
allow shared_app unlabeled:file { write lock getattr open read };
     92 
#============= shell ==============
# Metadata-only (getattr) on assorted /data directory types and the
# rootfs; lets shell tools stat these paths, nothing more.
allow shell apk_private_data_file:dir getattr;
allow shell asec_image_file:dir getattr;
allow shell backup_data_file:dir getattr;
# Write to a socket file under the generic `device` type.
# NOTE(review): the socket should carry its own label.
allow shell device:sock_file write;
allow shell drm_data_file:dir getattr;
allow shell nfc_data_file:dir getattr;
allow shell rootfs:file getattr;
# Create/remove directories on the internal sdcard.
allow shell sdcard_internal:dir { create rmdir };
# Left commented out in the original; keep it that way: dac_override/
# fowner/fsetid would let shell bypass DAC permission checks on any
# file, and capability2 syslog would expose the kernel log.
#allow shell self:capability { fowner fsetid dac_override };
#allow shell self:capability2 syslog;
#allow shell system_data_file:dir { write remove_name add_name };
#allow shell system_data_file:file { write create setattr };
allow shell unlabeled:dir getattr;
# shell can connect to vold's control socket. vold performs privileged
# storage operations on behalf of its clients (confirm which commands
# its socket accepts), so anything in the shell domain can drive them;
# review this against vold's own per-command checks.
allow shell vold:unix_stream_socket connectto;
allow shell vold_socket:sock_file write;
    109 
#============= surfaceflinger ==============
# binder calls from surfaceflinger into adbd and platform_app.
# NOTE(review): surfaceflinger is normally the callee; a call into
# adbd suggests a callback/reply path (screen capture over adb?) -
# confirm.
allow surfaceflinger adbd:binder call;
# read/write/ioctl on any /dev node with the generic `device` label;
# the graphics nodes it needs should get their own type.
allow surfaceflinger device:chr_file { read write ioctl open };
# dir/file objects labeled with a domain type (`init`, `system_app`)
# are most likely that process's /proc/<pid> entries, since procfs
# task entries carry the task's label - so surfaceflinger is reading
# something about init and a system_app process. Read-only.
allow surfaceflinger init:dir search;
allow surfaceflinger init:file { read open };
# init-created stream socket held by surfaceflinger (inherited fd,
# presumably - confirm).
allow surfaceflinger init:unix_stream_socket { read write };
allow surfaceflinger platform_app:binder call;
allow surfaceflinger shell_data_file:dir search;
# Write to any sysfs file - type-wide over all of sysfs. The specific
# attribute being written (confirm which) should be labeled and this
# rule narrowed to that type.
allow surfaceflinger sysfs:file write;
allow surfaceflinger system_app:dir search;
allow surfaceflinger system_app:file { read open };
    121 
#============= system ==============
# ioctl on any /dev node with the generic `device` type; label the
# node the `system` domain actually targets.
allow system device:chr_file ioctl;
# binder into a process still in the `init` domain (a service without
# its own domain - confirm), and an init-created stream socket
# (setopt included).
allow system init:binder { transfer call };
allow system init:unix_stream_socket { read write setopt };
# Write to arbitrary /proc files: the generic `proc` type covers every
# procfs entry without a finer label. Give the sysctl its own type
# and narrow this.
allow system proc:file write;
allow system security_file:lnk_file read;
# Full create/rename/append/ioctl management of unlabeled dirs and
# files. NOTE(review): files the `system` domain creates this way end
# up with the `unlabeled` type and are then reachable by every other
# domain with an unlabeled rule (e.g. shared_app has write on
# unlabeled files elsewhere in this file). The parent directory needs
# a real label (and a type_transition) so new files get a proper type.
allow system unlabeled:dir { read remove_name write open add_name };
allow system unlabeled:file { rename getattr read create open ioctl append };
    130 
#============= system_app ==============
# init-created stream socket held by system_app (inherited fd,
# presumably - confirm), including setopt on it.
allow system_app init:unix_stream_socket { read write setopt };
# Read-only access to files with no valid label; label them instead.
allow system_app unlabeled:file { read getattr open };
    134 
#============= untrusted_app ==============
# Highest-risk section in this file: these rules apply to every
# third-party app.
#
# Any /dev node that carries the generic `device` label (one that
# file_contexts does not label specifically) becomes readable and
# writable by all untrusted apps. Remove this first: a missed label on
# any device node turns into app-reachable hardware access.
allow untrusted_app device:chr_file { read write };
# binder calls into a process still running in the `init` domain.
# Whatever service that is has no domain of its own and is reachable
# from untrusted code; give it a domain and a transition.
allow untrusted_app init:binder { transfer call };
# dir/file objects labeled with a domain type are most likely that
# process's /proc/<pid> entries (procfs task entries carry the task's
# label); read-only here.
allow untrusted_app init:dir { getattr search };
allow untrusted_app init:file { read getattr open };
# connectto (not just read/write on an inherited fd) means untrusted
# apps may connect to any listening unix stream socket init created.
# NOTE(review): identify the socket (or the service that should own
# it) and give it its own label; do not leave this on `init`.
allow untrusted_app init:unix_stream_socket { read write connectto };
# Same /proc/<pid> read pattern for the kernel, servicemanager,
# ueventd and zygote tasks - presumably process enumeration.
allow untrusted_app kernel:dir { getattr search };
allow untrusted_app kernel:file { read getattr open };
allow untrusted_app servicemanager:dir { getattr search };
allow untrusted_app servicemanager:file { read getattr open };
# Read of shell-owned data files (anything staged from adb, e.g. under
# /data/local/tmp - confirm the path). Untrusted apps reading
# developer-staged files is a data-disclosure path worth closing.
allow untrusted_app shell_data_file:dir search;
allow untrusted_app shell_data_file:file { read getattr open };
# Left commented out in the original; keep it that way.
#allow untrusted_app system_data_file:file append;
allow untrusted_app ueventd:dir { search getattr };
allow untrusted_app ueventd:file { read getattr open };
# setattr (chmod/chown/timestamps) on directories with no valid label,
# from untrusted code; label the directory and remove this.
allow untrusted_app unlabeled:dir setattr;
allow untrusted_app zygote:dir search;
    152 
#============= vold ==============
# Listing/stat of directories that have no valid label. NOTE(review):
# for the volume daemon this is plausibly a mount point it manages -
# confirm and label it rather than allowing `unlabeled`.
allow vold unlabeled:dir { read getattr open };
    155 
#============= wpa ==============
# sendto/read/write on an init-created datagram socket held by wpa.
# NOTE(review): presumably an inherited descriptor - confirm.
allow wpa init:unix_dgram_socket { read write sendto };
# Write to a socket file under the wifi data type (the supplicant's
# control socket, presumably - confirm).
allow wpa wifi_data_file:sock_file write;
    159 
#============= zygote ==============
# Read (resolve) a symlink labeled security_file. Read-only and low
# risk; confirm what security_file labels on this build.
allow zygote security_file:lnk_file read;
    162