1 ####################################################### 2 # 3 # This is the unconfined template. This template is the base policy 4 # which is used by daemons and other privileged components of 5 # Android. 6 # 7 # Historically, this template was called "unconfined" because it 8 # allowed the domain to do anything it wanted. Over time, 9 # this has changed, and will continue to change in the future. 10 # The rules in this file will be removed when no remaining 11 # unconfined domains require it, or when the rules contradict 12 # Android security best practices. Domains which need rules not 13 # provided by the unconfined template should add them directly to 14 # the relevant policy. 15 # 16 # The use of this template is discouraged. 17 ###################################################### 18 19 allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module audit_write audit_control linux_immutable }; 20 allow unconfineddomain self:capability2 ~{ mac_override mac_admin }; 21 allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam }; 22 allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console }; 23 allow unconfineddomain domain:fd *; 24 allow unconfineddomain domain:dir r_dir_perms; 25 allow unconfineddomain domain:lnk_file r_file_perms; 26 allow unconfineddomain domain:{ fifo_file file } rw_file_perms; 27 allow unconfineddomain domain:{ 28 socket 29 netlink_socket 30 key_socket 31 unix_stream_socket 32 unix_dgram_socket 33 netlink_route_socket 34 netlink_firewall_socket 35 netlink_tcpdiag_socket 36 netlink_nflog_socket 37 netlink_xfrm_socket 38 netlink_selinux_socket 39 netlink_audit_socket 40 netlink_ip6fw_socket 41 netlink_dnrt_socket 42 netlink_kobject_uevent_socket 43 tun_socket 44 } *; 45 allow unconfineddomain domain:ipc_class_set *; 46 allow unconfineddomain domain:key *; 47 allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~relabelto; 48 allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~relabelto; 49 allow unconfineddomain { 50 file_type 51 -keystore_data_file 52 -property_data_file 53 -system_file 54 -exec_type 55 -security_file 56 -shell_data_file 57 -app_data_file 58 }:{ dir lnk_file sock_file fifo_file } ~relabelto; 59 allow unconfineddomain exec_type:dir r_dir_perms; 60 allow unconfineddomain exec_type:file { r_file_perms execute }; 61 allow unconfineddomain exec_type:lnk_file r_file_perms; 62 allow unconfineddomain system_file:dir r_dir_perms; 63 allow unconfineddomain system_file:file { r_file_perms execute }; 64 allow unconfineddomain system_file:lnk_file r_file_perms; 65 allow unconfineddomain { 66 fs_type 67 -usermodehelper 68 -proc_security 69 -contextmount_type 70 -rootfs 71 -sdcard_type 72 }:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto}; 73 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto}; 74 allow unconfineddomain { 75 file_type 76 -keystore_data_file 77 -property_data_file 78 -system_file 79 -exec_type 80 -security_file 81 -shell_data_file 82 -app_data_file 83 }:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto}; 84 allow unconfineddomain rootfs:file execute; 85 allow unconfineddomain contextmount_type:dir r_dir_perms; 86 allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms; 87 allow unconfineddomain node_type:node *; 88 allow unconfineddomain netif_type:netif *; 89 allow unconfineddomain domain:peer recv; 90 allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr }; 91