# Filesystem types
#
# Each `type NAME, ATTR, ...;` statement declares a type and attaches the
# listed attributes to it. Every type in this section carries fs_type.
# The attributes used here (fs_type, sysfs_type, sdcard_type,
# contextmount_type, mlstrustedobject) are not declared in this listing.
# NOTE(review): in AOSP policy mlstrustedobject marks objects that are exempt
# from MLS restrictions -- confirm against the attributes file. Types that
# carry it are separated by type-enforcement rules alone, so any addition to
# that set deserves a second look.
type labeledfs, fs_type;
type pipefs, fs_type;
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type;
# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type;
# Type for /proc/sys/vm/drop_caches
type proc_drop_caches, fs_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
# Carries both fs_type and sysfs_type.
type usermodehelper, fs_type, sysfs_type;
type qtaguid_proc, fs_type, mlstrustedobject;
type proc_bluetooth_writable, fs_type;
type proc_cpuinfo, fs_type;
type proc_net, fs_type;
type proc_sysrq, fs_type;
type proc_uid_cputime_showstat, fs_type;
type proc_uid_cputime_removeuid, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
# sysfs and its more specific sub-types all carry sysfs_type in addition to
# fs_type; the *_writable ones also carry mlstrustedobject.
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
# /sys/module/lowmemorykiller
type sysfs_lowmemorykiller, fs_type, sysfs_type;
type inotify, fs_type, mlstrustedobject;
type devpts, fs_type, mlstrustedobject;
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;
# fuse and vfat are the two types that carry sdcard_type.
type fuse, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
# typealias keeps sdcard_internal and sdcard_external usable as alternative
# names for fuse and vfat; a rule written against an alias applies to the
# aliased type.
typealias fuse alias sdcard_internal;
typealias vfat alias sdcard_external;
# NOTE(review): debugfs carries mlstrustedobject, so access to it is limited
# only by the allow rules written for this type elsewhere in the policy.
type debugfs, fs_type, mlstrustedobject;
type pstorefs, fs_type;
type functionfs, fs_type;
# oemfs is the only type here that carries contextmount_type.
type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
type binfmt_miscfs, fs_type;

# File types
#
# Every type in this section carries file_type. The types commented as
# living under /data also carry data_file_type, and logcat_exec carries
# exec_type. Several of them additionally carry mlstrustedobject.
# NOTE(review): in AOSP policy mlstrustedobject marks objects exempt from MLS
# restrictions -- confirm against the attributes file, which is not part of
# this listing.
# NOTE(review): presumably the label given to files that have no valid
# security context -- confirm against initial_sid_contexts.
type unlabeled, file_type;
# Default type for anything under /system.
type system_file, file_type;
# Type for /system/bin/logcat.
type logcat_exec, exec_type, file_type;
# /cores for coredumps on userdebug / eng builds
type coredump_file, file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type;
# Unencrypted data
type unencrypted_data_file, file_type, data_file_type;
# /data/.layout_version or other installd-created files that
# are created in a system_data_file directory.
type install_data_file, file_type, data_file_type;
# /data/drm - DRM plugin data
type drm_data_file, file_type, data_file_type;
# /data/adb - adb debugging files
type adb_data_file, file_type, data_file_type;
# /data/anr - ANR traces
type anr_data_file, file_type, data_file_type, mlstrustedobject;
# /data/tombstones - core dumps
type tombstone_data_file, file_type, data_file_type;
# /data/app - user-installed apps
type apk_data_file, file_type, data_file_type;
# No path is given for the *_tmp_file types; unlike their non-tmp
# counterparts they carry mlstrustedobject.
type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/app-private - forward-locked apps
type apk_private_data_file, file_type, data_file_type;
type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type;
# /data/dalvik-cache/profiles
type dalvikcache_profiles_data_file, file_type, data_file_type, mlstrustedobject;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type;
# /data/local - writable by shell
type shell_data_file, file_type, data_file_type, mlstrustedobject;
# /data/gps
type gps_data_file, file_type, data_file_type;
# /data/property
type property_data_file, file_type, data_file_type;
# /data/bootchart
type bootchart_data_file, file_type, data_file_type;
# /data/system/heapdump
type heapdump_data_file, file_type, data_file_type, mlstrustedobject;

# Mount locations managed by vold
# These carry file_type only (no data_file_type).
type mnt_media_rw_file, file_type;
type mnt_user_file, file_type;
type mnt_expand_file, file_type;
type storage_file, file_type;

# Label for storage dirs which are just mount stubs
# Separate types let rules for the stub directories differ from rules for
# mnt_media_rw_file and storage_file.
type mnt_media_rw_stub_file, file_type;
type storage_stub_file, file_type;

# /data/misc subdirectories
#
# One type per subdirectory, each carrying file_type and data_file_type, so
# that access can be granted per subdirectory instead of through one shared
# label. The allow rules that grant that access are not part of this listing.
# NOTE(review): names such as adb_keys_file, gatekeeper_data_file,
# keychain_data_file, keystore_data_file, systemkeys_data_file and
# vpn_data_file suggest credential material -- confirm which domains are
# granted access when reviewing the rest of the policy.
# NOTE(review): media_rw_data_file, radio_data_file and perfprofd_data_file
# also carry mlstrustedobject, which in AOSP policy exempts an object from
# MLS restrictions -- confirm against the attributes file.
type adb_keys_file, file_type, data_file_type;
type audio_data_file, file_type, data_file_type;
type bluetooth_data_file, file_type, data_file_type;
type camera_data_file, file_type, data_file_type;
type gatekeeper_data_file, file_type, data_file_type;
type keychain_data_file, file_type, data_file_type;
type keystore_data_file, file_type, data_file_type;
type media_data_file, file_type, data_file_type;
type media_rw_data_file, file_type, data_file_type, mlstrustedobject;
type misc_user_data_file, file_type, data_file_type;
type net_data_file, file_type, data_file_type;
type nfc_data_file, file_type, data_file_type;
type radio_data_file, file_type, data_file_type, mlstrustedobject;
type shared_relro_file, file_type, data_file_type;
type systemkeys_data_file, file_type, data_file_type;
type vpn_data_file, file_type, data_file_type;
type wifi_data_file, file_type, data_file_type;
type zoneinfo_data_file, file_type, data_file_type;
type vold_data_file, file_type, data_file_type;
type perfprofd_data_file, file_type, data_file_type, mlstrustedobject;

# Compatibility with type names used in vanilla Android 4.3 and 4.4.
# audio_firmware_file remains usable as an alias for audio_data_file.
typealias audio_data_file alias audio_firmware_file;
# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type;
# /data/data subdirectory for system UID apps.
type system_app_data_file, file_type, data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4.
# Both old names resolve to app_data_file, so any rule written against
# platform_app_data_file or download_file applies to app_data_file itself.
typealias app_data_file alias platform_app_data_file;
typealias app_data_file alias download_file;
# Default type for anything under /cache
type cache_file, file_type, mlstrustedobject;
# Type for /cache/.*\.{data|restore} and default
# type for anything under /cache/backup
type cache_backup_file, file_type, mlstrustedobject;
# Default type for anything under /efs
type efs_file, file_type;
# Type for wallpaper file.
type wallpaper_file, file_type, mlstrustedobject;
# /mnt/asec
type asec_apk_file, file_type, data_file_type, mlstrustedobject;
# Elements of asec files (/mnt/asec) that are world readable
type asec_public_file, file_type, data_file_type;
# /data/app-asec
type asec_image_file, file_type, data_file_type;
# /data/backup and /data/secure/backup
type backup_data_file, file_type, data_file_type, mlstrustedobject;
# For /data/security
# Carries file_type only: although the path is under /data, this type does
# not have data_file_type, so rules written against data_file_type do not
# cover it.
type security_file, file_type;
# All devices have bluetooth efs files, but they vary per device,
# so this type is used in per-device policy.
type bluetooth_efs_file, file_type;
# Type for fingerprint template file.
type fingerprintd_data_file, file_type, data_file_type;

# Socket types
#
# Each type here carries file_type. A few also carry mlstrustedobject.
# NOTE(review): in AOSP policy mlstrustedobject marks objects exempt from MLS
# restrictions -- confirm against the attributes file, which is not part of
# this listing.
type adbd_socket, file_type;
type bluetooth_socket, file_type;
type dnsproxyd_socket, file_type, mlstrustedobject;
type dumpstate_socket, file_type;
type fwmarkd_socket, file_type, mlstrustedobject;
type gps_socket, file_type;
type installd_socket, file_type;
type lmkd_socket, file_type;
type logd_socket, file_type, mlstrustedobject;
type logdr_socket, file_type, mlstrustedobject;
type logdw_socket, file_type, mlstrustedobject;
type mdns_socket, file_type;
type mdnsd_socket, file_type, mlstrustedobject;
# NOTE(review): the name suggests a file rather than a socket, and the type
# has no data_file_type -- confirm its path in file_contexts and whether it
# belongs in this section.
type misc_logd_file, file_type;
type mtpd_socket, file_type;
type netd_socket, file_type;
type property_socket, file_type;
type racoon_socket, file_type;
type rild_socket, file_type;
type rild_debug_socket, file_type;
type system_wpa_socket, file_type;
type system_ndebug_socket, file_type;
type vold_socket, file_type;
type wpa_socket, file_type;
type zygote_socket, file_type;
type sap_uim_socket, file_type;
# UART (for GPS) control proc file
# Declared with file_type (not fs_type), although the comment above calls it
# a proc file.
type gps_control, file_type;

# Allow files to be created in their appropriate filesystems.
# The `associate` permission of the filesystem class decides whether an
# object labeled with the source type may exist on a filesystem labeled with
# the target type.
# Any fs_type type may associate with a filesystem that has that same type.
allow fs_type self:filesystem associate;
# sysfs_type types may exist on a filesystem labeled sysfs.
allow sysfs_type sysfs:filesystem associate;
# file_type types may exist on labeledfs, tmpfs and rootfs filesystems.
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
# dev_type is not declared in this listing; types carrying it may exist on
# tmpfs.
allow dev_type tmpfs:filesystem associate;

# It is a bug for a single type to carry both the file_type attribute and
# the fs_type attribute. Do not allow it.
#
# For example, the following is a bug:
#   type apk_data_file, file_type, data_file_type, fs_type;
# Should be:
#   type apk_data_file, file_type, data_file_type;
#
# A type with both attributes would be source and target of
# `allow fs_type self:filesystem associate;` at once, which is the
# combination this rule forbids. neverallow is an assertion checked when the
# policy is compiled, so such a declaration fails the build instead of
# shipping.
neverallow fs_type file_type:filesystem associate;