# SELinux type declarations for filesystems, files and sockets, followed by
# the `filesystem associate` rules that bind those types to the filesystems
# they may live on.
#
# The attributes used below (fs_type, file_type, data_file_type, sysfs_type,
# debugfs_type, sdcard_type, exec_type, contextmount_type, mlstrustedobject,
# dev_type) are not declared in this file.
#
# NOTE(review): mlstrustedobject is declared elsewhere; in AOSP policy it
# marks objects that are exempt from the MLS (category) separation
# constraints. Each use below therefore widens which subjects can reach the
# object and should be a deliberate choice - confirm against the MLS
# constraint definitions.

# Filesystem types
type labeledfs, fs_type;
type pipefs, fs_type;
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type;
# Security-sensitive proc nodes that should not be writable by most domains.
type proc_security, fs_type;
# Type for /proc/sys/vm/drop_caches
type proc_drop_caches, fs_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type, sysfs_type;
type qtaguid_proc, fs_type, mlstrustedobject;
type proc_bluetooth_writable, fs_type;
type proc_cpuinfo, fs_type;
type proc_iomem, fs_type;
type proc_meminfo, fs_type;
type proc_net, fs_type;
type proc_sysrq, fs_type;
type proc_uid_cputime_showstat, fs_type;
type proc_uid_cputime_removeuid, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_mac_address, fs_type, sysfs_type;
# NOTE(review): unlike every other sysfs_* type in this file, sysfs_usb
# carries file_type instead of fs_type. Through the associate rules at the
# bottom of this file it may therefore associate with labeledfs, tmpfs and
# rootfs as well as sysfs, and it does not receive the fs_type self-associate
# rule. Confirm this is intended.
type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
type configfs, fs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
# /sys/module/lowmemorykiller
type sysfs_lowmemorykiller, fs_type, sysfs_type;

type sysfs_thermal, sysfs_type, fs_type;

type sysfs_zram, fs_type, sysfs_type;
type sysfs_zram_uevent, fs_type, sysfs_type;
type inotify, fs_type, mlstrustedobject;
type devpts, fs_type, mlstrustedobject;
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;
# Filesystems grouped under sdcard_type.
type fuse, sdcard_type, fs_type, mlstrustedobject;
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
# debugfs and the debugfs_type nodes that may associate with it (see the
# debugfs_type associate rule near the end of this file).
type debugfs, fs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing, fs_type, debugfs_type;
type pstorefs, fs_type;
type functionfs, fs_type;
type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
type binfmt_miscfs, fs_type;
type app_fusefs, fs_type, contextmount_type;

# File types
type unlabeled, file_type;
# Default type for anything under /system.
type system_file, file_type;
# Type for /system/bin/logcat.
type logcat_exec, exec_type, file_type;
# /cores for coredumps on userdebug / eng builds
type coredump_file, file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type;
# Unencrypted data
type unencrypted_data_file, file_type, data_file_type;
# /data/.layout_version or other installd-created files that
# are created in a system_data_file directory.
type install_data_file, file_type, data_file_type;
# /data/drm - DRM plugin data
type drm_data_file, file_type, data_file_type;
# /data/adb - adb debugging files
type adb_data_file, file_type, data_file_type;
# /data/anr - ANR traces
type anr_data_file, file_type, data_file_type, mlstrustedobject;
# /data/tombstones - core dumps
type tombstone_data_file, file_type, data_file_type;
# /data/app - user-installed apps
type apk_data_file, file_type, data_file_type;
type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/app-private - forward-locked apps
type apk_private_data_file, file_type, data_file_type;
type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type;
# /data/ota
type ota_data_file, file_type, data_file_type;
# /data/ota_package
type ota_package_file, file_type, data_file_type, mlstrustedobject;
# /data/misc/profiles
type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
type user_profile_foreign_dex_data_file, file_type, data_file_type, mlstrustedobject;
# /data/misc/profman
type profman_dump_data_file, file_type, data_file_type;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type;
# /data/local - writable by shell
type shell_data_file, file_type, data_file_type, mlstrustedobject;
# /data/gps
type gps_data_file, file_type, data_file_type;
# /data/property
type property_data_file, file_type, data_file_type;
# /data/bootchart
type bootchart_data_file, file_type, data_file_type;
# /data/system/heapdump
type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
# /data/nativetest
type nativetest_data_file, file_type, data_file_type;
# /data/system_de/0/ringtones
type ringtone_file, file_type, data_file_type, mlstrustedobject;
# /data/preloads
type preloads_data_file, file_type, data_file_type;

# Mount locations managed by vold
type mnt_media_rw_file, file_type;
type mnt_user_file, file_type;
type mnt_expand_file, file_type;
type storage_file, file_type;

# Label for storage dirs which are just mount stubs
type mnt_media_rw_stub_file, file_type;
type storage_stub_file, file_type;

# /postinstall: Mount point used by update_engine to run postinstall.
type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
type postinstall_file, file_type;

# /data/misc subdirectories
# Each subdirectory has its own type, so rules elsewhere can be scoped to one
# subdirectory instead of being granted on system_data_file as a whole.
type adb_keys_file, file_type, data_file_type;
type audio_data_file, file_type, data_file_type;
type audioserver_data_file, file_type, data_file_type;
type bluetooth_data_file, file_type, data_file_type;
type bootstat_data_file, file_type, data_file_type;
type boottrace_data_file, file_type, data_file_type;
type camera_data_file, file_type, data_file_type;
type gatekeeper_data_file, file_type, data_file_type;
type keychain_data_file, file_type, data_file_type;
type keystore_data_file, file_type, data_file_type;
type media_data_file, file_type, data_file_type;
type media_rw_data_file, file_type, data_file_type, mlstrustedobject;
type misc_user_data_file, file_type, data_file_type;
type net_data_file, file_type, data_file_type;
type nfc_data_file, file_type, data_file_type;
type radio_data_file, file_type, data_file_type, mlstrustedobject;
type recovery_data_file, file_type, data_file_type;
type shared_relro_file, file_type, data_file_type;
type systemkeys_data_file, file_type, data_file_type;
type vpn_data_file, file_type, data_file_type;
type wifi_data_file, file_type, data_file_type;
type zoneinfo_data_file, file_type, data_file_type;
type vold_data_file, file_type, data_file_type;
type perfprofd_data_file, file_type, data_file_type, mlstrustedobject;
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, mlstrustedobject;

# Compatibility with type names used in vanilla Android 4.3 and 4.4.
# The alias makes audio_firmware_file a second name for audio_data_file.
typealias audio_data_file alias audio_firmware_file;
# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type;
type autoplay_data_file, file_type, data_file_type;
# /data/data subdirectory for system UID apps.
type system_app_data_file, file_type, data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4.
# Both legacy names resolve to app_data_file, so any rule written against
# either alias applies to every app_data_file object.
typealias app_data_file alias platform_app_data_file;
typealias app_data_file alias download_file;
# Default type for anything under /cache
type cache_file, file_type, mlstrustedobject;
# Type for /cache/backup_stage/* (fd interchange with apps)
type cache_backup_file, file_type, mlstrustedobject;
# Type for anything under /cache/backup (local transport storage)
type cache_private_backup_file, file_type;
# Type for anything under /cache/recovery
type cache_recovery_file, file_type, mlstrustedobject;
# Default type for anything under /efs
type efs_file, file_type;
# Type for wallpaper file.
type wallpaper_file, file_type, data_file_type, mlstrustedobject;
# Type for shortcut manager icon file.
type shortcut_manager_icons, file_type, data_file_type, mlstrustedobject;
# Type for user icon file.
type icon_file, file_type, data_file_type;
# /mnt/asec
type asec_apk_file, file_type, data_file_type, mlstrustedobject;
# Elements of asec files (/mnt/asec) that are world readable
type asec_public_file, file_type, data_file_type;
# /data/app-asec
type asec_image_file, file_type, data_file_type;
# /data/backup and /data/secure/backup
type backup_data_file, file_type, data_file_type, mlstrustedobject;
# For /data/security
type security_file, file_type;
# All devices have bluetooth efs files, but they
# vary per device, so this type is used in
# per-device policy.
type bluetooth_efs_file, file_type;
# Type for fingerprint template file.
type fingerprintd_data_file, file_type, data_file_type;
# Type for appfuse file.
type app_fuse_file, file_type, data_file_type, mlstrustedobject;

# Socket types
# Socket nodes are declared with file_type only, none with data_file_type.
type adbd_socket, file_type;
type bluetooth_socket, file_type;
type dnsproxyd_socket, file_type, mlstrustedobject;
type dumpstate_socket, file_type;
type fwmarkd_socket, file_type, mlstrustedobject;
type gps_socket, file_type;
type installd_socket, file_type;
type lmkd_socket, file_type;
type logd_socket, file_type, mlstrustedobject;
type logdr_socket, file_type, mlstrustedobject;
type logdw_socket, file_type, mlstrustedobject;
type mdns_socket, file_type;
type mdnsd_socket, file_type, mlstrustedobject;
# NOTE(review): misc_logd_file is not a socket by name; presumably it labels
# logd's on-disk files - verify against file_contexts.
type misc_logd_file, file_type;
type mtpd_socket, file_type;
type netd_socket, file_type;
type property_socket, file_type;
type racoon_socket, file_type;
type rild_socket, file_type;
type rild_debug_socket, file_type;
type system_wpa_socket, file_type;
type system_ndebug_socket, file_type;
type uncrypt_socket, file_type;
type vold_socket, file_type;
type wpa_socket, file_type;
type zygote_socket, file_type;
type sap_uim_socket, file_type;
# UART (for GPS) control proc file
type gps_control, file_type;

# property_contexts file
type property_contexts, file_type;

# Allow files to be created in their appropriate filesystems.
# Every fs_type may associate with a filesystem of its own type.
allow fs_type self:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
# Every file_type may live on labeledfs, tmpfs or rootfs.
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
# postinstall_file is a file_type, yet it is also used as a filesystem target
# here. Presumably /postinstall is mounted with a context= option that labels
# the filesystem itself postinstall_file - confirm against the mount setup.
allow postinstall_file self:filesystem associate;

# It is a bug to assign both the file_type attribute and the fs_type
# attribute to the same type. Do not allow it.
#
# For example, the following is a bug:
# type apk_data_file, file_type, data_file_type, fs_type;
# Should be:
# type apk_data_file, file_type, data_file_type;
#
# How the check works: a type carrying both attributes would match the
# `allow fs_type self:filesystem associate` rule above with itself as a
# file_type target, which this neverallow rejects.
neverallow fs_type file_type:filesystem associate;