      1 ######################################
      2 # Attribute declarations
      3 #
        # An attribute names a group of types: a rule written against the
        # attribute applies to every type that carries it.
      4 
      5 # All types used for devices.
      6 # On change, update CHECK_FC_ASSERT_ATTRS
      7 # definition in tools/checkfc.c.
      8 attribute dev_type;
      9 
     10 # All types used for processes.
     11 attribute domain;
     12 
     13 # All types used for filesystems.
     14 # On change, update CHECK_FC_ASSERT_ATTRS
     15 # definition in tools/checkfc.c.
     16 attribute fs_type;
     17 
     18 # All types used for context= mounts.
     19 attribute contextmount_type;
     20 
     21 # All types used for files that can exist on a labeled fs.
     22 # Do not use for pseudo file types.
     23 # On change, update CHECK_FC_ASSERT_ATTRS
     24 # definition in tools/checkfc.c.
     25 attribute file_type;
     26 
     27 # All types used for domain entry points.
     28 attribute exec_type;
     29 
     30 # All types used for /data files.
        # expandattribute false: the policy compiler keeps this attribute in the
        # compiled policy instead of replacing it with its member types.
     31 attribute data_file_type;
     32 expandattribute data_file_type false;
     33 # All types in /data, not in /data/vendor
     34 attribute core_data_file_type;
     35 # All types in /vendor
     36 attribute vendor_file_type;
     37 
     38 # All types used for sysfs files.
     39 attribute sysfs_type;
     40 
     41 # All types used for debugfs files.
     42 attribute debugfs_type;
     43 
     44 # Attribute used for all sdcards
     45 attribute sdcard_type;
     46 
     47 # All types used for nodes/hosts.
     48 attribute node_type;
     49 
     50 # All types used for network interfaces.
     51 attribute netif_type;
     52 
     53 # All types used for network ports.
     54 attribute port_type;
     55 
     56 # All types used for the property service.
     57 # On change, update CHECK_PC_ASSERT_ATTRS
     58 # definition in tools/checkfc.c.
     59 attribute property_type;
     60 
     61 # All properties defined in core SELinux policy. Should not be
     62 # used by device-specific properties.
     63 attribute core_property_type;
     64 
     65 # All properties used to configure log filtering.
     66 attribute log_property_type;
     67 
     68 # All service_manager types created by system_server
     69 attribute system_server_service;
     70 
     71 # Services which should be available to all but isolated apps.
        # NOTE(review): the rules that grant this access are not in this file;
        # presumably any service given this attribute becomes reachable by that
        # whole set of apps, so review additions accordingly.
     72 attribute app_api_service;
     73 
     74 # Services which should be available to all ephemeral apps.
     75 attribute ephemeral_app_api_service;
     76 
     77 # Services which export only system_api.
     78 attribute system_api_service;
     79 
     80 # All types used for services managed by servicemanager.
     81 # On change, update CHECK_SC_ASSERT_ATTRS
     82 # definition in tools/checkfc.c.
     83 attribute service_manager_type;
     84 
     85 # All types used for services managed by hwservicemanager
     86 attribute hwservice_manager_type;
     87 
     88 # All HwBinder services guaranteed to be passthrough. These services always run
     89 # in the process of their clients, and thus operate with the same access as
     90 # their clients.
     91 attribute same_process_hwservice;
     92 
     93 # All HwBinder services guaranteed to be offered only by core domain components
     94 attribute coredomain_hwservice;
     95 
     96 # All types used for services managed by vndservicemanager
     97 attribute vndservice_manager_type;
     98 
     99 
    100 # All domains that can override MLS restrictions.
    101 # i.e. processes that can read up and write down.
        # NOTE(review): the MLS constraints that honor these two attributes are
        # defined elsewhere in the policy. Membership is an exemption from those
        # constraints, so each type added here deserves review.
    102 attribute mlstrustedsubject;
    103 
    104 # All types that can override MLS restrictions.
    105 # i.e. files that can be read by lower and written by higher
    106 attribute mlstrustedobject;
    107 
    108 # All domains used for apps.
    109 attribute appdomain;
    110 
    111 # All third-party apps.
    112 attribute untrusted_app_all;
    113 
    114 # All domains used for apps with network access.
    115 attribute netdomain;
    116 
    117 # All domains used for apps with bluetooth access.
    118 attribute bluetoothdomain;
    119 
    120 # All domains used for binder service domains.
    121 attribute binderservicedomain;
    122 
    123 # update_engine related domains that need to apply an update and run
    124 # postinstall. This includes the background daemon and the sideload tool from
    125 # recovery for A/B devices.
    126 attribute update_engine_common;
    127 
    128 # All core domains (as opposed to vendor/device-specific domains)
    129 attribute coredomain;
    130 
    131 # All socket devices owned by core domain components
    132 attribute coredomain_socket;
    133 
        # The three *_violators attributes below mark vendor domains that are
        # exempted from a stated requirement, so their member lists are the
        # exceptions to audit. expandattribute false keeps each attribute in the
        # compiled policy rather than expanding it to its member types.
    134 # All vendor domains which violate the requirement of not using Binder
    135 # TODO(b/35870313): Remove this once there are no violations
    136 attribute binder_in_vendor_violators;
    137 expandattribute binder_in_vendor_violators false;
    138 
    139 # All vendor domains which violate the requirement of not using sockets for
    140 # communicating with core components
    141 # TODO(b/36577153): Remove this once there are no violations
    142 attribute socket_between_core_and_vendor_violators;
    143 expandattribute socket_between_core_and_vendor_violators false;
    144 
    145 # All vendor domains which violate the requirement of not executing
    146 # system processes
    147 # TODO(b/36463595)
        # NOTE(review): this TODO names no action; the two TODOs above say to
        # remove the attribute once there are no violations - presumably the same
        # applies here, confirm against the bug.
    148 attribute vendor_executes_system_violators;
    149 expandattribute vendor_executes_system_violators false;
    150 
    151 # hwservices that are accessible from untrusted applications
    152 # WARNING: Use of this attribute should be avoided unless
    153 # absolutely necessary.  It is a temporary allowance to aid the
    154 # transition to treble and will be removed in a future platform
    155 # version, requiring all hwservices that are labeled with this
    156 # attribute to be submitted to AOSP in order to maintain their
    157 # app-visibility.
        # expandattribute false keeps the attribute in the compiled policy rather
        # than expanding it to its member types.
    158 attribute untrusted_app_visible_hwservice;
    159 expandattribute untrusted_app_visible_hwservice false;
    160 
    161 # halserver domains that are accessible to untrusted applications.  These
    162 # domains are typically those hosting hwservices labeled with the
    163 # untrusted_app_visible_hwservice attribute.
    164 # WARNING: Use of this attribute should be avoided unless absolutely necessary.
    165 # It is a temporary allowance to aid the transition to treble and will be
    166 # removed in a future platform version, requiring all halserver domains that
    167 # are labeled with this attribute to be submitted to AOSP in order to maintain
    168 # their app-visibility.
    169 attribute untrusted_app_visible_halserver;
    170 expandattribute untrusted_app_visible_halserver false;
    171 
    172 # PDX services
        # The two socket attributes are kept unexpanded (expandattribute false);
        # pdx_endpoint_dir_type has no expandattribute statement, so the
        # compiler default applies to it.
    173 attribute pdx_endpoint_dir_type;
    174 attribute pdx_endpoint_socket_type;
    175 expandattribute pdx_endpoint_socket_type false;
    176 attribute pdx_channel_socket_type;
    177 expandattribute pdx_channel_socket_type false;
    178 
        # pdx_service_attributes() is a macro defined outside this file.
        # NOTE(review): presumably it declares the per-service attributes for the
        # named PDX service - confirm against the macro definition.
    179 pdx_service_attributes(display_client)
    180 pdx_service_attributes(display_manager)
    181 pdx_service_attributes(display_screenshot)
    182 pdx_service_attributes(display_vsync)
    183 pdx_service_attributes(performance_client)
    184 pdx_service_attributes(bufferhub_client)
    185 
    186 # All HAL servers
    187 attribute halserverdomain;
    188 # All HAL clients
        # expandattribute true makes the policy compiler replace the attribute
        # with its member types and drop it from the compiled policy.
    189 attribute halclientdomain;
    190 expandattribute halclientdomain true;
    191 
    192 # HALs
        # Each HAL has a base attribute plus _client and _server attributes.
        # expandattribute true makes the policy compiler replace the attribute
        # with its member types and drop it from the compiled policy; false keeps
        # the attribute. In this list every _client attribute is true and every
        # _server attribute is false. The base attribute is true except for
        # hal_audio, hal_bootctl, hal_camera, hal_drm and hal_cas, which are
        # false; the file does not say why those five differ.
    193 attribute hal_allocator;
    194 expandattribute hal_allocator true;
    195 attribute hal_allocator_client;
    196 expandattribute hal_allocator_client true;
    197 attribute hal_allocator_server;
    198 expandattribute hal_allocator_server false;
    199 attribute hal_audio;
    200 expandattribute hal_audio false;
    201 attribute hal_audio_client;
    202 expandattribute hal_audio_client true;
    203 attribute hal_audio_server;
    204 expandattribute hal_audio_server false;
    205 attribute hal_bluetooth;
    206 expandattribute hal_bluetooth true;
    207 attribute hal_bluetooth_client;
    208 expandattribute hal_bluetooth_client true;
    209 attribute hal_bluetooth_server;
    210 expandattribute hal_bluetooth_server false;
    211 attribute hal_bootctl;
    212 expandattribute hal_bootctl false;
    213 attribute hal_bootctl_client;
    214 expandattribute hal_bootctl_client true;
    215 attribute hal_bootctl_server;
    216 expandattribute hal_bootctl_server false;
    217 attribute hal_broadcastradio;
    218 expandattribute hal_broadcastradio true;
    219 attribute hal_broadcastradio_client;
    220 expandattribute hal_broadcastradio_client true;
    221 attribute hal_broadcastradio_server;
    222 expandattribute hal_broadcastradio_server false;
    223 attribute hal_camera;
    224 expandattribute hal_camera false;
    225 attribute hal_camera_client;
    226 expandattribute hal_camera_client true;
    227 attribute hal_camera_server;
    228 expandattribute hal_camera_server false;
    229 attribute hal_configstore;
    230 expandattribute hal_configstore true;
    231 attribute hal_configstore_client;
    232 expandattribute hal_configstore_client true;
    233 attribute hal_configstore_server;
    234 expandattribute hal_configstore_server false;
    235 attribute hal_contexthub;
    236 expandattribute hal_contexthub true;
    237 attribute hal_contexthub_client;
    238 expandattribute hal_contexthub_client true;
    239 attribute hal_contexthub_server;
    240 expandattribute hal_contexthub_server false;
    241 attribute hal_drm;
    242 expandattribute hal_drm false;
    243 attribute hal_drm_client;
    244 expandattribute hal_drm_client true;
    245 attribute hal_drm_server;
    246 expandattribute hal_drm_server false;
    247 attribute hal_cas;
    248 expandattribute hal_cas false;
    249 attribute hal_cas_client;
    250 expandattribute hal_cas_client true;
    251 attribute hal_cas_server;
    252 expandattribute hal_cas_server false;
    253 attribute hal_dumpstate;
    254 expandattribute hal_dumpstate true;
    255 attribute hal_dumpstate_client;
    256 expandattribute hal_dumpstate_client true;
    257 attribute hal_dumpstate_server;
    258 expandattribute hal_dumpstate_server false;
    259 attribute hal_fingerprint;
    260 expandattribute hal_fingerprint true;
    261 attribute hal_fingerprint_client;
    262 expandattribute hal_fingerprint_client true;
    263 attribute hal_fingerprint_server;
    264 expandattribute hal_fingerprint_server false;
    265 attribute hal_gatekeeper;
    266 expandattribute hal_gatekeeper true;
    267 attribute hal_gatekeeper_client;
    268 expandattribute hal_gatekeeper_client true;
    269 attribute hal_gatekeeper_server;
    270 expandattribute hal_gatekeeper_server false;
    271 attribute hal_gnss;
    272 expandattribute hal_gnss true;
    273 attribute hal_gnss_client;
    274 expandattribute hal_gnss_client true;
    275 attribute hal_gnss_server;
    276 expandattribute hal_gnss_server false;
    277 attribute hal_graphics_allocator;
    278 expandattribute hal_graphics_allocator true;
    279 attribute hal_graphics_allocator_client;
    280 expandattribute hal_graphics_allocator_client true;
    281 attribute hal_graphics_allocator_server;
    282 expandattribute hal_graphics_allocator_server false;
    283 attribute hal_graphics_composer;
    284 expandattribute hal_graphics_composer true;
    285 attribute hal_graphics_composer_client;
    286 expandattribute hal_graphics_composer_client true;
    287 attribute hal_graphics_composer_server;
    288 expandattribute hal_graphics_composer_server false;
    289 attribute hal_health;
    290 expandattribute hal_health true;
    291 attribute hal_health_client;
    292 expandattribute hal_health_client true;
    293 attribute hal_health_server;
    294 expandattribute hal_health_server false;
    295 attribute hal_ir;
    296 expandattribute hal_ir true;
    297 attribute hal_ir_client;
    298 expandattribute hal_ir_client true;
    299 attribute hal_ir_server;
    300 expandattribute hal_ir_server false;
    301 attribute hal_keymaster;
    302 expandattribute hal_keymaster true;
    303 attribute hal_keymaster_client;
    304 expandattribute hal_keymaster_client true;
    305 attribute hal_keymaster_server;
    306 expandattribute hal_keymaster_server false;
    307 attribute hal_light;
    308 expandattribute hal_light true;
    309 attribute hal_light_client;
    310 expandattribute hal_light_client true;
    311 attribute hal_light_server;
    312 expandattribute hal_light_server false;
    313 attribute hal_memtrack;
    314 expandattribute hal_memtrack true;
    315 attribute hal_memtrack_client;
    316 expandattribute hal_memtrack_client true;
    317 attribute hal_memtrack_server;
    318 expandattribute hal_memtrack_server false;
    319 attribute hal_neuralnetworks;
    320 expandattribute hal_neuralnetworks true;
    321 attribute hal_neuralnetworks_client;
    322 expandattribute hal_neuralnetworks_client true;
    323 attribute hal_neuralnetworks_server;
    324 expandattribute hal_neuralnetworks_server false;
    325 attribute hal_nfc;
    326 expandattribute hal_nfc true;
    327 attribute hal_nfc_client;
    328 expandattribute hal_nfc_client true;
    329 attribute hal_nfc_server;
    330 expandattribute hal_nfc_server false;
    331 attribute hal_oemlock;
    332 expandattribute hal_oemlock true;
    333 attribute hal_oemlock_client;
    334 expandattribute hal_oemlock_client true;
    335 attribute hal_oemlock_server;
    336 expandattribute hal_oemlock_server false;
    337 attribute hal_power;
    338 expandattribute hal_power true;
    339 attribute hal_power_client;
    340 expandattribute hal_power_client true;
    341 attribute hal_power_server;
    342 expandattribute hal_power_server false;
    343 attribute hal_sensors;
    344 expandattribute hal_sensors true;
    345 attribute hal_sensors_client;
    346 expandattribute hal_sensors_client true;
    347 attribute hal_sensors_server;
    348 expandattribute hal_sensors_server false;
    349 attribute hal_telephony;
    350 expandattribute hal_telephony true;
    351 attribute hal_telephony_client;
    352 expandattribute hal_telephony_client true;
    353 attribute hal_telephony_server;
    354 expandattribute hal_telephony_server false;
    355 attribute hal_tetheroffload;
    356 expandattribute hal_tetheroffload true;
    357 attribute hal_tetheroffload_client;
    358 expandattribute hal_tetheroffload_client true;
    359 attribute hal_tetheroffload_server;
    360 expandattribute hal_tetheroffload_server false;
    361 attribute hal_thermal;
    362 expandattribute hal_thermal true;
    363 attribute hal_thermal_client;
    364 expandattribute hal_thermal_client true;
    365 attribute hal_thermal_server;
    366 expandattribute hal_thermal_server false;
    367 attribute hal_tv_cec;
    368 expandattribute hal_tv_cec true;
    369 attribute hal_tv_cec_client;
    370 expandattribute hal_tv_cec_client true;
    371 attribute hal_tv_cec_server;
    372 expandattribute hal_tv_cec_server false;
    373 attribute hal_tv_input;
    374 expandattribute hal_tv_input true;
    375 attribute hal_tv_input_client;
    376 expandattribute hal_tv_input_client true;
    377 attribute hal_tv_input_server;
    378 expandattribute hal_tv_input_server false;
    379 attribute hal_usb;
    380 expandattribute hal_usb true;
    381 attribute hal_usb_client;
    382 expandattribute hal_usb_client true;
    383 attribute hal_usb_server;
    384 expandattribute hal_usb_server false;
    385 attribute hal_vibrator;
    386 expandattribute hal_vibrator true;
    387 attribute hal_vibrator_client;
    388 expandattribute hal_vibrator_client true;
    389 attribute hal_vibrator_server;
    390 expandattribute hal_vibrator_server false;
    391 attribute hal_vr;
    392 expandattribute hal_vr true;
    393 attribute hal_vr_client;
    394 expandattribute hal_vr_client true;
    395 attribute hal_vr_server;
    396 expandattribute hal_vr_server false;
    397 attribute hal_weaver;
    398 expandattribute hal_weaver true;
    399 attribute hal_weaver_client;
    400 expandattribute hal_weaver_client true;
    401 attribute hal_weaver_server;
    402 expandattribute hal_weaver_server false;
    403 attribute hal_wifi;
    404 expandattribute hal_wifi true;
    405 attribute hal_wifi_client;
    406 expandattribute hal_wifi_client true;
    407 attribute hal_wifi_server;
    408 expandattribute hal_wifi_server false;
    409 attribute hal_wifi_offload;
    410 expandattribute hal_wifi_offload true;
    411 attribute hal_wifi_offload_client;
    412 expandattribute hal_wifi_offload_client true;
    413 attribute hal_wifi_offload_server;
    414 expandattribute hal_wifi_offload_server false;
    415 attribute hal_wifi_supplicant;
    416 expandattribute hal_wifi_supplicant true;
    417 attribute hal_wifi_supplicant_client;
    418 expandattribute hal_wifi_supplicant_client true;
    419 attribute hal_wifi_supplicant_server;
    420 expandattribute hal_wifi_supplicant_server false;
    421 
    422 # HwBinder services offered across the core-vendor boundary
    423 #
    424 # We annotate server domains with x_server to loosen the coupling between
    425 # system and vendor images. For example, it should be possible to move a service
    426 # from one core domain to another, without having to update the vendor image
    427 # which contains clients of this service.
    428 
    429 attribute display_service_server;
    430 attribute wifi_keystore_service_server;
    431