# Label declarations for filesystems and for files under /system and /vendor.
# Each "type" statement declares one label and attaches the listed attributes.
# The attributes themselves (fs_type, file_type, sysfs_type, debugfs_type,
# sdcard_type, contextmount_type, vendor_file_type, mlstrustedobject, ...)
# are declared outside this file.
# NOTE(review): in AOSP, mlstrustedobject exempts an object type from the MLS
# category checks that separate apps and users. Treat every use below as a
# deliberate widening of access and confirm it against the attribute
# definition before adding new ones.

# Filesystem types
type labeledfs, fs_type;
type pipefs, fs_type;
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type;
# Security-sensitive proc nodes that should not be writable by most domains.
type proc_security, fs_type;
type proc_drop_caches, fs_type;
type proc_overcommit_memory, fs_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type;
type sysfs_usermodehelper, fs_type, sysfs_type;
type qtaguid_proc, fs_type, mlstrustedobject;
type proc_bluetooth_writable, fs_type;
type proc_cpuinfo, fs_type;
type proc_interrupts, fs_type;
type proc_iomem, fs_type;
type proc_meminfo, fs_type;
type proc_misc, fs_type;
type proc_modules, fs_type;
type proc_net, fs_type;
type proc_perf, fs_type;
type proc_stat, fs_type;
type proc_sysrq, fs_type;
type proc_timer, fs_type;
type proc_tty_drivers, fs_type;
type proc_uid_cputime_showstat, fs_type;
type proc_uid_cputime_removeuid, fs_type;
type proc_uid_io_stats, fs_type;
type proc_uid_procstat_set, fs_type;
type proc_uid_time_in_state, fs_type;
type proc_zoneinfo, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_leds, fs_type, sysfs_type;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_mac_address, fs_type, sysfs_type;
# NOTE(review): sysfs_usb is the only sysfs_type declared in this file that
# carries file_type instead of fs_type - confirm this is intended.
type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
type configfs, fs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
# /sys/module/lowmemorykiller
type sysfs_lowmemorykiller, fs_type, sysfs_type;
# /sys/module/wlan/parameters/fwpath
type sysfs_wlan_fwpath, fs_type, sysfs_type;
type sysfs_vibrator, fs_type, sysfs_type;

type sysfs_thermal, sysfs_type, fs_type;

type sysfs_zram, fs_type, sysfs_type;
type sysfs_zram_uevent, fs_type, sysfs_type;
type inotify, fs_type, mlstrustedobject;
type devpts, fs_type, mlstrustedobject;
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;
type fuse, sdcard_type, fs_type, mlstrustedobject;
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing, fs_type, debugfs_type;
type debugfs_tracing_debug, fs_type, debugfs_type;
type debugfs_tracing_instances, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type;

type pstorefs, fs_type;
type functionfs, fs_type, mlstrustedobject;
type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
type binfmt_miscfs, fs_type;
type app_fusefs, fs_type, contextmount_type;

# File types
type unlabeled, file_type;

# Default type for anything under /system.
type system_file, file_type;

# Default type for directories searched for
# HAL implementations
type vendor_hal_file, vendor_file_type, file_type;
# Default type for anything under /vendor or /system/vendor
type vendor_file, vendor_file_type, file_type;
# Default type for everything in /vendor/app
type vendor_app_file, vendor_file_type, file_type;
# Default type for everything under /vendor/etc/
type vendor_configs_file, vendor_file_type, file_type;
# Default type for all *same process* HALs.
# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
type same_process_hal_file, vendor_file_type, file_type;
# Default type for vndk-sp libs. /vendor/lib/vndk-sp
type vndk_sp_file, vendor_file_type, file_type;
# Default type for everything in /vendor/framework
type vendor_framework_file, vendor_file_type, file_type;
# Default type for everything in /vendor/overlay
type vendor_overlay_file, vendor_file_type, file_type;

# Speed up access for trusted applications to the runtime event tags
type runtime_event_log_tags_file, file_type;
# Type for /system/bin/logcat.
type logcat_exec, exec_type, file_type;
# /cores for coredumps on userdebug / eng builds
type coredump_file, file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type, core_data_file_type;
# Unencrypted data
type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
# /data/.layout_version or other installd-created files that
# are created in a system_data_file directory.
type install_data_file, file_type, data_file_type, core_data_file_type;
# Labels for top-level /data subtrees and vold-managed mount points follow.
# file_type, data_file_type, core_data_file_type and mlstrustedobject are
# attributes declared outside this file.
# NOTE(review): several types below also carry mlstrustedobject, which in
# AOSP exempts them from MLS category separation - confirm each one needs it.
# /data/drm - DRM plugin data
type drm_data_file, file_type, data_file_type, core_data_file_type;
# /data/adb - adb debugging files
type adb_data_file, file_type, data_file_type, core_data_file_type;
# /data/anr - ANR traces
type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/tombstones - core dumps
type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/app - user-installed apps
type apk_data_file, file_type, data_file_type, core_data_file_type;
type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/app-private - forward-locked apps
type apk_private_data_file, file_type, data_file_type, core_data_file_type;
type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
# /data/ota
type ota_data_file, file_type, data_file_type, core_data_file_type;
# /data/ota_package
type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profiles
type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profman
type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
# /data/local - writable by shell
type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/property
type property_data_file, file_type, data_file_type, core_data_file_type;
# /data/bootchart
type bootchart_data_file, file_type, data_file_type, core_data_file_type;
# /data/system/heapdump
type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/nativetest
type nativetest_data_file, file_type, data_file_type, core_data_file_type;
# /data/system_de/0/ringtones
type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/preloads
type preloads_data_file, file_type, data_file_type, core_data_file_type;
# /data/preloads/media
type preloads_media_file, file_type, data_file_type, core_data_file_type;
# /data/misc/dhcp and /data/misc/dhcp-6.8.2
type dhcp_data_file, file_type, data_file_type, core_data_file_type;

# Mount locations managed by vold
type mnt_media_rw_file, file_type;
type mnt_user_file, file_type;
type mnt_expand_file, file_type;
type storage_file, file_type;

# Label for storage dirs which are just mount stubs
type mnt_media_rw_stub_file, file_type;
type storage_stub_file, file_type;

# /postinstall: Mount point used by update_engine to run postinstall.
type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
type postinstall_file, file_type;

# /data/misc subdirectories
# One label per service directory, so access can be granted per service.
# NOTE(review): judging by their names, adb_keys_file, gatekeeper_data_file,
# keychain_data_file, keystore_data_file, systemkeys_data_file and
# vpn_data_file hold credentials or key material. None of them is tagged
# mlstrustedobject here; keep it that way unless there is a reviewed reason.
type adb_keys_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audiohal_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
type bootstat_data_file, file_type, data_file_type, core_data_file_type;
type boottrace_data_file, file_type, data_file_type, core_data_file_type;
type camera_data_file, file_type, data_file_type, core_data_file_type;
type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
type incident_data_file, file_type, data_file_type, core_data_file_type;
type keychain_data_file, file_type, data_file_type, core_data_file_type;
type keystore_data_file, file_type, data_file_type, core_data_file_type;
type media_data_file, file_type, data_file_type, core_data_file_type;
type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type misc_user_data_file, file_type, data_file_type, core_data_file_type;
type net_data_file, file_type, data_file_type, core_data_file_type;
type nfc_data_file, file_type, data_file_type, core_data_file_type;
type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type reboot_data_file, file_type, data_file_type, core_data_file_type;
type recovery_data_file, file_type, data_file_type, core_data_file_type;
type shared_relro_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
type vpn_data_file, file_type, data_file_type, core_data_file_type;
type wifi_data_file, file_type, data_file_type, core_data_file_type;
type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
type vold_data_file, file_type, data_file_type, core_data_file_type;
type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# NOTE(review): tee_data_file is the only type in this group without
# core_data_file_type - presumably so non-core (vendor) TEE daemons can use
# it; confirm before changing.
type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;

# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type, core_data_file_type;
# /data/data subdirectory for system UID apps.
type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4.
# NOTE(review): no alias or compatibility declaration follows the line above
# in this file; the comment looks stale.
# Default type for anything under /cache
type cache_file, file_type, data_file_type, mlstrustedobject;
# Type for /cache/backup_stage/* (fd interchange with apps)
type cache_backup_file, file_type, data_file_type, mlstrustedobject;
# Type for anything under /cache/backup (local transport storage)
type cache_private_backup_file, file_type, data_file_type;
# Type for anything under /cache/recovery
type cache_recovery_file, file_type, data_file_type, mlstrustedobject;
# Default type for anything under /efs
type efs_file, file_type;
# Type for wallpaper file.
type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for shortcut manager icon file.
type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for user icon file.
type icon_file, file_type, data_file_type, core_data_file_type;
# /mnt/asec
type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Elements of asec files (/mnt/asec) that are world readable
type asec_public_file, file_type, data_file_type, core_data_file_type;
# /data/app-asec
type asec_image_file, file_type, data_file_type, core_data_file_type;
# /data/backup and /data/secure/backup
type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# All devices have bluetooth efs files, but they
# vary per device, so this type is used in
# per-device policy
type bluetooth_efs_file, file_type;
# Type for fingerprint template file
type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
# Type for appfuse file.
type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;

# Socket types
# Labels for the socket files that daemons listen on. coredomain_socket and
# mlstrustedobject are attributes declared outside this file.
# NOTE(review): the sockets tagged mlstrustedobject are presumably the ones
# that callers at any MLS level must reach; confirm before tagging more.
type adbd_socket, file_type, coredomain_socket;
type bluetooth_socket, file_type, data_file_type, coredomain_socket;
type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
type dumpstate_socket, file_type, coredomain_socket;
type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
type lmkd_socket, file_type, coredomain_socket;
type logd_socket, file_type, coredomain_socket, mlstrustedobject;
type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
type mdns_socket, file_type, coredomain_socket;
type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
# NOTE(review): misc_logd_file is named like a file but is declared among the
# sockets with coredomain_socket - confirm this is intended.
type misc_logd_file, coredomain_socket, file_type, data_file_type;
type mtpd_socket, file_type, coredomain_socket;
type netd_socket, file_type, coredomain_socket;
type property_socket, file_type, coredomain_socket, mlstrustedobject;
type racoon_socket, file_type, coredomain_socket;
# Remaining socket types, PDX endpoint types, policy-configuration file types,
# and the filesystem associate rules for everything declared in this file.
# NOTE(review): rild_socket, rild_debug_socket, wpa_socket and
# tombstoned_java_trace_socket are not tagged coredomain_socket, unlike most
# sockets in this file; whether each omission is intentional cannot be told
# from here.
type rild_socket, file_type;
type rild_debug_socket, file_type;
type system_wpa_socket, file_type, data_file_type, coredomain_socket;
type system_ndebug_socket, file_type, data_file_type, coredomain_socket, mlstrustedobject;
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
type tombstoned_intercept_socket, file_type, coredomain_socket;
type uncrypt_socket, file_type, coredomain_socket;
type vold_socket, file_type, coredomain_socket;
type webview_zygote_socket, file_type, coredomain_socket;
type wpa_socket, file_type, data_file_type;
type zygote_socket, file_type, coredomain_socket;
# UART (for GPS) control proc file
type gps_control, file_type;

# PDX endpoint types
type pdx_display_dir, pdx_endpoint_dir_type, file_type;
type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;

# The macro used below is defined outside this file; each call takes a
# service name and the endpoint directory type declared above.
pdx_service_socket_types(display_client, pdx_display_dir)
pdx_service_socket_types(display_manager, pdx_display_dir)
pdx_service_socket_types(display_screenshot, pdx_display_dir)
pdx_service_socket_types(display_vsync, pdx_display_dir)
pdx_service_socket_types(performance_client, pdx_performance_dir)
pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)

# The types below label the policy configuration files themselves.
# NOTE(review): write access to any of them changes how labels and
# permissions are assigned, so rules granting it deserve close review.

# file_contexts files
type file_contexts_file, file_type;

# mac_permissions file
type mac_perms_file, file_type;

# property_contexts file
type property_contexts_file, file_type;

# seapp_contexts file
type seapp_contexts_file, file_type;

# sepolicy files binary and others
type sepolicy_file, file_type;

# service_contexts file
type service_contexts_file, file_type;

# nonplat service_contexts file (only accessible on non full-treble devices)
type nonplat_service_contexts_file, file_type;

# hwservice_contexts file
type hwservice_contexts_file, file_type;

# vndservice_contexts file
type vndservice_contexts_file, file_type;

# Allow files to be created in their appropriate filesystems.
# The associate permission lets an object carrying the source type exist on
# a filesystem labeled with the target type.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
allow postinstall_file self:filesystem associate;

# asanwrapper (run a sanitized app_process, to be used with wrap properties)
# The with_asan macro is defined outside this file.
with_asan(`type asanwrapper_exec, exec_type, file_type;')

# It is a bug to assign both the file_type attribute and the fs_type
# attribute to the same type. Do not allow it.
#
# For example, the following is a bug:
# type apk_data_file, file_type, data_file_type, fs_type;
# Should be:
# type apk_data_file, file_type, data_file_type;
#
# neverallow is an assertion checked when the policy is built. A type
# carrying both attributes would be allowed to associate with itself by the
# fs_type self rule above, which matches this assertion and fails the build.
neverallow fs_type file_type:filesystem associate;