Lines Matching refs:neverallow
2 ### neverallow rules for untrusted app domains
16 neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
19 neverallow all_untrusted_apps domain:netlink_socket *;
23 neverallow all_untrusted_apps debugfs_type:file read;
28 neverallow all_untrusted_apps service_manager_type:service_manager add;
31 neverallow all_untrusted_apps vndbinder_device:chr_file *;
32 neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
36 neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
37 neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
38 neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
42 neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
47 # constraints. As there is no direct way to specify a neverallow
52 neverallow all_untrusted_apps mlstrustedsubject:process fork;
60 neverallow all_untrusted_apps file_type:file link;
63 neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
66 neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
69 neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
74 neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
75 neverallow all_untrusted_apps *:{
86 neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
87 neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
94 neverallow { all_untrusted_apps -mediaprovider } {
109 neverallow all_untrusted_apps fuse_device:chr_file *;
112 neverallow all_untrusted_apps tun_device:chr_file open;
115 neverallow all_untrusted_apps anr_data_file:file ~{ open append };
116 neverallow all_untrusted_apps anr_data_file:dir ~search;
120 neverallow all_untrusted_apps {
137 neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
140 neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
144 neverallow all_untrusted_apps system_file:file lock;
148 neverallow all_untrusted_apps *:hwservice_manager ~find;
177 neverallow all_untrusted_apps {
191 neverallow all_untrusted_apps {
233 neverallow all_untrusted_apps {
243 neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
249 neverallow all_untrusted_apps {
262 neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
