/system/sepolicy/prebuilts/api/28.0/private/ |
app_neverallows.te | 2 ### neverallow rules for untrusted app domains 16 neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *; 19 neverallow all_untrusted_apps domain:netlink_socket *; 23 neverallow all_untrusted_apps debugfs_type:file read; 28 neverallow all_untrusted_apps service_manager_type:service_manager add; 31 neverallow all_untrusted_apps vndbinder_device:chr_file *; 32 neverallow all_untrusted_apps vndservice_manager_type:service_manager *; 36 neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write; 37 neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto; 38 neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set [all...] |
isolated_app.te | 29 # neverallow rules below. 57 ##### Neverallow 61 neverallow isolated_app tun_device:chr_file open; 64 neverallow isolated_app app_data_file:file open; 69 neverallow isolated_app anr_data_file:file ~{ open append }; 70 neverallow isolated_app anr_data_file:dir ~search; 73 neverallow isolated_app hwbinder_device:chr_file *; 74 neverallow isolated_app *:hwservice_manager *; 77 neverallow isolated_app vndbinder_device:chr_file *; 81 neverallow isolated_app *:service_manager ~find [all...] |
ephemeral_app.te | 50 ### neverallow rules 53 neverallow ephemeral_app app_data_file:file execute_no_trans; 56 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *; 59 neverallow ephemeral_app domain:netlink_socket *; 63 neverallow ephemeral_app debugfs:file read; 66 neverallow ephemeral_app gpu_device:chr_file execute; 69 neverallow ephemeral_app sysfs:file *; 73 neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms }; 76 neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create}; 77 neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search [all...] |
priv_app.te | 161 ### neverallow rules 165 neverallow priv_app domain:netlink_kobject_uevent_socket *; 168 neverallow priv_app domain:netlink_socket *; 172 neverallow priv_app debugfs:file read; 177 neverallow priv_app service_manager_type:service_manager add; 181 neverallow priv_app property_socket:sock_file write; 182 neverallow priv_app init:unix_stream_socket connectto; 183 neverallow priv_app property_type:property_service set; 188 # constraints. As there is no direct way to specify a neverallow 193 neverallow priv_app mlstrustedsubject:process fork [all...] |
untrusted_app_all.te | 50 neverallow untrusted_app_all trace_data_file:dir *; 51 neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
system_server.te | 798 ### Neverallow rules 804 neverallow system_server sdcard_type:dir { open read write }; 805 neverallow system_server sdcard_type:file rw_file_perms; 812 neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link }; 818 neverallow system_server { [all...] |
/system/sepolicy/private/ |
app_neverallows.te | 2 ### neverallow rules for untrusted app domains 16 neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *; 19 neverallow all_untrusted_apps domain:netlink_socket *; 23 neverallow all_untrusted_apps debugfs_type:file read; 28 neverallow all_untrusted_apps service_manager_type:service_manager add; 31 neverallow all_untrusted_apps vndbinder_device:chr_file *; 32 neverallow all_untrusted_apps vndservice_manager_type:service_manager *; 36 neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write; 37 neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto; 38 neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set [all...] |
isolated_app.te | 29 # neverallow rules below. 57 ##### Neverallow 61 neverallow isolated_app tun_device:chr_file open; 64 neverallow isolated_app app_data_file:file open; 69 neverallow isolated_app anr_data_file:file ~{ open append }; 70 neverallow isolated_app anr_data_file:dir ~search; 73 neverallow isolated_app hwbinder_device:chr_file *; 74 neverallow isolated_app *:hwservice_manager *; 77 neverallow isolated_app vndbinder_device:chr_file *; 81 neverallow isolated_app *:service_manager ~find [all...] |
ephemeral_app.te | 50 ### neverallow rules 53 neverallow ephemeral_app app_data_file:file execute_no_trans; 56 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *; 59 neverallow ephemeral_app domain:netlink_socket *; 63 neverallow ephemeral_app debugfs:file read; 66 neverallow ephemeral_app gpu_device:chr_file execute; 69 neverallow ephemeral_app sysfs:file *; 73 neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms }; 76 neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create}; 77 neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search [all...] |
priv_app.te | 161 ### neverallow rules 165 neverallow priv_app domain:netlink_kobject_uevent_socket *; 168 neverallow priv_app domain:netlink_socket *; 172 neverallow priv_app debugfs:file read; 177 neverallow priv_app service_manager_type:service_manager add; 181 neverallow priv_app property_socket:sock_file write; 182 neverallow priv_app init:unix_stream_socket connectto; 183 neverallow priv_app property_type:property_service set; 188 # constraints. As there is no direct way to specify a neverallow 193 neverallow priv_app mlstrustedsubject:process fork [all...] |
untrusted_app_all.te | 50 neverallow untrusted_app_all trace_data_file:dir *; 51 neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
/system/sepolicy/prebuilts/api/26.0/private/ |
app_neverallows.te | 2 ### neverallow rules for untrusted app domains 6 neverallow { untrusted_app_all -untrusted_app -untrusted_app_25 } domain:process fork; 10 neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *; 13 neverallow all_untrusted_apps domain:netlink_socket *; 17 neverallow all_untrusted_apps debugfs_type:file read; 22 neverallow all_untrusted_apps service_manager_type:service_manager add; 25 neverallow all_untrusted_apps vndbinder_device:chr_file *; 26 neverallow all_untrusted_apps vndservice_manager_type:service_manager *; 30 neverallow all_untrusted_apps property_socket:sock_file write; 31 neverallow all_untrusted_apps init:unix_stream_socket connectto [all...] |
isolated_app.te | 29 # neverallow rules below. 50 ##### Neverallow 54 neverallow isolated_app tun_device:chr_file open; 57 neverallow isolated_app app_data_file:file open; 62 neverallow isolated_app anr_data_file:file ~{ open append }; 63 neverallow isolated_app anr_data_file:dir ~search; 68 neverallow isolated_app { 76 neverallow isolated_app gpu_device:chr_file { rw_file_perms execute }; 79 neverallow isolated_app cache_file:dir ~{ r_dir_perms }; 80 neverallow isolated_app cache_file:file ~{ read getattr } [all...] |
ephemeral_app.te | 36 ### neverallow rules 40 neverallow ephemeral_app app_data_file:file { execute execute_no_trans }; 43 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *; 46 neverallow ephemeral_app domain:netlink_socket *; 50 neverallow ephemeral_app debugfs:file read; 53 neverallow ephemeral_app gpu_device:chr_file execute; 56 neverallow ephemeral_app sysfs:file *; 60 neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms }; 63 neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create}; 64 neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search [all...] |
app.te | 335 ### Neverallow rules 342 neverallow { appdomain -bluetooth } self:capability *; 343 neverallow { appdomain -bluetooth } self:capability2 *; 346 neverallow appdomain dev_type:blk_file { read write }; 349 neverallow appdomain { 359 neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write }; 361 neverallow { appdomain -nfc } nfc_device:chr_file 363 neverallow { appdomain -bluetooth } hci_attach_dev:chr_file 365 neverallow appdomain tee_device:chr_file { read write }; 368 neverallow appdomai [all...] |
priv_app.te | 128 ### neverallow rules 132 neverallow priv_app domain:netlink_kobject_uevent_socket *; 135 neverallow priv_app domain:netlink_socket *; 139 neverallow priv_app debugfs:file read; 144 neverallow priv_app service_manager_type:service_manager add; 148 neverallow priv_app property_socket:sock_file write; 149 neverallow priv_app init:unix_stream_socket connectto; 150 neverallow priv_app property_type:property_service set; 155 # constraints. As there is no direct way to specify a neverallow 160 neverallow priv_app mlstrustedsubject:process fork [all...] |
system_server.te | 670 ### Neverallow rules 676 neverallow system_server sdcard_type:dir { open read write }; 677 neverallow system_server sdcard_type:file rw_file_perms; 684 neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link }; 690 neverallow system_server { 699 neverallow system_server { domain -crash_dump }:process transition; 700 neverallow system_server *:process dyntransition; 703 neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write }; 709 neverallow system_server dex2oat_exec:file no_x_file_perms; 713 neverallow system_server [all...] |
/system/sepolicy/prebuilts/api/27.0/private/ |
app_neverallows.te | 2 ### neverallow rules for untrusted app domains 15 neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *; 18 neverallow all_untrusted_apps domain:netlink_socket *; 22 neverallow all_untrusted_apps debugfs_type:file read; 27 neverallow all_untrusted_apps service_manager_type:service_manager add; 30 neverallow all_untrusted_apps vndbinder_device:chr_file *; 31 neverallow all_untrusted_apps vndservice_manager_type:service_manager *; 35 neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write; 36 neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto; 37 neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set [all...] |
isolated_app.te | 29 # neverallow rules below. 54 ##### Neverallow 58 neverallow isolated_app tun_device:chr_file open; 61 neverallow isolated_app app_data_file:file open; 66 neverallow isolated_app anr_data_file:file ~{ open append }; 67 neverallow isolated_app anr_data_file:dir ~search; 70 neverallow isolated_app hwbinder_device:chr_file *; 71 neverallow isolated_app *:hwservice_manager *; 74 neverallow isolated_app vndbinder_device:chr_file *; 78 neverallow isolated_app *:service_manager ~find [all...] |
ephemeral_app.te | 39 ### neverallow rules 42 neverallow ephemeral_app app_data_file:file execute_no_trans; 45 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *; 48 neverallow ephemeral_app domain:netlink_socket *; 52 neverallow ephemeral_app debugfs:file read; 55 neverallow ephemeral_app gpu_device:chr_file execute; 58 neverallow ephemeral_app sysfs:file *; 62 neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms }; 65 neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create}; 66 neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search [all...] |
priv_app.te | 119 ### neverallow rules 123 neverallow priv_app domain:netlink_kobject_uevent_socket *; 126 neverallow priv_app domain:netlink_socket *; 130 neverallow priv_app debugfs:file read; 135 neverallow priv_app service_manager_type:service_manager add; 139 neverallow priv_app property_socket:sock_file write; 140 neverallow priv_app init:unix_stream_socket connectto; 141 neverallow priv_app property_type:property_service set; 146 # constraints. As there is no direct way to specify a neverallow 151 neverallow priv_app mlstrustedsubject:process fork [all...] |
untrusted_app.te | 35 neverallow untrusted_app system_server:udp_socket {
/cts/tools/selinux/ |
SELinuxNeverallowTestFrame.py | 35 * Neverallow Rules SELinux tests. 128 /* run sepolicy-analyze neverallow check on policy file using given neverallow rules */ 130 policyFile.getAbsolutePath(), "neverallow", "-w", "-n", 144 + "neverallow rule:\\n" + neverallowRule + "\\n" + errorString,
/system/sepolicy/tools/sepolicy-analyze/ |
Android.mk | 9 LOCAL_SRC_FILES := sepolicy-analyze.c dups.c neverallow.c perm.c typecmp.c booleans.c attribute.c utils.c
/external/selinux/libsepol/src/ |
assertion.c | 44 ERR(handle, "neverallow on line %lu of %s (or line %lu of policy.conf) violated by allow %s %s:%s {%s };", 51 ERR(handle, "neverallow on line %lu violated by allow %s %s:%s {%s };", 57 ERR(handle, "neverallow violated by allow %s %s:%s {%s };", 88 static int check_extended_permissions(av_extended_perms_t *neverallow, avtab_extended_perms_t *allow) 91 if ((neverallow->specified == AVRULE_XPERMS_IOCTLFUNCTION) 93 if (neverallow->driver == allow->driver) 94 rc = extended_permissions_and(neverallow->perms, allow->perms); 95 } else if ((neverallow->specified == AVRULE_XPERMS_IOCTLFUNCTION) 97 rc = xperm_test(neverallow->driver, allow->perms); 98 } else if ((neverallow->specified == AVRULE_XPERMS_IOCTLDRIVER [all...] |