    Searched refs:neverallow (Results 1 - 25 of 45) sorted by null


  /system/sepolicy/prebuilts/api/28.0/private/
app_neverallows.te 2 ### neverallow rules for untrusted app domains
16 neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
19 neverallow all_untrusted_apps domain:netlink_socket *;
23 neverallow all_untrusted_apps debugfs_type:file read;
28 neverallow all_untrusted_apps service_manager_type:service_manager add;
31 neverallow all_untrusted_apps vndbinder_device:chr_file *;
32 neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
36 neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
37 neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
38 neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set
    [all...]
isolated_app.te 29 # neverallow rules below.
57 ##### Neverallow
61 neverallow isolated_app tun_device:chr_file open;
64 neverallow isolated_app app_data_file:file open;
69 neverallow isolated_app anr_data_file:file ~{ open append };
70 neverallow isolated_app anr_data_file:dir ~search;
73 neverallow isolated_app hwbinder_device:chr_file *;
74 neverallow isolated_app *:hwservice_manager *;
77 neverallow isolated_app vndbinder_device:chr_file *;
81 neverallow isolated_app *:service_manager ~find
    [all...]
ephemeral_app.te 50 ### neverallow rules
53 neverallow ephemeral_app app_data_file:file execute_no_trans;
56 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
59 neverallow ephemeral_app domain:netlink_socket *;
63 neverallow ephemeral_app debugfs:file read;
66 neverallow ephemeral_app gpu_device:chr_file execute;
69 neverallow ephemeral_app sysfs:file *;
73 neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
76 neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
77 neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search
    [all...]
priv_app.te 161 ### neverallow rules
165 neverallow priv_app domain:netlink_kobject_uevent_socket *;
168 neverallow priv_app domain:netlink_socket *;
172 neverallow priv_app debugfs:file read;
177 neverallow priv_app service_manager_type:service_manager add;
181 neverallow priv_app property_socket:sock_file write;
182 neverallow priv_app init:unix_stream_socket connectto;
183 neverallow priv_app property_type:property_service set;
188 # constraints. As there is no direct way to specify a neverallow
193 neverallow priv_app mlstrustedsubject:process fork
    [all...]
untrusted_app_all.te 50 neverallow untrusted_app_all trace_data_file:dir *;
51 neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
system_server.te 798 ### Neverallow rules
804 neverallow system_server sdcard_type:dir { open read write };
805 neverallow system_server sdcard_type:file rw_file_perms;
812 neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
818 neverallow system_server {
    [all...]
  /system/sepolicy/private/
app_neverallows.te 2 ### neverallow rules for untrusted app domains
16 neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
19 neverallow all_untrusted_apps domain:netlink_socket *;
23 neverallow all_untrusted_apps debugfs_type:file read;
28 neverallow all_untrusted_apps service_manager_type:service_manager add;
31 neverallow all_untrusted_apps vndbinder_device:chr_file *;
32 neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
36 neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
37 neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
38 neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set
    [all...]
isolated_app.te 29 # neverallow rules below.
57 ##### Neverallow
61 neverallow isolated_app tun_device:chr_file open;
64 neverallow isolated_app app_data_file:file open;
69 neverallow isolated_app anr_data_file:file ~{ open append };
70 neverallow isolated_app anr_data_file:dir ~search;
73 neverallow isolated_app hwbinder_device:chr_file *;
74 neverallow isolated_app *:hwservice_manager *;
77 neverallow isolated_app vndbinder_device:chr_file *;
81 neverallow isolated_app *:service_manager ~find
    [all...]
ephemeral_app.te 50 ### neverallow rules
53 neverallow ephemeral_app app_data_file:file execute_no_trans;
56 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
59 neverallow ephemeral_app domain:netlink_socket *;
63 neverallow ephemeral_app debugfs:file read;
66 neverallow ephemeral_app gpu_device:chr_file execute;
69 neverallow ephemeral_app sysfs:file *;
73 neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
76 neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
77 neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search
    [all...]
priv_app.te 161 ### neverallow rules
165 neverallow priv_app domain:netlink_kobject_uevent_socket *;
168 neverallow priv_app domain:netlink_socket *;
172 neverallow priv_app debugfs:file read;
177 neverallow priv_app service_manager_type:service_manager add;
181 neverallow priv_app property_socket:sock_file write;
182 neverallow priv_app init:unix_stream_socket connectto;
183 neverallow priv_app property_type:property_service set;
188 # constraints. As there is no direct way to specify a neverallow
193 neverallow priv_app mlstrustedsubject:process fork
    [all...]
untrusted_app_all.te 50 neverallow untrusted_app_all trace_data_file:dir *;
51 neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
  /system/sepolicy/prebuilts/api/26.0/private/
app_neverallows.te 2 ### neverallow rules for untrusted app domains
6 neverallow { untrusted_app_all -untrusted_app -untrusted_app_25 } domain:process fork;
10 neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
13 neverallow all_untrusted_apps domain:netlink_socket *;
17 neverallow all_untrusted_apps debugfs_type:file read;
22 neverallow all_untrusted_apps service_manager_type:service_manager add;
25 neverallow all_untrusted_apps vndbinder_device:chr_file *;
26 neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
30 neverallow all_untrusted_apps property_socket:sock_file write;
31 neverallow all_untrusted_apps init:unix_stream_socket connectto
    [all...]
isolated_app.te 29 # neverallow rules below.
50 ##### Neverallow
54 neverallow isolated_app tun_device:chr_file open;
57 neverallow isolated_app app_data_file:file open;
62 neverallow isolated_app anr_data_file:file ~{ open append };
63 neverallow isolated_app anr_data_file:dir ~search;
68 neverallow isolated_app {
76 neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
79 neverallow isolated_app cache_file:dir ~{ r_dir_perms };
80 neverallow isolated_app cache_file:file ~{ read getattr }
    [all...]
ephemeral_app.te 36 ### neverallow rules
40 neverallow ephemeral_app app_data_file:file { execute execute_no_trans };
43 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
46 neverallow ephemeral_app domain:netlink_socket *;
50 neverallow ephemeral_app debugfs:file read;
53 neverallow ephemeral_app gpu_device:chr_file execute;
56 neverallow ephemeral_app sysfs:file *;
60 neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
63 neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
64 neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search
    [all...]
app.te 335 ### Neverallow rules
342 neverallow { appdomain -bluetooth } self:capability *;
343 neverallow { appdomain -bluetooth } self:capability2 *;
346 neverallow appdomain dev_type:blk_file { read write };
349 neverallow appdomain {
359 neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
361 neverallow { appdomain -nfc } nfc_device:chr_file
363 neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
365 neverallow appdomain tee_device:chr_file { read write };
368 neverallow appdomai
    [all...]
priv_app.te 128 ### neverallow rules
132 neverallow priv_app domain:netlink_kobject_uevent_socket *;
135 neverallow priv_app domain:netlink_socket *;
139 neverallow priv_app debugfs:file read;
144 neverallow priv_app service_manager_type:service_manager add;
148 neverallow priv_app property_socket:sock_file write;
149 neverallow priv_app init:unix_stream_socket connectto;
150 neverallow priv_app property_type:property_service set;
155 # constraints. As there is no direct way to specify a neverallow
160 neverallow priv_app mlstrustedsubject:process fork
    [all...]
system_server.te 670 ### Neverallow rules
676 neverallow system_server sdcard_type:dir { open read write };
677 neverallow system_server sdcard_type:file rw_file_perms;
684 neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
690 neverallow system_server {
699 neverallow system_server { domain -crash_dump }:process transition;
700 neverallow system_server *:process dyntransition;
703 neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
709 neverallow system_server dex2oat_exec:file no_x_file_perms;
713 neverallow system_server
    [all...]
  /system/sepolicy/prebuilts/api/27.0/private/
app_neverallows.te 2 ### neverallow rules for untrusted app domains
15 neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
18 neverallow all_untrusted_apps domain:netlink_socket *;
22 neverallow all_untrusted_apps debugfs_type:file read;
27 neverallow all_untrusted_apps service_manager_type:service_manager add;
30 neverallow all_untrusted_apps vndbinder_device:chr_file *;
31 neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
35 neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
36 neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
37 neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set
    [all...]
isolated_app.te 29 # neverallow rules below.
54 ##### Neverallow
58 neverallow isolated_app tun_device:chr_file open;
61 neverallow isolated_app app_data_file:file open;
66 neverallow isolated_app anr_data_file:file ~{ open append };
67 neverallow isolated_app anr_data_file:dir ~search;
70 neverallow isolated_app hwbinder_device:chr_file *;
71 neverallow isolated_app *:hwservice_manager *;
74 neverallow isolated_app vndbinder_device:chr_file *;
78 neverallow isolated_app *:service_manager ~find
    [all...]
ephemeral_app.te 39 ### neverallow rules
42 neverallow ephemeral_app app_data_file:file execute_no_trans;
45 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
48 neverallow ephemeral_app domain:netlink_socket *;
52 neverallow ephemeral_app debugfs:file read;
55 neverallow ephemeral_app gpu_device:chr_file execute;
58 neverallow ephemeral_app sysfs:file *;
62 neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
65 neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
66 neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search
    [all...]
priv_app.te 119 ### neverallow rules
123 neverallow priv_app domain:netlink_kobject_uevent_socket *;
126 neverallow priv_app domain:netlink_socket *;
130 neverallow priv_app debugfs:file read;
135 neverallow priv_app service_manager_type:service_manager add;
139 neverallow priv_app property_socket:sock_file write;
140 neverallow priv_app init:unix_stream_socket connectto;
141 neverallow priv_app property_type:property_service set;
146 # constraints. As there is no direct way to specify a neverallow
151 neverallow priv_app mlstrustedsubject:process fork
    [all...]
untrusted_app.te 35 neverallow untrusted_app system_server:udp_socket {
  /cts/tools/selinux/
SELinuxNeverallowTestFrame.py 35 * Neverallow Rules SELinux tests.
128 /* run sepolicy-analyze neverallow check on policy file using given neverallow rules */
130 policyFile.getAbsolutePath(), "neverallow", "-w", "-n",
144 + "neverallow rule:\\n" + neverallowRule + "\\n" + errorString,
  /system/sepolicy/tools/sepolicy-analyze/
Android.mk 9 LOCAL_SRC_FILES := sepolicy-analyze.c dups.c neverallow.c perm.c typecmp.c booleans.c attribute.c utils.c
  /external/selinux/libsepol/src/
assertion.c 44 ERR(handle, "neverallow on line %lu of %s (or line %lu of policy.conf) violated by allow %s %s:%s {%s };",
51 ERR(handle, "neverallow on line %lu violated by allow %s %s:%s {%s };",
57 ERR(handle, "neverallow violated by allow %s %s:%s {%s };",
88 static int check_extended_permissions(av_extended_perms_t *neverallow, avtab_extended_perms_t *allow)
91 if ((neverallow->specified == AVRULE_XPERMS_IOCTLFUNCTION)
93 if (neverallow->driver == allow->driver)
94 rc = extended_permissions_and(neverallow->perms, allow->perms);
95 } else if ((neverallow->specified == AVRULE_XPERMS_IOCTLFUNCTION)
97 rc = xperm_test(neverallow->driver, allow->perms);
98 } else if ((neverallow->specified == AVRULE_XPERMS_IOCTLDRIVER
    [all...]
