# kernel domain is used for all processes started before Android init installs SELinux policy.
# Normally, no processes should be in this domain because clumping multiple processes into a single
# SELinux domain overprivileges each of those processes.

# TODO(b/65049764): Get rid of the hostapd instance started before Android init
net_domain(kernel)
allow kernel self:capability net_admin;
allow kernel self:netlink_socket create_socket_perms_no_ioctl;
allow kernel tmpfs:dir search;

# TODO(b/65049764): Get rid of GCE proxy and similar daemons started before Android init
# gce.meta.proxy and gce.ex.outer write to /dev/console which for some reason does not appear
# labelled as console_device although it is labeled as such on the filesystem.
allow kernel rootfs:chr_file write;

# kdevtmpfs accesses devices before ueventd runs restorecon and relabels devices
allow kernel device:chr_file { create setattr getattr unlink };
allow kernel device:dir create_dir_perms;
allow kernel self:capability mknod;
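As an added example (not part of the AOSP policy above), a small Python audit that parses plain `allow` rules from a `.te` file and reports the grants the comments describe as temporary overprivilege of the kernel domain: capabilities, and write access to device nodes still labelled `rootfs`. The sample input is constructed from the rules above; `net_domain()` and permission-set macros such as `create_dir_perms` are not expanded.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List

# Constructed input: the allow rules from the kernel.te above. Macros such as
# net_domain(kernel) are not expanded here; macro permission sets such as
# create_dir_perms are kept as a single opaque name.
KERNEL_TE = """
net_domain(kernel)
allow kernel self:capability net_admin;
allow kernel self:netlink_socket create_socket_perms_no_ioctl;
allow kernel tmpfs:dir search;
allow kernel rootfs:chr_file write;
allow kernel device:chr_file { create setattr getattr unlink };
allow kernel device:dir create_dir_perms;
allow kernel self:capability mknod;
"""

# allow <source> <target>:<class> <perm | { perm ... }> ;
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+([^:\s]+):(\S+)\s+(\{[^}]*\}|[^;\s]+)\s*;", re.M)

@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: FrozenSet[str]

def parse_allow_rules(text: str) -> List[AllowRule]:
    """Extract plain allow rules; comments, macros and other statements are skipped."""
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        names = perms.strip("{} ").split() if perms.startswith("{") else [perms]
        rules.append(AllowRule(src, tgt, cls, frozenset(names)))
    return rules

def audit_domain(rules: List[AllowRule], domain: str = "kernel") -> List[str]:
    """Flag the grants the policy comments call out as temporary overprivilege:
    capabilities held by the domain, and write access to rootfs-labelled objects."""
    findings = []
    for r in rules:
        if r.source != domain:
            continue
        if r.tclass == "capability":
            findings.append(f"{domain} holds capability {' '.join(sorted(r.perms))}")
        elif r.target == "rootfs" and "write" in r.perms:
            findings.append(f"{domain} writes {r.tclass} objects labelled rootfs")
    return findings
```

Running `audit_domain(parse_allow_rules(KERNEL_TE))` lists the two capability grants and the rootfs write, which is exactly the set the TODO comments intend to remove once the pre-init daemons are gone.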