# Filesystem types
#
# Each `type` statement declares a label followed by the attributes attached
# to it. Declaring a type grants no access by itself; access comes from allow
# rules that name the type or one of its attributes, so the attribute list is
# the security-relevant part of every line below.
# NOTE(review): several types here carry mlstrustedobject. In AOSP policy that
# attribute is referenced by the MLS constraints (defined outside this file)
# to exempt an object from level/category separation - confirm before
# attaching it to a new type.
type labeledfs, fs_type;
type pipefs, fs_type;
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type, proc_type;
# Security-sensitive proc nodes that should not be writable to most.
# The restriction itself is not visible here: these lines only create distinct
# labels so that rules elsewhere can treat the nodes separately from `proc`.
type proc_security, fs_type, proc_type;
type proc_drop_caches, fs_type, proc_type;
type proc_overcommit_memory, fs_type, proc_type;
type proc_min_free_order_shift, fs_type, proc_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
# NOTE(review): these nodes select programs the kernel itself launches, so
# write access is presumably meant to stay very narrow - verify the allow
# rules that reference these two types.
type usermodehelper, fs_type, proc_type;
type sysfs_usermodehelper, fs_type, sysfs_type;
type qtaguid_proc, fs_type, mlstrustedobject, proc_type;
type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type;
type proc_bluetooth_writable, fs_type, proc_type;
type proc_abi, fs_type, proc_type;
type proc_asound, fs_type, proc_type;
type proc_buddyinfo, fs_type, proc_type;
type proc_cmdline, fs_type, proc_type;
type proc_cpuinfo, fs_type, proc_type;
type proc_dirty, fs_type, proc_type;
type proc_diskstats, fs_type, proc_type;
type proc_extra_free_kbytes, fs_type, proc_type;
type proc_filesystems, fs_type, proc_type;
type proc_hostname, fs_type, proc_type;
type proc_hung_task, fs_type, proc_type;
type proc_interrupts, fs_type, proc_type;
type proc_iomem, fs_type, proc_type;
type proc_kmsg, fs_type, proc_type;
type proc_loadavg, fs_type, proc_type;
type proc_max_map_count, fs_type, proc_type;
type proc_meminfo, fs_type, proc_type;
type proc_misc, fs_type, proc_type;
type proc_modules, fs_type, proc_type;
type proc_mounts, fs_type, proc_type;
type proc_net, fs_type, proc_type;
type proc_page_cluster, fs_type, proc_type;
type proc_pagetypeinfo, fs_type, proc_type;
type proc_panic, fs_type, proc_type;
type proc_perf, fs_type, proc_type;
type proc_pid_max, fs_type, proc_type;
type proc_pipe_conf, fs_type, proc_type;
type proc_random, fs_type, proc_type;
type proc_sched, fs_type, proc_type;
type proc_stat, fs_type, proc_type;
type proc_swaps, fs_type, proc_type;
type proc_sysrq, fs_type, proc_type;
type proc_timer, fs_type, proc_type;
type proc_tty_drivers, fs_type, proc_type;
type proc_uid_cputime_showstat, fs_type, proc_type;
type proc_uid_cputime_removeuid, fs_type, proc_type;
type proc_uid_io_stats, fs_type, proc_type;
type proc_uid_procstat_set, fs_type, proc_type;
type proc_uid_time_in_state, fs_type, proc_type;
type proc_uid_concurrent_active_time, fs_type, proc_type;
type proc_uid_concurrent_policy_time, fs_type, proc_type;
type proc_uid_cpupower, fs_type, proc_type;
type proc_uptime, fs_type, proc_type;
type proc_version, fs_type, proc_type;
type proc_vmallocinfo, fs_type, proc_type;
type proc_vmstat, fs_type, proc_type;
type proc_zoneinfo, fs_type, proc_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
type cgroup_bpf, fs_type;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_android_usb, fs_type, sysfs_type;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
type sysfs_ipv4, fs_type, sysfs_type;
type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
type sysfs_leds, fs_type, sysfs_type;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_mac_address, fs_type, sysfs_type;
type sysfs_net, fs_type, sysfs_type;
type sysfs_power, fs_type, sysfs_type;
type sysfs_rtc, fs_type, sysfs_type;
type sysfs_switch, fs_type, sysfs_type;
type sysfs_usb, fs_type, sysfs_type;
type sysfs_wakeup_reasons, fs_type, sysfs_type;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
type fs_bpf, fs_type;
type configfs, fs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
# /sys/module/lowmemorykiller
type sysfs_lowmemorykiller, fs_type, sysfs_type;
# /sys/module/wlan/parameters/fwpath
type sysfs_wlan_fwpath, fs_type, sysfs_type;
type sysfs_vibrator, fs_type, sysfs_type;

type sysfs_thermal, sysfs_type, fs_type;

type sysfs_zram, fs_type, sysfs_type;
type sysfs_zram_uevent, fs_type, sysfs_type;
type inotify, fs_type, mlstrustedobject;
type devpts, fs_type, mlstrustedobject;
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;
# The four types below share sdcard_type, so a rule written against that
# attribute applies to all of them at once.
type fuse, sdcard_type, fs_type, mlstrustedobject;
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
type exfat, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing_instances, fs_type, debugfs_type;
type debugfs_wakeup_sources, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type;

type pstorefs, fs_type;
type functionfs, fs_type, mlstrustedobject;
# contextmount_type: presumably filesystems labelled through a context= mount
# option rather than per-file labels - confirm against the attribute's
# definition, which is outside this file.
type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
type binfmt_miscfs, fs_type;
type app_fusefs, fs_type, contextmount_type;

# File types
# From here on types carry file_type instead of fs_type; no type in this file
# is declared with both.
type unlabeled, file_type;

# Default type for anything under /system.
type system_file, file_type;

# Default type for directories searched for
# HAL implementations
type vendor_hal_file, vendor_file_type, file_type;
# Default type for anything under /vendor or /system/vendor
type vendor_file, vendor_file_type, file_type;
# Default type for everything in /vendor/app
type vendor_app_file, vendor_file_type, file_type;
# Default type for everything under /vendor/etc/
type vendor_configs_file, vendor_file_type, file_type;
# Default type for all *same process* HALs.
# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
# NOTE(review): as the name suggests, these libraries are loaded into the
# calling process and therefore run with that process's privileges - confirm
# which domains are allowed to execute this type.
type same_process_hal_file, vendor_file_type, file_type;
# Default type for vndk-sp libs. /vendor/lib/vndk-sp
type vndk_sp_file, vendor_file_type, file_type;
# Default type for everything in /vendor/framework
type vendor_framework_file, vendor_file_type, file_type;
# Default type for everything in /vendor/overlay
type vendor_overlay_file, vendor_file_type, file_type;

# /metadata partition itself
type metadata_file, file_type;
# Vold files within /metadata
type vold_metadata_file, file_type;

# Speedup access for trusted applications to the runtime event tags
type runtime_event_log_tags_file, file_type;
# Type for /system/bin/logcat.
type logcat_exec, exec_type, file_type;
# /cores for coredumps on userdebug / eng builds
type coredump_file, file_type;
# Default type for anything under /data.
# NOTE(review): most /data types below carry both data_file_type and
# core_data_file_type. In AOSP's Treble split the latter marks data that
# vendor domains are not supposed to touch; the rules enforcing that are
# outside this file - confirm.
type system_data_file, file_type, data_file_type, core_data_file_type;
# Default type for anything under /data/vendor{_ce,_de}.
# Declared without core_data_file_type, unlike its neighbours.
type vendor_data_file, file_type, data_file_type;
# Unencrypted data
type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
# /data/.layout_version or other installd-created files that
# are created in a system_data_file directory.
type install_data_file, file_type, data_file_type, core_data_file_type;
# /data/drm - DRM plugin data
type drm_data_file, file_type, data_file_type, core_data_file_type;
# /data/adb - adb debugging files
type adb_data_file, file_type, data_file_type, core_data_file_type;
# /data/anr - ANR traces
type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/tombstones - core dumps
# NOTE(review): crash dumps and traces can contain process memory; this type
# and anr_data_file also carry mlstrustedobject, so readers deserve scrutiny
# in the allow rules that reference them.
type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/vendor/tombstones/wifi - vendor wifi dumps
# Declared without core_data_file_type, matching its /data/vendor location.
type tombstone_wifi_data_file, file_type, data_file_type;
# /data/app - user-installed apps
type apk_data_file, file_type, data_file_type, core_data_file_type;
type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/app-private - forward-locked apps
type apk_private_data_file, file_type, data_file_type, core_data_file_type;
type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
# /data/ota
type ota_data_file, file_type, data_file_type, core_data_file_type;
# /data/ota_package
type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profiles
type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profman
type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
# /data/local - writable by shell
type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/property
type property_data_file, file_type, data_file_type, core_data_file_type;
# /data/bootchart
type bootchart_data_file, file_type, data_file_type, core_data_file_type;
# /data/system/heapdump
type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/nativetest
type nativetest_data_file, file_type, data_file_type, core_data_file_type;
# /data/system_de/0/ringtones
type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/preloads
type preloads_data_file, file_type, data_file_type, core_data_file_type;
# /data/preloads/media
type preloads_media_file, file_type, data_file_type, core_data_file_type;
# /data/misc/dhcp and /data/misc/dhcp-6.8.2
type dhcp_data_file, file_type, data_file_type, core_data_file_type;

# Mount locations managed by vold
# These mount-point types carry file_type only, not data_file_type.
type mnt_media_rw_file, file_type;
type mnt_user_file, file_type;
type mnt_expand_file, file_type;
type storage_file, file_type;

# Label for storage dirs which are just mount stubs
type mnt_media_rw_stub_file, file_type;
type storage_stub_file, file_type;

# Mount location for read-write vendor partitions.
type mnt_vendor_file, file_type;

# /postinstall: Mount point used by update_engine to run postinstall.
type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
type postinstall_file, file_type;

# /data/misc subdirectories
# NOTE(review): by name, several of these labels cover credential or key
# material (adb_keys_file, gatekeeper_data_file, keychain_data_file,
# keystore_data_file, systemkeys_data_file). The path-to-label mapping and the
# allow rules are outside this file; read access to these types is worth
# checking first when auditing the policy.
type adb_keys_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
type bootstat_data_file, file_type, data_file_type, core_data_file_type;
type boottrace_data_file, file_type, data_file_type, core_data_file_type;
type camera_data_file, file_type, data_file_type, core_data_file_type;
type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
type incident_data_file, file_type, data_file_type, core_data_file_type;
type keychain_data_file, file_type, data_file_type, core_data_file_type;
type keystore_data_file, file_type, data_file_type, core_data_file_type;
type media_data_file, file_type, data_file_type, core_data_file_type;
type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type misc_user_data_file, file_type, data_file_type, core_data_file_type;
type net_data_file, file_type, data_file_type, core_data_file_type;
type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
type nfc_data_file, file_type, data_file_type, core_data_file_type;
type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type recovery_data_file, file_type, data_file_type, core_data_file_type;
type shared_relro_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type vpn_data_file, file_type, data_file_type, core_data_file_type;
type wifi_data_file, file_type, data_file_type, core_data_file_type;
type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
type vold_data_file, file_type, data_file_type, core_data_file_type;
type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# tee_data_file is the only type in this group without core_data_file_type.
type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;

# /data/data subdirectories - app sandboxes
# app_data_file does not carry mlstrustedobject, while system_app_data_file
# below does.
type app_data_file, file_type, data_file_type, core_data_file_type;
# /data/data subdirectory for system UID apps.
type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4.
# NOTE(review): no alias statement follows the comment above in this file; it
# looks like a leftover from a removed declaration - confirm.
# Default type for anything under /cache
type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for /cache/backup_stage/* (fd interchange with apps)
type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for anything under /cache/backup (local transport storage)
type cache_private_backup_file, file_type, data_file_type, core_data_file_type;
# Type for anything under /cache/recovery
type cache_recovery_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Default type for anything under /efs
type efs_file, file_type;
# Type for wallpaper file.
type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for shortcut manager icon file.
type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for user icon file.
type icon_file, file_type, data_file_type, core_data_file_type;
# /mnt/asec
type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Elements of asec files (/mnt/asec) that are world readable
type asec_public_file, file_type, data_file_type, core_data_file_type;
# /data/app-asec
type asec_image_file, file_type, data_file_type, core_data_file_type;
# /data/backup and /data/secure/backup
type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# All devices have bluetooth efs files, but they
# vary per device, so this type is used in
# per-device policy.
type bluetooth_efs_file, file_type;
# Type for fingerprint template file
# NOTE(review): fingerprint templates are biometric data; access to both
# fingerprint types should be limited to the fingerprint stack. The allow
# rules are outside this file - confirm.
type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
# Type for _new_ fingerprint template file
# Declared without core_data_file_type, unlike fingerprintd_data_file above.
type fingerprint_vendor_data_file, file_type, data_file_type;
# Type for appfuse file.
type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;

# Socket types
# Most sockets below carry coredomain_socket. The ones declared without it are
# rild_socket, rild_debug_socket, tombstoned_java_trace_socket and wpa_socket.
# NOTE(review): in AOSP's Treble split coredomain_socket presumably marks
# sockets owned by platform (core) domains; the rules that use the attribute
# are outside this file - confirm before changing membership.
type adbd_socket, file_type, coredomain_socket;
type bluetooth_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
type dumpstate_socket, file_type, coredomain_socket;
type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
type lmkd_socket, file_type, coredomain_socket;
type logd_socket, file_type, coredomain_socket, mlstrustedobject;
type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
type mdns_socket, file_type, coredomain_socket;
type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
# NOTE(review): misc_logd_file is named as a file but sits in the socket
# section and carries coredomain_socket alongside the data-file attributes -
# confirm this is intended.
type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
type mtpd_socket, file_type, coredomain_socket;
type netd_socket, file_type, coredomain_socket;
type property_socket, file_type, coredomain_socket, mlstrustedobject;
type racoon_socket, file_type, coredomain_socket;
type rild_socket, file_type;
type rild_debug_socket, file_type;
type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
type tombstoned_intercept_socket, file_type, coredomain_socket;
type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
type traced_consumer_socket, file_type, coredomain_socket;
type uncrypt_socket, file_type, coredomain_socket;
type wpa_socket, file_type, data_file_type, core_data_file_type;
type zygote_socket, file_type, coredomain_socket;
# UART (for GPS) control proc file
type gps_control, file_type;

# PDX endpoint types
type pdx_display_dir, pdx_endpoint_dir_type, file_type;
type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;

# pdx_service_socket_types is a macro defined outside this file; presumably it
# declares the socket types for the named PDX service under the given
# directory type - confirm against the macro definition.
pdx_service_socket_types(display_client, pdx_display_dir)
pdx_service_socket_types(display_manager, pdx_display_dir)
pdx_service_socket_types(display_screenshot, pdx_display_dir)
pdx_service_socket_types(display_vsync, pdx_display_dir)
pdx_service_socket_types(performance_client, pdx_performance_dir)
pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)

# The types from here to vndservice_contexts_file label the policy and context
# files themselves.
# NOTE(review): these files determine how everything else is labelled, so
# write access to them is presumably restricted to the update path - the
# rules are outside this file; confirm.

# file_contexts files
type file_contexts_file, file_type;

# mac_permissions file
type mac_perms_file, file_type;

# property_contexts file
type property_contexts_file, file_type;

# seapp_contexts file
type seapp_contexts_file, file_type;

# sepolicy files binary and others
type sepolicy_file, file_type;

# service_contexts file
type service_contexts_file, file_type;

# nonplat service_contexts file (only accessible on non full-treble devices)
type nonplat_service_contexts_file, file_type;

# hwservice_contexts file
type hwservice_contexts_file, file_type;

# vndservice_contexts file
type vndservice_contexts_file, file_type;

# Allow files to be created in their appropriate filesystems.
# `associate` is the filesystem-class permission that lets an object with the
# source label live on a filesystem with the target label. These are the only
# allow rules in this part of the file.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
allow cgroup_bpf tmpfs:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
allow postinstall_file self:filesystem associate;

# asanwrapper (run a sanitized app_process, to be used with wrap properties)
# with_asan is a macro defined outside this file; presumably it emits the
# quoted declaration only on AddressSanitizer builds - confirm.
with_asan(`type asanwrapper_exec, exec_type, file_type;')

# Deprecated in SDK version 28
type audiohal_data_file, file_type, data_file_type, core_data_file_type;

# It's a bug to assign both the file_type attribute and the fs_type attribute
# to the same type. Do not allow it.
#
# For example, the following is a bug:
# type apk_data_file, file_type, data_file_type, fs_type;
# Should be:
# type apk_data_file, file_type, data_file_type;
#
# How the check works: a type carrying both attributes would be an fs_type
# source and a file_type target of `allow fs_type self:filesystem associate`
# above, and this neverallow rejects exactly that combination when the policy
# is built.
neverallow fs_type file_type:filesystem associate;