# SELinux type declarations for filesystems, files and sockets, followed by
# the filesystem "associate" rules that tie them together.
#
# Each declaration has the form
#     type <name>, <attribute>[, <attribute>...];
# The attributes used here (fs_type, file_type, sysfs_type, debugfs_type,
# data_file_type, core_data_file_type, vendor_file_type, exec_type,
# coredomain_socket, mlstrustedobject, ...) are declared outside this file.
#
# NOTE(review): mlstrustedobject is not defined here. In Android policy it is
# the attribute the MLS constraints exempt, so an object carrying it is
# presumably not separated by per-app / per-user categories. Confirm against
# the MLS constraint file before adding it to a new type.

# Filesystem types
type labeledfs, fs_type;
type pipefs, fs_type;
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type;
# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type;
type proc_drop_caches, fs_type;
type proc_overcommit_memory, fs_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type;
type sysfs_usermodehelper, fs_type, sysfs_type;
type qtaguid_proc, fs_type, mlstrustedobject;
type proc_bluetooth_writable, fs_type;
type proc_cpuinfo, fs_type;
type proc_interrupts, fs_type;
type proc_iomem, fs_type;
type proc_meminfo, fs_type;
type proc_misc, fs_type;
type proc_modules, fs_type;
type proc_net, fs_type;
type proc_perf, fs_type;
type proc_stat, fs_type;
type proc_sysrq, fs_type;
type proc_timer, fs_type;
type proc_tty_drivers, fs_type;
type proc_uid_cputime_showstat, fs_type;
type proc_uid_cputime_removeuid, fs_type;
type proc_uid_io_stats, fs_type;
type proc_uid_procstat_set, fs_type;
type proc_uid_time_in_state, fs_type;
type proc_zoneinfo, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_leds, fs_type, sysfs_type;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_mac_address, fs_type, sysfs_type;
# NOTE(review): sysfs_usb is the only sysfs_* type in this file declared with
# file_type instead of fs_type. The neverallow at the end of the file still
# holds (the type carries only one of the two attributes), but through
# file_type it also picks up the file_type associate rules below (labeledfs,
# tmpfs, rootfs) in addition to the sysfs_type one. Confirm this is intended.
type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
type configfs, fs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
# /sys/module/lowmemorykiller
type sysfs_lowmemorykiller, fs_type, sysfs_type;
# /sys/module/wlan/parameters/fwpath
type sysfs_wlan_fwpath, fs_type, sysfs_type;
type sysfs_vibrator, fs_type, sysfs_type;

type sysfs_thermal, sysfs_type, fs_type;

type sysfs_zram, fs_type, sysfs_type;
type sysfs_zram_uevent, fs_type, sysfs_type;
type inotify, fs_type, mlstrustedobject;
type devpts, fs_type, mlstrustedobject;
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;
type fuse, sdcard_type, fs_type, mlstrustedobject;
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing, fs_type, debugfs_type;
type debugfs_tracing_debug, fs_type, debugfs_type;
type debugfs_tracing_instances, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type;

type pstorefs, fs_type;
type functionfs, fs_type, mlstrustedobject;
type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
type binfmt_miscfs, fs_type;
type app_fusefs, fs_type, contextmount_type;

# File types
type unlabeled, file_type;

# Default type for anything under /system.
type system_file, file_type;

# Default type for directories searched for
# HAL implementations
type vendor_hal_file, vendor_file_type, file_type;
# Default type for anything under /vendor or /system/vendor
type vendor_file, vendor_file_type, file_type;
# Default type for everything in /vendor/app
type vendor_app_file, vendor_file_type, file_type;
# Default type for everything under /vendor/etc/
type vendor_configs_file, vendor_file_type, file_type;
# Default type for all *same process* HALs.
# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
type same_process_hal_file, vendor_file_type, file_type;
# Default type for vndk-sp libs. /vendor/lib/vndk-sp
type vndk_sp_file, vendor_file_type, file_type;
# Default type for everything in /vendor/framework
type vendor_framework_file, vendor_file_type, file_type;
# Default type for everything in /vendor/overlay
type vendor_overlay_file, vendor_file_type, file_type;

# Speedup access for trusted applications to the runtime event tags
type runtime_event_log_tags_file, file_type;
# Type for /system/bin/logcat.
type logcat_exec, exec_type, file_type;
# /cores for coredumps on userdebug / eng builds
type coredump_file, file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type, core_data_file_type;
# Unencrypted data
type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
# /data/.layout_version or other installd-created files that
# are created in a system_data_file directory.
type install_data_file, file_type, data_file_type, core_data_file_type;
# /data/drm - DRM plugin data
type drm_data_file, file_type, data_file_type, core_data_file_type;
# /data/adb - adb debugging files
type adb_data_file, file_type, data_file_type, core_data_file_type;
# /data/anr - ANR traces
type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/tombstones - core dumps
type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/app - user-installed apps
type apk_data_file, file_type, data_file_type, core_data_file_type;
type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/app-private - forward-locked apps
type apk_private_data_file, file_type, data_file_type, core_data_file_type;
type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
# /data/ota
type ota_data_file, file_type, data_file_type, core_data_file_type;
# /data/ota_package
type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profiles
type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profman
type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
# /data/local - writable by shell
type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/property
type property_data_file, file_type, data_file_type, core_data_file_type;
# /data/bootchart
type bootchart_data_file, file_type, data_file_type, core_data_file_type;
# /data/system/heapdump
type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/nativetest
type nativetest_data_file, file_type, data_file_type, core_data_file_type;
# /data/system_de/0/ringtones
type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/preloads
type preloads_data_file, file_type, data_file_type, core_data_file_type;
# /data/preloads/media
type preloads_media_file, file_type, data_file_type, core_data_file_type;
# /data/misc/dhcp and /data/misc/dhcp-6.8.2
type dhcp_data_file, file_type, data_file_type, core_data_file_type;

# Mount locations managed by vold
type mnt_media_rw_file, file_type;
type mnt_user_file, file_type;
type mnt_expand_file, file_type;
type storage_file, file_type;

# Label for storage dirs which are just mount stubs
type mnt_media_rw_stub_file, file_type;
type storage_stub_file, file_type;

# /postinstall: Mount point used by update_engine to run postinstall.
type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
type postinstall_file, file_type;

# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audiohal_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
type bootstat_data_file, file_type, data_file_type, core_data_file_type;
type boottrace_data_file, file_type, data_file_type, core_data_file_type;
type camera_data_file, file_type, data_file_type, core_data_file_type;
type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
type incident_data_file, file_type, data_file_type, core_data_file_type;
type keychain_data_file, file_type, data_file_type, core_data_file_type;
type keystore_data_file, file_type, data_file_type, core_data_file_type;
type media_data_file, file_type, data_file_type, core_data_file_type;
type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type misc_user_data_file, file_type, data_file_type, core_data_file_type;
type net_data_file, file_type, data_file_type, core_data_file_type;
type nfc_data_file, file_type, data_file_type, core_data_file_type;
type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type reboot_data_file, file_type, data_file_type, core_data_file_type;
type recovery_data_file, file_type, data_file_type, core_data_file_type;
type shared_relro_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
type vpn_data_file, file_type, data_file_type, core_data_file_type;
type wifi_data_file, file_type, data_file_type, core_data_file_type;
type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
type vold_data_file, file_type, data_file_type, core_data_file_type;
type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# NOTE(review): the only type in this /data/misc group without
# core_data_file_type; presumably deliberate, confirm before "fixing" it.
type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;

# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type, core_data_file_type;
# /data/data subdirectory for system UID apps.
type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4.
# NOTE(review): no typealias or compatibility declaration follows the line
# above in this file, so that comment looks stale. Confirm and drop it.
# Default type for anything under /cache
type cache_file, file_type, data_file_type, mlstrustedobject;
# Type for /cache/backup_stage/* (fd interchange with apps)
type cache_backup_file, file_type, data_file_type, mlstrustedobject;
# type for anything under /cache/backup (local transport storage)
type cache_private_backup_file, file_type, data_file_type;
# Type for anything under /cache/recovery
type cache_recovery_file, file_type, data_file_type, mlstrustedobject;
# Default type for anything under /efs
type efs_file, file_type;
# Type for wallpaper file.
type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for shortcut manager icon file.
type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for user icon file.
type icon_file, file_type, data_file_type, core_data_file_type;
# /mnt/asec
type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Elements of asec files (/mnt/asec) that are world readable
type asec_public_file, file_type, data_file_type, core_data_file_type;
# /data/app-asec
type asec_image_file, file_type, data_file_type, core_data_file_type;
# /data/backup and /data/secure/backup
type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# All devices have bluetooth efs files. But they
# vary per device, so this type is used in per
# device policy
type bluetooth_efs_file, file_type;
# Type for fingerprint template file
type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
# Type for appfuse file.
type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;

# Socket types
# Most sockets below carry coredomain_socket. The ones that do not are
# rild_socket, rild_debug_socket, tombstoned_java_trace_socket and wpa_socket.
# NOTE(review): confirm each omission is intentional, in particular
# tombstoned_java_trace_socket, whose two tombstoned_* siblings do carry it.
type adbd_socket, file_type, coredomain_socket;
type bluetooth_socket, file_type, data_file_type, coredomain_socket;
type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
type dumpstate_socket, file_type, coredomain_socket;
type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
type lmkd_socket, file_type, coredomain_socket;
type logd_socket, file_type, coredomain_socket, mlstrustedobject;
type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
type mdns_socket, file_type, coredomain_socket;
type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
# NOTE(review): named *_file yet tagged coredomain_socket, and it has
# data_file_type without core_data_file_type. Confirm both are intended.
type misc_logd_file, coredomain_socket, file_type, data_file_type;
type mtpd_socket, file_type, coredomain_socket;
type netd_socket, file_type, coredomain_socket;
type property_socket, file_type, coredomain_socket, mlstrustedobject;
type racoon_socket, file_type, coredomain_socket;
type rild_socket, file_type;
type rild_debug_socket, file_type;
type system_wpa_socket, file_type, data_file_type, coredomain_socket;
type system_ndebug_socket, file_type, data_file_type, coredomain_socket, mlstrustedobject;
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
type tombstoned_intercept_socket, file_type, coredomain_socket;
type uncrypt_socket, file_type, coredomain_socket;
type vold_socket, file_type, coredomain_socket;
type webview_zygote_socket, file_type, coredomain_socket;
type wpa_socket, file_type, data_file_type;
type zygote_socket, file_type, coredomain_socket;
# UART (for GPS) control proc file
type gps_control, file_type;

# PDX endpoint types
type pdx_display_dir, pdx_endpoint_dir_type, file_type;
type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;

# pdx_service_socket_types is a macro defined outside this file; each call
# passes a service name and the endpoint directory type declared above.
# NOTE(review): presumably it declares the per-service socket types. Check the
# macro definition for the names and attributes it generates.
pdx_service_socket_types(display_client, pdx_display_dir)
pdx_service_socket_types(display_manager, pdx_display_dir)
pdx_service_socket_types(display_screenshot, pdx_display_dir)
pdx_service_socket_types(display_vsync, pdx_display_dir)
pdx_service_socket_types(performance_client, pdx_performance_dir)
pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)

# file_contexts files
type file_contexts_file, file_type;

# mac_permissions file
type mac_perms_file, file_type;

# property_contexts file
type property_contexts_file, file_type;

# seapp_contexts file
type seapp_contexts_file, file_type;

# sepolicy files binary and others
type sepolicy_file, file_type;

# service_contexts file
type service_contexts_file, file_type;

# nonplat service_contexts file (only accessible on non full-treble devices)
type nonplat_service_contexts_file, file_type;

# hwservice_contexts file
type hwservice_contexts_file, file_type;

# vndservice_contexts file
type vndservice_contexts_file, file_type;

# Allow files to be created in their appropriate filesystems.
# Each rule grants filesystem:associate from the object label (source) to the
# filesystem label (target).
# Every fs_type may associate with a filesystem carrying its own label.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
# sysfs_type labels may live on a filesystem labeled sysfs.
allow sysfs_type sysfs:filesystem associate;
# debugfs_type labels may live only on debugfs or debugfs_tracing.
allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
# Anything with file_type may live on labeledfs, tmpfs or rootfs.
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
# dev_type is declared outside this file.
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
# postinstall_file is a file_type used here as a filesystem label as well.
# NOTE(review): presumably because /postinstall is mounted with a context
# option that labels the whole filesystem postinstall_file. Confirm.
allow postinstall_file self:filesystem associate;

# asanwrapper (run a sanitized app_process, to be used with wrap properties)
# with_asan is a macro defined outside this file; the type is declared only
# if the macro emits its quoted argument.
with_asan(`type asanwrapper_exec, exec_type, file_type;')

# It's a bug to assign both the file_type attribute and the fs_type attribute
# to the same type. Do not allow it.
#
# For example, the following is a bug:
# type apk_data_file, file_type, data_file_type, fs_type;
# Should be:
# type apk_data_file, file_type, data_file_type;
#
# How the check works: "allow fs_type self:filesystem associate" above grants
# every fs_type an associate permission on itself. A type carrying both
# attributes would therefore be an fs_type source with a file_type target,
# which this neverallow rejects when the policy is compiled.
neverallow fs_type file_type:filesystem associate;