1######################################
2# Attribute declarations
3#
4
5# All types used for devices.
6# On change, update CHECK_FC_ASSERT_ATTRS
7# in tools/checkfc.c
8attribute dev_type;
9
10# Attribute for block devices.
11attribute bdev_type;
12
13# All types used for processes.
14attribute domain;
15
16# All types used for filesystems.
17# On change, update CHECK_FC_ASSERT_ATTRS
18# definition in tools/checkfc.c.
19attribute fs_type;
20
21# All types used for context= mounts.
22attribute contextmount_type;
23
24# All types used for files that can exist on a labeled fs.
25# Do not use for pseudo file types.
26# On change, update CHECK_FC_ASSERT_ATTRS
27# definition in tools/checkfc.c.
28attribute file_type;
29
30# All types used for domain entry points.
31attribute exec_type;
32
33# All types used for /data files.
34attribute data_file_type;
35expandattribute data_file_type false;
36# All types in /data, not in /data/vendor
37attribute core_data_file_type;
38expandattribute core_data_file_type false;
39
40# All types used for app private data files in seapp_contexts.
41# Such types should not be applied to any other files.
42attribute app_data_file_type;
43expandattribute app_data_file_type false;
44
45# All types in /system
46attribute system_file_type;
47
48# All types in /vendor
49attribute vendor_file_type;
50
51# All types used for procfs files.
52attribute proc_type;
53expandattribute proc_type false;
54
55# Types in /proc/net, excluding qtaguid types.
56# TODO(b/9496886) Lock down access to /proc/net.
57# This attribute is used to audit access to proc_net. it is temporary and will
58# be removed.
59attribute proc_net_type;
60expandattribute proc_net_type true;
61
62# All types used for sysfs files.
63attribute sysfs_type;
64
65# Attribute for /sys/class/block files.
66attribute sysfs_block_type;
67
68# All types use for debugfs files.
69attribute debugfs_type;
70
71# All types used for tracefs files.
72attribute tracefs_type;
73
74# Attribute used for all sdcards
75attribute sdcard_type;
76
77# All types used for nodes/hosts.
78attribute node_type;
79
80# All types used for network interfaces.
81attribute netif_type;
82
83# All types used for network ports.
84attribute port_type;
85
86# All types used for property service
87# On change, update CHECK_PC_ASSERT_ATTRS
88# definition in tools/checkfc.c.
89attribute property_type;
90
91# All properties defined in core SELinux policy. Should not be
92# used by device specific properties
93attribute core_property_type;
94
95# All properties used to configure log filtering.
96attribute log_property_type;
97
98# All properties that are not specific to device but are added from
99# outside of AOSP. (e.g. OEM-specific properties)
100# These properties are not accessible from device-specific domains
101attribute extended_core_property_type;
102
103# Properties used for representing ownership. All properties should have one
104# of: system_property_type, product_property_type, or vendor_property_type.
105
106# All properties defined by /system.
107attribute system_property_type;
108expandattribute system_property_type false;
109
110# All /system-defined properties used only in /system.
111attribute system_internal_property_type;
112expandattribute system_internal_property_type false;
113
114# All /system-defined properties which can't be written outside /system.
115attribute system_restricted_property_type;
116expandattribute system_restricted_property_type false;
117
118# All /system-defined properties with no restrictions.
119attribute system_public_property_type;
120expandattribute system_public_property_type false;
121
122# All keystore2_key labels.
123attribute keystore2_key_type;
124
125# All properties defined by /product.
126# Currently there are no enforcements between /system and /product, so for now
127# /product attributes are just replaced to /system attributes.
128define(`product_property_type',   `system_property_type')
129define(`product_internal_property_type',   `system_internal_property_type')
130define(`product_restricted_property_type', `system_restricted_property_type')
131define(`product_public_property_type',     `system_public_property_type')
132
133# All properties defined by /vendor.
134attribute vendor_property_type;
135expandattribute vendor_property_type false;
136
137# All /vendor-defined properties used only in /vendor.
138attribute vendor_internal_property_type;
139expandattribute vendor_internal_property_type false;
140
141# All /vendor-defined properties which can't be written outside /vendor.
142attribute vendor_restricted_property_type;
143expandattribute vendor_restricted_property_type false;
144
145# All /vendor-defined properties with no restrictions.
146attribute vendor_public_property_type;
147expandattribute vendor_public_property_type false;
148
149# All service_manager types created by system_server
150attribute system_server_service;
151
152# services which should be available to all but isolated apps
153attribute app_api_service;
154
155# services which should be available to all ephemeral apps
156attribute ephemeral_app_api_service;
157
158# services which export only system_api
159attribute system_api_service;
160
161# services which are explicitly disallowed for untrusted apps to access
162attribute protected_service;
163
164# services which served by vendor and also using the copy of libbinder on
165# system (for instance via libbinder_ndk). services using a different copy
166# of libbinder currently need their own context manager (e.g.
167# vndservicemanager)
168attribute vendor_service;
169
170# All types used for services managed by servicemanager.
171# On change, update CHECK_SC_ASSERT_ATTRS
172# definition in tools/checkfc.c.
173attribute service_manager_type;
174
175# All types used for services managed by hwservicemanager
176attribute hwservice_manager_type;
177
178# All HwBinder services guaranteed to be passthrough. These services always run
179# in the process of their clients, and thus operate with the same access as
180# their clients.
181attribute same_process_hwservice;
182
183# All HwBinder services guaranteed to be offered only by core domain components
184attribute coredomain_hwservice;
185
186# All HwBinder services that untrusted apps can't directly access
187attribute protected_hwservice;
188
189# All types used for services managed by vndservicemanager
190attribute vndservice_manager_type;
191
192
193# All domains that can override MLS restrictions.
194# i.e. processes that can read up and write down.
195attribute mlstrustedsubject;
196
197# All types that can override MLS restrictions.
198# i.e. files that can be read by lower and written by higher
199attribute mlstrustedobject;
200
201# All domains used for apps.
202attribute appdomain;
203
204# All third party apps (except isolated_app and ephemeral_app)
205attribute untrusted_app_all;
206
207# All domains used for apps with network access.
208attribute netdomain;
209
210# All domains used for apps with bluetooth access.
211attribute bluetoothdomain;
212
213# All domains used for binder service domains.
214attribute binderservicedomain;
215
216# update_engine related domains that need to apply an update and run
217# postinstall. This includes the background daemon and the sideload tool from
218# recovery for A/B devices.
219attribute update_engine_common;
220
221# All core domains (as opposed to vendor/device-specific domains)
222attribute coredomain;
223
224# All vendor hwservice.
225attribute vendor_hwservice_type;
226
227# All socket devices owned by core domain components
228attribute coredomain_socket;
229expandattribute coredomain_socket false;
230
231# All vendor domains which violate the requirement of not using sockets for
232# communicating with core components
233# TODO(b/36577153): Remove this once there are no violations
234attribute socket_between_core_and_vendor_violators;
235expandattribute socket_between_core_and_vendor_violators false;
236
237# All vendor domains which violate the requirement of not executing
238# system processes
239# TODO(b/36463595)
240attribute vendor_executes_system_violators;
241expandattribute vendor_executes_system_violators false;
242
243# All domains which violate the requirement of not sharing files by path
244# between between vendor and core domains.
245# TODO(b/34980020)
246attribute data_between_core_and_vendor_violators;
247expandattribute data_between_core_and_vendor_violators false;
248
249# All system domains which violate the requirement of not executing vendor
250# binaries/libraries.
251# TODO(b/62041836)
252attribute system_executes_vendor_violators;
253expandattribute system_executes_vendor_violators false;
254
255# All system domains which violate the requirement of not writing vendor
256# properties.
257# TODO(b/78598545): Remove this once there are no violations
258attribute system_writes_vendor_properties_violators;
259expandattribute system_writes_vendor_properties_violators false;
260
261# All system domains which violate the requirement of not writing to
262# /mnt/vendor/*. Must not be used on devices launched with P or later.
263attribute system_writes_mnt_vendor_violators;
264expandattribute system_writes_mnt_vendor_violators false;
265
266# hwservices that are accessible from untrusted applications
267# WARNING: Use of this attribute should be avoided unless
268# absolutely necessary.  It is a temporary allowance to aid the
269# transition to treble and will be removed in a future platform
270# version, requiring all hwservices that are labeled with this
271# attribute to be submitted to AOSP in order to maintain their
272# app-visibility.
273attribute untrusted_app_visible_hwservice_violators;
274expandattribute untrusted_app_visible_hwservice_violators false;
275
276# halserver domains that are accessible to untrusted applications.  These
277# domains are typically those hosting  hwservices attributed by the
278# untrusted_app_visible_hwservice_violators.
279# WARNING: Use of this attribute should be avoided unless absolutely necessary.
280# It is a temporary allowance to aid the transition to treble and will be
281# removed in the future platform version, requiring all halserver domains that
282# are labeled with this attribute to be submitted to AOSP in order to maintain
283# their app-visibility.
284attribute untrusted_app_visible_halserver_violators;
285expandattribute untrusted_app_visible_halserver_violators false;
286
287# PDX services
288attribute pdx_endpoint_dir_type;
289attribute pdx_endpoint_socket_type;
290expandattribute pdx_endpoint_socket_type false;
291attribute pdx_channel_socket_type;
292expandattribute pdx_channel_socket_type false;
293
294pdx_service_attributes(display_client)
295pdx_service_attributes(display_manager)
296pdx_service_attributes(display_screenshot)
297pdx_service_attributes(display_vsync)
298pdx_service_attributes(performance_client)
299pdx_service_attributes(bufferhub_client)
300
301# All HAL servers
302attribute halserverdomain;
303# All HAL clients
304attribute halclientdomain;
305expandattribute halclientdomain true;
306
307# Exempt for halserverdomain to access sockets. Only builds for automotive
308# device types are allowed to use this attribute (enforced by CTS).
309# Unlike phone, in a car many modules are external from Android perspective and
310# HALs should be able to communicate with those devices through sockets.
311attribute hal_automotive_socket_exemption;
312
313# HALs
314hal_attribute(allocator);
315hal_attribute(atrace);
316hal_attribute(audio);
317hal_attribute(audiocontrol);
318hal_attribute(authsecret);
319hal_attribute(bluetooth);
320hal_attribute(bootctl);
321hal_attribute(bufferhub);
322hal_attribute(broadcastradio);
323hal_attribute(camera);
324hal_attribute(can_bus);
325hal_attribute(can_controller);
326hal_attribute(cas);
327hal_attribute(codec2);
328hal_attribute(configstore);
329hal_attribute(confirmationui);
330hal_attribute(contexthub);
331hal_attribute(drm);
332hal_attribute(dumpstate);
333hal_attribute(evs);
334hal_attribute(face);
335hal_attribute(fingerprint);
336hal_attribute(gatekeeper);
337hal_attribute(gnss);
338hal_attribute(graphics_allocator);
339hal_attribute(graphics_composer);
340hal_attribute(health);
341hal_attribute(health_storage);
342hal_attribute(identity);
343hal_attribute(input_classifier);
344hal_attribute(ir);
345hal_attribute(keymaster);
346hal_attribute(keymint);
347hal_attribute(light);
348hal_attribute(lowpan);
349hal_attribute(memtrack);
350hal_attribute(neuralnetworks);
351hal_attribute(nfc);
352hal_attribute(oemlock);
353hal_attribute(omx);
354hal_attribute(power);
355hal_attribute(power_stats);
356hal_attribute(rebootescrow);
357hal_attribute(secure_element);
358hal_attribute(sensors);
359hal_attribute(telephony);
360hal_attribute(tetheroffload);
361hal_attribute(thermal);
362hal_attribute(tv_cec);
363hal_attribute(tv_input);
364hal_attribute(tv_tuner);
365hal_attribute(usb);
366hal_attribute(usb_gadget);
367hal_attribute(uwb);
368hal_attribute(vehicle);
369hal_attribute(vibrator);
370hal_attribute(vr);
371hal_attribute(weaver);
372hal_attribute(wifi);
373hal_attribute(wifi_hostapd);
374hal_attribute(wifi_supplicant);
375
376# HwBinder services offered across the core-vendor boundary
377#
378# We annotate server domains with x_server  to loosen the coupling between
379# system and vendor images. For example, it should be possible to move a service
380# from one core domain to another, without having to update the vendor image
381# which contains clients of this service.
382
383attribute automotive_display_service_server;
384attribute camera_service_server;
385attribute display_service_server;
386attribute scheduler_service_server;
387attribute sensor_service_server;
388attribute stats_service_server;
389attribute system_suspend_internal_server;
390attribute system_suspend_server;
391attribute wifi_keystore_service_server;
392
393# All types used for super partition block devices.
394attribute super_block_device_type;
395
396# All types used for DMA-BUF heaps
397attribute dmabuf_heap_device_type;
398expandattribute dmabuf_heap_device_type false;
399
400# All types used for DSU metadata files.
401attribute gsi_metadata_file_type;
402