CTS/src/example_input_policy.conf

#line 1 "external/sepolicy/security_classes"
# FLASK

#
# Define the security object classes
#

# Classes marked as userspace are classes
# for userspace object managers

class security
class process
class system
class capability

# file-related classes
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file

# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket

# sysv-ipc-related classes
class sem
class msg
class msgq
class shm
class ipc

#
# userspace object manager classes
#

# passwd/chfn/chsh
class passwd			# userspace

# SE-X Windows stuff (more classes below)
class x_drawable		# userspace
class x_screen			# userspace
class x_gc			# userspace
class x_font			# userspace
class x_colormap		# userspace
class x_property		# userspace
class x_selection		# userspace
class x_cursor			# userspace
class x_client			# userspace
class x_device			# userspace
class x_server			# userspace
class x_extension		# userspace

# extended netlink sockets
class netlink_route_socket
class netlink_firewall_socket
class netlink_tcpdiag_socket
class netlink_nflog_socket
class netlink_xfrm_socket
class netlink_selinux_socket
class netlink_audit_socket
class netlink_ip6fw_socket
class netlink_dnrt_socket

class dbus			# userspace
class nscd			# userspace

# IPSec association
class association

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket

class appletalk_socket

class packet

# Kernel access key retention
class key

class context			# userspace

class dccp_socket

class memprotect

class db_database		# userspace
class db_table			# userspace
class db_procedure		# userspace
class db_column			# userspace
class db_tuple			# userspace
class db_blob			# userspace

# network peer labels
class peer

# Capabilities >= 32
class capability2

# More SE-X Windows stuff
class x_resource		# userspace
class x_event			# userspace
class x_synthetic_event		# userspace
class x_application_data	# userspace

# kernel services that need to override task security, e.g. cachefiles
class kernel_service

class tun_socket

# Still More SE-X Windows stuff
class x_pointer			# userspace
class x_keyboard		# userspace

# More Database stuff
class db_schema			# userspace
class db_view			# userspace
class db_sequence		# userspace
class db_language		# userspace

class binder
class zygote

# Property service
class property_service          # userspace

# FLASK
#line 1 "external/sepolicy/initial_sids"
# FLASK

#
# Define initial security identifiers
#

sid kernel
sid security
sid unlabeled
sid fs
sid file
sid file_labels
sid init
sid any_socket
sid port
sid netif
sid netmsg
sid node
sid igmp_packet
sid icmp_socket
sid tcp_socket
sid sysctl_modprobe
sid sysctl
sid sysctl_fs
sid sysctl_kernel
sid sysctl_net
sid sysctl_net_unix
sid sysctl_vm
sid sysctl_dev
sid kmod
sid policy
sid scmp_packet
sid devnull

# FLASK
#line 1 "external/sepolicy/access_vectors"
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }


#
# Define a common prefix for file access vectors.
#

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
}


#
# Define a common prefix for socket access vectors.
#

common socket
{
# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

#
# Define a common prefix for ipc access vectors.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
#  Define a common prefix for userspace database object access vectors.
#

common database
{
	create
	drop
	getattr
	setattr
	relabelfrom
	relabelto
}

#
# Define a common prefix for pointer and keyboard access vectors.
#

common x_device
{
	getattr
	setattr
	use
	read
	write
	getfocus
	setfocus
	bell
	force_cursor
	freeze
	grab
	manage
	list_property
	get_property
	set_property
	add
	remove
	create
	destroy
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }


#
# Define the access vector interpretation for file-related objects.
#

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
	quotamod
	quotaget
}

class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
	open
	audit_access
	execmod
}

class file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

class lnk_file
inherits file
{
	open
	audit_access
	execmod
}

class chr_file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

class blk_file
inherits file
{
	open
	audit_access
	execmod
}

class sock_file
inherits file
{
	open
	audit_access
	execmod
}

class fifo_file
inherits file
{
	open
	audit_access
	execmod
}

class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#

class socket
inherits socket

class tcp_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
	node_bind
	name_connect
}

class udp_socket
inherits socket
{
	node_bind
}

class rawip_socket
inherits socket
{
	node_bind
}

class node
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
	dccp_recv
	dccp_send
	recvfrom
	sendto
}

class netif
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	dccp_recv
	dccp_send
	ingress
	egress
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class unix_dgram_socket
inherits socket

#
# Define the access vector interpretation for process-related objects
#

class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal  # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	execmem
	execstack
	execheap
	setkeycreate
	setsockcreate
}


#
# Define the access vector interpretation for ipc-related objects
#

class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server.
#

class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce     # was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
}


#
# Define the access vector interpretation for system operations.
#

class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
}

#
# Define the access vector interpretation for controling capabilies
#

class capability
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the capability2 class.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}

class capability2
{
	mac_override	# unused by SELinux
	mac_admin	# unused by SELinux
	syslog
	wake_alarm
	block_suspend
}

#
# Define the access vector interpretation for controlling
# changes to passwd information.
#
class passwd
{
	passwd	# change another user passwd
	chfn	# change another user finger info
	chsh	# change another user shell
	rootok  # pam_rootok check (skip auth)
	crontab # crontab on another user
}

#
# SE-X Windows stuff
#
class x_drawable
{
	create
	destroy
	read
	write
	blend
	getattr
	setattr
	list_child
	add_child
	remove_child
	list_property
	get_property
	set_property
	manage
	override
	show
	hide
	send
	receive
}

class x_screen
{
	getattr
	setattr
	hide_cursor
	show_cursor
	saver_getattr
	saver_setattr
	saver_hide
	saver_show
}

class x_gc
{
	create
	destroy
	getattr
	setattr
	use
}

class x_font
{
	create
	destroy
	getattr
	add_glyph
	remove_glyph
	use
}

class x_colormap
{
	create
	destroy
	read
	write
	getattr
	add_color
	remove_color
	install
	uninstall
	use
}

class x_property
{
	create
	destroy
	read
	write
	append
	getattr
	setattr
}

class x_selection
{
	read
	write
	getattr
	setattr
}

class x_cursor
{
	create
	destroy
	read
	write
	getattr
	setattr
	use
}

class x_client
{
	destroy
	getattr
	setattr
	manage
}

class x_device
inherits x_device

class x_server
{
	getattr
	setattr
	record
	debug
	grab
	manage
}

class x_extension
{
	query
	use
}

class x_resource
{
	read
	write
}

class x_event
{
	send
	receive
}

class x_synthetic_event
{
	send
	receive
}

#
# Extended Netlink classes
#
class netlink_route_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_firewall_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_tcpdiag_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_nflog_socket
inherits socket

class netlink_xfrm_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_selinux_socket
inherits socket

class netlink_audit_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}

class netlink_ip6fw_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_dnrt_socket
inherits socket

# Define the access vector interpretation for controlling
# access and communication through the D-BUS messaging
# system.
#
class dbus
{
	acquire_svc
	send_msg
}

# Define the access vector interpretation for controlling
# access through the name service cache daemon (nscd).
#
class nscd
{
	getpwd
	getgrp
	gethost
	getstat
	admin
	shmempwd
	shmemgrp
	shmemhost
	getserv
	shmemserv
}

# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
	sendto
	recvfrom
	setcontext
	polmatch
}

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket

class appletalk_socket
inherits socket

class packet
{
	send
	recv
	relabelto
	flow_in		# deprecated
	flow_out	# deprecated
	forward_in
	forward_out
}

class key
{
	view
	read
	write
	search
	link
	setattr
	create
}

class context
{
	translate
	contains
}

class dccp_socket
inherits socket
{
	node_bind
	name_connect
}

class memprotect
{
	mmap_zero
}

class db_database
inherits database
{
	access
	install_module
	load_module
	get_param	# deprecated
	set_param	# deprecated
}

class db_table
inherits database
{
	use		# deprecated
	select
	update
	insert
	delete
	lock
}

class db_procedure
inherits database
{
	execute
	entrypoint
	install
}

class db_column
inherits database
{
	use		# deprecated
	select
	update
	insert
}

class db_tuple
{
	relabelfrom
	relabelto
	use		# deprecated
	select
	update
	insert
	delete
}

class db_blob
inherits database
{
	read
	write
	import
	export
}

# network peer labels
class peer
{
	recv
}

class x_application_data
{
	paste
	paste_after_confirm
	copy
}

class kernel_service
{
	use_as_override
	create_files_as
}

class tun_socket
inherits socket

class x_pointer
inherits x_device

class x_keyboard
inherits x_device

class db_schema
inherits database
{
	search
	add_name
	remove_name
}

class db_view
inherits database
{
	expand
}

class db_sequence
inherits database
{
	get_value
	next_value
	set_value
}

class db_language
inherits database
{
	implement
	execute
}

class binder
{
	impersonate
	call
	set_context_mgr
	transfer
}

class zygote
{
	specifyids
	specifyrlimits
	specifycapabilities
	specifyinvokewith
	specifyseinfo
}

class property_service
{
	set
}
#line 1 "external/sepolicy/global_macros"
#####################################
# Common groupings of object classes.
#


#####################################
# Common groupings of permissions.
#


#####################################
# Common socket permission sets.


#line 1 "external/sepolicy/mls_macros"
########################################
#
# gen_cats(N)
#
# declares categores c0 to c(N-1)
#
#line 10


########################################
#
# gen_sens(N)
#
# declares sensitivites s0 to s(N-1) with dominance
# in increasing numeric order with s0 lowest, s(N-1) highest
#
#line 24


#line 34


########################################
#
# gen_levels(N,M)
#
# levels from s0 to (N-1) with categories c0 to (M-1)
#
#line 45


########################################
#
# Basic level names for system low and high
#


#line 1 "external/sepolicy/mls"
#########################################
# MLS declarations
#

# Generate the desired number of sensitivities and categories.

#line 6
# Each sensitivity has a name and zero or more aliases.
#line 6
sensitivity s0;
#line 6

#line 6

#line 6
# Define the ordering of the sensitivity levels (least to greatest)
#line 6
dominance { s0  }
#line 6

category c0;
#line 7
category c1;
#line 7
category c2;
#line 7
category c3;
#line 7
category c4;
#line 7
category c5;
#line 7
category c6;
#line 7
category c7;
#line 7
category c8;
#line 7
category c9;
#line 7
category c10;
#line 7
category c11;
#line 7
category c12;
#line 7
category c13;
#line 7
category c14;
#line 7
category c15;
#line 7
category c16;
#line 7
category c17;
#line 7
category c18;
#line 7
category c19;
#line 7
category c20;
#line 7
category c21;
#line 7
category c22;
#line 7
category c23;
#line 7
category c24;
#line 7
category c25;
#line 7
category c26;
#line 7
category c27;
#line 7
category c28;
#line 7
category c29;
#line 7
category c30;
#line 7
category c31;
#line 7
category c32;
#line 7
category c33;
#line 7
category c34;
#line 7
category c35;
#line 7
category c36;
#line 7
category c37;
#line 7
category c38;
#line 7
category c39;
#line 7
category c40;
#line 7
category c41;
#line 7
category c42;
#line 7
category c43;
#line 7
category c44;
#line 7
category c45;
#line 7
category c46;
#line 7
category c47;
#line 7
category c48;
#line 7
category c49;
#line 7
category c50;
#line 7
category c51;
#line 7
category c52;
#line 7
category c53;
#line 7
category c54;
#line 7
category c55;
#line 7
category c56;
#line 7
category c57;
#line 7
category c58;
#line 7
category c59;
#line 7
category c60;
#line 7
category c61;
#line 7
category c62;
#line 7
category c63;
#line 7
category c64;
#line 7
category c65;
#line 7
category c66;
#line 7
category c67;
#line 7
category c68;
#line 7
category c69;
#line 7
category c70;
#line 7
category c71;
#line 7
category c72;
#line 7
category c73;
#line 7
category c74;
#line 7
category c75;
#line 7
category c76;
#line 7
category c77;
#line 7
category c78;
#line 7
category c79;
#line 7
category c80;
#line 7
category c81;
#line 7
category c82;
#line 7
category c83;
#line 7
category c84;
#line 7
category c85;
#line 7
category c86;
#line 7
category c87;
#line 7
category c88;
#line 7
category c89;
#line 7
category c90;
#line 7
category c91;
#line 7
category c92;
#line 7
category c93;
#line 7
category c94;
#line 7
category c95;
#line 7
category c96;
#line 7
category c97;
#line 7
category c98;
#line 7
category c99;
#line 7
category c100;
#line 7
category c101;
#line 7
category c102;
#line 7
category c103;
#line 7
category c104;
#line 7
category c105;
#line 7
category c106;
#line 7
category c107;
#line 7
category c108;
#line 7
category c109;
#line 7
category c110;
#line 7
category c111;
#line 7
category c112;
#line 7
category c113;
#line 7
category c114;
#line 7
category c115;
#line 7
category c116;
#line 7
category c117;
#line 7
category c118;
#line 7
category c119;
#line 7
category c120;
#line 7
category c121;
#line 7
category c122;
#line 7
category c123;
#line 7
category c124;
#line 7
category c125;
#line 7
category c126;
#line 7
category c127;
#line 7
category c128;
#line 7
category c129;
#line 7
category c130;
#line 7
category c131;
#line 7
category c132;
#line 7
category c133;
#line 7
category c134;
#line 7
category c135;
#line 7
category c136;
#line 7
category c137;
#line 7
category c138;
#line 7
category c139;
#line 7
category c140;
#line 7
category c141;
#line 7
category c142;
#line 7
category c143;
#line 7
category c144;
#line 7
category c145;
#line 7
category c146;
#line 7
category c147;
#line 7
category c148;
#line 7
category c149;
#line 7
category c150;
#line 7
category c151;
#line 7
category c152;
#line 7
category c153;
#line 7
category c154;
#line 7
category c155;
#line 7
category c156;
#line 7
category c157;
#line 7
category c158;
#line 7
category c159;
#line 7
category c160;
#line 7
category c161;
#line 7
category c162;
#line 7
category c163;
#line 7
category c164;
#line 7
category c165;
#line 7
category c166;
#line 7
category c167;
#line 7
category c168;
#line 7
category c169;
#line 7
category c170;
#line 7
category c171;
#line 7
category c172;
#line 7
category c173;
#line 7
category c174;
#line 7
category c175;
#line 7
category c176;
#line 7
category c177;
#line 7
category c178;
#line 7
category c179;
#line 7
category c180;
#line 7
category c181;
#line 7
category c182;
#line 7
category c183;
#line 7
category c184;
#line 7
category c185;
#line 7
category c186;
#line 7
category c187;
#line 7
category c188;
#line 7
category c189;
#line 7
category c190;
#line 7
category c191;
#line 7
category c192;
#line 7
category c193;
#line 7
category c194;
#line 7
category c195;
#line 7
category c196;
#line 7
category c197;
#line 7
category c198;
#line 7
category c199;
#line 7
category c200;
#line 7
category c201;
#line 7
category c202;
#line 7
category c203;
#line 7
category c204;
#line 7
category c205;
#line 7
category c206;
#line 7
category c207;
#line 7
category c208;
#line 7
category c209;
#line 7
category c210;
#line 7
category c211;
#line 7
category c212;
#line 7
category c213;
#line 7
category c214;
#line 7
category c215;
#line 7
category c216;
#line 7
category c217;
#line 7
category c218;
#line 7
category c219;
#line 7
category c220;
#line 7
category c221;
#line 7
category c222;
#line 7
category c223;
#line 7
category c224;
#line 7
category c225;
#line 7
category c226;
#line 7
category c227;
#line 7
category c228;
#line 7
category c229;
#line 7
category c230;
#line 7
category c231;
#line 7
category c232;
#line 7
category c233;
#line 7
category c234;
#line 7
category c235;
#line 7
category c236;
#line 7
category c237;
#line 7
category c238;
#line 7
category c239;
#line 7
category c240;
#line 7
category c241;
#line 7
category c242;
#line 7
category c243;
#line 7
category c244;
#line 7
category c245;
#line 7
category c246;
#line 7
category c247;
#line 7
category c248;
#line 7
category c249;
#line 7
category c250;
#line 7
category c251;
#line 7
category c252;
#line 7
category c253;
#line 7
category c254;
#line 7
category c255;
#line 7
category c256;
#line 7
category c257;
#line 7
category c258;
#line 7
category c259;
#line 7
category c260;
#line 7
category c261;
#line 7
category c262;
#line 7
category c263;
#line 7
category c264;
#line 7
category c265;
#line 7
category c266;
#line 7
category c267;
#line 7
category c268;
#line 7
category c269;
#line 7
category c270;
#line 7
category c271;
#line 7
category c272;
#line 7
category c273;
#line 7
category c274;
#line 7
category c275;
#line 7
category c276;
#line 7
category c277;
#line 7
category c278;
#line 7
category c279;
#line 7
category c280;
#line 7
category c281;
#line 7
category c282;
#line 7
category c283;
#line 7
category c284;
#line 7
category c285;
#line 7
category c286;
#line 7
category c287;
#line 7
category c288;
#line 7
category c289;
#line 7
category c290;
#line 7
category c291;
#line 7
category c292;
#line 7
category c293;
#line 7
category c294;
#line 7
category c295;
#line 7
category c296;
#line 7
category c297;
#line 7
category c298;
#line 7
category c299;
#line 7
category c300;
#line 7
category c301;
#line 7
category c302;
#line 7
category c303;
#line 7
category c304;
#line 7
category c305;
#line 7
category c306;
#line 7
category c307;
#line 7
category c308;
#line 7
category c309;
#line 7
category c310;
#line 7
category c311;
#line 7
category c312;
#line 7
category c313;
#line 7
category c314;
#line 7
category c315;
#line 7
category c316;
#line 7
category c317;
#line 7
category c318;
#line 7
category c319;
#line 7
category c320;
#line 7
category c321;
#line 7
category c322;
#line 7
category c323;
#line 7
category c324;
#line 7
category c325;
#line 7
category c326;
#line 7
category c327;
#line 7
category c328;
#line 7
category c329;
#line 7
category c330;
#line 7
category c331;
#line 7
category c332;
#line 7
category c333;
#line 7
category c334;
#line 7
category c335;
#line 7
category c336;
#line 7
category c337;
#line 7
category c338;
#line 7
category c339;
#line 7
category c340;
#line 7
category c341;
#line 7
category c342;
#line 7
category c343;
#line 7
category c344;
#line 7
category c345;
#line 7
category c346;
#line 7
category c347;
#line 7
category c348;
#line 7
category c349;
#line 7
category c350;
#line 7
category c351;
#line 7
category c352;
#line 7
category c353;
#line 7
category c354;
#line 7
category c355;
#line 7
category c356;
#line 7
category c357;
#line 7
category c358;
#line 7
category c359;
#line 7
category c360;
#line 7
category c361;
#line 7
category c362;
#line 7
category c363;
#line 7
category c364;
#line 7
category c365;
#line 7
category c366;
#line 7
category c367;
#line 7
category c368;
#line 7
category c369;
#line 7
category c370;
#line 7
category c371;
#line 7
category c372;
#line 7
category c373;
#line 7
category c374;
#line 7
category c375;
#line 7
category c376;
#line 7
category c377;
#line 7
category c378;
#line 7
category c379;
#line 7
category c380;
#line 7
category c381;
#line 7
category c382;
#line 7
category c383;
#line 7
category c384;
#line 7
category c385;
#line 7
category c386;
#line 7
category c387;
#line 7
category c388;
#line 7
category c389;
#line 7
category c390;
#line 7
category c391;
#line 7
category c392;
#line 7
category c393;
#line 7
category c394;
#line 7
category c395;
#line 7
category c396;
#line 7
category c397;
#line 7
category c398;
#line 7
category c399;
#line 7
category c400;
#line 7
category c401;
#line 7
category c402;
#line 7
category c403;
#line 7
category c404;
#line 7
category c405;
#line 7
category c406;
#line 7
category c407;
#line 7
category c408;
#line 7
category c409;
#line 7
category c410;
#line 7
category c411;
#line 7
category c412;
#line 7
category c413;
#line 7
category c414;
#line 7
category c415;
#line 7
category c416;
#line 7
category c417;
#line 7
category c418;
#line 7
category c419;
#line 7
category c420;
#line 7
category c421;
#line 7
category c422;
#line 7
category c423;
#line 7
category c424;
#line 7
category c425;
#line 7
category c426;
#line 7
category c427;
#line 7
category c428;
#line 7
category c429;
#line 7
category c430;
#line 7
category c431;
#line 7
category c432;
#line 7
category c433;
#line 7
category c434;
#line 7
category c435;
#line 7
category c436;
#line 7
category c437;
#line 7
category c438;
#line 7
category c439;
#line 7
category c440;
#line 7
category c441;
#line 7
category c442;
#line 7
category c443;
#line 7
category c444;
#line 7
category c445;
#line 7
category c446;
#line 7
category c447;
#line 7
category c448;
#line 7
category c449;
#line 7
category c450;
#line 7
category c451;
#line 7
category c452;
#line 7
category c453;
#line 7
category c454;
#line 7
category c455;
#line 7
category c456;
#line 7
category c457;
#line 7
category c458;
#line 7
category c459;
#line 7
category c460;
#line 7
category c461;
#line 7
category c462;
#line 7
category c463;
#line 7
category c464;
#line 7
category c465;
#line 7
category c466;
#line 7
category c467;
#line 7
category c468;
#line 7
category c469;
#line 7
category c470;
#line 7
category c471;
#line 7
category c472;
#line 7
category c473;
#line 7
category c474;
#line 7
category c475;
#line 7
category c476;
#line 7
category c477;
#line 7
category c478;
#line 7
category c479;
#line 7
category c480;
#line 7
category c481;
#line 7
category c482;
#line 7
category c483;
#line 7
category c484;
#line 7
category c485;
#line 7
category c486;
#line 7
category c487;
#line 7
category c488;
#line 7
category c489;
#line 7
category c490;
#line 7
category c491;
#line 7
category c492;
#line 7
category c493;
#line 7
category c494;
#line 7
category c495;
#line 7
category c496;
#line 7
category c497;
#line 7
category c498;
#line 7
category c499;
#line 7
category c500;
#line 7
category c501;
#line 7
category c502;
#line 7
category c503;
#line 7
category c504;
#line 7
category c505;
#line 7
category c506;
#line 7
category c507;
#line 7
category c508;
#line 7
category c509;
#line 7
category c510;
#line 7
category c511;
#line 7
category c512;
#line 7
category c513;
#line 7
category c514;
#line 7
category c515;
#line 7
category c516;
#line 7
category c517;
#line 7
category c518;
#line 7
category c519;
#line 7
category c520;
#line 7
category c521;
#line 7
category c522;
#line 7
category c523;
#line 7
category c524;
#line 7
category c525;
#line 7
category c526;
#line 7
category c527;
#line 7
category c528;
#line 7
category c529;
#line 7
category c530;
#line 7
category c531;
#line 7
category c532;
#line 7
category c533;
#line 7
category c534;
#line 7
category c535;
#line 7
category c536;
#line 7
category c537;
#line 7
category c538;
#line 7
category c539;
#line 7
category c540;
#line 7
category c541;
#line 7
category c542;
#line 7
category c543;
#line 7
category c544;
#line 7
category c545;
#line 7
category c546;
#line 7
category c547;
#line 7
category c548;
#line 7
category c549;
#line 7
category c550;
#line 7
category c551;
#line 7
category c552;
#line 7
category c553;
#line 7
category c554;
#line 7
category c555;
#line 7
category c556;
#line 7
category c557;
#line 7
category c558;
#line 7
category c559;
#line 7
category c560;
#line 7
category c561;
#line 7
category c562;
#line 7
category c563;
#line 7
category c564;
#line 7
category c565;
#line 7
category c566;
#line 7
category c567;
#line 7
category c568;
#line 7
category c569;
#line 7
category c570;
#line 7
category c571;
#line 7
category c572;
#line 7
category c573;
#line 7
category c574;
#line 7
category c575;
#line 7
category c576;
#line 7
category c577;
#line 7
category c578;
#line 7
category c579;
#line 7
category c580;
#line 7
category c581;
#line 7
category c582;
#line 7
category c583;
#line 7
category c584;
#line 7
category c585;
#line 7
category c586;
#line 7
category c587;
#line 7
category c588;
#line 7
category c589;
#line 7
category c590;
#line 7
category c591;
#line 7
category c592;
#line 7
category c593;
#line 7
category c594;
#line 7
category c595;
#line 7
category c596;
#line 7
category c597;
#line 7
category c598;
#line 7
category c599;
#line 7
category c600;
#line 7
category c601;
#line 7
category c602;
#line 7
category c603;
#line 7
category c604;
#line 7
category c605;
#line 7
category c606;
#line 7
category c607;
#line 7
category c608;
#line 7
category c609;
#line 7
category c610;
#line 7
category c611;
#line 7
category c612;
#line 7
category c613;
#line 7
category c614;
#line 7
category c615;
#line 7
category c616;
#line 7
category c617;
#line 7
category c618;
#line 7
category c619;
#line 7
category c620;
#line 7
category c621;
#line 7
category c622;
#line 7
category c623;
#line 7
category c624;
#line 7
category c625;
#line 7
category c626;
#line 7
category c627;
#line 7
category c628;
#line 7
category c629;
#line 7
category c630;
#line 7
category c631;
#line 7
category c632;
#line 7
category c633;
#line 7
category c634;
#line 7
category c635;
#line 7
category c636;
#line 7
category c637;
#line 7
category c638;
#line 7
category c639;
#line 7
category c640;
#line 7
category c641;
#line 7
category c642;
#line 7
category c643;
#line 7
category c644;
#line 7
category c645;
#line 7
category c646;
#line 7
category c647;
#line 7
category c648;
#line 7
category c649;
#line 7
category c650;
#line 7
category c651;
#line 7
category c652;
#line 7
category c653;
#line 7
category c654;
#line 7
category c655;
#line 7
category c656;
#line 7
category c657;
#line 7
category c658;
#line 7
category c659;
#line 7
category c660;
#line 7
category c661;
#line 7
category c662;
#line 7
category c663;
#line 7
category c664;
#line 7
category c665;
#line 7
category c666;
#line 7
category c667;
#line 7
category c668;
#line 7
category c669;
#line 7
category c670;
#line 7
category c671;
#line 7
category c672;
#line 7
category c673;
#line 7
category c674;
#line 7
category c675;
#line 7
category c676;
#line 7
category c677;
#line 7
category c678;
#line 7
category c679;
#line 7
category c680;
#line 7
category c681;
#line 7
category c682;
#line 7
category c683;
#line 7
category c684;
#line 7
category c685;
#line 7
category c686;
#line 7
category c687;
#line 7
category c688;
#line 7
category c689;
#line 7
category c690;
#line 7
category c691;
#line 7
category c692;
#line 7
category c693;
#line 7
category c694;
#line 7
category c695;
#line 7
category c696;
#line 7
category c697;
#line 7
category c698;
#line 7
category c699;
#line 7
category c700;
#line 7
category c701;
#line 7
category c702;
#line 7
category c703;
#line 7
category c704;
#line 7
category c705;
#line 7
category c706;
#line 7
category c707;
#line 7
category c708;
#line 7
category c709;
#line 7
category c710;
#line 7
category c711;
#line 7
category c712;
#line 7
category c713;
#line 7
category c714;
#line 7
category c715;
#line 7
category c716;
#line 7
category c717;
#line 7
category c718;
#line 7
category c719;
#line 7
category c720;
#line 7
category c721;
#line 7
category c722;
#line 7
category c723;
#line 7
category c724;
#line 7
category c725;
#line 7
category c726;
#line 7
category c727;
#line 7
category c728;
#line 7
category c729;
#line 7
category c730;
#line 7
category c731;
#line 7
category c732;
#line 7
category c733;
#line 7
category c734;
#line 7
category c735;
#line 7
category c736;
#line 7
category c737;
#line 7
category c738;
#line 7
category c739;
#line 7
category c740;
#line 7
category c741;
#line 7
category c742;
#line 7
category c743;
#line 7
category c744;
#line 7
category c745;
#line 7
category c746;
#line 7
category c747;
#line 7
category c748;
#line 7
category c749;
#line 7
category c750;
#line 7
category c751;
#line 7
category c752;
#line 7
category c753;
#line 7
category c754;
#line 7
category c755;
#line 7
category c756;
#line 7
category c757;
#line 7
category c758;
#line 7
category c759;
#line 7
category c760;
#line 7
category c761;
#line 7
category c762;
#line 7
category c763;
#line 7
category c764;
#line 7
category c765;
#line 7
category c766;
#line 7
category c767;
#line 7
category c768;
#line 7
category c769;
#line 7
category c770;
#line 7
category c771;
#line 7
category c772;
#line 7
category c773;
#line 7
category c774;
#line 7
category c775;
#line 7
category c776;
#line 7
category c777;
#line 7
category c778;
#line 7
category c779;
#line 7
category c780;
#line 7
category c781;
#line 7
category c782;
#line 7
category c783;
#line 7
category c784;
#line 7
category c785;
#line 7
category c786;
#line 7
category c787;
#line 7
category c788;
#line 7
category c789;
#line 7
category c790;
#line 7
category c791;
#line 7
category c792;
#line 7
category c793;
#line 7
category c794;
#line 7
category c795;
#line 7
category c796;
#line 7
category c797;
#line 7
category c798;
#line 7
category c799;
#line 7
category c800;
#line 7
category c801;
#line 7
category c802;
#line 7
category c803;
#line 7
category c804;
#line 7
category c805;
#line 7
category c806;
#line 7
category c807;
#line 7
category c808;
#line 7
category c809;
#line 7
category c810;
#line 7
category c811;
#line 7
category c812;
#line 7
category c813;
#line 7
category c814;
#line 7
category c815;
#line 7
category c816;
#line 7
category c817;
#line 7
category c818;
#line 7
category c819;
#line 7
category c820;
#line 7
category c821;
#line 7
category c822;
#line 7
category c823;
#line 7
category c824;
#line 7
category c825;
#line 7
category c826;
#line 7
category c827;
#line 7
category c828;
#line 7
category c829;
#line 7
category c830;
#line 7
category c831;
#line 7
category c832;
#line 7
category c833;
#line 7
category c834;
#line 7
category c835;
#line 7
category c836;
#line 7
category c837;
#line 7
category c838;
#line 7
category c839;
#line 7
category c840;
#line 7
category c841;
#line 7
category c842;
#line 7
category c843;
#line 7
category c844;
#line 7
category c845;
#line 7
category c846;
#line 7
category c847;
#line 7
category c848;
#line 7
category c849;
#line 7
category c850;
#line 7
category c851;
#line 7
category c852;
#line 7
category c853;
#line 7
category c854;
#line 7
category c855;
#line 7
category c856;
#line 7
category c857;
#line 7
category c858;
#line 7
category c859;
#line 7
category c860;
#line 7
category c861;
#line 7
category c862;
#line 7
category c863;
#line 7
category c864;
#line 7
category c865;
#line 7
category c866;
#line 7
category c867;
#line 7
category c868;
#line 7
category c869;
#line 7
category c870;
#line 7
category c871;
#line 7
category c872;
#line 7
category c873;
#line 7
category c874;
#line 7
category c875;
#line 7
category c876;
#line 7
category c877;
#line 7
category c878;
#line 7
category c879;
#line 7
category c880;
#line 7
category c881;
#line 7
category c882;
#line 7
category c883;
#line 7
category c884;
#line 7
category c885;
#line 7
category c886;
#line 7
category c887;
#line 7
category c888;
#line 7
category c889;
#line 7
category c890;
#line 7
category c891;
#line 7
category c892;
#line 7
category c893;
#line 7
category c894;
#line 7
category c895;
#line 7
category c896;
#line 7
category c897;
#line 7
category c898;
#line 7
category c899;
#line 7
category c900;
#line 7
category c901;
#line 7
category c902;
#line 7
category c903;
#line 7
category c904;
#line 7
category c905;
#line 7
category c906;
#line 7
category c907;
#line 7
category c908;
#line 7
category c909;
#line 7
category c910;
#line 7
category c911;
#line 7
category c912;
#line 7
category c913;
#line 7
category c914;
#line 7
category c915;
#line 7
category c916;
#line 7
category c917;
#line 7
category c918;
#line 7
category c919;
#line 7
category c920;
#line 7
category c921;
#line 7
category c922;
#line 7
category c923;
#line 7
category c924;
#line 7
category c925;
#line 7
category c926;
#line 7
category c927;
#line 7
category c928;
#line 7
category c929;
#line 7
category c930;
#line 7
category c931;
#line 7
category c932;
#line 7
category c933;
#line 7
category c934;
#line 7
category c935;
#line 7
category c936;
#line 7
category c937;
#line 7
category c938;
#line 7
category c939;
#line 7
category c940;
#line 7
category c941;
#line 7
category c942;
#line 7
category c943;
#line 7
category c944;
#line 7
category c945;
#line 7
category c946;
#line 7
category c947;
#line 7
category c948;
#line 7
category c949;
#line 7
category c950;
#line 7
category c951;
#line 7
category c952;
#line 7
category c953;
#line 7
category c954;
#line 7
category c955;
#line 7
category c956;
#line 7
category c957;
#line 7
category c958;
#line 7
category c959;
#line 7
category c960;
#line 7
category c961;
#line 7
category c962;
#line 7
category c963;
#line 7
category c964;
#line 7
category c965;
#line 7
category c966;
#line 7
category c967;
#line 7
category c968;
#line 7
category c969;
#line 7
category c970;
#line 7
category c971;
#line 7
category c972;
#line 7
category c973;
#line 7
category c974;
#line 7
category c975;
#line 7
category c976;
#line 7
category c977;
#line 7
category c978;
#line 7
category c979;
#line 7
category c980;
#line 7
category c981;
#line 7
category c982;
#line 7
category c983;
#line 7
category c984;
#line 7
category c985;
#line 7
category c986;
#line 7
category c987;
#line 7
category c988;
#line 7
category c989;
#line 7
category c990;
#line 7
category c991;
#line 7
category c992;
#line 7
category c993;
#line 7
category c994;
#line 7
category c995;
#line 7
category c996;
#line 7
category c997;
#line 7
category c998;
#line 7
category c999;
#line 7
category c1000;
#line 7
category c1001;
#line 7
category c1002;
#line 7
category c1003;
#line 7
category c1004;
#line 7
category c1005;
#line 7
category c1006;
#line 7
category c1007;
#line 7
category c1008;
#line 7
category c1009;
#line 7
category c1010;
#line 7
category c1011;
#line 7
category c1012;
#line 7
category c1013;
#line 7
category c1014;
#line 7
category c1015;
#line 7
category c1016;
#line 7
category c1017;
#line 7
category c1018;
#line 7
category c1019;
#line 7
category c1020;
#line 7
category c1021;
#line 7
category c1022;
#line 7
category c1023;
#line 7


# Generate level definitions for each sensitivity and category.
level s0:c0.c1023;
#line 10


#################################################
# MLS policy constraints
#

#
# Process constraints
#

# Process transition:  Require equivalence unless the subject is trusted.
mlsconstrain process { transition dyntransition }
	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);

# Process read operations: No read up unless trusted.
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
	     (l1 dom l2 or t1 == mlstrustedsubject);

# Process write operations:  No write down unless trusted.
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
	     (l1 domby l2 or t1 == mlstrustedsubject);

#
# Socket constraints
#

# Create/relabel operations:  Subject must be equivalent to object unless
# the subject is trusted.  Sockets inherit the range of their creator.
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket } { create relabelfrom relabelto }
	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);

# Datagram send: Sender must be dominated by receiver unless one of them is
# trusted.
mlsconstrain unix_dgram_socket { sendto }
	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

# Stream connect:  Client must be equivalent to server unless one of them
# is trusted.
mlsconstrain unix_stream_socket { connectto }
	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

#
# Directory/file constraints
#

# Create/relabel operations:  Subject must be equivalent to object unless
# the subject is trusted. Also, files should always be single-level.
# Do NOT exempt mlstrustedobject types from this constraint.
mlsconstrain { dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create relabelfrom relabelto }
	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));

#
# Constraints for app data files only.
#

# Only constrain open, not read/write.
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
# Subject must be equivalent to object unless the subject is trusted.
mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
	     (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
	     (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);

#
# Constraints for file types other than app data files.
#

# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
mlsconstrain dir { read getattr search }
	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

# Write operations: Subject must be dominated by the object unless the
# subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
	     (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
	     (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
# creating process' label. Thus we also have an exemption when the "object"
# is a MLS trusted subject and can receive data at any level.
mlsconstrain fifo_file { read getattr }
	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);

mlsconstrain fifo_file { write setattr append unlink link rename }
	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);

#
# IPC constraints
#

# Create/destroy: equivalence or trusted.
mlsconstrain { sem msgq shm ipc } { create destroy }
	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));

# Read ops: No read up unless trusted.
mlsconstrain { sem msgq shm ipc } { getattr read associate unix_read }
	     (l1 dom l2 or t1 == mlstrustedsubject);

# Write ops: No write down unless trusted.
mlsconstrain { sem msgq shm ipc } { write unix_write }
	     (l1 domby l2 or t1 == mlstrustedsubject);

#
# Binder IPC constraints
#
# Presently commented out, as apps are expected to call one another.
# This would only make sense if apps were assigned categories
# based on allowable communications rather than per-app categories.
#mlsconstrain binder call
#	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
#line 1 "external/sepolicy/policy_capabilities"
# Enable new networking controls.
policycap network_peer_controls;

# Enable open permission check.
policycap open_perms;
#line 1 "external/sepolicy/te_macros"
#####################################
# domain_trans(olddomain, type, newdomain)
# Allow a transition from olddomain to newdomain
# upon executing a file labeled with type.
# This only allows the transition; it does not
# cause it to occur automatically - use domain_auto_trans
# if that is what you want.
#
#line 21


#####################################
# domain_auto_trans(olddomain, type, newdomain)
# Automatically transition from olddomain to newdomain
# upon executing a file labeled with type.
#
#line 33


#####################################
# file_type_trans(domain, dir_type, file_type)
# Allow domain to create a file labeled file_type in a
# directory labeled dir_type.
# This only allows the transition; it does not
# cause it to occur automatically - use file_type_auto_trans
# if that is what you want.
#
#line 49


#####################################
# file_type_auto_trans(domain, dir_type, file_type)
# Automatically label new files with file_type when
# they are created by domain in directories labeled dir_type.
#
#line 62


#####################################
# r_dir_file(domain, type)
# Allow the specified domain to read directories, files
# and symbolic links of the specified type.
#line 71


#####################################
# unconfined_domain(domain)
# Allow the specified domain to perform more privileged operations
# than would be typically allowed. Please see the comments at the
# top of unconfined.te.
#
#line 82


#####################################
# tmpfs_domain(domain)
# Define and allow access to a unique type for
# this domain when creating tmpfs / shmem / ashmem files.
#line 92


#####################################
# init_daemon_domain(domain)
# Set up a transition from init to the daemon domain
# upon executing its binary.
#line 101


#####################################
# app_domain(domain)
# Allow a base set of permissions required for all apps.
#line 112


#####################################
# relabelto_domain(domain)
# Allows this domain to use the relabelto permission
#line 119


#####################################
# platform_app_domain(domain)
# Allow permissions specific to platform apps.
#line 127


#####################################
# net_domain(domain)
# Allow a base set of permissions required for network access.
#line 134


#####################################
# bluetooth_domain(domain)
# Allow a base set of permissions required for bluetooth access.
#line 141


#####################################
# unix_socket_connect(clientdomain, socket, serverdomain)
# Allow a local socket connection from clientdomain via
# socket to serverdomain.
#line 150


#####################################
# unix_socket_send(clientdomain, socket, serverdomain)
# Allow a local socket send from clientdomain via
# socket to serverdomain.
#line 159


#####################################
# binder_use(domain)
# Allow domain to use Binder IPC.
#line 169


#####################################
# binder_call(clientdomain, serverdomain)
# Allow clientdomain to perform binder IPC to serverdomain.
#line 181


#####################################
# binder_service(domain)
# Mark a domain as being a Binder service domain.
# Used to allow binder IPC to the various system services.
#line 189


#####################################
# selinux_check_access(domain)
# Allow domain to check SELinux permissions via selinuxfs.
#line 199


#####################################
# selinux_check_context(domain)
# Allow domain to check SELinux contexts via selinuxfs.
#line 208


#####################################
# selinux_getenforce(domain)
# Allow domain to check whether SELinux is enforcing.
#line 216


#####################################
# selinux_setenforce(domain)
# Allow domain to set SELinux to enforcing.
#line 225


#####################################
# selinux_setbool(domain)
# Allow domain to set SELinux booleans.
#line 234


#####################################
# security_access_policy(domain)
# Read only access to all policy files and
# selinuxfs
#line 248


#####################################
# selinux_manage_policy(domain)
# Ability to manage policy files and
# trigger runtime reload.
#line 261


#####################################
# mmac_manage_policy(domain)
# Ability to manage mmac policy files,
# trigger runtime reload, change
# mmac enforcing mode and access logcat.
#line 274


#####################################
# access_kmsg(domain)
# Ability to read from kernel logs
# and execute the klogctl syscall
# in a non destructive manner. See
# man 2 klogctl
#line 284


#####################################
# write_klog(domain)
# Ability to write to kernel log via
# klog_write()
# See system/core/libcutil/klog.c
#line 295


#####################################
# create_pty(domain)
# Allow domain to create and use a pty, isolated from any other domain ptys.
#line 309


#####################################
# Non system_app application set
#


#####################################
# Userdebug or eng builds
# SELinux rules which apply only to userdebug or eng builds
#


#####################################
# permissive_or_unconfined
# Returns "permissive $1" if FORCE_PERMISSIVE_TO_UNCONFINED is false,
# and "unconfined($1)" otherwise.
#
# This is used for experimental domains, where we want to ensure
# the domain is unconfined+enforcing once new SELinux policy development
# has ceased.
#


#####################################
# write_logd(domain)
# Ability to write to android log
# daemon via sockets
#line 345


#####################################
# read_logd(domain)
# Ability to read from android
# log daemon via sockets
#line 353


#####################################
# control_logd(domain)
# Ability to control
# android log daemon via sockets
#line 363

#line 1 "external/sepolicy/attributes"
######################################
# Attribute declarations
#

# All types used for devices.
attribute dev_type;

# All types used for processes.
attribute domain;

# All types used for filesystems.
attribute fs_type;

# All types used for files that can exist on a labeled fs.
# Do not use for pseudo file types.
attribute file_type;

# All types used for domain entry points.
attribute exec_type;

# All types used for /data files.
attribute data_file_type;

# All types use for sysfs files.
attribute sysfs_type;

# Attribute used for all sdcards
attribute sdcard_type;

# All types used for nodes/hosts.
attribute node_type;

# All types used for network interfaces.
attribute netif_type;

# All types used for network ports.
attribute port_type;

# All types used for property service
attribute property_type;

# All domains that can override MLS restrictions.
# i.e. processes that can read up and write down.
attribute mlstrustedsubject;

# All types that can override MLS restrictions.
# i.e. files that can be read by lower and written by higher
attribute mlstrustedobject;

# Domains that are allowed all permissions ("unconfined").
attribute unconfineddomain;

# All domains used for shells.
attribute shelldomain;

# All domains used for apps.
attribute appdomain;

# All domains used for apps with network access.
attribute netdomain;

# All domains used for apps with bluetooth access.
attribute bluetoothdomain;

# All domains used for binder service domains.
attribute binderservicedomain;

# Allow domains used for platform (signed by build key) apps.
attribute platformappdomain;

# All domains which are allowed the "relabelto" permission
attribute relabeltodomain;
#line 1 "external/sepolicy/adbd.te"
# adbd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type adbd, domain;

#line 7


#line 9
# Allow the necessary permissions.
#line 9

#line 9
# Old domain may exec the file and transition to the new domain.
#line 9
allow adbd shell_exec:file { getattr open read execute };
#line 9
allow adbd shell:process transition;
#line 9
# New domain is entered by executing the file.
#line 9
allow shell shell_exec:file { entrypoint read execute };
#line 9
# New domain can send SIGCHLD to its caller.
#line 9
allow shell adbd:process sigchld;
#line 9
# Enable AT_SECURE, i.e. libc secure mode.
#line 9
dontaudit adbd shell:process noatsecure;
#line 9
# XXX dontaudit candidate but requires further study.
#line 9
allow adbd shell:process { siginh rlimitinh };
#line 9

#line 9
# Make the transition occur by default.
#line 9
type_transition adbd shell_exec:process shell;
#line 9

# this is an entrypoint
allow adbd rootfs:file entrypoint;

# Do not sanitize the environment or open fds of the shell.
allow adbd shell:process noatsecure;

# Set UID and GID to shell.  Set supplementary groups.
allow adbd self:capability { setuid setgid };

# Drop capabilities from bounding set on user builds.
allow adbd self:capability setpcap;

# Create and use network sockets.

#line 23
typeattribute adbd netdomain;
#line 23


# Access /dev/android_adb.
allow adbd adb_device:chr_file { { getattr open read ioctl lock } { open append write } };

# On emulator, access /dev/qemu*.
allow adbd qemu_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Use a pseudo tty.
allow adbd devpts:chr_file { { getattr open read ioctl lock } { open append write } };

# adb push/pull /data/local/tmp.
allow adbd shell_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow adbd shell_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# adb push/pull sdcard.
allow adbd sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow adbd sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Set service.adb.*, sys.powerctl properties.

#line 43
allow adbd property_socket:sock_file write;
#line 43
allow adbd init:unix_stream_socket connectto;
#line 43

allow adbd shell_prop:property_service set;
allow adbd powerctl_prop:property_service set;

# XXX Run /system/bin/vdc to connect to vold.  Run in a separate domain?
# Also covers running /system/bin/bu.
allow adbd system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };

#line 50
allow adbd vold_socket:sock_file write;
#line 50
allow adbd vold:unix_stream_socket connectto;
#line 50


# Perform binder IPC to surfaceflinger (screencap)
# XXX Run screencap in a separate domain?

#line 54
# Call the servicemanager and transfer references to it.
#line 54
allow adbd servicemanager:binder { call transfer };
#line 54
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 54
# all domains in domain.te.
#line 54


#line 55
# Call the server domain and optionally transfer references to it.
#line 55
allow adbd surfaceflinger:binder { call transfer };
#line 55
# Allow the serverdomain to transfer references to the client on the reply.
#line 55
allow surfaceflinger adbd:binder transfer;
#line 55
# Receive and use open files from the server.
#line 55
allow adbd surfaceflinger:fd use;
#line 55


# Read /data/misc/adb/adb_keys.
allow adbd adb_keys_file:dir search;
allow adbd adb_keys_file:file { getattr open read ioctl lock };

# Allow access in case /data/misc/adb still has the old type.
allow adbd system_data_file:dir search;
allow adbd system_data_file:file { getattr open read ioctl lock };

# ndk-gdb invokes adb forward to forward the gdbserver socket.
allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto;

# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file { getattr open read ioctl lock };
allow adbd system_file:file { getattr open read ioctl lock };
#line 1 "external/sepolicy/app.te"
###
### Domain for all zygote spawned apps
###
### This file is the base policy for all zygote spawned apps.
### Other policy files, such as isolated_app.te, untrusted_app.te, etc
### extend from this policy. Only policies which should apply to ALL
### zygote spawned apps should be added here.
###

# Dalvik Compiler JIT Mapping.
allow appdomain self:process execmem;
allow appdomain ashmem_device:chr_file execute;

# Allow apps to connect to the keystore

#line 15
allow appdomain keystore_socket:sock_file write;
#line 15
allow appdomain keystore:unix_stream_socket connectto;
#line 15


# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;

# gdbserver for ndk-gdb reads the zygote.
allow appdomain zygote_exec:file { getattr open read ioctl lock };

# gdbserver for ndk-gdb ptrace attaches to app process.
allow appdomain self:process ptrace;

# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;

# Notify zygote of death;
allow appdomain zygote:process sigchld;

# Notify shell and adbd of death when spawned via runas for ndk-gdb.
allow appdomain shell:process sigchld;
allow appdomain adbd:process sigchld;

# child shell or gdbserver pty access for runas.
allow appdomain devpts:chr_file { getattr read write ioctl };

# Communicate with system_server.
allow appdomain system_server:fifo_file { { getattr open read ioctl lock } { open append write } };
allow appdomain system_server:unix_stream_socket { read write setopt };

#line 42
# Call the server domain and optionally transfer references to it.
#line 42
allow appdomain system_server:binder { call transfer };
#line 42
# Allow the serverdomain to transfer references to the client on the reply.
#line 42
allow system_server appdomain:binder transfer;
#line 42
# Receive and use open files from the server.
#line 42
allow appdomain system_server:fd use;
#line 42


# Communication with other apps via fifos
allow appdomain appdomain:fifo_file { { getattr open read ioctl lock } { open append write } };

# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt };

#line 49
# Call the server domain and optionally transfer references to it.
#line 49
allow appdomain surfaceflinger:binder { call transfer };
#line 49
# Allow the serverdomain to transfer references to the client on the reply.
#line 49
allow surfaceflinger appdomain:binder transfer;
#line 49
# Receive and use open files from the server.
#line 49
allow appdomain surfaceflinger:fd use;
#line 49


# App sandbox file accesses.
allow appdomain app_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow appdomain app_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Read/write data files created by the platform apps if they
# were passed to the app via binder or local IPC.  Do not allow open.
allow appdomain platform_app_data_file:file { getattr read write };

# lib subdirectory of /data/data dir is system-owned.
allow appdomain system_data_file:dir { open getattr read search ioctl };
allow appdomain system_data_file:file { execute execute_no_trans open };

# Execute the shell or other system executables.
allow appdomain shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
allow appdomain system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };

# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { getattr read write };

# Write to /data/anr/traces.txt.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };

# Allow apps to send dump information to dumpstate
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr };
allow appdomain shell_data_file:file { write getattr };

# Write to /proc/net/xt_qtaguid/ctrl file.
allow appdomain qtaguid_proc:file { { getattr open read ioctl lock } { open append write } };
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
allow appdomain qtaguid_device:chr_file { getattr open read ioctl lock };

# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
allow appdomain gpu_device:chr_file { { { getattr open read ioctl lock } { open append write } } execute };

# Use the Binder.

#line 90
# Call the servicemanager and transfer references to it.
#line 90
allow appdomain servicemanager:binder { call transfer };
#line 90
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 90
# all domains in domain.te.
#line 90

# Perform binder IPC to binder services.

#line 92
# Call the server domain and optionally transfer references to it.
#line 92
allow appdomain binderservicedomain:binder { call transfer };
#line 92
# Allow the serverdomain to transfer references to the client on the reply.
#line 92
allow binderservicedomain appdomain:binder transfer;
#line 92
# Receive and use open files from the server.
#line 92
allow appdomain binderservicedomain:fd use;
#line 92

# Perform binder IPC to other apps.

#line 94
# Call the server domain and optionally transfer references to it.
#line 94
allow appdomain appdomain:binder { call transfer };
#line 94
# Allow the serverdomain to transfer references to the client on the reply.
#line 94
allow appdomain appdomain:binder transfer;
#line 94
# Receive and use open files from the server.
#line 94
allow appdomain appdomain:fd use;
#line 94


# Appdomain interaction with isolated apps

#line 97
allow appdomain isolated_app:dir { open getattr read search ioctl };
#line 97
allow appdomain isolated_app:{ file lnk_file } { getattr open read ioctl lock };
#line 97


# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain isolated_app:unix_stream_socket { read write };

# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow appdomain backup_data_file:file { read write getattr };
allow appdomain cache_backup_file:file { read write getattr };
# Backup ability using 'adb backup'
allow appdomain system_data_file:lnk_file getattr;

# Allow all applications to read downloaded files
allow appdomain download_file:dir search;
allow appdomain download_file:file { getattr open read ioctl lock };

# Allow applications to communicate with netd via /dev/socket/dnsproxyd
# to do DNS resolution

#line 118
allow appdomain dnsproxyd_socket:sock_file write;
#line 118
allow appdomain netd:unix_stream_socket connectto;
#line 118


# Allow applications to communicate with drmserver over binder

#line 121
# Call the server domain and optionally transfer references to it.
#line 121
allow appdomain drmserver:binder { call transfer };
#line 121
# Allow the serverdomain to transfer references to the client on the reply.
#line 121
allow drmserver appdomain:binder transfer;
#line 121
# Receive and use open files from the server.
#line 121
allow appdomain drmserver:fd use;
#line 121


# Allow applications to communicate with mediaserver over binder

#line 124
# Call the server domain and optionally transfer references to it.
#line 124
allow appdomain mediaserver:binder { call transfer };
#line 124
# Allow the serverdomain to transfer references to the client on the reply.
#line 124
allow mediaserver appdomain:binder transfer;
#line 124
# Receive and use open files from the server.
#line 124
allow appdomain mediaserver:fd use;
#line 124


# Allow applications to make outbound tcp connections to any port
allow appdomain port_type:tcp_socket name_connect;

# Allow apps to see changes to the routing table.
allow appdomain self:netlink_route_socket {
    read
    bind
    create
    nlmsg_read
    ioctl
    getattr
    setattr
    getopt
    setopt
    shutdown
};

# Allow apps to use rawip sockets. This is needed for apps which execute
# /system/bin/ping, for example.
allow appdomain self:rawip_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };

# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
allow appdomain usb_device:chr_file { read write getattr ioctl };
allow appdomain usbaccessory_device:chr_file { read write getattr };

# For art.
allow appdomain dalvikcache_data_file:file execute;

# For legacy unlabeled userdata on existing devices.
# See discussion of Unlabeled files in domain.te for more information.
allow appdomain unlabeled:file { getattr execute execute_no_trans };

###
### CTS-specific rules
###

# For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java.
# Reads /proc/pid/status and statm entries to check that
# no unexpected root processes are running.
# Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java
# Reads /proc/pid/cmdline of vold.
allow appdomain domain:dir { open read search getattr };
allow appdomain domain:{ file lnk_file } { open read getattr };

# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.

# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
# Check SELinux policy and contexts.

#line 181
allow appdomain selinuxfs:dir { open getattr read search ioctl };
#line 181
allow appdomain selinuxfs:file { { getattr open read ioctl lock } { open append write } };
#line 181
allow appdomain kernel:security compute_av;
#line 181
allow appdomain self:netlink_selinux_socket *;
#line 181


#line 182
allow appdomain selinuxfs:dir { open getattr read search ioctl };
#line 182
allow appdomain selinuxfs:file { { getattr open read ioctl lock } { open append write } };
#line 182
allow appdomain kernel:security check_context;
#line 182

# Validate that each process is running in the correct security context.
allow appdomain domain:process getattr;

# logd access

#line 187

#line 187
allow appdomain logdr_socket:sock_file write;
#line 187
allow appdomain logd:unix_stream_socket connectto;
#line 187

#line 187

# application inherit logd write socket (urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write;

###
### Neverallow rules
###
### These are things that Android apps should NEVER be able to do
###

# Superuser capabilities.
# bluetooth requires net_admin.
neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
neverallow { appdomain -unconfineddomain } self:capability2 *;

# Block device access.
neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };

# Access to any of the following character devices.
neverallow { appdomain -unconfineddomain } {
    audio_device
    camera_device
    dm_device
    radio_device
    gps_device
    rpmsg_device
}:chr_file { read write };

# Note: Try expanding list of app domains in the future.
neverallow { untrusted_app isolated_app shell -unconfineddomain }
    graphics_device:chr_file { read write };

neverallow { appdomain -nfc -unconfineddomain } nfc_device:chr_file
    { read write };
neverallow { appdomain -bluetooth -unconfineddomain } hci_attach_dev:chr_file
    { read write };
neverallow { appdomain -unconfineddomain } tee_device:chr_file { read write };

# Set SELinux enforcing mode, booleans or any other SELinux settings.
neverallow { appdomain -unconfineddomain } kernel:security
    { setenforce setbool setsecparam setcheckreqprot };

# Load security policy.
neverallow appdomain kernel:security load_policy;

# Privileged netlink socket interfaces.
neverallow { appdomain -unconfineddomain }
    self:{
        netlink_socket
        netlink_firewall_socket
        netlink_tcpdiag_socket
        netlink_nflog_socket
        netlink_xfrm_socket
        netlink_audit_socket
        netlink_ip6fw_socket
        netlink_dnrt_socket
        netlink_kobject_uevent_socket
    } *;

# Sockets under /dev/socket that are not specifically typed.
neverallow { appdomain -unconfineddomain } socket_device:sock_file write;

# Unix domain sockets.
neverallow { appdomain -unconfineddomain } adbd_socket:sock_file write;
neverallow { appdomain -unconfineddomain } installd_socket:sock_file write;
neverallow { appdomain -bluetooth -radio -shell -system_app -unconfineddomain }
    property_socket:sock_file write;
neverallow { appdomain -radio -unconfineddomain } rild_socket:sock_file write;
neverallow { appdomain -unconfineddomain } vold_socket:sock_file write;
neverallow { appdomain -unconfineddomain } zygote_socket:sock_file write;

# ptrace access to non-app domains.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:process ptrace;

# Write access to /proc/pid entries for any non-app domain.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:file write;

# signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:process
    { sigkill sigstop signal };

# Transition to a non-app domain.
# Exception for the shell domain, can transition to runas, etc.
neverallow { appdomain -shell -unconfineddomain } ~appdomain:process
    { transition dyntransition };

# Map low memory.
# Note: Take to domain.te and apply to all domains in the future.
neverallow { appdomain -unconfineddomain } self:memprotect mmap_zero;

# Write to rootfs.
neverallow { appdomain -unconfineddomain } rootfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to /system.
neverallow { appdomain -unconfineddomain } system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to entrypoint executables.
neverallow { appdomain -unconfineddomain } exec_type:file
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts.  Define a different type for portions
# that should be writable by apps.
# Exception for system_app for Settings.
neverallow { appdomain -unconfineddomain -system_app }
    system_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };

# Write to various other parts of /data.
neverallow { appdomain -system_app -unconfineddomain }
    security_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } drm_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } gps_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_tmp_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_private_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
    apk_private_tmp_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -shell -unconfineddomain }
    shell_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -bluetooth -unconfineddomain }
    bluetooth_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    keystore_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    systemkeys_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    wifi_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
    dhcp_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
    { create write setattr relabelfrom relabelto append unlink link rename };

# Access to factory files.
neverallow { appdomain -unconfineddomain }
    efs_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { read write };

# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc -unconfineddomain }
    sysfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
neverallow { appdomain -unconfineddomain }
    proc:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;

# Access to syslog(2) or /proc/kmsg.
neverallow { appdomain -system_app -unconfineddomain }
    kernel:system { syslog_read syslog_mod syslog_console };

# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
neverallow { appdomain -unconfineddomain } fs_type:filesystem ~getattr;

# Ability to set system properties.
neverallow { appdomain -system_app -radio -shell -bluetooth -unconfineddomain }
    property_type:property_service set;
#line 1 "external/sepolicy/binderservicedomain.te"
# Rules common to all binder service domains

# Allow dumpstate to collect information from binder services
allow binderservicedomain dumpstate:fd use;
allow binderservicedomain dumpstate:unix_stream_socket { read write getopt getattr };
allow binderservicedomain shell_data_file:file { getattr write };

# Allow dumpsys to work from adb shell
allow binderservicedomain devpts:chr_file { { getattr open read ioctl lock } { open append write } };
#line 1 "external/sepolicy/bluetooth.te"
# bluetooth subsystem
type bluetooth, domain;

#line 3
typeattribute bluetooth appdomain;
#line 3
# Label ashmem objects with our own unique type.
#line 3

#line 3
type bluetooth_tmpfs, file_type;
#line 3
type_transition bluetooth tmpfs:file bluetooth_tmpfs;
#line 3
allow bluetooth bluetooth_tmpfs:file { read write };
#line 3

#line 3
# Map with PROT_EXEC.
#line 3
allow bluetooth bluetooth_tmpfs:file execute;
#line 3


# Data file accesses.
allow bluetooth bluetooth_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow bluetooth bluetooth_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Socket creation under /data/misc/bluedroid.
type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
allow bluetooth bluetooth_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# bluetooth factory file accesses.

#line 14
allow bluetooth bluetooth_efs_file:dir { open getattr read search ioctl };
#line 14
allow bluetooth bluetooth_efs_file:{ file lnk_file } { getattr open read ioctl lock };
#line 14


# Device accesses.
allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file { { getattr open read ioctl lock } { open append write } };

# Other domains that can create and use bluetooth sockets.
# SELinux does not presently define a specific socket class for
# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
allow bluetoothdomain self:socket *;

# sysfs access.
allow bluetooth sysfs_bluetooth_writable:file { { getattr open read ioctl lock } { open append write } };
allow bluetooth self:capability net_admin;

# Allow clients to use a socket provided by the bluetooth app.
allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };

# tethering
allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
allow bluetooth efs_file:dir search;

# Talk to init over the property socket.

#line 36
allow bluetooth property_socket:sock_file write;
#line 36
allow bluetooth init:unix_stream_socket connectto;
#line 36


# proc access.
allow bluetooth proc_bluetooth_writable:file { { getattr open read ioctl lock } { open append write } };

# bluetooth file transfers
allow bluetooth sdcard_internal:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow bluetooth sdcard_internal:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Allow reading of media_rw_data_file file descriptors
# passed to bluetooth
allow bluetooth media_rw_data_file:file { read getattr };

# Allow write access to bluetooth specific properties
allow bluetooth bluetooth_prop:property_service set;

###
### Neverallow rules
###
### These are things that the bluetooth app should NEVER be able to do
###

# Superuser capabilities.
# bluetooth requires net_admin.
neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;
#line 1 "external/sepolicy/bootanim.te"
# bootanimation oneshot service
type bootanim, domain;
type bootanim_exec, exec_type, file_type;


#line 5

#line 5
# Allow the necessary permissions.
#line 5

#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init bootanim_exec:file { getattr open read execute };
#line 5
allow init bootanim:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow bootanim bootanim_exec:file { entrypoint read execute };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
allow bootanim init:process sigchld;
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init bootanim:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init bootanim:process { siginh rlimitinh };
#line 5

#line 5
# Make the transition occur by default.
#line 5
type_transition init bootanim_exec:process bootanim;
#line 5

#line 5

#line 5
type bootanim_tmpfs, file_type;
#line 5
type_transition bootanim tmpfs:file bootanim_tmpfs;
#line 5
allow bootanim bootanim_tmpfs:file { read write };
#line 5

#line 5


#line 7
# Call the servicemanager and transfer references to it.
#line 7
allow bootanim servicemanager:binder { call transfer };
#line 7
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 7
# all domains in domain.te.
#line 7


#line 8
# Call the server domain and optionally transfer references to it.
#line 8
allow bootanim surfaceflinger:binder { call transfer };
#line 8
# Allow the serverdomain to transfer references to the client on the reply.
#line 8
allow surfaceflinger bootanim:binder transfer;
#line 8
# Receive and use open files from the server.
#line 8
allow bootanim surfaceflinger:fd use;
#line 8


allow bootanim gpu_device:chr_file { { getattr open read ioctl lock } { open append write } };
#line 1 "external/sepolicy/clatd.te"
# 464xlat daemon
type clatd, domain;

#line 3
typeattribute clatd mlstrustedsubject;
#line 3
typeattribute clatd unconfineddomain;
#line 3

type clatd_exec, exec_type, file_type;


#line 6

#line 6
# Allow the necessary permissions.
#line 6

#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow init clatd_exec:file { getattr open read execute };
#line 6
allow init clatd:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow clatd clatd_exec:file { entrypoint read execute };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
allow clatd init:process sigchld;
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit init clatd:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow init clatd:process { siginh rlimitinh };
#line 6

#line 6
# Make the transition occur by default.
#line 6
type_transition init clatd_exec:process clatd;
#line 6

#line 6

#line 6
type clatd_tmpfs, file_type;
#line 6
type_transition clatd tmpfs:file clatd_tmpfs;
#line 6
allow clatd clatd_tmpfs:file { read write };
#line 6

#line 6


#line 7
typeattribute clatd netdomain;
#line 7

#line 1 "external/sepolicy/debuggerd.te"
# debugger interface
type debuggerd, domain;
type debuggerd_exec, exec_type, file_type;


#line 5

#line 5
# Allow the necessary permissions.
#line 5

#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init debuggerd_exec:file { getattr open read execute };
#line 5
allow init debuggerd:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow debuggerd debuggerd_exec:file { entrypoint read execute };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
allow debuggerd init:process sigchld;
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init debuggerd:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init debuggerd:process { siginh rlimitinh };
#line 5

#line 5
# Make the transition occur by default.
#line 5
type_transition init debuggerd_exec:process debuggerd;
#line 5

#line 5

#line 5
type debuggerd_tmpfs, file_type;
#line 5
type_transition debuggerd tmpfs:file debuggerd_tmpfs;
#line 5
allow debuggerd debuggerd_tmpfs:file { read write };
#line 5

#line 5

typeattribute debuggerd mlstrustedsubject;
allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner };
allow debuggerd self:capability2 { syslog };
allow debuggerd domain:dir { open getattr read search ioctl };
allow debuggerd domain:file { getattr open read ioctl lock };
allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd }:process ptrace;

#line 12
allow debuggerd security_file:dir { open getattr read search ioctl };
#line 12
allow debuggerd security_file:file { getattr open read ioctl lock };
#line 12
allow debuggerd security_file:lnk_file { getattr open read ioctl lock };
#line 12
allow debuggerd selinuxfs:dir { open getattr read search ioctl };
#line 12
allow debuggerd selinuxfs:file { getattr open read ioctl lock };
#line 12
allow debuggerd rootfs:dir { open getattr read search ioctl };
#line 12
allow debuggerd rootfs:file { getattr open read ioctl lock };
#line 12

allow debuggerd system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow debuggerd system_data_file:dir relabelfrom;

#line 15
typeattribute debuggerd relabeltodomain;
#line 15

allow debuggerd tombstone_data_file:dir relabelto;
allow debuggerd tombstone_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow debuggerd tombstone_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow debuggerd domain:process { sigstop signal };
allow debuggerd exec_type:file { getattr open read ioctl lock };
# Access app library
allow debuggerd system_data_file:file open;

# Connect to system_server via /data/system/ndebugsocket.

#line 25
allow debuggerd system_ndebug_socket:sock_file write;
#line 25
allow debuggerd system_server:unix_stream_socket connectto;
#line 25


#line 30


# logd access

#line 33

#line 33
allow debuggerd logdr_socket:sock_file write;
#line 33
allow debuggerd logd:unix_stream_socket connectto;
#line 33

#line 33

#line 1 "external/sepolicy/device.te"
# Device types
type device, dev_type, fs_type;
type alarm_device, dev_type, mlstrustedobject;
type adb_device, dev_type;
type ashmem_device, dev_type, mlstrustedobject;
type audio_device, dev_type;
type binder_device, dev_type, mlstrustedobject;
type block_device, dev_type;
type camera_device, dev_type;
type dm_device, dev_type;
type loop_device, dev_type;
type radio_device, dev_type;
type ram_device, dev_type;
type console_device, dev_type;
type cpuctl_device, dev_type;
type fscklogs, dev_type;
type full_device, dev_type;
# GPU (used by most UI apps)
type gpu_device, dev_type, mlstrustedobject;
type graphics_device, dev_type;
type hw_random_device, dev_type;
type input_device, dev_type;
type kmem_device, dev_type;
type log_device, dev_type, mlstrustedobject;
type mtd_device, dev_type;
type mtp_device, dev_type, mlstrustedobject;
type nfc_device, dev_type;
type ptmx_device, dev_type, mlstrustedobject;
type qemu_device, dev_type;
type kmsg_device, dev_type;
type null_device, dev_type, mlstrustedobject;
type random_device, dev_type;
type sensors_device, dev_type;
type serial_device, dev_type;
type socket_device, dev_type;
type owntty_device, dev_type, mlstrustedobject;
type tty_device, dev_type;
type urandom_device, dev_type;
type video_device, dev_type;
type vcs_device, dev_type;
type zero_device, dev_type;
type fuse_device, dev_type;
type iio_device, dev_type;
type ion_device, dev_type, mlstrustedobject;
type gps_device, dev_type;
type qtaguid_device, dev_type;
type watchdog_device, dev_type;
type uhid_device, dev_type;
type tun_device, dev_type, mlstrustedobject;
type usbaccessory_device, dev_type;
type usb_device, dev_type;
type klog_device, dev_type;
type properties_device, dev_type;

# All devices have a uart for the hci
# attach service. The uart dev node
# varies per device. This type
# is used in per device policy
type hci_attach_dev, dev_type;

# All devices have a rpmsg device for
# achieving remoteproc and rpmsg modules
type rpmsg_device, dev_type;

# Partition layout block device
type root_block_device, dev_type;
#line 1 "external/sepolicy/dhcp.te"
type dhcp, domain;

#line 2
typeattribute dhcp mlstrustedsubject;
#line 2
typeattribute dhcp unconfineddomain;
#line 2

type dhcp_exec, exec_type, file_type;
type dhcp_data_file, file_type, data_file_type;


#line 6

#line 6
# Allow the necessary permissions.
#line 6

#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow init dhcp_exec:file { getattr open read execute };
#line 6
allow init dhcp:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow dhcp dhcp_exec:file { entrypoint read execute };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
allow dhcp init:process sigchld;
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit init dhcp:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow init dhcp:process { siginh rlimitinh };
#line 6

#line 6
# Make the transition occur by default.
#line 6
type_transition init dhcp_exec:process dhcp;
#line 6

#line 6

#line 6
type dhcp_tmpfs, file_type;
#line 6
type_transition dhcp tmpfs:file dhcp_tmpfs;
#line 6
allow dhcp dhcp_tmpfs:file { read write };
#line 6

#line 6


#line 7
typeattribute dhcp netdomain;
#line 7


allow dhcp cgroup:dir { create write add_name };
allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
allow dhcp self:packet_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
allow dhcp self:netlink_route_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_write };
allow dhcp self:rawip_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
allow dhcp shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
allow dhcp system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
# For /proc/sys/net/ipv4/conf/*/promote_secondaries
allow dhcp proc_net:file write;
allow dhcp system_prop:property_service set ;

#line 19
allow dhcp property_socket:sock_file write;
#line 19
allow dhcp init:unix_stream_socket connectto;
#line 19

allow dhcp owntty_device:chr_file { { getattr open read ioctl lock } { open append write } };

type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
allow dhcp dhcp_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow dhcp dhcp_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# PAN connections
allow dhcp netd:fd use;
allow dhcp netd:fifo_file { { getattr open read ioctl lock } { open append write } };
allow dhcp netd:{ { udp_socket unix_dgram_socket } unix_stream_socket } { read write };
allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
#line 1 "external/sepolicy/dnsmasq.te"
# DNS, DHCP services
type dnsmasq, domain;

#line 3
typeattribute dnsmasq mlstrustedsubject;
#line 3
typeattribute dnsmasq unconfineddomain;
#line 3

type dnsmasq_exec, exec_type, file_type;

allow dnsmasq self:capability { net_bind_service setgid setuid };
allow dnsmasq self:tcp_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };

allow dnsmasq dhcp_data_file:dir { open search write add_name remove_name };
allow dnsmasq dhcp_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow dnsmasq port:tcp_socket name_bind;
allow dnsmasq node:tcp_socket node_bind;
#line 1 "external/sepolicy/domain.te"
# Rules for all domains.

# Allow reaping by init.
allow domain init:process sigchld;

# Read access to properties mapping.
allow domain kernel:fd use;
allow domain tmpfs:file { read getattr };

# Search /storage/emulated tmpfs mount.
allow domain tmpfs:dir { open getattr read search ioctl };

# Intra-domain accesses.
allow domain self:process ~{ execmem execstack execheap ptrace };
allow domain self:fd use;
allow domain self:dir { open getattr read search ioctl };
allow domain self:lnk_file { getattr open read ioctl lock };
allow domain self:{ fifo_file file } { { getattr open read ioctl lock } { open append write } };
allow domain self:{ unix_dgram_socket unix_stream_socket } *;

# Inherit or receive open files from others.
allow domain init:fd use;
allow domain system_server:fd use;

# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow domain adbd:unix_stream_socket connectto;
allow domain adbd:fd use;
allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };

#line 43


###
### Talk to debuggerd.
###
allow domain debuggerd:process sigchld;
allow domain debuggerd:unix_stream_socket connectto;

# Root fs.
allow domain rootfs:dir { open getattr read search ioctl };
allow domain rootfs:file { getattr open read ioctl lock };
allow domain rootfs:lnk_file { getattr open read ioctl lock };

# Device accesses.
allow domain device:dir search;
allow domain dev_type:lnk_file { getattr open read ioctl lock };
allow domain devpts:dir search;
allow domain device:file read;
allow domain socket_device:dir search;
allow domain owntty_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow domain null_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow domain zero_device:chr_file { getattr open read ioctl lock };
allow domain ashmem_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow domain binder_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow domain ptmx_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow domain log_device:dir search;
allow domain log_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow domain alarm_device:chr_file { getattr open read ioctl lock };
allow domain urandom_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow domain random_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow domain properties_device:file { getattr open read ioctl lock };

# logd access

#line 76

#line 76

#line 76
allow domain logdw_socket:sock_file write;
#line 76
allow domain logd:unix_dgram_socket sendto;
#line 76

#line 76


# Filesystem accesses.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;

# System file accesses.
allow domain system_file:dir { open getattr read search ioctl };
allow domain system_file:file { getattr open read ioctl lock };
allow domain system_file:file execute;
allow domain system_file:lnk_file { getattr open read ioctl lock };

# Read files already opened under /data.
allow domain system_data_file:dir { search getattr };
allow domain system_data_file:file { getattr read };
allow domain system_data_file:lnk_file { getattr open read ioctl lock };

# Read apk files under /data/app.
allow domain apk_data_file:dir { getattr search };
allow domain apk_data_file:file { getattr open read ioctl lock };

# Read /data/dalvik-cache.
allow domain dalvikcache_data_file:dir { search getattr };
allow domain dalvikcache_data_file:file { getattr open read ioctl lock };

# Read already opened /cache files.
allow domain cache_file:dir { open getattr read search ioctl };
allow domain cache_file:file { getattr read };
allow domain cache_file:lnk_file { getattr open read ioctl lock };

# Read timezone related information

#line 107
allow domain zoneinfo_data_file:dir { open getattr read search ioctl };
#line 107
allow domain zoneinfo_data_file:{ file lnk_file } { getattr open read ioctl lock };
#line 107


# For /acct/uid/*/tasks.
allow domain cgroup:dir { search write };
allow domain cgroup:file { open append write };

#Allow access to ion memory allocation device
allow domain ion_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Read access to pseudo filesystems.

#line 117
allow domain proc:dir { open getattr read search ioctl };
#line 117
allow domain proc:{ file lnk_file } { getattr open read ioctl lock };
#line 117


#line 118
allow domain sysfs:dir { open getattr read search ioctl };
#line 118
allow domain sysfs:{ file lnk_file } { getattr open read ioctl lock };
#line 118


#line 119
allow domain sysfs_devices_system_cpu:dir { open getattr read search ioctl };
#line 119
allow domain sysfs_devices_system_cpu:{ file lnk_file } { getattr open read ioctl lock };
#line 119


#line 120
allow domain inotify:dir { open getattr read search ioctl };
#line 120
allow domain inotify:{ file lnk_file } { getattr open read ioctl lock };
#line 120


#line 121
allow domain cgroup:dir { open getattr read search ioctl };
#line 121
allow domain cgroup:{ file lnk_file } { getattr open read ioctl lock };
#line 121


#line 122
allow domain proc_net:dir { open getattr read search ioctl };
#line 122
allow domain proc_net:{ file lnk_file } { getattr open read ioctl lock };
#line 122


# debugfs access
allow domain debugfs:dir { open getattr read search ioctl };
allow domain debugfs:file { open append write };

# Get SELinux enforcing status.

#line 129
allow domain selinuxfs:dir { open getattr read search ioctl };
#line 129
allow domain selinuxfs:file { getattr open read ioctl lock };
#line 129


# security files
allow domain security_file:dir { search getattr };
allow domain security_file:file getattr;

# World readable asec image contents
allow domain asec_public_file:file { getattr open read ioctl lock };
allow domain { asec_public_file asec_apk_file }:dir { open getattr read search ioctl };

######## Backwards compatibility - Unlabeled files ############

# Revert to DAC rules when looking at unlabeled files. Over time, the number
# of unlabeled files should decrease.
# TODO: delete these rules in the future.
#
# Note on relabelfrom: We allow any app relabelfrom, but without the relabelto
# capability, it's essentially useless. This is needed to allow an app with
# relabelto to relabel unlabeled files.
#
allow domain unlabeled:{ file lnk_file sock_file fifo_file } { { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } } relabelfrom };
allow domain unlabeled:dir { { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } relabelfrom };
neverallow { domain -relabeltodomain } *:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;

###
### neverallow rules
###

# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;

# Limit device node creation and raw I/O to these whitelisted domains.
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability { sys_rawio mknod };

# No domain needs mac_override as it is unused by SELinux.
neverallow domain self:capability2 mac_override;

# Only recovery needs mac_admin to set contexts not defined in current policy.
neverallow { domain -recovery } self:capability2 mac_admin;

# Only init should be able to load SELinux policies.
# The first load technically occurs while still in the kernel domain,
# but this does not trigger a denial since there is no policy yet.
# Policy reload requires allowing this to the init domain.
neverallow { domain -init } kernel:security load_policy;

# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
neverallow { domain -kernel } kernel:security { setenforce setcheckreqprot };

# Only init, ueventd and system_server should be able to access HW RNG
neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;

# Ensure that all entrypoint executables are in exec_type.
neverallow domain { file_type -exec_type }:file entrypoint;

# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };

# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init } proc_security:file { append write };

# No domain should be allowed to ptrace init.
neverallow domain init:process ptrace;

# Init can't receive binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow domain init:binder call;

# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };

# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
# ueventd is exempt from this, as its managing these devices.
neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write };

# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
#line 1 "external/sepolicy/drmserver.te"
# drmserver - DRM service
type drmserver, domain;
type drmserver_exec, exec_type, file_type;


#line 5

#line 5
# Allow the necessary permissions.
#line 5

#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init drmserver_exec:file { getattr open read execute };
#line 5
allow init drmserver:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow drmserver drmserver_exec:file { entrypoint read execute };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
allow drmserver init:process sigchld;
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init drmserver:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init drmserver:process { siginh rlimitinh };
#line 5

#line 5
# Make the transition occur by default.
#line 5
type_transition init drmserver_exec:process drmserver;
#line 5

#line 5

#line 5
type drmserver_tmpfs, file_type;
#line 5
type_transition drmserver tmpfs:file drmserver_tmpfs;
#line 5
allow drmserver drmserver_tmpfs:file { read write };
#line 5

#line 5

typeattribute drmserver mlstrustedsubject;

# Perform Binder IPC to system server.

#line 9
# Call the servicemanager and transfer references to it.
#line 9
allow drmserver servicemanager:binder { call transfer };
#line 9
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 9
# all domains in domain.te.
#line 9


#line 10
# Call the server domain and optionally transfer references to it.
#line 10
allow drmserver system_server:binder { call transfer };
#line 10
# Allow the serverdomain to transfer references to the client on the reply.
#line 10
allow system_server drmserver:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow drmserver system_server:fd use;
#line 10


#line 11
# Call the server domain and optionally transfer references to it.
#line 11
allow drmserver appdomain:binder { call transfer };
#line 11
# Allow the serverdomain to transfer references to the client on the reply.
#line 11
allow appdomain drmserver:binder transfer;
#line 11
# Receive and use open files from the server.
#line 11
allow drmserver appdomain:fd use;
#line 11


#line 12
typeattribute drmserver binderservicedomain;
#line 12


# Perform Binder IPC to mediaserver

#line 15
# Call the server domain and optionally transfer references to it.
#line 15
allow drmserver mediaserver:binder { call transfer };
#line 15
# Allow the serverdomain to transfer references to the client on the reply.
#line 15
allow mediaserver drmserver:binder transfer;
#line 15
# Receive and use open files from the server.
#line 15
allow drmserver mediaserver:fd use;
#line 15


allow drmserver sdcard_type:dir search;
allow drmserver drm_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow drmserver drm_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow drmserver self:{ tcp_socket udp_socket } *;
allow drmserver port:tcp_socket name_connect;
allow drmserver tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow drmserver platform_app_data_file:file { read write getattr };
allow drmserver app_data_file:file { read write getattr };
allow drmserver sdcard_type:file { read write getattr };

#line 26
allow drmserver efs_file:dir { open getattr read search ioctl };
#line 26
allow drmserver efs_file:{ file lnk_file } { getattr open read ioctl lock };
#line 26


type drmserver_socket, file_type;

# /data/app/tlcd_sock socket file.
# Clearly, /data/app is the most logical place to create a socket.  Not.
allow drmserver apk_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
type_transition drmserver apk_data_file:sock_file drmserver_socket;
allow drmserver drmserver_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow drmserver tee:unix_stream_socket connectto;
# Delete old socket file if present.
allow drmserver apk_data_file:sock_file unlink;

# After taking a video, drmserver looks at the video file.

#line 40
allow drmserver media_rw_data_file:dir { open getattr read search ioctl };
#line 40
allow drmserver media_rw_data_file:{ file lnk_file } { getattr open read ioctl lock };
#line 40

#line 1 "external/sepolicy/dumpstate.te"
# dumpstate
type dumpstate, domain;

#line 3
typeattribute dumpstate mlstrustedsubject;
#line 3
typeattribute dumpstate unconfineddomain;
#line 3

type dumpstate_exec, exec_type, file_type;


#line 6

#line 6
# Allow the necessary permissions.
#line 6

#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow init dumpstate_exec:file { getattr open read execute };
#line 6
allow init dumpstate:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow dumpstate dumpstate_exec:file { entrypoint read execute };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
allow dumpstate init:process sigchld;
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit init dumpstate:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow init dumpstate:process { siginh rlimitinh };
#line 6

#line 6
# Make the transition occur by default.
#line 6
type_transition init dumpstate_exec:process dumpstate;
#line 6

#line 6

#line 6
type dumpstate_tmpfs, file_type;
#line 6
type_transition dumpstate tmpfs:file dumpstate_tmpfs;
#line 6
allow dumpstate dumpstate_tmpfs:file { read write };
#line 6

#line 6


#line 7
typeattribute dumpstate netdomain;
#line 7


#line 8
typeattribute dumpstate relabeltodomain;
#line 8


#line 9
# Call the servicemanager and transfer references to it.
#line 9
allow dumpstate servicemanager:binder { call transfer };
#line 9
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 9
# all domains in domain.te.
#line 9


# Drop privileges by switching UID / GID
allow dumpstate self:capability { setuid setgid };

# Allow dumpstate to scan through /proc/pid for all processes

#line 15
allow dumpstate domain:dir { open getattr read search ioctl };
#line 15
allow dumpstate domain:{ file lnk_file } { getattr open read ioctl lock };
#line 15


# Send signals to processes
allow dumpstate self:capability kill;

# Allow executing files on system, such as:
#   /system/bin/toolbox
#   /system/bin/logcat
#   /system/bin/dumpsys
allow dumpstate system_file:file execute_no_trans;

# Create and write into /data/anr/
allow dumpstate self:capability { dac_override chown fowner fsetid };
allow dumpstate anr_data_file:dir { { { open getattr read search ioctl } { open search write add_name remove_name } } relabelto };
allow dumpstate anr_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow dumpstate system_data_file:dir { { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } relabelfrom };

# Allow reading /data/system/uiderrors.txt
# TODO: scope this down.
allow dumpstate system_data_file:file { getattr open read ioctl lock };

# Read dmesg
allow dumpstate self:capability2 syslog;
allow dumpstate kernel:system syslog_read;

# Get process attributes
allow dumpstate domain:process getattr;

# Signal java processes to dump their stack
allow dumpstate { appdomain system_server }:process signal;

# Signal native processes to dump their stack.
# This list comes from native_processes_to_dump in dumpstate/utils.c
allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal;

# The /system/bin/ip command needs this for routing table information.
allow dumpstate self:netlink_route_socket { write getattr setopt };

# The vdc command needs to talk to the vold socket.

#line 54
allow dumpstate vold_socket:sock_file write;
#line 54
allow dumpstate vold:unix_stream_socket connectto;
#line 54


# Vibrate the device after we're done collecting the bugreport
# /sys/class/timed_output/vibrator/enable
# TODO: create a new file class, instead of allowing write access to all of /sys
allow dumpstate sysfs:file { open append write };

# Other random bits of data we want to collect
allow dumpstate qtaguid_proc:file { getattr open read ioctl lock };
allow dumpstate debugfs:file { getattr open read ioctl lock };

# Allow dumpstate to make binder calls to any binder service

#line 66
# Call the server domain and optionally transfer references to it.
#line 66
allow dumpstate binderservicedomain:binder { call transfer };
#line 66
# Allow the serverdomain to transfer references to the client on the reply.
#line 66
allow binderservicedomain dumpstate:binder transfer;
#line 66
# Receive and use open files from the server.
#line 66
allow dumpstate binderservicedomain:fd use;
#line 66


#line 67
# Call the server domain and optionally transfer references to it.
#line 67
allow dumpstate appdomain:binder { call transfer };
#line 67
# Allow the serverdomain to transfer references to the client on the reply.
#line 67
allow appdomain dumpstate:binder transfer;
#line 67
# Receive and use open files from the server.
#line 67
allow dumpstate appdomain:fd use;
#line 67


# Reading /proc/PID/maps of other processes
allow dumpstate self:capability sys_ptrace;

# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
allow dumpstate shell_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow dumpstate shell_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Run a shell.
allow dumpstate shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };

# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
# Dalvik Compiler JIT.
allow dumpstate ashmem_device:chr_file execute;
allow dumpstate dumpstate_tmpfs:file execute;
allow dumpstate self:process execmem;
# For art.
allow dumpstate dalvikcache_data_file:file execute;

# logd access

#line 91

#line 91
allow dumpstate logdr_socket:sock_file write;
#line 91
allow dumpstate logd:unix_stream_socket connectto;
#line 91

#line 91


#line 92
# Group AID_LOG checked by filesystem & logd
#line 92
# to permit control commands
#line 92

#line 92
allow dumpstate logd_socket:sock_file write;
#line 92
allow dumpstate logd:unix_stream_socket connectto;
#line 92

#line 92

#line 1 "external/sepolicy/file.te"
# Filesystem types
type labeledfs, fs_type;
type pipefs, fs_type;
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type;
# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type, sysfs_type;
type qtaguid_proc, fs_type, mlstrustedobject;
type proc_bluetooth_writable, fs_type;
type proc_net, fs_type;
type selinuxfs, fs_type;
type cgroup, fs_type, mlstrustedobject;
type sysfs, fs_type, mlstrustedobject;
type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
# /sys/module/lowmemorykiller
type sysfs_lowmemorykiller, fs_type, sysfs_type;
type inotify, fs_type, mlstrustedobject;
type devpts, fs_type, mlstrustedobject;
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;
type sdcard_internal, sdcard_type, fs_type, mlstrustedobject;
type sdcard_external, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type, mlstrustedobject;

# File types
type unlabeled, file_type;
# Default type for anything under /system.
type system_file, file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type;
# /data/drm - DRM plugin data
type drm_data_file, file_type, data_file_type;
# /data/anr - ANR traces
type anr_data_file, file_type, data_file_type, mlstrustedobject;
# /data/tombstones - core dumps
type tombstone_data_file, file_type, data_file_type;
# /data/app - user-installed apps
type apk_data_file, file_type, data_file_type;
type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/app-private - forward-locked apps
type apk_private_data_file, file_type, data_file_type;
type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type;
# /data/local - writable by shell
type shell_data_file, file_type, data_file_type;
# /data/gps
type gps_data_file, file_type, data_file_type;

# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type;
type audio_data_file, file_type, data_file_type;
type bluetooth_data_file, file_type, data_file_type;
type camera_data_file, file_type, data_file_type;
type keystore_data_file, file_type, data_file_type;
type media_data_file, file_type, data_file_type;
type media_rw_data_file, file_type, data_file_type;
type nfc_data_file, file_type, data_file_type;
type radio_data_file, file_type, data_file_type;
type systemkeys_data_file, file_type, data_file_type;
type vpn_data_file, file_type, data_file_type;
type wifi_data_file, file_type, data_file_type;
type zoneinfo_data_file, file_type, data_file_type;

# Compatibility with type names used in vanilla Android 4.3 and 4.4.
typealias audio_data_file alias audio_firmware_file;
# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type;
type platform_app_data_file, file_type, data_file_type, mlstrustedobject;
# Default type for anything under /cache
type cache_file, file_type, mlstrustedobject;
# Type for /cache/.*\.{data|restore} and default
# type for anything under /cache/backup
type cache_backup_file, file_type, mlstrustedobject;
# Default type for anything under /efs
type efs_file, file_type;
# Type for wallpaper file.
type wallpaper_file, file_type, mlstrustedobject;
# /mnt/asec
type asec_apk_file, file_type, data_file_type;
# Elements of asec files (/mnt/asec) that are world readable
type asec_public_file, file_type, data_file_type;
# /data/app-asec
type asec_image_file, file_type, data_file_type;
# /data/backup and /data/secure/backup
type backup_data_file, file_type, data_file_type, mlstrustedobject;
# For /data/security
type security_file, file_type;
# All devices have bluetooth efs files. But they
# vary per device, so this type is used in per
# device policy
type bluetooth_efs_file, file_type;
# Downloaded files
type download_file, file_type;

# Socket types
type adbd_socket, file_type;
type bluetooth_socket, file_type;
type dnsproxyd_socket, file_type, mlstrustedobject;
type dumpstate_socket, file_type;
type gps_socket, file_type;
type installd_socket, file_type;
type keystore_socket, file_type;
type lmkd_socket, file_type;
type logd_debug, file_type;
type logd_socket, file_type;
type logdr_socket, file_type;
type logdw_socket, file_type;
type mdns_socket, file_type;
type netd_socket, file_type;
type property_socket, file_type;
type qemud_socket, file_type;
type racoon_socket, file_type;
type rild_socket, file_type;
type rild_debug_socket, file_type;
type system_wpa_socket, file_type;
type system_ndebug_socket, file_type;
type vold_socket, file_type;
type wpa_socket, file_type;
type zygote_socket, file_type;

# UART (for GPS) control proc file
type gps_control, file_type;

# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
allow dev_type tmpfs:filesystem associate;
#line 1 "external/sepolicy/gpsd.te"
# gpsd - GPS daemon
type gpsd, domain;

#line 3
typeattribute gpsd mlstrustedsubject;
#line 3
typeattribute gpsd unconfineddomain;
#line 3

type gpsd_exec, exec_type, file_type;


#line 6

#line 6
# Allow the necessary permissions.
#line 6

#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow init gpsd_exec:file { getattr open read execute };
#line 6
allow init gpsd:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow gpsd gpsd_exec:file { entrypoint read execute };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
allow gpsd init:process sigchld;
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit init gpsd:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow init gpsd:process { siginh rlimitinh };
#line 6

#line 6
# Make the transition occur by default.
#line 6
type_transition init gpsd_exec:process gpsd;
#line 6

#line 6

#line 6
type gpsd_tmpfs, file_type;
#line 6
type_transition gpsd tmpfs:file gpsd_tmpfs;
#line 6
allow gpsd gpsd_tmpfs:file { read write };
#line 6

#line 6


#line 7
typeattribute gpsd netdomain;
#line 7

allow gpsd gps_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow gpsd gps_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Socket is created by the daemon, not by init, and under /data/gps,
# not under /dev/socket.
type_transition gpsd gps_data_file:sock_file gps_socket;
allow gpsd gps_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# XXX Label sysfs files with a specific type?
allow gpsd sysfs:file { { getattr open read ioctl lock } { open append write } };

allow gpsd gps_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Execute the shell or system commands.
allow gpsd shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
allow gpsd system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
#line 1 "external/sepolicy/hci_attach.te"
type hci_attach, domain;
type hci_attach_exec, exec_type, file_type;


#line 4

#line 4
# Allow the necessary permissions.
#line 4

#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init hci_attach_exec:file { getattr open read execute };
#line 4
allow init hci_attach:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow hci_attach hci_attach_exec:file { entrypoint read execute };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
allow hci_attach init:process sigchld;
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init hci_attach:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init hci_attach:process { siginh rlimitinh };
#line 4

#line 4
# Make the transition occur by default.
#line 4
type_transition init hci_attach_exec:process hci_attach;
#line 4

#line 4

#line 4
type hci_attach_tmpfs, file_type;
#line 4
type_transition hci_attach tmpfs:file hci_attach_tmpfs;
#line 4
allow hci_attach hci_attach_tmpfs:file { read write };
#line 4

#line 4


allow hci_attach kernel:system module_request;
allow hci_attach hci_attach_dev:chr_file { { getattr open read ioctl lock } { open append write } };
allow hci_attach bluetooth_efs_file:dir { open getattr read search ioctl };
allow hci_attach bluetooth_efs_file:file { getattr open read ioctl lock };
#line 1 "external/sepolicy/healthd.te"
# healthd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type healthd, domain;

allow healthd rootfs:file { read entrypoint };

#line 6
type_transition healthd device:chr_file klog_device "__kmsg__";
#line 6
allow healthd klog_device:chr_file { create open write unlink };
#line 6
allow healthd device:dir { write add_name remove_name };
#line 6

# /dev/__null__ created by init prior to policy load,
# open fd inherited by healthd.
allow healthd tmpfs:chr_file { read write };

allow healthd self:capability { net_admin mknod };
allow healthd self:capability2 block_suspend;
allow healthd self:netlink_kobject_uevent_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };

#line 14
# Call the servicemanager and transfer references to it.
#line 14
allow healthd servicemanager:binder { call transfer };
#line 14
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 14
# all domains in domain.te.
#line 14


#line 15
typeattribute healthd binderservicedomain;
#line 15


#line 16
# Call the server domain and optionally transfer references to it.
#line 16
allow healthd system_server:binder { call transfer };
#line 16
# Allow the serverdomain to transfer references to the client on the reply.
#line 16
allow system_server healthd:binder transfer;
#line 16
# Receive and use open files from the server.
#line 16
allow healthd system_server:fd use;
#line 16


###
### healthd: charger mode
###

allow healthd graphics_device:dir { open getattr read search ioctl };
allow healthd graphics_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow healthd input_device:dir { open getattr read search ioctl };
allow healthd input_device:chr_file { getattr open read ioctl lock };
allow healthd ashmem_device:chr_file execute;
allow healthd self:process execmem;
#line 1 "external/sepolicy/hostapd.te"
# userspace wifi access points
type hostapd, domain;

#line 3
typeattribute hostapd mlstrustedsubject;
#line 3
typeattribute hostapd unconfineddomain;
#line 3

type hostapd_exec, exec_type, file_type;

allow hostapd self:capability { net_admin net_raw setuid setgid };
allow hostapd self:netlink_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
allow hostapd self:packet_socket { create write read };
allow hostapd self:netlink_route_socket { bind create write nlmsg_write read };
allow hostapd self:udp_socket { create ioctl };

allow hostapd wifi_data_file:file { { getattr open read ioctl lock } { open append write } };
allow hostapd wifi_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow hostapd wpa_socket:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow hostapd wpa_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow hostapd netd:fd use;
allow hostapd netd:udp_socket { read write };
allow hostapd netd:netlink_kobject_uevent_socket { read write };
allow hostapd netd:netlink_nflog_socket { read write };
allow hostapd netd:netlink_route_socket { read write };
allow hostapd netd:unix_stream_socket { read write };
allow hostapd netd:fifo_file { read write };
#line 1 "external/sepolicy/init_shell.te"
# Restricted domain for shell processes spawned by init
type init_shell, domain, shelldomain;

#line 3
# Allow the necessary permissions.
#line 3

#line 3
# Old domain may exec the file and transition to the new domain.
#line 3
allow init shell_exec:file { getattr open read execute };
#line 3
allow init init_shell:process transition;
#line 3
# New domain is entered by executing the file.
#line 3
allow init_shell shell_exec:file { entrypoint read execute };
#line 3
# New domain can send SIGCHLD to its caller.
#line 3
allow init_shell init:process sigchld;
#line 3
# Enable AT_SECURE, i.e. libc secure mode.
#line 3
dontaudit init init_shell:process noatsecure;
#line 3
# XXX dontaudit candidate but requires further study.
#line 3
allow init init_shell:process { siginh rlimitinh };
#line 3

#line 3
# Make the transition occur by default.
#line 3
type_transition init shell_exec:process init_shell;
#line 3


#line 4
typeattribute init_shell mlstrustedsubject;
#line 4
typeattribute init_shell unconfineddomain;
#line 4


# inherits from shelldomain.te
#line 1 "external/sepolicy/init.te"
# init switches to init domain (via init.rc).
type init, domain;
# init is unconfined.

#line 4
typeattribute init mlstrustedsubject;
#line 4
typeattribute init unconfineddomain;
#line 4


#line 5
type init_tmpfs, file_type;
#line 5
type_transition init tmpfs:file init_tmpfs;
#line 5
allow init init_tmpfs:file { read write };
#line 5


#line 6
typeattribute init relabeltodomain;
#line 6

# add a rule to handle unlabelled mounts
allow init unlabeled:filesystem mount;

allow init self:capability { sys_rawio mknod };

allow init dev_type:blk_file { { getattr open read ioctl lock } { open append write } };
allow init fs_type:filesystem *;
allow init {fs_type dev_type file_type}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;
allow init kernel:security load_policy;
allow init usermodehelper:file { { getattr open read ioctl lock } { open append write } };
allow init proc_security:file { { getattr open read ioctl lock } { open append write } };

# Transitions to seclabel processes in init.rc
allow init adbd:process transition;
allow init healthd:process transition;
allow init recovery:process transition;
allow init shell:process transition;
allow init ueventd:process transition;
allow init watchdogd:process transition;
#line 1 "external/sepolicy/inputflinger.te"
# inputflinger
type inputflinger, domain;

#line 3
typeattribute inputflinger mlstrustedsubject;
#line 3
typeattribute inputflinger unconfineddomain;
#line 3

type inputflinger_exec, exec_type, file_type;


#line 6

#line 6
# Allow the necessary permissions.
#line 6

#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow init inputflinger_exec:file { getattr open read execute };
#line 6
allow init inputflinger:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow inputflinger inputflinger_exec:file { entrypoint read execute };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
allow inputflinger init:process sigchld;
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit init inputflinger:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow init inputflinger:process { siginh rlimitinh };
#line 6

#line 6
# Make the transition occur by default.
#line 6
type_transition init inputflinger_exec:process inputflinger;
#line 6

#line 6

#line 6
type inputflinger_tmpfs, file_type;
#line 6
type_transition inputflinger tmpfs:file inputflinger_tmpfs;
#line 6
allow inputflinger inputflinger_tmpfs:file { read write };
#line 6

#line 6


#line 7
# Call the servicemanager and transfer references to it.
#line 7
allow inputflinger servicemanager:binder { call transfer };
#line 7
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 7
# all domains in domain.te.
#line 7


#line 8
typeattribute inputflinger binderservicedomain;
#line 8

#line 1 "external/sepolicy/installd.te"
# installer daemon
type installd, domain;
type installd_exec, exec_type, file_type;


#line 5

#line 5
# Allow the necessary permissions.
#line 5

#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init installd_exec:file { getattr open read execute };
#line 5
allow init installd:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow installd installd_exec:file { entrypoint read execute };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
allow installd init:process sigchld;
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init installd:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init installd:process { siginh rlimitinh };
#line 5

#line 5
# Make the transition occur by default.
#line 5
type_transition init installd_exec:process installd;
#line 5

#line 5

#line 5
type installd_tmpfs, file_type;
#line 5
type_transition installd tmpfs:file installd_tmpfs;
#line 5
allow installd installd_tmpfs:file { read write };
#line 5

#line 5


#line 6
typeattribute installd relabeltodomain;
#line 6

typeattribute installd mlstrustedsubject;
allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
allow installd system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow installd system_data_file:lnk_file create;
allow installd dalvikcache_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow installd data_file_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow installd data_file_type:dir { relabelfrom relabelto };
allow installd data_file_type:{ { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { getattr unlink };
allow installd apk_data_file:file { getattr open read ioctl lock };
allow installd apk_tmp_file:file { getattr open read ioctl lock };
allow installd system_file:file { getattr execute execute_no_trans };
allow installd cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow installd download_file:dir { { open getattr read search ioctl } write remove_name };
allow installd download_file:file { { getattr open read ioctl lock } unlink };
dontaudit installd self:capability sys_admin;
# Check validity of SELinux context before use.

#line 23
allow installd selinuxfs:dir { open getattr read search ioctl };
#line 23
allow installd selinuxfs:file { { getattr open read ioctl lock } { open append write } };
#line 23
allow installd kernel:security check_context;
#line 23

# Read /seapp_contexts and /data/security/seapp_contexts

#line 25
allow installd security_file:dir { open getattr read search ioctl };
#line 25
allow installd security_file:file { getattr open read ioctl lock };
#line 25
allow installd security_file:lnk_file { getattr open read ioctl lock };
#line 25
allow installd selinuxfs:dir { open getattr read search ioctl };
#line 25
allow installd selinuxfs:file { getattr open read ioctl lock };
#line 25
allow installd rootfs:dir { open getattr read search ioctl };
#line 25
allow installd rootfs:file { getattr open read ioctl lock };
#line 25

# ASEC
allow installd platform_app_data_file:lnk_file { create setattr };
allow installd app_data_file:lnk_file { create setattr };
allow installd asec_apk_file:file { getattr open read ioctl lock };
allow installd bluetooth_data_file:lnk_file { create setattr };
allow installd nfc_data_file:lnk_file { create setattr };
allow installd radio_data_file:lnk_file { create setattr };
allow installd shell_data_file:lnk_file { create setattr };
#line 1 "external/sepolicy/isolated_app.te"
###
### Services with isolatedProcess=true in their manifest.
###
### This file defines the rules for isolated apps. An "isolated
### app" is an APP with UID between AID_ISOLATED_START (99000)
### and AID_ISOLATED_END (99999).
###
### isolated_app includes all the appdomain rules, plus the
### additional following rules:
###

type isolated_app, domain;

#line 13
typeattribute isolated_app appdomain;
#line 13
# Label ashmem objects with our own unique type.
#line 13

#line 13
type isolated_app_tmpfs, file_type;
#line 13
type_transition isolated_app tmpfs:file isolated_app_tmpfs;
#line 13
allow isolated_app isolated_app_tmpfs:file { read write };
#line 13

#line 13
# Map with PROT_EXEC.
#line 13
allow isolated_app isolated_app_tmpfs:file execute;
#line 13


# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow isolated_app appdomain:unix_stream_socket { read write };

allow isolated_app dalvikcache_data_file:file execute;
allow isolated_app apk_data_file:dir getattr;
#line 1 "external/sepolicy/kernel.te"
# Life begins with the kernel.
type kernel, domain;

allow kernel init:process dyntransition;

# The kernel is unconfined.

#line 7
typeattribute kernel mlstrustedsubject;
#line 7
typeattribute kernel unconfineddomain;
#line 7


#line 8
typeattribute kernel relabeltodomain;
#line 8


allow kernel {fs_type dev_type file_type}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;
allow kernel unlabeled:filesystem mount;
allow kernel fs_type:filesystem *;

# Initial setenforce by init prior to switching to init domain.
allow kernel self:security setenforce;

# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel self:security setcheckreqprot;

# For operations performed by kernel or init prior to switching to init domain.
## TODO: Investigate whether it is safe to remove these
allow kernel self:capability { sys_rawio mknod };
auditallow kernel self:capability { sys_rawio mknod };
allow kernel dev_type:blk_file { { getattr open read ioctl lock } { open append write } };
auditallow kernel dev_type:blk_file { { getattr open read ioctl lock } { open append write } };
#line 1 "external/sepolicy/keystore.te"
type keystore, domain;
type keystore_exec, exec_type, file_type;

# keystore daemon

#line 5

#line 5
# Allow the necessary permissions.
#line 5

#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init keystore_exec:file { getattr open read execute };
#line 5
allow init keystore:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow keystore keystore_exec:file { entrypoint read execute };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
allow keystore init:process sigchld;
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init keystore:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init keystore:process { siginh rlimitinh };
#line 5

#line 5
# Make the transition occur by default.
#line 5
type_transition init keystore_exec:process keystore;
#line 5

#line 5

#line 5
type keystore_tmpfs, file_type;
#line 5
type_transition keystore tmpfs:file keystore_tmpfs;
#line 5
allow keystore keystore_tmpfs:file { read write };
#line 5

#line 5

typeattribute keystore mlstrustedsubject;

#line 7
# Call the servicemanager and transfer references to it.
#line 7
allow keystore servicemanager:binder { call transfer };
#line 7
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 7
# all domains in domain.te.
#line 7


#line 8
typeattribute keystore binderservicedomain;
#line 8

allow keystore keystore_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow keystore keystore_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow keystore keystore_exec:file { getattr };
allow keystore tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow keystore tee:unix_stream_socket connectto;
#line 1 "external/sepolicy/lmkd.te"
# lmkd low memory killer daemon
type lmkd, domain;
type lmkd_exec, exec_type, file_type;


#line 5

#line 5
# Allow the necessary permissions.
#line 5

#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init lmkd_exec:file { getattr open read execute };
#line 5
allow init lmkd:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow lmkd lmkd_exec:file { entrypoint read execute };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
allow lmkd init:process sigchld;
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init lmkd:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init lmkd:process { siginh rlimitinh };
#line 5

#line 5
# Make the transition occur by default.
#line 5
type_transition init lmkd_exec:process lmkd;
#line 5

#line 5

#line 5
type lmkd_tmpfs, file_type;
#line 5
type_transition lmkd tmpfs:file lmkd_tmpfs;
#line 5
allow lmkd lmkd_tmpfs:file { read write };
#line 5

#line 5


allow lmkd self:capability { dac_override sys_resource };

## Open and write to /proc/PID/oom_score_adj
## TODO: maybe scope this down?

#line 11
allow lmkd appdomain:dir { open getattr read search ioctl };
#line 11
allow lmkd appdomain:{ file lnk_file } { getattr open read ioctl lock };
#line 11

allow lmkd appdomain:file write;

#line 13
allow lmkd system_server:dir { open getattr read search ioctl };
#line 13
allow lmkd system_server:{ file lnk_file } { getattr open read ioctl lock };
#line 13

allow lmkd system_server:file write;

## Writes to /sys/module/lowmemorykiller/parameters/minfree
allow lmkd sysfs_lowmemorykiller:file { open append write };
#line 1 "external/sepolicy/logd.te"
# android user-space log manager
type logd, domain;
type logd_exec, exec_type, file_type;


#line 5

#line 5
# Allow the necessary permissions.
#line 5

#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init logd_exec:file { getattr open read execute };
#line 5
allow init logd:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow logd logd_exec:file { entrypoint read execute };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
allow logd init:process sigchld;
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init logd:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init logd:process { siginh rlimitinh };
#line 5

#line 5
# Make the transition occur by default.
#line 5
type_transition init logd_exec:process logd;
#line 5

#line 5

#line 5
type logd_tmpfs, file_type;
#line 5
type_transition logd tmpfs:file logd_tmpfs;
#line 5
allow logd logd_tmpfs:file { read write };
#line 5

#line 5

allow logd self:unix_stream_socket *;

allow logd self:capability { setuid setgid sys_nice };


#line 10
allow logd domain:dir { open getattr read search ioctl };
#line 10
allow logd domain:{ file lnk_file } { getattr open read ioctl lock };
#line 10


#line 17


###
### Neverallow rules
###
### logd should NEVER do any of this

# Block device access.
neverallow logd dev_type:blk_file { read write };

# ptrace any other app
neverallow logd domain:process ptrace;

# Write to /system.
neverallow logd system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;

# Write to files in /data/data or system files on /data
neverallow logd { app_data_file system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
#line 1 "external/sepolicy/media_app.te"
###
### Apps signed with the media key.
###

type media_app, domain;

#line 6
typeattribute media_app appdomain;
#line 6
# Label ashmem objects with our own unique type.
#line 6

#line 6
type media_app_tmpfs, file_type;
#line 6
type_transition media_app tmpfs:file media_app_tmpfs;
#line 6
allow media_app media_app_tmpfs:file { read write };
#line 6

#line 6
# Map with PROT_EXEC.
#line 6
allow media_app media_app_tmpfs:file execute;
#line 6


#line 7
typeattribute media_app platformappdomain;
#line 7
typeattribute media_app mlstrustedsubject;
#line 7


#line 8
typeattribute media_app binderservicedomain;
#line 8

# Access the network.

#line 10
typeattribute media_app netdomain;
#line 10

# Access /dev/mtp_usb.
allow media_app mtp_device:chr_file { { getattr open read ioctl lock } { open append write } };
# Write to /cache.
allow media_app cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow media_app cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Stat /cache/lost+found
allow media_app unlabeled:file getattr;
allow media_app unlabeled:dir getattr;
# Stat /cache/backup
allow media_app cache_backup_file:file getattr;
allow media_app cache_backup_file:dir getattr;
# Read files in the rootdir (in particular, file_contexts for restorecon).
allow media_app rootfs:file { getattr open read ioctl lock };
allow media_app download_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow media_app download_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Allow platform apps to mark platform app data files as download files

#line 27
typeattribute media_app relabeltodomain;
#line 27

allow media_app platform_app_data_file:dir relabelfrom;
allow media_app download_file:dir relabelto;
#line 1 "external/sepolicy/mediaserver.te"
# mediaserver - multimedia daemon
type mediaserver, domain;

#line 3
typeattribute mediaserver mlstrustedsubject;
#line 3
typeattribute mediaserver unconfineddomain;
#line 3

type mediaserver_exec, exec_type, file_type;

typeattribute mediaserver mlstrustedsubject;


#line 8
typeattribute mediaserver netdomain;
#line 8


#line 9

#line 9
# Allow the necessary permissions.
#line 9

#line 9
# Old domain may exec the file and transition to the new domain.
#line 9
allow init mediaserver_exec:file { getattr open read execute };
#line 9
allow init mediaserver:process transition;
#line 9
# New domain is entered by executing the file.
#line 9
allow mediaserver mediaserver_exec:file { entrypoint read execute };
#line 9
# New domain can send SIGCHLD to its caller.
#line 9
allow mediaserver init:process sigchld;
#line 9
# Enable AT_SECURE, i.e. libc secure mode.
#line 9
dontaudit init mediaserver:process noatsecure;
#line 9
# XXX dontaudit candidate but requires further study.
#line 9
allow init mediaserver:process { siginh rlimitinh };
#line 9

#line 9
# Make the transition occur by default.
#line 9
type_transition init mediaserver_exec:process mediaserver;
#line 9

#line 9

#line 9
type mediaserver_tmpfs, file_type;
#line 9
type_transition mediaserver tmpfs:file mediaserver_tmpfs;
#line 9
allow mediaserver mediaserver_tmpfs:file { read write };
#line 9

#line 9


#line 10
allow mediaserver property_socket:sock_file write;
#line 10
allow mediaserver init:unix_stream_socket connectto;
#line 10


#line 12
allow mediaserver sdcard_type:dir { open getattr read search ioctl };
#line 12
allow mediaserver sdcard_type:{ file lnk_file } { getattr open read ioctl lock };
#line 12


#line 14
# Call the servicemanager and transfer references to it.
#line 14
allow mediaserver servicemanager:binder { call transfer };
#line 14
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 14
# all domains in domain.te.
#line 14


#line 15
# Call the server domain and optionally transfer references to it.
#line 15
allow mediaserver binderservicedomain:binder { call transfer };
#line 15
# Allow the serverdomain to transfer references to the client on the reply.
#line 15
allow binderservicedomain mediaserver:binder transfer;
#line 15
# Receive and use open files from the server.
#line 15
allow mediaserver binderservicedomain:fd use;
#line 15


#line 16
# Call the server domain and optionally transfer references to it.
#line 16
allow mediaserver appdomain:binder { call transfer };
#line 16
# Allow the serverdomain to transfer references to the client on the reply.
#line 16
allow appdomain mediaserver:binder transfer;
#line 16
# Receive and use open files from the server.
#line 16
allow mediaserver appdomain:fd use;
#line 16


#line 17
typeattribute mediaserver binderservicedomain;
#line 17


allow mediaserver self:process execmem;
allow mediaserver kernel:system module_request;
allow mediaserver media_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow mediaserver media_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow mediaserver app_data_file:dir search;
allow mediaserver app_data_file:file { { getattr open read ioctl lock } { open append write } };
allow mediaserver platform_app_data_file:file { getattr read };
allow mediaserver sdcard_type:file write;
allow mediaserver { gpu_device graphics_device }:chr_file { { getattr open read ioctl lock } { open append write } };
allow mediaserver video_device:dir { open getattr read search ioctl };
allow mediaserver video_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow mediaserver audio_device:dir { open getattr read search ioctl };
allow mediaserver qemu_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow mediaserver tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow mediaserver audio_prop:property_service set;

# Access audio devices at all.
allow mediaserver audio_device:chr_file { { getattr open read ioctl lock } { open append write } };

# XXX Label with a specific type?
allow mediaserver sysfs:file { { getattr open read ioctl lock } { open append write } };

# XXX Why?
allow mediaserver apk_data_file:file { read getattr };

# Access camera device.
allow mediaserver camera_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow mediaserver rpmsg_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Inter System processes communicate over named pipe (FIFO)
allow mediaserver system_server:fifo_file { getattr open read ioctl lock };

# Camera data

#line 52
allow mediaserver camera_data_file:dir { open getattr read search ioctl };
#line 52
allow mediaserver camera_data_file:{ file lnk_file } { getattr open read ioctl lock };
#line 52


#line 53
allow mediaserver media_rw_data_file:dir { open getattr read search ioctl };
#line 53
allow mediaserver media_rw_data_file:{ file lnk_file } { getattr open read ioctl lock };
#line 53


# Grant access to audio files to mediaserver
allow mediaserver audio_data_file:dir { { open getattr read search ioctl } add_name write };
allow mediaserver audio_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
allow mediaserver qtaguid_proc:file { { getattr open read ioctl lock } { open append write } };
allow mediaserver qtaguid_device:chr_file { getattr open read ioctl lock };

# Allow abstract socket connection
allow mediaserver rild:unix_stream_socket { connectto read write setopt };

# Needed on some devices for playing DRM protected content,
# but seems expected and appropriate for all devices.

#line 68
allow mediaserver drmserver_socket:sock_file write;
#line 68
allow mediaserver drmserver:unix_stream_socket connectto;
#line 68


# Needed on some devices for playing audio on paired BT device,
# but seems appropriate for all devices.

#line 72
allow mediaserver bluetooth_socket:sock_file write;
#line 72
allow mediaserver bluetooth:unix_stream_socket connectto;
#line 72

#line 1 "external/sepolicy/mtp.te"
# vpn tunneling protocol manager
type mtp, domain;

#line 3
typeattribute mtp mlstrustedsubject;
#line 3
typeattribute mtp unconfineddomain;
#line 3

type mtp_exec, exec_type, file_type;


#line 6

#line 6
# Allow the necessary permissions.
#line 6

#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow init mtp_exec:file { getattr open read execute };
#line 6
allow init mtp:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow mtp mtp_exec:file { entrypoint read execute };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
allow mtp init:process sigchld;
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit init mtp:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow init mtp:process { siginh rlimitinh };
#line 6

#line 6
# Make the transition occur by default.
#line 6
type_transition init mtp_exec:process mtp;
#line 6

#line 6

#line 6
type mtp_tmpfs, file_type;
#line 6
type_transition mtp tmpfs:file mtp_tmpfs;
#line 6
allow mtp mtp_tmpfs:file { read write };
#line 6

#line 6


#line 7
typeattribute mtp netdomain;
#line 7


# pptp policy
allow mtp self:tcp_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
allow mtp self:socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
allow mtp self:rawip_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
allow mtp self:capability net_raw;
allow mtp ppp:process signal;
allow mtp port:tcp_socket name_connect;
allow mtp vpn_data_file:dir search;
#line 1 "external/sepolicy/netd.te"
# network manager
type netd, domain;
type netd_exec, exec_type, file_type;


#line 5

#line 5
# Allow the necessary permissions.
#line 5

#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init netd_exec:file { getattr open read execute };
#line 5
allow init netd:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow netd netd_exec:file { entrypoint read execute };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
allow netd init:process sigchld;
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init netd:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init netd:process { siginh rlimitinh };
#line 5

#line 5
# Make the transition occur by default.
#line 5
type_transition init netd_exec:process netd;
#line 5

#line 5

#line 5
type netd_tmpfs, file_type;
#line 5
type_transition netd tmpfs:file netd_tmpfs;
#line 5
allow netd netd_tmpfs:file { read write };
#line 5

#line 5


#line 6
typeattribute netd netdomain;
#line 6


allow netd self:capability { net_admin net_raw kill fsetid };
allow netd self:netlink_kobject_uevent_socket *;
allow netd self:netlink_route_socket *;
allow netd self:netlink_nflog_socket *;
allow netd self:rawip_socket *;
allow netd self:unix_stream_socket *;
allow netd shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
allow netd system_file:file { getattr execute execute_no_trans };
allow netd devpts:chr_file { { getattr open read ioctl lock } { open append write } };

# For /proc/sys/net/ipv[46]/route/flush.
allow netd proc_net:file write;

# For /sys/modules/bcmdhd/parameters/firmware_path
# XXX Split into its own type.
allow netd sysfs:file write;

# Set dhcp lease for PAN connection

#line 26
allow netd property_socket:sock_file write;
#line 26
allow netd init:unix_stream_socket connectto;
#line 26

allow netd system_prop:property_service set;

# Connect to PAN

#line 30
# Allow the necessary permissions.
#line 30

#line 30
# Old domain may exec the file and transition to the new domain.
#line 30
allow netd dhcp_exec:file { getattr open read execute };
#line 30
allow netd dhcp:process transition;
#line 30
# New domain is entered by executing the file.
#line 30
allow dhcp dhcp_exec:file { entrypoint read execute };
#line 30
# New domain can send SIGCHLD to its caller.
#line 30
allow dhcp netd:process sigchld;
#line 30
# Enable AT_SECURE, i.e. libc secure mode.
#line 30
dontaudit netd dhcp:process noatsecure;
#line 30
# XXX dontaudit candidate but requires further study.
#line 30
allow netd dhcp:process { siginh rlimitinh };
#line 30

#line 30
# Make the transition occur by default.
#line 30
type_transition netd dhcp_exec:process dhcp;
#line 30

allow netd dhcp:process signal;

# Needed to update /data/misc/wifi/hostapd.conf
# TODO: See what we can do to reduce the need for
# these capabilities
allow netd self:capability { dac_override chown fowner };
allow netd wifi_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow netd wifi_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };

# Allow netd to spawn hostapd in it's own domain

#line 41
# Allow the necessary permissions.
#line 41

#line 41
# Old domain may exec the file and transition to the new domain.
#line 41
allow netd hostapd_exec:file { getattr open read execute };
#line 41
allow netd hostapd:process transition;
#line 41
# New domain is entered by executing the file.
#line 41
allow hostapd hostapd_exec:file { entrypoint read execute };
#line 41
# New domain can send SIGCHLD to its caller.
#line 41
allow hostapd netd:process sigchld;
#line 41
# Enable AT_SECURE, i.e. libc secure mode.
#line 41
dontaudit netd hostapd:process noatsecure;
#line 41
# XXX dontaudit candidate but requires further study.
#line 41
allow netd hostapd:process { siginh rlimitinh };
#line 41

#line 41
# Make the transition occur by default.
#line 41
type_transition netd hostapd_exec:process hostapd;
#line 41

allow netd hostapd:process signal;

# Allow netd to spawn dnsmasq in it's own domain

#line 45
# Allow the necessary permissions.
#line 45

#line 45
# Old domain may exec the file and transition to the new domain.
#line 45
allow netd dnsmasq_exec:file { getattr open read execute };
#line 45
allow netd dnsmasq:process transition;
#line 45
# New domain is entered by executing the file.
#line 45
allow dnsmasq dnsmasq_exec:file { entrypoint read execute };
#line 45
# New domain can send SIGCHLD to its caller.
#line 45
allow dnsmasq netd:process sigchld;
#line 45
# Enable AT_SECURE, i.e. libc secure mode.
#line 45
dontaudit netd dnsmasq:process noatsecure;
#line 45
# XXX dontaudit candidate but requires further study.
#line 45
allow netd dnsmasq:process { siginh rlimitinh };
#line 45

#line 45
# Make the transition occur by default.
#line 45
type_transition netd dnsmasq_exec:process dnsmasq;
#line 45

allow netd dnsmasq:process signal;

# Allow netd to start clatd in its own domain

#line 49
# Allow the necessary permissions.
#line 49

#line 49
# Old domain may exec the file and transition to the new domain.
#line 49
allow netd clatd_exec:file { getattr open read execute };
#line 49
allow netd clatd:process transition;
#line 49
# New domain is entered by executing the file.
#line 49
allow clatd clatd_exec:file { entrypoint read execute };
#line 49
# New domain can send SIGCHLD to its caller.
#line 49
allow clatd netd:process sigchld;
#line 49
# Enable AT_SECURE, i.e. libc secure mode.
#line 49
dontaudit netd clatd:process noatsecure;
#line 49
# XXX dontaudit candidate but requires further study.
#line 49
allow netd clatd:process { siginh rlimitinh };
#line 49

#line 49
# Make the transition occur by default.
#line 49
type_transition netd clatd_exec:process clatd;
#line 49

allow netd clatd:process signal;

# Support netd running mdnsd
# TODO: prune this back further
allow netd ctl_default_prop:property_service set;
allow netd device:sock_file write;

###
### Neverallow rules
###
### netd should NEVER do any of this

# Block device access.
neverallow netd dev_type:blk_file { read write };

# Setting SELinux enforcing status or booleans.
neverallow netd kernel:security { setenforce setbool };

# Load security policy.
neverallow netd kernel:security load_policy;

# ptrace any other app
neverallow netd { domain }:process ptrace;

# Write to /system.
neverallow netd system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;

# Write to files in /data/data or system files on /data
neverallow netd { app_data_file system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
#line 1 "external/sepolicy/net.te"
# Network types
type node, node_type;
type netif, netif_type;
type port, port_type;

# Use network sockets.
allow netdomain self:{ tcp_socket udp_socket } *;
# Connect to ports.
allow netdomain port_type:tcp_socket name_connect;
# Bind to ports.
allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
allow netdomain port_type:udp_socket name_bind;
allow netdomain port_type:tcp_socket name_bind;
# Get route information.
allow netdomain self:netlink_route_socket { create bind read nlmsg_read };

# Talks to netd via dnsproxyd socket.

#line 18
allow netdomain dnsproxyd_socket:sock_file write;
#line 18
allow netdomain netd:unix_stream_socket connectto;
#line 18

#line 1 "external/sepolicy/nfc.te"
# nfc subsystem
type nfc, domain;

#line 3
typeattribute nfc appdomain;
#line 3
# Label ashmem objects with our own unique type.
#line 3

#line 3
type nfc_tmpfs, file_type;
#line 3
type_transition nfc tmpfs:file nfc_tmpfs;
#line 3
allow nfc nfc_tmpfs:file { read write };
#line 3

#line 3
# Map with PROT_EXEC.
#line 3
allow nfc nfc_tmpfs:file execute;
#line 3


#line 4
typeattribute nfc binderservicedomain;
#line 4


# NFC device access.
allow nfc nfc_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Data file accesses.
allow nfc nfc_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow nfc nfc_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

allow nfc sysfs_nfc_power_writable:file { { getattr open read ioctl lock } { open append write } };
allow nfc sysfs:file write;

allow nfc sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow nfc sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
#line 1 "external/sepolicy/platform_app.te"
###
### Apps signed with the platform key.
###

type platform_app, domain;

#line 6
typeattribute platform_app mlstrustedsubject;
#line 6
typeattribute platform_app unconfineddomain;
#line 6


#line 7
typeattribute platform_app appdomain;
#line 7
# Label ashmem objects with our own unique type.
#line 7

#line 7
type platform_app_tmpfs, file_type;
#line 7
type_transition platform_app tmpfs:file platform_app_tmpfs;
#line 7
allow platform_app platform_app_tmpfs:file { read write };
#line 7

#line 7
# Map with PROT_EXEC.
#line 7
allow platform_app platform_app_tmpfs:file execute;
#line 7


#line 8
typeattribute platform_app platformappdomain;
#line 8
typeattribute platform_app mlstrustedsubject;
#line 8

# Access the network.

#line 10
typeattribute platform_app netdomain;
#line 10

# Access bluetooth.

#line 12
typeattribute platform_app bluetoothdomain;
#line 12

# Write to /cache.
allow platform_app cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow platform_app cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Read from /data/local.
allow platform_app shell_data_file:dir search;
allow platform_app shell_data_file:file { open getattr read };
allow platform_app shell_data_file:lnk_file read;
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
# created by system server.
allow platform_app { apk_tmp_file apk_private_tmp_file }:file { { getattr open read ioctl lock } { open append write } };
allow platform_app apk_private_data_file:dir search;
# ASEC
allow platform_app asec_apk_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow platform_app asec_apk_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Access download files.
allow platform_app download_file:file { { getattr open read ioctl lock } { open append write } };
# Allow BackupManagerService to backup all app domains
allow platform_app appdomain:fifo_file write;

#
# Rules for all platform app domains.
#

# App sandbox file accesses.
allow platformappdomain platform_app_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow platformappdomain platform_app_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow platformappdomain platform_app_data_file:file execute;
# App sdcard file accesses
allow platformappdomain sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow platformappdomain sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Access to /data/media.
allow platformappdomain media_rw_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow platformappdomain media_rw_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
#line 1 "external/sepolicy/ppp.te"
# Point to Point Protocol daemon
type ppp, domain;

#line 3
typeattribute ppp mlstrustedsubject;
#line 3
typeattribute ppp unconfineddomain;
#line 3

type ppp_device, dev_type;
type ppp_exec, exec_type, file_type;

#line 6
# Allow the necessary permissions.
#line 6

#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow mtp ppp_exec:file { getattr open read execute };
#line 6
allow mtp ppp:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow ppp ppp_exec:file { entrypoint read execute };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
allow ppp mtp:process sigchld;
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit mtp ppp:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow mtp ppp:process { siginh rlimitinh };
#line 6

#line 6
# Make the transition occur by default.
#line 6
type_transition mtp ppp_exec:process ppp;
#line 6


allow ppp mtp:socket { ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow ppp ppp_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow ppp self:capability net_admin;
allow ppp self:udp_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
allow ppp system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
allow ppp vpn_data_file:dir { open search write add_name remove_name };
allow ppp vpn_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow ppp mtp:fd use;
#line 1 "external/sepolicy/property.te"
type default_prop, property_type;
type shell_prop, property_type;
type debug_prop, property_type;
type debuggerd_prop, property_type;
type radio_prop, property_type;
type system_prop, property_type;
type vold_prop, property_type;
type rild_prop, property_type;
type ctl_default_prop, property_type;
type ctl_dumpstate_prop, property_type;
type ctl_rildaemon_prop, property_type;
type audio_prop, property_type;
type security_prop, property_type;
type bluetooth_prop, property_type;
type powerctl_prop, property_type;
#line 1 "external/sepolicy/qemud.te"
# qemu support daemon
type qemud, domain;
type qemud_exec, exec_type, file_type;


#line 5

#line 5
# Allow the necessary permissions.
#line 5

#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init qemud_exec:file { getattr open read execute };
#line 5
allow init qemud:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow qemud qemud_exec:file { entrypoint read execute };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
allow qemud init:process sigchld;
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init qemud:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init qemud:process { siginh rlimitinh };
#line 5

#line 5
# Make the transition occur by default.
#line 5
type_transition init qemud_exec:process qemud;
#line 5

#line 5

#line 5
type qemud_tmpfs, file_type;
#line 5
type_transition qemud tmpfs:file qemud_tmpfs;
#line 5
allow qemud qemud_tmpfs:file { read write };
#line 5

#line 5


#line 6
typeattribute qemud mlstrustedsubject;
#line 6
typeattribute qemud unconfineddomain;
#line 1 "external/sepolicy/racoon.te"
# IKE key management daemon
type racoon, domain;

#line 3
typeattribute racoon mlstrustedsubject;
#line 3
typeattribute racoon unconfineddomain;
#line 3

type racoon_exec, exec_type, file_type;


#line 6

#line 6
# Allow the necessary permissions.
#line 6

#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow init racoon_exec:file { getattr open read execute };
#line 6
allow init racoon:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow racoon racoon_exec:file { entrypoint read execute };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
allow racoon init:process sigchld;
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit init racoon:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow init racoon:process { siginh rlimitinh };
#line 6

#line 6
# Make the transition occur by default.
#line 6
type_transition init racoon_exec:process racoon;
#line 6

#line 6

#line 6
type racoon_tmpfs, file_type;
#line 6
type_transition racoon tmpfs:file racoon_tmpfs;
#line 6
allow racoon racoon_tmpfs:file { read write };
#line 6

#line 6

typeattribute racoon mlstrustedsubject;


#line 9
# Call the server domain and optionally transfer references to it.
#line 9
allow racoon servicemanager:binder { call transfer };
#line 9
# Allow the serverdomain to transfer references to the client on the reply.
#line 9
allow servicemanager racoon:binder transfer;
#line 9
# Receive and use open files from the server.
#line 9
allow racoon servicemanager:fd use;
#line 9


#line 10
# Call the server domain and optionally transfer references to it.
#line 10
allow racoon keystore:binder { call transfer };
#line 10
# Allow the serverdomain to transfer references to the client on the reply.
#line 10
allow keystore racoon:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow racoon keystore:fd use;
#line 10


allow racoon tun_device:chr_file { getattr open read ioctl lock };
allow racoon cgroup:dir { add_name create };
allow racoon kernel:system module_request;
allow racoon port:udp_socket name_bind;
allow racoon node:udp_socket node_bind;

allow racoon self:{ key_socket udp_socket } { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
allow racoon self:tun_socket create;
allow racoon self:capability { net_admin net_bind_service net_raw setuid };

# XXX: should we give ip-up-vpn its own label (currently racoon domain)
allow racoon system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
allow racoon vpn_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow racoon vpn_data_file:dir { open search write add_name remove_name };
#line 1 "external/sepolicy/radio.te"
# phone subsystem
type radio, domain;

#line 3
typeattribute radio appdomain;
#line 3
# Label ashmem objects with our own unique type.
#line 3

#line 3
type radio_tmpfs, file_type;
#line 3
type_transition radio tmpfs:file radio_tmpfs;
#line 3
allow radio radio_tmpfs:file { read write };
#line 3

#line 3
# Map with PROT_EXEC.
#line 3
allow radio radio_tmpfs:file execute;
#line 3


#line 4
typeattribute radio netdomain;
#line 4


#line 5
typeattribute radio bluetoothdomain;
#line 5


#line 6
typeattribute radio binderservicedomain;
#line 6


# Talks to init via the property socket.

#line 9
allow radio property_socket:sock_file write;
#line 9
allow radio init:unix_stream_socket connectto;
#line 9


# Talks to rild via the rild socket.

#line 12
allow radio rild_socket:sock_file write;
#line 12
allow radio rild:unix_stream_socket connectto;
#line 12


# Data file accesses.
allow radio radio_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow radio radio_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

allow radio alarm_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Property service
allow radio radio_prop:property_service set;

# ctl interface
allow radio ctl_rildaemon_prop:property_service set;
#line 1 "external/sepolicy/recovery.te"
# recovery console (used in recovery init.rc for /sbin/recovery)
type recovery, domain;
allow recovery rootfs:file entrypoint;

#line 4
typeattribute recovery mlstrustedsubject;
#line 4
typeattribute recovery unconfineddomain;
#line 4


#line 5
typeattribute recovery relabeltodomain;
#line 5


allow recovery self:capability2 mac_admin;

allow recovery {fs_type dev_type -kmem_device file_type}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;
allow recovery unlabeled:filesystem mount;
allow recovery fs_type:filesystem *;

# Required to e.g. wipe userdata/cache.
allow recovery dev_type:blk_file { { getattr open read ioctl lock } { open append write } };

allow recovery self:process execmem;
allow recovery ashmem_device:chr_file execute;
allow recovery tmpfs:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };

## TODO: Investigate whether it is safe to remove these
allow recovery self:capability { sys_rawio mknod };
auditallow recovery self:capability { sys_rawio mknod };
#line 1 "external/sepolicy/release_app.te"
###
### Apps signed with the release key (testkey in AOSP).
###

type release_app, domain;

#line 6
typeattribute release_app mlstrustedsubject;
#line 6
typeattribute release_app unconfineddomain;
#line 6


#line 7
typeattribute release_app appdomain;
#line 7
# Label ashmem objects with our own unique type.
#line 7

#line 7
type release_app_tmpfs, file_type;
#line 7
type_transition release_app tmpfs:file release_app_tmpfs;
#line 7
allow release_app release_app_tmpfs:file { read write };
#line 7

#line 7
# Map with PROT_EXEC.
#line 7
allow release_app release_app_tmpfs:file execute;
#line 7


#line 8
typeattribute release_app platformappdomain;
#line 8
typeattribute release_app mlstrustedsubject;
#line 8

# Access the network.

#line 10
typeattribute release_app netdomain;
#line 10

# Access bluetooth.

#line 12
typeattribute release_app bluetoothdomain;
#line 12


# Write to /cache.
allow release_app cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow release_app cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
#line 1 "external/sepolicy/rild.te"
# rild - radio interface layer daemon
type rild, domain;

#line 3
typeattribute rild mlstrustedsubject;
#line 3
typeattribute rild unconfineddomain;
#line 3

type rild_exec, exec_type, file_type;


#line 6

#line 6
# Allow the necessary permissions.
#line 6

#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow init rild_exec:file { getattr open read execute };
#line 6
allow init rild:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow rild rild_exec:file { entrypoint read execute };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
allow rild init:process sigchld;
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit init rild:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow init rild:process { siginh rlimitinh };
#line 6

#line 6
# Make the transition occur by default.
#line 6
type_transition init rild_exec:process rild;
#line 6

#line 6

#line 6
type rild_tmpfs, file_type;
#line 6
type_transition rild tmpfs:file rild_tmpfs;
#line 6
allow rild rild_tmpfs:file { read write };
#line 6

#line 6


#line 7
typeattribute rild netdomain;
#line 7

allow rild self:netlink_route_socket { setopt write };
allow rild kernel:system module_request;

#line 10
allow rild property_socket:sock_file write;
#line 10
allow rild init:unix_stream_socket connectto;
#line 10


#line 11
allow rild qemud_socket:sock_file write;
#line 11
allow rild qemud:unix_stream_socket connectto;
#line 11

allow rild self:capability { setuid net_admin net_raw };
allow rild alarm_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow rild cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow rild radio_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow rild radio_device:blk_file { getattr open read ioctl lock };
allow rild qemu_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow rild mtd_device:dir search;
allow rild efs_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow rild efs_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow rild shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
allow rild bluetooth_efs_file:file { getattr open read ioctl lock };
allow rild bluetooth_efs_file:dir { open getattr read search ioctl };
allow rild radio_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow rild radio_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow rild sdcard_type:dir { open getattr read search ioctl };
allow rild system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow rild system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow rild system_file:file { getattr execute execute_no_trans };
dontaudit rild self:capability sys_admin;

# property service
allow rild rild_prop:property_service set;
allow rild radio_prop:property_service set;

# Read/Write to uart driver (for GPS)
allow rild gps_device:chr_file { { getattr open read ioctl lock } { open append write } };

allow rild tty_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Allow rild to create, bind, read, write to itself through a netlink socket
allow rild self:netlink_socket { create bind read write };

allow rild self:netlink_kobject_uevent_socket { bind create getopt read setopt };

# Access to wake locks
allow rild sysfs_wake_lock:file { { getattr open read ioctl lock } { open append write } };

allow rild self:socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
#line 1 "external/sepolicy/runas.te"
type runas, domain, mlstrustedsubject;
type runas_exec, exec_type, file_type;

# ndk-gdb invokes adb shell run-as.

#line 5
# Allow the necessary permissions.
#line 5

#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow shell runas_exec:file { getattr open read execute };
#line 5
allow shell runas:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow runas runas_exec:file { entrypoint read execute };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
allow runas shell:process sigchld;
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit shell runas:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow shell runas:process { siginh rlimitinh };
#line 5

#line 5
# Make the transition occur by default.
#line 5
type_transition shell runas_exec:process runas;
#line 5

allow runas adbd:process sigchld;
allow runas shell:fd  use;
allow runas devpts:chr_file { read write ioctl };

# run-as reads package information.
allow runas system_data_file:file { getattr open read ioctl lock };

# run-as checks and changes to the app data dir.
dontaudit runas self:capability dac_override;
allow runas app_data_file:dir { getattr search };

# run-as switches to the app UID/GID.
allow runas self:capability { setuid setgid };

# run-as switches to the app security context.
# read /seapp_contexts and /data/security/seapp_contexts

#line 22
allow runas security_file:dir { open getattr read search ioctl };
#line 22
allow runas security_file:file { getattr open read ioctl lock };
#line 22
allow runas security_file:lnk_file { getattr open read ioctl lock };
#line 22
allow runas selinuxfs:dir { open getattr read search ioctl };
#line 22
allow runas selinuxfs:file { getattr open read ioctl lock };
#line 22
allow runas rootfs:dir { open getattr read search ioctl };
#line 22
allow runas rootfs:file { getattr open read ioctl lock };
#line 22


#line 23
allow runas selinuxfs:dir { open getattr read search ioctl };
#line 23
allow runas selinuxfs:file { { getattr open read ioctl lock } { open append write } };
#line 23
allow runas kernel:security check_context;
#line 23
 # validate context
allow runas { appdomain -system_app }:process dyntransition; # setcon
#line 1 "external/sepolicy/sdcardd.te"
type sdcardd, domain;
type sdcardd_exec, exec_type, file_type;


#line 4

#line 4
# Allow the necessary permissions.
#line 4

#line 4
# Old domain may exec the file and transition to the new domain.
#line 4
allow init sdcardd_exec:file { getattr open read execute };
#line 4
allow init sdcardd:process transition;
#line 4
# New domain is entered by executing the file.
#line 4
allow sdcardd sdcardd_exec:file { entrypoint read execute };
#line 4
# New domain can send SIGCHLD to its caller.
#line 4
allow sdcardd init:process sigchld;
#line 4
# Enable AT_SECURE, i.e. libc secure mode.
#line 4
dontaudit init sdcardd:process noatsecure;
#line 4
# XXX dontaudit candidate but requires further study.
#line 4
allow init sdcardd:process { siginh rlimitinh };
#line 4

#line 4
# Make the transition occur by default.
#line 4
type_transition init sdcardd_exec:process sdcardd;
#line 4

#line 4

#line 4
type sdcardd_tmpfs, file_type;
#line 4
type_transition sdcardd tmpfs:file sdcardd_tmpfs;
#line 4
allow sdcardd sdcardd_tmpfs:file { read write };
#line 4

#line 4


allow sdcardd cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow sdcardd fuse_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow sdcardd rootfs:dir mounton;
allow sdcardd sdcard_type:filesystem mount;
allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };

allow sdcardd sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow sdcardd sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
allow sdcardd media_rw_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow sdcardd media_rw_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Read /data/system/packages.list.
allow sdcardd system_data_file:file { getattr open read ioctl lock };

# Compatibility for existing devices with /data/media in system_data_file.
# TODO: Remove these lines after we have guaranteed that /data/media has been relabeled to media_rw_data_file.
allow sdcardd system_data_file:dir  { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow sdcardd system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
#line 1 "external/sepolicy/servicemanager.te"
# servicemanager - the Binder context manager
type servicemanager, domain;
type servicemanager_exec, exec_type, file_type;


#line 5

#line 5
# Allow the necessary permissions.
#line 5

#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init servicemanager_exec:file { getattr open read execute };
#line 5
allow init servicemanager:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow servicemanager servicemanager_exec:file { entrypoint read execute };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
allow servicemanager init:process sigchld;
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init servicemanager:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init servicemanager:process { siginh rlimitinh };
#line 5

#line 5
# Make the transition occur by default.
#line 5
type_transition init servicemanager_exec:process servicemanager;
#line 5

#line 5

#line 5
type servicemanager_tmpfs, file_type;
#line 5
type_transition servicemanager tmpfs:file servicemanager_tmpfs;
#line 5
allow servicemanager servicemanager_tmpfs:file { read write };
#line 5

#line 5


# Note that we do not use the binder_* macros here.
# servicemanager is unique in that it only provides
# name service (aka context manager) for Binder.
# As such, it only ever receives and transfers other references
# created by other domains.  It never passes its own references
# or initiates a Binder IPC.
allow servicemanager self:binder set_context_mgr;
allow servicemanager domain:binder transfer;
#line 1 "external/sepolicy/shared_app.te"
###
### Apps signed with the shared key.
###

type shared_app, domain;

#line 6
typeattribute shared_app mlstrustedsubject;
#line 6
typeattribute shared_app unconfineddomain;
#line 6


#line 7
typeattribute shared_app appdomain;
#line 7
# Label ashmem objects with our own unique type.
#line 7

#line 7
type shared_app_tmpfs, file_type;
#line 7
type_transition shared_app tmpfs:file shared_app_tmpfs;
#line 7
allow shared_app shared_app_tmpfs:file { read write };
#line 7

#line 7
# Map with PROT_EXEC.
#line 7
allow shared_app shared_app_tmpfs:file execute;
#line 7


#line 8
typeattribute shared_app platformappdomain;
#line 8
typeattribute shared_app mlstrustedsubject;
#line 8

# Access the network.

#line 10
typeattribute shared_app netdomain;
#line 10

# Access bluetooth.

#line 12
typeattribute shared_app bluetoothdomain;
#line 12

#line 1 "external/sepolicy/shelldomain.te"
# Rules for all shell domains (e.g. console service and adb shell).

# Access /data/local/tmp.
allow shelldomain shell_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow shelldomain shell_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow shelldomain shell_data_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };

# Access sdcard.
allow shelldomain sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow shelldomain sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# adb bugreport

#line 13
allow shelldomain dumpstate_socket:sock_file write;
#line 13
allow shelldomain dumpstate:unix_stream_socket connectto;
#line 13


allow shelldomain rootfs:dir { open getattr read search ioctl };
allow shelldomain devpts:chr_file { { getattr open read ioctl lock } { open append write } };
allow shelldomain tty_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow shelldomain console_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow shelldomain input_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow shelldomain system_file:file { getattr execute execute_no_trans };
allow shelldomain shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
allow shelldomain zygote_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };


#line 24
allow shelldomain apk_data_file:dir { open getattr read search ioctl };
#line 24
allow shelldomain apk_data_file:{ file lnk_file } { getattr open read ioctl lock };
#line 24


# Set properties.

#line 27
allow shelldomain property_socket:sock_file write;
#line 27
allow shelldomain init:unix_stream_socket connectto;
#line 27

allow shelldomain shell_prop:property_service set;
allow shelldomain ctl_dumpstate_prop:property_service set;
allow shelldomain debug_prop:property_service set;
allow shelldomain powerctl_prop:property_service set;

# ndk-gdb invokes adb shell ps to find the app PID.

#line 34
allow shelldomain { appdomain -system_app }:dir { open getattr read search ioctl };
#line 34
allow shelldomain { appdomain -system_app }:{ file lnk_file } { getattr open read ioctl lock };
#line 34


# ndk-gdb invokes adb shell ls to check the app data dir.
allow shelldomain app_data_file:dir search;

# ps and ps -Z output for app processes.

#line 40
allow shelldomain appdomain:dir { open getattr read search ioctl };
#line 40
allow shelldomain appdomain:{ file lnk_file } { getattr open read ioctl lock };
#line 40

allow shelldomain appdomain:process getattr;
#line 1 "external/sepolicy/shell.te"
# Domain for shell processes spawned by ADB
type shell, domain, shelldomain, mlstrustedsubject;
type shell_exec, exec_type, file_type;

# Create and use network sockets.

#line 6
typeattribute shell netdomain;
#line 6


# Run app_process.
# XXX Transition into its own domain?

#line 10
typeattribute shell appdomain;
#line 10
# Label ashmem objects with our own unique type.
#line 10

#line 10
type shell_tmpfs, file_type;
#line 10
type_transition shell tmpfs:file shell_tmpfs;
#line 10
allow shell shell_tmpfs:file { read write };
#line 10

#line 10
# Map with PROT_EXEC.
#line 10
allow shell shell_tmpfs:file execute;
#line 10


# inherits from shelldomain.te
#line 1 "external/sepolicy/surfaceflinger.te"
# surfaceflinger - display compositor service
type surfaceflinger, domain;

#line 3
typeattribute surfaceflinger mlstrustedsubject;
#line 3
typeattribute surfaceflinger unconfineddomain;
#line 3

type surfaceflinger_exec, exec_type, file_type;


#line 6

#line 6
# Allow the necessary permissions.
#line 6

#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow init surfaceflinger_exec:file { getattr open read execute };
#line 6
allow init surfaceflinger:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow surfaceflinger surfaceflinger_exec:file { entrypoint read execute };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
allow surfaceflinger init:process sigchld;
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit init surfaceflinger:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow init surfaceflinger:process { siginh rlimitinh };
#line 6

#line 6
# Make the transition occur by default.
#line 6
type_transition init surfaceflinger_exec:process surfaceflinger;
#line 6

#line 6

#line 6
type surfaceflinger_tmpfs, file_type;
#line 6
type_transition surfaceflinger tmpfs:file surfaceflinger_tmpfs;
#line 6
allow surfaceflinger surfaceflinger_tmpfs:file { read write };
#line 6

#line 6

typeattribute surfaceflinger mlstrustedsubject;

# Talk to init over the property socket.

#line 10
allow surfaceflinger property_socket:sock_file write;
#line 10
allow surfaceflinger init:unix_stream_socket connectto;
#line 10


# Perform Binder IPC.

#line 13
# Call the servicemanager and transfer references to it.
#line 13
allow surfaceflinger servicemanager:binder { call transfer };
#line 13
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 13
# all domains in domain.te.
#line 13


#line 14
# Call the server domain and optionally transfer references to it.
#line 14
allow surfaceflinger system_server:binder { call transfer };
#line 14
# Allow the serverdomain to transfer references to the client on the reply.
#line 14
allow system_server surfaceflinger:binder transfer;
#line 14
# Receive and use open files from the server.
#line 14
allow surfaceflinger system_server:fd use;
#line 14


#line 15
# Call the server domain and optionally transfer references to it.
#line 15
allow surfaceflinger nfc:binder { call transfer };
#line 15
# Allow the serverdomain to transfer references to the client on the reply.
#line 15
allow nfc surfaceflinger:binder transfer;
#line 15
# Receive and use open files from the server.
#line 15
allow surfaceflinger nfc:fd use;
#line 15


#line 16
# Call the server domain and optionally transfer references to it.
#line 16
allow surfaceflinger mediaserver:binder { call transfer };
#line 16
# Allow the serverdomain to transfer references to the client on the reply.
#line 16
allow mediaserver surfaceflinger:binder transfer;
#line 16
# Receive and use open files from the server.
#line 16
allow surfaceflinger mediaserver:fd use;
#line 16


#line 17
typeattribute surfaceflinger binderservicedomain;
#line 17


# Access the GPU.
allow surfaceflinger gpu_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Access /dev/graphics/fb0.
allow surfaceflinger graphics_device:dir search;
allow surfaceflinger graphics_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Access /dev/video1.
allow surfaceflinger video_device:dir { open getattr read search ioctl };
allow surfaceflinger video_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Create and use netlink kobject uevent sockets.
allow surfaceflinger self:netlink_kobject_uevent_socket *;

# Set properties.
allow surfaceflinger system_prop:property_service set;
allow surfaceflinger ctl_default_prop:property_service set;

# Use open files supplied by an app.
allow surfaceflinger appdomain:fd use;
allow surfaceflinger platform_app_data_file:file { read write };
allow surfaceflinger app_data_file:file { read write };

# Use open file provided by bootanim.
allow surfaceflinger bootanim:fd use;

# Allow a dumpstate triggered screenshot

#line 46
# Call the server domain and optionally transfer references to it.
#line 46
allow surfaceflinger dumpstate:binder { call transfer };
#line 46
# Allow the serverdomain to transfer references to the client on the reply.
#line 46
allow dumpstate surfaceflinger:binder transfer;
#line 46
# Receive and use open files from the server.
#line 46
allow surfaceflinger dumpstate:fd use;
#line 46


#line 47
# Call the server domain and optionally transfer references to it.
#line 47
allow surfaceflinger shell:binder { call transfer };
#line 47
# Allow the serverdomain to transfer references to the client on the reply.
#line 47
allow shell surfaceflinger:binder transfer;
#line 47
# Receive and use open files from the server.
#line 47
allow surfaceflinger shell:fd use;
#line 47


# Needed on some devices for playing DRM protected content,
# but seems expected and appropriate for all devices.
allow surfaceflinger tee:unix_stream_socket connectto;
allow surfaceflinger tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
#line 1 "external/sepolicy/su.te"
# File types must be defined for file_contexts.
type su_exec, exec_type, file_type;

#line 23

#line 1 "external/sepolicy/system_app.te"
#
# Apps that run with the system UID, e.g. com.android.system.ui,
# com.android.settings.  These are not as privileged as the system
# server.
#
type system_app, domain;

#line 7
typeattribute system_app mlstrustedsubject;
#line 7
typeattribute system_app unconfineddomain;
#line 7


#line 8
typeattribute system_app appdomain;
#line 8
# Label ashmem objects with our own unique type.
#line 8

#line 8
type system_app_tmpfs, file_type;
#line 8
type_transition system_app tmpfs:file system_app_tmpfs;
#line 8
allow system_app system_app_tmpfs:file { read write };
#line 8

#line 8
# Map with PROT_EXEC.
#line 8
allow system_app system_app_tmpfs:file execute;
#line 8


#line 9
typeattribute system_app binderservicedomain;
#line 9


# Perform binder IPC to any app domain.

#line 12
# Call the server domain and optionally transfer references to it.
#line 12
allow system_app appdomain:binder { call transfer };
#line 12
# Allow the serverdomain to transfer references to the client on the reply.
#line 12
allow appdomain system_app:binder transfer;
#line 12
# Receive and use open files from the server.
#line 12
allow system_app appdomain:fd use;
#line 12


# Read and write system data files.
# May want to split into separate types.
allow system_app system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow system_app system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Read wallpaper file.
allow system_app wallpaper_file:file { getattr open read ioctl lock };

# Write to dalvikcache.
allow system_app dalvikcache_data_file:file { write setattr };

# Talk to keystore.

#line 26
allow system_app keystore_socket:sock_file write;
#line 26
allow system_app keystore:unix_stream_socket connectto;
#line 26


# Read SELinux enforcing status.

#line 29
allow system_app selinuxfs:dir { open getattr read search ioctl };
#line 29
allow system_app selinuxfs:file { getattr open read ioctl lock };
#line 29


# Settings app reads sdcard for storage stats
allow system_app sdcard_type:dir { open getattr read search ioctl };

# Write to properties

#line 35
allow system_app property_socket:sock_file write;
#line 35
allow system_app init:unix_stream_socket connectto;
#line 35

allow system_app debug_prop:property_service set;
allow system_app radio_prop:property_service set;
allow system_app system_prop:property_service set;
#line 1 "external/sepolicy/system_server.te"
#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
type system_server, domain, mlstrustedsubject;

#line 6
typeattribute system_server mlstrustedsubject;
#line 6
typeattribute system_server unconfineddomain;
#line 6


# Define a type for tmpfs-backed ashmem regions.

#line 9
type system_server_tmpfs, file_type;
#line 9
type_transition system_server tmpfs:file system_server_tmpfs;
#line 9
allow system_server system_server_tmpfs:file { read write };
#line 9


# Dalvik Compiler JIT Mapping.
allow system_server self:process execmem;
allow system_server ashmem_device:chr_file execute;
allow system_server system_server_tmpfs:file execute;

# For art.
allow system_server dalvikcache_data_file:file execute;

# Child of the zygote.
allow system_server zygote:fd use;
allow system_server zygote:process sigchld;
allow system_server zygote_tmpfs:file read;

# Needed to close the zygote socket, which involves getopt / getattr
# This should be deleted after b/12061011 is fixed
allow system_server zygote:unix_stream_socket { getopt getattr };

# system server gets network and bluetooth permissions.

#line 29
typeattribute system_server netdomain;
#line 29


#line 30
typeattribute system_server bluetoothdomain;
#line 30


# These are the capabilities assigned by the zygote to the
# system server.
allow system_server self:capability {
    kill
    net_admin
    net_bind_service
    net_broadcast
    net_raw
    sys_boot
    sys_module
    sys_nice
    sys_resource
    sys_time
    sys_tty_config
};

allow system_server self:capability2 block_suspend;

# Triggered by /proc/pid accesses, not allowed.
dontaudit system_server self:capability sys_ptrace;

# Trigger module auto-load.
allow system_server kernel:system module_request;

# Use netlink uevent sockets.
allow system_server self:netlink_kobject_uevent_socket *;

# Kill apps.
allow system_server appdomain:process { sigkill signal };

# Set scheduling info for apps.
allow system_server appdomain:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };

# Read /proc data for apps.
allow system_server appdomain:dir { open getattr read search ioctl };
allow system_server appdomain:{ file lnk_file } { { getattr open read ioctl lock } { open append write } };

# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
allow system_server qtaguid_proc:file { { getattr open read ioctl lock } { open append write } };
allow system_server qtaguid_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Read /sys/kernel/debug/wakeup_sources.
allow system_server debugfs:file { getattr open read ioctl lock };

# WifiWatchdog uses a packet_socket
allow system_server self:packet_socket *;

# 3rd party VPN clients require a tun_socket to be created
allow system_server self:tun_socket create;

# Notify init of death.
allow system_server init:process sigchld;

# Talk to init and various daemons via sockets.

#line 87
allow system_server property_socket:sock_file write;
#line 87
allow system_server init:unix_stream_socket connectto;
#line 87


#line 88
allow system_server qemud_socket:sock_file write;
#line 88
allow system_server qemud:unix_stream_socket connectto;
#line 88


#line 89
allow system_server installd_socket:sock_file write;
#line 89
allow system_server installd:unix_stream_socket connectto;
#line 89


#line 90
allow system_server lmkd_socket:sock_file write;
#line 90
allow system_server lmkd:unix_stream_socket connectto;
#line 90


#line 91
allow system_server netd_socket:sock_file write;
#line 91
allow system_server netd:unix_stream_socket connectto;
#line 91


#line 92
allow system_server vold_socket:sock_file write;
#line 92
allow system_server vold:unix_stream_socket connectto;
#line 92


#line 93
allow system_server zygote_socket:sock_file write;
#line 93
allow system_server zygote:unix_stream_socket connectto;
#line 93


#line 94
allow system_server keystore_socket:sock_file write;
#line 94
allow system_server keystore:unix_stream_socket connectto;
#line 94


#line 95
allow system_server gps_socket:sock_file write;
#line 95
allow system_server gpsd:unix_stream_socket connectto;
#line 95


#line 96
allow system_server racoon_socket:sock_file write;
#line 96
allow system_server racoon:unix_stream_socket connectto;
#line 96


#line 97
allow system_server wpa_socket:sock_file write;
#line 97
allow system_server wpa:unix_dgram_socket sendto;
#line 97


# Communicate over a socket created by surfaceflinger.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };

# Perform Binder IPC.

#line 103
# Call the servicemanager and transfer references to it.
#line 103
allow system_server servicemanager:binder { call transfer };
#line 103
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 103
# all domains in domain.te.
#line 103


#line 104
# Call the server domain and optionally transfer references to it.
#line 104
allow system_server binderservicedomain:binder { call transfer };
#line 104
# Allow the serverdomain to transfer references to the client on the reply.
#line 104
allow binderservicedomain system_server:binder transfer;
#line 104
# Receive and use open files from the server.
#line 104
allow system_server binderservicedomain:fd use;
#line 104


#line 105
# Call the server domain and optionally transfer references to it.
#line 105
allow system_server appdomain:binder { call transfer };
#line 105
# Allow the serverdomain to transfer references to the client on the reply.
#line 105
allow appdomain system_server:binder transfer;
#line 105
# Receive and use open files from the server.
#line 105
allow system_server appdomain:fd use;
#line 105


#line 106
# Call the server domain and optionally transfer references to it.
#line 106
allow system_server healthd:binder { call transfer };
#line 106
# Allow the serverdomain to transfer references to the client on the reply.
#line 106
allow healthd system_server:binder transfer;
#line 106
# Receive and use open files from the server.
#line 106
allow system_server healthd:fd use;
#line 106


#line 107
# Call the server domain and optionally transfer references to it.
#line 107
allow system_server dumpstate:binder { call transfer };
#line 107
# Allow the serverdomain to transfer references to the client on the reply.
#line 107
allow dumpstate system_server:binder transfer;
#line 107
# Receive and use open files from the server.
#line 107
allow system_server dumpstate:fd use;
#line 107


#line 108
typeattribute system_server binderservicedomain;
#line 108


# Read /proc/pid files for Binder clients.

#line 111
allow system_server appdomain:dir { open getattr read search ioctl };
#line 111
allow system_server appdomain:{ file lnk_file } { getattr open read ioctl lock };
#line 111


#line 112
allow system_server mediaserver:dir { open getattr read search ioctl };
#line 112
allow system_server mediaserver:{ file lnk_file } { getattr open read ioctl lock };
#line 112

allow system_server appdomain:process getattr;
allow system_server mediaserver:process getattr;

# Check SELinux permissions.

#line 117
allow system_server selinuxfs:dir { open getattr read search ioctl };
#line 117
allow system_server selinuxfs:file { { getattr open read ioctl lock } { open append write } };
#line 117
allow system_server kernel:security compute_av;
#line 117
allow system_server self:netlink_selinux_socket *;
#line 117


# XXX Label sysfs files with a specific type?
allow system_server sysfs:file { { getattr open read ioctl lock } { open append write } };
allow system_server sysfs_nfc_power_writable:file { { getattr open read ioctl lock } { open append write } };

# Access devices.
allow system_server device:dir { open getattr read search ioctl };
allow system_server mdns_socket:sock_file { { getattr open read ioctl lock } { open append write } };
allow system_server alarm_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow system_server gpu_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow system_server graphics_device:dir search;
allow system_server graphics_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow system_server iio_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow system_server input_device:dir { open getattr read search ioctl };
allow system_server input_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow system_server tty_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow system_server urandom_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow system_server usbaccessory_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow system_server video_device:dir { open getattr read search ioctl };
allow system_server video_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow system_server qemu_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow system_server adbd_socket:sock_file { { getattr open read ioctl lock } { open append write } };

# tun device used for 3rd party vpn apps
allow system_server tun_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Manage data files.
allow system_server data_file_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow system_server data_file_type:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Read /file_contexts and /data/security/file_contexts

#line 149
allow system_server security_file:dir { open getattr read search ioctl };
#line 149
allow system_server security_file:file { getattr open read ioctl lock };
#line 149
allow system_server security_file:lnk_file { getattr open read ioctl lock };
#line 149
allow system_server selinuxfs:dir { open getattr read search ioctl };
#line 149
allow system_server selinuxfs:file { getattr open read ioctl lock };
#line 149
allow system_server rootfs:dir { open getattr read search ioctl };
#line 149
allow system_server rootfs:file { getattr open read ioctl lock };
#line 149


# Relabel apk files.

#line 152
typeattribute system_server relabeltodomain;
#line 152

allow system_server { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:file { relabelfrom relabelto };

# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
allow system_server wallpaper_file:file relabelto;
allow system_server wallpaper_file:file { { getattr open read ioctl lock } { open append write } };

# Relabel /data/anr.
allow system_server system_data_file:dir relabelfrom;
allow system_server anr_data_file:dir relabelto;

# Property Service write
allow system_server system_prop:property_service set;
allow system_server radio_prop:property_service set;
allow system_server debug_prop:property_service set;
allow system_server powerctl_prop:property_service set;

# ctl interface
allow system_server ctl_default_prop:property_service set;

# Create a socket for receiving info from wpa.
type_transition system_server wifi_data_file:sock_file system_wpa_socket;
type_transition system_server wpa_socket:sock_file system_wpa_socket;
allow system_server wpa_socket:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow system_server system_wpa_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Remove sockets created by wpa_supplicant
allow system_server wpa_socket:sock_file unlink;

# Create a socket for connections from debuggerd.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
allow system_server system_ndebug_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Specify any arguments to zygote.
allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };

# Manage cache files.
allow system_server cache_file:dir { relabelfrom { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } };
allow system_server cache_file:file { relabelfrom { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } } };

# Run system programs, e.g. dexopt.
allow system_server system_file:file { getattr execute execute_no_trans };

# Allow reading of /proc/pid data for other domains.
# XXX dontaudit candidate
allow system_server domain:dir { open getattr read search ioctl };
allow system_server domain:file { getattr open read ioctl lock };

# LocationManager(e.g, GPS) needs to read and write
# to uart driver and ctrl proc entry
allow system_server gps_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow system_server gps_control:file { { getattr open read ioctl lock } { open append write } };

# Allow system_server to use app-created sockets.
allow system_server appdomain:{ tcp_socket udp_socket } { setopt read write };

# Allow abstract socket connection
allow system_server rild:unix_stream_socket connectto;

# connect to vpn tunnel
allow system_server mtp:unix_stream_socket { connectto };

# BackupManagerService lets PMS create a data backup file
allow system_server cache_backup_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Relabel /data/backup
allow system_server backup_data_file:dir { relabelto relabelfrom };
# Relabel /cache/.*\.{data|restore}
allow system_server cache_backup_file:file { relabelto relabelfrom };
# LocalTransport creates and relabels /cache/backup
allow system_server cache_backup_file:dir { relabelto relabelfrom { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } };

# Allow system to talk to usb device
allow system_server usb_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow system_server usb_device:dir { open getattr read search ioctl };

# Allow system to talk to sensors
allow system_server sensors_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Read from HW RNG (needed by EntropyMixer).
allow system_server hw_random_device:chr_file { getattr open read ioctl lock };

# Access to wake locks
allow system_server sysfs_wake_lock:file { { getattr open read ioctl lock } { open append write } };

# Read and delete files under /dev/fscklogs.

#line 239
allow system_server fscklogs:dir { open getattr read search ioctl };
#line 239
allow system_server fscklogs:{ file lnk_file } { getattr open read ioctl lock };
#line 239

allow system_server fscklogs:dir { write remove_name };
allow system_server fscklogs:file unlink;

# For SELinuxPolicyInstallReceiver

#line 244

#line 244
allow system_server security_file:dir { open getattr read search ioctl };
#line 244
allow system_server security_file:file { getattr open read ioctl lock };
#line 244
allow system_server security_file:lnk_file { getattr open read ioctl lock };
#line 244
allow system_server selinuxfs:dir { open getattr read search ioctl };
#line 244
allow system_server selinuxfs:file { getattr open read ioctl lock };
#line 244
allow system_server rootfs:dir { open getattr read search ioctl };
#line 244
allow system_server rootfs:file { getattr open read ioctl lock };
#line 244

#line 244

#line 244
allow system_server property_socket:sock_file write;
#line 244
allow system_server init:unix_stream_socket connectto;
#line 244

#line 244
allow system_server security_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
#line 244
allow system_server security_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
#line 244
allow system_server security_file:lnk_file { create rename unlink };
#line 244
allow system_server security_prop:property_service set;
#line 244


# For legacy unlabeled userdata on existing devices.
# See discussion of Unlabeled files in domain.te for more information.
# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
allow system_server unlabeled:file execute;

# logd access, system_server inherit logd write socket
# (urge is to deprecate this long term)
allow system_server zygote:unix_dgram_socket write;

# Be consistent with DAC permissions. Allow system_server to write to
# /sys/module/lowmemorykiller/parameters/adj
# /sys/module/lowmemorykiller/parameters/minfree
allow system_server sysfs_lowmemorykiller:file { open append write };
#line 1 "external/sepolicy/tee.te"
##
# trusted execution environment (tee) daemon
#
type tee, domain;
type tee_exec, exec_type, file_type;
type tee_device, dev_type;
type tee_data_file, file_type, data_file_type;


#line 9

#line 9
# Allow the necessary permissions.
#line 9

#line 9
# Old domain may exec the file and transition to the new domain.
#line 9
allow init tee_exec:file { getattr open read execute };
#line 9
allow init tee:process transition;
#line 9
# New domain is entered by executing the file.
#line 9
allow tee tee_exec:file { entrypoint read execute };
#line 9
# New domain can send SIGCHLD to its caller.
#line 9
allow tee init:process sigchld;
#line 9
# Enable AT_SECURE, i.e. libc secure mode.
#line 9
dontaudit init tee:process noatsecure;
#line 9
# XXX dontaudit candidate but requires further study.
#line 9
allow init tee:process { siginh rlimitinh };
#line 9

#line 9
# Make the transition occur by default.
#line 9
type_transition init tee_exec:process tee;
#line 9

#line 9

#line 9
type tee_tmpfs, file_type;
#line 9
type_transition tee tmpfs:file tee_tmpfs;
#line 9
allow tee tee_tmpfs:file { read write };
#line 9

#line 9

allow tee self:capability { dac_override };
allow tee tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow tee tee_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow tee tee_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow tee self:netlink_socket { create bind read };
#line 1 "external/sepolicy/ueventd.te"
# ueventd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type ueventd, domain;

#line 4
type ueventd_tmpfs, file_type;
#line 4
type_transition ueventd tmpfs:file ueventd_tmpfs;
#line 4
allow ueventd ueventd_tmpfs:file { read write };
#line 4


#line 5
type_transition ueventd device:chr_file klog_device "__kmsg__";
#line 5
allow ueventd klog_device:chr_file { create open write unlink };
#line 5
allow ueventd device:dir { write add_name remove_name };
#line 5


#line 6
allow ueventd security_file:dir { open getattr read search ioctl };
#line 6
allow ueventd security_file:file { getattr open read ioctl lock };
#line 6
allow ueventd security_file:lnk_file { getattr open read ioctl lock };
#line 6
allow ueventd selinuxfs:dir { open getattr read search ioctl };
#line 6
allow ueventd selinuxfs:file { getattr open read ioctl lock };
#line 6
allow ueventd rootfs:dir { open getattr read search ioctl };
#line 6
allow ueventd rootfs:file { getattr open read ioctl lock };
#line 6


#line 7
typeattribute ueventd relabeltodomain;
#line 7

allow ueventd rootfs:file entrypoint;
allow ueventd init:process sigchld;
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
allow ueventd device:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow ueventd device:chr_file { { getattr open read ioctl lock } { open append write } };
allow ueventd sysfs:file { { getattr open read ioctl lock } { open append write } };
allow ueventd sysfs:file setattr;
allow ueventd sysfs_type:file { relabelfrom relabelto };
allow ueventd sysfs_devices_system_cpu:file { { getattr open read ioctl lock } { open append write } };
allow ueventd tmpfs:chr_file { { getattr open read ioctl lock } { open append write } };
allow ueventd dev_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow ueventd dev_type:lnk_file { create unlink };
allow ueventd dev_type:chr_file { create setattr unlink };
allow ueventd dev_type:blk_file { create setattr unlink };
allow ueventd self:netlink_kobject_uevent_socket *;
allow ueventd efs_file:dir search;
allow ueventd efs_file:file { getattr open read ioctl lock };
#line 1 "external/sepolicy/unconfined.te"
#######################################################
#
# This is the unconfined template. This template is the base policy
# which is used by daemons and other privileged components of
# Android.
#
# Historically, this template was called "unconfined" because it
# allowed the domain to do anything it wanted. Over time,
# this has changed, and will continue to change in the future.
# The rules in this file will be removed when no remaining
# unconfined domains require it, or when the rules contradict
# Android security best practices. Domains which need rules not
# provided by the unconfined template should add them directly to
# the relevant policy.
#
# The use of this template is discouraged.
######################################################

allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module };
allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
allow unconfineddomain kernel:system *;
allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition };
allow unconfineddomain domain:fd *;
allow unconfineddomain domain:dir { open getattr read search ioctl };
allow unconfineddomain domain:lnk_file { getattr open read ioctl lock };
allow unconfineddomain domain:{ fifo_file file } { { getattr open read ioctl lock } { open append write } };
allow unconfineddomain domain:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket } *;
allow unconfineddomain domain:{ sem msgq shm ipc } *;
allow unconfineddomain domain:key *;
allow unconfineddomain {fs_type dev_type file_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod execute relabelto};
allow unconfineddomain { rootfs system_file exec_type }:file execute;
allow unconfineddomain node_type:node *;
allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
allow unconfineddomain netif_type:netif *;
allow unconfineddomain port_type:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket } name_bind;
allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
allow unconfineddomain domain:peer recv;
allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };
allow unconfineddomain property_type:property_service set;
#line 1 "external/sepolicy/uncrypt.te"
# uncrypt
type uncrypt, domain;
type uncrypt_exec, exec_type, file_type;


#line 5

#line 5
# Allow the necessary permissions.
#line 5

#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init uncrypt_exec:file { getattr open read execute };
#line 5
allow init uncrypt:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow uncrypt uncrypt_exec:file { entrypoint read execute };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
allow uncrypt init:process sigchld;
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init uncrypt:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init uncrypt:process { siginh rlimitinh };
#line 5

#line 5
# Make the transition occur by default.
#line 5
type_transition init uncrypt_exec:process uncrypt;
#line 5

#line 5

#line 5
type uncrypt_tmpfs, file_type;
#line 5
type_transition uncrypt tmpfs:file uncrypt_tmpfs;
#line 5
allow uncrypt uncrypt_tmpfs:file { read write };
#line 5

#line 5


#line 6
typeattribute uncrypt mlstrustedsubject;
#line 6
typeattribute uncrypt unconfineddomain;
#line 6


allow uncrypt self:capability dac_override;

# Read OTA zip file from /data/data/com.google.android.gsf/app_download

#line 11
allow uncrypt app_data_file:dir { open getattr read search ioctl };
#line 11
allow uncrypt app_data_file:{ file lnk_file } { getattr open read ioctl lock };
#line 11


#line 16


# Create tmp file /cache/recovery/command.tmp
# Read /cache/recovery/command
# Rename /cache/recovery/command.tmp to /cache/recovery/command
allow uncrypt cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow uncrypt cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Set a property to reboot the device.

#line 25
allow uncrypt property_socket:sock_file write;
#line 25
allow uncrypt init:unix_stream_socket connectto;
#line 25

allow uncrypt powerctl_prop:property_service set;

# Raw writes to block device
allow uncrypt self:capability sys_rawio;
allow uncrypt block_device:blk_file { open append write };
#line 1 "external/sepolicy/untrusted_app.te"
###
### Untrusted apps.
###
### This file defines the rules for untrusted apps. An "untrusted
### app" is an APP with UID between APP_AID (10000)
### and AID_ISOLATED_START (99000).
###
### untrusted_app includes all the appdomain rules, plus the
### additional following rules:
###

type untrusted_app, domain;

#line 13
typeattribute untrusted_app mlstrustedsubject;
#line 13
typeattribute untrusted_app unconfineddomain;
#line 13


#line 14
typeattribute untrusted_app appdomain;
#line 14
# Label ashmem objects with our own unique type.
#line 14

#line 14
type untrusted_app_tmpfs, file_type;
#line 14
type_transition untrusted_app tmpfs:file untrusted_app_tmpfs;
#line 14
allow untrusted_app untrusted_app_tmpfs:file { read write };
#line 14

#line 14
# Map with PROT_EXEC.
#line 14
allow untrusted_app untrusted_app_tmpfs:file execute;
#line 14


#line 15
typeattribute untrusted_app netdomain;
#line 15


#line 16
typeattribute untrusted_app bluetoothdomain;
#line 16


# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
allow untrusted_app app_data_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };

allow untrusted_app tun_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Internal SDCard rw access.
allow untrusted_app sdcard_internal:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow untrusted_app sdcard_internal:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# External SDCard rw access.
allow untrusted_app sdcard_external:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow untrusted_app sdcard_external:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# ASEC
allow untrusted_app asec_apk_file:dir { getattr };
allow untrusted_app asec_apk_file:file { getattr open read ioctl lock };
# Execute libs in asec containers.
allow untrusted_app asec_public_file:file execute;

# Create tcp/udp sockets
allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;
allow untrusted_app self:{ tcp_socket udp_socket } { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } accept listen };
# Bind to a particular hostname/address/interface (e.g., localhost) instead of
# ANY. Normally, apps should not be listening on all interfaces.
allow untrusted_app port:{ tcp_socket udp_socket } name_bind;

# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm

#line 47
# Each domain gets a unique devpts type.
#line 47
type untrusted_app_devpts, fs_type;
#line 47
# Label the pty with the unique type when created.
#line 47
type_transition untrusted_app devpts:chr_file untrusted_app_devpts;
#line 47
# Allow use of the pty after creation.
#line 47
allow untrusted_app untrusted_app_devpts:chr_file { open getattr read write ioctl };
#line 47
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
#line 47
# allowed to everyone via domain.te.
#line 47


# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
# TODO: Long term, we don't want apps probing into shell data files.
# Figure out a way to remove these rules.
allow untrusted_app shell_data_file:file { getattr open read ioctl lock };
allow untrusted_app shell_data_file:dir { open getattr read search ioctl };
#line 1 "external/sepolicy/vold.te"
# volume manager
type vold, domain;
type vold_exec, exec_type, file_type;


#line 5

#line 5
# Allow the necessary permissions.
#line 5

#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init vold_exec:file { getattr open read execute };
#line 5
allow init vold:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow vold vold_exec:file { entrypoint read execute };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
allow vold init:process sigchld;
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init vold:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init vold:process { siginh rlimitinh };
#line 5

#line 5
# Make the transition occur by default.
#line 5
type_transition init vold_exec:process vold;
#line 5

#line 5

#line 5
type vold_tmpfs, file_type;
#line 5
type_transition vold tmpfs:file vold_tmpfs;
#line 5
allow vold vold_tmpfs:file { read write };
#line 5

#line 5


typeattribute vold mlstrustedsubject;
allow vold system_file:file { getattr execute execute_no_trans };
allow vold block_device:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow vold block_device:blk_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow vold device:dir write;
allow vold devpts:chr_file { { getattr open read ioctl lock } { open append write } };
allow vold rootfs:dir mounton;
allow vold sdcard_type:dir mounton;
allow vold sdcard_type:filesystem { mount remount unmount };
allow vold sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow vold sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow vold tmpfs:dir mounton;
allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
allow vold self:netlink_kobject_uevent_socket *;
allow vold app_data_file:dir search;
allow vold app_data_file:file { { getattr open read ioctl lock } { open append write } };
allow vold loop_device:blk_file { { getattr open read ioctl lock } { open append write } };
allow vold dm_device:chr_file { { getattr open read ioctl lock } { open append write } };
# For vold Process::killProcessesWithOpenFiles function.
allow vold domain:dir { open getattr read search ioctl };
allow vold domain:{ file lnk_file } { getattr open read ioctl lock };
allow vold domain:process { signal sigkill };
allow vold self:capability { sys_ptrace kill };

# For blkid
allow vold shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };

# XXX Label sysfs files with a specific type?
allow vold sysfs:file { { getattr open read ioctl lock } { open append write } };


#line 39
type_transition vold device:chr_file klog_device "__kmsg__";
#line 39
allow vold klog_device:chr_file { create open write unlink };
#line 39
allow vold device:dir { write add_name remove_name };
#line 39


# Log fsck results
allow vold fscklogs:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow vold fscklogs:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

#
# Rules to support encrypted fs support.
#

# Set property.

#line 50
allow vold property_socket:sock_file write;
#line 50
allow vold init:unix_stream_socket connectto;
#line 50


# Unmount and mount the fs.
allow vold labeledfs:filesystem { mount unmount remount };

# Access /efs/userdata_footer.
# XXX Split into a separate type?
allow vold efs_file:file { { getattr open read ioctl lock } { open append write } };

# Create and mount on /data/tmp_mnt.
allow vold system_data_file:dir { create { { open getattr read search ioctl } { open search write add_name remove_name } } mounton };

# Set scheduling policy of kernel processes
allow vold kernel:process setsched;

# Property Service
allow vold vold_prop:property_service set;
allow vold powerctl_prop:property_service set;
allow vold ctl_default_prop:property_service set;

# ASEC
allow vold asec_image_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow vold asec_image_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };

#line 73
allow vold security_file:dir { open getattr read search ioctl };
#line 73
allow vold security_file:file { getattr open read ioctl lock };
#line 73
allow vold security_file:lnk_file { getattr open read ioctl lock };
#line 73
allow vold selinuxfs:dir { open getattr read search ioctl };
#line 73
allow vold selinuxfs:file { getattr open read ioctl lock };
#line 73
allow vold rootfs:dir { open getattr read search ioctl };
#line 73
allow vold rootfs:file { getattr open read ioctl lock };
#line 73


#line 74
typeattribute vold relabeltodomain;
#line 74

allow vold asec_apk_file:dir { { { open getattr read search ioctl } { open search write add_name remove_name } } setattr relabelfrom };
allow vold asec_public_file:dir { relabelto setattr };
allow vold asec_apk_file:file { { getattr open read ioctl lock } setattr relabelfrom };
allow vold asec_public_file:file { relabelto setattr };

# Handle wake locks (used for device encryption)
allow vold sysfs_wake_lock:file { { getattr open read ioctl lock } { open append write } };
allow vold self:capability2 block_suspend;
#line 1 "external/sepolicy/watchdogd.te"
# watchdogd seclabel is specified in init.<board>.rc
type watchdogd, domain;
allow watchdogd rootfs:file { entrypoint { getattr open read ioctl lock } };
allow watchdogd self:capability mknod;
allow watchdogd device:dir { add_name write remove_name };
allow watchdogd watchdog_device:chr_file { { getattr open read ioctl lock } { open append write } };
# because of /dev/__kmsg__ and /dev/__null__

#line 8
type_transition watchdogd device:chr_file klog_device "__kmsg__";
#line 8
allow watchdogd klog_device:chr_file { create open write unlink };
#line 8
allow watchdogd device:dir { write add_name remove_name };
#line 8

type_transition watchdogd device:chr_file null_device "__null__";
allow watchdogd null_device:chr_file { create unlink };
#line 1 "external/sepolicy/wpa_supplicant.te"
# wpa - wpa supplicant or equivalent
type wpa, domain;
type wpa_exec, exec_type, file_type;


#line 5

#line 5
# Allow the necessary permissions.
#line 5

#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init wpa_exec:file { getattr open read execute };
#line 5
allow init wpa:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow wpa wpa_exec:file { entrypoint read execute };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
allow wpa init:process sigchld;
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init wpa:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init wpa:process { siginh rlimitinh };
#line 5

#line 5
# Make the transition occur by default.
#line 5
type_transition init wpa_exec:process wpa;
#line 5

#line 5

#line 5
type wpa_tmpfs, file_type;
#line 5
type_transition wpa tmpfs:file wpa_tmpfs;
#line 5
allow wpa wpa_tmpfs:file { read write };
#line 5

#line 5

allow wpa kernel:system module_request;
allow wpa self:capability { setuid net_admin setgid net_raw };
allow wpa cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow wpa self:netlink_route_socket *;
allow wpa self:netlink_socket *;
allow wpa self:packet_socket *;
allow wpa self:udp_socket *;
allow wpa wifi_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow wpa wifi_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

#line 15
allow wpa system_wpa_socket:sock_file write;
#line 15
allow wpa system_server:unix_dgram_socket sendto;
#line 15

allow wpa random_device:chr_file { getattr open read ioctl lock };

# Create a socket for receiving info from wpa
type_transition wpa wifi_data_file:sock_file wpa_socket;
allow wpa wpa_socket:dir { { { open getattr read search ioctl } { open search write add_name remove_name } } setattr };
allow wpa wpa_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Allow wpa_cli to work. wpa_cli creates a socket in
# /data/misc/wifi/sockets which wpa supplicant communicates with.
#line 27

#line 1 "external/sepolicy/zygote.te"
# zygote
type zygote, domain;
type zygote_exec, exec_type, file_type;


#line 5

#line 5
# Allow the necessary permissions.
#line 5

#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init zygote_exec:file { getattr open read execute };
#line 5
allow init zygote:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow zygote zygote_exec:file { entrypoint read execute };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
allow zygote init:process sigchld;
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init zygote:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init zygote:process { siginh rlimitinh };
#line 5

#line 5
# Make the transition occur by default.
#line 5
type_transition init zygote_exec:process zygote;
#line 5

#line 5

#line 5
type zygote_tmpfs, file_type;
#line 5
type_transition zygote tmpfs:file zygote_tmpfs;
#line 5
allow zygote zygote_tmpfs:file { read write };
#line 5

#line 5

typeattribute zygote mlstrustedsubject;
# Override DAC on files and switch uid/gid.
allow zygote self:capability { dac_override setgid setuid fowner };
# Drop capabilities from bounding set.
allow zygote self:capability setpcap;
# Switch SELinux context to app domains.
allow zygote system_server:process dyntransition;
allow zygote appdomain:process dyntransition;
# Allow zygote to read app /proc/pid dirs (b/10455872)
allow zygote appdomain:dir { getattr search };
allow zygote appdomain:file { { getattr open read ioctl lock } };
# Move children into the peer process group.
allow zygote system_server:process { getpgid setpgid };
allow zygote appdomain:process { getpgid setpgid };
# Write to system data.
allow zygote system_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow zygote system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow zygote dalvikcache_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow zygote dalvikcache_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# For art.
allow zygote dalvikcache_data_file:file execute;
# Execute dexopt.
allow zygote system_file:file { getattr execute execute_no_trans };
# Control cgroups.
allow zygote cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow zygote self:capability sys_admin;
# Check validity of SELinux context before use.

#line 33
allow zygote selinuxfs:dir { open getattr read search ioctl };
#line 33
allow zygote selinuxfs:file { { getattr open read ioctl lock } { open append write } };
#line 33
allow zygote kernel:security check_context;
#line 33

# Check SELinux permissions.

#line 35
allow zygote selinuxfs:dir { open getattr read search ioctl };
#line 35
allow zygote selinuxfs:file { { getattr open read ioctl lock } { open append write } };
#line 35
allow zygote kernel:security compute_av;
#line 35
allow zygote self:netlink_selinux_socket *;
#line 35

# Read /seapp_contexts and /data/security/seapp_contexts

#line 37
allow zygote security_file:dir { open getattr read search ioctl };
#line 37
allow zygote security_file:file { getattr open read ioctl lock };
#line 37
allow zygote security_file:lnk_file { getattr open read ioctl lock };
#line 37
allow zygote selinuxfs:dir { open getattr read search ioctl };
#line 37
allow zygote selinuxfs:file { getattr open read ioctl lock };
#line 37
allow zygote rootfs:dir { open getattr read search ioctl };
#line 37
allow zygote rootfs:file { getattr open read ioctl lock };
#line 37


# Setting up /storage/emulated.
allow zygote rootfs:dir mounton;
allow zygote sdcard_type:dir { write search setattr create add_name mounton };
dontaudit zygote self:capability fsetid;
allow zygote tmpfs:dir { write create add_name setattr mounton search };
allow zygote tmpfs:filesystem mount;
allow zygote labeledfs:filesystem remount;

# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file { execute_no_trans open };

# handle bugreports b/10498304
allow zygote ashmem_device:chr_file execute;
allow zygote shell_data_file:file { write getattr };
allow zygote system_server:binder { transfer call };
allow zygote servicemanager:binder { call };

# For legacy unlabeled userdata on existing devices.
# See discussion of Unlabeled files in domain.te for more information.
# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
allow zygote unlabeled:file execute;
#line 1 "build/target/board/generic/sepolicy/bootanim.te"
allow bootanim self:process execmem;
allow bootanim ashmem_device:chr_file execute;
#line 1 "build/target/board/generic/sepolicy/domain.te"
# For /sys/qemu_trace files in the emulator.
allow domain sysfs_writable:file { { getattr open read ioctl lock } { open append write } };
#line 1 "build/target/board/generic/sepolicy/surfaceflinger.te"
allow surfaceflinger self:process execmem;
allow surfaceflinger ashmem_device:chr_file execute;
#line 1 "external/sepolicy/roles"
role r;
role r types domain;
#line 1 "external/sepolicy/users"
user u roles { r } level s0 range s0 - s0:c0.c1023;
#line 1 "external/sepolicy/initial_sid_contexts"
sid kernel u:r:kernel:s0
sid security u:object_r:kernel:s0
sid unlabeled u:object_r:unlabeled:s0
sid fs u:object_r:labeledfs:s0
sid file u:object_r:unlabeled:s0
sid file_labels u:object_r:unlabeled:s0
sid init u:object_r:unlabeled:s0
sid any_socket u:object_r:unlabeled:s0
sid port u:object_r:port:s0
sid netif u:object_r:netif:s0
sid netmsg u:object_r:unlabeled:s0
sid node u:object_r:node:s0
sid igmp_packet u:object_r:unlabeled:s0
sid icmp_socket u:object_r:unlabeled:s0
sid tcp_socket u:object_r:unlabeled:s0
sid sysctl_modprobe u:object_r:unlabeled:s0
sid sysctl u:object_r:proc:s0
sid sysctl_fs u:object_r:unlabeled:s0
sid sysctl_kernel u:object_r:unlabeled:s0
sid sysctl_net u:object_r:unlabeled:s0
sid sysctl_net_unix u:object_r:unlabeled:s0
sid sysctl_vm u:object_r:unlabeled:s0
sid sysctl_dev u:object_r:unlabeled:s0
sid kmod u:object_r:unlabeled:s0
sid policy u:object_r:unlabeled:s0
sid scmp_packet u:object_r:unlabeled:s0
sid devnull u:object_r:null_device:s0
#line 1 "external/sepolicy/fs_use"
# Label inodes via getxattr.
fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
fs_use_xattr jffs2 u:object_r:labeledfs:s0;
fs_use_xattr ext2 u:object_r:labeledfs:s0;
fs_use_xattr ext3 u:object_r:labeledfs:s0;
fs_use_xattr ext4 u:object_r:labeledfs:s0;
fs_use_xattr xfs u:object_r:labeledfs:s0;
fs_use_xattr btrfs u:object_r:labeledfs:s0;

# Label inodes from task label.
fs_use_task pipefs u:object_r:pipefs:s0;
fs_use_task sockfs u:object_r:sockfs:s0;

# Label inodes from combination of task label and fs label.
# Define type_transition rules if you want per-domain types.
fs_use_trans devpts u:object_r:devpts:s0;
fs_use_trans tmpfs u:object_r:tmpfs:s0;
fs_use_trans devtmpfs u:object_r:device:s0;
fs_use_trans shm u:object_r:shm:s0;
fs_use_trans mqueue u:object_r:mqueue:s0;

#line 1 "external/sepolicy/genfs_contexts"
# Label inodes with the fs label.
genfscon rootfs / u:object_r:rootfs:s0
# proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0
genfscon proc /net u:object_r:proc_net:s0
genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
genfscon proc /sys/net u:object_r:proc_net:s0
genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
# selinuxfs booleans can be individually labeled.
genfscon selinuxfs / u:object_r:selinuxfs:s0
genfscon cgroup / u:object_r:cgroup:s0
# sysfs labels can be set by userspace.
genfscon sysfs / u:object_r:sysfs:s0
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:sdcard_external:s0
genfscon debugfs / u:object_r:debugfs:s0
genfscon fuse / u:object_r:sdcard_internal:s0
#line 1 "external/sepolicy/port_contexts"
# portcon statements go here, e.g.
# portcon tcp 80 u:object_r:http_port:s0