#line 1 "external/sepolicy/security_classes"
# FLASK

#
# Define the security object classes
#
# NOTE(review): the declaration order below is assumed to fix the numeric
# class ids in the compiled policy; keep it append-only and confirm against
# checkpolicy before reordering or removing an entry. Every class declared
# here has a matching definition in access_vectors further down this file.
#

# Classes marked as userspace are classes
# for userspace object managers

class security
class process
class system
class capability

# file-related classes
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file

# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket

# sysv-ipc-related classes
class sem
class msg
class msgq
class shm
class ipc

#
# userspace object manager classes
#

# passwd/chfn/chsh
class passwd # userspace

# SE-X Windows stuff (more classes below)
class x_drawable # userspace
class x_screen # userspace
class x_gc # userspace
class x_font # userspace
class x_colormap # userspace
class x_property # userspace
class x_selection # userspace
class x_cursor # userspace
class x_client # userspace
class x_device # userspace
class x_server # userspace
class x_extension # userspace

# extended netlink sockets
# (per-family classes so that policy can distinguish, e.g., routing
# from audit netlink traffic; their permissions are defined below)
class netlink_route_socket
class netlink_firewall_socket
class netlink_tcpdiag_socket
class netlink_nflog_socket
class netlink_xfrm_socket
class netlink_selinux_socket
class netlink_audit_socket
class netlink_ip6fw_socket
class netlink_dnrt_socket

class dbus # userspace
class nscd # userspace

# IPSec association
class association

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket

class appletalk_socket

class packet

# Kernel access key retention
class key

class context # userspace

class dccp_socket

class memprotect

# userspace database object classes (see the "database" common below)
class db_database # userspace
class db_table # userspace
class db_procedure # userspace
class db_column # userspace
class db_tuple # userspace
class db_blob # userspace

# network peer labels
class peer

# Capabilities >= 32
class capability2

# More SE-X Windows stuff
class x_resource # userspace
class x_event # userspace
class x_synthetic_event # userspace
class x_application_data # userspace

# kernel services that need to override task security, e.g. cachefiles
class kernel_service

class tun_socket

# Still More SE-X Windows stuff
class x_pointer # userspace
class x_keyboard # userspace

# More Database stuff
class db_schema # userspace
class db_view # userspace
class db_sequence # userspace
class db_language # userspace

# binder / zygote / property_service: classes specific to this policy
# tree; their permission sets are defined at the end of access_vectors.
class binder
class zygote

# Property service
class property_service # userspace

# FLASK
#line 1 "external/sepolicy/initial_sids"
# FLASK

#
# Define initial security identifiers
#
# NOTE(review): like the classes above, initial SIDs appear to be
# numbered by declaration order — keep this list append-only.
#

sid kernel
sid security
sid unlabeled
sid fs
sid file
sid file_labels
sid init
sid any_socket
sid port
sid netif
sid netmsg
sid node
sid igmp_packet
sid icmp_socket
sid tcp_socket
sid sysctl_modprobe
sid sysctl
sid sysctl_fs
sid sysctl_kernel
sid sysctl_net
sid sysctl_net_unix
sid sysctl_vm
sid sysctl_dev
sid kmod
sid policy
sid scmp_packet
sid devnull

# FLASK
#line 1 "external/sepolicy/access_vectors"
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }
#
# A "common" is a shared permission prefix; a class that "inherits" it
# gets these permissions first, followed by its own.


#
# Define a common prefix for file access vectors.
#

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
}


#
# Define a common prefix for socket access vectors.
#

common socket
{
# inherited from file
# (the first ten names repeat the file common so that socket classes
# share the same leading permission bits; keep the two lists in step)
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

#
# Define a common prefix for ipc access vectors.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define a common prefix for userspace database object access vectors.
#

common database
{
	create
	drop
	getattr
	setattr
	relabelfrom
	relabelto
}

#
# Define a common prefix for pointer and keyboard access vectors.
#

common x_device
{
	getattr
	setattr
	use
	read
	write
	getfocus
	setfocus
	bell
	force_cursor
	freeze
	grab
	manage
	list_property
	get_property
	set_property
	add
	remove
	create
	destroy
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# NOTE(review): permission order within a class is assumed to fix the
# access-vector bit positions; append new permissions at the end.


#
# Define the access vector interpretation for file-related objects.
#

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
	quotamod
	quotaget
}

# Each file-type class inherits the "file" common and then adds its
# own permissions; note that the order of the trailing permissions
# differs between classes (e.g. dir vs. file) and is kept as-is.
class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
	open
	audit_access
	execmod
}

class file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

class lnk_file
inherits file
{
	open
	audit_access
	execmod
}

# chr_file carries execute_no_trans/entrypoint like a regular file;
# NOTE(review): grants of those on device nodes deserve scrutiny.
class chr_file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

class blk_file
inherits file
{
	open
	audit_access
	execmod
}

class sock_file
inherits file
{
	open
	audit_access
	execmod
}

class fifo_file
inherits file
{
	open
	audit_access
	execmod
}

# file descriptors: a single permission for inheriting/using an fd
class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#

# generic socket: only the common socket permissions, no extras
class socket
inherits socket

class tcp_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
	node_bind
	name_connect
}

class udp_socket
inherits socket
{
	node_bind
}

class rawip_socket
inherits socket
{
	node_bind
}

# node: per-address (peer node) send/receive controls
class node
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
	dccp_recv
	dccp_send
	recvfrom
	sendto
}

# netif: per-interface send/receive controls
class netif
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	dccp_recv
	dccp_send
	ingress
	egress
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class unix_dgram_socket
inherits socket

#
# Define the access vector interpretation for process-related objects
#
# NOTE(review): ptrace, dyntransition, setcurrent and the exec*
# permissions (execmem/execstack/execheap) are high-impact; any allow
# rule granting them should be individually justified.
#

class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	execmem
	execstack
	execheap
	setkeycreate
	setsockcreate
}


#
# Define the access vector interpretation for ipc-related objects
#

class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

# msg does not inherit the ipc common; it has only its own two permissions
class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server.
#
# NOTE(review): load_policy, setenforce, setbool and setcheckreqprot
# change the enforcement state itself; keep the set of domains allowed
# these permissions as small as possible.
#

class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce # was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
}


#
# Define the access vector interpretation for system operations.
#

class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
}

#
# Define the access vector interpretation for controlling capabilities
#

class capability
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the capability2 class.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)
	#
	# NOTE(review): sys_admin, sys_module, sys_rawio, sys_ptrace and
	# dac_override are the broadest of these; audit their grants.

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}

# capability bits 32 and above (same ordering caveat as above)
class capability2
{
	mac_override # unused by SELinux
	mac_admin # unused by SELinux
	syslog
	wake_alarm
	block_suspend
}

#
# Define the access vector interpretation for controlling
# changes to passwd information.
#
class passwd
{
	passwd # change another user passwd
	chfn # change another user finger info
	chsh # change another user shell
	rootok # pam_rootok check (skip auth)
	crontab # crontab on another user
}

#
# SE-X Windows stuff
# (userspace object manager classes; enforced by the X server, not the kernel)
#
class x_drawable
{
	create
	destroy
	read
	write
	blend
	getattr
	setattr
	list_child
	add_child
	remove_child
	list_property
	get_property
	set_property
	manage
	override
	show
	hide
	send
	receive
}

class x_screen
{
	getattr
	setattr
	hide_cursor
	show_cursor
	saver_getattr
	saver_setattr
	saver_hide
	saver_show
}

class x_gc
{
	create
	destroy
	getattr
	setattr
	use
}

class x_font
{
	create
	destroy
	getattr
	add_glyph
	remove_glyph
	use
}

class x_colormap
{
	create
	destroy
	read
	write
	getattr
	add_color
	remove_color
	install
	uninstall
	use
}

class x_property
{
	create
	destroy
	read
	write
	append
	getattr
	setattr
}

class x_selection
{
	read
	write
	getattr
	setattr
}

class x_cursor
{
	create
	destroy
	read
	write
	getattr
	setattr
	use
}

class x_client
{
	destroy
	getattr
	setattr
	manage
}

# x_device takes its whole permission set from the x_device common
class x_device
inherits x_device

# NOTE(review): record and debug expose server-wide input/state; treat
# grants of these like ptrace on the X side.
class x_server
{
	getattr
	setattr
	record
	debug
	grab
	manage
}

class x_extension
{
	query
	use
}

class x_resource
{
	read
	write
}

class x_event
{
	send
	receive
}

class x_synthetic_event
{
	send
	receive
}

#
# Extended Netlink classes
# (families that split nlmsg_read/nlmsg_write get an explicit body;
# the others rely on the inherited socket permissions alone)
#
class netlink_route_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_firewall_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_tcpdiag_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

# no nlmsg_* split: governed by the inherited socket permissions only
class netlink_nflog_socket
inherits socket

class netlink_xfrm_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

# no nlmsg_* split: governed by the inherited socket permissions only
class netlink_selinux_socket
inherits socket

# NOTE(review): nlmsg_relay, nlmsg_readpriv and nlmsg_tty_audit give
# finer control over the audit subsystem than plain read/write; keep
# them restricted to the audit daemon's domain where possible.
class netlink_audit_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}

class netlink_ip6fw_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

# no nlmsg_* split: governed by the inherited socket permissions only
class netlink_dnrt_socket
inherits socket

# Define the access vector interpretation for controlling
# access and communication through the D-BUS messaging
# system.
#
class dbus
{
	acquire_svc
	send_msg
}

# Define the access vector interpretation for controlling
# access through the name service cache daemon (nscd).
#
class nscd
{
	getpwd
	getgrp
	gethost
	getstat
	admin
	shmempwd
	shmemgrp
	shmemhost
	getserv
	shmemserv
}

# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
	sendto
	recvfrom
	setcontext
	polmatch
}

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket

class appletalk_socket
inherits socket

# network packets (secmark labels)
class packet
{
	send
	recv
	relabelto
	flow_in # deprecated
	flow_out # deprecated
	forward_in
	forward_out
}

# kernel key retention service keys
class key
{
	view
	read
	write
	search
	link
	setattr
	create
}

class context
{
	translate
	contains
}

class dccp_socket
inherits socket
{
	node_bind
	name_connect
}

# NOTE(review): mmap_zero allows mapping the zero page; it should be
# granted only to domains with a demonstrated need (e.g. legacy emulators).
class memprotect
{
	mmap_zero
}

# Userspace database object classes; all but db_tuple build on the
# "database" common defined earlier in this file.
class db_database
inherits database
{
	access
	install_module
	load_module
	get_param # deprecated
	set_param # deprecated
}

class db_table
inherits database
{
	use # deprecated
	select
	update
	insert
	delete
	lock
}

class db_procedure
inherits database
{
	execute
	entrypoint
	install
}

class db_column
inherits database
{
	use # deprecated
	select
	update
	insert
}

# db_tuple does not inherit database; it declares relabelfrom/relabelto itself
class db_tuple
{
	relabelfrom
	relabelto
	use # deprecated
	select
	update
	insert
	delete
}

class db_blob
inherits database
{
	read
	write
	import
	export
}

# network peer labels
class peer
{
	recv
}

class x_application_data
{
	paste
	paste_after_confirm
	copy
}

# NOTE(review): use_as_override and create_files_as let a kernel service
# act under another task's security context; grants should be limited to
# the specific services that need it (cf. the cachefiles comment above).
class kernel_service
{
	use_as_override
	create_files_as
}

class tun_socket
inherits socket

class x_pointer
inherits x_device

class x_keyboard
inherits x_device

class db_schema
inherits database
{
	search
	add_name
	remove_name
}

class db_view
inherits database
{
	expand
}

class db_sequence
inherits database
{
	get_value
	next_value
	set_value
}

class db_language
inherits database
{
	implement
	execute
}

# Binder IPC permissions.
# NOTE(review): set_context_mgr designates the binder context manager;
# impersonate lets a domain act as another binder endpoint — both
# warrant explicit justification in any allow rule.
class binder
{
	impersonate
	call
	set_context_mgr
	transfer
}

# Zygote process-spawning controls: each permission gates one of the
# attributes a spawned process may specify.
class zygote
{
	specifyids
	specifyrlimits
	specifycapabilities
	specifyinvokewith
	specifyseinfo
}

# Property service: a single permission controlling property writes.
class property_service
{
	set
}
#line 1 "external/sepolicy/global_macros"
#####################################
# Common groupings of object classes.
#
# (The macro definitions that followed each heading in this file were
# consumed by the preprocessor; only the headings remain in this
# expanded output.)



#####################################
# Common groupings of permissions.
#



#####################################
# Common socket permission sets.


#line 1 "external/sepolicy/mls_macros"
########################################
#
# gen_cats(N)
#
# declares categories c0 to c(N-1)
#
#line 10



########################################
#
# gen_sens(N)
#
# declares sensitivities s0 to s(N-1) with dominance
# in increasing numeric order with s0 lowest, s(N-1) highest
#
#line 24



#line 34


########################################
#
# gen_levels(N,M)
#
# levels from s0 to (N-1) with categories c0 to (M-1)
#
#line 45



########################################
#
# Basic level names for system low and high
#


#line 1 "external/sepolicy/mls"
#########################################
# MLS declarations
#

# Generate the desired number of sensitivities and categories.
# (The expansions of the gen_* macros above follow; the "#line N"
# directives interleaved with them are preprocessor resync markers
# pointing back at the macro call site.)

#line 6
# Each sensitivity has a name and zero or more aliases.
1166#line 6 1167sensitivity s0; 1168#line 6 1169 1170#line 6 1171 1172#line 6 1173# Define the ordering of the sensitivity levels (least to greatest) 1174#line 6 1175dominance { s0 } 1176#line 6 1177 1178category c0; 1179#line 7 1180category c1; 1181#line 7 1182category c2; 1183#line 7 1184category c3; 1185#line 7 1186category c4; 1187#line 7 1188category c5; 1189#line 7 1190category c6; 1191#line 7 1192category c7; 1193#line 7 1194category c8; 1195#line 7 1196category c9; 1197#line 7 1198category c10; 1199#line 7 1200category c11; 1201#line 7 1202category c12; 1203#line 7 1204category c13; 1205#line 7 1206category c14; 1207#line 7 1208category c15; 1209#line 7 1210category c16; 1211#line 7 1212category c17; 1213#line 7 1214category c18; 1215#line 7 1216category c19; 1217#line 7 1218category c20; 1219#line 7 1220category c21; 1221#line 7 1222category c22; 1223#line 7 1224category c23; 1225#line 7 1226category c24; 1227#line 7 1228category c25; 1229#line 7 1230category c26; 1231#line 7 1232category c27; 1233#line 7 1234category c28; 1235#line 7 1236category c29; 1237#line 7 1238category c30; 1239#line 7 1240category c31; 1241#line 7 1242category c32; 1243#line 7 1244category c33; 1245#line 7 1246category c34; 1247#line 7 1248category c35; 1249#line 7 1250category c36; 1251#line 7 1252category c37; 1253#line 7 1254category c38; 1255#line 7 1256category c39; 1257#line 7 1258category c40; 1259#line 7 1260category c41; 1261#line 7 1262category c42; 1263#line 7 1264category c43; 1265#line 7 1266category c44; 1267#line 7 1268category c45; 1269#line 7 1270category c46; 1271#line 7 1272category c47; 1273#line 7 1274category c48; 1275#line 7 1276category c49; 1277#line 7 1278category c50; 1279#line 7 1280category c51; 1281#line 7 1282category c52; 1283#line 7 1284category c53; 1285#line 7 1286category c54; 1287#line 7 1288category c55; 1289#line 7 1290category c56; 1291#line 7 1292category c57; 1293#line 7 1294category c58; 1295#line 7 1296category c59; 1297#line 7 
1298category c60; 1299#line 7 1300category c61; 1301#line 7 1302category c62; 1303#line 7 1304category c63; 1305#line 7 1306category c64; 1307#line 7 1308category c65; 1309#line 7 1310category c66; 1311#line 7 1312category c67; 1313#line 7 1314category c68; 1315#line 7 1316category c69; 1317#line 7 1318category c70; 1319#line 7 1320category c71; 1321#line 7 1322category c72; 1323#line 7 1324category c73; 1325#line 7 1326category c74; 1327#line 7 1328category c75; 1329#line 7 1330category c76; 1331#line 7 1332category c77; 1333#line 7 1334category c78; 1335#line 7 1336category c79; 1337#line 7 1338category c80; 1339#line 7 1340category c81; 1341#line 7 1342category c82; 1343#line 7 1344category c83; 1345#line 7 1346category c84; 1347#line 7 1348category c85; 1349#line 7 1350category c86; 1351#line 7 1352category c87; 1353#line 7 1354category c88; 1355#line 7 1356category c89; 1357#line 7 1358category c90; 1359#line 7 1360category c91; 1361#line 7 1362category c92; 1363#line 7 1364category c93; 1365#line 7 1366category c94; 1367#line 7 1368category c95; 1369#line 7 1370category c96; 1371#line 7 1372category c97; 1373#line 7 1374category c98; 1375#line 7 1376category c99; 1377#line 7 1378category c100; 1379#line 7 1380category c101; 1381#line 7 1382category c102; 1383#line 7 1384category c103; 1385#line 7 1386category c104; 1387#line 7 1388category c105; 1389#line 7 1390category c106; 1391#line 7 1392category c107; 1393#line 7 1394category c108; 1395#line 7 1396category c109; 1397#line 7 1398category c110; 1399#line 7 1400category c111; 1401#line 7 1402category c112; 1403#line 7 1404category c113; 1405#line 7 1406category c114; 1407#line 7 1408category c115; 1409#line 7 1410category c116; 1411#line 7 1412category c117; 1413#line 7 1414category c118; 1415#line 7 1416category c119; 1417#line 7 1418category c120; 1419#line 7 1420category c121; 1421#line 7 1422category c122; 1423#line 7 1424category c123; 1425#line 7 1426category c124; 1427#line 7 1428category c125; 
1429#line 7 1430category c126; 1431#line 7 1432category c127; 1433#line 7 1434category c128; 1435#line 7 1436category c129; 1437#line 7 1438category c130; 1439#line 7 1440category c131; 1441#line 7 1442category c132; 1443#line 7 1444category c133; 1445#line 7 1446category c134; 1447#line 7 1448category c135; 1449#line 7 1450category c136; 1451#line 7 1452category c137; 1453#line 7 1454category c138; 1455#line 7 1456category c139; 1457#line 7 1458category c140; 1459#line 7 1460category c141; 1461#line 7 1462category c142; 1463#line 7 1464category c143; 1465#line 7 1466category c144; 1467#line 7 1468category c145; 1469#line 7 1470category c146; 1471#line 7 1472category c147; 1473#line 7 1474category c148; 1475#line 7 1476category c149; 1477#line 7 1478category c150; 1479#line 7 1480category c151; 1481#line 7 1482category c152; 1483#line 7 1484category c153; 1485#line 7 1486category c154; 1487#line 7 1488category c155; 1489#line 7 1490category c156; 1491#line 7 1492category c157; 1493#line 7 1494category c158; 1495#line 7 1496category c159; 1497#line 7 1498category c160; 1499#line 7 1500category c161; 1501#line 7 1502category c162; 1503#line 7 1504category c163; 1505#line 7 1506category c164; 1507#line 7 1508category c165; 1509#line 7 1510category c166; 1511#line 7 1512category c167; 1513#line 7 1514category c168; 1515#line 7 1516category c169; 1517#line 7 1518category c170; 1519#line 7 1520category c171; 1521#line 7 1522category c172; 1523#line 7 1524category c173; 1525#line 7 1526category c174; 1527#line 7 1528category c175; 1529#line 7 1530category c176; 1531#line 7 1532category c177; 1533#line 7 1534category c178; 1535#line 7 1536category c179; 1537#line 7 1538category c180; 1539#line 7 1540category c181; 1541#line 7 1542category c182; 1543#line 7 1544category c183; 1545#line 7 1546category c184; 1547#line 7 1548category c185; 1549#line 7 1550category c186; 1551#line 7 1552category c187; 1553#line 7 1554category c188; 1555#line 7 1556category c189; 1557#line 7 
1558category c190; 1559#line 7 1560category c191; 1561#line 7 1562category c192; 1563#line 7 1564category c193; 1565#line 7 1566category c194; 1567#line 7 1568category c195; 1569#line 7 1570category c196; 1571#line 7 1572category c197; 1573#line 7 1574category c198; 1575#line 7 1576category c199; 1577#line 7 1578category c200; 1579#line 7 1580category c201; 1581#line 7 1582category c202; 1583#line 7 1584category c203; 1585#line 7 1586category c204; 1587#line 7 1588category c205; 1589#line 7 1590category c206; 1591#line 7 1592category c207; 1593#line 7 1594category c208; 1595#line 7 1596category c209; 1597#line 7 1598category c210; 1599#line 7 1600category c211; 1601#line 7 1602category c212; 1603#line 7 1604category c213; 1605#line 7 1606category c214; 1607#line 7 1608category c215; 1609#line 7 1610category c216; 1611#line 7 1612category c217; 1613#line 7 1614category c218; 1615#line 7 1616category c219; 1617#line 7 1618category c220; 1619#line 7 1620category c221; 1621#line 7 1622category c222; 1623#line 7 1624category c223; 1625#line 7 1626category c224; 1627#line 7 1628category c225; 1629#line 7 1630category c226; 1631#line 7 1632category c227; 1633#line 7 1634category c228; 1635#line 7 1636category c229; 1637#line 7 1638category c230; 1639#line 7 1640category c231; 1641#line 7 1642category c232; 1643#line 7 1644category c233; 1645#line 7 1646category c234; 1647#line 7 1648category c235; 1649#line 7 1650category c236; 1651#line 7 1652category c237; 1653#line 7 1654category c238; 1655#line 7 1656category c239; 1657#line 7 1658category c240; 1659#line 7 1660category c241; 1661#line 7 1662category c242; 1663#line 7 1664category c243; 1665#line 7 1666category c244; 1667#line 7 1668category c245; 1669#line 7 1670category c246; 1671#line 7 1672category c247; 1673#line 7 1674category c248; 1675#line 7 1676category c249; 1677#line 7 1678category c250; 1679#line 7 1680category c251; 1681#line 7 1682category c252; 1683#line 7 1684category c253; 1685#line 7 1686category 
c254; 1687#line 7 1688category c255; 1689#line 7 1690category c256; 1691#line 7 1692category c257; 1693#line 7 1694category c258; 1695#line 7 1696category c259; 1697#line 7 1698category c260; 1699#line 7 1700category c261; 1701#line 7 1702category c262; 1703#line 7 1704category c263; 1705#line 7 1706category c264; 1707#line 7 1708category c265; 1709#line 7 1710category c266; 1711#line 7 1712category c267; 1713#line 7 1714category c268; 1715#line 7 1716category c269; 1717#line 7 1718category c270; 1719#line 7 1720category c271; 1721#line 7 1722category c272; 1723#line 7 1724category c273; 1725#line 7 1726category c274; 1727#line 7 1728category c275; 1729#line 7 1730category c276; 1731#line 7 1732category c277; 1733#line 7 1734category c278; 1735#line 7 1736category c279; 1737#line 7 1738category c280; 1739#line 7 1740category c281; 1741#line 7 1742category c282; 1743#line 7 1744category c283; 1745#line 7 1746category c284; 1747#line 7 1748category c285; 1749#line 7 1750category c286; 1751#line 7 1752category c287; 1753#line 7 1754category c288; 1755#line 7 1756category c289; 1757#line 7 1758category c290; 1759#line 7 1760category c291; 1761#line 7 1762category c292; 1763#line 7 1764category c293; 1765#line 7 1766category c294; 1767#line 7 1768category c295; 1769#line 7 1770category c296; 1771#line 7 1772category c297; 1773#line 7 1774category c298; 1775#line 7 1776category c299; 1777#line 7 1778category c300; 1779#line 7 1780category c301; 1781#line 7 1782category c302; 1783#line 7 1784category c303; 1785#line 7 1786category c304; 1787#line 7 1788category c305; 1789#line 7 1790category c306; 1791#line 7 1792category c307; 1793#line 7 1794category c308; 1795#line 7 1796category c309; 1797#line 7 1798category c310; 1799#line 7 1800category c311; 1801#line 7 1802category c312; 1803#line 7 1804category c313; 1805#line 7 1806category c314; 1807#line 7 1808category c315; 1809#line 7 1810category c316; 1811#line 7 1812category c317; 1813#line 7 1814category c318; 1815#line 
7 1816category c319; 1817#line 7 1818category c320; 1819#line 7 1820category c321; 1821#line 7 1822category c322; 1823#line 7 1824category c323; 1825#line 7 1826category c324; 1827#line 7 1828category c325; 1829#line 7 1830category c326; 1831#line 7 1832category c327; 1833#line 7 1834category c328; 1835#line 7 1836category c329; 1837#line 7 1838category c330; 1839#line 7 1840category c331; 1841#line 7 1842category c332; 1843#line 7 1844category c333; 1845#line 7 1846category c334; 1847#line 7 1848category c335; 1849#line 7 1850category c336; 1851#line 7 1852category c337; 1853#line 7 1854category c338; 1855#line 7 1856category c339; 1857#line 7 1858category c340; 1859#line 7 1860category c341; 1861#line 7 1862category c342; 1863#line 7 1864category c343; 1865#line 7 1866category c344; 1867#line 7 1868category c345; 1869#line 7 1870category c346; 1871#line 7 1872category c347; 1873#line 7 1874category c348; 1875#line 7 1876category c349; 1877#line 7 1878category c350; 1879#line 7 1880category c351; 1881#line 7 1882category c352; 1883#line 7 1884category c353; 1885#line 7 1886category c354; 1887#line 7 1888category c355; 1889#line 7 1890category c356; 1891#line 7 1892category c357; 1893#line 7 1894category c358; 1895#line 7 1896category c359; 1897#line 7 1898category c360; 1899#line 7 1900category c361; 1901#line 7 1902category c362; 1903#line 7 1904category c363; 1905#line 7 1906category c364; 1907#line 7 1908category c365; 1909#line 7 1910category c366; 1911#line 7 1912category c367; 1913#line 7 1914category c368; 1915#line 7 1916category c369; 1917#line 7 1918category c370; 1919#line 7 1920category c371; 1921#line 7 1922category c372; 1923#line 7 1924category c373; 1925#line 7 1926category c374; 1927#line 7 1928category c375; 1929#line 7 1930category c376; 1931#line 7 1932category c377; 1933#line 7 1934category c378; 1935#line 7 1936category c379; 1937#line 7 1938category c380; 1939#line 7 1940category c381; 1941#line 7 1942category c382; 1943#line 7 1944category 
c383; 1945#line 7 1946category c384; 1947#line 7 1948category c385; 1949#line 7 1950category c386; 1951#line 7 1952category c387; 1953#line 7 1954category c388; 1955#line 7 1956category c389; 1957#line 7 1958category c390; 1959#line 7 1960category c391; 1961#line 7 1962category c392; 1963#line 7 1964category c393; 1965#line 7 1966category c394; 1967#line 7 1968category c395; 1969#line 7 1970category c396; 1971#line 7 1972category c397; 1973#line 7 1974category c398; 1975#line 7 1976category c399; 1977#line 7 1978category c400; 1979#line 7 1980category c401; 1981#line 7 1982category c402; 1983#line 7 1984category c403; 1985#line 7 1986category c404; 1987#line 7 1988category c405; 1989#line 7 1990category c406; 1991#line 7 1992category c407; 1993#line 7 1994category c408; 1995#line 7 1996category c409; 1997#line 7 1998category c410; 1999#line 7 2000category c411; 2001#line 7 2002category c412; 2003#line 7 2004category c413; 2005#line 7 2006category c414; 2007#line 7 2008category c415; 2009#line 7 2010category c416; 2011#line 7 2012category c417; 2013#line 7 2014category c418; 2015#line 7 2016category c419; 2017#line 7 2018category c420; 2019#line 7 2020category c421; 2021#line 7 2022category c422; 2023#line 7 2024category c423; 2025#line 7 2026category c424; 2027#line 7 2028category c425; 2029#line 7 2030category c426; 2031#line 7 2032category c427; 2033#line 7 2034category c428; 2035#line 7 2036category c429; 2037#line 7 2038category c430; 2039#line 7 2040category c431; 2041#line 7 2042category c432; 2043#line 7 2044category c433; 2045#line 7 2046category c434; 2047#line 7 2048category c435; 2049#line 7 2050category c436; 2051#line 7 2052category c437; 2053#line 7 2054category c438; 2055#line 7 2056category c439; 2057#line 7 2058category c440; 2059#line 7 2060category c441; 2061#line 7 2062category c442; 2063#line 7 2064category c443; 2065#line 7 2066category c444; 2067#line 7 2068category c445; 2069#line 7 2070category c446; 2071#line 7 2072category c447; 2073#line 
7 2074category c448; 2075#line 7 2076category c449; 2077#line 7 2078category c450; 2079#line 7 2080category c451; 2081#line 7 2082category c452; 2083#line 7 2084category c453; 2085#line 7 2086category c454; 2087#line 7 2088category c455; 2089#line 7 2090category c456; 2091#line 7 2092category c457; 2093#line 7 2094category c458; 2095#line 7 2096category c459; 2097#line 7 2098category c460; 2099#line 7 2100category c461; 2101#line 7 2102category c462; 2103#line 7 2104category c463; 2105#line 7 2106category c464; 2107#line 7 2108category c465; 2109#line 7 2110category c466; 2111#line 7 2112category c467; 2113#line 7 2114category c468; 2115#line 7 2116category c469; 2117#line 7 2118category c470; 2119#line 7 2120category c471; 2121#line 7 2122category c472; 2123#line 7 2124category c473; 2125#line 7 2126category c474; 2127#line 7 2128category c475; 2129#line 7 2130category c476; 2131#line 7 2132category c477; 2133#line 7 2134category c478; 2135#line 7 2136category c479; 2137#line 7 2138category c480; 2139#line 7 2140category c481; 2141#line 7 2142category c482; 2143#line 7 2144category c483; 2145#line 7 2146category c484; 2147#line 7 2148category c485; 2149#line 7 2150category c486; 2151#line 7 2152category c487; 2153#line 7 2154category c488; 2155#line 7 2156category c489; 2157#line 7 2158category c490; 2159#line 7 2160category c491; 2161#line 7 2162category c492; 2163#line 7 2164category c493; 2165#line 7 2166category c494; 2167#line 7 2168category c495; 2169#line 7 2170category c496; 2171#line 7 2172category c497; 2173#line 7 2174category c498; 2175#line 7 2176category c499; 2177#line 7 2178category c500; 2179#line 7 2180category c501; 2181#line 7 2182category c502; 2183#line 7 2184category c503; 2185#line 7 2186category c504; 2187#line 7 2188category c505; 2189#line 7 2190category c506; 2191#line 7 2192category c507; 2193#line 7 2194category c508; 2195#line 7 2196category c509; 2197#line 7 2198category c510; 2199#line 7 2200category c511; 2201#line 7 2202category 
c512; 2203#line 7 2204category c513; 2205#line 7 2206category c514; 2207#line 7 2208category c515; 2209#line 7 2210category c516; 2211#line 7 2212category c517; 2213#line 7 2214category c518; 2215#line 7 2216category c519; 2217#line 7 2218category c520; 2219#line 7 2220category c521; 2221#line 7 2222category c522; 2223#line 7 2224category c523; 2225#line 7 2226category c524; 2227#line 7 2228category c525; 2229#line 7 2230category c526; 2231#line 7 2232category c527; 2233#line 7 2234category c528; 2235#line 7 2236category c529; 2237#line 7 2238category c530; 2239#line 7 2240category c531; 2241#line 7 2242category c532; 2243#line 7 2244category c533; 2245#line 7 2246category c534; 2247#line 7 2248category c535; 2249#line 7 2250category c536; 2251#line 7 2252category c537; 2253#line 7 2254category c538; 2255#line 7 2256category c539; 2257#line 7 2258category c540; 2259#line 7 2260category c541; 2261#line 7 2262category c542; 2263#line 7 2264category c543; 2265#line 7 2266category c544; 2267#line 7 2268category c545; 2269#line 7 2270category c546; 2271#line 7 2272category c547; 2273#line 7 2274category c548; 2275#line 7 2276category c549; 2277#line 7 2278category c550; 2279#line 7 2280category c551; 2281#line 7 2282category c552; 2283#line 7 2284category c553; 2285#line 7 2286category c554; 2287#line 7 2288category c555; 2289#line 7 2290category c556; 2291#line 7 2292category c557; 2293#line 7 2294category c558; 2295#line 7 2296category c559; 2297#line 7 2298category c560; 2299#line 7 2300category c561; 2301#line 7 2302category c562; 2303#line 7 2304category c563; 2305#line 7 2306category c564; 2307#line 7 2308category c565; 2309#line 7 2310category c566; 2311#line 7 2312category c567; 2313#line 7 2314category c568; 2315#line 7 2316category c569; 2317#line 7 2318category c570; 2319#line 7 2320category c571; 2321#line 7 2322category c572; 2323#line 7 2324category c573; 2325#line 7 2326category c574; 2327#line 7 2328category c575; 2329#line 7 2330category c576; 2331#line 
7 2332category c577; 2333#line 7 2334category c578; 2335#line 7 2336category c579; 2337#line 7 2338category c580; 2339#line 7 2340category c581; 2341#line 7 2342category c582; 2343#line 7 2344category c583; 2345#line 7 2346category c584; 2347#line 7 2348category c585; 2349#line 7 2350category c586; 2351#line 7 2352category c587; 2353#line 7 2354category c588; 2355#line 7 2356category c589; 2357#line 7 2358category c590; 2359#line 7 2360category c591; 2361#line 7 2362category c592; 2363#line 7 2364category c593; 2365#line 7 2366category c594; 2367#line 7 2368category c595; 2369#line 7 2370category c596; 2371#line 7 2372category c597; 2373#line 7 2374category c598; 2375#line 7 2376category c599; 2377#line 7 2378category c600; 2379#line 7 2380category c601; 2381#line 7 2382category c602; 2383#line 7 2384category c603; 2385#line 7 2386category c604; 2387#line 7 2388category c605; 2389#line 7 2390category c606; 2391#line 7 2392category c607; 2393#line 7 2394category c608; 2395#line 7 2396category c609; 2397#line 7 2398category c610; 2399#line 7 2400category c611; 2401#line 7 2402category c612; 2403#line 7 2404category c613; 2405#line 7 2406category c614; 2407#line 7 2408category c615; 2409#line 7 2410category c616; 2411#line 7 2412category c617; 2413#line 7 2414category c618; 2415#line 7 2416category c619; 2417#line 7 2418category c620; 2419#line 7 2420category c621; 2421#line 7 2422category c622; 2423#line 7 2424category c623; 2425#line 7 2426category c624; 2427#line 7 2428category c625; 2429#line 7 2430category c626; 2431#line 7 2432category c627; 2433#line 7 2434category c628; 2435#line 7 2436category c629; 2437#line 7 2438category c630; 2439#line 7 2440category c631; 2441#line 7 2442category c632; 2443#line 7 2444category c633; 2445#line 7 2446category c634; 2447#line 7 2448category c635; 2449#line 7 2450category c636; 2451#line 7 2452category c637; 2453#line 7 2454category c638; 2455#line 7 2456category c639; 2457#line 7 2458category c640; 2459#line 7 2460category 
c641; 2461#line 7 2462category c642; 2463#line 7 2464category c643; 2465#line 7 2466category c644; 2467#line 7 2468category c645; 2469#line 7 2470category c646; 2471#line 7 2472category c647; 2473#line 7 2474category c648; 2475#line 7 2476category c649; 2477#line 7 2478category c650; 2479#line 7 2480category c651; 2481#line 7 2482category c652; 2483#line 7 2484category c653; 2485#line 7 2486category c654; 2487#line 7 2488category c655; 2489#line 7 2490category c656; 2491#line 7 2492category c657; 2493#line 7 2494category c658; 2495#line 7 2496category c659; 2497#line 7 2498category c660; 2499#line 7 2500category c661; 2501#line 7 2502category c662; 2503#line 7 2504category c663; 2505#line 7 2506category c664; 2507#line 7 2508category c665; 2509#line 7 2510category c666; 2511#line 7 2512category c667; 2513#line 7 2514category c668; 2515#line 7 2516category c669; 2517#line 7 2518category c670; 2519#line 7 2520category c671; 2521#line 7 2522category c672; 2523#line 7 2524category c673; 2525#line 7 2526category c674; 2527#line 7 2528category c675; 2529#line 7 2530category c676; 2531#line 7 2532category c677; 2533#line 7 2534category c678; 2535#line 7 2536category c679; 2537#line 7 2538category c680; 2539#line 7 2540category c681; 2541#line 7 2542category c682; 2543#line 7 2544category c683; 2545#line 7 2546category c684; 2547#line 7 2548category c685; 2549#line 7 2550category c686; 2551#line 7 2552category c687; 2553#line 7 2554category c688; 2555#line 7 2556category c689; 2557#line 7 2558category c690; 2559#line 7 2560category c691; 2561#line 7 2562category c692; 2563#line 7 2564category c693; 2565#line 7 2566category c694; 2567#line 7 2568category c695; 2569#line 7 2570category c696; 2571#line 7 2572category c697; 2573#line 7 2574category c698; 2575#line 7 2576category c699; 2577#line 7 2578category c700; 2579#line 7 2580category c701; 2581#line 7 2582category c702; 2583#line 7 2584category c703; 2585#line 7 2586category c704; 2587#line 7 2588category c705; 2589#line 
7 2590category c706; 2591#line 7 2592category c707; 2593#line 7 2594category c708; 2595#line 7 2596category c709; 2597#line 7 2598category c710; 2599#line 7 2600category c711; 2601#line 7 2602category c712; 2603#line 7 2604category c713; 2605#line 7 2606category c714; 2607#line 7 2608category c715; 2609#line 7 2610category c716; 2611#line 7 2612category c717; 2613#line 7 2614category c718; 2615#line 7 2616category c719; 2617#line 7 2618category c720; 2619#line 7 2620category c721; 2621#line 7 2622category c722; 2623#line 7 2624category c723; 2625#line 7 2626category c724; 2627#line 7 2628category c725; 2629#line 7 2630category c726; 2631#line 7 2632category c727; 2633#line 7 2634category c728; 2635#line 7 2636category c729; 2637#line 7 2638category c730; 2639#line 7 2640category c731; 2641#line 7 2642category c732; 2643#line 7 2644category c733; 2645#line 7 2646category c734; 2647#line 7 2648category c735; 2649#line 7 2650category c736; 2651#line 7 2652category c737; 2653#line 7 2654category c738; 2655#line 7 2656category c739; 2657#line 7 2658category c740; 2659#line 7 2660category c741; 2661#line 7 2662category c742; 2663#line 7 2664category c743; 2665#line 7 2666category c744; 2667#line 7 2668category c745; 2669#line 7 2670category c746; 2671#line 7 2672category c747; 2673#line 7 2674category c748; 2675#line 7 2676category c749; 2677#line 7 2678category c750; 2679#line 7 2680category c751; 2681#line 7 2682category c752; 2683#line 7 2684category c753; 2685#line 7 2686category c754; 2687#line 7 2688category c755; 2689#line 7 2690category c756; 2691#line 7 2692category c757; 2693#line 7 2694category c758; 2695#line 7 2696category c759; 2697#line 7 2698category c760; 2699#line 7 2700category c761; 2701#line 7 2702category c762; 2703#line 7 2704category c763; 2705#line 7 2706category c764; 2707#line 7 2708category c765; 2709#line 7 2710category c766; 2711#line 7 2712category c767; 2713#line 7 2714category c768; 2715#line 7 2716category c769; 2717#line 7 2718category 
c770; 2719#line 7 2720category c771; 2721#line 7 2722category c772; 2723#line 7 2724category c773; 2725#line 7 2726category c774; 2727#line 7 2728category c775; 2729#line 7 2730category c776; 2731#line 7 2732category c777; 2733#line 7 2734category c778; 2735#line 7 2736category c779; 2737#line 7 2738category c780; 2739#line 7 2740category c781; 2741#line 7 2742category c782; 2743#line 7 2744category c783; 2745#line 7 2746category c784; 2747#line 7 2748category c785; 2749#line 7 2750category c786; 2751#line 7 2752category c787; 2753#line 7 2754category c788; 2755#line 7 2756category c789; 2757#line 7 2758category c790; 2759#line 7 2760category c791; 2761#line 7 2762category c792; 2763#line 7 2764category c793; 2765#line 7 2766category c794; 2767#line 7 2768category c795; 2769#line 7 2770category c796; 2771#line 7 2772category c797; 2773#line 7 2774category c798; 2775#line 7 2776category c799; 2777#line 7 2778category c800; 2779#line 7 2780category c801; 2781#line 7 2782category c802; 2783#line 7 2784category c803; 2785#line 7 2786category c804; 2787#line 7 2788category c805; 2789#line 7 2790category c806; 2791#line 7 2792category c807; 2793#line 7 2794category c808; 2795#line 7 2796category c809; 2797#line 7 2798category c810; 2799#line 7 2800category c811; 2801#line 7 2802category c812; 2803#line 7 2804category c813; 2805#line 7 2806category c814; 2807#line 7 2808category c815; 2809#line 7 2810category c816; 2811#line 7 2812category c817; 2813#line 7 2814category c818; 2815#line 7 2816category c819; 2817#line 7 2818category c820; 2819#line 7 2820category c821; 2821#line 7 2822category c822; 2823#line 7 2824category c823; 2825#line 7 2826category c824; 2827#line 7 2828category c825; 2829#line 7 2830category c826; 2831#line 7 2832category c827; 2833#line 7 2834category c828; 2835#line 7 2836category c829; 2837#line 7 2838category c830; 2839#line 7 2840category c831; 2841#line 7 2842category c832; 2843#line 7 2844category c833; 2845#line 7 2846category c834; 2847#line 
7 2848category c835; 2849#line 7 2850category c836; 2851#line 7 2852category c837; 2853#line 7 2854category c838; 2855#line 7 2856category c839; 2857#line 7 2858category c840; 2859#line 7 2860category c841; 2861#line 7 2862category c842; 2863#line 7 2864category c843; 2865#line 7 2866category c844; 2867#line 7 2868category c845; 2869#line 7 2870category c846; 2871#line 7 2872category c847; 2873#line 7 2874category c848; 2875#line 7 2876category c849; 2877#line 7 2878category c850; 2879#line 7 2880category c851; 2881#line 7 2882category c852; 2883#line 7 2884category c853; 2885#line 7 2886category c854; 2887#line 7 2888category c855; 2889#line 7 2890category c856; 2891#line 7 2892category c857; 2893#line 7 2894category c858; 2895#line 7 2896category c859; 2897#line 7 2898category c860; 2899#line 7 2900category c861; 2901#line 7 2902category c862; 2903#line 7 2904category c863; 2905#line 7 2906category c864; 2907#line 7 2908category c865; 2909#line 7 2910category c866; 2911#line 7 2912category c867; 2913#line 7 2914category c868; 2915#line 7 2916category c869; 2917#line 7 2918category c870; 2919#line 7 2920category c871; 2921#line 7 2922category c872; 2923#line 7 2924category c873; 2925#line 7 2926category c874; 2927#line 7 2928category c875; 2929#line 7 2930category c876; 2931#line 7 2932category c877; 2933#line 7 2934category c878; 2935#line 7 2936category c879; 2937#line 7 2938category c880; 2939#line 7 2940category c881; 2941#line 7 2942category c882; 2943#line 7 2944category c883; 2945#line 7 2946category c884; 2947#line 7 2948category c885; 2949#line 7 2950category c886; 2951#line 7 2952category c887; 2953#line 7 2954category c888; 2955#line 7 2956category c889; 2957#line 7 2958category c890; 2959#line 7 2960category c891; 2961#line 7 2962category c892; 2963#line 7 2964category c893; 2965#line 7 2966category c894; 2967#line 7 2968category c895; 2969#line 7 2970category c896; 2971#line 7 2972category c897; 2973#line 7 2974category c898; 2975#line 7 2976category 
c899; 2977#line 7 2978category c900; 2979#line 7 2980category c901; 2981#line 7 2982category c902; 2983#line 7 2984category c903; 2985#line 7 2986category c904; 2987#line 7 2988category c905; 2989#line 7 2990category c906; 2991#line 7 2992category c907; 2993#line 7 2994category c908; 2995#line 7 2996category c909; 2997#line 7 2998category c910; 2999#line 7 3000category c911; 3001#line 7 3002category c912; 3003#line 7 3004category c913; 3005#line 7 3006category c914; 3007#line 7 3008category c915; 3009#line 7 3010category c916; 3011#line 7 3012category c917; 3013#line 7 3014category c918; 3015#line 7 3016category c919; 3017#line 7 3018category c920; 3019#line 7 3020category c921; 3021#line 7 3022category c922; 3023#line 7 3024category c923; 3025#line 7 3026category c924; 3027#line 7 3028category c925; 3029#line 7 3030category c926; 3031#line 7 3032category c927; 3033#line 7 3034category c928; 3035#line 7 3036category c929; 3037#line 7 3038category c930; 3039#line 7 3040category c931; 3041#line 7 3042category c932; 3043#line 7 3044category c933; 3045#line 7 3046category c934; 3047#line 7 3048category c935; 3049#line 7 3050category c936; 3051#line 7 3052category c937; 3053#line 7 3054category c938; 3055#line 7 3056category c939; 3057#line 7 3058category c940; 3059#line 7 3060category c941; 3061#line 7 3062category c942; 3063#line 7 3064category c943; 3065#line 7 3066category c944; 3067#line 7 3068category c945; 3069#line 7 3070category c946; 3071#line 7 3072category c947; 3073#line 7 3074category c948; 3075#line 7 3076category c949; 3077#line 7 3078category c950; 3079#line 7 3080category c951; 3081#line 7 3082category c952; 3083#line 7 3084category c953; 3085#line 7 3086category c954; 3087#line 7 3088category c955; 3089#line 7 3090category c956; 3091#line 7 3092category c957; 3093#line 7 3094category c958; 3095#line 7 3096category c959; 3097#line 7 3098category c960; 3099#line 7 3100category c961; 3101#line 7 3102category c962; 3103#line 7 3104category c963; 3105#line 
7 3106category c964; 3107#line 7 3108category c965; 3109#line 7 3110category c966; 3111#line 7 3112category c967; 3113#line 7 3114category c968; 3115#line 7 3116category c969; 3117#line 7 3118category c970; 3119#line 7 3120category c971; 3121#line 7 3122category c972; 3123#line 7 3124category c973; 3125#line 7 3126category c974; 3127#line 7 3128category c975; 3129#line 7 3130category c976; 3131#line 7 3132category c977; 3133#line 7 3134category c978; 3135#line 7 3136category c979; 3137#line 7 3138category c980; 3139#line 7 3140category c981; 3141#line 7 3142category c982; 3143#line 7 3144category c983; 3145#line 7 3146category c984; 3147#line 7 3148category c985; 3149#line 7 3150category c986; 3151#line 7 3152category c987; 3153#line 7 3154category c988; 3155#line 7 3156category c989; 3157#line 7 3158category c990; 3159#line 7 3160category c991; 3161#line 7 3162category c992; 3163#line 7 3164category c993; 3165#line 7 3166category c994; 3167#line 7 3168category c995; 3169#line 7 3170category c996; 3171#line 7 3172category c997; 3173#line 7 3174category c998; 3175#line 7 3176category c999; 3177#line 7 3178category c1000; 3179#line 7 3180category c1001; 3181#line 7 3182category c1002; 3183#line 7 3184category c1003; 3185#line 7 3186category c1004; 3187#line 7 3188category c1005; 3189#line 7 3190category c1006; 3191#line 7 3192category c1007; 3193#line 7 3194category c1008; 3195#line 7 3196category c1009; 3197#line 7 3198category c1010; 3199#line 7 3200category c1011; 3201#line 7 3202category c1012; 3203#line 7 3204category c1013; 3205#line 7 3206category c1014; 3207#line 7 3208category c1015; 3209#line 7 3210category c1016; 3211#line 7 3212category c1017; 3213#line 7 3214category c1018; 3215#line 7 3216category c1019; 3217#line 7 3218category c1020; 3219#line 7 3220category c1021; 3221#line 7 3222category c1022; 3223#line 7 3224category c1023; 3225#line 7 3226 3227 3228# Generate level definitions for each sensitivity and category. 
# Only one MLS level is declared here: sensitivity s0 carrying the full
# category range c0..c1023. With a single sensitivity, "dom"/"domby" in the
# constraints below reduce to subset tests on category sets and "eq" to
# category-set equality. NOTE(review): sensitivity declarations precede this
# point and are not shown here; confirm s0 is the only sensitivity before
# relying on that simplification.
level s0:c0.c1023;
#line 10



#################################################
# MLS policy constraints
#
# Reviewer notes that apply to every constraint in this section:
#  * l1/h1 are the subject's low/high level and t1 its type; l2/h2/t2 are
#    the object's. "dom" = dominates (read-up check), "domby" = dominated by
#    (write-down check), "eq" = equal.
#  * Every constraint carries "t1 == mlstrustedsubject" as an escape clause,
#    so a domain with that attribute is exempt from MLS entirely. Treat
#    membership in mlstrustedsubject as the most sensitive grant in this
#    policy and keep the list short.
#

#
# Process constraints
#

# Process transition: Require equivalence unless the subject is trusted.
# Both the low (l) and the high (h) bound must match, so a transition can
# neither widen nor narrow the target's range.
mlsconstrain process { transition dyntransition }
    ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);

# Process read operations: No read up unless trusted.
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
    (l1 dom l2 or t1 == mlstrustedsubject);

# Process write operations: No write down unless trusted.
# ptrace and share appear in both the read and the write set, so an
# untrusted subject needs l1 dom l2 AND l1 domby l2 -- i.e. equal levels --
# to ptrace or share with another process.
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
    (l1 domby l2 or t1 == mlstrustedsubject);

#
# Socket constraints
#

# Create/relabel operations: Subject must be equivalent to object unless
# the subject is trusted. Sockets inherit the range of their creator.
# The class list is explicit: a socket class not enumerated here receives
# no MLS check at create/relabel time.
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket } { create relabelfrom relabelto }
    ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);

# Datagram send: Sender must be dominated by receiver unless one of them is
# trusted.
# t2/l2 here belong to the receiving socket, which per the create
# constraint above carries its creator's range. The exemption applies if
# EITHER endpoint is mlstrustedsubject.
mlsconstrain unix_dgram_socket { sendto }
    (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

# Stream connect: Client must be equivalent to server unless one of them
# is trusted.
# This is strict equality (eq) rather than dominance, presumably because a
# connected stream carries data in both directions.
mlsconstrain unix_stream_socket { connectto }
    (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

#
# Directory/file constraints
#

# Create/relabel operations: Subject must be equivalent to object unless
# the subject is trusted. Also, files should always be single-level.
# Do NOT exempt mlstrustedobject types from this constraint.
# "l2 eq h2" is what enforces single-level files; it sits outside the
# trusted-subject clause, so it binds even for mlstrustedsubject.
mlsconstrain { dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create relabelfrom relabelto }
    (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));

#
# Constraints for app data files only.
#

# Only constrain open, not read/write.
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
# Subject must be equivalent to object unless the subject is trusted.
# Written as "t2 != app_data_file or ..." so these two rules are a no-op
# for every other file type. Because only open is constrained, read/write
# on an already-open descriptor is not re-checked here: a descriptor that
# was opened legitimately (or handed over from another process) remains
# usable regardless of level.
mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
    (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
    (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);

#
# Constraints for file types other than app data files.
#

# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
# The leading "t2 == app_data_file or" short-circuits these rules for app
# data files, which are governed solely by the open/setattr rules above.
# Unlike the process and IPC rules, the object side (mlstrustedobject) is
# also an exemption here.
mlsconstrain dir { read getattr search }
    (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
    (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

# Write operations: Subject must be dominated by the object unless the
# subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
    (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
    (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
# creating process' label. Thus we also have an exemption when the "object"
# is a MLS trusted subject and can receive data at any level.
# FIFOs get no app_data_file short-circuit, so they are always level-checked.
mlsconstrain fifo_file { read getattr }
    (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);

mlsconstrain fifo_file { write setattr append unlink link rename }
    (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);

#
# IPC constraints
#

# Create/destroy: equivalence or trusted.
# As with files, "l2 eq h2" keeps IPC objects single-level even when the
# creator is trusted.
mlsconstrain { sem msgq shm ipc } { create destroy }
    (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));

# Read ops: No read up unless trusted.
# The IPC rules have no mlstrustedobject exemption: only the subject side
# can be trusted.
mlsconstrain { sem msgq shm ipc } { getattr read associate unix_read }
    (l1 dom l2 or t1 == mlstrustedsubject);

# Write ops: No write down unless trusted.
mlsconstrain { sem msgq shm ipc } { write unix_write }
    (l1 domby l2 or t1 == mlstrustedsubject);

#
# Binder IPC constraints
#
# Presently commented out, as apps are expected to call one another.
# This would only make sense if apps were assigned categories
# based on allowable communications rather than per-app categories.
# Consequence: MLS categories provide no separation between apps over
# binder; binder isolation rests entirely on type-enforcement allow rules.
#mlsconstrain binder call
#    (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
#line 1 "external/sepolicy/policy_capabilities"
# Enable new networking controls.
# NOTE(review): a policy capability selects which checks the kernel
# performs; its effect depends on the kernel this policy is loaded into.
# Confirm the target kernel supports the peer-based network checks this
# capability enables.
policycap network_peer_controls;

# Enable open permission check.
# With open_perms on, "open" is a permission distinct from read/write and
# must be granted explicitly. The file allow rules in this policy list it,
# and the app_data_file MLS constraints depend on open being a separate
# check from read/write.
policycap open_perms;
#line 1 "external/sepolicy/te_macros"
# The m4 macro bodies defined in te_macros appear to have been expanded into
# their callers when this policy.conf was generated; only the header
# comments survive here. The "#line N" markers refer to lines of the
# original te_macros source. The domain_auto_trans expansion, for example,
# can be read in adbd.te further down (the run of "#line 9" markers).
#####################################
# domain_trans(olddomain, type, newdomain)
# Allow a transition from olddomain to newdomain
# upon executing a file labeled with type.
# This only allows the transition; it does not
# cause it to occur automatically - use domain_auto_trans
# if that is what you want.
#
#line 21


#####################################
# domain_auto_trans(olddomain, type, newdomain)
# Automatically transition from olddomain to newdomain
# upon executing a file labeled with type.
#
#line 33


#####################################
# file_type_trans(domain, dir_type, file_type)
# Allow domain to create a file labeled file_type in a
# directory labeled dir_type.
# This only allows the transition; it does not
# cause it to occur automatically - use file_type_auto_trans
# if that is what you want.
#
#line 49


#####################################
# file_type_auto_trans(domain, dir_type, file_type)
# Automatically label new files with file_type when
# they are created by domain in directories labeled dir_type.
#
#line 62


#####################################
# r_dir_file(domain, type)
# Allow the specified domain to read directories, files
# and symbolic links of the specified type.
#line 71


#####################################
# unconfined_domain(domain)
# Allow the specified domain to perform more privileged operations
# than would be typically allowed. Please see the comments at the
# top of unconfined.te.
3406# 3407#line 82 3408 3409 3410##################################### 3411# tmpfs_domain(domain) 3412# Define and allow access to a unique type for 3413# this domain when creating tmpfs / shmem / ashmem files. 3414#line 92 3415 3416 3417##################################### 3418# init_daemon_domain(domain) 3419# Set up a transition from init to the daemon domain 3420# upon executing its binary. 3421#line 101 3422 3423 3424##################################### 3425# app_domain(domain) 3426# Allow a base set of permissions required for all apps. 3427#line 112 3428 3429 3430##################################### 3431# relabelto_domain(domain) 3432# Allows this domain to use the relabelto permission 3433#line 119 3434 3435 3436##################################### 3437# platform_app_domain(domain) 3438# Allow permissions specific to platform apps. 3439#line 127 3440 3441 3442##################################### 3443# net_domain(domain) 3444# Allow a base set of permissions required for network access. 3445#line 134 3446 3447 3448##################################### 3449# bluetooth_domain(domain) 3450# Allow a base set of permissions required for bluetooth access. 3451#line 141 3452 3453 3454##################################### 3455# unix_socket_connect(clientdomain, socket, serverdomain) 3456# Allow a local socket connection from clientdomain via 3457# socket to serverdomain. 3458#line 150 3459 3460 3461##################################### 3462# unix_socket_send(clientdomain, socket, serverdomain) 3463# Allow a local socket send from clientdomain via 3464# socket to serverdomain. 3465#line 159 3466 3467 3468##################################### 3469# binder_use(domain) 3470# Allow domain to use Binder IPC. 3471#line 169 3472 3473 3474##################################### 3475# binder_call(clientdomain, serverdomain) 3476# Allow clientdomain to perform binder IPC to serverdomain. 
3477#line 181 3478 3479 3480##################################### 3481# binder_service(domain) 3482# Mark a domain as being a Binder service domain. 3483# Used to allow binder IPC to the various system services. 3484#line 189 3485 3486 3487##################################### 3488# selinux_check_access(domain) 3489# Allow domain to check SELinux permissions via selinuxfs. 3490#line 199 3491 3492 3493##################################### 3494# selinux_check_context(domain) 3495# Allow domain to check SELinux contexts via selinuxfs. 3496#line 208 3497 3498 3499##################################### 3500# selinux_getenforce(domain) 3501# Allow domain to check whether SELinux is enforcing. 3502#line 216 3503 3504 3505##################################### 3506# selinux_setenforce(domain) 3507# Allow domain to set SELinux to enforcing. 3508#line 225 3509 3510 3511##################################### 3512# selinux_setbool(domain) 3513# Allow domain to set SELinux booleans. 3514#line 234 3515 3516 3517##################################### 3518# security_access_policy(domain) 3519# Read only access to all policy files and 3520# selinuxfs 3521#line 248 3522 3523 3524##################################### 3525# selinux_manage_policy(domain) 3526# Ability to manage policy files and 3527# trigger runtime reload. 3528#line 261 3529 3530 3531##################################### 3532# mmac_manage_policy(domain) 3533# Ability to manage mmac policy files, 3534# trigger runtime reload, change 3535# mmac enforcing mode and access logcat. 3536#line 274 3537 3538 3539##################################### 3540# access_kmsg(domain) 3541# Ability to read from kernel logs 3542# and execute the klogctl syscall 3543# in a non destructive manner. 
# See
# man 2 klogctl
#line 284


#####################################
# write_klog(domain)
# Ability to write to kernel log via
# klog_write()
# See system/core/libcutil/klog.c
#line 295


#####################################
# create_pty(domain)
# Allow domain to create and use a pty, isolated from any other domain ptys.
#line 309


#####################################
# Non system_app application set
#


#####################################
# Userdebug or eng builds
# SELinux rules which apply only to userdebug or eng builds
#


#####################################
# permissive_or_unconfined
# Returns "permissive $1" if FORCE_PERMISSIVE_TO_UNCONFINED is false,
# and "unconfined($1)" otherwise.
#
# This is used for experimental domains, where we want to ensure
# the domain is unconfined+enforcing once new SELinux policy development
# has ceased.
#
# NOTE(review): either outcome leaves the domain effectively unconfined;
# a domain should not ship through this macro once its policy is settled.
#


#####################################
# write_logd(domain)
# Ability to write to android log
# daemon via sockets
#line 345


#####################################
# read_logd(domain)
# Ability to read from android
# log daemon via sockets
#line 353


#####################################
# control_logd(domain)
# Ability to control
# android log daemon via sockets
#line 363

#line 1 "external/sepolicy/attributes"
######################################
# Attribute declarations
#
# An attribute names a set of types. A rule written against an attribute
# applies to every type that carries it, so the broad attributes below
# (domain, appdomain, sdcard_type, ...) are the widest targets in this
# policy; check the attribute's membership before granting against it.

# All types used for devices.
attribute dev_type;

# All types used for processes.
# Every process type declares this attribute (e.g. "type adbd, domain;"
# below).
attribute domain;

# All types used for filesystems.
attribute fs_type;

# All types used for files that can exist on a labeled fs.
# Do not use for pseudo file types.
attribute file_type;

# All types used for domain entry points.
attribute exec_type;

# All types used for /data files.
attribute data_file_type;

# All types used for sysfs files.
attribute sysfs_type;

# Attribute used for all sdcards
attribute sdcard_type;

# All types used for nodes/hosts.
attribute node_type;

# All types used for network interfaces.
attribute netif_type;

# All types used for network ports.
attribute port_type;

# All types used for property service
attribute property_type;

# All domains that can override MLS restrictions.
# i.e. processes that can read up and write down.
# Every mlsconstrain in this policy carries "t1 == mlstrustedsubject" as an
# escape clause, so a domain with this attribute bypasses MLS completely.
# Audit its members; each one is a hole in the per-app category isolation.
attribute mlstrustedsubject;

# All types that can override MLS restrictions.
# i.e. files that can be read by lower and written by higher
# This exempts the object side of the file read/write constraints only;
# the create/relabel constraint deliberately does not honour it, so files
# of these types still have to be single-level and created at the
# creator's level.
attribute mlstrustedobject;

# Domains that are allowed all permissions ("unconfined").
attribute unconfineddomain;

# All domains used for shells.
attribute shelldomain;

# All domains used for apps.
# Rules written against appdomain (e.g. adbd's connectto on appdomain unix
# sockets in adbd.te) apply to every app process, not to a subset.
attribute appdomain;

# All domains used for apps with network access.
attribute netdomain;

# All domains used for apps with bluetooth access.
attribute bluetoothdomain;

# All domains used for binder service domains.
attribute binderservicedomain;

# All domains used for platform (signed by build key) apps.
attribute platformappdomain;

# All domains which are allowed the "relabelto" permission
# relabelto changes the security label on an object; treat membership as a
# privileged grant, since it lets the domain move objects into other types.
attribute relabeltodomain;
#line 1 "external/sepolicy/adbd.te"
# adbd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
# Consequence: adbd's domain is assigned by init.rc's seclabel rather than
# by a type_transition on an exec type, and the entrypoint permission has
# to be granted on the generic rootfs type (see below).
type adbd, domain;

#line 7



#line 9
# Allow the necessary permissions.
#line 9

#line 9
# Old domain may exec the file and transition to the new domain.
#line 9
allow adbd shell_exec:file { getattr open read execute };
#line 9
allow adbd shell:process transition;
#line 9
# New domain is entered by executing the file.
#line 9
allow shell shell_exec:file { entrypoint read execute };
#line 9
# New domain can send SIGCHLD to its caller.
#line 9
allow shell adbd:process sigchld;
#line 9
# Enable AT_SECURE, i.e. libc secure mode.
#line 9
# NOTE(review): this dontaudit is moot here -- adbd.te explicitly allows
# adbd shell:process noatsecure a few lines further down, so the shell is
# started WITHOUT libc secure mode.
dontaudit adbd shell:process noatsecure;
#line 9
# XXX dontaudit candidate but requires further study.
#line 9
allow adbd shell:process { siginh rlimitinh };
#line 9

#line 9
# Make the transition occur by default.
#line 9
type_transition adbd shell_exec:process shell;
#line 9

# this is an entrypoint
# Because adbd has no unique exec type, entrypoint is granted on the whole
# rootfs type: any rootfs-labelled file is an acceptable entry point for
# this domain, not just the adbd binary.
allow adbd rootfs:file entrypoint;

# Do not sanitize the environment or open fds of the shell.
# This overrides the dontaudit from the domain_auto_trans expansion above.
# The shell therefore inherits adbd's environment and open descriptors
# unsanitized; anything adbd leaves open or exported is reachable from the
# shell.
allow adbd shell:process noatsecure;

# Set UID and GID to shell. Set supplementary groups.
# NOTE(review): the capability is not scoped to a particular uid/gid; the
# only thing confining adbd to "shell" is adbd's own code plus the
# type_transition above. Treat adbd as a uid-switching domain when
# reviewing anything it executes in its own domain (see system_file below).
allow adbd self:capability { setuid setgid };

# Drop capabilities from bounding set on user builds.
allow adbd self:capability setpcap;

# Create and use network sockets.

#line 23
typeattribute adbd netdomain;
#line 23


# Access /dev/android_adb.
allow adbd adb_device:chr_file { { getattr open read ioctl lock } { open append write } };

# On emulator, access /dev/qemu*.
allow adbd qemu_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Use a pseudo tty.
allow adbd devpts:chr_file { { getattr open read ioctl lock } { open append write } };

# adb push/pull /data/local/tmp.
allow adbd shell_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow adbd shell_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# adb push/pull sdcard.
# sdcard_type is an attribute covering every sdcard type; this grants full
# create/rename/reparent/rmdir plus read/write over all of them.
allow adbd sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow adbd sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Set service.adb.*, sys.powerctl properties.
# (unix_socket_connect expansion: adbd talks to init's property socket.)
# powerctl_prop covers sys.powerctl, i.e. adbd can request reboot/shutdown.

#line 43
allow adbd property_socket:sock_file write;
#line 43
allow adbd init:unix_stream_socket connectto;
#line 43

allow adbd shell_prop:property_service set;
allow adbd powerctl_prop:property_service set;

# XXX Run /system/bin/vdc to connect to vold. Run in a separate domain?
# Also covers running /system/bin/bu.
# NOTE(review): execute_no_trans means ANY system_file binary runs inside
# the adbd domain itself, with the setuid/setgid capabilities, property
# and vold-socket access granted in this file. A bug in vdc, bu or any other
# system binary adbd can be made to run inherits all of adbd's privileges.
# The XXX above stands; a dedicated domain would bound this.
allow adbd system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };

#line 50
allow adbd vold_socket:sock_file write;
#line 50
allow adbd vold:unix_stream_socket connectto;
#line 50


# Perform binder IPC to surfaceflinger (screencap)
# XXX Run screencap in a separate domain?

#line 54
# Call the servicemanager and transfer references to it.
#line 54
allow adbd servicemanager:binder { call transfer };
#line 54
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 54
# all domains in domain.te.
#line 54


#line 55
# Call the server domain and optionally transfer references to it.
#line 55
allow adbd surfaceflinger:binder { call transfer };
#line 55
# Allow the serverdomain to transfer references to the client on the reply.
#line 55
allow surfaceflinger adbd:binder transfer;
#line 55
# Receive and use open files from the server.
#line 55
allow adbd surfaceflinger:fd use;
#line 55


# Read /data/misc/adb/adb_keys.
# Read-only: adbd cannot add or modify authorized keys through this rule.
allow adbd adb_keys_file:dir search;
allow adbd adb_keys_file:file { getattr open read ioctl lock };

# Allow access in case /data/misc/adb still has the old type.
# NOTE(review): this is a type-wide grant -- adbd may read every file of
# type system_data_file, not only the adb_keys fallback. Remove once
# /data/misc/adb is reliably labelled adb_keys_file.
allow adbd system_data_file:dir search;
allow adbd system_data_file:file { getattr open read ioctl lock };

# ndk-gdb invokes adb forward to forward the gdbserver socket.
# NOTE(review): appdomain spans every app, so adbd can connect to any app's
# unix stream socket under app_data_file. Policy cannot express "debuggable
# app only"; presumably adbd/run-as gate this at runtime -- confirm.
allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto;

# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
# The system_file read rule below duplicates the read half of the
# execute rule above and could be dropped.
allow adbd zygote_exec:file { getattr open read ioctl lock };
allow adbd system_file:file { getattr open read ioctl lock };
#line 1 "external/sepolicy/app.te"
###
### Domain for all zygote spawned apps
###
### This file is the base policy for all zygote spawned apps.
### Other policy files, such as isolated_app.te, untrusted_app.te, etc
### extend from this policy. Only policies which should apply to ALL
### zygote spawned apps should be added here.
###

# Dalvik Compiler JIT Mapping.
allow appdomain self:process execmem;
allow appdomain ashmem_device:chr_file execute;

# Allow apps to connect to the keystore

#line 15
allow appdomain keystore_socket:sock_file write;
#line 15
allow appdomain keystore:unix_stream_socket connectto;
#line 15


# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;

# gdbserver for ndk-gdb reads the zygote.
allow appdomain zygote_exec:file { getattr open read ioctl lock };

# gdbserver for ndk-gdb ptrace attaches to app process.
# self only: attaching to non-app domains is neverallowed further down.
allow appdomain self:process ptrace;

# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;

# Notify zygote of death;
allow appdomain zygote:process sigchld;

# Notify shell and adbd of death when spawned via runas for ndk-gdb.
allow appdomain shell:process sigchld;
allow appdomain adbd:process sigchld;

# child shell or gdbserver pty access for runas.
# No open: the pty fd must already have been handed to the app.
allow appdomain devpts:chr_file { getattr read write ioctl };

# Communicate with system_server.
allow appdomain system_server:fifo_file { { getattr open read ioctl lock } { open append write } };
allow appdomain system_server:unix_stream_socket { read write setopt };

# Binder client of system_server (macro expansion from app.te line 42).
# Call the server domain and optionally transfer references to it.
allow appdomain system_server:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow system_server appdomain:binder transfer;
# Receive and use open files from the server.
allow appdomain system_server:fd use;

# Communication with other apps via fifos
allow appdomain appdomain:fifo_file { { getattr open read ioctl lock } { open append write } };

# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt };

# Binder client of surfaceflinger (macro expansion from app.te line 49).
# Call the server domain and optionally transfer references to it.
allow appdomain surfaceflinger:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow surfaceflinger appdomain:binder transfer;
# Receive and use open files from the server.
allow appdomain surfaceflinger:fd use;

# App sandbox file accesses.
allow appdomain app_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow appdomain app_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Read/write data files created by the platform apps if they
# were passed to the app via binder or local IPC. Do not allow open.
allow appdomain platform_app_data_file:file { getattr read write };

# lib subdirectory of /data/data dir is system-owned.
# Note: open + execute but no read, and execute_no_trans, so a
# system-owned library runs inside the app's own domain.
allow appdomain system_data_file:dir { open getattr read search ioctl };
allow appdomain system_data_file:file { execute execute_no_trans open };

# Execute the shell or other system executables.
# execute_no_trans: the executed binary stays in the app domain.
allow appdomain shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
allow appdomain system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };

# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { getattr read write };

# Write to /data/anr/traces.txt.
# append only, never write/create, so existing trace content cannot be
# truncated or rewritten by an app.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };

# Allow apps to send dump information to dumpstate
# shell_data_file: write without open, i.e. only through an fd that
# dumpstate already opened and passed over. This is why the
# shell_data_file neverallow at the end of app.te deliberately omits write.
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr };
allow appdomain shell_data_file:file { write getattr };

# Write to /proc/net/xt_qtaguid/ctrl file.
allow appdomain qtaguid_proc:file { { getattr open read ioctl lock } { open append write } };
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
allow appdomain qtaguid_device:chr_file { getattr open read ioctl lock };

# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
allow appdomain gpu_device:chr_file { { { getattr open read ioctl lock } { open append write } } execute };

# Use the Binder.
# (macro expansion from app.te line 90)
# Call the servicemanager and transfer references to it.
allow appdomain servicemanager:binder { call transfer };
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.

# Perform binder IPC to binder services.
# (macro expansion from app.te line 92)
# Call the server domain and optionally transfer references to it.
allow appdomain binderservicedomain:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow binderservicedomain appdomain:binder transfer;
# Receive and use open files from the server.
allow appdomain binderservicedomain:fd use;

# Perform binder IPC to other apps.
# (macro expansion from app.te line 94; the second transfer rule is
# redundant with the first because source and target are the same.)
# Call the server domain and optionally transfer references to it.
allow appdomain appdomain:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow appdomain appdomain:binder transfer;
# Receive and use open files from the server.
allow appdomain appdomain:fd use;

# Appdomain interaction with isolated apps
# (macro expansion from app.te line 97: read-only dir/file access)
allow appdomain isolated_app:dir { open getattr read search ioctl };
allow appdomain isolated_app:{ file lnk_file } { getattr open read ioctl lock };

# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
allow appdomain isolated_app:unix_stream_socket { read write };

# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
allow appdomain backup_data_file:file { read write getattr };
allow appdomain cache_backup_file:file { read write getattr };
# Backup ability using 'adb backup'
allow appdomain system_data_file:lnk_file getattr;

# Allow all applications to read downloaded files
allow appdomain download_file:dir search;
allow appdomain download_file:file { getattr open read ioctl lock };

# Allow applications to communicate with netd via /dev/socket/dnsproxyd
# to do DNS resolution
# (macro expansion from app.te line 118)
allow appdomain dnsproxyd_socket:sock_file write;
allow appdomain netd:unix_stream_socket connectto;

# Allow applications to communicate with drmserver over binder
# (macro expansion from app.te line 121)
# Call the server domain and optionally transfer references to it.
allow appdomain drmserver:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow drmserver appdomain:binder transfer;
# Receive and use open files from the server.
allow appdomain drmserver:fd use;

# Allow applications to communicate with mediaserver over binder
# (macro expansion from app.te line 124)
# Call the server domain and optionally transfer references to it.
allow appdomain mediaserver:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow mediaserver appdomain:binder transfer;
# Receive and use open files from the server.
allow appdomain mediaserver:fd use;

# Allow applications to make outbound tcp connections to any port
# port_type is the attribute of every port type, so no destination port
# is distinguished here.
allow appdomain port_type:tcp_socket name_connect;

# Allow apps to see changes to the routing table.
# Observe only: neither write nor nlmsg_write is granted, so apps cannot
# modify routes through this socket.
allow appdomain self:netlink_route_socket {
	read
	bind
	create
	nlmsg_read
	ioctl
	getattr
	setattr
	getopt
	setopt
	shutdown
};

# Allow apps to use rawip sockets. This is needed for apps which execute
# /system/bin/ping, for example.
# NOTE(review): this includes write/connect, i.e. crafting raw IP packets.
# Presumably the kernel's own DAC/capability check on raw sockets still
# applies on top of this rule - verify on the target kernel.
allow appdomain self:rawip_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };

# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
# No open permission here, consistent with the fd-passing design above.
allow appdomain usb_device:chr_file { read write getattr ioctl };
allow appdomain usbaccessory_device:chr_file { read write getattr };

# For art.
allow appdomain dalvikcache_data_file:file execute;

# For legacy unlabeled userdata on existing devices.
# See discussion of Unlabeled files in domain.te for more information.
allow appdomain unlabeled:file { getattr execute execute_no_trans };

###
### CTS-specific rules
###

# For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java.
# Reads /proc/pid/status and statm entries to check that
# no unexpected root processes are running.
# Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java
# Reads /proc/pid/cmdline of vold.
# NOTE(review): "domain" is the attribute of every process on the device,
# so this is read access to the /proc/<pid> entries of ALL domains, not
# just the ones the two tests look at. Only write is neverallowed below.
allow appdomain domain:dir { open read search getattr };
allow appdomain domain:{ file lnk_file } { open read getattr };

# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.

# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
# Check SELinux policy and contexts.
# (macro expansion from app.te line 181: access-vector queries)
# The write permission on selinuxfs files does not by itself let an app
# change enforcing mode, booleans or policy: those also require the
# kernel:security permissions that are neverallowed for appdomain below.
allow appdomain selinuxfs:dir { open getattr read search ioctl };
allow appdomain selinuxfs:file { { getattr open read ioctl lock } { open append write } };
allow appdomain kernel:security compute_av;
# Full access to the netlink_selinux_socket class (policy-change notifications).
allow appdomain self:netlink_selinux_socket *;

# (macro expansion from app.te line 182: context validation)
allow appdomain selinuxfs:dir { open getattr read search ioctl };
allow appdomain selinuxfs:file { { getattr open read ioctl lock } { open append write } };
allow appdomain kernel:security check_context;

# Validate that each process is running in the correct security context.
allow appdomain domain:process getattr;

# logd access
# (macro expansion from app.te line 187)
allow appdomain logdr_socket:sock_file write;
allow appdomain logd:unix_stream_socket connectto;

# application inherit logd write socket (urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write;

###
### Neverallow rules
###
### These are things that Android apps should NEVER be able to do
###
### Each rule below exempts unconfineddomain; a domain carrying that
### attribute is therefore outside every restriction in this section.

# Superuser capabilities.
# bluetooth requires net_admin.
neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
neverallow { appdomain -unconfineddomain } self:capability2 *;

# Block device access.
neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };

# Access to any of the following character devices.
neverallow { appdomain -unconfineddomain } {
	audio_device
	camera_device
	dm_device
	radio_device
	gps_device
	rpmsg_device
}:chr_file { read write };

# Note: Try expanding list of app domains in the future.
# Only three app domains are covered here, unlike the appdomain-wide rules
# around it.
neverallow { untrusted_app isolated_app shell -unconfineddomain }
	graphics_device:chr_file { read write };

neverallow { appdomain -nfc -unconfineddomain } nfc_device:chr_file
	{ read write };
neverallow { appdomain -bluetooth -unconfineddomain } hci_attach_dev:chr_file
	{ read write };
neverallow { appdomain -unconfineddomain } tee_device:chr_file { read write };

# Set SELinux enforcing mode, booleans or any other SELinux settings.
neverallow { appdomain -unconfineddomain } kernel:security
	{ setenforce setbool setsecparam setcheckreqprot };

# Load security policy.
# No unconfineddomain exception: this holds even for unconfined apps.
neverallow appdomain kernel:security load_policy;

# Privileged netlink socket interfaces.
# netlink_route_socket and netlink_selinux_socket are intentionally absent;
# they are granted to appdomain above.
neverallow { appdomain -unconfineddomain }
	self:{
		netlink_socket
		netlink_firewall_socket
		netlink_tcpdiag_socket
		netlink_nflog_socket
		netlink_xfrm_socket
		netlink_audit_socket
		netlink_ip6fw_socket
		netlink_dnrt_socket
		netlink_kobject_uevent_socket
	} *;

# Sockets under /dev/socket that are not specifically typed.
neverallow { appdomain -unconfineddomain } socket_device:sock_file write;

# Unix domain sockets.
neverallow { appdomain -unconfineddomain } adbd_socket:sock_file write;
neverallow { appdomain -unconfineddomain } installd_socket:sock_file write;
# Four app domains keep property socket access; compare the
# property_type:property_service neverallow at the end of this section.
neverallow { appdomain -bluetooth -radio -shell -system_app -unconfineddomain }
	property_socket:sock_file write;
neverallow { appdomain -radio -unconfineddomain } rild_socket:sock_file write;
neverallow { appdomain -unconfineddomain } vold_socket:sock_file write;
neverallow { appdomain -unconfineddomain } zygote_socket:sock_file write;

# ptrace access to non-app domains.
# App-to-app ptrace is not covered by this rule (and only self ptrace is
# granted above).
neverallow { appdomain -unconfineddomain } { domain -appdomain }:process ptrace;

# Write access to /proc/pid entries for any non-app domain.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:file write;

# signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:process
	{ sigkill sigstop signal };

# Transition to a non-app domain.
# Exception for the shell domain, can transition to runas, etc.
# ~appdomain is the complement, so apps may only ever transition into
# another app domain.
neverallow { appdomain -shell -unconfineddomain } ~appdomain:process
	{ transition dyntransition };

# Map low memory.
# Note: Take to domain.te and apply to all domains in the future.
neverallow { appdomain -unconfineddomain } self:memprotect mmap_zero;

# Write to rootfs.
neverallow { appdomain -unconfineddomain } rootfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
	{ create write setattr relabelfrom relabelto append unlink link rename };

# Write to /system.
neverallow { appdomain -unconfineddomain } system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
	{ create write setattr relabelfrom relabelto append unlink link rename };

# Write to entrypoint executables.
neverallow { appdomain -unconfineddomain } exec_type:file
	{ create write setattr relabelfrom relabelto append unlink link rename };

# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts. Define a different type for portions
# that should be writable by apps.
# Exception for system_app for Settings.
neverallow { appdomain -unconfineddomain -system_app }
	system_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
	{ create write setattr relabelfrom relabelto append unlink link rename };

# Write to various other parts of /data.
neverallow { appdomain -system_app -unconfineddomain }
	security_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
	{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } drm_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
	{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain } gps_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
	{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
	apk_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
	{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
	apk_tmp_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
	{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
	apk_private_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
	{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app -unconfineddomain }
	apk_private_tmp_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
	{ create write setattr relabelfrom relabelto append unlink link rename };
# Deliberately omits "write": apps are allowed to write to a shell_data_file
# fd handed over by dumpstate (see the dumpstate rules above), but may not
# create, delete or rename anything there.
neverallow { appdomain -shell -unconfineddomain }
	shell_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
	{ create setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -bluetooth -unconfineddomain }
	bluetooth_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
	{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
	keystore_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
	{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
	systemkeys_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
	{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
	wifi_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
	{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -unconfineddomain }
	dhcp_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
	{ create write setattr relabelfrom relabelto append unlink link rename };

# Access to factory files.
# Read is forbidden here too, unlike the write-only rules above.
neverallow { appdomain -unconfineddomain }
	efs_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { read write };

# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc -unconfineddomain }
	sysfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
neverallow { appdomain -unconfineddomain }
	proc:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;

# Access to syslog(2) or /proc/kmsg.
neverallow { appdomain -system_app -unconfineddomain }
	kernel:system { syslog_read syslog_mod syslog_console };

# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
neverallow { appdomain -unconfineddomain } fs_type:filesystem ~getattr;

# Ability to set system properties.
neverallow { appdomain -system_app -radio -shell -bluetooth -unconfineddomain }
	property_type:property_service set;
#line 1 "external/sepolicy/binderservicedomain.te"
# Rules common to all binder service domains

# Allow dumpstate to collect information from binder services
# shell_data_file: write without open, so only via an fd dumpstate passes.
allow binderservicedomain dumpstate:fd use;
allow binderservicedomain dumpstate:unix_stream_socket { read write getopt getattr };
allow binderservicedomain shell_data_file:file { getattr write };

# Allow dumpsys to work from adb shell
allow binderservicedomain devpts:chr_file { { getattr open read ioctl lock } { open append write } };
#line 1 "external/sepolicy/bluetooth.te"
# bluetooth subsystem
type bluetooth, domain;

# bluetooth is an app domain (macro expansion from bluetooth.te line 3):
# every appdomain allow and neverallow rule above applies to it, except
# where it is explicitly carved out with "-bluetooth".
typeattribute bluetooth appdomain;
# Label ashmem objects with our own unique type.
type bluetooth_tmpfs, file_type;
type_transition bluetooth tmpfs:file bluetooth_tmpfs;
allow bluetooth bluetooth_tmpfs:file { read write };

# Map with PROT_EXEC.
# Combined with read/write above this permits writable+executable tmpfs
# mappings for the bluetooth process.
allow bluetooth bluetooth_tmpfs:file execute;

# Data file accesses.
allow bluetooth bluetooth_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow bluetooth bluetooth_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Socket creation under /data/misc/bluedroid.
# Sockets created there get bluetooth_socket rather than bluetooth_data_file.
type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
allow bluetooth bluetooth_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# bluetooth factory file accesses.
# (macro expansion from bluetooth.te line 14: read-only)
allow bluetooth bluetooth_efs_file:dir { open getattr read search ioctl };
allow bluetooth bluetooth_efs_file:{ file lnk_file } { getattr open read ioctl lock };

# Device accesses.
# hci_attach_dev is otherwise neverallowed for app domains (see app.te).
allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file { { getattr open read ioctl lock } { open append write } };

# Other domains that can create and use bluetooth sockets.
# SELinux does not presently define a specific socket class for
# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
# Consequently this is every permission on the generic socket class, for
# every domain carrying bluetoothdomain.
allow bluetoothdomain self:socket *;

# sysfs access.
allow bluetooth sysfs_bluetooth_writable:file { { getattr open read ioctl lock } { open append write } };
# The only capability bluetooth holds; the neverallow at the end of this
# file pins it to exactly net_admin.
allow bluetooth self:capability net_admin;

# Allow clients to use a socket provided by the bluetooth app.
allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };

# tethering
allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
allow bluetooth efs_file:dir search;

# Talk to init over the property socket.
# (macro expansion from bluetooth.te line 36)
allow bluetooth property_socket:sock_file write;
allow bluetooth init:unix_stream_socket connectto;

# proc access.
allow bluetooth proc_bluetooth_writable:file { { getattr open read ioctl lock } { open append write } };

# bluetooth file transfers
allow bluetooth sdcard_internal:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow bluetooth sdcard_internal:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Allow reading of media_rw_data_file file descriptors
# passed to bluetooth
# No open: fd must be passed in.
allow bluetooth media_rw_data_file:file { read getattr };

# Allow write access to bluetooth specific properties
allow bluetooth bluetooth_prop:property_service set;

###
### Neverallow rules
###
### These are things that the bluetooth app should NEVER be able to do
###

# Superuser capabilities.
# bluetooth requires net_admin.
# Complement set: any capability other than net_admin is forbidden.
neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;
#line 1 "external/sepolicy/bootanim.te"
# bootanimation oneshot service
type bootanim, domain;
type bootanim_exec, exec_type, file_type;

# Automatic domain transition init -> bootanim
# (macro expansion from bootanim.te line 5).
# Allow the necessary permissions.
# Old domain may exec the file and transition to the new domain.
allow init bootanim_exec:file { getattr open read execute };
allow init bootanim:process transition;
# New domain is entered by executing the file.
allow bootanim bootanim_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow bootanim init:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit init bootanim:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init bootanim:process { siginh rlimitinh };

# Make the transition occur by default.
type_transition init bootanim_exec:process bootanim;

# Private tmpfs label for bootanim's ashmem objects.
type bootanim_tmpfs, file_type;
type_transition bootanim tmpfs:file bootanim_tmpfs;
allow bootanim bootanim_tmpfs:file { read write };

# Binder client of surfaceflinger (macro expansions from bootanim.te
# lines 7-8).
# Call the servicemanager and transfer references to it.
allow bootanim servicemanager:binder { call transfer };
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.

# Call the server domain and optionally transfer references to it.
allow bootanim surfaceflinger:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow surfaceflinger bootanim:binder transfer;
# Receive and use open files from the server.
allow bootanim surfaceflinger:fd use;

# Direct read/write on the GPU device for rendering the animation.
allow bootanim gpu_device:chr_file { { getattr open read ioctl lock } { open append write } };
#line 1 "external/sepolicy/clatd.te"
# 464xlat daemon
type clatd, domain;

# NOTE(review): clatd is fully unconfined (macro expansion from clatd.te
# line 3). unconfineddomain is the "allowed all permissions" attribute
# and is carved out of every neverallow in app.te, and mlstrustedsubject
# additionally lets it bypass MLS. A network-facing daemon is a strong
# candidate for a confined policy in a later revision.
typeattribute clatd mlstrustedsubject;
typeattribute clatd unconfineddomain;

type clatd_exec, exec_type, file_type;

# Automatic domain transition init -> clatd
# (macro expansion from clatd.te line 6).
# Allow the necessary permissions.
# Old domain may exec the file and transition to the new domain.
allow init clatd_exec:file { getattr open read execute };
allow init clatd:process transition;
# New domain is entered by executing the file.
allow clatd clatd_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow clatd init:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit init clatd:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init clatd:process { siginh rlimitinh };

# Make the transition occur by default.
type_transition init clatd_exec:process clatd;

# Private tmpfs label for clatd's ashmem objects.
type clatd_tmpfs, file_type;
type_transition clatd tmpfs:file clatd_tmpfs;
allow clatd clatd_tmpfs:file { read write };

# Network access (macro expansion from clatd.te line 7). Redundant while
# clatd is unconfined, but keeps the intent visible if it is ever confined.
typeattribute clatd netdomain;

#line 1 "external/sepolicy/debuggerd.te"
# debugger interface
type debuggerd, domain;
type debuggerd_exec, exec_type, file_type;

# Automatic domain transition init -> debuggerd
# (macro expansion from debuggerd.te line 5).
# Allow the necessary permissions.
# Old domain may exec the file and transition to the new domain.
allow init debuggerd_exec:file { getattr open read execute };
allow init debuggerd:process transition;
# New domain is entered by executing the file.
allow debuggerd debuggerd_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow debuggerd init:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit init debuggerd:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init debuggerd:process { siginh rlimitinh };

# Make the transition occur by default.
type_transition init debuggerd_exec:process debuggerd;

# Private tmpfs label for debuggerd's ashmem objects.
type debuggerd_tmpfs, file_type;
type_transition debuggerd tmpfs:file debuggerd_tmpfs;
allow debuggerd debuggerd_tmpfs:file { read write };

# debuggerd is a high-privilege crash handler: it bypasses MLS, overrides
# DAC, and can ptrace/signal nearly every process on the device.
typeattribute debuggerd mlstrustedsubject;
allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner };
allow debuggerd self:capability2 { syslog };
allow debuggerd domain:dir { open getattr read search ioctl };
allow debuggerd domain:file { getattr open read ioctl lock };
# NOTE(review): ptrace is granted to every domain EXCEPT the five listed.
# Because "domain" is an attribute, any new privileged daemon added to the
# policy becomes ptrace-able by debuggerd unless it is added to this list.
allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd }:process ptrace;

# Read-only access to policy/context files, selinuxfs and the rootfs
# (macro expansion from debuggerd.te line 12).
allow debuggerd security_file:dir { open getattr read search ioctl };
allow debuggerd security_file:file { getattr open read ioctl lock };
allow debuggerd security_file:lnk_file { getattr open read ioctl lock };
allow debuggerd selinuxfs:dir { open getattr read search ioctl };
allow debuggerd selinuxfs:file { getattr open read ioctl lock };
allow debuggerd rootfs:dir { open getattr read search ioctl };
allow debuggerd rootfs:file { getattr open read ioctl lock };

# Full directory management under system_data_file, plus relabelfrom so
# the tombstone directory can be moved to its own type below.
allow debuggerd system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow debuggerd system_data_file:dir relabelfrom;

# (macro expansion from debuggerd.te line 15)
typeattribute debuggerd relabeltodomain;

# Tombstone directory: relabel target plus full create/write access.
allow debuggerd tombstone_data_file:dir relabelto;
allow debuggerd tombstone_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow debuggerd tombstone_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Stop and signal any process (no exclusion list here, unlike ptrace above).
allow debuggerd domain:process { sigstop signal };
allow debuggerd exec_type:file { getattr open read ioctl lock };
# Access app library
allow debuggerd system_data_file:file open;

# Connect to system_server via /data/system/ndebugsocket.
# (macro expansion from debuggerd.te line 25)
allow debuggerd system_ndebug_socket:sock_file write;
allow debuggerd system_server:unix_stream_socket connectto;

# logd access
# (macro expansion from debuggerd.te line 33)
allow debuggerd logdr_socket:sock_file write;
allow debuggerd logd:unix_stream_socket connectto;

#line 1 "external/sepolicy/device.te"
# Device types
# Types carrying mlstrustedobject may be accessed across MLS levels
# (see the attribute definition above).
type device, dev_type, fs_type;
type alarm_device, dev_type, mlstrustedobject;
type adb_device, dev_type;
type ashmem_device, dev_type, mlstrustedobject;
type audio_device, dev_type;
type binder_device, dev_type, mlstrustedobject;
type block_device, dev_type;
type camera_device, dev_type;
type dm_device, dev_type;
type loop_device, dev_type;
type radio_device, dev_type;
type ram_device, dev_type;
type console_device, dev_type;
type cpuctl_device, dev_type;
type fscklogs, dev_type;
type full_device, dev_type;
# GPU (used by most UI apps)
type gpu_device, dev_type, mlstrustedobject;
type graphics_device, dev_type;
type hw_random_device, dev_type;
type input_device, dev_type;
type kmem_device, dev_type;
type log_device, dev_type, mlstrustedobject;
type mtd_device, dev_type;
type mtp_device, dev_type, mlstrustedobject;
type nfc_device, dev_type;
type ptmx_device, dev_type, mlstrustedobject;
type qemu_device, dev_type;
type kmsg_device,
dev_type; 4723type null_device, dev_type, mlstrustedobject; 4724type random_device, dev_type; 4725type sensors_device, dev_type; 4726type serial_device, dev_type; 4727type socket_device, dev_type; 4728type owntty_device, dev_type, mlstrustedobject; 4729type tty_device, dev_type; 4730type urandom_device, dev_type; 4731type video_device, dev_type; 4732type vcs_device, dev_type; 4733type zero_device, dev_type; 4734type fuse_device, dev_type; 4735type iio_device, dev_type; 4736type ion_device, dev_type, mlstrustedobject; 4737type gps_device, dev_type; 4738type qtaguid_device, dev_type; 4739type watchdog_device, dev_type; 4740type uhid_device, dev_type; 4741type tun_device, dev_type, mlstrustedobject; 4742type usbaccessory_device, dev_type; 4743type usb_device, dev_type; 4744type klog_device, dev_type; 4745type properties_device, dev_type; 4746 4747# All devices have a uart for the hci 4748# attach service. The uart dev node 4749# varies per device. This type 4750# is used in per device policy 4751type hci_attach_dev, dev_type; 4752 4753# All devices have a rpmsg device for 4754# achieving remoteproc and rpmsg modules 4755type rpmsg_device, dev_type; 4756 4757# Partition layout block device 4758type root_block_device, dev_type; 4759#line 1 "external/sepolicy/dhcp.te" 4760type dhcp, domain; 4761 4762#line 2 4763typeattribute dhcp mlstrustedsubject; 4764#line 2 4765typeattribute dhcp unconfineddomain; 4766#line 2 4767 4768type dhcp_exec, exec_type, file_type; 4769type dhcp_data_file, file_type, data_file_type; 4770 4771 4772#line 6 4773 4774#line 6 4775# Allow the necessary permissions. 4776#line 6 4777 4778#line 6 4779# Old domain may exec the file and transition to the new domain. 4780#line 6 4781allow init dhcp_exec:file { getattr open read execute }; 4782#line 6 4783allow init dhcp:process transition; 4784#line 6 4785# New domain is entered by executing the file. 
#line 6
allow dhcp dhcp_exec:file { entrypoint read execute };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
allow dhcp init:process sigchld;
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit init dhcp:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow init dhcp:process { siginh rlimitinh };
#line 6
# Make the transition occur by default.
#line 6
type_transition init dhcp_exec:process dhcp;

# Private tmpfs label for dhcp.
#line 6
type dhcp_tmpfs, file_type;
#line 6
type_transition dhcp tmpfs:file dhcp_tmpfs;
#line 6
allow dhcp dhcp_tmpfs:file { read write };

# Network access comes from the netdomain attribute (defined outside this span).
#line 7
typeattribute dhcp netdomain;

# Privilege summary for the dhcp domain (beyond the transition template):
#  - capabilities setgid/setuid/net_admin/net_raw/net_bind_service
#  - packet, raw-IP and netlink-route sockets (the latter with nlmsg_write)
#  - execute_no_trans of shell_exec and system_file executables, i.e. it may
#    run shell scripts and system binaries in its own domain
#  - write to proc_net files and set of system_prop through init's property
#    service socket
#  - owns dhcp_data_file and reads/writes sockets and pipes inherited from netd
allow dhcp cgroup:dir { create write add_name };
allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
allow dhcp self:packet_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
allow dhcp self:netlink_route_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_write };
allow dhcp self:rawip_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
allow dhcp shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
allow dhcp system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
# For /proc/sys/net/ipv4/conf/*/promote_secondaries
allow dhcp proc_net:file write;
allow dhcp system_prop:property_service set ;

# Property set goes through init's property socket.
#line 19
allow dhcp property_socket:sock_file write;
#line 19
allow dhcp init:unix_stream_socket connectto;

allow dhcp owntty_device:chr_file { { getattr open read ioctl lock } { open append write
} };

# Files and dirs dhcp creates under system_data_file get the dhcp_data_file label.
type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
allow dhcp dhcp_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow dhcp dhcp_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# PAN connections
allow dhcp netd:fd use;
allow dhcp netd:fifo_file { { getattr open read ioctl lock } { open append write } };
allow dhcp netd:{ { udp_socket unix_dgram_socket } unix_stream_socket } { read write };
allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
#line 1 "external/sepolicy/dnsmasq.te"
# DNS, DHCP services
# dnsmasq is also mlstrustedsubject and unconfineddomain. No init transition
# template appears in this section, so how the domain is entered is not
# visible here. The explicit grants are: net_bind_service/setgid/setuid, TCP
# sockets with name_bind on the generic port type and node_bind, and write
# access to dhcp_data_file (shared with the dhcp domain above).
type dnsmasq, domain;

#line 3
typeattribute dnsmasq mlstrustedsubject;
#line 3
typeattribute dnsmasq unconfineddomain;

type dnsmasq_exec, exec_type, file_type;

allow dnsmasq self:capability { net_bind_service setgid setuid };
allow dnsmasq self:tcp_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };

allow dnsmasq dhcp_data_file:dir { open search write add_name remove_name };
allow dnsmasq dhcp_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# name_bind on the generic port type: any port not given a more specific label.
allow dnsmasq port:tcp_socket name_bind;
allow dnsmasq node:tcp_socket node_bind;
#line 1 "external/sepolicy/domain.te"
# Rules for all domains.
# Everything allowed here applies to every process domain on the device, so
# each rule is a floor on least privilege that no per-domain policy can take
# back; only the neverallow rules at the end of this file constrain it, and
# those are checked when the policy is compiled, not at runtime.

# Allow reaping by init.
allow domain init:process sigchld;

# Read access to properties mapping.
allow domain kernel:fd use;
allow domain tmpfs:file { read getattr };

# Search /storage/emulated tmpfs mount.
allow domain tmpfs:dir { open getattr read search ioctl };

# Intra-domain accesses.
# Every process permission on itself except the W^X-related ones and ptrace;
# domains that need execmem (e.g. dumpstate below) must be granted it explicitly.
allow domain self:process ~{ execmem execstack execheap ptrace };
allow domain self:fd use;
allow domain self:dir { open getattr read search ioctl };
allow domain self:lnk_file { getattr open read ioctl lock };
allow domain self:{ fifo_file file } { { getattr open read ioctl lock } { open append write } };
# "*" = every permission on the domain's own unix sockets.
allow domain self:{ unix_dgram_socket unix_stream_socket } *;

# Inherit or receive open files from others.
allow domain init:fd use;
allow domain system_server:fd use;

# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow domain adbd:unix_stream_socket connectto;
allow domain adbd:fd use;
allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };

###
### Talk to debuggerd.
###
allow domain debuggerd:process sigchld;
allow domain debuggerd:unix_stream_socket connectto;

# Root fs.
allow domain rootfs:dir { open getattr read search ioctl };
allow domain rootfs:file { getattr open read ioctl lock };
allow domain rootfs:lnk_file { getattr open read ioctl lock };

# Device accesses.
# Only the specific device types listed here are reachable by every domain;
# the generic "device" type gets search/read only, and the neverallow at the
# end of this file blocks open/read/write on device:chr_file for confined
# domains.
allow domain device:dir search;
allow domain dev_type:lnk_file { getattr open read ioctl lock };
allow domain devpts:dir search;
allow domain device:file read;
allow domain socket_device:dir search;
allow domain owntty_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow domain null_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow domain zero_device:chr_file { getattr open read ioctl lock };
allow domain ashmem_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow domain binder_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow domain ptmx_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow domain log_device:dir search;
allow domain log_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow domain alarm_device:chr_file { getattr open read ioctl lock };
allow domain urandom_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow domain random_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow domain properties_device:file { getattr open read ioctl lock };

# logd access
# Every domain may write log records to logd's writer socket.
#line 76
allow domain logdw_socket:sock_file write;
#line 76
allow domain logd:unix_dgram_socket sendto;

# Filesystem accesses.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;

# System file accesses.
allow domain system_file:dir { open getattr read search ioctl };
allow domain system_file:file { getattr open read ioctl lock };
allow domain system_file:file execute;
allow domain system_file:lnk_file { getattr open read ioctl lock };

# Read files already opened under /data.
# Note the asymmetry: system_data_file:file gets getattr/read but not open,
# so a domain can use an inherited fd but cannot open such files itself.
allow domain system_data_file:dir { search getattr };
allow domain system_data_file:file { getattr read };
allow domain system_data_file:lnk_file { getattr open read ioctl lock };

# Read apk files under /data/app.
allow domain apk_data_file:dir { getattr search };
allow domain apk_data_file:file { getattr open read ioctl lock };

# Read /data/dalvik-cache.
allow domain dalvikcache_data_file:dir { search getattr };
allow domain dalvikcache_data_file:file { getattr open read ioctl lock };

# Read already opened /cache files.
allow domain cache_file:dir { open getattr read search ioctl };
allow domain cache_file:file { getattr read };
allow domain cache_file:lnk_file { getattr open read ioctl lock };

# Read timezone related information
#line 107
allow domain zoneinfo_data_file:dir { open getattr read search ioctl };
#line 107
allow domain zoneinfo_data_file:{ file lnk_file } { getattr open read ioctl lock };

# For /acct/uid/*/tasks.
allow domain cgroup:dir { search write };
allow domain cgroup:file { open append write };

#Allow access to ion memory allocation device
allow domain ion_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Read access to pseudo filesystems.
#line 117
allow domain proc:dir { open getattr read search ioctl };
#line 117
allow domain proc:{ file lnk_file } { getattr open read ioctl lock };

#line 118
allow domain sysfs:dir { open getattr read search ioctl };
#line 118
allow domain sysfs:{ file lnk_file } { getattr open read ioctl lock };

#line 119
allow domain sysfs_devices_system_cpu:dir { open getattr read search ioctl };
#line 119
allow domain sysfs_devices_system_cpu:{ file lnk_file } { getattr open read ioctl lock };

#line 120
allow domain inotify:dir { open getattr read search ioctl };
#line 120
allow domain inotify:{ file lnk_file } { getattr open read ioctl lock };

#line 121
allow domain cgroup:dir { open getattr read search ioctl };
#line 121
allow domain cgroup:{ file lnk_file } { getattr open read ioctl lock };

#line 122
allow domain proc_net:dir { open getattr read search ioctl };
#line 122
allow domain proc_net:{ file lnk_file } { getattr open read ioctl lock };

# debugfs access
# NOTE(review): the second rule grants open/append/write on every debugfs
# file to every domain, which is broader than the label "debugfs access"
# suggests. Worth confirming which debugfs nodes actually need to be
# writable and whether a dedicated writable type (as file.te does for sysfs
# with sysfs_writable) would be a better fit.
allow domain debugfs:dir { open getattr read search ioctl };
allow domain debugfs:file { open append write };

# Get SELinux enforcing status.
#line 129
allow domain selinuxfs:dir { open getattr read search ioctl };
#line 129
allow domain selinuxfs:file { getattr open read ioctl lock };

# security files
allow domain security_file:dir { search getattr };
allow domain security_file:file getattr;

# World readable asec image contents
allow domain asec_public_file:file { getattr open read ioctl lock };
allow domain { asec_public_file asec_apk_file }:dir { open getattr read search ioctl };

######## Backwards compatibility - Unlabeled files ############

# Revert to DAC rules when looking at unlabeled files. Over time, the number
# of unlabeled files should decrease.
# TODO: delete these rules in the future.
#
# Note on relabelfrom: We allow any app relabelfrom, but without the relabelto
# capability, it's essentially useless. This is needed to allow an app with
# relabelto to relabel unlabeled files.
#
allow domain unlabeled:{ file lnk_file sock_file fifo_file } { { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } } relabelfrom };
allow domain unlabeled:dir { { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } relabelfrom };
# relabelto on any filesystem object is reserved to relabeltodomain members
# (debuggerd and dumpstate in this file).
neverallow { domain -relabeltodomain } *:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;

###
### neverallow rules
###
# These are build-time assertions: an allow rule anywhere in the policy that
# intersects one of them makes the policy compile fail, so they document the
# intended trust boundaries more reliably than comments do.

# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;

# Limit device node creation and raw I/O to these whitelisted domains.
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability { sys_rawio mknod };

# No domain needs mac_override as it is unused by SELinux.
neverallow domain self:capability2 mac_override;

# Only recovery needs mac_admin to set contexts not defined in current policy.
neverallow { domain -recovery } self:capability2 mac_admin;

# Only init should be able to load SELinux policies.
# The first load technically occurs while still in the kernel domain,
# but this does not trigger a denial since there is no policy yet.
# Policy reload requires allowing this to the init domain.
neverallow { domain -init } kernel:security load_policy;

# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
neverallow { domain -kernel } kernel:security { setenforce setcheckreqprot };

# Only init, ueventd and system_server should be able to access HW RNG
# NOTE(review): the rule below also exempts unconfineddomain, which the
# comment above does not mention; in this file clatd, dhcp, dnsmasq and
# dumpstate carry that attribute, so they are outside this restriction too.
neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;

# Ensure that all entrypoint executables are in exec_type.
neverallow domain { file_type -exec_type }:file entrypoint;

# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
# The second rule applies even to kernel, ueventd and init: they may only
# create, relabel, unlink or setattr the node, never open or read/write it.
neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };

# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init } proc_security:file { append write };

# No domain should be allowed to ptrace init.
neverallow domain init:process ptrace;

# Init can't receive binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow domain init:binder call;

# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };

# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
# ueventd is exempt from this, as its managing these devices.
# NOTE(review): unconfineddomain is exempt here as well, so the domains that
# carry it in this file (clatd, dhcp, dnsmasq, dumpstate) keep raw access to
# unrelabelled device nodes.
neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write };

# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
#line 1 "external/sepolicy/drmserver.te"
# drmserver - DRM service
# drmserver is entered from init via the standard transition template, is a
# binder client of servicemanager, system_server, appdomain and mediaserver,
# and is itself a binderservicedomain (so dumpstate may call it).
type drmserver, domain;
type drmserver_exec, exec_type, file_type;

#line 5
# Allow the necessary permissions.
#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init drmserver_exec:file { getattr open read execute };
#line 5
allow init drmserver:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow drmserver drmserver_exec:file { entrypoint read execute };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
allow drmserver init:process sigchld;
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init drmserver:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init drmserver:process { siginh rlimitinh };
#line 5
# Make the transition occur by default.
#line 5
type_transition init drmserver_exec:process drmserver;

# Private tmpfs label for drmserver.
#line 5
type drmserver_tmpfs, file_type;
#line 5
type_transition drmserver tmpfs:file drmserver_tmpfs;
#line 5
allow drmserver drmserver_tmpfs:file { read write };

typeattribute drmserver mlstrustedsubject;

# Perform Binder IPC to system server.
#line 9
# Call the servicemanager and transfer references to it.
#line 9
allow drmserver servicemanager:binder { call transfer };
#line 9
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 9
# all domains in domain.te.

#line 10
# Call the server domain and optionally transfer references to it.
#line 10
allow drmserver system_server:binder { call transfer };
#line 10
# Allow the serverdomain to transfer references to the client on the reply.
#line 10
allow system_server drmserver:binder transfer;
#line 10
# Receive and use open files from the server.
#line 10
allow drmserver system_server:fd use;

#line 11
# Call the server domain and optionally transfer references to it.
#line 11
allow drmserver appdomain:binder { call transfer };
#line 11
# Allow the serverdomain to transfer references to the client on the reply.
#line 11
allow appdomain drmserver:binder transfer;
#line 11
# Receive and use open files from the server.
#line 11
allow drmserver appdomain:fd use;

#line 12
typeattribute drmserver binderservicedomain;

# Perform Binder IPC to mediaserver
#line 15
# Call the server domain and optionally transfer references to it.
#line 15
allow drmserver mediaserver:binder { call transfer };
#line 15
# Allow the serverdomain to transfer references to the client on the reply.
#line 15
allow mediaserver drmserver:binder transfer;
#line 15
# Receive and use open files from the server.
#line 15
allow drmserver mediaserver:fd use;

allow drmserver sdcard_type:dir search;
# Owns /data/drm (drm_data_file) outright.
allow drmserver drm_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow drmserver drm_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# NOTE(review): "*" grants every tcp_socket/udp_socket permission, and
# name_connect on the generic port type allows outbound connections to any
# port that has no more specific label. Combined with read/write on
# app_data_file, platform_app_data_file and sdcard_type files below, this is
# a broad surface for a service that is also mlstrustedsubject; worth
# confirming whether the network rules can be narrowed to the permissions
# and port types the DRM plugins actually use.
allow drmserver self:{ tcp_socket udp_socket } *;
allow drmserver port:tcp_socket name_connect;
allow drmserver tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow drmserver platform_app_data_file:file { read write getattr };
allow drmserver app_data_file:file { read write getattr };
allow drmserver sdcard_type:file { read write getattr };

# Read-only access to efs_file.
#line 26
allow drmserver efs_file:dir { open getattr read search ioctl };
#line 26
allow drmserver efs_file:{ file lnk_file } { getattr open read ioctl lock };

type drmserver_socket, file_type;

# /data/app/tlcd_sock socket file.
# Clearly, /data/app is the most logical place to create a socket. Not.
# Write access to the apk_data_file dir is needed only so the socket can be
# created there; the type_transition gives it the drmserver_socket label.
allow drmserver apk_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
type_transition drmserver apk_data_file:sock_file drmserver_socket;
allow drmserver drmserver_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow drmserver tee:unix_stream_socket connectto;
# Delete old socket file if present.
allow drmserver apk_data_file:sock_file unlink;

# After taking a video, drmserver looks at the video file.
#line 40
allow drmserver media_rw_data_file:dir { open getattr read search ioctl };
#line 40
allow drmserver media_rw_data_file:{ file lnk_file } { getattr open read ioctl lock };

#line 1 "external/sepolicy/dumpstate.te"
# dumpstate
# dumpstate: the bug-report collector. Entered from init via the standard
# transition template; carries mlstrustedsubject, unconfineddomain, netdomain
# and relabeltodomain (the latter two are set just after the template).
type dumpstate, domain;

#line 3
typeattribute dumpstate mlstrustedsubject;
#line 3
typeattribute dumpstate unconfineddomain;

type dumpstate_exec, exec_type, file_type;

#line 6
# Allow the necessary permissions.
#line 6
# Old domain may exec the file and transition to the new domain.
#line 6
allow init dumpstate_exec:file { getattr open read execute };
#line 6
allow init dumpstate:process transition;
#line 6
# New domain is entered by executing the file.
#line 6
allow dumpstate dumpstate_exec:file { entrypoint read execute };
#line 6
# New domain can send SIGCHLD to its caller.
#line 6
allow dumpstate init:process sigchld;
#line 6
# Enable AT_SECURE, i.e. libc secure mode.
#line 6
dontaudit init dumpstate:process noatsecure;
#line 6
# XXX dontaudit candidate but requires further study.
#line 6
allow init dumpstate:process { siginh rlimitinh };
#line 6
# Make the transition occur by default.
#line 6
type_transition init dumpstate_exec:process dumpstate;

# Private tmpfs label for dumpstate (also made executable further down, for JIT).
#line 6
type dumpstate_tmpfs, file_type;
#line 6
type_transition dumpstate tmpfs:file dumpstate_tmpfs;
#line 6
allow dumpstate dumpstate_tmpfs:file { read write };

#line 7
typeattribute dumpstate netdomain;

# relabeltodomain: required by the domain.te neverallow for the
# anr_data_file relabelto below.
#line 8
typeattribute dumpstate relabeltodomain;

#line 9
# Call the servicemanager and transfer references to it.
#line 9
allow dumpstate servicemanager:binder { call transfer };
#line 9
# rw access to /dev/binder and /dev/ashmem is presently granted to
#line 9
# all domains in domain.te.

# Privilege summary for this section: setuid/setgid, kill,
# dac_override/chown/fowner/fsetid and sys_ptrace capabilities plus
# capability2 syslog and kernel syslog_read; read of every domain's /proc
# entries; signal to appdomain, system_server and the listed native daemons;
# write to every sysfs file (see the TODO below); relabel of system_data_file
# dirs to anr_data_file; execmem and execute of ashmem, its own tmpfs and
# dalvik-cache files; binder calls to every binderservicedomain and appdomain;
# connect to vold's control socket.
# Drop privileges by switching UID / GID
allow dumpstate self:capability { setuid setgid };

# Allow dumpstate to scan through /proc/pid for all processes
#line 15
allow dumpstate domain:dir { open getattr read search ioctl };
#line 15
allow dumpstate domain:{ file lnk_file } { getattr open read ioctl lock };

# Send signals to processes
allow dumpstate self:capability kill;

# Allow executing files on system, such as:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
allow dumpstate system_file:file execute_no_trans;

# Create and write into /data/anr/
allow dumpstate self:capability { dac_override chown fowner fsetid };
allow dumpstate anr_data_file:dir { { { open getattr read search ioctl } { open search write add_name remove_name } } relabelto };
allow dumpstate anr_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow dumpstate system_data_file:dir { { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename }
} relabelfrom };

# Allow reading /data/system/uiderrors.txt
# TODO: scope this down.
allow dumpstate system_data_file:file { getattr open read ioctl lock };

# Read dmesg
allow dumpstate self:capability2 syslog;
allow dumpstate kernel:system syslog_read;

# Get process attributes
allow dumpstate domain:process getattr;

# Signal java processes to dump their stack
allow dumpstate { appdomain system_server }:process signal;

# Signal native processes to dump their stack.
# This list comes from native_processes_to_dump in dumpstate/utils.c
allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal;

# The /system/bin/ip command needs this for routing table information.
allow dumpstate self:netlink_route_socket { write getattr setopt };

# The vdc command needs to talk to the vold socket.
#line 54
allow dumpstate vold_socket:sock_file write;
#line 54
allow dumpstate vold:unix_stream_socket connectto;

# Vibrate the device after we're done collecting the bugreport
# /sys/class/timed_output/vibrator/enable
# TODO: create a new file class, instead of allowing write access to all of /sys
allow dumpstate sysfs:file { open append write };

# Other random bits of data we want to collect
allow dumpstate qtaguid_proc:file { getattr open read ioctl lock };
allow dumpstate debugfs:file { getattr open read ioctl lock };

# Allow dumpstate to make binder calls to any binder service
#line 66
# Call the server domain and optionally transfer references to it.
#line 66
allow dumpstate binderservicedomain:binder { call transfer };
#line 66
# Allow the serverdomain to transfer references to the client on the reply.
#line 66
allow binderservicedomain dumpstate:binder transfer;
#line 66
# Receive and use open files from the server.
#line 66
allow dumpstate binderservicedomain:fd use;

#line 67
# Call the server domain and optionally transfer references to it.
#line 67
allow dumpstate appdomain:binder { call transfer };
#line 67
# Allow the serverdomain to transfer references to the client on the reply.
#line 67
allow appdomain dumpstate:binder transfer;
#line 67
# Receive and use open files from the server.
#line 67
allow dumpstate appdomain:fd use;

# Reading /proc/PID/maps of other processes
# sys_ptrace is one of the capabilities the domain.te neverallow restricts to
# a short whitelist; dumpstate is on it.
allow dumpstate self:capability sys_ptrace;

# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
allow dumpstate shell_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow dumpstate shell_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Run a shell.
allow dumpstate shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };

# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
# Dalvik Compiler JIT.
# execmem is carved out of the domain-wide self:process grant in domain.te,
# so it has to be allowed here explicitly.
allow dumpstate ashmem_device:chr_file execute;
allow dumpstate dumpstate_tmpfs:file execute;
allow dumpstate self:process execmem;
# For art.
5496allow dumpstate dalvikcache_data_file:file execute; 5497 5498# logd access 5499 5500#line 91 5501 5502#line 91 5503allow dumpstate logdr_socket:sock_file write; 5504#line 91 5505allow dumpstate logd:unix_stream_socket connectto; 5506#line 91 5507 5508#line 91 5509 5510 5511#line 92 5512# Group AID_LOG checked by filesystem & logd 5513#line 92 5514# to permit control commands 5515#line 92 5516 5517#line 92 5518allow dumpstate logd_socket:sock_file write; 5519#line 92 5520allow dumpstate logd:unix_stream_socket connectto; 5521#line 92 5522 5523#line 92 5524 5525#line 1 "external/sepolicy/file.te" 5526# Filesystem types 5527type labeledfs, fs_type; 5528type pipefs, fs_type; 5529type sockfs, fs_type; 5530type rootfs, fs_type; 5531type proc, fs_type; 5532# Security-sensitive proc nodes that should not be writable to most. 5533type proc_security, fs_type; 5534# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers. 5535type usermodehelper, fs_type, sysfs_type; 5536type qtaguid_proc, fs_type, mlstrustedobject; 5537type proc_bluetooth_writable, fs_type; 5538type proc_net, fs_type; 5539type selinuxfs, fs_type; 5540type cgroup, fs_type, mlstrustedobject; 5541type sysfs, fs_type, mlstrustedobject; 5542type sysfs_writable, fs_type, sysfs_type, mlstrustedobject; 5543type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject; 5544type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject; 5545type sysfs_wake_lock, fs_type, sysfs_type; 5546# /sys/devices/system/cpu 5547type sysfs_devices_system_cpu, fs_type, sysfs_type; 5548# /sys/module/lowmemorykiller 5549type sysfs_lowmemorykiller, fs_type, sysfs_type; 5550type inotify, fs_type, mlstrustedobject; 5551type devpts, fs_type, mlstrustedobject; 5552type tmpfs, fs_type; 5553type shm, fs_type; 5554type mqueue, fs_type; 5555type sdcard_internal, sdcard_type, fs_type, mlstrustedobject; 5556type sdcard_external, sdcard_type, fs_type, mlstrustedobject; 5557type debugfs, fs_type, 
mlstrustedobject; 5558 5559# File types 5560type unlabeled, file_type; 5561# Default type for anything under /system. 5562type system_file, file_type; 5563# Default type for anything under /data. 5564type system_data_file, file_type, data_file_type; 5565# /data/drm - DRM plugin data 5566type drm_data_file, file_type, data_file_type; 5567# /data/anr - ANR traces 5568type anr_data_file, file_type, data_file_type, mlstrustedobject; 5569# /data/tombstones - core dumps 5570type tombstone_data_file, file_type, data_file_type; 5571# /data/app - user-installed apps 5572type apk_data_file, file_type, data_file_type; 5573type apk_tmp_file, file_type, data_file_type, mlstrustedobject; 5574# /data/app-private - forward-locked apps 5575type apk_private_data_file, file_type, data_file_type; 5576type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject; 5577# /data/dalvik-cache 5578type dalvikcache_data_file, file_type, data_file_type; 5579# /data/local - writable by shell 5580type shell_data_file, file_type, data_file_type; 5581# /data/gps 5582type gps_data_file, file_type, data_file_type; 5583 5584# /data/misc subdirectories 5585type adb_keys_file, file_type, data_file_type; 5586type audio_data_file, file_type, data_file_type; 5587type bluetooth_data_file, file_type, data_file_type; 5588type camera_data_file, file_type, data_file_type; 5589type keystore_data_file, file_type, data_file_type; 5590type media_data_file, file_type, data_file_type; 5591type media_rw_data_file, file_type, data_file_type; 5592type nfc_data_file, file_type, data_file_type; 5593type radio_data_file, file_type, data_file_type; 5594type systemkeys_data_file, file_type, data_file_type; 5595type vpn_data_file, file_type, data_file_type; 5596type wifi_data_file, file_type, data_file_type; 5597type zoneinfo_data_file, file_type, data_file_type; 5598 5599# Compatibility with type names used in vanilla Android 4.3 and 4.4. 
5600typealias audio_data_file alias audio_firmware_file; 5601# /data/data subdirectories - app sandboxes 5602type app_data_file, file_type, data_file_type; 5603type platform_app_data_file, file_type, data_file_type, mlstrustedobject; 5604# Default type for anything under /cache 5605type cache_file, file_type, mlstrustedobject; 5606# Type for /cache/.*\.{data|restore} and default 5607# type for anything under /cache/backup 5608type cache_backup_file, file_type, mlstrustedobject; 5609# Default type for anything under /efs 5610type efs_file, file_type; 5611# Type for wallpaper file. 5612type wallpaper_file, file_type, mlstrustedobject; 5613# /mnt/asec 5614type asec_apk_file, file_type, data_file_type; 5615# Elements of asec files (/mnt/asec) that are world readable 5616type asec_public_file, file_type, data_file_type; 5617# /data/app-asec 5618type asec_image_file, file_type, data_file_type; 5619# /data/backup and /data/secure/backup 5620type backup_data_file, file_type, data_file_type, mlstrustedobject; 5621# For /data/security 5622type security_file, file_type; 5623# All devices have bluetooth efs files. 
But they 5624# vary per device, so this type is used in per 5625# device policy 5626type bluetooth_efs_file, file_type; 5627# Downloaded files 5628type download_file, file_type; 5629 5630# Socket types 5631type adbd_socket, file_type; 5632type bluetooth_socket, file_type; 5633type dnsproxyd_socket, file_type, mlstrustedobject; 5634type dumpstate_socket, file_type; 5635type gps_socket, file_type; 5636type installd_socket, file_type; 5637type keystore_socket, file_type; 5638type lmkd_socket, file_type; 5639type logd_debug, file_type; 5640type logd_socket, file_type; 5641type logdr_socket, file_type; 5642type logdw_socket, file_type; 5643type mdns_socket, file_type; 5644type netd_socket, file_type; 5645type property_socket, file_type; 5646type qemud_socket, file_type; 5647type racoon_socket, file_type; 5648type rild_socket, file_type; 5649type rild_debug_socket, file_type; 5650type system_wpa_socket, file_type; 5651type system_ndebug_socket, file_type; 5652type vold_socket, file_type; 5653type wpa_socket, file_type; 5654type zygote_socket, file_type; 5655 5656# UART (for GPS) control proc file 5657type gps_control, file_type; 5658 5659# Allow files to be created in their appropriate filesystems. 5660allow fs_type self:filesystem associate; 5661allow sysfs_type sysfs:filesystem associate; 5662allow file_type labeledfs:filesystem associate; 5663allow file_type tmpfs:filesystem associate; 5664allow file_type rootfs:filesystem associate; 5665allow dev_type tmpfs:filesystem associate; 5666#line 1 "external/sepolicy/gpsd.te" 5667# gpsd - GPS daemon 5668type gpsd, domain; 5669 5670#line 3 5671typeattribute gpsd mlstrustedsubject; 5672#line 3 5673typeattribute gpsd unconfineddomain; 5674#line 3 5675 5676type gpsd_exec, exec_type, file_type; 5677 5678 5679#line 6 5680 5681#line 6 5682# Allow the necessary permissions. 5683#line 6 5684 5685#line 6 5686# Old domain may exec the file and transition to the new domain. 
5687#line 6 5688allow init gpsd_exec:file { getattr open read execute }; 5689#line 6 5690allow init gpsd:process transition; 5691#line 6 5692# New domain is entered by executing the file. 5693#line 6 5694allow gpsd gpsd_exec:file { entrypoint read execute }; 5695#line 6 5696# New domain can send SIGCHLD to its caller. 5697#line 6 5698allow gpsd init:process sigchld; 5699#line 6 5700# Enable AT_SECURE, i.e. libc secure mode. 5701#line 6 5702dontaudit init gpsd:process noatsecure; 5703#line 6 5704# XXX dontaudit candidate but requires further study. 5705#line 6 5706allow init gpsd:process { siginh rlimitinh }; 5707#line 6 5708 5709#line 6 5710# Make the transition occur by default. 5711#line 6 5712type_transition init gpsd_exec:process gpsd; 5713#line 6 5714 5715#line 6 5716 5717#line 6 5718type gpsd_tmpfs, file_type; 5719#line 6 5720type_transition gpsd tmpfs:file gpsd_tmpfs; 5721#line 6 5722allow gpsd gpsd_tmpfs:file { read write }; 5723#line 6 5724 5725#line 6 5726 5727 5728#line 7 5729typeattribute gpsd netdomain; 5730#line 7 5731 5732allow gpsd gps_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; 5733allow gpsd gps_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; 5734# Socket is created by the daemon, not by init, and under /data/gps, 5735# not under /dev/socket. 5736type_transition gpsd gps_data_file:sock_file gps_socket; 5737allow gpsd gps_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; 5738# XXX Label sysfs files with a specific type? 5739allow gpsd sysfs:file { { getattr open read ioctl lock } { open append write } }; 5740 5741allow gpsd gps_device:chr_file { { getattr open read ioctl lock } { open append write } }; 5742 5743# Execute the shell or system commands. 
5744allow gpsd shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; 5745allow gpsd system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; 5746#line 1 "external/sepolicy/hci_attach.te" 5747type hci_attach, domain; 5748type hci_attach_exec, exec_type, file_type; 5749 5750 5751#line 4 5752 5753#line 4 5754# Allow the necessary permissions. 5755#line 4 5756 5757#line 4 5758# Old domain may exec the file and transition to the new domain. 5759#line 4 5760allow init hci_attach_exec:file { getattr open read execute }; 5761#line 4 5762allow init hci_attach:process transition; 5763#line 4 5764# New domain is entered by executing the file. 5765#line 4 5766allow hci_attach hci_attach_exec:file { entrypoint read execute }; 5767#line 4 5768# New domain can send SIGCHLD to its caller. 5769#line 4 5770allow hci_attach init:process sigchld; 5771#line 4 5772# Enable AT_SECURE, i.e. libc secure mode. 5773#line 4 5774dontaudit init hci_attach:process noatsecure; 5775#line 4 5776# XXX dontaudit candidate but requires further study. 5777#line 4 5778allow init hci_attach:process { siginh rlimitinh }; 5779#line 4 5780 5781#line 4 5782# Make the transition occur by default. 
5783#line 4 5784type_transition init hci_attach_exec:process hci_attach; 5785#line 4 5786 5787#line 4 5788 5789#line 4 5790type hci_attach_tmpfs, file_type; 5791#line 4 5792type_transition hci_attach tmpfs:file hci_attach_tmpfs; 5793#line 4 5794allow hci_attach hci_attach_tmpfs:file { read write }; 5795#line 4 5796 5797#line 4 5798 5799 5800allow hci_attach kernel:system module_request; 5801allow hci_attach hci_attach_dev:chr_file { { getattr open read ioctl lock } { open append write } }; 5802allow hci_attach bluetooth_efs_file:dir { open getattr read search ioctl }; 5803allow hci_attach bluetooth_efs_file:file { getattr open read ioctl lock }; 5804#line 1 "external/sepolicy/healthd.te" 5805# healthd seclabel is specified in init.rc since 5806# it lives in the rootfs and has no unique file type. 5807type healthd, domain; 5808 5809allow healthd rootfs:file { read entrypoint }; 5810 5811#line 6 5812type_transition healthd device:chr_file klog_device "__kmsg__"; 5813#line 6 5814allow healthd klog_device:chr_file { create open write unlink }; 5815#line 6 5816allow healthd device:dir { write add_name remove_name }; 5817#line 6 5818 5819# /dev/__null__ created by init prior to policy load, 5820# open fd inherited by healthd. 5821allow healthd tmpfs:chr_file { read write }; 5822 5823allow healthd self:capability { net_admin mknod }; 5824allow healthd self:capability2 block_suspend; 5825allow healthd self:netlink_kobject_uevent_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } }; 5826 5827#line 14 5828# Call the servicemanager and transfer references to it. 5829#line 14 5830allow healthd servicemanager:binder { call transfer }; 5831#line 14 5832# rw access to /dev/binder and /dev/ashmem is presently granted to 5833#line 14 5834# all domains in domain.te. 
5835#line 14 5836 5837 5838#line 15 5839typeattribute healthd binderservicedomain; 5840#line 15 5841 5842 5843#line 16 5844# Call the server domain and optionally transfer references to it. 5845#line 16 5846allow healthd system_server:binder { call transfer }; 5847#line 16 5848# Allow the serverdomain to transfer references to the client on the reply. 5849#line 16 5850allow system_server healthd:binder transfer; 5851#line 16 5852# Receive and use open files from the server. 5853#line 16 5854allow healthd system_server:fd use; 5855#line 16 5856 5857 5858### 5859### healthd: charger mode 5860### 5861 5862allow healthd graphics_device:dir { open getattr read search ioctl }; 5863allow healthd graphics_device:chr_file { { getattr open read ioctl lock } { open append write } }; 5864allow healthd input_device:dir { open getattr read search ioctl }; 5865allow healthd input_device:chr_file { getattr open read ioctl lock }; 5866allow healthd ashmem_device:chr_file execute; 5867allow healthd self:process execmem; 5868#line 1 "external/sepolicy/hostapd.te" 5869# userspace wifi access points 5870type hostapd, domain; 5871 5872#line 3 5873typeattribute hostapd mlstrustedsubject; 5874#line 3 5875typeattribute hostapd unconfineddomain; 5876#line 3 5877 5878type hostapd_exec, exec_type, file_type; 5879 5880allow hostapd self:capability { net_admin net_raw setuid setgid }; 5881allow hostapd self:netlink_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } }; 5882allow hostapd self:packet_socket { create write read }; 5883allow hostapd self:netlink_route_socket { bind create write nlmsg_write read }; 5884allow hostapd self:udp_socket { create ioctl }; 5885 5886allow hostapd wifi_data_file:file { { getattr open read ioctl lock } { open append write } }; 5887allow hostapd wifi_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; 
5888allow hostapd wpa_socket:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; 5889allow hostapd wpa_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; 5890allow hostapd netd:fd use; 5891allow hostapd netd:udp_socket { read write }; 5892allow hostapd netd:netlink_kobject_uevent_socket { read write }; 5893allow hostapd netd:netlink_nflog_socket { read write }; 5894allow hostapd netd:netlink_route_socket { read write }; 5895allow hostapd netd:unix_stream_socket { read write }; 5896allow hostapd netd:fifo_file { read write }; 5897#line 1 "external/sepolicy/init_shell.te" 5898# Restricted domain for shell processes spawned by init 5899type init_shell, domain, shelldomain; 5900 5901#line 3 5902# Allow the necessary permissions. 5903#line 3 5904 5905#line 3 5906# Old domain may exec the file and transition to the new domain. 5907#line 3 5908allow init shell_exec:file { getattr open read execute }; 5909#line 3 5910allow init init_shell:process transition; 5911#line 3 5912# New domain is entered by executing the file. 5913#line 3 5914allow init_shell shell_exec:file { entrypoint read execute }; 5915#line 3 5916# New domain can send SIGCHLD to its caller. 5917#line 3 5918allow init_shell init:process sigchld; 5919#line 3 5920# Enable AT_SECURE, i.e. libc secure mode. 5921#line 3 5922dontaudit init init_shell:process noatsecure; 5923#line 3 5924# XXX dontaudit candidate but requires further study. 5925#line 3 5926allow init init_shell:process { siginh rlimitinh }; 5927#line 3 5928 5929#line 3 5930# Make the transition occur by default. 
5931#line 3 5932type_transition init shell_exec:process init_shell; 5933#line 3 5934 5935 5936#line 4 5937typeattribute init_shell mlstrustedsubject; 5938#line 4 5939typeattribute init_shell unconfineddomain; 5940#line 4 5941 5942 5943# inherits from shelldomain.te 5944#line 1 "external/sepolicy/init.te" 5945# init switches to init domain (via init.rc). 5946type init, domain; 5947# init is unconfined. 5948 5949#line 4 5950typeattribute init mlstrustedsubject; 5951#line 4 5952typeattribute init unconfineddomain; 5953#line 4 5954 5955 5956#line 5 5957type init_tmpfs, file_type; 5958#line 5 5959type_transition init tmpfs:file init_tmpfs; 5960#line 5 5961allow init init_tmpfs:file { read write }; 5962#line 5 5963 5964 5965#line 6 5966typeattribute init relabeltodomain; 5967#line 6 5968 5969# add a rule to handle unlabelled mounts 5970allow init unlabeled:filesystem mount; 5971 5972allow init self:capability { sys_rawio mknod }; 5973 5974allow init dev_type:blk_file { { getattr open read ioctl lock } { open append write } }; 5975allow init fs_type:filesystem *; 5976allow init {fs_type dev_type file_type}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto; 5977allow init kernel:security load_policy; 5978allow init usermodehelper:file { { getattr open read ioctl lock } { open append write } }; 5979allow init proc_security:file { { getattr open read ioctl lock } { open append write } }; 5980 5981# Transitions to seclabel processes in init.rc 5982allow init adbd:process transition; 5983allow init healthd:process transition; 5984allow init recovery:process transition; 5985allow init shell:process transition; 5986allow init ueventd:process transition; 5987allow init watchdogd:process transition; 5988#line 1 "external/sepolicy/inputflinger.te" 5989# inputflinger 5990type inputflinger, domain; 5991 5992#line 3 5993typeattribute inputflinger mlstrustedsubject; 5994#line 3 5995typeattribute inputflinger unconfineddomain; 5996#line 3 5997 5998type 
inputflinger_exec, exec_type, file_type; 5999 6000 6001#line 6 6002 6003#line 6 6004# Allow the necessary permissions. 6005#line 6 6006 6007#line 6 6008# Old domain may exec the file and transition to the new domain. 6009#line 6 6010allow init inputflinger_exec:file { getattr open read execute }; 6011#line 6 6012allow init inputflinger:process transition; 6013#line 6 6014# New domain is entered by executing the file. 6015#line 6 6016allow inputflinger inputflinger_exec:file { entrypoint read execute }; 6017#line 6 6018# New domain can send SIGCHLD to its caller. 6019#line 6 6020allow inputflinger init:process sigchld; 6021#line 6 6022# Enable AT_SECURE, i.e. libc secure mode. 6023#line 6 6024dontaudit init inputflinger:process noatsecure; 6025#line 6 6026# XXX dontaudit candidate but requires further study. 6027#line 6 6028allow init inputflinger:process { siginh rlimitinh }; 6029#line 6 6030 6031#line 6 6032# Make the transition occur by default. 6033#line 6 6034type_transition init inputflinger_exec:process inputflinger; 6035#line 6 6036 6037#line 6 6038 6039#line 6 6040type inputflinger_tmpfs, file_type; 6041#line 6 6042type_transition inputflinger tmpfs:file inputflinger_tmpfs; 6043#line 6 6044allow inputflinger inputflinger_tmpfs:file { read write }; 6045#line 6 6046 6047#line 6 6048 6049 6050#line 7 6051# Call the servicemanager and transfer references to it. 6052#line 7 6053allow inputflinger servicemanager:binder { call transfer }; 6054#line 7 6055# rw access to /dev/binder and /dev/ashmem is presently granted to 6056#line 7 6057# all domains in domain.te. 6058#line 7 6059 6060 6061#line 8 6062typeattribute inputflinger binderservicedomain; 6063#line 8 6064 6065#line 1 "external/sepolicy/installd.te" 6066# installer daemon 6067type installd, domain; 6068type installd_exec, exec_type, file_type; 6069 6070 6071#line 5 6072 6073#line 5 6074# Allow the necessary permissions. 
6075#line 5 6076 6077#line 5 6078# Old domain may exec the file and transition to the new domain. 6079#line 5 6080allow init installd_exec:file { getattr open read execute }; 6081#line 5 6082allow init installd:process transition; 6083#line 5 6084# New domain is entered by executing the file. 6085#line 5 6086allow installd installd_exec:file { entrypoint read execute }; 6087#line 5 6088# New domain can send SIGCHLD to its caller. 6089#line 5 6090allow installd init:process sigchld; 6091#line 5 6092# Enable AT_SECURE, i.e. libc secure mode. 6093#line 5 6094dontaudit init installd:process noatsecure; 6095#line 5 6096# XXX dontaudit candidate but requires further study. 6097#line 5 6098allow init installd:process { siginh rlimitinh }; 6099#line 5 6100 6101#line 5 6102# Make the transition occur by default. 6103#line 5 6104type_transition init installd_exec:process installd; 6105#line 5 6106 6107#line 5 6108 6109#line 5 6110type installd_tmpfs, file_type; 6111#line 5 6112type_transition installd tmpfs:file installd_tmpfs; 6113#line 5 6114allow installd installd_tmpfs:file { read write }; 6115#line 5 6116 6117#line 5 6118 6119 6120#line 6 6121typeattribute installd relabeltodomain; 6122#line 6 6123 6124typeattribute installd mlstrustedsubject; 6125allow installd self:capability { chown dac_override fowner fsetid setgid setuid }; 6126allow installd system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; 6127allow installd system_data_file:lnk_file create; 6128allow installd dalvikcache_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; 6129allow installd data_file_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; 6130allow installd data_file_type:dir { relabelfrom relabelto }; 6131allow installd data_file_type:{ { { 
chr_file blk_file } { file lnk_file sock_file fifo_file } } } { getattr unlink }; 6132allow installd apk_data_file:file { getattr open read ioctl lock }; 6133allow installd apk_tmp_file:file { getattr open read ioctl lock }; 6134allow installd system_file:file { getattr execute execute_no_trans }; 6135allow installd cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; 6136allow installd download_file:dir { { open getattr read search ioctl } write remove_name }; 6137allow installd download_file:file { { getattr open read ioctl lock } unlink }; 6138dontaudit installd self:capability sys_admin; 6139# Check validity of SELinux context before use. 6140 6141#line 23 6142allow installd selinuxfs:dir { open getattr read search ioctl }; 6143#line 23 6144allow installd selinuxfs:file { { getattr open read ioctl lock } { open append write } }; 6145#line 23 6146allow installd kernel:security check_context; 6147#line 23 6148 6149# Read /seapp_contexts and /data/security/seapp_contexts 6150 6151#line 25 6152allow installd security_file:dir { open getattr read search ioctl }; 6153#line 25 6154allow installd security_file:file { getattr open read ioctl lock }; 6155#line 25 6156allow installd security_file:lnk_file { getattr open read ioctl lock }; 6157#line 25 6158allow installd selinuxfs:dir { open getattr read search ioctl }; 6159#line 25 6160allow installd selinuxfs:file { getattr open read ioctl lock }; 6161#line 25 6162allow installd rootfs:dir { open getattr read search ioctl }; 6163#line 25 6164allow installd rootfs:file { getattr open read ioctl lock }; 6165#line 25 6166 6167# ASEC 6168allow installd platform_app_data_file:lnk_file { create setattr }; 6169allow installd app_data_file:lnk_file { create setattr }; 6170allow installd asec_apk_file:file { getattr open read ioctl lock }; 6171allow installd bluetooth_data_file:lnk_file { create setattr }; 6172allow installd 
nfc_data_file:lnk_file { create setattr }; 6173allow installd radio_data_file:lnk_file { create setattr }; 6174allow installd shell_data_file:lnk_file { create setattr }; 6175#line 1 "external/sepolicy/isolated_app.te" 6176### 6177### Services with isolatedProcess=true in their manifest. 6178### 6179### This file defines the rules for isolated apps. An "isolated 6180### app" is an APP with UID between AID_ISOLATED_START (99000) 6181### and AID_ISOLATED_END (99999). 6182### 6183### isolated_app includes all the appdomain rules, plus the 6184### additional following rules: 6185### 6186 6187type isolated_app, domain; 6188 6189#line 13 6190typeattribute isolated_app appdomain; 6191#line 13 6192# Label ashmem objects with our own unique type. 6193#line 13 6194 6195#line 13 6196type isolated_app_tmpfs, file_type; 6197#line 13 6198type_transition isolated_app tmpfs:file isolated_app_tmpfs; 6199#line 13 6200allow isolated_app isolated_app_tmpfs:file { read write }; 6201#line 13 6202 6203#line 13 6204# Map with PROT_EXEC. 6205#line 13 6206allow isolated_app isolated_app_tmpfs:file execute; 6207#line 13 6208 6209 6210# Already connected, unnamed sockets being passed over some other IPC 6211# hence no sock_file or connectto permission. This appears to be how 6212# Chrome works, may need to be updated as more apps using isolated services 6213# are examined. 6214allow isolated_app appdomain:unix_stream_socket { read write }; 6215 6216allow isolated_app dalvikcache_data_file:file execute; 6217allow isolated_app apk_data_file:dir getattr; 6218#line 1 "external/sepolicy/kernel.te" 6219# Life begins with the kernel. 6220type kernel, domain; 6221 6222allow kernel init:process dyntransition; 6223 6224# The kernel is unconfined. 
6225 6226#line 7 6227typeattribute kernel mlstrustedsubject; 6228#line 7 6229typeattribute kernel unconfineddomain; 6230#line 7 6231 6232 6233#line 8 6234typeattribute kernel relabeltodomain; 6235#line 8 6236 6237 6238allow kernel {fs_type dev_type file_type}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto; 6239allow kernel unlabeled:filesystem mount; 6240allow kernel fs_type:filesystem *; 6241 6242# Initial setenforce by init prior to switching to init domain. 6243allow kernel self:security setenforce; 6244 6245# Set checkreqprot by init.rc prior to switching to init domain. 6246allow kernel self:security setcheckreqprot; 6247 6248# For operations performed by kernel or init prior to switching to init domain. 6249## TODO: Investigate whether it is safe to remove these 6250allow kernel self:capability { sys_rawio mknod }; 6251auditallow kernel self:capability { sys_rawio mknod }; 6252allow kernel dev_type:blk_file { { getattr open read ioctl lock } { open append write } }; 6253auditallow kernel dev_type:blk_file { { getattr open read ioctl lock } { open append write } }; 6254#line 1 "external/sepolicy/keystore.te" 6255type keystore, domain; 6256type keystore_exec, exec_type, file_type; 6257 6258# keystore daemon 6259 6260#line 5 6261 6262#line 5 6263# Allow the necessary permissions. 6264#line 5 6265 6266#line 5 6267# Old domain may exec the file and transition to the new domain. 6268#line 5 6269allow init keystore_exec:file { getattr open read execute }; 6270#line 5 6271allow init keystore:process transition; 6272#line 5 6273# New domain is entered by executing the file. 6274#line 5 6275allow keystore keystore_exec:file { entrypoint read execute }; 6276#line 5 6277# New domain can send SIGCHLD to its caller. 6278#line 5 6279allow keystore init:process sigchld; 6280#line 5 6281# Enable AT_SECURE, i.e. libc secure mode. 
6282#line 5 6283dontaudit init keystore:process noatsecure; 6284#line 5 6285# XXX dontaudit candidate but requires further study. 6286#line 5 6287allow init keystore:process { siginh rlimitinh }; 6288#line 5 6289 6290#line 5 6291# Make the transition occur by default. 6292#line 5 6293type_transition init keystore_exec:process keystore; 6294#line 5 6295 6296#line 5 6297 6298#line 5 6299type keystore_tmpfs, file_type; 6300#line 5 6301type_transition keystore tmpfs:file keystore_tmpfs; 6302#line 5 6303allow keystore keystore_tmpfs:file { read write }; 6304#line 5 6305 6306#line 5 6307 6308typeattribute keystore mlstrustedsubject; 6309 6310#line 7 6311# Call the servicemanager and transfer references to it. 6312#line 7 6313allow keystore servicemanager:binder { call transfer }; 6314#line 7 6315# rw access to /dev/binder and /dev/ashmem is presently granted to 6316#line 7 6317# all domains in domain.te. 6318#line 7 6319 6320 6321#line 8 6322typeattribute keystore binderservicedomain; 6323#line 8 6324 6325allow keystore keystore_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; 6326allow keystore keystore_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; 6327allow keystore keystore_exec:file { getattr }; 6328allow keystore tee_device:chr_file { { getattr open read ioctl lock } { open append write } }; 6329allow keystore tee:unix_stream_socket connectto; 6330#line 1 "external/sepolicy/lmkd.te" 6331# lmkd low memory killer daemon 6332type lmkd, domain; 6333type lmkd_exec, exec_type, file_type; 6334 6335 6336#line 5 6337 6338#line 5 6339# Allow the necessary permissions. 6340#line 5 6341 6342#line 5 6343# Old domain may exec the file and transition to the new domain. 
6344#line 5 6345allow init lmkd_exec:file { getattr open read execute }; 6346#line 5 6347allow init lmkd:process transition; 6348#line 5 6349# New domain is entered by executing the file. 6350#line 5 6351allow lmkd lmkd_exec:file { entrypoint read execute }; 6352#line 5 6353# New domain can send SIGCHLD to its caller. 6354#line 5 6355allow lmkd init:process sigchld; 6356#line 5 6357# Enable AT_SECURE, i.e. libc secure mode. 6358#line 5 6359dontaudit init lmkd:process noatsecure; 6360#line 5 6361# XXX dontaudit candidate but requires further study. 6362#line 5 6363allow init lmkd:process { siginh rlimitinh }; 6364#line 5 6365 6366#line 5 6367# Make the transition occur by default. 6368#line 5 6369type_transition init lmkd_exec:process lmkd; 6370#line 5 6371 6372#line 5 6373 6374#line 5 6375type lmkd_tmpfs, file_type; 6376#line 5 6377type_transition lmkd tmpfs:file lmkd_tmpfs; 6378#line 5 6379allow lmkd lmkd_tmpfs:file { read write }; 6380#line 5 6381 6382#line 5 6383 6384 6385allow lmkd self:capability { dac_override sys_resource }; 6386 6387## Open and write to /proc/PID/oom_score_adj 6388## TODO: maybe scope this down? 6389 6390#line 11 6391allow lmkd appdomain:dir { open getattr read search ioctl }; 6392#line 11 6393allow lmkd appdomain:{ file lnk_file } { getattr open read ioctl lock }; 6394#line 11 6395 6396allow lmkd appdomain:file write; 6397 6398#line 13 6399allow lmkd system_server:dir { open getattr read search ioctl }; 6400#line 13 6401allow lmkd system_server:{ file lnk_file } { getattr open read ioctl lock }; 6402#line 13 6403 6404allow lmkd system_server:file write; 6405 6406## Writes to /sys/module/lowmemorykiller/parameters/minfree 6407allow lmkd sysfs_lowmemorykiller:file { open append write }; 6408#line 1 "external/sepolicy/logd.te" 6409# android user-space log manager 6410type logd, domain; 6411type logd_exec, exec_type, file_type; 6412 6413 6414#line 5 6415 6416#line 5 6417# Allow the necessary permissions. 
6418#line 5 6419 6420#line 5 6421# Old domain may exec the file and transition to the new domain. 6422#line 5 6423allow init logd_exec:file { getattr open read execute }; 6424#line 5 6425allow init logd:process transition; 6426#line 5 6427# New domain is entered by executing the file. 6428#line 5 6429allow logd logd_exec:file { entrypoint read execute }; 6430#line 5 6431# New domain can send SIGCHLD to its caller. 6432#line 5 6433allow logd init:process sigchld; 6434#line 5 6435# Enable AT_SECURE, i.e. libc secure mode. 6436#line 5 6437dontaudit init logd:process noatsecure; 6438#line 5 6439# XXX dontaudit candidate but requires further study. 6440#line 5 6441allow init logd:process { siginh rlimitinh }; 6442#line 5 6443 6444#line 5 6445# Make the transition occur by default. 6446#line 5 6447type_transition init logd_exec:process logd; 6448#line 5 6449 6450#line 5 6451 6452#line 5 6453type logd_tmpfs, file_type; 6454#line 5 6455type_transition logd tmpfs:file logd_tmpfs; 6456#line 5 6457allow logd logd_tmpfs:file { read write }; 6458#line 5 6459 6460#line 5 6461 6462allow logd self:unix_stream_socket *; 6463 6464allow logd self:capability { setuid setgid sys_nice }; 6465 6466 6467#line 10 6468allow logd domain:dir { open getattr read search ioctl }; 6469#line 10 6470allow logd domain:{ file lnk_file } { getattr open read ioctl lock }; 6471#line 10 6472 6473 6474#line 17 6475 6476 6477### 6478### Neverallow rules 6479### 6480### logd should NEVER do any of this 6481 6482# Block device access. 6483neverallow logd dev_type:blk_file { read write }; 6484 6485# ptrace any other app 6486neverallow logd domain:process ptrace; 6487 6488# Write to /system. 
neverallow logd system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;

# Write to files in /data/data or system files on /data
neverallow logd { app_data_file system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
#line 1 "external/sepolicy/media_app.te"
###
### Apps signed with the media key.
###

type media_app, domain;

typeattribute media_app appdomain;
# Label ashmem objects with our own unique type.
type media_app_tmpfs, file_type;
type_transition media_app tmpfs:file media_app_tmpfs;
allow media_app media_app_tmpfs:file { read write };
# Map with PROT_EXEC.
allow media_app media_app_tmpfs:file execute;

# Shares the platform-app rules below and is MLS-trusted.
typeattribute media_app platformappdomain;
typeattribute media_app mlstrustedsubject;

# Can serve binder calls, not only make them.
typeattribute media_app binderservicedomain;

# Access the network.
typeattribute media_app netdomain;

# Access /dev/mtp_usb.
allow media_app mtp_device:chr_file { { getattr open read ioctl lock } { open append write } };
# Write to /cache.
allow media_app cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow media_app cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Stat /cache/lost+found
allow media_app unlabeled:file getattr;
allow media_app unlabeled:dir getattr;
# Stat /cache/backup
allow media_app cache_backup_file:file getattr;
allow media_app cache_backup_file:dir getattr;
# Read files in the rootdir (in particular, file_contexts for restorecon).
allow media_app rootfs:file { getattr open read ioctl lock };
# Full create/write/unlink access to the download directory.
allow media_app download_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow media_app download_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Allow platform apps to mark platform app data files as download files
# (relabel is restricted to this single from/to pair).
typeattribute media_app relabeltodomain;
allow media_app platform_app_data_file:dir relabelfrom;
allow media_app download_file:dir relabelto;
#line 1 "external/sepolicy/mediaserver.te"
# mediaserver - multimedia daemon
type mediaserver, domain;

typeattribute mediaserver mlstrustedsubject;
# NOTE(review): unconfineddomain -- whatever unconfined.te grants (not visible
# here) applies on top of the explicit rules below, so those rules document
# intended access rather than bound it; only neverallow rules bound it.
typeattribute mediaserver unconfineddomain;

type mediaserver_exec, exec_type, file_type;

# Duplicate of the typeattribute above (macro expansion plus explicit line);
# harmless but redundant.
typeattribute mediaserver mlstrustedsubject;

# Access the network.
typeattribute mediaserver netdomain;

# Allow the necessary permissions.
# Old domain may exec the file and transition to the new domain.
allow init mediaserver_exec:file { getattr open read execute };
allow init mediaserver:process transition;
# New domain is entered by executing the file.
allow mediaserver mediaserver_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow mediaserver init:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit init mediaserver:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init mediaserver:process { siginh rlimitinh };

# Make the transition occur by default.
type_transition init mediaserver_exec:process mediaserver;

# Private tmpfs (ashmem) label for mediaserver.
type mediaserver_tmpfs, file_type;
type_transition mediaserver tmpfs:file mediaserver_tmpfs;
allow mediaserver mediaserver_tmpfs:file { read write };

# Talks to init via the property socket (property set requests).
allow mediaserver property_socket:sock_file write;
allow mediaserver init:unix_stream_socket connectto;

# Read-only traversal of external storage (write on files is granted further
# below).
allow mediaserver sdcard_type:dir { open getattr read search ioctl };
allow mediaserver sdcard_type:{ file lnk_file } { getattr open read ioctl lock };

# Call the servicemanager and transfer references to it.
allow mediaserver servicemanager:binder { call transfer };
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.

# Call the server domain and optionally transfer references to it.
allow mediaserver binderservicedomain:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow binderservicedomain mediaserver:binder transfer;
# Receive and use open files from the server.
allow mediaserver binderservicedomain:fd use;

# Call the server domain and optionally transfer references to it.
# (Here the "server" is every app domain: mediaserver may call into apps and
# use file descriptors they pass back.)
allow mediaserver appdomain:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow appdomain mediaserver:binder transfer;
# Receive and use open files from the server.
allow mediaserver appdomain:fd use;

typeattribute mediaserver binderservicedomain;

# Anonymous executable memory (W+X mappings); weakens memory-safety
# mitigations for a daemon that parses untrusted media input.
allow mediaserver self:process execmem;
# May trigger kernel module auto-loading by name.
allow mediaserver kernel:system module_request;
allow mediaserver media_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow mediaserver media_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# NOTE(review): direct open+read+write on every app's private data files, not
# just fds handed over binder; broader than the fd-passing rules above.
allow mediaserver app_data_file:dir search;
allow mediaserver app_data_file:file { { getattr open read ioctl lock } { open append write } };
allow mediaserver platform_app_data_file:file { getattr read };
allow mediaserver sdcard_type:file write;
allow mediaserver { gpu_device graphics_device }:chr_file { { getattr open read ioctl lock } { open append write } };
allow mediaserver video_device:dir { open getattr read search ioctl };
allow mediaserver video_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow mediaserver audio_device:dir { open getattr read search ioctl };
allow mediaserver qemu_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow mediaserver tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow mediaserver audio_prop:property_service set;

# Access audio devices at all.
allow mediaserver audio_device:chr_file { { getattr open read ioctl lock } { open append write } };

# XXX Label with a specific type?
# Generic sysfs read/write is unscoped (compare sysfs_lowmemorykiller in
# lmkd.te for the scoped pattern).
allow mediaserver sysfs:file { { getattr open read ioctl lock } { open append write } };

# XXX Why?
allow mediaserver apk_data_file:file { read getattr };

# Access camera device.
allow mediaserver camera_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow mediaserver rpmsg_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Read named pipes (FIFOs) owned by system_server.
allow mediaserver system_server:fifo_file { getattr open read ioctl lock };

# Camera data (read-only)
allow mediaserver camera_data_file:dir { open getattr read search ioctl };
allow mediaserver camera_data_file:{ file lnk_file } { getattr open read ioctl lock };

# /data/media (read-only)
allow mediaserver media_rw_data_file:dir { open getattr read search ioctl };
allow mediaserver media_rw_data_file:{ file lnk_file } { getattr open read ioctl lock };

# Grant access to audio files to mediaserver
allow mediaserver audio_data_file:dir { { open getattr read search ioctl } add_name write };
allow mediaserver audio_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
allow mediaserver qtaguid_proc:file { { getattr open read ioctl lock } { open append write } };
allow mediaserver qtaguid_device:chr_file { getattr open read ioctl lock };

# Allow abstract socket connection
allow mediaserver rild:unix_stream_socket { connectto read write setopt };

# Needed on some devices for playing DRM protected content,
# but seems expected and appropriate for all devices.
allow mediaserver drmserver_socket:sock_file write;
allow mediaserver drmserver:unix_stream_socket connectto;

# Needed on some devices for playing audio on paired BT device,
# but seems appropriate for all devices.
allow mediaserver bluetooth_socket:sock_file write;
allow mediaserver bluetooth:unix_stream_socket connectto;
#line 1 "external/sepolicy/mtp.te"
# vpn tunneling protocol manager
type mtp, domain;

typeattribute mtp mlstrustedsubject;
# NOTE(review): unconfined -- the explicit rules below do not bound this
# domain; see unconfined.te (not visible here).
typeattribute mtp unconfineddomain;

type mtp_exec, exec_type, file_type;

# Allow the necessary permissions.
# Old domain may exec the file and transition to the new domain.
allow init mtp_exec:file { getattr open read execute };
allow init mtp:process transition;
# New domain is entered by executing the file.
allow mtp mtp_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow mtp init:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit init mtp:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init mtp:process { siginh rlimitinh };

# Make the transition occur by default.
type_transition init mtp_exec:process mtp;

# Private tmpfs (ashmem) label for mtp.
type mtp_tmpfs, file_type;
type_transition mtp tmpfs:file mtp_tmpfs;
allow mtp mtp_tmpfs:file { read write };

typeattribute mtp netdomain;

# pptp policy
# Raw IP and generic sockets plus net_raw: needed for GRE/PPTP, but it also
# means mtp can craft arbitrary packets.
allow mtp self:tcp_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
allow mtp self:socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
allow mtp self:rawip_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
allow mtp self:capability net_raw;
# mtp spawns ppp (see ppp.te) and may signal it.
allow mtp ppp:process signal;
allow mtp port:tcp_socket name_connect;
allow mtp vpn_data_file:dir search;
#line 1 "external/sepolicy/netd.te"
# network manager
type netd, domain;
type netd_exec, exec_type, file_type;

# Allow the necessary permissions.
# Old domain may exec the file and transition to the new domain.
allow init netd_exec:file { getattr open read execute };
allow init netd:process transition;
# New domain is entered by executing the file.
allow netd netd_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow netd init:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit init netd:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init netd:process { siginh rlimitinh };

# Make the transition occur by default.
type_transition init netd_exec:process netd;

# Private tmpfs (ashmem) label for netd.
type netd_tmpfs, file_type;
type_transition netd tmpfs:file netd_tmpfs;
allow netd netd_tmpfs:file { read write };

typeattribute netd netdomain;

# Network administration capabilities; "kill" lets netd signal processes it
# does not own (further process-signal rules below are per target domain).
allow netd self:capability { net_admin net_raw kill fsetid };
allow netd self:netlink_kobject_uevent_socket *;
allow netd self:netlink_route_socket *;
allow netd self:netlink_nflog_socket *;
allow netd self:rawip_socket *;
allow netd self:unix_stream_socket *;
# execute_no_trans: helper binaries from /system and the shell run *inside*
# the netd domain and inherit its capabilities; no transition confines them.
allow netd shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
allow netd system_file:file { getattr execute execute_no_trans };
allow netd devpts:chr_file { { getattr open read ioctl lock } { open append write } };

# For /proc/sys/net/ipv[46]/route/flush.
allow netd proc_net:file write;

# For /sys/modules/bcmdhd/parameters/firmware_path
# XXX Split into its own type.
# Unscoped write to all of sysfs until the type is split out.
allow netd sysfs:file write;

# Set dhcp lease for PAN connection
allow netd property_socket:sock_file write;
allow netd init:unix_stream_socket connectto;
allow netd system_prop:property_service set;

# Connect to PAN
# Allow the necessary permissions.
# Old domain may exec the file and transition to the new domain.
allow netd dhcp_exec:file { getattr open read execute };
allow netd dhcp:process transition;
# New domain is entered by executing the file.
allow dhcp dhcp_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow dhcp netd:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit netd dhcp:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow netd dhcp:process { siginh rlimitinh };

# Make the transition occur by default.
type_transition netd dhcp_exec:process dhcp;
allow netd dhcp:process signal;

# Needed to update /data/misc/wifi/hostapd.conf
# TODO: See what we can do to reduce the need for
# these capabilities
# NOTE(review): dac_override disables DAC file-permission checks for the whole
# domain, not only for hostapd.conf; the TODO above is worth tracking.
allow netd self:capability { dac_override chown fowner };
allow netd wifi_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow netd wifi_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };

# Allow netd to spawn hostapd in its own domain
# Allow the necessary permissions.
# Old domain may exec the file and transition to the new domain.
allow netd hostapd_exec:file { getattr open read execute };
allow netd hostapd:process transition;
# New domain is entered by executing the file.
allow hostapd hostapd_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow hostapd netd:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit netd hostapd:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow netd hostapd:process { siginh rlimitinh };

# Make the transition occur by default.
type_transition netd hostapd_exec:process hostapd;
allow netd hostapd:process signal;

# Allow netd to spawn dnsmasq in its own domain
# Allow the necessary permissions.
# Old domain may exec the file and transition to the new domain.
allow netd dnsmasq_exec:file { getattr open read execute };
allow netd dnsmasq:process transition;
# New domain is entered by executing the file.
allow dnsmasq dnsmasq_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow dnsmasq netd:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit netd dnsmasq:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow netd dnsmasq:process { siginh rlimitinh };

# Make the transition occur by default.
type_transition netd dnsmasq_exec:process dnsmasq;
allow netd dnsmasq:process signal;

# Allow netd to start clatd in its own domain
# Allow the necessary permissions.
# Old domain may exec the file and transition to the new domain.
allow netd clatd_exec:file { getattr open read execute };
allow netd clatd:process transition;
# New domain is entered by executing the file.
allow clatd clatd_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow clatd netd:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit netd clatd:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow netd clatd:process { siginh rlimitinh };

# Make the transition occur by default.
type_transition netd clatd_exec:process clatd;
allow netd clatd:process signal;

# Support netd running mdnsd
# TODO: prune this back further
# NOTE(review): ctl_default_prop presumably covers the generic ctl.* service
# control properties, i.e. starting/stopping init services by name -- confirm
# against property_contexts.
allow netd ctl_default_prop:property_service set;
allow netd device:sock_file write;

###
### Neverallow rules
###
### netd should NEVER do any of this
# Compile-time assertions: policy build fails if any rule grants these.

# Block device access.
neverallow netd dev_type:blk_file { read write };

# Setting SELinux enforcing status or booleans.
neverallow netd kernel:security { setenforce setbool };

# Load security policy.
neverallow netd kernel:security load_policy;

# ptrace any other app
neverallow netd { domain }:process ptrace;

# Write to /system.
neverallow netd system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;

# Write to files in /data/data or system files on /data
neverallow netd { app_data_file system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
#line 1 "external/sepolicy/net.te"
# Network types
type node, node_type;
type netif, netif_type;
type port, port_type;

# Rules shared by every domain carrying the netdomain attribute.
# Use network sockets.
allow netdomain self:{ tcp_socket udp_socket } *;
# Connect to ports.
# Any port type, i.e. no per-port restriction for netdomain members.
allow netdomain port_type:tcp_socket name_connect;
# Bind to ports.
allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
allow netdomain port_type:udp_socket name_bind;
allow netdomain port_type:tcp_socket name_bind;
# Get route information.
allow netdomain self:netlink_route_socket { create bind read nlmsg_read };

# Talks to netd via dnsproxyd socket.
allow netdomain dnsproxyd_socket:sock_file write;
allow netdomain netd:unix_stream_socket connectto;
#line 1 "external/sepolicy/nfc.te"
# nfc subsystem
type nfc, domain;

typeattribute nfc appdomain;
# Label ashmem objects with our own unique type.
type nfc_tmpfs, file_type;
type_transition nfc tmpfs:file nfc_tmpfs;
allow nfc nfc_tmpfs:file { read write };
# Map with PROT_EXEC.
allow nfc nfc_tmpfs:file execute;

typeattribute nfc binderservicedomain;

# NFC device access.
allow nfc nfc_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Data file accesses.
allow nfc nfc_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow nfc nfc_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Dedicated sysfs type for the NFC power node ...
allow nfc sysfs_nfc_power_writable:file { { getattr open read ioctl lock } { open append write } };
# ... but the generic rule below still grants write to all of sysfs, which
# makes the scoped type above moot; candidate for removal once the remaining
# nodes are labelled.
allow nfc sysfs:file write;

allow nfc sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow nfc sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
#line 1 "external/sepolicy/platform_app.te"
###
### Apps signed with the platform key.
###

type platform_app, domain;

typeattribute platform_app mlstrustedsubject;
# NOTE(review): unconfined -- the explicit rules below document intended
# access but do not bound the domain; see unconfined.te (not visible here).
typeattribute platform_app unconfineddomain;

typeattribute platform_app appdomain;
# Label ashmem objects with our own unique type.
type platform_app_tmpfs, file_type;
type_transition platform_app tmpfs:file platform_app_tmpfs;
allow platform_app platform_app_tmpfs:file { read write };
# Map with PROT_EXEC.
allow platform_app platform_app_tmpfs:file execute;

typeattribute platform_app platformappdomain;
# Duplicate of the mlstrustedsubject typeattribute above; harmless.
typeattribute platform_app mlstrustedsubject;

# Access the network.
typeattribute platform_app netdomain;

# Access bluetooth.
typeattribute platform_app bluetoothdomain;

# Write to /cache.
allow platform_app cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow platform_app cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Read from /data/local.
allow platform_app shell_data_file:dir search;
allow platform_app shell_data_file:file { open getattr read };
allow platform_app shell_data_file:lnk_file read;
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
# created by system server.
allow platform_app { apk_tmp_file apk_private_tmp_file }:file { { getattr open read ioctl lock } { open append write } };
allow platform_app apk_private_data_file:dir search;
# ASEC
allow platform_app asec_apk_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow platform_app asec_apk_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Access download files.
allow platform_app download_file:file { { getattr open read ioctl lock } { open append write } };
# Allow BackupManagerService to backup all app domains
# (write to FIFOs owned by any app domain).
allow platform_app appdomain:fifo_file write;

#
# Rules for all platform app domains.
#

# App sandbox file accesses.
allow platformappdomain platform_app_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow platformappdomain platform_app_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Files in the platform-app sandbox may be mapped/executed; combined with the
# write access above this permits writable-then-executable data.
allow platformappdomain platform_app_data_file:file execute;
# App sdcard file accesses
allow platformappdomain sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow platformappdomain sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Access to /data/media.
allow platformappdomain media_rw_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow platformappdomain media_rw_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
#line 1 "external/sepolicy/ppp.te"
# Point to Point Protocol daemon
type ppp, domain;

typeattribute ppp mlstrustedsubject;
# NOTE(review): unconfined; see unconfined.te (not visible here).
typeattribute ppp unconfineddomain;

type ppp_device, dev_type;
type ppp_exec, exec_type, file_type;

# ppp is spawned by mtp (not init), so the caller in the transition is mtp.
# Allow the necessary permissions.
# Old domain may exec the file and transition to the new domain.
allow mtp ppp_exec:file { getattr open read execute };
allow mtp ppp:process transition;
# New domain is entered by executing the file.
allow ppp ppp_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow ppp mtp:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit mtp ppp:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow mtp ppp:process { siginh rlimitinh };

# Make the transition occur by default.
type_transition mtp ppp_exec:process ppp;

# ppp inherits and uses sockets/fds opened by mtp (see the fd use rule
# below); it gets no create permission on mtp's sockets.
allow ppp mtp:socket { ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow ppp ppp_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow ppp self:capability net_admin;
allow ppp self:udp_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
# execute_no_trans: /system binaries run inside the ppp domain itself.
allow ppp system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
allow ppp vpn_data_file:dir { open search write add_name remove_name };
allow ppp vpn_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow ppp mtp:fd use;
#line 1 "external/sepolicy/property.te"
# Property types; which domain may "set" each one is granted per domain
# (e.g. radio_prop in radio.te, audio_prop in mediaserver.te).
type default_prop, property_type;
type shell_prop, property_type;
type debug_prop, property_type;
type debuggerd_prop, property_type;
type radio_prop, property_type;
type system_prop, property_type;
type vold_prop, property_type;
type rild_prop, property_type;
type ctl_default_prop, property_type;
type ctl_dumpstate_prop, property_type;
type ctl_rildaemon_prop, property_type;
type audio_prop, property_type;
type security_prop, property_type;
type bluetooth_prop, property_type;
type powerctl_prop, property_type;
#line 1 "external/sepolicy/qemud.te"
# qemu support daemon
type qemud, domain;
type qemud_exec, exec_type, file_type;

# Allow the necessary permissions.
# Old domain may exec the file and transition to the new domain.
allow init qemud_exec:file { getattr open read execute };
allow init qemud:process transition;
# New domain is entered by executing the file.
allow qemud qemud_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow qemud init:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit init qemud:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init qemud:process { siginh rlimitinh };

# Make the transition occur by default.
type_transition init qemud_exec:process qemud;

# Private tmpfs (ashmem) label for qemud.
type qemud_tmpfs, file_type;
type_transition qemud tmpfs:file qemud_tmpfs;
allow qemud qemud_tmpfs:file { read write };

typeattribute qemud mlstrustedsubject;
# NOTE(review): unconfined (emulator-only daemon); see unconfined.te.
typeattribute qemud unconfineddomain;
#line 1 "external/sepolicy/racoon.te"
# IKE key management daemon
type racoon, domain;

typeattribute racoon mlstrustedsubject;
# NOTE(review): unconfined; the explicit rules below do not bound the domain.
typeattribute racoon unconfineddomain;

type racoon_exec, exec_type, file_type;

# Allow the necessary permissions.
# Old domain may exec the file and transition to the new domain.
allow init racoon_exec:file { getattr open read execute };
allow init racoon:process transition;
# New domain is entered by executing the file.
allow racoon racoon_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow racoon init:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit init racoon:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init racoon:process { siginh rlimitinh };

# Make the transition occur by default.
type_transition init racoon_exec:process racoon;

# Private tmpfs (ashmem) label for racoon.
type racoon_tmpfs, file_type;
type_transition racoon tmpfs:file racoon_tmpfs;
allow racoon racoon_tmpfs:file { read write };

# Duplicate of the mlstrustedsubject typeattribute above; harmless.
typeattribute racoon mlstrustedsubject;

# Binder client of servicemanager.
# Call the server domain and optionally transfer references to it.
allow racoon servicemanager:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow servicemanager racoon:binder transfer;
# Receive and use open files from the server.
allow racoon servicemanager:fd use;

# Binder client of keystore (presumably to fetch VPN credentials -- confirm).
# Call the server domain and optionally transfer references to it.
allow racoon keystore:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow keystore racoon:binder transfer;
# Receive and use open files from the server.
allow racoon keystore:fd use;

allow racoon tun_device:chr_file { getattr open read ioctl lock };
allow racoon cgroup:dir { add_name create };
# May trigger kernel module auto-loading by name.
allow racoon kernel:system module_request;
allow racoon port:udp_socket name_bind;
allow racoon node:udp_socket node_bind;

# key_socket: PF_KEY access for installing IPsec SAs.
allow racoon self:{ key_socket udp_socket } { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
allow racoon self:tun_socket create;
# setuid in a network-facing daemon; net_bind_service covers the IKE ports.
allow racoon self:capability { net_admin net_bind_service net_raw setuid };

# XXX: should we give ip-up-vpn its own label (currently racoon domain)
# execute_no_trans: ip-up-vpn (and any other /system binary) runs inside the
# racoon domain with the capabilities above until it gets its own type.
allow racoon system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
allow racoon vpn_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow racoon vpn_data_file:dir { open search write add_name remove_name };
#line 1 "external/sepolicy/radio.te"
# phone subsystem
type radio, domain;

typeattribute radio appdomain;
# Label ashmem objects with our own unique type.
type radio_tmpfs, file_type;
type_transition radio tmpfs:file radio_tmpfs;
allow radio radio_tmpfs:file { read write };
# Map with PROT_EXEC.
allow radio radio_tmpfs:file execute;

typeattribute radio netdomain;

typeattribute radio bluetoothdomain;

typeattribute radio binderservicedomain;

# Talks to init via the property socket.
allow radio property_socket:sock_file write;
allow radio init:unix_stream_socket connectto;

# Talks to rild via the rild socket.
allow radio rild_socket:sock_file write;
allow radio rild:unix_stream_socket connectto;

# Data file accesses.
allow radio radio_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow radio radio_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

allow radio alarm_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Property service
allow radio radio_prop:property_service set;

# ctl interface
# Restricted to the rild-daemon control property rather than ctl_default_prop.
allow radio ctl_rildaemon_prop:property_service set;
#line 1 "external/sepolicy/recovery.te"
# recovery console (used in recovery init.rc for /sbin/recovery)
# (recovery.te continues past the end of this excerpt.)
type recovery, domain;
allow recovery rootfs:file entrypoint;

typeattribute recovery mlstrustedsubject;
typeattribute recovery unconfineddomain;

typeattribute recovery relabeltodomain;

# mac_admin: may set security contexts that are not defined in the loaded
# policy (needed when relabelling for a policy that differs from the running
# one).
allow recovery self:capability2 mac_admin;

# Relabel anything except the kernel memory device.
allow recovery {fs_type dev_type -kmem_device file_type}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;
allow recovery unlabeled:filesystem mount;
# Every filesystem permission on every filesystem type.
allow recovery fs_type:filesystem *;

# Required to e.g. wipe userdata/cache.
7603allow recovery dev_type:blk_file { { getattr open read ioctl lock } { open append write } }; 7604 7605allow recovery self:process execmem; 7606allow recovery ashmem_device:chr_file execute; 7607allow recovery tmpfs:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; 7608 7609## TODO: Investigate whether it is safe to remove these 7610allow recovery self:capability { sys_rawio mknod }; 7611auditallow recovery self:capability { sys_rawio mknod }; 7612#line 1 "external/sepolicy/release_app.te" 7613### 7614### Apps signed with the release key (testkey in AOSP). 7615### 7616 7617type release_app, domain; 7618 7619#line 6 7620typeattribute release_app mlstrustedsubject; 7621#line 6 7622typeattribute release_app unconfineddomain; 7623#line 6 7624 7625 7626#line 7 7627typeattribute release_app appdomain; 7628#line 7 7629# Label ashmem objects with our own unique type. 7630#line 7 7631 7632#line 7 7633type release_app_tmpfs, file_type; 7634#line 7 7635type_transition release_app tmpfs:file release_app_tmpfs; 7636#line 7 7637allow release_app release_app_tmpfs:file { read write }; 7638#line 7 7639 7640#line 7 7641# Map with PROT_EXEC. 7642#line 7 7643allow release_app release_app_tmpfs:file execute; 7644#line 7 7645 7646 7647#line 8 7648typeattribute release_app platformappdomain; 7649#line 8 7650typeattribute release_app mlstrustedsubject; 7651#line 8 7652 7653# Access the network. 7654 7655#line 10 7656typeattribute release_app netdomain; 7657#line 10 7658 7659# Access bluetooth. 7660 7661#line 12 7662typeattribute release_app bluetoothdomain; 7663#line 12 7664 7665 7666# Write to /cache. 
7667allow release_app cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; 7668allow release_app cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; 7669#line 1 "external/sepolicy/rild.te" 7670# rild - radio interface layer daemon 7671type rild, domain; 7672 7673#line 3 7674typeattribute rild mlstrustedsubject; 7675#line 3 7676typeattribute rild unconfineddomain; 7677#line 3 7678 7679type rild_exec, exec_type, file_type; 7680 7681 7682#line 6 7683 7684#line 6 7685# Allow the necessary permissions. 7686#line 6 7687 7688#line 6 7689# Old domain may exec the file and transition to the new domain. 7690#line 6 7691allow init rild_exec:file { getattr open read execute }; 7692#line 6 7693allow init rild:process transition; 7694#line 6 7695# New domain is entered by executing the file. 7696#line 6 7697allow rild rild_exec:file { entrypoint read execute }; 7698#line 6 7699# New domain can send SIGCHLD to its caller. 7700#line 6 7701allow rild init:process sigchld; 7702#line 6 7703# Enable AT_SECURE, i.e. libc secure mode. 7704#line 6 7705dontaudit init rild:process noatsecure; 7706#line 6 7707# XXX dontaudit candidate but requires further study. 7708#line 6 7709allow init rild:process { siginh rlimitinh }; 7710#line 6 7711 7712#line 6 7713# Make the transition occur by default. 
7714#line 6 7715type_transition init rild_exec:process rild; 7716#line 6 7717 7718#line 6 7719 7720#line 6 7721type rild_tmpfs, file_type; 7722#line 6 7723type_transition rild tmpfs:file rild_tmpfs; 7724#line 6 7725allow rild rild_tmpfs:file { read write }; 7726#line 6 7727 7728#line 6 7729 7730 7731#line 7 7732typeattribute rild netdomain; 7733#line 7 7734 7735allow rild self:netlink_route_socket { setopt write }; 7736allow rild kernel:system module_request; 7737 7738#line 10 7739allow rild property_socket:sock_file write; 7740#line 10 7741allow rild init:unix_stream_socket connectto; 7742#line 10 7743 7744 7745#line 11 7746allow rild qemud_socket:sock_file write; 7747#line 11 7748allow rild qemud:unix_stream_socket connectto; 7749#line 11 7750 7751allow rild self:capability { setuid net_admin net_raw }; 7752allow rild alarm_device:chr_file { { getattr open read ioctl lock } { open append write } }; 7753allow rild cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; 7754allow rild radio_device:chr_file { { getattr open read ioctl lock } { open append write } }; 7755allow rild radio_device:blk_file { getattr open read ioctl lock }; 7756allow rild qemu_device:chr_file { { getattr open read ioctl lock } { open append write } }; 7757allow rild mtd_device:dir search; 7758allow rild efs_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; 7759allow rild efs_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; 7760allow rild shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; 7761allow rild bluetooth_efs_file:file { getattr open read ioctl lock }; 7762allow rild bluetooth_efs_file:dir { open getattr read search ioctl }; 7763allow rild radio_data_file:dir { { 
open getattr read search ioctl } { open search write add_name remove_name } }; 7764allow rild radio_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; 7765allow rild sdcard_type:dir { open getattr read search ioctl }; 7766allow rild system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; 7767allow rild system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; 7768allow rild system_file:file { getattr execute execute_no_trans }; 7769dontaudit rild self:capability sys_admin; 7770 7771# property service 7772allow rild rild_prop:property_service set; 7773allow rild radio_prop:property_service set; 7774 7775# Read/Write to uart driver (for GPS) 7776allow rild gps_device:chr_file { { getattr open read ioctl lock } { open append write } }; 7777 7778allow rild tty_device:chr_file { { getattr open read ioctl lock } { open append write } }; 7779 7780# Allow rild to create, bind, read, write to itself through a netlink socket 7781allow rild self:netlink_socket { create bind read write }; 7782 7783allow rild self:netlink_kobject_uevent_socket { bind create getopt read setopt }; 7784 7785# Access to wake locks 7786allow rild sysfs_wake_lock:file { { getattr open read ioctl lock } { open append write } }; 7787 7788allow rild self:socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } }; 7789#line 1 "external/sepolicy/runas.te" 7790type runas, domain, mlstrustedsubject; 7791type runas_exec, exec_type, file_type; 7792 7793# ndk-gdb invokes adb shell run-as. 7794 7795#line 5 7796# Allow the necessary permissions. 7797#line 5 7798 7799#line 5 7800# Old domain may exec the file and transition to the new domain. 
7801#line 5 7802allow shell runas_exec:file { getattr open read execute }; 7803#line 5 7804allow shell runas:process transition; 7805#line 5 7806# New domain is entered by executing the file. 7807#line 5 7808allow runas runas_exec:file { entrypoint read execute }; 7809#line 5 7810# New domain can send SIGCHLD to its caller. 7811#line 5 7812allow runas shell:process sigchld; 7813#line 5 7814# Enable AT_SECURE, i.e. libc secure mode. 7815#line 5 7816dontaudit shell runas:process noatsecure; 7817#line 5 7818# XXX dontaudit candidate but requires further study. 7819#line 5 7820allow shell runas:process { siginh rlimitinh }; 7821#line 5 7822 7823#line 5 7824# Make the transition occur by default. 7825#line 5 7826type_transition shell runas_exec:process runas; 7827#line 5 7828 7829allow runas adbd:process sigchld; 7830allow runas shell:fd use; 7831allow runas devpts:chr_file { read write ioctl }; 7832 7833# run-as reads package information. 7834allow runas system_data_file:file { getattr open read ioctl lock }; 7835 7836# run-as checks and changes to the app data dir. 7837dontaudit runas self:capability dac_override; 7838allow runas app_data_file:dir { getattr search }; 7839 7840# run-as switches to the app UID/GID. 7841allow runas self:capability { setuid setgid }; 7842 7843# run-as switches to the app security context. 
7844# read /seapp_contexts and /data/security/seapp_contexts 7845 7846#line 22 7847allow runas security_file:dir { open getattr read search ioctl }; 7848#line 22 7849allow runas security_file:file { getattr open read ioctl lock }; 7850#line 22 7851allow runas security_file:lnk_file { getattr open read ioctl lock }; 7852#line 22 7853allow runas selinuxfs:dir { open getattr read search ioctl }; 7854#line 22 7855allow runas selinuxfs:file { getattr open read ioctl lock }; 7856#line 22 7857allow runas rootfs:dir { open getattr read search ioctl }; 7858#line 22 7859allow runas rootfs:file { getattr open read ioctl lock }; 7860#line 22 7861 7862 7863#line 23 7864allow runas selinuxfs:dir { open getattr read search ioctl }; 7865#line 23 7866allow runas selinuxfs:file { { getattr open read ioctl lock } { open append write } }; 7867#line 23 7868allow runas kernel:security check_context; 7869#line 23 7870 # validate context 7871allow runas { appdomain -system_app }:process dyntransition; # setcon 7872#line 1 "external/sepolicy/sdcardd.te" 7873type sdcardd, domain; 7874type sdcardd_exec, exec_type, file_type; 7875 7876 7877#line 4 7878 7879#line 4 7880# Allow the necessary permissions. 7881#line 4 7882 7883#line 4 7884# Old domain may exec the file and transition to the new domain. 7885#line 4 7886allow init sdcardd_exec:file { getattr open read execute }; 7887#line 4 7888allow init sdcardd:process transition; 7889#line 4 7890# New domain is entered by executing the file. 7891#line 4 7892allow sdcardd sdcardd_exec:file { entrypoint read execute }; 7893#line 4 7894# New domain can send SIGCHLD to its caller. 7895#line 4 7896allow sdcardd init:process sigchld; 7897#line 4 7898# Enable AT_SECURE, i.e. libc secure mode. 7899#line 4 7900dontaudit init sdcardd:process noatsecure; 7901#line 4 7902# XXX dontaudit candidate but requires further study. 
7903#line 4 7904allow init sdcardd:process { siginh rlimitinh }; 7905#line 4 7906 7907#line 4 7908# Make the transition occur by default. 7909#line 4 7910type_transition init sdcardd_exec:process sdcardd; 7911#line 4 7912 7913#line 4 7914 7915#line 4 7916type sdcardd_tmpfs, file_type; 7917#line 4 7918type_transition sdcardd tmpfs:file sdcardd_tmpfs; 7919#line 4 7920allow sdcardd sdcardd_tmpfs:file { read write }; 7921#line 4 7922 7923#line 4 7924 7925 7926allow sdcardd cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; 7927allow sdcardd fuse_device:chr_file { { getattr open read ioctl lock } { open append write } }; 7928allow sdcardd rootfs:dir mounton; 7929allow sdcardd sdcard_type:filesystem mount; 7930allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource }; 7931 7932allow sdcardd sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; 7933allow sdcardd sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; 7934 7935type_transition sdcardd system_data_file:{ dir file } media_rw_data_file; 7936allow sdcardd media_rw_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; 7937allow sdcardd media_rw_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; 7938 7939# Read /data/system/packages.list. 7940allow sdcardd system_data_file:file { getattr open read ioctl lock }; 7941 7942# Compatibility for existing devices with /data/media in system_data_file. 7943# TODO: Remove these lines after we have guaranteed that /data/media has been relabeled to media_rw_data_file. 
7944allow sdcardd system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; 7945allow sdcardd system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; 7946#line 1 "external/sepolicy/servicemanager.te" 7947# servicemanager - the Binder context manager 7948type servicemanager, domain; 7949type servicemanager_exec, exec_type, file_type; 7950 7951 7952#line 5 7953 7954#line 5 7955# Allow the necessary permissions. 7956#line 5 7957 7958#line 5 7959# Old domain may exec the file and transition to the new domain. 7960#line 5 7961allow init servicemanager_exec:file { getattr open read execute }; 7962#line 5 7963allow init servicemanager:process transition; 7964#line 5 7965# New domain is entered by executing the file. 7966#line 5 7967allow servicemanager servicemanager_exec:file { entrypoint read execute }; 7968#line 5 7969# New domain can send SIGCHLD to its caller. 7970#line 5 7971allow servicemanager init:process sigchld; 7972#line 5 7973# Enable AT_SECURE, i.e. libc secure mode. 7974#line 5 7975dontaudit init servicemanager:process noatsecure; 7976#line 5 7977# XXX dontaudit candidate but requires further study. 7978#line 5 7979allow init servicemanager:process { siginh rlimitinh }; 7980#line 5 7981 7982#line 5 7983# Make the transition occur by default. 7984#line 5 7985type_transition init servicemanager_exec:process servicemanager; 7986#line 5 7987 7988#line 5 7989 7990#line 5 7991type servicemanager_tmpfs, file_type; 7992#line 5 7993type_transition servicemanager tmpfs:file servicemanager_tmpfs; 7994#line 5 7995allow servicemanager servicemanager_tmpfs:file { read write }; 7996#line 5 7997 7998#line 5 7999 8000 8001# Note that we do not use the binder_* macros here. 8002# servicemanager is unique in that it only provides 8003# name service (aka context manager) for Binder. 
8004# As such, it only ever receives and transfers other references 8005# created by other domains. It never passes its own references 8006# or initiates a Binder IPC. 8007allow servicemanager self:binder set_context_mgr; 8008allow servicemanager domain:binder transfer; 8009#line 1 "external/sepolicy/shared_app.te" 8010### 8011### Apps signed with the shared key. 8012### 8013 8014type shared_app, domain; 8015 8016#line 6 8017typeattribute shared_app mlstrustedsubject; 8018#line 6 8019typeattribute shared_app unconfineddomain; 8020#line 6 8021 8022 8023#line 7 8024typeattribute shared_app appdomain; 8025#line 7 8026# Label ashmem objects with our own unique type. 8027#line 7 8028 8029#line 7 8030type shared_app_tmpfs, file_type; 8031#line 7 8032type_transition shared_app tmpfs:file shared_app_tmpfs; 8033#line 7 8034allow shared_app shared_app_tmpfs:file { read write }; 8035#line 7 8036 8037#line 7 8038# Map with PROT_EXEC. 8039#line 7 8040allow shared_app shared_app_tmpfs:file execute; 8041#line 7 8042 8043 8044#line 8 8045typeattribute shared_app platformappdomain; 8046#line 8 8047typeattribute shared_app mlstrustedsubject; 8048#line 8 8049 8050# Access the network. 8051 8052#line 10 8053typeattribute shared_app netdomain; 8054#line 10 8055 8056# Access bluetooth. 8057 8058#line 12 8059typeattribute shared_app bluetoothdomain; 8060#line 12 8061 8062#line 1 "external/sepolicy/shelldomain.te" 8063# Rules for all shell domains (e.g. console service and adb shell). 8064 8065# Access /data/local/tmp. 
8066allow shelldomain shell_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; 8067allow shelldomain shell_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; 8068allow shelldomain shell_data_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; 8069 8070# Access sdcard. 8071allow shelldomain sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; 8072allow shelldomain sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; 8073 8074# adb bugreport 8075 8076#line 13 8077allow shelldomain dumpstate_socket:sock_file write; 8078#line 13 8079allow shelldomain dumpstate:unix_stream_socket connectto; 8080#line 13 8081 8082 8083allow shelldomain rootfs:dir { open getattr read search ioctl }; 8084allow shelldomain devpts:chr_file { { getattr open read ioctl lock } { open append write } }; 8085allow shelldomain tty_device:chr_file { { getattr open read ioctl lock } { open append write } }; 8086allow shelldomain console_device:chr_file { { getattr open read ioctl lock } { open append write } }; 8087allow shelldomain input_device:chr_file { { getattr open read ioctl lock } { open append write } }; 8088allow shelldomain system_file:file { getattr execute execute_no_trans }; 8089allow shelldomain shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; 8090allow shelldomain zygote_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; 8091 8092 8093#line 24 8094allow shelldomain apk_data_file:dir { open getattr read search ioctl }; 8095#line 24 8096allow shelldomain apk_data_file:{ file lnk_file } { getattr open read ioctl lock 
}; 8097#line 24 8098 8099 8100# Set properties. 8101 8102#line 27 8103allow shelldomain property_socket:sock_file write; 8104#line 27 8105allow shelldomain init:unix_stream_socket connectto; 8106#line 27 8107 8108allow shelldomain shell_prop:property_service set; 8109allow shelldomain ctl_dumpstate_prop:property_service set; 8110allow shelldomain debug_prop:property_service set; 8111allow shelldomain powerctl_prop:property_service set; 8112 8113# ndk-gdb invokes adb shell ps to find the app PID. 8114 8115#line 34 8116allow shelldomain { appdomain -system_app }:dir { open getattr read search ioctl }; 8117#line 34 8118allow shelldomain { appdomain -system_app }:{ file lnk_file } { getattr open read ioctl lock }; 8119#line 34 8120 8121 8122# ndk-gdb invokes adb shell ls to check the app data dir. 8123allow shelldomain app_data_file:dir search; 8124 8125# ps and ps -Z output for app processes. 8126 8127#line 40 8128allow shelldomain appdomain:dir { open getattr read search ioctl }; 8129#line 40 8130allow shelldomain appdomain:{ file lnk_file } { getattr open read ioctl lock }; 8131#line 40 8132 8133allow shelldomain appdomain:process getattr; 8134#line 1 "external/sepolicy/shell.te" 8135# Domain for shell processes spawned by ADB 8136type shell, domain, shelldomain, mlstrustedsubject; 8137type shell_exec, exec_type, file_type; 8138 8139# Create and use network sockets. 8140 8141#line 6 8142typeattribute shell netdomain; 8143#line 6 8144 8145 8146# Run app_process. 8147# XXX Transition into its own domain? 8148 8149#line 10 8150typeattribute shell appdomain; 8151#line 10 8152# Label ashmem objects with our own unique type. 8153#line 10 8154 8155#line 10 8156type shell_tmpfs, file_type; 8157#line 10 8158type_transition shell tmpfs:file shell_tmpfs; 8159#line 10 8160allow shell shell_tmpfs:file { read write }; 8161#line 10 8162 8163#line 10 8164# Map with PROT_EXEC. 
8165#line 10 8166allow shell shell_tmpfs:file execute; 8167#line 10 8168 8169 8170# inherits from shelldomain.te 8171#line 1 "external/sepolicy/surfaceflinger.te" 8172# surfaceflinger - display compositor service 8173type surfaceflinger, domain; 8174 8175#line 3 8176typeattribute surfaceflinger mlstrustedsubject; 8177#line 3 8178typeattribute surfaceflinger unconfineddomain; 8179#line 3 8180 8181type surfaceflinger_exec, exec_type, file_type; 8182 8183 8184#line 6 8185 8186#line 6 8187# Allow the necessary permissions. 8188#line 6 8189 8190#line 6 8191# Old domain may exec the file and transition to the new domain. 8192#line 6 8193allow init surfaceflinger_exec:file { getattr open read execute }; 8194#line 6 8195allow init surfaceflinger:process transition; 8196#line 6 8197# New domain is entered by executing the file. 8198#line 6 8199allow surfaceflinger surfaceflinger_exec:file { entrypoint read execute }; 8200#line 6 8201# New domain can send SIGCHLD to its caller. 8202#line 6 8203allow surfaceflinger init:process sigchld; 8204#line 6 8205# Enable AT_SECURE, i.e. libc secure mode. 8206#line 6 8207dontaudit init surfaceflinger:process noatsecure; 8208#line 6 8209# XXX dontaudit candidate but requires further study. 8210#line 6 8211allow init surfaceflinger:process { siginh rlimitinh }; 8212#line 6 8213 8214#line 6 8215# Make the transition occur by default. 8216#line 6 8217type_transition init surfaceflinger_exec:process surfaceflinger; 8218#line 6 8219 8220#line 6 8221 8222#line 6 8223type surfaceflinger_tmpfs, file_type; 8224#line 6 8225type_transition surfaceflinger tmpfs:file surfaceflinger_tmpfs; 8226#line 6 8227allow surfaceflinger surfaceflinger_tmpfs:file { read write }; 8228#line 6 8229 8230#line 6 8231 8232typeattribute surfaceflinger mlstrustedsubject; 8233 8234# Talk to init over the property socket. 
8235 8236#line 10 8237allow surfaceflinger property_socket:sock_file write; 8238#line 10 8239allow surfaceflinger init:unix_stream_socket connectto; 8240#line 10 8241 8242 8243# Perform Binder IPC. 8244 8245#line 13 8246# Call the servicemanager and transfer references to it. 8247#line 13 8248allow surfaceflinger servicemanager:binder { call transfer }; 8249#line 13 8250# rw access to /dev/binder and /dev/ashmem is presently granted to 8251#line 13 8252# all domains in domain.te. 8253#line 13 8254 8255 8256#line 14 8257# Call the server domain and optionally transfer references to it. 8258#line 14 8259allow surfaceflinger system_server:binder { call transfer }; 8260#line 14 8261# Allow the serverdomain to transfer references to the client on the reply. 8262#line 14 8263allow system_server surfaceflinger:binder transfer; 8264#line 14 8265# Receive and use open files from the server. 8266#line 14 8267allow surfaceflinger system_server:fd use; 8268#line 14 8269 8270 8271#line 15 8272# Call the server domain and optionally transfer references to it. 8273#line 15 8274allow surfaceflinger nfc:binder { call transfer }; 8275#line 15 8276# Allow the serverdomain to transfer references to the client on the reply. 8277#line 15 8278allow nfc surfaceflinger:binder transfer; 8279#line 15 8280# Receive and use open files from the server. 8281#line 15 8282allow surfaceflinger nfc:fd use; 8283#line 15 8284 8285 8286#line 16 8287# Call the server domain and optionally transfer references to it. 8288#line 16 8289allow surfaceflinger mediaserver:binder { call transfer }; 8290#line 16 8291# Allow the serverdomain to transfer references to the client on the reply. 8292#line 16 8293allow mediaserver surfaceflinger:binder transfer; 8294#line 16 8295# Receive and use open files from the server. 8296#line 16 8297allow surfaceflinger mediaserver:fd use; 8298#line 16 8299 8300 8301#line 17 8302typeattribute surfaceflinger binderservicedomain; 8303#line 17 8304 8305 8306# Access the GPU. 
8307allow surfaceflinger gpu_device:chr_file { { getattr open read ioctl lock } { open append write } }; 8308 8309# Access /dev/graphics/fb0. 8310allow surfaceflinger graphics_device:dir search; 8311allow surfaceflinger graphics_device:chr_file { { getattr open read ioctl lock } { open append write } }; 8312 8313# Access /dev/video1. 8314allow surfaceflinger video_device:dir { open getattr read search ioctl }; 8315allow surfaceflinger video_device:chr_file { { getattr open read ioctl lock } { open append write } }; 8316 8317# Create and use netlink kobject uevent sockets. 8318allow surfaceflinger self:netlink_kobject_uevent_socket *; 8319 8320# Set properties. 8321allow surfaceflinger system_prop:property_service set; 8322allow surfaceflinger ctl_default_prop:property_service set; 8323 8324# Use open files supplied by an app. 8325allow surfaceflinger appdomain:fd use; 8326allow surfaceflinger platform_app_data_file:file { read write }; 8327allow surfaceflinger app_data_file:file { read write }; 8328 8329# Use open file provided by bootanim. 8330allow surfaceflinger bootanim:fd use; 8331 8332# Allow a dumpstate triggered screenshot 8333 8334#line 46 8335# Call the server domain and optionally transfer references to it. 8336#line 46 8337allow surfaceflinger dumpstate:binder { call transfer }; 8338#line 46 8339# Allow the serverdomain to transfer references to the client on the reply. 8340#line 46 8341allow dumpstate surfaceflinger:binder transfer; 8342#line 46 8343# Receive and use open files from the server. 8344#line 46 8345allow surfaceflinger dumpstate:fd use; 8346#line 46 8347 8348 8349#line 47 8350# Call the server domain and optionally transfer references to it. 8351#line 47 8352allow surfaceflinger shell:binder { call transfer }; 8353#line 47 8354# Allow the serverdomain to transfer references to the client on the reply. 8355#line 47 8356allow shell surfaceflinger:binder transfer; 8357#line 47 8358# Receive and use open files from the server. 
8359#line 47 8360allow surfaceflinger shell:fd use; 8361#line 47 8362 8363 8364# Needed on some devices for playing DRM protected content, 8365# but seems expected and appropriate for all devices. 8366allow surfaceflinger tee:unix_stream_socket connectto; 8367allow surfaceflinger tee_device:chr_file { { getattr open read ioctl lock } { open append write } }; 8368#line 1 "external/sepolicy/su.te" 8369# File types must be defined for file_contexts. 8370type su_exec, exec_type, file_type; 8371 8372#line 23 8373 8374#line 1 "external/sepolicy/system_app.te" 8375# 8376# Apps that run with the system UID, e.g. com.android.system.ui, 8377# com.android.settings. These are not as privileged as the system 8378# server. 8379# 8380type system_app, domain; 8381 8382#line 7 8383typeattribute system_app mlstrustedsubject; 8384#line 7 8385typeattribute system_app unconfineddomain; 8386#line 7 8387 8388 8389#line 8 8390typeattribute system_app appdomain; 8391#line 8 8392# Label ashmem objects with our own unique type. 8393#line 8 8394 8395#line 8 8396type system_app_tmpfs, file_type; 8397#line 8 8398type_transition system_app tmpfs:file system_app_tmpfs; 8399#line 8 8400allow system_app system_app_tmpfs:file { read write }; 8401#line 8 8402 8403#line 8 8404# Map with PROT_EXEC. 8405#line 8 8406allow system_app system_app_tmpfs:file execute; 8407#line 8 8408 8409 8410#line 9 8411typeattribute system_app binderservicedomain; 8412#line 9 8413 8414 8415# Perform binder IPC to any app domain. 8416 8417#line 12 8418# Call the server domain and optionally transfer references to it. 8419#line 12 8420allow system_app appdomain:binder { call transfer }; 8421#line 12 8422# Allow the serverdomain to transfer references to the client on the reply. 8423#line 12 8424allow appdomain system_app:binder transfer; 8425#line 12 8426# Receive and use open files from the server. 8427#line 12 8428allow system_app appdomain:fd use; 8429#line 12 8430 8431 8432# Read and write system data files. 
8433# May want to split into separate types. 8434allow system_app system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; 8435allow system_app system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; 8436 8437# Read wallpaper file. 8438allow system_app wallpaper_file:file { getattr open read ioctl lock }; 8439 8440# Write to dalvikcache. 8441allow system_app dalvikcache_data_file:file { write setattr }; 8442 8443# Talk to keystore. 8444 8445#line 26 8446allow system_app keystore_socket:sock_file write; 8447#line 26 8448allow system_app keystore:unix_stream_socket connectto; 8449#line 26 8450 8451 8452# Read SELinux enforcing status. 8453 8454#line 29 8455allow system_app selinuxfs:dir { open getattr read search ioctl }; 8456#line 29 8457allow system_app selinuxfs:file { getattr open read ioctl lock }; 8458#line 29 8459 8460 8461# Settings app reads sdcard for storage stats 8462allow system_app sdcard_type:dir { open getattr read search ioctl }; 8463 8464# Write to properties 8465 8466#line 35 8467allow system_app property_socket:sock_file write; 8468#line 35 8469allow system_app init:unix_stream_socket connectto; 8470#line 35 8471 8472allow system_app debug_prop:property_service set; 8473allow system_app radio_prop:property_service set; 8474allow system_app system_prop:property_service set; 8475#line 1 "external/sepolicy/system_server.te" 8476# 8477# System Server aka system_server spawned by zygote. 8478# Most of the framework services run in this process. 8479# 8480type system_server, domain, mlstrustedsubject; 8481 8482#line 6 8483typeattribute system_server mlstrustedsubject; 8484#line 6 8485typeattribute system_server unconfineddomain; 8486#line 6 8487 8488 8489# Define a type for tmpfs-backed ashmem regions. 
type system_server_tmpfs, file_type;
type_transition system_server tmpfs:file system_server_tmpfs;
allow system_server system_server_tmpfs:file { read write };

# Dalvik Compiler JIT Mapping.
# (execmem and execute on ashmem / the tmpfs type are real grants: unconfined.te
# deliberately withholds execmem and execute.)
allow system_server self:process execmem;
allow system_server ashmem_device:chr_file execute;
allow system_server system_server_tmpfs:file execute;

# For art.
# Maps the dex cache PROT_EXEC; any domain allowed to write
# dalvikcache_data_file (e.g. system_app) can influence code run here.
allow system_server dalvikcache_data_file:file execute;

# Child of the zygote.
allow system_server zygote:fd use;
allow system_server zygote:process sigchld;
allow system_server zygote_tmpfs:file read;

# Needed to close the zygote socket, which involves getopt / getattr
# This should be deleted after b/12061011 is fixed
allow system_server zygote:unix_stream_socket { getopt getattr };

# system server gets network and bluetooth permissions.
typeattribute system_server netdomain;
typeattribute system_server bluetoothdomain;

# These are the capabilities assigned by the zygote to the
# system server.
# (sys_module pairs with the module_request rule below.)
allow system_server self:capability {
    kill
    net_admin
    net_bind_service
    net_broadcast
    net_raw
    sys_boot
    sys_module
    sys_nice
    sys_resource
    sys_time
    sys_tty_config
};

allow system_server self:capability2 block_suspend;

# Triggered by /proc/pid accesses, not allowed.
dontaudit system_server self:capability sys_ptrace;

# Trigger module auto-load.
allow system_server kernel:system module_request;

# Use netlink uevent sockets.
# NOTE(review): `*` grants every permission on the class; narrowing to the
# create/bind/read/... set actually used would be cheap.
allow system_server self:netlink_kobject_uevent_socket *;

# Kill apps.
allow system_server appdomain:process { sigkill signal };

# Set scheduling info for apps.
allow system_server appdomain:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };

# Read /proc data for apps.
# NOTE(review): despite the comment this grants write as well (the second
# half of the permission set); a read-only version of the same rule appears
# below under "Read /proc/pid files for Binder clients". If the write is
# intentional (e.g. for oom_score_adj) document it, otherwise drop it.
allow system_server appdomain:dir { open getattr read search ioctl };
allow system_server appdomain:{ file lnk_file } { { getattr open read ioctl lock } { open append write } };

# Read/Write to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid.
allow system_server qtaguid_proc:file { { getattr open read ioctl lock } { open append write } };
allow system_server qtaguid_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Read /sys/kernel/debug/wakeup_sources.
allow system_server debugfs:file { getattr open read ioctl lock };

# WifiWatchdog uses a packet_socket
allow system_server self:packet_socket *;

# 3rd party VPN clients require a tun_socket to be created
allow system_server self:tun_socket create;

# Notify init of death.
allow system_server init:process sigchld;

# Talk to init and various daemons via sockets.
# (unix_socket_connect expansions: write to the socket file, connect to the
# daemon's stream socket.)
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server qemud_socket:sock_file write;
allow system_server qemud:unix_stream_socket connectto;
allow system_server installd_socket:sock_file write;
allow system_server installd:unix_stream_socket connectto;
allow system_server lmkd_socket:sock_file write;
allow system_server lmkd:unix_stream_socket connectto;
allow system_server netd_socket:sock_file write;
allow system_server netd:unix_stream_socket connectto;
allow system_server vold_socket:sock_file write;
allow system_server vold:unix_stream_socket connectto;
allow system_server zygote_socket:sock_file write;
allow system_server zygote:unix_stream_socket connectto;
allow system_server keystore_socket:sock_file write;
allow system_server keystore:unix_stream_socket connectto;
allow system_server gps_socket:sock_file write;
allow system_server gpsd:unix_stream_socket connectto;
allow system_server racoon_socket:sock_file write;
allow system_server racoon:unix_stream_socket connectto;
# wpa uses a datagram socket, hence sendto rather than connectto.
allow system_server wpa_socket:sock_file write;
allow system_server wpa:unix_dgram_socket sendto;

# Communicate over a socket created by surfaceflinger.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };

# Perform Binder IPC.
# Call the servicemanager and transfer references to it.
allow system_server servicemanager:binder { call transfer };
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.

# binder_call expansions (system_server -> server): call the server and
# transfer references to it, let it transfer references back on the reply,
# and use any fds it hands over.
allow system_server binderservicedomain:binder { call transfer };
allow binderservicedomain system_server:binder transfer;
allow system_server binderservicedomain:fd use;

allow system_server appdomain:binder { call transfer };
allow appdomain system_server:binder transfer;
allow system_server appdomain:fd use;

allow system_server healthd:binder { call transfer };
allow healthd system_server:binder transfer;
allow system_server healthd:fd use;

allow system_server dumpstate:binder { call transfer };
allow dumpstate system_server:binder transfer;
allow system_server dumpstate:fd use;

typeattribute system_server binderservicedomain;

# Read /proc/pid files for Binder clients.
allow system_server appdomain:dir { open getattr read search ioctl };
allow system_server appdomain:{ file lnk_file } { getattr open read ioctl lock };
allow system_server mediaserver:dir { open getattr read search ioctl };
allow system_server mediaserver:{ file lnk_file } { getattr open read ioctl lock };
allow system_server appdomain:process getattr;
allow system_server mediaserver:process getattr;

# Check SELinux permissions.
# (Read/write on selinuxfs is presumably for the access-check interface.
# load_policy and setenforce are kernel:security permissions that this
# domain is not given -- unconfined.te excludes them -- so the write here
# does not by itself allow changing enforcement or loading policy.)
allow system_server selinuxfs:dir { open getattr read search ioctl };
allow system_server selinuxfs:file { { getattr open read ioctl lock } { open append write } };
allow system_server kernel:security compute_av;
allow system_server self:netlink_selinux_socket *;

# XXX Label sysfs files with a specific type?
# NOTE(review): read/write on every sysfs file that has no more specific
# type; the dedicated types used further down (sysfs_wake_lock,
# sysfs_lowmemorykiller) show the intended direction.
allow system_server sysfs:file { { getattr open read ioctl lock } { open append write } };
allow system_server sysfs_nfc_power_writable:file { { getattr open read ioctl lock } { open append write } };

# Access devices.
allow system_server device:dir { open getattr read search ioctl };
allow system_server mdns_socket:sock_file { { getattr open read ioctl lock } { open append write } };
allow system_server alarm_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow system_server gpu_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow system_server graphics_device:dir search;
allow system_server graphics_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow system_server iio_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow system_server input_device:dir { open getattr read search ioctl };
allow system_server input_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow system_server tty_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow system_server urandom_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow system_server usbaccessory_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow system_server video_device:dir { open getattr read search ioctl };
allow system_server video_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow system_server qemu_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow system_server adbd_socket:sock_file { { getattr open read ioctl lock } { open append write } };

# tun device used for 3rd party vpn apps
allow system_server tun_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Manage data files.
# NOTE(review): data_file_type is the attribute shared by every /data type,
# so this is create/write/unlink on all app, system and daemon data at once.
# The per-type relabel rules below are additions on top of this, not limits.
allow system_server data_file_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow system_server data_file_type:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Read /file_contexts and /data/security/file_contexts
allow system_server security_file:dir { open getattr read search ioctl };
allow system_server security_file:file { getattr open read ioctl lock };
allow system_server security_file:lnk_file { getattr open read ioctl lock };
allow system_server selinuxfs:dir { open getattr read search ioctl };
allow system_server selinuxfs:file { getattr open read ioctl lock };
allow system_server rootfs:dir { open getattr read search ioctl };
allow system_server rootfs:file { getattr open read ioctl lock };

# Relabel apk files.
typeattribute system_server relabeltodomain;
allow system_server { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:file { relabelfrom relabelto };

# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
allow system_server wallpaper_file:file relabelto;
allow system_server wallpaper_file:file { { getattr open read ioctl lock } { open append write } };

# Relabel /data/anr.
allow system_server system_data_file:dir relabelfrom;
allow system_server anr_data_file:dir relabelto;

# Property Service write
allow system_server system_prop:property_service set;
allow system_server radio_prop:property_service set;
allow system_server debug_prop:property_service set;
allow system_server powerctl_prop:property_service set;

# ctl interface
# (ctl.* properties ask init to start/stop services.)
allow system_server ctl_default_prop:property_service set;

# Create a socket for receiving info from wpa.
type_transition system_server wifi_data_file:sock_file system_wpa_socket;
type_transition system_server wpa_socket:sock_file system_wpa_socket;
allow system_server wpa_socket:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow system_server system_wpa_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Remove sockets created by wpa_supplicant
allow system_server wpa_socket:sock_file unlink;

# Create a socket for connections from debuggerd.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
allow system_server system_ndebug_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Specify any arguments to zygote.
allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };

# Manage cache files.
allow system_server cache_file:dir { relabelfrom { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } };
allow system_server cache_file:file { relabelfrom { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } } };

# Run system programs, e.g. dexopt.
# execute_no_trans: the helper keeps running in the system_server domain with
# all of its privileges; a dedicated domain with a transition would be tighter.
allow system_server system_file:file { getattr execute execute_no_trans };

# Allow reading of /proc/pid data for other domains.
# XXX dontaudit candidate
allow system_server domain:dir { open getattr read search ioctl };
allow system_server domain:file { getattr open read ioctl lock };

# LocationManager(e.g, GPS) needs to read and write
# to uart driver and ctrl proc entry
allow system_server gps_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow system_server gps_control:file { { getattr open read ioctl lock } { open append write } };

# Allow system_server to use app-created sockets.
allow system_server appdomain:{ tcp_socket udp_socket } { setopt read write };

# Allow abstract socket connection
allow system_server rild:unix_stream_socket connectto;

# connect to vpn tunnel
allow system_server mtp:unix_stream_socket { connectto };

# BackupManagerService lets PMS create a data backup file
allow system_server cache_backup_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Relabel /data/backup
allow system_server backup_data_file:dir { relabelto relabelfrom };
# Relabel /cache/.*\.{data|restore}
allow system_server cache_backup_file:file { relabelto relabelfrom };
# LocalTransport creates and relabels /cache/backup
allow system_server cache_backup_file:dir { relabelto relabelfrom { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } };

# Allow system to talk to usb device
allow system_server usb_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow system_server usb_device:dir { open getattr read search ioctl };

# Allow system to talk to sensors
allow system_server sensors_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Read from HW RNG (needed by EntropyMixer).
allow system_server hw_random_device:chr_file { getattr open read ioctl lock };

# Access to wake locks
allow system_server sysfs_wake_lock:file { { getattr open read ioctl lock } { open append write } };

# Read and delete files under /dev/fscklogs.
allow system_server fscklogs:dir { open getattr read search ioctl };
allow system_server fscklogs:{ file lnk_file } { getattr open read ioctl lock };
allow system_server fscklogs:dir { write remove_name };
allow system_server fscklogs:file unlink;

# For SELinuxPolicyInstallReceiver
# (Policy-update path: system_server stages the new policy files under
# security_file and sets security_prop. Loading the policy is not granted to
# this domain -- kernel:security load_policy is withheld -- so the load must
# be done by whoever reacts to the property, presumably init; verify that
# consumer validates what was staged.)
allow system_server security_file:dir { open getattr read search ioctl };
allow system_server security_file:file { getattr open read ioctl lock };
allow system_server security_file:lnk_file { getattr open read ioctl lock };
allow system_server selinuxfs:dir { open getattr read search ioctl };
allow system_server selinuxfs:file { getattr open read ioctl lock };
allow system_server rootfs:dir { open getattr read search ioctl };
allow system_server rootfs:file { getattr open read ioctl lock };
allow system_server property_socket:sock_file write;
allow system_server init:unix_stream_socket connectto;
allow system_server security_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow system_server security_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow system_server security_file:lnk_file { create rename unlink };
allow system_server security_prop:property_service set;

# For legacy unlabeled userdata on existing devices.
# See discussion of Unlabeled files in domain.te for more information.
# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
# NOTE(review): `unlabeled` covers every file on a not-yet-labeled /data, not
# only the dex cache, so any unlabeled file becomes mappable executable in
# this domain. Retire once labeling at boot is universal.
allow system_server unlabeled:file execute;

# logd access, system_server inherit logd write socket
# (urge is to deprecate this long term)
allow system_server zygote:unix_dgram_socket write;

# Be consistent with DAC permissions. Allow system_server to write to
# /sys/module/lowmemorykiller/parameters/adj
# /sys/module/lowmemorykiller/parameters/minfree
allow system_server sysfs_lowmemorykiller:file { open append write };
#line 1 "external/sepolicy/tee.te"
##
# trusted execution environment (tee) daemon
#
type tee, domain;
type tee_exec, exec_type, file_type;
type tee_device, dev_type;
type tee_data_file, file_type, data_file_type;

# init_daemon_domain(tee) expansion: init execs tee_exec and transitions
# into the tee domain.
# Old domain may exec the file and transition to the new domain.
allow init tee_exec:file { getattr open read execute };
allow init tee:process transition;
# New domain is entered by executing the file.
allow tee tee_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow tee init:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit init tee:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init tee:process { siginh rlimitinh };
# Make the transition occur by default.
type_transition init tee_exec:process tee;

type tee_tmpfs, file_type;
type_transition tee tmpfs:file tee_tmpfs;
allow tee tee_tmpfs:file { read write };

# NOTE(review): tee is not given unconfineddomain here, so these rules are its
# real limit. dac_override is its only capability; if tee_device and
# tee_data_file were owned by the daemon's own UID it could be dropped.
allow tee self:capability { dac_override };
allow tee tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
allow tee tee_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow tee tee_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# Generic netlink socket; the protocol family is not constrained at this level.
allow tee self:netlink_socket { create bind read };
#line 1 "external/sepolicy/ueventd.te"
# ueventd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type ueventd, domain;
type ueventd_tmpfs, file_type;
type_transition ueventd tmpfs:file ueventd_tmpfs;
allow ueventd ueventd_tmpfs:file { read write };

# Kernel-log access through a private device node named "__kmsg__" that
# ueventd creates and later unlinks under /dev.
type_transition ueventd device:chr_file klog_device "__kmsg__";
allow ueventd klog_device:chr_file { create open write unlink };
allow ueventd device:dir { write add_name remove_name };

# Read file_contexts and friends (needed to compute labels for the nodes
# and sysfs attributes it relabels below).
allow ueventd security_file:dir { open getattr read search ioctl };
allow ueventd security_file:file { getattr open read ioctl lock };
allow ueventd security_file:lnk_file { getattr open read ioctl lock };
allow ueventd selinuxfs:dir { open getattr read search ioctl };
allow ueventd selinuxfs:file { getattr open read ioctl lock };
allow ueventd rootfs:dir { open getattr read search ioctl };
allow ueventd rootfs:file { getattr open read ioctl lock };

typeattribute ueventd relabeltodomain;

# Entered via the seclabel in init.rc rather than a type transition.
allow ueventd rootfs:file entrypoint;
allow ueventd init:process sigchld;
# NOTE(review): no unconfineddomain here, so this is ueventd's actual
# capability set. chown/mknod/fowner/fsetid/setgid fit creating device nodes
# with the configured owner and mode; sys_rawio, net_admin and dac_override
# are less obvious -- worth confirming each has a consumer.
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
allow ueventd device:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow ueventd device:chr_file { { getattr open read ioctl lock } { open append write } };
allow ueventd sysfs:file { { getattr open read ioctl lock } { open append write } };
allow ueventd sysfs:file setattr;
# Labels sysfs attributes of any sysfs type (relabeltodomain above).
allow ueventd sysfs_type:file { relabelfrom relabelto };
allow ueventd sysfs_devices_system_cpu:file { { getattr open read ioctl lock } { open append write } };
allow ueventd tmpfs:chr_file { { getattr open read ioctl lock } { open append write } };
# Creates and removes device nodes and symlinks of every dev_type.
allow ueventd dev_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow ueventd dev_type:lnk_file { create unlink };
allow ueventd dev_type:chr_file { create setattr unlink };
allow ueventd dev_type:blk_file { create setattr unlink };
allow ueventd self:netlink_kobject_uevent_socket *;
allow ueventd efs_file:dir search;
allow ueventd efs_file:file { getattr open read ioctl lock };
#line 1 "external/sepolicy/unconfined.te"
#######################################################
#
# This is the unconfined template. This template is the base policy
# which is used by daemons and other privileged components of
# Android.
#
# Historically, this template was called "unconfined" because it
# allowed the domain to do anything it wanted. Over time,
# this has changed, and will continue to change in the future.
# The rules in this file will be removed when no remaining
# unconfined domains require it, or when the rules contradict
# Android security best practices. Domains which need rules not
# provided by the unconfined template should add them directly to
# the relevant policy.
#
# The use of this template is discouraged.
######################################################
#
# NOTE(review): in this listing the attribute is applied to system_app,
# system_server, uncrypt and untrusted_app, so every rule below is also the
# effective policy for third-party apps; the exclusion lists (~{ ... }) are the
# only MAC limits those domains have.

# Every capability in the class except the four listed (sys_admin, setuid,
# setgid, dac_override, chown, net_admin ... are all still granted).
allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module };
# All of capability2 except the two MAC-override capabilities.
allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
# Kernel "security" class minus policy loading and the enforcement toggles;
# the rest of the class (compute_av, check_context, ...) stays allowed.
allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
allow unconfineddomain kernel:system *;
# Any process operation on any domain except executable-memory, ptrace and
# domain-transition permissions: that still includes signal, sigkill and
# setsched towards every process on the device.
allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition };
allow unconfineddomain domain:fd *;
allow unconfineddomain domain:dir { open getattr read search ioctl };
allow unconfineddomain domain:lnk_file { getattr open read ioctl lock };
allow unconfineddomain domain:{ fifo_file file } { { getattr open read ioctl lock } { open append write } };
# Every socket class, every SysV IPC object and every kernel key of every domain.
allow unconfineddomain domain:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket } *;
allow unconfineddomain domain:{ sem msgq shm ipc } *;
allow unconfineddomain domain:key *;
# Filesystem objects: everything but relabelto on directories, symlinks,
# sockets and fifos; on files and character devices everything but
# entrypoint, execmod, execute and relabelto. Note that execute_no_trans is
# NOT excluded, which matters for the execute rule a few lines down.
allow unconfineddomain {fs_type dev_type file_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod execute relabelto};
# NOTE(review): together with the execute_no_trans left allowed above, this
# lets any unconfined domain run any rootfs or system_file binary and any
# exec_type daemon executable in its own domain, with no transition. That is
# the main reason the attribute should not be on app domains.
allow unconfineddomain { rootfs system_file exec_type }:file execute;
# Network: every node and interface, bind to any port, connect to any port.
allow unconfineddomain node_type:node *;
allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
allow unconfineddomain netif_type:netif *;
allow unconfineddomain port_type:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket } name_bind;
allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
allow unconfineddomain domain:peer recv;
# NOTE(review): set_context_mgr is the right to become the Binder context
# manager; it is granted here towards every domain except init instead of
# only servicemanager. The driver accepts a single context manager, so once
# servicemanager has registered this is largely latent, but it should still
# be narrowed to servicemanager.
allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };
# NOTE(review): `set` on every property type, including ctl_default_prop
# (start/stop init services), powerctl_prop (reboot) and security_prop. For
# the app domains carrying this attribute the only remaining gate is
# presumably the property service's own UID check -- verify.
allow unconfineddomain property_type:property_service set;
#line 1 "external/sepolicy/uncrypt.te"
# uncrypt
type uncrypt, domain;
type uncrypt_exec, exec_type, file_type;

# init_daemon_domain(uncrypt) expansion: init execs uncrypt_exec and
# transitions into the uncrypt domain.
# Old domain may exec the file and transition to the new domain.
allow init uncrypt_exec:file { getattr open read execute };
allow init uncrypt:process transition;
# New domain is entered by executing the file.
allow uncrypt uncrypt_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow uncrypt init:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit init uncrypt:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init uncrypt:process { siginh rlimitinh };
# Make the transition occur by default.
type_transition init uncrypt_exec:process uncrypt;

type uncrypt_tmpfs, file_type;
type_transition uncrypt tmpfs:file uncrypt_tmpfs;
allow uncrypt uncrypt_tmpfs:file { read write };

# NOTE(review): uncrypt is unconfined as well, so the rules below are the
# intended minimum rather than the current limit.
typeattribute uncrypt mlstrustedsubject;
typeattribute uncrypt unconfineddomain;

allow uncrypt self:capability dac_override;

# Read OTA zip file from /data/data/com.google.android.gsf/app_download
# NOTE(review): app_data_file is the type of every app's private data, so this
# is read access to all app sandboxes, not only GSF's. The package read here
# is app-controlled input that presumably feeds the raw block-device write
# below; make sure its contents are verified before use (not visible here).
allow uncrypt app_data_file:dir { open getattr read search ioctl };
allow uncrypt app_data_file:{ file lnk_file } { getattr open read ioctl lock };
# (uncrypt.te lines 12-15 were compiled out of this build: "#line 16".)

# Create tmp file /cache/recovery/command.tmp
# Read /cache/recovery/command
# Rename /cache/recovery/command.tmp to /cache/recovery/command
allow uncrypt cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow uncrypt cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Set a property to reboot the device.
allow uncrypt property_socket:sock_file write;
allow uncrypt init:unix_stream_socket connectto;
allow uncrypt powerctl_prop:property_service set;

# Raw writes to block device
# NOTE(review): sys_rawio is one of the four capabilities unconfined.te
# withholds, so this is a deliberate addition, and it comes with write on
# every block_device node. This is the privileged step the domain exists for;
# it is the one thing to confirm is reachable only through the path above.
allow uncrypt self:capability sys_rawio;
allow uncrypt block_device:blk_file { open append write };
#line 1 "external/sepolicy/untrusted_app.te"
###
### Untrusted apps.
###
### This file defines the rules for untrusted apps. An "untrusted
### app" is an APP with UID between APP_AID (10000)
### and AID_ISOLATED_START (99000).
###
### untrusted_app includes all the appdomain rules, plus the
### additional following rules:
###

type untrusted_app, domain;

# NOTE(review): untrusted_app -- every third-party app -- carries
# unconfineddomain and mlstrustedsubject. With the unconfined.te rules that
# means near-unrestricted MAC access (all capabilities but four, read/write on
# most file and device types, `set` on every property, bind to any port); the
# rules that follow are not what limits an app today, only DAC and the
# unconfined.te exclusion lists are. This should be the first attribute to go.
typeattribute untrusted_app mlstrustedsubject;
typeattribute untrusted_app unconfineddomain;

# app_domain(untrusted_app) expansion.
typeattribute untrusted_app appdomain;
# Label ashmem objects with our own unique type.
type untrusted_app_tmpfs, file_type;
type_transition untrusted_app tmpfs:file untrusted_app_tmpfs;
allow untrusted_app untrusted_app_tmpfs:file { read write };
# Map with PROT_EXEC.
allow untrusted_app untrusted_app_tmpfs:file execute;

typeattribute untrusted_app netdomain;
typeattribute untrusted_app bluetoothdomain;

# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
# (Writable-and-executable app data is a compatibility concession; nothing
# here verifies what gets executed.)
allow untrusted_app app_data_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };

# NOTE(review): read/write on the tun device node for every app; the DAC mode
# of the node is what actually gates this -- confirm it is not world-accessible.
allow untrusted_app tun_device:chr_file { { getattr open read ioctl lock } { open append write } };

# Internal SDCard rw access.
allow untrusted_app sdcard_internal:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow untrusted_app sdcard_internal:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# External SDCard rw access.
allow untrusted_app sdcard_external:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow untrusted_app sdcard_external:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# ASEC
allow untrusted_app asec_apk_file:dir { getattr };
allow untrusted_app asec_apk_file:file { getattr open read ioctl lock };
# Execute libs in asec containers.
allow untrusted_app asec_public_file:file execute;

# Create tcp/udp sockets
allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;
allow untrusted_app self:{ tcp_socket udp_socket } { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } accept listen };
# Bind to a particular hostname/address/interface (e.g., localhost) instead of
# ANY. Normally, apps should not be listening on all interfaces.
# (Only the generic `port` type is named here, presumably the default label
# for unreserved ports; unconfined.te separately allows name_bind on all of
# port_type while the attribute remains.)
allow untrusted_app port:{ tcp_socket udp_socket } name_bind;

# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
# Each domain gets a unique devpts type.
type untrusted_app_devpts, fs_type;
# Label the pty with the unique type when created.
type_transition untrusted_app devpts:chr_file untrusted_app_devpts;
# Allow use of the pty after creation.
allow untrusted_app untrusted_app_devpts:chr_file { open getattr read write ioctl };
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
# allowed to everyone via domain.te.

# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
# TODO: Long term, we don't want apps probing into shell data files.
# Figure out a way to remove these rules.
# NOTE(review): this is read access for every app to the shell user's files
# (e.g. anything pushed over adb), not only for the verifier.
allow untrusted_app shell_data_file:file { getattr open read ioctl lock };
allow untrusted_app shell_data_file:dir { open getattr read search ioctl };
#line 1 "external/sepolicy/vold.te"
# volume manager
type vold, domain;
type vold_exec, exec_type, file_type;

# init_daemon_domain(vold) expansion: init execs vold_exec and transitions
# into the vold domain.
# Old domain may exec the file and transition to the new domain.
allow init vold_exec:file { getattr open read execute };
allow init vold:process transition;
# New domain is entered by executing the file.
allow vold vold_exec:file { entrypoint read execute };
# New domain can send SIGCHLD to its caller.
allow vold init:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit init vold:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow init vold:process { siginh rlimitinh };
# Make the transition occur by default.
9384#line 5 9385type_transition init vold_exec:process vold; 9386#line 5 9387 9388#line 5 9389 9390#line 5 9391type vold_tmpfs, file_type; 9392#line 5 9393type_transition vold tmpfs:file vold_tmpfs; 9394#line 5 9395allow vold vold_tmpfs:file { read write }; 9396#line 5 9397 9398#line 5 9399 9400 9401typeattribute vold mlstrustedsubject; 9402allow vold system_file:file { getattr execute execute_no_trans }; 9403allow vold block_device:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; 9404allow vold block_device:blk_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; 9405allow vold device:dir write; 9406allow vold devpts:chr_file { { getattr open read ioctl lock } { open append write } }; 9407allow vold rootfs:dir mounton; 9408allow vold sdcard_type:dir mounton; 9409allow vold sdcard_type:filesystem { mount remount unmount }; 9410allow vold sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; 9411allow vold sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; 9412allow vold tmpfs:filesystem { mount unmount }; 9413allow vold tmpfs:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; 9414allow vold tmpfs:dir mounton; 9415allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid }; 9416allow vold self:netlink_kobject_uevent_socket *; 9417allow vold app_data_file:dir search; 9418allow vold app_data_file:file { { getattr open read ioctl lock } { open append write } }; 9419allow vold loop_device:blk_file { { getattr open read ioctl lock } { open append write } }; 9420allow vold dm_device:chr_file { { 
getattr open read ioctl lock } { open append write } }; 9421# For vold Process::killProcessesWithOpenFiles function. 9422allow vold domain:dir { open getattr read search ioctl }; 9423allow vold domain:{ file lnk_file } { getattr open read ioctl lock }; 9424allow vold domain:process { signal sigkill }; 9425allow vold self:capability { sys_ptrace kill }; 9426 9427# For blkid 9428allow vold shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; 9429 9430# XXX Label sysfs files with a specific type? 9431allow vold sysfs:file { { getattr open read ioctl lock } { open append write } }; 9432 9433 9434#line 39 9435type_transition vold device:chr_file klog_device "__kmsg__"; 9436#line 39 9437allow vold klog_device:chr_file { create open write unlink }; 9438#line 39 9439allow vold device:dir { write add_name remove_name }; 9440#line 39 9441 9442 9443# Log fsck results 9444allow vold fscklogs:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; 9445allow vold fscklogs:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; 9446 9447# 9448# Rules to support encrypted fs support. 9449# 9450 9451# Set property. 9452 9453#line 50 9454allow vold property_socket:sock_file write; 9455#line 50 9456allow vold init:unix_stream_socket connectto; 9457#line 50 9458 9459 9460# Unmount and mount the fs. 9461allow vold labeledfs:filesystem { mount unmount remount }; 9462 9463# Access /efs/userdata_footer. 9464# XXX Split into a separate type? 9465allow vold efs_file:file { { getattr open read ioctl lock } { open append write } }; 9466 9467# Create and mount on /data/tmp_mnt. 
9468allow vold system_data_file:dir { create { { open getattr read search ioctl } { open search write add_name remove_name } } mounton }; 9469 9470# Set scheduling policy of kernel processes 9471allow vold kernel:process setsched; 9472 9473# Property Service 9474allow vold vold_prop:property_service set; 9475allow vold powerctl_prop:property_service set; 9476allow vold ctl_default_prop:property_service set; 9477 9478# ASEC 9479allow vold asec_image_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; 9480allow vold asec_image_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; 9481 9482#line 73 9483allow vold security_file:dir { open getattr read search ioctl }; 9484#line 73 9485allow vold security_file:file { getattr open read ioctl lock }; 9486#line 73 9487allow vold security_file:lnk_file { getattr open read ioctl lock }; 9488#line 73 9489allow vold selinuxfs:dir { open getattr read search ioctl }; 9490#line 73 9491allow vold selinuxfs:file { getattr open read ioctl lock }; 9492#line 73 9493allow vold rootfs:dir { open getattr read search ioctl }; 9494#line 73 9495allow vold rootfs:file { getattr open read ioctl lock }; 9496#line 73 9497 9498 9499#line 74 9500typeattribute vold relabeltodomain; 9501#line 74 9502 9503allow vold asec_apk_file:dir { { { open getattr read search ioctl } { open search write add_name remove_name } } setattr relabelfrom }; 9504allow vold asec_public_file:dir { relabelto setattr }; 9505allow vold asec_apk_file:file { { getattr open read ioctl lock } setattr relabelfrom }; 9506allow vold asec_public_file:file { relabelto setattr }; 9507 9508# Handle wake locks (used for device encryption) 9509allow vold sysfs_wake_lock:file { { getattr open read ioctl lock } { open append write } }; 9510allow vold self:capability2 block_suspend; 9511#line 1 "external/sepolicy/watchdogd.te" 9512# watchdogd seclabel is specified in init.<board>.rc 
type watchdogd, domain;
# No watchdogd_exec type and no type_transition from init: the binary lives on
# rootfs (entrypoint on rootfs:file) and the domain is entered through the
# seclabel in init.<board>.rc as the comment above says, not by exec labeling.
allow watchdogd rootfs:file { entrypoint { getattr open read ioctl lock } };
allow watchdogd self:capability mknod;
allow watchdogd device:dir { add_name write remove_name };
allow watchdogd watchdog_device:chr_file { { getattr open read ioctl lock } { open append write } };
# because of /dev/__kmsg__ and /dev/__null__

#line 8
type_transition watchdogd device:chr_file klog_device "__kmsg__";
#line 8
allow watchdogd klog_device:chr_file { create open write unlink };
#line 8
allow watchdogd device:dir { write add_name remove_name };
#line 8

type_transition watchdogd device:chr_file null_device "__null__";
allow watchdogd null_device:chr_file { create unlink };
#line 1 "external/sepolicy/wpa_supplicant.te"
# wpa - wpa supplicant or equivalent
type wpa, domain;
type wpa_exec, exec_type, file_type;


#line 5

#line 5
# Allow the necessary permissions.
#line 5

#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init wpa_exec:file { getattr open read execute };
#line 5
allow init wpa:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow wpa wpa_exec:file { entrypoint read execute };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
allow wpa init:process sigchld;
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init wpa:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init wpa:process { siginh rlimitinh };
#line 5

#line 5
# Make the transition occur by default.
#line 5
type_transition init wpa_exec:process wpa;
#line 5

#line 5

#line 5
type wpa_tmpfs, file_type;
#line 5
type_transition wpa tmpfs:file wpa_tmpfs;
#line 5
allow wpa wpa_tmpfs:file { read write };
#line 5

#line 5

# module_request: wpa may ask the kernel to autoload a module by name. The
# usermodehelper path that services such requests is labeled separately in
# genfs_contexts (end of the listing); keep write access to it out of this domain.
allow wpa kernel:system module_request;
# setuid/setgid are presumably for dropping privileges after startup - confirm.
# net_admin/net_raw cover interface configuration and raw frames.
allow wpa self:capability { setuid net_admin setgid net_raw };
allow wpa cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
# Four wildcard ('*') socket grants: all permissions of each class. An
# explicit list would make future class changes reviewable here.
allow wpa self:netlink_route_socket *;
allow wpa self:netlink_socket *;
allow wpa self:packet_socket *;
allow wpa self:udp_socket *;
allow wpa wifi_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow wpa wifi_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

#line 15
allow wpa system_wpa_socket:sock_file write;
#line 15
allow wpa system_server:unix_dgram_socket sendto;
#line 15

allow wpa random_device:chr_file { getattr open read ioctl lock };

# Create a socket for receiving info from wpa
type_transition wpa wifi_data_file:sock_file wpa_socket;
allow wpa wpa_socket:dir { { { open getattr read search ioctl } { open search write add_name remove_name } } setattr };
allow wpa wpa_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };

# Allow wpa_cli to work. wpa_cli creates a socket in
# /data/misc/wifi/sockets which wpa supplicant communicates with.
# NOTE(review): the expansion of wpa_supplicant.te line 27 is empty in this
# listing, so the wpa_cli comment above is not backed by any rule here.
# Confirm the intended rule still exists (it may be granted from the
# wpa_cli side, which is outside this file).
#line 27

#line 1 "external/sepolicy/zygote.te"
# zygote
type zygote, domain;
type zygote_exec, exec_type, file_type;


#line 5

#line 5
# Allow the necessary permissions.
#line 5

#line 5
# Old domain may exec the file and transition to the new domain.
#line 5
allow init zygote_exec:file { getattr open read execute };
#line 5
allow init zygote:process transition;
#line 5
# New domain is entered by executing the file.
#line 5
allow zygote zygote_exec:file { entrypoint read execute };
#line 5
# New domain can send SIGCHLD to its caller.
#line 5
allow zygote init:process sigchld;
#line 5
# Enable AT_SECURE, i.e. libc secure mode.
#line 5
dontaudit init zygote:process noatsecure;
#line 5
# XXX dontaudit candidate but requires further study.
#line 5
allow init zygote:process { siginh rlimitinh };
#line 5

#line 5
# Make the transition occur by default.
#line 5
type_transition init zygote_exec:process zygote;
#line 5

#line 5

#line 5
type zygote_tmpfs, file_type;
#line 5
type_transition zygote tmpfs:file zygote_tmpfs;
#line 5
allow zygote zygote_tmpfs:file { read write };
#line 5

#line 5

typeattribute zygote mlstrustedsubject;
# Override DAC on files and switch uid/gid.
allow zygote self:capability { dac_override setgid setuid fowner };
# Drop capabilities from bounding set.
allow zygote self:capability setpcap;
# Switch SELinux context to app domains.
# dyntransition is a context change without exec: zygote chooses the target
# domain itself at fork time, so the seapp_contexts data read further below
# decides which domain every app process lands in. Any domain reachable as
# system_server or via the appdomain attribute is a valid target here.
allow zygote system_server:process dyntransition;
allow zygote appdomain:process dyntransition;
# Allow zygote to read app /proc/pid dirs (b/10455872)
allow zygote appdomain:dir { getattr search };
allow zygote appdomain:file { { getattr open read ioctl lock } };
# Move children into the peer process group.
allow zygote system_server:process { getpgid setpgid };
allow zygote appdomain:process { getpgid setpgid };
# Write to system data.
allow zygote system_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow zygote system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
allow zygote dalvikcache_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
allow zygote dalvikcache_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
# For art.
# Note: zygote can both write and execute dalvikcache_data_file (this rule plus
# the create/write rule above), so cache integrity rests on DAC and on the
# writers, not on a write/execute split in this policy.
allow zygote dalvikcache_data_file:file execute;
# Execute dexopt.
allow zygote system_file:file { getattr execute execute_no_trans };
# Control cgroups.
allow zygote cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
allow zygote self:capability sys_admin;
# Check validity of SELinux context before use.
# The selinuxfs:file write below is what check_context/compute_av need. The
# only security-class permissions granted to zygote in this file are
# check_context and compute_av; changing enforcement or loading policy are
# separate permissions that are not granted here.

#line 33
allow zygote selinuxfs:dir { open getattr read search ioctl };
#line 33
allow zygote selinuxfs:file { { getattr open read ioctl lock } { open append write } };
#line 33
allow zygote kernel:security check_context;
#line 33

# Check SELinux permissions.

#line 35
allow zygote selinuxfs:dir { open getattr read search ioctl };
#line 35
allow zygote selinuxfs:file { { getattr open read ioctl lock } { open append write } };
#line 35
allow zygote kernel:security compute_av;
#line 35
allow zygote self:netlink_selinux_socket *;
#line 35

# Read /seapp_contexts and /data/security/seapp_contexts

#line 37
allow zygote security_file:dir { open getattr read search ioctl };
#line 37
allow zygote security_file:file { getattr open read ioctl lock };
#line 37
allow zygote security_file:lnk_file { getattr open read ioctl lock };
#line 37
allow zygote selinuxfs:dir { open getattr read search ioctl };
#line 37
allow zygote selinuxfs:file { getattr open read ioctl lock };
#line 37
allow zygote rootfs:dir { open getattr read search ioctl };
#line 37
allow zygote rootfs:file { getattr open read ioctl lock };
#line 37


# Setting up /storage/emulated.
allow zygote rootfs:dir mounton;
allow zygote sdcard_type:dir { write search setattr create add_name mounton };
dontaudit zygote self:capability fsetid;
allow zygote tmpfs:dir { write create add_name setattr mounton search };
allow zygote tmpfs:filesystem mount;
allow zygote labeledfs:filesystem remount;

# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file { execute_no_trans open };

# handle bugreports b/10498304
# Write and getattr only (no create, no read) on shell data files.
allow zygote ashmem_device:chr_file execute;
allow zygote shell_data_file:file { write getattr };
allow zygote system_server:binder { transfer call };
allow zygote servicemanager:binder { call };

# For legacy unlabeled userdata on existing devices.
# See discussion of Unlabeled files in domain.te for more information.
# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
allow zygote unlabeled:file execute;
#line 1 "build/target/board/generic/sepolicy/bootanim.te"
# Board-specific (generic/emulator) additions. execmem relaxes the
# writable-and-executable memory restriction for these two domains; the rules
# only enter builds that include this board's policy directory.
allow bootanim self:process execmem;
allow bootanim ashmem_device:chr_file execute;
#line 1 "build/target/board/generic/sepolicy/domain.te"
# For /sys/qemu_trace files in the emulator.
# This grants read/write to every domain (domain attribute) on the emulator
# build; a device board policy should scope it to the domains that need it.
allow domain sysfs_writable:file { { getattr open read ioctl lock } { open append write } };
#line 1 "build/target/board/generic/sepolicy/surfaceflinger.te"
allow surfaceflinger self:process execmem;
allow surfaceflinger ashmem_device:chr_file execute;
#line 1 "external/sepolicy/roles"
# A single role holding every domain type.
role r;
role r types domain;
#line 1 "external/sepolicy/users"
# A single user at one sensitivity (s0); the high end of the range carries all
# categories c0..c1023, so any MLS separation is expressed with categories only.
user u roles { r } level s0 range s0 - s0:c0.c1023;
#line 1 "external/sepolicy/initial_sid_contexts"
# Contexts for the initial SIDs declared in initial_sids. Most fall back to
# unlabeled; the exceptions are kernel, security (kernel), fs (labeledfs),
# port, netif, node, sysctl (proc) and devnull (null_device).
sid kernel u:r:kernel:s0
sid security u:object_r:kernel:s0
sid unlabeled u:object_r:unlabeled:s0
sid fs u:object_r:labeledfs:s0
sid file u:object_r:unlabeled:s0
sid file_labels u:object_r:unlabeled:s0
sid init u:object_r:unlabeled:s0
sid any_socket u:object_r:unlabeled:s0
sid port u:object_r:port:s0
sid netif u:object_r:netif:s0
sid netmsg u:object_r:unlabeled:s0
sid node u:object_r:node:s0
sid igmp_packet u:object_r:unlabeled:s0
sid icmp_socket u:object_r:unlabeled:s0
sid tcp_socket u:object_r:unlabeled:s0
sid sysctl_modprobe u:object_r:unlabeled:s0
sid sysctl u:object_r:proc:s0
sid sysctl_fs u:object_r:unlabeled:s0
sid sysctl_kernel u:object_r:unlabeled:s0
sid sysctl_net u:object_r:unlabeled:s0
sid sysctl_net_unix u:object_r:unlabeled:s0
sid sysctl_vm u:object_r:unlabeled:s0
sid sysctl_dev u:object_r:unlabeled:s0
sid kmod u:object_r:unlabeled:s0
sid policy u:object_r:unlabeled:s0
sid scmp_packet u:object_r:unlabeled:s0
sid devnull u:object_r:null_device:s0
#line 1 "external/sepolicy/fs_use"
# Label inodes via getxattr.
# These filesystems carry a per-inode label in an xattr, and the filesystem
# object itself is labeledfs - the type vold is allowed to mount, unmount and
# remount in vold.te above.
fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
fs_use_xattr jffs2 u:object_r:labeledfs:s0;
fs_use_xattr ext2 u:object_r:labeledfs:s0;
fs_use_xattr ext3 u:object_r:labeledfs:s0;
fs_use_xattr ext4 u:object_r:labeledfs:s0;
fs_use_xattr xfs u:object_r:labeledfs:s0;
fs_use_xattr btrfs u:object_r:labeledfs:s0;

# Label inodes from task label.
fs_use_task pipefs u:object_r:pipefs:s0;
fs_use_task sockfs u:object_r:sockfs:s0;

# Label inodes from combination of task label and fs label.
# Define type_transition rules if you want per-domain types.
# devpts and tmpfs rely on this: the per-domain *_devpts and *_tmpfs types
# declared in the .te files above are reached through type_transition.
fs_use_trans devpts u:object_r:devpts:s0;
fs_use_trans tmpfs u:object_r:tmpfs:s0;
fs_use_trans devtmpfs u:object_r:device:s0;
fs_use_trans shm u:object_r:shm:s0;
fs_use_trans mqueue u:object_r:mqueue:s0;

#line 1 "external/sepolicy/genfs_contexts"
# Label inodes with the fs label.
genfscon rootfs / u:object_r:rootfs:s0
# proc labeling can be further refined (longest matching prefix).
# Two labels separate the sensitive sysctls from the rest of proc:
# proc_security for hardening knobs (protected_*links, suid_dumpable,
# dmesg_restrict, kptr_restrict, modules_disabled, randomize_va_space,
# mmap_min_addr) and usermodehelper for entries that name a program the
# kernel will execute (core_pattern, hotplug, modprobe, poweroff_cmd,
# usermodehelper). Write access to either label should be reviewed on its own.
genfscon proc / u:object_r:proc:s0
genfscon proc /net u:object_r:proc_net:s0
genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
genfscon proc /sys/net u:object_r:proc_net:s0
genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
# selinuxfs booleans can be individually labeled.
genfscon selinuxfs / u:object_r:selinuxfs:s0
genfscon cgroup / u:object_r:cgroup:s0
# sysfs labels can be set by userspace.
# Until that is done, all of sysfs shares one label, which is why the
# sysfs:file rw rule in vold.te above covers the whole tree (see its XXX).
genfscon sysfs / u:object_r:sysfs:s0
genfscon inotifyfs / u:object_r:inotify:s0
# Whole-filesystem labels for shared storage: every inode on vfat is
# sdcard_external and every inode on fuse is sdcard_internal. The
# untrusted_app sdcard rules above are therefore all-or-nothing per
# filesystem, with no per-app distinction at the SELinux layer.
genfscon vfat / u:object_r:sdcard_external:s0
genfscon debugfs / u:object_r:debugfs:s0
genfscon fuse / u:object_r:sdcard_internal:s0
#line 1 "external/sepolicy/port_contexts"
# portcon statements go here, e.g.
# portcon tcp 80 u:object_r:http_port:s0
# NOTE(review): no portcon statements are defined, so every port carries the
# initial-SID context u:object_r:port:s0 from initial_sid_contexts above. The
# untrusted_app name_bind rule on the port type consequently applies to all
# ports; adding portcon entries here is what would let the policy distinguish
# which ports a domain may bind.
