Lines Matching refs:domain
4 allow domain init:process sigchld;
7 allow domain kernel:fd use;
8 allow domain tmpfs:file { read getattr };
9 allow domain tmpfs:lnk_file { read getattr };
12 allow domain tmpfs:dir r_dir_perms;
14 # Intra-domain accesses.
15 allow domain self:process {
32 allow domain self:fd use;
33 allow domain self:dir r_dir_perms;
34 allow domain self:lnk_file r_file_perms;
35 allow domain self:{ fifo_file file } rw_file_perms;
36 allow domain self:unix_dgram_socket { create_socket_perms sendto };
37 allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
40 allow domain init:fd use;
41 allow domain system_server:fd use;
45 allow domain adbd:unix_stream_socket connectto;
46 allow domain adbd:fd use;
47 allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };
51 allow domain su:unix_stream_socket connectto;
52 allow domain su:fd use;
53 allow domain su:unix_stream_socket { getattr getopt read write shutdown };
55 binder_call({ domain -init }, su)
59 allow domain su:fifo_file { write getattr };
62 allow domain su:process sigchld;
65 allow domain coredump_file:file create_file_perms;
66 allow domain coredump_file:dir ra_dir_perms;
72 allow domain debuggerd:process sigchld;
73 allow domain debuggerd:unix_stream_socket connectto;
76 allow domain rootfs:dir r_dir_perms;
77 allow domain rootfs:file r_file_perms;
78 allow domain rootfs:lnk_file r_file_perms;
81 allow domain device:dir search;
82 allow domain dev_type:lnk_file r_file_perms;
83 allow domain devpts:dir search;
84 allow domain device:file read;
85 allow domain socket_device:dir r_dir_perms;
86 allow domain owntty_device:chr_file rw_file_perms;
87 allow domain null_device:chr_file rw_file_perms;
88 allow domain zero_device:chr_file rw_file_perms;
89 allow domain ashmem_device:chr_file rw_file_perms;
90 allow domain binder_device:chr_file rw_file_perms;
91 allow domain ptmx_device:chr_file rw_file_perms;
92 allow domain alarm_device:chr_file r_file_perms;
93 allow domain urandom_device:chr_file rw_file_perms;
94 allow domain random_device:chr_file rw_file_perms;
95 allow domain properties_device:file r_file_perms;
96 allow domain init:key search;
97 allow domain vold:key search;
100 write_logd(domain)
103 allow domain fs_type:filesystem getattr;
104 allow domain fs_type:dir getattr;
107 allow domain system_file:dir r_dir_perms;
108 allow domain system_file:file r_file_perms;
109 allow domain system_file:file execute;
110 allow domain system_file:lnk_file r_file_perms;
114 allow { domain -kernel -init } toolbox_exec:file rx_file_perms;
117 allow domain system_data_file:dir { search getattr };
118 allow domain system_data_file:file { getattr read };
119 allow domain system_data_file:lnk_file r_file_perms;
122 allow domain apk_data_file:dir { getattr search };
123 allow domain apk_data_file:file r_file_perms;
124 allow domain apk_data_file:lnk_file r_file_perms;
127 allow domain dalvikcache_data_file:dir { search getattr };
128 allow domain dalvikcache_data_file:file r_file_perms;
131 allow domain cache_file:dir r_dir_perms;
132 allow domain cache_file:file { getattr read };
133 allow domain cache_file:lnk_file r_file_perms;
136 r_dir_file(domain, zoneinfo_data_file)
139 allow domain cgroup:dir { search write };
140 allow domain cgroup:file w_file_perms;
143 allow domain ion_device:chr_file rw_file_perms;
146 r_dir_file(domain, proc)
147 r_dir_file(domain, sysfs)
148 r_dir_file(domain, sysfs_devices_system_cpu)
149 r_dir_file(domain, inotify)
150 r_dir_file(domain, cgroup)
151 r_dir_file(domain, proc_net)
152 allow domain proc_cpuinfo:file r_file_perms;
155 allow domain debugfs:dir r_dir_perms;
156 allow domain debugfs:file w_file_perms;
159 allow domain selinuxfs:dir r_dir_perms;
160 allow domain selinuxfs:file r_file_perms;
163 allow domain security_file:dir { search getattr };
164 allow domain security_file:file getattr;
165 allow domain security_file:lnk_file r_file_perms;
168 allow domain asec_public_file:file r_file_perms;
169 allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
175 # Do not allow any domain other than init or recovery to create unlabeled files.
176 neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
181 domain
192 domain
200 neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self…
203 neverallow domain self:memprotect mmap_zero;
205 # No domain needs mac_override as it is unused by SELinux.
206 neverallow domain self:capability2 mac_override;
209 neverallow { domain -recovery } self:capability2 mac_admin;
212 # The first load technically occurs while still in the kernel domain,
214 # Policy reload requires allowing this to the init domain.
215 neverallow { domain -init } kernel:security load_policy;
219 neverallow { domain -init -system_server } security_prop:property_service set;
224 neverallow { domain -init } security_file:{ dir file lnk_file } { relabelfrom relabelto };
228 neverallow { domain -init -system_server } security_file:dir { create setattr };
230 neverallow { domain -system_server } security_file:dir { rename write add_name remove_name rmdir };
231 neverallow { domain -system_server } security_file:file { create setattr write append unlink link r…
232 neverallow { domain -system_server } security_file:lnk_file { create setattr unlink rename };
235 # init starts in kernel domain and switches to init domain via setcon in
238 neverallow domain kernel:security setenforce;
239 neverallow { domain -kernel } kernel:security setcheckreqprot;
242 neverallow domain kernel:security setbool;
247 neverallow { domain -init } kernel:security setsecparam;
250 neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;
253 neverallow domain { file_type -exec_type }:file entrypoint;
256 neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
257 neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };
261 neverallow { domain -init } usermodehelper:file { append write };
262 neverallow { domain -init } proc_security:file { append write };
264 # No domain should be allowed to ptrace init.
265 neverallow domain init:process ptrace;
268 # triggered, it's probably due to a service with no SELinux domain.
269 neverallow domain init:binder *;
273 neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read writ…
279 neverallow { domain -init -ueventd } device:chr_file { open read write };
284 neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { m…
291 domain
300 domain
306 neverallow { domain -init } property_data_file:dir no_w_dir_perms;
307 neverallow { domain -init } property_data_file:file no_w_file_perms;
310 neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
312 neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
315 neverallow domain { system_file exec_type }:dir_file_class_set mounton;
318 neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
322 neverallow domain {fs_type -contextmount_type}:filesystem relabelto;
327 neverallow { domain -recovery } contextmount_type:dir_file_class_set
335 neverallow domain default_android_service:service_manager add;
339 neverallow { domain -init } default_prop:property_service set;
341 neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
343 # No domain other than recovery can write to system.
344 neverallow { domain -recovery } system_block_device:blk_file write;
347 neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
350 neverallow { domain -servicemanager } *:binder set_context_mgr;
355 domain
363 domain
371 neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
372 neverallow { domain -system_server } zygote_socket:sock_file write;
390 neverallow domain domain:{ shm sem msg msgq } *;
394 neverallow domain { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
399 neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
406 neverallow domain {
417 # neverallow { domain -appdomain } file_type:file execmod;
419 neverallow { domain -init } proc:{ file dir } mounton;
422 # in the domain attribute, so that all allow and neverallow rules
423 # written on domain are applied to all processes.
425 # from a domain to a non-domain type and vice versa.
426 neverallow domain ~domain:process { transition dyntransition };
427 neverallow ~domain domain:process { transition dyntransition };
438 domain
449 # Only these domains should transition to shell domain. This domain is
451 # script with differing privilege, define a domain and set up a transition.
454 domain
464 domain
471 domain