untrusted_app.te - OpenGrok cross reference for /system/sepolicy/untrusted

Lines Matching refs:to
6 ### optionally package name to seinfo value) and seapp_contexts (maps UID
7 ### and optionally seinfo value to domain for process and type for data
12 ### domain is assigned to all non-system apps as well as to any system apps
14 ### a system app into a specific domain, add a signer entry for it to
29 # to their sandbox directory and then execute.
44 # Figure out a way to remove these rules.
55 # This includes what used to be media_app, shared_app, and release_app.
58 # Access to /data/media.
63 # TODO: narrow this to just MediaProvider
66 # allow cts to query all services
81 # Allow GMS core to access perfprofd output, which is stored
82 # in /data/misc/perfprofd/. GMS core will need to list all
83 # data stored in that directory to process them one by one.
89 # gdbserver for ndk-gdb ptrace attaches to app process.
92 # Programs routinely attempt to scan through /system, looking
96 # TODO: switch to meminfo service
119 # best practice to ensure these files aren't readable.
122 # Do not allow untrusted apps to register services.
127 # Do not allow untrusted_apps to connect to the property service
133 # Do not allow untrusted_app to be assigned mlstrustedsubject.
136 # constraints.  As there is no direct way to specify a neverallow
139 # never be granted to any other domain within mlstrustedsubject)
140 # and untrusted_app is allowed fork permission to itself.
143 # Do not allow untrusted_app to hard link to any files.
144 # In particular, if untrusted_app links to other app data
145 # files, installd will not be able to guarantee the deletion
146 # of the linked to file. Hard links also contribute to security
147 # bugs, so we want to ensure untrusted_app never has this
151 # Do not allow untrusted_app to access network MAC address file
168 # Do not allow untrusted_app access to /cache
172 # Do not allow untrusted_app to set system properties.
176 # Do not allow untrusted_app to create/unlink files outside of its sandbox,
178 # World accessible data locations allow application to fill the device
189   -user_profile_data_file   # Access to profile files
190   -user_profile_foreign_dex_data_file   # Access to profile files
197 # Do not allow untrusted_app to directly open tun_device
200 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)