# Type declarations for filesystems, files and sockets, followed by the
# filesystem "associate" rules that tie those types to the filesystems they
# may be labeled on. The attributes used here (fs_type, file_type,
# data_file_type, sysfs_type, debugfs_type, sdcard_type, contextmount_type,
# exec_type, dev_type, mlstrustedobject) are not declared in this listing.
#
# NOTE(review): mlstrustedobject is attached to many types below. Its effect
# is set by the MLS constraints, which are not shown here; presumably it
# exempts the object from MLS/category separation checks, so each use is
# worth confirming whenever a type is added or changed.

# Filesystem types
type labeledfs, fs_type;
type pipefs, fs_type;
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type;
# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type;
# Type for /proc/sys/vm/drop_caches
type proc_drop_caches, fs_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type, sysfs_type;
type qtaguid_proc, fs_type, mlstrustedobject;
type proc_bluetooth_writable, fs_type;
type proc_cpuinfo, fs_type;
type proc_iomem, fs_type;
type proc_meminfo, fs_type;
type proc_net, fs_type;
type proc_sysrq, fs_type;
type proc_uid_cputime_showstat, fs_type;
type proc_uid_cputime_removeuid, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_mac_address, fs_type, sysfs_type;
# NOTE(review): sysfs_usb carries file_type rather than fs_type, unlike the
# other sysfs_* types in this list; confirm this is intentional.
type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
type configfs, fs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
# /sys/module/lowmemorykiller
type sysfs_lowmemorykiller, fs_type, sysfs_type;

type sysfs_thermal, sysfs_type, fs_type;

type sysfs_zram, fs_type, sysfs_type;
type sysfs_zram_uevent, fs_type, sysfs_type;
type inotify, fs_type, mlstrustedobject;
type devpts, fs_type, mlstrustedobject;
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;
type fuse, sdcard_type, fs_type, mlstrustedobject;
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing, fs_type, debugfs_type;
type pstorefs, fs_type;
type functionfs, fs_type;
type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
type binfmt_miscfs, fs_type;
type app_fusefs, fs_type, contextmount_type;

# File types
type unlabeled, file_type;
# Default type for anything under /system.
type system_file, file_type;
# Type for /system/bin/logcat.
type logcat_exec, exec_type, file_type;
# /cores for coredumps on userdebug / eng builds
type coredump_file, file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type;
# Unencrypted data
type unencrypted_data_file, file_type, data_file_type;
# /data/.layout_version or other installd-created files that
# are created in a system_data_file directory.
type install_data_file, file_type, data_file_type;
# /data/drm - DRM plugin data
type drm_data_file, file_type, data_file_type;
# /data/adb - adb debugging files
type adb_data_file, file_type, data_file_type;
# /data/anr - ANR traces
type anr_data_file, file_type, data_file_type, mlstrustedobject;
# /data/tombstones - core dumps
type tombstone_data_file, file_type, data_file_type;
# /data/app - user-installed apps
type apk_data_file, file_type, data_file_type;
type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/app-private - forward-locked apps
type apk_private_data_file, file_type, data_file_type;
type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type;
# /data/ota
type ota_data_file, file_type, data_file_type;
# /data/misc/profiles
type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
type user_profile_foreign_dex_data_file, file_type, data_file_type, mlstrustedobject;
# /data/misc/profman
type profman_dump_data_file, file_type, data_file_type;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type;
# /data/local - writable by shell
type shell_data_file, file_type, data_file_type, mlstrustedobject;
# /data/gps
type gps_data_file, file_type, data_file_type;
# /data/property
type property_data_file, file_type, data_file_type;
# /data/bootchart
type bootchart_data_file, file_type, data_file_type;
# /data/system/heapdump
type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
# /data/nativetest
type nativetest_data_file, file_type, data_file_type;
# /data/system_de/0/ringtones
type ringtone_file, file_type, data_file_type, mlstrustedobject;
# /data/preloads
type preloads_data_file, file_type, data_file_type;

# Mount locations managed by vold
type mnt_media_rw_file, file_type;
type mnt_user_file, file_type;
type mnt_expand_file, file_type;
type storage_file, file_type;

# Label for storage dirs which are just mount stubs
type mnt_media_rw_stub_file, file_type;
type storage_stub_file, file_type;

# /postinstall: Mount point used by update_engine to run postinstall.
type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
type postinstall_file, file_type;

# /data/misc subdirectories
# Several of these names suggest credential or key material (adb_keys_file,
# gatekeeper_data_file, keychain_data_file, keystore_data_file,
# systemkeys_data_file, vpn_data_file, wifi_data_file); none of those carries
# mlstrustedobject in this list.
type adb_keys_file, file_type, data_file_type;
type audio_data_file, file_type, data_file_type;
type audioserver_data_file, file_type, data_file_type;
type bluetooth_data_file, file_type, data_file_type;
type bootstat_data_file, file_type, data_file_type;
type boottrace_data_file, file_type, data_file_type;
type camera_data_file, file_type, data_file_type;
type gatekeeper_data_file, file_type, data_file_type;
type keychain_data_file, file_type, data_file_type;
type keystore_data_file, file_type, data_file_type;
type media_data_file, file_type, data_file_type;
type media_rw_data_file, file_type, data_file_type, mlstrustedobject;
type misc_user_data_file, file_type, data_file_type;
type net_data_file, file_type, data_file_type;
type nfc_data_file, file_type, data_file_type;
type radio_data_file, file_type, data_file_type, mlstrustedobject;
type recovery_data_file, file_type, data_file_type;
type shared_relro_file, file_type, data_file_type;
type systemkeys_data_file, file_type, data_file_type;
type vpn_data_file, file_type, data_file_type;
type wifi_data_file, file_type, data_file_type;
type zoneinfo_data_file, file_type, data_file_type;
type vold_data_file, file_type, data_file_type;
type perfprofd_data_file, file_type, data_file_type, mlstrustedobject;
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, mlstrustedobject;

# Compatibility with type names used in vanilla Android 4.3 and 4.4.
# The alias makes audio_firmware_file another name for audio_data_file.
typealias audio_data_file alias audio_firmware_file;
# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type;
type autoplay_data_file, file_type, data_file_type;
# /data/data subdirectory for system UID apps.
type system_app_data_file, file_type, data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4.
# Both legacy names below resolve to app_data_file, so any rule written
# against either name applies to app_data_file itself.
typealias app_data_file alias platform_app_data_file;
typealias app_data_file alias download_file;
# Default type for anything under /cache
type cache_file, file_type, mlstrustedobject;
# Type for /cache/backup_stage/* (fd interchange with apps)
type cache_backup_file, file_type, mlstrustedobject;
# Type for anything under /cache/backup (local transport storage)
type cache_private_backup_file, file_type;
# Type for anything under /cache/recovery
type cache_recovery_file, file_type, mlstrustedobject;
# Default type for anything under /efs
type efs_file, file_type;
# Type for wallpaper file.
type wallpaper_file, file_type, data_file_type, mlstrustedobject;
# Type for shortcut manager icon file.
type shortcut_manager_icons, file_type, data_file_type, mlstrustedobject;
# Type for user icon file.
type icon_file, file_type, data_file_type;
# /mnt/asec
type asec_apk_file, file_type, data_file_type, mlstrustedobject;
# Elements of asec files (/mnt/asec) that are world readable
type asec_public_file, file_type, data_file_type;
# /data/app-asec
type asec_image_file, file_type, data_file_type;
# /data/backup and /data/secure/backup
type backup_data_file, file_type, data_file_type, mlstrustedobject;
# For /data/security
type security_file, file_type;
# All devices have bluetooth efs files. But they
# vary per device, so this type is used in per
# device policy
type bluetooth_efs_file, file_type;
# Type for fingerprint template file.
type fingerprintd_data_file, file_type, data_file_type;
# Type for appfuse file.
type app_fuse_file, file_type, data_file_type, mlstrustedobject;

# Socket types
type adbd_socket, file_type;
type bluetooth_socket, file_type;
type dnsproxyd_socket, file_type, mlstrustedobject;
type dumpstate_socket, file_type;
type fwmarkd_socket, file_type, mlstrustedobject;
type gps_socket, file_type;
type installd_socket, file_type;
type lmkd_socket, file_type;
type logd_socket, file_type, mlstrustedobject;
type logdr_socket, file_type, mlstrustedobject;
type logdw_socket, file_type, mlstrustedobject;
type mdns_socket, file_type;
type mdnsd_socket, file_type, mlstrustedobject;
# NOTE(review): misc_logd_file is listed among the socket types although its
# name suggests a regular file; confirm the placement is intended.
type misc_logd_file, file_type;
type mtpd_socket, file_type;
type netd_socket, file_type;
type property_socket, file_type;
type racoon_socket, file_type;
type rild_socket, file_type;
type rild_debug_socket, file_type;
type system_wpa_socket, file_type;
type system_ndebug_socket, file_type;
type uncrypt_socket, file_type;
type vold_socket, file_type;
type wpa_socket, file_type;
type zygote_socket, file_type;
type sap_uim_socket, file_type;
# UART (for GPS) control proc file
type gps_control, file_type;

# property_contexts file
type property_contexts, file_type;

# Allow files to be created in their appropriate filesystems.
# Each fs_type may be associated with a filesystem of its own type.
allow fs_type self:filesystem associate;
# sysfs_type objects may be associated with the sysfs filesystem.
allow sysfs_type sysfs:filesystem associate;
# debugfs_type objects may be associated with debugfs or debugfs_tracing.
allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
# file_type objects may be associated with labeledfs, tmpfs and rootfs.
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
# dev_type objects may be associated with tmpfs.
allow dev_type tmpfs:filesystem associate;
# app_fuse_file objects may be associated with the app_fusefs filesystem.
allow app_fuse_file app_fusefs:filesystem associate;
# postinstall_file is a file_type that is also used as its own filesystem
# label here; presumably the /postinstall mount is labeled wholesale with
# this type - confirm against the mount options.
allow postinstall_file self:filesystem associate;

# It's a bug to assign both the file_type attribute and the fs_type attribute
# to the same type. Do not allow it.
#
# For example, the following is a bug:
# type apk_data_file, file_type, data_file_type, fs_type;
# Should be:
# type apk_data_file, file_type, data_file_type;
#
# A type carrying both attributes would match
# "allow fs_type self:filesystem associate" above with itself as a file_type
# target, which this neverallow rejects.
neverallow fs_type file_type:filesystem associate;