| #line 1 "external/sepolicy/security_classes" |
| # FLASK |
| |
| # |
| # Define the security object classes |
| # |
| |
| # Classes marked "# userspace" belong to userspace object managers, which |
| # perform their own access checks; every other class is enforced by the kernel. |
| |
| # NOTE(review): declaration order assigns each class its numeric index in |
| # the compiled policy, and every class named here needs a matching access |
| # vector definition in access_vectors below. Append new classes at the end; |
| # do not insert or reorder without checking the target kernel's class mapping. |
| class security |
| class process |
| class system |
| class capability |
| |
| # file-related classes |
| class filesystem |
| class file |
| class dir |
| class fd |
| class lnk_file |
| class chr_file |
| class blk_file |
| class sock_file |
| class fifo_file |
| |
| # network-related classes |
| class socket |
| class tcp_socket |
| class udp_socket |
| class rawip_socket |
| class node |
| class netif |
| class netlink_socket |
| class packet_socket |
| class key_socket |
| class unix_stream_socket |
| class unix_dgram_socket |
| |
| # sysv-ipc-related classes |
| class sem |
| class msg |
| class msgq |
| class shm |
| class ipc |
| |
| # |
| # userspace object manager classes |
| # |
| |
| # passwd/chfn/chsh |
| class passwd # userspace |
| |
| # SE-X Windows stuff (more classes below) |
| class x_drawable # userspace |
| class x_screen # userspace |
| class x_gc # userspace |
| class x_font # userspace |
| class x_colormap # userspace |
| class x_property # userspace |
| class x_selection # userspace |
| class x_cursor # userspace |
| class x_client # userspace |
| class x_device # userspace |
| class x_server # userspace |
| class x_extension # userspace |
| |
| # extended netlink sockets |
| class netlink_route_socket |
| class netlink_firewall_socket |
| class netlink_tcpdiag_socket |
| class netlink_nflog_socket |
| class netlink_xfrm_socket |
| class netlink_selinux_socket |
| class netlink_audit_socket |
| class netlink_ip6fw_socket |
| class netlink_dnrt_socket |
| |
| class dbus # userspace |
| class nscd # userspace |
| |
| # IPSec association |
| class association |
| |
| # Updated Netlink class for KOBJECT_UEVENT family. |
| class netlink_kobject_uevent_socket |
| |
| class appletalk_socket |
| |
| class packet |
| |
| # Kernel access key retention |
| class key |
| |
| class context # userspace |
| |
| class dccp_socket |
| |
| # Mapping of the zero page / low addresses (see memprotect access vector). |
| class memprotect |
| |
| class db_database # userspace |
| class db_table # userspace |
| class db_procedure # userspace |
| class db_column # userspace |
| class db_tuple # userspace |
| class db_blob # userspace |
| |
| # network peer labels |
| class peer |
| |
| # Capabilities >= 32 |
| class capability2 |
| |
| # More SE-X Windows stuff |
| class x_resource # userspace |
| class x_event # userspace |
| class x_synthetic_event # userspace |
| class x_application_data # userspace |
| |
| # kernel services that need to override task security, e.g. cachefiles |
| class kernel_service |
| |
| class tun_socket |
| |
| # Still More SE-X Windows stuff |
| class x_pointer # userspace |
| class x_keyboard # userspace |
| |
| # More Database stuff |
| class db_schema # userspace |
| class db_view # userspace |
| class db_sequence # userspace |
| class db_language # userspace |
| |
| # Android-specific classes: binder IPC (kernel driver) and the zygote |
| # process spawner. |
| class binder |
| class zygote |
| |
| # Property service |
| class property_service # userspace |
| |
| # FLASK |
| #line 1 "external/sepolicy/initial_sids" |
| # FLASK |
| |
| # |
| # Define initial security identifiers |
| # |
| |
| # NOTE(review): initial SIDs are numbered by position (kernel = 1, |
| # security = 2, ...) and the kernel expects the same ordering, so never |
| # reorder this list or insert entries in the middle; append only. |
| # "unlabeled" is what every object with no valid label falls back to, so |
| # rules on it are effectively rules on anything mislabeled. |
| sid kernel |
| sid security |
| sid unlabeled |
| sid fs |
| sid file |
| sid file_labels |
| sid init |
| sid any_socket |
| sid port |
| sid netif |
| sid netmsg |
| sid node |
| sid igmp_packet |
| sid icmp_socket |
| sid tcp_socket |
| sid sysctl_modprobe |
| sid sysctl |
| sid sysctl_fs |
| sid sysctl_kernel |
| sid sysctl_net |
| sid sysctl_net_unix |
| sid sysctl_vm |
| sid sysctl_dev |
| sid kmod |
| sid policy |
| sid scmp_packet |
| sid devnull |
| |
| # FLASK |
| #line 1 "external/sepolicy/access_vectors" |
| # |
| # Define common prefixes for access vectors |
| # |
| # common common_name { permission_name ... } |
| |
| |
| # |
| # Define a common prefix for file access vectors. |
| # |
| |
| # Permissions shared by every file-like class. A class that "inherits file" |
| # receives these bits first, then its own permissions, so bit positions are |
| # fixed by this order: append new entries, never insert or reorder. |
| common file |
| { |
| ioctl |
| read |
| write |
| create |
| getattr |
| setattr |
| lock |
| relabelfrom # both relabelfrom (old label) and relabelto (new label) |
| relabelto # are checked when a file's context is changed |
| append |
| unlink |
| link |
| rename |
| execute |
| swapon |
| quotaon |
| mounton |
| } |
| |
| |
| # |
| # Define a common prefix for socket access vectors. |
| # |
| |
| # Permissions shared by every socket class. The first ten mirror the file |
| # common set (kept in the same order); the rest are socket operations. |
| # name_bind is checked against the port/name label, not the socket itself. |
| common socket |
| { |
| # inherited from file |
| ioctl |
| read |
| write |
| create |
| getattr |
| setattr |
| lock |
| relabelfrom |
| relabelto |
| append |
| # socket-specific |
| bind |
| connect |
| listen |
| accept |
| getopt |
| setopt |
| shutdown |
| recvfrom |
| sendto |
| recv_msg |
| send_msg |
| name_bind |
| } |
| |
| # |
| # Define a common prefix for ipc access vectors. |
| # |
| |
| # Permissions shared by the SysV IPC classes (ipc, sem, msgq, shm). |
| # unix_read/unix_write are the DAC-equivalent read/write bits checked |
| # alongside the SELinux read/write permissions. |
| common ipc |
| { |
| create |
| destroy |
| getattr |
| setattr |
| read |
| write |
| associate |
| unix_read |
| unix_write |
| } |
| |
| # |
| # Define a common prefix for userspace database object access vectors. |
| # |
| |
| # Permissions shared by the userspace database object classes (db_*). |
| # Enforced by the database server, not the kernel. |
| common database |
| { |
| create |
| drop |
| getattr |
| setattr |
| relabelfrom |
| relabelto |
| } |
| |
| # |
| # Define a common prefix for pointer and keyboard access vectors. |
| # |
| |
| # Permissions shared by the X input device classes (x_device, x_pointer, |
| # x_keyboard); enforced by the X server (userspace). |
| common x_device |
| { |
| getattr |
| setattr |
| use |
| read |
| write |
| getfocus |
| setfocus |
| bell |
| force_cursor |
| freeze |
| grab |
| manage |
| list_property |
| get_property |
| set_property |
| add |
| remove |
| create |
| destroy |
| } |
| |
| # |
| # Define the access vectors. |
| # |
| # class class_name [ inherits common_name ] { permission_name ... } |
| |
| |
| # |
| # Define the access vector interpretation for file-related objects. |
| # |
| |
| # Operations on a whole filesystem. "associate" is the check that lets a |
| # file label live on this filesystem; "relabelfrom/relabelto" cover |
| # changing the filesystem's own label (e.g. via context= mount options). |
| class filesystem |
| { |
| mount |
| remount |
| unmount |
| getattr |
| relabelfrom |
| relabelto |
| transition |
| associate |
| quotamod |
| quotaget |
| } |
| |
| # Directory-specific permissions on top of the file common set. |
| # add_name/remove_name/reparent gate namespace changes; search is the |
| # path-walk check needed for any lookup through the directory. |
| class dir |
| inherits file |
| { |
| add_name |
| remove_name |
| reparent |
| search |
| rmdir |
| open |
| audit_access |
| execmod |
| } |
| |
| # Regular-file permissions on top of the file common set. |
| # execute_no_trans: run the file without a domain transition (the caller |
| #   keeps its own domain); entrypoint: the file may be used to enter a |
| #   new domain via process transition; execmod: map the file executable |
| #   after modifying it (text relocations) -- a W+X-style permission that |
| #   should be granted only where unavoidable. |
| class file |
| inherits file |
| { |
| execute_no_trans |
| entrypoint |
| execmod |
| open |
| audit_access |
| } |
| |
| # Symbolic links. open/audit_access/execmod are present only so every |
| # file-like class shares the same trailing bits; they have no meaningful |
| # use on a symlink. |
| class lnk_file |
| inherits file |
| { |
| open |
| audit_access |
| execmod |
| } |
| |
| # Character devices. Same extra permissions as class file, so a device node |
| # can also serve as an executable or a domain entrypoint; keep execute-class |
| # rules on chr_file to a minimum. |
| class chr_file |
| inherits file |
| { |
| execute_no_trans |
| entrypoint |
| execmod |
| open |
| audit_access |
| } |
| |
| # Block devices. Raw read/write here is equivalent to full access to the |
| # underlying filesystem; confine tightly. |
| class blk_file |
| inherits file |
| { |
| open |
| audit_access |
| execmod |
| } |
| |
| # Unix-domain socket files (filesystem nodes; the socket itself is |
| # unix_stream_socket/unix_dgram_socket). |
| class sock_file |
| inherits file |
| { |
| open |
| audit_access |
| execmod |
| } |
| |
| # Named pipes (FIFOs). |
| class fifo_file |
| inherits file |
| { |
| open |
| audit_access |
| execmod |
| } |
| |
| # File descriptors. "use" is checked when a descriptor created by another |
| # domain is inherited or received; denying it closes leaked fds across a |
| # domain transition. |
| class fd |
| { |
| use |
| } |
| |
| |
| # |
| # Define the access vector interpretation for network-related objects. |
| # |
| |
| # Generic socket class (protocol families without a dedicated class). |
| class socket |
| inherits socket |
| |
| # TCP sockets. name_connect is checked against the destination port label |
| # (the outbound counterpart of name_bind); node_bind against the local |
| # address label. connectto/newconn/acceptfrom are legacy per-connection |
| # checks. |
| class tcp_socket |
| inherits socket |
| { |
| connectto |
| newconn |
| acceptfrom |
| node_bind |
| name_connect |
| } |
| |
| # UDP sockets; node_bind is checked against the local address label. |
| class udp_socket |
| inherits socket |
| { |
| node_bind |
| } |
| |
| # Raw IP sockets (normally also require capability net_raw). |
| class rawip_socket |
| inherits socket |
| { |
| node_bind |
| } |
| |
| # Network addresses (nodes). The per-protocol *_recv/*_send bits are the |
| # legacy checks; recvfrom/sendto are the current peer-label checks. |
| class node |
| { |
| tcp_recv |
| tcp_send |
| udp_recv |
| udp_send |
| rawip_recv |
| rawip_send |
| enforce_dest |
| dccp_recv |
| dccp_send |
| recvfrom |
| sendto |
| } |
| |
| # Network interfaces. ingress/egress are the current checks; the |
| # per-protocol bits are legacy and kept for bit-position compatibility. |
| class netif |
| { |
| tcp_recv |
| tcp_send |
| udp_recv |
| udp_send |
| rawip_recv |
| rawip_send |
| dccp_recv |
| dccp_send |
| ingress |
| egress |
| } |
| |
| # Generic netlink socket (families without a dedicated class below). |
| class netlink_socket |
| inherits socket |
| |
| # AF_PACKET sockets: raw link-layer access, normally paired with net_raw. |
| class packet_socket |
| inherits socket |
| |
| # PF_KEY sockets (IPsec key management). |
| class key_socket |
| inherits socket |
| |
| # Unix stream sockets. connectto is the peer-to-peer check on connect() |
| # (in addition to write on the sock_file); newconn/acceptfrom are legacy. |
| class unix_stream_socket |
| inherits socket |
| { |
| connectto |
| newconn |
| acceptfrom |
| } |
| |
| # Unix datagram sockets (sendto is checked against the receiving socket). |
| class unix_dgram_socket |
| inherits socket |
| |
| # |
| # Define the access vector interpretation for process-related objects |
| # |
| |
| # Permissions checked between a subject process and a target process (or |
| # against the subject's own domain for the exec*/set* entries). Semantics |
| # noted below follow the SELinux reference policy; confirm against the |
| # target kernel's hooks before relying on them. |
| class process |
| { |
| fork |
| transition # change domain on exec; pair with an entrypoint file |
| sigchld # commonly granted from child to parent |
| sigkill # cannot be caught or ignored |
| sigstop # cannot be caught or ignored |
| signull # for kill(pid, 0) |
| signal # all other signals |
| ptrace # inspect/modify another process; exposes its memory -- grant sparingly |
| getsched |
| setsched |
| getsession |
| getpgid |
| setpgid |
| getcap |
| setcap |
| share # share process state across a domain transition |
| getattr |
| setexec # set the context used for the next exec |
| setfscreate # set the context used for newly created files |
| noatsecure # skip AT_SECURE sanitizing on transition; leaves env/LD_* trusted |
| siginh # inherit pending signals across a transition |
| setrlimit |
| rlimitinh # inherit rlimits across a transition |
| dyntransition # change domain without exec; rarely justified |
| setcurrent |
| execmem # writable+executable anonymous memory (JITs); avoid elsewhere |
| execstack |
| execheap |
| setkeycreate |
| setsockcreate |
| } |
| |
| |
| # |
| # Define the access vector interpretation for ipc-related objects |
| # |
| |
| # Generic SysV IPC object. |
| class ipc |
| inherits ipc |
| |
| # SysV semaphore sets. |
| class sem |
| inherits ipc |
| |
| # SysV message queues; enqueue is checked per message placed on the queue. |
| class msgq |
| inherits ipc |
| { |
| enqueue |
| } |
| |
| # Individual SysV messages (labeled separately from their queue). |
| class msg |
| { |
| send |
| receive |
| } |
| |
| # SysV shared memory; lock covers pinning the segment (SHM_LOCK). |
| class shm |
| inherits ipc |
| { |
| lock |
| } |
| |
| |
| # |
| # Define the access vector interpretation for the security server. |
| # |
| |
| # Operations on the security server itself. load_policy, setenforce, |
| # setbool and setcheckreqprot reconfigure enforcement system-wide and |
| # should be confined to the single domain that manages policy; the |
| # compute_* and check_context entries are read-only queries. |
| class security |
| { |
| compute_av |
| compute_create |
| compute_member |
| check_context |
| load_policy |
| compute_relabel |
| compute_user |
| setenforce # was avc_toggle in system class |
| setbool |
| setsecparam |
| setcheckreqprot |
| read_policy |
| } |
| |
| |
| # |
| # Define the access vector interpretation for system operations. |
| # |
| |
| # Miscellaneous system operations: syslog access and kernel module |
| # auto-loading requests (module_request, distinct from capability |
| # sys_module which covers explicit loading). |
| class system |
| { |
| ipc_info |
| syslog_read |
| syslog_mod |
| syslog_console |
| module_request |
| } |
| |
| # |
| # Define the access vector interpretation for controlling capabilities |
| # |
| |
| # Each permission's bit position must equal the CAP_* number it names |
| # (chown = CAP_CHOWN = 0 through setfcap = CAP_SETFCAP = 31), see the note |
| # inside the class. Treat dac_override, setuid, setpcap, sys_module, |
| # sys_rawio, sys_ptrace and sys_admin as root-equivalent when granting. |
| class capability |
| { |
| # The capabilities are defined in include/linux/capability.h |
| # Capabilities >= 32 are defined in the capability2 class. |
| # Care should be taken to ensure that these are consistent with |
| # those definitions. (Order matters) |
| |
| chown |
| dac_override |
| dac_read_search |
| fowner |
| fsetid |
| kill |
| setgid |
| setuid |
| setpcap |
| linux_immutable |
| net_bind_service |
| net_broadcast |
| net_admin |
| net_raw |
| ipc_lock |
| ipc_owner |
| sys_module |
| sys_rawio |
| sys_chroot |
| sys_ptrace |
| sys_pacct |
| sys_admin |
| sys_boot |
| sys_nice |
| sys_resource |
| sys_time |
| sys_tty_config |
| mknod |
| lease |
| audit_write |
| audit_control |
| setfcap |
| } |
| |
| # Capabilities 32 and up, in CAP_* number order (mac_override = 32 ... |
| # block_suspend = 36). The two unused entries must stay as placeholders so |
| # the later bits keep their offsets. |
| class capability2 |
| { |
| mac_override # unused by SELinux |
| mac_admin # unused by SELinux |
| syslog |
| wake_alarm |
| block_suspend |
| } |
| |
| # |
| # Define the access vector interpretation for controlling |
| # changes to passwd information. |
| # |
| # Userspace class checked by the passwd/chfn/chsh utilities and pam_rootok. |
| # rootok bypasses authentication entirely; grant it only to the domains |
| # that already hold root-equivalent trust. |
| class passwd |
| { |
| passwd # change another user passwd |
| chfn # change another user finger info |
| chsh # change another user shell |
| rootok # pam_rootok check (skip auth) |
| crontab # crontab on another user |
| } |
| |
| # |
| # SE-X Windows stuff |
| # |
| # X windows and pixmaps (userspace, enforced by the X server). read/blend |
| # cover screen-scraping of another client's window contents. |
| class x_drawable |
| { |
| create |
| destroy |
| read |
| write |
| blend |
| getattr |
| setattr |
| list_child |
| add_child |
| remove_child |
| list_property |
| get_property |
| set_property |
| manage |
| override |
| show |
| hide |
| send |
| receive |
| } |
| |
| # X screens, including screen-saver control (userspace). |
| class x_screen |
| { |
| getattr |
| setattr |
| hide_cursor |
| show_cursor |
| saver_getattr |
| saver_setattr |
| saver_hide |
| saver_show |
| } |
| |
| # X graphics contexts (userspace). |
| class x_gc |
| { |
| create |
| destroy |
| getattr |
| setattr |
| use |
| } |
| |
| # X fonts and glyph sets (userspace). |
| class x_font |
| { |
| create |
| destroy |
| getattr |
| add_glyph |
| remove_glyph |
| use |
| } |
| |
| # X colormaps (userspace). |
| class x_colormap |
| { |
| create |
| destroy |
| read |
| write |
| getattr |
| add_color |
| remove_color |
| install |
| uninstall |
| use |
| } |
| |
| # X window properties (userspace); a common channel between clients. |
| class x_property |
| { |
| create |
| destroy |
| read |
| write |
| append |
| getattr |
| setattr |
| } |
| |
| # X selections (clipboard-style transfers between clients; userspace). |
| class x_selection |
| { |
| read |
| write |
| getattr |
| setattr |
| } |
| |
| # X cursors (userspace). |
| class x_cursor |
| { |
| create |
| destroy |
| read |
| write |
| getattr |
| setattr |
| use |
| } |
| |
| # Other X clients as objects (e.g. killing a client; userspace). |
| class x_client |
| { |
| destroy |
| getattr |
| setattr |
| manage |
| } |
| |
| # Generic X input device; the permission set lives in common x_device. |
| class x_device |
| inherits x_device |
| |
| # The X server itself (userspace). record/debug/grab allow observing or |
| # monopolizing all input, so they are effectively keylogging permissions. |
| class x_server |
| { |
| getattr |
| setattr |
| record |
| debug |
| grab |
| manage |
| } |
| |
| # X protocol extensions (userspace). |
| class x_extension |
| { |
| query |
| use |
| } |
| |
| # Generic X resources not covered by a more specific class (userspace). |
| class x_resource |
| { |
| read |
| write |
| } |
| |
| # Real (server-generated) X events (userspace). |
| class x_event |
| { |
| send |
| receive |
| } |
| |
| # Client-generated (synthetic) X events, i.e. injected input (userspace). |
| class x_synthetic_event |
| { |
| send |
| receive |
| } |
| |
| # |
| # Extended Netlink classes |
| # |
| # NETLINK_ROUTE: nlmsg_write covers changing routes/addresses/links. |
| class netlink_route_socket |
| inherits socket |
| { |
| nlmsg_read |
| nlmsg_write |
| } |
| |
| # NETLINK_FIREWALL (legacy ip_queue family). |
| class netlink_firewall_socket |
| inherits socket |
| { |
| nlmsg_read |
| nlmsg_write |
| } |
| |
| # NETLINK_SOCK_DIAG/TCPDIAG: nlmsg_read exposes every socket on the host. |
| class netlink_tcpdiag_socket |
| inherits socket |
| { |
| nlmsg_read |
| nlmsg_write |
| } |
| |
| # NETLINK_NFLOG (packet logging). |
| class netlink_nflog_socket |
| inherits socket |
| |
| # NETLINK_XFRM (IPsec SA/SP management); nlmsg_write alters IPsec state. |
| class netlink_xfrm_socket |
| inherits socket |
| { |
| nlmsg_read |
| nlmsg_write |
| } |
| |
| # NETLINK_SELINUX (policy-change/setenforce notifications). |
| class netlink_selinux_socket |
| inherits socket |
| |
| # NETLINK_AUDIT. nlmsg_write configures the audit subsystem, nlmsg_relay |
| # lets a process emit user-space audit records, nlmsg_readpriv reads |
| # privileged audit state; all should be limited to the audit daemon and |
| # a few trusted helpers. |
| class netlink_audit_socket |
| inherits socket |
| { |
| nlmsg_read |
| nlmsg_write |
| nlmsg_relay |
| nlmsg_readpriv |
| nlmsg_tty_audit |
| } |
| |
| # NETLINK_IP6_FW (legacy IPv6 firewall family). |
| class netlink_ip6fw_socket |
| inherits socket |
| { |
| nlmsg_read |
| nlmsg_write |
| } |
| |
| # NETLINK_DNRTMSG (DECnet routing). |
| class netlink_dnrt_socket |
| inherits socket |
| |
| # Define the access vector interpretation for controlling |
| # access and communication through the D-BUS messaging |
| # system. |
| # |
| # D-Bus (userspace, enforced by the bus daemon): acquire_svc is checked |
| # against the bus-name label, send_msg against the peer's domain. |
| class dbus |
| { |
| acquire_svc |
| send_msg |
| } |
| |
| # Define the access vector interpretation for controlling |
| # access through the name service cache daemon (nscd). |
| # |
| # nscd lookups (userspace). The shmem* entries cover mapping nscd's |
| # cache directly; admin covers control operations on the daemon. |
| class nscd |
| { |
| getpwd |
| getgrp |
| gethost |
| getstat |
| admin |
| shmempwd |
| shmemgrp |
| shmemhost |
| getserv |
| shmemserv |
| } |
| |
| # Define the access vector interpretation for controlling |
| # access to IPSec network data by association |
| # |
| # IPsec security associations: sendto/recvfrom gate traffic over an SA, |
| # setcontext labeling an SA, polmatch matching a policy to a socket. |
| class association |
| { |
| sendto |
| recvfrom |
| setcontext |
| polmatch |
| } |
| |
| # Updated Netlink class for KOBJECT_UEVENT family. |
| # NETLINK_KOBJECT_UEVENT (device hotplug events; read by ueventd/udev). |
| class netlink_kobject_uevent_socket |
| inherits socket |
| |
| # AF_APPLETALK sockets. |
| class appletalk_socket |
| inherits socket |
| |
| # Labeled network packets (secmark). flow_in/flow_out are deprecated but |
| # must stay in place to preserve the bit positions of forward_in/out. |
| class packet |
| { |
| send |
| recv |
| relabelto |
| flow_in # deprecated |
| flow_out # deprecated |
| forward_in |
| forward_out |
| } |
| |
| # Kernel key-retention service keys (keyctl). read exposes key material; |
| # search/link control what a process can reach through keyrings. |
| class key |
| { |
| view |
| read |
| write |
| search |
| link |
| setattr |
| create |
| } |
| |
| # Security-context translation/containment checks made by userspace |
| # (mcstrans-style helpers). |
| class context |
| { |
| translate |
| contains |
| } |
| |
| # DCCP sockets; same port/address checks as tcp_socket. |
| class dccp_socket |
| inherits socket |
| { |
| node_bind |
| name_connect |
| } |
| |
| # mmap_zero permits mapping the lowest pages of the address space |
| # (below mmap_min_addr), which defeats NULL-dereference hardening; it |
| # should be denied to everything except a documented exception. |
| class memprotect |
| { |
| mmap_zero |
| } |
| |
| # Database-level objects (userspace). The deprecated entries are kept as |
| # placeholders so later bits keep their offsets. install_module/load_module |
| # allow loading server-side code and deserve the same scrutiny as |
| # sys_module. |
| class db_database |
| inherits database |
| { |
| access |
| install_module |
| load_module |
| get_param # deprecated |
| set_param # deprecated |
| } |
| |
| # Database tables (userspace); "use" is a deprecated placeholder. |
| class db_table |
| inherits database |
| { |
| use # deprecated |
| select |
| update |
| insert |
| delete |
| lock |
| } |
| |
| # Stored procedures (userspace); entrypoint/install mirror the process |
| # entrypoint idea for trusted-procedure domain changes. |
| class db_procedure |
| inherits database |
| { |
| execute |
| entrypoint |
| install |
| } |
| |
| # Table columns (userspace); "use" is a deprecated placeholder. |
| class db_column |
| inherits database |
| { |
| use # deprecated |
| select |
| update |
| insert |
| } |
| |
| # Row-level objects (userspace). Does not inherit common database, so its |
| # relabel bits are declared explicitly here. |
| class db_tuple |
| { |
| relabelfrom |
| relabelto |
| use # deprecated |
| select |
| update |
| insert |
| delete |
| } |
| |
| # Large objects (userspace); import/export move data to and from files. |
| class db_blob |
| inherits database |
| { |
| read |
| write |
| import |
| export |
| } |
| |
| # network peer labels |
| # Network peer labels (labeled networking): recv is checked against the |
| # label of the remote peer that sent the packet. |
| class peer |
| { |
| recv |
| } |
| |
| # Cut-and-paste between X clients (userspace); paste_after_confirm is the |
| # user-confirmed variant of paste. |
| class x_application_data |
| { |
| paste |
| paste_after_confirm |
| copy |
| } |
| |
| # Kernel services (e.g. cachefiles) acting on behalf of a task. |
| # use_as_override: act with another task's credentials; create_files_as: |
| # create files labeled as that task would. Both amount to impersonation |
| # and belong only to the daemon that configures such a service. |
| class kernel_service |
| { |
| use_as_override |
| create_files_as |
| } |
| |
| # TUN/TAP device sockets (virtual network interfaces). |
| class tun_socket |
| inherits socket |
| |
| # X pointer devices (userspace); permissions from common x_device. |
| class x_pointer |
| inherits x_device |
| |
| # X keyboard devices (userspace); read on this class is keystroke capture. |
| class x_keyboard |
| inherits x_device |
| |
| # Database schemas (userspace); same namespace permissions as class dir. |
| class db_schema |
| inherits database |
| { |
| search |
| add_name |
| remove_name |
| } |
| |
| # Database views (userspace); expand covers rewriting a query through the view. |
| class db_view |
| inherits database |
| { |
| expand |
| } |
| |
| # Database sequences (userspace). |
| class db_sequence |
| inherits database |
| { |
| get_value |
| next_value |
| set_value |
| } |
| |
| # Procedural languages (userspace); implement covers defining a new one. |
| class db_language |
| inherits database |
| { |
| implement |
| execute |
| } |
| |
| # Android binder IPC, enforced by the binder driver. |
| # set_context_mgr: become the context manager (the service registry); |
| #   only one process (servicemanager) should ever hold this. |
| # impersonate / call / transfer: presumably act on behalf of another |
| #   domain, make a transaction to it, and pass handles or fds to it -- |
| #   verify against the driver's hook before relying on this reading. |
| class binder |
| { |
| impersonate |
| call |
| set_context_mgr |
| transfer |
| } |
| |
| # Android zygote (userspace check inside the zygote): which attributes a |
| # caller may dictate for a spawned app process -- uids/gids, rlimits, |
| # capabilities, a wrapper command, and the seinfo used for labeling. |
| # specifyseinfo and specifycapabilities effectively choose the child's |
| # security domain, so they should be restricted to the system server. |
| class zygote |
| { |
| specifyids |
| specifyrlimits |
| specifycapabilities |
| specifyinvokewith |
| specifyseinfo |
| } |
| |
| # Android system properties (userspace, checked by init's property |
| # service): set is evaluated against the label of the property being |
| # written, so property labels are what confines a setter. |
| class property_service |
| { |
| set |
| } |
| #line 1 "external/sepolicy/global_macros" |
| ##################################### |
| # Common groupings of object classes. |
| # (m4 macro definitions; they expand to nothing at this point, so this |
| # preprocessed output keeps only the heading.) |
| # |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| ##################################### |
| # Common groupings of permissions. |
| # (m4 macro definitions; nothing survives here in the preprocessed output.) |
| # |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| ##################################### |
| # Common socket permission sets. |
| # (m4 macro definitions; nothing survives here in the preprocessed output.) |
| |
| |
| #line 1 "external/sepolicy/mls_macros" |
| ######################################## |
| # |
| # gen_cats(N) |
| # |
| # declares categories c0 to c(N-1) |
| # |
| #line 10 |
| |
| |
| |
| |
| ######################################## |
| # |
| # gen_sens(N) |
| # |
| # declares sensitivities s0 to s(N-1) with dominance |
| # in increasing numeric order: s0 lowest, s(N-1) highest |
| # |
| #line 24 |
| |
| |
| |
| |
| #line 34 |
| |
| |
| ######################################## |
| # |
| # gen_levels(N,M) |
| # |
| # levels s0 to s(N-1), each with categories c0 to c(M-1) |
| # |
| #line 45 |
| |
| |
| |
| |
| ######################################## |
| # |
| # Basic level names for system low and high |
| # |
| |
| |
| #line 1 "external/sepolicy/mls" |
| ######################################### |
| # MLS declarations |
| # |
| |
| # Generate the desired number of sensitivities and categories. |
| |
| #line 6 |
| # Each sensitivity has a name and zero or more aliases. |
| #line 6 |
| # Only one sensitivity (s0) is declared, so the dominance ordering below |
| # is trivial and presumably all MLS separation in this policy comes from |
| # category sets alone -- verify against the level definitions. |
| sensitivity s0; |
| #line 6 |
| |
| #line 6 |
| # Define the ordering of the sensitivity levels (least to greatest) |
| #line 6 |
| dominance { s0 } |
| #line 6 |
| |
| category c0; |
| #line 7 |
| category c1; |
| #line 7 |
| category c2; |
| #line 7 |
| category c3; |
| #line 7 |
| category c4; |
| #line 7 |
| category c5; |
| #line 7 |
| category c6; |
| #line 7 |
| category c7; |
| #line 7 |
| category c8; |
| #line 7 |
| category c9; |
| #line 7 |
| category c10; |
| #line 7 |
| category c11; |
| #line 7 |
| category c12; |
| #line 7 |
| category c13; |
| #line 7 |
| category c14; |
| #line 7 |
| category c15; |
| #line 7 |
| category c16; |
| #line 7 |
| category c17; |
| #line 7 |
| category c18; |
| #line 7 |
| category c19; |
| #line 7 |
| category c20; |
| #line 7 |
| category c21; |
| #line 7 |
| category c22; |
| #line 7 |
| category c23; |
| #line 7 |
| category c24; |
| #line 7 |
| category c25; |
| #line 7 |
| category c26; |
| #line 7 |
| category c27; |
| #line 7 |
| category c28; |
| #line 7 |
| category c29; |
| #line 7 |
| category c30; |
| #line 7 |
| category c31; |
| #line 7 |
| category c32; |
| #line 7 |
| category c33; |
| #line 7 |
| category c34; |
| #line 7 |
| category c35; |
| #line 7 |
| category c36; |
| #line 7 |
| category c37; |
| #line 7 |
| category c38; |
| #line 7 |
| category c39; |
| #line 7 |
| category c40; |
| #line 7 |
| category c41; |
| #line 7 |
| category c42; |
| #line 7 |
| category c43; |
| #line 7 |
| category c44; |
| #line 7 |
| category c45; |
| #line 7 |
| category c46; |
| #line 7 |
| category c47; |
| #line 7 |
| category c48; |
| #line 7 |
| category c49; |
| #line 7 |
| category c50; |
| #line 7 |
| category c51; |
| #line 7 |
| category c52; |
| #line 7 |
| category c53; |
| #line 7 |
| category c54; |
| #line 7 |
| category c55; |
| #line 7 |
| category c56; |
| #line 7 |
| category c57; |
| #line 7 |
| category c58; |
| #line 7 |
| category c59; |
| #line 7 |
| category c60; |
| #line 7 |
| category c61; |
| #line 7 |
| category c62; |
| #line 7 |
| category c63; |
| #line 7 |
| category c64; |
| #line 7 |
| category c65; |
| #line 7 |
| category c66; |
| #line 7 |
| category c67; |
| #line 7 |
| category c68; |
| #line 7 |
| category c69; |
| #line 7 |
| category c70; |
| #line 7 |
| category c71; |
| #line 7 |
| category c72; |
| #line 7 |
| category c73; |
| #line 7 |
| category c74; |
| #line 7 |
| category c75; |
| #line 7 |
| category c76; |
| #line 7 |
| category c77; |
| #line 7 |
| category c78; |
| #line 7 |
| category c79; |
| #line 7 |
| category c80; |
| #line 7 |
| category c81; |
| #line 7 |
| category c82; |
| #line 7 |
| category c83; |
| #line 7 |
| category c84; |
| #line 7 |
| category c85; |
| #line 7 |
| category c86; |
| #line 7 |
| category c87; |
| #line 7 |
| category c88; |
| #line 7 |
| category c89; |
| #line 7 |
| category c90; |
| #line 7 |
| category c91; |
| #line 7 |
| category c92; |
| #line 7 |
| category c93; |
| #line 7 |
| category c94; |
| #line 7 |
| category c95; |
| #line 7 |
| category c96; |
| #line 7 |
| category c97; |
| #line 7 |
| category c98; |
| #line 7 |
| category c99; |
| #line 7 |
| category c100; |
| #line 7 |
| category c101; |
| #line 7 |
| category c102; |
| #line 7 |
| category c103; |
| #line 7 |
| category c104; |
| #line 7 |
| category c105; |
| #line 7 |
| category c106; |
| #line 7 |
| category c107; |
| #line 7 |
| category c108; |
| #line 7 |
| category c109; |
| #line 7 |
| category c110; |
| #line 7 |
| category c111; |
| #line 7 |
| category c112; |
| #line 7 |
| category c113; |
| #line 7 |
| category c114; |
| #line 7 |
| category c115; |
| #line 7 |
| category c116; |
| #line 7 |
| category c117; |
| #line 7 |
| category c118; |
| #line 7 |
| category c119; |
| #line 7 |
| category c120; |
| #line 7 |
| category c121; |
| #line 7 |
| category c122; |
| #line 7 |
| category c123; |
| #line 7 |
| category c124; |
| #line 7 |
| category c125; |
| #line 7 |
| category c126; |
| #line 7 |
| category c127; |
| #line 7 |
| category c128; |
| #line 7 |
| category c129; |
| #line 7 |
| category c130; |
| #line 7 |
| category c131; |
| #line 7 |
| category c132; |
| #line 7 |
| category c133; |
| #line 7 |
| category c134; |
| #line 7 |
| category c135; |
| #line 7 |
| category c136; |
| #line 7 |
| category c137; |
| #line 7 |
| category c138; |
| #line 7 |
| category c139; |
| #line 7 |
| category c140; |
| #line 7 |
| category c141; |
| #line 7 |
| category c142; |
| #line 7 |
| category c143; |
| #line 7 |
| category c144; |
| #line 7 |
| category c145; |
| #line 7 |
| category c146; |
| #line 7 |
| category c147; |
| #line 7 |
| category c148; |
| #line 7 |
| category c149; |
| #line 7 |
| category c150; |
| #line 7 |
| category c151; |
| #line 7 |
| category c152; |
| #line 7 |
| category c153; |
| #line 7 |
| category c154; |
| #line 7 |
| category c155; |
| #line 7 |
| category c156; |
| #line 7 |
| category c157; |
| #line 7 |
| category c158; |
| #line 7 |
| category c159; |
| #line 7 |
| category c160; |
| #line 7 |
| category c161; |
| #line 7 |
| category c162; |
| #line 7 |
| category c163; |
| #line 7 |
| category c164; |
| #line 7 |
| category c165; |
| #line 7 |
| category c166; |
| #line 7 |
| category c167; |
| #line 7 |
| category c168; |
| #line 7 |
| category c169; |
| #line 7 |
| category c170; |
| #line 7 |
| category c171; |
| #line 7 |
| category c172; |
| #line 7 |
| category c173; |
| #line 7 |
| category c174; |
| #line 7 |
| category c175; |
| #line 7 |
| category c176; |
| #line 7 |
| category c177; |
| #line 7 |
| category c178; |
| #line 7 |
| category c179; |
| #line 7 |
| category c180; |
| #line 7 |
| category c181; |
| #line 7 |
| category c182; |
| #line 7 |
| category c183; |
| #line 7 |
| category c184; |
| #line 7 |
| category c185; |
| #line 7 |
| category c186; |
| #line 7 |
| category c187; |
| #line 7 |
| category c188; |
| #line 7 |
| category c189; |
| #line 7 |
| category c190; |
| #line 7 |
| category c191; |
| #line 7 |
| category c192; |
| #line 7 |
| category c193; |
| #line 7 |
| category c194; |
| #line 7 |
| category c195; |
| #line 7 |
| category c196; |
| #line 7 |
| category c197; |
| #line 7 |
| category c198; |
| #line 7 |
| category c199; |
| #line 7 |
| category c200; |
| #line 7 |
| category c201; |
| #line 7 |
| category c202; |
| #line 7 |
| category c203; |
| #line 7 |
| category c204; |
| #line 7 |
| category c205; |
| #line 7 |
| category c206; |
| #line 7 |
| category c207; |
| #line 7 |
| category c208; |
| #line 7 |
| category c209; |
| #line 7 |
| category c210; |
| #line 7 |
| category c211; |
| #line 7 |
| category c212; |
| #line 7 |
| category c213; |
| #line 7 |
| category c214; |
| #line 7 |
| category c215; |
| #line 7 |
| category c216; |
| #line 7 |
| category c217; |
| #line 7 |
| category c218; |
| #line 7 |
| category c219; |
| #line 7 |
| category c220; |
| #line 7 |
| category c221; |
| #line 7 |
| category c222; |
| #line 7 |
| category c223; |
| #line 7 |
| category c224; |
| #line 7 |
| category c225; |
| #line 7 |
| category c226; |
| #line 7 |
| category c227; |
| #line 7 |
| category c228; |
| #line 7 |
| category c229; |
| #line 7 |
| category c230; |
| #line 7 |
| category c231; |
| #line 7 |
| category c232; |
| #line 7 |
| category c233; |
| #line 7 |
| category c234; |
| #line 7 |
| category c235; |
| #line 7 |
| category c236; |
| #line 7 |
| category c237; |
| #line 7 |
| category c238; |
| #line 7 |
| category c239; |
| #line 7 |
| category c240; |
| #line 7 |
| category c241; |
| #line 7 |
| category c242; |
| #line 7 |
| category c243; |
| #line 7 |
| category c244; |
| #line 7 |
| category c245; |
| #line 7 |
| category c246; |
| #line 7 |
| category c247; |
| #line 7 |
| category c248; |
| #line 7 |
| category c249; |
| #line 7 |
| category c250; |
| #line 7 |
| category c251; |
| #line 7 |
| category c252; |
| #line 7 |
| category c253; |
| #line 7 |
| category c254; |
| #line 7 |
| category c255; |
| #line 7 |
| category c256; |
| #line 7 |
| category c257; |
| #line 7 |
| category c258; |
| #line 7 |
| category c259; |
| #line 7 |
| category c260; |
| #line 7 |
| category c261; |
| #line 7 |
| category c262; |
| #line 7 |
| category c263; |
| #line 7 |
| category c264; |
| #line 7 |
| category c265; |
| #line 7 |
| category c266; |
| #line 7 |
| category c267; |
| #line 7 |
| category c268; |
| #line 7 |
| category c269; |
| #line 7 |
| category c270; |
| #line 7 |
| category c271; |
| #line 7 |
| category c272; |
| #line 7 |
| category c273; |
| #line 7 |
| category c274; |
| #line 7 |
| category c275; |
| #line 7 |
| category c276; |
| #line 7 |
| category c277; |
| #line 7 |
| category c278; |
| #line 7 |
| category c279; |
| #line 7 |
| category c280; |
| #line 7 |
| category c281; |
| #line 7 |
| category c282; |
| #line 7 |
| category c283; |
| #line 7 |
| category c284; |
| #line 7 |
| category c285; |
| #line 7 |
| category c286; |
| #line 7 |
| category c287; |
| #line 7 |
| category c288; |
| #line 7 |
| category c289; |
| #line 7 |
| category c290; |
| #line 7 |
| category c291; |
| #line 7 |
| category c292; |
| #line 7 |
| category c293; |
| #line 7 |
| category c294; |
| #line 7 |
| category c295; |
| #line 7 |
| category c296; |
| #line 7 |
| category c297; |
| #line 7 |
| category c298; |
| #line 7 |
| category c299; |
| #line 7 |
| category c300; |
| #line 7 |
| category c301; |
| #line 7 |
| category c302; |
| #line 7 |
| category c303; |
| #line 7 |
| category c304; |
| #line 7 |
| category c305; |
| #line 7 |
| category c306; |
| #line 7 |
| category c307; |
| #line 7 |
| category c308; |
| #line 7 |
| category c309; |
| #line 7 |
| category c310; |
| #line 7 |
| category c311; |
| #line 7 |
| category c312; |
| #line 7 |
| category c313; |
| #line 7 |
| category c314; |
| #line 7 |
| category c315; |
| #line 7 |
| category c316; |
| #line 7 |
| category c317; |
| #line 7 |
| category c318; |
| #line 7 |
| category c319; |
| #line 7 |
| category c320; |
| #line 7 |
| category c321; |
| #line 7 |
| category c322; |
| #line 7 |
| category c323; |
| #line 7 |
| category c324; |
| #line 7 |
| category c325; |
| #line 7 |
| category c326; |
| #line 7 |
| category c327; |
| #line 7 |
| category c328; |
| #line 7 |
| category c329; |
| #line 7 |
| category c330; |
| #line 7 |
| category c331; |
| #line 7 |
| category c332; |
| #line 7 |
| category c333; |
| #line 7 |
| category c334; |
| #line 7 |
| category c335; |
| #line 7 |
| category c336; |
| #line 7 |
| category c337; |
| #line 7 |
| category c338; |
| #line 7 |
| category c339; |
| #line 7 |
| category c340; |
| #line 7 |
| category c341; |
| #line 7 |
| category c342; |
| #line 7 |
| category c343; |
| #line 7 |
| category c344; |
| #line 7 |
| category c345; |
| #line 7 |
| category c346; |
| #line 7 |
| category c347; |
| #line 7 |
| category c348; |
| #line 7 |
| category c349; |
| #line 7 |
| category c350; |
| #line 7 |
| category c351; |
| #line 7 |
| category c352; |
| #line 7 |
| category c353; |
| #line 7 |
| category c354; |
| #line 7 |
| category c355; |
| #line 7 |
| category c356; |
| #line 7 |
| category c357; |
| #line 7 |
| category c358; |
| #line 7 |
| category c359; |
| #line 7 |
| category c360; |
| #line 7 |
| category c361; |
| #line 7 |
| category c362; |
| #line 7 |
| category c363; |
| #line 7 |
| category c364; |
| #line 7 |
| category c365; |
| #line 7 |
| category c366; |
| #line 7 |
| category c367; |
| #line 7 |
| category c368; |
| #line 7 |
| category c369; |
| #line 7 |
| category c370; |
| #line 7 |
| category c371; |
| #line 7 |
| category c372; |
| #line 7 |
| category c373; |
| #line 7 |
| category c374; |
| #line 7 |
| category c375; |
| #line 7 |
| category c376; |
| #line 7 |
| category c377; |
| #line 7 |
| category c378; |
| #line 7 |
| category c379; |
| #line 7 |
| category c380; |
| #line 7 |
| category c381; |
| #line 7 |
| category c382; |
| #line 7 |
| category c383; |
| #line 7 |
| category c384; |
| #line 7 |
| category c385; |
| #line 7 |
| category c386; |
| #line 7 |
| category c387; |
| #line 7 |
| category c388; |
| #line 7 |
| category c389; |
| #line 7 |
| category c390; |
| #line 7 |
| category c391; |
| #line 7 |
| category c392; |
| #line 7 |
| category c393; |
| #line 7 |
| category c394; |
| #line 7 |
| category c395; |
| #line 7 |
| category c396; |
| #line 7 |
| category c397; |
| #line 7 |
| category c398; |
| #line 7 |
| category c399; |
| #line 7 |
| category c400; |
| #line 7 |
| category c401; |
| #line 7 |
| category c402; |
| #line 7 |
| category c403; |
| #line 7 |
| category c404; |
| #line 7 |
| category c405; |
| #line 7 |
| category c406; |
| #line 7 |
| category c407; |
| #line 7 |
| category c408; |
| #line 7 |
| category c409; |
| #line 7 |
| category c410; |
| #line 7 |
| category c411; |
| #line 7 |
| category c412; |
| #line 7 |
| category c413; |
| #line 7 |
| category c414; |
| #line 7 |
| category c415; |
| #line 7 |
| category c416; |
| #line 7 |
| category c417; |
| #line 7 |
| category c418; |
| #line 7 |
| category c419; |
| #line 7 |
| category c420; |
| #line 7 |
| category c421; |
| #line 7 |
| category c422; |
| #line 7 |
| category c423; |
| #line 7 |
| category c424; |
| #line 7 |
| category c425; |
| #line 7 |
| category c426; |
| #line 7 |
| category c427; |
| #line 7 |
| category c428; |
| #line 7 |
| category c429; |
| #line 7 |
| category c430; |
| #line 7 |
| category c431; |
| #line 7 |
| category c432; |
| #line 7 |
| category c433; |
| #line 7 |
| category c434; |
| #line 7 |
| category c435; |
| #line 7 |
| category c436; |
| #line 7 |
| category c437; |
| #line 7 |
| category c438; |
| #line 7 |
| category c439; |
| #line 7 |
| category c440; |
| #line 7 |
| category c441; |
| #line 7 |
| category c442; |
| #line 7 |
| category c443; |
| #line 7 |
| category c444; |
| #line 7 |
| category c445; |
| #line 7 |
| category c446; |
| #line 7 |
| category c447; |
| #line 7 |
| category c448; |
| #line 7 |
| category c449; |
| #line 7 |
| category c450; |
| #line 7 |
| category c451; |
| #line 7 |
| category c452; |
| #line 7 |
| category c453; |
| #line 7 |
| category c454; |
| #line 7 |
| category c455; |
| #line 7 |
| category c456; |
| #line 7 |
| category c457; |
| #line 7 |
| category c458; |
| #line 7 |
| category c459; |
| #line 7 |
| category c460; |
| #line 7 |
| category c461; |
| #line 7 |
| category c462; |
| #line 7 |
| category c463; |
| #line 7 |
| category c464; |
| #line 7 |
| category c465; |
| #line 7 |
| category c466; |
| #line 7 |
| category c467; |
| #line 7 |
| category c468; |
| #line 7 |
| category c469; |
| #line 7 |
| category c470; |
| #line 7 |
| category c471; |
| #line 7 |
| category c472; |
| #line 7 |
| category c473; |
| #line 7 |
| category c474; |
| #line 7 |
| category c475; |
| #line 7 |
| category c476; |
| #line 7 |
| category c477; |
| #line 7 |
| category c478; |
| #line 7 |
| category c479; |
| #line 7 |
| category c480; |
| #line 7 |
| category c481; |
| #line 7 |
| category c482; |
| #line 7 |
| category c483; |
| #line 7 |
| category c484; |
| #line 7 |
| category c485; |
| #line 7 |
| category c486; |
| #line 7 |
| category c487; |
| #line 7 |
| category c488; |
| #line 7 |
| category c489; |
| #line 7 |
| category c490; |
| #line 7 |
| category c491; |
| #line 7 |
| category c492; |
| #line 7 |
| category c493; |
| #line 7 |
| category c494; |
| #line 7 |
| category c495; |
| #line 7 |
| category c496; |
| #line 7 |
| category c497; |
| #line 7 |
| category c498; |
| #line 7 |
| category c499; |
| #line 7 |
| category c500; |
| #line 7 |
| category c501; |
| #line 7 |
| category c502; |
| #line 7 |
| category c503; |
| #line 7 |
| category c504; |
| #line 7 |
| category c505; |
| #line 7 |
| category c506; |
| #line 7 |
| category c507; |
| #line 7 |
| category c508; |
| #line 7 |
| category c509; |
| #line 7 |
| category c510; |
| #line 7 |
| category c511; |
| #line 7 |
| category c512; |
| #line 7 |
| category c513; |
| #line 7 |
| category c514; |
| #line 7 |
| category c515; |
| #line 7 |
| category c516; |
| #line 7 |
| category c517; |
| #line 7 |
| category c518; |
| #line 7 |
| category c519; |
| #line 7 |
| category c520; |
| #line 7 |
| category c521; |
| #line 7 |
| category c522; |
| #line 7 |
| category c523; |
| #line 7 |
| category c524; |
| #line 7 |
| category c525; |
| #line 7 |
| category c526; |
| #line 7 |
| category c527; |
| #line 7 |
| category c528; |
| #line 7 |
| category c529; |
| #line 7 |
| category c530; |
| #line 7 |
| category c531; |
| #line 7 |
| category c532; |
| #line 7 |
| category c533; |
| #line 7 |
| category c534; |
| #line 7 |
| category c535; |
| #line 7 |
| category c536; |
| #line 7 |
| category c537; |
| #line 7 |
| category c538; |
| #line 7 |
| category c539; |
| #line 7 |
| category c540; |
| #line 7 |
| category c541; |
| #line 7 |
| category c542; |
| #line 7 |
| category c543; |
| #line 7 |
| category c544; |
| #line 7 |
| category c545; |
| #line 7 |
| category c546; |
| #line 7 |
| category c547; |
| #line 7 |
| category c548; |
| #line 7 |
| category c549; |
| #line 7 |
| category c550; |
| #line 7 |
| category c551; |
| #line 7 |
| category c552; |
| #line 7 |
| category c553; |
| #line 7 |
| category c554; |
| #line 7 |
| category c555; |
| #line 7 |
| category c556; |
| #line 7 |
| category c557; |
| #line 7 |
| category c558; |
| #line 7 |
| category c559; |
| #line 7 |
| category c560; |
| #line 7 |
| category c561; |
| #line 7 |
| category c562; |
| #line 7 |
| category c563; |
| #line 7 |
| category c564; |
| #line 7 |
| category c565; |
| #line 7 |
| category c566; |
| #line 7 |
| category c567; |
| #line 7 |
| category c568; |
| #line 7 |
| category c569; |
| #line 7 |
| category c570; |
| #line 7 |
| category c571; |
| #line 7 |
| category c572; |
| #line 7 |
| category c573; |
| #line 7 |
| category c574; |
| #line 7 |
| category c575; |
| #line 7 |
| category c576; |
| #line 7 |
| category c577; |
| #line 7 |
| category c578; |
| #line 7 |
| category c579; |
| #line 7 |
| category c580; |
| #line 7 |
| category c581; |
| #line 7 |
| category c582; |
| #line 7 |
| category c583; |
| #line 7 |
| category c584; |
| #line 7 |
| category c585; |
| #line 7 |
| category c586; |
| #line 7 |
| category c587; |
| #line 7 |
| category c588; |
| #line 7 |
| category c589; |
| #line 7 |
| category c590; |
| #line 7 |
| category c591; |
| #line 7 |
| category c592; |
| #line 7 |
| category c593; |
| #line 7 |
| category c594; |
| #line 7 |
| category c595; |
| #line 7 |
| category c596; |
| #line 7 |
| category c597; |
| #line 7 |
| category c598; |
| #line 7 |
| category c599; |
| #line 7 |
| category c600; |
| #line 7 |
| category c601; |
| #line 7 |
| category c602; |
| #line 7 |
| category c603; |
| #line 7 |
| category c604; |
| #line 7 |
| category c605; |
| #line 7 |
| category c606; |
| #line 7 |
| category c607; |
| #line 7 |
| category c608; |
| #line 7 |
| category c609; |
| #line 7 |
| category c610; |
| #line 7 |
| category c611; |
| #line 7 |
| category c612; |
| #line 7 |
| category c613; |
| #line 7 |
| category c614; |
| #line 7 |
| category c615; |
| #line 7 |
| category c616; |
| #line 7 |
| category c617; |
| #line 7 |
| category c618; |
| #line 7 |
| category c619; |
| #line 7 |
| category c620; |
| #line 7 |
| category c621; |
| #line 7 |
| category c622; |
| #line 7 |
| category c623; |
| #line 7 |
| category c624; |
| #line 7 |
| category c625; |
| #line 7 |
| category c626; |
| #line 7 |
| category c627; |
| #line 7 |
| category c628; |
| #line 7 |
| category c629; |
| #line 7 |
| category c630; |
| #line 7 |
| category c631; |
| #line 7 |
| category c632; |
| #line 7 |
| category c633; |
| #line 7 |
| category c634; |
| #line 7 |
| category c635; |
| #line 7 |
| category c636; |
| #line 7 |
| category c637; |
| #line 7 |
| category c638; |
| #line 7 |
| category c639; |
| #line 7 |
| category c640; |
| #line 7 |
| category c641; |
| #line 7 |
| category c642; |
| #line 7 |
| category c643; |
| #line 7 |
| category c644; |
| #line 7 |
| category c645; |
| #line 7 |
| category c646; |
| #line 7 |
| category c647; |
| #line 7 |
| category c648; |
| #line 7 |
| category c649; |
| #line 7 |
| category c650; |
| #line 7 |
| category c651; |
| #line 7 |
| category c652; |
| #line 7 |
| category c653; |
| #line 7 |
| category c654; |
| #line 7 |
| category c655; |
| #line 7 |
| category c656; |
| #line 7 |
| category c657; |
| #line 7 |
| category c658; |
| #line 7 |
| category c659; |
| #line 7 |
| category c660; |
| #line 7 |
| category c661; |
| #line 7 |
| category c662; |
| #line 7 |
| category c663; |
| #line 7 |
| category c664; |
| #line 7 |
| category c665; |
| #line 7 |
| category c666; |
| #line 7 |
| category c667; |
| #line 7 |
| category c668; |
| #line 7 |
| category c669; |
| #line 7 |
| category c670; |
| #line 7 |
| category c671; |
| #line 7 |
| category c672; |
| #line 7 |
| category c673; |
| #line 7 |
| category c674; |
| #line 7 |
| category c675; |
| #line 7 |
| category c676; |
| #line 7 |
| category c677; |
| #line 7 |
| category c678; |
| #line 7 |
| category c679; |
| #line 7 |
| category c680; |
| #line 7 |
| category c681; |
| #line 7 |
| category c682; |
| #line 7 |
| category c683; |
| #line 7 |
| category c684; |
| #line 7 |
| category c685; |
| #line 7 |
| category c686; |
| #line 7 |
| category c687; |
| #line 7 |
| category c688; |
| #line 7 |
| category c689; |
| #line 7 |
| category c690; |
| #line 7 |
| category c691; |
| #line 7 |
| category c692; |
| #line 7 |
| category c693; |
| #line 7 |
| category c694; |
| #line 7 |
| category c695; |
| #line 7 |
| category c696; |
| #line 7 |
| category c697; |
| #line 7 |
| category c698; |
| #line 7 |
| category c699; |
| #line 7 |
| category c700; |
| #line 7 |
| category c701; |
| #line 7 |
| category c702; |
| #line 7 |
| category c703; |
| #line 7 |
| category c704; |
| #line 7 |
| category c705; |
| #line 7 |
| category c706; |
| #line 7 |
| category c707; |
| #line 7 |
| category c708; |
| #line 7 |
| category c709; |
| #line 7 |
| category c710; |
| #line 7 |
| category c711; |
| #line 7 |
| category c712; |
| #line 7 |
| category c713; |
| #line 7 |
| category c714; |
| #line 7 |
| category c715; |
| #line 7 |
| category c716; |
| #line 7 |
| category c717; |
| #line 7 |
| category c718; |
| #line 7 |
| category c719; |
| #line 7 |
| category c720; |
| #line 7 |
| category c721; |
| #line 7 |
| category c722; |
| #line 7 |
| category c723; |
| #line 7 |
| category c724; |
| #line 7 |
| category c725; |
| #line 7 |
| category c726; |
| #line 7 |
| category c727; |
| #line 7 |
| category c728; |
| #line 7 |
| category c729; |
| #line 7 |
| category c730; |
| #line 7 |
| category c731; |
| #line 7 |
| category c732; |
| #line 7 |
| category c733; |
| #line 7 |
| category c734; |
| #line 7 |
| category c735; |
| #line 7 |
| category c736; |
| #line 7 |
| category c737; |
| #line 7 |
| category c738; |
| #line 7 |
| category c739; |
| #line 7 |
| category c740; |
| #line 7 |
| category c741; |
| #line 7 |
| category c742; |
| #line 7 |
| category c743; |
| #line 7 |
| category c744; |
| #line 7 |
| category c745; |
| #line 7 |
| category c746; |
| #line 7 |
| category c747; |
| #line 7 |
| category c748; |
| #line 7 |
| category c749; |
| #line 7 |
| category c750; |
| #line 7 |
| category c751; |
| #line 7 |
| category c752; |
| #line 7 |
| category c753; |
| #line 7 |
| category c754; |
| #line 7 |
| category c755; |
| #line 7 |
| category c756; |
| #line 7 |
| category c757; |
| #line 7 |
| category c758; |
| #line 7 |
| category c759; |
| #line 7 |
| category c760; |
| #line 7 |
| category c761; |
| #line 7 |
| category c762; |
| #line 7 |
| category c763; |
| #line 7 |
| category c764; |
| #line 7 |
| category c765; |
| #line 7 |
| category c766; |
| #line 7 |
| category c767; |
| #line 7 |
| category c768; |
| #line 7 |
| category c769; |
| #line 7 |
| category c770; |
| #line 7 |
| category c771; |
| #line 7 |
| category c772; |
| #line 7 |
| category c773; |
| #line 7 |
| category c774; |
| #line 7 |
| category c775; |
| #line 7 |
| category c776; |
| #line 7 |
| category c777; |
| #line 7 |
| category c778; |
| #line 7 |
| category c779; |
| #line 7 |
| category c780; |
| #line 7 |
| category c781; |
| #line 7 |
| category c782; |
| #line 7 |
| category c783; |
| #line 7 |
| category c784; |
| #line 7 |
| category c785; |
| #line 7 |
| category c786; |
| #line 7 |
| category c787; |
| #line 7 |
| category c788; |
| #line 7 |
| category c789; |
| #line 7 |
| category c790; |
| #line 7 |
| category c791; |
| #line 7 |
| category c792; |
| #line 7 |
| category c793; |
| #line 7 |
| category c794; |
| #line 7 |
| category c795; |
| #line 7 |
| category c796; |
| #line 7 |
| category c797; |
| #line 7 |
| category c798; |
| #line 7 |
| category c799; |
| #line 7 |
| category c800; |
| #line 7 |
| category c801; |
| #line 7 |
| category c802; |
| #line 7 |
| category c803; |
| #line 7 |
| category c804; |
| #line 7 |
| category c805; |
| #line 7 |
| category c806; |
| #line 7 |
| category c807; |
| #line 7 |
| category c808; |
| #line 7 |
| category c809; |
| #line 7 |
| category c810; |
| #line 7 |
| category c811; |
| #line 7 |
| category c812; |
| #line 7 |
| category c813; |
| #line 7 |
| category c814; |
| #line 7 |
| category c815; |
| #line 7 |
| category c816; |
| #line 7 |
| category c817; |
| #line 7 |
| category c818; |
| #line 7 |
| category c819; |
| #line 7 |
| category c820; |
| #line 7 |
| category c821; |
| #line 7 |
| category c822; |
| #line 7 |
| category c823; |
| #line 7 |
| category c824; |
| #line 7 |
| category c825; |
| #line 7 |
| category c826; |
| #line 7 |
| category c827; |
| #line 7 |
| category c828; |
| #line 7 |
| category c829; |
| #line 7 |
| category c830; |
| #line 7 |
| category c831; |
| #line 7 |
| category c832; |
| #line 7 |
| category c833; |
| #line 7 |
| category c834; |
| #line 7 |
| category c835; |
| #line 7 |
| category c836; |
| #line 7 |
| category c837; |
| #line 7 |
| category c838; |
| #line 7 |
| category c839; |
| #line 7 |
| category c840; |
| #line 7 |
| category c841; |
| #line 7 |
| category c842; |
| #line 7 |
| category c843; |
| #line 7 |
| category c844; |
| #line 7 |
| category c845; |
| #line 7 |
| category c846; |
| #line 7 |
| category c847; |
| #line 7 |
| category c848; |
| #line 7 |
| category c849; |
| #line 7 |
| category c850; |
| #line 7 |
| category c851; |
| #line 7 |
| category c852; |
| #line 7 |
| category c853; |
| #line 7 |
| category c854; |
| #line 7 |
| category c855; |
| #line 7 |
| category c856; |
| #line 7 |
| category c857; |
| #line 7 |
| category c858; |
| #line 7 |
| category c859; |
| #line 7 |
| category c860; |
| #line 7 |
| category c861; |
| #line 7 |
| category c862; |
| #line 7 |
| category c863; |
| #line 7 |
| category c864; |
| #line 7 |
| category c865; |
| #line 7 |
| category c866; |
| #line 7 |
| category c867; |
| #line 7 |
| category c868; |
| #line 7 |
| category c869; |
| #line 7 |
| category c870; |
| #line 7 |
| category c871; |
| #line 7 |
| category c872; |
| #line 7 |
| category c873; |
| #line 7 |
| category c874; |
| #line 7 |
| category c875; |
| #line 7 |
| category c876; |
| #line 7 |
| category c877; |
| #line 7 |
| category c878; |
| #line 7 |
| category c879; |
| #line 7 |
| category c880; |
| #line 7 |
| category c881; |
| #line 7 |
| category c882; |
| #line 7 |
| category c883; |
| #line 7 |
| category c884; |
| #line 7 |
| category c885; |
| #line 7 |
| category c886; |
| #line 7 |
| category c887; |
| #line 7 |
| category c888; |
| #line 7 |
| category c889; |
| #line 7 |
| category c890; |
| #line 7 |
| category c891; |
| #line 7 |
| category c892; |
| #line 7 |
| category c893; |
| #line 7 |
| category c894; |
| #line 7 |
| category c895; |
| #line 7 |
| category c896; |
| #line 7 |
| category c897; |
| #line 7 |
| category c898; |
| #line 7 |
| category c899; |
| #line 7 |
| category c900; |
| #line 7 |
| category c901; |
| #line 7 |
| category c902; |
| #line 7 |
| category c903; |
| #line 7 |
| category c904; |
| #line 7 |
| category c905; |
| #line 7 |
| category c906; |
| #line 7 |
| category c907; |
| #line 7 |
| category c908; |
| #line 7 |
| category c909; |
| #line 7 |
| category c910; |
| #line 7 |
| category c911; |
| #line 7 |
| category c912; |
| #line 7 |
| category c913; |
| #line 7 |
| category c914; |
| #line 7 |
| category c915; |
| #line 7 |
| category c916; |
| #line 7 |
| category c917; |
| #line 7 |
| category c918; |
| #line 7 |
| category c919; |
| #line 7 |
| category c920; |
| #line 7 |
| category c921; |
| #line 7 |
| category c922; |
| #line 7 |
| category c923; |
| #line 7 |
| category c924; |
| #line 7 |
| category c925; |
| #line 7 |
| category c926; |
| #line 7 |
| category c927; |
| #line 7 |
| category c928; |
| #line 7 |
| category c929; |
| #line 7 |
| category c930; |
| #line 7 |
| category c931; |
| #line 7 |
| category c932; |
| #line 7 |
| category c933; |
| #line 7 |
| category c934; |
| #line 7 |
| category c935; |
| #line 7 |
| category c936; |
| #line 7 |
| category c937; |
| #line 7 |
| category c938; |
| #line 7 |
| category c939; |
| #line 7 |
| category c940; |
| #line 7 |
| category c941; |
| #line 7 |
| category c942; |
| #line 7 |
| category c943; |
| #line 7 |
| category c944; |
| #line 7 |
| category c945; |
| #line 7 |
| category c946; |
| #line 7 |
| category c947; |
| #line 7 |
| category c948; |
| #line 7 |
| category c949; |
| #line 7 |
| category c950; |
| #line 7 |
| category c951; |
| #line 7 |
| category c952; |
| #line 7 |
| category c953; |
| #line 7 |
| category c954; |
| #line 7 |
| category c955; |
| #line 7 |
| category c956; |
| #line 7 |
| category c957; |
| #line 7 |
| category c958; |
| #line 7 |
| category c959; |
| #line 7 |
| category c960; |
| #line 7 |
| category c961; |
| #line 7 |
| category c962; |
| #line 7 |
| category c963; |
| #line 7 |
| category c964; |
| #line 7 |
| category c965; |
| #line 7 |
| category c966; |
| #line 7 |
| category c967; |
| #line 7 |
| category c968; |
| #line 7 |
| category c969; |
| #line 7 |
| category c970; |
| #line 7 |
| category c971; |
| #line 7 |
| category c972; |
| #line 7 |
| category c973; |
| #line 7 |
| category c974; |
| #line 7 |
| category c975; |
| #line 7 |
| category c976; |
| #line 7 |
| category c977; |
| #line 7 |
| category c978; |
| #line 7 |
| category c979; |
| #line 7 |
| category c980; |
| #line 7 |
| category c981; |
| #line 7 |
| category c982; |
| #line 7 |
| category c983; |
| #line 7 |
| category c984; |
| #line 7 |
| category c985; |
| #line 7 |
| category c986; |
| #line 7 |
| category c987; |
| #line 7 |
| category c988; |
| #line 7 |
| category c989; |
| #line 7 |
| category c990; |
| #line 7 |
| category c991; |
| #line 7 |
| category c992; |
| #line 7 |
| category c993; |
| #line 7 |
| category c994; |
| #line 7 |
| category c995; |
| #line 7 |
| category c996; |
| #line 7 |
| category c997; |
| #line 7 |
| category c998; |
| #line 7 |
| category c999; |
| #line 7 |
| category c1000; |
| #line 7 |
| category c1001; |
| #line 7 |
| category c1002; |
| #line 7 |
| category c1003; |
| #line 7 |
| category c1004; |
| #line 7 |
| category c1005; |
| #line 7 |
| category c1006; |
| #line 7 |
| category c1007; |
| #line 7 |
| category c1008; |
| #line 7 |
| category c1009; |
| #line 7 |
| category c1010; |
| #line 7 |
| category c1011; |
| #line 7 |
| category c1012; |
| #line 7 |
| category c1013; |
| #line 7 |
| category c1014; |
| #line 7 |
| category c1015; |
| #line 7 |
| category c1016; |
| #line 7 |
| category c1017; |
| #line 7 |
| category c1018; |
| #line 7 |
| category c1019; |
| #line 7 |
| category c1020; |
| #line 7 |
| category c1021; |
| #line 7 |
| category c1022; |
| #line 7 |
| category c1023; |
| #line 7 |
| |
| |
| # Generate level definitions for each sensitivity and category. |
| # Only one sensitivity (s0) exists; it is declared with the full category |
| # range c0.c1023, i.e. every category declared above (the last is c1023). |
| level s0:c0.c1023; |
| #line 10 |
| |
| |
| |
| ################################################# |
| # MLS policy constraints |
| # |
| |
| # |
| # Process constraints |
| # |
| |
| # Process transition: Require equivalence unless the subject is trusted. |
| # Both ends of the range (low l and high h) must match, so a transition |
| # can neither raise nor lower the new process's range. |
| mlsconstrain process { transition dyntransition } |
| ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject); |
| |
| # Process read operations: No read up unless trusted. |
| # ptrace and share also appear in the write set below, so a subject has |
| # to both dominate and be dominated by the target (i.e. l1 eq l2) to use |
| # them, unless it is an mlstrustedsubject. |
| mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share } |
| (l1 dom l2 or t1 == mlstrustedsubject); |
| |
| # Process write operations: No write down unless trusted. |
| # Only the subject (t1) can be exempted; there is no trusted-object |
| # escape here, unlike the file, FIFO and socket constraints below. |
| mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share } |
| (l1 domby l2 or t1 == mlstrustedsubject); |
| |
| # |
| # Socket constraints |
| # |
| |
| # Create/relabel operations: Subject must be equivalent to object unless |
| # the subject is trusted. Sockets inherit the range of their creator. |
| mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket } { create relabelfrom relabelto } |
| ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject); |
| |
| # Datagram send: Sender must be dominated by receiver unless one of them is |
| # trusted. |
| mlsconstrain unix_dgram_socket { sendto } |
| (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); |
| |
| # Stream connect: Client must be equivalent to server unless one of them |
| # is trusted. |
| mlsconstrain unix_stream_socket { connectto } |
| (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); |
| |
| # |
| # Directory/file constraints |
| # |
| |
| # Create/relabel operations: Subject must be equivalent to object unless |
| # the subject is trusted. Also, files should always be single-level. |
| # Do NOT exempt mlstrustedobject types from this constraint. |
| mlsconstrain { dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create relabelfrom relabelto } |
| (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject)); |
| |
| # |
| # Constraints for app data files only. |
| # |
| # This section and the next partition file objects on t2 == app_data_file: |
| # the constraints here are trivially satisfied for every other type, and |
| # the ones below are trivially satisfied for app data files, so each object |
| # type is governed by exactly one of the two sections. |
| |
| # Only constrain open, not read/write. |
| # Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc. |
| # Subject must be equivalent to object unless the subject is trusted. |
| # Consequences: read, write and execute on app data files are not MLS |
| # constrained at all (the open check is relied on instead), equivalence |
| # rather than dominance is required, and there is no mlstrustedobject |
| # exemption, unlike the general file constraints below. |
| mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir } |
| (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject); |
| mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename } |
| (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject); |
| |
| # |
| # Constraints for file types other than app data files. |
| # |
| |
| # Read operations: Subject must dominate object unless the subject |
| # or the object is trusted. |
| mlsconstrain dir { read getattr search } |
| (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); |
| |
| # execute is treated as a read: a lower-level subject may not run a |
| # higher-level file unless one side is trusted. |
| mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute } |
| (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); |
| |
| # Write operations: Subject must be dominated by the object unless the |
| # subject or the object is trusted. |
| mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir } |
| (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); |
| |
| # setattr and rename appear in both the read-side dir set above and here, |
| # so for non-app-data dirs they effectively require equivalence or trust. |
| mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename } |
| (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); |
| |
| # Special case for FIFOs. |
| # These can be unnamed pipes, in which case they will be labeled with the |
| # creating process' label. Thus we also have an exemption when the "object" |
| # is a MLS trusted subject and can receive data at any level. |
| mlsconstrain fifo_file { read getattr } |
| (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject); |
| |
| mlsconstrain fifo_file { write setattr append unlink link rename } |
| (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject); |
| |
| # |
| # IPC constraints |
| # |
| |
| # Create/destroy: equivalence or trusted. |
| mlsconstrain { sem msgq shm ipc } { create destroy } |
| (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject)); |
| |
| # Read ops: No read up unless trusted. |
| mlsconstrain { sem msgq shm ipc } { getattr read associate unix_read } |
| (l1 dom l2 or t1 == mlstrustedsubject); |
| |
| # Write ops: No write down unless trusted. |
| mlsconstrain { sem msgq shm ipc } { write unix_write } |
| (l1 domby l2 or t1 == mlstrustedsubject); |
| |
| # |
| # Binder IPC constraints |
| # |
| # Presently commented out, as apps are expected to call one another. |
| # This would only make sense if apps were assigned categories |
| # based on allowable communications rather than per-app categories. |
| #mlsconstrain binder call |
| # (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); |
| #line 1 "external/sepolicy/policy_capabilities" |
| # Enable new networking controls. |
| policycap network_peer_controls; |
| |
| # Enable open permission check. |
| # Without this capability the kernel does not check the open permission |
| # on file classes, and the app data file MLS constraints above, which |
| # rely on open rather than read/write, would never be evaluated. |
| policycap open_perms; |
| #line 1 "external/sepolicy/te_macros" |
| ##################################### |
| # domain_trans(olddomain, type, newdomain) |
| # Allow a transition from olddomain to newdomain |
| # upon executing a file labeled with type. |
| # This only allows the transition; it does not |
| # cause it to occur automatically - use domain_auto_trans |
| # if that is what you want. |
| # |
| #line 21 |
| |
| |
| ##################################### |
| # domain_auto_trans(olddomain, type, newdomain) |
| # Automatically transition from olddomain to newdomain |
| # upon executing a file labeled with type. |
| # |
| #line 33 |
| |
| |
| ##################################### |
| # file_type_trans(domain, dir_type, file_type) |
| # Allow domain to create a file labeled file_type in a |
| # directory labeled dir_type. |
| # This only allows the transition; it does not |
| # cause it to occur automatically - use file_type_auto_trans |
| # if that is what you want. |
| # |
| #line 49 |
| |
| |
| ##################################### |
| # file_type_auto_trans(domain, dir_type, file_type) |
| # Automatically label new files with file_type when |
| # they are created by domain in directories labeled dir_type. |
| # |
| #line 62 |
| |
| |
| ##################################### |
| # r_dir_file(domain, type) |
| # Allow the specified domain to read directories, files |
| # and symbolic links of the specified type. |
| #line 71 |
| |
| |
| ##################################### |
| # unconfined_domain(domain) |
| # Allow the specified domain to perform more privileged operations |
| # than would be typically allowed. Please see the comments at the |
| # top of unconfined.te. |
| # |
| #line 82 |
| |
| |
| ##################################### |
| # tmpfs_domain(domain) |
| # Define and allow access to a unique type for |
| # this domain when creating tmpfs / shmem / ashmem files. |
| #line 92 |
| |
| |
| ##################################### |
| # init_daemon_domain(domain) |
| # Set up a transition from init to the daemon domain |
| # upon executing its binary. |
| #line 101 |
| |
| |
| ##################################### |
| # app_domain(domain) |
| # Allow a base set of permissions required for all apps. |
| #line 112 |
| |
| |
| ##################################### |
| # relabelto_domain(domain) |
| # Allows this domain to use the relabelto permission |
| #line 119 |
| |
| |
| ##################################### |
| # platform_app_domain(domain) |
| # Allow permissions specific to platform apps. |
| #line 127 |
| |
| |
| ##################################### |
| # net_domain(domain) |
| # Allow a base set of permissions required for network access. |
| #line 134 |
| |
| |
| ##################################### |
| # bluetooth_domain(domain) |
| # Allow a base set of permissions required for bluetooth access. |
| #line 141 |
| |
| |
| ##################################### |
| # unix_socket_connect(clientdomain, socket, serverdomain) |
| # Allow a local socket connection from clientdomain via |
| # socket to serverdomain. |
| #line 150 |
| |
| |
| ##################################### |
| # unix_socket_send(clientdomain, socket, serverdomain) |
| # Allow a local socket send from clientdomain via |
| # socket to serverdomain. |
| #line 159 |
| |
| |
| ##################################### |
| # binder_use(domain) |
| # Allow domain to use Binder IPC. |
| #line 169 |
| |
| |
| ##################################### |
| # binder_call(clientdomain, serverdomain) |
| # Allow clientdomain to perform binder IPC to serverdomain. |
| #line 181 |
| |
| |
| ##################################### |
| # binder_service(domain) |
| # Mark a domain as being a Binder service domain. |
| # Used to allow binder IPC to the various system services. |
| #line 189 |
| |
| |
| ##################################### |
| # selinux_check_access(domain) |
| # Allow domain to check SELinux permissions via selinuxfs. |
| #line 199 |
| |
| |
| ##################################### |
| # selinux_check_context(domain) |
| # Allow domain to check SELinux contexts via selinuxfs. |
| #line 208 |
| |
| |
| ##################################### |
| # selinux_getenforce(domain) |
| # Allow domain to check whether SELinux is enforcing. |
| #line 216 |
| |
| |
| ##################################### |
| # selinux_setenforce(domain) |
| # Allow domain to set SELinux to enforcing. |
| #line 225 |
| |
| |
| ##################################### |
| # selinux_setbool(domain) |
| # Allow domain to set SELinux booleans. |
| #line 234 |
| |
| |
| ##################################### |
| # security_access_policy(domain) |
| # Read-only access to all policy files and |
| # selinuxfs. |
| #line 248 |
| |
| |
| ##################################### |
| # selinux_manage_policy(domain) |
| # Ability to manage policy files and |
| # trigger runtime reload. |
| #line 261 |
| |
| |
| ##################################### |
| # mmac_manage_policy(domain) |
| # Ability to manage mmac policy files, |
| # trigger runtime reload, change |
| # mmac enforcing mode and access logcat. |
| #line 274 |
| |
| |
| ##################################### |
| # access_kmsg(domain) |
| # Ability to read from kernel logs |
| # and execute the klogctl syscall |
| # in a non destructive manner. See |
| # man 2 klogctl |
| #line 284 |
| |
| |
| ##################################### |
| # write_klog(domain) |
| # Ability to write to kernel log via |
| # klog_write() |
| # See system/core/libcutil/klog.c |
| #line 295 |
| |
| |
| ##################################### |
| # create_pty(domain) |
| # Allow domain to create and use a pty, isolated from any other domain ptys. |
| #line 309 |
| |
| |
| ##################################### |
| # Non system_app application set |
| # |
| |
| |
| ##################################### |
| # Userdebug or eng builds |
| # SELinux rules which apply only to userdebug or eng builds |
| # |
| |
| |
| ##################################### |
| # permissive_or_unconfined |
| # Returns "permissive $1" if FORCE_PERMISSIVE_TO_UNCONFINED is false, |
| # and "unconfined($1)" otherwise. |
| # |
| # This is used for experimental domains, where we want to ensure |
| # the domain is unconfined+enforcing once new SELinux policy development |
| # has ceased. |
| # |
| |
| |
| ##################################### |
| # write_logd(domain) |
| # Ability to write to android log |
| # daemon via sockets |
| #line 345 |
| |
| |
| ##################################### |
| # read_logd(domain) |
| # Ability to read from android |
| # log daemon via sockets |
| #line 353 |
| |
| |
| ##################################### |
| # control_logd(domain) |
| # Ability to control |
| # android log daemon via sockets |
| #line 363 |
| |
| #line 1 "external/sepolicy/attributes" |
| ###################################### |
| # Attribute declarations |
| # |
| |
| # All types used for devices. |
| attribute dev_type; |
| |
| # All types used for processes. |
| attribute domain; |
| |
| # All types used for filesystems. |
| attribute fs_type; |
| |
| # All types used for files that can exist on a labeled fs. |
| # Do not use for pseudo file types. |
| attribute file_type; |
| |
| # All types used for domain entry points. |
| attribute exec_type; |
| |
| # All types used for /data files. |
| attribute data_file_type; |
| |
| # All types used for sysfs files. |
| attribute sysfs_type; |
| |
| # All types used for sdcards. |
| attribute sdcard_type; |
| |
| # All types used for nodes/hosts. |
| attribute node_type; |
| |
| # All types used for network interfaces. |
| attribute netif_type; |
| |
| # All types used for network ports. |
| attribute port_type; |
| |
| # All types used for property service |
| attribute property_type; |
| |
| # All domains that can override MLS restrictions. |
| # i.e. processes that can read up and write down. |
| attribute mlstrustedsubject; |
| |
| # All types that can override MLS restrictions. |
| # i.e. files that can be read by lower and written by higher |
| attribute mlstrustedobject; |
| |
| # Domains that are allowed all permissions ("unconfined"). |
| attribute unconfineddomain; |
| |
| # All domains used for shells. |
| attribute shelldomain; |
| |
| # All domains used for apps. |
| attribute appdomain; |
| |
| # All domains used for apps with network access. |
| attribute netdomain; |
| |
| # All domains used for apps with bluetooth access. |
| attribute bluetoothdomain; |
| |
| # All domains used for binder service domains. |
| attribute binderservicedomain; |
| |
| # All domains used for platform (signed by build key) apps. |
| attribute platformappdomain; |
| |
| # All domains which are allowed the "relabelto" permission |
| attribute relabeltodomain; |
| #line 1 "external/sepolicy/adbd.te" |
| # adbd seclabel is specified in init.rc since |
| # it lives in the rootfs and has no unique file type. |
| # Review: because there is no adbd_exec type, the "entrypoint" |
| # permission has to be granted on rootfs:file further below. |
| type adbd, domain; |
| |
| #line 7 |
| |
| |
| |
| # The rules under the repeated "#line 9" markers look like the expansion |
| # of a domain-transition macro (adbd execs shell_exec and enters the shell |
| # domain); the markers are preprocessor residue mapping back to adbd.te:9. |
| #line 9 |
| # Allow the necessary permissions. |
| #line 9 |
| |
| #line 9 |
| # Old domain may exec the file and transition to the new domain. |
| #line 9 |
| allow adbd shell_exec:file { getattr open read execute }; |
| #line 9 |
| allow adbd shell:process transition; |
| #line 9 |
| # New domain is entered by executing the file. |
| #line 9 |
| allow shell shell_exec:file { entrypoint read execute }; |
| #line 9 |
| # New domain can send SIGCHLD to its caller. |
| #line 9 |
| allow shell adbd:process sigchld; |
| #line 9 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 9 |
| dontaudit adbd shell:process noatsecure; |
| #line 9 |
| # XXX dontaudit candidate but requires further study. |
| #line 9 |
| allow adbd shell:process { siginh rlimitinh }; |
| #line 9 |
| |
| #line 9 |
| # Make the transition occur by default. |
| #line 9 |
| type_transition adbd shell_exec:process shell; |
| #line 9 |
| |
| # this is an entrypoint |
| allow adbd rootfs:file entrypoint; |
| |
| # Do not sanitize the environment or open fds of the shell. |
| # Note: this explicitly allows what the macro expansion above only |
| # dontaudits, so the shell keeps adbd's environment and open fds. |
| allow adbd shell:process noatsecure; |
| |
| # Set UID and GID to shell. Set supplementary groups. |
| allow adbd self:capability { setuid setgid }; |
| |
| # Drop capabilities from bounding set on user builds. |
| allow adbd self:capability setpcap; |
| |
| # Create and use network sockets. |
| |
| #line 23 |
| typeattribute adbd netdomain; |
| #line 23 |
| |
| |
| # Access /dev/android_adb. |
| allow adbd adb_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| |
| # On emulator, access /dev/qemu*. |
| allow adbd qemu_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| |
| # Use a pseudo tty. |
| allow adbd devpts:chr_file { { getattr open read ioctl lock } { open append write } }; |
| |
| # adb push/pull /data/local/tmp. |
| allow adbd shell_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; |
| allow adbd shell_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| |
| # adb push/pull sdcard. |
| # Note: sdcard_type is an attribute, so this covers every sdcard type. |
| allow adbd sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow adbd sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| |
| # Set service.adb.*, sys.powerctl properties. |
| # The "#line 43" rules connect to init over the property socket; the |
| # "set" permission itself is limited to the two property types below. |
| |
| #line 43 |
| allow adbd property_socket:sock_file write; |
| #line 43 |
| allow adbd init:unix_stream_socket connectto; |
| #line 43 |
| |
| allow adbd shell_prop:property_service set; |
| allow adbd powerctl_prop:property_service set; |
| |
| # XXX Run /system/bin/vdc to connect to vold. Run in a separate domain? |
| # Also covers running /system/bin/bu. |
| # Note: execute_no_trans runs these in the adbd domain itself, and the |
| # rule applies to every system_file executable, not only vdc and bu. |
| allow adbd system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; |
| |
| #line 50 |
| allow adbd vold_socket:sock_file write; |
| #line 50 |
| allow adbd vold:unix_stream_socket connectto; |
| #line 50 |
| |
| |
| # Perform binder IPC to surfaceflinger (screencap) |
| # XXX Run screencap in a separate domain? |
| |
| #line 54 |
| # Call the servicemanager and transfer references to it. |
| #line 54 |
| allow adbd servicemanager:binder { call transfer }; |
| #line 54 |
| # rw access to /dev/binder and /dev/ashmem is presently granted to |
| #line 54 |
| # all domains in domain.te. |
| #line 54 |
| |
| |
| #line 55 |
| # Call the server domain and optionally transfer references to it. |
| #line 55 |
| allow adbd surfaceflinger:binder { call transfer }; |
| #line 55 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 55 |
| allow surfaceflinger adbd:binder transfer; |
| #line 55 |
| # Receive and use open files from the server. |
| #line 55 |
| allow adbd surfaceflinger:fd use; |
| #line 55 |
| |
| |
| # Read /data/misc/adb/adb_keys. |
| allow adbd adb_keys_file:dir search; |
| allow adbd adb_keys_file:file { getattr open read ioctl lock }; |
| |
| # Allow access in case /data/misc/adb still has the old type. |
| # Note: keyed on the type, so this grants read of any system_data_file, |
| # not only /data/misc/adb; worth revisiting once the relabel is universal. |
| allow adbd system_data_file:dir search; |
| allow adbd system_data_file:file { getattr open read ioctl lock }; |
| |
| # ndk-gdb invokes adb forward to forward the gdbserver socket. |
| # Note: connectto is granted toward every appdomain socket, not one app. |
| allow adbd app_data_file:dir search; |
| allow adbd app_data_file:sock_file write; |
| allow adbd appdomain:unix_stream_socket connectto; |
| |
| # ndk-gdb invokes adb pull of app_process, linker, and libc.so. |
| allow adbd zygote_exec:file { getattr open read ioctl lock }; |
| allow adbd system_file:file { getattr open read ioctl lock }; |
| #line 1 "external/sepolicy/app.te" |
| ### |
| ### Domain for all zygote spawned apps |
| ### |
| ### This file is the base policy for all zygote spawned apps. |
| ### Other policy files, such as isolated_app.te, untrusted_app.te, etc |
| ### extend from this policy. Only policies which should apply to ALL |
| ### zygote spawned apps should be added here. |
| ### |
| ### Every allow rule on "appdomain" here is inherited by every app |
| ### domain, so each grant below should be read as a platform-wide one. |
| ### |
| |
| # Dalvik Compiler JIT Mapping. |
| # execmem permits executable anonymous mappings, which the JIT needs. |
| allow appdomain self:process execmem; |
| allow appdomain ashmem_device:chr_file execute; |
| |
| # Allow apps to connect to the keystore |
| |
| #line 15 |
| allow appdomain keystore_socket:sock_file write; |
| #line 15 |
| allow appdomain keystore:unix_stream_socket connectto; |
| #line 15 |
| |
| |
| # Receive and use open file descriptors inherited from zygote. |
| allow appdomain zygote:fd use; |
| |
| # gdbserver for ndk-gdb reads the zygote. |
| allow appdomain zygote_exec:file { getattr open read ioctl lock }; |
| |
| # gdbserver for ndk-gdb ptrace attaches to app process. |
| # Note: self only; ptrace of non-app domains is a neverallow below. |
| allow appdomain self:process ptrace; |
| |
| # Read system properties managed by zygote. |
| allow appdomain zygote_tmpfs:file read; |
| |
| # Notify zygote of death. |
| allow appdomain zygote:process sigchld; |
| |
| # Notify shell and adbd of death when spawned via runas for ndk-gdb. |
| allow appdomain shell:process sigchld; |
| allow appdomain adbd:process sigchld; |
| |
| # child shell or gdbserver pty access for runas. |
| allow appdomain devpts:chr_file { getattr read write ioctl }; |
| |
| # Communicate with system_server. |
| allow appdomain system_server:fifo_file { { getattr open read ioctl lock } { open append write } }; |
| allow appdomain system_server:unix_stream_socket { read write setopt }; |
| |
| #line 42 |
| # Call the server domain and optionally transfer references to it. |
| #line 42 |
| allow appdomain system_server:binder { call transfer }; |
| #line 42 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 42 |
| allow system_server appdomain:binder transfer; |
| #line 42 |
| # Receive and use open files from the server. |
| #line 42 |
| allow appdomain system_server:fd use; |
| #line 42 |
| |
| |
| # Communication with other apps via fifos |
| allow appdomain appdomain:fifo_file { { getattr open read ioctl lock } { open append write } }; |
| |
| # Communicate with surfaceflinger. |
| allow appdomain surfaceflinger:unix_stream_socket { read write setopt }; |
| |
| #line 49 |
| # Call the server domain and optionally transfer references to it. |
| #line 49 |
| allow appdomain surfaceflinger:binder { call transfer }; |
| #line 49 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 49 |
| allow surfaceflinger appdomain:binder transfer; |
| #line 49 |
| # Receive and use open files from the server. |
| #line 49 |
| allow appdomain surfaceflinger:fd use; |
| #line 49 |
| |
| |
| # App sandbox file accesses. |
| # Full create/read/write/rename/unlink set on the app's own data type, |
| # across file, symlink, socket and fifo classes. |
| allow appdomain app_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow appdomain app_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| |
| # Read/write data files created by the platform apps if they |
| # were passed to the app via binder or local IPC. Do not allow open. |
| allow appdomain platform_app_data_file:file { getattr read write }; |
| |
| # lib subdirectory of /data/data dir is system-owned. |
| # Note: execute and execute_no_trans on system_data_file:file is granted |
| # to all apps here, not only for the lib subdirectory. |
| allow appdomain system_data_file:dir { open getattr read search ioctl }; |
| allow appdomain system_data_file:file { execute execute_no_trans open }; |
| |
| # Execute the shell or other system executables. |
| allow appdomain shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; |
| allow appdomain system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; |
| |
| # Read/write wallpaper file (opened by system). |
| allow appdomain wallpaper_file:file { getattr read write }; |
| |
| # Write to /data/anr/traces.txt. |
| allow appdomain anr_data_file:dir search; |
| allow appdomain anr_data_file:file { open append }; |
| |
| # Allow apps to send dump information to dumpstate |
| # Note: the shell_data_file:file write here is why the shell_data_file |
| # neverallow near the end of this file omits "write". |
| allow appdomain dumpstate:fd use; |
| allow appdomain dumpstate:unix_stream_socket { read write getopt getattr }; |
| allow appdomain shell_data_file:file { write getattr }; |
| |
| # Write to /proc/net/xt_qtaguid/ctrl file. |
| allow appdomain qtaguid_proc:file { { getattr open read ioctl lock } { open append write } }; |
| # Everybody can read the xt_qtaguid resource tracking misc dev. |
| # So allow all apps to read from /dev/xt_qtaguid. |
| allow appdomain qtaguid_device:chr_file { getattr open read ioctl lock }; |
| |
| # Grant GPU access to all processes started by Zygote. |
| # They need that to render the standard UI. |
| allow appdomain gpu_device:chr_file { { { getattr open read ioctl lock } { open append write } } execute }; |
| |
| # Use the Binder. |
| |
| #line 90 |
| # Call the servicemanager and transfer references to it. |
| #line 90 |
| allow appdomain servicemanager:binder { call transfer }; |
| #line 90 |
| # rw access to /dev/binder and /dev/ashmem is presently granted to |
| #line 90 |
| # all domains in domain.te. |
| #line 90 |
| |
| # Perform binder IPC to binder services. |
| |
| #line 92 |
| # Call the server domain and optionally transfer references to it. |
| #line 92 |
| allow appdomain binderservicedomain:binder { call transfer }; |
| #line 92 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 92 |
| allow binderservicedomain appdomain:binder transfer; |
| #line 92 |
| # Receive and use open files from the server. |
| #line 92 |
| allow appdomain binderservicedomain:fd use; |
| #line 92 |
| |
| # Perform binder IPC to other apps. |
| |
| #line 94 |
| # Call the server domain and optionally transfer references to it. |
| #line 94 |
| allow appdomain appdomain:binder { call transfer }; |
| #line 94 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 94 |
| allow appdomain appdomain:binder transfer; |
| #line 94 |
| # Receive and use open files from the server. |
| #line 94 |
| allow appdomain appdomain:fd use; |
| #line 94 |
| |
| |
| # Appdomain interaction with isolated apps |
| |
| #line 97 |
| allow appdomain isolated_app:dir { open getattr read search ioctl }; |
| #line 97 |
| allow appdomain isolated_app:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 97 |
| |
| |
| # Already connected, unnamed sockets being passed over some other IPC |
| # hence no sock_file or connectto permission. This appears to be how |
| # Chrome works, may need to be updated as more apps using isolated services |
| # are examined. |
| allow appdomain isolated_app:unix_stream_socket { read write }; |
| |
| # Backup ability for every app. BMS opens and passes the fd |
| # to any app that has backup ability. Hence, no open permissions here. |
| allow appdomain backup_data_file:file { read write getattr }; |
| allow appdomain cache_backup_file:file { read write getattr }; |
| # Backup ability using 'adb backup' |
| allow appdomain system_data_file:lnk_file getattr; |
| |
| # Allow all applications to read downloaded files |
| allow appdomain download_file:dir search; |
| allow appdomain download_file:file { getattr open read ioctl lock }; |
| |
| # Allow applications to communicate with netd via /dev/socket/dnsproxyd |
| # to do DNS resolution |
| |
| #line 118 |
| allow appdomain dnsproxyd_socket:sock_file write; |
| #line 118 |
| allow appdomain netd:unix_stream_socket connectto; |
| #line 118 |
| |
| |
| # Allow applications to communicate with drmserver over binder |
| |
| #line 121 |
| # Call the server domain and optionally transfer references to it. |
| #line 121 |
| allow appdomain drmserver:binder { call transfer }; |
| #line 121 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 121 |
| allow drmserver appdomain:binder transfer; |
| #line 121 |
| # Receive and use open files from the server. |
| #line 121 |
| allow appdomain drmserver:fd use; |
| #line 121 |
| |
| |
| # Allow applications to communicate with mediaserver over binder |
| |
| #line 124 |
| # Call the server domain and optionally transfer references to it. |
| #line 124 |
| allow appdomain mediaserver:binder { call transfer }; |
| #line 124 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 124 |
| allow mediaserver appdomain:binder transfer; |
| #line 124 |
| # Receive and use open files from the server. |
| #line 124 |
| allow appdomain mediaserver:fd use; |
| #line 124 |
| |
| |
| # Allow applications to make outbound tcp connections to any port |
| # port_type is the attribute over all port types, so no port is excluded. |
| allow appdomain port_type:tcp_socket name_connect; |
| |
| # Allow apps to see changes to the routing table. |
| # Note: nlmsg_read only; nlmsg_write is deliberately absent. |
| allow appdomain self:netlink_route_socket { |
| read |
| bind |
| create |
| nlmsg_read |
| ioctl |
| getattr |
| setattr |
| getopt |
| setopt |
| shutdown |
| }; |
| |
| # Allow apps to use rawip sockets. This is needed for apps which execute |
| # /system/bin/ping, for example. |
| allow appdomain self:rawip_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } }; |
| |
| # Allow apps to use the USB Accessory interface. |
| # http://developer.android.com/guide/topics/connectivity/usb/accessory.html |
| # |
| # USB devices are first opened by the system server (USBDeviceManagerService) |
| # and the file descriptor is passed to the right Activity via binder. |
| # (Hence no "open" permission in either rule below.) |
| allow appdomain usb_device:chr_file { read write getattr ioctl }; |
| allow appdomain usbaccessory_device:chr_file { read write getattr }; |
| |
| # For art. |
| allow appdomain dalvikcache_data_file:file execute; |
| |
| # For legacy unlabeled userdata on existing devices. |
| # See discussion of Unlabeled files in domain.te for more information. |
| allow appdomain unlabeled:file { getattr execute execute_no_trans }; |
| |
| ### |
| ### CTS-specific rules |
| ### |
| ### NOTE(review): these rules are not conditional on a CTS build; every |
| ### app domain receives them on every device. |
| |
| # For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java. |
| # Reads /proc/pid/status and statm entries to check that |
| # no unexpected root processes are running. |
| # Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java |
| # Reads /proc/pid/cmdline of vold. |
| # Note: "domain" is the attribute of all process types, so this is read |
| # access to the /proc/pid entries of every process on the system. |
| allow appdomain domain:dir { open read search getattr }; |
| allow appdomain domain:{ file lnk_file } { open read getattr }; |
| |
| # For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java. |
| # testRunAsHasCorrectCapabilities |
| allow appdomain runas_exec:file getattr; |
| # Others are either allowed elsewhere or not desired. |
| |
| # For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java |
| # Check SELinux policy and contexts. |
| # Note: the "*" below grants every permission on netlink_selinux_socket; |
| # the selinuxfs:file rule includes write, although only the kernel:security |
| # permissions listed here and in the neverallow block govern policy changes. |
| |
| #line 181 |
| allow appdomain selinuxfs:dir { open getattr read search ioctl }; |
| #line 181 |
| allow appdomain selinuxfs:file { { getattr open read ioctl lock } { open append write } }; |
| #line 181 |
| allow appdomain kernel:security compute_av; |
| #line 181 |
| allow appdomain self:netlink_selinux_socket *; |
| #line 181 |
| |
| |
| #line 182 |
| allow appdomain selinuxfs:dir { open getattr read search ioctl }; |
| #line 182 |
| allow appdomain selinuxfs:file { { getattr open read ioctl lock } { open append write } }; |
| #line 182 |
| allow appdomain kernel:security check_context; |
| #line 182 |
| |
| # Validate that each process is running in the correct security context. |
| allow appdomain domain:process getattr; |
| |
| # logd access |
| |
| #line 187 |
| |
| #line 187 |
| allow appdomain logdr_socket:sock_file write; |
| #line 187 |
| allow appdomain logd:unix_stream_socket connectto; |
| #line 187 |
| |
| #line 187 |
| |
| # application inherit logd write socket (urge is to deprecate this long term) |
| allow appdomain zygote:unix_dgram_socket write; |
| |
| ### |
| ### Neverallow rules |
| ### |
| ### These are things that Android apps should NEVER be able to do |
| ### |
| ### neverallow is a compile-time assertion: any allow rule anywhere in |
| ### the policy that grants a listed access fails the policy build. |
| ### "-x" removes x from a set, so every rule written with |
| ### "-unconfineddomain" leaves unconfined domains unchecked. |
| ### |
| |
| # Superuser capabilities. |
| # bluetooth requires net_admin. |
| # (bluetooth.te carries its own neverallow restricting it to net_admin.) |
| neverallow { appdomain -unconfineddomain -bluetooth } self:capability *; |
| neverallow { appdomain -unconfineddomain } self:capability2 *; |
| |
| # Block device access. |
| neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write }; |
| |
| # Access to any of the following character devices. |
| neverallow { appdomain -unconfineddomain } { |
| audio_device |
| camera_device |
| dm_device |
| radio_device |
| gps_device |
| rpmsg_device |
| }:chr_file { read write }; |
| |
| # Note: Try expanding list of app domains in the future. |
| # Only these three domains are asserted here, not all of appdomain. |
| neverallow { untrusted_app isolated_app shell -unconfineddomain } |
| graphics_device:chr_file { read write }; |
| |
| neverallow { appdomain -nfc -unconfineddomain } nfc_device:chr_file |
| { read write }; |
| neverallow { appdomain -bluetooth -unconfineddomain } hci_attach_dev:chr_file |
| { read write }; |
| neverallow { appdomain -unconfineddomain } tee_device:chr_file { read write }; |
| |
| # Set SELinux enforcing mode, booleans or any other SELinux settings. |
| neverallow { appdomain -unconfineddomain } kernel:security |
| { setenforce setbool setsecparam setcheckreqprot }; |
| |
| # Load security policy. |
| # No unconfineddomain exception here: this holds for every app domain. |
| neverallow appdomain kernel:security load_policy; |
| |
| # Privileged netlink socket interfaces. |
| # netlink_route_socket and netlink_selinux_socket are intentionally not |
| # in this list; both are allowed to apps above. |
| neverallow { appdomain -unconfineddomain } |
| self:{ |
| netlink_socket |
| netlink_firewall_socket |
| netlink_tcpdiag_socket |
| netlink_nflog_socket |
| netlink_xfrm_socket |
| netlink_audit_socket |
| netlink_ip6fw_socket |
| netlink_dnrt_socket |
| netlink_kobject_uevent_socket |
| } *; |
| |
| # Sockets under /dev/socket that are not specifically typed. |
| neverallow { appdomain -unconfineddomain } socket_device:sock_file write; |
| |
| # Unix domain sockets. |
| neverallow { appdomain -unconfineddomain } adbd_socket:sock_file write; |
| neverallow { appdomain -unconfineddomain } installd_socket:sock_file write; |
| neverallow { appdomain -bluetooth -radio -shell -system_app -unconfineddomain } |
| property_socket:sock_file write; |
| neverallow { appdomain -radio -unconfineddomain } rild_socket:sock_file write; |
| neverallow { appdomain -unconfineddomain } vold_socket:sock_file write; |
| neverallow { appdomain -unconfineddomain } zygote_socket:sock_file write; |
| |
| # ptrace access to non-app domains. |
| # Complements the self-only ptrace allow earlier in this file. |
| neverallow { appdomain -unconfineddomain } { domain -appdomain }:process ptrace; |
| |
| # Write access to /proc/pid entries for any non-app domain. |
| neverallow { appdomain -unconfineddomain } { domain -appdomain }:file write; |
| |
| # signal access to non-app domains. |
| # sigchld allowed for parent death notification. |
| # signull allowed for kill(pid, 0) existence test. |
| # All others prohibited. |
| neverallow { appdomain -unconfineddomain } { domain -appdomain }:process |
| { sigkill sigstop signal }; |
| |
| # Transition to a non-app domain. |
| # Exception for the shell domain, can transition to runas, etc. |
| # "~appdomain" is the complement: every type that is not an app domain. |
| neverallow { appdomain -shell -unconfineddomain } ~appdomain:process |
| { transition dyntransition }; |
| |
| # Map low memory. |
| # Note: Take to domain.te and apply to all domains in the future. |
| neverallow { appdomain -unconfineddomain } self:memprotect mmap_zero; |
| |
| # Write to rootfs. |
| neverallow { appdomain -unconfineddomain } rootfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } |
| { create write setattr relabelfrom relabelto append unlink link rename }; |
| |
| # Write to /system. |
| neverallow { appdomain -unconfineddomain } system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } |
| { create write setattr relabelfrom relabelto append unlink link rename }; |
| |
| # Write to entrypoint executables. |
| neverallow { appdomain -unconfineddomain } exec_type:file |
| { create write setattr relabelfrom relabelto append unlink link rename }; |
| |
| # Write to system-owned parts of /data. |
| # This is the default type for anything under /data not otherwise |
| # specified in file_contexts. Define a different type for portions |
| # that should be writable by apps. |
| # Exception for system_app for Settings. |
| neverallow { appdomain -unconfineddomain -system_app } |
| system_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } |
| { create write setattr relabelfrom relabelto append unlink link rename }; |
| |
| # Write to various other parts of /data. |
| neverallow { appdomain -system_app -unconfineddomain } |
| security_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } |
| { create write setattr relabelfrom relabelto append unlink link rename }; |
| neverallow { appdomain -unconfineddomain } drm_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } |
| { create write setattr relabelfrom relabelto append unlink link rename }; |
| neverallow { appdomain -unconfineddomain } gps_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } |
| { create write setattr relabelfrom relabelto append unlink link rename }; |
| neverallow { appdomain -platform_app -unconfineddomain } |
| apk_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } |
| { create write setattr relabelfrom relabelto append unlink link rename }; |
| neverallow { appdomain -platform_app -unconfineddomain } |
| apk_tmp_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } |
| { create write setattr relabelfrom relabelto append unlink link rename }; |
| neverallow { appdomain -platform_app -unconfineddomain } |
| apk_private_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } |
| { create write setattr relabelfrom relabelto append unlink link rename }; |
| neverallow { appdomain -platform_app -unconfineddomain } |
| apk_private_tmp_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } |
| { create write setattr relabelfrom relabelto append unlink link rename }; |
| # shell_data_file deliberately omits "write" from the set below: apps are |
| # allowed to write (not open) dumpstate-provided shell_data_file fds above. |
| neverallow { appdomain -shell -unconfineddomain } |
| shell_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } |
| { create setattr relabelfrom relabelto append unlink link rename }; |
| neverallow { appdomain -bluetooth -unconfineddomain } |
| bluetooth_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } |
| { create write setattr relabelfrom relabelto append unlink link rename }; |
| neverallow { appdomain -unconfineddomain } |
| keystore_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } |
| { create write setattr relabelfrom relabelto append unlink link rename }; |
| neverallow { appdomain -unconfineddomain } |
| systemkeys_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } |
| { create write setattr relabelfrom relabelto append unlink link rename }; |
| neverallow { appdomain -unconfineddomain } |
| wifi_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } |
| { create write setattr relabelfrom relabelto append unlink link rename }; |
| neverallow { appdomain -unconfineddomain } |
| dhcp_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } |
| { create write setattr relabelfrom relabelto append unlink link rename }; |
| |
| # Access to factory files. |
| neverallow { appdomain -unconfineddomain } |
| efs_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { read write }; |
| |
| # Write to various pseudo file systems. |
| neverallow { appdomain -bluetooth -nfc -unconfineddomain } |
| sysfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write; |
| neverallow { appdomain -unconfineddomain } |
| proc:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write; |
| |
| # Access to syslog(2) or /proc/kmsg. |
| neverallow { appdomain -system_app -unconfineddomain } |
| kernel:system { syslog_read syslog_mod syslog_console }; |
| |
| # Ability to perform any filesystem operation other than statfs(2). |
| # i.e. no mount(2), unmount(2), etc. |
| # "~getattr" is the complement: every filesystem permission except getattr. |
| neverallow { appdomain -unconfineddomain } fs_type:filesystem ~getattr; |
| |
| # Ability to set system properties. |
| neverallow { appdomain -system_app -radio -shell -bluetooth -unconfineddomain } |
| property_type:property_service set; |
| #line 1 "external/sepolicy/binderservicedomain.te" |
| # Rules common to all binder service domains |
| # (every domain carrying the binderservicedomain attribute). |
| |
| # Allow dumpstate to collect information from binder services |
| # The shell_data_file:file rule is write/getattr only, no open: the fd is |
| # expected to arrive from dumpstate (see the fd use rule). |
| allow binderservicedomain dumpstate:fd use; |
| allow binderservicedomain dumpstate:unix_stream_socket { read write getopt getattr }; |
| allow binderservicedomain shell_data_file:file { getattr write }; |
| |
| # Allow dumpsys to work from adb shell |
| allow binderservicedomain devpts:chr_file { { getattr open read ioctl lock } { open append write } }; |
| #line 1 "external/sepolicy/bluetooth.te" |
| # bluetooth subsystem |
| type bluetooth, domain; |
| |
| # The "#line 3" block below looks like an app-domain macro expansion: |
| # it joins appdomain (so all of app.te applies) and sets up a private |
| # tmpfs type for ashmem. |
| #line 3 |
| typeattribute bluetooth appdomain; |
| #line 3 |
| # Label ashmem objects with our own unique type. |
| #line 3 |
| |
| #line 3 |
| type bluetooth_tmpfs, file_type; |
| #line 3 |
| type_transition bluetooth tmpfs:file bluetooth_tmpfs; |
| #line 3 |
| allow bluetooth bluetooth_tmpfs:file { read write }; |
| #line 3 |
| |
| #line 3 |
| # Map with PROT_EXEC. |
| #line 3 |
| allow bluetooth bluetooth_tmpfs:file execute; |
| #line 3 |
| |
| |
| # Data file accesses. |
| allow bluetooth bluetooth_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow bluetooth bluetooth_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| |
| # Socket creation under /data/misc/bluedroid. |
| type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket; |
| allow bluetooth bluetooth_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| |
| # bluetooth factory file accesses. |
| |
| #line 14 |
| allow bluetooth bluetooth_efs_file:dir { open getattr read search ioctl }; |
| #line 14 |
| allow bluetooth bluetooth_efs_file:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 14 |
| |
| |
| # Device accesses. |
| # Read/write on the tun, uhid and HCI attach character devices. |
| allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file { { getattr open read ioctl lock } { open append write } }; |
| |
| # Other domains that can create and use bluetooth sockets. |
| # SELinux does not presently define a specific socket class for |
| # bluetooth sockets, nor does it distinguish among the bluetooth protocols. |
| # Note: "*" grants every permission on the generic socket class to every |
| # member of bluetoothdomain, not only to the bluetooth domain itself. |
| allow bluetoothdomain self:socket *; |
| |
| # sysfs access. |
| # net_admin is the single capability this domain holds; the neverallow at |
| # the end of this file asserts that no other capability is ever granted. |
| allow bluetooth sysfs_bluetooth_writable:file { { getattr open read ioctl lock } { open append write } }; |
| allow bluetooth self:capability net_admin; |
| |
| # Allow clients to use a socket provided by the bluetooth app. |
| allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown }; |
| |
| # tethering |
| allow bluetooth self:{ tun_socket udp_socket } { ioctl create }; |
| allow bluetooth efs_file:dir search; |
| |
| # Talk to init over the property socket. |
| |
| #line 36 |
| allow bluetooth property_socket:sock_file write; |
| #line 36 |
| allow bluetooth init:unix_stream_socket connectto; |
| #line 36 |
| |
| |
| # proc access. |
| allow bluetooth proc_bluetooth_writable:file { { getattr open read ioctl lock } { open append write } }; |
| |
| # bluetooth file transfers |
| allow bluetooth sdcard_internal:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow bluetooth sdcard_internal:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| |
| # Allow reading of media_rw_data_file file descriptors |
| # passed to bluetooth |
| allow bluetooth media_rw_data_file:file { read getattr }; |
| |
| # Allow write access to bluetooth specific properties |
| allow bluetooth bluetooth_prop:property_service set; |
| |
| ### |
| ### Neverallow rules |
| ### |
| ### These are things that the bluetooth app should NEVER be able to do |
| ### |
| |
| # Superuser capabilities. |
| # bluetooth requires net_admin. |
| # "~net_admin" is the complement: every capability except net_admin. This |
| # is the counterpart of the "-bluetooth" exclusion in app.te's capability |
| # neverallow. |
| neverallow { bluetooth -unconfineddomain } self:capability ~net_admin; |
| #line 1 "external/sepolicy/bootanim.te" |
| # bootanimation oneshot service |
| type bootanim, domain; |
| type bootanim_exec, exec_type, file_type; |
| |
| # The "#line 5" block below looks like the expansion of an init-daemon |
| # macro: init execs bootanim_exec and transitions into bootanim, and a |
| # private tmpfs type is declared for the domain. |
| |
| #line 5 |
| |
| #line 5 |
| # Allow the necessary permissions. |
| #line 5 |
| |
| #line 5 |
| # Old domain may exec the file and transition to the new domain. |
| #line 5 |
| allow init bootanim_exec:file { getattr open read execute }; |
| #line 5 |
| allow init bootanim:process transition; |
| #line 5 |
| # New domain is entered by executing the file. |
| #line 5 |
| allow bootanim bootanim_exec:file { entrypoint read execute }; |
| #line 5 |
| # New domain can send SIGCHLD to its caller. |
| #line 5 |
| allow bootanim init:process sigchld; |
| #line 5 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 5 |
| dontaudit init bootanim:process noatsecure; |
| #line 5 |
| # XXX dontaudit candidate but requires further study. |
| #line 5 |
| allow init bootanim:process { siginh rlimitinh }; |
| #line 5 |
| |
| #line 5 |
| # Make the transition occur by default. |
| #line 5 |
| type_transition init bootanim_exec:process bootanim; |
| #line 5 |
| |
| #line 5 |
| |
| #line 5 |
| type bootanim_tmpfs, file_type; |
| #line 5 |
| type_transition bootanim tmpfs:file bootanim_tmpfs; |
| #line 5 |
| allow bootanim bootanim_tmpfs:file { read write }; |
| #line 5 |
| |
| #line 5 |
| |
| |
| |
| #line 7 |
| # Call the servicemanager and transfer references to it. |
| #line 7 |
| allow bootanim servicemanager:binder { call transfer }; |
| #line 7 |
| # rw access to /dev/binder and /dev/ashmem is presently granted to |
| #line 7 |
| # all domains in domain.te. |
| #line 7 |
| |
| |
| #line 8 |
| # Call the server domain and optionally transfer references to it. |
| #line 8 |
| allow bootanim surfaceflinger:binder { call transfer }; |
| #line 8 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 8 |
| allow surfaceflinger bootanim:binder transfer; |
| #line 8 |
| # Receive and use open files from the server. |
| #line 8 |
| allow bootanim surfaceflinger:fd use; |
| #line 8 |
| |
| |
| # Read/write access to the GPU device for rendering the animation. |
| allow bootanim gpu_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| #line 1 "external/sepolicy/clatd.te" |
| # 464xlat daemon |
| type clatd, domain; |
| |
| # NOTE(review): clatd is made both an MLS-trusted subject and an |
| # unconfined domain ("allowed all permissions" per the attribute |
| # declaration above). The explicit rules that follow are therefore only |
| # the domain-transition and tmpfs plumbing; the daemon's effective access |
| # comes from unconfineddomain, which is a candidate for tightening once |
| # its real accesses are enumerated. |
| #line 3 |
| typeattribute clatd mlstrustedsubject; |
| #line 3 |
| typeattribute clatd unconfineddomain; |
| #line 3 |
| |
| type clatd_exec, exec_type, file_type; |
| |
| |
| #line 6 |
| |
| #line 6 |
| # Allow the necessary permissions. |
| #line 6 |
| |
| #line 6 |
| # Old domain may exec the file and transition to the new domain. |
| #line 6 |
| allow init clatd_exec:file { getattr open read execute }; |
| #line 6 |
| allow init clatd:process transition; |
| #line 6 |
| # New domain is entered by executing the file. |
| #line 6 |
| allow clatd clatd_exec:file { entrypoint read execute }; |
| #line 6 |
| # New domain can send SIGCHLD to its caller. |
| #line 6 |
| allow clatd init:process sigchld; |
| #line 6 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 6 |
| dontaudit init clatd:process noatsecure; |
| #line 6 |
| # XXX dontaudit candidate but requires further study. |
| #line 6 |
| allow init clatd:process { siginh rlimitinh }; |
| #line 6 |
| |
| #line 6 |
| # Make the transition occur by default. |
| #line 6 |
| type_transition init clatd_exec:process clatd; |
| #line 6 |
| |
| #line 6 |
| |
| #line 6 |
| type clatd_tmpfs, file_type; |
| #line 6 |
| type_transition clatd tmpfs:file clatd_tmpfs; |
| #line 6 |
| allow clatd clatd_tmpfs:file { read write }; |
| #line 6 |
| |
| #line 6 |
| |
| |
| # Network access (netdomain attribute). |
| #line 7 |
| typeattribute clatd netdomain; |
| #line 7 |
| |
| #line 1 "external/sepolicy/debuggerd.te" |
| # debugger interface |
| type debuggerd, domain; |
| type debuggerd_exec, exec_type, file_type; |
| |
| |
| #line 5 |
| |
| #line 5 |
| # Allow the necessary permissions. |
| #line 5 |
| |
| #line 5 |
| # Old domain may exec the file and transition to the new domain. |
| #line 5 |
| allow init debuggerd_exec:file { getattr open read execute }; |
| #line 5 |
| allow init debuggerd:process transition; |
| #line 5 |
| # New domain is entered by executing the file. |
| #line 5 |
| allow debuggerd debuggerd_exec:file { entrypoint read execute }; |
| #line 5 |
| # New domain can send SIGCHLD to its caller. |
| #line 5 |
| allow debuggerd init:process sigchld; |
| #line 5 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 5 |
| dontaudit init debuggerd:process noatsecure; |
| #line 5 |
| # XXX dontaudit candidate but requires further study. |
| #line 5 |
| allow init debuggerd:process { siginh rlimitinh }; |
| #line 5 |
| |
| #line 5 |
| # Make the transition occur by default. |
| #line 5 |
| type_transition init debuggerd_exec:process debuggerd; |
| #line 5 |
| |
| #line 5 |
| |
| #line 5 |
| type debuggerd_tmpfs, file_type; |
| #line 5 |
| type_transition debuggerd tmpfs:file debuggerd_tmpfs; |
| #line 5 |
| allow debuggerd debuggerd_tmpfs:file { read write }; |
| #line 5 |
| |
| #line 5 |
| |
| typeattribute debuggerd mlstrustedsubject; |
| allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner }; |
| allow debuggerd self:capability2 { syslog }; |
| allow debuggerd domain:dir { open getattr read search ioctl }; |
| allow debuggerd domain:file { getattr open read ioctl lock }; |
| allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd }:process ptrace; |
| |
| #line 12 |
| allow debuggerd security_file:dir { open getattr read search ioctl }; |
| #line 12 |
| allow debuggerd security_file:file { getattr open read ioctl lock }; |
| #line 12 |
| allow debuggerd security_file:lnk_file { getattr open read ioctl lock }; |
| #line 12 |
| allow debuggerd selinuxfs:dir { open getattr read search ioctl }; |
| #line 12 |
| allow debuggerd selinuxfs:file { getattr open read ioctl lock }; |
| #line 12 |
| allow debuggerd rootfs:dir { open getattr read search ioctl }; |
| #line 12 |
| allow debuggerd rootfs:file { getattr open read ioctl lock }; |
| #line 12 |
| |
| allow debuggerd system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow debuggerd system_data_file:dir relabelfrom; |
| |
| #line 15 |
| typeattribute debuggerd relabeltodomain; |
| #line 15 |
| |
| allow debuggerd tombstone_data_file:dir relabelto; |
| allow debuggerd tombstone_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow debuggerd tombstone_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| allow debuggerd domain:process { sigstop signal }; |
| allow debuggerd exec_type:file { getattr open read ioctl lock }; |
| # Access app library |
| allow debuggerd system_data_file:file open; |
| |
| # Connect to system_server via /data/system/ndebugsocket. |
| |
| #line 25 |
| allow debuggerd system_ndebug_socket:sock_file write; |
| #line 25 |
| allow debuggerd system_server:unix_stream_socket connectto; |
| #line 25 |
| |
| |
| #line 30 |
| |
| |
| # logd access |
| |
| #line 33 |
| |
| #line 33 |
| allow debuggerd logdr_socket:sock_file write; |
| #line 33 |
| allow debuggerd logd:unix_stream_socket connectto; |
| #line 33 |
| |
| #line 33 |
| |
| #line 1 "external/sepolicy/device.te" |
| # Device types |
| type device, dev_type, fs_type; |
| type alarm_device, dev_type, mlstrustedobject; |
| type adb_device, dev_type; |
| type ashmem_device, dev_type, mlstrustedobject; |
| type audio_device, dev_type; |
| type binder_device, dev_type, mlstrustedobject; |
| type block_device, dev_type; |
| type camera_device, dev_type; |
| type dm_device, dev_type; |
| type loop_device, dev_type; |
| type radio_device, dev_type; |
| type ram_device, dev_type; |
| type console_device, dev_type; |
| type cpuctl_device, dev_type; |
| type fscklogs, dev_type; |
| type full_device, dev_type; |
| # GPU (used by most UI apps) |
| type gpu_device, dev_type, mlstrustedobject; |
| type graphics_device, dev_type; |
| type hw_random_device, dev_type; |
| type input_device, dev_type; |
| type kmem_device, dev_type; |
| type log_device, dev_type, mlstrustedobject; |
| type mtd_device, dev_type; |
| type mtp_device, dev_type, mlstrustedobject; |
| type nfc_device, dev_type; |
| type ptmx_device, dev_type, mlstrustedobject; |
| type qemu_device, dev_type; |
| type kmsg_device, dev_type; |
| type null_device, dev_type, mlstrustedobject; |
| type random_device, dev_type; |
| type sensors_device, dev_type; |
| type serial_device, dev_type; |
| type socket_device, dev_type; |
| type owntty_device, dev_type, mlstrustedobject; |
| type tty_device, dev_type; |
| type urandom_device, dev_type; |
| type video_device, dev_type; |
| type vcs_device, dev_type; |
| type zero_device, dev_type; |
| type fuse_device, dev_type; |
| type iio_device, dev_type; |
| type ion_device, dev_type, mlstrustedobject; |
| type gps_device, dev_type; |
| type qtaguid_device, dev_type; |
| type watchdog_device, dev_type; |
| type uhid_device, dev_type; |
| type tun_device, dev_type, mlstrustedobject; |
| type usbaccessory_device, dev_type; |
| type usb_device, dev_type; |
| type klog_device, dev_type; |
| type properties_device, dev_type; |
| |
| # All devices have a UART for the hci |
| # attach service. The UART dev node |
| # varies per device, so this type |
| # is assigned in per-device policy. |
| type hci_attach_dev, dev_type; |
| |
| # All devices have an rpmsg device for |
| # the remoteproc and rpmsg modules. |
| type rpmsg_device, dev_type; |
| |
| # Partition layout block device |
| type root_block_device, dev_type; |
| #line 1 "external/sepolicy/dhcp.te" |
| type dhcp, domain; |
| |
| #line 2 |
| typeattribute dhcp mlstrustedsubject; |
| #line 2 |
| typeattribute dhcp unconfineddomain; |
| #line 2 |
| |
| type dhcp_exec, exec_type, file_type; |
| type dhcp_data_file, file_type, data_file_type; |
| |
| |
| #line 6 |
| |
| #line 6 |
| # Allow the necessary permissions. |
| #line 6 |
| |
| #line 6 |
| # Old domain may exec the file and transition to the new domain. |
| #line 6 |
| allow init dhcp_exec:file { getattr open read execute }; |
| #line 6 |
| allow init dhcp:process transition; |
| #line 6 |
| # New domain is entered by executing the file. |
| #line 6 |
| allow dhcp dhcp_exec:file { entrypoint read execute }; |
| #line 6 |
| # New domain can send SIGCHLD to its caller. |
| #line 6 |
| allow dhcp init:process sigchld; |
| #line 6 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 6 |
| dontaudit init dhcp:process noatsecure; |
| #line 6 |
| # XXX dontaudit candidate but requires further study. |
| #line 6 |
| allow init dhcp:process { siginh rlimitinh }; |
| #line 6 |
| |
| #line 6 |
| # Make the transition occur by default. |
| #line 6 |
| type_transition init dhcp_exec:process dhcp; |
| #line 6 |
| |
| #line 6 |
| |
| #line 6 |
| type dhcp_tmpfs, file_type; |
| #line 6 |
| type_transition dhcp tmpfs:file dhcp_tmpfs; |
| #line 6 |
| allow dhcp dhcp_tmpfs:file { read write }; |
| #line 6 |
| |
| #line 6 |
| |
| |
| #line 7 |
| typeattribute dhcp netdomain; |
| #line 7 |
| |
| |
| allow dhcp cgroup:dir { create write add_name }; |
| allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service }; |
| allow dhcp self:packet_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } }; |
| allow dhcp self:netlink_route_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_write }; |
| allow dhcp self:rawip_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } }; |
| allow dhcp shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; |
| allow dhcp system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; |
| # For /proc/sys/net/ipv4/conf/*/promote_secondaries |
| allow dhcp proc_net:file write; |
| allow dhcp system_prop:property_service set ; |
| |
| #line 19 |
| allow dhcp property_socket:sock_file write; |
| #line 19 |
| allow dhcp init:unix_stream_socket connectto; |
| #line 19 |
| |
| allow dhcp owntty_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| |
| type_transition dhcp system_data_file:{ dir file } dhcp_data_file; |
| allow dhcp dhcp_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow dhcp dhcp_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| |
| # PAN connections |
| allow dhcp netd:fd use; |
| allow dhcp netd:fifo_file { { getattr open read ioctl lock } { open append write } }; |
| allow dhcp netd:{ { udp_socket unix_dgram_socket } unix_stream_socket } { read write }; |
| allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write }; |
| #line 1 "external/sepolicy/dnsmasq.te" |
| # DNS, DHCP services |
| # Domain for the dnsmasq daemon. No exec/transition rules are expanded in |
| # this section, so how the domain is entered is declared elsewhere. |
| type dnsmasq, domain; |
| |
| #line 3 |
| typeattribute dnsmasq mlstrustedsubject; |
| #line 3 |
| # NOTE(review): unconfineddomain is a broad attribute whose rules are defined |
| # elsewhere in the policy; while it is set, the explicit allow rules below are |
| # presumably not the effective bound on this domain -- confirm before relying on them. |
| typeattribute dnsmasq unconfineddomain; |
| #line 3 |
| |
| type dnsmasq_exec, exec_type, file_type; |
| |
| # net_bind_service allows binding low ports; setuid/setgid are presumably for |
| # dropping privileges after startup -- confirm against the daemon. |
| allow dnsmasq self:capability { net_bind_service setgid setuid }; |
| allow dnsmasq self:tcp_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } }; |
| |
| # dhcp_data_file is declared in dhcp.te and shared with the dhcp domain: |
| # dnsmasq may add/remove directory entries and create, write and rename files there. |
| allow dnsmasq dhcp_data_file:dir { open search write add_name remove_name }; |
| allow dnsmasq dhcp_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| # TCP listeners bind to the generic port and node types. |
| allow dnsmasq port:tcp_socket name_bind; |
| allow dnsmasq node:tcp_socket node_bind; |
| #line 1 "external/sepolicy/domain.te" |
| # Rules for all domains. |
| |
| # Allow reaping by init. |
| allow domain init:process sigchld; |
| |
| # Read access to properties mapping. |
| allow domain kernel:fd use; |
| allow domain tmpfs:file { read getattr }; |
| |
| # Search /storage/emulated tmpfs mount. |
| allow domain tmpfs:dir { open getattr read search ioctl }; |
| |
| # Intra-domain accesses. |
| allow domain self:process ~{ execmem execstack execheap ptrace }; |
| allow domain self:fd use; |
| allow domain self:dir { open getattr read search ioctl }; |
| allow domain self:lnk_file { getattr open read ioctl lock }; |
| allow domain self:{ fifo_file file } { { getattr open read ioctl lock } { open append write } }; |
| allow domain self:{ unix_dgram_socket unix_stream_socket } *; |
| |
| # Inherit or receive open files from others. |
| allow domain init:fd use; |
| allow domain system_server:fd use; |
| |
| # Connect to adbd and use a socket transferred from it. |
| # This is used for e.g. adb backup/restore. |
| allow domain adbd:unix_stream_socket connectto; |
| allow domain adbd:fd use; |
| allow domain adbd:unix_stream_socket { getattr getopt read write shutdown }; |
| |
| #line 43 |
| |
| |
| ### |
| ### Talk to debuggerd. |
| ### |
| allow domain debuggerd:process sigchld; |
| allow domain debuggerd:unix_stream_socket connectto; |
| |
| # Root fs. |
| allow domain rootfs:dir { open getattr read search ioctl }; |
| allow domain rootfs:file { getattr open read ioctl lock }; |
| allow domain rootfs:lnk_file { getattr open read ioctl lock }; |
| |
| # Device accesses. |
| allow domain device:dir search; |
| allow domain dev_type:lnk_file { getattr open read ioctl lock }; |
| allow domain devpts:dir search; |
| allow domain device:file read; |
| allow domain socket_device:dir search; |
| allow domain owntty_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow domain null_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow domain zero_device:chr_file { getattr open read ioctl lock }; |
| allow domain ashmem_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow domain binder_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow domain ptmx_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow domain log_device:dir search; |
| allow domain log_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow domain alarm_device:chr_file { getattr open read ioctl lock }; |
| allow domain urandom_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow domain random_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow domain properties_device:file { getattr open read ioctl lock }; |
| |
| # logd access |
| |
| #line 76 |
| |
| #line 76 |
| |
| #line 76 |
| allow domain logdw_socket:sock_file write; |
| #line 76 |
| allow domain logd:unix_dgram_socket sendto; |
| #line 76 |
| |
| #line 76 |
| |
| |
| # Filesystem accesses. |
| allow domain fs_type:filesystem getattr; |
| allow domain fs_type:dir getattr; |
| |
| # System file accesses. |
| allow domain system_file:dir { open getattr read search ioctl }; |
| allow domain system_file:file { getattr open read ioctl lock }; |
| allow domain system_file:file execute; |
| allow domain system_file:lnk_file { getattr open read ioctl lock }; |
| |
| # Read files already opened under /data. |
| allow domain system_data_file:dir { search getattr }; |
| allow domain system_data_file:file { getattr read }; |
| allow domain system_data_file:lnk_file { getattr open read ioctl lock }; |
| |
| # Read apk files under /data/app. |
| allow domain apk_data_file:dir { getattr search }; |
| allow domain apk_data_file:file { getattr open read ioctl lock }; |
| |
| # Read /data/dalvik-cache. |
| allow domain dalvikcache_data_file:dir { search getattr }; |
| allow domain dalvikcache_data_file:file { getattr open read ioctl lock }; |
| |
| # Read already opened /cache files. |
| allow domain cache_file:dir { open getattr read search ioctl }; |
| allow domain cache_file:file { getattr read }; |
| allow domain cache_file:lnk_file { getattr open read ioctl lock }; |
| |
| # Read timezone related information |
| |
| #line 107 |
| allow domain zoneinfo_data_file:dir { open getattr read search ioctl }; |
| #line 107 |
| allow domain zoneinfo_data_file:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 107 |
| |
| |
| # For /acct/uid/*/tasks. |
| allow domain cgroup:dir { search write }; |
| allow domain cgroup:file { open append write }; |
| |
| # Allow access to the ion memory allocation device. |
| allow domain ion_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| |
| # Read access to pseudo filesystems. |
| |
| #line 117 |
| allow domain proc:dir { open getattr read search ioctl }; |
| #line 117 |
| allow domain proc:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 117 |
| |
| |
| #line 118 |
| allow domain sysfs:dir { open getattr read search ioctl }; |
| #line 118 |
| allow domain sysfs:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 118 |
| |
| |
| #line 119 |
| allow domain sysfs_devices_system_cpu:dir { open getattr read search ioctl }; |
| #line 119 |
| allow domain sysfs_devices_system_cpu:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 119 |
| |
| |
| #line 120 |
| allow domain inotify:dir { open getattr read search ioctl }; |
| #line 120 |
| allow domain inotify:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 120 |
| |
| |
| #line 121 |
| allow domain cgroup:dir { open getattr read search ioctl }; |
| #line 121 |
| allow domain cgroup:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 121 |
| |
| |
| #line 122 |
| allow domain proc_net:dir { open getattr read search ioctl }; |
| #line 122 |
| allow domain proc_net:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 122 |
| |
| |
| # debugfs access |
| allow domain debugfs:dir { open getattr read search ioctl }; |
| allow domain debugfs:file { open append write }; |
| |
| # Get SELinux enforcing status. |
| |
| #line 129 |
| allow domain selinuxfs:dir { open getattr read search ioctl }; |
| #line 129 |
| allow domain selinuxfs:file { getattr open read ioctl lock }; |
| #line 129 |
| |
| |
| # security files |
| allow domain security_file:dir { search getattr }; |
| allow domain security_file:file getattr; |
| |
| # World readable asec image contents |
| allow domain asec_public_file:file { getattr open read ioctl lock }; |
| allow domain { asec_public_file asec_apk_file }:dir { open getattr read search ioctl }; |
| |
| ######## Backwards compatibility - Unlabeled files ############ |
| |
| # Revert to DAC rules when looking at unlabeled files. Over time, the number |
| # of unlabeled files should decrease. |
| # TODO: delete these rules in the future. |
| # |
| # Note on relabelfrom: We allow any app relabelfrom, but without the relabelto |
| # capability, it's essentially useless. This is needed to allow an app with |
| # relabelto to relabel unlabeled files. |
| # |
| allow domain unlabeled:{ file lnk_file sock_file fifo_file } { { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } } relabelfrom }; |
| allow domain unlabeled:dir { { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } relabelfrom }; |
| neverallow { domain -relabeltodomain } *:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto; |
| |
| ### |
| ### neverallow rules |
| ### |
| |
| # Limit ability to ptrace or read sensitive /proc/pid files of processes |
| # with other UIDs to these whitelisted domains. |
| neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace; |
| |
| # Limit device node creation and raw I/O to these whitelisted domains. |
| neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability { sys_rawio mknod }; |
| |
| # No domain needs mac_override as it is unused by SELinux. |
| neverallow domain self:capability2 mac_override; |
| |
| # Only recovery needs mac_admin to set contexts not defined in current policy. |
| neverallow { domain -recovery } self:capability2 mac_admin; |
| |
| # Only init should be able to load SELinux policies. |
| # The first load technically occurs while still in the kernel domain, |
| # but this does not trigger a denial since there is no policy yet. |
| # Policy reload requires allowing this to the init domain. |
| neverallow { domain -init } kernel:security load_policy; |
| |
| # Only init prior to switching context should be able to set enforcing mode. |
| # init starts in kernel domain and switches to init domain via setcon in |
| # the init.rc, so the setenforce occurs while still in kernel. After |
| # switching domains, there is never any need to setenforce again by init. |
| neverallow { domain -kernel } kernel:security { setenforce setcheckreqprot }; |
| |
| # Only init, ueventd, system_server (and unconfined domains) should be able to access the HW RNG. |
| neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *; |
| |
| # Ensure that all entrypoint executables are in exec_type. |
| neverallow domain { file_type -exec_type }:file entrypoint; |
| |
| # Ensure that nothing in userspace can read or write /dev/mem or /dev/kmem; |
| # init and ueventd may only create, relabel, unlink or setattr the node. |
| neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *; |
| neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr }; |
| |
| # Only init should be able to configure kernel usermodehelpers or |
| # security-sensitive proc settings. |
| neverallow { domain -init } usermodehelper:file { append write }; |
| neverallow { domain -init } proc_security:file { append write }; |
| |
| # No domain should be allowed to ptrace init. |
| neverallow domain init:process ptrace; |
| |
| # Init can't receive binder calls. If this neverallow rule is being |
| # triggered, it's probably due to a service with no SELinux domain. |
| neverallow domain init:binder call; |
| |
| # Don't allow raw read/write/open access to block_device |
| # Rather force a relabel to a more specific type |
| neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write }; |
| |
| # Don't allow raw read/write/open access to generic devices. |
| # Rather force a relabel to a more specific type. |
| # ueventd is exempt from this, as it is managing these devices. |
| neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write }; |
| |
| # Limit what domains can mount filesystems or change their mount flags. |
| # sdcard_type / vfat is exempt as a larger set of domains need |
| # this capability, including device-specific domains. |
| neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto }; |
| #line 1 "external/sepolicy/drmserver.te" |
| # drmserver - DRM service |
| type drmserver, domain; |
| type drmserver_exec, exec_type, file_type; |
| |
| |
| #line 5 |
| |
| #line 5 |
| # Allow the necessary permissions. |
| #line 5 |
| |
| #line 5 |
| # Old domain may exec the file and transition to the new domain. |
| #line 5 |
| allow init drmserver_exec:file { getattr open read execute }; |
| #line 5 |
| allow init drmserver:process transition; |
| #line 5 |
| # New domain is entered by executing the file. |
| #line 5 |
| allow drmserver drmserver_exec:file { entrypoint read execute }; |
| #line 5 |
| # New domain can send SIGCHLD to its caller. |
| #line 5 |
| allow drmserver init:process sigchld; |
| #line 5 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 5 |
| dontaudit init drmserver:process noatsecure; |
| #line 5 |
| # XXX dontaudit candidate but requires further study. |
| #line 5 |
| allow init drmserver:process { siginh rlimitinh }; |
| #line 5 |
| |
| #line 5 |
| # Make the transition occur by default. |
| #line 5 |
| type_transition init drmserver_exec:process drmserver; |
| #line 5 |
| |
| #line 5 |
| |
| #line 5 |
| type drmserver_tmpfs, file_type; |
| #line 5 |
| type_transition drmserver tmpfs:file drmserver_tmpfs; |
| #line 5 |
| allow drmserver drmserver_tmpfs:file { read write }; |
| #line 5 |
| |
| #line 5 |
| |
| typeattribute drmserver mlstrustedsubject; |
| |
| # Perform Binder IPC to system server. |
| |
| #line 9 |
| # Call the servicemanager and transfer references to it. |
| #line 9 |
| allow drmserver servicemanager:binder { call transfer }; |
| #line 9 |
| # rw access to /dev/binder and /dev/ashmem is presently granted to |
| #line 9 |
| # all domains in domain.te. |
| #line 9 |
| |
| |
| #line 10 |
| # Call the server domain and optionally transfer references to it. |
| #line 10 |
| allow drmserver system_server:binder { call transfer }; |
| #line 10 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 10 |
| allow system_server drmserver:binder transfer; |
| #line 10 |
| # Receive and use open files from the server. |
| #line 10 |
| allow drmserver system_server:fd use; |
| #line 10 |
| |
| |
| #line 11 |
| # Call the server domain and optionally transfer references to it. |
| #line 11 |
| allow drmserver appdomain:binder { call transfer }; |
| #line 11 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 11 |
| allow appdomain drmserver:binder transfer; |
| #line 11 |
| # Receive and use open files from the server. |
| #line 11 |
| allow drmserver appdomain:fd use; |
| #line 11 |
| |
| |
| #line 12 |
| typeattribute drmserver binderservicedomain; |
| #line 12 |
| |
| |
| # Perform Binder IPC to mediaserver |
| |
| #line 15 |
| # Call the server domain and optionally transfer references to it. |
| #line 15 |
| allow drmserver mediaserver:binder { call transfer }; |
| #line 15 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 15 |
| allow mediaserver drmserver:binder transfer; |
| #line 15 |
| # Receive and use open files from the server. |
| #line 15 |
| allow drmserver mediaserver:fd use; |
| #line 15 |
| |
| |
| allow drmserver sdcard_type:dir search; |
| allow drmserver drm_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow drmserver drm_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| allow drmserver self:{ tcp_socket udp_socket } *; |
| allow drmserver port:tcp_socket name_connect; |
| allow drmserver tee_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow drmserver platform_app_data_file:file { read write getattr }; |
| allow drmserver app_data_file:file { read write getattr }; |
| allow drmserver sdcard_type:file { read write getattr }; |
| |
| #line 26 |
| allow drmserver efs_file:dir { open getattr read search ioctl }; |
| #line 26 |
| allow drmserver efs_file:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 26 |
| |
| |
| type drmserver_socket, file_type; |
| |
| # /data/app/tlcd_sock socket file. |
| # Clearly, /data/app is the most logical place to create a socket. Not. |
| allow drmserver apk_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; |
| type_transition drmserver apk_data_file:sock_file drmserver_socket; |
| allow drmserver drmserver_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| allow drmserver tee:unix_stream_socket connectto; |
| # Delete old socket file if present. |
| allow drmserver apk_data_file:sock_file unlink; |
| |
| # After taking a video, drmserver looks at the video file. |
| |
| #line 40 |
| allow drmserver media_rw_data_file:dir { open getattr read search ioctl }; |
| #line 40 |
| allow drmserver media_rw_data_file:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 40 |
| |
| #line 1 "external/sepolicy/dumpstate.te" |
| # dumpstate |
| type dumpstate, domain; |
| |
| #line 3 |
| typeattribute dumpstate mlstrustedsubject; |
| #line 3 |
| typeattribute dumpstate unconfineddomain; |
| #line 3 |
| |
| type dumpstate_exec, exec_type, file_type; |
| |
| |
| #line 6 |
| |
| #line 6 |
| # Allow the necessary permissions. |
| #line 6 |
| |
| #line 6 |
| # Old domain may exec the file and transition to the new domain. |
| #line 6 |
| allow init dumpstate_exec:file { getattr open read execute }; |
| #line 6 |
| allow init dumpstate:process transition; |
| #line 6 |
| # New domain is entered by executing the file. |
| #line 6 |
| allow dumpstate dumpstate_exec:file { entrypoint read execute }; |
| #line 6 |
| # New domain can send SIGCHLD to its caller. |
| #line 6 |
| allow dumpstate init:process sigchld; |
| #line 6 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 6 |
| dontaudit init dumpstate:process noatsecure; |
| #line 6 |
| # XXX dontaudit candidate but requires further study. |
| #line 6 |
| allow init dumpstate:process { siginh rlimitinh }; |
| #line 6 |
| |
| #line 6 |
| # Make the transition occur by default. |
| #line 6 |
| type_transition init dumpstate_exec:process dumpstate; |
| #line 6 |
| |
| #line 6 |
| |
| #line 6 |
| type dumpstate_tmpfs, file_type; |
| #line 6 |
| type_transition dumpstate tmpfs:file dumpstate_tmpfs; |
| #line 6 |
| allow dumpstate dumpstate_tmpfs:file { read write }; |
| #line 6 |
| |
| #line 6 |
| |
| |
| #line 7 |
| typeattribute dumpstate netdomain; |
| #line 7 |
| |
| |
| #line 8 |
| typeattribute dumpstate relabeltodomain; |
| #line 8 |
| |
| |
| #line 9 |
| # Call the servicemanager and transfer references to it. |
| #line 9 |
| allow dumpstate servicemanager:binder { call transfer }; |
| #line 9 |
| # rw access to /dev/binder and /dev/ashmem is presently granted to |
| #line 9 |
| # all domains in domain.te. |
| #line 9 |
| |
| |
| # Drop privileges by switching UID / GID |
| allow dumpstate self:capability { setuid setgid }; |
| |
| # Allow dumpstate to scan through /proc/pid for all processes |
| |
| #line 15 |
| allow dumpstate domain:dir { open getattr read search ioctl }; |
| #line 15 |
| allow dumpstate domain:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 15 |
| |
| |
| # Send signals to processes |
| allow dumpstate self:capability kill; |
| |
| # Allow executing files on system, such as: |
| # /system/bin/toolbox |
| # /system/bin/logcat |
| # /system/bin/dumpsys |
| allow dumpstate system_file:file execute_no_trans; |
| |
| # Create and write into /data/anr/ |
| allow dumpstate self:capability { dac_override chown fowner fsetid }; |
| allow dumpstate anr_data_file:dir { { { open getattr read search ioctl } { open search write add_name remove_name } } relabelto }; |
| allow dumpstate anr_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| allow dumpstate system_data_file:dir { { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } relabelfrom }; |
| |
| # Allow reading /data/system/uiderrors.txt |
| # TODO: scope this down. |
| allow dumpstate system_data_file:file { getattr open read ioctl lock }; |
| |
| # Read dmesg |
| allow dumpstate self:capability2 syslog; |
| allow dumpstate kernel:system syslog_read; |
| |
| # Get process attributes |
| allow dumpstate domain:process getattr; |
| |
| # Signal java processes to dump their stack |
| allow dumpstate { appdomain system_server }:process signal; |
| |
| # Signal native processes to dump their stack. |
| # This list comes from native_processes_to_dump in dumpstate/utils.c |
| allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal; |
| |
| # The /system/bin/ip command needs this for routing table information. |
| allow dumpstate self:netlink_route_socket { write getattr setopt }; |
| |
| # The vdc command needs to talk to the vold socket. |
| |
| #line 54 |
| allow dumpstate vold_socket:sock_file write; |
| #line 54 |
| allow dumpstate vold:unix_stream_socket connectto; |
| #line 54 |
| |
| |
| # Vibrate the device after we're done collecting the bugreport |
| # /sys/class/timed_output/vibrator/enable |
| # TODO: create a new file class, instead of allowing write access to all of /sys |
| allow dumpstate sysfs:file { open append write }; |
| |
| # Other random bits of data we want to collect |
| allow dumpstate qtaguid_proc:file { getattr open read ioctl lock }; |
| allow dumpstate debugfs:file { getattr open read ioctl lock }; |
| |
| # Allow dumpstate to make binder calls to any binder service |
| |
| #line 66 |
| # Call the server domain and optionally transfer references to it. |
| #line 66 |
| allow dumpstate binderservicedomain:binder { call transfer }; |
| #line 66 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 66 |
| allow binderservicedomain dumpstate:binder transfer; |
| #line 66 |
| # Receive and use open files from the server. |
| #line 66 |
| allow dumpstate binderservicedomain:fd use; |
| #line 66 |
| |
| |
| #line 67 |
| # Call the server domain and optionally transfer references to it. |
| #line 67 |
| allow dumpstate appdomain:binder { call transfer }; |
| #line 67 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 67 |
| allow appdomain dumpstate:binder transfer; |
| #line 67 |
| # Receive and use open files from the server. |
| #line 67 |
| allow dumpstate appdomain:fd use; |
| #line 67 |
| |
| |
| # Reading /proc/PID/maps of other processes. |
| # sys_ptrace is a broad capability (it also gates ptrace() attach to other |
| # processes); it is granted here only because /proc/PID/maps of a process |
| # with different credentials typically cannot be read without it. |
| allow dumpstate self:capability sys_ptrace; |
| |
| # Allow the bugreport service to create a file in |
| # /data/data/com.android.shell/files/bugreports/bugreport |
| allow dumpstate shell_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow dumpstate shell_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| |
| # Run a shell. |
| allow dumpstate shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; |
| |
| # For running am and similar framework commands. |
| # Run /system/bin/app_process. |
| allow dumpstate zygote_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; |
| # Dalvik Compiler JIT. |
| allow dumpstate ashmem_device:chr_file execute; |
| allow dumpstate dumpstate_tmpfs:file execute; |
| allow dumpstate self:process execmem; |
| # For art. |
| allow dumpstate dalvikcache_data_file:file execute; |
| |
| # logd access |
| |
| #line 91 |
| |
| #line 91 |
| allow dumpstate logdr_socket:sock_file write; |
| #line 91 |
| allow dumpstate logd:unix_stream_socket connectto; |
| #line 91 |
| |
| #line 91 |
| |
| |
| #line 92 |
| # Group AID_LOG checked by filesystem & logd |
| #line 92 |
| # to permit control commands |
| #line 92 |
| |
| #line 92 |
| allow dumpstate logd_socket:sock_file write; |
| #line 92 |
| allow dumpstate logd:unix_stream_socket connectto; |
| #line 92 |
| |
| #line 92 |
| |
| #line 1 "external/sepolicy/file.te" |
| # Filesystem types |
| type labeledfs, fs_type; |
| type pipefs, fs_type; |
| type sockfs, fs_type; |
| type rootfs, fs_type; |
| type proc, fs_type; |
| # Security-sensitive proc nodes that should not be writable by most domains. |
| type proc_security, fs_type; |
| # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers. |
| type usermodehelper, fs_type, sysfs_type; |
| type qtaguid_proc, fs_type, mlstrustedobject; |
| type proc_bluetooth_writable, fs_type; |
| type proc_net, fs_type; |
| type selinuxfs, fs_type; |
| type cgroup, fs_type, mlstrustedobject; |
| type sysfs, fs_type, mlstrustedobject; |
| type sysfs_writable, fs_type, sysfs_type, mlstrustedobject; |
| type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject; |
| type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject; |
| type sysfs_wake_lock, fs_type, sysfs_type; |
| # /sys/devices/system/cpu |
| type sysfs_devices_system_cpu, fs_type, sysfs_type; |
| # /sys/module/lowmemorykiller |
| type sysfs_lowmemorykiller, fs_type, sysfs_type; |
| type inotify, fs_type, mlstrustedobject; |
| type devpts, fs_type, mlstrustedobject; |
| type tmpfs, fs_type; |
| type shm, fs_type; |
| type mqueue, fs_type; |
| type sdcard_internal, sdcard_type, fs_type, mlstrustedobject; |
| type sdcard_external, sdcard_type, fs_type, mlstrustedobject; |
| type debugfs, fs_type, mlstrustedobject; |
| |
| # File types |
| type unlabeled, file_type; |
| # Default type for anything under /system. |
| type system_file, file_type; |
| # Default type for anything under /data. |
| type system_data_file, file_type, data_file_type; |
| # /data/drm - DRM plugin data |
| type drm_data_file, file_type, data_file_type; |
| # /data/anr - ANR traces |
| type anr_data_file, file_type, data_file_type, mlstrustedobject; |
| # /data/tombstones - core dumps |
| type tombstone_data_file, file_type, data_file_type; |
| # /data/app - user-installed apps |
| type apk_data_file, file_type, data_file_type; |
| type apk_tmp_file, file_type, data_file_type, mlstrustedobject; |
| # /data/app-private - forward-locked apps |
| type apk_private_data_file, file_type, data_file_type; |
| type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject; |
| # /data/dalvik-cache |
| type dalvikcache_data_file, file_type, data_file_type; |
| # /data/local - writable by shell |
| type shell_data_file, file_type, data_file_type; |
| # /data/gps |
| type gps_data_file, file_type, data_file_type; |
| |
| # /data/misc subdirectories |
| type adb_keys_file, file_type, data_file_type; |
| type audio_data_file, file_type, data_file_type; |
| type bluetooth_data_file, file_type, data_file_type; |
| type camera_data_file, file_type, data_file_type; |
| type keystore_data_file, file_type, data_file_type; |
| type media_data_file, file_type, data_file_type; |
| type media_rw_data_file, file_type, data_file_type; |
| type nfc_data_file, file_type, data_file_type; |
| type radio_data_file, file_type, data_file_type; |
| type systemkeys_data_file, file_type, data_file_type; |
| type vpn_data_file, file_type, data_file_type; |
| type wifi_data_file, file_type, data_file_type; |
| type zoneinfo_data_file, file_type, data_file_type; |
| |
| # Compatibility with type names used in vanilla Android 4.3 and 4.4. |
| typealias audio_data_file alias audio_firmware_file; |
| # /data/data subdirectories - app sandboxes |
| type app_data_file, file_type, data_file_type; |
| type platform_app_data_file, file_type, data_file_type, mlstrustedobject; |
| # Default type for anything under /cache |
| type cache_file, file_type, mlstrustedobject; |
| # Type for /cache/.*\.{data|restore} and default |
| # type for anything under /cache/backup |
| type cache_backup_file, file_type, mlstrustedobject; |
| # Default type for anything under /efs |
| type efs_file, file_type; |
| # Type for wallpaper file. |
| type wallpaper_file, file_type, mlstrustedobject; |
| # /mnt/asec |
| type asec_apk_file, file_type, data_file_type; |
| # Elements of asec files (/mnt/asec) that are world readable |
| type asec_public_file, file_type, data_file_type; |
| # /data/app-asec |
| type asec_image_file, file_type, data_file_type; |
| # /data/backup and /data/secure/backup |
| type backup_data_file, file_type, data_file_type, mlstrustedobject; |
| # For /data/security |
| type security_file, file_type; |
| # All devices have bluetooth efs files, but they |
| # vary per device, so this type is used in |
| # per-device policy. |
| type bluetooth_efs_file, file_type; |
| # Downloaded files |
| type download_file, file_type; |
| |
| # Socket types |
| type adbd_socket, file_type; |
| type bluetooth_socket, file_type; |
| type dnsproxyd_socket, file_type, mlstrustedobject; |
| type dumpstate_socket, file_type; |
| type gps_socket, file_type; |
| type installd_socket, file_type; |
| type keystore_socket, file_type; |
| type lmkd_socket, file_type; |
| type logd_debug, file_type; |
| type logd_socket, file_type; |
| type logdr_socket, file_type; |
| type logdw_socket, file_type; |
| type mdns_socket, file_type; |
| type netd_socket, file_type; |
| type property_socket, file_type; |
| type qemud_socket, file_type; |
| type racoon_socket, file_type; |
| type rild_socket, file_type; |
| type rild_debug_socket, file_type; |
| type system_wpa_socket, file_type; |
| type system_ndebug_socket, file_type; |
| type vold_socket, file_type; |
| type wpa_socket, file_type; |
| type zygote_socket, file_type; |
| |
| # UART (for GPS) control proc file |
| type gps_control, file_type; |
| |
| # Allow files to be created in their appropriate filesystems. |
| allow fs_type self:filesystem associate; |
| allow sysfs_type sysfs:filesystem associate; |
| allow file_type labeledfs:filesystem associate; |
| allow file_type tmpfs:filesystem associate; |
| allow file_type rootfs:filesystem associate; |
| allow dev_type tmpfs:filesystem associate; |
| #line 1 "external/sepolicy/gpsd.te" |
| # gpsd - GPS daemon |
| type gpsd, domain; |
| |
| #line 3 |
| typeattribute gpsd mlstrustedsubject; |
| #line 3 |
| typeattribute gpsd unconfineddomain; |
| #line 3 |
| |
| type gpsd_exec, exec_type, file_type; |
| |
| |
| #line 6 |
| |
| #line 6 |
| # Allow the necessary permissions. |
| #line 6 |
| |
| #line 6 |
| # Old domain may exec the file and transition to the new domain. |
| #line 6 |
| allow init gpsd_exec:file { getattr open read execute }; |
| #line 6 |
| allow init gpsd:process transition; |
| #line 6 |
| # New domain is entered by executing the file. |
| #line 6 |
| allow gpsd gpsd_exec:file { entrypoint read execute }; |
| #line 6 |
| # New domain can send SIGCHLD to its caller. |
| #line 6 |
| allow gpsd init:process sigchld; |
| #line 6 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 6 |
| dontaudit init gpsd:process noatsecure; |
| #line 6 |
| # XXX dontaudit candidate but requires further study. |
| #line 6 |
| allow init gpsd:process { siginh rlimitinh }; |
| #line 6 |
| |
| #line 6 |
| # Make the transition occur by default. |
| #line 6 |
| type_transition init gpsd_exec:process gpsd; |
| #line 6 |
| |
| #line 6 |
| |
| #line 6 |
| type gpsd_tmpfs, file_type; |
| #line 6 |
| type_transition gpsd tmpfs:file gpsd_tmpfs; |
| #line 6 |
| allow gpsd gpsd_tmpfs:file { read write }; |
| #line 6 |
| |
| #line 6 |
| |
| |
| #line 7 |
| typeattribute gpsd netdomain; |
| #line 7 |
| |
| allow gpsd gps_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; |
| allow gpsd gps_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| # Socket is created by the daemon, not by init, and under /data/gps, |
| # not under /dev/socket. |
| type_transition gpsd gps_data_file:sock_file gps_socket; |
| allow gpsd gps_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| # XXX Label the sysfs files gpsd needs with a specific type? The rule below |
| # grants read/write on every file labeled sysfs, not just the GPS nodes. |
| allow gpsd sysfs:file { { getattr open read ioctl lock } { open append write } }; |
| |
| allow gpsd gps_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| |
| # Execute the shell or system commands. |
| allow gpsd shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; |
| allow gpsd system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; |
| #line 1 "external/sepolicy/hci_attach.te" |
| type hci_attach, domain; |
| type hci_attach_exec, exec_type, file_type; |
| |
| |
| #line 4 |
| |
| #line 4 |
| # Allow the necessary permissions. |
| #line 4 |
| |
| #line 4 |
| # Old domain may exec the file and transition to the new domain. |
| #line 4 |
| allow init hci_attach_exec:file { getattr open read execute }; |
| #line 4 |
| allow init hci_attach:process transition; |
| #line 4 |
| # New domain is entered by executing the file. |
| #line 4 |
| allow hci_attach hci_attach_exec:file { entrypoint read execute }; |
| #line 4 |
| # New domain can send SIGCHLD to its caller. |
| #line 4 |
| allow hci_attach init:process sigchld; |
| #line 4 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 4 |
| dontaudit init hci_attach:process noatsecure; |
| #line 4 |
| # XXX dontaudit candidate but requires further study. |
| #line 4 |
| allow init hci_attach:process { siginh rlimitinh }; |
| #line 4 |
| |
| #line 4 |
| # Make the transition occur by default. |
| #line 4 |
| type_transition init hci_attach_exec:process hci_attach; |
| #line 4 |
| |
| #line 4 |
| |
| #line 4 |
| type hci_attach_tmpfs, file_type; |
| #line 4 |
| type_transition hci_attach tmpfs:file hci_attach_tmpfs; |
| #line 4 |
| allow hci_attach hci_attach_tmpfs:file { read write }; |
| #line 4 |
| |
| #line 4 |
| |
| |
| allow hci_attach kernel:system module_request; |
| allow hci_attach hci_attach_dev:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow hci_attach bluetooth_efs_file:dir { open getattr read search ioctl }; |
| allow hci_attach bluetooth_efs_file:file { getattr open read ioctl lock }; |
| #line 1 "external/sepolicy/healthd.te" |
| # healthd seclabel is specified in init.rc since |
| # it lives in the rootfs and has no unique file type. |
| type healthd, domain; |
| |
| allow healthd rootfs:file { read entrypoint }; |
| |
| #line 6 |
| type_transition healthd device:chr_file klog_device "__kmsg__"; |
| #line 6 |
| allow healthd klog_device:chr_file { create open write unlink }; |
| #line 6 |
| allow healthd device:dir { write add_name remove_name }; |
| #line 6 |
| |
| # /dev/__null__ created by init prior to policy load, |
| # open fd inherited by healthd. |
| allow healthd tmpfs:chr_file { read write }; |
| |
| allow healthd self:capability { net_admin mknod }; |
| allow healthd self:capability2 block_suspend; |
| allow healthd self:netlink_kobject_uevent_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } }; |
| |
| #line 14 |
| # Call the servicemanager and transfer references to it. |
| #line 14 |
| allow healthd servicemanager:binder { call transfer }; |
| #line 14 |
| # rw access to /dev/binder and /dev/ashmem is presently granted to |
| #line 14 |
| # all domains in domain.te. |
| #line 14 |
| |
| |
| #line 15 |
| typeattribute healthd binderservicedomain; |
| #line 15 |
| |
| |
| #line 16 |
| # Call the server domain and optionally transfer references to it. |
| #line 16 |
| allow healthd system_server:binder { call transfer }; |
| #line 16 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 16 |
| allow system_server healthd:binder transfer; |
| #line 16 |
| # Receive and use open files from the server. |
| #line 16 |
| allow healthd system_server:fd use; |
| #line 16 |
| |
| |
| ### |
| ### healthd: charger mode |
| ### |
| |
| allow healthd graphics_device:dir { open getattr read search ioctl }; |
| allow healthd graphics_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow healthd input_device:dir { open getattr read search ioctl }; |
| allow healthd input_device:chr_file { getattr open read ioctl lock }; |
| allow healthd ashmem_device:chr_file execute; |
| allow healthd self:process execmem; |
| #line 1 "external/sepolicy/hostapd.te" |
| # userspace wifi access points |
| # hostapd: the user-space Wi-Fi access point daemon. |
| type hostapd, domain; |
| |
| #line 3 |
| # NOTE(review): mlstrustedsubject and unconfineddomain are attributes defined |
| # outside this file; every rule granted to those attributes applies to hostapd |
| # on top of the explicit rules below, so this section alone understates what |
| # the domain can do. |
| typeattribute hostapd mlstrustedsubject; |
| #line 3 |
| typeattribute hostapd unconfineddomain; |
| #line 3 |
| |
| # No domain transition into hostapd is declared in this file; presumably it is |
| # set up elsewhere (the netd rules below suggest netd spawns it) -- confirm. |
| type hostapd_exec, exec_type, file_type; |
| |
| # Linux capabilities: net_admin/net_raw (network configuration, raw and packet |
| # sockets) and setuid/setgid (changing its own credentials). |
| allow hostapd self:capability { net_admin net_raw setuid setgid }; |
| # Generic netlink socket with the full read/write/ioctl/bind/connect/sockopt set. |
| allow hostapd self:netlink_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } }; |
| allow hostapd self:packet_socket { create write read }; |
| # nlmsg_write: may send netlink route messages that modify kernel networking state. |
| allow hostapd self:netlink_route_socket { bind create write nlmsg_write read }; |
| allow hostapd self:udp_socket { create ioctl }; |
| |
| # Own configuration/state under wifi_data_file, plus full management of the |
| # wpa_socket control-socket directory and the sockets inside it. |
| allow hostapd wifi_data_file:file { { getattr open read ioctl lock } { open append write } }; |
| allow hostapd wifi_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow hostapd wpa_socket:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow hostapd wpa_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| # Descriptors, sockets and pipes owned by netd: hostapd may use fds it receives |
| # from netd and read/write those objects (read/write only -- no create, bind or |
| # connect on netd's sockets). |
| allow hostapd netd:fd use; |
| allow hostapd netd:udp_socket { read write }; |
| allow hostapd netd:netlink_kobject_uevent_socket { read write }; |
| allow hostapd netd:netlink_nflog_socket { read write }; |
| allow hostapd netd:netlink_route_socket { read write }; |
| allow hostapd netd:unix_stream_socket { read write }; |
| allow hostapd netd:fifo_file { read write }; |
| #line 1 "external/sepolicy/init_shell.te" |
| # Restricted domain for shell processes spawned by init |
| # NOTE(review): despite the "Restricted" heading, this domain is also given the |
| # mlstrustedsubject and unconfineddomain attributes below, so its effective |
| # permissions are the shelldomain rules plus whatever those attributes grant |
| # (all three are defined outside this file). |
| type init_shell, domain, shelldomain; |
| |
| # Domain transition: when init executes a shell_exec file, the new process |
| # runs as init_shell. |
| #line 3 |
| # Allow the necessary permissions. |
| #line 3 |
| |
| #line 3 |
| # Old domain may exec the file and transition to the new domain. |
| #line 3 |
| allow init shell_exec:file { getattr open read execute }; |
| #line 3 |
| allow init init_shell:process transition; |
| #line 3 |
| # New domain is entered by executing the file. |
| #line 3 |
| allow init_shell shell_exec:file { entrypoint read execute }; |
| #line 3 |
| # New domain can send SIGCHLD to its caller. |
| #line 3 |
| allow init_shell init:process sigchld; |
| #line 3 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 3 |
| dontaudit init init_shell:process noatsecure; |
| #line 3 |
| # XXX dontaudit candidate but requires further study. |
| #line 3 |
| # siginh/rlimitinh: the new domain inherits pending signals and resource |
| # limits from init instead of having them reset on transition. |
| allow init init_shell:process { siginh rlimitinh }; |
| #line 3 |
| |
| #line 3 |
| # Make the transition occur by default. |
| #line 3 |
| type_transition init shell_exec:process init_shell; |
| #line 3 |
| |
| |
| #line 4 |
| typeattribute init_shell mlstrustedsubject; |
| #line 4 |
| typeattribute init_shell unconfineddomain; |
| #line 4 |
| |
| |
| # The remaining rules are inherited from the shelldomain attribute (shelldomain.te). |
| #line 1 "external/sepolicy/init.te" |
| # init switches to init domain (via init.rc). |
| # init starts in the kernel domain (see kernel.te) and moves to this domain |
| # itself once policy is loaded. |
| type init, domain; |
| # init is unconfined. |
| # NOTE(review): the explicit rules below are a small subset of what init can |
| # do; the unconfineddomain and mlstrustedsubject attributes (defined elsewhere) |
| # supply the rest. |
| |
| #line 4 |
| typeattribute init mlstrustedsubject; |
| #line 4 |
| typeattribute init unconfineddomain; |
| #line 4 |
| |
| |
| # init's own tmpfs/ashmem label. |
| #line 5 |
| type init_tmpfs, file_type; |
| #line 5 |
| type_transition init tmpfs:file init_tmpfs; |
| #line 5 |
| allow init init_tmpfs:file { read write }; |
| #line 5 |
| |
| |
| #line 6 |
| typeattribute init relabeltodomain; |
| #line 6 |
| |
| # Allow mounting filesystems that carry no label (the unlabeled type). |
| allow init unlabeled:filesystem mount; |
| |
| # sys_rawio: raw block-device I/O; mknod: create device nodes. |
| allow init self:capability { sys_rawio mknod }; |
| |
| # Read/write every block device, and every permission in the filesystem class |
| # ('*') on every fs_type filesystem (mount, remount, unmount, relabel, ...). |
| allow init dev_type:blk_file { { getattr open read ioctl lock } { open append write } }; |
| allow init fs_type:filesystem *; |
| # init may relabel directories, device nodes, files, symlinks, sockets and |
| # fifos to any fs/dev/file type (e.g. restorecon at boot). |
| allow init {fs_type dev_type file_type}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto; |
| # init loads the SELinux policy into the kernel. |
| allow init kernel:security load_policy; |
| # Write access to the usermodehelper and proc_security nodes that file.te |
| # deliberately keeps away from most other domains. |
| allow init usermodehelper:file { { getattr open read ioctl lock } { open append write } }; |
| allow init proc_security:file { { getattr open read ioctl lock } { open append write } }; |
| |
| # Transitions to seclabel processes in init.rc |
| # These services get their domain from a seclabel entry in init.rc rather |
| # than from an exec_type on their binary (cf. healthd.te), so no |
| # type_transition rule exists for them; init must be allowed the |
| # transition explicitly. |
| allow init adbd:process transition; |
| allow init healthd:process transition; |
| allow init recovery:process transition; |
| allow init shell:process transition; |
| allow init ueventd:process transition; |
| allow init watchdogd:process transition; |
| #line 1 "external/sepolicy/inputflinger.te" |
| # inputflinger |
| type inputflinger, domain; |
| |
| #line 3 |
| typeattribute inputflinger mlstrustedsubject; |
| #line 3 |
| typeattribute inputflinger unconfineddomain; |
| #line 3 |
| |
| type inputflinger_exec, exec_type, file_type; |
| |
| |
| #line 6 |
| |
| #line 6 |
| # Allow the necessary permissions. |
| #line 6 |
| |
| #line 6 |
| # Old domain may exec the file and transition to the new domain. |
| #line 6 |
| allow init inputflinger_exec:file { getattr open read execute }; |
| #line 6 |
| allow init inputflinger:process transition; |
| #line 6 |
| # New domain is entered by executing the file. |
| #line 6 |
| allow inputflinger inputflinger_exec:file { entrypoint read execute }; |
| #line 6 |
| # New domain can send SIGCHLD to its caller. |
| #line 6 |
| allow inputflinger init:process sigchld; |
| #line 6 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 6 |
| dontaudit init inputflinger:process noatsecure; |
| #line 6 |
| # XXX dontaudit candidate but requires further study. |
| #line 6 |
| allow init inputflinger:process { siginh rlimitinh }; |
| #line 6 |
| |
| #line 6 |
| # Make the transition occur by default. |
| #line 6 |
| type_transition init inputflinger_exec:process inputflinger; |
| #line 6 |
| |
| #line 6 |
| |
| #line 6 |
| type inputflinger_tmpfs, file_type; |
| #line 6 |
| type_transition inputflinger tmpfs:file inputflinger_tmpfs; |
| #line 6 |
| allow inputflinger inputflinger_tmpfs:file { read write }; |
| #line 6 |
| |
| #line 6 |
| |
| |
| #line 7 |
| # Call the servicemanager and transfer references to it. |
| #line 7 |
| allow inputflinger servicemanager:binder { call transfer }; |
| #line 7 |
| # rw access to /dev/binder and /dev/ashmem is presently granted to |
| #line 7 |
| # all domains in domain.te. |
| #line 7 |
| |
| |
| #line 8 |
| typeattribute inputflinger binderservicedomain; |
| #line 8 |
| |
| #line 1 "external/sepolicy/installd.te" |
| # installer daemon |
| type installd, domain; |
| type installd_exec, exec_type, file_type; |
| |
| |
| #line 5 |
| |
| #line 5 |
| # Allow the necessary permissions. |
| #line 5 |
| |
| #line 5 |
| # Old domain may exec the file and transition to the new domain. |
| #line 5 |
| allow init installd_exec:file { getattr open read execute }; |
| #line 5 |
| allow init installd:process transition; |
| #line 5 |
| # New domain is entered by executing the file. |
| #line 5 |
| allow installd installd_exec:file { entrypoint read execute }; |
| #line 5 |
| # New domain can send SIGCHLD to its caller. |
| #line 5 |
| allow installd init:process sigchld; |
| #line 5 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 5 |
| dontaudit init installd:process noatsecure; |
| #line 5 |
| # XXX dontaudit candidate but requires further study. |
| #line 5 |
| allow init installd:process { siginh rlimitinh }; |
| #line 5 |
| |
| #line 5 |
| # Make the transition occur by default. |
| #line 5 |
| type_transition init installd_exec:process installd; |
| #line 5 |
| |
| #line 5 |
| |
| #line 5 |
| type installd_tmpfs, file_type; |
| #line 5 |
| type_transition installd tmpfs:file installd_tmpfs; |
| #line 5 |
| allow installd installd_tmpfs:file { read write }; |
| #line 5 |
| |
| #line 5 |
| |
| |
| #line 6 |
| typeattribute installd relabeltodomain; |
| #line 6 |
| |
| typeattribute installd mlstrustedsubject; |
| allow installd self:capability { chown dac_override fowner fsetid setgid setuid }; |
| allow installd system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| allow installd system_data_file:lnk_file create; |
| allow installd dalvikcache_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| allow installd data_file_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow installd data_file_type:dir { relabelfrom relabelto }; |
| allow installd data_file_type:{ { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { getattr unlink }; |
| allow installd apk_data_file:file { getattr open read ioctl lock }; |
| allow installd apk_tmp_file:file { getattr open read ioctl lock }; |
| allow installd system_file:file { getattr execute execute_no_trans }; |
| allow installd cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow installd download_file:dir { { open getattr read search ioctl } write remove_name }; |
| allow installd download_file:file { { getattr open read ioctl lock } unlink }; |
| dontaudit installd self:capability sys_admin; |
| # Check validity of SELinux context before use. |
| |
| #line 23 |
| allow installd selinuxfs:dir { open getattr read search ioctl }; |
| #line 23 |
| allow installd selinuxfs:file { { getattr open read ioctl lock } { open append write } }; |
| #line 23 |
| allow installd kernel:security check_context; |
| #line 23 |
| |
| # Read /seapp_contexts and /data/security/seapp_contexts |
| |
| #line 25 |
| allow installd security_file:dir { open getattr read search ioctl }; |
| #line 25 |
| allow installd security_file:file { getattr open read ioctl lock }; |
| #line 25 |
| allow installd security_file:lnk_file { getattr open read ioctl lock }; |
| #line 25 |
| allow installd selinuxfs:dir { open getattr read search ioctl }; |
| #line 25 |
| allow installd selinuxfs:file { getattr open read ioctl lock }; |
| #line 25 |
| allow installd rootfs:dir { open getattr read search ioctl }; |
| #line 25 |
| allow installd rootfs:file { getattr open read ioctl lock }; |
| #line 25 |
| |
| # ASEC |
| allow installd platform_app_data_file:lnk_file { create setattr }; |
| allow installd app_data_file:lnk_file { create setattr }; |
| allow installd asec_apk_file:file { getattr open read ioctl lock }; |
| allow installd bluetooth_data_file:lnk_file { create setattr }; |
| allow installd nfc_data_file:lnk_file { create setattr }; |
| allow installd radio_data_file:lnk_file { create setattr }; |
| allow installd shell_data_file:lnk_file { create setattr }; |
| #line 1 "external/sepolicy/isolated_app.te" |
| ### |
| ### Services with isolatedProcess=true in their manifest. |
| ### |
| ### This file defines the rules for isolated apps. An "isolated |
| ### app" is an APP with UID between AID_ISOLATED_START (99000) |
| ### and AID_ISOLATED_END (99999). |
| ### |
| ### isolated_app includes all the appdomain rules, plus the |
| ### additional following rules: |
| ### |
| |
| type isolated_app, domain; |
| |
| #line 13 |
| # appdomain is defined outside this file; its rules apply here in full. |
| typeattribute isolated_app appdomain; |
| #line 13 |
| # Label ashmem objects with our own unique type. |
| #line 13 |
| |
| #line 13 |
| type isolated_app_tmpfs, file_type; |
| #line 13 |
| type_transition isolated_app tmpfs:file isolated_app_tmpfs; |
| #line 13 |
| allow isolated_app isolated_app_tmpfs:file { read write }; |
| #line 13 |
| |
| #line 13 |
| # Map with PROT_EXEC. |
| # Together with the read/write rule above this permits the domain's own |
| # ashmem regions to be both writable and executable. |
| #line 13 |
| allow isolated_app isolated_app_tmpfs:file execute; |
| #line 13 |
| |
| |
| # Already connected, unnamed sockets being passed over some other IPC |
| # hence no sock_file or connectto permission. This appears to be how |
| # Chrome works, may need to be updated as more apps using isolated services |
| # are examined. |
| # Note the rule is not limited to the parent app: any appdomain stream |
| # socket handed to the isolated process may be read and written. |
| allow isolated_app appdomain:unix_stream_socket { read write }; |
| |
| # Execute compiled code under /data/dalvik-cache (dalvikcache_data_file, file.te). |
| allow isolated_app dalvikcache_data_file:file execute; |
| # Metadata only on the /data/app directory (apk_data_file, file.te); no read/search. |
| allow isolated_app apk_data_file:dir getattr; |
| #line 1 "external/sepolicy/kernel.te" |
| # Life begins with the kernel. |
| type kernel, domain; |
| |
| # init is already running in the kernel domain when policy is loaded, so it |
| # moves to the init domain with a dynamic (setcon-style) transition rather |
| # than by exec'ing a labeled binary (see init.te). |
| allow kernel init:process dyntransition; |
| |
| # The kernel is unconfined. |
| # NOTE(review): unconfineddomain and mlstrustedsubject are defined outside |
| # this file; the explicit rules below are only the subset that also needs |
| # auditing or a type_transition. |
| |
| #line 7 |
| typeattribute kernel mlstrustedsubject; |
| #line 7 |
| typeattribute kernel unconfineddomain; |
| #line 7 |
| |
| |
| #line 8 |
| typeattribute kernel relabeltodomain; |
| #line 8 |
| |
| |
| # Relabel any fs/dev/file object, mount unlabeled filesystems, and hold every |
| # permission in the filesystem class ('*') on every fs_type filesystem -- the |
| # same set granted to init in init.te. |
| allow kernel {fs_type dev_type file_type}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto; |
| allow kernel unlabeled:filesystem mount; |
| allow kernel fs_type:filesystem *; |
| |
| # Initial setenforce by init prior to switching to init domain. |
| allow kernel self:security setenforce; |
| |
| # Set checkreqprot by init.rc prior to switching to init domain. |
| allow kernel self:security setcheckreqprot; |
| |
| # For operations performed by kernel or init prior to switching to init domain. |
| ## TODO: Investigate whether it is safe to remove these |
| # auditallow keeps the permission granted but logs every use of it, so the |
| # TODO above can be answered from audit data rather than by guessing. |
| allow kernel self:capability { sys_rawio mknod }; |
| auditallow kernel self:capability { sys_rawio mknod }; |
| allow kernel dev_type:blk_file { { getattr open read ioctl lock } { open append write } }; |
| auditallow kernel dev_type:blk_file { { getattr open read ioctl lock } { open append write } }; |
| #line 1 "external/sepolicy/keystore.te" |
| type keystore, domain; |
| type keystore_exec, exec_type, file_type; |
| |
| # keystore daemon |
| |
| #line 5 |
| |
| #line 5 |
| # Allow the necessary permissions. |
| #line 5 |
| |
| #line 5 |
| # Old domain may exec the file and transition to the new domain. |
| #line 5 |
| allow init keystore_exec:file { getattr open read execute }; |
| #line 5 |
| allow init keystore:process transition; |
| #line 5 |
| # New domain is entered by executing the file. |
| #line 5 |
| allow keystore keystore_exec:file { entrypoint read execute }; |
| #line 5 |
| # New domain can send SIGCHLD to its caller. |
| #line 5 |
| allow keystore init:process sigchld; |
| #line 5 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 5 |
| dontaudit init keystore:process noatsecure; |
| #line 5 |
| # XXX dontaudit candidate but requires further study. |
| #line 5 |
| allow init keystore:process { siginh rlimitinh }; |
| #line 5 |
| |
| #line 5 |
| # Make the transition occur by default. |
| #line 5 |
| type_transition init keystore_exec:process keystore; |
| #line 5 |
| |
| #line 5 |
| |
| #line 5 |
| type keystore_tmpfs, file_type; |
| #line 5 |
| type_transition keystore tmpfs:file keystore_tmpfs; |
| #line 5 |
| allow keystore keystore_tmpfs:file { read write }; |
| #line 5 |
| |
| #line 5 |
| |
| typeattribute keystore mlstrustedsubject; |
| |
| #line 7 |
| # Call the servicemanager and transfer references to it. |
| #line 7 |
| allow keystore servicemanager:binder { call transfer }; |
| #line 7 |
| # rw access to /dev/binder and /dev/ashmem is presently granted to |
| #line 7 |
| # all domains in domain.te. |
| #line 7 |
| |
| |
| #line 8 |
| typeattribute keystore binderservicedomain; |
| #line 8 |
| |
| allow keystore keystore_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow keystore keystore_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| allow keystore keystore_exec:file { getattr }; |
| allow keystore tee_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow keystore tee:unix_stream_socket connectto; |
| #line 1 "external/sepolicy/lmkd.te" |
| # lmkd low memory killer daemon |
| type lmkd, domain; |
| type lmkd_exec, exec_type, file_type; |
| |
| |
| # Domain transition: init executes lmkd_exec and the new process runs as lmkd. |
| #line 5 |
| |
| #line 5 |
| # Allow the necessary permissions. |
| #line 5 |
| |
| #line 5 |
| # Old domain may exec the file and transition to the new domain. |
| #line 5 |
| allow init lmkd_exec:file { getattr open read execute }; |
| #line 5 |
| allow init lmkd:process transition; |
| #line 5 |
| # New domain is entered by executing the file. |
| #line 5 |
| allow lmkd lmkd_exec:file { entrypoint read execute }; |
| #line 5 |
| # New domain can send SIGCHLD to its caller. |
| #line 5 |
| allow lmkd init:process sigchld; |
| #line 5 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 5 |
| dontaudit init lmkd:process noatsecure; |
| #line 5 |
| # XXX dontaudit candidate but requires further study. |
| #line 5 |
| allow init lmkd:process { siginh rlimitinh }; |
| #line 5 |
| |
| #line 5 |
| # Make the transition occur by default. |
| #line 5 |
| type_transition init lmkd_exec:process lmkd; |
| #line 5 |
| |
| #line 5 |
| |
| #line 5 |
| # lmkd's own tmpfs/ashmem label. |
| type lmkd_tmpfs, file_type; |
| #line 5 |
| type_transition lmkd tmpfs:file lmkd_tmpfs; |
| #line 5 |
| allow lmkd lmkd_tmpfs:file { read write }; |
| #line 5 |
| |
| #line 5 |
| |
| |
| # dac_override: bypass file permission checks on the proc entries written |
| # below; sys_resource: presumably needed to lower a process's oom_score_adj |
| # below its current value, which the kernel gates on that capability -- confirm. |
| allow lmkd self:capability { dac_override sys_resource }; |
| |
| ## Open and write to /proc/PID/oom_score_adj |
| ## TODO: maybe scope this down? |
| ## NOTE(review): the rules below are class-wide -- they grant read on every |
| ## dir/file/lnk_file and write on every file labeled with the appdomain or |
| ## system_server type (i.e. the whole /proc/PID tree of those processes), |
| ## not only oom_score_adj. |
| |
| #line 11 |
| allow lmkd appdomain:dir { open getattr read search ioctl }; |
| #line 11 |
| allow lmkd appdomain:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 11 |
| |
| allow lmkd appdomain:file write; |
| |
| #line 13 |
| allow lmkd system_server:dir { open getattr read search ioctl }; |
| #line 13 |
| allow lmkd system_server:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 13 |
| |
| allow lmkd system_server:file write; |
| |
| ## Writes to /sys/module/lowmemorykiller/parameters/minfree |
| ## sysfs_lowmemorykiller is a dedicated sysfs type (file.te); write-only here, |
| ## no read or getattr. |
| allow lmkd sysfs_lowmemorykiller:file { open append write }; |
| #line 1 "external/sepolicy/logd.te" |
| # android user-space log manager |
| # Started by init (domain_auto_trans expansion below). The neverallow |
| # block at the end of this file is a build-time assertion: policy |
| # compilation fails if any rule anywhere grants what it forbids. |
| type logd, domain; |
| type logd_exec, exec_type, file_type; |
| |
| |
| #line 5 |
| |
| #line 5 |
| # Allow the necessary permissions. |
| #line 5 |
| |
| #line 5 |
| # Old domain may exec the file and transition to the new domain. |
| #line 5 |
| allow init logd_exec:file { getattr open read execute }; |
| #line 5 |
| allow init logd:process transition; |
| #line 5 |
| # New domain is entered by executing the file. |
| #line 5 |
| allow logd logd_exec:file { entrypoint read execute }; |
| #line 5 |
| # New domain can send SIGCHLD to its caller. |
| #line 5 |
| allow logd init:process sigchld; |
| #line 5 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 5 |
| dontaudit init logd:process noatsecure; |
| #line 5 |
| # XXX dontaudit candidate but requires further study. |
| #line 5 |
| allow init logd:process { siginh rlimitinh }; |
| #line 5 |
| |
| #line 5 |
| # Make the transition occur by default. |
| #line 5 |
| type_transition init logd_exec:process logd; |
| #line 5 |
| |
| #line 5 |
| |
| #line 5 |
| type logd_tmpfs, file_type; |
| #line 5 |
| type_transition logd tmpfs:file logd_tmpfs; |
| #line 5 |
| allow logd logd_tmpfs:file { read write }; |
| #line 5 |
| |
| #line 5 |
| |
| # "*" grants every permission defined for the unix_stream_socket class on |
| # logd's own sockets (create, bind, listen, accept, read, write, ...). |
| allow logd self:unix_stream_socket *; |
| |
| # setuid/setgid: presumably used to drop to a less privileged uid/gid after |
| # start-up — confirm against the daemon's init sequence. sys_nice lets it |
| # change scheduling priority. |
| allow logd self:capability { setuid setgid sys_nice }; |
| |
| |
| # r_dir_file over the whole "domain" attribute: read-only access to dirs, |
| # files and symlinks labelled with any process domain type (presumably the |
| # /proc/PID entries of every process). No write permission is granted here. |
| #line 10 |
| allow logd domain:dir { open getattr read search ioctl }; |
| #line 10 |
| allow logd domain:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 10 |
| |
| |
| #line 17 |
| |
| |
| ### |
| ### Neverallow rules |
| ### |
| ### logd should NEVER do any of this |
| |
| # Block device access. |
| neverallow logd dev_type:blk_file { read write }; |
| |
| # ptrace any other app |
| # (domain covers every process type, so this also forbids ptrace of self.) |
| neverallow logd domain:process ptrace; |
| |
| # Write to /system. |
| neverallow logd system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write; |
| |
| # Write to files in /data/data or system files on /data |
| neverallow logd { app_data_file system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write; |
| #line 1 "external/sepolicy/media_app.te" |
| ### |
| ### Apps signed with the media key. |
| ### |
| |
| # Unlike platform_app, media_app is NOT unconfineddomain: the explicit |
| # rules in this file plus the appdomain/platformappdomain/netdomain/ |
| # binderservicedomain attribute rules are its effective access. |
| type media_app, domain; |
| |
| #line 6 |
| typeattribute media_app appdomain; |
| #line 6 |
| # Label ashmem objects with our own unique type. |
| #line 6 |
| |
| #line 6 |
| type media_app_tmpfs, file_type; |
| #line 6 |
| type_transition media_app tmpfs:file media_app_tmpfs; |
| #line 6 |
| allow media_app media_app_tmpfs:file { read write }; |
| #line 6 |
| |
| #line 6 |
| # Map with PROT_EXEC. |
| #line 6 |
| allow media_app media_app_tmpfs:file execute; |
| #line 6 |
| |
| |
| # platformappdomain: also receives the shared "Rules for all platform app |
| # domains" block in platform_app.te (platform_app_data_file, sdcard, |
| # media_rw_data_file). mlstrustedsubject exempts the domain from MLS |
| # constraints. |
| #line 7 |
| typeattribute media_app platformappdomain; |
| #line 7 |
| typeattribute media_app mlstrustedsubject; |
| #line 7 |
| |
| |
| #line 8 |
| typeattribute media_app binderservicedomain; |
| #line 8 |
| |
| # Access the network. |
| |
| #line 10 |
| typeattribute media_app netdomain; |
| #line 10 |
| |
| # Access /dev/mtp_usb. |
| allow media_app mtp_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| # Write to /cache. |
| allow media_app cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; |
| allow media_app cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| # Stat /cache/lost+found |
| # (getattr only; "unlabeled" covers any object without a label, not just |
| # lost+found.) |
| allow media_app unlabeled:file getattr; |
| allow media_app unlabeled:dir getattr; |
| # Stat /cache/backup |
| allow media_app cache_backup_file:file getattr; |
| allow media_app cache_backup_file:dir getattr; |
| # Read files in the rootdir (in particular, file_contexts for restorecon). |
| allow media_app rootfs:file { getattr open read ioctl lock }; |
| allow media_app download_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; |
| allow media_app download_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| # Allow platform apps to mark platform app data files as download files |
| # The relabelfrom/relabelto pair is one-directional: platform_app_data_file |
| # dirs may become download_file dirs, not the reverse. |
| |
| #line 27 |
| typeattribute media_app relabeltodomain; |
| #line 27 |
| |
| allow media_app platform_app_data_file:dir relabelfrom; |
| allow media_app download_file:dir relabelto; |
| #line 1 "external/sepolicy/mediaserver.te" |
| # mediaserver - multimedia daemon |
| type mediaserver, domain; |
| |
| #line 3 |
| typeattribute mediaserver mlstrustedsubject; |
| #line 3 |
| typeattribute mediaserver unconfineddomain; |
| #line 3 |
| |
| # NOTE(review): unconfineddomain attaches the broad rule set defined for |
| # that attribute (outside this file), so the explicit allow rules below |
| # document intended access rather than the effective limit until the |
| # attribute is dropped. The rules are what will remain once it is. |
| type mediaserver_exec, exec_type, file_type; |
| |
| # Duplicate of the mlstrustedsubject declaration above; redundant but |
| # harmless. |
| typeattribute mediaserver mlstrustedsubject; |
| |
| |
| #line 8 |
| typeattribute mediaserver netdomain; |
| #line 8 |
| |
| |
| #line 9 |
| |
| #line 9 |
| # Allow the necessary permissions. |
| #line 9 |
| |
| #line 9 |
| # Old domain may exec the file and transition to the new domain. |
| #line 9 |
| allow init mediaserver_exec:file { getattr open read execute }; |
| #line 9 |
| allow init mediaserver:process transition; |
| #line 9 |
| # New domain is entered by executing the file. |
| #line 9 |
| allow mediaserver mediaserver_exec:file { entrypoint read execute }; |
| #line 9 |
| # New domain can send SIGCHLD to its caller. |
| #line 9 |
| allow mediaserver init:process sigchld; |
| #line 9 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 9 |
| dontaudit init mediaserver:process noatsecure; |
| #line 9 |
| # XXX dontaudit candidate but requires further study. |
| #line 9 |
| allow init mediaserver:process { siginh rlimitinh }; |
| #line 9 |
| |
| #line 9 |
| # Make the transition occur by default. |
| #line 9 |
| type_transition init mediaserver_exec:process mediaserver; |
| #line 9 |
| |
| #line 9 |
| |
| #line 9 |
| type mediaserver_tmpfs, file_type; |
| #line 9 |
| type_transition mediaserver tmpfs:file mediaserver_tmpfs; |
| #line 9 |
| allow mediaserver mediaserver_tmpfs:file { read write }; |
| #line 9 |
| |
| #line 9 |
| |
| |
| # Talk to the property service (unix_socket_connect to init). |
| #line 10 |
| allow mediaserver property_socket:sock_file write; |
| #line 10 |
| allow mediaserver init:unix_stream_socket connectto; |
| #line 10 |
| |
| |
| |
| # Read-only access to sdcard dirs/files; the separate "sdcard_type:file |
| # write" rule further down adds write. |
| #line 12 |
| allow mediaserver sdcard_type:dir { open getattr read search ioctl }; |
| #line 12 |
| allow mediaserver sdcard_type:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 12 |
| |
| |
| |
| #line 14 |
| # Call the servicemanager and transfer references to it. |
| #line 14 |
| allow mediaserver servicemanager:binder { call transfer }; |
| #line 14 |
| # rw access to /dev/binder and /dev/ashmem is presently granted to |
| #line 14 |
| # all domains in domain.te. |
| #line 14 |
| |
| |
| #line 15 |
| # Call the server domain and optionally transfer references to it. |
| #line 15 |
| allow mediaserver binderservicedomain:binder { call transfer }; |
| #line 15 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 15 |
| allow binderservicedomain mediaserver:binder transfer; |
| #line 15 |
| # Receive and use open files from the server. |
| #line 15 |
| allow mediaserver binderservicedomain:fd use; |
| #line 15 |
| |
| |
| # Binder client of every app domain as well: mediaserver may call into |
| # apps and use file descriptors they hand it. |
| #line 16 |
| # Call the server domain and optionally transfer references to it. |
| #line 16 |
| allow mediaserver appdomain:binder { call transfer }; |
| #line 16 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 16 |
| allow appdomain mediaserver:binder transfer; |
| #line 16 |
| # Receive and use open files from the server. |
| #line 16 |
| allow mediaserver appdomain:fd use; |
| #line 16 |
| |
| |
| #line 17 |
| typeattribute mediaserver binderservicedomain; |
| #line 17 |
| |
| |
| # execmem: anonymous memory mapped writable+executable (JIT-style). |
| allow mediaserver self:process execmem; |
| # module_request: may trigger kernel module auto-loading. |
| allow mediaserver kernel:system module_request; |
| allow mediaserver media_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow mediaserver media_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| # Read/write of app private data files (any app's, given a path), dir |
| # search only. |
| allow mediaserver app_data_file:dir search; |
| allow mediaserver app_data_file:file { { getattr open read ioctl lock } { open append write } }; |
| allow mediaserver platform_app_data_file:file { getattr read }; |
| allow mediaserver sdcard_type:file write; |
| allow mediaserver { gpu_device graphics_device }:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow mediaserver video_device:dir { open getattr read search ioctl }; |
| allow mediaserver video_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow mediaserver audio_device:dir { open getattr read search ioctl }; |
| allow mediaserver qemu_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow mediaserver tee_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow mediaserver audio_prop:property_service set; |
| |
| # Access audio devices at all. |
| allow mediaserver audio_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| |
| # XXX Label with a specific type? |
| # Until then this is read/write to every file under the generic sysfs |
| # label, not just the attributes mediaserver needs. |
| allow mediaserver sysfs:file { { getattr open read ioctl lock } { open append write } }; |
| |
| # XXX Why? |
| allow mediaserver apk_data_file:file { read getattr }; |
| |
| # Access camera device. |
| allow mediaserver camera_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow mediaserver rpmsg_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| |
| # Inter-system processes communicate over a named pipe (FIFO); read side only. |
| allow mediaserver system_server:fifo_file { getattr open read ioctl lock }; |
| |
| # Camera data |
| |
| #line 52 |
| allow mediaserver camera_data_file:dir { open getattr read search ioctl }; |
| #line 52 |
| allow mediaserver camera_data_file:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 52 |
| |
| |
| #line 53 |
| allow mediaserver media_rw_data_file:dir { open getattr read search ioctl }; |
| #line 53 |
| allow mediaserver media_rw_data_file:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 53 |
| |
| |
| # Grant access to audio files to mediaserver |
| # (dir: read + add_name/write, i.e. may create but not remove entries.) |
| allow mediaserver audio_data_file:dir { { open getattr read search ioctl } add_name write }; |
| allow mediaserver audio_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| |
| # Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid |
| allow mediaserver qtaguid_proc:file { { getattr open read ioctl lock } { open append write } }; |
| allow mediaserver qtaguid_device:chr_file { getattr open read ioctl lock }; |
| |
| # Allow abstract socket connection |
| allow mediaserver rild:unix_stream_socket { connectto read write setopt }; |
| |
| # Needed on some devices for playing DRM protected content, |
| # but seems expected and appropriate for all devices. |
| |
| #line 68 |
| allow mediaserver drmserver_socket:sock_file write; |
| #line 68 |
| allow mediaserver drmserver:unix_stream_socket connectto; |
| #line 68 |
| |
| |
| # Needed on some devices for playing audio on paired BT device, |
| # but seems appropriate for all devices. |
| |
| #line 72 |
| allow mediaserver bluetooth_socket:sock_file write; |
| #line 72 |
| allow mediaserver bluetooth:unix_stream_socket connectto; |
| #line 72 |
| |
| #line 1 "external/sepolicy/mtp.te" |
| # vpn tunneling protocol manager |
| # NOTE: "mtp" here is the VPN tunnelling daemon, not Media Transfer |
| # Protocol — the /dev/mtp_usb access lives in media_app.te. It is the |
| # parent domain of ppp (see the mtp -> ppp transition in ppp.te). |
| type mtp, domain; |
| |
| #line 3 |
| typeattribute mtp mlstrustedsubject; |
| #line 3 |
| typeattribute mtp unconfineddomain; |
| #line 3 |
| |
| # NOTE(review): unconfineddomain means the rules below are not the |
| # effective limit; they document the access intended to remain once the |
| # attribute is removed. |
| type mtp_exec, exec_type, file_type; |
| |
| |
| #line 6 |
| |
| #line 6 |
| # Allow the necessary permissions. |
| #line 6 |
| |
| #line 6 |
| # Old domain may exec the file and transition to the new domain. |
| #line 6 |
| allow init mtp_exec:file { getattr open read execute }; |
| #line 6 |
| allow init mtp:process transition; |
| #line 6 |
| # New domain is entered by executing the file. |
| #line 6 |
| allow mtp mtp_exec:file { entrypoint read execute }; |
| #line 6 |
| # New domain can send SIGCHLD to its caller. |
| #line 6 |
| allow mtp init:process sigchld; |
| #line 6 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 6 |
| dontaudit init mtp:process noatsecure; |
| #line 6 |
| # XXX dontaudit candidate but requires further study. |
| #line 6 |
| allow init mtp:process { siginh rlimitinh }; |
| #line 6 |
| |
| #line 6 |
| # Make the transition occur by default. |
| #line 6 |
| type_transition init mtp_exec:process mtp; |
| #line 6 |
| |
| #line 6 |
| |
| #line 6 |
| type mtp_tmpfs, file_type; |
| #line 6 |
| type_transition mtp tmpfs:file mtp_tmpfs; |
| #line 6 |
| allow mtp mtp_tmpfs:file { read write }; |
| #line 6 |
| |
| #line 6 |
| |
| |
| #line 7 |
| typeattribute mtp netdomain; |
| #line 7 |
| |
| |
| # pptp policy |
| # tcp/generic/raw-IP sockets with the full create + rw_socket_perms set; |
| # rawip_socket plus net_raw is what lets the daemon craft GRE/raw packets. |
| allow mtp self:tcp_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } }; |
| allow mtp self:socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } }; |
| allow mtp self:rawip_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } }; |
| allow mtp self:capability net_raw; |
| allow mtp ppp:process signal; |
| # name_connect to the generic "port" type (declared in net.te), i.e. any |
| # port without a more specific label. |
| allow mtp port:tcp_socket name_connect; |
| allow mtp vpn_data_file:dir search; |
| #line 1 "external/sepolicy/netd.te" |
| # network manager |
| # Started by init; in turn spawns dhcp, hostapd, dnsmasq and clatd in their |
| # own domains (domain_auto_trans expansions below). See the neverallow |
| # block at the end for the build-time assertions on this domain. |
| type netd, domain; |
| type netd_exec, exec_type, file_type; |
| |
| |
| #line 5 |
| |
| #line 5 |
| # Allow the necessary permissions. |
| #line 5 |
| |
| #line 5 |
| # Old domain may exec the file and transition to the new domain. |
| #line 5 |
| allow init netd_exec:file { getattr open read execute }; |
| #line 5 |
| allow init netd:process transition; |
| #line 5 |
| # New domain is entered by executing the file. |
| #line 5 |
| allow netd netd_exec:file { entrypoint read execute }; |
| #line 5 |
| # New domain can send SIGCHLD to its caller. |
| #line 5 |
| allow netd init:process sigchld; |
| #line 5 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 5 |
| dontaudit init netd:process noatsecure; |
| #line 5 |
| # XXX dontaudit candidate but requires further study. |
| #line 5 |
| allow init netd:process { siginh rlimitinh }; |
| #line 5 |
| |
| #line 5 |
| # Make the transition occur by default. |
| #line 5 |
| type_transition init netd_exec:process netd; |
| #line 5 |
| |
| #line 5 |
| |
| #line 5 |
| type netd_tmpfs, file_type; |
| #line 5 |
| type_transition netd tmpfs:file netd_tmpfs; |
| #line 5 |
| allow netd netd_tmpfs:file { read write }; |
| #line 5 |
| |
| #line 5 |
| |
| |
| #line 6 |
| typeattribute netd netdomain; |
| #line 6 |
| |
| |
| # net_admin/net_raw: interface, routing and raw socket control. kill: |
| # signal processes outside its own uid (see the child-domain signal rules). |
| # A second capability rule (dac_override chown fowner) appears further down. |
| allow netd self:capability { net_admin net_raw kill fsetid }; |
| # "*" on each netlink/raw/unix socket class is every permission of that class. |
| allow netd self:netlink_kobject_uevent_socket *; |
| allow netd self:netlink_route_socket *; |
| allow netd self:netlink_nflog_socket *; |
| allow netd self:rawip_socket *; |
| allow netd self:unix_stream_socket *; |
| # execute_no_trans: netd may run the shell and any system_file binary |
| # *without* a domain transition, i.e. the child keeps netd's privileges. |
| # The neverallow rules below do not constrain what such a child does beyond |
| # what they forbid netd itself. |
| allow netd shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; |
| allow netd system_file:file { getattr execute execute_no_trans }; |
| allow netd devpts:chr_file { { getattr open read ioctl lock } { open append write } }; |
| |
| # For /proc/sys/net/ipv[46]/route/flush. |
| # (proc_net:file write is broader than the flush file alone.) |
| allow netd proc_net:file write; |
| |
| # For /sys/modules/bcmdhd/parameters/firmware_path |
| # XXX Split into its own type. |
| # Until then this is write access to every file under the generic sysfs label. |
| allow netd sysfs:file write; |
| |
| # Set dhcp lease for PAN connection |
| |
| #line 26 |
| allow netd property_socket:sock_file write; |
| #line 26 |
| allow netd init:unix_stream_socket connectto; |
| #line 26 |
| |
| allow netd system_prop:property_service set; |
| |
| # Connect to PAN |
| |
| #line 30 |
| # Allow the necessary permissions. |
| #line 30 |
| |
| #line 30 |
| # Old domain may exec the file and transition to the new domain. |
| #line 30 |
| allow netd dhcp_exec:file { getattr open read execute }; |
| #line 30 |
| allow netd dhcp:process transition; |
| #line 30 |
| # New domain is entered by executing the file. |
| #line 30 |
| allow dhcp dhcp_exec:file { entrypoint read execute }; |
| #line 30 |
| # New domain can send SIGCHLD to its caller. |
| #line 30 |
| allow dhcp netd:process sigchld; |
| #line 30 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 30 |
| dontaudit netd dhcp:process noatsecure; |
| #line 30 |
| # XXX dontaudit candidate but requires further study. |
| #line 30 |
| allow netd dhcp:process { siginh rlimitinh }; |
| #line 30 |
| |
| #line 30 |
| # Make the transition occur by default. |
| #line 30 |
| type_transition netd dhcp_exec:process dhcp; |
| #line 30 |
| |
| allow netd dhcp:process signal; |
| |
| # Needed to update /data/misc/wifi/hostapd.conf |
| # TODO: See what we can do to reduce the need for |
| # these capabilities |
| # dac_override bypasses owner/mode checks on every file netd touches, not |
| # only hostapd.conf; chown/fowner let it change ownership and attributes. |
| allow netd self:capability { dac_override chown fowner }; |
| allow netd wifi_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| allow netd wifi_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; |
| |
| # Allow netd to spawn hostapd in its own domain |
| |
| #line 41 |
| # Allow the necessary permissions. |
| #line 41 |
| |
| #line 41 |
| # Old domain may exec the file and transition to the new domain. |
| #line 41 |
| allow netd hostapd_exec:file { getattr open read execute }; |
| #line 41 |
| allow netd hostapd:process transition; |
| #line 41 |
| # New domain is entered by executing the file. |
| #line 41 |
| allow hostapd hostapd_exec:file { entrypoint read execute }; |
| #line 41 |
| # New domain can send SIGCHLD to its caller. |
| #line 41 |
| allow hostapd netd:process sigchld; |
| #line 41 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 41 |
| dontaudit netd hostapd:process noatsecure; |
| #line 41 |
| # XXX dontaudit candidate but requires further study. |
| #line 41 |
| allow netd hostapd:process { siginh rlimitinh }; |
| #line 41 |
| |
| #line 41 |
| # Make the transition occur by default. |
| #line 41 |
| type_transition netd hostapd_exec:process hostapd; |
| #line 41 |
| |
| allow netd hostapd:process signal; |
| |
| # Allow netd to spawn dnsmasq in its own domain |
| |
| #line 45 |
| # Allow the necessary permissions. |
| #line 45 |
| |
| #line 45 |
| # Old domain may exec the file and transition to the new domain. |
| #line 45 |
| allow netd dnsmasq_exec:file { getattr open read execute }; |
| #line 45 |
| allow netd dnsmasq:process transition; |
| #line 45 |
| # New domain is entered by executing the file. |
| #line 45 |
| allow dnsmasq dnsmasq_exec:file { entrypoint read execute }; |
| #line 45 |
| # New domain can send SIGCHLD to its caller. |
| #line 45 |
| allow dnsmasq netd:process sigchld; |
| #line 45 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 45 |
| dontaudit netd dnsmasq:process noatsecure; |
| #line 45 |
| # XXX dontaudit candidate but requires further study. |
| #line 45 |
| allow netd dnsmasq:process { siginh rlimitinh }; |
| #line 45 |
| |
| #line 45 |
| # Make the transition occur by default. |
| #line 45 |
| type_transition netd dnsmasq_exec:process dnsmasq; |
| #line 45 |
| |
| allow netd dnsmasq:process signal; |
| |
| # Allow netd to start clatd in its own domain |
| |
| #line 49 |
| # Allow the necessary permissions. |
| #line 49 |
| |
| #line 49 |
| # Old domain may exec the file and transition to the new domain. |
| #line 49 |
| allow netd clatd_exec:file { getattr open read execute }; |
| #line 49 |
| allow netd clatd:process transition; |
| #line 49 |
| # New domain is entered by executing the file. |
| #line 49 |
| allow clatd clatd_exec:file { entrypoint read execute }; |
| #line 49 |
| # New domain can send SIGCHLD to its caller. |
| #line 49 |
| allow clatd netd:process sigchld; |
| #line 49 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 49 |
| dontaudit netd clatd:process noatsecure; |
| #line 49 |
| # XXX dontaudit candidate but requires further study. |
| #line 49 |
| allow netd clatd:process { siginh rlimitinh }; |
| #line 49 |
| |
| #line 49 |
| # Make the transition occur by default. |
| #line 49 |
| type_transition netd clatd_exec:process clatd; |
| #line 49 |
| |
| allow netd clatd:process signal; |
| |
| # Support netd running mdnsd |
| # TODO: prune this back further |
| # ctl_default_prop presumably covers the ctl.* service-control properties |
| # (confirm in property_contexts); setting them asks init to start/stop |
| # services, so this is broader than "start mdnsd". |
| allow netd ctl_default_prop:property_service set; |
| # Write to socket files carrying the generic "device" label. |
| allow netd device:sock_file write; |
| |
| ### |
| ### Neverallow rules |
| ### |
| ### netd should NEVER do any of this |
| ### (build-time assertions; compilation fails if any rule violates them) |
| |
| # Block device access. |
| neverallow netd dev_type:blk_file { read write }; |
| |
| # Setting SELinux enforcing status or booleans. |
| neverallow netd kernel:security { setenforce setbool }; |
| |
| # Load security policy. |
| neverallow netd kernel:security load_policy; |
| |
| # ptrace any other app |
| # ({ domain } is a one-element set, equivalent to the bare "domain" used in |
| # logd.te; also covers ptrace of self.) |
| neverallow netd { domain }:process ptrace; |
| |
| # Write to /system. |
| neverallow netd system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write; |
| |
| # Write to files in /data/data or system files on /data |
| neverallow netd { app_data_file system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write; |
| #line 1 "external/sepolicy/net.te" |
| # Network types |
| # node/netif/port are the generic (catch-all) labels for addresses, |
| # interfaces and ports that have no more specific type. |
| type node, node_type; |
| type netif, netif_type; |
| type port, port_type; |
| |
| # The rules below apply to every domain carrying the netdomain attribute |
| # (in this chunk: media_app, mediaserver, mtp, netd, platform_app). |
| # Use network sockets. |
| # ("*" is every permission of the tcp_socket and udp_socket classes.) |
| allow netdomain self:{ tcp_socket udp_socket } *; |
| # Connect to ports. |
| # (any port_type, i.e. no per-port restriction for netdomain members.) |
| allow netdomain port_type:tcp_socket name_connect; |
| # Bind to ports. |
| allow netdomain node_type:{ tcp_socket udp_socket } node_bind; |
| allow netdomain port_type:udp_socket name_bind; |
| allow netdomain port_type:tcp_socket name_bind; |
| # Get route information. |
| # (nlmsg_read only — no nlmsg_write, so routes cannot be changed here.) |
| allow netdomain self:netlink_route_socket { create bind read nlmsg_read }; |
| |
| # Talks to netd via dnsproxyd socket. |
| |
| #line 18 |
| allow netdomain dnsproxyd_socket:sock_file write; |
| #line 18 |
| allow netdomain netd:unix_stream_socket connectto; |
| #line 18 |
| |
| #line 1 "external/sepolicy/nfc.te" |
| # nfc subsystem |
| # An app domain (appdomain + binderservicedomain), not unconfineddomain. |
| type nfc, domain; |
| |
| #line 3 |
| typeattribute nfc appdomain; |
| #line 3 |
| # Label ashmem objects with our own unique type. |
| #line 3 |
| |
| #line 3 |
| type nfc_tmpfs, file_type; |
| #line 3 |
| type_transition nfc tmpfs:file nfc_tmpfs; |
| #line 3 |
| allow nfc nfc_tmpfs:file { read write }; |
| #line 3 |
| |
| #line 3 |
| # Map with PROT_EXEC. |
| #line 3 |
| allow nfc nfc_tmpfs:file execute; |
| #line 3 |
| |
| |
| #line 4 |
| typeattribute nfc binderservicedomain; |
| #line 4 |
| |
| |
| # NFC device access. |
| allow nfc nfc_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| |
| # Data file accesses. |
| allow nfc nfc_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow nfc nfc_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| |
| # sysfs_nfc_power_writable is the scoped label for the NFC power control; |
| # the second rule is write access to every file under the generic sysfs |
| # label and is the one worth narrowing. |
| allow nfc sysfs_nfc_power_writable:file { { getattr open read ioctl lock } { open append write } }; |
| allow nfc sysfs:file write; |
| |
| # Full create/read/write/delete on sdcard dirs and files. |
| allow nfc sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow nfc sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| #line 1 "external/sepolicy/platform_app.te" |
| ### |
| ### Apps signed with the platform key. |
| ### |
| |
| type platform_app, domain; |
| |
| #line 6 |
| typeattribute platform_app mlstrustedsubject; |
| #line 6 |
| typeattribute platform_app unconfineddomain; |
| #line 6 |
| |
| # NOTE(review): unconfineddomain attaches the broad rule set defined for |
| # that attribute (outside this file); the explicit rules below are the |
| # access intended to remain once it is dropped, not the effective limit. |
| |
| #line 7 |
| typeattribute platform_app appdomain; |
| #line 7 |
| # Label ashmem objects with our own unique type. |
| #line 7 |
| |
| #line 7 |
| type platform_app_tmpfs, file_type; |
| #line 7 |
| type_transition platform_app tmpfs:file platform_app_tmpfs; |
| #line 7 |
| allow platform_app platform_app_tmpfs:file { read write }; |
| #line 7 |
| |
| #line 7 |
| # Map with PROT_EXEC. |
| #line 7 |
| allow platform_app platform_app_tmpfs:file execute; |
| #line 7 |
| |
| |
| # (mlstrustedsubject is declared a second time here; redundant but harmless.) |
| #line 8 |
| typeattribute platform_app platformappdomain; |
| #line 8 |
| typeattribute platform_app mlstrustedsubject; |
| #line 8 |
| |
| # Access the network. |
| |
| #line 10 |
| typeattribute platform_app netdomain; |
| #line 10 |
| |
| # Access bluetooth. |
| |
| #line 12 |
| typeattribute platform_app bluetoothdomain; |
| #line 12 |
| |
| # Write to /cache. |
| allow platform_app cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; |
| allow platform_app cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| # Read from /data/local. |
| allow platform_app shell_data_file:dir search; |
| allow platform_app shell_data_file:file { open getattr read }; |
| allow platform_app shell_data_file:lnk_file read; |
| # Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files |
| # created by system server. |
| allow platform_app { apk_tmp_file apk_private_tmp_file }:file { { getattr open read ioctl lock } { open append write } }; |
| allow platform_app apk_private_data_file:dir search; |
| # ASEC |
| allow platform_app asec_apk_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow platform_app asec_apk_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| # Access download files. |
| allow platform_app download_file:file { { getattr open read ioctl lock } { open append write } }; |
| # Allow BackupManagerService to backup all app domains |
| # (write to FIFOs labelled with any app domain type.) |
| allow platform_app appdomain:fifo_file write; |
| |
| # |
| # Rules for all platform app domains. |
| # These apply to every domain with the platformappdomain attribute |
| # (platform_app here, media_app in media_app.te). |
| # |
| |
| # App sandbox file accesses. |
| allow platformappdomain platform_app_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow platformappdomain platform_app_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| # Platform apps may execute files they themselves wrote into their data dir. |
| allow platformappdomain platform_app_data_file:file execute; |
| # App sdcard file accesses |
| allow platformappdomain sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow platformappdomain sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| # Access to /data/media. |
| allow platformappdomain media_rw_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow platformappdomain media_rw_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| #line 1 "external/sepolicy/ppp.te" |
| # Point to Point Protocol daemon |
| # Not started by init: the parent domain is mtp (the VPN tunnelling |
| # daemon), see the transition rules below. |
| type ppp, domain; |
| |
| #line 3 |
| typeattribute ppp mlstrustedsubject; |
| #line 3 |
| typeattribute ppp unconfineddomain; |
| #line 3 |
| |
| # NOTE(review): unconfineddomain means the rules below document intended |
| # access rather than the effective limit until the attribute is removed. |
| type ppp_device, dev_type; |
| type ppp_exec, exec_type, file_type; |
| |
| #line 6 |
| # Allow the necessary permissions. |
| #line 6 |
| |
| #line 6 |
| # Old domain may exec the file and transition to the new domain. |
| #line 6 |
| allow mtp ppp_exec:file { getattr open read execute }; |
| #line 6 |
| allow mtp ppp:process transition; |
| #line 6 |
| # New domain is entered by executing the file. |
| #line 6 |
| allow ppp ppp_exec:file { entrypoint read execute }; |
| #line 6 |
| # New domain can send SIGCHLD to its caller. |
| #line 6 |
| allow ppp mtp:process sigchld; |
| #line 6 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 6 |
| dontaudit mtp ppp:process noatsecure; |
| #line 6 |
| # XXX dontaudit candidate but requires further study. |
| #line 6 |
| allow mtp ppp:process { siginh rlimitinh }; |
| #line 6 |
| |
| #line 6 |
| # Make the transition occur by default. |
| #line 6 |
| type_transition mtp ppp_exec:process ppp; |
| #line 6 |
| |
| |
| # Keep using generic sockets (and, further down, fds) inherited from mtp. |
| allow ppp mtp:socket { ioctl read getattr write setattr append bind connect getopt setopt shutdown }; |
| allow ppp ppp_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow ppp self:capability net_admin; |
| allow ppp self:udp_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } }; |
| # execute_no_trans: any system_file binary runs inside the ppp domain. |
| allow ppp system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; |
| # vpn_data_file dir: write/add/remove entries but no read/search listing. |
| allow ppp vpn_data_file:dir { open search write add_name remove_name }; |
| allow ppp vpn_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| allow ppp mtp:fd use; |
| #line 1 "external/sepolicy/property.te" |
| # Target types for the property service. A domain needs an explicit |
| # "allow <domain> <type>:property_service set" rule to set properties |
| # carrying that label (e.g. audio_prop for mediaserver, system_prop and |
| # ctl_default_prop for netd in this chunk). |
| type default_prop, property_type; |
| type shell_prop, property_type; |
| type debug_prop, property_type; |
| type debuggerd_prop, property_type; |
| type radio_prop, property_type; |
| type system_prop, property_type; |
| type vold_prop, property_type; |
| type rild_prop, property_type; |
| type ctl_default_prop, property_type; |
| type ctl_dumpstate_prop, property_type; |
| type ctl_rildaemon_prop, property_type; |
| type audio_prop, property_type; |
| type security_prop, property_type; |
| type bluetooth_prop, property_type; |
| type powerctl_prop, property_type; |
| #line 1 "external/sepolicy/qemud.te" |
| # qemu support daemon |
| # Only the init transition and tmpfs rules are explicit here; the rest of |
| # its access comes from the unconfineddomain attribute declared at the end |
| # of this file (defined outside this chunk). |
| type qemud, domain; |
| type qemud_exec, exec_type, file_type; |
| |
| |
| #line 5 |
| |
| #line 5 |
| # Allow the necessary permissions. |
| #line 5 |
| |
| #line 5 |
| # Old domain may exec the file and transition to the new domain. |
| #line 5 |
| allow init qemud_exec:file { getattr open read execute }; |
| #line 5 |
| allow init qemud:process transition; |
| #line 5 |
| # New domain is entered by executing the file. |
| #line 5 |
| allow qemud qemud_exec:file { entrypoint read execute }; |
| #line 5 |
| # New domain can send SIGCHLD to its caller. |
| #line 5 |
| allow qemud init:process sigchld; |
| #line 5 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 5 |
| dontaudit init qemud:process noatsecure; |
| #line 5 |
| # XXX dontaudit candidate but requires further study. |
| #line 5 |
| allow init qemud:process { siginh rlimitinh }; |
| #line 5 |
| |
| #line 5 |
| # Make the transition occur by default. |
| #line 5 |
| type_transition init qemud_exec:process qemud; |
| #line 5 |
| |
| #line 5 |
| |
| #line 5 |
| type qemud_tmpfs, file_type; |
| #line 5 |
| type_transition qemud tmpfs:file qemud_tmpfs; |
| #line 5 |
| allow qemud qemud_tmpfs:file { read write }; |
| #line 5 |
| |
| #line 5 |
| |
| |
| # mlstrustedsubject + unconfineddomain: see note at the top of this file. |
| #line 6 |
| typeattribute qemud mlstrustedsubject; |
| #line 6 |
| typeattribute qemud unconfineddomain; |
| #line 1 "external/sepolicy/racoon.te" |
| # IKE key management daemon |
| # Domain for racoon, the IKE daemon started by init. Note that it is |
| # both unconfineddomain (below) and given explicit rules; the explicit |
| # rules document intent but are not the full permission set. |
| type racoon, domain; |
| |
| #line 3 |
| typeattribute racoon mlstrustedsubject; |
| #line 3 |
| typeattribute racoon unconfineddomain; |
| #line 3 |
| |
| type racoon_exec, exec_type, file_type; |
| |
| |
| #line 6 |
| |
| #line 6 |
| # Allow the necessary permissions. |
| #line 6 |
| |
| #line 6 |
| # Old domain may exec the file and transition to the new domain. |
| #line 6 |
| allow init racoon_exec:file { getattr open read execute }; |
| #line 6 |
| allow init racoon:process transition; |
| #line 6 |
| # New domain is entered by executing the file. |
| #line 6 |
| allow racoon racoon_exec:file { entrypoint read execute }; |
| #line 6 |
| # New domain can send SIGCHLD to its caller. |
| #line 6 |
| allow racoon init:process sigchld; |
| #line 6 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 6 |
| dontaudit init racoon:process noatsecure; |
| #line 6 |
| # XXX dontaudit candidate but requires further study. |
| #line 6 |
| allow init racoon:process { siginh rlimitinh }; |
| #line 6 |
| |
| #line 6 |
| # Make the transition occur by default. |
| #line 6 |
| type_transition init racoon_exec:process racoon; |
| #line 6 |
| |
| #line 6 |
| |
| #line 6 |
| type racoon_tmpfs, file_type; |
| #line 6 |
| type_transition racoon tmpfs:file racoon_tmpfs; |
| #line 6 |
| allow racoon racoon_tmpfs:file { read write }; |
| #line 6 |
| |
| #line 6 |
| |
| # Duplicate of the mlstrustedsubject declaration near the top of this |
| # file; harmless, but one of the two could be dropped. |
| typeattribute racoon mlstrustedsubject; |
| |
| |
| #line 9 |
| # Call the server domain and optionally transfer references to it. |
| #line 9 |
| allow racoon servicemanager:binder { call transfer }; |
| #line 9 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 9 |
| allow servicemanager racoon:binder transfer; |
| #line 9 |
| # Receive and use open files from the server. |
| #line 9 |
| allow racoon servicemanager:fd use; |
| #line 9 |
| |
| |
| #line 10 |
| # Binder client of keystore: this is the path by which racoon obtains |
| # VPN credentials, so the keystore side of the policy decides what it |
| # can actually retrieve. |
| # Call the server domain and optionally transfer references to it. |
| #line 10 |
| allow racoon keystore:binder { call transfer }; |
| #line 10 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 10 |
| allow keystore racoon:binder transfer; |
| #line 10 |
| # Receive and use open files from the server. |
| #line 10 |
| allow racoon keystore:fd use; |
| #line 10 |
| |
| |
| # Tunnel device (read-only file perms), cgroup placement, module |
| # autoloading and UDP binding to arbitrary port/node types. |
| allow racoon tun_device:chr_file { getattr open read ioctl lock }; |
| allow racoon cgroup:dir { add_name create }; |
| allow racoon kernel:system module_request; |
| allow racoon port:udp_socket name_bind; |
| allow racoon node:udp_socket node_bind; |
| |
| # key_socket is the PF_KEY interface used to program IPsec SAs. |
| allow racoon self:{ key_socket udp_socket } { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } }; |
| allow racoon self:tun_socket create; |
| # setuid is among the capabilities: racoon is expected to drop |
| # privileges itself after setup (not verifiable from the policy). |
| allow racoon self:capability { net_admin net_bind_service net_raw setuid }; |
| |
| # XXX: should we give ip-up-vpn its own label (currently racoon domain) |
| # Consequence of the XXX above: execute_no_trans on system_file means the |
| # helper script runs with racoon's full (unconfined) permissions. |
| allow racoon system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; |
| allow racoon vpn_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| allow racoon vpn_data_file:dir { open search write add_name remove_name }; |
| #line 1 "external/sepolicy/radio.te" |
| # phone subsystem |
| # Domain for the phone app process. Unlike most daemons in this policy |
| # it is an appdomain rather than unconfineddomain, so the rules here |
| # plus the appdomain/netdomain/bluetoothdomain/binderservicedomain |
| # attributes (defined elsewhere) are its whole permission set. |
| type radio, domain; |
| |
| #line 3 |
| typeattribute radio appdomain; |
| #line 3 |
| # Label ashmem objects with our own unique type. |
| #line 3 |
| |
| #line 3 |
| type radio_tmpfs, file_type; |
| #line 3 |
| type_transition radio tmpfs:file radio_tmpfs; |
| #line 3 |
| allow radio radio_tmpfs:file { read write }; |
| #line 3 |
| |
| #line 3 |
| # Map with PROT_EXEC. |
| #line 3 |
| allow radio radio_tmpfs:file execute; |
| #line 3 |
| |
| |
| #line 4 |
| typeattribute radio netdomain; |
| #line 4 |
| |
| |
| #line 5 |
| typeattribute radio bluetoothdomain; |
| #line 5 |
| |
| |
| #line 6 |
| typeattribute radio binderservicedomain; |
| #line 6 |
| |
| |
| # Talks to init via the property socket. |
| |
| #line 9 |
| allow radio property_socket:sock_file write; |
| #line 9 |
| allow radio init:unix_stream_socket connectto; |
| #line 9 |
| |
| |
| # Talks to rild via the rild socket. |
| |
| #line 12 |
| allow radio rild_socket:sock_file write; |
| #line 12 |
| allow radio rild:unix_stream_socket connectto; |
| #line 12 |
| |
| |
| # Data file accesses. |
| allow radio radio_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow radio radio_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| |
| allow radio alarm_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| |
| # Property service |
| allow radio radio_prop:property_service set; |
| |
| # ctl interface |
| # Setting ctl_rildaemon_prop presumably lets the phone process ask init |
| # to restart the ril daemon; this is a service-control capability, not a |
| # plain property write. |
| allow radio ctl_rildaemon_prop:property_service set; |
| #line 1 "external/sepolicy/recovery.te" |
| # recovery console (used in recovery init.rc for /sbin/recovery) |
| # Domain for the recovery binary. It is entered from rootfs (no |
| # separate exec type) and is unconfined; the explicit rules below mainly |
| # cover operations that unconfineddomain may not include (relabeling, |
| # filesystem-level access, capability2). |
| type recovery, domain; |
| allow recovery rootfs:file entrypoint; |
| |
| #line 4 |
| typeattribute recovery mlstrustedsubject; |
| #line 4 |
| typeattribute recovery unconfineddomain; |
| #line 4 |
| |
| |
| #line 5 |
| typeattribute recovery relabeltodomain; |
| #line 5 |
| |
| |
| # mac_admin permits setting security contexts the loaded policy does |
| # not know about (needed when recovery labels a newer system image). |
| allow recovery self:capability2 mac_admin; |
| |
| # May relabel to any fs/dev/file type except kmem_device, on every |
| # directory, device-node and regular-file class. |
| allow recovery {fs_type dev_type -kmem_device file_type}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto; |
| allow recovery unlabeled:filesystem mount; |
| # "*" grants every permission of the filesystem class (mount, remount, |
| # unmount, relabel, ...) on every fs_type; intentional for recovery but |
| # it is a wildcard and should stay confined to this domain. |
| allow recovery fs_type:filesystem *; |
| |
| # Required to e.g. wipe userdata/cache. |
| allow recovery dev_type:blk_file { { getattr open read ioctl lock } { open append write } }; |
| |
| allow recovery self:process execmem; |
| allow recovery ashmem_device:chr_file execute; |
| allow recovery tmpfs:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; |
| |
| ## TODO: Investigate whether it is safe to remove these |
| # auditallow logs every *granted* use of these capabilities, so the TODO |
| # can be answered from audit logs collected on real recovery runs. |
| allow recovery self:capability { sys_rawio mknod }; |
| auditallow recovery self:capability { sys_rawio mknod }; |
| #line 1 "external/sepolicy/release_app.te" |
| ### |
| ### Apps signed with the release key (testkey in AOSP). |
| ### |
| # NOTE(review): this app domain is unconfineddomain in addition to |
| # appdomain/platformappdomain, so on an AOSP build signed with testkey |
| # every app carrying that key is effectively unconfined. |
| |
| type release_app, domain; |
| |
| #line 6 |
| typeattribute release_app mlstrustedsubject; |
| #line 6 |
| typeattribute release_app unconfineddomain; |
| #line 6 |
| |
| |
| #line 7 |
| typeattribute release_app appdomain; |
| #line 7 |
| # Label ashmem objects with our own unique type. |
| #line 7 |
| |
| #line 7 |
| type release_app_tmpfs, file_type; |
| #line 7 |
| type_transition release_app tmpfs:file release_app_tmpfs; |
| #line 7 |
| allow release_app release_app_tmpfs:file { read write }; |
| #line 7 |
| |
| #line 7 |
| # Map with PROT_EXEC. |
| #line 7 |
| allow release_app release_app_tmpfs:file execute; |
| #line 7 |
| |
| |
| #line 8 |
| typeattribute release_app platformappdomain; |
| #line 8 |
| # Duplicate of the mlstrustedsubject declaration above (expanded from |
| # two different macros); harmless. |
| typeattribute release_app mlstrustedsubject; |
| #line 8 |
| |
| # Access the network. |
| |
| #line 10 |
| typeattribute release_app netdomain; |
| #line 10 |
| |
| # Access bluetooth. |
| |
| #line 12 |
| typeattribute release_app bluetoothdomain; |
| #line 12 |
| |
| |
| # Write to /cache. |
| allow release_app cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; |
| allow release_app cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| #line 1 "external/sepolicy/rild.te" |
| # rild - radio interface layer daemon |
| # Domain for the vendor RIL daemon. It is unconfineddomain, so the long |
| # explicit rule list below documents expected behaviour rather than |
| # bounding it; the vendor RIL library runs inside this domain too. |
| type rild, domain; |
| |
| #line 3 |
| typeattribute rild mlstrustedsubject; |
| #line 3 |
| typeattribute rild unconfineddomain; |
| #line 3 |
| |
| type rild_exec, exec_type, file_type; |
| |
| |
| #line 6 |
| |
| #line 6 |
| # Allow the necessary permissions. |
| #line 6 |
| |
| #line 6 |
| # Old domain may exec the file and transition to the new domain. |
| #line 6 |
| allow init rild_exec:file { getattr open read execute }; |
| #line 6 |
| allow init rild:process transition; |
| #line 6 |
| # New domain is entered by executing the file. |
| #line 6 |
| allow rild rild_exec:file { entrypoint read execute }; |
| #line 6 |
| # New domain can send SIGCHLD to its caller. |
| #line 6 |
| allow rild init:process sigchld; |
| #line 6 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 6 |
| dontaudit init rild:process noatsecure; |
| #line 6 |
| # XXX dontaudit candidate but requires further study. |
| #line 6 |
| allow init rild:process { siginh rlimitinh }; |
| #line 6 |
| |
| #line 6 |
| # Make the transition occur by default. |
| #line 6 |
| type_transition init rild_exec:process rild; |
| #line 6 |
| |
| #line 6 |
| |
| #line 6 |
| type rild_tmpfs, file_type; |
| #line 6 |
| type_transition rild tmpfs:file rild_tmpfs; |
| #line 6 |
| allow rild rild_tmpfs:file { read write }; |
| #line 6 |
| |
| #line 6 |
| |
| |
| #line 7 |
| typeattribute rild netdomain; |
| #line 7 |
| |
| allow rild self:netlink_route_socket { setopt write }; |
| allow rild kernel:system module_request; |
| |
| #line 10 |
| allow rild property_socket:sock_file write; |
| #line 10 |
| allow rild init:unix_stream_socket connectto; |
| #line 10 |
| |
| |
| #line 11 |
| allow rild qemud_socket:sock_file write; |
| #line 11 |
| allow rild qemud:unix_stream_socket connectto; |
| #line 11 |
| |
| allow rild self:capability { setuid net_admin net_raw }; |
| allow rild alarm_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow rild cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow rild radio_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow rild radio_device:blk_file { getattr open read ioctl lock }; |
| allow rild qemu_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow rild mtd_device:dir search; |
| # Full create/write access to efs_file (the EFS partition, which on many |
| # devices holds radio identity data such as the IMEI) — a high-value |
| # target if rild is compromised; consider read-only where the vendor RIL |
| # allows it. |
| allow rild efs_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow rild efs_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| # execute_no_trans: a shell launched by rild stays in the rild domain |
| # with all of its permissions rather than transitioning to shell. |
| allow rild shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; |
| allow rild bluetooth_efs_file:file { getattr open read ioctl lock }; |
| allow rild bluetooth_efs_file:dir { open getattr read search ioctl }; |
| allow rild radio_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; |
| allow rild radio_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| allow rild sdcard_type:dir { open getattr read search ioctl }; |
| # Read/write on the generic system_data_file type (not a rild-specific |
| # type); a dedicated type would narrow this. |
| allow rild system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow rild system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| allow rild system_file:file { getattr execute execute_no_trans }; |
| # sys_admin is silenced, not granted: the denial still happens, it is |
| # just not logged. |
| dontaudit rild self:capability sys_admin; |
| |
| # property service |
| allow rild rild_prop:property_service set; |
| allow rild radio_prop:property_service set; |
| |
| # Read/Write to uart driver (for GPS) |
| allow rild gps_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| |
| allow rild tty_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| |
| # Allow rild to create, bind, read, write to itself through a netlink socket |
| allow rild self:netlink_socket { create bind read write }; |
| |
| allow rild self:netlink_kobject_uevent_socket { bind create getopt read setopt }; |
| |
| # Access to wake locks |
| allow rild sysfs_wake_lock:file { { getattr open read ioctl lock } { open append write } }; |
| |
| # Generic "socket" class: covers socket families that have no dedicated |
| # SELinux class (e.g. vendor-specific PF_* families). |
| allow rild self:socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } }; |
| #line 1 "external/sepolicy/runas.te" |
| type runas, domain, mlstrustedsubject; |
| type runas_exec, exec_type, file_type; |
| |
| # ndk-gdb invokes adb shell run-as. |
| |
| #line 5 |
| # Allow the necessary permissions. |
| #line 5 |
| |
| #line 5 |
| # Old domain may exec the file and transition to the new domain. |
| #line 5 |
| allow shell runas_exec:file { getattr open read execute }; |
| #line 5 |
| allow shell runas:process transition; |
| #line 5 |
| # New domain is entered by executing the file. |
| #line 5 |
| allow runas runas_exec:file { entrypoint read execute }; |
| #line 5 |
| # New domain can send SIGCHLD to its caller. |
| #line 5 |
| allow runas shell:process sigchld; |
| #line 5 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 5 |
| dontaudit shell runas:process noatsecure; |
| #line 5 |
| # XXX dontaudit candidate but requires further study. |
| #line 5 |
| allow shell runas:process { siginh rlimitinh }; |
| #line 5 |
| |
| #line 5 |
| # Make the transition occur by default. |
| #line 5 |
| type_transition shell runas_exec:process runas; |
| #line 5 |
| |
| allow runas adbd:process sigchld; |
| allow runas shell:fd use; |
| allow runas devpts:chr_file { read write ioctl }; |
| |
| # run-as reads package information. |
| allow runas system_data_file:file { getattr open read ioctl lock }; |
| |
| # run-as checks and changes to the app data dir. |
| dontaudit runas self:capability dac_override; |
| allow runas app_data_file:dir { getattr search }; |
| |
| # run-as switches to the app UID/GID. |
| allow runas self:capability { setuid setgid }; |
| |
| # run-as switches to the app security context. |
| # read /seapp_contexts and /data/security/seapp_contexts |
| |
| #line 22 |
| allow runas security_file:dir { open getattr read search ioctl }; |
| #line 22 |
| allow runas security_file:file { getattr open read ioctl lock }; |
| #line 22 |
| allow runas security_file:lnk_file { getattr open read ioctl lock }; |
| #line 22 |
| allow runas selinuxfs:dir { open getattr read search ioctl }; |
| #line 22 |
| allow runas selinuxfs:file { getattr open read ioctl lock }; |
| #line 22 |
| allow runas rootfs:dir { open getattr read search ioctl }; |
| #line 22 |
| allow runas rootfs:file { getattr open read ioctl lock }; |
| #line 22 |
| |
| |
| #line 23 |
| allow runas selinuxfs:dir { open getattr read search ioctl }; |
| #line 23 |
| allow runas selinuxfs:file { { getattr open read ioctl lock } { open append write } }; |
| #line 23 |
| allow runas kernel:security check_context; |
| #line 23 |
| # validate context |
| allow runas { appdomain -system_app }:process dyntransition; # setcon |
| #line 1 "external/sepolicy/sdcardd.te" |
| # Domain for the sdcard FUSE daemon (emulated external storage). It is |
| # a confined domain: no unconfineddomain attribute is applied here. |
| type sdcardd, domain; |
| type sdcardd_exec, exec_type, file_type; |
| |
| |
| #line 4 |
| |
| #line 4 |
| # Allow the necessary permissions. |
| #line 4 |
| |
| #line 4 |
| # Old domain may exec the file and transition to the new domain. |
| #line 4 |
| allow init sdcardd_exec:file { getattr open read execute }; |
| #line 4 |
| allow init sdcardd:process transition; |
| #line 4 |
| # New domain is entered by executing the file. |
| #line 4 |
| allow sdcardd sdcardd_exec:file { entrypoint read execute }; |
| #line 4 |
| # New domain can send SIGCHLD to its caller. |
| #line 4 |
| allow sdcardd init:process sigchld; |
| #line 4 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 4 |
| dontaudit init sdcardd:process noatsecure; |
| #line 4 |
| # XXX dontaudit candidate but requires further study. |
| #line 4 |
| allow init sdcardd:process { siginh rlimitinh }; |
| #line 4 |
| |
| #line 4 |
| # Make the transition occur by default. |
| #line 4 |
| type_transition init sdcardd_exec:process sdcardd; |
| #line 4 |
| |
| #line 4 |
| |
| #line 4 |
| type sdcardd_tmpfs, file_type; |
| #line 4 |
| type_transition sdcardd tmpfs:file sdcardd_tmpfs; |
| #line 4 |
| allow sdcardd sdcardd_tmpfs:file { read write }; |
| #line 4 |
| |
| #line 4 |
| |
| |
| allow sdcardd cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow sdcardd fuse_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| # mounton rootfs + mount of sdcard_type: sys_admin below is what the |
| # mount(2) call needs; dac_override lets the daemon serve files owned |
| # by arbitrary app UIDs. |
| allow sdcardd rootfs:dir mounton; |
| allow sdcardd sdcard_type:filesystem mount; |
| allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource }; |
| |
| allow sdcardd sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow sdcardd sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| |
| # Files/dirs sdcardd creates under system_data_file get the dedicated |
| # media_rw_data_file type rather than inheriting system_data_file. |
| type_transition sdcardd system_data_file:{ dir file } media_rw_data_file; |
| allow sdcardd media_rw_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow sdcardd media_rw_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| |
| # Read /data/system/packages.list. |
| allow sdcardd system_data_file:file { getattr open read ioctl lock }; |
| |
| # Compatibility for existing devices with /data/media in system_data_file. |
| # TODO: Remove these lines after we have guaranteed that /data/media has been relabeled to media_rw_data_file. |
| # NOTE(review): until removed, these two rules give sdcardd full write |
| # access to everything labeled system_data_file, not just /data/media. |
| allow sdcardd system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow sdcardd system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| #line 1 "external/sepolicy/servicemanager.te" |
| # servicemanager - the Binder context manager |
| # Confined domain (no unconfineddomain attribute). Beyond the standard |
| # init-started daemon expansion, its only rules are the two Binder rules |
| # at the bottom of this file. |
| type servicemanager, domain; |
| type servicemanager_exec, exec_type, file_type; |
| |
| |
| #line 5 |
| |
| #line 5 |
| # Allow the necessary permissions. |
| #line 5 |
| |
| #line 5 |
| # Old domain may exec the file and transition to the new domain. |
| #line 5 |
| allow init servicemanager_exec:file { getattr open read execute }; |
| #line 5 |
| allow init servicemanager:process transition; |
| #line 5 |
| # New domain is entered by executing the file. |
| #line 5 |
| allow servicemanager servicemanager_exec:file { entrypoint read execute }; |
| #line 5 |
| # New domain can send SIGCHLD to its caller. |
| #line 5 |
| allow servicemanager init:process sigchld; |
| #line 5 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 5 |
| dontaudit init servicemanager:process noatsecure; |
| #line 5 |
| # XXX dontaudit candidate but requires further study. |
| #line 5 |
| allow init servicemanager:process { siginh rlimitinh }; |
| #line 5 |
| |
| #line 5 |
| # Make the transition occur by default. |
| #line 5 |
| type_transition init servicemanager_exec:process servicemanager; |
| #line 5 |
| |
| #line 5 |
| |
| #line 5 |
| type servicemanager_tmpfs, file_type; |
| #line 5 |
| type_transition servicemanager tmpfs:file servicemanager_tmpfs; |
| #line 5 |
| allow servicemanager servicemanager_tmpfs:file { read write }; |
| #line 5 |
| |
| #line 5 |
| |
| |
| # Note that we do not use the binder_* macros here. |
| # servicemanager is unique in that it only provides |
| # name service (aka context manager) for Binder. |
| # As such, it only ever receives and transfers other references |
| # created by other domains. It never passes its own references |
| # or initiates a Binder IPC. |
| # set_context_mgr is the one permission that must stay unique to this |
| # domain: whoever holds it can become the Binder name service. |
| allow servicemanager self:binder set_context_mgr; |
| # transfer to every domain: which clients may *call* servicemanager is |
| # decided by the per-client `allow X servicemanager:binder { call transfer }` |
| # rules in each client's .te file, not here. |
| allow servicemanager domain:binder transfer; |
| #line 1 "external/sepolicy/shared_app.te" |
| ### |
| ### Apps signed with the shared key. |
| ### |
| # NOTE(review): like release_app, this app domain is unconfineddomain |
| # on top of appdomain/platformappdomain, so apps with the shared key |
| # are effectively unconfined. |
| |
| type shared_app, domain; |
| |
| #line 6 |
| typeattribute shared_app mlstrustedsubject; |
| #line 6 |
| typeattribute shared_app unconfineddomain; |
| #line 6 |
| |
| |
| #line 7 |
| typeattribute shared_app appdomain; |
| #line 7 |
| # Label ashmem objects with our own unique type. |
| #line 7 |
| |
| #line 7 |
| type shared_app_tmpfs, file_type; |
| #line 7 |
| type_transition shared_app tmpfs:file shared_app_tmpfs; |
| #line 7 |
| allow shared_app shared_app_tmpfs:file { read write }; |
| #line 7 |
| |
| #line 7 |
| # Map with PROT_EXEC. |
| #line 7 |
| allow shared_app shared_app_tmpfs:file execute; |
| #line 7 |
| |
| |
| #line 8 |
| typeattribute shared_app platformappdomain; |
| #line 8 |
| # Duplicate of the mlstrustedsubject declaration above; harmless. |
| typeattribute shared_app mlstrustedsubject; |
| #line 8 |
| |
| # Access the network. |
| |
| #line 10 |
| typeattribute shared_app netdomain; |
| #line 10 |
| |
| # Access bluetooth. |
| |
| #line 12 |
| typeattribute shared_app bluetoothdomain; |
| #line 12 |
| |
| #line 1 "external/sepolicy/shelldomain.te" |
| # Rules for all shell domains (e.g. console service and adb shell). |
| # These rules are keyed on the shelldomain attribute, so every type that |
| # carries it (shell below, and any other domain declared with the |
| # attribute elsewhere) receives all of them. |
| |
| # Access /data/local/tmp. |
| allow shelldomain shell_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow shelldomain shell_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| # Shell may execute what it wrote to /data/local/tmp (execute_no_trans: |
| # the binary keeps the shell domain). |
| allow shelldomain shell_data_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; |
| |
| # Access sdcard. |
| allow shelldomain sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow shelldomain sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| |
| # adb bugreport |
| |
| #line 13 |
| allow shelldomain dumpstate_socket:sock_file write; |
| #line 13 |
| allow shelldomain dumpstate:unix_stream_socket connectto; |
| #line 13 |
| |
| |
| allow shelldomain rootfs:dir { open getattr read search ioctl }; |
| allow shelldomain devpts:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow shelldomain tty_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow shelldomain console_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| # Read/write on input_device nodes (presumably /dev/input/*, used by |
| # tools such as sendevent/getevent); write access here means the shell |
| # can inject input events, which is a deliberate debugging affordance. |
| allow shelldomain input_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow shelldomain system_file:file { getattr execute execute_no_trans }; |
| allow shelldomain shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; |
| allow shelldomain zygote_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; |
| |
| |
| #line 24 |
| allow shelldomain apk_data_file:dir { open getattr read search ioctl }; |
| #line 24 |
| allow shelldomain apk_data_file:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 24 |
| |
| |
| # Set properties. |
| |
| #line 27 |
| allow shelldomain property_socket:sock_file write; |
| #line 27 |
| allow shelldomain init:unix_stream_socket connectto; |
| #line 27 |
| |
| allow shelldomain shell_prop:property_service set; |
| allow shelldomain ctl_dumpstate_prop:property_service set; |
| allow shelldomain debug_prop:property_service set; |
| # powerctl_prop: lets the shell request reboot/shutdown via init. |
| allow shelldomain powerctl_prop:property_service set; |
| |
| # ndk-gdb invokes adb shell ps to find the app PID. |
| |
| #line 34 |
| allow shelldomain { appdomain -system_app }:dir { open getattr read search ioctl }; |
| #line 34 |
| allow shelldomain { appdomain -system_app }:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 34 |
| |
| |
| # ndk-gdb invokes adb shell ls to check the app data dir. |
| allow shelldomain app_data_file:dir search; |
| |
| # ps and ps -Z output for app processes. |
| # NOTE(review): these rules cover all of appdomain (including |
| # system_app), so the "-system_app" exclusion in the ndk-gdb rules above |
| # is effectively cancelled for the dir/file/lnk_file classes. |
| |
| #line 40 |
| allow shelldomain appdomain:dir { open getattr read search ioctl }; |
| #line 40 |
| allow shelldomain appdomain:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 40 |
| |
| allow shelldomain appdomain:process getattr; |
| #line 1 "external/sepolicy/shell.te" |
| # Domain for shell processes spawned by ADB |
| # shell carries the shelldomain attribute, so the rules in |
| # shelldomain.te apply to it; this file adds only network access and, |
| # via appdomain, whatever the app rules grant. |
| type shell, domain, shelldomain, mlstrustedsubject; |
| type shell_exec, exec_type, file_type; |
| |
| # Create and use network sockets. |
| |
| #line 6 |
| typeattribute shell netdomain; |
| #line 6 |
| |
| |
| # Run app_process. |
| # XXX Transition into its own domain? |
| # NOTE(review): because shell is an appdomain, every rule written for |
| # appdomain elsewhere in the policy (e.g. the surfaceflinger and |
| # system_app rules that target appdomain) also applies to adb shell. |
| |
| #line 10 |
| typeattribute shell appdomain; |
| #line 10 |
| # Label ashmem objects with our own unique type. |
| #line 10 |
| |
| #line 10 |
| type shell_tmpfs, file_type; |
| #line 10 |
| type_transition shell tmpfs:file shell_tmpfs; |
| #line 10 |
| allow shell shell_tmpfs:file { read write }; |
| #line 10 |
| |
| #line 10 |
| # Map with PROT_EXEC. |
| #line 10 |
| allow shell shell_tmpfs:file execute; |
| #line 10 |
| |
| |
| # inherits from shelldomain.te |
| #line 1 "external/sepolicy/surfaceflinger.te" |
| # surfaceflinger - display compositor service |
| # Domain for the compositor. It is unconfineddomain, so the explicit |
| # rules below (GPU/framebuffer devices, Binder peers, properties) |
| # document intent rather than bound the domain. |
| type surfaceflinger, domain; |
| |
| #line 3 |
| typeattribute surfaceflinger mlstrustedsubject; |
| #line 3 |
| typeattribute surfaceflinger unconfineddomain; |
| #line 3 |
| |
| type surfaceflinger_exec, exec_type, file_type; |
| |
| |
| #line 6 |
| |
| #line 6 |
| # Allow the necessary permissions. |
| #line 6 |
| |
| #line 6 |
| # Old domain may exec the file and transition to the new domain. |
| #line 6 |
| allow init surfaceflinger_exec:file { getattr open read execute }; |
| #line 6 |
| allow init surfaceflinger:process transition; |
| #line 6 |
| # New domain is entered by executing the file. |
| #line 6 |
| allow surfaceflinger surfaceflinger_exec:file { entrypoint read execute }; |
| #line 6 |
| # New domain can send SIGCHLD to its caller. |
| #line 6 |
| allow surfaceflinger init:process sigchld; |
| #line 6 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 6 |
| dontaudit init surfaceflinger:process noatsecure; |
| #line 6 |
| # XXX dontaudit candidate but requires further study. |
| #line 6 |
| allow init surfaceflinger:process { siginh rlimitinh }; |
| #line 6 |
| |
| #line 6 |
| # Make the transition occur by default. |
| #line 6 |
| type_transition init surfaceflinger_exec:process surfaceflinger; |
| #line 6 |
| |
| #line 6 |
| |
| #line 6 |
| type surfaceflinger_tmpfs, file_type; |
| #line 6 |
| type_transition surfaceflinger tmpfs:file surfaceflinger_tmpfs; |
| #line 6 |
| allow surfaceflinger surfaceflinger_tmpfs:file { read write }; |
| #line 6 |
| |
| #line 6 |
| |
| # Duplicate of the mlstrustedsubject declaration near the top of this |
| # file; harmless. |
| typeattribute surfaceflinger mlstrustedsubject; |
| |
| # Talk to init over the property socket. |
| |
| #line 10 |
| allow surfaceflinger property_socket:sock_file write; |
| #line 10 |
| allow surfaceflinger init:unix_stream_socket connectto; |
| #line 10 |
| |
| |
| # Perform Binder IPC. |
| |
| #line 13 |
| # Call the servicemanager and transfer references to it. |
| #line 13 |
| allow surfaceflinger servicemanager:binder { call transfer }; |
| #line 13 |
| # rw access to /dev/binder and /dev/ashmem is presently granted to |
| #line 13 |
| # all domains in domain.te. |
| #line 13 |
| |
| |
| #line 14 |
| # Call the server domain and optionally transfer references to it. |
| #line 14 |
| allow surfaceflinger system_server:binder { call transfer }; |
| #line 14 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 14 |
| allow system_server surfaceflinger:binder transfer; |
| #line 14 |
| # Receive and use open files from the server. |
| #line 14 |
| allow surfaceflinger system_server:fd use; |
| #line 14 |
| |
| |
| #line 15 |
| # Call the server domain and optionally transfer references to it. |
| #line 15 |
| allow surfaceflinger nfc:binder { call transfer }; |
| #line 15 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 15 |
| allow nfc surfaceflinger:binder transfer; |
| #line 15 |
| # Receive and use open files from the server. |
| #line 15 |
| allow surfaceflinger nfc:fd use; |
| #line 15 |
| |
| |
| #line 16 |
| # Call the server domain and optionally transfer references to it. |
| #line 16 |
| allow surfaceflinger mediaserver:binder { call transfer }; |
| #line 16 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 16 |
| allow mediaserver surfaceflinger:binder transfer; |
| #line 16 |
| # Receive and use open files from the server. |
| #line 16 |
| allow surfaceflinger mediaserver:fd use; |
| #line 16 |
| |
| |
| #line 17 |
| typeattribute surfaceflinger binderservicedomain; |
| #line 17 |
| |
| |
| # Access the GPU. |
| allow surfaceflinger gpu_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| |
| # Access /dev/graphics/fb0. |
| allow surfaceflinger graphics_device:dir search; |
| allow surfaceflinger graphics_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| |
| # Access /dev/video1. |
| allow surfaceflinger video_device:dir { open getattr read search ioctl }; |
| allow surfaceflinger video_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| |
| # Create and use netlink kobject uevent sockets. |
| # "*" is a wildcard over the whole class; an explicit permission set |
| # (as rild.te uses for the same class) would be tighter. |
| allow surfaceflinger self:netlink_kobject_uevent_socket *; |
| |
| # Set properties. |
| allow surfaceflinger system_prop:property_service set; |
| allow surfaceflinger ctl_default_prop:property_service set; |
| |
| # Use open files supplied by an app. |
| # The file rules below carry no open permission, so they only apply to |
| # descriptors an app has already opened and passed over Binder. |
| allow surfaceflinger appdomain:fd use; |
| allow surfaceflinger platform_app_data_file:file { read write }; |
| allow surfaceflinger app_data_file:file { read write }; |
| |
| # Use open file provided by bootanim. |
| allow surfaceflinger bootanim:fd use; |
| |
| # Allow a dumpstate triggered screenshot |
| |
| #line 46 |
| # Call the server domain and optionally transfer references to it. |
| #line 46 |
| allow surfaceflinger dumpstate:binder { call transfer }; |
| #line 46 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 46 |
| allow dumpstate surfaceflinger:binder transfer; |
| #line 46 |
| # Receive and use open files from the server. |
| #line 46 |
| allow surfaceflinger dumpstate:fd use; |
| #line 46 |
| |
| |
| #line 47 |
| # Same client/server pairing with the adb shell domain (presumably for |
| # the screencap tool); shell-provided descriptors are therefore usable |
| # inside this unconfined domain. |
| # Call the server domain and optionally transfer references to it. |
| #line 47 |
| allow surfaceflinger shell:binder { call transfer }; |
| #line 47 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 47 |
| allow shell surfaceflinger:binder transfer; |
| #line 47 |
| # Receive and use open files from the server. |
| #line 47 |
| allow surfaceflinger shell:fd use; |
| #line 47 |
| |
| |
| # Needed on some devices for playing DRM protected content, |
| # but seems expected and appropriate for all devices. |
| allow surfaceflinger tee:unix_stream_socket connectto; |
| allow surfaceflinger tee_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| #line 1 "external/sepolicy/su.te" |
| # File types must be defined for file_contexts. |
| # Only the exec file type survives in this expansion; the "#line 23" |
| # marker below shows that su.te lines 2-22 (presumably the su domain |
| # itself, behind a build-variant conditional) were left out of this |
| # build. That is the expected state for a user build. |
| type su_exec, exec_type, file_type; |
| |
| #line 23 |
| |
| #line 1 "external/sepolicy/system_app.te" |
| # |
| # Apps that run with the system UID, e.g. com.android.system.ui, |
| # com.android.settings. These are not as privileged as the system |
| # server. |
| # |
| # NOTE(review): system_app is also given the unconfineddomain attribute |
| # below, so the broad rules of the unconfined template (unconfined.te) |
| # apply on top of everything in this file; several rules here are |
| # already implied by that template and only matter once it is removed. |
| type system_app, domain; |
| |
| #line 7 |
| # Macro expansion: MLS-trusted subject plus the unconfined template. |
| typeattribute system_app mlstrustedsubject; |
| #line 7 |
| typeattribute system_app unconfineddomain; |
| #line 7 |
| |
| |
| #line 8 |
| # Macro expansion: make this an app domain and give it a private |
| # tmpfs/ashmem type so its shared memory is not labeled as generic tmpfs. |
| typeattribute system_app appdomain; |
| #line 8 |
| # Label ashmem objects with our own unique type. |
| #line 8 |
| |
| #line 8 |
| type system_app_tmpfs, file_type; |
| #line 8 |
| type_transition system_app tmpfs:file system_app_tmpfs; |
| #line 8 |
| allow system_app system_app_tmpfs:file { read write }; |
| #line 8 |
| |
| #line 8 |
| # Map with PROT_EXEC. |
| #line 8 |
| # Together with read/write above this permits writable+executable |
| # ashmem mappings in this domain. |
| allow system_app system_app_tmpfs:file execute; |
| #line 8 |
| |
| |
| #line 9 |
| # Marks system_app as a domain that serves binder calls. |
| typeattribute system_app binderservicedomain; |
| #line 9 |
| |
| |
| # Perform binder IPC to any app domain. |
| |
| #line 12 |
| # Call the server domain and optionally transfer references to it. |
| #line 12 |
| allow system_app appdomain:binder { call transfer }; |
| #line 12 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 12 |
| allow appdomain system_app:binder transfer; |
| #line 12 |
| # Receive and use open files from the server. |
| #line 12 |
| allow system_app appdomain:fd use; |
| #line 12 |
| |
| |
| # Read and write system data files. |
| # May want to split into separate types. |
| # The nested brace groups are expanded permission macros; checkpolicy |
| # unions them into one set (full create/delete/rename on dirs and files). |
| allow system_app system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow system_app system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| |
| # Read wallpaper file. |
| allow system_app wallpaper_file:file { getattr open read ioctl lock }; |
| |
| # Write to dalvikcache. |
| # write/setattr on existing files only; no create or unlink here. |
| allow system_app dalvikcache_data_file:file { write setattr }; |
| |
| # Talk to keystore. |
| |
| #line 26 |
| # Unix stream connect needs both: write on the socket node in the |
| # filesystem and connectto on the daemon's listening socket. |
| allow system_app keystore_socket:sock_file write; |
| #line 26 |
| allow system_app keystore:unix_stream_socket connectto; |
| #line 26 |
| |
| |
| # Read SELinux enforcing status. |
| |
| #line 29 |
| # Read-only access to selinuxfs (contrast with the rw rule in |
| # system_server.te). |
| allow system_app selinuxfs:dir { open getattr read search ioctl }; |
| #line 29 |
| allow system_app selinuxfs:file { getattr open read ioctl lock }; |
| #line 29 |
| |
| |
| # Settings app reads sdcard for storage stats |
| allow system_app sdcard_type:dir { open getattr read search ioctl }; |
| |
| # Write to properties |
| |
| #line 35 |
| # Property sets go through init's property socket; the property_service |
| # rules below name the property types this domain may actually set. |
| allow system_app property_socket:sock_file write; |
| #line 35 |
| allow system_app init:unix_stream_socket connectto; |
| #line 35 |
| |
| allow system_app debug_prop:property_service set; |
| allow system_app radio_prop:property_service set; |
| allow system_app system_prop:property_service set; |
| #line 1 "external/sepolicy/system_server.te" |
| # |
| # System Server aka system_server spawned by zygote. |
| # Most of the framework services run in this process. |
| # |
| # NOTE(review): system_server carries the unconfineddomain attribute |
| # (set below), so the unconfined template in unconfined.te applies in |
| # addition to every rule here. Rules that are repeated in this file |
| # (appdomain /proc reads, selinuxfs reads, security_file reads, the |
| # property socket connect) are harmless: checkpolicy unions duplicate |
| # allow rules. |
| type system_server, domain, mlstrustedsubject; |
| |
| #line 6 |
| # Restated by the macro expansion; mlstrustedsubject is already given |
| # on the type line above. |
| typeattribute system_server mlstrustedsubject; |
| #line 6 |
| typeattribute system_server unconfineddomain; |
| #line 6 |
| |
| |
| # Define a type for tmpfs-backed ashmem regions. |
| |
| #line 9 |
| type system_server_tmpfs, file_type; |
| #line 9 |
| type_transition system_server tmpfs:file system_server_tmpfs; |
| #line 9 |
| allow system_server system_server_tmpfs:file { read write }; |
| #line 9 |
| |
| |
| # Dalvik Compiler JIT Mapping. |
| # execmem plus execute on ashmem/tmpfs lets anonymous and shared memory |
| # be mapped writable and executable, which the JIT requires. |
| allow system_server self:process execmem; |
| allow system_server ashmem_device:chr_file execute; |
| allow system_server system_server_tmpfs:file execute; |
| |
| # For art. |
| allow system_server dalvikcache_data_file:file execute; |
| |
| # Child of the zygote. |
| allow system_server zygote:fd use; |
| allow system_server zygote:process sigchld; |
| allow system_server zygote_tmpfs:file read; |
| |
| # Needed to close the zygote socket, which involves getopt / getattr |
| # This should be deleted after b/12061011 is fixed |
| allow system_server zygote:unix_stream_socket { getopt getattr }; |
| |
| # system server gets network and bluetooth permissions. |
| |
| #line 29 |
| typeattribute system_server netdomain; |
| #line 29 |
| |
| |
| #line 30 |
| typeattribute system_server bluetoothdomain; |
| #line 30 |
| |
| |
| # These are the capabilities assigned by the zygote to the |
| # system server. |
| # unconfined.te withholds sys_ptrace, sys_rawio, mknod and sys_module |
| # from unconfined domains; sys_module is explicitly granted back here |
| # (paired with kernel:system module_request below). |
| allow system_server self:capability { |
| kill |
| net_admin |
| net_bind_service |
| net_broadcast |
| net_raw |
| sys_boot |
| sys_module |
| sys_nice |
| sys_resource |
| sys_time |
| sys_tty_config |
| }; |
| |
| allow system_server self:capability2 block_suspend; |
| |
| # Triggered by /proc/pid accesses, not allowed. |
| # dontaudit only silences the denial message; sys_ptrace remains denied. |
| dontaudit system_server self:capability sys_ptrace; |
| |
| # Trigger module auto-load. |
| allow system_server kernel:system module_request; |
| |
| # Use netlink uevent sockets. |
| # '*' grants every permission defined on the class. |
| allow system_server self:netlink_kobject_uevent_socket *; |
| |
| # Kill apps. |
| allow system_server appdomain:process { sigkill signal }; |
| |
| # Set scheduling info for apps. |
| allow system_server appdomain:process { getsched setsched }; |
| allow system_server mediaserver:process { getsched setsched }; |
| |
| # Read /proc data for apps. |
| # The file/lnk_file rule also carries append/write, so it is a superset |
| # of the read-only appdomain rule further down ("Read /proc/pid files |
| # for Binder clients"). |
| allow system_server appdomain:dir { open getattr read search ioctl }; |
| allow system_server appdomain:{ file lnk_file } { { getattr open read ioctl lock } { open append write } }; |
| |
| # Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid. |
| allow system_server qtaguid_proc:file { { getattr open read ioctl lock } { open append write } }; |
| allow system_server qtaguid_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| |
| # Read /sys/kernel/debug/wakeup_sources. |
| # Granted on the whole debugfs file type, not just wakeup_sources. |
| allow system_server debugfs:file { getattr open read ioctl lock }; |
| |
| # WifiWatchdog uses a packet_socket |
| allow system_server self:packet_socket *; |
| |
| # 3rd party VPN clients require a tun_socket to be created |
| allow system_server self:tun_socket create; |
| |
| # Notify init of death. |
| allow system_server init:process sigchld; |
| |
| # Talk to init and various daemons via sockets. |
| # Each pair below is one macro expansion: write on the socket node plus |
| # connectto (or sendto for datagram sockets) on the daemon's socket. |
| |
| #line 87 |
| allow system_server property_socket:sock_file write; |
| #line 87 |
| allow system_server init:unix_stream_socket connectto; |
| #line 87 |
| |
| |
| #line 88 |
| allow system_server qemud_socket:sock_file write; |
| #line 88 |
| allow system_server qemud:unix_stream_socket connectto; |
| #line 88 |
| |
| |
| #line 89 |
| allow system_server installd_socket:sock_file write; |
| #line 89 |
| allow system_server installd:unix_stream_socket connectto; |
| #line 89 |
| |
| |
| #line 90 |
| allow system_server lmkd_socket:sock_file write; |
| #line 90 |
| allow system_server lmkd:unix_stream_socket connectto; |
| #line 90 |
| |
| |
| #line 91 |
| allow system_server netd_socket:sock_file write; |
| #line 91 |
| allow system_server netd:unix_stream_socket connectto; |
| #line 91 |
| |
| |
| #line 92 |
| allow system_server vold_socket:sock_file write; |
| #line 92 |
| allow system_server vold:unix_stream_socket connectto; |
| #line 92 |
| |
| |
| #line 93 |
| allow system_server zygote_socket:sock_file write; |
| #line 93 |
| allow system_server zygote:unix_stream_socket connectto; |
| #line 93 |
| |
| |
| #line 94 |
| allow system_server keystore_socket:sock_file write; |
| #line 94 |
| allow system_server keystore:unix_stream_socket connectto; |
| #line 94 |
| |
| |
| #line 95 |
| allow system_server gps_socket:sock_file write; |
| #line 95 |
| allow system_server gpsd:unix_stream_socket connectto; |
| #line 95 |
| |
| |
| #line 96 |
| allow system_server racoon_socket:sock_file write; |
| #line 96 |
| allow system_server racoon:unix_stream_socket connectto; |
| #line 96 |
| |
| |
| #line 97 |
| # wpa uses a datagram socket, hence sendto rather than connectto. |
| allow system_server wpa_socket:sock_file write; |
| #line 97 |
| allow system_server wpa:unix_dgram_socket sendto; |
| #line 97 |
| |
| |
| # Communicate over a socket created by surfaceflinger. |
| allow system_server surfaceflinger:unix_stream_socket { read write setopt }; |
| |
| # Perform Binder IPC. |
| |
| #line 103 |
| # Call the servicemanager and transfer references to it. |
| #line 103 |
| allow system_server servicemanager:binder { call transfer }; |
| #line 103 |
| # rw access to /dev/binder and /dev/ashmem is presently granted to |
| #line 103 |
| # all domains in domain.te. |
| #line 103 |
| |
| |
| #line 104 |
| # Call the server domain and optionally transfer references to it. |
| #line 104 |
| allow system_server binderservicedomain:binder { call transfer }; |
| #line 104 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 104 |
| allow binderservicedomain system_server:binder transfer; |
| #line 104 |
| # Receive and use open files from the server. |
| #line 104 |
| allow system_server binderservicedomain:fd use; |
| #line 104 |
| |
| |
| #line 105 |
| # Call the server domain and optionally transfer references to it. |
| #line 105 |
| allow system_server appdomain:binder { call transfer }; |
| #line 105 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 105 |
| allow appdomain system_server:binder transfer; |
| #line 105 |
| # Receive and use open files from the server. |
| #line 105 |
| allow system_server appdomain:fd use; |
| #line 105 |
| |
| |
| #line 106 |
| # Call the server domain and optionally transfer references to it. |
| #line 106 |
| allow system_server healthd:binder { call transfer }; |
| #line 106 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 106 |
| allow healthd system_server:binder transfer; |
| #line 106 |
| # Receive and use open files from the server. |
| #line 106 |
| allow system_server healthd:fd use; |
| #line 106 |
| |
| |
| #line 107 |
| # Call the server domain and optionally transfer references to it. |
| #line 107 |
| allow system_server dumpstate:binder { call transfer }; |
| #line 107 |
| # Allow the serverdomain to transfer references to the client on the reply. |
| #line 107 |
| allow dumpstate system_server:binder transfer; |
| #line 107 |
| # Receive and use open files from the server. |
| #line 107 |
| allow system_server dumpstate:fd use; |
| #line 107 |
| |
| |
| #line 108 |
| typeattribute system_server binderservicedomain; |
| #line 108 |
| |
| |
| # Read /proc/pid files for Binder clients. |
| # Read-only; subsumed by the rw appdomain rule earlier in this file. |
| |
| #line 111 |
| allow system_server appdomain:dir { open getattr read search ioctl }; |
| #line 111 |
| allow system_server appdomain:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 111 |
| |
| |
| #line 112 |
| allow system_server mediaserver:dir { open getattr read search ioctl }; |
| #line 112 |
| allow system_server mediaserver:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 112 |
| |
| allow system_server appdomain:process getattr; |
| allow system_server mediaserver:process getattr; |
| |
| # Check SELinux permissions. |
| # Write on selinuxfs:file is granted here, but changing enforcement also |
| # needs kernel:security setenforce, which the unconfined template |
| # withholds (see unconfined.te) and this file does not grant; |
| # compute_av is what access-check queries use. |
| |
| #line 117 |
| allow system_server selinuxfs:dir { open getattr read search ioctl }; |
| #line 117 |
| allow system_server selinuxfs:file { { getattr open read ioctl lock } { open append write } }; |
| #line 117 |
| allow system_server kernel:security compute_av; |
| #line 117 |
| allow system_server self:netlink_selinux_socket *; |
| #line 117 |
| |
| |
| # XXX Label sysfs files with a specific type? |
| # Until then this is rw on every file labeled sysfs. |
| allow system_server sysfs:file { { getattr open read ioctl lock } { open append write } }; |
| allow system_server sysfs_nfc_power_writable:file { { getattr open read ioctl lock } { open append write } }; |
| |
| # Access devices. |
| allow system_server device:dir { open getattr read search ioctl }; |
| allow system_server mdns_socket:sock_file { { getattr open read ioctl lock } { open append write } }; |
| allow system_server alarm_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow system_server gpu_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow system_server graphics_device:dir search; |
| allow system_server graphics_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow system_server iio_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow system_server input_device:dir { open getattr read search ioctl }; |
| allow system_server input_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow system_server tty_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow system_server urandom_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow system_server usbaccessory_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow system_server video_device:dir { open getattr read search ioctl }; |
| allow system_server video_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow system_server qemu_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow system_server adbd_socket:sock_file { { getattr open read ioctl lock } { open append write } }; |
| |
| # tun device used for 3rd party vpn apps |
| allow system_server tun_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| |
| # Manage data files. |
| # Full create/delete/rename over everything carrying the data_file_type |
| # attribute, not a single data type. |
| allow system_server data_file_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow system_server data_file_type:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| |
| # Read /file_contexts and /data/security/file_contexts |
| # Read-only policy-file access; the same expansion is repeated in the |
| # SELinuxPolicyInstallReceiver block near the end of this file. |
| |
| #line 149 |
| allow system_server security_file:dir { open getattr read search ioctl }; |
| #line 149 |
| allow system_server security_file:file { getattr open read ioctl lock }; |
| #line 149 |
| allow system_server security_file:lnk_file { getattr open read ioctl lock }; |
| #line 149 |
| allow system_server selinuxfs:dir { open getattr read search ioctl }; |
| #line 149 |
| allow system_server selinuxfs:file { getattr open read ioctl lock }; |
| #line 149 |
| allow system_server rootfs:dir { open getattr read search ioctl }; |
| #line 149 |
| allow system_server rootfs:file { getattr open read ioctl lock }; |
| #line 149 |
| |
| |
| # Relabel apk files. |
| # relabeltodomain is the attribute that relabel constraints (not shown |
| # here) key on; the allow rules name the specific from/to type pairs. |
| |
| #line 152 |
| typeattribute system_server relabeltodomain; |
| #line 152 |
| |
| allow system_server { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto }; |
| allow system_server { apk_data_file apk_private_data_file }:file { relabelfrom relabelto }; |
| |
| # Relabel wallpaper. |
| allow system_server system_data_file:file relabelfrom; |
| allow system_server wallpaper_file:file relabelto; |
| allow system_server wallpaper_file:file { { getattr open read ioctl lock } { open append write } }; |
| |
| # Relabel /data/anr. |
| allow system_server system_data_file:dir relabelfrom; |
| allow system_server anr_data_file:dir relabelto; |
| |
| # Property Service write |
| allow system_server system_prop:property_service set; |
| allow system_server radio_prop:property_service set; |
| allow system_server debug_prop:property_service set; |
| allow system_server powerctl_prop:property_service set; |
| |
| # ctl interface |
| allow system_server ctl_default_prop:property_service set; |
| |
| # Create a socket for receiving info from wpa. |
| # Sockets system_server creates under either directory type are labeled |
| # system_wpa_socket, keeping them distinct from wpa_supplicant's own. |
| type_transition system_server wifi_data_file:sock_file system_wpa_socket; |
| type_transition system_server wpa_socket:sock_file system_wpa_socket; |
| allow system_server wpa_socket:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; |
| allow system_server system_wpa_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| |
| # Remove sockets created by wpa_supplicant |
| allow system_server wpa_socket:sock_file unlink; |
| |
| # Create a socket for connections from debuggerd. |
| # Named type transition: only a socket literally called "ndebugsocket" |
| # gets the system_ndebug_socket label. |
| type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket"; |
| allow system_server system_ndebug_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| |
| # Specify any arguments to zygote. |
| # The zygote class is a userspace object-manager class; these three |
| # permissions cover the uid/gid, rlimit and seinfo arguments of a spawn. |
| allow system_server self:zygote { specifyids specifyrlimits specifyseinfo }; |
| |
| # Manage cache files. |
| allow system_server cache_file:dir { relabelfrom { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } }; |
| allow system_server cache_file:file { relabelfrom { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } } }; |
| |
| # Run system programs, e.g. dexopt. |
| # execute_no_trans: the program runs inside the system_server domain |
| # rather than transitioning to its own. |
| allow system_server system_file:file { getattr execute execute_no_trans }; |
| |
| # Allow reading of /proc/pid data for other domains. |
| # XXX dontaudit candidate |
| # Read on every domain's /proc/pid entries, not only apps. |
| allow system_server domain:dir { open getattr read search ioctl }; |
| allow system_server domain:file { getattr open read ioctl lock }; |
| |
| # LocationManager(e.g, GPS) needs to read and write |
| # to uart driver and ctrl proc entry |
| allow system_server gps_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow system_server gps_control:file { { getattr open read ioctl lock } { open append write } }; |
| |
| # Allow system_server to use app-created sockets. |
| allow system_server appdomain:{ tcp_socket udp_socket } { setopt read write }; |
| |
| # Allow abstract socket connection |
| allow system_server rild:unix_stream_socket connectto; |
| |
| # connect to vpn tunnel |
| allow system_server mtp:unix_stream_socket { connectto }; |
| |
| # BackupManagerService lets PMS create a data backup file |
| allow system_server cache_backup_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| # Relabel /data/backup |
| allow system_server backup_data_file:dir { relabelto relabelfrom }; |
| # Relabel /cache/.*\.{data|restore} |
| allow system_server cache_backup_file:file { relabelto relabelfrom }; |
| # LocalTransport creates and relabels /cache/backup |
| allow system_server cache_backup_file:dir { relabelto relabelfrom { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } }; |
| |
| # Allow system to talk to usb device |
| allow system_server usb_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow system_server usb_device:dir { open getattr read search ioctl }; |
| |
| # Allow system to talk to sensors |
| allow system_server sensors_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| |
| # Read from HW RNG (needed by EntropyMixer). |
| allow system_server hw_random_device:chr_file { getattr open read ioctl lock }; |
| |
| # Access to wake locks |
| allow system_server sysfs_wake_lock:file { { getattr open read ioctl lock } { open append write } }; |
| |
| # Read and delete files under /dev/fscklogs. |
| |
| #line 239 |
| allow system_server fscklogs:dir { open getattr read search ioctl }; |
| #line 239 |
| allow system_server fscklogs:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 239 |
| |
| allow system_server fscklogs:dir { write remove_name }; |
| allow system_server fscklogs:file unlink; |
| |
| # For SELinuxPolicyInstallReceiver |
| # This is the on-device policy update path: beyond the read-only |
| # security_file/selinuxfs/rootfs rules (duplicated from above), it |
| # grants create/write/rename/unlink on security_file and the ability to |
| # set security_prop. Integrity of what lands in security_file therefore |
| # rests on the receiver's own verification, which policy cannot express. |
| |
| #line 244 |
| |
| #line 244 |
| allow system_server security_file:dir { open getattr read search ioctl }; |
| #line 244 |
| allow system_server security_file:file { getattr open read ioctl lock }; |
| #line 244 |
| allow system_server security_file:lnk_file { getattr open read ioctl lock }; |
| #line 244 |
| allow system_server selinuxfs:dir { open getattr read search ioctl }; |
| #line 244 |
| allow system_server selinuxfs:file { getattr open read ioctl lock }; |
| #line 244 |
| allow system_server rootfs:dir { open getattr read search ioctl }; |
| #line 244 |
| allow system_server rootfs:file { getattr open read ioctl lock }; |
| #line 244 |
| |
| #line 244 |
| |
| #line 244 |
| allow system_server property_socket:sock_file write; |
| #line 244 |
| allow system_server init:unix_stream_socket connectto; |
| #line 244 |
| |
| #line 244 |
| allow system_server security_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| #line 244 |
| allow system_server security_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| #line 244 |
| allow system_server security_file:lnk_file { create rename unlink }; |
| #line 244 |
| allow system_server security_prop:property_service set; |
| #line 244 |
| |
| |
| # For legacy unlabeled userdata on existing devices. |
| # See discussion of Unlabeled files in domain.te for more information. |
| # This rule is for dalvikcache mmap/mprotect PROT_EXEC. |
| # Note this allows executing any file that still carries the unlabeled |
| # type, not only dalvik-cache content. |
| allow system_server unlabeled:file execute; |
| |
| # logd access, system_server inherit logd write socket |
| # (urge is to deprecate this long term) |
| allow system_server zygote:unix_dgram_socket write; |
| |
| # Be consistent with DAC permissions. Allow system_server to write to |
| # /sys/module/lowmemorykiller/parameters/adj |
| # /sys/module/lowmemorykiller/parameters/minfree |
| allow system_server sysfs_lowmemorykiller:file { open append write }; |
| #line 1 "external/sepolicy/tee.te" |
| ## |
| # trusted execution environment (tee) daemon |
| # |
| # Domain for the TEE userspace daemon. surfaceflinger is separately |
| # allowed to connectto this domain and open tee_device (see |
| # surfaceflinger.te). tee is not given unconfineddomain, so apart from |
| # whatever domain.te grants every domain (not shown) its access is what |
| # is listed here. |
| type tee, domain; |
| type tee_exec, exec_type, file_type; |
| type tee_device, dev_type; |
| type tee_data_file, file_type, data_file_type; |
| |
| |
| #line 9 |
| # The "#line 9" block is one macro expansion: an init -> tee domain |
| # transition on exec of tee_exec, followed by a private tmpfs type. |
| |
| #line 9 |
| # Allow the necessary permissions. |
| #line 9 |
| |
| #line 9 |
| # Old domain may exec the file and transition to the new domain. |
| #line 9 |
| allow init tee_exec:file { getattr open read execute }; |
| #line 9 |
| allow init tee:process transition; |
| #line 9 |
| # New domain is entered by executing the file. |
| #line 9 |
| allow tee tee_exec:file { entrypoint read execute }; |
| #line 9 |
| # New domain can send SIGCHLD to its caller. |
| #line 9 |
| allow tee init:process sigchld; |
| #line 9 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 9 |
| # noatsecure is deliberately NOT allowed (only unaudited) so the new |
| # process starts with AT_SECURE set. |
| dontaudit init tee:process noatsecure; |
| #line 9 |
| # XXX dontaudit candidate but requires further study. |
| #line 9 |
| # Signal state and rlimits are inherited across the transition. |
| allow init tee:process { siginh rlimitinh }; |
| #line 9 |
| |
| #line 9 |
| # Make the transition occur by default. |
| #line 9 |
| type_transition init tee_exec:process tee; |
| #line 9 |
| |
| #line 9 |
| |
| #line 9 |
| type tee_tmpfs, file_type; |
| #line 9 |
| type_transition tee tmpfs:file tee_tmpfs; |
| #line 9 |
| allow tee tee_tmpfs:file { read write }; |
| #line 9 |
| |
| #line 9 |
| |
| # dac_override bypasses DAC (mode-bit) checks; under MAC the file access |
| # granted in this file is still limited to tee_device and tee_data_file. |
| allow tee self:capability { dac_override }; |
| allow tee tee_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow tee tee_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; |
| allow tee tee_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| # Generic netlink_socket class (not one of the per-family classes); |
| # create/bind/read only, no write or sendto. |
| allow tee self:netlink_socket { create bind read }; |
| #line 1 "external/sepolicy/ueventd.te" |
| # ueventd seclabel is specified in init.rc since |
| # it lives in the rootfs and has no unique file type. |
| # Because there is no ueventd_exec type, the domain is entered via |
| # "rootfs:file entrypoint" below rather than a type_transition. |
| type ueventd, domain; |
| |
| #line 4 |
| # Private tmpfs type for this domain. |
| type ueventd_tmpfs, file_type; |
| #line 4 |
| type_transition ueventd tmpfs:file ueventd_tmpfs; |
| #line 4 |
| allow ueventd ueventd_tmpfs:file { read write }; |
| #line 4 |
| |
| |
| #line 5 |
| # Named type transition: a chr_file created under device called |
| # "__kmsg__" is labeled klog_device, so only that node gets the label. |
| type_transition ueventd device:chr_file klog_device "__kmsg__"; |
| #line 5 |
| allow ueventd klog_device:chr_file { create open write unlink }; |
| #line 5 |
| allow ueventd device:dir { write add_name remove_name }; |
| #line 5 |
| |
| |
| #line 6 |
| # Read-only access to policy/config files (security_file, selinuxfs, |
| # rootfs); this expansion is the same one used by system_server.te. |
| allow ueventd security_file:dir { open getattr read search ioctl }; |
| #line 6 |
| allow ueventd security_file:file { getattr open read ioctl lock }; |
| #line 6 |
| allow ueventd security_file:lnk_file { getattr open read ioctl lock }; |
| #line 6 |
| allow ueventd selinuxfs:dir { open getattr read search ioctl }; |
| #line 6 |
| allow ueventd selinuxfs:file { getattr open read ioctl lock }; |
| #line 6 |
| allow ueventd rootfs:dir { open getattr read search ioctl }; |
| #line 6 |
| allow ueventd rootfs:file { getattr open read ioctl lock }; |
| #line 6 |
| |
| |
| #line 7 |
| # Needed for the sysfs_type relabel rule below. |
| typeattribute ueventd relabeltodomain; |
| #line 7 |
| |
| allow ueventd rootfs:file entrypoint; |
| allow ueventd init:process sigchld; |
| # Device-node management needs mknod/chown/fsetid/fowner; sys_rawio, |
| # net_admin and dac_override are also granted here. Note the unconfined |
| # template withholds mknod and sys_rawio, so this domain is explicitly |
| # more capable than an unconfined one in that respect. |
| allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner }; |
| allow ueventd device:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| allow ueventd device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow ueventd sysfs:file { { getattr open read ioctl lock } { open append write } }; |
| allow ueventd sysfs:file setattr; |
| # Relabel across every sysfs_type (ueventd applies sysfs permissions/labels). |
| allow ueventd sysfs_type:file { relabelfrom relabelto }; |
| allow ueventd sysfs_devices_system_cpu:file { { getattr open read ioctl lock } { open append write } }; |
| allow ueventd tmpfs:chr_file { { getattr open read ioctl lock } { open append write } }; |
| # Create/remove nodes and links under any dev_type directory. |
| allow ueventd dev_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow ueventd dev_type:lnk_file { create unlink }; |
| allow ueventd dev_type:chr_file { create setattr unlink }; |
| allow ueventd dev_type:blk_file { create setattr unlink }; |
| # Kernel uevent netlink socket; '*' grants every permission on the class. |
| allow ueventd self:netlink_kobject_uevent_socket *; |
| allow ueventd efs_file:dir search; |
| allow ueventd efs_file:file { getattr open read ioctl lock }; |
| #line 1 "external/sepolicy/unconfined.te" |
| ####################################################### |
| # |
| # This is the unconfined template. This template is the base policy |
| # which is used by daemons and other privileged components of |
| # Android. |
| # |
| # Historically, this template was called "unconfined" because it |
| # allowed the domain to do anything it wanted. Over time, |
| # this has changed, and will continue to change in the future. |
| # The rules in this file will be removed when no remaining |
| # unconfined domains require it, or when the rules contradict |
| # Android security best practices. Domains which need rules not |
| # provided by the unconfined template should add them directly to |
| # the relevant policy. |
| # |
| # The use of this template is discouraged. |
| ###################################################### |
| |
| # Reading guide: "~{ a b }" in a permission or type position means |
| # "everything in the class/attribute EXCEPT a and b", and "*" means |
| # every permission. Most rules below are therefore broad grants with a |
| # short deny-list; the deny-list is the security-relevant part. |
| # In this chunk, system_app, system_server and uncrypt carry this |
| # attribute. |
| |
| # All capabilities except ptrace, raw I/O, device-node creation and |
| # module loading. |
| allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module }; |
| # All capability2 bits except the MAC override/admin ones. |
| allow unconfineddomain self:capability2 ~{ mac_override mac_admin }; |
| # All security-class operations except loading policy, toggling |
| # enforcement and changing checkreqprot. |
| allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot }; |
| allow unconfineddomain kernel:system *; |
| # Every process permission on every domain (signals, sched, etc.) except |
| # executable-memory flags, ptrace and domain transitions. |
| allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition }; |
| allow unconfineddomain domain:fd *; |
| allow unconfineddomain domain:dir { open getattr read search ioctl }; |
| allow unconfineddomain domain:lnk_file { getattr open read ioctl lock }; |
| allow unconfineddomain domain:{ fifo_file file } { { getattr open read ioctl lock } { open append write } }; |
| # Full access to sockets owned by any domain, across every socket class. |
| allow unconfineddomain domain:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket } *; |
| allow unconfineddomain domain:{ sem msgq shm ipc } *; |
| allow unconfineddomain domain:key *; |
| # Filesystem objects: everything except relabelto on dirs/links/sockets/ |
| # fifos, and everything except entrypoint/execmod/execute/relabelto on |
| # files and char devices -- which includes write on every file_type and |
| # on all fs_type/dev_type except the carve-outs named inline. |
| allow unconfineddomain {fs_type dev_type file_type}:{ dir lnk_file sock_file fifo_file } ~relabelto; |
| allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto}; |
| allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto}; |
| allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod execute relabelto}; |
| # execute (without entrypoint) is added back only for these types. |
| allow unconfineddomain { rootfs system_file exec_type }:file execute; |
| allow unconfineddomain node_type:node *; |
| allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind; |
| allow unconfineddomain netif_type:netif *; |
| # Bind to any port type, and connect to any port type over TCP/DCCP. |
| allow unconfineddomain port_type:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket } name_bind; |
| allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect; |
| allow unconfineddomain domain:peer recv; |
| # Binder call/transfer toward every domain but init, plus |
| # set_context_mgr, which dedicated domains normally grant only to self. |
| allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr }; |
| # Set any property type (contrast the per-type lists in system_app.te). |
| allow unconfineddomain property_type:property_service set; |
| #line 1 "external/sepolicy/uncrypt.te" |
| # uncrypt |
| # Domain for the uncrypt helper. It is given unconfineddomain below, so |
| # unconfined.te applies on top of the rules here; the explicit rules |
| # mainly add what that template withholds (sys_rawio). |
| type uncrypt, domain; |
| type uncrypt_exec, exec_type, file_type; |
| |
| |
| #line 5 |
| # The "#line 5" block is one macro expansion: an init -> uncrypt domain |
| # transition on exec of uncrypt_exec, followed by a private tmpfs type. |
| |
| #line 5 |
| # Allow the necessary permissions. |
| #line 5 |
| |
| #line 5 |
| # Old domain may exec the file and transition to the new domain. |
| #line 5 |
| allow init uncrypt_exec:file { getattr open read execute }; |
| #line 5 |
| allow init uncrypt:process transition; |
| #line 5 |
| # New domain is entered by executing the file. |
| #line 5 |
| allow uncrypt uncrypt_exec:file { entrypoint read execute }; |
| #line 5 |
| # New domain can send SIGCHLD to its caller. |
| #line 5 |
| allow uncrypt init:process sigchld; |
| #line 5 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 5 |
| # noatsecure is only unaudited, not allowed, so AT_SECURE stays set. |
| dontaudit init uncrypt:process noatsecure; |
| #line 5 |
| # XXX dontaudit candidate but requires further study. |
| #line 5 |
| allow init uncrypt:process { siginh rlimitinh }; |
| #line 5 |
| |
| #line 5 |
| # Make the transition occur by default. |
| #line 5 |
| type_transition init uncrypt_exec:process uncrypt; |
| #line 5 |
| |
| #line 5 |
| |
| #line 5 |
| type uncrypt_tmpfs, file_type; |
| #line 5 |
| type_transition uncrypt tmpfs:file uncrypt_tmpfs; |
| #line 5 |
| allow uncrypt uncrypt_tmpfs:file { read write }; |
| #line 5 |
| |
| #line 5 |
| |
| |
| #line 6 |
| typeattribute uncrypt mlstrustedsubject; |
| #line 6 |
| typeattribute uncrypt unconfineddomain; |
| #line 6 |
| |
| |
| # Already implied by unconfined.te; kept so it survives template removal. |
| allow uncrypt self:capability dac_override; |
| |
| # Read OTA zip file from /data/data/com.google.android.gsf/app_download |
| # Read-only on app_data_file (all app sandboxes share this type). |
| |
| #line 11 |
| allow uncrypt app_data_file:dir { open getattr read search ioctl }; |
| #line 11 |
| allow uncrypt app_data_file:{ file lnk_file } { getattr open read ioctl lock }; |
| #line 11 |
| |
| |
| #line 16 |
| # uncrypt.te lines 12-15 expanded to nothing in this build (the #line |
| # jump above); presumably a conditional block -- confirm in uncrypt.te. |
| |
| |
| # Create tmp file /cache/recovery/command.tmp |
| # Read /cache/recovery/command |
| # Rename /cache/recovery/command.tmp to /cache/recovery/command |
| allow uncrypt cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; |
| allow uncrypt cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| |
| # Set a property to reboot the device. |
| |
| #line 25 |
| allow uncrypt property_socket:sock_file write; |
| #line 25 |
| allow uncrypt init:unix_stream_socket connectto; |
| #line 25 |
| |
| allow uncrypt powerctl_prop:property_service set; |
| |
| # Raw writes to block device |
| # sys_rawio is one of the capabilities unconfined.te withholds; it is |
| # granted back here together with write on every block_device node |
| # (no read, no create). |
| allow uncrypt self:capability sys_rawio; |
| allow uncrypt block_device:blk_file { open append write }; |
| #line 1 "external/sepolicy/untrusted_app.te" |
| ### |
| ### Untrusted apps. |
| ### |
| ### This file defines the rules for untrusted apps. An "untrusted |
| ### app" is an APP with UID between APP_AID (10000) |
| ### and AID_ISOLATED_START (99000). |
| ### |
| ### untrusted_app includes all the appdomain rules, plus the |
| ### additional following rules: |
| ### |
| |
| type untrusted_app, domain; |
| |
| #line 13 |
| typeattribute untrusted_app mlstrustedsubject; |
| #line 13 |
| typeattribute untrusted_app unconfineddomain; |
| #line 13 |
| |
| |
| #line 14 |
| typeattribute untrusted_app appdomain; |
| #line 14 |
| # Label ashmem objects with our own unique type. |
| #line 14 |
| |
| #line 14 |
| type untrusted_app_tmpfs, file_type; |
| #line 14 |
| type_transition untrusted_app tmpfs:file untrusted_app_tmpfs; |
| #line 14 |
| allow untrusted_app untrusted_app_tmpfs:file { read write }; |
| #line 14 |
| |
| #line 14 |
| # Map with PROT_EXEC. |
| #line 14 |
| allow untrusted_app untrusted_app_tmpfs:file execute; |
| #line 14 |
| |
| |
| #line 15 |
| typeattribute untrusted_app netdomain; |
| #line 15 |
| |
| |
| #line 16 |
| typeattribute untrusted_app bluetoothdomain; |
| #line 16 |
| |
| |
| # Some apps ship with shared libraries and binaries that they write out |
| # to their sandbox directory and then execute. |
| allow untrusted_app app_data_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; |
| |
| allow untrusted_app tun_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| |
| # Internal SDCard rw access. |
| allow untrusted_app sdcard_internal:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow untrusted_app sdcard_internal:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| |
| # External SDCard rw access. |
| allow untrusted_app sdcard_external:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow untrusted_app sdcard_external:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| |
| # ASEC |
| allow untrusted_app asec_apk_file:dir { getattr }; |
| allow untrusted_app asec_apk_file:file { getattr open read ioctl lock }; |
| # Execute libs in asec containers. |
| allow untrusted_app asec_public_file:file execute; |
| |
| # Create tcp/udp sockets |
| allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind; |
| allow untrusted_app self:{ tcp_socket udp_socket } { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } accept listen }; |
| # Bind to a particular hostname/address/interface (e.g., localhost) instead of |
| # ANY. Normally, apps should not be listening on all interfaces. |
| allow untrusted_app port:{ tcp_socket udp_socket } name_bind; |
| |
| # Allow the allocation and use of ptys |
| # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm |
| |
| #line 47 |
| # Each domain gets a unique devpts type. |
| #line 47 |
| type untrusted_app_devpts, fs_type; |
| #line 47 |
| # Label the pty with the unique type when created. |
| #line 47 |
| type_transition untrusted_app devpts:chr_file untrusted_app_devpts; |
| #line 47 |
| # Allow use of the pty after creation. |
| #line 47 |
| allow untrusted_app untrusted_app_devpts:chr_file { open getattr read write ioctl }; |
| #line 47 |
| # Note: devpts:dir search and ptmx_device:chr_file rw_file_perms |
| #line 47 |
| # allowed to everyone via domain.te. |
| #line 47 |
| |
| |
| # Used by Finsky / Android "Verify Apps" functionality when |
| # running "adb install foo.apk". |
| # TODO: Long term, we don't want apps probing into shell data files. |
| # Figure out a way to remove these rules. |
| allow untrusted_app shell_data_file:file { getattr open read ioctl lock }; |
| allow untrusted_app shell_data_file:dir { open getattr read search ioctl }; |
| #line 1 "external/sepolicy/vold.te" |
| # volume manager |
| type vold, domain; |
| type vold_exec, exec_type, file_type; |
| |
| |
| #line 5 |
| |
| #line 5 |
| # Allow the necessary permissions. |
| #line 5 |
| |
| #line 5 |
| # Old domain may exec the file and transition to the new domain. |
| #line 5 |
| allow init vold_exec:file { getattr open read execute }; |
| #line 5 |
| allow init vold:process transition; |
| #line 5 |
| # New domain is entered by executing the file. |
| #line 5 |
| allow vold vold_exec:file { entrypoint read execute }; |
| #line 5 |
| # New domain can send SIGCHLD to its caller. |
| #line 5 |
| allow vold init:process sigchld; |
| #line 5 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 5 |
| dontaudit init vold:process noatsecure; |
| #line 5 |
| # XXX dontaudit candidate but requires further study. |
| #line 5 |
| allow init vold:process { siginh rlimitinh }; |
| #line 5 |
| |
| #line 5 |
| # Make the transition occur by default. |
| #line 5 |
| type_transition init vold_exec:process vold; |
| #line 5 |
| |
| #line 5 |
| |
| #line 5 |
| type vold_tmpfs, file_type; |
| #line 5 |
| type_transition vold tmpfs:file vold_tmpfs; |
| #line 5 |
| allow vold vold_tmpfs:file { read write }; |
| #line 5 |
| |
| #line 5 |
| |
| |
| typeattribute vold mlstrustedsubject; |
| allow vold system_file:file { getattr execute execute_no_trans }; |
| allow vold block_device:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow vold block_device:blk_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| allow vold device:dir write; |
| allow vold devpts:chr_file { { getattr open read ioctl lock } { open append write } }; |
| allow vold rootfs:dir mounton; |
| allow vold sdcard_type:dir mounton; |
| allow vold sdcard_type:filesystem { mount remount unmount }; |
| allow vold sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow vold sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| allow vold tmpfs:filesystem { mount unmount }; |
| allow vold tmpfs:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow vold tmpfs:dir mounton; |
| allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid }; |
| allow vold self:netlink_kobject_uevent_socket *; |
| allow vold app_data_file:dir search; |
| allow vold app_data_file:file { { getattr open read ioctl lock } { open append write } }; |
| allow vold loop_device:blk_file { { getattr open read ioctl lock } { open append write } }; |
| allow vold dm_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| # For vold Process::killProcessesWithOpenFiles function. |
| allow vold domain:dir { open getattr read search ioctl }; |
| allow vold domain:{ file lnk_file } { getattr open read ioctl lock }; |
| allow vold domain:process { signal sigkill }; |
| allow vold self:capability { sys_ptrace kill }; |
| |
| # For blkid |
| allow vold shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } }; |
| |
| # XXX Label sysfs files with a specific type? |
| allow vold sysfs:file { { getattr open read ioctl lock } { open append write } }; |
| |
| |
| #line 39 |
| type_transition vold device:chr_file klog_device "__kmsg__"; |
| #line 39 |
| allow vold klog_device:chr_file { create open write unlink }; |
| #line 39 |
| allow vold device:dir { write add_name remove_name }; |
| #line 39 |
| |
| |
| # Log fsck results |
| allow vold fscklogs:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; |
| allow vold fscklogs:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| |
| # |
| # Rules to support encrypted fs support. |
| # |
| |
| # Set property. |
| |
| #line 50 |
| allow vold property_socket:sock_file write; |
| #line 50 |
| allow vold init:unix_stream_socket connectto; |
| #line 50 |
| |
| |
| # Unmount and mount the fs. |
| allow vold labeledfs:filesystem { mount unmount remount }; |
| |
| # Access /efs/userdata_footer. |
| # XXX Split into a separate type? |
| allow vold efs_file:file { { getattr open read ioctl lock } { open append write } }; |
| |
| # Create and mount on /data/tmp_mnt. |
| allow vold system_data_file:dir { create { { open getattr read search ioctl } { open search write add_name remove_name } } mounton }; |
| |
| # Set scheduling policy of kernel processes |
| allow vold kernel:process setsched; |
| |
| # Property Service |
| allow vold vold_prop:property_service set; |
| allow vold powerctl_prop:property_service set; |
| allow vold ctl_default_prop:property_service set; |
| |
| # ASEC |
| allow vold asec_image_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| allow vold asec_image_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; |
| |
| #line 73 |
| allow vold security_file:dir { open getattr read search ioctl }; |
| #line 73 |
| allow vold security_file:file { getattr open read ioctl lock }; |
| #line 73 |
| allow vold security_file:lnk_file { getattr open read ioctl lock }; |
| #line 73 |
| allow vold selinuxfs:dir { open getattr read search ioctl }; |
| #line 73 |
| allow vold selinuxfs:file { getattr open read ioctl lock }; |
| #line 73 |
| allow vold rootfs:dir { open getattr read search ioctl }; |
| #line 73 |
| allow vold rootfs:file { getattr open read ioctl lock }; |
| #line 73 |
| |
| |
| #line 74 |
| typeattribute vold relabeltodomain; |
| #line 74 |
| |
| allow vold asec_apk_file:dir { { { open getattr read search ioctl } { open search write add_name remove_name } } setattr relabelfrom }; |
| allow vold asec_public_file:dir { relabelto setattr }; |
| allow vold asec_apk_file:file { { getattr open read ioctl lock } setattr relabelfrom }; |
| allow vold asec_public_file:file { relabelto setattr }; |
| |
| # Handle wake locks (used for device encryption) |
| allow vold sysfs_wake_lock:file { { getattr open read ioctl lock } { open append write } }; |
| allow vold self:capability2 block_suspend; |
| #line 1 "external/sepolicy/watchdogd.te" |
| # watchdogd seclabel is specified in init.<board>.rc |
| type watchdogd, domain; |
| allow watchdogd rootfs:file { entrypoint { getattr open read ioctl lock } }; |
| allow watchdogd self:capability mknod; |
| allow watchdogd device:dir { add_name write remove_name }; |
| allow watchdogd watchdog_device:chr_file { { getattr open read ioctl lock } { open append write } }; |
| # because of /dev/__kmsg__ and /dev/__null__ |
| |
| #line 8 |
| type_transition watchdogd device:chr_file klog_device "__kmsg__"; |
| #line 8 |
| allow watchdogd klog_device:chr_file { create open write unlink }; |
| #line 8 |
| allow watchdogd device:dir { write add_name remove_name }; |
| #line 8 |
| |
| type_transition watchdogd device:chr_file null_device "__null__"; |
| allow watchdogd null_device:chr_file { create unlink }; |
| #line 1 "external/sepolicy/wpa_supplicant.te" |
| # wpa - wpa supplicant or equivalent |
| type wpa, domain; |
| type wpa_exec, exec_type, file_type; |
| |
| |
| #line 5 |
| |
| #line 5 |
| # Allow the necessary permissions. |
| #line 5 |
| |
| #line 5 |
| # Old domain may exec the file and transition to the new domain. |
| #line 5 |
| allow init wpa_exec:file { getattr open read execute }; |
| #line 5 |
| allow init wpa:process transition; |
| #line 5 |
| # New domain is entered by executing the file. |
| #line 5 |
| allow wpa wpa_exec:file { entrypoint read execute }; |
| #line 5 |
| # New domain can send SIGCHLD to its caller. |
| #line 5 |
| allow wpa init:process sigchld; |
| #line 5 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 5 |
| dontaudit init wpa:process noatsecure; |
| #line 5 |
| # XXX dontaudit candidate but requires further study. |
| #line 5 |
| allow init wpa:process { siginh rlimitinh }; |
| #line 5 |
| |
| #line 5 |
| # Make the transition occur by default. |
| #line 5 |
| type_transition init wpa_exec:process wpa; |
| #line 5 |
| |
| #line 5 |
| |
| #line 5 |
| type wpa_tmpfs, file_type; |
| #line 5 |
| type_transition wpa tmpfs:file wpa_tmpfs; |
| #line 5 |
| allow wpa wpa_tmpfs:file { read write }; |
| #line 5 |
| |
| #line 5 |
| |
| allow wpa kernel:system module_request; |
| allow wpa self:capability { setuid net_admin setgid net_raw }; |
| allow wpa cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow wpa self:netlink_route_socket *; |
| allow wpa self:netlink_socket *; |
| allow wpa self:packet_socket *; |
| allow wpa self:udp_socket *; |
| allow wpa wifi_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow wpa wifi_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| |
| #line 15 |
| allow wpa system_wpa_socket:sock_file write; |
| #line 15 |
| allow wpa system_server:unix_dgram_socket sendto; |
| #line 15 |
| |
| allow wpa random_device:chr_file { getattr open read ioctl lock }; |
| |
| # Create a socket for receiving info from wpa |
| type_transition wpa wifi_data_file:sock_file wpa_socket; |
| allow wpa wpa_socket:dir { { { open getattr read search ioctl } { open search write add_name remove_name } } setattr }; |
| allow wpa wpa_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| |
| # Allow wpa_cli to work. wpa_cli creates a socket in |
| # /data/misc/wifi/sockets which wpa supplicant communicates with. |
| #line 27 |
| |
| #line 1 "external/sepolicy/zygote.te" |
| # zygote |
| type zygote, domain; |
| type zygote_exec, exec_type, file_type; |
| |
| |
| #line 5 |
| |
| #line 5 |
| # Allow the necessary permissions. |
| #line 5 |
| |
| #line 5 |
| # Old domain may exec the file and transition to the new domain. |
| #line 5 |
| allow init zygote_exec:file { getattr open read execute }; |
| #line 5 |
| allow init zygote:process transition; |
| #line 5 |
| # New domain is entered by executing the file. |
| #line 5 |
| allow zygote zygote_exec:file { entrypoint read execute }; |
| #line 5 |
| # New domain can send SIGCHLD to its caller. |
| #line 5 |
| allow zygote init:process sigchld; |
| #line 5 |
| # Enable AT_SECURE, i.e. libc secure mode. |
| #line 5 |
| dontaudit init zygote:process noatsecure; |
| #line 5 |
| # XXX dontaudit candidate but requires further study. |
| #line 5 |
| allow init zygote:process { siginh rlimitinh }; |
| #line 5 |
| |
| #line 5 |
| # Make the transition occur by default. |
| #line 5 |
| type_transition init zygote_exec:process zygote; |
| #line 5 |
| |
| #line 5 |
| |
| #line 5 |
| type zygote_tmpfs, file_type; |
| #line 5 |
| type_transition zygote tmpfs:file zygote_tmpfs; |
| #line 5 |
| allow zygote zygote_tmpfs:file { read write }; |
| #line 5 |
| |
| #line 5 |
| |
| typeattribute zygote mlstrustedsubject; |
| # Override DAC on files and switch uid/gid. |
| allow zygote self:capability { dac_override setgid setuid fowner }; |
| # Drop capabilities from bounding set. |
| allow zygote self:capability setpcap; |
| # Switch SELinux context to app domains. |
| allow zygote system_server:process dyntransition; |
| allow zygote appdomain:process dyntransition; |
| # Allow zygote to read app /proc/pid dirs (b/10455872) |
| allow zygote appdomain:dir { getattr search }; |
| allow zygote appdomain:file { { getattr open read ioctl lock } }; |
| # Move children into the peer process group. |
| allow zygote system_server:process { getpgid setpgid }; |
| allow zygote appdomain:process { getpgid setpgid }; |
| # Write to system data. |
| allow zygote system_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; |
| allow zygote system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| allow zygote dalvikcache_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } }; |
| allow zygote dalvikcache_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } }; |
| # For art. |
| allow zygote dalvikcache_data_file:file execute; |
| # Execute dexopt. |
| allow zygote system_file:file { getattr execute execute_no_trans }; |
| # Control cgroups. |
| allow zygote cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } }; |
| allow zygote self:capability sys_admin; |
| # Check validity of SELinux context before use. |
| |
| #line 33 |
| allow zygote selinuxfs:dir { open getattr read search ioctl }; |
| #line 33 |
| allow zygote selinuxfs:file { { getattr open read ioctl lock } { open append write } }; |
| #line 33 |
| allow zygote kernel:security check_context; |
| #line 33 |
| |
| # Check SELinux permissions. |
| |
| #line 35 |
| allow zygote selinuxfs:dir { open getattr read search ioctl }; |
| #line 35 |
| allow zygote selinuxfs:file { { getattr open read ioctl lock } { open append write } }; |
| #line 35 |
| allow zygote kernel:security compute_av; |
| #line 35 |
| allow zygote self:netlink_selinux_socket *; |
| #line 35 |
| |
| # Read /seapp_contexts and /data/security/seapp_contexts |
| |
| #line 37 |
| allow zygote security_file:dir { open getattr read search ioctl }; |
| #line 37 |
| allow zygote security_file:file { getattr open read ioctl lock }; |
| #line 37 |
| allow zygote security_file:lnk_file { getattr open read ioctl lock }; |
| #line 37 |
| allow zygote selinuxfs:dir { open getattr read search ioctl }; |
| #line 37 |
| allow zygote selinuxfs:file { getattr open read ioctl lock }; |
| #line 37 |
| allow zygote rootfs:dir { open getattr read search ioctl }; |
| #line 37 |
| allow zygote rootfs:file { getattr open read ioctl lock }; |
| #line 37 |
| |
| |
| # Setting up /storage/emulated. |
| allow zygote rootfs:dir mounton; |
| allow zygote sdcard_type:dir { write search setattr create add_name mounton }; |
| dontaudit zygote self:capability fsetid; |
| allow zygote tmpfs:dir { write create add_name setattr mounton search }; |
| allow zygote tmpfs:filesystem mount; |
| allow zygote labeledfs:filesystem remount; |
| |
| # Handle --invoke-with command when launching Zygote with a wrapper command. |
| allow zygote zygote_exec:file { execute_no_trans open }; |
| |
| # handle bugreports b/10498304 |
| allow zygote ashmem_device:chr_file execute; |
| allow zygote shell_data_file:file { write getattr }; |
| allow zygote system_server:binder { transfer call }; |
| allow zygote servicemanager:binder { call }; |
| |
| # For legacy unlabeled userdata on existing devices. |
| # See discussion of Unlabeled files in domain.te for more information. |
| # This rule is for dalvikcache mmap/mprotect PROT_EXEC. |
| allow zygote unlabeled:file execute; |
| #line 1 "build/target/board/generic/sepolicy/bootanim.te" |
| allow bootanim self:process execmem; |
| allow bootanim ashmem_device:chr_file execute; |
| #line 1 "build/target/board/generic/sepolicy/domain.te" |
| # For /sys/qemu_trace files in the emulator. |
| allow domain sysfs_writable:file { { getattr open read ioctl lock } { open append write } }; |
| #line 1 "build/target/board/generic/sepolicy/surfaceflinger.te" |
| allow surfaceflinger self:process execmem; |
| allow surfaceflinger ashmem_device:chr_file execute; |
| #line 1 "external/sepolicy/roles" |
| role r; |
| role r types domain; |
| #line 1 "external/sepolicy/users" |
| user u roles { r } level s0 range s0 - s0:c0.c1023; |
| #line 1 "external/sepolicy/initial_sid_contexts" |
| sid kernel u:r:kernel:s0 |
| sid security u:object_r:kernel:s0 |
| sid unlabeled u:object_r:unlabeled:s0 |
| sid fs u:object_r:labeledfs:s0 |
| sid file u:object_r:unlabeled:s0 |
| sid file_labels u:object_r:unlabeled:s0 |
| sid init u:object_r:unlabeled:s0 |
| sid any_socket u:object_r:unlabeled:s0 |
| sid port u:object_r:port:s0 |
| sid netif u:object_r:netif:s0 |
| sid netmsg u:object_r:unlabeled:s0 |
| sid node u:object_r:node:s0 |
| sid igmp_packet u:object_r:unlabeled:s0 |
| sid icmp_socket u:object_r:unlabeled:s0 |
| sid tcp_socket u:object_r:unlabeled:s0 |
| sid sysctl_modprobe u:object_r:unlabeled:s0 |
| sid sysctl u:object_r:proc:s0 |
| sid sysctl_fs u:object_r:unlabeled:s0 |
| sid sysctl_kernel u:object_r:unlabeled:s0 |
| sid sysctl_net u:object_r:unlabeled:s0 |
| sid sysctl_net_unix u:object_r:unlabeled:s0 |
| sid sysctl_vm u:object_r:unlabeled:s0 |
| sid sysctl_dev u:object_r:unlabeled:s0 |
| sid kmod u:object_r:unlabeled:s0 |
| sid policy u:object_r:unlabeled:s0 |
| sid scmp_packet u:object_r:unlabeled:s0 |
| sid devnull u:object_r:null_device:s0 |
| #line 1 "external/sepolicy/fs_use" |
| # Label inodes via getxattr. |
| fs_use_xattr yaffs2 u:object_r:labeledfs:s0; |
| fs_use_xattr jffs2 u:object_r:labeledfs:s0; |
| fs_use_xattr ext2 u:object_r:labeledfs:s0; |
| fs_use_xattr ext3 u:object_r:labeledfs:s0; |
| fs_use_xattr ext4 u:object_r:labeledfs:s0; |
| fs_use_xattr xfs u:object_r:labeledfs:s0; |
| fs_use_xattr btrfs u:object_r:labeledfs:s0; |
| |
| # Label inodes from task label. |
| fs_use_task pipefs u:object_r:pipefs:s0; |
| fs_use_task sockfs u:object_r:sockfs:s0; |
| |
| # Label inodes from combination of task label and fs label. |
| # Define type_transition rules if you want per-domain types. |
| fs_use_trans devpts u:object_r:devpts:s0; |
| fs_use_trans tmpfs u:object_r:tmpfs:s0; |
| fs_use_trans devtmpfs u:object_r:device:s0; |
| fs_use_trans shm u:object_r:shm:s0; |
| fs_use_trans mqueue u:object_r:mqueue:s0; |
| |
| #line 1 "external/sepolicy/genfs_contexts" |
| # Label inodes with the fs label. |
| genfscon rootfs / u:object_r:rootfs:s0 |
| # proc labeling can be further refined (longest matching prefix). |
| genfscon proc / u:object_r:proc:s0 |
| genfscon proc /net u:object_r:proc_net:s0 |
| genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0 |
| genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0 |
| genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0 |
| genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0 |
| genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0 |
| genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0 |
| genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0 |
| genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0 |
| genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0 |
| genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0 |
| genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0 |
| genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0 |
| genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0 |
| genfscon proc /sys/net u:object_r:proc_net:s0 |
| genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0 |
| # selinuxfs booleans can be individually labeled. |
| genfscon selinuxfs / u:object_r:selinuxfs:s0 |
| genfscon cgroup / u:object_r:cgroup:s0 |
| # sysfs labels can be set by userspace. |
| genfscon sysfs / u:object_r:sysfs:s0 |
| genfscon inotifyfs / u:object_r:inotify:s0 |
| genfscon vfat / u:object_r:sdcard_external:s0 |
| genfscon debugfs / u:object_r:debugfs:s0 |
| genfscon fuse / u:object_r:sdcard_internal:s0 |
| #line 1 "external/sepolicy/port_contexts" |
| # portcon statements go here, e.g. |
| # portcon tcp 80 u:object_r:http_port:s0 |
| |