Remove legacy SELinux policy parser.

This is essentially a cherry-pick of commit 5efc6d6b034fe77953828e93ae6de82f49527553,
but the external and internal branches differ, so it is not an exact cherry-pick of that change.

Actual cherry-pick of commit: 06cd8124705d6cf8c09373a2a18b792efc26d7be

Change-Id: Icd693e4cda9b7fa3ab6efb6f523ff0c3c85c66ec
diff --git a/tools/selinux/src/SELinux_CTS.py b/tools/selinux/src/SELinux_CTS.py
deleted file mode 100644
index ec12be0..0000000
--- a/tools/selinux/src/SELinux_CTS.py
+++ /dev/null
@@ -1,542 +0,0 @@
-import pdb
-import re
-from xml.etree.ElementTree import Element, SubElement, tostring
-
-#define equivalents
-TYPE = 0
-ATTRIBUTE = 1
-TYPEATTRIBUTE = 2
-CLASS = 3
-COMMON = 4
-ALLOW_RULE = 5
-NEVERALLOW_RULE = 6
-OTHER = 7
-
-#define helper methods
-# advance_past_whitespace(): helper function to skip whitespace at current
-# position in file.
-# returns: the non-whitespace character at the file's new position
-#TODO: should I deal with comments here as well?
-def advance_past_whitespace(file_obj):
-    c = file_obj.read(1)
-    while c.isspace():
-        c = file_obj.read(1)
-    file_obj.seek(-1, 1)
-    return c
-
-# advance_until_whitespace(): helper function to grab the string represented
-# by the current position in file until next whitespace.
-# returns: string until next whitespace.  overlooks comments.
-def advance_until_whitespace(file_obj):
-    ret_string = ""
-    c = file_obj.read(1)
-    #TODO: make a better way to deal with ':' and ';'
-    while not (c.isspace() or c == ':' or c == '' or c == ';'):
-        #don't count comments
-        if c == '#':
-            file_obj.readline()
-            return ret_string
-        else:
-            ret_string+=c
-            c = file_obj.read(1)
-    if not c == ':':
-        file_obj.seek(-1, 1)
-    return ret_string
-
-# expand_avc_rule - takes a processed avc rule and converts it into a list of
-# 4-tuples for use in an access check of form:
-    # (source_type, target_type, class, permission)
-def expand_avc_rule(policy, avc_rule):
-    ret_list = [ ]
-
-    #expand source_types
-    source_types = avc_rule['source_types']['set']
-    source_types = policy.expand_types(source_types)
-    if(avc_rule['source_types']['flags']['complement']):
-        #TODO: deal with negated 'self', not present in current policy.conf, though (I think)
-        source_types = policy.types - source_types #complement these types
-    if len(source_types) == 0:
-        print "ERROR: source_types empty after expansion"
-        print "Before: "
-        print avc_rule['source_types']['set']
-        return
-
-    #expand target_types
-    target_types = avc_rule['target_types']['set']
-    target_types = policy.expand_types(target_types)
-    if(avc_rule['target_types']['flags']['complement']):
-        #TODO: deal with negated 'self', not present in current policy.conf, though (I think)
-        target_types = policy.types - target_types #complement these types
-    if len(target_types) == 0:
-        print "ERROR: target_types empty after expansion"
-        print "Before: "
-        print avc_rule['target_types']['set']
-        return
-
-    # get classes
-    rule_classes = avc_rule['classes']['set']
-    if '' in rule_classes:
-        print "FOUND EMPTY STRING IN CLASSES"
-        print "Total sets:"
-        print avc_rule['source_types']['set']
-        print avc_rule['target_types']['set']
-        print rule_classes
-        print avc_rule['permissions']['set']
-
-    if len(rule_classes) == 0:
-        print "ERROR: empy set of object classes in avc rule"
-        return
-
-    # get permissions
-    permissions = avc_rule['permissions']['set']
-    if len(permissions) == 0:
-        print "ERROR: empy set of permissions in avc rule\n"
-        return
-
-    #create the list with collosal nesting, n^4 baby!
-    for s in source_types:
-        for t in target_types:
-            for c in rule_classes:
-                if c == '':
-                   continue
-                #expand permissions on a per-class basis
-                exp_permissions = policy.expand_permissions(c, permissions)
-                if(avc_rule['permissions']['flags']['complement']):
-                    exp_permissions = policy.classes[c] - exp_permissions
-                if len(exp_permissions) == 0:
-                    print "ERROR: permissions empty after expansion\n"
-                    print "Before: "
-                    print avc_rule['permissions']['set']
-                    return
-                for p in exp_permissions:
-                    source = s
-                    if t == 'self':
-                        target = s
-                    else:
-                        target = t
-                    obj_class = c
-                    permission = p
-                    ret_list.append((source, target, obj_class, permission))
-    return ret_list
-
-# expand_avc_rule - takes a processed avc rule and converts it into an xml
-# representation with the information needed in a checkSELinuxAccess() call.
-# (source_type, target_type, class, permission)
-def expand_avc_rule_to_xml(policy, avc_rule, rule_name, rule_type):
-    rule_xml = Element('avc_rule')
-    rule_xml.set('name', rule_name)
-    rule_xml.set('type', rule_type)
-
-    #expand source_types
-    source_types = avc_rule['source_types']['set']
-    source_types = policy.expand_types(source_types)
-    if(avc_rule['source_types']['flags']['complement']):
-        #TODO: deal with negated 'self', not present in current policy.conf, though (I think)
-        source_types = policy.types - source_types #complement these types
-    if len(source_types) == 0:
-        print "ERROR: source_types empty after expansion"
-        print "Before: "
-        print avc_rule['source_types']['set']
-        return
-    for s in source_types:
-        elem = SubElement(rule_xml, 'type')
-        elem.set('type', 'source')
-        elem.text = s
-
-    #expand target_types
-    target_types = avc_rule['target_types']['set']
-    target_types = policy.expand_types(target_types)
-    if(avc_rule['target_types']['flags']['complement']):
-        #TODO: deal with negated 'self', not present in current policy.conf, though (I think)
-        target_types = policy.types - target_types #complement these types
-    if len(target_types) == 0:
-        print "ERROR: target_types empty after expansion"
-        print "Before: "
-        print avc_rule['target_types']['set']
-        return
-    for t in target_types:
-        elem = SubElement(rule_xml, 'type')
-        elem.set('type', 'target')
-        elem.text = t
-
-    # get classes
-    rule_classes = avc_rule['classes']['set']
-
-    if len(rule_classes) == 0:
-        print "ERROR: empy set of object classes in avc rule"
-        return
-
-    # get permissions
-    permissions = avc_rule['permissions']['set']
-    if len(permissions) == 0:
-        print "ERROR: empy set of permissions in avc rule\n"
-        return
-
-    # permissions are class-dependent, so bundled together
-    for c in rule_classes:
-        if c == '':
-            print "AH!!! empty class found!\n"
-            continue
-        c_elem = SubElement(rule_xml, 'obj_class')
-        c_elem.set('name', c)
-        #expand permissions on a per-class basis
-        exp_permissions = policy.expand_permissions(c, permissions)
-        if(avc_rule['permissions']['flags']['complement']):
-            exp_permissions = policy.classes[c] - exp_permissions
-        if len(exp_permissions) == 0:
-            print "ERROR: permissions empty after expansion\n"
-            print "Before: "
-            print avc_rule['permissions']['set']
-            return
-
-        for p in exp_permissions:
-            p_elem = SubElement(c_elem, 'permission')
-            p_elem.text = p
-
-    return rule_xml
-
-# expand_brackets - helper function which reads a file into a string until '{ }'s
-# are balanced.  Brackets are removed from the string.  This function is based
-# on the understanding that nested brackets in our policy.conf file occur only due
-# to macro expansion, and we just need to know how much is included in a given
-# policy sub-component.
-def expand_brackets(file_obj):
-    ret_string = ""
-    c = file_obj.read(1)
-    if not c == '{':
-        print "Invalid bracket expression: " + c + "\n"
-        file_obj.seek(-1, 1)
-        return ""
-    else:
-        bracket_count = 1
-    while bracket_count > 0:
-        c = file_obj.read(1)
-        if c == '{':
-            bracket_count+=1
-        elif c == '}':
-            bracket_count-=1
-        elif c == '#':
-            #get rid of comment and replace with whitespace
-            file_obj.readline()
-            ret_string+=' '
-        else:
-            ret_string+=c
-    return ret_string
-
-# get_avc_rule_component - grabs the next component from an avc rule.  Basically,
-# just reads the next word or bracketed set of words.
-# returns - a set of the word, or words with metadata
-def get_avc_rule_component(file_obj):
-    ret_dict = { 'flags': {}, 'set': set() }
-    c = advance_past_whitespace(file_obj)
-    if c == '~':
-        ret_dict['flags']['complement'] = True
-        file_obj.read(1) #move to next char
-        c = advance_past_whitespace(file_obj)
-    else:
-        ret_dict['flags']['complement'] = False
-    if not c == '{':
-        #TODO: change operations on file to operations on string?
-        single_type =  advance_until_whitespace(file_obj)
-        ret_dict['set'].add(single_type)
-    else:
-        mult_types = expand_brackets(file_obj)
-        mult_types = mult_types.split()
-        for t in mult_types:
-            ret_dict['set'].add(t)
-    return ret_dict
-
-def get_line_type(line):
-    if re.search(r'^type\s', line):
-        return TYPE
-    if re.search(r'^attribute\s', line):
-        return ATTRIBUTE
-    if re.search(r'^typeattribute\s', line):
-        return TYPEATTRIBUTE
-    if re.search(r'^class\s', line):
-        return CLASS
-    if re.search(r'^common\s', line):
-        return COMMON
-    if re.search(r'^allow\s', line):
-        return ALLOW_RULE
-    if re.search(r'^neverallow\s', line):
-        return NEVERALLOW_RULE
-    else:
-        return OTHER
-
-def is_multi_line(line_type):
-    if line_type == CLASS:
-        return True
-    elif line_type == COMMON:
-        return True
-    elif line_type == ALLOW_RULE:
-        return True
-    elif line_type == NEVERALLOW_RULE:
-        return True
-    else:
-        return False
-
-
-#should only be called with file pointing to the 'i' in 'inherits' segment
-def process_inherits_segment(file_obj):
-    inherit_keyword = file_obj.read(8)
-    if not inherit_keyword == 'inherits':
-        #TODO: handle error, invalid class statement
-        print "ERROR: invalid inherits statement"
-        return
-    else:
-        advance_past_whitespace(file_obj)
-        ret_inherited_common = advance_until_whitespace(file_obj)
-        return ret_inherited_common
-
-class SELinuxPolicy:
-
-    def __init__(self):
-        self.types = set()
-        self.attributes = { }
-        self.classes = { }
-        self.common_classes = { }
-        self.allow_rules = [ ]
-        self.neverallow_rules = [ ]
-
-    # create policy directly from policy file
-    #@classmethod
-    def from_file_name(self, policy_file_name):
-        self.types = set()
-        self.attributes = { }
-        self.classes = { }
-        self.common_classes = { }
-        self.allow_rules = [ ]
-        self.neverallow_rules = [ ]
-        with open(policy_file_name, 'r') as policy_file:
-            line = policy_file.readline()
-            while line:
-                line_type = get_line_type(line)
-                if is_multi_line(line_type):
-                    self.parse_multi_line(line, line_type, policy_file)
-                else:
-                    self.parse_single_line(line, line_type)
-                line = policy_file.readline()
-
-    # expand_permissions - generates the actual permission set based on the listed
-    # permissions with wildcards and the given class on which they're based.
-    def expand_permissions(self, obj_class, permission_set):
-        ret_set = set()
-        neg_set = set()
-        for p in permission_set:
-            if p[0] == '-':
-                real_p = p[1:]
-                if real_p in self.classes[obj_class]:
-                    neg_set.add(real_p)
-                else:
-                    print "ERROR: invalid permission in avc rule " + real_t + "\n"
-                    return
-            else:
-                if p in self.classes[obj_class]:
-                    ret_set.add(p)
-                elif p == '*':  #pretty sure this can't be negated? eg -*
-                    ret_set |= self.classes[obj_class]  #All of the permissions
-                else:
-                    print "ERROR: invalid permission in avc rule " + p + "\n"
-                    return
-        return ret_set - neg_set
-
-    # expand_types - generates the actual type set based on the listed types,
-    # attributes, wildcards and negation.  self is left as-is, and is processed
-    # specially when generating checkAccess() 4-tuples
-    def expand_types(self, type_set):
-        ret_set = set()
-        neg_set = set()
-        for t in type_set:
-            if t[0] == '-':
-                real_t = t[1:]
-                if real_t in self.attributes:
-                    neg_set |= self.attributes[real_t]
-                elif real_t in self.types:
-                    neg_set.add(real_t)
-                elif real_t == 'self':
-                    ret_set |= real_t
-                else:
-                    print "ERROR: invalid type in avc rule " + real_t + "\nTYPE SET:"
-                    print type_set
-                    return
-            else:
-                if t in self.attributes:
-                     ret_set |= self.attributes[t]
-                elif t in self.types:
-                    ret_set.add(t)
-                elif t == 'self':
-                    ret_set.add(t)
-                elif t == '*':  #pretty sure this can't be negated?
-                     ret_set |= self.types  #All of the types
-                else:
-                    print "ERROR: invalid type in avc rule " + t + "\nTYPE SET"
-                    print type_set
-                    return
-        return ret_set - neg_set
-
-    def parse_multi_line(self, line, line_type, file_obj):
-        if line_type == CLASS:
-            self.process_class_line(line, file_obj)
-        elif line_type == COMMON:
-            self.process_common_line(line, file_obj)
-        elif line_type == ALLOW_RULE:
-            self.process_avc_rule_line(line, file_obj)
-        elif line_type == NEVERALLOW_RULE:
-            self.process_avc_rule_line(line, file_obj)
-        else:
-            print "Error: This is not a multi-line input"
-
-    def parse_single_line(self, line, line_type):
-        if line_type == TYPE:
-            self.process_type_line(line)
-        elif line_type == ATTRIBUTE:
-            self.process_attribute_line(line)
-        elif line_type == TYPEATTRIBUTE:
-            self.process_typeattribute_line(line)
-        return
-
-    def process_attribute_line(self, line):
-        match = re.search(r'^attribute\s+(.+);', line)
-        if match:
-            declared_attribute = match.group(1)
-            self.attributes[declared_attribute] = set()
-        else:
-            #TODO: handle error? (no state changed)
-            return
-
-    def process_class_line(self, line, file_obj):
-        match = re.search(r'^class\s([^\s]+)\s(.*$)', line)
-        if match:
-            declared_class = match.group(1)
-            #first class declaration has no perms
-            if not declared_class in self.classes:
-                self.classes[declared_class] = set()
-                return
-            else:
-                #need to parse file from after class name until end of '{ }'s
-                file_obj.seek(-(len(match.group(2)) + 1), 1)
-                c = advance_past_whitespace(file_obj)
-                if not (c == 'i' or c == '{'):
-                    print "ERROR: invalid class statement"
-                    return
-                elif c == 'i':
-                    #add inherited permissions
-                    inherited = process_inherits_segment(file_obj)
-                    self.classes[declared_class] |= self.common_classes[inherited]
-                    c = advance_past_whitespace(file_obj)
-                if c == '{':
-                    permissions = expand_brackets(file_obj)
-                    permissions = re.sub(r'#[^\n]*\n','\n' , permissions) #get rid of all comments
-                    permissions = permissions.split()
-                    for p in permissions:
-                        self.classes[declared_class].add(p)
-
-    def process_common_line(self, line, file_obj):
-        match = re.search(r'^common\s([^\s]+)(.*$)', line)
-        if match:
-            declared_common_class = match.group(1)
-            #TODO: common classes should only be declared once...
-            if not declared_common_class in self.common_classes:
-                self.common_classes[declared_common_class] = set()
-            #need to parse file from after common_class name until end of '{ }'s
-            file_obj.seek(-(len(match.group(2)) + 1), 1)
-            c = advance_past_whitespace(file_obj)
-            if not c == '{':
-                print "ERROR: invalid common statement"
-                return
-            permissions = expand_brackets(file_obj)
-            permissions = permissions.split()
-            for p in permissions:
-                self.common_classes[declared_common_class].add(p)
-        return
-
-    def process_avc_rule_line(self, line, file_obj):
-        match = re.search(r'^(never)?allow\s(.*$)', line)
-        if match:
-            if(match.group(1)):
-                rule_type = 'neverallow'
-            else:
-                rule_type = 'allow'
-            #need to parse file from after class name until end of '{ }'s
-            file_obj.seek(-(len(match.group(2)) + 1), 1)
-
-            #grab source type(s)
-            source_types = get_avc_rule_component(file_obj)
-            if len(source_types['set']) == 0:
-                print "ERROR: no source types for avc rule at line: " + line
-                return
-
-            #grab target type(s)
-            target_types = get_avc_rule_component(file_obj)
-            if len(target_types['set']) == 0:
-                print "ERROR: no target types for avc rule at line: " + line
-                return
-
-            #skip ':' potentially already handled by advance_until_whitespace
-            c = advance_past_whitespace(file_obj)
-            if c == ':':
-                file_obj.read(1)
-
-            #grab class(es)
-            classes = get_avc_rule_component(file_obj)
-            if len(classes['set']) == 0:
-                print "ERROR: no classes for avc rule at line: " + line
-                return
-
-            #grab permission(s)
-            permissions = get_avc_rule_component(file_obj)
-            if len(permissions['set']) == 0:
-                print "ERROR: no permissions for avc rule at line: " + line
-                return
-            rule_dict = {
-                'source_types': source_types,
-                'target_types': target_types,
-                'classes': classes,
-                'permissions': permissions }
-
-            if rule_type == 'allow':
-                self.allow_rules.append(rule_dict)
-            elif rule_type == 'neverallow':
-                self.neverallow_rules.append(rule_dict)
-
-    def process_type_line(self, line):
-        #TODO: add support for aliases (not yet in current policy.conf)
-        match = re.search(r'^type\s([^,]+),?(.*);', line)
-        if match:
-            declared_type = match.group(1)
-            self.types.add(declared_type)
-            if match.group(2):
-                declared_attributes = match.group(2)
-                declared_attributes = declared_attributes.replace(" ", "") #remove whitespace
-                declared_attributes = declared_attributes.split(',') #separate based on delimiter
-                for a in declared_attributes:
-                    if not a in self.attributes:
-                        #TODO: hanlde error? attribute should already exist
-                        self.attributes[a] = set()
-                    self.attributes[a].add(declared_type)
-        else:
-            #TODO: handle error? (no state changed)
-            return
-
-    def process_typeattribute_line(self, line):
-        match = re.search(r'^typeattribute\s([^\s]+)\s(.*);', line)
-        if match:
-            declared_type = match.group(1)
-            if not declared_type in self.types:
-                #TODO: handle error? type should already exist
-                self.types.add(declared_type)
-            if match.group(2):
-                declared_attributes = match.group(2)
-                declared_attributes = declared_attributes.replace(" ", "") #remove whitespace
-                declared_attributes = declared_attributes.split(',') #separate based on delimiter
-                for a in declared_attributes:
-                    if not a in self.attributes:
-                        #TODO: hanlde error? attribute should already exist
-                        self.attributes[a] = set()
-                    self.attributes[a].add(declared_type)
-            else:
-                return
-        else:
-            #TODO: handle error? (no state changed)
-            return
diff --git a/tools/selinux/src/example_input_policy.conf b/tools/selinux/src/example_input_policy.conf
deleted file mode 100644
index aeef5f8..0000000
--- a/tools/selinux/src/example_input_policy.conf
+++ /dev/null
@@ -1,9850 +0,0 @@
-#line 1 "external/sepolicy/security_classes"
-# FLASK
-
-#
-# Define the security object classes
-#
-
-# Classes marked as userspace are classes
-# for userspace object managers
-
-class security
-class process
-class system
-class capability
-
-# file-related classes
-class filesystem
-class file
-class dir
-class fd
-class lnk_file
-class chr_file
-class blk_file
-class sock_file
-class fifo_file
-
-# network-related classes
-class socket
-class tcp_socket
-class udp_socket
-class rawip_socket
-class node
-class netif
-class netlink_socket
-class packet_socket
-class key_socket
-class unix_stream_socket
-class unix_dgram_socket
-
-# sysv-ipc-related classes
-class sem
-class msg
-class msgq
-class shm
-class ipc
-
-#
-# userspace object manager classes
-#
-
-# passwd/chfn/chsh
-class passwd			# userspace
-
-# SE-X Windows stuff (more classes below)
-class x_drawable		# userspace
-class x_screen			# userspace
-class x_gc			# userspace
-class x_font			# userspace
-class x_colormap		# userspace
-class x_property		# userspace
-class x_selection		# userspace
-class x_cursor			# userspace
-class x_client			# userspace
-class x_device			# userspace
-class x_server			# userspace
-class x_extension		# userspace
-
-# extended netlink sockets
-class netlink_route_socket
-class netlink_firewall_socket
-class netlink_tcpdiag_socket
-class netlink_nflog_socket
-class netlink_xfrm_socket
-class netlink_selinux_socket
-class netlink_audit_socket
-class netlink_ip6fw_socket
-class netlink_dnrt_socket
-
-class dbus			# userspace
-class nscd			# userspace
-
-# IPSec association
-class association
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-
-class appletalk_socket
-
-class packet
-
-# Kernel access key retention
-class key
-
-class context			# userspace
-
-class dccp_socket
-
-class memprotect
-
-class db_database		# userspace
-class db_table			# userspace
-class db_procedure		# userspace
-class db_column			# userspace
-class db_tuple			# userspace
-class db_blob			# userspace
-
-# network peer labels
-class peer
-
-# Capabilities >= 32
-class capability2
-
-# More SE-X Windows stuff
-class x_resource		# userspace
-class x_event			# userspace
-class x_synthetic_event		# userspace
-class x_application_data	# userspace
-
-# kernel services that need to override task security, e.g. cachefiles
-class kernel_service
-
-class tun_socket
-
-# Still More SE-X Windows stuff
-class x_pointer			# userspace
-class x_keyboard		# userspace
-
-# More Database stuff
-class db_schema			# userspace
-class db_view			# userspace
-class db_sequence		# userspace
-class db_language		# userspace
-
-class binder
-class zygote
-
-# Property service
-class property_service          # userspace
-
-# FLASK
-#line 1 "external/sepolicy/initial_sids"
-# FLASK
-
-#
-# Define initial security identifiers
-#
-
-sid kernel
-sid security
-sid unlabeled
-sid fs
-sid file
-sid file_labels
-sid init
-sid any_socket
-sid port
-sid netif
-sid netmsg
-sid node
-sid igmp_packet
-sid icmp_socket
-sid tcp_socket
-sid sysctl_modprobe
-sid sysctl
-sid sysctl_fs
-sid sysctl_kernel
-sid sysctl_net
-sid sysctl_net_unix
-sid sysctl_vm
-sid sysctl_dev
-sid kmod
-sid policy
-sid scmp_packet
-sid devnull
-
-# FLASK
-#line 1 "external/sepolicy/access_vectors"
-#
-# Define common prefixes for access vectors
-#
-# common common_name { permission_name ... }
-
-
-#
-# Define a common prefix for file access vectors.
-#
-
-common file
-{
-	ioctl
-	read
-	write
-	create
-	getattr
-	setattr
-	lock
-	relabelfrom
-	relabelto
-	append
-	unlink
-	link
-	rename
-	execute
-	swapon
-	quotaon
-	mounton
-}
-
-
-#
-# Define a common prefix for socket access vectors.
-#
-
-common socket
-{
-# inherited from file
-	ioctl
-	read
-	write
-	create
-	getattr
-	setattr
-	lock
-	relabelfrom
-	relabelto
-	append
-# socket-specific
-	bind
-	connect
-	listen
-	accept
-	getopt
-	setopt
-	shutdown
-	recvfrom
-	sendto
-	recv_msg
-	send_msg
-	name_bind
-}
-
-#
-# Define a common prefix for ipc access vectors.
-#
-
-common ipc
-{
-	create
-	destroy
-	getattr
-	setattr
-	read
-	write
-	associate
-	unix_read
-	unix_write
-}
-
-#
-#  Define a common prefix for userspace database object access vectors.
-#
-
-common database
-{
-	create
-	drop
-	getattr
-	setattr
-	relabelfrom
-	relabelto
-}
-
-#
-# Define a common prefix for pointer and keyboard access vectors.
-#
-
-common x_device
-{
-	getattr
-	setattr
-	use
-	read
-	write
-	getfocus
-	setfocus
-	bell
-	force_cursor
-	freeze
-	grab
-	manage
-	list_property
-	get_property
-	set_property
-	add
-	remove
-	create
-	destroy
-}
-
-#
-# Define the access vectors.
-#
-# class class_name [ inherits common_name ] { permission_name ... }
-
-
-#
-# Define the access vector interpretation for file-related objects.
-#
-
-class filesystem
-{
-	mount
-	remount
-	unmount
-	getattr
-	relabelfrom
-	relabelto
-	transition
-	associate
-	quotamod
-	quotaget
-}
-
-class dir
-inherits file
-{
-	add_name
-	remove_name
-	reparent
-	search
-	rmdir
-	open
-	audit_access
-	execmod
-}
-
-class file
-inherits file
-{
-	execute_no_trans
-	entrypoint
-	execmod
-	open
-	audit_access
-}
-
-class lnk_file
-inherits file
-{
-	open
-	audit_access
-	execmod
-}
-
-class chr_file
-inherits file
-{
-	execute_no_trans
-	entrypoint
-	execmod
-	open
-	audit_access
-}
-
-class blk_file
-inherits file
-{
-	open
-	audit_access
-	execmod
-}
-
-class sock_file
-inherits file
-{
-	open
-	audit_access
-	execmod
-}
-
-class fifo_file
-inherits file
-{
-	open
-	audit_access
-	execmod
-}
-
-class fd
-{
-	use
-}
-
-
-#
-# Define the access vector interpretation for network-related objects.
-#
-
-class socket
-inherits socket
-
-class tcp_socket
-inherits socket
-{
-	connectto
-	newconn
-	acceptfrom
-	node_bind
-	name_connect
-}
-
-class udp_socket
-inherits socket
-{
-	node_bind
-}
-
-class rawip_socket
-inherits socket
-{
-	node_bind
-}
-
-class node
-{
-	tcp_recv
-	tcp_send
-	udp_recv
-	udp_send
-	rawip_recv
-	rawip_send
-	enforce_dest
-	dccp_recv
-	dccp_send
-	recvfrom
-	sendto
-}
-
-class netif
-{
-	tcp_recv
-	tcp_send
-	udp_recv
-	udp_send
-	rawip_recv
-	rawip_send
-	dccp_recv
-	dccp_send
-	ingress
-	egress
-}
-
-class netlink_socket
-inherits socket
-
-class packet_socket
-inherits socket
-
-class key_socket
-inherits socket
-
-class unix_stream_socket
-inherits socket
-{
-	connectto
-	newconn
-	acceptfrom
-}
-
-class unix_dgram_socket
-inherits socket
-
-#
-# Define the access vector interpretation for process-related objects
-#
-
-class process
-{
-	fork
-	transition
-	sigchld # commonly granted from child to parent
-	sigkill # cannot be caught or ignored
-	sigstop # cannot be caught or ignored
-	signull # for kill(pid, 0)
-	signal  # all other signals
-	ptrace
-	getsched
-	setsched
-	getsession
-	getpgid
-	setpgid
-	getcap
-	setcap
-	share
-	getattr
-	setexec
-	setfscreate
-	noatsecure
-	siginh
-	setrlimit
-	rlimitinh
-	dyntransition
-	setcurrent
-	execmem
-	execstack
-	execheap
-	setkeycreate
-	setsockcreate
-}
-
-
-#
-# Define the access vector interpretation for ipc-related objects
-#
-
-class ipc
-inherits ipc
-
-class sem
-inherits ipc
-
-class msgq
-inherits ipc
-{
-	enqueue
-}
-
-class msg
-{
-	send
-	receive
-}
-
-class shm
-inherits ipc
-{
-	lock
-}
-
-
-#
-# Define the access vector interpretation for the security server.
-#
-
-class security
-{
-	compute_av
-	compute_create
-	compute_member
-	check_context
-	load_policy
-	compute_relabel
-	compute_user
-	setenforce     # was avc_toggle in system class
-	setbool
-	setsecparam
-	setcheckreqprot
-	read_policy
-}
-
-
-#
-# Define the access vector interpretation for system operations.
-#
-
-class system
-{
-	ipc_info
-	syslog_read
-	syslog_mod
-	syslog_console
-	module_request
-}
-
-#
-# Define the access vector interpretation for controling capabilies
-#
-
-class capability
-{
-	# The capabilities are defined in include/linux/capability.h
-	# Capabilities >= 32 are defined in the capability2 class.
-	# Care should be taken to ensure that these are consistent with
-	# those definitions. (Order matters)
-
-	chown
-	dac_override
-	dac_read_search
-	fowner
-	fsetid
-	kill
-	setgid
-	setuid
-	setpcap
-	linux_immutable
-	net_bind_service
-	net_broadcast
-	net_admin
-	net_raw
-	ipc_lock
-	ipc_owner
-	sys_module
-	sys_rawio
-	sys_chroot
-	sys_ptrace
-	sys_pacct
-	sys_admin
-	sys_boot
-	sys_nice
-	sys_resource
-	sys_time
-	sys_tty_config
-	mknod
-	lease
-	audit_write
-	audit_control
-	setfcap
-}
-
-class capability2
-{
-	mac_override	# unused by SELinux
-	mac_admin	# unused by SELinux
-	syslog
-	wake_alarm
-	block_suspend
-}
-
-#
-# Define the access vector interpretation for controlling
-# changes to passwd information.
-#
-class passwd
-{
-	passwd	# change another user passwd
-	chfn	# change another user finger info
-	chsh	# change another user shell
-	rootok  # pam_rootok check (skip auth)
-	crontab # crontab on another user
-}
-
-#
-# SE-X Windows stuff
-#
-class x_drawable
-{
-	create
-	destroy
-	read
-	write
-	blend
-	getattr
-	setattr
-	list_child
-	add_child
-	remove_child
-	list_property
-	get_property
-	set_property
-	manage
-	override
-	show
-	hide
-	send
-	receive
-}
-
-class x_screen
-{
-	getattr
-	setattr
-	hide_cursor
-	show_cursor
-	saver_getattr
-	saver_setattr
-	saver_hide
-	saver_show
-}
-
-class x_gc
-{
-	create
-	destroy
-	getattr
-	setattr
-	use
-}
-
-class x_font
-{
-	create
-	destroy
-	getattr
-	add_glyph
-	remove_glyph
-	use
-}
-
-class x_colormap
-{
-	create
-	destroy
-	read
-	write
-	getattr
-	add_color
-	remove_color
-	install
-	uninstall
-	use
-}
-
-class x_property
-{
-	create
-	destroy
-	read
-	write
-	append
-	getattr
-	setattr
-}
-
-class x_selection
-{
-	read
-	write
-	getattr
-	setattr
-}
-
-class x_cursor
-{
-	create
-	destroy
-	read
-	write
-	getattr
-	setattr
-	use
-}
-
-class x_client
-{
-	destroy
-	getattr
-	setattr
-	manage
-}
-
-class x_device
-inherits x_device
-
-class x_server
-{
-	getattr
-	setattr
-	record
-	debug
-	grab
-	manage
-}
-
-class x_extension
-{
-	query
-	use
-}
-
-class x_resource
-{
-	read
-	write
-}
-
-class x_event
-{
-	send
-	receive
-}
-
-class x_synthetic_event
-{
-	send
-	receive
-}
-
-#
-# Extended Netlink classes
-#
-class netlink_route_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_firewall_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_tcpdiag_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_nflog_socket
-inherits socket
-
-class netlink_xfrm_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_selinux_socket
-inherits socket
-
-class netlink_audit_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-	nlmsg_relay
-	nlmsg_readpriv
-	nlmsg_tty_audit
-}
-
-class netlink_ip6fw_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_dnrt_socket
-inherits socket
-
-# Define the access vector interpretation for controlling
-# access and communication through the D-BUS messaging
-# system.
-#
-class dbus
-{
-	acquire_svc
-	send_msg
-}
-
-# Define the access vector interpretation for controlling
-# access through the name service cache daemon (nscd).
-#
-class nscd
-{
-	getpwd
-	getgrp
-	gethost
-	getstat
-	admin
-	shmempwd
-	shmemgrp
-	shmemhost
-	getserv
-	shmemserv
-}
-
-# Define the access vector interpretation for controlling
-# access to IPSec network data by association
-#
-class association
-{
-	sendto
-	recvfrom
-	setcontext
-	polmatch
-}
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-inherits socket
-
-class appletalk_socket
-inherits socket
-
-class packet
-{
-	send
-	recv
-	relabelto
-	flow_in		# deprecated
-	flow_out	# deprecated
-	forward_in
-	forward_out
-}
-
-class key
-{
-	view
-	read
-	write
-	search
-	link
-	setattr
-	create
-}
-
-class context
-{
-	translate
-	contains
-}
-
-class dccp_socket
-inherits socket
-{
-	node_bind
-	name_connect
-}
-
-class memprotect
-{
-	mmap_zero
-}
-
-class db_database
-inherits database
-{
-	access
-	install_module
-	load_module
-	get_param	# deprecated
-	set_param	# deprecated
-}
-
-class db_table
-inherits database
-{
-	use		# deprecated
-	select
-	update
-	insert
-	delete
-	lock
-}
-
-class db_procedure
-inherits database
-{
-	execute
-	entrypoint
-	install
-}
-
-class db_column
-inherits database
-{
-	use		# deprecated
-	select
-	update
-	insert
-}
-
-class db_tuple
-{
-	relabelfrom
-	relabelto
-	use		# deprecated
-	select
-	update
-	insert
-	delete
-}
-
-class db_blob
-inherits database
-{
-	read
-	write
-	import
-	export
-}
-
-# network peer labels
-class peer
-{
-	recv
-}
-
-class x_application_data
-{
-	paste
-	paste_after_confirm
-	copy
-}
-
-class kernel_service
-{
-	use_as_override
-	create_files_as
-}
-
-class tun_socket
-inherits socket
-
-class x_pointer
-inherits x_device
-
-class x_keyboard
-inherits x_device
-
-class db_schema
-inherits database
-{
-	search
-	add_name
-	remove_name
-}
-
-class db_view
-inherits database
-{
-	expand
-}
-
-class db_sequence
-inherits database
-{
-	get_value
-	next_value
-	set_value
-}
-
-class db_language
-inherits database
-{
-	implement
-	execute
-}
-
-class binder
-{
-	impersonate
-	call
-	set_context_mgr
-	transfer
-}
-
-class zygote
-{
-	specifyids
-	specifyrlimits
-	specifycapabilities
-	specifyinvokewith
-	specifyseinfo
-}
-
-class property_service
-{
-	set
-}
-#line 1 "external/sepolicy/global_macros"
-#####################################
-# Common groupings of object classes.
-#
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-#####################################
-# Common groupings of permissions.
-#
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-#####################################
-# Common socket permission sets.
-
-
-#line 1 "external/sepolicy/mls_macros"
-########################################
-#
-# gen_cats(N)
-#
-# declares categores c0 to c(N-1)
-#
-#line 10
-
-
-
-
-########################################
-#
-# gen_sens(N)
-#
-# declares sensitivites s0 to s(N-1) with dominance
-# in increasing numeric order with s0 lowest, s(N-1) highest
-#
-#line 24
-
-
-
-
-#line 34
-
-
-########################################
-#
-# gen_levels(N,M)
-#
-# levels from s0 to (N-1) with categories c0 to (M-1)
-#
-#line 45
-
-
-
-
-########################################
-#
-# Basic level names for system low and high
-#
-
-
-#line 1 "external/sepolicy/mls"
-#########################################
-# MLS declarations
-#
-
-# Generate the desired number of sensitivities and categories.
-
-#line 6
-# Each sensitivity has a name and zero or more aliases.
-#line 6
-sensitivity s0;
-#line 6
-
-#line 6
-
-#line 6
-# Define the ordering of the sensitivity levels (least to greatest)
-#line 6
-dominance { s0  }
-#line 6
-
-category c0;
-#line 7
-category c1;
-#line 7
-category c2;
-#line 7
-category c3;
-#line 7
-category c4;
-#line 7
-category c5;
-#line 7
-category c6;
-#line 7
-category c7;
-#line 7
-category c8;
-#line 7
-category c9;
-#line 7
-category c10;
-#line 7
-category c11;
-#line 7
-category c12;
-#line 7
-category c13;
-#line 7
-category c14;
-#line 7
-category c15;
-#line 7
-category c16;
-#line 7
-category c17;
-#line 7
-category c18;
-#line 7
-category c19;
-#line 7
-category c20;
-#line 7
-category c21;
-#line 7
-category c22;
-#line 7
-category c23;
-#line 7
-category c24;
-#line 7
-category c25;
-#line 7
-category c26;
-#line 7
-category c27;
-#line 7
-category c28;
-#line 7
-category c29;
-#line 7
-category c30;
-#line 7
-category c31;
-#line 7
-category c32;
-#line 7
-category c33;
-#line 7
-category c34;
-#line 7
-category c35;
-#line 7
-category c36;
-#line 7
-category c37;
-#line 7
-category c38;
-#line 7
-category c39;
-#line 7
-category c40;
-#line 7
-category c41;
-#line 7
-category c42;
-#line 7
-category c43;
-#line 7
-category c44;
-#line 7
-category c45;
-#line 7
-category c46;
-#line 7
-category c47;
-#line 7
-category c48;
-#line 7
-category c49;
-#line 7
-category c50;
-#line 7
-category c51;
-#line 7
-category c52;
-#line 7
-category c53;
-#line 7
-category c54;
-#line 7
-category c55;
-#line 7
-category c56;
-#line 7
-category c57;
-#line 7
-category c58;
-#line 7
-category c59;
-#line 7
-category c60;
-#line 7
-category c61;
-#line 7
-category c62;
-#line 7
-category c63;
-#line 7
-category c64;
-#line 7
-category c65;
-#line 7
-category c66;
-#line 7
-category c67;
-#line 7
-category c68;
-#line 7
-category c69;
-#line 7
-category c70;
-#line 7
-category c71;
-#line 7
-category c72;
-#line 7
-category c73;
-#line 7
-category c74;
-#line 7
-category c75;
-#line 7
-category c76;
-#line 7
-category c77;
-#line 7
-category c78;
-#line 7
-category c79;
-#line 7
-category c80;
-#line 7
-category c81;
-#line 7
-category c82;
-#line 7
-category c83;
-#line 7
-category c84;
-#line 7
-category c85;
-#line 7
-category c86;
-#line 7
-category c87;
-#line 7
-category c88;
-#line 7
-category c89;
-#line 7
-category c90;
-#line 7
-category c91;
-#line 7
-category c92;
-#line 7
-category c93;
-#line 7
-category c94;
-#line 7
-category c95;
-#line 7
-category c96;
-#line 7
-category c97;
-#line 7
-category c98;
-#line 7
-category c99;
-#line 7
-category c100;
-#line 7
-category c101;
-#line 7
-category c102;
-#line 7
-category c103;
-#line 7
-category c104;
-#line 7
-category c105;
-#line 7
-category c106;
-#line 7
-category c107;
-#line 7
-category c108;
-#line 7
-category c109;
-#line 7
-category c110;
-#line 7
-category c111;
-#line 7
-category c112;
-#line 7
-category c113;
-#line 7
-category c114;
-#line 7
-category c115;
-#line 7
-category c116;
-#line 7
-category c117;
-#line 7
-category c118;
-#line 7
-category c119;
-#line 7
-category c120;
-#line 7
-category c121;
-#line 7
-category c122;
-#line 7
-category c123;
-#line 7
-category c124;
-#line 7
-category c125;
-#line 7
-category c126;
-#line 7
-category c127;
-#line 7
-category c128;
-#line 7
-category c129;
-#line 7
-category c130;
-#line 7
-category c131;
-#line 7
-category c132;
-#line 7
-category c133;
-#line 7
-category c134;
-#line 7
-category c135;
-#line 7
-category c136;
-#line 7
-category c137;
-#line 7
-category c138;
-#line 7
-category c139;
-#line 7
-category c140;
-#line 7
-category c141;
-#line 7
-category c142;
-#line 7
-category c143;
-#line 7
-category c144;
-#line 7
-category c145;
-#line 7
-category c146;
-#line 7
-category c147;
-#line 7
-category c148;
-#line 7
-category c149;
-#line 7
-category c150;
-#line 7
-category c151;
-#line 7
-category c152;
-#line 7
-category c153;
-#line 7
-category c154;
-#line 7
-category c155;
-#line 7
-category c156;
-#line 7
-category c157;
-#line 7
-category c158;
-#line 7
-category c159;
-#line 7
-category c160;
-#line 7
-category c161;
-#line 7
-category c162;
-#line 7
-category c163;
-#line 7
-category c164;
-#line 7
-category c165;
-#line 7
-category c166;
-#line 7
-category c167;
-#line 7
-category c168;
-#line 7
-category c169;
-#line 7
-category c170;
-#line 7
-category c171;
-#line 7
-category c172;
-#line 7
-category c173;
-#line 7
-category c174;
-#line 7
-category c175;
-#line 7
-category c176;
-#line 7
-category c177;
-#line 7
-category c178;
-#line 7
-category c179;
-#line 7
-category c180;
-#line 7
-category c181;
-#line 7
-category c182;
-#line 7
-category c183;
-#line 7
-category c184;
-#line 7
-category c185;
-#line 7
-category c186;
-#line 7
-category c187;
-#line 7
-category c188;
-#line 7
-category c189;
-#line 7
-category c190;
-#line 7
-category c191;
-#line 7
-category c192;
-#line 7
-category c193;
-#line 7
-category c194;
-#line 7
-category c195;
-#line 7
-category c196;
-#line 7
-category c197;
-#line 7
-category c198;
-#line 7
-category c199;
-#line 7
-category c200;
-#line 7
-category c201;
-#line 7
-category c202;
-#line 7
-category c203;
-#line 7
-category c204;
-#line 7
-category c205;
-#line 7
-category c206;
-#line 7
-category c207;
-#line 7
-category c208;
-#line 7
-category c209;
-#line 7
-category c210;
-#line 7
-category c211;
-#line 7
-category c212;
-#line 7
-category c213;
-#line 7
-category c214;
-#line 7
-category c215;
-#line 7
-category c216;
-#line 7
-category c217;
-#line 7
-category c218;
-#line 7
-category c219;
-#line 7
-category c220;
-#line 7
-category c221;
-#line 7
-category c222;
-#line 7
-category c223;
-#line 7
-category c224;
-#line 7
-category c225;
-#line 7
-category c226;
-#line 7
-category c227;
-#line 7
-category c228;
-#line 7
-category c229;
-#line 7
-category c230;
-#line 7
-category c231;
-#line 7
-category c232;
-#line 7
-category c233;
-#line 7
-category c234;
-#line 7
-category c235;
-#line 7
-category c236;
-#line 7
-category c237;
-#line 7
-category c238;
-#line 7
-category c239;
-#line 7
-category c240;
-#line 7
-category c241;
-#line 7
-category c242;
-#line 7
-category c243;
-#line 7
-category c244;
-#line 7
-category c245;
-#line 7
-category c246;
-#line 7
-category c247;
-#line 7
-category c248;
-#line 7
-category c249;
-#line 7
-category c250;
-#line 7
-category c251;
-#line 7
-category c252;
-#line 7
-category c253;
-#line 7
-category c254;
-#line 7
-category c255;
-#line 7
-category c256;
-#line 7
-category c257;
-#line 7
-category c258;
-#line 7
-category c259;
-#line 7
-category c260;
-#line 7
-category c261;
-#line 7
-category c262;
-#line 7
-category c263;
-#line 7
-category c264;
-#line 7
-category c265;
-#line 7
-category c266;
-#line 7
-category c267;
-#line 7
-category c268;
-#line 7
-category c269;
-#line 7
-category c270;
-#line 7
-category c271;
-#line 7
-category c272;
-#line 7
-category c273;
-#line 7
-category c274;
-#line 7
-category c275;
-#line 7
-category c276;
-#line 7
-category c277;
-#line 7
-category c278;
-#line 7
-category c279;
-#line 7
-category c280;
-#line 7
-category c281;
-#line 7
-category c282;
-#line 7
-category c283;
-#line 7
-category c284;
-#line 7
-category c285;
-#line 7
-category c286;
-#line 7
-category c287;
-#line 7
-category c288;
-#line 7
-category c289;
-#line 7
-category c290;
-#line 7
-category c291;
-#line 7
-category c292;
-#line 7
-category c293;
-#line 7
-category c294;
-#line 7
-category c295;
-#line 7
-category c296;
-#line 7
-category c297;
-#line 7
-category c298;
-#line 7
-category c299;
-#line 7
-category c300;
-#line 7
-category c301;
-#line 7
-category c302;
-#line 7
-category c303;
-#line 7
-category c304;
-#line 7
-category c305;
-#line 7
-category c306;
-#line 7
-category c307;
-#line 7
-category c308;
-#line 7
-category c309;
-#line 7
-category c310;
-#line 7
-category c311;
-#line 7
-category c312;
-#line 7
-category c313;
-#line 7
-category c314;
-#line 7
-category c315;
-#line 7
-category c316;
-#line 7
-category c317;
-#line 7
-category c318;
-#line 7
-category c319;
-#line 7
-category c320;
-#line 7
-category c321;
-#line 7
-category c322;
-#line 7
-category c323;
-#line 7
-category c324;
-#line 7
-category c325;
-#line 7
-category c326;
-#line 7
-category c327;
-#line 7
-category c328;
-#line 7
-category c329;
-#line 7
-category c330;
-#line 7
-category c331;
-#line 7
-category c332;
-#line 7
-category c333;
-#line 7
-category c334;
-#line 7
-category c335;
-#line 7
-category c336;
-#line 7
-category c337;
-#line 7
-category c338;
-#line 7
-category c339;
-#line 7
-category c340;
-#line 7
-category c341;
-#line 7
-category c342;
-#line 7
-category c343;
-#line 7
-category c344;
-#line 7
-category c345;
-#line 7
-category c346;
-#line 7
-category c347;
-#line 7
-category c348;
-#line 7
-category c349;
-#line 7
-category c350;
-#line 7
-category c351;
-#line 7
-category c352;
-#line 7
-category c353;
-#line 7
-category c354;
-#line 7
-category c355;
-#line 7
-category c356;
-#line 7
-category c357;
-#line 7
-category c358;
-#line 7
-category c359;
-#line 7
-category c360;
-#line 7
-category c361;
-#line 7
-category c362;
-#line 7
-category c363;
-#line 7
-category c364;
-#line 7
-category c365;
-#line 7
-category c366;
-#line 7
-category c367;
-#line 7
-category c368;
-#line 7
-category c369;
-#line 7
-category c370;
-#line 7
-category c371;
-#line 7
-category c372;
-#line 7
-category c373;
-#line 7
-category c374;
-#line 7
-category c375;
-#line 7
-category c376;
-#line 7
-category c377;
-#line 7
-category c378;
-#line 7
-category c379;
-#line 7
-category c380;
-#line 7
-category c381;
-#line 7
-category c382;
-#line 7
-category c383;
-#line 7
-category c384;
-#line 7
-category c385;
-#line 7
-category c386;
-#line 7
-category c387;
-#line 7
-category c388;
-#line 7
-category c389;
-#line 7
-category c390;
-#line 7
-category c391;
-#line 7
-category c392;
-#line 7
-category c393;
-#line 7
-category c394;
-#line 7
-category c395;
-#line 7
-category c396;
-#line 7
-category c397;
-#line 7
-category c398;
-#line 7
-category c399;
-#line 7
-category c400;
-#line 7
-category c401;
-#line 7
-category c402;
-#line 7
-category c403;
-#line 7
-category c404;
-#line 7
-category c405;
-#line 7
-category c406;
-#line 7
-category c407;
-#line 7
-category c408;
-#line 7
-category c409;
-#line 7
-category c410;
-#line 7
-category c411;
-#line 7
-category c412;
-#line 7
-category c413;
-#line 7
-category c414;
-#line 7
-category c415;
-#line 7
-category c416;
-#line 7
-category c417;
-#line 7
-category c418;
-#line 7
-category c419;
-#line 7
-category c420;
-#line 7
-category c421;
-#line 7
-category c422;
-#line 7
-category c423;
-#line 7
-category c424;
-#line 7
-category c425;
-#line 7
-category c426;
-#line 7
-category c427;
-#line 7
-category c428;
-#line 7
-category c429;
-#line 7
-category c430;
-#line 7
-category c431;
-#line 7
-category c432;
-#line 7
-category c433;
-#line 7
-category c434;
-#line 7
-category c435;
-#line 7
-category c436;
-#line 7
-category c437;
-#line 7
-category c438;
-#line 7
-category c439;
-#line 7
-category c440;
-#line 7
-category c441;
-#line 7
-category c442;
-#line 7
-category c443;
-#line 7
-category c444;
-#line 7
-category c445;
-#line 7
-category c446;
-#line 7
-category c447;
-#line 7
-category c448;
-#line 7
-category c449;
-#line 7
-category c450;
-#line 7
-category c451;
-#line 7
-category c452;
-#line 7
-category c453;
-#line 7
-category c454;
-#line 7
-category c455;
-#line 7
-category c456;
-#line 7
-category c457;
-#line 7
-category c458;
-#line 7
-category c459;
-#line 7
-category c460;
-#line 7
-category c461;
-#line 7
-category c462;
-#line 7
-category c463;
-#line 7
-category c464;
-#line 7
-category c465;
-#line 7
-category c466;
-#line 7
-category c467;
-#line 7
-category c468;
-#line 7
-category c469;
-#line 7
-category c470;
-#line 7
-category c471;
-#line 7
-category c472;
-#line 7
-category c473;
-#line 7
-category c474;
-#line 7
-category c475;
-#line 7
-category c476;
-#line 7
-category c477;
-#line 7
-category c478;
-#line 7
-category c479;
-#line 7
-category c480;
-#line 7
-category c481;
-#line 7
-category c482;
-#line 7
-category c483;
-#line 7
-category c484;
-#line 7
-category c485;
-#line 7
-category c486;
-#line 7
-category c487;
-#line 7
-category c488;
-#line 7
-category c489;
-#line 7
-category c490;
-#line 7
-category c491;
-#line 7
-category c492;
-#line 7
-category c493;
-#line 7
-category c494;
-#line 7
-category c495;
-#line 7
-category c496;
-#line 7
-category c497;
-#line 7
-category c498;
-#line 7
-category c499;
-#line 7
-category c500;
-#line 7
-category c501;
-#line 7
-category c502;
-#line 7
-category c503;
-#line 7
-category c504;
-#line 7
-category c505;
-#line 7
-category c506;
-#line 7
-category c507;
-#line 7
-category c508;
-#line 7
-category c509;
-#line 7
-category c510;
-#line 7
-category c511;
-#line 7
-category c512;
-#line 7
-category c513;
-#line 7
-category c514;
-#line 7
-category c515;
-#line 7
-category c516;
-#line 7
-category c517;
-#line 7
-category c518;
-#line 7
-category c519;
-#line 7
-category c520;
-#line 7
-category c521;
-#line 7
-category c522;
-#line 7
-category c523;
-#line 7
-category c524;
-#line 7
-category c525;
-#line 7
-category c526;
-#line 7
-category c527;
-#line 7
-category c528;
-#line 7
-category c529;
-#line 7
-category c530;
-#line 7
-category c531;
-#line 7
-category c532;
-#line 7
-category c533;
-#line 7
-category c534;
-#line 7
-category c535;
-#line 7
-category c536;
-#line 7
-category c537;
-#line 7
-category c538;
-#line 7
-category c539;
-#line 7
-category c540;
-#line 7
-category c541;
-#line 7
-category c542;
-#line 7
-category c543;
-#line 7
-category c544;
-#line 7
-category c545;
-#line 7
-category c546;
-#line 7
-category c547;
-#line 7
-category c548;
-#line 7
-category c549;
-#line 7
-category c550;
-#line 7
-category c551;
-#line 7
-category c552;
-#line 7
-category c553;
-#line 7
-category c554;
-#line 7
-category c555;
-#line 7
-category c556;
-#line 7
-category c557;
-#line 7
-category c558;
-#line 7
-category c559;
-#line 7
-category c560;
-#line 7
-category c561;
-#line 7
-category c562;
-#line 7
-category c563;
-#line 7
-category c564;
-#line 7
-category c565;
-#line 7
-category c566;
-#line 7
-category c567;
-#line 7
-category c568;
-#line 7
-category c569;
-#line 7
-category c570;
-#line 7
-category c571;
-#line 7
-category c572;
-#line 7
-category c573;
-#line 7
-category c574;
-#line 7
-category c575;
-#line 7
-category c576;
-#line 7
-category c577;
-#line 7
-category c578;
-#line 7
-category c579;
-#line 7
-category c580;
-#line 7
-category c581;
-#line 7
-category c582;
-#line 7
-category c583;
-#line 7
-category c584;
-#line 7
-category c585;
-#line 7
-category c586;
-#line 7
-category c587;
-#line 7
-category c588;
-#line 7
-category c589;
-#line 7
-category c590;
-#line 7
-category c591;
-#line 7
-category c592;
-#line 7
-category c593;
-#line 7
-category c594;
-#line 7
-category c595;
-#line 7
-category c596;
-#line 7
-category c597;
-#line 7
-category c598;
-#line 7
-category c599;
-#line 7
-category c600;
-#line 7
-category c601;
-#line 7
-category c602;
-#line 7
-category c603;
-#line 7
-category c604;
-#line 7
-category c605;
-#line 7
-category c606;
-#line 7
-category c607;
-#line 7
-category c608;
-#line 7
-category c609;
-#line 7
-category c610;
-#line 7
-category c611;
-#line 7
-category c612;
-#line 7
-category c613;
-#line 7
-category c614;
-#line 7
-category c615;
-#line 7
-category c616;
-#line 7
-category c617;
-#line 7
-category c618;
-#line 7
-category c619;
-#line 7
-category c620;
-#line 7
-category c621;
-#line 7
-category c622;
-#line 7
-category c623;
-#line 7
-category c624;
-#line 7
-category c625;
-#line 7
-category c626;
-#line 7
-category c627;
-#line 7
-category c628;
-#line 7
-category c629;
-#line 7
-category c630;
-#line 7
-category c631;
-#line 7
-category c632;
-#line 7
-category c633;
-#line 7
-category c634;
-#line 7
-category c635;
-#line 7
-category c636;
-#line 7
-category c637;
-#line 7
-category c638;
-#line 7
-category c639;
-#line 7
-category c640;
-#line 7
-category c641;
-#line 7
-category c642;
-#line 7
-category c643;
-#line 7
-category c644;
-#line 7
-category c645;
-#line 7
-category c646;
-#line 7
-category c647;
-#line 7
-category c648;
-#line 7
-category c649;
-#line 7
-category c650;
-#line 7
-category c651;
-#line 7
-category c652;
-#line 7
-category c653;
-#line 7
-category c654;
-#line 7
-category c655;
-#line 7
-category c656;
-#line 7
-category c657;
-#line 7
-category c658;
-#line 7
-category c659;
-#line 7
-category c660;
-#line 7
-category c661;
-#line 7
-category c662;
-#line 7
-category c663;
-#line 7
-category c664;
-#line 7
-category c665;
-#line 7
-category c666;
-#line 7
-category c667;
-#line 7
-category c668;
-#line 7
-category c669;
-#line 7
-category c670;
-#line 7
-category c671;
-#line 7
-category c672;
-#line 7
-category c673;
-#line 7
-category c674;
-#line 7
-category c675;
-#line 7
-category c676;
-#line 7
-category c677;
-#line 7
-category c678;
-#line 7
-category c679;
-#line 7
-category c680;
-#line 7
-category c681;
-#line 7
-category c682;
-#line 7
-category c683;
-#line 7
-category c684;
-#line 7
-category c685;
-#line 7
-category c686;
-#line 7
-category c687;
-#line 7
-category c688;
-#line 7
-category c689;
-#line 7
-category c690;
-#line 7
-category c691;
-#line 7
-category c692;
-#line 7
-category c693;
-#line 7
-category c694;
-#line 7
-category c695;
-#line 7
-category c696;
-#line 7
-category c697;
-#line 7
-category c698;
-#line 7
-category c699;
-#line 7
-category c700;
-#line 7
-category c701;
-#line 7
-category c702;
-#line 7
-category c703;
-#line 7
-category c704;
-#line 7
-category c705;
-#line 7
-category c706;
-#line 7
-category c707;
-#line 7
-category c708;
-#line 7
-category c709;
-#line 7
-category c710;
-#line 7
-category c711;
-#line 7
-category c712;
-#line 7
-category c713;
-#line 7
-category c714;
-#line 7
-category c715;
-#line 7
-category c716;
-#line 7
-category c717;
-#line 7
-category c718;
-#line 7
-category c719;
-#line 7
-category c720;
-#line 7
-category c721;
-#line 7
-category c722;
-#line 7
-category c723;
-#line 7
-category c724;
-#line 7
-category c725;
-#line 7
-category c726;
-#line 7
-category c727;
-#line 7
-category c728;
-#line 7
-category c729;
-#line 7
-category c730;
-#line 7
-category c731;
-#line 7
-category c732;
-#line 7
-category c733;
-#line 7
-category c734;
-#line 7
-category c735;
-#line 7
-category c736;
-#line 7
-category c737;
-#line 7
-category c738;
-#line 7
-category c739;
-#line 7
-category c740;
-#line 7
-category c741;
-#line 7
-category c742;
-#line 7
-category c743;
-#line 7
-category c744;
-#line 7
-category c745;
-#line 7
-category c746;
-#line 7
-category c747;
-#line 7
-category c748;
-#line 7
-category c749;
-#line 7
-category c750;
-#line 7
-category c751;
-#line 7
-category c752;
-#line 7
-category c753;
-#line 7
-category c754;
-#line 7
-category c755;
-#line 7
-category c756;
-#line 7
-category c757;
-#line 7
-category c758;
-#line 7
-category c759;
-#line 7
-category c760;
-#line 7
-category c761;
-#line 7
-category c762;
-#line 7
-category c763;
-#line 7
-category c764;
-#line 7
-category c765;
-#line 7
-category c766;
-#line 7
-category c767;
-#line 7
-category c768;
-#line 7
-category c769;
-#line 7
-category c770;
-#line 7
-category c771;
-#line 7
-category c772;
-#line 7
-category c773;
-#line 7
-category c774;
-#line 7
-category c775;
-#line 7
-category c776;
-#line 7
-category c777;
-#line 7
-category c778;
-#line 7
-category c779;
-#line 7
-category c780;
-#line 7
-category c781;
-#line 7
-category c782;
-#line 7
-category c783;
-#line 7
-category c784;
-#line 7
-category c785;
-#line 7
-category c786;
-#line 7
-category c787;
-#line 7
-category c788;
-#line 7
-category c789;
-#line 7
-category c790;
-#line 7
-category c791;
-#line 7
-category c792;
-#line 7
-category c793;
-#line 7
-category c794;
-#line 7
-category c795;
-#line 7
-category c796;
-#line 7
-category c797;
-#line 7
-category c798;
-#line 7
-category c799;
-#line 7
-category c800;
-#line 7
-category c801;
-#line 7
-category c802;
-#line 7
-category c803;
-#line 7
-category c804;
-#line 7
-category c805;
-#line 7
-category c806;
-#line 7
-category c807;
-#line 7
-category c808;
-#line 7
-category c809;
-#line 7
-category c810;
-#line 7
-category c811;
-#line 7
-category c812;
-#line 7
-category c813;
-#line 7
-category c814;
-#line 7
-category c815;
-#line 7
-category c816;
-#line 7
-category c817;
-#line 7
-category c818;
-#line 7
-category c819;
-#line 7
-category c820;
-#line 7
-category c821;
-#line 7
-category c822;
-#line 7
-category c823;
-#line 7
-category c824;
-#line 7
-category c825;
-#line 7
-category c826;
-#line 7
-category c827;
-#line 7
-category c828;
-#line 7
-category c829;
-#line 7
-category c830;
-#line 7
-category c831;
-#line 7
-category c832;
-#line 7
-category c833;
-#line 7
-category c834;
-#line 7
-category c835;
-#line 7
-category c836;
-#line 7
-category c837;
-#line 7
-category c838;
-#line 7
-category c839;
-#line 7
-category c840;
-#line 7
-category c841;
-#line 7
-category c842;
-#line 7
-category c843;
-#line 7
-category c844;
-#line 7
-category c845;
-#line 7
-category c846;
-#line 7
-category c847;
-#line 7
-category c848;
-#line 7
-category c849;
-#line 7
-category c850;
-#line 7
-category c851;
-#line 7
-category c852;
-#line 7
-category c853;
-#line 7
-category c854;
-#line 7
-category c855;
-#line 7
-category c856;
-#line 7
-category c857;
-#line 7
-category c858;
-#line 7
-category c859;
-#line 7
-category c860;
-#line 7
-category c861;
-#line 7
-category c862;
-#line 7
-category c863;
-#line 7
-category c864;
-#line 7
-category c865;
-#line 7
-category c866;
-#line 7
-category c867;
-#line 7
-category c868;
-#line 7
-category c869;
-#line 7
-category c870;
-#line 7
-category c871;
-#line 7
-category c872;
-#line 7
-category c873;
-#line 7
-category c874;
-#line 7
-category c875;
-#line 7
-category c876;
-#line 7
-category c877;
-#line 7
-category c878;
-#line 7
-category c879;
-#line 7
-category c880;
-#line 7
-category c881;
-#line 7
-category c882;
-#line 7
-category c883;
-#line 7
-category c884;
-#line 7
-category c885;
-#line 7
-category c886;
-#line 7
-category c887;
-#line 7
-category c888;
-#line 7
-category c889;
-#line 7
-category c890;
-#line 7
-category c891;
-#line 7
-category c892;
-#line 7
-category c893;
-#line 7
-category c894;
-#line 7
-category c895;
-#line 7
-category c896;
-#line 7
-category c897;
-#line 7
-category c898;
-#line 7
-category c899;
-#line 7
-category c900;
-#line 7
-category c901;
-#line 7
-category c902;
-#line 7
-category c903;
-#line 7
-category c904;
-#line 7
-category c905;
-#line 7
-category c906;
-#line 7
-category c907;
-#line 7
-category c908;
-#line 7
-category c909;
-#line 7
-category c910;
-#line 7
-category c911;
-#line 7
-category c912;
-#line 7
-category c913;
-#line 7
-category c914;
-#line 7
-category c915;
-#line 7
-category c916;
-#line 7
-category c917;
-#line 7
-category c918;
-#line 7
-category c919;
-#line 7
-category c920;
-#line 7
-category c921;
-#line 7
-category c922;
-#line 7
-category c923;
-#line 7
-category c924;
-#line 7
-category c925;
-#line 7
-category c926;
-#line 7
-category c927;
-#line 7
-category c928;
-#line 7
-category c929;
-#line 7
-category c930;
-#line 7
-category c931;
-#line 7
-category c932;
-#line 7
-category c933;
-#line 7
-category c934;
-#line 7
-category c935;
-#line 7
-category c936;
-#line 7
-category c937;
-#line 7
-category c938;
-#line 7
-category c939;
-#line 7
-category c940;
-#line 7
-category c941;
-#line 7
-category c942;
-#line 7
-category c943;
-#line 7
-category c944;
-#line 7
-category c945;
-#line 7
-category c946;
-#line 7
-category c947;
-#line 7
-category c948;
-#line 7
-category c949;
-#line 7
-category c950;
-#line 7
-category c951;
-#line 7
-category c952;
-#line 7
-category c953;
-#line 7
-category c954;
-#line 7
-category c955;
-#line 7
-category c956;
-#line 7
-category c957;
-#line 7
-category c958;
-#line 7
-category c959;
-#line 7
-category c960;
-#line 7
-category c961;
-#line 7
-category c962;
-#line 7
-category c963;
-#line 7
-category c964;
-#line 7
-category c965;
-#line 7
-category c966;
-#line 7
-category c967;
-#line 7
-category c968;
-#line 7
-category c969;
-#line 7
-category c970;
-#line 7
-category c971;
-#line 7
-category c972;
-#line 7
-category c973;
-#line 7
-category c974;
-#line 7
-category c975;
-#line 7
-category c976;
-#line 7
-category c977;
-#line 7
-category c978;
-#line 7
-category c979;
-#line 7
-category c980;
-#line 7
-category c981;
-#line 7
-category c982;
-#line 7
-category c983;
-#line 7
-category c984;
-#line 7
-category c985;
-#line 7
-category c986;
-#line 7
-category c987;
-#line 7
-category c988;
-#line 7
-category c989;
-#line 7
-category c990;
-#line 7
-category c991;
-#line 7
-category c992;
-#line 7
-category c993;
-#line 7
-category c994;
-#line 7
-category c995;
-#line 7
-category c996;
-#line 7
-category c997;
-#line 7
-category c998;
-#line 7
-category c999;
-#line 7
-category c1000;
-#line 7
-category c1001;
-#line 7
-category c1002;
-#line 7
-category c1003;
-#line 7
-category c1004;
-#line 7
-category c1005;
-#line 7
-category c1006;
-#line 7
-category c1007;
-#line 7
-category c1008;
-#line 7
-category c1009;
-#line 7
-category c1010;
-#line 7
-category c1011;
-#line 7
-category c1012;
-#line 7
-category c1013;
-#line 7
-category c1014;
-#line 7
-category c1015;
-#line 7
-category c1016;
-#line 7
-category c1017;
-#line 7
-category c1018;
-#line 7
-category c1019;
-#line 7
-category c1020;
-#line 7
-category c1021;
-#line 7
-category c1022;
-#line 7
-category c1023;
-#line 7
-
-
-# Generate level definitions for each sensitivity and category.
-level s0:c0.c1023;
-#line 10
-
-
-
-#################################################
-# MLS policy constraints
-#
-
-#
-# Process constraints
-#
-
-# Process transition:  Require equivalence unless the subject is trusted.
-mlsconstrain process { transition dyntransition }
-	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
-
-# Process read operations: No read up unless trusted.
-mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
-	     (l1 dom l2 or t1 == mlstrustedsubject);
-
-# Process write operations:  No write down unless trusted.
-mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
-	     (l1 domby l2 or t1 == mlstrustedsubject);
-
-#
-# Socket constraints
-#
-
-# Create/relabel operations:  Subject must be equivalent to object unless
-# the subject is trusted.  Sockets inherit the range of their creator.
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket } { create relabelfrom relabelto }
-	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
-
-# Datagram send: Sender must be dominated by receiver unless one of them is
-# trusted.
-mlsconstrain unix_dgram_socket { sendto }
-	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
-
-# Stream connect:  Client must be equivalent to server unless one of them
-# is trusted.
-mlsconstrain unix_stream_socket { connectto }
-	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
-
-#
-# Directory/file constraints
-#
-
-# Create/relabel operations:  Subject must be equivalent to object unless
-# the subject is trusted. Also, files should always be single-level.
-# Do NOT exempt mlstrustedobject types from this constraint.
-mlsconstrain { dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create relabelfrom relabelto }
-	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
-
-#
-# Constraints for app data files only.
-#
-
-# Only constrain open, not read/write.
-# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
-# Subject must be equivalent to object unless the subject is trusted.
-mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
-	     (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
-mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
-	     (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
-
-#
-# Constraints for file types other than app data files.
-#
-
-# Read operations: Subject must dominate object unless the subject
-# or the object is trusted.
-mlsconstrain dir { read getattr search }
-	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
-	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-# Write operations: Subject must be dominated by the object unless the
-# subject or the object is trusted.
-mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
-	     (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
-	     (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-# Special case for FIFOs.
-# These can be unnamed pipes, in which case they will be labeled with the
-# creating process' label. Thus we also have an exemption when the "object"
-# is a MLS trusted subject and can receive data at any level.
-mlsconstrain fifo_file { read getattr }
-	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
-
-mlsconstrain fifo_file { write setattr append unlink link rename }
-	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
-
-#
-# IPC constraints
-#
-
-# Create/destroy: equivalence or trusted.
-mlsconstrain { sem msgq shm ipc } { create destroy }
-	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
-
-# Read ops: No read up unless trusted.
-mlsconstrain { sem msgq shm ipc } { getattr read associate unix_read }
-	     (l1 dom l2 or t1 == mlstrustedsubject);
-
-# Write ops: No write down unless trusted.
-mlsconstrain { sem msgq shm ipc } { write unix_write }
-	     (l1 domby l2 or t1 == mlstrustedsubject);
-
-#
-# Binder IPC constraints
-#
-# Presently commented out, as apps are expected to call one another.
-# This would only make sense if apps were assigned categories
-# based on allowable communications rather than per-app categories.
-#mlsconstrain binder call
-#	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
-#line 1 "external/sepolicy/policy_capabilities"
-# Enable new networking controls.
-policycap network_peer_controls;
-
-# Enable open permission check.
-policycap open_perms;
-#line 1 "external/sepolicy/te_macros"
-#####################################
-# domain_trans(olddomain, type, newdomain)
-# Allow a transition from olddomain to newdomain
-# upon executing a file labeled with type.
-# This only allows the transition; it does not
-# cause it to occur automatically - use domain_auto_trans
-# if that is what you want.
-#
-#line 21
-
-
-#####################################
-# domain_auto_trans(olddomain, type, newdomain)
-# Automatically transition from olddomain to newdomain
-# upon executing a file labeled with type.
-#
-#line 33
-
-
-#####################################
-# file_type_trans(domain, dir_type, file_type)
-# Allow domain to create a file labeled file_type in a
-# directory labeled dir_type.
-# This only allows the transition; it does not
-# cause it to occur automatically - use file_type_auto_trans
-# if that is what you want.
-#
-#line 49
-
-
-#####################################
-# file_type_auto_trans(domain, dir_type, file_type)
-# Automatically label new files with file_type when
-# they are created by domain in directories labeled dir_type.
-#
-#line 62
-
-
-#####################################
-# r_dir_file(domain, type)
-# Allow the specified domain to read directories, files
-# and symbolic links of the specified type.
-#line 71
-
-
-#####################################
-# unconfined_domain(domain)
-# Allow the specified domain to perform more privileged operations
-# than would be typically allowed. Please see the comments at the
-# top of unconfined.te.
-#
-#line 82
-
-
-#####################################
-# tmpfs_domain(domain)
-# Define and allow access to a unique type for
-# this domain when creating tmpfs / shmem / ashmem files.
-#line 92
-
-
-#####################################
-# init_daemon_domain(domain)
-# Set up a transition from init to the daemon domain
-# upon executing its binary.
-#line 101
-
-
-#####################################
-# app_domain(domain)
-# Allow a base set of permissions required for all apps.
-#line 112
-
-
-#####################################
-# relabelto_domain(domain)
-# Allows this domain to use the relabelto permission
-#line 119
-
-
-#####################################
-# platform_app_domain(domain)
-# Allow permissions specific to platform apps.
-#line 127
-
-
-#####################################
-# net_domain(domain)
-# Allow a base set of permissions required for network access.
-#line 134
-
-
-#####################################
-# bluetooth_domain(domain)
-# Allow a base set of permissions required for bluetooth access.
-#line 141
-
-
-#####################################
-# unix_socket_connect(clientdomain, socket, serverdomain)
-# Allow a local socket connection from clientdomain via
-# socket to serverdomain.
-#line 150
-
-
-#####################################
-# unix_socket_send(clientdomain, socket, serverdomain)
-# Allow a local socket send from clientdomain via
-# socket to serverdomain.
-#line 159
-
-
-#####################################
-# binder_use(domain)
-# Allow domain to use Binder IPC.
-#line 169
-
-
-#####################################
-# binder_call(clientdomain, serverdomain)
-# Allow clientdomain to perform binder IPC to serverdomain.
-#line 181
-
-
-#####################################
-# binder_service(domain)
-# Mark a domain as being a Binder service domain.
-# Used to allow binder IPC to the various system services.
-#line 189
-
-
-#####################################
-# selinux_check_access(domain)
-# Allow domain to check SELinux permissions via selinuxfs.
-#line 199
-
-
-#####################################
-# selinux_check_context(domain)
-# Allow domain to check SELinux contexts via selinuxfs.
-#line 208
-
-
-#####################################
-# selinux_getenforce(domain)
-# Allow domain to check whether SELinux is enforcing.
-#line 216
-
-
-#####################################
-# selinux_setenforce(domain)
-# Allow domain to set SELinux to enforcing.
-#line 225
-
-
-#####################################
-# selinux_setbool(domain)
-# Allow domain to set SELinux booleans.
-#line 234
-
-
-#####################################
-# security_access_policy(domain)
-# Read only access to all policy files and
-# selinuxfs
-#line 248
-
-
-#####################################
-# selinux_manage_policy(domain)
-# Ability to manage policy files and
-# trigger runtime reload.
-#line 261
-
-
-#####################################
-# mmac_manage_policy(domain)
-# Ability to manage mmac policy files,
-# trigger runtime reload, change
-# mmac enforcing mode and access logcat.
-#line 274
-
-
-#####################################
-# access_kmsg(domain)
-# Ability to read from kernel logs
-# and execute the klogctl syscall
-# in a non destructive manner. See
-# man 2 klogctl
-#line 284
-
-
-#####################################
-# write_klog(domain)
-# Ability to write to kernel log via
-# klog_write()
-# See system/core/libcutil/klog.c
-#line 295
-
-
-#####################################
-# create_pty(domain)
-# Allow domain to create and use a pty, isolated from any other domain ptys.
-#line 309
-
-
-#####################################
-# Non system_app application set
-#
-
-
-#####################################
-# Userdebug or eng builds
-# SELinux rules which apply only to userdebug or eng builds
-#
-
-
-#####################################
-# permissive_or_unconfined
-# Returns "permissive $1" if FORCE_PERMISSIVE_TO_UNCONFINED is false,
-# and "unconfined($1)" otherwise.
-#
-# This is used for experimental domains, where we want to ensure
-# the domain is unconfined+enforcing once new SELinux policy development
-# has ceased.
-#
-
-
-#####################################
-# write_logd(domain)
-# Ability to write to android log
-# daemon via sockets
-#line 345
-
-
-#####################################
-# read_logd(domain)
-# Ability to read from android
-# log daemon via sockets
-#line 353
-
-
-#####################################
-# control_logd(domain)
-# Ability to control
-# android log daemon via sockets
-#line 363
-
-#line 1 "external/sepolicy/attributes"
-######################################
-# Attribute declarations
-#
-
-# All types used for devices.
-attribute dev_type;
-
-# All types used for processes.
-attribute domain;
-
-# All types used for filesystems.
-attribute fs_type;
-
-# All types used for files that can exist on a labeled fs.
-# Do not use for pseudo file types.
-attribute file_type;
-
-# All types used for domain entry points.
-attribute exec_type;
-
-# All types used for /data files.
-attribute data_file_type;
-
-# All types use for sysfs files.
-attribute sysfs_type;
-
-# Attribute used for all sdcards
-attribute sdcard_type;
-
-# All types used for nodes/hosts.
-attribute node_type;
-
-# All types used for network interfaces.
-attribute netif_type;
-
-# All types used for network ports.
-attribute port_type;
-
-# All types used for property service
-attribute property_type;
-
-# All domains that can override MLS restrictions.
-# i.e. processes that can read up and write down.
-attribute mlstrustedsubject;
-
-# All types that can override MLS restrictions.
-# i.e. files that can be read by lower and written by higher
-attribute mlstrustedobject;
-
-# Domains that are allowed all permissions ("unconfined").
-attribute unconfineddomain;
-
-# All domains used for shells.
-attribute shelldomain;
-
-# All domains used for apps.
-attribute appdomain;
-
-# All domains used for apps with network access.
-attribute netdomain;
-
-# All domains used for apps with bluetooth access.
-attribute bluetoothdomain;
-
-# All domains used for binder service domains.
-attribute binderservicedomain;
-
-# Allow domains used for platform (signed by build key) apps.
-attribute platformappdomain;
-
-# All domains which are allowed the "relabelto" permission
-attribute relabeltodomain;
-#line 1 "external/sepolicy/adbd.te"
-# adbd seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type adbd, domain;
-
-#line 7
-
-
-
-#line 9
-# Allow the necessary permissions.
-#line 9
-
-#line 9
-# Old domain may exec the file and transition to the new domain.
-#line 9
-allow adbd shell_exec:file { getattr open read execute };
-#line 9
-allow adbd shell:process transition;
-#line 9
-# New domain is entered by executing the file.
-#line 9
-allow shell shell_exec:file { entrypoint read execute };
-#line 9
-# New domain can send SIGCHLD to its caller.
-#line 9
-allow shell adbd:process sigchld;
-#line 9
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 9
-dontaudit adbd shell:process noatsecure;
-#line 9
-# XXX dontaudit candidate but requires further study.
-#line 9
-allow adbd shell:process { siginh rlimitinh };
-#line 9
-
-#line 9
-# Make the transition occur by default.
-#line 9
-type_transition adbd shell_exec:process shell;
-#line 9
-
-# this is an entrypoint
-allow adbd rootfs:file entrypoint;
-
-# Do not sanitize the environment or open fds of the shell.
-allow adbd shell:process noatsecure;
-
-# Set UID and GID to shell.  Set supplementary groups.
-allow adbd self:capability { setuid setgid };
-
-# Drop capabilities from bounding set on user builds.
-allow adbd self:capability setpcap;
-
-# Create and use network sockets.
-
-#line 23
-typeattribute adbd netdomain;
-#line 23
-
-
-# Access /dev/android_adb.
-allow adbd adb_device:chr_file { { getattr open read ioctl lock } { open append write } };
-
-# On emulator, access /dev/qemu*.
-allow adbd qemu_device:chr_file { { getattr open read ioctl lock } { open append write } };
-
-# Use a pseudo tty.
-allow adbd devpts:chr_file { { getattr open read ioctl lock } { open append write } };
-
-# adb push/pull /data/local/tmp.
-allow adbd shell_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
-allow adbd shell_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-
-# adb push/pull sdcard.
-allow adbd sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow adbd sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-
-# Set service.adb.*, sys.powerctl properties.
-
-#line 43
-allow adbd property_socket:sock_file write;
-#line 43
-allow adbd init:unix_stream_socket connectto;
-#line 43
-
-allow adbd shell_prop:property_service set;
-allow adbd powerctl_prop:property_service set;
-
-# XXX Run /system/bin/vdc to connect to vold.  Run in a separate domain?
-# Also covers running /system/bin/bu.
-allow adbd system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
-
-#line 50
-allow adbd vold_socket:sock_file write;
-#line 50
-allow adbd vold:unix_stream_socket connectto;
-#line 50
-
-
-# Perform binder IPC to surfaceflinger (screencap)
-# XXX Run screencap in a separate domain?
-
-#line 54
-# Call the servicemanager and transfer references to it.
-#line 54
-allow adbd servicemanager:binder { call transfer };
-#line 54
-# rw access to /dev/binder and /dev/ashmem is presently granted to
-#line 54
-# all domains in domain.te.
-#line 54
-
-
-#line 55
-# Call the server domain and optionally transfer references to it.
-#line 55
-allow adbd surfaceflinger:binder { call transfer };
-#line 55
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 55
-allow surfaceflinger adbd:binder transfer;
-#line 55
-# Receive and use open files from the server.
-#line 55
-allow adbd surfaceflinger:fd use;
-#line 55
-
-
-# Read /data/misc/adb/adb_keys.
-allow adbd adb_keys_file:dir search;
-allow adbd adb_keys_file:file { getattr open read ioctl lock };
-
-# Allow access in case /data/misc/adb still has the old type.
-allow adbd system_data_file:dir search;
-allow adbd system_data_file:file { getattr open read ioctl lock };
-
-# ndk-gdb invokes adb forward to forward the gdbserver socket.
-allow adbd app_data_file:dir search;
-allow adbd app_data_file:sock_file write;
-allow adbd appdomain:unix_stream_socket connectto;
-
-# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
-allow adbd zygote_exec:file { getattr open read ioctl lock };
-allow adbd system_file:file { getattr open read ioctl lock };
-#line 1 "external/sepolicy/app.te"
-###
-### Domain for all zygote spawned apps
-###
-### This file is the base policy for all zygote spawned apps.
-### Other policy files, such as isolated_app.te, untrusted_app.te, etc
-### extend from this policy. Only policies which should apply to ALL
-### zygote spawned apps should be added here.
-###
-
-# Dalvik Compiler JIT Mapping.
-allow appdomain self:process execmem;
-allow appdomain ashmem_device:chr_file execute;
-
-# Allow apps to connect to the keystore
-
-#line 15
-allow appdomain keystore_socket:sock_file write;
-#line 15
-allow appdomain keystore:unix_stream_socket connectto;
-#line 15
-
-
-# Receive and use open file descriptors inherited from zygote.
-allow appdomain zygote:fd use;
-
-# gdbserver for ndk-gdb reads the zygote.
-allow appdomain zygote_exec:file { getattr open read ioctl lock };
-
-# gdbserver for ndk-gdb ptrace attaches to app process.
-allow appdomain self:process ptrace;
-
-# Read system properties managed by zygote.
-allow appdomain zygote_tmpfs:file read;
-
-# Notify zygote of death;
-allow appdomain zygote:process sigchld;
-
-# Notify shell and adbd of death when spawned via runas for ndk-gdb.
-allow appdomain shell:process sigchld;
-allow appdomain adbd:process sigchld;
-
-# child shell or gdbserver pty access for runas.
-allow appdomain devpts:chr_file { getattr read write ioctl };
-
-# Communicate with system_server.
-allow appdomain system_server:fifo_file { { getattr open read ioctl lock } { open append write } };
-allow appdomain system_server:unix_stream_socket { read write setopt };
-
-#line 42
-# Call the server domain and optionally transfer references to it.
-#line 42
-allow appdomain system_server:binder { call transfer };
-#line 42
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 42
-allow system_server appdomain:binder transfer;
-#line 42
-# Receive and use open files from the server.
-#line 42
-allow appdomain system_server:fd use;
-#line 42
-
-
-# Communication with other apps via fifos
-allow appdomain appdomain:fifo_file { { getattr open read ioctl lock } { open append write } };
-
-# Communicate with surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
-
-#line 49
-# Call the server domain and optionally transfer references to it.
-#line 49
-allow appdomain surfaceflinger:binder { call transfer };
-#line 49
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 49
-allow surfaceflinger appdomain:binder transfer;
-#line 49
-# Receive and use open files from the server.
-#line 49
-allow appdomain surfaceflinger:fd use;
-#line 49
-
-
-# App sandbox file accesses.
-allow appdomain app_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow appdomain app_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-
-# Read/write data files created by the platform apps if they
-# were passed to the app via binder or local IPC.  Do not allow open.
-allow appdomain platform_app_data_file:file { getattr read write };
-
-# lib subdirectory of /data/data dir is system-owned.
-allow appdomain system_data_file:dir { open getattr read search ioctl };
-allow appdomain system_data_file:file { execute execute_no_trans open };
-
-# Execute the shell or other system executables.
-allow appdomain shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
-allow appdomain system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
-
-# Read/write wallpaper file (opened by system).
-allow appdomain wallpaper_file:file { getattr read write };
-
-# Write to /data/anr/traces.txt.
-allow appdomain anr_data_file:dir search;
-allow appdomain anr_data_file:file { open append };
-
-# Allow apps to send dump information to dumpstate
-allow appdomain dumpstate:fd use;
-allow appdomain dumpstate:unix_stream_socket { read write getopt getattr };
-allow appdomain shell_data_file:file { write getattr };
-
-# Write to /proc/net/xt_qtaguid/ctrl file.
-allow appdomain qtaguid_proc:file { { getattr open read ioctl lock } { open append write } };
-# Everybody can read the xt_qtaguid resource tracking misc dev.
-# So allow all apps to read from /dev/xt_qtaguid.
-allow appdomain qtaguid_device:chr_file { getattr open read ioctl lock };
-
-# Grant GPU access to all processes started by Zygote.
-# They need that to render the standard UI.
-allow appdomain gpu_device:chr_file { { { getattr open read ioctl lock } { open append write } } execute };
-
-# Use the Binder.
-
-#line 90
-# Call the servicemanager and transfer references to it.
-#line 90
-allow appdomain servicemanager:binder { call transfer };
-#line 90
-# rw access to /dev/binder and /dev/ashmem is presently granted to
-#line 90
-# all domains in domain.te.
-#line 90
-
-# Perform binder IPC to binder services.
-
-#line 92
-# Call the server domain and optionally transfer references to it.
-#line 92
-allow appdomain binderservicedomain:binder { call transfer };
-#line 92
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 92
-allow binderservicedomain appdomain:binder transfer;
-#line 92
-# Receive and use open files from the server.
-#line 92
-allow appdomain binderservicedomain:fd use;
-#line 92
-
-# Perform binder IPC to other apps.
-
-#line 94
-# Call the server domain and optionally transfer references to it.
-#line 94
-allow appdomain appdomain:binder { call transfer };
-#line 94
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 94
-allow appdomain appdomain:binder transfer;
-#line 94
-# Receive and use open files from the server.
-#line 94
-allow appdomain appdomain:fd use;
-#line 94
-
-
-# Appdomain interaction with isolated apps
-
-#line 97
-allow appdomain isolated_app:dir { open getattr read search ioctl };
-#line 97
-allow appdomain isolated_app:{ file lnk_file } { getattr open read ioctl lock };
-#line 97
-
-
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow appdomain isolated_app:unix_stream_socket { read write };
-
-# Backup ability for every app. BMS opens and passes the fd
-# to any app that has backup ability. Hence, no open permissions here.
-allow appdomain backup_data_file:file { read write getattr };
-allow appdomain cache_backup_file:file { read write getattr };
-# Backup ability using 'adb backup'
-allow appdomain system_data_file:lnk_file getattr;
-
-# Allow all applications to read downloaded files
-allow appdomain download_file:dir search;
-allow appdomain download_file:file { getattr open read ioctl lock };
-
-# Allow applications to communicate with netd via /dev/socket/dnsproxyd
-# to do DNS resolution
-
-#line 118
-allow appdomain dnsproxyd_socket:sock_file write;
-#line 118
-allow appdomain netd:unix_stream_socket connectto;
-#line 118
-
-
-# Allow applications to communicate with drmserver over binder
-
-#line 121
-# Call the server domain and optionally transfer references to it.
-#line 121
-allow appdomain drmserver:binder { call transfer };
-#line 121
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 121
-allow drmserver appdomain:binder transfer;
-#line 121
-# Receive and use open files from the server.
-#line 121
-allow appdomain drmserver:fd use;
-#line 121
-
-
-# Allow applications to communicate with mediaserver over binder
-
-#line 124
-# Call the server domain and optionally transfer references to it.
-#line 124
-allow appdomain mediaserver:binder { call transfer };
-#line 124
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 124
-allow mediaserver appdomain:binder transfer;
-#line 124
-# Receive and use open files from the server.
-#line 124
-allow appdomain mediaserver:fd use;
-#line 124
-
-
-# Allow applications to make outbound tcp connections to any port
-allow appdomain port_type:tcp_socket name_connect;
-
-# Allow apps to see changes to the routing table.
-allow appdomain self:netlink_route_socket {
-    read
-    bind
-    create
-    nlmsg_read
-    ioctl
-    getattr
-    setattr
-    getopt
-    setopt
-    shutdown
-};
-
-# Allow apps to use rawip sockets. This is needed for apps which execute
-# /system/bin/ping, for example.
-allow appdomain self:rawip_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
-
-# Allow apps to use the USB Accessory interface.
-# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
-#
-# USB devices are first opened by the system server (USBDeviceManagerService)
-# and the file descriptor is passed to the right Activity via binder.
-allow appdomain usb_device:chr_file { read write getattr ioctl };
-allow appdomain usbaccessory_device:chr_file { read write getattr };
-
-# For art.
-allow appdomain dalvikcache_data_file:file execute;
-
-# For legacy unlabeled userdata on existing devices.
-# See discussion of Unlabeled files in domain.te for more information.
-allow appdomain unlabeled:file { getattr execute execute_no_trans };
-
-###
-### CTS-specific rules
-###
-
-# For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java.
-# Reads /proc/pid/status and statm entries to check that
-# no unexpected root processes are running.
-# Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java
-# Reads /proc/pid/cmdline of vold.
-allow appdomain domain:dir { open read search getattr };
-allow appdomain domain:{ file lnk_file } { open read getattr };
-
-# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
-# testRunAsHasCorrectCapabilities
-allow appdomain runas_exec:file getattr;
-# Others are either allowed elsewhere or not desired.
-
-# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
-# Check SELinux policy and contexts.
-
-#line 181
-allow appdomain selinuxfs:dir { open getattr read search ioctl };
-#line 181
-allow appdomain selinuxfs:file { { getattr open read ioctl lock } { open append write } };
-#line 181
-allow appdomain kernel:security compute_av;
-#line 181
-allow appdomain self:netlink_selinux_socket *;
-#line 181
-
-
-#line 182
-allow appdomain selinuxfs:dir { open getattr read search ioctl };
-#line 182
-allow appdomain selinuxfs:file { { getattr open read ioctl lock } { open append write } };
-#line 182
-allow appdomain kernel:security check_context;
-#line 182
-
-# Validate that each process is running in the correct security context.
-allow appdomain domain:process getattr;
-
-# logd access
-
-#line 187
-
-#line 187
-allow appdomain logdr_socket:sock_file write;
-#line 187
-allow appdomain logd:unix_stream_socket connectto;
-#line 187
-
-#line 187
-
-# application inherit logd write socket (urge is to deprecate this long term)
-allow appdomain zygote:unix_dgram_socket write;
-
-###
-### Neverallow rules
-###
-### These are things that Android apps should NEVER be able to do
-###
-
-# Superuser capabilities.
-# bluetooth requires net_admin.
-neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
-neverallow { appdomain -unconfineddomain } self:capability2 *;
-
-# Block device access.
-neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };
-
-# Access to any of the following character devices.
-neverallow { appdomain -unconfineddomain } {
-    audio_device
-    camera_device
-    dm_device
-    radio_device
-    gps_device
-    rpmsg_device
-}:chr_file { read write };
-
-# Note: Try expanding list of app domains in the future.
-neverallow { untrusted_app isolated_app shell -unconfineddomain }
-    graphics_device:chr_file { read write };
-
-neverallow { appdomain -nfc -unconfineddomain } nfc_device:chr_file
-    { read write };
-neverallow { appdomain -bluetooth -unconfineddomain } hci_attach_dev:chr_file
-    { read write };
-neverallow { appdomain -unconfineddomain } tee_device:chr_file { read write };
-
-# Set SELinux enforcing mode, booleans or any other SELinux settings.
-neverallow { appdomain -unconfineddomain } kernel:security
-    { setenforce setbool setsecparam setcheckreqprot };
-
-# Load security policy.
-neverallow appdomain kernel:security load_policy;
-
-# Privileged netlink socket interfaces.
-neverallow { appdomain -unconfineddomain }
-    self:{
-        netlink_socket
-        netlink_firewall_socket
-        netlink_tcpdiag_socket
-        netlink_nflog_socket
-        netlink_xfrm_socket
-        netlink_audit_socket
-        netlink_ip6fw_socket
-        netlink_dnrt_socket
-        netlink_kobject_uevent_socket
-    } *;
-
-# Sockets under /dev/socket that are not specifically typed.
-neverallow { appdomain -unconfineddomain } socket_device:sock_file write;
-
-# Unix domain sockets.
-neverallow { appdomain -unconfineddomain } adbd_socket:sock_file write;
-neverallow { appdomain -unconfineddomain } installd_socket:sock_file write;
-neverallow { appdomain -bluetooth -radio -shell -system_app -unconfineddomain }
-    property_socket:sock_file write;
-neverallow { appdomain -radio -unconfineddomain } rild_socket:sock_file write;
-neverallow { appdomain -unconfineddomain } vold_socket:sock_file write;
-neverallow { appdomain -unconfineddomain } zygote_socket:sock_file write;
-
-# ptrace access to non-app domains.
-neverallow { appdomain -unconfineddomain } { domain -appdomain }:process ptrace;
-
-# Write access to /proc/pid entries for any non-app domain.
-neverallow { appdomain -unconfineddomain } { domain -appdomain }:file write;
-
-# signal access to non-app domains.
-# sigchld allowed for parent death notification.
-# signull allowed for kill(pid, 0) existence test.
-# All others prohibited.
-neverallow { appdomain -unconfineddomain } { domain -appdomain }:process
-    { sigkill sigstop signal };
-
-# Transition to a non-app domain.
-# Exception for the shell domain, can transition to runas, etc.
-neverallow { appdomain -shell -unconfineddomain } ~appdomain:process
-    { transition dyntransition };
-
-# Map low memory.
-# Note: Take to domain.te and apply to all domains in the future.
-neverallow { appdomain -unconfineddomain } self:memprotect mmap_zero;
-
-# Write to rootfs.
-neverallow { appdomain -unconfineddomain } rootfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
-    { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to /system.
-neverallow { appdomain -unconfineddomain } system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
-    { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to entrypoint executables.
-neverallow { appdomain -unconfineddomain } exec_type:file
-    { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to system-owned parts of /data.
-# This is the default type for anything under /data not otherwise
-# specified in file_contexts.  Define a different type for portions
-# that should be writable by apps.
-# Exception for system_app for Settings.
-neverallow { appdomain -unconfineddomain -system_app }
-    system_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
-    { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to various other parts of /data.
-neverallow { appdomain -system_app -unconfineddomain }
-    security_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -unconfineddomain } drm_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -unconfineddomain } gps_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app -unconfineddomain }
-    apk_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app -unconfineddomain }
-    apk_tmp_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app -unconfineddomain }
-    apk_private_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app -unconfineddomain }
-    apk_private_tmp_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -shell -unconfineddomain }
-    shell_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
-    { create setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -bluetooth -unconfineddomain }
-    bluetooth_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -unconfineddomain }
-    keystore_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -unconfineddomain }
-    systemkeys_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -unconfineddomain }
-    wifi_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -unconfineddomain }
-    dhcp_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
-    { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Access to factory files.
-neverallow { appdomain -unconfineddomain }
-    efs_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { read write };
-
-# Write to various pseudo file systems.
-neverallow { appdomain -bluetooth -nfc -unconfineddomain }
-    sysfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
-neverallow { appdomain -unconfineddomain }
-    proc:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
-
-# Access to syslog(2) or /proc/kmsg.
-neverallow { appdomain -system_app -unconfineddomain }
-    kernel:system { syslog_read syslog_mod syslog_console };
-
-# Ability to perform any filesystem operation other than statfs(2).
-# i.e. no mount(2), unmount(2), etc.
-neverallow { appdomain -unconfineddomain } fs_type:filesystem ~getattr;
-
-# Ability to set system properties.
-neverallow { appdomain -system_app -radio -shell -bluetooth -unconfineddomain }
-    property_type:property_service set;
-#line 1 "external/sepolicy/binderservicedomain.te"
-# Rules common to all binder service domains
-
-# Allow dumpstate to collect information from binder services
-allow binderservicedomain dumpstate:fd use;
-allow binderservicedomain dumpstate:unix_stream_socket { read write getopt getattr };
-allow binderservicedomain shell_data_file:file { getattr write };
-
-# Allow dumpsys to work from adb shell
-allow binderservicedomain devpts:chr_file { { getattr open read ioctl lock } { open append write } };
-#line 1 "external/sepolicy/bluetooth.te"
-# bluetooth subsystem
-type bluetooth, domain;
-
-#line 3
-typeattribute bluetooth appdomain;
-#line 3
-# Label ashmem objects with our own unique type.
-#line 3
-
-#line 3
-type bluetooth_tmpfs, file_type;
-#line 3
-type_transition bluetooth tmpfs:file bluetooth_tmpfs;
-#line 3
-allow bluetooth bluetooth_tmpfs:file { read write };
-#line 3
-
-#line 3
-# Map with PROT_EXEC.
-#line 3
-allow bluetooth bluetooth_tmpfs:file execute;
-#line 3
-
-
-# Data file accesses.
-allow bluetooth bluetooth_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow bluetooth bluetooth_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-
-# Socket creation under /data/misc/bluedroid.
-type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
-allow bluetooth bluetooth_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-
-# bluetooth factory file accesses.
-
-#line 14
-allow bluetooth bluetooth_efs_file:dir { open getattr read search ioctl };
-#line 14
-allow bluetooth bluetooth_efs_file:{ file lnk_file } { getattr open read ioctl lock };
-#line 14
-
-
-# Device accesses.
-allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file { { getattr open read ioctl lock } { open append write } };
-
-# Other domains that can create and use bluetooth sockets.
-# SELinux does not presently define a specific socket class for
-# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
-allow bluetoothdomain self:socket *;
-
-# sysfs access.
-allow bluetooth sysfs_bluetooth_writable:file { { getattr open read ioctl lock } { open append write } };
-allow bluetooth self:capability net_admin;
-
-# Allow clients to use a socket provided by the bluetooth app.
-allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };
-
-# tethering
-allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
-allow bluetooth efs_file:dir search;
-
-# Talk to init over the property socket.
-
-#line 36
-allow bluetooth property_socket:sock_file write;
-#line 36
-allow bluetooth init:unix_stream_socket connectto;
-#line 36
-
-
-# proc access.
-allow bluetooth proc_bluetooth_writable:file { { getattr open read ioctl lock } { open append write } };
-
-# bluetooth file transfers
-allow bluetooth sdcard_internal:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow bluetooth sdcard_internal:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-
-# Allow reading of media_rw_data_file file descriptors
-# passed to bluetooth
-allow bluetooth media_rw_data_file:file { read getattr };
-
-# Allow write access to bluetooth specific properties
-allow bluetooth bluetooth_prop:property_service set;
-
-###
-### Neverallow rules
-###
-### These are things that the bluetooth app should NEVER be able to do
-###
-
-# Superuser capabilities.
-# bluetooth requires net_admin.
-neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;
-#line 1 "external/sepolicy/bootanim.te"
-# bootanimation oneshot service
-type bootanim, domain;
-type bootanim_exec, exec_type, file_type;
-
-
-#line 5
-
-#line 5
-# Allow the necessary permissions.
-#line 5
-
-#line 5
-# Old domain may exec the file and transition to the new domain.
-#line 5
-allow init bootanim_exec:file { getattr open read execute };
-#line 5
-allow init bootanim:process transition;
-#line 5
-# New domain is entered by executing the file.
-#line 5
-allow bootanim bootanim_exec:file { entrypoint read execute };
-#line 5
-# New domain can send SIGCHLD to its caller.
-#line 5
-allow bootanim init:process sigchld;
-#line 5
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 5
-dontaudit init bootanim:process noatsecure;
-#line 5
-# XXX dontaudit candidate but requires further study.
-#line 5
-allow init bootanim:process { siginh rlimitinh };
-#line 5
-
-#line 5
-# Make the transition occur by default.
-#line 5
-type_transition init bootanim_exec:process bootanim;
-#line 5
-
-#line 5
-
-#line 5
-type bootanim_tmpfs, file_type;
-#line 5
-type_transition bootanim tmpfs:file bootanim_tmpfs;
-#line 5
-allow bootanim bootanim_tmpfs:file { read write };
-#line 5
-
-#line 5
-
-
-
-#line 7
-# Call the servicemanager and transfer references to it.
-#line 7
-allow bootanim servicemanager:binder { call transfer };
-#line 7
-# rw access to /dev/binder and /dev/ashmem is presently granted to
-#line 7
-# all domains in domain.te.
-#line 7
-
-
-#line 8
-# Call the server domain and optionally transfer references to it.
-#line 8
-allow bootanim surfaceflinger:binder { call transfer };
-#line 8
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 8
-allow surfaceflinger bootanim:binder transfer;
-#line 8
-# Receive and use open files from the server.
-#line 8
-allow bootanim surfaceflinger:fd use;
-#line 8
-
-
-allow bootanim gpu_device:chr_file { { getattr open read ioctl lock } { open append write } };
-#line 1 "external/sepolicy/clatd.te"
-# 464xlat daemon
-type clatd, domain;
-
-#line 3
-typeattribute clatd mlstrustedsubject;
-#line 3
-typeattribute clatd unconfineddomain;
-#line 3
-
-type clatd_exec, exec_type, file_type;
-
-
-#line 6
-
-#line 6
-# Allow the necessary permissions.
-#line 6
-
-#line 6
-# Old domain may exec the file and transition to the new domain.
-#line 6
-allow init clatd_exec:file { getattr open read execute };
-#line 6
-allow init clatd:process transition;
-#line 6
-# New domain is entered by executing the file.
-#line 6
-allow clatd clatd_exec:file { entrypoint read execute };
-#line 6
-# New domain can send SIGCHLD to its caller.
-#line 6
-allow clatd init:process sigchld;
-#line 6
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 6
-dontaudit init clatd:process noatsecure;
-#line 6
-# XXX dontaudit candidate but requires further study.
-#line 6
-allow init clatd:process { siginh rlimitinh };
-#line 6
-
-#line 6
-# Make the transition occur by default.
-#line 6
-type_transition init clatd_exec:process clatd;
-#line 6
-
-#line 6
-
-#line 6
-type clatd_tmpfs, file_type;
-#line 6
-type_transition clatd tmpfs:file clatd_tmpfs;
-#line 6
-allow clatd clatd_tmpfs:file { read write };
-#line 6
-
-#line 6
-
-
-#line 7
-typeattribute clatd netdomain;
-#line 7
-
-#line 1 "external/sepolicy/debuggerd.te"
-# debugger interface
-type debuggerd, domain;
-type debuggerd_exec, exec_type, file_type;
-
-
-#line 5
-
-#line 5
-# Allow the necessary permissions.
-#line 5
-
-#line 5
-# Old domain may exec the file and transition to the new domain.
-#line 5
-allow init debuggerd_exec:file { getattr open read execute };
-#line 5
-allow init debuggerd:process transition;
-#line 5
-# New domain is entered by executing the file.
-#line 5
-allow debuggerd debuggerd_exec:file { entrypoint read execute };
-#line 5
-# New domain can send SIGCHLD to its caller.
-#line 5
-allow debuggerd init:process sigchld;
-#line 5
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 5
-dontaudit init debuggerd:process noatsecure;
-#line 5
-# XXX dontaudit candidate but requires further study.
-#line 5
-allow init debuggerd:process { siginh rlimitinh };
-#line 5
-
-#line 5
-# Make the transition occur by default.
-#line 5
-type_transition init debuggerd_exec:process debuggerd;
-#line 5
-
-#line 5
-
-#line 5
-type debuggerd_tmpfs, file_type;
-#line 5
-type_transition debuggerd tmpfs:file debuggerd_tmpfs;
-#line 5
-allow debuggerd debuggerd_tmpfs:file { read write };
-#line 5
-
-#line 5
-
-typeattribute debuggerd mlstrustedsubject;
-allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner };
-allow debuggerd self:capability2 { syslog };
-allow debuggerd domain:dir { open getattr read search ioctl };
-allow debuggerd domain:file { getattr open read ioctl lock };
-allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd }:process ptrace;
-
-#line 12
-allow debuggerd security_file:dir { open getattr read search ioctl };
-#line 12
-allow debuggerd security_file:file { getattr open read ioctl lock };
-#line 12
-allow debuggerd security_file:lnk_file { getattr open read ioctl lock };
-#line 12
-allow debuggerd selinuxfs:dir { open getattr read search ioctl };
-#line 12
-allow debuggerd selinuxfs:file { getattr open read ioctl lock };
-#line 12
-allow debuggerd rootfs:dir { open getattr read search ioctl };
-#line 12
-allow debuggerd rootfs:file { getattr open read ioctl lock };
-#line 12
-
-allow debuggerd system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow debuggerd system_data_file:dir relabelfrom;
-
-#line 15
-typeattribute debuggerd relabeltodomain;
-#line 15
-
-allow debuggerd tombstone_data_file:dir relabelto;
-allow debuggerd tombstone_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow debuggerd tombstone_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-allow debuggerd domain:process { sigstop signal };
-allow debuggerd exec_type:file { getattr open read ioctl lock };
-# Access app library
-allow debuggerd system_data_file:file open;
-
-# Connect to system_server via /data/system/ndebugsocket.
-
-#line 25
-allow debuggerd system_ndebug_socket:sock_file write;
-#line 25
-allow debuggerd system_server:unix_stream_socket connectto;
-#line 25
-
-
-#line 30
-
-
-# logd access
-
-#line 33
-
-#line 33
-allow debuggerd logdr_socket:sock_file write;
-#line 33
-allow debuggerd logd:unix_stream_socket connectto;
-#line 33
-
-#line 33
-
-#line 1 "external/sepolicy/device.te"
-# Device types
-type device, dev_type, fs_type;
-type alarm_device, dev_type, mlstrustedobject;
-type adb_device, dev_type;
-type ashmem_device, dev_type, mlstrustedobject;
-type audio_device, dev_type;
-type binder_device, dev_type, mlstrustedobject;
-type block_device, dev_type;
-type camera_device, dev_type;
-type dm_device, dev_type;
-type loop_device, dev_type;
-type radio_device, dev_type;
-type ram_device, dev_type;
-type console_device, dev_type;
-type cpuctl_device, dev_type;
-type fscklogs, dev_type;
-type full_device, dev_type;
-# GPU (used by most UI apps)
-type gpu_device, dev_type, mlstrustedobject;
-type graphics_device, dev_type;
-type hw_random_device, dev_type;
-type input_device, dev_type;
-type kmem_device, dev_type;
-type log_device, dev_type, mlstrustedobject;
-type mtd_device, dev_type;
-type mtp_device, dev_type, mlstrustedobject;
-type nfc_device, dev_type;
-type ptmx_device, dev_type, mlstrustedobject;
-type qemu_device, dev_type;
-type kmsg_device, dev_type;
-type null_device, dev_type, mlstrustedobject;
-type random_device, dev_type;
-type sensors_device, dev_type;
-type serial_device, dev_type;
-type socket_device, dev_type;
-type owntty_device, dev_type, mlstrustedobject;
-type tty_device, dev_type;
-type urandom_device, dev_type;
-type video_device, dev_type;
-type vcs_device, dev_type;
-type zero_device, dev_type;
-type fuse_device, dev_type;
-type iio_device, dev_type;
-type ion_device, dev_type, mlstrustedobject;
-type gps_device, dev_type;
-type qtaguid_device, dev_type;
-type watchdog_device, dev_type;
-type uhid_device, dev_type;
-type tun_device, dev_type, mlstrustedobject;
-type usbaccessory_device, dev_type;
-type usb_device, dev_type;
-type klog_device, dev_type;
-type properties_device, dev_type;
-
-# All devices have a uart for the hci
-# attach service. The uart dev node
-# varies per device. This type
-# is used in per device policy
-type hci_attach_dev, dev_type;
-
-# All devices have a rpmsg device for
-# achieving remoteproc and rpmsg modules
-type rpmsg_device, dev_type;
-
-# Partition layout block device
-type root_block_device, dev_type;
-#line 1 "external/sepolicy/dhcp.te"
-type dhcp, domain;
-
-#line 2
-typeattribute dhcp mlstrustedsubject;
-#line 2
-typeattribute dhcp unconfineddomain;
-#line 2
-
-type dhcp_exec, exec_type, file_type;
-type dhcp_data_file, file_type, data_file_type;
-
-
-#line 6
-
-#line 6
-# Allow the necessary permissions.
-#line 6
-
-#line 6
-# Old domain may exec the file and transition to the new domain.
-#line 6
-allow init dhcp_exec:file { getattr open read execute };
-#line 6
-allow init dhcp:process transition;
-#line 6
-# New domain is entered by executing the file.
-#line 6
-allow dhcp dhcp_exec:file { entrypoint read execute };
-#line 6
-# New domain can send SIGCHLD to its caller.
-#line 6
-allow dhcp init:process sigchld;
-#line 6
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 6
-dontaudit init dhcp:process noatsecure;
-#line 6
-# XXX dontaudit candidate but requires further study.
-#line 6
-allow init dhcp:process { siginh rlimitinh };
-#line 6
-
-#line 6
-# Make the transition occur by default.
-#line 6
-type_transition init dhcp_exec:process dhcp;
-#line 6
-
-#line 6
-
-#line 6
-type dhcp_tmpfs, file_type;
-#line 6
-type_transition dhcp tmpfs:file dhcp_tmpfs;
-#line 6
-allow dhcp dhcp_tmpfs:file { read write };
-#line 6
-
-#line 6
-
-
-#line 7
-typeattribute dhcp netdomain;
-#line 7
-
-
-allow dhcp cgroup:dir { create write add_name };
-allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
-allow dhcp self:packet_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
-allow dhcp self:netlink_route_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_write };
-allow dhcp self:rawip_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
-allow dhcp shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
-allow dhcp system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
-# For /proc/sys/net/ipv4/conf/*/promote_secondaries
-allow dhcp proc_net:file write;
-allow dhcp system_prop:property_service set ;
-
-#line 19
-allow dhcp property_socket:sock_file write;
-#line 19
-allow dhcp init:unix_stream_socket connectto;
-#line 19
-
-allow dhcp owntty_device:chr_file { { getattr open read ioctl lock } { open append write } };
-
-type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
-allow dhcp dhcp_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow dhcp dhcp_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-
-# PAN connections
-allow dhcp netd:fd use;
-allow dhcp netd:fifo_file { { getattr open read ioctl lock } { open append write } };
-allow dhcp netd:{ { udp_socket unix_dgram_socket } unix_stream_socket } { read write };
-allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
-#line 1 "external/sepolicy/dnsmasq.te"
-# DNS, DHCP services
-type dnsmasq, domain;
-
-#line 3
-typeattribute dnsmasq mlstrustedsubject;
-#line 3
-typeattribute dnsmasq unconfineddomain;
-#line 3
-
-type dnsmasq_exec, exec_type, file_type;
-
-allow dnsmasq self:capability { net_bind_service setgid setuid };
-allow dnsmasq self:tcp_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
-
-allow dnsmasq dhcp_data_file:dir { open search write add_name remove_name };
-allow dnsmasq dhcp_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-allow dnsmasq port:tcp_socket name_bind;
-allow dnsmasq node:tcp_socket node_bind;
-#line 1 "external/sepolicy/domain.te"
-# Rules for all domains.
-
-# Allow reaping by init.
-allow domain init:process sigchld;
-
-# Read access to properties mapping.
-allow domain kernel:fd use;
-allow domain tmpfs:file { read getattr };
-
-# Search /storage/emulated tmpfs mount.
-allow domain tmpfs:dir { open getattr read search ioctl };
-
-# Intra-domain accesses.
-allow domain self:process ~{ execmem execstack execheap ptrace };
-allow domain self:fd use;
-allow domain self:dir { open getattr read search ioctl };
-allow domain self:lnk_file { getattr open read ioctl lock };
-allow domain self:{ fifo_file file } { { getattr open read ioctl lock } { open append write } };
-allow domain self:{ unix_dgram_socket unix_stream_socket } *;
-
-# Inherit or receive open files from others.
-allow domain init:fd use;
-allow domain system_server:fd use;
-
-# Connect to adbd and use a socket transferred from it.
-# This is used for e.g. adb backup/restore.
-allow domain adbd:unix_stream_socket connectto;
-allow domain adbd:fd use;
-allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };
-
-#line 43
-
-
-###
-### Talk to debuggerd.
-###
-allow domain debuggerd:process sigchld;
-allow domain debuggerd:unix_stream_socket connectto;
-
-# Root fs.
-allow domain rootfs:dir { open getattr read search ioctl };
-allow domain rootfs:file { getattr open read ioctl lock };
-allow domain rootfs:lnk_file { getattr open read ioctl lock };
-
-# Device accesses.
-allow domain device:dir search;
-allow domain dev_type:lnk_file { getattr open read ioctl lock };
-allow domain devpts:dir search;
-allow domain device:file read;
-allow domain socket_device:dir search;
-allow domain owntty_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow domain null_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow domain zero_device:chr_file { getattr open read ioctl lock };
-allow domain ashmem_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow domain binder_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow domain ptmx_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow domain log_device:dir search;
-allow domain log_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow domain alarm_device:chr_file { getattr open read ioctl lock };
-allow domain urandom_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow domain random_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow domain properties_device:file { getattr open read ioctl lock };
-
-# logd access
-
-#line 76
-
-#line 76
-
-#line 76
-allow domain logdw_socket:sock_file write;
-#line 76
-allow domain logd:unix_dgram_socket sendto;
-#line 76
-
-#line 76
-
-
-# Filesystem accesses.
-allow domain fs_type:filesystem getattr;
-allow domain fs_type:dir getattr;
-
-# System file accesses.
-allow domain system_file:dir { open getattr read search ioctl };
-allow domain system_file:file { getattr open read ioctl lock };
-allow domain system_file:file execute;
-allow domain system_file:lnk_file { getattr open read ioctl lock };
-
-# Read files already opened under /data.
-allow domain system_data_file:dir { search getattr };
-allow domain system_data_file:file { getattr read };
-allow domain system_data_file:lnk_file { getattr open read ioctl lock };
-
-# Read apk files under /data/app.
-allow domain apk_data_file:dir { getattr search };
-allow domain apk_data_file:file { getattr open read ioctl lock };
-
-# Read /data/dalvik-cache.
-allow domain dalvikcache_data_file:dir { search getattr };
-allow domain dalvikcache_data_file:file { getattr open read ioctl lock };
-
-# Read already opened /cache files.
-allow domain cache_file:dir { open getattr read search ioctl };
-allow domain cache_file:file { getattr read };
-allow domain cache_file:lnk_file { getattr open read ioctl lock };
-
-# Read timezone related information
-
-#line 107
-allow domain zoneinfo_data_file:dir { open getattr read search ioctl };
-#line 107
-allow domain zoneinfo_data_file:{ file lnk_file } { getattr open read ioctl lock };
-#line 107
-
-
-# For /acct/uid/*/tasks.
-allow domain cgroup:dir { search write };
-allow domain cgroup:file { open append write };
-
-#Allow access to ion memory allocation device
-allow domain ion_device:chr_file { { getattr open read ioctl lock } { open append write } };
-
-# Read access to pseudo filesystems.
-
-#line 117
-allow domain proc:dir { open getattr read search ioctl };
-#line 117
-allow domain proc:{ file lnk_file } { getattr open read ioctl lock };
-#line 117
-
-
-#line 118
-allow domain sysfs:dir { open getattr read search ioctl };
-#line 118
-allow domain sysfs:{ file lnk_file } { getattr open read ioctl lock };
-#line 118
-
-
-#line 119
-allow domain sysfs_devices_system_cpu:dir { open getattr read search ioctl };
-#line 119
-allow domain sysfs_devices_system_cpu:{ file lnk_file } { getattr open read ioctl lock };
-#line 119
-
-
-#line 120
-allow domain inotify:dir { open getattr read search ioctl };
-#line 120
-allow domain inotify:{ file lnk_file } { getattr open read ioctl lock };
-#line 120
-
-
-#line 121
-allow domain cgroup:dir { open getattr read search ioctl };
-#line 121
-allow domain cgroup:{ file lnk_file } { getattr open read ioctl lock };
-#line 121
-
-
-#line 122
-allow domain proc_net:dir { open getattr read search ioctl };
-#line 122
-allow domain proc_net:{ file lnk_file } { getattr open read ioctl lock };
-#line 122
-
-
-# debugfs access
-allow domain debugfs:dir { open getattr read search ioctl };
-allow domain debugfs:file { open append write };
-
-# Get SELinux enforcing status.
-
-#line 129
-allow domain selinuxfs:dir { open getattr read search ioctl };
-#line 129
-allow domain selinuxfs:file { getattr open read ioctl lock };
-#line 129
-
-
-# security files
-allow domain security_file:dir { search getattr };
-allow domain security_file:file getattr;
-
-# World readable asec image contents
-allow domain asec_public_file:file { getattr open read ioctl lock };
-allow domain { asec_public_file asec_apk_file }:dir { open getattr read search ioctl };
-
-######## Backwards compatibility - Unlabeled files ############
-
-# Revert to DAC rules when looking at unlabeled files. Over time, the number
-# of unlabeled files should decrease.
-# TODO: delete these rules in the future.
-#
-# Note on relabelfrom: We allow any app relabelfrom, but without the relabelto
-# capability, it's essentially useless. This is needed to allow an app with
-# relabelto to relabel unlabeled files.
-#
-allow domain unlabeled:{ file lnk_file sock_file fifo_file } { { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } } relabelfrom };
-allow domain unlabeled:dir { { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } relabelfrom };
-neverallow { domain -relabeltodomain } *:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;
-
-###
-### neverallow rules
-###
-
-# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
-neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
-
-# Limit device node creation and raw I/O to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability { sys_rawio mknod };
-
-# No domain needs mac_override as it is unused by SELinux.
-neverallow domain self:capability2 mac_override;
-
-# Only recovery needs mac_admin to set contexts not defined in current policy.
-neverallow { domain -recovery } self:capability2 mac_admin;
-
-# Only init should be able to load SELinux policies.
-# The first load technically occurs while still in the kernel domain,
-# but this does not trigger a denial since there is no policy yet.
-# Policy reload requires allowing this to the init domain.
-neverallow { domain -init } kernel:security load_policy;
-
-# Only init prior to switching context should be able to set enforcing mode.
-# init starts in kernel domain and switches to init domain via setcon in
-# the init.rc, so the setenforce occurs while still in kernel. After
-# switching domains, there is never any need to setenforce again by init.
-neverallow { domain -kernel } kernel:security { setenforce setcheckreqprot };
-
-# Only init, ueventd and system_server should be able to access HW RNG
-neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
-
-# Ensure that all entrypoint executables are in exec_type.
-neverallow domain { file_type -exec_type }:file entrypoint;
-
-# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
-neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
-neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };
-
-# Only init should be able to configure kernel usermodehelpers or
-# security-sensitive proc settings.
-neverallow { domain -init } usermodehelper:file { append write };
-neverallow { domain -init } proc_security:file { append write };
-
-# No domain should be allowed to ptrace init.
-neverallow domain init:process ptrace;
-
-# Init can't receive binder calls. If this neverallow rule is being
-# triggered, it's probably due to a service with no SELinux domain.
-neverallow domain init:binder call;
-
-# Don't allow raw read/write/open access to block_device
-# Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };
-
-# Don't allow raw read/write/open access to generic devices.
-# Rather force a relabel to a more specific type.
-# ueventd is exempt from this, as its managing these devices.
-neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write };
-
-# Limit what domains can mount filesystems or change their mount flags.
-# sdcard_type / vfat is exempt as a larger set of domains need
-# this capability, including device-specific domains.
-neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-#line 1 "external/sepolicy/drmserver.te"
-# drmserver - DRM service
-type drmserver, domain;
-type drmserver_exec, exec_type, file_type;
-
-
-#line 5
-
-#line 5
-# Allow the necessary permissions.
-#line 5
-
-#line 5
-# Old domain may exec the file and transition to the new domain.
-#line 5
-allow init drmserver_exec:file { getattr open read execute };
-#line 5
-allow init drmserver:process transition;
-#line 5
-# New domain is entered by executing the file.
-#line 5
-allow drmserver drmserver_exec:file { entrypoint read execute };
-#line 5
-# New domain can send SIGCHLD to its caller.
-#line 5
-allow drmserver init:process sigchld;
-#line 5
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 5
-dontaudit init drmserver:process noatsecure;
-#line 5
-# XXX dontaudit candidate but requires further study.
-#line 5
-allow init drmserver:process { siginh rlimitinh };
-#line 5
-
-#line 5
-# Make the transition occur by default.
-#line 5
-type_transition init drmserver_exec:process drmserver;
-#line 5
-
-#line 5
-
-#line 5
-type drmserver_tmpfs, file_type;
-#line 5
-type_transition drmserver tmpfs:file drmserver_tmpfs;
-#line 5
-allow drmserver drmserver_tmpfs:file { read write };
-#line 5
-
-#line 5
-
-typeattribute drmserver mlstrustedsubject;
-
-# Perform Binder IPC to system server.
-
-#line 9
-# Call the servicemanager and transfer references to it.
-#line 9
-allow drmserver servicemanager:binder { call transfer };
-#line 9
-# rw access to /dev/binder and /dev/ashmem is presently granted to
-#line 9
-# all domains in domain.te.
-#line 9
-
-
-#line 10
-# Call the server domain and optionally transfer references to it.
-#line 10
-allow drmserver system_server:binder { call transfer };
-#line 10
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 10
-allow system_server drmserver:binder transfer;
-#line 10
-# Receive and use open files from the server.
-#line 10
-allow drmserver system_server:fd use;
-#line 10
-
-
-#line 11
-# Call the server domain and optionally transfer references to it.
-#line 11
-allow drmserver appdomain:binder { call transfer };
-#line 11
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 11
-allow appdomain drmserver:binder transfer;
-#line 11
-# Receive and use open files from the server.
-#line 11
-allow drmserver appdomain:fd use;
-#line 11
-
-
-#line 12
-typeattribute drmserver binderservicedomain;
-#line 12
-
-
-# Perform Binder IPC to mediaserver
-
-#line 15
-# Call the server domain and optionally transfer references to it.
-#line 15
-allow drmserver mediaserver:binder { call transfer };
-#line 15
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 15
-allow mediaserver drmserver:binder transfer;
-#line 15
-# Receive and use open files from the server.
-#line 15
-allow drmserver mediaserver:fd use;
-#line 15
-
-
-allow drmserver sdcard_type:dir search;
-allow drmserver drm_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow drmserver drm_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-allow drmserver self:{ tcp_socket udp_socket } *;
-allow drmserver port:tcp_socket name_connect;
-allow drmserver tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow drmserver platform_app_data_file:file { read write getattr };
-allow drmserver app_data_file:file { read write getattr };
-allow drmserver sdcard_type:file { read write getattr };
-
-#line 26
-allow drmserver efs_file:dir { open getattr read search ioctl };
-#line 26
-allow drmserver efs_file:{ file lnk_file } { getattr open read ioctl lock };
-#line 26
-
-
-type drmserver_socket, file_type;
-
-# /data/app/tlcd_sock socket file.
-# Clearly, /data/app is the most logical place to create a socket.  Not.
-allow drmserver apk_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
-type_transition drmserver apk_data_file:sock_file drmserver_socket;
-allow drmserver drmserver_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-allow drmserver tee:unix_stream_socket connectto;
-# Delete old socket file if present.
-allow drmserver apk_data_file:sock_file unlink;
-
-# After taking a video, drmserver looks at the video file.
-
-#line 40
-allow drmserver media_rw_data_file:dir { open getattr read search ioctl };
-#line 40
-allow drmserver media_rw_data_file:{ file lnk_file } { getattr open read ioctl lock };
-#line 40
-
-#line 1 "external/sepolicy/dumpstate.te"
-# dumpstate
-type dumpstate, domain;
-
-#line 3
-typeattribute dumpstate mlstrustedsubject;
-#line 3
-typeattribute dumpstate unconfineddomain;
-#line 3
-
-type dumpstate_exec, exec_type, file_type;
-
-
-#line 6
-
-#line 6
-# Allow the necessary permissions.
-#line 6
-
-#line 6
-# Old domain may exec the file and transition to the new domain.
-#line 6
-allow init dumpstate_exec:file { getattr open read execute };
-#line 6
-allow init dumpstate:process transition;
-#line 6
-# New domain is entered by executing the file.
-#line 6
-allow dumpstate dumpstate_exec:file { entrypoint read execute };
-#line 6
-# New domain can send SIGCHLD to its caller.
-#line 6
-allow dumpstate init:process sigchld;
-#line 6
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 6
-dontaudit init dumpstate:process noatsecure;
-#line 6
-# XXX dontaudit candidate but requires further study.
-#line 6
-allow init dumpstate:process { siginh rlimitinh };
-#line 6
-
-#line 6
-# Make the transition occur by default.
-#line 6
-type_transition init dumpstate_exec:process dumpstate;
-#line 6
-
-#line 6
-
-#line 6
-type dumpstate_tmpfs, file_type;
-#line 6
-type_transition dumpstate tmpfs:file dumpstate_tmpfs;
-#line 6
-allow dumpstate dumpstate_tmpfs:file { read write };
-#line 6
-
-#line 6
-
-
-#line 7
-typeattribute dumpstate netdomain;
-#line 7
-
-
-#line 8
-typeattribute dumpstate relabeltodomain;
-#line 8
-
-
-#line 9
-# Call the servicemanager and transfer references to it.
-#line 9
-allow dumpstate servicemanager:binder { call transfer };
-#line 9
-# rw access to /dev/binder and /dev/ashmem is presently granted to
-#line 9
-# all domains in domain.te.
-#line 9
-
-
-# Drop privileges by switching UID / GID
-allow dumpstate self:capability { setuid setgid };
-
-# Allow dumpstate to scan through /proc/pid for all processes
-
-#line 15
-allow dumpstate domain:dir { open getattr read search ioctl };
-#line 15
-allow dumpstate domain:{ file lnk_file } { getattr open read ioctl lock };
-#line 15
-
-
-# Send signals to processes
-allow dumpstate self:capability kill;
-
-# Allow executing files on system, such as:
-#   /system/bin/toolbox
-#   /system/bin/logcat
-#   /system/bin/dumpsys
-allow dumpstate system_file:file execute_no_trans;
-
-# Create and write into /data/anr/
-allow dumpstate self:capability { dac_override chown fowner fsetid };
-allow dumpstate anr_data_file:dir { { { open getattr read search ioctl } { open search write add_name remove_name } } relabelto };
-allow dumpstate anr_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-allow dumpstate system_data_file:dir { { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } relabelfrom };
-
-# Allow reading /data/system/uiderrors.txt
-# TODO: scope this down.
-allow dumpstate system_data_file:file { getattr open read ioctl lock };
-
-# Read dmesg
-allow dumpstate self:capability2 syslog;
-allow dumpstate kernel:system syslog_read;
-
-# Get process attributes
-allow dumpstate domain:process getattr;
-
-# Signal java processes to dump their stack
-allow dumpstate { appdomain system_server }:process signal;
-
-# Signal native processes to dump their stack.
-# This list comes from native_processes_to_dump in dumpstate/utils.c
-allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal;
-
-# The /system/bin/ip command needs this for routing table information.
-allow dumpstate self:netlink_route_socket { write getattr setopt };
-
-# The vdc command needs to talk to the vold socket.
-
-#line 54
-allow dumpstate vold_socket:sock_file write;
-#line 54
-allow dumpstate vold:unix_stream_socket connectto;
-#line 54
-
-
-# Vibrate the device after we're done collecting the bugreport
-# /sys/class/timed_output/vibrator/enable
-# TODO: create a new file class, instead of allowing write access to all of /sys
-allow dumpstate sysfs:file { open append write };
-
-# Other random bits of data we want to collect
-allow dumpstate qtaguid_proc:file { getattr open read ioctl lock };
-allow dumpstate debugfs:file { getattr open read ioctl lock };
-
-# Allow dumpstate to make binder calls to any binder service
-
-#line 66
-# Call the server domain and optionally transfer references to it.
-#line 66
-allow dumpstate binderservicedomain:binder { call transfer };
-#line 66
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 66
-allow binderservicedomain dumpstate:binder transfer;
-#line 66
-# Receive and use open files from the server.
-#line 66
-allow dumpstate binderservicedomain:fd use;
-#line 66
-
-
-#line 67
-# Call the server domain and optionally transfer references to it.
-#line 67
-allow dumpstate appdomain:binder { call transfer };
-#line 67
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 67
-allow appdomain dumpstate:binder transfer;
-#line 67
-# Receive and use open files from the server.
-#line 67
-allow dumpstate appdomain:fd use;
-#line 67
-
-
-# Reading /proc/PID/maps of other processes
-allow dumpstate self:capability sys_ptrace;
-
-# Allow the bugreport service to create a file in
-# /data/data/com.android.shell/files/bugreports/bugreport
-allow dumpstate shell_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow dumpstate shell_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-
-# Run a shell.
-allow dumpstate shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
-
-# For running am and similar framework commands.
-# Run /system/bin/app_process.
-allow dumpstate zygote_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
-# Dalvik Compiler JIT.
-allow dumpstate ashmem_device:chr_file execute;
-allow dumpstate dumpstate_tmpfs:file execute;
-allow dumpstate self:process execmem;
-# For art.
-allow dumpstate dalvikcache_data_file:file execute;
-
-# logd access
-
-#line 91
-
-#line 91
-allow dumpstate logdr_socket:sock_file write;
-#line 91
-allow dumpstate logd:unix_stream_socket connectto;
-#line 91
-
-#line 91
-
-
-#line 92
-# Group AID_LOG checked by filesystem & logd
-#line 92
-# to permit control commands
-#line 92
-
-#line 92
-allow dumpstate logd_socket:sock_file write;
-#line 92
-allow dumpstate logd:unix_stream_socket connectto;
-#line 92
-
-#line 92
-
-#line 1 "external/sepolicy/file.te"
-# Filesystem types
-type labeledfs, fs_type;
-type pipefs, fs_type;
-type sockfs, fs_type;
-type rootfs, fs_type;
-type proc, fs_type;
-# Security-sensitive proc nodes that should not be writable to most.
-type proc_security, fs_type;
-# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
-type usermodehelper, fs_type, sysfs_type;
-type qtaguid_proc, fs_type, mlstrustedobject;
-type proc_bluetooth_writable, fs_type;
-type proc_net, fs_type;
-type selinuxfs, fs_type;
-type cgroup, fs_type, mlstrustedobject;
-type sysfs, fs_type, mlstrustedobject;
-type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_wake_lock, fs_type, sysfs_type;
-# /sys/devices/system/cpu
-type sysfs_devices_system_cpu, fs_type, sysfs_type;
-# /sys/module/lowmemorykiller
-type sysfs_lowmemorykiller, fs_type, sysfs_type;
-type inotify, fs_type, mlstrustedobject;
-type devpts, fs_type, mlstrustedobject;
-type tmpfs, fs_type;
-type shm, fs_type;
-type mqueue, fs_type;
-type sdcard_internal, sdcard_type, fs_type, mlstrustedobject;
-type sdcard_external, sdcard_type, fs_type, mlstrustedobject;
-type debugfs, fs_type, mlstrustedobject;
-
-# File types
-type unlabeled, file_type;
-# Default type for anything under /system.
-type system_file, file_type;
-# Default type for anything under /data.
-type system_data_file, file_type, data_file_type;
-# /data/drm - DRM plugin data
-type drm_data_file, file_type, data_file_type;
-# /data/anr - ANR traces
-type anr_data_file, file_type, data_file_type, mlstrustedobject;
-# /data/tombstones - core dumps
-type tombstone_data_file, file_type, data_file_type;
-# /data/app - user-installed apps
-type apk_data_file, file_type, data_file_type;
-type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
-# /data/app-private - forward-locked apps
-type apk_private_data_file, file_type, data_file_type;
-type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
-# /data/dalvik-cache
-type dalvikcache_data_file, file_type, data_file_type;
-# /data/local - writable by shell
-type shell_data_file, file_type, data_file_type;
-# /data/gps
-type gps_data_file, file_type, data_file_type;
-
-# /data/misc subdirectories
-type adb_keys_file, file_type, data_file_type;
-type audio_data_file, file_type, data_file_type;
-type bluetooth_data_file, file_type, data_file_type;
-type camera_data_file, file_type, data_file_type;
-type keystore_data_file, file_type, data_file_type;
-type media_data_file, file_type, data_file_type;
-type media_rw_data_file, file_type, data_file_type;
-type nfc_data_file, file_type, data_file_type;
-type radio_data_file, file_type, data_file_type;
-type systemkeys_data_file, file_type, data_file_type;
-type vpn_data_file, file_type, data_file_type;
-type wifi_data_file, file_type, data_file_type;
-type zoneinfo_data_file, file_type, data_file_type;
-
-# Compatibility with type names used in vanilla Android 4.3 and 4.4.
-typealias audio_data_file alias audio_firmware_file;
-# /data/data subdirectories - app sandboxes
-type app_data_file, file_type, data_file_type;
-type platform_app_data_file, file_type, data_file_type, mlstrustedobject;
-# Default type for anything under /cache
-type cache_file, file_type, mlstrustedobject;
-# Type for /cache/.*\.{data|restore} and default
-# type for anything under /cache/backup
-type cache_backup_file, file_type, mlstrustedobject;
-# Default type for anything under /efs
-type efs_file, file_type;
-# Type for wallpaper file.
-type wallpaper_file, file_type, mlstrustedobject;
-# /mnt/asec
-type asec_apk_file, file_type, data_file_type;
-# Elements of asec files (/mnt/asec) that are world readable
-type asec_public_file, file_type, data_file_type;
-# /data/app-asec
-type asec_image_file, file_type, data_file_type;
-# /data/backup and /data/secure/backup
-type backup_data_file, file_type, data_file_type, mlstrustedobject;
-# For /data/security
-type security_file, file_type;
-# All devices have bluetooth efs files. But they
-# vary per device, so this type is used in per
-# device policy
-type bluetooth_efs_file, file_type;
-# Downloaded files
-type download_file, file_type;
-
-# Socket types
-type adbd_socket, file_type;
-type bluetooth_socket, file_type;
-type dnsproxyd_socket, file_type, mlstrustedobject;
-type dumpstate_socket, file_type;
-type gps_socket, file_type;
-type installd_socket, file_type;
-type keystore_socket, file_type;
-type lmkd_socket, file_type;
-type logd_debug, file_type;
-type logd_socket, file_type;
-type logdr_socket, file_type;
-type logdw_socket, file_type;
-type mdns_socket, file_type;
-type netd_socket, file_type;
-type property_socket, file_type;
-type qemud_socket, file_type;
-type racoon_socket, file_type;
-type rild_socket, file_type;
-type rild_debug_socket, file_type;
-type system_wpa_socket, file_type;
-type system_ndebug_socket, file_type;
-type vold_socket, file_type;
-type wpa_socket, file_type;
-type zygote_socket, file_type;
-
-# UART (for GPS) control proc file
-type gps_control, file_type;
-
-# Allow files to be created in their appropriate filesystems.
-allow fs_type self:filesystem associate;
-allow sysfs_type sysfs:filesystem associate;
-allow file_type labeledfs:filesystem associate;
-allow file_type tmpfs:filesystem associate;
-allow file_type rootfs:filesystem associate;
-allow dev_type tmpfs:filesystem associate;
-#line 1 "external/sepolicy/gpsd.te"
-# gpsd - GPS daemon
-type gpsd, domain;
-
-#line 3
-typeattribute gpsd mlstrustedsubject;
-#line 3
-typeattribute gpsd unconfineddomain;
-#line 3
-
-type gpsd_exec, exec_type, file_type;
-
-
-#line 6
-
-#line 6
-# Allow the necessary permissions.
-#line 6
-
-#line 6
-# Old domain may exec the file and transition to the new domain.
-#line 6
-allow init gpsd_exec:file { getattr open read execute };
-#line 6
-allow init gpsd:process transition;
-#line 6
-# New domain is entered by executing the file.
-#line 6
-allow gpsd gpsd_exec:file { entrypoint read execute };
-#line 6
-# New domain can send SIGCHLD to its caller.
-#line 6
-allow gpsd init:process sigchld;
-#line 6
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 6
-dontaudit init gpsd:process noatsecure;
-#line 6
-# XXX dontaudit candidate but requires further study.
-#line 6
-allow init gpsd:process { siginh rlimitinh };
-#line 6
-
-#line 6
-# Make the transition occur by default.
-#line 6
-type_transition init gpsd_exec:process gpsd;
-#line 6
-
-#line 6
-
-#line 6
-type gpsd_tmpfs, file_type;
-#line 6
-type_transition gpsd tmpfs:file gpsd_tmpfs;
-#line 6
-allow gpsd gpsd_tmpfs:file { read write };
-#line 6
-
-#line 6
-
-
-#line 7
-typeattribute gpsd netdomain;
-#line 7
-
-allow gpsd gps_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
-allow gpsd gps_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-# Socket is created by the daemon, not by init, and under /data/gps,
-# not under /dev/socket.
-type_transition gpsd gps_data_file:sock_file gps_socket;
-allow gpsd gps_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-# XXX Label sysfs files with a specific type?
-allow gpsd sysfs:file { { getattr open read ioctl lock } { open append write } };
-
-allow gpsd gps_device:chr_file { { getattr open read ioctl lock } { open append write } };
-
-# Execute the shell or system commands.
-allow gpsd shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
-allow gpsd system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
-#line 1 "external/sepolicy/hci_attach.te"
-type hci_attach, domain;
-type hci_attach_exec, exec_type, file_type;
-
-
-#line 4
-
-#line 4
-# Allow the necessary permissions.
-#line 4
-
-#line 4
-# Old domain may exec the file and transition to the new domain.
-#line 4
-allow init hci_attach_exec:file { getattr open read execute };
-#line 4
-allow init hci_attach:process transition;
-#line 4
-# New domain is entered by executing the file.
-#line 4
-allow hci_attach hci_attach_exec:file { entrypoint read execute };
-#line 4
-# New domain can send SIGCHLD to its caller.
-#line 4
-allow hci_attach init:process sigchld;
-#line 4
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 4
-dontaudit init hci_attach:process noatsecure;
-#line 4
-# XXX dontaudit candidate but requires further study.
-#line 4
-allow init hci_attach:process { siginh rlimitinh };
-#line 4
-
-#line 4
-# Make the transition occur by default.
-#line 4
-type_transition init hci_attach_exec:process hci_attach;
-#line 4
-
-#line 4
-
-#line 4
-type hci_attach_tmpfs, file_type;
-#line 4
-type_transition hci_attach tmpfs:file hci_attach_tmpfs;
-#line 4
-allow hci_attach hci_attach_tmpfs:file { read write };
-#line 4
-
-#line 4
-
-
-allow hci_attach kernel:system module_request;
-allow hci_attach hci_attach_dev:chr_file { { getattr open read ioctl lock } { open append write } };
-allow hci_attach bluetooth_efs_file:dir { open getattr read search ioctl };
-allow hci_attach bluetooth_efs_file:file { getattr open read ioctl lock };
-#line 1 "external/sepolicy/healthd.te"
-# healthd seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type healthd, domain;
-
-allow healthd rootfs:file { read entrypoint };
-
-#line 6
-type_transition healthd device:chr_file klog_device "__kmsg__";
-#line 6
-allow healthd klog_device:chr_file { create open write unlink };
-#line 6
-allow healthd device:dir { write add_name remove_name };
-#line 6
-
-# /dev/__null__ created by init prior to policy load,
-# open fd inherited by healthd.
-allow healthd tmpfs:chr_file { read write };
-
-allow healthd self:capability { net_admin mknod };
-allow healthd self:capability2 block_suspend;
-allow healthd self:netlink_kobject_uevent_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
-
-#line 14
-# Call the servicemanager and transfer references to it.
-#line 14
-allow healthd servicemanager:binder { call transfer };
-#line 14
-# rw access to /dev/binder and /dev/ashmem is presently granted to
-#line 14
-# all domains in domain.te.
-#line 14
-
-
-#line 15
-typeattribute healthd binderservicedomain;
-#line 15
-
-
-#line 16
-# Call the server domain and optionally transfer references to it.
-#line 16
-allow healthd system_server:binder { call transfer };
-#line 16
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 16
-allow system_server healthd:binder transfer;
-#line 16
-# Receive and use open files from the server.
-#line 16
-allow healthd system_server:fd use;
-#line 16
-
-
-###
-### healthd: charger mode
-###
-
-allow healthd graphics_device:dir { open getattr read search ioctl };
-allow healthd graphics_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow healthd input_device:dir { open getattr read search ioctl };
-allow healthd input_device:chr_file { getattr open read ioctl lock };
-allow healthd ashmem_device:chr_file execute;
-allow healthd self:process execmem;
-#line 1 "external/sepolicy/hostapd.te"
-# userspace wifi access points
-type hostapd, domain;
-
-#line 3
-typeattribute hostapd mlstrustedsubject;
-#line 3
-typeattribute hostapd unconfineddomain;
-#line 3
-
-type hostapd_exec, exec_type, file_type;
-
-allow hostapd self:capability { net_admin net_raw setuid setgid };
-allow hostapd self:netlink_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
-allow hostapd self:packet_socket { create write read };
-allow hostapd self:netlink_route_socket { bind create write nlmsg_write read };
-allow hostapd self:udp_socket { create ioctl };
-
-allow hostapd wifi_data_file:file { { getattr open read ioctl lock } { open append write } };
-allow hostapd wifi_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow hostapd wpa_socket:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow hostapd wpa_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-allow hostapd netd:fd use;
-allow hostapd netd:udp_socket { read write };
-allow hostapd netd:netlink_kobject_uevent_socket { read write };
-allow hostapd netd:netlink_nflog_socket { read write };
-allow hostapd netd:netlink_route_socket { read write };
-allow hostapd netd:unix_stream_socket { read write };
-allow hostapd netd:fifo_file { read write };
-#line 1 "external/sepolicy/init_shell.te"
-# Restricted domain for shell processes spawned by init
-type init_shell, domain, shelldomain;
-
-#line 3
-# Allow the necessary permissions.
-#line 3
-
-#line 3
-# Old domain may exec the file and transition to the new domain.
-#line 3
-allow init shell_exec:file { getattr open read execute };
-#line 3
-allow init init_shell:process transition;
-#line 3
-# New domain is entered by executing the file.
-#line 3
-allow init_shell shell_exec:file { entrypoint read execute };
-#line 3
-# New domain can send SIGCHLD to its caller.
-#line 3
-allow init_shell init:process sigchld;
-#line 3
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 3
-dontaudit init init_shell:process noatsecure;
-#line 3
-# XXX dontaudit candidate but requires further study.
-#line 3
-allow init init_shell:process { siginh rlimitinh };
-#line 3
-
-#line 3
-# Make the transition occur by default.
-#line 3
-type_transition init shell_exec:process init_shell;
-#line 3
-
-
-#line 4
-typeattribute init_shell mlstrustedsubject;
-#line 4
-typeattribute init_shell unconfineddomain;
-#line 4
-
-
-# inherits from shelldomain.te
-#line 1 "external/sepolicy/init.te"
-# init switches to init domain (via init.rc).
-type init, domain;
-# init is unconfined.
-
-#line 4
-typeattribute init mlstrustedsubject;
-#line 4
-typeattribute init unconfineddomain;
-#line 4
-
-
-#line 5
-type init_tmpfs, file_type;
-#line 5
-type_transition init tmpfs:file init_tmpfs;
-#line 5
-allow init init_tmpfs:file { read write };
-#line 5
-
-
-#line 6
-typeattribute init relabeltodomain;
-#line 6
-
-# add a rule to handle unlabelled mounts
-allow init unlabeled:filesystem mount;
-
-allow init self:capability { sys_rawio mknod };
-
-allow init dev_type:blk_file { { getattr open read ioctl lock } { open append write } };
-allow init fs_type:filesystem *;
-allow init {fs_type dev_type file_type}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;
-allow init kernel:security load_policy;
-allow init usermodehelper:file { { getattr open read ioctl lock } { open append write } };
-allow init proc_security:file { { getattr open read ioctl lock } { open append write } };
-
-# Transitions to seclabel processes in init.rc
-allow init adbd:process transition;
-allow init healthd:process transition;
-allow init recovery:process transition;
-allow init shell:process transition;
-allow init ueventd:process transition;
-allow init watchdogd:process transition;
-#line 1 "external/sepolicy/inputflinger.te"
-# inputflinger
-type inputflinger, domain;
-
-#line 3
-typeattribute inputflinger mlstrustedsubject;
-#line 3
-typeattribute inputflinger unconfineddomain;
-#line 3
-
-type inputflinger_exec, exec_type, file_type;
-
-
-#line 6
-
-#line 6
-# Allow the necessary permissions.
-#line 6
-
-#line 6
-# Old domain may exec the file and transition to the new domain.
-#line 6
-allow init inputflinger_exec:file { getattr open read execute };
-#line 6
-allow init inputflinger:process transition;
-#line 6
-# New domain is entered by executing the file.
-#line 6
-allow inputflinger inputflinger_exec:file { entrypoint read execute };
-#line 6
-# New domain can send SIGCHLD to its caller.
-#line 6
-allow inputflinger init:process sigchld;
-#line 6
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 6
-dontaudit init inputflinger:process noatsecure;
-#line 6
-# XXX dontaudit candidate but requires further study.
-#line 6
-allow init inputflinger:process { siginh rlimitinh };
-#line 6
-
-#line 6
-# Make the transition occur by default.
-#line 6
-type_transition init inputflinger_exec:process inputflinger;
-#line 6
-
-#line 6
-
-#line 6
-type inputflinger_tmpfs, file_type;
-#line 6
-type_transition inputflinger tmpfs:file inputflinger_tmpfs;
-#line 6
-allow inputflinger inputflinger_tmpfs:file { read write };
-#line 6
-
-#line 6
-
-
-#line 7
-# Call the servicemanager and transfer references to it.
-#line 7
-allow inputflinger servicemanager:binder { call transfer };
-#line 7
-# rw access to /dev/binder and /dev/ashmem is presently granted to
-#line 7
-# all domains in domain.te.
-#line 7
-
-
-#line 8
-typeattribute inputflinger binderservicedomain;
-#line 8
-
-#line 1 "external/sepolicy/installd.te"
-# installer daemon
-type installd, domain;
-type installd_exec, exec_type, file_type;
-
-
-#line 5
-
-#line 5
-# Allow the necessary permissions.
-#line 5
-
-#line 5
-# Old domain may exec the file and transition to the new domain.
-#line 5
-allow init installd_exec:file { getattr open read execute };
-#line 5
-allow init installd:process transition;
-#line 5
-# New domain is entered by executing the file.
-#line 5
-allow installd installd_exec:file { entrypoint read execute };
-#line 5
-# New domain can send SIGCHLD to its caller.
-#line 5
-allow installd init:process sigchld;
-#line 5
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 5
-dontaudit init installd:process noatsecure;
-#line 5
-# XXX dontaudit candidate but requires further study.
-#line 5
-allow init installd:process { siginh rlimitinh };
-#line 5
-
-#line 5
-# Make the transition occur by default.
-#line 5
-type_transition init installd_exec:process installd;
-#line 5
-
-#line 5
-
-#line 5
-type installd_tmpfs, file_type;
-#line 5
-type_transition installd tmpfs:file installd_tmpfs;
-#line 5
-allow installd installd_tmpfs:file { read write };
-#line 5
-
-#line 5
-
-
-#line 6
-typeattribute installd relabeltodomain;
-#line 6
-
-typeattribute installd mlstrustedsubject;
-allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
-allow installd system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-allow installd system_data_file:lnk_file create;
-allow installd dalvikcache_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-allow installd data_file_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow installd data_file_type:dir { relabelfrom relabelto };
-allow installd data_file_type:{ { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { getattr unlink };
-allow installd apk_data_file:file { getattr open read ioctl lock };
-allow installd apk_tmp_file:file { getattr open read ioctl lock };
-allow installd system_file:file { getattr execute execute_no_trans };
-allow installd cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow installd download_file:dir { { open getattr read search ioctl } write remove_name };
-allow installd download_file:file { { getattr open read ioctl lock } unlink };
-dontaudit installd self:capability sys_admin;
-# Check validity of SELinux context before use.
-
-#line 23
-allow installd selinuxfs:dir { open getattr read search ioctl };
-#line 23
-allow installd selinuxfs:file { { getattr open read ioctl lock } { open append write } };
-#line 23
-allow installd kernel:security check_context;
-#line 23
-
-# Read /seapp_contexts and /data/security/seapp_contexts
-
-#line 25
-allow installd security_file:dir { open getattr read search ioctl };
-#line 25
-allow installd security_file:file { getattr open read ioctl lock };
-#line 25
-allow installd security_file:lnk_file { getattr open read ioctl lock };
-#line 25
-allow installd selinuxfs:dir { open getattr read search ioctl };
-#line 25
-allow installd selinuxfs:file { getattr open read ioctl lock };
-#line 25
-allow installd rootfs:dir { open getattr read search ioctl };
-#line 25
-allow installd rootfs:file { getattr open read ioctl lock };
-#line 25
-
-# ASEC
-allow installd platform_app_data_file:lnk_file { create setattr };
-allow installd app_data_file:lnk_file { create setattr };
-allow installd asec_apk_file:file { getattr open read ioctl lock };
-allow installd bluetooth_data_file:lnk_file { create setattr };
-allow installd nfc_data_file:lnk_file { create setattr };
-allow installd radio_data_file:lnk_file { create setattr };
-allow installd shell_data_file:lnk_file { create setattr };
-#line 1 "external/sepolicy/isolated_app.te"
-###
-### Services with isolatedProcess=true in their manifest.
-###
-### This file defines the rules for isolated apps. An "isolated
-### app" is an APP with UID between AID_ISOLATED_START (99000)
-### and AID_ISOLATED_END (99999).
-###
-### isolated_app includes all the appdomain rules, plus the
-### additional following rules:
-###
-
-type isolated_app, domain;
-
-#line 13
-typeattribute isolated_app appdomain;
-#line 13
-# Label ashmem objects with our own unique type.
-#line 13
-
-#line 13
-type isolated_app_tmpfs, file_type;
-#line 13
-type_transition isolated_app tmpfs:file isolated_app_tmpfs;
-#line 13
-allow isolated_app isolated_app_tmpfs:file { read write };
-#line 13
-
-#line 13
-# Map with PROT_EXEC.
-#line 13
-allow isolated_app isolated_app_tmpfs:file execute;
-#line 13
-
-
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow isolated_app appdomain:unix_stream_socket { read write };
-
-allow isolated_app dalvikcache_data_file:file execute;
-allow isolated_app apk_data_file:dir getattr;
-#line 1 "external/sepolicy/kernel.te"
-# Life begins with the kernel.
-type kernel, domain;
-
-allow kernel init:process dyntransition;
-
-# The kernel is unconfined.
-
-#line 7
-typeattribute kernel mlstrustedsubject;
-#line 7
-typeattribute kernel unconfineddomain;
-#line 7
-
-
-#line 8
-typeattribute kernel relabeltodomain;
-#line 8
-
-
-allow kernel {fs_type dev_type file_type}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;
-allow kernel unlabeled:filesystem mount;
-allow kernel fs_type:filesystem *;
-
-# Initial setenforce by init prior to switching to init domain.
-allow kernel self:security setenforce;
-
-# Set checkreqprot by init.rc prior to switching to init domain.
-allow kernel self:security setcheckreqprot;
-
-# For operations performed by kernel or init prior to switching to init domain.
-## TODO: Investigate whether it is safe to remove these
-allow kernel self:capability { sys_rawio mknod };
-auditallow kernel self:capability { sys_rawio mknod };
-allow kernel dev_type:blk_file { { getattr open read ioctl lock } { open append write } };
-auditallow kernel dev_type:blk_file { { getattr open read ioctl lock } { open append write } };
-#line 1 "external/sepolicy/keystore.te"
-type keystore, domain;
-type keystore_exec, exec_type, file_type;
-
-# keystore daemon
-
-#line 5
-
-#line 5
-# Allow the necessary permissions.
-#line 5
-
-#line 5
-# Old domain may exec the file and transition to the new domain.
-#line 5
-allow init keystore_exec:file { getattr open read execute };
-#line 5
-allow init keystore:process transition;
-#line 5
-# New domain is entered by executing the file.
-#line 5
-allow keystore keystore_exec:file { entrypoint read execute };
-#line 5
-# New domain can send SIGCHLD to its caller.
-#line 5
-allow keystore init:process sigchld;
-#line 5
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 5
-dontaudit init keystore:process noatsecure;
-#line 5
-# XXX dontaudit candidate but requires further study.
-#line 5
-allow init keystore:process { siginh rlimitinh };
-#line 5
-
-#line 5
-# Make the transition occur by default.
-#line 5
-type_transition init keystore_exec:process keystore;
-#line 5
-
-#line 5
-
-#line 5
-type keystore_tmpfs, file_type;
-#line 5
-type_transition keystore tmpfs:file keystore_tmpfs;
-#line 5
-allow keystore keystore_tmpfs:file { read write };
-#line 5
-
-#line 5
-
-typeattribute keystore mlstrustedsubject;
-
-#line 7
-# Call the servicemanager and transfer references to it.
-#line 7
-allow keystore servicemanager:binder { call transfer };
-#line 7
-# rw access to /dev/binder and /dev/ashmem is presently granted to
-#line 7
-# all domains in domain.te.
-#line 7
-
-
-#line 8
-typeattribute keystore binderservicedomain;
-#line 8
-
-allow keystore keystore_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow keystore keystore_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-allow keystore keystore_exec:file { getattr };
-allow keystore tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow keystore tee:unix_stream_socket connectto;
-#line 1 "external/sepolicy/lmkd.te"
-# lmkd low memory killer daemon
-type lmkd, domain;
-type lmkd_exec, exec_type, file_type;
-
-
-#line 5
-
-#line 5
-# Allow the necessary permissions.
-#line 5
-
-#line 5
-# Old domain may exec the file and transition to the new domain.
-#line 5
-allow init lmkd_exec:file { getattr open read execute };
-#line 5
-allow init lmkd:process transition;
-#line 5
-# New domain is entered by executing the file.
-#line 5
-allow lmkd lmkd_exec:file { entrypoint read execute };
-#line 5
-# New domain can send SIGCHLD to its caller.
-#line 5
-allow lmkd init:process sigchld;
-#line 5
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 5
-dontaudit init lmkd:process noatsecure;
-#line 5
-# XXX dontaudit candidate but requires further study.
-#line 5
-allow init lmkd:process { siginh rlimitinh };
-#line 5
-
-#line 5
-# Make the transition occur by default.
-#line 5
-type_transition init lmkd_exec:process lmkd;
-#line 5
-
-#line 5
-
-#line 5
-type lmkd_tmpfs, file_type;
-#line 5
-type_transition lmkd tmpfs:file lmkd_tmpfs;
-#line 5
-allow lmkd lmkd_tmpfs:file { read write };
-#line 5
-
-#line 5
-
-
-allow lmkd self:capability { dac_override sys_resource };
-
-## Open and write to /proc/PID/oom_score_adj
-## TODO: maybe scope this down?
-
-#line 11
-allow lmkd appdomain:dir { open getattr read search ioctl };
-#line 11
-allow lmkd appdomain:{ file lnk_file } { getattr open read ioctl lock };
-#line 11
-
-allow lmkd appdomain:file write;
-
-#line 13
-allow lmkd system_server:dir { open getattr read search ioctl };
-#line 13
-allow lmkd system_server:{ file lnk_file } { getattr open read ioctl lock };
-#line 13
-
-allow lmkd system_server:file write;
-
-## Writes to /sys/module/lowmemorykiller/parameters/minfree
-allow lmkd sysfs_lowmemorykiller:file { open append write };
-#line 1 "external/sepolicy/logd.te"
-# android user-space log manager
-type logd, domain;
-type logd_exec, exec_type, file_type;
-
-
-#line 5
-
-#line 5
-# Allow the necessary permissions.
-#line 5
-
-#line 5
-# Old domain may exec the file and transition to the new domain.
-#line 5
-allow init logd_exec:file { getattr open read execute };
-#line 5
-allow init logd:process transition;
-#line 5
-# New domain is entered by executing the file.
-#line 5
-allow logd logd_exec:file { entrypoint read execute };
-#line 5
-# New domain can send SIGCHLD to its caller.
-#line 5
-allow logd init:process sigchld;
-#line 5
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 5
-dontaudit init logd:process noatsecure;
-#line 5
-# XXX dontaudit candidate but requires further study.
-#line 5
-allow init logd:process { siginh rlimitinh };
-#line 5
-
-#line 5
-# Make the transition occur by default.
-#line 5
-type_transition init logd_exec:process logd;
-#line 5
-
-#line 5
-
-#line 5
-type logd_tmpfs, file_type;
-#line 5
-type_transition logd tmpfs:file logd_tmpfs;
-#line 5
-allow logd logd_tmpfs:file { read write };
-#line 5
-
-#line 5
-
-allow logd self:unix_stream_socket *;
-
-allow logd self:capability { setuid setgid sys_nice };
-
-
-#line 10
-allow logd domain:dir { open getattr read search ioctl };
-#line 10
-allow logd domain:{ file lnk_file } { getattr open read ioctl lock };
-#line 10
-
-
-#line 17
-
-
-###
-### Neverallow rules
-###
-### logd should NEVER do any of this
-
-# Block device access.
-neverallow logd dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow logd domain:process ptrace;
-
-# Write to /system.
-neverallow logd system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
-
-# Write to files in /data/data or system files on /data
-neverallow logd { app_data_file system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
-#line 1 "external/sepolicy/media_app.te"
-###
-### Apps signed with the media key.
-###
-
-type media_app, domain;
-
-#line 6
-typeattribute media_app appdomain;
-#line 6
-# Label ashmem objects with our own unique type.
-#line 6
-
-#line 6
-type media_app_tmpfs, file_type;
-#line 6
-type_transition media_app tmpfs:file media_app_tmpfs;
-#line 6
-allow media_app media_app_tmpfs:file { read write };
-#line 6
-
-#line 6
-# Map with PROT_EXEC.
-#line 6
-allow media_app media_app_tmpfs:file execute;
-#line 6
-
-
-#line 7
-typeattribute media_app platformappdomain;
-#line 7
-typeattribute media_app mlstrustedsubject;
-#line 7
-
-
-#line 8
-typeattribute media_app binderservicedomain;
-#line 8
-
-# Access the network.
-
-#line 10
-typeattribute media_app netdomain;
-#line 10
-
-# Access /dev/mtp_usb.
-allow media_app mtp_device:chr_file { { getattr open read ioctl lock } { open append write } };
-# Write to /cache.
-allow media_app cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
-allow media_app cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-# Stat /cache/lost+found
-allow media_app unlabeled:file getattr;
-allow media_app unlabeled:dir getattr;
-# Stat /cache/backup
-allow media_app cache_backup_file:file getattr;
-allow media_app cache_backup_file:dir getattr;
-# Read files in the rootdir (in particular, file_contexts for restorecon).
-allow media_app rootfs:file { getattr open read ioctl lock };
-allow media_app download_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
-allow media_app download_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-# Allow platform apps to mark platform app data files as download files
-
-#line 27
-typeattribute media_app relabeltodomain;
-#line 27
-
-allow media_app platform_app_data_file:dir relabelfrom;
-allow media_app download_file:dir relabelto;
-#line 1 "external/sepolicy/mediaserver.te"
-# mediaserver - multimedia daemon
-type mediaserver, domain;
-
-#line 3
-typeattribute mediaserver mlstrustedsubject;
-#line 3
-typeattribute mediaserver unconfineddomain;
-#line 3
-
-type mediaserver_exec, exec_type, file_type;
-
-typeattribute mediaserver mlstrustedsubject;
-
-
-#line 8
-typeattribute mediaserver netdomain;
-#line 8
-
-
-#line 9
-
-#line 9
-# Allow the necessary permissions.
-#line 9
-
-#line 9
-# Old domain may exec the file and transition to the new domain.
-#line 9
-allow init mediaserver_exec:file { getattr open read execute };
-#line 9
-allow init mediaserver:process transition;
-#line 9
-# New domain is entered by executing the file.
-#line 9
-allow mediaserver mediaserver_exec:file { entrypoint read execute };
-#line 9
-# New domain can send SIGCHLD to its caller.
-#line 9
-allow mediaserver init:process sigchld;
-#line 9
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 9
-dontaudit init mediaserver:process noatsecure;
-#line 9
-# XXX dontaudit candidate but requires further study.
-#line 9
-allow init mediaserver:process { siginh rlimitinh };
-#line 9
-
-#line 9
-# Make the transition occur by default.
-#line 9
-type_transition init mediaserver_exec:process mediaserver;
-#line 9
-
-#line 9
-
-#line 9
-type mediaserver_tmpfs, file_type;
-#line 9
-type_transition mediaserver tmpfs:file mediaserver_tmpfs;
-#line 9
-allow mediaserver mediaserver_tmpfs:file { read write };
-#line 9
-
-#line 9
-
-
-#line 10
-allow mediaserver property_socket:sock_file write;
-#line 10
-allow mediaserver init:unix_stream_socket connectto;
-#line 10
-
-
-
-#line 12
-allow mediaserver sdcard_type:dir { open getattr read search ioctl };
-#line 12
-allow mediaserver sdcard_type:{ file lnk_file } { getattr open read ioctl lock };
-#line 12
-
-
-
-#line 14
-# Call the servicemanager and transfer references to it.
-#line 14
-allow mediaserver servicemanager:binder { call transfer };
-#line 14
-# rw access to /dev/binder and /dev/ashmem is presently granted to
-#line 14
-# all domains in domain.te.
-#line 14
-
-
-#line 15
-# Call the server domain and optionally transfer references to it.
-#line 15
-allow mediaserver binderservicedomain:binder { call transfer };
-#line 15
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 15
-allow binderservicedomain mediaserver:binder transfer;
-#line 15
-# Receive and use open files from the server.
-#line 15
-allow mediaserver binderservicedomain:fd use;
-#line 15
-
-
-#line 16
-# Call the server domain and optionally transfer references to it.
-#line 16
-allow mediaserver appdomain:binder { call transfer };
-#line 16
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 16
-allow appdomain mediaserver:binder transfer;
-#line 16
-# Receive and use open files from the server.
-#line 16
-allow mediaserver appdomain:fd use;
-#line 16
-
-
-#line 17
-typeattribute mediaserver binderservicedomain;
-#line 17
-
-
-allow mediaserver self:process execmem;
-allow mediaserver kernel:system module_request;
-allow mediaserver media_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow mediaserver media_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-allow mediaserver app_data_file:dir search;
-allow mediaserver app_data_file:file { { getattr open read ioctl lock } { open append write } };
-allow mediaserver platform_app_data_file:file { getattr read };
-allow mediaserver sdcard_type:file write;
-allow mediaserver { gpu_device graphics_device }:chr_file { { getattr open read ioctl lock } { open append write } };
-allow mediaserver video_device:dir { open getattr read search ioctl };
-allow mediaserver video_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow mediaserver audio_device:dir { open getattr read search ioctl };
-allow mediaserver qemu_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow mediaserver tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow mediaserver audio_prop:property_service set;
-
-# Access audio devices at all.
-allow mediaserver audio_device:chr_file { { getattr open read ioctl lock } { open append write } };
-
-# XXX Label with a specific type?
-allow mediaserver sysfs:file { { getattr open read ioctl lock } { open append write } };
-
-# XXX Why?
-allow mediaserver apk_data_file:file { read getattr };
-
-# Access camera device.
-allow mediaserver camera_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow mediaserver rpmsg_device:chr_file { { getattr open read ioctl lock } { open append write } };
-
-# Inter System processes communicate over named pipe (FIFO)
-allow mediaserver system_server:fifo_file { getattr open read ioctl lock };
-
-# Camera data
-
-#line 52
-allow mediaserver camera_data_file:dir { open getattr read search ioctl };
-#line 52
-allow mediaserver camera_data_file:{ file lnk_file } { getattr open read ioctl lock };
-#line 52
-
-
-#line 53
-allow mediaserver media_rw_data_file:dir { open getattr read search ioctl };
-#line 53
-allow mediaserver media_rw_data_file:{ file lnk_file } { getattr open read ioctl lock };
-#line 53
-
-
-# Grant access to audio files to mediaserver
-allow mediaserver audio_data_file:dir { { open getattr read search ioctl } add_name write };
-allow mediaserver audio_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-
-# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
-allow mediaserver qtaguid_proc:file { { getattr open read ioctl lock } { open append write } };
-allow mediaserver qtaguid_device:chr_file { getattr open read ioctl lock };
-
-# Allow abstract socket connection
-allow mediaserver rild:unix_stream_socket { connectto read write setopt };
-
-# Needed on some devices for playing DRM protected content,
-# but seems expected and appropriate for all devices.
-
-#line 68
-allow mediaserver drmserver_socket:sock_file write;
-#line 68
-allow mediaserver drmserver:unix_stream_socket connectto;
-#line 68
-
-
-# Needed on some devices for playing audio on paired BT device,
-# but seems appropriate for all devices.
-
-#line 72
-allow mediaserver bluetooth_socket:sock_file write;
-#line 72
-allow mediaserver bluetooth:unix_stream_socket connectto;
-#line 72
-
-#line 1 "external/sepolicy/mtp.te"
-# vpn tunneling protocol manager
-type mtp, domain;
-
-#line 3
-typeattribute mtp mlstrustedsubject;
-#line 3
-typeattribute mtp unconfineddomain;
-#line 3
-
-type mtp_exec, exec_type, file_type;
-
-
-#line 6
-
-#line 6
-# Allow the necessary permissions.
-#line 6
-
-#line 6
-# Old domain may exec the file and transition to the new domain.
-#line 6
-allow init mtp_exec:file { getattr open read execute };
-#line 6
-allow init mtp:process transition;
-#line 6
-# New domain is entered by executing the file.
-#line 6
-allow mtp mtp_exec:file { entrypoint read execute };
-#line 6
-# New domain can send SIGCHLD to its caller.
-#line 6
-allow mtp init:process sigchld;
-#line 6
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 6
-dontaudit init mtp:process noatsecure;
-#line 6
-# XXX dontaudit candidate but requires further study.
-#line 6
-allow init mtp:process { siginh rlimitinh };
-#line 6
-
-#line 6
-# Make the transition occur by default.
-#line 6
-type_transition init mtp_exec:process mtp;
-#line 6
-
-#line 6
-
-#line 6
-type mtp_tmpfs, file_type;
-#line 6
-type_transition mtp tmpfs:file mtp_tmpfs;
-#line 6
-allow mtp mtp_tmpfs:file { read write };
-#line 6
-
-#line 6
-
-
-#line 7
-typeattribute mtp netdomain;
-#line 7
-
-
-# pptp policy
-allow mtp self:tcp_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
-allow mtp self:socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
-allow mtp self:rawip_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
-allow mtp self:capability net_raw;
-allow mtp ppp:process signal;
-allow mtp port:tcp_socket name_connect;
-allow mtp vpn_data_file:dir search;
-#line 1 "external/sepolicy/netd.te"
-# network manager
-type netd, domain;
-type netd_exec, exec_type, file_type;
-
-
-#line 5
-
-#line 5
-# Allow the necessary permissions.
-#line 5
-
-#line 5
-# Old domain may exec the file and transition to the new domain.
-#line 5
-allow init netd_exec:file { getattr open read execute };
-#line 5
-allow init netd:process transition;
-#line 5
-# New domain is entered by executing the file.
-#line 5
-allow netd netd_exec:file { entrypoint read execute };
-#line 5
-# New domain can send SIGCHLD to its caller.
-#line 5
-allow netd init:process sigchld;
-#line 5
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 5
-dontaudit init netd:process noatsecure;
-#line 5
-# XXX dontaudit candidate but requires further study.
-#line 5
-allow init netd:process { siginh rlimitinh };
-#line 5
-
-#line 5
-# Make the transition occur by default.
-#line 5
-type_transition init netd_exec:process netd;
-#line 5
-
-#line 5
-
-#line 5
-type netd_tmpfs, file_type;
-#line 5
-type_transition netd tmpfs:file netd_tmpfs;
-#line 5
-allow netd netd_tmpfs:file { read write };
-#line 5
-
-#line 5
-
-
-#line 6
-typeattribute netd netdomain;
-#line 6
-
-
-allow netd self:capability { net_admin net_raw kill fsetid };
-allow netd self:netlink_kobject_uevent_socket *;
-allow netd self:netlink_route_socket *;
-allow netd self:netlink_nflog_socket *;
-allow netd self:rawip_socket *;
-allow netd self:unix_stream_socket *;
-allow netd shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
-allow netd system_file:file { getattr execute execute_no_trans };
-allow netd devpts:chr_file { { getattr open read ioctl lock } { open append write } };
-
-# For /proc/sys/net/ipv[46]/route/flush.
-allow netd proc_net:file write;
-
-# For /sys/modules/bcmdhd/parameters/firmware_path
-# XXX Split into its own type.
-allow netd sysfs:file write;
-
-# Set dhcp lease for PAN connection
-
-#line 26
-allow netd property_socket:sock_file write;
-#line 26
-allow netd init:unix_stream_socket connectto;
-#line 26
-
-allow netd system_prop:property_service set;
-
-# Connect to PAN
-
-#line 30
-# Allow the necessary permissions.
-#line 30
-
-#line 30
-# Old domain may exec the file and transition to the new domain.
-#line 30
-allow netd dhcp_exec:file { getattr open read execute };
-#line 30
-allow netd dhcp:process transition;
-#line 30
-# New domain is entered by executing the file.
-#line 30
-allow dhcp dhcp_exec:file { entrypoint read execute };
-#line 30
-# New domain can send SIGCHLD to its caller.
-#line 30
-allow dhcp netd:process sigchld;
-#line 30
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 30
-dontaudit netd dhcp:process noatsecure;
-#line 30
-# XXX dontaudit candidate but requires further study.
-#line 30
-allow netd dhcp:process { siginh rlimitinh };
-#line 30
-
-#line 30
-# Make the transition occur by default.
-#line 30
-type_transition netd dhcp_exec:process dhcp;
-#line 30
-
-allow netd dhcp:process signal;
-
-# Needed to update /data/misc/wifi/hostapd.conf
-# TODO: See what we can do to reduce the need for
-# these capabilities
-allow netd self:capability { dac_override chown fowner };
-allow netd wifi_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-allow netd wifi_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
-
-# Allow netd to spawn hostapd in it's own domain
-
-#line 41
-# Allow the necessary permissions.
-#line 41
-
-#line 41
-# Old domain may exec the file and transition to the new domain.
-#line 41
-allow netd hostapd_exec:file { getattr open read execute };
-#line 41
-allow netd hostapd:process transition;
-#line 41
-# New domain is entered by executing the file.
-#line 41
-allow hostapd hostapd_exec:file { entrypoint read execute };
-#line 41
-# New domain can send SIGCHLD to its caller.
-#line 41
-allow hostapd netd:process sigchld;
-#line 41
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 41
-dontaudit netd hostapd:process noatsecure;
-#line 41
-# XXX dontaudit candidate but requires further study.
-#line 41
-allow netd hostapd:process { siginh rlimitinh };
-#line 41
-
-#line 41
-# Make the transition occur by default.
-#line 41
-type_transition netd hostapd_exec:process hostapd;
-#line 41
-
-allow netd hostapd:process signal;
-
-# Allow netd to spawn dnsmasq in it's own domain
-
-#line 45
-# Allow the necessary permissions.
-#line 45
-
-#line 45
-# Old domain may exec the file and transition to the new domain.
-#line 45
-allow netd dnsmasq_exec:file { getattr open read execute };
-#line 45
-allow netd dnsmasq:process transition;
-#line 45
-# New domain is entered by executing the file.
-#line 45
-allow dnsmasq dnsmasq_exec:file { entrypoint read execute };
-#line 45
-# New domain can send SIGCHLD to its caller.
-#line 45
-allow dnsmasq netd:process sigchld;
-#line 45
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 45
-dontaudit netd dnsmasq:process noatsecure;
-#line 45
-# XXX dontaudit candidate but requires further study.
-#line 45
-allow netd dnsmasq:process { siginh rlimitinh };
-#line 45
-
-#line 45
-# Make the transition occur by default.
-#line 45
-type_transition netd dnsmasq_exec:process dnsmasq;
-#line 45
-
-allow netd dnsmasq:process signal;
-
-# Allow netd to start clatd in its own domain
-
-#line 49
-# Allow the necessary permissions.
-#line 49
-
-#line 49
-# Old domain may exec the file and transition to the new domain.
-#line 49
-allow netd clatd_exec:file { getattr open read execute };
-#line 49
-allow netd clatd:process transition;
-#line 49
-# New domain is entered by executing the file.
-#line 49
-allow clatd clatd_exec:file { entrypoint read execute };
-#line 49
-# New domain can send SIGCHLD to its caller.
-#line 49
-allow clatd netd:process sigchld;
-#line 49
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 49
-dontaudit netd clatd:process noatsecure;
-#line 49
-# XXX dontaudit candidate but requires further study.
-#line 49
-allow netd clatd:process { siginh rlimitinh };
-#line 49
-
-#line 49
-# Make the transition occur by default.
-#line 49
-type_transition netd clatd_exec:process clatd;
-#line 49
-
-allow netd clatd:process signal;
-
-# Support netd running mdnsd
-# TODO: prune this back further
-allow netd ctl_default_prop:property_service set;
-allow netd device:sock_file write;
-
-###
-### Neverallow rules
-###
-### netd should NEVER do any of this
-
-# Block device access.
-neverallow netd dev_type:blk_file { read write };
-
-# Setting SELinux enforcing status or booleans.
-neverallow netd kernel:security { setenforce setbool };
-
-# Load security policy.
-neverallow netd kernel:security load_policy;
-
-# ptrace any other app
-neverallow netd { domain }:process ptrace;
-
-# Write to /system.
-neverallow netd system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
-
-# Write to files in /data/data or system files on /data
-neverallow netd { app_data_file system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
-#line 1 "external/sepolicy/net.te"
-# Network types
-type node, node_type;
-type netif, netif_type;
-type port, port_type;
-
-# Use network sockets.
-allow netdomain self:{ tcp_socket udp_socket } *;
-# Connect to ports.
-allow netdomain port_type:tcp_socket name_connect;
-# Bind to ports.
-allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
-allow netdomain port_type:udp_socket name_bind;
-allow netdomain port_type:tcp_socket name_bind;
-# Get route information.
-allow netdomain self:netlink_route_socket { create bind read nlmsg_read };
-
-# Talks to netd via dnsproxyd socket.
-
-#line 18
-allow netdomain dnsproxyd_socket:sock_file write;
-#line 18
-allow netdomain netd:unix_stream_socket connectto;
-#line 18
-
-#line 1 "external/sepolicy/nfc.te"
-# nfc subsystem
-type nfc, domain;
-
-#line 3
-typeattribute nfc appdomain;
-#line 3
-# Label ashmem objects with our own unique type.
-#line 3
-
-#line 3
-type nfc_tmpfs, file_type;
-#line 3
-type_transition nfc tmpfs:file nfc_tmpfs;
-#line 3
-allow nfc nfc_tmpfs:file { read write };
-#line 3
-
-#line 3
-# Map with PROT_EXEC.
-#line 3
-allow nfc nfc_tmpfs:file execute;
-#line 3
-
-
-#line 4
-typeattribute nfc binderservicedomain;
-#line 4
-
-
-# NFC device access.
-allow nfc nfc_device:chr_file { { getattr open read ioctl lock } { open append write } };
-
-# Data file accesses.
-allow nfc nfc_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow nfc nfc_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-
-allow nfc sysfs_nfc_power_writable:file { { getattr open read ioctl lock } { open append write } };
-allow nfc sysfs:file write;
-
-allow nfc sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow nfc sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-#line 1 "external/sepolicy/platform_app.te"
-###
-### Apps signed with the platform key.
-###
-
-type platform_app, domain;
-
-#line 6
-typeattribute platform_app mlstrustedsubject;
-#line 6
-typeattribute platform_app unconfineddomain;
-#line 6
-
-
-#line 7
-typeattribute platform_app appdomain;
-#line 7
-# Label ashmem objects with our own unique type.
-#line 7
-
-#line 7
-type platform_app_tmpfs, file_type;
-#line 7
-type_transition platform_app tmpfs:file platform_app_tmpfs;
-#line 7
-allow platform_app platform_app_tmpfs:file { read write };
-#line 7
-
-#line 7
-# Map with PROT_EXEC.
-#line 7
-allow platform_app platform_app_tmpfs:file execute;
-#line 7
-
-
-#line 8
-typeattribute platform_app platformappdomain;
-#line 8
-typeattribute platform_app mlstrustedsubject;
-#line 8
-
-# Access the network.
-
-#line 10
-typeattribute platform_app netdomain;
-#line 10
-
-# Access bluetooth.
-
-#line 12
-typeattribute platform_app bluetoothdomain;
-#line 12
-
-# Write to /cache.
-allow platform_app cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
-allow platform_app cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-# Read from /data/local.
-allow platform_app shell_data_file:dir search;
-allow platform_app shell_data_file:file { open getattr read };
-allow platform_app shell_data_file:lnk_file read;
-# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
-# created by system server.
-allow platform_app { apk_tmp_file apk_private_tmp_file }:file { { getattr open read ioctl lock } { open append write } };
-allow platform_app apk_private_data_file:dir search;
-# ASEC
-allow platform_app asec_apk_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow platform_app asec_apk_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-# Access download files.
-allow platform_app download_file:file { { getattr open read ioctl lock } { open append write } };
-# Allow BackupManagerService to backup all app domains
-allow platform_app appdomain:fifo_file write;
-
-#
-# Rules for all platform app domains.
-#
-
-# App sandbox file accesses.
-allow platformappdomain platform_app_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow platformappdomain platform_app_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-allow platformappdomain platform_app_data_file:file execute;
-# App sdcard file accesses
-allow platformappdomain sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow platformappdomain sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-# Access to /data/media.
-allow platformappdomain media_rw_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow platformappdomain media_rw_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-#line 1 "external/sepolicy/ppp.te"
-# Point to Point Protocol daemon
-type ppp, domain;
-
-#line 3
-typeattribute ppp mlstrustedsubject;
-#line 3
-typeattribute ppp unconfineddomain;
-#line 3
-
-type ppp_device, dev_type;
-type ppp_exec, exec_type, file_type;
-
-#line 6
-# Allow the necessary permissions.
-#line 6
-
-#line 6
-# Old domain may exec the file and transition to the new domain.
-#line 6
-allow mtp ppp_exec:file { getattr open read execute };
-#line 6
-allow mtp ppp:process transition;
-#line 6
-# New domain is entered by executing the file.
-#line 6
-allow ppp ppp_exec:file { entrypoint read execute };
-#line 6
-# New domain can send SIGCHLD to its caller.
-#line 6
-allow ppp mtp:process sigchld;
-#line 6
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 6
-dontaudit mtp ppp:process noatsecure;
-#line 6
-# XXX dontaudit candidate but requires further study.
-#line 6
-allow mtp ppp:process { siginh rlimitinh };
-#line 6
-
-#line 6
-# Make the transition occur by default.
-#line 6
-type_transition mtp ppp_exec:process ppp;
-#line 6
-
-
-allow ppp mtp:socket { ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow ppp ppp_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow ppp self:capability net_admin;
-allow ppp self:udp_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
-allow ppp system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
-allow ppp vpn_data_file:dir { open search write add_name remove_name };
-allow ppp vpn_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-allow ppp mtp:fd use;
-#line 1 "external/sepolicy/property.te"
-type default_prop, property_type;
-type shell_prop, property_type;
-type debug_prop, property_type;
-type debuggerd_prop, property_type;
-type radio_prop, property_type;
-type system_prop, property_type;
-type vold_prop, property_type;
-type rild_prop, property_type;
-type ctl_default_prop, property_type;
-type ctl_dumpstate_prop, property_type;
-type ctl_rildaemon_prop, property_type;
-type audio_prop, property_type;
-type security_prop, property_type;
-type bluetooth_prop, property_type;
-type powerctl_prop, property_type;
-#line 1 "external/sepolicy/qemud.te"
-# qemu support daemon
-type qemud, domain;
-type qemud_exec, exec_type, file_type;
-
-
-#line 5
-
-#line 5
-# Allow the necessary permissions.
-#line 5
-
-#line 5
-# Old domain may exec the file and transition to the new domain.
-#line 5
-allow init qemud_exec:file { getattr open read execute };
-#line 5
-allow init qemud:process transition;
-#line 5
-# New domain is entered by executing the file.
-#line 5
-allow qemud qemud_exec:file { entrypoint read execute };
-#line 5
-# New domain can send SIGCHLD to its caller.
-#line 5
-allow qemud init:process sigchld;
-#line 5
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 5
-dontaudit init qemud:process noatsecure;
-#line 5
-# XXX dontaudit candidate but requires further study.
-#line 5
-allow init qemud:process { siginh rlimitinh };
-#line 5
-
-#line 5
-# Make the transition occur by default.
-#line 5
-type_transition init qemud_exec:process qemud;
-#line 5
-
-#line 5
-
-#line 5
-type qemud_tmpfs, file_type;
-#line 5
-type_transition qemud tmpfs:file qemud_tmpfs;
-#line 5
-allow qemud qemud_tmpfs:file { read write };
-#line 5
-
-#line 5
-
-
-#line 6
-typeattribute qemud mlstrustedsubject;
-#line 6
-typeattribute qemud unconfineddomain;
-#line 1 "external/sepolicy/racoon.te"
-# IKE key management daemon
-type racoon, domain;
-
-#line 3
-typeattribute racoon mlstrustedsubject;
-#line 3
-typeattribute racoon unconfineddomain;
-#line 3
-
-type racoon_exec, exec_type, file_type;
-
-
-#line 6
-
-#line 6
-# Allow the necessary permissions.
-#line 6
-
-#line 6
-# Old domain may exec the file and transition to the new domain.
-#line 6
-allow init racoon_exec:file { getattr open read execute };
-#line 6
-allow init racoon:process transition;
-#line 6
-# New domain is entered by executing the file.
-#line 6
-allow racoon racoon_exec:file { entrypoint read execute };
-#line 6
-# New domain can send SIGCHLD to its caller.
-#line 6
-allow racoon init:process sigchld;
-#line 6
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 6
-dontaudit init racoon:process noatsecure;
-#line 6
-# XXX dontaudit candidate but requires further study.
-#line 6
-allow init racoon:process { siginh rlimitinh };
-#line 6
-
-#line 6
-# Make the transition occur by default.
-#line 6
-type_transition init racoon_exec:process racoon;
-#line 6
-
-#line 6
-
-#line 6
-type racoon_tmpfs, file_type;
-#line 6
-type_transition racoon tmpfs:file racoon_tmpfs;
-#line 6
-allow racoon racoon_tmpfs:file { read write };
-#line 6
-
-#line 6
-
-typeattribute racoon mlstrustedsubject;
-
-
-#line 9
-# Call the server domain and optionally transfer references to it.
-#line 9
-allow racoon servicemanager:binder { call transfer };
-#line 9
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 9
-allow servicemanager racoon:binder transfer;
-#line 9
-# Receive and use open files from the server.
-#line 9
-allow racoon servicemanager:fd use;
-#line 9
-
-
-#line 10
-# Call the server domain and optionally transfer references to it.
-#line 10
-allow racoon keystore:binder { call transfer };
-#line 10
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 10
-allow keystore racoon:binder transfer;
-#line 10
-# Receive and use open files from the server.
-#line 10
-allow racoon keystore:fd use;
-#line 10
-
-
-allow racoon tun_device:chr_file { getattr open read ioctl lock };
-allow racoon cgroup:dir { add_name create };
-allow racoon kernel:system module_request;
-allow racoon port:udp_socket name_bind;
-allow racoon node:udp_socket node_bind;
-
-allow racoon self:{ key_socket udp_socket } { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
-allow racoon self:tun_socket create;
-allow racoon self:capability { net_admin net_bind_service net_raw setuid };
-
-# XXX: should we give ip-up-vpn its own label (currently racoon domain)
-allow racoon system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
-allow racoon vpn_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-allow racoon vpn_data_file:dir { open search write add_name remove_name };
-#line 1 "external/sepolicy/radio.te"
-# phone subsystem
-type radio, domain;
-
-#line 3
-typeattribute radio appdomain;
-#line 3
-# Label ashmem objects with our own unique type.
-#line 3
-
-#line 3
-type radio_tmpfs, file_type;
-#line 3
-type_transition radio tmpfs:file radio_tmpfs;
-#line 3
-allow radio radio_tmpfs:file { read write };
-#line 3
-
-#line 3
-# Map with PROT_EXEC.
-#line 3
-allow radio radio_tmpfs:file execute;
-#line 3
-
-
-#line 4
-typeattribute radio netdomain;
-#line 4
-
-
-#line 5
-typeattribute radio bluetoothdomain;
-#line 5
-
-
-#line 6
-typeattribute radio binderservicedomain;
-#line 6
-
-
-# Talks to init via the property socket.
-
-#line 9
-allow radio property_socket:sock_file write;
-#line 9
-allow radio init:unix_stream_socket connectto;
-#line 9
-
-
-# Talks to rild via the rild socket.
-
-#line 12
-allow radio rild_socket:sock_file write;
-#line 12
-allow radio rild:unix_stream_socket connectto;
-#line 12
-
-
-# Data file accesses.
-allow radio radio_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow radio radio_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-
-allow radio alarm_device:chr_file { { getattr open read ioctl lock } { open append write } };
-
-# Property service
-allow radio radio_prop:property_service set;
-
-# ctl interface
-allow radio ctl_rildaemon_prop:property_service set;
-#line 1 "external/sepolicy/recovery.te"
-# recovery console (used in recovery init.rc for /sbin/recovery)
-type recovery, domain;
-allow recovery rootfs:file entrypoint;
-
-#line 4
-typeattribute recovery mlstrustedsubject;
-#line 4
-typeattribute recovery unconfineddomain;
-#line 4
-
-
-#line 5
-typeattribute recovery relabeltodomain;
-#line 5
-
-
-allow recovery self:capability2 mac_admin;
-
-allow recovery {fs_type dev_type -kmem_device file_type}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;
-allow recovery unlabeled:filesystem mount;
-allow recovery fs_type:filesystem *;
-
-# Required to e.g. wipe userdata/cache.
-allow recovery dev_type:blk_file { { getattr open read ioctl lock } { open append write } };
-
-allow recovery self:process execmem;
-allow recovery ashmem_device:chr_file execute;
-allow recovery tmpfs:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
-
-## TODO: Investigate whether it is safe to remove these
-allow recovery self:capability { sys_rawio mknod };
-auditallow recovery self:capability { sys_rawio mknod };
-#line 1 "external/sepolicy/release_app.te"
-###
-### Apps signed with the release key (testkey in AOSP).
-###
-
-type release_app, domain;
-
-#line 6
-typeattribute release_app mlstrustedsubject;
-#line 6
-typeattribute release_app unconfineddomain;
-#line 6
-
-
-#line 7
-typeattribute release_app appdomain;
-#line 7
-# Label ashmem objects with our own unique type.
-#line 7
-
-#line 7
-type release_app_tmpfs, file_type;
-#line 7
-type_transition release_app tmpfs:file release_app_tmpfs;
-#line 7
-allow release_app release_app_tmpfs:file { read write };
-#line 7
-
-#line 7
-# Map with PROT_EXEC.
-#line 7
-allow release_app release_app_tmpfs:file execute;
-#line 7
-
-
-#line 8
-typeattribute release_app platformappdomain;
-#line 8
-typeattribute release_app mlstrustedsubject;
-#line 8
-
-# Access the network.
-
-#line 10
-typeattribute release_app netdomain;
-#line 10
-
-# Access bluetooth.
-
-#line 12
-typeattribute release_app bluetoothdomain;
-#line 12
-
-
-# Write to /cache.
-allow release_app cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
-allow release_app cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-#line 1 "external/sepolicy/rild.te"
-# rild - radio interface layer daemon
-type rild, domain;
-
-#line 3
-typeattribute rild mlstrustedsubject;
-#line 3
-typeattribute rild unconfineddomain;
-#line 3
-
-type rild_exec, exec_type, file_type;
-
-
-#line 6
-
-#line 6
-# Allow the necessary permissions.
-#line 6
-
-#line 6
-# Old domain may exec the file and transition to the new domain.
-#line 6
-allow init rild_exec:file { getattr open read execute };
-#line 6
-allow init rild:process transition;
-#line 6
-# New domain is entered by executing the file.
-#line 6
-allow rild rild_exec:file { entrypoint read execute };
-#line 6
-# New domain can send SIGCHLD to its caller.
-#line 6
-allow rild init:process sigchld;
-#line 6
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 6
-dontaudit init rild:process noatsecure;
-#line 6
-# XXX dontaudit candidate but requires further study.
-#line 6
-allow init rild:process { siginh rlimitinh };
-#line 6
-
-#line 6
-# Make the transition occur by default.
-#line 6
-type_transition init rild_exec:process rild;
-#line 6
-
-#line 6
-
-#line 6
-type rild_tmpfs, file_type;
-#line 6
-type_transition rild tmpfs:file rild_tmpfs;
-#line 6
-allow rild rild_tmpfs:file { read write };
-#line 6
-
-#line 6
-
-
-#line 7
-typeattribute rild netdomain;
-#line 7
-
-allow rild self:netlink_route_socket { setopt write };
-allow rild kernel:system module_request;
-
-#line 10
-allow rild property_socket:sock_file write;
-#line 10
-allow rild init:unix_stream_socket connectto;
-#line 10
-
-
-#line 11
-allow rild qemud_socket:sock_file write;
-#line 11
-allow rild qemud:unix_stream_socket connectto;
-#line 11
-
-allow rild self:capability { setuid net_admin net_raw };
-allow rild alarm_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow rild cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow rild radio_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow rild radio_device:blk_file { getattr open read ioctl lock };
-allow rild qemu_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow rild mtd_device:dir search;
-allow rild efs_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow rild efs_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-allow rild shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
-allow rild bluetooth_efs_file:file { getattr open read ioctl lock };
-allow rild bluetooth_efs_file:dir { open getattr read search ioctl };
-allow rild radio_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
-allow rild radio_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-allow rild sdcard_type:dir { open getattr read search ioctl };
-allow rild system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow rild system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-allow rild system_file:file { getattr execute execute_no_trans };
-dontaudit rild self:capability sys_admin;
-
-# property service
-allow rild rild_prop:property_service set;
-allow rild radio_prop:property_service set;
-
-# Read/Write to uart driver (for GPS)
-allow rild gps_device:chr_file { { getattr open read ioctl lock } { open append write } };
-
-allow rild tty_device:chr_file { { getattr open read ioctl lock } { open append write } };
-
-# Allow rild to create, bind, read, write to itself through a netlink socket
-allow rild self:netlink_socket { create bind read write };
-
-allow rild self:netlink_kobject_uevent_socket { bind create getopt read setopt };
-
-# Access to wake locks
-allow rild sysfs_wake_lock:file { { getattr open read ioctl lock } { open append write } };
-
-allow rild self:socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
-#line 1 "external/sepolicy/runas.te"
-type runas, domain, mlstrustedsubject;
-type runas_exec, exec_type, file_type;
-
-# ndk-gdb invokes adb shell run-as.
-
-#line 5
-# Allow the necessary permissions.
-#line 5
-
-#line 5
-# Old domain may exec the file and transition to the new domain.
-#line 5
-allow shell runas_exec:file { getattr open read execute };
-#line 5
-allow shell runas:process transition;
-#line 5
-# New domain is entered by executing the file.
-#line 5
-allow runas runas_exec:file { entrypoint read execute };
-#line 5
-# New domain can send SIGCHLD to its caller.
-#line 5
-allow runas shell:process sigchld;
-#line 5
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 5
-dontaudit shell runas:process noatsecure;
-#line 5
-# XXX dontaudit candidate but requires further study.
-#line 5
-allow shell runas:process { siginh rlimitinh };
-#line 5
-
-#line 5
-# Make the transition occur by default.
-#line 5
-type_transition shell runas_exec:process runas;
-#line 5
-
-allow runas adbd:process sigchld;
-allow runas shell:fd  use;
-allow runas devpts:chr_file { read write ioctl };
-
-# run-as reads package information.
-allow runas system_data_file:file { getattr open read ioctl lock };
-
-# run-as checks and changes to the app data dir.
-dontaudit runas self:capability dac_override;
-allow runas app_data_file:dir { getattr search };
-
-# run-as switches to the app UID/GID.
-allow runas self:capability { setuid setgid };
-
-# run-as switches to the app security context.
-# read /seapp_contexts and /data/security/seapp_contexts
-
-#line 22
-allow runas security_file:dir { open getattr read search ioctl };
-#line 22
-allow runas security_file:file { getattr open read ioctl lock };
-#line 22
-allow runas security_file:lnk_file { getattr open read ioctl lock };
-#line 22
-allow runas selinuxfs:dir { open getattr read search ioctl };
-#line 22
-allow runas selinuxfs:file { getattr open read ioctl lock };
-#line 22
-allow runas rootfs:dir { open getattr read search ioctl };
-#line 22
-allow runas rootfs:file { getattr open read ioctl lock };
-#line 22
-
-
-#line 23
-allow runas selinuxfs:dir { open getattr read search ioctl };
-#line 23
-allow runas selinuxfs:file { { getattr open read ioctl lock } { open append write } };
-#line 23
-allow runas kernel:security check_context;
-#line 23
- # validate context
-allow runas { appdomain -system_app }:process dyntransition; # setcon
-#line 1 "external/sepolicy/sdcardd.te"
-type sdcardd, domain;
-type sdcardd_exec, exec_type, file_type;
-
-
-#line 4
-
-#line 4
-# Allow the necessary permissions.
-#line 4
-
-#line 4
-# Old domain may exec the file and transition to the new domain.
-#line 4
-allow init sdcardd_exec:file { getattr open read execute };
-#line 4
-allow init sdcardd:process transition;
-#line 4
-# New domain is entered by executing the file.
-#line 4
-allow sdcardd sdcardd_exec:file { entrypoint read execute };
-#line 4
-# New domain can send SIGCHLD to its caller.
-#line 4
-allow sdcardd init:process sigchld;
-#line 4
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 4
-dontaudit init sdcardd:process noatsecure;
-#line 4
-# XXX dontaudit candidate but requires further study.
-#line 4
-allow init sdcardd:process { siginh rlimitinh };
-#line 4
-
-#line 4
-# Make the transition occur by default.
-#line 4
-type_transition init sdcardd_exec:process sdcardd;
-#line 4
-
-#line 4
-
-#line 4
-type sdcardd_tmpfs, file_type;
-#line 4
-type_transition sdcardd tmpfs:file sdcardd_tmpfs;
-#line 4
-allow sdcardd sdcardd_tmpfs:file { read write };
-#line 4
-
-#line 4
-
-
-allow sdcardd cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow sdcardd fuse_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow sdcardd rootfs:dir mounton;
-allow sdcardd sdcard_type:filesystem mount;
-allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
-
-allow sdcardd sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow sdcardd sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-
-type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
-allow sdcardd media_rw_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow sdcardd media_rw_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-
-# Read /data/system/packages.list.
-allow sdcardd system_data_file:file { getattr open read ioctl lock };
-
-# Compatibility for existing devices with /data/media in system_data_file.
-# TODO: Remove these lines after we have guaranteed that /data/media has been relabeled to media_rw_data_file.
-allow sdcardd system_data_file:dir  { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow sdcardd system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-#line 1 "external/sepolicy/servicemanager.te"
-# servicemanager - the Binder context manager
-type servicemanager, domain;
-type servicemanager_exec, exec_type, file_type;
-
-
-#line 5
-
-#line 5
-# Allow the necessary permissions.
-#line 5
-
-#line 5
-# Old domain may exec the file and transition to the new domain.
-#line 5
-allow init servicemanager_exec:file { getattr open read execute };
-#line 5
-allow init servicemanager:process transition;
-#line 5
-# New domain is entered by executing the file.
-#line 5
-allow servicemanager servicemanager_exec:file { entrypoint read execute };
-#line 5
-# New domain can send SIGCHLD to its caller.
-#line 5
-allow servicemanager init:process sigchld;
-#line 5
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 5
-dontaudit init servicemanager:process noatsecure;
-#line 5
-# XXX dontaudit candidate but requires further study.
-#line 5
-allow init servicemanager:process { siginh rlimitinh };
-#line 5
-
-#line 5
-# Make the transition occur by default.
-#line 5
-type_transition init servicemanager_exec:process servicemanager;
-#line 5
-
-#line 5
-
-#line 5
-type servicemanager_tmpfs, file_type;
-#line 5
-type_transition servicemanager tmpfs:file servicemanager_tmpfs;
-#line 5
-allow servicemanager servicemanager_tmpfs:file { read write };
-#line 5
-
-#line 5
-
-
-# Note that we do not use the binder_* macros here.
-# servicemanager is unique in that it only provides
-# name service (aka context manager) for Binder.
-# As such, it only ever receives and transfers other references
-# created by other domains.  It never passes its own references
-# or initiates a Binder IPC.
-allow servicemanager self:binder set_context_mgr;
-allow servicemanager domain:binder transfer;
-#line 1 "external/sepolicy/shared_app.te"
-###
-### Apps signed with the shared key.
-###
-
-type shared_app, domain;
-
-#line 6
-typeattribute shared_app mlstrustedsubject;
-#line 6
-typeattribute shared_app unconfineddomain;
-#line 6
-
-
-#line 7
-typeattribute shared_app appdomain;
-#line 7
-# Label ashmem objects with our own unique type.
-#line 7
-
-#line 7
-type shared_app_tmpfs, file_type;
-#line 7
-type_transition shared_app tmpfs:file shared_app_tmpfs;
-#line 7
-allow shared_app shared_app_tmpfs:file { read write };
-#line 7
-
-#line 7
-# Map with PROT_EXEC.
-#line 7
-allow shared_app shared_app_tmpfs:file execute;
-#line 7
-
-
-#line 8
-typeattribute shared_app platformappdomain;
-#line 8
-typeattribute shared_app mlstrustedsubject;
-#line 8
-
-# Access the network.
-
-#line 10
-typeattribute shared_app netdomain;
-#line 10
-
-# Access bluetooth.
-
-#line 12
-typeattribute shared_app bluetoothdomain;
-#line 12
-
-#line 1 "external/sepolicy/shelldomain.te"
-# Rules for all shell domains (e.g. console service and adb shell).
-
-# Access /data/local/tmp.
-allow shelldomain shell_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow shelldomain shell_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-allow shelldomain shell_data_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
-
-# Access sdcard.
-allow shelldomain sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow shelldomain sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-
-# adb bugreport
-
-#line 13
-allow shelldomain dumpstate_socket:sock_file write;
-#line 13
-allow shelldomain dumpstate:unix_stream_socket connectto;
-#line 13
-
-
-allow shelldomain rootfs:dir { open getattr read search ioctl };
-allow shelldomain devpts:chr_file { { getattr open read ioctl lock } { open append write } };
-allow shelldomain tty_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow shelldomain console_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow shelldomain input_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow shelldomain system_file:file { getattr execute execute_no_trans };
-allow shelldomain shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
-allow shelldomain zygote_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
-
-
-#line 24
-allow shelldomain apk_data_file:dir { open getattr read search ioctl };
-#line 24
-allow shelldomain apk_data_file:{ file lnk_file } { getattr open read ioctl lock };
-#line 24
-
-
-# Set properties.
-
-#line 27
-allow shelldomain property_socket:sock_file write;
-#line 27
-allow shelldomain init:unix_stream_socket connectto;
-#line 27
-
-allow shelldomain shell_prop:property_service set;
-allow shelldomain ctl_dumpstate_prop:property_service set;
-allow shelldomain debug_prop:property_service set;
-allow shelldomain powerctl_prop:property_service set;
-
-# ndk-gdb invokes adb shell ps to find the app PID.
-
-#line 34
-allow shelldomain { appdomain -system_app }:dir { open getattr read search ioctl };
-#line 34
-allow shelldomain { appdomain -system_app }:{ file lnk_file } { getattr open read ioctl lock };
-#line 34
-
-
-# ndk-gdb invokes adb shell ls to check the app data dir.
-allow shelldomain app_data_file:dir search;
-
-# ps and ps -Z output for app processes.
-
-#line 40
-allow shelldomain appdomain:dir { open getattr read search ioctl };
-#line 40
-allow shelldomain appdomain:{ file lnk_file } { getattr open read ioctl lock };
-#line 40
-
-allow shelldomain appdomain:process getattr;
-#line 1 "external/sepolicy/shell.te"
-# Domain for shell processes spawned by ADB
-type shell, domain, shelldomain, mlstrustedsubject;
-type shell_exec, exec_type, file_type;
-
-# Create and use network sockets.
-
-#line 6
-typeattribute shell netdomain;
-#line 6
-
-
-# Run app_process.
-# XXX Transition into its own domain?
-
-#line 10
-typeattribute shell appdomain;
-#line 10
-# Label ashmem objects with our own unique type.
-#line 10
-
-#line 10
-type shell_tmpfs, file_type;
-#line 10
-type_transition shell tmpfs:file shell_tmpfs;
-#line 10
-allow shell shell_tmpfs:file { read write };
-#line 10
-
-#line 10
-# Map with PROT_EXEC.
-#line 10
-allow shell shell_tmpfs:file execute;
-#line 10
-
-
-# inherits from shelldomain.te
-#line 1 "external/sepolicy/surfaceflinger.te"
-# surfaceflinger - display compositor service
-type surfaceflinger, domain;
-
-#line 3
-typeattribute surfaceflinger mlstrustedsubject;
-#line 3
-typeattribute surfaceflinger unconfineddomain;
-#line 3
-
-type surfaceflinger_exec, exec_type, file_type;
-
-
-#line 6
-
-#line 6
-# Allow the necessary permissions.
-#line 6
-
-#line 6
-# Old domain may exec the file and transition to the new domain.
-#line 6
-allow init surfaceflinger_exec:file { getattr open read execute };
-#line 6
-allow init surfaceflinger:process transition;
-#line 6
-# New domain is entered by executing the file.
-#line 6
-allow surfaceflinger surfaceflinger_exec:file { entrypoint read execute };
-#line 6
-# New domain can send SIGCHLD to its caller.
-#line 6
-allow surfaceflinger init:process sigchld;
-#line 6
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 6
-dontaudit init surfaceflinger:process noatsecure;
-#line 6
-# XXX dontaudit candidate but requires further study.
-#line 6
-allow init surfaceflinger:process { siginh rlimitinh };
-#line 6
-
-#line 6
-# Make the transition occur by default.
-#line 6
-type_transition init surfaceflinger_exec:process surfaceflinger;
-#line 6
-
-#line 6
-
-#line 6
-type surfaceflinger_tmpfs, file_type;
-#line 6
-type_transition surfaceflinger tmpfs:file surfaceflinger_tmpfs;
-#line 6
-allow surfaceflinger surfaceflinger_tmpfs:file { read write };
-#line 6
-
-#line 6
-
-typeattribute surfaceflinger mlstrustedsubject;
-
-# Talk to init over the property socket.
-
-#line 10
-allow surfaceflinger property_socket:sock_file write;
-#line 10
-allow surfaceflinger init:unix_stream_socket connectto;
-#line 10
-
-
-# Perform Binder IPC.
-
-#line 13
-# Call the servicemanager and transfer references to it.
-#line 13
-allow surfaceflinger servicemanager:binder { call transfer };
-#line 13
-# rw access to /dev/binder and /dev/ashmem is presently granted to
-#line 13
-# all domains in domain.te.
-#line 13
-
-
-#line 14
-# Call the server domain and optionally transfer references to it.
-#line 14
-allow surfaceflinger system_server:binder { call transfer };
-#line 14
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 14
-allow system_server surfaceflinger:binder transfer;
-#line 14
-# Receive and use open files from the server.
-#line 14
-allow surfaceflinger system_server:fd use;
-#line 14
-
-
-#line 15
-# Call the server domain and optionally transfer references to it.
-#line 15
-allow surfaceflinger nfc:binder { call transfer };
-#line 15
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 15
-allow nfc surfaceflinger:binder transfer;
-#line 15
-# Receive and use open files from the server.
-#line 15
-allow surfaceflinger nfc:fd use;
-#line 15
-
-
-#line 16
-# Call the server domain and optionally transfer references to it.
-#line 16
-allow surfaceflinger mediaserver:binder { call transfer };
-#line 16
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 16
-allow mediaserver surfaceflinger:binder transfer;
-#line 16
-# Receive and use open files from the server.
-#line 16
-allow surfaceflinger mediaserver:fd use;
-#line 16
-
-
-#line 17
-typeattribute surfaceflinger binderservicedomain;
-#line 17
-
-
-# Access the GPU.
-allow surfaceflinger gpu_device:chr_file { { getattr open read ioctl lock } { open append write } };
-
-# Access /dev/graphics/fb0.
-allow surfaceflinger graphics_device:dir search;
-allow surfaceflinger graphics_device:chr_file { { getattr open read ioctl lock } { open append write } };
-
-# Access /dev/video1.
-allow surfaceflinger video_device:dir { open getattr read search ioctl };
-allow surfaceflinger video_device:chr_file { { getattr open read ioctl lock } { open append write } };
-
-# Create and use netlink kobject uevent sockets.
-allow surfaceflinger self:netlink_kobject_uevent_socket *;
-
-# Set properties.
-allow surfaceflinger system_prop:property_service set;
-allow surfaceflinger ctl_default_prop:property_service set;
-
-# Use open files supplied by an app.
-allow surfaceflinger appdomain:fd use;
-allow surfaceflinger platform_app_data_file:file { read write };
-allow surfaceflinger app_data_file:file { read write };
-
-# Use open file provided by bootanim.
-allow surfaceflinger bootanim:fd use;
-
-# Allow a dumpstate triggered screenshot
-
-#line 46
-# Call the server domain and optionally transfer references to it.
-#line 46
-allow surfaceflinger dumpstate:binder { call transfer };
-#line 46
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 46
-allow dumpstate surfaceflinger:binder transfer;
-#line 46
-# Receive and use open files from the server.
-#line 46
-allow surfaceflinger dumpstate:fd use;
-#line 46
-
-
-#line 47
-# Call the server domain and optionally transfer references to it.
-#line 47
-allow surfaceflinger shell:binder { call transfer };
-#line 47
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 47
-allow shell surfaceflinger:binder transfer;
-#line 47
-# Receive and use open files from the server.
-#line 47
-allow surfaceflinger shell:fd use;
-#line 47
-
-
-# Needed on some devices for playing DRM protected content,
-# but seems expected and appropriate for all devices.
-allow surfaceflinger tee:unix_stream_socket connectto;
-allow surfaceflinger tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
-#line 1 "external/sepolicy/su.te"
-# File types must be defined for file_contexts.
-type su_exec, exec_type, file_type;
-
-#line 23
-
-#line 1 "external/sepolicy/system_app.te"
-#
-# Apps that run with the system UID, e.g. com.android.system.ui,
-# com.android.settings.  These are not as privileged as the system
-# server.
-#
-type system_app, domain;
-
-#line 7
-typeattribute system_app mlstrustedsubject;
-#line 7
-typeattribute system_app unconfineddomain;
-#line 7
-
-
-#line 8
-typeattribute system_app appdomain;
-#line 8
-# Label ashmem objects with our own unique type.
-#line 8
-
-#line 8
-type system_app_tmpfs, file_type;
-#line 8
-type_transition system_app tmpfs:file system_app_tmpfs;
-#line 8
-allow system_app system_app_tmpfs:file { read write };
-#line 8
-
-#line 8
-# Map with PROT_EXEC.
-#line 8
-allow system_app system_app_tmpfs:file execute;
-#line 8
-
-
-#line 9
-typeattribute system_app binderservicedomain;
-#line 9
-
-
-# Perform binder IPC to any app domain.
-
-#line 12
-# Call the server domain and optionally transfer references to it.
-#line 12
-allow system_app appdomain:binder { call transfer };
-#line 12
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 12
-allow appdomain system_app:binder transfer;
-#line 12
-# Receive and use open files from the server.
-#line 12
-allow system_app appdomain:fd use;
-#line 12
-
-
-# Read and write system data files.
-# May want to split into separate types.
-allow system_app system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow system_app system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-
-# Read wallpaper file.
-allow system_app wallpaper_file:file { getattr open read ioctl lock };
-
-# Write to dalvikcache.
-allow system_app dalvikcache_data_file:file { write setattr };
-
-# Talk to keystore.
-
-#line 26
-allow system_app keystore_socket:sock_file write;
-#line 26
-allow system_app keystore:unix_stream_socket connectto;
-#line 26
-
-
-# Read SELinux enforcing status.
-
-#line 29
-allow system_app selinuxfs:dir { open getattr read search ioctl };
-#line 29
-allow system_app selinuxfs:file { getattr open read ioctl lock };
-#line 29
-
-
-# Settings app reads sdcard for storage stats
-allow system_app sdcard_type:dir { open getattr read search ioctl };
-
-# Write to properties
-
-#line 35
-allow system_app property_socket:sock_file write;
-#line 35
-allow system_app init:unix_stream_socket connectto;
-#line 35
-
-allow system_app debug_prop:property_service set;
-allow system_app radio_prop:property_service set;
-allow system_app system_prop:property_service set;
-#line 1 "external/sepolicy/system_server.te"
-#
-# System Server aka system_server spawned by zygote.
-# Most of the framework services run in this process.
-#
-type system_server, domain, mlstrustedsubject;
-
-#line 6
-typeattribute system_server mlstrustedsubject;
-#line 6
-typeattribute system_server unconfineddomain;
-#line 6
-
-
-# Define a type for tmpfs-backed ashmem regions.
-
-#line 9
-type system_server_tmpfs, file_type;
-#line 9
-type_transition system_server tmpfs:file system_server_tmpfs;
-#line 9
-allow system_server system_server_tmpfs:file { read write };
-#line 9
-
-
-# Dalvik Compiler JIT Mapping.
-allow system_server self:process execmem;
-allow system_server ashmem_device:chr_file execute;
-allow system_server system_server_tmpfs:file execute;
-
-# For art.
-allow system_server dalvikcache_data_file:file execute;
-
-# Child of the zygote.
-allow system_server zygote:fd use;
-allow system_server zygote:process sigchld;
-allow system_server zygote_tmpfs:file read;
-
-# Needed to close the zygote socket, which involves getopt / getattr
-# This should be deleted after b/12061011 is fixed
-allow system_server zygote:unix_stream_socket { getopt getattr };
-
-# system server gets network and bluetooth permissions.
-
-#line 29
-typeattribute system_server netdomain;
-#line 29
-
-
-#line 30
-typeattribute system_server bluetoothdomain;
-#line 30
-
-
-# These are the capabilities assigned by the zygote to the
-# system server.
-allow system_server self:capability {
-    kill
-    net_admin
-    net_bind_service
-    net_broadcast
-    net_raw
-    sys_boot
-    sys_module
-    sys_nice
-    sys_resource
-    sys_time
-    sys_tty_config
-};
-
-allow system_server self:capability2 block_suspend;
-
-# Triggered by /proc/pid accesses, not allowed.
-dontaudit system_server self:capability sys_ptrace;
-
-# Trigger module auto-load.
-allow system_server kernel:system module_request;
-
-# Use netlink uevent sockets.
-allow system_server self:netlink_kobject_uevent_socket *;
-
-# Kill apps.
-allow system_server appdomain:process { sigkill signal };
-
-# Set scheduling info for apps.
-allow system_server appdomain:process { getsched setsched };
-allow system_server mediaserver:process { getsched setsched };
-
-# Read /proc data for apps.
-allow system_server appdomain:dir { open getattr read search ioctl };
-allow system_server appdomain:{ file lnk_file } { { getattr open read ioctl lock } { open append write } };
-
-# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
-allow system_server qtaguid_proc:file { { getattr open read ioctl lock } { open append write } };
-allow system_server qtaguid_device:chr_file { { getattr open read ioctl lock } { open append write } };
-
-# Read /sys/kernel/debug/wakeup_sources.
-allow system_server debugfs:file { getattr open read ioctl lock };
-
-# WifiWatchdog uses a packet_socket
-allow system_server self:packet_socket *;
-
-# 3rd party VPN clients require a tun_socket to be created
-allow system_server self:tun_socket create;
-
-# Notify init of death.
-allow system_server init:process sigchld;
-
-# Talk to init and various daemons via sockets.
-
-#line 87
-allow system_server property_socket:sock_file write;
-#line 87
-allow system_server init:unix_stream_socket connectto;
-#line 87
-
-
-#line 88
-allow system_server qemud_socket:sock_file write;
-#line 88
-allow system_server qemud:unix_stream_socket connectto;
-#line 88
-
-
-#line 89
-allow system_server installd_socket:sock_file write;
-#line 89
-allow system_server installd:unix_stream_socket connectto;
-#line 89
-
-
-#line 90
-allow system_server lmkd_socket:sock_file write;
-#line 90
-allow system_server lmkd:unix_stream_socket connectto;
-#line 90
-
-
-#line 91
-allow system_server netd_socket:sock_file write;
-#line 91
-allow system_server netd:unix_stream_socket connectto;
-#line 91
-
-
-#line 92
-allow system_server vold_socket:sock_file write;
-#line 92
-allow system_server vold:unix_stream_socket connectto;
-#line 92
-
-
-#line 93
-allow system_server zygote_socket:sock_file write;
-#line 93
-allow system_server zygote:unix_stream_socket connectto;
-#line 93
-
-
-#line 94
-allow system_server keystore_socket:sock_file write;
-#line 94
-allow system_server keystore:unix_stream_socket connectto;
-#line 94
-
-
-#line 95
-allow system_server gps_socket:sock_file write;
-#line 95
-allow system_server gpsd:unix_stream_socket connectto;
-#line 95
-
-
-#line 96
-allow system_server racoon_socket:sock_file write;
-#line 96
-allow system_server racoon:unix_stream_socket connectto;
-#line 96
-
-
-#line 97
-allow system_server wpa_socket:sock_file write;
-#line 97
-allow system_server wpa:unix_dgram_socket sendto;
-#line 97
-
-
-# Communicate over a socket created by surfaceflinger.
-allow system_server surfaceflinger:unix_stream_socket { read write setopt };
-
-# Perform Binder IPC.
-
-#line 103
-# Call the servicemanager and transfer references to it.
-#line 103
-allow system_server servicemanager:binder { call transfer };
-#line 103
-# rw access to /dev/binder and /dev/ashmem is presently granted to
-#line 103
-# all domains in domain.te.
-#line 103
-
-
-#line 104
-# Call the server domain and optionally transfer references to it.
-#line 104
-allow system_server binderservicedomain:binder { call transfer };
-#line 104
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 104
-allow binderservicedomain system_server:binder transfer;
-#line 104
-# Receive and use open files from the server.
-#line 104
-allow system_server binderservicedomain:fd use;
-#line 104
-
-
-#line 105
-# Call the server domain and optionally transfer references to it.
-#line 105
-allow system_server appdomain:binder { call transfer };
-#line 105
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 105
-allow appdomain system_server:binder transfer;
-#line 105
-# Receive and use open files from the server.
-#line 105
-allow system_server appdomain:fd use;
-#line 105
-
-
-#line 106
-# Call the server domain and optionally transfer references to it.
-#line 106
-allow system_server healthd:binder { call transfer };
-#line 106
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 106
-allow healthd system_server:binder transfer;
-#line 106
-# Receive and use open files from the server.
-#line 106
-allow system_server healthd:fd use;
-#line 106
-
-
-#line 107
-# Call the server domain and optionally transfer references to it.
-#line 107
-allow system_server dumpstate:binder { call transfer };
-#line 107
-# Allow the serverdomain to transfer references to the client on the reply.
-#line 107
-allow dumpstate system_server:binder transfer;
-#line 107
-# Receive and use open files from the server.
-#line 107
-allow system_server dumpstate:fd use;
-#line 107
-
-
-#line 108
-typeattribute system_server binderservicedomain;
-#line 108
-
-
-# Read /proc/pid files for Binder clients.
-
-#line 111
-allow system_server appdomain:dir { open getattr read search ioctl };
-#line 111
-allow system_server appdomain:{ file lnk_file } { getattr open read ioctl lock };
-#line 111
-
-
-#line 112
-allow system_server mediaserver:dir { open getattr read search ioctl };
-#line 112
-allow system_server mediaserver:{ file lnk_file } { getattr open read ioctl lock };
-#line 112
-
-allow system_server appdomain:process getattr;
-allow system_server mediaserver:process getattr;
-
-# Check SELinux permissions.
-
-#line 117
-allow system_server selinuxfs:dir { open getattr read search ioctl };
-#line 117
-allow system_server selinuxfs:file { { getattr open read ioctl lock } { open append write } };
-#line 117
-allow system_server kernel:security compute_av;
-#line 117
-allow system_server self:netlink_selinux_socket *;
-#line 117
-
-
-# XXX Label sysfs files with a specific type?
-allow system_server sysfs:file { { getattr open read ioctl lock } { open append write } };
-allow system_server sysfs_nfc_power_writable:file { { getattr open read ioctl lock } { open append write } };
-
-# Access devices.
-allow system_server device:dir { open getattr read search ioctl };
-allow system_server mdns_socket:sock_file { { getattr open read ioctl lock } { open append write } };
-allow system_server alarm_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow system_server gpu_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow system_server graphics_device:dir search;
-allow system_server graphics_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow system_server iio_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow system_server input_device:dir { open getattr read search ioctl };
-allow system_server input_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow system_server tty_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow system_server urandom_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow system_server usbaccessory_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow system_server video_device:dir { open getattr read search ioctl };
-allow system_server video_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow system_server qemu_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow system_server adbd_socket:sock_file { { getattr open read ioctl lock } { open append write } };
-
-# tun device used for 3rd party vpn apps
-allow system_server tun_device:chr_file { { getattr open read ioctl lock } { open append write } };
-
-# Manage data files.
-allow system_server data_file_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow system_server data_file_type:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-
-# Read /file_contexts and /data/security/file_contexts
-
-#line 149
-allow system_server security_file:dir { open getattr read search ioctl };
-#line 149
-allow system_server security_file:file { getattr open read ioctl lock };
-#line 149
-allow system_server security_file:lnk_file { getattr open read ioctl lock };
-#line 149
-allow system_server selinuxfs:dir { open getattr read search ioctl };
-#line 149
-allow system_server selinuxfs:file { getattr open read ioctl lock };
-#line 149
-allow system_server rootfs:dir { open getattr read search ioctl };
-#line 149
-allow system_server rootfs:file { getattr open read ioctl lock };
-#line 149
-
-
-# Relabel apk files.
-
-#line 152
-typeattribute system_server relabeltodomain;
-#line 152
-
-allow system_server { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };
-allow system_server { apk_data_file apk_private_data_file }:file { relabelfrom relabelto };
-
-# Relabel wallpaper.
-allow system_server system_data_file:file relabelfrom;
-allow system_server wallpaper_file:file relabelto;
-allow system_server wallpaper_file:file { { getattr open read ioctl lock } { open append write } };
-
-# Relabel /data/anr.
-allow system_server system_data_file:dir relabelfrom;
-allow system_server anr_data_file:dir relabelto;
-
-# Property Service write
-allow system_server system_prop:property_service set;
-allow system_server radio_prop:property_service set;
-allow system_server debug_prop:property_service set;
-allow system_server powerctl_prop:property_service set;
-
-# ctl interface
-allow system_server ctl_default_prop:property_service set;
-
-# Create a socket for receiving info from wpa.
-type_transition system_server wifi_data_file:sock_file system_wpa_socket;
-type_transition system_server wpa_socket:sock_file system_wpa_socket;
-allow system_server wpa_socket:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
-allow system_server system_wpa_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-
-# Remove sockets created by wpa_supplicant
-allow system_server wpa_socket:sock_file unlink;
-
-# Create a socket for connections from debuggerd.
-type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
-allow system_server system_ndebug_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-
-# Specify any arguments to zygote.
-allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };
-
-# Manage cache files.
-allow system_server cache_file:dir { relabelfrom { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } };
-allow system_server cache_file:file { relabelfrom { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } } };
-
-# Run system programs, e.g. dexopt.
-allow system_server system_file:file { getattr execute execute_no_trans };
-
-# Allow reading of /proc/pid data for other domains.
-# XXX dontaudit candidate
-allow system_server domain:dir { open getattr read search ioctl };
-allow system_server domain:file { getattr open read ioctl lock };
-
-# LocationManager(e.g, GPS) needs to read and write
-# to uart driver and ctrl proc entry
-allow system_server gps_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow system_server gps_control:file { { getattr open read ioctl lock } { open append write } };
-
-# Allow system_server to use app-created sockets.
-allow system_server appdomain:{ tcp_socket udp_socket } { setopt read write };
-
-# Allow abstract socket connection
-allow system_server rild:unix_stream_socket connectto;
-
-# connect to vpn tunnel
-allow system_server mtp:unix_stream_socket { connectto };
-
-# BackupManagerService lets PMS create a data backup file
-allow system_server cache_backup_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-# Relabel /data/backup
-allow system_server backup_data_file:dir { relabelto relabelfrom };
-# Relabel /cache/.*\.{data|restore}
-allow system_server cache_backup_file:file { relabelto relabelfrom };
-# LocalTransport creates and relabels /cache/backup
-allow system_server cache_backup_file:dir { relabelto relabelfrom { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } };
-
-# Allow system to talk to usb device
-allow system_server usb_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow system_server usb_device:dir { open getattr read search ioctl };
-
-# Allow system to talk to sensors
-allow system_server sensors_device:chr_file { { getattr open read ioctl lock } { open append write } };
-
-# Read from HW RNG (needed by EntropyMixer).
-allow system_server hw_random_device:chr_file { getattr open read ioctl lock };
-
-# Access to wake locks
-allow system_server sysfs_wake_lock:file { { getattr open read ioctl lock } { open append write } };
-
-# Read and delete files under /dev/fscklogs.
-
-#line 239
-allow system_server fscklogs:dir { open getattr read search ioctl };
-#line 239
-allow system_server fscklogs:{ file lnk_file } { getattr open read ioctl lock };
-#line 239
-
-allow system_server fscklogs:dir { write remove_name };
-allow system_server fscklogs:file unlink;
-
-# For SELinuxPolicyInstallReceiver
-
-#line 244
-
-#line 244
-allow system_server security_file:dir { open getattr read search ioctl };
-#line 244
-allow system_server security_file:file { getattr open read ioctl lock };
-#line 244
-allow system_server security_file:lnk_file { getattr open read ioctl lock };
-#line 244
-allow system_server selinuxfs:dir { open getattr read search ioctl };
-#line 244
-allow system_server selinuxfs:file { getattr open read ioctl lock };
-#line 244
-allow system_server rootfs:dir { open getattr read search ioctl };
-#line 244
-allow system_server rootfs:file { getattr open read ioctl lock };
-#line 244
-
-#line 244
-
-#line 244
-allow system_server property_socket:sock_file write;
-#line 244
-allow system_server init:unix_stream_socket connectto;
-#line 244
-
-#line 244
-allow system_server security_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-#line 244
-allow system_server security_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-#line 244
-allow system_server security_file:lnk_file { create rename unlink };
-#line 244
-allow system_server security_prop:property_service set;
-#line 244
-
-
-# For legacy unlabeled userdata on existing devices.
-# See discussion of Unlabeled files in domain.te for more information.
-# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
-allow system_server unlabeled:file execute;
-
-# logd access, system_server inherit logd write socket
-# (urge is to deprecate this long term)
-allow system_server zygote:unix_dgram_socket write;
-
-# Be consistent with DAC permissions. Allow system_server to write to
-# /sys/module/lowmemorykiller/parameters/adj
-# /sys/module/lowmemorykiller/parameters/minfree
-allow system_server sysfs_lowmemorykiller:file { open append write };
-#line 1 "external/sepolicy/tee.te"
-##
-# trusted execution environment (tee) daemon
-#
-type tee, domain;
-type tee_exec, exec_type, file_type;
-type tee_device, dev_type;
-type tee_data_file, file_type, data_file_type;
-
-
-#line 9
-
-#line 9
-# Allow the necessary permissions.
-#line 9
-
-#line 9
-# Old domain may exec the file and transition to the new domain.
-#line 9
-allow init tee_exec:file { getattr open read execute };
-#line 9
-allow init tee:process transition;
-#line 9
-# New domain is entered by executing the file.
-#line 9
-allow tee tee_exec:file { entrypoint read execute };
-#line 9
-# New domain can send SIGCHLD to its caller.
-#line 9
-allow tee init:process sigchld;
-#line 9
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 9
-dontaudit init tee:process noatsecure;
-#line 9
-# XXX dontaudit candidate but requires further study.
-#line 9
-allow init tee:process { siginh rlimitinh };
-#line 9
-
-#line 9
-# Make the transition occur by default.
-#line 9
-type_transition init tee_exec:process tee;
-#line 9
-
-#line 9
-
-#line 9
-type tee_tmpfs, file_type;
-#line 9
-type_transition tee tmpfs:file tee_tmpfs;
-#line 9
-allow tee tee_tmpfs:file { read write };
-#line 9
-
-#line 9
-
-allow tee self:capability { dac_override };
-allow tee tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow tee tee_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
-allow tee tee_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-allow tee self:netlink_socket { create bind read };
-#line 1 "external/sepolicy/ueventd.te"
-# ueventd seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type ueventd, domain;
-
-#line 4
-type ueventd_tmpfs, file_type;
-#line 4
-type_transition ueventd tmpfs:file ueventd_tmpfs;
-#line 4
-allow ueventd ueventd_tmpfs:file { read write };
-#line 4
-
-
-#line 5
-type_transition ueventd device:chr_file klog_device "__kmsg__";
-#line 5
-allow ueventd klog_device:chr_file { create open write unlink };
-#line 5
-allow ueventd device:dir { write add_name remove_name };
-#line 5
-
-
-#line 6
-allow ueventd security_file:dir { open getattr read search ioctl };
-#line 6
-allow ueventd security_file:file { getattr open read ioctl lock };
-#line 6
-allow ueventd security_file:lnk_file { getattr open read ioctl lock };
-#line 6
-allow ueventd selinuxfs:dir { open getattr read search ioctl };
-#line 6
-allow ueventd selinuxfs:file { getattr open read ioctl lock };
-#line 6
-allow ueventd rootfs:dir { open getattr read search ioctl };
-#line 6
-allow ueventd rootfs:file { getattr open read ioctl lock };
-#line 6
-
-
-#line 7
-typeattribute ueventd relabeltodomain;
-#line 7
-
-allow ueventd rootfs:file entrypoint;
-allow ueventd init:process sigchld;
-allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
-allow ueventd device:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-allow ueventd device:chr_file { { getattr open read ioctl lock } { open append write } };
-allow ueventd sysfs:file { { getattr open read ioctl lock } { open append write } };
-allow ueventd sysfs:file setattr;
-allow ueventd sysfs_type:file { relabelfrom relabelto };
-allow ueventd sysfs_devices_system_cpu:file { { getattr open read ioctl lock } { open append write } };
-allow ueventd tmpfs:chr_file { { getattr open read ioctl lock } { open append write } };
-allow ueventd dev_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow ueventd dev_type:lnk_file { create unlink };
-allow ueventd dev_type:chr_file { create setattr unlink };
-allow ueventd dev_type:blk_file { create setattr unlink };
-allow ueventd self:netlink_kobject_uevent_socket *;
-allow ueventd efs_file:dir search;
-allow ueventd efs_file:file { getattr open read ioctl lock };
-#line 1 "external/sepolicy/unconfined.te"
-#######################################################
-#
-# This is the unconfined template. This template is the base policy
-# which is used by daemons and other privileged components of
-# Android.
-#
-# Historically, this template was called "unconfined" because it
-# allowed the domain to do anything it wanted. Over time,
-# this has changed, and will continue to change in the future.
-# The rules in this file will be removed when no remaining
-# unconfined domains require it, or when the rules contradict
-# Android security best practices. Domains which need rules not
-# provided by the unconfined template should add them directly to
-# the relevant policy.
-#
-# The use of this template is discouraged.
-######################################################
-
-allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module };
-allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
-allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
-allow unconfineddomain kernel:system *;
-allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition };
-allow unconfineddomain domain:fd *;
-allow unconfineddomain domain:dir { open getattr read search ioctl };
-allow unconfineddomain domain:lnk_file { getattr open read ioctl lock };
-allow unconfineddomain domain:{ fifo_file file } { { getattr open read ioctl lock } { open append write } };
-allow unconfineddomain domain:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket } *;
-allow unconfineddomain domain:{ sem msgq shm ipc } *;
-allow unconfineddomain domain:key *;
-allow unconfineddomain {fs_type dev_type file_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
-allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
-allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod execute relabelto};
-allow unconfineddomain { rootfs system_file exec_type }:file execute;
-allow unconfineddomain node_type:node *;
-allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
-allow unconfineddomain netif_type:netif *;
-allow unconfineddomain port_type:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket } name_bind;
-allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
-allow unconfineddomain domain:peer recv;
-allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };
-allow unconfineddomain property_type:property_service set;
-#line 1 "external/sepolicy/uncrypt.te"
-# uncrypt
-type uncrypt, domain;
-type uncrypt_exec, exec_type, file_type;
-
-
-#line 5
-
-#line 5
-# Allow the necessary permissions.
-#line 5
-
-#line 5
-# Old domain may exec the file and transition to the new domain.
-#line 5
-allow init uncrypt_exec:file { getattr open read execute };
-#line 5
-allow init uncrypt:process transition;
-#line 5
-# New domain is entered by executing the file.
-#line 5
-allow uncrypt uncrypt_exec:file { entrypoint read execute };
-#line 5
-# New domain can send SIGCHLD to its caller.
-#line 5
-allow uncrypt init:process sigchld;
-#line 5
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 5
-dontaudit init uncrypt:process noatsecure;
-#line 5
-# XXX dontaudit candidate but requires further study.
-#line 5
-allow init uncrypt:process { siginh rlimitinh };
-#line 5
-
-#line 5
-# Make the transition occur by default.
-#line 5
-type_transition init uncrypt_exec:process uncrypt;
-#line 5
-
-#line 5
-
-#line 5
-type uncrypt_tmpfs, file_type;
-#line 5
-type_transition uncrypt tmpfs:file uncrypt_tmpfs;
-#line 5
-allow uncrypt uncrypt_tmpfs:file { read write };
-#line 5
-
-#line 5
-
-
-#line 6
-typeattribute uncrypt mlstrustedsubject;
-#line 6
-typeattribute uncrypt unconfineddomain;
-#line 6
-
-
-allow uncrypt self:capability dac_override;
-
-# Read OTA zip file from /data/data/com.google.android.gsf/app_download
-
-#line 11
-allow uncrypt app_data_file:dir { open getattr read search ioctl };
-#line 11
-allow uncrypt app_data_file:{ file lnk_file } { getattr open read ioctl lock };
-#line 11
-
-
-#line 16
-
-
-# Create tmp file /cache/recovery/command.tmp
-# Read /cache/recovery/command
-# Rename /cache/recovery/command.tmp to /cache/recovery/command
-allow uncrypt cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
-allow uncrypt cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-
-# Set a property to reboot the device.
-
-#line 25
-allow uncrypt property_socket:sock_file write;
-#line 25
-allow uncrypt init:unix_stream_socket connectto;
-#line 25
-
-allow uncrypt powerctl_prop:property_service set;
-
-# Raw writes to block device
-allow uncrypt self:capability sys_rawio;
-allow uncrypt block_device:blk_file { open append write };
-#line 1 "external/sepolicy/untrusted_app.te"
-###
-### Untrusted apps.
-###
-### This file defines the rules for untrusted apps. An "untrusted
-### app" is an APP with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000).
-###
-### untrusted_app includes all the appdomain rules, plus the
-### additional following rules:
-###
-
-type untrusted_app, domain;
-
-#line 13
-typeattribute untrusted_app mlstrustedsubject;
-#line 13
-typeattribute untrusted_app unconfineddomain;
-#line 13
-
-
-#line 14
-typeattribute untrusted_app appdomain;
-#line 14
-# Label ashmem objects with our own unique type.
-#line 14
-
-#line 14
-type untrusted_app_tmpfs, file_type;
-#line 14
-type_transition untrusted_app tmpfs:file untrusted_app_tmpfs;
-#line 14
-allow untrusted_app untrusted_app_tmpfs:file { read write };
-#line 14
-
-#line 14
-# Map with PROT_EXEC.
-#line 14
-allow untrusted_app untrusted_app_tmpfs:file execute;
-#line 14
-
-
-#line 15
-typeattribute untrusted_app netdomain;
-#line 15
-
-
-#line 16
-typeattribute untrusted_app bluetoothdomain;
-#line 16
-
-
-# Some apps ship with shared libraries and binaries that they write out
-# to their sandbox directory and then execute.
-allow untrusted_app app_data_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
-
-allow untrusted_app tun_device:chr_file { { getattr open read ioctl lock } { open append write } };
-
-# Internal SDCard rw access.
-allow untrusted_app sdcard_internal:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow untrusted_app sdcard_internal:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-
-# External SDCard rw access.
-allow untrusted_app sdcard_external:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow untrusted_app sdcard_external:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-
-# ASEC
-allow untrusted_app asec_apk_file:dir { getattr };
-allow untrusted_app asec_apk_file:file { getattr open read ioctl lock };
-# Execute libs in asec containers.
-allow untrusted_app asec_public_file:file execute;
-
-# Create tcp/udp sockets
-allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;
-allow untrusted_app self:{ tcp_socket udp_socket } { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } accept listen };
-# Bind to a particular hostname/address/interface (e.g., localhost) instead of
-# ANY. Normally, apps should not be listening on all interfaces.
-allow untrusted_app port:{ tcp_socket udp_socket } name_bind;
-
-# Allow the allocation and use of ptys
-# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-
-#line 47
-# Each domain gets a unique devpts type.
-#line 47
-type untrusted_app_devpts, fs_type;
-#line 47
-# Label the pty with the unique type when created.
-#line 47
-type_transition untrusted_app devpts:chr_file untrusted_app_devpts;
-#line 47
-# Allow use of the pty after creation.
-#line 47
-allow untrusted_app untrusted_app_devpts:chr_file { open getattr read write ioctl };
-#line 47
-# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
-#line 47
-# allowed to everyone via domain.te.
-#line 47
-
-
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-# TODO: Long term, we don't want apps probing into shell data files.
-# Figure out a way to remove these rules.
-allow untrusted_app shell_data_file:file { getattr open read ioctl lock };
-allow untrusted_app shell_data_file:dir { open getattr read search ioctl };
-#line 1 "external/sepolicy/vold.te"
-# volume manager
-type vold, domain;
-type vold_exec, exec_type, file_type;
-
-
-#line 5
-
-#line 5
-# Allow the necessary permissions.
-#line 5
-
-#line 5
-# Old domain may exec the file and transition to the new domain.
-#line 5
-allow init vold_exec:file { getattr open read execute };
-#line 5
-allow init vold:process transition;
-#line 5
-# New domain is entered by executing the file.
-#line 5
-allow vold vold_exec:file { entrypoint read execute };
-#line 5
-# New domain can send SIGCHLD to its caller.
-#line 5
-allow vold init:process sigchld;
-#line 5
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 5
-dontaudit init vold:process noatsecure;
-#line 5
-# XXX dontaudit candidate but requires further study.
-#line 5
-allow init vold:process { siginh rlimitinh };
-#line 5
-
-#line 5
-# Make the transition occur by default.
-#line 5
-type_transition init vold_exec:process vold;
-#line 5
-
-#line 5
-
-#line 5
-type vold_tmpfs, file_type;
-#line 5
-type_transition vold tmpfs:file vold_tmpfs;
-#line 5
-allow vold vold_tmpfs:file { read write };
-#line 5
-
-#line 5
-
-
-typeattribute vold mlstrustedsubject;
-allow vold system_file:file { getattr execute execute_no_trans };
-allow vold block_device:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow vold block_device:blk_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-allow vold device:dir write;
-allow vold devpts:chr_file { { getattr open read ioctl lock } { open append write } };
-allow vold rootfs:dir mounton;
-allow vold sdcard_type:dir mounton;
-allow vold sdcard_type:filesystem { mount remount unmount };
-allow vold sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow vold sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-allow vold tmpfs:filesystem { mount unmount };
-allow vold tmpfs:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow vold tmpfs:dir mounton;
-allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
-allow vold self:netlink_kobject_uevent_socket *;
-allow vold app_data_file:dir search;
-allow vold app_data_file:file { { getattr open read ioctl lock } { open append write } };
-allow vold loop_device:blk_file { { getattr open read ioctl lock } { open append write } };
-allow vold dm_device:chr_file { { getattr open read ioctl lock } { open append write } };
-# For vold Process::killProcessesWithOpenFiles function.
-allow vold domain:dir { open getattr read search ioctl };
-allow vold domain:{ file lnk_file } { getattr open read ioctl lock };
-allow vold domain:process { signal sigkill };
-allow vold self:capability { sys_ptrace kill };
-
-# For blkid
-allow vold shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
-
-# XXX Label sysfs files with a specific type?
-allow vold sysfs:file { { getattr open read ioctl lock } { open append write } };
-
-
-#line 39
-type_transition vold device:chr_file klog_device "__kmsg__";
-#line 39
-allow vold klog_device:chr_file { create open write unlink };
-#line 39
-allow vold device:dir { write add_name remove_name };
-#line 39
-
-
-# Log fsck results
-allow vold fscklogs:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
-allow vold fscklogs:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-
-#
-# Rules to support encrypted fs support.
-#
-
-# Set property.
-
-#line 50
-allow vold property_socket:sock_file write;
-#line 50
-allow vold init:unix_stream_socket connectto;
-#line 50
-
-
-# Unmount and mount the fs.
-allow vold labeledfs:filesystem { mount unmount remount };
-
-# Access /efs/userdata_footer.
-# XXX Split into a separate type?
-allow vold efs_file:file { { getattr open read ioctl lock } { open append write } };
-
-# Create and mount on /data/tmp_mnt.
-allow vold system_data_file:dir { create { { open getattr read search ioctl } { open search write add_name remove_name } } mounton };
-
-# Set scheduling policy of kernel processes
-allow vold kernel:process setsched;
-
-# Property Service
-allow vold vold_prop:property_service set;
-allow vold powerctl_prop:property_service set;
-allow vold ctl_default_prop:property_service set;
-
-# ASEC
-allow vold asec_image_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-allow vold asec_image_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
-
-#line 73
-allow vold security_file:dir { open getattr read search ioctl };
-#line 73
-allow vold security_file:file { getattr open read ioctl lock };
-#line 73
-allow vold security_file:lnk_file { getattr open read ioctl lock };
-#line 73
-allow vold selinuxfs:dir { open getattr read search ioctl };
-#line 73
-allow vold selinuxfs:file { getattr open read ioctl lock };
-#line 73
-allow vold rootfs:dir { open getattr read search ioctl };
-#line 73
-allow vold rootfs:file { getattr open read ioctl lock };
-#line 73
-
-
-#line 74
-typeattribute vold relabeltodomain;
-#line 74
-
-allow vold asec_apk_file:dir { { { open getattr read search ioctl } { open search write add_name remove_name } } setattr relabelfrom };
-allow vold asec_public_file:dir { relabelto setattr };
-allow vold asec_apk_file:file { { getattr open read ioctl lock } setattr relabelfrom };
-allow vold asec_public_file:file { relabelto setattr };
-
-# Handle wake locks (used for device encryption)
-allow vold sysfs_wake_lock:file { { getattr open read ioctl lock } { open append write } };
-allow vold self:capability2 block_suspend;
-#line 1 "external/sepolicy/watchdogd.te"
-# watchdogd seclabel is specified in init.<board>.rc
-type watchdogd, domain;
-allow watchdogd rootfs:file { entrypoint { getattr open read ioctl lock } };
-allow watchdogd self:capability mknod;
-allow watchdogd device:dir { add_name write remove_name };
-allow watchdogd watchdog_device:chr_file { { getattr open read ioctl lock } { open append write } };
-# because of /dev/__kmsg__ and /dev/__null__
-
-#line 8
-type_transition watchdogd device:chr_file klog_device "__kmsg__";
-#line 8
-allow watchdogd klog_device:chr_file { create open write unlink };
-#line 8
-allow watchdogd device:dir { write add_name remove_name };
-#line 8
-
-type_transition watchdogd device:chr_file null_device "__null__";
-allow watchdogd null_device:chr_file { create unlink };
-#line 1 "external/sepolicy/wpa_supplicant.te"
-# wpa - wpa supplicant or equivalent
-type wpa, domain;
-type wpa_exec, exec_type, file_type;
-
-
-#line 5
-
-#line 5
-# Allow the necessary permissions.
-#line 5
-
-#line 5
-# Old domain may exec the file and transition to the new domain.
-#line 5
-allow init wpa_exec:file { getattr open read execute };
-#line 5
-allow init wpa:process transition;
-#line 5
-# New domain is entered by executing the file.
-#line 5
-allow wpa wpa_exec:file { entrypoint read execute };
-#line 5
-# New domain can send SIGCHLD to its caller.
-#line 5
-allow wpa init:process sigchld;
-#line 5
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 5
-dontaudit init wpa:process noatsecure;
-#line 5
-# XXX dontaudit candidate but requires further study.
-#line 5
-allow init wpa:process { siginh rlimitinh };
-#line 5
-
-#line 5
-# Make the transition occur by default.
-#line 5
-type_transition init wpa_exec:process wpa;
-#line 5
-
-#line 5
-
-#line 5
-type wpa_tmpfs, file_type;
-#line 5
-type_transition wpa tmpfs:file wpa_tmpfs;
-#line 5
-allow wpa wpa_tmpfs:file { read write };
-#line 5
-
-#line 5
-
-allow wpa kernel:system module_request;
-allow wpa self:capability { setuid net_admin setgid net_raw };
-allow wpa cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow wpa self:netlink_route_socket *;
-allow wpa self:netlink_socket *;
-allow wpa self:packet_socket *;
-allow wpa self:udp_socket *;
-allow wpa wifi_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow wpa wifi_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-
-#line 15
-allow wpa system_wpa_socket:sock_file write;
-#line 15
-allow wpa system_server:unix_dgram_socket sendto;
-#line 15
-
-allow wpa random_device:chr_file { getattr open read ioctl lock };
-
-# Create a socket for receiving info from wpa
-type_transition wpa wifi_data_file:sock_file wpa_socket;
-allow wpa wpa_socket:dir { { { open getattr read search ioctl } { open search write add_name remove_name } } setattr };
-allow wpa wpa_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-
-# Allow wpa_cli to work. wpa_cli creates a socket in
-# /data/misc/wifi/sockets which wpa supplicant communicates with.
-#line 27
-
-#line 1 "external/sepolicy/zygote.te"
-# zygote
-type zygote, domain;
-type zygote_exec, exec_type, file_type;
-
-
-#line 5
-
-#line 5
-# Allow the necessary permissions.
-#line 5
-
-#line 5
-# Old domain may exec the file and transition to the new domain.
-#line 5
-allow init zygote_exec:file { getattr open read execute };
-#line 5
-allow init zygote:process transition;
-#line 5
-# New domain is entered by executing the file.
-#line 5
-allow zygote zygote_exec:file { entrypoint read execute };
-#line 5
-# New domain can send SIGCHLD to its caller.
-#line 5
-allow zygote init:process sigchld;
-#line 5
-# Enable AT_SECURE, i.e. libc secure mode.
-#line 5
-dontaudit init zygote:process noatsecure;
-#line 5
-# XXX dontaudit candidate but requires further study.
-#line 5
-allow init zygote:process { siginh rlimitinh };
-#line 5
-
-#line 5
-# Make the transition occur by default.
-#line 5
-type_transition init zygote_exec:process zygote;
-#line 5
-
-#line 5
-
-#line 5
-type zygote_tmpfs, file_type;
-#line 5
-type_transition zygote tmpfs:file zygote_tmpfs;
-#line 5
-allow zygote zygote_tmpfs:file { read write };
-#line 5
-
-#line 5
-
-typeattribute zygote mlstrustedsubject;
-# Override DAC on files and switch uid/gid.
-allow zygote self:capability { dac_override setgid setuid fowner };
-# Drop capabilities from bounding set.
-allow zygote self:capability setpcap;
-# Switch SELinux context to app domains.
-allow zygote system_server:process dyntransition;
-allow zygote appdomain:process dyntransition;
-# Allow zygote to read app /proc/pid dirs (b/10455872)
-allow zygote appdomain:dir { getattr search };
-allow zygote appdomain:file { { getattr open read ioctl lock } };
-# Move children into the peer process group.
-allow zygote system_server:process { getpgid setpgid };
-allow zygote appdomain:process { getpgid setpgid };
-# Write to system data.
-allow zygote system_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
-allow zygote system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-allow zygote dalvikcache_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
-allow zygote dalvikcache_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
-# For art.
-allow zygote dalvikcache_data_file:file execute;
-# Execute dexopt.
-allow zygote system_file:file { getattr execute execute_no_trans };
-# Control cgroups.
-allow zygote cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
-allow zygote self:capability sys_admin;
-# Check validity of SELinux context before use.
-
-#line 33
-allow zygote selinuxfs:dir { open getattr read search ioctl };
-#line 33
-allow zygote selinuxfs:file { { getattr open read ioctl lock } { open append write } };
-#line 33
-allow zygote kernel:security check_context;
-#line 33
-
-# Check SELinux permissions.
-
-#line 35
-allow zygote selinuxfs:dir { open getattr read search ioctl };
-#line 35
-allow zygote selinuxfs:file { { getattr open read ioctl lock } { open append write } };
-#line 35
-allow zygote kernel:security compute_av;
-#line 35
-allow zygote self:netlink_selinux_socket *;
-#line 35
-
-# Read /seapp_contexts and /data/security/seapp_contexts
-
-#line 37
-allow zygote security_file:dir { open getattr read search ioctl };
-#line 37
-allow zygote security_file:file { getattr open read ioctl lock };
-#line 37
-allow zygote security_file:lnk_file { getattr open read ioctl lock };
-#line 37
-allow zygote selinuxfs:dir { open getattr read search ioctl };
-#line 37
-allow zygote selinuxfs:file { getattr open read ioctl lock };
-#line 37
-allow zygote rootfs:dir { open getattr read search ioctl };
-#line 37
-allow zygote rootfs:file { getattr open read ioctl lock };
-#line 37
-
-
-# Setting up /storage/emulated.
-allow zygote rootfs:dir mounton;
-allow zygote sdcard_type:dir { write search setattr create add_name mounton };
-dontaudit zygote self:capability fsetid;
-allow zygote tmpfs:dir { write create add_name setattr mounton search };
-allow zygote tmpfs:filesystem mount;
-allow zygote labeledfs:filesystem remount;
-
-# Handle --invoke-with command when launching Zygote with a wrapper command.
-allow zygote zygote_exec:file { execute_no_trans open };
-
-# handle bugreports b/10498304
-allow zygote ashmem_device:chr_file execute;
-allow zygote shell_data_file:file { write getattr };
-allow zygote system_server:binder { transfer call };
-allow zygote servicemanager:binder { call };
-
-# For legacy unlabeled userdata on existing devices.
-# See discussion of Unlabeled files in domain.te for more information.
-# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
-allow zygote unlabeled:file execute;
-#line 1 "build/target/board/generic/sepolicy/bootanim.te"
-allow bootanim self:process execmem;
-allow bootanim ashmem_device:chr_file execute;
-#line 1 "build/target/board/generic/sepolicy/domain.te"
-# For /sys/qemu_trace files in the emulator.
-allow domain sysfs_writable:file { { getattr open read ioctl lock } { open append write } };
-#line 1 "build/target/board/generic/sepolicy/surfaceflinger.te"
-allow surfaceflinger self:process execmem;
-allow surfaceflinger ashmem_device:chr_file execute;
-#line 1 "external/sepolicy/roles"
-role r;
-role r types domain;
-#line 1 "external/sepolicy/users"
-user u roles { r } level s0 range s0 - s0:c0.c1023;
-#line 1 "external/sepolicy/initial_sid_contexts"
-sid kernel u:r:kernel:s0
-sid security u:object_r:kernel:s0
-sid unlabeled u:object_r:unlabeled:s0
-sid fs u:object_r:labeledfs:s0
-sid file u:object_r:unlabeled:s0
-sid file_labels u:object_r:unlabeled:s0
-sid init u:object_r:unlabeled:s0
-sid any_socket u:object_r:unlabeled:s0
-sid port u:object_r:port:s0
-sid netif u:object_r:netif:s0
-sid netmsg u:object_r:unlabeled:s0
-sid node u:object_r:node:s0
-sid igmp_packet u:object_r:unlabeled:s0
-sid icmp_socket u:object_r:unlabeled:s0
-sid tcp_socket u:object_r:unlabeled:s0
-sid sysctl_modprobe u:object_r:unlabeled:s0
-sid sysctl u:object_r:proc:s0
-sid sysctl_fs u:object_r:unlabeled:s0
-sid sysctl_kernel u:object_r:unlabeled:s0
-sid sysctl_net u:object_r:unlabeled:s0
-sid sysctl_net_unix u:object_r:unlabeled:s0
-sid sysctl_vm u:object_r:unlabeled:s0
-sid sysctl_dev u:object_r:unlabeled:s0
-sid kmod u:object_r:unlabeled:s0
-sid policy u:object_r:unlabeled:s0
-sid scmp_packet u:object_r:unlabeled:s0
-sid devnull u:object_r:null_device:s0
-#line 1 "external/sepolicy/fs_use"
-# Label inodes via getxattr.
-fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
-fs_use_xattr jffs2 u:object_r:labeledfs:s0;
-fs_use_xattr ext2 u:object_r:labeledfs:s0;
-fs_use_xattr ext3 u:object_r:labeledfs:s0;
-fs_use_xattr ext4 u:object_r:labeledfs:s0;
-fs_use_xattr xfs u:object_r:labeledfs:s0;
-fs_use_xattr btrfs u:object_r:labeledfs:s0;
-
-# Label inodes from task label.
-fs_use_task pipefs u:object_r:pipefs:s0;
-fs_use_task sockfs u:object_r:sockfs:s0;
-
-# Label inodes from combination of task label and fs label.
-# Define type_transition rules if you want per-domain types.
-fs_use_trans devpts u:object_r:devpts:s0;
-fs_use_trans tmpfs u:object_r:tmpfs:s0;
-fs_use_trans devtmpfs u:object_r:device:s0;
-fs_use_trans shm u:object_r:shm:s0;
-fs_use_trans mqueue u:object_r:mqueue:s0;
-
-#line 1 "external/sepolicy/genfs_contexts"
-# Label inodes with the fs label.
-genfscon rootfs / u:object_r:rootfs:s0
-# proc labeling can be further refined (longest matching prefix).
-genfscon proc / u:object_r:proc:s0
-genfscon proc /net u:object_r:proc_net:s0
-genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
-genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
-genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
-genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
-genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
-genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
-genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
-genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
-genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
-genfscon proc /sys/net u:object_r:proc_net:s0
-genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
-# selinuxfs booleans can be individually labeled.
-genfscon selinuxfs / u:object_r:selinuxfs:s0
-genfscon cgroup / u:object_r:cgroup:s0
-# sysfs labels can be set by userspace.
-genfscon sysfs / u:object_r:sysfs:s0
-genfscon inotifyfs / u:object_r:inotify:s0
-genfscon vfat / u:object_r:sdcard_external:s0
-genfscon debugfs / u:object_r:debugfs:s0
-genfscon fuse / u:object_r:sdcard_internal:s0
-#line 1 "external/sepolicy/port_contexts"
-# portcon statements go here, e.g.
-# portcon tcp 80 u:object_r:http_port:s0
-
diff --git a/tools/selinux/src/gen_SELinux_CTS.py b/tools/selinux/src/gen_SELinux_CTS.py
deleted file mode 100755
index 85d49a8..0000000
--- a/tools/selinux/src/gen_SELinux_CTS.py
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/usr/bin/python
-# genCheckAccessCTS.py - takes an input SELinux policy.conf file and generates
-# an XML file based on the allow and neverallow rules.  The file contains rules,
-# which are created by expanding the SELinux rule notation into the individual
-# components which a checkAccess() check, that a policy manager would have to
-# perform, needs.
-#
-# This test does not work with all valid SELinux policy.conf files.  It is meant
-# to simply use a given AOSP generated policy.conf file to create sets
-# representing the policy's types, attributes, classes and permissions, which
-# are used to expand the allow and neverallow rules found.  For a full parser
-# and compiler of SELinux, see external/checkpolicy.
-# @dcashman
-
-import pdb
-import re
-import sys
-from xml.etree.ElementTree import Element, SubElement, tostring
-from xml.dom import minidom
-
-import SELinux_CTS
-from SELinux_CTS import SELinuxPolicy
-
-usage = "Usage: ./gen_SELinux_CTS.py input_policy_file output_xml_avc_rules_file neverallow_only=[t/f]"
-
-if __name__ == "__main__":
-    # check usage
-    if len(sys.argv) != 4:
-        print usage
-        exit()
-    input_file = sys.argv[1]
-    output_file = sys.argv[2]
-    neverallow_only = (sys.argv[3] == "neverallow_only=t")
-    policy = SELinuxPolicy()
-    policy.from_file_name(input_file) #load data from file
-
-    # expand rules into 4-tuples for SELinux.h checkAccess() check
-    xml_root = Element('SELinux_AVC_Rules')
-    if not neverallow_only:
-        count = 1
-        for a in policy.allow_rules:
-            expanded_xml = SELinux_CTS.expand_avc_rule_to_xml(policy, a, str(count), 'allow')
-            if len(expanded_xml):
-                xml_root.append(expanded_xml)
-                count += 1
-    count = 1
-    for n in policy.neverallow_rules:
-        expanded_xml = SELinux_CTS.expand_avc_rule_to_xml(policy, n, str(count), 'neverallow')
-        if len(expanded_xml):
-            xml_root.append(expanded_xml)
-            count += 1
-
-    #print out the xml file
-    s = tostring(xml_root)
-    s_parsed = minidom.parseString(s)
-    output = s_parsed.toprettyxml(indent="    ")
-    with open(output_file, 'w') as out_file:
-        out_file.write(output)
diff --git a/tools/selinux/test/policy_clean_test.conf b/tools/selinux/test/policy_clean_test.conf
deleted file mode 100644
index 074a63b..0000000
--- a/tools/selinux/test/policy_clean_test.conf
+++ /dev/null
@@ -1,2230 +0,0 @@
-#line 1 "external/sepolicy/security_classes"
-# FLASK
-
-#
-# Define the security object classes
-#
-
-# Classes marked as userspace are classes
-# for userspace object managers
-
-class capability
-
-# file-related classes
-class file
-
-#
-# Define a common prefix for file access vectors.
-#
-
-common file
-{
-	ioctl
-	read
-	write
-	create
-	getattr
-	setattr
-	lock
-	relabelfrom
-	relabelto
-	append
-	unlink
-	link
-	rename
-	execute
-	swapon
-	quotaon
-	mounton
-}
-
-class file
-inherits file
-{
-	execute_no_trans
-	entrypoint
-	execmod
-	open
-	audit_access
-}
-
-class capability
-{
-	# The capabilities are defined in include/linux/capability.h
-	# Capabilities >= 32 are defined in the capability2 class.
-	# Care should be taken to ensure that these are consistent with
-	# those definitions. (Order matters)
-
-	chown
-	dac_override
-	dac_read_search
-	fowner
-	fsetid
-	kill
-	setgid
-	setuid
-	setpcap
-	linux_immutable
-	net_bind_service
-	net_broadcast
-	net_admin
-	net_raw
-	ipc_lock
-	ipc_owner
-	sys_module
-	sys_rawio
-	sys_chroot
-	sys_ptrace
-	sys_pacct
-	sys_admin
-	sys_boot
-	sys_nice
-	sys_resource
-	sys_time
-	sys_tty_config
-	mknod
-	lease
-	audit_write
-	audit_control
-	setfcap
-}
-
-########################################
-#
-# Basic level names for system low and high
-#
-
-
-#line 1 "external/sepolicy/mls"
-#########################################
-# MLS declarations
-#
-
-# Generate the desired number of sensitivities and categories.
-
-#line 6
-# Each sensitivity has a name and zero or more aliases.
-#line 6
-sensitivity s0;
-#line 6
-
-#line 6
-
-#line 6
-# Define the ordering of the sensitivity levels (least to greatest)
-#line 6
-dominance { s0  }
-#line 6
-
-category c0;
-#line 7
-category c1;
-#line 7
-category c2;
-#line 7
-category c3;
-#line 7
-category c4;
-#line 7
-category c5;
-#line 7
-category c6;
-#line 7
-category c7;
-#line 7
-category c8;
-#line 7
-category c9;
-#line 7
-category c10;
-#line 7
-category c11;
-#line 7
-category c12;
-#line 7
-category c13;
-#line 7
-category c14;
-#line 7
-category c15;
-#line 7
-category c16;
-#line 7
-category c17;
-#line 7
-category c18;
-#line 7
-category c19;
-#line 7
-category c20;
-#line 7
-category c21;
-#line 7
-category c22;
-#line 7
-category c23;
-#line 7
-category c24;
-#line 7
-category c25;
-#line 7
-category c26;
-#line 7
-category c27;
-#line 7
-category c28;
-#line 7
-category c29;
-#line 7
-category c30;
-#line 7
-category c31;
-#line 7
-category c32;
-#line 7
-category c33;
-#line 7
-category c34;
-#line 7
-category c35;
-#line 7
-category c36;
-#line 7
-category c37;
-#line 7
-category c38;
-#line 7
-category c39;
-#line 7
-category c40;
-#line 7
-category c41;
-#line 7
-category c42;
-#line 7
-category c43;
-#line 7
-category c44;
-#line 7
-category c45;
-#line 7
-category c46;
-#line 7
-category c47;
-#line 7
-category c48;
-#line 7
-category c49;
-#line 7
-category c50;
-#line 7
-category c51;
-#line 7
-category c52;
-#line 7
-category c53;
-#line 7
-category c54;
-#line 7
-category c55;
-#line 7
-category c56;
-#line 7
-category c57;
-#line 7
-category c58;
-#line 7
-category c59;
-#line 7
-category c60;
-#line 7
-category c61;
-#line 7
-category c62;
-#line 7
-category c63;
-#line 7
-category c64;
-#line 7
-category c65;
-#line 7
-category c66;
-#line 7
-category c67;
-#line 7
-category c68;
-#line 7
-category c69;
-#line 7
-category c70;
-#line 7
-category c71;
-#line 7
-category c72;
-#line 7
-category c73;
-#line 7
-category c74;
-#line 7
-category c75;
-#line 7
-category c76;
-#line 7
-category c77;
-#line 7
-category c78;
-#line 7
-category c79;
-#line 7
-category c80;
-#line 7
-category c81;
-#line 7
-category c82;
-#line 7
-category c83;
-#line 7
-category c84;
-#line 7
-category c85;
-#line 7
-category c86;
-#line 7
-category c87;
-#line 7
-category c88;
-#line 7
-category c89;
-#line 7
-category c90;
-#line 7
-category c91;
-#line 7
-category c92;
-#line 7
-category c93;
-#line 7
-category c94;
-#line 7
-category c95;
-#line 7
-category c96;
-#line 7
-category c97;
-#line 7
-category c98;
-#line 7
-category c99;
-#line 7
-category c100;
-#line 7
-category c101;
-#line 7
-category c102;
-#line 7
-category c103;
-#line 7
-category c104;
-#line 7
-category c105;
-#line 7
-category c106;
-#line 7
-category c107;
-#line 7
-category c108;
-#line 7
-category c109;
-#line 7
-category c110;
-#line 7
-category c111;
-#line 7
-category c112;
-#line 7
-category c113;
-#line 7
-category c114;
-#line 7
-category c115;
-#line 7
-category c116;
-#line 7
-category c117;
-#line 7
-category c118;
-#line 7
-category c119;
-#line 7
-category c120;
-#line 7
-category c121;
-#line 7
-category c122;
-#line 7
-category c123;
-#line 7
-category c124;
-#line 7
-category c125;
-#line 7
-category c126;
-#line 7
-category c127;
-#line 7
-category c128;
-#line 7
-category c129;
-#line 7
-category c130;
-#line 7
-category c131;
-#line 7
-category c132;
-#line 7
-category c133;
-#line 7
-category c134;
-#line 7
-category c135;
-#line 7
-category c136;
-#line 7
-category c137;
-#line 7
-category c138;
-#line 7
-category c139;
-#line 7
-category c140;
-#line 7
-category c141;
-#line 7
-category c142;
-#line 7
-category c143;
-#line 7
-category c144;
-#line 7
-category c145;
-#line 7
-category c146;
-#line 7
-category c147;
-#line 7
-category c148;
-#line 7
-category c149;
-#line 7
-category c150;
-#line 7
-category c151;
-#line 7
-category c152;
-#line 7
-category c153;
-#line 7
-category c154;
-#line 7
-category c155;
-#line 7
-category c156;
-#line 7
-category c157;
-#line 7
-category c158;
-#line 7
-category c159;
-#line 7
-category c160;
-#line 7
-category c161;
-#line 7
-category c162;
-#line 7
-category c163;
-#line 7
-category c164;
-#line 7
-category c165;
-#line 7
-category c166;
-#line 7
-category c167;
-#line 7
-category c168;
-#line 7
-category c169;
-#line 7
-category c170;
-#line 7
-category c171;
-#line 7
-category c172;
-#line 7
-category c173;
-#line 7
-category c174;
-#line 7
-category c175;
-#line 7
-category c176;
-#line 7
-category c177;
-#line 7
-category c178;
-#line 7
-category c179;
-#line 7
-category c180;
-#line 7
-category c181;
-#line 7
-category c182;
-#line 7
-category c183;
-#line 7
-category c184;
-#line 7
-category c185;
-#line 7
-category c186;
-#line 7
-category c187;
-#line 7
-category c188;
-#line 7
-category c189;
-#line 7
-category c190;
-#line 7
-category c191;
-#line 7
-category c192;
-#line 7
-category c193;
-#line 7
-category c194;
-#line 7
-category c195;
-#line 7
-category c196;
-#line 7
-category c197;
-#line 7
-category c198;
-#line 7
-category c199;
-#line 7
-category c200;
-#line 7
-category c201;
-#line 7
-category c202;
-#line 7
-category c203;
-#line 7
-category c204;
-#line 7
-category c205;
-#line 7
-category c206;
-#line 7
-category c207;
-#line 7
-category c208;
-#line 7
-category c209;
-#line 7
-category c210;
-#line 7
-category c211;
-#line 7
-category c212;
-#line 7
-category c213;
-#line 7
-category c214;
-#line 7
-category c215;
-#line 7
-category c216;
-#line 7
-category c217;
-#line 7
-category c218;
-#line 7
-category c219;
-#line 7
-category c220;
-#line 7
-category c221;
-#line 7
-category c222;
-#line 7
-category c223;
-#line 7
-category c224;
-#line 7
-category c225;
-#line 7
-category c226;
-#line 7
-category c227;
-#line 7
-category c228;
-#line 7
-category c229;
-#line 7
-category c230;
-#line 7
-category c231;
-#line 7
-category c232;
-#line 7
-category c233;
-#line 7
-category c234;
-#line 7
-category c235;
-#line 7
-category c236;
-#line 7
-category c237;
-#line 7
-category c238;
-#line 7
-category c239;
-#line 7
-category c240;
-#line 7
-category c241;
-#line 7
-category c242;
-#line 7
-category c243;
-#line 7
-category c244;
-#line 7
-category c245;
-#line 7
-category c246;
-#line 7
-category c247;
-#line 7
-category c248;
-#line 7
-category c249;
-#line 7
-category c250;
-#line 7
-category c251;
-#line 7
-category c252;
-#line 7
-category c253;
-#line 7
-category c254;
-#line 7
-category c255;
-#line 7
-category c256;
-#line 7
-category c257;
-#line 7
-category c258;
-#line 7
-category c259;
-#line 7
-category c260;
-#line 7
-category c261;
-#line 7
-category c262;
-#line 7
-category c263;
-#line 7
-category c264;
-#line 7
-category c265;
-#line 7
-category c266;
-#line 7
-category c267;
-#line 7
-category c268;
-#line 7
-category c269;
-#line 7
-category c270;
-#line 7
-category c271;
-#line 7
-category c272;
-#line 7
-category c273;
-#line 7
-category c274;
-#line 7
-category c275;
-#line 7
-category c276;
-#line 7
-category c277;
-#line 7
-category c278;
-#line 7
-category c279;
-#line 7
-category c280;
-#line 7
-category c281;
-#line 7
-category c282;
-#line 7
-category c283;
-#line 7
-category c284;
-#line 7
-category c285;
-#line 7
-category c286;
-#line 7
-category c287;
-#line 7
-category c288;
-#line 7
-category c289;
-#line 7
-category c290;
-#line 7
-category c291;
-#line 7
-category c292;
-#line 7
-category c293;
-#line 7
-category c294;
-#line 7
-category c295;
-#line 7
-category c296;
-#line 7
-category c297;
-#line 7
-category c298;
-#line 7
-category c299;
-#line 7
-category c300;
-#line 7
-category c301;
-#line 7
-category c302;
-#line 7
-category c303;
-#line 7
-category c304;
-#line 7
-category c305;
-#line 7
-category c306;
-#line 7
-category c307;
-#line 7
-category c308;
-#line 7
-category c309;
-#line 7
-category c310;
-#line 7
-category c311;
-#line 7
-category c312;
-#line 7
-category c313;
-#line 7
-category c314;
-#line 7
-category c315;
-#line 7
-category c316;
-#line 7
-category c317;
-#line 7
-category c318;
-#line 7
-category c319;
-#line 7
-category c320;
-#line 7
-category c321;
-#line 7
-category c322;
-#line 7
-category c323;
-#line 7
-category c324;
-#line 7
-category c325;
-#line 7
-category c326;
-#line 7
-category c327;
-#line 7
-category c328;
-#line 7
-category c329;
-#line 7
-category c330;
-#line 7
-category c331;
-#line 7
-category c332;
-#line 7
-category c333;
-#line 7
-category c334;
-#line 7
-category c335;
-#line 7
-category c336;
-#line 7
-category c337;
-#line 7
-category c338;
-#line 7
-category c339;
-#line 7
-category c340;
-#line 7
-category c341;
-#line 7
-category c342;
-#line 7
-category c343;
-#line 7
-category c344;
-#line 7
-category c345;
-#line 7
-category c346;
-#line 7
-category c347;
-#line 7
-category c348;
-#line 7
-category c349;
-#line 7
-category c350;
-#line 7
-category c351;
-#line 7
-category c352;
-#line 7
-category c353;
-#line 7
-category c354;
-#line 7
-category c355;
-#line 7
-category c356;
-#line 7
-category c357;
-#line 7
-category c358;
-#line 7
-category c359;
-#line 7
-category c360;
-#line 7
-category c361;
-#line 7
-category c362;
-#line 7
-category c363;
-#line 7
-category c364;
-#line 7
-category c365;
-#line 7
-category c366;
-#line 7
-category c367;
-#line 7
-category c368;
-#line 7
-category c369;
-#line 7
-category c370;
-#line 7
-category c371;
-#line 7
-category c372;
-#line 7
-category c373;
-#line 7
-category c374;
-#line 7
-category c375;
-#line 7
-category c376;
-#line 7
-category c377;
-#line 7
-category c378;
-#line 7
-category c379;
-#line 7
-category c380;
-#line 7
-category c381;
-#line 7
-category c382;
-#line 7
-category c383;
-#line 7
-category c384;
-#line 7
-category c385;
-#line 7
-category c386;
-#line 7
-category c387;
-#line 7
-category c388;
-#line 7
-category c389;
-#line 7
-category c390;
-#line 7
-category c391;
-#line 7
-category c392;
-#line 7
-category c393;
-#line 7
-category c394;
-#line 7
-category c395;
-#line 7
-category c396;
-#line 7
-category c397;
-#line 7
-category c398;
-#line 7
-category c399;
-#line 7
-category c400;
-#line 7
-category c401;
-#line 7
-category c402;
-#line 7
-category c403;
-#line 7
-category c404;
-#line 7
-category c405;
-#line 7
-category c406;
-#line 7
-category c407;
-#line 7
-category c408;
-#line 7
-category c409;
-#line 7
-category c410;
-#line 7
-category c411;
-#line 7
-category c412;
-#line 7
-category c413;
-#line 7
-category c414;
-#line 7
-category c415;
-#line 7
-category c416;
-#line 7
-category c417;
-#line 7
-category c418;
-#line 7
-category c419;
-#line 7
-category c420;
-#line 7
-category c421;
-#line 7
-category c422;
-#line 7
-category c423;
-#line 7
-category c424;
-#line 7
-category c425;
-#line 7
-category c426;
-#line 7
-category c427;
-#line 7
-category c428;
-#line 7
-category c429;
-#line 7
-category c430;
-#line 7
-category c431;
-#line 7
-category c432;
-#line 7
-category c433;
-#line 7
-category c434;
-#line 7
-category c435;
-#line 7
-category c436;
-#line 7
-category c437;
-#line 7
-category c438;
-#line 7
-category c439;
-#line 7
-category c440;
-#line 7
-category c441;
-#line 7
-category c442;
-#line 7
-category c443;
-#line 7
-category c444;
-#line 7
-category c445;
-#line 7
-category c446;
-#line 7
-category c447;
-#line 7
-category c448;
-#line 7
-category c449;
-#line 7
-category c450;
-#line 7
-category c451;
-#line 7
-category c452;
-#line 7
-category c453;
-#line 7
-category c454;
-#line 7
-category c455;
-#line 7
-category c456;
-#line 7
-category c457;
-#line 7
-category c458;
-#line 7
-category c459;
-#line 7
-category c460;
-#line 7
-category c461;
-#line 7
-category c462;
-#line 7
-category c463;
-#line 7
-category c464;
-#line 7
-category c465;
-#line 7
-category c466;
-#line 7
-category c467;
-#line 7
-category c468;
-#line 7
-category c469;
-#line 7
-category c470;
-#line 7
-category c471;
-#line 7
-category c472;
-#line 7
-category c473;
-#line 7
-category c474;
-#line 7
-category c475;
-#line 7
-category c476;
-#line 7
-category c477;
-#line 7
-category c478;
-#line 7
-category c479;
-#line 7
-category c480;
-#line 7
-category c481;
-#line 7
-category c482;
-#line 7
-category c483;
-#line 7
-category c484;
-#line 7
-category c485;
-#line 7
-category c486;
-#line 7
-category c487;
-#line 7
-category c488;
-#line 7
-category c489;
-#line 7
-category c490;
-#line 7
-category c491;
-#line 7
-category c492;
-#line 7
-category c493;
-#line 7
-category c494;
-#line 7
-category c495;
-#line 7
-category c496;
-#line 7
-category c497;
-#line 7
-category c498;
-#line 7
-category c499;
-#line 7
-category c500;
-#line 7
-category c501;
-#line 7
-category c502;
-#line 7
-category c503;
-#line 7
-category c504;
-#line 7
-category c505;
-#line 7
-category c506;
-#line 7
-category c507;
-#line 7
-category c508;
-#line 7
-category c509;
-#line 7
-category c510;
-#line 7
-category c511;
-#line 7
-category c512;
-#line 7
-category c513;
-#line 7
-category c514;
-#line 7
-category c515;
-#line 7
-category c516;
-#line 7
-category c517;
-#line 7
-category c518;
-#line 7
-category c519;
-#line 7
-category c520;
-#line 7
-category c521;
-#line 7
-category c522;
-#line 7
-category c523;
-#line 7
-category c524;
-#line 7
-category c525;
-#line 7
-category c526;
-#line 7
-category c527;
-#line 7
-category c528;
-#line 7
-category c529;
-#line 7
-category c530;
-#line 7
-category c531;
-#line 7
-category c532;
-#line 7
-category c533;
-#line 7
-category c534;
-#line 7
-category c535;
-#line 7
-category c536;
-#line 7
-category c537;
-#line 7
-category c538;
-#line 7
-category c539;
-#line 7
-category c540;
-#line 7
-category c541;
-#line 7
-category c542;
-#line 7
-category c543;
-#line 7
-category c544;
-#line 7
-category c545;
-#line 7
-category c546;
-#line 7
-category c547;
-#line 7
-category c548;
-#line 7
-category c549;
-#line 7
-category c550;
-#line 7
-category c551;
-#line 7
-category c552;
-#line 7
-category c553;
-#line 7
-category c554;
-#line 7
-category c555;
-#line 7
-category c556;
-#line 7
-category c557;
-#line 7
-category c558;
-#line 7
-category c559;
-#line 7
-category c560;
-#line 7
-category c561;
-#line 7
-category c562;
-#line 7
-category c563;
-#line 7
-category c564;
-#line 7
-category c565;
-#line 7
-category c566;
-#line 7
-category c567;
-#line 7
-category c568;
-#line 7
-category c569;
-#line 7
-category c570;
-#line 7
-category c571;
-#line 7
-category c572;
-#line 7
-category c573;
-#line 7
-category c574;
-#line 7
-category c575;
-#line 7
-category c576;
-#line 7
-category c577;
-#line 7
-category c578;
-#line 7
-category c579;
-#line 7
-category c580;
-#line 7
-category c581;
-#line 7
-category c582;
-#line 7
-category c583;
-#line 7
-category c584;
-#line 7
-category c585;
-#line 7
-category c586;
-#line 7
-category c587;
-#line 7
-category c588;
-#line 7
-category c589;
-#line 7
-category c590;
-#line 7
-category c591;
-#line 7
-category c592;
-#line 7
-category c593;
-#line 7
-category c594;
-#line 7
-category c595;
-#line 7
-category c596;
-#line 7
-category c597;
-#line 7
-category c598;
-#line 7
-category c599;
-#line 7
-category c600;
-#line 7
-category c601;
-#line 7
-category c602;
-#line 7
-category c603;
-#line 7
-category c604;
-#line 7
-category c605;
-#line 7
-category c606;
-#line 7
-category c607;
-#line 7
-category c608;
-#line 7
-category c609;
-#line 7
-category c610;
-#line 7
-category c611;
-#line 7
-category c612;
-#line 7
-category c613;
-#line 7
-category c614;
-#line 7
-category c615;
-#line 7
-category c616;
-#line 7
-category c617;
-#line 7
-category c618;
-#line 7
-category c619;
-#line 7
-category c620;
-#line 7
-category c621;
-#line 7
-category c622;
-#line 7
-category c623;
-#line 7
-category c624;
-#line 7
-category c625;
-#line 7
-category c626;
-#line 7
-category c627;
-#line 7
-category c628;
-#line 7
-category c629;
-#line 7
-category c630;
-#line 7
-category c631;
-#line 7
-category c632;
-#line 7
-category c633;
-#line 7
-category c634;
-#line 7
-category c635;
-#line 7
-category c636;
-#line 7
-category c637;
-#line 7
-category c638;
-#line 7
-category c639;
-#line 7
-category c640;
-#line 7
-category c641;
-#line 7
-category c642;
-#line 7
-category c643;
-#line 7
-category c644;
-#line 7
-category c645;
-#line 7
-category c646;
-#line 7
-category c647;
-#line 7
-category c648;
-#line 7
-category c649;
-#line 7
-category c650;
-#line 7
-category c651;
-#line 7
-category c652;
-#line 7
-category c653;
-#line 7
-category c654;
-#line 7
-category c655;
-#line 7
-category c656;
-#line 7
-category c657;
-#line 7
-category c658;
-#line 7
-category c659;
-#line 7
-category c660;
-#line 7
-category c661;
-#line 7
-category c662;
-#line 7
-category c663;
-#line 7
-category c664;
-#line 7
-category c665;
-#line 7
-category c666;
-#line 7
-category c667;
-#line 7
-category c668;
-#line 7
-category c669;
-#line 7
-category c670;
-#line 7
-category c671;
-#line 7
-category c672;
-#line 7
-category c673;
-#line 7
-category c674;
-#line 7
-category c675;
-#line 7
-category c676;
-#line 7
-category c677;
-#line 7
-category c678;
-#line 7
-category c679;
-#line 7
-category c680;
-#line 7
-category c681;
-#line 7
-category c682;
-#line 7
-category c683;
-#line 7
-category c684;
-#line 7
-category c685;
-#line 7
-category c686;
-#line 7
-category c687;
-#line 7
-category c688;
-#line 7
-category c689;
-#line 7
-category c690;
-#line 7
-category c691;
-#line 7
-category c692;
-#line 7
-category c693;
-#line 7
-category c694;
-#line 7
-category c695;
-#line 7
-category c696;
-#line 7
-category c697;
-#line 7
-category c698;
-#line 7
-category c699;
-#line 7
-category c700;
-#line 7
-category c701;
-#line 7
-category c702;
-#line 7
-category c703;
-#line 7
-category c704;
-#line 7
-category c705;
-#line 7
-category c706;
-#line 7
-category c707;
-#line 7
-category c708;
-#line 7
-category c709;
-#line 7
-category c710;
-#line 7
-category c711;
-#line 7
-category c712;
-#line 7
-category c713;
-#line 7
-category c714;
-#line 7
-category c715;
-#line 7
-category c716;
-#line 7
-category c717;
-#line 7
-category c718;
-#line 7
-category c719;
-#line 7
-category c720;
-#line 7
-category c721;
-#line 7
-category c722;
-#line 7
-category c723;
-#line 7
-category c724;
-#line 7
-category c725;
-#line 7
-category c726;
-#line 7
-category c727;
-#line 7
-category c728;
-#line 7
-category c729;
-#line 7
-category c730;
-#line 7
-category c731;
-#line 7
-category c732;
-#line 7
-category c733;
-#line 7
-category c734;
-#line 7
-category c735;
-#line 7
-category c736;
-#line 7
-category c737;
-#line 7
-category c738;
-#line 7
-category c739;
-#line 7
-category c740;
-#line 7
-category c741;
-#line 7
-category c742;
-#line 7
-category c743;
-#line 7
-category c744;
-#line 7
-category c745;
-#line 7
-category c746;
-#line 7
-category c747;
-#line 7
-category c748;
-#line 7
-category c749;
-#line 7
-category c750;
-#line 7
-category c751;
-#line 7
-category c752;
-#line 7
-category c753;
-#line 7
-category c754;
-#line 7
-category c755;
-#line 7
-category c756;
-#line 7
-category c757;
-#line 7
-category c758;
-#line 7
-category c759;
-#line 7
-category c760;
-#line 7
-category c761;
-#line 7
-category c762;
-#line 7
-category c763;
-#line 7
-category c764;
-#line 7
-category c765;
-#line 7
-category c766;
-#line 7
-category c767;
-#line 7
-category c768;
-#line 7
-category c769;
-#line 7
-category c770;
-#line 7
-category c771;
-#line 7
-category c772;
-#line 7
-category c773;
-#line 7
-category c774;
-#line 7
-category c775;
-#line 7
-category c776;
-#line 7
-category c777;
-#line 7
-category c778;
-#line 7
-category c779;
-#line 7
-category c780;
-#line 7
-category c781;
-#line 7
-category c782;
-#line 7
-category c783;
-#line 7
-category c784;
-#line 7
-category c785;
-#line 7
-category c786;
-#line 7
-category c787;
-#line 7
-category c788;
-#line 7
-category c789;
-#line 7
-category c790;
-#line 7
-category c791;
-#line 7
-category c792;
-#line 7
-category c793;
-#line 7
-category c794;
-#line 7
-category c795;
-#line 7
-category c796;
-#line 7
-category c797;
-#line 7
-category c798;
-#line 7
-category c799;
-#line 7
-category c800;
-#line 7
-category c801;
-#line 7
-category c802;
-#line 7
-category c803;
-#line 7
-category c804;
-#line 7
-category c805;
-#line 7
-category c806;
-#line 7
-category c807;
-#line 7
-category c808;
-#line 7
-category c809;
-#line 7
-category c810;
-#line 7
-category c811;
-#line 7
-category c812;
-#line 7
-category c813;
-#line 7
-category c814;
-#line 7
-category c815;
-#line 7
-category c816;
-#line 7
-category c817;
-#line 7
-category c818;
-#line 7
-category c819;
-#line 7
-category c820;
-#line 7
-category c821;
-#line 7
-category c822;
-#line 7
-category c823;
-#line 7
-category c824;
-#line 7
-category c825;
-#line 7
-category c826;
-#line 7
-category c827;
-#line 7
-category c828;
-#line 7
-category c829;
-#line 7
-category c830;
-#line 7
-category c831;
-#line 7
-category c832;
-#line 7
-category c833;
-#line 7
-category c834;
-#line 7
-category c835;
-#line 7
-category c836;
-#line 7
-category c837;
-#line 7
-category c838;
-#line 7
-category c839;
-#line 7
-category c840;
-#line 7
-category c841;
-#line 7
-category c842;
-#line 7
-category c843;
-#line 7
-category c844;
-#line 7
-category c845;
-#line 7
-category c846;
-#line 7
-category c847;
-#line 7
-category c848;
-#line 7
-category c849;
-#line 7
-category c850;
-#line 7
-category c851;
-#line 7
-category c852;
-#line 7
-category c853;
-#line 7
-category c854;
-#line 7
-category c855;
-#line 7
-category c856;
-#line 7
-category c857;
-#line 7
-category c858;
-#line 7
-category c859;
-#line 7
-category c860;
-#line 7
-category c861;
-#line 7
-category c862;
-#line 7
-category c863;
-#line 7
-category c864;
-#line 7
-category c865;
-#line 7
-category c866;
-#line 7
-category c867;
-#line 7
-category c868;
-#line 7
-category c869;
-#line 7
-category c870;
-#line 7
-category c871;
-#line 7
-category c872;
-#line 7
-category c873;
-#line 7
-category c874;
-#line 7
-category c875;
-#line 7
-category c876;
-#line 7
-category c877;
-#line 7
-category c878;
-#line 7
-category c879;
-#line 7
-category c880;
-#line 7
-category c881;
-#line 7
-category c882;
-#line 7
-category c883;
-#line 7
-category c884;
-#line 7
-category c885;
-#line 7
-category c886;
-#line 7
-category c887;
-#line 7
-category c888;
-#line 7
-category c889;
-#line 7
-category c890;
-#line 7
-category c891;
-#line 7
-category c892;
-#line 7
-category c893;
-#line 7
-category c894;
-#line 7
-category c895;
-#line 7
-category c896;
-#line 7
-category c897;
-#line 7
-category c898;
-#line 7
-category c899;
-#line 7
-category c900;
-#line 7
-category c901;
-#line 7
-category c902;
-#line 7
-category c903;
-#line 7
-category c904;
-#line 7
-category c905;
-#line 7
-category c906;
-#line 7
-category c907;
-#line 7
-category c908;
-#line 7
-category c909;
-#line 7
-category c910;
-#line 7
-category c911;
-#line 7
-category c912;
-#line 7
-category c913;
-#line 7
-category c914;
-#line 7
-category c915;
-#line 7
-category c916;
-#line 7
-category c917;
-#line 7
-category c918;
-#line 7
-category c919;
-#line 7
-category c920;
-#line 7
-category c921;
-#line 7
-category c922;
-#line 7
-category c923;
-#line 7
-category c924;
-#line 7
-category c925;
-#line 7
-category c926;
-#line 7
-category c927;
-#line 7
-category c928;
-#line 7
-category c929;
-#line 7
-category c930;
-#line 7
-category c931;
-#line 7
-category c932;
-#line 7
-category c933;
-#line 7
-category c934;
-#line 7
-category c935;
-#line 7
-category c936;
-#line 7
-category c937;
-#line 7
-category c938;
-#line 7
-category c939;
-#line 7
-category c940;
-#line 7
-category c941;
-#line 7
-category c942;
-#line 7
-category c943;
-#line 7
-category c944;
-#line 7
-category c945;
-#line 7
-category c946;
-#line 7
-category c947;
-#line 7
-category c948;
-#line 7
-category c949;
-#line 7
-category c950;
-#line 7
-category c951;
-#line 7
-category c952;
-#line 7
-category c953;
-#line 7
-category c954;
-#line 7
-category c955;
-#line 7
-category c956;
-#line 7
-category c957;
-#line 7
-category c958;
-#line 7
-category c959;
-#line 7
-category c960;
-#line 7
-category c961;
-#line 7
-category c962;
-#line 7
-category c963;
-#line 7
-category c964;
-#line 7
-category c965;
-#line 7
-category c966;
-#line 7
-category c967;
-#line 7
-category c968;
-#line 7
-category c969;
-#line 7
-category c970;
-#line 7
-category c971;
-#line 7
-category c972;
-#line 7
-category c973;
-#line 7
-category c974;
-#line 7
-category c975;
-#line 7
-category c976;
-#line 7
-category c977;
-#line 7
-category c978;
-#line 7
-category c979;
-#line 7
-category c980;
-#line 7
-category c981;
-#line 7
-category c982;
-#line 7
-category c983;
-#line 7
-category c984;
-#line 7
-category c985;
-#line 7
-category c986;
-#line 7
-category c987;
-#line 7
-category c988;
-#line 7
-category c989;
-#line 7
-category c990;
-#line 7
-category c991;
-#line 7
-category c992;
-#line 7
-category c993;
-#line 7
-category c994;
-#line 7
-category c995;
-#line 7
-category c996;
-#line 7
-category c997;
-#line 7
-category c998;
-#line 7
-category c999;
-#line 7
-category c1000;
-#line 7
-category c1001;
-#line 7
-category c1002;
-#line 7
-category c1003;
-#line 7
-category c1004;
-#line 7
-category c1005;
-#line 7
-category c1006;
-#line 7
-category c1007;
-#line 7
-category c1008;
-#line 7
-category c1009;
-#line 7
-category c1010;
-#line 7
-category c1011;
-#line 7
-category c1012;
-#line 7
-category c1013;
-#line 7
-category c1014;
-#line 7
-category c1015;
-#line 7
-category c1016;
-#line 7
-category c1017;
-#line 7
-category c1018;
-#line 7
-category c1019;
-#line 7
-category c1020;
-#line 7
-category c1021;
-#line 7
-category c1022;
-#line 7
-category c1023;
-#line 7
-
-
-# Generate level definitions for each sensitivity and category.
-level s0:c0.c1023;
-#line 10
-
-######################################
-# Attribute declarations
-#
-
-# All types used for processes.
-attribute domain;
-
-# Domains that are allowed all permissions ("unconfined").
-attribute unconfineddomain;
-
-# All domains used for apps.
-attribute appdomain;
-
-# All types used for files that can exist on a labeled fs.
-# Do not use for pseudo file types.
-attribute file_type;
-
-# All types used for domain entry points.
-attribute exec_type;
-
-#line 1 "external/sepolicy/bluetooth.te"
-# bluetooth subsystem
-type bluetooth, domain;
-permissive bluetooth;
-
-#line 4
-typeattribute bluetooth appdomain;
-
-#line 5
-typeattribute bluetooth unconfineddomain;
-#line 5
-
-#line 1 "external/sepolicy/healthd.te"
-# healthd seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type healthd, domain;
-permissive healthd;
-type healthd_exec, exec_type, file_type;
-
-# New domain is entered by executing the file.
-#line 7
-allow healthd healthd_exec:file { entrypoint read execute };
-
-###
-### Neverallow rules
-###
-### These are things that Android apps should NEVER be able to do
-###
-
-# Superuser capabilities.
-# bluetooth requires net_admin.
-neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
-
-# Added to make the neverallow rule make sense in a limited environment.
-# Added at the bottom to not throw off file seek numbers in test suite.  
-# This is not a problem, because allow rules are processed after all types
-# are gathered.
-type testTYPE, appdomain, domain;
diff --git a/tools/selinux/test/policy_test.conf b/tools/selinux/test/policy_test.conf
deleted file mode 100644
index d0962cd..0000000
--- a/tools/selinux/test/policy_test.conf
+++ /dev/null
@@ -1,2244 +0,0 @@
-#line 1 "external/sepolicy/security_classes"
-# FLASK
-
-#
-# Define the security object classes
-#
-
-# Classes marked as userspace are classes
-# for userspace object managers
-
-class capability
-
-# file-related classes
-class file
-
-#
-# Define a common prefix for file access vectors.
-#
-
-common file
-{
-	ioctl
-	read
-	write
-	create
-	getattr
-	setattr
-	lock
-	relabelfrom
-	relabelto
-	append
-	unlink
-	link
-	rename
-	execute
-	swapon
-	quotaon
-	mounton
-}
-
-class file
-inherits file
-{
-	execute_no_trans
-	entrypoint
-	execmod
-	open
-	audit_access
-}
-
-class capability
-{
-	# The capabilities are defined in include/linux/capability.h
-	# Capabilities >= 32 are defined in the capability2 class.
-	# Care should be taken to ensure that these are consistent with
-	# those definitions. (Order matters)
-
-	chown
-	dac_override
-	dac_read_search
-	fowner
-	fsetid
-	kill
-	setgid
-	setuid
-	setpcap
-	linux_immutable
-	net_bind_service
-	net_broadcast
-	net_admin
-	net_raw
-	ipc_lock
-	ipc_owner
-	sys_module
-	sys_rawio
-	sys_chroot
-	sys_ptrace
-	sys_pacct
-	sys_admin
-	sys_boot
-	sys_nice
-	sys_resource
-	sys_time
-	sys_tty_config
-	mknod
-	lease
-	audit_write
-	audit_control
-	setfcap
-}
-
-########################################
-#
-# Basic level names for system low and high
-#
-
-
-#line 1 "external/sepolicy/mls"
-#########################################
-# MLS declarations
-#
-
-# Generate the desired number of sensitivities and categories.
-
-#line 6
-# Each sensitivity has a name and zero or more aliases.
-#line 6
-sensitivity s0;
-#line 6
-
-#line 6
-
-#line 6
-# Define the ordering of the sensitivity levels (least to greatest)
-#line 6
-dominance { s0  }
-#line 6
-
-category c0;
-#line 7
-category c1;
-#line 7
-category c2;
-#line 7
-category c3;
-#line 7
-category c4;
-#line 7
-category c5;
-#line 7
-category c6;
-#line 7
-category c7;
-#line 7
-category c8;
-#line 7
-category c9;
-#line 7
-category c10;
-#line 7
-category c11;
-#line 7
-category c12;
-#line 7
-category c13;
-#line 7
-category c14;
-#line 7
-category c15;
-#line 7
-category c16;
-#line 7
-category c17;
-#line 7
-category c18;
-#line 7
-category c19;
-#line 7
-category c20;
-#line 7
-category c21;
-#line 7
-category c22;
-#line 7
-category c23;
-#line 7
-category c24;
-#line 7
-category c25;
-#line 7
-category c26;
-#line 7
-category c27;
-#line 7
-category c28;
-#line 7
-category c29;
-#line 7
-category c30;
-#line 7
-category c31;
-#line 7
-category c32;
-#line 7
-category c33;
-#line 7
-category c34;
-#line 7
-category c35;
-#line 7
-category c36;
-#line 7
-category c37;
-#line 7
-category c38;
-#line 7
-category c39;
-#line 7
-category c40;
-#line 7
-category c41;
-#line 7
-category c42;
-#line 7
-category c43;
-#line 7
-category c44;
-#line 7
-category c45;
-#line 7
-category c46;
-#line 7
-category c47;
-#line 7
-category c48;
-#line 7
-category c49;
-#line 7
-category c50;
-#line 7
-category c51;
-#line 7
-category c52;
-#line 7
-category c53;
-#line 7
-category c54;
-#line 7
-category c55;
-#line 7
-category c56;
-#line 7
-category c57;
-#line 7
-category c58;
-#line 7
-category c59;
-#line 7
-category c60;
-#line 7
-category c61;
-#line 7
-category c62;
-#line 7
-category c63;
-#line 7
-category c64;
-#line 7
-category c65;
-#line 7
-category c66;
-#line 7
-category c67;
-#line 7
-category c68;
-#line 7
-category c69;
-#line 7
-category c70;
-#line 7
-category c71;
-#line 7
-category c72;
-#line 7
-category c73;
-#line 7
-category c74;
-#line 7
-category c75;
-#line 7
-category c76;
-#line 7
-category c77;
-#line 7
-category c78;
-#line 7
-category c79;
-#line 7
-category c80;
-#line 7
-category c81;
-#line 7
-category c82;
-#line 7
-category c83;
-#line 7
-category c84;
-#line 7
-category c85;
-#line 7
-category c86;
-#line 7
-category c87;
-#line 7
-category c88;
-#line 7
-category c89;
-#line 7
-category c90;
-#line 7
-category c91;
-#line 7
-category c92;
-#line 7
-category c93;
-#line 7
-category c94;
-#line 7
-category c95;
-#line 7
-category c96;
-#line 7
-category c97;
-#line 7
-category c98;
-#line 7
-category c99;
-#line 7
-category c100;
-#line 7
-category c101;
-#line 7
-category c102;
-#line 7
-category c103;
-#line 7
-category c104;
-#line 7
-category c105;
-#line 7
-category c106;
-#line 7
-category c107;
-#line 7
-category c108;
-#line 7
-category c109;
-#line 7
-category c110;
-#line 7
-category c111;
-#line 7
-category c112;
-#line 7
-category c113;
-#line 7
-category c114;
-#line 7
-category c115;
-#line 7
-category c116;
-#line 7
-category c117;
-#line 7
-category c118;
-#line 7
-category c119;
-#line 7
-category c120;
-#line 7
-category c121;
-#line 7
-category c122;
-#line 7
-category c123;
-#line 7
-category c124;
-#line 7
-category c125;
-#line 7
-category c126;
-#line 7
-category c127;
-#line 7
-category c128;
-#line 7
-category c129;
-#line 7
-category c130;
-#line 7
-category c131;
-#line 7
-category c132;
-#line 7
-category c133;
-#line 7
-category c134;
-#line 7
-category c135;
-#line 7
-category c136;
-#line 7
-category c137;
-#line 7
-category c138;
-#line 7
-category c139;
-#line 7
-category c140;
-#line 7
-category c141;
-#line 7
-category c142;
-#line 7
-category c143;
-#line 7
-category c144;
-#line 7
-category c145;
-#line 7
-category c146;
-#line 7
-category c147;
-#line 7
-category c148;
-#line 7
-category c149;
-#line 7
-category c150;
-#line 7
-category c151;
-#line 7
-category c152;
-#line 7
-category c153;
-#line 7
-category c154;
-#line 7
-category c155;
-#line 7
-category c156;
-#line 7
-category c157;
-#line 7
-category c158;
-#line 7
-category c159;
-#line 7
-category c160;
-#line 7
-category c161;
-#line 7
-category c162;
-#line 7
-category c163;
-#line 7
-category c164;
-#line 7
-category c165;
-#line 7
-category c166;
-#line 7
-category c167;
-#line 7
-category c168;
-#line 7
-category c169;
-#line 7
-category c170;
-#line 7
-category c171;
-#line 7
-category c172;
-#line 7
-category c173;
-#line 7
-category c174;
-#line 7
-category c175;
-#line 7
-category c176;
-#line 7
-category c177;
-#line 7
-category c178;
-#line 7
-category c179;
-#line 7
-category c180;
-#line 7
-category c181;
-#line 7
-category c182;
-#line 7
-category c183;
-#line 7
-category c184;
-#line 7
-category c185;
-#line 7
-category c186;
-#line 7
-category c187;
-#line 7
-category c188;
-#line 7
-category c189;
-#line 7
-category c190;
-#line 7
-category c191;
-#line 7
-category c192;
-#line 7
-category c193;
-#line 7
-category c194;
-#line 7
-category c195;
-#line 7
-category c196;
-#line 7
-category c197;
-#line 7
-category c198;
-#line 7
-category c199;
-#line 7
-category c200;
-#line 7
-category c201;
-#line 7
-category c202;
-#line 7
-category c203;
-#line 7
-category c204;
-#line 7
-category c205;
-#line 7
-category c206;
-#line 7
-category c207;
-#line 7
-category c208;
-#line 7
-category c209;
-#line 7
-category c210;
-#line 7
-category c211;
-#line 7
-category c212;
-#line 7
-category c213;
-#line 7
-category c214;
-#line 7
-category c215;
-#line 7
-category c216;
-#line 7
-category c217;
-#line 7
-category c218;
-#line 7
-category c219;
-#line 7
-category c220;
-#line 7
-category c221;
-#line 7
-category c222;
-#line 7
-category c223;
-#line 7
-category c224;
-#line 7
-category c225;
-#line 7
-category c226;
-#line 7
-category c227;
-#line 7
-category c228;
-#line 7
-category c229;
-#line 7
-category c230;
-#line 7
-category c231;
-#line 7
-category c232;
-#line 7
-category c233;
-#line 7
-category c234;
-#line 7
-category c235;
-#line 7
-category c236;
-#line 7
-category c237;
-#line 7
-category c238;
-#line 7
-category c239;
-#line 7
-category c240;
-#line 7
-category c241;
-#line 7
-category c242;
-#line 7
-category c243;
-#line 7
-category c244;
-#line 7
-category c245;
-#line 7
-category c246;
-#line 7
-category c247;
-#line 7
-category c248;
-#line 7
-category c249;
-#line 7
-category c250;
-#line 7
-category c251;
-#line 7
-category c252;
-#line 7
-category c253;
-#line 7
-category c254;
-#line 7
-category c255;
-#line 7
-category c256;
-#line 7
-category c257;
-#line 7
-category c258;
-#line 7
-category c259;
-#line 7
-category c260;
-#line 7
-category c261;
-#line 7
-category c262;
-#line 7
-category c263;
-#line 7
-category c264;
-#line 7
-category c265;
-#line 7
-category c266;
-#line 7
-category c267;
-#line 7
-category c268;
-#line 7
-category c269;
-#line 7
-category c270;
-#line 7
-category c271;
-#line 7
-category c272;
-#line 7
-category c273;
-#line 7
-category c274;
-#line 7
-category c275;
-#line 7
-category c276;
-#line 7
-category c277;
-#line 7
-category c278;
-#line 7
-category c279;
-#line 7
-category c280;
-#line 7
-category c281;
-#line 7
-category c282;
-#line 7
-category c283;
-#line 7
-category c284;
-#line 7
-category c285;
-#line 7
-category c286;
-#line 7
-category c287;
-#line 7
-category c288;
-#line 7
-category c289;
-#line 7
-category c290;
-#line 7
-category c291;
-#line 7
-category c292;
-#line 7
-category c293;
-#line 7
-category c294;
-#line 7
-category c295;
-#line 7
-category c296;
-#line 7
-category c297;
-#line 7
-category c298;
-#line 7
-category c299;
-#line 7
-category c300;
-#line 7
-category c301;
-#line 7
-category c302;
-#line 7
-category c303;
-#line 7
-category c304;
-#line 7
-category c305;
-#line 7
-category c306;
-#line 7
-category c307;
-#line 7
-category c308;
-#line 7
-category c309;
-#line 7
-category c310;
-#line 7
-category c311;
-#line 7
-category c312;
-#line 7
-category c313;
-#line 7
-category c314;
-#line 7
-category c315;
-#line 7
-category c316;
-#line 7
-category c317;
-#line 7
-category c318;
-#line 7
-category c319;
-#line 7
-category c320;
-#line 7
-category c321;
-#line 7
-category c322;
-#line 7
-category c323;
-#line 7
-category c324;
-#line 7
-category c325;
-#line 7
-category c326;
-#line 7
-category c327;
-#line 7
-category c328;
-#line 7
-category c329;
-#line 7
-category c330;
-#line 7
-category c331;
-#line 7
-category c332;
-#line 7
-category c333;
-#line 7
-category c334;
-#line 7
-category c335;
-#line 7
-category c336;
-#line 7
-category c337;
-#line 7
-category c338;
-#line 7
-category c339;
-#line 7
-category c340;
-#line 7
-category c341;
-#line 7
-category c342;
-#line 7
-category c343;
-#line 7
-category c344;
-#line 7
-category c345;
-#line 7
-category c346;
-#line 7
-category c347;
-#line 7
-category c348;
-#line 7
-category c349;
-#line 7
-category c350;
-#line 7
-category c351;
-#line 7
-category c352;
-#line 7
-category c353;
-#line 7
-category c354;
-#line 7
-category c355;
-#line 7
-category c356;
-#line 7
-category c357;
-#line 7
-category c358;
-#line 7
-category c359;
-#line 7
-category c360;
-#line 7
-category c361;
-#line 7
-category c362;
-#line 7
-category c363;
-#line 7
-category c364;
-#line 7
-category c365;
-#line 7
-category c366;
-#line 7
-category c367;
-#line 7
-category c368;
-#line 7
-category c369;
-#line 7
-category c370;
-#line 7
-category c371;
-#line 7
-category c372;
-#line 7
-category c373;
-#line 7
-category c374;
-#line 7
-category c375;
-#line 7
-category c376;
-#line 7
-category c377;
-#line 7
-category c378;
-#line 7
-category c379;
-#line 7
-category c380;
-#line 7
-category c381;
-#line 7
-category c382;
-#line 7
-category c383;
-#line 7
-category c384;
-#line 7
-category c385;
-#line 7
-category c386;
-#line 7
-category c387;
-#line 7
-category c388;
-#line 7
-category c389;
-#line 7
-category c390;
-#line 7
-category c391;
-#line 7
-category c392;
-#line 7
-category c393;
-#line 7
-category c394;
-#line 7
-category c395;
-#line 7
-category c396;
-#line 7
-category c397;
-#line 7
-category c398;
-#line 7
-category c399;
-#line 7
-category c400;
-#line 7
-category c401;
-#line 7
-category c402;
-#line 7
-category c403;
-#line 7
-category c404;
-#line 7
-category c405;
-#line 7
-category c406;
-#line 7
-category c407;
-#line 7
-category c408;
-#line 7
-category c409;
-#line 7
-category c410;
-#line 7
-category c411;
-#line 7
-category c412;
-#line 7
-category c413;
-#line 7
-category c414;
-#line 7
-category c415;
-#line 7
-category c416;
-#line 7
-category c417;
-#line 7
-category c418;
-#line 7
-category c419;
-#line 7
-category c420;
-#line 7
-category c421;
-#line 7
-category c422;
-#line 7
-category c423;
-#line 7
-category c424;
-#line 7
-category c425;
-#line 7
-category c426;
-#line 7
-category c427;
-#line 7
-category c428;
-#line 7
-category c429;
-#line 7
-category c430;
-#line 7
-category c431;
-#line 7
-category c432;
-#line 7
-category c433;
-#line 7
-category c434;
-#line 7
-category c435;
-#line 7
-category c436;
-#line 7
-category c437;
-#line 7
-category c438;
-#line 7
-category c439;
-#line 7
-category c440;
-#line 7
-category c441;
-#line 7
-category c442;
-#line 7
-category c443;
-#line 7
-category c444;
-#line 7
-category c445;
-#line 7
-category c446;
-#line 7
-category c447;
-#line 7
-category c448;
-#line 7
-category c449;
-#line 7
-category c450;
-#line 7
-category c451;
-#line 7
-category c452;
-#line 7
-category c453;
-#line 7
-category c454;
-#line 7
-category c455;
-#line 7
-category c456;
-#line 7
-category c457;
-#line 7
-category c458;
-#line 7
-category c459;
-#line 7
-category c460;
-#line 7
-category c461;
-#line 7
-category c462;
-#line 7
-category c463;
-#line 7
-category c464;
-#line 7
-category c465;
-#line 7
-category c466;
-#line 7
-category c467;
-#line 7
-category c468;
-#line 7
-category c469;
-#line 7
-category c470;
-#line 7
-category c471;
-#line 7
-category c472;
-#line 7
-category c473;
-#line 7
-category c474;
-#line 7
-category c475;
-#line 7
-category c476;
-#line 7
-category c477;
-#line 7
-category c478;
-#line 7
-category c479;
-#line 7
-category c480;
-#line 7
-category c481;
-#line 7
-category c482;
-#line 7
-category c483;
-#line 7
-category c484;
-#line 7
-category c485;
-#line 7
-category c486;
-#line 7
-category c487;
-#line 7
-category c488;
-#line 7
-category c489;
-#line 7
-category c490;
-#line 7
-category c491;
-#line 7
-category c492;
-#line 7
-category c493;
-#line 7
-category c494;
-#line 7
-category c495;
-#line 7
-category c496;
-#line 7
-category c497;
-#line 7
-category c498;
-#line 7
-category c499;
-#line 7
-category c500;
-#line 7
-category c501;
-#line 7
-category c502;
-#line 7
-category c503;
-#line 7
-category c504;
-#line 7
-category c505;
-#line 7
-category c506;
-#line 7
-category c507;
-#line 7
-category c508;
-#line 7
-category c509;
-#line 7
-category c510;
-#line 7
-category c511;
-#line 7
-category c512;
-#line 7
-category c513;
-#line 7
-category c514;
-#line 7
-category c515;
-#line 7
-category c516;
-#line 7
-category c517;
-#line 7
-category c518;
-#line 7
-category c519;
-#line 7
-category c520;
-#line 7
-category c521;
-#line 7
-category c522;
-#line 7
-category c523;
-#line 7
-category c524;
-#line 7
-category c525;
-#line 7
-category c526;
-#line 7
-category c527;
-#line 7
-category c528;
-#line 7
-category c529;
-#line 7
-category c530;
-#line 7
-category c531;
-#line 7
-category c532;
-#line 7
-category c533;
-#line 7
-category c534;
-#line 7
-category c535;
-#line 7
-category c536;
-#line 7
-category c537;
-#line 7
-category c538;
-#line 7
-category c539;
-#line 7
-category c540;
-#line 7
-category c541;
-#line 7
-category c542;
-#line 7
-category c543;
-#line 7
-category c544;
-#line 7
-category c545;
-#line 7
-category c546;
-#line 7
-category c547;
-#line 7
-category c548;
-#line 7
-category c549;
-#line 7
-category c550;
-#line 7
-category c551;
-#line 7
-category c552;
-#line 7
-category c553;
-#line 7
-category c554;
-#line 7
-category c555;
-#line 7
-category c556;
-#line 7
-category c557;
-#line 7
-category c558;
-#line 7
-category c559;
-#line 7
-category c560;
-#line 7
-category c561;
-#line 7
-category c562;
-#line 7
-category c563;
-#line 7
-category c564;
-#line 7
-category c565;
-#line 7
-category c566;
-#line 7
-category c567;
-#line 7
-category c568;
-#line 7
-category c569;
-#line 7
-category c570;
-#line 7
-category c571;
-#line 7
-category c572;
-#line 7
-category c573;
-#line 7
-category c574;
-#line 7
-category c575;
-#line 7
-category c576;
-#line 7
-category c577;
-#line 7
-category c578;
-#line 7
-category c579;
-#line 7
-category c580;
-#line 7
-category c581;
-#line 7
-category c582;
-#line 7
-category c583;
-#line 7
-category c584;
-#line 7
-category c585;
-#line 7
-category c586;
-#line 7
-category c587;
-#line 7
-category c588;
-#line 7
-category c589;
-#line 7
-category c590;
-#line 7
-category c591;
-#line 7
-category c592;
-#line 7
-category c593;
-#line 7
-category c594;
-#line 7
-category c595;
-#line 7
-category c596;
-#line 7
-category c597;
-#line 7
-category c598;
-#line 7
-category c599;
-#line 7
-category c600;
-#line 7
-category c601;
-#line 7
-category c602;
-#line 7
-category c603;
-#line 7
-category c604;
-#line 7
-category c605;
-#line 7
-category c606;
-#line 7
-category c607;
-#line 7
-category c608;
-#line 7
-category c609;
-#line 7
-category c610;
-#line 7
-category c611;
-#line 7
-category c612;
-#line 7
-category c613;
-#line 7
-category c614;
-#line 7
-category c615;
-#line 7
-category c616;
-#line 7
-category c617;
-#line 7
-category c618;
-#line 7
-category c619;
-#line 7
-category c620;
-#line 7
-category c621;
-#line 7
-category c622;
-#line 7
-category c623;
-#line 7
-category c624;
-#line 7
-category c625;
-#line 7
-category c626;
-#line 7
-category c627;
-#line 7
-category c628;
-#line 7
-category c629;
-#line 7
-category c630;
-#line 7
-category c631;
-#line 7
-category c632;
-#line 7
-category c633;
-#line 7
-category c634;
-#line 7
-category c635;
-#line 7
-category c636;
-#line 7
-category c637;
-#line 7
-category c638;
-#line 7
-category c639;
-#line 7
-category c640;
-#line 7
-category c641;
-#line 7
-category c642;
-#line 7
-category c643;
-#line 7
-category c644;
-#line 7
-category c645;
-#line 7
-category c646;
-#line 7
-category c647;
-#line 7
-category c648;
-#line 7
-category c649;
-#line 7
-category c650;
-#line 7
-category c651;
-#line 7
-category c652;
-#line 7
-category c653;
-#line 7
-category c654;
-#line 7
-category c655;
-#line 7
-category c656;
-#line 7
-category c657;
-#line 7
-category c658;
-#line 7
-category c659;
-#line 7
-category c660;
-#line 7
-category c661;
-#line 7
-category c662;
-#line 7
-category c663;
-#line 7
-category c664;
-#line 7
-category c665;
-#line 7
-category c666;
-#line 7
-category c667;
-#line 7
-category c668;
-#line 7
-category c669;
-#line 7
-category c670;
-#line 7
-category c671;
-#line 7
-category c672;
-#line 7
-category c673;
-#line 7
-category c674;
-#line 7
-category c675;
-#line 7
-category c676;
-#line 7
-category c677;
-#line 7
-category c678;
-#line 7
-category c679;
-#line 7
-category c680;
-#line 7
-category c681;
-#line 7
-category c682;
-#line 7
-category c683;
-#line 7
-category c684;
-#line 7
-category c685;
-#line 7
-category c686;
-#line 7
-category c687;
-#line 7
-category c688;
-#line 7
-category c689;
-#line 7
-category c690;
-#line 7
-category c691;
-#line 7
-category c692;
-#line 7
-category c693;
-#line 7
-category c694;
-#line 7
-category c695;
-#line 7
-category c696;
-#line 7
-category c697;
-#line 7
-category c698;
-#line 7
-category c699;
-#line 7
-category c700;
-#line 7
-category c701;
-#line 7
-category c702;
-#line 7
-category c703;
-#line 7
-category c704;
-#line 7
-category c705;
-#line 7
-category c706;
-#line 7
-category c707;
-#line 7
-category c708;
-#line 7
-category c709;
-#line 7
-category c710;
-#line 7
-category c711;
-#line 7
-category c712;
-#line 7
-category c713;
-#line 7
-category c714;
-#line 7
-category c715;
-#line 7
-category c716;
-#line 7
-category c717;
-#line 7
-category c718;
-#line 7
-category c719;
-#line 7
-category c720;
-#line 7
-category c721;
-#line 7
-category c722;
-#line 7
-category c723;
-#line 7
-category c724;
-#line 7
-category c725;
-#line 7
-category c726;
-#line 7
-category c727;
-#line 7
-category c728;
-#line 7
-category c729;
-#line 7
-category c730;
-#line 7
-category c731;
-#line 7
-category c732;
-#line 7
-category c733;
-#line 7
-category c734;
-#line 7
-category c735;
-#line 7
-category c736;
-#line 7
-category c737;
-#line 7
-category c738;
-#line 7
-category c739;
-#line 7
-category c740;
-#line 7
-category c741;
-#line 7
-category c742;
-#line 7
-category c743;
-#line 7
-category c744;
-#line 7
-category c745;
-#line 7
-category c746;
-#line 7
-category c747;
-#line 7
-category c748;
-#line 7
-category c749;
-#line 7
-category c750;
-#line 7
-category c751;
-#line 7
-category c752;
-#line 7
-category c753;
-#line 7
-category c754;
-#line 7
-category c755;
-#line 7
-category c756;
-#line 7
-category c757;
-#line 7
-category c758;
-#line 7
-category c759;
-#line 7
-category c760;
-#line 7
-category c761;
-#line 7
-category c762;
-#line 7
-category c763;
-#line 7
-category c764;
-#line 7
-category c765;
-#line 7
-category c766;
-#line 7
-category c767;
-#line 7
-category c768;
-#line 7
-category c769;
-#line 7
-category c770;
-#line 7
-category c771;
-#line 7
-category c772;
-#line 7
-category c773;
-#line 7
-category c774;
-#line 7
-category c775;
-#line 7
-category c776;
-#line 7
-category c777;
-#line 7
-category c778;
-#line 7
-category c779;
-#line 7
-category c780;
-#line 7
-category c781;
-#line 7
-category c782;
-#line 7
-category c783;
-#line 7
-category c784;
-#line 7
-category c785;
-#line 7
-category c786;
-#line 7
-category c787;
-#line 7
-category c788;
-#line 7
-category c789;
-#line 7
-category c790;
-#line 7
-category c791;
-#line 7
-category c792;
-#line 7
-category c793;
-#line 7
-category c794;
-#line 7
-category c795;
-#line 7
-category c796;
-#line 7
-category c797;
-#line 7
-category c798;
-#line 7
-category c799;
-#line 7
-category c800;
-#line 7
-category c801;
-#line 7
-category c802;
-#line 7
-category c803;
-#line 7
-category c804;
-#line 7
-category c805;
-#line 7
-category c806;
-#line 7
-category c807;
-#line 7
-category c808;
-#line 7
-category c809;
-#line 7
-category c810;
-#line 7
-category c811;
-#line 7
-category c812;
-#line 7
-category c813;
-#line 7
-category c814;
-#line 7
-category c815;
-#line 7
-category c816;
-#line 7
-category c817;
-#line 7
-category c818;
-#line 7
-category c819;
-#line 7
-category c820;
-#line 7
-category c821;
-#line 7
-category c822;
-#line 7
-category c823;
-#line 7
-category c824;
-#line 7
-category c825;
-#line 7
-category c826;
-#line 7
-category c827;
-#line 7
-category c828;
-#line 7
-category c829;
-#line 7
-category c830;
-#line 7
-category c831;
-#line 7
-category c832;
-#line 7
-category c833;
-#line 7
-category c834;
-#line 7
-category c835;
-#line 7
-category c836;
-#line 7
-category c837;
-#line 7
-category c838;
-#line 7
-category c839;
-#line 7
-category c840;
-#line 7
-category c841;
-#line 7
-category c842;
-#line 7
-category c843;
-#line 7
-category c844;
-#line 7
-category c845;
-#line 7
-category c846;
-#line 7
-category c847;
-#line 7
-category c848;
-#line 7
-category c849;
-#line 7
-category c850;
-#line 7
-category c851;
-#line 7
-category c852;
-#line 7
-category c853;
-#line 7
-category c854;
-#line 7
-category c855;
-#line 7
-category c856;
-#line 7
-category c857;
-#line 7
-category c858;
-#line 7
-category c859;
-#line 7
-category c860;
-#line 7
-category c861;
-#line 7
-category c862;
-#line 7
-category c863;
-#line 7
-category c864;
-#line 7
-category c865;
-#line 7
-category c866;
-#line 7
-category c867;
-#line 7
-category c868;
-#line 7
-category c869;
-#line 7
-category c870;
-#line 7
-category c871;
-#line 7
-category c872;
-#line 7
-category c873;
-#line 7
-category c874;
-#line 7
-category c875;
-#line 7
-category c876;
-#line 7
-category c877;
-#line 7
-category c878;
-#line 7
-category c879;
-#line 7
-category c880;
-#line 7
-category c881;
-#line 7
-category c882;
-#line 7
-category c883;
-#line 7
-category c884;
-#line 7
-category c885;
-#line 7
-category c886;
-#line 7
-category c887;
-#line 7
-category c888;
-#line 7
-category c889;
-#line 7
-category c890;
-#line 7
-category c891;
-#line 7
-category c892;
-#line 7
-category c893;
-#line 7
-category c894;
-#line 7
-category c895;
-#line 7
-category c896;
-#line 7
-category c897;
-#line 7
-category c898;
-#line 7
-category c899;
-#line 7
-category c900;
-#line 7
-category c901;
-#line 7
-category c902;
-#line 7
-category c903;
-#line 7
-category c904;
-#line 7
-category c905;
-#line 7
-category c906;
-#line 7
-category c907;
-#line 7
-category c908;
-#line 7
-category c909;
-#line 7
-category c910;
-#line 7
-category c911;
-#line 7
-category c912;
-#line 7
-category c913;
-#line 7
-category c914;
-#line 7
-category c915;
-#line 7
-category c916;
-#line 7
-category c917;
-#line 7
-category c918;
-#line 7
-category c919;
-#line 7
-category c920;
-#line 7
-category c921;
-#line 7
-category c922;
-#line 7
-category c923;
-#line 7
-category c924;
-#line 7
-category c925;
-#line 7
-category c926;
-#line 7
-category c927;
-#line 7
-category c928;
-#line 7
-category c929;
-#line 7
-category c930;
-#line 7
-category c931;
-#line 7
-category c932;
-#line 7
-category c933;
-#line 7
-category c934;
-#line 7
-category c935;
-#line 7
-category c936;
-#line 7
-category c937;
-#line 7
-category c938;
-#line 7
-category c939;
-#line 7
-category c940;
-#line 7
-category c941;
-#line 7
-category c942;
-#line 7
-category c943;
-#line 7
-category c944;
-#line 7
-category c945;
-#line 7
-category c946;
-#line 7
-category c947;
-#line 7
-category c948;
-#line 7
-category c949;
-#line 7
-category c950;
-#line 7
-category c951;
-#line 7
-category c952;
-#line 7
-category c953;
-#line 7
-category c954;
-#line 7
-category c955;
-#line 7
-category c956;
-#line 7
-category c957;
-#line 7
-category c958;
-#line 7
-category c959;
-#line 7
-category c960;
-#line 7
-category c961;
-#line 7
-category c962;
-#line 7
-category c963;
-#line 7
-category c964;
-#line 7
-category c965;
-#line 7
-category c966;
-#line 7
-category c967;
-#line 7
-category c968;
-#line 7
-category c969;
-#line 7
-category c970;
-#line 7
-category c971;
-#line 7
-category c972;
-#line 7
-category c973;
-#line 7
-category c974;
-#line 7
-category c975;
-#line 7
-category c976;
-#line 7
-category c977;
-#line 7
-category c978;
-#line 7
-category c979;
-#line 7
-category c980;
-#line 7
-category c981;
-#line 7
-category c982;
-#line 7
-category c983;
-#line 7
-category c984;
-#line 7
-category c985;
-#line 7
-category c986;
-#line 7
-category c987;
-#line 7
-category c988;
-#line 7
-category c989;
-#line 7
-category c990;
-#line 7
-category c991;
-#line 7
-category c992;
-#line 7
-category c993;
-#line 7
-category c994;
-#line 7
-category c995;
-#line 7
-category c996;
-#line 7
-category c997;
-#line 7
-category c998;
-#line 7
-category c999;
-#line 7
-category c1000;
-#line 7
-category c1001;
-#line 7
-category c1002;
-#line 7
-category c1003;
-#line 7
-category c1004;
-#line 7
-category c1005;
-#line 7
-category c1006;
-#line 7
-category c1007;
-#line 7
-category c1008;
-#line 7
-category c1009;
-#line 7
-category c1010;
-#line 7
-category c1011;
-#line 7
-category c1012;
-#line 7
-category c1013;
-#line 7
-category c1014;
-#line 7
-category c1015;
-#line 7
-category c1016;
-#line 7
-category c1017;
-#line 7
-category c1018;
-#line 7
-category c1019;
-#line 7
-category c1020;
-#line 7
-category c1021;
-#line 7
-category c1022;
-#line 7
-category c1023;
-#line 7
-
-
-# Generate level definitions for each sensitivity and category.
-level s0:c0.c1023;
-#line 10
-
-######################################
-# Attribute declarations
-#
-
-# All types used for processes.
-attribute domain;
-
-# Domains that are allowed all permissions ("unconfined").
-attribute unconfineddomain;
-
-# All domains used for apps.
-attribute appdomain;
-
-# All types used for files that can exist on a labeled fs.
-# Do not use for pseudo file types.
-attribute file_type;
-
-# All types used for domain entry points.
-attribute exec_type;
-
-#line 1 "external/sepolicy/bluetooth.te"
-# bluetooth subsystem
-type bluetooth, domain;
-permissive bluetooth;
-
-#line 4
-typeattribute bluetooth appdomain;
-
-#line 5
-typeattribute bluetooth unconfineddomain;
-#line 5
-
-#line 1 "external/sepolicy/healthd.te"
-# healthd seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type healthd, domain;
-permissive healthd;
-type healthd_exec, exec_type, file_type;
-
-# New domain is entered by executing the file.
-#line 7
-allow healthd healthd_exec:file { entrypoint read execute };
-
-###
-### Neverallow rules
-###
-### These are things that Android apps should NEVER be able to do
-###
-
-# Superuser capabilities.
-# bluetooth requires net_admin.
-neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
-
-# Added to make the neverallow rule make sense in a limited environment.
-# Added at the bottom to not throw off file seek numbers in test suite.  
-# This is not a problem, because allow rules are processed after all types
-# are gathered.
-type testTYPE, appdomain, domain;
-
-# added rules for further testing (display full range of needed functionality)
-allow unconfineddomain {fs_type dev_type file_type}:{ chr_file file } ~{entrypoint relabelto};
-
-allow init {fs_type dev_type file_type}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;
-
-neverallow { appdomain -unconfineddomain } {
-    audio_device
-    camera_device
-    dm_device
-    radio_device
-    gps_device
-    rpmsg_device
-}:chr_file { read write };
\ No newline at end of file
diff --git a/tools/selinux/test/testrunner.py b/tools/selinux/test/testrunner.py
deleted file mode 100755
index bc424e9..0000000
--- a/tools/selinux/test/testrunner.py
+++ /dev/null
@@ -1,442 +0,0 @@
-#!/usr/bin/python
-import sys
-sys.path.append('../src')
-import unittest
-import SELinux_CTS
-from SELinux_CTS import SELinuxPolicy
-
-policy_file_name = 'policy_test.conf'
-types = set([
-        'bluetooth',
-        'healthd',
-        'healthd_exec',
-        'testTYPE' ])  #testTYPE added for neverallow rule to make sense
-attributes = {
-    'domain': set(['bluetooth', 'healthd', 'testTYPE']),
-    'unconfineddomain': set(['bluetooth']),
-    'appdomain': set(['bluetooth', 'testTYPE']),
-    'file_type': set(['healthd_exec']),
-    'exec_type': set(['healthd_exec']) }
-common_classes = {
-    'file': set([
-            'ioctl',
-            'read',
-            'write',
-            'create',
-            'getattr',
-            'setattr',
-            'lock',
-            'relabelfrom',
-            'relabelto',
-            'append',
-            'unlink',
-            'link',
-            'rename',
-            'execute',
-            'swapon',
-            'quotaon',
-            'mounton' ]) }
-classes = {
-    'capability': set([
-            'chown',
-            'dac_override',
-            'dac_read_search',
-            'fowner',
-            'fsetid',
-            'kill',
-            'setgid',
-            'setuid',
-            'setpcap',
-            'linux_immutable',
-            'net_bind_service',
-            'net_broadcast',
-            'net_admin',
-            'net_raw',
-            'ipc_lock',
-            'ipc_owner',
-            'sys_module',
-            'sys_rawio',
-            'sys_chroot',
-            'sys_ptrace',
-            'sys_pacct',
-            'sys_admin',
-            'sys_boot',
-            'sys_nice',
-            'sys_resource',
-            'sys_time',
-            'sys_tty_config',
-            'mknod',
-            'lease',
-            'audit_write',
-            'audit_control',
-            'setfcap' ]),
-    'file': (set([
-                'execute_no_trans',
-                'entrypoint',
-                'execmod',
-                'open',
-                'audit_access' ]) | common_classes['file']) }
-
-# allow healthd healthd_exec:file { entrypoint read execute };
-allow_rules = [
-    { 'source_types': {
-        'set': set([
-                'healthd']),
-        'flags': { 'complement': False } },
-      'target_types': {
-        'set': set([
-                'healthd_exec']),
-        'flags': { 'complement': False } },
-      'classes': {
-        'set': set([
-                'file']),
-        'flags': { 'complement': False } },
-      'permissions': {
-        'set': set([
-                'entrypoint',
-                'read',
-                'execute' ]),
-        'flags': { 'complement': False } } } ]
-
-# neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
-neverallow_rules = [
-    { 'source_types': {
-        'set': set([
-                'appdomain',
-                '-unconfineddomain',
-                '-bluetooth' ]),
-        'flags': { 'complement': False } },
-      'target_types': {
-        'set': set([
-                'self']),
-        'flags': { 'complement': False } },
-      'classes': {
-        'set': set([
-                'capability']),
-        'flags': { 'complement': False } },
-      'permissions': {
-        'set': set([
-                '*' ]),
-        'flags': { 'complement': False } } } ]
-
-expected_final_allow_list = [
-        [ ('healthd', 'healthd_exec', 'file', 'entrypoint'),
-                ('healthd', 'healthd_exec', 'file', 'read'),
-                ('healthd', 'healthd_exec', 'file', 'execute') ] ]
-
-expected_final_neverallow_list = [
-        [ ('testTYPE', 'testTYPE', 'capability', 'chown'),
-                ('testTYPE', 'testTYPE', 'capability', 'dac_override'),
-                ('testTYPE', 'testTYPE', 'capability', 'dac_read_search'),
-                ('testTYPE', 'testTYPE', 'capability', 'fowner'),
-                ('testTYPE', 'testTYPE', 'capability', 'fsetid'),
-                ('testTYPE', 'testTYPE', 'capability', 'kill'),
-                ('testTYPE', 'testTYPE', 'capability', 'setgid'),
-                ('testTYPE', 'testTYPE', 'capability', 'setuid'),
-                ('testTYPE', 'testTYPE', 'capability', 'setpcap'),
-                ('testTYPE', 'testTYPE', 'capability', 'linux_immutable'),
-                ('testTYPE', 'testTYPE', 'capability', 'net_bind_service'),
-                ('testTYPE', 'testTYPE', 'capability', 'net_broadcast'),
-                ('testTYPE', 'testTYPE', 'capability', 'net_admin'),
-                ('testTYPE', 'testTYPE', 'capability', 'net_raw'),
-                ('testTYPE', 'testTYPE', 'capability', 'ipc_lock'),
-                ('testTYPE', 'testTYPE', 'capability', 'ipc_owner'),
-                ('testTYPE', 'testTYPE', 'capability', 'sys_module'),
-                ('testTYPE', 'testTYPE', 'capability', 'sys_rawio'),
-                ('testTYPE', 'testTYPE', 'capability', 'sys_chroot'),
-                ('testTYPE', 'testTYPE', 'capability', 'sys_ptrace'),
-                ('testTYPE', 'testTYPE', 'capability', 'sys_pacct'),
-                ('testTYPE', 'testTYPE', 'capability', 'sys_admin'),
-                ('testTYPE', 'testTYPE', 'capability', 'sys_boot'),
-                ('testTYPE', 'testTYPE', 'capability', 'sys_nice'),
-                ('testTYPE', 'testTYPE', 'capability', 'sys_resource'),
-                ('testTYPE', 'testTYPE', 'capability', 'sys_time'),
-                ('testTYPE', 'testTYPE', 'capability', 'sys_tty_config'),
-                ('testTYPE', 'testTYPE', 'capability', 'mknod'),
-                ('testTYPE', 'testTYPE', 'capability', 'lease'),
-                ('testTYPE', 'testTYPE', 'capability', 'audit_write'),
-                ('testTYPE', 'testTYPE', 'capability', 'audit_control'),
-                ('testTYPE', 'testTYPE', 'capability', 'setfcap') ] ]
-
-
-class SELinuxPolicyTests(unittest.TestCase):
-
-
-    def setUp(self):
-        self.test_policy = SELinuxPolicy()
-        self.test_file = open(policy_file_name, 'r')
-        self.test_policy.types = types
-        self.test_policy.attributes = attributes
-        self.test_policy.common_classes = common_classes
-        self.test_policy.classes = classes
-        self.test_policy.allow_rules = allow_rules
-        self.test_policy.neverallow_rules = neverallow_rules
-        return
-
-    def testExpandAvcRule(self):
-        #TODO: add more examples here to cover different cases
-        expanded_allow_list = SELinux_CTS.expand_avc_rule(self.test_policy, self.test_policy.allow_rules[0])
-        for a in expected_final_allow_list[0]:
-            self.failUnless(a in expanded_allow_list)
-        expanded_neverallow_list = SELinux_CTS.expand_avc_rule(self.test_policy, self.test_policy.neverallow_rules[0])
-        for n in expected_final_neverallow_list[0]:
-            self.failUnless(n in expanded_neverallow_list)
-
-    def testExpandBrackets(self):
-        #test position without bracket:
-        self.test_file.seek(279)
-        self.failIf(SELinux_CTS.expand_brackets(self.test_file))
-
-        #test position with bracket:
-        self.test_file.seek(26123)
-        self.failUnless(SELinux_CTS.expand_brackets(self.test_file) == " entrypoint read execute ")
-
-        #test position with nested brackets:
-        self.test_file.seek(26873)
-        self.failUnless(SELinux_CTS.expand_brackets(self.test_file)
-               == " dir   chr_file blk_file   file lnk_file sock_file fifo_file   ")
-
-    def testGetAvcRuleComponent(self):
-        #test against normal ('allow healthd healthd_exec:file ...)
-        self.test_file.seek(26096)
-        normal_src = { 'flags': { 'complement': False },
-                'set': set(['healthd']) }
-        normal_tgt = { 'flags': { 'complement': False },
-                'set': set(['healthd_exec']) }
-        normal_class = { 'flags': { 'complement': False },
-                'set': set(['file']) }
-        normal_perm = { 'flags': { 'complement': False },
-                'set': set(['entrypoint', 'read', 'execute']) }
-        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
-            == normal_src)
-        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
-            == normal_tgt)
-        c = SELinux_CTS.advance_past_whitespace(self.test_file)
-        if c == ':':
-            self.test_file.read(1)
-        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
-            == normal_class)
-        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
-            == normal_perm)
-
-        #test against 'hard' ('init {fs_type  ...' )
-        self.test_file.seek(26838)
-        hard_src = { 'flags': { 'complement': False },
-                'set': set(['init']) }
-        hard_tgt = { 'flags': { 'complement': False },
-                'set': set(['fs_type', 'dev_type', 'file_type']) }
-        hard_class = { 'flags': { 'complement': False },
-                'set': set(['dir', 'chr_file', 'blk_file', 'file', 'lnk_file', 'sock_file', 'fifo_file']) }
-        hard_perm = { 'flags': { 'complement': False },
-                'set': set(['relabelto']) }
-        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
-            == hard_src)
-        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
-            == hard_tgt)
-        #mimic ':' check:
-        c = SELinux_CTS.advance_past_whitespace(self.test_file)
-        if c == ':':
-            self.test_file.read(1)
-        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
-            == hard_class)
-        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
-            == hard_perm)
-
-        #test against 'multi-line' ('init {fs_type  ...' )
-        self.test_file.seek(26967)
-        multi_src = { 'flags': { 'complement': False },
-                'set': set(['appdomain', '-unconfineddomain']) }
-        multi_tgt = { 'flags': { 'complement': False },
-                'set': set(['audio_device', 'camera_device', 'dm_device', 'radio_device', 'gps_device', 'rpmsg_device']) }
-        multi_class = { 'flags': { 'complement': False },
-                'set': set(['chr_file']) }
-        multi_perm = { 'flags': { 'complement': False },
-                'set': set(['read', 'write']) }
-        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
-            == multi_src)
-        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
-            == multi_tgt)
-        c = SELinux_CTS.advance_past_whitespace(self.test_file)
-        if c == ':':
-            self.test_file.read(1)
-        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
-            == multi_class)
-        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
-            == multi_perm)
-
-        #test against 'complement'
-        self.test_file.seek(26806)
-        complement = { 'flags': { 'complement': True },
-                'set': set(['entrypoint', 'relabelto']) }
-        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
-            == complement)
-
-    def testGetLineType(self):
-        self.failUnless(SELinux_CTS.get_line_type('type bluetooth, domain;')
-                == SELinux_CTS.TYPE)
-        self.failUnless(SELinux_CTS.get_line_type('attribute unconfineddomain;')
-                == SELinux_CTS.ATTRIBUTE)
-        self.failUnless(SELinux_CTS.get_line_type('typeattribute bluetooth appdomain;')
-                == SELinux_CTS.TYPEATTRIBUTE)
-        self.failUnless(SELinux_CTS.get_line_type('class file')
-                == SELinux_CTS.CLASS)
-        self.failUnless(SELinux_CTS.get_line_type('common file')
-                == SELinux_CTS.COMMON)
-        self.failUnless(SELinux_CTS.get_line_type('allow healthd healthd_exec:file { entrypoint read execute };')
-                == SELinux_CTS.ALLOW_RULE)
-        self.failUnless(SELinux_CTS.get_line_type('neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;')
-                == SELinux_CTS.NEVERALLOW_RULE)
-        self.failUnless(SELinux_CTS.get_line_type('# FLASK')
-                == SELinux_CTS.OTHER)
-
-    def testIsMultiLine(self):
-        self.failIf(SELinux_CTS.is_multi_line(SELinux_CTS.TYPE))
-        self.failIf(SELinux_CTS.is_multi_line(SELinux_CTS.ATTRIBUTE))
-        self.failIf(SELinux_CTS.is_multi_line(SELinux_CTS.TYPEATTRIBUTE))
-        self.failUnless(SELinux_CTS.is_multi_line(SELinux_CTS.CLASS))
-        self.failUnless(SELinux_CTS.is_multi_line(SELinux_CTS.COMMON))
-        self.failUnless(SELinux_CTS.is_multi_line(SELinux_CTS.ALLOW_RULE))
-        self.failUnless(SELinux_CTS.is_multi_line(SELinux_CTS.NEVERALLOW_RULE))
-        self.failIf(SELinux_CTS.is_multi_line(SELinux_CTS.OTHER))
-
-    def testProcessInheritsSegment(self):
-        inherit_offset = 448 # needs changing if file changes
-        self.test_file.seek(inherit_offset, 0)
-        inherit_result = SELinux_CTS.process_inherits_segment(self.test_file)
-        self.failUnless(inherit_result == 'file')
-        return
-
-    def testFromFileName(self):
-        #using a special file, since the test_file has some lines which don't 'jive'
-        clean_policy_file = 'policy_clean_test.conf'
-        from_file_policy = SELinuxPolicy()
-        from_file_policy.from_file_name(clean_policy_file)
-        self.failUnless(from_file_policy.types == self.test_policy.types)
-        self.failUnless(from_file_policy.attributes == self.test_policy.attributes)
-        self.failUnless(from_file_policy.classes == self.test_policy.classes)
-        self.failUnless(from_file_policy.common_classes == self.test_policy.common_classes)
-        self.failUnless(from_file_policy.allow_rules == self.test_policy.allow_rules)
-        self.failUnless(from_file_policy.neverallow_rules == self.test_policy.neverallow_rules)
-
-    def testExpandPermissions(self):
-        #test general case
-        test_class_obj = 'file'
-        general_set = set(['read', 'write', 'execute'])
-        expanded_general_set = general_set
-        self.failUnless(self.test_policy.expand_permissions(test_class_obj, general_set)
-                == general_set)
-        star_set = set(['*'])
-        expanded_star_set = self.test_policy.classes['file'] #everything in the class
-        self.failUnless(self.test_policy.expand_permissions(test_class_obj, star_set)
-                == expanded_star_set)
-        complement_set = set(['*', '-open'])
-        expanded_complement_set = self.test_policy.classes['file'] - set(['open'])
-        self.failUnless(self.test_policy.expand_permissions(test_class_obj, complement_set)
-                == expanded_complement_set)
-
-    def testExpandTypes(self):
-
-        #test general case and '-' handling
-        test_source_set = set([
-                'domain',
-                '-bluetooth' ])
-        expanded_test_source_set = set([
-                'healthd', 'testTYPE' ])
-        self.failUnless(self.test_policy.expand_types(test_source_set) == expanded_test_source_set)
-
-        #test '*' handling
-        test_source_set = set([ '*' ])
-        expanded_test_source_set = set([
-                'bluetooth', 'healthd', 'testTYPE' ])
-        self.failUnless(self.test_policy.expand_types(test_source_set) == types)
-        #test - handling
-        test_source_set = set([
-                '*',
-                '-bluetooth'])
-        expanded_test_source_set = set([
-                'healthd', 'healthd_exec', 'testTYPE' ])
-        self.failUnless(self.test_policy.expand_types(test_source_set) == expanded_test_source_set)
-
-    def testProcessAttributeLine(self):
-        attribute_policy = SELinuxPolicy()
-        #test with 'normal input'
-        test_normal_string = 'attribute TEST_att;'
-        test_attribute = 'TEST_att'
-        attribute_policy.process_attribute_line(test_normal_string)
-        self.failUnless( test_attribute in attribute_policy.attributes)
-        #TODO: test on bogus inputs
-
-    def testProcessClassLine(self):
-        class_policy = SELinuxPolicy()
-        #offsets need changing if test file changes
-        common_offset  = 279
-        class_initial_offset  = 212
-        class_perm_offset = 437
-        self.test_file.seek(common_offset, 0)
-        line = self.test_file.readline()
-        class_policy.process_common_line(line, self.test_file)
-        self.test_file.seek(class_initial_offset, 0)
-        line = self.test_file.readline()
-        class_policy.process_class_line(line, self.test_file)
-        self.failUnless('file' in class_policy.classes)
-        self.test_file.seek(class_perm_offset, 0)
-        line = self.test_file.readline()
-        class_policy.process_class_line(line, self.test_file)
-        self.failUnless(class_policy.classes['file'] == classes['file'])
-
-    def testProcessCommonLine(self):
-        common_policy = SELinuxPolicy()
-        common_offset  = 279 # needs changing if file changes
-        self.test_file.seek(common_offset, 0)
-        line = self.test_file.readline()
-        common_policy.process_common_line(line, self.test_file)
-        self.failUnless('file' in common_policy.common_classes )
-        self.failUnless(common_policy.common_classes['file'] == common_classes['file'])
-
-    def testProcessAvcRuleLine(self):
-        avc_policy = SELinuxPolicy()
-        allow_offset  =  26091 # needs changing if file changes
-        neverallow_offset  = 26311  # needs changing if file changes
-        self.test_file.seek(allow_offset, 0)
-        line = self.test_file.readline()
-        avc_policy.process_avc_rule_line(line, self.test_file)
-        self.failUnless(avc_policy.allow_rules[0] == allow_rules[0] ) # always '0'?
-        self.test_file.seek(neverallow_offset, 0)
-        line = self.test_file.readline()
-        avc_policy.process_avc_rule_line(line, self.test_file)
-        self.failUnless(avc_policy.neverallow_rules[0] == neverallow_rules[0] ) # always '0'?
-
-    def testProcessTypeLine(self):
-        type_policy = SELinuxPolicy()
-        test_normal_string = 'type TEST_type, TEST_att1, TEST_att2;'
-        test_type = 'TEST_type'
-        test_atts = ['TEST_att1', 'TEST_att2']
-        #test with 'normal input'
-        type_policy.process_type_line(test_normal_string)
-        self.failUnless(test_type in type_policy.types)
-        for a in test_atts:
-            self.failUnless(a in type_policy.attributes)
-            self.failUnless(test_type in type_policy.attributes[a])
-        #TODO: test with domain only, no attributes
-        # and test on bogus inputs
-
-    def testProcessTypeattributeLine(self):
-        typ_att_policy = SELinuxPolicy()
-        test_normal_string = 'typeattribute TEST_type TEST_att1, TEST_att2;'
-        test_type = 'TEST_type'
-        test_atts = ['TEST_att1', 'TEST_att2']
-        #test with 'normal input' (type should already be declared)
-        typ_att_policy.process_type_line('type ' + test_type + ';')
-        typ_att_policy.process_typeattribute_line(test_normal_string)
-        self.failUnless(test_type in typ_att_policy.types)
-        for a in test_atts:
-            self.failUnless(a in typ_att_policy.attributes)
-            self.failUnless(test_type in typ_att_policy.attributes[a])
-        #TODO: test with domain only, no attributes
-        # and test on bogus inputs
-
-def main():
-    unittest.main()
-
-if __name__ == '__main__':
-    main()