Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / sepolicy / refs/heads/fp2-sibon / . / file.te
blob: 9e56d7f651939b03dae09ca5f3e3d647fc505653 [file] [log] [blame]
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]1# Filesystem types
2type labeledfs, fs_type;
3type pipefs, fs_type;
4type sockfs, fs_type;
5type rootfs, fs_type;
6type proc, fs_type;
Stephen Smalley7adb9992013-12-06 09:31:40 -0500[diff] [blame]7# Security-sensitive proc nodes that should not be writable to most.
8type proc_security, fs_type;
9# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
10type usermodehelper, fs_type, sysfs_type;
hqjiang4c06d272012-07-19 11:07:04 -0700[diff] [blame]11type qtaguid_proc, fs_type, mlstrustedobject;
Robert Craig65d4f442013-03-27 06:30:25 -0400[diff] [blame]12type proc_bluetooth_writable, fs_type;
Nick Kralevichf2c01182014-09-26 10:51:12 -0700[diff] [blame]13type proc_cpuinfo, fs_type;
Robert Craig529fcbe2014-01-07 13:46:56 -0500[diff] [blame]14type proc_net, fs_type;
Stephen Smalley3dad7b62014-03-05 09:50:08 -0500[diff] [blame]15type proc_sysrq, fs_type;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]16type selinuxfs, fs_type;
17type cgroup, fs_type, mlstrustedobject;
Stephen Smalley9add1f02014-05-08 13:18:52 -0400[diff] [blame]18type sysfs, fs_type, sysfs_type, mlstrustedobject;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]19type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
Stephen Smalley61c80d52012-11-16 09:06:47 -0500[diff] [blame]20type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
Stephen Smalleyf7948232012-03-19 15:56:01 -0400[diff] [blame]21type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
William Robertsec7d39b2013-09-28 18:46:21 -0400[diff] [blame]22type sysfs_wake_lock, fs_type, sysfs_type;
Nick Kralevichc4a3b512013-10-23 09:08:23 -0700[diff] [blame]23# /sys/devices/system/cpu
24type sysfs_devices_system_cpu, fs_type, sysfs_type;
Nick Kralevich5467fce2014-02-13 12:19:50 -0800[diff] [blame]25# /sys/module/lowmemorykiller
26type sysfs_lowmemorykiller, fs_type, sysfs_type;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]27type inotify, fs_type, mlstrustedobject;
Stephen Smalleye8848722012-11-13 13:00:05 -0500[diff] [blame]28type devpts, fs_type, mlstrustedobject;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]29type tmpfs, fs_type;
30type shm, fs_type;
31type mqueue, fs_type;
Ed Heyle9c90bd2014-07-14 23:29:21 -0700[diff] [blame]32type fuse, sdcard_type, fs_type, mlstrustedobject;
33type vfat, sdcard_type, fs_type, mlstrustedobject;
34typealias fuse alias sdcard_internal;
35typealias vfat alias sdcard_external;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]36type debugfs, fs_type, mlstrustedobject;
jaejyn.shin318e0c92014-04-10 13:32:54 +0900[diff] [blame]37type pstorefs, fs_type;
Nick Kralevich77cc0552014-04-15 14:53:05 -0700[diff] [blame]38type functionfs, fs_type;
Stephen Smalleyd2503ba2014-05-30 08:49:51 -0400[diff] [blame]39type oemfs, fs_type, contextmount_type;
Nick Kralevich5a5fb852014-06-07 07:31:31 -0700[diff] [blame]40type usbfs, fs_type;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]41
42# File types
43type unlabeled, file_type;
44# Default type for anything under /system.
45type system_file, file_type;
Nick Kralevichd7e004e2014-10-31 12:40:12 -0700[diff] [blame]46# /cores for coredumps on userdebug / eng builds
47type coredump_file, file_type;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]48# Default type for anything under /data.
49type system_data_file, file_type, data_file_type;
Stephen Smalleybaf49bd2014-05-12 11:18:21 -0400[diff] [blame]50# /data/.layout_version or other installd-created files that
51# are created in a system_data_file directory.
52type install_data_file, file_type, data_file_type;
Stephen Smalleyc83d0082012-03-07 14:59:01 -0500[diff] [blame]53# /data/drm - DRM plugin data
54type drm_data_file, file_type, data_file_type;
Nick Kralevich7adc8cf2014-10-20 21:56:02 -0700[diff] [blame]55# /data/adb - adb debugging files
56type adb_data_file, file_type, data_file_type;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]57# /data/anr - ANR traces
Stephen Smalleya883c382012-04-04 16:00:11 -0400[diff] [blame]58type anr_data_file, file_type, data_file_type, mlstrustedobject;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]59# /data/tombstones - core dumps
60type tombstone_data_file, file_type, data_file_type;
61# /data/app - user-installed apps
Stephen Smalley59d28032012-03-19 10:24:52 -0400[diff] [blame]62type apk_data_file, file_type, data_file_type;
63type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
Robert Craigffd8c442013-04-03 14:21:46 -0400[diff] [blame]64# /data/app-private - forward-locked apps
65type apk_private_data_file, file_type, data_file_type;
66type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]67# /data/dalvik-cache
68type dalvikcache_data_file, file_type, data_file_type;
Stephen Smalley19c50902014-04-09 14:24:33 -0400[diff] [blame]69# /data/dalvik-cache/profiles
70type dalvikcache_profiles_data_file, file_type, data_file_type;
Nick Kralevichfad4d5f2014-06-16 14:19:31 -0700[diff] [blame]71# /data/resource-cache
72type resourcecache_data_file, file_type, data_file_type;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]73# /data/local - writable by shell
74type shell_data_file, file_type, data_file_type;
75# /data/gps
76type gps_data_file, file_type, data_file_type;
Stephen Smalleyad0d0fc2014-05-29 09:22:16 -0400[diff] [blame]77# /data/property
78type property_data_file, file_type, data_file_type;
Nick Kralevich6a32eec2013-12-12 15:23:10 -0800[diff] [blame]79
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]80# /data/misc subdirectories
Nick Kralevich6a32eec2013-12-12 15:23:10 -0800[diff] [blame]81type adb_keys_file, file_type, data_file_type;
Stephen Smalley8510d312013-11-07 13:42:46 -0500[diff] [blame]82type audio_data_file, file_type, data_file_type;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]83type bluetooth_data_file, file_type, data_file_type;
Stephen Smalley8510d312013-11-07 13:42:46 -0500[diff] [blame]84type camera_data_file, file_type, data_file_type;
Robin Lee51bfecf2014-10-13 12:10:08 +0100[diff] [blame]85type keychain_data_file, file_type, data_file_type;
Nick Kralevich6a32eec2013-12-12 15:23:10 -0800[diff] [blame]86type keystore_data_file, file_type, data_file_type;
87type media_data_file, file_type, data_file_type;
Stephen Smalleye13fabd2013-12-17 14:39:35 -0500[diff] [blame]88type media_rw_data_file, file_type, data_file_type;
Robin Lee51bfecf2014-10-13 12:10:08 +0100[diff] [blame]89type misc_user_data_file, file_type, data_file_type;
Sreeram Ramachandran65edb752014-07-07 22:04:57 -0700[diff] [blame]90type net_data_file, file_type, data_file_type;
Nick Kralevich6a32eec2013-12-12 15:23:10 -0800[diff] [blame]91type nfc_data_file, file_type, data_file_type;
92type radio_data_file, file_type, data_file_type;
Torne (Richard Coles)9786af22014-05-23 11:01:58 +0100[diff] [blame]93type shared_relro_file, file_type, data_file_type;
Nick Kralevich6a32eec2013-12-12 15:23:10 -0800[diff] [blame]94type systemkeys_data_file, file_type, data_file_type;
95type vpn_data_file, file_type, data_file_type;
96type wifi_data_file, file_type, data_file_type;
Nick Kralevich7466f9b2013-12-12 15:32:42 -0800[diff] [blame]97type zoneinfo_data_file, file_type, data_file_type;
Nick Kralevich6a32eec2013-12-12 15:23:10 -0800[diff] [blame]98
Stephen Smalley8510d312013-11-07 13:42:46 -0500[diff] [blame]99# Compatibility with type names used in vanilla Android 4.3 and 4.4.
100typealias audio_data_file alias audio_firmware_file;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]101# /data/data subdirectories - app sandboxes
102type app_data_file, file_type, data_file_type;
Stephen Smalley91a4f8d2014-05-07 13:10:02 -0400[diff] [blame]103# /data/data subdirectory for system UID apps.
104type system_app_data_file, file_type, data_file_type;
Stephen Smalleydc88dca2014-03-12 13:31:14 -0400[diff] [blame]105# Compatibility with type name used in Android 4.3 and 4.4.
106typealias app_data_file alias platform_app_data_file;
Stephen Smalleyf9c32572014-03-12 13:39:38 -0400[diff] [blame]107typealias app_data_file alias download_file;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]108# Default type for anything under /cache
109type cache_file, file_type, mlstrustedobject;
rpcraig1c8464e2012-12-04 08:13:58 -0500[diff] [blame]110# Type for /cache/.*\.{data|restore} and default
111# type for anything under /cache/backup
112type cache_backup_file, file_type, mlstrustedobject;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]113# Default type for anything under /efs
114type efs_file, file_type;
Stephen Smalleyf6cbbe22012-03-19 10:29:36 -0400[diff] [blame]115# Type for wallpaper file.
Stephen Smalley6c39ee02012-06-27 08:50:27 -0400[diff] [blame]116type wallpaper_file, file_type, mlstrustedobject;
rpcraig7672eac2012-10-22 13:50:01 -0400[diff] [blame]117# /mnt/asec
118type asec_apk_file, file_type, data_file_type;
Robert Craig48b18832014-02-04 11:36:41 -0500[diff] [blame]119# Elements of asec files (/mnt/asec) that are world readable
120type asec_public_file, file_type, data_file_type;
rpcraig7672eac2012-10-22 13:50:01 -0400[diff] [blame]121# /data/app-asec
122type asec_image_file, file_type, data_file_type;
rpcraig1c8464e2012-12-04 08:13:58 -0500[diff] [blame]123# /data/backup and /data/secure/backup
124type backup_data_file, file_type, data_file_type, mlstrustedobject;
William Roberts9e70c8b2013-01-23 14:02:43 -0800[diff] [blame]125# For /data/security
126type security_file, file_type;
William Roberts7fa2f9e2012-05-31 09:40:12 -0400[diff] [blame]127# All devices have bluetooth efs files. But they
128# vary per device, so this type is used in per
William Robertsc27d30a2012-09-06 18:50:35 -0700[diff] [blame]129# device policy
William Roberts7fa2f9e2012-05-31 09:40:12 -0400[diff] [blame]130type bluetooth_efs_file, file_type;
131
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]132# Socket types
Stephen Smalley61c80d52012-11-16 09:06:47 -0500[diff] [blame]133type adbd_socket, file_type;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]134type bluetooth_socket, file_type;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]135type dnsproxyd_socket, file_type, mlstrustedobject;
Nick Kralevich09e6abd2013-12-13 22:19:45 -0800[diff] [blame]136type dumpstate_socket, file_type;
Sreeram Ramachandran56ecf4b2014-05-01 11:12:10 -0700[diff] [blame]137type fwmarkd_socket, file_type, mlstrustedobject;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]138type gps_socket, file_type;
139type installd_socket, file_type;
Nick Kralevich2b392fc2013-12-05 16:55:34 -0800[diff] [blame]140type lmkd_socket, file_type;
Mark Salyzyn8ed750e2013-11-12 15:34:52 -0800[diff] [blame]141type logd_debug, file_type;
142type logd_socket, file_type;
143type logdr_socket, file_type;
144type logdw_socket, file_type;
Stephen Smalley4caf8c92013-09-19 15:09:38 -0400[diff] [blame]145type mdns_socket, file_type;
Stephen Smalley96ff4c02014-02-24 13:04:49 -0500[diff] [blame]146type mdnsd_socket, file_type;
Stephen Smalley3dad7b62014-03-05 09:50:08 -0500[diff] [blame]147type mtpd_socket, file_type;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]148type netd_socket, file_type;
149type property_socket, file_type;
Robert Craig18b5f872013-01-07 09:21:18 -0500[diff] [blame]150type racoon_socket, file_type;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]151type rild_socket, file_type;
152type rild_debug_socket, file_type;
153type system_wpa_socket, file_type;
Stephen Smalley45ba6652013-09-27 10:24:49 -0400[diff] [blame]154type system_ndebug_socket, file_type;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]155type vold_socket, file_type;
156type wpa_socket, file_type;
157type zygote_socket, file_type;
158
hqjiang81039ab2012-07-10 14:36:22 -0700[diff] [blame]159# UART (for GPS) control proc file
160type gps_control, file_type;
161
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]162# Allow files to be created in their appropriate filesystems.
163allow fs_type self:filesystem associate;
164allow sysfs_type sysfs:filesystem associate;
165allow file_type labeledfs:filesystem associate;
166allow file_type tmpfs:filesystem associate;
Stephen Smalley7aba0bc2013-05-10 11:29:35 -0400[diff] [blame]167allow file_type rootfs:filesystem associate;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]168allow dev_type tmpfs:filesystem associate;
Nick Kralevich48212742014-06-15 08:41:55 -0700[diff] [blame]169
170# It's a bug to assign the file_type attribute and fs_type attribute
171# to any type. Do not allow it.
172#
173# For example, the following is a bug:
174# type apk_data_file, file_type, data_file_type, fs_type;
175# Should be:
176# type apk_data_file, file_type, data_file_type;
Stephen Smalleyd990a782014-07-29 14:50:30 -0400[diff] [blame]177neverallow fs_type file_type:filesystem associate;