Blame - unconfined.te - fp2-dev/platform/external/sepolicy

blob: a76c3d8a9a3ab272bc16ce365491ab4b0bfcfeec [file] [log] [blame]

Nick Kralevich	84d8831	2013-10-21 13:32:31 -0700	[diff] [blame]	1	#######################################################
				2	#
				3	# This is the unconfined template. This template is the base policy
				4	# which is used by daemons and other privileged components of
				5	# Android.
				6	#
				7	# Historically, this template was called "unconfined" because it
				8	# allowed the domain to do anything it wanted. Over time,
				9	# this has changed, and will continue to change in the future.
				10	# The rules in this file will be removed when no remaining
				11	# unconfined domains require it, or when the rules contradict
				12	# Android security best practices. Domains which need rules not
				13	# provided by the unconfined template should add them directly to
				14	# the relevant policy.
				15	#
				16	# The use of this template is discouraged.
				17	######################################################
				18
Nick Kralevich	fa34d47	2014-05-19 22:54:07 -0700	[diff] [blame]	19	allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module audit_write audit_control linux_immutable };
Stephen Smalley	04ee5df	2014-01-30 13:23:08 -0500	[diff] [blame]	20	allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
Stephen Smalley	853ffaa	2014-03-06 13:02:50 -0500	[diff] [blame]	21	allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
Nick Kralevich	685e2f9	2014-05-28 13:48:52 -0700	[diff] [blame]	22	allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console };
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	23	allow unconfineddomain domain:fd *;
				24	allow unconfineddomain domain:dir r_dir_perms;
				25	allow unconfineddomain domain:lnk_file r_file_perms;
				26	allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
Nick Kralevich	0db95cc	2014-06-20 21:15:56 -0700	[diff] [blame]	27	allow unconfineddomain domain:{
				28	socket
				29	netlink_socket
				30	key_socket
				31	unix_stream_socket
				32	unix_dgram_socket
				33	netlink_route_socket
				34	netlink_firewall_socket
				35	netlink_tcpdiag_socket
				36	netlink_nflog_socket
				37	netlink_xfrm_socket
				38	netlink_selinux_socket
				39	netlink_audit_socket
				40	netlink_ip6fw_socket
				41	netlink_dnrt_socket
				42	netlink_kobject_uevent_socket
				43	tun_socket
				44	} *;
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	45	allow unconfineddomain domain:ipc_class_set *;
				46	allow unconfineddomain domain:key *;
Stephen Smalley	ee61528	2014-06-20 14:03:20 -0400	[diff] [blame]	47	allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
Stephen Smalley	75e2ef9	2014-06-16 13:05:38 -0400	[diff] [blame]	48	allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~relabelto;
Nick Kralevich	ee49c0e	2014-06-07 10:00:59 -0700	[diff] [blame]	49	allow unconfineddomain {
				50	file_type
				51	-keystore_data_file
				52	-property_data_file
				53	-system_file
				54	-exec_type
				55	-security_file
				56	-shell_data_file
Stephen Smalley	631a5a8	2014-06-20 13:54:10 -0400	[diff] [blame]	57	-app_data_file
Nick Kralevich	ee49c0e	2014-06-07 10:00:59 -0700	[diff] [blame]	58	}:{ dir lnk_file sock_file fifo_file } ~relabelto;
Stephen Smalley	5622cca	2014-06-17 15:59:58 -0400	[diff] [blame]	59	allow unconfineddomain exec_type:dir r_dir_perms;
Stephen Smalley	a893eda	2014-06-23 12:47:16 -0400	[diff] [blame]	60	allow unconfineddomain exec_type:file { r_file_perms execute };
Stephen Smalley	5622cca	2014-06-17 15:59:58 -0400	[diff] [blame]	61	allow unconfineddomain exec_type:lnk_file r_file_perms;
				62	allow unconfineddomain system_file:dir r_dir_perms;
Stephen Smalley	a893eda	2014-06-23 12:47:16 -0400	[diff] [blame]	63	allow unconfineddomain system_file:file { r_file_perms execute };
Stephen Smalley	5622cca	2014-06-17 15:59:58 -0400	[diff] [blame]	64	allow unconfineddomain system_file:lnk_file r_file_perms;
Stephen Smalley	75e2ef9	2014-06-16 13:05:38 -0400	[diff] [blame]	65	allow unconfineddomain {
				66	fs_type
				67	-usermodehelper
				68	-proc_security
				69	-contextmount_type
Stephen Smalley	04b8a75	2014-06-19 11:26:22 -0400	[diff] [blame]	70	-rootfs
Stephen Smalley	ee61528	2014-06-20 14:03:20 -0400	[diff] [blame]	71	-sdcard_type
Stephen Smalley	f3c3a1a	2014-06-19 09:07:17 -0400	[diff] [blame]	72	}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
				73	allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
Nick Kralevich	ee49c0e	2014-06-07 10:00:59 -0700	[diff] [blame]	74	allow unconfineddomain {
				75	file_type
				76	-keystore_data_file
				77	-property_data_file
				78	-system_file
				79	-exec_type
				80	-security_file
				81	-shell_data_file
Stephen Smalley	631a5a8	2014-06-20 13:54:10 -0400	[diff] [blame]	82	-app_data_file
Stephen Smalley	f3c3a1a	2014-06-19 09:07:17 -0400	[diff] [blame]	83	}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
Stephen Smalley	5622cca	2014-06-17 15:59:58 -0400	[diff] [blame]	84	allow unconfineddomain rootfs:file execute;
Stephen Smalley	75e2ef9	2014-06-16 13:05:38 -0400	[diff] [blame]	85	allow unconfineddomain contextmount_type:dir r_dir_perms;
				86	allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms;
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	87	allow unconfineddomain node_type:node *;
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	88	allow unconfineddomain netif_type:netif *;
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	89	allow unconfineddomain domain:peer recv;
Nick Kralevich	a730e50	2014-01-03 20:44:07 -0800	[diff] [blame]	90	allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };