Merge tag android-5.1.0_r1 into AOSP_5.1_MERGE

Change-Id: I7dca0b40bc7aa72cbf15f3a7d87e4aa879a661a2
diff --git a/SELinux/CTS/src/SELinux_CTS.py b/SELinux/CTS/src/SELinux_CTS.py
new file mode 100644
index 0000000..ec12be0
--- /dev/null
+++ b/SELinux/CTS/src/SELinux_CTS.py
@@ -0,0 +1,542 @@
+import pdb
+import re
+from xml.etree.ElementTree import Element, SubElement, tostring
+
+#define equivalents
+TYPE = 0
+ATTRIBUTE = 1
+TYPEATTRIBUTE = 2
+CLASS = 3
+COMMON = 4
+ALLOW_RULE = 5
+NEVERALLOW_RULE = 6
+OTHER = 7
+
+#define helper methods
+# advance_past_whitespace(): helper function to skip whitespace at current
+# position in file.
+# returns: the non-whitespace character at the file's new position
+#TODO: should I deal with comments here as well?
+def advance_past_whitespace(file_obj):
+    c = file_obj.read(1)
+    while c.isspace():
+        c = file_obj.read(1)
+    file_obj.seek(-1, 1)
+    return c
+
+# advance_until_whitespace(): helper function to grab the string represented
+# by the current position in file until next whitespace.
+# returns: string until next whitespace.  overlooks comments.
+def advance_until_whitespace(file_obj):
+    ret_string = ""
+    c = file_obj.read(1)
+    #TODO: make a better way to deal with ':' and ';'
+    while not (c.isspace() or c == ':' or c == '' or c == ';'):
+        #don't count comments
+        if c == '#':
+            file_obj.readline()
+            return ret_string
+        else:
+            ret_string+=c
+            c = file_obj.read(1)
+    if not c == ':':
+        file_obj.seek(-1, 1)
+    return ret_string
+
+# expand_avc_rule - takes a processed avc rule and converts it into a list of
+# 4-tuples for use in an access check of form:
+    # (source_type, target_type, class, permission)
+def expand_avc_rule(policy, avc_rule):
+    ret_list = [ ]
+
+    #expand source_types
+    source_types = avc_rule['source_types']['set']
+    source_types = policy.expand_types(source_types)
+    if(avc_rule['source_types']['flags']['complement']):
+        #TODO: deal with negated 'self', not present in current policy.conf, though (I think)
+        source_types = policy.types - source_types #complement these types
+    if len(source_types) == 0:
+        print "ERROR: source_types empty after expansion"
+        print "Before: "
+        print avc_rule['source_types']['set']
+        return
+
+    #expand target_types
+    target_types = avc_rule['target_types']['set']
+    target_types = policy.expand_types(target_types)
+    if(avc_rule['target_types']['flags']['complement']):
+        #TODO: deal with negated 'self', not present in current policy.conf, though (I think)
+        target_types = policy.types - target_types #complement these types
+    if len(target_types) == 0:
+        print "ERROR: target_types empty after expansion"
+        print "Before: "
+        print avc_rule['target_types']['set']
+        return
+
+    # get classes
+    rule_classes = avc_rule['classes']['set']
+    if '' in rule_classes:
+        print "FOUND EMPTY STRING IN CLASSES"
+        print "Total sets:"
+        print avc_rule['source_types']['set']
+        print avc_rule['target_types']['set']
+        print rule_classes
+        print avc_rule['permissions']['set']
+
+    if len(rule_classes) == 0:
+        print "ERROR: empy set of object classes in avc rule"
+        return
+
+    # get permissions
+    permissions = avc_rule['permissions']['set']
+    if len(permissions) == 0:
+        print "ERROR: empy set of permissions in avc rule\n"
+        return
+
+    #create the list with collosal nesting, n^4 baby!
+    for s in source_types:
+        for t in target_types:
+            for c in rule_classes:
+                if c == '':
+                   continue
+                #expand permissions on a per-class basis
+                exp_permissions = policy.expand_permissions(c, permissions)
+                if(avc_rule['permissions']['flags']['complement']):
+                    exp_permissions = policy.classes[c] - exp_permissions
+                if len(exp_permissions) == 0:
+                    print "ERROR: permissions empty after expansion\n"
+                    print "Before: "
+                    print avc_rule['permissions']['set']
+                    return
+                for p in exp_permissions:
+                    source = s
+                    if t == 'self':
+                        target = s
+                    else:
+                        target = t
+                    obj_class = c
+                    permission = p
+                    ret_list.append((source, target, obj_class, permission))
+    return ret_list
+
+# expand_avc_rule - takes a processed avc rule and converts it into an xml
+# representation with the information needed in a checkSELinuxAccess() call.
+# (source_type, target_type, class, permission)
+def expand_avc_rule_to_xml(policy, avc_rule, rule_name, rule_type):
+    rule_xml = Element('avc_rule')
+    rule_xml.set('name', rule_name)
+    rule_xml.set('type', rule_type)
+
+    #expand source_types
+    source_types = avc_rule['source_types']['set']
+    source_types = policy.expand_types(source_types)
+    if(avc_rule['source_types']['flags']['complement']):
+        #TODO: deal with negated 'self', not present in current policy.conf, though (I think)
+        source_types = policy.types - source_types #complement these types
+    if len(source_types) == 0:
+        print "ERROR: source_types empty after expansion"
+        print "Before: "
+        print avc_rule['source_types']['set']
+        return
+    for s in source_types:
+        elem = SubElement(rule_xml, 'type')
+        elem.set('type', 'source')
+        elem.text = s
+
+    #expand target_types
+    target_types = avc_rule['target_types']['set']
+    target_types = policy.expand_types(target_types)
+    if(avc_rule['target_types']['flags']['complement']):
+        #TODO: deal with negated 'self', not present in current policy.conf, though (I think)
+        target_types = policy.types - target_types #complement these types
+    if len(target_types) == 0:
+        print "ERROR: target_types empty after expansion"
+        print "Before: "
+        print avc_rule['target_types']['set']
+        return
+    for t in target_types:
+        elem = SubElement(rule_xml, 'type')
+        elem.set('type', 'target')
+        elem.text = t
+
+    # get classes
+    rule_classes = avc_rule['classes']['set']
+
+    if len(rule_classes) == 0:
+        print "ERROR: empy set of object classes in avc rule"
+        return
+
+    # get permissions
+    permissions = avc_rule['permissions']['set']
+    if len(permissions) == 0:
+        print "ERROR: empy set of permissions in avc rule\n"
+        return
+
+    # permissions are class-dependent, so bundled together
+    for c in rule_classes:
+        if c == '':
+            print "AH!!! empty class found!\n"
+            continue
+        c_elem = SubElement(rule_xml, 'obj_class')
+        c_elem.set('name', c)
+        #expand permissions on a per-class basis
+        exp_permissions = policy.expand_permissions(c, permissions)
+        if(avc_rule['permissions']['flags']['complement']):
+            exp_permissions = policy.classes[c] - exp_permissions
+        if len(exp_permissions) == 0:
+            print "ERROR: permissions empty after expansion\n"
+            print "Before: "
+            print avc_rule['permissions']['set']
+            return
+
+        for p in exp_permissions:
+            p_elem = SubElement(c_elem, 'permission')
+            p_elem.text = p
+
+    return rule_xml
+
+# expand_brackets - helper function which reads a file into a string until '{ }'s
+# are balanced.  Brackets are removed from the string.  This function is based
+# on the understanding that nested brackets in our policy.conf file occur only due
+# to macro expansion, and we just need to know how much is included in a given
+# policy sub-component.
+def expand_brackets(file_obj):
+    ret_string = ""
+    c = file_obj.read(1)
+    if not c == '{':
+        print "Invalid bracket expression: " + c + "\n"
+        file_obj.seek(-1, 1)
+        return ""
+    else:
+        bracket_count = 1
+    while bracket_count > 0:
+        c = file_obj.read(1)
+        if c == '{':
+            bracket_count+=1
+        elif c == '}':
+            bracket_count-=1
+        elif c == '#':
+            #get rid of comment and replace with whitespace
+            file_obj.readline()
+            ret_string+=' '
+        else:
+            ret_string+=c
+    return ret_string
+
+# get_avc_rule_component - grabs the next component from an avc rule.  Basically,
+# just reads the next word or bracketed set of words.
+# returns - a set of the word, or words with metadata
+def get_avc_rule_component(file_obj):
+    ret_dict = { 'flags': {}, 'set': set() }
+    c = advance_past_whitespace(file_obj)
+    if c == '~':
+        ret_dict['flags']['complement'] = True
+        file_obj.read(1) #move to next char
+        c = advance_past_whitespace(file_obj)
+    else:
+        ret_dict['flags']['complement'] = False
+    if not c == '{':
+        #TODO: change operations on file to operations on string?
+        single_type =  advance_until_whitespace(file_obj)
+        ret_dict['set'].add(single_type)
+    else:
+        mult_types = expand_brackets(file_obj)
+        mult_types = mult_types.split()
+        for t in mult_types:
+            ret_dict['set'].add(t)
+    return ret_dict
+
+def get_line_type(line):
+    if re.search(r'^type\s', line):
+        return TYPE
+    if re.search(r'^attribute\s', line):
+        return ATTRIBUTE
+    if re.search(r'^typeattribute\s', line):
+        return TYPEATTRIBUTE
+    if re.search(r'^class\s', line):
+        return CLASS
+    if re.search(r'^common\s', line):
+        return COMMON
+    if re.search(r'^allow\s', line):
+        return ALLOW_RULE
+    if re.search(r'^neverallow\s', line):
+        return NEVERALLOW_RULE
+    else:
+        return OTHER
+
+def is_multi_line(line_type):
+    if line_type == CLASS:
+        return True
+    elif line_type == COMMON:
+        return True
+    elif line_type == ALLOW_RULE:
+        return True
+    elif line_type == NEVERALLOW_RULE:
+        return True
+    else:
+        return False
+
+
+#should only be called with file pointing to the 'i' in 'inherits' segment
+def process_inherits_segment(file_obj):
+    inherit_keyword = file_obj.read(8)
+    if not inherit_keyword == 'inherits':
+        #TODO: handle error, invalid class statement
+        print "ERROR: invalid inherits statement"
+        return
+    else:
+        advance_past_whitespace(file_obj)
+        ret_inherited_common = advance_until_whitespace(file_obj)
+        return ret_inherited_common
+
+class SELinuxPolicy:
+
+    def __init__(self):
+        self.types = set()
+        self.attributes = { }
+        self.classes = { }
+        self.common_classes = { }
+        self.allow_rules = [ ]
+        self.neverallow_rules = [ ]
+
+    # create policy directly from policy file
+    #@classmethod
+    def from_file_name(self, policy_file_name):
+        self.types = set()
+        self.attributes = { }
+        self.classes = { }
+        self.common_classes = { }
+        self.allow_rules = [ ]
+        self.neverallow_rules = [ ]
+        with open(policy_file_name, 'r') as policy_file:
+            line = policy_file.readline()
+            while line:
+                line_type = get_line_type(line)
+                if is_multi_line(line_type):
+                    self.parse_multi_line(line, line_type, policy_file)
+                else:
+                    self.parse_single_line(line, line_type)
+                line = policy_file.readline()
+
+    # expand_permissions - generates the actual permission set based on the listed
+    # permissions with wildcards and the given class on which they're based.
+    def expand_permissions(self, obj_class, permission_set):
+        ret_set = set()
+        neg_set = set()
+        for p in permission_set:
+            if p[0] == '-':
+                real_p = p[1:]
+                if real_p in self.classes[obj_class]:
+                    neg_set.add(real_p)
+                else:
+                    print "ERROR: invalid permission in avc rule " + real_t + "\n"
+                    return
+            else:
+                if p in self.classes[obj_class]:
+                    ret_set.add(p)
+                elif p == '*':  #pretty sure this can't be negated? eg -*
+                    ret_set |= self.classes[obj_class]  #All of the permissions
+                else:
+                    print "ERROR: invalid permission in avc rule " + p + "\n"
+                    return
+        return ret_set - neg_set
+
+    # expand_types - generates the actual type set based on the listed types,
+    # attributes, wildcards and negation.  self is left as-is, and is processed
+    # specially when generating checkAccess() 4-tuples
+    def expand_types(self, type_set):
+        ret_set = set()
+        neg_set = set()
+        for t in type_set:
+            if t[0] == '-':
+                real_t = t[1:]
+                if real_t in self.attributes:
+                    neg_set |= self.attributes[real_t]
+                elif real_t in self.types:
+                    neg_set.add(real_t)
+                elif real_t == 'self':
+                    ret_set |= real_t
+                else:
+                    print "ERROR: invalid type in avc rule " + real_t + "\nTYPE SET:"
+                    print type_set
+                    return
+            else:
+                if t in self.attributes:
+                     ret_set |= self.attributes[t]
+                elif t in self.types:
+                    ret_set.add(t)
+                elif t == 'self':
+                    ret_set.add(t)
+                elif t == '*':  #pretty sure this can't be negated?
+                     ret_set |= self.types  #All of the types
+                else:
+                    print "ERROR: invalid type in avc rule " + t + "\nTYPE SET"
+                    print type_set
+                    return
+        return ret_set - neg_set
+
+    def parse_multi_line(self, line, line_type, file_obj):
+        if line_type == CLASS:
+            self.process_class_line(line, file_obj)
+        elif line_type == COMMON:
+            self.process_common_line(line, file_obj)
+        elif line_type == ALLOW_RULE:
+            self.process_avc_rule_line(line, file_obj)
+        elif line_type == NEVERALLOW_RULE:
+            self.process_avc_rule_line(line, file_obj)
+        else:
+            print "Error: This is not a multi-line input"
+
+    def parse_single_line(self, line, line_type):
+        if line_type == TYPE:
+            self.process_type_line(line)
+        elif line_type == ATTRIBUTE:
+            self.process_attribute_line(line)
+        elif line_type == TYPEATTRIBUTE:
+            self.process_typeattribute_line(line)
+        return
+
+    def process_attribute_line(self, line):
+        match = re.search(r'^attribute\s+(.+);', line)
+        if match:
+            declared_attribute = match.group(1)
+            self.attributes[declared_attribute] = set()
+        else:
+            #TODO: handle error? (no state changed)
+            return
+
+    def process_class_line(self, line, file_obj):
+        match = re.search(r'^class\s([^\s]+)\s(.*$)', line)
+        if match:
+            declared_class = match.group(1)
+            #first class declaration has no perms
+            if not declared_class in self.classes:
+                self.classes[declared_class] = set()
+                return
+            else:
+                #need to parse file from after class name until end of '{ }'s
+                file_obj.seek(-(len(match.group(2)) + 1), 1)
+                c = advance_past_whitespace(file_obj)
+                if not (c == 'i' or c == '{'):
+                    print "ERROR: invalid class statement"
+                    return
+                elif c == 'i':
+                    #add inherited permissions
+                    inherited = process_inherits_segment(file_obj)
+                    self.classes[declared_class] |= self.common_classes[inherited]
+                    c = advance_past_whitespace(file_obj)
+                if c == '{':
+                    permissions = expand_brackets(file_obj)
+                    permissions = re.sub(r'#[^\n]*\n','\n' , permissions) #get rid of all comments
+                    permissions = permissions.split()
+                    for p in permissions:
+                        self.classes[declared_class].add(p)
+
+    def process_common_line(self, line, file_obj):
+        match = re.search(r'^common\s([^\s]+)(.*$)', line)
+        if match:
+            declared_common_class = match.group(1)
+            #TODO: common classes should only be declared once...
+            if not declared_common_class in self.common_classes:
+                self.common_classes[declared_common_class] = set()
+            #need to parse file from after common_class name until end of '{ }'s
+            file_obj.seek(-(len(match.group(2)) + 1), 1)
+            c = advance_past_whitespace(file_obj)
+            if not c == '{':
+                print "ERROR: invalid common statement"
+                return
+            permissions = expand_brackets(file_obj)
+            permissions = permissions.split()
+            for p in permissions:
+                self.common_classes[declared_common_class].add(p)
+        return
+
+    def process_avc_rule_line(self, line, file_obj):
+        match = re.search(r'^(never)?allow\s(.*$)', line)
+        if match:
+            if(match.group(1)):
+                rule_type = 'neverallow'
+            else:
+                rule_type = 'allow'
+            #need to parse file from after class name until end of '{ }'s
+            file_obj.seek(-(len(match.group(2)) + 1), 1)
+
+            #grab source type(s)
+            source_types = get_avc_rule_component(file_obj)
+            if len(source_types['set']) == 0:
+                print "ERROR: no source types for avc rule at line: " + line
+                return
+
+            #grab target type(s)
+            target_types = get_avc_rule_component(file_obj)
+            if len(target_types['set']) == 0:
+                print "ERROR: no target types for avc rule at line: " + line
+                return
+
+            #skip ':' potentially already handled by advance_until_whitespace
+            c = advance_past_whitespace(file_obj)
+            if c == ':':
+                file_obj.read(1)
+
+            #grab class(es)
+            classes = get_avc_rule_component(file_obj)
+            if len(classes['set']) == 0:
+                print "ERROR: no classes for avc rule at line: " + line
+                return
+
+            #grab permission(s)
+            permissions = get_avc_rule_component(file_obj)
+            if len(permissions['set']) == 0:
+                print "ERROR: no permissions for avc rule at line: " + line
+                return
+            rule_dict = {
+                'source_types': source_types,
+                'target_types': target_types,
+                'classes': classes,
+                'permissions': permissions }
+
+            if rule_type == 'allow':
+                self.allow_rules.append(rule_dict)
+            elif rule_type == 'neverallow':
+                self.neverallow_rules.append(rule_dict)
+
+    def process_type_line(self, line):
+        #TODO: add support for aliases (not yet in current policy.conf)
+        match = re.search(r'^type\s([^,]+),?(.*);', line)
+        if match:
+            declared_type = match.group(1)
+            self.types.add(declared_type)
+            if match.group(2):
+                declared_attributes = match.group(2)
+                declared_attributes = declared_attributes.replace(" ", "") #remove whitespace
+                declared_attributes = declared_attributes.split(',') #separate based on delimiter
+                for a in declared_attributes:
+                    if not a in self.attributes:
+                        #TODO: hanlde error? attribute should already exist
+                        self.attributes[a] = set()
+                    self.attributes[a].add(declared_type)
+        else:
+            #TODO: handle error? (no state changed)
+            return
+
+    def process_typeattribute_line(self, line):
+        match = re.search(r'^typeattribute\s([^\s]+)\s(.*);', line)
+        if match:
+            declared_type = match.group(1)
+            if not declared_type in self.types:
+                #TODO: handle error? type should already exist
+                self.types.add(declared_type)
+            if match.group(2):
+                declared_attributes = match.group(2)
+                declared_attributes = declared_attributes.replace(" ", "") #remove whitespace
+                declared_attributes = declared_attributes.split(',') #separate based on delimiter
+                for a in declared_attributes:
+                    if not a in self.attributes:
+                        #TODO: hanlde error? attribute should already exist
+                        self.attributes[a] = set()
+                    self.attributes[a].add(declared_type)
+            else:
+                return
+        else:
+            #TODO: handle error? (no state changed)
+            return
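Review bot: Parse and expansion failures throughout the new parser are reported with `print` followed by a bare `return` (for example `process_avc_rule_line` at `print "ERROR: no source types for avc rule at line: " + line`, and the error paths of `expand_types` and `expand_permissions`), so a rule the parser cannot handle is silently dropped from `allow_rules`/`neverallow_rules` and callers receive `None` where a set is expected; since this file exists to derive `checkSELinuxAccess()` checks from the policy, a dropped neverallow rule would quietly weaken the test rather than fail it, so these paths should `raise ValueError("invalid avc rule: " + line)` (or a module-specific exception) instead of returning. Two of those error paths also cannot run as written: in `expand_permissions` the message `print "ERROR: invalid permission in avc rule " + real_t + "\n"` references an undefined name and should use `real_p`, and in `expand_types` the negated-`self` branch does `ret_set |= real_t` on a string, which raises TypeError — presumably `neg_set.add(real_t)`, or rejecting `-self` outright, was intended. The leftover `import pdb` at the top of the module should be removed before this lands in a test suite.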
diff --git a/SELinux/CTS/src/example_input_policy.conf b/SELinux/CTS/src/example_input_policy.conf
new file mode 100644
index 0000000..aeef5f8
--- /dev/null
+++ b/SELinux/CTS/src/example_input_policy.conf
@@ -0,0 +1,9850 @@
+#line 1 "external/sepolicy/security_classes"
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related classes
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+#
+# userspace object manager classes
+#
+
+# passwd/chfn/chsh
+class passwd			# userspace
+
+# SE-X Windows stuff (more classes below)
+class x_drawable		# userspace
+class x_screen			# userspace
+class x_gc			# userspace
+class x_font			# userspace
+class x_colormap		# userspace
+class x_property		# userspace
+class x_selection		# userspace
+class x_cursor			# userspace
+class x_client			# userspace
+class x_device			# userspace
+class x_server			# userspace
+class x_extension		# userspace
+
+# extended netlink sockets
+class netlink_route_socket
+class netlink_firewall_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_ip6fw_socket
+class netlink_dnrt_socket
+
+class dbus			# userspace
+class nscd			# userspace
+
+# IPSec association
+class association
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+
+class appletalk_socket
+
+class packet
+
+# Kernel access key retention
+class key
+
+class context			# userspace
+
+class dccp_socket
+
+class memprotect
+
+class db_database		# userspace
+class db_table			# userspace
+class db_procedure		# userspace
+class db_column			# userspace
+class db_tuple			# userspace
+class db_blob			# userspace
+
+# network peer labels
+class peer
+
+# Capabilities >= 32
+class capability2
+
+# More SE-X Windows stuff
+class x_resource		# userspace
+class x_event			# userspace
+class x_synthetic_event		# userspace
+class x_application_data	# userspace
+
+# kernel services that need to override task security, e.g. cachefiles
+class kernel_service
+
+class tun_socket
+
+# Still More SE-X Windows stuff
+class x_pointer			# userspace
+class x_keyboard		# userspace
+
+# More Database stuff
+class db_schema			# userspace
+class db_view			# userspace
+class db_sequence		# userspace
+class db_language		# userspace
+
+class binder
+class zygote
+
+# Property service
+class property_service          # userspace
+
+# FLASK
+#line 1 "external/sepolicy/initial_sids"
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+sid security
+sid unlabeled
+sid fs
+sid file
+sid file_labels
+sid init
+sid any_socket
+sid port
+sid netif
+sid netmsg
+sid node
+sid igmp_packet
+sid icmp_socket
+sid tcp_socket
+sid sysctl_modprobe
+sid sysctl
+sid sysctl_fs
+sid sysctl_kernel
+sid sysctl_net
+sid sysctl_net_unix
+sid sysctl_vm
+sid sysctl_dev
+sid kmod
+sid policy
+sid scmp_packet
+sid devnull
+
+# FLASK
+#line 1 "external/sepolicy/access_vectors"
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+	ioctl
+	read
+	write
+	create
+	getattr
+	setattr
+	lock
+	relabelfrom
+	relabelto
+	append
+	unlink
+	link
+	rename
+	execute
+	swapon
+	quotaon
+	mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+	ioctl
+	read
+	write
+	create
+	getattr
+	setattr
+	lock
+	relabelfrom
+	relabelto
+	append
+# socket-specific
+	bind
+	connect
+	listen
+	accept
+	getopt
+	setopt
+	shutdown
+	recvfrom
+	sendto
+	recv_msg
+	send_msg
+	name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+	create
+	destroy
+	getattr
+	setattr
+	read
+	write
+	associate
+	unix_read
+	unix_write
+}
+
+#
+#  Define a common prefix for userspace database object access vectors.
+#
+
+common database
+{
+	create
+	drop
+	getattr
+	setattr
+	relabelfrom
+	relabelto
+}
+
+#
+# Define a common prefix for pointer and keyboard access vectors.
+#
+
+common x_device
+{
+	getattr
+	setattr
+	use
+	read
+	write
+	getfocus
+	setfocus
+	bell
+	force_cursor
+	freeze
+	grab
+	manage
+	list_property
+	get_property
+	set_property
+	add
+	remove
+	create
+	destroy
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+	mount
+	remount
+	unmount
+	getattr
+	relabelfrom
+	relabelto
+	transition
+	associate
+	quotamod
+	quotaget
+}
+
+class dir
+inherits file
+{
+	add_name
+	remove_name
+	reparent
+	search
+	rmdir
+	open
+	audit_access
+	execmod
+}
+
+class file
+inherits file
+{
+	execute_no_trans
+	entrypoint
+	execmod
+	open
+	audit_access
+}
+
+class lnk_file
+inherits file
+{
+	open
+	audit_access
+	execmod
+}
+
+class chr_file
+inherits file
+{
+	execute_no_trans
+	entrypoint
+	execmod
+	open
+	audit_access
+}
+
+class blk_file
+inherits file
+{
+	open
+	audit_access
+	execmod
+}
+
+class sock_file
+inherits file
+{
+	open
+	audit_access
+	execmod
+}
+
+class fifo_file
+inherits file
+{
+	open
+	audit_access
+	execmod
+}
+
+class fd
+{
+	use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+	connectto
+	newconn
+	acceptfrom
+	node_bind
+	name_connect
+}
+
+class udp_socket
+inherits socket
+{
+	node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+	node_bind
+}
+
+class node
+{
+	tcp_recv
+	tcp_send
+	udp_recv
+	udp_send
+	rawip_recv
+	rawip_send
+	enforce_dest
+	dccp_recv
+	dccp_send
+	recvfrom
+	sendto
+}
+
+class netif
+{
+	tcp_recv
+	tcp_send
+	udp_recv
+	udp_send
+	rawip_recv
+	rawip_send
+	dccp_recv
+	dccp_send
+	ingress
+	egress
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+	connectto
+	newconn
+	acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+	fork
+	transition
+	sigchld # commonly granted from child to parent
+	sigkill # cannot be caught or ignored
+	sigstop # cannot be caught or ignored
+	signull # for kill(pid, 0)
+	signal  # all other signals
+	ptrace
+	getsched
+	setsched
+	getsession
+	getpgid
+	setpgid
+	getcap
+	setcap
+	share
+	getattr
+	setexec
+	setfscreate
+	noatsecure
+	siginh
+	setrlimit
+	rlimitinh
+	dyntransition
+	setcurrent
+	execmem
+	execstack
+	execheap
+	setkeycreate
+	setsockcreate
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+	enqueue
+}
+
+class msg
+{
+	send
+	receive
+}
+
+class shm
+inherits ipc
+{
+	lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+	compute_av
+	compute_create
+	compute_member
+	check_context
+	load_policy
+	compute_relabel
+	compute_user
+	setenforce     # was avc_toggle in system class
+	setbool
+	setsecparam
+	setcheckreqprot
+	read_policy
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+	ipc_info
+	syslog_read
+	syslog_mod
+	syslog_console
+	module_request
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+	# The capabilities are defined in include/linux/capability.h
+	# Capabilities >= 32 are defined in the capability2 class.
+	# Care should be taken to ensure that these are consistent with
+	# those definitions. (Order matters)
+
+	chown
+	dac_override
+	dac_read_search
+	fowner
+	fsetid
+	kill
+	setgid
+	setuid
+	setpcap
+	linux_immutable
+	net_bind_service
+	net_broadcast
+	net_admin
+	net_raw
+	ipc_lock
+	ipc_owner
+	sys_module
+	sys_rawio
+	sys_chroot
+	sys_ptrace
+	sys_pacct
+	sys_admin
+	sys_boot
+	sys_nice
+	sys_resource
+	sys_time
+	sys_tty_config
+	mknod
+	lease
+	audit_write
+	audit_control
+	setfcap
+}
+
+class capability2
+{
+	mac_override	# unused by SELinux
+	mac_admin	# unused by SELinux
+	syslog
+	wake_alarm
+	block_suspend
+}
+
+#
+# Define the access vector interpretation for controlling
+# changes to passwd information.
+#
+class passwd
+{
+	passwd	# change another user passwd
+	chfn	# change another user finger info
+	chsh	# change another user shell
+	rootok  # pam_rootok check (skip auth)
+	crontab # crontab on another user
+}
+
+#
+# SE-X Windows stuff
+#
+class x_drawable
+{
+	create
+	destroy
+	read
+	write
+	blend
+	getattr
+	setattr
+	list_child
+	add_child
+	remove_child
+	list_property
+	get_property
+	set_property
+	manage
+	override
+	show
+	hide
+	send
+	receive
+}
+
+class x_screen
+{
+	getattr
+	setattr
+	hide_cursor
+	show_cursor
+	saver_getattr
+	saver_setattr
+	saver_hide
+	saver_show
+}
+
+class x_gc
+{
+	create
+	destroy
+	getattr
+	setattr
+	use
+}
+
+class x_font
+{
+	create
+	destroy
+	getattr
+	add_glyph
+	remove_glyph
+	use
+}
+
+class x_colormap
+{
+	create
+	destroy
+	read
+	write
+	getattr
+	add_color
+	remove_color
+	install
+	uninstall
+	use
+}
+
+class x_property
+{
+	create
+	destroy
+	read
+	write
+	append
+	getattr
+	setattr
+}
+
+class x_selection
+{
+	read
+	write
+	getattr
+	setattr
+}
+
+class x_cursor
+{
+	create
+	destroy
+	read
+	write
+	getattr
+	setattr
+	use
+}
+
+class x_client
+{
+	destroy
+	getattr
+	setattr
+	manage
+}
+
+class x_device
+inherits x_device
+
+class x_server
+{
+	getattr
+	setattr
+	record
+	debug
+	grab
+	manage
+}
+
+class x_extension
+{
+	query
+	use
+}
+
+class x_resource
+{
+	read
+	write
+}
+
+class x_event
+{
+	send
+	receive
+}
+
+class x_synthetic_event
+{
+	send
+	receive
+}
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_firewall_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+	nlmsg_relay
+	nlmsg_readpriv
+	nlmsg_tty_audit
+}
+
+class netlink_ip6fw_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access and communication through the D-BUS messaging
+# system.
+#
+class dbus
+{
+	acquire_svc
+	send_msg
+}
+
+# Define the access vector interpretation for controlling
+# access through the name service cache daemon (nscd).
+#
+class nscd
+{
+	getpwd
+	getgrp
+	gethost
+	getstat
+	admin
+	shmempwd
+	shmemgrp
+	shmemhost
+	getserv
+	shmemserv
+}
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+	sendto
+	recvfrom
+	setcontext
+	polmatch
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
+
+class appletalk_socket
+inherits socket
+
+class packet
+{
+	send
+	recv
+	relabelto
+	flow_in		# deprecated
+	flow_out	# deprecated
+	forward_in
+	forward_out
+}
+
+class key
+{
+	view
+	read
+	write
+	search
+	link
+	setattr
+	create
+}
+
+class context
+{
+	translate
+	contains
+}
+
+class dccp_socket
+inherits socket
+{
+	node_bind
+	name_connect
+}
+
+class memprotect
+{
+	mmap_zero
+}
+
+class db_database
+inherits database
+{
+	access
+	install_module
+	load_module
+	get_param	# deprecated
+	set_param	# deprecated
+}
+
+class db_table
+inherits database
+{
+	use		# deprecated
+	select
+	update
+	insert
+	delete
+	lock
+}
+
+class db_procedure
+inherits database
+{
+	execute
+	entrypoint
+	install
+}
+
+class db_column
+inherits database
+{
+	use		# deprecated
+	select
+	update
+	insert
+}
+
+class db_tuple
+{
+	relabelfrom
+	relabelto
+	use		# deprecated
+	select
+	update
+	insert
+	delete
+}
+
+class db_blob
+inherits database
+{
+	read
+	write
+	import
+	export
+}
+
+# network peer labels
+class peer
+{
+	recv
+}
+
+class x_application_data
+{
+	paste
+	paste_after_confirm
+	copy
+}
+
+class kernel_service
+{
+	use_as_override
+	create_files_as
+}
+
+class tun_socket
+inherits socket
+
+class x_pointer
+inherits x_device
+
+class x_keyboard
+inherits x_device
+
+class db_schema
+inherits database
+{
+	search
+	add_name
+	remove_name
+}
+
+class db_view
+inherits database
+{
+	expand
+}
+
+class db_sequence
+inherits database
+{
+	get_value
+	next_value
+	set_value
+}
+
+class db_language
+inherits database
+{
+	implement
+	execute
+}
+
+class binder
+{
+	impersonate
+	call
+	set_context_mgr
+	transfer
+}
+
+class zygote
+{
+	specifyids
+	specifyrlimits
+	specifycapabilities
+	specifyinvokewith
+	specifyseinfo
+}
+
+class property_service
+{
+	set
+}
+#line 1 "external/sepolicy/global_macros"
+#####################################
+# Common groupings of object classes.
+#
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+#####################################
+# Common groupings of permissions.
+#
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+#####################################
+# Common socket permission sets.
+
+
+#line 1 "external/sepolicy/mls_macros"
+########################################
+#
+# gen_cats(N)
+#
+# declares categores c0 to c(N-1)
+#
+#line 10
+
+
+
+
+########################################
+#
+# gen_sens(N)
+#
+# declares sensitivites s0 to s(N-1) with dominance
+# in increasing numeric order with s0 lowest, s(N-1) highest
+#
+#line 24
+
+
+
+
+#line 34
+
+
+########################################
+#
+# gen_levels(N,M)
+#
+# levels from s0 to (N-1) with categories c0 to (M-1)
+#
+#line 45
+
+
+
+
+########################################
+#
+# Basic level names for system low and high
+#
+
+
+#line 1 "external/sepolicy/mls"
+#########################################
+# MLS declarations
+#
+
+# Generate the desired number of sensitivities and categories.
+
+#line 6
+# Each sensitivity has a name and zero or more aliases.
+#line 6
+sensitivity s0;
+#line 6
+
+#line 6
+
+#line 6
+# Define the ordering of the sensitivity levels (least to greatest)
+#line 6
+dominance { s0  }
+#line 6
+
+category c0;
+#line 7
+category c1;
+#line 7
+category c2;
+#line 7
+category c3;
+#line 7
+category c4;
+#line 7
+category c5;
+#line 7
+category c6;
+#line 7
+category c7;
+#line 7
+category c8;
+#line 7
+category c9;
+#line 7
+category c10;
+#line 7
+category c11;
+#line 7
+category c12;
+#line 7
+category c13;
+#line 7
+category c14;
+#line 7
+category c15;
+#line 7
+category c16;
+#line 7
+category c17;
+#line 7
+category c18;
+#line 7
+category c19;
+#line 7
+category c20;
+#line 7
+category c21;
+#line 7
+category c22;
+#line 7
+category c23;
+#line 7
+category c24;
+#line 7
+category c25;
+#line 7
+category c26;
+#line 7
+category c27;
+#line 7
+category c28;
+#line 7
+category c29;
+#line 7
+category c30;
+#line 7
+category c31;
+#line 7
+category c32;
+#line 7
+category c33;
+#line 7
+category c34;
+#line 7
+category c35;
+#line 7
+category c36;
+#line 7
+category c37;
+#line 7
+category c38;
+#line 7
+category c39;
+#line 7
+category c40;
+#line 7
+category c41;
+#line 7
+category c42;
+#line 7
+category c43;
+#line 7
+category c44;
+#line 7
+category c45;
+#line 7
+category c46;
+#line 7
+category c47;
+#line 7
+category c48;
+#line 7
+category c49;
+#line 7
+category c50;
+#line 7
+category c51;
+#line 7
+category c52;
+#line 7
+category c53;
+#line 7
+category c54;
+#line 7
+category c55;
+#line 7
+category c56;
+#line 7
+category c57;
+#line 7
+category c58;
+#line 7
+category c59;
+#line 7
+category c60;
+#line 7
+category c61;
+#line 7
+category c62;
+#line 7
+category c63;
+#line 7
+category c64;
+#line 7
+category c65;
+#line 7
+category c66;
+#line 7
+category c67;
+#line 7
+category c68;
+#line 7
+category c69;
+#line 7
+category c70;
+#line 7
+category c71;
+#line 7
+category c72;
+#line 7
+category c73;
+#line 7
+category c74;
+#line 7
+category c75;
+#line 7
+category c76;
+#line 7
+category c77;
+#line 7
+category c78;
+#line 7
+category c79;
+#line 7
+category c80;
+#line 7
+category c81;
+#line 7
+category c82;
+#line 7
+category c83;
+#line 7
+category c84;
+#line 7
+category c85;
+#line 7
+category c86;
+#line 7
+category c87;
+#line 7
+category c88;
+#line 7
+category c89;
+#line 7
+category c90;
+#line 7
+category c91;
+#line 7
+category c92;
+#line 7
+category c93;
+#line 7
+category c94;
+#line 7
+category c95;
+#line 7
+category c96;
+#line 7
+category c97;
+#line 7
+category c98;
+#line 7
+category c99;
+#line 7
+category c100;
+#line 7
+category c101;
+#line 7
+category c102;
+#line 7
+category c103;
+#line 7
+category c104;
+#line 7
+category c105;
+#line 7
+category c106;
+#line 7
+category c107;
+#line 7
+category c108;
+#line 7
+category c109;
+#line 7
+category c110;
+#line 7
+category c111;
+#line 7
+category c112;
+#line 7
+category c113;
+#line 7
+category c114;
+#line 7
+category c115;
+#line 7
+category c116;
+#line 7
+category c117;
+#line 7
+category c118;
+#line 7
+category c119;
+#line 7
+category c120;
+#line 7
+category c121;
+#line 7
+category c122;
+#line 7
+category c123;
+#line 7
+category c124;
+#line 7
+category c125;
+#line 7
+category c126;
+#line 7
+category c127;
+#line 7
+category c128;
+#line 7
+category c129;
+#line 7
+category c130;
+#line 7
+category c131;
+#line 7
+category c132;
+#line 7
+category c133;
+#line 7
+category c134;
+#line 7
+category c135;
+#line 7
+category c136;
+#line 7
+category c137;
+#line 7
+category c138;
+#line 7
+category c139;
+#line 7
+category c140;
+#line 7
+category c141;
+#line 7
+category c142;
+#line 7
+category c143;
+#line 7
+category c144;
+#line 7
+category c145;
+#line 7
+category c146;
+#line 7
+category c147;
+#line 7
+category c148;
+#line 7
+category c149;
+#line 7
+category c150;
+#line 7
+category c151;
+#line 7
+category c152;
+#line 7
+category c153;
+#line 7
+category c154;
+#line 7
+category c155;
+#line 7
+category c156;
+#line 7
+category c157;
+#line 7
+category c158;
+#line 7
+category c159;
+#line 7
+category c160;
+#line 7
+category c161;
+#line 7
+category c162;
+#line 7
+category c163;
+#line 7
+category c164;
+#line 7
+category c165;
+#line 7
+category c166;
+#line 7
+category c167;
+#line 7
+category c168;
+#line 7
+category c169;
+#line 7
+category c170;
+#line 7
+category c171;
+#line 7
+category c172;
+#line 7
+category c173;
+#line 7
+category c174;
+#line 7
+category c175;
+#line 7
+category c176;
+#line 7
+category c177;
+#line 7
+category c178;
+#line 7
+category c179;
+#line 7
+category c180;
+#line 7
+category c181;
+#line 7
+category c182;
+#line 7
+category c183;
+#line 7
+category c184;
+#line 7
+category c185;
+#line 7
+category c186;
+#line 7
+category c187;
+#line 7
+category c188;
+#line 7
+category c189;
+#line 7
+category c190;
+#line 7
+category c191;
+#line 7
+category c192;
+#line 7
+category c193;
+#line 7
+category c194;
+#line 7
+category c195;
+#line 7
+category c196;
+#line 7
+category c197;
+#line 7
+category c198;
+#line 7
+category c199;
+#line 7
+category c200;
+#line 7
+category c201;
+#line 7
+category c202;
+#line 7
+category c203;
+#line 7
+category c204;
+#line 7
+category c205;
+#line 7
+category c206;
+#line 7
+category c207;
+#line 7
+category c208;
+#line 7
+category c209;
+#line 7
+category c210;
+#line 7
+category c211;
+#line 7
+category c212;
+#line 7
+category c213;
+#line 7
+category c214;
+#line 7
+category c215;
+#line 7
+category c216;
+#line 7
+category c217;
+#line 7
+category c218;
+#line 7
+category c219;
+#line 7
+category c220;
+#line 7
+category c221;
+#line 7
+category c222;
+#line 7
+category c223;
+#line 7
+category c224;
+#line 7
+category c225;
+#line 7
+category c226;
+#line 7
+category c227;
+#line 7
+category c228;
+#line 7
+category c229;
+#line 7
+category c230;
+#line 7
+category c231;
+#line 7
+category c232;
+#line 7
+category c233;
+#line 7
+category c234;
+#line 7
+category c235;
+#line 7
+category c236;
+#line 7
+category c237;
+#line 7
+category c238;
+#line 7
+category c239;
+#line 7
+category c240;
+#line 7
+category c241;
+#line 7
+category c242;
+#line 7
+category c243;
+#line 7
+category c244;
+#line 7
+category c245;
+#line 7
+category c246;
+#line 7
+category c247;
+#line 7
+category c248;
+#line 7
+category c249;
+#line 7
+category c250;
+#line 7
+category c251;
+#line 7
+category c252;
+#line 7
+category c253;
+#line 7
+category c254;
+#line 7
+category c255;
+#line 7
+category c256;
+#line 7
+category c257;
+#line 7
+category c258;
+#line 7
+category c259;
+#line 7
+category c260;
+#line 7
+category c261;
+#line 7
+category c262;
+#line 7
+category c263;
+#line 7
+category c264;
+#line 7
+category c265;
+#line 7
+category c266;
+#line 7
+category c267;
+#line 7
+category c268;
+#line 7
+category c269;
+#line 7
+category c270;
+#line 7
+category c271;
+#line 7
+category c272;
+#line 7
+category c273;
+#line 7
+category c274;
+#line 7
+category c275;
+#line 7
+category c276;
+#line 7
+category c277;
+#line 7
+category c278;
+#line 7
+category c279;
+#line 7
+category c280;
+#line 7
+category c281;
+#line 7
+category c282;
+#line 7
+category c283;
+#line 7
+category c284;
+#line 7
+category c285;
+#line 7
+category c286;
+#line 7
+category c287;
+#line 7
+category c288;
+#line 7
+category c289;
+#line 7
+category c290;
+#line 7
+category c291;
+#line 7
+category c292;
+#line 7
+category c293;
+#line 7
+category c294;
+#line 7
+category c295;
+#line 7
+category c296;
+#line 7
+category c297;
+#line 7
+category c298;
+#line 7
+category c299;
+#line 7
+category c300;
+#line 7
+category c301;
+#line 7
+category c302;
+#line 7
+category c303;
+#line 7
+category c304;
+#line 7
+category c305;
+#line 7
+category c306;
+#line 7
+category c307;
+#line 7
+category c308;
+#line 7
+category c309;
+#line 7
+category c310;
+#line 7
+category c311;
+#line 7
+category c312;
+#line 7
+category c313;
+#line 7
+category c314;
+#line 7
+category c315;
+#line 7
+category c316;
+#line 7
+category c317;
+#line 7
+category c318;
+#line 7
+category c319;
+#line 7
+category c320;
+#line 7
+category c321;
+#line 7
+category c322;
+#line 7
+category c323;
+#line 7
+category c324;
+#line 7
+category c325;
+#line 7
+category c326;
+#line 7
+category c327;
+#line 7
+category c328;
+#line 7
+category c329;
+#line 7
+category c330;
+#line 7
+category c331;
+#line 7
+category c332;
+#line 7
+category c333;
+#line 7
+category c334;
+#line 7
+category c335;
+#line 7
+category c336;
+#line 7
+category c337;
+#line 7
+category c338;
+#line 7
+category c339;
+#line 7
+category c340;
+#line 7
+category c341;
+#line 7
+category c342;
+#line 7
+category c343;
+#line 7
+category c344;
+#line 7
+category c345;
+#line 7
+category c346;
+#line 7
+category c347;
+#line 7
+category c348;
+#line 7
+category c349;
+#line 7
+category c350;
+#line 7
+category c351;
+#line 7
+category c352;
+#line 7
+category c353;
+#line 7
+category c354;
+#line 7
+category c355;
+#line 7
+category c356;
+#line 7
+category c357;
+#line 7
+category c358;
+#line 7
+category c359;
+#line 7
+category c360;
+#line 7
+category c361;
+#line 7
+category c362;
+#line 7
+category c363;
+#line 7
+category c364;
+#line 7
+category c365;
+#line 7
+category c366;
+#line 7
+category c367;
+#line 7
+category c368;
+#line 7
+category c369;
+#line 7
+category c370;
+#line 7
+category c371;
+#line 7
+category c372;
+#line 7
+category c373;
+#line 7
+category c374;
+#line 7
+category c375;
+#line 7
+category c376;
+#line 7
+category c377;
+#line 7
+category c378;
+#line 7
+category c379;
+#line 7
+category c380;
+#line 7
+category c381;
+#line 7
+category c382;
+#line 7
+category c383;
+#line 7
+category c384;
+#line 7
+category c385;
+#line 7
+category c386;
+#line 7
+category c387;
+#line 7
+category c388;
+#line 7
+category c389;
+#line 7
+category c390;
+#line 7
+category c391;
+#line 7
+category c392;
+#line 7
+category c393;
+#line 7
+category c394;
+#line 7
+category c395;
+#line 7
+category c396;
+#line 7
+category c397;
+#line 7
+category c398;
+#line 7
+category c399;
+#line 7
+category c400;
+#line 7
+category c401;
+#line 7
+category c402;
+#line 7
+category c403;
+#line 7
+category c404;
+#line 7
+category c405;
+#line 7
+category c406;
+#line 7
+category c407;
+#line 7
+category c408;
+#line 7
+category c409;
+#line 7
+category c410;
+#line 7
+category c411;
+#line 7
+category c412;
+#line 7
+category c413;
+#line 7
+category c414;
+#line 7
+category c415;
+#line 7
+category c416;
+#line 7
+category c417;
+#line 7
+category c418;
+#line 7
+category c419;
+#line 7
+category c420;
+#line 7
+category c421;
+#line 7
+category c422;
+#line 7
+category c423;
+#line 7
+category c424;
+#line 7
+category c425;
+#line 7
+category c426;
+#line 7
+category c427;
+#line 7
+category c428;
+#line 7
+category c429;
+#line 7
+category c430;
+#line 7
+category c431;
+#line 7
+category c432;
+#line 7
+category c433;
+#line 7
+category c434;
+#line 7
+category c435;
+#line 7
+category c436;
+#line 7
+category c437;
+#line 7
+category c438;
+#line 7
+category c439;
+#line 7
+category c440;
+#line 7
+category c441;
+#line 7
+category c442;
+#line 7
+category c443;
+#line 7
+category c444;
+#line 7
+category c445;
+#line 7
+category c446;
+#line 7
+category c447;
+#line 7
+category c448;
+#line 7
+category c449;
+#line 7
+category c450;
+#line 7
+category c451;
+#line 7
+category c452;
+#line 7
+category c453;
+#line 7
+category c454;
+#line 7
+category c455;
+#line 7
+category c456;
+#line 7
+category c457;
+#line 7
+category c458;
+#line 7
+category c459;
+#line 7
+category c460;
+#line 7
+category c461;
+#line 7
+category c462;
+#line 7
+category c463;
+#line 7
+category c464;
+#line 7
+category c465;
+#line 7
+category c466;
+#line 7
+category c467;
+#line 7
+category c468;
+#line 7
+category c469;
+#line 7
+category c470;
+#line 7
+category c471;
+#line 7
+category c472;
+#line 7
+category c473;
+#line 7
+category c474;
+#line 7
+category c475;
+#line 7
+category c476;
+#line 7
+category c477;
+#line 7
+category c478;
+#line 7
+category c479;
+#line 7
+category c480;
+#line 7
+category c481;
+#line 7
+category c482;
+#line 7
+category c483;
+#line 7
+category c484;
+#line 7
+category c485;
+#line 7
+category c486;
+#line 7
+category c487;
+#line 7
+category c488;
+#line 7
+category c489;
+#line 7
+category c490;
+#line 7
+category c491;
+#line 7
+category c492;
+#line 7
+category c493;
+#line 7
+category c494;
+#line 7
+category c495;
+#line 7
+category c496;
+#line 7
+category c497;
+#line 7
+category c498;
+#line 7
+category c499;
+#line 7
+category c500;
+#line 7
+category c501;
+#line 7
+category c502;
+#line 7
+category c503;
+#line 7
+category c504;
+#line 7
+category c505;
+#line 7
+category c506;
+#line 7
+category c507;
+#line 7
+category c508;
+#line 7
+category c509;
+#line 7
+category c510;
+#line 7
+category c511;
+#line 7
+category c512;
+#line 7
+category c513;
+#line 7
+category c514;
+#line 7
+category c515;
+#line 7
+category c516;
+#line 7
+category c517;
+#line 7
+category c518;
+#line 7
+category c519;
+#line 7
+category c520;
+#line 7
+category c521;
+#line 7
+category c522;
+#line 7
+category c523;
+#line 7
+category c524;
+#line 7
+category c525;
+#line 7
+category c526;
+#line 7
+category c527;
+#line 7
+category c528;
+#line 7
+category c529;
+#line 7
+category c530;
+#line 7
+category c531;
+#line 7
+category c532;
+#line 7
+category c533;
+#line 7
+category c534;
+#line 7
+category c535;
+#line 7
+category c536;
+#line 7
+category c537;
+#line 7
+category c538;
+#line 7
+category c539;
+#line 7
+category c540;
+#line 7
+category c541;
+#line 7
+category c542;
+#line 7
+category c543;
+#line 7
+category c544;
+#line 7
+category c545;
+#line 7
+category c546;
+#line 7
+category c547;
+#line 7
+category c548;
+#line 7
+category c549;
+#line 7
+category c550;
+#line 7
+category c551;
+#line 7
+category c552;
+#line 7
+category c553;
+#line 7
+category c554;
+#line 7
+category c555;
+#line 7
+category c556;
+#line 7
+category c557;
+#line 7
+category c558;
+#line 7
+category c559;
+#line 7
+category c560;
+#line 7
+category c561;
+#line 7
+category c562;
+#line 7
+category c563;
+#line 7
+category c564;
+#line 7
+category c565;
+#line 7
+category c566;
+#line 7
+category c567;
+#line 7
+category c568;
+#line 7
+category c569;
+#line 7
+category c570;
+#line 7
+category c571;
+#line 7
+category c572;
+#line 7
+category c573;
+#line 7
+category c574;
+#line 7
+category c575;
+#line 7
+category c576;
+#line 7
+category c577;
+#line 7
+category c578;
+#line 7
+category c579;
+#line 7
+category c580;
+#line 7
+category c581;
+#line 7
+category c582;
+#line 7
+category c583;
+#line 7
+category c584;
+#line 7
+category c585;
+#line 7
+category c586;
+#line 7
+category c587;
+#line 7
+category c588;
+#line 7
+category c589;
+#line 7
+category c590;
+#line 7
+category c591;
+#line 7
+category c592;
+#line 7
+category c593;
+#line 7
+category c594;
+#line 7
+category c595;
+#line 7
+category c596;
+#line 7
+category c597;
+#line 7
+category c598;
+#line 7
+category c599;
+#line 7
+category c600;
+#line 7
+category c601;
+#line 7
+category c602;
+#line 7
+category c603;
+#line 7
+category c604;
+#line 7
+category c605;
+#line 7
+category c606;
+#line 7
+category c607;
+#line 7
+category c608;
+#line 7
+category c609;
+#line 7
+category c610;
+#line 7
+category c611;
+#line 7
+category c612;
+#line 7
+category c613;
+#line 7
+category c614;
+#line 7
+category c615;
+#line 7
+category c616;
+#line 7
+category c617;
+#line 7
+category c618;
+#line 7
+category c619;
+#line 7
+category c620;
+#line 7
+category c621;
+#line 7
+category c622;
+#line 7
+category c623;
+#line 7
+category c624;
+#line 7
+category c625;
+#line 7
+category c626;
+#line 7
+category c627;
+#line 7
+category c628;
+#line 7
+category c629;
+#line 7
+category c630;
+#line 7
+category c631;
+#line 7
+category c632;
+#line 7
+category c633;
+#line 7
+category c634;
+#line 7
+category c635;
+#line 7
+category c636;
+#line 7
+category c637;
+#line 7
+category c638;
+#line 7
+category c639;
+#line 7
+category c640;
+#line 7
+category c641;
+#line 7
+category c642;
+#line 7
+category c643;
+#line 7
+category c644;
+#line 7
+category c645;
+#line 7
+category c646;
+#line 7
+category c647;
+#line 7
+category c648;
+#line 7
+category c649;
+#line 7
+category c650;
+#line 7
+category c651;
+#line 7
+category c652;
+#line 7
+category c653;
+#line 7
+category c654;
+#line 7
+category c655;
+#line 7
+category c656;
+#line 7
+category c657;
+#line 7
+category c658;
+#line 7
+category c659;
+#line 7
+category c660;
+#line 7
+category c661;
+#line 7
+category c662;
+#line 7
+category c663;
+#line 7
+category c664;
+#line 7
+category c665;
+#line 7
+category c666;
+#line 7
+category c667;
+#line 7
+category c668;
+#line 7
+category c669;
+#line 7
+category c670;
+#line 7
+category c671;
+#line 7
+category c672;
+#line 7
+category c673;
+#line 7
+category c674;
+#line 7
+category c675;
+#line 7
+category c676;
+#line 7
+category c677;
+#line 7
+category c678;
+#line 7
+category c679;
+#line 7
+category c680;
+#line 7
+category c681;
+#line 7
+category c682;
+#line 7
+category c683;
+#line 7
+category c684;
+#line 7
+category c685;
+#line 7
+category c686;
+#line 7
+category c687;
+#line 7
+category c688;
+#line 7
+category c689;
+#line 7
+category c690;
+#line 7
+category c691;
+#line 7
+category c692;
+#line 7
+category c693;
+#line 7
+category c694;
+#line 7
+category c695;
+#line 7
+category c696;
+#line 7
+category c697;
+#line 7
+category c698;
+#line 7
+category c699;
+#line 7
+category c700;
+#line 7
+category c701;
+#line 7
+category c702;
+#line 7
+category c703;
+#line 7
+category c704;
+#line 7
+category c705;
+#line 7
+category c706;
+#line 7
+category c707;
+#line 7
+category c708;
+#line 7
+category c709;
+#line 7
+category c710;
+#line 7
+category c711;
+#line 7
+category c712;
+#line 7
+category c713;
+#line 7
+category c714;
+#line 7
+category c715;
+#line 7
+category c716;
+#line 7
+category c717;
+#line 7
+category c718;
+#line 7
+category c719;
+#line 7
+category c720;
+#line 7
+category c721;
+#line 7
+category c722;
+#line 7
+category c723;
+#line 7
+category c724;
+#line 7
+category c725;
+#line 7
+category c726;
+#line 7
+category c727;
+#line 7
+category c728;
+#line 7
+category c729;
+#line 7
+category c730;
+#line 7
+category c731;
+#line 7
+category c732;
+#line 7
+category c733;
+#line 7
+category c734;
+#line 7
+category c735;
+#line 7
+category c736;
+#line 7
+category c737;
+#line 7
+category c738;
+#line 7
+category c739;
+#line 7
+category c740;
+#line 7
+category c741;
+#line 7
+category c742;
+#line 7
+category c743;
+#line 7
+category c744;
+#line 7
+category c745;
+#line 7
+category c746;
+#line 7
+category c747;
+#line 7
+category c748;
+#line 7
+category c749;
+#line 7
+category c750;
+#line 7
+category c751;
+#line 7
+category c752;
+#line 7
+category c753;
+#line 7
+category c754;
+#line 7
+category c755;
+#line 7
+category c756;
+#line 7
+category c757;
+#line 7
+category c758;
+#line 7
+category c759;
+#line 7
+category c760;
+#line 7
+category c761;
+#line 7
+category c762;
+#line 7
+category c763;
+#line 7
+category c764;
+#line 7
+category c765;
+#line 7
+category c766;
+#line 7
+category c767;
+#line 7
+category c768;
+#line 7
+category c769;
+#line 7
+category c770;
+#line 7
+category c771;
+#line 7
+category c772;
+#line 7
+category c773;
+#line 7
+category c774;
+#line 7
+category c775;
+#line 7
+category c776;
+#line 7
+category c777;
+#line 7
+category c778;
+#line 7
+category c779;
+#line 7
+category c780;
+#line 7
+category c781;
+#line 7
+category c782;
+#line 7
+category c783;
+#line 7
+category c784;
+#line 7
+category c785;
+#line 7
+category c786;
+#line 7
+category c787;
+#line 7
+category c788;
+#line 7
+category c789;
+#line 7
+category c790;
+#line 7
+category c791;
+#line 7
+category c792;
+#line 7
+category c793;
+#line 7
+category c794;
+#line 7
+category c795;
+#line 7
+category c796;
+#line 7
+category c797;
+#line 7
+category c798;
+#line 7
+category c799;
+#line 7
+category c800;
+#line 7
+category c801;
+#line 7
+category c802;
+#line 7
+category c803;
+#line 7
+category c804;
+#line 7
+category c805;
+#line 7
+category c806;
+#line 7
+category c807;
+#line 7
+category c808;
+#line 7
+category c809;
+#line 7
+category c810;
+#line 7
+category c811;
+#line 7
+category c812;
+#line 7
+category c813;
+#line 7
+category c814;
+#line 7
+category c815;
+#line 7
+category c816;
+#line 7
+category c817;
+#line 7
+category c818;
+#line 7
+category c819;
+#line 7
+category c820;
+#line 7
+category c821;
+#line 7
+category c822;
+#line 7
+category c823;
+#line 7
+category c824;
+#line 7
+category c825;
+#line 7
+category c826;
+#line 7
+category c827;
+#line 7
+category c828;
+#line 7
+category c829;
+#line 7
+category c830;
+#line 7
+category c831;
+#line 7
+category c832;
+#line 7
+category c833;
+#line 7
+category c834;
+#line 7
+category c835;
+#line 7
+category c836;
+#line 7
+category c837;
+#line 7
+category c838;
+#line 7
+category c839;
+#line 7
+category c840;
+#line 7
+category c841;
+#line 7
+category c842;
+#line 7
+category c843;
+#line 7
+category c844;
+#line 7
+category c845;
+#line 7
+category c846;
+#line 7
+category c847;
+#line 7
+category c848;
+#line 7
+category c849;
+#line 7
+category c850;
+#line 7
+category c851;
+#line 7
+category c852;
+#line 7
+category c853;
+#line 7
+category c854;
+#line 7
+category c855;
+#line 7
+category c856;
+#line 7
+category c857;
+#line 7
+category c858;
+#line 7
+category c859;
+#line 7
+category c860;
+#line 7
+category c861;
+#line 7
+category c862;
+#line 7
+category c863;
+#line 7
+category c864;
+#line 7
+category c865;
+#line 7
+category c866;
+#line 7
+category c867;
+#line 7
+category c868;
+#line 7
+category c869;
+#line 7
+category c870;
+#line 7
+category c871;
+#line 7
+category c872;
+#line 7
+category c873;
+#line 7
+category c874;
+#line 7
+category c875;
+#line 7
+category c876;
+#line 7
+category c877;
+#line 7
+category c878;
+#line 7
+category c879;
+#line 7
+category c880;
+#line 7
+category c881;
+#line 7
+category c882;
+#line 7
+category c883;
+#line 7
+category c884;
+#line 7
+category c885;
+#line 7
+category c886;
+#line 7
+category c887;
+#line 7
+category c888;
+#line 7
+category c889;
+#line 7
+category c890;
+#line 7
+category c891;
+#line 7
+category c892;
+#line 7
+category c893;
+#line 7
+category c894;
+#line 7
+category c895;
+#line 7
+category c896;
+#line 7
+category c897;
+#line 7
+category c898;
+#line 7
+category c899;
+#line 7
+category c900;
+#line 7
+category c901;
+#line 7
+category c902;
+#line 7
+category c903;
+#line 7
+category c904;
+#line 7
+category c905;
+#line 7
+category c906;
+#line 7
+category c907;
+#line 7
+category c908;
+#line 7
+category c909;
+#line 7
+category c910;
+#line 7
+category c911;
+#line 7
+category c912;
+#line 7
+category c913;
+#line 7
+category c914;
+#line 7
+category c915;
+#line 7
+category c916;
+#line 7
+category c917;
+#line 7
+category c918;
+#line 7
+category c919;
+#line 7
+category c920;
+#line 7
+category c921;
+#line 7
+category c922;
+#line 7
+category c923;
+#line 7
+category c924;
+#line 7
+category c925;
+#line 7
+category c926;
+#line 7
+category c927;
+#line 7
+category c928;
+#line 7
+category c929;
+#line 7
+category c930;
+#line 7
+category c931;
+#line 7
+category c932;
+#line 7
+category c933;
+#line 7
+category c934;
+#line 7
+category c935;
+#line 7
+category c936;
+#line 7
+category c937;
+#line 7
+category c938;
+#line 7
+category c939;
+#line 7
+category c940;
+#line 7
+category c941;
+#line 7
+category c942;
+#line 7
+category c943;
+#line 7
+category c944;
+#line 7
+category c945;
+#line 7
+category c946;
+#line 7
+category c947;
+#line 7
+category c948;
+#line 7
+category c949;
+#line 7
+category c950;
+#line 7
+category c951;
+#line 7
+category c952;
+#line 7
+category c953;
+#line 7
+category c954;
+#line 7
+category c955;
+#line 7
+category c956;
+#line 7
+category c957;
+#line 7
+category c958;
+#line 7
+category c959;
+#line 7
+category c960;
+#line 7
+category c961;
+#line 7
+category c962;
+#line 7
+category c963;
+#line 7
+category c964;
+#line 7
+category c965;
+#line 7
+category c966;
+#line 7
+category c967;
+#line 7
+category c968;
+#line 7
+category c969;
+#line 7
+category c970;
+#line 7
+category c971;
+#line 7
+category c972;
+#line 7
+category c973;
+#line 7
+category c974;
+#line 7
+category c975;
+#line 7
+category c976;
+#line 7
+category c977;
+#line 7
+category c978;
+#line 7
+category c979;
+#line 7
+category c980;
+#line 7
+category c981;
+#line 7
+category c982;
+#line 7
+category c983;
+#line 7
+category c984;
+#line 7
+category c985;
+#line 7
+category c986;
+#line 7
+category c987;
+#line 7
+category c988;
+#line 7
+category c989;
+#line 7
+category c990;
+#line 7
+category c991;
+#line 7
+category c992;
+#line 7
+category c993;
+#line 7
+category c994;
+#line 7
+category c995;
+#line 7
+category c996;
+#line 7
+category c997;
+#line 7
+category c998;
+#line 7
+category c999;
+#line 7
+category c1000;
+#line 7
+category c1001;
+#line 7
+category c1002;
+#line 7
+category c1003;
+#line 7
+category c1004;
+#line 7
+category c1005;
+#line 7
+category c1006;
+#line 7
+category c1007;
+#line 7
+category c1008;
+#line 7
+category c1009;
+#line 7
+category c1010;
+#line 7
+category c1011;
+#line 7
+category c1012;
+#line 7
+category c1013;
+#line 7
+category c1014;
+#line 7
+category c1015;
+#line 7
+category c1016;
+#line 7
+category c1017;
+#line 7
+category c1018;
+#line 7
+category c1019;
+#line 7
+category c1020;
+#line 7
+category c1021;
+#line 7
+category c1022;
+#line 7
+category c1023;
+#line 7
+
+
+# Generate level definitions for each sensitivity and category.
+level s0:c0.c1023;
+#line 10
+
+
+
+#################################################
+# MLS policy constraints
+#
+
+#
+# Process constraints
+#
+
+# Process transition:  Require equivalence unless the subject is trusted.
+mlsconstrain process { transition dyntransition }
+	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
+
+# Process read operations: No read up unless trusted.
+mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
+	     (l1 dom l2 or t1 == mlstrustedsubject);
+
+# Process write operations:  No write down unless trusted.
+mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
+	     (l1 domby l2 or t1 == mlstrustedsubject);
+
+#
+# Socket constraints
+#
+
+# Create/relabel operations:  Subject must be equivalent to object unless
+# the subject is trusted.  Sockets inherit the range of their creator.
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket } { create relabelfrom relabelto }
+	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
+
+# Datagram send: Sender must be dominated by receiver unless one of them is
+# trusted.
+mlsconstrain unix_dgram_socket { sendto }
+	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+
+# Stream connect:  Client must be equivalent to server unless one of them
+# is trusted.
+mlsconstrain unix_stream_socket { connectto }
+	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+
+#
+# Directory/file constraints
+#
+
+# Create/relabel operations:  Subject must be equivalent to object unless
+# the subject is trusted. Also, files should always be single-level.
+# Do NOT exempt mlstrustedobject types from this constraint.
+mlsconstrain { dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { create relabelfrom relabelto }
+	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
+
+#
+# Constraints for app data files only.
+#
+
+# Only constrain open, not read/write.
+# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
+# Subject must be equivalent to object unless the subject is trusted.
+mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
+	     (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
+mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
+	     (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
+
+#
+# Constraints for file types other than app data files.
+#
+
+# Read operations: Subject must dominate object unless the subject
+# or the object is trusted.
+mlsconstrain dir { read getattr search }
+	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
+	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+# Write operations: Subject must be dominated by the object unless the
+# subject or the object is trusted.
+mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
+	     (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
+	     (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+# Special case for FIFOs.
+# These can be unnamed pipes, in which case they will be labeled with the
+# creating process' label. Thus we also have an exemption when the "object"
+# is a MLS trusted subject and can receive data at any level.
+mlsconstrain fifo_file { read getattr }
+	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
+
+mlsconstrain fifo_file { write setattr append unlink link rename }
+	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
+
+#
+# IPC constraints
+#
+
+# Create/destroy: equivalence or trusted.
+mlsconstrain { sem msgq shm ipc } { create destroy }
+	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
+
+# Read ops: No read up unless trusted.
+mlsconstrain { sem msgq shm ipc } { getattr read associate unix_read }
+	     (l1 dom l2 or t1 == mlstrustedsubject);
+
+# Write ops: No write down unless trusted.
+mlsconstrain { sem msgq shm ipc } { write unix_write }
+	     (l1 domby l2 or t1 == mlstrustedsubject);
+
+#
+# Binder IPC constraints
+#
+# Presently commented out, as apps are expected to call one another.
+# This would only make sense if apps were assigned categories
+# based on allowable communications rather than per-app categories.
+#mlsconstrain binder call
+#	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+#line 1 "external/sepolicy/policy_capabilities"
+# Enable new networking controls.
+policycap network_peer_controls;
+
+# Enable open permission check.
+policycap open_perms;
+#line 1 "external/sepolicy/te_macros"
+#####################################
+# domain_trans(olddomain, type, newdomain)
+# Allow a transition from olddomain to newdomain
+# upon executing a file labeled with type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use domain_auto_trans
+# if that is what you want.
+#
+#line 21
+
+
+#####################################
+# domain_auto_trans(olddomain, type, newdomain)
+# Automatically transition from olddomain to newdomain
+# upon executing a file labeled with type.
+#
+#line 33
+
+
+#####################################
+# file_type_trans(domain, dir_type, file_type)
+# Allow domain to create a file labeled file_type in a
+# directory labeled dir_type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use file_type_auto_trans
+# if that is what you want.
+#
+#line 49
+
+
+#####################################
+# file_type_auto_trans(domain, dir_type, file_type)
+# Automatically label new files with file_type when
+# they are created by domain in directories labeled dir_type.
+#
+#line 62
+
+
+#####################################
+# r_dir_file(domain, type)
+# Allow the specified domain to read directories, files
+# and symbolic links of the specified type.
+#line 71
+
+
+#####################################
+# unconfined_domain(domain)
+# Allow the specified domain to perform more privileged operations
+# than would be typically allowed. Please see the comments at the
+# top of unconfined.te.
+#
+#line 82
+
+
+#####################################
+# tmpfs_domain(domain)
+# Define and allow access to a unique type for
+# this domain when creating tmpfs / shmem / ashmem files.
+#line 92
+
+
+#####################################
+# init_daemon_domain(domain)
+# Set up a transition from init to the daemon domain
+# upon executing its binary.
+#line 101
+
+
+#####################################
+# app_domain(domain)
+# Allow a base set of permissions required for all apps.
+#line 112
+
+
+#####################################
+# relabelto_domain(domain)
+# Allows this domain to use the relabelto permission
+#line 119
+
+
+#####################################
+# platform_app_domain(domain)
+# Allow permissions specific to platform apps.
+#line 127
+
+
+#####################################
+# net_domain(domain)
+# Allow a base set of permissions required for network access.
+#line 134
+
+
+#####################################
+# bluetooth_domain(domain)
+# Allow a base set of permissions required for bluetooth access.
+#line 141
+
+
+#####################################
+# unix_socket_connect(clientdomain, socket, serverdomain)
+# Allow a local socket connection from clientdomain via
+# socket to serverdomain.
+#line 150
+
+
+#####################################
+# unix_socket_send(clientdomain, socket, serverdomain)
+# Allow a local socket send from clientdomain via
+# socket to serverdomain.
+#line 159
+
+
+#####################################
+# binder_use(domain)
+# Allow domain to use Binder IPC.
+#line 169
+
+
+#####################################
+# binder_call(clientdomain, serverdomain)
+# Allow clientdomain to perform binder IPC to serverdomain.
+#line 181
+
+
+#####################################
+# binder_service(domain)
+# Mark a domain as being a Binder service domain.
+# Used to allow binder IPC to the various system services.
+#line 189
+
+
+#####################################
+# selinux_check_access(domain)
+# Allow domain to check SELinux permissions via selinuxfs.
+#line 199
+
+
+#####################################
+# selinux_check_context(domain)
+# Allow domain to check SELinux contexts via selinuxfs.
+#line 208
+
+
+#####################################
+# selinux_getenforce(domain)
+# Allow domain to check whether SELinux is enforcing.
+#line 216
+
+
+#####################################
+# selinux_setenforce(domain)
+# Allow domain to set SELinux to enforcing.
+#line 225
+
+
+#####################################
+# selinux_setbool(domain)
+# Allow domain to set SELinux booleans.
+#line 234
+
+
+#####################################
+# security_access_policy(domain)
+# Read only access to all policy files and
+# selinuxfs
+#line 248
+
+
+#####################################
+# selinux_manage_policy(domain)
+# Ability to manage policy files and
+# trigger runtime reload.
+#line 261
+
+
+#####################################
+# mmac_manage_policy(domain)
+# Ability to manage mmac policy files,
+# trigger runtime reload, change
+# mmac enforcing mode and access logcat.
+#line 274
+
+
+#####################################
+# access_kmsg(domain)
+# Ability to read from kernel logs
+# and execute the klogctl syscall
+# in a non destructive manner. See
+# man 2 klogctl
+#line 284
+
+
+#####################################
+# write_klog(domain)
+# Ability to write to kernel log via
+# klog_write()
+# See system/core/libcutil/klog.c
+#line 295
+
+
+#####################################
+# create_pty(domain)
+# Allow domain to create and use a pty, isolated from any other domain ptys.
+#line 309
+
+
+#####################################
+# Non system_app application set
+#
+
+
+#####################################
+# Userdebug or eng builds
+# SELinux rules which apply only to userdebug or eng builds
+#
+
+
+#####################################
+# permissive_or_unconfined
+# Returns "permissive $1" if FORCE_PERMISSIVE_TO_UNCONFINED is false,
+# and "unconfined($1)" otherwise.
+#
+# This is used for experimental domains, where we want to ensure
+# the domain is unconfined+enforcing once new SELinux policy development
+# has ceased.
+#
+
+
+#####################################
+# write_logd(domain)
+# Ability to write to android log
+# daemon via sockets
+#line 345
+
+
+#####################################
+# read_logd(domain)
+# Ability to read from android
+# log daemon via sockets
+#line 353
+
+
+#####################################
+# control_logd(domain)
+# Ability to control
+# android log daemon via sockets
+#line 363
+
+#line 1 "external/sepolicy/attributes"
+######################################
+# Attribute declarations
+#
+
+# All types used for devices.
+attribute dev_type;
+
+# All types used for processes.
+attribute domain;
+
+# All types used for filesystems.
+attribute fs_type;
+
+# All types used for files that can exist on a labeled fs.
+# Do not use for pseudo file types.
+attribute file_type;
+
+# All types used for domain entry points.
+attribute exec_type;
+
+# All types used for /data files.
+attribute data_file_type;
+
+# All types use for sysfs files.
+attribute sysfs_type;
+
+# Attribute used for all sdcards
+attribute sdcard_type;
+
+# All types used for nodes/hosts.
+attribute node_type;
+
+# All types used for network interfaces.
+attribute netif_type;
+
+# All types used for network ports.
+attribute port_type;
+
+# All types used for property service
+attribute property_type;
+
+# All domains that can override MLS restrictions.
+# i.e. processes that can read up and write down.
+attribute mlstrustedsubject;
+
+# All types that can override MLS restrictions.
+# i.e. files that can be read by lower and written by higher
+attribute mlstrustedobject;
+
+# Domains that are allowed all permissions ("unconfined").
+attribute unconfineddomain;
+
+# All domains used for shells.
+attribute shelldomain;
+
+# All domains used for apps.
+attribute appdomain;
+
+# All domains used for apps with network access.
+attribute netdomain;
+
+# All domains used for apps with bluetooth access.
+attribute bluetoothdomain;
+
+# All domains used for binder service domains.
+attribute binderservicedomain;
+
+# Allow domains used for platform (signed by build key) apps.
+attribute platformappdomain;
+
+# All domains which are allowed the "relabelto" permission
+attribute relabeltodomain;
+#line 1 "external/sepolicy/adbd.te"
+# adbd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type adbd, domain;
+
+#line 7
+
+
+
+#line 9
+# Allow the necessary permissions.
+#line 9
+
+#line 9
+# Old domain may exec the file and transition to the new domain.
+#line 9
+allow adbd shell_exec:file { getattr open read execute };
+#line 9
+allow adbd shell:process transition;
+#line 9
+# New domain is entered by executing the file.
+#line 9
+allow shell shell_exec:file { entrypoint read execute };
+#line 9
+# New domain can send SIGCHLD to its caller.
+#line 9
+allow shell adbd:process sigchld;
+#line 9
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 9
+dontaudit adbd shell:process noatsecure;
+#line 9
+# XXX dontaudit candidate but requires further study.
+#line 9
+allow adbd shell:process { siginh rlimitinh };
+#line 9
+
+#line 9
+# Make the transition occur by default.
+#line 9
+type_transition adbd shell_exec:process shell;
+#line 9
+
+# this is an entrypoint
+allow adbd rootfs:file entrypoint;
+
+# Do not sanitize the environment or open fds of the shell.
+allow adbd shell:process noatsecure;
+
+# Set UID and GID to shell.  Set supplementary groups.
+allow adbd self:capability { setuid setgid };
+
+# Drop capabilities from bounding set on user builds.
+allow adbd self:capability setpcap;
+
+# Create and use network sockets.
+
+#line 23
+typeattribute adbd netdomain;
+#line 23
+
+
+# Access /dev/android_adb.
+allow adbd adb_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# On emulator, access /dev/qemu*.
+allow adbd qemu_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Use a pseudo tty.
+allow adbd devpts:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# adb push/pull /data/local/tmp.
+allow adbd shell_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow adbd shell_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# adb push/pull sdcard.
+allow adbd sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow adbd sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Set service.adb.*, sys.powerctl properties.
+
+#line 43
+allow adbd property_socket:sock_file write;
+#line 43
+allow adbd init:unix_stream_socket connectto;
+#line 43
+
+allow adbd shell_prop:property_service set;
+allow adbd powerctl_prop:property_service set;
+
+# XXX Run /system/bin/vdc to connect to vold.  Run in a separate domain?
+# Also covers running /system/bin/bu.
+allow adbd system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+
+#line 50
+allow adbd vold_socket:sock_file write;
+#line 50
+allow adbd vold:unix_stream_socket connectto;
+#line 50
+
+
+# Perform binder IPC to surfaceflinger (screencap)
+# XXX Run screencap in a separate domain?
+
+#line 54
+# Call the servicemanager and transfer references to it.
+#line 54
+allow adbd servicemanager:binder { call transfer };
+#line 54
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+#line 54
+# all domains in domain.te.
+#line 54
+
+
+#line 55
+# Call the server domain and optionally transfer references to it.
+#line 55
+allow adbd surfaceflinger:binder { call transfer };
+#line 55
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 55
+allow surfaceflinger adbd:binder transfer;
+#line 55
+# Receive and use open files from the server.
+#line 55
+allow adbd surfaceflinger:fd use;
+#line 55
+
+
+# Read /data/misc/adb/adb_keys.
+allow adbd adb_keys_file:dir search;
+allow adbd adb_keys_file:file { getattr open read ioctl lock };
+
+# Allow access in case /data/misc/adb still has the old type.
+allow adbd system_data_file:dir search;
+allow adbd system_data_file:file { getattr open read ioctl lock };
+
+# ndk-gdb invokes adb forward to forward the gdbserver socket.
+allow adbd app_data_file:dir search;
+allow adbd app_data_file:sock_file write;
+allow adbd appdomain:unix_stream_socket connectto;
+
+# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
+allow adbd zygote_exec:file { getattr open read ioctl lock };
+allow adbd system_file:file { getattr open read ioctl lock };
+#line 1 "external/sepolicy/app.te"
+###
+### Domain for all zygote spawned apps
+###
+### This file is the base policy for all zygote spawned apps.
+### Other policy files, such as isolated_app.te, untrusted_app.te, etc
+### extend from this policy. Only policies which should apply to ALL
+### zygote spawned apps should be added here.
+###
+
+# Dalvik Compiler JIT Mapping.
+allow appdomain self:process execmem;
+allow appdomain ashmem_device:chr_file execute;
+
+# Allow apps to connect to the keystore
+
+#line 15
+allow appdomain keystore_socket:sock_file write;
+#line 15
+allow appdomain keystore:unix_stream_socket connectto;
+#line 15
+
+
+# Receive and use open file descriptors inherited from zygote.
+allow appdomain zygote:fd use;
+
+# gdbserver for ndk-gdb reads the zygote.
+allow appdomain zygote_exec:file { getattr open read ioctl lock };
+
+# gdbserver for ndk-gdb ptrace attaches to app process.
+allow appdomain self:process ptrace;
+
+# Read system properties managed by zygote.
+allow appdomain zygote_tmpfs:file read;
+
+# Notify zygote of death;
+allow appdomain zygote:process sigchld;
+
+# Notify shell and adbd of death when spawned via runas for ndk-gdb.
+allow appdomain shell:process sigchld;
+allow appdomain adbd:process sigchld;
+
+# child shell or gdbserver pty access for runas.
+allow appdomain devpts:chr_file { getattr read write ioctl };
+
+# Communicate with system_server.
+allow appdomain system_server:fifo_file { { getattr open read ioctl lock } { open append write } };
+allow appdomain system_server:unix_stream_socket { read write setopt };
+
+#line 42
+# Call the server domain and optionally transfer references to it.
+#line 42
+allow appdomain system_server:binder { call transfer };
+#line 42
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 42
+allow system_server appdomain:binder transfer;
+#line 42
+# Receive and use open files from the server.
+#line 42
+allow appdomain system_server:fd use;
+#line 42
+
+
+# Communication with other apps via fifos
+allow appdomain appdomain:fifo_file { { getattr open read ioctl lock } { open append write } };
+
+# Communicate with surfaceflinger.
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
+
+#line 49
+# Call the server domain and optionally transfer references to it.
+#line 49
+allow appdomain surfaceflinger:binder { call transfer };
+#line 49
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 49
+allow surfaceflinger appdomain:binder transfer;
+#line 49
+# Receive and use open files from the server.
+#line 49
+allow appdomain surfaceflinger:fd use;
+#line 49
+
+
+# App sandbox file accesses.
+allow appdomain app_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow appdomain app_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Read/write data files created by the platform apps if they
+# were passed to the app via binder or local IPC.  Do not allow open.
+allow appdomain platform_app_data_file:file { getattr read write };
+
+# lib subdirectory of /data/data dir is system-owned.
+allow appdomain system_data_file:dir { open getattr read search ioctl };
+allow appdomain system_data_file:file { execute execute_no_trans open };
+
+# Execute the shell or other system executables.
+allow appdomain shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+allow appdomain system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+
+# Read/write wallpaper file (opened by system).
+allow appdomain wallpaper_file:file { getattr read write };
+
+# Write to /data/anr/traces.txt.
+allow appdomain anr_data_file:dir search;
+allow appdomain anr_data_file:file { open append };
+
+# Allow apps to send dump information to dumpstate
+allow appdomain dumpstate:fd use;
+allow appdomain dumpstate:unix_stream_socket { read write getopt getattr };
+allow appdomain shell_data_file:file { write getattr };
+
+# Write to /proc/net/xt_qtaguid/ctrl file.
+allow appdomain qtaguid_proc:file { { getattr open read ioctl lock } { open append write } };
+# Everybody can read the xt_qtaguid resource tracking misc dev.
+# So allow all apps to read from /dev/xt_qtaguid.
+allow appdomain qtaguid_device:chr_file { getattr open read ioctl lock };
+
+# Grant GPU access to all processes started by Zygote.
+# They need that to render the standard UI.
+allow appdomain gpu_device:chr_file { { { getattr open read ioctl lock } { open append write } } execute };
+
+# Use the Binder.
+
+#line 90
+# Call the servicemanager and transfer references to it.
+#line 90
+allow appdomain servicemanager:binder { call transfer };
+#line 90
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+#line 90
+# all domains in domain.te.
+#line 90
+
+# Perform binder IPC to binder services.
+
+#line 92
+# Call the server domain and optionally transfer references to it.
+#line 92
+allow appdomain binderservicedomain:binder { call transfer };
+#line 92
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 92
+allow binderservicedomain appdomain:binder transfer;
+#line 92
+# Receive and use open files from the server.
+#line 92
+allow appdomain binderservicedomain:fd use;
+#line 92
+
+# Perform binder IPC to other apps.
+
+#line 94
+# Call the server domain and optionally transfer references to it.
+#line 94
+allow appdomain appdomain:binder { call transfer };
+#line 94
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 94
+allow appdomain appdomain:binder transfer;
+#line 94
+# Receive and use open files from the server.
+#line 94
+allow appdomain appdomain:fd use;
+#line 94
+
+
+# Appdomain interaction with isolated apps
+
+#line 97
+allow appdomain isolated_app:dir { open getattr read search ioctl };
+#line 97
+allow appdomain isolated_app:{ file lnk_file } { getattr open read ioctl lock };
+#line 97
+
+
+# Already connected, unnamed sockets being passed over some other IPC
+# hence no sock_file or connectto permission. This appears to be how
+# Chrome works, may need to be updated as more apps using isolated services
+# are examined.
+allow appdomain isolated_app:unix_stream_socket { read write };
+
+# Backup ability for every app. BMS opens and passes the fd
+# to any app that has backup ability. Hence, no open permissions here.
+allow appdomain backup_data_file:file { read write getattr };
+allow appdomain cache_backup_file:file { read write getattr };
+# Backup ability using 'adb backup'
+allow appdomain system_data_file:lnk_file getattr;
+
+# Allow all applications to read downloaded files
+allow appdomain download_file:dir search;
+allow appdomain download_file:file { getattr open read ioctl lock };
+
+# Allow applications to communicate with netd via /dev/socket/dnsproxyd
+# to do DNS resolution
+
+#line 118
+allow appdomain dnsproxyd_socket:sock_file write;
+#line 118
+allow appdomain netd:unix_stream_socket connectto;
+#line 118
+
+
+# Allow applications to communicate with drmserver over binder
+
+#line 121
+# Call the server domain and optionally transfer references to it.
+#line 121
+allow appdomain drmserver:binder { call transfer };
+#line 121
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 121
+allow drmserver appdomain:binder transfer;
+#line 121
+# Receive and use open files from the server.
+#line 121
+allow appdomain drmserver:fd use;
+#line 121
+
+
+# Allow applications to communicate with mediaserver over binder
+
+#line 124
+# Call the server domain and optionally transfer references to it.
+#line 124
+allow appdomain mediaserver:binder { call transfer };
+#line 124
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 124
+allow mediaserver appdomain:binder transfer;
+#line 124
+# Receive and use open files from the server.
+#line 124
+allow appdomain mediaserver:fd use;
+#line 124
+
+
+# Allow applications to make outbound tcp connections to any port
+allow appdomain port_type:tcp_socket name_connect;
+
+# Allow apps to see changes to the routing table.
+allow appdomain self:netlink_route_socket {
+    read
+    bind
+    create
+    nlmsg_read
+    ioctl
+    getattr
+    setattr
+    getopt
+    setopt
+    shutdown
+};
+
+# Allow apps to use rawip sockets. This is needed for apps which execute
+# /system/bin/ping, for example.
+allow appdomain self:rawip_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+
+# Allow apps to use the USB Accessory interface.
+# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
+#
+# USB devices are first opened by the system server (USBDeviceManagerService)
+# and the file descriptor is passed to the right Activity via binder.
+allow appdomain usb_device:chr_file { read write getattr ioctl };
+allow appdomain usbaccessory_device:chr_file { read write getattr };
+
+# For art.
+allow appdomain dalvikcache_data_file:file execute;
+
+# For legacy unlabeled userdata on existing devices.
+# See discussion of Unlabeled files in domain.te for more information.
+allow appdomain unlabeled:file { getattr execute execute_no_trans };
+
+###
+### CTS-specific rules
+###
+
+# For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java.
+# Reads /proc/pid/status and statm entries to check that
+# no unexpected root processes are running.
+# Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java
+# Reads /proc/pid/cmdline of vold.
+allow appdomain domain:dir { open read search getattr };
+allow appdomain domain:{ file lnk_file } { open read getattr };
+
+# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
+# testRunAsHasCorrectCapabilities
+allow appdomain runas_exec:file getattr;
+# Others are either allowed elsewhere or not desired.
+
+# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
+# Check SELinux policy and contexts.
+
+#line 181
+allow appdomain selinuxfs:dir { open getattr read search ioctl };
+#line 181
+allow appdomain selinuxfs:file { { getattr open read ioctl lock } { open append write } };
+#line 181
+allow appdomain kernel:security compute_av;
+#line 181
+allow appdomain self:netlink_selinux_socket *;
+#line 181
+
+
+#line 182
+allow appdomain selinuxfs:dir { open getattr read search ioctl };
+#line 182
+allow appdomain selinuxfs:file { { getattr open read ioctl lock } { open append write } };
+#line 182
+allow appdomain kernel:security check_context;
+#line 182
+
+# Validate that each process is running in the correct security context.
+allow appdomain domain:process getattr;
+
+# logd access
+
+#line 187
+
+#line 187
+allow appdomain logdr_socket:sock_file write;
+#line 187
+allow appdomain logd:unix_stream_socket connectto;
+#line 187
+
+#line 187
+
+# application inherit logd write socket (urge is to deprecate this long term)
+allow appdomain zygote:unix_dgram_socket write;
+
+###
+### Neverallow rules
+###
+### These are things that Android apps should NEVER be able to do
+###
+
+# Superuser capabilities.
+# bluetooth requires net_admin.
+neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
+neverallow { appdomain -unconfineddomain } self:capability2 *;
+
+# Block device access.
+neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };
+
+# Access to any of the following character devices.
+neverallow { appdomain -unconfineddomain } {
+    audio_device
+    camera_device
+    dm_device
+    radio_device
+    gps_device
+    rpmsg_device
+}:chr_file { read write };
+
+# Note: Try expanding list of app domains in the future.
+neverallow { untrusted_app isolated_app shell -unconfineddomain }
+    graphics_device:chr_file { read write };
+
+neverallow { appdomain -nfc -unconfineddomain } nfc_device:chr_file
+    { read write };
+neverallow { appdomain -bluetooth -unconfineddomain } hci_attach_dev:chr_file
+    { read write };
+neverallow { appdomain -unconfineddomain } tee_device:chr_file { read write };
+
+# Set SELinux enforcing mode, booleans or any other SELinux settings.
+neverallow { appdomain -unconfineddomain } kernel:security
+    { setenforce setbool setsecparam setcheckreqprot };
+
+# Load security policy.
+neverallow appdomain kernel:security load_policy;
+
+# Privileged netlink socket interfaces.
+neverallow { appdomain -unconfineddomain }
+    self:{
+        netlink_socket
+        netlink_firewall_socket
+        netlink_tcpdiag_socket
+        netlink_nflog_socket
+        netlink_xfrm_socket
+        netlink_audit_socket
+        netlink_ip6fw_socket
+        netlink_dnrt_socket
+        netlink_kobject_uevent_socket
+    } *;
+
+# Sockets under /dev/socket that are not specifically typed.
+neverallow { appdomain -unconfineddomain } socket_device:sock_file write;
+
+# Unix domain sockets.
+neverallow { appdomain -unconfineddomain } adbd_socket:sock_file write;
+neverallow { appdomain -unconfineddomain } installd_socket:sock_file write;
+neverallow { appdomain -bluetooth -radio -shell -system_app -unconfineddomain }
+    property_socket:sock_file write;
+neverallow { appdomain -radio -unconfineddomain } rild_socket:sock_file write;
+neverallow { appdomain -unconfineddomain } vold_socket:sock_file write;
+neverallow { appdomain -unconfineddomain } zygote_socket:sock_file write;
+
+# ptrace access to non-app domains.
+neverallow { appdomain -unconfineddomain } { domain -appdomain }:process ptrace;
+
+# Write access to /proc/pid entries for any non-app domain.
+neverallow { appdomain -unconfineddomain } { domain -appdomain }:file write;
+
+# signal access to non-app domains.
+# sigchld allowed for parent death notification.
+# signull allowed for kill(pid, 0) existence test.
+# All others prohibited.
+neverallow { appdomain -unconfineddomain } { domain -appdomain }:process
+    { sigkill sigstop signal };
+
+# Transition to a non-app domain.
+# Exception for the shell domain, can transition to runas, etc.
+neverallow { appdomain -shell -unconfineddomain } ~appdomain:process
+    { transition dyntransition };
+
+# Map low memory.
+# Note: Take to domain.te and apply to all domains in the future.
+neverallow { appdomain -unconfineddomain } self:memprotect mmap_zero;
+
+# Write to rootfs.
+neverallow { appdomain -unconfineddomain } rootfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+    { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to /system.
+neverallow { appdomain -unconfineddomain } system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+    { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to entrypoint executables.
+neverallow { appdomain -unconfineddomain } exec_type:file
+    { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to system-owned parts of /data.
+# This is the default type for anything under /data not otherwise
+# specified in file_contexts.  Define a different type for portions
+# that should be writable by apps.
+# Exception for system_app for Settings.
+neverallow { appdomain -unconfineddomain -system_app }
+    system_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+    { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to various other parts of /data.
+neverallow { appdomain -system_app -unconfineddomain }
+    security_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -unconfineddomain } drm_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -unconfineddomain } gps_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app -unconfineddomain }
+    apk_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app -unconfineddomain }
+    apk_tmp_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app -unconfineddomain }
+    apk_private_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app -unconfineddomain }
+    apk_private_tmp_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -shell -unconfineddomain }
+    shell_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+    { create setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -bluetooth -unconfineddomain }
+    bluetooth_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -unconfineddomain }
+    keystore_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -unconfineddomain }
+    systemkeys_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -unconfineddomain }
+    wifi_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -unconfineddomain }
+    dhcp_data_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } }
+    { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Access to factory files.
+neverallow { appdomain -unconfineddomain }
+    efs_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { read write };
+
+# Write to various pseudo file systems.
+neverallow { appdomain -bluetooth -nfc -unconfineddomain }
+    sysfs:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
+neverallow { appdomain -unconfineddomain }
+    proc:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
+
+# Access to syslog(2) or /proc/kmsg.
+neverallow { appdomain -system_app -unconfineddomain }
+    kernel:system { syslog_read syslog_mod syslog_console };
+
+# Ability to perform any filesystem operation other than statfs(2).
+# i.e. no mount(2), unmount(2), etc.
+neverallow { appdomain -unconfineddomain } fs_type:filesystem ~getattr;
+
+# Ability to set system properties.
+neverallow { appdomain -system_app -radio -shell -bluetooth -unconfineddomain }
+    property_type:property_service set;
+#line 1 "external/sepolicy/binderservicedomain.te"
+# Rules common to all binder service domains
+
+# Allow dumpstate to collect information from binder services
+allow binderservicedomain dumpstate:fd use;
+allow binderservicedomain dumpstate:unix_stream_socket { read write getopt getattr };
+allow binderservicedomain shell_data_file:file { getattr write };
+
+# Allow dumpsys to work from adb shell
+allow binderservicedomain devpts:chr_file { { getattr open read ioctl lock } { open append write } };
+#line 1 "external/sepolicy/bluetooth.te"
+# bluetooth subsystem
+type bluetooth, domain;
+
+#line 3
+typeattribute bluetooth appdomain;
+#line 3
+# Label ashmem objects with our own unique type.
+#line 3
+
+#line 3
+type bluetooth_tmpfs, file_type;
+#line 3
+type_transition bluetooth tmpfs:file bluetooth_tmpfs;
+#line 3
+allow bluetooth bluetooth_tmpfs:file { read write };
+#line 3
+
+#line 3
+# Map with PROT_EXEC.
+#line 3
+allow bluetooth bluetooth_tmpfs:file execute;
+#line 3
+
+
+# Data file accesses.
+allow bluetooth bluetooth_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow bluetooth bluetooth_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Socket creation under /data/misc/bluedroid.
+type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
+allow bluetooth bluetooth_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# bluetooth factory file accesses.
+
+#line 14
+allow bluetooth bluetooth_efs_file:dir { open getattr read search ioctl };
+#line 14
+allow bluetooth bluetooth_efs_file:{ file lnk_file } { getattr open read ioctl lock };
+#line 14
+
+
+# Device accesses.
+allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Other domains that can create and use bluetooth sockets.
+# SELinux does not presently define a specific socket class for
+# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
+allow bluetoothdomain self:socket *;
+
+# sysfs access.
+allow bluetooth sysfs_bluetooth_writable:file { { getattr open read ioctl lock } { open append write } };
+allow bluetooth self:capability net_admin;
+
+# Allow clients to use a socket provided by the bluetooth app.
+allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };
+
+# tethering
+allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
+allow bluetooth efs_file:dir search;
+
+# Talk to init over the property socket.
+
+#line 36
+allow bluetooth property_socket:sock_file write;
+#line 36
+allow bluetooth init:unix_stream_socket connectto;
+#line 36
+
+
+# proc access.
+allow bluetooth proc_bluetooth_writable:file { { getattr open read ioctl lock } { open append write } };
+
+# bluetooth file transfers
+allow bluetooth sdcard_internal:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow bluetooth sdcard_internal:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Allow reading of media_rw_data_file file descriptors
+# passed to bluetooth
+allow bluetooth media_rw_data_file:file { read getattr };
+
+# Allow write access to bluetooth specific properties
+allow bluetooth bluetooth_prop:property_service set;
+
+###
+### Neverallow rules
+###
+### These are things that the bluetooth app should NEVER be able to do
+###
+
+# Superuser capabilities.
+# bluetooth requires net_admin.
+neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;
+#line 1 "external/sepolicy/bootanim.te"
+# bootanimation oneshot service
+type bootanim, domain;
+type bootanim_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init bootanim_exec:file { getattr open read execute };
+#line 5
+allow init bootanim:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow bootanim bootanim_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow bootanim init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init bootanim:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init bootanim:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init bootanim_exec:process bootanim;
+#line 5
+
+#line 5
+
+#line 5
+type bootanim_tmpfs, file_type;
+#line 5
+type_transition bootanim tmpfs:file bootanim_tmpfs;
+#line 5
+allow bootanim bootanim_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+
+
+#line 7
+# Call the servicemanager and transfer references to it.
+#line 7
+allow bootanim servicemanager:binder { call transfer };
+#line 7
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+#line 7
+# all domains in domain.te.
+#line 7
+
+
+#line 8
+# Call the server domain and optionally transfer references to it.
+#line 8
+allow bootanim surfaceflinger:binder { call transfer };
+#line 8
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 8
+allow surfaceflinger bootanim:binder transfer;
+#line 8
+# Receive and use open files from the server.
+#line 8
+allow bootanim surfaceflinger:fd use;
+#line 8
+
+
+allow bootanim gpu_device:chr_file { { getattr open read ioctl lock } { open append write } };
+#line 1 "external/sepolicy/clatd.te"
+# 464xlat daemon
+type clatd, domain;
+
+#line 3
+typeattribute clatd mlstrustedsubject;
+#line 3
+typeattribute clatd unconfineddomain;
+#line 3
+
+type clatd_exec, exec_type, file_type;
+
+
+#line 6
+
+#line 6
+# Allow the necessary permissions.
+#line 6
+
+#line 6
+# Old domain may exec the file and transition to the new domain.
+#line 6
+allow init clatd_exec:file { getattr open read execute };
+#line 6
+allow init clatd:process transition;
+#line 6
+# New domain is entered by executing the file.
+#line 6
+allow clatd clatd_exec:file { entrypoint read execute };
+#line 6
+# New domain can send SIGCHLD to its caller.
+#line 6
+allow clatd init:process sigchld;
+#line 6
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 6
+dontaudit init clatd:process noatsecure;
+#line 6
+# XXX dontaudit candidate but requires further study.
+#line 6
+allow init clatd:process { siginh rlimitinh };
+#line 6
+
+#line 6
+# Make the transition occur by default.
+#line 6
+type_transition init clatd_exec:process clatd;
+#line 6
+
+#line 6
+
+#line 6
+type clatd_tmpfs, file_type;
+#line 6
+type_transition clatd tmpfs:file clatd_tmpfs;
+#line 6
+allow clatd clatd_tmpfs:file { read write };
+#line 6
+
+#line 6
+
+
+#line 7
+typeattribute clatd netdomain;
+#line 7
+
+#line 1 "external/sepolicy/debuggerd.te"
+# debugger interface
+type debuggerd, domain;
+type debuggerd_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init debuggerd_exec:file { getattr open read execute };
+#line 5
+allow init debuggerd:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow debuggerd debuggerd_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow debuggerd init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init debuggerd:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init debuggerd:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init debuggerd_exec:process debuggerd;
+#line 5
+
+#line 5
+
+#line 5
+type debuggerd_tmpfs, file_type;
+#line 5
+type_transition debuggerd tmpfs:file debuggerd_tmpfs;
+#line 5
+allow debuggerd debuggerd_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+typeattribute debuggerd mlstrustedsubject;
+allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner };
+allow debuggerd self:capability2 { syslog };
+allow debuggerd domain:dir { open getattr read search ioctl };
+allow debuggerd domain:file { getattr open read ioctl lock };
+allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd }:process ptrace;
+
+#line 12
+allow debuggerd security_file:dir { open getattr read search ioctl };
+#line 12
+allow debuggerd security_file:file { getattr open read ioctl lock };
+#line 12
+allow debuggerd security_file:lnk_file { getattr open read ioctl lock };
+#line 12
+allow debuggerd selinuxfs:dir { open getattr read search ioctl };
+#line 12
+allow debuggerd selinuxfs:file { getattr open read ioctl lock };
+#line 12
+allow debuggerd rootfs:dir { open getattr read search ioctl };
+#line 12
+allow debuggerd rootfs:file { getattr open read ioctl lock };
+#line 12
+
+allow debuggerd system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow debuggerd system_data_file:dir relabelfrom;
+
+#line 15
+typeattribute debuggerd relabeltodomain;
+#line 15
+
+allow debuggerd tombstone_data_file:dir relabelto;
+allow debuggerd tombstone_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow debuggerd tombstone_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow debuggerd domain:process { sigstop signal };
+allow debuggerd exec_type:file { getattr open read ioctl lock };
+# Access app library
+allow debuggerd system_data_file:file open;
+
+# Connect to system_server via /data/system/ndebugsocket.
+
+#line 25
+allow debuggerd system_ndebug_socket:sock_file write;
+#line 25
+allow debuggerd system_server:unix_stream_socket connectto;
+#line 25
+
+
+#line 30
+
+
+# logd access
+
+#line 33
+
+#line 33
+allow debuggerd logdr_socket:sock_file write;
+#line 33
+allow debuggerd logd:unix_stream_socket connectto;
+#line 33
+
+#line 33
+
+#line 1 "external/sepolicy/device.te"
+# Device types
+type device, dev_type, fs_type;
+type alarm_device, dev_type, mlstrustedobject;
+type adb_device, dev_type;
+type ashmem_device, dev_type, mlstrustedobject;
+type audio_device, dev_type;
+type binder_device, dev_type, mlstrustedobject;
+type block_device, dev_type;
+type camera_device, dev_type;
+type dm_device, dev_type;
+type loop_device, dev_type;
+type radio_device, dev_type;
+type ram_device, dev_type;
+type console_device, dev_type;
+type cpuctl_device, dev_type;
+type fscklogs, dev_type;
+type full_device, dev_type;
+# GPU (used by most UI apps)
+type gpu_device, dev_type, mlstrustedobject;
+type graphics_device, dev_type;
+type hw_random_device, dev_type;
+type input_device, dev_type;
+type kmem_device, dev_type;
+type log_device, dev_type, mlstrustedobject;
+type mtd_device, dev_type;
+type mtp_device, dev_type, mlstrustedobject;
+type nfc_device, dev_type;
+type ptmx_device, dev_type, mlstrustedobject;
+type qemu_device, dev_type;
+type kmsg_device, dev_type;
+type null_device, dev_type, mlstrustedobject;
+type random_device, dev_type;
+type sensors_device, dev_type;
+type serial_device, dev_type;
+type socket_device, dev_type;
+type owntty_device, dev_type, mlstrustedobject;
+type tty_device, dev_type;
+type urandom_device, dev_type;
+type video_device, dev_type;
+type vcs_device, dev_type;
+type zero_device, dev_type;
+type fuse_device, dev_type;
+type iio_device, dev_type;
+type ion_device, dev_type, mlstrustedobject;
+type gps_device, dev_type;
+type qtaguid_device, dev_type;
+type watchdog_device, dev_type;
+type uhid_device, dev_type;
+type tun_device, dev_type, mlstrustedobject;
+type usbaccessory_device, dev_type;
+type usb_device, dev_type;
+type klog_device, dev_type;
+type properties_device, dev_type;
+
+# All devices have a uart for the hci
+# attach service. The uart dev node
+# varies per device. This type
+# is used in per device policy
+type hci_attach_dev, dev_type;
+
+# All devices have a rpmsg device for
+# achieving remoteproc and rpmsg modules
+type rpmsg_device, dev_type;
+
+# Partition layout block device
+type root_block_device, dev_type;
+#line 1 "external/sepolicy/dhcp.te"
+type dhcp, domain;
+
+#line 2
+typeattribute dhcp mlstrustedsubject;
+#line 2
+typeattribute dhcp unconfineddomain;
+#line 2
+
+type dhcp_exec, exec_type, file_type;
+type dhcp_data_file, file_type, data_file_type;
+
+
+#line 6
+
+#line 6
+# Allow the necessary permissions.
+#line 6
+
+#line 6
+# Old domain may exec the file and transition to the new domain.
+#line 6
+allow init dhcp_exec:file { getattr open read execute };
+#line 6
+allow init dhcp:process transition;
+#line 6
+# New domain is entered by executing the file.
+#line 6
+allow dhcp dhcp_exec:file { entrypoint read execute };
+#line 6
+# New domain can send SIGCHLD to its caller.
+#line 6
+allow dhcp init:process sigchld;
+#line 6
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 6
+dontaudit init dhcp:process noatsecure;
+#line 6
+# XXX dontaudit candidate but requires further study.
+#line 6
+allow init dhcp:process { siginh rlimitinh };
+#line 6
+
+#line 6
+# Make the transition occur by default.
+#line 6
+type_transition init dhcp_exec:process dhcp;
+#line 6
+
+#line 6
+
+#line 6
+type dhcp_tmpfs, file_type;
+#line 6
+type_transition dhcp tmpfs:file dhcp_tmpfs;
+#line 6
+allow dhcp dhcp_tmpfs:file { read write };
+#line 6
+
+#line 6
+
+
+#line 7
+typeattribute dhcp netdomain;
+#line 7
+
+
+allow dhcp cgroup:dir { create write add_name };
+allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
+allow dhcp self:packet_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+allow dhcp self:netlink_route_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_write };
+allow dhcp self:rawip_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+allow dhcp shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+allow dhcp system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+# For /proc/sys/net/ipv4/conf/*/promote_secondaries
+allow dhcp proc_net:file write;
+allow dhcp system_prop:property_service set ;
+
+#line 19
+allow dhcp property_socket:sock_file write;
+#line 19
+allow dhcp init:unix_stream_socket connectto;
+#line 19
+
+allow dhcp owntty_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
+allow dhcp dhcp_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow dhcp dhcp_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# PAN connections
+allow dhcp netd:fd use;
+allow dhcp netd:fifo_file { { getattr open read ioctl lock } { open append write } };
+allow dhcp netd:{ { udp_socket unix_dgram_socket } unix_stream_socket } { read write };
+allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
+#line 1 "external/sepolicy/dnsmasq.te"
+# DNS, DHCP services
+type dnsmasq, domain;
+
+#line 3
+typeattribute dnsmasq mlstrustedsubject;
+#line 3
+typeattribute dnsmasq unconfineddomain;
+#line 3
+
+type dnsmasq_exec, exec_type, file_type;
+
+allow dnsmasq self:capability { net_bind_service setgid setuid };
+allow dnsmasq self:tcp_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+
+allow dnsmasq dhcp_data_file:dir { open search write add_name remove_name };
+allow dnsmasq dhcp_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow dnsmasq port:tcp_socket name_bind;
+allow dnsmasq node:tcp_socket node_bind;
+#line 1 "external/sepolicy/domain.te"
+# Rules for all domains.
+
+# Allow reaping by init.
+allow domain init:process sigchld;
+
+# Read access to properties mapping.
+allow domain kernel:fd use;
+allow domain tmpfs:file { read getattr };
+
+# Search /storage/emulated tmpfs mount.
+allow domain tmpfs:dir { open getattr read search ioctl };
+
+# Intra-domain accesses.
+allow domain self:process ~{ execmem execstack execheap ptrace };
+allow domain self:fd use;
+allow domain self:dir { open getattr read search ioctl };
+allow domain self:lnk_file { getattr open read ioctl lock };
+allow domain self:{ fifo_file file } { { getattr open read ioctl lock } { open append write } };
+allow domain self:{ unix_dgram_socket unix_stream_socket } *;
+
+# Inherit or receive open files from others.
+allow domain init:fd use;
+allow domain system_server:fd use;
+
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow domain adbd:unix_stream_socket connectto;
+allow domain adbd:fd use;
+allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };
+
+#line 43
+
+
+###
+### Talk to debuggerd.
+###
+allow domain debuggerd:process sigchld;
+allow domain debuggerd:unix_stream_socket connectto;
+
+# Root fs.
+allow domain rootfs:dir { open getattr read search ioctl };
+allow domain rootfs:file { getattr open read ioctl lock };
+allow domain rootfs:lnk_file { getattr open read ioctl lock };
+
+# Device accesses.
+allow domain device:dir search;
+allow domain dev_type:lnk_file { getattr open read ioctl lock };
+allow domain devpts:dir search;
+allow domain device:file read;
+allow domain socket_device:dir search;
+allow domain owntty_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow domain null_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow domain zero_device:chr_file { getattr open read ioctl lock };
+allow domain ashmem_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow domain binder_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow domain ptmx_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow domain log_device:dir search;
+allow domain log_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow domain alarm_device:chr_file { getattr open read ioctl lock };
+allow domain urandom_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow domain random_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow domain properties_device:file { getattr open read ioctl lock };
+
+# logd access
+
+#line 76
+
+#line 76
+
+#line 76
+allow domain logdw_socket:sock_file write;
+#line 76
+allow domain logd:unix_dgram_socket sendto;
+#line 76
+
+#line 76
+
+
+# Filesystem accesses.
+allow domain fs_type:filesystem getattr;
+allow domain fs_type:dir getattr;
+
+# System file accesses.
+allow domain system_file:dir { open getattr read search ioctl };
+allow domain system_file:file { getattr open read ioctl lock };
+allow domain system_file:file execute;
+allow domain system_file:lnk_file { getattr open read ioctl lock };
+
+# Read files already opened under /data.
+allow domain system_data_file:dir { search getattr };
+allow domain system_data_file:file { getattr read };
+allow domain system_data_file:lnk_file { getattr open read ioctl lock };
+
+# Read apk files under /data/app.
+allow domain apk_data_file:dir { getattr search };
+allow domain apk_data_file:file { getattr open read ioctl lock };
+
+# Read /data/dalvik-cache.
+allow domain dalvikcache_data_file:dir { search getattr };
+allow domain dalvikcache_data_file:file { getattr open read ioctl lock };
+
+# Read already opened /cache files.
+allow domain cache_file:dir { open getattr read search ioctl };
+allow domain cache_file:file { getattr read };
+allow domain cache_file:lnk_file { getattr open read ioctl lock };
+
+# Read timezone related information
+
+#line 107
+allow domain zoneinfo_data_file:dir { open getattr read search ioctl };
+#line 107
+allow domain zoneinfo_data_file:{ file lnk_file } { getattr open read ioctl lock };
+#line 107
+
+
+# For /acct/uid/*/tasks.
+allow domain cgroup:dir { search write };
+allow domain cgroup:file { open append write };
+
+#Allow access to ion memory allocation device
+allow domain ion_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Read access to pseudo filesystems.
+
+#line 117
+allow domain proc:dir { open getattr read search ioctl };
+#line 117
+allow domain proc:{ file lnk_file } { getattr open read ioctl lock };
+#line 117
+
+
+#line 118
+allow domain sysfs:dir { open getattr read search ioctl };
+#line 118
+allow domain sysfs:{ file lnk_file } { getattr open read ioctl lock };
+#line 118
+
+
+#line 119
+allow domain sysfs_devices_system_cpu:dir { open getattr read search ioctl };
+#line 119
+allow domain sysfs_devices_system_cpu:{ file lnk_file } { getattr open read ioctl lock };
+#line 119
+
+
+#line 120
+allow domain inotify:dir { open getattr read search ioctl };
+#line 120
+allow domain inotify:{ file lnk_file } { getattr open read ioctl lock };
+#line 120
+
+
+#line 121
+allow domain cgroup:dir { open getattr read search ioctl };
+#line 121
+allow domain cgroup:{ file lnk_file } { getattr open read ioctl lock };
+#line 121
+
+
+#line 122
+allow domain proc_net:dir { open getattr read search ioctl };
+#line 122
+allow domain proc_net:{ file lnk_file } { getattr open read ioctl lock };
+#line 122
+
+
+# debugfs access
+allow domain debugfs:dir { open getattr read search ioctl };
+allow domain debugfs:file { open append write };
+
+# Get SELinux enforcing status.
+
+#line 129
+allow domain selinuxfs:dir { open getattr read search ioctl };
+#line 129
+allow domain selinuxfs:file { getattr open read ioctl lock };
+#line 129
+
+
+# security files
+allow domain security_file:dir { search getattr };
+allow domain security_file:file getattr;
+
+# World readable asec image contents
+allow domain asec_public_file:file { getattr open read ioctl lock };
+allow domain { asec_public_file asec_apk_file }:dir { open getattr read search ioctl };
+
+######## Backwards compatibility - Unlabeled files ############
+
+# Revert to DAC rules when looking at unlabeled files. Over time, the number
+# of unlabeled files should decrease.
+# TODO: delete these rules in the future.
+#
+# Note on relabelfrom: We allow any app relabelfrom, but without the relabelto
+# capability, it's essentially useless. This is needed to allow an app with
+# relabelto to relabel unlabeled files.
+#
+allow domain unlabeled:{ file lnk_file sock_file fifo_file } { { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } } relabelfrom };
+allow domain unlabeled:dir { { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } relabelfrom };
+neverallow { domain -relabeltodomain } *:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;
+
+###
+### neverallow rules
+###
+
+# Limit ability to ptrace or read sensitive /proc/pid files of processes
+# with other UIDs to these whitelisted domains.
+neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
+
+# Limit device node creation and raw I/O to these whitelisted domains.
+neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability { sys_rawio mknod };
+
+# No domain needs mac_override as it is unused by SELinux.
+neverallow domain self:capability2 mac_override;
+
+# Only recovery needs mac_admin to set contexts not defined in current policy.
+neverallow { domain -recovery } self:capability2 mac_admin;
+
+# Only init should be able to load SELinux policies.
+# The first load technically occurs while still in the kernel domain,
+# but this does not trigger a denial since there is no policy yet.
+# Policy reload requires allowing this to the init domain.
+neverallow { domain -init } kernel:security load_policy;
+
+# Only init prior to switching context should be able to set enforcing mode.
+# init starts in kernel domain and switches to init domain via setcon in
+# the init.rc, so the setenforce occurs while still in kernel. After
+# switching domains, there is never any need to setenforce again by init.
+neverallow { domain -kernel } kernel:security { setenforce setcheckreqprot };
+
+# Only init, ueventd and system_server should be able to access HW RNG
+neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
+
+# Ensure that all entrypoint executables are in exec_type.
+neverallow domain { file_type -exec_type }:file entrypoint;
+
+# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
+neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
+neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };
+
+# Only init should be able to configure kernel usermodehelpers or
+# security-sensitive proc settings.
+neverallow { domain -init } usermodehelper:file { append write };
+neverallow { domain -init } proc_security:file { append write };
+
+# No domain should be allowed to ptrace init.
+neverallow domain init:process ptrace;
+
+# Init can't receive binder calls. If this neverallow rule is being
+# triggered, it's probably due to a service with no SELinux domain.
+neverallow domain init:binder call;
+
+# Don't allow raw read/write/open access to block_device
+# Rather force a relabel to a more specific type
+neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };
+
+# Don't allow raw read/write/open access to generic devices.
+# Rather force a relabel to a more specific type.
+# ueventd is exempt from this, as its managing these devices.
+neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write };
+
+# Limit what domains can mount filesystems or change their mount flags.
+# sdcard_type / vfat is exempt as a larger set of domains need
+# this capability, including device-specific domains.
+neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+#line 1 "external/sepolicy/drmserver.te"
+# drmserver - DRM service
+type drmserver, domain;
+type drmserver_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init drmserver_exec:file { getattr open read execute };
+#line 5
+allow init drmserver:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow drmserver drmserver_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow drmserver init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init drmserver:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init drmserver:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init drmserver_exec:process drmserver;
+#line 5
+
+#line 5
+
+#line 5
+type drmserver_tmpfs, file_type;
+#line 5
+type_transition drmserver tmpfs:file drmserver_tmpfs;
+#line 5
+allow drmserver drmserver_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+typeattribute drmserver mlstrustedsubject;
+
+# Perform Binder IPC to system server.
+
+#line 9
+# Call the servicemanager and transfer references to it.
+#line 9
+allow drmserver servicemanager:binder { call transfer };
+#line 9
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+#line 9
+# all domains in domain.te.
+#line 9
+
+
+#line 10
+# Call the server domain and optionally transfer references to it.
+#line 10
+allow drmserver system_server:binder { call transfer };
+#line 10
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 10
+allow system_server drmserver:binder transfer;
+#line 10
+# Receive and use open files from the server.
+#line 10
+allow drmserver system_server:fd use;
+#line 10
+
+
+#line 11
+# Call the server domain and optionally transfer references to it.
+#line 11
+allow drmserver appdomain:binder { call transfer };
+#line 11
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 11
+allow appdomain drmserver:binder transfer;
+#line 11
+# Receive and use open files from the server.
+#line 11
+allow drmserver appdomain:fd use;
+#line 11
+
+
+#line 12
+typeattribute drmserver binderservicedomain;
+#line 12
+
+
+# Perform Binder IPC to mediaserver
+
+#line 15
+# Call the server domain and optionally transfer references to it.
+#line 15
+allow drmserver mediaserver:binder { call transfer };
+#line 15
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 15
+allow mediaserver drmserver:binder transfer;
+#line 15
+# Receive and use open files from the server.
+#line 15
+allow drmserver mediaserver:fd use;
+#line 15
+
+
+allow drmserver sdcard_type:dir search;
+allow drmserver drm_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow drmserver drm_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow drmserver self:{ tcp_socket udp_socket } *;
+allow drmserver port:tcp_socket name_connect;
+allow drmserver tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow drmserver platform_app_data_file:file { read write getattr };
+allow drmserver app_data_file:file { read write getattr };
+allow drmserver sdcard_type:file { read write getattr };
+
+#line 26
+allow drmserver efs_file:dir { open getattr read search ioctl };
+#line 26
+allow drmserver efs_file:{ file lnk_file } { getattr open read ioctl lock };
+#line 26
+
+
+type drmserver_socket, file_type;
+
+# /data/app/tlcd_sock socket file.
+# Clearly, /data/app is the most logical place to create a socket.  Not.
+allow drmserver apk_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+type_transition drmserver apk_data_file:sock_file drmserver_socket;
+allow drmserver drmserver_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow drmserver tee:unix_stream_socket connectto;
+# Delete old socket file if present.
+allow drmserver apk_data_file:sock_file unlink;
+
+# After taking a video, drmserver looks at the video file.
+
+#line 40
+allow drmserver media_rw_data_file:dir { open getattr read search ioctl };
+#line 40
+allow drmserver media_rw_data_file:{ file lnk_file } { getattr open read ioctl lock };
+#line 40
+
+#line 1 "external/sepolicy/dumpstate.te"
+# dumpstate
+type dumpstate, domain;
+
+#line 3
+typeattribute dumpstate mlstrustedsubject;
+#line 3
+typeattribute dumpstate unconfineddomain;
+#line 3
+
+type dumpstate_exec, exec_type, file_type;
+
+
+#line 6
+
+#line 6
+# Allow the necessary permissions.
+#line 6
+
+#line 6
+# Old domain may exec the file and transition to the new domain.
+#line 6
+allow init dumpstate_exec:file { getattr open read execute };
+#line 6
+allow init dumpstate:process transition;
+#line 6
+# New domain is entered by executing the file.
+#line 6
+allow dumpstate dumpstate_exec:file { entrypoint read execute };
+#line 6
+# New domain can send SIGCHLD to its caller.
+#line 6
+allow dumpstate init:process sigchld;
+#line 6
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 6
+dontaudit init dumpstate:process noatsecure;
+#line 6
+# XXX dontaudit candidate but requires further study.
+#line 6
+allow init dumpstate:process { siginh rlimitinh };
+#line 6
+
+#line 6
+# Make the transition occur by default.
+#line 6
+type_transition init dumpstate_exec:process dumpstate;
+#line 6
+
+#line 6
+
+#line 6
+type dumpstate_tmpfs, file_type;
+#line 6
+type_transition dumpstate tmpfs:file dumpstate_tmpfs;
+#line 6
+allow dumpstate dumpstate_tmpfs:file { read write };
+#line 6
+
+#line 6
+
+
+#line 7
+typeattribute dumpstate netdomain;
+#line 7
+
+
+#line 8
+typeattribute dumpstate relabeltodomain;
+#line 8
+
+
+#line 9
+# Call the servicemanager and transfer references to it.
+#line 9
+allow dumpstate servicemanager:binder { call transfer };
+#line 9
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+#line 9
+# all domains in domain.te.
+#line 9
+
+
+# Drop privileges by switching UID / GID
+allow dumpstate self:capability { setuid setgid };
+
+# Allow dumpstate to scan through /proc/pid for all processes
+
+#line 15
+allow dumpstate domain:dir { open getattr read search ioctl };
+#line 15
+allow dumpstate domain:{ file lnk_file } { getattr open read ioctl lock };
+#line 15
+
+
+# Send signals to processes
+allow dumpstate self:capability kill;
+
+# Allow executing files on system, such as:
+#   /system/bin/toolbox
+#   /system/bin/logcat
+#   /system/bin/dumpsys
+allow dumpstate system_file:file execute_no_trans;
+
+# Create and write into /data/anr/
+allow dumpstate self:capability { dac_override chown fowner fsetid };
+allow dumpstate anr_data_file:dir { { { open getattr read search ioctl } { open search write add_name remove_name } } relabelto };
+allow dumpstate anr_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow dumpstate system_data_file:dir { { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } relabelfrom };
+
+# Allow reading /data/system/uiderrors.txt
+# TODO: scope this down.
+allow dumpstate system_data_file:file { getattr open read ioctl lock };
+
+# Read dmesg
+allow dumpstate self:capability2 syslog;
+allow dumpstate kernel:system syslog_read;
+
+# Get process attributes
+allow dumpstate domain:process getattr;
+
+# Signal java processes to dump their stack
+allow dumpstate { appdomain system_server }:process signal;
+
+# Signal native processes to dump their stack.
+# This list comes from native_processes_to_dump in dumpstate/utils.c
+allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal;
+
+# The /system/bin/ip command needs this for routing table information.
+allow dumpstate self:netlink_route_socket { write getattr setopt };
+
+# The vdc command needs to talk to the vold socket.
+
+#line 54
+allow dumpstate vold_socket:sock_file write;
+#line 54
+allow dumpstate vold:unix_stream_socket connectto;
+#line 54
+
+
+# Vibrate the device after we're done collecting the bugreport
+# /sys/class/timed_output/vibrator/enable
+# TODO: create a new file class, instead of allowing write access to all of /sys
+allow dumpstate sysfs:file { open append write };
+
+# Other random bits of data we want to collect
+allow dumpstate qtaguid_proc:file { getattr open read ioctl lock };
+allow dumpstate debugfs:file { getattr open read ioctl lock };
+
+# Allow dumpstate to make binder calls to any binder service
+
+#line 66
+# Call the server domain and optionally transfer references to it.
+#line 66
+allow dumpstate binderservicedomain:binder { call transfer };
+#line 66
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 66
+allow binderservicedomain dumpstate:binder transfer;
+#line 66
+# Receive and use open files from the server.
+#line 66
+allow dumpstate binderservicedomain:fd use;
+#line 66
+
+
+#line 67
+# Call the server domain and optionally transfer references to it.
+#line 67
+allow dumpstate appdomain:binder { call transfer };
+#line 67
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 67
+allow appdomain dumpstate:binder transfer;
+#line 67
+# Receive and use open files from the server.
+#line 67
+allow dumpstate appdomain:fd use;
+#line 67
+
+
+# Reading /proc/PID/maps of other processes
+allow dumpstate self:capability sys_ptrace;
+
+# Allow the bugreport service to create a file in
+# /data/data/com.android.shell/files/bugreports/bugreport
+allow dumpstate shell_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow dumpstate shell_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Run a shell.
+allow dumpstate shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+
+# For running am and similar framework commands.
+# Run /system/bin/app_process.
+allow dumpstate zygote_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+# Dalvik Compiler JIT.
+allow dumpstate ashmem_device:chr_file execute;
+allow dumpstate dumpstate_tmpfs:file execute;
+allow dumpstate self:process execmem;
+# For art.
+allow dumpstate dalvikcache_data_file:file execute;
+
+# logd access
+
+#line 91
+
+#line 91
+allow dumpstate logdr_socket:sock_file write;
+#line 91
+allow dumpstate logd:unix_stream_socket connectto;
+#line 91
+
+#line 91
+
+
+#line 92
+# Group AID_LOG checked by filesystem & logd
+#line 92
+# to permit control commands
+#line 92
+
+#line 92
+allow dumpstate logd_socket:sock_file write;
+#line 92
+allow dumpstate logd:unix_stream_socket connectto;
+#line 92
+
+#line 92
+
+#line 1 "external/sepolicy/file.te"
+# Filesystem types
+type labeledfs, fs_type;
+type pipefs, fs_type;
+type sockfs, fs_type;
+type rootfs, fs_type;
+type proc, fs_type;
+# Security-sensitive proc nodes that should not be writable to most.
+type proc_security, fs_type;
+# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
+type usermodehelper, fs_type, sysfs_type;
+type qtaguid_proc, fs_type, mlstrustedobject;
+type proc_bluetooth_writable, fs_type;
+type proc_net, fs_type;
+type selinuxfs, fs_type;
+type cgroup, fs_type, mlstrustedobject;
+type sysfs, fs_type, mlstrustedobject;
+type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_wake_lock, fs_type, sysfs_type;
+# /sys/devices/system/cpu
+type sysfs_devices_system_cpu, fs_type, sysfs_type;
+# /sys/module/lowmemorykiller
+type sysfs_lowmemorykiller, fs_type, sysfs_type;
+type inotify, fs_type, mlstrustedobject;
+type devpts, fs_type, mlstrustedobject;
+type tmpfs, fs_type;
+type shm, fs_type;
+type mqueue, fs_type;
+type sdcard_internal, sdcard_type, fs_type, mlstrustedobject;
+type sdcard_external, sdcard_type, fs_type, mlstrustedobject;
+type debugfs, fs_type, mlstrustedobject;
+
+# File types
+type unlabeled, file_type;
+# Default type for anything under /system.
+type system_file, file_type;
+# Default type for anything under /data.
+type system_data_file, file_type, data_file_type;
+# /data/drm - DRM plugin data
+type drm_data_file, file_type, data_file_type;
+# /data/anr - ANR traces
+type anr_data_file, file_type, data_file_type, mlstrustedobject;
+# /data/tombstones - core dumps
+type tombstone_data_file, file_type, data_file_type;
+# /data/app - user-installed apps
+type apk_data_file, file_type, data_file_type;
+type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
+# /data/app-private - forward-locked apps
+type apk_private_data_file, file_type, data_file_type;
+type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
+# /data/dalvik-cache
+type dalvikcache_data_file, file_type, data_file_type;
+# /data/local - writable by shell
+type shell_data_file, file_type, data_file_type;
+# /data/gps
+type gps_data_file, file_type, data_file_type;
+
+# /data/misc subdirectories
+type adb_keys_file, file_type, data_file_type;
+type audio_data_file, file_type, data_file_type;
+type bluetooth_data_file, file_type, data_file_type;
+type camera_data_file, file_type, data_file_type;
+type keystore_data_file, file_type, data_file_type;
+type media_data_file, file_type, data_file_type;
+type media_rw_data_file, file_type, data_file_type;
+type nfc_data_file, file_type, data_file_type;
+type radio_data_file, file_type, data_file_type;
+type systemkeys_data_file, file_type, data_file_type;
+type vpn_data_file, file_type, data_file_type;
+type wifi_data_file, file_type, data_file_type;
+type zoneinfo_data_file, file_type, data_file_type;
+
+# Compatibility with type names used in vanilla Android 4.3 and 4.4.
+typealias audio_data_file alias audio_firmware_file;
+# /data/data subdirectories - app sandboxes
+type app_data_file, file_type, data_file_type;
+type platform_app_data_file, file_type, data_file_type, mlstrustedobject;
+# Default type for anything under /cache
+type cache_file, file_type, mlstrustedobject;
+# Type for /cache/.*\.{data|restore} and default
+# type for anything under /cache/backup
+type cache_backup_file, file_type, mlstrustedobject;
+# Default type for anything under /efs
+type efs_file, file_type;
+# Type for wallpaper file.
+type wallpaper_file, file_type, mlstrustedobject;
+# /mnt/asec
+type asec_apk_file, file_type, data_file_type;
+# Elements of asec files (/mnt/asec) that are world readable
+type asec_public_file, file_type, data_file_type;
+# /data/app-asec
+type asec_image_file, file_type, data_file_type;
+# /data/backup and /data/secure/backup
+type backup_data_file, file_type, data_file_type, mlstrustedobject;
+# For /data/security
+type security_file, file_type;
+# All devices have bluetooth efs files. But they
+# vary per device, so this type is used in per
+# device policy
+type bluetooth_efs_file, file_type;
+# Downloaded files
+type download_file, file_type;
+
+# Socket types
+type adbd_socket, file_type;
+type bluetooth_socket, file_type;
+type dnsproxyd_socket, file_type, mlstrustedobject;
+type dumpstate_socket, file_type;
+type gps_socket, file_type;
+type installd_socket, file_type;
+type keystore_socket, file_type;
+type lmkd_socket, file_type;
+type logd_debug, file_type;
+type logd_socket, file_type;
+type logdr_socket, file_type;
+type logdw_socket, file_type;
+type mdns_socket, file_type;
+type netd_socket, file_type;
+type property_socket, file_type;
+type qemud_socket, file_type;
+type racoon_socket, file_type;
+type rild_socket, file_type;
+type rild_debug_socket, file_type;
+type system_wpa_socket, file_type;
+type system_ndebug_socket, file_type;
+type vold_socket, file_type;
+type wpa_socket, file_type;
+type zygote_socket, file_type;
+
+# UART (for GPS) control proc file
+type gps_control, file_type;
+
+# Allow files to be created in their appropriate filesystems.
+allow fs_type self:filesystem associate;
+allow sysfs_type sysfs:filesystem associate;
+allow file_type labeledfs:filesystem associate;
+allow file_type tmpfs:filesystem associate;
+allow file_type rootfs:filesystem associate;
+allow dev_type tmpfs:filesystem associate;
+#line 1 "external/sepolicy/gpsd.te"
+# gpsd - GPS daemon
+type gpsd, domain;
+
+#line 3
+typeattribute gpsd mlstrustedsubject;
+#line 3
+typeattribute gpsd unconfineddomain;
+#line 3
+
+type gpsd_exec, exec_type, file_type;
+
+
+#line 6
+
+#line 6
+# Allow the necessary permissions.
+#line 6
+
+#line 6
+# Old domain may exec the file and transition to the new domain.
+#line 6
+allow init gpsd_exec:file { getattr open read execute };
+#line 6
+allow init gpsd:process transition;
+#line 6
+# New domain is entered by executing the file.
+#line 6
+allow gpsd gpsd_exec:file { entrypoint read execute };
+#line 6
+# New domain can send SIGCHLD to its caller.
+#line 6
+allow gpsd init:process sigchld;
+#line 6
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 6
+dontaudit init gpsd:process noatsecure;
+#line 6
+# XXX dontaudit candidate but requires further study.
+#line 6
+allow init gpsd:process { siginh rlimitinh };
+#line 6
+
+#line 6
+# Make the transition occur by default.
+#line 6
+type_transition init gpsd_exec:process gpsd;
+#line 6
+
+#line 6
+
+#line 6
+type gpsd_tmpfs, file_type;
+#line 6
+type_transition gpsd tmpfs:file gpsd_tmpfs;
+#line 6
+allow gpsd gpsd_tmpfs:file { read write };
+#line 6
+
+#line 6
+
+
+#line 7
+typeattribute gpsd netdomain;
+#line 7
+
+allow gpsd gps_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow gpsd gps_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+# Socket is created by the daemon, not by init, and under /data/gps,
+# not under /dev/socket.
+type_transition gpsd gps_data_file:sock_file gps_socket;
+allow gpsd gps_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+# XXX Label sysfs files with a specific type?
+allow gpsd sysfs:file { { getattr open read ioctl lock } { open append write } };
+
+allow gpsd gps_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Execute the shell or system commands.
+allow gpsd shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+allow gpsd system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+#line 1 "external/sepolicy/hci_attach.te"
+type hci_attach, domain;
+type hci_attach_exec, exec_type, file_type;
+
+
+#line 4
+
+#line 4
+# Allow the necessary permissions.
+#line 4
+
+#line 4
+# Old domain may exec the file and transition to the new domain.
+#line 4
+allow init hci_attach_exec:file { getattr open read execute };
+#line 4
+allow init hci_attach:process transition;
+#line 4
+# New domain is entered by executing the file.
+#line 4
+allow hci_attach hci_attach_exec:file { entrypoint read execute };
+#line 4
+# New domain can send SIGCHLD to its caller.
+#line 4
+allow hci_attach init:process sigchld;
+#line 4
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 4
+dontaudit init hci_attach:process noatsecure;
+#line 4
+# XXX dontaudit candidate but requires further study.
+#line 4
+allow init hci_attach:process { siginh rlimitinh };
+#line 4
+
+#line 4
+# Make the transition occur by default.
+#line 4
+type_transition init hci_attach_exec:process hci_attach;
+#line 4
+
+#line 4
+
+#line 4
+type hci_attach_tmpfs, file_type;
+#line 4
+type_transition hci_attach tmpfs:file hci_attach_tmpfs;
+#line 4
+allow hci_attach hci_attach_tmpfs:file { read write };
+#line 4
+
+#line 4
+
+
+allow hci_attach kernel:system module_request;
+allow hci_attach hci_attach_dev:chr_file { { getattr open read ioctl lock } { open append write } };
+allow hci_attach bluetooth_efs_file:dir { open getattr read search ioctl };
+allow hci_attach bluetooth_efs_file:file { getattr open read ioctl lock };
+#line 1 "external/sepolicy/healthd.te"
+# healthd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type healthd, domain;
+
+allow healthd rootfs:file { read entrypoint };
+
+#line 6
+type_transition healthd device:chr_file klog_device "__kmsg__";
+#line 6
+allow healthd klog_device:chr_file { create open write unlink };
+#line 6
+allow healthd device:dir { write add_name remove_name };
+#line 6
+
+# /dev/__null__ created by init prior to policy load,
+# open fd inherited by healthd.
+allow healthd tmpfs:chr_file { read write };
+
+allow healthd self:capability { net_admin mknod };
+allow healthd self:capability2 block_suspend;
+allow healthd self:netlink_kobject_uevent_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+
+#line 14
+# Call the servicemanager and transfer references to it.
+#line 14
+allow healthd servicemanager:binder { call transfer };
+#line 14
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+#line 14
+# all domains in domain.te.
+#line 14
+
+
+#line 15
+typeattribute healthd binderservicedomain;
+#line 15
+
+
+#line 16
+# Call the server domain and optionally transfer references to it.
+#line 16
+allow healthd system_server:binder { call transfer };
+#line 16
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 16
+allow system_server healthd:binder transfer;
+#line 16
+# Receive and use open files from the server.
+#line 16
+allow healthd system_server:fd use;
+#line 16
+
+
+###
+### healthd: charger mode
+###
+
+allow healthd graphics_device:dir { open getattr read search ioctl };
+allow healthd graphics_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow healthd input_device:dir { open getattr read search ioctl };
+allow healthd input_device:chr_file { getattr open read ioctl lock };
+allow healthd ashmem_device:chr_file execute;
+allow healthd self:process execmem;
+#line 1 "external/sepolicy/hostapd.te"
+# userspace wifi access points
+type hostapd, domain;
+
+#line 3
+typeattribute hostapd mlstrustedsubject;
+#line 3
+typeattribute hostapd unconfineddomain;
+#line 3
+
+type hostapd_exec, exec_type, file_type;
+
+allow hostapd self:capability { net_admin net_raw setuid setgid };
+allow hostapd self:netlink_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+allow hostapd self:packet_socket { create write read };
+allow hostapd self:netlink_route_socket { bind create write nlmsg_write read };
+allow hostapd self:udp_socket { create ioctl };
+
+allow hostapd wifi_data_file:file { { getattr open read ioctl lock } { open append write } };
+allow hostapd wifi_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow hostapd wpa_socket:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow hostapd wpa_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow hostapd netd:fd use;
+allow hostapd netd:udp_socket { read write };
+allow hostapd netd:netlink_kobject_uevent_socket { read write };
+allow hostapd netd:netlink_nflog_socket { read write };
+allow hostapd netd:netlink_route_socket { read write };
+allow hostapd netd:unix_stream_socket { read write };
+allow hostapd netd:fifo_file { read write };
+#line 1 "external/sepolicy/init_shell.te"
+# Restricted domain for shell processes spawned by init
+type init_shell, domain, shelldomain;
+
+#line 3
+# Allow the necessary permissions.
+#line 3
+
+#line 3
+# Old domain may exec the file and transition to the new domain.
+#line 3
+allow init shell_exec:file { getattr open read execute };
+#line 3
+allow init init_shell:process transition;
+#line 3
+# New domain is entered by executing the file.
+#line 3
+allow init_shell shell_exec:file { entrypoint read execute };
+#line 3
+# New domain can send SIGCHLD to its caller.
+#line 3
+allow init_shell init:process sigchld;
+#line 3
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 3
+dontaudit init init_shell:process noatsecure;
+#line 3
+# XXX dontaudit candidate but requires further study.
+#line 3
+allow init init_shell:process { siginh rlimitinh };
+#line 3
+
+#line 3
+# Make the transition occur by default.
+#line 3
+type_transition init shell_exec:process init_shell;
+#line 3
+
+
+#line 4
+typeattribute init_shell mlstrustedsubject;
+#line 4
+typeattribute init_shell unconfineddomain;
+#line 4
+
+
+# inherits from shelldomain.te
+#line 1 "external/sepolicy/init.te"
+# init switches to init domain (via init.rc).
+type init, domain;
+# init is unconfined.
+
+#line 4
+typeattribute init mlstrustedsubject;
+#line 4
+typeattribute init unconfineddomain;
+#line 4
+
+
+#line 5
+type init_tmpfs, file_type;
+#line 5
+type_transition init tmpfs:file init_tmpfs;
+#line 5
+allow init init_tmpfs:file { read write };
+#line 5
+
+
+#line 6
+typeattribute init relabeltodomain;
+#line 6
+
+# add a rule to handle unlabelled mounts
+allow init unlabeled:filesystem mount;
+
+allow init self:capability { sys_rawio mknod };
+
+allow init dev_type:blk_file { { getattr open read ioctl lock } { open append write } };
+allow init fs_type:filesystem *;
+allow init {fs_type dev_type file_type}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;
+allow init kernel:security load_policy;
+allow init usermodehelper:file { { getattr open read ioctl lock } { open append write } };
+allow init proc_security:file { { getattr open read ioctl lock } { open append write } };
+
+# Transitions to seclabel processes in init.rc
+allow init adbd:process transition;
+allow init healthd:process transition;
+allow init recovery:process transition;
+allow init shell:process transition;
+allow init ueventd:process transition;
+allow init watchdogd:process transition;
+#line 1 "external/sepolicy/inputflinger.te"
+# inputflinger
+type inputflinger, domain;
+
+#line 3
+typeattribute inputflinger mlstrustedsubject;
+#line 3
+typeattribute inputflinger unconfineddomain;
+#line 3
+
+type inputflinger_exec, exec_type, file_type;
+
+
+#line 6
+
+#line 6
+# Allow the necessary permissions.
+#line 6
+
+#line 6
+# Old domain may exec the file and transition to the new domain.
+#line 6
+allow init inputflinger_exec:file { getattr open read execute };
+#line 6
+allow init inputflinger:process transition;
+#line 6
+# New domain is entered by executing the file.
+#line 6
+allow inputflinger inputflinger_exec:file { entrypoint read execute };
+#line 6
+# New domain can send SIGCHLD to its caller.
+#line 6
+allow inputflinger init:process sigchld;
+#line 6
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 6
+dontaudit init inputflinger:process noatsecure;
+#line 6
+# XXX dontaudit candidate but requires further study.
+#line 6
+allow init inputflinger:process { siginh rlimitinh };
+#line 6
+
+#line 6
+# Make the transition occur by default.
+#line 6
+type_transition init inputflinger_exec:process inputflinger;
+#line 6
+
+#line 6
+
+#line 6
+type inputflinger_tmpfs, file_type;
+#line 6
+type_transition inputflinger tmpfs:file inputflinger_tmpfs;
+#line 6
+allow inputflinger inputflinger_tmpfs:file { read write };
+#line 6
+
+#line 6
+
+
+#line 7
+# Call the servicemanager and transfer references to it.
+#line 7
+allow inputflinger servicemanager:binder { call transfer };
+#line 7
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+#line 7
+# all domains in domain.te.
+#line 7
+
+
+#line 8
+typeattribute inputflinger binderservicedomain;
+#line 8
+
+#line 1 "external/sepolicy/installd.te"
+# installer daemon
+type installd, domain;
+type installd_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init installd_exec:file { getattr open read execute };
+#line 5
+allow init installd:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow installd installd_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow installd init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init installd:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init installd:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init installd_exec:process installd;
+#line 5
+
+#line 5
+
+#line 5
+type installd_tmpfs, file_type;
+#line 5
+type_transition installd tmpfs:file installd_tmpfs;
+#line 5
+allow installd installd_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+
+#line 6
+typeattribute installd relabeltodomain;
+#line 6
+
+typeattribute installd mlstrustedsubject;
+allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
+allow installd system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow installd system_data_file:lnk_file create;
+allow installd dalvikcache_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow installd data_file_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow installd data_file_type:dir { relabelfrom relabelto };
+allow installd data_file_type:{ { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } { getattr unlink };
+allow installd apk_data_file:file { getattr open read ioctl lock };
+allow installd apk_tmp_file:file { getattr open read ioctl lock };
+allow installd system_file:file { getattr execute execute_no_trans };
+allow installd cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow installd download_file:dir { { open getattr read search ioctl } write remove_name };
+allow installd download_file:file { { getattr open read ioctl lock } unlink };
+dontaudit installd self:capability sys_admin;
+# Check validity of SELinux context before use.
+
+#line 23
+allow installd selinuxfs:dir { open getattr read search ioctl };
+#line 23
+allow installd selinuxfs:file { { getattr open read ioctl lock } { open append write } };
+#line 23
+allow installd kernel:security check_context;
+#line 23
+
+# Read /seapp_contexts and /data/security/seapp_contexts
+
+#line 25
+allow installd security_file:dir { open getattr read search ioctl };
+#line 25
+allow installd security_file:file { getattr open read ioctl lock };
+#line 25
+allow installd security_file:lnk_file { getattr open read ioctl lock };
+#line 25
+allow installd selinuxfs:dir { open getattr read search ioctl };
+#line 25
+allow installd selinuxfs:file { getattr open read ioctl lock };
+#line 25
+allow installd rootfs:dir { open getattr read search ioctl };
+#line 25
+allow installd rootfs:file { getattr open read ioctl lock };
+#line 25
+
+# ASEC
+allow installd platform_app_data_file:lnk_file { create setattr };
+allow installd app_data_file:lnk_file { create setattr };
+allow installd asec_apk_file:file { getattr open read ioctl lock };
+allow installd bluetooth_data_file:lnk_file { create setattr };
+allow installd nfc_data_file:lnk_file { create setattr };
+allow installd radio_data_file:lnk_file { create setattr };
+allow installd shell_data_file:lnk_file { create setattr };
+#line 1 "external/sepolicy/isolated_app.te"
+###
+### Services with isolatedProcess=true in their manifest.
+###
+### This file defines the rules for isolated apps. An "isolated
+### app" is an APP with UID between AID_ISOLATED_START (99000)
+### and AID_ISOLATED_END (99999).
+###
+### isolated_app includes all the appdomain rules, plus the
+### additional following rules:
+###
+
+type isolated_app, domain;
+
+#line 13
+typeattribute isolated_app appdomain;
+#line 13
+# Label ashmem objects with our own unique type.
+#line 13
+
+#line 13
+type isolated_app_tmpfs, file_type;
+#line 13
+type_transition isolated_app tmpfs:file isolated_app_tmpfs;
+#line 13
+allow isolated_app isolated_app_tmpfs:file { read write };
+#line 13
+
+#line 13
+# Map with PROT_EXEC.
+#line 13
+allow isolated_app isolated_app_tmpfs:file execute;
+#line 13
+
+
+# Already connected, unnamed sockets being passed over some other IPC
+# hence no sock_file or connectto permission. This appears to be how
+# Chrome works, may need to be updated as more apps using isolated services
+# are examined.
+allow isolated_app appdomain:unix_stream_socket { read write };
+
+allow isolated_app dalvikcache_data_file:file execute;
+allow isolated_app apk_data_file:dir getattr;
+#line 1 "external/sepolicy/kernel.te"
+# Life begins with the kernel.
+type kernel, domain;
+
+allow kernel init:process dyntransition;
+
+# The kernel is unconfined.
+
+#line 7
+typeattribute kernel mlstrustedsubject;
+#line 7
+typeattribute kernel unconfineddomain;
+#line 7
+
+
+#line 8
+typeattribute kernel relabeltodomain;
+#line 8
+
+
+allow kernel {fs_type dev_type file_type}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;
+allow kernel unlabeled:filesystem mount;
+allow kernel fs_type:filesystem *;
+
+# Initial setenforce by init prior to switching to init domain.
+allow kernel self:security setenforce;
+
+# Set checkreqprot by init.rc prior to switching to init domain.
+allow kernel self:security setcheckreqprot;
+
+# For operations performed by kernel or init prior to switching to init domain.
+## TODO: Investigate whether it is safe to remove these
+allow kernel self:capability { sys_rawio mknod };
+auditallow kernel self:capability { sys_rawio mknod };
+allow kernel dev_type:blk_file { { getattr open read ioctl lock } { open append write } };
+auditallow kernel dev_type:blk_file { { getattr open read ioctl lock } { open append write } };
+#line 1 "external/sepolicy/keystore.te"
+type keystore, domain;
+type keystore_exec, exec_type, file_type;
+
+# keystore daemon
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init keystore_exec:file { getattr open read execute };
+#line 5
+allow init keystore:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow keystore keystore_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow keystore init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init keystore:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init keystore:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init keystore_exec:process keystore;
+#line 5
+
+#line 5
+
+#line 5
+type keystore_tmpfs, file_type;
+#line 5
+type_transition keystore tmpfs:file keystore_tmpfs;
+#line 5
+allow keystore keystore_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+typeattribute keystore mlstrustedsubject;
+
+#line 7
+# Call the servicemanager and transfer references to it.
+#line 7
+allow keystore servicemanager:binder { call transfer };
+#line 7
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+#line 7
+# all domains in domain.te.
+#line 7
+
+
+#line 8
+typeattribute keystore binderservicedomain;
+#line 8
+
+allow keystore keystore_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow keystore keystore_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow keystore keystore_exec:file { getattr };
+allow keystore tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow keystore tee:unix_stream_socket connectto;
+#line 1 "external/sepolicy/lmkd.te"
+# lmkd low memory killer daemon
+type lmkd, domain;
+type lmkd_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init lmkd_exec:file { getattr open read execute };
+#line 5
+allow init lmkd:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow lmkd lmkd_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow lmkd init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init lmkd:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init lmkd:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init lmkd_exec:process lmkd;
+#line 5
+
+#line 5
+
+#line 5
+type lmkd_tmpfs, file_type;
+#line 5
+type_transition lmkd tmpfs:file lmkd_tmpfs;
+#line 5
+allow lmkd lmkd_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+
+allow lmkd self:capability { dac_override sys_resource };
+
+## Open and write to /proc/PID/oom_score_adj
+## TODO: maybe scope this down?
+
+#line 11
+allow lmkd appdomain:dir { open getattr read search ioctl };
+#line 11
+allow lmkd appdomain:{ file lnk_file } { getattr open read ioctl lock };
+#line 11
+
+allow lmkd appdomain:file write;
+
+#line 13
+allow lmkd system_server:dir { open getattr read search ioctl };
+#line 13
+allow lmkd system_server:{ file lnk_file } { getattr open read ioctl lock };
+#line 13
+
+allow lmkd system_server:file write;
+
+## Writes to /sys/module/lowmemorykiller/parameters/minfree
+allow lmkd sysfs_lowmemorykiller:file { open append write };
+#line 1 "external/sepolicy/logd.te"
+# android user-space log manager
+type logd, domain;
+type logd_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init logd_exec:file { getattr open read execute };
+#line 5
+allow init logd:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow logd logd_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow logd init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init logd:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init logd:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init logd_exec:process logd;
+#line 5
+
+#line 5
+
+#line 5
+type logd_tmpfs, file_type;
+#line 5
+type_transition logd tmpfs:file logd_tmpfs;
+#line 5
+allow logd logd_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+allow logd self:unix_stream_socket *;
+
+allow logd self:capability { setuid setgid sys_nice };
+
+
+#line 10
+allow logd domain:dir { open getattr read search ioctl };
+#line 10
+allow logd domain:{ file lnk_file } { getattr open read ioctl lock };
+#line 10
+
+
+#line 17
+
+
+###
+### Neverallow rules
+###
+### logd should NEVER do any of this
+
+# Block device access.
+neverallow logd dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow logd domain:process ptrace;
+
+# Write to /system.
+neverallow logd system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
+
+# Write to files in /data/data or system files on /data
+neverallow logd { app_data_file system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
+#line 1 "external/sepolicy/media_app.te"
+###
+### Apps signed with the media key.
+###
+
+type media_app, domain;
+
+#line 6
+typeattribute media_app appdomain;
+#line 6
+# Label ashmem objects with our own unique type.
+#line 6
+
+#line 6
+type media_app_tmpfs, file_type;
+#line 6
+type_transition media_app tmpfs:file media_app_tmpfs;
+#line 6
+allow media_app media_app_tmpfs:file { read write };
+#line 6
+
+#line 6
+# Map with PROT_EXEC.
+#line 6
+allow media_app media_app_tmpfs:file execute;
+#line 6
+
+
+#line 7
+typeattribute media_app platformappdomain;
+#line 7
+typeattribute media_app mlstrustedsubject;
+#line 7
+
+
+#line 8
+typeattribute media_app binderservicedomain;
+#line 8
+
+# Access the network.
+
+#line 10
+typeattribute media_app netdomain;
+#line 10
+
+# Access /dev/mtp_usb.
+allow media_app mtp_device:chr_file { { getattr open read ioctl lock } { open append write } };
+# Write to /cache.
+allow media_app cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow media_app cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+# Stat /cache/lost+found
+allow media_app unlabeled:file getattr;
+allow media_app unlabeled:dir getattr;
+# Stat /cache/backup
+allow media_app cache_backup_file:file getattr;
+allow media_app cache_backup_file:dir getattr;
+# Read files in the rootdir (in particular, file_contexts for restorecon).
+allow media_app rootfs:file { getattr open read ioctl lock };
+allow media_app download_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow media_app download_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+# Allow platform apps to mark platform app data files as download files
+
+#line 27
+typeattribute media_app relabeltodomain;
+#line 27
+
+allow media_app platform_app_data_file:dir relabelfrom;
+allow media_app download_file:dir relabelto;
+#line 1 "external/sepolicy/mediaserver.te"
+# mediaserver - multimedia daemon
+type mediaserver, domain;
+
+#line 3
+typeattribute mediaserver mlstrustedsubject;
+#line 3
+typeattribute mediaserver unconfineddomain;
+#line 3
+
+type mediaserver_exec, exec_type, file_type;
+
+typeattribute mediaserver mlstrustedsubject;
+
+
+#line 8
+typeattribute mediaserver netdomain;
+#line 8
+
+
+#line 9
+
+#line 9
+# Allow the necessary permissions.
+#line 9
+
+#line 9
+# Old domain may exec the file and transition to the new domain.
+#line 9
+allow init mediaserver_exec:file { getattr open read execute };
+#line 9
+allow init mediaserver:process transition;
+#line 9
+# New domain is entered by executing the file.
+#line 9
+allow mediaserver mediaserver_exec:file { entrypoint read execute };
+#line 9
+# New domain can send SIGCHLD to its caller.
+#line 9
+allow mediaserver init:process sigchld;
+#line 9
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 9
+dontaudit init mediaserver:process noatsecure;
+#line 9
+# XXX dontaudit candidate but requires further study.
+#line 9
+allow init mediaserver:process { siginh rlimitinh };
+#line 9
+
+#line 9
+# Make the transition occur by default.
+#line 9
+type_transition init mediaserver_exec:process mediaserver;
+#line 9
+
+#line 9
+
+#line 9
+type mediaserver_tmpfs, file_type;
+#line 9
+type_transition mediaserver tmpfs:file mediaserver_tmpfs;
+#line 9
+allow mediaserver mediaserver_tmpfs:file { read write };
+#line 9
+
+#line 9
+
+
+#line 10
+allow mediaserver property_socket:sock_file write;
+#line 10
+allow mediaserver init:unix_stream_socket connectto;
+#line 10
+
+
+
+#line 12
+allow mediaserver sdcard_type:dir { open getattr read search ioctl };
+#line 12
+allow mediaserver sdcard_type:{ file lnk_file } { getattr open read ioctl lock };
+#line 12
+
+
+
+#line 14
+# Call the servicemanager and transfer references to it.
+#line 14
+allow mediaserver servicemanager:binder { call transfer };
+#line 14
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+#line 14
+# all domains in domain.te.
+#line 14
+
+
+#line 15
+# Call the server domain and optionally transfer references to it.
+#line 15
+allow mediaserver binderservicedomain:binder { call transfer };
+#line 15
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 15
+allow binderservicedomain mediaserver:binder transfer;
+#line 15
+# Receive and use open files from the server.
+#line 15
+allow mediaserver binderservicedomain:fd use;
+#line 15
+
+
+#line 16
+# Call the server domain and optionally transfer references to it.
+#line 16
+allow mediaserver appdomain:binder { call transfer };
+#line 16
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 16
+allow appdomain mediaserver:binder transfer;
+#line 16
+# Receive and use open files from the server.
+#line 16
+allow mediaserver appdomain:fd use;
+#line 16
+
+
+#line 17
+typeattribute mediaserver binderservicedomain;
+#line 17
+
+
+allow mediaserver self:process execmem;
+allow mediaserver kernel:system module_request;
+allow mediaserver media_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow mediaserver media_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow mediaserver app_data_file:dir search;
+allow mediaserver app_data_file:file { { getattr open read ioctl lock } { open append write } };
+allow mediaserver platform_app_data_file:file { getattr read };
+allow mediaserver sdcard_type:file write;
+allow mediaserver { gpu_device graphics_device }:chr_file { { getattr open read ioctl lock } { open append write } };
+allow mediaserver video_device:dir { open getattr read search ioctl };
+allow mediaserver video_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow mediaserver audio_device:dir { open getattr read search ioctl };
+allow mediaserver qemu_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow mediaserver tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow mediaserver audio_prop:property_service set;
+
+# Access audio devices at all.
+allow mediaserver audio_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# XXX Label with a specific type?
+allow mediaserver sysfs:file { { getattr open read ioctl lock } { open append write } };
+
+# XXX Why?
+allow mediaserver apk_data_file:file { read getattr };
+
+# Access camera device.
+allow mediaserver camera_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow mediaserver rpmsg_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Inter System processes communicate over named pipe (FIFO)
+allow mediaserver system_server:fifo_file { getattr open read ioctl lock };
+
+# Camera data
+
+#line 52
+allow mediaserver camera_data_file:dir { open getattr read search ioctl };
+#line 52
+allow mediaserver camera_data_file:{ file lnk_file } { getattr open read ioctl lock };
+#line 52
+
+
+#line 53
+allow mediaserver media_rw_data_file:dir { open getattr read search ioctl };
+#line 53
+allow mediaserver media_rw_data_file:{ file lnk_file } { getattr open read ioctl lock };
+#line 53
+
+
+# Grant access to audio files to mediaserver
+allow mediaserver audio_data_file:dir { { open getattr read search ioctl } add_name write };
+allow mediaserver audio_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow mediaserver qtaguid_proc:file { { getattr open read ioctl lock } { open append write } };
+allow mediaserver qtaguid_device:chr_file { getattr open read ioctl lock };
+
+# Allow abstract socket connection
+allow mediaserver rild:unix_stream_socket { connectto read write setopt };
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+
+#line 68
+allow mediaserver drmserver_socket:sock_file write;
+#line 68
+allow mediaserver drmserver:unix_stream_socket connectto;
+#line 68
+
+
+# Needed on some devices for playing audio on paired BT device,
+# but seems appropriate for all devices.
+
+#line 72
+allow mediaserver bluetooth_socket:sock_file write;
+#line 72
+allow mediaserver bluetooth:unix_stream_socket connectto;
+#line 72
+
+#line 1 "external/sepolicy/mtp.te"
+# vpn tunneling protocol manager
+type mtp, domain;
+
+#line 3
+typeattribute mtp mlstrustedsubject;
+#line 3
+typeattribute mtp unconfineddomain;
+#line 3
+
+type mtp_exec, exec_type, file_type;
+
+
+#line 6
+
+#line 6
+# Allow the necessary permissions.
+#line 6
+
+#line 6
+# Old domain may exec the file and transition to the new domain.
+#line 6
+allow init mtp_exec:file { getattr open read execute };
+#line 6
+allow init mtp:process transition;
+#line 6
+# New domain is entered by executing the file.
+#line 6
+allow mtp mtp_exec:file { entrypoint read execute };
+#line 6
+# New domain can send SIGCHLD to its caller.
+#line 6
+allow mtp init:process sigchld;
+#line 6
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 6
+dontaudit init mtp:process noatsecure;
+#line 6
+# XXX dontaudit candidate but requires further study.
+#line 6
+allow init mtp:process { siginh rlimitinh };
+#line 6
+
+#line 6
+# Make the transition occur by default.
+#line 6
+type_transition init mtp_exec:process mtp;
+#line 6
+
+#line 6
+
+#line 6
+type mtp_tmpfs, file_type;
+#line 6
+type_transition mtp tmpfs:file mtp_tmpfs;
+#line 6
+allow mtp mtp_tmpfs:file { read write };
+#line 6
+
+#line 6
+
+
+#line 7
+typeattribute mtp netdomain;
+#line 7
+
+
+# pptp policy
+allow mtp self:tcp_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+allow mtp self:socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+allow mtp self:rawip_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+allow mtp self:capability net_raw;
+allow mtp ppp:process signal;
+allow mtp port:tcp_socket name_connect;
+allow mtp vpn_data_file:dir search;
+#line 1 "external/sepolicy/netd.te"
+# network manager
+type netd, domain;
+type netd_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init netd_exec:file { getattr open read execute };
+#line 5
+allow init netd:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow netd netd_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow netd init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init netd:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init netd:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init netd_exec:process netd;
+#line 5
+
+#line 5
+
+#line 5
+type netd_tmpfs, file_type;
+#line 5
+type_transition netd tmpfs:file netd_tmpfs;
+#line 5
+allow netd netd_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+
+#line 6
+typeattribute netd netdomain;
+#line 6
+
+
+allow netd self:capability { net_admin net_raw kill fsetid };
+allow netd self:netlink_kobject_uevent_socket *;
+allow netd self:netlink_route_socket *;
+allow netd self:netlink_nflog_socket *;
+allow netd self:rawip_socket *;
+allow netd self:unix_stream_socket *;
+allow netd shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+allow netd system_file:file { getattr execute execute_no_trans };
+allow netd devpts:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# For /proc/sys/net/ipv[46]/route/flush.
+allow netd proc_net:file write;
+
+# For /sys/modules/bcmdhd/parameters/firmware_path
+# XXX Split into its own type.
+allow netd sysfs:file write;
+
+# Set dhcp lease for PAN connection
+
+#line 26
+allow netd property_socket:sock_file write;
+#line 26
+allow netd init:unix_stream_socket connectto;
+#line 26
+
+allow netd system_prop:property_service set;
+
+# Connect to PAN
+
+#line 30
+# Allow the necessary permissions.
+#line 30
+
+#line 30
+# Old domain may exec the file and transition to the new domain.
+#line 30
+allow netd dhcp_exec:file { getattr open read execute };
+#line 30
+allow netd dhcp:process transition;
+#line 30
+# New domain is entered by executing the file.
+#line 30
+allow dhcp dhcp_exec:file { entrypoint read execute };
+#line 30
+# New domain can send SIGCHLD to its caller.
+#line 30
+allow dhcp netd:process sigchld;
+#line 30
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 30
+dontaudit netd dhcp:process noatsecure;
+#line 30
+# XXX dontaudit candidate but requires further study.
+#line 30
+allow netd dhcp:process { siginh rlimitinh };
+#line 30
+
+#line 30
+# Make the transition occur by default.
+#line 30
+type_transition netd dhcp_exec:process dhcp;
+#line 30
+
+allow netd dhcp:process signal;
+
+# Needed to update /data/misc/wifi/hostapd.conf
+# TODO: See what we can do to reduce the need for
+# these capabilities
+allow netd self:capability { dac_override chown fowner };
+allow netd wifi_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow netd wifi_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+
+# Allow netd to spawn hostapd in it's own domain
+
+#line 41
+# Allow the necessary permissions.
+#line 41
+
+#line 41
+# Old domain may exec the file and transition to the new domain.
+#line 41
+allow netd hostapd_exec:file { getattr open read execute };
+#line 41
+allow netd hostapd:process transition;
+#line 41
+# New domain is entered by executing the file.
+#line 41
+allow hostapd hostapd_exec:file { entrypoint read execute };
+#line 41
+# New domain can send SIGCHLD to its caller.
+#line 41
+allow hostapd netd:process sigchld;
+#line 41
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 41
+dontaudit netd hostapd:process noatsecure;
+#line 41
+# XXX dontaudit candidate but requires further study.
+#line 41
+allow netd hostapd:process { siginh rlimitinh };
+#line 41
+
+#line 41
+# Make the transition occur by default.
+#line 41
+type_transition netd hostapd_exec:process hostapd;
+#line 41
+
+allow netd hostapd:process signal;
+
+# Allow netd to spawn dnsmasq in it's own domain
+
+#line 45
+# Allow the necessary permissions.
+#line 45
+
+#line 45
+# Old domain may exec the file and transition to the new domain.
+#line 45
+allow netd dnsmasq_exec:file { getattr open read execute };
+#line 45
+allow netd dnsmasq:process transition;
+#line 45
+# New domain is entered by executing the file.
+#line 45
+allow dnsmasq dnsmasq_exec:file { entrypoint read execute };
+#line 45
+# New domain can send SIGCHLD to its caller.
+#line 45
+allow dnsmasq netd:process sigchld;
+#line 45
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 45
+dontaudit netd dnsmasq:process noatsecure;
+#line 45
+# XXX dontaudit candidate but requires further study.
+#line 45
+allow netd dnsmasq:process { siginh rlimitinh };
+#line 45
+
+#line 45
+# Make the transition occur by default.
+#line 45
+type_transition netd dnsmasq_exec:process dnsmasq;
+#line 45
+
+allow netd dnsmasq:process signal;
+
+# Allow netd to start clatd in its own domain
+
+#line 49
+# Allow the necessary permissions.
+#line 49
+
+#line 49
+# Old domain may exec the file and transition to the new domain.
+#line 49
+allow netd clatd_exec:file { getattr open read execute };
+#line 49
+allow netd clatd:process transition;
+#line 49
+# New domain is entered by executing the file.
+#line 49
+allow clatd clatd_exec:file { entrypoint read execute };
+#line 49
+# New domain can send SIGCHLD to its caller.
+#line 49
+allow clatd netd:process sigchld;
+#line 49
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 49
+dontaudit netd clatd:process noatsecure;
+#line 49
+# XXX dontaudit candidate but requires further study.
+#line 49
+allow netd clatd:process { siginh rlimitinh };
+#line 49
+
+#line 49
+# Make the transition occur by default.
+#line 49
+type_transition netd clatd_exec:process clatd;
+#line 49
+
+allow netd clatd:process signal;
+
+# Support netd running mdnsd
+# TODO: prune this back further
+allow netd ctl_default_prop:property_service set;
+allow netd device:sock_file write;
+
+###
+### Neverallow rules
+###
+### netd should NEVER do any of this
+
+# Block device access.
+neverallow netd dev_type:blk_file { read write };
+
+# Setting SELinux enforcing status or booleans.
+neverallow netd kernel:security { setenforce setbool };
+
+# Load security policy.
+neverallow netd kernel:security load_policy;
+
+# ptrace any other app
+neverallow netd { domain }:process ptrace;
+
+# Write to /system.
+neverallow netd system_file:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
+
+# Write to files in /data/data or system files on /data
+neverallow netd { app_data_file system_data_file }:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } write;
+#line 1 "external/sepolicy/net.te"
+# Network types
+type node, node_type;
+type netif, netif_type;
+type port, port_type;
+
+# Use network sockets.
+allow netdomain self:{ tcp_socket udp_socket } *;
+# Connect to ports.
+allow netdomain port_type:tcp_socket name_connect;
+# Bind to ports.
+allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
+allow netdomain port_type:udp_socket name_bind;
+allow netdomain port_type:tcp_socket name_bind;
+# Get route information.
+allow netdomain self:netlink_route_socket { create bind read nlmsg_read };
+
+# Talks to netd via dnsproxyd socket.
+
+#line 18
+allow netdomain dnsproxyd_socket:sock_file write;
+#line 18
+allow netdomain netd:unix_stream_socket connectto;
+#line 18
+
+#line 1 "external/sepolicy/nfc.te"
+# nfc subsystem
+type nfc, domain;
+
+#line 3
+typeattribute nfc appdomain;
+#line 3
+# Label ashmem objects with our own unique type.
+#line 3
+
+#line 3
+type nfc_tmpfs, file_type;
+#line 3
+type_transition nfc tmpfs:file nfc_tmpfs;
+#line 3
+allow nfc nfc_tmpfs:file { read write };
+#line 3
+
+#line 3
+# Map with PROT_EXEC.
+#line 3
+allow nfc nfc_tmpfs:file execute;
+#line 3
+
+
+#line 4
+typeattribute nfc binderservicedomain;
+#line 4
+
+
+# NFC device access.
+allow nfc nfc_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Data file accesses.
+allow nfc nfc_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow nfc nfc_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+allow nfc sysfs_nfc_power_writable:file { { getattr open read ioctl lock } { open append write } };
+allow nfc sysfs:file write;
+
+allow nfc sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow nfc sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+#line 1 "external/sepolicy/platform_app.te"
+###
+### Apps signed with the platform key.
+###
+
+type platform_app, domain;
+
+#line 6
+typeattribute platform_app mlstrustedsubject;
+#line 6
+typeattribute platform_app unconfineddomain;
+#line 6
+
+
+#line 7
+typeattribute platform_app appdomain;
+#line 7
+# Label ashmem objects with our own unique type.
+#line 7
+
+#line 7
+type platform_app_tmpfs, file_type;
+#line 7
+type_transition platform_app tmpfs:file platform_app_tmpfs;
+#line 7
+allow platform_app platform_app_tmpfs:file { read write };
+#line 7
+
+#line 7
+# Map with PROT_EXEC.
+#line 7
+allow platform_app platform_app_tmpfs:file execute;
+#line 7
+
+
+#line 8
+typeattribute platform_app platformappdomain;
+#line 8
+typeattribute platform_app mlstrustedsubject;
+#line 8
+
+# Access the network.
+
+#line 10
+typeattribute platform_app netdomain;
+#line 10
+
+# Access bluetooth.
+
+#line 12
+typeattribute platform_app bluetoothdomain;
+#line 12
+
+# Write to /cache.
+allow platform_app cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow platform_app cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+# Read from /data/local.
+allow platform_app shell_data_file:dir search;
+allow platform_app shell_data_file:file { open getattr read };
+allow platform_app shell_data_file:lnk_file read;
+# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
+# created by system server.
+allow platform_app { apk_tmp_file apk_private_tmp_file }:file { { getattr open read ioctl lock } { open append write } };
+allow platform_app apk_private_data_file:dir search;
+# ASEC
+allow platform_app asec_apk_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow platform_app asec_apk_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+# Access download files.
+allow platform_app download_file:file { { getattr open read ioctl lock } { open append write } };
+# Allow BackupManagerService to backup all app domains
+allow platform_app appdomain:fifo_file write;
+
+#
+# Rules for all platform app domains.
+#
+
+# App sandbox file accesses.
+allow platformappdomain platform_app_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow platformappdomain platform_app_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow platformappdomain platform_app_data_file:file execute;
+# App sdcard file accesses
+allow platformappdomain sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow platformappdomain sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+# Access to /data/media.
+allow platformappdomain media_rw_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow platformappdomain media_rw_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+#line 1 "external/sepolicy/ppp.te"
+# Point to Point Protocol daemon
+type ppp, domain;
+
+#line 3
+typeattribute ppp mlstrustedsubject;
+#line 3
+typeattribute ppp unconfineddomain;
+#line 3
+
+type ppp_device, dev_type;
+type ppp_exec, exec_type, file_type;
+
+#line 6
+# Allow the necessary permissions.
+#line 6
+
+#line 6
+# Old domain may exec the file and transition to the new domain.
+#line 6
+allow mtp ppp_exec:file { getattr open read execute };
+#line 6
+allow mtp ppp:process transition;
+#line 6
+# New domain is entered by executing the file.
+#line 6
+allow ppp ppp_exec:file { entrypoint read execute };
+#line 6
+# New domain can send SIGCHLD to its caller.
+#line 6
+allow ppp mtp:process sigchld;
+#line 6
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 6
+dontaudit mtp ppp:process noatsecure;
+#line 6
+# XXX dontaudit candidate but requires further study.
+#line 6
+allow mtp ppp:process { siginh rlimitinh };
+#line 6
+
+#line 6
+# Make the transition occur by default.
+#line 6
+type_transition mtp ppp_exec:process ppp;
+#line 6
+
+
+allow ppp mtp:socket { ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow ppp ppp_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow ppp self:capability net_admin;
+allow ppp self:udp_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+allow ppp system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+allow ppp vpn_data_file:dir { open search write add_name remove_name };
+allow ppp vpn_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow ppp mtp:fd use;
+#line 1 "external/sepolicy/property.te"
+type default_prop, property_type;
+type shell_prop, property_type;
+type debug_prop, property_type;
+type debuggerd_prop, property_type;
+type radio_prop, property_type;
+type system_prop, property_type;
+type vold_prop, property_type;
+type rild_prop, property_type;
+type ctl_default_prop, property_type;
+type ctl_dumpstate_prop, property_type;
+type ctl_rildaemon_prop, property_type;
+type audio_prop, property_type;
+type security_prop, property_type;
+type bluetooth_prop, property_type;
+type powerctl_prop, property_type;
+#line 1 "external/sepolicy/qemud.te"
+# qemu support daemon
+type qemud, domain;
+type qemud_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init qemud_exec:file { getattr open read execute };
+#line 5
+allow init qemud:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow qemud qemud_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow qemud init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init qemud:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init qemud:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init qemud_exec:process qemud;
+#line 5
+
+#line 5
+
+#line 5
+type qemud_tmpfs, file_type;
+#line 5
+type_transition qemud tmpfs:file qemud_tmpfs;
+#line 5
+allow qemud qemud_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+
+#line 6
+typeattribute qemud mlstrustedsubject;
+#line 6
+typeattribute qemud unconfineddomain;
+#line 1 "external/sepolicy/racoon.te"
+# IKE key management daemon
+type racoon, domain;
+
+#line 3
+typeattribute racoon mlstrustedsubject;
+#line 3
+typeattribute racoon unconfineddomain;
+#line 3
+
+type racoon_exec, exec_type, file_type;
+
+
+#line 6
+
+#line 6
+# Allow the necessary permissions.
+#line 6
+
+#line 6
+# Old domain may exec the file and transition to the new domain.
+#line 6
+allow init racoon_exec:file { getattr open read execute };
+#line 6
+allow init racoon:process transition;
+#line 6
+# New domain is entered by executing the file.
+#line 6
+allow racoon racoon_exec:file { entrypoint read execute };
+#line 6
+# New domain can send SIGCHLD to its caller.
+#line 6
+allow racoon init:process sigchld;
+#line 6
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 6
+dontaudit init racoon:process noatsecure;
+#line 6
+# XXX dontaudit candidate but requires further study.
+#line 6
+allow init racoon:process { siginh rlimitinh };
+#line 6
+
+#line 6
+# Make the transition occur by default.
+#line 6
+type_transition init racoon_exec:process racoon;
+#line 6
+
+#line 6
+
+#line 6
+type racoon_tmpfs, file_type;
+#line 6
+type_transition racoon tmpfs:file racoon_tmpfs;
+#line 6
+allow racoon racoon_tmpfs:file { read write };
+#line 6
+
+#line 6
+
+typeattribute racoon mlstrustedsubject;
+
+
+#line 9
+# Call the server domain and optionally transfer references to it.
+#line 9
+allow racoon servicemanager:binder { call transfer };
+#line 9
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 9
+allow servicemanager racoon:binder transfer;
+#line 9
+# Receive and use open files from the server.
+#line 9
+allow racoon servicemanager:fd use;
+#line 9
+
+
+#line 10
+# Call the server domain and optionally transfer references to it.
+#line 10
+allow racoon keystore:binder { call transfer };
+#line 10
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 10
+allow keystore racoon:binder transfer;
+#line 10
+# Receive and use open files from the server.
+#line 10
+allow racoon keystore:fd use;
+#line 10
+
+
+allow racoon tun_device:chr_file { getattr open read ioctl lock };
+allow racoon cgroup:dir { add_name create };
+allow racoon kernel:system module_request;
+allow racoon port:udp_socket name_bind;
+allow racoon node:udp_socket node_bind;
+
+allow racoon self:{ key_socket udp_socket } { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+allow racoon self:tun_socket create;
+allow racoon self:capability { net_admin net_bind_service net_raw setuid };
+
+# XXX: should we give ip-up-vpn its own label (currently racoon domain)
+allow racoon system_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+allow racoon vpn_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow racoon vpn_data_file:dir { open search write add_name remove_name };
+#line 1 "external/sepolicy/radio.te"
+# phone subsystem
+type radio, domain;
+
+#line 3
+typeattribute radio appdomain;
+#line 3
+# Label ashmem objects with our own unique type.
+#line 3
+
+#line 3
+type radio_tmpfs, file_type;
+#line 3
+type_transition radio tmpfs:file radio_tmpfs;
+#line 3
+allow radio radio_tmpfs:file { read write };
+#line 3
+
+#line 3
+# Map with PROT_EXEC.
+#line 3
+allow radio radio_tmpfs:file execute;
+#line 3
+
+
+#line 4
+typeattribute radio netdomain;
+#line 4
+
+
+#line 5
+typeattribute radio bluetoothdomain;
+#line 5
+
+
+#line 6
+typeattribute radio binderservicedomain;
+#line 6
+
+
+# Talks to init via the property socket.
+
+#line 9
+allow radio property_socket:sock_file write;
+#line 9
+allow radio init:unix_stream_socket connectto;
+#line 9
+
+
+# Talks to rild via the rild socket.
+
+#line 12
+allow radio rild_socket:sock_file write;
+#line 12
+allow radio rild:unix_stream_socket connectto;
+#line 12
+
+
+# Data file accesses.
+allow radio radio_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow radio radio_data_file:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+allow radio alarm_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Property service
+allow radio radio_prop:property_service set;
+
+# ctl interface
+allow radio ctl_rildaemon_prop:property_service set;
+#line 1 "external/sepolicy/recovery.te"
+# recovery console (used in recovery init.rc for /sbin/recovery)
+type recovery, domain;
+allow recovery rootfs:file entrypoint;
+
+#line 4
+typeattribute recovery mlstrustedsubject;
+#line 4
+typeattribute recovery unconfineddomain;
+#line 4
+
+
+#line 5
+typeattribute recovery relabeltodomain;
+#line 5
+
+
+allow recovery self:capability2 mac_admin;
+
+allow recovery {fs_type dev_type -kmem_device file_type}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;
+allow recovery unlabeled:filesystem mount;
+allow recovery fs_type:filesystem *;
+
+# Required to e.g. wipe userdata/cache.
+allow recovery dev_type:blk_file { { getattr open read ioctl lock } { open append write } };
+
+allow recovery self:process execmem;
+allow recovery ashmem_device:chr_file execute;
+allow recovery tmpfs:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+
+## TODO: Investigate whether it is safe to remove these
+allow recovery self:capability { sys_rawio mknod };
+auditallow recovery self:capability { sys_rawio mknod };
+#line 1 "external/sepolicy/release_app.te"
+###
+### Apps signed with the release key (testkey in AOSP).
+###
+
+type release_app, domain;
+
+#line 6
+typeattribute release_app mlstrustedsubject;
+#line 6
+typeattribute release_app unconfineddomain;
+#line 6
+
+
+#line 7
+typeattribute release_app appdomain;
+#line 7
+# Label ashmem objects with our own unique type.
+#line 7
+
+#line 7
+type release_app_tmpfs, file_type;
+#line 7
+type_transition release_app tmpfs:file release_app_tmpfs;
+#line 7
+allow release_app release_app_tmpfs:file { read write };
+#line 7
+
+#line 7
+# Map with PROT_EXEC.
+#line 7
+allow release_app release_app_tmpfs:file execute;
+#line 7
+
+
+#line 8
+typeattribute release_app platformappdomain;
+#line 8
+typeattribute release_app mlstrustedsubject;
+#line 8
+
+# Access the network.
+
+#line 10
+typeattribute release_app netdomain;
+#line 10
+
+# Access bluetooth.
+
+#line 12
+typeattribute release_app bluetoothdomain;
+#line 12
+
+
+# Write to /cache.
+allow release_app cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow release_app cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+#line 1 "external/sepolicy/rild.te"
+# rild - radio interface layer daemon
+type rild, domain;
+
+#line 3
+typeattribute rild mlstrustedsubject;
+#line 3
+typeattribute rild unconfineddomain;
+#line 3
+
+type rild_exec, exec_type, file_type;
+
+
+#line 6
+
+#line 6
+# Allow the necessary permissions.
+#line 6
+
+#line 6
+# Old domain may exec the file and transition to the new domain.
+#line 6
+allow init rild_exec:file { getattr open read execute };
+#line 6
+allow init rild:process transition;
+#line 6
+# New domain is entered by executing the file.
+#line 6
+allow rild rild_exec:file { entrypoint read execute };
+#line 6
+# New domain can send SIGCHLD to its caller.
+#line 6
+allow rild init:process sigchld;
+#line 6
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 6
+dontaudit init rild:process noatsecure;
+#line 6
+# XXX dontaudit candidate but requires further study.
+#line 6
+allow init rild:process { siginh rlimitinh };
+#line 6
+
+#line 6
+# Make the transition occur by default.
+#line 6
+type_transition init rild_exec:process rild;
+#line 6
+
+#line 6
+
+#line 6
+type rild_tmpfs, file_type;
+#line 6
+type_transition rild tmpfs:file rild_tmpfs;
+#line 6
+allow rild rild_tmpfs:file { read write };
+#line 6
+
+#line 6
+
+
+#line 7
+typeattribute rild netdomain;
+#line 7
+
+allow rild self:netlink_route_socket { setopt write };
+allow rild kernel:system module_request;
+
+#line 10
+allow rild property_socket:sock_file write;
+#line 10
+allow rild init:unix_stream_socket connectto;
+#line 10
+
+
+#line 11
+allow rild qemud_socket:sock_file write;
+#line 11
+allow rild qemud:unix_stream_socket connectto;
+#line 11
+
+allow rild self:capability { setuid net_admin net_raw };
+allow rild alarm_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow rild cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow rild radio_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow rild radio_device:blk_file { getattr open read ioctl lock };
+allow rild qemu_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow rild mtd_device:dir search;
+allow rild efs_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow rild efs_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow rild shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+allow rild bluetooth_efs_file:file { getattr open read ioctl lock };
+allow rild bluetooth_efs_file:dir { open getattr read search ioctl };
+allow rild radio_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow rild radio_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow rild sdcard_type:dir { open getattr read search ioctl };
+allow rild system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow rild system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow rild system_file:file { getattr execute execute_no_trans };
+dontaudit rild self:capability sys_admin;
+
+# property service
+allow rild rild_prop:property_service set;
+allow rild radio_prop:property_service set;
+
+# Read/Write to uart driver (for GPS)
+allow rild gps_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+allow rild tty_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Allow rild to create, bind, read, write to itself through a netlink socket
+allow rild self:netlink_socket { create bind read write };
+
+allow rild self:netlink_kobject_uevent_socket { bind create getopt read setopt };
+
+# Access to wake locks
+allow rild sysfs_wake_lock:file { { getattr open read ioctl lock } { open append write } };
+
+allow rild self:socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+#line 1 "external/sepolicy/runas.te"
+type runas, domain, mlstrustedsubject;
+type runas_exec, exec_type, file_type;
+
+# ndk-gdb invokes adb shell run-as.
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow shell runas_exec:file { getattr open read execute };
+#line 5
+allow shell runas:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow runas runas_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow runas shell:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit shell runas:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow shell runas:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition shell runas_exec:process runas;
+#line 5
+
+allow runas adbd:process sigchld;
+allow runas shell:fd  use;
+allow runas devpts:chr_file { read write ioctl };
+
+# run-as reads package information.
+allow runas system_data_file:file { getattr open read ioctl lock };
+
+# run-as checks and changes to the app data dir.
+dontaudit runas self:capability dac_override;
+allow runas app_data_file:dir { getattr search };
+
+# run-as switches to the app UID/GID.
+allow runas self:capability { setuid setgid };
+
+# run-as switches to the app security context.
+# read /seapp_contexts and /data/security/seapp_contexts
+
+#line 22
+allow runas security_file:dir { open getattr read search ioctl };
+#line 22
+allow runas security_file:file { getattr open read ioctl lock };
+#line 22
+allow runas security_file:lnk_file { getattr open read ioctl lock };
+#line 22
+allow runas selinuxfs:dir { open getattr read search ioctl };
+#line 22
+allow runas selinuxfs:file { getattr open read ioctl lock };
+#line 22
+allow runas rootfs:dir { open getattr read search ioctl };
+#line 22
+allow runas rootfs:file { getattr open read ioctl lock };
+#line 22
+
+
+#line 23
+allow runas selinuxfs:dir { open getattr read search ioctl };
+#line 23
+allow runas selinuxfs:file { { getattr open read ioctl lock } { open append write } };
+#line 23
+allow runas kernel:security check_context;
+#line 23
+ # validate context
+allow runas { appdomain -system_app }:process dyntransition; # setcon
+#line 1 "external/sepolicy/sdcardd.te"
+type sdcardd, domain;
+type sdcardd_exec, exec_type, file_type;
+
+
+#line 4
+
+#line 4
+# Allow the necessary permissions.
+#line 4
+
+#line 4
+# Old domain may exec the file and transition to the new domain.
+#line 4
+allow init sdcardd_exec:file { getattr open read execute };
+#line 4
+allow init sdcardd:process transition;
+#line 4
+# New domain is entered by executing the file.
+#line 4
+allow sdcardd sdcardd_exec:file { entrypoint read execute };
+#line 4
+# New domain can send SIGCHLD to its caller.
+#line 4
+allow sdcardd init:process sigchld;
+#line 4
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 4
+dontaudit init sdcardd:process noatsecure;
+#line 4
+# XXX dontaudit candidate but requires further study.
+#line 4
+allow init sdcardd:process { siginh rlimitinh };
+#line 4
+
+#line 4
+# Make the transition occur by default.
+#line 4
+type_transition init sdcardd_exec:process sdcardd;
+#line 4
+
+#line 4
+
+#line 4
+type sdcardd_tmpfs, file_type;
+#line 4
+type_transition sdcardd tmpfs:file sdcardd_tmpfs;
+#line 4
+allow sdcardd sdcardd_tmpfs:file { read write };
+#line 4
+
+#line 4
+
+
+allow sdcardd cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow sdcardd fuse_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow sdcardd rootfs:dir mounton;
+allow sdcardd sdcard_type:filesystem mount;
+allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
+
+allow sdcardd sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow sdcardd sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
+allow sdcardd media_rw_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow sdcardd media_rw_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Read /data/system/packages.list.
+allow sdcardd system_data_file:file { getattr open read ioctl lock };
+
+# Compatibility for existing devices with /data/media in system_data_file.
+# TODO: Remove these lines after we have guaranteed that /data/media has been relabeled to media_rw_data_file.
+allow sdcardd system_data_file:dir  { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow sdcardd system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+#line 1 "external/sepolicy/servicemanager.te"
+# servicemanager - the Binder context manager
+type servicemanager, domain;
+type servicemanager_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init servicemanager_exec:file { getattr open read execute };
+#line 5
+allow init servicemanager:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow servicemanager servicemanager_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow servicemanager init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init servicemanager:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init servicemanager:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init servicemanager_exec:process servicemanager;
+#line 5
+
+#line 5
+
+#line 5
+type servicemanager_tmpfs, file_type;
+#line 5
+type_transition servicemanager tmpfs:file servicemanager_tmpfs;
+#line 5
+allow servicemanager servicemanager_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+
+# Note that we do not use the binder_* macros here.
+# servicemanager is unique in that it only provides
+# name service (aka context manager) for Binder.
+# As such, it only ever receives and transfers other references
+# created by other domains.  It never passes its own references
+# or initiates a Binder IPC.
+allow servicemanager self:binder set_context_mgr;
+allow servicemanager domain:binder transfer;
+#line 1 "external/sepolicy/shared_app.te"
+###
+### Apps signed with the shared key.
+###
+
+type shared_app, domain;
+
+#line 6
+typeattribute shared_app mlstrustedsubject;
+#line 6
+typeattribute shared_app unconfineddomain;
+#line 6
+
+
+#line 7
+typeattribute shared_app appdomain;
+#line 7
+# Label ashmem objects with our own unique type.
+#line 7
+
+#line 7
+type shared_app_tmpfs, file_type;
+#line 7
+type_transition shared_app tmpfs:file shared_app_tmpfs;
+#line 7
+allow shared_app shared_app_tmpfs:file { read write };
+#line 7
+
+#line 7
+# Map with PROT_EXEC.
+#line 7
+allow shared_app shared_app_tmpfs:file execute;
+#line 7
+
+
+#line 8
+typeattribute shared_app platformappdomain;
+#line 8
+typeattribute shared_app mlstrustedsubject;
+#line 8
+
+# Access the network.
+
+#line 10
+typeattribute shared_app netdomain;
+#line 10
+
+# Access bluetooth.
+
+#line 12
+typeattribute shared_app bluetoothdomain;
+#line 12
+
+#line 1 "external/sepolicy/shelldomain.te"
+# Rules for all shell domains (e.g. console service and adb shell).
+
+# Access /data/local/tmp.
+allow shelldomain shell_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow shelldomain shell_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow shelldomain shell_data_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+
+# Access sdcard.
+allow shelldomain sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow shelldomain sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# adb bugreport
+
+#line 13
+allow shelldomain dumpstate_socket:sock_file write;
+#line 13
+allow shelldomain dumpstate:unix_stream_socket connectto;
+#line 13
+
+
+allow shelldomain rootfs:dir { open getattr read search ioctl };
+allow shelldomain devpts:chr_file { { getattr open read ioctl lock } { open append write } };
+allow shelldomain tty_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow shelldomain console_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow shelldomain input_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow shelldomain system_file:file { getattr execute execute_no_trans };
+allow shelldomain shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+allow shelldomain zygote_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+
+
+#line 24
+allow shelldomain apk_data_file:dir { open getattr read search ioctl };
+#line 24
+allow shelldomain apk_data_file:{ file lnk_file } { getattr open read ioctl lock };
+#line 24
+
+
+# Set properties.
+
+#line 27
+allow shelldomain property_socket:sock_file write;
+#line 27
+allow shelldomain init:unix_stream_socket connectto;
+#line 27
+
+allow shelldomain shell_prop:property_service set;
+allow shelldomain ctl_dumpstate_prop:property_service set;
+allow shelldomain debug_prop:property_service set;
+allow shelldomain powerctl_prop:property_service set;
+
+# ndk-gdb invokes adb shell ps to find the app PID.
+
+#line 34
+allow shelldomain { appdomain -system_app }:dir { open getattr read search ioctl };
+#line 34
+allow shelldomain { appdomain -system_app }:{ file lnk_file } { getattr open read ioctl lock };
+#line 34
+
+
+# ndk-gdb invokes adb shell ls to check the app data dir.
+allow shelldomain app_data_file:dir search;
+
+# ps and ps -Z output for app processes.
+
+#line 40
+allow shelldomain appdomain:dir { open getattr read search ioctl };
+#line 40
+allow shelldomain appdomain:{ file lnk_file } { getattr open read ioctl lock };
+#line 40
+
+allow shelldomain appdomain:process getattr;
+#line 1 "external/sepolicy/shell.te"
+# Domain for shell processes spawned by ADB
+type shell, domain, shelldomain, mlstrustedsubject;
+type shell_exec, exec_type, file_type;
+
+# Create and use network sockets.
+
+#line 6
+typeattribute shell netdomain;
+#line 6
+
+
+# Run app_process.
+# XXX Transition into its own domain?
+
+#line 10
+typeattribute shell appdomain;
+#line 10
+# Label ashmem objects with our own unique type.
+#line 10
+
+#line 10
+type shell_tmpfs, file_type;
+#line 10
+type_transition shell tmpfs:file shell_tmpfs;
+#line 10
+allow shell shell_tmpfs:file { read write };
+#line 10
+
+#line 10
+# Map with PROT_EXEC.
+#line 10
+allow shell shell_tmpfs:file execute;
+#line 10
+
+
+# inherits from shelldomain.te
+#line 1 "external/sepolicy/surfaceflinger.te"
+# surfaceflinger - display compositor service
+type surfaceflinger, domain;
+
+#line 3
+typeattribute surfaceflinger mlstrustedsubject;
+#line 3
+typeattribute surfaceflinger unconfineddomain;
+#line 3
+
+type surfaceflinger_exec, exec_type, file_type;
+
+
+#line 6
+
+#line 6
+# Allow the necessary permissions.
+#line 6
+
+#line 6
+# Old domain may exec the file and transition to the new domain.
+#line 6
+allow init surfaceflinger_exec:file { getattr open read execute };
+#line 6
+allow init surfaceflinger:process transition;
+#line 6
+# New domain is entered by executing the file.
+#line 6
+allow surfaceflinger surfaceflinger_exec:file { entrypoint read execute };
+#line 6
+# New domain can send SIGCHLD to its caller.
+#line 6
+allow surfaceflinger init:process sigchld;
+#line 6
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 6
+dontaudit init surfaceflinger:process noatsecure;
+#line 6
+# XXX dontaudit candidate but requires further study.
+#line 6
+allow init surfaceflinger:process { siginh rlimitinh };
+#line 6
+
+#line 6
+# Make the transition occur by default.
+#line 6
+type_transition init surfaceflinger_exec:process surfaceflinger;
+#line 6
+
+#line 6
+
+#line 6
+type surfaceflinger_tmpfs, file_type;
+#line 6
+type_transition surfaceflinger tmpfs:file surfaceflinger_tmpfs;
+#line 6
+allow surfaceflinger surfaceflinger_tmpfs:file { read write };
+#line 6
+
+#line 6
+
+typeattribute surfaceflinger mlstrustedsubject;
+
+# Talk to init over the property socket.
+
+#line 10
+allow surfaceflinger property_socket:sock_file write;
+#line 10
+allow surfaceflinger init:unix_stream_socket connectto;
+#line 10
+
+
+# Perform Binder IPC.
+
+#line 13
+# Call the servicemanager and transfer references to it.
+#line 13
+allow surfaceflinger servicemanager:binder { call transfer };
+#line 13
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+#line 13
+# all domains in domain.te.
+#line 13
+
+
+#line 14
+# Call the server domain and optionally transfer references to it.
+#line 14
+allow surfaceflinger system_server:binder { call transfer };
+#line 14
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 14
+allow system_server surfaceflinger:binder transfer;
+#line 14
+# Receive and use open files from the server.
+#line 14
+allow surfaceflinger system_server:fd use;
+#line 14
+
+
+#line 15
+# Call the server domain and optionally transfer references to it.
+#line 15
+allow surfaceflinger nfc:binder { call transfer };
+#line 15
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 15
+allow nfc surfaceflinger:binder transfer;
+#line 15
+# Receive and use open files from the server.
+#line 15
+allow surfaceflinger nfc:fd use;
+#line 15
+
+
+#line 16
+# Call the server domain and optionally transfer references to it.
+#line 16
+allow surfaceflinger mediaserver:binder { call transfer };
+#line 16
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 16
+allow mediaserver surfaceflinger:binder transfer;
+#line 16
+# Receive and use open files from the server.
+#line 16
+allow surfaceflinger mediaserver:fd use;
+#line 16
+
+
+#line 17
+typeattribute surfaceflinger binderservicedomain;
+#line 17
+
+
+# Access the GPU.
+allow surfaceflinger gpu_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Access /dev/graphics/fb0.
+allow surfaceflinger graphics_device:dir search;
+allow surfaceflinger graphics_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Access /dev/video1.
+allow surfaceflinger video_device:dir { open getattr read search ioctl };
+allow surfaceflinger video_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Create and use netlink kobject uevent sockets.
+allow surfaceflinger self:netlink_kobject_uevent_socket *;
+
+# Set properties.
+allow surfaceflinger system_prop:property_service set;
+allow surfaceflinger ctl_default_prop:property_service set;
+
+# Use open files supplied by an app.
+allow surfaceflinger appdomain:fd use;
+allow surfaceflinger platform_app_data_file:file { read write };
+allow surfaceflinger app_data_file:file { read write };
+
+# Use open file provided by bootanim.
+allow surfaceflinger bootanim:fd use;
+
+# Allow a dumpstate triggered screenshot
+
+#line 46
+# Call the server domain and optionally transfer references to it.
+#line 46
+allow surfaceflinger dumpstate:binder { call transfer };
+#line 46
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 46
+allow dumpstate surfaceflinger:binder transfer;
+#line 46
+# Receive and use open files from the server.
+#line 46
+allow surfaceflinger dumpstate:fd use;
+#line 46
+
+
+#line 47
+# Call the server domain and optionally transfer references to it.
+#line 47
+allow surfaceflinger shell:binder { call transfer };
+#line 47
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 47
+allow shell surfaceflinger:binder transfer;
+#line 47
+# Receive and use open files from the server.
+#line 47
+allow surfaceflinger shell:fd use;
+#line 47
+
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+allow surfaceflinger tee:unix_stream_socket connectto;
+allow surfaceflinger tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
+#line 1 "external/sepolicy/su.te"
+# File types must be defined for file_contexts.
+type su_exec, exec_type, file_type;
+
+#line 23
+
+#line 1 "external/sepolicy/system_app.te"
+#
+# Apps that run with the system UID, e.g. com.android.system.ui,
+# com.android.settings.  These are not as privileged as the system
+# server.
+#
+type system_app, domain;
+
+#line 7
+typeattribute system_app mlstrustedsubject;
+#line 7
+typeattribute system_app unconfineddomain;
+#line 7
+
+
+#line 8
+typeattribute system_app appdomain;
+#line 8
+# Label ashmem objects with our own unique type.
+#line 8
+
+#line 8
+type system_app_tmpfs, file_type;
+#line 8
+type_transition system_app tmpfs:file system_app_tmpfs;
+#line 8
+allow system_app system_app_tmpfs:file { read write };
+#line 8
+
+#line 8
+# Map with PROT_EXEC.
+#line 8
+allow system_app system_app_tmpfs:file execute;
+#line 8
+
+
+#line 9
+typeattribute system_app binderservicedomain;
+#line 9
+
+
+# Perform binder IPC to any app domain.
+
+#line 12
+# Call the server domain and optionally transfer references to it.
+#line 12
+allow system_app appdomain:binder { call transfer };
+#line 12
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 12
+allow appdomain system_app:binder transfer;
+#line 12
+# Receive and use open files from the server.
+#line 12
+allow system_app appdomain:fd use;
+#line 12
+
+
+# Read and write system data files.
+# May want to split into separate types.
+allow system_app system_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow system_app system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Read wallpaper file.
+allow system_app wallpaper_file:file { getattr open read ioctl lock };
+
+# Write to dalvikcache.
+allow system_app dalvikcache_data_file:file { write setattr };
+
+# Talk to keystore.
+
+#line 26
+allow system_app keystore_socket:sock_file write;
+#line 26
+allow system_app keystore:unix_stream_socket connectto;
+#line 26
+
+
+# Read SELinux enforcing status.
+
+#line 29
+allow system_app selinuxfs:dir { open getattr read search ioctl };
+#line 29
+allow system_app selinuxfs:file { getattr open read ioctl lock };
+#line 29
+
+
+# Settings app reads sdcard for storage stats
+allow system_app sdcard_type:dir { open getattr read search ioctl };
+
+# Write to properties
+
+#line 35
+allow system_app property_socket:sock_file write;
+#line 35
+allow system_app init:unix_stream_socket connectto;
+#line 35
+
+allow system_app debug_prop:property_service set;
+allow system_app radio_prop:property_service set;
+allow system_app system_prop:property_service set;
+#line 1 "external/sepolicy/system_server.te"
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
+type system_server, domain, mlstrustedsubject;
+
+#line 6
+typeattribute system_server mlstrustedsubject;
+#line 6
+typeattribute system_server unconfineddomain;
+#line 6
+
+
+# Define a type for tmpfs-backed ashmem regions.
+
+#line 9
+type system_server_tmpfs, file_type;
+#line 9
+type_transition system_server tmpfs:file system_server_tmpfs;
+#line 9
+allow system_server system_server_tmpfs:file { read write };
+#line 9
+
+
+# Dalvik Compiler JIT Mapping.
+allow system_server self:process execmem;
+allow system_server ashmem_device:chr_file execute;
+allow system_server system_server_tmpfs:file execute;
+
+# For art.
+allow system_server dalvikcache_data_file:file execute;
+
+# Child of the zygote.
+allow system_server zygote:fd use;
+allow system_server zygote:process sigchld;
+allow system_server zygote_tmpfs:file read;
+
+# Needed to close the zygote socket, which involves getopt / getattr
+# This should be deleted after b/12061011 is fixed
+allow system_server zygote:unix_stream_socket { getopt getattr };
+
+# system server gets network and bluetooth permissions.
+
+#line 29
+typeattribute system_server netdomain;
+#line 29
+
+
+#line 30
+typeattribute system_server bluetoothdomain;
+#line 30
+
+
+# These are the capabilities assigned by the zygote to the
+# system server.
+allow system_server self:capability {
+    kill
+    net_admin
+    net_bind_service
+    net_broadcast
+    net_raw
+    sys_boot
+    sys_module
+    sys_nice
+    sys_resource
+    sys_time
+    sys_tty_config
+};
+
+allow system_server self:capability2 block_suspend;
+
+# Triggered by /proc/pid accesses, not allowed.
+dontaudit system_server self:capability sys_ptrace;
+
+# Trigger module auto-load.
+allow system_server kernel:system module_request;
+
+# Use netlink uevent sockets.
+allow system_server self:netlink_kobject_uevent_socket *;
+
+# Kill apps.
+allow system_server appdomain:process { sigkill signal };
+
+# Set scheduling info for apps.
+allow system_server appdomain:process { getsched setsched };
+allow system_server mediaserver:process { getsched setsched };
+
+# Read /proc data for apps.
+allow system_server appdomain:dir { open getattr read search ioctl };
+allow system_server appdomain:{ file lnk_file } { { getattr open read ioctl lock } { open append write } };
+
+# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
+allow system_server qtaguid_proc:file { { getattr open read ioctl lock } { open append write } };
+allow system_server qtaguid_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Read /sys/kernel/debug/wakeup_sources.
+allow system_server debugfs:file { getattr open read ioctl lock };
+
+# WifiWatchdog uses a packet_socket
+allow system_server self:packet_socket *;
+
+# 3rd party VPN clients require a tun_socket to be created
+allow system_server self:tun_socket create;
+
+# Notify init of death.
+allow system_server init:process sigchld;
+
+# Talk to init and various daemons via sockets.
+
+#line 87
+allow system_server property_socket:sock_file write;
+#line 87
+allow system_server init:unix_stream_socket connectto;
+#line 87
+
+
+#line 88
+allow system_server qemud_socket:sock_file write;
+#line 88
+allow system_server qemud:unix_stream_socket connectto;
+#line 88
+
+
+#line 89
+allow system_server installd_socket:sock_file write;
+#line 89
+allow system_server installd:unix_stream_socket connectto;
+#line 89
+
+
+#line 90
+allow system_server lmkd_socket:sock_file write;
+#line 90
+allow system_server lmkd:unix_stream_socket connectto;
+#line 90
+
+
+#line 91
+allow system_server netd_socket:sock_file write;
+#line 91
+allow system_server netd:unix_stream_socket connectto;
+#line 91
+
+
+#line 92
+allow system_server vold_socket:sock_file write;
+#line 92
+allow system_server vold:unix_stream_socket connectto;
+#line 92
+
+
+#line 93
+allow system_server zygote_socket:sock_file write;
+#line 93
+allow system_server zygote:unix_stream_socket connectto;
+#line 93
+
+
+#line 94
+allow system_server keystore_socket:sock_file write;
+#line 94
+allow system_server keystore:unix_stream_socket connectto;
+#line 94
+
+
+#line 95
+allow system_server gps_socket:sock_file write;
+#line 95
+allow system_server gpsd:unix_stream_socket connectto;
+#line 95
+
+
+#line 96
+allow system_server racoon_socket:sock_file write;
+#line 96
+allow system_server racoon:unix_stream_socket connectto;
+#line 96
+
+
+#line 97
+allow system_server wpa_socket:sock_file write;
+#line 97
+allow system_server wpa:unix_dgram_socket sendto;
+#line 97
+
+
+# Communicate over a socket created by surfaceflinger.
+allow system_server surfaceflinger:unix_stream_socket { read write setopt };
+
+# Perform Binder IPC.
+
+#line 103
+# Call the servicemanager and transfer references to it.
+#line 103
+allow system_server servicemanager:binder { call transfer };
+#line 103
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+#line 103
+# all domains in domain.te.
+#line 103
+
+
+#line 104
+# Call the server domain and optionally transfer references to it.
+#line 104
+allow system_server binderservicedomain:binder { call transfer };
+#line 104
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 104
+allow binderservicedomain system_server:binder transfer;
+#line 104
+# Receive and use open files from the server.
+#line 104
+allow system_server binderservicedomain:fd use;
+#line 104
+
+
+#line 105
+# Call the server domain and optionally transfer references to it.
+#line 105
+allow system_server appdomain:binder { call transfer };
+#line 105
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 105
+allow appdomain system_server:binder transfer;
+#line 105
+# Receive and use open files from the server.
+#line 105
+allow system_server appdomain:fd use;
+#line 105
+
+
+#line 106
+# Call the server domain and optionally transfer references to it.
+#line 106
+allow system_server healthd:binder { call transfer };
+#line 106
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 106
+allow healthd system_server:binder transfer;
+#line 106
+# Receive and use open files from the server.
+#line 106
+allow system_server healthd:fd use;
+#line 106
+
+
+#line 107
+# Call the server domain and optionally transfer references to it.
+#line 107
+allow system_server dumpstate:binder { call transfer };
+#line 107
+# Allow the serverdomain to transfer references to the client on the reply.
+#line 107
+allow dumpstate system_server:binder transfer;
+#line 107
+# Receive and use open files from the server.
+#line 107
+allow system_server dumpstate:fd use;
+#line 107
+
+
+#line 108
+typeattribute system_server binderservicedomain;
+#line 108
+
+
+# Read /proc/pid files for Binder clients.
+
+#line 111
+allow system_server appdomain:dir { open getattr read search ioctl };
+#line 111
+allow system_server appdomain:{ file lnk_file } { getattr open read ioctl lock };
+#line 111
+
+
+#line 112
+allow system_server mediaserver:dir { open getattr read search ioctl };
+#line 112
+allow system_server mediaserver:{ file lnk_file } { getattr open read ioctl lock };
+#line 112
+
+allow system_server appdomain:process getattr;
+allow system_server mediaserver:process getattr;
+
+# Check SELinux permissions.
+
+#line 117
+allow system_server selinuxfs:dir { open getattr read search ioctl };
+#line 117
+allow system_server selinuxfs:file { { getattr open read ioctl lock } { open append write } };
+#line 117
+allow system_server kernel:security compute_av;
+#line 117
+allow system_server self:netlink_selinux_socket *;
+#line 117
+
+
+# XXX Label sysfs files with a specific type?
+allow system_server sysfs:file { { getattr open read ioctl lock } { open append write } };
+allow system_server sysfs_nfc_power_writable:file { { getattr open read ioctl lock } { open append write } };
+
+# Access devices.
+allow system_server device:dir { open getattr read search ioctl };
+allow system_server mdns_socket:sock_file { { getattr open read ioctl lock } { open append write } };
+allow system_server alarm_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow system_server gpu_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow system_server graphics_device:dir search;
+allow system_server graphics_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow system_server iio_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow system_server input_device:dir { open getattr read search ioctl };
+allow system_server input_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow system_server tty_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow system_server urandom_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow system_server usbaccessory_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow system_server video_device:dir { open getattr read search ioctl };
+allow system_server video_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow system_server qemu_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow system_server adbd_socket:sock_file { { getattr open read ioctl lock } { open append write } };
+
+# tun device used for 3rd party vpn apps
+allow system_server tun_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Manage data files.
+allow system_server data_file_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow system_server data_file_type:{ file lnk_file sock_file fifo_file } { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Read /file_contexts and /data/security/file_contexts
+
+#line 149
+allow system_server security_file:dir { open getattr read search ioctl };
+#line 149
+allow system_server security_file:file { getattr open read ioctl lock };
+#line 149
+allow system_server security_file:lnk_file { getattr open read ioctl lock };
+#line 149
+allow system_server selinuxfs:dir { open getattr read search ioctl };
+#line 149
+allow system_server selinuxfs:file { getattr open read ioctl lock };
+#line 149
+allow system_server rootfs:dir { open getattr read search ioctl };
+#line 149
+allow system_server rootfs:file { getattr open read ioctl lock };
+#line 149
+
+
+# Relabel apk files.
+
+#line 152
+typeattribute system_server relabeltodomain;
+#line 152
+
+allow system_server { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };
+allow system_server { apk_data_file apk_private_data_file }:file { relabelfrom relabelto };
+
+# Relabel wallpaper.
+allow system_server system_data_file:file relabelfrom;
+allow system_server wallpaper_file:file relabelto;
+allow system_server wallpaper_file:file { { getattr open read ioctl lock } { open append write } };
+
+# Relabel /data/anr.
+allow system_server system_data_file:dir relabelfrom;
+allow system_server anr_data_file:dir relabelto;
+
+# Property Service write
+allow system_server system_prop:property_service set;
+allow system_server radio_prop:property_service set;
+allow system_server debug_prop:property_service set;
+allow system_server powerctl_prop:property_service set;
+
+# ctl interface
+allow system_server ctl_default_prop:property_service set;
+
+# Create a socket for receiving info from wpa.
+type_transition system_server wifi_data_file:sock_file system_wpa_socket;
+type_transition system_server wpa_socket:sock_file system_wpa_socket;
+allow system_server wpa_socket:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow system_server system_wpa_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Remove sockets created by wpa_supplicant
+allow system_server wpa_socket:sock_file unlink;
+
+# Create a socket for connections from debuggerd.
+type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
+allow system_server system_ndebug_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Specify any arguments to zygote.
+allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };
+
+# Manage cache files.
+allow system_server cache_file:dir { relabelfrom { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } };
+allow system_server cache_file:file { relabelfrom { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } } };
+
+# Run system programs, e.g. dexopt.
+allow system_server system_file:file { getattr execute execute_no_trans };
+
+# Allow reading of /proc/pid data for other domains.
+# XXX dontaudit candidate
+allow system_server domain:dir { open getattr read search ioctl };
+allow system_server domain:file { getattr open read ioctl lock };
+
+# LocationManager(e.g, GPS) needs to read and write
+# to uart driver and ctrl proc entry
+allow system_server gps_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow system_server gps_control:file { { getattr open read ioctl lock } { open append write } };
+
+# Allow system_server to use app-created sockets.
+allow system_server appdomain:{ tcp_socket udp_socket } { setopt read write };
+
+# Allow abstract socket connection
+allow system_server rild:unix_stream_socket connectto;
+
+# connect to vpn tunnel
+allow system_server mtp:unix_stream_socket { connectto };
+
+# BackupManagerService lets PMS create a data backup file
+allow system_server cache_backup_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+# Relabel /data/backup
+allow system_server backup_data_file:dir { relabelto relabelfrom };
+# Relabel /cache/.*\.{data|restore}
+allow system_server cache_backup_file:file { relabelto relabelfrom };
+# LocalTransport creates and relabels /cache/backup
+allow system_server cache_backup_file:dir { relabelto relabelfrom { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } } };
+
+# Allow system to talk to usb device
+allow system_server usb_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow system_server usb_device:dir { open getattr read search ioctl };
+
+# Allow system to talk to sensors
+allow system_server sensors_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Read from HW RNG (needed by EntropyMixer).
+allow system_server hw_random_device:chr_file { getattr open read ioctl lock };
+
+# Access to wake locks
+allow system_server sysfs_wake_lock:file { { getattr open read ioctl lock } { open append write } };
+
+# Read and delete files under /dev/fscklogs.
+
+#line 239
+allow system_server fscklogs:dir { open getattr read search ioctl };
+#line 239
+allow system_server fscklogs:{ file lnk_file } { getattr open read ioctl lock };
+#line 239
+
+allow system_server fscklogs:dir { write remove_name };
+allow system_server fscklogs:file unlink;
+
+# For SELinuxPolicyInstallReceiver
+
+#line 244
+
+#line 244
+allow system_server security_file:dir { open getattr read search ioctl };
+#line 244
+allow system_server security_file:file { getattr open read ioctl lock };
+#line 244
+allow system_server security_file:lnk_file { getattr open read ioctl lock };
+#line 244
+allow system_server selinuxfs:dir { open getattr read search ioctl };
+#line 244
+allow system_server selinuxfs:file { getattr open read ioctl lock };
+#line 244
+allow system_server rootfs:dir { open getattr read search ioctl };
+#line 244
+allow system_server rootfs:file { getattr open read ioctl lock };
+#line 244
+
+#line 244
+
+#line 244
+allow system_server property_socket:sock_file write;
+#line 244
+allow system_server init:unix_stream_socket connectto;
+#line 244
+
+#line 244
+allow system_server security_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+#line 244
+allow system_server security_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+#line 244
+allow system_server security_file:lnk_file { create rename unlink };
+#line 244
+allow system_server security_prop:property_service set;
+#line 244
+
+
+# For legacy unlabeled userdata on existing devices.
+# See discussion of Unlabeled files in domain.te for more information.
+# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
+allow system_server unlabeled:file execute;
+
+# logd access, system_server inherit logd write socket
+# (urge is to deprecate this long term)
+allow system_server zygote:unix_dgram_socket write;
+
+# Be consistent with DAC permissions. Allow system_server to write to
+# /sys/module/lowmemorykiller/parameters/adj
+# /sys/module/lowmemorykiller/parameters/minfree
+allow system_server sysfs_lowmemorykiller:file { open append write };
+#line 1 "external/sepolicy/tee.te"
+##
+# trusted execution environment (tee) daemon
+#
+type tee, domain;
+type tee_exec, exec_type, file_type;
+type tee_device, dev_type;
+type tee_data_file, file_type, data_file_type;
+
+
+#line 9
+
+#line 9
+# Allow the necessary permissions.
+#line 9
+
+#line 9
+# Old domain may exec the file and transition to the new domain.
+#line 9
+allow init tee_exec:file { getattr open read execute };
+#line 9
+allow init tee:process transition;
+#line 9
+# New domain is entered by executing the file.
+#line 9
+allow tee tee_exec:file { entrypoint read execute };
+#line 9
+# New domain can send SIGCHLD to its caller.
+#line 9
+allow tee init:process sigchld;
+#line 9
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 9
+dontaudit init tee:process noatsecure;
+#line 9
+# XXX dontaudit candidate but requires further study.
+#line 9
+allow init tee:process { siginh rlimitinh };
+#line 9
+
+#line 9
+# Make the transition occur by default.
+#line 9
+type_transition init tee_exec:process tee;
+#line 9
+
+#line 9
+
+#line 9
+type tee_tmpfs, file_type;
+#line 9
+type_transition tee tmpfs:file tee_tmpfs;
+#line 9
+allow tee tee_tmpfs:file { read write };
+#line 9
+
+#line 9
+
+allow tee self:capability { dac_override };
+allow tee tee_device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow tee tee_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow tee tee_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow tee self:netlink_socket { create bind read };
+#line 1 "external/sepolicy/ueventd.te"
+# ueventd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type ueventd, domain;
+
+#line 4
+type ueventd_tmpfs, file_type;
+#line 4
+type_transition ueventd tmpfs:file ueventd_tmpfs;
+#line 4
+allow ueventd ueventd_tmpfs:file { read write };
+#line 4
+
+
+#line 5
+type_transition ueventd device:chr_file klog_device "__kmsg__";
+#line 5
+allow ueventd klog_device:chr_file { create open write unlink };
+#line 5
+allow ueventd device:dir { write add_name remove_name };
+#line 5
+
+
+#line 6
+allow ueventd security_file:dir { open getattr read search ioctl };
+#line 6
+allow ueventd security_file:file { getattr open read ioctl lock };
+#line 6
+allow ueventd security_file:lnk_file { getattr open read ioctl lock };
+#line 6
+allow ueventd selinuxfs:dir { open getattr read search ioctl };
+#line 6
+allow ueventd selinuxfs:file { getattr open read ioctl lock };
+#line 6
+allow ueventd rootfs:dir { open getattr read search ioctl };
+#line 6
+allow ueventd rootfs:file { getattr open read ioctl lock };
+#line 6
+
+
+#line 7
+typeattribute ueventd relabeltodomain;
+#line 7
+
+allow ueventd rootfs:file entrypoint;
+allow ueventd init:process sigchld;
+allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
+allow ueventd device:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow ueventd device:chr_file { { getattr open read ioctl lock } { open append write } };
+allow ueventd sysfs:file { { getattr open read ioctl lock } { open append write } };
+allow ueventd sysfs:file setattr;
+allow ueventd sysfs_type:file { relabelfrom relabelto };
+allow ueventd sysfs_devices_system_cpu:file { { getattr open read ioctl lock } { open append write } };
+allow ueventd tmpfs:chr_file { { getattr open read ioctl lock } { open append write } };
+allow ueventd dev_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow ueventd dev_type:lnk_file { create unlink };
+allow ueventd dev_type:chr_file { create setattr unlink };
+allow ueventd dev_type:blk_file { create setattr unlink };
+allow ueventd self:netlink_kobject_uevent_socket *;
+allow ueventd efs_file:dir search;
+allow ueventd efs_file:file { getattr open read ioctl lock };
+#line 1 "external/sepolicy/unconfined.te"
+#######################################################
+#
+# This is the unconfined template. This template is the base policy
+# which is used by daemons and other privileged components of
+# Android.
+#
+# Historically, this template was called "unconfined" because it
+# allowed the domain to do anything it wanted. Over time,
+# this has changed, and will continue to change in the future.
+# The rules in this file will be removed when no remaining
+# unconfined domains require it, or when the rules contradict
+# Android security best practices. Domains which need rules not
+# provided by the unconfined template should add them directly to
+# the relevant policy.
+#
+# The use of this template is discouraged.
+######################################################
+
+allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module };
+allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
+allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
+allow unconfineddomain kernel:system *;
+allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition };
+allow unconfineddomain domain:fd *;
+allow unconfineddomain domain:dir { open getattr read search ioctl };
+allow unconfineddomain domain:lnk_file { getattr open read ioctl lock };
+allow unconfineddomain domain:{ fifo_file file } { { getattr open read ioctl lock } { open append write } };
+allow unconfineddomain domain:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket } *;
+allow unconfineddomain domain:{ sem msgq shm ipc } *;
+allow unconfineddomain domain:key *;
+allow unconfineddomain {fs_type dev_type file_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain { rootfs system_file exec_type }:file execute;
+allow unconfineddomain node_type:node *;
+allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
+allow unconfineddomain netif_type:netif *;
+allow unconfineddomain port_type:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket } name_bind;
+allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
+allow unconfineddomain domain:peer recv;
+allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };
+allow unconfineddomain property_type:property_service set;
+#line 1 "external/sepolicy/uncrypt.te"
+# uncrypt
+type uncrypt, domain;
+type uncrypt_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init uncrypt_exec:file { getattr open read execute };
+#line 5
+allow init uncrypt:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow uncrypt uncrypt_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow uncrypt init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init uncrypt:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init uncrypt:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init uncrypt_exec:process uncrypt;
+#line 5
+
+#line 5
+
+#line 5
+type uncrypt_tmpfs, file_type;
+#line 5
+type_transition uncrypt tmpfs:file uncrypt_tmpfs;
+#line 5
+allow uncrypt uncrypt_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+
+#line 6
+typeattribute uncrypt mlstrustedsubject;
+#line 6
+typeattribute uncrypt unconfineddomain;
+#line 6
+
+
+allow uncrypt self:capability dac_override;
+
+# Read OTA zip file from /data/data/com.google.android.gsf/app_download
+
+#line 11
+allow uncrypt app_data_file:dir { open getattr read search ioctl };
+#line 11
+allow uncrypt app_data_file:{ file lnk_file } { getattr open read ioctl lock };
+#line 11
+
+
+#line 16
+
+
+# Create tmp file /cache/recovery/command.tmp
+# Read /cache/recovery/command
+# Rename /cache/recovery/command.tmp to /cache/recovery/command
+allow uncrypt cache_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow uncrypt cache_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Set a property to reboot the device.
+
+#line 25
+allow uncrypt property_socket:sock_file write;
+#line 25
+allow uncrypt init:unix_stream_socket connectto;
+#line 25
+
+allow uncrypt powerctl_prop:property_service set;
+
+# Raw writes to block device
+allow uncrypt self:capability sys_rawio;
+allow uncrypt block_device:blk_file { open append write };
+#line 1 "external/sepolicy/untrusted_app.te"
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps. An "untrusted
+### app" is an APP with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000).
+###
+### untrusted_app includes all the appdomain rules, plus the
+### additional following rules:
+###
+
+type untrusted_app, domain;
+
+#line 13
+typeattribute untrusted_app mlstrustedsubject;
+#line 13
+typeattribute untrusted_app unconfineddomain;
+#line 13
+
+
+#line 14
+typeattribute untrusted_app appdomain;
+#line 14
+# Label ashmem objects with our own unique type.
+#line 14
+
+#line 14
+type untrusted_app_tmpfs, file_type;
+#line 14
+type_transition untrusted_app tmpfs:file untrusted_app_tmpfs;
+#line 14
+allow untrusted_app untrusted_app_tmpfs:file { read write };
+#line 14
+
+#line 14
+# Map with PROT_EXEC.
+#line 14
+allow untrusted_app untrusted_app_tmpfs:file execute;
+#line 14
+
+
+#line 15
+typeattribute untrusted_app netdomain;
+#line 15
+
+
+#line 16
+typeattribute untrusted_app bluetoothdomain;
+#line 16
+
+
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow untrusted_app app_data_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+
+allow untrusted_app tun_device:chr_file { { getattr open read ioctl lock } { open append write } };
+
+# Internal SDCard rw access.
+allow untrusted_app sdcard_internal:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow untrusted_app sdcard_internal:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# External SDCard rw access.
+allow untrusted_app sdcard_external:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow untrusted_app sdcard_external:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# ASEC
+allow untrusted_app asec_apk_file:dir { getattr };
+allow untrusted_app asec_apk_file:file { getattr open read ioctl lock };
+# Execute libs in asec containers.
+allow untrusted_app asec_public_file:file execute;
+
+# Create tcp/udp sockets
+allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;
+allow untrusted_app self:{ tcp_socket udp_socket } { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } accept listen };
+# Bind to a particular hostname/address/interface (e.g., localhost) instead of
+# ANY. Normally, apps should not be listening on all interfaces.
+allow untrusted_app port:{ tcp_socket udp_socket } name_bind;
+
+# Allow the allocation and use of ptys
+# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
+
+#line 47
+# Each domain gets a unique devpts type.
+#line 47
+type untrusted_app_devpts, fs_type;
+#line 47
+# Label the pty with the unique type when created.
+#line 47
+type_transition untrusted_app devpts:chr_file untrusted_app_devpts;
+#line 47
+# Allow use of the pty after creation.
+#line 47
+allow untrusted_app untrusted_app_devpts:chr_file { open getattr read write ioctl };
+#line 47
+# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
+#line 47
+# allowed to everyone via domain.te.
+#line 47
+
+
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+# TODO: Long term, we don't want apps probing into shell data files.
+# Figure out a way to remove these rules.
+allow untrusted_app shell_data_file:file { getattr open read ioctl lock };
+allow untrusted_app shell_data_file:dir { open getattr read search ioctl };
+#line 1 "external/sepolicy/vold.te"
+# volume manager
+type vold, domain;
+type vold_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init vold_exec:file { getattr open read execute };
+#line 5
+allow init vold:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow vold vold_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow vold init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init vold:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init vold:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init vold_exec:process vold;
+#line 5
+
+#line 5
+
+#line 5
+type vold_tmpfs, file_type;
+#line 5
+type_transition vold tmpfs:file vold_tmpfs;
+#line 5
+allow vold vold_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+
+typeattribute vold mlstrustedsubject;
+allow vold system_file:file { getattr execute execute_no_trans };
+allow vold block_device:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow vold block_device:blk_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow vold device:dir write;
+allow vold devpts:chr_file { { getattr open read ioctl lock } { open append write } };
+allow vold rootfs:dir mounton;
+allow vold sdcard_type:dir mounton;
+allow vold sdcard_type:filesystem { mount remount unmount };
+allow vold sdcard_type:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow vold sdcard_type:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow vold tmpfs:filesystem { mount unmount };
+allow vold tmpfs:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow vold tmpfs:dir mounton;
+allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
+allow vold self:netlink_kobject_uevent_socket *;
+allow vold app_data_file:dir search;
+allow vold app_data_file:file { { getattr open read ioctl lock } { open append write } };
+allow vold loop_device:blk_file { { getattr open read ioctl lock } { open append write } };
+allow vold dm_device:chr_file { { getattr open read ioctl lock } { open append write } };
+# For vold Process::killProcessesWithOpenFiles function.
+allow vold domain:dir { open getattr read search ioctl };
+allow vold domain:{ file lnk_file } { getattr open read ioctl lock };
+allow vold domain:process { signal sigkill };
+allow vold self:capability { sys_ptrace kill };
+
+# For blkid
+allow vold shell_exec:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };
+
+# XXX Label sysfs files with a specific type?
+allow vold sysfs:file { { getattr open read ioctl lock } { open append write } };
+
+
+#line 39
+type_transition vold device:chr_file klog_device "__kmsg__";
+#line 39
+allow vold klog_device:chr_file { create open write unlink };
+#line 39
+allow vold device:dir { write add_name remove_name };
+#line 39
+
+
+# Log fsck results
+allow vold fscklogs:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow vold fscklogs:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+#
+# Rules to support encrypted fs support.
+#
+
+# Set property.
+
+#line 50
+allow vold property_socket:sock_file write;
+#line 50
+allow vold init:unix_stream_socket connectto;
+#line 50
+
+
+# Unmount and mount the fs.
+allow vold labeledfs:filesystem { mount unmount remount };
+
+# Access /efs/userdata_footer.
+# XXX Split into a separate type?
+allow vold efs_file:file { { getattr open read ioctl lock } { open append write } };
+
+# Create and mount on /data/tmp_mnt.
+allow vold system_data_file:dir { create { { open getattr read search ioctl } { open search write add_name remove_name } } mounton };
+
+# Set scheduling policy of kernel processes
+allow vold kernel:process setsched;
+
+# Property Service
+allow vold vold_prop:property_service set;
+allow vold powerctl_prop:property_service set;
+allow vold ctl_default_prop:property_service set;
+
+# ASEC
+allow vold asec_image_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow vold asec_image_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+
+#line 73
+allow vold security_file:dir { open getattr read search ioctl };
+#line 73
+allow vold security_file:file { getattr open read ioctl lock };
+#line 73
+allow vold security_file:lnk_file { getattr open read ioctl lock };
+#line 73
+allow vold selinuxfs:dir { open getattr read search ioctl };
+#line 73
+allow vold selinuxfs:file { getattr open read ioctl lock };
+#line 73
+allow vold rootfs:dir { open getattr read search ioctl };
+#line 73
+allow vold rootfs:file { getattr open read ioctl lock };
+#line 73
+
+
+#line 74
+typeattribute vold relabeltodomain;
+#line 74
+
+allow vold asec_apk_file:dir { { { open getattr read search ioctl } { open search write add_name remove_name } } setattr relabelfrom };
+allow vold asec_public_file:dir { relabelto setattr };
+allow vold asec_apk_file:file { { getattr open read ioctl lock } setattr relabelfrom };
+allow vold asec_public_file:file { relabelto setattr };
+
+# Handle wake locks (used for device encryption)
+allow vold sysfs_wake_lock:file { { getattr open read ioctl lock } { open append write } };
+allow vold self:capability2 block_suspend;
+#line 1 "external/sepolicy/watchdogd.te"
+# watchdogd seclabel is specified in init.<board>.rc
+type watchdogd, domain;
+allow watchdogd rootfs:file { entrypoint { getattr open read ioctl lock } };
+allow watchdogd self:capability mknod;
+allow watchdogd device:dir { add_name write remove_name };
+allow watchdogd watchdog_device:chr_file { { getattr open read ioctl lock } { open append write } };
+# because of /dev/__kmsg__ and /dev/__null__
+
+#line 8
+type_transition watchdogd device:chr_file klog_device "__kmsg__";
+#line 8
+allow watchdogd klog_device:chr_file { create open write unlink };
+#line 8
+allow watchdogd device:dir { write add_name remove_name };
+#line 8
+
+type_transition watchdogd device:chr_file null_device "__null__";
+allow watchdogd null_device:chr_file { create unlink };
+#line 1 "external/sepolicy/wpa_supplicant.te"
+# wpa - wpa supplicant or equivalent
+type wpa, domain;
+type wpa_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init wpa_exec:file { getattr open read execute };
+#line 5
+allow init wpa:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow wpa wpa_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow wpa init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init wpa:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init wpa:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init wpa_exec:process wpa;
+#line 5
+
+#line 5
+
+#line 5
+type wpa_tmpfs, file_type;
+#line 5
+type_transition wpa tmpfs:file wpa_tmpfs;
+#line 5
+allow wpa wpa_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+allow wpa kernel:system module_request;
+allow wpa self:capability { setuid net_admin setgid net_raw };
+allow wpa cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow wpa self:netlink_route_socket *;
+allow wpa self:netlink_socket *;
+allow wpa self:packet_socket *;
+allow wpa self:udp_socket *;
+allow wpa wifi_data_file:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow wpa wifi_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+#line 15
+allow wpa system_wpa_socket:sock_file write;
+#line 15
+allow wpa system_server:unix_dgram_socket sendto;
+#line 15
+
+allow wpa random_device:chr_file { getattr open read ioctl lock };
+
+# Create a socket for receiving info from wpa
+type_transition wpa wifi_data_file:sock_file wpa_socket;
+allow wpa wpa_socket:dir { { { open getattr read search ioctl } { open search write add_name remove_name } } setattr };
+allow wpa wpa_socket:sock_file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+
+# Allow wpa_cli to work. wpa_cli creates a socket in
+# /data/misc/wifi/sockets which wpa supplicant communicates with.
+#line 27
+
+#line 1 "external/sepolicy/zygote.te"
+# zygote
+type zygote, domain;
+type zygote_exec, exec_type, file_type;
+
+
+#line 5
+
+#line 5
+# Allow the necessary permissions.
+#line 5
+
+#line 5
+# Old domain may exec the file and transition to the new domain.
+#line 5
+allow init zygote_exec:file { getattr open read execute };
+#line 5
+allow init zygote:process transition;
+#line 5
+# New domain is entered by executing the file.
+#line 5
+allow zygote zygote_exec:file { entrypoint read execute };
+#line 5
+# New domain can send SIGCHLD to its caller.
+#line 5
+allow zygote init:process sigchld;
+#line 5
+# Enable AT_SECURE, i.e. libc secure mode.
+#line 5
+dontaudit init zygote:process noatsecure;
+#line 5
+# XXX dontaudit candidate but requires further study.
+#line 5
+allow init zygote:process { siginh rlimitinh };
+#line 5
+
+#line 5
+# Make the transition occur by default.
+#line 5
+type_transition init zygote_exec:process zygote;
+#line 5
+
+#line 5
+
+#line 5
+type zygote_tmpfs, file_type;
+#line 5
+type_transition zygote tmpfs:file zygote_tmpfs;
+#line 5
+allow zygote zygote_tmpfs:file { read write };
+#line 5
+
+#line 5
+
+typeattribute zygote mlstrustedsubject;
+# Override DAC on files and switch uid/gid.
+allow zygote self:capability { dac_override setgid setuid fowner };
+# Drop capabilities from bounding set.
+allow zygote self:capability setpcap;
+# Switch SELinux context to app domains.
+allow zygote system_server:process dyntransition;
+allow zygote appdomain:process dyntransition;
+# Allow zygote to read app /proc/pid dirs (b/10455872)
+allow zygote appdomain:dir { getattr search };
+allow zygote appdomain:file { { getattr open read ioctl lock } };
+# Move children into the peer process group.
+allow zygote system_server:process { getpgid setpgid };
+allow zygote appdomain:process { getpgid setpgid };
+# Write to system data.
+allow zygote system_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow zygote system_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+allow zygote dalvikcache_data_file:dir { { open getattr read search ioctl } { open search write add_name remove_name } };
+allow zygote dalvikcache_data_file:file { create setattr { { getattr open read ioctl lock } { open append write } } { getattr link unlink rename } };
+# For art.
+allow zygote dalvikcache_data_file:file execute;
+# Execute dexopt.
+allow zygote system_file:file { getattr execute execute_no_trans };
+# Control cgroups.
+allow zygote cgroup:dir { create reparent rmdir setattr { { open getattr read search ioctl } { open search write add_name remove_name } } { getattr link unlink rename } };
+allow zygote self:capability sys_admin;
+# Check validity of SELinux context before use.
+
+#line 33
+allow zygote selinuxfs:dir { open getattr read search ioctl };
+#line 33
+allow zygote selinuxfs:file { { getattr open read ioctl lock } { open append write } };
+#line 33
+allow zygote kernel:security check_context;
+#line 33
+
+# Check SELinux permissions.
+
+#line 35
+allow zygote selinuxfs:dir { open getattr read search ioctl };
+#line 35
+allow zygote selinuxfs:file { { getattr open read ioctl lock } { open append write } };
+#line 35
+allow zygote kernel:security compute_av;
+#line 35
+allow zygote self:netlink_selinux_socket *;
+#line 35
+
+# Read /seapp_contexts and /data/security/seapp_contexts
+
+#line 37
+allow zygote security_file:dir { open getattr read search ioctl };
+#line 37
+allow zygote security_file:file { getattr open read ioctl lock };
+#line 37
+allow zygote security_file:lnk_file { getattr open read ioctl lock };
+#line 37
+allow zygote selinuxfs:dir { open getattr read search ioctl };
+#line 37
+allow zygote selinuxfs:file { getattr open read ioctl lock };
+#line 37
+allow zygote rootfs:dir { open getattr read search ioctl };
+#line 37
+allow zygote rootfs:file { getattr open read ioctl lock };
+#line 37
+
+
+# Setting up /storage/emulated.
+allow zygote rootfs:dir mounton;
+allow zygote sdcard_type:dir { write search setattr create add_name mounton };
+dontaudit zygote self:capability fsetid;
+allow zygote tmpfs:dir { write create add_name setattr mounton search };
+allow zygote tmpfs:filesystem mount;
+allow zygote labeledfs:filesystem remount;
+
+# Handle --invoke-with command when launching Zygote with a wrapper command.
+allow zygote zygote_exec:file { execute_no_trans open };
+
+# handle bugreports b/10498304
+allow zygote ashmem_device:chr_file execute;
+allow zygote shell_data_file:file { write getattr };
+allow zygote system_server:binder { transfer call };
+allow zygote servicemanager:binder { call };
+
+# For legacy unlabeled userdata on existing devices.
+# See discussion of Unlabeled files in domain.te for more information.
+# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
+allow zygote unlabeled:file execute;
+#line 1 "build/target/board/generic/sepolicy/bootanim.te"
+allow bootanim self:process execmem;
+allow bootanim ashmem_device:chr_file execute;
+#line 1 "build/target/board/generic/sepolicy/domain.te"
+# For /sys/qemu_trace files in the emulator.
+allow domain sysfs_writable:file { { getattr open read ioctl lock } { open append write } };
+#line 1 "build/target/board/generic/sepolicy/surfaceflinger.te"
+allow surfaceflinger self:process execmem;
+allow surfaceflinger ashmem_device:chr_file execute;
+#line 1 "external/sepolicy/roles"
+role r;
+role r types domain;
+#line 1 "external/sepolicy/users"
+user u roles { r } level s0 range s0 - s0:c0.c1023;
+#line 1 "external/sepolicy/initial_sid_contexts"
+sid kernel u:r:kernel:s0
+sid security u:object_r:kernel:s0
+sid unlabeled u:object_r:unlabeled:s0
+sid fs u:object_r:labeledfs:s0
+sid file u:object_r:unlabeled:s0
+sid file_labels u:object_r:unlabeled:s0
+sid init u:object_r:unlabeled:s0
+sid any_socket u:object_r:unlabeled:s0
+sid port u:object_r:port:s0
+sid netif u:object_r:netif:s0
+sid netmsg u:object_r:unlabeled:s0
+sid node u:object_r:node:s0
+sid igmp_packet u:object_r:unlabeled:s0
+sid icmp_socket u:object_r:unlabeled:s0
+sid tcp_socket u:object_r:unlabeled:s0
+sid sysctl_modprobe u:object_r:unlabeled:s0
+sid sysctl u:object_r:proc:s0
+sid sysctl_fs u:object_r:unlabeled:s0
+sid sysctl_kernel u:object_r:unlabeled:s0
+sid sysctl_net u:object_r:unlabeled:s0
+sid sysctl_net_unix u:object_r:unlabeled:s0
+sid sysctl_vm u:object_r:unlabeled:s0
+sid sysctl_dev u:object_r:unlabeled:s0
+sid kmod u:object_r:unlabeled:s0
+sid policy u:object_r:unlabeled:s0
+sid scmp_packet u:object_r:unlabeled:s0
+sid devnull u:object_r:null_device:s0
+#line 1 "external/sepolicy/fs_use"
+# Label inodes via getxattr.
+fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
+fs_use_xattr jffs2 u:object_r:labeledfs:s0;
+fs_use_xattr ext2 u:object_r:labeledfs:s0;
+fs_use_xattr ext3 u:object_r:labeledfs:s0;
+fs_use_xattr ext4 u:object_r:labeledfs:s0;
+fs_use_xattr xfs u:object_r:labeledfs:s0;
+fs_use_xattr btrfs u:object_r:labeledfs:s0;
+
+# Label inodes from task label.
+fs_use_task pipefs u:object_r:pipefs:s0;
+fs_use_task sockfs u:object_r:sockfs:s0;
+
+# Label inodes from combination of task label and fs label.
+# Define type_transition rules if you want per-domain types.
+fs_use_trans devpts u:object_r:devpts:s0;
+fs_use_trans tmpfs u:object_r:tmpfs:s0;
+fs_use_trans devtmpfs u:object_r:device:s0;
+fs_use_trans shm u:object_r:shm:s0;
+fs_use_trans mqueue u:object_r:mqueue:s0;
+
+#line 1 "external/sepolicy/genfs_contexts"
+# Label inodes with the fs label.
+genfscon rootfs / u:object_r:rootfs:s0
+# proc labeling can be further refined (longest matching prefix).
+genfscon proc / u:object_r:proc:s0
+genfscon proc /net u:object_r:proc_net:s0
+genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
+genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/net u:object_r:proc_net:s0
+genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+# selinuxfs booleans can be individually labeled.
+genfscon selinuxfs / u:object_r:selinuxfs:s0
+genfscon cgroup / u:object_r:cgroup:s0
+# sysfs labels can be set by userspace.
+genfscon sysfs / u:object_r:sysfs:s0
+genfscon inotifyfs / u:object_r:inotify:s0
+genfscon vfat / u:object_r:sdcard_external:s0
+genfscon debugfs / u:object_r:debugfs:s0
+genfscon fuse / u:object_r:sdcard_internal:s0
+#line 1 "external/sepolicy/port_contexts"
+# portcon statements go here, e.g.
+# portcon tcp 80 u:object_r:http_port:s0
+
diff --git a/SELinux/CTS/src/gen_SELinux_CTS.py b/SELinux/CTS/src/gen_SELinux_CTS.py
new file mode 100755
index 0000000..832e602
--- /dev/null
+++ b/SELinux/CTS/src/gen_SELinux_CTS.py
@@ -0,0 +1,56 @@
+#!/usr/bin/python
+# genCheckAccessCTS.py - takes an input SELinux policy.conf file and generates
+# an XML file based on the allow and neverallow rules.  The file contains rules,
+# which are created by expanding the SELinux rule notation into the individual
+# components which a checkAccess() check, that a policy manager would have to
+# perform, needs.
+#
+# This test does not work with all valid SELinux policy.conf files.  It is meant
+# to simply use a given AOSP generated policy.conf file to create sets
+# representing the policy's types, attributes, classes and permissions, which
+# are used to expand the allow and neverallow rules found.  For a full parser
+# and compiler of SELinux, see external/checkpolicy.
+# @dcashman
+
+import pdb
+import re
+import sys
+from xml.etree.ElementTree import Element, SubElement, tostring
+from xml.dom import minidom
+
+import SELinux_CTS
+from SELinux_CTS import SELinuxPolicy
+
+usage = "Usage: ./gen_SELinux_CTS.py input_policy_file output_xml_avc_rules_file"
+
+if __name__ == "__main__":
+    # check usage
+    if len(sys.argv) != 3:
+        print usage
+        exit()
+    input_file = sys.argv[1]
+    output_file = sys.argv[2]
+    policy = SELinuxPolicy()
+    policy.from_file_name(input_file) #load data from file
+
+    # expand rules into 4-tuples for SELinux.h checkAccess() check
+    xml_root = Element('SELinux_AVC_Rules')
+    count = 1
+    for a in policy.allow_rules:
+        expanded_xml = SELinux_CTS.expand_avc_rule_to_xml(policy, a, str(count), 'allow')
+        if len(expanded_xml):
+            xml_root.append(expanded_xml)
+            count += 1
+    count = 1
+    for n in policy.neverallow_rules:
+        expanded_xml = SELinux_CTS.expand_avc_rule_to_xml(policy, n, str(count), 'neverallow')
+        if len(expanded_xml):
+            xml_root.append(expanded_xml)
+            count += 1
+
+    #print out the xml file
+    s = tostring(xml_root)
+    s_parsed = minidom.parseString(s)
+    output = s_parsed.toprettyxml(indent="    ")
+    with open(output_file, 'w') as out_file:
+        out_file.write(output)
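Review bot: The argument-count check at the top of the `__main__` block prints the usage line to stdout and then calls bare `exit()`, which terminates with status 0, so a build step that invokes the generator with the wrong arguments (or a mistyped output path) sees success even though no XML file was written and no rules were expanded. Report the error on stderr and fail with a non-zero status: `sys.stderr.write(usage + "\n")` followed by `sys.exit(1)`. Separately, `import pdb` is never used in this hunk and is worth dropping so a leftover `pdb.set_trace()` cannot stall an unattended build. The rest of the script reads `input_file` and writes `output_file` without further checks; since the XML passed to `minidom.parseString` is the script's own `tostring` output, that round-trip is not parsing untrusted data and needs no hardening here.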
diff --git a/SELinux/CTS/test/policy_clean_test.conf b/SELinux/CTS/test/policy_clean_test.conf
new file mode 100644
index 0000000..074a63b
--- /dev/null
+++ b/SELinux/CTS/test/policy_clean_test.conf
@@ -0,0 +1,2230 @@
+#line 1 "external/sepolicy/security_classes"
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class capability
+
+# file-related classes
+class file
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+	ioctl
+	read
+	write
+	create
+	getattr
+	setattr
+	lock
+	relabelfrom
+	relabelto
+	append
+	unlink
+	link
+	rename
+	execute
+	swapon
+	quotaon
+	mounton
+}
+
+class file
+inherits file
+{
+	execute_no_trans
+	entrypoint
+	execmod
+	open
+	audit_access
+}
+
+class capability
+{
+	# The capabilities are defined in include/linux/capability.h
+	# Capabilities >= 32 are defined in the capability2 class.
+	# Care should be taken to ensure that these are consistent with
+	# those definitions. (Order matters)
+
+	chown
+	dac_override
+	dac_read_search
+	fowner
+	fsetid
+	kill
+	setgid
+	setuid
+	setpcap
+	linux_immutable
+	net_bind_service
+	net_broadcast
+	net_admin
+	net_raw
+	ipc_lock
+	ipc_owner
+	sys_module
+	sys_rawio
+	sys_chroot
+	sys_ptrace
+	sys_pacct
+	sys_admin
+	sys_boot
+	sys_nice
+	sys_resource
+	sys_time
+	sys_tty_config
+	mknod
+	lease
+	audit_write
+	audit_control
+	setfcap
+}
+
+########################################
+#
+# Basic level names for system low and high
+#
+
+
+#line 1 "external/sepolicy/mls"
+#########################################
+# MLS declarations
+#
+
+# Generate the desired number of sensitivities and categories.
+
+#line 6
+# Each sensitivity has a name and zero or more aliases.
+#line 6
+sensitivity s0;
+#line 6
+
+#line 6
+
+#line 6
+# Define the ordering of the sensitivity levels (least to greatest)
+#line 6
+dominance { s0  }
+#line 6
+
+category c0;
+#line 7
+category c1;
+#line 7
+category c2;
+#line 7
+category c3;
+#line 7
+category c4;
+#line 7
+category c5;
+#line 7
+category c6;
+#line 7
+category c7;
+#line 7
+category c8;
+#line 7
+category c9;
+#line 7
+category c10;
+#line 7
+category c11;
+#line 7
+category c12;
+#line 7
+category c13;
+#line 7
+category c14;
+#line 7
+category c15;
+#line 7
+category c16;
+#line 7
+category c17;
+#line 7
+category c18;
+#line 7
+category c19;
+#line 7
+category c20;
+#line 7
+category c21;
+#line 7
+category c22;
+#line 7
+category c23;
+#line 7
+category c24;
+#line 7
+category c25;
+#line 7
+category c26;
+#line 7
+category c27;
+#line 7
+category c28;
+#line 7
+category c29;
+#line 7
+category c30;
+#line 7
+category c31;
+#line 7
+category c32;
+#line 7
+category c33;
+#line 7
+category c34;
+#line 7
+category c35;
+#line 7
+category c36;
+#line 7
+category c37;
+#line 7
+category c38;
+#line 7
+category c39;
+#line 7
+category c40;
+#line 7
+category c41;
+#line 7
+category c42;
+#line 7
+category c43;
+#line 7
+category c44;
+#line 7
+category c45;
+#line 7
+category c46;
+#line 7
+category c47;
+#line 7
+category c48;
+#line 7
+category c49;
+#line 7
+category c50;
+#line 7
+category c51;
+#line 7
+category c52;
+#line 7
+category c53;
+#line 7
+category c54;
+#line 7
+category c55;
+#line 7
+category c56;
+#line 7
+category c57;
+#line 7
+category c58;
+#line 7
+category c59;
+#line 7
+category c60;
+#line 7
+category c61;
+#line 7
+category c62;
+#line 7
+category c63;
+#line 7
+category c64;
+#line 7
+category c65;
+#line 7
+category c66;
+#line 7
+category c67;
+#line 7
+category c68;
+#line 7
+category c69;
+#line 7
+category c70;
+#line 7
+category c71;
+#line 7
+category c72;
+#line 7
+category c73;
+#line 7
+category c74;
+#line 7
+category c75;
+#line 7
+category c76;
+#line 7
+category c77;
+#line 7
+category c78;
+#line 7
+category c79;
+#line 7
+category c80;
+#line 7
+category c81;
+#line 7
+category c82;
+#line 7
+category c83;
+#line 7
+category c84;
+#line 7
+category c85;
+#line 7
+category c86;
+#line 7
+category c87;
+#line 7
+category c88;
+#line 7
+category c89;
+#line 7
+category c90;
+#line 7
+category c91;
+#line 7
+category c92;
+#line 7
+category c93;
+#line 7
+category c94;
+#line 7
+category c95;
+#line 7
+category c96;
+#line 7
+category c97;
+#line 7
+category c98;
+#line 7
+category c99;
+#line 7
+category c100;
+#line 7
+category c101;
+#line 7
+category c102;
+#line 7
+category c103;
+#line 7
+category c104;
+#line 7
+category c105;
+#line 7
+category c106;
+#line 7
+category c107;
+#line 7
+category c108;
+#line 7
+category c109;
+#line 7
+category c110;
+#line 7
+category c111;
+#line 7
+category c112;
+#line 7
+category c113;
+#line 7
+category c114;
+#line 7
+category c115;
+#line 7
+category c116;
+#line 7
+category c117;
+#line 7
+category c118;
+#line 7
+category c119;
+#line 7
+category c120;
+#line 7
+category c121;
+#line 7
+category c122;
+#line 7
+category c123;
+#line 7
+category c124;
+#line 7
+category c125;
+#line 7
+category c126;
+#line 7
+category c127;
+#line 7
+category c128;
+#line 7
+category c129;
+#line 7
+category c130;
+#line 7
+category c131;
+#line 7
+category c132;
+#line 7
+category c133;
+#line 7
+category c134;
+#line 7
+category c135;
+#line 7
+category c136;
+#line 7
+category c137;
+#line 7
+category c138;
+#line 7
+category c139;
+#line 7
+category c140;
+#line 7
+category c141;
+#line 7
+category c142;
+#line 7
+category c143;
+#line 7
+category c144;
+#line 7
+category c145;
+#line 7
+category c146;
+#line 7
+category c147;
+#line 7
+category c148;
+#line 7
+category c149;
+#line 7
+category c150;
+#line 7
+category c151;
+#line 7
+category c152;
+#line 7
+category c153;
+#line 7
+category c154;
+#line 7
+category c155;
+#line 7
+category c156;
+#line 7
+category c157;
+#line 7
+category c158;
+#line 7
+category c159;
+#line 7
+category c160;
+#line 7
+category c161;
+#line 7
+category c162;
+#line 7
+category c163;
+#line 7
+category c164;
+#line 7
+category c165;
+#line 7
+category c166;
+#line 7
+category c167;
+#line 7
+category c168;
+#line 7
+category c169;
+#line 7
+category c170;
+#line 7
+category c171;
+#line 7
+category c172;
+#line 7
+category c173;
+#line 7
+category c174;
+#line 7
+category c175;
+#line 7
+category c176;
+#line 7
+category c177;
+#line 7
+category c178;
+#line 7
+category c179;
+#line 7
+category c180;
+#line 7
+category c181;
+#line 7
+category c182;
+#line 7
+category c183;
+#line 7
+category c184;
+#line 7
+category c185;
+#line 7
+category c186;
+#line 7
+category c187;
+#line 7
+category c188;
+#line 7
+category c189;
+#line 7
+category c190;
+#line 7
+category c191;
+#line 7
+category c192;
+#line 7
+category c193;
+#line 7
+category c194;
+#line 7
+category c195;
+#line 7
+category c196;
+#line 7
+category c197;
+#line 7
+category c198;
+#line 7
+category c199;
+#line 7
+category c200;
+#line 7
+category c201;
+#line 7
+category c202;
+#line 7
+category c203;
+#line 7
+category c204;
+#line 7
+category c205;
+#line 7
+category c206;
+#line 7
+category c207;
+#line 7
+category c208;
+#line 7
+category c209;
+#line 7
+category c210;
+#line 7
+category c211;
+#line 7
+category c212;
+#line 7
+category c213;
+#line 7
+category c214;
+#line 7
+category c215;
+#line 7
+category c216;
+#line 7
+category c217;
+#line 7
+category c218;
+#line 7
+category c219;
+#line 7
+category c220;
+#line 7
+category c221;
+#line 7
+category c222;
+#line 7
+category c223;
+#line 7
+category c224;
+#line 7
+category c225;
+#line 7
+category c226;
+#line 7
+category c227;
+#line 7
+category c228;
+#line 7
+category c229;
+#line 7
+category c230;
+#line 7
+category c231;
+#line 7
+category c232;
+#line 7
+category c233;
+#line 7
+category c234;
+#line 7
+category c235;
+#line 7
+category c236;
+#line 7
+category c237;
+#line 7
+category c238;
+#line 7
+category c239;
+#line 7
+category c240;
+#line 7
+category c241;
+#line 7
+category c242;
+#line 7
+category c243;
+#line 7
+category c244;
+#line 7
+category c245;
+#line 7
+category c246;
+#line 7
+category c247;
+#line 7
+category c248;
+#line 7
+category c249;
+#line 7
+category c250;
+#line 7
+category c251;
+#line 7
+category c252;
+#line 7
+category c253;
+#line 7
+category c254;
+#line 7
+category c255;
+#line 7
+category c256;
+#line 7
+category c257;
+#line 7
+category c258;
+#line 7
+category c259;
+#line 7
+category c260;
+#line 7
+category c261;
+#line 7
+category c262;
+#line 7
+category c263;
+#line 7
+category c264;
+#line 7
+category c265;
+#line 7
+category c266;
+#line 7
+category c267;
+#line 7
+category c268;
+#line 7
+category c269;
+#line 7
+category c270;
+#line 7
+category c271;
+#line 7
+category c272;
+#line 7
+category c273;
+#line 7
+category c274;
+#line 7
+category c275;
+#line 7
+category c276;
+#line 7
+category c277;
+#line 7
+category c278;
+#line 7
+category c279;
+#line 7
+category c280;
+#line 7
+category c281;
+#line 7
+category c282;
+#line 7
+category c283;
+#line 7
+category c284;
+#line 7
+category c285;
+#line 7
+category c286;
+#line 7
+category c287;
+#line 7
+category c288;
+#line 7
+category c289;
+#line 7
+category c290;
+#line 7
+category c291;
+#line 7
+category c292;
+#line 7
+category c293;
+#line 7
+category c294;
+#line 7
+category c295;
+#line 7
+category c296;
+#line 7
+category c297;
+#line 7
+category c298;
+#line 7
+category c299;
+#line 7
+category c300;
+#line 7
+category c301;
+#line 7
+category c302;
+#line 7
+category c303;
+#line 7
+category c304;
+#line 7
+category c305;
+#line 7
+category c306;
+#line 7
+category c307;
+#line 7
+category c308;
+#line 7
+category c309;
+#line 7
+category c310;
+#line 7
+category c311;
+#line 7
+category c312;
+#line 7
+category c313;
+#line 7
+category c314;
+#line 7
+category c315;
+#line 7
+category c316;
+#line 7
+category c317;
+#line 7
+category c318;
+#line 7
+category c319;
+#line 7
+category c320;
+#line 7
+category c321;
+#line 7
+category c322;
+#line 7
+category c323;
+#line 7
+category c324;
+#line 7
+category c325;
+#line 7
+category c326;
+#line 7
+category c327;
+#line 7
+category c328;
+#line 7
+category c329;
+#line 7
+category c330;
+#line 7
+category c331;
+#line 7
+category c332;
+#line 7
+category c333;
+#line 7
+category c334;
+#line 7
+category c335;
+#line 7
+category c336;
+#line 7
+category c337;
+#line 7
+category c338;
+#line 7
+category c339;
+#line 7
+category c340;
+#line 7
+category c341;
+#line 7
+category c342;
+#line 7
+category c343;
+#line 7
+category c344;
+#line 7
+category c345;
+#line 7
+category c346;
+#line 7
+category c347;
+#line 7
+category c348;
+#line 7
+category c349;
+#line 7
+category c350;
+#line 7
+category c351;
+#line 7
+category c352;
+#line 7
+category c353;
+#line 7
+category c354;
+#line 7
+category c355;
+#line 7
+category c356;
+#line 7
+category c357;
+#line 7
+category c358;
+#line 7
+category c359;
+#line 7
+category c360;
+#line 7
+category c361;
+#line 7
+category c362;
+#line 7
+category c363;
+#line 7
+category c364;
+#line 7
+category c365;
+#line 7
+category c366;
+#line 7
+category c367;
+#line 7
+category c368;
+#line 7
+category c369;
+#line 7
+category c370;
+#line 7
+category c371;
+#line 7
+category c372;
+#line 7
+category c373;
+#line 7
+category c374;
+#line 7
+category c375;
+#line 7
+category c376;
+#line 7
+category c377;
+#line 7
+category c378;
+#line 7
+category c379;
+#line 7
+category c380;
+#line 7
+category c381;
+#line 7
+category c382;
+#line 7
+category c383;
+#line 7
+category c384;
+#line 7
+category c385;
+#line 7
+category c386;
+#line 7
+category c387;
+#line 7
+category c388;
+#line 7
+category c389;
+#line 7
+category c390;
+#line 7
+category c391;
+#line 7
+category c392;
+#line 7
+category c393;
+#line 7
+category c394;
+#line 7
+category c395;
+#line 7
+category c396;
+#line 7
+category c397;
+#line 7
+category c398;
+#line 7
+category c399;
+#line 7
+category c400;
+#line 7
+category c401;
+#line 7
+category c402;
+#line 7
+category c403;
+#line 7
+category c404;
+#line 7
+category c405;
+#line 7
+category c406;
+#line 7
+category c407;
+#line 7
+category c408;
+#line 7
+category c409;
+#line 7
+category c410;
+#line 7
+category c411;
+#line 7
+category c412;
+#line 7
+category c413;
+#line 7
+category c414;
+#line 7
+category c415;
+#line 7
+category c416;
+#line 7
+category c417;
+#line 7
+category c418;
+#line 7
+category c419;
+#line 7
+category c420;
+#line 7
+category c421;
+#line 7
+category c422;
+#line 7
+category c423;
+#line 7
+category c424;
+#line 7
+category c425;
+#line 7
+category c426;
+#line 7
+category c427;
+#line 7
+category c428;
+#line 7
+category c429;
+#line 7
+category c430;
+#line 7
+category c431;
+#line 7
+category c432;
+#line 7
+category c433;
+#line 7
+category c434;
+#line 7
+category c435;
+#line 7
+category c436;
+#line 7
+category c437;
+#line 7
+category c438;
+#line 7
+category c439;
+#line 7
+category c440;
+#line 7
+category c441;
+#line 7
+category c442;
+#line 7
+category c443;
+#line 7
+category c444;
+#line 7
+category c445;
+#line 7
+category c446;
+#line 7
+category c447;
+#line 7
+category c448;
+#line 7
+category c449;
+#line 7
+category c450;
+#line 7
+category c451;
+#line 7
+category c452;
+#line 7
+category c453;
+#line 7
+category c454;
+#line 7
+category c455;
+#line 7
+category c456;
+#line 7
+category c457;
+#line 7
+category c458;
+#line 7
+category c459;
+#line 7
+category c460;
+#line 7
+category c461;
+#line 7
+category c462;
+#line 7
+category c463;
+#line 7
+category c464;
+#line 7
+category c465;
+#line 7
+category c466;
+#line 7
+category c467;
+#line 7
+category c468;
+#line 7
+category c469;
+#line 7
+category c470;
+#line 7
+category c471;
+#line 7
+category c472;
+#line 7
+category c473;
+#line 7
+category c474;
+#line 7
+category c475;
+#line 7
+category c476;
+#line 7
+category c477;
+#line 7
+category c478;
+#line 7
+category c479;
+#line 7
+category c480;
+#line 7
+category c481;
+#line 7
+category c482;
+#line 7
+category c483;
+#line 7
+category c484;
+#line 7
+category c485;
+#line 7
+category c486;
+#line 7
+category c487;
+#line 7
+category c488;
+#line 7
+category c489;
+#line 7
+category c490;
+#line 7
+category c491;
+#line 7
+category c492;
+#line 7
+category c493;
+#line 7
+category c494;
+#line 7
+category c495;
+#line 7
+category c496;
+#line 7
+category c497;
+#line 7
+category c498;
+#line 7
+category c499;
+#line 7
+category c500;
+#line 7
+category c501;
+#line 7
+category c502;
+#line 7
+category c503;
+#line 7
+category c504;
+#line 7
+category c505;
+#line 7
+category c506;
+#line 7
+category c507;
+#line 7
+category c508;
+#line 7
+category c509;
+#line 7
+category c510;
+#line 7
+category c511;
+#line 7
+category c512;
+#line 7
+category c513;
+#line 7
+category c514;
+#line 7
+category c515;
+#line 7
+category c516;
+#line 7
+category c517;
+#line 7
+category c518;
+#line 7
+category c519;
+#line 7
+category c520;
+#line 7
+category c521;
+#line 7
+category c522;
+#line 7
+category c523;
+#line 7
+category c524;
+#line 7
+category c525;
+#line 7
+category c526;
+#line 7
+category c527;
+#line 7
+category c528;
+#line 7
+category c529;
+#line 7
+category c530;
+#line 7
+category c531;
+#line 7
+category c532;
+#line 7
+category c533;
+#line 7
+category c534;
+#line 7
+category c535;
+#line 7
+category c536;
+#line 7
+category c537;
+#line 7
+category c538;
+#line 7
+category c539;
+#line 7
+category c540;
+#line 7
+category c541;
+#line 7
+category c542;
+#line 7
+category c543;
+#line 7
+category c544;
+#line 7
+category c545;
+#line 7
+category c546;
+#line 7
+category c547;
+#line 7
+category c548;
+#line 7
+category c549;
+#line 7
+category c550;
+#line 7
+category c551;
+#line 7
+category c552;
+#line 7
+category c553;
+#line 7
+category c554;
+#line 7
+category c555;
+#line 7
+category c556;
+#line 7
+category c557;
+#line 7
+category c558;
+#line 7
+category c559;
+#line 7
+category c560;
+#line 7
+category c561;
+#line 7
+category c562;
+#line 7
+category c563;
+#line 7
+category c564;
+#line 7
+category c565;
+#line 7
+category c566;
+#line 7
+category c567;
+#line 7
+category c568;
+#line 7
+category c569;
+#line 7
+category c570;
+#line 7
+category c571;
+#line 7
+category c572;
+#line 7
+category c573;
+#line 7
+category c574;
+#line 7
+category c575;
+#line 7
+category c576;
+#line 7
+category c577;
+#line 7
+category c578;
+#line 7
+category c579;
+#line 7
+category c580;
+#line 7
+category c581;
+#line 7
+category c582;
+#line 7
+category c583;
+#line 7
+category c584;
+#line 7
+category c585;
+#line 7
+category c586;
+#line 7
+category c587;
+#line 7
+category c588;
+#line 7
+category c589;
+#line 7
+category c590;
+#line 7
+category c591;
+#line 7
+category c592;
+#line 7
+category c593;
+#line 7
+category c594;
+#line 7
+category c595;
+#line 7
+category c596;
+#line 7
+category c597;
+#line 7
+category c598;
+#line 7
+category c599;
+#line 7
+category c600;
+#line 7
+category c601;
+#line 7
+category c602;
+#line 7
+category c603;
+#line 7
+category c604;
+#line 7
+category c605;
+#line 7
+category c606;
+#line 7
+category c607;
+#line 7
+category c608;
+#line 7
+category c609;
+#line 7
+category c610;
+#line 7
+category c611;
+#line 7
+category c612;
+#line 7
+category c613;
+#line 7
+category c614;
+#line 7
+category c615;
+#line 7
+category c616;
+#line 7
+category c617;
+#line 7
+category c618;
+#line 7
+category c619;
+#line 7
+category c620;
+#line 7
+category c621;
+#line 7
+category c622;
+#line 7
+category c623;
+#line 7
+category c624;
+#line 7
+category c625;
+#line 7
+category c626;
+#line 7
+category c627;
+#line 7
+category c628;
+#line 7
+category c629;
+#line 7
+category c630;
+#line 7
+category c631;
+#line 7
+category c632;
+#line 7
+category c633;
+#line 7
+category c634;
+#line 7
+category c635;
+#line 7
+category c636;
+#line 7
+category c637;
+#line 7
+category c638;
+#line 7
+category c639;
+#line 7
+category c640;
+#line 7
+category c641;
+#line 7
+category c642;
+#line 7
+category c643;
+#line 7
+category c644;
+#line 7
+category c645;
+#line 7
+category c646;
+#line 7
+category c647;
+#line 7
+category c648;
+#line 7
+category c649;
+#line 7
+category c650;
+#line 7
+category c651;
+#line 7
+category c652;
+#line 7
+category c653;
+#line 7
+category c654;
+#line 7
+category c655;
+#line 7
+category c656;
+#line 7
+category c657;
+#line 7
+category c658;
+#line 7
+category c659;
+#line 7
+category c660;
+#line 7
+category c661;
+#line 7
+category c662;
+#line 7
+category c663;
+#line 7
+category c664;
+#line 7
+category c665;
+#line 7
+category c666;
+#line 7
+category c667;
+#line 7
+category c668;
+#line 7
+category c669;
+#line 7
+category c670;
+#line 7
+category c671;
+#line 7
+category c672;
+#line 7
+category c673;
+#line 7
+category c674;
+#line 7
+category c675;
+#line 7
+category c676;
+#line 7
+category c677;
+#line 7
+category c678;
+#line 7
+category c679;
+#line 7
+category c680;
+#line 7
+category c681;
+#line 7
+category c682;
+#line 7
+category c683;
+#line 7
+category c684;
+#line 7
+category c685;
+#line 7
+category c686;
+#line 7
+category c687;
+#line 7
+category c688;
+#line 7
+category c689;
+#line 7
+category c690;
+#line 7
+category c691;
+#line 7
+category c692;
+#line 7
+category c693;
+#line 7
+category c694;
+#line 7
+category c695;
+#line 7
+category c696;
+#line 7
+category c697;
+#line 7
+category c698;
+#line 7
+category c699;
+#line 7
+category c700;
+#line 7
+category c701;
+#line 7
+category c702;
+#line 7
+category c703;
+#line 7
+category c704;
+#line 7
+category c705;
+#line 7
+category c706;
+#line 7
+category c707;
+#line 7
+category c708;
+#line 7
+category c709;
+#line 7
+category c710;
+#line 7
+category c711;
+#line 7
+category c712;
+#line 7
+category c713;
+#line 7
+category c714;
+#line 7
+category c715;
+#line 7
+category c716;
+#line 7
+category c717;
+#line 7
+category c718;
+#line 7
+category c719;
+#line 7
+category c720;
+#line 7
+category c721;
+#line 7
+category c722;
+#line 7
+category c723;
+#line 7
+category c724;
+#line 7
+category c725;
+#line 7
+category c726;
+#line 7
+category c727;
+#line 7
+category c728;
+#line 7
+category c729;
+#line 7
+category c730;
+#line 7
+category c731;
+#line 7
+category c732;
+#line 7
+category c733;
+#line 7
+category c734;
+#line 7
+category c735;
+#line 7
+category c736;
+#line 7
+category c737;
+#line 7
+category c738;
+#line 7
+category c739;
+#line 7
+category c740;
+#line 7
+category c741;
+#line 7
+category c742;
+#line 7
+category c743;
+#line 7
+category c744;
+#line 7
+category c745;
+#line 7
+category c746;
+#line 7
+category c747;
+#line 7
+category c748;
+#line 7
+category c749;
+#line 7
+category c750;
+#line 7
+category c751;
+#line 7
+category c752;
+#line 7
+category c753;
+#line 7
+category c754;
+#line 7
+category c755;
+#line 7
+category c756;
+#line 7
+category c757;
+#line 7
+category c758;
+#line 7
+category c759;
+#line 7
+category c760;
+#line 7
+category c761;
+#line 7
+category c762;
+#line 7
+category c763;
+#line 7
+category c764;
+#line 7
+category c765;
+#line 7
+category c766;
+#line 7
+category c767;
+#line 7
+category c768;
+#line 7
+category c769;
+#line 7
+category c770;
+#line 7
+category c771;
+#line 7
+category c772;
+#line 7
+category c773;
+#line 7
+category c774;
+#line 7
+category c775;
+#line 7
+category c776;
+#line 7
+category c777;
+#line 7
+category c778;
+#line 7
+category c779;
+#line 7
+category c780;
+#line 7
+category c781;
+#line 7
+category c782;
+#line 7
+category c783;
+#line 7
+category c784;
+#line 7
+category c785;
+#line 7
+category c786;
+#line 7
+category c787;
+#line 7
+category c788;
+#line 7
+category c789;
+#line 7
+category c790;
+#line 7
+category c791;
+#line 7
+category c792;
+#line 7
+category c793;
+#line 7
+category c794;
+#line 7
+category c795;
+#line 7
+category c796;
+#line 7
+category c797;
+#line 7
+category c798;
+#line 7
+category c799;
+#line 7
+category c800;
+#line 7
+category c801;
+#line 7
+category c802;
+#line 7
+category c803;
+#line 7
+category c804;
+#line 7
+category c805;
+#line 7
+category c806;
+#line 7
+category c807;
+#line 7
+category c808;
+#line 7
+category c809;
+#line 7
+category c810;
+#line 7
+category c811;
+#line 7
+category c812;
+#line 7
+category c813;
+#line 7
+category c814;
+#line 7
+category c815;
+#line 7
+category c816;
+#line 7
+category c817;
+#line 7
+category c818;
+#line 7
+category c819;
+#line 7
+category c820;
+#line 7
+category c821;
+#line 7
+category c822;
+#line 7
+category c823;
+#line 7
+category c824;
+#line 7
+category c825;
+#line 7
+category c826;
+#line 7
+category c827;
+#line 7
+category c828;
+#line 7
+category c829;
+#line 7
+category c830;
+#line 7
+category c831;
+#line 7
+category c832;
+#line 7
+category c833;
+#line 7
+category c834;
+#line 7
+category c835;
+#line 7
+category c836;
+#line 7
+category c837;
+#line 7
+category c838;
+#line 7
+category c839;
+#line 7
+category c840;
+#line 7
+category c841;
+#line 7
+category c842;
+#line 7
+category c843;
+#line 7
+category c844;
+#line 7
+category c845;
+#line 7
+category c846;
+#line 7
+category c847;
+#line 7
+category c848;
+#line 7
+category c849;
+#line 7
+category c850;
+#line 7
+category c851;
+#line 7
+category c852;
+#line 7
+category c853;
+#line 7
+category c854;
+#line 7
+category c855;
+#line 7
+category c856;
+#line 7
+category c857;
+#line 7
+category c858;
+#line 7
+category c859;
+#line 7
+category c860;
+#line 7
+category c861;
+#line 7
+category c862;
+#line 7
+category c863;
+#line 7
+category c864;
+#line 7
+category c865;
+#line 7
+category c866;
+#line 7
+category c867;
+#line 7
+category c868;
+#line 7
+category c869;
+#line 7
+category c870;
+#line 7
+category c871;
+#line 7
+category c872;
+#line 7
+category c873;
+#line 7
+category c874;
+#line 7
+category c875;
+#line 7
+category c876;
+#line 7
+category c877;
+#line 7
+category c878;
+#line 7
+category c879;
+#line 7
+category c880;
+#line 7
+category c881;
+#line 7
+category c882;
+#line 7
+category c883;
+#line 7
+category c884;
+#line 7
+category c885;
+#line 7
+category c886;
+#line 7
+category c887;
+#line 7
+category c888;
+#line 7
+category c889;
+#line 7
+category c890;
+#line 7
+category c891;
+#line 7
+category c892;
+#line 7
+category c893;
+#line 7
+category c894;
+#line 7
+category c895;
+#line 7
+category c896;
+#line 7
+category c897;
+#line 7
+category c898;
+#line 7
+category c899;
+#line 7
+category c900;
+#line 7
+category c901;
+#line 7
+category c902;
+#line 7
+category c903;
+#line 7
+category c904;
+#line 7
+category c905;
+#line 7
+category c906;
+#line 7
+category c907;
+#line 7
+category c908;
+#line 7
+category c909;
+#line 7
+category c910;
+#line 7
+category c911;
+#line 7
+category c912;
+#line 7
+category c913;
+#line 7
+category c914;
+#line 7
+category c915;
+#line 7
+category c916;
+#line 7
+category c917;
+#line 7
+category c918;
+#line 7
+category c919;
+#line 7
+category c920;
+#line 7
+category c921;
+#line 7
+category c922;
+#line 7
+category c923;
+#line 7
+category c924;
+#line 7
+category c925;
+#line 7
+category c926;
+#line 7
+category c927;
+#line 7
+category c928;
+#line 7
+category c929;
+#line 7
+category c930;
+#line 7
+category c931;
+#line 7
+category c932;
+#line 7
+category c933;
+#line 7
+category c934;
+#line 7
+category c935;
+#line 7
+category c936;
+#line 7
+category c937;
+#line 7
+category c938;
+#line 7
+category c939;
+#line 7
+category c940;
+#line 7
+category c941;
+#line 7
+category c942;
+#line 7
+category c943;
+#line 7
+category c944;
+#line 7
+category c945;
+#line 7
+category c946;
+#line 7
+category c947;
+#line 7
+category c948;
+#line 7
+category c949;
+#line 7
+category c950;
+#line 7
+category c951;
+#line 7
+category c952;
+#line 7
+category c953;
+#line 7
+category c954;
+#line 7
+category c955;
+#line 7
+category c956;
+#line 7
+category c957;
+#line 7
+category c958;
+#line 7
+category c959;
+#line 7
+category c960;
+#line 7
+category c961;
+#line 7
+category c962;
+#line 7
+category c963;
+#line 7
+category c964;
+#line 7
+category c965;
+#line 7
+category c966;
+#line 7
+category c967;
+#line 7
+category c968;
+#line 7
+category c969;
+#line 7
+category c970;
+#line 7
+category c971;
+#line 7
+category c972;
+#line 7
+category c973;
+#line 7
+category c974;
+#line 7
+category c975;
+#line 7
+category c976;
+#line 7
+category c977;
+#line 7
+category c978;
+#line 7
+category c979;
+#line 7
+category c980;
+#line 7
+category c981;
+#line 7
+category c982;
+#line 7
+category c983;
+#line 7
+category c984;
+#line 7
+category c985;
+#line 7
+category c986;
+#line 7
+category c987;
+#line 7
+category c988;
+#line 7
+category c989;
+#line 7
+category c990;
+#line 7
+category c991;
+#line 7
+category c992;
+#line 7
+category c993;
+#line 7
+category c994;
+#line 7
+category c995;
+#line 7
+category c996;
+#line 7
+category c997;
+#line 7
+category c998;
+#line 7
+category c999;
+#line 7
+category c1000;
+#line 7
+category c1001;
+#line 7
+category c1002;
+#line 7
+category c1003;
+#line 7
+category c1004;
+#line 7
+category c1005;
+#line 7
+category c1006;
+#line 7
+category c1007;
+#line 7
+category c1008;
+#line 7
+category c1009;
+#line 7
+category c1010;
+#line 7
+category c1011;
+#line 7
+category c1012;
+#line 7
+category c1013;
+#line 7
+category c1014;
+#line 7
+category c1015;
+#line 7
+category c1016;
+#line 7
+category c1017;
+#line 7
+category c1018;
+#line 7
+category c1019;
+#line 7
+category c1020;
+#line 7
+category c1021;
+#line 7
+category c1022;
+#line 7
+category c1023;
+#line 7
+
+
+# Generate level definitions for each sensitivity and category.
+level s0:c0.c1023;
+#line 10
+
+######################################
+# Attribute declarations
+#
+
+# All types used for processes.
+attribute domain;
+
+# Domains that are allowed all permissions ("unconfined").
+attribute unconfineddomain;
+
+# All domains used for apps.
+attribute appdomain;
+
+# All types used for files that can exist on a labeled fs.
+# Do not use for pseudo file types.
+attribute file_type;
+
+# All types used for domain entry points.
+attribute exec_type;
+
+#line 1 "external/sepolicy/bluetooth.te"
+# bluetooth subsystem
+type bluetooth, domain;
+permissive bluetooth;
+
+#line 4
+typeattribute bluetooth appdomain;
+
+#line 5
+typeattribute bluetooth unconfineddomain;
+#line 5
+
+#line 1 "external/sepolicy/healthd.te"
+# healthd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type healthd, domain;
+permissive healthd;
+type healthd_exec, exec_type, file_type;
+
+# New domain is entered by executing the file.
+#line 7
+allow healthd healthd_exec:file { entrypoint read execute };
+
+###
+### Neverallow rules
+###
+### These are things that Android apps should NEVER be able to do
+###
+
+# Superuser capabilities.
+# bluetooth requires net_admin.
+neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
+
+# Added to make the neverallow rule make sense in a limited environment.
+# Added at the bottom to not throw off file seek numbers in test suite.  
+# This is not a problem, because allow rules are processed after all types
+# are gathered.
+type testTYPE, appdomain, domain;
diff --git a/SELinux/CTS/test/policy_test.conf b/SELinux/CTS/test/policy_test.conf
new file mode 100644
index 0000000..d0962cd
--- /dev/null
+++ b/SELinux/CTS/test/policy_test.conf
@@ -0,0 +1,2244 @@
+#line 1 "external/sepolicy/security_classes"
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class capability
+
+# file-related classes
+class file
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+	ioctl
+	read
+	write
+	create
+	getattr
+	setattr
+	lock
+	relabelfrom
+	relabelto
+	append
+	unlink
+	link
+	rename
+	execute
+	swapon
+	quotaon
+	mounton
+}
+
+class file
+inherits file
+{
+	execute_no_trans
+	entrypoint
+	execmod
+	open
+	audit_access
+}
+
+class capability
+{
+	# The capabilities are defined in include/linux/capability.h
+	# Capabilities >= 32 are defined in the capability2 class.
+	# Care should be taken to ensure that these are consistent with
+	# those definitions. (Order matters)
+
+	chown
+	dac_override
+	dac_read_search
+	fowner
+	fsetid
+	kill
+	setgid
+	setuid
+	setpcap
+	linux_immutable
+	net_bind_service
+	net_broadcast
+	net_admin
+	net_raw
+	ipc_lock
+	ipc_owner
+	sys_module
+	sys_rawio
+	sys_chroot
+	sys_ptrace
+	sys_pacct
+	sys_admin
+	sys_boot
+	sys_nice
+	sys_resource
+	sys_time
+	sys_tty_config
+	mknod
+	lease
+	audit_write
+	audit_control
+	setfcap
+}
+
+########################################
+#
+# Basic level names for system low and high
+#
+
+
+#line 1 "external/sepolicy/mls"
+#########################################
+# MLS declarations
+#
+
+# Generate the desired number of sensitivities and categories.
+
+#line 6
+# Each sensitivity has a name and zero or more aliases.
+#line 6
+sensitivity s0;
+#line 6
+
+#line 6
+
+#line 6
+# Define the ordering of the sensitivity levels (least to greatest)
+#line 6
+dominance { s0  }
+#line 6
+
+category c0;
+#line 7
+category c1;
+#line 7
+category c2;
+#line 7
+category c3;
+#line 7
+category c4;
+#line 7
+category c5;
+#line 7
+category c6;
+#line 7
+category c7;
+#line 7
+category c8;
+#line 7
+category c9;
+#line 7
+category c10;
+#line 7
+category c11;
+#line 7
+category c12;
+#line 7
+category c13;
+#line 7
+category c14;
+#line 7
+category c15;
+#line 7
+category c16;
+#line 7
+category c17;
+#line 7
+category c18;
+#line 7
+category c19;
+#line 7
+category c20;
+#line 7
+category c21;
+#line 7
+category c22;
+#line 7
+category c23;
+#line 7
+category c24;
+#line 7
+category c25;
+#line 7
+category c26;
+#line 7
+category c27;
+#line 7
+category c28;
+#line 7
+category c29;
+#line 7
+category c30;
+#line 7
+category c31;
+#line 7
+category c32;
+#line 7
+category c33;
+#line 7
+category c34;
+#line 7
+category c35;
+#line 7
+category c36;
+#line 7
+category c37;
+#line 7
+category c38;
+#line 7
+category c39;
+#line 7
+category c40;
+#line 7
+category c41;
+#line 7
+category c42;
+#line 7
+category c43;
+#line 7
+category c44;
+#line 7
+category c45;
+#line 7
+category c46;
+#line 7
+category c47;
+#line 7
+category c48;
+#line 7
+category c49;
+#line 7
+category c50;
+#line 7
+category c51;
+#line 7
+category c52;
+#line 7
+category c53;
+#line 7
+category c54;
+#line 7
+category c55;
+#line 7
+category c56;
+#line 7
+category c57;
+#line 7
+category c58;
+#line 7
+category c59;
+#line 7
+category c60;
+#line 7
+category c61;
+#line 7
+category c62;
+#line 7
+category c63;
+#line 7
+category c64;
+#line 7
+category c65;
+#line 7
+category c66;
+#line 7
+category c67;
+#line 7
+category c68;
+#line 7
+category c69;
+#line 7
+category c70;
+#line 7
+category c71;
+#line 7
+category c72;
+#line 7
+category c73;
+#line 7
+category c74;
+#line 7
+category c75;
+#line 7
+category c76;
+#line 7
+category c77;
+#line 7
+category c78;
+#line 7
+category c79;
+#line 7
+category c80;
+#line 7
+category c81;
+#line 7
+category c82;
+#line 7
+category c83;
+#line 7
+category c84;
+#line 7
+category c85;
+#line 7
+category c86;
+#line 7
+category c87;
+#line 7
+category c88;
+#line 7
+category c89;
+#line 7
+category c90;
+#line 7
+category c91;
+#line 7
+category c92;
+#line 7
+category c93;
+#line 7
+category c94;
+#line 7
+category c95;
+#line 7
+category c96;
+#line 7
+category c97;
+#line 7
+category c98;
+#line 7
+category c99;
+#line 7
+category c100;
+#line 7
+category c101;
+#line 7
+category c102;
+#line 7
+category c103;
+#line 7
+category c104;
+#line 7
+category c105;
+#line 7
+category c106;
+#line 7
+category c107;
+#line 7
+category c108;
+#line 7
+category c109;
+#line 7
+category c110;
+#line 7
+category c111;
+#line 7
+category c112;
+#line 7
+category c113;
+#line 7
+category c114;
+#line 7
+category c115;
+#line 7
+category c116;
+#line 7
+category c117;
+#line 7
+category c118;
+#line 7
+category c119;
+#line 7
+category c120;
+#line 7
+category c121;
+#line 7
+category c122;
+#line 7
+category c123;
+#line 7
+category c124;
+#line 7
+category c125;
+#line 7
+category c126;
+#line 7
+category c127;
+#line 7
+category c128;
+#line 7
+category c129;
+#line 7
+category c130;
+#line 7
+category c131;
+#line 7
+category c132;
+#line 7
+category c133;
+#line 7
+category c134;
+#line 7
+category c135;
+#line 7
+category c136;
+#line 7
+category c137;
+#line 7
+category c138;
+#line 7
+category c139;
+#line 7
+category c140;
+#line 7
+category c141;
+#line 7
+category c142;
+#line 7
+category c143;
+#line 7
+category c144;
+#line 7
+category c145;
+#line 7
+category c146;
+#line 7
+category c147;
+#line 7
+category c148;
+#line 7
+category c149;
+#line 7
+category c150;
+#line 7
+category c151;
+#line 7
+category c152;
+#line 7
+category c153;
+#line 7
+category c154;
+#line 7
+category c155;
+#line 7
+category c156;
+#line 7
+category c157;
+#line 7
+category c158;
+#line 7
+category c159;
+#line 7
+category c160;
+#line 7
+category c161;
+#line 7
+category c162;
+#line 7
+category c163;
+#line 7
+category c164;
+#line 7
+category c165;
+#line 7
+category c166;
+#line 7
+category c167;
+#line 7
+category c168;
+#line 7
+category c169;
+#line 7
+category c170;
+#line 7
+category c171;
+#line 7
+category c172;
+#line 7
+category c173;
+#line 7
+category c174;
+#line 7
+category c175;
+#line 7
+category c176;
+#line 7
+category c177;
+#line 7
+category c178;
+#line 7
+category c179;
+#line 7
+category c180;
+#line 7
+category c181;
+#line 7
+category c182;
+#line 7
+category c183;
+#line 7
+category c184;
+#line 7
+category c185;
+#line 7
+category c186;
+#line 7
+category c187;
+#line 7
+category c188;
+#line 7
+category c189;
+#line 7
+category c190;
+#line 7
+category c191;
+#line 7
+category c192;
+#line 7
+category c193;
+#line 7
+category c194;
+#line 7
+category c195;
+#line 7
+category c196;
+#line 7
+category c197;
+#line 7
+category c198;
+#line 7
+category c199;
+#line 7
+category c200;
+#line 7
+category c201;
+#line 7
+category c202;
+#line 7
+category c203;
+#line 7
+category c204;
+#line 7
+category c205;
+#line 7
+category c206;
+#line 7
+category c207;
+#line 7
+category c208;
+#line 7
+category c209;
+#line 7
+category c210;
+#line 7
+category c211;
+#line 7
+category c212;
+#line 7
+category c213;
+#line 7
+category c214;
+#line 7
+category c215;
+#line 7
+category c216;
+#line 7
+category c217;
+#line 7
+category c218;
+#line 7
+category c219;
+#line 7
+category c220;
+#line 7
+category c221;
+#line 7
+category c222;
+#line 7
+category c223;
+#line 7
+category c224;
+#line 7
+category c225;
+#line 7
+category c226;
+#line 7
+category c227;
+#line 7
+category c228;
+#line 7
+category c229;
+#line 7
+category c230;
+#line 7
+category c231;
+#line 7
+category c232;
+#line 7
+category c233;
+#line 7
+category c234;
+#line 7
+category c235;
+#line 7
+category c236;
+#line 7
+category c237;
+#line 7
+category c238;
+#line 7
+category c239;
+#line 7
+category c240;
+#line 7
+category c241;
+#line 7
+category c242;
+#line 7
+category c243;
+#line 7
+category c244;
+#line 7
+category c245;
+#line 7
+category c246;
+#line 7
+category c247;
+#line 7
+category c248;
+#line 7
+category c249;
+#line 7
+category c250;
+#line 7
+category c251;
+#line 7
+category c252;
+#line 7
+category c253;
+#line 7
+category c254;
+#line 7
+category c255;
+#line 7
+category c256;
+#line 7
+category c257;
+#line 7
+category c258;
+#line 7
+category c259;
+#line 7
+category c260;
+#line 7
+category c261;
+#line 7
+category c262;
+#line 7
+category c263;
+#line 7
+category c264;
+#line 7
+category c265;
+#line 7
+category c266;
+#line 7
+category c267;
+#line 7
+category c268;
+#line 7
+category c269;
+#line 7
+category c270;
+#line 7
+category c271;
+#line 7
+category c272;
+#line 7
+category c273;
+#line 7
+category c274;
+#line 7
+category c275;
+#line 7
+category c276;
+#line 7
+category c277;
+#line 7
+category c278;
+#line 7
+category c279;
+#line 7
+category c280;
+#line 7
+category c281;
+#line 7
+category c282;
+#line 7
+category c283;
+#line 7
+category c284;
+#line 7
+category c285;
+#line 7
+category c286;
+#line 7
+category c287;
+#line 7
+category c288;
+#line 7
+category c289;
+#line 7
+category c290;
+#line 7
+category c291;
+#line 7
+category c292;
+#line 7
+category c293;
+#line 7
+category c294;
+#line 7
+category c295;
+#line 7
+category c296;
+#line 7
+category c297;
+#line 7
+category c298;
+#line 7
+category c299;
+#line 7
+category c300;
+#line 7
+category c301;
+#line 7
+category c302;
+#line 7
+category c303;
+#line 7
+category c304;
+#line 7
+category c305;
+#line 7
+category c306;
+#line 7
+category c307;
+#line 7
+category c308;
+#line 7
+category c309;
+#line 7
+category c310;
+#line 7
+category c311;
+#line 7
+category c312;
+#line 7
+category c313;
+#line 7
+category c314;
+#line 7
+category c315;
+#line 7
+category c316;
+#line 7
+category c317;
+#line 7
+category c318;
+#line 7
+category c319;
+#line 7
+category c320;
+#line 7
+category c321;
+#line 7
+category c322;
+#line 7
+category c323;
+#line 7
+category c324;
+#line 7
+category c325;
+#line 7
+category c326;
+#line 7
+category c327;
+#line 7
+category c328;
+#line 7
+category c329;
+#line 7
+category c330;
+#line 7
+category c331;
+#line 7
+category c332;
+#line 7
+category c333;
+#line 7
+category c334;
+#line 7
+category c335;
+#line 7
+category c336;
+#line 7
+category c337;
+#line 7
+category c338;
+#line 7
+category c339;
+#line 7
+category c340;
+#line 7
+category c341;
+#line 7
+category c342;
+#line 7
+category c343;
+#line 7
+category c344;
+#line 7
+category c345;
+#line 7
+category c346;
+#line 7
+category c347;
+#line 7
+category c348;
+#line 7
+category c349;
+#line 7
+category c350;
+#line 7
+category c351;
+#line 7
+category c352;
+#line 7
+category c353;
+#line 7
+category c354;
+#line 7
+category c355;
+#line 7
+category c356;
+#line 7
+category c357;
+#line 7
+category c358;
+#line 7
+category c359;
+#line 7
+category c360;
+#line 7
+category c361;
+#line 7
+category c362;
+#line 7
+category c363;
+#line 7
+category c364;
+#line 7
+category c365;
+#line 7
+category c366;
+#line 7
+category c367;
+#line 7
+category c368;
+#line 7
+category c369;
+#line 7
+category c370;
+#line 7
+category c371;
+#line 7
+category c372;
+#line 7
+category c373;
+#line 7
+category c374;
+#line 7
+category c375;
+#line 7
+category c376;
+#line 7
+category c377;
+#line 7
+category c378;
+#line 7
+category c379;
+#line 7
+category c380;
+#line 7
+category c381;
+#line 7
+category c382;
+#line 7
+category c383;
+#line 7
+category c384;
+#line 7
+category c385;
+#line 7
+category c386;
+#line 7
+category c387;
+#line 7
+category c388;
+#line 7
+category c389;
+#line 7
+category c390;
+#line 7
+category c391;
+#line 7
+category c392;
+#line 7
+category c393;
+#line 7
+category c394;
+#line 7
+category c395;
+#line 7
+category c396;
+#line 7
+category c397;
+#line 7
+category c398;
+#line 7
+category c399;
+#line 7
+category c400;
+#line 7
+category c401;
+#line 7
+category c402;
+#line 7
+category c403;
+#line 7
+category c404;
+#line 7
+category c405;
+#line 7
+category c406;
+#line 7
+category c407;
+#line 7
+category c408;
+#line 7
+category c409;
+#line 7
+category c410;
+#line 7
+category c411;
+#line 7
+category c412;
+#line 7
+category c413;
+#line 7
+category c414;
+#line 7
+category c415;
+#line 7
+category c416;
+#line 7
+category c417;
+#line 7
+category c418;
+#line 7
+category c419;
+#line 7
+category c420;
+#line 7
+category c421;
+#line 7
+category c422;
+#line 7
+category c423;
+#line 7
+category c424;
+#line 7
+category c425;
+#line 7
+category c426;
+#line 7
+category c427;
+#line 7
+category c428;
+#line 7
+category c429;
+#line 7
+category c430;
+#line 7
+category c431;
+#line 7
+category c432;
+#line 7
+category c433;
+#line 7
+category c434;
+#line 7
+category c435;
+#line 7
+category c436;
+#line 7
+category c437;
+#line 7
+category c438;
+#line 7
+category c439;
+#line 7
+category c440;
+#line 7
+category c441;
+#line 7
+category c442;
+#line 7
+category c443;
+#line 7
+category c444;
+#line 7
+category c445;
+#line 7
+category c446;
+#line 7
+category c447;
+#line 7
+category c448;
+#line 7
+category c449;
+#line 7
+category c450;
+#line 7
+category c451;
+#line 7
+category c452;
+#line 7
+category c453;
+#line 7
+category c454;
+#line 7
+category c455;
+#line 7
+category c456;
+#line 7
+category c457;
+#line 7
+category c458;
+#line 7
+category c459;
+#line 7
+category c460;
+#line 7
+category c461;
+#line 7
+category c462;
+#line 7
+category c463;
+#line 7
+category c464;
+#line 7
+category c465;
+#line 7
+category c466;
+#line 7
+category c467;
+#line 7
+category c468;
+#line 7
+category c469;
+#line 7
+category c470;
+#line 7
+category c471;
+#line 7
+category c472;
+#line 7
+category c473;
+#line 7
+category c474;
+#line 7
+category c475;
+#line 7
+category c476;
+#line 7
+category c477;
+#line 7
+category c478;
+#line 7
+category c479;
+#line 7
+category c480;
+#line 7
+category c481;
+#line 7
+category c482;
+#line 7
+category c483;
+#line 7
+category c484;
+#line 7
+category c485;
+#line 7
+category c486;
+#line 7
+category c487;
+#line 7
+category c488;
+#line 7
+category c489;
+#line 7
+category c490;
+#line 7
+category c491;
+#line 7
+category c492;
+#line 7
+category c493;
+#line 7
+category c494;
+#line 7
+category c495;
+#line 7
+category c496;
+#line 7
+category c497;
+#line 7
+category c498;
+#line 7
+category c499;
+#line 7
+category c500;
+#line 7
+category c501;
+#line 7
+category c502;
+#line 7
+category c503;
+#line 7
+category c504;
+#line 7
+category c505;
+#line 7
+category c506;
+#line 7
+category c507;
+#line 7
+category c508;
+#line 7
+category c509;
+#line 7
+category c510;
+#line 7
+category c511;
+#line 7
+category c512;
+#line 7
+category c513;
+#line 7
+category c514;
+#line 7
+category c515;
+#line 7
+category c516;
+#line 7
+category c517;
+#line 7
+category c518;
+#line 7
+category c519;
+#line 7
+category c520;
+#line 7
+category c521;
+#line 7
+category c522;
+#line 7
+category c523;
+#line 7
+category c524;
+#line 7
+category c525;
+#line 7
+category c526;
+#line 7
+category c527;
+#line 7
+category c528;
+#line 7
+category c529;
+#line 7
+category c530;
+#line 7
+category c531;
+#line 7
+category c532;
+#line 7
+category c533;
+#line 7
+category c534;
+#line 7
+category c535;
+#line 7
+category c536;
+#line 7
+category c537;
+#line 7
+category c538;
+#line 7
+category c539;
+#line 7
+category c540;
+#line 7
+category c541;
+#line 7
+category c542;
+#line 7
+category c543;
+#line 7
+category c544;
+#line 7
+category c545;
+#line 7
+category c546;
+#line 7
+category c547;
+#line 7
+category c548;
+#line 7
+category c549;
+#line 7
+category c550;
+#line 7
+category c551;
+#line 7
+category c552;
+#line 7
+category c553;
+#line 7
+category c554;
+#line 7
+category c555;
+#line 7
+category c556;
+#line 7
+category c557;
+#line 7
+category c558;
+#line 7
+category c559;
+#line 7
+category c560;
+#line 7
+category c561;
+#line 7
+category c562;
+#line 7
+category c563;
+#line 7
+category c564;
+#line 7
+category c565;
+#line 7
+category c566;
+#line 7
+category c567;
+#line 7
+category c568;
+#line 7
+category c569;
+#line 7
+category c570;
+#line 7
+category c571;
+#line 7
+category c572;
+#line 7
+category c573;
+#line 7
+category c574;
+#line 7
+category c575;
+#line 7
+category c576;
+#line 7
+category c577;
+#line 7
+category c578;
+#line 7
+category c579;
+#line 7
+category c580;
+#line 7
+category c581;
+#line 7
+category c582;
+#line 7
+category c583;
+#line 7
+category c584;
+#line 7
+category c585;
+#line 7
+category c586;
+#line 7
+category c587;
+#line 7
+category c588;
+#line 7
+category c589;
+#line 7
+category c590;
+#line 7
+category c591;
+#line 7
+category c592;
+#line 7
+category c593;
+#line 7
+category c594;
+#line 7
+category c595;
+#line 7
+category c596;
+#line 7
+category c597;
+#line 7
+category c598;
+#line 7
+category c599;
+#line 7
+category c600;
+#line 7
+category c601;
+#line 7
+category c602;
+#line 7
+category c603;
+#line 7
+category c604;
+#line 7
+category c605;
+#line 7
+category c606;
+#line 7
+category c607;
+#line 7
+category c608;
+#line 7
+category c609;
+#line 7
+category c610;
+#line 7
+category c611;
+#line 7
+category c612;
+#line 7
+category c613;
+#line 7
+category c614;
+#line 7
+category c615;
+#line 7
+category c616;
+#line 7
+category c617;
+#line 7
+category c618;
+#line 7
+category c619;
+#line 7
+category c620;
+#line 7
+category c621;
+#line 7
+category c622;
+#line 7
+category c623;
+#line 7
+category c624;
+#line 7
+category c625;
+#line 7
+category c626;
+#line 7
+category c627;
+#line 7
+category c628;
+#line 7
+category c629;
+#line 7
+category c630;
+#line 7
+category c631;
+#line 7
+category c632;
+#line 7
+category c633;
+#line 7
+category c634;
+#line 7
+category c635;
+#line 7
+category c636;
+#line 7
+category c637;
+#line 7
+category c638;
+#line 7
+category c639;
+#line 7
+category c640;
+#line 7
+category c641;
+#line 7
+category c642;
+#line 7
+category c643;
+#line 7
+category c644;
+#line 7
+category c645;
+#line 7
+category c646;
+#line 7
+category c647;
+#line 7
+category c648;
+#line 7
+category c649;
+#line 7
+category c650;
+#line 7
+category c651;
+#line 7
+category c652;
+#line 7
+category c653;
+#line 7
+category c654;
+#line 7
+category c655;
+#line 7
+category c656;
+#line 7
+category c657;
+#line 7
+category c658;
+#line 7
+category c659;
+#line 7
+category c660;
+#line 7
+category c661;
+#line 7
+category c662;
+#line 7
+category c663;
+#line 7
+category c664;
+#line 7
+category c665;
+#line 7
+category c666;
+#line 7
+category c667;
+#line 7
+category c668;
+#line 7
+category c669;
+#line 7
+category c670;
+#line 7
+category c671;
+#line 7
+category c672;
+#line 7
+category c673;
+#line 7
+category c674;
+#line 7
+category c675;
+#line 7
+category c676;
+#line 7
+category c677;
+#line 7
+category c678;
+#line 7
+category c679;
+#line 7
+category c680;
+#line 7
+category c681;
+#line 7
+category c682;
+#line 7
+category c683;
+#line 7
+category c684;
+#line 7
+category c685;
+#line 7
+category c686;
+#line 7
+category c687;
+#line 7
+category c688;
+#line 7
+category c689;
+#line 7
+category c690;
+#line 7
+category c691;
+#line 7
+category c692;
+#line 7
+category c693;
+#line 7
+category c694;
+#line 7
+category c695;
+#line 7
+category c696;
+#line 7
+category c697;
+#line 7
+category c698;
+#line 7
+category c699;
+#line 7
+category c700;
+#line 7
+category c701;
+#line 7
+category c702;
+#line 7
+category c703;
+#line 7
+category c704;
+#line 7
+category c705;
+#line 7
+category c706;
+#line 7
+category c707;
+#line 7
+category c708;
+#line 7
+category c709;
+#line 7
+category c710;
+#line 7
+category c711;
+#line 7
+category c712;
+#line 7
+category c713;
+#line 7
+category c714;
+#line 7
+category c715;
+#line 7
+category c716;
+#line 7
+category c717;
+#line 7
+category c718;
+#line 7
+category c719;
+#line 7
+category c720;
+#line 7
+category c721;
+#line 7
+category c722;
+#line 7
+category c723;
+#line 7
+category c724;
+#line 7
+category c725;
+#line 7
+category c726;
+#line 7
+category c727;
+#line 7
+category c728;
+#line 7
+category c729;
+#line 7
+category c730;
+#line 7
+category c731;
+#line 7
+category c732;
+#line 7
+category c733;
+#line 7
+category c734;
+#line 7
+category c735;
+#line 7
+category c736;
+#line 7
+category c737;
+#line 7
+category c738;
+#line 7
+category c739;
+#line 7
+category c740;
+#line 7
+category c741;
+#line 7
+category c742;
+#line 7
+category c743;
+#line 7
+category c744;
+#line 7
+category c745;
+#line 7
+category c746;
+#line 7
+category c747;
+#line 7
+category c748;
+#line 7
+category c749;
+#line 7
+category c750;
+#line 7
+category c751;
+#line 7
+category c752;
+#line 7
+category c753;
+#line 7
+category c754;
+#line 7
+category c755;
+#line 7
+category c756;
+#line 7
+category c757;
+#line 7
+category c758;
+#line 7
+category c759;
+#line 7
+category c760;
+#line 7
+category c761;
+#line 7
+category c762;
+#line 7
+category c763;
+#line 7
+category c764;
+#line 7
+category c765;
+#line 7
+category c766;
+#line 7
+category c767;
+#line 7
+category c768;
+#line 7
+category c769;
+#line 7
+category c770;
+#line 7
+category c771;
+#line 7
+category c772;
+#line 7
+category c773;
+#line 7
+category c774;
+#line 7
+category c775;
+#line 7
+category c776;
+#line 7
+category c777;
+#line 7
+category c778;
+#line 7
+category c779;
+#line 7
+category c780;
+#line 7
+category c781;
+#line 7
+category c782;
+#line 7
+category c783;
+#line 7
+category c784;
+#line 7
+category c785;
+#line 7
+category c786;
+#line 7
+category c787;
+#line 7
+category c788;
+#line 7
+category c789;
+#line 7
+category c790;
+#line 7
+category c791;
+#line 7
+category c792;
+#line 7
+category c793;
+#line 7
+category c794;
+#line 7
+category c795;
+#line 7
+category c796;
+#line 7
+category c797;
+#line 7
+category c798;
+#line 7
+category c799;
+#line 7
+category c800;
+#line 7
+category c801;
+#line 7
+category c802;
+#line 7
+category c803;
+#line 7
+category c804;
+#line 7
+category c805;
+#line 7
+category c806;
+#line 7
+category c807;
+#line 7
+category c808;
+#line 7
+category c809;
+#line 7
+category c810;
+#line 7
+category c811;
+#line 7
+category c812;
+#line 7
+category c813;
+#line 7
+category c814;
+#line 7
+category c815;
+#line 7
+category c816;
+#line 7
+category c817;
+#line 7
+category c818;
+#line 7
+category c819;
+#line 7
+category c820;
+#line 7
+category c821;
+#line 7
+category c822;
+#line 7
+category c823;
+#line 7
+category c824;
+#line 7
+category c825;
+#line 7
+category c826;
+#line 7
+category c827;
+#line 7
+category c828;
+#line 7
+category c829;
+#line 7
+category c830;
+#line 7
+category c831;
+#line 7
+category c832;
+#line 7
+category c833;
+#line 7
+category c834;
+#line 7
+category c835;
+#line 7
+category c836;
+#line 7
+category c837;
+#line 7
+category c838;
+#line 7
+category c839;
+#line 7
+category c840;
+#line 7
+category c841;
+#line 7
+category c842;
+#line 7
+category c843;
+#line 7
+category c844;
+#line 7
+category c845;
+#line 7
+category c846;
+#line 7
+category c847;
+#line 7
+category c848;
+#line 7
+category c849;
+#line 7
+category c850;
+#line 7
+category c851;
+#line 7
+category c852;
+#line 7
+category c853;
+#line 7
+category c854;
+#line 7
+category c855;
+#line 7
+category c856;
+#line 7
+category c857;
+#line 7
+category c858;
+#line 7
+category c859;
+#line 7
+category c860;
+#line 7
+category c861;
+#line 7
+category c862;
+#line 7
+category c863;
+#line 7
+category c864;
+#line 7
+category c865;
+#line 7
+category c866;
+#line 7
+category c867;
+#line 7
+category c868;
+#line 7
+category c869;
+#line 7
+category c870;
+#line 7
+category c871;
+#line 7
+category c872;
+#line 7
+category c873;
+#line 7
+category c874;
+#line 7
+category c875;
+#line 7
+category c876;
+#line 7
+category c877;
+#line 7
+category c878;
+#line 7
+category c879;
+#line 7
+category c880;
+#line 7
+category c881;
+#line 7
+category c882;
+#line 7
+category c883;
+#line 7
+category c884;
+#line 7
+category c885;
+#line 7
+category c886;
+#line 7
+category c887;
+#line 7
+category c888;
+#line 7
+category c889;
+#line 7
+category c890;
+#line 7
+category c891;
+#line 7
+category c892;
+#line 7
+category c893;
+#line 7
+category c894;
+#line 7
+category c895;
+#line 7
+category c896;
+#line 7
+category c897;
+#line 7
+category c898;
+#line 7
+category c899;
+#line 7
+category c900;
+#line 7
+category c901;
+#line 7
+category c902;
+#line 7
+category c903;
+#line 7
+category c904;
+#line 7
+category c905;
+#line 7
+category c906;
+#line 7
+category c907;
+#line 7
+category c908;
+#line 7
+category c909;
+#line 7
+category c910;
+#line 7
+category c911;
+#line 7
+category c912;
+#line 7
+category c913;
+#line 7
+category c914;
+#line 7
+category c915;
+#line 7
+category c916;
+#line 7
+category c917;
+#line 7
+category c918;
+#line 7
+category c919;
+#line 7
+category c920;
+#line 7
+category c921;
+#line 7
+category c922;
+#line 7
+category c923;
+#line 7
+category c924;
+#line 7
+category c925;
+#line 7
+category c926;
+#line 7
+category c927;
+#line 7
+category c928;
+#line 7
+category c929;
+#line 7
+category c930;
+#line 7
+category c931;
+#line 7
+category c932;
+#line 7
+category c933;
+#line 7
+category c934;
+#line 7
+category c935;
+#line 7
+category c936;
+#line 7
+category c937;
+#line 7
+category c938;
+#line 7
+category c939;
+#line 7
+category c940;
+#line 7
+category c941;
+#line 7
+category c942;
+#line 7
+category c943;
+#line 7
+category c944;
+#line 7
+category c945;
+#line 7
+category c946;
+#line 7
+category c947;
+#line 7
+category c948;
+#line 7
+category c949;
+#line 7
+category c950;
+#line 7
+category c951;
+#line 7
+category c952;
+#line 7
+category c953;
+#line 7
+category c954;
+#line 7
+category c955;
+#line 7
+category c956;
+#line 7
+category c957;
+#line 7
+category c958;
+#line 7
+category c959;
+#line 7
+category c960;
+#line 7
+category c961;
+#line 7
+category c962;
+#line 7
+category c963;
+#line 7
+category c964;
+#line 7
+category c965;
+#line 7
+category c966;
+#line 7
+category c967;
+#line 7
+category c968;
+#line 7
+category c969;
+#line 7
+category c970;
+#line 7
+category c971;
+#line 7
+category c972;
+#line 7
+category c973;
+#line 7
+category c974;
+#line 7
+category c975;
+#line 7
+category c976;
+#line 7
+category c977;
+#line 7
+category c978;
+#line 7
+category c979;
+#line 7
+category c980;
+#line 7
+category c981;
+#line 7
+category c982;
+#line 7
+category c983;
+#line 7
+category c984;
+#line 7
+category c985;
+#line 7
+category c986;
+#line 7
+category c987;
+#line 7
+category c988;
+#line 7
+category c989;
+#line 7
+category c990;
+#line 7
+category c991;
+#line 7
+category c992;
+#line 7
+category c993;
+#line 7
+category c994;
+#line 7
+category c995;
+#line 7
+category c996;
+#line 7
+category c997;
+#line 7
+category c998;
+#line 7
+category c999;
+#line 7
+category c1000;
+#line 7
+category c1001;
+#line 7
+category c1002;
+#line 7
+category c1003;
+#line 7
+category c1004;
+#line 7
+category c1005;
+#line 7
+category c1006;
+#line 7
+category c1007;
+#line 7
+category c1008;
+#line 7
+category c1009;
+#line 7
+category c1010;
+#line 7
+category c1011;
+#line 7
+category c1012;
+#line 7
+category c1013;
+#line 7
+category c1014;
+#line 7
+category c1015;
+#line 7
+category c1016;
+#line 7
+category c1017;
+#line 7
+category c1018;
+#line 7
+category c1019;
+#line 7
+category c1020;
+#line 7
+category c1021;
+#line 7
+category c1022;
+#line 7
+category c1023;
+#line 7
+
+
+# Generate level definitions for each sensitivity and category.
+level s0:c0.c1023;
+#line 10
+
+######################################
+# Attribute declarations
+#
+
+# All types used for processes.
+attribute domain;
+
+# Domains that are allowed all permissions ("unconfined").
+attribute unconfineddomain;
+
+# All domains used for apps.
+attribute appdomain;
+
+# All types used for files that can exist on a labeled fs.
+# Do not use for pseudo file types.
+attribute file_type;
+
+# All types used for domain entry points.
+attribute exec_type;
+
+#line 1 "external/sepolicy/bluetooth.te"
+# bluetooth subsystem
+type bluetooth, domain;
+permissive bluetooth;
+
+#line 4
+typeattribute bluetooth appdomain;
+
+#line 5
+typeattribute bluetooth unconfineddomain;
+#line 5
+
+#line 1 "external/sepolicy/healthd.te"
+# healthd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type healthd, domain;
+permissive healthd;
+type healthd_exec, exec_type, file_type;
+
+# New domain is entered by executing the file.
+#line 7
+allow healthd healthd_exec:file { entrypoint read execute };
+
+###
+### Neverallow rules
+###
+### These are things that Android apps should NEVER be able to do
+###
+
+# Superuser capabilities.
+# bluetooth requires net_admin.
+neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
+
+# Added to make the neverallow rule make sense in a limited environment.
+# Added at the bottom to not throw off file seek numbers in test suite.  
+# This is not a problem, because allow rules are processed after all types
+# are gathered.
+type testTYPE, appdomain, domain;
+
+# added rules for further testing (display full range of needed functionality)
+allow unconfineddomain {fs_type dev_type file_type}:{ chr_file file } ~{entrypoint relabelto};
+
+allow init {fs_type dev_type file_type}:{ dir { { chr_file blk_file } { file lnk_file sock_file fifo_file } } } relabelto;
+
+neverallow { appdomain -unconfineddomain } {
+    audio_device
+    camera_device
+    dm_device
+    radio_device
+    gps_device
+    rpmsg_device
+}:chr_file { read write };
\ No newline at end of file
diff --git a/SELinux/CTS/test/testrunner.py b/SELinux/CTS/test/testrunner.py
new file mode 100755
index 0000000..bc424e9
--- /dev/null
+++ b/SELinux/CTS/test/testrunner.py
@@ -0,0 +1,442 @@
+#!/usr/bin/python
+import sys
+sys.path.append('../src')
+import unittest
+import SELinux_CTS
+from SELinux_CTS import SELinuxPolicy
+
+policy_file_name = 'policy_test.conf'
+types = set([
+        'bluetooth',
+        'healthd',
+        'healthd_exec',
+        'testTYPE' ])  #testTYPE added for neverallow rule to make sense
+attributes = {
+    'domain': set(['bluetooth', 'healthd', 'testTYPE']),
+    'unconfineddomain': set(['bluetooth']),
+    'appdomain': set(['bluetooth', 'testTYPE']),
+    'file_type': set(['healthd_exec']),
+    'exec_type': set(['healthd_exec']) }
+common_classes = {
+    'file': set([
+            'ioctl',
+            'read',
+            'write',
+            'create',
+            'getattr',
+            'setattr',
+            'lock',
+            'relabelfrom',
+            'relabelto',
+            'append',
+            'unlink',
+            'link',
+            'rename',
+            'execute',
+            'swapon',
+            'quotaon',
+            'mounton' ]) }
+classes = {
+    'capability': set([
+            'chown',
+            'dac_override',
+            'dac_read_search',
+            'fowner',
+            'fsetid',
+            'kill',
+            'setgid',
+            'setuid',
+            'setpcap',
+            'linux_immutable',
+            'net_bind_service',
+            'net_broadcast',
+            'net_admin',
+            'net_raw',
+            'ipc_lock',
+            'ipc_owner',
+            'sys_module',
+            'sys_rawio',
+            'sys_chroot',
+            'sys_ptrace',
+            'sys_pacct',
+            'sys_admin',
+            'sys_boot',
+            'sys_nice',
+            'sys_resource',
+            'sys_time',
+            'sys_tty_config',
+            'mknod',
+            'lease',
+            'audit_write',
+            'audit_control',
+            'setfcap' ]),
+    'file': (set([
+                'execute_no_trans',
+                'entrypoint',
+                'execmod',
+                'open',
+                'audit_access' ]) | common_classes['file']) }
+
+# allow healthd healthd_exec:file { entrypoint read execute };
+allow_rules = [
+    { 'source_types': {
+        'set': set([
+                'healthd']),
+        'flags': { 'complement': False } },
+      'target_types': {
+        'set': set([
+                'healthd_exec']),
+        'flags': { 'complement': False } },
+      'classes': {
+        'set': set([
+                'file']),
+        'flags': { 'complement': False } },
+      'permissions': {
+        'set': set([
+                'entrypoint',
+                'read',
+                'execute' ]),
+        'flags': { 'complement': False } } } ]
+
+# neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
+neverallow_rules = [
+    { 'source_types': {
+        'set': set([
+                'appdomain',
+                '-unconfineddomain',
+                '-bluetooth' ]),
+        'flags': { 'complement': False } },
+      'target_types': {
+        'set': set([
+                'self']),
+        'flags': { 'complement': False } },
+      'classes': {
+        'set': set([
+                'capability']),
+        'flags': { 'complement': False } },
+      'permissions': {
+        'set': set([
+                '*' ]),
+        'flags': { 'complement': False } } } ]
+
+expected_final_allow_list = [
+        [ ('healthd', 'healthd_exec', 'file', 'entrypoint'),
+                ('healthd', 'healthd_exec', 'file', 'read'),
+                ('healthd', 'healthd_exec', 'file', 'execute') ] ]
+
+expected_final_neverallow_list = [
+        [ ('testTYPE', 'testTYPE', 'capability', 'chown'),
+                ('testTYPE', 'testTYPE', 'capability', 'dac_override'),
+                ('testTYPE', 'testTYPE', 'capability', 'dac_read_search'),
+                ('testTYPE', 'testTYPE', 'capability', 'fowner'),
+                ('testTYPE', 'testTYPE', 'capability', 'fsetid'),
+                ('testTYPE', 'testTYPE', 'capability', 'kill'),
+                ('testTYPE', 'testTYPE', 'capability', 'setgid'),
+                ('testTYPE', 'testTYPE', 'capability', 'setuid'),
+                ('testTYPE', 'testTYPE', 'capability', 'setpcap'),
+                ('testTYPE', 'testTYPE', 'capability', 'linux_immutable'),
+                ('testTYPE', 'testTYPE', 'capability', 'net_bind_service'),
+                ('testTYPE', 'testTYPE', 'capability', 'net_broadcast'),
+                ('testTYPE', 'testTYPE', 'capability', 'net_admin'),
+                ('testTYPE', 'testTYPE', 'capability', 'net_raw'),
+                ('testTYPE', 'testTYPE', 'capability', 'ipc_lock'),
+                ('testTYPE', 'testTYPE', 'capability', 'ipc_owner'),
+                ('testTYPE', 'testTYPE', 'capability', 'sys_module'),
+                ('testTYPE', 'testTYPE', 'capability', 'sys_rawio'),
+                ('testTYPE', 'testTYPE', 'capability', 'sys_chroot'),
+                ('testTYPE', 'testTYPE', 'capability', 'sys_ptrace'),
+                ('testTYPE', 'testTYPE', 'capability', 'sys_pacct'),
+                ('testTYPE', 'testTYPE', 'capability', 'sys_admin'),
+                ('testTYPE', 'testTYPE', 'capability', 'sys_boot'),
+                ('testTYPE', 'testTYPE', 'capability', 'sys_nice'),
+                ('testTYPE', 'testTYPE', 'capability', 'sys_resource'),
+                ('testTYPE', 'testTYPE', 'capability', 'sys_time'),
+                ('testTYPE', 'testTYPE', 'capability', 'sys_tty_config'),
+                ('testTYPE', 'testTYPE', 'capability', 'mknod'),
+                ('testTYPE', 'testTYPE', 'capability', 'lease'),
+                ('testTYPE', 'testTYPE', 'capability', 'audit_write'),
+                ('testTYPE', 'testTYPE', 'capability', 'audit_control'),
+                ('testTYPE', 'testTYPE', 'capability', 'setfcap') ] ]
+
+
+class SELinuxPolicyTests(unittest.TestCase):
+
+
+    def setUp(self):
+        self.test_policy = SELinuxPolicy()
+        self.test_file = open(policy_file_name, 'r')
+        self.test_policy.types = types
+        self.test_policy.attributes = attributes
+        self.test_policy.common_classes = common_classes
+        self.test_policy.classes = classes
+        self.test_policy.allow_rules = allow_rules
+        self.test_policy.neverallow_rules = neverallow_rules
+        return
+
+    def testExpandAvcRule(self):
+        #TODO: add more examples here to cover different cases
+        expanded_allow_list = SELinux_CTS.expand_avc_rule(self.test_policy, self.test_policy.allow_rules[0])
+        for a in expected_final_allow_list[0]:
+            self.failUnless(a in expanded_allow_list)
+        expanded_neverallow_list = SELinux_CTS.expand_avc_rule(self.test_policy, self.test_policy.neverallow_rules[0])
+        for n in expected_final_neverallow_list[0]:
+            self.failUnless(n in expanded_neverallow_list)
+
+    def testExpandBrackets(self):
+        #test position without bracket:
+        self.test_file.seek(279)
+        self.failIf(SELinux_CTS.expand_brackets(self.test_file))
+
+        #test position with bracket:
+        self.test_file.seek(26123)
+        self.failUnless(SELinux_CTS.expand_brackets(self.test_file) == " entrypoint read execute ")
+
+        #test position with nested brackets:
+        self.test_file.seek(26873)
+        self.failUnless(SELinux_CTS.expand_brackets(self.test_file)
+               == " dir   chr_file blk_file   file lnk_file sock_file fifo_file   ")
+
+    def testGetAvcRuleComponent(self):
+        #test against normal ('allow healthd healthd_exec:file ...)
+        self.test_file.seek(26096)
+        normal_src = { 'flags': { 'complement': False },
+                'set': set(['healthd']) }
+        normal_tgt = { 'flags': { 'complement': False },
+                'set': set(['healthd_exec']) }
+        normal_class = { 'flags': { 'complement': False },
+                'set': set(['file']) }
+        normal_perm = { 'flags': { 'complement': False },
+                'set': set(['entrypoint', 'read', 'execute']) }
+        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+            == normal_src)
+        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+            == normal_tgt)
+        c = SELinux_CTS.advance_past_whitespace(self.test_file)
+        if c == ':':
+            self.test_file.read(1)
+        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+            == normal_class)
+        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+            == normal_perm)
+
+        #test against 'hard' ('init {fs_type  ...' )
+        self.test_file.seek(26838)
+        hard_src = { 'flags': { 'complement': False },
+                'set': set(['init']) }
+        hard_tgt = { 'flags': { 'complement': False },
+                'set': set(['fs_type', 'dev_type', 'file_type']) }
+        hard_class = { 'flags': { 'complement': False },
+                'set': set(['dir', 'chr_file', 'blk_file', 'file', 'lnk_file', 'sock_file', 'fifo_file']) }
+        hard_perm = { 'flags': { 'complement': False },
+                'set': set(['relabelto']) }
+        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+            == hard_src)
+        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+            == hard_tgt)
+        #mimic ':' check:
+        c = SELinux_CTS.advance_past_whitespace(self.test_file)
+        if c == ':':
+            self.test_file.read(1)
+        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+            == hard_class)
+        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+            == hard_perm)
+
+        #test against 'multi-line' ('init {fs_type  ...' )
+        self.test_file.seek(26967)
+        multi_src = { 'flags': { 'complement': False },
+                'set': set(['appdomain', '-unconfineddomain']) }
+        multi_tgt = { 'flags': { 'complement': False },
+                'set': set(['audio_device', 'camera_device', 'dm_device', 'radio_device', 'gps_device', 'rpmsg_device']) }
+        multi_class = { 'flags': { 'complement': False },
+                'set': set(['chr_file']) }
+        multi_perm = { 'flags': { 'complement': False },
+                'set': set(['read', 'write']) }
+        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+            == multi_src)
+        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+            == multi_tgt)
+        c = SELinux_CTS.advance_past_whitespace(self.test_file)
+        if c == ':':
+            self.test_file.read(1)
+        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+            == multi_class)
+        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+            == multi_perm)
+
+        #test against 'complement'
+        self.test_file.seek(26806)
+        complement = { 'flags': { 'complement': True },
+                'set': set(['entrypoint', 'relabelto']) }
+        self.failUnless(SELinux_CTS.get_avc_rule_component(self.test_file)
+            == complement)
+
+    def testGetLineType(self):
+        self.failUnless(SELinux_CTS.get_line_type('type bluetooth, domain;')
+                == SELinux_CTS.TYPE)
+        self.failUnless(SELinux_CTS.get_line_type('attribute unconfineddomain;')
+                == SELinux_CTS.ATTRIBUTE)
+        self.failUnless(SELinux_CTS.get_line_type('typeattribute bluetooth appdomain;')
+                == SELinux_CTS.TYPEATTRIBUTE)
+        self.failUnless(SELinux_CTS.get_line_type('class file')
+                == SELinux_CTS.CLASS)
+        self.failUnless(SELinux_CTS.get_line_type('common file')
+                == SELinux_CTS.COMMON)
+        self.failUnless(SELinux_CTS.get_line_type('allow healthd healthd_exec:file { entrypoint read execute };')
+                == SELinux_CTS.ALLOW_RULE)
+        self.failUnless(SELinux_CTS.get_line_type('neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;')
+                == SELinux_CTS.NEVERALLOW_RULE)
+        self.failUnless(SELinux_CTS.get_line_type('# FLASK')
+                == SELinux_CTS.OTHER)
+
+    def testIsMultiLine(self):
+        self.failIf(SELinux_CTS.is_multi_line(SELinux_CTS.TYPE))
+        self.failIf(SELinux_CTS.is_multi_line(SELinux_CTS.ATTRIBUTE))
+        self.failIf(SELinux_CTS.is_multi_line(SELinux_CTS.TYPEATTRIBUTE))
+        self.failUnless(SELinux_CTS.is_multi_line(SELinux_CTS.CLASS))
+        self.failUnless(SELinux_CTS.is_multi_line(SELinux_CTS.COMMON))
+        self.failUnless(SELinux_CTS.is_multi_line(SELinux_CTS.ALLOW_RULE))
+        self.failUnless(SELinux_CTS.is_multi_line(SELinux_CTS.NEVERALLOW_RULE))
+        self.failIf(SELinux_CTS.is_multi_line(SELinux_CTS.OTHER))
+
+    def testProcessInheritsSegment(self):
+        inherit_offset = 448 # needs changing if file changes
+        self.test_file.seek(inherit_offset, 0)
+        inherit_result = SELinux_CTS.process_inherits_segment(self.test_file)
+        self.failUnless(inherit_result == 'file')
+        return
+
+    def testFromFileName(self):
+        #using a special file, since the test_file has some lines which don't 'jive'
+        clean_policy_file = 'policy_clean_test.conf'
+        from_file_policy = SELinuxPolicy()
+        from_file_policy.from_file_name(clean_policy_file)
+        self.failUnless(from_file_policy.types == self.test_policy.types)
+        self.failUnless(from_file_policy.attributes == self.test_policy.attributes)
+        self.failUnless(from_file_policy.classes == self.test_policy.classes)
+        self.failUnless(from_file_policy.common_classes == self.test_policy.common_classes)
+        self.failUnless(from_file_policy.allow_rules == self.test_policy.allow_rules)
+        self.failUnless(from_file_policy.neverallow_rules == self.test_policy.neverallow_rules)
+
+    def testExpandPermissions(self):
+        #test general case
+        test_class_obj = 'file'
+        general_set = set(['read', 'write', 'execute'])
+        expanded_general_set = general_set
+        self.failUnless(self.test_policy.expand_permissions(test_class_obj, general_set)
+                == general_set)
+        star_set = set(['*'])
+        expanded_star_set = self.test_policy.classes['file'] #everything in the class
+        self.failUnless(self.test_policy.expand_permissions(test_class_obj, star_set)
+                == expanded_star_set)
+        complement_set = set(['*', '-open'])
+        expanded_complement_set = self.test_policy.classes['file'] - set(['open'])
+        self.failUnless(self.test_policy.expand_permissions(test_class_obj, complement_set)
+                == expanded_complement_set)
+
+    def testExpandTypes(self):
+
+        #test general case and '-' handling
+        test_source_set = set([
+                'domain',
+                '-bluetooth' ])
+        expanded_test_source_set = set([
+                'healthd', 'testTYPE' ])
+        self.failUnless(self.test_policy.expand_types(test_source_set) == expanded_test_source_set)
+
+        #test '*' handling
+        test_source_set = set([ '*' ])
+        expanded_test_source_set = set([
+                'bluetooth', 'healthd', 'testTYPE' ])
+        self.failUnless(self.test_policy.expand_types(test_source_set) == types)
+        #test - handling
+        test_source_set = set([
+                '*',
+                '-bluetooth'])
+        expanded_test_source_set = set([
+                'healthd', 'healthd_exec', 'testTYPE' ])
+        self.failUnless(self.test_policy.expand_types(test_source_set) == expanded_test_source_set)
+
+    def testProcessAttributeLine(self):
+        attribute_policy = SELinuxPolicy()
+        #test with 'normal input'
+        test_normal_string = 'attribute TEST_att;'
+        test_attribute = 'TEST_att'
+        attribute_policy.process_attribute_line(test_normal_string)
+        self.failUnless( test_attribute in attribute_policy.attributes)
+        #TODO: test on bogus inputs
+
+    def testProcessClassLine(self):
+        class_policy = SELinuxPolicy()
+        #offsets need changing if test file changes
+        common_offset  = 279
+        class_initial_offset  = 212
+        class_perm_offset = 437
+        self.test_file.seek(common_offset, 0)
+        line = self.test_file.readline()
+        class_policy.process_common_line(line, self.test_file)
+        self.test_file.seek(class_initial_offset, 0)
+        line = self.test_file.readline()
+        class_policy.process_class_line(line, self.test_file)
+        self.failUnless('file' in class_policy.classes)
+        self.test_file.seek(class_perm_offset, 0)
+        line = self.test_file.readline()
+        class_policy.process_class_line(line, self.test_file)
+        self.failUnless(class_policy.classes['file'] == classes['file'])
+
+    def testProcessCommonLine(self):
+        common_policy = SELinuxPolicy()
+        common_offset  = 279 # needs changing if file changes
+        self.test_file.seek(common_offset, 0)
+        line = self.test_file.readline()
+        common_policy.process_common_line(line, self.test_file)
+        self.failUnless('file' in common_policy.common_classes )
+        self.failUnless(common_policy.common_classes['file'] == common_classes['file'])
+
+    def testProcessAvcRuleLine(self):
+        avc_policy = SELinuxPolicy()
+        allow_offset  =  26091 # needs changing if file changes
+        neverallow_offset  = 26311  # needs changing if file changes
+        self.test_file.seek(allow_offset, 0)
+        line = self.test_file.readline()
+        avc_policy.process_avc_rule_line(line, self.test_file)
+        self.failUnless(avc_policy.allow_rules[0] == allow_rules[0] ) # always '0'?
+        self.test_file.seek(neverallow_offset, 0)
+        line = self.test_file.readline()
+        avc_policy.process_avc_rule_line(line, self.test_file)
+        self.failUnless(avc_policy.neverallow_rules[0] == neverallow_rules[0] ) # always '0'?
+
+    def testProcessTypeLine(self):
+        type_policy = SELinuxPolicy()
+        test_normal_string = 'type TEST_type, TEST_att1, TEST_att2;'
+        test_type = 'TEST_type'
+        test_atts = ['TEST_att1', 'TEST_att2']
+        #test with 'normal input'
+        type_policy.process_type_line(test_normal_string)
+        self.failUnless(test_type in type_policy.types)
+        for a in test_atts:
+            self.failUnless(a in type_policy.attributes)
+            self.failUnless(test_type in type_policy.attributes[a])
+        #TODO: test with domain only, no attributes
+        # and test on bogus inputs
+
+    def testProcessTypeattributeLine(self):
+        typ_att_policy = SELinuxPolicy()
+        test_normal_string = 'typeattribute TEST_type TEST_att1, TEST_att2;'
+        test_type = 'TEST_type'
+        test_atts = ['TEST_att1', 'TEST_att2']
+        #test with 'normal input' (type should already be declared)
+        typ_att_policy.process_type_line('type ' + test_type + ';')
+        typ_att_policy.process_typeattribute_line(test_normal_string)
+        self.failUnless(test_type in typ_att_policy.types)
+        for a in test_atts:
+            self.failUnless(a in typ_att_policy.attributes)
+            self.failUnless(test_type in typ_att_policy.attributes[a])
+        #TODO: test with domain only, no attributes
+        # and test on bogus inputs
+
+def main():
+    unittest.main()
+
+if __name__ == '__main__':
+    main()