Leave minimal sepolicy for microdroid

Steps taken:

1) Grab remaining types in contexts files.
2) Leave such types and remove all other types.
3) Set attributes, according to system/etc/selinux/plat_sepolicy.cil.
4) Repeat booting and adding missing types, rules, and attributes.
5) Organize types and allow rules.

Bug: 191131624
Test: atest MicrodroidHostTestCases
Change-Id: I1302701f67e61795474c667e8e6094d67912eea0
diff --git a/microdroid/sepolicy/system/public/file.te b/microdroid/sepolicy/system/public/file.te
index 20348b5..67d5068 100644
--- a/microdroid/sepolicy/system/public/file.te
+++ b/microdroid/sepolicy/system/public/file.te
@@ -1,24 +1,92 @@
-# Filesystem types
-type labeledfs, fs_type;
-type pipefs, fs_type;
-type sockfs, fs_type;
-type rootfs, fs_type;
-type proc, fs_type, proc_type;
+type system_linker_exec, file_type, system_file_type;
+
+# file types
+type adbd_socket, file_type, coredomain_socket;
+type apc_service, service_manager_type;
+type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type apex_info_file, file_type;
+type apex_mnt_dir, file_type;
+type cgroup_desc_api_file, file_type, system_file_type;
+type cgroup_desc_file, file_type, system_file_type;
+type cgroup_rc_file, file_type;
+type file_contexts_file, file_type, system_file_type;
+type hwservice_contexts_file, file_type, system_file_type;
+type keystore2_key_contexts_file, file_type, system_file_type;
+type keystore_data_file, file_type, data_file_type, core_data_file_type;
+type linkerconfig_file, file_type;
+type logd_socket, file_type, mlstrustedobject, coredomain_socket;
+type logdr_socket, file_type, mlstrustedobject, coredomain_socket;
+type logdw_socket, file_type, mlstrustedobject, coredomain_socket;
+type mac_perms_file, file_type, system_file_type;
+type nativetest_data_file, file_type, data_file_type, core_data_file_type;
+type property_contexts_file, file_type, system_file_type;
+type property_socket, file_type, mlstrustedobject, coredomain_socket;
+type runtime_event_log_tags_file, file_type;
+type seapp_contexts_file, file_type, system_file_type;
+type sepolicy_file, file_type, system_file_type;
+type service_contexts_file, file_type, system_file_type;
+type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
+type shell_test_data_file, file_type, data_file_type, core_data_file_type;
+type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
+type system_bootstrap_lib_file, file_type, system_file_type;
+type system_data_file, file_type, data_file_type, core_data_file_type;
+type system_data_root_file, file_type, data_file_type, core_data_file_type;
+type system_event_log_tags_file, file_type, system_file_type;
+type system_file, file_type, system_file_type;
+type system_group_file, file_type, system_file_type;
+type system_lib_file, file_type, system_file_type;
+type system_linker_config_file, file_type, system_file_type;
+type system_passwd_file, file_type, system_file_type;
+type system_seccomp_policy_file, file_type, system_file_type;
+type system_security_cacerts_file, file_type, system_file_type;
+type task_profiles_api_file, file_type, system_file_type;
+type task_profiles_file, file_type, system_file_type;
+type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type tombstoned_crash_socket, file_type, mlstrustedobject, coredomain_socket;
+type tombstoned_intercept_socket, file_type, coredomain_socket;
+type tombstoned_java_trace_socket, file_type, mlstrustedobject;
+type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type unlabeled, file_type;
+type vendor_configs_file, file_type, vendor_file_type;
+type vendor_data_file, file_type, data_file_type;
+type vendor_file, file_type, vendor_file_type;
+type vendor_service_contexts_file, vendor_file_type, file_type;
+
+# file system types
 type binderfs, fs_type;
 type binderfs_logs, fs_type;
 type binderfs_logs_proc, fs_type;
-# Security-sensitive proc nodes that should not be writable to most.
-type proc_security, fs_type, proc_type;
-type proc_drop_caches, fs_type, proc_type;
-type proc_overcommit_memory, fs_type, proc_type;
-type proc_min_free_order_shift, fs_type, proc_type;
-type proc_kpageflags, fs_type, proc_type;
-# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
-type usermodehelper, fs_type, proc_type;
-type sysfs_usermodehelper, fs_type, sysfs_type;
-type proc_qtaguid_ctrl, fs_type, mlstrustedobject, proc_type;
-type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type;
-type proc_bluetooth_writable, fs_type, proc_type;
+type binfmt_miscfs, fs_type;
+type cgroup, fs_type, mlstrustedobject;
+type cgroup_v2, fs_type;
+type config_gz, fs_type, proc_type;
+type configfs, fs_type;
+type debugfs, fs_type, debugfs_type;
+type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_kcov, fs_type, debugfs_type;
+type debugfs_kprobes, fs_type, debugfs_type;
+type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_mmc, fs_type, debugfs_type;
+type debugfs_trace_marker, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
+type debugfs_tracing, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
+type debugfs_tracing_debug, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
+type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
+type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
+type debugfs_wakeup_sources, fs_type, debugfs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
+type devpts, fs_type, mlstrustedobject;
+type devtmpfs;
+type exfat, fs_type, sdcard_type, mlstrustedobject;
+type fs_bpf, fs_type;
+type fs_bpf_tethering, fs_type;
+type functionfs, fs_type, mlstrustedobject;
+type fuse, fs_type, fusefs_type, mlstrustedobject;
+type fusectlfs, fs_type;
+type inotify, fs_type, mlstrustedobject;
+type labeledfs, fs_type;
+type mqueue, fs_type;
+type pipefs, fs_type;
+type proc, fs_type, proc_type;
 type proc_abi, fs_type, proc_type;
 type proc_asound, fs_type, proc_type;
 type proc_bootconfig, fs_type, proc_type;
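Review bot: `type devtmpfs;` is the only declaration under `# file system types` that carries no attribute, so allow and neverallow rules written against `fs_type` will not apply to it. If that matches system/etc/selinux/plat_sepolicy.cil (step 3 of the description), a one-line comment such as `# devtmpfs intentionally has no fs_type attribute` would stop a later reader from "fixing" it; otherwise it presumably should read `type devtmpfs, fs_type;`. Separately, `type apc_service, service_manager_type;` sits under `# file types` although its only attribute is a service-manager one. It would be easier to audit if it were declared alongside the other service types rather than in file.te.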
@@ -27,6 +95,7 @@
 type proc_cpuinfo, fs_type, proc_type;
 type proc_dirty, fs_type, proc_type;
 type proc_diskstats, fs_type, proc_type;
+type proc_drop_caches, fs_type, proc_type;
 type proc_extra_free_kbytes, fs_type, proc_type;
 type proc_filesystems, fs_type, proc_type;
 type proc_fs_verity, fs_type, proc_type;
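Review bot: `proc_drop_caches` is re-added here without the comment the old file carried for its group, `# Security-sensitive proc nodes that should not be writable to most.` The same applies to `proc_kpageflags`, `proc_min_free_order_shift` and `proc_overcommit_memory` in the next hunk, and to `proc_security` in the last one. The alphabetical ordering is fine, but that marker was the only in-file hint that write access to these nodes should not be granted broadly. I would put a short comment above each of the five, e.g. `# security-sensitive: should not be writable by most domains`.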
@@ -37,16 +106,19 @@
 type proc_kallsyms, fs_type, proc_type;
 type proc_keys, fs_type, proc_type;
 type proc_kmsg, fs_type, proc_type;
+type proc_kpageflags, fs_type, proc_type;
 type proc_loadavg, fs_type, proc_type;
 type proc_locks, fs_type, proc_type;
 type proc_lowmemorykiller, fs_type, proc_type;
 type proc_max_map_count, fs_type, proc_type;
 type proc_meminfo, fs_type, proc_type;
+type proc_min_free_order_shift, fs_type, proc_type;
 type proc_misc, fs_type, proc_type;
 type proc_modules, fs_type, proc_type;
 type proc_mounts, fs_type, proc_type;
 type proc_net, fs_type, proc_type, proc_net_type;
 type proc_net_tcp_udp, fs_type, proc_type;
+type proc_overcommit_memory, fs_type, proc_type;
 type proc_page_cluster, fs_type, proc_type;
 type proc_pagetypeinfo, fs_type, proc_type;
 type proc_panic, fs_type, proc_type;
@@ -56,545 +128,77 @@
 type proc_pressure_cpu, fs_type, proc_type;
 type proc_pressure_io, fs_type, proc_type;
 type proc_pressure_mem, fs_type, proc_type;
+type proc_qtaguid_ctrl, fs_type, proc_type, mlstrustedobject;
+type proc_qtaguid_stat, fs_type, proc_type, mlstrustedobject;
 type proc_random, fs_type, proc_type;
 type proc_sched, fs_type, proc_type;
+type proc_security, fs_type, proc_type;
 type proc_slabinfo, fs_type, proc_type;
 type proc_stat, fs_type, proc_type;
 type proc_swaps, fs_type, proc_type;
 type proc_sysrq, fs_type, proc_type;
 type proc_timer, fs_type, proc_type;
 type proc_tty_drivers, fs_type, proc_type;
-type proc_uid_cputime_showstat, fs_type, proc_type;
-type proc_uid_cputime_removeuid, fs_type, proc_type;
-type proc_uid_io_stats, fs_type, proc_type;
-type proc_uid_procstat_set, fs_type, proc_type;
-type proc_uid_time_in_state, fs_type, proc_type;
 type proc_uid_concurrent_active_time, fs_type, proc_type;
 type proc_uid_concurrent_policy_time, fs_type, proc_type;
 type proc_uid_cpupower, fs_type, proc_type;
+type proc_uid_cputime_removeuid, fs_type, proc_type;
+type proc_uid_cputime_showstat, fs_type, proc_type;
+type proc_uid_io_stats, fs_type, proc_type;
+type proc_uid_procstat_set, fs_type, proc_type;
+type proc_uid_time_in_state, fs_type, proc_type;
 type proc_uptime, fs_type, proc_type;
 type proc_version, fs_type, proc_type;
 type proc_vmallocinfo, fs_type, proc_type;
 type proc_vmstat, fs_type, proc_type;
 type proc_zoneinfo, fs_type, proc_type;
+type pstorefs, fs_type;
+type rootfs, fs_type;
+type sdcardfs, fs_type, sdcard_type, mlstrustedobject;
+type securityfs, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
-type fusectlfs, fs_type;
-type cgroup, fs_type, mlstrustedobject;
-type cgroup_v2, fs_type;
+type shm, fs_type;
+type sockfs, fs_type;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_android_usb, fs_type, sysfs_type;
-type sysfs_uio, sysfs_type, fs_type;
-type sysfs_batteryinfo, fs_type, sysfs_type;
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_devfreq_cur, fs_type, sysfs_type;
-type sysfs_devfreq_dir, fs_type, sysfs_type;
 type sysfs_devices_block, fs_type, sysfs_type;
+type sysfs_devices_cs_etm, fs_type, sysfs_type;
+type sysfs_devices_system_cpu, fs_type, sysfs_type;
 type sysfs_dm, fs_type, sysfs_type;
 type sysfs_dm_verity, fs_type, sysfs_type;
 type sysfs_dma_heap, fs_type, sysfs_type;
 type sysfs_dmabuf_stats, fs_type, sysfs_type;
 type sysfs_dt_firmware_android, fs_type, sysfs_type;
 type sysfs_extcon, fs_type, sysfs_type;
+type sysfs_fs_ext4_features, fs_type, sysfs_type;
+type sysfs_fs_f2fs, fs_type, sysfs_type;
+type sysfs_fs_incfs_features, fs_type, sysfs_type;
+type sysfs_fs_incfs_metrics, fs_type, sysfs_type;
+type sysfs_hwrandom, fs_type, sysfs_type;
 type sysfs_ion, fs_type, sysfs_type;
 type sysfs_ipv4, fs_type, sysfs_type;
 type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_leds, fs_type, sysfs_type;
 type sysfs_loop, fs_type, sysfs_type;
-type sysfs_hwrandom, fs_type, sysfs_type;
-type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_wake_lock, fs_type, sysfs_type;
+type sysfs_lowmemorykiller, fs_type, sysfs_type;
 type sysfs_net, fs_type, sysfs_type;
+type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_power, fs_type, sysfs_type;
 type sysfs_rtc, fs_type, sysfs_type;
 type sysfs_suspend_stats, fs_type, sysfs_type;
 type sysfs_switch, fs_type, sysfs_type;
 type sysfs_transparent_hugepage, fs_type, sysfs_type;
-type sysfs_usb, fs_type, sysfs_type;
+type sysfs_uhid, fs_type, sysfs_type;
+type sysfs_usermodehelper, fs_type, sysfs_type;
+type sysfs_vibrator, fs_type, sysfs_type;
+type sysfs_wake_lock, fs_type, sysfs_type;
 type sysfs_wakeup, fs_type, sysfs_type;
 type sysfs_wakeup_reasons, fs_type, sysfs_type;
-type sysfs_fs_ext4_features, sysfs_type, fs_type;
-type sysfs_fs_f2fs, sysfs_type, fs_type;
-type sysfs_fs_incfs_features, sysfs_type, fs_type;
-type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
-type fs_bpf, fs_type;
-type fs_bpf_tethering, fs_type;
-type configfs, fs_type;
-# /sys/devices/cs_etm
-type sysfs_devices_cs_etm, fs_type, sysfs_type;
-# /sys/devices/system/cpu
-type sysfs_devices_system_cpu, fs_type, sysfs_type;
-# /sys/module/lowmemorykiller
-type sysfs_lowmemorykiller, fs_type, sysfs_type;
-# /sys/module/wlan/parameters/fwpath
 type sysfs_wlan_fwpath, fs_type, sysfs_type;
-type sysfs_vibrator, fs_type, sysfs_type;
-type sysfs_uhid, fs_type, sysfs_type;
-type sysfs_thermal, sysfs_type, fs_type;
-
 type sysfs_zram, fs_type, sysfs_type;
 type sysfs_zram_uevent, fs_type, sysfs_type;
-type inotify, fs_type, mlstrustedobject;
-type devpts, fs_type, mlstrustedobject;
 type tmpfs, fs_type;
-type shm, fs_type;
-type mqueue, fs_type;
-type fuse, sdcard_type, fs_type, mlstrustedobject;
-type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
-type vfat, sdcard_type, fs_type, mlstrustedobject;
-type exfat, sdcard_type, fs_type, mlstrustedobject;
-type debugfs, fs_type, debugfs_type;
-type debugfs_kprobes, fs_type, debugfs_type;
-type debugfs_mmc, fs_type, debugfs_type;
-type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
-type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
-type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
-type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
-type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
-type debugfs_wakeup_sources, fs_type, debugfs_type;
-type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
-type securityfs, fs_type;
-
-type pstorefs, fs_type;
-type functionfs, fs_type, mlstrustedobject;
-type oemfs, fs_type, contextmount_type;
 type usbfs, fs_type;
-type binfmt_miscfs, fs_type;
-type app_fusefs, fs_type, contextmount_type;
-
-# File types
-type unlabeled, file_type;
-
-# Default type for anything under /system.
-type system_file, system_file_type, file_type;
-# Default type for /system/asan.options
-type system_asan_options_file, system_file_type, file_type;
-# Type for /system/etc/event-log-tags (liblog implementation detail)
-type system_event_log_tags_file, system_file_type, file_type;
-# Default type for anything under /system/lib[64].
-type system_lib_file, system_file_type, file_type;
-# system libraries that are available only to bootstrap processes
-type system_bootstrap_lib_file, system_file_type, file_type;
-# Default type for the group file /system/etc/group.
-type system_group_file, system_file_type, file_type;
-# Default type for linker executable /system/bin/linker[64].
-type system_linker_exec, system_file_type, file_type;
-# Default type for linker config /system/etc/ld.config.*.
-type system_linker_config_file, system_file_type, file_type;
-# Default type for the passwd file /system/etc/passwd.
-type system_passwd_file, system_file_type, file_type;
-# Default type for linker config /system/etc/seccomp_policy/*.
-type system_seccomp_policy_file, system_file_type, file_type;
-# Default type for cacerts in /system/etc/security/cacerts/*.
-type system_security_cacerts_file, system_file_type, file_type;
-# Default type for /system/bin/tcpdump.
-type tcpdump_exec, system_file_type, exec_type, file_type;
-# Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
-type system_zoneinfo_file, system_file_type, file_type;
-# Cgroups description file under /system/etc/cgroups.json
-type cgroup_desc_file, system_file_type, file_type;
-# Cgroups description file under /system/etc/task_profiles/cgroups_*.json
-type cgroup_desc_api_file, system_file_type, file_type;
-# Vendor cgroups description file under /vendor/etc/cgroups.json
-type vendor_cgroup_desc_file, vendor_file_type, file_type;
-# Task profiles file under /system/etc/task_profiles.json
-type task_profiles_file, system_file_type, file_type;
-# Task profiles file under /system/etc/task_profiles/task_profiles_*.json
-type task_profiles_api_file, system_file_type, file_type;
-# Vendor task profiles file under /vendor/etc/task_profiles.json
-type vendor_task_profiles_file, vendor_file_type, file_type;
-# Type for /system/apex/com.android.art
-type art_apex_dir, system_file_type, file_type;
-# /linkerconfig(/.*)?
-type linkerconfig_file, file_type;
-# Control files under /data/incremental
-type incremental_control_file, file_type, data_file_type, core_data_file_type;
-
-# Default type for directories search for
-# HAL implementations
-type vendor_hal_file, vendor_file_type, file_type;
-# Default type for under /vendor or /system/vendor
-type vendor_file, vendor_file_type, file_type;
-# Default type for everything in /vendor/app
-type vendor_app_file, vendor_file_type, file_type;
-# Default type for everything under /vendor/etc/
-type vendor_configs_file, vendor_file_type, file_type;
-# Default type for all *same process* HALs and their lib/bin dependencies.
-# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
-type same_process_hal_file, vendor_file_type, file_type;
-# Default type for vndk-sp libs. /vendor/lib/vndk-sp
-type vndk_sp_file, vendor_file_type, file_type;
-# Default type for everything in /vendor/framework
-type vendor_framework_file, vendor_file_type, file_type;
-# Default type for everything in /vendor/overlay
-type vendor_overlay_file, vendor_file_type, file_type;
-# Type for all vendor public libraries. These libs should only be exposed to
-# apps. ABI stability of these libs is vendor's responsibility.
-type vendor_public_lib_file, vendor_file_type, file_type;
-# Type for all vendor public libraries for system. These libs should only be exposed to
-# system. ABI stability of these libs is vendor's responsibility.
-type vendor_public_framework_file, vendor_file_type, file_type;
-
-# Input configuration
-type vendor_keylayout_file, vendor_file_type, file_type;
-type vendor_keychars_file, vendor_file_type, file_type;
-type vendor_idc_file, vendor_file_type, file_type;
-
-# /metadata partition itself
-type metadata_file, file_type;
-# Vold files within /metadata
-type vold_metadata_file, file_type;
-# GSI files within /metadata
-type gsi_metadata_file, gsi_metadata_file_type, file_type;
-# DSU (GSI) files within /metadata that are globally readable.
-type gsi_public_metadata_file, gsi_metadata_file_type, file_type;
-# system_server shares Weaver slot information in /metadata
-type password_slot_metadata_file, file_type;
-# APEX files within /metadata
-type apex_metadata_file, file_type;
-# libsnapshot files within /metadata
-type ota_metadata_file, file_type;
-# property files within /metadata/bootstat
-type metadata_bootstat_file, file_type;
-# userspace reboot files within /metadata/userspacereboot
-type userspace_reboot_metadata_file, file_type;
-# Staged install files within /metadata/staged-install
-type staged_install_file, file_type;
-# Metadata information within /metadata/watchdog
-type watchdog_metadata_file, file_type;
-
-# Type for /dev/cpu_variant:.*.
-type dev_cpu_variant, file_type;
-# Speedup access for trusted applications to the runtime event tags
-type runtime_event_log_tags_file, file_type;
-# Type for /system/bin/logcat.
-type logcat_exec, system_file_type, exec_type, file_type;
-# Speedup access to cgroup map file
-type cgroup_rc_file, file_type;
-# /cores for coredumps on userdebug / eng builds
-type coredump_file, file_type;
-# Type of /data itself
-type system_data_root_file, file_type, data_file_type, core_data_file_type;
-# Default type for anything under /data.
-type system_data_file, file_type, data_file_type, core_data_file_type;
-# Type for /data/system/packages.list.
-# TODO(b/129332765): Narrow down permissions to this.
-# Find out users of system_data_file that should be granted only this.
-type packages_list_file, file_type, data_file_type, core_data_file_type;
-# Default type for anything under /data/vendor{_ce,_de}.
-type vendor_data_file, file_type, data_file_type;
-# Unencrypted data
-type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
-# installd-create files in /data/misc/installd such as layout_version
-type install_data_file, file_type, data_file_type, core_data_file_type;
-# /data/drm - DRM plugin data
-type drm_data_file, file_type, data_file_type, core_data_file_type;
-# /data/adb - adb debugging files
-type adb_data_file, file_type, data_file_type, core_data_file_type;
-# /data/anr - ANR traces
-type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/tombstones - core dumps
-type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/vendor/tombstones/wifi - vendor wifi dumps
-type tombstone_wifi_data_file, file_type, data_file_type;
-# /data/apex - APEX data files
-type apex_data_file, file_type, data_file_type, core_data_file_type;
-# /data/app - user-installed apps
-type apk_data_file, file_type, data_file_type, core_data_file_type;
-type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/app-private - forward-locked apps
-type apk_private_data_file, file_type, data_file_type, core_data_file_type;
-type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/dalvik-cache
-type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
-# /data/ota
-type ota_data_file, file_type, data_file_type, core_data_file_type;
-# /data/ota_package
-type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/misc/profiles
-type user_profile_root_file, file_type, data_file_type, core_data_file_type;
-type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/misc/profman
-type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
-# /data/misc/prereboot
-type prereboot_data_file, file_type, data_file_type, core_data_file_type;
-# /data/resource-cache
-type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
-# /data/local - writable by shell
-type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
-# /data/property
-type property_data_file, file_type, data_file_type, core_data_file_type;
-# /data/bootchart
-type bootchart_data_file, file_type, data_file_type, core_data_file_type;
-# /data/system/dropbox
-type dropbox_data_file, file_type, data_file_type, core_data_file_type;
-# /data/system/heapdump
-type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/nativetest
-type nativetest_data_file, file_type, data_file_type, core_data_file_type;
-# /data/local/tests
-type shell_test_data_file, file_type, data_file_type, core_data_file_type;
-# /data/system_de/0/ringtones
-type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/preloads
-type preloads_data_file, file_type, data_file_type, core_data_file_type;
-# /data/preloads/media
-type preloads_media_file, file_type, data_file_type, core_data_file_type;
-# /data/misc/dhcp and /data/misc/dhcp-6.8.2
-type dhcp_data_file, file_type, data_file_type, core_data_file_type;
-# /data/server_configurable_flags
-type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
-# /data/app-staging
-type staging_data_file, file_type, data_file_type, core_data_file_type;
-# /vendor/apex
-type vendor_apex_file, vendor_file_type, file_type;
-
-# Mount locations managed by vold
-type mnt_media_rw_file, file_type;
-type mnt_user_file, file_type;
-type mnt_pass_through_file, file_type;
-type mnt_expand_file, file_type;
-type mnt_sdcard_file, file_type;
-type storage_file, file_type;
-
-# Label for storage dirs which are just mount stubs
-type mnt_media_rw_stub_file, file_type;
-type storage_stub_file, file_type;
-
-# Mount location for read-write vendor partitions.
-type mnt_vendor_file, file_type;
-
-# Mount location for read-write product partitions.
-type mnt_product_file, file_type;
-
-# Mount point used for APEX images
-type apex_mnt_dir, file_type;
-
-# /apex/apex-info-list.xml created by apexd
-type apex_info_file, file_type;
-
-# /postinstall: Mount point used by update_engine to run postinstall.
-type postinstall_mnt_dir, file_type;
-# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
-type postinstall_file, file_type;
-# /postinstall/apex: Mount point used for APEX images within /postinstall.
-type postinstall_apex_mnt_dir, file_type;
-
-# /data_mirror: Contains mirror directory for storing all apps data.
-type mirror_data_file, file_type, core_data_file_type;
-
-# /data/misc subdirectories
-type adb_keys_file, file_type, data_file_type, core_data_file_type;
-type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type;
-type apex_module_data_file, file_type, data_file_type, core_data_file_type;
-type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
-type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
-type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
-type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type;
-type apex_wifi_data_file, file_type, data_file_type, core_data_file_type;
-type appcompat_data_file, file_type, data_file_type, core_data_file_type;
-type audio_data_file, file_type, data_file_type, core_data_file_type;
-type audioserver_data_file, file_type, data_file_type, core_data_file_type;
-type bluetooth_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
-type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
-type bootstat_data_file, file_type, data_file_type, core_data_file_type;
-type boottrace_data_file, file_type, data_file_type, core_data_file_type;
-type camera_data_file, file_type, data_file_type, core_data_file_type;
-type credstore_data_file, file_type, data_file_type, core_data_file_type;
-type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
-type incident_data_file, file_type, data_file_type, core_data_file_type;
-type keychain_data_file, file_type, data_file_type, core_data_file_type;
-type keystore_data_file, file_type, data_file_type, core_data_file_type;
-type media_data_file, file_type, data_file_type, core_data_file_type;
-type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type misc_user_data_file, file_type, data_file_type, core_data_file_type;
-type net_data_file, file_type, data_file_type, core_data_file_type;
-type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
-type nfc_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
-type nfc_logs_data_file, file_type, data_file_type, core_data_file_type;
-type radio_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
-type recovery_data_file, file_type, data_file_type, core_data_file_type;
-type shared_relro_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type;
-type stats_data_file, file_type, data_file_type, core_data_file_type;
-type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
-type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
-type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type vpn_data_file, file_type, data_file_type, core_data_file_type;
-type wifi_data_file, file_type, data_file_type, core_data_file_type;
-type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
-type vold_data_file, file_type, data_file_type, core_data_file_type;
-type iorapd_data_file, file_type, data_file_type, core_data_file_type;
-type tee_data_file, file_type, data_file_type;
-type update_engine_data_file, file_type, data_file_type, core_data_file_type;
-type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
-# /data/misc/trace for method traces on userdebug / eng builds
-type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type gsi_data_file, file_type, data_file_type, core_data_file_type;
-type radio_core_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/data subdirectories - app sandboxes
-type app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
-# /data/data subdirectories - priv-app sandboxes
-type privapp_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
-# /data/data subdirectory for system UID apps.
-type system_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
-# Compatibility with type name used in Android 4.3 and 4.4.
-# Default type for anything under /cache
-type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Type for /cache/overlay /mnt/scratch/overlay
-type overlayfs_file, file_type, data_file_type, core_data_file_type;
-# Type for /cache/backup_stage/* (fd interchange with apps)
-type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# type for anything under /cache/backup (local transport storage)
-type cache_private_backup_file, file_type, data_file_type, core_data_file_type;
-# Type for anything under /cache/recovery
-type cache_recovery_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Default type for anything under /efs
-type efs_file, file_type;
-# Type for wallpaper file.
-type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Type for shortcut manager icon file.
-type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Type for user icon file.
-type icon_file, file_type, data_file_type, core_data_file_type;
-# /mnt/asec
-type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Elements of asec files (/mnt/asec) that are world readable
-type asec_public_file, file_type, data_file_type, core_data_file_type;
-# /data/app-asec
-type asec_image_file, file_type, data_file_type, core_data_file_type;
-# /data/backup and /data/secure/backup
-type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# All devices have bluetooth efs files. But they
-# vary per device, so this type is used in per
-# device policy
-type bluetooth_efs_file, file_type;
-# Type for fingerprint template file
-type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
-# Type for _new_ fingerprint template file
-type fingerprint_vendor_data_file, file_type, data_file_type;
-# Type for appfuse file.
-type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Type for face template file
-type face_vendor_data_file, file_type, data_file_type;
-# Type for iris template file
-type iris_vendor_data_file, file_type, data_file_type;
-
-# Socket types
-type adbd_socket, file_type, coredomain_socket;
-type bluetooth_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
-type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
-type dumpstate_socket, file_type, coredomain_socket;
-type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
-type lmkd_socket, file_type, coredomain_socket;
-type logd_socket, file_type, coredomain_socket, mlstrustedobject;
-type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
-type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
-type mdns_socket, file_type, coredomain_socket;
-type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
-type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
-type mtpd_socket, file_type, coredomain_socket;
-type property_socket, file_type, coredomain_socket, mlstrustedobject;
-type racoon_socket, file_type, coredomain_socket;
-type recovery_socket, file_type, coredomain_socket;
-type rild_socket, file_type;
-type rild_debug_socket, file_type;
-type snapuserd_socket, file_type, coredomain_socket;
-type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
-type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
-type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
-type system_unsolzygote_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
-type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
-type tombstoned_java_trace_socket, file_type, mlstrustedobject;
-type tombstoned_intercept_socket, file_type, coredomain_socket;
-type traced_consumer_socket, file_type, coredomain_socket, mlstrustedobject;
-type traced_perf_socket, file_type, coredomain_socket, mlstrustedobject;
-type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
-type uncrypt_socket, file_type, coredomain_socket;
-type wpa_socket, file_type, data_file_type, core_data_file_type;
-type zygote_socket, file_type, coredomain_socket;
-type heapprofd_socket, file_type, coredomain_socket, mlstrustedobject;
-# UART (for GPS) control proc file
-type gps_control, file_type;
-
-# PDX endpoint types
-type pdx_display_dir, pdx_endpoint_dir_type, file_type;
-type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
-type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;
-
-pdx_service_socket_types(display_client, pdx_display_dir)
-pdx_service_socket_types(display_manager, pdx_display_dir)
-pdx_service_socket_types(display_screenshot, pdx_display_dir)
-pdx_service_socket_types(display_vsync, pdx_display_dir)
-pdx_service_socket_types(performance_client, pdx_performance_dir)
-pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
-
-# file_contexts files
-type file_contexts_file, system_file_type, file_type;
-
-# mac_permissions file
-type mac_perms_file, system_file_type, file_type;
-
-# property_contexts file
-type property_contexts_file, system_file_type, file_type;
-
-# seapp_contexts file
-type seapp_contexts_file, system_file_type, file_type;
-
-# sepolicy files binary and others
-type sepolicy_file, system_file_type, file_type;
-
-# service_contexts file
-type service_contexts_file, system_file_type, file_type;
-
-# keystore2_key_contexts_file
-type keystore2_key_contexts_file, system_file_type, file_type;
-
-# vendor service_contexts file
-type vendor_service_contexts_file, vendor_file_type, file_type;
-
-# nonplat service_contexts file (only accessible on non full-treble devices)
-type nonplat_service_contexts_file, vendor_file_type, file_type;
-
-# hwservice_contexts file
-type hwservice_contexts_file, system_file_type, file_type;
-
-# vndservice_contexts file
-type vndservice_contexts_file, file_type;
-
-# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
-type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
-
-# kernel modules
-type vendor_kernel_modules, vendor_file_type, file_type;
-
-# Allow files to be created in their appropriate filesystems.
-allow fs_type self:filesystem associate;
-allow cgroup tmpfs:filesystem associate;
-allow cgroup_v2 tmpfs:filesystem associate;
-allow cgroup_rc_file tmpfs:filesystem associate;
-allow sysfs_type sysfs:filesystem associate;
-allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
-allow file_type labeledfs:filesystem associate;
-allow file_type tmpfs:filesystem associate;
-allow file_type rootfs:filesystem associate;
-allow dev_type tmpfs:filesystem associate;
-allow app_fuse_file app_fusefs:filesystem associate;
-allow postinstall_file self:filesystem associate;
-allow proc_net proc:filesystem associate;
-
-# asanwrapper (run a sanitized app_process, to be used with wrap properties)
-with_asan(`type asanwrapper_exec, exec_type, file_type;')
-
-# Deprecated in SDK version 28
-type audiohal_data_file, file_type, data_file_type, core_data_file_type;
-
-# It's a bug to assign the file_type attribute and fs_type attribute
-# to any type. Do not allow it.
-#
-# For example, the following is a bug:
-#   type apk_data_file, file_type, data_file_type, fs_type;
-# Should be:
-#   type apk_data_file, file_type, data_file_type;
-neverallow fs_type file_type:filesystem associate;
+type usermodehelper, fs_type, proc_type;
+type vfat, fs_type, sdcard_type, mlstrustedobject;