| 1 | # Filesystem types |
| 2 | type labeledfs, fs_type; |
| 3 | type pipefs, fs_type; |
| 4 | type sockfs, fs_type; |
| 5 | type rootfs, fs_type; |
| 6 | type proc, fs_type, proc_type; |
| 7 | type binderfs, fs_type; |
| 8 | type binderfs_logs, fs_type; |
| 9 | type binderfs_logs_proc, fs_type; |
| 10 | # Security-sensitive proc nodes that should not be writable by most domains. |
| 11 | type proc_security, fs_type, proc_type; |
| 12 | type proc_drop_caches, fs_type, proc_type; |
| 13 | type proc_overcommit_memory, fs_type, proc_type; |
| 14 | type proc_min_free_order_shift, fs_type, proc_type; |
| 15 | type proc_kpageflags, fs_type, proc_type; |
| 16 | # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers. |
| 17 | type usermodehelper, fs_type, proc_type; |
| 18 | type sysfs_usermodehelper, fs_type, sysfs_type; |
| 19 | type proc_qtaguid_ctrl, fs_type, mlstrustedobject, proc_type; |
| 20 | type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type; |
| 21 | type proc_bluetooth_writable, fs_type, proc_type; |
| 22 | type proc_abi, fs_type, proc_type; |
| 23 | type proc_asound, fs_type, proc_type; |
| 24 | type proc_bootconfig, fs_type, proc_type; |
| 25 | type proc_buddyinfo, fs_type, proc_type; |
| 26 | type proc_cmdline, fs_type, proc_type; |
| 27 | type proc_cpuinfo, fs_type, proc_type; |
| 28 | type proc_dirty, fs_type, proc_type; |
| 29 | type proc_diskstats, fs_type, proc_type; |
| 30 | type proc_extra_free_kbytes, fs_type, proc_type; |
| 31 | type proc_filesystems, fs_type, proc_type; |
| 32 | type proc_fs_verity, fs_type, proc_type; |
| 33 | type proc_hostname, fs_type, proc_type; |
| 34 | type proc_hung_task, fs_type, proc_type; |
| 35 | type proc_interrupts, fs_type, proc_type; |
| 36 | type proc_iomem, fs_type, proc_type; |
| 37 | type proc_kallsyms, fs_type, proc_type; |
| 38 | type proc_keys, fs_type, proc_type; |
| 39 | type proc_kmsg, fs_type, proc_type; |
| 40 | type proc_loadavg, fs_type, proc_type; |
| 41 | type proc_locks, fs_type, proc_type; |
| 42 | type proc_lowmemorykiller, fs_type, proc_type; |
| 43 | type proc_max_map_count, fs_type, proc_type; |
| 44 | type proc_meminfo, fs_type, proc_type; |
| 45 | type proc_misc, fs_type, proc_type; |
| 46 | type proc_modules, fs_type, proc_type; |
| 47 | type proc_mounts, fs_type, proc_type; |
| 48 | type proc_net, fs_type, proc_type, proc_net_type; |
| 49 | type proc_net_tcp_udp, fs_type, proc_type; |
| 50 | type proc_page_cluster, fs_type, proc_type; |
| 51 | type proc_pagetypeinfo, fs_type, proc_type; |
| 52 | type proc_panic, fs_type, proc_type; |
| 53 | type proc_perf, fs_type, proc_type; |
| 54 | type proc_pid_max, fs_type, proc_type; |
| 55 | type proc_pipe_conf, fs_type, proc_type; |
| 56 | type proc_pressure_cpu, fs_type, proc_type; |
| 57 | type proc_pressure_io, fs_type, proc_type; |
| 58 | type proc_pressure_mem, fs_type, proc_type; |
| 59 | type proc_random, fs_type, proc_type; |
| 60 | type proc_sched, fs_type, proc_type; |
| 61 | type proc_slabinfo, fs_type, proc_type; |
| 62 | type proc_stat, fs_type, proc_type; |
| 63 | type proc_swaps, fs_type, proc_type; |
| 64 | type proc_sysrq, fs_type, proc_type; |
| 65 | type proc_timer, fs_type, proc_type; |
| 66 | type proc_tty_drivers, fs_type, proc_type; |
| 67 | type proc_uid_cputime_showstat, fs_type, proc_type; |
| 68 | type proc_uid_cputime_removeuid, fs_type, proc_type; |
| 69 | type proc_uid_io_stats, fs_type, proc_type; |
| 70 | type proc_uid_procstat_set, fs_type, proc_type; |
| 71 | type proc_uid_time_in_state, fs_type, proc_type; |
| 72 | type proc_uid_concurrent_active_time, fs_type, proc_type; |
| 73 | type proc_uid_concurrent_policy_time, fs_type, proc_type; |
| 74 | type proc_uid_cpupower, fs_type, proc_type; |
| 75 | type proc_uptime, fs_type, proc_type; |
| 76 | type proc_version, fs_type, proc_type; |
| 77 | type proc_vmallocinfo, fs_type, proc_type; |
| 78 | type proc_vmstat, fs_type, proc_type; |
| 79 | type proc_zoneinfo, fs_type, proc_type; |
| 80 | type selinuxfs, fs_type, mlstrustedobject; |
| 81 | type fusectlfs, fs_type; |
| 82 | type cgroup, fs_type, mlstrustedobject; |
| 83 | type cgroup_v2, fs_type; |
| 84 | type sysfs, fs_type, sysfs_type, mlstrustedobject; |
| 85 | type sysfs_android_usb, fs_type, sysfs_type; |
| 86 | type sysfs_uio, sysfs_type, fs_type; |
| 87 | type sysfs_batteryinfo, fs_type, sysfs_type; |
| 88 | type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject; |
| 89 | type sysfs_devfreq_cur, fs_type, sysfs_type; |
| 90 | type sysfs_devfreq_dir, fs_type, sysfs_type; |
| 91 | type sysfs_devices_block, fs_type, sysfs_type; |
| 92 | type sysfs_dm, fs_type, sysfs_type; |
| 93 | type sysfs_dm_verity, fs_type, sysfs_type; |
| 94 | type sysfs_dma_heap, fs_type, sysfs_type; |
| 95 | type sysfs_dmabuf_stats, fs_type, sysfs_type; |
| 96 | type sysfs_dt_firmware_android, fs_type, sysfs_type; |
| 97 | type sysfs_extcon, fs_type, sysfs_type; |
| 98 | type sysfs_ion, fs_type, sysfs_type; |
| 99 | type sysfs_ipv4, fs_type, sysfs_type; |
| 100 | type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject; |
| 101 | type sysfs_leds, fs_type, sysfs_type; |
| 102 | type sysfs_loop, fs_type, sysfs_type; |
| 103 | type sysfs_hwrandom, fs_type, sysfs_type; |
| 104 | type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject; |
| 105 | type sysfs_wake_lock, fs_type, sysfs_type; |
| 106 | type sysfs_net, fs_type, sysfs_type; |
| 107 | type sysfs_power, fs_type, sysfs_type; |
| 108 | type sysfs_rtc, fs_type, sysfs_type; |
| 109 | type sysfs_suspend_stats, fs_type, sysfs_type; |
| 110 | type sysfs_switch, fs_type, sysfs_type; |
| 111 | type sysfs_transparent_hugepage, fs_type, sysfs_type; |
| 112 | type sysfs_usb, fs_type, sysfs_type; |
| 113 | type sysfs_wakeup, fs_type, sysfs_type; |
| 114 | type sysfs_wakeup_reasons, fs_type, sysfs_type; |
| 115 | type sysfs_fs_ext4_features, sysfs_type, fs_type; |
| 116 | type sysfs_fs_f2fs, sysfs_type, fs_type; |
| 117 | type sysfs_fs_incfs_features, sysfs_type, fs_type; |
| 118 | type sysfs_fs_incfs_metrics, sysfs_type, fs_type; |
| 119 | type fs_bpf, fs_type; |
| 120 | type fs_bpf_tethering, fs_type; |
| 121 | type configfs, fs_type; |
| 122 | # /sys/devices/cs_etm |
| 123 | type sysfs_devices_cs_etm, fs_type, sysfs_type; |
| 124 | # /sys/devices/system/cpu |
| 125 | type sysfs_devices_system_cpu, fs_type, sysfs_type; |
| 126 | # /sys/module/lowmemorykiller |
| 127 | type sysfs_lowmemorykiller, fs_type, sysfs_type; |
| 128 | # /sys/module/wlan/parameters/fwpath |
| 129 | type sysfs_wlan_fwpath, fs_type, sysfs_type; |
| 130 | type sysfs_vibrator, fs_type, sysfs_type; |
| 131 | type sysfs_uhid, fs_type, sysfs_type; |
| 132 | type sysfs_thermal, sysfs_type, fs_type; |
| 133 | |
| 134 | type sysfs_zram, fs_type, sysfs_type; |
| 135 | type sysfs_zram_uevent, fs_type, sysfs_type; |
| 136 | type inotify, fs_type, mlstrustedobject; |
| 137 | type devpts, fs_type, mlstrustedobject; |
| 138 | type tmpfs, fs_type; |
| 139 | type shm, fs_type; |
| 140 | type mqueue, fs_type; |
| 141 | type fuse, sdcard_type, fs_type, mlstrustedobject; |
| 142 | type sdcardfs, sdcard_type, fs_type, mlstrustedobject; |
| 143 | type vfat, sdcard_type, fs_type, mlstrustedobject; |
| 144 | type exfat, sdcard_type, fs_type, mlstrustedobject; |
| 145 | type debugfs, fs_type, debugfs_type; |
| 146 | type debugfs_kprobes, fs_type, debugfs_type; |
| 147 | type debugfs_mmc, fs_type, debugfs_type; |
| 148 | type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type; |
| 149 | type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type; |
| 150 | type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type; |
| 151 | type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type; |
| 152 | type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type; |
| 153 | type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type; |
| 154 | type debugfs_wakeup_sources, fs_type, debugfs_type; |
| 155 | type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type; |
| 156 | type securityfs, fs_type; |
| 157 | |
| 158 | type pstorefs, fs_type; |
| 159 | type functionfs, fs_type, mlstrustedobject; |
| 160 | type oemfs, fs_type, contextmount_type; |
| 161 | type usbfs, fs_type; |
| 162 | type binfmt_miscfs, fs_type; |
| 163 | type app_fusefs, fs_type, contextmount_type; |
| 164 | |
| 165 | # File types |
| 166 | type unlabeled, file_type; |
| 167 | |
| 168 | # Default type for anything under /system. |
| 169 | type system_file, system_file_type, file_type; |
| 170 | # Default type for /system/asan.options |
| 171 | type system_asan_options_file, system_file_type, file_type; |
| 172 | # Type for /system/etc/event-log-tags (liblog implementation detail) |
| 173 | type system_event_log_tags_file, system_file_type, file_type; |
| 174 | # Default type for anything under /system/lib[64]. |
| 175 | type system_lib_file, system_file_type, file_type; |
| 176 | # system libraries that are available only to bootstrap processes |
| 177 | type system_bootstrap_lib_file, system_file_type, file_type; |
| 178 | # Default type for the group file /system/etc/group. |
| 179 | type system_group_file, system_file_type, file_type; |
| 180 | # Default type for linker executable /system/bin/linker[64]. |
| 181 | type system_linker_exec, system_file_type, file_type; |
| 182 | # Default type for linker config /system/etc/ld.config.*. |
| 183 | type system_linker_config_file, system_file_type, file_type; |
| 184 | # Default type for the passwd file /system/etc/passwd. |
| 185 | type system_passwd_file, system_file_type, file_type; |
| 186 | # Default type for seccomp policy files in /system/etc/seccomp_policy/*. |
| 187 | type system_seccomp_policy_file, system_file_type, file_type; |
| 188 | # Default type for cacerts in /system/etc/security/cacerts/*. |
| 189 | type system_security_cacerts_file, system_file_type, file_type; |
| 190 | # Default type for /system/bin/tcpdump. |
| 191 | type tcpdump_exec, system_file_type, exec_type, file_type; |
| 192 | # Default type for zoneinfo files in /system/usr/share/zoneinfo/*. |
| 193 | type system_zoneinfo_file, system_file_type, file_type; |
| 194 | # Cgroups description file under /system/etc/cgroups.json |
| 195 | type cgroup_desc_file, system_file_type, file_type; |
| 196 | # Cgroups description file under /system/etc/task_profiles/cgroups_*.json |
| 197 | type cgroup_desc_api_file, system_file_type, file_type; |
| 198 | # Vendor cgroups description file under /vendor/etc/cgroups.json |
| 199 | type vendor_cgroup_desc_file, vendor_file_type, file_type; |
| 200 | # Task profiles file under /system/etc/task_profiles.json |
| 201 | type task_profiles_file, system_file_type, file_type; |
| 202 | # Task profiles file under /system/etc/task_profiles/task_profiles_*.json |
| 203 | type task_profiles_api_file, system_file_type, file_type; |
| 204 | # Vendor task profiles file under /vendor/etc/task_profiles.json |
| 205 | type vendor_task_profiles_file, vendor_file_type, file_type; |
| 206 | # Type for /system/apex/com.android.art |
| 207 | type art_apex_dir, system_file_type, file_type; |
| 208 | # /linkerconfig(/.*)? |
| 209 | type linkerconfig_file, file_type; |
| 210 | # Control files under /data/incremental |
| 211 | type incremental_control_file, file_type, data_file_type, core_data_file_type; |
| 212 | |
| 213 | # Default type for directories searched for |
| 214 | # HAL implementations |
| 215 | type vendor_hal_file, vendor_file_type, file_type; |
| 216 | # Default type for anything under /vendor or /system/vendor |
| 217 | type vendor_file, vendor_file_type, file_type; |
| 218 | # Default type for everything in /vendor/app |
| 219 | type vendor_app_file, vendor_file_type, file_type; |
| 220 | # Default type for everything under /vendor/etc/ |
| 221 | type vendor_configs_file, vendor_file_type, file_type; |
| 222 | # Default type for all *same process* HALs and their lib/bin dependencies. |
| 223 | # e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so |
| 224 | type same_process_hal_file, vendor_file_type, file_type; |
| 225 | # Default type for vndk-sp libs. /vendor/lib/vndk-sp |
| 226 | type vndk_sp_file, vendor_file_type, file_type; |
| 227 | # Default type for everything in /vendor/framework |
| 228 | type vendor_framework_file, vendor_file_type, file_type; |
| 229 | # Default type for everything in /vendor/overlay |
| 230 | type vendor_overlay_file, vendor_file_type, file_type; |
| 231 | # Type for all vendor public libraries. These libs should only be exposed to |
| 232 | # apps. ABI stability of these libs is vendor's responsibility. |
| 233 | type vendor_public_lib_file, vendor_file_type, file_type; |
| 234 | # Type for all vendor public libraries for system. These libs should only be exposed to |
| 235 | # system. ABI stability of these libs is vendor's responsibility. |
| 236 | type vendor_public_framework_file, vendor_file_type, file_type; |
| 237 | |
| 238 | # Input configuration |
| 239 | type vendor_keylayout_file, vendor_file_type, file_type; |
| 240 | type vendor_keychars_file, vendor_file_type, file_type; |
| 241 | type vendor_idc_file, vendor_file_type, file_type; |
| 242 | |
| 243 | # /metadata partition itself |
| 244 | type metadata_file, file_type; |
| 245 | # Vold files within /metadata |
| 246 | type vold_metadata_file, file_type; |
| 247 | # GSI files within /metadata |
| 248 | type gsi_metadata_file, gsi_metadata_file_type, file_type; |
| 249 | # DSU (GSI) files within /metadata that are globally readable. |
| 250 | type gsi_public_metadata_file, gsi_metadata_file_type, file_type; |
| 251 | # system_server shares Weaver slot information in /metadata |
| 252 | type password_slot_metadata_file, file_type; |
| 253 | # APEX files within /metadata |
| 254 | type apex_metadata_file, file_type; |
| 255 | # libsnapshot files within /metadata |
| 256 | type ota_metadata_file, file_type; |
| 257 | # property files within /metadata/bootstat |
| 258 | type metadata_bootstat_file, file_type; |
| 259 | # userspace reboot files within /metadata/userspacereboot |
| 260 | type userspace_reboot_metadata_file, file_type; |
| 261 | # Staged install files within /metadata/staged-install |
| 262 | type staged_install_file, file_type; |
| 263 | # Metadata information within /metadata/watchdog |
| 264 | type watchdog_metadata_file, file_type; |
| 265 | |
| 266 | # Type for /dev/cpu_variant:.*. |
| 267 | type dev_cpu_variant, file_type; |
| 268 | # Speedup access for trusted applications to the runtime event tags |
| 269 | type runtime_event_log_tags_file, file_type; |
| 270 | # Type for /system/bin/logcat. |
| 271 | type logcat_exec, system_file_type, exec_type, file_type; |
| 272 | # Speedup access to cgroup map file |
| 273 | type cgroup_rc_file, file_type; |
| 274 | # /cores for coredumps on userdebug / eng builds |
| 275 | type coredump_file, file_type; |
| 276 | # Type of /data itself |
| 277 | type system_data_root_file, file_type, data_file_type, core_data_file_type; |
| 278 | # Default type for anything under /data. |
| 279 | type system_data_file, file_type, data_file_type, core_data_file_type; |
| 280 | # Type for /data/system/packages.list. |
| 281 | # TODO(b/129332765): Narrow down permissions to this. |
| 282 | # Find out users of system_data_file that should be granted only this. |
| 283 | type packages_list_file, file_type, data_file_type, core_data_file_type; |
| 284 | # Default type for anything under /data/vendor{_ce,_de}. |
| 285 | type vendor_data_file, file_type, data_file_type; |
| 286 | # Unencrypted data |
| 287 | type unencrypted_data_file, file_type, data_file_type, core_data_file_type; |
| 288 | # installd-created files in /data/misc/installd such as layout_version |
| 289 | type install_data_file, file_type, data_file_type, core_data_file_type; |
| 290 | # /data/drm - DRM plugin data |
| 291 | type drm_data_file, file_type, data_file_type, core_data_file_type; |
| 292 | # /data/adb - adb debugging files |
| 293 | type adb_data_file, file_type, data_file_type, core_data_file_type; |
| 294 | # /data/anr - ANR traces |
| 295 | type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; |
| 296 | # /data/tombstones - core dumps |
| 297 | type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; |
| 298 | # /data/vendor/tombstones/wifi - vendor wifi dumps |
| 299 | type tombstone_wifi_data_file, file_type, data_file_type; |
| 300 | # /data/apex - APEX data files |
| 301 | type apex_data_file, file_type, data_file_type, core_data_file_type; |
| 302 | # /data/app - user-installed apps |
| 303 | type apk_data_file, file_type, data_file_type, core_data_file_type; |
| 304 | type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; |
| 305 | # /data/app-private - forward-locked apps |
| 306 | type apk_private_data_file, file_type, data_file_type, core_data_file_type; |
| 307 | type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; |
| 308 | # /data/dalvik-cache |
| 309 | type dalvikcache_data_file, file_type, data_file_type, core_data_file_type; |
| 310 | # /data/ota |
| 311 | type ota_data_file, file_type, data_file_type, core_data_file_type; |
| 312 | # /data/ota_package |
| 313 | type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; |
| 314 | # /data/misc/profiles |
| 315 | type user_profile_root_file, file_type, data_file_type, core_data_file_type; |
| 316 | type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; |
| 317 | # /data/misc/profman |
| 318 | type profman_dump_data_file, file_type, data_file_type, core_data_file_type; |
| 319 | # /data/misc/prereboot |
| 320 | type prereboot_data_file, file_type, data_file_type, core_data_file_type; |
| 321 | # /data/resource-cache |
| 322 | type resourcecache_data_file, file_type, data_file_type, core_data_file_type; |
| 323 | # /data/local - writable by shell |
| 324 | type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject; |
| 325 | # /data/property |
| 326 | type property_data_file, file_type, data_file_type, core_data_file_type; |
| 327 | # /data/bootchart |
| 328 | type bootchart_data_file, file_type, data_file_type, core_data_file_type; |
| 329 | # /data/system/dropbox |
| 330 | type dropbox_data_file, file_type, data_file_type, core_data_file_type; |
| 331 | # /data/system/heapdump |
| 332 | type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; |
| 333 | # /data/nativetest |
| 334 | type nativetest_data_file, file_type, data_file_type, core_data_file_type; |
| 335 | # /data/local/tests |
| 336 | type shell_test_data_file, file_type, data_file_type, core_data_file_type; |
| 337 | # /data/system_de/0/ringtones |
| 338 | type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; |
| 339 | # /data/preloads |
| 340 | type preloads_data_file, file_type, data_file_type, core_data_file_type; |
| 341 | # /data/preloads/media |
| 342 | type preloads_media_file, file_type, data_file_type, core_data_file_type; |
| 343 | # /data/misc/dhcp and /data/misc/dhcp-6.8.2 |
| 344 | type dhcp_data_file, file_type, data_file_type, core_data_file_type; |
| 345 | # /data/server_configurable_flags |
| 346 | type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type; |
| 347 | # /data/app-staging |
| 348 | type staging_data_file, file_type, data_file_type, core_data_file_type; |
| 349 | # /vendor/apex |
| 350 | type vendor_apex_file, vendor_file_type, file_type; |
| 351 | |
| 352 | # Mount locations managed by vold |
| 353 | type mnt_media_rw_file, file_type; |
| 354 | type mnt_user_file, file_type; |
| 355 | type mnt_pass_through_file, file_type; |
| 356 | type mnt_expand_file, file_type; |
| 357 | type mnt_sdcard_file, file_type; |
| 358 | type storage_file, file_type; |
| 359 | |
| 360 | # Label for storage dirs which are just mount stubs |
| 361 | type mnt_media_rw_stub_file, file_type; |
| 362 | type storage_stub_file, file_type; |
| 363 | |
| 364 | # Mount location for read-write vendor partitions. |
| 365 | type mnt_vendor_file, file_type; |
| 366 | |
| 367 | # Mount location for read-write product partitions. |
| 368 | type mnt_product_file, file_type; |
| 369 | |
| 370 | # Mount point used for APEX images |
| 371 | type apex_mnt_dir, file_type; |
| 372 | |
| 373 | # /apex/apex-info-list.xml created by apexd |
| 374 | type apex_info_file, file_type; |
| 375 | |
| 376 | # /postinstall: Mount point used by update_engine to run postinstall. |
| 377 | type postinstall_mnt_dir, file_type; |
| 378 | # Files inside the /postinstall mountpoint are all labeled as postinstall_file. |
| 379 | type postinstall_file, file_type; |
| 380 | # /postinstall/apex: Mount point used for APEX images within /postinstall. |
| 381 | type postinstall_apex_mnt_dir, file_type; |
| 382 | |
| 383 | # /data_mirror: Contains mirror directory for storing all apps data. |
| 384 | type mirror_data_file, file_type, core_data_file_type; |
| 385 | |
| 386 | # /data/misc subdirectories |
| 387 | type adb_keys_file, file_type, data_file_type, core_data_file_type; |
| 388 | type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type; |
| 389 | type apex_module_data_file, file_type, data_file_type, core_data_file_type; |
| 390 | type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type; |
| 391 | type apex_permission_data_file, file_type, data_file_type, core_data_file_type; |
| 392 | type apex_rollback_data_file, file_type, data_file_type, core_data_file_type; |
| 393 | type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type; |
| 394 | type apex_wifi_data_file, file_type, data_file_type, core_data_file_type; |
| 395 | type appcompat_data_file, file_type, data_file_type, core_data_file_type; |
| 396 | type audio_data_file, file_type, data_file_type, core_data_file_type; |
| 397 | type audioserver_data_file, file_type, data_file_type, core_data_file_type; |
| 398 | type bluetooth_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type; |
| 399 | type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type; |
| 400 | type bootstat_data_file, file_type, data_file_type, core_data_file_type; |
| 401 | type boottrace_data_file, file_type, data_file_type, core_data_file_type; |
| 402 | type camera_data_file, file_type, data_file_type, core_data_file_type; |
| 403 | type credstore_data_file, file_type, data_file_type, core_data_file_type; |
| 404 | type gatekeeper_data_file, file_type, data_file_type, core_data_file_type; |
| 405 | type incident_data_file, file_type, data_file_type, core_data_file_type; |
| 406 | type keychain_data_file, file_type, data_file_type, core_data_file_type; |
| 407 | type keystore_data_file, file_type, data_file_type, core_data_file_type; |
| 408 | type media_data_file, file_type, data_file_type, core_data_file_type; |
| 409 | type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; |
| 410 | type misc_user_data_file, file_type, data_file_type, core_data_file_type; |
| 411 | type net_data_file, file_type, data_file_type, core_data_file_type; |
| 412 | type network_watchlist_data_file, file_type, data_file_type, core_data_file_type; |
| 413 | type nfc_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type; |
| 414 | type nfc_logs_data_file, file_type, data_file_type, core_data_file_type; |
| 415 | type radio_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject; |
| 416 | type recovery_data_file, file_type, data_file_type, core_data_file_type; |
| 417 | type shared_relro_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; |
| 418 | type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type; |
| 419 | type stats_data_file, file_type, data_file_type, core_data_file_type; |
| 420 | type systemkeys_data_file, file_type, data_file_type, core_data_file_type; |
| 421 | type textclassifier_data_file, file_type, data_file_type, core_data_file_type; |
| 422 | type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; |
| 423 | type vpn_data_file, file_type, data_file_type, core_data_file_type; |
| 424 | type wifi_data_file, file_type, data_file_type, core_data_file_type; |
| 425 | type zoneinfo_data_file, file_type, data_file_type, core_data_file_type; |
| 426 | type vold_data_file, file_type, data_file_type, core_data_file_type; |
| 427 | type iorapd_data_file, file_type, data_file_type, core_data_file_type; |
| 428 | type tee_data_file, file_type, data_file_type; |
| 429 | type update_engine_data_file, file_type, data_file_type, core_data_file_type; |
| 430 | type update_engine_log_data_file, file_type, data_file_type, core_data_file_type; |
| 431 | # /data/misc/trace for method traces on userdebug / eng builds |
| 432 | type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; |
| 433 | type gsi_data_file, file_type, data_file_type, core_data_file_type; |
| 434 | type radio_core_data_file, file_type, data_file_type, core_data_file_type; |
| 435 | |
| 436 | # /data/data subdirectories - app sandboxes |
| 437 | type app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type; |
| 438 | # /data/data subdirectories - priv-app sandboxes |
| 439 | type privapp_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type; |
| 440 | # /data/data subdirectory for system UID apps. |
| 441 | type system_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject; |
| 442 | # Compatibility with type name used in Android 4.3 and 4.4. |
| 443 | # Default type for anything under /cache |
| 444 | type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; |
| 445 | # Type for /cache/overlay /mnt/scratch/overlay |
| 446 | type overlayfs_file, file_type, data_file_type, core_data_file_type; |
| 447 | # Type for /cache/backup_stage/* (fd interchange with apps) |
| 448 | type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; |
| 449 | # type for anything under /cache/backup (local transport storage) |
| 450 | type cache_private_backup_file, file_type, data_file_type, core_data_file_type; |
| 451 | # Type for anything under /cache/recovery |
| 452 | type cache_recovery_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; |
| 453 | # Default type for anything under /efs |
| 454 | type efs_file, file_type; |
| 455 | # Type for wallpaper file. |
| 456 | type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; |
| 457 | # Type for shortcut manager icon file. |
| 458 | type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject; |
| 459 | # Type for user icon file. |
| 460 | type icon_file, file_type, data_file_type, core_data_file_type; |
| 461 | # /mnt/asec |
| 462 | type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; |
| 463 | # Elements of asec files (/mnt/asec) that are world readable |
| 464 | type asec_public_file, file_type, data_file_type, core_data_file_type; |
| 465 | # /data/app-asec |
| 466 | type asec_image_file, file_type, data_file_type, core_data_file_type; |
| 467 | # /data/backup and /data/secure/backup |
| 468 | type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; |
| 469 | # All devices have bluetooth efs files, but they |
| 470 | # vary per device, so this type is used in per-device |
| 471 | # policy |
| 472 | type bluetooth_efs_file, file_type; |
| 473 | # Type for fingerprint template file |
| 474 | type fingerprintd_data_file, file_type, data_file_type, core_data_file_type; |
| 475 | # Type for _new_ fingerprint template file |
| 476 | type fingerprint_vendor_data_file, file_type, data_file_type; |
| 477 | # Type for appfuse file. |
| 478 | type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; |
| 479 | # Type for face template file |
| 480 | type face_vendor_data_file, file_type, data_file_type; |
| 481 | # Type for iris template file |
| 482 | type iris_vendor_data_file, file_type, data_file_type; |
| 483 | |
| 484 | # Socket types |
| 485 | type adbd_socket, file_type, coredomain_socket; |
| 486 | type bluetooth_socket, file_type, data_file_type, core_data_file_type, coredomain_socket; |
| 487 | type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject; |
| 488 | type dumpstate_socket, file_type, coredomain_socket; |
| 489 | type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject; |
| 490 | type lmkd_socket, file_type, coredomain_socket; |
| 491 | type logd_socket, file_type, coredomain_socket, mlstrustedobject; |
| 492 | type logdr_socket, file_type, coredomain_socket, mlstrustedobject; |
| 493 | type logdw_socket, file_type, coredomain_socket, mlstrustedobject; |
| 494 | type mdns_socket, file_type, coredomain_socket; |
| 495 | type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject; |
| 496 | type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type; |
| 497 | type mtpd_socket, file_type, coredomain_socket; |
| 498 | type property_socket, file_type, coredomain_socket, mlstrustedobject; |
| 499 | type racoon_socket, file_type, coredomain_socket; |
| 500 | type recovery_socket, file_type, coredomain_socket; |
| 501 | type rild_socket, file_type; |
| 502 | type rild_debug_socket, file_type; |
| 503 | type snapuserd_socket, file_type, coredomain_socket; |
| 504 | type statsdw_socket, file_type, coredomain_socket, mlstrustedobject; |
| 505 | type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket; |
| 506 | type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject; |
| 507 | type system_unsolzygote_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject; |
| 508 | type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject; |
| 509 | type tombstoned_java_trace_socket, file_type, mlstrustedobject; |
| 510 | type tombstoned_intercept_socket, file_type, coredomain_socket; |
| 511 | type traced_consumer_socket, file_type, coredomain_socket, mlstrustedobject; |
| 512 | type traced_perf_socket, file_type, coredomain_socket, mlstrustedobject; |
| 513 | type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject; |
| 514 | type uncrypt_socket, file_type, coredomain_socket; |
| 515 | type wpa_socket, file_type, data_file_type, core_data_file_type; |
| 516 | type zygote_socket, file_type, coredomain_socket; |
| 517 | type heapprofd_socket, file_type, coredomain_socket, mlstrustedobject; |
| 518 | # UART (for GPS) control proc file |
| 519 | type gps_control, file_type; |
| 520 | |
| 521 | # PDX endpoint types |
| 522 | type pdx_display_dir, pdx_endpoint_dir_type, file_type; |
| 523 | type pdx_performance_dir, pdx_endpoint_dir_type, file_type; |
| 524 | type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type; |
| 525 | |
| 526 | pdx_service_socket_types(display_client, pdx_display_dir) |
| 527 | pdx_service_socket_types(display_manager, pdx_display_dir) |
| 528 | pdx_service_socket_types(display_screenshot, pdx_display_dir) |
| 529 | pdx_service_socket_types(display_vsync, pdx_display_dir) |
| 530 | pdx_service_socket_types(performance_client, pdx_performance_dir) |
| 531 | pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir) |
| 532 | |
| 533 | # file_contexts files |
| 534 | type file_contexts_file, system_file_type, file_type; |
| 535 | |
| 536 | # mac_permissions file |
| 537 | type mac_perms_file, system_file_type, file_type; |
| 538 | |
| 539 | # property_contexts file |
| 540 | type property_contexts_file, system_file_type, file_type; |
| 541 | |
| 542 | # seapp_contexts file |
| 543 | type seapp_contexts_file, system_file_type, file_type; |
| 544 | |
| 545 | # sepolicy files binary and others |
| 546 | type sepolicy_file, system_file_type, file_type; |
| 547 | |
| 548 | # service_contexts file |
| 549 | type service_contexts_file, system_file_type, file_type; |
| 550 | |
| 551 | # keystore2_key_contexts_file |
| 552 | type keystore2_key_contexts_file, system_file_type, file_type; |
| 553 | |
| 554 | # vendor service_contexts file |
| 555 | type vendor_service_contexts_file, vendor_file_type, file_type; |
| 556 | |
| 557 | # nonplat service_contexts file (only accessible on non full-treble devices) |
| 558 | type nonplat_service_contexts_file, vendor_file_type, file_type; |
| 559 | |
| 560 | # hwservice_contexts file |
| 561 | type hwservice_contexts_file, system_file_type, file_type; |
| 562 | |
| 563 | # vndservice_contexts file |
| 564 | type vndservice_contexts_file, file_type; |
| 565 | |
| 566 | # /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions. |
| 567 | type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type; |
| 568 | |
| 569 | # kernel modules |
| 570 | type vendor_kernel_modules, vendor_file_type, file_type; |
| 571 | |
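| 572 | # Allow files to be created in their appropriate filesystems. The filesystem "associate" permission decides which filesystem an object carrying a given type may be labeled on. |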
| 573 | allow fs_type self:filesystem associate; |
| 574 | allow cgroup tmpfs:filesystem associate; |
| 575 | allow cgroup_v2 tmpfs:filesystem associate; |
| 576 | allow cgroup_rc_file tmpfs:filesystem associate; |
| 577 | allow sysfs_type sysfs:filesystem associate; |
| 578 | allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate; |
| 579 | allow file_type labeledfs:filesystem associate; |
| 580 | allow file_type tmpfs:filesystem associate; |
| 581 | allow file_type rootfs:filesystem associate; |
| 582 | allow dev_type tmpfs:filesystem associate; |
| 583 | allow app_fuse_file app_fusefs:filesystem associate; |
| 584 | allow postinstall_file self:filesystem associate; |
| 585 | allow proc_net proc:filesystem associate; |
| 586 | |
| 587 | # asanwrapper (run a sanitized app_process, to be used with wrap properties) |
| 588 | with_asan(`type asanwrapper_exec, exec_type, file_type;') |
| 589 | |
| 590 | # Deprecated in SDK version 28 |
| 591 | type audiohal_data_file, file_type, data_file_type, core_data_file_type; |
| 592 | |
| 593 | # It's a bug to assign both the file_type attribute and the fs_type attribute |
| 594 | # to the same type. Do not allow it; the neverallow below fails the policy build if any type carries both. |
| 595 | # |
| 596 | # For example, the following is a bug: |
| 597 | # type apk_data_file, file_type, data_file_type, fs_type; |
| 598 | # Should be: |
| 599 | # type apk_data_file, file_type, data_file_type; |
| 600 | neverallow fs_type file_type:filesystem associate; |