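# Filesystem types
# fs_type marks a label that is assigned to a filesystem (or to nodes of a
# pseudo-filesystem), as opposed to file_type labels carried by individual
# files. The two attributes must never be combined on one type; the
# neverallow at the end of this file enforces that.
type labeledfs, fs_type;
type pipefs, fs_type;
type sockfs, fs_type;
type rootfs, fs_type;
# Generic /proc label; more specific proc_* types are declared below so that
# policy can grant access node by node instead of to all of /proc.
type proc, fs_type, proc_type;
type binderfs, fs_type;
type binderfs_logs, fs_type;
type binderfs_logs_proc, fs_type;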
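# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type, proc_type;
type proc_drop_caches, fs_type, proc_type;
type proc_overcommit_memory, fs_type, proc_type;
type proc_min_free_order_shift, fs_type, proc_type;
type proc_kpageflags, fs_type, proc_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type, proc_type;
type sysfs_usermodehelper, fs_type, sysfs_type;
# mlstrustedobject exempts a type from the MLS constraints, so for the two
# qtaguid nodes access is decided by type-enforcement rules alone.
type proc_qtaguid_ctrl, fs_type, mlstrustedobject, proc_type;
type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type;
type proc_bluetooth_writable, fs_type, proc_type;
# One type per /proc node (or small group of nodes). Some of these, for
# example proc_iomem, proc_kallsyms, proc_kmsg and proc_modules, can expose
# kernel layout or log contents, so read access should be granted per type
# rather than through the proc_type attribute.
type proc_abi, fs_type, proc_type;
type proc_asound, fs_type, proc_type;
type proc_bootconfig, fs_type, proc_type;
type proc_buddyinfo, fs_type, proc_type;
type proc_cmdline, fs_type, proc_type;
type proc_cpuinfo, fs_type, proc_type;
type proc_dirty, fs_type, proc_type;
type proc_diskstats, fs_type, proc_type;
type proc_extra_free_kbytes, fs_type, proc_type;
type proc_filesystems, fs_type, proc_type;
type proc_fs_verity, fs_type, proc_type;
type proc_hostname, fs_type, proc_type;
type proc_hung_task, fs_type, proc_type;
type proc_interrupts, fs_type, proc_type;
type proc_iomem, fs_type, proc_type;
type proc_kallsyms, fs_type, proc_type;
type proc_keys, fs_type, proc_type;
type proc_kmsg, fs_type, proc_type;
type proc_loadavg, fs_type, proc_type;
type proc_locks, fs_type, proc_type;
type proc_lowmemorykiller, fs_type, proc_type;
type proc_max_map_count, fs_type, proc_type;
type proc_meminfo, fs_type, proc_type;
type proc_misc, fs_type, proc_type;
type proc_modules, fs_type, proc_type;
type proc_mounts, fs_type, proc_type;
type proc_net, fs_type, proc_type, proc_net_type;
type proc_net_tcp_udp, fs_type, proc_type;
type proc_page_cluster, fs_type, proc_type;
type proc_pagetypeinfo, fs_type, proc_type;
type proc_panic, fs_type, proc_type;
type proc_perf, fs_type, proc_type;
type proc_pid_max, fs_type, proc_type;
type proc_pipe_conf, fs_type, proc_type;
type proc_pressure_cpu, fs_type, proc_type;
type proc_pressure_io, fs_type, proc_type;
type proc_pressure_mem, fs_type, proc_type;
type proc_random, fs_type, proc_type;
type proc_sched, fs_type, proc_type;
type proc_slabinfo, fs_type, proc_type;
type proc_stat, fs_type, proc_type;
type proc_swaps, fs_type, proc_type;
type proc_sysrq, fs_type, proc_type;
type proc_timer, fs_type, proc_type;
type proc_tty_drivers, fs_type, proc_type;
type proc_uid_cputime_showstat, fs_type, proc_type;
type proc_uid_cputime_removeuid, fs_type, proc_type;
type proc_uid_io_stats, fs_type, proc_type;
type proc_uid_procstat_set, fs_type, proc_type;
type proc_uid_time_in_state, fs_type, proc_type;
type proc_uid_concurrent_active_time, fs_type, proc_type;
type proc_uid_concurrent_policy_time, fs_type, proc_type;
type proc_uid_cpupower, fs_type, proc_type;
type proc_uptime, fs_type, proc_type;
type proc_version, fs_type, proc_type;
type proc_vmallocinfo, fs_type, proc_type;
type proc_vmstat, fs_type, proc_type;
type proc_zoneinfo, fs_type, proc_type;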
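# selinuxfs, cgroup and sysfs labels. Types that also carry mlstrustedobject
# are exempt from the MLS constraints, so only type-enforcement rules limit
# who can reach them.
type selinuxfs, fs_type, mlstrustedobject;
type fusectlfs, fs_type;
type cgroup, fs_type, mlstrustedobject;
type cgroup_v2, fs_type;
# Generic sysfs label; the sysfs_* types below split out individual nodes so
# that access can be granted per node.
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_android_usb, fs_type, sysfs_type;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_devfreq_cur, fs_type, sysfs_type;
type sysfs_devfreq_dir, fs_type, sysfs_type;
type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dm_verity, fs_type, sysfs_type;
type sysfs_dma_heap, fs_type, sysfs_type;
type sysfs_dmabuf_stats, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
type sysfs_extcon, fs_type, sysfs_type;
type sysfs_ion, fs_type, sysfs_type;
type sysfs_ipv4, fs_type, sysfs_type;
type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
type sysfs_leds, fs_type, sysfs_type;
type sysfs_loop, fs_type, sysfs_type;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_net, fs_type, sysfs_type;
type sysfs_power, fs_type, sysfs_type;
type sysfs_rtc, fs_type, sysfs_type;
type sysfs_suspend_stats, fs_type, sysfs_type;
type sysfs_switch, fs_type, sysfs_type;
type sysfs_transparent_hugepage, fs_type, sysfs_type;
type sysfs_usb, fs_type, sysfs_type;
type sysfs_wakeup, fs_type, sysfs_type;
type sysfs_wakeup_reasons, fs_type, sysfs_type;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
type sysfs_fs_f2fs, sysfs_type, fs_type;
type sysfs_fs_incfs_features, sysfs_type, fs_type;
type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
type fs_bpf, fs_type;
type fs_bpf_tethering, fs_type;
type configfs, fs_type;
# /sys/devices/cs_etm
type sysfs_devices_cs_etm, fs_type, sysfs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
# /sys/module/lowmemorykiller
type sysfs_lowmemorykiller, fs_type, sysfs_type;
# /sys/module/wlan/parameters/fwpath
type sysfs_wlan_fwpath, fs_type, sysfs_type;
type sysfs_vibrator, fs_type, sysfs_type;
type sysfs_uhid, fs_type, sysfs_type;
type sysfs_thermal, sysfs_type, fs_type;

type sysfs_zram, fs_type, sysfs_type;
type sysfs_zram_uevent, fs_type, sysfs_type;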
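type inotify, fs_type, mlstrustedobject;
type devpts, fs_type, mlstrustedobject;
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;
# External-storage filesystems share the sdcard_type attribute. All four are
# also mlstrustedobject, i.e. exempt from the MLS constraints.
type fuse, sdcard_type, fs_type, mlstrustedobject;
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
type exfat, sdcard_type, fs_type, mlstrustedobject;
# debugfs and tracefs nodes. These expose kernel debugging and tracing
# interfaces; policy elsewhere decides which domains may use each type.
type debugfs, fs_type, debugfs_type;
type debugfs_kprobes, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
type debugfs_wakeup_sources, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
type securityfs, fs_type;

type pstorefs, fs_type;
type functionfs, fs_type, mlstrustedobject;
# contextmount_type marks filesystems that are labeled through a context=
# mount option.
type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
type binfmt_miscfs, fs_type;
type app_fusefs, fs_type, contextmount_type;
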
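# File types
# Label seen on objects that have no valid security context.
type unlabeled, file_type;

# Default type for anything under /system.
type system_file, system_file_type, file_type;
# Default type for /system/asan.options
type system_asan_options_file, system_file_type, file_type;
# Type for /system/etc/event-log-tags (liblog implementation detail)
type system_event_log_tags_file, system_file_type, file_type;
# Default type for anything under /system/lib[64].
type system_lib_file, system_file_type, file_type;
# system libraries that are available only to bootstrap processes
type system_bootstrap_lib_file, system_file_type, file_type;
# Default type for the group file /system/etc/group.
type system_group_file, system_file_type, file_type;
# Default type for linker executable /system/bin/linker[64].
type system_linker_exec, system_file_type, file_type;
# Default type for linker config /system/etc/ld.config.*.
type system_linker_config_file, system_file_type, file_type;
# Default type for the passwd file /system/etc/passwd.
type system_passwd_file, system_file_type, file_type;
# Default type for seccomp policy files /system/etc/seccomp_policy/*.
type system_seccomp_policy_file, system_file_type, file_type;
# Default type for cacerts in /system/etc/security/cacerts/*.
# These are the system CA certificates, so write access to this type
# changes which certificate authorities are trusted.
type system_security_cacerts_file, system_file_type, file_type;
# Default type for /system/bin/tcpdump.
# exec_type marks the file as an executable entry point for a domain.
type tcpdump_exec, system_file_type, exec_type, file_type;
# Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
type system_zoneinfo_file, system_file_type, file_type;
# Cgroups description file under /system/etc/cgroups.json
type cgroup_desc_file, system_file_type, file_type;
# Cgroups description file under /system/etc/task_profiles/cgroups_*.json
type cgroup_desc_api_file, system_file_type, file_type;
# Vendor cgroups description file under /vendor/etc/cgroups.json
type vendor_cgroup_desc_file, vendor_file_type, file_type;
# Task profiles file under /system/etc/task_profiles.json
type task_profiles_file, system_file_type, file_type;
# Task profiles file under /system/etc/task_profiles/task_profiles_*.json
type task_profiles_api_file, system_file_type, file_type;
# Vendor task profiles file under /vendor/etc/task_profiles.json
type vendor_task_profiles_file, vendor_file_type, file_type;
# Type for /system/apex/com.android.art
type art_apex_dir, system_file_type, file_type;
# /linkerconfig(/.*)?
type linkerconfig_file, file_type;
# Control files under /data/incremental
type incremental_control_file, file_type, data_file_type, core_data_file_type;
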
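# Default type for directories searched for
# HAL implementations
type vendor_hal_file, vendor_file_type, file_type;
# Default type for anything under /vendor or /system/vendor
type vendor_file, vendor_file_type, file_type;
# Default type for everything in /vendor/app
type vendor_app_file, vendor_file_type, file_type;
# Default type for everything under /vendor/etc/
type vendor_configs_file, vendor_file_type, file_type;
# Default type for all *same process* HALs and their lib/bin dependencies.
# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
# These libraries are loaded into the address space of the process that uses
# the HAL, so code under this type runs with that process's privileges.
type same_process_hal_file, vendor_file_type, file_type;
# Default type for vndk-sp libs. /vendor/lib/vndk-sp
type vndk_sp_file, vendor_file_type, file_type;
# Default type for everything in /vendor/framework
type vendor_framework_file, vendor_file_type, file_type;
# Default type for everything in /vendor/overlay
type vendor_overlay_file, vendor_file_type, file_type;
# Type for all vendor public libraries. These libs should only be exposed to
# apps. ABI stability of these libs is vendor's responsibility.
type vendor_public_lib_file, vendor_file_type, file_type;
# Type for all vendor public libraries for system. These libs should only be exposed to
# system. ABI stability of these libs is vendor's responsibility.
type vendor_public_framework_file, vendor_file_type, file_type;

# Input configuration
type vendor_keylayout_file, vendor_file_type, file_type;
type vendor_keychars_file, vendor_file_type, file_type;
type vendor_idc_file, vendor_file_type, file_type;
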
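# /metadata partition itself
# Each consumer of /metadata gets its own type below so that a domain can be
# limited to its own subdirectory. None of these types carries
# data_file_type.
type metadata_file, file_type;
# Vold files within /metadata
type vold_metadata_file, file_type;
# GSI files within /metadata
type gsi_metadata_file, gsi_metadata_file_type, file_type;
# DSU (GSI) files within /metadata that are globally readable.
type gsi_public_metadata_file, gsi_metadata_file_type, file_type;
# system_server shares Weaver slot information in /metadata
type password_slot_metadata_file, file_type;
# APEX files within /metadata
type apex_metadata_file, file_type;
# libsnapshot files within /metadata
type ota_metadata_file, file_type;
# property files within /metadata/bootstat
type metadata_bootstat_file, file_type;
# userspace reboot files within /metadata/userspacereboot
type userspace_reboot_metadata_file, file_type;
# Staged install files within /metadata/staged-install
type staged_install_file, file_type;
# Metadata information within /metadata/watchdog
type watchdog_metadata_file, file_type;
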
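# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
# Speedup access for trusted applications to the runtime event tags
type runtime_event_log_tags_file, file_type;
# Type for /system/bin/logcat.
type logcat_exec, system_file_type, exec_type, file_type;
# Speedup access to cgroup map file
type cgroup_rc_file, file_type;
# /cores for coredumps on userdebug / eng builds
type coredump_file, file_type;
# Types for files under /data follow. data_file_type covers every /data
# type; core_data_file_type is the subset that is not vendor data (the
# vendor_data_file-style types below omit it). Types that also carry
# mlstrustedobject are exempt from the MLS constraints, so only
# type-enforcement rules restrict access to them.
# Type of /data itself
type system_data_root_file, file_type, data_file_type, core_data_file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type, core_data_file_type;
# Type for /data/system/packages.list.
# TODO(b/129332765): Narrow down permissions to this.
# Find out users of system_data_file that should be granted only this.
type packages_list_file, file_type, data_file_type, core_data_file_type;
# Default type for anything under /data/vendor{_ce,_de}.
type vendor_data_file, file_type, data_file_type;
# Unencrypted data
type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
# installd-created files in /data/misc/installd such as layout_version
type install_data_file, file_type, data_file_type, core_data_file_type;
# /data/drm - DRM plugin data
type drm_data_file, file_type, data_file_type, core_data_file_type;
# /data/adb - adb debugging files
type adb_data_file, file_type, data_file_type, core_data_file_type;
# /data/anr - ANR traces
type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/tombstones - core dumps
type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/vendor/tombstones/wifi - vendor wifi dumps
type tombstone_wifi_data_file, file_type, data_file_type;
# /data/apex - APEX data files
type apex_data_file, file_type, data_file_type, core_data_file_type;
# /data/app - user-installed apps
type apk_data_file, file_type, data_file_type, core_data_file_type;
type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/app-private - forward-locked apps
type apk_private_data_file, file_type, data_file_type, core_data_file_type;
type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
# /data/ota
type ota_data_file, file_type, data_file_type, core_data_file_type;
# /data/ota_package
type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profiles
type user_profile_root_file, file_type, data_file_type, core_data_file_type;
type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profman
type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/prereboot
type prereboot_data_file, file_type, data_file_type, core_data_file_type;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
# /data/local - writable by shell
type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
# /data/property
type property_data_file, file_type, data_file_type, core_data_file_type;
# /data/bootchart
type bootchart_data_file, file_type, data_file_type, core_data_file_type;
# /data/system/dropbox
type dropbox_data_file, file_type, data_file_type, core_data_file_type;
# /data/system/heapdump
type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/nativetest
type nativetest_data_file, file_type, data_file_type, core_data_file_type;
# /data/local/tests
type shell_test_data_file, file_type, data_file_type, core_data_file_type;
# /data/system_de/0/ringtones
type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/preloads
type preloads_data_file, file_type, data_file_type, core_data_file_type;
# /data/preloads/media
type preloads_media_file, file_type, data_file_type, core_data_file_type;
# /data/misc/dhcp and /data/misc/dhcp-6.8.2
type dhcp_data_file, file_type, data_file_type, core_data_file_type;
# /data/server_configurable_flags
type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
# /data/app-staging
type staging_data_file, file_type, data_file_type, core_data_file_type;
# /vendor/apex
type vendor_apex_file, vendor_file_type, file_type;
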
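# Mount locations managed by vold
type mnt_media_rw_file, file_type;
type mnt_user_file, file_type;
type mnt_pass_through_file, file_type;
type mnt_expand_file, file_type;
type mnt_sdcard_file, file_type;
type storage_file, file_type;

# Label for storage dirs which are just mount stubs
type mnt_media_rw_stub_file, file_type;
type storage_stub_file, file_type;

# Mount location for read-write vendor partitions.
type mnt_vendor_file, file_type;

# Mount location for read-write product partitions.
type mnt_product_file, file_type;

# Mount point used for APEX images
type apex_mnt_dir, file_type;

# /apex/apex-info-list.xml created by apexd
type apex_info_file, file_type;

# /postinstall: Mount point used by update_engine to run postinstall.
type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
type postinstall_file, file_type;
# /postinstall/apex: Mount point used for APEX images within /postinstall.
type postinstall_apex_mnt_dir, file_type;

# /data_mirror: Contains mirror directory for storing all apps data.
# Declared with core_data_file_type but without data_file_type.
type mirror_data_file, file_type, core_data_file_type;
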
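# /data/misc subdirectories
# One type per service directory, so that each daemon can be confined to its
# own state. NOTE(review): by name, adb_keys_file, credstore_data_file,
# gatekeeper_data_file, keychain_data_file, keystore_data_file and
# systemkeys_data_file appear to hold key or credential material; confirm
# against file_contexts before widening access to any of them.
# Types that also carry mlstrustedobject are exempt from the MLS constraints.
type adb_keys_file, file_type, data_file_type, core_data_file_type;
type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type;
type apex_module_data_file, file_type, data_file_type, core_data_file_type;
type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type;
type apex_wifi_data_file, file_type, data_file_type, core_data_file_type;
type appcompat_data_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
type bootstat_data_file, file_type, data_file_type, core_data_file_type;
type boottrace_data_file, file_type, data_file_type, core_data_file_type;
type camera_data_file, file_type, data_file_type, core_data_file_type;
type credstore_data_file, file_type, data_file_type, core_data_file_type;
type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
type incident_data_file, file_type, data_file_type, core_data_file_type;
type keychain_data_file, file_type, data_file_type, core_data_file_type;
type keystore_data_file, file_type, data_file_type, core_data_file_type;
type media_data_file, file_type, data_file_type, core_data_file_type;
type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type misc_user_data_file, file_type, data_file_type, core_data_file_type;
type net_data_file, file_type, data_file_type, core_data_file_type;
type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
type nfc_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
type nfc_logs_data_file, file_type, data_file_type, core_data_file_type;
type radio_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
type recovery_data_file, file_type, data_file_type, core_data_file_type;
type shared_relro_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type;
type stats_data_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type vpn_data_file, file_type, data_file_type, core_data_file_type;
type wifi_data_file, file_type, data_file_type, core_data_file_type;
type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
type vold_data_file, file_type, data_file_type, core_data_file_type;
type iorapd_data_file, file_type, data_file_type, core_data_file_type;
# tee_data_file omits core_data_file_type, unlike its neighbours.
type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type gsi_data_file, file_type, data_file_type, core_data_file_type;
type radio_core_data_file, file_type, data_file_type, core_data_file_type;
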
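# /data/data subdirectories - app sandboxes
# app_data_file and privapp_data_file do not carry mlstrustedobject, so the
# MLS constraints apply to them in addition to type enforcement.
type app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
# /data/data subdirectories - priv-app sandboxes
type privapp_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
# /data/data subdirectory for system UID apps.
type system_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4.
# Default type for anything under /cache
type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for /cache/overlay /mnt/scratch/overlay
type overlayfs_file, file_type, data_file_type, core_data_file_type;
# Type for /cache/backup_stage/* (fd interchange with apps)
type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# type for anything under /cache/backup (local transport storage)
type cache_private_backup_file, file_type, data_file_type, core_data_file_type;
# Type for anything under /cache/recovery
type cache_recovery_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Default type for anything under /efs
type efs_file, file_type;
# Type for wallpaper file.
type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for shortcut manager icon file.
type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for user icon file.
type icon_file, file_type, data_file_type, core_data_file_type;
# /mnt/asec
type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Elements of asec files (/mnt/asec) that are world readable
type asec_public_file, file_type, data_file_type, core_data_file_type;
# /data/app-asec
type asec_image_file, file_type, data_file_type, core_data_file_type;
# /data/backup and /data/secure/backup
type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# All devices have bluetooth efs files. But they
# vary per device, so this type is used in per
# device policy
type bluetooth_efs_file, file_type;
# Biometric template storage. The fingerprintd type is core data; the
# *_vendor_data_file types omit core_data_file_type.
# Type for fingerprint template file
type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
# Type for _new_ fingerprint template file
type fingerprint_vendor_data_file, file_type, data_file_type;
# Type for appfuse file.
type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for face template file
type face_vendor_data_file, file_type, data_file_type;
# Type for iris template file
type iris_vendor_data_file, file_type, data_file_type;
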
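# Socket types
# coredomain_socket marks socket files owned by core (platform) components.
# Sockets that also carry mlstrustedobject are exempt from the MLS
# constraints, so which clients may connect is decided by type-enforcement
# rules alone; review connectto/write grants on those types with that in mind.
# rild_socket, rild_debug_socket, tombstoned_java_trace_socket and wpa_socket
# are declared without coredomain_socket.
type adbd_socket, file_type, coredomain_socket;
type bluetooth_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
type dumpstate_socket, file_type, coredomain_socket;
type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
type lmkd_socket, file_type, coredomain_socket;
type logd_socket, file_type, coredomain_socket, mlstrustedobject;
type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
type mdns_socket, file_type, coredomain_socket;
type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
type mtpd_socket, file_type, coredomain_socket;
type property_socket, file_type, coredomain_socket, mlstrustedobject;
type racoon_socket, file_type, coredomain_socket;
type recovery_socket, file_type, coredomain_socket;
type rild_socket, file_type;
type rild_debug_socket, file_type;
type snapuserd_socket, file_type, coredomain_socket;
type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
type system_unsolzygote_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
type tombstoned_intercept_socket, file_type, coredomain_socket;
type traced_consumer_socket, file_type, coredomain_socket, mlstrustedobject;
type traced_perf_socket, file_type, coredomain_socket, mlstrustedobject;
type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
type uncrypt_socket, file_type, coredomain_socket;
type wpa_socket, file_type, data_file_type, core_data_file_type;
type zygote_socket, file_type, coredomain_socket;
type heapprofd_socket, file_type, coredomain_socket, mlstrustedobject;
# UART (for GPS) control proc file
type gps_control, file_type;
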
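# PDX endpoint types
# Directory types that hold PDX service endpoint sockets.
type pdx_display_dir, pdx_endpoint_dir_type, file_type;
type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;

# pdx_service_socket_types(service, dir) is a macro defined outside this file;
# each call names a PDX service and the endpoint directory type it lives in.
pdx_service_socket_types(display_client, pdx_display_dir)
pdx_service_socket_types(display_manager, pdx_display_dir)
pdx_service_socket_types(display_screenshot, pdx_display_dir)
pdx_service_socket_types(display_vsync, pdx_display_dir)
pdx_service_socket_types(performance_client, pdx_performance_dir)
pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
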
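# The *_contexts and sepolicy files below are the on-device SELinux
# configuration itself. Write access to any of these types lets a domain
# change how objects are labeled or which policy is loaded, so they should
# stay read-only outside the update path.

# file_contexts files
type file_contexts_file, system_file_type, file_type;

# mac_permissions file
type mac_perms_file, system_file_type, file_type;

# property_contexts file
type property_contexts_file, system_file_type, file_type;

# seapp_contexts file
type seapp_contexts_file, system_file_type, file_type;

# sepolicy files binary and others
type sepolicy_file, system_file_type, file_type;

# service_contexts file
type service_contexts_file, system_file_type, file_type;

# keystore2_key_contexts_file
type keystore2_key_contexts_file, system_file_type, file_type;

# vendor service_contexts file
type vendor_service_contexts_file, vendor_file_type, file_type;

# nonplat service_contexts file (only accessible on non full-treble devices)
type nonplat_service_contexts_file, vendor_file_type, file_type;

# hwservice_contexts file
type hwservice_contexts_file, system_file_type, file_type;

# vndservice_contexts file
# Declared with file_type only (neither system_file_type nor
# vendor_file_type).
type vndservice_contexts_file, file_type;

# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;

# kernel modules
type vendor_kernel_modules, vendor_file_type, file_type;
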
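# Allow files to be created in their appropriate filesystems.
# The filesystem:associate permission controls whether an object carrying the
# source label may exist on a filesystem carrying the target label. These
# rules are deliberately narrow: a label that is not listed for a filesystem
# cannot be used on it.
# Every filesystem type may hold objects labeled with that same type.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
allow cgroup_v2 tmpfs:filesystem associate;
allow cgroup_rc_file tmpfs:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
# file_type labels are valid on labeled (xattr) filesystems, tmpfs and rootfs.
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
allow postinstall_file self:filesystem associate;
allow proc_net proc:filesystem associate;
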
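# asanwrapper (run a sanitized app_process, to be used with wrap properties)
# The type is declared only when the with_asan() macro expands its argument,
# so it should not exist in builds where that macro expands to nothing.
with_asan(`type asanwrapper_exec, exec_type, file_type;')

# Deprecated in SDK version 28
type audiohal_data_file, file_type, data_file_type, core_data_file_type;
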
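# It's a bug to assign both the file_type attribute and the fs_type attribute
# to the same type. Do not allow it.
#
# For example, the following is a bug:
# type apk_data_file, file_type, data_file_type, fs_type;
# Should be:
# type apk_data_file, file_type, data_file_type;
#
# How the check works: this file also contains
# "allow fs_type self:filesystem associate;". A type holding both attributes
# would therefore be an fs_type source associating with a file_type target
# (itself), which this neverallow rejects when the policy is built.
neverallow fs_type file_type:filesystem associate;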