# /proc/allocinfo
# Given its own label (instead of the generic proc label) so that read access
# can be granted to specific domains without opening up the rest of procfs.
type proc_allocinfo, fs_type, proc_type;

# /proc/config.gz
# Separately labelled kernel config, for the same reason as above.
type config_gz, fs_type, proc_type;

# /sys/fs/bpf/<dir> for mainline tethering use
# Each pinned-object directory under bpffs gets its own bpffs_type label so a
# domain can be granted access to exactly the maps/programs it needs and no
# others.
# TODO: move S+ fs_bpf_tethering here from public/file.te
type fs_bpf_net_private, fs_type, bpffs_type;
type fs_bpf_net_shared, fs_type, bpffs_type;
type fs_bpf_netd_readonly, fs_type, bpffs_type;
type fs_bpf_netd_shared, fs_type, bpffs_type;
type fs_bpf_loader, fs_type, bpffs_type;
type fs_bpf_uprobestats, fs_type, bpffs_type;
type fs_bpf_memevents, fs_type, bpffs_type;

# /data/system/mediadrm
type mediadrm_system_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/wmtrace for wm traces
# mlstrustedobject exempts this type from MLS constraints, presumably so it can
# be reached from a domain at a different MLS level (same pattern as
# virtualizationservice_data_file further down).
type wm_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;

# /data/misc/a11ytrace for accessibility traces
type accessibility_trace_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/perfetto-traces for perfetto traces
type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/perfetto-traces/bugreport for perfetto traces for bugreports.
type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/perfetto-traces/profiling for perfetto traces from profiling apis.
type perfetto_traces_profiling_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;

# /system/etc/perfetto for perfetto configs
type system_perfetto_config_file, file_type, system_file_type;

# /data/misc/uprobestats-configs for uprobestats configs
type uprobestats_configs_data_file, file_type, data_file_type, core_data_file_type;

# /apex/com.android.art/bin/oatdump
# TODO (b/350628688): Remove this once it's safe to do so.
type oatdump_exec, system_file_type, exec_type, file_type;

# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
# Note: unlike the per-app subdirectories below, the root directory does NOT
# carry app_data_file_type, so rules keyed on that attribute do not reach it.
type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
# app_data_file_type: treated as app-owned data by any rule written against
# that attribute.
type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;

# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
type debugfs_kcov, fs_type, debugfs_type;
58
# App executable files in /data/data directories
type app_exec_data_file, file_type, data_file_type, core_data_file_type;
# rs_data_file is kept as an alias of app_exec_data_file so that anything still
# referring to the old name resolves to the same type.
typealias app_exec_data_file alias rs_data_file;

# /data/misc_[ce|de]/rollback : Used by installd to store snapshots
# of application data.
type rollback_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc_ce/checkin for checkin apps.
type checkin_data_file, file_type, data_file_type, core_data_file_type;

# /data/gsi/ota
type ota_image_data_file, file_type, data_file_type, core_data_file_type;

# /data/gsi_persistent_data
type gsi_persistent_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/emergencynumberdb
type emergency_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/profcollectd
type profcollectd_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/apexdata/com.android.art
type apex_art_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

# /data/misc/apexdata/com.android.art/staging
# Note: unlike the other apexdata types in this file, the staging directory
# does not carry apex_data_file_type.
type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/apexdata/com.android.compos
type apex_compos_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

# /data/misc/apexdata/com.android.virt
type apex_virt_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

# /data/misc/apexdata/com.android.tethering
type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

# /data/misc/apexdata/com.android.uwb
type apex_uwb_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

# legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
# for backward compatibility b/217581286
type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_permission_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

# /data/font/files
type font_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/dmesgd
type dmesgd_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/odrefresh
type odrefresh_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/odsign
type odsign_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/odsign_metrics
type odsign_metrics_file, file_type, data_file_type, core_data_file_type;

# /data/misc/virtualizationservice
# The type needs to be mlstrustedobject to allow for being accessed from
# virtualizationmanager, which runs at a more constrained MLS level.
type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;

# /mnt/vm
# Note: file_type and core_data_file_type only -- this is not data_file_type,
# so rules granted on data_file_type do not cover it.
type vm_data_file, file_type, core_data_file_type;
129
# /data/system/environ
type environ_system_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/bootanim
type bootanim_data_file, file_type, data_file_type, core_data_file_type;

# /dev/kvm
# The type needs to be mlstrustedobject to allow for being accessed from
# crosvm, which runs at a more constrained MLS level.
# It is also tagged vm_manager_device_type (an attribute defined elsewhere).
type kvm_device, dev_type, mlstrustedobject, vm_manager_device_type;

# /apex/com.android.virt/bin/fd_server
type fd_server_exec, system_file_type, exec_type, file_type;

# /apex/com.android.compos/bin/compsvc
type compos_exec, exec_type, file_type, system_file_type;
# /apex/com.android.compos/bin/compos_key_helper
type compos_key_helper_exec, exec_type, file_type, system_file_type;

# Filesystem entry for the PRNG seeder socket. Processes require write
# permission on this to connect, and it needs to be mlstrustedobject in order
# to satisfy MLS constraints for trusted domains.
type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;

# /proc/device-tree/avf and /sys/firmware/devicetree/base/avf
# Two labels for the same device-tree node, one per filesystem it is exposed
# through (procfs and sysfs).
type sysfs_dt_avf, fs_type, sysfs_type;
type proc_dt_avf, fs_type, proc_type;

# Type for /system/fonts/font_fallback.xml
type system_font_fallback_file, system_file_type, file_type;

# Type for /sys/devices/uprobe.
type sysfs_uprobe, fs_type, sysfs_type;

# Type for aconfig daemon socket
type aconfigd_socket, file_type, coredomain_socket, mlstrustedobject;

# Type for aconfig mainline daemon socket
type aconfigd_mainline_socket, file_type, coredomain_socket, mlstrustedobject;

# Type for /(system|system_ext|product)/etc/aconfig
type system_aconfig_storage_file, system_file_type, file_type;

# Type for /vendor/etc/aconfig
type vendor_aconfig_storage_file, vendor_file_type, file_type;

# /data/misc/connectivityblobdb
type connectivityblob_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/wifi/mainline_supplicant
type mainline_supplicant_data_file, file_type, data_file_type, core_data_file_type;

# Type for /mnt/pre_reboot_dexopt
# file_type only: not data_file_type / core_data_file_type, so generic /data
# rules do not apply to it.
type pre_reboot_dexopt_file, file_type;

# Type for /mnt/artd_tmp in the Pre-reboot Dexopt chroot
# This type is set on the directory through the `rootcontext=` mount option.
type pre_reboot_dexopt_artd_file, file_type;

# /data/app-metadata - extracted app metadata bundles from APKs
type apk_metadata_file, file_type, data_file_type, core_data_file_type;

# Type for /sys/kernel/mm/pgsize_migration/enabled
type sysfs_pgsize_migration, fs_type, sysfs_type;

# /sys/firmware/acpi/tables
type sysfs_firmware_acpi_tables, fs_type, sysfs_type;

# Type for /system/bin/pbtombstone.
type pbtombstone_exec, system_file_type, exec_type, file_type;

# Allow files to be created in their appropriate filesystems.
# `filesystem associate` is checked when a file carrying a given label is
# created on (or relabelled within) a filesystem; these rules therefore define
# which file labels may exist on which filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
allow cgroup_v2 tmpfs:filesystem associate;
allow cgroup_rc_file tmpfs:filesystem associate;
# The `self` rule above only covers a label living on a filesystem with the
# same label; entries under sysfs/debugfs/proc carry their own more specific
# labels, so they need an explicit association with the parent filesystem.
allow sysfs_type sysfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
# Any file_type label may appear on a labeled filesystem, tmpfs, or the rootfs.
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
allow postinstall_file self:filesystem associate;
allow proc_net proc:filesystem associate;

# It's a bug to assign the file_type attribute and fs_type attribute
# to any type. Do not allow it.
#
# For example, the following is a bug:
# type apk_data_file, file_type, data_file_type, fs_type;
# Should be:
# type apk_data_file, file_type, data_file_type;
#
# This is checked at policy build time: a type carrying both attributes would
# match the fs_type and file_type associate rules above and trip this rule.
neverallow fs_type file_type:filesystem associate;
# app directories of storage areas: /data/storage_area/userId/pkgName -- apps cannot write to it
# All three storage-area types carry app_data_file_type, so any rule written
# against that attribute (for app domains) applies to them as well.
type storage_area_app_dir, file_type, data_file_type, core_data_file_type, app_data_file_type;
# app storage areas: /data/storage_area/userId/pkgName/storageAreaName
type storage_area_dir, file_type, data_file_type, core_data_file_type, app_data_file_type;
# contents of app storage areas: /data/storage_area/userId/pkgName/storageAreaName/*
type storage_area_content_file, file_type, data_file_type, core_data_file_type, app_data_file_type;

# /data/misc_ce/userId/storage_area_keys
# Key material for the storage areas above; deliberately NOT app_data_file_type,
# so app-data rules do not reach it.
type storage_area_key_file, file_type, data_file_type, core_data_file_type;

# /metadata/tradeinmode files
# The /metadata types below are file_type only (not data_file_type), since
# they do not live under /data.
type tradeinmode_metadata_file, file_type;

# /metadata/prefetch files
type prefetch_metadata_file, file_type;

# /metadata/libprocessgroup files
type libprocessgroup_metadata_file, file_type;

# Types added in 202504 in public/file.te
# For board API levels before 202504 the types below are still declared here,
# privately. From 202504 on, public/file.te provides them (per the header
# comment), so until_board_api drops these private declarations -- presumably
# to avoid a duplicate definition of the same type.
until_board_api(202504, `
    type binderfs_logs_transactions, fs_type;
    type binderfs_logs_transaction_history, fs_type;
')

until_board_api(202504, `
    type proc_cgroups, fs_type, proc_type;
')

until_board_api(202504, `
    type sysfs_udc, fs_type, sysfs_type;
')

until_board_api(202504, `
    type fs_bpf_lmkd_memevents_rb, fs_type, bpffs_type;
    type fs_bpf_lmkd_memevents_prog, fs_type, bpffs_type;
')

until_board_api(202504, `
    # boot otas for 16KB developer option
    type vendor_boot_ota_file, vendor_file_type, file_type;
')

until_board_api(202504, `
    type tee_service_contexts_file, system_file_type, file_type;
')

until_board_api(202504, `
    type sysfs_mem_sleep, fs_type, sysfs_type;
')

## END Types added in 202504 in public/file.te
Vadim Caen1d81f872024-08-19 15:08:35 +0200275## END Types added in 202504 in public/file.te