blob: 596cd428e0c1a5cb6f01d38fa941a0f6132ff9be [file] [log] [blame]
# Rules for all domains.
# Allow reaping by init.
allow domain init:process sigchld;
# Read access to properties mapping.
allow domain kernel:fd use;
allow domain tmpfs:file { read getattr };
# Search /storage/emulated tmpfs mount.
allow domain tmpfs:dir r_dir_perms;
# binder adjusts the nice value during IPC.
allow domain self:capability sys_nice;
# Intra-domain accesses.
allow domain self:process ~{ execstack execheap };
allow domain self:fd use;
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:{ fifo_file file } rw_file_perms;
allow domain self:{ unix_dgram_socket unix_stream_socket } *;
# Inherit or receive open files from others.
allow domain init:fd use;
allow domain system:fd use;
# Connect to adbd and use a socket transferred from it.
allow domain adbd:unix_stream_socket connectto;
allow domain adbd:fd use;
allow domain adbd:unix_stream_socket { getattr read write shutdown };
# Talk to debuggerd.
allow domain debuggerd:process sigchld;
allow domain debuggerd:unix_stream_socket connectto;
# Root fs.
allow domain rootfs:dir r_dir_perms;
allow domain rootfs:lnk_file { read getattr };
# Device accesses.
allow domain device:dir search;
allow domain devpts:dir search;
allow domain device:file read;
allow domain socket_device:dir search;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file r_file_perms;
allow domain ashmem_device:chr_file rw_file_perms;
allow domain binder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain powervr_device:chr_file rw_file_perms;
allow domain log_device:dir search;
allow domain log_device:chr_file w_file_perms;
allow domain nv_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
allow domain urandom_device:chr_file r_file_perms;
allow domain random_device:chr_file r_file_perms;
# Filesystem accesses.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
# System file accesses.
allow domain system_file:dir r_dir_perms;
allow domain system_file:file r_file_perms;
allow domain system_file:file execute;
allow domain system_file:lnk_file read;
# Read files already opened under /data.
allow domain system_data_file:dir { search getattr };
allow domain system_data_file:file { getattr read };
allow domain system_data_file:lnk_file read;
# Read apk files under /data/app.
allow domain apk_data_file:dir search;
allow domain apk_data_file:file r_file_perms;
# Read /data/dalvik-cache.
allow domain dalvikcache_data_file:dir { search getattr };
allow domain dalvikcache_data_file:file r_file_perms;
# Read already opened /cache files.
allow domain cache_file:dir r_dir_perms;
allow domain cache_file:file { getattr read };
allow domain cache_file:lnk_file read;
# For /acct/uid/*/tasks.
allow domain cgroup:dir { search write };
allow domain cgroup:file w_file_perms;
#Allow access to ion memory allocation device
allow domain ion_device:chr_file rw_file_perms;
# For /sys/qemu_trace files in the emulator.
bool in_qemu false;
if (in_qemu) {
allow domain sysfs:file rw_file_perms;
}
allow domain sysfs_writable:file rw_file_perms;
# Read access to pseudo filesystems.
r_dir_file(domain, proc)
r_dir_file(domain, sysfs)
r_dir_file(domain, inotify)
r_dir_file(domain, cgroup)
# debugfs access
bool debugfs false;
if (debugfs) {
allow domain debugfs:dir r_dir_perms;
allow domain debugfs:file rw_file_perms;
} else {
dontaudit domain debugfs:dir r_dir_perms;
dontaudit domain debugfs:file rw_file_perms;
}
# security files
allow domain security_file:dir { search getattr };
allow domain security_file:file getattr;