domain.te revision 61362840813c3a396339a7f7b5d73ca825a83748
1# Rules for all domains.
# Every rule in this file names `domain` as its source, so (per the header
# above) it is granted to every process domain. These rules are the floor of
# privilege for any confined process; each addition widens all of them.
2
3# Allow reaping by init.
4allow domain init:process sigchld;
5
6# Read access to properties mapping.
# Only `use` of kernel-owned descriptors and `read getattr` on tmpfs files are
# granted: there is no `open` and no `write`, so this covers a mapping that was
# already opened and inherited. The rule is keyed on the tmpfs type, not on the
# property file itself, so it applies to any file carrying that label.
7allow domain kernel:fd use;
8allow domain tmpfs:file { read getattr };
9
10# binder adjusts the nice value during IPC.
# This passes the SELinux check for sys_nice in every domain. The SELinux
# capability check is applied in addition to the ordinary Linux capability
# check, so a process still has to hold the capability itself.
11allow domain self:capability sys_nice;
12
13# Intra-domain accesses.
# `~{ execstack execheap }` is a complement set: every permission of the
# process class except those two is allowed on `self`.
# NOTE(review): the complement therefore also covers permissions such as
# execmem and ptrace between processes that share a label. An explicit
# allow-list would be easier to audit and would not silently pick up
# permissions added to the class later.
14allow domain self:process ~{ execstack execheap };
15allow domain self:fd use;
# r_dir_perms, r_file_perms and rw_file_perms are permission-set macros defined
# outside this file; the target is `self`, i.e. objects labelled with the
# domain's own type.
16allow domain self:dir r_dir_perms;
17allow domain self:lnk_file r_file_perms;
18allow domain self:{ fifo_file file } rw_file_perms;
# `*` grants every permission of both unix socket classes, limited to sockets
# labelled with the domain's own type.
19allow domain self:{ unix_dgram_socket unix_stream_socket } *;
20
21# Inherit or receive open files from others.
# `fd use` only permits using a descriptor that init or system opened and
# handed over; access to the object behind the descriptor is still checked
# against that object's own class and type.
22allow domain init:fd use;
23allow domain system:fd use;
24
25# Connect to adbd and use a socket transferred from it.
# `connectto` is checked against the label of the listening process. Because
# the source is `domain`, no caller is excluded at the policy level.
# NOTE(review): confirm that every domain needs to reach adbd, rather than
# only the domains started under adb.
26allow domain adbd:unix_stream_socket connectto;
27allow domain adbd:fd use;
28allow domain adbd:unix_stream_socket { getattr read write shutdown };
29
30# Talk to debuggerd.
# Any domain may signal sigchld to debuggerd and connect to its stream socket;
# no read/write on the socket object is granted in this file.
31allow domain debuggerd:process sigchld;
32allow domain debuggerd:unix_stream_socket connectto;
33
34# Root fs.
35allow domain rootfs:dir r_dir_perms;
36allow domain rootfs:lnk_file { read getattr };
37
38# Device accesses.
# The directory rules grant `search` only: a domain can traverse these
# directories to reach a node by name but cannot list them.
# NOTE(review): `device` looks like the generic label for /dev entries that
# have no more specific type; `read` on it is granted without `open` - confirm
# what relies on this.
39allow domain device:dir search;
40allow domain devpts:dir search;
41allow domain device:file read;
42allow domain socket_device:dir search;
# Character devices opened by every domain. rw_file_perms / r_file_perms /
# w_file_perms are macros defined outside this file (presumably including
# ioctl for the read set - TODO confirm), so each rw entry below exposes that
# driver's interface to every confined process.
43allow domain null_device:chr_file rw_file_perms;
44allow domain zero_device:chr_file r_file_perms;
45allow domain ashmem_device:chr_file rw_file_perms;
46allow domain binder_device:chr_file rw_file_perms;
47allow domain ptmx_device:chr_file rw_file_perms;
# NOTE(review): powervr_device (and nv_device below) appear to be
# vendor-specific nodes; confirm they belong in the all-domain baseline rather
# than in the specific domains that use them.
48allow domain powervr_device:chr_file rw_file_perms;
# Log devices get the write set only: domains can emit log records, and no
# read access to the log is granted here.
49allow domain log_device:dir search;
50allow domain log_device:chr_file w_file_perms;
51allow domain nv_device:chr_file rw_file_perms;
# Read-only for the alarm and both random devices.
52allow domain alarm_device:chr_file r_file_perms;
53allow domain urandom_device:chr_file r_file_perms;
54allow domain random_device:chr_file r_file_perms;
55
56# Filesystem accesses.
# getattr only, on every type carrying the fs_type attribute.
57allow domain fs_type:filesystem getattr;
58allow domain fs_type:dir getattr;
59
60# System file accesses.
# `execute` is granted without `execute_no_trans`. In SELinux, `execute` is
# what is checked for mapping a file executable (e.g. shared libraries), while
# running a program without a domain transition also needs execute_no_trans,
# which this file does not grant.
61allow domain system_file:dir r_dir_perms;
62allow domain system_file:file r_file_perms;
63allow domain system_file:file execute;
64allow domain system_file:lnk_file read;
65
66# Read files already opened under /data.
# The file rule lists `getattr read` but not `open`, which is what enforces
# "already opened": a domain can read a descriptor it was handed, but cannot
# open a system_data_file path on its own through this rule.
67allow domain system_data_file:dir { search getattr };
68allow domain system_data_file:file { getattr read };
69allow domain system_data_file:lnk_file read;
70
71# Read apk files under /data/app.
# Unlike the /data rule above, this uses the r_file_perms macro (defined
# outside this file; presumably includes open - TODO confirm), so any domain
# can read any file labelled apk_data_file. The directory is search-only, so
# the file name has to be known.
72allow domain apk_data_file:dir search;
73allow domain apk_data_file:file r_file_perms;
74
75# Read /data/dalvik-cache.
# Read-only for all domains; no write or execute on the cache is granted here.
76allow domain dalvikcache_data_file:dir { search getattr };
77allow domain dalvikcache_data_file:file r_file_perms;
78
79# Read already opened /cache files.
# Same pattern as /data: `getattr read` without `open` on files, although the
# directory itself gets the full r_dir_perms set.
80allow domain cache_file:dir r_dir_perms;
81allow domain cache_file:file { getattr read };
82allow domain cache_file:lnk_file read;
83
84# For /acct/uid/*/tasks.
# Write access for every domain to cgroup-labelled directories and files.
# The rule is keyed on the cgroup type, not on the tasks file named in the
# comment above.
85allow domain cgroup:dir { search write };
86allow domain cgroup:file w_file_perms;
87
88#Allow access to ion memory allocation device
# Read/write for every domain, so the allocator's driver interface is part of
# the baseline reachable from any confined process.
89allow domain ion_device:chr_file rw_file_perms;
90
91# For /sys/qemu_trace files in the emulator.
# `in_qemu` is a policy boolean declared with default false; the sysfs rule
# inside the braces only takes effect when the boolean is set to true.
92bool in_qemu false;
93if (in_qemu) {
94allow domain sysfs:file rw_file_perms;
95}
# This rule is outside the conditional block, so it applies regardless of
# in_qemu: every domain gets read/write on files labelled sysfs_writable.
# NOTE(review): which sysfs nodes carry that label is decided elsewhere
# (file contexts); review that list, since it is writable by all domains.
96allow domain sysfs_writable:file rw_file_perms;
97
98# Read access to pseudo filesystems.
# r_dir_file is a macro defined outside this file; from its name and use here
# it presumably grants read access to directories and files of the given
# type - TODO confirm the exact permission set against the macro definition.
99r_dir_file(domain, proc)
100r_dir_file(domain, sysfs)
101r_dir_file(domain, inotify)
102r_dir_file(domain, cgroup)
103
104# debugfs access
# `debugfs` is a policy boolean, default false. When true, every domain can
# read debugfs directories and read/write debugfs files.
# When false, the else branch does not grant anything: `dontaudit` leaves the
# access denied but suppresses the audit record. Denied debugfs accesses will
# therefore not show up in the audit log; when investigating, dontaudit rules
# have to be disabled first to see them.
105bool debugfs false;
106if (debugfs) {
107allow domain debugfs:dir r_dir_perms;
108allow domain debugfs:file rw_file_perms;
109} else {
110dontaudit domain debugfs:dir r_dir_perms;
111dontaudit domain debugfs:file  rw_file_perms;
112}
113