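#######################################################
#
# This is the unconfined template. This template is the base policy
# which is used by daemons and other privileged components of
# Android.
#
# Historically, this template was called "unconfined" because it
# allowed the domain to do anything it wanted. Over time,
# this has changed, and will continue to change in the future.
# The rules in this file will be removed when no remaining
# unconfined domains require it, or when the rules contradict
# Android security best practices. Domains which need rules not
# provided by the unconfined template should add them directly to
# the relevant policy.
#
# The use of this template is discouraged.
#
# Reading notes for reviewers:
#  - "~{ a b }" is the complement: every permission of the class
#    EXCEPT the ones listed. The listed names are therefore the
#    things an unconfined domain is still denied.
#  - "{ type -other }" is a type set with exclusions; excluded types
#    receive nothing from that rule.
#  - r_dir_perms / r_file_perms / rw_file_perms are macros defined
#    outside this file.
######################################################

# Capabilities: everything except the ones that would let a domain
# inspect/alter other processes or the kernel itself (ptrace, raw I/O,
# device node creation, module loading), tamper with the audit trail,
# or set the immutable attribute.
allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module audit_write audit_control linux_immutable };
# mac_override / mac_admin stay denied so an unconfined domain cannot
# bypass or administer the MAC layer.
allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
# No policy reload, no switching enforcing mode, no booleans or
# security parameters: the SELinux configuration itself is off limits.
allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
# Kernel log access is excluded; domains that need it must ask for it
# in their own policy.
allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console };
# Cross-domain access. The "domain" attribute covers every process type,
# so these rules reach all domains, not just unconfined ones.
allow unconfineddomain domain:fd *;
# dir/lnk_file/file/fifo_file with a process type as target are the
# per-process entries labelled with that domain (typically /proc/<pid>).
allow unconfineddomain domain:dir r_dir_perms;
allow unconfineddomain domain:lnk_file r_file_perms;
allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
# Full permissions on the listed socket classes owned by any domain.
# Note the set is explicit: tcp/udp/rawip socket classes are not in it.
allow unconfineddomain domain:{
    socket
    netlink_socket
    key_socket
    unix_stream_socket
    unix_dgram_socket
    netlink_route_socket
    netlink_firewall_socket
    netlink_tcpdiag_socket
    netlink_nflog_socket
    netlink_xfrm_socket
    netlink_selinux_socket
    netlink_audit_socket
    netlink_ip6fw_socket
    netlink_dnrt_socket
    netlink_kobject_uevent_socket
    tun_socket
} *;
allow unconfineddomain domain:ipc_class_set *;
allow unconfineddomain domain:key *;
# Non-regular filesystem objects (dirs, symlinks, sockets, fifos):
# everything but relabelto. The excluded types get nothing here, which
# is what keeps keystore, property, system, executable, security,
# shell and app data out of reach of a generic unconfined domain.
allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~relabelto;
allow unconfineddomain {
    file_type
    -keystore_data_file
    -property_data_file
    -system_file
    -exec_type
    -security_file
    -shell_data_file
    -app_data_file
}:{ dir lnk_file sock_file fifo_file } ~relabelto;
# Executables and system files are read + execute only; no write
# permission is granted to them anywhere in this template.
allow unconfineddomain exec_type:dir r_dir_perms;
allow unconfineddomain exec_type:file { r_file_perms execute };
allow unconfineddomain exec_type:lnk_file r_file_perms;
allow unconfineddomain system_file:dir r_dir_perms;
allow unconfineddomain system_file:file { r_file_perms execute };
allow unconfineddomain system_file:lnk_file r_file_perms;
# Regular and character-device files: everything except the execute
# family and relabelto. Writable files therefore cannot also be
# executed through these rules. kmem_device is excluded from the
# dev_type rule entirely.
allow unconfineddomain {
    fs_type
    -usermodehelper
    -proc_security
    -contextmount_type
    -rootfs
    -sdcard_type
}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
allow unconfineddomain {
    file_type
    -keystore_data_file
    -property_data_file
    -system_file
    -exec_type
    -security_file
    -shell_data_file
    -app_data_file
}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
# rootfs files: execute only (rootfs is excluded from the rule above).
allow unconfineddomain rootfs:file execute;
# Context-mounted filesystems are read-only from this template.
allow unconfineddomain contextmount_type:dir r_dir_perms;
allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms;
# Network nodes and interfaces: unrestricted.
allow unconfineddomain node_type:node *;
allow unconfineddomain netif_type:netif *;
allow unconfineddomain domain:peer recv;
# Binder to every domain except init. set_context_mgr is the right to
# register as the binder context manager; granting it to all unconfined
# domains is broader than any single daemon needs, so reviewers should
# expect this line to shrink as domains move to their own policy.
allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };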
91