unconfined.te revision 5622cca0807eec1460ede5aea1ff1759d5e9e824
1####################################################### 2# 3# This is the unconfined template. This template is the base policy 4# which is used by daemons and other privileged components of 5# Android. 6# 7# Historically, this template was called "unconfined" because it 8# allowed the domain to do anything it wanted. Over time, 9# this has changed, and will continue to change in the future. 10# The rules in this file will be removed when no remaining 11# unconfined domains require it, or when the rules contradict 12# Android security best practices. Domains which need rules not 13# provided by the unconfined template should add them directly to 14# the relevant policy. 15# 16# The use of this template is discouraged. 17###################################################### 18 19allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module audit_write audit_control linux_immutable }; 20allow unconfineddomain self:capability2 ~{ mac_override mac_admin }; 21allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam }; 22allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console }; 23allow unconfineddomain domain:process { 24 fork 25 sigchld 26 sigkill 27 sigstop 28 signull 29 signal 30 getsched 31 setsched 32 getsession 33 getpgid 34 setpgid 35 getcap 36 setcap 37 share 38 getattr 39 noatsecure 40 siginh 41 setrlimit 42 rlimitinh 43}; 44allow unconfineddomain domain:fd *; 45allow unconfineddomain domain:dir r_dir_perms; 46allow unconfineddomain domain:lnk_file r_file_perms; 47allow unconfineddomain domain:{ fifo_file file } rw_file_perms; 48allow unconfineddomain domain:socket_class_set *; 49allow unconfineddomain domain:ipc_class_set *; 50allow unconfineddomain domain:key *; 51allow unconfineddomain {fs_type -contextmount_type}:{ dir lnk_file sock_file fifo_file } ~relabelto; 52allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~relabelto; 53allow unconfineddomain { 54 file_type 55 -keystore_data_file 56 -property_data_file 57 -system_file 58 -exec_type 59 -security_file 60 -shell_data_file 61}:{ dir lnk_file sock_file fifo_file } ~relabelto; 62allow unconfineddomain exec_type:dir r_dir_perms; 63allow unconfineddomain exec_type:file { rx_file_perms execmod }; 64allow unconfineddomain exec_type:lnk_file r_file_perms; 65allow unconfineddomain system_file:dir r_dir_perms; 66allow unconfineddomain system_file:file { rx_file_perms execmod }; 67allow unconfineddomain system_file:lnk_file r_file_perms; 68allow unconfineddomain { 69 fs_type 70 -usermodehelper 71 -proc_security 72 -contextmount_type 73}:{ chr_file file } ~{entrypoint execmod execute relabelto}; 74allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto}; 75allow unconfineddomain { 76 file_type 77 -keystore_data_file 78 -property_data_file 79 -system_file 80 -exec_type 81 -security_file 82 -shell_data_file 83}:{ chr_file file } ~{entrypoint execmod execute relabelto}; 84allow unconfineddomain rootfs:file execute; 85allow unconfineddomain contextmount_type:dir r_dir_perms; 86allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms; 87allow unconfineddomain node_type:node *; 88allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind; 89allow unconfineddomain netif_type:netif *; 90allow unconfineddomain port_type:socket_class_set name_bind; 91allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect; 92allow unconfineddomain domain:peer recv; 93allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr }; 94allow unconfineddomain { property_type -security_prop }:property_service set; 95