# Filesystem types
# Types declared here label filesystems and pseudo-filesystem nodes (proc,
# sysfs, cgroup, ...), as opposed to files on a labeled filesystem.
# NOTE(review): mlstrustedobject is understood to exempt an object from MLS
# category checks; the constraint itself is not in this file, so confirm
# against the MLS policy before attaching it to a new type.
type labeledfs, fs_type;
type pipefs, fs_type;
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type;
# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type;
type proc_drop_caches, fs_type;
type proc_overcommit_memory, fs_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type, sysfs_type;
type qtaguid_proc, fs_type, mlstrustedobject;
type proc_bluetooth_writable, fs_type;
type proc_cpuinfo, fs_type;
type proc_interrupts, fs_type;
type proc_iomem, fs_type;
type proc_meminfo, fs_type;
type proc_misc, fs_type;
type proc_modules, fs_type;
type proc_net, fs_type;
type proc_perf, fs_type;
type proc_stat, fs_type;
type proc_sysrq, fs_type;
type proc_timer, fs_type;
type proc_tty_drivers, fs_type;
type proc_uid_cputime_showstat, fs_type;
type proc_uid_cputime_removeuid, fs_type;
type proc_uid_io_stats, fs_type;
type proc_uid_procstat_set, fs_type;
type proc_zoneinfo, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_leds, fs_type, sysfs_type;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_mac_address, fs_type, sysfs_type;
# NOTE(review): unlike the other sysfs_* types in this block, sysfs_usb carries
# file_type rather than fs_type; confirm this is intentional.
type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
type configfs, fs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
# /sys/module/lowmemorykiller
type sysfs_lowmemorykiller, fs_type, sysfs_type;
# /sys/module/wlan/parameters/fwpath
type sysfs_wlan_fwpath, fs_type, sysfs_type;
type sysfs_vibrator, fs_type, sysfs_type;
type sysfs_thermal, sysfs_type, fs_type;

type sysfs_zram, fs_type, sysfs_type;
type sysfs_zram_uevent, fs_type, sysfs_type;
type inotify, fs_type, mlstrustedobject;
type devpts, fs_type, mlstrustedobject;
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;
# Filesystems grouped under sdcard_type.
type fuse, sdcard_type, fs_type, mlstrustedobject;
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
# debugfs and the finer-grained labels for nodes beneath it (debugfs_type).
type debugfs, fs_type;
type debugfs_mmc, fs_type, debugfs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing, fs_type, debugfs_type;
type debugfs_tracing_instances, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type;
type tracing_shell_writable, fs_type, debugfs_type;
type tracing_shell_writable_debug, fs_type, debugfs_type;

type pstorefs, fs_type;
type functionfs, fs_type, mlstrustedobject;
type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
type binfmt_miscfs, fs_type;
type app_fusefs, fs_type, contextmount_type;

# File types
# From here on, types label files rather than filesystems and carry file_type.
# NOTE(review): mlstrustedobject is understood to exempt an object from MLS
# category checks; the constraint itself is not in this file, so confirm
# against the MLS policy before attaching it to a new type.
type unlabeled, file_type;

# Default type for anything under /system.
type system_file, file_type;

# Default type for directories searched for
# HAL implementations
type vendor_hal_file, vendor_file_type, file_type;
# Default type for anything under /vendor or /system/vendor
type vendor_file, vendor_file_type, file_type;
# Default type for everything in /vendor/app
type vendor_app_file, vendor_file_type, file_type;
# Default type for everything under /vendor/etc/
type vendor_configs_file, vendor_file_type, file_type;
# Default type for all *same process* HALs.
# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
type same_process_hal_file, vendor_file_type, file_type;
# Default type for vndk-sp libs. /vendor/lib/vndk-sp
type vndk_sp_file, vendor_file_type, file_type;
# Default type for everything in /vendor/framework
type vendor_framework_file, vendor_file_type, file_type;
# Default type for everything in /vendor/overlay
type vendor_overlay_file, vendor_file_type, file_type;

# Speed up access for trusted applications to the runtime event tags
type runtime_event_log_tags_file, file_type;
# Type for /system/bin/logcat.
type logcat_exec, exec_type, file_type;
# /cores for coredumps on userdebug / eng builds
type coredump_file, file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type, core_data_file_type;
# Unencrypted data
type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
# /data/.layout_version or other installd-created files that
# are created in a system_data_file directory.
type install_data_file, file_type, data_file_type, core_data_file_type;
# /data/drm - DRM plugin data
type drm_data_file, file_type, data_file_type, core_data_file_type;
# /data/adb - adb debugging files
type adb_data_file, file_type, data_file_type, core_data_file_type;
# /data/anr - ANR traces
type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/tombstones - core dumps
type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/app - user-installed apps
type apk_data_file, file_type, data_file_type, core_data_file_type;
type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/app-private - forward-locked apps
type apk_private_data_file, file_type, data_file_type, core_data_file_type;
type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
# /data/ota
type ota_data_file, file_type, data_file_type, core_data_file_type;
# /data/ota_package
type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profiles
type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profman
type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
# /data/local - writable by shell
type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/property
type property_data_file, file_type, data_file_type, core_data_file_type;
# /data/bootchart
type bootchart_data_file, file_type, data_file_type, core_data_file_type;
# /data/system/heapdump
type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/nativetest
type nativetest_data_file, file_type, data_file_type, core_data_file_type;
# /data/system_de/0/ringtones
type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/preloads
type preloads_data_file, file_type, data_file_type, core_data_file_type;
# /data/preloads/media
type preloads_media_file, file_type, data_file_type, core_data_file_type;
# /data/misc/dhcp and /data/misc/dhcp-6.8.2
type dhcp_data_file, file_type, data_file_type, core_data_file_type;

# Mount locations managed by vold
type mnt_media_rw_file, file_type;
type mnt_user_file, file_type;
type mnt_expand_file, file_type;
type storage_file, file_type;

# Label for storage dirs which are just mount stubs
type mnt_media_rw_stub_file, file_type;
type storage_stub_file, file_type;

# /postinstall: Mount point used by update_engine to run postinstall.
type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
type postinstall_file, file_type;

# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audiohal_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
type bootstat_data_file, file_type, data_file_type, core_data_file_type;
type boottrace_data_file, file_type, data_file_type, core_data_file_type;
type camera_data_file, file_type, data_file_type, core_data_file_type;
type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
type incident_data_file, file_type, data_file_type, core_data_file_type;
type keychain_data_file, file_type, data_file_type, core_data_file_type;
type keystore_data_file, file_type, data_file_type, core_data_file_type;
type media_data_file, file_type, data_file_type, core_data_file_type;
type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type misc_user_data_file, file_type, data_file_type, core_data_file_type;
type net_data_file, file_type, data_file_type, core_data_file_type;
type nfc_data_file, file_type, data_file_type, core_data_file_type;
type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type reboot_data_file, file_type, data_file_type, core_data_file_type;
type recovery_data_file, file_type, data_file_type, core_data_file_type;
type shared_relro_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
type vpn_data_file, file_type, data_file_type, core_data_file_type;
type wifi_data_file, file_type, data_file_type, core_data_file_type;
type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
type vold_data_file, file_type, data_file_type, core_data_file_type;
type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# NOTE(review): tee_data_file is the only type in this group declared without
# core_data_file_type; presumably intentional, confirm before copying it.
type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;

# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type, core_data_file_type;
# /data/data subdirectory for system UID apps.
type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4.
# NOTE(review): no alias or type declaration follows the comment above in this
# listing; it looks like a leftover. Confirm and remove if so.
# Default type for anything under /cache
type cache_file, file_type, mlstrustedobject;
# Type for /cache/backup_stage/* (fd interchange with apps)
type cache_backup_file, file_type, mlstrustedobject;
# Type for anything under /cache/backup (local transport storage)
type cache_private_backup_file, file_type;
# Type for anything under /cache/recovery
type cache_recovery_file, file_type, mlstrustedobject;
# Default type for anything under /efs
type efs_file, file_type;
# Type for wallpaper file.
type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for shortcut manager icon file.
type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for user icon file.
type icon_file, file_type, data_file_type, core_data_file_type;
# /mnt/asec
type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Elements of asec files (/mnt/asec) that are world readable
type asec_public_file, file_type, data_file_type, core_data_file_type;
# /data/app-asec
type asec_image_file, file_type, data_file_type, core_data_file_type;
# /data/backup and /data/secure/backup
type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# All devices have bluetooth efs files, but they
# vary per device, so this type is used in
# per-device policy.
type bluetooth_efs_file, file_type;
# Type for fingerprint template file
type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
# Type for appfuse file.
type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;

# Socket types
# Most sockets below carry coredomain_socket; rild_socket and
# rild_debug_socket are declared with file_type only.
type adbd_socket, file_type, coredomain_socket;
type bluetooth_socket, file_type, coredomain_socket;
type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
type dumpstate_socket, file_type, coredomain_socket;
type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
type lmkd_socket, file_type, coredomain_socket;
type logd_socket, file_type, coredomain_socket, mlstrustedobject;
type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
type mdns_socket, file_type, coredomain_socket;
type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
# NOTE(review): named *_file but declared among the sockets with
# coredomain_socket; confirm what this type actually labels.
type misc_logd_file, coredomain_socket, file_type;
type mtpd_socket, file_type, coredomain_socket;
type netd_socket, file_type, coredomain_socket;
type property_socket, file_type, coredomain_socket, mlstrustedobject;
type racoon_socket, file_type, coredomain_socket;
type rild_socket, file_type;
type rild_debug_socket, file_type;
type system_wpa_socket, file_type, coredomain_socket;
type system_ndebug_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_intercept_socket, file_type, coredomain_socket;
type uncrypt_socket, file_type, coredomain_socket;
type vold_socket, file_type, coredomain_socket;
type webview_zygote_socket, file_type, coredomain_socket;
# wpa_socket is declared without coredomain_socket, unlike system_wpa_socket.
type wpa_socket, file_type;
type zygote_socket, file_type, coredomain_socket;
# UART (for GPS) control proc file
type gps_control, file_type;

# PDX endpoint types
type pdx_display_dir, pdx_endpoint_dir_type, file_type;
type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;

# pdx_service_socket_types is a macro defined outside this file; presumably it
# declares the socket types for the named service under the given endpoint
# directory type. Confirm against the macro definition.
pdx_service_socket_types(display_client, pdx_display_dir)
pdx_service_socket_types(display_manager, pdx_display_dir)
pdx_service_socket_types(display_screenshot, pdx_display_dir)
pdx_service_socket_types(display_vsync, pdx_display_dir)
pdx_service_socket_types(performance_client, pdx_performance_dir)
pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)

# file_contexts files
type file_contexts_file, file_type;

# mac_permissions file
type mac_perms_file, file_type;

# property_contexts file
type property_contexts_file, file_type;

# seapp_contexts file
type seapp_contexts_file, file_type;

# sepolicy files binary and others
type sepolicy_file, file_type;

# service_contexts file
type service_contexts_file, file_type;

# hwservice_contexts file
type hwservice_contexts_file, file_type;

# vndservice_contexts file
type vndservice_contexts_file, file_type;

# Allow files to be created in their appropriate filesystems.
# Each fs_type type may associate with a filesystem labeled with that same type.
allow fs_type self:filesystem associate;
# sysfs_type objects live on the filesystem labeled sysfs.
allow sysfs_type sysfs:filesystem associate;
# debugfs_type objects may live on debugfs or on debugfs_tracing.
allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
# file_type objects may live on labeled filesystems, tmpfs and rootfs.
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
# Device nodes (dev_type) may be created on tmpfs.
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
allow postinstall_file self:filesystem associate;

# It's a bug to assign both the file_type attribute and the fs_type
# attribute to the same type. Do not allow it.
#
# For example, the following is a bug:
# type apk_data_file, file_type, data_file_type, fs_type;
# Should be:
# type apk_data_file, file_type, data_file_type;
#
# This works as a build-time check because of the "allow fs_type self" rule
# above: a type holding both attributes would be granted associate on itself,
# which is an fs_type source with a file_type target and so violates the
# neverallow below.
neverallow fs_type file_type:filesystem associate;