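###
### A domain for further sandboxing privileged apps.
###
### Layout: attribute and macro grants first, then individual allow rules,
### then dontaudit rules, then neverallow assertions. Macros and types used
### here are defined elsewhere in the policy tree.
###

typeattribute priv_app coredomain;
app_domain(priv_app)

# Access the network.
net_domain(priv_app)
# Access bluetooth.
bluetooth_domain(priv_app)

# Allow the allocation and use of ptys
# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
create_pty(priv_app)

# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
# The target is "self", so this grants ptrace only against the priv_app type
# itself, not against any other domain.
allow priv_app self:process ptrace;

# Some apps ship with shared libraries that they write out
# to their sandbox directory and then dlopen().
# NOTE(review): execute on app_data_file means files the app can write may
# also be loaded as code. This is a compatibility trade-off; keep it in mind
# when auditing this domain for write-then-execute paths.
allow priv_app app_data_file:file execute;

# Binder services that priv_app may look up through the service manager.
# Only "find" is granted; registering services is blocked by a neverallow
# rule further down.
allow priv_app app_api_service:service_manager find;
allow priv_app audioserver_service:service_manager find;
allow priv_app cameraserver_service:service_manager find;
allow priv_app drmserver_service:service_manager find;
allow priv_app mediacodec_service:service_manager find;
allow priv_app mediadrmserver_service:service_manager find;
allow priv_app mediaextractor_service:service_manager find;
allow priv_app mediametrics_service:service_manager find;
allow priv_app mediaserver_service:service_manager find;
allow priv_app network_watchlist_service:service_manager find;
allow priv_app nfc_service:service_manager find;
allow priv_app oem_lock_service:service_manager find;
allow priv_app persistent_data_block_service:service_manager find;
allow priv_app radio_service:service_manager find;
allow priv_app recovery_service:service_manager find;
allow priv_app stats_service:service_manager find;
allow priv_app system_api_service:service_manager find;

# Write to /cache.
allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
# /cache is a symlink to /data/cache on some devices. Allow reading the link.
allow priv_app cache_file:lnk_file r_file_perms;

# Write to /data/ota_package for OTA packages.
allow priv_app ota_package_file:dir rw_dir_perms;
allow priv_app ota_package_file:file create_file_perms;

# Access to /data/media.
allow priv_app media_rw_data_file:dir create_dir_perms;
allow priv_app media_rw_data_file:file create_file_perms;

# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow priv_app shell_data_file:file r_file_perms;
allow priv_app shell_data_file:dir r_dir_perms;

# Allow traceur to pass file descriptors through a content provider to betterbug
# Only getattr and read are granted: priv_app can use a descriptor it was
# handed but cannot open trace files by path (open and all directory access
# are covered by the neverallow rules at the end of this file).
allow priv_app trace_data_file:file { getattr read };

# Allow verifier to access staged apks.
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;

# b/18504118: Allow reads from /data/anr/traces.txt
allow priv_app anr_data_file:file r_file_perms;

# Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all
# data stored in that directory to process them one by one.
userdebug_or_eng(`
  allow priv_app perfprofd_data_file:file r_file_perms;
  allow priv_app perfprofd_data_file:dir r_dir_perms;
')

# For AppFuse.
allow priv_app vold:fd use;
allow priv_app fuse_device:chr_file { read write };

# /proc access
allow priv_app {
  proc_vmstat
}:file r_file_perms;

allow priv_app sysfs_type:dir search;
# Read access to /sys/class/net/wlan*/address
r_dir_file(priv_app, sysfs_net)
# Read access to /sys/block/zram*/mm_stat
r_dir_file(priv_app, sysfs_zram)

r_dir_file(priv_app, rootfs)

# Allow GMS core to open kernel config for OTA matching through libvintf
allow priv_app config_gz:file { open read getattr };

# access the mac address
# allowxperm names the specific ioctl command permitted on the socket class;
# SIOCGIFHWADDR returns the interface hardware address, which is a stable
# device identifier.
allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;

# Allow GMS core to communicate with update_engine for A/B update.
binder_call(priv_app, update_engine)
allow priv_app update_engine_service:service_manager find;

# Allow GMS core to communicate with dumpsys storaged.
binder_call(priv_app, storaged)
allow priv_app storaged_service:service_manager find;

# Allow GMS core to access system_update_service (e.g. to publish pending
# system update info).
allow priv_app system_update_service:service_manager find;

# Allow GMS core to communicate with statsd.
binder_call(priv_app, statsd)

# Allow Phone to read/write cached ringtones (opened by system).
# No open permission here: the file is opened by the system and the
# descriptor is passed in.
allow priv_app ringtone_file:file { getattr read write };

# Access to /data/preloads
allow priv_app preloads_data_file:file r_file_perms;
allow priv_app preloads_data_file:dir r_dir_perms;
allow priv_app preloads_media_file:file r_file_perms;
allow priv_app preloads_media_file:dir r_dir_perms;

# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
allow priv_app keystore:keystore_key gen_unique_id;

# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
allow priv_app selinuxfs:file r_file_perms;

read_runtime_log_tags(priv_app)

# Write app-specific trace data to the Perfetto traced daemon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
allow priv_app traced:fd use;
allow priv_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(priv_app, traced_producer, traced)

# suppress denials for non-API accesses.
# dontaudit does not grant anything: the access is still denied, but no avc
# denial is logged. When investigating priv_app behaviour, remember that
# attempts matching these rules leave no audit record.
dontaudit priv_app exec_type:file getattr;
dontaudit priv_app device:dir read;
dontaudit priv_app fs_bpf:dir search;
dontaudit priv_app net_dns_prop:file read;
dontaudit priv_app proc:file read;
dontaudit priv_app proc_interrupts:file read;
dontaudit priv_app proc_modules:file read;
dontaudit priv_app proc_stat:file read;
dontaudit priv_app proc_version:file read;
dontaudit priv_app sysfs:dir read;
dontaudit priv_app sysfs_android_usb:file read;
dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;

# allow privileged apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow priv_app system_server:udp_socket {
  connect getattr read recvfrom sendto write getopt setopt };

###
### neverallow rules
###
### These are assertions checked when the policy is built: they add no
### runtime check of their own, but the build fails if any allow rule
### (including one added by a vendor or a later change) contradicts them.
###

# Receive or send uevent messages.
neverallow priv_app domain:netlink_kobject_uevent_socket *;

# Receive or send generic netlink messages
neverallow priv_app domain:netlink_socket *;

# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow priv_app debugfs:file read;

# Do not allow privileged apps to register services.
# Only trusted components of Android should be registering
# services.
neverallow priv_app service_manager_type:service_manager add;

# Do not allow privileged apps to connect to the property service
# or set properties. b/10243159
neverallow priv_app property_socket:sock_file write;
neverallow priv_app init:unix_stream_socket connectto;
neverallow priv_app property_type:property_service set;

# Do not allow priv_app to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints.  As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and priv_app is allowed fork permission to itself.
neverallow priv_app mlstrustedsubject:process fork;

# Do not allow priv_app to hard link to any files.
# In particular, if priv_app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file.  Hard links also contribute to security
# bugs, so we want to ensure priv_app never has this
# capability.
neverallow priv_app file_type:file link;

# priv apps should not be able to open trace data files, they should depend
# upon traceur to pass a file descriptor which they can then read
neverallow priv_app trace_data_file:dir *;
neverallow priv_app trace_data_file:file { no_w_file_perms open };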