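# Filesystem types
#
# Each statement below declares one SELinux type and attaches attributes to it.
# The attributes used here (fs_type, proc_type, sysfs_type, debugfs_type,
# sdcard_type, contextmount_type, mlstrustedobject) are declared outside this
# listing.
# NOTE(review): in AOSP policy, mlstrustedobject exempts an object from the MLS
# (level/category) constraints, so any type carrying it can be reached across
# app/user category boundaries wherever a TE allow rule exists. Confirm each
# use below is intentional before copying the pattern to a new type.
type labeledfs, fs_type;
type pipefs, fs_type;
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type, proc_type;
# Security-sensitive proc nodes that should not be writable by most domains.
type proc_security, fs_type, proc_type;
type proc_drop_caches, fs_type, proc_type;
type proc_overcommit_memory, fs_type, proc_type;
type proc_min_free_order_shift, fs_type, proc_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
# Write access to these nodes selects the helper binary the kernel will launch,
# so grants on these two types deserve the same scrutiny as a privileged exec.
type usermodehelper, fs_type, proc_type;
type sysfs_usermodehelper, fs_type, sysfs_type;
type qtaguid_proc, fs_type, mlstrustedobject, proc_type;
type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type;
type proc_bluetooth_writable, fs_type, proc_type;
type proc_abi, fs_type, proc_type;
type proc_asound, fs_type, proc_type;
type proc_buddyinfo, fs_type, proc_type;
type proc_cmdline, fs_type, proc_type;
type proc_cpuinfo, fs_type, proc_type;
type proc_dirty, fs_type, proc_type;
type proc_diskstats, fs_type, proc_type;
type proc_extra_free_kbytes, fs_type, proc_type;
type proc_filesystems, fs_type, proc_type;
type proc_hostname, fs_type, proc_type;
type proc_hung_task, fs_type, proc_type;
type proc_interrupts, fs_type, proc_type;
type proc_iomem, fs_type, proc_type;
type proc_kmsg, fs_type, proc_type;
type proc_loadavg, fs_type, proc_type;
type proc_max_map_count, fs_type, proc_type;
type proc_meminfo, fs_type, proc_type;
type proc_misc, fs_type, proc_type;
type proc_modules, fs_type, proc_type;
type proc_mounts, fs_type, proc_type;
type proc_net, fs_type, proc_type;
type proc_page_cluster, fs_type, proc_type;
type proc_pagetypeinfo, fs_type, proc_type;
type proc_panic, fs_type, proc_type;
type proc_perf, fs_type, proc_type;
type proc_pid_max, fs_type, proc_type;
type proc_pipe_conf, fs_type, proc_type;
type proc_random, fs_type, proc_type;
type proc_sched, fs_type, proc_type;
type proc_stat, fs_type, proc_type;
type proc_swaps, fs_type, proc_type;
type proc_sysrq, fs_type, proc_type;
type proc_timer, fs_type, proc_type;
type proc_tty_drivers, fs_type, proc_type;
type proc_uid_cputime_showstat, fs_type, proc_type;
type proc_uid_cputime_removeuid, fs_type, proc_type;
type proc_uid_io_stats, fs_type, proc_type;
type proc_uid_procstat_set, fs_type, proc_type;
type proc_uid_time_in_state, fs_type, proc_type;
type proc_uid_concurrent_active_time, fs_type, proc_type;
type proc_uid_concurrent_policy_time, fs_type, proc_type;
type proc_uid_cpupower, fs_type, proc_type;
type proc_uptime, fs_type, proc_type;
type proc_version, fs_type, proc_type;
type proc_vmallocinfo, fs_type, proc_type;
type proc_vmstat, fs_type, proc_type;
type proc_zoneinfo, fs_type, proc_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
type cgroup_bpf, fs_type;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_android_usb, fs_type, sysfs_type;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
type sysfs_ipv4, fs_type, sysfs_type;
type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
type sysfs_leds, fs_type, sysfs_type;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_mac_address, fs_type, sysfs_type;
type sysfs_net, fs_type, sysfs_type;
type sysfs_power, fs_type, sysfs_type;
type sysfs_rtc, fs_type, sysfs_type;
type sysfs_switch, fs_type, sysfs_type;
type sysfs_usb, fs_type, sysfs_type;
type sysfs_wakeup_reasons, fs_type, sysfs_type;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
type fs_bpf, fs_type;
type configfs, fs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
# /sys/module/lowmemorykiller
type sysfs_lowmemorykiller, fs_type, sysfs_type;
# /sys/module/wlan/parameters/fwpath
type sysfs_wlan_fwpath, fs_type, sysfs_type;
type sysfs_vibrator, fs_type, sysfs_type;

type sysfs_thermal, sysfs_type, fs_type;

type sysfs_zram, fs_type, sysfs_type;
type sysfs_zram_uevent, fs_type, sysfs_type;
type inotify, fs_type, mlstrustedobject;
type devpts, fs_type, mlstrustedobject;
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;
# Filesystems grouped under sdcard_type; all four are also mlstrustedobject.
type fuse, sdcard_type, fs_type, mlstrustedobject;
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
type exfat, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing_instances, fs_type, debugfs_type;
type debugfs_wakeup_sources, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type;

type pstorefs, fs_type;
type functionfs, fs_type, mlstrustedobject;
type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
type binfmt_miscfs, fs_type;
type app_fusefs, fs_type, contextmount_type;

# File types
type unlabeled, file_type;

# Default type for anything under /system.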
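type system_file, file_type;

# Types for files on the vendor side; every one carries vendor_file_type
# (an attribute declared outside this listing).
# Default type for directories searched for
# HAL implementations
type vendor_hal_file, vendor_file_type, file_type;
# Default type for anything under /vendor or /system/vendor
type vendor_file, vendor_file_type, file_type;
# Default type for everything in /vendor/app
type vendor_app_file, vendor_file_type, file_type;
# Default type for everything under /vendor/etc/
type vendor_configs_file, vendor_file_type, file_type;
# Default type for all *same process* HALs.
# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
type same_process_hal_file, vendor_file_type, file_type;
# Default type for vndk-sp libs. /vendor/lib/vndk-sp
type vndk_sp_file, vendor_file_type, file_type;
# Default type for everything in /vendor/framework
type vendor_framework_file, vendor_file_type, file_type;
# Default type for everything in /vendor/overlay
type vendor_overlay_file, vendor_file_type, file_type;

# /metadata partition itself
type metadata_file, file_type;
# Vold files within /metadata
type vold_metadata_file, file_type;

# Speedup access for trusted applications to the runtime event tags
type runtime_event_log_tags_file, file_type;
# Type for /system/bin/logcat.
type logcat_exec, exec_type, file_type;
# /cores for coredumps on userdebug / eng builds
type coredump_file, file_type;

# Types for files under /data. All carry data_file_type; most also carry
# core_data_file_type.
# NOTE(review): vendor_data_file and tombstone_wifi_data_file omit
# core_data_file_type. Presumably rules elsewhere key on that attribute to
# keep core and vendor data apart - confirm which side a new /data type
# belongs to before choosing its attributes.
# NOTE(review): types that also carry mlstrustedobject are, in AOSP policy,
# exempt from MLS category checks; several of them hold crash or trace output
# (anr, tombstones, heapdump), so review the allow rules that grant read
# access to them with that in mind.
# Default type for anything under /data.
type system_data_file, file_type, data_file_type, core_data_file_type;
# Default type for anything under /data/vendor{_ce,_de}.
type vendor_data_file, file_type, data_file_type;
# Unencrypted data
type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
# /data/.layout_version or other installd-created files that
# are created in a system_data_file directory.
type install_data_file, file_type, data_file_type, core_data_file_type;
# /data/drm - DRM plugin data
type drm_data_file, file_type, data_file_type, core_data_file_type;
# /data/adb - adb debugging files
type adb_data_file, file_type, data_file_type, core_data_file_type;
# /data/anr - ANR traces
type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/tombstones - core dumps
type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/vendor/tombstones/wifi - vendor wifi dumps
type tombstone_wifi_data_file, file_type, data_file_type;
# /data/app - user-installed apps
type apk_data_file, file_type, data_file_type, core_data_file_type;
type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/app-private - forward-locked apps
type apk_private_data_file, file_type, data_file_type, core_data_file_type;
type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
# /data/ota
type ota_data_file, file_type, data_file_type, core_data_file_type;
# /data/ota_package
type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profiles
type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profman
type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
# /data/local - writable by shell
type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/property
type property_data_file, file_type, data_file_type, core_data_file_type;
# /data/bootchart
type bootchart_data_file, file_type, data_file_type, core_data_file_type;
# /data/system/heapdump
type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/nativetest
type nativetest_data_file, file_type, data_file_type, core_data_file_type;
# /data/system_de/0/ringtones
type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/preloads
type preloads_data_file, file_type, data_file_type, core_data_file_type;
# /data/preloads/media
type preloads_media_file, file_type, data_file_type, core_data_file_type;
# /data/misc/dhcp and /data/misc/dhcp-6.8.2
type dhcp_data_file, file_type, data_file_type, core_data_file_type;

# Mount locations managed by vold
type mnt_media_rw_file, file_type;
type mnt_user_file, file_type;
type mnt_expand_file, file_type;
type storage_file, file_type;

# Label for storage dirs which are just mount stubs
type mnt_media_rw_stub_file, file_type;
type storage_stub_file, file_type;

# Mount location for read-write vendor partitions.
type mnt_vendor_file, file_type;

# /postinstall: Mount point used by update_engine to run postinstall.
type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.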
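type postinstall_file, file_type;

# /data/misc subdirectories
# One type per service keeps each daemon's private state (keys, credentials,
# logs) behind its own label, so access can be granted per service.
# NOTE(review): tee_data_file is the only entry in this group without
# core_data_file_type, and five entries add mlstrustedobject (media_rw, radio,
# trace, perfprofd, method_trace). Both attributes are declared outside this
# listing - confirm the intended access model before reusing either pattern.
type adb_keys_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
type bootstat_data_file, file_type, data_file_type, core_data_file_type;
type boottrace_data_file, file_type, data_file_type, core_data_file_type;
type camera_data_file, file_type, data_file_type, core_data_file_type;
type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
type incident_data_file, file_type, data_file_type, core_data_file_type;
type keychain_data_file, file_type, data_file_type, core_data_file_type;
type keystore_data_file, file_type, data_file_type, core_data_file_type;
type media_data_file, file_type, data_file_type, core_data_file_type;
type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type misc_user_data_file, file_type, data_file_type, core_data_file_type;
type net_data_file, file_type, data_file_type, core_data_file_type;
type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
type nfc_data_file, file_type, data_file_type, core_data_file_type;
type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type recovery_data_file, file_type, data_file_type, core_data_file_type;
type shared_relro_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type vpn_data_file, file_type, data_file_type, core_data_file_type;
type wifi_data_file, file_type, data_file_type, core_data_file_type;
type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
type vold_data_file, file_type, data_file_type, core_data_file_type;
type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;

# /data/data subdirectories - app sandboxes
# app_data_file does not carry mlstrustedobject, while system_app_data_file
# (next) does.
type app_data_file, file_type, data_file_type, core_data_file_type;
# /data/data subdirectory for system UID apps.
type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4.
# NOTE(review): no alias or compatibility statement follows the line above in
# this listing; the comment looks orphaned - confirm and remove if so.
# Default type for anything under /cache
type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for /cache/backup_stage/* (fd interchange with apps)
type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for anything under /cache/backup (local transport storage)
type cache_private_backup_file, file_type, data_file_type, core_data_file_type;
# Type for anything under /cache/recovery
type cache_recovery_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Default type for anything under /efs
type efs_file, file_type;
# Type for wallpaper file.
type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for shortcut manager icon file.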
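type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for user icon file.
type icon_file, file_type, data_file_type, core_data_file_type;
# /mnt/asec
type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Elements of asec files (/mnt/asec) that are world readable
type asec_public_file, file_type, data_file_type, core_data_file_type;
# /data/app-asec
type asec_image_file, file_type, data_file_type, core_data_file_type;
# /data/backup and /data/secure/backup
type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# All devices have bluetooth efs files, but they
# vary per device, so this type is used in per-device
# policy.
type bluetooth_efs_file, file_type;
# Fingerprint templates are biometric data; the two types below separate the
# older location from the newer one.
# NOTE(review): fingerprint_vendor_data_file omits core_data_file_type while
# fingerprintd_data_file has it; presumably the newer templates live on the
# vendor side of /data - confirm against the file_contexts entries.
# Type for fingerprint template file
type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
# Type for _new_ fingerprint template file
type fingerprint_vendor_data_file, file_type, data_file_type;
# Type for appfuse file.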
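type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;

# Socket types
# Labels for the socket files that daemons listen on. Most carry
# coredomain_socket (an attribute declared outside this listing).
# NOTE(review): rild_socket, rild_debug_socket, wpa_socket and
# tombstoned_java_trace_socket do not carry coredomain_socket, so any rule
# written against that attribute will not cover them - confirm that is the
# intent for each.
# NOTE(review): sockets that add mlstrustedobject are, in AOSP policy, exempt
# from MLS category checks, which makes them part of the attack surface shared
# by all apps that hold a matching allow rule.
type adbd_socket, file_type, coredomain_socket;
type bluetooth_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
type dumpstate_socket, file_type, coredomain_socket;
type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
type lmkd_socket, file_type, coredomain_socket;
type logd_socket, file_type, coredomain_socket, mlstrustedobject;
type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
type mdns_socket, file_type, coredomain_socket;
type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
type mtpd_socket, file_type, coredomain_socket;
type netd_socket, file_type, coredomain_socket;
type property_socket, file_type, coredomain_socket, mlstrustedobject;
type racoon_socket, file_type, coredomain_socket;
type rild_socket, file_type;
type rild_debug_socket, file_type;
type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
type tombstoned_intercept_socket, file_type, coredomain_socket;
type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
type traced_consumer_socket, file_type, coredomain_socket;
type uncrypt_socket, file_type, coredomain_socket;
type wpa_socket, file_type, data_file_type, core_data_file_type;
type zygote_socket, file_type, coredomain_socket;
# UART (for GPS) control proc file
type gps_control, file_type;

# PDX endpoint types
type pdx_display_dir, pdx_endpoint_dir_type, file_type;
type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;

# pdx_service_socket_types is a macro defined outside this listing; each call
# passes a service name and the endpoint directory type it belongs to.
pdx_service_socket_types(display_client, pdx_display_dir)
pdx_service_socket_types(display_manager, pdx_display_dir)
pdx_service_socket_types(display_screenshot, pdx_display_dir)
pdx_service_socket_types(display_vsync, pdx_display_dir)
pdx_service_socket_types(performance_client, pdx_performance_dir)
pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)

# The types below label the policy and context-mapping files themselves.
# Write access to any of them changes how labels or permissions are assigned,
# so they should stay read-only to everything except the update path.

# file_contexts files
type file_contexts_file, file_type;

# mac_permissions file
type mac_perms_file, file_type;

# property_contexts file
type property_contexts_file, file_type;

# seapp_contexts file
type seapp_contexts_file, file_type;

# sepolicy files binary and others
type sepolicy_file, file_type;

# service_contexts file
type service_contexts_file, file_type;

# nonplat service_contexts file (only accessible on non full-treble devices)
type nonplat_service_contexts_file, file_type;

# hwservice_contexts file
type hwservice_contexts_file, file_type;

# vndservice_contexts file
type vndservice_contexts_file, file_type;

# Allow files to be created in their appropriate filesystems.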
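# The filesystem-class `associate` permission decides whether an object with
# the source type may be labeled inside a filesystem of the target type.
# Every fs_type may associate with itself.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
allow cgroup_bpf tmpfs:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
# Anything with file_type may live on labeledfs, tmpfs or rootfs.
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
allow postinstall_file self:filesystem associate;

# asanwrapper (run a sanitized app_process, to be used with wrap properties)
# with_asan is a macro defined outside this listing; the `...' pair is m4
# quoting and must be kept as written.
with_asan(`type asanwrapper_exec, exec_type, file_type;')

# Deprecated in SDK version 28
type audiohal_data_file, file_type, data_file_type, core_data_file_type;

# It's a bug to assign both the file_type attribute and the fs_type attribute
# to the same type. Do not allow it.
#
# For example, the following is a bug:
# type apk_data_file, file_type, data_file_type, fs_type;
# Should be:
# type apk_data_file, file_type, data_file_type;
#
# The neverallow below is a build-time assertion: because every fs_type is
# allowed `associate` on itself above, a type carrying both attributes would
# match this rule and fail policy compilation.
neverallow fs_type file_type:filesystem associate;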