| # Rules for bootable/userfastboot which pretty much does |
| # everything the neverallows catch in external/sepolicy. |
| # |
| # The whole file is wrapped in the userfastboot_only() m4 macro |
| # (defined elsewhere; presumably in the build's policy macros), |
| # so none of these statements reach a build that is not a |
| # userfastboot build. That guard is the only thing keeping this |
| # permissive, audit-silenced domain out of a production policy. |
| userfastboot_only(` |
| |
| # Keep the type from infiltrating non-userfastboot |
| # builds. |
| type userfastboot, domain; |
| # Permissive: the kernel logs denials for this domain but does |
| # not enforce them, so userfastboot effectively runs unconfined. |
| # This is also why the file contains no allow rules - none are |
| # needed when nothing is enforced. |
| permissive userfastboot; |
| |
| # For silence. dontaudit never grants a permission; it only |
| # suppresses the AVC denial record. Together with the permissive |
| # declaration above, accesses matched below are neither blocked |
| # nor logged, so the audit log carries no trace of what |
| # userfastboot touched. The wildcards (*, and the attributes |
| # domain, fs_type, dev_type, file_type, ...) make that |
| # suppression close to total. |
| # |
| # Own process: all capabilities, kernel security/system ops, |
| # memory protection changes. |
| dontaudit userfastboot self:capability_class_set *; |
| dontaudit userfastboot kernel:security *; |
| dontaudit userfastboot kernel:system *; |
| dontaudit userfastboot self:memprotect *; |
| # Interaction with every other domain: process control, fd |
| # passing, proc-style files, sockets, SysV IPC, keyrings. |
| dontaudit userfastboot domain:process *; |
| dontaudit userfastboot domain:fd *; |
| dontaudit userfastboot domain:dir r_dir_perms; |
| dontaudit userfastboot domain:lnk_file r_file_perms; |
| dontaudit userfastboot domain:{ fifo_file file } rw_file_perms; |
| dontaudit userfastboot domain:socket_class_set *; |
| dontaudit userfastboot domain:ipc_class_set *; |
| dontaudit userfastboot domain:key *; |
| # Every filesystem, device node and labeled file object. |
| dontaudit userfastboot fs_type:filesystem *; |
| dontaudit userfastboot fs_type:dir_file_class_set *; |
| dontaudit userfastboot dev_type:dir_file_class_set *; |
| dontaudit userfastboot file_type:dir_file_class_set *; |
| # Networking: nodes, interfaces, port binding and connecting. |
| dontaudit userfastboot node_type:node *; |
| dontaudit userfastboot node_type:{ tcp_socket udp_socket } node_bind; |
| dontaudit userfastboot netif_type:netif *; |
| dontaudit userfastboot port_type:socket_class_set name_bind; |
| dontaudit userfastboot port_type:{ tcp_socket dccp_socket } name_connect; |
| dontaudit userfastboot domain:peer recv; |
| # Binder IPC with any domain and setting any system property. |
| dontaudit userfastboot domain:binder *; |
| dontaudit userfastboot property_type:property_service set; |
| ') |