# This file contains autogenerated policy based on
# denials seen in the wild.
#
# As a general rule, you should not add policy to
# this file. You SHOULD treat this policy very
# skeptically: while it does preserve compatibility,
# it is also extremely overbroad.
#
# Over time this list should trend to size 0. Your
# assistance in bringing it to 0 is highly appreciated.
#============= adbd ==============
# adbd may write into and create entries in app-private data
# directories/files. Broad: covers every app_data_file, not a
# specific app. Review before keeping.
allow adbd app_data_file:dir { write add_name };
allow adbd app_data_file:file { write create open setattr };
# Write to any file carrying the generic proc label (the rule does
# not narrow this to a particular /proc node).
allow adbd proc:file write;
allow adbd system_data_file:file open;
#============= drmserver ==============
# NOTE(review): several domains below get read/write on a stream
# socket labeled init; presumably an fd inherited from init rather
# than a socket they opened themselves - confirm, and prefer a
# dedicated socket label if so.
allow drmserver init:unix_stream_socket { read write };
#============= init ==============
allow init node:rawip_socket node_bind;
#============= keystore ==============
allow keystore init:unix_stream_socket { read write };
#============= media_app ==============
allow media_app system_data_file:file append;
#============= mediaserver ==============
allow mediaserver init:unix_stream_socket { read write };
allow mediaserver system_data_file:file open;
#============= nfc ==============
allow nfc system_data_file:file append;
#============= ping ==============
allow ping adbd:process sigchld;
#============= platform_app ==============
allow platform_app init:unix_stream_socket { read write };
# Commented-out rules in this file record a denial that was seen
# but deliberately NOT allowed; they are inert and kept as history.
#allow platform_app system_data_file:file append;
# Read access to files with no label at all. The long-term fix is
# to label the files, not to keep this rule.
allow platform_app unlabeled:file { read getattr open };
#============= radio ==============
allow radio init:unix_stream_socket { read write };
allow radio system_data_file:file append;
#============= release_app ==============
allow release_app init:unix_stream_socket { read write };
allow release_app system_data_file:file append;
#============= shared_app ==============
allow shared_app init:unix_stream_socket { read write };
#allow shared_app system_data_file:file append;
allow shared_app unlabeled:file { read getattr open };
#============= shell ==============
# getattr only on these directories (stat, not listing or reading).
allow shell apk_private_data_file:dir getattr;
allow shell asec_image_file:dir getattr;
allow shell backup_data_file:dir getattr;
allow shell device:sock_file write;
allow shell drm_data_file:dir getattr;
allow shell gps_data_file:dir getattr;
allow shell rootfs:file getattr;
allow shell sdcard_internal:dir { create rmdir };
# Capability grants (including dac_override) and writes into
# system_data_file were seen denied but are intentionally left
# disabled; do not re-enable without a narrower rule.
#allow shell self:capability { fowner fsetid dac_override };
#allow shell self:capability2 syslog;
#allow shell system_data_file:dir { write add_name };
#allow shell system_data_file:file { write create setattr };
# shell may connect to vold's stream socket and write its sock_file;
# this exposes vold's command interface to the shell domain.
allow shell vold:unix_stream_socket connectto;
allow shell vold_socket:sock_file write;
#============= surfaceflinger ==============
allow surfaceflinger adbd:binder call;
allow surfaceflinger init:unix_stream_socket { read write };
allow surfaceflinger nfc:binder call;
# Write to any sysfs-labeled file; not narrowed to a specific node.
allow surfaceflinger sysfs:file write;
#============= system_server ==============
allow system_server adbd_socket:sock_file write;
allow system_server init:unix_stream_socket { read write };
# Same breadth as the adbd proc rule above: any proc-labeled file.
allow system_server proc:file write;
allow system_server security_file:lnk_file read;
allow system_server unlabeled:file { read getattr open };
#============= system_app ==============
allow system_app unlabeled:file { read getattr open };
#============= untrusted_app ==============
# untrusted_app (third-party apps) may search and read files under
# the init, kernel and servicemanager labels. These rules are the
# most security-relevant in the file: they widen what untrusted
# code can read. Candidates for removal once the underlying
# labeling is fixed.
allow untrusted_app init:dir { getattr search };
allow untrusted_app init:file { read getattr open };
allow untrusted_app init:unix_stream_socket { read write };
allow untrusted_app kernel:dir { search getattr };
allow untrusted_app kernel:file { read getattr open };
allow untrusted_app servicemanager:dir { search getattr };
allow untrusted_app servicemanager:file { read getattr open };
allow untrusted_app shared_app:fifo_file write;
#allow untrusted_app system_data_file:file append;
# Untrusted apps reading unlabeled files: anything that missed
# labeling becomes readable by every third-party app.
allow untrusted_app unlabeled:dir getattr;
allow untrusted_app unlabeled:file { read getattr open };
#============= vold ==============
allow vold unlabeled:dir { read getattr open };
#============= wpa ==============
allow wpa init:unix_dgram_socket sendto;
allow wpa wifi_data_file:sock_file write;
#============= zygote ==============
allow zygote security_file:lnk_file read;