| # This file contains autogenerated policy based on |
| # denials seen in the wild. |
| # |
| # As a general rule, you should not add policy to |
| # this file. You SHOULD treat this policy very |
| # skeptically -- while it does preserve compatibility, |
| # it is also extremely overbroad. |
| # |
| # Over time this list should trend to size 0. Your |
| # assistance in bringing it to 0 is highly appreciated. |
| |
| #============= adbd ============== |
| # adbd creating entries in, and writing/creating/chmod'ing files under, |
| # app private data directories (app_data_file). Taken together these two |
| # rules give the adb daemon write access to every app's private data; |
| # presumably generated by "adb push" into an app data dir -- confirm |
| # against the originating denial. |
| allow adbd app_data_file:dir { write add_name }; |
| allow adbd app_data_file:file { write create open setattr }; |
| # Write to a proc-labeled file; the specific /proc entry is not recorded |
| # here. proc is the generic label, so this is wider than any single |
| # tunable adbd needs -- a dedicated proc_* type would be the narrower fix. |
| allow adbd proc:file write; |
| # Open (no read/write listed) on a generic system_data_file. |
| allow adbd system_data_file:file open; |
| |
| #============= drmserver ============== |
| # read/write on a unix_stream_socket labeled with the init domain. |
| # drmserver does not create init sockets itself, so this looks like a |
| # socket fd inherited across the init -> drmserver exec -- confirm. The |
| # same inherited-fd pattern appears for keystore, mediaserver, |
| # platform_app, radio, release_app, shared_app, surfaceflinger, |
| # system_server and untrusted_app further down; fixing the fd leak at |
| # the source would retire all of them. |
| allow drmserver init:unix_stream_socket { read write }; |
| |
| #============= init ============== |
| # init binding a raw IP socket to a network node (node_bind). Raw IP |
| # sockets are not something init itself normally needs; presumably a |
| # helper that init launches before its domain transition -- identify the |
| # actual process behind the denial before keeping this on init. |
| allow init node:rawip_socket node_bind; |
| |
| #============= keystore ============== |
| # read/write on an init-labeled unix_stream_socket; presumably an fd |
| # leaked from init into keystore rather than a socket keystore opened |
| # itself -- confirm. Plug the leak instead of widening keystore. |
| allow keystore init:unix_stream_socket { read write }; |
| |
| #============= media_app ============== |
| # media_app appending to a file carrying the generic system_data_file |
| # label. Which file is not recorded; giving that file its own type and |
| # allowing append only on that type is the narrower replacement. |
| allow media_app system_data_file:file append; |
| |
| #============= mediaserver ============== |
| # read/write on an init-labeled unix_stream_socket; presumably an |
| # inherited fd from init -- confirm. |
| allow mediaserver init:unix_stream_socket { read write }; |
| # Open on a generic system_data_file (no read/write permission listed). |
| allow mediaserver system_data_file:file open; |
| |
| #============= nfc ============== |
| # nfc appending to a generic system_data_file; the file is not recorded. |
| # Same shape as the media_app/radio/release_app append rules in this |
| # file -- a dedicated file type is the proper fix. |
| allow nfc system_data_file:file append; |
| |
| #============= ping ============== |
| # ping delivering SIGCHLD to adbd, i.e. a ping process exiting whose |
| # parent is adbd. Consistent with ping being run from an adb shell |
| # session; low risk, but confirm the parent relationship is expected. |
| allow ping adbd:process sigchld; |
| |
| #============= platform_app ============== |
| # read/write on an init-labeled unix_stream_socket; presumably an fd |
| # inherited from init -- confirm. |
| allow platform_app init:unix_stream_socket { read write }; |
| # Left disabled: appending to generic system data files from an app |
| # domain. Keep it disabled unless a specific file type is identified. |
| #allow platform_app system_data_file:file append; |
| # Reading files that carry no recognized label. "unlabeled" normally |
| # means the filesystem was never (re)labeled; the fix is to label those |
| # files, not to let app domains read unlabeled content. |
| allow platform_app unlabeled:file { read getattr open }; |
| |
| #============= radio ============== |
| # read/write on an init-labeled unix_stream_socket; presumably an fd |
| # inherited from init -- confirm. |
| allow radio init:unix_stream_socket { read write }; |
| # Append to a generic system_data_file; the file is not recorded. |
| allow radio system_data_file:file append; |
| |
| #============= release_app ============== |
| # read/write on an init-labeled unix_stream_socket; presumably an fd |
| # inherited from init -- confirm. |
| allow release_app init:unix_stream_socket { read write }; |
| # Append to a generic system_data_file from an app domain; the file is |
| # not recorded. Narrow to a dedicated type once identified. |
| allow release_app system_data_file:file append; |
| |
| #============= shared_app ============== |
| # read/write on an init-labeled unix_stream_socket; presumably an fd |
| # inherited from init -- confirm. |
| allow shared_app init:unix_stream_socket { read write }; |
| # Left disabled: append to generic system data files. Keep disabled. |
| #allow shared_app system_data_file:file append; |
| # Reading files with no recognized label; label the files instead of |
| # keeping this (see the platform_app, system_server, system_app and |
| # untrusted_app unlabeled rules in this file). |
| allow shared_app unlabeled:file { read getattr open }; |
| |
| #============= shell ============== |
| # getattr only (stat, no listing or reading) on several private data |
| # directory types -- presumably the result of "ls -l" over /data from |
| # an interactive shell; confirm. Metadata disclosure only. |
| allow shell apk_private_data_file:dir getattr; |
| allow shell asec_image_file:dir getattr; |
| allow shell backup_data_file:dir getattr; |
| # Write to a socket file under /dev carrying the generic "device" label; |
| # the specific socket is not recorded. A dedicated socket type would |
| # make this rule self-describing and far narrower. |
| allow shell device:sock_file write; |
| allow shell drm_data_file:dir getattr; |
| allow shell gps_data_file:dir getattr; |
| # stat on rootfs files. |
| allow shell rootfs:file getattr; |
| # mkdir/rmdir on internal sdcard directories (create/rmdir, no write). |
| allow shell sdcard_internal:dir { create rmdir }; |
| # Deliberately disabled: fowner/fsetid/dac_override would let shell |
| # bypass DAC ownership and permission checks, and syslog would expose |
| # the kernel log. Keep these commented out. |
| #allow shell self:capability { fowner fsetid dac_override }; |
| #allow shell self:capability2 syslog; |
| # Deliberately disabled: creating and writing files under generic system |
| # data directories from shell. Keep these commented out. |
| #allow shell system_data_file:dir { write add_name }; |
| #allow shell system_data_file:file { write create setattr }; |
| # shell connecting to vold's control socket (connectto on the socket plus |
| # write on the socket file). This exposes vold's command interface to |
| # the shell user; review which vold commands need to be reachable. |
| allow shell vold:unix_stream_socket connectto; |
| allow shell vold_socket:sock_file write; |
| |
| #============= surfaceflinger ============== |
| # Binder calls from surfaceflinger into adbd and nfc. surfaceflinger is |
| # normally a binder *callee*; calling back into these domains is more |
| # likely reply/callback traffic than a deliberate dependency -- confirm |
| # what transaction triggered each denial. |
| allow surfaceflinger adbd:binder call; |
| # read/write on an init-labeled unix_stream_socket; presumably an fd |
| # inherited from init -- confirm. |
| allow surfaceflinger init:unix_stream_socket { read write }; |
| allow surfaceflinger nfc:binder call; |
| # Write to a generic sysfs file; the attribute is not recorded. sysfs is |
| # the catch-all label, so this is much wider than the single attribute |
| # surfaceflinger presumably writes -- give it a sysfs_* type. |
| allow surfaceflinger sysfs:file write; |
| |
| #============= system_server ============== |
| # Write on adbd's socket file (the sock_file half of connecting to the |
| # adbd socket); the connectto half is not in this file, so either it is |
| # granted elsewhere or this rule alone is insufficient -- confirm. |
| allow system_server adbd_socket:sock_file write; |
| # read/write on an init-labeled unix_stream_socket; presumably an fd |
| # inherited from init -- confirm. |
| allow system_server init:unix_stream_socket { read write }; |
| # Write to a generic proc-labeled file; the tunable is not recorded. |
| # Wider than needed; a dedicated proc_* type is the narrower fix. |
| allow system_server proc:file write; |
| # Read (follow) a symlink labeled security_file. |
| allow system_server security_file:lnk_file read; |
| # Reading files with no recognized label; label the files instead. |
| allow system_server unlabeled:file { read getattr open }; |
| |
| #============= system_app ============== |
| # Reading files with no recognized label. "unlabeled" usually indicates |
| # a filesystem that was never (re)labeled; the fix is to label it, not |
| # to allow reading unlabeled content from an app domain. |
| allow system_app unlabeled:file { read getattr open }; |
| |
| #============= untrusted_app ============== |
| # Third-party apps searching and reading files labeled with the init, |
| # kernel and servicemanager *process* domains. Under SELinux a process's |
| # /proc/<pid> entries carry its domain label, so these most plausibly |
| # grant reading of /proc entries of init, kernel threads and |
| # servicemanager to any untrusted app -- confirm which entries. This |
| # is process-metadata disclosure to untrusted code and is the most |
| # overbroad section of this file; it should be the first to go. |
| allow untrusted_app init:dir { getattr search }; |
| allow untrusted_app init:file { read getattr open }; |
| # read/write on an init-labeled unix_stream_socket from an untrusted |
| # app; presumably an fd leaked down the init -> zygote -> app chain -- |
| # confirm and close the fd at the source rather than allowing this. |
| allow untrusted_app init:unix_stream_socket { read write }; |
| allow untrusted_app kernel:dir { search getattr }; |
| allow untrusted_app kernel:file { read getattr open }; |
| allow untrusted_app servicemanager:dir { search getattr }; |
| allow untrusted_app servicemanager:file { read getattr open }; |
| # Writing to a FIFO owned by a shared_app process (cross-domain pipe). |
| allow untrusted_app shared_app:fifo_file write; |
| # Left disabled: append to generic system data files from untrusted |
| # apps. Keep this commented out. |
| #allow untrusted_app system_data_file:file append; |
| # stat on unlabeled directories and reading unlabeled files; label the |
| # filesystem instead of granting untrusted apps access to unlabeled |
| # content. |
| allow untrusted_app unlabeled:dir getattr; |
| allow untrusted_app unlabeled:file { read getattr open }; |
| |
| #============= vold ============== |
| # vold listing unlabeled directories (read/getattr/open on dir). Likely |
| # storage that is mounted without a labeling context -- confirm; a |
| # proper fs context on the mount is the fix. |
| allow vold unlabeled:dir { read getattr open }; |
| |
| #============= wpa ============== |
| # sendto on a datagram socket owned by init; presumably an inherited |
| # socket fd rather than one wpa created -- confirm. |
| allow wpa init:unix_dgram_socket sendto; |
| # Write on a socket file under the wifi data directory (the sock_file |
| # half of talking to a control socket there). |
| allow wpa wifi_data_file:sock_file write; |
| |
| #============= zygote ============== |
| # Read (follow) a symlink labeled security_file; same rule as granted |
| # to system_server above. |
| allow zygote security_file:lnk_file read; |