| # This file contains autogenerated policy based on |
| # denials seen in the wild. |
| # |
| # As a general rule, you should not add policy to |
| # this file. You SHOULD treat this policy very |
| # skeptically- while it does preserve compatibility, |
| # it is also extremely overbroad. |
| # |
| # Over time this list should trend to size 0. Your |
| # assistance in bringing it to 0 is highly appreciated. |
| # |
| # How to read the rules below: each line has the form |
| #   allow <source domain> <target type>:<object class> { <permissions> }; |
| # and grants the listed permissions unconditionally (rule order does not |
| # matter). Lines beginning with "#allow" are rules that have been |
| # disabled; they are kept only as a record and must not be re-enabled |
| # without a specific, reviewed justification. |
| # |
| # Review notes for whoever is shrinking this file: |
| # - Rules whose target is "unlabeled" usually mask a labeling gap: the |
| #   underlying object should be given a proper type so the access can be |
| #   narrowed to that type, after which the rule here can be deleted. |
| # - A domain type ("init", "kernel", "ueventd", ...) used as a dir/file |
| #   target normally refers to that process's own entries (e.g. /proc/<pid>); |
| #   confirm what the denial was actually for before keeping such a rule. |
| # - Rules for untrusted_app, shell and adbd widen the reach of the least |
| #   trusted domains and are the best candidates to retire first. |
| |
| #============= adbd ============== |
| # NOTE(review): write/create in app_data_file plus write on proc:file and |
| # self:capability setpcap (CAP_SETPCAP) are broad for a debug bridge; pin |
| # each to the concrete path/need that produced the denial, then remove. |
| allow adbd app_data_file:dir { write add_name }; |
| allow adbd app_data_file:file { write create open setattr }; |
| allow adbd kernel:process setsched; |
| allow adbd proc:file write; |
| allow adbd self:capability setpcap; |
| |
| #============= debuggerd ============== |
| # connectto on system's stream socket + write on the sock_file is the pair |
| # needed to connect to a UNIX socket owned by the "system" domain. |
| allow debuggerd system:unix_stream_socket connectto; |
| allow debuggerd system_data_file:sock_file write; |
| |
| #============= dhcp ============== |
| # "unlabeled:file create" means dhcp creates files somewhere no label |
| # is applied - a labeling fix should replace this rule. |
| allow dhcp system_data_file:file open; |
| allow dhcp unlabeled:file create; |
| |
| #============= drmserver ============== |
| allow drmserver init:unix_stream_socket { read write }; |
| |
| #============= init ============== |
| allow init node:rawip_socket node_bind; |
| |
| #============= init_shell ============== |
| # The self rule lets init_shell create and bind its own netlink route |
| # socket; nlmsg_read covers reading routing/link state over it. |
| allow init_shell init:fifo_file write; |
| allow init_shell init:netlink_route_socket { read write }; |
| allow init_shell init:netlink_socket { read write }; |
| allow init_shell init:unix_stream_socket { read write }; |
| allow init_shell self:netlink_route_socket { write getattr setopt bind create nlmsg_read }; |
| |
| #============= installd ============== |
| allow installd download_file:dir { read search open getattr }; |
| |
| #============= keystore ============== |
| allow keystore init:unix_stream_socket { read write }; |
| |
| #============= media_app ============== |
| allow media_app system_data_file:file append; |
| |
| #============= mediaserver ============== |
| # device:chr_file here is the generic device type, i.e. any character |
| # device that carries no more specific label; prefer a dedicated type. |
| allow mediaserver device:chr_file { read write ioctl open }; |
| allow mediaserver init:unix_dgram_socket sendto; |
| allow mediaserver init:unix_stream_socket { read write }; |
| allow mediaserver system_data_file:file { write open }; |
| allow mediaserver system_data_file:sock_file write; |
| |
| #============= nfc ============== |
| allow nfc device:chr_file { read write open }; |
| allow nfc init:unix_stream_socket { read write }; |
| # Disabled: write/create/unlink in system_data_file is not granted to nfc. |
| #allow nfc system_data_file:dir { write remove_name add_name }; |
| #allow nfc system_data_file:file { write create unlink append }; |
| allow nfc unlabeled:file { read write open }; |
| |
| #============= ping ============== |
| # sigchld toward adbd is consistent with ping being spawned by adbd - |
| # TODO confirm; if so this belongs with the adbd/ping domain transition. |
| allow ping adbd:process sigchld; |
| |
| #============= platform_app ============== |
| allow platform_app device:chr_file { read write ioctl }; |
| allow platform_app init:binder { transfer call }; |
| allow platform_app init:unix_stream_socket { read write }; |
| # Disabled: append to system_data_file is not granted to platform_app. |
| #allow platform_app system_data_file:file append; |
| allow platform_app unlabeled:file { read getattr open }; |
| |
| #============= radio ============== |
| allow radio init:binder call; |
| allow radio init:unix_stream_socket { read write }; |
| allow radio system_data_file:file append; |
| |
| #============= release_app ============== |
| allow release_app system_data_file:file append; |
| allow release_app unlabeled:lnk_file read; |
| |
| #============= sdcardd ============== |
| allow sdcardd unlabeled:dir { read open }; |
| |
| #============= shared_app ============== |
| allow shared_app device:chr_file { read write }; |
| allow shared_app init:binder call; |
| allow shared_app init:unix_stream_socket { read write }; |
| allow shared_app init_tmpfs:file read; |
| # Disabled: append to system_data_file is not granted to shared_app. |
| #allow shared_app system_data_file:file append; |
| # NOTE(review): write+lock on unlabeled files from an app domain is the |
| # broadest of the unlabeled rules here; fix the label rather than keep it. |
| allow shared_app unlabeled:file { write lock getattr open read }; |
| |
| #============= shell ============== |
| # The dir getattr rules only expose directory metadata (stat), not |
| # contents; the create/rmdir rule on sdcard_internal and the vold pair |
| # (connectto + sock_file write = connect to vold's control socket) are |
| # the ones worth revisiting. |
| allow shell apk_private_data_file:dir getattr; |
| allow shell asec_image_file:dir getattr; |
| allow shell backup_data_file:dir getattr; |
| allow shell device:sock_file write; |
| allow shell drm_data_file:dir getattr; |
| allow shell nfc_data_file:dir getattr; |
| allow shell rootfs:file getattr; |
| allow shell sdcard_internal:dir { create rmdir }; |
| # Disabled: shell gets no DAC-bypass / ownership capabilities, no syslog |
| # capability, and no write access under system_data_file. Keep disabled. |
| #allow shell self:capability { fowner fsetid dac_override }; |
| #allow shell self:capability2 syslog; |
| #allow shell system_data_file:dir { write remove_name add_name }; |
| #allow shell system_data_file:file { write create setattr }; |
| allow shell unlabeled:dir getattr; |
| allow shell vold:unix_stream_socket connectto; |
| allow shell vold_socket:sock_file write; |
| |
| #============= surfaceflinger ============== |
| # NOTE(review): sysfs:file write is a write to kernel attribute files; the |
| # specific sysfs node should get its own label so this can be narrowed. |
| # The init/system_app/platform_app targets look like /proc entries and |
| # binder calls to those processes - confirm against the original denials. |
| allow surfaceflinger adbd:binder call; |
| allow surfaceflinger device:chr_file { read write ioctl open }; |
| allow surfaceflinger init:dir search; |
| allow surfaceflinger init:file { read open }; |
| allow surfaceflinger init:unix_stream_socket { read write }; |
| allow surfaceflinger platform_app:binder call; |
| allow surfaceflinger shell_data_file:dir search; |
| allow surfaceflinger sysfs:file write; |
| allow surfaceflinger system_app:dir search; |
| allow surfaceflinger system_app:file { read open }; |
| |
| #============= system ============== |
| # NOTE(review): the two unlabeled rules grant near-full directory and file |
| # manipulation (create/rename/append/write) on anything without a label; |
| # together with proc:file write these are the priority items in this |
| # section. |
| allow system device:chr_file ioctl; |
| allow system init:binder { transfer call }; |
| allow system init:unix_stream_socket { read write setopt }; |
| allow system proc:file write; |
| allow system security_file:lnk_file read; |
| allow system unlabeled:dir { read remove_name write open add_name }; |
| allow system unlabeled:file { rename getattr read create open ioctl append }; |
| |
| #============= system_app ============== |
| allow system_app init:unix_stream_socket { read write setopt }; |
| allow system_app unlabeled:file { read getattr open }; |
| |
| #============= untrusted_app ============== |
| # NOTE(review): this section gives the least trusted domain read access to |
| # the init/kernel/servicemanager/ueventd/zygote process entries, binder |
| # transfer+call to init, read/write on the generic device chr_file type, |
| # connectto on init's stream socket and setattr on unlabeled dirs. Each |
| # of these should be traced back to a concrete denial and either given a |
| # narrow type or dropped; suggested order: device:chr_file, init:binder, |
| # init:unix_stream_socket connectto, unlabeled:dir setattr, then the |
| # /proc-style dir/file reads. |
| allow untrusted_app device:chr_file { read write }; |
| allow untrusted_app init:binder { transfer call }; |
| allow untrusted_app init:dir { getattr search }; |
| allow untrusted_app init:file { read getattr open }; |
| allow untrusted_app init:unix_stream_socket { read write connectto }; |
| allow untrusted_app kernel:dir { getattr search }; |
| allow untrusted_app kernel:file { read getattr open }; |
| allow untrusted_app servicemanager:dir { getattr search }; |
| allow untrusted_app servicemanager:file { read getattr open }; |
| allow untrusted_app shell_data_file:dir search; |
| allow untrusted_app shell_data_file:file { read getattr open }; |
| # Disabled: append to system_data_file is not granted to untrusted_app. |
| #allow untrusted_app system_data_file:file append; |
| allow untrusted_app ueventd:dir { search getattr }; |
| allow untrusted_app ueventd:file { read getattr open }; |
| allow untrusted_app unlabeled:dir setattr; |
| allow untrusted_app zygote:dir search; |
| |
| #============= vold ============== |
| allow vold unlabeled:dir { read getattr open }; |
| |
| #============= wpa ============== |
| # read/write/sendto on init's datagram socket plus write on the wifi |
| # sock_file: wpa talking to a socket created by init - confirm which one. |
| allow wpa init:unix_dgram_socket { read write sendto }; |
| allow wpa wifi_data_file:sock_file write; |
| |
| #============= zygote ============== |
| allow zygote security_file:lnk_file read; |