# This file contains autogenerated policy based on
# denials seen in the wild.
#
# As a general rule, you should not add policy to
# this file. You SHOULD treat this policy very
# skeptically — while it does preserve compatibility,
# it is also extremely overbroad.
#
# Over time this list should trend to size 0. Your
# assistance in bringing it to 0 is highly appreciated.
# Sections below are keyed by the source (subject) domain. A rule line that
# begins with '#' is disabled: it grants nothing and is kept only as a record
# of a denial that was seen but not allowed. Before re-enabling any of them,
# re-check whether the denial is still reproducible and scope the rule to a
# specific type instead of the broad ones used here.
#============= adbd ==============
allow adbd app_data_file:dir { write add_name };
allow adbd app_data_file:file { write create open setattr };
allow adbd kernel:process setsched;
# NOTE(review): write access to proc files from adbd is broad; confirm which
# /proc entry triggered the denial and label it with its own type if possible.
allow adbd proc:file write;
# NOTE(review): setpcap lets the domain alter its own capability sets; keep
# only while the matching denial is still observed.
allow adbd self:capability setpcap;
#============= debuggerd ==============
allow debuggerd system:unix_stream_socket connectto;
allow debuggerd system_data_file:sock_file write;
#============= dhcp ==============
allow dhcp system_data_file:file open;
# 'unlabeled' covers objects that carry no SELinux label at all, so rules on
# it are not scoped to any particular file; presumably a labeling gap rather
# than a real need — confirm against the denial log.
allow dhcp unlabeled:file create;
#============= drmserver ==============
allow drmserver init:unix_stream_socket { read write };
#============= init ==============
allow init node:rawip_socket node_bind;
#============= init_shell ==============
allow init_shell init:fifo_file write;
allow init_shell init:netlink_route_socket { read write };
allow init_shell init:netlink_socket { read write };
allow init_shell init:unix_stream_socket { read write };
allow init_shell self:netlink_route_socket { write getattr setopt bind create nlmsg_read };
#============= installd ==============
allow installd download_file:dir { read search open getattr };
#============= keystore ==============
allow keystore init:unix_stream_socket { read write };
#============= media_app ==============
allow media_app system_data_file:file append;
#============= mediaserver ==============
# NOTE(review): 'device' is the generic type for /dev nodes; ioctl on it is
# effectively unrestricted device access — confirm which node is needed.
allow mediaserver device:chr_file { read write ioctl open };
allow mediaserver init:unix_dgram_socket sendto;
allow mediaserver init:unix_stream_socket { read write };
allow mediaserver system_data_file:file { write open };
allow mediaserver system_data_file:sock_file write;
#============= nfc ==============
allow nfc device:chr_file { read write open };
allow nfc init:unix_stream_socket { read write };
# Disabled: the two system_data_file rules below grant nothing.
#allow nfc system_data_file:dir { write remove_name add_name };
#allow nfc system_data_file:file { write create unlink append };
allow nfc unlabeled:file { read write open };
#============= ping ==============
allow ping adbd:process sigchld;
#============= platform_app ==============
allow platform_app device:chr_file { read write ioctl };
allow platform_app init:binder { transfer call };
allow platform_app init:unix_stream_socket { read write };
# Disabled: grants nothing.
#allow platform_app system_data_file:file append;
allow platform_app unlabeled:file { read getattr open };
#============= radio ==============
allow radio init:binder call;
allow radio init:unix_stream_socket { read write };
allow radio system_data_file:file append;
#============= release_app ==============
allow release_app system_data_file:file append;
allow release_app unlabeled:lnk_file read;
#============= sdcardd ==============
allow sdcardd unlabeled:dir { read open };
#============= shared_app ==============
allow shared_app device:chr_file { read write };
allow shared_app init:binder call;
allow shared_app init:unix_stream_socket { read write };
allow shared_app init_tmpfs:file read;
# Disabled: grants nothing.
#allow shared_app system_data_file:file append;
# NOTE(review): write+lock on unlabeled files from an app domain is the
# broadest rule in this section; it should be the first to go once the
# affected files are labeled.
allow shared_app unlabeled:file { write lock getattr open read };
#============= shell ==============
allow shell apk_private_data_file:dir getattr;
allow shell asec_image_file:dir getattr;
allow shell backup_data_file:dir getattr;
allow shell device:sock_file write;
allow shell drm_data_file:dir getattr;
allow shell nfc_data_file:dir getattr;
allow shell rootfs:file getattr;
allow shell sdcard_internal:dir { create rmdir };
# Disabled: the four rules below (capabilities and system_data_file writes)
# grant nothing and are kept only as a record of the denials seen.
#allow shell self:capability { fowner fsetid dac_override };
#allow shell self:capability2 syslog;
#allow shell system_data_file:dir { write remove_name add_name };
#allow shell system_data_file:file { write create setattr };
allow shell unlabeled:dir getattr;
allow shell vold:unix_stream_socket connectto;
allow shell vold_socket:sock_file write;
#============= surfaceflinger ==============
allow surfaceflinger adbd:binder call;
allow surfaceflinger device:chr_file { read write ioctl open };
allow surfaceflinger init:dir search;
allow surfaceflinger init:file { read open };
allow surfaceflinger init:unix_stream_socket { read write };
allow surfaceflinger platform_app:binder call;
allow surfaceflinger shell_data_file:dir search;
# NOTE(review): write to the generic sysfs type is not scoped to one
# attribute; label the specific sysfs node if the denial is still seen.
allow surfaceflinger sysfs:file write;
allow surfaceflinger system_app:dir search;
allow surfaceflinger system_app:file { read open };
#============= system ==============
allow system device:chr_file ioctl;
allow system init:binder { transfer call };
allow system init:unix_stream_socket { read write setopt };
allow system proc:file write;
allow system security_file:lnk_file read;
# NOTE(review): directory and file manipulation (create/rename/append) on
# unlabeled objects is as broad as a rule gets; presumably a labeling gap.
allow system unlabeled:dir { read remove_name write open add_name };
allow system unlabeled:file { rename getattr read create open ioctl append };
#============= system_app ==============
allow system_app init:unix_stream_socket { read write setopt };
allow system_app unlabeled:file { read getattr open };
#============= untrusted_app ==============
# NOTE(review): untrusted_app is the domain for third-party apps, so every
# rule in this section widens what an arbitrary app may reach. The binder
# and unix_stream_socket (connectto) rules toward init and the read access
# to kernel/servicemanager/ueventd files are the ones to re-verify first.
allow untrusted_app device:chr_file { read write };
allow untrusted_app init:binder { transfer call };
allow untrusted_app init:dir { getattr search };
allow untrusted_app init:file { read getattr open };
allow untrusted_app init:unix_stream_socket { read write connectto };
allow untrusted_app kernel:dir { getattr search };
allow untrusted_app kernel:file { read getattr open };
allow untrusted_app servicemanager:dir { getattr search };
allow untrusted_app servicemanager:file { read getattr open };
allow untrusted_app shell_data_file:dir search;
allow untrusted_app shell_data_file:file { read getattr open };
# Disabled: grants nothing.
#allow untrusted_app system_data_file:file append;
allow untrusted_app ueventd:dir { search getattr };
allow untrusted_app ueventd:file { read getattr open };
allow untrusted_app unlabeled:dir setattr;
allow untrusted_app zygote:dir search;
#============= vold ==============
allow vold unlabeled:dir { read getattr open };
#============= wpa ==============
allow wpa init:unix_dgram_socket { read write sendto };
allow wpa wifi_data_file:sock_file write;
#============= zygote ==============
allow zygote security_file:lnk_file read;