public/te_macros - platform/system/sepolicy - Git at Google

 #####################################
 # domain_trans(olddomain, type, newdomain)
 # Allow a transition from olddomain to newdomain
 # upon executing a file labeled with type.
 # This only allows the transition; it does not
 # cause it to occur automatically - use domain_auto_trans
 # if that is what you want.
 #
 define(`domain_trans', `
 # Old domain may exec the file and transition to the new domain.
 allow $1 $2:file { getattr open read execute };
 allow $1 $3:process transition;
 # New domain is entered by executing the file.
 allow $3 $2:file { entrypoint open read execute getattr };
 # New domain can send SIGCHLD to its caller.
 ifelse($1, `init', `', `allow $3 $1:process sigchld;')
 # Enable AT_SECURE, i.e. libc secure mode.
 dontaudit $1 $3:process noatsecure;
 # XXX dontaudit candidate but requires further study.
 allow $1 $3:process { siginh rlimitinh };
 ')

 #####################################
 # domain_auto_trans(olddomain, type, newdomain)
 # Automatically transition from olddomain to newdomain
 # upon executing a file labeled with type.
 #
 define(`domain_auto_trans', `
 # Allow the necessary permissions.
 domain_trans($1,$2,$3)
 # Make the transition occur by default.
 type_transition $1 $2:process $3;
 ')

 #####################################
 # file_type_trans(domain, dir_type, file_type)
 # Allow domain to create a file labeled file_type in a
 # directory labeled dir_type.
 # This only allows the transition; it does not
 # cause it to occur automatically - use file_type_auto_trans
 # if that is what you want.
 #
 define(`file_type_trans', `
 # Allow the domain to add entries to the directory.
 allow $1 $2:dir ra_dir_perms;
 # Allow the domain to create the file.
 allow $1 $3:notdevfile_class_set create_file_perms;
 allow $1 $3:dir create_dir_perms;
 ')

 #####################################
 # file_type_auto_trans(domain, dir_type, file_type)
 # Automatically label new files with file_type when
 # they are created by domain in directories labeled dir_type.
 #
 define(`file_type_auto_trans', `
 # Allow the necessary permissions.
 file_type_trans($1, $2, $3)
 # Make the transition occur by default.
 type_transition $1 $2:dir $3;
 type_transition $1 $2:notdevfile_class_set $3;
 ')

 #####################################
 # r_dir_file(domain, type)
 # Allow the specified domain to read directories, files
 # and symbolic links of the specified type.
 define(`r_dir_file', `
 allow $1 $2:dir r_dir_perms;
 allow $1 $2:{ file lnk_file } r_file_perms;
 ')

 #####################################
 # tmpfs_domain(domain)
 # Define and allow access to a unique type for
 # this domain when creating tmpfs / shmem / ashmem files.
 define(`tmpfs_domain', `
 type $1_tmpfs, file_type;
 type_transition $1 tmpfs:file $1_tmpfs;
 allow $1 $1_tmpfs:file { read write };
 allow $1 tmpfs:dir { getattr search };
 ')

 # pdx macros for IPC. pdx is a high-level name which contains transport-specific
 # rules from underlying transport (e.g. UDS-based implementation).

 #####################################
 # pdx_server(domain)
 define(`pdx_server', `
 allow $1 pdx_socket:dir create_dir_perms;
 allow $1 pdx_socket:sock_file create_file_perms;
 ')

 #####################################
 # use_pdx(clientdomain, serverdomain)
 define(`use_pdx', `
 # Open the socket.
 allow $1 pdx_socket:dir r_dir_perms;
 allow $1 pdx_socket:sock_file rw_file_perms;
 # Use the socket.
 allow $1 $2:unix_stream_socket { connectto read write shutdown };
 # Clients recieve an event fd from the server.
 allow $1 $2:fd use;
 # Servers may receive sync fences, gralloc buffers, etc, from clients.
 # This could be tightened on a per-server basis, but keeping track of service
 # clients is error prone.
 allow $2 $1:fd use;
 ')

 #####################################
 # init_daemon_domain(domain)
 # Set up a transition from init to the daemon domain
 # upon executing its binary.
 define(`init_daemon_domain', `
 domain_auto_trans(init, $1_exec, $1)
 tmpfs_domain($1)
 ')

 #####################################
 # app_domain(domain)
 # Allow a base set of permissions required for all apps.
 define(`app_domain', `
 typeattribute $1 appdomain;
 # Label ashmem objects with our own unique type.
 tmpfs_domain($1)
 # Map with PROT_EXEC.
 allow $1 $1_tmpfs:file execute;
 ')

 #####################################
 # untrusted_app_domain(domain)
 # Allow a base set of permissions required for all untrusted apps.
 define(`untrusted_app_domain', `
 typeattribute $1 untrusted_app_all;
 ')

 #####################################
 # net_domain(domain)
 # Allow a base set of permissions required for network access.
 define(`net_domain', `
 typeattribute $1 netdomain;
 ')

 #####################################
 # bluetooth_domain(domain)
 # Allow a base set of permissions required for bluetooth access.
 define(`bluetooth_domain', `
 typeattribute $1 bluetoothdomain;
 ')

 # TODO: Remove hal_impl_domain once all uses have been switched to hal_server_domain.
 #####################################
 # hal_impl_domain(domain[, hal_type_attr])
 # Allow a base set of permissions required for a domain to host a
 # HAL implementation.
 #
 # Optionally, the type of the HAL can be specified as the second
 # argument. This is useful for HALs which may have multiple
 # implementations. Attributes are used to group the various
 # implementations of such HALs.
 #
 # For example, default implementation of Foo HAL:
 #   type hal_foo_default, domain;
 #   hal_impl_domain(hal_foo_default, hal_foo)
 #
 define(`hal_impl_domain', `
 typeattribute $1 halserverdomain;
 ifelse($2, `', `', `typeattribute $1 $2;')
 ')

 #####################################
 # hal_server_domain(domain, hal_type)
 # Allow a base set of permissions required for a domain to offer a
 # HAL implementation of the specified type over HwBinder.
 #
 # For example, default implementation of Foo HAL:
 #   type hal_foo_default, domain;
 #   hal_server_domain(hal_foo_default, hal_foo)
 #
 define(`hal_server_domain', `
 typeattribute $1 halserverdomain;
 typeattribute $1 $2_server;
 typeattribute $1 $2;
 ')

 #####################################
 # hal_client_domain(domain, hal_type)
 # Allow a base set of permissions required for a domain to be a
 # client of a HAL of the specified type.
 #
 # For example, make some_domain a client of Foo HAL:
 #   hal_client_domain(some_domain, hal_foo)
 #
 define(`hal_client_domain', `
 typeattribute $1 halclientdomain;
 typeattribute $1 $2_client;

 # TODO(b/34170079): Make the inclusion of the rules below conditional,
 # once we know at build time whether a HAL is going to run in
 # passthrough or binderized mode.
 typeattribute $1 $2;
 # Find passthrough HAL implementations
 allow $2 system_file:dir r_dir_perms;
 ')

 #####################################
 # unix_socket_connect(clientdomain, socket, serverdomain)
 # Allow a local socket connection from clientdomain via
 # socket to serverdomain.
 #
 # Note: If you see denial records that distill to the
 # following allow rules:
 # allow clientdomain property_socket:sock_file write;
 # allow clientdomain init:unix_stream_socket connectto;
 # allow clientdomain something_prop:property_service set;
 #
 # This sequence is indicative of attempting to set a property.
 # use set_prop(sourcedomain, targetproperty)
 #
 define(`unix_socket_connect', `
 ifelse($2, `property', `
     ifelse($3,`init', `
        print(`deprecated: unix_socket_connect($1, $2, $3) Please use set_prop($1, <property name>) instead.')
    ')
 ')
 __unix_socket_connect__($1, $2, $3)
 ')

 define(`__unix_socket_connect__', `
 allow $1 $2_socket:sock_file write;
 allow $1 $3:unix_stream_socket connectto;
 ')

 #####################################
 # set_prop(sourcedomain, targetproperty)
 # Allows source domain to set the
 # targetproperty.
 #
 define(`set_prop', `
 __unix_socket_connect__($1, property, init)
 allow $1 $2:property_service set;
 get_prop($1, $2)
 ')

 #####################################
 # get_prop(sourcedomain, targetproperty)
 # Allows source domain to read the
 # targetproperty.
 #
 define(`get_prop', `
 allow $1 $2:file r_file_perms;
 ')

 #####################################
 # unix_socket_send(clientdomain, socket, serverdomain)
 # Allow a local socket send from clientdomain via
 # socket to serverdomain.
 define(`unix_socket_send', `
 allow $1 $2_socket:sock_file write;
 allow $1 $3:unix_dgram_socket sendto;
 ')

 #####################################
 # binder_use(domain)
 # Allow domain to use Binder IPC.
 define(`binder_use', `
 # Call the servicemanager and transfer references to it.
 allow $1 servicemanager:binder { call transfer };
 # servicemanager performs getpidcon on clients.
 allow servicemanager $1:dir search;
 allow servicemanager $1:file { read open };
 allow servicemanager $1:process getattr;
 # rw access to /dev/binder and /dev/ashmem is presently granted to
 # all domains in domain.te.
 ')

 #####################################
 # hwbinder_use(domain)
 # Allow domain to use HwBinder IPC.
 define(`hwbinder_use', `
 # Call the hwservicemanager and transfer references to it.
 allow $1 hwservicemanager:binder { call transfer };
 # Allow hwservicemanager to send out callbacks
 allow hwservicemanager $1:binder { call transfer };
 # hwservicemanager performs getpidcon on clients.
 allow hwservicemanager $1:dir search;
 allow hwservicemanager $1:file { read open };
 allow hwservicemanager $1:process getattr;
 # TODO(b/34274385): hals wait for data to be mounted so they can
 # start only if persist.hal.binderization is enabled. (for dogfood
 # stability). getService must also check for data to be mounted
 # if the vintf promises the hal will be registered over hwbinder.
 get_prop($1, hal_binderization_prop)
 get_prop($1, persistent_properties_ready_prop)
 get_prop($1, vold_prop)
 # rw access to /dev/hwbinder and /dev/ashmem is presently granted to
 # all domains in domain.te.
 ')

 #####################################
 # binder_call(clientdomain, serverdomain)
 # Allow clientdomain to perform binder IPC to serverdomain.
 define(`binder_call', `
 # Call the server domain and optionally transfer references to it.
 allow $1 $2:binder { call transfer };
 # Allow the serverdomain to transfer references to the client on the reply.
 allow $2 $1:binder transfer;
 # Receive and use open files from the server.
 allow $1 $2:fd use;
 ')

 #####################################
 # binder_service(domain)
 # Mark a domain as being a Binder service domain.
 # Used to allow binder IPC to the various system services.
 define(`binder_service', `
 typeattribute $1 binderservicedomain;
 ')

 #####################################
 # hwallocator_use(domain)
 # Allow a domain to use Hidl shared memory
 define(`hwallocator_use', `
 # Call into the allocator hal
 binder_call($1, hal_allocator);
 ')

 #####################################
 # wakelock_use(domain)
 # Allow domain to manage wake locks
 define(`wakelock_use', `
 # Access /sys/power/wake_lock and /sys/power/wake_unlock
 allow $1 sysfs_wake_lock:file rw_file_perms;
 # Accessing these files requires CAP_BLOCK_SUSPEND
 allow $1 self:capability2 block_suspend;
 ')

 #####################################
 # selinux_check_access(domain)
 # Allow domain to check SELinux permissions via selinuxfs.
 define(`selinux_check_access', `
 r_dir_file($1, selinuxfs)
 allow $1 selinuxfs:file w_file_perms;
 allow $1 kernel:security compute_av;
 allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
 ')

 #####################################
 # selinux_check_context(domain)
 # Allow domain to check SELinux contexts via selinuxfs.
 define(`selinux_check_context', `
 r_dir_file($1, selinuxfs)
 allow $1 selinuxfs:file w_file_perms;
 allow $1 kernel:security check_context;
 ')

 #####################################
 # create_pty(domain)
 # Allow domain to create and use a pty, isolated from any other domain ptys.
 define(`create_pty', `
 # Each domain gets a unique devpts type.
 type $1_devpts, fs_type;
 # Label the pty with the unique type when created.
 type_transition $1 devpts:chr_file $1_devpts;
 # Allow use of the pty after creation.
 allow $1 $1_devpts:chr_file { open getattr read write ioctl };
 allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
 # TIOCSTI is only ever used for exploits. Block it.
 # b/33073072, b/7530569
 # http://www.openwall.com/lists/oss-security/2016/09/26/14
 neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
 # Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
 # allowed to everyone via domain.te.
 ')

 #####################################
 # Non system_app application set
 #
 define(`non_system_app_set', `{ appdomain -system_app }')

 #####################################
 # Recovery only
 # SELinux rules which apply only to recovery mode
 #
 define(`recovery_only', ifelse(target_recovery, `true', $1, ))

 #####################################
 # Userdebug or eng builds
 # SELinux rules which apply only to userdebug or eng builds
 #
 define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))

 ####################################
 # Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
 #
 define(`crash_dump_fallback', `
 userdebug_or_eng(`
   allow $1 su:fifo_file append;
 ')
 allow $1 anr_data_file:file append;
 allow $1 tombstoned:unix_stream_socket connectto;
 allow $1 tombstoned_crash_socket:sock_file write;
 ')

 #####################################
 # WITH_DEXPREOPT builds
 # SELinux rules which apply only when pre-opting.
 #
 define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))

 #####################################
 # write_logd(domain)
 # Ability to write to android log
 # daemon via sockets
 define(`write_logd', `
 unix_socket_send($1, logdw, logd)
 allow $1 pmsg_device:chr_file w_file_perms;
 ')

 #####################################
 # read_logd(domain)
 # Ability to run logcat and read from android
 # log daemon via sockets
 define(`read_logd', `
 allow $1 logcat_exec:file rx_file_perms;
 unix_socket_connect($1, logdr, logd)
 ')

 #####################################
 # read_runtime_log_tags(domain)
 # ability to directly map the runtime event log tags
 define(`read_runtime_log_tags', `
 allow $1 runtime_event_log_tags_file:file r_file_perms;
 ')

 #####################################
 # control_logd(domain)
 # Ability to control
 # android log daemon via sockets
 define(`control_logd', `
 # Group AID_LOG checked by filesystem & logd
 # to permit control commands
 unix_socket_connect($1, logd, logd)
 ')

 #####################################
 # use_keystore(domain)
 # Ability to use keystore.
 # Keystore is requires the following permissions
 # to call getpidcon.
 define(`use_keystore', `
   allow keystore $1:dir search;
   allow keystore $1:file { read open };
   allow keystore $1:process getattr;
   allow $1 keystore_service:service_manager find;
   binder_call($1, keystore)
 ')

 ###########################################
 # use_drmservice(domain)
 # Ability to use DrmService which requires
 # DrmService to call getpidcon.
 define(`use_drmservice', `
   allow drmserver $1:dir search;
   allow drmserver $1:file { read open };
   allow drmserver $1:process getattr;
 ')

 ###########################################
 # add_service(domain, service)
 # Ability for domain to add a service to service_manager
 # and find it. It also creates a neverallow preventing
 # others from adding it.
 define(`add_service', `
   allow $1 $2:service_manager { add find };
   neverallow { domain -$1 } $2:service_manager add;
 ')

 ##########################################
 # print a message with a trailing newline
 # print(`args')
 define(`print', `errprint(`m4: '__file__: __line__`: $*
 ')')
	#####################################
	# domain_trans(olddomain, type, newdomain)
	# Allow a transition from olddomain to newdomain
	# upon executing a file labeled with type.
	# This only allows the transition; it does not
	# cause it to occur automatically - use domain_auto_trans
	# if that is what you want.
	#
	define(`domain_trans', `
	# Old domain may exec the file and transition to the new domain.
	allow $1 $2:file { getattr open read execute };
	allow $1 $3:process transition;
	# New domain is entered by executing the file.
	allow $3 $2:file { entrypoint open read execute getattr };
	# New domain can send SIGCHLD to its caller.
	ifelse($1, `init', `', `allow $3 $1:process sigchld;')
	# Enable AT_SECURE, i.e. libc secure mode.
	dontaudit $1 $3:process noatsecure;
	# XXX dontaudit candidate but requires further study.
	allow $1 $3:process { siginh rlimitinh };
	')

	#####################################
	# domain_auto_trans(olddomain, type, newdomain)
	# Automatically transition from olddomain to newdomain
	# upon executing a file labeled with type.
	#
	define(`domain_auto_trans', `
	# Allow the necessary permissions.
	domain_trans($1,$2,$3)
	# Make the transition occur by default.
	type_transition $1 $2:process $3;
	')

	#####################################
	# file_type_trans(domain, dir_type, file_type)
	# Allow domain to create a file labeled file_type in a
	# directory labeled dir_type.
	# This only allows the transition; it does not
	# cause it to occur automatically - use file_type_auto_trans
	# if that is what you want.
	#
	define(`file_type_trans', `
	# Allow the domain to add entries to the directory.
	allow $1 $2:dir ra_dir_perms;
	# Allow the domain to create the file.
	allow $1 $3:notdevfile_class_set create_file_perms;
	allow $1 $3:dir create_dir_perms;
	')

	#####################################
	# file_type_auto_trans(domain, dir_type, file_type)
	# Automatically label new files with file_type when
	# they are created by domain in directories labeled dir_type.
	#
	define(`file_type_auto_trans', `
	# Allow the necessary permissions.
	file_type_trans($1, $2, $3)
	# Make the transition occur by default.
	type_transition $1 $2:dir $3;
	type_transition $1 $2:notdevfile_class_set $3;
	')

	#####################################
	# r_dir_file(domain, type)
	# Allow the specified domain to read directories, files
	# and symbolic links of the specified type.
	define(`r_dir_file', `
	allow $1 $2:dir r_dir_perms;
	allow $1 $2:{ file lnk_file } r_file_perms;
	')

	#####################################
	# tmpfs_domain(domain)
	# Define and allow access to a unique type for
	# this domain when creating tmpfs / shmem / ashmem files.
	define(`tmpfs_domain', `
	type $1_tmpfs, file_type;
	type_transition $1 tmpfs:file $1_tmpfs;
	allow $1 $1_tmpfs:file { read write };
	allow $1 tmpfs:dir { getattr search };
	')

	# pdx macros for IPC. pdx is a high-level name which contains transport-specific
	# rules from underlying transport (e.g. UDS-based implementation).

	#####################################
	# pdx_server(domain)
	define(`pdx_server', `
	allow $1 pdx_socket:dir create_dir_perms;
	allow $1 pdx_socket:sock_file create_file_perms;
	')

	#####################################
	# use_pdx(clientdomain, serverdomain)
	define(`use_pdx', `
	# Open the socket.
	allow $1 pdx_socket:dir r_dir_perms;
	allow $1 pdx_socket:sock_file rw_file_perms;
	# Use the socket.
	allow $1 $2:unix_stream_socket { connectto read write shutdown };
	# Clients recieve an event fd from the server.
	allow $1 $2:fd use;
	# Servers may receive sync fences, gralloc buffers, etc, from clients.
	# This could be tightened on a per-server basis, but keeping track of service
	# clients is error prone.
	allow $2 $1:fd use;
	')

	#####################################
	# init_daemon_domain(domain)
	# Set up a transition from init to the daemon domain
	# upon executing its binary.
	define(`init_daemon_domain', `
	domain_auto_trans(init, $1_exec, $1)
	tmpfs_domain($1)
	')

	#####################################
	# app_domain(domain)
	# Allow a base set of permissions required for all apps.
	define(`app_domain', `
	typeattribute $1 appdomain;
	# Label ashmem objects with our own unique type.
	tmpfs_domain($1)
	# Map with PROT_EXEC.
	allow $1 $1_tmpfs:file execute;
	')

	#####################################
	# untrusted_app_domain(domain)
	# Allow a base set of permissions required for all untrusted apps.
	define(`untrusted_app_domain', `
	typeattribute $1 untrusted_app_all;
	')

	#####################################
	# net_domain(domain)
	# Allow a base set of permissions required for network access.
	define(`net_domain', `
	typeattribute $1 netdomain;
	')

	#####################################
	# bluetooth_domain(domain)
	# Allow a base set of permissions required for bluetooth access.
	define(`bluetooth_domain', `
	typeattribute $1 bluetoothdomain;
	')

	# TODO: Remove hal_impl_domain once all uses have been switched to hal_server_domain.
	#####################################
	# hal_impl_domain(domain[, hal_type_attr])
	# Allow a base set of permissions required for a domain to host a
	# HAL implementation.
	#
	# Optionally, the type of the HAL can be specified as the second
	# argument. This is useful for HALs which may have multiple
	# implementations. Attributes are used to group the various
	# implementations of such HALs.
	#
	# For example, default implementation of Foo HAL:
	# type hal_foo_default, domain;
	# hal_impl_domain(hal_foo_default, hal_foo)
	#
	define(`hal_impl_domain', `
	typeattribute $1 halserverdomain;
	ifelse($2, `', `', `typeattribute $1 $2;')
	')

	#####################################
	# hal_server_domain(domain, hal_type)
	# Allow a base set of permissions required for a domain to offer a
	# HAL implementation of the specified type over HwBinder.
	#
	# For example, default implementation of Foo HAL:
	# type hal_foo_default, domain;
	# hal_server_domain(hal_foo_default, hal_foo)
	#
	define(`hal_server_domain', `
	typeattribute $1 halserverdomain;
	typeattribute $1 $2_server;
	typeattribute $1 $2;
	')

	#####################################
	# hal_client_domain(domain, hal_type)
	# Allow a base set of permissions required for a domain to be a
	# client of a HAL of the specified type.
	#
	# For example, make some_domain a client of Foo HAL:
	# hal_client_domain(some_domain, hal_foo)
	#
	define(`hal_client_domain', `
	typeattribute $1 halclientdomain;
	typeattribute $1 $2_client;

	# TODO(b/34170079): Make the inclusion of the rules below conditional,
	# once we know at build time whether a HAL is going to run in
	# passthrough or binderized mode.
	typeattribute $1 $2;
	# Find passthrough HAL implementations
	allow $2 system_file:dir r_dir_perms;
	')

	#####################################
	# unix_socket_connect(clientdomain, socket, serverdomain)
	# Allow a local socket connection from clientdomain via
	# socket to serverdomain.
	#
	# Note: If you see denial records that distill to the
	# following allow rules:
	# allow clientdomain property_socket:sock_file write;
	# allow clientdomain init:unix_stream_socket connectto;
	# allow clientdomain something_prop:property_service set;
	#
	# This sequence is indicative of attempting to set a property.
	# use set_prop(sourcedomain, targetproperty)
	#
	define(`unix_socket_connect', `
	ifelse($2, `property', `
	ifelse($3,`init', `
	print(`deprecated: unix_socket_connect($1, $2, $3) Please use set_prop($1, <property name>) instead.')
	')
	')
	__unix_socket_connect__($1, $2, $3)
	')

	define(`__unix_socket_connect__', `
	allow $1 $2_socket:sock_file write;
	allow $1 $3:unix_stream_socket connectto;
	')

	#####################################
	# set_prop(sourcedomain, targetproperty)
	# Allows source domain to set the
	# targetproperty.
	#
	define(`set_prop', `
	__unix_socket_connect__($1, property, init)
	allow $1 $2:property_service set;
	get_prop($1, $2)
	')

	#####################################
	# get_prop(sourcedomain, targetproperty)
	# Allows source domain to read the
	# targetproperty.
	#
	define(`get_prop', `
	allow $1 $2:file r_file_perms;
	')

	#####################################
	# unix_socket_send(clientdomain, socket, serverdomain)
	# Allow a local socket send from clientdomain via
	# socket to serverdomain.
	define(`unix_socket_send', `
	allow $1 $2_socket:sock_file write;
	allow $1 $3:unix_dgram_socket sendto;
	')

	#####################################
	# binder_use(domain)
	# Allow domain to use Binder IPC.
	define(`binder_use', `
	# Call the servicemanager and transfer references to it.
	allow $1 servicemanager:binder { call transfer };
	# servicemanager performs getpidcon on clients.
	allow servicemanager $1:dir search;
	allow servicemanager $1:file { read open };
	allow servicemanager $1:process getattr;
	# rw access to /dev/binder and /dev/ashmem is presently granted to
	# all domains in domain.te.
	')

	#####################################
	# hwbinder_use(domain)
	# Allow domain to use HwBinder IPC.
	define(`hwbinder_use', `
	# Call the hwservicemanager and transfer references to it.
	allow $1 hwservicemanager:binder { call transfer };
	# Allow hwservicemanager to send out callbacks
	allow hwservicemanager $1:binder { call transfer };
	# hwservicemanager performs getpidcon on clients.
	allow hwservicemanager $1:dir search;
	allow hwservicemanager $1:file { read open };
	allow hwservicemanager $1:process getattr;
	# TODO(b/34274385): hals wait for data to be mounted so they can
	# start only if persist.hal.binderization is enabled. (for dogfood
	# stability). getService must also check for data to be mounted
	# if the vintf promises the hal will be registered over hwbinder.
	get_prop($1, hal_binderization_prop)
	get_prop($1, persistent_properties_ready_prop)
	get_prop($1, vold_prop)
	# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
	# all domains in domain.te.
	')

	#####################################
	# binder_call(clientdomain, serverdomain)
	# Allow clientdomain to perform binder IPC to serverdomain.
	define(`binder_call', `
	# Call the server domain and optionally transfer references to it.
	allow $1 $2:binder { call transfer };
	# Allow the serverdomain to transfer references to the client on the reply.
	allow $2 $1:binder transfer;
	# Receive and use open files from the server.
	allow $1 $2:fd use;
	')

	#####################################
	# binder_service(domain)
	# Mark a domain as being a Binder service domain.
	# Used to allow binder IPC to the various system services.
	define(`binder_service', `
	typeattribute $1 binderservicedomain;
	')

	#####################################
	# hwallocator_use(domain)
	# Allow a domain to use Hidl shared memory
	define(`hwallocator_use', `
	# Call into the allocator hal
	binder_call($1, hal_allocator);
	')

	#####################################
	# wakelock_use(domain)
	# Allow domain to manage wake locks
	define(`wakelock_use', `
	# Access /sys/power/wake_lock and /sys/power/wake_unlock
	allow $1 sysfs_wake_lock:file rw_file_perms;
	# Accessing these files requires CAP_BLOCK_SUSPEND
	allow $1 self:capability2 block_suspend;
	')

	#####################################
	# selinux_check_access(domain)
	# Allow domain to check SELinux permissions via selinuxfs.
	define(`selinux_check_access', `
	r_dir_file($1, selinuxfs)
	allow $1 selinuxfs:file w_file_perms;
	allow $1 kernel:security compute_av;
	allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
	')

	#####################################
	# selinux_check_context(domain)
	# Allow domain to check SELinux contexts via selinuxfs.
	define(`selinux_check_context', `
	r_dir_file($1, selinuxfs)
	allow $1 selinuxfs:file w_file_perms;
	allow $1 kernel:security check_context;
	')

	#####################################
	# create_pty(domain)
	# Allow domain to create and use a pty, isolated from any other domain ptys.
	define(`create_pty', `
	# Each domain gets a unique devpts type.
	type $1_devpts, fs_type;
	# Label the pty with the unique type when created.
	type_transition $1 devpts:chr_file $1_devpts;
	# Allow use of the pty after creation.
	allow $1 $1_devpts:chr_file { open getattr read write ioctl };
	allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
	# TIOCSTI is only ever used for exploits. Block it.
	# b/33073072, b/7530569
	# http://www.openwall.com/lists/oss-security/2016/09/26/14
	neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
	# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
	# allowed to everyone via domain.te.
	')

	#####################################
	# Non system_app application set
	#
	define(`non_system_app_set', `{ appdomain -system_app }')

	#####################################
	# Recovery only
	# SELinux rules which apply only to recovery mode
	#
	define(`recovery_only', ifelse(target_recovery, `true', $1, ))

	#####################################
	# Userdebug or eng builds
	# SELinux rules which apply only to userdebug or eng builds
	#
	define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))

	####################################
	# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
	#
	define(`crash_dump_fallback', `
	userdebug_or_eng(`
	allow $1 su:fifo_file append;
	')
	allow $1 anr_data_file:file append;
	allow $1 tombstoned:unix_stream_socket connectto;
	allow $1 tombstoned_crash_socket:sock_file write;
	')

	#####################################
	# WITH_DEXPREOPT builds
	# SELinux rules which apply only when pre-opting.
	#
	define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))

	#####################################
	# write_logd(domain)
	# Ability to write to android log
	# daemon via sockets
	define(`write_logd', `
	unix_socket_send($1, logdw, logd)
	allow $1 pmsg_device:chr_file w_file_perms;
	')

	#####################################
	# read_logd(domain)
	# Ability to run logcat and read from android
	# log daemon via sockets
	define(`read_logd', `
	allow $1 logcat_exec:file rx_file_perms;
	unix_socket_connect($1, logdr, logd)
	')

	#####################################
	# read_runtime_log_tags(domain)
	# ability to directly map the runtime event log tags
	define(`read_runtime_log_tags', `
	allow $1 runtime_event_log_tags_file:file r_file_perms;
	')

	#####################################
	# control_logd(domain)
	# Ability to control
	# android log daemon via sockets
	define(`control_logd', `
	# Group AID_LOG checked by filesystem & logd
	# to permit control commands
	unix_socket_connect($1, logd, logd)
	')

	#####################################
	# use_keystore(domain)
	# Ability to use keystore.
	# Keystore is requires the following permissions
	# to call getpidcon.
	define(`use_keystore', `
	allow keystore $1:dir search;
	allow keystore $1:file { read open };
	allow keystore $1:process getattr;
	allow $1 keystore_service:service_manager find;
	binder_call($1, keystore)
	')

	###########################################
	# use_drmservice(domain)
	# Ability to use DrmService which requires
	# DrmService to call getpidcon.
	define(`use_drmservice', `
	allow drmserver $1:dir search;
	allow drmserver $1:file { read open };
	allow drmserver $1:process getattr;
	')

	###########################################
	# add_service(domain, service)
	# Ability for domain to add a service to service_manager
	# and find it. It also creates a neverallow preventing
	# others from adding it.
	define(`add_service', `
	allow $1 $2:service_manager { add find };
	neverallow { domain -$1 } $2:service_manager add;
	')

	##########################################
	# print a message with a trailing newline
	# print(`args')
	define(`print', `errprint(`m4: '__file__: __line__`: $*
	')')