private/file.te - platform/system/sepolicy - Git at Google

 # /proc/allocinfo
 type proc_allocinfo, fs_type, proc_type;

 # /proc/config.gz
 type config_gz, fs_type, proc_type;

 # /sys/fs/bpf/<dir> for mainline tethering use
 # TODO: move S+ fs_bpf_tethering here from public/file.te
 type fs_bpf_net_private, fs_type, bpffs_type;
 type fs_bpf_net_shared, fs_type, bpffs_type;
 type fs_bpf_netd_readonly, fs_type, bpffs_type;
 type fs_bpf_netd_shared, fs_type, bpffs_type;
 type fs_bpf_loader, fs_type, bpffs_type;
 type fs_bpf_uprobestats, fs_type, bpffs_type;
 type fs_bpf_memevents, fs_type, bpffs_type;

 # /data/misc/storaged
 type storaged_data_file, file_type, data_file_type, core_data_file_type;

 # /data/misc/wmtrace for wm traces
 type wm_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;

 # /data/misc/a11ytrace for accessibility traces
 type accessibility_trace_data_file, file_type, data_file_type, core_data_file_type;

 # /data/misc/perfetto-traces for perfetto traces
 type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;

 # /data/misc/perfetto-traces/bugreport for perfetto traces for bugreports.
 type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_file_type;

 # /data/misc/perfetto-traces/profiling for perfetto traces from profiling apis.
 type perfetto_traces_profiling_data_file, file_type, data_file_type, core_data_file_type;

 # /data/misc/perfetto-configs for perfetto configs
 type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;

 # /system/etc/perfetto for perfetto configs
 type system_perfetto_config_file, file_type, system_file_type;

 # /data/misc/uprobestats-configs for uprobestats configs
 type uprobestats_configs_data_file, file_type, data_file_type, core_data_file_type;

 # /apex/com.android.art/bin/oatdump
 # TODO (b/350628688): Remove this once it's safe to do so.
 type oatdump_exec, system_file_type, exec_type, file_type;

 # /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
 type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
 # /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
 type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;

 # /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
 type debugfs_kcov, fs_type, debugfs_type;

 # App executable files in /data/data directories
 type app_exec_data_file, file_type, data_file_type, core_data_file_type;
 typealias app_exec_data_file alias rs_data_file;

 # /data/misc_[ce|de]/rollback : Used by installd to store snapshots
 # of application data.
 type rollback_data_file, file_type, data_file_type, core_data_file_type;

 # /data/misc_ce/checkin for checkin apps.
 type checkin_data_file, file_type, data_file_type, core_data_file_type;

 # /data/gsi/ota
 type ota_image_data_file, file_type, data_file_type, core_data_file_type;

 # /data/gsi_persistent_data
 type gsi_persistent_data_file, file_type, data_file_type, core_data_file_type;

 # /data/misc/emergencynumberdb
 type emergency_data_file, file_type, data_file_type, core_data_file_type;

 # /data/misc/profcollectd
 type profcollectd_data_file, file_type, data_file_type, core_data_file_type;

 # /data/misc/apexdata/com.android.art
 type apex_art_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

 # /data/misc/apexdata/com.android.art/staging
 type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;

 # /data/misc/apexdata/com.android.compos
 type apex_compos_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

 # /data/misc/apexdata/com.android.virt
 type apex_virt_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

 # /data/misc/apexdata/com.android.tethering
 type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

 # /data/misc/apexdata/com.android.uwb
 type apex_uwb_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

 # legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
 # for backward compatibility b/217581286
 type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
 type apex_permission_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
 type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
 type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

 # /data/font/files
 type font_data_file, file_type, data_file_type, core_data_file_type;

 # /data/misc/dmesgd
 type dmesgd_data_file, file_type, data_file_type, core_data_file_type;

 # /data/misc/odrefresh
 type odrefresh_data_file, file_type, data_file_type, core_data_file_type;

 # /data/misc/odsign
 type odsign_data_file, file_type, data_file_type, core_data_file_type;

 # /data/misc/odsign_metrics
 type odsign_metrics_file, file_type, data_file_type, core_data_file_type;

 # /data/misc/virtualizationservice
 # The type needs to be mlstrustedobject to allow for being accessed from
 # virtualizationmanager, which runs at a more constrained MLS level.
 type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;

 # /mnt/vm
 type vm_data_file, file_type, core_data_file_type;

 # /data/system/environ
 type environ_system_data_file, file_type, data_file_type, core_data_file_type;

 # /data/misc/bootanim
 type bootanim_data_file, file_type, data_file_type, core_data_file_type;

 # /dev/kvm
 # The type needs to be mlstrustedobject to allow for being accessed from
 # crosvm, which runs at a more constrained MLS level.
 type kvm_device, dev_type, mlstrustedobject, vm_manager_device_type;

 # /apex/com.android.virt/bin/fd_server
 type fd_server_exec, system_file_type, exec_type, file_type;

 # /apex/com.android.compos/bin/compsvc
 type compos_exec, exec_type, file_type, system_file_type;
 # /apex/com.android.compos/bin/compos_key_helper
 type compos_key_helper_exec, exec_type, file_type, system_file_type;

 # Filesystem entry for for PRNG seeder socket.  Processes require
 # write permission on this to connect, and needs to be mlstrustedobject
 # in to satisfy MLS constraints for trusted domains.
 type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;

 # /proc/device-tree/avf and /sys/firmware/devicetree/base/avf
 type sysfs_dt_avf, fs_type, sysfs_type;
 type proc_dt_avf, fs_type, proc_type;

 # Type for /system/fonts/font_fallback.xm
 type system_font_fallback_file, system_file_type, file_type;

 # Type for /sys/devices/uprobe.
 type sysfs_uprobe, fs_type, sysfs_type;

 # Type for aconfig daemon socket
 type aconfigd_socket, file_type, coredomain_socket, mlstrustedobject;

 # Type for aconfig mainline daemon socket
 type aconfigd_mainline_socket, file_type, coredomain_socket,  mlstrustedobject;

 # Type for /(system|system_ext|product)/etc/aconfig
 type system_aconfig_storage_file, system_file_type, file_type;

 # Type for /vendor/etc/aconfig
 type vendor_aconfig_storage_file, vendor_file_type, file_type;

 # /data/misc/connectivityblobdb
 type connectivityblob_data_file, file_type, data_file_type, core_data_file_type;

 # /data/misc/wifi/mainline_supplicant
 type mainline_supplicant_data_file, file_type, data_file_type, core_data_file_type;

 # Type for /mnt/pre_reboot_dexopt
 type pre_reboot_dexopt_file, file_type;

 # Type for /mnt/artd_tmp in the Pre-reboot Dexopt chroot
 # This type is set on the directory through the `rootcontext=` mount option.
 type pre_reboot_dexopt_artd_file, file_type;

 # /data/app-metadata - extracted app metadata bundles from APKs
 type apk_metadata_file, file_type, data_file_type, core_data_file_type;

 # Type for /sys/kernel/mm/pgsize_migration/enabled
 type sysfs_pgsize_migration, fs_type, sysfs_type;

 # /sys/firmware/acpi/tables
 type sysfs_firmware_acpi_tables, fs_type, sysfs_type;

 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
 allow cgroup_v2 tmpfs:filesystem associate;
 allow cgroup_rc_file tmpfs:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
 allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
 allow file_type labeledfs:filesystem associate;
 allow file_type tmpfs:filesystem associate;
 allow file_type rootfs:filesystem associate;
 allow dev_type tmpfs:filesystem associate;
 allow app_fuse_file app_fusefs:filesystem associate;
 allow postinstall_file self:filesystem associate;
 allow proc_net proc:filesystem associate;

 # It's a bug to assign the file_type attribute and fs_type attribute
 # to any type. Do not allow it.
 #
 # For example, the following is a bug:
 #   type apk_data_file, file_type, data_file_type, fs_type;
 # Should be:
 #   type apk_data_file, file_type, data_file_type;
 neverallow fs_type file_type:filesystem associate;
 # app directories of storage areas: /data/storage_area/userId/pkgName -- apps cannot write to it
 type storage_area_app_dir, file_type, data_file_type, core_data_file_type, app_data_file_type;
 # app storage areas: /data/storage_area/userId/pkgName/storageAreaName
 type storage_area_dir, file_type, data_file_type, core_data_file_type, app_data_file_type;
 # contents of app storage areas: /data/storage_area/userId/pkgName/storageAreaName/*
 type storage_area_content_file, file_type, data_file_type, core_data_file_type, app_data_file_type;

 # /data/misc_ce/userId/storage_area_keys
 type storage_area_key_file, file_type, data_file_type, core_data_file_type;

 # /metadata/tradeinmode files
 type tradeinmode_metadata_file, file_type;

 # /metadata/prefetch files
 type prefetch_metadata_file, file_type;

 # Types added in 202504 in public/file.te
 until_board_api(202504, `
     type binderfs_logs_transactions, fs_type;
     type binderfs_logs_transaction_history, fs_type;
 ')

 until_board_api(202504, `
     type proc_cgroups, fs_type, proc_type;
 ')

 until_board_api(202504, `
     type sysfs_udc, fs_type, sysfs_type;
 ')

 until_board_api(202504, `
     type fs_bpf_lmkd_memevents_rb, fs_type, bpffs_type;
     type fs_bpf_lmkd_memevents_prog, fs_type, bpffs_type;
 ')

 until_board_api(202504, `
     # boot otas for 16KB developer option
     type vendor_boot_ota_file, vendor_file_type, file_type;
 ')

 until_board_api(202504, `
     type tee_service_contexts_file, system_file_type, file_type;
 ')

 ## END Types added in 202504 in public/file.te
	# /proc/allocinfo
	type proc_allocinfo, fs_type, proc_type;

	# /proc/config.gz
	type config_gz, fs_type, proc_type;

	# /sys/fs/bpf/<dir> for mainline tethering use
	# TODO: move S+ fs_bpf_tethering here from public/file.te
	type fs_bpf_net_private, fs_type, bpffs_type;
	type fs_bpf_net_shared, fs_type, bpffs_type;
	type fs_bpf_netd_readonly, fs_type, bpffs_type;
	type fs_bpf_netd_shared, fs_type, bpffs_type;
	type fs_bpf_loader, fs_type, bpffs_type;
	type fs_bpf_uprobestats, fs_type, bpffs_type;
	type fs_bpf_memevents, fs_type, bpffs_type;

	# /data/misc/storaged
	type storaged_data_file, file_type, data_file_type, core_data_file_type;

	# /data/misc/wmtrace for wm traces
	type wm_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;

	# /data/misc/a11ytrace for accessibility traces
	type accessibility_trace_data_file, file_type, data_file_type, core_data_file_type;

	# /data/misc/perfetto-traces for perfetto traces
	type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;

	# /data/misc/perfetto-traces/bugreport for perfetto traces for bugreports.
	type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_file_type;

	# /data/misc/perfetto-traces/profiling for perfetto traces from profiling apis.
	type perfetto_traces_profiling_data_file, file_type, data_file_type, core_data_file_type;

	# /data/misc/perfetto-configs for perfetto configs
	type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;

	# /system/etc/perfetto for perfetto configs
	type system_perfetto_config_file, file_type, system_file_type;

	# /data/misc/uprobestats-configs for uprobestats configs
	type uprobestats_configs_data_file, file_type, data_file_type, core_data_file_type;

	# /apex/com.android.art/bin/oatdump
	# TODO (b/350628688): Remove this once it's safe to do so.
	type oatdump_exec, system_file_type, exec_type, file_type;

	# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
	type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
	# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
	type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;

	# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
	type debugfs_kcov, fs_type, debugfs_type;

	# App executable files in /data/data directories
	type app_exec_data_file, file_type, data_file_type, core_data_file_type;
	typealias app_exec_data_file alias rs_data_file;

	# /data/misc_[ce\|de]/rollback : Used by installd to store snapshots
	# of application data.
	type rollback_data_file, file_type, data_file_type, core_data_file_type;

	# /data/misc_ce/checkin for checkin apps.
	type checkin_data_file, file_type, data_file_type, core_data_file_type;

	# /data/gsi/ota
	type ota_image_data_file, file_type, data_file_type, core_data_file_type;

	# /data/gsi_persistent_data
	type gsi_persistent_data_file, file_type, data_file_type, core_data_file_type;

	# /data/misc/emergencynumberdb
	type emergency_data_file, file_type, data_file_type, core_data_file_type;

	# /data/misc/profcollectd
	type profcollectd_data_file, file_type, data_file_type, core_data_file_type;

	# /data/misc/apexdata/com.android.art
	type apex_art_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

	# /data/misc/apexdata/com.android.art/staging
	type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;

	# /data/misc/apexdata/com.android.compos
	type apex_compos_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

	# /data/misc/apexdata/com.android.virt
	type apex_virt_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

	# /data/misc/apexdata/com.android.tethering
	type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

	# /data/misc/apexdata/com.android.uwb
	type apex_uwb_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

	# legacy labels for various /data/misc[_ce\|_de]/*/apexdata directories - retained
	# for backward compatibility b/217581286
	type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
	type apex_permission_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
	type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
	type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

	# /data/font/files
	type font_data_file, file_type, data_file_type, core_data_file_type;

	# /data/misc/dmesgd
	type dmesgd_data_file, file_type, data_file_type, core_data_file_type;

	# /data/misc/odrefresh
	type odrefresh_data_file, file_type, data_file_type, core_data_file_type;

	# /data/misc/odsign
	type odsign_data_file, file_type, data_file_type, core_data_file_type;

	# /data/misc/odsign_metrics
	type odsign_metrics_file, file_type, data_file_type, core_data_file_type;

	# /data/misc/virtualizationservice
	# The type needs to be mlstrustedobject to allow for being accessed from
	# virtualizationmanager, which runs at a more constrained MLS level.
	type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;

	# /mnt/vm
	type vm_data_file, file_type, core_data_file_type;

	# /data/system/environ
	type environ_system_data_file, file_type, data_file_type, core_data_file_type;

	# /data/misc/bootanim
	type bootanim_data_file, file_type, data_file_type, core_data_file_type;

	# /dev/kvm
	# The type needs to be mlstrustedobject to allow for being accessed from
	# crosvm, which runs at a more constrained MLS level.
	type kvm_device, dev_type, mlstrustedobject, vm_manager_device_type;

	# /apex/com.android.virt/bin/fd_server
	type fd_server_exec, system_file_type, exec_type, file_type;

	# /apex/com.android.compos/bin/compsvc
	type compos_exec, exec_type, file_type, system_file_type;
	# /apex/com.android.compos/bin/compos_key_helper
	type compos_key_helper_exec, exec_type, file_type, system_file_type;

	# Filesystem entry for for PRNG seeder socket. Processes require
	# write permission on this to connect, and needs to be mlstrustedobject
	# in to satisfy MLS constraints for trusted domains.
	type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;

	# /proc/device-tree/avf and /sys/firmware/devicetree/base/avf
	type sysfs_dt_avf, fs_type, sysfs_type;
	type proc_dt_avf, fs_type, proc_type;

	# Type for /system/fonts/font_fallback.xm
	type system_font_fallback_file, system_file_type, file_type;

	# Type for /sys/devices/uprobe.
	type sysfs_uprobe, fs_type, sysfs_type;

	# Type for aconfig daemon socket
	type aconfigd_socket, file_type, coredomain_socket, mlstrustedobject;

	# Type for aconfig mainline daemon socket
	type aconfigd_mainline_socket, file_type, coredomain_socket, mlstrustedobject;

	# Type for /(system\|system_ext\|product)/etc/aconfig
	type system_aconfig_storage_file, system_file_type, file_type;

	# Type for /vendor/etc/aconfig
	type vendor_aconfig_storage_file, vendor_file_type, file_type;

	# /data/misc/connectivityblobdb
	type connectivityblob_data_file, file_type, data_file_type, core_data_file_type;

	# /data/misc/wifi/mainline_supplicant
	type mainline_supplicant_data_file, file_type, data_file_type, core_data_file_type;

	# Type for /mnt/pre_reboot_dexopt
	type pre_reboot_dexopt_file, file_type;

	# Type for /mnt/artd_tmp in the Pre-reboot Dexopt chroot
	# This type is set on the directory through the `rootcontext=` mount option.
	type pre_reboot_dexopt_artd_file, file_type;

	# /data/app-metadata - extracted app metadata bundles from APKs
	type apk_metadata_file, file_type, data_file_type, core_data_file_type;

	# Type for /sys/kernel/mm/pgsize_migration/enabled
	type sysfs_pgsize_migration, fs_type, sysfs_type;

	# /sys/firmware/acpi/tables
	type sysfs_firmware_acpi_tables, fs_type, sysfs_type;

	# Allow files to be created in their appropriate filesystems.
	allow fs_type self:filesystem associate;
	allow cgroup tmpfs:filesystem associate;
	allow cgroup_v2 tmpfs:filesystem associate;
	allow cgroup_rc_file tmpfs:filesystem associate;
	allow sysfs_type sysfs:filesystem associate;
	allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
	allow file_type labeledfs:filesystem associate;
	allow file_type tmpfs:filesystem associate;
	allow file_type rootfs:filesystem associate;
	allow dev_type tmpfs:filesystem associate;
	allow app_fuse_file app_fusefs:filesystem associate;
	allow postinstall_file self:filesystem associate;
	allow proc_net proc:filesystem associate;

	# It's a bug to assign the file_type attribute and fs_type attribute
	# to any type. Do not allow it.
	#
	# For example, the following is a bug:
	# type apk_data_file, file_type, data_file_type, fs_type;
	# Should be:
	# type apk_data_file, file_type, data_file_type;
	neverallow fs_type file_type:filesystem associate;
	# app directories of storage areas: /data/storage_area/userId/pkgName -- apps cannot write to it
	type storage_area_app_dir, file_type, data_file_type, core_data_file_type, app_data_file_type;
	# app storage areas: /data/storage_area/userId/pkgName/storageAreaName
	type storage_area_dir, file_type, data_file_type, core_data_file_type, app_data_file_type;
	# contents of app storage areas: /data/storage_area/userId/pkgName/storageAreaName/*
	type storage_area_content_file, file_type, data_file_type, core_data_file_type, app_data_file_type;

	# /data/misc_ce/userId/storage_area_keys
	type storage_area_key_file, file_type, data_file_type, core_data_file_type;

	# /metadata/tradeinmode files
	type tradeinmode_metadata_file, file_type;

	# /metadata/prefetch files
	type prefetch_metadata_file, file_type;

	# Types added in 202504 in public/file.te
	until_board_api(202504, `
	type binderfs_logs_transactions, fs_type;
	type binderfs_logs_transaction_history, fs_type;
	')

	until_board_api(202504, `
	type proc_cgroups, fs_type, proc_type;
	')

	until_board_api(202504, `
	type sysfs_udc, fs_type, sysfs_type;
	')

	until_board_api(202504, `
	type fs_bpf_lmkd_memevents_rb, fs_type, bpffs_type;
	type fs_bpf_lmkd_memevents_prog, fs_type, bpffs_type;
	')

	until_board_api(202504, `
	# boot otas for 16KB developer option
	type vendor_boot_ota_file, vendor_file_type, file_type;
	')

	until_board_api(202504, `
	type tee_service_contexts_file, system_file_type, file_type;
	')

	## END Types added in 202504 in public/file.te