# kernel domain is used for all processes started before Android init installs SELinux policy.
# Normally, no processes should be in this domain because clumping multiple processes into a single
# SELinux domain overprivileges each of those processes.

# TODO(b/65049764): Get rid of the hostapd instance started before Android init
net_domain(kernel)
allow kernel self:capability net_admin;
allow kernel self:netlink_socket create_socket_perms_no_ioctl;
allow kernel tmpfs:dir search;

# TODO(b/65049764): Get rid of GCE proxy and similar daemons started before Android init
# gce.meta.proxy and gce.ex.outer write to /dev/console which for some reason does not appear
# labelled as console_device although it is labeled as such on the filesystem.
allow kernel rootfs:chr_file write;

# kdevtmpfs accesses devices before ueventd runs restorecon and relabels devices
allow kernel device:chr_file { create setattr getattr unlink };
allow kernel device:dir create_dir_perms;
allow kernel self:capability mknod;
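The comment above warns that every pre-init process shares whatever the kernel domain is allowed. The following audit script is an added example, not part of AOSP or this policy file: it parses the `allow` rules quoted on this page (embedded as a constructed sample), aggregates what the kernel domain is granted per target and class, and flags the grants a reviewer would want to look at first. Macro names such as create_dir_perms are kept unexpanded, and the REVIEW set is a hypothetical review list chosen for this example.

```python
import re

# Constructed sample: the allow rules from the kernel.te fragment above, comments dropped.
POLICY = """
net_domain(kernel)
allow kernel self:capability net_admin;
allow kernel self:netlink_socket create_socket_perms_no_ioctl;
allow kernel tmpfs:dir search;
allow kernel rootfs:chr_file write;
allow kernel device:chr_file { create setattr getattr unlink };
allow kernel device:dir create_dir_perms;
allow kernel self:capability mknod;
"""

# Matches "allow <src> <tgt>:<class> <perm|macro|{ perms }>;" on one line.
ALLOW_RE = re.compile(
    r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.MULTILINE)


def parse_allow_rules(text):
    """Return (source, target, class, perms) tuples.

    perms is a set of permission or macro names; macros are not expanded."""
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        rules.append((src, tgt, cls, set(perms.strip("{} ").split())))
    return rules


def grants_for_domain(text, domain):
    """Aggregate everything allowed to `domain`, keyed by (target, class)."""
    grants = {}
    for src, tgt, cls, perms in parse_allow_rules(text):
        if src == domain:
            grants.setdefault((tgt, cls), set()).update(perms)
    return grants


# Hypothetical review list: grants that matter most when shared by every pre-init process.
REVIEW = {("self", "capability"), ("rootfs", "chr_file")}


def flag_review(grants):
    """Subset of grants whose (target, class) is on the review list."""
    return {key: perms for key, perms in grants.items() if key in REVIEW}


if __name__ == "__main__":
    kernel_grants = grants_for_domain(POLICY, "kernel")
    for (tgt, cls), perms in sorted(kernel_grants.items()):
        print(f"kernel -> {tgt}:{cls} {sorted(perms)}")
    print("needs review:", flag_review(kernel_grants))
```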