# Filesystem types
#
# Labels for whole filesystems and for individual proc, sysfs and debugfs
# nodes. The statements below only declare types and their attributes; which
# domains may read or write each label is decided by rules outside this
# section.
#
# NOTE(review): mlstrustedobject is understood to exempt a type from MLS
# checks when it is the target of an access - confirm against the MLS
# constraints of this tree. For those types isolation rests on
# type-enforcement rules alone, so additions to that set deserve scrutiny.
# It is written as the last attribute throughout to make it easy to audit.
type labeledfs, fs_type;
type pipefs, fs_type;
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type, proc_type;
type binderfs, fs_type;
type binderfs_logs, fs_type;
type binderfs_logs_proc, fs_type;
# Security-sensitive proc nodes; most domains should not be able to write them.
type proc_security, fs_type, proc_type;
type proc_drop_caches, fs_type, proc_type;
type proc_overcommit_memory, fs_type, proc_type;
type proc_min_free_order_shift, fs_type, proc_type;
type proc_kpageflags, fs_type, proc_type;
# proc, sysfs, or other nodes that configure kernel usermodehelpers.
type usermodehelper, fs_type, proc_type;
type sysfs_usermodehelper, fs_type, sysfs_type;
type proc_qtaguid_ctrl, fs_type, proc_type, mlstrustedobject;
type proc_qtaguid_stat, fs_type, proc_type, mlstrustedobject;
type proc_bluetooth_writable, fs_type, proc_type;
# Fine-grained proc labels.
# NOTE(review): presumably each maps to a single /proc entry so that access
# can be granted per entry instead of through the generic proc type; the
# path-to-label mapping is not visible here.
type proc_abi, fs_type, proc_type;
type proc_asound, fs_type, proc_type;
type proc_bootconfig, fs_type, proc_type;
type proc_buddyinfo, fs_type, proc_type;
type proc_cmdline, fs_type, proc_type;
type proc_cpuinfo, fs_type, proc_type;
type proc_dirty, fs_type, proc_type;
type proc_diskstats, fs_type, proc_type;
type proc_extra_free_kbytes, fs_type, proc_type;
type proc_filesystems, fs_type, proc_type;
type proc_fs_verity, fs_type, proc_type;
type proc_hostname, fs_type, proc_type;
type proc_hung_task, fs_type, proc_type;
type proc_interrupts, fs_type, proc_type;
type proc_iomem, fs_type, proc_type;
type proc_kallsyms, fs_type, proc_type;
type proc_keys, fs_type, proc_type;
type proc_kmsg, fs_type, proc_type;
type proc_loadavg, fs_type, proc_type;
type proc_locks, fs_type, proc_type;
type proc_lowmemorykiller, fs_type, proc_type;
type proc_max_map_count, fs_type, proc_type;
type proc_meminfo, fs_type, proc_type;
type proc_misc, fs_type, proc_type;
type proc_modules, fs_type, proc_type;
type proc_mounts, fs_type, proc_type;
type proc_net, fs_type, proc_type, proc_net_type;
type proc_net_tcp_udp, fs_type, proc_type;
type proc_page_cluster, fs_type, proc_type;
type proc_pagetypeinfo, fs_type, proc_type;
type proc_panic, fs_type, proc_type;
type proc_perf, fs_type, proc_type;
type proc_pid_max, fs_type, proc_type;
type proc_pipe_conf, fs_type, proc_type;
type proc_pressure_cpu, fs_type, proc_type;
type proc_pressure_io, fs_type, proc_type;
type proc_pressure_mem, fs_type, proc_type;
type proc_random, fs_type, proc_type;
type proc_sched, fs_type, proc_type;
type proc_slabinfo, fs_type, proc_type;
type proc_stat, fs_type, proc_type;
type proc_swaps, fs_type, proc_type;
type proc_sysrq, fs_type, proc_type;
type proc_timer, fs_type, proc_type;
type proc_tty_drivers, fs_type, proc_type;
type proc_uid_cputime_showstat, fs_type, proc_type;
type proc_uid_cputime_removeuid, fs_type, proc_type;
type proc_uid_io_stats, fs_type, proc_type;
type proc_uid_procstat_set, fs_type, proc_type;
type proc_uid_time_in_state, fs_type, proc_type;
type proc_uid_concurrent_active_time, fs_type, proc_type;
type proc_uid_concurrent_policy_time, fs_type, proc_type;
type proc_uid_cpupower, fs_type, proc_type;
type proc_uptime, fs_type, proc_type;
type proc_version, fs_type, proc_type;
type proc_vmallocinfo, fs_type, proc_type;
type proc_vmstat, fs_type, proc_type;
type proc_zoneinfo, fs_type, proc_type;
type proc_vendor_sched, fs_type, proc_type;
type selinuxfs, fs_type, mlstrustedobject;
type fusectlfs, fs_type;
type cgroup, fs_type, mlstrustedobject;
type cgroup_v2, fs_type;
# sysfs labels
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_android_usb, fs_type, sysfs_type;
type sysfs_uio, fs_type, sysfs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_block, fs_type, sysfs_type, sysfs_block_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_devfreq_cur, fs_type, sysfs_type;
type sysfs_devfreq_dir, fs_type, sysfs_type;
type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dm_verity, fs_type, sysfs_type;
type sysfs_dma_heap, fs_type, sysfs_type;
type sysfs_dmabuf_stats, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
type sysfs_extcon, fs_type, sysfs_type;
type sysfs_ion, fs_type, sysfs_type;
type sysfs_ipv4, fs_type, sysfs_type;
type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
type sysfs_leds, fs_type, sysfs_type;
type sysfs_loop, fs_type, sysfs_type;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_net, fs_type, sysfs_type;
type sysfs_power, fs_type, sysfs_type;
type sysfs_rtc, fs_type, sysfs_type;
type sysfs_suspend_stats, fs_type, sysfs_type;
type sysfs_switch, fs_type, sysfs_type;
type sysfs_transparent_hugepage, fs_type, sysfs_type;
type sysfs_usb, fs_type, sysfs_type;
type sysfs_wakeup, fs_type, sysfs_type;
type sysfs_wakeup_reasons, fs_type, sysfs_type;
type sysfs_fs_ext4_features, fs_type, sysfs_type;
type sysfs_fs_f2fs, fs_type, sysfs_type;
type sysfs_fs_incfs_features, fs_type, sysfs_type;
type sysfs_fs_incfs_metrics, fs_type, sysfs_type;
type sysfs_vendor_sched, fs_type, sysfs_type;
# sysfs_vendor_sched gains mlstrustedobject only inside the userdebug_or_eng
# macro, so the exemption is not meant to reach user builds (the macro is
# defined elsewhere - confirm).
userdebug_or_eng(`
  typeattribute sysfs_vendor_sched mlstrustedobject;
')
type fs_bpf, fs_type;
type fs_bpf_tethering, fs_type;
type configfs, fs_type;
# /sys/devices/cs_etm
type sysfs_devices_cs_etm, fs_type, sysfs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
# /sys/module/lowmemorykiller
type sysfs_lowmemorykiller, fs_type, sysfs_type;
# /sys/module/wlan/parameters/fwpath
type sysfs_wlan_fwpath, fs_type, sysfs_type;
type sysfs_vibrator, fs_type, sysfs_type;
type sysfs_uhid, fs_type, sysfs_type;
type sysfs_thermal, fs_type, sysfs_type;

type sysfs_zram, fs_type, sysfs_type;
type sysfs_zram_uevent, fs_type, sysfs_type;
type inotify, fs_type, mlstrustedobject;
type devpts, fs_type, mlstrustedobject;
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;
# Filesystems grouped under sdcard_type.
type fuse, fs_type, sdcard_type, mlstrustedobject;
type sdcardfs, fs_type, sdcard_type, mlstrustedobject;
type vfat, fs_type, sdcard_type, mlstrustedobject;
type exfat, fs_type, sdcard_type, mlstrustedobject;
# debugfs and tracefs nodes.
type debugfs, fs_type, debugfs_type;
type debugfs_kprobes, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
type debugfs_trace_marker, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
type debugfs_tracing, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
type debugfs_tracing_debug, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
type debugfs_wakeup_sources, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
type securityfs, fs_type;

type pstorefs, fs_type;
type functionfs, fs_type, mlstrustedobject;
type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
type binfmt_miscfs, fs_type;
type app_fusefs, fs_type, contextmount_type;

# File types
type unlabeled, file_type;

# Default type for anything under /system.
type system_file, system_file_type, file_type;
# Default type for /system/asan.options
type system_asan_options_file, system_file_type, file_type;
# Type for /system/etc/event-log-tags (liblog implementation detail)
type system_event_log_tags_file, system_file_type, file_type;
# Default type for anything under /system/lib[64].
type system_lib_file, system_file_type, file_type;
# System libraries that are available only to bootstrap processes.
type system_bootstrap_lib_file, system_file_type, file_type;
# Default type for the group file /system/etc/group.
type system_group_file, system_file_type, file_type;
# Default type for the linker executable /system/bin/linker[64].
type system_linker_exec, system_file_type, file_type;
# Default type for linker config /system/etc/ld.config.*.
type system_linker_config_file, system_file_type, file_type;
# Default type for the passwd file /system/etc/passwd.
type system_passwd_file, system_file_type, file_type;
# Default type for seccomp policy files /system/etc/seccomp_policy/*.
type system_seccomp_policy_file, system_file_type, file_type;
# Default type for cacerts in /system/etc/security/cacerts/*.
# These are the CA certificates shipped on the system image, so the label
# should stay read-only for ordinary domains.
type system_security_cacerts_file, system_file_type, file_type;
# Default type for /system/bin/tcpdump. Carries exec_type in addition to the
# system file attributes.
type tcpdump_exec, system_file_type, exec_type, file_type;
# Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
type system_zoneinfo_file, system_file_type, file_type;
# Cgroups description file under /system/etc/cgroups.json
type cgroup_desc_file, system_file_type, file_type;
# Cgroups description file under /system/etc/task_profiles/cgroups_*.json
type cgroup_desc_api_file, system_file_type, file_type;
# Vendor cgroups description file under /vendor/etc/cgroups.json
type vendor_cgroup_desc_file, vendor_file_type, file_type;
# Task profiles file under /system/etc/task_profiles.json
type task_profiles_file, system_file_type, file_type;
# Task profiles file under /system/etc/task_profiles/task_profiles_*.json
type task_profiles_api_file, system_file_type, file_type;
# Vendor task profiles file under /vendor/etc/task_profiles.json
type vendor_task_profiles_file, vendor_file_type, file_type;
# Type for /system/apex/com.android.art
type art_apex_dir, system_file_type, file_type;
# /linkerconfig(/.*)?
type linkerconfig_file, file_type;
# Control files under /data/incremental
type incremental_control_file, file_type, data_file_type, core_data_file_type;

# Vendor partition labels. All of them carry vendor_file_type rather than
# system_file_type.
#
# Default type for directories searched for HAL implementations.
type vendor_hal_file, vendor_file_type, file_type;
# Default type for anything under /vendor or /system/vendor.
type vendor_file, vendor_file_type, file_type;
# Default type for everything in /vendor/app
type vendor_app_file, vendor_file_type, file_type;
# Default type for everything under /vendor/etc/
type vendor_configs_file, vendor_file_type, file_type;
# Default type for all *same process* HALs and their lib/bin dependencies,
# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
type same_process_hal_file, vendor_file_type, file_type;
# Default type for vndk-sp libs under /vendor/lib/vndk-sp.
type vndk_sp_file, vendor_file_type, file_type;
# Default type for everything in /vendor/framework
type vendor_framework_file, vendor_file_type, file_type;
# Default type for everything in /vendor/overlay
type vendor_overlay_file, vendor_file_type, file_type;
# Type for all vendor public libraries. These libs should only be exposed to
# apps. ABI stability of these libs is the responsibility of the vendor.
type vendor_public_lib_file, vendor_file_type, file_type;
# Type for all vendor public libraries for system. These libs should only be
# exposed to system. ABI stability of these libs is the responsibility of the
# vendor.
type vendor_public_framework_file, vendor_file_type, file_type;

# Input configuration
type vendor_keylayout_file, vendor_file_type, file_type;
type vendor_keychars_file, vendor_file_type, file_type;
type vendor_idc_file, vendor_file_type, file_type;

# /metadata partition itself
type metadata_file, file_type;
# Vold files within /metadata
type vold_metadata_file, file_type;
# GSI files within /metadata
type gsi_metadata_file, gsi_metadata_file_type, file_type;
# DSU (GSI) files within /metadata that are globally readable.
type gsi_public_metadata_file, gsi_metadata_file_type, file_type;
# system_server shares Weaver slot information in /metadata
type password_slot_metadata_file, file_type;
# APEX files within /metadata
type apex_metadata_file, file_type;
# libsnapshot files within /metadata
type ota_metadata_file, file_type;
# Property files within /metadata/bootstat
type metadata_bootstat_file, file_type;
# Userspace reboot files within /metadata/userspacereboot
type userspace_reboot_metadata_file, file_type;
# Staged install files within /metadata/staged-install
type staged_install_file, file_type;
# Metadata information within /metadata/watchdog
type watchdog_metadata_file, file_type;

# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
# Speedup access for trusted applications to the runtime event tags
type runtime_event_log_tags_file, file_type;
# Type for /system/bin/logcat.
type logcat_exec, system_file_type, exec_type, file_type;
# Speedup access to cgroup map file
type cgroup_rc_file, file_type;
# /cores for coredumps on userdebug / eng builds
type coredump_file, file_type;

# Labels under /data.
# NOTE(review): core_data_file_type presumably marks platform-owned /data
# content as opposed to vendor-owned content; the types below that omit it
# (vendor_data_file, tombstone_wifi_data_file) live under /data/vendor.
# Confirm against the attribute definitions of this tree.
#
# Type of /data itself
type system_data_root_file, file_type, data_file_type, core_data_file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type, core_data_file_type;
# Type for /data/system/packages.list.
# TODO(b/129332765): Narrow down permissions to this.
# Find out users of system_data_file that should be granted only this.
type packages_list_file, file_type, data_file_type, core_data_file_type;
# Default type for anything under /data/vendor{_ce,_de}.
type vendor_data_file, file_type, data_file_type;
# Unencrypted data
type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
# installd-created files in /data/misc/installd such as layout_version
type install_data_file, file_type, data_file_type, core_data_file_type;
# /data/drm - DRM plugin data
type drm_data_file, file_type, data_file_type, core_data_file_type;
# /data/adb - adb debugging files
type adb_data_file, file_type, data_file_type, core_data_file_type;
# /data/anr - ANR traces
type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/tombstones - core dumps
type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/vendor/tombstones/wifi - vendor wifi dumps
type tombstone_wifi_data_file, file_type, data_file_type;
# /data/apex - APEX data files
type apex_data_file, file_type, data_file_type, core_data_file_type;
# /data/app - user-installed apps
type apk_data_file, file_type, data_file_type, core_data_file_type;
type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/app-private - forward-locked apps
type apk_private_data_file, file_type, data_file_type, core_data_file_type;
type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
# /data/ota
type ota_data_file, file_type, data_file_type, core_data_file_type;
# /data/ota_package
type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profiles
type user_profile_root_file, file_type, data_file_type, core_data_file_type;
type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profman
type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/prereboot
type prereboot_data_file, file_type, data_file_type, core_data_file_type;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
# /data/local - writable by shell
type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
# /data/property
type property_data_file, file_type, data_file_type, core_data_file_type;
# /data/bootchart
type bootchart_data_file, file_type, data_file_type, core_data_file_type;
# /data/system/dropbox
type dropbox_data_file, file_type, data_file_type, core_data_file_type;
# /data/system/heapdump
type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/nativetest
type nativetest_data_file, file_type, data_file_type, core_data_file_type;
# /data/local/tests
type shell_test_data_file, file_type, data_file_type, core_data_file_type;
# /data/system_de/0/ringtones
type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/preloads
type preloads_data_file, file_type, data_file_type, core_data_file_type;
# /data/preloads/media
type preloads_media_file, file_type, data_file_type, core_data_file_type;
# /data/misc/dhcp and /data/misc/dhcp-6.8.2
type dhcp_data_file, file_type, data_file_type, core_data_file_type;
# /data/server_configurable_flags
type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
# /data/app-staging
type staging_data_file, file_type, data_file_type, core_data_file_type;
# /vendor/apex
type vendor_apex_file, vendor_file_type, file_type;

# Mount locations managed by vold
type mnt_media_rw_file, file_type;
type mnt_user_file, file_type;
type mnt_pass_through_file, file_type;
type mnt_expand_file, file_type;
type mnt_sdcard_file, file_type;
type storage_file, file_type;

# Label for storage dirs which are just mount stubs
type mnt_media_rw_stub_file, file_type;
type storage_stub_file, file_type;

# Mount location for read-write vendor partitions.
type mnt_vendor_file, file_type;

# Mount location for read-write product partitions.
type mnt_product_file, file_type;

# Mount point used for APEX images
type apex_mnt_dir, file_type;

# /apex/apex-info-list.xml created by apexd
type apex_info_file, file_type;

# /postinstall: Mount point used by update_engine to run postinstall.
type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
type postinstall_file, file_type;
# /postinstall/apex: Mount point used for APEX images within /postinstall.
type postinstall_apex_mnt_dir, file_type;

# /data_mirror: Contains mirror directory for storing all apps data.
type mirror_data_file, file_type, core_data_file_type;
# NOTE(review): mirror_data_file has core_data_file_type but, unlike the
# /data types around it, not data_file_type - confirm this is intended.

# /data/misc subdirectories
#
# Judging by their names, several of these labels hold credential or key
# material (adb_keys_file, credstore_data_file, gatekeeper_data_file,
# keychain_data_file, keystore_data_file, systemkeys_data_file,
# vpn_data_file). Rules that grant access to them warrant extra care in
# review.
type adb_keys_file, file_type, data_file_type, core_data_file_type;
type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type;
type apex_module_data_file, file_type, data_file_type, core_data_file_type;
type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type;
type apex_wifi_data_file, file_type, data_file_type, core_data_file_type;
type appcompat_data_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
type bootstat_data_file, file_type, data_file_type, core_data_file_type;
type boottrace_data_file, file_type, data_file_type, core_data_file_type;
type camera_data_file, file_type, data_file_type, core_data_file_type;
type credstore_data_file, file_type, data_file_type, core_data_file_type;
type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
type incident_data_file, file_type, data_file_type, core_data_file_type;
type keychain_data_file, file_type, data_file_type, core_data_file_type;
type keystore_data_file, file_type, data_file_type, core_data_file_type;
type media_data_file, file_type, data_file_type, core_data_file_type;
type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type misc_user_data_file, file_type, data_file_type, core_data_file_type;
type net_data_file, file_type, data_file_type, core_data_file_type;
type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
type nfc_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
type nfc_logs_data_file, file_type, data_file_type, core_data_file_type;
type radio_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
type recovery_data_file, file_type, data_file_type, core_data_file_type;
type shared_relro_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type;
type stats_data_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type vpn_data_file, file_type, data_file_type, core_data_file_type;
type wifi_data_file, file_type, data_file_type, core_data_file_type;
type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
type vold_data_file, file_type, data_file_type, core_data_file_type;
type iorapd_data_file, file_type, data_file_type, core_data_file_type;
# tee_data_file is the one type in this group without core_data_file_type.
type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type gsi_data_file, file_type, data_file_type, core_data_file_type;
type radio_core_data_file, file_type, data_file_type, core_data_file_type;

# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
# /data/data subdirectories - priv-app sandboxes
type privapp_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
# /data/data subdirectory for system UID apps.
type system_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4.
# NOTE(review): no declaration in view refers to the line above; it may be a
# leftover from removed aliases.
# Default type for anything under /cache
type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for /cache/overlay /mnt/scratch/overlay
type overlayfs_file, file_type, data_file_type, core_data_file_type;
# Type for /cache/backup_stage/* (fd interchange with apps)
type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for anything under /cache/backup (local transport storage)
type cache_private_backup_file, file_type, data_file_type, core_data_file_type;
# Type for anything under /cache/recovery
type cache_recovery_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Default type for anything under /efs
type efs_file, file_type;
# Type for wallpaper file.
type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for shortcut manager icon file.
type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for user icon file.
type icon_file, file_type, data_file_type, core_data_file_type;
# /mnt/asec
type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Elements of asec files (/mnt/asec) that are world readable
type asec_public_file, file_type, data_file_type, core_data_file_type;
# /data/app-asec
type asec_image_file, file_type, data_file_type, core_data_file_type;
# /data/backup and /data/secure/backup
type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# All devices have bluetooth efs files, but they vary per device, so this
# type is used in per-device policy.
type bluetooth_efs_file, file_type;
# Biometric template storage. The *_vendor_data_file variants omit
# core_data_file_type; fingerprintd_data_file keeps it.
#
# Type for fingerprint template file
type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
# Type for _new_ fingerprint template file
type fingerprint_vendor_data_file, file_type, data_file_type;
# Type for appfuse file.
type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for face template file
type face_vendor_data_file, file_type, data_file_type;
# Type for iris template file
type iris_vendor_data_file, file_type, data_file_type;

# Socket types
#
# Most entries carry coredomain_socket; the ones that also carry
# mlstrustedobject are the sockets exempted from MLS checks (see the
# attribute definitions to confirm both meanings).
type adbd_socket, file_type, coredomain_socket;
type bluetooth_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
type dumpstate_socket, file_type, coredomain_socket;
type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
type lmkd_socket, file_type, coredomain_socket;
type logd_socket, file_type, coredomain_socket, mlstrustedobject;
type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
type mdns_socket, file_type, coredomain_socket;
type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
# NOTE(review): misc_logd_file sits among the sockets and carries
# coredomain_socket although its name and data attributes suggest a data
# directory - confirm intent.
type misc_logd_file, file_type, data_file_type, core_data_file_type, coredomain_socket;
type mtpd_socket, file_type, coredomain_socket;
type property_socket, file_type, coredomain_socket, mlstrustedobject;
type racoon_socket, file_type, coredomain_socket;
type recovery_socket, file_type, coredomain_socket;
type rild_socket, file_type;
type rild_debug_socket, file_type;
type snapuserd_socket, file_type, coredomain_socket;
type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
type system_unsolzygote_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
# NOTE(review): unlike the other tombstoned sockets this one has no
# coredomain_socket attribute - confirm that is deliberate.
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
type tombstoned_intercept_socket, file_type, coredomain_socket;
type traced_consumer_socket, file_type, coredomain_socket, mlstrustedobject;
type traced_perf_socket, file_type, coredomain_socket, mlstrustedobject;
type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
type uncrypt_socket, file_type, coredomain_socket;
type wpa_socket, file_type, data_file_type, core_data_file_type;
type zygote_socket, file_type, coredomain_socket;
type heapprofd_socket, file_type, coredomain_socket, mlstrustedobject;
# UART (for GPS) control proc file
type gps_control, file_type;

# PDX endpoint types
type pdx_display_dir, pdx_endpoint_dir_type, file_type;
type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;

# pdx_service_socket_types is a macro defined outside this file; each call
# names a service and the endpoint directory type it belongs to.
pdx_service_socket_types(display_client, pdx_display_dir)
pdx_service_socket_types(display_manager, pdx_display_dir)
pdx_service_socket_types(display_screenshot, pdx_display_dir)
pdx_service_socket_types(display_vsync, pdx_display_dir)
pdx_service_socket_types(performance_client, pdx_performance_dir)
pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)

# Labels for the policy and context-lookup files themselves. These files
# drive labelling and access decisions, so write access to the types below
# should be tightly limited.

# file_contexts files
type file_contexts_file, system_file_type, file_type;

# mac_permissions file
type mac_perms_file, system_file_type, file_type;

# property_contexts file
type property_contexts_file, system_file_type, file_type;

# seapp_contexts file
type seapp_contexts_file, system_file_type, file_type;

# sepolicy files, binary and others
type sepolicy_file, system_file_type, file_type;

# service_contexts file
type service_contexts_file, system_file_type, file_type;

# keystore2_key_contexts_file
type keystore2_key_contexts_file, system_file_type, file_type;

# vendor service_contexts file
type vendor_service_contexts_file, vendor_file_type, file_type;

# nonplat service_contexts file (only accessible on non full-treble devices)
type nonplat_service_contexts_file, vendor_file_type, file_type;

# hwservice_contexts file
type hwservice_contexts_file, system_file_type, file_type;

# vndservice_contexts file
type vndservice_contexts_file, file_type;

# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;

# kernel modules
type vendor_kernel_modules, vendor_file_type, file_type;

# Allow files to be created in their appropriate filesystems.
# Every rule here grants only the filesystem associate permission, i.e. which
# labels may exist on which filesystem type. No read or write access is
# granted by this block.
allow fs_type self:filesystem associate;
allow { cgroup cgroup_v2 cgroup_rc_file } tmpfs:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
allow file_type { labeledfs tmpfs rootfs }:filesystem associate;
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
allow postinstall_file self:filesystem associate;
allow proc_net proc:filesystem associate;

# asanwrapper (run a sanitized app_process, to be used with wrap properties).
# The type is declared only through the with_asan macro, which is defined
# outside this file.
with_asan(`type asanwrapper_exec, exec_type, file_type;')

# Deprecated in SDK version 28
type audiohal_data_file, file_type, data_file_type, core_data_file_type;

# It is a bug to assign both the file_type attribute and the fs_type
# attribute to the same type. Do not allow it.
#
# For example, the following is a bug:
# type apk_data_file, file_type, data_file_type, fs_type;
# Should be:
# type apk_data_file, file_type, data_file_type;
#
# A type carrying both attributes would match the fs_type self rule above as
# source and as target, which this neverallow rejects.
neverallow fs_type file_type:filesystem associate;