Lines Matching full:kernel
# Keyword-filtered listing (search term "kernel") of a type-enforcement (.te) policy for the
# `kernel` SELinux domain. The leading number on each line is the line number in the full
# file; gaps are lines that did not match the filter, so this is NOT the complete policy.
# In particular, the multi-line rules `allow kernel {` at original lines 44 and 127 are cut
# off here. Do not assess what the kernel domain may or may not touch from this excerpt
# alone; read the full file. The type names (coredomain, apexd, vold, snapuserd, gsid) look
# like Android sepolicy -- TODO confirm against the source tree.
1 typeattribute kernel coredomain;
# Execs of these binaries from the kernel domain switch into the named domain, so code
# launched here (the comment at original line 138 says first-stage init runs in the kernel
# domain) does not keep running userspace with the kernel domain's permissions.
3 domain_auto_trans(kernel, init_exec, init)
4 domain_auto_trans(kernel, snapuserd_exec, snapuserd)
6 domain_auto_trans(kernel, overlay_remounter_exec, overlay_remounter)
9 # Allow the kernel to read otapreopt_chroot's file descriptors and files under
11 allow kernel otapreopt_chroot:fd use;
12 allow kernel postinstall_file:file read;
# relabelfrom on tmpfs objects, paired with relabelto on the device/exec types below:
# lets the kernel domain assign final labels before enforcement is turned on (see the
# comment fragment at original line 17). This is a labeling capability, not read/write
# access to the relabeled objects.
17 # enabling enforcement, eg, in permissive mode while still in the kernel
19 allow kernel tmpfs:blk_file { getattr relabelfrom };
20 allow kernel tmpfs:chr_file { getattr relabelfrom };
21 allow kernel tmpfs:lnk_file { getattr relabelfrom };
22 allow kernel tmpfs:dir { open read relabelfrom };
24 allow kernel block_device:blk_file relabelto;
25 allow kernel block_device:lnk_file relabelto;
26 allow kernel dm_device:chr_file relabelto;
27 allow kernel dm_device:blk_file relabelto;
28 allow kernel dm_user_device:dir { read open search relabelto };
29 allow kernel dm_user_device:chr_file relabelto;
30 allow kernel kmsg_device:chr_file relabelto;
31 allow kernel null_device:chr_file relabelto;
32 allow kernel random_device:chr_file relabelto;
33 allow kernel snapuserd_exec:file relabelto;
35 allow kernel kmsg_device:chr_file write;
36 allow kernel gsid:fd use;
# Capabilities granted to the domain in this excerpt: sys_nice (here), sys_resource
# (original 75) and sys_boot (original 82). Note the neverallow at original line 199
# explicitly denies dac_override/dac_read_search.
38 allow kernel self:global_capability_class_set sys_nice;
41 r_dir_file(kernel, rootfs)
44 allow kernel {
50 allow kernel selinuxfs:dir r_dir_perms;
51 allow kernel selinuxfs:file r_file_perms;
54 allow kernel file_contexts_file:file r_file_perms;
57 allow kernel rootfs:file relabelfrom;
58 allow kernel init_exec:file relabelto;
60 allow kernel init:process share;
63 allow kernel unlabeled:dir search;
66 allow kernel usbfs:filesystem mount;
67 allow kernel usbfs:dir search;
# dontaudit only silences the AVC denial message; it does NOT grant setenforce. The
# kernel domain therefore cannot change enforcing mode, it just does not log the attempt.
70 # We use dontaudit instead of allow to prevent a kernel spawned userspace
72 dontaudit kernel self:security setenforce;
75 allow kernel self:global_capability_class_set sys_resource;
# sys_boot plus write access to proc_sysrq -- presumably the reboot/crash-trigger path;
# confirm against the full file comment (original 76-81 not shown here).
82 allow kernel self:global_capability_class_set sys_boot;
83 allow kernel proc_sysrq:file w_file_perms;
86 allow kernel tmpfs:chr_file write;
# Write access to selinuxfs and setcheckreqprot: the kernel domain can configure the
# security server itself (policy load / checkreqprot). Any widening of this rule is
# security-sensitive and should be reviewed with that in mind.
89 allow kernel selinuxfs:file write;
90 allow kernel self:security setcheckreqprot;
# Loop-device kernel threads act on file descriptors handed over by userspace (vold,
# mediaprovider, apexd, ...). The `fd use` rules below admit the descriptor; the matching
# `file read/write` rules admit the backing file.
92 # kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
93 allow kernel { sdcard_type fuse }:file { read write };
95 # f_mtp driver accesses files from kernel context.
96 allow kernel mediaprovider:fd use;
98 # Allow the kernel to read OBB files from app directories. (b/17428116)
99 # Kernel thread "loop0" reads a vold supplied file descriptor.
103 allow kernel vold:fd use;
104 allow kernel { app_data_file privapp_data_file }:file read;
105 allow kernel asec_image_file:file read;
108 # and for LTP kernel tests (b/73220071)
110 allow kernel update_engine_data_file:file { read write };
111 allow kernel nativetest_data_file:file { read write };
117 allow kernel media_rw_data_file:dir create_dir_perms;
118 allow kernel media_rw_data_file:file create_file_perms;
121 allow kernel vold_data_file:file { read write };
123 # Allow the kernel to read APEX file descriptors and (staged) data files;
125 # a kernel thread in earlier kernel version.
126 allow kernel apexd:fd use;
127 allow kernel {
132 # Also allow the kernel to read/write /data/local/tmp files via loop device
135 allow kernel shell_data_file:file { read write };
# `execute` (not execute_no_trans) on system_file/rootfs: per the comments at original
# 138-144 this covers first-stage init exec'ing a binary before the domain switch on
# kernels older than 4.8. The neverallow at original 194 still forbids running such
# files without a domain transition.
138 # Allow the first-stage init (which is running in the kernel domain) to execute the
141 # before the domain is switched to the target domain. So, we need to allow the kernel
144 # kernel older than 4.8.
145 allow kernel system_file:file execute;
150 allow kernel rootfs:file execute;
154 allow kernel appdomain_tmpfs:file { read write };
158 allow kernel tmpfs:dir rw_dir_perms;
159 allow kernel tmpfs:file { create_file_perms relabelfrom };
160 allow kernel overlay_remounter_exec:file { relabelto unlink };
161 allow kernel overlay_remounter:process2 nosuid_transition;
162 allow kernel overlay_remounter:process share;
# Log-suppression block: none of these dontaudit rules grant access. Be aware that if a
# path genuinely needs one of these permissions (e.g. sys_admin/setgid/mknod below) the
# denial will be silent, so failures here will not show up in the audit log.
165 dontaudit kernel metadata_file:dir search;
166 dontaudit kernel ota_metadata_file:dir rw_dir_perms;
167 dontaudit kernel sysfs:dir r_dir_perms;
168 dontaudit kernel sysfs:file { open read write };
169 dontaudit kernel sysfs:chr_file { open read write };
170 dontaudit kernel dm_device:chr_file ioctl;
171 dontaudit kernel self:capability { sys_admin setgid mknod };
173 dontaudit kernel dm_user_device:dir { write add_name };
174 dontaudit kernel dm_user_device:chr_file { create setattr };
175 dontaudit kernel tmpfs:lnk_file read;
176 dontaudit kernel tmpfs:blk_file { open read };
# Policy invariants. neverallow rules are checked at policy-compile time: any allow rule
# anywhere in the policy that conflicts with them makes the build fail. These four are the
# guard rails for the kernel domain in this excerpt:
#   - no domain may transition into kernel (original 184);
#   - nothing is exec'd into, or run without transition from, the kernel domain (194);
#   - kernel may not bypass DAC with dac_override/dac_read_search (199);
#   - no domain may ptrace kernel threads (202).
182 # The initial task starts in the kernel domain (assigned via
184 neverallow * kernel:process { transition dyntransition };
186 # The kernel domain is never entered via an exec, nor should it
188 # If you encounter an execute_no_trans denial on the kernel domain, then
190 # - The program is a kernel usermodehelper. In this case, define a domain
194 neverallow kernel *:file { entrypoint execute_no_trans };
196 # the kernel should not be accessing files owned by other users.
199 neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
201 # Nobody should be ptracing kernel threads
202 neverallow * kernel:process ptrace;