# Private file/filesystem type declarations for the platform policy.
# NOTE(review): presumably this is private/file.te, the counterpart of the
# public/file.te referenced in several notes below -- confirm.
#
# Each `type` statement declares a label together with the attributes it
# carries; the comment above it names the path(s) the label is applied to.
# Attributes seen in this file: fs_type/proc_type/sysfs_type/debugfs_type/
# bpffs_type for filesystem-backed labels, file_type plus data_file_type/
# core_data_file_type/system_file_type/vendor_file_type/exec_type for files,
# and mlstrustedobject where MLS constraints must not block a more constrained
# domain (see the virtualizationservice and prng_seeder notes below).

# /proc/allocinfo
type proc_allocinfo, fs_type, proc_type;

# /proc/config.gz
type config_gz, fs_type, proc_type;

# /sys/fs/bpf/<dir> for mainline tethering use
# One type per pinned bpf directory; bpffs_type marks them as living on bpffs.
# NOTE(review): which subdirectory each type labels is not recorded here.
# TODO: move S+ fs_bpf_tethering here from public/file.te
type fs_bpf_net_private, fs_type, bpffs_type;
type fs_bpf_net_shared, fs_type, bpffs_type;
type fs_bpf_netd_readonly, fs_type, bpffs_type;
type fs_bpf_netd_shared, fs_type, bpffs_type;
type fs_bpf_loader, fs_type, bpffs_type;
type fs_bpf_uprobestats, fs_type, bpffs_type;
type fs_bpf_memevents, fs_type, bpffs_type;

# /data/system/mediadrm
type mediadrm_system_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/wmtrace for wm traces
# mlstrustedobject exempts the label from MLS object constraints.
# NOTE(review): unlike the entries further down, the constrained domain that
# needs this is not recorded here -- confirm it is still required.
type wm_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;

# /data/misc/a11ytrace for accessibility traces
type accessibility_trace_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/perfetto-traces for perfetto traces
type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/perfetto-traces/bugreport for perfetto traces for bugreports.
type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/perfetto-traces/profiling for perfetto traces from profiling apis.
type perfetto_traces_profiling_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;

# /system/etc/perfetto for perfetto configs
type system_perfetto_config_file, file_type, system_file_type;

# /data/misc/uprobestats-configs for uprobestats configs
type uprobestats_configs_data_file, file_type, data_file_type, core_data_file_type;

# /apex/com.android.art/bin/oatdump
# TODO (b/350628688): Remove this once it's safe to do so.
type oatdump_exec, system_file_type, exec_type, file_type;

# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
# (per-app contents carry app_data_file_type; the root directory above does not)
type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;

# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
type debugfs_kcov, fs_type, debugfs_type;

# App executable files in /data/data directories
type app_exec_data_file, file_type, data_file_type, core_data_file_type;
# The legacy name rs_data_file keeps resolving to the same type.
typealias app_exec_data_file alias rs_data_file;

# /data/misc_[ce|de]/rollback : Used by installd to store snapshots
# of application data.
type rollback_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc_ce/checkin for checkin apps.
type checkin_data_file, file_type, data_file_type, core_data_file_type;

# /data/gsi/ota
type ota_image_data_file, file_type, data_file_type, core_data_file_type;

# /data/gsi_persistent_data
type gsi_persistent_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/emergencynumberdb
type emergency_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/profcollectd
type profcollectd_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/apexdata/com.android.art
type apex_art_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

# /data/misc/apexdata/com.android.art/staging
# Deliberately not apex_data_file_type, unlike its parent directory above.
# NOTE(review): the reason is not recorded here -- confirm before changing.
type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/apexdata/com.android.compos
type apex_compos_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

# /data/misc/apexdata/com.android.virt
type apex_virt_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

# /data/misc/apexdata/com.android.tethering
type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

# /data/misc/apexdata/com.android.uwb
type apex_uwb_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

# legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
# for backward compatibility b/217581286
type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_permission_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

# /data/font/files
type font_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/dmesgd
type dmesgd_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/odrefresh
type odrefresh_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/odsign
type odsign_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/odsign_metrics
type odsign_metrics_file, file_type, data_file_type, core_data_file_type;

# /data/misc/virtualizationservice
# The type needs to be mlstrustedobject to allow for being accessed from
# virtualizationmanager, which runs at a more constrained MLS level.
type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;

# /mnt/vm
# Carries core_data_file_type but not data_file_type -- presumably because
# /mnt/vm is not under /data; confirm before adding the attribute.
type vm_data_file, file_type, core_data_file_type;

# /data/system/environ
type environ_system_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/bootanim
type bootanim_data_file, file_type, data_file_type, core_data_file_type;

# /dev/kvm
# The type needs to be mlstrustedobject to allow for being accessed from
# crosvm, which runs at a more constrained MLS level.
type kvm_device, dev_type, mlstrustedobject, vm_manager_device_type;

# /apex/com.android.virt/bin/fd_server
type fd_server_exec, system_file_type, exec_type, file_type;

# /apex/com.android.compos/bin/compsvc
type compos_exec, exec_type, file_type, system_file_type;
# /apex/com.android.compos/bin/compos_key_helper
type compos_key_helper_exec, exec_type, file_type, system_file_type;

# Filesystem entry for the PRNG seeder socket.  Processes require
# write permission on this to connect, and it needs to be mlstrustedobject
# in order to satisfy MLS constraints for trusted domains.
type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;

# /proc/device-tree/avf and /sys/firmware/devicetree/base/avf
type sysfs_dt_avf, fs_type, sysfs_type;
type proc_dt_avf, fs_type, proc_type;

# Type for /system/fonts/font_fallback.xml
type system_font_fallback_file, system_file_type, file_type;

# Type for /sys/devices/uprobe.
type sysfs_uprobe, fs_type, sysfs_type;

# Type for aconfig daemon socket
# mlstrustedobject presumably for the same MLS reason as prng_seeder_socket
# above -- confirm.
type aconfigd_socket, file_type, coredomain_socket, mlstrustedobject;

# Type for aconfig mainline daemon socket
type aconfigd_mainline_socket, file_type, coredomain_socket,  mlstrustedobject;

# Type for /(system|system_ext|product)/etc/aconfig
type system_aconfig_storage_file, system_file_type, file_type;

# Type for /vendor/etc/aconfig
type vendor_aconfig_storage_file, vendor_file_type, file_type;

# /data/misc/connectivityblobdb
type connectivityblob_data_file, file_type, data_file_type, core_data_file_type;

# /data/misc/wifi/mainline_supplicant
type mainline_supplicant_data_file, file_type, data_file_type, core_data_file_type;

# Type for /mnt/pre_reboot_dexopt
# (file_type only: not a /data path, so no data_file_type attributes)
type pre_reboot_dexopt_file, file_type;

# Type for /mnt/artd_tmp in the Pre-reboot Dexopt chroot
# This type is set on the directory through the `rootcontext=` mount option.
type pre_reboot_dexopt_artd_file, file_type;

# /data/app-metadata - extracted app metadata bundles from APKs
type apk_metadata_file, file_type, data_file_type, core_data_file_type;

# Type for /sys/kernel/mm/pgsize_migration/enabled
type sysfs_pgsize_migration, fs_type, sysfs_type;

# /sys/firmware/acpi/tables
type sysfs_firmware_acpi_tables, fs_type, sysfs_type;

# Type for /system/bin/pbtombstone.
type pbtombstone_exec, system_file_type, exec_type, file_type;

# Allow files to be created in their appropriate filesystems.
# `associate` is the filesystem-class permission checked when an inode
# carrying the source type is created on, or relabeled onto, a filesystem
# carrying the target type. Anything not listed here cannot be labeled
# with that type on that filesystem.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
allow cgroup_v2 tmpfs:filesystem associate;
allow cgroup_rc_file tmpfs:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
allow postinstall_file self:filesystem associate;
allow proc_net proc:filesystem associate;

# It's a bug to assign the file_type attribute and fs_type attribute
# to any type. Do not allow it.
#
# For example, the following is a bug:
#   type apk_data_file, file_type, data_file_type, fs_type;
# Should be:
#   type apk_data_file, file_type, data_file_type;
# (A type carrying both would match the `allow fs_type self` rule above,
# which is what this neverallow catches at policy build time.)
neverallow fs_type file_type:filesystem associate;
# app directories of storage areas: /data/storage_area/userId/pkgName -- apps cannot write to it
type storage_area_app_dir, file_type, data_file_type, core_data_file_type, app_data_file_type;
# app storage areas: /data/storage_area/userId/pkgName/storageAreaName
type storage_area_dir, file_type, data_file_type, core_data_file_type, app_data_file_type;
# contents of app storage areas: /data/storage_area/userId/pkgName/storageAreaName/*
type storage_area_content_file, file_type, data_file_type, core_data_file_type, app_data_file_type;

# /data/misc_ce/userId/storage_area_keys
# Key material for the storage areas above; not app_data_file_type, unlike
# the directories it protects.
type storage_area_key_file, file_type, data_file_type, core_data_file_type;

# /metadata/tradeinmode files
type tradeinmode_metadata_file, file_type;

# /metadata/prefetch files
type prefetch_metadata_file, file_type;

# /metadata/libprocessgroup files
type libprocessgroup_metadata_file, file_type;

# Types added in 202504 in public/file.te
# The until_board_api(202504, ...) guard keeps each declaration below only
# for board API levels earlier than 202504, where public/file.te does not
# yet declare it; on 202504 and later the public declaration is the one
# in effect and these blocks compile to nothing.
until_board_api(202504, `
    type binderfs_logs_transactions, fs_type;
    type binderfs_logs_transaction_history, fs_type;
')

until_board_api(202504, `
    type proc_cgroups, fs_type, proc_type;
')

until_board_api(202504, `
    type sysfs_udc, fs_type, sysfs_type;
')

until_board_api(202504, `
    type fs_bpf_lmkd_memevents_rb, fs_type, bpffs_type;
    type fs_bpf_lmkd_memevents_prog, fs_type, bpffs_type;
')

until_board_api(202504, `
    # boot otas for 16KB developer option
    type vendor_boot_ota_file, vendor_file_type, file_type;
')

until_board_api(202504, `
    type tee_service_contexts_file, system_file_type, file_type;
')

until_board_api(202504, `
    type sysfs_mem_sleep, fs_type, sysfs_type;
')

## END Types added in 202504 in public/file.te
