# Rules for all domains.
#
# Every rule below is granted to the "domain" attribute, i.e. to every
# process domain in the policy. This file is therefore the floor of what
# any process may do; nothing granted here can be withdrawn per domain.
# Review focus: the rules written with a complement set (~) or a wildcard
# (*), and the device, sysfs and cgroup write rules, are the widest grants
# in this file.

# Allow reaping by init: init may receive SIGCHLD from any domain.
allow domain init:process sigchld;

# Read access to properties mapping.
# Only fd use on the kernel and read on tmpfs files is granted, not write.
allow domain kernel:fd use;
allow domain tmpfs:file read;

# binder adjusts the nice value during IPC.
# NOTE(review): this hands CAP_SYS_NICE to every domain, not only to the
# ones that use binder; the capability also covers scheduling changes on
# a process' own threads.
allow domain self:capability sys_nice;

# Intra-domain accesses.
# ~{ execstack execheap } is a complement set: it grants every permission
# in the process class EXCEPT executable stack and executable heap. That
# presumably includes execmem and ptrace on the domain itself; confirm
# against the access vector definitions and prefer an explicit list if
# the complement is wider than intended.
allow domain self:process ~{ execstack execheap };
allow domain self:fd use;
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:{ fifo_file file } rw_file_perms;
# * is every permission on the class: same-domain unix sockets are
# fully unrestricted.
allow domain self:{ unix_dgram_socket unix_stream_socket } *;

# Inherit or receive open files from others.
# fd use on init and system descriptors only allows holding the
# descriptor; the rules for the object behind it still apply.
allow domain init:fd use;
allow domain system:fd use;

# Connect to adbd and use a socket transferred from it.
# Any domain may connect to the adbd listening socket. The permission set
# on the transferred socket is an explicit list rather than *; keep it
# explicit if it is ever extended.
allow domain adbd:unix_stream_socket connectto;
allow domain adbd:fd use;
allow domain adbd:unix_stream_socket { getattr read write shutdown };

# Talk to debuggerd.
# debuggerd may receive SIGCHLD from any domain, and any domain may
# connect to its socket.
allow domain debuggerd:process sigchld;
allow domain debuggerd:unix_stream_socket connectto;

# Root fs.
# Read-only: directory search and symlink reads. No file read on rootfs
# is granted here.
allow domain rootfs:dir r_dir_perms;
allow domain rootfs:lnk_file { read getattr };

# Device accesses.
# Directory search on the device, pts and socket directory types, then
# per-node grants. Read/write is given to every domain on the null,
# ashmem, binder, ptmx and GPU (powervr, nv) nodes; the log device is
# write-only; zero, alarm and urandom are read-only.
allow domain device:dir search;
allow domain devpts:dir search;
allow domain device:file read;
allow domain socket_device:dir search;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file r_file_perms;
allow domain ashmem_device:chr_file rw_file_perms;
allow domain binder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain powervr_device:chr_file rw_file_perms;
allow domain log_device:dir search;
allow domain log_device:chr_file w_file_perms;
allow domain nv_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
allow domain urandom_device:chr_file r_file_perms;

# Filesystem accesses.
# getattr only (statfs-style queries); no mount or unmount is granted.
allow domain fs_type:filesystem getattr;

# System file accesses.
# Read and execute on everything labeled system_file. execute on its own
# still needs a domain transition (or execute_no_trans) before a binary
# actually runs; confirm against the transition rules elsewhere.
allow domain system_file:dir r_dir_perms;
allow domain system_file:file r_file_perms;
allow domain system_file:file execute;
allow domain system_file:lnk_file read;

# Read files already opened under /data.
# Deliberately no open on system_data_file files: getattr and read only,
# so a domain can use an inherited descriptor but cannot open new files.
allow domain system_data_file:dir { search getattr };
allow domain system_data_file:file { getattr read };
allow domain system_data_file:lnk_file read;

# Read apk files under /data/app.
allow domain apk_data_file:dir search;
allow domain apk_data_file:file r_file_perms;

# Read /data/dalvik-cache.
allow domain dalvikcache_data_file:dir { search getattr };
allow domain dalvikcache_data_file:file r_file_perms;

# Read already opened /cache files.
# Same pattern as system_data_file above: getattr and read only, no open.
allow domain cache_file:dir r_dir_perms;
allow domain cache_file:file { getattr read };
allow domain cache_file:lnk_file read;

# For /acct/uid/*/tasks.
# NOTE(review): w_file_perms on every file of type cgroup, for every
# domain, is wider than the tasks file named here. A dedicated type for
# that file would narrow it; verify what else carries the cgroup label.
allow domain cgroup:dir search;
allow domain cgroup:file w_file_perms;

# For /sys/qemu_trace files in the emulator.
# in_qemu is a policy boolean, so this block can be switched on at runtime
# (setsebool) by any domain that holds security:setbool. When true, every
# domain gets read/write on ALL sysfs files, not only qemu_trace.
bool in_qemu false;
if (in_qemu) {
allow domain sysfs:file rw_file_perms;
}
# Unconditional read/write on the explicitly writable sysfs subset.
allow domain sysfs_writable:file rw_file_perms;

# Read access to pseudo filesystems.
# r_dir_file is a policy macro defined elsewhere; presumably it expands to
# read permissions on the dirs, files and symlinks of the named type.
r_dir_file(domain, proc)
r_dir_file(domain, sysfs)
r_dir_file(domain, inotify)
r_dir_file(domain, cgroup)

# Ignore /sys/kernel/debug
# dontaudit only silences the denial message; the search is still refused.
# Note that this also hides attempts to reach debugfs from the audit log.
dontaudit domain debugfs:dir search;
