#############################################################################
# Type declarations for filesystems, files and sockets, followed by the
# `associate` rules that say which filesystems may carry which file labels.
#############################################################################

###########################
# Filesystem (fs_type) types
###########################
type labeledfs, fs_type;
type pipefs, fs_type;
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type;

# proc nodes that are security sensitive; most domains must not write them.
type proc_security, fs_type;
# /proc/sys/vm/drop_caches
type proc_drop_caches, fs_type;
# proc, sysfs or other nodes through which kernel usermodehelpers can be
# configured (note: carries both fs_type and sysfs_type).
type usermodehelper, fs_type, sysfs_type;
type qtaguid_proc, fs_type, mlstrustedobject;
type proc_bluetooth_writable, fs_type;
type proc_cpuinfo, fs_type;
type proc_net, fs_type;
type proc_sysrq, fs_type;
type proc_uid_cputime_showstat, fs_type;
type proc_uid_cputime_removeuid, fs_type;

type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;

# sysfs and its writable / device-specific subtrees.
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
# /sys/module/lowmemorykiller
type sysfs_lowmemorykiller, fs_type, sysfs_type;

type inotify, fs_type, mlstrustedobject;
type devpts, fs_type, mlstrustedobject;
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;

# External storage filesystems.  The aliases keep the older sdcard_internal /
# sdcard_external names usable.
type fuse alias sdcard_internal, sdcard_type, fs_type, mlstrustedobject;
type vfat alias sdcard_external, sdcard_type, fs_type, mlstrustedobject;

type debugfs, fs_type, mlstrustedobject;
type pstorefs, fs_type;
type functionfs, fs_type;
type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
type binfmt_miscfs, fs_type;

###########################
# File (file_type) types
###########################
type unlabeled, file_type;
# Anything under /system that has no more specific label.
type system_file, file_type;
# /system/bin/logcat
type logcat_exec, exec_type, file_type;
# /cores: coredumps on userdebug / eng builds
type coredump_file, file_type;

# ---- /data ----
# Anything under /data that has no more specific label.
type system_data_file, file_type, data_file_type;
# Unencrypted data
type unencrypted_data_file, file_type, data_file_type;
# /data/.layout_version and other installd-created files that live in a
# system_data_file directory.
type install_data_file, file_type, data_file_type;
# /data/drm: DRM plugin data
type drm_data_file, file_type, data_file_type;
# /data/adb: adb debugging files
type adb_data_file, file_type, data_file_type;
# /data/anr: ANR traces
type anr_data_file, file_type, data_file_type, mlstrustedobject;
# /data/tombstones: core dumps
type tombstone_data_file, file_type, data_file_type;
# /data/app: user-installed apps (and their temporary files)
type apk_data_file, file_type, data_file_type;
type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/app-private: forward-locked apps (and their temporary files)
type apk_private_data_file, file_type, data_file_type;
type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type;
# /data/dalvik-cache/profiles
type dalvikcache_profiles_data_file, file_type, data_file_type, mlstrustedobject;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type;
# /data/local: writable by shell
type shell_data_file, file_type, data_file_type, mlstrustedobject;
# /data/gps
type gps_data_file, file_type, data_file_type;
# /data/property
type property_data_file, file_type, data_file_type;
# /data/bootchart
type bootchart_data_file, file_type, data_file_type;
# /data/system/heapdump
type heapdump_data_file, file_type, data_file_type, mlstrustedobject;

# ---- mount points managed by vold ----
type mnt_media_rw_file, file_type;
type mnt_user_file, file_type;
type mnt_expand_file, file_type;
type storage_file, file_type;
# Storage directories that are only mount stubs.
type mnt_media_rw_stub_file, file_type;
type storage_stub_file, file_type;

# ---- /data/misc subdirectories ----
type adb_keys_file, file_type, data_file_type;
type audio_data_file, file_type, data_file_type;
type bluetooth_data_file, file_type, data_file_type;
type camera_data_file, file_type, data_file_type;
type gatekeeper_data_file, file_type, data_file_type;
type keychain_data_file, file_type, data_file_type;
type keystore_data_file, file_type, data_file_type;
type media_data_file, file_type, data_file_type;
type media_rw_data_file, file_type, data_file_type, mlstrustedobject;
type misc_user_data_file, file_type, data_file_type;
type net_data_file, file_type, data_file_type;
type nfc_data_file, file_type, data_file_type;
type radio_data_file, file_type, data_file_type, mlstrustedobject;
type shared_relro_file, file_type, data_file_type;
type systemkeys_data_file, file_type, data_file_type;
type vpn_data_file, file_type, data_file_type;
type wifi_data_file, file_type, data_file_type;
type zoneinfo_data_file, file_type, data_file_type;
type vold_data_file, file_type, data_file_type;
type perfprofd_data_file, file_type, data_file_type, mlstrustedobject;
# Keep the name used by vanilla Android 4.3 and 4.4 working.
typealias audio_data_file alias audio_firmware_file;

# ---- /data/data: per-app sandboxes ----
# The two aliases preserve the names used by Android 4.3 and 4.4.
type app_data_file alias { platform_app_data_file download_file }, file_type, data_file_type;
# /data/data subdirectory for system UID apps.
type system_app_data_file, file_type, data_file_type, mlstrustedobject;

# ---- other partitions and locations ----
# Anything under /cache that has no more specific label.
type cache_file, file_type, mlstrustedobject;
# /cache/.*\.{data|restore}, and anything under /cache/backup.
type cache_backup_file, file_type, mlstrustedobject;
# Anything under /efs that has no more specific label.
type efs_file, file_type;
# The wallpaper file.
type wallpaper_file, file_type, mlstrustedobject;
# /mnt/asec
type asec_apk_file, file_type, data_file_type, mlstrustedobject;
# The world-readable elements of the asec files under /mnt/asec.
type asec_public_file, file_type, data_file_type;
# /data/app-asec
type asec_image_file, file_type, data_file_type;
# /data/backup and /data/secure/backup
type backup_data_file, file_type, data_file_type, mlstrustedobject;
# /data/security
type security_file, file_type;
# Every device has bluetooth efs files, but their location varies per
# device, so this type is only applied by per-device policy.
type bluetooth_efs_file, file_type;
# The fingerprint template file.
type fingerprintd_data_file, file_type, data_file_type;

###########################
# Socket types
###########################
type adbd_socket, file_type;
type bluetooth_socket, file_type;
type dnsproxyd_socket, file_type, mlstrustedobject;
type dumpstate_socket, file_type;
type fwmarkd_socket, file_type, mlstrustedobject;
type gps_socket, file_type;
type installd_socket, file_type;
type lmkd_socket, file_type;
type logd_socket, file_type, mlstrustedobject;
type logdr_socket, file_type, mlstrustedobject;
type logdw_socket, file_type, mlstrustedobject;
type mdns_socket, file_type;
type mdnsd_socket, file_type, mlstrustedobject;
type misc_logd_file, file_type;
type mtpd_socket, file_type;
type netd_socket, file_type;
type property_socket, file_type;
type racoon_socket, file_type;
type rild_socket, file_type;
type rild_debug_socket, file_type;
type system_wpa_socket, file_type;
type system_ndebug_socket, file_type;
type vold_socket, file_type;
type wpa_socket, file_type;
type zygote_socket, file_type;
type sap_uim_socket, file_type;
# The UART control proc file used for GPS.
type gps_control, file_type;

###########################
# filesystem:associate rules
###########################
# Each label may only be created on the filesystems listed here.
allow fs_type self:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow file_type { labeledfs tmpfs rootfs }:filesystem associate;
allow dev_type tmpfs:filesystem associate;

# A type must never carry both fs_type and file_type; the neverallow below
# turns that mistake into a policy build failure.  For example
#   type apk_data_file, file_type, data_file_type, fs_type;
# is wrong and must be written as
#   type apk_data_file, file_type, data_file_type;
neverallow fs_type file_type:filesystem associate;