
Searched refs:domain (Results 1 – 25 of 117) sorted by relevance


/system/sepolicy/
Ddomain.te4 allow domain init:process sigchld;
6 # Intra-domain accesses.
7 allow domain self:process {
24 allow domain self:fd use;
25 allow domain proc:dir r_dir_perms;
26 allow domain proc_net:dir search;
27 r_dir_file(domain, self)
28 allow domain self:{ fifo_file file } rw_file_perms;
29 allow domain self:unix_dgram_socket { create_socket_perms sendto };
30 allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
[all …]
Dseapp_contexts39 # domain (string)
43 # Only entries that specify domain= will be used for app process labeling.
59 # only the system server can be in system_server domain
60 neverallow isSystemServer=false domain=system_server
61 neverallow isSystemServer="" domain=system_server
64 neverallow user=((?!system).)* domain=system_app
71 # neverallow shared relro to any other domain
73 neverallow user=shared_relro domain=((?!shared_relro).)*
74 neverallow user=((?!shared_relro).)* domain=shared_relro
76 # neverallow non-isolated uids into isolated_app domain
[all …]
Dsu.te6 # after performing an adb root command. The domain definition is
8 type su, domain, mlstrustedsubject;
15 # Make sure that dumpstate runs the same from the "su" domain as
16 # from the "init" domain.
30 dontaudit su domain:process *;
31 dontaudit su domain:fd *;
32 dontaudit su domain:dir *;
33 dontaudit su domain:lnk_file *;
34 dontaudit su domain:{ fifo_file file } *;
35 dontaudit su domain:socket_class_set *;
[all …]
Dte_macros10 # Old domain may exec the file and transition to the new domain.
13 # New domain is entered by executing the file.
15 # New domain can send SIGCHLD to its caller.
36 # file_type_trans(domain, dir_type, file_type)
37 # Allow domain to create a file labeled file_type in a
44 # Allow the domain to add entries to the directory.
46 # Allow the domain to create the file.
52 # file_type_auto_trans(domain, dir_type, file_type)
54 # they are created by domain in directories labeled dir_type.
65 # r_dir_file(domain, type)
[all …]
Dkeystore.te1 type keystore, domain, domain_deprecated;
26 neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search r…
27 neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
29 neverallow { domain -keystore -init } keystore_data_file:dir *;
30 neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
Ddebuggerd.te2 type debuggerd, domain, domain_deprecated;
9 allow debuggerd domain:dir r_dir_perms;
10 allow debuggerd domain:file r_file_perms;
11 allow debuggerd domain:lnk_file read;
13 domain
27 allow debuggerd domain:process { sigstop sigkill signal };
Dkernel.te2 type kernel, domain, domain_deprecated, mlstrustedsubject;
28 # Initial setenforce by init prior to switching to init domain.
33 # Write to /proc/1/oom_adj prior to switching to init domain.
48 # Set checkreqprot by init.rc prior to switching to init domain.
78 # The initial task starts in the kernel domain (assigned via
82 # The kernel domain is never entered via an exec, nor should it
83 # ever execute a program outside the rootfs without changing to another domain.
84 # If you encounter an execute_no_trans denial on the kernel domain, then
86 # - The program is a kernel usermodehelper. In this case, define a domain
89 # program was left in the kernel domain and is now trying to execute
Dlogd.te2 type logd, domain, domain_deprecated, mlstrustedsubject;
33 r_dir_file(logd, domain)
53 neverallow logd domain:process ptrace;
66 neverallow { domain userdebug_or_eng(`-logd -shell -dumpstate') } misc_logd_file:file no_rw_file_pe…
67 neverallow { domain userdebug_or_eng(`-logd') } misc_logd_file:dir { add_name link relabelfrom remo…
68 neverallow { domain -init } misc_logd_file:dir create;
Dmediaextractor.te2 type mediaextractor, domain, domain_deprecated;
21 # domain transition
25 neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
Dtoolbox.te3 # Do NOT use this domain for toolbox when run by any other domain.
4 type toolbox, domain, domain_deprecated;
24 neverallow { domain -init } toolbox:process transition;
Dnetd.te2 type netd, domain, domain_deprecated, mlstrustedsubject;
49 # Allow netd to spawn hostapd in it's own domain
53 # Allow netd to spawn dnsmasq in it's own domain
57 # Allow netd to start clatd in its own domain
89 neverallow netd { domain }:process ptrace;
98 neverallow { domain -system_server -dumpstate } netd_service:service_manager find;
99 neverallow { domain -system_server -dumpstate } netd:binder call;
100 neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
Dmediacodec.te2 type mediacodec, domain;
26 # domain transition
30 neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
Dpostinstall.te2 # Extend the permissions in this domain to allow this program to access other
4 type postinstall, domain;
35 # No domain other than update_engine and recovery (via update_engine_sideload)
38 neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };
Drecovery_refresh.te2 type recovery_refresh, domain;
9 # NB: domain inherits write_logd which hands us write to pmsg_device
20 neverallow recovery_refresh domain:process ptrace;
Daudioserver.te2 type audioserver, domain;
24 # ptrace to processes in the same domain for memory leak detection
51 # domain transition
55 neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
Dcameraserver.te2 type cameraserver, domain;
35 # domain transition
39 neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
Dcppreopts.te4 # partition. This domain ensures that we are only copying into specific
7 type cppreopts, domain, mlstrustedsubject;
10 # Technically not a daemon but we do want the transition from init domain to
Dvold.te2 type vold, domain, domain_deprecated;
23 # domain when working with untrusted block devices
85 allow vold domain:dir r_dir_perms;
86 allow vold domain:{ file lnk_file } r_file_perms;
87 allow vold domain:process { signal sigkill };
98 # Run fsck in the fsck domain.
198 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto…
199 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
200 neverallow { domain -vold -init } vold_data_file:dir *;
201 neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
[all …]
Dattributes11 attribute domain;
13 # Temporary attribute used for migrating permissions out of domain.
15 # from domain and assign them to the domain_deprecated attribute.
16 # Domain_deprecated and domain can initially be assigned to all
19 # reassigning the appropriate permissions to the inheriting domain
37 # All types used for domain entry points.
Dperfprofd.te6 type perfprofd, domain, domain_deprecated, mlstrustedsubject;
17 # simpleperf retains perfprofd domain after exec
40 r_dir_file(perfprofd, domain)
44 neverallow perfprofd domain:process ptrace;
Dshell.te2 type shell, domain, mlstrustedsubject;
9 # XXX Transition into its own domain?
101 allow shell domain:dir { search open read getattr };
102 allow shell domain:{ file lnk_file } { open read getattr };
112 allow shell domain:process getattr;
118 # enable shell domain to read/write files/dirs for bootchart data
153 neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
Dservicemanager.te2 type servicemanager, domain, domain_deprecated, mlstrustedsubject;
14 allow servicemanager { domain -init }:binder transfer;
Dinit.te1 # init is its own domain.
2 type init, domain, domain_deprecated, mlstrustedsubject;
5 # The init domain is entered by execing init.
190 allow init domain:process { sigkill signal };
212 r_dir_file(init, domain)
217 # setsockcreate is for labeling local/unix domain sockets.
227 allow init domain:unix_stream_socket { create bind };
228 allow init domain:unix_dgram_socket { create bind };
242 # set scheduling parameters for a kernel domain task.
296 # The init domain is only entered via setcon from the kernel domain,
[all …]
/system/netd/server/
DMDnsSdListener.h34 const char *domain, void *inContext);
114 const char *domain, const int requestNumber,
118 const char *serviceName, const char *serviceType, const char *domain,
123 const char *domain);
/system/tpm/attestation/server/
Dattestationd-seccomp-arm.policy14 # Allow socket(domain==PF_LOCAL) or socket(domain==PF_NETLINK)
