# Type declarations for filesystems, files and sockets, plus the
# filesystem "associate" rules that tie file labels to filesystem labels.
#
# Each "type NAME, ATTR...;" statement declares a type and assigns it to the
# listed attributes. Rules written against an attribute (fs_type, file_type,
# data_file_type, sysfs_type, ...) apply to every type carrying it, so adding
# an attribute here widens access for that type.
#
# NOTE(review): mlstrustedobject is not defined in this listing. In AOSP policy
# it marks objects exempt from MLS (category) separation; confirm against the
# attribute and MLS definitions before adding it to a new type.

# Filesystem types
type labeledfs, fs_type;
type pipefs, fs_type;
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type;
# Security-sensitive proc nodes that should not be writable by most domains.
type proc_security, fs_type;
# Type for /proc/sys/vm/drop_caches
type proc_drop_caches, fs_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type, sysfs_type;
type qtaguid_proc, fs_type, mlstrustedobject;
type proc_bluetooth_writable, fs_type;
type proc_cpuinfo, fs_type;
type proc_iomem, fs_type;
type proc_meminfo, fs_type;
type proc_net, fs_type;
type proc_sysrq, fs_type;
type proc_uid_cputime_showstat, fs_type;
type proc_uid_cputime_removeuid, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_mac_address, fs_type, sysfs_type;
# NOTE(review): unlike the other sysfs_* types, sysfs_usb carries file_type
# rather than fs_type, so file_type-wide rules apply to it. Presumably
# intentional; confirm before changing.
type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
type configfs, fs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
# /sys/module/lowmemorykiller
type sysfs_lowmemorykiller, fs_type, sysfs_type;

type sysfs_thermal, sysfs_type, fs_type;

type sysfs_zram, fs_type, sysfs_type;
type sysfs_zram_uevent, fs_type, sysfs_type;
type inotify, fs_type, mlstrustedobject;
type devpts, fs_type, mlstrustedobject;
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;
type fuse, sdcard_type, fs_type, mlstrustedobject;
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing, fs_type, debugfs_type;
type pstorefs, fs_type;
type functionfs, fs_type;
type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
type binfmt_miscfs, fs_type;
type app_fusefs, fs_type, contextmount_type;

# File types
type unlabeled, file_type;
# Default type for anything under /system.
type system_file, file_type;
# Type for /system/bin/logcat.
type logcat_exec, exec_type, file_type;
# /cores for coredumps on userdebug / eng builds
type coredump_file, file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type;
# Unencrypted data
type unencrypted_data_file, file_type, data_file_type;
# /data/.layout_version or other installd-created files that
# are created in a system_data_file directory.
type install_data_file, file_type, data_file_type;
# /data/drm - DRM plugin data
type drm_data_file, file_type, data_file_type;
# /data/adb - adb debugging files
type adb_data_file, file_type, data_file_type;
# /data/anr - ANR traces
type anr_data_file, file_type, data_file_type, mlstrustedobject;
# /data/tombstones - core dumps
type tombstone_data_file, file_type, data_file_type;
# /data/app - user-installed apps
type apk_data_file, file_type, data_file_type;
type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/app-private - forward-locked apps
type apk_private_data_file, file_type, data_file_type;
type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type;
# /data/ota
type ota_data_file, file_type, data_file_type;
# /data/ota_package
type ota_package_file, file_type, data_file_type, mlstrustedobject;
# /data/misc/profiles
type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
type user_profile_foreign_dex_data_file, file_type, data_file_type, mlstrustedobject;
# /data/misc/profman
type profman_dump_data_file, file_type, data_file_type;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type;
# /data/local - writable by shell
type shell_data_file, file_type, data_file_type, mlstrustedobject;
# /data/gps
type gps_data_file, file_type, data_file_type;
# /data/property
type property_data_file, file_type, data_file_type;
# /data/bootchart
type bootchart_data_file, file_type, data_file_type;
# /data/system/heapdump
type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
# /data/nativetest
type nativetest_data_file, file_type, data_file_type;
# /data/system_de/0/ringtones
type ringtone_file, file_type, data_file_type, mlstrustedobject;
# /data/preloads
type preloads_data_file, file_type, data_file_type;

# Mount locations managed by vold
type mnt_media_rw_file, file_type;
type mnt_user_file, file_type;
type mnt_expand_file, file_type;
type storage_file, file_type;

# Label for storage dirs which are just mount stubs
type mnt_media_rw_stub_file, file_type;
type storage_stub_file, file_type;

# /postinstall: Mount point used by update_engine to run postinstall.
type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
type postinstall_file, file_type;

# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type;
type audio_data_file, file_type, data_file_type;
type audioserver_data_file, file_type, data_file_type;
type bluetooth_data_file, file_type, data_file_type;
type bluetooth_logs_data_file, file_type, data_file_type;
type bootstat_data_file, file_type, data_file_type;
type boottrace_data_file, file_type, data_file_type;
type camera_data_file, file_type, data_file_type;
type gatekeeper_data_file, file_type, data_file_type;
type keychain_data_file, file_type, data_file_type;
type keystore_data_file, file_type, data_file_type;
type media_data_file, file_type, data_file_type;
type media_rw_data_file, file_type, data_file_type, mlstrustedobject;
type misc_user_data_file, file_type, data_file_type;
type net_data_file, file_type, data_file_type;
type nfc_data_file, file_type, data_file_type;
type radio_data_file, file_type, data_file_type, mlstrustedobject;
type recovery_data_file, file_type, data_file_type;
type shared_relro_file, file_type, data_file_type;
type systemkeys_data_file, file_type, data_file_type;
type vpn_data_file, file_type, data_file_type;
type wifi_data_file, file_type, data_file_type;
type zoneinfo_data_file, file_type, data_file_type;
type vold_data_file, file_type, data_file_type;
type perfprofd_data_file, file_type, data_file_type, mlstrustedobject;
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, mlstrustedobject;

# Compatibility with type names used in vanilla Android 4.3 and 4.4.
# The alias name resolves to audio_data_file, so rules written against
# either name cover the same objects.
typealias audio_data_file alias audio_firmware_file;
# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type;
type autoplay_data_file, file_type, data_file_type;
# /data/data subdirectory for system UID apps.
type system_app_data_file, file_type, data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4.
# Both alias names resolve to app_data_file.
typealias app_data_file alias platform_app_data_file;
typealias app_data_file alias download_file;
# Default type for anything under /cache
type cache_file, file_type, mlstrustedobject;
# Type for /cache/backup_stage/* (fd interchange with apps)
type cache_backup_file, file_type, mlstrustedobject;
# Type for anything under /cache/backup (local transport storage)
type cache_private_backup_file, file_type;
# Type for anything under /cache/recovery
type cache_recovery_file, file_type, mlstrustedobject;
# Default type for anything under /efs
type efs_file, file_type;
# Type for wallpaper file.
type wallpaper_file, file_type, data_file_type, mlstrustedobject;
# Type for shortcut manager icon file.
type shortcut_manager_icons, file_type, data_file_type, mlstrustedobject;
# Type for user icon file.
type icon_file, file_type, data_file_type;
# /mnt/asec
type asec_apk_file, file_type, data_file_type, mlstrustedobject;
# Elements of asec files (/mnt/asec) that are world readable
type asec_public_file, file_type, data_file_type;
# /data/app-asec
type asec_image_file, file_type, data_file_type;
# /data/backup and /data/secure/backup
type backup_data_file, file_type, data_file_type, mlstrustedobject;
# For /data/security
type security_file, file_type;
# All devices have bluetooth efs files, but they
# vary per device, so this type is used in
# per-device policy.
type bluetooth_efs_file, file_type;
# Type for fingerprint template file.
type fingerprintd_data_file, file_type, data_file_type;
# Type for appfuse file.
type app_fuse_file, file_type, data_file_type, mlstrustedobject;

# Socket types
type adbd_socket, file_type;
type bluetooth_socket, file_type;
type dnsproxyd_socket, file_type, mlstrustedobject;
type dumpstate_socket, file_type;
type fwmarkd_socket, file_type, mlstrustedobject;
type gps_socket, file_type;
type installd_socket, file_type;
type lmkd_socket, file_type;
type logd_socket, file_type, mlstrustedobject;
type logdr_socket, file_type, mlstrustedobject;
type logdw_socket, file_type, mlstrustedobject;
type mdns_socket, file_type;
type mdnsd_socket, file_type, mlstrustedobject;
# NOTE(review): the name suggests a regular file rather than a socket;
# kept in this section as in the original. Confirm the intended grouping.
type misc_logd_file, file_type;
type mtpd_socket, file_type;
type netd_socket, file_type;
type property_socket, file_type;
type racoon_socket, file_type;
type rild_socket, file_type;
type rild_debug_socket, file_type;
type system_wpa_socket, file_type;
type system_ndebug_socket, file_type;
type uncrypt_socket, file_type;
type vold_socket, file_type;
type wpa_socket, file_type;
type zygote_socket, file_type;
type sap_uim_socket, file_type;
# UART (for GPS) control proc file
type gps_control, file_type;

# property_contexts file
type property_contexts, file_type;

# Allow files to be created in their appropriate filesystems.
# "associate" is the filesystem-class permission that lets an object with the
# source label exist on a filesystem carrying the target label.
# Every fs_type may associate with a filesystem labeled as itself.
allow fs_type self:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
# file_type objects may live on labeledfs, tmpfs and rootfs filesystems.
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
# dev_type is not declared in this listing; it is expected to come from
# another policy file.
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
allow postinstall_file self:filesystem associate;

# It's a bug to assign both the file_type attribute and the fs_type attribute
# to the same type. Do not allow it.
#
# For example, the following is a bug:
# type apk_data_file, file_type, data_file_type, fs_type;
# Should be:
# type apk_data_file, file_type, data_file_type;
#
# How the check works: "allow fs_type self:filesystem associate" above grants
# every fs_type type associate on itself. A type carrying both attributes
# would therefore be an fs_type source associating with a file_type target
# (itself), which violates this assertion when the policy is compiled.
neverallow fs_type file_type:filesystem associate;