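# Filesystem types
#
# Every type in this section carries fs_type and, where applicable, a grouping
# attribute such as proc_type, sysfs_type, debugfs_type or tracefs_type. The
# attributes themselves are declared outside this listing.
#
# NOTE(review): mlstrustedobject is also declared outside this listing; in
# AOSP it marks types that can override MLS restrictions, so adding it to a
# type loosens MLS separation for that object. Review such additions as
# carefully as a new allow rule.
type labeledfs, fs_type;
type pipefs, fs_type;
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type, proc_type;
type binderfs, fs_type;
type binderfs_logs, fs_type;
type binderfs_logs_proc, fs_type;
type binderfs_logs_stats, fs_type;
type binderfs_features, fs_type;
# Security-sensitive proc nodes that should not be writable to most domains.
type proc_security, fs_type, proc_type;
type proc_drop_caches, fs_type, proc_type;
type proc_overcommit_memory, fs_type, proc_type;
type proc_min_free_order_shift, fs_type, proc_type;
type proc_kpageflags, fs_type, proc_type;
type proc_watermark_boost_factor, fs_type, proc_type;
type proc_percpu_pagelist_high_fraction, fs_type, proc_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type, proc_type;
type sysfs_usermodehelper, fs_type, sysfs_type;
type proc_qtaguid_ctrl, fs_type, mlstrustedobject, proc_type;
type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type;
type proc_bluetooth_writable, fs_type, proc_type;
type proc_abi, fs_type, proc_type;
type proc_asound, fs_type, proc_type;
type proc_bootconfig, fs_type, proc_type;
type proc_bpf, fs_type, proc_type;
type proc_buddyinfo, fs_type, proc_type;
type proc_cmdline, fs_type, proc_type;
type proc_cpu_alignment, fs_type, proc_type;
type proc_cpuinfo, fs_type, proc_type;
type proc_dirty, fs_type, proc_type;
type proc_diskstats, fs_type, proc_type;
type proc_extra_free_kbytes, fs_type, proc_type;
type proc_filesystems, fs_type, proc_type;
type proc_fs_verity, fs_type, proc_type;
type proc_hostname, fs_type, proc_type;
type proc_hung_task, fs_type, proc_type;
type proc_interrupts, fs_type, proc_type;
type proc_iomem, fs_type, proc_type;
type proc_kallsyms, fs_type, proc_type;
type proc_keys, fs_type, proc_type;
type proc_kmsg, fs_type, proc_type;
type proc_loadavg, fs_type, proc_type;
type proc_locks, fs_type, proc_type;
type proc_lowmemorykiller, fs_type, proc_type;
type proc_max_map_count, fs_type, proc_type;
type proc_meminfo, fs_type, proc_type;
type proc_misc, fs_type, proc_type;
type proc_modules, fs_type, proc_type;
type proc_mounts, fs_type, proc_type;
type proc_net, fs_type, proc_type, proc_net_type;
type proc_net_tcp_udp, fs_type, proc_type;
type proc_page_cluster, fs_type, proc_type;
type proc_pagetypeinfo, fs_type, proc_type;
type proc_panic, fs_type, proc_type;
type proc_perf, fs_type, proc_type;
type proc_pid_max, fs_type, proc_type;
type proc_pipe_conf, fs_type, proc_type;
type proc_pressure_cpu, fs_type, proc_type;
type proc_pressure_io, fs_type, proc_type;
type proc_pressure_mem, fs_type, proc_type;
type proc_random, fs_type, proc_type;
type proc_sched, fs_type, proc_type;
type proc_slabinfo, fs_type, proc_type;
type proc_stat, fs_type, proc_type;
type proc_swaps, fs_type, proc_type;
type proc_sysrq, fs_type, proc_type;
type proc_timer, fs_type, proc_type;
type proc_tty_drivers, fs_type, proc_type;
type proc_uid_cputime_showstat, fs_type, proc_type;
type proc_uid_cputime_removeuid, fs_type, proc_type;
type proc_uid_io_stats, fs_type, proc_type;
type proc_uid_procstat_set, fs_type, proc_type;
type proc_uid_time_in_state, fs_type, proc_type;
type proc_uid_concurrent_active_time, fs_type, proc_type;
type proc_uid_concurrent_policy_time, fs_type, proc_type;
type proc_uid_cpupower, fs_type, proc_type;
type proc_uptime, fs_type, proc_type;
type proc_version, fs_type, proc_type;
type proc_vmallocinfo, fs_type, proc_type;
type proc_vmstat, fs_type, proc_type;
type proc_watermark_scale_factor, fs_type, proc_type;
type proc_zoneinfo, fs_type, proc_type;
type proc_vendor_sched, proc_type, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type fusectlfs, fs_type;
type cgroup, fs_type, mlstrustedobject;
type cgroup_v2, fs_type;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_android_usb, fs_type, sysfs_type;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_devfreq_cur, fs_type, sysfs_type;
type sysfs_devfreq_dir, fs_type, sysfs_type;
type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dm_verity, fs_type, sysfs_type;
type sysfs_dma_heap, fs_type, sysfs_type;
type sysfs_dmabuf_stats, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
type sysfs_extcon, fs_type, sysfs_type;
type sysfs_ion, fs_type, sysfs_type;
type sysfs_ipv4, fs_type, sysfs_type;
type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
type sysfs_leds, fs_type, sysfs_type;
type sysfs_loop, fs_type, sysfs_type;
type sysfs_gpu, fs_type, sysfs_type;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_net, fs_type, sysfs_type;
type sysfs_power, fs_type, sysfs_type;
type sysfs_rtc, fs_type, sysfs_type;
type sysfs_suspend_stats, fs_type, sysfs_type;
type sysfs_switch, fs_type, sysfs_type;
type sysfs_sync_on_suspend, fs_type, sysfs_type;
type sysfs_transparent_hugepage, fs_type, sysfs_type;
type sysfs_lru_gen_enabled, fs_type, sysfs_type;
type sysfs_usb, fs_type, sysfs_type;
type sysfs_wakeup, fs_type, sysfs_type;
type sysfs_wakeup_reasons, fs_type, sysfs_type;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
type sysfs_fs_f2fs, sysfs_type, fs_type;
type sysfs_fs_fuse_bpf, sysfs_type, fs_type;
type sysfs_fs_fuse_features, sysfs_type, fs_type;
type sysfs_fs_incfs_features, sysfs_type, fs_type;
type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
type sysfs_vendor_sched, sysfs_type, fs_type;
# Only inside the userdebug_or_eng() wrapper does sysfs_vendor_sched gain
# mlstrustedobject; the plain declaration above does not carry it.
userdebug_or_eng(`
  typeattribute sysfs_vendor_sched mlstrustedobject;
')
type fs_bpf, fs_type, bpffs_type;
# TODO: S+ fs_bpf_tethering (used by mainline) should be private
type fs_bpf_tethering, fs_type, bpffs_type;
type fs_bpf_vendor, fs_type, bpffs_type;
type configfs, fs_type;
# /sys/devices/cs_etm
type sysfs_devices_cs_etm, fs_type, sysfs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
# /sys/module/lowmemorykiller
type sysfs_lowmemorykiller, fs_type, sysfs_type;
# /sys/module/wlan/parameters/fwpath
type sysfs_wlan_fwpath, fs_type, sysfs_type;
type sysfs_vibrator, fs_type, sysfs_type;
type sysfs_uhid, fs_type, sysfs_type;
type sysfs_thermal, sysfs_type, fs_type;

type sysfs_zram, fs_type, sysfs_type;
type sysfs_zram_uevent, fs_type, sysfs_type;
type inotify, fs_type, mlstrustedobject;
type devpts, fs_type, mlstrustedobject;
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;
type fuse, fusefs_type, fs_type, mlstrustedobject;
type fuseblk, sdcard_type, fusefs_type, fs_type, mlstrustedobject;
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
type exfat, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type, debugfs_type;
type debugfs_kprobes, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
type debugfs_wakeup_sources, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;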
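# Remaining filesystem types (each carries fs_type).
type securityfs, fs_type;

type pstorefs, fs_type;
type functionfs, fs_type, mlstrustedobject;
type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
type binfmt_miscfs, fs_type;
type app_fusefs, fs_type, fusefs_type, contextmount_type;

# File types
#
# From here on every type carries file_type rather than fs_type; the two
# attributes are never combined on one type in this listing.
type unlabeled, file_type;

# Default type for anything under /system.
type system_file, system_file_type, file_type;
# Default type for /system/asan.options
type system_asan_options_file, system_file_type, file_type;
# Type for /system/etc/event-log-tags (liblog implementation detail)
type system_event_log_tags_file, system_file_type, file_type;
# Default type for anything under /system/lib[64].
type system_lib_file, system_file_type, file_type;
# System libraries that are available only to bootstrap processes
type system_bootstrap_lib_file, system_file_type, file_type;
# Default type for the group file /system/etc/group.
type system_group_file, system_file_type, file_type;
# Default type for linker executable /system/bin/linker[64].
type system_linker_exec, system_file_type, file_type;
# Default type for linker config /system/etc/ld.config.*.
type system_linker_config_file, system_file_type, file_type;
# Default type for the passwd file /system/etc/passwd.
type system_passwd_file, system_file_type, file_type;
# Default type for seccomp policy files in /system/etc/seccomp_policy/*.
type system_seccomp_policy_file, system_file_type, file_type;
# Default type for cacerts in /system/etc/security/cacerts/*.
type system_security_cacerts_file, system_file_type, file_type;
# Default type for /system/bin/tcpdump.
type tcpdump_exec, system_file_type, exec_type, file_type;
# Default type for zoneinfo files in /system/usr/share/zoneinfo/*.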
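type system_zoneinfo_file, system_file_type, file_type;
# Cgroups description file under /system/etc/cgroups.json
type cgroup_desc_file, system_file_type, file_type;
# Cgroups description file under /system/etc/task_profiles/cgroups_*.json
type cgroup_desc_api_file, system_file_type, file_type;
# Vendor cgroups description file under /vendor/etc/cgroups.json
type vendor_cgroup_desc_file, vendor_file_type, file_type;
# Task profiles file under /system/etc/task_profiles.json
type task_profiles_file, system_file_type, file_type;
# Task profiles file under /system/etc/task_profiles/task_profiles_*.json
type task_profiles_api_file, system_file_type, file_type;
# Vendor task profiles file under /vendor/etc/task_profiles.json
type vendor_task_profiles_file, vendor_file_type, file_type;
# Type for /system/apex/com.android.art
type art_apex_dir, system_file_type, file_type;
# /linkerconfig(/.*)?
type linkerconfig_file, file_type;
# Control files under /data/incremental
type incremental_control_file, file_type, data_file_type, core_data_file_type;
# /oem/media/bootanimation.zip|shutdownanimation.zip|userspace-reboot.zip
type bootanim_oem_file, file_type, system_file_type;

# Default type for directories searched for
# HAL implementations
type vendor_hal_file, vendor_file_type, file_type;
# Default type for anything under /vendor or /system/vendor
type vendor_file, vendor_file_type, file_type;
# Default type for everything in /vendor/app
type vendor_app_file, vendor_file_type, file_type;
# Default type for everything under /vendor/etc/
type vendor_configs_file, vendor_file_type, file_type;
# Default type for all *same process* HALs and their lib/bin dependencies.
# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
type same_process_hal_file, vendor_file_type, file_type;
# Default type for vndk-sp libs. /vendor/lib/vndk-sp
type vndk_sp_file, vendor_file_type, file_type;
# Default type for everything in /vendor/framework
type vendor_framework_file, vendor_file_type, file_type;
# Default type for everything in /vendor/overlay
type vendor_overlay_file, vendor_file_type, file_type;
# Type for all vendor public libraries. These libs should only be exposed to
# apps. ABI stability of these libs is vendor's responsibility.
type vendor_public_lib_file, vendor_file_type, file_type;
# Type for all vendor public libraries for system. These libs should only be exposed to
# system. ABI stability of these libs is vendor's responsibility.
type vendor_public_framework_file, vendor_file_type, file_type;
# Type for all microdroid related files in the vendor partition.
# Files having this type should be read-only.
type vendor_microdroid_file, vendor_file_type, file_type;

# Input configuration
type vendor_keylayout_file, vendor_file_type, file_type;
type vendor_keychars_file, vendor_file_type, file_type;
type vendor_idc_file, vendor_file_type, file_type;

# Type for vendor uuid mapping config file
type vendor_uuid_mapping_config_file, vendor_file_type, file_type;

# SoC-specific virtual machine disk files
type vendor_vm_file, vendor_file_type, file_type;
# SoC-specific virtual machine disk files that are mutable
# NOTE(review): described as mutable yet labeled vendor_file_type rather than
# data_file_type; confirm the rules written against vendor_file_type do not
# grant more access to this writable content than intended.
type vendor_vm_data_file, vendor_file_type, file_type;

# /metadata partition itself
type metadata_file, file_type;
# Vold files within /metadata
type vold_metadata_file, file_type;
# GSI files within /metadata
type gsi_metadata_file, gsi_metadata_file_type, file_type;
# DSU (GSI) files within /metadata that are globally readable.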
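type gsi_public_metadata_file, gsi_metadata_file_type, file_type;
# system_server shares Weaver slot information in /metadata
type password_slot_metadata_file, file_type;
# APEX files within /metadata
type apex_metadata_file, file_type;
# libsnapshot files within /metadata
type ota_metadata_file, file_type;
# Property files within /metadata/bootstat
type metadata_bootstat_file, file_type;
# Userspace reboot files within /metadata/userspacereboot
type userspace_reboot_metadata_file, file_type;
# Staged install files within /metadata/staged-install
type staged_install_file, file_type;
# Metadata information within /metadata/watchdog
type watchdog_metadata_file, file_type;
# Repair mode files within /metadata/repair-mode
type repair_mode_metadata_file, file_type;
# Aconfig storage file
type aconfig_storage_metadata_file, file_type;
# Aconfig storage flag value persistent copy
type aconfig_storage_flags_metadata_file, file_type;

# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
# Speed up access for trusted applications to the runtime event tags
type runtime_event_log_tags_file, file_type;
# Type for /system/bin/logcat.
type logcat_exec, system_file_type, exec_type, file_type;
# Speed up access to cgroup map file
type cgroup_rc_file, file_type;
# /cores for coredumps on userdebug / eng builds
type coredump_file, file_type;
# Type of /data itself
type system_data_root_file, file_type, data_file_type, core_data_file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type, core_data_file_type;
# Default type for directories containing per-user encrypted directories, such
# as /data/user and /data/user_de.
type system_userdir_file, file_type, data_file_type, core_data_file_type;
# Type for /data/system/packages.list.
# TODO(b/129332765): Narrow down permissions to this.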
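# Find out users of system_data_file that should be granted only this.
type packages_list_file, file_type, data_file_type, core_data_file_type;
type game_mode_intervention_list_file, file_type, data_file_type, core_data_file_type;
# Default type for anything inside /data/vendor_{ce,de}.
type vendor_data_file, file_type, data_file_type;
# Type for /data/vendor_{ce,de} themselves. This has core_data_file_type
# because these directories themselves are platform-managed; only the files
# *inside* them are vendor data. (Somewhat similar to system_data_root_file.)
type vendor_userdir_file, file_type, data_file_type, core_data_file_type;
# Unencrypted data
type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
# installd-created files in /data/misc/installd such as layout_version
type install_data_file, file_type, data_file_type, core_data_file_type;
# /data/drm - DRM plugin data
type drm_data_file, file_type, data_file_type, core_data_file_type;
# /data/adb - adb debugging files
type adb_data_file, file_type, data_file_type, core_data_file_type;
# NOTE(review): several types below carry mlstrustedobject, which is declared
# outside this listing; in AOSP it marks types that can override MLS
# restrictions, so review any new use of it with care.
# /data/anr - ANR traces
type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/tombstones - core dumps
type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/vendor/tombstones/wifi - vendor wifi dumps
type tombstone_wifi_data_file, file_type, data_file_type;
# /data/apex - APEX data files
type apex_data_file, file_type, data_file_type, core_data_file_type;
# /data/app - user-installed apps
type apk_data_file, file_type, data_file_type, core_data_file_type;
type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/app-private - forward-locked apps
type apk_private_data_file, file_type, data_file_type, core_data_file_type;
type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
# /data/ota
type ota_data_file, file_type, data_file_type, core_data_file_type;
# /data/ota_package
type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profiles
type user_profile_root_file, file_type, data_file_type, core_data_file_type;
type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profman
type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/prereboot
type prereboot_data_file, file_type, data_file_type, core_data_file_type;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
# /data/local - writable by shell
type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
# /data/property
type property_data_file, file_type, data_file_type, core_data_file_type;
# /data/bootchart
type bootchart_data_file, file_type, data_file_type, core_data_file_type;
# /data/system/dropbox
type dropbox_data_file, file_type, data_file_type, core_data_file_type;
# /data/system/heapdump
type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/nativetest
type nativetest_data_file, file_type, data_file_type, core_data_file_type;
# /data/local/tests
type shell_test_data_file, file_type, data_file_type, core_data_file_type;
# /data/system_de/0/ringtones
type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/preloads
type preloads_data_file, file_type, data_file_type, core_data_file_type;
# /data/preloads/media
type preloads_media_file, file_type, data_file_type, core_data_file_type;
# /data/misc/dhcp and /data/misc/dhcp-6.8.2
type dhcp_data_file, file_type, data_file_type, core_data_file_type;
# /data/server_configurable_flags
type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
# /data/app-staging
type staging_data_file, file_type, data_file_type, core_data_file_type;
# /vendor/apex
type vendor_apex_file, vendor_file_type, file_type;
# apex_manifest.pb in vendor apex
type vendor_apex_metadata_file, vendor_file_type, file_type;
# /data/system/shutdown-checkpoints
type shutdown_checkpoints_system_data_file, file_type, data_file_type, core_data_file_type;

# Mount locations managed by vold
type mnt_media_rw_file, file_type;
type mnt_user_file, file_type;
type mnt_pass_through_file, file_type;
type mnt_expand_file, file_type;
type mnt_sdcard_file, file_type;
type storage_file, file_type;

# Label for storage dirs which are just mount stubs
type mnt_media_rw_stub_file, file_type;
type storage_stub_file, file_type;

# Mount location for read-write vendor partitions.
type mnt_vendor_file, file_type;

# Mount location for read-write product partitions.
type mnt_product_file, file_type;

# Mount point used for APEX images
type apex_mnt_dir, file_type;

# /apex/apex-info-list.xml created by apexd
type apex_info_file, file_type;

# /postinstall: Mount point used by update_engine to run postinstall.
type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
type postinstall_file, file_type;
# /postinstall/apex: Mount point used for APEX images within /postinstall.
type postinstall_apex_mnt_dir, file_type;

# /data_mirror: Contains mirror directory for storing all apps data.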
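type mirror_data_file, file_type, core_data_file_type;

# /data/misc subdirectories
#
# NOTE(review): several types in the rest of this listing carry
# mlstrustedobject, which is declared outside it; in AOSP it marks types that
# can override MLS restrictions, so review any new use of it with care.
type adb_keys_file, file_type, data_file_type, core_data_file_type;
type apex_system_server_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_module_data_file, file_type, data_file_type, core_data_file_type;
type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
type appcompat_data_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
type bootstat_data_file, file_type, data_file_type, core_data_file_type;
type boottrace_data_file, file_type, data_file_type, core_data_file_type;
type camera_data_file, file_type, data_file_type, core_data_file_type;
type credstore_data_file, file_type, data_file_type, core_data_file_type;
type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
type incident_data_file, file_type, data_file_type, core_data_file_type;
type keychain_data_file, file_type, data_file_type, core_data_file_type;
type keystore_data_file, file_type, data_file_type, core_data_file_type;
type media_data_file, file_type, data_file_type, core_data_file_type;
type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type media_userdir_file, file_type, data_file_type, core_data_file_type;
type misc_user_data_file, file_type, data_file_type, core_data_file_type;
type net_data_file, file_type, data_file_type, core_data_file_type;
type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
type nfc_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
type nfc_logs_data_file, file_type, data_file_type, core_data_file_type;
type radio_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
type recovery_data_file, file_type, data_file_type, core_data_file_type;
type shared_relro_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type;
type stats_config_data_file, file_type, data_file_type, core_data_file_type;
type stats_data_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type vpn_data_file, file_type, data_file_type, core_data_file_type;
type wifi_data_file, file_type, data_file_type, core_data_file_type;
type vold_data_file, file_type, data_file_type, core_data_file_type;
type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
type snapuserd_log_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type gsi_data_file, file_type, data_file_type, core_data_file_type;
type radio_core_data_file, file_type, data_file_type, core_data_file_type;

# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
# /data/data subdirectories - priv-app sandboxes
type privapp_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
# /data/data subdirectory for system UID apps.
type system_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4.
# Default type for anything under /cache
type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for /cache/overlay /mnt/scratch/overlay
type overlayfs_file, file_type, data_file_type, core_data_file_type;
# Type for /cache/backup_stage/* (fd interchange with apps)
type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for anything under /cache/backup (local transport storage)
type cache_private_backup_file, file_type, data_file_type, core_data_file_type;
# Type for anything under /cache/recovery
type cache_recovery_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Default type for anything under /efs
type efs_file, file_type;
# Type for wallpaper file.
type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for shortcut manager icon file.
type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for user icon file.
type icon_file, file_type, data_file_type, core_data_file_type;
# /mnt/asec
type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Elements of asec files (/mnt/asec) that are world readable
type asec_public_file, file_type, data_file_type, core_data_file_type;
# /data/app-asec
type asec_image_file, file_type, data_file_type, core_data_file_type;
# /data/backup and /data/secure/backup
type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# All devices have bluetooth efs files. But they
# vary per device, so this type is used in per
# device policy
type bluetooth_efs_file, file_type;
# Type for fingerprint template file
type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
# Type for _new_ fingerprint template file
type fingerprint_vendor_data_file, file_type, data_file_type;
# Type for appfuse file.
type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for face template file
type face_vendor_data_file, file_type, data_file_type;
# Type for iris template file
type iris_vendor_data_file, file_type, data_file_type;

# Socket types
#
# Most entries carry coredomain_socket; rild_socket, rild_debug_socket,
# wpa_socket and tombstoned_java_trace_socket do not.
type adbd_socket, file_type, coredomain_socket;
type bluetooth_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
type dumpstate_socket, file_type, coredomain_socket;
type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
type lmkd_socket, file_type, coredomain_socket;
type logd_socket, file_type, coredomain_socket, mlstrustedobject;
type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
type mdns_socket, file_type, coredomain_socket;
type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
type mtpd_socket, file_type, coredomain_socket;
type ot_daemon_socket, file_type, coredomain_socket;
type property_socket, file_type, coredomain_socket, mlstrustedobject;
type racoon_socket, file_type, coredomain_socket;
type recovery_socket, file_type, coredomain_socket;
type rild_socket, file_type;
type rild_debug_socket, file_type;
type snapuserd_socket, file_type, coredomain_socket;
type snapuserd_proxy_socket, file_type, coredomain_socket;
type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
type system_unsolzygote_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
type tombstoned_intercept_socket, file_type, coredomain_socket;
type traced_consumer_socket, file_type, coredomain_socket, mlstrustedobject;
type traced_perf_socket, file_type, coredomain_socket, mlstrustedobject;
type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
type uncrypt_socket, file_type, coredomain_socket;
type wpa_socket, file_type, data_file_type, core_data_file_type;
type zygote_socket, file_type, coredomain_socket;
type heapprofd_socket, file_type, coredomain_socket, mlstrustedobject;
# UART (for GPS) control proc file
type gps_control, file_type;

# PDX endpoint types
type pdx_display_dir, pdx_endpoint_dir_type, file_type;
type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;

# pdx_service_socket_types is a macro defined outside this listing; each call
# pairs a PDX service name with the endpoint directory type declared above.
pdx_service_socket_types(display_client, pdx_display_dir)
pdx_service_socket_types(display_manager, pdx_display_dir)
pdx_service_socket_types(display_screenshot, pdx_display_dir)
pdx_service_socket_types(display_vsync, pdx_display_dir)
pdx_service_socket_types(performance_client, pdx_performance_dir)
pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)

# file_contexts files
type file_contexts_file, system_file_type, file_type;

# mac_permissions file
type mac_perms_file, system_file_type, file_type;

# property_contexts file
type property_contexts_file, system_file_type, file_type;
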
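# seapp_contexts file
type seapp_contexts_file, system_file_type, file_type;

# sepolicy files binary and others
type sepolicy_file, system_file_type, file_type;

# service_contexts file
type service_contexts_file, system_file_type, file_type;

# keystore2_key_contexts_file
type keystore2_key_contexts_file, system_file_type, file_type;

# vendor service_contexts file
type vendor_service_contexts_file, vendor_file_type, file_type;

# hwservice_contexts file
type hwservice_contexts_file, system_file_type, file_type;

# vndservice_contexts file
# NOTE(review): unlike the other *_contexts_file types here, this one carries
# neither system_file_type nor vendor_file_type; confirm that is intended.
type vndservice_contexts_file, file_type;

# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;

# kernel modules
type vendor_kernel_modules, vendor_file_type, file_type;

# system_dlkm
type system_dlkm_file, system_dlkm_file_type, file_type;

# Allow files to be created in their appropriate filesystems.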
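# filesystem:associate rules: each one lets objects labeled with the source
# type exist on a filesystem labeled with the target type.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
allow cgroup_v2 tmpfs:filesystem associate;
allow cgroup_rc_file tmpfs:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
allow postinstall_file self:filesystem associate;
allow proc_net proc:filesystem associate;

# asanwrapper (run a sanitized app_process, to be used with wrap properties)
# The type is declared only through the with_asan() wrapper.
with_asan(`type asanwrapper_exec, exec_type, file_type;')

# Deprecated in SDK version 28
type audiohal_data_file, file_type, data_file_type, core_data_file_type;

# It's a bug to assign both the file_type attribute and the fs_type attribute
# to the same type. Do not allow it.
#
# For example, the following is a bug:
# type apk_data_file, file_type, data_file_type, fs_type;
# Should be:
# type apk_data_file, file_type, data_file_type;
#
# The check relies on "allow fs_type self:filesystem associate" above: for a
# type carrying both attributes, that self rule would be an fs_type source
# associating with a file_type target, which this neverallow rejects.
neverallow fs_type file_type:filesystem associate;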