# All types must be defined regardless of build variant to ensure
# policy compilation succeeds with userdebug/user combination at boot
type su, domain;

# File types must be defined for file_contexts.
type su_exec, system_file_type, exec_type, file_type;

userdebug_or_eng(`
  # Domain used for su processes, as well as for adbd and adb shell
  # after performing an adb root command. The domain definition is
  # wrapped to ensure that it does not exist at all on -user builds.
  typeattribute su mlstrustedsubject;

  # Add su to various domains
  net_domain(su)

  # grant su access to vndbinder
  vndbinder_use(su)

  dontaudit su self:capability_class_set *;
  dontaudit su kernel:security *;
  dontaudit su { kernel file_type }:system *;
  dontaudit su self:memprotect *;
  dontaudit su domain:{ process process2 } *;
  dontaudit su domain:fd *;
  dontaudit su domain:dir *;
  dontaudit su domain:lnk_file *;
  dontaudit su domain:{ fifo_file file } *;
  dontaudit su domain:socket_class_set *;
  dontaudit su domain:ipc_class_set *;
  dontaudit su domain:key *;
  dontaudit su fs_type:filesystem *;
  dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
  dontaudit su node_type:node *;
  dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
  dontaudit su netif_type:netif *;
  dontaudit su port_type:socket_class_set *;
  dontaudit su port_type:{ tcp_socket dccp_socket } *;
  dontaudit su domain:peer *;
  dontaudit su domain:binder *;
  dontaudit su property_type:property_service *;
  dontaudit su property_type:file *;
  dontaudit su service_manager_type:service_manager *;
  dontaudit su hwservice_manager_type:hwservice_manager *;
  dontaudit su vndservice_manager_type:service_manager *;
  dontaudit su servicemanager:service_manager list;
  dontaudit su hwservicemanager:hwservice_manager list;
  dontaudit su vndservicemanager:service_manager list;
  dontaudit su keystore:keystore_key *;
  dontaudit su domain:drmservice *;
  dontaudit su unlabeled:filesystem *;
  dontaudit su postinstall_file:filesystem *;
  dontaudit su domain:bpf *;
  dontaudit su unlabeled:vsock_socket *;

  # VTS tests run in the permissive su domain on debug builds, but the HALs
  # being tested run in enforcing mode. Because hal_foo_server is enforcing
  # su needs to be declared as hal_foo_client to grant hal_foo_server
  # permission to interact with it.
  typeattribute su halclientdomain;
  typeattribute su hal_allocator_client;
  typeattribute su hal_atrace_client;
  typeattribute su hal_audio_client;
  typeattribute su hal_authsecret_client;
  typeattribute su hal_bluetooth_client;
  typeattribute su hal_bootctl_client;
  typeattribute su hal_camera_client;
  typeattribute su hal_configstore_client;
  typeattribute su hal_confirmationui_client;
  typeattribute su hal_contexthub_client;
  typeattribute su hal_drm_client;
  typeattribute su hal_cas_client;
  typeattribute su hal_dumpstate_client;
  typeattribute su hal_fingerprint_client;
  typeattribute su hal_gatekeeper_client;
  typeattribute su hal_gnss_client;
  typeattribute su hal_graphics_allocator_client;
  typeattribute su hal_graphics_composer_client;
  typeattribute su hal_health_client;
  typeattribute su hal_input_classifier_client;
  typeattribute su hal_ir_client;
  typeattribute su hal_keymaster_client;
  typeattribute su hal_light_client;
  typeattribute su hal_memtrack_client;
  typeattribute su hal_neuralnetworks_client;
  typeattribute su hal_nfc_client;
  typeattribute su hal_oemlock_client;
  typeattribute su hal_power_client;
  typeattribute su hal_secure_element_client;
  typeattribute su hal_sensors_client;
  typeattribute su hal_telephony_client;
  typeattribute su hal_tetheroffload_client;
  typeattribute su hal_thermal_client;
  typeattribute su hal_tv_cec_client;
  typeattribute su hal_tv_input_client;
  typeattribute su hal_usb_client;
  typeattribute su hal_vibrator_client;
  typeattribute su hal_vr_client;
  typeattribute su hal_weaver_client;
  typeattribute su hal_wifi_client;
  typeattribute su hal_wifi_hostapd_client;
  typeattribute su hal_wifi_offload_client;
  typeattribute su hal_wifi_supplicant_client;
')