######################################
# Attribute declarations
#
# Attributes group SELinux types so that allow/neverallow rules elsewhere in
# the policy can refer to a whole class of types or domains at once. Several
# attributes below are mirrored by assertion tables in tools/checkfc.c; the
# per-attribute comments say which ones must be kept in sync.
#
# "expandattribute <attr> false" tells the policy compiler to keep the
# attribute itself in the compiled policy instead of replacing it with its
# member types; "true" forces that expansion.

# All types used for devices.
# On change, update CHECK_FC_ASSERT_ATTRS
# in tools/checkfc.c
attribute dev_type;

# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
attribute bdev_type;

# Attribute for all bpf filesystem subtypes.
attribute bpffs_type;

# All types used for processes.
attribute domain;

# All types used for filesystems.
# On change, update CHECK_FC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute fs_type;

# All types used for context= mounts.
attribute contextmount_type;

# All types referencing a FUSE filesystem.
# When mounting a new FUSE filesystem, the fscontext= option should be used to
# set a domain-specific type with this attribute. See app_fusefs for an
# example.
attribute fusefs_type;

# All types used for files that can exist on a labeled fs.
# Do not use for pseudo file types.
# On change, update CHECK_FC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute file_type;

# All types used for domain entry points.
attribute exec_type;

# All types used for /data files.
attribute data_file_type;
expandattribute data_file_type false;
# All types in /data, not in /data/vendor
attribute core_data_file_type;
expandattribute core_data_file_type false;

# All types used for app private data files in seapp_contexts.
# Such types should not be applied to any other files.
attribute app_data_file_type;
expandattribute app_data_file_type false;

# All types in /system
attribute system_file_type;

# All types in /system_dlkm
attribute system_dlkm_file_type;

# All types in /vendor
attribute vendor_file_type;

# All types used for procfs files.
attribute proc_type;
expandattribute proc_type false;

# Types in /proc/net, excluding qtaguid types.
# TODO(b/9496886) Lock down access to /proc/net.
# This attribute is used to audit access to proc_net. It is temporary and will
# be removed.
attribute proc_net_type;
expandattribute proc_net_type true;

# All types used for sysfs files.
attribute sysfs_type;

# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
attribute sysfs_block_type;

# All types used for debugfs files.
attribute debugfs_type;

# All types used for tracefs files.
attribute tracefs_type;

# Attribute used for all sdcards
attribute sdcard_type;

# All types used for nodes/hosts.
attribute node_type;

# All types used for network interfaces.
attribute netif_type;

# All types used for network ports.
attribute port_type;

# All types used for property service
# On change, update CHECK_PC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute property_type;

# All properties defined in core SELinux policy. Should not be
# used by device specific properties
attribute core_property_type;

# All properties used to configure log filtering.
attribute log_property_type;

# All properties that are not specific to device but are added from
# outside of AOSP. (e.g. OEM-specific properties)
# These properties are not accessible from device-specific domains
attribute extended_core_property_type;

# Properties used for representing ownership. All properties should have one
# of: system_property_type, product_property_type, or vendor_property_type.
# The internal/restricted/public split below narrows who may write (and, for
# internal, who may read) a property based on which partition defined it.

# All properties defined by /system.
attribute system_property_type;
expandattribute system_property_type false;

# All /system-defined properties used only in /system.
attribute system_internal_property_type;
expandattribute system_internal_property_type false;

# All /system-defined properties which can't be written outside /system.
attribute system_restricted_property_type;
expandattribute system_restricted_property_type false;

# All /system-defined properties with no restrictions.
attribute system_public_property_type;
expandattribute system_public_property_type false;

# All keystore2_key labels.
attribute keystore2_key_type;

# All properties defined by /product.
# Currently there are no enforcements between /system and /product, so for now
# /product attributes are just replaced by /system attributes.
# These are m4 macros, not attribute declarations: every product_*_property_type
# reference in the policy is rewritten to the matching system_* attribute, so
# /product properties currently get exactly the /system rules.
define(`product_property_type', `system_property_type')
define(`product_internal_property_type', `system_internal_property_type')
define(`product_restricted_property_type', `system_restricted_property_type')
define(`product_public_property_type', `system_public_property_type')

# All properties defined by /vendor.
attribute vendor_property_type;
expandattribute vendor_property_type false;

# All /vendor-defined properties used only in /vendor.
attribute vendor_internal_property_type;
expandattribute vendor_internal_property_type false;

# All /vendor-defined properties which can't be written outside /vendor.
attribute vendor_restricted_property_type;
expandattribute vendor_restricted_property_type false;

# All /vendor-defined properties with no restrictions.
attribute vendor_public_property_type;
expandattribute vendor_public_property_type false;

# All service_manager types created by system_server
attribute system_server_service;

# services which should be available to all but isolated apps
attribute app_api_service;

# services which should be available to all ephemeral apps
attribute ephemeral_app_api_service;

# services which export only system_api
attribute system_api_service;

# services which are explicitly disallowed for untrusted apps to access
attribute protected_service;

# services which are served by vendor and also use the copy of libbinder on
# system (for instance via libbinder_ndk). services using a different copy
# of libbinder currently need their own context manager (e.g.
# vndservicemanager)
attribute vendor_service;

# All types used for services managed by servicemanager.
# On change, update CHECK_SC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute service_manager_type;

# All types used for services managed by hwservicemanager
attribute hwservice_manager_type;

# All HwBinder services guaranteed to be passthrough. These services always run
# in the process of their clients, and thus operate with the same access as
# their clients.
attribute same_process_hwservice;

# All HwBinder services guaranteed to be offered only by core domain components
attribute coredomain_hwservice;

# All HwBinder services that untrusted apps can't directly access
attribute protected_hwservice;

# All types used for services managed by vndservicemanager
attribute vndservice_manager_type;

# All services declared as part of an HAL
attribute hal_service_type;

# All domains that can override MLS restrictions.
# i.e. processes that can read up and write down.
# Membership bypasses the MLS category separation between subjects, so it
# should be granted only to domains that genuinely need to cross it.
attribute mlstrustedsubject;

# All types that can override MLS restrictions.
# i.e. files that can be read by lower and written by higher
attribute mlstrustedobject;

# All domains used for apps.
attribute appdomain;

# All third party apps (except isolated_app and ephemeral_app)
attribute untrusted_app_all;

# All domains used for apps with network access.
attribute netdomain;

# All domains used for apps with bluetooth access.
attribute bluetoothdomain;

# All domains used for binder service domains.
attribute binderservicedomain;

# All domains which have BPF access.
attribute bpfdomain;
expandattribute bpfdomain false;

# update_engine related domains that need to apply an update and run
# postinstall. This includes the background daemon and the sideload tool from
# recovery for A/B devices.
attribute update_engine_common;

# All core domains (as opposed to vendor/device-specific domains)
attribute coredomain;

# All vendor hwservices.
attribute vendor_hwservice_type;

# All socket devices owned by core domain components
attribute coredomain_socket;
expandattribute coredomain_socket false;

# The *_violators attributes below name explicit, tracked exemptions from the
# core/vendor separation requirements. Each is tied to a bug and is intended to
# be removed; membership should only shrink, and a domain should not be added
# to one without a corresponding tracking bug.

# All vendor domains which violate the requirement of not using sockets for
# communicating with core components
# TODO(b/36577153): Remove this once there are no violations
attribute socket_between_core_and_vendor_violators;
expandattribute socket_between_core_and_vendor_violators false;

# All vendor domains which violate the requirement of not executing
# system processes
# TODO(b/36463595)
attribute vendor_executes_system_violators;
expandattribute vendor_executes_system_violators false;

# All domains which violate the requirement of not sharing files by path
# between vendor and core domains.
# TODO(b/34980020)
attribute data_between_core_and_vendor_violators;
expandattribute data_between_core_and_vendor_violators false;

# All system domains which violate the requirement of not executing vendor
# binaries/libraries.
# TODO(b/62041836)
attribute system_executes_vendor_violators;
expandattribute system_executes_vendor_violators false;

# All system domains which violate the requirement of not writing vendor
# properties.
# TODO(b/78598545): Remove this once there are no violations
attribute system_writes_vendor_properties_violators;
expandattribute system_writes_vendor_properties_violators false;

# All system domains which violate the requirement of not writing to
# /mnt/vendor/*. Must not be used on devices launched with P or later.
attribute system_writes_mnt_vendor_violators;
expandattribute system_writes_mnt_vendor_violators false;

# hwservices that are accessible from untrusted applications
# WARNING: Use of this attribute should be avoided unless
# absolutely necessary. It is a temporary allowance to aid the
# transition to treble and will be removed in a future platform
# version, requiring all hwservices that are labeled with this
# attribute to be submitted to AOSP in order to maintain their
# app-visibility.
attribute untrusted_app_visible_hwservice_violators;
expandattribute untrusted_app_visible_hwservice_violators false;

# halserver domains that are accessible to untrusted applications. These
# domains are typically those hosting hwservices attributed by the
# untrusted_app_visible_hwservice_violators.
# WARNING: Use of this attribute should be avoided unless absolutely necessary.
# It is a temporary allowance to aid the transition to treble and will be
# removed in a future platform version, requiring all halserver domains that
# are labeled with this attribute to be submitted to AOSP in order to maintain
# their app-visibility.
attribute untrusted_app_visible_halserver_violators;
expandattribute untrusted_app_visible_halserver_violators false;

# PDX services
attribute pdx_endpoint_dir_type;
attribute pdx_endpoint_socket_type;
expandattribute pdx_endpoint_socket_type false;
attribute pdx_channel_socket_type;
expandattribute pdx_channel_socket_type false;

# Per-service PDX attribute sets; pdx_service_attributes is a macro defined
# elsewhere in the policy.
pdx_service_attributes(display_client)
pdx_service_attributes(display_manager)
pdx_service_attributes(display_screenshot)
pdx_service_attributes(display_vsync)
pdx_service_attributes(performance_client)
pdx_service_attributes(bufferhub_client)

# All HAL servers
attribute halserverdomain;
# All HAL clients
attribute halclientdomain;
expandattribute halclientdomain true;

# Exemption allowing halserverdomain to access sockets. Only builds for
# automotive device types are allowed to use this attribute (enforced by CTS).
# Unlike phone, in a car many modules are external from Android perspective and
# HALs should be able to communicate with those devices through sockets.
attribute hal_automotive_socket_exemption;

# HALs
# hal_attribute is a macro defined elsewhere in the policy; each invocation
# declares the attribute set for one HAL.
hal_attribute(allocator);
hal_attribute(atrace);
hal_attribute(audio);
hal_attribute(audiocontrol);
hal_attribute(authsecret);
hal_attribute(bluetooth);
hal_attribute(bootctl);
hal_attribute(broadcastradio);
hal_attribute(camera);
hal_attribute(can_bus);
hal_attribute(can_controller);
hal_attribute(cas);
hal_attribute(codec2);
hal_attribute(configstore);
hal_attribute(confirmationui);
hal_attribute(contexthub);
hal_attribute(dice);
hal_attribute(drm);
hal_attribute(dumpstate);
hal_attribute(evs);
hal_attribute(face);
hal_attribute(fingerprint);
hal_attribute(gatekeeper);
hal_attribute(gnss);
hal_attribute(graphics_allocator);
hal_attribute(graphics_composer);
hal_attribute(health);
hal_attribute(health_storage);
hal_attribute(identity);
hal_attribute(input_classifier);
hal_attribute(input_processor);
hal_attribute(ir);
hal_attribute(keymaster);
hal_attribute(keymint);
hal_attribute(light);
hal_attribute(lowpan);
hal_attribute(memtrack);
hal_attribute(neuralnetworks);
hal_attribute(nfc);
hal_attribute(nlinterceptor);
hal_attribute(oemlock);
hal_attribute(omx);
hal_attribute(power);
hal_attribute(power_stats);
hal_attribute(rebootescrow);
hal_attribute(secure_element);
hal_attribute(sensors);
hal_attribute(telephony);
hal_attribute(tetheroffload);
hal_attribute(thermal);
hal_attribute(tv_cec);
hal_attribute(tv_input);
hal_attribute(tv_tuner);
hal_attribute(usb);
hal_attribute(usb_gadget);
hal_attribute(uwb);
# TODO(b/196225233): Remove this attribute and its usages elsewhere
# once all chip vendors integrate to the new UWB stack.
hal_attribute(uwb_vendor);
hal_attribute(vehicle);
hal_attribute(vibrator);
hal_attribute(vr);
hal_attribute(weaver);
hal_attribute(wifi);
hal_attribute(wifi_hostapd);
hal_attribute(wifi_supplicant);

# HwBinder services offered across the core-vendor boundary
#
# We annotate server domains with x_server to loosen the coupling between
# system and vendor images. For example, it should be possible to move a service
# from one core domain to another, without having to update the vendor image
# which contains clients of this service.

attribute automotive_display_service_server;
attribute camera_service_server;
attribute display_service_server;
attribute evsmanager_service_server;
attribute scheduler_service_server;
attribute sensor_service_server;
attribute stats_service_server;
attribute system_suspend_internal_server;
attribute system_suspend_server;
attribute wifi_keystore_service_server;

# All types used for super partition block devices.
attribute super_block_device_type;

# All types used for DMA-BUF heaps
attribute dmabuf_heap_device_type;
expandattribute dmabuf_heap_device_type false;

# All types used for DSU metadata files.
attribute gsi_metadata_file_type;

# Types used for module-specific APEX data directories under
# /data/{misc,misc_ce,misc_de}/apexdata.
attribute apex_data_file_type;

# Domains used for charger.
# This is the common type for domains that execute charger's
# functionality, including setting and getting necessary properties,
# permissions to maintain the health loop, writing to kernel log, handling
# inputs and drawing screens, etc.
attribute charger_type;