1###################################### 2# Attribute declarations 3# 4 5# All types used for devices. 6# On change, update CHECK_FC_ASSERT_ATTRS 7# in tools/checkfc.c 8attribute dev_type; 9 10# Attribute for all bpf filesystem subtypes. 11attribute bpffs_type; 12 13# All types used for processes. 14attribute domain; 15 16# All types used for filesystems. 17# On change, update CHECK_FC_ASSERT_ATTRS 18# definition in tools/checkfc.c. 19attribute fs_type; 20 21# All types used for context= mounts. 22attribute contextmount_type; 23 24# All types referencing a FUSE filesystem. 25# When mounting a new FUSE filesystem, the fscontext= option should be used to 26# set a domain-specific type with this attribute. See app_fusefs for an 27# example. 28attribute fusefs_type; 29 30# All types used for files that can exist on a labeled fs. 31# Do not use for pseudo file types. 32# On change, update CHECK_FC_ASSERT_ATTRS 33# definition in tools/checkfc.c. 34attribute file_type; 35 36# All types used for domain entry points. 37attribute exec_type; 38 39# All types used for /data files. 40attribute data_file_type; 41expandattribute data_file_type false; 42# All types in /data, not in /data/vendor 43attribute core_data_file_type; 44expandattribute core_data_file_type false; 45 46# All types used for app private data files in seapp_contexts. 47# Such types should not be applied to any other files. 48attribute app_data_file_type; 49expandattribute app_data_file_type false; 50 51# All types in /system 52attribute system_file_type; 53 54# All types in /system_dlkm 55attribute system_dlkm_file_type; 56 57# All types in /vendor 58attribute vendor_file_type; 59 60# All types used for procfs files. 61attribute proc_type; 62expandattribute proc_type false; 63 64# Types in /proc/net, excluding qtaguid types. 65# TODO(b/9496886) Lock down access to /proc/net. 66# This attribute is used to audit access to proc_net. it is temporary and will 67# be removed. 68attribute proc_net_type; 69expandattribute proc_net_type true; 70 71# All types used for sysfs files. 72attribute sysfs_type; 73 74# All types use for debugfs files. 75attribute debugfs_type; 76 77# All types used for tracefs files. 78attribute tracefs_type; 79 80# Attribute used for all sdcards 81attribute sdcard_type; 82 83# All types used for nodes/hosts. 84attribute node_type; 85 86# All types used for network interfaces. 87attribute netif_type; 88 89# All types used for network ports. 90attribute port_type; 91 92# All types used for property service 93# On change, update CHECK_PC_ASSERT_ATTRS 94# definition in tools/checkfc.c. 95attribute property_type; 96 97# All properties defined in core SELinux policy. Should not be 98# used by device specific properties 99attribute core_property_type; 100 101# All properties used to configure log filtering. 102attribute log_property_type; 103 104# All properties that are not specific to device but are added from 105# outside of AOSP. (e.g. OEM-specific properties) 106# These properties are not accessible from device-specific domains 107attribute extended_core_property_type; 108 109# Properties used for representing ownership. All properties should have one 110# of: system_property_type, product_property_type, or vendor_property_type. 111 112# All properties defined by /system. 113attribute system_property_type; 114expandattribute system_property_type false; 115 116# All /system-defined properties used only in /system. 117attribute system_internal_property_type; 118expandattribute system_internal_property_type false; 119 120# All /system-defined properties which can't be written outside /system. 121attribute system_restricted_property_type; 122expandattribute system_restricted_property_type false; 123 124# All /system-defined properties with no restrictions. 125attribute system_public_property_type; 126expandattribute system_public_property_type false; 127 128# All keystore2_key labels. 129attribute keystore2_key_type; 130 131# All properties defined by /product. 132# Currently there are no enforcements between /system and /product, so for now 133# /product attributes are just replaced to /system attributes. 134define(`product_property_type', `system_property_type') 135define(`product_internal_property_type', `system_internal_property_type') 136define(`product_restricted_property_type', `system_restricted_property_type') 137define(`product_public_property_type', `system_public_property_type') 138 139# All properties defined by /vendor. 140attribute vendor_property_type; 141expandattribute vendor_property_type false; 142 143# All /vendor-defined properties used only in /vendor. 144attribute vendor_internal_property_type; 145expandattribute vendor_internal_property_type false; 146 147# All /vendor-defined properties which can't be written outside /vendor. 148attribute vendor_restricted_property_type; 149expandattribute vendor_restricted_property_type false; 150 151# All /vendor-defined properties with no restrictions. 152attribute vendor_public_property_type; 153expandattribute vendor_public_property_type false; 154 155# All service_manager types created by system_server 156attribute system_server_service; 157 158# services which should be available to all but isolated apps 159attribute app_api_service; 160 161# services which should be available to all ephemeral apps 162attribute ephemeral_app_api_service; 163 164# services which export only system_api 165attribute system_api_service; 166 167# services which are explicitly disallowed for untrusted apps to access 168attribute protected_service; 169 170# All types used for services managed by servicemanager. 171# On change, update CHECK_SC_ASSERT_ATTRS 172# definition in tools/checkfc.c. 173attribute service_manager_type; 174 175# All types used for services managed by hwservicemanager 176attribute hwservice_manager_type; 177 178# All HwBinder services guaranteed to be passthrough. These services always run 179# in the process of their clients, and thus operate with the same access as 180# their clients. 181attribute same_process_hwservice; 182 183# All HwBinder services guaranteed to be offered only by core domain components 184attribute coredomain_hwservice; 185 186# All HwBinder services that untrusted apps can't directly access 187attribute protected_hwservice; 188 189# All types used for services managed by vndservicemanager 190attribute vndservice_manager_type; 191 192# All services declared as part of an HAL 193attribute hal_service_type; 194 195# All domains that can override MLS restrictions. 196# i.e. processes that can read up and write down. 197attribute mlstrustedsubject; 198 199# All types that can override MLS restrictions. 200# i.e. files that can be read by lower and written by higher 201attribute mlstrustedobject; 202 203# All domains used for apps. 204attribute appdomain; 205 206# All third party apps (except isolated_app and ephemeral_app) 207attribute untrusted_app_all; 208 209# All apps with UID between AID_ISOLATED_START (99000) and AID_ISOLATED_END (99999). 210attribute isolated_app_all; 211 212# All service types that would be allowed for isolated_compute_app. 213attribute isolated_compute_allowed_service; 214 215# All device types that would be allowed for isolated_compute_app. 216attribute isolated_compute_allowed_device; 217 218# All domains used for apps with network access. 219attribute netdomain; 220 221# All domains used for apps with bluetooth access. 222attribute bluetoothdomain; 223 224# All domains used for binder service domains. 225attribute binderservicedomain; 226 227# All domains which have BPF access. 228attribute bpfdomain; 229expandattribute bpfdomain false; 230 231# update_engine related domains that need to apply an update and run 232# postinstall. This includes the background daemon and the sideload tool from 233# recovery for A/B devices. 234attribute update_engine_common; 235 236# All core domains (as opposed to vendor/device-specific domains) 237attribute coredomain; 238 239# All vendor hwservice. 240attribute vendor_hwservice_type; 241 242# All socket devices owned by core domain components 243attribute coredomain_socket; 244expandattribute coredomain_socket false; 245 246# All vendor domains which violate the requirement of not using sockets for 247# communicating with core components 248# TODO(b/36577153): Remove this once there are no violations 249attribute socket_between_core_and_vendor_violators; 250expandattribute socket_between_core_and_vendor_violators false; 251 252# All vendor domains which violate the requirement of not executing 253# system processes 254# TODO(b/36463595) 255attribute vendor_executes_system_violators; 256expandattribute vendor_executes_system_violators false; 257 258# All domains which violate the requirement of not sharing files by path 259# between between vendor and core domains. 260# TODO(b/34980020) 261attribute data_between_core_and_vendor_violators; 262expandattribute data_between_core_and_vendor_violators false; 263 264# All system domains which violate the requirement of not executing vendor 265# binaries/libraries. 266# TODO(b/62041836) 267attribute system_executes_vendor_violators; 268expandattribute system_executes_vendor_violators false; 269 270# All system domains which violate the requirement of not writing vendor 271# properties. 272# TODO(b/78598545): Remove this once there are no violations 273attribute system_writes_vendor_properties_violators; 274expandattribute system_writes_vendor_properties_violators false; 275 276# All system domains which violate the requirement of not writing to 277# /mnt/vendor/*. Must not be used on devices launched with P or later. 278attribute system_writes_mnt_vendor_violators; 279expandattribute system_writes_mnt_vendor_violators false; 280 281# hwservices that are accessible from untrusted applications 282# WARNING: Use of this attribute should be avoided unless 283# absolutely necessary. It is a temporary allowance to aid the 284# transition to treble and will be removed in a future platform 285# version, requiring all hwservices that are labeled with this 286# attribute to be submitted to AOSP in order to maintain their 287# app-visibility. 288attribute untrusted_app_visible_hwservice_violators; 289expandattribute untrusted_app_visible_hwservice_violators false; 290 291# halserver domains that are accessible to untrusted applications. These 292# domains are typically those hosting hwservices attributed by the 293# untrusted_app_visible_hwservice_violators. 294# WARNING: Use of this attribute should be avoided unless absolutely necessary. 295# It is a temporary allowance to aid the transition to treble and will be 296# removed in the future platform version, requiring all halserver domains that 297# are labeled with this attribute to be submitted to AOSP in order to maintain 298# their app-visibility. 299attribute untrusted_app_visible_halserver_violators; 300expandattribute untrusted_app_visible_halserver_violators false; 301 302# PDX services 303attribute pdx_endpoint_dir_type; 304attribute pdx_endpoint_socket_type; 305expandattribute pdx_endpoint_socket_type false; 306attribute pdx_channel_socket_type; 307expandattribute pdx_channel_socket_type false; 308 309pdx_service_attributes(display_client) 310pdx_service_attributes(display_manager) 311pdx_service_attributes(display_screenshot) 312pdx_service_attributes(display_vsync) 313pdx_service_attributes(performance_client) 314pdx_service_attributes(bufferhub_client) 315 316# All HAL servers 317attribute halserverdomain; 318# All HAL clients 319attribute halclientdomain; 320expandattribute halclientdomain true; 321 322# Exempt for halserverdomain to access sockets. Only builds for automotive 323# device types are allowed to use this attribute (enforced by CTS). 324# Unlike phone, in a car many modules are external from Android perspective and 325# HALs should be able to communicate with those devices through sockets. 326attribute hal_automotive_socket_exemption; 327 328# HALs 329hal_attribute(allocator); 330hal_attribute(atrace); 331hal_attribute(audio); 332hal_attribute(audiocontrol); 333hal_attribute(authsecret); 334hal_attribute(bluetooth); 335hal_attribute(bootctl); 336hal_attribute(broadcastradio); 337hal_attribute(camera); 338hal_attribute(can_bus); 339hal_attribute(can_controller); 340hal_attribute(cas); 341hal_attribute(codec2); 342hal_attribute(configstore); 343hal_attribute(confirmationui); 344hal_attribute(contexthub); 345hal_attribute(drm); 346hal_attribute(dumpstate); 347hal_attribute(evs); 348hal_attribute(face); 349hal_attribute(fastboot); 350hal_attribute(fingerprint); 351hal_attribute(gatekeeper); 352hal_attribute(gnss); 353hal_attribute(graphics_allocator); 354hal_attribute(graphics_composer); 355hal_attribute(health); 356hal_attribute(health_storage); 357hal_attribute(identity); 358hal_attribute(input_classifier); 359hal_attribute(input_processor); 360hal_attribute(ir); 361hal_attribute(ivn); 362hal_attribute(keymaster); 363hal_attribute(keymint); 364hal_attribute(light); 365hal_attribute(lowpan); 366hal_attribute(memtrack); 367hal_attribute(neuralnetworks); 368hal_attribute(nfc); 369hal_attribute(nlinterceptor); 370hal_attribute(oemlock); 371hal_attribute(omx); 372hal_attribute(power); 373hal_attribute(power_stats); 374hal_attribute(rebootescrow); 375hal_attribute(remoteaccess); 376hal_attribute(secure_element); 377hal_attribute(sensors); 378hal_attribute(telephony); 379hal_attribute(tetheroffload); 380hal_attribute(thermal); 381hal_attribute(tv_cec); 382hal_attribute(tv_hdmi_cec); 383hal_attribute(tv_hdmi_connection); 384hal_attribute(tv_hdmi_earc); 385hal_attribute(tv_input); 386hal_attribute(tv_tuner); 387hal_attribute(usb); 388hal_attribute(usb_gadget); 389hal_attribute(uwb); 390# TODO(b/196225233): Remove this attribute and its usages elsewhere 391# once all chip vendors integrate to the new UWB stack. 392hal_attribute(uwb_vendor); 393hal_attribute(vehicle); 394hal_attribute(vibrator); 395hal_attribute(vr); 396hal_attribute(weaver); 397hal_attribute(wifi); 398hal_attribute(wifi_hostapd); 399hal_attribute(wifi_supplicant); 400 401# HwBinder services offered across the core-vendor boundary 402# 403# We annotate server domains with x_server to loosen the coupling between 404# system and vendor images. For example, it should be possible to move a service 405# from one core domain to another, without having to update the vendor image 406# which contains clients of this service. 407 408attribute automotive_display_service_server; 409attribute camera_service_server; 410attribute display_service_server; 411attribute evsmanager_service_server; 412attribute remote_provisioning_service_server; 413attribute scheduler_service_server; 414attribute sensor_service_server; 415attribute stats_service_server; 416attribute system_suspend_internal_server; 417attribute system_suspend_server; 418attribute wifi_keystore_service_server; 419 420# All types used for super partition block devices. 421attribute super_block_device_type; 422 423# All types used for DMA-BUF heaps 424attribute dmabuf_heap_device_type; 425expandattribute dmabuf_heap_device_type false; 426 427# Types for VM managers 428attribute vm_manager_device_type; 429 430# All types used for DSU metadata files. 431attribute gsi_metadata_file_type; 432 433# Types used for module-specific APEX data directories under 434# /data/{misc,misc_ce,misc_de}/apexdata. 435attribute apex_data_file_type; 436 437# Domains used for charger. 438# This is the common type for domains that executes charger's 439# functionalities, including setting and getting necessary properties, 440# permissions to maintain the health loop, writing to kernel log, handling 441# inputs and drawing screens, etc. 442attribute charger_type; 443 444# All types of ART properties. 445attribute dalvik_config_prop_type; 446