xref: /aosp_15_r20/system/sepolicy/private/compat/30.0/30.0.compat.cil (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)
1;; complement CIL file for compatibility between ToT policy and 30.0 vendors.
2;; will be compiled along with other normal policy files, on 30.0 vendors.
3;;
4
;; vendordomain is declared here and populated with every type that is in
;; `domain` but not in `coredomain`.
5(typeattribute vendordomain)
6(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
7
8;; TODO: Once 30.0 is no longer supported for vendor images,
9;; mlsvendorcompat can be completely removed from the system policy.
;;
;; mlsvendorcompat is the intersection of appdomain and vendordomain.
;; The four rules below give every member of that set read, write, create,
;; rename and delete-level access (unlink for files; rmdir/remove_name for
;; dirs) to objects labelled app_data_file and privapp_data_file. The lists
;; contain no execute, link or relabelfrom/relabelto permissions.
;; NOTE(review): these are type-level grants with no per-app distinction
;; visible in this file; whatever separates one app's data from another's
;; (presumably MLS categories and DAC) is defined elsewhere -- confirm before
;; widening the attribute or the permission lists.
10(typeattributeset mlsvendorcompat (and appdomain vendordomain))
11(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
12(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
13(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
14(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
15
16;; permission for devices (older than S) where debugfs restriction doesn't apply.
;; Two helper attributes split debugfs_type by object kind:
;;   debugfs_file_type = debugfs_type members that are also file_type
;;   debugfs_fs_type   = debugfs_type members that are also fs_type
;; Rules later in this file use them to scope the debugfs grants for init and
;; vendor_init.
17(typeattribute debugfs_file_type)
18(typeattributeset debugfs_file_type (and debugfs_type file_type))
19(typeattribute debugfs_fs_type)
20(typeattributeset debugfs_fs_type (and debugfs_type fs_type))
21
;; dumpstate gets read-side file access (no write, append, create or unlink)
;; to three debugfs labels: debugfs, debugfs_mmc and debugfs_wakeup_sources.
22(allow dumpstate debugfs (file (ioctl read getattr lock map open watch watch_reads)))
23(allow dumpstate debugfs_mmc (file (ioctl read getattr lock map open watch watch_reads)))
24(allow dumpstate debugfs_wakeup_sources (file (ioctl read getattr lock map open watch watch_reads)))
;; auditallow grants nothing; it logs each permitted use of the listed
;; permissions. Only the generic debugfs label is audited here, so dumpstate
;; reads of debugfs_mmc and debugfs_wakeup_sources produce no audit record
;; from this file.
25(auditallow dumpstate debugfs (file (ioctl read getattr lock map open watch watch_reads)))
26
;; init: relabel objects away from the generic debugfs label (dir, file and
;; lnk_file) ...
27(allow init debugfs (dir (getattr relabelfrom)))
28(allow init debugfs (file (getattr relabelfrom)))
29(allow init debugfs (lnk_file (getattr relabelfrom)))
;; ... create, read, write and unlink files of any debugfs_file_type, and
;; mount/remount/unmount filesystems of any debugfs_fs_type ...
30(allow init debugfs_file_type (file (create getattr open read write setattr relabelfrom unlink map)))
31(allow init debugfs_fs_type (filesystem (mount remount unmount getattr relabelfrom associate quotamod quotaget watch)))
;; ... and relabel objects to any debugfs_type. Together with the relabelfrom
;; rules above this lets init move dirs, files and symlinks from the generic
;; debugfs label to a more specific debugfs_type label.
32(allow init debugfs_type (dir (getattr relabelto)))
33(allow init debugfs_type (file (getattr relabelto)))
34(allow init debugfs_type (lnk_file (getattr relabelto)))
35
;; system_server gets the same read-side permission set as dumpstate, limited
;; to files labelled debugfs_wakeup_sources.
36(allow system_server debugfs_wakeup_sources (file (ioctl read getattr lock map open watch watch_reads)))
37
;; vendor_init receives the same file permission set on debugfs_file_type
;; that init has (create/read/write/setattr/relabelfrom/unlink/map), so a
;; non-core init domain can create and modify debugfs files on these targets.
38(allow vendor_init debugfs_file_type (file (create getattr open read write setattr relabelfrom unlink map)))
;; NOTE(review): this rule uses object class `file` on debugfs_fs_type, which
;; this file defines as (and debugfs_type fs_type); init's rule on the same
;; attribute uses class `filesystem`. Confirm the class/attribute pairing is
;; intended and which objects it actually matches.
39(allow vendor_init debugfs_fs_type (file (open read setattr map)))
40