SE Android policy.

2dd4e51d · Stephen Smalley · 2dd4e51d · 2dd4e51d · 2dd4e51d · 2dd4e51d
Commit 2dd4e51d authored 13 years ago by Stephen Smalley
20 changed files
--- a/Android.mk
+++ b/Android.mk
+LOCAL_PATH:= $(call my-dir)
+include $(CLEAR_VARS)
+
+# SELinux policy version.
+# Must be <= /selinux/policyvers reported by the Android kernel.
+# Must be within the compatibility range reported by checkpolicy -V.
+POLICYVERS := 24
+
+MLS_SENS=1
+MLS_CATS=1024
+
+file := $(TARGET_ROOT_OUT)/policy.$(POLICYVERS)
+$(file) : $(LOCAL_PATH)/policy.$(POLICYVERS) | $(ACP)
+	$(transform-prebuilt-to-target)
+ALL_PREBUILT += $(file)
+$(INSTALLED_RAMDISK_TARGET): $(file)
+
+$(LOCAL_PATH)/policy.$(POLICYVERS): $(LOCAL_PATH)/policy.conf
+	checkpolicy -M -c $(POLICYVERS) -o $@ $<
+
+$(LOCAL_PATH)/policy.conf: $(wildcard $(addprefix $(LOCAL_PATH)/,security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te roles users ocontexts))
+	m4 -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -s $^ > $@
+
+file := $(TARGET_ROOT_OUT)/file_contexts
+$(file) : $(LOCAL_PATH)/file_contexts | $(ACP)
+	$(transform-prebuilt-to-target)
+ALL_PREBUILT += $(file)
+$(INSTALLED_RAMDISK_TARGET): $(file)
+
+file := $(TARGET_ROOT_OUT)/seapp_contexts
+$(file) : $(LOCAL_PATH)/seapp_contexts | $(ACP)
+	$(transform-prebuilt-to-target)
+ALL_PREBUILT += $(file)
+$(INSTALLED_RAMDISK_TARGET): $(file)
--- a/access_vectors
+++ b/access_vectors
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+	ioctl
+	read
+	write
+	create
+	getattr
+	setattr
+	lock
+	relabelfrom
+	relabelto
+	append
+	unlink
+	link
+	rename
+	execute
+	swapon
+	quotaon
+	mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+	ioctl
+	read
+	write
+	create
+	getattr
+	setattr
+	lock
+	relabelfrom
+	relabelto
+	append
+# socket-specific
+	bind
+	connect
+	listen
+	accept
+	getopt
+	setopt
+	shutdown
+	recvfrom
+	sendto
+	recv_msg
+	send_msg
+	name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+	create
+	destroy
+	getattr
+	setattr
+	read
+	write
+	associate
+	unix_read
+	unix_write
+}
+
+#
+#  Define a common prefix for userspace database object access vectors.
+#
+
+common database
+{
+	create
+	drop
+	getattr
+	setattr
+	relabelfrom
+	relabelto
+}
+
+#
+# Define a common prefix for pointer and keyboard access vectors.
+#
+
+common x_device
+{
+	getattr
+	setattr
+	use
+	read
+	write
+	getfocus
+	setfocus
+	bell
+	force_cursor
+	freeze
+	grab
+	manage
+	list_property
+	get_property
+	set_property
+	add
+	remove
+	create
+	destroy
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+	mount
+	remount
+	unmount
+	getattr
+	relabelfrom
+	relabelto
+	transition
+	associate
+	quotamod
+	quotaget
+}
+
+class dir
+inherits file
+{
+	add_name
+	remove_name
+	reparent
+	search
+	rmdir
+	open
+	audit_access
+	execmod
+}
+
+class file
+inherits file
+{
+	execute_no_trans
+	entrypoint
+	execmod
+	open
+	audit_access
+}
+
+class lnk_file
+inherits file
+{
+	open
+	audit_access
+	execmod
+}
+
+class chr_file
+inherits file
+{
+	execute_no_trans
+	entrypoint
+	execmod
+	open
+	audit_access
+}
+
+class blk_file
+inherits file
+{
+	open
+	audit_access
+	execmod
+}
+
+class sock_file
+inherits file
+{
+	open
+	audit_access
+	execmod
+}
+
+class fifo_file
+inherits file
+{
+	open
+	audit_access
+	execmod
+}
+
+class fd
+{
+	use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+	connectto
+	newconn
+	acceptfrom
+	node_bind
+	name_connect
+}
+
+class udp_socket
+inherits socket
+{
+	node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+	node_bind
+}
+
+class node
+{
+	tcp_recv
+	tcp_send
+	udp_recv
+	udp_send
+	rawip_recv
+	rawip_send
+	enforce_dest
+	dccp_recv
+	dccp_send
+	recvfrom
+	sendto
+}
+
+class netif
+{
+	tcp_recv
+	tcp_send
+	udp_recv
+	udp_send
+	rawip_recv
+	rawip_send
+	dccp_recv
+	dccp_send
+	ingress
+	egress
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+	connectto
+	newconn
+	acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+	fork
+	transition
+	sigchld # commonly granted from child to parent
+	sigkill # cannot be caught or ignored
+	sigstop # cannot be caught or ignored
+	signull # for kill(pid, 0)
+	signal  # all other signals
+	ptrace
+	getsched
+	setsched
+	getsession
+	getpgid
+	setpgid
+	getcap
+	setcap
+	share
+	getattr
+	setexec
+	setfscreate
+	noatsecure
+	siginh
+	setrlimit
+	rlimitinh
+	dyntransition
+	setcurrent
+	execmem
+	execstack
+	execheap
+	setkeycreate
+	setsockcreate
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+	enqueue
+}
+
+class msg
+{
+	send
+	receive
+}
+
+class shm
+inherits ipc
+{
+	lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+	compute_av
+	compute_create
+	compute_member
+	check_context
+	load_policy
+	compute_relabel
+	compute_user
+	setenforce     # was avc_toggle in system class
+	setbool
+	setsecparam
+	setcheckreqprot
+	read_policy
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+	ipc_info
+	syslog_read
+	syslog_mod
+	syslog_console
+	module_request
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+	# The capabilities are defined in include/linux/capability.h
+	# Capabilities >= 32 are defined in the capability2 class.
+	# Care should be taken to ensure that these are consistent with
+	# those definitions. (Order matters)
+
+	chown
+	dac_override
+	dac_read_search
+	fowner
+	fsetid
+	kill
+	setgid
+	setuid
+	setpcap
+	linux_immutable
+	net_bind_service
+	net_broadcast
+	net_admin
+	net_raw
+	ipc_lock
+	ipc_owner
+	sys_module
+	sys_rawio
+	sys_chroot
+	sys_ptrace
+	sys_pacct
+	sys_admin
+	sys_boot
+	sys_nice
+	sys_resource
+	sys_time
+	sys_tty_config
+	mknod
+	lease
+	audit_write
+	audit_control
+	setfcap
+}
+
+class capability2
+{
+	mac_override	# unused by SELinux
+	mac_admin	# unused by SELinux
+	syslog
+}
+
+#
+# Define the access vector interpretation for controlling
+# changes to passwd information.
+#
+class passwd
+{
+	passwd	# change another user passwd
+	chfn	# change another user finger info
+	chsh	# change another user shell
+	rootok  # pam_rootok check (skip auth)
+	crontab # crontab on another user
+}
+
+#
+# SE-X Windows stuff
+#
+class x_drawable
+{
+	create
+	destroy
+	read
+	write
+	blend
+	getattr
+	setattr
+	list_child
+	add_child
+	remove_child
+	list_property
+	get_property
+	set_property
+	manage
+	override
+	show
+	hide
+	send
+	receive
+}
+
+class x_screen
+{
+	getattr
+	setattr
+	hide_cursor
+	show_cursor
+	saver_getattr
+	saver_setattr
+	saver_hide
+	saver_show
+}
+
+class x_gc
+{
+	create
+	destroy
+	getattr
+	setattr
+	use
+}
+
+class x_font
+{
+	create
+	destroy
+	getattr
+	add_glyph
+	remove_glyph
+	use
+}
+
+class x_colormap
+{
+	create
+	destroy
+	read
+	write
+	getattr
+	add_color
+	remove_color
+	install
+	uninstall
+	use
+}
+
+class x_property
+{
+	create
+	destroy
+	read
+	write
+	append
+	getattr
+	setattr
+}
+
+class x_selection
+{
+	read
+	write
+	getattr
+	setattr
+}
+
+class x_cursor
+{
+	create
+	destroy
+	read
+	write
+	getattr
+	setattr
+	use
+}
+
+class x_client
+{
+	destroy
+	getattr
+	setattr
+	manage
+}
+
+class x_device
+inherits x_device
+
+class x_server
+{
+	getattr
+	setattr
+	record
+	debug
+	grab
+	manage
+}
+
+class x_extension
+{
+	query
+	use
+}
+
+class x_resource
+{
+	read
+	write
+}
+
+class x_event
+{
+	send
+	receive
+}
+
+class x_synthetic_event
+{
+	send
+	receive
+}
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_firewall_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+	nlmsg_relay
+	nlmsg_readpriv
+	nlmsg_tty_audit
+}
+
+class netlink_ip6fw_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access and communication through the D-BUS messaging
+# system.
+#
+class dbus
+{
+	acquire_svc
+	send_msg
+}
+
+# Define the access vector interpretation for controlling
+# access through the name service cache daemon (nscd).
+#
+class nscd
+{
+	getpwd
+	getgrp
+	gethost
+	getstat
+	admin
+	shmempwd
+	shmemgrp
+	shmemhost
+	getserv
+	shmemserv
+}
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+	sendto
+	recvfrom
+	setcontext
+	polmatch
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
+
+class appletalk_socket
+inherits socket
+
+class packet
+{
+	send
+	recv
+	relabelto
+	flow_in		# deprecated
+	flow_out	# deprecated
+	forward_in
+	forward_out
+}
+
+class key
+{
+	view
+	read
+	write
+	search
+	link
+	setattr
+	create
+}
+
+class context
+{
+	translate
+	contains
+}
+
+class dccp_socket
+inherits socket
+{
+	node_bind
+	name_connect
+}
+
+class memprotect
+{
+	mmap_zero
+}
+
+class db_database
+inherits database
+{
+	access
+	install_module
+	load_module
+	get_param	# deprecated
+	set_param	# deprecated
+}
+
+class db_table
+inherits database
+{
+	use		# deprecated
+	select
+	update
+	insert
+	delete
+	lock
+}
+
+class db_procedure
+inherits database
+{
+	execute
+	entrypoint
+	install
+}
+
+class db_column
+inherits database
+{
+	use		# deprecated
+	select
+	update
+	insert
+}
+
+class db_tuple
+{
+	relabelfrom
+	relabelto
+	use		# deprecated
+	select
+	update
+	insert
+	delete
+}
+
+class db_blob
+inherits database
+{
+	read
+	write
+	import
+	export
+}
+
+# network peer labels
+class peer
+{
+	recv
+}
+
+class x_application_data
+{
+	paste
+	paste_after_confirm
+	copy
+}
+
+class kernel_service
+{
+	use_as_override
+	create_files_as
+}
+
+class tun_socket
+inherits socket
+
+class x_pointer
+inherits x_device
+
+class x_keyboard
+inherits x_device
+
+class db_schema
+inherits database
+{
+	search
+	add_name
+	remove_name
+}
+
+class db_view
+inherits database
+{
+	expand
+}
+
+class db_sequence
+inherits database
+{
+	get_value
+	next_value
+	set_value
+}
+
+class db_language
+inherits database
+{
+	implement
+	execute
+}
+
+class binder
+{
+	impersonate
+	call
+	set_context_mgr
+	transfer
+	receive
+}
+
+class zygote
+{
+	specifyids
+	specifyrlimits
+	specifycapabilities
+	specifyinvokewith
+	specifyseinfo
+}
--- a/adbd.te
+++ b/adbd.te
+# adbd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type adbd, domain, mlstrustedsubject;
+allow adbd adb_device:chr_file rw_file_perms;
+allow adbd self:capability { net_raw setgid setuid dac_override sys_boot sys_admin };
+allow adbd rootfs:file entrypoint;
+allow adbd init:process sigchld;
+allow adbd self:tcp_socket *;
+allow adbd self:unix_stream_socket *;
+allow adbd node:tcp_socket node_bind;
+allow adbd port:tcp_socket name_bind;
+allow adbd devpts:chr_file rw_file_perms;
+allow adbd cgroup:dir { write add_name create };
+allow adbd labeledfs:filesystem remount;
+allow adbd shell_data_file:dir rw_dir_perms;
+allow adbd shell_data_file:file create_file_perms;
+allow adbd graphics_device:dir search;
+allow adbd graphics_device:chr_file r_file_perms;
+allow adbd log_device:chr_file r_file_perms;
+# XXX Run /system/bin/vdc to connect to vold.  Run in a separate domain?
+allow adbd system_file:file rx_file_perms;
+unix_socket_connect(adbd, vold, vold)
+# Talk to init via the property socket.
+unix_socket_connect(adbd, property, init)
+
+# Perform binder IPC to surfaceflinger (screencap)
+# XXX Run screencap in a separate domain?
+binder_use(adbd)
+binder_call(adbd, surfaceflinger)
--- a/app.te
+++ b/app.te
+#
+# Domains for apps that do not run with one of the predefined
+# platform UIDs (system, radio, nfc, ...).
+#
+
+#
+# Trusted apps.
+#
+type trusted_app, domain;
+app_domain(trusted_app)
+# Access the network.
+net_domain(trusted_app)
+# Access bluetooth.
+bluetooth_domain(trusted_app)
+# Read logs.
+allow trusted_app log_device:chr_file read;
+# Write to /cache.
+allow trusted_app cache_file:dir rw_dir_perms;
+allow trusted_app cache_file:file create_file_perms;
+# Read from /data/local.
+allow trusted_app shell_data_file:dir search;
+allow trusted_app shell_data_file:file { open getattr read };
+allow trusted_app shell_data_file:lnk_file read;
+# Access the sdcard.
+allow trusted_app sdcard:dir create_dir_perms;
+allow trusted_app sdcard:file create_file_perms;
+# Populate /data/app/vmdl*.tmp file created by system server.
+# It would be better if this was labeled differently.
+allow trusted_app apk_data_file:file write;
+# Perform binder IPC to any app domain.
+binder_call(trusted_app, appdomain)
+binder_transfer(trusted_app, appdomain)
+
+#
+# An example of a specific domain for a specific app
+# A domain for com.android.browser.
+type browser_app, domain;
+app_domain(browser_app)
+# Access the network.
+net_domain(browser_app)
+
+#
+# Untrusted apps.
+#
+type untrusted_app, domain;
+app_domain(untrusted_app)
+# Boolean-controlled options for untrusted apps.
+# Network access.
+bool app_network true;
+if (app_network) {
+# Cannot use net_domain within a conditional - type attribute.
+allow untrusted_app self:{ tcp_socket udp_socket } *;
+allow untrusted_app port_type:tcp_socket name_connect;
+allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;
+allow untrusted_app port_type:udp_socket name_bind;
+allow untrusted_app port_type:tcp_socket name_bind;
+unix_socket_connect(untrusted_app, dnsproxyd, netd)
+}
+# Bluetooth access.
+bool app_bluetooth false;
+if (app_bluetooth) {
+# No specific SELinux class for bluetooth sockets presently.
+allow untrusted_app self:socket *;
+}
+# SDCard rw access.
+bool app_sdcard_rw true;
+if (app_sdcard_rw) {
+allow untrusted_app sdcard:dir create_dir_perms;
+allow untrusted_app sdcard:file create_file_perms;
+}
+# Native app support.
+bool app_ndk false;
+if (app_ndk) {
+allow untrusted_app app_data_file:file execute;
+}
+
+#
+# Rules for all app domains.
+#
+
+# Receive and use open file descriptors inherited from zygote.
+allow appdomain zygote:fd use;
+
+# Read system properties managed by zygote.
+allow appdomain zygote_tmpfs:file read;
+
+# Notify zygote of death;
+allow appdomain zygote:process sigchld;
+
+# Communicate over a FIFO to system processes.
+allow appdomain system:fifo_file rw_file_perms;
+
+# App sandbox file accesses.
+allow appdomain app_data_file:dir create_dir_perms;
+allow appdomain app_data_file:notdevfile_class_set create_file_perms;
+
+# lib subdirectory of /data/data dir is system-owned.
+allow appdomain system_data_file:dir r_dir_perms;
+
+# Use the Binder.
+binder_use(appdomain)
+# Perform binder IPC to binder services.
+binder_call(appdomain, binderservicedomain)
+binder_transfer(appdomain, binderservicedomain)
+# Perform binder IPC to apps in the trusted_app domain.
+binder_call(appdomain, trusted_app)
+binder_transfer(appdomain, trusted_app)
--- a/attributes
+++ b/attributes
+######################################
+# Attribute declarations
+#
+
+# All types used for devices.
+attribute dev_type;
+
+# All types used for processes.
+attribute domain;
+
+# All types used for filesystems.
+attribute fs_type;
+
+# All types used for files that can exist on a labeled fs.
+# Do not use for pseudo file types.
+attribute file_type;
+
+# All types used for domain entry points.
+attribute exec_type;
+
+# All types used for /data files.
+attribute data_file_type;
+
+# All types use for sysfs files.
+attribute sysfs_type;
+
+# All types used for nodes/hosts.
+attribute node_type;
+
+# All types used for network interfaces.
+attribute netif_type;
+
+# All types used for network ports.
+attribute port_type;
+
+# All domains that can override MLS restrictions.
+# i.e. processes that can read up and write down.
+attribute mlstrustedsubject;
+
+# All types that can override MLS restrictions.
+# i.e. files that can be read by lower and written by higher
+attribute mlstrustedobject;
+
+# Domains that are allowed all permissions ("unconfined").
+attribute unconfineddomain;
+
+# All domains used for apps.
+attribute appdomain;
+
+# All domains used for apps with network access.
+attribute netdomain;
+
+# All domains used for apps with bluetooth access.
+attribute bluetoothdomain;
+
+# All domains used for binder service domains.
+attribute binderservicedomain;
--- a/bluetooth.te
+++ b/bluetooth.te
+# Domains that can create and use bluetooth sockets.
+# SELinux does not presently define a specific socket class for
+# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
+allow bluetoothdomain self:socket *;
--- a/bluetoothd.te
+++ b/bluetoothd.te
+# bluetoothd - bluetooth daemon
+type bluetoothd, domain;
+type bluetoothd_exec, exec_type, file_type;
+
+init_daemon_domain(bluetoothd)
+allow bluetoothd self:capability { setuid net_raw net_bind_service net_admin };
+allow bluetoothd self:socket *;
+allow bluetoothd bluetoothd_data_file:dir create_dir_perms;
+allow bluetoothd bluetoothd_data_file:file create_file_perms;
+unix_socket_connect(bluetoothd, dbus, dbusd)
--- a/cts.te
+++ b/cts.te
+#
+# Rules to allow the Android CTS to run.
+# Do not enable in production policy.
+#
+
+bool android_cts false;
+if (android_cts) {
+# Reads /proc/pid entries to check that no unexpected root
+# processes are running.
+allow appdomain domain:dir r_dir_perms;
+allow appdomain domain:{ file lnk_file } r_file_perms;
+
+# Will still fail when trying to read other app /proc/pid
+# entries due to MLS constraints.  Just silence the denials.
+dontaudit appdomain appdomain:dir r_dir_perms;
+dontaudit appdomain appdomain:file r_file_perms;
+
+# Walk the file tree, stat any file.
+allow appdomain file_type:dir r_dir_perms;
+allow appdomain fs_type:dir r_dir_perms;
+allow appdomain dev_type:dir r_dir_perms;
+allow appdomain file_type:dir_file_class_set getattr;
+allow appdomain dev_type:dir_file_class_set getattr;
+allow appdomain fs_type:dir_file_class_set getattr;
+
+# Execute the shell or other system executables.
+allow appdomain shell_exec:file rx_file_perms;
+allow appdomain system_file:file rx_file_perms;
+
+# Read routing information.
+allow netdomain self:netlink_route_socket { create read write nlmsg_read };
+
+# Tries to open /dev/alarm for writing but expects failure.
+dontaudit appdomain alarm_device:chr_file write;
+
+# Tries to create and use a netlink kobject uevent socket
+# to test for a vulnerable vold.
+dontaudit appdomain self:netlink_kobject_uevent_socket create;
+
+# Tries to override DAC restrictions but expects to fail.
+dontaudit shell self:capability dac_override;
+}
--- a/dbusd.te
+++ b/dbusd.te
+# dbus daemon
+type dbusd, domain;
+type dbusd_exec, exec_type, file_type;
+
+init_daemon_domain(dbusd)
+# Reads /proc/pid/cmdline of clients
+r_dir_file(dbusd, system)
+r_dir_file(dbusd, bluetoothd)
--- a/debuggerd.te
+++ b/debuggerd.te
+# debugger interface
+type debuggerd, domain;
+type debuggerd_exec, exec_type, file_type;
+
+init_daemon_domain(debuggerd)
+typeattribute debuggerd mlstrustedsubject;
+allow debuggerd self:capability { dac_override sys_ptrace chown kill };
+allow debuggerd domain:dir r_dir_perms;
+allow debuggerd domain:file r_file_perms;
+allow debuggerd domain:process ptrace;
+allow debuggerd tombstone_data_file:dir create_dir_perms;
+allow debuggerd tombstone_data_file:file create_file_perms;
+allow debuggerd domain:process { sigstop signal };
+allow debuggerd exec_type:file r_file_perms;
--- a/device.te
+++ b/device.te
+# Device types
+type device, dev_type, fs_type;
+type akm_device, dev_type;
+type accelerometer_device, dev_type;
+type alarm_device, dev_type, mlstrustedobject;
+type adb_device, dev_type;
+type ashmem_device, dev_type, mlstrustedobject;
+type audio_device, dev_type;
+type binder_device, dev_type, mlstrustedobject;
+type block_device, dev_type;
+type camera_device, dev_type;
+type dm_device, dev_type;
+type loop_device, dev_type;
+type radio_device, dev_type;
+type ram_device, dev_type;
+type console_device, dev_type;
+type cpuctl_device, dev_type;
+type full_device, dev_type;
+type graphics_device, dev_type;
+type input_device, dev_type;
+type kmem_device, dev_type;
+type log_device, dev_type, mlstrustedobject;
+type mtd_device, dev_type;
+type nfc_device, dev_type;
+type nv_device, dev_type, mlstrustedobject;
+type powervr_device, dev_type, mlstrustedobject;
+type ptmx_device, dev_type, mlstrustedobject;
+type qemu_device, dev_type;
+type kmsg_device, dev_type;
+type null_device, dev_type, mlstrustedobject;
+type random_device, dev_type;
+type serial_device, dev_type;
+type socket_device, dev_type;
+type tty_device, dev_type;
+type urandom_device, dev_type;
+type video_device, dev_type;
+type vcs_device, dev_type;
+type zero_device, dev_type;
--- a/domain.te
+++ b/domain.te
+# Rules for all domains.
+
+# Allow reaping by init.
+allow domain init:process sigchld;
+
+# binder adjusts the nice value during IPC.
+allow domain self:capability sys_nice;
+
+# Intra-domain accesses.
+allow domain self:process ~{ execstack execheap };
+allow domain self:fd use;
+allow domain self:dir r_dir_perms;
+allow domain self:lnk_file r_file_perms;
+allow domain self:{ fifo_file file } rw_file_perms;
+allow domain self:{ unix_dgram_socket unix_stream_socket } *;
+
+# Inherit or receive open files from others.
+allow domain init:fd use;
+allow domain system:fd use;
+
+# Connect to adbd and use a socket transferred from it.
+allow domain adbd:unix_stream_socket connectto;
+allow domain adbd:fd use;
+allow domain adbd:unix_stream_socket { getattr read write shutdown };
+
+# Talk to debuggerd.
+allow domain debuggerd:process sigchld;
+allow domain debuggerd:unix_stream_socket connectto;
+
+# Root fs.
+allow domain rootfs:dir r_dir_perms;
+allow domain rootfs:lnk_file read;
+
+# Device accesses.
+allow domain device:dir search;
+allow domain devpts:dir search;
+allow domain device:file read;
+allow domain socket_device:dir search;
+allow domain null_device:chr_file rw_file_perms;
+allow domain zero_device:chr_file r_file_perms;
+allow domain ashmem_device:chr_file rw_file_perms;
+allow domain binder_device:chr_file rw_file_perms;
+allow domain ptmx_device:chr_file rw_file_perms;
+allow domain powervr_device:chr_file rw_file_perms;
+allow domain log_device:dir search;
+allow domain log_device:chr_file w_file_perms;
+allow domain nv_device:chr_file rw_file_perms;
+allow domain alarm_device:chr_file r_file_perms;
+allow domain urandom_device:chr_file r_file_perms;
+
+# Filesystem accesses.
+allow domain fs_type:filesystem getattr;
+
+# System file accesses.
+allow domain system_file:dir r_dir_perms;
+allow domain system_file:file r_file_perms;
+allow domain system_file:file execute;
+allow domain system_file:lnk_file read;
+
+# Read files already opened under /data.
+allow domain system_data_file:dir { search getattr };
+allow domain system_data_file:file { getattr read };
+allow domain system_data_file:lnk_file read;
+
+# Read apk files under /data/app.
+allow domain apk_data_file:dir search;
+allow domain apk_data_file:file r_file_perms;
+
+# Read /data/dalvik-cache.
+allow domain dalvikcache_data_file:dir { search getattr };
+allow domain dalvikcache_data_file:file r_file_perms;
+
+# Read already opened /cache files.
+allow domain cache_file:dir r_dir_perms;
+allow domain cache_file:file { getattr read };
+allow domain cache_file:lnk_file read;
+
+# For /acct/uid/*/tasks.
+allow domain cgroup:dir search;
+allow domain cgroup:file w_file_perms;
+
+# For /sys/qemu_trace files in the emulator.
+bool in_qemu false;
+if (in_qemu) {
+allow domain sysfs:file rw_file_perms;
+}
+allow domain sysfs_writable:file rw_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(domain, proc)
+r_dir_file(domain, sysfs)
+r_dir_file(domain, inotify)
+r_dir_file(domain, cgroup)
+
+# Ignore /sys/kernel/debug
+dontaudit domain debugfs:dir search;
--- a/drmserver.te
+++ b/drmserver.te
+# drmserver - DRM service
+type drmserver, domain;
+type drmserver_exec, exec_type, file_type;
+
+init_daemon_domain(drmserver)
+typeattribute drmserver mlstrustedsubject;
+
+# Perform Binder IPC to system server.
+binder_use(drmserver)
+binder_call(drmserver, system)
--- a/file.te
+++ b/file.te
+# Filesystem types
+type labeledfs, fs_type;
+type pipefs, fs_type;
+type sockfs, fs_type;
+type rootfs, fs_type;
+type proc, fs_type;
+type selinuxfs, fs_type;
+type cgroup, fs_type, mlstrustedobject;
+type sysfs, fs_type, mlstrustedobject;
+type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
+type inotify, fs_type, mlstrustedobject;
+type devpts, fs_type;
+type tmpfs, fs_type;
+type shm, fs_type;
+type mqueue, fs_type;
+type sdcard, fs_type, mlstrustedobject;
+type debugfs, fs_type, mlstrustedobject;
+
+# File types
+type unlabeled, file_type;
+# Default type for anything under /system.
+type system_file, file_type;
+# Default type for anything under /data.
+type system_data_file, file_type, data_file_type;
+# /data/anr - ANR traces
+type anr_data_file, file_type, data_file_type;
+# /data/tombstones - core dumps
+type tombstone_data_file, file_type, data_file_type;
+# /data/app - user-installed apps
+type apk_data_file, file_type, data_file_type, mlstrustedobject;
+# /data/dalvik-cache
+type dalvikcache_data_file, file_type, data_file_type;
+# /data/local - writable by shell
+type shell_data_file, file_type, data_file_type;
+# /data/gps
+type gps_data_file, file_type, data_file_type;
+# /data/misc subdirectories
+type bluetoothd_data_file, file_type, data_file_type;
+type bluetooth_data_file, file_type, data_file_type;
+type keystore_data_file, file_type, data_file_type;
+type vpn_data_file, file_type, data_file_type;
+type systemkeys_data_file, file_type, data_file_type;
+type wifi_data_file, file_type, data_file_type;
+type radio_data_file, file_type, data_file_type;
+type nfc_data_file, file_type, data_file_type;
+# /data/data subdirectories - app sandboxes
+type app_data_file, file_type, data_file_type;
+# Default type for anything under /cache
+type cache_file, file_type, mlstrustedobject;
+# Default type for anything under /efs
+type efs_file, file_type;
+
+# Socket types
+type bluetooth_socket, file_type;
+type dbus_socket, file_type;
+type dnsproxyd_socket, file_type, mlstrustedobject;
+type gps_socket, file_type;
+type installd_socket, file_type;
+type keystore_socket, file_type;
+type netd_socket, file_type;
+type property_socket, file_type;
+type qemud_socket, file_type;
+type rild_socket, file_type;
+type rild_debug_socket, file_type;
+type system_wpa_socket, file_type;
+type vold_socket, file_type;
+type wpa_socket, file_type;
+type zygote_socket, file_type;
+
+# Allow files to be created in their appropriate filesystems.
+allow fs_type self:filesystem associate;
+allow sysfs_type sysfs:filesystem associate;
+allow file_type labeledfs:filesystem associate;
+allow file_type tmpfs:filesystem associate;
+allow dev_type tmpfs:filesystem associate;
--- a/file_contexts
+++ b/file_contexts
+###########################################
+# Root
+#
+# Nothing required since it is initramfs and implicitly labeled
+# by genfscon rootfs in ocontexts.
+#
+##########################
+# Devices
+#
+/dev(/.*)?		u:object_r:device:s0
+/dev/akm8973.*		u:object_r:akm_device:s0
+/dev/accelerometer	u:object_r:accelerometer_device:s0
+/dev/alarm		u:object_r:alarm_device:s0
+/dev/android_adb.*	u:object_r:adb_device:s0
+/dev/ashmem		u:object_r:ashmem_device:s0
+/dev/audio.*		u:object_r:audio_device:s0
+/dev/binder		u:object_r:binder_device:s0
+/dev/block(/.*)?	u:object_r:block_device:s0
+/dev/block/loop[0-9]*	u:object_r:loop_device:s0
+/dev/block/ram[0-9]*	u:object_r:ram_device:s0
+/dev/block/mtdblock5	u:object_r:radio_device:s0
+/dev/cam		u:object_r:camera_device:s0
+/dev/console		u:object_r:console_device:s0
+/dev/cpuctl(/.*)?	u:object_r:cpuctl_device:s0
+/dev/device-mapper	u:object_r:dm_device:s0
+/dev/full		u:object_r:full_device:s0
+/dev/graphics(/.*)?	u:object_r:graphics_device:s0
+/dev/input(/.*)		u:object_r:input_device:s0
+/dev/kmem		u:object_r:kmem_device:s0
+/dev/log(/.*)?		u:object_r:log_device:s0
+/dev/mem		u:object_r:kmem_device:s0
+/dev/modem.*		u:object_r:radio_device:s0
+/dev/mtd(/.*)?		u:object_r:mtd_device:s0
+/dev/mtd/mtd5		u:object_r:radio_device:s0
+/dev/mtd/mtd5ro		u:object_r:radio_device:s0
+/dev/pn544		u:object_r:nfc_device:s0
+/dev/ptmx		u:object_r:ptmx_device:s0
+/dev/pvrsrvkm		u:object_r:powervr_device:s0
+/dev/qemu_.*		u:object_r:qemu_device:s0
+/dev/kmsg		u:object_r:kmsg_device:s0
+/dev/null		u:object_r:null_device:s0
+/dev/nvhdcp1		u:object_r:video_device:s0
+/dev/nvmap		u:object_r:nv_device:s0
+/dev/nvhost-.*		u:object_r:nv_device:s0
+/dev/random		u:object_r:random_device:s0
+/dev/s3c-jpg		u:object_r:camera_device:s0
+/dev/s3c-mem		u:object_r:camera_device:s0
+/dev/s3c-mfc		u:object_r:graphics_device:s0
+/dev/snd(/.*)?		u:object_r:audio_device:s0
+/dev/socket		u:object_r:socket_device:s0
+/dev/socket/bluetooth	u:object_r:bluetooth_socket:s0
+/dev/socket/dbus_bluetooth	u:object_r:bluetooth_socket:s0
+/dev/socket/dbus	u:object_r:dbus_socket:s0
+/dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
+/dev/socket/installd	u:object_r:installd_socket:s0
+/dev/socket/keystore	u:object_r:keystore_socket:s0
+/dev/socket/netd	u:object_r:netd_socket:s0
+/dev/socket/property_service	u:object_r:property_socket:s0
+/dev/socket/qemud	u:object_r:qemud_socket:s0
+/dev/socket/rild	u:object_r:rild_socket:s0
+/dev/socket/rild-debug	u:object_r:rild_debug_socket:s0
+/dev/socket/vold	u:object_r:vold_socket:s0
+/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
+/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
+/dev/socket/zygote	u:object_r:zygote_socket:s0
+/dev/spdif_out.*	u:object_r:audio_device:s0
+/dev/tegra.*		u:object_r:video_device:s0
+/dev/tty[0-9]*		u:object_r:tty_device:s0
+/dev/ttyS[0-9]*		u:object_r:serial_device:s0
+/dev/uinput		u:object_r:input_device:s0
+/dev/urandom		u:object_r:urandom_device:s0
+/dev/vcs[0-9a-z]*	u:object_r:vcs_device:s0
+/dev/video[0-9]*	u:object_r:video_device:s0
+/dev/zero		u:object_r:zero_device:s0
+#############################
+# System files
+#
+/system(/.*)?		u:object_r:system_file:s0
+/system/bin/ash		u:object_r:shell_exec:s0
+/system/bin/mksh	u:object_r:shell_exec:s0
+/system/bin/sh		--	u:object_r:shell_exec:s0
+/system/bin/app_process	u:object_r:zygote_exec:s0
+/system/bin/servicemanager	u:object_r:servicemanager_exec:s0
+/system/bin/surfaceflinger	u:object_r:surfaceflinger_exec:s0
+/system/bin/drmserver	u:object_r:drmserver_exec:s0
+/system/bin/vold	u:object_r:vold_exec:s0
+/system/bin/netd	u:object_r:netd_exec:s0
+/system/bin/rild	u:object_r:rild_exec:s0
+/system/bin/mediaserver	u:object_r:mediaserver_exec:s0
+/system/bin/dbus-daemon	u:object_r:dbusd_exec:s0
+/system/bin/installd	u:object_r:installd_exec:s0
+/system/bin/keystore	u:object_r:keystore_exec:s0
+/system/bin/debuggerd	u:object_r:debuggerd_exec:s0
+/system/bin/bluetoothd	u:object_r:bluetoothd_exec:s0
+/system/bin/wpa_supplicant	u:object_r:wpa_exec:s0
+/system/bin/qemud	u:object_r:qemud_exec:s0
+/system/xbin/su		u:object_r:su_exec:s0
+/system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
+#############################
+# Data files
+#
+/data(/.*)?		u:object_r:system_data_file:s0
+/data/gps(/.*)?		u:object_r:gps_data_file:s0
+/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
+/data/anr(/.*)?		u:object_r:anr_data_file:s0
+/data/app(/.*)?		u:object_r:apk_data_file:s0
+/data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
+/data/local(/.*)?	u:object_r:shell_data_file:s0
+# Misc data
+/data/misc/bluetoothd(/.*)?	u:object_r:bluetoothd_data_file:s0
+/data/misc/bluetooth(/.*)?	u:object_r:bluetooth_data_file:s0
+/data/misc/keystore(/.*)?	u:object_r:keystore_data_file:s0
+/data/misc/vpn(/.*)?		u:object_r:vpn_data_file:s0
+/data/misc/systemkeys(/.*)?	u:object_r:systemkeys_data_file:s0
+/data/misc/wifi(/.*)?		u:object_r:wifi_data_file:s0
+# App sandboxes
+/data/data/.*		u:object_r:app_data_file:s0
+#############################
+# efs files
+#
+/efs(/.*)?		u:object_r:efs_file:s0
+#############################
+# Cache files
+#
+/cache(/.*)?		u:object_r:cache_file:s0
+#############################
+# sysfs files
+#
+/sys/qemu_trace/process_name	--	u:object_r:sysfs_writable:s0
--- a/global_macros
+++ b/global_macros
+#####################################
+# Common groupings of object classes.
+#
+define(`capability_class_set', `{ capability capability2 }')
+
+define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
+define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
+define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
+define(`devfile_class_set', `{ chr_file blk_file }')
+
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
+
+define(`ipc_class_set', `{ sem msgq shm ipc }')
+
+#####################################
+# Common groupings of permissions.
+#
+define(`x_file_perms', `{ getattr execute execute_no_trans }')
+define(`r_file_perms', `{ getattr open read ioctl lock }')
+define(`w_file_perms', `{ open append write }')
+define(`rx_file_perms', `{ r_file_perms x_file_perms }')
+define(`ra_file_perms', `{ r_file_perms append }')
+define(`rw_file_perms', `{ r_file_perms w_file_perms }')
+define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
+define(`link_file_perms', `{ getattr link unlink rename }')
+define(`create_file_perms', `{ create setattr rw_file_perms link_file_perms }')
+
+define(`r_dir_perms', `{ open getattr read search ioctl }')
+define(`w_dir_perms', `{ open search write add_name remove_name }')
+define(`ra_dir_perms', `{ r_dir_perms add_name write }')
+define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
+define(`create_dir_perms', `{ create reparent rmdir setattr rw_dir_perms link_file_perms }')
+
+define(`r_ipc_perms', `{ getattr read associate unix_read }')
+define(`w_ipc_perms', `{ write unix_write }')
+define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }')
+define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
--- a/gpsd.te
+++ b/gpsd.te
+# gpsd - GPS daemon
+type gpsd, domain;
+type gpsd_exec, exec_type, file_type;
+
+init_daemon_domain(gpsd)
+net_domain(gpsd)
+allow gpsd gps_data_file:dir rw_dir_perms;
+allow gpsd gps_data_file:notdevfile_class_set create_file_perms;
+# Socket is created by the daemon, not by init, and under /data/gps,
+# not under /dev/socket.
+type_transition gpsd gps_data_file:sock_file gps_socket;
+allow gpsd gps_socket:sock_file create_file_perms;
+# XXX Label sysfs files with a specific type?
+allow gpsd sysfs:file rw_file_perms;
--- a/init.te
+++ b/init.te
+# init switches to init domain (via init.rc).
+type init, domain;
+# init is unconfined.
+unconfined_domain(init)
+tmpfs_domain(init)
--- a/initial_sids
+++ b/initial_sids
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+sid security
+sid unlabeled
+sid fs
+sid file
+sid file_labels
+sid init
+sid any_socket
+sid port
+sid netif
+sid netmsg
+sid node
+sid igmp_packet
+sid icmp_socket
+sid tcp_socket
+sid sysctl_modprobe
+sid sysctl
+sid sysctl_fs
+sid sysctl_kernel
+sid sysctl_net
+sid sysctl_net_unix
+sid sysctl_vm
+sid sysctl_dev
+sid kmod
+sid policy
+sid scmp_packet
+sid devnull
+
+# FLASK
--- a/installd.te
+++ b/installd.te
+# installer daemon
+type installd, domain;
+type installd_exec, exec_type, file_type;
+
+init_daemon_domain(installd)
+typeattribute installd mlstrustedsubject;
+allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
+allow installd system_data_file:file create_file_perms;
+allow installd system_data_file:lnk_file create;
+allow installd dalvikcache_data_file:file create_file_perms;
+allow installd data_file_type:dir create_dir_perms;
+allow installd data_file_type:dir { relabelfrom relabelto };
+allow installd data_file_type:file { getattr unlink };
+allow installd apk_data_file:file r_file_perms;
+allow installd system_file:file x_file_perms;
+allow installd cgroup:dir create_dir_perms;
+dontaudit installd self:capability sys_admin;
+# Check validity of SELinux context before use.
+selinux_check_context(installd)
+# Read /seapp_contexts, presently on the rootfs.
+allow installd rootfs:file r_file_perms;