  • # rules removed from the domain attribute
    
    
    # Search /storage/emulated tmpfs mount.
    # Here installd is carved out of the allow itself rather than only out
    # of the audit set below.
    allow { domain_deprecated -installd } tmpfs:dir r_dir_perms;

    # auditallow logs each *granted* access from a domain_deprecated member
    # that is not on the exclusion list; the listed domains are presumably the
    # already-known users of this rule (confirm against their own .te files).
    auditallow {
      domain_deprecated -appdomain -sdcardd -surfaceflinger -system_server
      -vold -zygote
    } tmpfs:dir r_dir_perms;

    # Root fs. file and lnk_file carry the same permission set, so they are
    # granted in one rule.
    allow domain_deprecated rootfs:dir r_dir_perms;
    allow domain_deprecated rootfs:{ file lnk_file } r_file_perms;
    
    # rootfs audit. The exclusion lists differ per object class: fsck is only
    # carved out of the dir rule, appdomain only out of the lnk_file rule.
    # A permission noted as "granted in domain" is allowed to every domain
    # elsewhere and is therefore left out of the audited set.
    auditallow {
      domain_deprecated -fsck -healthd -installd -servicemanager
      -system_server -ueventd -uncrypt -vold -zygote
    } rootfs:dir { open getattr read ioctl lock }; # search granted in domain

    auditallow {
      domain_deprecated -healthd -installd -servicemanager
      -system_server -ueventd -uncrypt -vold -zygote
    } rootfs:file r_file_perms;

    auditallow {
      domain_deprecated -appdomain -healthd -installd -servicemanager
      -system_server -ueventd -uncrypt -vold -zygote
    } rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
    
    
    # System file accesses.
    allow domain_deprecated system_file:dir r_dir_perms;
    allow domain_deprecated system_file:file r_file_perms;

    # Audit remaining users. Only the permissions not already granted to all
    # of domain are audited (see the trailing comments); keystore,
    # update_engine and vold are excluded for dir but not for file.
    auditallow {
      domain_deprecated -appdomain -keystore -rild -surfaceflinger
      -system_server -update_engine -vold -zygote
    } system_file:dir { open read ioctl lock }; # search getattr in domain

    auditallow {
      domain_deprecated -appdomain -rild -surfaceflinger -system_server -zygote
    } system_file:file { ioctl lock }; # read open getattr in domain
    
    
    # Read files already opened under /data.
    # Note the file rule grants only { getattr read } (no open), i.e. read
    # of an already-open descriptor, while lnk_file gets full r_file_perms.
    allow domain_deprecated system_data_file:file { getattr read };
    allow domain_deprecated system_data_file:lnk_file r_file_perms;

    # sdcardd is excluded from the file audit only.
    auditallow {
      domain_deprecated -appdomain -sdcardd -system_server -tee
    } system_data_file:file { getattr read };

    auditallow {
      domain_deprecated -appdomain -system_server -tee
    } system_data_file:lnk_file r_file_perms;
    
    
    # Read apk files under /data/app.
    # dir is limited to traversal ({ getattr search }, no listing);
    # file and lnk_file share r_file_perms and are granted together.
    allow domain_deprecated apk_data_file:dir { getattr search };
    allow domain_deprecated apk_data_file:{ file lnk_file } r_file_perms;

    # All three classes use the same exclusion set, so file and lnk_file are
    # audited by one rule.
    auditallow {
      domain_deprecated -appdomain -dex2oat -installd -system_server
    } apk_data_file:dir { getattr search };

    auditallow {
      domain_deprecated -appdomain -dex2oat -installd -system_server
    } apk_data_file:{ file lnk_file } r_file_perms;
    
    
    # Read already opened /cache files.
    allow domain_deprecated cache_file:dir r_dir_perms;
    allow domain_deprecated cache_file:file { getattr read }; # no open
    allow domain_deprecated cache_file:lnk_file r_file_perms;

    # dir is audited in two pieces so that getattr alone can additionally
    # skip appdomain; everything else is audited for all but system_server
    # and vold.
    auditallow {
      domain_deprecated -system_server -vold
    } cache_file:dir { open read search ioctl lock };

    auditallow {
      domain_deprecated -appdomain -system_server -vold
    } cache_file:dir getattr;

    auditallow {
      domain_deprecated -system_server -vold
    } cache_file:file { getattr read };

    auditallow {
      domain_deprecated -system_server -vold
    } cache_file:lnk_file r_file_perms;
    
    # Read access to pseudo filesystems.
    # r_dir_file() grants read on dir, file and lnk_file of the named type.
    r_dir_file(domain_deprecated, proc)
    
    r_dir_file(domain_deprecated, sysfs)
    
    r_dir_file(domain_deprecated, cgroup)
    
    # proc_meminfo is its own type and is not covered by the proc rule above.
    allow domain_deprecated proc_meminfo:file r_file_perms;
    
    # Audit of the pseudo-filesystem rules above. A permission noted as
    # "granted in domain" is allowed to every domain elsewhere and is
    # therefore left out of the audited set.

    # proc: sdcardd and update_engine are excluded for file only.
    auditallow {
      domain_deprecated -fsck -fsck_untrusted -rild -sdcardd -system_server
      -update_engine -vold
    } proc:file r_file_perms;

    auditallow {
      domain_deprecated -fsck -fsck_untrusted -rild -system_server -vold
    } proc:lnk_file { open ioctl lock }; # getattr read granted in domain

    # sysfs: all three classes share one exclusion set but audit different
    # permissions, so they stay as separate rules.
    auditallow {
      domain_deprecated -fingerprintd -healthd -netd -rild -system_app
      -surfaceflinger -system_server -tee -ueventd -vold
    } sysfs:dir { open getattr read ioctl lock }; # search granted in domain

    auditallow {
      domain_deprecated -fingerprintd -healthd -netd -rild -system_app
      -surfaceflinger -system_server -tee -ueventd -vold
    } sysfs:file r_file_perms;

    auditallow {
      domain_deprecated -fingerprintd -healthd -netd -rild -system_app
      -surfaceflinger -system_server -tee -ueventd -vold
    } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain

    # cgroup: same exclusion set for dir and for file/lnk_file.
    auditallow {
      domain_deprecated -appdomain -dumpstate -fingerprintd -healthd
      -inputflinger -installd -keystore -netd -rild -surfaceflinger
      -system_server -zygote
    } cgroup:dir r_dir_perms;

    auditallow {
      domain_deprecated -appdomain -dumpstate -fingerprintd -healthd
      -inputflinger -installd -keystore -netd -rild -surfaceflinger
      -system_server -zygote
    } cgroup:{ file lnk_file } r_file_perms;

    auditallow {
      domain_deprecated -appdomain -surfaceflinger -system_server -vold
    } proc_meminfo:file r_file_perms;