    ######################################
    # Attribute declarations
    #
    
    # All types used for devices.
    
    # On change, update CHECK_FC_ASSERT_ATTRS
    # in tools/checkfc.c
    
    attribute dev_type;
    
    # All types used for processes.
    attribute domain;
    
    # All types used for filesystems.
    
    # On change, update CHECK_FC_ASSERT_ATTRS
    # definition in tools/checkfc.c.
    
    attribute fs_type;
    
    
    # All types used for context= mounts.
    attribute contextmount_type;
    
    
    # All types used for files that can exist on a labeled fs.
    # Do not use for pseudo file types.
    
    # On change, update CHECK_FC_ASSERT_ATTRS
    # definition in tools/checkfc.c.
    
    attribute file_type;
    
    # All types used for domain entry points.
    attribute exec_type;
    
    # All types used for /data files.
    attribute data_file_type;
    
    expandattribute data_file_type false;
    
    # All types in /data, not in /data/vendor
    attribute core_data_file_type;
    
    # All types in /vendor
    attribute vendor_file_type;
    
    
    # All types used for sysfs files.
    attribute sysfs_type;
    
    
    # All types used for debugfs files.
    attribute debugfs_type;
    
    
    # Attribute used for all sdcards
    attribute sdcard_type;
    
    
    # All types used for nodes/hosts.
    attribute node_type;
    
    # All types used for network interfaces.
    attribute netif_type;
    
    # All types used for network ports.
    attribute port_type;
    
    
    # All types used for property service
    
    # On change, update CHECK_PC_ASSERT_ATTRS
    # definition in tools/checkfc.c.
    
    attribute property_type;
    
    
    # All properties defined in core SELinux policy. Should not be
    # used by device specific properties
    attribute core_property_type;
    
    
    # All properties used to configure log filtering.
    attribute log_property_type;
    
    
    # All service_manager types created by system_server
    
    attribute system_server_service;
    
    # services which should be available to all but isolated apps
    attribute app_api_service;
    
    
    # services which should be available to all ephemeral apps
    attribute ephemeral_app_api_service;
    
    
    # services which export only system_api
    attribute system_api_service;
    
    # All types used for services managed by servicemanager.
    
    # On change, update CHECK_SC_ASSERT_ATTRS
    # definition in tools/checkfc.c.
    
    attribute service_manager_type;
    
    
    # All types used for services managed by hwservicemanager
    attribute hwservice_manager_type;
    
    
    # All HwBinder services guaranteed to be passthrough. These services always run
    # in the process of their clients, and thus operate with the same access as
    # their clients.
    attribute same_process_hwservice;
    
    # All HwBinder services guaranteed to be offered only by core domain components
    attribute coredomain_hwservice;
    
    
    # All types used for services managed by vndservicemanager
    attribute vndservice_manager_type;
    
    
    
    # All domains that can override MLS restrictions.
    # i.e. processes that can read up and write down.
    # NOTE(review): the MLS constraints that consult this attribute are not on
    # this page. Going by the description above, membership exempts a domain
    # from level-based separation, so each domain given this attribute should
    # be reviewed as a deliberate exception.
    attribute mlstrustedsubject;
    
    # All types that can override MLS restrictions.
    # i.e. files that can be read by lower and written by higher
    # NOTE(review): by the same reading, objects carrying this attribute are
    # reachable across levels; confirm against the MLS constraint definitions
    # before attaching it to a type that holds per-user or per-app data.
    attribute mlstrustedobject;
    
    # All domains used for apps.
    attribute appdomain;
    
    
    # All third party apps.
    attribute untrusted_app_all;
    
    
    # All domains used for apps with network access.
    attribute netdomain;
    
    # All domains used for apps with bluetooth access.
    attribute bluetoothdomain;
    
    # All domains used for binder service domains.
    attribute binderservicedomain;
    
    # update_engine related domains that need to apply an update and run
    # postinstall. This includes the background daemon and the sideload tool from
    # recovery for A/B devices.
    attribute update_engine_common;
    
    # All core domains (as opposed to vendor/device-specific domains)
    attribute coredomain;
    
    
    # All socket devices owned by core domain components
    attribute coredomain_socket;
    
    
    # Temporary exemption lists for the core/vendor separation requirements.
    # Each attribute below names the vendor domains that still break one
    # requirement. Every one is marked `expandattribute ... false`, which asks
    # the policy compiler not to expand the attribute into its member types.
    # NOTE(review): presumably this keeps the attribute queryable in the
    # compiled policy so the exempted domains can be enumerated and audited;
    # confirm against the build and test tooling.

    # All vendor domains which violate the requirement of not using Binder
    # TODO(b/35870313): Remove this once there are no violations
    attribute binder_in_vendor_violators;
    
    expandattribute binder_in_vendor_violators false;
    
    # All vendor domains which violate the requirement of not using sockets for
    # communicating with core components
    # TODO(b/36577153): Remove this once there are no violations
    attribute socket_between_core_and_vendor_violators;
    
    expandattribute socket_between_core_and_vendor_violators false;
    
    # All vendor domains which violate the requirement of not executing
    # system processes
    # TODO(b/36463595)
    # NOTE(review): unlike the two TODOs above, this one does not state the
    # intended action; presumably it is also "remove once there are no
    # violations" — confirm.
    attribute vendor_executes_system_violators;
    
    expandattribute vendor_executes_system_violators false;
    
    # PDX services
    attribute pdx_endpoint_dir_type;
    attribute pdx_endpoint_socket_type;
    
    expandattribute pdx_endpoint_socket_type false;
    
    attribute pdx_channel_socket_type;
    
    expandattribute pdx_channel_socket_type false;
    
    
    pdx_service_attributes(display_client)
    pdx_service_attributes(display_manager)
    pdx_service_attributes(display_screenshot)
    pdx_service_attributes(display_vsync)
    pdx_service_attributes(performance_client)
    pdx_service_attributes(bufferhub_client)
    
    
    # All HAL servers
    attribute halserverdomain;
    # All HAL clients
    attribute halclientdomain;
    
    expandattribute halclientdomain true;
    
    # HALs
    
    attribute hal_allocator;
    
    expandattribute hal_allocator true;
    
    attribute hal_allocator_client;
    
    expandattribute hal_allocator_client true;
    
    attribute hal_allocator_server;
    
    expandattribute hal_allocator_server false;
    
    attribute hal_audio;
    
    expandattribute hal_audio false;
    
    attribute hal_audio_client;
    
    expandattribute hal_audio_client true;
    
    attribute hal_audio_server;
    
    expandattribute hal_audio_server false;
    
    attribute hal_bluetooth;
    
    expandattribute hal_bluetooth true;
    
    attribute hal_bluetooth_client;
    
    expandattribute hal_bluetooth_client true;
    
    attribute hal_bluetooth_server;
    
    expandattribute hal_bluetooth_server false;
    
    attribute hal_bootctl;
    
    expandattribute hal_bootctl false;
    
    attribute hal_bootctl_client;
    
    expandattribute hal_bootctl_client true;
    
    attribute hal_bootctl_server;
    
    expandattribute hal_bootctl_server false;
    
    # Camera HAL attribute group (base / _client / _server).
    # NOTE(review): every other hal_* group on this page opens with an
    # `attribute hal_<name>;` declaration, but no `attribute hal_camera;` line
    # is visible before the expandattribute statement below. Confirm the
    # declaration exists in the real file (it may have been dropped from this
    # listing); an expandattribute on an undeclared attribute is expected to
    # fail policy compilation.
    expandattribute hal_camera false;
    
    attribute hal_camera_client;
    
    expandattribute hal_camera_client true;
    
    attribute hal_camera_server;
    
    expandattribute hal_camera_server false;
    
    attribute hal_configstore;
    
    expandattribute hal_configstore true;
    
    attribute hal_configstore_client;
    
    expandattribute hal_configstore_client true;
    
    attribute hal_configstore_server;
    
    expandattribute hal_configstore_server false;
    
    attribute hal_contexthub;
    
    expandattribute hal_contexthub true;
    
    attribute hal_contexthub_client;
    
    expandattribute hal_contexthub_client true;
    
    attribute hal_contexthub_server;
    
    expandattribute hal_contexthub_server false;
    
    # DRM and CAS HAL attribute groups (base / _client / _server).
    # NOTE(review): hal_drm_server and hal_cas_server are marked
    # `expandattribute ... true`, whereas every other *_server attribute on
    # this page is marked false. With `true` the attribute is expanded into its
    # member types at compile time, so it may not remain available for anything
    # that looks attributes up in the compiled policy. Confirm this difference
    # is intentional.
    attribute hal_drm;
    
    expandattribute hal_drm false;
    
    attribute hal_drm_client;
    
    expandattribute hal_drm_client true;
    
    attribute hal_drm_server;
    
    expandattribute hal_drm_server true;
    
    attribute hal_cas;
    expandattribute hal_cas true;
    attribute hal_cas_client;
    expandattribute hal_cas_client true;
    attribute hal_cas_server;
    expandattribute hal_cas_server true;
    
    attribute hal_dumpstate;
    
    expandattribute hal_dumpstate true;
    
    attribute hal_dumpstate_client;
    
    expandattribute hal_dumpstate_client true;
    
    attribute hal_dumpstate_server;
    
    expandattribute hal_dumpstate_server false;
    
    attribute hal_fingerprint;
    
    expandattribute hal_fingerprint true;
    
    attribute hal_fingerprint_client;
    
    expandattribute hal_fingerprint_client true;
    
    attribute hal_fingerprint_server;
    
    expandattribute hal_fingerprint_server false;
    
    attribute hal_gatekeeper;
    
    expandattribute hal_gatekeeper true;
    
    attribute hal_gatekeeper_client;
    
    expandattribute hal_gatekeeper_client true;
    
    attribute hal_gatekeeper_server;
    
    expandattribute hal_gatekeeper_server false;
    
    attribute hal_gnss;
    
    expandattribute hal_gnss true;
    
    attribute hal_gnss_client;
    
    expandattribute hal_gnss_client true;
    
    attribute hal_gnss_server;
    
    expandattribute hal_gnss_server false;
    
    attribute hal_graphics_allocator;
    
    expandattribute hal_graphics_allocator true;
    
    attribute hal_graphics_allocator_client;
    
    expandattribute hal_graphics_allocator_client true;
    
    attribute hal_graphics_allocator_server;
    
    expandattribute hal_graphics_allocator_server false;
    
    attribute hal_graphics_composer;
    
    expandattribute hal_graphics_composer true;
    
    attribute hal_graphics_composer_client;
    
    expandattribute hal_graphics_composer_client true;
    
    attribute hal_graphics_composer_server;
    
    expandattribute hal_graphics_composer_server false;
    
    attribute hal_health;
    
    expandattribute hal_health true;
    
    attribute hal_health_client;
    
    expandattribute hal_health_client true;
    
    attribute hal_health_server;
    
    expandattribute hal_health_server false;
    
    attribute hal_ir;
    
    expandattribute hal_ir true;
    
    attribute hal_ir_client;
    
    expandattribute hal_ir_client true;
    
    attribute hal_ir_server;
    
    expandattribute hal_ir_server false;
    
    attribute hal_keymaster;
    
    expandattribute hal_keymaster true;
    
    attribute hal_keymaster_client;
    
    expandattribute hal_keymaster_client true;
    
    attribute hal_keymaster_server;
    
    expandattribute hal_keymaster_server false;
    
    attribute hal_light;
    
    expandattribute hal_light true;
    
    attribute hal_light_client;
    
    expandattribute hal_light_client true;
    
    attribute hal_light_server;
    
    expandattribute hal_light_server false;
    
    attribute hal_memtrack;
    
    expandattribute hal_memtrack true;
    
    attribute hal_memtrack_client;
    
    expandattribute hal_memtrack_client true;
    
    attribute hal_memtrack_server;
    
    expandattribute hal_memtrack_server false;
    
    attribute hal_nfc;
    
    expandattribute hal_nfc true;
    
    attribute hal_nfc_client;
    
    expandattribute hal_nfc_client true;
    
    attribute hal_nfc_server;
    
    expandattribute hal_nfc_server false;
    
    attribute hal_oemlock;
    
    expandattribute hal_oemlock true;
    
    attribute hal_oemlock_client;
    
    expandattribute hal_oemlock_client true;
    
    attribute hal_oemlock_server;
    
    expandattribute hal_oemlock_server false;
    
    attribute hal_power;
    
    expandattribute hal_power true;
    
    attribute hal_power_client;
    
    expandattribute hal_power_client true;
    
    attribute hal_power_server;
    
    expandattribute hal_power_server false;
    
    attribute hal_sensors;
    
    expandattribute hal_sensors true;
    
    attribute hal_sensors_client;
    
    expandattribute hal_sensors_client true;
    
    attribute hal_sensors_server;
    
    expandattribute hal_sensors_server false;
    
    attribute hal_telephony;
    
    expandattribute hal_telephony true;
    
    attribute hal_telephony_client;
    
    expandattribute hal_telephony_client true;
    
    attribute hal_telephony_server;
    
    expandattribute hal_telephony_server false;
    
    attribute hal_tetheroffload;
    
    expandattribute hal_tetheroffload true;
    
    attribute hal_tetheroffload_client;
    
    expandattribute hal_tetheroffload_client true;
    
    attribute hal_tetheroffload_server;
    
    expandattribute hal_tetheroffload_server false;
    
    attribute hal_thermal;
    
    expandattribute hal_thermal true;
    
    attribute hal_thermal_client;
    
    expandattribute hal_thermal_client true;
    
    attribute hal_thermal_server;
    
    expandattribute hal_thermal_server false;
    
    attribute hal_tv_cec;
    
    expandattribute hal_tv_cec true;
    
    attribute hal_tv_cec_client;
    
    expandattribute hal_tv_cec_client true;
    
    attribute hal_tv_cec_server;
    
    expandattribute hal_tv_cec_server false;
    
    attribute hal_tv_input;
    
    expandattribute hal_tv_input true;
    
    attribute hal_tv_input_client;
    
    expandattribute hal_tv_input_client true;
    
    attribute hal_tv_input_server;
    
    expandattribute hal_tv_input_server false;
    
    attribute hal_usb;
    
    expandattribute hal_usb true;
    
    attribute hal_usb_client;
    
    expandattribute hal_usb_client true;
    
    attribute hal_usb_server;
    
    expandattribute hal_usb_server false;
    
    attribute hal_vibrator;
    
    expandattribute hal_vibrator true;
    
    attribute hal_vibrator_client;
    
    expandattribute hal_vibrator_client true;
    
    attribute hal_vibrator_server;
    
    expandattribute hal_vibrator_server false;
    
    attribute hal_vr;
    
    expandattribute hal_vr true;
    
    attribute hal_vr_client;
    
    expandattribute hal_vr_client true;
    
    attribute hal_vr_server;
    
    expandattribute hal_vr_server false;
    
    attribute hal_weaver;
    
    expandattribute hal_weaver true;
    
    attribute hal_weaver_client;
    
    expandattribute hal_weaver_client true;
    
    attribute hal_weaver_server;
    
    expandattribute hal_weaver_server false;
    
    attribute hal_wifi;
    
    expandattribute hal_wifi true;
    
    attribute hal_wifi_client;
    
    expandattribute hal_wifi_client true;
    
    attribute hal_wifi_server;
    
    expandattribute hal_wifi_server false;
    
    attribute hal_wifi_offload;
    
    expandattribute hal_wifi_offload true;
    
    attribute hal_wifi_offload_client;
    
    expandattribute hal_wifi_offload_client true;
    
    attribute hal_wifi_offload_server;
    
    expandattribute hal_wifi_offload_server false;
    
    attribute hal_wifi_supplicant;
    
    expandattribute hal_wifi_supplicant true;
    
    attribute hal_wifi_supplicant_client;
    
    expandattribute hal_wifi_supplicant_client true;
    
    attribute hal_wifi_supplicant_server;
    
    expandattribute hal_wifi_supplicant_server false;
    
    
    # HwBinder services offered across the core-vendor boundary
    #
    # We annotate server domains with x_server to loosen the coupling between
    # system and vendor images. For example, it should be possible to move a service
    # from one core domain to another, without having to update the vendor image
    # which contains clients of this service.
    
    
    attribute display_service_server;
    
    attribute wifi_keystore_service_server;