Skip to content
Snippets Groups Projects
Select Git revision
  • ad0d0fc722d04e465ce2b0bfd2f8e04714c75391
  • master default protected
  • android-7.1.2_r28_klist
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
41 results

file_contexts

Blame
    • Stephen Smalley's avatar
      ad0d0fc7
      Protect /data/property. · ad0d0fc7
      Stephen Smalley authored 
      
/data/property is only accessible by root and is used by the init
property service for storing persistent property values.  Create
a separate type for it and only allow init to write to the directory
and files within it.  Ensure that we do not allow access to other domains
in future changes or device-specific policy via a neverallow rule.

Change-Id: Iff556b9606c5651c0f1bba902e30b59bdd6f063a
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      ad0d0fc7
      History
      Protect /data/property.
      Stephen Smalley authored 
      
/data/property is only accessible by root and is used by the init
property service for storing persistent property values.  Create
a separate type for it and only allow init to write to the directory
and files within it.  Ensure that we do not allow access to other domains
in future changes or device-specific policy via a neverallow rule.

Change-Id: Iff556b9606c5651c0f1bba902e30b59bdd6f063a
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
    file_contexts 9.82 KiB 
    ###########################################
# Root
/			u:object_r:rootfs:s0

# Data files
/adb_keys		u:object_r:adb_keys_file:s0
/default\.prop		u:object_r:rootfs:s0
/fstab\..*		u:object_r:rootfs:s0
/init\..*		u:object_r:rootfs:s0
/res(/.*)?		u:object_r:rootfs:s0
/ueventd\..*		u:object_r:rootfs:s0

# Executables
/charger		u:object_r:rootfs:s0
/init			u:object_r:rootfs:s0
/sbin(/.*)?		u:object_r:rootfs:s0

# Empty directories
/lost\+found		u:object_r:rootfs:s0
/proc			u:object_r:rootfs:s0

# SELinux policy files
/file_contexts		u:object_r:rootfs:s0
/property_contexts	u:object_r:rootfs:s0
/seapp_contexts		u:object_r:rootfs:s0
/sepolicy		u:object_r:rootfs:s0

##########################
# Devices
#
/dev(/.*)?		u:object_r:device:s0
/dev/akm8973.*		u:object_r:sensors_device:s0
/dev/accelerometer	u:object_r:sensors_device:s0
/dev/adf[0-9]*		u:object_r:adf_device:s0
/dev/adf-interface[0-9]*\.[0-9]*	u:object_r:adf_device:s0
/dev/adf-overlay-engine[0-9]*\.[0-9]*	u:object_r:adf_device:s0
/dev/alarm		u:object_r:alarm_device:s0
/dev/android_adb.*	u:object_r:adb_device:s0
/dev/ashmem		u:object_r:ashmem_device:s0
/dev/audio.*		u:object_r:audio_device:s0
/dev/binder		u:object_r:binder_device:s0
/dev/block(/.*)?	u:object_r:block_device:s0
/dev/block/loop[0-9]*	u:object_r:loop_device:s0
/dev/block/ram[0-9]*	u:object_r:ram_device:s0
/dev/bus/usb(.*)?       u:object_r:usb_device:s0
/dev/cam		u:object_r:camera_device:s0
/dev/console		u:object_r:console_device:s0
/dev/cpuctl(/.*)?	u:object_r:cpuctl_device:s0
/dev/device-mapper	u:object_r:dm_device:s0
/dev/eac		u:object_r:audio_device:s0
/dev/fscklogs(/.*)?	u:object_r:fscklogs:s0
/dev/full		u:object_r:full_device:s0
/dev/fuse		u:object_r:fuse_device:s0
/dev/graphics(/.*)?	u:object_r:graphics_device:s0
/dev/hw_random		u:object_r:hw_random_device:s0
/dev/input(/.*)		u:object_r:input_device:s0
/dev/iio:device[0-9]+   u:object_r:iio_device:s0
/dev/ion		u:object_r:ion_device:s0
/dev/kmem		u:object_r:kmem_device:s0
/dev/log(/.*)?		u:object_r:log_device:s0
/dev/mem		u:object_r:kmem_device:s0
/dev/modem.*		u:object_r:radio_device:s0
/dev/mpu		u:object_r:gps_device:s0
/dev/mpuirq		u:object_r:gps_device:s0
/dev/mtd(/.*)?		u:object_r:mtd_device:s0
/dev/mtp_usb		u:object_r:mtp_device:s0
/dev/pn544		u:object_r:nfc_device:s0
/dev/ppp		u:object_r:ppp_device:s0
/dev/ptmx		u:object_r:ptmx_device:s0
/dev/pvrsrvkm		u:object_r:gpu_device:s0
    /dev/kmsg		u:object_r:kmsg_device:s0
/dev/null		u:object_r:null_device:s0
/dev/nvhdcp1		u:object_r:video_device:s0
/dev/random		u:object_r:random_device:s0
/dev/rpmsg-omx[0-9]	u:object_r:rpmsg_device:s0
/dev/rproc_user	u:object_r:rpmsg_device:s0
/dev/snd(/.*)?		u:object_r:audio_device:s0
/dev/socket(/.*)?	u:object_r:socket_device:s0
/dev/socket/adbd	u:object_r:adbd_socket:s0
/dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
/dev/socket/dumpstate	u:object_r:dumpstate_socket:s0
/dev/socket/fwmarkd	u:object_r:fwmarkd_socket:s0
/dev/socket/gps		u:object_r:gps_socket:s0
/dev/socket/installd	u:object_r:installd_socket:s0
/dev/socket/lmkd        u:object_r:lmkd_socket:s0
/dev/logd_debug		u:object_r:logd_debug:s0
/dev/socket/logd	u:object_r:logd_socket:s0
/dev/socket/logdr	u:object_r:logdr_socket:s0
/dev/socket/logdw	u:object_r:logdw_socket:s0
/dev/socket/mdns	u:object_r:mdns_socket:s0
/dev/socket/mdnsd	u:object_r:mdnsd_socket:s0
/dev/socket/mtpd	u:object_r:mtpd_socket:s0
/dev/socket/netd	u:object_r:netd_socket:s0
/dev/socket/property_service	u:object_r:property_socket:s0
/dev/socket/racoon	u:object_r:racoon_socket:s0
/dev/socket/rild	u:object_r:rild_socket:s0
/dev/socket/rild-debug	u:object_r:rild_debug_socket:s0
/dev/socket/vold	u:object_r:vold_socket:s0
/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
/dev/socket/zygote	u:object_r:zygote_socket:s0
/dev/socket/zygote_secondary	u:object_r:zygote_socket:s0
/dev/spdif_out.*	u:object_r:audio_device:s0
/dev/tegra.*		u:object_r:video_device:s0
/dev/tf_driver		u:object_r:tee_device:s0
/dev/tty		u:object_r:owntty_device:s0
/dev/tty[0-9]*		u:object_r:tty_device:s0
/dev/ttyS[0-9]*		u:object_r:serial_device:s0
/dev/tun		u:object_r:tun_device:s0
/dev/uhid		u:object_r:uhid_device:s0
/dev/uinput		u:object_r:uhid_device:s0
/dev/uio[0-9]*		u:object_r:uio_device:s0
/dev/urandom		u:object_r:urandom_device:s0
/dev/usb_accessory	u:object_r:usbaccessory_device:s0
/dev/vcs[0-9a-z]*	u:object_r:vcs_device:s0
/dev/video[0-9]*	u:object_r:video_device:s0
/dev/watchdog		u:object_r:watchdog_device:s0
/dev/xt_qtaguid	u:object_r:qtaguid_device:s0
/dev/zero		u:object_r:zero_device:s0
/dev/__kmsg__		u:object_r:klog_device:s0
/dev/__properties__ u:object_r:properties_device:s0
#############################
# System files
#
/system(/.*)?		u:object_r:system_file:s0
/system/bin/sh		--	u:object_r:shell_exec:s0
/system/bin/run-as	--	u:object_r:runas_exec:s0
/system/bin/bootanimation u:object_r:bootanim_exec:s0
/system/bin/app_process32	u:object_r:zygote_exec:s0
/system/bin/app_process64	u:object_r:zygote_exec:s0
/system/bin/servicemanager	u:object_r:servicemanager_exec:s0
/system/bin/surfaceflinger	u:object_r:surfaceflinger_exec:s0
/system/bin/drmserver	u:object_r:drmserver_exec:s0
/system/bin/dumpstate   u:object_r:dumpstate_exec:s0
/system/bin/vold	u:object_r:vold_exec:s0
/system/bin/netd	u:object_r:netd_exec:s0
/system/bin/rild	u:object_r:rild_exec:s0
/system/bin/mediaserver	u:object_r:mediaserver_exec:s0
/system/bin/mdnsd	u:object_r:mdnsd_exec:s0
/system/bin/installd	u:object_r:installd_exec:s0
    /system/bin/keystore	u:object_r:keystore_exec:s0
/system/bin/debuggerd	u:object_r:debuggerd_exec:s0
/system/bin/debuggerd64	u:object_r:debuggerd_exec:s0
/system/bin/wpa_supplicant	u:object_r:wpa_exec:s0
/system/bin/sdcard      u:object_r:sdcardd_exec:s0
/system/bin/dhcpcd      u:object_r:dhcp_exec:s0
/system/bin/mtpd	u:object_r:mtp_exec:s0
/system/bin/pppd	u:object_r:ppp_exec:s0
/system/bin/tf_daemon	u:object_r:tee_exec:s0
/system/bin/racoon	u:object_r:racoon_exec:s0
/system/xbin/su		u:object_r:su_exec:s0
/system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
/system/bin/dnsmasq     u:object_r:dnsmasq_exec:s0
/system/bin/hostapd     u:object_r:hostapd_exec:s0
/system/bin/clatd	u:object_r:clatd_exec:s0
/system/bin/lmkd        u:object_r:lmkd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
/system/bin/logd        u:object_r:logd_exec:s0
/system/bin/uncrypt     u:object_r:uncrypt_exec:s0
#############################
# Vendor files
#
/vendor(/.*)?		u:object_r:system_file:s0
/vendor/bin/gpsd	u:object_r:gpsd_exec:s0
#############################
# Data files
#
/data(/.*)?		u:object_r:system_data_file:s0
/data/.layout_version		u:object_r:install_data_file:s0
/data/backup(/.*)?		u:object_r:backup_data_file:s0
/data/secure/backup(/.*)?	u:object_r:backup_data_file:s0
/data/security(/.*)?	u:object_r:security_file:s0
/data/system/ndebugsocket	u:object_r:system_ndebug_socket:s0
/data/drm(/.*)?		u:object_r:drm_data_file:s0
/data/gps(/.*)?		u:object_r:gps_data_file:s0
/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
/data/dalvik-cache/profiles(/.*)? u:object_r:dalvikcache_profiles_data_file:s0
/data/anr(/.*)?		u:object_r:anr_data_file:s0
/data/app(/.*)?		u:object_r:apk_data_file:s0
/data/app/vmdl.*\.tmp	u:object_r:apk_tmp_file:s0
/data/app-private(/.*)?		u:object_r:apk_private_data_file:s0
/data/app-private/vmdl.*\.tmp	u:object_r:apk_private_tmp_file:s0
/data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
/data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
/data/media(/.*)?	u:object_r:media_rw_data_file:s0
/data/mediadrm(/.*)?	u:object_r:media_data_file:s0
/data/property(/.*)?	u:object_r:property_data_file:s0

# Misc data
/data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
/data/misc/audio(/.*)?          u:object_r:audio_data_file:s0
/data/misc/bluetooth(/.*)?      u:object_r:bluetooth_data_file:s0
/data/misc/bluedroid(/.*)?      u:object_r:bluetooth_data_file:s0
/data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0
/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
/data/misc/camera(/.*)?         u:object_r:camera_data_file:s0
/data/misc/dhcp(/.*)?           u:object_r:dhcp_data_file:s0
/data/misc/keystore(/.*)?       u:object_r:keystore_data_file:s0
/data/misc/media(/.*)?          u:object_r:media_data_file:s0
/data/misc/shared_relro(/.*)?   u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)?            u:object_r:radio_data_file:s0
/data/misc/systemkeys(/.*)?     u:object_r:systemkeys_data_file:s0
/data/misc/vpn(/.*)?            u:object_r:vpn_data_file:s0
/data/misc/wifi(/.*)?           u:object_r:wifi_data_file:s0
/data/misc/wifi/sockets(/.*)?   u:object_r:wpa_socket:s0
/data/misc/wifi/sockets/wpa_ctrl.*   u:object_r:system_wpa_socket:s0
/data/misc/wifi/hostapd(/.*)?   u:object_r:wpa_socket:s0
/data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0

# Wallpaper file for other users
    /data/system/users/[0-9]+/wallpaper		u:object_r:wallpaper_file:s0
#############################
# efs files
#
/efs(/.*)?		u:object_r:efs_file:s0
#############################
# Cache files
#
/cache(/.*)?		u:object_r:cache_file:s0
/cache/.*\.data	u:object_r:cache_backup_file:s0
/cache/.*\.restore	u:object_r:cache_backup_file:s0
# LocalTransport (backup) uses this directory
/cache/backup(/.*)?	u:object_r:cache_backup_file:s0
#############################
# sysfs files
#
/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
/sys/devices/system/cpu(/.*)?    u:object_r:sysfs_devices_system_cpu:s0
/sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
/sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
/sys/kernel/uevent_helper --	u:object_r:usermodehelper:s0
/sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0

#############################
# asec containers
/mnt/asec(/.*)?           u:object_r:asec_apk_file:s0
/mnt/asec/[^/]+/res\.zip   u:object_r:asec_public_file:s0
/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0
/data/app-asec(/.*)?      u:object_r:asec_image_file:s0