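######################################
# Attribute declarations
#

# All types used for devices.
# On change, update CHECK_FC_ASSERT_ATTRS
# in tools/checkfc.c
attribute dev_type;

# All types used for processes.
attribute domain;

# All types used for filesystems.
# On change, update CHECK_FC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute fs_type;

# All types used for context= mounts.
attribute contextmount_type;

# All types used for files that can exist on a labeled fs.
# Do not use for pseudo file types.
# On change, update CHECK_FC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute file_type;

# All types used for domain entry points.
attribute exec_type;

# All types used for /data files.
attribute data_file_type;
expandattribute data_file_type false;
# All types in /data, not in /data/vendor
attribute core_data_file_type;
expandattribute core_data_file_type false;

# All types in /system
attribute system_file_type;

# All types in /vendor
attribute vendor_file_type;

# All types used for procfs files.
attribute proc_type;
expandattribute proc_type false;

# Types in /proc/net, excluding qtaguid types.
# TODO(b/9496886) Lock down access to /proc/net.
# This attribute is used to audit access to proc_net. It is temporary and will
# be removed.
attribute proc_net_type;
expandattribute proc_net_type true;

# All types used for sysfs files.
attribute sysfs_type;

# All types used for debugfs files.
attribute debugfs_type;

# Attribute used for all sdcards
attribute sdcard_type;

# All types used for nodes/hosts.
attribute node_type;

# All types used for network interfaces.
attribute netif_type;

# All types used for network ports.
attribute port_type;
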
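# All types used for property service
# On change, update CHECK_PC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute property_type;

# All properties defined in core SELinux policy. Should not be
# used by device-specific properties.
attribute core_property_type;

# All properties used to configure log filtering.
attribute log_property_type;

# All properties that are not specific to a device but are added from
# outside of AOSP (e.g. OEM-specific properties).
# These properties are not accessible from device-specific domains.
attribute extended_core_property_type;

# Properties used for representing ownership. All properties should have one
# of: system_property_type, product_property_type, or vendor_property_type.

# All properties defined by /system.
attribute system_property_type;

# All /system-defined properties used only in /system.
attribute system_internal_property_type;

# All /system-defined properties which can't be written outside /system.
attribute system_restricted_property_type;

# All /system-defined properties with no restrictions.
attribute system_public_property_type;

# All properties defined by /product.
# Currently there is no enforcement between /system and /product, so for now
# the /product attributes are simply aliases for the /system attributes.
# Consequently a property labeled with a product_* attribute receives exactly
# the access granted to the corresponding system_* attribute.
define(`product_property_type',   `system_property_type')
define(`product_internal_type',   `system_internal_property_type')
define(`product_restricted_type', `system_restricted_property_type')
define(`product_public_type',     `system_public_property_type')

# All properties defined by /vendor.
attribute vendor_property_type;

# All /vendor-defined properties used only in /vendor.
attribute vendor_internal_property_type;

# All /vendor-defined properties which can't be written outside /vendor.
attribute vendor_restricted_property_type;

# All /vendor-defined properties with no restrictions.
attribute vendor_public_property_type;
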
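# All service_manager types created by system_server
attribute system_server_service;

# services which should be available to all but isolated apps
attribute app_api_service;

# services which should be available to all ephemeral apps
attribute ephemeral_app_api_service;

# services which export only system_api
attribute system_api_service;

# services which are served by vendor and also use the copy of libbinder on
# system (for instance via libbinder_ndk). Services using a different copy
# of libbinder currently need their own context manager (e.g.
# vndservicemanager).
attribute vendor_service;

# All types used for services managed by servicemanager.
# On change, update CHECK_SC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute service_manager_type;

# All types used for services managed by hwservicemanager
attribute hwservice_manager_type;

# All HwBinder services guaranteed to be passthrough. These services always run
# in the process of their clients, and thus operate with the same access as
# their clients.
attribute same_process_hwservice;

# All HwBinder services guaranteed to be offered only by core domain components
attribute coredomain_hwservice;

# All HwBinder services that untrusted apps can't directly access
attribute protected_hwservice;

# All types used for services managed by vndservicemanager
attribute vndservice_manager_type;

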
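# All domains that can override MLS restrictions,
# i.e. processes that can read up and write down.
# Membership exempts a domain from MLS enforcement, so additions to this
# attribute deserve the same scrutiny as any other widening of trust.
attribute mlstrustedsubject;

# All types that can override MLS restrictions,
# i.e. files that can be read by lower and written by higher.
attribute mlstrustedobject;

# All domains used for apps.
attribute appdomain;

# All third party apps.
attribute untrusted_app_all;

# All domains used for apps with network access.
attribute netdomain;

# All domains used for apps with bluetooth access.
attribute bluetoothdomain;

# All domains used for binder service domains.
attribute binderservicedomain;

# update_engine related domains that need to apply an update and run
# postinstall. This includes the background daemon and the sideload tool from
# recovery for A/B devices.
attribute update_engine_common;

# All core domains (as opposed to vendor/device-specific domains)
attribute coredomain;

# All socket devices owned by core domain components
attribute coredomain_socket;
expandattribute coredomain_socket false;

# All vendor domains which violate the requirement of not using Binder
# TODO(b/35870313): Remove this once there are no violations
attribute binder_in_vendor_violators;
expandattribute binder_in_vendor_violators false;

# All vendor domains which violate the requirement of not using sockets for
# communicating with core components
# TODO(b/36577153): Remove this once there are no violations
attribute socket_between_core_and_vendor_violators;
expandattribute socket_between_core_and_vendor_violators false;

# All vendor domains which violate the requirement of not executing
# system processes
# TODO(b/36463595)
attribute vendor_executes_system_violators;
expandattribute vendor_executes_system_violators false;

# All domains which violate the requirement of not sharing files by path
# between vendor and core domains.
# TODO(b/34980020)
attribute data_between_core_and_vendor_violators;
expandattribute data_between_core_and_vendor_violators false;

# All system domains which violate the requirement of not executing vendor
# binaries/libraries.
# TODO(b/62041836)
attribute system_executes_vendor_violators;
expandattribute system_executes_vendor_violators false;

# All system domains which violate the requirement of not writing vendor
# properties.
# TODO(b/78598545): Remove this once there are no violations
attribute system_writes_vendor_properties_violators;
expandattribute system_writes_vendor_properties_violators false;

# All system domains which violate the requirement of not writing to
# /mnt/vendor/*. Must not be used on devices launched with P or later.
attribute system_writes_mnt_vendor_violators;
expandattribute system_writes_mnt_vendor_violators false;

# hwservices that are accessible from untrusted applications
# WARNING: Use of this attribute should be avoided unless
# absolutely necessary.  It is a temporary allowance to aid the
# transition to treble and will be removed in a future platform
# version, requiring all hwservices that are labeled with this
# attribute to be submitted to AOSP in order to maintain their
# app-visibility.
attribute untrusted_app_visible_hwservice_violators;
expandattribute untrusted_app_visible_hwservice_violators false;

# halserver domains that are accessible to untrusted applications.  These
# domains are typically those hosting hwservices labeled with
# untrusted_app_visible_hwservice_violators.
# WARNING: Use of this attribute should be avoided unless absolutely necessary.
# It is a temporary allowance to aid the transition to treble and will be
# removed in a future platform version, requiring all halserver domains that
# are labeled with this attribute to be submitted to AOSP in order to maintain
# their app-visibility.
attribute untrusted_app_visible_halserver_violators;
expandattribute untrusted_app_visible_halserver_violators false;
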
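# PDX services
attribute pdx_endpoint_dir_type;
attribute pdx_endpoint_socket_type;
expandattribute pdx_endpoint_socket_type false;
attribute pdx_channel_socket_type;
expandattribute pdx_channel_socket_type false;

pdx_service_attributes(display_client)
pdx_service_attributes(display_manager)
pdx_service_attributes(display_screenshot)
pdx_service_attributes(display_vsync)
pdx_service_attributes(performance_client)
pdx_service_attributes(bufferhub_client)

# All HAL servers
attribute halserverdomain;
# All HAL clients
attribute halclientdomain;
expandattribute halclientdomain true;

# Exemption allowing halserverdomain to access sockets. Only builds for
# automotive device types are allowed to use this attribute (enforced by CTS).
# Unlike a phone, in a car many modules are external from the Android
# perspective and HALs should be able to communicate with those devices
# through sockets.
attribute hal_automotive_socket_exemption;

# HALs
hal_attribute(allocator);
hal_attribute(atrace);
hal_attribute(audio);
hal_attribute(audiocontrol);
hal_attribute(authsecret);
hal_attribute(bluetooth);
hal_attribute(bootctl);
hal_attribute(bufferhub);
hal_attribute(broadcastradio);
hal_attribute(camera);
hal_attribute(can_bus);
hal_attribute(can_controller);
hal_attribute(cas);
hal_attribute(codec2);
hal_attribute(configstore);
hal_attribute(confirmationui);
hal_attribute(contexthub);
hal_attribute(drm);
hal_attribute(dumpstate);
hal_attribute(evs);
hal_attribute(face);
hal_attribute(fingerprint);
hal_attribute(gatekeeper);
hal_attribute(gnss);
hal_attribute(graphics_allocator);
hal_attribute(graphics_composer);
hal_attribute(health);
hal_attribute(health_storage);
hal_attribute(identity);
hal_attribute(input_classifier);
hal_attribute(ir);
hal_attribute(keymaster);
hal_attribute(light);
hal_attribute(lowpan);
hal_attribute(memtrack);
hal_attribute(neuralnetworks);
hal_attribute(nfc);
hal_attribute(oemlock);
hal_attribute(omx);
hal_attribute(power);
hal_attribute(power_stats);
hal_attribute(rebootescrow);
hal_attribute(secure_element);
hal_attribute(sensors);
hal_attribute(telephony);
hal_attribute(tetheroffload);
hal_attribute(thermal);
hal_attribute(tv_cec);
hal_attribute(tv_input);
hal_attribute(tv_tuner);
hal_attribute(usb);
hal_attribute(usb_gadget);
hal_attribute(vehicle);
hal_attribute(vibrator);
hal_attribute(vr);
hal_attribute(weaver);
hal_attribute(wifi);
hal_attribute(wifi_hostapd);
hal_attribute(wifi_supplicant);
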
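# HwBinder services offered across the core-vendor boundary
#
# We annotate server domains with x_server to loosen the coupling between
# system and vendor images. For example, it should be possible to move a service
# from one core domain to another, without having to update the vendor image
# which contains clients of this service.

attribute automotive_display_service_server;
attribute camera_service_server;
attribute display_service_server;
attribute scheduler_service_server;
attribute sensor_service_server;
attribute stats_service_server;
attribute system_suspend_server;
attribute wifi_keystore_service_server;

# All types used for super partition block devices.
attribute super_block_device_type;
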