;; Complement CIL file for compatibility between ToT policy and 29.0 vendors.
;; Will be compiled along with other normal policy files, on 29.0 vendors.
;;

;; vendordomain: every type in `domain` that is not in `coredomain`.
(typeattribute vendordomain)
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))

;; Each vendor domain may use nlmsg_readpriv on its own netlink route sockets.
;; NOTE(review): the grant is attribute-wide, so any type that later lands in
;; `domain` outside `coredomain` inherits it without a rule of its own.
(allow vendordomain self
    (netlink_route_socket (nlmsg_readpriv)))

;; mlsvendorcompat: app domains that are also vendor domains. Only the
;; membership is set here; the attribute's declaration is not in this file.
(typeattributeset mlsvendorcompat (and appdomain vendordomain))

;; Directory and file access to app data for mlsvendorcompat. The dir rules
;; include create/rename/rmdir and the file rules include write/append/unlink;
;; no execute permission appears in either set.
(allow mlsvendorcompat app_data_file
    (dir (ioctl read write create getattr setattr lock rename open watch
          watch_reads add_name remove_name reparent search rmdir)))
(allow mlsvendorcompat app_data_file
    (file (ioctl read write create getattr setattr lock append map unlink
           rename open watch watch_reads)))

;; Same two permission sets, applied to privileged-app data.
(allow mlsvendorcompat privapp_data_file
    (dir (ioctl read write create getattr setattr lock rename open watch
          watch_reads add_name remove_name reparent search rmdir)))
(allow mlsvendorcompat privapp_data_file
    (file (ioctl read write create getattr setattr lock append map unlink
           rename open watch watch_reads)))

;; permission for devices (older than S) where debugfs restriction doesn't apply.
;; Two helper attributes carved out of debugfs_type:
;;   debugfs_file_type = debugfs_type types that are also file_type
;;   debugfs_fs_type   = debugfs_type types that are also fs_type
(typeattribute debugfs_file_type)
(typeattributeset debugfs_file_type (and debugfs_type file_type))
(typeattribute debugfs_fs_type)
(typeattributeset debugfs_fs_type (and debugfs_type fs_type))

;; dumpstate: read-only file access (no write/create/unlink) to generic
;; debugfs and to the mmc and wakeup-sources nodes.
(allow dumpstate debugfs
    (file (ioctl read getattr lock map open watch watch_reads)))
(allow dumpstate debugfs_mmc
    (file (ioctl read getattr lock map open watch watch_reads)))
(allow dumpstate debugfs_wakeup_sources
    (file (ioctl read getattr lock map open watch watch_reads)))

;; auditallow grants nothing by itself: it makes every use of the generic
;; `debugfs` grant above emit an audit record, so remaining dumpstate reads
;; of unlabeled debugfs files are visible in the audit log.
(auditallow dumpstate debugfs
    (file (ioctl read getattr lock map open watch watch_reads)))

;; init: may relabel objects away from the generic debugfs type ...
(allow init debugfs (dir (getattr relabelfrom)))
(allow init debugfs (file (getattr relabelfrom)))
(allow init debugfs (lnk_file (getattr relabelfrom)))

;; ... has write-capable file access (create/write/setattr/unlink) to every
;; debugfs_file_type type, one of the two broadest grants in this section ...
(allow init debugfs_file_type
    (file (create getattr open read write setattr relabelfrom unlink map)))

;; ... may mount, remount and unmount filesystems labeled with a
;; debugfs_fs_type type ...
(allow init debugfs_fs_type
    (filesystem (mount remount unmount getattr relabelfrom associate
                 quotamod quotaget watch)))

;; ... and may relabel objects to any debugfs_type type.
(allow init debugfs_type (dir (getattr relabelto)))
(allow init debugfs_type (file (getattr relabelto)))
(allow init debugfs_type (lnk_file (getattr relabelto)))

;; system_server: read-only access to the wakeup-sources node only.
(allow system_server debugfs_wakeup_sources
    (file (ioctl read getattr lock map open watch watch_reads)))

;; vendor_init: the same write-capable file permission set as init on
;; debugfs_file_type.
(allow vendor_init debugfs_file_type
    (file (create getattr open read write setattr relabelfrom unlink map)))

;; NOTE(review): this rule uses the `file` class against debugfs_fs_type,
;; whereas init's rule on the same attribute uses the `filesystem` class.
;; Confirm that is intended before reusing it.
(allow vendor_init debugfs_fs_type
    (file (open read setattr map)))