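######################################
# Attribute declarations
#
# An attribute names a group of types so that a single allow/neverallow rule
# can cover every member. Associating a type with an attribute makes every
# rule written against that attribute apply to the type, so membership changes
# deserve the same review as new allow rules.
#
# "expandattribute <attr> false;" asks the policy compiler to keep the
# attribute in the compiled policy; "true" asks it to replace the attribute
# with its member types.

# All types used for devices.
# On change, update CHECK_FC_ASSERT_ATTRS
# in tools/checkfc.c
attribute dev_type;

# Attribute for all bpf filesystem subtypes.
attribute bpffs_type;

# All types used for processes.
attribute domain;

# All types used for filesystems.
# On change, update CHECK_FC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute fs_type;

# All types used for context= mounts.
attribute contextmount_type;

# All types referencing a FUSE filesystem.
# When mounting a new FUSE filesystem, the fscontext= option should be used to
# set a domain-specific type with this attribute. See app_fusefs for an
# example.
attribute fusefs_type;

# All types used for files that can exist on a labeled fs.
# Do not use for pseudo file types.
# On change, update CHECK_FC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute file_type;

# All types used for domain entry points.
attribute exec_type;

# All types used for /data files.
attribute data_file_type;
expandattribute data_file_type false;
# All types in /data, not in /data/vendor
attribute core_data_file_type;
expandattribute core_data_file_type false;

# All types used for app private data files in seapp_contexts.
# Such types should not be applied to any other files: rules written against
# this attribute assume its members label app-private data only.
attribute app_data_file_type;
expandattribute app_data_file_type false;

# All types in /system
attribute system_file_type;

# All types in /system_dlkm
attribute system_dlkm_file_type;

# All types in /vendor
attribute vendor_file_type;

# All types used for procfs files.
attribute proc_type;
expandattribute proc_type false;

# Types in /proc/net, excluding qtaguid types.
# TODO(b/9496886) Lock down access to /proc/net.
# This attribute is used to audit access to proc_net. It is temporary and will
# be removed.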
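attribute proc_net_type;
expandattribute proc_net_type true;

# All types used for sysfs files.
attribute sysfs_type;

# All types used for debugfs files.
attribute debugfs_type;

# All types used for tracefs files.
attribute tracefs_type;

# Attribute used for all sdcards
attribute sdcard_type;

# All types used for nodes/hosts.
attribute node_type;

# All types used for network interfaces.
attribute netif_type;

# All types used for network ports.
attribute port_type;

# All types used for property service
# On change, update CHECK_PC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute property_type;

# All properties defined in core SELinux policy. Should not be
# used by device specific properties
attribute core_property_type;

# All properties used to configure log filtering.
attribute log_property_type;

# All properties that are not specific to device but are added from
# outside of AOSP. (e.g. OEM-specific properties)
# These properties are not accessible from device-specific domains
attribute extended_core_property_type;

# Properties used for representing ownership. All properties should have one
# of: system_property_type, product_property_type, or vendor_property_type.
#
# Within each owner, the internal/restricted/public attributes below describe
# who may use a property: internal is used only by the owner, restricted
# cannot be written from outside the owner, public has no restrictions.

# All properties defined by /system.
attribute system_property_type;
expandattribute system_property_type false;

# All /system-defined properties used only in /system.
attribute system_internal_property_type;
expandattribute system_internal_property_type false;

# All /system-defined properties which can't be written outside /system.
attribute system_restricted_property_type;
expandattribute system_restricted_property_type false;

# All /system-defined properties with no restrictions.
attribute system_public_property_type;
expandattribute system_public_property_type false;

# All keystore2_key labels.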
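attribute keystore2_key_type;

# All properties defined by /product.
# Currently there is no enforcement between /system and /product, so for now
# the /product attributes are simply m4 aliases of the /system attributes.
# Consequence: any rule written against a product_* attribute also applies to
# every /system property type, and vice versa.
define(`product_property_type', `system_property_type')
define(`product_internal_property_type', `system_internal_property_type')
define(`product_restricted_property_type', `system_restricted_property_type')
define(`product_public_property_type', `system_public_property_type')

# All properties defined by /vendor.
attribute vendor_property_type;
expandattribute vendor_property_type false;

# All /vendor-defined properties used only in /vendor.
attribute vendor_internal_property_type;
expandattribute vendor_internal_property_type false;

# All /vendor-defined properties which can't be written outside /vendor.
attribute vendor_restricted_property_type;
expandattribute vendor_restricted_property_type false;

# All /vendor-defined properties with no restrictions.
attribute vendor_public_property_type;
expandattribute vendor_public_property_type false;

# All service_manager types created by system_server
attribute system_server_service;

# services which should be available to all but isolated apps
attribute app_api_service;

# services which should be available to all ephemeral apps
attribute ephemeral_app_api_service;

# services which export only system_api
attribute system_api_service;

# services which are explicitly disallowed for untrusted apps to access
attribute protected_service;

# All types used for services managed by servicemanager.
# On change, update CHECK_SC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute service_manager_type;

# All types used for services managed by hwservicemanager
attribute hwservice_manager_type;

# All HwBinder services guaranteed to be passthrough. These services always run
# in the process of their clients, and thus operate with the same access as
# their clients.
attribute same_process_hwservice;

# All HwBinder services guaranteed to be offered only by core domain components
attribute coredomain_hwservice;

# All HwBinder services that untrusted apps can't directly access
attribute protected_hwservice;

# All types used for services managed by vndservicemanager
attribute vndservice_manager_type;

# All services declared as part of a HAL
attribute hal_service_type;

# All domains that can override MLS restrictions.
# i.e. processes that can read up and write down.
# Members bypass MLS separation entirely, so keep this set as small as
# possible.
attribute mlstrustedsubject;

# All types that can override MLS restrictions.
# i.e. files that can be read by lower and written by higher
# Members are reachable across MLS levels, so keep this set as small as
# possible.
attribute mlstrustedobject;

# All domains used for apps.
attribute appdomain;

# All third party apps (except isolated_app and ephemeral_app)
attribute untrusted_app_all;

# All apps with UID between AID_ISOLATED_START (99000) and AID_ISOLATED_END (99999).
attribute isolated_app_all;

# All service types that would be allowed for isolated_compute_app.
attribute isolated_compute_allowed_service;

# All device types that would be allowed for isolated_compute_app.
attribute isolated_compute_allowed_device;

# All domains used for apps with network access.
attribute netdomain;

# All domains used for apps with bluetooth access.
attribute bluetoothdomain;

# Specific domains that expose a binder service.
# Deprecated, consider granting the exact permissions required by your service.
attribute binderservicedomain;

# All domains which have BPF access.
attribute bpfdomain;
expandattribute bpfdomain false;

# update_engine related domains that need to apply an update and run
# postinstall. This includes the background daemon and the sideload tool from
# recovery for A/B devices.
attribute update_engine_common;

# All core domains (as opposed to vendor/device-specific domains)
attribute coredomain;

# All vendor hwservice.
attribute vendor_hwservice_type;

# All socket devices owned by core domain components
attribute coredomain_socket;
expandattribute coredomain_socket false;

# The *_violators attributes that follow each mark an exemption from a
# core/vendor separation requirement. Every member is a known deviation;
# membership should shrink over time, not grow.

# All vendor domains which violate the requirement of not using sockets for
# communicating with core components
# TODO(b/36577153): Remove this once there are no violations
attribute socket_between_core_and_vendor_violators;
expandattribute socket_between_core_and_vendor_violators false;

# All vendor domains which violate the requirement of not executing
# system processes
# TODO(b/36463595)
attribute vendor_executes_system_violators;
expandattribute vendor_executes_system_violators false;

# All domains which violate the requirement of not sharing files by path
# between vendor and core domains.
# TODO(b/34980020)
attribute data_between_core_and_vendor_violators;
expandattribute data_between_core_and_vendor_violators false;

# All system domains which violate the requirement of not executing vendor
# binaries/libraries.
# TODO(b/62041836)
attribute system_executes_vendor_violators;
expandattribute system_executes_vendor_violators false;

# All system domains which violate the requirement of not writing vendor
# properties.
# TODO(b/78598545): Remove this once there are no violations
attribute system_writes_vendor_properties_violators;
expandattribute system_writes_vendor_properties_violators false;

# All system domains which violate the requirement of not writing to
# /mnt/vendor/*. Must not be used on devices launched with P or later.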
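attribute system_writes_mnt_vendor_violators;
expandattribute system_writes_mnt_vendor_violators false;

# hwservices that are accessible from untrusted applications
# WARNING: Use of this attribute should be avoided unless
# absolutely necessary. It is a temporary allowance to aid the
# transition to treble and will be removed in a future platform
# version, requiring all hwservices that are labeled with this
# attribute to be submitted to AOSP in order to maintain their
# app-visibility.
# Every hwservice labeled with it is reachable from untrusted apps, so review
# each addition as a change to the app-facing attack surface.
attribute untrusted_app_visible_hwservice_violators;
expandattribute untrusted_app_visible_hwservice_violators false;

# halserver domains that are accessible to untrusted applications. These
# domains are typically those hosting hwservices attributed by the
# untrusted_app_visible_hwservice_violators.
# WARNING: Use of this attribute should be avoided unless absolutely necessary.
# It is a temporary allowance to aid the transition to treble and will be
# removed in a future platform version, requiring all halserver domains that
# are labeled with this attribute to be submitted to AOSP in order to maintain
# their app-visibility.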
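attribute untrusted_app_visible_halserver_violators;
expandattribute untrusted_app_visible_halserver_violators false;

# PDX services
attribute pdx_endpoint_dir_type;
attribute pdx_endpoint_socket_type;
expandattribute pdx_endpoint_socket_type false;
attribute pdx_channel_socket_type;
expandattribute pdx_channel_socket_type false;

# pdx_service_attributes() is a macro defined outside this file; each call
# declares the attributes for one PDX service.
pdx_service_attributes(display_client)
pdx_service_attributes(display_manager)
pdx_service_attributes(display_screenshot)
pdx_service_attributes(display_vsync)
pdx_service_attributes(performance_client)
pdx_service_attributes(bufferhub_client)

# All HAL servers
attribute halserverdomain;
# All HAL clients
attribute halclientdomain;
expandattribute halclientdomain true;

# Exemption for halserverdomain to access sockets. Only builds for automotive
# device types are allowed to use this attribute (enforced by CTS).
# Unlike a phone, in a car many modules are external from Android's perspective
# and HALs should be able to communicate with those devices through sockets.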
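attribute hal_automotive_socket_exemption;

# HALs
# hal_attribute() is a macro defined outside this file; each call declares the
# attributes for one HAL. Adding an entry here only creates the attributes;
# access is still granted by rules written elsewhere.
hal_attribute(allocator);
hal_attribute(atrace);
hal_attribute(audio);
hal_attribute(audiocontrol);
hal_attribute(authgraph);
hal_attribute(authsecret);
hal_attribute(bluetooth);
hal_attribute(bootctl);
hal_attribute(broadcastradio);
hal_attribute(camera);
hal_attribute(can_bus);
hal_attribute(can_controller);
hal_attribute(cas);
hal_attribute(codec2);
hal_attribute(configstore);
hal_attribute(confirmationui);
hal_attribute(contexthub);
hal_attribute(drm);
hal_attribute(dumpstate);
hal_attribute(evs);
hal_attribute(face);
hal_attribute(fastboot);
hal_attribute(fingerprint);
hal_attribute(gatekeeper);
hal_attribute(gnss);
hal_attribute(graphics_allocator);
hal_attribute(graphics_composer);
hal_attribute(health);
hal_attribute(health_storage);
hal_attribute(identity);
hal_attribute(input_classifier);
hal_attribute(input_processor);
hal_attribute(ir);
hal_attribute(ivn);
hal_attribute(keymaster);
hal_attribute(keymint);
hal_attribute(light);
hal_attribute(lowpan);
hal_attribute(macsec);
hal_attribute(memtrack);
hal_attribute(neuralnetworks);
hal_attribute(nfc);
hal_attribute(nlinterceptor);
hal_attribute(oemlock);
hal_attribute(omx);
hal_attribute(power);
hal_attribute(power_stats);
hal_attribute(rebootescrow);
hal_attribute(remoteaccess);
hal_attribute(secretkeeper);
hal_attribute(remotelyprovisionedcomponent_avf);
hal_attribute(secure_element);
hal_attribute(sensors);
hal_attribute(telephony);
hal_attribute(tetheroffload);
hal_attribute(thermal);
hal_attribute(threadnetwork);
hal_attribute(tv_cec);
hal_attribute(tv_hdmi_cec);
hal_attribute(tv_hdmi_connection);
hal_attribute(tv_hdmi_earc);
hal_attribute(tv_input);
hal_attribute(tv_tuner);
hal_attribute(usb);
hal_attribute(usb_gadget);
hal_attribute(uwb);
# TODO(b/196225233): Remove this attribute and its usages elsewhere
# once all chip vendors integrate to the new UWB stack.
hal_attribute(uwb_vendor);
hal_attribute(vehicle);
hal_attribute(vibrator);
hal_attribute(vr);
hal_attribute(weaver);
hal_attribute(wifi);
hal_attribute(wifi_hostapd);
hal_attribute(wifi_supplicant);

# HwBinder services offered across the core-vendor boundary
#
# We annotate server domains with x_server to loosen the coupling between
# system and vendor images. For example, it should be possible to move a service
# from one core domain to another, without having to update the vendor image
# which contains clients of this service.

attribute automotive_display_service_server;
attribute camera_service_server;
attribute display_service_server;
attribute evsmanager_service_server;
attribute remote_provisioning_service_server;
attribute scheduler_service_server;
attribute sensor_service_server;
attribute stats_service_server;
attribute system_suspend_internal_server;
attribute system_suspend_server;
attribute wifi_keystore_service_server;

# All types used for super partition block devices.
attribute super_block_device_type;

# All types used for DMA-BUF heaps
attribute dmabuf_heap_device_type;
expandattribute dmabuf_heap_device_type false;

# Types for VM managers
attribute vm_manager_device_type;

# All types used for DSU metadata files.
attribute gsi_metadata_file_type;

# Types used for module-specific APEX data directories under
# /data/{misc,misc_ce,misc_de}/apexdata.
attribute apex_data_file_type;

# Domains used for charger.
# This is the common type for domains that execute the charger's
# functionality, including setting and getting necessary properties,
# permissions to maintain the health loop, writing to kernel log, handling
# inputs and drawing screens, etc.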
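attribute charger_type;

# All types of ART properties.
attribute dalvik_config_prop_type;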