diff options
Diffstat (limited to 'unconfined.te')
-rw-r--r-- | unconfined.te | 90 |
1 files changed, 0 insertions, 90 deletions
diff --git a/unconfined.te b/unconfined.te deleted file mode 100644 index a76c3d8..0000000 --- a/unconfined.te +++ /dev/null @@ -1,90 +0,0 @@ -####################################################### -# -# This is the unconfined template. This template is the base policy -# which is used by daemons and other privileged components of -# Android. -# -# Historically, this template was called "unconfined" because it -# allowed the domain to do anything it wanted. Over time, -# this has changed, and will continue to change in the future. -# The rules in this file will be removed when no remaining -# unconfined domains require it, or when the rules contradict -# Android security best practices. Domains which need rules not -# provided by the unconfined template should add them directly to -# the relevant policy. -# -# The use of this template is discouraged. -###################################################### - -allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module audit_write audit_control linux_immutable }; -allow unconfineddomain self:capability2 ~{ mac_override mac_admin }; -allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam }; -allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console }; -allow unconfineddomain domain:fd *; -allow unconfineddomain domain:dir r_dir_perms; -allow unconfineddomain domain:lnk_file r_file_perms; -allow unconfineddomain domain:{ fifo_file file } rw_file_perms; -allow unconfineddomain domain:{ - socket - netlink_socket - key_socket - unix_stream_socket - unix_dgram_socket - netlink_route_socket - netlink_firewall_socket - netlink_tcpdiag_socket - netlink_nflog_socket - netlink_xfrm_socket - netlink_selinux_socket - netlink_audit_socket - netlink_ip6fw_socket - netlink_dnrt_socket - netlink_kobject_uevent_socket - tun_socket -} *; -allow unconfineddomain domain:ipc_class_set *; -allow unconfineddomain domain:key *; -allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~relabelto; -allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~relabelto; -allow unconfineddomain { - file_type - -keystore_data_file - -property_data_file - -system_file - -exec_type - -security_file - -shell_data_file - -app_data_file -}:{ dir lnk_file sock_file fifo_file } ~relabelto; -allow unconfineddomain exec_type:dir r_dir_perms; -allow unconfineddomain exec_type:file { r_file_perms execute }; -allow unconfineddomain exec_type:lnk_file r_file_perms; -allow unconfineddomain system_file:dir r_dir_perms; -allow unconfineddomain system_file:file { r_file_perms execute }; -allow unconfineddomain system_file:lnk_file r_file_perms; -allow unconfineddomain { - fs_type - -usermodehelper - -proc_security - -contextmount_type - -rootfs - -sdcard_type -}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto}; -allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto}; -allow unconfineddomain { - file_type - -keystore_data_file - -property_data_file - -system_file - -exec_type - -security_file - -shell_data_file - -app_data_file -}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto}; -allow unconfineddomain rootfs:file execute; -allow unconfineddomain contextmount_type:dir r_dir_perms; -allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms; -allow unconfineddomain node_type:node *; -allow unconfineddomain netif_type:netif *; -allow unconfineddomain domain:peer recv; -allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr }; |