kernel.te - OpenGrok cross reference for /system/sepolicy/prebuilts/api/26.0/public/kernel.te

Lines Matching full:kernel
1 # Life begins with the kernel.
2 type kernel, domain, mlstrustedsubject;
4 allow kernel self:capability sys_nice;
7 r_dir_file(kernel, rootfs)
8 r_dir_file(kernel, proc)
11 allow kernel selinuxfs:dir r_dir_perms;
12 allow kernel selinuxfs:file r_file_perms;
15 allow kernel file_contexts_file:file r_file_perms;
18 allow kernel rootfs:file relabelfrom;
19 allow kernel init_exec:file relabelto;
21 allow kernel init:process share;
24 allow kernel unlabeled:dir search;
27 allow kernel usbfs:filesystem mount;
28 allow kernel usbfs:dir search;
31 # We use dontaudit instead of allow to prevent a kernel spawned userspace
33 dontaudit kernel self:security setenforce;
36 allow kernel self:capability sys_resource;
43 allow kernel self:capability sys_boot;
44 allow kernel proc_sysrq:file w_file_perms;
47 allow kernel tmpfs:chr_file write;
50 allow kernel selinuxfs:file write;
51 allow kernel self:security setcheckreqprot;
54 # kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
55 allow kernel priv_app:fd use;
56 allow kernel sdcard_type:file { read write };
58 # Allow the kernel to read OBB files from app directories. (b/17428116)
59 # Kernel thread "loop0" reads a vold supplied file descriptor.
63 allow kernel vold:fd use;
64 allow kernel app_data_file:file read;
65 allow kernel asec_image_file:file read;
69   allow kernel update_engine_data_file:file read;
70   allow kernel nativetest_data_file:file read;
76 allow kernel media_rw_data_file:dir create_dir_perms;
77 allow kernel media_rw_data_file:file create_file_perms;
80 allow kernel vold_data_file:file read;
86 # The initial task starts in the kernel domain (assigned via
88 neverallow * kernel:process { transition dyntransition };
90 # The kernel domain is never entered via an exec, nor should it
92 # If you encounter an execute_no_trans denial on the kernel domain, then
94 # - The program is a kernel usermodehelper.  In this case, define a domain
98 neverallow kernel *:file { entrypoint execute_no_trans };
100 # the kernel should not be accessing files owned by other users.
103 neverallow kernel self:capability { dac_override dac_read_search };