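# iorap.inode2filename -> look up file paths from an inode
#
# Domain for the inode-to-path lookup helper. The neverallow rules at the
# bottom restrict entry to this domain to init and iorapd. Its file access is
# deliberately narrow: directories may be traversed (getattr/open/read/search)
# and regular files may only be stat'ed (getattr); file contents are not
# readable, with the single lnk_file exception noted below.
type iorap_inode2filename, domain;
type iorap_inode2filename_exec, exec_type, file_type, system_file_type;
type iorap_inode2filename_tmpfs, file_type;

# Read-only access to dirs and files labeled rootfs (macro expands to the
# usual r_dir_perms / r_file_perms).
r_dir_file(iorap_inode2filename, rootfs)

# Allow usage of pipes (child stdout -> parent pipe).
# The fd is inherited from iorapd; results flow back over iorapd's fifo.
allow iorap_inode2filename iorapd:fd use;
allow iorap_inode2filename iorapd:fifo_file { read write getattr };

# CAP_DAC_READ_SEARCH: bypass DAC (owner/group/mode) checks for read and
# directory search. This lifts only the discretionary checks; the SELinux
# rules below still bound which labels the domain may touch, and those rules
# grant getattr only on regular files.
allow iorap_inode2filename self:capability dac_read_search;

# Exempt from MLS constraints so directory traversal is not blocked by MLS
# categories. Together with dac_read_search this is the broadest privilege in
# the domain; keep the allow rules below to getattr/search-style permissions.
typeattribute iorap_inode2filename mlstrustedsubject;

# Grant directory traversal (getattr/open/read/search) and file stat (getattr)
# on most of the labels under /. Keep this list alphabetical and do not add
# open/read on :file without revisiting the rationale above.
allow iorap_inode2filename apex_data_file:dir { getattr open read search };
allow iorap_inode2filename apex_data_file:file { getattr };
allow iorap_inode2filename apex_mnt_dir:dir { getattr open read search };
allow iorap_inode2filename apex_mnt_dir:file { getattr };
allow iorap_inode2filename apk_data_file:dir { getattr open read search };
allow iorap_inode2filename apk_data_file:file { getattr };
allow iorap_inode2filename app_data_file:dir { getattr open read search };
allow iorap_inode2filename app_data_file:file { getattr };
allow iorap_inode2filename backup_data_file:dir { getattr open read search };
allow iorap_inode2filename backup_data_file:file { getattr };
allow iorap_inode2filename bluetooth_data_file:dir { getattr open read search };
allow iorap_inode2filename bluetooth_data_file:file { getattr };
allow iorap_inode2filename bootchart_data_file:dir { getattr open read search };
allow iorap_inode2filename bootchart_data_file:file { getattr };
# Duplicate "search" permission removed from this rule (no semantic change).
allow iorap_inode2filename metadata_file:dir { getattr open read search };
allow iorap_inode2filename metadata_file:file { getattr };
allow iorap_inode2filename packages_list_file:dir { getattr open read search };
allow iorap_inode2filename packages_list_file:file { getattr };
allow iorap_inode2filename privapp_data_file:dir { getattr open read search };
allow iorap_inode2filename privapp_data_file:file { getattr };
allow iorap_inode2filename property_data_file:dir { getattr open read search };
allow iorap_inode2filename property_data_file:file { getattr };
allow iorap_inode2filename radio_data_file:dir { getattr open read search };
allow iorap_inode2filename radio_data_file:file { getattr };
allow iorap_inode2filename resourcecache_data_file:dir { getattr open read search };
allow iorap_inode2filename resourcecache_data_file:file { getattr };
allow iorap_inode2filename recovery_data_file:dir { getattr open read search };
allow iorap_inode2filename ringtone_file:dir { getattr open read search };
allow iorap_inode2filename ringtone_file:file { getattr };
allow iorap_inode2filename same_process_hal_file:dir { getattr open read search };
allow iorap_inode2filename same_process_hal_file:file { getattr };
allow iorap_inode2filename sepolicy_file:file { getattr };
allow iorap_inode2filename staging_data_file:dir { getattr open read search };
allow iorap_inode2filename staging_data_file:file { getattr };
allow iorap_inode2filename system_bootstrap_lib_file:dir { getattr open read search };
allow iorap_inode2filename system_bootstrap_lib_file:file { getattr };
allow iorap_inode2filename system_app_data_file:dir { getattr open read search };
allow iorap_inode2filename system_app_data_file:file { getattr };
allow iorap_inode2filename system_data_file:dir { getattr open read search };
allow iorap_inode2filename system_data_file:file { getattr };
# Only content read granted anywhere in this file: symlink targets under
# system_data_file may be resolved (open/read on lnk_file, not on file).
allow iorap_inode2filename system_data_file:lnk_file { getattr open read };
allow iorap_inode2filename system_data_root_file:dir { getattr open read search };
allow iorap_inode2filename textclassifier_data_file:dir { getattr open read search };
allow iorap_inode2filename textclassifier_data_file:file { getattr };
allow iorap_inode2filename toolbox_exec:file getattr;
allow iorap_inode2filename user_profile_data_file:dir { getattr open read search };
allow iorap_inode2filename user_profile_data_file:file { getattr };
allow iorap_inode2filename unencrypted_data_file:dir { getattr open read search };
allow iorap_inode2filename unlabeled:file { getattr };
allow iorap_inode2filename vendor_file:dir { getattr open read search };
allow iorap_inode2filename vendor_file:file { getattr };
allow iorap_inode2filename vendor_overlay_file:file { getattr };
allow iorap_inode2filename zygote_exec:file { getattr };

###
### neverallow rules
###

# Only init and iorapd may enter this domain, by static or dynamic transition;
# this pins the privileged helper to its intended parent.
neverallow { domain -init -iorapd } iorap_inode2filename:process { transition dyntransition };
# The helper has no network access of any kind (all permissions on every
# TCP/UDP/raw IP socket are denied at policy build time).
neverallow iorap_inode2filename domain:{ tcp_socket udp_socket rawip_socket } *;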
78