1######################################
2# Attribute declarations
3#
4
5# All types used for devices.
6# On change, update CHECK_FC_ASSERT_ATTRS
7# definition in tools/checkfc.c.
8attribute dev_type;
9
10# All types used for processes.
11attribute domain;
12
13# All types used for filesystems.
14# On change, update CHECK_FC_ASSERT_ATTRS
15# definition in tools/checkfc.c.
16attribute fs_type;
17
18# All types used for context= mounts.
19attribute contextmount_type;
20
21# All types used for files that can exist on a labeled fs.
22# Do not use for pseudo file types.
23# On change, update CHECK_FC_ASSERT_ATTRS
24# definition in tools/checkfc.c.
25attribute file_type;
26
27# All types used for domain entry points.
28attribute exec_type;
29
30# All types used for /data files.
31attribute data_file_type;
32# All types in /data, but not in /data/vendor.
33attribute core_data_file_type;
34# All types in /vendor.
35attribute vendor_file_type;
36
37# All types used for sysfs files.
38attribute sysfs_type;
39
40# All types used for debugfs files.
41attribute debugfs_type;
42
43# Attribute used for all sdcards.
44attribute sdcard_type;
45
46# All types used for nodes/hosts.
47attribute node_type;
48
49# All types used for network interfaces.
50attribute netif_type;
51
52# All types used for network ports.
53attribute port_type;
54
55# All types used for the property service.
56# On change, update CHECK_PC_ASSERT_ATTRS
57# definition in tools/checkfc.c.
58attribute property_type;
59
60# All properties defined in core SELinux policy. Should not be
61# used for device-specific properties.
62attribute core_property_type;
63
64# All properties used to configure log filtering.
65attribute log_property_type;
66
67# All service_manager types created by system_server.
68attribute system_server_service;
69
70# Services which should be available to all apps except isolated apps.
71attribute app_api_service;
72
73# Services which should be available to all ephemeral apps.
74attribute ephemeral_app_api_service;
75
76# Services which export only system_api.
77attribute system_api_service;
78
79# All types used for services managed by servicemanager.
80# On change, update CHECK_SC_ASSERT_ATTRS
81# definition in tools/checkfc.c.
82attribute service_manager_type;
83
84# All types used for services managed by hwservicemanager.
85attribute hwservice_manager_type;
86
87# All HwBinder services guaranteed to be passthrough. These services always run
88# in the process of their clients, and thus operate with the same access as
89# their clients.
90attribute same_process_hwservice;
91
92# All HwBinder services guaranteed to be offered only by core domain components.
93attribute coredomain_hwservice;
94
95# All types used for services managed by vndservicemanager.
96attribute vndservice_manager_type;
97
98
99# All domains that can override MLS restrictions,
100# i.e. processes that can read up and write down.
# NOTE(review): membership exempts a domain from the MLS restrictions named
# above, so additions to this attribute deserve explicit review.
101attribute mlstrustedsubject;
102
103# All types that can override MLS restrictions,
104# i.e. files that can be read by lower levels and written by higher levels.
# NOTE(review): as with mlstrustedsubject, each type added here widens what
# crosses MLS levels; keep the set small.
105attribute mlstrustedobject;
106
107# All domains used for apps.
108attribute appdomain;
109
110# All third-party apps.
111attribute untrusted_app_all;
112
113# All domains used for apps with network access.
114attribute netdomain;
115
116# All domains used for apps with bluetooth access.
117attribute bluetoothdomain;
118
119# All domains used for binder service domains.
120attribute binderservicedomain;
121
122# update_engine related domains that need to apply an update and run
123# postinstall. This includes the background daemon and the sideload tool from
124# recovery for A/B devices.
125attribute update_engine_common;
126
127# All core domains (as opposed to vendor/device-specific domains).
128attribute coredomain;
129
130# All socket devices owned by core domain components.
131attribute coredomain_socket;
132
133# All vendor domains which violate the requirement of not using Binder.
134# TODO(b/35870313): Remove this once there are no violations
135attribute binder_in_vendor_violators;
136
137# All vendor domains which violate the requirement of not using sockets for
138# communicating with core components.
139# TODO(b/36577153): Remove this once there are no violations
140attribute socket_between_core_and_vendor_violators;
141
142# All vendor domains which violate the requirement of not executing
143# system processes.
144# TODO(b/36463595)
# NOTE(review): this TODO carries no description; presumably it means the same
# "remove once there are no violations" as the two attributes above — confirm.
145attribute vendor_executes_system_violators;
146
147# hwservices that are accessible from untrusted applications.
148# WARNING: Use of this attribute should be avoided unless
149# absolutely necessary.  It is a temporary allowance to aid the
150# transition to Treble and will be removed in a future platform
151# version, requiring all hwservices that are labeled with this
152# attribute to be submitted to AOSP in order to maintain their
153# app-visibility.
154attribute untrusted_app_visible_hwservice;
155
156# PDX services
# Attributes for PDX endpoint directories, endpoint sockets and channel sockets.
157attribute pdx_endpoint_dir_type;
158attribute pdx_endpoint_socket_type;
159attribute pdx_channel_socket_type;
160
# pdx_service_attributes() is a macro defined outside this file.
# NOTE(review): presumably it declares the per-service attributes for the named
# PDX service — confirm against the macro definition.
161pdx_service_attributes(display_client)
162pdx_service_attributes(display_manager)
163pdx_service_attributes(display_screenshot)
164pdx_service_attributes(display_vsync)
165pdx_service_attributes(performance_client)
166pdx_service_attributes(bufferhub_client)
167
168# All HAL servers.
169attribute halserverdomain;
170# All HAL clients.
171attribute halclientdomain;
172
173# HALs
# Each HAL below is declared as three attributes: hal_<name>,
# hal_<name>_client and hal_<name>_server.
# NOTE(review): presumably the _client and _server variants mark the domains
# that call and that implement the HAL; the rules that associate domains with
# these attributes are not in this file — confirm there.
174attribute hal_allocator;
175attribute hal_allocator_client;
176attribute hal_allocator_server;
177attribute hal_audio;
178attribute hal_audio_client;
179attribute hal_audio_server;
180attribute hal_bluetooth;
181attribute hal_bluetooth_client;
182attribute hal_bluetooth_server;
183attribute hal_bootctl;
184attribute hal_bootctl_client;
185attribute hal_bootctl_server;
186attribute hal_camera;
187attribute hal_camera_client;
188attribute hal_camera_server;
189attribute hal_configstore;
190attribute hal_configstore_client;
191attribute hal_configstore_server;
192attribute hal_contexthub;
193attribute hal_contexthub_client;
194attribute hal_contexthub_server;
195attribute hal_drm;
196attribute hal_drm_client;
197attribute hal_drm_server;
198attribute hal_dumpstate;
199attribute hal_dumpstate_client;
200attribute hal_dumpstate_server;
201attribute hal_fingerprint;
202attribute hal_fingerprint_client;
203attribute hal_fingerprint_server;
204attribute hal_gatekeeper;
205attribute hal_gatekeeper_client;
206attribute hal_gatekeeper_server;
207attribute hal_gnss;
208attribute hal_gnss_client;
209attribute hal_gnss_server;
210attribute hal_graphics_allocator;
211attribute hal_graphics_allocator_client;
212attribute hal_graphics_allocator_server;
213attribute hal_graphics_composer;
214attribute hal_graphics_composer_client;
215attribute hal_graphics_composer_server;
216attribute hal_health;
217attribute hal_health_client;
218attribute hal_health_server;
219attribute hal_ir;
220attribute hal_ir_client;
221attribute hal_ir_server;
222attribute hal_keymaster;
223attribute hal_keymaster_client;
224attribute hal_keymaster_server;
225attribute hal_light;
226attribute hal_light_client;
227attribute hal_light_server;
228attribute hal_memtrack;
229attribute hal_memtrack_client;
230attribute hal_memtrack_server;
231attribute hal_nfc;
232attribute hal_nfc_client;
233attribute hal_nfc_server;
234attribute hal_oemlock;
235attribute hal_oemlock_client;
236attribute hal_oemlock_server;
237attribute hal_power;
238attribute hal_power_client;
239attribute hal_power_server;
240attribute hal_sensors;
241attribute hal_sensors_client;
242attribute hal_sensors_server;
243attribute hal_telephony;
244attribute hal_telephony_client;
245attribute hal_telephony_server;
246attribute hal_tetheroffload;
247attribute hal_tetheroffload_client;
248attribute hal_tetheroffload_server;
249attribute hal_thermal;
250attribute hal_thermal_client;
251attribute hal_thermal_server;
252attribute hal_tv_cec;
253attribute hal_tv_cec_client;
254attribute hal_tv_cec_server;
255attribute hal_tv_input;
256attribute hal_tv_input_client;
257attribute hal_tv_input_server;
258attribute hal_usb;
259attribute hal_usb_client;
260attribute hal_usb_server;
261attribute hal_vibrator;
262attribute hal_vibrator_client;
263attribute hal_vibrator_server;
264attribute hal_vr;
265attribute hal_vr_client;
266attribute hal_vr_server;
267attribute hal_weaver;
268attribute hal_weaver_client;
269attribute hal_weaver_server;
270attribute hal_wifi;
271attribute hal_wifi_client;
272attribute hal_wifi_server;
273attribute hal_wifi_keystore;
274attribute hal_wifi_keystore_client;
275attribute hal_wifi_keystore_server;
276attribute hal_wifi_offload;
277attribute hal_wifi_offload_client;
278attribute hal_wifi_offload_server;
279attribute hal_wifi_supplicant;
280attribute hal_wifi_supplicant_client;
281attribute hal_wifi_supplicant_server;
282
283# HwBinder services offered across the core-vendor boundary
284#
285# We annotate server domains with x_server to loosen the coupling between
286# system and vendor images. For example, it should be possible to move a service
287# from one core domain to another, without having to update the vendor image
288# which contains clients of this service.
289
290attribute display_service_server;
291attribute wifi_keystore_service_server;
292