######################################
# Attribute declarations
#
# An attribute names a group of types so that one rule or neverallow
# assertion can cover every member. Where an "expandattribute" line follows
# a declaration it fixes how the policy compiler treats that attribute:
#   true  - the attribute is expanded into its member types
#   false - the attribute is kept as-is in the compiled policy
#

# Every type that labels a device.
# When changing this, also update CHECK_FC_ASSERT_ATTRS
# in tools/checkfc.c
attribute dev_type;

# Every type that labels a process.
attribute domain;

# Every type that labels a filesystem.
# When changing this, also update the CHECK_FC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute fs_type;

# Every type used for context= mounts.
attribute contextmount_type;

# Every type for files that can exist on a labeled fs.
# Not to be used for pseudo file types.
# When changing this, also update the CHECK_FC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute file_type;

# Every type used as a domain entry point.
attribute exec_type;

# Every type used for /data files.
attribute data_file_type;
expandattribute data_file_type false;
# Every type in /data that is not in /data/vendor
attribute core_data_file_type;
# Every type in /vendor
attribute vendor_file_type;

# Every type used for sysfs files.
attribute sysfs_type;

# Every type used for debugfs files.
attribute debugfs_type;

# Attribute covering all sdcards
attribute sdcard_type;

# Every type used for nodes/hosts.
attribute node_type;

# Every type used for network interfaces.
attribute netif_type;

# Every type used for network ports.
attribute port_type;

# Every type used by the property service.
# When changing this, also update the CHECK_PC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute property_type;

# Every property defined in core SELinux policy. Device specific
# properties should not use it.
attribute core_property_type;

# Every property used to configure log filtering.
attribute log_property_type;

# Every service_manager type created by system_server
attribute system_server_service;

# Services that should be available to all apps except isolated apps
attribute app_api_service;

# Services that should be available to all ephemeral apps
attribute ephemeral_app_api_service;

# Services that export only system_api
attribute system_api_service;

# Every type used for services managed by servicemanager.
# When changing this, also update the CHECK_SC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute service_manager_type;

# Every type used for services managed by hwservicemanager
attribute hwservice_manager_type;

# Every HwBinder service guaranteed to be passthrough. Such a service always
# runs inside the process of its client, so it operates with exactly the
# access its client has.
attribute same_process_hwservice;

# Every HwBinder service guaranteed to be offered only by core domain components
attribute coredomain_hwservice;

# Every type used for services managed by vndservicemanager
attribute vndservice_manager_type;


# Every domain that can override MLS restrictions,
# i.e. processes that can read up and write down.
# Membership exempts a domain from MLS separation, so each addition
# deserves review.
attribute mlstrustedsubject;

# Every type that can override MLS restrictions,
# i.e. files that can be read by lower and written by higher
attribute mlstrustedobject;

# Every domain used for apps.
attribute appdomain;

# Every third party app.
attribute untrusted_app_all;

# Every domain used for apps with network access.
attribute netdomain;

# Every domain used for apps with bluetooth access.
attribute bluetoothdomain;

# Every domain used for binder service domains.
attribute binderservicedomain;

# update_engine related domains that have to apply an update and run
# postinstall: the background daemon and, for A/B devices, the sideload
# tool from recovery.
attribute update_engine_common;

# Every core domain (as opposed to vendor/device-specific domains)
attribute coredomain;

# Every socket device owned by core domain components
attribute coredomain_socket;

# The three *_violators attributes below mark vendor domains that are
# exempted from a core/vendor separation requirement.
# NOTE(review): presumably they are declared "expandattribute false" so the
# remaining exemptions stay identifiable in the compiled policy - confirm.

# Every vendor domain that violates the requirement of not using Binder
# TODO(b/35870313): Remove this once there are no violations
attribute binder_in_vendor_violators;
expandattribute binder_in_vendor_violators false;

# Every vendor domain that violates the requirement of not using sockets for
# communicating with core components
# TODO(b/36577153): Remove this once there are no violations
attribute socket_between_core_and_vendor_violators;
expandattribute socket_between_core_and_vendor_violators false;

# Every vendor domain that violates the requirement of not executing
# system processes
# TODO(b/36463595)
attribute vendor_executes_system_violators;
expandattribute vendor_executes_system_violators false;

# hwservices that untrusted applications can reach.
# WARNING: Avoid this attribute unless it is absolutely necessary.
# It is a temporary allowance to aid the transition to treble and
# will be removed in a future platform version; from then on every
# hwservice labeled with this attribute has to be submitted to AOSP
# in order to maintain its app-visibility.
attribute untrusted_app_visible_hwservice;
expandattribute untrusted_app_visible_hwservice false;

# halserver domains that untrusted applications can reach. These are
# typically the domains hosting the hwservices attributed by
# untrusted_app_visible_hwservice.
# WARNING: Avoid this attribute unless it is absolutely necessary.
# It is a temporary allowance to aid the transition to treble and will be
# removed in a future platform version; from then on every halserver domain
# labeled with this attribute has to be submitted to AOSP in order to
# maintain its app-visibility.
attribute untrusted_app_visible_halserver;
expandattribute untrusted_app_visible_halserver false;

# PDX services
attribute pdx_endpoint_dir_type;
attribute pdx_endpoint_socket_type;
expandattribute pdx_endpoint_socket_type false;
attribute pdx_channel_socket_type;
expandattribute pdx_channel_socket_type false;

# pdx_service_attributes() is a macro defined outside this file.
# NOTE(review): presumably it declares the per-service PDX attributes for
# the named service - confirm against the macro definition.
pdx_service_attributes(display_client)
pdx_service_attributes(display_manager)
pdx_service_attributes(display_screenshot)
pdx_service_attributes(display_vsync)
pdx_service_attributes(performance_client)
pdx_service_attributes(bufferhub_client)

# Every HAL server
attribute halserverdomain;
# Every HAL client
attribute halclientdomain;
expandattribute halclientdomain true;

# HALs
# Each HAL declares three attributes: hal_<name>, hal_<name>_client and
# hal_<name>_server. Every _client is expanded and every _server is kept;
# the base attribute is expanded except for hal_audio and hal_bootctl.
attribute hal_allocator;
expandattribute hal_allocator true;
attribute hal_allocator_client;
expandattribute hal_allocator_client true;
attribute hal_allocator_server;
expandattribute hal_allocator_server false;

attribute hal_audio;
expandattribute hal_audio false;
attribute hal_audio_client;
expandattribute hal_audio_client true;
attribute hal_audio_server;
expandattribute hal_audio_server false;

attribute hal_bluetooth;
expandattribute hal_bluetooth true;
attribute hal_bluetooth_client;
expandattribute hal_bluetooth_client true;
attribute hal_bluetooth_server;
expandattribute hal_bluetooth_server false;

attribute hal_bootctl;
expandattribute hal_bootctl false;
attribute hal_bootctl_client;
expandattribute hal_bootctl_client true;
attribute hal_bootctl_server;
expandattribute hal_bootctl_server false;

attribute hal_broadcastradio;
expandattribute hal_broadcastradio true;
# HAL attribute list, continued. Each HAL has a base attribute plus a
# _client and a _server attribute. "expandattribute <attr> true" has the
# compiler expand the attribute into its member types; "false" keeps the
# attribute in the compiled policy. In this stretch every _client is
# expanded and every _server is kept; the base attribute is expanded
# except for hal_camera, hal_drm and hal_cas.
attribute hal_broadcastradio_client;
expandattribute hal_broadcastradio_client true;
attribute hal_broadcastradio_server;
expandattribute hal_broadcastradio_server false;

attribute hal_camera;
expandattribute hal_camera false;
attribute hal_camera_client;
expandattribute hal_camera_client true;
attribute hal_camera_server;
expandattribute hal_camera_server false;

attribute hal_configstore;
expandattribute hal_configstore true;
attribute hal_configstore_client;
expandattribute hal_configstore_client true;
attribute hal_configstore_server;
expandattribute hal_configstore_server false;

attribute hal_contexthub;
expandattribute hal_contexthub true;
attribute hal_contexthub_client;
expandattribute hal_contexthub_client true;
attribute hal_contexthub_server;
expandattribute hal_contexthub_server false;

attribute hal_drm;
expandattribute hal_drm false;
attribute hal_drm_client;
expandattribute hal_drm_client true;
attribute hal_drm_server;
expandattribute hal_drm_server false;

attribute hal_cas;
expandattribute hal_cas false;
attribute hal_cas_client;
expandattribute hal_cas_client true;
attribute hal_cas_server;
expandattribute hal_cas_server false;

attribute hal_dumpstate;
expandattribute hal_dumpstate true;
attribute hal_dumpstate_client;
expandattribute hal_dumpstate_client true;
attribute hal_dumpstate_server;
expandattribute hal_dumpstate_server false;

attribute hal_fingerprint;
expandattribute hal_fingerprint true;
attribute hal_fingerprint_client;
expandattribute hal_fingerprint_client true;
attribute hal_fingerprint_server;
expandattribute hal_fingerprint_server false;

attribute hal_gatekeeper;
expandattribute hal_gatekeeper true;
attribute hal_gatekeeper_client;
expandattribute hal_gatekeeper_client true;
attribute hal_gatekeeper_server;
expandattribute hal_gatekeeper_server false;

attribute hal_gnss;
# HAL attribute list, continued. Each HAL has a base attribute plus a
# _client and a _server attribute. "expandattribute <attr> true" has the
# compiler expand the attribute into its member types; "false" keeps the
# attribute in the compiled policy. Through the end of the list every base
# and _client attribute is expanded and every _server attribute is kept.
expandattribute hal_gnss true;
attribute hal_gnss_client;
expandattribute hal_gnss_client true;
attribute hal_gnss_server;
expandattribute hal_gnss_server false;

attribute hal_graphics_allocator;
expandattribute hal_graphics_allocator true;
attribute hal_graphics_allocator_client;
expandattribute hal_graphics_allocator_client true;
attribute hal_graphics_allocator_server;
expandattribute hal_graphics_allocator_server false;

attribute hal_graphics_composer;
expandattribute hal_graphics_composer true;
attribute hal_graphics_composer_client;
expandattribute hal_graphics_composer_client true;
attribute hal_graphics_composer_server;
expandattribute hal_graphics_composer_server false;

attribute hal_health;
expandattribute hal_health true;
attribute hal_health_client;
expandattribute hal_health_client true;
attribute hal_health_server;
expandattribute hal_health_server false;

attribute hal_ir;
expandattribute hal_ir true;
attribute hal_ir_client;
expandattribute hal_ir_client true;
attribute hal_ir_server;
expandattribute hal_ir_server false;

attribute hal_keymaster;
expandattribute hal_keymaster true;
attribute hal_keymaster_client;
expandattribute hal_keymaster_client true;
attribute hal_keymaster_server;
expandattribute hal_keymaster_server false;

attribute hal_light;
expandattribute hal_light true;
attribute hal_light_client;
expandattribute hal_light_client true;
attribute hal_light_server;
expandattribute hal_light_server false;

attribute hal_memtrack;
expandattribute hal_memtrack true;
attribute hal_memtrack_client;
expandattribute hal_memtrack_client true;
attribute hal_memtrack_server;
expandattribute hal_memtrack_server false;

attribute hal_neuralnetworks;
expandattribute hal_neuralnetworks true;
attribute hal_neuralnetworks_client;
expandattribute hal_neuralnetworks_client true;
attribute hal_neuralnetworks_server;
expandattribute hal_neuralnetworks_server false;

attribute hal_nfc;
expandattribute hal_nfc true;
attribute hal_nfc_client;
expandattribute hal_nfc_client true;
attribute hal_nfc_server;
expandattribute hal_nfc_server false;

attribute hal_oemlock;
expandattribute hal_oemlock true;
attribute hal_oemlock_client;
expandattribute hal_oemlock_client true;
attribute hal_oemlock_server;
expandattribute hal_oemlock_server false;

attribute hal_power;
expandattribute hal_power true;
attribute hal_power_client;
expandattribute hal_power_client true;
attribute hal_power_server;
expandattribute hal_power_server false;

attribute hal_sensors;
expandattribute hal_sensors true;
attribute hal_sensors_client;
expandattribute hal_sensors_client true;
attribute hal_sensors_server;
expandattribute hal_sensors_server false;

attribute hal_telephony;
expandattribute hal_telephony true;
attribute hal_telephony_client;
expandattribute hal_telephony_client true;
attribute hal_telephony_server;
expandattribute hal_telephony_server false;

attribute hal_tetheroffload;
expandattribute hal_tetheroffload true;
attribute hal_tetheroffload_client;
expandattribute hal_tetheroffload_client true;
attribute hal_tetheroffload_server;
expandattribute hal_tetheroffload_server false;

attribute hal_thermal;
expandattribute hal_thermal true;
attribute hal_thermal_client;
expandattribute hal_thermal_client true;
attribute hal_thermal_server;
expandattribute hal_thermal_server false;

attribute hal_tv_cec;
expandattribute hal_tv_cec true;
attribute hal_tv_cec_client;
expandattribute hal_tv_cec_client true;
attribute hal_tv_cec_server;
expandattribute hal_tv_cec_server false;

attribute hal_tv_input;
expandattribute hal_tv_input true;
attribute hal_tv_input_client;
expandattribute hal_tv_input_client true;
attribute hal_tv_input_server;
expandattribute hal_tv_input_server false;

attribute hal_usb;
expandattribute hal_usb true;
attribute hal_usb_client;
expandattribute hal_usb_client true;
attribute hal_usb_server;
expandattribute hal_usb_server false;

attribute hal_vibrator;
expandattribute hal_vibrator true;
attribute hal_vibrator_client;
expandattribute hal_vibrator_client true;
attribute hal_vibrator_server;
expandattribute hal_vibrator_server false;

attribute hal_vr;
expandattribute hal_vr true;
attribute hal_vr_client;
expandattribute hal_vr_client true;
attribute hal_vr_server;
expandattribute hal_vr_server false;

attribute hal_weaver;
expandattribute hal_weaver true;
attribute hal_weaver_client;
expandattribute hal_weaver_client true;
attribute hal_weaver_server;
expandattribute hal_weaver_server false;

attribute hal_wifi;
expandattribute hal_wifi true;
attribute hal_wifi_client;
expandattribute hal_wifi_client true;
attribute hal_wifi_server;
expandattribute hal_wifi_server false;

attribute hal_wifi_offload;
expandattribute hal_wifi_offload true;
attribute hal_wifi_offload_client;
expandattribute hal_wifi_offload_client true;
attribute hal_wifi_offload_server;
expandattribute hal_wifi_offload_server false;

attribute hal_wifi_supplicant;
expandattribute hal_wifi_supplicant true;
attribute hal_wifi_supplicant_client;
expandattribute hal_wifi_supplicant_client true;
attribute hal_wifi_supplicant_server;
expandattribute hal_wifi_supplicant_server false;

# HwBinder services offered across the core-vendor boundary
#
# Server domains are annotated with x_server to loosen the coupling between
# the system and vendor images. For example, a service can then be moved
# from one core domain to another without any update to the vendor image
# that contains the clients of this service.

attribute display_service_server;
attribute wifi_keystore_service_server;
