Google Git
Sign in
cos / mirrors / cros / chromiumos / platform2 / refs/heads/factory-atlas-11907.B / . / sepolicy / policy / chromeos / file.te
blob: 99834c17888554c599a034476733b33f2b8f0a0d [file] [log] [blame]
# TODO(fqj): go over files of cros_system_file, and to label exec only and rename with _exec suffix.
type cros_system_file, exec_type, file_type, cros_system_file_type;
type cros_usr_dirs, file_type, cros_system_file_type;
type cros_etc, file_type, cros_system_file_type;
allow chromeos_domain cros_system_file_type:dir search;
type cros_kernel_modules_ko_file, file_type;
type cros_kernel_modules_file, file_type;
type chromeos_startup_script_exec, exec_type, file_type;
type cros_dev_image_files, file_type;
type cros_seccomp_policy_file, file_type;
type cros_accelerator_logs_exec, exec_type, file_type;
type cros_anomaly_collector_exec, exec_type, file_type;
type cros_apk_cache_cleaner_jailed_exec, exec_type, file_type;
type cros_arc_oemcrypto_exec, exec_type, file_type;
type cros_arc_setup_exec, exec_type, file_type;
type cros_avahi_daemon_exec, exec_type, file_type;
type cros_bluetoothd_exec, exec_type, file_type;
type cros_bootstat_exec, exec_type, file_type;
type cros_btdispatch_exec, exec_type, file_type;
type cros_camera_algo_exec, exec_type, file_type;
type cros_camera_service_exec, exec_type, file_type;
type cros_chapsd_exec, exec_type, file_type;
type cros_chromeos_cleanup_logs_exec, exec_type, file_type;
type cros_chromeos_trim_exec, exec_type, file_type;
type cros_chrt_exec, exec_type, file_type;
type cros_conntrackd_exec, exec_type, file_type;
type cros_cras_exec, exec_type, file_type;
type cros_crash_reporter_exec, exec_type, file_type;
type cros_crash_sender_exec, exec_type, file_type;
type cros_cryptohomed_exec, exec_type, file_type;
type cros_dbus_daemon_exec, exec_type, file_type;
type cros_dbus_uuidgen_exec, exec_type, file_type;
type cros_debugd_exec, exec_type, file_type;
type cros_dhcpcd_exec, exec_type, file_type;
type cros_disks_exec, exec_type, file_type;
type cros_jetstream_update_stats_exec, exec_type, file_type;
type cros_journald_exec, exec_type, file_type;
type cros_logger_exec, exec_type, file_type;
type cros_machine_id_regen_exec, exec_type, file_type;
type cros_memd_exec, exec_type, file_type;
type cros_metrics_client_exec, exec_type, file_type;
type cros_metrics_daemon_exec, exec_type, file_type;
type cros_midis_exec, exec_type, file_type;
type cros_minijail_exec, exec_type, file_type;
type cros_modem_manager_exec, exec_type, file_type;
type cros_modprobe_exec, exec_type, file_type;
type cros_mtpd_exec, exec_type, file_type;
type cros_newblued_exec, exec_type, file_type;
type cros_periodic_scheduler_exec, exec_type, file_type;
type cros_permission_broker_exec, exec_type, file_type;
type cros_powerd_exec, exec_type, file_type;
type cros_restorecon_exec, exec_type, file_type;
type cros_rsyslogd_exec, exec_type, file_type;
type cros_session_manager_exec, exec_type, file_type;
type cros_shill_exec, exec_type, file_type;
type cros_sshd_exec, exec_type, file_type;
type cros_sslh_exec, exec_type, file_type;
type cros_tcsd_exec, exec_type, file_type;
type cros_tlsdated_exec, exec_type, file_type;
type cros_udevd_exec, exec_type, file_type;
type cros_update_engine_exec, exec_type, file_type;
type cros_userfeedback_file, exec_type, file_type;
type cros_wpa_supplicant_exec, exec_type, file_type;
type cros_home, file_type;
type cros_home_user, file_type;
type cros_home_root, file_type;
type cros_home_chronos, file_type;
type cros_home_shadow, file_type;
type cros_home_shadow_uid, file_type;
type cros_home_shadow_uid_user, file_type;
type cros_home_shadow_uid_root, file_type;
type cros_home_shadow_uid_root_chaps, file_type;
type cros_home_shadow_uid_root_android, file_type;
type cros_home_shadow_uid_root_android_cache, file_type;
type system_data_file, file_type; # this is Android file label.
allow domain cros_home:dir r_dir_perms;
type cros_coreutils_exec, exec_type, file_type;
type frecon_exec, exec_type, file_type;
type sh_exec, exec_type, file_type;
type upstart_socket_bridge_exec, exec_type, file_type;
type chrome_browser_exec, exec_type, file_type;
type cros_unconfined_exec, exec_type, file_type;
type cros_init_activate_date_script, exec_type, file_type, cros_init_scripts_file_type;
type cros_init_chapsd_shell_script, exec_type, file_type, cros_init_scripts_file_type;
type cros_init_crx_import_script, exec_type, file_type, cros_init_scripts_file_type;
type cros_init_lockbox_cache_script, exec_type, file_type, cros_init_scripts_file_type;
type cros_init_powerd_pre_start_script, exec_type, file_type, cros_init_scripts_file_type;
type cros_init_shell_scripts, exec_type, file_type, cros_init_scripts_file_type;
type cros_init_shill_shell_script, exec_type, file_type, cros_init_scripts_file_type;
type cros_init_start_bluetoothd_shell_script, exec_type, file_type, cros_init_scripts_file_type;
type cros_init_start_bluetoothlog_shell_script, exec_type, file_type, cros_init_scripts_file_type;
type cros_init_ui_pre_start_shell_script, exec_type, file_type, cros_init_scripts_file_type;
type cros_init_ui_respawn_shell_script, exec_type, file_type, cros_init_scripts_file_type;
type cros_ionice_exec, exec_type, file_type;
type cros_init_conf_file, file_type;
type cros_selinux_config_file, file_type;
type cros_sysctl_conf_file, file_type;
type cros_var, file_type;
type cros_var_cache, file_type;
type cros_var_log, file_type;
type cros_var_lib, file_type;
type cros_var_spool, file_type;
type cros_var_empty, file_type;
type cros_var_cache_shill, file_type;
type cros_var_lib_chaps, file_type;
type cros_var_lib_crash_reporter, file_type;
type cros_var_lib_dbus, file_type;
type cros_var_lib_power_manager, file_type;
type cros_var_lib_shill, file_type;
type cros_var_lib_update_engine, file_type;
type cros_var_lib_whitelist, file_type;
type cros_arc_log, file_type, cros_log_type;
type cros_authpolicy_log, file_type, cros_log_type;
type cros_boot_log, file_type, cros_log_type;
type cros_metrics_file, file_type;
type cros_metrics_uma_events_file, file_type;
type cros_net_log, file_type, cros_log_type;
type cros_powerd_log, file_type;
type cros_secure_log, file_type, cros_log_type;
type cros_syslog, file_type, cros_log_type;
type cros_tlsdate_log, file_type, cros_log_type;
type cros_var_log_chrome, file_type, cros_log_type;
type cros_var_log_eventlog, file_type, cros_log_type;
type cros_crash_spool, file_type;
type camera_socket, file_type; # compatible to existing Android names.
type cras_socket, file_type; # compatible to existing Android names.
type cros_run, file_type;
type cros_run_avahi_daemon, file_type;
type cros_run_containers, file_type;
type cros_run_crash_reporter, file_type;
type cros_run_dbus, file_type;
type cros_run_frecon, file_type;
type cros_run_ipsec, file_type;
type cros_run_journal, file_type;
type cros_run_lock, file_type;
type cros_run_power_manager, file_type;
type cros_run_session_manager, file_type;
type cros_run_shill, file_type;
type cros_run_systemd, file_type;
type cros_run_tcsd, file_type;
type cros_run_udev, file_type;
type cros_conntrackd_lock_file, file_type;
type cros_power_override_lock_file, file_type;
type cros_conntrackd_conf_file, file_type;
type cros_journal_conf_file, file_type;
type cros_ld_conf_cache, file_type;
type cros_modprobe_conf_file, file_type;
type cros_network_conf_file, file_type;
type cros_passwd_file, file_type;
type cros_rsyslog_conf_file, file_type;
type cros_tz_data_file, file_type;
type cros_udev_conf_file, file_type;
r_dir_file(chromeos_domain, cros_tz_data_file)
r_dir_file(domain, cros_ld_conf_cache);
filetrans_pattern(cros_ssh_session, cros_etc, cros_ld_conf_cache, file, "ld.so.cache~");
filetrans_pattern(frecon, cros_etc, cros_ld_conf_cache, file, "ld.so.cache~");
type cros_periodic_scheduler_cache_t, file_type;
allow fs_type self:filesystem associate;
allow file_type labeledfs:filesystem associate;
allow chromeos_domain tmpfs:dir { getattr read setattr };
allow chromeos_domain tmpfs:dir create_dir_perms;
# TODO(kroot,crbug.com/887859): remove this rule.
# This is most likely due to a lack of "cp -Z" or similar.
allow tmpfs labeledfs:filesystem associate;
auditallow tmpfs labeledfs:filesystem associate;
allow file_type labeledfs:filesystem associate;
# TODO(fqj,crbug.com/874980): allow rootfs labeledfs:filesystem is a workaround
# before developer use process are confined.
allow rootfs labeledfs:filesystem associate;
auditallow rootfs labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
allow dev_type tmpfs:filesystem associate;
allow dev_type device:filesystem associate;
allow debugfs_type debugfs:filesystem associate;
allow debugfs_trace_marker debugfs_tracing:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow devpts tmpfs:filesystem associate; # minijail --mountdev creates symlink in /dev(tmpfs)/ptmx in new root.
neverallow fs_type file_type:filesystem associate;
type sysfs_class_devcoredump, sysfs_type;
type sysfs_net, sysfs_type;
type wayland_socket, file_type;
type cros_system_bus_socket, file_type;
# TODO(fqj): temporarily let un-decomposed chromeos domain to write file as tmpfs.
type_transition {chromeos cros_arc_setup} cros_run:dir tmpfs;
dontaudit rootfs {device sysfs}:filesystem associate;
# /var files creation
filetrans_pattern_no_target_perm(chromeos_domain, cros_var, cros_var_lib, dir, "lib");
filetrans_pattern_no_target_perm(chromeos_domain, cros_var, cros_var_cache, dir, "cache");
filetrans_pattern_no_target_perm(chromeos_domain, cros_var, cros_var_empty, dir, "empty");
filetrans_pattern_no_target_perm(chromeos_domain, cros_var, cros_var_log, dir, "log");
filetrans_pattern_no_target_perm(chromeos_domain, cros_var, cros_var_spool, dir, "spool");