# SELinux file_contexts source for Chrome OS: each entry pairs a path regular
# expression with the security context given to matching files at labeling time.
# The include lines and the quoted macro blocks below are m4 constructs, so this
# file is preprocessed before the labeling tools read it; the macros themselves
# are defined outside this file.
# NOTE(review): entries are expected to match the whole path, and with
# libselinux-style lookup a later regex entry overrides an earlier one that also
# matches, so entry order is significant - confirm against the labeler in use.
include(sepolicy/file_contexts/chromeos_unconfined)
# Chrome OS file contexts.
/ u:object_r:rootfs:s0
# Executables under /sbin.
# NOTE(review): the *_exec type names suggest domain entrypoint labels; the
# transition rules live in the policy sources, not in this file.
# insmod, modprobe, rmmod and /bin/kmod all share cros_modprobe_exec, so every
# kernel-module tool listed here gets the same label.
/sbin/init u:object_r:chromeos_init_exec:s0
/sbin/crash_reporter u:object_r:cros_crash_reporter_exec:s0
/sbin/debugd u:object_r:cros_debugd_exec:s0
/sbin/frecon u:object_r:frecon_exec:s0
/sbin/insmod u:object_r:cros_modprobe_exec:s0
/sbin/minijail0 u:object_r:cros_minijail_exec:s0
/sbin/modprobe u:object_r:cros_modprobe_exec:s0
/sbin/rmmod u:object_r:cros_modprobe_exec:s0
/sbin/upstart-socket-bridge u:object_r:upstart_socket_bridge_exec:s0
# The three shells share a single sh_exec label.
/bin/bash u:object_r:sh_exec:s0
/bin/dash u:object_r:sh_exec:s0
/bin/kmod u:object_r:cros_modprobe_exec:s0
/bin/sh u:object_r:sh_exec:s0
/usr/bin/chrt u:object_r:cros_chrt_exec:s0
/usr/bin/shill u:object_r:cros_shill_exec:s0
/usr/sbin/wpa_supplicant u:object_r:cros_wpa_supplicant_exec:s0
# Init helper scripts. The first pattern ends in /.* and therefore covers
# entries beneath /usr/share/cros/init but not the directory itself.
/usr/share/cros/init/.* u:object_r:cros_init_shell_scripts:s0
/usr/bin/start_bluetooth.sh u:object_r:cros_init_shell_scripts:s0
# Exact path only: this entry does not cover other file names under /var/log.
/var/log/messages u:object_r:cros_syslog:s0
# /opt/google
/opt/google/chrome/chrome u:object_r:chrome_browser_exec:s0
# /etc: init job configuration and the SELinux configuration tree. The (/.*)?
# suffix labels the directory and everything below it.
/etc/init(/.*)? u:object_r:cros_init_conf_file:s0
/etc/selinux(/.*)? u:object_r:cros_selinux_config_file:s0
# These paths are mounted into the mini-container before the real /data and
# /cache are available.
/opt/google/containers/android/rootfs/android-data/cache u:object_r:cache_file:s0
/opt/google/containers/android/rootfs/android-data/data u:object_r:system_data_file:s0
/opt/google/containers/android/rootfs/android-data/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
# All the following files are created dynamically and need to be labeled at
# runtime.
# The cmdline.android entry is emitted only inside the ARC-conditional block,
# and its type is selected by a two-argument macro from proc and proc_cmdline.
# NOTE(review): which argument applies to which ARC version is decided by the
# macro definition, which is not visible here - confirm.
has_arc(`
/run/arc/cmdline.android u:object_r:is_arc_nyc(proc, proc_cmdline):s0
')
/run/arc/sdcard(/.*)? u:object_r:storage_file:s0
/run/arc/debugfs u:object_r:debugfs:s0
# Sysfs labels are kept in a separate fragment.
include(sepolicy/file_contexts/sysfs_contexts)
# Chrome OS shared memory files.
/dev/shm(/.*)? u:object_r:cros_shm:s0
# Individual device nodes, each matched by exact path.
/dev/console u:object_r:console_device:s0
/dev/null u:object_r:null_device:s0
/dev/random u:object_r:random_device:s0
/dev/urandom u:object_r:urandom_device:s0
/dev/zero u:object_r:zero_device:s0
# The USB device node entry below is emitted only when the enclosing macro
# block is enabled.
is_arc_nyc(`
# Label /dev/bus/usb/NNN/MMM
# (USB device nodes passed by Chrome / permission broker)
/dev/bus/usb(/.*)? u:object_r:usb_device:s0
')
# System library trees: /lib, /lib64 and their /usr counterparts.
# NOTE(review): these are broad patterns placed late in the file; check that
# they do not override a more specific label for a path under a lib directory
# that comes from an included fragment.
(/usr)?/lib64(/.*)? u:object_r:cros_system_file:s0
(/usr)?/lib(/.*)? u:object_r:cros_system_file:s0
# User Downloads directory and its contents.
# NOTE(review): (/.*)* matches the same paths as the (/.*)? form used elsewhere
# in this file; consider the simpler form for consistency.
/home/chronos/user/Downloads(/.*)* u:object_r:cros_downloads_file:s0