# This file contains autogenerated policy based on
# denials seen in the wild.
#
# As a general rule, you should not add policy to
# this file. You SHOULD treat this policy very
# skeptically- while it does preserve compatibility,
# it is also extremely overbroad.
#
# Over time this list should trend to size 0. Your
# assistance in bringing it to 0 is highly appreciated.
#
# How to read this file: every rule has the form
#   allow <source domain> <target type>:<object class> <permission(s)>;
# and grants the source domain those permissions on objects of that
# type. Rules whose line starts with "#" are disabled and grant nothing;
# they are kept as a record of denials that were deliberately NOT
# allowed. Nothing here is an explicit deny: removing a rule only takes
# away the access it granted.
#
# Review notes (defensive reading of the rules below):
#  - Rules whose target type is "unlabeled", "device", "proc" or "sysfs"
#    are the least specific kind of grant: the target object carries no
#    finer-grained label, so the rule covers every object of that class
#    with that label. The usual fix is to give the object a specific
#    label (file_contexts / genfs_contexts) and grant access to that
#    label instead, rather than keeping the broad rule.
#  - NOTE(review): the large number of rules targeting "init:*" across
#    unrelated domains looks like services still running in the init
#    domain rather than in a domain of their own; moving them to
#    dedicated domains would let most of those rules be dropped. Confirm
#    against the device's init.rc before acting on this.
#  - Rules granted to app domains (untrusted_app, shared_app,
#    platform_app, media_app, release_app) deserve the first pass, since
#    those domains run third-party or otherwise less-trusted code.

#============= adbd ==============
allow adbd app_data_file:dir { write add_name };
allow adbd app_data_file:file { write create open setattr };
allow adbd kernel:process setsched;
# Broad: "proc" is the generic label for procfs entries without a
# specific label. Narrow to the particular procfs type once the file
# that produced the denial is known.
allow adbd proc:file write;
# Highest-priority candidate for removal: the setpcap capability lets
# the adbd process alter its own capability sets.
allow adbd self:capability setpcap;

#============= debuggerd ==============
allow debuggerd system:unix_stream_socket connectto;
allow debuggerd system_data_file:sock_file write;

#============= dhcp ==============
allow dhcp system_data_file:file open;
# Creating files that end up "unlabeled" usually means the parent
# directory or filesystem is mislabeled; fix the labeling instead.
allow dhcp unlabeled:file create;

#============= drmserver ==============
allow drmserver init:unix_stream_socket { read write };

#============= init ==============
allow init node:rawip_socket node_bind;

#============= init_shell ==============
allow init_shell init:fifo_file write;
allow init_shell init:netlink_route_socket { read write };
allow init_shell init:netlink_socket { read write };
allow init_shell init:unix_stream_socket { read write };
allow init_shell self:netlink_route_socket { write getattr setopt bind create nlmsg_read };

#============= installd ==============
allow installd download_file:dir { read search open getattr };

#============= keystore ==============
allow keystore init:unix_stream_socket { read write };

#============= media_app ==============
allow media_app system_data_file:file append;

#============= mediaserver ==============
# "device" is the generic label for nodes under /dev that have no
# specific label; ioctl on an unspecified device node is a wide grant.
# Label the node and restrict the rule to that label.
allow mediaserver device:chr_file { read write ioctl open };
allow mediaserver init:unix_dgram_socket sendto;
allow mediaserver init:unix_stream_socket { read write };
allow mediaserver system_data_file:file { write open };
allow mediaserver system_data_file:sock_file write;

#============= nfc ==============
allow nfc device:chr_file { read write open };
allow nfc init:unix_stream_socket { read write };
# Disabled on purpose (write access to system data); keep disabled.
#allow nfc system_data_file:dir { write remove_name add_name };
#allow nfc system_data_file:file { write create unlink append };
allow nfc unlabeled:file { read write open };

#============= ping ==============
allow ping adbd:process sigchld;

#============= platform_app ==============
allow platform_app device:chr_file { read write ioctl };
allow platform_app init:binder { transfer call };
allow platform_app init:unix_stream_socket { read write };
# Disabled on purpose; keep disabled.
#allow platform_app system_data_file:file append;
allow platform_app unlabeled:file { read getattr open };

#============= radio ==============
allow radio init:binder call;
allow radio init:unix_stream_socket { read write };
allow radio system_data_file:file append;

#============= release_app ==============
allow release_app system_data_file:file append;
allow release_app unlabeled:lnk_file read;

#============= sdcardd ==============
allow sdcardd unlabeled:dir { read open };

#============= shared_app ==============
allow shared_app device:chr_file { read write };
allow shared_app init:binder call;
allow shared_app init:unix_stream_socket { read write };
allow shared_app init_tmpfs:file read;
# Disabled on purpose; keep disabled.
#allow shared_app system_data_file:file append;
# Write access to unlabeled files from an app domain bypasses the type
# separation the rest of the policy provides; resolve by labeling.
allow shared_app unlabeled:file { write lock getattr open read };

#============= shell ==============
allow shell apk_private_data_file:dir getattr;
allow shell asec_image_file:dir getattr;
allow shell backup_data_file:dir getattr;
allow shell device:sock_file write;
allow shell drm_data_file:dir getattr;
allow shell nfc_data_file:dir getattr;
allow shell rootfs:file getattr;
allow shell sdcard_internal:dir { create rmdir };
# Disabled on purpose. dac_override in particular would let the shell
# domain bypass discretionary (owner/group/mode) permission checks;
# these must stay disabled.
#allow shell self:capability { fowner fsetid dac_override };
#allow shell self:capability2 syslog;
#allow shell system_data_file:dir { write remove_name add_name };
#allow shell system_data_file:file { write create setattr };
allow shell unlabeled:dir getattr;
allow shell vold:unix_stream_socket connectto;
allow shell vold_socket:sock_file write;

#============= surfaceflinger ==============
allow surfaceflinger adbd:binder call;
allow surfaceflinger device:chr_file { read write ioctl open };
allow surfaceflinger init:dir search;
allow surfaceflinger init:file { read open };
allow surfaceflinger init:unix_stream_socket { read write };
allow surfaceflinger platform_app:binder call;
allow surfaceflinger shell_data_file:dir search;
# Generic sysfs write; narrow to the specific sysfs entry via a
# genfs_contexts label.
allow surfaceflinger sysfs:file write;
allow surfaceflinger system_app:dir search;
allow surfaceflinger system_app:file { read open };

#============= system ==============
allow system device:chr_file ioctl;
allow system init:binder { transfer call };
allow system init:unix_stream_socket { read write setopt };
# Broad procfs write, same concern as the adbd rule above.
allow system proc:file write;
allow system security_file:lnk_file read;
# Full create/rename/append access to unlabeled files and directories;
# the objects should be labeled so these rules can be retired.
allow system unlabeled:dir { read remove_name write open add_name };
allow system unlabeled:file { rename getattr read create open ioctl append };

#============= system_app ==============
allow system_app init:unix_stream_socket { read write setopt };
allow system_app unlabeled:file { read getattr open };

#============= untrusted_app ==============
# untrusted_app is the domain for third-party apps, so every rule in
# this section widens what arbitrary installed code may touch. The
# device:chr_file, init:binder and init:unix_stream_socket (including
# connectto) grants are the ones to retire first.
allow untrusted_app device:chr_file { read write };
allow untrusted_app init:binder { transfer call };
allow untrusted_app init:dir { getattr search };
allow untrusted_app init:file { read getattr open };
allow untrusted_app init:unix_stream_socket { read write connectto };
allow untrusted_app kernel:dir { getattr search };
allow untrusted_app kernel:file { read getattr open };
allow untrusted_app servicemanager:dir { getattr search };
allow untrusted_app servicemanager:file { read getattr open };
allow untrusted_app shell_data_file:dir search;
allow untrusted_app shell_data_file:file { read getattr open };
# Disabled on purpose; keep disabled.
#allow untrusted_app system_data_file:file append;
allow untrusted_app ueventd:dir { search getattr };
allow untrusted_app ueventd:file { read getattr open };
# Lets an untrusted app change attributes of unlabeled directories;
# fix the labeling rather than keeping this.
allow untrusted_app unlabeled:dir setattr;
allow untrusted_app zygote:dir search;

#============= vold ==============
allow vold unlabeled:dir { read getattr open };

#============= wpa ==============
allow wpa init:unix_dgram_socket { read write sendto };
allow wpa wifi_data_file:sock_file write;

#============= zygote ==============
allow zygote security_file:lnk_file read;