Lines Matching refs:kernel
1 # Life begins with the kernel.
2 type kernel, domain, mlstrustedsubject;
4 allow kernel self:global_capability_class_set sys_nice;
7 r_dir_file(kernel, rootfs)
8 allow kernel proc_cmdline:file r_file_perms;
11 allow kernel selinuxfs:dir r_dir_perms;
12 allow kernel selinuxfs:file r_file_perms;
15 allow kernel file_contexts_file:file r_file_perms;
18 allow kernel rootfs:file relabelfrom;
19 allow kernel init_exec:file relabelto;
21 allow kernel init:process share;
24 allow kernel unlabeled:dir search;
27 allow kernel usbfs:filesystem mount;
28 allow kernel usbfs:dir search;
31 # We use dontaudit instead of allow to prevent a kernel spawned userspace
33 dontaudit kernel self:security setenforce;
36 allow kernel self:global_capability_class_set sys_resource;
43 allow kernel self:global_capability_class_set sys_boot;
44 allow kernel proc_sysrq:file w_file_perms;
47 allow kernel tmpfs:chr_file write;
50 allow kernel selinuxfs:file write;
51 allow kernel self:security setcheckreqprot;
53 # kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
54 allow kernel sdcard_type:file { read write };
56 # f_mtp driver accesses files from kernel context.
57 allow kernel mediaprovider:fd use;
59 # Allow the kernel to read OBB files from app directories. (b/17428116)
64 allow kernel vold:fd use;
65 allow kernel { app_data_file privapp_data_file }:file read;
66 allow kernel asec_image_file:file read;
69 # and for LTP kernel tests (b/73220071)
71 allow kernel update_engine_data_file:file { read write };
72 allow kernel nativetest_data_file:file { read write };
78 allow kernel media_rw_data_file:dir create_dir_perms;
79 allow kernel media_rw_data_file:file create_file_perms;
82 allow kernel vold_data_file:file { read write };
84 # Allow the kernel to read APEX file descriptors and (staged) data files;
86 # a kernel thread in earlier kernel version.
87 allow kernel apexd:fd use;
88 allow kernel {
94 # Allow the first-stage init (which is running in the kernel domain) to execute the
97 # before the domain is switched to the target domain. So, we need to allow the kernel
100 # kernel older than 4.8.
101 allow kernel system_file:file execute;
106 allow kernel rootfs:file execute;
110 allow kernel appdomain_tmpfs:file { read write };
116 # The initial task starts in the kernel domain (assigned via
118 neverallow * kernel:process { transition dyntransition };
120 # The kernel domain is never entered via an exec, nor should it
122 # If you encounter an execute_no_trans denial on the kernel domain, then
124 # - The program is a kernel usermodehelper. In this case, define a domain
128 neverallow kernel *:file { entrypoint execute_no_trans };
130 # the kernel should not be accessing files owned by other users.
133 neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
135 # Nobody should be ptracing kernel threads
136 neverallow * kernel:process ptrace;